Channel: Directory Services forum
Viewing all 31638 articles

How do I restrict group access

Hi All,

We are migrating from a .com to a .co.jp domain. Currently on the .com Forest\Domain we have 9 different sites scattered across Europe. We have 10 users who have full Domain Admins across the forest and another 10 who are IT administrators and are employed at their local site (Spain, Russia, France etc.). These locally employed IT staff do not have full Domain Admins access, and are members of less restrictive groups.

The new Forest\Domain is global and covers all 5 continents. Our part of the domain has a European OU with our own layout. The Builtin container lives outside of our OU. If I give our local IT administrators access to a particular group within the Builtin container, I suspect it would allow them to change any of the containers for other sites also?

What I would like to do is restrict our local IT users' access to only our European OU.

Any ideas how I could achieve this?

Regards.


AD integrated authentication IE problem: logon returns lower case

Hi, I have a problem with some users: when a user logs on to a web application on IIS, the web browser returns a lower-case sAMAccountName in the header. For example:

One user logs on with integrated authentication, and the header returns DOMAIN\user.

For another, the header returns DOMAIN\USER.

I think the problem is in AD, but where?

Thanks for any suggestions.

Troubleshooting assistance for AD / internal DNS issue?

Hello TechNet,

One of my customers is experiencing issues with GPO execution during logon, especially the map network drive.

My GPO settings are set to await network connectivity before running.

The network drive GPO is set up with the update action and reconnect enabled.

As an example, one PC is connected wired to the network.

It's a flat layer 2 network, no subnet segmentation and no firewall in-between. 

When the user logs on, it takes a while. Afterwards, the network drives are not loaded (even though I have my settings as mentioned).

When I look at the event log, I see warnings and alerts about DNS towards the domain controllers, and GPO not being able to run due to no connection to a DC.

But if I execute an NSLOOKUP and ask for the domain or domain controllers, it resolves. Also after an IPCONFIG /FLUSHDNS and a reboot.

If I click on the "disconnected network drive" I get connected to the drives.

I've been searching the web for troubleshooting steps and where to start, but I haven't found a solution that works yet.

A bit more info:
Domain controllers are one 2003 server and one 2008 R2 server. Both are internal DNS servers as well, pointing towards each other as primary DNS.

They are virtual.

The PC is connected to one access switch, with a 1 Gb/s uplink to the core switch. The hypervisors are connected to the core switch as well with several 1 Gb/s uplinks.

Network speed tests show close to 1 Gb/s internally, for both download and upload from PC to server.

Looking forward to hearing some suggestions.

Kind regards

Jonas 

_msdcs delegation missing

I have an ADI _msdcs forward zone and an ADI standard domain forward DNS zone, but I am missing the delegated zone. My question is: what does the delegated _msdcs zone actually do? I know I can create it, but before I take it to my director for a change control to have it added I need to get some info.

What does the _msdcs delegated zone do? I have my DC locator zone already and DNS is resolving. Running DCDIAG I am not seeing any errors.

Is the _msdcs zone needed?

Is there a performance gain from adding the zone?

Failed. Error Code 1816 - Uninstalling software

Hi All,

I am uninstalling software from a Windows machine using Ansible.

During uninstallation we internally unregister/stop services.
We are getting an error in this: "Failed Error Code: 1816".

The commands we are using to stop/unregister:
- net stop ServiceName /Yes
- AppName /Unregserver

I searched, and this error code points to "Not Enough Space to Process".
I have checked that we have allocated around 40 GB for offline/temporary files on this system.

Any pointers to resolve this would be really helpful.



Query AD domain to get all users

Hi,

I am trying to use a linked server to query AD to fetch all users from the domain. There are no filters except that objectClass = User, and our directory has over 7000 users. The problem is the top limit set up at AD, which only lets me fetch 7000 rows, and I can't change that. Please help me with a solution that will enable me to query users beyond the limit. I am aware of a concept called paged search but not sure how to implement it via the linked server. I don't want to use PowerShell. I tried to seek answers in the MSDN SQL Server forums, but no luck. They suggested looping through the search, but it didn't work.

I tried the following but couldn't get more than 7000 rows:

SELECT SAMAccountName, displayName, userPrincipalName
FROM OpenQuery(ADSI,
    'SELECT SAMAccountName, employeeID, displayName, givenname, sn,
            scriptpath, distinguishedName, userPrincipalName, mail
     FROM ''LDAP://abc.com/DC=abc,DC=com''
     WHERE objectClass = ''User''
    ') AS A
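
An added example, not part of the original post or any reply to it: OPENQUERY against the ADSI provider gives no way to request LDAP paging, so the usual T-SQL-only workaround is to partition the query so that no single result set can reach the server-side limit. The script below runs one OPENQUERY per leading character of sAMAccountName (LDAP matching on that attribute is case-insensitive, so 'a*' also catches 'A...') and collects the rows into a temp table. The linked server name ADSI and the base DN DC=abc,DC=com are taken from the post; the temp table name, the character list and the objectCategory filter are assumptions made for this example.

```sql
-- Added example (not from the original post): partition the ADSI query on the
-- first character of sAMAccountName so each partition stays under the row limit.
-- OPENQUERY only accepts a literal query string, so each statement is built
-- dynamically and run with sp_executesql.
-- Assumptions: linked server ADSI and base DN DC=abc,DC=com come from the post;
-- #AllUsers and @chars are constructed for this example.

IF OBJECT_ID('tempdb..#AllUsers') IS NOT NULL
    DROP TABLE #AllUsers;

CREATE TABLE #AllUsers (
    sAMAccountName    nvarchar(256)  NOT NULL,
    displayName       nvarchar(256)  NULL,
    userPrincipalName nvarchar(1024) NULL
);

-- Leading characters to iterate over. An account whose name starts with a
-- character missing from this list would be skipped, so extend it to match
-- your naming convention.
DECLARE @chars nvarchar(64) = N'abcdefghijklmnopqrstuvwxyz0123456789_-.$';
DECLARE @i   int = 1;
DECLARE @c   nchar(1);
DECLARE @sql nvarchar(max);

WHILE @i <= LEN(@chars)
BEGIN
    SET @c = SUBSTRING(@chars, @i, 1);

    -- objectCategory=person excludes computer accounts, which also carry
    -- objectClass=user and would otherwise count against the limit.
    -- Quote doubling: '' inside this literal becomes ' in the dynamic SQL,
    -- and '''' becomes '' inside the OPENQUERY string.
    SET @sql = N'INSERT INTO #AllUsers (sAMAccountName, displayName, userPrincipalName)
        SELECT sAMAccountName, displayName, userPrincipalName
        FROM OPENQUERY(ADSI, ''SELECT sAMAccountName, displayName, userPrincipalName
            FROM ''''LDAP://abc.com/DC=abc,DC=com''''
            WHERE objectCategory = ''''person''''
              AND objectClass = ''''user''''
              AND sAMAccountName = ''''' + @c + N'*'''''')';

    EXEC sys.sp_executesql @sql;
    SET @i += 1;
END;

-- Totals per partition: if any single partition comes back at exactly the
-- server limit, that prefix was truncated and needs a second-character split.
SELECT LOWER(LEFT(sAMAccountName, 1)) AS prefix, COUNT(*) AS rows_returned
FROM #AllUsers
GROUP BY LOWER(LEFT(sAMAccountName, 1))
ORDER BY prefix;

SELECT COUNT(*) AS total_users FROM #AllUsers;
```

If one prefix still returns exactly the limit, split that prefix further (for example 'ja*', 'jb*', ...) with the same loop. The hard cap itself is the MaxPageSize LDAP query policy on the domain controllers, which appears to have already been raised from its default here; partitioning the query keeps the load per request bounded without raising it further.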


RSAT not showing under Windows features

Hello

I have a colleague who is experiencing problems getting the Remote Server Administration Tools into his Windows features. We have followed the installation process for RSAT on Windows 10, and everything goes smoothly. However, after the required restart, Active Directory does not show up when searching for it. When trying to enable RSAT in Windows features, there is no "Remote Server Administration Tools". When searching for a solution, it was suggested to delete the English language package and reinstall it. This did not solve the issue. Active Directory is essential for some work tasks, so we really need to solve it.

Kind regards

Hakan

Parent Domain Group Membership Not Replicating To Child Domain User Object

So we have a fairly standard AD environment: one forest root domain <company.inc> and multiple child domains <child1.company.inc>, <child2.company.inc>, etc. We have a universal security group in the parent domain that is used to grant VPN access to users in multiple child domains. So here's the weird part. Everything used to work fine, but now when I add a child domain user to the parent domain security group (from an ADUC connection to a DC in the parent domain) the membership does not replicate to the user object in the child domain (when viewed from an ADUC connection to a DC in the child domain). What's even weirder is that if I follow the same procedure but add the child domain user to a security group in its own child domain, the membership replicates and is visible within minutes.

Any ideas?

Thank you,

John


AD account locked out

I reset my password and my account began to lock out. I set my password back to the original, but the account continues to lock out. Using accountlockoutstatus from Sysinternals I was able to determine the domain controller that is receiving the failed attempt (it's always the same DC). I parsed through the typical security events on the DC receiving the failures and on the PDC, but the offending computer is just showing as LOCALHOST and I can't find an IP address. I used Netwrix Account Lockout Examiner, but I receive the exact same information... I can't find the offending device. I ran a script to find all machines on the domain where the account is logged in or has a disconnected status. I logged out of all the machines and my account didn't lock out for a day. However, the next morning it was locked out again. I ran the script again and I found no sessions. We map drives with group policy, but this account has never had mapped drives. The account is not used on any mobile devices, and I have no cached credentials.

How can I find the offending device?

Thank you in advance for your help!!!

User password

Good afternoon.

I had a user reset her Windows password this morning, and she was unable to log on after that.

I've changed her password again in AD, and it's still not working. I've also tried from several different computers, and they all say "The username or password is incorrect." I can log on to the same computers normally using my account.

Is her domain account damaged, and does it need to be recreated?

Thank you for your help.

365 Sync - What if local AD is hit by ransomware?

Good evening!

I'm currently learning more about AD/security and am curious to know how 365 user accounts would be affected by ransomware hitting the local AD directory. Will it completely render all 365 accounts useless and change things like names and passwords?

Will the 365 AD sync tool stop syncing if the local files are damaged, or will it actually overwrite O365 user accounts as well? Has anyone encountered this issue or know what will happen in this scenario? I think we are protecting ourselves well enough, but knowing how a worst-case scenario could happen is good for looking into other solutions to secure myself even more.

Hopefully my question is understandable.

Appreciate any answer here :)

Unable to connect to the NETLOGON share! (\\servername\netlogon)

I have joined a new server (Server 2012 R2) to an existing domain (the existing DC is SBS 2008) and promoted it to a domain controller.

When I run repadmin /showrepl, the replication is fine.

But when I run dcdiag I get this error:

Starting test: Netlogons

Unable to connect to the NETLOGON share! (\\servername\netlogon)

[SERVERNAME] An net use or LsaPolicy operation failed with error 67, The network name cannot be found. . 

................................SERVERNAME failed test NetLogons

I have tried demoting it and then promoting it again, but I still have the same error.

I have also tried changing the SysvolReady flag from 0 to 1 and then back to 0 (under this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters)


The primary DNS server is the other DC, the secondary DNS server is itself.

Searching through forums has got me information beyond my understanding; at a basic level, what's the problem and how do I fix it?

This server is due to take over from the SBS 2008 server (which will be shut down and removed) and was due to take over the FSMO roles, but I'm not comfortable going ahead with that until I can fix this issue.




Active Directory new records not updated on third-party applications via LDAP

Hi 

We have PaperCut, Checkpoint VPN client, etc., and via LDAP we have AD authentication. Just a few weeks ago we had a disk issue and needed consolidation, and due to that we rebooted our ADs. We also changed the domain administrator password.

Now the user accounts used in the third-party applications are not syncing with AD for new records or changes.

Environment running: Windows Server 2008 R2, Active Directory server

Appreciate your assistance please

thanks
Regards
Vish

Deleting primary domain controller metadata from additional domain controller

Hi,

I want to promote a virtual additional DC to physical primary DC and delete the primary DC metadata from the additional DC. The SYSVOL replication used between these domain controllers is DFSR. How can I delete any metadata related to the primary DC? Thanks

Cross-domain remote dcdiag fails advertising and locator test

Hello,

I'm trying to get a health status from dcdiag of all domain controllers in a single-forest, multi-domain structure. When I run dcdiag with /s from the parent DC and choose a remote child DC server in a remote site, dcdiag fails the advertising and locator tests, but when running locally and remotely from the same child domain DC it runs fine. Is this normal? My guess is that since the advertising test tries to access it using a NetBIOS name instead of the FQDN, it fails. Any thoughts or recommendations?


Primary DC not syncing to secondary DC after a long time down

Hi all,

I have two ADs, which are AD01 (Win2k12, FSMO) and AD02 (Win2k8 R2 SP1). One day my AD01 crashed and I restored AD01, but the backup date was one month earlier than current.

The problem now is that AD02 was set to FSMO while AD01 was offline. When I turned AD01 on and tried to replicate data from AD02 to AD01, it did not work. Now AD01 is turned off again due to a credential issue.

AD01 netdom query

C:\Windows\system32>netdom query fsmo
Schema master                    AD01.mydomain.com
Domain naming master        AD01.mydomain.com
PDC                                      AD01.mydomain.com
RID pool manager                AD01.mydomain.com
Infrastructure master          AD01.mydomain.com
The command completed successfully.

AD02 netdom query

C:\Windows\system32>netdom query fsmo
Schema master                    AD02.mydomain.com
Domain naming master        AD02.mydomain.com
PDC                                      AD02.mydomain.com
RID pool manager                AD02.mydomain.com
Infrastructure master           AD02.mydomain.com
The command completed successfully.

Do you have any idea how to resolve this? My plan is:

From the AD01 server:

1. Transfer all roles to AD02

2. Sync all updated Active Directory data

After all is done, switch the FSMO roles back to AD01.

Authentication Policies and Silos not working properly

This has totally got me stumped.

I've been trying for weeks now to get Active Directory Authentication Policies and Silos working to restrict where a domain admin can authenticate.

The goal is to only allow domain admins to authenticate to domain controllers and specific member servers.

My problem is, I cannot achieve consistent results. I have followed numerous walkthroughs on configuring this. 
So far I have

1. Enabled Kerberos support for claims and armoring

2. Set Domain Controllers to support Dynamic Access Control with "Always provide claims"

3. Created an Authentication Silo

4. Added a test server and test user to the silo (and assigned them)

5. Created an Authentication Policy

6. Set the Ticket Granting Ticket lifetime for user accounts to 240 mins

7. Under the "Specify access control conditions that restrict devices that can request a Ticket Granting Ticket for the user accounts assigned to this policy" I have the Authentication Silo attached.

Now, from my understanding, my test account inside the silo should only be able to log in to the test server that is also a member of the silo.

However, it cannot log in to any machine.

If someone has had success implementing this feature in AD I would really appreciate the help!!

Environment: Server 2012 R2 DCs and member servers

Thanks so much!

How to configure a file server separate from AD

Hi everyone.
I am starting my studies in the infrastructure area and I have come across the following question: how do I configure AD and a file server that are on different machines?
I researched the subject and read that it is recommended that the file server be on a machine separate from the AD server; however, I did not find any material explaining step by step how to carry out the configuration so that this infrastructure works and so that I can control users' access to folders through AD.
So, I would like help or a pointer to some material that explains how to carry out this procedure.
Thanks in advance.

Certification Authority Web Enrollment Error: "An unexpected error has occurred: The Certification Authority Service has not been started." when opening link 'Download a CA certificate, certificate chain or CRL'

Hi everyone:

I have a two-tier PKI with Server-1 as the subordinate enterprise/issuing CA. I have installed 'Certificate Authority Web Enrollment' on Server-2. When I open Server-2.domain.com/certsrv and go to 'Download a CA certificate, certificate chain or CRL', it returns 'Error: An unexpected error has occurred: The Certification Authority Service has not been started.' However, it works fine from https://localhost/certsrv on Server-2.

My problem is the same as in the following thread, and I have tried the solution advised, but it hasn't worked for me:

https://social.technet.microsoft.com/Forums/en-US/4c7f41a5-21b0-470d-8c78-0fc237eb1da0/web-enrollemet-page-giving-error-quot-an-unexpected-error-has-occurred-the-certification?forum=winserversecurity

I have tried the following, but nothing has changed:

https://support.microsoft.com/en-gb/help/300867/error-message-the-certification-authority-service-has-not-been-started

https://blogs.technet.microsoft.com/askds/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy/

Please advise if I am missing something. Many thanks.

Service Account

Hi Experts

How do I create a service account in AD?
