Channel: Directory Services forum

Why is my AD Connect only running Delta Imports on scheduler?


I recently did an in-place upgrade on our AD Connect server to v1.1.819.0. Everything appears to be functioning properly, as a full sync was performed after the upgrade and after re-enabling the sync scheduler. The full sync took several hours to complete, but I noticed that after completion the connectors are consistently performing Delta Imports. The policy type is listed as Delta, so I would expect to see a Delta Import, Delta Sync and Export. This is no longer the case; however, I can manually kick off the run configurations without issue.

I'm sure there is something I'm overlooking, but I'm curious if anyone has any insight.

The following is my ADSyncSchedule:

AllowedSyncCycleInterval            : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval         :
NextSyncCyclePolicyType             : Delta
NextSyncCycleStartTimeInUTC         : 8/7/2018 7:56:56 PM
PurgeRunHistoryInterval             : 7.00:00:00
SyncCycleEnabled                    : True
MaintenanceEnabled                  : True
StagingModeEnabled                  : False
SchedulerSuspended                  : False
SyncCycleInProgress                 : True


Site and Service Design


Hi All,

   I have two domains set up as account and resource domains. Domain ABC has its Sites and Services set up. Now we have more sites coming under the XYZ domain.

  1.     We have set up 2 x XYZ DCs in Site A (ABC domain) and Site B (ABC domain), and they serve DHCP for all new sites (sites E-F-G).
  2.     These two servers are in the XYZ Sites and Services (XYZ-SP1 & XYZ-SP2).

Question:

  1.     How do I add the Site A-G IP subnets in the XYZ domain's Sites and Services?
  2.     How do I set up browser selection?
  3.     How do I clean up this mess and remove all the ABC DHCP servers?
  4.     Do I have to add all the subnets to the DNS reverse lookup zone?

Issues:

  •     Slow network access
  •     Browser errors
  •     Hardware maintenance

I have attached the design. Let me know how I can solve the above.

As


forgot outlook pst file password

Is there a safe PST password tool/site? I have $100,000s worth of lost product keys and business data in older emails with a forgotten password! HELP!!!!

Upgrading DCs that are members of a external trust?


Hi,

Hopefully a quick question. I am upgrading our 2012 R2 DCs to 2016; these will be new VM builds, joined to the existing domain, and then the older 2012 R2 servers will be decommissioned. The question is: there is an external trust with another AD forest; is there anything special that I need to do to ensure that this trust is maintained? I assume that as long as the DNS on both domains is updated with the new DC (DNS) servers, the trust should be maintained and no downtime experienced?

Thanks in advance

Rob

Impersonate as Group Managed Service Account (GMSA) in windows 2012


Hi,

    We are running into the following issue while trying to impersonate the gMSA account from a program that is NOT a Windows Service. We would like to know how we can use the gMSA account in a program which is not a Windows Service.

Here are our steps:

  1. We created a gMSA (vayu\TestgMSA$) on the Domain Controller, and this gMSA can be used on Machine A, which is a member server of the domain in use (domain name: Vayu)
  2. We configured a Windows Service (the SQL Server service) on Machine 1 to log on using this gMSA account with an empty password, and verified that the service is able to run using the gMSA account successfully
  3. We wrote a simple test application (it is NOT a Windows Service) and we are trying to impersonate the gMSA in this application.

Here is the code; we are passing the user and domain name to the LogonUser API and passing an empty string as the password, because we are expecting the API to retrieve the password on its own.

+++++++++++++++++++++++++++++++++++++++++++++

#include <windows.h>
#include <iostream>
using namespace std;

int main()
{
    HANDLE tokenHandle = NULL;

    // Empty password on purpose: we expect the API to retrieve the gMSA password on its own
    BOOL bRet = LogonUserA("TestgMSA$", "vayu", "", LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, &tokenHandle);

    if (!bRet)
    {
       cout << "Logon failed with error code: " << GetLastError() << endl;
       return -1;
    }

    if (!ImpersonateLoggedOnUser(tokenHandle))
    {
       cout << "User impersonation failed!" << endl;
       CloseHandle(tokenHandle);
       return -1;
    }

    // The calling thread now runs as TestgMSA$; drop the impersonation before exit
    RevertToSelf();
    CloseHandle(tokenHandle);
    return 0;
}

+++++++++++++++++++++++++++++++++++++++++++++

Here is the command showing that the machine on which this code is run has been configured to be able to retrieve the gMSA password:

+++++++++++++++++++++++++++++++++++++++++++++

PS C:\Users\Administrator.VAYU> Test-ADServiceAccount TestgMSA

True

++++++++++++++++++++++++++++++++++++++++++++

 

However, when we run the above code on Machine A as a Domain Administrator user (vayu\Administrator), it fails with the following output:

+++++++++++++++++++++++++++++++++++++++++++++

Logon failed with error code: 1326

Error Description: The user name or password is incorrect

+++++++++++++++++++++++++++++++++++++++++++++

We further investigated this to determine which of the two, user name or password, is incorrect here, and with the details below we are able to confirm that an incorrect password is getting used.

The following Logon Failure event is logged in Event Viewer with the Sub Status field logged as 0xC000006A. The description for Sub Status value 0xC000006A is "user name is correct but the password is wrong", which verifies that the provided user name vayu\TestgMSA$ is indeed correct, but somehow the program is not able to retrieve the password for this gMSA account from AD even though the machine on which this program is running has been configured to be able to retrieve the gMSA password.

+++++++++++++++++++++++++++++++++++++++++++++

An account failed to log on.

Subject:

     Security ID:      VAYU\Administrator

     Account Name:     Administrator

     Account Domain:   VAYU

     Logon ID:         0x60120A

Logon Type:            4

Account For Which Logon Failed:

     Security ID:      NULL SID

     Account Name:     TestgMSA$

     Account Domain:   vayu

Failure Information:

     Failure Reason:   Unknown user name or bad password.

     Status:           0xC000006D

     Sub Status:       0xC000006A

Process Information:

     Caller Process ID:      0x1814

     Caller Process Name:    C:\Test\TryLogin_GMSA.exe

Detailed Authentication Information:

     Logon Process:         Advapi 

     Authentication Package:Negotiate

     Transited Services:     -

     Package Name (NTLM only):     -

     Key Length:       0

+++++++++++++++++++++++++++++++++++++++++++++

Are we missing any additional configuration, either on the user account being used to launch this program (vayu\Administrator) or on the gMSA account (vayu\TestgMSA$) itself?

We saw some discussion regarding this at https://social.technet.microsoft.com/Forums/lync/en-US/7aec7a1e-7b5f-4fa1-abf7-ce00a0c5356a/impersonate-as-group-managed-service-account-gmsa-in-windows-2012?forum=winserverDS and tried to implement the following suggestion from the post.

“If you wanted your code sample to work, you could configure the security context your code is running as to delegate to your gMSA with protocol transition ("Any protocol" in the UI).” - In our case, the security context our code is running as is a domain user (vayu\Administrator), and so we tried the following settings in terms of SPN registration and Kerberos delegation. Maybe we are doing something wrong here. Any help regarding this will be highly appreciated.

SPNs for vayu\TestgMSA$

MSSQLSvc/VISHALCLIENT.VAYU.COMMVAULT.COM:VISHALSQL

MSSQLSvc/VISHALCLIENT.VAYU.COMMVAULT.COM:63254

SPNs for vayu\Administrator

CVAPP/VISHALCLIENT.vayu.commvault.com

CVAPP/VISHALCLIENT

Delegation Settings for vayu\Administrator

Trust this user for delegation to specified services only

--> Use any authentication protocol

----> Services to which this account can present delegated credentials 

Service Type  User or Computer                                          Port 

MSSQLSvc       VISHALCLIENT.VAYU.COMMVAULT.COM     63254

MSSQLSvc       VISHALCLIENT.VAYU.COMMVAULT.COM     VISHALSQL


With Kind Regards,

Vishal Khule.


Why we need to perform metadata cleanup in AD and how to do it.

Why we need to perform metadata cleanup in AD and how to do it.

Impersonate as Group Managed Service Account (GMSA) in windows 2012


Dear Microsoft Team,

Have a good day!

Since Windows 2012, a gMSA can be created/managed with the ActiveDirectory PowerShell module. A service can be started by logging on with the gMSA, and its password doesn't need to be changed manually. That's great.

 

However, we have encountered a problem and need your help. Here are our steps:

(1)    We created a gMSA on the Domain Controller, and this gMSA can be used on Machine A and Machine B;

(2)    There is a SQL Server 2014 on Machine A, and we added this gMSA as a SQL Server login;

(3)    We wrote a program (it is NOT a Windows Service) and this program runs on Machine B. It will connect to SQL Server via Windows Authentication. We want to use this gMSA account to connect to SQL Server, so we try to impersonate the gMSA user in the program.

+++++++++++++++++++++++++++++++++++++++++++++

#include <windows.h>
#include <iostream>
using namespace std;

BOOL IMPERSONATE_USER()
{
   HANDLE tokenHandle = NULL;

   // Empty password: the gMSA password is expected to be resolved for us.
   // LOGON32_LOGON_SERVICE also requires the account to hold the "Log on as a service" right.
   BOOL bRet = LogonUserA("IcekingTest$", "testcom", "", //s_URLUserName, s_URLDomain, s_URLPassword,
      LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, &tokenHandle);

   //BOOL returnValue = LogonUserA("IcekingTest", "testcom", "", //s_URLUserName, s_URLDomain, s_URLPassword,
   //  LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &tokenHandle);

   if (!bRet)
   {
      cout << "error logon: " << GetLastError() << endl;
      return false;
   }

   if (!ImpersonateLoggedOnUser(tokenHandle))
   {
      cout << "Impersonate failed!" << endl;
      CloseHandle(tokenHandle);
      return false;
   }

   // The calling thread now runs as the gMSA until it calls RevertToSelf()
   CloseHandle(tokenHandle);
   return true;
}

+++++++++++++++++++++++++++++++++++++++++++++

 

It fails, and the output is as follows:

+++++++++++++++++++++++++++++++++++++++++++++

error logon: 1326

+++++++++++++++++++++++++++++++++++++++++++++

 

Error 1326 Means:

+++++++++++++++++++++++++++++++++++++++++++++

ERROR_LOGON_FAILURE

1326 (0x52E)

The user name or password is incorrect.

+++++++++++++++++++++++++++++++++++++++++++++

 

Our question is: if our program is not a Windows service, how does the program impersonate the gMSA account? Or how can we use the gMSA account in a program which is not a Windows Service?

 

 

Best regards,

Iceking
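Both gMSA posts above (the one from Vishal and this one from Iceking) hit the same wall: LogonUser does not fetch a gMSA password on the caller's behalf. The empty-password convenience belongs to hosts for which the LSA resolves managed-account passwords, namely the Service Control Manager, Task Scheduler and IIS application pools, which is why the SQL Server service runs while a plain executable gets Sub Status 0xC000006A (bad password). A process that is not such a host has to do what those hosts do: read the constructed attribute msDS-ManagedPassword from the gMSA object (the DC returns it only over an encrypted LDAP session, and only to a principal listed in the gMSA's msDS-GroupMSAMembership; Test-ADServiceAccount returning True shows the computer account is such a principal, not the interactive vayu\Administrator session), decode the MSDS-MANAGEDPASSWORD_BLOB and pass the cleartext to LogonUser. The Python below is an added example, not code from either post: it decodes that blob as laid out in MS-ADTS 2.2.19 and derives the NT hash from it, which is exactly why the right to read this attribute is a security boundary worth auditing. The blob it parses is constructed locally by the helper at the bottom; a real one comes from the directory, and the pure-Python MD4 is there because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
"""Decode a gMSA msDS-ManagedPassword value (MSDS-MANAGEDPASSWORD_BLOB, MS-ADTS 2.2.19).

Added example, not from the forum posts. SAMPLE_BLOB is constructed locally by
build_managed_password_blob(); a real blob is read from the gMSA object over an
encrypted LDAP session by a principal listed in msDS-GroupMSAMembership.
"""
import struct
from typing import Optional

# Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2) PreviousPasswordOffset(2)
# QueryPasswordIntervalOffset(2) UnchangedPasswordIntervalOffset(2)
_HEADER = struct.Struct("<HHIHHHH")


def _read_wstr(blob: bytes, off: int) -> bytes:
    """Raw bytes of the null-terminated UTF-16LE string at off (terminator excluded)."""
    end = off
    while True:
        unit = blob[end:end + 2]
        if len(unit) < 2:
            raise ValueError("unterminated WCHAR string in blob")
        if unit == b"\x00\x00":
            return blob[off:end]
        end += 2


def parse_managed_password_blob(blob: bytes) -> dict:
    """Return current/previous password bytes and the two intervals in seconds."""
    version, reserved, length, cur_off, prev_off, query_off, unch_off = _HEADER.unpack_from(blob, 0)
    if version != 1 or reserved != 0:
        raise ValueError(f"unexpected Version/Reserved {version}/{reserved}")
    if length != len(blob):
        raise ValueError(f"Length field {length} != blob size {len(blob)}")
    # Both intervals are 64-bit values in 100 ns units.
    query_100ns = struct.unpack_from("<Q", blob, query_off)[0]
    unch_100ns = struct.unpack_from("<Q", blob, unch_off)[0]
    return {
        "current_password": _read_wstr(blob, cur_off),
        "previous_password": _read_wstr(blob, prev_off) if prev_off else None,
        "query_after_s": query_100ns / 10_000_000,    # re-query the DC after this
        "unchanged_for_s": unch_100ns / 10_000_000,   # password guaranteed stable for this
    }


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & mask & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password_utf16le: bytes) -> bytes:
    """NT hash = MD4 over the UTF-16LE password bytes. Computed on the raw bytes because a
    gMSA password is random 16-bit units and need not decode as valid Unicode."""
    return md4(password_utf16le)


def build_managed_password_blob(current: str, previous: Optional[str],
                                query_s: int, unchanged_s: int) -> bytes:
    """Constructed test input only: lays the fields out the way a DC does."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = _HEADER.size
    prev_off = cur_off + len(cur) if previous else 0
    pad = (-(cur_off + len(cur) + len(prev))) % 8          # AlignmentPadding to 8 bytes
    query_off = cur_off + len(cur) + len(prev) + pad
    unch_off = query_off + 8
    header = _HEADER.pack(1, 0, unch_off + 8, cur_off, prev_off, query_off, unch_off)
    return header + cur + prev + b"\x00" * pad + struct.pack(
        "<QQ", query_s * 10_000_000, unchanged_s * 10_000_000)


# Constructed sample: 25 days until the next query, stable for five minutes less than that.
SAMPLE_BLOB = build_managed_password_blob("S3cret-gMSA-Pass!", "0ld-gMSA-Pass!", 2_160_000, 2_159_700)

if __name__ == "__main__":
    info = parse_managed_password_blob(SAMPLE_BLOB)
    print("current :", info["current_password"].decode("utf-16-le", "replace"))
    print("NT hash :", nt_hash(info["current_password"]).hex())
    print("re-query in %.0f s" % info["query_after_s"])
```

Treat every principal in msDS-GroupMSAMembership as owning the account: reading the attribute yields the same secret the service logs on with, and the NT hash derived from it is usable directly. Whatever fetches the blob for a non-service process should run under the computer account (or another explicitly authorised principal), keep the cleartext in memory only as long as the LogonUser call needs it, and honour query_after_s rather than caching the password past the DC's rotation.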


changing ProxyAddresses and adding two similar entries, with LOWER and UPPER cases 'smtp' and 'SMTP'


changing ProxyAddresses and adding two similar entries, with LOWER and UPPER cases 'smtp' and 'SMTP'

foreach ($user in (Get-ADUser -Filter {SamAccountName -like 'USERPRXY*' -and Enabled -eq $true})) {
    Set-ADUser $user.SamAccountName -Add @{'ProxyAddresses' = "smtp:$($user.SamAccountName)@MyCorp.Net"}
}

I'm running this piece of code and it works flawlessly... well, almost.

Due to internal requirements, we'll need to add "smtp" and ALSO "SMTP", two entries.

With this particular line of code, running it twice with the same code, another entry is not added; OK, no problem. But when I change the code from smtp to SMTP (upper case), hoping to add a second entry in upper case, it does not work: the previous lower case entry remains and no upper case entry is added either.

Adding -WhatIf:

What if: Performing the operation "Set" on target "CN=USERPRXY1,CN=Users,DC=MyCorp,DC=Net".
What if: Performing the operation "Set" on target "CN=USERPRXY2,CN=Users,DC=MyCorp,DC=Net".

Tried:

-Add @{'ProxyAddresses'="SMTP:"+$($user.samaccountname)+"@MyCorp.Net"}

No luck!

But I noticed:

Using "smtp:".ToUpper()+$($user.samaccountname) works, but ONLY IF I DELETE the contents of the field, leaving ProxyAddresses BLANK; if I already have something in it, it doesn't work.
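What the post above runs into is how the directory compares proxyAddresses values: the attribute is matched case-insensitively, so smtp:USERPRXY1@MyCorp.Net and SMTP:USERPRXY1@MyCorp.Net are the same value, a second Add is refused as a duplicate, and the attribute can never hold both. The upper-case SMTP: prefix is the Exchange convention for the one primary address; lower-case smtp: marks secondaries. Changing the case therefore means writing the whole value list back (or Remove followed by Add as two separate operations), which is also why clearing the attribute first "works". The Python below is an added example, not the poster's script: plan_proxy_addresses() computes the replacement list and is the part the assertions exercise; fix_users() does the directory I/O with ldap3, which is assumed to be installed and handed an already bound connection, and mirrors the poster's Get-ADUser filter (enabled users whose sAMAccountName starts with USERPRXY).

```python
"""Rebuild proxyAddresses so exactly one value carries the primary 'SMTP:' prefix.

Added example, not the poster's script. plan_proxy_addresses() is pure and is what the
assertions exercise; fix_users() performs the directory write with ldap3 (assumed
installed, connection assumed already bound) and is only called in a live run.
"""
from typing import List, Optional

PRIMARY_PREFIX = "SMTP:"      # Exchange convention: upper case marks the primary address
SECONDARY_PREFIX = "smtp:"


def plan_proxy_addresses(existing: List[str], sam: str, domain: str) -> Optional[List[str]]:
    """Return the complete replacement value list, or None when nothing changes.

    AD compares proxyAddresses values case-insensitively, so 'smtp:u@d' and 'SMTP:u@d'
    are one value: a second Add is rejected and the attribute can never hold both.
    Changing the case means writing the whole list back with a single replace.
    """
    primary = f"{PRIMARY_PREFIX}{sam}@{domain}"
    rebuilt, have_primary = [], False
    for value in existing:
        if value.lower() == primary.lower():
            rebuilt.append(primary)                  # same address, forced to the primary case
            have_primary = True
        elif value.startswith(PRIMARY_PREFIX):
            # Only one value may carry SMTP:; demote any other primary to a secondary.
            rebuilt.append(SECONDARY_PREFIX + value[len(PRIMARY_PREFIX):])
        else:
            rebuilt.append(value)                    # sip:, x500:, smtp: secondaries are untouched
    if not have_primary:
        rebuilt.append(primary)
    return None if rebuilt == existing else rebuilt


def fix_users(conn, base_dn: str, domain: str, sam_prefix: str = "USERPRXY") -> int:
    """Live run: select enabled users by sAMAccountName prefix (the poster's Get-ADUser
    filter) and issue one MODIFY_REPLACE per user whose list actually changes."""
    from ldap3 import MODIFY_REPLACE
    enabled = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"   # ACCOUNTDISABLE bit clear
    conn.search(base_dn, f"(&(objectClass=user)(sAMAccountName={sam_prefix}*){enabled})",
                attributes=["sAMAccountName", "proxyAddresses"])
    changed = 0
    for entry in conn.entries:
        new_values = plan_proxy_addresses(list(entry.proxyAddresses.values),
                                          entry.sAMAccountName.value, domain)
        if new_values and conn.modify(entry.entry_dn, {"proxyAddresses": [(MODIFY_REPLACE, new_values)]}):
            changed += 1
    return changed


if __name__ == "__main__":
    # Constructed sample: what the poster's loop leaves behind after its first run.
    before = ["smtp:USERPRXY1@MyCorp.Net", "sip:USERPRXY1@MyCorp.Net"]
    print(plan_proxy_addresses(before, "USERPRXY1", "MyCorp.Net"))
    # → ['SMTP:USERPRXY1@MyCorp.Net', 'sip:USERPRXY1@MyCorp.Net']
```

Because the plan is a full list, run it against a read of the current values taken in the same session and compare the result before writing: a replace silently drops any value added between the read and the modify. In an Exchange-managed environment the address policy will also re-stamp the primary, so the rebuilt list should agree with the policy rather than fight it.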

Lync Server Front-End


Hi,

The Lync Server Front-End service does not start:

Start-CsWindowsService : Service RTCSRV failed to start within the expected timeframe.

At line:1 char:1
+ Start-CsWindowsService
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationTimeout: (:SourceCollection) [Start-CsWindowsService], TimeoutException
    + FullyQualifiedErrorId : ServiceStartFailed,Microsoft.Rtc.Management.Deployment.StartServicesCmdlet
WARNING: Start-CsWindowsService encountered errors. Consult the log file for a detailed analysis, and ensure all errors
 (2) and warnings (0) are addressed before continuing.
WARNING: Detailed results can be found at

The certificate is OK and has a check mark.

Best Regards,
Mohammad Reza Abdi


Domain Trust


Hi,

Not sure if this is actually possible, but I thought I would ask anyway.

We have 2 domains; for example, let's call them Domain A and Domain B, with a domain controller for each. Domain B is also connected to an offsite DC via a site-to-site VPN. Domain A has a trust to Domain B, but we would like to replace or remove the domain controller for Domain B if possible.

So my question is: is it possible to have the domain controller for Domain A connect to the DC for Domain B via the VPN to the offsite DC and still maintain the trust, or have the DC for Domain A be the DC for both domains, since it has a trust already?

I hope that wasn't too confusing.

Thanks

Active directory user id modified


Hi All,

I have a Windows 2008 R2 domain controller. There was a request to check the security event logs for a user ID which was supposed to be disabled but was found enabled. Using LogParser I tracked event IDs 4725 / 4722, but found that Ad_connect_srv had made the changes for the RENAME of the ID. For example, the user ID Alex was there; I renamed Alex to x_alex for security purposes and disabled the ID, and now I see it has been renamed back to Alex.

Can someone shed light here, as I am going round and round...!!!

Active Directory Interview Questions & Answers


Hi All,

Could you please send Active Directory questions & answers specific to Windows Server 2012 R2? If anyone has some notes for AD 2012 R2, please mail them to us at Kaushal.temp@gmail.com.

Thanks


Kaushal Shah

HPC 2016 sp1 and authentication using a federated domains


Hi All,

We have just upgraded an application that required an upgrade of HPC from 2014 to 2016 Update 1, and we are having issues with a service account that uses federated credentials, as we did previously. Our working model is based upon a resource domain in AD1 and our user base, which is in AD2.

To get around the issue we have created users in our resource AD, but this is temporary, as it breaks our security rules. Does anyone know why the change in versions no longer allows us to have users and servers in different domains, even though they are trusted?

thanks for your help

Tim

Set of Permissions required to read the trust directions between domains


I am using the Domains.GetAllTrustRelationships() method to read the trust info. My current setup has a one-way trust with a domain in another forest. But for some reason, when I execute the Domains.GetAllTrustRelationships method with the Network Service account, I get the trust direction as Bidirectional. So I suspect that the Bidirectional trust is returned because the current user does not have sufficient rights in Active Directory to read this value and it is maybe returning null.

And if this is the case, then the code below from the TrustRelationshipInformation class of the System.DirectoryServices.ActiveDirectory assembly will return a Bidirectional trust:

internal TrustRelationshipInformation(DirectoryContext context, string source, TrustObject obj)
    {
      this.context = context;
      this.source = source;
      this.target = obj.DnsDomainName == null ? obj.NetbiosDomainName : obj.DnsDomainName;
      if ((obj.Flags & 2) != 0 && (obj.Flags & 32) != 0)
        this.direction = TrustDirection.Bidirectional;
      else if ((obj.Flags & 2) != 0)
        this.direction = TrustDirection.Outbound;
      else if ((obj.Flags & 32) != 0)
        this.direction = TrustDirection.Inbound;
      this.type = obj.TrustType;
    }

So can I get the set of permissions required in Active Directory for a user such that it is able to read the trust info?
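The flags the decompiled constructor tests are the DsEnumerateDomainTrusts values, 2 being DS_DOMAIN_DIRECT_OUTBOUND and 32 DS_DOMAIN_DIRECT_INBOUND, and the same information is stored on the local domain's trustedDomain object in trustDirection (1 inbound, 2 outbound, 3 bidirectional) and trustAttributes. Direction is always stated from the local side: Outbound means this domain trusts the partner, so the partner's principals can be granted access here, which is the side on which SID filtering and selective authentication matter. The Python below is an added example, not anything from the post or from the .NET assembly: it applies the constructor's rule to the API flags, cross-checks it against the LDAP attributes of the trust object, and reports the trustAttributes settings a security review looks at. The constants are from the DS_DOMAIN_TRUSTS structure and MS-ADTS 6.1.6.7.9 and 6.1.6.7.12; the sample trusts are constructed, and the review rules are the ones trust-audit tooling commonly applies, not a statement about the poster's environment.

```python
"""Decode and review AD trust metadata from two sources: DsEnumerateDomainTrusts flags
(what Domain.GetAllTrustRelationships() consumes) and the trustedDomain object's
trustDirection / trustAttributes attributes.

Added example, not from the post. Constants follow DS_DOMAIN_TRUSTS and MS-ADTS
6.1.6.7.9 / 6.1.6.7.12; SAMPLE_TRUSTS is constructed.
"""
from typing import List

# DS_DOMAIN_TRUSTS.Flags, the source of obj.Flags in the decompiled constructor
DS_DOMAIN_IN_FOREST = 0x01
DS_DOMAIN_DIRECT_OUTBOUND = 0x02
DS_DOMAIN_TREE_ROOT = 0x04
DS_DOMAIN_PRIMARY = 0x08
DS_DOMAIN_NATIVE_MODE = 0x10
DS_DOMAIN_DIRECT_INBOUND = 0x20

# trustedDomain.trustDirection, as stored on the local side's trust object
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}

# trustedDomain.trustAttributes bits
TA_NON_TRANSITIVE = 0x001
TA_UPLEVEL_ONLY = 0x002
TA_QUARANTINED_DOMAIN = 0x004            # SID filtering on an external trust
TA_FOREST_TRANSITIVE = 0x008
TA_CROSS_ORGANIZATION = 0x010            # selective authentication
TA_WITHIN_FOREST = 0x020
TA_TREAT_AS_EXTERNAL = 0x040             # forest trust relaxed to external-style filtering
TA_USES_RC4_ENCRYPTION = 0x080
TA_CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x200
TA_PIM_TRUST = 0x400
TA_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800
TRUST_ATTRIBUTES = {
    TA_NON_TRANSITIVE: "NON_TRANSITIVE", TA_UPLEVEL_ONLY: "UPLEVEL_ONLY",
    TA_QUARANTINED_DOMAIN: "QUARANTINED_DOMAIN", TA_FOREST_TRANSITIVE: "FOREST_TRANSITIVE",
    TA_CROSS_ORGANIZATION: "CROSS_ORGANIZATION", TA_WITHIN_FOREST: "WITHIN_FOREST",
    TA_TREAT_AS_EXTERNAL: "TREAT_AS_EXTERNAL", TA_USES_RC4_ENCRYPTION: "USES_RC4_ENCRYPTION",
    TA_CROSS_ORGANIZATION_NO_TGT_DELEGATION: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    TA_PIM_TRUST: "PIM_TRUST",
    TA_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}


def direction_from_api_flags(flags: int) -> str:
    """The rule in the decompiled constructor: bit 2 = direct outbound, bit 32 = direct inbound."""
    outbound = bool(flags & DS_DOMAIN_DIRECT_OUTBOUND)
    inbound = bool(flags & DS_DOMAIN_DIRECT_INBOUND)
    if outbound and inbound:
        return "Bidirectional"
    if outbound:
        return "Outbound"
    if inbound:
        return "Inbound"
    return "Disabled"          # neither bit set: the .NET code leaves direction at its default


def decode_attributes(attrs: int) -> List[str]:
    """Names of the trustAttributes bits that are set, plus any bit this table does not know."""
    names = [name for bit, name in TRUST_ATTRIBUTES.items() if attrs & bit]
    unknown = attrs & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"UNKNOWN_{unknown:#x}")
    return names


def review_trust(partner: str, trust_direction: int, trust_attributes: int, api_flags: int) -> List[str]:
    """Findings for one trust seen from the local domain. Outbound means the local domain
    trusts `partner`, so partner principals can be granted access to local resources."""
    findings = []
    ldap_dir = TRUST_DIRECTION.get(trust_direction, f"UNKNOWN_{trust_direction}")
    api_dir = direction_from_api_flags(api_flags)
    if ldap_dir != api_dir:
        findings.append(f"{partner}: API reports {api_dir} but trustedDomain.trustDirection says {ldap_dir}")
    within_forest = bool(trust_attributes & TA_WITHIN_FOREST)
    forest_trust = bool(trust_attributes & TA_FOREST_TRANSITIVE)
    if ldap_dir in ("Outbound", "Bidirectional") and not within_forest:
        if not forest_trust and not trust_attributes & TA_QUARANTINED_DOMAIN:
            findings.append(f"{partner}: external trust without SID filtering (quarantine)")
        if forest_trust and trust_attributes & TA_TREAT_AS_EXTERNAL:
            findings.append(f"{partner}: forest trust treated as external, SID history from the partner forest is accepted")
        if not trust_attributes & TA_CROSS_ORGANIZATION:
            findings.append(f"{partner}: no selective authentication, partner users are Authenticated Users here")
        if trust_attributes & TA_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION:
            findings.append(f"{partner}: TGT delegation enabled across the trust")
    return findings


# Constructed sample: a one-way external trust to another forest, and an intra-forest child.
SAMPLE_TRUSTS = [
    {"partner": "partner.example", "trust_direction": 2, "trust_attributes": TA_QUARANTINED_DOMAIN,
     "api_flags": DS_DOMAIN_DIRECT_OUTBOUND},
    {"partner": "child.corp.example", "trust_direction": 3, "trust_attributes": TA_WITHIN_FOREST,
     "api_flags": DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND | DS_DOMAIN_DIRECT_INBOUND},
]

if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        print(t["partner"], decode_attributes(t["trust_attributes"]), review_trust(**t) or "no findings")
```

Reading the trustedDomain objects under CN=System of the local domain gives the attribute values the review needs, and comparing them with what the API returns for the same partner is the quickest way to see whether a surprising direction comes from the data or from the reading side; the two sources describe the same trust and must agree.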


Account lockout after failed attempts


Hello everyone, good day,

Cordial greetings!

Thank you in advance for your time and the knowledge you share!

My question is the following:

I need to apply a policy that lets me lock out a domain user who authenticates against a web service and has made more than 5 failed attempts.

I remain attentive.

Many thanks for your kind collaboration and for the knowledge you share!


Henry Osorio O.

Display computer IP in AD


Hi,

I have Windows 2008 R2 domain. I am trying to display the computer's IP address in Active Directory, but I couldn't figure it out. I wonder if it is possible to do it.

Need help!

Thanks in advance!


Grace

ADMT is not being used anymore? How to migrate users to a new domain?


ADMT is not being used anymore? How do we migrate users to a new domain?

We have a Win2008R2/Win2012R2 AD forest and we're facing a new challenge: rename the domain and reboot more than 1,600 machines, TWICE?

Or create a new/pristine environment and re-create all objects and users?

Or use a tool like ADMT?

Besides SharePoint and a bunch of tools, we also have MS Office 365 with 100% of the mail service in the cloud, syncing with Azure AD Connect to sync information from AD to Office 365.

Is ADMT not an option anymore?

Is it not compatible with Office 365?

Does Office 365 support users with multiple SIDs?

would like to force replication imediately to all domain controller in the domain by command


I would like to force replication immediately to all domain controllers in the domain by command.

Does repadmin /syncall meet this need?

How to enable remote access to admin shares on Windows 10 PC for NON-administrator's domain user account?


Hello!

I need to set up access via GPO for a domain user account to remotely access the admin shares (C$, Admin$) on several PCs with Windows 10.

This user account will not be a local admin account on these PCs, for security reasons.

There are a lot of articles on the Net about how to access admin shares as a local administrator, but I have not found what rights I need to set up for ordinary domain users.

Thank you for any help.
