Channel: Directory Services forum

DC replication issue


We currently have 3 domain controllers: 2 at our main site and one at another site. The sites are directly connected via fiber, just on different subnets. A few weeks ago a redundant connection was put in between the sites. We did have to reboot the router, so connection was lost between the sites for a little while. Everything seemed to be working fine, but today we figured out that two of our DCs are not replicating to each other from the two different sites. What's really odd is that they both can replicate to our 3rd DC. The 3rd DC is located at our main site. This is also the reason we haven't caught it yet, because the 3rd DC is acting like a middle man keeping them up-to-date.

The error I see when trying to force replication is "remote procedure call failed 1727". I have tested all the ports; there are no firewalls. When I try to access sysvol from one DC to another I can't. They can ping each other and resolve their names. I can see sysvol on both of those servers from any machine except from each other. Both can see the sysvol share on the 3rd DC. Some years back I ran into an issue like this, but it was due to a caching device between them. All 3 servers are 2012 R2, but the forest and domain levels are 2008 R2. Any help would be appreciated.

Thanks,

Quentin




Direct LDAPS connectivity into internal Active Directory


Hi all,

I am looking at a solution which includes 3rd party access into the internal AD environment directly via LDAPS.  The connection is external and via the internet.  The purpose of the connection is for AD authentication to allow a piece of software to extract data from it.

I'm not too happy with having direct connectivity into our AD from the outside like this and was wondering if this was something which is common elsewhere and has a valid technical reason i.e. just port 636 used, encrypted, etc.

Alternatively, what other options are reasonably available? I'd rather not have an RODC on the perimeter as this exposes the whole AD externally, even if it is read only, for what is essentially a small data extract requirement. I am considering ADFS but I'm not yet too conversant with it and was hoping for a little advice.

Does anyone have any pros and cons they can think of between authenticating directly via LDAPS as opposed to the other available options?

Thank you all in advance.

Regards,
Martin



Event 2887 "performed without SSL/TLS:" vs "performed without signing"


Hello,

I have been using MS ATA to find systems & apps making clear text LDAP connections to our domain controllers and have reconfigured them to use SLDAP / port 636. I have the clear text connections down to zero, but the count for "performed without signing" is showing several thousand. (This is from event 2887 in the Directory Service log.) I want to set the GPO mentioned in this article: https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

My question is could I break anything? No one is using clear text anymore but there are a ton of non-signed connections. Can I block one and not the other? Thanks!

Number of simple binds performed without SSL/TLS: 0

Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 3267

Allow an Account Operator to open ADUC


Hi,

I have given Account Operator access to a domain user, but when he opens ADUC, it asks for a username and password. How can I allow him to open ADUC in a Windows 2012 domain?

Thanks.

How to retrieve an FGPP RSOP directly from the user's machine.

Hello, I am interested in finding out if there is a way to retrieve an FGPP RSOP (for one particular user logged into a workstation) directly from that workstation itself, without running it from AD or one of our domain controllers. I have auditors that want to make sure that the FGPP policy is actually taking place on one workstation in particular, and they want the commands run from that one machine that would display the active password policy for that user on that machine, like GPresult /r would. The problem is that GPresult /r doesn't display the FGPP from ADAC; it just displays the DDP. Can this be done, or does it have to be done from AD on one of our domain controllers?

Support analyst


List of all servers in the domain

Can we get the list of all the servers present in the domain (including all the sub-domains) through the Active Directory management console or any command? If yes, please share the steps or command.

Extend AD schema for office 365


Hi folks,

I know what needs to be done to get Exchange (Office 365 in our case) attributes into on-prem AD. We never had an on-prem Exchange server.

This is required as we have SSO enabled by AAD Connect.

AAD Connect is set up and configured on another standalone server, not on the DC/AD server.

Queries:

1) Now the question is: should I download Exchange on our actual AD server and update the schema, and then refresh/select those attributes in the AAD Connect app?

2) Before performing this change in the AD schema, is there anything I should take into consideration except an AD backup by system state?

Last but not least, is there any other way we can have Exchange attributes in on-prem AD for SSO by Office 365 Azure AD?

Thanks

Atul

Can't raise forest functional level - Insufficient privileges


Hi everyone

We have a forest with only one dc (2008R2) that we use for external users to our organization. So it is a sub-forest of the main forest, with several trusts configured.

I'm trying to upgrade the forest functional level from 2000 to 2003 to be able to add some 2016 dcs but I get the following message: "You do not have sufficient privilege to raise the forest functional level".

I'm logged as the domain administrator for this subforest, but have also tried as the main forest's administrator, getting the same message. The domain administrator for this forest is in Enterprise Admins and Domain Admins, of course. Schema version reports as being 47.

Does anyone have any idea? Any help is appreciated. Thanks a lot.

Fran


Domain name and email server name both are same


Hi

We deployed a server and the domain name is the same as the email server name (email is hosted in the cloud).

Now users are not able to access email via web access. Outlook is working only with the POP3 and SMTP IP address.

If I mention the server name in Outlook, that is also not working.

e.g. our domain name is abc.com and email is also abc.com:8880

pop3 - mail.abc.com

smtp - mail.abc.com

Now where do I need to update any record or anything?

Kindly guide.


Arvind

Active Directory Sites and Services

We are moving to vlans for our network.  Do I need to add the subnets for these vlans into Active Directory Sites and Services in order for endpoints in the vlans to work with AD and DNS?

Robert R. Poor


Unable to enable AD Recycle bin feature, Server 2016


Good day all, I am having difficulty enabling the Recycle Bin feature. From what I gathered, Recycle Bin was enabled in the past, but during the upgrade from 2008 to 2016 we received an error that the Recycle Bin feature could not be found in Active Directory.

