Channel: Directory Services forum

Two Domains on SCCM

Hi All,

We have been directed by our Global HQ to merge AD. As a result of this we are in the process of merging objects from our European Domain to GHQ. The aim is to be one forest, Global coverage.

The project is coming along ok. We now find ourselves with two SCCM servers. What I would like to do is build using PXE on one domain and wondered if this was at all possible and how it would work in principle?

PXE is working ok in GHQ but we have a few issues on the Europe Domain. There is a two way trust relationship between the Domains.

What I would like to achieve is,

1. PXE build machines (GHQ and Europe) joining separate Domains.

2. Pick updates from GHQ via SCCM for ALL objects whether in GHQ or Europe.

Does anyone know whether this solution would work and how much work would be needed?

We already have a Task Sequence set up which joins machines to GHQ and wondered whether we could copy that and amend the sequence to join Europe? All European machines receive updates from WSUS based on their position in ADUC but I would like that to change and for them to pick updates via SCCM which lives on the GHQ domain.

Any information you could provide would be greatly appreciated. Or if anyone knows of any documentation that I could read I would be very grateful.


ADMT. Migrate security group and its membership

Hi,

I'm trying to copy security groups between two 2-way trusted domains (interforest). The idea is to create exactly the same security groups in the target domain. I'd like groups from domain A that belong to local groups from domain A to remain in those groups once they are migrated to domain B.

Is that possible with ADMT 3.2?

Thank you.

Windows Server 2016 CertSrv not created and missing

Hello,

I have a problem on a Windows 2016 DC. I installed IIS and after this the PKI and the roles: Web Enrollment Service and Network Device Enrollment Service.

The CA installed without any error, also the Network Device Enrollment service. The Web Enrollment Service was installed and configured but the virtual directory CertSrv is missing under the IIS. The Network Enrollment service works, but the Web Enrollment doesn't because the virtual directory is missing. The IIS shows only under the Default Website the "CertEnroll" but no CertSRV entry.

I have now tried this 2 times (install/deinstall), but the virtual directory was not installed. Is this a bug in Server 2016, and how do I manually create the virtual "CertSRV" dir?

The util certutil -vroot will not work. If I run the tool the output looks like: virtual directory exists ..... The tool runs for 100% successfully.

Any idea what I can do?

Block 10,000 most used hacked passwords for users login password

I remember seeing a program that connects with Microsoft Identity/Security or AD that blocks users' ability to use known hacked passwords for their own.

For instance "1qaz2wsx3edc,"  "passw0rd"  and "ncc1701d" are in the top 1000 used and hacked passwords and should not be allowed. I remember seeing a program or process to add 10,000 most hacked passwords to the unacceptable list so a user can not use them.

It is probably not supported by MS but am interested.

What is a primary Group? What are its functions?

Why do we need a primary group? I know it is only for Mac OS clients. But what is its exact functionality?

What happens when the default primary group of a user "Domain Users" is changed to another group? 


Thanks and Regards, Radhakrishnan

What is the use of regsvr32 schmmgmt.dll

Can anyone explain the use of regsvr32 schmmgmt.dll?



Abp

Get list of deleted AD users

Hi there.

There are people setting up a 3rd party system that retrieves information from our AD.

During testing, they found that they could capture the creation of new users and modifications of users and get their system to act accordingly.

The problem is for deletions.

When a user is deleted, they have no way of knowing it.

I tried every command from this post: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/5424e204-d601-4330-a7ed-331134e47e18/filter-deleted-users-in-getadobject-cmdlet-also-returns-deleted-computers?forum=ITCG

But did not get the deleted users.

Note that Active Directory Recycle Bin is not enabled on our AD.

I also tried the steps from this article: https://www.lepide.com/how-to/restore-deleted-objects-in-active-directory.html

The weird thing is that when I used LDP.exe, I found the deleted users!

Can anybody please help?

How to apply fine grained password policy to an OU

I have an OU called TestOU-1. Now I want to apply fine-grained password policies to all the users in TestOU-1. I know fine grained policies can be applied to global security groups and users only. But I heard of shadow groups through which fine-grained policies can be applied to an OU. 

