Archive for the ‘Domain Controller’ Category

Alert: This source server failed to generate the changes

Description: This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.


Event ID: 1479

Active Directory Domain Services could not update the following object in the local Active Directory Domain Services database with changes received from the following source directory service. Active Directory Domain Services does not have enough database version store to apply the changes.

User Action

Restart this directory service. If this does not solve the problem, increase the size of the database version store. If you are populating the objects with a large number of values, or the size of the values is especially large, decrease the size of future changes.

 

Additional Data

Error value:

8573 The database is out of version store.

 

Resolution:

Microsoft has provided the resolution in the linked support article.

Note: Take a backup of the registry before changing it.

 

Registry Location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

 

Add the registry value “EDB max ver pages” as a 32-bit DWORD with a decimal value chosen from the reference below:

9600 = 152 MB
12800 = 202 MB
16000 = 252 MB
19200 = 302 MB

Reboot the server once the change has been made.

Check Event Viewer after the restart; you should see event 1394 in the Directory Service log.
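As an added example (not part of the original post), the registry change and the post-reboot check scripted in PowerShell; it assumes you run it elevated on the affected domain controller and that a backup file can be written to C:\.

```powershell
# Added example: raise the ESE version store after event 1479 / error 8573, then verify 1394.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'EDB max ver pages'

function Set-VersionStorePages {
    # Only the page counts from the table above are accepted (9600 = 152 MB ... 19200 = 302 MB).
    param([ValidateSet(9600, 12800, 16000, 19200)][int]$Pages)
    # Back up the key first; abort if the export did not produce a file.
    $backup = "C:\NTDS-Parameters-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $backup /y | Out-Null
    if (-not (Test-Path $backup)) { throw 'registry backup failed; no change made' }
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) { $current = '<not set>' }
    # 32-bit DWORD holding the decimal page count, as the post describes.
    New-ItemProperty -Path $Key -Name $Name -Value $Pages -PropertyType DWord -Force | Out-Null
    "'$Name' changed from $current to $Pages (backup: $backup). Reboot the DC to apply."
}

function Test-VersionStoreCleared {
    # Run after the reboot: the newest 1394 must be later than the newest 1479.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1479, 1394 } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue
    $last1479 = ($events | Where-Object { $_.Id -eq 1479 } | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    $last1394 = ($events | Where-Object { $_.Id -eq 1394 } | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    if ($last1394 -and (-not $last1479 -or $last1394 -gt $last1479)) {
        "OK: event 1394 at $last1394 follows the last 1479 ($last1479)"
    } else {
        "Not cleared: last 1479 at $last1479, last 1394 at $last1394; try the next step in the table"
    }
}

Set-VersionStorePages -Pages 9600    # 152 MB; rerun with a larger step if 1479 persists
# After the reboot: Test-VersionStoreCleared
```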


 

This alert occurs on Windows Server 2008 R2 servers.

——————————————————————————

Alert: Active Directory cannot update object due to insufficient memory
Last modified by: System
Last modified time: 7/18/2013 1:02:10 PM
Alert description: Active Directory Domain Services could not update the following object in the local Active Directory Domain Services database with changes received from the following source directory service. Active Directory Domain Services does not have enough database version store to apply the changes.

User Action

Restart this directory service. If this does not solve the problem, increase the size of the database version store. If you are populating the objects with a large number of values, or the size of the values is especially large, decrease the size of future changes.

——————————————————————————

Additional Data

A reboot clears the version store, but it does nothing to identify or resolve the underlying issue.

The version store has reached its maximum size because of an unresponsive transaction. Updates to the database are rejected until the long-running transaction is committed or rolled back. TechNet suggests looking for event IDs 1022, 1069 and 623, but none of these event IDs could be found in Event Viewer.

Resolution:

The solution is below, but changing registry settings is at your own risk.

Back up the registry before proceeding.

 

  1. Update ‘Version Store Size’ (the Ops Mgr agent queue/cache database) by using Regedit to change “Persistence Version Store Maximum” under HKLM\System\CurrentControlSet\Services\HealthService\Parameters\. The value should be 5120 (decimal), which equates to 80 MB.
  2. Update the value of ‘MaximumQueueSizeKb’ under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\<ManagementGroupName>. The value should be 102400 (decimal).

Then reboot the server.

Check Event Viewer for event ID 1394: “All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.”

You can find this event in “Directory Services” Log of the Domain Controller.

Active Directory is made up of components that constitute its logical and physical structure. To administer Active Directory, we must understand the purpose of these components.

 

Logical Structure: The logical structure of Active Directory provides methods for organizing network resources such as computers, printers, users and groups. It is made up of objects, organizational units, domains, domain trees, and forests.

 

1. Objects

The object is the most basic component of the logical structure. Object classes are templates for the types of objects that can be created in Active Directory. Each object class is defined by a group of attributes. Attributes define the possible values that can be associated with an object. Each object has a unique combination of attribute values.

 

2. Organizational units

Organizational units are container objects that are used to group other objects in a manner that supports your administrative purposes. By grouping objects by organizational unit in a logical fashion, it becomes easier to locate and administer objects. We can also delegate the authority to administer an organizational unit.  Organizational units can be nested in other organizational units. By nesting organizational units, we can further simplify the administration of objects.

 

3. Domains

Domains are the core functional units in the Active Directory logical structure. A domain is a collection of objects that share a common directory database, security policies, and security relationships with other domains.  Domains provide the following three functions:

  • Serve as an administrative boundary for objects
  • Help to manage security for shared resources
  • Serve as a unit of replication for objects

 

4. Domain Trees

Domains can be grouped together in hierarchical structures that are called trees. When a second domain is added to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain may in turn have its own child domain.  The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name. In this manner, a tree has a contiguous namespace.

 

5. Forests

Forests are made up of one or more trees, although a single two-level tree is recommended for most organizations. A two-level tree is when all child domains are made children of the forest root domain to form one contiguous tree. The first domain in the forest is called the forest root domain, and the name of that domain is used to refer to the forest. A forest is a complete instance of Active Directory. By default, the information within Active Directory is shared only within the forest. In this way, the forest is a security boundary for the information contained in the instance of Active Directory.

 

Physical Structure: The physical structure of Active Directory models the physical structure of the network and is made up of domain controllers and sites. The physical structure of Active Directory defines where and when replication and logon traffic occur, and is used to manage network traffic. The physical structure enables you to optimize network traffic by determining when and where replication and logon traffic occur. The elements of the Active Directory physical structure are:

 

1. Domain controllers: A domain controller performs storage and replication functions. A domain controller can support only one domain. A domain can have one or more domain controllers.

 

2. Active Directory sites: Created mainly to optimize replication traffic and to enable users to connect to domain controllers over reliable, high-speed connections. A site is a group of well-connected computers. When sites are established, domain controllers within a single site communicate frequently. This communication minimizes latency within the site. Latency is the time required for a change made on one domain controller to be replicated to other domain controllers. You create sites to optimize the use of bandwidth between separated domain controllers. A single site can contain multiple domains, and a single domain can span multiple sites.

 

Note: We use Logical structure to organize the network resources and Physical structure to manage the network traffic.

 

Active Directory enables single sign-on, which makes the complex processes of authentication and authorization transparent to the user. Single sign-on is made up of authentication, which verifies the credentials of the connection attempt, and authorization, which verifies that the connection attempt is allowed. With single sign-on, users do not have to manage multiple sets of credentials and can access the resources for which they are authorized without thinking about the processes that occur behind the scenes. However, as systems engineers, we must understand how these processes work in order to troubleshoot the Active Directory structure.

 

The single sign-on process occurs as follows:

 

  1. The user enters credentials at a workstation to perform an interactive logon.
  2. The credentials are encrypted by the client and sent to a domain controller for the client’s domain.
  3. The encrypted credentials that are sent from the client are matched against the encrypted credentials on the domain controller. A Kerberos service, the Key Distribution Center (KDC), resides on each domain controller and stores the encrypted user credentials. If the credentials sent by the client match the credentials stored by the KDC, the process continues.
  4. The domain controller creates a list of the domain-based groups to which the user belongs.
  5. The domain controller queries the global catalog to identify the universal groups to which the user belongs. If the domain controller has Universal group membership caching enabled, the global catalog is not queried and the Universal group memberships are obtained from the cache on the domain controller.
  6. The KDC issues the client a ticket-granting ticket (TGT). The TGT contains the encrypted security identifiers (SIDs) for the groups of which the user is a member.
  7. The client requests access to a resource that resides on a specific server.
  8. The client uses the TGT to gain access to the ticket-granting service (TGS), on the domain controller.
  9. The TGS issues a service ticket, which is also called a session ticket, for the server where the resource resides to the client. The session ticket contains the SIDs for the user’s group memberships.
  10. The client presents the session ticket to the server where the resource resides. The Local Security Authority (LSA) on the server uses the information in the session ticket to create an access token.
  11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resource’s discretionary access control list (DACL). If they match, the user is granted access to the resource.
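To see steps 10 and 11 from the defender's side, here is an added PowerShell example (not from the original post) that lists the SIDs in the current access token and reports which ACEs in a file's DACL match them; C:\Windows is only an assumed sample resource.

```powershell
# Added example: which ACEs in a resource's DACL match the SIDs in this process's access token.
function Get-MatchingAce {
    param([Parameter(Mandatory = $true)][string]$Path)
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs carried in the token: the user SID plus every group SID, the set the LSA builds
    # from the session ticket in step 10. In a non-elevated shell under UAC this is the
    # filtered token, so Administrators shows up as a deny-only group.
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Resolve the ACE's trustee to a SID so the comparison is SID to SID, as in step 11.
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($tokenSids -contains $aceSid) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Sid       = $aceSid
                Type      = $ace.AccessControlType    # Deny ACEs are evaluated before Allow ACEs
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-MatchingAce -Path 'C:\Windows' | Format-Table -AutoSize
```

A matching Deny entry wins over any matching Allow entry, so read the Type column before concluding that access is granted.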

 

You may get an error message like the one below:

Symptoms:

– Not able to log in to domain controllers due to low disk space on the system drive.

– You get the above error message and the server reboots every time.

– Users are not able to log in on the affected network.

– Users are not able to access shared resources from the domain controller.

 

Resolution:

– Reboot the server and log in using Directory Services Restore Mode.

– Go to Start > Run, type ‘Cleanmgr’ and clean up the space on drive C.

– If you have lost the Restore Mode password, follow the steps below to reset the DSRM password:

Open a command prompt on the nearest domain controller and type the following commands:

ntdsutil

set dsrm password

reset password on server ServerName

– Once you have cleared space on the system drive, reboot the server.

– After the reboot, log in normally to the domain controller and everything should be back to normal.

– Everyone should be able to access the shared resources from the server.

By default, a global catalog is created automatically on the initial domain controller in the forest. It stores a full replica of all the objects in the directory for its host domain and a partial replica of all objects contained in the directory of every other domain in the forest. The replica is partial because it stores some, but not all, of the property values for every object in the forest.

The global catalog performs two key directory roles:

– It enables network logon by providing universal group membership information to a domain controller when a logon process is initiated.

– It enables finding directory information in the entire forest regardless of which domain in the forest actually contains the data.

When a user logs in to the network, the global catalog provides universal group membership information for the account sending the logon request to the domain controller. If there is only one domain controller in the Domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is hosted on the domain controller configured as such. If a Global Catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer.

Note: If a user is a member of the Domain Admins group, then they will be able to log on to the network even when the Global Catalog is not available.

The global catalog is designed to respond to queries about objects anywhere in the forest with maximum speed and minimum network traffic. Because a single global catalog contains information about objects in all domains in the forest, a query about an object can be resolved by a global catalog in the domain in which the query is initiated. Thus finding the information in the directory does not produce unnecessary query traffic across domain boundaries.

You can optionally configure any domain controller to host a global catalog, based on your company’s requirements for servicing logon requests and search queries.

After additional domain controllers are installed in the domain, you can move the global catalog from its default location to another domain controller using Active Directory Sites and Services.

 

Introduction

Replication ensures that all information in Active Directory is current on all domain controllers and client computers across your entire network. Many networks consist of a number of smaller networks, and the network links between these networks may operate at varying speeds. Sites in Active Directory enable you to control replication traffic and other types of traffic related to Active Directory across these various network links. You can use subnet objects, site links, and site link bridges to help control the replication topology when configuring replication between sites. An efficient, reliable replication topology depends on the configuration of site links and site link bridges.

 

What Are Sites and Subnet Objects?

 

Introduction

You use sites to control replication traffic, logon traffic, and requests to the Global Catalog server.

 

Sites

In Active Directory, sites help define the physical structure of a network. A site is defined by a set of Transmission Control Protocol/Internet Protocol (TCP/IP) subnet address ranges. Sites are used to define a group of domain controllers that are well-connected in terms of speed and cost. Sites consist of server objects, which contain connection objects that enable replication.

 

Subnet Objects

The TCP/IP subnet address ranges are represented by subnet objects that group computers. For example, a subnet object might represent all the computers on a floor in a building, or on a campus. Subnet objects are associated with sites and, because the subnet objects map to the physical network, so do the sites. For example, if you have three subnets that represent three campuses in a city, and these campuses are connected by high-speed, highly available connections, you could associate each of those subnets with the same site. A site can consist of one or more subnets. For example, on a network with three subnets in London and two in Boston, the administrator can create a site in London, a site in Boston, and then add the subnets to the respective sites.

 

Default Site

A default site is set up automatically when you install Windows Server on the first domain controller in a forest. This site is called Default-First-Site-Name. This site can be renamed. When you create the first domain in a forest, it is automatically placed in the default site.
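The London/Boston layout described above, as an added PowerShell example (not from the original post) using the ActiveDirectory module's replication cmdlets; the subnet ranges are constructed placeholders, and $DryRun keeps every change as a -WhatIf preview until you set it to $false.

```powershell
# Added example: one site per city, each city's subnets attached to its site.
Import-Module ActiveDirectory
$DryRun = $true     # -WhatIf previews each change; set to $false to apply
$layout = @{
    London = @('192.0.2.0/26', '192.0.2.64/26', '192.0.2.128/26')   # constructed placeholder ranges
    Boston = @('198.51.100.0/25', '198.51.100.128/25')
}
foreach ($site in $layout.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site -WhatIf:$DryRun
        # A new site replicates with nothing until it belongs to a site link.
        Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $site } -WhatIf:$DryRun
    }
    foreach ($cidr in $layout[$site]) {
        # The subnet object's name is its CIDR prefix; a client whose address falls in it
        # is directed to domain controllers in this site.
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site -Location $site -WhatIf:$DryRun
        }
    }
}
# Subnets mapped to no site: clients in them are handed a DC from anywhere, defeating the purpose.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | Select-Object Name
```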

Introduction

A global catalog server is a domain controller that stores two forest-wide partitions, schema and configuration, a read/write copy of the partition from its own domain, and also a partial replica of all other domain partitions in the forest. These partial replicas contain a read-only subset of the information in each domain partition.

 

How does replication affect the global catalog server?

When a new domain is added to a forest, the information about the new domain is stored in the configuration partition, which is replicated to all domain controllers, including global catalog servers, through normal forest-wide replication. Then each global catalog server becomes a partial replica of the new domain by contacting a domain controller for that domain and obtaining the partial replica information. The configuration partition also contains a list of all global catalog servers in the forest and provides this information to the domain controllers. Global catalog servers register special DNS records in the DNS zone that correspond to the Forest Root domain. These records, which are registered only in the Forest Root DNS zone, help clients and servers locate global catalog servers throughout the forest.
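As an added PowerShell example (not from the original post) serving both the global catalog post above and the DNS registration just described: it reads the forest's global catalog list from the configuration partition, resolves the _gc._tcp SRV records in the forest root zone, and reports each GC's SRV presence and port 3268 reachability. It assumes the ActiveDirectory and DnsClient modules and Test-NetConnection (Windows Server 2012 R2 or later).

```powershell
# Added example: cross-check configured global catalogs against their forest-root SRV records.
Import-Module ActiveDirectory
$forest = Get-ADForest
$gcFromConfig = @($forest.GlobalCatalogs | ForEach-Object { $_.ToLower() })   # from the configuration partition

# The _gc SRV records are registered only in the forest root zone, whichever domain each GC is in.
$srvName = "_gc._tcp.$($forest.RootDomain)"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
$gcFromDns = @($srv | Where-Object { $_.Type -eq 'SRV' } |
               ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() } | Sort-Object -Unique)

foreach ($gc in $gcFromConfig) {
    # A GC without its SRV record cannot be located by clients; one answering on 3268 is actually serving.
    $tcp = Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue
    [pscustomobject]@{
        GlobalCatalog = $gc
        SrvRegistered = ($gcFromDns -contains $gc)
        Port3268Open  = $tcp.TcpTestSucceeded
    }
}

# SRV targets no longer listed as GCs are stale registrations that send clients to the wrong host.
$stale = $gcFromDns | Where-Object { $gcFromConfig -notcontains $_ }
if ($stale) { "Stale _gc SRV targets in ${srvName}: $($stale -join ', ')" }
```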

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing Internet Protocol packets. It is a way to allocate and specify the Internet addresses used in inter-domain routing more flexibly than with the original system of Internet Protocol (IP) address classes. As a result, the number of available Internet addresses has been greatly increased. CIDR is now the routing system used by virtually all gateway hosts on the Internet’s backbone network.

IP addresses are described as consisting of two groups of bits in the address: the more significant part is the network address, which identifies a whole network or subnet, and the less significant portion is the host identifier, which specifies a particular interface of a host on that network. This division is used as the basis of traffic routing between IP networks and for address allocation policies. Classful network design for IPv4 sized the network address as one or more 8-bit groups, resulting in the blocks of Class A, B, or C addresses. Classless Inter-Domain Routing allocates address space to Internet service providers and end users on any address bit boundary, instead of on 8-bit segments. In IPv6, however, the interface identifier has a fixed size of 64 bits by convention, and smaller subnets are never allocated to end users.

CIDR notation is a syntax of specifying IP addresses and their associated routing prefix. It appends to the address a slash character and the decimal number of leading bits of the routing prefix, e.g., 192.0.2.0/24 for IPv4, and 2001:db8::/32 for IPv6.
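An added PowerShell example (not from the original post) that parses CIDR notation for both IPv4 and IPv6 into its routing prefix and host part using .NET IPAddress byte arithmetic; it requires Windows PowerShell 5.1 or PowerShell 7 for the ::new() constructor syntax.

```powershell
# Added example: split a CIDR string into routing prefix and host part, for IPv4 and IPv6.
function ConvertFrom-Cidr {
    param([Parameter(Mandatory = $true)][string]$Cidr)
    $addrText, $lenText = $Cidr -split '/', 2
    if (-not $lenText) { throw "no prefix length in '$Cidr'" }
    $addr  = [System.Net.IPAddress]::Parse($addrText)
    $bytes = $addr.GetAddressBytes()          # 4 bytes (IPv4) or 16 bytes (IPv6), network order
    $bits  = $bytes.Length * 8
    $prefixLen = [int]$lenText
    if ($prefixLen -lt 0 -or $prefixLen -gt $bits) { throw "/$prefixLen is out of range for a $bits-bit address" }

    # Routing prefix mask: whole bytes of ones, at most one partial byte, then zeros.
    $mask = New-Object byte[] $bytes.Length
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $remaining = $prefixLen - ($i * 8)
        if ($remaining -ge 8)     { $mask[$i] = 255 }
        elseif ($remaining -gt 0) { $mask[$i] = (255 -shl (8 - $remaining)) -band 255 }
    }
    $net  = New-Object byte[] $bytes.Length   # host bits cleared
    $last = New-Object byte[] $bytes.Length   # host bits set
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $net[$i]  = $bytes[$i] -band $mask[$i]
        $last[$i] = $bytes[$i] -bor ((-bnot $mask[$i]) -band 255)
    }
    $network = [System.Net.IPAddress]::new($net)
    [pscustomobject]@{
        Input            = $Cidr
        Family           = $addr.AddressFamily        # InterNetwork or InterNetworkV6
        PrefixLength     = $prefixLen
        Network          = $network.ToString()
        LastAddress      = [System.Net.IPAddress]::new($last).ToString()
        HostBits         = $bits - $prefixLen
        AddressCount     = [bigint]::Pow(2, $bits - $prefixLen)
        IsNetworkAddress = $addr.Equals($network)     # false when the input had host bits set
    }
}

ConvertFrom-Cidr '192.0.2.0/24'       # the IPv4 form quoted above
ConvertFrom-Cidr '2001:db8::/32'      # the IPv6 form quoted above
ConvertFrom-Cidr '192.0.2.130/25'     # an address inside a /25 rather than its network address
```

Active Directory subnet objects must be named by the network address, so IsNetworkAddress is the check to run on a prefix before creating one.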