Hi Experts
I am logged in one of the jumpserver, i want to pull how many domain controllers are there in my domain. please help me with powershell syntax
↧
DC information
↧
Change the maximum password age to just a group
Hello,
I have created a group in active directory (password group) I'm trying to set 182 days maximum password age for this one group. I put only the office staff into this group and now looking to apply this policy. This a Windows Server 2016
Can this be done?
↧
↧
AD backup and Managed service accounts
Good morning,
My question for the forum today and I appreciate any feedback on best practise on this subject. We use Windows server backup to take a system state backup on a domain controller had hosts the fsmo roles.
We have been using historically an admin account to do this with a password that never expires. There are too many security risks now a days to have this kind of set up where a managed services account can be used instead.
My questions are simple ones at this point, can you use Manage services accounts to backup AD via Windows server backup and how can i set this up (if possible).
↧
windows server 2012 workgoup upgrade to domain server
I have windows server 2012 with accounts application on it and NO current users connected.
2 users using application remotely.
i need to upgrade to domain server. will it effect connectivity for remote user to use application.
can i install exchange server for email clients
anyone guide me soon.
↧
windows CAL
Sir
In my office we have windows server 2003 with active drectory and sql databse all are working fine.
Now we desided to buy a new server DELL R740 and we will install ourt Erp database(sql) on the new server. So the active directory will work in server 2003 and sql databse for erp and other file sharing service will work with server 2019 in new dell server.
My question are 1) Do i need to buy CAL for new server 2019?
2) Do i need to by CAL for a server without active directory?
Please provide me a solution for this...
Sincerely
Renjith
↧
↧
Auditing for dirsync attributes
Is there way to retrieve a log file (NOT THE LOGS AVAILABLE in MIIS client) which stores the attributes that were updated in the last synchronization.
We had a strange incident wherein a shared mailbox got converted into a user mailbox and none of the admins were aware of the same.
We are looking to retrieve the information as to when did this happen.
↧
Certain AD user accounts get deleted automatically
Recently I noticed that one of our users's account in AD gets deleted a few times during a day like every few hours.
The AD user account was created about 3 months ago and had been working fine till 2 days ago when this issue started to happen. And today the same thing is happening to another user. Both accounts were created at the same time (about 3 months ago). Both accounts in question are using the same ID (Username) as two of our previous staff members who left years ago whose accounts were deleted form AD back then.
Now we are re-using the usernames but those have different SID codes in AD now.
Have enabled auditing for account management on our DC and the the Security logs (Event ID 4726) show "ANONYMOUS LOGON" as the user account deleting AD objects as well as two different computer accounts one being a workstation (I have disabled the computer account in AD upon seeing this log) and one being the DC computer account itself. Disabling the computer account for the workstation has not helped as the account deletion is still happening. Would like to know if there is a way to find out more detail on the account that deletes AD objects, as in if we can IP address of the source machine/user who is deleting these objects in AD.
Thanks
↧
GPO to install and configure SNMP
Hello,
I've been trying to follow some posts out there that show how to setup and configure the SNMP feature in Windows server, however, the GPO alone never installs the service. I don;t know if I'm missing a step , or if it isn't possible to install the feature with a GPO.
I created a single GPO that creates a firewall rule to allow ICPMv4, and in the same GPO I have configured the settings for a typical snmp configuration.
I tried to follow this posts without editing the registry because I don't think it applies in my case:
https://glazenbakje.wordpress.com/2016/03/18/microsoft-snmp-settings-via-group-policy/
Is it possible that you can configure the settings in GPO but not actually install the feature? That would seem a little useless so I hope that's not the case. I could probably run a PS script from GPO if necessary.
Thanks
↧
Migrate domain controllers but keep ip addresses
Hi all,
We want to migrate our domain controllers (server 2012R2 / DL/FL 2008R2) to server 2019 core DL/FL 2016 and keep the ip addresses but change hostnames.
Reason to keep ip addresses : many devices like printers, scanners, applications have the dns/ldap/... ip addresses manually configured to point to the domain controllers.
Current situation :
Domain controllers A and B with ip address 1 and 2 (A-1, B-2)
A and B have DHCP in failover mode (load balance), DNS, DFS, and ADDS.
