Channel: Directory Services forum

Domain Controller takes a long time to log in via Remote Session while another server in the same subnet logs in fast


Dear All,

We are facing an issue with our domain controller (Windows 2012 R2). When I access the server via a remote session, it takes a long time to log in after entering the credentials, and sometimes it gets disconnected; when I take the remote session again it works fine. We have one domain controller and one ADC (additional domain controller). Earlier the same issue was found on the ADC and it still persists, but now we are facing it on the DC also.

Note: the DC uptime is now 440 days. I guessed it was happening due to the long uptime, so I rebooted the ADC server, but we are still getting the same issue.

Please suggest how to rectify the issue.


The following error occurred attempting to join the domain


Hi,

Our domain controller runs on Windows Server 2008. Before this we were using a single IP address to access the Active Directory server.

Now our organization has changed the network structure and is using multiple VLANs. Our clients, running Windows 7 Pro, cannot join the domain. The error is "The following error occurred attempting to join the domain "XXX.Local": The specified network name is no longer available."

Below are my tests:

1. Test ping server AD = Successful

2. Test nslookup = Successful

C:\>nslookup
Default Server:  biru.itnmb.local
Address:  192.168.42.4

> itnmb.local
Server:  biru.itnmb.local
Address:  192.168.42.4

Name:    itnmb.local
Address:  192.168.42.4

> 192.168.42.4
Server:  biru.itnmb.local
Address:  192.168.42.4

Name:    biru.itnmb.local
Address:  192.168.42.4

3. Test running dcdiag = successful, all tests passed

4. Telnet from client (to all ports required for joining the domain) = Successful

What can I do?

Thanks,

Ezzy


Modify Bulk Users Properties


Hello All,

I need to modify around 3300 users' names (first + middle + last name + display name) and descriptions. Is there any way to do it in one go? I have the users' new properties in a .csv file.

Best Regards,
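One way to apply such a CSV in bulk with the ActiveDirectory PowerShell module, added here as an example that is not part of the post. The CSV header row, the file paths and the log format are assumptions; the script runs with -WhatIf so nothing is written until the log has been reviewed.

```powershell
# Added example (not from the post). Assumes the RSAT ActiveDirectory module and a CSV with
# these columns (constructed layout; the real file's headers are an assumption):
#   SamAccountName,GivenName,Initials,Surname,DisplayName,Description
#   jdoe,John,Q,Doe,"Doe, John Q",Finance Analyst
Import-Module ActiveDirectory

$CsvPath  = 'C:\Temp\users.csv'          # assumed path
$LogPath  = 'C:\Temp\users-update.log'   # assumed path
$Required = 'SamAccountName', 'GivenName', 'Initials', 'Surname', 'DisplayName', 'Description'

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }

# Refuse to run against a file with the wrong headers; a silently ignored column is worse than an error.
$present = $rows[0].PSObject.Properties.Name
$missing = $Required | Where-Object { $_ -notin $present }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

foreach ($row in $rows) {
    $sam  = $row.SamAccountName.Trim()
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if (-not $user) {
        Add-Content -Path $LogPath -Value "SKIP   ${sam}: no such user"
        continue
    }

    # Only attributes that have a value in the CSV are touched; an empty cell leaves the
    # existing value alone instead of blanking it.
    $change = @{}
    foreach ($attr in 'GivenName', 'Initials', 'Surname', 'DisplayName', 'Description') {
        $value = $row.$attr
        if (-not [string]::IsNullOrWhiteSpace($value)) { $change[$attr] = $value.Trim() }
    }
    if ($change.Count -eq 0) {
        Add-Content -Path $LogPath -Value "SKIP   ${sam}: nothing to change"
        continue
    }

    $summary = ($change.GetEnumerator() | ForEach-Object { "$($_.Key)='$($_.Value)'" }) -join '; '
    Add-Content -Path $LogPath -Value "UPDATE ${sam}: $summary"
    # Dry run: -WhatIf reports the change without applying it. Remove -WhatIf once the log reads correctly.
    Set-ADUser -Identity $user.DistinguishedName @change -WhatIf
}
```

Set-ADUser changes the name attributes but not the object's CN (the "Name" column in ADUC); if that has to follow the new name as well, a separate Rename-ADObject -Identity $dn -NewName '...' per user is needed. Running the dry run first and keeping the log gives a record of exactly which 3300 objects changed and to what, which is what an auditor or an incident responder will ask for later.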

Add Service Principal Name to server for Kerberos Constrained Delegation


Hi Folks,

I'm currently having an issue establishing Kerberos Constrained Delegation in my environment.

So I have an Azure Application Proxy (which should do the authentication) and an in-house web application.

The in-house web application's SPN is bound to a service account, let's call it SVCWebApp, and the SPN is HTTP/webapp.domain.com.

When I try to add the SPN to the server for delegation, almost all other SPNs bound to this service account appear, but not the one I need. I ran "setspn -L SVCWebApp" and it shows the right SPN, just not when I'm trying to add it for delegation.

Maybe someone could help out.

Best Regards,

Trust related issue


Hi All,

We are part of the ABC.com domain and all the users were migrated from the legacy domain XYZ.com. The legacy domain has the child domains Apac.xyz.com, Amer.xyz.com and EMEA.xyz.com. We have external trusts between all these child domains and the ABC.com domain.

Recently we created a forest trust between ABC.com and DEF.com, and we created name suffix routing for the name xyz.com in the DEF.com domain. They have the UPN XYZ.com.

The existing environment works fine, and all the existing external trusts work fine. But we face an issue in a few locations of the EMEA.xyz.com domain: when an ABC.com domain user tries to access a share in Emea.xyz.com, the user gets the error "the system detected a possible attempt to compromise security". We verified all the trusts and domain controllers are good. We didn't find any issue in the DCs or the trusts. We restarted all the DCs in ABC.com and EMEA.xyz.com. Finally, for testing, we disabled the "XYZ.com" name suffix routing in the trust between "ABC.com - DEF.com", and then it started working fine for all the affected users.

We don't have any clue how the name suffix routing creates the problem.

If the name suffix routing is the problem, how do all the other locations and the other legacy child domains Amer.xyz.com and Apac.xyz.com work well?

If someone could shed some light on this, it would help us find the root cause.

Clean up objects which are no longer available


Hi everyone,

I want to know how to clean up objects (users or computers) which are no longer available.

e.g.

Some people left or some computers were decommissioned, but we didn't do anything in our AD, so there are lots of invalid users and computers in our Active Directory.

Is there some way to clean up those objects?

For example, query objects that have not been "online" for over 60 days and delete them? By the way, we have SCCM; can this be done by SCCM?

Thanks a lot

Jerry
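A staged version of the 60-day query, added here as an example and not part of the post: it reports, then disables and quarantines rather than deleting, so that a false positive (a laptop in a drawer, a service account that logs on rarely) can be undone. It assumes the ActiveDirectory module; the holding OU and report path are placeholders, and the write operations carry -WhatIf.

```powershell
# Added example (not from the post). Assumes the RSAT ActiveDirectory module; the OU and
# report path are placeholders. Everything runs with -WhatIf until the report has been reviewed.
Import-Module ActiveDirectory

$InactiveFor = New-TimeSpan -Days 60
$HoldingOU   = 'OU=Disabled Objects,DC=example,DC=com'   # placeholder OU for the quarantine step
$ReportPath  = 'C:\Temp\stale-objects.csv'              # placeholder path

# Search-ADAccount evaluates lastLogonTimestamp, which replicates but lags real logons by up to
# 14 days, so anything flagged at 60 days is genuinely quiet. Accounts that never logged on have
# no LastLogonDate; they are reported but excluded from the automatic stage below.
$users = Search-ADAccount -AccountInactive -TimeSpan $InactiveFor -UsersOnly |
    Where-Object { $_.Enabled -and ($_.SamAccountName -notin @('krbtgt', 'Administrator', 'Guest')) }
$computers = Search-ADAccount -AccountInactive -TimeSpan $InactiveFor -ComputersOnly |
    Where-Object { $_.Enabled }

# Never touch domain controllers, whatever their timestamp says
$dcDns = @((Get-ADDomainController -Filter *).ComputerObjectDN)
$computers = $computers | Where-Object { $_.DistinguishedName -notin $dcDns }

$stale = foreach ($a in @($users) + @($computers)) {
    [pscustomobject]@{
        SamAccountName    = $a.SamAccountName
        ObjectClass       = $a.ObjectClass
        LastLogonDate     = $a.LastLogonDate
        NeverLoggedOn     = (-not $a.LastLogonDate)
        DistinguishedName = $a.DistinguishedName
    }
}
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
'{0} stale users, {1} stale computers written to {2}' -f @($users).Count, @($computers).Count, $ReportPath

# Stage 1 (reversible): disable, stamp the description with date and reason, move to the holding OU.
# The move comes last because it changes the DN the other two cmdlets use.
# Stage 2 (delete after the holding period) is a separate, later run, not part of this script.
foreach ($o in ($stale | Where-Object { -not $_.NeverLoggedOn })) {
    $stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): no logon for $($InactiveFor.Days)+ days"
    Set-ADObject   -Identity $o.DistinguishedName -Replace @{ description = $stamp } -WhatIf
    Disable-ADAccount -Identity $o.DistinguishedName -WhatIf
    Move-ADObject  -Identity $o.DistinguishedName -TargetPath $HoldingOU -WhatIf
}
```

The description stamp is what makes the quarantine auditable: anyone opening the object later sees when and why it was disabled. Deleting only from the holding OU, after the agreed period, keeps the SIDs available for recovery (Restore-ADObject with the Recycle Bin enabled) if something turns out to be in use.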

Kerberos & NTLM fallback method


Hi Experts,

Let me know about the following scenarios.

1) When does Kerberos fall back to NTLM? [What factors are considered while falling back to NTLM, or we can say what scenarios/conditions?]

2) How can we specifically find out whether a request going over NTLM is v1 or v2, as well as whether it succeeded or failed? Is there any tool to check this?

Regards,

Sumeet 


Sumeet Mishra
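For the second question, the Security log already records what the post asks for: logon events 4624 (success) and 4625 (failure) carry an Authentication Package field, and when that package is NTLM a Package Name field reading "NTLM V1" or "NTLM V2". The script below, added here as an example and not part of the post, pulls those fields out and summarises them; it assumes an elevated session with read access to the Security log on the DC (or member server) being examined. The usual reasons a client ends up on NTLM, for the first question, are that the target was addressed by IP address rather than name, that no SPN matching the name used is registered (or the SPN is duplicated), that the client cannot reach a KDC, or that a local rather than domain account is used.

```powershell
# Added example (not from the post). Reads the Security log and summarises NTLM logons by
# version and outcome. Needs rights to read the Security log on the target machine.
function Get-NtlmLogonSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 10000
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4625 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Pull the EventData fields by name rather than by position, which differs between 4624 and 4625.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # LmPackageName is "NTLM V1" or "NTLM V2" when NTLM was used and "-" otherwise;
        # Kerberos logons show AuthenticationPackageName=Kerberos and LmPackageName=-.
        if ($d['AuthenticationPackageName'] -ne 'NTLM' -and $d['LmPackageName'] -notmatch '^NTLM') { continue }

        $result = if ($e.Id -eq 4624) { 'Success' } else { "Failure (status $($d['Status']))" }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Result      = $result
            NtlmVersion = $d['LmPackageName']
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = $d['LogonType']
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    }
}

# Usage: counts per version and outcome, then the raw NTLMv1 hits, which are the ones to chase first.
$ntlm = Get-NtlmLogonSummary
$ntlm | Group-Object NtlmVersion, Result | Select-Object Count, Name | Sort-Object Count -Descending
$ntlm | Where-Object NtlmVersion -eq 'NTLM V1' | Sort-Object Time -Descending | Format-Table -AutoSize
```

For a domain-wide view rather than one server's log, the policy "Network security: Restrict NTLM: Audit NTLM authentication in this domain" (set to Enable all on the domain controllers) writes one event per NTLM authentication, ID 8004, to the Microsoft-Windows-NTLM/Operational log, again with the calling workstation and target named. Which NTLM version clients are allowed to send is governed by "Network security: LAN Manager authentication level"; the summary above shows whether any NTLMv1 is still in use before that setting is tightened.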

Give user right to back up DC


Hi

I encountered this question online. I am unsure which is the correct answer.

You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to ensure that the members of the Backup Operators group can back up domain controllers. What should you do?

A. From the Computer Configuration node of DCPolicy, modify Security Settings.
B. From the Computer Configuration node of DomainPolicy, modify Security Settings.
C. From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
D. From the User Configuration node of DCPolicy, modify Security Settings.
E. From the User Configuration node of DomainPolicy, modify Folder Redirection.
F. From the User Configuration node of DomainPolicy, modify Administrative Templates.
G. From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
H. From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.

Thanks in advance


While executing the ktpass command, the warning "Unable to set SPN mapping data" appeared


Hi All,

While executing the ktpass command from an administrator command prompt on a Windows Server machine:
C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestAES128.keytab

the warning message below appeared:

Failed to set property 'servicePrincipalName' to 'host/<host name>' on
Dn 'CN=<CN Name>,CN=Users,DC=<DC Name>,DC=<DC Name>,DC=com': 0x13.
WARNING: Unable to set SPN mapping data.
If <user name> already has an SPN mapping installed for host/<host name>, this is no cause for concern.
Key created.

It is confirmed that no other user in the AD DC is configured with the same host/<hostname>.

Please suggest how to resolve the above warning.

Thanks
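Both this post and the Kerberos Constrained Delegation post above come down to the same two checks: which objects in the forest hold a given SPN, and what delegation state an account is in. The script below is added as an example and is not from either post; it assumes the ActiveDirectory module, uses the SPN and account name given in the delegation post, and uses placeholders for the connector account and the host name that the ktpass post redacts. The SPN search goes through a global catalog and therefore covers computer objects and other domains, not only user accounts, which is the part the ktpass warning asks you to rule out.

```powershell
# Added example (not from either post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SpnHolder {
    # Every object in the forest that has $Spn registered, searched through a global catalog
    # so that computer accounts and accounts in other domains are included too.
    param([Parameter(Mandatory)][string]$Spn)
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Server "${gc}:3268" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Get-DelegationSettings {
    # Delegation-related state of one account (user or computer; computers need the trailing $).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $o = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'
    if (-not $o) { throw "No account named $SamAccountName" }
    $uac = [int]$o.userAccountControl
    [pscustomobject]@{
        Account             = $o.Name
        SPNs                = @($o.servicePrincipalName)
        AllowedToDelegateTo = @($o.'msDS-AllowedToDelegateTo')   # constrained delegation targets
        ProtocolTransition  = [bool]($uac -band 0x1000000)       # TRUSTED_TO_AUTH_FOR_DELEGATION ("use any authentication protocol")
        Unconstrained       = [bool]($uac -band 0x80000)         # TRUSTED_FOR_DELEGATION, the setting to avoid
    }
}

# Delegation post: the SPN must exist exactly once, on the account that runs the service,
# before it can be selected as a delegation target for the proxy connector's account.
$spn = 'HTTP/webapp.domain.com'                                   # from the post
$holders = @(Get-SpnHolder -Spn $spn)
switch ($holders.Count) {
    0       { Write-Warning "$spn is not registered on any object" }
    1       { "$spn is registered once, on $($holders[0].ObjectClass) $($holders[0].DistinguishedName)" }
    default { Write-Warning "$spn is registered $($holders.Count) times (duplicate SPN):"; $holders | Format-Table -AutoSize }
}
Get-DelegationSettings -SamAccountName 'SVCWebApp'      | Format-List   # service account named in the post
Get-DelegationSettings -SamAccountName 'CONNECTORHOST$' | Format-List   # placeholder: the account that should delegate

# ktpass post: list every object already holding host/<hostname>, computers included
Get-SpnHolder -Spn 'host/HOSTNAME-PLACEHOLDER'
```

Duplicate SPNs are worth fixing regardless of the delegation problem: the KDC cannot know which account's key to encrypt a service ticket with, so Kerberos to that service becomes unreliable and clients quietly fall back to NTLM. The Unconstrained column is there because an account that already has full (unconstrained) delegation is a far larger exposure than a missing constrained entry, and it is the first thing to notice when looking at a service account's delegation tab.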

CERTIFICATE REQUEST PROCESSOR


Hi guys,

I need some help please,

I'm getting this message when I'm trying to update my Certificate through the CA.

I can't find or create the certificate template that the system is asking for.

Any help will be really appreciated.

-------------------------------------------------------------------------------------------------------------------------------------

The request contains no certificate template information. 0x80094801 (-2146875391)

Denied by Policy Module 0x80094801, the request does not contain a certificate template extension or the Certificate Template request attribute.

-------------------------------------------------------------------------------------------------------------------------------------

Thanks.

Mr Soy.

Active Directory Trust Issue


Dears ,

We have a domain abc.com and we need to establish a new trust with another domain, test.abc.xyz.com, but when I create a new trust in the Active Directory Domains and Trusts console I get the error message "a trust relationship with the domain you specified already exists". But actually that trust does not exist and was never there!

Please guide me on how I am supposed to troubleshoot this and create that trust.

Thanks a lot
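A trust lives in two places in the directory: a trustedDomain object under CN=System, and an inter-domain trust account (a user object named after the partner's NetBIOS name with a trailing $ and the INTERDOMAIN_TRUST_ACCOUNT flag, 0x800) under CN=Users for trusts in the inbound direction. The Domains and Trusts console only shows the first. The inventory below, added here as an example and not part of this post or the name-suffix-routing post above, lists both sides and flags leftovers of either, which is the check to run before treating an "already exists" message as wrong. It assumes the ActiveDirectory module and rights to read both containers.

```powershell
# Added example (not from either post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Server $Domain

    # 1) Trusts as the cmdlet reports them (built from the trustedDomain objects under CN=System)
    $trusts = Get-ADTrust -Filter * -Server $Domain |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                      SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware

    # 2) Raw trustedDomain objects, with the NetBIOS name and direction bits (1 = inbound, 2 = outbound)
    $tdos = Get-ADObject -Server $Domain -SearchBase "CN=System,$($dom.DistinguishedName)" `
        -LDAPFilter '(objectClass=trustedDomain)' -Properties flatName, trustPartner, trustDirection, whenChanged

    # 3) Inter-domain trust accounts: user objects with userAccountControl bit 0x800 (2048)
    $accounts = Get-ADObject -Server $Domain -SearchBase "CN=Users,$($dom.DistinguishedName)" `
        -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048))' `
        -Properties sAMAccountName, whenCreated, whenChanged |
        Select-Object sAMAccountName, whenCreated, whenChanged

    # 4) Cross-check by NetBIOS name: every trust account should match a TDO, and every TDO with the
    #    inbound bit should have its account. Either one alone is a half-removed trust.
    $flatNames    = @($tdos.flatName)
    $accountNames = @($accounts.sAMAccountName)
    $orphanAccounts = $accounts | Where-Object { ($_.sAMAccountName -replace '\$$', '') -notin $flatNames }
    $orphanTdos     = $tdos | Where-Object { ([int]$_.trustDirection -band 1) -and ("$($_.flatName)`$" -notin $accountNames) } |
        Select-Object Name, flatName, trustPartner, trustDirection, whenChanged

    [pscustomobject]@{
        Trusts         = $trusts
        TrustAccounts  = $accounts
        OrphanAccounts = @($orphanAccounts)
        OrphanTdos     = @($orphanTdos)
    }
}

# Usage: run in the domain that reports the error (abc.com in the post) and in the intended partner
$inv = Get-TrustInventory
$inv.Trusts        | Format-Table -AutoSize
$inv.TrustAccounts | Format-Table -AutoSize
if ($inv.OrphanAccounts.Count -or $inv.OrphanTdos.Count) {
    Write-Warning 'Half-removed trust found; review it before creating the new trust:'
    $inv.OrphanAccounts | Format-Table -AutoSize
    $inv.OrphanTdos     | Format-Table -AutoSize
}
```

The SIDFiltering columns are included deliberately: when a trust is rebuilt it is the moment to confirm that SID filtering (quarantine on external trusts, SID filtering on forest trusts) stays enabled, since a trust without it lets the partner domain inject SIDs from your domain into its users' tokens. Run the same inventory on the partner side, because the leftover can just as well be there.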

ADUC Missing the unlock account option


Hi,

Environment:

Domain Functional Level: WS2003
Forest Functional Level: WS2003
Two DCs: Running WS2003

When viewing ADUC from the domain controller (WS2003), I noticed that it displays (Account is locked out) for all user accounts.

When trying to reset a user's password, the Account Lockout Status message is not showing up and I am unable to unlock the account:

However, when I installed the ADUC tool on WS2008, the Account Lockout Status message is there and I get the unlock account option:

Why am I unable to unlock the user account from the DC (WS2003) itself?

There are no more WSUS patches released for WS2003.
If this is a patch-related issue, which update(s) is missing?

Thanks

LDS Sync Failed


We are not getting the usual "Finished (successful) synchronization run." message at the end of the sync log. This is what's in the log:

Adamsync.exe v1.0 (6)

Establishing connection to target server localhost:389.

Saving Configuration File on DC=UCMultiForest,DC=local

Saved configuration file.

ADAMSync is querying for a writeable replica of ***.corp.

Establishing connection to source server DC03.***.corp:389.

Using file .\dam13C3.tmp as a store for deferred dn-references.

Populating the schema cache

Populating the well known objects cache

Starting synchronization run from dc=***,dc=corp.

Starting DirSync Search with object mode security.

Then it processes thousands of entries until it gets to this last one:

Processing Entry: Page 19, Frame 2, Entry 0, Count 0, USN 306367411

Processing source entry <guid=d529b83b09eb0e4ea63d6c913d1c4421>

Processing in-scope entry d529b83b09eb0e4ea63d6c913d1c4421.

(sourceobjectguid=\d5\29\b8\3b\09\eb\0e\4e\a6\3d\6c\91\3d\1c\44\21) exists in target. Converting object creation to object modification.

Renaming target object (implicit) OU=Users,OU=Mortgage Office,OU=MO,OU=US,OU=Branches,OU=Associate Locations,OU=BankIL,DC=UCMultiForest,DC=local to .

Ldap error occured. 2: Other. 

Extended Info: 00002089: UpdErr: DSID-031B0D42, problem 5012 (DIR_ERROR), data 2
.

Ldap error occured. 2: Other. 

Extended Info: 00002089: UpdErr: DSID-031B0D42, problem 5012 (DIR_ERROR), data 2
.

Saving Configuration File on DC=UCMultiForest,DC=local

Saved configuration file.

Something to note is that the OU it is erroring on at the end here does not exist and hasn't for at least a year. It was moved to another parent OU, and I can see in the log sync successes from the moved OU. What is the significance of it trying to rename to nothing? Any ideas how to investigate further or fix this?

Server is intermittently restarting after upgrading to 2012 R2 from 2012


Our server is intermittently restarting after upgrading to 2012 R2 from 2012, but if we revert back to 2012 from 2012 R2 it works fine. And if we add an additional domain controller in the same domain, that server also sees the same problem. So we kindly request a solution to this problem if anyone knows one.

Error details : 

Source: Application Error

Event ID: 1000

Faulting Application name: lsass.exe, version: 6.3.9600.17415, time stamp"0x545042fe

Faulting module name: KERNELBASE.dll, version:6.3.9.600.18938, time stamp: 0x5a7ddf0a

Exception Code: 0xe0010004

Fault offset: 0x0000000000008eac

Faulting process id: 0x250

Faulting application start time: 0x01d4259802a6188b

Faulting application path: C:\Windows\system32\lsass.exe

Faulting module path: C:\Windows\system32\KERNELBASE.dll

Report Id: 53af6039-918b-11e8-80e2-00155d5d7914

Faulting package full name:

Faulting package -relative application ID:

Source: Wininit

Event ID: 1015

Encryption key gets changed while generating it via the KTPASS command


Hi,

SERVER: Windows Server 2012 R2

While generating the keytab file using the KTPASS command, the encryption key for encryption types AES128-SHA1 and AES256-SHA1 gets changed for the same domain user and password.

In the case of encryption type RC4-HMAC-NT, the encryption key remains the same for the same domain user and password.

As per my knowledge, security patch KB4103715 is installed on the Windows Server 2012 R2 machine; after that, while generating the keytab file with the KTPASS command, the encryption keys for AES128-SHA1 and AES256-SHA1 are different from the encryption keys generated before installing patch KB4103715 for the same domain user, password and encryption type.

Before installation of patch KB4103715, all the respective generated encryption keys [for AES128, AES256] were the same for the same domain user and password.

Is the reason for the change of the encryption keys for AES128 and AES256 the installation of patch KB4103715?

Is patch KB4103715 affecting the key generation logic of the ktpass command?

please suggest.

Thank You


WinRS vs WinRM - MSG.exe


Hi All,

I'm attempting to use msg.exe to send a daily reminder to all users in the domain. I've created a GPO to enable WinRM and the WinRM service, but I'm still getting Error 1722 when using msg.exe. The firewall for the domain is currently off on all workstations. Oddly enough, it works if I use winrs -r first and then msg.exe (i.e. winrs -r:computername msg * YakYakYak) and the message pops up on the targeted PC.

PS C:\WINDOWS\system32> msg /server:COMPUTERNAME * Did this work again?
Error 1722 getting session names

PS C:\WINDOWS\system32> winrs -r:COMPUTERNAME msg * Did this work again?
WORKS!!

This is the full PS command I'm trying to run...

(Get-ADComputer -SearchBase "OU=Test OU,DC=us,DC=local" -Filter *).Name | Foreach-Object {Invoke-Command -ComputerName $_ {msg * "PLEASE REMEMBER TO TURN OFF YOUR OFFICE LIGHTS"}}

Is there a way to work WINRS into that command?

I want to send messages from my Active Directory server to all currently logged on users. My Active Directory server is Windows 2012 R2 and the client operating systems are Win7, Win8 and Win10. Please provide resources about this.


Sending messages from my Active Directory server to all currently logged on users.

AD DC could not be contacted


Hello Everyone,

I want to join my client PC to the domain, but I get the error "AD DC could not be contacted".

I have installed the server with IP 192.168.0.100, subnet 255.255.255.0, default gateway 192.168.0.1.

Client PC configuration: 192.168.0.10, subnet 255.255.255.0, default gateway 192.168.0.1, DNS server 192.168.0.100.

I am not able to ping the client PC from the DC or vice versa.

When I ping, it says destination host unreachable.

How should I configure the server and client? Please help me to solve this problem.

Thanks
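A domain join depends on a short chain: the client resolves the DC locator SRV record through DNS, then reaches a handful of ports on the DC it was given. The check below walks that chain and serves both this post and the "specified network name is no longer available" post above; it is added as an example and is not from either post. It needs Windows 8 / Server 2012 or later on the client (Resolve-DnsName, Test-NetConnection) and takes the domain name and DC address as parameters; the usage line uses the values from the earlier post, and this post's 192.168.0.100 substitutes directly.

```powershell
# Added example (not from either post). Needs Windows 8 / Server 2012 or later on the client.
function Test-DomainJoinPrerequisites {
    param(
        [Parameter(Mandatory)][string]$DomainName,   # e.g. 'itnmb.local'
        [Parameter(Mandatory)][string]$DcAddress     # e.g. '192.168.0.100'
    )
    $rows = New-Object System.Collections.Generic.List[object]
    function Add-Row($Check, $Target, $Ok, $Detail) {
        $rows.Add([pscustomobject]@{ Check = $Check; Target = $Target; Ok = [bool]$Ok; Detail = $Detail })
    }

    # 1) Is the DC the client's DNS server? The SRV records below only exist on the DC (or a server forwarding to it).
    $clientDns = @(Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object ServerAddresses | Where-Object { $_ })
    Add-Row 'Client DNS servers' ($clientDns -join ', ') ($DcAddress -in $clientDns) 'DC should be listed first'

    # 2) ICMP to the DC. "Destination host unreachable" here is an IP/VLAN/cabling problem, not an AD one.
    $ping = Test-NetConnection -ComputerName $DcAddress -WarningAction SilentlyContinue
    Add-Row 'Ping' $DcAddress $ping.PingSucceeded ("via interface " + $ping.InterfaceAlias)

    # 3) DC locator record, asked of the DC's own DNS so a client-side forwarder cannot mask it
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $dcHosts = @()
    try {
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV -Server $DcAddress -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' })
        $dcHosts = @($srv.NameTarget)
        Add-Row 'SRV record' $srvName ($dcHosts.Count -gt 0) ($dcHosts -join ', ')
    } catch {
        Add-Row 'SRV record' $srvName $false $_.Exception.Message
    }
    if ($dcHosts.Count -eq 0) { $dcHosts = @($DcAddress) }

    # 4) Fixed ports a join uses on each DC found (dynamic RPC ports cannot be probed this way)
    foreach ($dc in $dcHosts) {
        foreach ($port in 53, 88, 135, 389, 445, 464) {
            $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            $detail = if ($t.TcpTestSucceeded) { 'open' } else { 'closed or filtered' }
            Add-Row "TCP $port" $dc $t.TcpTestSucceeded $detail
        }
    }
    $rows
}

# Usage (values from the earlier post); every row should read Ok=True before attempting the join
Test-DomainJoinPrerequisites -DomainName 'itnmb.local' -DcAddress '192.168.42.4' | Format-Table -AutoSize
```

The order of the rows is the order to fix them in: a failing ping makes everything after it meaningless, and a missing SRV record with open ports points at DNS (the client using a public resolver, or the new VLAN's DHCP scope handing out the wrong DNS server) rather than at the DC.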

Set up ADFS device registration in a forest without an ADFS server.


Hi everyone,

We have an ADFS server in a separate forest. Is it possible to activate device registration in a forest without an ADFS server? Today we have the ADFS in forest FS11 and the users and devices in FS2. For user authentication this gives no problem. Regarding device registration I can't see how to solve that. Initialize-ADDeviceRegistration sets the registration service for the current forest. Any thoughts on this?

Will a domain functional level change break NTLM across trusted domain?


Your opinions please... 

2 forests. Domain R is a single forest/domain. Domain H is a child domain within a separate forest.

The forests have a two-way transitive FOREST trust. The domains have a two-way non-transitive EXTERNAL trust. I don't know why it was done this way. Both forests and domains are at FFL/DFL 2003.

Domain R has a legacy (mission-critical) application that authenticates using NTLM only. It is used mostly by users in Domain H.

I've been led to believe that by upgrading the FFL/DFL of the forest/domain (Domain H), my users in Domain H will no longer be able to authenticate to the app in Domain R. This is because in a native 2008, 2008 R2, 2012 R2 or 2016 AD environment, there is a lack of support for NTLM authentication over an EXTERNAL trust. PERIOD (i.e. no amount of GPO settings can force the behaviour).

The only workaround involves CAs and signing the traffic (a plan that I'm not fully up to speed with yet).

Any input gladly appreciated.

Thanks