I have gone through the majority of guides on how to enable Recycle Bin. In the Active Directory Administrative Center, Enable Recycle Bin is greyed out. However, when trying the command under PowerShell it states that the object Recycle Bin cannot be found.

Example:

PS C:\WINDOWS\system32> Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'domain.com' -server dc1

Error:

Enable-ADOptionalFeature : Cannot find an object with identity: 'Recycle Bin Feature' under: 'CN=Configuration,DC=domain,DC=com'.
At line:1 char:1
+ Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigu ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Recycle Bin Feature:ADOptionalFeature) [Enable-ADOptionalFeature], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature

OR

PS C:\WINDOWS\system32> Enable-ADOptionalFeature –Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=my,DC=domain,DC=name' –Scope ForestOrConfigurationSet –Target 'domain.com'

Error:

Enable-ADOptionalFeature : Cannot find an object with identity: 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=my,DC=domain,DC=name' under:
'CN=Configuration,DC=domain,DC=com'.
At line:1 char:1
+ Enable-ADOptionalFeature –Identity 'CN=Recycle Bin Feature,CN=Optiona ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CN=Recycle Bin ...=domain,DC=name:ADOptionalFeature) [Enable-ADOptionalFeature], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature

Also using ADSI editor, under CN=Partitions msDS-EnabledFeature field is empty.

Any help or advice would be greatly appreciated. We will probably have to contact microsoft support, but wanted to check here first. 

Can I extend my AD schema to 2016 without migrating to DFSR?


I am new to AD administration and have been tasked with upgrading my current functional level and schema.

We are running all 2008R2 DCs at a 2003 functional level. We are still using FRS.

We are ready to upgrade the functional level to 2008R2. Then the plan was to extend the schema for 2016 using Adprep.exe. No 2016 server will be stood up at this time.

At a later date, we would migrate to DFSR and stand up a 2016 DC.

Will this work?

Create krb5.ini file


To provide access to a vendor app across 2 domains I am being asked to create a krb5.conf file. Research shows I need to see the krb5.ini file in Windows to create this.

Does anyone have a desired setting and format for the file in a Windows AD domain?

How to change a duplicated domain controller SID correctly?


Hi,

Our company has 3 domain controllers. When we were doing a domain migration to a new forest, we could not use the ADMT tools as the following error occurred:

The Security System detected an authentication error for the server LDAP/server1.zh.xxxxx.com/zh.xxxxx.com. The failure code from authentication protocol Kerberos was "The name or SID of the domain specified is inconsistent with the trust information for that domain. (0xc000019b)".

So we checked these 3 domain controllers, and the SID is really the same (maybe the old staff did wrong things).

Then we wanted to change the SID to solve the issue, but we found that the only way is to demote and promote the DC again (also according to Microsoft Forums):

It is impossible to change the SID on a Domain controller, what you have to do is to demote it first, remove from domain, change SID with SYSPREP and promote again.

But when we try to demote one of the DCs, it seems all of AD goes down: we cannot log in to the domain, and "Active Directory Users and Computers" cannot be opened as it says that the domain cannot be contacted.

Then we promoted the "demoted" DC again, and AD seems to become normal.

So we want to know how to change the SID in this case?

Or can the error from ADMT be solved by other solutions?

Thanks !


What is the recommendation for DNS when using multi-domain forest


Hello, can someone please help me with the following question

If I have a forest with a 'tree' under the forest root domain as follows:

Forest-Root.Local  # forest root domain

Tree01.Local  # which is a direct child (child tree) of the above forest root domain

then I have one more domain which is a child of the above, e.g.

Sales.Tree01.Local

With the above configuration, how should the DNS be configured?

For example, should Tree01.local have a 'stub' zone to refer to Forest-Root.local (and vice versa)?

How should the DNS tab in the TCP/IP settings of the network card look (e.g. how should the IP addresses of the DNS servers be listed, and in which order, for each of the above)?

I would be very grateful if someone could help me with this please

Thanks

Charlie


User Account Issues

I purchased my laptop from my previous company when I was leaving and I kept all of the info on the laptop. I had a username with admin rights on the company domain. Since the company removed me from the domain, I cannot download or run any programs on the machine as it is saying that I need admin rights. I tried all the tricks found online but none seem to work. My IT knowledge is little to none, so please advise in an easy manner how to go about fixing this. It shows my name as an admin under username but it is not allowing me to remove my profile or make any changes. Seems like the machine is stuck with no workaround.


Are Global groups and domain local groups replicated to Global Catalog ?


Hello everyone.

In the 70-640 R2 self-paced training kit, we read: "universal groups are replicated to global catalog". But about global groups and domain local groups, we read that they are replicated to domain controllers in the same domains.

As we know, the global catalog contains every object in the forest, so it seems that global groups and domain local groups should be replicated to the global catalog as well.

Does it occur?

Any idea please.

What does error code 8007203c mean?

While performing modification actions in Active Directory, error 8007203c occurs.

One Policy Overriding the other same type of policy


I am using Server 2012 R2. I have configured a policy on a user OU for blocking certain application say 'firefox'. Tested it, it was working fine. Then requirement came for blocking another application say 'chrome'. I created another similar policy to block 'chrome' and applied on the same OU. But when I see resultant set of policy, earlier blocked application was removed and only 'chrome' was present in the list of blocked applications. I was also able to run 'firefox' while I had blocked it using previous policy.

Kindly help me with the correct configuration of the policy. I am using 'Don't run specified Windows applications' settings. Does configuring multiple policies with same type of settings create problems?