How do I create a shadow group for TestOU-1? I know how to create a fine-grained policy. After creating it, what should be the value of msDS_PasswordAppliesto? Is it the DN of the TestOU-1 or the shadow group that I created? Also, do I have to create a global security group before creating a shadow group for the OU?


Thanks and Regards, Radhakrishnan


Windows Server 2019 AD join to 2012 Domain

I am trying to join a new Windows server 2019 server to my 2012 R2 domain. I keep getting this error.

“Verification of replica failed. The forest functional level is not supported. To install a Windows server 2019 domain or domain controller, the forest functional level must be windows server 2008 or higher.”

I have verified my domain functional level is Windows Server 2012 R2. Why would I get this error?

Query DNS for Specific Domain Controller

We are merging two companies and have setup a two-way trust for use with the Active Directory Migration Tool.

Due to our network design problems (duplicate IP subnets) the network team has allowed connectivity to just two domain controllers. This is where the problem comes in.

PROBLEM: When a migrated PC attempts to gather its GPOs, it calls out to OURDOMAIN.COM and DNS returns the IP addresses for ALL domain controllers in a round robin process, including those DCs which are unreachable. The GPOs then time out.

QUESTION: Is there a way to specify all DNS name resolution queries to OURDOMAIN.COM to return only the IP addresses of the allowed two domain controllers?

Thanks for your advice.


ADFS Related issue

My domain controller is on Windows Server 2008 R2.

I want to install ADFS on Windows Server 2012 R2.

Is there any possibility?


Unable to join a windows 10 device to test domain

Hi,

I have built a test lab win VM Workstation to test various upgrade options.

I have used Windows2012 R2 as the server and have installed all the necessary options and promoted it to a DC. 

I have 2 laptops and a small hub connected to the server.

1 laptop is Windows7 and I have managed to get that to join the domain and it works fine.

1 laptop is Windows10 and I am having problems with it.....

If I use the applet to join the domain it "can't find the domain". If I try via PowerShell it says "Access Denied"

I have checked the settings (IP address, etc.) many times and everything seems correct.

Any ideas what I have missed?

Unable to sync time from Primary DC

All domain controllers and clients are unable to sync their time from the PDC and are getting the below error. The PDC is syncing from another NTP server in our environment.

NTP port is accessible

Already run:

/resync /rediscover

/unregister /register

Tried to change PDC role to another server. 

