
Unknown Sign In AD Through Bulk Modifications


Hello All,

I did a bulk modification through a .csv file for all AD users and added a description (the "description" field) for each user in Arabic, but it shows the description as " ♥ ". If I type it manually, it works fine. Is there any way to add the Arabic description through bulk modification?

Best Regards,
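A garbled Description value after a CSV import usually means the file was read with a different code page than it was written with. The following is an added example, not code from the original post, showing how to keep the encoding explicit on both the write and the read and to check the text before touching the directory. It assumes the RSAT ActiveDirectory module is installed, that the CSV has SamAccountName and Description columns, and that the two user rows are constructed sample data.

```powershell
# Added example (not from the original post): bulk-set the Description
# attribute from a CSV while controlling the text encoding explicitly.
# Assumptions: columns SamAccountName and Description, ActiveDirectory module present.
Import-Module ActiveDirectory

$csvPath = Join-Path $env:TEMP 'user-descriptions.csv'

# Constructed sample input. Writing it with an explicit UTF-8 encoding is what
# keeps the Arabic text intact; a CSV saved in a legacy code page and read back
# as UTF-8 (or the other way round) comes back as unrelated symbols.
@"
SamAccountName,Description
jdoe,موظف قسم المبيعات
asmith,مدير تقنية المعلومات
"@ | Out-File -FilePath $csvPath -Encoding utf8

# Read it back with the same encoding stated explicitly rather than relying
# on the console's default code page.
$rows = Import-Csv -Path $csvPath -Encoding UTF8

foreach ($row in $rows) {
    # U+FFFD is the replacement character a decoder emits for bytes it cannot
    # interpret; its presence means the file was read with the wrong encoding.
    if ($row.Description -match [char]0xFFFD) {
        Write-Warning "Encoding problem in row for $($row.SamAccountName); skipping"
        continue
    }
    # -WhatIf previews the change without applying it; remove it to commit.
    Set-ADUser -Identity $row.SamAccountName -Description $row.Description -WhatIf
}
```

If the script file itself contains non-ASCII literals, as this one does, save the .ps1 as UTF-8 with a byte-order mark; Windows PowerShell 5.1 otherwise parses the file in the system code page and the Arabic literal is corrupted before the CSV is even written.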


Object types missing from selection in Select Groups


We run our DC on a VM and it is used exclusively for DC and certificate purposes.

This morning there was an application error with mmc.exe, so I rebooted the VM.

All was fine except that now, when I go to add a user or computer to a group in AD, I cannot select "Computers" or "Users" when I click the Object Types button; they are just missing. The only two available under Select Object Types are "Groups" and "Built-in Security Principals".

I do not know why those object types are no longer selectable, but it is important that I get them back.

This is on MS Server 2012 R2, up to date.

concerns about switching to a different dhcp server


I just want to make sure that I do not miss anything when I switch DHCP from the ASA firewall to Windows DHCP. What should I be concerned about before making this switch? Do I need to shorten the lease period so that the client machines get the correct DHCP lease immediately? If I turn off DHCP on the ASA firewall (which is currently being used) and the client machines' lease time has not been reached, will they lose network connection immediately even if I turn on Windows DHCP?

Please advise! Thank you!

Guest's account in the SAM database failed due to a resource error


Hello All,

I got this error on our server (DC) in the event log and it happened a few times (on Windows Server 2012 R2 Standard).

Guest's account in the SAM database failed due to a resource error, such asAs a typing error on the hard drive, not be locked.The error code can be found in the error data.Accounts are blocked after multiple incorrect password entries. Therefore, reset the password for this account.

Event ID: 12294, Source: Directory-Services-SAM

Could anyone please tell me what this error is?

Regards

permissions to delegate repadmin

Is there a way to delegate permissions to run repadmin commands?

Print Server - Unable to print


Hi,

1. I have set up a 2016 print server, say with IP 10.10.x.x.
2. I can send print jobs to printers available in the same network (say printer IP 10.10.x.x) and I can print.
3. When I send a print job to printers that belong to a different subnet (say printer IP 10.11.x.x), it returns the error 'Error priniting'.


Is there anything that needs to be configured at the print server, like any service or rule?
Or is this something that needs to be done at the router level?

Please let me know.

Thanks

Is NTLM officially supported in an organization with all DCs running Windows 2016 and forest/domain level running either Windows Server 2012 or 2016?


Hello MS Directory Services team,

I would like to gather official MS information [KB/post] and/or a response to this thread on whether NTLM authentication is unsupported and has been deprecated in Windows 2016.

My client, who runs a Microsoft shop [Exchange/Windows servers, Windows 10/7 PCs, Office 2013/2016], is also running some legacy applications that still rely on NTLM for authentication instead of Kerberos. So, what would be the right approach given the MS support matrix?

My client is going to migrate their farm of Windows 2008 DCs to 2016, and this is something that needs to be addressed before this implementation; otherwise, legacy applications that rely on NTLM will fail.

Can you please confirm that if we upgrade our DCs to Server 2016 and change the Forest and Domain Functional Levels our 3rd party applications/web sites/Microsoft Applications that rely on NTLM rather than Kerberos will still function?

Please see below a copy-paste from an old partner site with a similar question. It would be highly appreciated if you could provide as much information as you can, with KB/URLs that fully support your answer.

Hi


We are migrating active directory from its current 2003 OS and 2003 domain/forest functional level to Windows 2012 R2 OS and 2012 R2 Domain and forest functional level and have some concerns about both Microsoft and 3rd party applications. Regrettably, Microsoft has provided some conflicting documentation about authentication, specifically NTLM so please can you clarify:

Primarily we have been using this resource as our plan of action


https://social.technet.microsoft.com/wiki/contents/articles/32100.active-directory-migrating-from-2003-to-2012-r2-enterprise-multi-site-single-forest-domain.aspx#Raise_Forest_Domain_functional_level


This document tells us that for the NTLM aspects:

  • Database – database configurations using NTLM will need to change authentication methodologies.
  • IIS or apache – websites using NTLM will need to change authentication methodologies.
  • Authentication in some applications may be using NTLM for authentication. NTLM is no longer supported in 2012 R2 for authentication; Kerberos is used. If applications are still using NTLM they will need to be updated or upgraded to meet this requirement.


However, If we refer to this documentation:

https://docs.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview


it only tells us that Kerberos is the preferred authentication protocol for domains and doesn't say that we cannot fall back on NTLM if that is in use. It also says that it is still supported and that there have been no changes to or deprecation of NTLM in Server 2012 R2:

  • NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but a non-Microsoft or Microsoft application might still use NTLM.
  • There are no changes in functionality for NTLM for Windows Server 2012.
  • There is no removed or deprecated functionality for NTLM for Windows Server 2012.

Can you please confirm that if we upgrade our DCs to Server 2012 R2 and change the Forest and Domain Functional Levels our 3rd party applications/web sites/Microsoft Applications that rely on NTLM rather than Kerberos will still function?

In addition, are you able to steer me to documentation that summarizes other functional changes/deprecation that may affect applications e.g. ciphers or authentication algorithms that may have been removed?


From your description, I know you have some questions about authentication on Windows server 2003 AD and Windows server 2012 R2 AD. If there’s any misunderstanding, please let us know.


For your convenience, I have listed my answers to your question as below:


Q1: Can you please confirm that if we upgrade our DCs to Server 2012 R2 and change the Forest and Domain Functional Levels our 3rd party applications/web sites/Microsoft Applications that rely on NTLM rather than Kerberos will still function?


A1: Based on my research, Protected Users authenticating to a Windows Server 2012 R2 domain can no longer authenticate with NTLM authentication. Please check whether your application will use Protected Users. If yes, it will be affected. If not, I think it will be OK. We can see more details in the following link:

Forest and Domain Functional Levels

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels


In addition, to double-check whether the third-party application will be affected, we suggest building a test environment and testing first.


Q2: are you able to steer me to documentation that summarizes other functional changes/deprecation that may affect applications e.g. ciphers or authentication algorithms that may have been removed?


A2: Based on my research, I find that changing the Domain or Forest Functional Level should have no impact on an application that depends on Active Directory. For any third-party applications, we should contact the vendor to find out whether they tested the product at the proposed level and, if so, with what result.

https://blogs.technet.microsoft.com/askds/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level/


For the changes in Windows Server 2012 R2, I have found the following articles, which we can read for reference:


Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta

https://blogs.technet.microsoft.com/secguide/2014/08/13/changes-in-the-security-guidance-for-windows-8-1-server-2012-r2-and-ie11-since-the-beta/


Hope the above information can help. If there’s any question or concern, feel free to contact us.
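The practical way to answer "which of our applications still depend on NTLM" before raising functional levels is to turn on NTLM auditing and read what the NTLM operational log records. The following is an added example, not code from the thread above, that summarises those events per event ID and flattens each event's fields so the calling workstation, target server and account can be exported. It assumes the "Network security: Restrict NTLM" audit policies have already been applied (on DCs, "Audit NTLM authentication in this domain"; on member servers, "Audit Incoming NTLM Traffic"), since that is what populates the log, and the computer name is a placeholder.

```powershell
# Added example (not from the original thread): inventory NTLM use from the
# Microsoft-Windows-NTLM/Operational log once NTLM auditing is enabled.
# Assumption: the audit policies are applied; $ComputerName is a placeholder.
function Get-NtlmAuditSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )

    # 8001-8004 are the audit events this log writes for outbound (client),
    # inbound (server) and domain/DC-level NTLM authentication.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'
        Id      = 8001, 8002, 8003, 8004
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No NTLM audit events on $ComputerName; check that the audit policy is applied."
        return
    }

    # Flatten each event's EventData into name/value pairs so the output does
    # not depend on knowing the field order of every event ID.
    $records = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = [ordered]@{ Time = $e.TimeCreated; Id = $e.Id }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$data
    }

    # Per event ID: how often it fired and which fields carry the inventory
    # (caller machine, target server, user name).
    $summary = $records | Group-Object Id | ForEach-Object {
        $group = $_
        [pscustomobject]@{
            EventId = [int]$group.Name
            Count   = $group.Count
            Fields  = ($group.Group[0].PSObject.Properties.Name |
                       Where-Object { $_ -notin 'Time', 'Id' }) -join ', '
        }
    }

    [pscustomobject]@{ Summary = $summary; Records = $records }
}

$result = Get-NtlmAuditSummary -ComputerName 'dc01.corp.example'
$result.Summary | Format-Table -AutoSize
# The flat records are what goes to the application owners.
$result.Records | Export-Csv -Path '.\ntlm-audit.csv' -NoTypeInformation
```

Run it against each DC (the domain-level events) and against member servers hosting the legacy applications (the inbound events); a workstation or service account that appears only in the NTLM log and never in Kerberos traffic is the one that will need attention before the cut-over.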


How to find last successful login and user on a domain


Hello all,

So I'm trying to find an easier or automated way to find the last user to log on to all servers on my domain; we do audit logon attempts. So I was wondering if there's a command to specify a DC and it would list all servers and the last person to log on to each of them.

If someone can point me in the right direction, I would appreciate it!

Thanks!
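There is no single DC-side attribute that records the last person to log on to each server; what a DC holds is per-account logon times, not per-server ones. The answer therefore comes from each server's own Security log, event 4624, which is exactly what the logon auditing already mentioned produces. The following is an added example, not code from the post above, that enumerates servers from AD and reads the newest interactive or RDP logon from each. It assumes logon auditing is enabled on the servers, the caller can read remote event logs, and the ActiveDirectory module is present; the server selection filter is an assumption to adjust to local naming.

```powershell
# Added example (not from the original post): newest interactive/RDP logon
# per server, read from each server's Security log (event 4624).
# Assumptions: auditing on, remote event-log access, ActiveDirectory module present.
Import-Module ActiveDirectory

function Get-LastInteractiveLogon {
    param([Parameter(Mandatory)][string]$ComputerName)

    try {
        # Pull a bounded number of recent 4624 events; logon type has to be
        # filtered client-side because FilterHashtable has no key for it.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4624
        } -MaxEvents 500 -ErrorAction Stop
    } catch {
        # Unreachable or access denied is reported, never silently skipped.
        return [pscustomobject]@{ Server = $ComputerName; User = $null; Time = $null; Error = $_.Exception.Message }
    }

    foreach ($e in $events) {
        # In a 4624 event: Properties[5] = TargetUserName, [6] = TargetDomainName,
        # [8] = LogonType; 2 = console, 10 = RemoteInteractive (RDP).
        $logonType = [int]$e.Properties[8].Value
        $user      = [string]$e.Properties[5].Value
        # Machine accounts end in '$' and are not "a person logging on".
        if (($logonType -in @(2, 10)) -and -not $user.EndsWith('$')) {
            return [pscustomobject]@{
                Server = $ComputerName
                User   = "$($e.Properties[6].Value)\$user"
                Time   = $e.TimeCreated
                Error  = $null
            }
        }
    }
    [pscustomobject]@{ Server = $ComputerName; User = $null; Time = $null; Error = 'no interactive logon in the last 500 events' }
}

# Servers are selected by their operating-system string (assumed naming).
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' -Properties OperatingSystem
$servers | ForEach-Object { Get-LastInteractiveLogon -ComputerName $_.DNSHostName } |
    Sort-Object Server | Format-Table -AutoSize
```

Logon type 3 (network) is deliberately excluded: it fires for every file share and RPC call and would otherwise report the last service account that touched the box rather than the last person who sat at it. Raise -MaxEvents for busy servers where 500 events may not reach back to the last console session.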


Active Directory User Reports

I would like to generate reports for AD users on criteria like newly created, deleted and modified users, and enabled, disabled and inactive users. I want to generate these reports for the past 30 days only. Is there any script or reporting tool available for this purpose?
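Each of those categories maps to a replicated attribute or to an object state that the ActiveDirectory module can query directly, so no separate reporting tool is required for a 30-day window. The following is an added example, not code from the post above, that builds all six lists in one function and writes each to its own CSV. It assumes the ActiveDirectory module is present and that the AD Recycle Bin is enabled, which is what keeps deleted users around with a usable timestamp.

```powershell
# Added example (not from the original post): 30-day user activity report.
# Assumptions: ActiveDirectory module present; AD Recycle Bin enabled.
Import-Module ActiveDirectory

function Get-ADUserActivityReport {
    param([int]$Days = 30)

    $cutoff = (Get-Date).AddDays(-$Days)

    # "Created" and "modified" come from the replicated whenCreated/whenChanged
    # attributes; modified excludes accounts that were created in the window.
    $created  = Get-ADUser -Filter { whenCreated -ge $cutoff } -Properties whenCreated
    $modified = Get-ADUser -Filter { whenChanged -ge $cutoff -and whenCreated -lt $cutoff } -Properties whenChanged

    # Deleted users survive as deleted objects; whenChanged is updated at
    # deletion time, which is what makes the date window work for them.
    $deleted = Get-ADObject -IncludeDeletedObjects -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and whenChanged -ge $cutoff } -Properties whenChanged, lastKnownParent

    # Enabled/disabled are current states rather than events; "inactive" uses
    # the replicated lastLogonTimestamp through Search-ADAccount.
    $enabled  = @(Get-ADUser -Filter { Enabled -eq $true })
    $disabled = Search-ADAccount -AccountDisabled -UsersOnly
    $inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly

    [pscustomobject]@{
        WindowStart  = $cutoff
        Created      = $created  | Select-Object Name, SamAccountName, whenCreated
        Modified     = $modified | Select-Object Name, SamAccountName, whenChanged
        Deleted      = $deleted  | Select-Object Name, lastKnownParent, whenChanged
        EnabledCount = $enabled.Count
        Disabled     = $disabled | Select-Object Name, SamAccountName
        Inactive     = $inactive | Select-Object Name, SamAccountName, LastLogonDate
    }
}

$report = Get-ADUserActivityReport -Days 30
$report | Format-List

# One CSV per category for distribution.
foreach ($section in 'Created', 'Modified', 'Deleted', 'Disabled', 'Inactive') {
    $report.$section | Export-Csv -Path ".\users-$section.csv" -NoTypeInformation
}
```

Two caveats worth knowing when reading the output: lastLogonTimestamp is only replicated when it is more than about 14 days stale, so "inactive for 30 days" is accurate but "inactive for 5 days" would not be; and the Name of a deleted object carries a "DEL:<guid>" suffix, which is why lastKnownParent is included to show where the account lived.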

Domain Services - Active Directory Hosting DMZ


Hi Team,

Just wanted to know why people hesitate to keep their servers joined to the domain network while the server is placed in the DMZ segment.

I would like to know well-detailed security notes on this.

I have seen multiple organizations that fear keeping their machine joined to the domain while the server is in the DMZ.

I know our server is exposed to the internet and there could be a lot of attacks, but if we closely harden the server as well as do the application pen test and close any vulnerabilities found, are we still in danger?

Awaiting expertise answers for this.

Regards,

Sumeet Mishra



Get-ADGroupMember with Users in different Forests


Hi there,

I have two trusted domains in different forests and want to retrieve the members of some groups which contain members of both domains. Get-ADGroupMember fails with an ADException error. Groups with members from only their own domain work fine.

The domain mode is Windows 2003; both have Windows 2008 R2 domain controllers with Active Directory Web Services running. Any advice on how to fix this?

Sorry for my bad English!

Thank you!
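Members from another forest are stored in the group's member attribute as foreignSecurityPrincipal objects whose name is the account's SID, and Get-ADGroupMember tries to resolve those as native objects, which is the step that fails. Reading the member attribute directly and translating the SIDs yourself sidesteps that. The following is an added example, not code from the post above; the group name and server are placeholders, and it assumes the trust is reachable from the machine running it so that SID-to-name translation can succeed.

```powershell
# Added example (not from the original post): enumerate group members by
# reading the member attribute and resolving foreign security principals
# (members from a trusted forest) by SID translation.
# Assumptions: a reachable trust; group name and server are placeholders.
Import-Module ActiveDirectory

function Get-GroupMembersAcrossForests {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Server
    )
    $groupParams = @{ Identity = $GroupName; Properties = 'member' }
    if ($Server) { $groupParams.Server = $Server }
    $group = Get-ADGroup @groupParams

    foreach ($dn in $group.member) {
        $objParams = @{ Identity = $dn; Properties = 'objectSid', 'objectClass', 'sAMAccountName' }
        if ($Server) { $objParams.Server = $Server }
        $obj = Get-ADObject @objParams

        if ($obj.objectClass -eq 'foreignSecurityPrincipal') {
            # The FSP carries the SID of the account in the trusted forest; the
            # translation is what needs the trust to be up.
            $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
            try {
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $status  = 'resolved via trust'
            } catch {
                # Keep the raw SID so an orphaned FSP is visible rather than dropped.
                $account = $sid.Value
                $status  = 'unresolved SID (trust unreachable or account deleted)'
            }
        } else {
            $account = $obj.sAMAccountName
            $status  = 'local forest'
        }

        [pscustomobject]@{
            Group       = $group.Name
            Member      = $account
            ObjectClass = $obj.objectClass
            Status      = $status
            DN          = $dn
        }
    }
}

Get-GroupMembersAcrossForests -GroupName 'Cross-Forest-App-Admins' -Server 'dc01.domaina.example' |
    Format-Table -AutoSize
```

This reads one level only; nested groups appear as objectClass group and would need the function called again on them. Unresolved SIDs in the output are worth reviewing on their own: an FSP whose account no longer exists in the other forest is dead weight in the group and should be removed.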

Password Hash, encryption inside the NTDS.DIT database


I understand an instance of an AD database (ntds.dit) has a ‘password encryption key’ which is used to encrypt the password hashes stored in the database. I also understand each computer has a boot key (aka system key) which is different on every computer and on DCs is used to encrypt the password encryption key. This boot key is kept in the System hive of the registry on the computer.
If the above is correct, a key is used as an input to a cipher of some description.

Below I am referring to Password hash at rest encryption, not talking about Kerberos at this point

Question 1:
I believe prior to Windows 2008 R2 the default encryption was RC4, which I believe means a user/computer password hash was encrypted using two rounds of RC4 followed by one round of DES, using the password encryption key?

Question 2:
From 2008 R2 and above (or should that be 2012 R2?), I believe AES is used instead of RC4/DES.

Question 3:
I also believe NTLM (either v1 or v2) is always hashed using MD4 (then encrypted as above before being stored)?

Question 4:
NTLM passwords are hashed using MD4; what about non-NTLM? E.g., when a user with a Kerberos TGT/TS changes their password, is the password hashed using MD5 (pre 2008 R2) or SHA1 (2008 R2 and above), then encrypted (RC4/DES pre 2008 R2, or AES 2008 R2 and above) and stored in AD? Is that correct?

Thanks all

CMelga

DCPromo as RODC fails - Server 2016


I've been working on a DCPromo issue for about 6 months that I can't seem to get around.  Some of my specific details are a little fuzzy at this point since it's been so long but I tried the process 3 times in the last 24 hours & I still get a failure.

The 2016 servers were RWDCs & I demoted them & then tried to DCPromo as RODC. I continuously get these results:

The operation failed because:

While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.

"The replication operation failed because the target object referred by a link value is recycled."

I have tried deleting any related AD Recycle Bin records, short of just deleting everything, which I'm not doing. I'm searching by date, by server name & by "KRBTGT_" & deleting anything I find, but the issue persists:

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server domaincontroller.domain.com | Where-Object {$_.DistinguishedName -like "*krbtgt_*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server pdc-necorp.nesl.com | Where-Object {$_.DistinguishedName -like "*xxxxxx*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server dhcp-necorp.nesl.com | Where-Object {$_.WhenChanged -gt "7/17/2018 4:00:00 PM"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

I've also waited over 30 days between attempts (after deleting the recycle bin items) - no good!

The only way around it is to promote as an RWDC again.

Any suggestions would be appreciated.

-Dave
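With the Recycle Bin enabled an object passes through two states, deleted (restorable) and recycled, and IsDeleted is true for both, so the searches above cannot tell which of the krbtgt_ accounts have already reached the state the error names. The following is an added example, not code from the post above, that labels each deleted krbtgt_ object by state and, for every RODC still in the domain, checks whether its msDS-KrbTgtLink resolves to a live object. It assumes the Recycle Bin is enabled and the ActiveDirectory module is present; the helper DC name is a placeholder.

```powershell
# Added example (not from the original post): separate deleted from recycled
# krbtgt_ accounts and check each RODC's msDS-KrbTgtLink target.
# Assumptions: AD Recycle Bin enabled; $Server is a placeholder helper DC.
Import-Module ActiveDirectory

function Get-RodcKrbtgtLinkState {
    param([string]$Server = 'dc01.corp.example')

    # isRecycled is set only once the object has left the restorable state;
    # a deleted object's Name keeps its prefix, so the wildcard still matches.
    $krbtgtDeleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and Name -like 'krbtgt_*' } `
        -Properties whenChanged, isRecycled |
        Select-Object Name, whenChanged,
            @{ n = 'State'; e = { if ($_.isRecycled) { 'recycled' } else { 'deleted (restorable)' } } }

    # For every current RODC, read its krbtgt link and try to resolve the target.
    $links = foreach ($rodc in Get-ADDomainController -Server $Server -Filter { IsReadOnly -eq $true }) {
        $comp   = Get-ADComputer -Server $Server -Identity $rodc.ComputerObjectDN -Properties 'msDS-KrbTgtLink'
        $target = $comp.'msDS-KrbTgtLink'
        $state  = if (-not $target) {
            'no readable link value'
        } else {
            try {
                $null = Get-ADObject -Server $Server -Identity $target -ErrorAction Stop
                'resolves to a live object'
            } catch {
                'does not resolve'
            }
        }
        [pscustomobject]@{ RODC = $rodc.HostName; KrbTgtLink = $target; State = $state }
    }

    [pscustomobject]@{ DeletedKrbtgtAccounts = $krbtgtDeleted; RodcLinks = $links }
}

$result = Get-RodcKrbtgtLinkState
$result.DeletedKrbtgtAccounts | Format-Table -AutoSize
$result.RodcLinks             | Format-Table -AutoSize
```

The output is diagnostic only; it changes nothing. Rows in the first table marked recycled are the ones that a "target object ... is recycled" message can refer to, and a second table row that does not resolve points at an RODC whose own link is already broken. Compare the timestamps with the dates of the demotions before deciding what to do with them.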

List of known incompatible applications in 2012 domain

We are on track to upgrade our 2008 R2 domain to 2012 R2 domain controllers. We are already decommissioning Exchange 2003. I was wondering if there is a list of known applications which don't work in a 2012 domain. Please advise. Thank you

Which name to use as internal name? ".local" is an option? Which TLD suffix must I use?


In the past, a (today expired) RFC suggested using ".local" for internal domain names, and naming AD forests/domains this way was common in the 2000s, so at that time most AD forests/domains were named xyz.local, company.local and so on.

Years ago, I was reading an IPv6 book and the author suggested no longer using ".local" as a domain suffix due to IPv6 restrictions, noting that the particular RFC regarding ".local" had expired and that using ".local" could cause problems in the future.

Said that...

Considering I'm strongly considering renaming my forest/domain (please don't ask) AND I'll use a name different from the Internet name... which suffix should or must I use?


Repadmin report 8453 error - Access is denied


Background
The environment has just been built using Windows Server 2016: a single forest with root domain ad.corp.com and child domain org.corp.com. Each domain has two domain controllers:
ad.corp.com: RDC01, RDC02
org.corp.com: SDC01, SDC02 (not built yet)
The forest and domain functional levels are all set to Windows 2008 R2.

Issues:
On SDC01, which has just been promoted, log in as domain admin, then run the following command:
Repadmin /syncall /d

The result returned the following error

SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
Replication access was denied.
From: CN=NTDS Settings,CN=RDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=corp,DC=com
To : CN=NTDS Settings,CN=RDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=corp,DC=com

Checks done so far:
1. It seems that, apart from that error, Active Directory is still working fine. Object creation and deletion are replicated to all DCs.
2. Ran DCDiag on each DC and all DCs are clean. No error detected.
3. The same Repadmin command is executed on the other 2 DCs and neither returns an error.
4. Executed Repadmin /replsummary and Repadmin /showrepl on EACH DC; no error is reported.
5. Installed the Microsoft Active Directory Replication Status Tool on EACH DC; no error is detected.
6. On the same DC, SDC01, if I log in using an account which is a member of "Enterprise Admins", then no error is returned when executing the command Repadmin /syncall /d

It is clear to me that the root cause is that the sub-domain administrator doesn't have some permission set properly. I have even tried to uninstall the org.ad.corp.com domain and re-promote it again using all default values (except the functional level, which is set to Windows 2008 R2), but still the same issue.

Any suggestions?
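Both this post and the earlier "permissions to delegate repadmin" question come down to the same thing: repadmin acts under the replication control access rights on each naming context it touches, and a child-domain admin is not granted them on the forest's Configuration partition, which is exactly the partition named in the 8453 error above. Who holds those rights is also the list a defender should review regularly, since the same rights allow password data to be pulled from a DC. The following is an added example, not code from either post, that lists every ACE granting a replication extended right on the domain and Configuration partitions. It assumes the ActiveDirectory module is loaded (it provides the AD: drive) and uses the well-known schema GUIDs of the replication rights.

```powershell
# Added example (not from the original posts): report which principals hold
# replication control access rights on a naming context.
# Assumption: ActiveDirectory module loaded (provides the AD: drive).
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema (controlAccessRight objects).
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Manage-Topology'
}

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory)][string]$PartitionDN)

    # Get-Acl on the AD: drive returns the partition head's security descriptor.
    $acl = Get-Acl -Path "AD:\$PartitionDN"

    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        $isExtendedRight = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0

        # An all-zero ObjectType with ExtendedRight grants *every* extended
        # right, replication included, so it is reported separately.
        if ($isExtendedRight -and $guid -eq '00000000-0000-0000-0000-000000000000') {
            $right = 'ALL extended rights'
        } elseif ($isExtendedRight -and $replicationRights.ContainsKey($guid)) {
            $right = $replicationRights[$guid]
        } else {
            continue
        }

        [pscustomobject]@{
            Partition = $PartitionDN
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# The domain partition plus Configuration; repadmin /syncall touches both.
$root    = Get-ADRootDSE
$results = foreach ($nc in @($root.defaultNamingContext, $root.configurationNamingContext)) {
    Get-ReplicationRightHolders -PartitionDN $nc
}
$results | Sort-Object Partition, Identity | Format-Table -AutoSize
```

Read the output from two directions: for the delegation question, the account that is meant to run repadmin must appear with at least DS-Replication-Get-Changes and DS-Replication-Synchronize on each partition it will sync; for hygiene, any identity that is not a domain controller, Enterprise Domain Controllers, Domain Controllers, or the expected administrative groups and yet holds Get-Changes-All should be explained or removed, because that right is sufficient to replicate password hashes.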

I have a laptop on its last legs.

I want to do a sysprep to move it into a different machine. My question is, will this action remove any programs, like Office 2013, Photoshop, or any at all?

Decommissioning the old Domain Controller


I was using a Windows Server 2008 32-bit SP1 server as DC.

I added a new server as an ADC first and then transferred the FSMO roles to the new server (Windows Server 2008 R2 64-bit) and made the new server the DC.

It is working now...

What should I do to decommission the old server? I need to remove it from my entire network.

Should I perform any cmd or any activity?

Can Windows 2016 domain controller join to Windows 2003 active directory?


I was searching the internet for how to upgrade Windows 2003 Active Directory to Windows 2016 but I couldn't find any documents.

Can a Windows 2016 DC join a Windows 2003 Active Directory?

Setting up Microsoft LAPS


I have a large Enterprise AD environment. My OU structure goes as follows: Country OU, then Site OU, then an OU called Server.

Every Site OU has a Sub OU called Servers.

I am trying to implement LAPS, specifically trying to set the computer permission. The command as follows is how it is documented:

Set-AdmPwdComputerSelfPermission -OrgUnit OU=Server.DC=Contoso,DC=ORZG.

I have tried running the command Set-AdmPwdComputerSelfPermission -OrgUnit OU=Servers,OU=site,OU=Country,DC=Contoso,DC=org.

The command is failing. What am I doing wrong?
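The -OrgUnit parameter takes the OU's distinguished name as one string, and because a DN contains commas it is safest to pass it quoted, and to take it from the directory rather than typing it. With one Servers OU under every site, that also means the permission has to be set on each of them, not on a single OU. The following is an added example, not code from the post or from the LAPS project, that finds every OU named Servers under the domain and applies the self-permission to each, then lists who can read the stored passwords there. It assumes the AdmPwd.PS module from the LAPS installer and the ActiveDirectory module are installed, that the OUs are named as in the post, and that the domain DN is a placeholder.

```powershell
# Added example (not from the original post or the LAPS project): apply the
# LAPS computer self-permission to every Servers OU in one pass.
# Assumptions: AdmPwd.PS and ActiveDirectory modules installed; OU naming as
# described in the post; 'DC=Contoso,DC=org' is a placeholder domain DN.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$domainDN = 'DC=Contoso,DC=org'

# Every OU named "Servers" regardless of depth in the Country/Site tree.
$serverOUs = Get-ADOrganizationalUnit -Filter { Name -eq 'Servers' } -SearchBase $domainDN

if (-not $serverOUs) {
    Write-Warning "No OU named 'Servers' found under $domainDN; check the OU names and the domain DN."
    return
}

foreach ($ou in $serverOUs) {
    # The DN is handed over as a single value; the variable keeps the commas
    # inside it from being read as parameter separators.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou.DistinguishedName
    Write-Output "Self-permission applied on $($ou.DistinguishedName)"
}

# Follow-up check: the self-permission lets computers *write* their password,
# while this cmdlet reports who can *read* it on each OU. Any principal here
# beyond the intended admin groups is worth a second look.
foreach ($ou in $serverOUs) {
    Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName | Format-Table -AutoSize
}
```

Running the loop against a single OU first, by narrowing -SearchBase to one site, confirms the command and the DN format before it is applied to every site in the forest.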
