Channel: Directory Services forum

Decom 2012 DC but need the new DC to use the same IP Address and Name

Hello,

I want to build a brand new 2016 DC, but there is a hard requirement to have the new DC replace an old one (2012 R2) using the old DC's name and IP address.  I see many people say not to do this, but in my case we have to, since we have tons of things tied into the DC name or IP address.  What is the recommended route to get the new one online and syncing with the existing DCs, and then get rid of the old DC and rename the new one?

Thanks

Functional Level Upgrade / Domain Level Upgrade from 2003 to 2008R2/2012R2 and NTLM


Hi, we are planning to raise our AD functional level from 2003 to 2008 R2, then to 2012 R2. All our DCs/GCs are on Windows Server 2012 R2.

We know of the .NET 3.5 or lower issues, and that we need to upgrade those apps or upgrade .NET.

Are there any other issues we should look out for?  Any NTLMvX issues?  Any pitfalls or gotchas?

We did read a lot of documents that were helpful, but want to check with this forum as it's always good to get feedback.

Thanks!

unchecked Allow inheritable permissions from parent to propagate to this object and all child objects.


I unchecked "Allow inheritable permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here" in a folder's advanced permissions. Now I can't access that folder or its subfolders.

I am the domain admin. What should I do?


Patching Information


Hi Team,

I need simple, quick answers. We ran a Nessus scan and found a few vulnerabilities for which it recommended installing patches. The patches it mentioned are cumulative updates, a few from June, a few from July and a few from August.

We are using SCCM to deploy the patches; when I checked, these patches don't exist in the SCCM patch catalogue.

My aim is to check whether the mentioned patches are already rolled in but Nessus is still detecting them.

Or whether there is an issue in SCCM, or we are missing the patches?

I checked manually; the patches are not present on any of the servers in the installed updates section.

My queries here are:

1)  Are the older patches rolled into the new cumulative update? If the answer is yes, please let me know how it can be verified in SCCM, as well as whether there is any online website for this.

2) How can we verify that the patches are expired via SCCM, and is there any URL to verify this?

Apart from this, if there is any standalone tool with which the above points can be verified, please let me know.


Sumeet Mishra

Drive mappings


In our environment, 2008 R2 AD, we have batch files that run on login mapping users to specific drives.  The GPOs used to do this point to a specific AD server's SYSVOL for the login scripts.  So, if that server is down, the login scripts won't run.  Years ago, I remember I had been able to use a wildcard or something to tell the system to look in this folder on any AD server for the specific logon script.  Does anyone remember how to do this?

For example, it is currently set to \\ADServer1\NETLOGON\ABC.vbs

and I would like it to be \\ANYADSERVER\Netlogon\ABC.vbs

Active Directory Upgrade 2003 to 2016

Hi all,

I was recently hired to upgrade an Active Directory infrastructure based on Windows Server 2003 R2. Is it possible to go directly to 2016? The client is also concerned with their Windows XP machines, still more than 30% of installed workstations. What are the risks?

Thanks in advance.

create a banned password list


Hello, 

We have a client with a problem with weak passwords. Currently the complexity level is 3/4, but it is not enough, and we would like to create a banned password list in order to forbid passwords like 123456aA.

How can we do it using AD?

Thank you in advance

Golan


Protected user group in 2012 R2

Hi,

I have a few privileged user accounts in my domain and am planning to implement the "protected user group" authentication mechanism.

All my NetApp shares can be connected to using IP address.

Technically, if a user is part of the protected user group, NTLM authentication does not work.

In this case, if I add a privileged account to the storage shares, will I be able to connect to the shares without issues?




unchecked Include inheritable permissions from this object's parent


I unchecked "Include inheritable permissions from this object's parent" in a folder's advanced permission settings. Now I can't access that folder, but I can access its subfolders.

I am the domain admin. What should I do?



Domain Controller shows Public Network


Dear Support, 

Could it have any impact on a Domain Controller when the network of the Domain Controller is "Public network"?
How could the network be changed from "Public" to "Domain" if it has an impact on the DC?

Thanks!

Best Regards, 
Daniel

What is a replicated "constructed attribute"?


