Channel: Directory Services forum

Enable Active Directory Recycle Bin


Dears,

I have two domain controllers (DC1, DC2).

DC1 has the RID, PDC and Infrastructure roles.

DC2 has the Schema Master and Domain Naming roles.

On DC1 I can open AD Administrative Center; when I click on Enable AD Recycle Bin I get the error below:

Enable-ADOptionalFeature : Unable to contact the server. This may be because this server does not exist, it is
currently down, or it does not have the Active Directory Web Services running.

I tried too many things but nothing helped (I get the same error when using PowerShell).

On DC2, when I try to open AD Administrative Center I get the error below:

Cannot connect to any domain. Try again when the connection is available.

I can ping the names of each server and all DNS settings are correct.

If anyone has faced the same problem and solved it, please reply to me.
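Editor's added example, not part of the post above. Both errors point at Active Directory Web Services: every AD cmdlet and ADAC call goes through ADWS (TCP 9389) on the DC it targets, and enabling the Recycle Bin writes to CN=Partitions in the configuration partition, which only the Domain Naming Master accepts (DC2 here). The script checks the ADWS service and port on every DC, then runs the enable against the naming master. It assumes the RSAT ActiveDirectory module on Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7) and Enterprise Admin rights; no server names are hard-coded.

```powershell
# Added example: locate the DC that must accept the Recycle Bin change, verify ADWS on
# every DC, then enable the feature against the Domain Naming Master.
Import-Module ActiveDirectory

$forest = Get-ADForest

foreach ($dc in Get-ADDomainController -Filter *) {
    $svc = Get-Service -Name ADWS -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    $tcp = Test-NetConnection -ComputerName $dc.HostName -Port 9389 -WarningAction SilentlyContinue
    $svcState = if ($svc) { [string]$svc.Status } else { 'not found (service missing or RPC blocked)' }
    [pscustomobject]@{
        DC           = $dc.HostName
        AdwsService  = $svcState
        Port9389Open = $tcp.TcpTestSucceeded
        NamingMaster = ($dc.HostName -eq $forest.DomainNamingMaster)
        OS           = $dc.OperatingSystem
    }
}

# The Recycle Bin needs forest functional level 2008 R2 or higher, and it cannot be turned off again.
$minLevel = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minLevel) {
    throw "Forest functional level $($forest.ForestMode) is below Windows Server 2008 R2"
}

# Target the naming master explicitly instead of whichever DC the session happened to bind to.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $forest.DomainNamingMaster
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Server $forest.DomainNamingMaster -Confirm:$false
}
```

If the table shows ADWS stopped or port 9389 closed on the naming master, fix that first (start the service, open the port on the host firewall); pointing -Server at a DC that is not the naming master produces a referral error rather than the "unable to contact the server" message.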


Active Directory Issues after restoring from a backup (Server 2008)


All,

We had a crypto-malware outbreak and had to restore the single domain controller we have at one of our offices.

After coming back up, the server would not join the domain network.

After troubleshooting several issues we got it back on the domain.

However none of the users can get on the domain now and all connect to the public network and not the domain.

After further investigation there seems to be more than one server listed as a controller and having the Global catalog. I think the previous IT Admin did not demote the previous DC correctly and the server now having been restored after so many years of functioning correctly is trying to replicate to the old server.

What steps do I need to take here to remove the old server?

Any advice and troubleshooting help would be appreciated.

Laurie
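Editor's added example, not part of Laurie's post. "More than one server listed as a controller" means AD still holds an NTDS Settings object for the old server; the options bit 0x1 on that object is what advertises it as a global catalog. The script lists every registered DC, probes each on LDAP, cross-checks the SRV records, and prints (does not run) the documented ntdsutil metadata cleanup line for any server that no longer answers. It assumes the RSAT ActiveDirectory module and Enterprise Admin rights. One caveat before trusting the restored DC at all: check its Directory Service event log for event 2095 (USN rollback), which is what a DC restored from an image rather than a system-state backup typically reports.

```powershell
# Added example: enumerate DCs the directory still knows about and flag the dead ones.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

$registered = foreach ($ntds in Get-ADObject -SearchBase "CN=Sites,$configNC" `
                                             -LDAPFilter '(objectClass=nTDSDSA)' -Properties options) {
    # The NTDS Settings object sits directly under the server object.
    $serverDn = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
    $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
    # Stale server objects sometimes lack dNSHostName; fall back to the CN.
    $hostName = if ($server.dNSHostName) { $server.dNSHostName } else { $server.Name }
    $probe    = Test-NetConnection -ComputerName $hostName -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Server      = $hostName
        Site        = ($ntds.DistinguishedName -split ',')[3] -replace '^CN=', ''
        IsGC        = [bool]($ntds.options -band 1)
        AnswersLdap = $probe.TcpTestSucceeded
        ServerDN    = $serverDn
    }
}
$registered | Format-Table Server, Site, IsGC, AnswersLdap -AutoSize

# DNS usually still advertises a badly demoted DC; clients try it and fail, which matches the
# "users connect to the public network" symptom.
$dnsRoot = (Get-ADDomain).DNSRoot
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$dnsRoot" | Select-Object NameTarget, Port

foreach ($dead in ($registered | Where-Object { -not $_.AnswersLdap })) {
    # Documented cleanup for a DC that is never coming back. Printed, not executed: run it by hand
    # only after confirming the host is really gone.
    "ntdsutil `"metadata cleanup`" `"remove selected server $($dead.ServerDN)`" quit quit"
}
```

After the metadata cleanup, delete the old server's SRV and A records (or let scavenging do it) and remove it from Sites and Services if the cleanup left the server object behind.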

The directory service is busy. Error when joining domain with new name.


In a Windows 2012 R2 Active Directory domain, using DSC resource 'Computer' from module ComputerManagementDsc version 5.2.0.0:

Configuration JoinServer {
    Import-DscResource -ModuleName ComputerManagementDsc -ModuleVersion 5.2.0.0
    Node localhost {
        Computer DomainJoin {
            Name       = $computername            # target name; the resource joins first, then renames
            DomainName = $dc_domain
            JoinOU     = "OU=Servers,$defaultou"
            Credential = $domainCred
        }
    }
}

It intermittently fails with:

Computer 'WIN-MDJHFJMVA9L' was successfully joined to the new domain 'devops.greatvalleyu.com', but renaming it to 'EDCRMWUVA0101' failed with the following error message: The directory service is busy.
  + CategoryInfo          : OperationStopped: (WIN-MDJHFJMVA9L:) [], CimException
  + FullyQualifiedErrorId : FailToRenameAfterJoinDomain,Microsoft.PowerShell.Commands.AddComputerCommand
  + PSComputerName        : localhost

I checked previous answers, but the only solution I found was in regard to SQLEXPRESS and SPNs. I checked this and there are no SQLEXPRESS SPNs on this or any other computer in the domain.

How can I troubleshoot this to determine what the problem is in this domain?

Thank you.
Brian Walsh
Ellucian
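Editor's added example, not part of Brian's post. The rename-after-join step fails with "directory service is busy" when the new name collides with something already in the directory; the SQLEXPRESS answer he found is one instance of that (a leftover SPN), but any computer object, HOST/RestrictedKrbHost SPN or stale DNS record for the target name causes the same failure, and intermittent failures usually mean the collision comes from a previous run of the same template. The pre-check below uses the names from the post; `Resolve-DnsName` is queried against the default resolver.

```powershell
# Added example: confirm the target computer name is free before DSC joins and renames.
Import-Module ActiveDirectory

$NewName = 'EDCRMWUVA0101'
$Domain  = 'devops.greatvalleyu.com'

# 1. A computer object with the same sAMAccountName (from an earlier run, or a hand-created account).
$existing = Get-ADComputer -Filter "sAMAccountName -eq '$NewName`$'" -Server $Domain -ErrorAction SilentlyContinue

# 2. Any principal (computer, user, MSA) already holding HOST/ or RestrictedKrbHost/ SPNs for the name.
$spnFilter = "(|(servicePrincipalName=HOST/$NewName)(servicePrincipalName=HOST/$NewName.$Domain)" +
             "(servicePrincipalName=RestrictedKrbHost/$NewName*))"
$spnOwners = Get-ADObject -Server $Domain -LDAPFilter $spnFilter -Properties servicePrincipalName

# 3. A DNS record the new host would try to overwrite with dynamic update.
$dns = Resolve-DnsName -Name "$NewName.$Domain" -Type A -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    NewName              = $NewName
    ComputerObjectExists = [bool]$existing
    ComputerObjectDN     = $existing.DistinguishedName
    SpnOwners            = ($spnOwners | ForEach-Object DistinguishedName) -join '; '
    DnsRecordExists      = [bool]$dns
    DnsAddress           = ($dns | ForEach-Object IPAddress) -join ', '
}
$report | Format-List

if ($report.ComputerObjectExists -or $report.SpnOwners -or $report.DnsRecordExists) {
    Write-Warning "Name $NewName is not free; clean up the objects above before running the DSC configuration"
}
```

If the checks are clean and the failure persists, reverse the order the resource uses: rename the machine locally first (`Rename-Computer`, reboot), then join with the final name, so the join creates the computer object under the right name in one write and no post-join rename is needed.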

Temporarily Disable Windows Server 2016 Domain Controller


I keep getting an error when doing so...

Error:

Unable to find type [Microsoft.Directory.Services.Deployment.DeepTasks.DeepTasks].

I would attach an image, but for some odd reason I can't. Does anyone have an idea what is causing this?

What is a replicated "constructed attribute"?


Hi,

As per the definition, a "constructed attribute" in AD has its value generated on the fly when a client requests it. But some constructed attributes, like tokenGroupsGlobalAndUniversal, are replicated. Then what does it mean if a constructed attribute is replicated?

Thanks,

Lokesh
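Editor's added example, not part of Lokesh's post. Whether an attribute is constructed, and whether it is replicated to global catalogs, are both recorded in the schema: bit 0x4 of systemFlags on the attributeSchema object is FLAG_ATTR_IS_CONSTRUCTED, bit 0x1 is FLAG_ATTR_NOT_REPLICATED, and isMemberOfPartialAttributeSet says whether the attribute is in the GC partial attribute set. The query lets you check tokenGroupsGlobalAndUniversal, or any other attribute, directly rather than from a description. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example: list constructed attributes and their replication flags from the schema.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: match when the given bit is set.
$constructed = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))' `
    -Properties lDAPDisplayName, systemFlags, isMemberOfPartialAttributeSet, attributeID

$constructed |
    Select-Object lDAPDisplayName,
                  @{n = 'Constructed';     e = { [bool]($_.systemFlags -band 0x4) }},
                  @{n = 'NotReplicated';   e = { [bool]($_.systemFlags -band 0x1) }},
                  @{n = 'InGlobalCatalog'; e = { [bool]$_.isMemberOfPartialAttributeSet }} |
    Sort-Object lDAPDisplayName |
    Format-Table -AutoSize

# The attribute from the question, with the raw flags so the bits can be read off directly.
$constructed | Where-Object lDAPDisplayName -eq 'tokenGroupsGlobalAndUniversal' |
    Select-Object lDAPDisplayName, @{n = 'systemFlagsHex'; e = { '0x{0:X}' -f $_.systemFlags }},
                  isMemberOfPartialAttributeSet
```

A constructed attribute has no stored value on the object, so there is nothing for replication to carry; the schema row shows how the flags combine for each one.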

Block 10,000 most used hacked passwords for users login password


I remember seeing a program that connects with Microsoft Identity/Security or AD and blocks users' ability to use known hacked passwords as their own.

For instance, "1qaz2wsx3edc", "passw0rd" and "ncc1701d" are in the top 1,000 used and hacked passwords and should not be allowed. I remember seeing a program or process to add the 10,000 most hacked passwords to the unacceptable list so a user cannot use them.

It is probably not supported by MS, but I am interested.
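Editor's added example, not part of the post above and not Microsoft's product. The supported Microsoft offering for on-premises AD is Azure AD Password Protection (a DC agent plus proxy that applies a global banned list and an optional custom list); the code below is an editor-written illustration of the two checks such a filter makes: a normalised substring match against a banned-word list, so "P@ssw0rd2019!" is caught by "password", and an exact SHA-1 match against a breach list. The word list and the breach hashes here are constructed samples, not a real corpus.

```powershell
# Added example: banned-word and breach-list password checks of the kind a password filter performs.

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Drop trailing digits/punctuation ("2019!") first, then lower-case.
    $p = ($Password -replace '[\d\W_]+$', '').ToLowerInvariant()
    # Undo the usual look-alike substitutions so "p@ssw0rd" collapses to "password".
    $map = @{ '@'='a'; '4'='a'; '$'='s'; '5'='s'; '0'='o'; '1'='i'; '!'='i'; '3'='e'; '7'='t' }
    $chars = foreach ($ch in $p.ToCharArray()) {
        $s = [string]$ch
        if ($map.ContainsKey($s)) { $map[$s] } else { $s }
    }
    # Finally drop separators so "ncc-1701-d" and "ncc1701d" normalise identically.
    return (-join $chars) -replace '[^a-z0-9]', ''
}

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToUpperInvariant()
}

function Test-BannedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$BannedWords = @(),
        [System.Collections.Generic.HashSet[string]]$BreachedSha1
    )
    $norm = ConvertTo-NormalizedPassword $Password
    foreach ($w in $BannedWords) {
        $bw = ConvertTo-NormalizedPassword $w          # normalise the list entry the same way
        if ($bw -and $norm.Contains($bw)) { return "contains banned word '$w'" }
    }
    if ($BreachedSha1 -and $BreachedSha1.Contains((Get-Sha1Hex $Password))) {
        return 'exact match in breach list'
    }
    return $null                                        # $null means the password is allowed
}

# Constructed samples: the strings from the post as banned words, two made-up breached passwords.
$banned   = 'password', '1qaz2wsx3edc', 'ncc1701d', 'greatvalley'
$breached = [System.Collections.Generic.HashSet[string]]::new([string[]]@(
    (Get-Sha1Hex 'Summer2019!'),
    (Get-Sha1Hex 'Welcome123')
))

foreach ($candidate in 'P@ssw0rd2019!', 'NCC-1701-D', 'Summer2019!', 'xk9#Tq!2mLr4') {
    $verdict = Test-BannedPassword -Password $candidate -BannedWords $banned -BreachedSha1 $breached
    '{0,-16} {1}' -f $candidate, $(if ($verdict) { "REJECT: $verdict" } else { 'ok' })
}
```

Enforcement at password-change time has to happen on the DC (a password filter DLL or the Microsoft agent); this script is the decision logic, which you can also run over a candidate list before rolling out a policy to see how much of it a given banned list actually catches.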

Patching Information


Hi Team,

I need simple, quick answers. We ran a Nessus scan and found a few vulnerabilities for which it told us to install patches. The patches it mentioned are cumulative updates: a few from June, a few from July and a few from August.

We use SCCM to deploy patches; when I checked, the patches don't exist in the SCCM patch catalogue.

My aim is to check whether the mentioned patches are already rolled in but Nessus is still detecting them,

or whether there is an issue in SCCM / we are missing the patches.

I checked manually; the patches are not present on any of the servers in the Installed Updates section.

My queries are:

1) Do the older patches get rolled into the new cumulative update? If the answer is yes, please let me know how it can be verified in SCCM, and whether there is an online website.

2) How can we verify via SCCM that patches are expired, and is there a URL to verify?

Apart from this, if there is any standalone tool with which the above points can be verified, let me know.


Sumeet Mishra
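Editor's added example, not part of Sumeet's post. Cumulative updates do supersede earlier ones (each month's CU contains the previous months' fixes), so an older KB will not appear under Installed Updates once a newer CU is on the box, and a scanner that keys on KB presence reports it missing. The reliable check is the OS build number, CurrentBuild.UBR, which every CU raises; the script reads it from the registry and compares it with the build each required KB delivers. The KB-to-build table is a sample (the June, July and August 2018 cumulative updates for Windows Server 2016, build 14393); verify the build numbers against each KB article before relying on them, and substitute the KBs from your own Nessus report.

```powershell
# Added example: decide "installed or superseded" from the OS build, not from Get-HotFix alone.

function Get-OsPatchLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Remote Registry must be reachable for remote hosts; local host needs nothing.
    $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $reg = $key.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    [pscustomobject]@{
        Computer     = $ComputerName
        ProductName  = $reg.GetValue('ProductName')
        CurrentBuild = [int]$reg.GetValue('CurrentBuild')
        UBR          = [int]$reg.GetValue('UBR')          # Update Build Revision, raised by every CU
        Build        = '{0}.{1}' -f $reg.GetValue('CurrentBuild'), $reg.GetValue('UBR')
    }
}

function Test-RequiredUpdates {
    param(
        [Parameter(Mandatory)][pscustomobject]$PatchLevel,
        [Parameter(Mandatory)][hashtable]$RequiredUpdates     # KB -> build the KB delivers, e.g. '14393.2363'
    )
    foreach ($kb in $RequiredUpdates.Keys) {
        $minBuild, $minUbr = $RequiredUpdates[$kb] -split '\.' | ForEach-Object { [int]$_ }
        $sameOs     = $PatchLevel.CurrentBuild -eq $minBuild
        $satisfied  = $sameOs -and ($PatchLevel.UBR -ge $minUbr)
        $listed     = [bool](Get-HotFix -Id $kb -ComputerName $PatchLevel.Computer -ErrorAction SilentlyContinue)
        $verdict    = if ($satisfied)   { 'installed or superseded by a later CU' }
                      elseif (-not $sameOs) { 'different OS build: KB does not apply / wrong table' }
                      else                  { 'MISSING' }
        [pscustomobject]@{
            KB                = $kb
            DeliversBuild     = $RequiredUpdates[$kb]
            ActualBuild       = $PatchLevel.Build
            SatisfiedByBuild  = $satisfied
            ListedInGetHotFix = $listed
            Verdict           = $verdict
        }
    }
}

# Sample table (verify against the KB articles): 2018 cumulative updates for Server 2016.
$required = @{
    'KB4284880' = '14393.2312'   # June 2018
    'KB4338814' = '14393.2363'   # July 2018
    'KB4343887' = '14393.2430'   # August 2018
}

Test-RequiredUpdates -PatchLevel (Get-OsPatchLevel) -RequiredUpdates $required | Format-Table -AutoSize
```

On the SCCM side, the same supersedence is visible in the console: an update that has been superseded shows the "Superseded" flag, and Microsoft marks the old CU expired after a few months, which is why it disappears from the catalogue; a scanner finding it "missing" on a host whose UBR is already higher is a false positive to raise with the scanner vendor, not a deployment gap.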

Drive mappings


In our environment, 2008 R2 AD, we have batch files that run on login mapping users to specific drives. The GPOs used to do this point to a specific AD server's SYSVOL for the login scripts. So, if that server is down, the login scripts won't run. Years ago, I remember I had been able to use a wildcard or something to tell the system to look in this folder on any AD server for the specific logon script. Does anyone remember how to do this?

For example, it is currently set to \\ADServer1\NETLOGON\ABC.vbs

and I would like it to be  \\ANYADSERVER\Netlogon\ABC.vbs


Remote Desktop Services has taken too long to load the user configuration from server \\DC for user administrator


Remote Desktop Services has taken too long to load the user configuration from server \\DC for user administrator

Event Id 20499


Ram Prakash Sharma

Windows Server 2008 R2 - Parent Domain is down


hi everyone,

I have a parent domain (Domain.com) and a child domain (Child.Domain.com). The parent domain is down and I don't have any backup for it. Can I use the child domain as the primary domain and clean the metadata for the parent domain, or should I promote a new domain and move the users to it?

thanks in advance 

User to SID & SID to user


Hi,

I have a parent domain (domain1) and two child domains (childdomain1 and childdomain2). I was trying to find the SID details of a user with the following cmdlets.

$objuser = new-object system.security.principal.ntaccount "childdomain1\testacc1"

$objuser.translate([system.security.principal.securityidentifier])

The above works perfectly in the child domains: I can resolve the account and get the SID.

But it does not work on the parent domain, nor on any servers joined to the parent domain. I can resolve the account but not translate it to a SID.

The global catalog seems to be updated and has the user information. Not sure where I am going wrong. Looks like it must be something simple that I am missing...

Could anyone shed some light on where I am going wrong, please?


-Dhayanandh
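Editor's added example, not part of Dhayanandh's post. NTAccount.Translate() does not read the GC: it calls the local LSA (LsaLookupNames), which on a parent-domain member asks a parent DC to resolve the child-domain name over the trust, so a failure there is about the lookup path (trust, DNS for the child domain, or secure channel), not about the user existing. The functions below wrap the translate in both directions and, when LSA cannot map the name, query a global catalog on port 3268 directly, which both gives the SID and tells you the directory side is fine. Account names are the ones from the post; the GC is discovered, not hard-coded.

```powershell
# Added example: account <-> SID with an explicit global-catalog fallback.
Import-Module ActiveDirectory

function Get-ForestGlobalCatalog {
    (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
}

function ConvertTo-Sid {
    param([Parameter(Mandatory)][string]$Account)          # DOMAIN\user form
    try {
        $nt = New-Object System.Security.Principal.NTAccount $Account
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "LSA lookup failed for '$Account': $($_.Exception.Message). Querying a GC instead."
    }
    $netbios, $sam = $Account -split '\\', 2
    # Scope the GC search to the named domain's naming context, so childdomain1\testacc1 and
    # childdomain2\testacc1 cannot be confused.
    $domainDn = (Get-ADDomain -Identity $netbios -ErrorAction Stop).DistinguishedName
    $gc = Get-ForestGlobalCatalog
    $obj = Get-ADObject -Server "${gc}:3268" -SearchBase $domainDn `
                        -LDAPFilter "(sAMAccountName=$sam)" -Properties objectSid
    if (-not $obj) { throw "No object '$sam' under $domainDn on GC $gc" }
    return $obj.objectSid.Value
}

function ConvertFrom-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        Write-Warning "LSA lookup failed for '$Sid': $($_.Exception.Message). Querying a GC instead."
    }
    $gc  = Get-ForestGlobalCatalog
    $obj = Get-ADObject -Server "${gc}:3268" -LDAPFilter "(objectSid=$Sid)" -Properties sAMAccountName
    if (-not $obj) { throw "SID $Sid not found on GC $gc" }
    return $obj.sAMAccountName
}

$sid = ConvertTo-Sid 'childdomain1\testacc1'
"childdomain1\testacc1 -> $sid"
"$sid -> $(ConvertFrom-Sid $sid)"
```

If the GC path succeeds while Translate() keeps failing from parent-domain members, look at the parent DC's ability to reach the child domain: `nltest /sc_verify:childdomain1` from the parent DC and the child domain's `_ldap._tcp` SRV records in the parent's DNS.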


Windows 10 Pro cannot connect to the DNS server of Windows Server 2008 R2???


Hello,

I ran into a problem joining Windows 10 Pro to the local network domain, even though Windows 7 and the other versions of Windows were joined without any problem.

All attempts to join Windows 10 Pro to the domain failed with a message saying:

That domain couldn't be found. Check the domain name and try again

Important information: I changed the DNS server address so that it matches the server I want to join.

I disabled the firewall.

Is Windows 10 Pro not compatible with Windows Server 2008 R2?

Windows 10 Pro N

1803

AD Kerberos question


Hi All!

We currently run Microsoft Advanced Threat Analytics, and we quite often get the following error for Windows client PCs and ADFS servers:

Encryption downgrade activity
The encryption method of the ETYPE_INFO field of KRB_ERR message from x computers has been downgraded based on previously learned behavior.



I have been over this documentation here: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide and used their Aorato Skeleton Key Malware Remote DC Scanner tool, but found nothing.

I opened a ticket with Microsoft about this, and they believe it is due to the fact that these accounts haven't changed their passwords in a long time (a lot of them are old accounts for various strange purposes and VIPs who whinge about having to change their password, but let's not get into that; we are soon going to force them into line).

I am only slightly knowledgeable about Kerberos; I want to know the whys/whats/hows about it. Forgive me if I am wrong, but I understand that your password is used to hash certain information and that is sent to the KDC; the KDC uses the hash of the password at its end to decrypt the message, and if it can, then your password is correct. So your password is never sent over the wire.

I'm assuming that, because these accounts have their passwords hashed with some older cipher, the KDC tells the client to use an older cipher to encrypt the message, and this is why I am getting the error? Is that correct? And is that why Microsoft is asking me to change their passwords?

I have a few questions (assuming my assumptions are correct)

  1. I asked a user to change their password (via going ctrl+alt+del on their Windows 7 PC and clicking Change a password), however ATA was still picking up encryption downgrades for this user on both their Windows 7 PC and ADFS. Would the fact that they have previously negotiated lower encryption with the KDC cause the new password to still be hashed with a weaker cipher?
  2. I then changed the password for the user above via Active Directory Users and Computers (dsa.msc), and now I no longer get the ATA alerts when they log onto ADFS, but i still get them when they log onto their Windows 7 PC. Is there anything I need to do for the Windows 7 PC to ensure it uses the strongest cipher for this account?
  3. Is there any way for me to find out, by querying AD, what users have passwords that are hashed in an older cipher?
  4. When did Microsoft make this cipher change? What did they change their cipher from/to, and how can I enforce the stronger cipher? (I seem to be struggling finding this information)

Thanks all, I apologise for my ignorance!

Some notes:

  1. I can cause ATA to log the Encryption downgrade activity just by doing a failed logon to any computer / ADFS with the users that have really old passwords. (I assume this is because, even though my password is incorrect, it is hashed using a superior cipher, and the KDC still needs to negotiate a lower cipher with the client.)
  2. The computer accounts all have msDS-SupportedEncryptionTypes set to 28 (0x1C).
  3. Please do not reply and ask me to submit my question to the ATA forums; I submitted this question there some time ago and got no response. This question relates mainly to Kerberos.
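Editor's added example, not part of the post above. The background the questions ask for: AES128/AES256 Kerberos keys arrived with Windows Server 2008 and are used once the domain functional level is 2008 or higher; before that the KDC held only RC4-HMAC (and DES) keys, which are derived from the password, so an account whose password was last set before the domain had AES support has no AES key at all and the KDC has to answer with RC4 in the ETYPE_INFO of the KRB_ERROR (pre-authentication) exchange. That is the "downgrade" ATA sees, it explains why a failed logon triggers it too, and it is why changing the password fixes it. msDS-SupportedEncryptionTypes is a bit mask (MS-KILE 2.2.7): 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96, so the 28 (0x1C) in the post is RC4 + AES128 + AES256. The stored key types themselves are not readable over LDAP, so for users the script uses pwdLastSet before the date the domain gained AES support as the heuristic; `$AesCutoff` is an assumption to be replaced with that date.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and find the accounts likely to cause
# RC4-only pre-authentication.
Import-Module ActiveDirectory

$EtypeBits = [ordered]@{
    DES_CBC_CRC            = 0x01
    DES_CBC_MD5            = 0x02
    RC4_HMAC               = 0x04
    AES128_CTS_HMAC_SHA1   = 0x08
    AES256_CTS_HMAC_SHA1   = 0x10
}

function ConvertFrom-EtypeMask {
    param([int]$Mask)
    # Attribute absent or 0: the KDC assumes RC4-HMAC for that principal.
    if ($Mask -eq 0) { return 'not set (KDC assumes RC4_HMAC)' }
    ($EtypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key) -join ','
}

# Decode the value quoted in the post.
ConvertFrom-EtypeMask 28

# Computers and SPN-bearing accounts that still advertise DES, or RC4 alone.
Get-ADObject -LDAPFilter '(&(|(objectClass=computer)(servicePrincipalName=*))(msDS-SupportedEncryptionTypes=*))' `
             -Properties msDS-SupportedEncryptionTypes |
    Select-Object Name, ObjectClass,
                  @{n = 'Etypes'; e = { ConvertFrom-EtypeMask $_.'msDS-SupportedEncryptionTypes' }} |
    Where-Object { $_.Etypes -match 'DES' -or $_.Etypes -eq 'RC4_HMAC' } |
    Format-Table -AutoSize

# Enabled users whose password predates AES support in the domain (heuristic: no AES keys stored).
$AesCutoff = Get-Date '2010-01-01'      # assumption: the date the domain reached 2008 DFL
Get-ADUser -Filter { Enabled -eq $true -and PasswordLastSet -lt $AesCutoff } -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

On question 2 (alerts continue from the Windows 7 PC after the ADAC reset but not from ADFS): the Windows 7 machine caches tickets from before the change, so `klist purge` or a fresh logon is needed before comparing; and a ctrl+alt+del change does go through the same LSA path, so the first attempt in question 1 most likely did not take effect rather than hashing with an old cipher. The "change the password" advice is the real fix; the query above gives the list to work through.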

Raise the DFL and FFL after the migrate domain from 2003 to 2012 r2 getting error

We are facing an issue while raising the DFL and FFL. We are getting the error "You cannot raise the domain functional level because this domain includes Active Directory domain controllers that are not running the appropriate version of Windows". We have migrated all FSMO roles from 2003 to 2012, but at this time Windows 2012 and 2003 run together: Windows 2012 acts as PDC and Windows 2003 acts as an additional DC. Please suggest step by step how to raise the level.
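Editor's added example, not part of the post above. The error is literal: the 2003 DC is still a DC, and the functional level cannot go above the oldest DC the directory knows about (a 2003 DC that was demoted improperly and left its metadata behind blocks the raise in exactly the same way). The order is: demote the 2003 DC, confirm no DC object below the target level remains, then raise the domain level and then the forest level. The script does the check and the two raises; it assumes the RSAT ActiveDirectory module and Domain Admin / Enterprise Admin rights, and a target of 2012 R2 as in the post.

```powershell
# Added example: verify no down-level DC remains, then raise domain and forest functional levels.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Current levels: domain = $($domain.DomainMode), forest = $($forest.ForestMode)"

# Get-ADDomainController -Filter * reads the directory, so a demoted-but-not-cleaned-up DC still shows.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog,
                  @{n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' }}
$dcs | Format-Table -AutoSize

# 2012 R2 level requires every DC to be 2012 R2 or newer; a blank OS means a stale object.
$legacy = $dcs | Where-Object { $_.OperatingSystem -notmatch '2012 R2|2016|2019|2022' }
if ($legacy) {
    Write-Warning "Cannot raise yet. Demote, or clean up metadata for: $($legacy.HostName -join ', ')"
    return
}

# Both raises are one-way; -Confirm makes each one an explicit acknowledgement.
Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2012R2Domain -Confirm
Set-ADForestMode -Identity $forest.RootDomain -ForestMode Windows2012R2Forest -Confirm
```

There is no need to step through 2008 or 2008 R2 on the way; once every DC is 2012 R2 the domain can go straight from 2003 to 2012 R2, and the forest level follows once every domain in the forest is there.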

DC decommission, Keytab and kerberos


Hi team,

We have two domain controllers in the HO site running Windows Server 2012 R2. We're in the process of upgrading the environment to WS 2016. We have completed one server and one is remaining.

The decommissioning process includes

  • Decommission of DC
  • Re-formatting
  • Promoting the fresh server to be DC

We have done the above on one server to bring it to 2016. One server is remaining.

I would like to clarify the below;

  1. Keytab files are currently created for several 3rd-party applications. What would be the impact if we decommission the last WS 2012 R2 server?
  2. Will there be any impact on Kerberos certificates or anything related? Do we need to back up or reconfigure anything?

Thank you.
Jude.


Functional Level Upgrade / Domain Level Upgrade from 2003 to 2008R2/2012R2 and NTLM


Hi, we are planning to raise our AD functional level from 2003 to 2008 R2, then to 2012 R2. All our DCs/GCs are on Windows Server 2012 R2.

We know of the .NET 3.5 or lower issues, and that we need to upgrade those apps or upgrade .NET.

Are there any other issues we should look out for? Any NTLMvX issues? Any pitfalls or gotchas?

We did read a lot of documents that were helpful, but want to check with this forum as it's always good to get feedback.

Thanks!

How can I change the display resolution when using WinRM?


I use Windows Server 2016 as a Jenkins slave for GUI tests with Selenium. The Jenkins master node uses the WinRM protocol to work with the slave. When I use WinRM as the protocol between master and slave, the screenshots from the web browser running the tests have a resolution of maybe 1024x768. But the display resolution for the user who runs the tests is 1920x1080. The browser with the tests runs in the background, because I only see the process in Task Manager; the desktop is empty.

I tried searching and changing the DefaultSettings.XResolution / DefaultSettings.YResolution values in regedit

from 1024x768 to 1920x1080, but that didn't help.

I can resolve the problem if, BEFORE launching my tests, I log in to the Windows server as my user and then disconnect. Then I launch my tests and get screenshots from the browser at my resolution, 1920x1080.

Please help me!

After wrong security settings my AD is no more available (the specified directory service attribute or value does not exist)


I am sorry for this question, but I really need help.

We were trying to prevent some users from seeing objects in Active Directory
(Properties | Security tab).

We did something wrong and now the AD is no longer available; if I open "ACTIVE DIRECTORY USERS AND COMPUTERS" I get the message "the specified directory service attribute or value does not exist" and there is nothing to display in my AD structure...

Can someone help us please?

Thanks in advance
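Editor's added example, not part of the post above. Hiding objects through the Security tab means adding explicit Deny ACEs, and a Deny on List Contents or Read Property placed high up (the domain head or a parent OU) hits the admin's own session too, which is what an empty console with that error looks like. The script walks the domain head and every OU/container and lists the explicit, non-inherited Deny entries with the principal and the attribute/class GUID they cover, so the offending entry can be identified before anything is changed; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) and an account the Deny does not apply to (Enterprise Admins, or another Domain Admin if the Deny was put on a group the current user is in). The OU in the final comment is an assumption.

```powershell
# Added example: audit explicit Deny ACEs on the domain head and all OUs/containers.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

$targets = @(Get-ADObject -Identity $domainDn) +
           @(Get-ADObject -SearchBase $domainDn -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))')

$findings = foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    # Inherited Denies are symptoms; the explicit one is the edit that was made.
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })) {
        [pscustomobject]@{
            Object      = $obj.DistinguishedName
            Principal   = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            ObjectType  = $ace.ObjectType      # attribute/class GUID the Deny is limited to; all-zeros = everything
            InheritTo   = $ace.InheritanceType
        }
    }
}
$findings | Format-Table -AutoSize

# A Deny for Authenticated Users / Everyone / Domain Users covering ListChildren or ReadProperty at
# the domain head matches the symptom in the post. Removing a specific entry:
#   $acl = Get-Acl "AD:\$domainDn"; $acl.RemoveAccessRule($ace) | Out-Null; Set-Acl "AD:\$domainDn" $acl
# or put the schema default DACL back on one object with the documented command (OU is an assumption):
#   dsacls "OU=Staff,DC=example,DC=com" /resetDefaultDACL
```

If even Enterprise Admins cannot read the domain head, the Deny was written for a group that includes them; the object's owner (or a member of the Administrators group on a DC, which can take ownership) can still edit the DACL because owners always hold WRITE_DAC.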



DHCP Users group can not Access DHCP Server Console


Hi,

I've got DHCP Server installed on a Windows Server 2008 R2 Server Core...

It is separate from the DC.

I want to grant a user limited access.

As I read on TechNet, during installation two local groups are created: DHCP Administrators and DHCP Users.

I put that user in the DHCP Users group, but when he tries to access the DHCP console and expand the DHCP server, it shows a red mark (see attachment).

any ideas?


Costa Curta

lastLogonTimestamp Shows Future Date - showobjmeta shows f191c38d-bdea-4cb4-862d-24ed6f996ed1 instead of DC Name


I have several machines that show a last logon in the future.

I ran repadmin /showobjmeta DC "OU Paths" >temp.txt and the output for the DC looks like a GUID.

Loc.USN                          Originating DSA                       Org.USN  Org.Time/Date            Ver Attribute

38623490      f191c38d-bdea-4cb4-862d-24ed6f996ed1   3555424 2032-04-21 08:22:12   78 lastLogonTimestamp

Should be something like

38623490                             City\DCNAME                      3555424 2018-10-03 08:22:12   78 lastLogonTimestamp


Is there a way to get AD to report correctly?



- LZ
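Editor's added example, not part of LZ's post. repadmin prints the Originating DSA as a bare GUID when no live NTDS Settings object carries that invocationId any more: the writer was a DC that has since been demoted, or a DC whose invocationId changed (which happens when a DC is restored from backup). The first part maps the GUID from the post against the current NTDS Settings objects' objectGUID and invocationId and says which case applies; the second lists accounts whose lastLogonTimestamp is ahead of the clock. lastLogonTimestamp is only rewritten when the stored value is older than about 14 days, so a 2032 value will not correct itself, and the DC whose clock was wrong when it wrote it is the one to look at. Assumes the RSAT ActiveDirectory module.

```powershell
# Added example: resolve an "Originating DSA" GUID to a DC, and find future-dated lastLogonTimestamp values.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$ntds = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' -Properties invocationId

function Resolve-OriginatingDsa {
    param([Parameter(Mandatory)][guid]$Guid)
    foreach ($d in $ntds) {
        $dc = ($d.DistinguishedName -split ',')[1] -replace '^CN=', ''
        # invocationId is stored as a byte array; objectGUID already comes back as a Guid.
        $invocation = New-Object System.Guid -ArgumentList (, [byte[]]$d.invocationId)
        if ($d.ObjectGUID -eq $Guid) { return "$dc (NTDS Settings objectGUID)" }
        if ($invocation -eq $Guid)   { return "$dc (current invocationId)" }
    }
    return 'no live DC carries this ID: demoted DC, or a pre-restore invocationId of an existing DC'
}

Resolve-OriginatingDsa 'f191c38d-bdea-4cb4-862d-24ed6f996ed1'

# Objects whose lastLogonTimestamp is later than now. The attribute is a FILETIME, so compare
# against the current time in the same units.
$now = (Get-Date).ToFileTimeUtc()
Get-ADObject -LDAPFilter "(&(|(objectClass=computer)(objectClass=user))(lastLogonTimestamp>=$now))" `
             -Properties lastLogonTimestamp |
    Select-Object Name, ObjectClass,
                  @{n = 'LastLogonTimestamp'; e = { [datetime]::FromFileTimeUtc($_.lastLogonTimestamp) }} |
    Sort-Object LastLogonTimestamp -Descending |
    Format-Table -AutoSize
```

If the GUID resolves to nothing, `repadmin /showrepl` on each DC shows the current DSA invocationIds, and the NC head's retiredReplDSASignatures attribute records the old ones, which confirms whether a restore rather than a demotion is behind it.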

