Channel: Directory Services forum
Viewing all 31638 articles

Cross realm Kerberos and SPN


Hello, I set up 2 domains with a bi-directional trust relationship: domain1.com and domain2.com.

When I try to authenticate using user@domain1.com accessing resource.domain2.com (I'm using winrm to test)

Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM Win32_ComputerSystem" -ComputerName resource.domain2.com -Authentication Kerberos -Credential user@domain1.com

I'm getting the following error. When I try to do that using user@domain2.com, everything is OK.


Get-WSManInstance : An unknown security error occurred.
At line:1 char:1
+ Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WSManInstance], COMException
    + FullyQualifiedErrorId : Exception,Microsoft.WSMan.Management.GetWSManInstanceCommand

Get-WSManInstance : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858909"
Machine="kitchen-unit"><f:Message>WinRM cannot process the request. The following error with errorcode 0x80090322
occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.</f:Message></f:WSManFault>
At line:1 char:1
+ Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (wmi/root/cimv2/*:Uri) [Get-WSManInstance], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.GetWSManInstanceCommand

I think that something is wrong with the SPNs, but I have not found how SPNs should be configured for cross-realm authentication.

Should I create SPNs on the computer account within domain1.com?



How to check LDAP version on domain controller


Hi,

I am in a situation where I need to check which version of LDAP (2 or 3) is used in my domain.

Can anyone suggest how to check it?

Thanks

Notes field in AD


With read/write access granted to the "Notes" field in the Telephone tab of Active Directory, the data entered into the field is not visible after entry for those granted only read/write. Those granted Create/Delete User objects, however, can see it. Is there a way to grant permissions without having to give Create/Delete User objects? This is on Windows Server 2008 R2, if that helps any.

wrong fsMORoleOwner


The fsMORoleOwner attribute value of my CN=infrastructure,DC=ForestDnsZones,DC=XXX,DC=XXX is wrong. What value should I set?

The fsMORoleOwner attribute value of my CN=infrastructure,DC=XXX,DC=XXX is right, but I cannot set the fsMORoleOwner attribute value of CN=infrastructure,DC=ForestDnsZones,DC=XXX,DC=XXX. The error is

Can you help me?


...

Verification of prerequisites for Active Directory preparation failed. The specified user is not a member of the following groups: Enterprise Admins group. !!!! but it is


I am trying to upgrade to DC 2012.

I get this error:

Verification of prerequisites for Active Directory preparation failed. The specified user is not a member of the following groups: Enterprise Admins group.

But I use the Administrator user, which is a member of Enterprise Admins.

Help please.

[2018/11/17:15:05:07.325]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20181117150507-test\ADPrep.log'
[2018/11/17:15:05:07.325]
Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.
[2018/11/17:15:05:07.330]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.332]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.332]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD2018-1,CN=Servers,CN=Shalgham,CN=Sites,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.333]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.333]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.333]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.334]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.335]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.335]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD2018-1,CN=Servers,CN=Shalgham,CN=Sites,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.335]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.346]
Adprep discovered the schema FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.350]
Adprep connected to the schema FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.350]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.351]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.351]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2018/11/17:15:05:07.351]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.352]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.352]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.353]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2018/11/17:15:05:07.353]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.354]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.357]
Adprep discovered the Infrastructure FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.360]
Adprep connected to the Infrastructure FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.360]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.361]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.361]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2018/11/17:15:05:07.361]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.361]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.361]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.362]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2018/11/17:15:05:07.362]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.362]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.384]
Adprep successfully logged on to the local machine using the specified credentials for network connections.
[2018/11/17:15:05:07.384]
Adprep successfully made the network connection to the Active Directory Domain Controller AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.406]
Adprep successfully stopped using the specified credentials for network connections.
[2018/11/17:15:05:07.406]
Adprep successfully closed the network connection to the Active Directory Domain Controller AD2018-1.Shalgham.lo.com.

setspn fails for fqdn query


If I query the hostname I get results, but if I include the domain I get these errors:

PS C:\Windows\system32> setspn -L sub.domain.ad
FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Could not find account sub.domain.ad

PS C:\Windows\system32> setspn -L machine.sub.domain.ad
FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525

PS C:\Windows\system32> setspn -L sub
FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Could not find account sub


I realized this when I was doing an installation of an SQL-based app and had to set the SPN with the hostname manually, because it was failing to set it with the domain FQDN as per the script (SkypeFB).