152575 11:15:22.7860879s - ---------- Log File Opened -----------------
152575 11:15:22.7860879s - CurSpc:15625000ns  BaseSpc:15625000ns  SyncToCmos:Yes
152575 11:15:22.7860879s - PerfFreq:10000000c/s
152575 11:15:22.7860879s - ReadConfig: Found provider 'NtpClient':
152575 11:15:22.7860879s - ReadConfig:   'Enabled'=0x00000001
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'InputProvider'=0x00000001
152575 11:15:22.7860879s - ReadConfig:   'RunOnVirtualOnly'=0x00000000
152575 11:15:22.7860879s - ReadConfig: Found provider 'NtpServer':
152575 11:15:22.7860879s - ReadConfig:   'Enabled'=0x00000000
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'InputProvider'=0x00000000
152575 11:15:22.7860879s - ReadConfig:   'RunOnVirtualOnly'=0x00000000
152575 11:15:22.7860879s - ReadConfig: Found provider 'VMICTimeProvider':
152575 11:15:22.7860879s - ReadConfig:   'Enabled'=0x00000001
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\System32\vmictimeprovider.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\System32\vmictimeprovider.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\System32\vmictimeprovider.dll'
152575 11:15:22.7860879s - ReadConfig:   'InputProvider'=0x00000001
152575 11:15:22.7860879s - ReadConfig:   'RunOnVirtualOnly'=0x00000001
152575 11:15:22.7860879s - ReadConfig: 'PhaseCorrectRate'=0x00000001 (2)
152575 11:15:22.7860879s - ReadConfig: 'UpdateInterval'=0x00007530 (2)
152575 11:15:22.7860879s - ReadConfig: 'FrequencyCorrectRate'=0x00000004 (2)
152575 11:15:22.7860879s - ReadConfig: 'PollAdjustFactor'=0x00000005 (2)
152575 11:15:22.7860879s - ReadConfig: 'LargePhaseOffset'=0x02FAF080 (2)
152575 11:15:22.7860879s - ReadConfig: 'SpikeWatchPeriod'=0x00000384 (2)
152575 11:15:22.7860879s - ReadConfig: 'HoldPeriod'=0x00000005 (2)
152575 11:15:22.7860879s - ReadConfig: 'MinPollInterval'=0x0000000A (2)
152575 11:15:22.7860879s - ReadConfig: 'MaxPollInterval'=0x0000000F (2)
152575 11:15:22.7860879s - ReadConfig: 'AnnounceFlags'=0x00000005 (2)
152575 11:15:22.7860879s - ReadConfig: 'LocalClockDispersion'=0x0000000A (2)
152575 11:15:22.7860879s - ReadConfig: 'MaxNegPhaseCorrection'=0xFFFFFFFF (2)
152575 11:15:22.7860879s - ReadConfig: 'MaxPosPhaseCorrection'=0xFFFFFFFF (2)
152575 11:15:22.7860879s - ReadConfig: 'EventLogFlags'=0x00000002 (2)
152575 11:15:22.7860879s - ReadConfig: 'MaxAllowedPhaseOffset'=0x0000012C (2)
152575 11:15:22.7860879s - ReadConfig: 'TimeJumpAuditOffset'=0x00007080 (2)
152575 11:15:22.7860879s - lastClockRate=156250, clockPrecision=-6
152575 11:15:22.7860879s - SetTimeSlipNotification succeeds with 0x00000000.
152575 11:15:22.7860879s - W32TmServiceMain: RequestNetTopoChangeNotification Succeed
152575 11:15:22.7860879s - W32TmServiceMain: RequestNetTopoChangeNotification Succeed
152575 11:15:22.7860879s -   DomainHierarchy: LSA role change notification. Redetecting.
152575 11:15:22.8017151s - ClockDisciplineThread: Starting: SetUnsync: LI:0 S:1 RDl:0 RDs:100000000 TSF:0x0 
152575 11:15:22.8017151s - ClockDispln: we're a reliable time service with no time source: LS: 0, TN: 864000000000, WAIT: 86400000
152575 11:15:22.8017151s - Starting Providers.
152575 11:15:22.8017151s - Starting 'NtpClient', dll:'C:\Windows\system32\w32time.dll'
152575 11:15:22.8017151s - LoadLibrary
152575 11:15:22.8017151s - NtpTimeProvOpen("NtpClient") called.
152575 11:15:22.8017151s - StartNtpProv
152575 11:15:22.8017151s - sysPrecision=-6, systmeClockResolution=156250
152575 11:15:22.8017151s - NtpProvider: Created 2 sockets (0 listen-only): [::]:123<0x0>, 0.0.0.0:123<0x0>
