Channel: Directory Services forum

Event ID 4776 failure events on the domain controller, even username and password is correct


Hi Team,

I am observing that failure event ID 4776 (The computer attempted to validate the credentials for an account, with code 0xc000006a) is getting generated on my domain controller, even though I am entering correct login details. Can someone help me to understand this event?

As I know, this event is generated when NTLM authentication happens, but in my case I can see a failure event with ID 4776.

If it's bad password attempts, then:

>> The account should get locked, but I can't see an account lockout or any event with ID 4740.

>> I can't see a bad password count in lockout.exe.

Could someone please provide some information on event 4776? I searched Google but am not getting proper information.
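One way to triage this on the DC, as an added example that is not part of the post: summarise the 4776 failures with status 0xC000006A by account and source workstation, then check the lockout threshold and the per-DC badPwdCount for the noisiest account. It assumes an elevated session on the DC with the ActiveDirectory module installed and a 24-hour window; the event field names come from the 4776 EventData schema.

```powershell
# Added example (not from the post): summarise 4776 bad-password failures on a DC
# and cross-check them against the lockout policy and the per-DC badPwdCount.
# Assumes an elevated session on the DC with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)

# 4776 stores PackageName, TargetUserName, Workstation and Status in EventData.
# Status 0x0 = success, 0xC000006A = wrong password, 0xC0000064 = no such user.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            Workstation = $data['Workstation']
            Status      = $data['Status']
        }
    } |
    Where-Object { $_.Status -eq '0xC000006A' }   # string -eq is case-insensitive in PowerShell

# Which account / source pairs generate the failures? A single stale credential
# (mapped drive, scheduled task, service) usually shows up as one pair repeating.
$failures | Group-Object Account, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# Why no 4740? A lockout is only generated once badPwdCount reaches the threshold;
# a threshold of 0 means accounts never lock, however many failures occur.
$policy = Get-ADDefaultDomainPasswordPolicy
'LockoutThreshold={0} ObservationWindow={1}' -f $policy.LockoutThreshold, $policy.LockoutObservationWindow

# badPwdCount is not replicated between DCs, so ask every DC for the noisiest account.
$top = ($failures | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 1).Name
if ($top) {
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc  = $_.HostName
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$top)" -Server $dc -Properties badPwdCount, badPasswordTime
        [PSCustomObject]@{ DC = $dc; Account = $top; badPwdCount = $obj.badPwdCount; badPasswordTime = $obj.badPasswordTime }
    } | Format-Table -AutoSize
}
```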



Trust between 2 external domains


Hi All,

We created a one-way external trust with our vendor, which means the Vendor.com domain now trusts our Client.com domain. Therefore we (Client.com) can access resources hosted in the vendor.com domain.

We created a GPO to add URLs hosted in our vendor domain to the Trusted Sites zone of our machines in client.com. Now when we try to access these URLs, it prompts for ID and password. So we applied a GPO to select the IE option "Automatic logon only in Intranet zone". We were hoping that it would bypass the prompt and automatically log us in, but it still prompts for ID and password.

The first prompt is to enter credentials for the Vendor.com domain, so we cancel that screen and are then prompted for our client.com credentials. Once we enter the client.com credentials manually, it lets us in. Any suggestions?





Cannot contact Domain Controller


Hello,

I'm having issues that I cannot figure out for the life of me. Some background on my environment: I have two Hyper-V nodes running in a failover cluster (Server 2016). Each node is connected via three 1GB connections, all on the same subnet. My storage for the cluster is Server 2019 Storage Spaces via SMB, which is also connected via three 1GB connections, all on the same subnet. I run 2 DCs in the failover cluster and 1 DC locally on one of the Hyper-V hosts just in case anything happens (all GC DCs and DNS fully replicating). Well, something happened: I had one of the nodes paused and forgot to un-pause it, so everything failed, including the 2 DCs in the cluster. The DC running locally is working just fine, but no matter what, nothing will contact the DC. I have most DNS pointing to my firewall (pfSense), which then forwards to my 3 DCs. I've also tried pointing DNS to just the running DC, but that doesn't help either. Each DC only has 1 IP address.

My VMs are set up by the hostname of the storage that the VHDs are sitting on, and since I can't get it resolved I can't get any of the VMs edited or running again. Let me know if you have any ideas.

(DC Firewalls are set to off)

(SRV Records show up for LDAP and Kerberos)

LAPS password taking time to reset or not doing it at all


Hi All,

We have a setup with a main domain and a subdomain.

I recently installed LAPS onto my system. But the issue is that sometimes the password resets after a little time, and sometimes a password never gets set.

The password expiry time changes every time I do a request. If I do it in the GUI, it always says the password reset request was successful. I have tried it in PowerShell as well.

I went through all the following steps.

Installed LAPS (both on my management server and DC)

Import-Module AdmPwd.Ps

Update-AdmPwdSchema

Went and checked and after that I have the ms-MCS-AdmExpirationTime and ms-Mcs-AdmPwd attributes.

Then I ran

Set-AdmPwdComputerSelfPermission -Identity Workstations

Set-AdmPwdReadPasswordPermission -OrgUnit Workstations -AllowedPrincipals Myuser

I also tried running

Set-AdmPwdResetPermission -Orgunit Workstations -AllowedPrincipals Myuser

Oh, and I have gone and configured all the necessary GPOs and distributed them to the workstations in question.

If I go into a computer in that OU and look at the effective permissions Myuser has full control and is allowed to change the ms-mcs attributes. Self has access to Write ms-Mcs-AdmPwd and Ms-Mcs-AdmPwdExpirationTime and Read ms-Mcs-AdmPwdExpirationTime.

Is there something that I am missing here?
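An end-to-end check of a LAPS OU, added here as an example that is not part of the post: it lists who holds the right to read the stored password, shows for each computer whether a password is stored and whether its expiry is already in the past, and pushes one machine through a reset. The client only rotates the password during its own Group Policy refresh once the expiry time has passed, so a reset request moves the expiry to "now" and the new password appears at the next refresh rather than immediately. It assumes the AdmPwd.PS, ActiveDirectory and GroupPolicy modules; the OU and computer name are placeholders.

```powershell
# Added example (not from the post): check one OU's LAPS state end to end.
# Assumes the AdmPwd.PS, ActiveDirectory and GroupPolicy modules are installed;
# $ou and $pc are placeholders for your own OU and a test computer.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder
$pc = 'WKS001'                              # placeholder

# 1. Who holds the extended right to read ms-Mcs-AdmPwd on this OU? Fewer is better:
#    the stored password is plain text in AD, so this list is the effective admin list.
Find-AdmPwdExtendedRights -Identity $ou | Select-Object ObjectDN, ExtendedRightHolders

# 2. Per computer: is a password stored, and is its expiry already in the past?
#    An overdue expiry with no new password means the client has not run its
#    Group Policy refresh since the reset was requested.
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime', 'ms-Mcs-AdmPwd' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'          # FILETIME stored as a large integer
        $exp = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        [PSCustomObject]@{
            Computer   = $_.Name
            HasPwd     = [bool]$_.'ms-Mcs-AdmPwd'          # false/null if you lack the read right
            ExpiresUtc = $exp
            Overdue    = ($null -ne $exp) -and ($exp -lt [DateTime]::UtcNow)
        }
    } | Sort-Object Overdue -Descending | Format-Table -AutoSize

# 3. Force one machine through the cycle: expire now, trigger a GP refresh, re-read.
Reset-AdmPwdPassword -ComputerName $pc
Invoke-GPUpdate -Computer $pc -Force -RandomDelayInMinutes 0
Start-Sleep -Seconds 60
Get-AdmPwdPassword -ComputerName $pc | Select-Object ComputerName, ExpirationTimestamp
```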

Store Disabled Date in Custom Attributes in Active Directory


Hi. For auditing purposes, I need to keep track of the disabled date of user/computer accounts in Active Directory. Keeping these details in an Excel file is not very reliable. I want to add a custom attribute in AD which stores the disabled date of any user/computer account.

Adding a custom attribute to Active Directory is fine, and I was able to do this. What I want is that this attribute should be updated automatically when a user/computer account is disabled, whether manually or automatically (using a PowerShell script).

PS: I don't want to use any third-party software like AD Management Pro etc. for this purpose. However, a PowerShell or VB script is acceptable.
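One way to do this with a scheduled script, added as an example that is not part of the post: rather than recording the time the script happens to run, it reads the replication metadata of userAccountControl, whose LastOriginatingChangeTime is the moment the disabled flag was set, and stamps that into the custom attribute; re-enabled accounts get the stamp cleared. It assumes the ActiveDirectory module, a custom attribute with string syntax (the name below is a placeholder) and rights to write it.

```powershell
# Added example (not from the post): stamp disabled accounts with the time their
# userAccountControl last changed, taken from replication metadata rather than from
# when this script happens to run. Assumes the ActiveDirectory module, a custom
# string-syntax attribute (name below is a placeholder) and rights to write it.
Import-Module ActiveDirectory

$attr = 'customDisabledDate'          # placeholder: your custom attribute's LDAP name
$dc   = (Get-ADDomain).PDCEmulator    # query one DC so reads, metadata and writes agree

function Get-DisabledSince {
    param([string]$DistinguishedName)
    # For a freshly disabled account, the last originating change of userAccountControl
    # is the disable operation itself (manual or scripted).
    (Get-ADReplicationAttributeMetadata -Object $DistinguishedName -Server $dc -Properties userAccountControl).LastOriginatingChangeTime
}

$disabled = @(Get-ADUser     -Filter "Enabled -eq 'False'" -Server $dc -Properties $attr) +
            @(Get-ADComputer -Filter "Enabled -eq 'False'" -Server $dc -Properties $attr)

foreach ($obj in $disabled) {
    if ($obj.$attr) { continue }      # already stamped; keep the original date
    $when = Get-DisabledSince -DistinguishedName $obj.DistinguishedName
    Set-ADObject -Identity $obj.DistinguishedName -Server $dc -Replace @{ $attr = $when.ToString('o') }
}

# Accounts re-enabled since the last run: clear the stamp so it cannot go stale.
$reEnabled = @(Get-ADUser     -Filter "Enabled -eq 'True' -and $attr -like '*'" -Server $dc) +
             @(Get-ADComputer -Filter "Enabled -eq 'True' -and $attr -like '*'" -Server $dc)
foreach ($obj in $reEnabled) {
    Set-ADObject -Identity $obj.DistinguishedName -Server $dc -Clear $attr
}
```

Run it from Task Scheduler at the interval you need; the stamped value is the disable time regardless of how long after the event the script runs.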

CA migration: SHA1 to SHA2 in Windows 2016 OS


Hi,

We currently have a single Root CA (AD integrated) in our organization and it uses SHA-1. We have issued some certificates internally by using this CA. So now we need to migrate the certificates from SHA-1 to SHA-2.


We have tested the migration in our test environment by using the command below:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Once we ran this command, we observed that the thumbprint algorithm was still SHA1 after the upgrade of the CA from SHA1 to SHA2, although the signature and signature hash algorithm are SHA256.

The other thing is that we need to migrate the certificates which were issued using SHA1 to SHA2. What are the recommended steps for it?
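A check worth having here, added as an example that is not part of the post: the thumbprint is not stored in a certificate at all; it is a SHA-1 hash that Windows computes over the whole certificate to identify it, so it reads "sha1" regardless of the signing algorithm. What the CNGHashAlgorithm setting changes is the signature algorithm of certificates the CA signs from then on (the CA's own certificate keeps its old signature until it is renewed), and this inventory lists which installed certificates still carry a SHA-1 signature; the store paths are assumptions.

```powershell
# Added example (not from the post): inventory certificates that still carry a SHA-1
# signature. The Thumbprint column is always a SHA-1 hash computed by Windows and is
# not evidence of the signing algorithm; SignatureAlgorithm is.
function Get-Sha1SignedCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # store path is an assumption
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -match 'sha1' } |
        Select-Object Subject, Issuer, NotAfter,
            @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } },
            Thumbprint
}

Get-Sha1SignedCert -StorePath 'Cert:\LocalMachine\My'
# The CA's own certificate lives here and stays SHA-1 signed until the CA certificate is renewed.
Get-Sha1SignedCert -StorePath 'Cert:\LocalMachine\CA'

# On the CA itself: confirm the registry setting from the post is in effect.
certutil -getreg ca\csp\CNGHashAlgorithm
```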


Auto Unlock Account


Hi,

Can someone please guide me: is there any tool or script which will automatically unlock my account after an interval of xx minutes, or that I can schedule in Task Scheduler?


I cannot join new machines to the AD "Network Path not found"


After having demoted and removed one of two domain controllers, I cannot add any new servers to the AD. Both the DC and the server I am trying to add are running Server 2016. I have enabled NetBIOS over TCP/IP. The new machine has only the DC as DNS, I have started the Netlogon service, and the DC passes all the dcdiag tests. The new machine can ping the DC and vice versa. I am completely stumped.


DFS Question


Hi, I have a question regarding my DFS.

I started DFS replication between 2 servers about a week ago. The sending server has 475GB to send over.

The receiving server has a dedicated 1TB partition. I can see that the receiving server has 344GB used up. When I look inside the folders, I see that the entire folder structure is present; however, everything seems to be empty. When I go to the properties of the folder, it tells me only 20GB is used. I was getting a few errors regarding staging quotas that were set too low. I ran 2 commands which told me that the recommended size was 71GB, which I set.

So I am trying to understand why I don't see anything in the receiving server yet? Is it simply not finished yet?

If it is not finished, how can I see what is going on? I've scoured the Internet to find some kind of tool that can tell me verbosely what DFS is doing, but such a tool does not seem to exist. I am looking for something that says something to the effect of:

Sending server is sending XXX file at XXX% or DFS replication is at XXX% complete.

Basically, anything that can give me a little information as to what exactly is going on; there doesn't seem to be much information as to what DFS is doing, how much bandwidth it is consuming, resources, etc.

Thanks!

DFSR Private folder huge and doesn't match DFS management console.


We have inherited this DFS situation, and neither my coworker nor I have ever used DFS other than for AD. I am seeing all of my user folders in the DFSR\private folder. We had a comms failure at one of the locations, then we saw this. I don't see these folders or their location listed in the DFS management console, but I do see them in DFSR\Private with TreeSize. Is it safe to delete these folders? I have a good backup of the data. We are also planning on removing DFS for the file servers at our two locations.

They are located in the "PreExisting" folder.


Sending results to a Txt or CSV file


Ran the below script; not having much luck in getting all the output seen on the screen into a file. Any help greatly appreciated. Thanks.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$OUS = Get-ADOrganizationalUnit -Filter {name -like "*"} | Select-Object -ExpandProperty DistinguishedName
$results = foreach ($OU in $OUS) {
    $counter = 0
    $gpos = Get-GPInheritance -Target $OU | Select-Object -ExpandProperty InheritedGpoLinks
    foreach ($gpo in $gpos) {
        $counter++
        # Emit one object per link instead of three bare strings, so the rows can be exported
        [PSCustomObject]@{ Order = $counter; GPO = $gpo.DisplayName; OU = $OU }
    }
}
$results | Format-Table -AutoSize                                      # on screen
$results | Export-Csv -Path .\gpo-links.csv -NoTypeInformation         # to a CSV file

Can't restore a deleted object after recycle bin activation


Hi,

I can't restore a deleted object after recycle-bin activation.

Do you have any idea? 

Schema upgrade using Windows 2019


Hi Expert,

I have a question about domain controller migration from Windows 2008 R2 to Windows 2016.

If I use Windows 2019 setup to upgrade the schema version, can we later promote a DC on Windows 2016, or do I have to use Windows 2016 setup?

upgrading Windows and can't unlock EFS locked files


Hello,

I recently upgraded to Windows 10 from 7 and found I can no longer access files I encrypted. I don't remember setting a password when I encrypted them; did it default to my Windows user password? I'm not even sure I had one at the time I encrypted the files! Not sure what to do next.

Owen

AD CS - Restricted enrollment agents issue

Hello, everybody.

Currently I'm struggling to implement something according to these docs.
For simplicity's sake, my test setup is configured with a single enrollment agents group and a single certificate template. My goal is to prevent enrollment agents from issuing certificates to some privileged users. To make that happen, I have configured the following two permission entries for restricted enrollment agents:
DOMAIN\Domain Users - Allow
BUILTIN\Administrators - Deny

And what if a particular user is a member (direct or indirect) of BOTH of the above groups? What is the effect of the above restrictions? Will the certificate request be allowed or denied? Common sense suggests that the request should be denied. But in my test environment it is not, which is very confusing. I tried many different combinations of denied/allowed groups and got contradicting results.

The ultimate question is: what is the definitive way to allow an enrollment agent to request a certificate on behalf of ANY user, EXCEPT members of particular domain security groups (local, global, universal, in this domain, in the whole forest, and including members of BUILTIN\ groups)?
I haven't found any particular guidance in Microsoft documentation or otherwise. It would be great if you could shed some light on this matter.

Thanks in advance.

ADUC MMC Crash


I have an odd situation. I have a Win10 build 1809 with MMC version 3.0 and a Windows Server 2012 R2 build 9600 with MMC version 3.0.

My issue is that when I am in ADUC on the Win10 PC with the ADUC MMC open (it opens fine) and I try to open the properties of a specific user, the ADUC MMC crashes and closes.

However, when doing the same actions on the Windows Server 2012 R2 (which is also an AD DS server), opening the properties on that user is fine and I can do anything I need to do.

This only happens on that particular user; all other AD objects are not having this issue. I made a copy of this particular user and gave it a new name, and the account properties open just fine with no issues on the copied account.

I have other AD admins that are seeing the same issue when trying to open this user, and all other AD objects are fine. The other AD admins are running Win10 and Win7 with RSAT tools installed.

Has anyone seen this situation before? I'm thinking this is account related, not ADUC related per se, since all other accounts can be managed as they should be.

Any and all help is greatly appreciated.

Len


Leonard Hoffman


GPO to delete a local profile


Would anyone happen to know if there is a GPO that I could set up in AD on Server 2012 that I can use to delete one specific local profile off of about 200 machines?

Support analyst

Active Directory remote site topologies


Hello,

We are planning to rebuild our AD infrastructure. We have many remote sites in our country and others internationally.

Our main DC is a VM in VMware, and in the other sites we have GLB DCs. In each site there is one DC as a global catalog.

We plan to reduce the number of DCs in the sites and to implement a new physical DC in our main office to replace the DC VM.

In your view, what are the parameters I should base the decision on to define whether a site should have a DC or not?

For me it is the bandwidth and the number of resources in the site (users, printers, ...), but I don't have good statistics. For example, if the MPLS link is 30mb/s and I have 30 users in the site, I can tell there is no need for a DC...

Regards 


Problem with replication DFS


Hi,

Please help me understand and resolve the problem.

One node does not want to replicate data to the two others (a small test txt file). The problem is with 4 replication groups. The other 12 groups work properly.

Result of the diagnostic report:

STOR02

STOR03

STOR04

If I try to run a propagation test on STOR02 or STOR03, I receive an error (on STOR04 there are no problems).

I run the test as administrator; on the share, "Everyone" has full access permissions.


Place two DFS servers in multi sites


Hi All,

I have 10 physical sites and two sites in Sites and Services (S1 and S2), so some of the subnets belong to S1 and some are in S2.

How do I place two DFS servers? All sites are IPVPN.

  

As

  


