Channel: Directory Services forum

Guest's account in the SAM database failed due to a resource error


Hello All,

I got this error on our server (DC) in the event log and it happened a few times (on Windows Server 2012 R2 Standard).

Guest's account in the SAM database failed due to a resource error, such as a typing error on the hard drive, not be locked. The error code can be found in the error data. Accounts are blocked after multiple incorrect password entries. Therefore, reset the password for this account.

Event ID: 12294, Source: Directory-Services-SAM

Could anyone please tell me what this error is?

Regards


Authentication with around 30 seconds delay

Hello, I get a 30 sec delay when I have two forests in Microsoft AD and we have established a trust between them; the user authentication process is delayed around 30 seconds.

My guess, for example: User-A in Forest-A, for authentication & identification, first refers to Forest-B, and if authentication fails, after 30 seconds the authentication process refers to Forest-A (its own forest).

Is this guess correct?

How can I change this 30 seconds interval timer?

Windows cannot query for the list of Group Policy objects


I have my session on a DC 2003 with account locked status, and some error events are being generated as 1030/1058.

Error: 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Error: 1058
Windows cannot access the file gpt.ini for GPO cn={1342C4-E50B-4708-AC94-0F2Cfd2CC8},cn=policies,cn=system,DC=xx,DC=xx,DC=com. The file must be present at the location <\\xx.xx.com\SysVol\xx.xx.com\Policies\{1342C4-E50B-4708-AC94-0F2Cfd2CC8}\gpt.ini>. (The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. ). Group Policy processing aborted.

I suspect it is a result of account authentication of my existing session on the DC, and that due to its locked status my profile is not allowed to look up the list of GPOs and apply them on the next group policy refresh cycle. Kindly correct me if I am wrong.

We still have a 2k3 DC structure :)


Regards, pwnkmr www.ITtechPoint.com

Change current ADCS PKI Root CA signature and asymmetric algorithms


How could one renew the CA certificate with a different signature and asymmetric algorithm (e.g. migrate from RSA-2048 SHA1 to ECDSA-256 (DH19) with SHA256)?

I may have found a way to change the signature algorithm: https://blogs.technet.microsoft.com/pki/2013/09/19/upgrade-certification-authority-to-sha256/

There may be other ways through the registry to do this: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn771627(v=ws.11)

Would I be better off creating a new CA to set this up?


Domain Upgrade to 2012 functional levels - how to avoid breaking things


Hi,

We have 4 2012 R2 DCs and 1 2003 server. Our domain and forest functional level is 2003. I want to upgrade to 2012 and want to check what could be impacted; here's what I'm planning to do:

- Lower compatible encryption and GPO settings to accommodate older clients (i.e. NT).

- Highlight to the business that the 100 Windows NT and Windows 2000 servers we have may no longer work as normal.

- Ask the business to identify all of their critical services which are dependent on AD and then ask vendors of each app whether a domain or forest upgrade to 2012 could cause any issues (from past experience I found an issue with a telephony provider not supporting 2012 domain and forest functional levels).

- Come up with a roll-back plan; so far, I have:

1. Restore DCs using NetBackup as a standard restore - not officially supported, but should work fine.

2. Run through the AD DS restore mode process which will take AD offline and take a few hours.

Advice is appreciated...

We have ten sites, including DC and DR; all sites have different subnets. Our requirement is to create an ADC on all sites and have users authenticate with their own site's ADC

We want to know how to create sites and services in Active Directory, and what it is used for in my requirement, and also how to have all sites' users authenticate with their OWN ADC server.

Extend AD schema for office 365


Hi folks,

I know what needs to be done to get Exchange (Office 365 in our case) attributes in on-prem AD. We never had an on-prem Exchange server.

This is required as we have SSO enabled by AAD Connect.

AAD Connect is set up and configured on another standalone server, not on the DC/AD server.

Queries:

1) Now the question is: should I download Exchange on our actual AD server and update the schema, and then refresh/select those attributes in the AAD Connect app?

2) Before performing this change in the AD schema, is there anything I should take into consideration except an AD backup by system state?

Last but not least - is there any other way we can have Exchange attributes in on-prem AD for SSO by Office 365 Azure AD?

Thanks

Atul

Set password hash of users in AD LDS


We are migrating users from our custom database to an AD LDS (Windows Server 2016) instance. We would like to avoid password resets. Is it possible to set the users' passwords to the same hash as the one found in the I&A DB and choose the same hashing algorithm in AD LDS as I&A uses?


Certificate template changes as a result of FFL/DFL raising


Hello all,

We are planning to raise the Domain Functional Level of 4 child domains and the Forest Functional Level of their root domain from version 2003 to 2008 R2, then subsequently 2012 R2. We have a Windows Certificate Authority within the root that is installed on a 2012 R2 server. The template versions are mostly old (v1 and v2).

Can anyone advise what automatic changes the act of raising the DFLs/FFL will have on the template schema versions? I.e. after I've hit the button (and assuming I make no manual changes to the templates themselves), can I expect any AUTOMATIC changes to these template versions, or will that be my own (manual) responsibility? I cannot locate any material from MS on this.

Thanks

Hybrid Joined Devices - Windows Hello for Business


Hey @all,

I've deployed 2 Windows Server 2016 VMs with Azure AD Connect and Hybrid Device Join. I've built a 2-tier PKI (based on 2 2k16 VMs) and followed these steps:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs

When I try to enroll the user certificate for WHFB I get the error:

Certificate enrollment for user failed to enroll for a WHFBAuthentication certificate with request ID N/A from N/A (Failed to enroll for an NGC cert because there is NO Enterprise SSO. 0x801c03f6 (DSREG: 1014 DSREG_E_NGC_CERT_NO_ENTSSO)).

Devices are correctly joined in AD and Azure AD (hybrid joined). The only thing we do not have is ADFS. I also ran the following command on the Sub CA:

certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY

As mentioned here, WHFB with PTA should also work:

For non-federated environments, key trust deployments work in environments that have deployed Password Synchronization with Azure AD Connect and Azure Active Directory Pass-through-Authentication

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs

Any suggestions or ideas? I would be really happy to get this running.


Kind regards

Sandro Reiter
Consultant Cloud Infrastructure

Cannot demote Server 2008 R2 Domain Controller - The operation failed:


Hi all,

I am trying to demote a Server 2008 R2 Domain Controller. When I run dcpromo and go through the steps to demote, it ends with the error:
The operation failed because: Active Directory Domain Services could not transfer the remaining data in the directory partition.

I've checked the FSMO roles and they are all on the correct DC which is staying and not being removed.

I've also checked the event log and get the following errors. Does anyone have an easy step by step way of correcting this?

The operations master roles held by this directory server could not transfer to the following remote directory server. 


Remote directory server: 
\\Servername.domainname.com 

This is preventing removal of this directory server.

Ownership of the following FSMO role is set to a server which is deleted or does not exist. 

Operations which require contacting a FSMO operation master will fail until this condition is corrected. 

FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=domainname,DC=com 
FSMO Server DN: CN=NTDS Settings\0ADEL:f2dc2791-2596-4619-891f-fbb7b74d8ab7,CN=SERVER2\0ADEL:f1430942-c7c6-4938-97a3-4a68e65cbdca,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=com 

Customize AGDLP strategy for specific needs


Hi all, hoping I could get some input on how to stick to the best-practice AGDLP nesting strategy while meeting the specific needs of my users/departments.

I have a network share for our Marketing department. Following AGDLP, I have put my Marketing users in a Global group called G_Marketing, I then put that group in a Domain Local group called DL_MRKShareModify, and I have assigned the appropriate share/NTFS permissions to the DL_MRKShareModify group on the actual shared folder. This works perfectly if ALL of my Marketing users should have access to the share, but in reality, only a select few Marketing users should have access to the share.

What is the best way to set this up while also sticking to the AGDLP best practice?

Forest functional level not compatible


I have a new 2012 R2 server on which I have installed AD DS, and which is also hosting the forest. I have another Windows 2012 R2 server that I am attaching to that existing forest, and I am getting the following error message: The functional level of the forest is incompatible with this operating system

The domain and forest functional level of the primary domain is Windows 2012 R2, but I am still getting the error.

Please help with this issue.

Thank you

Avinash Udawant

Allowing a specific group to restore deleted AD objects


Hi

I checked this doc: https://support.microsoft.com/en-us/help/892806/how-to-let-non-administrators-view-the-active-directory-deleted-object and it did allow the group I want to view Deleted Objects. However, when they try to actually restore a user/computer account they get an error reading "Insufficient access rights to perform the operation."

When I checked the output from: dsacls "CN=Deleted Objects,DC=*,DC=*,DC=*" /g Domain\Group:LCRP I can see that the group I selected has the same rights as the default Domain\Administrators group has, so I don't think the issue is here. I even went one step further and tried running the command: dsacls "CN=Deleted Objects,DC=*,DC=*,DC=*" /g Domain\Group:GA which grants full control of the Deleted Objects container, and still they receive the same error.

So I'm thinking it's a different permission they are missing. I tried restoring to several different locations in AD, including some OUs where this group has full control, and that didn't help either. I should add that I, as a domain admin, can do this with no issues.

Anyone have an idea what is missing?




Server 2012 R2

I have Server 2012 which I migrated from SBS 2008. I ran all the migration tools and dcpromo. Everything was working fine, but now I can't see AD Users and Computers. Not sure what happened. Any help would be awesome.


Restrict the Admin account to unlock a single user account not more than two times in a day.


Dear Team,

We need to restrict the Admin account to unlock a single user account not more than two times in a day.

Is there any option or script available to achieve this?

Thanks

Jijo Antony. K

Usage of -ServicePrincipalNames when creating gMSA accounts


This question is based on the article below:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps

As per the example, the usage will look like the below for gMSA accounts:
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

We always get the error below:

New-ADServiceAccount : The name reference is invalid
At line:1 char:1
+ New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

I was able to fix the issue using the format below (the -ServicePrincipalNames value passed as a plain array, and the missing dash restored on the -PrincipalsAllowedToRetrieveManaged parameter). Not sure if the approach was correct, but the SPNs did get auto-registered in SQL Server.

New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

Questions:

1> Which is the correct syntax to create a gMSA using -ServicePrincipalNames?
2> In the above example I have just used one server's SPNs (i.e., sqlserver). But when we have several servers added to the gMSA security group, how do we use -ServicePrincipalNames?

I feel we need more elaborate explanations of -ServicePrincipalNames.
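The array form in the post generalised to several SQL hosts, with a read-back check that every SPN actually landed on the account, as an added example that is not part of the original post or of Microsoft's documentation. The domain, host names, port, group name and the KerberosEncryptionType setting are assumptions chosen for illustration; -ServicePrincipalNames on New-ADServiceAccount is a String[], while the @{Add=...} hashtable form is the Set-ADServiceAccount syntax.

```powershell
# Added example, not from the original post. Domain, hosts, port and group are placeholders.
Import-Module ActiveDirectory

$domain = 'corp.example.com'                 # placeholder DNS domain
$hosts  = 'sqlserver01', 'sqlserver02'       # every host that will run SQL Server under the gMSA
$port   = 1433                               # placeholder instance port

# Build one SPN list covering all hosts: default-instance and port-qualified forms.
# New-ADServiceAccount takes a plain string array here, not the @{Add=...} hashtable
# that Set-ADServiceAccount expects (passing the hashtable is what produces
# "The name reference is invalid").
$spns = foreach ($h in $hosts) {
    'MSSQLSvc/{0}.{1}'     -f $h, $domain
    'MSSQLSvc/{0}.{1}:{2}' -f $h, $domain, $port
}

$params = @{
    Name                                       = 'gMSAsqlservice'
    DNSHostName                                = "gMSAsqlservice.$domain"
    ServicePrincipalNames                      = $spns
    # Group whose members are the SQL hosts' computer accounts (placeholder name).
    PrincipalsAllowedToRetrieveManagedPassword = 'SQL_gMSA_group'
    # Assumption added here: restrict the service to AES so no RC4-only tickets are issued for it.
    KerberosEncryptionType                     = 'AES128', 'AES256'
}
New-ADServiceAccount @params

# Read the account back and confirm every expected SPN is present.
$acct    = Get-ADServiceAccount -Identity 'gMSAsqlservice' -Properties ServicePrincipalNames
$missing = $spns | Where-Object { $_ -notin $acct.ServicePrincipalNames }
if ($missing) {
    Write-Warning ("SPNs not registered: " + ($missing -join ', '))
} else {
    Write-Host ("All {0} SPNs registered on {1}" -f $spns.Count, $acct.DistinguishedName)
}

# Duplicate SPNs anywhere in the forest break Kerberos for that service; check before use.
setspn -X -F
```

Run Test-ADServiceAccount on each SQL host after installing the gMSA there to confirm the host can retrieve the managed password.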

AD Password Sync Between 1-Way Trust Domains


I have a client challenge that I hope we can solve.

Scenario

Corporate - 1-way trust to our client AD.

Mirrored AD users, but completely unique SID per domain.

Assume zero assistance from corporate; assume no sight in any way into the corporate environment.

Problem - corporate requires 90-day password rotation that is synchronized to their corporate AD architecture.

I.e. if they have user jp required to change password at the corporate site, it must be done on our client side at the same time.

My thoughts so far....

Is there a way to pull the event log locally on a PC that splits domain logins?

Can we see the corporate domain pw prompt event ID trigger on the local PC and then trigger a script/GPO on our client domain to prompt the user to change their password when they log in next?

(Yes - they log in as jp@domaina.com and jp@domainb.com on the same systems, as well as having separate systems dedicated for each domain's use depending on office.)

I have found this as the closest to it; however it is on a failed pw reset attempt. Anyone have any solutions or up for a challenge?

Description Fields in 4724

Subject:

The user and logon session that performed the action.

Security ID: The SID of the account.

Account Name: The account logon name.

Account Domain: The domain or - in the case of local accounts - computer name.

Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Target Account:

Security ID: SID of the account

Account Name: name of the account

Account Domain: domain of the account

FYI - we have zero room to change any structure or requirements.

I am aware we can introduce password sync from corporate to client. This way, when the password is changed in corporate it syncs to the corresponding account in the client domain, hence adhering to the 90-day rule. There are password sync solutions that work from domain to domain and from domain to local account.

BUT, unfortunately any work on the corporate end is not a possibility at this time. It has to be a 100% client-side solution.

PDC failed test VerifyReferences


Hi,

We are facing a few errors on dcdiag /q, but mainly references are not being verified.

I have read the article KB312862, but it seems to be for an issue with FRS; we have DFL/FFL as Windows 2008 and we are using DFSR.

OS: Windows 2008 R2

Anyone who can guide how to resolve this issue?

 ......................... PDC failed test SystemLog

         Some objects relating to the DC PDC have problems: 
            [1] Problem: Missing Expected Value

             Base Object: CN=PDC,OU=Domain Controllers,DC=DOMAIN,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
         ......................... PDC failed test VerifyReferences

Authentication authority asserted identity question


Hello!

How do I add a computer account to the Authentication authority asserted identity security group?

Thank you!