152575 11:15:22.8017151s - PeerPollingThread: waiting forever
152575 11:15:22.8017151s - ReadConfig: 'AllowNonstandardModeCombinations'=0x00000001 (2)
152575 11:15:22.8017151s - ReadConfig: 'CompatibilityFlags'=0x80000000 (2)
152575 11:15:22.8017151s - ReadConfig: 'SpecialPollInterval'=0x00000E10 (2)
152575 11:15:22.8017151s - ReadConfig: 'ResolvePeerBackoffMinutes'=0x0000000F (2)
152575 11:15:22.8017151s - ReadConfig: 'ResolvePeerBackoffMaxTimes'=0x00000007 (2)
152575 11:15:22.8017151s - ReadConfig: 'EventLogFlags'=0x00000001 (2)
152575 11:15:22.8017151s - ReadConfig: 'LargeSampleSkew'=0x00000003 (2)
152575 11:15:22.8017151s - ReadConfig: 'SignatureAuthAllowed'=0x00000001 (2)
152575 11:15:22.8017151s - ReadConfig: 'Type'=NT5DS (2)
152575 11:15:22.8017151s - ReadConfig: 'CrossSiteSyncFlags'=0x00000002 (2)
152575 11:15:22.8017151s - AddNewPendingPeer: domain
152575 11:15:22.8017151s - PeerPollingThread: waiting 0.000s
152575 11:15:22.8017151s - PeerPollingThread: PeerListUpdated
152575 11:15:22.8017151s - NtpClient started.
152575 11:15:22.8017151s - Starting 'VMICTimeProvider', dll:'C:\Windows\System32\vmictimeprovider.dll'
152575 11:15:22.8017151s - Resolving domain peer
152575 11:15:22.8017151s - LoadLibrary
152575 11:15:22.8017151s - Successfully started 2 providers.
152575 11:15:22.8017151s - W32TmServiceMain: waiting i16.000s (1024.000s)
152575 11:15:22.8017151s - Domain member syncing from \\dc.mydomain.com.
152575 11:15:22.8017151s - Association: (Local) 0.0.0.0:123 => 172.16.100.100:123 (Remote)
152575 11:15:22.8017151s - Created reachability group: (
152575 11:15:22.8017151s - 172.16.100.100:123,
152575 11:15:22.8017151s - )
152575 11:15:22.8017151s - PeerPollingThread: waiting 0.000s
152575 11:15:22.8017151s - PeerPollingThread: PeerListUpdated
152575 11:15:22.8017151s - Reachability: Attempting to contact peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).
152575 11:15:22.8017151s - Polling peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123)
152575 11:15:22.8017151s - Sending packet to dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) in Win2K detect mode, stage 1.
152575 11:15:22.8017151s - Peer poll: Max:1024.0000000s Cur:00.0000000s
152575 11:15:22.8017151s - PeerPollingThread: waiting 1024.000s
152575 11:15:22.8017151s - ListeningThread -- DataAvailEvent set for socket 1 (0.0.0.0:123)
152575 11:15:22.8017151s - ListeningThread -- response heard from 172.16.100.100:123 <- 172.16.100.5:123
152575 11:15:22.8017151s - W32TmServiceMain: Network Topology Change
152575 11:15:22.8017151s - TimeProvCommand([NtpClient], TPC_NetTopoChange) called.
152575 11:15:22.8017151s - W32TmServiceMain: Network Topology Change
152575 11:15:22.8017151s - TimeProvCommand([NtpClient], TPC_NetTopoChange) called.
152575 11:15:22.8017151s - /-- NTP Packet:
152575 11:15:22.8017151s - | LeapIndicator: 0 - no warning;  VersionNumber: 3;  Mode: 4 - Server;  LiVnMode: 0x1C
152575 11:15:22.8017151s - | Stratum: 15 - secondary reference (syncd by (S)NTP)
152575 11:15:22.8017151s - | Poll Interval: 17 - out of valid range;  Precision: -6 - 15.625ms per tick
152575 11:15:22.8017151s - | RootDelay: 0x0000.0800s - 0.03125s;  RootDispersion: 0x0000.1A50s - 0.102783s
152575 11:15:22.8017151s - | ReferenceClockIdentifier: 0xAC106402 - source IP: 172.16.100.2
152575 11:15:22.8017151s - | ReferenceTimestamp:   0xDF57382F4EE8D617 - 13182519983308240300ns - 152575 11:06:23.3082403s
152575 11:15:22.8017151s - | OriginateTimestamp:   0xDF573A4ACD3D3367 - 13182520522801715100ns - 152575 11:15:22.8017151s
