Channel: Directory Services forum

EFS Best practices: with or without AD CS - DRA HowTOs


Hello, due to new security requirements in my company I must enable encryption for some folders in my network file share. For this purpose I decided to implement EFS (Encrypting File System).

After reading some documentation about this topic I came to the Data Recovery Agent section. My question is: is it necessary to implement AD CS in my domain for it? I read here (https://blogs.technet.microsoft.com/askds/2008/01/07/replacing-an-expired-dra-certificate/) that you can also create it by using the cipher.exe utility and a self-signed certificate. What are the pros and cons?

Thank you.


Francesco B.



EFS - HowTo Recover a file with DRA (Data Recovery Agent)


Hello. Please, I need your help to learn how to decrypt files using a DRA certificate. I did these steps:

- I created a Data Recovery Agent certificate using cipher.exe /r:<filename> on my domain controller, logged in as "administrator".
- I added the Data Recovery Agent to the Default Domain Policy using the new certificate.
- I ran gpupdate /force on my client.
- I encrypted a text file (just the file, not the folder).
- In the file's advanced details, after the encryption, I can see the correct thumbprint of the DRA under "Recovery certificates for this file" (the thumbprint that I see matches the thumbprint of the certificate I generated in the first step).

From here, what am I supposed to do to recover the file using the DRA certificate?

I tried to:
- Log in to a client as a user
- Run MMC.exe as mydomain\administrator (runas.exe) and import the DRA .pfx into the user's (administrator) personal store
- Run cmd.exe as mydomain\administrator and run cipher.exe /d <filename> to try to decrypt the file: ERR "Access denied"
- I also tried to log in interactively to the client as mydomain\administrator and repeat the above steps, but the same thing happens.

What's wrong in my procedure, please?

Thank you very much.


Francesco B.
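A check that helps with the procedure described above, added here as an example (it is not part of the original post): it runs cipher.exe /c on the encrypted file, pulls out every thumbprint the file's EFS metadata lists, and reports whether a certificate with that thumbprint and a private key is present in the personal store of the account running the script. It assumes cipher /c prints each thumbprint on a line beginning "Certificate thumbprint:" (hex groups separated by spaces) and that the file path is supplied by the caller; it also dumps the file's DACL, since cipher /d needs write access to the file as well as a usable key.

```powershell
# Added example (not from the original post): compare the thumbprints that cipher.exe /c
# reports for an encrypted file (users who can decrypt + recovery agents) with the
# certificates that carry a private key in the personal store of the running account.
# Assumption: cipher /c prints thumbprints on lines starting with "Certificate thumbprint:".
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # path to the encrypted file (placeholder, supplied by the caller)
)

$output = & cipher.exe /c $Path 2>&1
if ($LASTEXITCODE -ne 0) { throw "cipher.exe /c failed: $output" }

# Thumbprints listed under "Users who can decrypt:" and "Recovery Certificates:".
# cipher prints them in 4-character groups; strip the spaces before comparing.
$listed = foreach ($line in $output) {
    if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f][0-9A-Fa-f ]+)') {
        ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
}

# Only certificates whose private key is present can actually be used to decrypt.
$usable = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }

foreach ($tp in ($listed | Sort-Object -Unique)) {
    $match = $usable | Where-Object { $_.Thumbprint -eq $tp }
    if ($match) {
        "{0}  usable: private key present ({1})" -f $tp, $match.Subject
    } else {
        "{0}  NOT in CurrentUser\My with a private key for this account" -f $tp
    }
}

# Decryption rewrites the file, so the DACL must grant the account write access too;
# a missing key and a missing NTFS right both surface as "Access denied" from cipher /d.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it under the same account that will execute cipher /d (for example inside the runas cmd window), because Cert:\CurrentUser\My is per user profile and a .pfx imported into one account's store is invisible to another.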


Help Needed: Authentication Policies and Authentication Policy Silos Will Not Work


I'm trying to restrict logon access to our org's domain controllers using an Authentication Policy and/or an Authentication Policy with an Authentication Policy Silo. I'm working with a single privileged account, a bastion host, a management server and the forest domain controllers. The only account not in the target Active Directory forest is the bastion host.

I've tried the instructions in each of the following articles, with no results:

Authentication Policies and Authentication Silos – Restricting Domain Controller Access

Using Authentication Policies to Restrict Privileged User Account Logons

How To Configure Protected Accounts - Authentication Policies

I've tried the suggestions in this thread and the few others I've managed to find: https://social.technet.microsoft.com/Forums/windowsserver/en-US/751659d0-aae0-486e-ab6d-820e5384a855/authentication-policies-and-silos-not-working-properly?forum=winserverDS

I've even tried removing the non-domain-joined bastion from the equation by replacing it with a domain-joined workstation with direct access to the management server.

Regardless of what I do, I continue to see events in the AuthenticationPolicyFailures-DomainController logs on the domain controllers like the following:

Additionally, after poring over the existing documentation, I've searched for more detailed information on the different parts of the authentication policy and how authentication policies work and have turned up nothing.

Has anyone set up an Authentication Policy and/or Authentication Policy Silo that actually works?  Is there any detailed information out there on the different parts/attributes of an authentication policy?
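To see how the silo and policy objects the walkthroughs above create are actually wired, here is an added audit script (not from the original post or the linked articles). It assumes the RSAT ActiveDirectory module on a 2012 R2 or later forest, the Enforce, Members and policy-reference properties that Get-ADAuthenticationPolicySilo and Get-ADAuthenticationPolicy expose, and reads each member's msDS-AssignedAuthNPolicySilo attribute directly; it flags the two mismatches that leave a silo without effect: accounts granted access to the silo but never assigned to it, and silos or policies still in audit-only mode.

```powershell
# Added example (not from the original post): audit Authentication Policy Silos for
#  - members granted access (Grant-ADAuthenticationPolicySiloAccess) that were never
#    assigned (Set-ADAccountAuthenticationPolicySilo); both are required for the KDC to apply it
#  - silos / policies with Enforce = False (audit only: events are logged, nothing is denied)
#  - domain controllers that are not members of the silo
# Assumes the RSAT ActiveDirectory module and the cmdlet property names used below.
Import-Module ActiveDirectory

$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

$silos = Get-ADAuthenticationPolicySilo -Filter * -Properties Enforce, Members,
            UserAuthenticationPolicy, ComputerAuthenticationPolicy, ServiceAuthenticationPolicy

foreach ($silo in $silos) {
    $mode = if ($silo.Enforce) { 'ENFORCED' } else { 'audit only (Enforce=False)' }
    "Silo {0}: {1}" -f $silo.Name, $mode

    # Each silo can reference a user, computer and service policy; each has its own Enforce flag.
    foreach ($kind in 'UserAuthenticationPolicy', 'ComputerAuthenticationPolicy', 'ServiceAuthenticationPolicy') {
        $policyDn = $silo.$kind
        if (-not $policyDn) { "  {0}: (none)" -f $kind; continue }
        $policy = Get-ADAuthenticationPolicy -Identity $policyDn -Properties Enforce, UserTGTLifetimeMins
        "  {0}: {1}  Enforce={2}  UserTGTLifetimeMins={3}" -f $kind, $policy.Name, $policy.Enforce, $policy.UserTGTLifetimeMins
    }

    # Members = accounts granted access. The account must also point back at the silo
    # through msDS-AssignedAuthNPolicySilo, otherwise the silo is not applied to it.
    foreach ($memberDn in $silo.Members) {
        $obj = Get-ADObject -Identity $memberDn -Properties 'msDS-AssignedAuthNPolicySilo'
        $assigned = $obj.'msDS-AssignedAuthNPolicySilo'
        $state = if ($assigned -eq $silo.DistinguishedName) { 'granted + assigned' }
                 elseif ($assigned) { "GRANTED HERE BUT ASSIGNED TO $assigned" }
                 else { 'GRANTED BUT NOT ASSIGNED' }
        "  member {0} [{1}]: {2}" -f $obj.Name, $obj.ObjectClass, $state
    }

    # A user policy that only allows authentication from silo members denies logons
    # at any DC that is not itself a member, so list the DCs outside this silo.
    foreach ($dn in ($dcDns | Where-Object { $silo.Members -notcontains $_ })) {
        "  DC not a member of this silo: {0}" -f $dn
    }
}
```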

Unable to perform ForestPrep on 2003 Domain.


I am attempting to run the 2008 R2 Forestprep on a 2003 Domain in order to move off Server 2003 and towards 2012 R2. However when I run the 2008 R2 Forestprep I receive this list of errors. The domain currently has Services for Unix installed and it is actively being used, this includes NIS. I'm hoping there is a way of fixing these errors that won't break the existing NIS Deployment or alter any existing Unix Attributes.


ADPREP WARNING: 

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later. 


[User Action] 

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.



=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.70" for object "CN=uidNumber,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.71" for object "CN=gidNumber,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.



=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.97" for object "CN=gecos,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.



=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.72" for object "CN=loginShell,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.



=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.92" for object "CN=shadowLastChange,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.



=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.93" for object "CN=shadowMin,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.



=============================================================================

"attributeSyntax" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "2.5.5.5" for object "CN=shadowMin,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.90" for object "CN=shadowMax,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.91" for object "CN=shadowWarning,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeSyntax" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "2.5.5.5" for object "CN=shadowWarning,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.89" for object "CN=shadowInactive,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.88" for object "CN=shadowExpire,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.87" for object "CN=shadowFlag,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.86" for object "CN=memberUid,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.79" for object "CN=memberNisNetgroup,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeSyntax" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "2.5.5.1" for object "CN=memberNisNetgroup,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.74" for object "CN=ipServicePort,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.75" for object "CN=ipServiceProtocol,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.76" for object "CN=ipProtocolNumber,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.



=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.81" for object "CN=oncRpcNumber,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.82" for object "CN=ipHostNumber,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.77" for object "CN=ipNetworkNumber,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.78" for object "CN=ipNetmaskNumber,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.85" for object "CN=macAddress,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.96" for object "CN=bootParameter,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.98" for object "CN=bootFile,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.94" for object "CN=nisMapName,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.

=============================================================================

"isSingleValued" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "FALSE" for object "CN=nisMapName,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.

=============================================================================

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.95" for object "CN=nisMapEntry,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.



=============================================================================

"isSingleValued" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "FALSE" for object "CN=nisMapEntry,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


=============================================================================

"governsId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.


A previous schema extension has defined the attribute value as "1.2.840.113556.1.5.7000.106.58" for object "CN=nisMap,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows Server 2008 R2.

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.


Vincent Sprague

Group policy to send computers' idle time to the administrator via email


Hi All,

Is there any group policy in Windows 2012 R2 which will send mail to the administrator if any user's system has been idle for more than 20 min?

4625 Logon failures


I am receiving a 4625 logon failure on my domain controller (2012 R2) every six hours after changing the domain administrator password. This password is changed every 45 days, but I've never encountered this problem in the past. I can't find a service or scheduled task running with this account. There are no saved passwords that I can find. Restarting the server resets the time the event occurs, but it's exactly every six hours from that point forward. Here's the audit failure in the event viewer:

An account failed to log on.

 

Subject:

Security ID: SYSTEM

Account Name: XXXXXXX$

Account Domain: domain name

Logon ID: 0x3E7

 

Logon Type: 3

 

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: administrator name

Account Domain: domain name

 

Failure Information:

Failure Reason: Unknown user name or bad password.

Status: 0xC000006D

Sub Status: 0xC000006A

 

Process Information:

Caller Process ID: 0x334

Caller Process Name: C:\Windows\System32\lsass.exe

 

Network Information:

Workstation Name: domain server

Source Network Address: domain server IP

Source Port: 51128

 

Detailed Authentication Information:

Logon Process: Advapi 

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

Any ideas on where to look would be appreciated.

Thanks in advance.
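An added example (not part of the original post) for narrowing this down: it pulls the 4625 events for one account from the domain controller's Security log, keeps the fields that identify the origin (logon process, caller PID and image, workstation, source address, sub-status) and prints the interval between consecutive failures so a fixed cadence like the six-hour one above stands out. The computer and account names are placeholders; it assumes remote event log access to the DC.

```powershell
# Added example (not from the original post): list 4625 failures for one account with the
# fields that locate the caller, plus the time since the previous failure.
param(
    [string]$ComputerName = 'DC01',          # placeholder: the DC logging the failures
    [string]$TargetUser   = 'administrator', # placeholder: the account whose logon fails
    [int]$Days = 7
)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    # The EventData fields of 4625 are named in the event XML; map them by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.TargetUserName -ne $TargetUser) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        SubStatus   = $data.SubStatus         # 0xC000006A = bad password, 0xC0000064 = no such user
        LogonType   = $data.LogonType
        LogonProc   = $data.LogonProcessName  # Advapi = credentials passed to LogonUser on this host
        CallerPid   = $data.ProcessId
        CallerImage = $data.ProcessName
        Workstation = $data.WorkstationName
        SourceIp    = $data.IpAddress
    }
}

# Sort chronologically and attach the gap to the previous failure of the same account.
$rows = @($rows | Sort-Object Time)
for ($i = 1; $i -lt $rows.Count; $i++) {
    $rows[$i] | Add-Member -NotePropertyName SinceLast -NotePropertyValue ($rows[$i].Time - $rows[$i - 1].Time)
}

$rows | Format-Table Time, SinceLast, SubStatus, LogonType, LogonProc, CallerPid, CallerImage, Workstation, SourceIp -AutoSize
```

A constant SinceLast with Logon Process Advapi and the DC's own name as workstation means the old password is being replayed by something running on the DC itself (a service, scheduled task, IIS application pool or COM+ identity, or credentials stored in another profile's Credential Manager), not by a remote client.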


DotNet Core application failing on Server with error "Trust relationship between primary domain and the trusted domain failed"


I have a .NET Core application (API) deployed on a Windows server under IIS with anonymous authentication set to false and Windows authentication set to true.

In the application, I have an authorization middleware that checks whether the current user is in a specific AD group and uses a map (pulled from SQL) to see whether that user group has access to read, write, create or delete on the specific application/endpoint.

When running the application in the production environment, all API requests fail with the error "Trust relationship between primary domain and the trusted domain failed".

Deploying the exact same zip file (excluding configuration files) to a QA environment, the API endpoint works. Comparing the config files, the only difference is the SQL connection string.

Turning on Info logging for the application, the error is being thrown when calling

     System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)

This leads me to think it is a domain problem; however, the in-house domain team is saying there is no problem.

Please let me know how to better track down the problem.

DFSR and Namespace best practice and guidance.


Hi, 

I'm hoping that I might get some guidance on DFSR best practice and namespace setup with the CLI.

My use case is moving from on-prem to cloud; my data set is 2Tb of randomly sized files spread across multiple shares. This is expected to grow over time. All my setup is done via the CLI in PowerShell.

My questions are:

a) Should I nest the shares I plan to migrate into one replication group, or set up a replication group for each of these shares? The largest share being migrated is close to 1Tb.

b) In terms of achieving the best performance, any tips on a multi-AZ setup? (disk config, replication staging quota)

c) My namespace CLI isn't working for me; I haven't found a good reference point online to correct this yet. Feedback, recommendations and corrections welcome:

code:
# Server names must be quoted strings, otherwise PowerShell tries to run a command named FileServer-01;
# parameter names take an ASCII hyphen, not an en dash. The share path must exist before New-SmbShare runs.
"FileServer-01","FileServer-02" | ForEach-Object { Invoke-Command -ComputerName $_ -ScriptBlock { mkdir "D:\DFSRoots\NS\Test"; New-SmbShare -Name "Test" -Path "D:\FS\Test" } }

d) I'm in the process of syncing data via a scheduled task script, still from on-site to cloud. I am, however, getting the following warnings in my logs:

- The DFS Replication service has detected that the staging space in use for the replicated folder at local path D:\Data is above the high watermark

I have increased my quota from 4Gb to 8Gb for my replication group until the migration is completed. I'm using Server 2012 R2.

Looking forward to hearing from you guys.

Thanks in advance. 
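A worked version of the namespace and replication setup asked about in (a), (c) and (d), added here as an example (it is not the poster's script or any Microsoft sample): it separates the empty namespace root folder from the data share, creates a domain-based namespace with a root target and a folder target on each server, and then one replication group per share with an explicit staging quota. The server names, domain and paths are placeholders; it assumes the DFSN and DFSR PowerShell modules (RSAT-DFS-Mgmt-Con) on Server 2012 R2 or later and WinRM access to both file servers.

```powershell
# Added example (not from the original post): domain-based namespace + one DFSR group per share.
$servers    = 'FileServer-01', 'FileServer-02'   # placeholders for the two file servers
$domain     = 'corp.example'                     # placeholder AD domain
$nsName     = 'NS'
$folderName = 'Test'
$localRoot  = "D:\DFSRoots\$nsName"              # namespace root folder: stays empty
$localData  = "D:\FS\$folderName"                # the real data share that DFSR will replicate

# 1. Local folders and SMB shares on both servers; the share names become the DFS targets.
Invoke-Command -ComputerName $servers -ScriptBlock {
    param($root, $data, $ns, $folder)
    New-Item -ItemType Directory -Path $root, $data -Force | Out-Null
    if (-not (Get-SmbShare -Name $ns -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ns -Path $root -FullAccess 'Administrators' -ReadAccess 'Everyone' | Out-Null
    }
    if (-not (Get-SmbShare -Name $folder -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $folder -Path $data -FullAccess 'Administrators' -ChangeAccess 'Authenticated Users' | Out-Null
    }
} -ArgumentList $localRoot, $localData, $nsName, $folderName

# 2. Namespace: one root with a target on each server, one folder with a target on each server.
$nsPath = "\\$domain\$nsName"
New-DfsnRoot -Path $nsPath -TargetPath "\\$($servers[0])\$nsName" -Type DomainV2 | Out-Null
New-DfsnRootTarget -Path $nsPath -TargetPath "\\$($servers[1])\$nsName" | Out-Null

$folderPath = "$nsPath\$folderName"
New-DfsnFolder -Path $folderPath -TargetPath "\\$($servers[0])\$folderName" | Out-Null
New-DfsnFolderTarget -Path $folderPath -TargetPath "\\$($servers[1])\$folderName" | Out-Null

# 3. Replication: a group per share keeps staging quota, schedule and primary member independent.
$group = "RG-$folderName"
New-DfsReplicationGroup -GroupName $group | Out-Null
New-DfsReplicatedFolder -GroupName $group -FolderName $folderName | Out-Null
Add-DfsrMember -GroupName $group -ComputerName $servers | Out-Null
# Without -CreateOneWay this creates the connection in both directions (full mesh for two members).
Add-DfsrConnection -GroupName $group -SourceComputerName $servers[0] -DestinationComputerName $servers[1] | Out-Null

# Staging quota: the "above the high watermark" warning means the files currently being staged
# exceed the quota, so size it to hold the largest files in the share; 32 GB here is a placeholder.
$stagingMB = 32768
Set-DfsrMembership -GroupName $group -FolderName $folderName -ComputerName $servers[0] `
    -ContentPath $localData -PrimaryMember $true  -StagingPathQuotaInMB $stagingMB -Force | Out-Null
Set-DfsrMembership -GroupName $group -FolderName $folderName -ComputerName $servers[1] `
    -ContentPath $localData -PrimaryMember $false -StagingPathQuotaInMB $stagingMB -Force | Out-Null

# Show what was built.
Get-DfsnRootTarget -Path $nsPath
Get-DfsnFolderTarget -Path $folderPath
Get-DfsrMembership -GroupName $group | Select-Object ComputerName, ContentPath, PrimaryMember, StagingPathQuotaInMB
```

The primary member is only honoured for the initial sync, so run this once the on-premises server holds the authoritative copy; repeat steps 1 to 3 with a different $folderName for each additional share.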



RODC Installation


Hello All,

We have a 2012 R2 domain controller in our environment.

We are now planning to install an RODC, and I could not see ActiveDirectoryRODCUpdate under Configuration/ForestUpdates in ADSI.

I need to know where I can get the Adprep.exe file.

I heard that in 2012 we don't have to get it from the mounted CD drive; it is available by default.

Can anyone advise on how to proceed?

Regards,

Aamir Masthan



Access is denied error when creating a GPO


Hi,

I got the "Access is denied" error when I attempt to create a GPO. Can anyone help me? Thanks.


NETLOGON and SYSVOL are not shared


Dear everyone,
I have pasted the "net share" command result from AD001 below.
But NETLOGON and SYSVOL are not shared on AD002.
So I think that DFS replication is not working properly.

Could anyone help me to resolve this problem? I have tried but not succeeded.
Thank you very much.

AD001:

C:\Windows\system32>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\fptgiocloud.net\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.

AD002:

C:\Users\Administrator.fptgiocloud>net share

Share name   Resource                        Remark

------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully.


Owner on security tab - advanced security in properties of "domain root" in ADUC


I would like to know the default owner of the domain root (acme.local) as shown in Properties --> Security --> Advanced in ADUC, and what the consequences of changing this are. Would there be any reason to change this? Normally, when the domain is created/installed, the account is a domain admin account and the Administrators group is the owner. I just need some more information that I have not been able to find on the net. Thank you in advance.

What's the limit in bytes (length) of the Organizational Unit name?


Hi, this is on Window Server 2018 R2 Enterprise edition.

I got this error when I added an organizational unit.

org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException: 00002082: AtrErr: DSID-03050C79, #1:
        0: 00002082: DSID-03050C79, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att b (ou):len 160

I'm guessing that the length of the organizational unit name causes the error.

So here's my question: where can I find the maximum length of strings I can use?

Thank you. 

Domain Controllers upgrade from 2008 R2 to 2016


Hi Everyone,

We are planning to upgrade all our Domain Controllers from 2008 R2 to 2012 R2 or 2016. Presently all our DCs are running 2008 R2, where the DFL and FFL are 2008 R2 and the schema version is 87.

As far as the schema version is concerned, we can easily put 2012 R2 or 2016 into the environment.

I am a bit concerned about the MS application environment, which still has SharePoint 2007, Lync 2010 and Exchange 2010, all in the phase of transition to O365.

My concerns:

1) Will there be any impact on SharePoint 2007, Lync 2010 or Exchange 2010 if we bring in 2016 servers directly without raising the DFL or FFL?

2) How do we keep track of, or get a report of, the AD-integrated applications presently running?

3) What measures should be taken before doing this?

We are taking the approach of bringing in new servers with 2016 > joining them to the domain > promoting them as DCs with a different IP and hostname > shutting down the old server for 24 hours to check > demoting the old DC and assigning the old IP to the new server (the hostname will be changed).

The last DC attempted will be the PDC, followed by the role transfer and NTP server migration.

I would request all of you to suggest whether it can be done in a better way, or any tool which can identify the applications hard-coded with IPs and hostnames.

Thanks in Advance.
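An added example, not code from the post above: a read-only pre-flight that gathers the facts the three questions turn on (schema version, functional levels, FSMO holders, SYSVOL replication engine) and builds an inventory of AD-integrated services from the SPNs registered in the domain. It assumes it runs on an existing DC (or a box with RSAT, repadmin.exe and dfsrmig.exe) as Domain Admin. The SYSVOL check is the caveat most often missed: a domain that started life on 2003 still replicates SYSVOL with FRS until it is migrated to DFSR, and that migration belongs on the plan.

```powershell
# Added example, not code from the original post. Assumptions: run on an existing DC as
# Domain Admin with the RSAT ActiveDirectory module; dfsrmig.exe present. Read-only.
Import-Module ActiveDirectory

function Get-DcUpgradePreflight {
    $rootDse = Get-ADRootDSE
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion

    # SYSVOL engine. FRS-to-DFSR migration is done with dfsrmig /setglobalstate 3 once the
    # domain is at 2008 DFL or above; 2016 DCs still join an FRS domain, but plan the move.
    $sysvol = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '

    # SPN inventory: each account carrying SPNs is an AD-integrated service (Exchange, Lync,
    # SharePoint, SQL, ...). Service class + host shows what runs where.
    $spns = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $account = $_.Name
            foreach ($spn in $_.servicePrincipalName) {
                $class, $rest = $spn -split '/', 2
                [pscustomobject]@{
                    ServiceClass = $class
                    Host         = if ($rest) { ($rest -split '[:/]')[0] } else { '' }
                    Account      = $account
                }
            }
        }

    [pscustomobject]@{
        SchemaObjectVersion = $schema.objectVersion   # 47 = 2008 R2, 56 = 2012, 69 = 2012 R2, 87 = 2016
        ForestMode          = $forest.ForestMode
        DomainMode          = $domain.DomainMode
        Fsmo                = [ordered]@{
            PDC = $domain.PDCEmulator; RID = $domain.RIDMaster; Infrastructure = $domain.InfrastructureMaster
            Schema = $forest.SchemaMaster; DomainNaming = $forest.DomainNamingMaster
        }
        SysvolReplication   = $sysvol
        ServiceClasses      = $spns | Group-Object ServiceClass | Sort-Object Count -Descending | Select-Object Name, Count
        SpnInventory        = $spns
    }
}

$pre = Get-DcUpgradePreflight
$pre | Select-Object SchemaObjectVersion, ForestMode, DomainMode, SysvolReplication | Format-List
$pre.Fsmo
$pre.ServiceClasses | Format-Table -AutoSize
$pre.SpnInventory | Export-Csv -Path .\spn-inventory.csv -NoTypeInformation

# The SPN list does not reveal who has an old DC's name or IP hard-coded. For that, enable
# Netlogon debug logging on each old DC for a while (nltest /dbflag:0x2080ffff writes
# %SystemRoot%\debug\netlogon.log), see which clients still authenticate through it once the
# new DCs advertise, and switch it off again with nltest /dbflag:0x0.
```

The "shut the old DC down for 24 hours" step in the plan is exactly when that Netlogon log on the remaining DCs, plus the DNS server's query log for the old name, shows what still points at the retired server.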

ACTIVE DIRECTORY DCDIAG ERROR... please, someone help me to fix this. Thanks and regards

C:\>DCDIAG

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = HPDC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\HPDC1
      Starting test: Connectivity
         ......................... HPDC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\HPDC1
      Starting test: Advertising
         ......................... HPDC1 passed test Advertising
      Starting test: FrsEvent
         ......................... HPDC1 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... HPDC1 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... HPDC1 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:14:30
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 01/15/2019   15:14:30
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:14:30
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:14:30
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:14:37
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:14:39
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:14:39
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:14:39
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:14:39
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000786
            Time Generated: 01/15/2019   15:14:39
            Event String:
            The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:15:48
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 01/15/2019   15:15:48
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:15:48
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:15:48
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:15:55
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:15:57
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:15:57
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:15:57
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:15:57
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000786
            Time Generated: 01/15/2019   15:15:57
            Event String:
            The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:17:51
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 01/15/2019   15:17:51
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:17:51
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051B
            Time Generated: 01/15/2019   15:17:51
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:17:57
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:17:59
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:17:59
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:17:59
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 01/15/2019   15:17:59
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000786
            Time Generated: 01/15/2019   15:17:59
            Event String:
            The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
         ......................... HPDC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... HPDC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... HPDC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... HPDC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... HPDC1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... HPDC1 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DC-VLZ to HPDC1
            Naming Context: DC=ForestDnsZones,DC=hpddomain,DC=com,DC=ph
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2019-01-15 14:51:54.
            The last success occurred at 2019-01-15 09:58:17.
            5 failures have occurred since the last success.
         [DC-VLZ] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DC-VLZ to HPDC1
            Naming Context: DC=DomainDnsZones,DC=hpddomain,DC=com,DC=ph
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-01-15 14:53:55.
            The last success occurred at 2019-01-15 10:07:46.
            14 failures have occurred since the last success.
            The guid-based DNS name 9d9a0759-1d8b-4fda-8c13-6bbe01fa994d._msdcs.hpddomain.com.ph
            is not registered on one or more DNS servers.
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DC-VLZ to HPDC1
            Naming Context: CN=Schema,CN=Configuration,DC=hpddomain,DC=com,DC=ph
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-01-15 14:52:01.
            The last success occurred at 2019-01-15 09:58:11.
            5 failures have occurred since the last success.
            The guid-based DNS name 9d9a0759-1d8b-4fda-8c13-6bbe01fa994d._msdcs.hpddomain.com.ph
            is not registered on one or more DNS servers.
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DP-DICOMSERVER to HPDC1
            Naming Context: CN=Configuration,DC=hpddomain,DC=com,DC=ph
            The replication generated an error (8606):
            Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

            The failure occurred at 2019-01-15 14:52:03.
            The last success occurred at (never).
            99 failures have occurred since the last success.
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DC-VLZ to HPDC1
            Naming Context: CN=Configuration,DC=hpddomain,DC=com,DC=ph
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-01-15 14:53:49.
            The last success occurred at 2019-01-15 10:03:23.
            13 failures have occurred since the last success.
            The guid-based DNS name 9d9a0759-1d8b-4fda-8c13-6bbe01fa994d._msdcs.hpddomain.com.ph
            is not registered on one or more DNS servers.
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DP-DICOMSERVER to HPDC1
            Naming Context: DC=hpddomain,DC=com,DC=ph
            The replication generated an error (8606):
            Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

            The failure occurred at 2019-01-15 14:51:48.
            The last success occurred at (never).
            97 failures have occurred since the last success.
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DC-VLZ to HPDC1
            Naming Context: DC=hpddomain,DC=com,DC=ph
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-01-15 15:18:55.
            The last success occurred at 2019-01-15 10:06:52.
            190 failures have occurred since the last success.
            The guid-based DNS name 9d9a0759-1d8b-4fda-8c13-6bbe01fa994d._msdcs.hpddomain.com.ph
            is not registered on one or more DNS servers.
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DC-VLZ to HPDC1
            Naming Context: DC=sharepoint2k16,DC=hpddomain,DC=com,DC=ph
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2019-01-15 14:51:54.
            The last success occurred at 2019-01-15 09:58:20.
            5 failures have occurred since the last success.
         [Replications Check,HPDC1] A recent replication attempt failed:
            From DC-VLZ to HPDC1
            Naming Context: DC=HP-SHAREPOINT,DC=hpddomain,DC=com,DC=ph
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2019-01-15 14:51:54.
            The last success occurred at 2019-01-15 09:58:26.
            5 failures have occurred since the last success.
         ......................... HPDC1 failed test Replications
      Starting test: RidManager
         ......................... HPDC1 passed test RidManager
      Starting test: Services
         ......................... HPDC1 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 01/15/2019   14:29:11
            Event String:
            The session setup from computer 'LP-DARRYL' failed because the security database does not contain a trust account 'LP-DARRYL$' referenced by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 01/15/2019   14:31:15
            Event String:
            The session setup from the computer LP-DARRYL failed to authenticate. The following error occurred:
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 01/15/2019   14:33:58
            Event String:
            The session setup from computer 'SUC-IMAGING1' failed because the security database does not contain a trust account 'SUC-IMAGING1$' referenced by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 01/15/2019   14:36:08
            Event String:
            The session setup from the computer SUC-IMAGING1 failed to authenticate. The following error occurred:
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 01/15/2019   14:37:25
            Event String:
            The session setup from computer 'HPUSERPC' failed because the security database does not contain a trust account 'HPUSERPC$' referenced by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 01/15/2019   14:39:26
            Event String:
            The session setup from the computer HPUSERPC failed to authenticate. The following error occurred:
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 01/15/2019   14:41:18
            Event String:
            The session setup from computer 'DS-PHLEBOA' failed because the security database does not contain a trust account 'DS-PHLEBOA$' referenced by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 01/15/2019   14:43:48
            Event String:
            The session setup from the computer DS-PHLEBOA failed to authenticate. The following error occurred:
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 01/15/2019   14:49:58
            Event String:
            The session setup from computer 'SI-IMAGING2' failed because the security database does not contain a trust account 'SI-IMAGING2$' referenced by the specified computer.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 01/15/2019   14:51:04
            Event String:
            The session setup from computer 'SR-PHLEBO2' failed because the security database does not contain a trust account 'SR-PHLEBO2$' referenced by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 01/15/2019   14:52:03
            Event String:
            The session setup from the computer SI-IMAGING2 failed to authenticate. The following error occurred:
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 01/15/2019   14:53:12
            Event String:
            The session setup from the computer SR-PHLEBO2 failed to authenticate. The following error occurred:
         An error event occurred.  EventID: 0x40000004
            Time Generated: 01/15/2019   14:58:06
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ml-imageserver$. The target name used was cifs/ML-DICOM.hpddomain.com.ph. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (HPDDOMAIN.COM.PH) is different from the client domain (HPDDOMAIN.COM.PH), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 01/15/2019   15:11:35
            Event String:
            The session setup from computer 'AL2-IMAGING61' failed because the security database does not contain a trust account 'AL2-IMAGING61$' referenced by the specified computer.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 01/15/2019   15:12:08
            Event String:
            The session setup from computer 'HPUSER-PC' failed because the security database does not contain a trust account 'HPUSER-PC$' referenced by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 01/15/2019   15:13:59
            Event String:
            The session setup from the computer AL2-IMAGING61 failed to authenticate. The following error occurred:
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 01/15/2019   15:14:50
            Event String:
            The session setup from the computer HPUSER-PC failed to authenticate. The following error occurred:
         ......................... HPDC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... HPDC1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : hpddomain
      Starting test: CheckSDRefDom
         ......................... hpddomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... hpddomain passed test CrossRefValidation

   Running enterprise tests on : hpddomain.com.ph
      Starting test: LocatorCheck
         ......................... hpddomain.com.ph passed test LocatorCheck
      Starting test: Intersite
         ......................... hpddomain.com.ph passed test Intersite

C:\>
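An added check, not code from the post above. Two of the failures in that dcdiag output have standard meanings: 8524 together with "The guid-based DNS name <guid>._msdcs.<forest> is not registered" says the partner's DSA CNAME does not resolve from HPDC1, and 8606 "Insufficient attributes were given to create an object" with a last success of "(never)" is the usual signature of lingering objects on the partner. The script verifies the CNAME for every DC and pulls the failing links out of `repadmin /showrepl /csv`. It assumes it runs on HPDC1 as Domain Admin with the RSAT ActiveDirectory module and repadmin.exe available; the DC names are the ones in the post.

```powershell
# Added example, not code from the original post. Assumptions: run on a DC as Domain Admin,
# RSAT ActiveDirectory module, repadmin.exe present. Read-only.
Import-Module ActiveDirectory

function Test-DcGuidCname {
    # Each DC publishes <objectGUID of its NTDS Settings object>._msdcs.<forest root> as a CNAME
    # to its host record; partners resolve that name first, so a missing CNAME shows up as
    # 8524 even when the host A record exists.
    $forestRoot = (Get-ADForest).RootDomain
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
        $cname   = "$dsaGuid._msdcs.$forestRoot"
        $answer  = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue
        $target  = ($answer | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
        [pscustomobject]@{
            DC       = $dc.HostName
            DsaGuid  = $dsaGuid
            Resolves = [bool]$target
            Target   = $target
            TargetOk = [bool]($target -and ($target.TrimEnd('.') -ieq $dc.HostName.TrimEnd('.')))
        }
    }
}

function Get-ReplicationLinkFailures {
    # repadmin /showrepl /csv emits a header row (first field "showrepl_COLUMNS") followed by one
    # "showrepl_INFO" row per inbound link; ConvertFrom-Csv takes that layout as-is.
    & repadmin.exe /showrepl * /csv |
        ConvertFrom-Csv |
        Where-Object { $_.'Last Failure Status' -ne '0' } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

Test-DcGuidCname | Format-Table -AutoSize
$failures = Get-ReplicationLinkFailures
$failures | Format-Table -AutoSize

# Links failing with 8606 get the lingering-object check before anything is forced:
#   repadmin /removelingeringobjects <DC to clean> <DSA GUID of a known-good reference DC> <NC DN> /advisory_mode
# Advisory mode only logs what would be removed (Directory Service event log); drop the switch
# only after that list has been reviewed.
$failures | Where-Object { $_.'Last Failure Status' -eq '8606' } |
    ForEach-Object { 'Lingering-object check needed: {0} -> {1} in {2}' -f $_.'Source DSA', $_.'Destination DSA', $_.'Naming Context' }
```

A partner whose CNAME is absent usually has a Netlogon registration problem on that DC (or its records were scavenged); `nltest /dsregdns` on the partner re-registers them once the DNS server it points at is reachable.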

Windows Server File Auditing Condition


Hello

I am trying to audit all file accesses for a specific folder structure (right-click on folder --> Properties --> Security --> Advanced --> Auditing), but I want to exclude one single user (service account "acct.deletefiles", which deletes old files based on a schedule).

My understanding is that I have to add a condition to the audit rule as below:

https://imgur.com/a/GNQ5DJl

User     Group      Not member of each        Value        1 item(s) selected

"1 item(s) selected" is a domain local Active Directory security group of which account ".acct.deletefiles" is a member.

Nevertheless, all file accesses for this user are logged. What am I doing wrong?

Thanks in advance
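An added check, not code from the post above: a conditional audit entry such as "User - Group - Not member of each - <group>" is evaluated against the group SIDs in the accessing account's logon token, not against AD membership at the moment of access. The script lists what a token for the account would contain and whether the exclusion group is in it, so the condition can be checked independently of the file server. It assumes the RSAT ActiveDirectory module, that the file server sits in the same domain as the domain local group (domain local groups from another domain are not placed in the token), and uses the account name from the post with a hypothetical group name.

```powershell
# Added example, not code from the original post. Assumptions: RSAT ActiveDirectory module;
# the group name below is a placeholder for the one selected in the audit condition.
Import-Module ActiveDirectory

function Test-AuditExclusionGroup {
    param(
        [Parameter(Mandatory)][string]$AccountName,   # e.g. 'acct.deletefiles'
        [Parameter(Mandatory)][string]$GroupName      # the group named in the audit condition
    )
    # tokenGroups is a constructed attribute: the transitive set of group SIDs (including
    # this domain's domain local groups) that a DC would place in a token for the account.
    $user  = Get-ADUser -Identity $AccountName -Properties tokenGroups
    $group = Get-ADGroup -Identity $GroupName
    $sids  = @($user.tokenGroups | ForEach-Object { $_.Value })

    # A token is built at logon. Membership added after the scheduled task or service logged
    # on is not in its running token until it logs on again, so the audit exclusion will
    # not apply to the running instance even if InTokenGroups is true here.
    [pscustomobject]@{
        Account         = $user.SamAccountName
        Group           = $group.SamAccountName
        GroupScope      = $group.GroupScope
        InTokenGroups   = $sids -contains $group.SID.Value
        TokenGroupCount = $sids.Count
    }
}

Test-AuditExclusionGroup -AccountName 'acct.deletefiles' -GroupName 'FS-Audit-Exempt'
```

If `InTokenGroups` is true and events are still written, restart the task or service so it gets a fresh token, and confirm the audit entry's own scope (this folder, subfolders and files) covers the objects the account touches.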


Delegating rename a computer name to a domain user


Hi,

I think this question has been asked many times on TechNet by other users. I read the related posts but I'm not sure whether it will work or not. I delegated a user in ADUC to rename a computer and I gave that user full access permission to the computer objects. When I log in to a client machine with the created and delegated help desk user account, type sysdm.cpl and press Enter, it asks me for domain user credentials. Does delegating in Active Directory work or not?

Thanks



Can't see user properties from ForeignSecurityPrincipals OU

Hi,

In the organization there are two domains with a two-way trust, qwe.com and zxc.com. I added two new domain controllers to zxc.com and have a problem.

When I add a user from qwe.com to a group of zxc.com, and after that try to show the members:

On the new domain controller I can see this

 

and on the old domain controllers it is OK.

From the new domain controller I can search users from the qwe.com directory. In the ForeignSecurityPrincipals OU (on the new domain controller) I can see objects like SIDs and cannot see their attributes. On the old controller, I can see the objects and their properties.

BPA error is:

Title:
Domain controller DC02.zxc.com must have "Access this Computer from the Network" granted to the appropriate security principals
Severity
Error
Problem:
Domain Controller DC02.zxc.com does not have user right "Access this computer from the network" granted to 'Builtin Administrators', 'Enterprise Domain Controllers' or 'Authenticated Users', or has the user right "Deny access to this computer from the network" assigned to either of those groups or 'Everyone'.

Impact:
Replication operations initiated by other domain controllers in the domain or by administrators may fail. Users and computers may also experience failure to apply Group Policy objects.

Resolution
Verify that the domain controllers in the domain zxc.com have this user right granted to the appropriate security principals. Using Group Policy Management and Group Policy Results, verify that the winning Group Policy for the "Access this computer from the network" user right grants that right to the 'Builtin Administrators', 'Enterprise Domain Controllers', and 'Authenticated Users' groups. Verify that the policy setting "Deny access to this computer from the network" does not have 'Everyone', 'Authenticated Users', 'Builtin Administrators' or 'Enterprise Domain Controllers' groups defined in it.


http://go.microsoft.com/fwlink/?LinkId=168844


I checked the policy, and all permissions are default.

Title:
Domain controller DC02.zxc.com must have "Enable computer and user accounts to be trusted for delegation" granted to the Builtin Administrators security group

Problem:
Domain controller DC02.zxc.com must have the "Enable computer and user accounts to be trusted for delegation" user right granted to the Builtin Administrators security group if domain controller DC02.zxc.com is used as a replication partner during a domain controller promotion.

Impact:
Installation of additional domain controllers (promoting replica domain controllers) in domain zxc.com may fail if they select domain controller DC02.zxc.com as a replication partner during the installation.

Resolution
Verify that the current domain controllers in domain zxc.com have the "Enable computer and users accounts to be trusted for delegation" user right granted to the Builtin Administrators group

http://go.microsoft.com/fwlink/?LinkId=168842

Title:
SID filtering is not enabled for external trust qwe.com

Problem:
SID filtering is not enabled for external trust qwe.com established with domain zxc.com

Impact:
If authentication occurs across an external trust boundary (where the user and the computer hosting the resource are in different domains), a vulnerability exists because domain zxc.com (the trusting domain) does not verify that the trusted domain qwe.com is actually authoritative for all the SIDs in the authorization data (that is, the access token). It is possible for an attacker or rogue administrator to insert SIDs into the authorization data presented to this trusting domain  zxc.com.

Resolution
Enable SID filtering for external trust qwe.com by using the netdom trust /quarantine:yes command. Enabling SID filtering may prevent users from accessing resources in your environment. Before enabling SID filtering for the trust, you should review the detailed resolution procedures for this BPA rule.

http://go.microsoft.com/fwlink/?LinkId=168864
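An added check, not code from the post above: ADUC shows a foreign security principal as a bare SID when the SID-to-name lookup fails, and for a SID from the trusted domain that lookup is an LSA call across the trust, which needs this DC's secure channel to qwe.com and the right to authenticate there. The script runs the translation for every FSP from the DC you are on, so a failure on DC02 that does not occur on the old DCs points at that DC's trust path rather than at the directory data. It assumes it runs on DC02.zxc.com as a domain admin with the RSAT ActiveDirectory module; the domain names are from the post. Nothing is changed: `netdom ... /quarantine` without `:yes`/`:no` only displays the current SID-filtering state.

```powershell
# Added example, not code from the original post. Assumptions: run on the new DC as a
# domain admin, RSAT ActiveDirectory module, nltest.exe and netdom.exe present. Read-only.
Import-Module ActiveDirectory

function Test-ForeignSecurityPrincipalResolution {
    param([string]$TrustedDomain = 'qwe.com')

    # 1. This DC's secure channel to the trusted domain.
    $secureChannel = (& nltest.exe "/sc_verify:$TrustedDomain" 2>&1) -join ' '

    # 2. Current SID filtering state of the trust (display only: no :yes/:no argument).
    $sidFiltering = (& netdom.exe trust (Get-ADDomain).DNSRoot "/domain:$TrustedDomain" /quarantine 2>&1) -join ' '

    # 3. Translate every FSP SID through LSA. Well-known SIDs (S-1-5-11 and friends) resolve
    #    locally and have no AccountDomainSid; only real foreign-domain SIDs exercise the trust.
    $fsps = Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties objectSid
    $results = foreach ($fsp in $fsps) {
        $sid  = [System.Security.Principal.SecurityIdentifier]$fsp.objectSid
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
        [pscustomobject]@{
            SID         = $sid.Value
            IsDomainSid = ($null -ne $sid.AccountDomainSid)
            Name        = $name
            Resolved    = [bool]$name
        }
    }

    [pscustomobject]@{
        SecureChannel = $secureChannel
        SidFiltering  = $sidFiltering
        Unresolved    = @($results | Where-Object { $_.IsDomainSid -and -not $_.Resolved })
        All           = $results
    }
}

$r = Test-ForeignSecurityPrincipalResolution
$r.SecureChannel
$r.SidFiltering
$r.Unresolved | Format-Table SID, Name -AutoSize
```

Run the same function on an old DC: if the unresolved list is empty there and populated on DC02, work the BPA findings for DC02 (the "Access this computer from the network" assignment and the secure channel) before touching the trust itself; the BPA text above is right that enabling SID filtering can cut off access that relies on SID history, so that change needs its own review.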


Disabling Account Lockout Policy on specific OU


Hi,

I've configured the Account Lockout Policy in a Windows Server 2012 domain controller for a specific OU. After deleting the GPO, the policy is still being applied to the user. How can I disable the Account Lockout Policy?

Thanks
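An added example, not code from the post above. The relevant behaviour: account lockout and password settings for domain accounts are read only from the GPO linked at the domain level (normally the Default Domain Policy) and are written to attributes of the domain object; the same settings in a GPO linked to an OU affect only the local SAM of the computers in that OU, never the domain users placed there. Per-OU lockout behaviour for domain users is done with a fine-grained password policy (PSO) applied to a group. The script shows what actually applies to a user today and how to carve out an exception; it assumes the RSAT ActiveDirectory module and a 2008-or-later domain functional level, and the PSO, group and OU names are placeholders.

```powershell
# Added example, not code from the original post. Assumptions: RSAT ActiveDirectory module,
# DFL 2008 or later; PSO/group/OU names are placeholders.
Import-Module ActiveDirectory

function Show-LockoutPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # What the domain enforces for every account without a PSO (stored on the domain object).
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy |
        Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
    # What applies to this user: a PSO wins over the domain policy; $null means none applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    [pscustomobject]@{
        User               = $SamAccountName
        DomainLockout      = $domainPolicy
        AppliedPSO         = if ($pso) { $pso.Name } else { '(none: domain policy applies)' }
        EffectiveThreshold = if ($pso) { $pso.LockoutThreshold } else { $domainPolicy.LockoutThreshold }
    }
}

function Set-OuLockoutException {
    # Gives the users of one OU a lockout threshold of 0 (no lockout) via a PSO, leaving the
    # domain policy untouched for everyone else. Password settings here mirror a typical
    # domain baseline and should be aligned with your own.
    param(
        [string]$PsoName   = 'PSO-NoLockout',
        [string]$GroupName = 'NoLockout-Accounts',
        [string]$OuDN      = 'OU=ServiceAccounts,DC=acme,DC=local'
    )
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -Path $OuDN
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
            -LockoutThreshold 0 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
            -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
    Get-ADUser -SearchBase $OuDN -Filter * | ForEach-Object { Add-ADGroupMember -Identity $GroupName -Members $_ }
}

Show-LockoutPolicy -SamAccountName 'jdoe'
```

Switching lockout off for everyone is the same change at the domain level (`LockoutThreshold 0` in the domain-linked policy), but a threshold of 0 removes the brake on online password guessing, which is why the exception above is scoped to a group rather than applied domain-wide.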


PTR records for a Domain Controller


Hi,

DCs: Windows 2012 R2

I have noticed in DNS (non Windows DNS) that we have 3 PTR records created for each Domain Controller. They are:

nslookup

> 10.10.10.32

Name: gc._msdsc.mydomain.com

Name: mydomain.com

Name: DC01.mydomain.com

Can someone explain how the first two entries were created? Normally, only the last entry should be created.

dave
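An added example, not code from the post above. Netlogon on every DC registers more than the SRV records: it also registers the domain's own name (the "LdapIpAddress" record) and `gc._msdcs.<forest>` (the "GcIpAddress" record) as A records pointing at the DC's address, which is why a reverse lookup of a DC's IP can come back with those names. Netlogon registers forward records only; whether a PTR is created for each of them is down to the DNS server (some non-Windows servers add reverse entries for dynamic updates automatically) or to an administrator. The script parses the file Netlogon writes with its intended registrations, maps each A record to the mnemonic used by the `DnsAvoidRegisterRecords` setting, and reads that setting, so unwanted registrations can be suppressed without touching the host record. It assumes it runs on a DC; the domain names follow the post's mydomain.com.

```powershell
# Added example, not code from the original post. Assumption: run on a DC (Windows 2012 R2
# as in the post); domain and forest names are placeholders taken from the post.
function Get-NetlogonRegisteredARecords {
    # %SystemRoot%\System32\config\netlogon.dns lists the records Netlogon tries to register,
    # one per line, e.g. "mydomain.com. 600 IN A 10.10.10.32".
    param(
        [string]$Path = "$env:SystemRoot\System32\config\netlogon.dns",
        [string]$IPAddress       # optional: only records pointing at this address, e.g. '10.10.10.32'
    )
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match '^(?<name>\S+)\s+(?<ttl>\d+)\s+IN\s+(?<type>A|AAAA)\s+(?<rdata>\S+)') {
            $rec = [pscustomobject]@{ Name = $Matches.name.TrimEnd('.'); TTL = [int]$Matches.ttl; Type = $Matches.type; Address = $Matches.rdata }
            if (-not $IPAddress -or $rec.Address -eq $IPAddress) { $rec }
        }
    }
}

function Get-NetlogonRecordMnemonic {
    # Name of the DnsAvoidRegisterRecords mnemonic that suppresses a given A record.
    param([Parameter(Mandatory)][string]$Name,
          [string]$DomainName = 'mydomain.com',
          [string]$ForestName = 'mydomain.com')
    if ($Name -ieq $DomainName)                { 'LdapIpAddress' }
    elseif ($Name -ieq "gc._msdcs.$ForestName") { 'GcIpAddress' }
    else                                        { '(not a Netlogon A record)' }
}

function Get-DnsAvoidRegisterRecords {
    # Policy "Specify DC Locator DNS records not registered by the DCs" lands in this value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $v = Get-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
    if ($v) { $v.DnsAvoidRegisterRecords } else { @() }
}

$suppressed = Get-DnsAvoidRegisterRecords
Get-NetlogonRegisteredARecords -IPAddress '10.10.10.32' | ForEach-Object {
    $m = Get-NetlogonRecordMnemonic -Name $_.Name
    [pscustomobject]@{ Record = $_.Name; Address = $_.Address; Mnemonic = $m; CurrentlySuppressed = ($suppressed -contains $m) }
} | Format-Table -AutoSize
```

Suppressing `LdapIpAddress` is the common case (the bare domain name resolving to every DC tends to collide with a web site named after the domain); `GcIpAddress` is normally left registered because the GC locator relies on it.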
