Channel: Directory Services forum

Changing the NAME attribute on the root domain properties


This is an example of one of the domains in our forest. What are the consequences of changing the name attribute on a domain itself, if any? Are there any services or anything that is tied to the Name attribute?

I want to be able to change this attribute so that I can pull the name that is easy for the techs to understand.

regional.mydomain.com

Thank you!

Paul


I need to pull the DisplayName from the domain properties


I am using Get-ADDomain -Identity my.domain.local (it's a domain in a forest) | Select-Object -Property *

However, the results are limited and I cannot see all the attributes.

Or, if that is not possible: I can see the name in the properties, but I don't know if changing the name would have any effect on the domain and its children at all.

Thank you for your assistance 

GPO for disabling client administrator accounts on my Domain.

Hi, I am attempting to disable the built-in local administrator accounts for all of my client PCs on the domain using group policy preferences. My domain runs Server 2012 and the computers I am trying to disable the local admin account on are Win 7 and 10 Pro. I have created the GPO through 'Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options' and then selected the option 'Accounts: Administrator account status' and set it to Disabled. (Assuming Disabled means to disable all admin accounts on the client computers within the domain.) I have linked the GPO to an OU with the PCs of my choice and enabled the link. In the scope I have added the machine group called Brandall that I am targeting. Under delegation I applied the policy to 'Domain Admins' and the machine group 'Brandall'. Authenticated Users is not added. I then raised the precedence of the GPO to '1' on the OU.

I then went to the client computer, ran gpupdate /force and rebooted. Once rebooted I ran 'gpresult /r' and it shows that the GPO has not been applied. However, when I run 'gpresult /r /scope computer' it shows that the policy has been applied. Sadly, when I check to see if the local administrator account on the client machine is disabled, it is not. I have tried multiple methods and nothing seems to work. What am I doing wrong?

Support analyst

Problem: Missing Expected Value with dcdiag


Hello all,

 

I'm hoping someone can help me out here. I am getting a few errors when I run dcdiag on one of my DCs (I have three DCs, by the way).

 

The first error is 'DC-01 failed test NCSecDesc', but I know that this is an error related to RODCs, which I don't run on my network. So I believe that this message is irrelevant.

I get a further two errors, which I've copied below. I'm running three W2K8 R2 DCs, yet I only receive this error on one of the domain controllers, which is also my FSMO and Schema Master.

I actually found this error as I was about to prep my AD for Exchange 2010 (this will be our first ever Exchange server).  So I don't want to ADprep until I know my AD is working well.

 

Any thoughts?

 

C:\Windows\system32>dcdiag /q
       

         Some objects relating to the DC JWC-DC-01 have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=NTDS Settings,CN=DC01,CN=Servers,CN=EHC,CN=Sites,CN=Configuration,DC=college,DC=CollegeName,DC=ac,DC=uk
             Base Object Description: "DSA Object"
             Value Object Attribute Name: serverReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            [1] Problem: Missing Expected Value
             Base Object:CN=DC-01,OU=Domain Controllers,DC=college,DC=CollegeName,DC=ac,DC=uk
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

         ......................... DC-01 failed test VerifyReferences

 

Thanks

LaszloPuskas

NTLM Kerberos Question


I have \\server\share that is accessed by the help desk. This share has several shortcuts pointing to other \\x.x.x.x\share locations at remote sites. Note the IP. It needs to be an IP: it's a remote site that has no DNS, and if the site loses its WAN the share needs to remain accessible longer than the DNS cache.

At random, the help desk will get an access denied for an IP\share. I know \\dns\share uses Kerberos and \\x.x.x.x\share uses NTLM.

If the help desk navigates to \\server\share and then \\x.x.x.x\share, sometimes it works and sometimes it does not. Why? Using Wireshark during the access denied I can see NTLM is not able to authenticate the user because there are "No Logon Servers". I do not understand the randomness of the issue.

How to keep the same both Active Directory servers in isolated network?


We operate two AD servers. I want to add one server to operate the same domain as necessary. However, unlike the two existing servers, the one network that will be added must be secure and isolated.

Assuming that the port needed for synchronizing AD between two networks should be blocked for security reasons, I would like to get your experience or technical knowledge of what method is best to use. Also, it would be better if you let me know the port that should be open at least when using the method.

If possible, please tell me the way to do it with a well-known tool or PowerShell.

Thanks a lot!

Cannot open advanced audit policy configuration


Hi Microsoft Team,

I am facing an issue with advanced audit policy configuration: I cannot create an advanced audit policy to audit object access and account management. Can anyone help me?

Remove this DNS zone -- DC demotion


Hi, 

I have 3 Domain Controllers:

DC-1: Windows 2012 R2 -- This is the first DC that was installed

DC-2 and DC-3 Windows 2016

I have moved all the FSMO roles from controller 1 to controller 2. Now I'm trying to demote DC 1, but in the "demotion" wizard, under "Removal Options", it asks me to check the option "Remove this DNS zone (this is the last DNS server that hosts the zone)". The "Next" button in the wizard won't activate if I don't select this option.

I'm afraid of selecting this option and end up with my DNS zones removed. Am I confusing something here? I'm not sure why I'm being asked to confirm this option even though my forest/domain has two other DCs. 

I even tried uninstalling the DNS role from DC-1, but the "demote" wizard still shows the same options. 

In the first page of the wizard, I am NOT selecting "Last domain controller in the domain". 

Any ideas?

Thanks


KERBEROS - reasons for getting KRB5KRB_ERR_GENERIC from KDC


Hello,

I am working on a flow with Kerberos constrained delegation.

I can get a TGT for the user trusted for delegation, and the flow immediately fails on TGS_REQ / TGS_RSP with KRB5KRB_ERR_GENERIC from the KDC.

What are the reasons that the KDC (running Windows Server 2012 R2) can return such an error?

Is there a recommended way to get related logs from the KDC for such an error?

AD Kerberos question


Hi All!

We currently run Microsoft Advanced Threat Analytics, and we quite often get the following error for Windows client PCs and ADFS servers:

Encryption downgrade activity
The encryption method of the ETYPE_INFO field of KRB_ERR message from x computers has been downgraded based on previously learned behavior.

I have been over this documentation here: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide and used their Aorato Skeleton Key Malware Remote DC Scanner tool, but found nothing.

I opened a ticket with Microsoft about this, and they believe it is due to the fact that these accounts haven't changed their passwords in a long time (a lot of them are old accounts for various strange purposes and VIPs that whinge about having to change their password - but lets not get into that, we are soon going to force them into line)

I am only slightly knowledgeable about Kerberos; I want to know the whys/whats/hows about it. Forgive me if I am wrong: I understand that your password is used to hash certain information and that is sent to the KDC, the KDC uses the hash of the password at its end to decrypt the message, and if it can, then your password is correct. So your password is never sent over the wire.

I'm assuming that because these accounts have their passwords hashed with some older cipher, the KDC tells the client to use an older cipher to encrypt the message, and this is why I am getting the error? Is that correct, and is that why Microsoft is asking me to change their passwords?

I have a few questions (assuming my assumptions are correct)

  1. I asked a user to change their password (via going ctrl+alt+del on their Windows 7 PC and clicking Change a password), however ATA was still picking up encryption downgrades for this user on both their Windows 7 PC and ADFS. Would the fact that they have previously negotiated lower encryption with the KDC cause the new password to still be hashed with a weaker cipher?
  2. I then changed the password for the user above via Active Directory Users and Computers (dsa.msc), and now I no longer get the ATA alerts when they log onto ADFS, but I still get them when they log onto their Windows 7 PC. Is there anything I need to do for the Windows 7 PC to ensure it uses the strongest cipher for this account?
  3. Is there any way for me to find out, by querying AD, what users have passwords that are hashed in an older cipher?
  4. When did Microsoft make this cipher change? What did they change their cipher from/to, and how can I enforce the stronger cipher? (I seem to be struggling finding this information)

Thanks all, I apologise for my ignorance!

Some notes:

  1. I can cause ATA to log the Encryption downgrade activity just by doing a failed logon to any computer / ADFS with the users that have really old passwords. (I assume this is because even though my password is incorrect, it is hashed using a superior cipher, and the KDC still needs to negotiate a lower cipher with the client.)
  2. The computer accounts all have msDS-SupportedEncryptionTypes set to 28 (0x1C).
  3. Please do not reply and ask me to submit my question to the ATA forums, I submitted this question there some time ago and got no response, this question relates mainly to Kerberos.
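An added PowerShell example, not from the post above: it decodes the 28 (0x1C) value from note 2 into its flag names and, for question 3, lists enabled users whose password was last set before a cutoff date. The cutoff date, the ActiveDirectory (RSAT) module and the flag-name table are assumptions; AES Kerberos keys only exist for accounts whose password was set after the domain supported AES (Windows Server 2008 domain functional level), so older passwords leave the KDC with RC4 only.

```powershell
# Added example (not the poster's code). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Documented bit values of msDS-SupportedEncryptionTypes.
$EtypeFlags = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128_CTS  = 0x08
    AES256_CTS  = 0x10
}

function ConvertFrom-SupportedEncryptionTypes {
    param([int]$Value)
    # Returns the flag names set in $Value; 28 -> RC4_HMAC, AES128_CTS, AES256_CTS
    $set = foreach ($name in $EtypeFlags.Keys) {
        if ($Value -band $EtypeFlags[$name]) { $name }
    }
    if (-not $set) { 'not set' } else { $set -join ', ' }
}

ConvertFrom-SupportedEncryptionTypes -Value 28   # the 0x1C value from note 2

# Assumed cutoff: the date the domain functional level reached 2008 or later.
# Accounts whose password predates it were never issued AES keys, so the KDC
# can only use RC4 for them, which is the downgrade ATA reports.
$Cutoff = Get-Date '2010-01-01'   # constructed placeholder, set to your own date

Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.pwdLastSet -ne 0 -and [DateTime]::FromFileTime($_.pwdLastSet) -lt $Cutoff } |
    Select-Object SamAccountName,
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } },
        @{ n = 'SupportedEtypes'; e = {
            ConvertFrom-SupportedEncryptionTypes -Value ([int]$_.'msDS-SupportedEncryptionTypes') } } |
    Sort-Object PwdLastSet
```

A password change (as the poster did through dsa.msc) generates the AES keys for the account; the listing shows which accounts still need one.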

create a banned password list


Hello, 

We have a client with a problem with weak passwords. Currently the complexity level is 3/4, but it is not enough, and we would like to create a banned password list in order to forbid passwords like 123456aA.

How can we do it using AD?

Thank you in advance

Golan

 

Upgrade 2008 R2 to 2016 with 2012 R2 Domain & Functional Level


Hi,

I'm seeking to understand whether the following scenario is a supported / recommended / possible upgrade path for AD DS.

We currently have a 2008 R2 domain (native) with around 20 domain controllers in a single domain forest. Due to potential issues with third party application compatibility we're not ready to jump straight to a 2016 functional level, but is it possible (and sensible?) to migrate all domain controllers to the Server 2016 OS, but only upgrade the schema and functional levels (domain and forest) from 2008 R2 to 2012 R2?

Thanks

Tony


Create WMI User with non admin privilege


Dears,

Can anyone help me create a WMI user with non-admin privileges? The user should be able to scan all Windows computers and read all information from domain computers.

If you can, please provide me the steps or a PowerShell script!

Domain Controller windows 2012 R2

Thanks,


adprep /forest prep error when upgrading from 2012R2 to 2016


[2018/10/18:11:31:10.528]
ERROR: Import from file D:\support\adprep\sch78.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20181018113106\ldif.err.78.



If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.
[2018/10/18:11:31:11.559]
ERROR: The directory service refused the request for schema upgrade: 52 (Unavailable)



If the error code is "Insufficient Rights", make sure you supply a user who is a member of the schema admin group.
[2018/10/18:11:31:11.591]
Adprep was unable to upgrade the schema on the schema master.

[Status/Consequence]

The schema will not be restored to its original state.

[User Action]

Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20181018113106 directory for detailed information.
[2018/10/18:11:31:11.606]
Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20181018113106 directory for more information.

Entry DN: CN=Expiring Group Membership Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=corp,DC=xxxxxx,DC=com
Add error on entry starting on line 11: Server Down

An error has occurred in the program


Event 2887 "performed without SSL/TLS:" vs "performed without signing"


Hello,

I have been using MS ATA to find systems and apps making clear text LDAP connections to our domain controllers and have reconfigured them to use SLDAP / port 636. I have the clear text connections down to zero, but the count for "performed without signing" is showing several thousand. (This is from event 2887 in the Directory Service log.) I want to set the GPO mentioned in this article: https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

My question is could I break anything? No one is using clear text anymore but there are a ton of non-signed connections. Can I block one and not the other? Thanks!

Number of simple binds performed without SSL/TLS: 0

Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 3267
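An added PowerShell example, not from the post above: event 2887 only gives the two counters shown, so before enforcing signing a defender would identify which clients and accounts make the unsigned binds. Raising the "16 LDAP Interface Events" diagnostic level on a DC makes it log event 2889 per bind; the script then summarizes those events by client and identity. It assumes the 2889 event's property order follows its message template (client IP:port, identity, binding type) and that it is run with administrative rights on the DC.

```powershell
# Added example (not the poster's code). Run on a domain controller as admin.
$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Level 2 makes the DC log event 2889 for every unsigned or clear-text bind.
Set-ItemProperty -Path $DiagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

function Get-UnsignedLdapBindSummary {
    param([int]$Days = 1)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed field order from the 2889 template:
        #   [0] client address as ip:port, [1] identity bound as, [2] binding type
        [pscustomobject]@{
            Client   = ($_.Properties[0].Value -replace ':\d+$', '')
            Identity = $_.Properties[1].Value
            BindType = $_.Properties[2].Value
        }
    } |
        Group-Object Client, Identity |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Client';   e = { $_.Group[0].Client } },
            @{ n = 'Identity'; e = { $_.Group[0].Identity } },
            @{ n = 'BindType'; e = { $_.Group[0].BindType } }
}

# Let the DC collect for a day or more, then list the top offenders.
Get-UnsignedLdapBindSummary -Days 1

# Once the clients are reconfigured, return the diagnostic level to default:
# Set-ItemProperty -Path $DiagKey -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```

The Directory Service log fills quickly at level 2 on a busy DC, so collect only as long as needed and reset the level afterwards.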

How to prevent an AD service account from deleting AD objects it creates?


I am running Windows 2012R2 and have an AD service account that creates ServiceConnectionPoint (SCP) objects in a container. By default when it creates these objects it has "Full Control" rights on them and is able to therefore delete them. I want to prevent the service account from being able to delete these objects. The service account does not have domain admin rights or AD elevated privileges.

I delegated the "Deny" right to "Delete" and "Delete subtree" on the container and all descendant objects, to the service account, but that does not work. Any suggestion on how to achieve my objective?

Domain Renamed, but GPO links still point to old domain name


As per subject, I used the rendom procedure to rename my domain. That all seemed to go ok.

However, checking group policy on a domain controller reports all GPO links as "Not Found", and I can see in the details of the broken link that they are pointing to the old domain name, which no longer exists.

The GPOs themselves are still there; it's just the links that are broken. Is there a way to fix this?

I tried running gpfixup /olddns:oldname.com /newdns:newname.com, but it crashes out with an NT5DS error of 80070057 "The parameter is incorrect".

I tried doing a manual search and replace via the registry, and as far as I can see I have replaced every single reference to the old domain with the new one, but it hasn't updated the paths in the GPO links. I guess they aren't in the registry?

Any ideas how I can fix the links?

Kerberos Delegation with batch file.


We have a batch file on a server (Server B) that runs an executable that makes calls to a SQL server (Server C) and a file server. We would like to invoke the batch file from a third server (Server A) but are running into the Kerberos double hop issue. I would prefer not to use CredSSP.

I'm able to successfully access the file server but get "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" from the SQL server. I know in a typical double hop scenario the first hop would be something like a web server and I could configure KCD on the web server service account to the SQL server service. But in this case there is no web server, so there is nothing to create an SPN on and no service account to configure for delegation.

I got it to work by setting Trust this computer for delegation to any service (Kerberos only) on Server B but that is unconstrained and not an acceptable solution. I also tried using Trust this computer for delegation to specified services only on Server B and adding the SPN for the SQL service on Server C but that didn't work.

So is there a way to make this work securely without a service account and SPN on server B to set the delegation on?

Thank you.


Kenny

Some DNS requests timed out on the client, but worked on DC


I have a weird problem. When I do an nslookup on this particular domain name, it shows timed out on my Windows 10 client and I can't access this website, but if I log onto the DC/name server, DC02, it works just fine.

All other websites work just fine.

Any suggestion as why this is happening and how to resolve this?

On the client: 

C:\Users\JSMITH>nslookup p2energysolutions-my.sharepoint.com
Server:  dc02.company.com
Address:  172.16.9.212

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to  dc02.company.com timed-out

On the DC02

C:\Users\JSMITH_da>nslookup p2energysolutions-my.sharepoint.com
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
Name:    spo-0004.spo-msedge.net
Address:  13.107.136.9
Aliases:  p2energysolutions-my.sharepoint.com
          p2energysolutions.sharepoint.com
          prodnet10511-10480edgea0000.sharepointonline.com.akadns.net
          prodnet10511-10480a0000.sharepointonline.com.akadns.net.spo-0004.spo-msedge.net
