Channel: Directory Services forum

KCD on a computer object for ADCS Enrollment Proxy/Policy Services - Access Denied


I am logged into a Domain Controller running Server 2008 R2 and the domain/forest functional level is set to 2008. When implementing KCD for Windows clients to request certificates via the proxy to ADCS, I get an 'Access Denied'.

I am using ADUC on the domain controller, going to Properties on the CEP/CES server object... selecting the Delegation tab... adding a KCD to the SUBCA server object for the HOST and RPCSS services... when hitting 'Apply' I get Access Denied. I have full rights on both objects, tried as a Domain Admin and Enterprise Admin... hitting a wall.

 

E-Mail Notification When A User Account In A Specific Security Group Is Disabled


Hello All!

I need to create an automated process that does the following.

The scenario is based on a user being terminated or leaving the organization.

1) The user account gets disabled in AD as part of the employee termination process
2) The user account is part of a specific security group, for example SAP-Users
3) We need an e-mail notification that a user's account was disabled that belongs to the group "SAP-Users"
Note: This process should only apply if the user account belongs to "SAP-Users"

Can I do this all in PowerShell or do you recommend another tool?


Phil Balderos

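One way to build the notification asked for above, as an added example that is not part of the original post: poll the Security log for event 4725 ("A user account was disabled"), look the target up in AD, and mail only when the account is a direct member of the group. It assumes the ActiveDirectory module, User Account Management auditing enabled on the DC it runs on, and a reachable SMTP relay; the group name, SMTP host and addresses are placeholders.

```powershell
# Added example (not from the post): mail when a member of SAP-Users is disabled.
# Assumes: ActiveDirectory module, read access to the Security log, SMTP relay.
Import-Module ActiveDirectory

$GroupName  = 'SAP-Users'                 # placeholder values, adjust to taste
$SmtpServer = 'smtp.example.com'
$From       = 'ad-alerts@example.com'
$To         = 'hr-security@example.com'
$Since      = (Get-Date).AddMinutes(-15)  # matches a 15-minute scheduled task

# DN of the group, compared against the user's memberOf below
$GroupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName

# 4725 is logged on the DC that processed the disable; run this on every DC
# (or against a forwarded-events collector) to avoid missing accounts.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4725; StartTime = $Since } `
    -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Property order follows the 4725 template: TargetUserName, TargetDomainName,
    # TargetSid, SubjectUserSid, SubjectUserName, ...
    $target = $e.Properties[0].Value
    $actor  = $e.Properties[4].Value
    try {
        $user = Get-ADUser -Identity $target -Properties MemberOf, DisplayName
    } catch { continue }                  # e.g. account deleted since the event

    # Direct membership only; for nested groups compare against
    # (Get-ADGroupMember -Identity $GroupName -Recursive).DistinguishedName instead.
    if ($user.MemberOf -notcontains $GroupDn) { continue }

    $body = @"
Account disabled: $($user.SamAccountName) ($($user.DisplayName))
Group:            $GroupName
Disabled by:      $actor
Time:             $($e.TimeCreated)
Recorded on:      $env:COMPUTERNAME (Security event 4725)
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "AD: $GroupName member $($user.SamAccountName) disabled" -Body $body
}
```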

User with no information on whoami tool


See below the weirdest thing: the whoami tool does not report any information:

Windows10/1511

C:\Users\mjordao>whoami
DOMAIN\MJORDAO

C:\Users\mjordao>whoami /user
DOMAIN\MJORDAO

C:\Users\mjordao>whoami /SID
DOMAIN\MJORDAO

C:\Users\mjordao>whoami /GROUPS
DOMAIN\MJORDAO

C:\Users\mjordao>whoami /?
DOMAIN\MJORDAO

As you can see, no output at all.

Tests I did:

1) psloggedon shows the correct SID of the user

2) If I copy/clone/duplicate the user, no problem

3) If I open the CMD as admin, the SIDs are all there, no problem

4) Several logoffs and reboots

The problem came up after the user complained about a specific sub-sub-folder of a multi-terabyte file server, and the user can read and write with no problem. During the investigation, I noticed that the behaviour is consistent with the user no longer being a member of any group (access denied on the folder), but in many other folders under the same mapped drive letter the access is OK.

Which tools can I use to check for Kerberos tokens, groups, etc.?

How to tell if I'm using DFS or DFSR to replicate SYSVOL?


How to tell if I'm using DFS or DFSR to replicate SYSVOL?

My first AD server is 2008 R2 (10 years ago) and over time we added some Win2012R2 AD servers.

Yesterday I added my first Win2016 AD server and got a warning regarding DFS vs DFSR.

I'm not entirely sure whether I'm using DFS or not, so how do I check?

I never did the SYSVOL migration.

C:\Windows\system32>dfsrmig.exe /getglobalstate
Current DFSR global state: 'Start'
Succeeded.

reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols"
    Local State    REG_DWORD    0x0

Based on this article:

http://itprocentral.com/how-to-identify-the-replication-technology-in-use-by-active-directory/

In the new window, look for the msDFSR-Flags attribute, and if the value is 48 then the DFS is being in use. If the value is one of these (null/empty, 0, 16 or 32), then you are in a transition or FRS mode.

My msDFSR-Flags is NULL.

So, am I using DFS-R?
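To answer this for every DC at once rather than reading ADSI Edit by hand, here is an added example (not from the post or the linked article) that reads the same msDFSR-Flags attributes dfsrmig uses: the global state on the Domain System Volume object and each DC's local state on its DFSR-LocalSettings object. It assumes the ActiveDirectory module and that those objects sit at the standard locations shown in the code, which is an assumption on my part.

```powershell
# Added example (not from the post): FRS -> DFSR SYSVOL migration state, domain-wide and per DC.
# Assumes the ActiveDirectory module and the standard object locations below.
Import-Module ActiveDirectory

function Get-SysvolMigrationState {
    $domainDn = (Get-ADDomain).DistinguishedName

    # msDFSR-Flags encodes the dfsrmig state in bits 4-5: 0 Start, 16 Prepared,
    # 32 Redirected, 48 Eliminated. An unset (NULL) attribute reads as 0 here.
    $names = @{ 0 = 'Start (FRS replicates SYSVOL)'; 1 = 'Prepared'
                2 = 'Redirected'; 3 = 'Eliminated (DFSR only)' }

    # Global state: same value "dfsrmig /getglobalstate" reports (assumed location)
    $gsObj = Get-ADObject -Identity "CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn" `
        -Properties msDFSR-Flags -ErrorAction SilentlyContinue
    $gFlags = [int]($gsObj.'msDFSR-Flags')
    $result = [ordered]@{ GlobalState = $names[[int]($gFlags -shr 4)] }

    # Local state per DC: child object of each DC's computer account (assumed location)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $lsObj = Get-ADObject -Identity "CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)" `
            -Properties msDFSR-Flags -ErrorAction SilentlyContinue
        $lFlags = [int]($lsObj.'msDFSR-Flags')
        $result[$dc.HostName] = $names[[int]($lFlags -shr 4)]
    }
    [pscustomobject]$result
}

Get-SysvolMigrationState
```

A global state of Start with the attribute unset, as in the dfsrmig output quoted above, means the migration has never begun and FRS is still replicating SYSVOL; only a value of 48 (Eliminated) on all objects means DFSR alone is in use.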

Migration from SBS 2008 (AD/DNS) to Windows Server 2012 R2

I'm trying to retire the SBS 2008 server.  I need to move AD/DNS to a new box running Windows Server 2012 R2.  The WS 2012 R2 has been promoted to DC, FSMO roles have been transferred, DNS replicated, all dcdiag tests passed, etc.  However, if I take the 2008 SBS server offline (not demoted yet), workstations cannot contact the new DC.  Running nltest /sc_query:mydomain from the DC gives "No such domain".  Running it from a workstation gives "RPC_S_SERVER_UNAVAILABLE".  I'm guessing that if I can fix this nltest error, client machines will be able to contact the new DC.  Does anyone have suggestions on how to troubleshoot this?

How do you search for a domain + samAccountName in active directory?


So my problem is I need to query LDAP for a user given a domain and samAccountName.

As noted in this question https://social.technet.microsoft.com/Forums/windowsserver/en-US/4ea7a9c5-af5d-4e8a-8355-c7dcd13f39f1/in-a-domain-with-subdomains-are-samaccountnames-unique?forum=winserverDS ... the samAccountName is not unique in Active Directory.

For example, let's say there are users NORTHEAST\NICKD and SOUTHWEST\NICKD and I want to find the LDAP profile for NORTHEAST\NICKD only. We cannot just do this at the base DN DC=example,DC=com:

(&(objectClass=user)(sAMAccountName=nickd))

because it will return 2 accounts for two different people.

Is the only way to guarantee I get the right user to do 2 queries, one for each sub-domain's base DN? For example, one for DC=northeast,DC=example,DC=com and one for DC=southwest,DC=example,DC=com?

Are there any other ways I should do this?
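One way to avoid guessing the sub-domain, as an added example that is not part of the original post: the NetBIOS prefix of NORTHEAST\nickd maps to exactly one crossRef object under CN=Partitions in the configuration partition, whose nCName is the base DN to search and whose dnsRoot names the domain to query. The helper also escapes the user-supplied value per RFC 4515 so it cannot change the shape of the filter. It assumes the ActiveDirectory module; NORTHEAST and nickd are the placeholder names from the question.

```powershell
# Added example (not from the post): resolve DOMAIN\sAMAccountName to one user object.
# Assumes the ActiveDirectory module and a forest-joined session.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping: backslash first, then the other filter metacharacters,
    # so a value like "nick*)(admincount=1" stays a literal string
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ADUserByNetbiosName {
    param(
        [Parameter(Mandatory)][string]$DomainNetbiosName,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $nb = ConvertTo-LdapFilterValue $DomainNetbiosName

    # crossRef of the domain partition: nETBIOSName -> nCName (base DN) and dnsRoot
    $xref = Get-ADObject -SearchBase "CN=Partitions,$configNc" `
        -LDAPFilter "(&(objectClass=crossRef)(nETBIOSName=$nb))" -Properties nCName, dnsRoot
    if (-not $xref) { throw "No domain with NetBIOS name '$DomainNetbiosName' in this forest" }

    # Search only that domain's naming context on a DC of that domain, so
    # SOUTHWEST\nickd can never come back when NORTHEAST\nickd was asked for
    $sam = ConvertTo-LdapFilterValue $SamAccountName
    Get-ADUser -Server $xref.dnsRoot -SearchBase $xref.nCName `
        -LDAPFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
}

Get-ADUserByNetbiosName -DomainNetbiosName 'NORTHEAST' -SamAccountName 'nickd'
```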



Question regarding SID History filtering


Hi All,

We are working to test the security of an Active Directory external trust. As per Microsoft TechNet articles, if we disable SID history filtering then the administrators in the trusted domain can misuse this by adding the SID of an administrator in the trusting domain to their own SID history.

While testing this we have created 2 separate forests on Windows 2016 servers, created an external trust between the forests, disabled SID filtering on both domains and enabled SIDHistory in both domains, and added the SID of one domain's Administrator to the other domain's Administrator SID history. But when I am trying to access any resource on the trusting domain with the trusted domain ID it is failing. On checking the logs of the trusting domain I have found event ID 4675 for SID filtering of the Domain Admin account. When I perform the same activity on a standard user by providing standard access it works, which means SID filtering is properly disabled and SID history is enabled.

I am not sure if there is any security feature in Windows 2016 where Domain Admin or well-known SIDs are always filtered irrespective of the SID filtering settings.

If there is any such detail available, please help me with that.

Commands used:

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:no

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /enablesidhistory:Yes

AD CS affected by multiple hostnames?


I have some Windows Server 2016 VMs running in multiple locations (for geo-redundancy) acting as PKI servers via AD CS. They're not domain controllers and they're not part of any domain. They're simple standalone servers. However, for AD CS failover they have the same hostnames. All works well.

Now we're trying to add Microsoft SCOM for server monitoring, and the SCOM server is not able to handle different servers having the same hostname, even if the information passes through different SCOM gateways.

So one of the workarounds we're looking at is to add a second hostname to some of the servers, and let AD CS continue using the primary hostname but have SCOM use the secondary hostname.

Given the importance of these servers' primary function, we don't want to risk any implementation that would affect the PKI functionality. Does anyone see any obvious pitfalls with this implementation?


No SYSVOL Shares


Hi All,

I have searched and tried several things, but I have a problem with two new 2016 DCs that have no SYSVOL shares.

Originally, I had a single SBS 2011 Std server, acting as the sole DC. The server is old and is no longer required, so the plan is to replace it with two new servers running 2016 Std.

The Domain Functional Level is 2008 R2.

I have introduced the two new 2016 servers. Although they will both run as DCs, they will both also provide a couple of other services.

2016Srv1 - Hyper-V host running a small VM for a local application.

2016Srv2 - Running two file shares. Has NIC Teaming enabled.

Both servers appeared to join the domain OK and are also DNS servers. Each server has its own static IP address as the primary DNS entry.

There are a number of errors in the Application and Services Logs:

ADWS log - On a boot I get Event 1202, then it goes to "ADWS is now started and accepting requests".

DFS Replication - Error 1202 Failed to contact DC, Replication Stopped, then 1206 Replication service successfully contacted the local DC.

Under DNS I have a number of 4010 events, that mention records in the reverse look up zone.  Looking at them they all belong to older devices that no longer exist.  If I delete one from the SBS server, it is replicated to the two 2016 Servers.

File Replication Service Log Warning 13508

The File Replication Service is having trouble enabling replication from SBS to 2016SRV2 for c:\windows\sysvol\domain using the DNS name SBS.domainname.local. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 
 [1] FRS can not correctly resolve the DNS name SBS.domainname.local from this computer. 
 [2] FRS is not running on SBS.domainname.local. 
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

I have spent a couple of days trying to resolve this, any ideas?


AD to AD replication not working


Dear Support,

We have recently installed a PDC in our network and moved the roles to it, and it is working properly.

But our AD to AD replication is not working, which was previously working fine.

So please give us a solution for the same.

Regards,

Itsupport

Windows Server 2012R2 Password expire notification


Hi Guys, 

I have a problem where all our domain admin accounts' passwords expired at the same time, and when we try to log in to the server we get the error "Your password has been expired, Please contact your administrator", but we are not asked to enter a new password. Can you please let me know how to enable that option?

In short, when our password has expired, the system should tell us the password has expired and should ask us to enter a new password.

Regards,

Vishwas.P

Problems with new DC - I think I f*cked up the SYSVOL


Hi!

Half a year ago I took over a newly installed DC, let's call it DC02 (Server 2016), and the old one DC01 (Server 2008 R2). When I ran dcdiag I got pretty much failed at everything and started to work through it before I wanted to take down the old server. After a work day all the failures were gone and I got success at everything.

Now, late summer, the old DC went down after a power loss, and one of the employees told me he had to log out and in every morning to have access to the shared folders (they are on the new DC). When I looked in Event Viewer I get event ID 1864 under Directory Service.

When I took over I was totally new to servers, so I searched and tried different guides on the World Wide Web to start the replication; I did the burflags to do authoritative and non-authoritative replication and all that. And I got the error away from the dcdiag.

But now that the old DC went down I have Event 13577 in Event Viewer wanting me to migrate DFS Replication using DFSRMIG.

AND back before summer when I did the troubleshooting I didn't even install DFS Management (didn't know what it was), and now that I've done it no Domain System Volumes are replicating like they are in our other environments. There are no "Domain System Volumes" under "Namespaces" and "Replication".

Can I sort this out without crashing the whole domain? 

Remove existing dns and domain controller from a site


Hi guys,

I am planning to remove one of the DCs with the DNS role from a site.

But I am suspecting a lot of traffic coming to that DC. Can someone refer me to the best-practice steps which need to be performed before removing it from the network?

Again, it's a 2k3 DC 😊



Regards, pwnkmr www.ITtechPoint.com

Event 2092 -Replication Issue

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
 
FSMO Role: DC=XYZ,DC=com 
 
User Action: 
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
 
The following operations may be impacted: 
Schema: You will no longer be able to modify the schema for this forest. 
Domain Naming: You will no longer be able to add or remove domains from this forest. 
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

Password policy "enforce password history" seems not to be working


Password policy "enforce password history" seems not to be working.

I am able to reset my password to a previously used password.

Where can I check the previously used passwords?


Configure sites and site links for multiple sites


Hello Team,

Please help me or suggest: we have 10 sites and we want to configure Active Directory Sites and Services for the 10 sites. How can we create sites and site links for replication with the main DC? All sites are connected through MPLS links.

GP update at some of our sites does not update successfully


Hello Team,

Please help me. I have approx. 8 sites in Active Directory, but at some sites gpupdate does not work properly on that site's systems and desktops. Please help me to close it.

OU delegation in active directory.

We have 8 sites in Active Directory. I have created an OU in Active Directory for the xyz site's users. We want the xyz site users to be able to reset the passwords of their own OU only. Please help me close it.

DFSR error ID:5008/4612 Towards demoted/removed DC


I am having an issue where I see the following errors:

The DFS Replication service failed to communicate with partner OLDSERVER for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
 
Partner DNS Address: OLDSERVER.Domain.local
 
Optional data if available:
Partner WINS Address: OLDSERVER
Partner IP Address: x.x.x.x
 
The service will retry the connection periodically.
 
Additional Information:
Error: 1722 (The RPC server is unavailable.)

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner OLDSERVER.domain.local. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 4846FCD2-7777-4EDF-BC6B-13E8E16C4446
Replication Group Name: Domain System Volume
Replication Group ID: CB5BCAE8-C44F-40A8-80DD-A88DC4FDAF74
Member ID: FA911E0C-253C-426A-8EC7-71D85B49C0EB
Read-Only: 0


The server was not removed from the domain correctly, so I am doing a lot of cleaning up. The issue I face is that the other solutions I have found for this are to use metadata cleanup, but OLDSERVER is not present there.

Or use ADSI Edit to locate CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local and delete the record of OLDSERVER, but the record is not there.

I have 4 domain controllers atm: 2 of them are 2016 (newly installed) and 2 x 2012 R2.

The error is only active on 1 of the 2012 R2 servers, and the rest see no DFSR errors. OLDSERVER's old DNS records have all been removed.

Any pointers or ideas will be greatly appreciated.

LDAP last authenticated users report

I am using an AD LDAP server for authenticating users for the Cisco Meeting Server (CMS) application. I want to take a list of all users with their last successful authentication. I also need to take a list of users who never used the CMS application. Thanks for your help in advance. I am OK with a PowerShell script. Thanks a ton in advance.