Hello, I setup 2 domains with a bi-directional trusted relationship: domain1.com and domain2.com .

When I try to authenticate using user@domain1.com accessing resource.domain2.com (im using  winrm to test)

Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM Win32_ComputerSystem" -ComputerName resource.domain2.com -Authentication Kerberos -Credential user@domain1.com

Im getting following error. When I try to do that using user@domain2.com, everything is ok

Get-WSManInstance : An unknown security error occurred.
At line:1 char:1+ Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo          : InvalidOperation: (:) [Get-WSManInstance], COMException+ FullyQualifiedErrorId : Exception,Microsoft.WSMan.Management.GetWSManInstanceCommand

Get-WSManInstance : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858909"
Machine="kitchen-unit"><f:Message>WinRM cannot process the request. The following error with errorcode 0x80090322
occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.</f:Message></f:WSManFault>
At line:1 char:1+ Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo          : InvalidOperation: (wmi/root/cimv2/*:Uri) [Get-WSManInstance], InvalidOperationException+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.GetWSManInstanceCommand

I think that something wrong with SPNs, but I have not found how SPNs should be configured for cross-realm authentification  

Should I create SPN's on Computer Account withing domain1.com?

how to export All computer list with operating system from AD and all attributes like disable or enable and OU location also?

I have tried with dsquery below but status is not showing there.

dsquery * -filter "(objectCategory=computer)" -attr name operatingSystem

Greetings,

  I have a script that tracks group membership changes. I recently converted it to using USN to make it more efficient. It works fine for most groups using:

$rep = Get-ADReplicationAttributeMetadata -Object $Group.objectguid -Server $dc -ShowAllLinkedValues |
            where {$_.AttributeName -eq 'member' -and $_.LocalChangeUsn -ge $previoushighestusn}

 However for the odd group that has clearly had membership changes, the member attributename does not exist in the replication metadata at all. Our DCs are 2012 and I ran a script some time back to convert all legacy groups. The groups that appear to have missing metadata seem to be groups that are created and then have members added soon after creation.

  So it appears the attributename 'member' can not be relied upon to track all groups membership changes.

  Anybody seen this?

Thanks

David Z

In the process of migrating DCs to new hardware. I have 2 - Windows 2008R2 DCs on older servers, 1 - 2012R2 VM DC on HyperV, and 1 - Windows 2012R2 DC on a new server. All was working well for several weeks. Four days ago, after a network outage on the new DC I started getting replication errors. I noticed DNS on the new server was not populating and the server was in the wrong time zone - we don't use DST. I corrected the time zona, reset that machines password using - netdom resetpwd and rebooted. DNS is now working but replication is not. Ran DCDiag and everything passes except for:

I can ping between all DCs using IP address, Name, or GUID. When I run repadmin /showreps all the other DCs are replicating but the BadDC3 shows "KCC could not add this Replica Link due to error" and "error 8453 Access was denied". I followed the ADSI edit articles and the BadDC3 has delegation, DNS is set the same as the other DCs, UserAccountControl shows 0X82000 (Server_Trust_Anchor|Trusted_For_Delegation) on all servers. AD Sites and Services I see 2 connectors between each domain controller - GoodDC01 connected to GoodDC03 and BadDC3, GoodDC02 connected to GoodDC03 and BadDC3, GoodDC03 connected to GoodDC01 and GoodDC02, except for BadDC3 which is connected to GoodDC01, GoodDC02, and GoodDC03. After two days I do not know what to look for?

Thoughts

eburch@lasertel.com

As the subject line suggests, when I enter the list of Forwarders under the domain controller "properties" the list stays there for about 20 minutes and then disappears. The list of Forwarders on my secondary DNS server (secondary as that as how it is assigned to domain PCs via DHCP) remain in tact.  

This is causing lookup requests that run through the PDC emulator to timeout. I'm looking for hints on if this is a common issue and there's a handy blog post about it or if there's a way to troubleshoot what's going on.

My CN=infrastructure,DC=ForestDnsZones,DC=XXX,DC=XXX attrib fsMORoleOwner value is wrong，what good value should I set?

My CN=infrastructure,DC=XXX,DC=XXX attrib fsMORoleOwner value is right，but I can not set the value attrib fsMORoleOwner  of CN=infrastructure,DC=ForestDnsZones,DC=XXX,DC=XXX .the err is 

can you help me

...