152575 11:15:22.8017151s - | ReceiveTimestamp:     0xDF573A6DD4078E69 - 13182520557828240300ns - 152575 11:15:57.8282403s
152575 11:15:22.8173377s - | TransmitTimestamp:    0xDF573A6DD4078E69 - 13182520557828240300ns - 152575 11:15:57.8282403s
152575 11:15:22.8173377s - >-- Non-packet info:
152575 11:15:22.8173377s - | DestinationTimestamp: 152575 11:15:22.8173377s - 0xDF573A4ACD3D3367152575 11:15:22.8173377s -  - 13182520522801715100ns152575 11:15:22.8173377s -  - 152575 11:15:22.8017151s
152575 11:15:22.8173377s - | RoundtripDelay: 000ns (0s)
152575 11:15:22.8173377s - | LocalClockOffset: 35026525200ns - 0:35.026525200s
152575 11:15:22.8173377s - \--
152575 11:15:22.8173377s - Response received from domain controller dc.mydomain.com authenticated successfully (using digest format)
152575 11:15:22.8173377s - Peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) is not Win2K. Setting compat flags.
152575 11:15:22.8173377s - Packet test 7 failed (bad stratum: system - 1, sample - 15).
152575 11:15:22.8173377s - Ignoring packet that failed tests from dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).
152575 11:15:22.8173377s - NtpProvider: Network Topology Change
152575 11:15:22.8173377s - Reachability:  removing peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).  LAST PEER IN GROUP!
152575 11:15:22.8173377s -   Peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) never sync'd, resync now!
152575 11:15:22.8173377s -   Peers reset: p-p:0 a-p:1 a-x:0
152575 11:15:22.8173377s - NtpProvider: Created 2 sockets (0 listen-only): [::]:123<0x0>, 0.0.0.0:123<0x0>
152575 11:15:22.8173377s - PeerPollingThread: waiting 1.485s
152575 11:15:22.8173377s - PeerPollingThread: PeerListUpdated
152575 11:15:22.8173377s - Logging error: NtpClient has been configured to acquire time from one or more time sources, however none of the sources are currently accessible and no attempt to contact a source will be made for 1 minutes. NTPCLIENT HAS NO SOURCE OF ACCURATE TIME.
152575 11:15:22.8173377s - PeerPollingThread: waiting 1.485s
152575 11:15:22.8173377s - NtpProvider: Network Topology Change
152575 11:15:22.8173377s -   Peer  never sync'd, resync now!
152575 11:15:22.8173377s -   Peers reset: p-p:1 a-p:1 a-x:0
152575 11:15:22.8173377s - NtpProvider: Created 2 sockets (0 listen-only): [::]:123<0x0>, 0.0.0.0:123<0x0>
152575 11:15:22.8173377s - PeerPollingThread: waiting 1.500s
152575 11:15:22.8173377s - W32TmServiceMain: waiting i16.000s (1024.000s)
152575 11:15:22.8173377s - W32TmServiceMain: RequestNetTopoChangeNotification Succeed
152575 11:15:22.8173377s - PeerPollingThread: PeerListUpdated
152575 11:15:22.8173377s - Logging error: NtpClient has been configured to acquire time from one or more time sources, however none of the sources are currently accessible and no attempt to contact a source will be made for 1 minutes. NTPCLIENT HAS NO SOURCE OF ACCURATE TIME.
152575 11:15:22.8173377s - PeerPollingThread: waiting 1.500s
152575 11:15:22.8173377s - W32TmServiceMain: waiting i16.000s (1024.000s)
152575 11:15:22.8173377s - W32TmServiceMain: RequestNetTopoChangeNotification Succeed
152575 11:15:24.3173388s - PeerPollingThread: WaitTimeout
152575 11:15:24.3173388s - Resolving domain peer
152575 11:15:24.3173388s - Domain member syncing from \\dc.mydomain.com.
152575 11:15:24.3173388s - Association: (Local) 0.0.0.0:123 => 172.16.100.100:123 (Remote)
152575 11:15:24.3173388s - Created reachability group: (
