Category: troubleshooting

Jan 06 2013

Powershell: Monitor the trusted root certification authorities store, Event Schannel ID 36885-36887

The root update package KB931125, when applied might break the authentication process on servers using certificate based authentication: This problem was reported for LDAP over SSL authentication on a Domain Controller, IIS authentication on a webserver and IAS authentication on a Radius server (called Network Policy Server under Windows 2008). The symptoms, patch and workarounds of this issue are explained in this KB. The patch is only available under Windows 2003 and the root update package (KB931125) cannot be uninstalled via WSUS once applied.
Read more »

Sep 24 2011

ADDS 2008 migration: Before migrating to windows 8 server…

You can’t wait to install Windows server 8 developer preview in order to test it in the event of a future deployment… But you might want to finish your migration to ADDS 2008R2 before thinking about all that 😉 Bellow is a tab showing some client compatibility issues and the important steps when migrating your domain controllers to Windows server 2008R2:

Read more »

Apr 14 2011

The WinRM client cannot complete the operation within the time specified.

After configuring WinRM on a Windows 2008R2 server we launched the following command in order to test the installation:

winrm id -r:%machinename%

Unfortunately we had this error message:
Read more »

Mar 02 2011

Windows 2008 Event Collector: XP and 2003 clients

In this post we will describe how to configure a Windows 2008 Event Collector server to process events forwarded from Windows XP and Windows 2003 clients. The event forwarding system (aka syslog) relies on WinRM, there are two versions of the WinRM service: v1.1 and v2.0, each version of the service listen on a different default port (HTTP 80 + HTTPS 443 for WinRM 1.1, HTTP 5985 + HTTPS 5986 for WinRM 2.0). That is why you should upgrade WinRM 1.1 to WinRM v2.0 on your XP and 2003 clients in order to use event forwarding. For more details abour WinRM I suggest you read this article.

Read more »

Feb 08 2011

User account migration: Domain users primary group

After an AD domain migration, some user accounts migrated in the target domain were not membres of the domain users group. In order to identify those accounts we used the following ActiveRoles Management Shell command:

Get-QADUser -NotMemberof 'ldap389\domain users' | export-csv domusers.csv

Read more »

Jan 31 2011

Adprep 2008 troubleshooting

In this post we will describe some issues we had when extending the schema for Active 2008 or 2008R2. The steps to prepare the schema for AD 2008 are described in this askDS post.
Read more »

Jan 17 2011

MSExchange ActiveSync EventID 1053

In this article we will fix a problem we had with Exchange 2010 when synchronising mail on a mobile device using ActiveSync. When attempting the synchronisation we had the following error message (Source MSExchange ActiveSync, ID 1053) on the CAS server’s eventlog.

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=<user name>,OU=<OU Name>,DC=ldap389,DC=info” container under Active Directory user “Active Directory operation failed on <dc-name>.ldap389.info. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Read more »

Jan 10 2011

AD schema extension: Exchange 2010

In this post we will troubleshoot a problem you can encounter when you are extending the Active Directory schema for Exchange 2010. You can read this technet article for the steps to prepare the AD schema for Exchange 2010.

We encountered some problems when launching the command line:”setup.com /PrepareAD /OrganizationName:<Organization Name>”. First an error occurred and the setup process exited, after fixing this we had a warning when running the command.
Read more »

Jul 26 2010

GPMC hangs connected to one domain controller

I will describe in this post an incident we had in our production environment and the different troubleshooting steps to resolve this issue. When we launched a GPMC, the console froze when we clicked on an OU in order to display the Policy Objects linked to it. The problem occurred only when the GPMC was connected to a particular Domain Controller (PDC emulator in our case), if we switched to another DC the GPMC was OK.

There was no problem with GPOs in our domain: Replication was ok and GPOs were applied correctly on our computers/users objects. But we could not edit anymore GPOs connected to this DC. While the GPMC was hanging there was a lsass.exe CPU overload on the DC until the console was killed. Therefore we had to edit GPOs connected to any other DC, so the production environment was working near normal during the resolution of the incident.

Read more »

Mar 20 2010

Identify applications that cause your Domain Controller to decrease in performance

We will describe in this post how to indentify an application that causes a CPU time overconsumption on your Domain Controllers. We will use two tools for this: Server Performance Advisor and Wireshark. The first is used if you have a Windows 2003 DC, if OS is Windows 2008 the tool is already included, you access it with MMC snap-in perfmon.msc, its new name is Windows Reliability and Performance Monitor. Both versions have performance counters dedicated to Active Directory, in this post we will use SPA, because the DC having trouble is running Windows 2003. If you want more details on using Windows RPM for AD you can read this article.
Read more »

WordPress Themes

Blossom Icon Set

Software Top Blogs