Support analyst

Hi team,

We have two domain controllers in the HO site running Windows server 2012 R2. We're in the process of upgrading the environment to WS 2016. We have completed one server and one is remaining.

The decommissioning process includes

• Decommission of DC
• Re-formatting
• Promoting the fresh server to be DC

Currently one server we have done the above to bring it to 2016. One server is remaining.

I would like to clarify the below;

1. Currently keytab files are created for several 3rd party applications. What would be the impact if we decommission the last WS 2012 R2 server?
2. Will there be any impact on kerberos certificates or any related? Do we need to backup or reconfigure it or anything?

Thank you.
Jude.

In our corporate network we have a situation of conflicting interests between not very polite admin and privileged users.

The admin often renews annoying policies, like forced reboot, and updates.

Engineers are given local admin authority for fulfilling their tasks by maximum. We would not even need an admin, but we need an AD, and resource authorization, so there is admin attached to it.

So, like it happens with perfectionists distanced from real work, this admin often injects some parasitic policy, resulting in unexpected loss of data, panic, and general loss of development performance.

As local admins, we are given a right to fix such sabotage locally. But the problem, that the admin is a sneaky guy. He stabs you with a knife unexpectedly, when you are editing the data in 15 windows, and don't have time to save everything.

What I want is looking for any administrative access from the domain controller, that makes any changes. Then trigger a batch execution with such event, throwing an alert in the tray.

But how can I distinguish admin logins, and online policy updates from AD server, among other network logins to my system. Like logins from simple SMB browsers of coworkers' stations? Is it possible? using a cmd, or PS script?

Hi

I'm trying to create a new child domain (F) in a mixed 2012R2 / 2016 DC environment best pictured as follows

DCPROMO.LOG on the server shows the following and I'm struggling to find any relevant information for a fix

-----------------------------------------

------------------------------------------

All sensible suggestions gratefully received

Thanks

I purchased a workstation from my employer when I retired.  It was a member of a domain but never removed from that domain. One of the group policies is to disable wifi. How can I get rid off all the old policies when there is no access to a DC and there are no domain accounts on the workstation.  It is intended for my home and cannot access the internet without wifi.

Thanks

HI,

What is the benefit If  I add  client pc name to AD  prior to joining to the domain 

Thanks 

Hi,

I have a forest with 1 domain which has 3x domain controllers running on 2008 forest\domain functional levels.

I need to have a two way trust with another forest with 1 domain which has 1x domain controller running on 2012R2 forest\domain functional levels.

I have set up all the DNS, everything is pingable.

When I try to set up the two way forest trust I get the following error at the end of the wizard:

Cannot Continue

The trust relationship cannot be created because the following error occurred:

The operation failed. The error is: The request is not support.

Any ideas what could be wrong?

Thanks

We have three sites in active directory domain site and services. One of sites domain controllers were not marked as Global Catalog.  We have marked them as GC in NTDS settings. 

However, if I connect through LDP then the paramater is still GlobalCatalogReady: FALSE;   I am not sure how can mark it forcefully. Can any one please guide.

If I Run the command REPADMIN /SHOWREPL then it shows given below message. 

Hi,

Using msds-memberoftransitive attribute to get direct and transitive(nested) group membership of users. Would like to know if anyone there using it and any limitations with using msds-memberoftransitive attribute?

Comparing with nested group search control "member:1.2.840.113556.1.4.1941", msds-memberoftransitive is quite fast. Other way, any limitations Or disadvantages with msds-memberoftransitive attribute?

Question could be too generic, but looking at responses from others experience.

As these are two different approaches, any recommendation on when to use which approach?

Thanks,

Lokesh

I want to be able to grant rights to 2 people in the HR department to be able to modify the following fields in AD (I am using Delegate Control wizard):

General tab:

First name/Display name/Description/Office/Telephone number

Address tab:

Street/P.O. Box/City/State province/Zip Postal Code/Country region

Telephones tab:

Home/Pager/Mobile/Fax/IP phone/Notes

Organization tab:

Job Title/Department/Company/Manager/Direct Reports

note 1:  If I use .qds file (dsquery, OpenQueryWindow) on their desktop. Everything but the assign a "Manager" field is working. They need to be able to assign a Manager.

note 2: If I use the mmc snap-in for Active Directory Users & Computers. Everything works but, its too much access. They would be able to add/remove Users.

How can I over come this?

