So we have a fairly standard AD environment. One forest root domain <company.inc> and multiple child domains <child1.company.inc>, <child2.company.inc>, etc. We have a universal security group in the parent domain that is used to grant VPN access to users in multiple child domains. So here's the weird part. Everything used to work fine but now when I add a child domain user to the parent domain security group (from an ADUC connection to a DC in the parent domain) the membership does not replicate to the user object in the child domain (when viewed from an ADUC connection to a DC in the child domain). What's even weirder is that if I follow the same procedure but add the child domain user to a security group in it's own child domain the membership replicates and is visible within minutes.

Any ideas?

Thank you,

John

Hi, Recently our network team runs vulnerability test in our network. In the result we got SSL V3 Vulnerability error in windows server 2008 r2 in the ports 3269 and 636. I have read out some documents, articles and i did some security patches for this issue but it couldn't resolve. I need some clarification and also a solution for this issue. 

I appreciate your help. 

Hi,

I work on a WCF service to manage groups members from an ASP.NET MVC web application hosted on IIS webserver with Windows Authentification enabled. Like that :

Client (web browser) -> Website (ASP.NET MVC 5) -> Webservice WCF -> AD

Users are connected successfully to the service with their identity but they can't change groups membership, Save() method of GroupPrincipal class returns "Access is denied" Exception.

Server stack trace: 
   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at GHESPAR_WEB.ServiceAPI.IGhesparService.AddMembersToGroup(String groupName, String[] users)
   at GHESPAR_WEB.ServiceAPI.GhesparServiceClient.AddMembersToGroup(String groupName, String[] users)
   at GHESPAR_WEB.Controllers.HomeController.AddUsersToGroup(String groupName, String[] users)

At the same time, user can update membership list without any problem with RSAT, so it isn't a "simple" permission issue.

The website works well on my computer with IIS Express and Visual Studio, with same AD and my Windows account. When I try with production server, access is denied too. So IIS is probably misconfigured or maybe my webservices.

Source code :

AddMembersToGroup() Method in WCF service :

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public void AddMembersToGroup(string groupName, string[] users)
{
    string identity = ServiceSecurityContext.Current.WindowsIdentity.Name;
    string domain = identity.Split('\\')[0];

    using (HostingEnvironment.Impersonate())
    {
        using (PrincipalContext context = new PrincipalContext(ContextType.Domain, domain))
        {
            GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupName);

            foreach (var user in users)
            {
                group.Members.Add(context, IdentityType.Name, user);
            }

            group.Save(); // <- Access is denied exception
        }
    }
}

ServiceSecurityContext server side properties values when user is connected seems good.

I have same values with Visual studio debugger on my desktop computer and IIS Express.

AddUsersToGroup() Controller Method in ASP.NET webapp :

[HttpPost]
[Route("addMembersToGroup")]
public ActionResult AddUsersToGroup(string groupName, string[] users)
{
    try
    {
        GhesparServiceClient client = new GhesparServiceClient();
        client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        client.ChannelFactory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        client.AddMembersToGroup(groupName, users);
        client.Close();
    }
    catch (FaultException<Fault> fault)
    {
        return Json(new { success = false, message = fault.Detail.Message });
    }
    catch (Exception e)
    {
        return Json(new { success = false, message = e.Message, trace = e.StackTrace });
    }

    return Json(new { success = true });
}

Configuration files on production server :

WCF web.config : https://pastebin.com/YCUFSbaY

ASP.NET web.config : https://pastebin.com/6FDPmPXH

IIS configuration on production server :

- I enabled ASP.NET Impersonation, Windows Authentification and disabled Anonymous Authentication for ASP.NET app.

- I enabled Windows Authentification and disabled Anonymous Authentication for WCF app.

- Switch Managed pipeline mode to "classic" and identity to ApplicationPoolIdentity for ASP.NET application pool.

- Switch Managed pipeline mode to "Integrated" and identity to ApplicationPoolIdentity for WCF application pool.

UPDATE: When I change the IIS WCF application pool to run under a user domain account instead of the Application Pool Identity, it works. How can I run a WCF application pool under current user identity without getting "Access is Denied" Exception on GroupPrincipal.Save() method ?

UPDATE 2 : I tried with "ServiceSecurityContext.Current.WindowsIdentity.Impersonate()" instead of "HostingEnvironment.Impersonate()" to impersonate user identity before calling Save() Method but I got this exception :"An operations error occurred"

Did I forget something ? :)

Best regards.

Hi,this is on Window Server 2018 R2 Enterprise edition.

