Channel: Directory Services forum

AD Trust relationship


Hi

We have the scenario below and are facing a problem with a trust relationship; please help.

1) Forest name is maheshgroup.com (name changed)

2) One of the domain names is maheshstore (FQDN store.maheshgroup.com)

3) As part of restructuring, the maheshstore domain now needs to be taken out.

4) Installed a new single forest / single domain with the domain name maheshstore.in as FQDN and MHST as NetBIOS name.

5) While configuring the trust relationship, it was initially configured as a one-way trust.

6) We understand that a two-way trust is required for cross-forest migration using ADMT, hence we deleted the one-way trust that had been configured.

7) Now when we try to create the two-way trust, we get the error "The Operation failed. The error is: The specified account already exist."

8) We checked all the details and found no such conflict. We even deleted the domainname$$$ group created during the earlier trust.

9) Checked nltest /domain_trust as well; couldn't find any trusted domain info.

Please help us resolve this issue.

 


Regards:Mahesh
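An added example (not the poster's code) that enumerates what an earlier trust can leave behind and that a new trust would collide with: the trustedDomain object under CN=System, the inter-domain trust account (a user object named <NETBIOS>$ with the INTERDOMAIN_TRUST_ACCOUNT flag), and any other object holding the same sAMAccountName. The names MHST and maheshstore.in are taken from the post; the function name is assumed.

```powershell
# Added example, not from the post. Run in the forest that reports
# "The specified account already exists", with the partner's names.
Import-Module ActiveDirectory

function Find-TrustRemnants {
    param(
        [Parameter(Mandatory)] [string] $PartnerNetbios,   # e.g. MHST
        [Parameter(Mandatory)] [string] $PartnerDns        # e.g. maheshstore.in
    )
    $domain   = Get-ADDomain
    $systemDn = "CN=System,$($domain.DistinguishedName)"

    # 1. The trustedDomain object; this is what nltest /domain_trusts reports.
    $tdo = Get-ADObject -SearchBase $systemDn -Properties flatName, trustDirection `
        -LDAPFilter ('(&(objectClass=trustedDomain)(|(name={0})(flatName={1})))' -f $PartnerDns, $PartnerNetbios)

    # 2. The inter-domain trust account: a user object named <NETBIOS>$ whose
    #    userAccountControl has the INTERDOMAIN_TRUST_ACCOUNT bit (0x800 = 2048).
    #    This is the "account" the error message is about; it normally lives in CN=Users.
    $ita = Get-ADObject -Properties userAccountControl, whenCreated `
        -LDAPFilter ('(&(objectClass=user)(sAMAccountName={0}$)(userAccountControl:1.2.840.113556.1.4.803:=2048))' -f $PartnerNetbios)

    # 3. Anything else already using the name the new trust wants, such as the
    #    <NETBIOS>$$$ group the post mentions, or a computer/user object named <NETBIOS>$.
    $other = Get-ADObject -Properties objectClass `
        -LDAPFilter ('(|(sAMAccountName={0}$)(sAMAccountName={0}$$$)(cn={0}))' -f $PartnerNetbios)

    [pscustomobject]@{
        TrustedDomainObject     = $tdo
        InterdomainTrustAccount = $ita
        OtherNameHolders        = $other
    }
}

# Check both forests (each with the other side's names) before recreating the trust,
# and remove only objects you can tie to the deleted trust.
Find-TrustRemnants -PartnerNetbios 'MHST' -PartnerDns 'maheshstore.in' | Format-List
```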


changing ProxyAddresses and adding two similar entries, with LOWER and UPPER cases 'smtp' and 'SMTP'

foreach($user in (Get-ADUser -Filter {SamAccountName -like 'USERPRXY*' -and enabled -eq $TRUE} )) { Set-ADUser $($user.SamAccountName) -Add @{'ProxyAddresses'="smtp:$($user.samaccountname)@MyCorp.Net"} }

I'm running this piece of code and it works flawlessly... well, almost.

Due to internal requirements, we'll need to add "smtp" and ALSO "SMTP", two entries.

With this particular line of code, running it twice with the same code, another entry is not added; OK, no problem. But when I change the code from smtp to SMTP (upper case), hoping to add a second entry in upper case, it does not work: the previous lower-case entry remains and no upper-case entry is added either.

Adding -WhatIf:

What if: Performing the operation "Set" on target "CN=USERPRXY1,CN=Users,DC=MyCorp,DC=Net".
What if: Performing the operation "Set" on target "CN=USERPRXY2,CN=Users,DC=MyCorp,DC=Net".

Tried:

-Add @{'ProxyAddresses'="SMTP:"+$($user.samaccountname)+"@MyCorp.Net"}

No luck!

But I noticed:

Using "smtp:".ToUpper()+$($user.samaccountname) works, but ONLY IF I DELETE the contents of the field, leaving ProxyAddresses BLANK; if I already have something in it, it doesn't work.
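An added example (not the poster's code) written on the assumption that AD compares proxyAddresses values case-insensitively, so an "smtp:" and an "SMTP:" form of the same address cannot both be stored and -Add cannot flip the case of an existing value. It therefore rebuilds the whole list and writes it with -Replace, which is what the blank-field observation above points to. The user selection and the MyCorp.Net suffix come from the post; the function name is assumed.

```powershell
# Added example, not from the post. Assumes proxyAddresses values are matched
# case-insensitively by the directory (so only one of smtp:/SMTP: per address can exist).
Import-Module ActiveDirectory

function Set-PrimarySmtpProxy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Address      # e.g. USERPRXY1@MyCorp.Net
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    $wanted = "SMTP:$Address"

    # Case-sensitive check (-ccontains): is the upper-case primary already there?
    if (@($user.proxyAddresses) -ccontains $wanted) {
        Write-Verbose "$SamAccountName already has $wanted"
        return
    }

    # Rebuild the list: the matching address (any case) becomes the SMTP: primary,
    # any other SMTP: entry is demoted to smtp:, everything else is kept as is.
    $new = @(foreach ($entry in $user.proxyAddresses) {
        if     ($entry -ieq   $wanted)  { $wanted }                        # swap case in place
        elseif ($entry -clike 'SMTP:*') { 'smtp:' + $entry.Substring(5) }  # only one primary allowed
        else                            { $entry }
    })
    if (-not ($new -icontains $wanted)) { $new += $wanted }                # address absent: append

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "proxyAddresses = $($new -join '; ')")) {
        # -Replace writes the full list in one modify, so the directory never has to
        # hold two values that differ only in case (which -Add cannot achieve).
        Set-ADUser -Identity $user -Replace @{ proxyAddresses = [string[]]$new }
    }
}

# Same selection as the post; drop -WhatIf once the printed lists look right.
Get-ADUser -Filter { SamAccountName -like 'USERPRXY*' -and Enabled -eq $true } |
    ForEach-Object {
        Set-PrimarySmtpProxy -SamAccountName $_.SamAccountName -Address "$($_.SamAccountName)@MyCorp.Net" -WhatIf
    }
```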

KCD on a computer object for ADCS Enrollment Proxy/Policy Services - Access Denied


I am logged into a Domain Controller running Server 2008 R2 and the domain/forest functional level is set to 2008. When implementing KCD for Windows clients to request certificates via the proxy to ADCS, I get an 'Access Denied'.

I am using ADUC on the domain controller, going to Properties on the CEP/CES server object... selecting the Delegation tab... adding KCD to the SUBCA server object for the HOST and RPCSS services... when hitting 'Apply' I get Access Denied. I have full rights on both objects, tried as a Domain Admin and Enterprise Admin... hitting a wall.
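An added example (not the poster's configuration) showing the same change the Delegation tab makes, the privilege check that matters for it, and an inventory of delegation settings. The Delegation tab writes msDS-AllowedToDelegateTo on the front-end computer object, and a DC accepts that write only when the caller's token holds SeEnableDelegationPrivilege, granted on DCs through the Default Domain Controllers Policy. The server names CEPCES01 and SUBCA01 are placeholders; the function names are assumed.

```powershell
# Added example, not from the post. Run on the DC where the write is made.
Import-Module ActiveDirectory

function Test-EnableDelegationPrivilege {
    # User right "Enable computer and user accounts to be trusted for delegation"
    # (Default Domain Controllers Policy; Administrators by default). A token
    # without it gets Access Denied on msDS-AllowedToDelegateTo regardless of ACLs.
    return [bool]((whoami /priv) -match 'SeEnableDelegationPrivilege')
}

function Set-ConstrainedDelegation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]   $FrontEnd = 'CEPCES01',            # placeholder: the CEP/CES server
        [string]   $Target   = 'SUBCA01',             # placeholder: the issuing CA
        [string[]] $Services = @('HOST', 'RPCSS')     # the services named in the post
    )
    if (-not (Test-EnableDelegationPrivilege)) {
        throw 'Token lacks SeEnableDelegationPrivilege; fix the Default Domain Controllers Policy user right, then log off and on.'
    }
    $fqdn = (Get-ADComputer -Identity $Target).DNSHostName
    # Same SPN list ADUC writes: short and fully qualified name for each service class.
    $spns = foreach ($svc in $Services) { "$svc/$fqdn"; "$svc/$Target" }
    if ($PSCmdlet.ShouldProcess($FrontEnd, "msDS-AllowedToDelegateTo += $($spns -join ', ')")) {
        Set-ADComputer -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$spns }
    }
}

function Get-DelegationInventory {
    # Every computer allowed to delegate, and whether it may also do protocol transition
    # (TrustedToAuthForDelegation), the variant that deserves the closest review.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
        Select-Object Name, TrustedToAuthForDelegation,
            @{ n = 'Targets'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
}

Set-ConstrainedDelegation -WhatIf
Get-DelegationInventory | Format-Table -AutoSize
```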

 

The subject alternative names "*.AA.com,AA.com" of the certificate "BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03" do not contain the computed alternative names


Warning: The subject alternative names "*.AA.com,AA.com" of the certificate "BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03" do not contain the computed alternative names "SE2016vmSKY-006.AA.com,dialin.AA.com,meet.AA.com,admin.AA.com,LyncdiscoverInternal.AA.com,Lyncdiscover.AA.com".

The Skype for Business Server Front-End service does not start.


Best Regard Mohammad Reza Abdi

ROOT SERVER LOGIN ISSUE


While logging in to the root server 2008 R2 (the security database on the server does not have a computer account for this trust relationship?)

we are only able to log in in safe mode.

Please give the best solution.

disjoined computer object


Hi,

What is the default setting for complete removal of a computer object from AD after the computer was disjoined from the domain?

I see a few servers that were disjoined a week ago and now show as disabled accounts.

I guess they should eventually disappear?

Thanks.


--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


How Group policy works in active directory and how to troubleshoot it

I want to know how Group Policy works in Active Directory and how to troubleshoot it if we get any issues.

How to remove Active Directory schema object CN=ms-RTC-SIP-FrontEndServers


hi

How do I remove the Active Directory schema object CN=ms-RTC-SIP-FrontEndServers?


Best Regard Mohammad Reza Abdi


Unknown Sign in AD Through Bulk Modifications


Hello All,

I did a bulk modification (through a .csv file) for all AD users and added a description (description field) for each user in Arabic, but it shows the description as "♥". If I type it manually, it works fine. Is there any way to add the Arabic description through bulk modification?

Best Regards,
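An added example (not the poster's script) for the symptom above: a "♥" in place of Arabic text means the CSV was decoded with the wrong code page before Set-ADUser ever saw it. The script reads the file explicitly as UTF-8 and refuses rows whose description contains characters outside the Arabic block before writing anything to AD. The file name, column names and function names are assumed.

```powershell
# Added example, not from the post. Save the CSV as UTF-8 (Notepad/Excel "CSV UTF-8")
# and read it with the matching -Encoding; otherwise Arabic text is mangled on input.
Import-Module ActiveDirectory

function Test-ArabicText {
    param([string] $Text)
    # Allow the Arabic block (U+0600..U+06FF) plus printable ASCII. Anything else,
    # e.g. U+2665 "♥", is a sign the file was decoded with the wrong encoding.
    $bad = [regex]::Matches($Text, '[^\u0600-\u06FF\u0020-\u007E]')
    return ($bad.Count -eq 0)
}

function Update-DescriptionsFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $Path = '.\descriptions.csv')   # assumed columns: SamAccountName, Description

    Import-Csv -Path $Path -Encoding UTF8 | ForEach-Object {
        if (-not (Test-ArabicText $_.Description)) {
            Write-Warning "$($_.SamAccountName): unexpected characters, check the file encoding: $($_.Description)"
            return      # skip this row, continue with the next one
        }
        if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Set description')) {
            Set-ADUser -Identity $_.SamAccountName -Description $_.Description
        }
    }
}

# Dry run first: -WhatIf prints what would be written and the warnings for bad rows.
Update-DescriptionsFromCsv -WhatIf
```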

Account Unlocked Condition not working


Hi,

I need your help regarding this.

We have a policy to lock accounts under certain conditions, and I have also configured conditions to unlock them after a certain period of time, but the unlock condition is not working.

The conditions are maintained in the Default Domain Policy.

Incorrect logon event on Active Directory


Hi,

Intermittently (5 out of 10 times) I am seeing an issue.

1. I am logged onto my Windows PC (10.10.10.10) with username "test1".

2. From this machine I RDP to another server (192.168.1.10) with username 'test2'.

However, after this I see a logon event in AD stating that user 'test2' logged in on PC 10.10.10.10, which is my local PC. Rather, AD should show user 'test2' logged on to 192.168.1.10.

Please help me identify where the issue could be: is it my PC settings or some issue on AD?

User and group access limited time control


Hi,

We have a system that often requires vendors to have local administrator access on the servers in the network.

The scenario is as follows. Vendor A has local admin access to 10 servers; now and then vendor A needs help from vendor B, and they need local admin access as well. So we have created a group in AD called "Admin Access Vendor B", and this group is added to the local Administrators group on all 10 servers. Usually this group is empty, but when vendor A needs help from vendor B, we populate the group "Admin Access Vendor B" with users from vendor B, so they then have admin access to all 10 servers until we remove them from the group.

We are not sure if this is the best way to go, since we then often have a lot of empty groups added to the local Administrators groups on many servers, but as long as there are no users in these groups I guess it's OK? I guess if someone were able to add themselves to the group, well, then they would have admin access on the domain...

Another possible solution would be some kind of time limit on the accounts added to the local Administrators group. Say you add "Admin Access Vendor B" to the local Administrators group on all 10 servers, but this group is automatically removed from the local Administrators group after 2 days... Is there any solution like this, or other suggestions?

Thanks for any answers.


/Regards Andreas
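An added example (not the poster's setup) of the time limit asked for above, using the Privileged Access Management optional feature of Windows Server 2016 AD (forest functional level 2016): a group membership added with -MemberTimeToLive expires on its own, so the vendor's access in "Admin Access Vendor B" ends after 2 days without anyone having to remember to remove it. The group name comes from the post; the vendor account and the function names are constructed.

```powershell
# Added example, not from the post. Requires the 2016 forest functional level and
# the PAM optional feature (enabling it is one-time, forest-wide and irreversible).
Import-Module ActiveDirectory

function Enable-TimeBoundMembership {
    # Run once as Enterprise Admin.
    $forest = Get-ADForest
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

function Grant-TemporaryAdminAccess {
    param(
        [Parameter(Mandatory)] [string[]] $Members,
        [string] $Group = 'Admin Access Vendor B',
        [int]    $Days  = 2
    )
    # The membership expires after $Days; the DC also caps the TGT lifetime of these
    # users to the remaining TTL, so the group SID drops out of their tickets on time.
    Add-ADGroupMember -Identity $Group -Members $Members -MemberTimeToLive (New-TimeSpan -Days $Days)
}

function Get-RemainingAccess {
    param([string] $Group = 'Admin Access Vendor B')
    # -ShowMemberTimeToLive renders expiring members as "<TTL=<seconds>,<DN>>";
    # members without a TTL are permanent and worth a second look in this scenario.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
            } else {
                [pscustomobject]@{ Member = $_;          SecondsLeft = $null }   # permanent
            }
        }
}

# Constructed vendor account; the group stays in the servers' local Administrators group,
# and only the membership inside it is time-bound.
Grant-TemporaryAdminAccess -Members 'vendorb.user1'
Get-RemainingAccess | Format-Table -AutoSize
```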

A question about AD password storage and encryption


Is the NTDS.DIT encrypted as a whole (regardless of any internal encryption) using the BootKey stored in the System hive of the registry, with the BootKey being different for every computer, or is it just the PEK (password encryption key) that the BootKey encrypts and not the whole database?

As for the hash of the user password, as I understand it different hashes are stored:

MD4 for NTLM,

MD5 for Kerberos,

SHA1 for Kerberos 2008

Then this hashed password is encrypted using either RC4/DES or AES (2012 R2 and above); is that correct?

Thanks very much.

Macintosh with Active Directory

Hi to all, we are implementing a navigation restriction mechanism through Fortigate integrated with Active Directory that will allow users to navigate to certain sites only if they are part of a certain global AD group. For Microsoft clients we have no problem, but for Mac clients we have the following problem: running the command net user xxxxxx / domain, AD sees a wrong last logon time and does not correctly rest the group to which it belongs. We have already removed and recreated the machine account and also the AD user.

Any suggestions?

AD authentication problem

A question: earlier, two ADs were upgraded directly from 2003 to 2016, but a problem occurred. Various users get account/password errors. At first we thought the password was typed wrong, but later we found that was not the case. As soon as one account/password error appears, other users (domain as well as local account passwords) cannot log in either, and a reboot is required before logins work again. What might be wrong? Thank you.

DCPROMO - Offsite Member Server


We have an offsite location where I am trying to promote a member server to a DC; we are using a SonicWall site-to-site VPN; confirmed all ports are allowed for AD DS.

I have been able to join the new VM to the domain; can ping the current DC by IP, hostname and FQDN. nslookup correctly finds the DC as well. I receive an Access Denied error; I have checked the Default DC Policy settings and confirmed permissions are set up correctly. Cleaned metadata from an old instance from the previous IT. Attempted IFM install. At a loss right now.

Main DC - 10.66.200.196

Member Server - 10.243.159.217

See the error below from DCPromo Logs.

dcpromoui D14.F70 230B 10:29:06.326   posting message to progress window
dcpromoui D14.F3C 230C 10:29:06.326         Enter State::GetOperationResultsCode FAILURE
dcpromoui D14.F3C 230D 10:29:06.326         OPERATION FAILED
dcpromoui D14.F3C 230E 10:29:06.326         Enter State::GetOperationResultsCode FAILURE
dcpromoui D14.F3C 230F 10:29:06.326         Enter State::GetUserCancelled false
dcpromoui D14.F3C 2310 10:29:06.326         Enter State::IsOperationRetryAllowed
dcpromoui D14.F3C 2311 10:29:06.326           true
dcpromoui D14.F3C 2312 10:29:06.326         Info: 
dcpromoui D14.F3C 2313 10:29:06.326       performed state 28, next state 29
dcpromoui D14.F3C 2314 10:29:06.326       Enter FailedFunct
dcpromoui D14.F3C 2315 10:29:06.326         Enter State::GetOperationResultsCode FAILURE
dcpromoui D14.F3C 2316 10:29:06.326         FAILURE
dcpromoui D14.F3C 2317 10:29:06.326       performed state 29, next state 30
dcpromoui D14.F3C 2318 10:29:06.326       Enter FinishFunct
dcpromoui D14.F3C 2319 10:29:06.326         Enter State::GetFailureMessage The operation failed because:

A domain controller could not be contacted for the domain xyz.local that contained an account for this computer. Make the computer a member of a workgroup then rejoin the domain before retrying the promotion.


"Access is denied."
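An added example (not the poster's procedure) of the checks the dcpromo message above calls for, run from the member server: DC locator SRV records for the domain, the AD DS ports across the VPN, the computer's secure channel to the domain, and clock skew against the DC. The domain xyz.local and the DC address 10.66.200.196 come from the post; the function name is assumed.

```powershell
# Added example, not from the post. Run on the offsite member server (Windows 2012+).
function Test-DcReachability {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Core AD DS ports; promotion and replication also need the RPC dynamic
        # range (49152-65535) in addition to the endpoint mapper on 135.
        [int[]] $Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
    )
    # 1. DC locator: the DNS servers the VM uses must answer the _msdcs SRV query.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $dcs = $srv | Select-Object -ExpandProperty NameTarget -Unique
    foreach ($dc in $dcs) {
        foreach ($port in $Ports) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $port; Open = $r.TcpTestSucceeded }
        }
    }
}

# 2. The "could not be contacted ... account for this computer" part: verify the machine
#    account's secure channel; add -Repair to reset it instead of leaving/rejoining the domain.
Test-ComputerSecureChannel -Verbose

# 3. Kerberos rejects more than 5 minutes of skew; compare this VM's clock with the DC.
w32tm /stripchart /computer:10.66.200.196 /samples:3 /dataonly

# Anything listed here is blocked somewhere on the path (firewall, VPN policy, DNS).
Test-DcReachability -Domain 'xyz.local' | Where-Object { -not $_.Open } | Format-Table -AutoSize
```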

iMac OS connect with AD & group policy


Dear Team,

I am using Windows Server 2016 with Active Directory & Group Policy.

The issue is that an iMac system is connected to AD but Group Policy doesn't work. Please guide me on how to resolve this issue.

Thanks & Regards,

Nitin Patel

Active Directory - Microsoft Windows SMB Shares Unprivileged Access


Hi Team,

While performing a vulnerability scan on our Active Directory servers, the security team highlighted the security risk below.

Risk:

Microsoft Windows SMB Shares Unprivileged Access

Please let me know whether this is default behavior or whether we can secure the SMB shares (Sysvol and Netlogon).

Regards,

S Kannan


Rgds, S Kannan
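An added example (not the poster's scan) that reads what the finding is based on and what can actually be tightened: the SYSVOL and NETLOGON share ACLs (Read for Authenticated Users is the default and is required, since clients fetch Group Policy and logon scripts from there), the NTFS ACL underneath (write access beyond the admin principals is the real risk), and the SMB server settings a scanner typically checks next. The DC name DC01 and the function name are placeholders.

```powershell
# Added example, not from the post. Run with admin rights against a domain controller.
function Get-DcShareExposure {
    param([string] $DomainController = $env:COMPUTERNAME)
    $cim = New-CimSession -ComputerName $DomainController

    # 1. Share-level ACL. Authenticated Users: Read on SYSVOL/NETLOGON is by design;
    #    Change/Full for non-admin principals is the finding worth acting on.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        Get-SmbShareAccess -Name $share -CimSession $cim |
            Select-Object @{ n = 'Share'; e = { $share } }, AccountName, AccessControlType, AccessRight
    }

    # 2. NTFS layer under SYSVOL: only SYSTEM, Administrators, CREATOR OWNER and the admin
    #    groups should be able to write, since a writable SYSVOL means editable policy.
    Get-Acl -Path "\\$DomainController\SYSVOL" | Select-Object -ExpandProperty Access |
        Where-Object {
            $_.FileSystemRights -match 'Write|Modify|FullControl' -and
            $_.IdentityReference -notmatch 'SYSTEM|Administrators|CREATOR OWNER|Domain Admins|Enterprise Admins'
        } |
        Select-Object @{ n = 'Share'; e = { 'SYSVOL (NTFS)' } },
            @{ n = 'AccountName'; e = { $_.IdentityReference } }, AccessControlType, FileSystemRights

    # 3. Transport hardening: signing required (defeats relay) and SMB1 disabled.
    $cfg = Get-SmbServerConfiguration -CimSession $cim
    [pscustomobject]@{
        Share           = '(server settings)'
        SigningRequired = $cfg.RequireSecuritySignature
        Smb1Enabled     = $cfg.EnableSMB1Protocol
    }
    Remove-CimSession $cim
}

Get-DcShareExposure -DomainController 'DC01' | Format-List
```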

Minimum bandwidth requirement for clients authentication with DC over the MPLS/network links


Hi Team ,

Is there any minimum bandwidth requirement recommended for a hub-and-spoke model where we don't have an additional DC at each location and the location's machines need to connect to the central DC over MPLS/network for authentication?

We don't want to place additional DCs at each small location and are looking for the minimum bandwidth requirements for user authentication. Based on any recommendations, we would prefer to optimize/increase the connectivity bandwidth between the branch and the main data center. Thanks.

Any suggestions will be appreciated. 

Regards,

ADFS - Unable to trace domain account login attempts.


Our ADFS servers (we have 2) are getting multiple failed login attempts for a particular user. Can we trace where they are coming from? These attempts are happening every 5 minutes. Below are the security logs for these login attempts.

Below is a table of the failed login attempts and which server they came from. They all have the same event IDs in Event Viewer: 4771 & 4625.

DC Name   Date         Time
ADFS01    23/08/2018   10:49:59
ADFS02    23/08/2018   10:55:02
ADFS02    23/08/2018   11:00:17
ADFS02    23/08/2018   11:05:32
ADFS02    23/08/2018   11:10:15
ADFS01    23/08/2018   11:15:59
(Unlocked affected account at 11:36)
ADFS01    23/08/2018   11:36:56
ADFS01    23/08/2018   11:42:10
ADFS02    23/08/2018   11:47:25
(Unlocked affected account at 12:03)
ADFS01    23/08/2018   12:03:09
ADFS02    23/08/2018   12:08:23
ADFS01    23/08/2018   12:13:37

Below are the event ID 4771 and 4625 logs.

Audit Failure - Event ID 4771

Kerberos pre-authentication failed.

Account Information:
    Security ID:        Domain\Account Trying to Login
    Account Name:       Account Trying to Login

Service Information:
    Service Name:       krbtgt/****************************************

Network Information:
    Client Address:     ::1
    Client Port:        0

Additional Information:
    Ticket Options:             0x40810010
    Failure Code:               0x18
    Pre-Authentication Type:    2

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Audit Failure - Event ID 4625

An account failed to log on.

Subject:
    Security ID:        *****\ADFS Account
    Account Name:       ADFS Account
    Account Domain:     *********
    Logon ID:           0x167BB

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       ******@****** (Account Trying to Login)
    Account Domain:

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC000006A

Process Information:
    Caller Process ID:      0x5f8 (This is the adfssrv process)
    Caller Process Name:    C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe

Network Information:
    Workstation Name:           Server logs have come from
    Source Network Address:     -
    Source Port:                -

Detailed Authentication Information:
    Logon Process:              W
    Authentication Package:     Negotiate
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Now looking in the ADFS Event Viewer, it has Event ID 342 at the same time as the failed login attempts:

Token validation failed.

Additional Data
Token Type:
(Omitted due to unable to submit link)

Error message:
AccountTrying to login -The user name or password is incorrect

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: AccountTrying to login ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

As the login attempts are coming from the ADFS server, I assumed they were coming from Azure; however, when looking at this user's sign-in attempts in the Azure portal there are no failed attempts.

So how can I trace where these login attempts are coming from, bearing in mind that according to the event log they are coming from the ADFS server? How can I find out what is attempting to log in to the affected account through the ADFS server?

Thanks,

Sean
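An added example (not the poster's query) that pulls every 4625 for the affected account from both ADFS servers and shows the fields that identify the source. As in the events above, a Logon Type 3 failure whose caller process is Microsoft.IdentityServer.ServiceHost.exe with no source address means the password arrived through an ADFS endpoint and the Windows Security event can only name the ADFS server itself; the remote client is recorded by ADFS's own audit event 411, which needs ADFS auditing enabled (auditpol "Application Generated" failures) and, behind a Web Application Proxy, reports the forwarded client IP. The server names ADFS01/ADFS02 come from the post; the account and function name are placeholders.

```powershell
# Added example, not from the post. Run from a host with Event Log access to both servers.
function Get-AdfsFailedLogons {
    param(
        [string[]] $Servers = @('ADFS01', 'ADFS02'),
        [Parameter(Mandatory)] [string] $Account,          # e.g. 'user@domain.example'
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    foreach ($srv in $Servers) {
        Get-WinEvent -ComputerName $srv -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object {
            # EventData carries named fields; read them from the XML rather than the text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetUserName -like $Account) {
                [pscustomobject]@{
                    Server      = $srv
                    Time        = $_.TimeCreated
                    Target      = $d.TargetUserName
                    LogonType   = $d.LogonType
                    Process     = $d.ProcessName        # ServiceHost.exe = credential came via ADFS
                    Workstation = $d.WorkstationName    # the ADFS server itself in this case
                    SourceIp    = $d.IpAddress          # '-' here; see ADFS event 411 for the client
                    SubStatus   = $d.SubStatus          # 0xC000006A = wrong password
                }
            }
        }
    }
}

# Interval between rows (about 5 minutes above) is itself a clue: a stored credential
# on a retry schedule rather than a person typing.
Get-AdfsFailedLogons -Account 'user@domain.example' | Sort-Object Time | Format-Table -AutoSize

# Then, on each ADFS server, look for the matching ADFS audit events, which carry the client IP:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 411; StartTime = (Get-Date).AddDays(-1) } |
#     Where-Object { $_.Message -like '*user@domain.example*' } | Select-Object TimeCreated, Message
```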

