showing posts tagged with 'ad'
1 · 2
by lunarg on June 10th 2015, at 14:29

There are two ways to see which Certificate Authority servers exist in your AD domain.

1. Check the Cert Publishers group

The AD group Cert Publishers contain the servers that are permitted to publish certificates to AD. As a consequence, this gruop will contain all servers that are CAs.

2. Use certutil

You can use the certutil command to view (and select from) a list of CAs in the current AD domain:

certutil -config - -ping

Note: type the command as-is, including all spaces and hyphens.

A window will appear, listing the CA name and the server it runs on.

by lunarg on June 10th 2015, at 14:20
After migrating AD from 2003 to 2012, I ran into this issue on a RADIUS server running 2008 R2, used for authentication. When attempting to retrieve AD information for a particular user, the following error appeared:

An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.

The solution (at least for Windows 7 and 2008 R2), is to install hotfix 2830145.

The hotfix is only available by request through e-mail.

When attempting to log on to a 2012-based domain controller, the following SIDs are unmappable:

S-1-18-1 : Authentication authority asserted identity

S-1-18-2 : Service asserted identity

2012 introduces two new securit  ...
by lunarg on June 5th 2015, at 10:40
If your inter-domain trust is down, and the eventlog reveals the following error:

There are currently no logon servers available to service the logon request. (0x51F)

Then check the following:

Check whether you can still access the DNS servers at the other side: try using the name first, then try through IP. If DNS does not work, there's an issue with your DNS.

Check whether the DNS zones for the domain are still in place. If it exists, try performing a reload from master. If this fails, you either have connection issues, or the other side has removed the required zone delegation, preventing you from retrieving the zone information.

If you can neither connect through DNS or IP, ch  ...
by lunarg on May 28th 2015, at 10:46

When attempting to log on with a domain account on a computer joined to a domain that has both 2012R2 and 2003 domain controllers, you may encounter the following error:

Error message
unknown username or bad password

Additionally, an Event ID 4 on Source: Kerberos is logged. You can only log on using local accounts.


Mixed 2012R2 and 2003 AD environments require hotfix 2989971 to be installed on every 2012R2 DC. See the KB for a full explanation.

The hotfix requires Update 1 (2919355) to be installed first. The hotfix is also included in update rollup 2984006.

by lunarg on November 20th 2014, at 15:16
Lingering objects in Active Directory are a pest, and require a lot of work to properly dispose of them. Luckily, there's repldiag.exe, part of Active Directory Utils. This particular tool resolves lingering objects by automating the required procedure and set of commands to run to clean up lingering objects.

In normal circumstances, you would have to look up and run various commands to completely clean out the AD database on each DC. Using repldiag.exe does the hard work for you by looking up the DC's and running the clean up on each DC, cross-referencing with the other DC's, and it does so by using the built-in commands and API's (such as those used by repladmin and other commands).

Down  ...
1 · 2
showing posts tagged with 'ad'