I got this error when I added organization Unit.

org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException: 00002082: AtrErr: DSID-03050C79, #1:
        0: 00002082: DSID-03050C79, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att b (ou):len 160

I'm guessing that length of organization unit casues error.

So here's my question. where can I find the maximum length of strings I can use?

Thank you. 

Hi all,

I have two AD which are AD01(Win2k12 FSMO) and AD02(WIN2k8 R2 SP1). One day my AD01 crashed and I have restored the AD01 but backup date was one month earlier than current.

The problem now is AD02 set to FSMO during AD01 are offline. When I turn ON AD01 to online and tried to replciared data from AD02 to AD01 and its not working. now AD01 turned off back due to credential issue.

AD01 netdom query

C:\Windows\system32>netdom query fsmo
Schema master                    AD01.mydomain.com
Domain naming master        AD01.mydomain.com
PDC                                      AD01.mydomain.com
RID pool manager                AD01.mydomain.com
Infrastructure master          AD01.mydomain.com
The command completed successfully.

AD02 netdom query

C:\Windows\system32>netdom query fsmo
Schema master                    AD02.mydomain.com
Domain naming master        AD02.mydomain.com
PDC                                      AD02.mydomain.com
RID pool manager                AD02.mydomain.com
Infrastructure master           AD02.mydomain.com
The command completed successfully.

Do you have any idea to resolve this.I have plan to

From AD01 server

1. Transfer all to AD02

2. Sync all udpated ActiveDrirectory

after all done, switch back FSMO to AD01.

Hello,

I'm trying to get a health status from dcdiag of all domain controllers in a single forest multi domain structure, but when I run the dcdiag with /s from the parent DC and choose a remote child dc server in a remote site  dcdiag fails advertising and locator test, but when running from locally and remotely from the same child domain DC it's running fine, is it normal ? my guess is that since advertising test tries to access it using a netbios name instead of the fqdn it fails any thoughts or reommendations ?

Hi,

in organization two domain with two way trust qwe.com and zxc.com. I add two new domain controllers to zxc.com and have a problem.

When I add user from qwe.com to group of zxc.com, and after that try to show members.

On new domain controller I cam see this

and on old domain controllers - ok

From new domain controller I can search users from qwe.com directory. In ForeignSecurityPrincipals OU (on new domain controller) I can see objects like SID and can not see there attributes. On the old controller, I can see the objects and their properties.

BPA error is:

Title:
Domain controller DC02.zxc.com must have "Access this Computer from the Network" granted to the appropriate security principals
Severity
Error
Problem:
Domain Controller DC02.zxc.com does not have user right "Access this computer from the network" granted to 'Builtin Administrators', 'Enterprise Domain Controllers' or 'Authenticated Users', or has the user right "Deny access to this computer from the network" assigned to either of those groups or 'Everyone'.

Impact:
Replication operations initiated by other domain controllers in the domain or by administrators may fail. Users and computers may also experience failure to apply Group Policy objects.

Resolution
Verify that the domain controllers in the domain zxc.com have this user right granted to the appropriate security principals. Using Group Policy Management and Group Policy Results, verify that the winning Group Policy for the "Access this computer from the network" user right grants that right to the 'Builtin Administrators', 'Enterprise Domain Controllers', and 'Authenticated Users' groups. Verify that the policy setting "Deny access to this computer from the network" does not have 'Everyone', 'Authenticated Users', 'Builtin Administrators' or 'Enterprise Domain Controllers' groups defined in it.

I check policy, and all permission are default.

Title:
Domain controller DC02.zxc.com must have "Enable computer and user accounts to be trusted for delegation" granted to the Builtin Administrators security group

Problem:
Domain controller DC02.zxc.com must have the "Enable computer and user accounts to be trusted for delegation" user right granted to the Builtin Administrators security group if domain controller DC02.zxc.com is used as a replication partner during a domain controller promotion.

Impact:
Installation of additional domain controllers (promoting replica domain controllers) in domain zxc.com may fail if they select domain controller DC02.zxc.com as a replication partner during the installation.

Resolution
Verify that the current domain controllers in domainzxc.com  have the "Enable computer and users accounts to be trusted for delegation" user right granted to the Builtin Administrators group

http://go.microsoft.com/fwlink/?LinkId=168842

http://go.microsoft.com/fwlink/?LinkId=168864

I have network shared drive (hosted on my file server) that I would like to audit. On my DC I have set up group policy called "My auditing policy". 

