In this scenario, the domain user called “firstname.lastname@example.org” tried to log in to the domain from his workstation.
He then received the error below:
“During the Logon attempt, the user’s security context accumulated too many security IDs”…
However, his account is a member of only 3 groups in the Active Directory environment: “Domain Admins”, “Domain Users”, and the HQ security group.
After checking his account in Active Directory, he logged in to another workstation, and it worked fine; he was able to log in. He cannot log in only to the problematic workstation above, with the error stated. We then saw that on this workstation the domain account had been tightened, i.e. added to multiple groups, about 1217 groups in total.
So, in conclusion, it is not only the domain group memberships of the user that count toward the SID limit of the access token (more than 1024 groups); the local groups of the workstation or server also count toward the access token limit.
To ask for the Replicate Directory Changes permission on a domain controller, the account does not have to be a domain admin. We can grant it by delegation.
Why do we do this?
For example, if users want to update their information from SharePoint by themselves, we can allow the information stored in the SharePoint database to replicate to Active Directory. Some configuration also needs to be done in SharePoint Administration.
How to Grant Replicate Directory Changes?
- At your domain controller, open Active Directory Users and Computers.
- Right-click the domain, for example netoverme.local, and select Delegate Control.
- Click Next on the Delegation of Control Wizard.
- On the Users or Groups page, click Add.
- Type the name of the synchronization account, for example sp_admin, and click Next.
- On the Tasks to Delegate page, select Create a custom task to delegate and click Next.
- On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and click Next.
- On the Permissions page, select Replicating Directory Changes.
- Click Next and then Finish.
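The same delegation from the command line, as an added example that is not part of the original post: it assumes the netoverme.local domain and the sp_admin account named above, plus dsacls.exe from the RSAT tools, and it ends with a listing of every account that holds the right so the delegation can be verified and periodically reviewed.

```powershell
# Added example (not from the original post): grant and then audit the
# Replicating Directory Changes control-access right with dsacls.exe,
# the command-line equivalent of the Delegate Control wizard steps above.
# Assumptions: domain netoverme.local (DC=netoverme,DC=local) and the
# synchronization account sp_admin, both taken from the post; run from an
# elevated PowerShell session on a domain controller or a host with RSAT.

$DomainDN = "DC=netoverme,DC=local"
$Account  = "NETOVERME\sp_admin"

# Grant: the right is a control-access right (CA) evaluated on the domain
# naming-context head, which is why the wizard is run on the domain object.
$Ace = $Account + ":CA;Replicating Directory Changes"
dsacls $DomainDN /G $Ace

# Audit: list every ACE on the domain head that carries this right (the
# pattern also matches "Replicating Directory Changes All"). Review the
# output after the change and on a schedule: apart from the domain
# controllers, built-in administrative groups and the deliberately
# delegated sync account, no other principal should appear here.
dsacls $DomainDN |
    Select-String -Pattern "Replicating Directory Changes" |
    ForEach-Object { $_.Line.Trim() }
```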
I had a problem adding another domain controller to a child domain in my lab. In my scenario, my other child domain controller is online and one of the parent domain controllers is also online.
Another thing I had to make sure of is that DNS is pointed to the child domain controller.
I also checked the debug log in C:\Windows\Debug\Dcpromoui.log. The error that appears there seems similar to the error above.
In the error above, when we look further, the promotion successfully queries the SRV record of testbranch.netoverme.local.
My solution was to check that the Domain Naming Master role holder is online and can be contacted. The Domain Naming FSMO role is responsible for adding and removing domains. In my case, I have 2 parent domain controllers (dc1.netoverme.local and dc2.netoverme.local) and my child domain is testbranch.netoverme.local. My scenario above is to add another domain controller to the child domain testbranch.netoverme.local.
After I could ping dc1.netoverme.local, which holds the Domain Naming FSMO role, and made sure the port and the firewall were not blocking, the domain controller could be added successfully. One more thing: besides the FSMO role holder having to be online and contactable, DNS delegation has to be done so that all the DNS records are added in the parent domain.
I have posted an article on TechNet Wiki on using PowerShell to install Windows Server features in Windows Server 2008 R2.
Here is the link below:
The video tutorial below shows how to perform a system state backup to a local drive or critical volume. By default, you will be unable to store the backup on the local drive C:\
However, you can change this default behaviour of Windows Server 2008 R2 by adding a registry entry.
Check the video that I posted on YouTube:
Test the system state backup using the Command Prompt or the graphical user interface.
However, I prefer using the command prompt because the backup is faster.
1. Right-click Command Prompt and click Run as administrator.
2. Type the command: wbadmin start systemstatebackup -backuptarget:c: