Channel: Directory Services forum

Direct LDAPS connectivity into internal Active Directory


Hi all,

I am looking at a solution which includes 3rd party access into the internal AD environment directly via LDAPS.  The connection is external and via the internet.  The purpose of the connection is for AD authentication to allow a piece of software to extract data from it.

I'm not too happy with having direct connectivity into our AD from the outside like this and was wondering if this was something which is common elsewhere and has a valid technical reason i.e. just port 636 used, encrypted, etc.

Alternatively, what other options are reasonably available? I'd rather not have an RODC on the perimeter, as this exposes the whole AD externally, even if it is read only, for what is essentially a small data extract requirement. I am considering ADFS, but I'm not yet too conversant with it and was hoping for a little advice.

Does anyone have pros and cons they can think of between authenticating directly via LDAPS as opposed to the other available options?

Thank you all in advance.

Regards,
Martin
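An added check (PowerShell, not from the post or from Microsoft): before accepting "just port 636, encrypted" as the technical justification, inspect what the endpoint actually negotiates. The script opens a TLS session to the LDAPS port with a validation callback that records, rather than hides, any chain or name-mismatch error, then reports the protocol version, cipher, certificate issuer and days to expiry. The hostname is an assumed placeholder; the function name and output fields are mine.

```powershell
# Added example, not from the post: inspect an LDAPS endpoint's TLS offering.
# $Server is a placeholder; replace it with the DC that will be published.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636
    )
    $result = [ordered]@{ Server = $Server; Port = $Port }
    # Shared state the validation callback writes into (hashtable = reference type)
    $state = @{ Errors = 'NotEvaluated' }
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        # Record the validation result; returning $true only lets us inspect
        # the certificate, it does not mean the chain was trusted.
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # hostname check runs against $Server
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Protocol        = $ssl.SslProtocol
        $result.CipherAlgorithm = $ssl.CipherAlgorithm
        $result.Subject         = $cert.Subject
        $result.Issuer          = $cert.Issuer
        $result.NotAfter        = $cert.NotAfter
        $result.DaysToExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $result.ChainErrors     = $state.Errors   # 'None' is the only acceptable value
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $tcp.Dispose()
    }
    [pscustomobject]$result
}

Test-LdapsEndpoint -Server 'dc01.corp.example'
```

Whatever this reports, TLS only protects the transport: the bind account the third party uses still receives whatever read access AD grants to any authenticated user, so the usual pairing is a firewall rule limited to the vendor's source addresses plus a dedicated account that holds only the reads the extract needs.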




DFSR error ID:5008/4612 Towards demoted/removed DC


I am having an issue where I see the following errors:

The DFS Replication service failed to communicate with partner OLDSERVER for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
 
Partner DNS Address: OLDSERVER.Domain.local
 
Optional data if available:
Partner WINS Address: OLDSERVER
Partner IP Address: x.x.x.x
 
The service will retry the connection periodically.
 
Additional Information:
Error: 1722 (The RPC server is unavailable.)

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner OLDSERVER.domain.local. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 4846FCD2-7777-4EDF-BC6B-13E8E16C4446
Replication Group Name: Domain System Volume
Replication Group ID: CB5BCAE8-C44F-40A8-80DD-A88DC4FDAF74
Member ID: FA911E0C-253C-426A-8EC7-71D85B49C0EB
Read-Only: 0


The server was not removed from the domain correctly, so I am doing a lot of cleaning up. The issue I face is that the other solutions I have found for this are to use metadata cleanup, but OLDSERVER is not present there.

Or use ADSI Edit to locate CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local and delete the record of OLDSERVER, but the record is not there.

I have 4 domain controllers at the moment: 2 of them are 2016 (newly installed) and 2 are 2012 R2.

The error is only active on 1 of the 2012 R2 servers; the rest see no DFSR errors. OLDSERVER's old DNS records have all been removed.

Any pointers or ideas will be greatly appreciated.
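As an added example (PowerShell with the ActiveDirectory RSAT module; not from the post), this enumerates the same DFSR topology container the post mentions but also looks one level deeper: each member's msDFSR-Connection objects, whose fromServer attribute names the partner. A removed DC can survive there as a dangling partner reference even when no member object named OLDSERVER remains. The object class and attribute names are the ones I know from the DFSR schema; the domain DN is read from the current domain and the output fields are mine.

```powershell
# Added example, not from the post: list the SYSVOL ("Domain System Volume")
# DFSR topology as recorded in AD and flag members or partners that no longer
# correspond to a current domain controller.
Import-Module ActiveDirectory

function Get-SysvolDfsrTopology {
    $domainDn   = (Get-ADDomain).DistinguishedName
    $topologyDn = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"
    $dcNames    = (Get-ADDomainController -Filter *).Name

    # First RDN of a DN, without the "CN=" prefix (DC names contain no commas)
    function Get-LeafName([string]$dn) { if ($dn) { ($dn -split ',')[0] -replace '^CN=' } else { '<none>' } }

    # One msDFSR-Member object per topology member; msDFSR-ComputerReference
    # points at the DC's computer object.
    Get-ADObject -SearchBase $topologyDn -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msDFSR-Member)' -Properties msDFSR-ComputerReference |
    ForEach-Object {
        $member       = $_
        $computerName = Get-LeafName $member.'msDFSR-ComputerReference'

        # Inbound connection objects live under the member; fromServer is the partner's member DN
        $partners = Get-ADObject -SearchBase $member.DistinguishedName -SearchScope OneLevel `
                                 -LDAPFilter '(objectClass=msDFSR-Connection)' -Properties fromServer |
                    ForEach-Object { Get-LeafName $_.fromServer }

        [pscustomobject]@{
            Member        = $member.Name
            Computer      = $computerName
            IsCurrentDC   = $dcNames -contains $computerName
            Partners      = ($partners -join ', ')
            StalePartners = (@($partners | Where-Object { $dcNames -notcontains $_ }) -join ', ')
        }
    }
}

Get-SysvolDfsrTopology | Format-Table -AutoSize
```

A non-empty StalePartners column on the complaining 2012 R2 DC's member object is the kind of leftover the ADSI Edit search in the post would not show, because the stale object sits under the surviving member rather than under its own name.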

LDAP: error code 50 - 00000005: SecErr: DSID-03152857, problem 4003 (INSUFF_ACCESS_RIGHTS)


Hi,

I have one user in LDAP with the Account Operators role. I am able to create and delete users with that user in all directories and OUs from the LDAP console. But when I integrated LDAP with Java and tried to create/delete a user with the same access, I am not able to do that, as I am getting the LDAP exception javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-03152857, problem 4003 (INSUFF_ACCESS_RIGHTS)].

Any comments on this ?


Lsass.exe sending excessive data outside the local network


Just this morning I noticed a huge lag on my internet connection at my work network. After rebooting the modem with no help, I investigated the server.

lsass.exe was sending massive data outbound only, upwards of 8Mb/second, to different IP addresses; one resolved back to france.protection-ddos.com.

I have not had any server setting changes in months. I haven't even logged on to the server in months; it's been doing its job as it should with no interference, until this.

I updated my virus database and am doing a full scan now. To update my virus database I tethered my phone to the server for an internet connection. The lsass data did not start on this connection, only on the LAN to cable modem connection. The scan is going to take hours, so I am letting my network off the internet for the night and hoping the scanner finds something upon my return in the morning.

Obviously I can't kill lsass, so I have isolated the network temporarily. I'm assuming I've been compromised somehow.

I don't know why/how lsass is sending such a large amount of data out of the network. Everything I googled is more about lsass.exe using a lot of CPU; mine is not, only outgoing network. And yes, it is LSASS.EXE, the same PID as the one doing the network authenticating.

Any input would be appreciated.

Stats:

Windows Server 2012 Essentials; all 5 workstations are Windows 7.
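An added example (PowerShell, not from the post or from Microsoft) that turns the symptom above into a list of concrete peers. On a single-server network lsass.exe has no legitimate reason to hold established TCP sessions to addresses outside the private ranges, so the script enumerates the connections owned by the lsass process, filters out RFC 1918, loopback and link-local peers, and reverse-resolves the rest. The private-range regex, the function names and the output fields are mine; Get-NetTCPConnection is the standard cmdlet on Windows Server 2012 and later.

```powershell
# Added example, not from the post: which external peers is lsass.exe talking to?
function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918, loopback and link-local ranges; anything else is treated as external
    return $Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

function Get-LsassExternalConnections {
    $lsassPid = (Get-Process -Name lsass).Id
    Get-NetTCPConnection -OwningProcess $lsassPid -State Established -ErrorAction SilentlyContinue |
        # IPv6 peers (addresses containing ':') are skipped by this IPv4-only filter
        Where-Object { $_.RemoteAddress -notmatch ':' -and -not (Test-PrivateIPv4 $_.RemoteAddress) } |
        ForEach-Object {
            $name = try { [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { '<no PTR>' }
            [pscustomobject]@{
                LocalPort  = $_.LocalPort
                RemoteIP   = $_.RemoteAddress
                RemotePort = $_.RemotePort
                RemoteName = $name
            }
        }
}

# Keep a copy before the scan or any reboot destroys the evidence
$snapshot = Get-LsassExternalConnections
$snapshot | Format-Table -AutoSize
$snapshot | Export-Csv -Path "$env:TEMP\lsass-external-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

Run it while the traffic is actually flowing (the post notes it only happens on the cable modem link, not the tethered one): an empty result on the isolated link tells you nothing. The saved CSV is what an incident responder will ask for first.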

users are not able to connect due to missing some Attributes


Hi everyone,

We are implementing a new app for our email system, but some users are not able to connect from their iPhones.

We investigated and found that some users are missing some attributes.

Please give me a solution for how I can add these attributes to the users that are missing them.

User access to computer A


I have a user who is trying to log into computer X on the domain, but it is receiving the error:

You cannot log on because the method is not allowed.

I looked in local policy, but I can't add the user there because it is grayed out, and therefore this might be defined globally on the DC. I looked on the DC under Policy / Computer Configuration / Security Settings / User Rights Assignment / Allow log on locally. If I add this particular user there, would this work, and would it create any problems?

Software install and group policy


No previous experience in Windows AD other than the last few days, so please bear with me.

I have installed some software on a VM which is part of an AD, and I loaded Adobe as a domain admin onto the VM. When the domain admin logs in to the VM there is an Adobe icon on the desktop and they can use Adobe.

The issue is when a normal user logs in to the VM they do not have access to Adobe, i.e. no desktop icon, and the rest of the desktop is locked down because of a group policy being applied.

I managed to track down the setting in Group Policy that stops the user getting the Adobe desktop icon:

User Configuration -> Policies -> Administrative Templates -> Start Menu and Taskbar -> Remove common programs from Start Menu

If I turn this off then the user can use Adobe. Unfortunately it has to be enabled, so a couple of questions:

1) Is this problem at all related to loading software as domain admin? Is there another account I should be using? Note that I cannot give any of the users permissions to load software.

2) How do I solve this? From my reading I have an idea it is something to do with copying files from the domain admin profile to the user profile(s) and modifying permissions, but I may be completely off base here.

Any pointers or help would be much appreciated.


Why does Active Directory not validate the domain name?

I use NTLM for Active Directory authentication and found that with any domain name in NTLM, the authentication will succeed. Why does this happen?

Services and Alerting


Hi All,

I wondered if there was any native Microsoft tool that allows monitoring and administration of Active Directory?

Basically what I am after is a check on system services, domain services, DFS Namespace, replication, DNS, KDC etc. I would also like to know about monitoring account management, logon/logoff, policy changes etc.

What do other IT engineers usually monitor in Active Directory, and what is generally used?

Any help would be greatly appreciated.

Regards.

 

How can I change the display resolution when using WinRM?


I use Windows Server 2016 as a Jenkins slave for GUI tests with Selenium. The master Jenkins node uses the WinRM protocol to work with the slave. When I use WinRM as the protocol between master and slave, I get screenshots from the web browser running the tests in a resolution of maybe 1024x768. But the display resolution for the user who is running the tests is 1920x1080. The browser with the tests is working in the background, because I only see the process in Task Manager; the desktop is empty.

I tried searching and changed the DefaultSettings.XResolution and DefaultSettings.YResolution values in regedit from 1024x768 to 1920x1080, but that didn't help.

I can resolve my problem if, BEFORE launching my tests, I log in as my user to the Windows server and then disconnect. Then I launch my tests and I get screenshots from the browser with my resolution of 1920x1080.

Please help me!

What is the recommendation for DNS when using multi-domain forest


Hello, can someone please help me with the following question

If I have a forest with a 'tree' under the forest root domain as follows:

Forest-Root.Local  # forest root domain

Tree01.Local  # which is a direct child (child tree) of the above forest root domain

then I have one more domain which is a child of the above e.g.

Sales.Tree01.Local

With the above configuration, how should the DNS be configured?

For example, should Tree01.local have a 'stub' zone to refer to Forest-Root.local (and vice versa)?

How should the DNS tab in the TCP/IP settings of the network card look (e.g. how should the IP addresses of the DNS servers be listed, and in which order, for each of the above)?

I would be very grateful if someone could help me with this please

Thanks

Charlie

A question about the _msdcs.MyDomain.local domain


Hello, can someone please help me with the following question, thanks in advance

I have a LAB setup with a forest root domain  Forest-Root.pri

I then have a new Tree (rather than a direct child domain) under this forest root called

MyDomain.pri

The fact that the forest has a 'tree' (with a different domain name than the forest, which is a supported design) may or may not be relevant to my question, but I thought I would point it out in case it was.

I wanted to recreate the top-level _msdcs DNS zone, e.g. the one that lives directly under the 'Forward Lookup Zones' folder (just under the DNS server name in the console), so I followed the article at the following URL:

http://itcalls.blogspot.com/2011/11/active-directory-integrated-dns-zone.html

Once I deleted the zone, I recreated it and then restarted the DNS and Netlogon services.

After I restarted these two services, 'two' SRV records were automatically created under the _msdcs zone, namely the following two records:

Start of Authority (SOA)
Name Server (NS)

Question 1:

I thought/think there should be more than just these two SRV records under this zone?

(Unfortunately I forgot to check which records were there before deleting, as it is only a LAB and I was troubleshooting a sync issue.)

The reason I think there should be more records under this zone is because under the forward lookup zone for the domain itself, e.g.

_msdcs.Forest-Root.pri

there are lots of SRV records, e.g. dc, domains, gc, pdc.

Can anyone help me with the above question please.

Thanks very much

CXMelga
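An added example (PowerShell with the ActiveDirectory RSAT module; not from the post or from the linked article). The forest-wide _msdcs.<forest root> zone is the only _msdcs zone that stands alone; the tree domain's _msdcs.MyDomain.pri records live inside the MyDomain.pri zone itself. Netlogon on every DC in the forest registers into the forest-wide zone, so a freshly recreated zone should fill with the dc, pdc and gc SRV records, one domains SRV record per domain GUID, and one CNAME per DC named by its DSA GUID. The script builds that expected list from AD and queries DNS for each name. The record layout is the DC locator layout as I know it; $Forest defaults to the current forest and the function name and output columns are mine.

```powershell
# Added example, not from the post: verify that the forest-wide _msdcs zone
# has been repopulated by every DC in the forest after it was recreated.
Import-Module ActiveDirectory

function Test-MsdcsRecords {
    param([string]$Forest = (Get-ADForest).Name)

    # Records every forest should carry in _msdcs.<forest root>
    $expected = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Forest";     Type = 'SRV' }   # forest-root domain DCs
        @{ Name = "_kerberos._tcp.dc._msdcs.$Forest"; Type = 'SRV' }
        @{ Name = "_ldap._tcp.pdc._msdcs.$Forest";    Type = 'SRV' }   # forest-root PDC emulator
        @{ Name = "_ldap._tcp.gc._msdcs.$Forest";     Type = 'SRV' }   # every GC in the forest
    )
    foreach ($domainName in (Get-ADForest -Identity $Forest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Per-domain GUID record under "domains", used for cross-domain locator lookups
        $expected += @{ Name = "_ldap._tcp.$($domain.ObjectGUID).domains._msdcs.$Forest"; Type = 'SRV' }
        foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
            # Per-DC CNAME named by the DSA (NTDS Settings object) GUID, used by replication partners
            $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $domainName).ObjectGUID
            $expected += @{ Name = "$dsaGuid._msdcs.$Forest"; Type = 'CNAME' }
        }
    }

    foreach ($e in $expected) {
        # -DnsOnly bypasses the local cache and hosts file so we see what the zone serves now
        $answer = Resolve-DnsName -Name $e.Name -Type $e.Type -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Record  = $e.Name
            Type    = $e.Type
            Present = [bool]$answer
            Targets = ($answer | ForEach-Object { if ($e.Type -eq 'SRV') { $_.NameTarget } else { $_.NameHost } }) -join ', '
        }
    }
}

Test-MsdcsRecords | Format-Table -AutoSize
```

Any entry that shows Present as False belongs to a DC that has not re-registered yet; running nltest /dsregdns on that DC (or restarting its Netlogon service, the step the post already took on one server) writes its records into the new zone.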


Active Directory Sites and Services

We are moving to VLANs for our network. Do I need to add the subnets for these VLANs into Active Directory Sites and Services in order for endpoints in the VLANs to work with AD and DNS?

Robert R. Poor



DOMAIN

I need help to find my domain password; it is always asking me for domain passwords if I try to download games. I know the user name but not the password. Please answer if you can help. THANK YOU

Azure AD connect and ADFS


Hi,

Should we deploy Azure AD Connect to configure SSO in a hybrid environment?

RSAT not showing under Windows features


Hello

I have a colleague who is experiencing problems with getting the Remote Server Administration Tools in his Windows features. We have followed the installation process for RSAT on Windows 10, and everything goes smoothly. However, after the required restart, Active Directory does not show up when searching for it. When trying to enable RSAT in Windows features, there is no "Remote Server Administration Tools". When searching for a solution, it was suggested to delete the English language package and reinstall it. This did not solve the issue. Active Directory is essential for some work tasks, so we really need to solve it.

Kind regards

Hakan

Some DNS requests timed out on the client, but worked on DC


I have a weird problem. When I do an nslookup on this particular domain name, it shows timed out on my Windows 10 client and I can't access this website, but if I log onto the DC/name server, DC02, it works just fine.

All other websites work just fine.

Any suggestion as why this is happening and how to resolve this?

On the client: 

C:\Users\JSMITH>nslookup p2energysolutions-my.sharepoint.com
Server:  dc02.company.com
Address:  172.16.9.212

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to  dc02.company.com timed-out

On the DC02

C:\Users\JSMITH_da>nslookup p2energysolutions-my.sharepoint.com
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
Name:    spo-0004.spo-msedge.net
Address:  13.107.136.9
Aliases:  p2energysolutions-my.sharepoint.com
          p2energysolutions.sharepoint.com
          prodnet10511-10480edgea0000.sharepointonline.com.akadns.net
          prodnet10511-10480a0000.sharepointonline.com.akadns.net.spo-0004.spo-msedge.net




SYSVOL replication issue


Hi

We have two offices. The main office has a 2008 R2 primary domain controller and a 2008 R2 additional domain controller, and the branch office has a 2008 R2 RODC installed.

Now when we create a new GPO on the PDC, it is not replicated to the other two domain controllers. When I check the RODC SYSVOL folder, it has old policies only.

When I run DCDIAG on the RODC, the result is below.


C:\Users\Administrator.BR>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = AD01-RODC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: BR-TRICHY\AD01-RODC
      Starting test: Connectivity
         ......................... AD01-RODC passed test Connectivity

Doing primary tests

   Testing server: BR-TRICHY\AD01-RODC
      Starting test: Advertising
         ......................... AD01-RODC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... AD01-RODC passed test FrsEvent
      Starting test: DFSREvent
         ......................... AD01-RODC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... AD01-RODC passed test SysVolCheck
      Starting test: KccEvent
         ......................... AD01-RODC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... AD01-RODC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... AD01-RODC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... AD01-RODC passed test NCSecDesc
      Starting test: NetLogons
         ......................... AD01-RODC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... AD01-RODC passed test ObjectsReplicated
      Starting test: Replications
         ......................... AD01-RODC passed test Replications
      Starting test: Services
         ......................... AD01-RODC passed test Services
      Starting test: SystemLog
         ......................... AD01-RODC failed test SystemLog
      Starting test: VerifyReferences
         ......................... AD01-RODC passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : br
      Starting test: CheckSDRefDom
         ......................... br passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... br passed test CrossRefValidation

   Running enterprise tests on : br.local
      Starting test: LocatorCheck
         ......................... br.local passed test LocatorCheck
      Starting test: Intersite
         ......................... br.local passed test Intersite

Also, when we run DCDIAG on the PDC we see the same issue.

Please help me on this issue.

Thanks

Krishna

GPO Replication problem


Hello,

We have 3 domain controllers. 2 of them are in sync with GPOs.

DC1 and DC3 have 80 policies in sysvol folder.

DC2 has 85

The contoso.com policies folder contains 115 policies.

DFS is not reporting any error; I ran a health check which says everything is super.

Can you help me solve this issue?

If you need more info or something like that, let me know.

Thanks

MrGergely