152575 11:15:24.3173388s - 172.16.100.100:123,
152575 11:15:24.3173388s - )
152575 11:15:24.3173388s - PeerPollingThread: PeerListUpdated
152575 11:15:24.3173388s - Reachability: Attempting to contact peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).
152575 11:15:24.3173388s - Polling peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123)
152575 11:15:24.3173388s - Sending packet to dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) in Win2K detect mode, stage 1.
152575 11:15:24.3173388s - Peer poll: Max:1024.0000000s Cur:00.0000000s
152575 11:15:24.3173388s - PeerPollingThread: waiting 1024.000s
152575 11:15:24.3173388s - PeerPollingThread: waiting 1024.000s
152575 11:15:24.3173388s - ListeningThread -- DataAvailEvent set for socket 1 (0.0.0.0:123)
152575 11:15:24.3173388s - ListeningThread -- response heard from 172.16.100.100:123 <- 172.16.100.5:123
152575 11:15:24.3173388s - /-- NTP Packet:
152575 11:15:24.3173388s - | LeapIndicator: 0 - no warning;  VersionNumber: 3;  Mode: 4 - Server;  LiVnMode: 0x1C
152575 11:15:24.3173388s - | Stratum: 15 - secondary reference (syncd by (S)NTP)
152575 11:15:24.3173388s - | Poll Interval: 17 - out of valid range;  Precision: -6 - 15.625ms per tick
152575 11:15:24.3173388s - | RootDelay: 0x0000.0800s - 0.03125s;  RootDispersion: 0x0000.1A51s - 0.102798s
152575 11:15:24.3173388s - | ReferenceClockIdentifier: 0xAC106402 - source IP: 172.16.100.2
152575 11:15:24.3173388s - | ReferenceTimestamp:   0xDF57382F4EF87C7D - 13182519983308479100ns - 152575 11:06:23.3084791s
152575 11:15:24.3173388s - | OriginateTimestamp:   0xDF573A4C513D1D97 - 13182520524317338800ns - 152575 11:15:24.3173388s
152575 11:15:24.3173388s - | ReceiveTimestamp:     0xDF573A6F576B2C9E - 13182520559341479100ns - 152575 11:15:59.3414791s
152575 11:15:24.3173388s - | TransmitTimestamp:    0xDF573A6F576B2C9E - 13182520559341479100ns - 152575 11:15:59.3414791s
152575 11:15:24.3173388s - >-- Non-packet info:
152575 11:15:24.3173388s - | DestinationTimestamp: 152575 11:15:24.3173388s - 0xDF573A4C513D1D97152575 11:15:24.3173388s -  - 13182520524317338800ns152575 11:15:24.3173388s -  - 152575 11:15:24.3173388s
152575 11:15:24.3173388s - | RoundtripDelay: 000ns (0s)
152575 11:15:24.3173388s - | LocalClockOffset: 35024140300ns - 0:35.024140300s
152575 11:15:24.3173388s - \--
152575 11:15:24.3173388s - Response received from domain controller dc.mydomain.com authenticated successfully (using digest format)
152575 11:15:24.3173388s - Peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) is not Win2K. Setting compat flags.
152575 11:15:24.3173388s - Packet test 7 failed (bad stratum: system - 1, sample - 15).
152575 11:15:24.3173388s - Ignoring packet that failed tests from dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).
152575 11:15:24.8017134s - W32TimeHandler called: SERVICE_CONTROL_INTERROGATE
152575 11:15:32.5674287s - RPC Caller is mydomain\asad.admin (S-1-5-21-1699421847-4021460542-3915083997-186050)
152575 11:15:32.5674287s - RPC Call Attribute is local=1, kernel=0, session=0, authentication=6, protocol=2, OpNum=3
152575 11:15:32.5674287s - RPC Call - Query Source
152575 11:15:38.8173411s - W32TmServiceMain: timeout
152575 11:15:38.8173411s - Sample Prepared at 131825205388173411 for peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123)
152575 11:15:38.8173411s - W32TmServiceMain: waiting 1024.000s
152575 11:15:41.6142149s - W32TimeHandler called: SERVICE_CONTROL_INTERROGATE
152575 11:15:41.8173334s - W32TimeHandler called: SERVICE_CONTROL_INTERROGATE