Then under In “Group Policy Management Editor” under  “Computer Configuration” - “Policies” - “Windows Settings” - "Security Settings" -  “Local Policies” and under "Audit Policy" I defined policy to audit "Success" and Failure". Then On my DC I run "gpupdate /force" which gave me warning that some policy will involve re-directed drives and that I needed to log off in order for policy to take effect which I did.

I then proceeded to my file server where this network shared drive is located. This drive has sub directories...

    my shared drive

• directory 1
• directory 2
• directory 3
• ..............
• ...............

   I right click directory 2 and then "Properties" - "Security" - "Advanced" and enabled auditing of this folder (where Principal was  "Everyone").

I went as a regular user (usernameA) on different computer (all machines are domain members) and opened file within directory 2 and when I went into my file server machine and looked in Event Viewer under security I could not find any logs  for "usernameA". So I have 2 questions...

1. How does the policy know which directory needs to be audited?
2. Why am I not seeing any logs in Event Viewer on my file server?

Hi, Richard.

I'm not sure where to post question so i'll ask it here and you can tell me if you want me to ask it somewhere else. I have a domain named, lets say, foo.bar. Using Multi-valued Distinguished Name With Security Principal Editor i want to add another member to some object. When I select user or user group, lets say MyGroup, from that domain (after clicking 'Add Windows Account...' button), In the members window I see MyGroup@FOO as if FOO is domain. I'm not sure why I see selected group in that format and if it is expected or not. I expected MyGroup@foo.bar. Do you know what has happened? Thank you in advance.

Kind regards,

Hi Everyone,

We are planning to upgrade all our Domain Controllers from 2008R2 to 2012R2 or 2016. Presently all our DCs are running with 2008R2 versions where DDL and FFL are 2008R2 and Schema version is 87.

As per as Schema versions is concerned, we can easily put 2012R2 or 2016 in the environment.

I am bit concerned about the MS application like environment still having ShaePoint 2007, Lync 2010, Exchange 2010 and all are in phase of transition to O365.

My concerns : 

1) Will there be any impact to ShaePoint 2007, Lync 2010, Exchange 2010 - if we bring directly 2016 servers without raising DDL or FFL?

2) How do we keep track or get the report of AD integrated applications presently running?

3) What all measures to be taken prior doing this?

We are taking the approach to bring new servers with 2016> join to Domain> Promote as a DC with different IP and hostname> Shutdown old server for 24 hours to check> Demote the old DC and assign the old IP to new server (HostName will be changed).

Last attempted DC will be PDC followed by role transfer and NTP server migration.

Would request all of you to suggest if it can be done in better way or any tool which can identify the applications hard-coded with IPs and HostName.

Thanks in Advance.

Hello Everyone

Recently i Start migrating 700 users and computers with admt after that we going to migrate servers manually with Disjoin and join to new domain and without ADMT . 

So the problem is ( in some servers ) after we join them to new domain the Domain admins not automaticlly add to administrators group ! and in some of them after some while days or two it disapear from administrators group ! and we cannot connect via new domain account !

i must say that , i try to change some servers to workgroup and join them again , for now these servers are ok ! but the ones that join to new domain for the first time have above problem .

i cant find any solution for it and i dont even find what is the problem i know i can use GPO to force domain admins to join administrator group but i dont want do that ,  i want to know what is the problem and i dont have any gpo for my servers or OU that contain these Servers . 

in the old domain we have gpo for all computers to add administrator for local Computer ( windows server 2008)

in new domain we dont have this ( because its windows server 2016 and this policy is gone ) and we dont want it either

but i mentioned that if it can help .

please help me i want to have clean AD with Healthy servers not just apply some GPO to FIX the problem by Force

I have a simple AD LDS instance setup on a Windows 2016 server:

c:\windows\ADAM\adaminstall /answer:E:\ADLDS\instance3\adaminstall.cfg

with the content of E:\ADLDS\instance3\adaminstall.cfg

[ADAMInstall]
ApplicationPartitionsToReplicate=*
InstallType=Unique
InstanceName=instance2
LocalLDAPPortToListenOn=3891
LocalSSLPortToListenOn=6361
AddPermissionsToServiceAccount=Yes
NewApplicationPartitionToCreate=dc=com
DataFilesPath=E:\ADLDS\instance2\data
LogFilesPath=E:\ADLDS\instance2\log
Administrator=myAdminGroup

I can add a replica instance using the following installfile

[ADAMInstall]
ConfigurationSetLevel=5
ApplicationPartitionsToReplicate=*
InstallType=Replica
InstanceName=instance3
LocalLDAPPortToListenOn=3892
LocalSSLPortToListenOn=6362
DataFilesPath=E:\ADLDS\instance3\data
LogFilesPath=E:\ADLDS\instance3\log
SourceServer=localhost
SourceLDAPPort=3891
Administrator=MyAdminGroup

