Channel: Directory Services forum

Cross realm Kerberos and SPN


Hello, I set up 2 domains with a bi-directional trust relationship: domain1.com and domain2.com.

When I try to authenticate using user@domain1.com accessing resource.domain2.com (I'm using WinRM to test)

Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM Win32_ComputerSystem" -ComputerName resource.domain2.com -Authentication Kerberos -Credential user@domain1.com

I'm getting the following error. When I try to do that using user@domain2.com, everything is OK.


Get-WSManInstance : An unknown security error occurred.
At line:1 char:1
+ Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WSManInstance], COMException
    + FullyQualifiedErrorId : Exception,Microsoft.WSMan.Management.GetWSManInstanceCommand

Get-WSManInstance : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858909"
Machine="kitchen-unit"><f:Message>WinRM cannot process the request. The following error with errorcode 0x80090322
occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.</f:Message></f:WSManFault>
At line:1 char:1
+ Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (wmi/root/cimv2/*:Uri) [Get-WSManInstance], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.GetWSManInstanceCommand

I think that something is wrong with SPNs, but I have not found how SPNs should be configured for cross-realm authentication.

Should I create SPNs on the Computer Account within domain1.com?
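The fault text above lists a missing or wrong SPN and a missing trust as possible causes. The script below is an added example, not part of the original post, that checks both from the client side: it reads the SPNs registered on the target's computer account in domain2.com, looks for a duplicate registration of the same SPN, and then asks the KDC for the service ticket explicitly so the client ticket cache shows whether a cross-realm referral was obtained. The host and domain names are the ones from the post; it assumes the ActiveDirectory module is installed and that the client can query domain2.com's domain controllers over LDAP.

```powershell
# Added example (not from the original post): client-side SPN and ticket check for
# WinRM over Kerberos against a host in a trusted domain.
param(
    [string]$Target       = 'resource.domain2.com',   # from the post
    [string]$TargetDomain = 'domain2.com'             # from the post
)

Import-Module ActiveDirectory

# 1. Which SPNs are registered on the target's computer account in domain2.com?
#    WinRM over Kerberos uses HTTP/<fqdn>; if that is absent, HOST/<fqdn> covers it
#    because HOST is mapped to HTTP through the forest's sPNMappings.
$hostName = ($Target -split '\.')[0]
$acct = Get-ADComputer -Identity $hostName -Server $TargetDomain -Properties servicePrincipalName
$spns = @($acct.servicePrincipalName)
$spns | Sort-Object | ForEach-Object { "  SPN: $_" }

$needed  = @("HTTP/$Target", "HOST/$Target")
$present = $needed | Where-Object { $spns -contains $_ }
if (-not $present) {
    Write-Warning "Neither HTTP/$Target nor HOST/$Target is registered on $($acct.DistinguishedName)"
}

# 2. Is HTTP/<fqdn> registered on more than one account in domain2.com?
#    A duplicate SPN makes the KDC issue a ticket for the wrong account, which
#    the client reports only as a generic security error.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$Target)" -Server $TargetDomain `
               -Properties servicePrincipalName)
if ($owners.Count -gt 1) {
    Write-Warning "Duplicate SPN HTTP/$Target on: $($owners.DistinguishedName -join '; ')"
}

# 3. Request the service ticket for the SPN from the current logon session and show
#    what the cache holds afterwards. With a working cross-realm trust the cache lists
#    a krbtgt/DOMAIN2.COM referral ticket next to the HTTP/ service ticket.
klist purge | Out-Null
klist get "HTTP/$Target"
klist | Select-String -Pattern 'Server:|Ticket Flags|krbtgt|Encryption'
```

Run it as the domain1.com user that the WinRM call uses, because `klist` operates on the caller's own logon session, not on the credential passed with `-Credential`.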



How to export a list of all computers with operating system from AD, including attributes like disabled/enabled status and OU location?


How to export a list of all computers with operating system from AD, including attributes like disabled/enabled status and OU location?

I have tried dsquery as below, but the status is not shown there.

dsquery * -filter "(objectCategory=computer)" -attr name operatingSystem
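The enabled/disabled state and the OU are both available from the same computer objects the dsquery above enumerates. The following is an added example, not from the original post, that exports them with the ActiveDirectory module; the output path and the extra columns (last logon, creation date) are my choices.

```powershell
# Added example (not from the original post): inventory of all computer accounts with
# OS, enabled/disabled state and the OU that contains them, exported to CSV.
Import-Module ActiveDirectory

function Get-ComputerInventory {
    Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, Enabled, LastLogonDate, whenCreated |
    ForEach-Object {
        # The OU is the distinguishedName minus its first RDN. Split on the first
        # comma that is not escaped, so a CN containing "\," is not cut in half.
        $ou = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
        [PSCustomObject]@{
            Name            = $_.Name
            DNSHostName     = $_.DNSHostName
            OperatingSystem = $_.OperatingSystem
            OSVersion       = $_.OperatingSystemVersion
            Status          = if ($_.Enabled) { 'Enabled' } else { 'Disabled' }
            OU              = $ou
            LastLogonDate   = $_.LastLogonDate
            Created         = $_.whenCreated
        }
    }
}

$inventory = Get-ComputerInventory
$inventory | Export-Csv -Path .\ComputerInventory.csv -NoTypeInformation -Encoding UTF8

# Summary: count of enabled/disabled accounts per operating system.
$inventory | Group-Object OperatingSystem, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If dsquery must stay, the state is in `userAccountControl`: bit 0x2 (ACCOUNTDISABLE) set means disabled, so adding `userAccountControl distinguishedName` to the `-attr` list gives the same information, just not decoded.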

Trying to Demote 2008R2 AD Server but cannot remove AD Certificate Services, keep getting error 0x80073701

I am trying to demote a 2008R2 AD server that has Certificate Services installed, but when I try to remove AD Certificate Services I keep getting error 0x80073701. I have tried everything to remove it with no luck. Any ideas? We want to upgrade our network to the latest servers and Exchange but can't, because we cannot raise the functional level of the forest and the domain.

Missing member attribute in replication metadata


Greetings,

  I have a script that tracks group membership changes. I recently converted it to using USN to make it more efficient. It works fine for most groups using:

$rep = Get-ADReplicationAttributeMetadata -Object $Group.objectguid -Server $dc -ShowAllLinkedValues |
       Where-Object { $_.AttributeName -eq 'member' -and $_.LocalChangeUsn -ge $previoushighestusn }

However, for the odd group that has clearly had membership changes, the member AttributeName does not exist in the replication metadata at all. Our DCs are 2012 and I ran a script some time back to convert all legacy groups. The groups that appear to have missing metadata seem to be groups that are created and then have members added soon after creation.

  So it appears the AttributeName 'member' cannot be relied upon to track all groups' membership changes.

  Anybody seen this?

Thanks

David Z
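A way to measure how many groups the USN-based approach above would miss, added here as an example and not part of the original post: for every group, compare the number of linked-value metadata entries for `member` with the group's current member count and flag groups that have members but no `member` metadata at all. `$dc` is discovered automatically; the cmdlets are the same ones the post uses.

```powershell
# Added example (not from the original post): find groups whose replication metadata
# carries no linked-value entries for 'member' although the group currently has members.
Import-Module ActiveDirectory

$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

function Find-GroupsWithoutMemberMetadata {
    param([string]$Server)
    Get-ADGroup -Filter * -Properties member -Server $Server | ForEach-Object {
        $group = $_
        $meta  = @(Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
                      -Server $Server -ShowAllLinkedValues |
                  Where-Object { $_.AttributeName -eq 'member' })
        $members = @($group.member)
        [PSCustomObject]@{
            Group            = $group.Name
            CurrentMembers   = $members.Count
            MemberMetadata   = $meta.Count
            LastMemberChange = ($meta | Measure-Object -Property LastOriginatingChangeTime -Maximum).Maximum
            # Members present but nothing in the metadata: USN-based tracking cannot see changes here.
            Suspect          = ($members.Count -gt 0) -and ($meta.Count -eq 0)
        }
    }
}

$report = Find-GroupsWithoutMemberMetadata -Server $dc
$report | Where-Object Suspect | Format-Table Group, CurrentMembers, MemberMetadata -AutoSize
"{0} of {1} groups have members but no 'member' metadata on {2}" -f `
    @($report | Where-Object Suspect).Count, $report.Count, $dc
```

Running it against two different DCs and comparing the `MemberMetadata` column also shows whether the gap is the same everywhere or specific to the DC the tracking script queries.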

KCC could not add this Replica Link due to error


I am in the process of migrating DCs to new hardware. I have 2 Windows 2008R2 DCs on older servers, 1 2012R2 VM DC on Hyper-V, and 1 Windows 2012R2 DC on a new server. All was working well for several weeks. Four days ago, after a network outage on the new DC, I started getting replication errors. I noticed DNS on the new server was not populating and the server was in the wrong time zone (we don't use DST). I corrected the time zone, reset that machine's password using netdom resetpwd, and rebooted. DNS is now working but replication is not. I ran DCDiag and everything passes except for:

From GoodDC02 to BadDC3
            Naming Context: DC=ourdomain,DC=com
            The replication generated an error (8453):
            Replication access was denied.
            The failure occurred at 2018-11-13 09:46:03.
            The last success occurred at 2018-11-09 09:59:37.
            98 failures have occurred since the last success.
            The machine account for the destination BadDC3.
            is not configured properly.
            Check the userAccountControl field.
            Kerberos Error.
            The machine account is not present, or does not match on the.
            destination, source or KDC servers.
            Verify domain partition of KDC is in sync with rest of enterprise.
            The tool repadmin/syncall can be used for this purpose.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source GoodDC02
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.

I can ping between all DCs using IP address, name, or GUID. When I run repadmin /showreps, all the other DCs are replicating, but BadDC3 shows "KCC could not add this Replica Link due to error" and "error 8453 Access was denied". I followed the ADSI Edit articles: BadDC3 has delegation, DNS is set the same as on the other DCs, and UserAccountControl shows 0X82000 (Server_Trust_Anchor|Trusted_For_Delegation) on all servers. In AD Sites and Services I see 2 connections between each domain controller: GoodDC01 connected to GoodDC03 and BadDC3, GoodDC02 connected to GoodDC03 and BadDC3, GoodDC03 connected to GoodDC01 and GoodDC02, except for BadDC3, which is connected to GoodDC01, GoodDC02, and GoodDC03. After two days I do not know what to look for.

Thoughts?


eburch@lasertel.com
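The dcdiag text above says to check `userAccountControl` on the destination's machine account and that the KDC, source and destination must agree on it. The script below is an added example, not part of the original post, that decodes the flags on every DC's computer account (0x82000 should decode to SERVER_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION for a writable DC), shows when each machine password was last set, and then lists the replication failures and per-partner results the way the ActiveDirectory module reports them. The flag values are the documented userAccountControl bits; the DC names come from the domain, nothing else is assumed.

```powershell
# Added example (not from the original post): decode DC machine-account flags and
# list replication failures from the domain's own metadata.
Import-Module ActiveDirectory

# Documented userAccountControl bits relevant to domain controllers.
$uacFlags = @{
    0x0002    = 'ACCOUNTDISABLE'
    0x0020    = 'PASSWD_NOTREQD'
    0x2000    = 'SERVER_TRUST_ACCOUNT'      # writable DC
    0x80000   = 'TRUSTED_FOR_DELEGATION'
    0x4000000 = 'PARTIAL_SECRETS_ACCOUNT'   # read-only DC
}

function ConvertFrom-UserAccountControl {
    param([int]$Value)
    $uacFlags.Keys | Sort-Object | Where-Object { $Value -band $_ } | ForEach-Object { $uacFlags[$_] }
}

function Get-DcAccountState {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $acct = Get-ADComputer -Identity $dc.ComputerObjectDN `
                    -Properties userAccountControl, PasswordLastSet, servicePrincipalName
        [PSCustomObject]@{
            DC              = $dc.HostName
            UAC             = ('0x{0:X}' -f $acct.userAccountControl)
            Flags           = (ConvertFrom-UserAccountControl $acct.userAccountControl) -join '|'
            PasswordLastSet = $acct.PasswordLastSet          # changes after netdom resetpwd
            HasGcSpn        = [bool]($acct.servicePrincipalName -match '^GC/')
            HasReplSpn      = [bool]($acct.servicePrincipalName -match '^E3514235-4B06-11D1-AB04-00C04FC2DCD2/')
        }
    }
}

Get-DcAccountState | Format-Table -AutoSize

# Replication failures as recorded in the domain, with the partner and error for each.
$domain = (Get-ADDomain).DNSRoot
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# Per-partner status for one DC (replace with the name of the failing one).
Get-ADReplicationPartnerMetadata -Target 'BadDC3' |
    Select-Object Server, Partner, LastReplicationResult, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

Run the DC-account part against more than one DC (`-Server` on `Get-ADComputer`) when replication is already broken: a password reset that reached one DC but not the KDC the partner uses is exactly the "does not match on the destination, source or KDC" case the dcdiag output describes.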

DNS Forwarders disappear on Server 2012 R2 PDC emulator


As the subject line suggests, when I enter the list of forwarders under the domain controller "properties", the list stays there for about 20 minutes and then disappears. The list of forwarders on my secondary DNS server (secondary, as that is how it is assigned to domain PCs via DHCP) remains intact.

This is causing lookup requests that run through the PDC emulator to time out. I'm looking for hints on whether this is a common issue with a handy blog post about it, or whether there's a way to troubleshoot what's going on.

Active Directory Web Services

Hello.

Recently I noticed a problem.

There are 4 DCs:

DC1 \ DC2 on OS 2016

DC3 \ DC4 on OS 2012R2

The problem is associated with Active Directory Web Services; when this is requested in PS:

Get-ADGroupMember -Identity "Domain Users" - after 5 minutes it times out.

The timeout limit was exceeded

This problem is only on 2 hosts, DC3 and DC2. The ADWS configs are identical, and the limits were raised for the test with no change. There are more than enough resources; when full logging is enabled there are no errors. It is just clear that on the 2 problem DCs the request takes more than 5 minutes and runs very slowly (on DC1 \ DC4 the result takes about 15-20 seconds) (so no, the most recent have already been rolled out).

Has anyone come across this? Or can you point me in the right direction?

Thank you in advance!

wrong fsMORoleOwner


The fsMORoleOwner attribute value of my CN=infrastructure,DC=ForestDnsZones,DC=XXX,DC=XXX is wrong. What good value should I set?

The fsMORoleOwner attribute value of my CN=infrastructure,DC=XXX,DC=XXX is right, but I cannot set the fsMORoleOwner attribute of CN=infrastructure,DC=ForestDnsZones,DC=XXX,DC=XXX. The error is

Can you help me?


...
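The value of fsMORoleOwner on an Infrastructure object is the distinguished name of the NTDS Settings object (objectClass nTDSDSA) of the domain controller holding that partition's infrastructure role, and the usual reason it is "wrong" is that it still points at a DC that no longer exists. The script below is an added example, not from the original post: it reads the attribute on the domain partition and on the DNS application partitions, checks that each value resolves to a live NTDS Settings object, and prints a candidate replacement with the write shown under `-WhatIf` only. Choosing the domain's infrastructure master as the candidate is an assumption; the DC used must host the partition being fixed and must not be a read-only DC.

```powershell
# Added example (not from the original post): validate fsMORoleOwner on every
# Infrastructure object and show a candidate value without writing it.
Import-Module ActiveDirectory

$root = Get-ADRootDSE
$partitions  = @($root.defaultNamingContext)
$partitions += Get-ADObject -SearchBase "CN=Partitions,$($root.configurationNamingContext)" `
                   -Filter 'objectClass -eq "crossRef"' -Properties nCName |
               Where-Object { $_.nCName -like '*DnsZones*' } |
               ForEach-Object { $_.nCName }

function Test-InfrastructureRoleOwner {
    param([string[]]$NamingContexts)
    foreach ($nc in $NamingContexts) {
        $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" -Properties fSMORoleOwner
        $owner = [string]$infra.fSMORoleOwner
        # A valid owner is an existing nTDSDSA object. A DN containing "0ADEL:" refers to
        # a deleted (tombstoned) object, which is the typical stale value.
        $exists = $false
        if ($owner -and $owner -notmatch '0ADEL:') {
            $ntds   = Get-ADObject -Identity $owner -Properties objectClass -ErrorAction SilentlyContinue
            $exists = [bool]($ntds -and $ntds.ObjectClass -eq 'nTDSDSA')
        }
        [PSCustomObject]@{
            Partition = $nc
            Owner     = $owner
            OwnerOK   = $exists
        }
    }
}

Test-InfrastructureRoleOwner -NamingContexts $partitions | Format-List

# Candidate value: the NTDS Settings DN of a writable DC that hosts the partition.
# Assumption for this example: the domain's infrastructure master also hosts the DNS partitions.
$im = Get-ADDomainController -Identity (Get-ADDomain).InfrastructureMaster
"Candidate fSMORoleOwner: $($im.NTDSSettingsObjectDN)"
foreach ($nc in $partitions) {
    # -WhatIf: shows the write without performing it; remove it only after reviewing the output.
    Set-ADObject -Identity "CN=Infrastructure,$nc" -Replace @{ fSMORoleOwner = $im.NTDSSettingsObjectDN } -WhatIf
}
```

Run it with an account that is a member of Enterprise Admins, since the DNS application partitions and the Infrastructure objects in them are forest-wide objects.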


Apply MS Security Baseline for Windows 2016 settings with server in Workgroup


Hi

Can we apply the MS Security Baseline for Windows 2016 to servers in a workgroup?

Also, how does user account / credential security compare in a domain environment vs. a workgroup environment? We have been asked to remove our backup server (which backs up data to a locally attached LUN and also duplicates it to tape) from the domain and keep it in a workgroup. We are checking all the concepts from a security point of view before making this change.

Thanks in advance



LMS

The DNS server 206.89.179.3 on Local Area Connection 2 did not successfully resolve the name for the start of authority (SOA) record of the zone hosting the computer's primary DNS domain name.


I am at a loss here. I have checked the network settings; the DNS is the same IP address as the server. Only one NIC is enabled. I have flushed DNS and registered DNS, followed by a reset of netlogon and DNS. Still no luck. I notice that in the forwards the domain only shows an A record as static.

ipconfig /all

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MERCEDES>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Mercedes2
   Primary Dns Suffix  . . . . . . . : Mercedes
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Mercedes

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 54-9F-35-1E-24-AE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2603:3014:23be:8000:d0f5:3492:1c72:e8a5(Preferred)
   Link-local IPv6 Address . . . . . : fe80::d0f5:3492:1c72:e8a5%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 206.89.179.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::3817:e1ff:fef5:2a82%10
                                       206.89.179.125
   DNS Servers . . . . . . . . . . . : 206.89.179.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{69735297-E6C5-499E-AC88-599137266A2D}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator.MERCEDES>

Enabling IPv6 I get this error on dcdiag

 Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MERCEDES>dcdiag test:dns
Invalid Syntax: Invalid option test:dns. Use dcdiag.exe /h for help.

C:\Users\Administrator.MERCEDES>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Mercedes2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MERCEDES2
      Starting test: Connectivity
         ......................... MERCEDES2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MERCEDES2

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
 ERROR: NO DNS servers for IPV6 stack was found
         ......................... MERCEDES2 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : Mercedes

   Running enterprise tests on : Mercedes
      Starting test: DNS
         Test results for domain controllers:

            DC: Mercedes2.Mercedes
            Domain: Mercedes


               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone Mercedes

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000012] Broadcom NetXtreme Gigabit Ethernet:
                     Warning:
                     Missing AAAA record at DNS server 206.89.179.3:
                     Mercedes2.Mercedes

               Warning: Record Registrations not found in some network adapters

               Mercedes2                    PASS WARN PASS PASS WARN WARN n/a
         ......................... Mercedes passed test DNS

C:\Users\Administrator.MERCEDES>

Is there something I am missing here? This was a Server 2000 upgraded to 2008 R2. When I disable IPv6 the error is still present, but dcdiag runs all pass.
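The event in the subject line describes one specific test: each configured DNS server is asked for the SOA record of the zone that matches the computer's primary DNS domain. The script below is an added example, not from the original post, that repeats that query per DNS server and reports what each returns, then lists the DNS servers configured on the IPv4 and IPv6 stacks (the dcdiag output above warns that the IPv6 stack has none while the adapter carries a global IPv6 address). It uses `nslookup`, `netsh` and `dnscmd` rather than the DnsClient cmdlets so it runs on the 2008 R2 build shown in the `ipconfig` output; nothing beyond the host's own configuration is assumed.

```powershell
# Added example (not from the original post): per-DNS-server SOA check for the
# computer's primary DNS domain, runnable on Windows Server 2008 R2.
$domain  = (Get-WmiObject Win32_ComputerSystem).Domain
$servers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true' |
           ForEach-Object { $_.DNSServerSearchOrder } |
           Where-Object { $_ } | Select-Object -Unique

function Test-SoaResolution {
    param([string]$Zone, [string[]]$DnsServers)
    foreach ($srv in $DnsServers) {
        # Trailing dot stops nslookup from appending a search suffix to the zone name.
        $out = & nslookup -type=SOA "$Zone." $srv 2>&1 | Out-String
        $primary = if ($out -match 'primary name server\s*=\s*(\S+)') { $Matches[1] } else { $null }
        [PSCustomObject]@{
            Zone       = $Zone
            DnsServer  = $srv
            SoaPrimary = $primary          # empty: this server did not answer the SOA query
            Resolved   = [bool]$primary
        }
    }
}

Test-SoaResolution -Zone $domain -DnsServers $servers | Format-Table -AutoSize

# DNS servers per IP stack: the dcdiag DNS test looks at both.
netsh interface ipv4 show dnsservers
netsh interface ipv6 show dnsservers

# The zone as the local DNS server sees it, and the DC's own records in it.
dnscmd $env:COMPUTERNAME /zoneinfo $domain
dnscmd $env:COMPUTERNAME /enumrecords $domain $env:COMPUTERNAME
```

A server that shows `Resolved = False` here is the one the netlogon event names; if every server resolves the SOA, the event points at a transient failure at registration time rather than at the current configuration.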

O365 Integration


Hi,

Please find the below scenario,

Client A - AD Domain name is A.COM and Email domain is A1.com

Client B - AD Domain Name is A.COM and Email domain is B1.com

In this situation, can both clients use O365 as their email solution, and if so, what is the complexity?

Thanks in advance. 

delegation permissions: access denied after one move!!!!


Hello
I delegated permissions to a group to move users from one OU to another OU. After moving them once, if they want to move them another time, they get access denied.

They also have the permission to create and delete users.

Does someone understand what is happening?

thanks
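A move in Active Directory needs rights on three places: Delete on the object being moved (or Delete Child on the OU it sits in), Create Child of the user class on the destination OU, and Write to the object's name/RDN attributes. Delegation that was granted on only one of the two OUs therefore works in one direction and fails in the other. The script below is an added example, not from the original post, that lists exactly which ACEs the delegated group holds on each OU and on a user object inside the destination OU, including any Deny entries and whether each entry is inherited. The group name and OU paths are placeholders to replace.

```powershell
# Added example (not from the original post): show the ACEs a delegated group holds
# on the source OU, the destination OU, and a moved user, to compare against what a
# move requires.
param(
    [string]$Group    = 'DOMAIN\OU-Movers',                 # placeholder
    [string]$SourceOU = 'OU=Sales,DC=example,DC=com',       # placeholder
    [string]$TargetOU = 'OU=Marketing,DC=example,DC=com'    # placeholder
)
Import-Module ActiveDirectory    # provides the AD: drive used by Get-Acl

function Get-AcesFor {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity } | ForEach-Object {
        [PSCustomObject]@{
            Object      = $Path
            Type        = $_.AccessControlType      # Allow or Deny
            Rights      = $_.ActiveDirectoryRights  # e.g. CreateChild, DeleteChild, Delete, WriteProperty
            ObjectType  = $_.ObjectType             # class/attribute GUID; all zeros = any
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    }
}

function Get-DenyAces {
    param([string]$Path)
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

"=== $Group on source OU ===";      Get-AcesFor -Path $SourceOU -Identity $Group | Format-Table -AutoSize
"=== $Group on destination OU ===";  Get-AcesFor -Path $TargetOU -Identity $Group | Format-Table -AutoSize

# Pick one user that has already been moved and look at the effective ACL it carries now:
# rights inherited from the old OU are gone, rights inherited from the new OU apply.
$moved = Get-ADUser -SearchBase $TargetOU -Filter * -ResultSetSize 1
if ($moved) {
    "=== $Group on $($moved.DistinguishedName) ==="
    Get-AcesFor -Path $moved.DistinguishedName -Identity $Group | Format-Table -AutoSize
    "=== Deny entries on that user ===";  Get-DenyAces -Path $moved.DistinguishedName | Format-Table -AutoSize
}
```

If the destination OU shows CreateChild/DeleteChild for the group but the source OU (or the moved user) shows no Delete right, the first move succeeded only because the user was still inheriting rights from the OU it started in.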

Active Directory Merge and rename. Best approach rename or migrate


I have 2 2016 domains, DomainA.local and DomainB.corp, in separate forests. DomainA has our ERP software and related servers, mainly a SQL server and an application which is accessed by a terminal server in that same domain. DomainB hosts all other servers and workstations. We don't have Exchange; we use Office 365 with our public domain name. I want to join the 2 domains into one domain whose name is a sub-domain of our public domain, for example AD.public.ca.

My goals are:

- not to disrupt existing security settings for ERP and SQL in DomainA

- to keep permissions on the file server folders in DomainB

- for users in DomainB to keep their local user profiles after joining the new domain. 

What will be my best approach? Migrate using ADMT? Rename DomainA and merge DomainB into it? I don't mind keeping the NetBIOS names as they are. I just want the end result to be 1 domain which is a sub-domain of our public domain, AD.public.ca.

AD to AD replication not working


Dear Support,

We have recently installed a PDC in our network and moved the roles to it, and it is working properly.

But our AD to AD replication, which was previously working fine, is not working.

So please give us a solution for this.

Regards,

Itsupport

Change UPN for a group of Users

<#
1. Import Data from a CSV file
2. Process each object in CSV file:
   a. Foreach Object
   b. Validate the Existence of the User in AD:
      -> if found - Proceed to Step 3
      -> If Not Found, Update the Array Variable used for Exporting the Script Execution outcome And/Or Update the Log file
3. Trigger or Attempt to Change the UPN using the value from the reference variable corresponding to the user in the CSV File.
   a. If Successful, Update the Output Array with outcome being successful And/Or write to a Log
   b. If Not Successful (On Error), Get the Error Exception indicating the reason for failure and update the array with the exception
4. Export Data to CSV File to Review the execution and outcome of Set-ADUser triggered for UPN Change
#>

Import-Module ActiveDirectory

# The CSV needs a SamAccountName column. Replace the path and the UPN suffix before running.
$FileData   = Import-Csv "CSV File Path"
$UPNSuffix  = "UPNSuffix"            # placeholder kept from the original, e.g. contoso.com
$OutputData = @()

$UserCount  = ($FileData | Measure-Object).Count
$StartCount = 0
foreach ($User in $FileData) {
    $StartCount += 1
    $CurrentUser = $User.SamAccountName
    Write-Host "Processing User [$CurrentUser - $StartCount] - Out of [$UserCount]" -ForegroundColor Cyan

    $OutObj = "" | Select-Object User, CurrentUPN, NewUPN, ChangeStatus
    $OutObj.User = $CurrentUser

    # Step 2b: an unknown identity makes Get-ADUser write an error; silence it and test for $null.
    $UserInfo = Get-ADUser -Identity $CurrentUser -Properties UserPrincipalName -ErrorAction SilentlyContinue
    if ($UserInfo) {
        $OutObj.CurrentUPN = $UserInfo.UserPrincipalName
        $OutObj.NewUPN     = "$CurrentUser@$UPNSuffix"
        # Step 3: -WhatIf keeps this a dry run, as in the original; remove it to apply the change.
        # -ErrorAction Stop turns a failed Set-ADUser into an exception so step 3b can record the reason.
        try {
            Set-ADUser -Identity $CurrentUser -UserPrincipalName $OutObj.NewUPN -WhatIf -ErrorAction Stop
            $OutObj.ChangeStatus = "UPN Change Successful"
        }
        catch {
            $OutObj.ChangeStatus = "UPN Change Failed: $($_.Exception.Message)"
        }
    }
    else {
        $OutObj.CurrentUPN   = "$CurrentUser - Not IN AD"
        $OutObj.NewUPN       = "$CurrentUser - Not IN AD"
        $OutObj.ChangeStatus = "User Not In AD"
    }
    $OutputData += $OutObj
    $OutObj
}

# Step 4: export the outcome for review.
$OutputData | Export-Csv UPNChangeStatus.csv -NoTypeInformation

Password reset for remote workers - without Always On VPN or another self-connecting VPN - no contact with the AD server


Hi everyone,

Sorry for the long topic. But these are the first suggestions I get which I cannot deploy easily.

How do you deal with remote workers "all over the world" who might have lost their password?

Even if you reset it in your AD, they won't be able to log in because they have no connection to your AD servers.

We have Azure AD P1 with Azure Sync, if that would help. We will hybrid join any client we have.

Does this help? How do you cope with this?


Regards, Stephan

I configured the schedule to sync between domain controllers but it's not working


Well, the idea is to make one domain controller sync after 5 days, so that if anything goes wrong with the main ones, like a virus or corruption, we would still have one domain controller active that has not synced for 5 days.

I went to trust and sites and edited the schedule to sync for 6 hours on one day, but whenever I change anything in Active Directory it changes on all other servers, including the delayed one.

Did I get the schedule idea wrong? Is it for something else? Is there a missing step to make the idea work as expected?

Get AD accounts created between specific dates


Hi Team,

Could anyone help me pull out AD users created between specific dates? I have heard that it is possible with Quest AD PowerShell. Can anyone help me on this? Please help.

I am trying to pull information with the command below but need accounts created between specific dates.


get-adobject -Filter {ObjectClass -eq "user" -and ObjectClass -ne "computer"} -IncludeDeletedObjects -Properties * | Select-Object displayName,samaccountname,Created,mail,extensionattribute5,IsDeleted,LastKnownParent

Regards

Sriman
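The date range can be applied server-side with the same `Get-ADObject` cmdlet the post already uses, by filtering on `whenCreated`, so no Quest module is needed. The following is an added example, not from the original post: it keeps the post's columns (including the deleted-object ones), narrows the filter to person objects (computers also carry objectClass=user, which is why the post's `-ne "computer"` clause does nothing), and takes the date range as parameters. The dates in the usage call are made-up values.

```powershell
# Added example (not from the original post): user accounts created between two dates,
# optionally including deleted objects, with the columns the post selects.
Import-Module ActiveDirectory

function Get-UsersCreatedBetween {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [switch]$IncludeDeleted
    )
    # objectCategory=person excludes computer accounts, whose objectClass also contains "user".
    # The whenCreated comparison is evaluated on the DC, not after pulling every object.
    $params = @{
        Filter     = { objectCategory -eq 'person' -and objectClass -eq 'user' -and
                       whenCreated -ge $Start -and whenCreated -le $End }
        Properties = 'displayName', 'sAMAccountName', 'whenCreated', 'mail',
                     'extensionAttribute5', 'isDeleted', 'lastKnownParent'
    }
    if ($IncludeDeleted) { $params.IncludeDeletedObjects = $true }

    Get-ADObject @params |
        Select-Object displayName, sAMAccountName,
                      @{ Name = 'Created'; Expression = { $_.whenCreated } },
                      mail, extensionAttribute5, isDeleted, lastKnownParent
}

# Usage with constructed dates; -IncludeDeleted needs the AD Recycle Bin or tombstone access.
$report = Get-UsersCreatedBetween -Start '2018-10-01' -End '2018-10-31T23:59:59' -IncludeDeleted
$report | Sort-Object Created | Format-Table -AutoSize
$report | Export-Csv .\UsersCreated.csv -NoTypeInformation
```

`whenCreated` is replicated, so any DC gives the same answer; that is not true of `lastLogon`-style attributes, which is the usual reason such reports disagree between DCs.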

User Migration with ADMT


Hello,

We are migrating users, groups and computer objects from one forest to another forest's domain, and the user name is different in each domain. Below is the scenario:

Source Domain User : 10025@abc.com (User Name: 10025)

Target Domain User: KES052@xyz.com (User Name: KES052)

We have created users in the target domain with a new user ID (common ID). When I migrate the SID for those users, the user name is replaced (10025 is replacing KES052). How could I migrate only the SID without replacing anything from the source domain?

In the ADMT console I am using an include file and merging the user, and have excluded all the attributes, but the username still changes; I want the SAM and UPN to stay as they are in the target.

I would appreciate any inputs to get rid of this.

Regards,

Vinay
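Whatever ADMT options end up being used, the result can be verified directly: the target account should carry the source account's objectSid in sIDHistory while keeping its own sAMAccountName and UPN. The script below is an added example, not from the original post, that performs that comparison for a list of source/target pairs. The domain names follow the post; the mapping file format (a CSV with SourceSam and TargetSam columns) is an assumption, and the sample rows in it would be the pairs from the post such as 10025 / KES052.

```powershell
# Added example (not from the original post): verify SID history and untouched target
# names after an ADMT user migration, for each source/target pair in a mapping CSV.
param(
    [string]$SourceDomain = 'abc.com',            # from the post
    [string]$TargetDomain = 'xyz.com',            # from the post
    [string]$MapFile      = '.\migration-map.csv' # assumed: columns SourceSam,TargetSam
)
Import-Module ActiveDirectory

function Test-SidHistoryMigration {
    param([string]$SourceSam, [string]$TargetSam)
    $src = Get-ADUser -Identity $SourceSam -Server $SourceDomain -Properties objectSid -ErrorAction SilentlyContinue
    $tgt = Get-ADUser -Identity $TargetSam -Server $TargetDomain `
               -Properties sIDHistory, userPrincipalName -ErrorAction SilentlyContinue

    $srcSid  = if ($src) { $src.objectSid.Value } else { $null }
    $history = @($tgt.sIDHistory | ForEach-Object { $_.Value })

    [PSCustomObject]@{
        SourceSam        = $SourceSam
        TargetSam        = $TargetSam
        SourceFound      = [bool]$src
        TargetFound      = [bool]$tgt
        SourceSid        = $srcSid
        # The migration did what was wanted only if the source SID is in the target's history...
        SidHistoryHasSrc = [bool]($srcSid -and ($history -contains $srcSid))
        # ...and the target kept its own name, which the post says is being overwritten.
        TargetSamIntact  = [bool]($tgt -and $tgt.SamAccountName -eq $TargetSam)
        TargetUpn        = if ($tgt) { $tgt.userPrincipalName } else { $null }
    }
}

$results = Import-Csv $MapFile | ForEach-Object {
    Test-SidHistoryMigration -SourceSam $_.SourceSam -TargetSam $_.TargetSam
}
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.SidHistoryHasSrc -or -not $_.TargetSamIntact } |
    Export-Csv .\migration-problems.csv -NoTypeInformation
```

Reading sIDHistory in the target domain requires a trust with SID filtering not stripping the values on the trust, and the account running the script needs read access in both domains.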

Deleted/Recreated ADUC User, Drive Mapping Fails


I recently deleted my user account from ADUC and recreated it (with the same user name). The Group Policy should automatically map the drives, and it did, for one of them. When I look at a GP result it tells me that all of the drive mappings were a success. I tried manually mapping the drives but I get an error, "The network folder specified is currently mapped to a different user name and password...first disconnect any existing mappings to this network share."  I have a hunch it's my old account that's blocking me.

A few things to note:

- All 3 folders I'm attempting to connect to (including the one that is successful) are on the exact same file server.

- Running the net use command, I only see a connection to the one share that's currently visible.

- I went to the "C:...AppData/Roaming/Microsoft/Windows/Network Shortcuts" folder on my old account to make sure there wasn't anything listed.

- WMIC useraccount get name,sid verifies that the old SID isn't lingering around on the domain.

- The old account wasn't deleted from the computer prior to making the new one so under users I now show as [username.domain] rather than just username.

Do I need to completely delete the user account from the C: of the local machine or is there some way to view/manage mappings from the File Server itself?

- Edit: Turns out it really was the simplest problem. In short, I took a look at my permissions and realized I had them for one domain but not the other. Once I added that, it was fixed.