Hi,

As per the definition, a "Constructed Attribute" in AD has its value generated on the fly when a client requests it. But some constructed attributes, like tokenGroupsGlobalAndUniversal, are replicated. Then what does it mean if a constructed attribute is replicated?

Thanks,

Lokesh

Installation of Certificate Authority Role


Where should I install the certificate authority role? Do I need to have a dedicated machine in the domain, or can I install it on the domain controller where Active Directory is installed?


Thanks, Ram Ch

DC decommission, Keytab and kerberos


Hi team,

We have two domain controllers in the HO site running Windows server 2012 R2. We're in the process of upgrading the environment to WS 2016. We have completed one server and one is remaining.

The decommissioning process includes

  • Decommission of DC
  • Re-formatting
  • Promoting the fresh server to be DC

Currently we have done the above on one server to bring it to 2016. One server is remaining.

I would like to clarify the below:

  1. Currently keytab files are created for several 3rd party applications. What would be the impact if we decommission the last WS 2012 R2 server?
  2. Will there be any impact on Kerberos certificates or anything related? Do we need to back up or reconfigure anything?

Thank you.
Jude.

AD Kerberos question


Hi All!

We currently run Microsoft Advanced Threat Analytics, and we quite often get the following error for Windows client PCs and ADFS servers:

Encryption downgrade activity
The encryption method of the ETYPE_INFO field of KRB_ERR message from x computers has been downgraded based on previously learned behavior.



I have been over this documentation here: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide and used their Aorato Skeleton Key Malware Remote DC Scanner tool, but found nothing.

I opened a ticket with Microsoft about this, and they believe it is due to the fact that these accounts haven't changed their passwords in a long time (a lot of them are old accounts for various strange purposes and VIPs that whinge about having to change their password - but let's not get into that, we are soon going to force them into line).

I am only slightly knowledgeable about Kerberos, and I want to know the whys/whats/hows about it. Forgive me if I am wrong; I understand that your password is used to hash certain information and that is sent to the KDC, the KDC uses the hash of the password at its end to decrypt the message, and if it can, then your password is correct. So your password is never sent over the wire.

I'm assuming that because these accounts have their passwords hashed with some older cipher, the KDC tells the client to use an older cipher to encrypt the message, and this is why I am getting the error? Is that correct? And is that why Microsoft is asking me to change their passwords?

I have a few questions (assuming my assumptions are correct)

  1. I asked a user to change their password (via going ctrl+alt+del on their Windows 7 PC and clicking Change a password), however ATA was still picking up encryption downgrades for this user on both their Windows 7 PC and ADFS. Would the fact that they have previously negotiated lower encryption with the KDC cause the new password to still be hashed with a weaker cipher?
  2. I then changed the password for the user above via Active Directory Users and Computers (dsa.msc), and now I no longer get the ATA alerts when they log onto ADFS, but I still get them when they log onto their Windows 7 PC. Is there anything I need to do for the Windows 7 PC to ensure it uses the strongest cipher for this account?
  3. Is there any way for me to find out, by querying AD, what users have passwords that are hashed in an older cipher?
  4. When did Microsoft make this cipher change? What did they change their cipher from/to, and how can I enforce the stronger cipher? (I seem to be struggling finding this information)

Thanks all, I apologise for my ignorance!

Some notes:

  1. I can cause ATA to log the Encryption downgrade activity just by doing a failed logon to any computer / ADFS with the users that have really old passwords. (I assume this is because even though my password is incorrect, it is hashed using a superior cipher, and the KDC still needs to negotiate a lower cipher with the client.)
  2. The computer accounts all have msDS-SupportedEncryptionTypes set to 28 (0x1C).
  3. Please do not reply and ask me to submit my question to the ATA forums, I submitted this question there some time ago and got no response, this question relates mainly to Kerberos.

NTLM Kerberos Question


I have \\server\share that is accessed by the help desk.  This share has several shortcuts pointing to other \\x.x.x.x\share locations at remote sites.  Note the IP.  It needs to be an IP: it's a remote site that has no DNS, and if the site loses WAN the share needs to remain accessible longer than the DNS cache.

At random, the help desk will get an access denied for an IP\Share.  I know \\dns\share uses Kerberos and \\x.x.x.x\share uses NTLM.

