Managing DHCP installed on Domain Controllers?
CA Certificate - Windows Server local network
I have a question about the CA Certificates issued in Windows Server for Web sites.
The situation I have is as follows:
I have a server outside the X.int domain (Wserver), and another server within the X.int domain (Eserver). The Wserver server has several hosted sites that will be queried only by computers/users within the X.int domain.
At this point I need to change to https, and it is necessary to have a "trusted certificate", but at this moment I receive the indication that the page is not secure.
Is there any way to issue a trusted certificate from Wserver or Eserver (or some alternative, maybe with a gpo for example)?
How do I authenticate users from a different domain using IIS?
Scenario:
I have an existing domain (Domain A). A new domain (Domain B) is going to be set up on the same network, but different forest from Domain A. In Domain B, an application is going to be set up that uses a web interface (IIS) for authentication.
Two things are required to happen:
1) The application in Domain B needs to (LDAP) query AD in Domain A to pull users into the app to be assigned access permissions. (Can the LDAP query be configured to simply use a username/password to run and pull the users?)
2) From the web interface, users in Domain A need to authenticate using their Domain A username/password, and gain access to the application.(How do I accomplish this?)
I am new to Active Directory administration so your help is greatly appreciated.
Long path and file name issue
Dear Support,
Please guide us to resolve long path and file name issue.
Please let us know how to delete long path file name folder.
Regards,
Itsupport
Certificate template changes as a result of FFL/DFL raising
Hello all,
We are planning to raise the Domain Functional Level of 4 child domains and the Forest Functional Level of their root domain from version 2003 to 2008 R2, then subsequently 2012 R2. We have a Windows Certificate Authority within the root that is installed on a 2012 R2 server. The template versions are mostly old (v1 and v2).
Can anyone advise what automatic changes the act of raising the DFLs/FFL will have on the template schema versions? I.e. after I've hit the button (and assuming I make no manual changes to the templates themselves), can I expect any AUTOMATIC changes to these template versions, or will that be my own (manual) responsibility? Cannot locate any material from MS on this.
Thanks
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Getting the below error on my Windows Server 2012 domain controller, and it is getting restarted automatically.
I can find a hotfix only for Server 2012 R2, not for Server 2012.
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Please advise.
Apparent Catch 22 Error when trying to bring up 2012 Domain Controller for DR Testing
So before, when we'd do this test using Server 2008 domain controllers, we didn't run into any issues other than having to do the registry tweak as detailed in this KB article: https://support.microsoft.com/en-us/kb/2001093 In short, what we do is bring up a series of VMs in an isolated environment at our DR site. The VMs are connected to a vswitch that is not connected to any of the rest of our branches. We then power up the Domain Controllers (1 FSMO role holder and the other is a non-role-holding DC). Then once those are up and running we bring up the Exchange, file server and SQL servers and do some testing to ensure the replicated data is usable. Then power down everything and decommission the volume snapshot that was used for the test.
Now with Server 2012, this is what we end up with. Neither domain controller will power on correctly because it can't see the rest of the network, which in a DR situation could be a possibility (bring the servers at the DR site up as the telecoms are restoring connectivity). As far as I can tell the production AD environment is healthy. So is this just something that we have to deal with in the Server 2012 environment? Is it just not as resilient as the 2008 version?
Everything in production appears to be replicating normally and I'm getting good responses from dcdiag and repadmin /replsummary. Here are some of the errors we're seeing in the DR environment.
When attempting to open Active Directory Users and Computers.
And on the Non-FSMO role holder DC
And then here is what we were seeing from the FSMO holder.
Domain Controller replication issue
Primary Home Server = DC-MCSTUDENT-01
secondary = DC-MCSTUDENT-02.MCMSTUDENT.LOCAL
We are not able to do DC replication for both servers, and DCDiag shows the following error:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC-MCSTUDENT-01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC-MCSTUDENT-01
Starting test: Connectivity
......................... DC-MCSTUDENT-01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC-MCSTUDENT-01
Starting test: Advertising
Warning: DsGetDcName returned information for
\\DC-MCSTUDENT-02.MCMSTUDENT.LOCAL, when we were trying to reach
DC-MCSTUDENT-01.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... DC-MCSTUDENT-01 failed test Advertising
Starting test: FrsEvent
......................... DC-MCSTUDENT-01 passed test FrsEvent
Starting test: DFSREvent
......................... DC-MCSTUDENT-01 passed test DFSREvent
Starting test: SysVolCheck
[DC-MCSTUDENT-01] An net use or LsaPolicy operation failed with error
1203,
The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator..
......................... DC-MCSTUDENT-01 failed test SysVolCheck
Starting test: KccEvent
......................... DC-MCSTUDENT-01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC-MCSTUDENT-01 passed test
KnowsOfRoleHolders
Starting test: MachineAccount
Could not open pipe with [DC-MCSTUDENT-01]:failed with 1203:
The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
......................... DC-MCSTUDENT-01 passed test MachineAccount
Starting test: NCSecDesc
......................... DC-MCSTUDENT-01 passed test NCSecDesc
Starting test: NetLogons
[DC-MCSTUDENT-01] An net use or LsaPolicy operation failed with error
1203,
The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator..
......................... DC-MCSTUDENT-01 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC-MCSTUDENT-01 passed test
ObjectsReplicated
Starting test: Replications
[Replications Check,DC-MCSTUDENT-01] DsReplicaGetInfo(PENDING_OPS,
NULL) failed, error 0x2105 "Replication access was denied."
......................... DC-MCSTUDENT-01 failed test Replications
Starting test: RidManager
......................... DC-MCSTUDENT-01 passed test RidManager
Starting test: Services
Could not open Remote ipc to [DC-MCSTUDENT-01.MCMSTUDENT.LOCAL]: error
0x4b3
"The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator."
......................... DC-MCSTUDENT-01 failed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:04:57
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:09:58
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000456
Time Generated: 09/09/2018 10:10:45
Event String:
The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
A warning event occurred. EventID: 0xA004001B
Time Generated: 09/09/2018 10:12:49
EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:13:13
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:13:13
Event String:
The Netlogon service depends on the Workstation service which failed to start because of the following error:
A warning event occurred. EventID: 0x0000A000
Time Generated: 09/09/2018 10:13:15
Event String:
The Security System detected an authentication error for the server LDAP/DC-MCSTUDENT-02.MCMSTUDENT.LOCAL/MCMSTUDENT.LOCAL@MCMSTUDENT.LOCAL. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
An error event occurred. EventID: 0x0000041F
Time Generated: 09/09/2018 10:13:16
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
A warning event occurred. EventID: 0x0000A000
Time Generated: 09/09/2018 10:13:22
Event String:
The Security System detected an authentication error for the server DNS/dc-mcstudent-02.mcmstudent.local. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:14:00
Event String:
The DFS Namespace service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:14:01
Event String:
The Fortinet Single Sign On Agent Service service depends on the Netlogon service which failed to start because of the following error:
An error event occurred. EventID: 0x0000002E
Time Generated: 09/09/2018 10:14:02
Event String:
The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.
An error event occurred. EventID: 0xC0001B6F
Time Generated: 09/09/2018 10:14:02
Event String:
The Windows Time service terminated with the following error:
An error event occurred. EventID: 0x0000002E
Time Generated: 09/09/2018 10:14:02
Event String:
The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.
An error event occurred. EventID: 0xC0001B6F
Time Generated: 09/09/2018 10:14:02
Event String:
The Windows Time service terminated with the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:14:02
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:14:02
Event String:
The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:14:02
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:14:02
Event String:
The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:14:02
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:14:02
Event String:
The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:14:02
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:14:02
Event String:
The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:14:02
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:14:02
Event String:
The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:14:02
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:14:02
Event String:
The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0x00000456
Time Generated: 09/09/2018 10:14:41
Event String:
The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:15:31
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:18:17
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:19:59
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:20:44
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:20:44
Event String:
The DFS Namespace service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:20:51
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:20:51
Event String:
The Netlogon service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:20:51
Event String:
The Fortinet Single Sign On Agent Service service depends on the Netlogon service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:20:57
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:20:57
Event String:
The Netlogon service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:22:45
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:22:45
Event String:
The Netlogon service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:23:17
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:24:04
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:24:31
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:24:31
Event String:
The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 10:24:47
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 10:24:47
Event String:
The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:28:18
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:33:19
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:38:19
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:43:20
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:48:21
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:53:21
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 10:58:22
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0xC0001B5B
Time Generated: 09/09/2018 11:01:03
Event String:
The Workstation service depends on the following service: mrxsmb10. This service might not be installed.
An error event occurred. EventID: 0xC0001B59
Time Generated: 09/09/2018 11:01:03
Event String:
The Netlogon service depends on the Workstation service which failed to start because of the following error:
An error event occurred. EventID: 0x00000422
Time Generated: 09/09/2018 11:03:23
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
......................... DC-MCSTUDENT-01 failed test SystemLog
Starting test: VerifyReferences
......................... DC-MCSTUDENT-01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : MCMSTUDENT
Starting test: CheckSDRefDom
......................... MCMSTUDENT passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... MCMSTUDENT passed test CrossRefValidation
Running enterprise tests on : MCMSTUDENT.LOCAL
Starting test: LocatorCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
1355
A Good Time Server could not be located.
......................... MCMSTUDENT.LOCAL failed test LocatorCheck
Starting test: Intersite
......................... MCMSTUDENT.LOCAL passed test Intersite
No SYSVOL Shares
Hi All,
I have searched and tried several things, but I have a problem with two new 2016 DC that have no SYSVOL Shares.
Originally, I had a single SBS 2011 Std Server, acting as the sole DC. The server is old and is no longer required, so the plan is to replace with two new servers, running 2016 Std.
The Domain Functional Level is 2008R2
I have introduced the two new 2016 Servers. Although they will both run as DCs, they will both also provide a couple of other services.
2016Srv1 - Hyper-V Host running small VM for local application.
2016Srv2 - Running two file shares. Has NIC Teaming enabled.
Both Servers appeared to join the domain OK and are also DNS Servers. Each Server has its own static IP Address as the Primary DNS Entry.
There are a number of errors in the Application and Services Logs
Under
ADWS Log. On a boot I get the Event 1202, then it goes to ADWS is now started and accepting requests
DFS Replication - Error 1202 Failed to contact DC, Replication Stopped, then 1206 Replication service successfully Contacted the Local DC.
Under DNS I have a number of 4010 events, that mention records in the reverse look up zone. Looking at them they all belong to older devices that no longer exist. If I delete one from the SBS server, it is replicated to the two 2016 Servers.
File Replication Service Log Warning 13508
The File Replication Service is having trouble enabling replication from SBS to 2016SRV2 for c:\windows\sysvol\domain using the DNS name SBS.domainname.local. FRS will keep retrying. Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name SBS.domainname.local from this computer.
[2] FRS is not running on SBS.domainname.local.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
I have spent a couple of days trying to resolve this, any ideas?
Provide remote desktop access to user
Hi all,
I have a vendor that needs temporary access to remote into servers in the domain. Below are the steps that I plan to do. May I know if these are the correct steps? What if I have 200 servers for UserA to remote into? How do I apply the steps below to all servers, or is there an easier way? If yes, how?
- Create account (UserA) with only Domain Users privilege. (Domain Admin is not allowed for the vendor)
- Add UserA to "Remote Desktop Users"
- Add UserA in Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services
Rgds,
B
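The steps in the post scale badly to 200 servers, so here is an added example (my own, not from the post or any product documentation) of the group-based alternative: one domain security group carries the access, the account is given an expiry, and the group is pushed into each server's local "Remote Desktop Users" group over PowerShell remoting. The group name `RDP-Vendor-Access`, the account `userA` and the `servers.txt` list are placeholders. Membership of the local "Remote Desktop Users" group already carries the "Allow log on through Remote Desktop Services" right on member servers by default, so the third step in the post is only needed where that default has been tightened.

```powershell
# Added example (not from the original post): grant a vendor account RDP access
# to many servers through one domain group and a remote membership change,
# instead of editing each server by hand. Group/file names are placeholders.
Import-Module ActiveDirectory

$Group   = 'RDP-Vendor-Access'               # placeholder domain security group
$Vendor  = 'userA'                           # the account from the post
$Servers = Get-Content -Path .\servers.txt   # placeholder: one server FQDN per line
$Domain  = (Get-ADDomain).NetBIOSName

# 1. One domain group is the unit of access: membership is granted and later
#    revoked in a single place instead of on 200 servers.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
        -Description 'Temporary vendor RDP access'
}
Add-ADGroupMember -Identity $Group -Members $Vendor

# 2. Make the access temporary at the account level as well (14 days is an
#    assumed engagement length).
Set-ADAccountExpiration -Identity $Vendor -DateTime (Get-Date).AddDays(14)

# 3. Put the group into the local "Remote Desktop Users" group on every server
#    and report whether the membership is now present.
$results = Invoke-Command -ComputerName $Servers -ArgumentList "$Domain\$Group" -ScriptBlock {
    param([string]$Member)
    if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
        # Windows Server 2016+ / PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts)
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Member -ErrorAction SilentlyContinue
        $members = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name
    } else {
        # Older hosts: same operation via net.exe
        net localgroup "Remote Desktop Users" $Member /add | Out-Null
        $members = net localgroup "Remote Desktop Users"
    }
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Granted = ($members -contains $Member) }
}
$results | Sort-Object Server | Format-Table -AutoSize

# 4. When the engagement ends, one command removes the access everywhere:
# Remove-ADGroupMember -Identity $Group -Members $Vendor -Confirm:$false
```

The same result can be enforced declaratively with a GPO (Restricted Groups or Group Policy Preferences Local Users and Groups) linked to the OU that holds the servers; the script above is the ad-hoc version and leaves an explicit per-server result you can keep as a record of what was granted.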
Set of Permissions required to read the trust directions between domains
I am using the Domains.GetAllTrustRelationships() method to read the trust info. My current setup has a one-way trust with the domain in the other forest. But for some reason, when I execute the Domains.GetAllTrustRelationships method with the Network Service account, I get the trust direction as Bidirectional. So I suspect that the Bidirectional trust is returned because the current user does not have sufficient rights in Active Directory to read this value and maybe returns null.
And if this is the case, then the code below from the TrustRelationshipInformation class of the System.DirectoryServices.ActiveDirectory assembly will return a Bidirectional trust:
internal TrustRelationshipInformation(DirectoryContext context, string source, TrustObject obj)
{
    this.context = context;
    this.source = source;
    this.target = obj.DnsDomainName == null ? obj.NetbiosDomainName : obj.DnsDomainName;
    if ((obj.Flags & 2) != 0 && (obj.Flags & 32) != 0)
        this.direction = TrustDirection.Bidirectional;
    else if ((obj.Flags & 2) != 0)
        this.direction = TrustDirection.Outbound;
    else if ((obj.Flags & 32) != 0)
        this.direction = TrustDirection.Inbound;
    this.type = obj.TrustType;
}
So can I get the set of permissions required in Active Directory for a user such that it is able to read the trust info?
Password policy "enforce password history" seems to be not working
Able to reset my password to previous used password.
Where to check the previous used password?
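An added example (mine, not from the post) for checking which password-history setting really applies to an account and for reproducing the check the way the directory performs it. It assumes a placeholder account `jdoe` and the ActiveDirectory module. The point worth knowing is that password history and minimum age are enforced on a user-initiated change (Ctrl+Alt+Del, or `Set-ADAccountPassword` with `-OldPassword`); an administrative reset (`-Reset`, or "Reset Password" in ADUC) bypasses both, so "I reset my password to an old one and it worked" does not by itself show the policy is broken.

```powershell
# Added example (not from the original post): report the effective password
# history setting for an account and attempt a real password *change*, which
# is the operation the history check applies to. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-EffectivePasswordHistory {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # A fine-grained password policy (PSO) wins over the Default Domain Policy
    # when one applies to the account or one of its groups.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($pso) {
        return [pscustomobject]@{
            Source         = $pso.Name
            HistoryCount   = $pso.PasswordHistoryCount
            MinPasswordAge = $pso.MinPasswordAge
        }
    }
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Source         = 'Default Domain Policy'
        HistoryCount   = $default.PasswordHistoryCount
        MinPasswordAge = $default.MinPasswordAge
    }
}

Get-EffectivePasswordHistory -SamAccountName 'jdoe' | Format-List

# A user-initiated change: old and new password supplied, history is enforced.
$old = Read-Host -AsSecureString 'Current password'
$new = Read-Host -AsSecureString 'New password (try a previously used one)'
try {
    Set-ADAccountPassword -Identity 'jdoe' -OldPassword $old -NewPassword $new
    'Change accepted'
} catch {
    # Expected when $new is within the last HistoryCount passwords or the
    # minimum password age has not elapsed.
    "Change rejected: $($_.Exception.Message)"
}

# For contrast, this is the administrative reset path, which does NOT consult
# password history or minimum age (shown commented out on purpose):
# Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $new
```

If the change path rejects the reused password but the reset path accepts it, the policy is working as designed; the finding to act on is then who holds reset rights, not the history setting.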
Removing Few Administrators
Hi Team,
We had run an MBSA scan on all of the domain controllers, in which we found one common thing: multiple Administrators, more than two.
Two accounts were suspicious to me, for which I had checked and found they are added in the Builtin\Administrators group.
1) One is a service account 2) One is a user account.
We have multiple DCs under a single forest. Now when I dig deeper, it has been said these two accounts need to be part of only two DCs' Administrators access, not all the DCs.
When I tried deleting the accounts from one of the DCs by going into User Accounts -> Manage User Accounts --> removed both the accounts, then suddenly after a while they were removed from all of the DCs, and also from the DC where they were required, and in parallel I saw in the Builtin\Administrators group that the accounts had vanished.
I had added them back again.
Now my question over here is :
1) How could I grant access for the two accounts only to the specific domain controller?
2) For the account which was removed as said above, I really don't know which GPO is getting applied (how to check it).
3) From one of the TechNet forums I got this command: net localgroup Administrators /add {domain}\{user}. Will this command help? (I will remove them once again, run gpupdate /force on all of the Domain Controllers, then go to the specific Domain Controller and run this command. Will this achieve my outcome?)
4) Or is there any other GPO which is causing the ID to be regenerated after deleting?
5) Do let me know if there are any more details I need to check.
Awaiting all expert answers.
Regards,
Sumeet Mishra
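Two facts explain what the post observed, and an added example (mine, not from the post) shows how to confirm them. Domain controllers have no local SAM: Builtin\Administrators on a DC is a single domain-wide group replicated to every DC, so removing a member on one DC removes it everywhere, `net localgroup Administrators` on a DC edits that same group, and per-DC membership is not something the directory can express. Second, membership that reappears by itself is usually enforced by a Restricted Groups setting in a GPO linked to the Domain Controllers OU; those settings are stored in each GPO's `GptTmpl.inf` under `[Group Membership]`, keyed by the group's SID (S-1-5-32-544 is Builtin\Administrators). The script lists every GPO that defines such a setting and the GPO links in scope for the DCs; it assumes the GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not from the original post): find which GPOs enforce members of
# Builtin\Administrators (or any group) via Restricted Groups, and which GPOs are
# linked to the Domain Controllers OU. No site-specific names are assumed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

function Get-RestrictedGroupSettings {
    # Restricted Groups are written to the security template of each GPO:
    #   {GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, [Group Membership]
    # with lines such as  *S-1-5-32-544__Members = *S-1-5-21-...,DOMAIN\svc-account
    foreach ($gpo in Get-GPO -All) {
        $inf = Join-Path $policies "{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        Select-String -LiteralPath $inf -Pattern '__(Members|Memberof)\s*=' |
            ForEach-Object {
                [pscustomobject]@{
                    GPO     = $gpo.DisplayName
                    GpoId   = $gpo.Id
                    Setting = $_.Line.Trim()
                }
            }
    }
}

function Get-DomainControllerGpoLinks {
    # Every DC sits in the Domain Controllers OU, so its links (plus domain-level
    # links, inherited unless blocked) are the scope that can rewrite the group.
    $ou = "OU=Domain Controllers,$($domain.DistinguishedName)"
    (Get-GPInheritance -Target $ou).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}

'--- Restricted Groups settings found in SYSVOL ---'
Get-RestrictedGroupSettings | Format-Table -AutoSize

'--- GPOs in scope for the Domain Controllers OU ---'
Get-DomainControllerGpoLinks | Format-Table -AutoSize

# Cross-check the live group against what policy will enforce after gpupdate.
'--- Current members of Builtin\Administrators ---'
Get-ADGroupMember -Identity 'S-1-5-32-544' | Select-Object objectClass, SamAccountName, distinguishedName
```

`gpresult /scope computer /h report.html` on an affected DC shows the same winning GPO from the client side. The practical options are to remove the accounts from the Restricted Groups setting in that GPO (or from the group, if nothing enforces it) and, for the two DCs that genuinely need the accounts, to grant what the accounts actually need through delegated rights on those servers rather than Builtin\Administrators, which is equivalent to domain-wide administrative access.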
Replication over VPN not working
Question regarding SID History filtering
Hi All,
We are working to test the security of Active Directory external trusts. As per Microsoft TechNet articles, if we disable SID history filtering, then the administrators in the trusted domain can misuse this by adding the SID of the Administrator in the trusting domain to their own SID history.
While testing this we created 2 separate forests on Windows 2016 servers, created an external trust between the forests, disabled SID filtering on both domains and enabled SIDHistory in both domains, and added the SID of one domain's Administrator to the other domain's Administrator SID history. But when I try to access any resource in the trusting domain with the trusted domain ID, it fails. On checking the logs of the trusting domain I found event ID 4675 for SID filtering of the Domain Admin account. When I perform the same activity with a standard user by providing standard access, it works, which means SID filtering is properly disabled and SID history is enabled.
I am not sure if there is any security feature in Windows 2016 where Domain Admin or well-known SIDs are always filtered irrespective of the SID filtering settings.
If any such detail is available, please help me with that.
Commands Used:
netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:no
netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /enablesidhistory:Yes
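Added example, not part of the question: a PowerShell audit that reports the SID filtering state of every trust visible from the current domain and lists recent 4675 ("SIDs were filtered") events, the event ID observed above. Property names are those returned by Get-ADTrust; the interpretation of the forest-trust flag is an assumption and is reported raw rather than judged.

```powershell
# Added example (not from the question): defender-side check of trust SID filtering
# state plus the 4675 events a DC logs when it drops SIDs from a cross-trust logon.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $external = -not $_.ForestTransitive
        # External trusts: SIDFilteringQuarantined = $true corresponds to netdom /quarantine:yes.
        # Forest trusts: SIDFilteringForestAware is assumed to reflect forest-aware filtering
        # and is shown as-is so the reader can judge it against their own trust design.
        $filteringOff = $external -and -not $_.SIDFilteringQuarantined
        $finding = if ($filteringOff) { 'External trust with SID filtering disabled' } else { 'no finding' }
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            Finding                 = $finding
        }
    }
}

function Get-SidFilteredEvents {
    param([int]$Hours = 24)
    # 4675 is written to the Security log of the DC that performed the filtering.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4675; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
Get-SidFilteredEvents -Hours 24 | Format-Table -AutoSize
```

Run it on a DC of the trusting domain: any trust with the finding set, or a steady stream of 4675 events, is worth a second look before the trust is relied on.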
problem in replication
Hi all,
I have two domain controllers in the same site.
One is the primary domain controller, named DC.
The other domain controller, named ADC, is an additional one.
Both domain controllers experienced a power outage,
but "ADC", the additional domain controller, had a time jump to a past date in 2002; then the time service began to sync with the primary domain controller, and the time is right now.
But there is a problem in replication.
I think that "ADC", the additional domain controller, can replicate from "DC", the one holding the FSMO roles:
ADC is the downstream server and DC is the upstream server.
But "DC" cannot replicate from "ADC":
"DC" is the downstream server and "ADC" is the upstream server.
So I'm looking for a solution in https://support.microsoft.com/en-us/help/2020053/troubleshooting-ad-replication-error-8614-the-active-directory-cannot
If anyone could give me advice regarding that issue.
The output of repadmin is shown below.
The output of repadmin /showrepl DC:
Default-First-Site-Name\DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
DSA invocationID: 210351f6-62a2-4cb5-8651-828f3dc53f85
==== INBOUND NEIGHBORS ======================================
DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 08:21:31 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
3865 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
CN=Configuration,DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 07:55:55 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
30 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
CN=Schema,CN=Configuration,DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 07:55:55 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
23 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
DC=DomainDnsZones,DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 08:21:26 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
89 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
DC=ForestDnsZones,DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 08:06:26 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
83 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
Source: Default-First-Site-Name\ADC
******* 3848 CONSECUTIVE FAILURES since 2018-09-07 11:25:03
Last error: 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
The output of repadmin /showrepl ADC:
Default-First-Site-Name\ADC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
DSA invocationID: 7f1fe5f5-91d9-4a83-b527-3490d45547dd
==== INBOUND NEIGHBORS ======================================
DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 08:21:33 was successful.
CN=Configuration,DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 07:50:12 was successful.
CN=Schema,CN=Configuration,DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 07:50:12 was successful.
DC=DomainDnsZones,DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 07:58:04 was successful.
DC=ForestDnsZones,DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 07:50:12 was successful.
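Added example, not from the question: a PowerShell check that reads the forest's tombstone lifetime and compares it with each partner's last successful replication from repadmin's CSV output, so the condition behind error 8614 can be checked on every DC rather than by reading /showrepl by hand. The column names are those of `repadmin /showrepl * /csv`; an unset tombstoneLifetime attribute is assumed to mean the legacy 60-day default.

```powershell
# Added example (not from the question): flag replication partners that failed or whose
# last success is older than the tombstone lifetime (the 8614 condition).
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    # Assumption: an unset attribute means the legacy 60-day default.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-StaleReplicationPartners {
    $tsl = Get-TombstoneLifetimeDays
    repadmin /showrepl * /csv | ConvertFrom-Csv | ForEach-Object {
        $lastSuccess = $null
        # "Last Success Time" may be blank or "0" for a partner that never succeeded.
        if (-not [datetime]::TryParse($_.'Last Success Time', [ref]$lastSuccess)) { $lastSuccess = $null }
        $days = if ($lastSuccess) { [math]::Round(((Get-Date) - $lastSuccess).TotalDays, 1) } else { $null }
        [pscustomobject]@{
            Destination      = $_.'Destination DSA'
            Source           = $_.'Source DSA'
            NamingContext    = $_.'Naming Context'
            Failures         = [int]$_.'Number of Failures'
            LastStatus       = $_.'Last Failure Status'
            DaysSinceSuccess = $days
            ExceedsTSL       = ($null -eq $days) -or ($days -gt $tsl)
        }
    } | Where-Object { $_.Failures -gt 0 -or $_.ExceedsTSL }
}

"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-StaleReplicationPartners | Format-Table -AutoSize
```

In the situation above the report would show DC with status 8614 but only about one day since its last success, which is the signature of a partner whose clock jumped rather than one that has genuinely been offline past the tombstone lifetime.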
Usage of -ServicePrincipalNames when creating gMSA accounts
This question is based on the below article,
https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps
As per the example the usage will look like below for gMSA accounts,
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group
We always get the below error,
New-ADServiceAccount : The name reference is invalid
At line:1 char:1
+ New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount
I was able to fix the issue using the format below. Not sure if the approach was correct, but the SPNs did get auto-registered in SQL Server.
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group
Questions:
1> Which is the correct syntax to create a gMSA using -ServicePrincipalNames?
2> In the above example I have used just one server's SPNs (i.e., sqlserver). But when we have several servers added to the gMSA security group, how do we use -ServicePrincipalNames?
I feel we need more elaborate explanations of -ServicePrincipalNames.
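Added example, not from the question or from Microsoft's documentation: creating a gMSA whose SPNs cover several SQL Server hosts by passing -ServicePrincipalNames as a plain string array (the form that worked above), checking for duplicate SPNs first, and adding an SPN for a new host later with Set-ADServiceAccount. The host names, group name, domain and port are constructed placeholders, and the Add hashtable form for Set-ADServiceAccount is an assumption.

```powershell
# Added example (not from the question): gMSA with SPNs for several SQL hosts.
Import-Module ActiveDirectory

$domain   = 'xxxxxxx.com'                               # placeholder domain
$gmsaName = 'gMSAsqlservice'
$group    = 'SQL_gMSA_group'                            # group of hosts allowed to retrieve the password
$sqlHosts = 'sqlserver01', 'sqlserver02', 'sqlserver03' # constructed host names
$port     = 1433                                        # assumed SQL port

# One SPN per host without a port and one with the port, mirroring the question's pair.
$spns = foreach ($h in $sqlHosts) {
    "MSSQLSvc/${h}.${domain}"
    "MSSQLSvc/${h}.${domain}:${port}"
}

# A duplicate SPN breaks Kerberos for both accounts silently, so refuse to register one.
foreach ($spn in $spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owner) { throw "SPN $spn is already registered on $($owner.DistinguishedName)" }
}

# New-ADServiceAccount takes -ServicePrincipalNames as a string array, not an Add hashtable.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "${gmsaName}.${domain}" `
    -ServicePrincipalNames $spns `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES256

# Adding a host later: assumed Add/Remove/Replace hashtable form on Set-ADServiceAccount.
Set-ADServiceAccount -Identity $gmsaName -ServicePrincipalNames @{
    Add = "MSSQLSvc/sqlserver04.${domain}", "MSSQLSvc/sqlserver04.${domain}:${port}"
}

# Confirm what is now registered on the account.
(Get-ADServiceAccount -Identity $gmsaName -Properties servicePrincipalName).servicePrincipalName
```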
Tagging a user's AD user ID with machine details
Hello All,
We are looking for a way to see the computer name (hostname) in the user attributes.
I have gone through all the attributes to check if we can use one, or possibly update one.
Thanks, HA
How to Migrate Infoblox DNS csv data to Microsoft Standalone DNS Server
I am working on a DNS migration activity. Currently DNS is running on an Infoblox appliance, and we pulled the zone information in CSV format. How do I import the data into a standalone Microsoft DNS Server?
The DNS service is installed on a Windows 2012 R2 system. Do I need to use any tools?
GP update not updating successfully at some of our sites
Hello Team,
Please help me; I have approximately 8 sites in Active Directory, but at some sites gpupdate does not work properly on that site's systems and desktops. Please help me to close it.