C-3 and D-4 are newly installed server 2019 core domain controllers with the same roles but these domaincontrollers should have ip addresses 1 and 2 after the migration. This is our plan :
- migrate fsmo roles to C
- Create domain controllers C and D with ips 3 and 4, Server 2019 core, install all roles but dont authorize dhcp
- Demote B as ADDS (dhcp should not work now on B), authorize D as dhcp server, change dhcp failover replication partner on A to D (DHCP D should be synced with A now)
- Turn off B and remove NIC
- Change ip address D to 2 (old B address)
- Reboot D and monitor events (DHCP, DNS, ADDS, ...)
- Change DHCP replication partner D to C
- Demote A, turn off
- Change ip address C to 1 (old A ) + reboot
- check health state, monitor events, replication etc ...
- raise functional level to 2016 on domain,forest
- metadata cleanup
Any suggestions ?
kind regards
↧
↧
All workstation on network (Unauthenticated) after authoritative restore.
When you click on the network status icon in the notification area on the taskbar it says: "ddt.edu 2 (Unauthenticated)" and therefore, group policies are not applied to workstations.
I have two Windows 2016 Standard Servers (Version 1607) and 50 Windows 10 Education (Version 1709) workstations. All workstations and servers are x64. It was all working fine except SYSVOL was not replicating. We tried to fix the replication issue by doing an authoritative restore. Afterwards all workstations have Authentication issues. I have not found anything of help on the Internet. Most of the similar authentication problems I’ve found are just for some workstations on the network, not all of them. I have been banging my head against this one for a week. Help!
Workstations can still access shares on server with no problem.
We are in a secure environment with no internet access.
I can ping successfully using either name or IP so DNS and DHCP seem to work fine.
Connectivity under view you network properties says "Connected to unknown network" on workstations.
Tried removing workstation from domain then joining it back to domain. Did not get any error messages but after rebooting problem still persists.
Also tried creating a new user, connecting a new computer who’s name had never been used before, joining it to the domain and logging in to the network with the new user name. Didn’t help.
The primary domain controller/global catalog is called SERVER01
I demoted the second domain controller called SERVER02. Didn't help.
Group policies are not applied. Gpupdate /force returns:
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
User Policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
When I run repadmin /showreps I get:
LDAP error 81 (Server Down) Win32 Err 58
Ran nltest /sc_query:server01.ddt.edu
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
Ran Netdom reset EllisZ01 /Domain:ddt.edu /Server:Server01
Succeeds but does't help
Ran netdom resetpwd /server:server01.ddt.edu /UserD:MyUserName /PasswordD:*
Password resets successfully but doesn’t help.
Ran dcdiag /s:server01 and all tests passed except SystemLog which returned multiple Eventid: 0X0000272C errors and one Eventid: 0x800000003 error:
An error event occurred. EventID: 0x0000272C
Time Generated: 02/13/2019 07:29:13
Event String:
DCOM was unable to communicate with the computer SERVER02.ddt.edu using any of the configured protocols; requested by PID 2ab0 (C:\Windows\system32\ServerManager.exe).
An error event occurred. EventID: 0x80000003
Time Generated: 02/13/2019 07:29:40
Event String: A Kerberos error message was received:
An error event occurred. EventID: 0x0000272C
Time Generated: 02/13/2019 07:39:13
Event String:
DCOM was unable to communicate with the computer SERVER02.ddt.edu using any of the configured protocols; requested by PID 2ab0 (C:\Windows\system32\ServerManager.exe).
Group Policy fails with the following message in the event log of the workstation.