LDAP last authenticated users report

I am using an AD LDAP server for authenticating users for the CISCO meeting server (CMS) application. I want to take a list of all users with their last successful authentication. I also need to take a list of users who never used the CMS application. Thanks for your help in advance. I am ok with a PowerShell script. Thanks a ton in advance.

Patching Information

Hi Team,

In need of simple, quick answers. We ran a Nessus scan and found a few vulnerabilities for which they had mentioned installing patches. The patches they mentioned are cumulative updates: a few from June, a few from July and a few from August.

We are using SCCM to deploy the patches; as checked, the patches don't exist in the SCCM patches catalogue.

My aim is to check whether the mentioned patches are already rolled in but Nessus is still detecting them.

Or whether there is an issue in SCCM, or we are missing the installation of the patches?

I checked manually; the patches are not present on any of the servers in the installed updates section.

My query over here is:

1) Are the older patches getting rolled into the new cumulative update? If the answer is yes, please let me know how it can be verified in SCCM, as well as whether there is any online website.

2) How can we verify that the patches are expired via SCCM, as well as any URL to verify?

Apart from this, if there is any standalone tool with which the above points can be verified, also let me know.


Sumeet Mishra


KERBEROS - reasons for getting KRB5KRB_ERR_GENERIC from KDC

Hello,

Working on a flow with kerberos constrained delegation.

Can get a TGT for the user trusted for delegation and flow immediately fails on TGS_REQ / TGS_RSP with KRB5KRB_ERR_GENERIC from KDC

What are the reasons that the KDC (running Windows Server 2012 R2) can return such an error?

Is there a recommended way to get related logs from the KDC for such an error?

Not able to uncheck protect object from accidental deletion tab on OU

Hi,

I have domain admin rights and I tried to delete one OU it was showing "You do not have sufficient privileges to delete Computers, or this object is protected from accidental deletion". Even when I tried to uncheck this it was greyed out.
I also tried to delegate the OU but getting "you do not have permission to write security information for this object".

Confirmed domain admin has full control on the OU; however, in the security tab the "Add", "Remove" and "Restore defaults" options are greyed out. Kindly suggest.

Auto-generated AD replication links do not respect AD topology

Hi to everybody!
I have an AD that spans over many geographical sites.
I have a main site where all the branch sites connect through S2S IPSec VPN tunnels.

The network is in a "star" topology, so every branch office can connect to the central site, but there is no direct connection/routing between two branch offices.

In order to get the AD replication topology working as the physical network does, I configured as many IP site links as there are sites in the AD, as follows:
Site A & Site B
Site A & Site C
Site A & Site D
...
Where "Site A" is the central office.

Now, I noticed that on some branch sites I get some AD replication links that point to another branch office site.
ex: Site B with Site D or so on...

If I manually delete those links, they will respawn within a short time, so I think that there is something wrong with the KCC.

How can I troubleshoot and solve the problem?


Thanks a lot in advance to everyone!


---

Gianluca


Metalgalle

Remote Desktop Services has taken too long to load the user configuration from server \\DC for user administrator

Remote Desktop Services has taken too long to load the user configuration from server \\DC for user administrator

Event Id 20499


Ram Prakash Sharma

LastlogonTimestamp Shows Future Date - showobjectmeta shows f191c38d-bdea-4cb4-862d-24ed6f996ed1 instead of DC Name

I have several machines that show a last logon in the future.

I ran repadmin /showobjmeta DC "OU Paths" >temp.txt and the output for the DC looks like a GUID.

Loc.USN                          Originating DSA                       Org.USN  Org.Time/Date            Ver Attribute

38623490      f191c38d-bdea-4cb4-862d-24ed6f996ed1   3555424 2032-04-21 08:22:12   78 lastLogonTimestamp

Should be something like

38623490                             City\DCNAME                      3555424 2018-10-03 08:22:12   78 lastLogonTimestamp


Is there a way to get AD to report correctly?



- LZ