At present I don't have any problems with dependent applications, but I'd like to be able to query at least.

I couldn't find much by searching the error code.

Apply MS Security Baseline for Windows 2016 settings with server in Workgroup


Hi

Can we apply the MS Security Baseline for Windows 2016 to servers in a workgroup?

Also, how does user account / credential security compare in a domain environment vs. a workgroup environment? We are being asked to remove our backup server (backing up data to a locally attached LUN and also duplicating to tape) from the domain and keep it in a workgroup. We are checking all the concepts from a security point of view before making this change.

Thanks in advance



LMS

Traces of Decommissioned DC


Hi,

We decommissioned one of our Windows 2012 R2 DCs a few months ago and now we need to use the same name and IP address of that DC to prepare a new one. Is there a tool that can help find whether there are still any traces of the decommissioned DC in our main DC, or should it be checked manually? If a manual process is required, what is the correct procedure?

Thanks.


Accounts get AD locked constantly


Hello everyone, I have opened a discussion about accounts being locked constantly.

At that point I was on my annual leave and I was unable to respond to all the kind messages.

So basically, yesterday I was granted access to AD Audit Plus and have set a few parameters to filter for one user who is getting locked 4-5 times per day. Below are the queries she's trying to do.

It seems that the domain is constantly asking for a password? I was on her machine and cleared all of her passwords, and yet this one is showing up in the audit log.

Is it possible to explain how this is done and whether there is a way to stop the domain from querying her?

Active Directory services error


Dear Team,

This is Sateesh here. Whenever we try to make changes to group policy on Windows Server 2008 R2, we get the error popup below on screen.

Error popup: Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continue.

The process cannot access the file because it is being used by another process (Exception from HRESULT: 0x80070020).

Note: after clicking Continue, the policy is still not applied. Please help me resolve this.




Server 2012


Dear All,

In my organisation, Windows Server 2012 is configured with Active Directory. Client computers are Windows 7, Windows 8 & Windows 10.

For the last week almost all the client computers have been giving the error "the trust relationship between this workstation and the primary domain failed". For the time being I am disjoining them from the domain and rejoining. It works for a couple of days & after that I get the error again. It's not possible for me to go to each & every location to troubleshoot it.

My concern is why this is happening so frequently & how to solve it permanently.

Please help, as I am in a very difficult situation.

Regards,

Thomas 



Maximum password age --impact


Hi guys 

I'm going to implement the default domain password policy in our AD prod environment. We haven't set any password policy before.

The question is: assume we set the max password age to 90 days. Would the setting ask our current domain users to change their password immediately at next logon, since most of their passwords are older than 90 days?

Or is the password age calculated only from when we applied the policy?

Thanks

Jacky 

couldn't move all FSMO roles


hi,

I want to move all FSMO roles to the 2nd DC so that the 1st DC, which holds all FSMO roles, can be decommissioned from the environment, but when I go to change the operations master role it won't display the 2nd domain controller. Same in Schema.

Export AD Users


Hi Experts

I want to export the user info below from AD. Please help me with a shell command.

Display Name 
SAM Account Name 
when created 
last Logon Time 
Account Status 
Email Address 

Active Directory extensible match


Hello, All!

How can I find users in some OU in the domain when the bindDN is the root of the domain?

As far as I understand, I must use https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_DN_WITH_DATA for this.

I'm stuck at creating the filter. My variant is:

(Common-Name:1.2.840.113556.1.4.2253:=S:4:myou:dc=td,dc=local)

What must I use in place of "Common-Name"?

What must I use in place of "S:4:myou"?

I will be glad for any information related to this issue.



DC on remote site across VPN


Hi

I have set up a new AD site in Azure to authenticate O365 users via ADFS. There is 1 DC, 2 ADFS servers and 2 WAPs. The fact that the servers are in Azure doesn't matter. There is a VPN connecting to the on-premises network with the rest of the DCs, which hold the FSMO roles.