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 2/7/2019 8:55:35 AM
Event ID: 1006
Task Category: None
Level: Error
Keywords:
User: DDT\EllisR
Computer: EllisZ01.ddt.edu
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1006</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-07T14:55:35.994342700Z" />
<EventRecordID>54940</EventRecordID>
<Correlation ActivityID="{E8639B9C-06D8-49E8-8A85-39C7D6993B6A}" />
<Execution ProcessID="6212" ThreadID="9680" />
<Channel>System</Channel>
<Computer>EllisZ01.ddt.edu</Computer>
<Security UserID="S-1-5-21-2772296466-3582803739-2678735995-1107" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">6154</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">890</Data>
<Data Name="ErrorCode">49</Data>
<Data Name="ErrorDescription">Invalid Credentials</Data>
<Data Name="DCName">
</Data>
</EventData>
</Event>
The following audit failure is in server event log. There are multiple entries with different client port numbers.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/7/2019 1:35:55 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Server01.ddt.edu
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DDT\ELLISZ01$
Account Name: ELLISZ01$
Service Information:
Service Name: krbtgt/ddt.edu
Network Information:
Client Address: ::ffff:111.111.111.12
Client Port: 49878
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-02-07T19:35:55.282935600Z" />
<EventRecordID>23631687</EventRecordID>
<Correlation />
<Execution ProcessID="720" ThreadID="2184" />
<Channel>Security</Channel>
<Computer>Server01.ddt.edu</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ELLISZ01$</Data>
<Data Name="TargetSid">S-1-5-21-2772296466-3582803739-2678735995-6605</Data>
<Data Name="ServiceName">krbtgt/ddt.edu</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x18</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:111.111.111.12</Data>
<Data Name="IpPort">49878</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>
The following is in the event log of the Domain controller Server01. There are many entries with different Account Names.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/7/2019 1:21:04 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Server01.ddt.edu
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: LARUEZ02$
Account Domain: DDT.EDU
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xC000015B
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name:-
Source Network Address: 111.111.111.22
Source Port: 59243
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
.
.
.
Event Xml:
< Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-02-07T19:21:04.284065900Z" />
<EventRecordID>23628647</EventRecordID>
<Correlation />
<Execution ProcessID="720" ThreadID="10656" />
<Channel>Security</Channel>
<Computer>Server01.ddt.edu</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">LARUEZ02$</Data>
<Data Name="TargetDomainName">DDT.EDU</Data>
<Data Name="Status">0xc000015b</Data>
<Data Name="FailureReason">%%2308</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">111.111.111.22</Data>
<Data Name="IpPort">59243</Data>
</EventData>
< /Event>
Also in server event log
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/7/2019 1:38:55 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Server01.ddt.edu
Description:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: ELLISZ01$
Source Workstation: ELLISZ01
Error Code:0xC000006A
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-02-07T19:38:55.434802400Z" />
<EventRecordID>23632339</EventRecordID>
<Correlation />
<Execution ProcessID="720" ThreadID="10656" />
<Channel>Security</Channel>
<Computer>Server01.ddt.edu</Computer>
<Security />
</System>
<EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">ELLISZ01$</Data>
<Data Name="Workstation">ELLISZ01</Data>
<Data Name="Status">0xc000006a</Data>
</EventData>
</Event>
↧
AD Replication issue - not creating replication partner with WS2016 DCs
- We are having WS2008R2/2012R2 DCs, and in the process of upgrading to WS2016 DCs (13 WS 2016 DCs upgraded till yet).
- Our older version DCs has inter-site replication partners with other AD sites, and we have 11 AD sites.
- Now, the issue is that our new WS2016 DCs can’t create replication partnerships with other AD Sites DCs.
We are using Infoblox DNS service. We checked and no replication issues found.
Any suggestion as in coming days we are going to demote older versions DCs?
Rajneesh Kumar MCSE - Server Infra, MCITP - SA, CNA
↧
change expired password on rdweb / two domains with external trust / not working
Hi,
We are having problems to reset expired passwords on RDWEB.
I have an exisiting topic on the forum here about it:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/f43f548d-1921-401d-8ff0-5f5979411c0e/expired-password-reset-option-rdweb-2012r2?forum=winserverTS
We dont found a solution yet and we think the issue is with the existing trust relationship between the 2 domains. My RD collection is on another domain then the users that login to it.
The trust between the domains is an external one, maybe to make this work we need to change it to an transistive trust?
However 100's of users are working on this enviroment. We dont want to break it.
Is it safe to change a trust relationship from external to transistive without breaking things? Could this be the solution for the problems we are experiencing?
Thanks,
↧
Windows 10 clients rejecting multiple certificates at auto-enrollment / renewal
Hello,
When my Windows 10 machine certificates enter their renewal period, they go ahead as planned and request their certificate renewals (which are automatically issued by the CA), but then they sometimes reject the issued certificate from the CA and don't install
it.
In the Application event log you can see this corresponding error:
Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
On the workstation I'm currently looking at, this error shows twice in a 1-minute interval, at 8:16 and 8:17 (it seems to happens right after the system start-up at 8:15), and we can see the CA issuing the renewals twice at 8:16 and 8:17 too; but the workstation
rejects it. For some reason the third renewal certificate for that machine was eventually installed successfully at 9:54.