Tommy

Hello, can someone please help me with the following question, thanks in advance

I have a LAB setup with a forest root domain  Forest-Root.pri

I then have a new Tree (rather than a direct child domain) under this forest root called

MyDomain.pri

The fact the forest has a 'tree' (with a different domain name than the forest, which is a supported design) may or may not be relevant to my question, but I thought I would point it out in case it was

I wanted to recreate the top level _msdsc DNS zone e.g. the one that lives directly under the 'Forest lookup zones' folder (just under the DNS Server name in the console) so I following the article at the following URL

http://itcalls.blogspot.com/2011/11/active-directory-integrated-dns-zone.html

Once I deleted the zone , I recreated it  and then restarted DNS and NetLogon service

after I restarted these two services 'two' SRV records were automatically created under the _msdsc zone namely the following two records

Start of Authority (SOA)
Name Server (NS)

Question 1:

I thought/think there should be more than just these two srv records under this zone ?

(unfortunately I forget to check which records were their before deleting, as only a LAB and I was trouble shooting a sync issue)

The reason I think their should be more records under this zone is because under the forward lookup zone for the domain itself e.g. 

_msdsc.Forest-Root.pri

There are lots of srv records e.g.   dc, domains, gc, pdc

Can anyone help me with the above question please.

Thank very much

CXMelga

Hello, I'm preparing for the 70-640 exam.  In attempting to redirect the default domain computer OU, I entered the command redircmp "CN=CLIENTS,DC=contoso,CD=com".  I get the error -unable to modify the wellKnownObjects attribute.  Verify that the domain functional level of the domain is at least windows Server 2003.

I have verified that the forest and domain functional level are 2008 R2.

I cannot find any suggestions in any threads other than removing "protected from deletion" check box in objects tab of advanced view properties of the target OU (this does not fix the error in my case).  Any other suggestions?

Hello,

I would like some help with mapping network drives for multiple users via group policy that are all in pre-organised security groups. 

I have seen a few posts/videos, documents on how to map via group policy but how do we apply it to specific security groups?

For example we have two security groups with:

HR - 10 users

MARKETING - 20+ users

I want it to apply to alone those groups, with those specific users inside those groups.

Thank you - *I have a looked a several posts, and other resources before posting.

Hi

we deployed server and domain name is same as email server name (email is hosted to cloud)

not users are not able to access email via web access. outlook working only with POP3 and SMTP ip address 

if mention server name in outlook that is also not working.

e.g   our domain name is abc.com and email also abc.com:8880 

pop3 - mail.abc.com

smtp - mail.abc.com

now where need to update any record or any thing.

kindly guide 

Arvind

Dear All,

Since a few weeks (after some adjustments in SCOM) we receive several alerts on Azure AD Connect Servers (different tenants) regarding a certificate warning.

Apparently Azure AD Connect uses/generates this certificate. Certificate information:

Issuer: Microsoft PolicyKeyService Certificate Authority
Validity Period: 2 years
Hashing algorithm: SHA512

On the Certification path tab it shows "The issuer of this certificate could not be found", which causes the SCOM alerts. I presume this is a self signed certificate, since it's the only item in the chain on the cert path tab.

If somebody could enlighten me with what purposes this certificate is serving, and how to resolve the warning?

Thanks in advance!

Nichola

Hi

I have 3 DCs (A-B and C) Windows 2012 R2 in same site. I download ADMX (office 2016,2019 and Office 365)

- Extract files

- Copy on server A, all ADMX in folder C:\Windows\SYSVOL\sysvol\capitaledev.local\Policies\PolicyDefinitions (Acces16,excel16, lync16,ppt16,office16, onent16,outlk16,proj16,pub16,word16) and copy ADML in C:\Windows\SYSVOL\sysvol\capitaledev.local\Policies\PolicyDefinitions\en-US.

On server A, no problem, but when i go on server B and C, i view only outlk16, office16,ppt16,and Word16, Why? not replicate all ADMX?

I try in my lab with a same 3 DCs, no problem?

Thanks

Hello there,

we have an issue since beginning of August where Active Directory accounts are being locked - not always the same accounts. It really seems to appear randomly. So far these accounts having nothing special specific attribute or group or whatever in common. I mean nothing that seperates them from the accounts not beeing locked.

Google provided me a script which offers me time, username, hostname and IP of machine where the lock happened. (gathers the DCs Eventlog and searches for EventID 4771 (Kerberos Preauthentication failed)) But it does not get me any further. Find nothing helpful in eventlog of these machines where the lock happen.

Activated gpo so that attribute msDS-FailedInteractiveLogonCount is counted and I monitor it with netwrix. On "special days" e.g. yesterday several accounts raised one higher other days nothing happens.

Researched the process which is responsible: svchost.exe -k netsvcs -pBut does it help me getting the program which leads to this behaviour? Could be several things according to google e.g. Task Scheduler. We don't push scheduled tasks to the machines with maybe outdated password and on the machines I researched no suspicious task could be found.

I have started performance monitor according to this link (we did not have any domain migration but I gave this link a try to monitor kerberos activities)

https://blogs.technet.microsoft.com/askpfeplat/2013/12/15/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers/

In this report even two locks actually happened. But it is a really large file. Although it seemed to work I did not find anything helpful again. No question: maybe I have been searching wrong - that's why I am writing...surprise.

