Channel: Directory Services forum

Certification Authority Web Enrollment error "An unexpected error has occurred: The Certification Authority Service has not been started." when opening the link 'Download a CA certificate, certificate chain or CRL'


Hi everyone:

I have a two-tier PKI with Server-1 as the subordinate enterprise/issuing CA. I have installed 'Certification Authority Web Enrollment' on Server-2. When I open Server-2.domain.com/certsrv and go to 'Download a CA certificate, certificate chain or CRL', it returns 'Error: An unexpected error has occurred: The Certification Authority Service has not been started.' However, it works fine from https://localhost/certsrv on Server-2.

My problem is the same as in the following thread, and I have tried the solution advised there, but it hasn't worked for me:

https://social.technet.microsoft.com/Forums/en-US/4c7f41a5-21b0-470d-8c78-0fc237eb1da0/web-enrollemet-page-giving-error-quot-an-unexpected-error-has-occurred-the-certification?forum=winserversecurity

I have tried the following, but nothing has changed:

https://support.microsoft.com/en-gb/help/300867/error-message-the-certification-authority-service-has-not-been-started

https://blogs.technet.microsoft.com/askds/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy/

Please advise if I am missing something. Many thanks.


Domain Admins / Administrators confusion!


Hello Everyone

Recently I started migrating 700 users and computers with ADMT. After that we are going to migrate the servers manually by disjoining and joining them to the new domain, without ADMT.

So the problem is (on some servers) that after we join them to the new domain, Domain Admins is not automatically added to the Administrators group! And on some of them, after a day or two, it disappears from the Administrators group, and we cannot connect with the new domain account!

I must say that I tried changing some servers to a workgroup and joining them again; for now those servers are OK, but the ones that joined the new domain for the first time have the above problem.

I can't find any solution for it, and I don't even know what the problem is. I know I can use a GPO to force Domain Admins into the Administrators group, but I don't want to do that; I want to know what the problem is. I don't have any GPO for my servers or for the OU that contains these servers.

In the old domain we have a GPO for all computers that adds an administrator to the local computer (Windows Server 2008).

In the new domain we don't have this (because it's Windows Server 2016 and this policy is gone), and we don't want it either,

but I mention it in case it helps.

Please help me; I want to have a clean AD with healthy servers, not just apply some GPO to fix the problem by force.
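Added example, not part of the post above: a script that audits the local Administrators group on a list of servers, flags the ones where Domain Admins is missing, and pulls the Security event that records who (or what) removed it. The server names and the NetBIOS domain name are assumptions.

```powershell
# Added example, not from the original post: audit the local Administrators
# group on a list of servers, flag the ones where Domain Admins is missing,
# and pull the audit event that records who removed it. Server names and the
# NetBIOS domain name are assumptions.
$Domain  = 'NEWDOMAIN'
$Servers = 'SRV01', 'SRV02', 'SRV03'

function Get-LocalAdmins {
    param([Parameter(Mandatory)][string]$Computer)
    # The WinNT provider works on 2008 through 2016, so there is no dependency
    # on Get-LocalGroupMember, which only ships with Windows 10 / Server 2016.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://NEWDOMAIN/Domain Admins -> NEWDOMAIN\Domain Admins
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-LocalGroupRemovals {
    param([Parameter(Mandatory)][string]$Computer, [int]$Days = 14)
    # 4733 = member removed from a security-enabled local group. Needs the
    # "Audit Security Group Management" subcategory enabled on the server.
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4733; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Group   = $d.TargetUserName
            Removed = $d.MemberSid
            By      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    }
}

$report = foreach ($s in $Servers) {
    try {
        $members = @(Get-LocalAdmins -Computer $s)
        [pscustomobject]@{
            Server          = $s
            HasDomainAdmins = ($members -contains "$Domain\Domain Admins")
            Members         = ($members -join '; ')
        }
    } catch {
        [pscustomobject]@{ Server = $s; HasDomainAdmins = $null; Members = "ERROR: $($_.Exception.Message)" }
    }
}
$report | Sort-Object HasDomainAdmins | Format-Table -AutoSize

# For every server that lost the group, find out what removed it
foreach ($s in ($report | Where-Object { $_.HasDomainAdmins -eq $false }).Server) {
    Get-LocalGroupRemovals -Computer $s | Format-Table -AutoSize
}
```

The 4733 "By" column is the part worth looking at: a removal performed by SYSTEM on the server itself points at a local process or a policy (run `gpresult /scope computer /h report.html` on that server to see any Restricted Groups or Group Policy Preferences item that applies), while a removal by a named account points at a person or a migration tool.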

A question about computer account password changes


Hello, 

Can someone please help me with the following question,

If you have been using AD for any length of time, you have probably come across the scenario where a computer cannot log on to the domain and you need to reset the computer account password (netdom, PowerShell, etc.).

So I wanted to understand more about computer account password changes and how the above can happen, so I read the following article:

https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/

However, the article appears to contradict itself. For example,

it states that the 'computer' (the Netlogon service on the computer) is responsible for changing the computer account password, and 'never' AD. In other words (unless an administrator resets the computer account), AD will never change the password of a computer account.

So if you think about the above statement, there should never be a case where the computer account password stored on the computer itself and the one in AD (against the computer object) are out of sync.

The article then goes on to say,

the computer will change its password locally (first), then try to sync this change to AD; if it cannot communicate with AD, it will wait until the next scheduled interval (15 minutes by default) and try again, and again (until it can communicate with AD).

It also says the computer and AD both keep a note of the 'previous' password, so logically, at all times, even if the computer cannot sync the new password it just created to AD (and keeps on trying as above), at least the computer and AD will both have the previous password, which they can both use to maintain the secure channel.

So again, looking at the above, it would be logical that the computer account will always be able to authenticate to AD (even if it had to use the previous password).

However, at the end of the article it tries to show how the current and previous passwords on the computer and the ones in AD can be different (out of sync), but does not explain how this comes about.

Therefore I assume the following, which is where I need clarification:

I can only assume that if the computer account changes its password, then tries to sync with AD but cannot, and therefore keeps trying, but 31 days go by (e.g. the computer has been trying to sync its new password with AD every 15 minutes but failing, and 31 days have now passed), the computer will think it is time to change its password 'again' (despite the fact that it has not managed to sync the last time it changed its password), then change the password 'again', storing the last password change (that did not sync) in the previous password value, and then try to sync the new password (the new new one, if you like) to the DC. At this point both computer passwords (current and previous) would be different on the computer and in AD.

Is my assumption correct? This is not explained in the article.

Thanks

CXMelga
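Added example, not from the article or the post above: a script that puts numbers on the mechanism being discussed. It reads the Netlogon change interval the computer is using, compares it with the password age AD holds for the same computer object, and then verifies (and, if necessary, repairs) the secure channel. It needs the ActiveDirectory RSAT module on the machine where it runs; the defaults it assumes when the registry values are absent are the documented ones (30 days, changes enabled).

```powershell
# Added example (not from the article or the post): compare the machine
# account password age as seen by AD with the Netlogon settings on the
# computer, then verify and, if needed, repair the secure channel. Needs the
# ActiveDirectory module (RSAT) on the machine running it.
Import-Module ActiveDirectory

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$local  = Get-ItemProperty -Path $params
# Defaults when the values are absent: change every 30 days, changes enabled.
$maxAge   = if ($null -ne $local.MaximumPasswordAge) { [int]$local.MaximumPasswordAge } else { 30 }
$disabled = [bool]$local.DisablePasswordChange

$me      = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $me.PasswordLastSet).TotalDays

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    ADPasswordLastSet       = $me.PasswordLastSet
    AgeDays                 = $ageDays
    LocalMaximumPasswordAge = $maxAge
    LocalChangesDisabled    = $disabled
    # True when the computer is past due: Netlogon will attempt a change at its
    # next pass. A value far beyond the maximum usually means the change has
    # been failing to reach a writable DC for a long time.
    Overdue                 = ($ageDays -gt $maxAge) -and -not $disabled
}

# Does the secret stored locally still match one a DC accepts (current or previous)?
if (-not (Test-ComputerSecureChannel -Verbose)) {
    # Re-establishes the secret on both sides. The credential must be allowed to
    # reset this computer object (for example a member of Domain Admins).
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose
}
```

`PasswordLastSet` is read from whichever DC the module binds to; it replicates like any other attribute, so a recently changed password can show an older date on a DC that has not received the change yet, which is one of the ways the two sides can legitimately look different for a while.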

The pre-Windows 2000 logon name you have chosen is already in use in this domain. After joining new computer to Domain!


I recently joined a new computer to my Windows Server 2016 domain. As I was going through the process of joining the computer to the domain, it asked me if I wanted to create or add a user account to this new computer. For the domain, I clicked "Skip this step", which I believe just gives the default permissions to this computer on the domain. It successfully joined the domain and everything.

After this I went to create a user account named "Drake", and it says "The pre-Windows 2000 logon name you have chosen is already in use in this domain. Choose another pre-Windows 2000 logon name, and try again." When I right-click in Active Directory, click "Find" and type in "Drake", it brings up Name: "Administrator", Type: "User", but I can't actually find the "Drake" user account. I thought that since I clicked "Skip", it would just put the computer in the domain with no user account. When I looked at the members of the Administrators group etc., I can't find the "Drake" account that was referenced earlier.

I do remember that when I was joining the computer to the domain, it had a "User" field which was filled out with "Drake"; the account type was Standard, but again I clicked "Skip" on this part. If somehow it did create a domain account named "Drake" when I joined the computer to the domain, how do I find it and delete it, so I can create a new account where I can actually set GPO, reset the password etc. for that domain user account? Because now I can't do any of those things, because I can't find the account anywhere in my domain.

This is not a business domain; this is a lab testing domain, with the domain controller and Active Directory all on the same Windows Server 2016 box. Thank you for reading this!

-Drake
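Added example, not part of the post above: the pre-Windows 2000 logon name is the `sAMAccountName` attribute, and ADUC's Find dialog does not search it by default (it matches names and display names), so the clean way to see who owns "Drake" is an LDAP query across all object classes, including computer accounts (which store the name with a trailing `$`) and recently deleted objects. "Drake" is the name from the post; everything else runs against the domain the ActiveDirectory module connects to by default.

```powershell
# Added example (not from the original post): find every object, including
# computers and deleted objects, whose pre-Windows 2000 logon name
# (sAMAccountName) collides with the one you want to create.
Import-Module ActiveDirectory

function Find-SamAccountOwner {
    param([Parameter(Mandatory)][string]$Name)
    # Computer accounts store the name with a trailing $, so search both forms.
    $filter = "(|(sAMAccountName=$Name)(sAMAccountName=$Name`$))"
    Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects `
        -Properties sAMAccountName, objectClass, displayName, whenCreated, isDeleted |
        Select-Object sAMAccountName, objectClass, displayName, whenCreated, isDeleted, DistinguishedName
}

Find-SamAccountOwner -Name 'Drake' | Format-List

# Find may have matched "Drake" as the display name of a different account
# (the post saw "Administrator" come back), so check that separately:
Get-ADUser -Filter 'DisplayName -eq "Drake" -or Name -eq "Drake"' |
    Select-Object SamAccountName, Name, DisplayName, DistinguishedName
```

If the first query returns a user object, `Remove-ADUser -Identity <DistinguishedName>` deletes it; if it returns an `isDeleted` object, the name is held by the Recycle Bin tombstone until it ages out (or is restored). If it returns only the `Drake$` computer object, the collision is with the computer name, and renaming either the computer or the new user resolves it.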

  

Windows 2012 RODC server issue

Looking for some guidance from folks that know a little bit more than me about Windows. We have a remote portion of our network into which we are looking to deploy an RODC. In short, I have the server stood up and joined to the domain, and everything seems to have promoted appropriately. I can also log into the server with my domain creds and such. Where things get screwy is when I try to authenticate a node against only the RODC.

The test node is a Windows 2012 machine stood up specifically as a test. The machine has been joined to the domain. I logged into the box with local credentials and I'm unable to resolve anything DNS-wise. The DNS service is running on the RODC, and the NIC settings are pointed back toward the DNS/RWDC servers.

Any suggestions on how to proceed?  


How to add additional clocks (UK, UAE, Sri Lanka, Singapore time zones) to machines using Group Policy


Hi Team,

Happy Christmas!!

Please help me to add additional clocks on client machines using Group Policy.

I have 100+ Windows 7 machines where I want to add 4 more time zones.

I have followed the link below, but no luck.

http://dennisspan.com/configuring-regional-settings-and-windows-locales-with-group-policy/
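Added example, not from the linked article or the post: the "Additional Clocks" feature is per-user registry state under `HKCU\Control Panel\TimeDate\AdditionalClocks`, and Windows only reads two slots (subkeys `1` and `2`), so four extra clocks cannot be shown at once on Windows 7; the script below takes the first two of the four zones the post names and the others are listed only for their time-zone IDs. It is written as a user logon script (GPO > User Configuration > Policies > Windows Settings > Scripts); the same three values per slot can be entered as Group Policy Preferences registry items instead. The display names are assumptions.

```powershell
# Added example (not from the linked article or the post): set the two
# "Additional Clocks" Windows 7 supports for the current user. Only slots 1
# and 2 under this key are read, so four extra zones cannot be displayed;
# the script takes the first two entries of the list.
$wanted = @(
    @{ Name = 'London';    Tz = 'GMT Standard Time' }
    @{ Name = 'Dubai';     Tz = 'Arabian Standard Time' }
    @{ Name = 'Colombo';   Tz = 'Sri Lanka Standard Time' }
    @{ Name = 'Singapore'; Tz = 'Singapore Standard Time' }
)

$base = 'HKCU:\Control Panel\TimeDate\AdditionalClocks'
$slot = 1
foreach ($clock in ($wanted | Select-Object -First 2)) {
    # Fail on a typo here rather than write an ID Windows will silently ignore
    [System.TimeZoneInfo]::FindSystemTimeZoneById($clock.Tz) | Out-Null

    $key = Join-Path $base $slot
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name DisplayName  -Value $clock.Name -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name TzRegKeyName -Value $clock.Tz   -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name Enable       -Value 1           -PropertyType DWord  -Force | Out-Null
    $slot++
}

# Show what was written; the clocks appear in the taskbar clock fly-out at
# the next logon (or after Explorer restarts).
Get-ChildItem $base | ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object DisplayName, TzRegKeyName, Enable }
```

`TzRegKeyName` must be the key name under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones`, which is what `FindSystemTimeZoneById` validates; the localized names shown in the Date and Time dialog are not accepted.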

EFS - How to recover a file with a DRA (Data Recovery Agent)


Hello. Please, I need your help to learn how to decrypt files using a DRA certificate. I did these steps:

- I created a Data Recovery Agent certificate using cipher.exe /r:<filename> on my domain controller, logged in as "administrator".
- I added the Data Recovery Agent to the Default Domain Policy using the new certificate.
- I ran gpupdate /force on my client.
- I encrypted a text file (just the file, not the folder).
- In the file's advanced details, after the encryption, I can see the correct thumbprint of the DRA under "Recovery certificates for this file" (the thumbprint that I see matches the thumbprint of the certificate I generated in the first step).

From here, what am I supposed to do to recover the file using the DRA certificate?

I tried to:
- Log in to a client as a user
- Run MMC.exe as mydomain\administrator (runas.exe) and import the DRA .pfx into that user's (administrator's) personal store
- Run cmd.exe as mydomain\administrator and run cipher.exe /d <filename> to try to decrypt the file: ERR "Access denied"
- I also tried to log in interactively to the client as mydomain\administrator and repeat the above steps, but the same thing happens.

What's wrong with my procedure, please?

Thank you very much.


Francesco B.
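Added example, not part of the post above: the same recovery written as a script that stops at whichever precondition is actually unmet, since "Access denied" from `cipher /d` covers three different failures (wrong or missing DRA key in the caller's profile, the key imported without its private half, or plain NTFS rights on the file). The file and .pfx paths are assumptions. It must run in the logon session of the recovery account (`mydomain\administrator` in the post), because EFS looks for the DRA private key in the profile of the user who calls `cipher /d`. The "Certificate thumbprint:" line it parses is the format `cipher /c` prints; treat that parsing as an assumption if your build prints it differently.

```powershell
# Added example (not from the original post): recover an EFS file with the
# DRA key, checking each precondition before calling cipher /d.
$File = 'C:\data\secret.txt'
$Pfx  = 'C:\recovery\dra.pfx'   # from: cipher /r:dra  (writes dra.cer and dra.pfx)

function Get-EfsRecoveryThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c lists "Users who can decrypt" first and "Recovery Certificates"
    # after; only thumbprints in the second section are DRAs.
    $inRecovery = $false
    foreach ($line in (cipher.exe /c $Path)) {
        if ($line -match 'Recovery Certificates') { $inRecovery = $true; continue }
        if ($inRecovery -and $line -match 'thumbprint:\s*([0-9A-Fa-f ]{40,})') {
            ($matches[1] -replace '\s', '').ToUpper()
        }
    }
}

$draOnFile = @(Get-EfsRecoveryThumbprints -Path $File)
"Recovery agents recorded on the file: $($draOnFile -join ', ')"

# Import the .pfx (with its private key) into THIS user's personal store.
# On Windows 7, "certutil -user -p <pwd> -importpfx dra.pfx" does the same.
$cert = Import-PfxCertificate -FilePath $Pfx -CertStoreLocation Cert:\CurrentUser\My `
            -Password (Read-Host -AsSecureString 'PFX password')

if ($draOnFile -notcontains $cert.Thumbprint) {
    throw "Imported $($cert.Thumbprint) is not a DRA recorded on the file; EFS will refuse to decrypt."
}
if (-not $cert.HasPrivateKey) {
    throw 'Private key missing: the .cer alone cannot decrypt; import the .pfx.'
}

# The caller also needs NTFS read/write on the file; "Access denied" from
# cipher /d can come from the ACL rather than from EFS.
(Get-Acl $File).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

cipher.exe /d $File
if ($LASTEXITCODE -ne 0) { throw "cipher /d failed with exit code $LASTEXITCODE" }
cipher.exe /c $File   # should now report that the file is not encrypted
```

The ordering matters: the DRA thumbprint on the file was stamped at encryption time, so a file encrypted before the policy reached the client (or a DRA certificate regenerated after the file was encrypted) will never match, and no amount of importing fixes that file; it has to be re-encrypted by its owner under the current policy.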


AD Lockouts for 1 User

Hello, I am currently troubleshooting an issue with one user at our company. Specifically, they are getting locked out whenever they type in their password once when they sign in for the day at their desk, as well as when they lock the screen to go away from their desk for lunch and then log back in when they return. I am stumped on what could be causing this, as I have checked Task Scheduler, Services and Credential Manager, removed OWA for Devices entries so they don't have email on their phone, and turned on Diagnostic Startup to limit what services are started when the PC boots. Any suggestions on where I should check next?
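Added example, not part of the post above: rather than guessing at the workstation, ask the domain controllers. Every lockout is recorded as event 4740 on the PDC emulator, and its "Caller Computer Name" field names the machine that sent the bad passwords; the bad attempts themselves are events 4771 (Kerberos pre-authentication failure) or 4776 (NTLM) on whichever DC handled them and carry the client address. The user name is an assumption; the rest is discovered from AD.

```powershell
# Added example (not from the original post): find where a user's lockouts
# originate using the DC audit trail. Requires the ActiveDirectory module
# and rights to read the Security log on the DCs.
Import-Module ActiveDirectory
$User = 'jdoe'
$pdc  = (Get-ADDomain).PDCEmulator

function Get-LockoutEvents {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$DomainController, [int]$Days = 7)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $d.TargetUserName
                # In 4740 the "Caller Computer Name" is carried in TargetDomainName
                Source = $d.TargetDomainName
                DC     = $DomainController
            }
        }
    }
}

$lockouts = Get-LockoutEvents -SamAccountName $User -DomainController $pdc
$lockouts | Format-Table -AutoSize

# The bad-password trail on every DC for the last day. 4771 carries the
# client IP (IpAddress), 4776 the workstation name; a source that is not the
# user's own desk (a server, a phone, a service host) is the culprit.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "\b$User\b" } |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            DC     = $dc
            Client = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
            Status = if ($_.Id -eq 4771) { $d.Status } else { $d.Status }
        }
    }
}
```

If the 4740 source is the user's own workstation, the stale credential is on it (a mapped drive, a scheduled task, a saved RDP connection, or a second session still open on a lock screen); if the source is a server or a mail device, that is where to look, no matter what the workstation shows.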

RODC Installation


Hello All,

We have 2012 R2 domain controllers in our environment.

Now I am planning to install an RODC, and I could not see ActiveDirectoryRodcUpdate under Configuration/ForestUpdates in ADSI Edit.

I need to know where I can get the Adprep.exe file.

I heard that in 2012 we don't have to get it from a mounted CD drive; it is available by default.

Can anyone advise on how to proceed?

regards

Aamir Masthan


NA
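Added example, not part of the post above: a check of what adprep has already recorded in the forest, followed by the promotion itself. On Windows Server 2012 and 2012 R2 media `adprep.exe` is at `\support\adprep\adprep.exe`, but it normally does not have to be run by hand: `Install-ADDSDomainController` (and the Server Manager wizard) performs the forest, domain and RODC preparation automatically when the credential used has Schema Admins, Enterprise Admins and Domain Admins membership. The domain, site, RODC and account names below are assumptions.

```powershell
# Added example (not from the original post): show the adprep state recorded
# in the directory, then promote an RODC with ADDSDeployment, which applies
# any missing preparation itself.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
$dom = (Get-ADDomain).DistinguishedName

function Get-AdprepState {
    # "revision" on each container is the level the matching adprep pass
    # reached. The RODC container only exists after /rodcprep has run, so
    # its absence (the post's observation) simply means that step is pending.
    $checks = [ordered]@{
        ForestUpdates = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$cfg"
        RodcUpdates   = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$cfg"
        DomainUpdates = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$dom"
    }
    foreach ($name in $checks.Keys) {
        $obj = Get-ADObject -Identity $checks[$name] -Properties revision -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = $name; Present = [bool]$obj; Revision = $obj.revision }
    }
}
Get-AdprepState | Format-Table -AutoSize

# Promotion: run on the future RODC, which must already be a domain member.
# -SiteName is mandatory for an RODC; the site should be the branch site so
# that branch clients locate it.
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -ReadOnlyReplica `
    -SiteName 'BranchSite' `
    -InstallDns `
    -Credential (Get-Credential 'CORP\EnterpriseAdmin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# Afterwards the RODC container should be present:
Get-AdprepState | Format-Table -AutoSize
```

If the promotion must be delegated to branch staff without those rights, pre-create the account with `Add-ADDSReadOnlyDomainControllerAccount` using an Enterprise Admin first; the preparation happens then, and the branch-side promotion only needs the delegated admin named in that step.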

Use LDAP Aliases for Authentication?


We have a number of applications that use LDAP authentication with Active Directory. Unfortunately, many of these applications only allow you to specify one server during configuration. We've had situations where the one domain controller specified in the application has had an issue, which has then prevented the application from working properly. My manager wants me to look at utilizing LDAP aliases to get around this situation; however, I have no experience with this, nor can I find much information about it.

Can anyone shed some light on the situation?

Thanks.
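Added example, not part of the post above: how a client finds every domain controller through the DNS records each DC registers, and what to test before pointing an application at an alias instead of one host. The DNS name of the domain itself resolves to the A records of all DCs, so it already works as a round-robin "alias" for plain LDAP; the catch, which the last call in the script demonstrates, is that for LDAPS the name the application connects to has to appear in the DC certificate. The domain and the service account are assumptions; `Resolve-DnsName` needs Windows 8 / 2012 or later.

```powershell
# Added example (not from the original post): enumerate DCs via the SRV
# records every DC registers, then test an LDAP/LDAPS bind to each, and to
# the domain name used as an alias.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Domain = 'corp.example.com'

function Get-DomainControllers {
    param([Parameter(Mandatory)][string]$Domain, [string]$Site)
    # _ldap._tcp.<site>._sites.dc._msdcs.<domain> lists site-local DCs;
    # without a site, the domain-wide record lists all of them.
    $name = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" } else { "_ldap._tcp.dc._msdcs.$Domain" }
    Resolve-DnsName -Name $name -Type SRV | Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object -ExpandProperty NameTarget
}

function Test-LdapBind {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636, [pscredential]$Credential)
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $c  = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $c.SessionOptions.ProtocolVersion = 3
    $c.SessionOptions.SecureSocketLayer = ($Port -in 636, 3269)
    # A simple bind sends the password in clear, so only allow it under TLS.
    # Certificate validation is left on deliberately: a name mismatch is the
    # exact failure an alias will produce if the DC certificate lacks the name.
    $c.AuthType = if ($c.SessionOptions.SecureSocketLayer) { 'Basic' } else { 'Negotiate' }
    if ($Credential) { $c.Credential = $Credential.GetNetworkCredential() }
    try   { $c.Bind(); [pscustomobject]@{ Server = $Server; Port = $Port; Bind = 'OK' } }
    catch { [pscustomobject]@{ Server = $Server; Port = $Port; Bind = $_.Exception.Message } }
    finally { $c.Dispose() }
}

# Use the UPN form so the simple bind carries a name AD accepts as-is
$cred = Get-Credential "svc-ldap@$Domain"

# Every DC individually
Get-DomainControllers -Domain $Domain | ForEach-Object { Test-LdapBind -Server $_ -Credential $cred }

# The domain name as the "alias" an application could be given
Test-LdapBind -Server $Domain -Port 389 -Credential $cred   # plain LDAP: works (Negotiate)
Test-LdapBind -Server $Domain -Port 636 -Credential $cred   # LDAPS: fails unless the name is in the DC certs
```

If the applications need LDAPS (they should, for a simple bind), the options are to issue the DC certificates with the alias in the Subject Alternative Name, or to put a load balancer or DNS alias in front whose name the certificates carry; a CNAME alone does not change what the DC presents.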

Metadata cleanup

I have a question: is there any way to clean up Active Directory other than metadata cleanup?

SYSVOL constantly disconnecting


I have 8 servers across the state, mixed 2008 R2 and 2012 R2.

Recently the SYSVOL has stopped working.

This is causing Group Policy not to function.

I have to rebuild it once a month or so.

This just started happening out of the blue.

I reset it using D4 and D2 on the BurFlags, and that fixes the issue for a while.
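Added example, not part of the post above: before the next BurFlags reset, find out which DC keeps breaking and why. A recurring need for D4/D2 is the signature of FRS journal wrap (event 13568) or of a DC that cannot reach its partners (13508 with no following 13509), and both are visible in the File Replication Service log of each DC. The script also checks whether SYSVOL is still on FRS at all, because a DFSR-migrated SYSVOL ignores BurFlags entirely. DC names come from AD; the look-back window is an assumption.

```powershell
# Added example (not from the original post): FRS health per DC from the
# event log, plus the SYSVOL replication engine in use.
Import-Module ActiveDirectory
$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddDays(-35)

# 13516 = SYSVOL shared after startup, 13508 = partner unreachable,
# 13509 = partner reachable again, 13568 = journal wrap, 13566 = needs a D2
$frsIds = 13508, 13509, 13516, 13566, 13568

function Get-FrsHealth {
    param([Parameter(Mandatory)][string[]]$Computers, [Parameter(Mandatory)][datetime]$StartTime)
    foreach ($dc in $Computers) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'File Replication Service'; Id = $frsIds; StartTime = $StartTime
        } -ErrorAction SilentlyContinue
        $byId = @{}
        if ($events) { $byId = $events | Group-Object Id -AsHashTable -AsString }
        [pscustomobject]@{
            DC           = $dc
            JournalWraps = @($byId['13568']).Count
            Unreachable  = @($byId['13508']).Count
            Recovered    = @($byId['13509']).Count
            NeedsD2      = @($byId['13566']).Count
            LastSysvolOk = ($byId['13516'] | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            SysvolShared = Test-Path "\\$dc\SYSVOL"
        }
    }
}

Get-FrsHealth -Computers $dcs -StartTime $since | Format-Table -AutoSize

# Global state 0 = SYSVOL still on FRS, 1 = prepared, 2 = redirected,
# 3 = eliminated (DFSR only). If this is not 0 the FRS log above is stale
# and the problem is in the DFSR Replication event log instead.
dfsrmig.exe /getglobalstate
```

A DC that shows journal wraps is the one to fix (usually by raising the NTFS USN journal size FRS uses, or by finding what churns the SYSVOL volume); a DC that shows only 13508 has a transport problem (RPC, DNS or firewall) toward its partner, and resets on the other DCs will not help it. Either way, the durable fix on a 2008 R2+ domain is migrating SYSVOL to DFSR with `dfsrmig`.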

Active Directory - Basic Report showing group membership

I would like to produce a basic 'report' which details the groups I have set up in AD and their members; I would then want to flip this round to produce a list of users and the groups to which they belong.

I am using Server 2008, and there do not seem to be any native export options or anything (I am new to AD!). I asked on some other forums and dsquery was the only 'free' response, but that looked like it had a bit of a learning curve.

Any ideas anyone?
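Added example, not part of the post above: both reports as CSV files with the ActiveDirectory PowerShell module, which ships with RSAT on Server 2008 R2 and Windows 7 (on 2008 RTM, run it from a 2008 R2 or Windows 7 machine that has the module). The second report distinguishes the groups a user is directly a member of from the fully expanded set that access checks actually use, which is what an auditor usually wants. Output paths are assumptions.

```powershell
# Added example (not from the original post): group -> members and
# user -> groups reports exported to CSV.
Import-Module ActiveDirectory

function Get-GroupMembershipReport {
    # One row per (group, direct member). -Recursive would flatten nested
    # groups, but then you lose which group the member actually sits in.
    foreach ($g in Get-ADGroup -Filter * -Properties Description) {
        foreach ($m in Get-ADGroupMember -Identity $g) {
            [pscustomobject]@{
                Group       = $g.SamAccountName
                GroupScope  = $g.GroupScope
                Description = $g.Description
                Member      = $m.SamAccountName
                MemberType  = $m.objectClass
            }
        }
    }
}

function Get-UserGroupReport {
    foreach ($u in Get-ADUser -Filter * -Properties memberOf) {
        # memberOf: direct memberships only (and never the primary group)
        $direct = $u.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName }
        # tokenGroups: every SID the user's token carries (nested groups and
        # the primary group). It is a constructed attribute, only returned on
        # a base-scope read of the single object, hence the second call.
        $sids = (Get-ADUser -Identity $u.DistinguishedName -Properties tokenGroups).tokenGroups
        $effective = $sids | ForEach-Object { (Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue).SamAccountName }
        [pscustomobject]@{
            User            = $u.SamAccountName
            Enabled         = $u.Enabled
            DirectGroups    = ($direct | Sort-Object) -join '; '
            EffectiveGroups = ($effective | Where-Object { $_ } | Sort-Object -Unique) -join '; '
        }
    }
}

Get-GroupMembershipReport | Export-Csv C:\Reports\GroupMembers.csv -NoTypeInformation
Get-UserGroupReport       | Export-Csv C:\Reports\UserGroups.csv  -NoTypeInformation
```

`Get-ADGroupMember` fails on groups that contain members from other domains or forests (foreign security principals); if you have those, replace it with `Get-ADGroup -Properties member` and resolve each DN yourself.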

New Replica Of AD LDS Fails When Functional Level Is Too High


I have a simple AD LDS instance set up on a Windows 2016 server:

c:\windows\ADAM\adaminstall /answer:E:\ADLDS\instance3\adaminstall.cfg

with the content of E:\ADLDS\instance3\adaminstall.cfg

[ADAMInstall]
ApplicationPartitionsToReplicate=*
InstallType=Unique
InstanceName=instance2
LocalLDAPPortToListenOn=3891
LocalSSLPortToListenOn=6361
AddPermissionsToServiceAccount=Yes
NewApplicationPartitionToCreate=dc=com
DataFilesPath=E:\ADLDS\instance2\data
LogFilesPath=E:\ADLDS\instance2\log
Administrator=myAdminGroup

I can add a replica instance using the following install file:

[ADAMInstall]
ConfigurationSetLevel=5
ApplicationPartitionsToReplicate=*
InstallType=Replica
InstanceName=instance3
LocalLDAPPortToListenOn=3892
LocalSSLPortToListenOn=6362
DataFilesPath=E:\ADLDS\instance3\data
LogFilesPath=E:\ADLDS\instance3\log
SourceServer=localhost
SourceLDAPPort=3891
Administrator=MyAdminGroup


But if I change the functional level of the first instance to WIN2012R2 (msDS-Behavior-Version=6) before I create the replica instance, the creation of the replica fails:

Active Directory Lightweight Directory Services could not create the NTDS Settings object for this Active Directory Lightweight Directory Services instance CN=NTDS Settings,CN=<Server name>$instance3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={6BA71401-BACF-47A0-A59B-9F8CC9A6E9C2} on the remote AD LDS instance localhost:3891. Ensure the provided network credentials have sufficient permissions.
Error code: 0x80072177
The version of the operating system installed on this server is incompatible with the functional level of the domain or forest.

This problem is already described in https://jorgequestforknowledge.wordpress.com/category/active-directory-lightweight-directory-services-adlds/functional-level/, but there the author says this issue no longer exists in Windows 2016; apparently it does.

Is there any way one can add a replica to an AD LDS instance whose functional level is WIN2012R2?
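Added example, not part of the post above: read the configuration set's functional level and the level the running instance reports over LDAP on the instance port, so the mismatch that adaminstall reports as 0x80072177 is visible before a replica is attempted. The host and port are the post's; the DN of the configuration partition is taken from RootDSE rather than assumed, and the attribute names are the same ones AD DS uses for forest and DC functionality.

```powershell
# Added example (not from the original post): query an AD LDS instance on a
# non-standard port for its configuration set level and what the host can do.
function Get-AdLdsFunctionalLevel {
    param([string]$Server = 'localhost', [int]$Port = 3891)
    $root     = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    $configNc = $root.configurationNamingContext.Value
    # msDS-Behavior-Version on CN=Partitions is the configuration set level;
    # RootDSE's domainControllerFunctionality is the highest level this
    # instance (i.e. this OS) can participate in.
    $partitions = [ADSI]"LDAP://${Server}:${Port}/CN=Partitions,$configNc"
    [pscustomobject]@{
        Server                  = "${Server}:${Port}"
        ConfigurationNC         = $configNc
        ConfigSetLevel          = [int]$partitions.'msDS-Behavior-Version'.Value
        ForestFunctionality     = [int]$root.forestFunctionality.Value
        InstanceMaxFunctionality = [int]$root.domainControllerFunctionality.Value
    }
}

$state = Get-AdLdsFunctionalLevel -Server localhost -Port 3891
$state | Format-List

# Levels: 2 = WIN2003, 3 = WIN2008, 4 = WIN2008R2, 5 = WIN2012, 6 = WIN2012R2, 7 = WIN2016.
# A replica can only join if the instance it is created on reports at least
# the configuration set level; the same check for the prospective replica host
# is Get-AdLdsFunctionalLevel against any instance already running there.
if ($state.InstanceMaxFunctionality -lt $state.ConfigSetLevel) {
    Write-Warning "This host reports level $($state.InstanceMaxFunctionality) but the configuration set is at $($state.ConfigSetLevel)."
}
```

Raising `msDS-Behavior-Version` is one-way; if the level was raised on a single-instance configuration set ahead of the replica, the practical route is to create the replica first at the level the install file accepts (`ConfigurationSetLevel=5`, as in the post's working file) and raise the set afterwards, once every member reports the higher value.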

Enabling LDAP SSL on 2012 DCs - multiple certificates


Hi, 

I have 4 2012 DCs; LDAP SSL is already enabled using a SHA1 certificate from an old Certificate Authority (CA) we have. The DCs currently have a certificate from the "Domain Controller" template.

Recently we deployed a new 20126 SHA256 AD CS CA. I want each DC to get a new SHA256 certificate from the new CA. I'm planning on making the "Kerberos Authentication" template available to the 2012 DCs and configuring the Default Domain Controllers GPO so that the DCs automatically get a certificate from the Kerberos template and renew it as needed.

A couple of questions:

1. Are there any issues with having a "Domain Controller" and a Kerberos Authentication certificate on a DC simultaneously?

2. Generally, do I need to configure GPOs to deploy DC certificates, or is it done by AD automatically?

Thanks in advance


IT Support/Everything
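Added example, not part of the post above: with more than one machine certificate carrying the Server Authentication EKU (both the Domain Controller and the Kerberos Authentication templates do), Schannel picks one for LDAPS, and the only reliable way to know which is to connect to port 636 and look at what is served. The script inventories the candidates on each DC, including template and signature algorithm, and then reads the certificate each DC actually presents. DC names come from AD; it needs WinRM to the DCs for the inventory half.

```powershell
# Added example (not from the original post): list LDAPS-capable machine
# certificates on each DC and show which one Schannel actually serves on 636.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

function Get-ServerAuthCerts {
    param([Parameter(Mandatory)][string]$Computer)
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
            ForEach-Object {
                # The template name is in the "Certificate Template Information"
                # extension (1.3.6.1.4.1.311.21.7) on v2 and later templates.
                $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
                [pscustomobject]@{
                    Computer   = $env:COMPUTERNAME
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    SigAlg     = $_.SignatureAlgorithm.FriendlyName
                    NotAfter   = $_.NotAfter
                    Template   = if ($ext) { ($ext.Format($false) -split ',')[0] } else { '(v1 / none)' }
                }
            }
    }
}

function Get-LdapsServedCert {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # The callback returns $true so that whatever is served can be inspected,
    # including a certificate that real clients would reject.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server           = $Server
            Port             = $Port
            Protocol         = $ssl.SslProtocol
            ServedThumbprint = $c.Thumbprint
            SigAlg           = $c.SignatureAlgorithm.FriendlyName
            NotAfter         = $c.NotAfter
        }
    } finally { $ssl.Dispose(); $tcp.Close() }
}

foreach ($dc in $dcs) {
    Get-ServerAuthCerts -Computer $dc | Format-Table -AutoSize
    Get-LdapsServedCert -Server $dc
}
```

On the GPO question: domain controllers obtain the v1 Domain Controller certificate through the DC's own enrollment, but v2 templates such as Kerberos Authentication are delivered by the Certificate Services Client auto-enrollment policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies), which has to be enabled in a GPO that applies to the DCs, with the Domain Controllers group granted Enroll and Autoenroll on the template. If the served thumbprint keeps pointing at the old SHA1 certificate after the new one arrives, remove the old one from the store; the Kerberos Authentication template supersedes the Domain Controller template if that is configured on the template, which removes it for you.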


Questions about 2003 Domain upgrade to 2012 R2 with Unix Attributes

My bosses have finally agreed to upgrade our 2003 domain controllers. My only concern is that the existing 2003 servers are currently using Windows Services for UNIX and NIS. I'm more than a little concerned that once I add a 2008 R2 DC and start removing the 2003 DCs, the existing UNIX attributes for user accounts will be removed.

The NIS domain itself doesn't appear to be used anymore, but the rest of the UNIX attributes are still actively being used. So I need to confirm whether or not the 2003 UNIX attributes will still be present after 2003 is gone.

Is it accurate that the attributes won't be changed when moving from 2003 to 2008 to 2012, but that in order to access them and make changes I'll need to start using Identity Management for UNIX in 2008/2012?

Vincent Sprague
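Added example, not part of the post above: a way to make the question answerable with evidence instead of expectation. The RFC 2307 attributes (`uidNumber`, `gidNumber`, `unixHomeDirectory`, `loginShell`, `gecos`) and the SFU ones (`msSFU30Name`, `msSFU30NisDomain`) are ordinary schema attributes that replicate to every DC; only the management UI (the UNIX Attributes tab from Ident ity Management for UNIX) depends on a component being installed. The script takes a baseline of every user that has a `uidNumber` before the first 2003 DC is removed and diffs it after each step. Output paths are assumptions.

```powershell
# Added example (not from the original post): snapshot and diff the UNIX
# attributes of all users across the DC upgrade.
Import-Module ActiveDirectory
$attrs = 'uidNumber', 'gidNumber', 'unixHomeDirectory', 'loginShell', 'gecos',
         'msSFU30Name', 'msSFU30NisDomain'

function Export-UnixAttributes {
    param([Parameter(Mandatory)][string]$Path)
    Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties $attrs |
        Select-Object (@('SamAccountName', 'DistinguishedName') + $attrs) |
        Sort-Object SamAccountName |
        Export-Csv -Path $Path -NoTypeInformation
    @(Import-Csv $Path).Count
}

function Compare-UnixAttributes {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $baseline = @{}
    foreach ($row in Import-Csv $Before) { $baseline[$row.SamAccountName] = $row }
    $afterRows = @(Import-Csv $After)

    foreach ($row in $afterRows) {
        $old = $baseline[$row.SamAccountName]
        if (-not $old) { "{0}: new since baseline" -f $row.SamAccountName; continue }
        foreach ($a in $attrs) {
            if ($row.$a -ne $old.$a) {
                "{0}: {1} changed '{2}' -> '{3}'" -f $row.SamAccountName, $a, $old.$a, $row.$a
            }
        }
    }
    $afterNames = $afterRows.SamAccountName
    foreach ($name in $baseline.Keys) {
        if ($afterNames -notcontains $name) { "${name}: no longer has a uidNumber" }
    }
}

# Before touching the 2003 DCs:
"Users with a uidNumber at baseline: " + (Export-UnixAttributes -Path C:\Reports\unix-before.csv)

# After each DC change (run against a 2008 R2 / 2012 DC with -Server if needed):
# Export-UnixAttributes -Path C:\Reports\unix-after.csv
# Compare-UnixAttributes -Before C:\Reports\unix-before.csv -After C:\Reports\unix-after.csv
```

An empty diff after the last 2003 DC is demoted is the confirmation the post asks for; the NIS server role itself (the part of SFU that answers ypbind) is what actually disappears with the 2003 DCs, and that is the only piece the compare cannot cover.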

Reconnect child domain to parent AD forest without demoting child domain controllers

Hi all,

In my parent AD forest with 2 domain controllers, I cannot see either of my child domain controllers in AD Sites and Services. Repadmin status is all "0", which is good, but it is only replicating between the two parent domain controllers. DCDiag shows the KCC event errors below.

"The partition DC=child,DC=parent,DC=gov,DC=sg should be hosted at site CN=HQ,CN=Sites,CN=Configuration,DC=parent,DC=gov,DC=sg, but has not been instantiated yet. However, the KCC could not find any hosts from which to replicate this partition."

In my disconnected child domain, in AD Sites and Services, I can see both parent domain DCs and both child domain DCs. DCDiag shows the KCC errors below.

"The event log Directory Service on server dc.parent.gov.sg could not be queried, error 0x6ba "The RPC server is unavailable."

"The event log Directory Service on server dc.parent.gov.sg could not be queried, error 0x5 "Access is denied."

How can I create the replication pairs in the parent domain? As the child domain controller is missing, I cannot manually create an NTDS connection. I tried running repadmin /kcc, but it did not help. I have also verified that there are no lingering objects in Active Directory. Domain and trust ports between parent and child are allowed as well.

Regards,
Chiew Sheng
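Added example, not part of the post above: the two dcdiag messages name different failures (0x6ba is a transport problem, RPC not reachable at all; 0x5 is an authentication problem, the connection was made but the caller was refused), so the first step from a parent DC is to establish which one applies before trying to create connections. The script probes the ports the KCC and replication need, checks whether the child DCs' server objects and SRV records are visible from the parent side, and then shows what the parent already knows about the child naming context. Host names are assumptions; the naming context is the one from the post.

```powershell
# Added example (not from the original post): replication triage from a
# parent DC toward a child DC, matching the dcdiag messages in the post.
Import-Module ActiveDirectory
$childDc  = 'childdc01.child.parent.gov.sg'
$childNc  = 'DC=child,DC=parent,DC=gov,DC=sg'
$parentDc = $env:COMPUTERNAME

function Test-DcConnectivity {
    param([Parameter(Mandatory)][string]$Target)
    # 53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB, 3268 GC.
    # RPC then uses the dynamic range (49152-65535 on 2008+), which a single
    # port probe cannot prove; 0x6ba with 135 open usually means that range.
    foreach ($p in 53, 88, 135, 389, 445, 3268) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $p; Open = $r.TcpTestSucceeded; ResolvedTo = $r.RemoteAddress }
    }
}

Test-DcConnectivity -Target $childDc | Format-Table -AutoSize

# Which DC objects (nTDSDSA) does this forest's configuration partition hold?
# The child's DCs must appear here for the KCC to have a source for $childNc.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$cfg" |
    Select-Object DistinguishedName

# Has the child registered its locator records in the parent's DNS?
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.child.parent.gov.sg' -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port

# What the parent DC currently replicates, and the forest-wide summary
repadmin.exe /showrepl $parentDc
repadmin.exe /replsummary

# Only once 135/389/445 are open AND the child's nTDSDSA objects are listed:
# repadmin.exe /add $childNc $parentDc $childDc
```

If the nTDSDSA objects for the child DCs are missing on the parent side while the child side still shows everything, the configuration partition itself has diverged, and that is what needs to replicate first; if they are present and the ports are open, the 0x5 message points at the trust or the child DCs' computer secrets, which `netdom trust child.parent.gov.sg /domain:parent.gov.sg /verify` checks from a child DC.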

Windows Server 2008 R2 SSL v3 vulnerability error against ports 3269 and 636


Hi. Recently our network team ran a vulnerability test on our network. In the results we got an SSL v3 vulnerability error on Windows Server 2008 R2 on ports 3269 and 636. I have read some documents and articles and I applied some security patches for this issue, but it could not be resolved. I need some clarification and also a solution for this issue.

I appreciate your help.
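Added example, not part of the post above: 636 is LDAPS and 3269 is the Global Catalog over SSL, and both are served by Schannel, so the finding is not an LDAP or AD setting and no patch turns SSL 3.0 off; it is disabled through the system-wide Schannel protocol registry keys. The script disables SSL 2.0 and SSL 3.0 (server and client side) and prints the resulting table so you can confirm that at least TLS 1.0 stays enabled, which matters on 2008 R2 because TLS 1.1 and 1.2 are not enabled by default there. A reboot is needed before Schannel re-reads the keys; the verification commands at the end are the check to run from another host afterwards.

```powershell
# Added example (not from the original post): disable SSL 2.0 / 3.0 in
# Schannel on a 2008 R2 DC and show the protocol state.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'SSL 3.0', 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps
        # it off even for callers that ask for the "default" protocol set.
        New-ItemProperty -Path $key -Name Enabled -Value ([int]$Enabled) -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $proto) $side
            $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -eq $v.Enabled) { '(OS default)' } else { $v.Enabled }
                DisabledByDefault = if ($null -eq $v.DisabledByDefault) { '(OS default)' } else { $v.DisabledByDefault }
            }
        }
    }
}

Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
# Make TLS 1.0 explicitly available so LDAPS keeps working after the reboot
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $true
Get-SchannelProtocolState | Format-Table -AutoSize

# After the reboot, from another machine: the SSL3-only handshake must fail,
# the TLS one must succeed.
#   openssl s_client -connect dc01.corp.example.com:636  -ssl3
#   openssl s_client -connect dc01.corp.example.com:3269 -tls1
```

Because the keys are machine-wide, every Schannel consumer on the DC (RDP, IIS, WinRM over HTTPS) loses SSL 3.0 at the same time, which is the intended outcome but worth knowing before the reboot.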

 

I have two sites (172.16.30.2 Noida PDC & 172.16.55.2 & 172.16.55.3 both ADC Delhi) and I want Delhi users to authenticate only to the Delhi ADC


Hi Support,

I have two sites (172.16.10.5 Noida PDC & 172.16.55.2 & 172.16.55.3 both ADC Delhi), and I want to set it up so that Delhi users authenticate only to the Delhi ADC, not the Noida PDC.

  • What steps need to be followed for this process?
  • What are the Ethernet settings for the ADC?
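Added example, not part of the two posts it serves (this one and the RODC post above): which DC a client authenticates against is decided by AD sites and subnets, not by the Ethernet settings of the DC. A client's IP is matched to a subnet object, the subnet belongs to a site, and the DC locator returns the DCs in that site first. The script creates a Delhi site, maps the Delhi subnet to it and moves both Delhi DCs into it, then lists the client-side commands that prove which DC was located. The same mechanism is what makes a branch node use an RODC: the node's subnet must map to the RODC's site, and the DNS servers the node uses must hold the site-specific SRV records. Site and subnet values are from the post; DC and domain names are assumptions.

```powershell
# Added example (not from the posts): put the Delhi DCs in their own site
# with the Delhi subnet, so Delhi clients locate them first.
Import-Module ActiveDirectory

function New-SiteWithSubnet {
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][string[]]$Subnets,            # CIDR, e.g. 172.16.55.0/24
        [Parameter(Mandatory)][string[]]$DomainControllers,
        [string]$SiteLink = 'DEFAULTIPSITELINK'
    )
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Site'")) {
        New-ADReplicationSite -Name $Site
        # Inter-site replication only happens between sites in a common link
        Set-ADReplicationSiteLink -Identity $SiteLink -SitesIncluded @{ Add = $Site }
    }
    foreach ($s in $Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$s'")) {
            New-ADReplicationSubnet -Name $s -Site $Site
        }
    }
    foreach ($dc in $DomainControllers) {
        # Moves the server object under CN=Servers,CN=<Site>; the DC then
        # re-registers its site-specific SRV records in DNS
        Move-ADDirectoryServer -Identity $dc -Site $Site
    }
    Get-ADDomainController -Filter "Site -eq '$Site'" | Select-Object Name, IPv4Address, Site, IsReadOnly
}

New-SiteWithSubnet -Site 'Delhi' -Subnets '172.16.55.0/24' -DomainControllers 'ADC1', 'ADC2'

# Verify from a Delhi client (DNS on the client: Delhi DCs first, Noida as fallback):
#   nltest /dsgetdc:corp.example.com /force   -> "Dom Site Name: Delhi" and a Delhi DC
#   nltest /dsgetsite                          -> the site the client was mapped to
#   echo %LOGONSERVER%                         -> the DC that handled the logon
```

"Only" is not something the locator offers: if both Delhi DCs are unreachable, clients fall back to DCs in other sites, which is the behaviour you want. For the RODC case, the node in that post resolved nothing at all; `nltest /dsgetdc` on it will say whether the problem is the site mapping or DNS before anything about the RODC itself is examined.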


IIS 8 - DirectoryServices - WCF Access is denied Exception with Windows Authentication


Hi,

I work on a WCF service to manage group members from an ASP.NET MVC web application hosted on an IIS web server with Windows Authentication enabled, like this:

Client (web browser) -> Website (ASP.NET MVC 5) -> Webservice WCF -> AD

Users are connected successfully to the service with their identity, but they can't change group membership; the Save() method of the GroupPrincipal class throws an "Access is denied" exception.

Server stack trace: 
   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at GHESPAR_WEB.ServiceAPI.IGhesparService.AddMembersToGroup(String groupName, String[] users)
   at GHESPAR_WEB.ServiceAPI.GhesparServiceClient.AddMembersToGroup(String groupName, String[] users)
   at GHESPAR_WEB.Controllers.HomeController.AddUsersToGroup(String groupName, String[] users)

At the same time, the user can update the membership list without any problem with RSAT, so it isn't a "simple" permission issue.

The website works well on my computer with IIS Express and Visual Studio, with the same AD and my Windows account. When I try with the production server, access is denied too. So IIS is probably misconfigured, or maybe my web services.

Source code:

AddMembersToGroup() method in the WCF service:

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public void AddMembersToGroup(string groupName, string[] users)
{
    string identity = ServiceSecurityContext.Current.WindowsIdentity.Name;
    string domain = identity.Split('\\')[0];

    using (HostingEnvironment.Impersonate())
    {
        using (PrincipalContext context = new PrincipalContext(ContextType.Domain, domain))
        {
            GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupName);

            foreach (var user in users)
            {
                group.Members.Add(context, IdentityType.Name, user);
            }

            group.Save(); // <- Access is denied exception
        }
    }
}

The ServiceSecurityContext server-side property values when the user is connected seem good:

ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel = Impersonation
ServiceSecurityContext.Current.WindowsIdentity.IsAuthenticated = true
ServiceSecurityContext.Current.WindowsIdentity.AuthenticationType = Negotiate
ServiceSecurityContext.Current.WindowsIdentity.Name = "DOMAIN\USERNAME" (current connected user)

I have the same values with the Visual Studio debugger on my desktop computer and IIS Express.

AddUsersToGroup() controller method in the ASP.NET web app:

[HttpPost]
[Route("addMembersToGroup")]
public ActionResult AddUsersToGroup(string groupName, string[] users)
{
    try
    {
        GhesparServiceClient client = new GhesparServiceClient();
        client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        client.ChannelFactory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        client.AddMembersToGroup(groupName, users);
        client.Close();
    }
    catch (FaultException<Fault> fault)
    {
        return Json(new { success = false, message = fault.Detail.Message });
    }
    catch (Exception e)
    {
        return Json(new { success = false, message = e.Message, trace = e.StackTrace });
    }

    return Json(new { success = true });
}

Configuration files on the production server:

WCF web.config : https://pastebin.com/YCUFSbaY

ASP.NET web.config : https://pastebin.com/6FDPmPXH

IIS configuration on the production server:

- I enabled ASP.NET Impersonation and Windows Authentication, and disabled Anonymous Authentication, for the ASP.NET app.

- I enabled Windows Authentication and disabled Anonymous Authentication for the WCF app.

- Switched the managed pipeline mode to "Classic" and the identity to ApplicationPoolIdentity for the ASP.NET application pool.

- Switched the managed pipeline mode to "Integrated" and the identity to ApplicationPoolIdentity for the WCF application pool.


Did I forget something? :)

Best regards.
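Added example, not from either post it serves (this one and the certsrv web enrollment post at the top of the page): both describe a Kerberos "double hop". In the first, Server-2 (web enrollment) accepts the user's credentials and must call the CA on Server-1 over DCOM as that user; in the second, the IIS site accepts the user and calls the WCF service, which in turn must call a domain controller as that user. Both work from localhost because no second hop happens there. For the hop to be forwarded, the front-end computer account (the app pools run as ApplicationPoolIdentity, so the computer account is the security principal) must be trusted for delegation to the specific back-end service, and that service must be reachable by an SPN the client can request, otherwise the client silently falls back to NTLM, which cannot be forwarded at all. The script audits and configures constrained delegation for both cases. Host names are assumptions; the target services are the documented ones (HOST and RPCSS of the CA for web enrollment, HTTP of the WCF host for the web front end, ldap of the DCs for the WCF host).

```powershell
# Added example (not from the posts): audit and configure Kerberos
# constrained delegation for a front-end computer account.
Import-Module ActiveDirectory

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$Computer)
    $c = Get-ADComputer -Identity $Computer -Properties TrustedForDelegation, TrustedToAuthForDelegation,
            'msDS-AllowedToDelegateTo', servicePrincipalName
    [pscustomobject]@{
        Computer            = $c.Name
        Unconstrained       = $c.TrustedForDelegation        # avoid: any service, any target
        ProtocolTransition  = $c.TrustedToAuthForDelegation   # "use any authentication protocol"
        AllowedToDelegateTo = @($c.'msDS-AllowedToDelegateTo') -join '; '
        SPNs                = @($c.servicePrincipalName) -join '; '
    }
}

function Test-SpnRegistered {
    param([Parameter(Mandatory)][string]$Spn)
    # An SPN that is missing or registered twice makes clients fall back to
    # NTLM; exactly one owner is the only healthy state.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
    [pscustomobject]@{ Spn = $Spn; Owners = ($owners.Name -join '; '); Ok = ($owners.Count -eq 1) }
}

function Add-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$FrontEnd,        # computer that receives the user's ticket
        [Parameter(Mandatory)][string[]]$TargetSpns,    # services it may call on the user's behalf
        [switch]$AnyAuthProtocol                         # needed when the first hop may be NTLM (e.g. a browser that
                                                         # cannot get a ticket); otherwise leave Kerberos-only
    )
    Set-ADComputer -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
    if ($AnyAuthProtocol) {
        Set-ADAccountControl -Identity (Get-ADComputer -Identity $FrontEnd) -TrustedToAuthForDelegation $true
    }
    Get-DelegationState -Computer $FrontEnd
}

# Case 1: web enrollment proxy -> CA (DCOM uses the HOST and RPCSS services)
Test-SpnRegistered -Spn 'HOST/ca01.corp.example.com'
Add-ConstrainedDelegation -FrontEnd 'WEBENROLL01' `
    -TargetSpns 'HOST/ca01.corp.example.com', 'RPCSS/ca01.corp.example.com' -AnyAuthProtocol

# Case 2: IIS site -> WCF service -> AD
Test-SpnRegistered -Spn 'HTTP/wcf01.corp.example.com'
Add-ConstrainedDelegation -FrontEnd 'WEB01' -TargetSpns 'HTTP/wcf01.corp.example.com'
$dcSpns = (Get-ADDomainController -Filter *).HostName | ForEach-Object { "ldap/$_" }
Add-ConstrainedDelegation -FrontEnd 'WCF01' -TargetSpns $dcSpns
```

Two checks go with the configuration. First, HTTP SPNs are only implicit for the computer's own host name; a site reached through a different name (an alias, a load-balanced name) needs `setspn -S HTTP/<that name> <computer>` or the browser will not get a ticket. Second, on the WCF side the client also has to permit the onward hop: the web application in the post sets `AllowedImpersonationLevel` to `Impersonation`, which only lets the service use the token on its own host, whereas using it against a DC requires `TokenImpersonationLevel.Delegation` on the client and matching delegation rights on the service's computer account. Without both, `Save()` runs as the app pool's computer account against AD, which is where an "Access is denied" on a group write comes from even though the same user can edit the group in RSAT.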