Looking at the System / Windows Time logs, I suspect there could be a few seconds of difference between the CA and the workstation when those errors come up; I mean the issued certificates were probably received on the Windows 10 client a few seconds before their "NotBefore" date so the workstation refuses to install them.
While the ideal solution would obviously be a perfectly time-synced client/server environment 24/7, it is not a really easy task (especially with laptops coming in and out the network anytime) so I'd like to have answers to the following:
=> Is it normal behavior that the Win 10 autoenroll process rejects the certificates that aren't yet valid, even if it requested them?
=> Would it be possible to force Windows 10 clients to accept those certificates even it their 'NotBefore' date is a bit in the future? Would it be an acceptable practise in terms of security / PKI operations (what are the risks with this)?
=> Why could there be a 1-minute interval between the first two attempts then the 3rd one completes over 1 hour later?
=> Is there a way to make the Windows 10 clients more "patient" for auto-enrollment? For example is there a Group Policy or Registry setting that would allow a delay between the time it requests and receives the signed certificate from the CA? Or something to start the AutoEnroll process once the computer has had enough time to properly start-up?
=>Which Windows service does AutoEnrollment depend on? How about setting this service startup mode in "Automatic (Delayed)"?
If somebody knows a good article explaining the AutoEnrollment mechanisms on client side (ideally for Windows 10, even 7), I would appreciate it.
Thanks!
↧
↧
Server 2019: Active DIrectory: - DNC msDS-AllowedDNSSuffixes tattoos RootDSE namingContexts
Hi team,
I've been attempting to establish a domain with an disjointed namespace between DCs to support an SDLC within a single domain. Essentially the DNS root and R/W DCs will be secured and RODCs with subdomains will be established in different environments. each environment will have a separate but matched principles of administration through a common delegated admin model. However, I wish to keep DNS records isolated from different environments, only to be resolved through zone delegation to the relevant DCs for each environment.
I have setup a playpen to validate the configuration with two DCs and enabled, and commissioned the msDS-AllowedDNSSuffixes and updated the second DCs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Domain to match. I have added the zone delegation to the first DC and created a new DNS partition and zone to hold these records.
I noticed that upon reboot the second DC has created subdomain records for _sites and _tcp records, unexpectedly. upon reversing the configuration and removing the msDS-AllowedDNSSuffixes records, rebooting both DCs, i notice the RootDSE namingContexts is not updated to remove the now superflous subdomain record. How should this record be removed?
Many thanks
↧
Active Directory remote siteTopologies
Hello ,
we are planning to rebuild our AD infrastructure .we have many remote sites in our country and other in internationnal.
our main DC is a VM in Vmware and in other Sites we have GLB DCs . in each Site there is one DC as global catalog .
we plan to reduce the number of the DC in the Sites and to implement a new physical DC in our main office to replace the DC VM .
for you , what are the parameters should i based on to define this Site should has a DC or Not ?
for me is the bandwith and number of ressources in the site ( users, printers ,...) but i dont have a good statistics like for example if i have the MPLS link is 30mb/s and have 30 users in the site , i can tell no need for DC ...
Regards
↧
Existing Fileservers and DFS
Hello,
When installing DFS at existing fileservers with real folders/data, how can i add the already existing folders. Do i need to add a folder from server A and it will auto sync to server B with the same user/group rights and content?
regards,
↧
Error when copying user - The name reference is invalid.
I have windows server 2016 and was using exchange 2013 and about a year ago migrated to office365
Since then I have copied several users not sure why I am encountering this issue now (probably due to windows updates) as from what I read it seems to be related to exchange.
According to the following site https://www.vspbreda.nl/nl/ms-office/office-365/name-reference-invalid/ it has to do with the Default Global Address List and when I try and remove it on a test user I am getting an error.
Any ideas? also will it affect anything from my setup or is it safe to remove? TIA
↧
↧
I cannot join new machines to the AD "Network Path not found"
After having demoted and removed one of two domain controllers I cannot add any new servers to the AD. Both the DC and the server I am trying to add is running Server 2016. I have enabled netbios over TCP/IP. The new machine has only the DC as DNS, I have started the netlogon service and the DC passes all teh dcdiag tests. The new machine can ping the DC and vice versa. I am completely stumped.
↧
Phantom DNS records
I seem to be having a problem with my dns, it might not be my only problem, but it is the one i am currently trying to tackle. Sometimes DNS works to connect to computers, some times it doesn't. I ran a DCDiag /test:dns and got the below result. It tells me that all my srv records are missing. When i go into my dns, all my records appear to be in place. DNS in the adapter settings does point to itself.
