Channel: Directory Services forum

Account Lockout


Hi Experts,

I have an AD account on which I have to perform my daily tasks such as logging into remote desktop, the scheduler and other tasks.

For the past 10 days, my account has been getting locked daily in the evening around 5:45 to 6:00 PM, and daily I have to unlock it, which is a painful activity.

For troubleshooting purposes I have referred to https://activedirectorypro.com/account-lockout-tool/ and performed R&D, but I am unable to understand the real issue.

First I checked that the Orig Lock (using the Lockout Status tool) is one of my domain controllers, so I checked event ID 4740 on that domain controller; the caller computer name is "CSAPL-NMS". Next I logged on to the caller computer and filtered for event 4625, but I was unable to find any relevant event that would give more description of the service on which the caller computer performed the logon.

During review of the logs on the caller computer "CSAPL-NMS" I found event ID 4648 and found that a Windows Server 2003 named "cs-new-hrms" is the target server.

All the relevant screenshots and logs:

https://crescentpk-my.sharepoint.com/:f:/g/personal/osama_mansoor_crescent_com_pk/EtZfe2oWyF9BqRxgQGzAXfIB_qs5IT83i98u26SZ3eyzzQ?e=c9sc03






OU delegation in active directory.

We have 8 sites in Active Directory. I have created an OU in Active Directory for xyz site users. We want xyz site users to be able to reset the passwords of their own OU only. Please help me close this.

DFSR error ID:5008/4612 Towards demoted/removed DC


I am having an issue where I see the following errors:

The DFS Replication service failed to communicate with partner OLDSERVER for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
 
Partner DNS Address: OLDSERVER.Domain.local
 
Optional data if available:
Partner WINS Address: OLDSERVER
Partner IP Address: x.x.x.x
 
The service will retry the connection periodically.
 
Additional Information:
Error: 1722 (The RPC server is unavailable.)

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner OLDSERVER.domain.local. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 4846FCD2-7777-4EDF-BC6B-13E8E16C4446
Replication Group Name: Domain System Volume
Replication Group ID: CB5BCAE8-C44F-40A8-80DD-A88DC4FDAF74
Member ID: FA911E0C-253C-426A-8EC7-71D85B49C0EB
Read-Only: 0


The server was not removed from the domain correctly, so I am doing a lot of cleaning up. The issue I face is that the other solutions I have found for this are to use metadata cleanup, but OLDSERVER is not present there.

Or to use ADSI Edit to locate CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local and delete the record of OLDSERVER, but the record is not there.

I have 4 domain controllers at the moment: 2 of them are 2016 (newly installed) and 2 are 2012 R2.

The error is only active on 1 of the 2012 R2 servers; the rest see no DFSR errors. OLDSERVER's old DNS records have all been removed.

Any pointers or ideas will be greatly appreciated.

Access denied trying to remove Server 2008R2 DC


I am in the process of retiring a DC from my domain and have run into an issue. When I ran dcpromo, I would get a prompt for AD account credentials, then shortly after, an access denied message. I was able to complete a force removal, but when I attempt to remove the AD object, I get an access denied error. The user account I am using is a member of the Administrators, Domain Admins, and Enterprise Admins AD groups. I had verified prior to starting this that the "protect from accidental deletion" boxes were not checked for either the AD object or NTDS. The error I receive is

"Windows cannot delete object Ldap://activeDCname/CN=NTDS Settings,CN=Servername of DC being removed,CN=Servers,CN=SiteName,CN=configuration,DC=domain,DC=local because Access is Denied"

How to tell if I'm using DFS or DFSR to replicate SYSVOL?

How to tell if I'm using DFS or DFSR to replicate SYSVOL?

My first AD server is 2008R2 (10 years ago), and over time we added some Win2012R2 AD servers.

Yesterday I added my first Win2016 AD server and got a warning regarding DFS vs. DFSR.

I'm not entirely sure whether I'm using DFS, so how do I check?

I never did the SYSVOL migration.

C:\Windows\system32>dfsrmig.exe /getglobalstate
Current DFSR global state: 'Start'
Succeeded.

reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols"
    Local State    REG_DWORD    0x0

Based on this article:

http://itprocentral.com/how-to-identify-the-replication-technology-in-use-by-active-directory/

In the new window, look for the msDFSR-Flags attribute, and if the value is 48 then DFS is in use. If the value is one of these (null/empty, 0, 16 or 32), then you are in a transition or FRS mode.

My msDFSR-Flags is NULL.

So, I'm using DFS-R?

I need to change the replication partner of a RODC because of a planned outage for the DC.


Is it safe to create a second replication link for the RODC to a secondary DC?

I understand that if the DC is demoted, a new link will be made automatically to another DC. But in case of a planned power outage (I will have to power off the DC in the link), the surviving RODC will not work anymore unless I make a link to another DC before the outage. Am I correct?


Victor

forest is incompatible with the complete behavior of this optional feature - Current functional level: 4294967295


forest is incompatible with the complete behavior of this optional feature -  Current functional level: 4294967295

An optional feature is enabled on this DC. However, the functional level of the forest is incompatible with the complete behavior of this optional feature.

 This condition could be due to a delay in replication to this Active Directory Domain Controller of a change to the functional level of the forest, and may correct itself automatically. If this condition persists, manual intervention may be necessary.

 User Action
 Raise the functional level of the forest to at least the minimum required functional level.

 Optional feature: Recycle Bin Feature
 Minimum required functional level: 4
 Current functional level: 4294967295

The full story:

1) Between 2009/May and 2016/Jan, all DCs were Win2008R2

2) Jan/2016, we introduced the first Win2012R2-based AD/DC

3) 3 days ago, we introduced the first Win2016 DC/AD

AD replication is fine, users are being created and deleted, no problem.

But during the install/dcpromo and even several hours after the Win2016 install, the error was there: Current functional level: 4294967295


PS C:\Windows\system32> Get-ADDomain | fl Name,DomainMode


Name       : qgog
DomainMode : Windows2008R2Domain

PS C:\Windows\system32> Get-ADForest | fl Name,ForestMode


Name       : qgog.ad
ForestMode : Windows2008R2Forest

My Recycle Bin is working well, no problem; I tested restoring a deleted object.

Is it a BUG?

I'm trying to figure out why the number is so bizarre and whether it could be a replication latency issue (18 DCs, spread around the world, including very-low-latency satellite networks).


AD account operators cannot update Exchange attributes.


Hello All, 

I have a few AD admins whose accounts are in the Account Operators group in AD.  It seems that the admins have no issues managing user accounts as for creating, resetting passwords and so on. 

There are two issues I am seeing so far:

1. The Account Operators are not able to update the "Email" attribute - please see image. 
2. The Account Operators are not able to update the "ProxyAddresses" attribute - please see image. 

I have tried to custom delegate a test account but have had no success yet. We used to have on-prem Exchange in our environment.

Could someone who knows the steps to grant these permissions please advise? I have tried to custom delegate a test account but still have no success in making changes to those attributes. I have also tried adding the test user to the Exchange Recipient Administrators group, but still no luck.

Many Thanks.  





Domain Upgrade to 2012 functional levels - how to avoid breaking things


Hi,

We have 4 2012 R2 DCs and 1 2003 server. Our domain and forest functional level is 2003. I want to upgrade to 2012 and want to check what could be impacted. Here's what I'm planning to do:

- Lower compatible encryption and GPO settings to accommodate older clients (i.e. NT).

- Highlight to the business that the 100 Windows NT and Windows 2000 servers we have may no longer work as normal.

- Ask the business to identify all of their critical services which are dependent on AD and then ask vendors of each app whether a domain or forest upgrade to 2012 could cause any issues (from past experience I found an issue with a telephony provider not supporting 2012 domain and forest functional levels).

- Come up with a roll back plan, so far, I have:

1. Restore DCs using NetBackup as a standard restore - not officially supported, but should work fine.

2. Run through the AD DS restore mode process which will take AD offline and take a few hours.

Advice is appreciated...

create and delete user account on a specific ou with domain user rights


Is it possible to add users to a security group and give them the right to create and delete users, but only in a specific OU?

If so, what tool can be given to them without them seeing the rest of the AD?

 

DC Event 4634 (logoff) instead of 4624 (logon) ?


Hello Team,

I am forwarding all security events from the DC to Splunk and tracking logon (4624) vs logoff (4634) events, and I noticed that sometimes I see a logoff event just a second after I log on via RDP (and in such cases I never receive a logon event).

As a result I see more 4634 logoff events than logon (4624) events.

Moreover, I see logoff events with a logon ID for which the logon event does not exist (and as per the documentation it should).

That is happening randomly, but for a large part of my RDP sessions; for the rest I do have correct logon and logoff events.

It is not user dependent: the same user sometimes sends the right logon+logoff pair, sometimes only the logoff.

Windows 2012R2. Could you please help me? Is it a bug?

Thanks,

Michal
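The two event-correlation tasks described on this page, tracing a 4740 lockout on the DC back to the 4648 explicit-credential logons on the caller computer (the Account Lockout post above), and pairing 4624 logon with 4634 logoff events by Logon ID so that orphan logoffs can be flagged (this post), share the same small event model, so one added example covers both. This is illustration code, not code from either post or from Splunk. It assumes the events have already been exported and parsed into dicts keyed by the EventData field names Windows uses (TargetUserName, TargetLogonId, LogonType, CallerComputerName, TargetServerName); every sample record, timestamp, Logon ID and user name below is constructed, with only the hostnames CSAPL-NMS and cs-new-hrms taken from the lockout post.

```python
"""Correlate Windows security events across a DC and a member host.

Added example, not code from the forum posts. Assumes events already parsed
into dicts using the EventData field names from the Windows security log.
All sample records are constructed; hostnames come from the lockout post.
"""
from datetime import datetime, timedelta


def ts(s):
    """Parse the ISO-8601 timestamps used in the constructed samples."""
    return datetime.fromisoformat(s)


# --- Constructed sample: 4740 on the DC, 4648 on the caller computer ---------
DC_EVENTS = [
    {"EventID": 4740, "Time": "2019-03-04T17:48:02", "TargetUserName": "user1",
     "CallerComputerName": "CSAPL-NMS"},
    {"EventID": 4740, "Time": "2019-03-04T09:10:00", "TargetUserName": "user2",
     "CallerComputerName": "WS-OTHER"},
]

CALLER_EVENTS = [  # constructed export from CSAPL-NMS
    {"EventID": 4648, "Time": "2019-03-04T17:47:55", "TargetUserName": "user1",
     "TargetServerName": "cs-new-hrms", "ProcessName": "svchost.exe"},
    {"EventID": 4648, "Time": "2019-03-04T17:47:58", "TargetUserName": "user1",
     "TargetServerName": "cs-new-hrms", "ProcessName": "svchost.exe"},
    {"EventID": 4648, "Time": "2019-03-04T12:00:00", "TargetUserName": "user1",
     "TargetServerName": "fileserver01", "ProcessName": "explorer.exe"},
]


def lockout_sources(dc_events, caller_events, user, window=timedelta(minutes=5)):
    """Chain each 4740 lockout for `user` on the DC to the 4648 events on the
    caller computer that precede it within `window`.

    Returns {target_server: count}; the server a stale credential keeps being
    presented to is the one that shows up here.
    """
    lockouts = [e for e in dc_events
                if e["EventID"] == 4740 and e["TargetUserName"] == user]
    hits = {}
    for lock in lockouts:
        t_lock = ts(lock["Time"])
        for ev in caller_events:
            if ev["EventID"] != 4648 or ev["TargetUserName"] != user:
                continue
            if t_lock - window <= ts(ev["Time"]) <= t_lock:
                srv = ev["TargetServerName"]
                hits[srv] = hits.get(srv, 0) + 1
    return hits


# --- Constructed sample: 4624/4634 stream from a DC, as forwarded to Splunk ---
LOGON_EVENTS = [
    {"EventID": 4624, "Time": "2019-03-05T08:00:00", "TargetUserName": "userA",
     "TargetLogonId": "0x3a1f2", "LogonType": 10},
    {"EventID": 4634, "Time": "2019-03-05T09:30:00", "TargetUserName": "userA",
     "TargetLogonId": "0x3a1f2", "LogonType": 10},
    {"EventID": 4634, "Time": "2019-03-05T09:31:01", "TargetUserName": "userA",
     "TargetLogonId": "0x3b7c0", "LogonType": 3},   # no 4624 for this Logon ID
    {"EventID": 4624, "Time": "2019-03-05T10:00:00", "TargetUserName": "svc_backup",
     "TargetLogonId": "0x3c000", "LogonType": 3},   # still open at end of export
]


def pair_logon_sessions(events):
    """Pair 4624 and 4634 by TargetLogonId (the Logon ID shared by both events).

    Returns (paired, orphan_logoffs, still_open). A 4634 whose Logon ID never
    appeared in a 4624 is reported as an orphan rather than silently dropped,
    so the gap can be investigated instead of skewing logon/logoff counts.
    """
    open_sessions = {}
    paired, orphans = [], []
    for ev in sorted(events, key=lambda e: ts(e["Time"])):
        lid = ev["TargetLogonId"]
        if ev["EventID"] == 4624:
            open_sessions[lid] = ev
        elif ev["EventID"] == 4634:
            start = open_sessions.pop(lid, None)
            if start is None:
                orphans.append(ev)
            else:
                paired.append((start, ev))
    return paired, orphans, list(open_sessions.values())


if __name__ == "__main__":
    print("lockout sources for user1:", lockout_sources(DC_EVENTS, CALLER_EVENTS, "user1"))
    paired, orphans, still_open = pair_logon_sessions(LOGON_EVENTS)
    for start, end in paired:
        print(f"session {start['TargetLogonId']} (type {start['LogonType']}): "
              f"{start['Time']} -> {end['Time']}")
    print("orphan logoffs:", [o["TargetLogonId"] for o in orphans])
    print("still open:", [o["TargetLogonId"] for o in still_open])
```

The lookup window in `lockout_sources` is a tunable assumption; five minutes is wide enough to catch the scheduled-task pattern the lockout post describes (a burst of 4648 events a few seconds before the 4740) without pulling in unrelated logons from earlier in the day. In `pair_logon_sessions` the events are sorted by time first, because an export that interleaves several hosts can deliver a 4634 before its 4624.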



Active directory


Hello

I have some questions. Please answer me in your own words.

1- I have two forests, abc.com and xyz.com. I want to move all objects from abc.com to xyz.com. Is it possible or not? If possible, then how?

2- This question is relevant to Active Directory Sites and Services. Please tell me whether KCC works only on the additional domain controller or on both sites: the domain controller site and the additional domain controller site.

3- I have one forest. In this forest I have one root domain and two more parent domains. Can I transfer the schema master role and domain naming master role from the root domain to any parent domain? If yes, then how?

A script to find if a computer is member of a domain or in workgroup ?


Hi,

Does someone have a script that will show me whether a computer is a member of the domain or not?

Indeed, some users are disjoining the AD domain to go to a workgroup (or they are modifying the membership of the "Administrators" group by removing the "Domain Admins" group).

(I should add that they are not local admins, but some are booting and resetting the admin password etc., but that is not the point of this topic ;))

So, I would like to find the easiest way to identify those computers.

I wanted to remotely execute a command with my domain admin account and see if I get an access denied, but it is not working correctly because the "Remote Registry" service is disabled on some of them and so I cannot connect.

So, first, I want to find a way to identify computers in a workgroup, based on a txt file.

Do you have that please?

Thank you!

Removing Few Administrators


Hi Team,

We ran an MBSA scan on all of the domain controllers, in which we found one common thing: there were more than two accounts in Administrators.

Two accounts were suspicious to me, which I checked and found that they are added to the Builtin\Administrators group.

1) One is a service account. 2) One is a user account.

We have multiple DCs under a single forest. Now when I dig deeper, I am told these two accounts need to be part of the Administrators group on only two DCs, not on all the DCs.

When I tried deleting the accounts from one of the DCs by going into User Accounts -> Manage user accounts and removing both the accounts, suddenly after a while they were removed from all of the DCs, including the DC where they were required, and in parallel I saw that the accounts had vanished from the Builtin\Administrators group.

I added them back again.

Now my questions are:

1) How could I grant the access for the two accounts only to the specific domain controller?

2) For the account which was removed as described above, I really don't know which GPO is getting applied (how to check it).

3) From one of the TechNet forums I got this command: net localgroup Administrators /add {domain}\{user}. Will this command help? (In this case I will remove them once again, run gpupdate /force on all of the domain controllers, then go to the specific domain controller and run this command; would this achieve my outcome?)

4) Or is there any other GPO which is causing the ID to be regenerated after deleting?

5) Do let me know if there are any more details I need to check.

Awaiting all expert answers.

Regards,

Sumeet Mishra

Domain controller file share


Hi Everyone,

The scenario is that we have a domain controller which is configured with a scheduled backup.

We configured the backup destination to a local drive on the same disk.

Now I have a PowerShell script to copy that backup from the local drive to a file share location on the ADC (additional DC).

I don't want to run the PowerShell script on the DC, so I took one more VM to perform the copy job.

Now I'm not able to access the backup folder on the DC.

I'm getting an access denied notification, even though I've given full permission on the share!!

Please suggest to me the right way to get access.


Long path and file name issue


Dear Support,

Please guide us to resolve long path and file name issue.

Please let us know how to delete long path file name folder.

Regards,

Itsupport

User authenticated on wrong DC


Hi,

We recently had a problem with one of our DCs. We had 4 DCs: dc01, dc02, dc03 and dc04. For some reason dc04 died and it doesn't exist in the forest anymore. But every morning somehow some clients are still trying to authenticate to dc04. The users are having trouble logging in on their domain-joined computers. After some time they do manage to log in; I suppose they pass by it and authenticate to another available DC. I have seen on the internet that you can clear the logon cache on the clients, but this is not optimal for our case because there are thousands of clients in our environment, and fixing that via GPO is also a pain because the clients are not residing in the same OU or the same location.

Has anyone been in the same situation? Is there a fix that can be done? 

Thank you
Nikart

Event 4624 logon type 3 for RDP access ?


Hello Team,

When I log on to a Windows client via RDP using my AD credentials (that client is in the AD domain), I get event 4624 logon, but with type=3.

This looks to be inconsistent with the documentation:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Shouldn't it be 10?

Thanks,

Michal

Does Windows Server 2016 Read-Only DC support the use of Group Managed Service account?

Exchange Server Computer account password changed


I recently had an issue where a customer's Exchange production environment servers both had their passwords changed, seemingly inexplicably.  The security logs were predictably overwritten shortly after so I cannot state what actually made the change any more.

Given the fact that the rest of the computers in the domain did not also change passwords at the same time, I'm concluding that an administrator (or an application / service running elsewhere) made the change to the password to both machines within a few seconds of each other.  The issue hasn't re-occurred in the last three weeks.

Has anyone seen anything similar in the past?
