Channel: Directory Services forum

Managing DHCP installed on Domain Controllers?

If DHCP is installed on domain controllers, will DHCP admins be able to remotely manage DHCP with RSAT without also being a domain administrator?

CA Certificate - Windows Server local network

Good afternoon,

I have a question about the CA Certificates issued in Windows Server for Web sites.

The situation I have is as follows:

I have a server outside the X.int domain (Wserver), and another server within the X.int domain (Eserver). The Wserver server has several hosted sites that will be queried only by computers/users within the X.int domain.
At this point I need to change to https, and it is necessary to have a "trusted certificate", but at this moment I receive the indication that the page is not secure.
Is there any way to issue a trusted certificate from Wserver or Eserver (or some alternative, maybe with a gpo for example)?

How do I authenticate users from a different domain using IIS?

Scenario:

I have an existing domain (Domain A).  A new domain (Domain B) is going to be set up on the same network, but different forest from Domain A. In Domain B, an application is going to be set up that uses a web interface (IIS) for authentication.

Two things are required to happen:

1) The application in Domain B needs to (LDAP) query AD in Domain A to pull users into the app to be assigned access permissions.  (Can the LDAP query be configured to simply use a username/password to run and pull the users?)

2) From the web interface, users in Domain A need to authenticate using their Domain A username/password, and gain access to the application. (How do I accomplish this?)

I am new to Active Directory administration so your help is greatly appreciated.

Long path and file name issue

Dear Support,

Please guide us to resolve long path and file name issue.

Please let us know how to delete long path file name folder.

Regards,

Itsupport

Certificate template changes as a result of FFL/DFL raising

Hello all,

We are planning to raise the Domain Functional Level of 4 child domains and the Forest Functional Level of their root domain from version 2003 to 2008 R2, then subsequently 2012 R2. We have a Windows Certificate Authority within the root that is installed on a 2012 R2 server. The template versions are mostly old (v1 and v2).

Can anyone advise what automatic changes the act of raising the DFLs/FFL will have on the template schema versions? I.e. after I've hit the button (and assuming I make no manual changes to the templates themselves), can I expect any AUTOMATIC changes to these template versions, or will that be my own (manual) responsibility? Cannot locate any material from MS on this.

Thanks

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

I am getting the error below on my Windows Server 2012 domain controller, and it is getting restarted automatically.

I can find a hotfix only for Server 2012 R2, not for Server 2012.

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

Please advise.

Apparent Catch 22 Error when trying to bring up 2012 Domain Controller for DR Testing

So before, when we'd do this test using Server 2008 domain controllers, we didn't run into any issues other than having to do the registry tweak as detailed in this KB article (https://support.microsoft.com/en-us/kb/2001093). In short, what we do is bring up a series of VMs in an isolated environment at our DR site. The VMs are connected to a vSwitch that is not connected to any of the rest of our branches. We then power up the domain controllers (1 FSMO role holder and the other is a non-role-holding DC). Then once those are up and running we bring up the Exchange, file server and SQL servers and do some testing to ensure the replicated data is usable. Then we power down everything and decommission the volume snapshot that was used for the test.

Now with Server 2012, this is what we end up with. Neither domain controller will power on correctly because it can't see the rest of the network. Which in a DR situation could be a possibility (bring the servers at the DR site up as the telecoms are restoring connectivity). As far as I can tell the production AD environment is healthy. So is this just something that we have to deal with in the Server 2012 environment? Is it just not as resilient as the 2008 version?

Everything in production appears to be replicating normally and I'm getting good responses from dcdiag and repadmin /replsummary. Here are some of the errors we're seeing in the DR environment.


When attempting to open Active Directory Users and Computers.

And on the Non-FSMO role holder DC


And then here is what we were seeing from the FSMO holder.



Domain Controller replication issue

Primary Home Server = DC-MCSTUDENT-01

secondary = DC-MCSTUDENT-02.MCMSTUDENT.LOCAL

We are not able to do DC replication for both servers, and DCDiag is showing the following error:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC-MCSTUDENT-01

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\DC-MCSTUDENT-01

      Starting test: Connectivity

         ......................... DC-MCSTUDENT-01 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\DC-MCSTUDENT-01

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\DC-MCSTUDENT-02.MCMSTUDENT.LOCAL, when we were trying to reach

         DC-MCSTUDENT-01.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... DC-MCSTUDENT-01 failed test Advertising

      Starting test: FrsEvent

         ......................... DC-MCSTUDENT-01 passed test FrsEvent

      Starting test: DFSREvent

         ......................... DC-MCSTUDENT-01 passed test DFSREvent

      Starting test: SysVolCheck

         [DC-MCSTUDENT-01] An net use or LsaPolicy operation failed with error

         1203,

         The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator..

         

         ......................... DC-MCSTUDENT-01 failed test SysVolCheck

      Starting test: KccEvent

         ......................... DC-MCSTUDENT-01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC-MCSTUDENT-01 passed test

         KnowsOfRoleHolders

      Starting test: MachineAccount

         Could not open pipe with [DC-MCSTUDENT-01]:failed with 1203:

         The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator.

         Could not get NetBIOSDomainName

         Failed can not test for HOST SPN

         Failed can not test for HOST SPN

         ......................... DC-MCSTUDENT-01 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC-MCSTUDENT-01 passed test NCSecDesc

      Starting test: NetLogons

         [DC-MCSTUDENT-01] An net use or LsaPolicy operation failed with error

         1203,

         The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator..

         

         ......................... DC-MCSTUDENT-01 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC-MCSTUDENT-01 passed test

         ObjectsReplicated

      Starting test: Replications

         [Replications Check,DC-MCSTUDENT-01] DsReplicaGetInfo(PENDING_OPS,

         NULL) failed, error 0x2105 "Replication access was denied."

         ......................... DC-MCSTUDENT-01 failed test Replications

      Starting test: RidManager

         ......................... DC-MCSTUDENT-01 passed test RidManager

      Starting test: Services

         Could not open Remote ipc to [DC-MCSTUDENT-01.MCMSTUDENT.LOCAL]: error

         0x4b3

         "The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator."

         

         ......................... DC-MCSTUDENT-01 failed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:04:57

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:09:58

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0x00000456

            Time Generated: 09/09/2018   10:10:45

            Event String:

            The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.

         A warning event occurred.  EventID: 0xA004001B

            Time Generated: 09/09/2018   10:12:49

            EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
            (Event String (event log = System) could not be retrieved, error

            0x3ab3)

         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:13:13

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:13:13

            Event String:

            The Netlogon service depends on the Workstation service which failed to start because of the following error: 


         A warning event occurred.  EventID: 0x0000A000

            Time Generated: 09/09/2018   10:13:15

            Event String:

            The Security System detected an authentication error for the server LDAP/DC-MCSTUDENT-02.MCMSTUDENT.LOCAL/MCMSTUDENT.LOCAL@MCMSTUDENT.LOCAL. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 09/09/2018   10:13:16

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 


         A warning event occurred.  EventID: 0x0000A000

            Time Generated: 09/09/2018   10:13:22

            Event String:

            The Security System detected an authentication error for the server DNS/dc-mcstudent-02.mcmstudent.local. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.


         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:14:00

            Event String:

            The DFS Namespace service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:14:01

            Event String:

            The Fortinet Single Sign On Agent Service service depends on the Netlogon service which failed to start because of the following error: 


         An error event occurred.  EventID: 0x0000002E

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.


         An error event occurred.  EventID: 0xC0001B6F

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Windows Time service terminated with the following error: 


         An error event occurred.  EventID: 0x0000002E

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.


         An error event occurred.  EventID: 0xC0001B6F

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Windows Time service terminated with the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:14:02

            Event String:

            The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0x00000456

            Time Generated: 09/09/2018   10:14:41

            Event String:

            The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.

         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:15:31

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:18:17

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:19:59

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:20:44

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:20:44

            Event String:

            The DFS Namespace service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:20:51

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:20:51

            Event String:

            The Netlogon service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:20:51

            Event String:

            The Fortinet Single Sign On Agent Service service depends on the Netlogon service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:20:57

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:20:57

            Event String:

            The Netlogon service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:22:45

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:22:45

            Event String:

            The Netlogon service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:23:17

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:24:04

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:24:31

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:24:31

            Event String:

            The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   10:24:47

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   10:24:47

            Event String:

            The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:28:18

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:33:19

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:38:19

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:43:20

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:48:21

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:53:21

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   10:58:22

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         An error event occurred.  EventID: 0xC0001B5B

            Time Generated: 09/09/2018   11:01:03

            Event String:

            The Workstation service depends on the following service: mrxsmb10. This service might not be installed.

         An error event occurred.  EventID: 0xC0001B59

            Time Generated: 09/09/2018   11:01:03

            Event String:

            The Netlogon service depends on the Workstation service which failed to start because of the following error: 


         An error event occurred.  EventID: 0x00000422

            Time Generated: 09/09/2018   11:03:23

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\MCMSTUDENT.LOCAL\SysVol\MCMSTUDENT.LOCAL\Policies\{D7C4B455-3B2B-479D-A4A5-12DBF67B7245}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


         ......................... DC-MCSTUDENT-01 failed test SystemLog

      Starting test: VerifyReferences

         ......................... DC-MCSTUDENT-01 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : MCMSTUDENT

      Starting test: CheckSDRefDom

         ......................... MCMSTUDENT passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... MCMSTUDENT passed test CrossRefValidation

   
   Running enterprise tests on : MCMSTUDENT.LOCAL

      Starting test: LocatorCheck

         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355

         A Time Server could not be located.

         The server holding the PDC role is down.

         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error

         1355

         A Good Time Server could not be located.

         ......................... MCMSTUDENT.LOCAL failed test LocatorCheck

      Starting test: Intersite

         ......................... MCMSTUDENT.LOCAL passed test Intersite


No SYSVOL Shares

Hi All,

I have searched and tried several things, but I have a problem with two new 2016 DCs that have no SYSVOL shares.

Originally, I had a single SBS 2011 Std Server, acting as the sole DC.  The server is old and is no longer required, so the plan is to replace with two new servers, running 2016 Std.

The Domain Functional Level is 2008R2

I have introduced the two new 2016 Servers.  Although they will both run as DCs, they will both also provide a couple of other services.

2016Srv1 - Hyper-V Host running small VM for local application.

2016Srv2 - Running two file shares.  Has NIC Teaming enabled.

Both Servers appeared to join the domain OK and are also DNS Servers.  Each Server has its own static IP Address as the Primary DNS Entry.

There are a number of errors in the Application and Services Logs

Under

ADWS Log. On a boot I get the Event 1202, then it goes to ADWS is now started and accepting requests

DFS Replication - Error 1202 Failed to contact DC, Replication Stopped, then 1206 Replication service successfully Contacted the Local DC.

Under DNS I have a number of 4010 events, that mention records in the reverse look up zone.  Looking at them they all belong to older devices that no longer exist.  If I delete one from the SBS server, it is replicated to the two 2016 Servers.

File Replication Service Log Warning 13508

The File Replication Service is having trouble enabling replication from SBS to 2016SRV2 for c:\windows\sysvol\domain using the DNS name SBS.domainname.local. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 
 [1] FRS can not correctly resolve the DNS name SBS.domainname.local from this computer. 
 [2] FRS is not running on SBS.domainname.local. 
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

I have spent a couple of days trying to resolve this, any ideas?


Provide remote desktop access to user

Hi all,

I have a vendor that needs temporary access to remote into servers in the domain. Below are the steps that I plan to do. May I know if these are the correct steps? What if I have 200 servers for UserA to remote into? How do I apply the steps below to all servers, or is there any easier way, and if yes, how?

  1. Create account (UserA) with only Domain Users privilege. (Domain Admin is not allowed for vendor)
  2. Add UserA to "Remote Desktop Users"
  3. Add UserA in Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services

Rgds,

B

Set of Permissions required to read the trust directions between domains


I am using the Domains.GetAllTrustRelationships() method to read the trust info. My current setup has a one-way trust with the domain in the other forest. But for some reason, when I execute the Domains.GetAllTrustRelationships method with the Network Service account, I get the trust direction as Bidirectional. So I suspect that the Bidirectional trust is returned because the current user does not have sufficient rights in Active Directory to read this value, and it may be returning null.

And if this is the case, then the code below from the TrustRelationshipInformation class of the System.DirectoryServices.ActiveDirectory assembly will return a Bidirectional trust:

internal TrustRelationshipInformation(DirectoryContext context, string source, TrustObject obj)
    {
      this.context = context;
      this.source = source;
      this.target = obj.DnsDomainName == null ? obj.NetbiosDomainName : obj.DnsDomainName;
      if ((obj.Flags & 2) != 0 && (obj.Flags & 32) != 0)
        this.direction = TrustDirection.Bidirectional;
      else if ((obj.Flags & 2) != 0)
        this.direction = TrustDirection.Outbound;
      else if ((obj.Flags & 32) != 0)
        this.direction = TrustDirection.Inbound;
      this.type = obj.TrustType;
    }

So can I get the set of permissions required in Active Directory for a user so that it is able to read the trust info?

Password policy "enforce password history" seems to be not working


Password policy "enforce password history" seems to be not working

I am able to reset my password to a previously used password.

Where can I check the previously used password?

Removing Few Administrators


Hi Team,

We ran an MBSA scan on all of the domain controllers, and the one common finding was that there were more than two administrators.

Two accounts looked suspicious to me; I checked and found that they had been added to the Builtin\Administrators group.

1) One is a service account  2) One is a user account.

We have multiple DCs in a single forest. When I dug deeper, I was told that these two accounts need administrator access on only two DCs, not on all of the DCs.

When I tried deleting the accounts on one of the DCs (User Accounts -> Manage User Accounts -> removed both accounts), after a while they were removed from all of the DCs, including the DCs where they were required, and at the same time the accounts vanished from the Builtin\Administrators group.

I have added them back again.

Now my questions are:

1) How can I grant access for the two accounts only on the specific domain controllers?

2) For the accounts that were removed as described above, I really don't know which GPO is being applied (how do I check it?).

3) On one of the TechNet forums I found this command: net localgroup Administrators /add {domain}\{user}. Will this command help? (I would remove the accounts once again, run gpupdate /force on all of the domain controllers, then go to the specific domain controller and run this command. Would this achieve my outcome?)

4) Or is there any other GPO which is causing the ID to be regenerated after deletion?

5) Do let me know if there are any more details I need to check.

Awaiting your expert answers.

Regards,

Sumeet Mishra



Replication over VPN not working

I have a DC in the Philippines and a master DC at headquarters in the USA. It looks like replication is happening only one way. I can replicate any password and object from the US to the Philippines, but not from the Philippines to the US.

Question regarding SID History filtering


Hi All,

We are working to test the security of an Active Directory external trust. As per Microsoft TechNet articles, if we disable SID history filtering then the Administrators in the trusted domain can misuse this by adding the SID of an Administrator in the trusting domain to their own SID History.

While testing this we created 2 separate forests on Windows 2016 servers, created an external trust between the forests, disabled SID filtering on both domains and enabled SIDHistory in both domains, and added the SID of one domain's Administrator to the other domain's Administrator SID History. But when I try to access any resource in the trusting domain with the trusted domain ID, it fails. On checking the logs of the trusting domain I found event ID 4675 for SID filtering of the Domain Admin account. When I perform the same activity for a standard user by providing standard access it works, which means SID filtering is properly disabled and SID History is enabled.

I am not sure if there is any security feature in Windows 2016 where Domain Admin or well-known SIDs are always filtered irrespective of SID filtering settings.

If there is any such detail available, please help me with that.

Commands Used:

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:no

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /enablesidhistory:Yes
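An added audit example, not part of either post: it serves both the trust-direction question above and this SID filtering question by reading the stored trustDirection and trustAttributes values from the trustedDomain objects under CN=System and listing trusts whose SID filtering has been relaxed. The function name and the default -Server value are assumptions; the flag names and values are the TRUST_ATTRIBUTE_* constants from MS-ADTS.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# trustDirection values stored on trustedDomain objects (MS-ADTS).
$DirectionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

# trustAttributes bits relevant to SID filtering (MS-ADTS TRUST_ATTRIBUTE_* names).
$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering (quarantine) enabled on the trust
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_WITHIN_FOREST      = 0x20   # trust between domains of the same forest
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust filtered as if it were an external trust

function Get-TrustSidFilterAudit {
    # Hypothetical helper name; -Server defaults to the logged-on user's domain.
    param([string]$Server = $env:USERDNSDOMAIN)

    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    Get-ADObject -Server $Server -SearchBase "CN=System,$domainDn" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, trustAttributes |
    ForEach-Object {
        $attrs    = [int]$_.trustAttributes
        $isForest = [bool]($attrs -band $TA_FOREST_TRANSITIVE)
        $inForest = [bool]($attrs -band $TA_WITHIN_FOREST)
        $quarant  = [bool]($attrs -band $TA_QUARANTINED_DOMAIN)
        [pscustomobject]@{
            Partner         = $_.trustPartner
            Direction       = $DirectionNames[[int]$_.trustDirection]
            TrustAttributes = '0x{0:X}' -f $attrs
            # External trust (neither forest nor intra-forest) with the quarantine bit clear.
            QuarantineOff   = (-not $isForest) -and (-not $inForest) -and (-not $quarant)
            # Forest trust that is filtered with the looser external-trust rules.
            TreatAsExternal = $isForest -and [bool]($attrs -band $TA_TREAT_AS_EXTERNAL)
        }
    }
}

# Trusts whose SID filtering has been relaxed, listed for review.
Get-TrustSidFilterAudit |
    Where-Object { $_.QuarantineOff -or $_.TreatAsExternal } |
    Format-Table -AutoSize

# On the trusting domain's DCs, event 4675 records SIDs that were filtered (needs rights to read the Security log).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4675 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Message
```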


problem in replication


Hi all,

I have two domain controllers in the same site.

One is the primary domain controller, named DC.

The other domain controller, named ADC, is an additional one.

Both domain controllers experienced a power outage,

but "ADC", the additional domain controller, faced a time jump to a past date in 2002. Then the time service began to sync with the primary domain controller, and the time is right now.

But there is a problem in replication.

I think that "ADC", the additional domain controller, can replicate from "DC", the one holding the FSMO roles

(ADC is the downstream server and DC is the upstream server),

but "DC" cannot replicate from "ADC"

("DC" is the downstream server and "ADC" is the upstream server).

So I'm looking for a solution in https://support.microsoft.com/en-us/help/2020053/troubleshooting-ad-replication-error-8614-the-active-directory-cannot

If anyone could give me advice regarding this issue.

The output of repadmin is shown below.

The output of repadmin /showrepl DC

Default-First-Site-Name\DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
DSA invocationID: 210351f6-62a2-4cb5-8651-828f3dc53f85

==== INBOUND NEIGHBORS ======================================

DC=mydomaindc,DC=local
    Default-First-Site-Name\ADC via RPC
        DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
        Last attempt @ 2018-09-08 08:21:31 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
        3865 consecutive failure(s).
        Last success @ 2018-09-07 11:25:03.

CN=Configuration,DC=mydomaindc,DC=local
    Default-First-Site-Name\ADC via RPC
        DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
        Last attempt @ 2018-09-08 07:55:55 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
        30 consecutive failure(s).
        Last success @ 2018-09-07 11:25:03.

CN=Schema,CN=Configuration,DC=mydomaindc,DC=local
    Default-First-Site-Name\ADC via RPC
        DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
        Last attempt @ 2018-09-08 07:55:55 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
        23 consecutive failure(s).
        Last success @ 2018-09-07 11:25:03.

DC=DomainDnsZones,DC=mydomaindc,DC=local
    Default-First-Site-Name\ADC via RPC
        DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
        Last attempt @ 2018-09-08 08:21:26 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
        89 consecutive failure(s).
        Last success @ 2018-09-07 11:25:03.

DC=ForestDnsZones,DC=mydomaindc,DC=local
    Default-First-Site-Name\ADC via RPC
        DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
        Last attempt @ 2018-09-08 08:06:26 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
        83 consecutive failure(s).
        Last success @ 2018-09-07 11:25:03.

Source: Default-First-Site-Name\ADC
******* 3848 CONSECUTIVE FAILURES since 2018-09-07 11:25:03
Last error: 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

The output of repadmin /showrepl ADC

Default-First-Site-Name\ADC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
DSA invocationID: 7f1fe5f5-91d9-4a83-b527-3490d45547dd

==== INBOUND NEIGHBORS ======================================

DC=mydomaindc,DC=local
    Default-First-Site-Name\DC via RPC
        DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
        Last attempt @ 2018-09-08 08:21:33 was successful.

CN=Configuration,DC=mydomaindc,DC=local
    Default-First-Site-Name\DC via RPC
        DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
        Last attempt @ 2018-09-08 07:50:12 was successful.

CN=Schema,CN=Configuration,DC=mydomaindc,DC=local
    Default-First-Site-Name\DC via RPC
        DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
        Last attempt @ 2018-09-08 07:50:12 was successful.

DC=DomainDnsZones,DC=mydomaindc,DC=local
    Default-First-Site-Name\DC via RPC
        DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
        Last attempt @ 2018-09-08 07:58:04 was successful.

DC=ForestDnsZones,DC=mydomaindc,DC=local
    Default-First-Site-Name\DC via RPC
        DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
        Last attempt @ 2018-09-08 07:50:12 was successful.
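An added triage example, not part of the post: it parses showrepl text like the output quoted above and compares each failed attempt with its last success, so that an 8614 error reported after a gap far shorter than the tombstone lifetime stands out as a likely clock problem rather than a real replication outage. The function name is hypothetical, the embedded sample is trimmed from the post, and the 180-day tombstone lifetime is an assumed value.

```powershell
# Added example. The sample is trimmed from the "repadmin /showrepl DC" output quoted in the post.
$sample = @'
DC=mydomaindc,DC=local
    Default-First-Site-Name\ADC via RPC
        Last attempt @ 2018-09-08 08:21:31 failed, result 8614 (0x21a6):
        3865 consecutive failure(s).
        Last success @ 2018-09-07 11:25:03.
CN=Configuration,DC=mydomaindc,DC=local
    Default-First-Site-Name\ADC via RPC
        Last attempt @ 2018-09-08 07:55:55 failed, result 8614 (0x21a6):
        30 consecutive failure(s).
        Last success @ 2018-09-07 11:25:03.
'@

function Find-TombstoneErrorGap {
    param(
        [string[]]$Lines,
        [int]$TombstoneDays = 180   # assumed; use the forest's real tombstoneLifetime value
    )
    $fmt = 'yyyy-MM-dd HH:mm:ss'
    $inv = [cultureinfo]::InvariantCulture
    $nc = $null; $attempt = $null; $result = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^(DC|CN)=\S+$' { $nc = $line; break }          # naming context header
            'Last attempt @ (\S+ \S+) failed, result (\d+)' {
                $attempt = [datetime]::ParseExact($Matches[1], $fmt, $inv)
                $result  = [int]$Matches[2]; break
            }
            'Last success @ (\S+ \S+)\.' {
                if ($null -eq $attempt) { break }           # no failed attempt recorded
                $gap = $attempt - [datetime]::ParseExact($Matches[1], $fmt, $inv)
                [pscustomobject]@{
                    NamingContext = $nc
                    Result        = $result
                    GapDays       = [math]::Round($gap.TotalDays, 2)
                    # 8614 claims the tombstone lifetime was exceeded; a short gap contradicts that.
                    ClockSuspect  = ($result -eq 8614) -and ($gap.TotalDays -lt $TombstoneDays)
                }
                $attempt = $null
            }
        }
    }
}

Find-TombstoneErrorGap -Lines ($sample -split '\r?\n') | Format-Table -AutoSize
```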





Usage of -ServicePrincipalNames when creating gMSA accounts


This question is based on the below article,

https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps

As per the example the usage will look like below for gMSA accounts,
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

We always get the below error,

New-ADServiceAccount : The name reference is invalid
At line:1 char:1
+ New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

Was able to fix the issue using the below format. Not sure if the approach was correct but SPNs did get auto-registered in SQL Server.

New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

Questions:

1> Which is the correct syntax to create gMSA using -ServicePrincipalNames?
2> In the above example I have just used one server's SPNs [i.e., sqlserver]. But when we have several servers added to the gMSA Security Group, how do we use -ServicePrincipalNames?

I feel we need to have more elaborate explanations to the -ServicePrincipalNames.
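An added example, not part of the post, showing the parameter types involved: New-ADServiceAccount declares -ServicePrincipalNames as a string array, while the @{Add=...} hashtable form is what Set-ADServiceAccount accepts when changing SPNs on an existing account. The example.com domain, the two host names, port 1433 and the helper function name are assumptions; the account, group and instance names are taken from the post.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module and a KDS root key.
Import-Module ActiveDirectory

$gmsa   = 'gMSAsqlservice'
$domain = 'example.com'     # assumed placeholder domain
$port   = 1433              # assumed port; the post leaves it as <port#>

function New-SqlSpnList {
    # Hypothetical helper: builds the instance and port SPNs for each SQL host.
    param([string[]]$HostFqdn, [string]$Instance, [int]$Port)
    foreach ($h in $HostFqdn) {
        "MSSQLSvc/${h}:$Instance"
        "MSSQLSvc/${h}:$Port"
    }
}

function Assert-SpnUnused {
    # An SPN must be unique in the forest; stop before creating a duplicate.
    param([string[]]$Spn)
    foreach ($s in $Spn) {
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$s)"
        if ($owner) { throw "SPN $s is already registered on $($owner.DistinguishedName)" }
    }
}

# 1) Create the gMSA: -ServicePrincipalNames is String[] on New-ADServiceAccount.
$first = New-SqlSpnList -HostFqdn "sqlserver1.$domain" -Instance 'GMSA' -Port $port
Assert-SpnUnused -Spn $first
New-ADServiceAccount -Name $gmsa `
    -DNSHostName "$gmsa.$domain" `
    -ServicePrincipalNames $first `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL_gMSA_group'

# 2) A second server joins the group: add its SPNs with the hashtable form,
#    which is the type Set-ADServiceAccount expects (keys Add / Remove / Replace).
$second = New-SqlSpnList -HostFqdn "sqlserver2.$domain" -Instance 'GMSA' -Port $port
Assert-SpnUnused -Spn $second
Set-ADServiceAccount -Identity $gmsa -ServicePrincipalNames @{ Add = [string[]]$second }

# 3) Confirm what is registered and who may retrieve the managed password.
Get-ADServiceAccount -Identity $gmsa `
    -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
```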

Tagging user AD user ID with machine details


Hello All,

We are looking for a way to see the computer name (HostName) in the user attributes.

I have gone through all the attributes to check if we can use one or possibly update it.


Thanks HA

How to Migrate Infoblox DNS csv data to Microsoft Standalone DNS Server


I am working on a DNS migration activity. Currently DNS is running on an Infoblox appliance, and we pulled the zone information in CSV format. How do I import the data into a standalone Microsoft DNS Server?

The DNS service is installed on a Windows 2012 R2 system. Do I need to use any tools?

Our Some Site GP update not update successfully


Hello Team,

Please help me. I have approx. 8 sites in Active Directory, but on some sites gpupdate does not work properly on that site's systems and desktops. Please help me to close this.