Other symptoms of my overall problem include:
- Error when trying to connect a second DC server (Active Directoy Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=faicorp,DC=local from the remote Active Directory Domain Controller DC1.)
- can only connect a computer to the domain while it is running dhcp(cannot be staticed.)
dcdaig /test:dns; ipconfig /all; netdom query dc; detdom query fsmo; are all below.
Any help or guidance would be vastly appreciated. I've been bashing my head against this for a while now.
Thanks.
>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC1
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... DC1 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : faicorp
Running enterprise tests on : faicorp.local
Starting test: DNS
Test results for domain controllers:
DC: DC1
Domain: faicorp.local
TEST: Basic (Basc)
Warning: The A record for this DC was not found
No host records (A or AAAA) were found for this DC
TEST: Dynamic update (Dyn)
Warning: Failed to add the test record dcdiag-test-record in zone faicorp.local
TEST: Records registration (RReg)
Network Adapter [00000003] Microsoft Hyper-V Network Adapter:
Warning:
Missing A record at DNS server 172.16.156.11:
DC1
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.eac4fbfb-f712-4e84-9da7-adfe7e839361.domains._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._tcp.dc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.dc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._tcp.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._udp.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kpasswd._tcp.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.Default-First-Site-Name._sites.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._tcp.Default-First-Site-Name._sites.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.gc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_gc._tcp.Default-First-Site-Name._sites.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.pdc._msdcs.faicorp.local
Warning:
Missing A record at DNS server 172.16.156.11:
DC1
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.eac4fbfb-f712-4e84-9da7-adfe7e839361.domains._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._tcp.dc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.dc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._tcp.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._udp.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kpasswd._tcp.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.Default-First-Site-Name._sites.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_kerberos._tcp.Default-First-Site-Name._sites.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.gc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_gc._tcp.Default-First-Site-Name._sites.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.faicorp.local
Warning:
Missing SRV record at DNS server 172.16.156.11:
_ldap._tcp.pdc._msdcs.faicorp.local
Error: Record registrations cannot be found for all the network adapters
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: faicorp.local
DC1 PASS FAIL PASS PASS WARN FAIL n/a
......................... faicorp.local failed test DNS
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : faicorp.local
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-D1-79-19
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.156.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 172.16.156.1
DNS Servers . . . . . . . . . . . : 172.16.156.11
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{FF5222BD-3646-4E33-9D9E-41A6193D6B4D}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
>netdom query dc
List of domain controllers with accounts in the domain:
DC1
The command completed successfully.
C:\Users\administrator.FAICORP>netdom query fsmo
Schema master DC1
Domain naming master DC1
PDC DC1
RID pool manager DC1
Infrastructure master DC1
The command completed successfully.
↧
How to properly remove empty OUs
We have many OUs in ADUC thing is I can run the below and find out empty OUs no problem but how would I incorporate any delegation, last used, or gpo associations?
Import-Module ActiveDirectory# Get a list of all the OUs in the domain
# Below the list is sorted by CanonicalName in descending order intentionally. This was
# done so that child OUs are checked first to determine if they are empty. This information
# is then used when checking the parent OU so that empty child OUs are not counted when
# determining if a parent OU should be considered empty.
$ouList = Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
Sort-Object -Property CanonicalName -Descending
# Put together a list of all empty OUs in the domain
$report = @()
foreach ($ou in $ouList) {
# The Where-Object line below is the logic that excludes any empty OUs underneath the
# current OU for purposes of determining if this OU should be considered empty.
# The Select-Object line is included here primarily to increase how quickly we process
# through the OUs as we don't really care how many objects are underneath the OU only
# that there are object (or not) underneath.
$objectList = Get-ADObject -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel |
Where-Object {$report.DistinguishedName -notcontains $_.DistinguishedName} |
Select-Object -First 1
# If we didn't find any objects underneath the OU, add it to the report
if (-not $objectList) {
$report += $ou
}
}
# Export the report
$report | Sort-Object -Property CanonicalName |
Select-Object CanonicalName, Name, DistinguishedName |
Export-Csv "$env:USERPROFILE\Desktop\EmptyOUs.csv" -NoTypeInformation
# Open the report
Invoke-Item -Path "$env:USERPROFILE\Desktop\EmptyOUs.csv"
↧