I hope I could summarize everything I did. Maybe some help to get a new trace which leads us to the mole?

Everything in general I find at google is more like some service using an old password to login..but on machines of so many users? And even if and we push it out via gpo, why not all users then? So I am lost...

We have Windows 2012R2 Domain and DCs. Clients are Win10 Enterprise 1803.

If you need more information, please ask. Tried to make it as short as possible with all "helpful" information I have.

Thanks for your help.

Hello

I have a colleague who is experiencing problems with getting the  Remote Server Administration Tools in his windows features. We have followed the installation proccess for RSAT windows 10, and everything goes smoothly. However, after the required restart, active directory does not show up when searching for it.  When trying to enable RSAT in Windows features, there is no "Remote Server Administration Tools". When searching for a solution, it was suggested to delete the english language package and reinstall it. This did not solve the issue. Active directory isessential for some work tasks, so we really need to solve it.

Kind regards

Hakan

Hi all,

I'm currently designing a DTAP environment for one of my customers.

For those who do not know, I'll quickly describe what that is: DTAP stands for Development, Testing, Acceptance and Production. It basically means we have 4 seperated networks for each environment where developers start creating software in theDevelopment VLAN, then once they are happy with what they have made, move it to aTest VLAN where testers test the *** out of it. Once they are happy the product is moved to the Acceptance VLAN which is an exact replica of theProduction VLAN. Once everything is working fine in the Accpentance VLAN the product is eventually moved toProduction.

In addition to that there is also an Administration VLAN that has a limited form of connectivity to each DTAP VLAN so that admins can manage the systems in each VLAN. (patches, group policies, anti-virus etc.)

The essense here is that each VLAN has as little connectivity with the other VLAN's as possible.

Here's my dilemma: to simplify matters for the administrators I want to use as few AD domains as possible, preferrably even just one that spans all the VLAN's! You can imagine that for this to happen a number of firewall ports need to be opened between the VLAN's so that AD replication, WSUS, GPO's etc are working fine. 

I have already found some articles on that, namely:

http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

and

http://support.microsoft.com/kb/224196

I am however at a loss finding more information on how other people have tackled this problem, and possibly some best practices. I'm specifically worried about any dynamic port ranges I might need to open on each firewall between each VLAN. (as mentioned: I want as little connectivity between the VLAN's a spossible, and opening some port ranges kind of messes that up ;-)

Who has experience with such a DTAP environment and a single (or a little as possible) AD domains and has knowledge they can/want to share?

When promoting a Windows Server 2016 to DC, adprep fails with an error that an attribute or value already exists.

The DN is CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>.

Forest and domain functional level is Windows Server 2008 R2, Exchange 2010 is also present in the domain. The result is the same if performed on the new-to-be DC implicit via Install-ADDSDomainController or directly on the schema master.

Here is the output from adprep:

PS C:\Temp\support\adprep> .\adprep.exe /forestprep

ADPREP WARNING:

Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or lat
er.

You are about to upgrade the schema for the Active Directory forest named '<domain>', using the Active Directo
ry domain controller (schema master) 'dc1.<domain>'.
This operation cannot be reversed after it completes.

[User Action]
If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by
typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.


c

Current Schema Version is 86


Upgrading schema to version 87


Verifying file signature
Connecting to "dc1.<domain>"
Logging in as current user using SSPI
Importing directory from file "C:\Temp\support\adprep\sch87.ldf"
Loading entries.
Add error on entry starting on line 1: Attribute Or Value Exists
The server side error is: 0x2083 The specified value already exists.
The extended server error is:
00002083: AtrErr: DSID-031513D7, #1:
        0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72

0 entries modified successfully.
An error has occurred in the program
ERROR: Import from file C:\Temp\support\adprep\sch87.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\201
61125155706\ldif.err.87.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write
 objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forest
prep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.


Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20161125155706 directory for detailed information.


Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20161125155706 directory for more information.

The referenced ldif.err.87 file:

Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>
changetype: modify
Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

Add error on entry starting on line 1: Attribute Or Value Exists

The server side error is: 0x2083 The specified value already exists.

The extended server error is:

00002083: AtrErr: DSID-031513D7, #1:
	0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72


An error has occurred in the program

The referenced ldif.err file:

Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>
changetype: modify
Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

Add error on entry starting on line 1: Attribute Or Value Exists

The server side error is: 0x2083 The specified value already exists.

The extended server error is:

00002083: AtrErr: DSID-031513D7, #1:
	0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72


An error has occurred in the program

Can anyone shine some light into this matter and what to do?

Searching the internet I could not find anything resembling this.

Thanks a lot for any input!