Hi

Can we apply MS Security Baseline for Windows 2016 with servers in workgroup?

Also how the user accounts / credential security can be compared in Domain environment Vs in a Workgroup environment? Because we are asked to remove our backup server (backing up data to locally attached LUN and also duplicates to Tape) from Domain and keep it in Workgroup. We are checking all the concepts in security point of view before making this change

Thanks in advance

LMS

I am at a loss here. I have checked the network settings the <g class="gr_ gr_41 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="41" id="41">dns</g> is the same <g class="gr_ gr_58 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="58" id="58">ip</g> address of the server. only one NIC is enabled. I have flushed <g class="gr_ gr_292 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="292" id="292">dns</g> and registered <g class="gr_ gr_348 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="348" id="348">dns</g> followed by reset of <g class="gr_ gr_416 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling" data-gr-id="416" id="416">netlogon</g> and <g class="gr_ gr_435 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="435" id="435">dns</g>. Still no luck. I notice that in the forwards that the domain only shows an A record as static. 

<g class="gr_ gr_1071 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling" data-gr-id="1071" id="1071">ipconfig</g> /all 

Enabling ipv6 <g class="gr_ gr_686 gr-alert gr_tiny gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling multiReplace" data-gr-id="686" id="686">i</g> get this error on <g class="gr_ gr_699 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling" data-gr-id="699" id="699">dcdiag</g> 

 Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MERCEDES>dcdiag test:dns
Invalid Syntax: Invalid option test:dns. Use dcdiag.exe /h for help.

C:\Users\Administrator.MERCEDES>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Mercedes2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MERCEDES2
      Starting test: Connectivity
         ......................... MERCEDES2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MERCEDES2

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
 ERROR: NO DNS servers for IPV6 stack was found
         ......................... MERCEDES2 passed test DNS

   Running partition tests <g class="gr_ gr_930 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Style multiReplace" data-gr-id="930" id="930"><g class="gr_ gr_925 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Punctuation only-del replaceWithoutSep" data-gr-id="925" id="925">on :</g></g> ForestDnsZones

   Running partition tests <g class="gr_ gr_927 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Style multiReplace" data-gr-id="927" id="927"><g class="gr_ gr_920 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Punctuation only-del replaceWithoutSep" data-gr-id="920" id="920">on :</g></g> DomainDnsZones

   Running partition tests <g class="gr_ gr_931 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Style multiReplace" data-gr-id="931" id="931"><g class="gr_ gr_926 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Punctuation only-del replaceWithoutSep" data-gr-id="926" id="926">on :</g></g> Schema

   Running partition tests <g class="gr_ gr_923 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Style multiReplace" data-gr-id="923" id="923"><g class="gr_ gr_921 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Punctuation only-del replaceWithoutSep" data-gr-id="921" id="921">on :</g></g> Configuration

   Running partition tests <g class="gr_ gr_928 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Style multiReplace" data-gr-id="928" id="928"><g class="gr_ gr_922 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Punctuation only-del replaceWithoutSep" data-gr-id="922" id="922">on :</g></g> Mercedes

   Running enterprise tests <g class="gr_ gr_929 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Style multiReplace" data-gr-id="929" id="929"><g class="gr_ gr_924 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Punctuation only-del replaceWithoutSep" data-gr-id="924" id="924">on :</g></g> Mercedes
      Starting test: DNS
         Test results for domain controllers:

            DC: Mercedes2.Mercedes
            Domain: Mercedes


               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record <g class="gr_ gr_933 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling" data-gr-id="933" id="933">dcdiag</g>-test-record i
n zone Mercedes

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000012] Broadcom NetXtreme Gigabit Ethernet:
                     Warning:
                     Missing AAAA record at DNS server 206.89.179.3:
                     Mercedes2.Mercedes

               Warning: Record Registrations not found in some network adapters

               Mercedes2                    PASS WARN PASS PASS WARN WARN n/a
         ......................... Mercedes passed test DNS

C:\Users\Administrator.MERCEDES>

Is there something I am missing here? This was a server 2000 upgraded to 2008 r2. When I disable ipv6 the error is still present but <g class="gr_ gr_1502 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" data-gr-id="1502" id="1502">dcdiag</g> runs all pass. 