The point of having this in Azure is to ensure ADFS still works in the event of a disaster in our HQ. The thing is that when the VPN goes down, ADFS only works for a few hours and even the DC stops working. The DC is a GC and has localhost as its primary DNS server. So do the ADFS servers, and I am sure they use the closest DC to authenticate.

I checked the tombstone lifetime and it is not set. So I don't know why the DC stops authenticating. Any clue?

Event 11 The KDC encountered duplicate names while processing a Kerberos authentication request. (of type KEY ID)


I have recently migrated a Windows 2012 R2 DC to Windows Server 2016. Afterwards I started noticing a series of this particular error.

Log Name:      System

Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center

Date:          11/27/2018 9:24:24 AM

Event ID:      11

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      BBL-DC-CDC01.bd.bracbank.com

Description:

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 (of type KEY ID). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 in Active Directory.

Event Xml:

<Event xmlns="">

  <System>

    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />

    <EventID Qualifiers="49152">11</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>0</Opcode>

    <Keywords>0x80000000000000</Keywords>

    <TimeCreated SystemTime="2018-11-27T03:24:24.310757900Z" />

    <EventRecordID>3984</EventRecordID>

    <Correlation />

    <Execution ProcessID="0" ThreadID="0" />

    <Channel>System</Channel>

    <Computer>BBL-DC-CDC01.bd.bracbank.com</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="Name">D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763</Data>

    <Data Name="Type">KEY ID</Data>

    <Binary>

    </Binary>

  </EventData>

</Event>

I have been struggling with this error for the last few days. Even though Event 11 is a very common error and there are clear instructions on how to mitigate the error, they fail to address my specific scenario.

All the solutions I have found so far relate to "Type DS_SERVICE_PRINCIPAL_NAME", but mine is "Type KEY ID". Basically this error says that the KDC encountered duplicate names and then spits out a large hexadecimal string rather than telling me which SPN is duplicated. Therefore, it's difficult to solve the issue with the "setspn" cmdlet.

I'm an amateur when it comes to Windows Server Active Directory, so any help is highly appreciated. Thanks.

Standalone Root CA - migration with different name


Hi all,

I need to demote & remove my old internal standalone Root CA (an old Windows 2k8 R2 server) and replace it with a brand new W2016 server.

The new server cannot be given the same name as the old one, so I just need to know which steps I should take in order to avoid any client issues.

My environment: W2k8 R2 domain

The standalone Root CA is a domain member server (not in a workgroup!).

I also have an Enterprise Root Certificate Authority server (sub CA), which is obviously bound to the standalone Root CA.

Any ideas?

Deleted/Recreated ADUC User, Drive Mapping Fails


I recently deleted my user account from ADUC and recreated it (with the same user name). The Group Policy should automatically map the drives, and it did, for one of them. When I look at a GP result it tells me that all of the drive mappings were a success. I tried manually mapping the drives but I get an error, "The network folder specified is currently mapped to a different user name and password...first disconnect any existing mappings to this network share."  I have a hunch it's my old account that's blocking me.

A few things to note:

- All 3 folders I'm attempting to connect to (including the one that is successful) are on the exact same file server.

- Running the net use command, I only see a connection to the one share that's currently visible.

- I went to the "C:...AppData/Roaming/Microsoft/Windows/Network Shortcuts" folder on my old account to make sure there wasn't anything listed.

- WMIC useraccount get name,sid verifies that the old SID isn't lingering around on the domain.

- The old account wasn't deleted from the computer prior to making the new one so under users I now show as [username.domain] rather than just username.

Do I need to completely delete the user account from the C: of the local machine or is there some way to view/manage mappings from the File Server itself?

Last logon time stamp not showing


Windows 2008 R2 domain controller

How can I resolve this problem? Last time, LastLogonDate was showing. I need to check who last logged on over 90 days ago.

Search-ADAccount -UsersOnly -SearchBase "ou=Users,ou=bo,dc=dat,dc=com" -AccountInactive -TimeSpan 90.00:00:00