If the help desk navigates to \\server\share and then \\x.x.x.x\share, it sometimes works and sometimes does not; why? Using Wireshark during the access denied I can see NTLM is not able to auth the user because there are "No Logon Servers". I do not understand the randomness of the issue.


ControlAccessRight RightsGUID Values


Hi, I'm working on a PowerShell script to create a machine account, and as part of giving rights to users/groups to add that machine to the domain, I'm looking for some rights GUID values.

On searching I got the below values for the GUIDs:

RIGHTS_GUID_RESET_PASSWORD      = "00299570-246D-11D0-A768-00AA006E0529"
RIGHTS_GUID_VALIDATED_WRITE_DNS = "72E39547-7B18-11D1-ADEF-00C04FD8D5CD"
RIGHTS_GUID_VALIDATED_WRITE_SPN = "F3A64788-5306-11D1-A9C5-0000F80367C1"
RIGHTS_GUID_ACCT_RESTRICTIONS   = "4C164200-20C0-11D0-A768-00AA006E0529"

These helped in selecting the four options for the domain user account security properties. What if I need to allow more permissions for this security group? For example, if I need to enable the "Change Password" permission for "Domain Users", what will the GUID value be? Can you please share the complete list of GUID values, or provide me a solution to add Domain Users and give them the necessary rights to join machines to the domain?

OS: Win 10

Upgrade 2008 R2 to 2016 with 2012 R2 Domain & Functional Level


Hi,

I'm seeking to understand whether the following scenario is a supported / recommended / possible upgrade path for AD DS.

We currently have a 2008 R2 domain (native) with around 20 domain controllers in a single-domain forest. Due to potential issues with third-party application compatibility we're not ready to jump straight to a 2016 functional level, but is it possible (and sensible?) to migrate all domain controllers to the Server 2016 OS, but only upgrade the schema and functional levels (domain and forest) from 2008 R2 to 2012 R2?

Thanks

Tony


Connect to domain


Hello y'all,

I've installed a brand new, fresh copy of Windows Server 2016 Standard on a virtual machine (VMware, if it matters) and installed Active Directory, promoted it to a domain controller and created a new user (not changing anything apart from choosing a user name and a password). I then tried to connect to the domain using the hosting computer (the one on which I run the virtual machine), and I keep receiving the same error "can't join this domain contact your it admin windows 10", and I really have no clue where to start investigating the reasons for it. Have I missed some essential steps creating the domain/user? I would be thankful for any hint on where to start.

Kind Regards,
Bar

AD CS: Issues getting the Root CA back to the Trusted CAs cert store


Hi,

Two weeks ago we renewed our Enterprise CA cert and it was properly deployed to all our clients. I was even able to use certutil -pulse to get it updated on my laptop as soon as I finished the cert renewal.

Today we received an incident from a group of users that manually deleted our root CA from the Windows user cert store (Trusted Root CAs), and now the cert is not getting restored: no matter if you reboot, do certutil -pulse or do gpupdate /force, the CA certificate does not come back to the Trusted Root CAs.

Nothing has changed at the CA/AD level and I see the CA cert properly published in AD (at least it seems to be in the correct AD cert stores). Are there any specific steps to be done to get the cert back into the cert store? I tried deleting the cert on my laptop and I haven't been able to get it back yet (tried certutil, rebooting, etc.).

What I don't understand is why the CA cert was properly pulled by the clients once, but now if you delete it, the certificate doesn't come back via autoenrollment.

I appreciate any help.

Thanks.


Creating password policy for individual group

Hi, I seem to be having issues with creating a separate password policy for certain users aside from the default domain password policy in AD. This new password policy is set so that the only group that has access to it is the assigned group I created with the chosen users in it. The Authenticated Users group is not assigned to it, the policy is enforced, the policy is applied to the proper group in delegation, and gpupdate /force has been run on the login of my test user. However, the security policy still doesn't show when I do a gpresult /r. The users in the group are also obviously part of the Domain Policy group, which also has password settings for the rest of the users in our company. I noticed that the default domain policy has 'Authenticated Users' assigned to its scope. But I'm assuming that 'Authenticated Users' should not be assigned to a policy that I only want to restrict to certain users? Is the password policy of the default domain policy affecting this new password policy that I am restricting to certain users? Any ideas would be helpful.

Support analyst
