Channel: Directory Services forum

Duplicate SPN


Can having a duplicate SPN for SQL cause problems with AD users and/or machines authenticating from different subnets away from the SQL server and DC? The DC and SQL server are in the same subnet.




Join client PC to domain


Hi,

If I want to join a PC (test001) after OSD with a name that already exists (test001 is in AD), I have to delete test001 from AD first. This creates an administration issue. Is there a way to solve the problem?

Thanks  

How to get workstations for group of users in AD using powershell script?


Hi, Guys.

Do you know how to get the workstations for a group of users in AD using a PowerShell script?

Thank you.

AD 2016 Password filter DLL


Hi All,

I'm looking into how to create and set up a password filter DLL on AD 2016. I've seen the Microsoft documentation but it didn't help.

https://docs.microsoft.com/en-us/windows/desktop/secmgmt/installing-and-registering-a-password-filter-dll

I'm wondering if this is still applicable and supported by Microsoft.

I'd appreciate it if someone who has done this before can help. I know there is paid software to do this, but I thought we could get it without paying...


Kassemf

Usage of -ServicePrincipalNames when creating gMSA accounts


This question is based on the article below:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps

As per the example, the usage for gMSA accounts looks like the following:
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

We always get the error below:

New-ADServiceAccount : The name reference is invalid
At line:1 char:1
+ New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

I was able to fix the issue using the format below. Not sure if the approach was correct, but the SPNs did get auto-registered in SQL Server.

New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

Questions:

1> Which is the correct syntax to create a gMSA using -ServicePrincipalNames?
2> In the above example I have used SPNs for just one server (i.e., sqlserver). But when we have several servers added to the gMSA security group, how do we use -ServicePrincipalNames?

I feel we need a more elaborate explanation of -ServicePrincipalNames.
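The following is an added example (not the poster's command or Microsoft's documentation) showing the string-array form the poster reports working, extended to several SQL hosts as asked in question 2, with a duplicate-SPN check that also addresses the "Duplicate SPN" question earlier on this page. Host names, the domain, the instance name and the group name are hypothetical placeholders.

```powershell
# Added example, not the poster's code. Assumes hypothetical SQL hosts sql01 and
# sql02 in contoso.example, a named instance "GMSA" on port 1433, a gMSA called
# gMSAsqlservice and a group SQL_gMSA_group containing the SQL host computer accounts.
Import-Module ActiveDirectory

$domain   = 'contoso.example'
$sqlHosts = @('sql01', 'sql02')   # every server that will run SQL under this gMSA
$instance = 'GMSA'                 # named instance, as in the poster's example
$port     = 1433                   # port the instance listens on

# Build the SPN set: one instance-name SPN and one port SPN per host.
$spns = foreach ($h in $sqlHosts) {
    'MSSQLSvc/{0}.{1}:{2}' -f $h, $domain, $instance
    'MSSQLSvc/{0}.{1}:{2}' -f $h, $domain, $port
}

# Refuse to create the account if any SPN is already registered elsewhere:
# two accounts holding the same SPN breaks Kerberos for that service.
$clashes = foreach ($spn in $spns) {
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
        Select-Object @{ Name = 'SPN'; Expression = { $spn } }, DistinguishedName
}
if (@($clashes).Count -gt 0) {
    $clashes | Format-Table -AutoSize
    throw 'One or more SPNs are already registered on another object; fix those first.'
}

# New-ADServiceAccount takes -ServicePrincipalNames as a plain string array
# (the form the poster found working); the @{Add=...} hashtable form is for
# modifying an existing account with Set-ADServiceAccount.
New-ADServiceAccount -Name 'gMSAsqlservice' `
    -DNSHostName "gMSAsqlservice.$domain" `
    -ServicePrincipalNames $spns `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL_gMSA_group'

# Confirm what was written to the directory.
(Get-ADServiceAccount -Identity 'gMSAsqlservice' -Properties ServicePrincipalNames).ServicePrincipalNames
```

Run the check with an account that can read servicePrincipalName forest-wide; a gMSA used by several hosts simply carries every host's SPNs, and each host's computer account must not also hold them.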

Prevent users from changing domain password from workstation


I would like to prevent my users from changing their domain passwords from their workstations. We have a password reset portal that sets the user's password in a number of places besides AD. I know there is an option in Group Policy to remove the Change Password option from the CTRL-ALT-DEL screen, but I believe users still get prompted by the workstation to reset their password at some interval before it expires. Does anyone know of a way to prevent users from changing their AD passwords via their workstations' built-in mechanisms?

TIA

LAPS installed, but unable to see the password


Hi ,

We have implemented LAPS to manage the local admin password. We have configured the GPO and installed the LAPS clients, but we are unable to see the password in the LAPS UI. Using the cmds below we configured it and granted the required permissions. Could anyone please help resolve the issue?

Import-module AdmPwd.PS

Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>
Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

Regards,

V.P.Neelakandan 



FSMO scenario


Dear Tech,

I have three domain controllers in a single forest and single domain, but they are located in two different locations. In location "x" there are two domain controllers and the forest-wide FSMO roles are configured there. In location "y" there is one domain controller, configured with the domain-wide FSMO roles. In location "y" I have a requirement to add a number of users, but I came to know that the schema master in location "x" is down. Is it possible to create users in location "y"?

What are the possibilities, and can you explain any drawbacks?

Please help me in this regard...

AmarPKST 


The permissions on NETLOGON (server) are incorrectly ordered, which may cause some entries to be ineffective.


Hi Support,

How can I troubleshoot this problem?

If I select Reorder, will it fix the existing permissions issue?

Is it recommended to apply the reorder fix on NETLOGON?

What are the default permissions on the NETLOGON folder?

How can I find what caused the permissions problem?

Thank you


A question about Immediate and Urgent AD replication


The Microsoft documentation on the following does not make these points clear (especially question 2). Therefore I wanted to ask the question here, and hopefully a member of the MS AD team will pick it up and give a concise answer.

Imagine you have an AD forest with one domain and three sites

Site1, Site2 and Site3

Each site has two DCs and all FSMO roles are held by the DCs in Site1.

Urgent replication versus immediate replication

Let’s start off with Immediate Replication (not Urgent)

I understand certain events need to be replicated 'immediately', e.g. account 'lockout' events. My understanding of immediately is that a domain controller (DC04 for example) opens a direct RPC/IP connection to the PDC emulator to update the PDC emulator's replica of the account lockout, thereby overriding any site link schedules.

Question 1:

First question: does DC04 update the PDC's replica (as it states in some MS documents), or does DC04 inform the PDC emulator that it has some 'immediate' attributes to update, after which the PDC 'requests' said updates (high water mark) as with a normal replication notification and pulls the changes (but just does not wait for the site link schedule)?

Question 2:

Also, from what I have read, 'immediate' replication only appears to happen between a DC and the PDC, in other words when a DC needs to replicate something immediately to the PDC (e.g. DC01), meaning immediate replication never happens between, say, DC04 and DC03 (as neither is the PDC). Is that correct?

Question 3:

Is it correct to say that both 'account lockout' and 'account unlock' are replicated to the PDC as 'immediate' replication?

Now let’s deal with Urgent Replication

From what I have read ‘urgent’ replication does not override site link schedules. Therefore Urgent replication only has meaning within the site where urgent replication is triggered (or if change notification is enabled between sites).

If that last statement is correct, I can see a situation whereby an account is 'locked out' in Site 2, which is then immediately replicated to the PDC. The PDC then uses urgent replication (within its site only, e.g. Site 1) to replicate this account lockout. At the same time the DC in Site 2 that dealt with the account lockout also uses urgent replication (again within its site only) to replicate the account lockout. So at this point it is fair to say all DCs in Site 1 and Site 2 know about the account lockout very quickly. However, Site 3 may have a site link schedule of 2 hours, for example (non-default), so the DCs in Site 3 would not know about the account lockout (as it has not been replicated yet), and looking at the MrSmith AD account there it would not show as locked.

Question 4:

Is the above statement about MrSmith and the lockout replication behaviour correct?

Question 5:

Assuming MrSmith's account in Site 3 is not showing as locked out and MrSmith logs in to a computer in Site 3 (and therefore against a DC in Site 3), if he enters his password correctly (therefore no need to refer back to the PDC), I assume he will be able to log in?

Question 6:

Depending on the answer to question 5 above, is the PDC emulator referenced every time a user logs on to the domain, e.g. just in case the account is locked out (even if the account shows as not locked out and the user enters their password correctly)?

Thanks very much in advance


Error While Query Get-AdComputer


Hi Team,

I am writing the query below to display all the computers in our domain, but somehow it is giving an error. When I check the Excel sheet it only shows 256 entries; we have almost 7K computers in our infra.

My objective is to list all the computers with hostname, OS, OS version and IP address; if possible we can include the last logon.

The query which I am using is as below:

Get-ADComputer -Filter * -properties * | Select Name,OperatingSystem,OperatingSystemVersion | Export-CSV "pathname"

Error :- 

Get-ADComputer : The server has returned the following error: invalid enumeration context.
At line:1 char:1
+ Get-ADComputer -Filter * -properties *|Select Name, DNSHostname, Oper ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADComputer], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

Do let me know if I need to add something to the query that would return the full list of computers in my domain.

Regards,

Sumeet Mishra

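An added example (not the poster's query) that builds the report the poster describes while requesting only the attributes it needs, since pulling every attribute for thousands of objects with -Properties * is what typically drags a paged search out until the server discards the enumeration context. The output path is a hypothetical placeholder.

```powershell
# Added example, not the poster's code. Assumes the ActiveDirectory module and a
# writable output path; $report is a placeholder to adjust.
Import-Module ActiveDirectory
$report = 'C:\Temp\computers.csv'

# Request only what the report needs. IPv4Address is resolved through DNS by the
# cmdlet, which slows a 7K-object run; drop it if the export still times out.
$props = 'OperatingSystem', 'OperatingSystemVersion', 'IPv4Address', 'LastLogonTimestamp'

Get-ADComputer -Filter * -Properties $props |
    Select-Object Name, DNSHostName, OperatingSystem, OperatingSystemVersion, IPv4Address, Enabled,
        @{ Name = 'LastLogon'
           # lastLogonTimestamp is a FILETIME that replicates only every 9-14 days,
           # so treat the value as approximate, not as the exact last logon.
           Expression = { if ($_.LastLogonTimestamp) { [DateTime]::FromFileTime($_.LastLogonTimestamp) } } } |
    Export-Csv -Path $report -NoTypeInformation -Encoding UTF8

# Sanity check: 256 rows is exactly one default result page, i.e. the export stopped
# after the first page. The CSV row count should match the directory's object count.
$csvRows = @(Import-Csv -Path $report).Count
$adCount = (Get-ADComputer -Filter * | Measure-Object).Count
if ($csvRows -ne $adCount) {
    Write-Warning "Exported $csvRows rows but AD holds $adCount computer objects; the query did not complete."
} else {
    "Exported $csvRows computer objects to $report"
}
```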

The specified account already exists.


HELP.

I am in a twist here as to what is going on and am unable to resolve.

History.

Two of our Domain Controllers Tombstoned due to network card issues.

I attempted to demote the controllers but had some access issues. I believe at least one of them is now OK and has demoted successfully (I believe). I tried to re-join the domain but kept getting "the specified account already exists" and it would not re-join. I checked DNS objects etc. and there were no remnants of the server anywhere. Other domain controllers cannot see this computer either.

I eventually deleted the Server completely and built another VM using the same credentials as the original. However, when I attempt to join the domain I get the same issue "the specified account already exists".

I really don't know what to do next and need to get this resolved soonest as we are due to migrate objects in AD to a different domain.

Please could someone offer any advice.

Thanks in Advance.

Regards.

Regarding Authentication Logs Printing on Domain Controller


Hello Everyone,

I'm ingesting domain controller logs into QRadar. My question is regarding user authentication on a Windows machine using a local account instead of a domain account: do the authentication logs get printed on the domain controller?

Thanks,

Anand Gulla

SPN Question


My domain FQDN is bob.bobautomotive.com. It is a single domain; all devices are registered to bob.bobautomotive.com. I have clients that record an event in Windows saying it cannot find domain "bob". There is no DNS zone for bob. I have SPNs HOST/DC03/BOB, ldap/DC03/BOB. Bob does not exist, it is not my FQDN; should these be removed?

Active Directory - Pre-hash password while creating users


Hi 

We are trying to automate the Active Directory deployment in the cloud. As part of that we are looking to create users, provided that users give us a pre-hashed value of their password, and using that we create the users.

Key Criteria

1. The user must be able to create their own password through approachable commands, so only they know it. 

2. A separate admin on a separate system must have an ability to use that hashed value to create users and set password from the hashed value. 

3. The user must be able to login with their plain-text password once this is done. 

4. The admin, or anyone who may intercept the hashed password, should not be able to decrypt this value through brute force for at least a few years. 

Any ideas on implementing these criteria in Active Directory?

Regards, Nag 


Question regarding SID History filtering


Hi All,

We are working to test the security of an Active Directory external trust. As per Microsoft TechNet articles, if we disable SID history filtering then the Administrators in the trusted domain can misuse this by adding the SID of an Administrator in the trusting domain to their own SID History.

While testing this we have created 2 separate forests on Windows 2016 servers, created an external trust between the forests, disabled SID filtering on both domains and enabled SIDHistory in both domains, and added the SID of one domain's Administrator to the other domain's administrator SID History. But when I try to access any resource on the trusting domain with the trusted domain ID it fails. On checking the logs of the trusting domain I found event ID 4675 for SID filtering of the Domain Admin account. When I perform the same activity with a standard user by granting standard access it works, which means SID filtering is properly disabled and SID History is enabled.

I am not sure if there is any security feature in Windows 2016 where Domain Admin or well-known SIDs are always filtered irrespective of the SID filtering settings.

If there is any such detail available, please help me with that.

Commands Used:

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:no

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /enablesidhistory:Yes

Migration from SBS 2008 (AD/DNS) to Windows Server 2012 R2

I'm trying to retire the SBS 2008 server.  I need to move AD/DNS to a new box running Windows Server 2012 R2.  The WS 2012 R2 has been promoted to DC, FSMO roles have been transferred, DNS replicated, all dcdiag tests passed, etc.  However, if I take the 2008 SBS server offline (not demoted yet), workstations cannot contact the new DC.  Running nltest /sc_query:mydomain from the DC gives "No such domain".  Running it from a workstation gives "RPC_S_SERVER_UNAVAILABLE".  I'm guessing that if I can fix this nltest error, client machines will be able to contact the new DC.  Does anyone have suggestions on how to troubleshoot this?

LDAPS

When we install LDAPS certificates on domain controllers, will the normal traffic for user and computer authentication and replication, group policy etc.. also use LDAPS as opposed to LDAP?

Any limitations or disadvantages with using msds-memberoftransitive?


Hi,

I am using the msds-memberoftransitive attribute to get the direct and transitive (nested) group membership of users. I would like to know if anyone out there is using it, and whether there are any limitations with using the msds-memberoftransitive attribute?

Compared with the nested group search control "member:1.2.840.113556.1.4.1941", msds-memberoftransitive is quite fast. Otherwise, are there any limitations or disadvantages with the msds-memberoftransitive attribute?

The question could be too generic, but I am looking for responses from others' experience.

As these are two different approaches, any recommendation on when to use which approach?

Thanks,

Lokesh

How to reactivate my Windows?


Hey all,

I formatted my system. Now I don't know where to activate my Windows. Can someone help me out?

Thanks