But if I change the functional level of the first instance to WIN2012R2 (msDS-Behavior-Version=6) before I create the replica instance, the creation of the replica fails:

Active Directory Lightweight Directory Services could not create the NTDS Settings object for this Active Directory Lightweight Directory Services
 instance CN=NTDS Settings,CN=<Server name>$instance3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={6BA71401-BACF-47A0-A59B-9F8CC
9A6E9C2} on the remote AD LDS instance localhost:3891. Ensure the provided network credentials have sufficient permissions.
Error code: 0x80072177
The version of the operating system installed on this server is incompatible with the functional level of the domain or forest.

This problem is already described in https://jorgequestforknowledge.wordpress.com/category/active-directory-lightweight-directory-services-adlds/functional-level/ but there the author saysthis issue does not exist in Windows 2016 anymore, but apparently it does.

Is there any way one can add a replica to a AD LDS instance where the functional level is on WIN2012R2?

Hello !

I need to generate domain users list that are local admin on theirs computer in my organization.

I found this script below but when I launch it, I have nothing in the txt and csv file... So It seems not work for me.

Could you help me ?

Many thanks.

function get-localusers {         param(     [Parameter(Mandatory=$true,valuefrompipeline=$true)]     [string]$strComputer)     begin {}     Process {         $adminlist =""         $powerlist =""         $computer = [ADSI]("WinNT://" + $strComputer + ",computer")         $AdminGroup = $computer.psbase.children.find("Administrators")         $powerGroup = $computer.psbase.children.find("Power Users")         $Adminmembers= $AdminGroup.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}         $Powermembers= $PowerGroup.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}         foreach ($admin in $Adminmembers) { $adminlist = $adminlist + $admin + "," }         foreach ($poweruser in $Powermembers) { $powerlist = $powerlist + $poweruser + "," }         $Computer = New-Object psobject         $computer | Add-Member noteproperty ComputerName $strComputer         $computer | Add-Member noteproperty Administrators $adminlist         $computer | Add-Member noteproperty PowerUsers $powerlist         Write-Output $computer           } end {} 
}  Get-Content c:\adminscript\computers.txt | get-localusers | Export-Csv c:\adminscript\localusers.csv 

Julien.

Hi Experts

How to create a service Account in AD?

So I have been through all the online help forums, tutorials, videos, and other online research and I cannot seem to find a solution to my problem. I was trying to access folders located on the file share service on the DC and am unable to as I get the error code 0x80070035 which is the "Network path cannot be found". Then I go into the event viewer and get and error with an event ID: 1058. 

"The processing of Group Policy failed. Windows attempted to read the file %9 from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled."

OpCode: (1)

I tried to resolve a, b, and c; but all of the services were on, sharing permissions were enabled, and nothing was fixing this error. I've tried to force the DFS to replicate, however it cannot do that because again, "Network Path not found". 

I am able to ping, nslookup, the DC

I ran a dcdiag /v /c /q and the following tests failed:

It appears that I'm having an authentication failure/issue, but I cannot find a solution. I am aware that some of the configuration with whats placed in the DC and not having a BDC are faults on my part, but this is the first server I've put up and I am trying to learn how to make it right so I don't run into this issue again or can avoid it.

I've tried deleting the replicated dfs files, but it won't allow me access to that, I've tried running the DC in a virtual environment and trying to fix/repair with the installation media.

If you'd like me to run other commands I am more than happy to do so. I hope this is enough information for someone to point me in the right direction. Any help would be much appreciated. I'll post some images as well once my account is verified.



Thank you in advance,

Tony 

Hi

we have a user that keeps getting locked out. its happened more frequently since he changed his password last week.

I rebooted our secondary DC as I thought it was a sync issue between the 2 DC's with credentials however it still happening.

I checked the security logs which is where I normally check when an account gets locked out however no PC name is listed, please let me know where else I can check.

Thank you.

Mahesh

I'm attempting to implement our reverse lookup zones. I set them up according to this article: http://datacenter-flo.de/?p=347 

However, the reverse lookup zones are not populating and when I run a nslookup <ip address> a DNS name does not appear, instead I get the following error: *** UnKnown can't find<ip address>: Non-existent domain

I have run ipconfig /registerdns on PC which puts the ip address into Forware lookup but not in reverse lookup.

• We dont have DHCP server, Ip address are lease out by the switch
• We are running Server 2008 R2, 2012 R2 and 2016 Std for our DNS.
• Domain level 2008 R2