locked
Unable to contact Active Directory to access or verify claim types RRS feed

  • Question

  • Dear Technet-

    I am stumped on an issue with a server 2012 domain controller. I received the "Unable to contact Active Directory to access or verify claim types" message when attempting to enable auditing on a folder from the primary DC. As my colleague and I delved more into it, the unable to find user lookup box comes up when trying to add permission in general to any folder, so I cannot add users' permissions on any of my shares. If I select the Locations from under the Select Users, Computers, Service Accounts, or Groups, and move it from "domain", to the "server", I can add users okay. I cannot expand out the actual domain and see the OU structure by clicking the plus sign under Locations. Oddly enough, if we go into the Change Ownership option, and at least bring that up, I can go into the auditing and Advanced permissions and add users without any issue!

    The issue is limited to the built-in administrator account. I have copied the Administrator account and created a new account, logged in with that new one, and can perform the permission changes without issue. We have also tried re-creating the administrator profile with no success.

    There is a secondary AD server, and can perform all tasks without issue from the administrator account. We can also alter the permissions by browsing to the C$ share of the primary DC without error.

    No impact to the actual domain appears to be occurring, but not being able to alter the permissions on a folder will become an issue down the road. I also have no idea when this issue may have started. Both DC's are replicating well by checking the repadmin commands. Just to rule it out, we did demote the secondary DC and try the permissions once demoted, without success. It has since been promoted back as a DC. Also, the DNS of the primary is pointing to itself. We tried with it pointing to the secondary DC and did not experience a difference. The server was rebooted 2 nights ago. In addition, DNS server was gone through and entries/ Name Servers/ _msdcs are looking good there too.

    I appreciate in advance any assistance in this matter. Hope this wasn't too long; Just wanted to give as much information as I could.

    Thank you, Nick-Mich
    Thursday, January 7, 2016 2:05 PM

Answers

  • Hi,

    Have you configured Dynamic Access Control?

    A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources.

    Please refer to article below for claim types and Dynamic Access Control:
    https://technet.microsoft.com/en-us/library/hh846167.aspx


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 8, 2016 9:11 AM

All replies

  • Hi,

    Have you configured Dynamic Access Control?

    A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources.

    Please refer to article below for claim types and Dynamic Access Control:
    https://technet.microsoft.com/en-us/library/hh846167.aspx


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 8, 2016 9:11 AM
  • Thanks Wendy,

    My Googling was starting to point me to this path. I have training today but am going to check this out more in depth.

    Nick-Mich

    Friday, January 8, 2016 5:26 PM
  • Just wanted to update everybody on this one. I didn't make any headway with the claim types, but I am sensing a Windows Update corrected it, or the shutdown performed last night as a result of power loss, as I just checked and everything is now working as it should.

    Thank you again,

    Nick-Mich

    Thursday, February 25, 2016 8:13 PM