Hi,

Please find the below scenario,

Client A - AD Domain name is A.COM and Email domain is A1.com

Client B - AD Domain Name is A.COM and Email domain is B1.com

In this situation can both client utilize O365 as email solutions, if so what is complexity?

Thanks in advance. 

Hello
I delegated permissions to a group to move users from one OU to another OU.After moving them once, if they want to move them another time, they have access to deny.

they have also the permission to create and delete users.

Is someone understand what is happening.

thanks

I have 2 2016 domains. DomainA.local and domainB.corp. Separate forests. DoainA has our ERP software and related servers. Mainly an SQL server and an application which is accessed by a terminal server in that same domain. DomainB hosts all other servers and workstations. We don’t have Exchange. Using office 365 with our public domain name. I want to join the 2 domains into one domain name which is a sub of our public domain for example AD.public.ca

my goals are

-not to disrupt existing security settings for ERP and SQL in domainA

- to keep permissions on the file server folders in DomainB

- for users in DomainB to keep their local user profiles after joining the new domain. 

what will be my best approach? Migrate using ADMT? Rename DomainA and merge DomainB with it? I don’t mind keeping the NetBIOS names as is. I just want the end result to be 1 domain which is a sub domain of our public domain AD.public.ca

Dear Support,

We have recently install PDC in our network and moved the roles for the same and its working properly.

But our AD to AD replication not working which is previously working fine.

So please give us solution for the same.

Regards,

Itsupport

Hi everyone,

sorry for the long topic. But these are the first suggestions i get which i cannot deploy easily.

How to you deal with remote workers "all over the world" that might have lost their password?

Even if you reset in your AD they won't be able to log in because they have no connection to your AD servers.

We have Azure AD P1 with Azure Sync if that would help. We will hybrid join any client we have. 

Does this help? How do you cope with this?

<h3>Regards Stephan</h3>

well the idea is to make one domain controller sync after 5 days ... so that if any thing gets wrong with the mains like virus or corruption we would still have one domain controller active that did not sync for 5 days

i went to trust and sites and edited the schedule to sync for 6 hours on one day but whenever i change anything in the active directory it changes on all other servers including the delayed one

did i get the schedule idea wrong ? is it for something else ? is there a missing step to make the idea work as expected .

Hi Team,

Could any one help me pulling out ad users created between specific dates, I have heard that it is possible to do with Quest AD power shell, Can any one help me on this. Please help.

Trying to pull information with below command but need accounts created between specific dates.

Regards

Sriman

Hello,

We are migrating users, groups, computer objects from one forest to another forest domain. and user name is different in each domain. below is the scenario,

Source Domain User : 10025@abc.com (User Name: 10025)

Target Domain User: KES052@xyz.com (User Name: KES052)

we have created users in Target domain with new user id (common id), when i am migrated SID for those users is replace with user name. (10025 is replacing with KES052), how could i migrate only SID without replacing anything from source domain?

In ADMT console i am performing include file and merging the user and excluded all the attributes but only username is changing, all SAM and UPN as is target.

Appreciate if inputs to get rid of this.

Regards,

Vinay

I recently deleted my user account from ADUC and recreated it (with the same user name). The Group Policy should automatically map the drives, and it did, for one of them. When I look at a GP result it tells me that all of the drive mappings were a success. I tried manually mapping the drives but I get an error, "The network folder specified is currently mapped to a different user name and password...first disconnect any existing mappings to this network share."  I have a hunch it's my old account that's blocking me.

A few things to note:

- All 3 folders I'm attempting to connect  to (including the one that is successful) on are the exact same file server.

- Running the net use command I only see a connection to the one share that's currently visible

- I went to the "C:...AppData/Roaming/Microsoft/Windows/Network Shortcuts" folder on my old account to make sure there wasn't anything listed.

-WMIC useraccount get name,sid verifies that the old SID isn't lingering around on the domain

- The old account wasn't deleted from the computer prior to making the new one so under users I now show as [username.domain] rather than just username.

Do I need to completely delete the user account from the C: of the local machine or is there some way to view/manage mappings from the File Server itself?