Channel: Directory Services forum

Can't authenticate to PC in another Domain


Hello all, I need some assistance with authentication.

I just recently established and validated a trust to another domain. For some reason my domain (ABC) users cannot authenticate to the XYZ domain. We get hit with "bad user name or password", BUT XYZ users can authenticate to PCs at ABC!

Event Viewer shows success (event IDs 4672 and 4624), so I'm at a loss! Can someone please assist on what could be happening?


Failed DCPROMO - First Domain Controller of a new Child Domain


Hi

I'm trying to create a new child domain (F) in a mixed 2012R2 / 2016 DC environment best pictured as follows

     Root
    /    \
   A      B
 /  |    |  \
C   D    E   F

Summary of domains

Root     - 2012 R2 DCs / Domain and Forest Function Levels 2012R2
A, C, D  - 2012 R2 DCs / Domain Function Level 2012R2
B        - 2016 DCs / Domain Function Level 2016
E        - 2016 DCs / Domain Function Level 2012R2
F        - Failing to create first DC

All replication and firewall rules appear fine; however, on trying to create the first domain controller for Domain F (basically the same setup as Domain E) I get the following error in the GUI:

The operation failed because

Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=…… from the remote Active Directory Domain Controller ….

"The replication operation encountered a database error"

DCPROMO.LOG on the server shows the following, and I'm struggling to find any relevant information for a fix:

-----------------------------------------

10/09/2018 10:17:20 [INFO] Replicating the schema directory partition
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS Replication / Replication : 2140
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest.  The Active Directory Domain Services is currently enabling or disabling one or more optional features.  Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed.  The Active Directory Domain Services will temporarily discontinue this replication request.  The replication request will be attempted again later.
Request Details:
Object being modified: CN=BootMachine,O=Boot
Attribute being modified: msDS-EnabledFeature
Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
Optional feature: Recycle Bin Feature
10/09/2018 10:17:20 [INFO] EVENTLOG (Warning): NTDS General / Internal Processing : 1173
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
e0010002
Parameter:
20d9
Additional Data
Error value:
8451
Internal ID:
11d0700
10/09/2018 10:17:20 [INFO] Error - Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=X,DC=Y from the remote Active Directory Domain Controller DC1.W.X.Y. (8451)
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac
10/09/2018 10:17:20 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.

------------------------------------------

All sensible suggestions gratefully received

Thanks

Normal user can create a folder in a mapped drive but cannot delete it?


In my network, I share a mapped drive and all users can access it. The path of this drive is a folder name (Share) on this drive.

In his folder, a normal user can create a folder or file but cannot delete it. How can I make this kind of policy?

Actually, a normal user can't delete anything in my shared drive, although he is the owner of his folder or file.

CA migration: SHA1 to SHA2 in Windows 2016 OS


Hi,

We currently have a single Root CA (AD integrated) in our organization and it uses SHA-1. We have issued some certificates internally by using this CA. So now we need to migrate the certificate from SHA-1 to SHA-2.


We have tested the migration in our test environment by using the command below:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Once we run this command, we observed the thumbprint algorithm to still be SHA1 after the upgrade of the CA from SHA1 to SHA2, although the signature and signature hash algorithm are SHA-256.

The other thing is we need to migrate the certificates which were issued using SHA1 to SHA2. What are the steps recommended for it?


Auto Unlock Account


Hi,

Can someone please guide me: is there any tool or script which will automatically unlock my account after an interval of xx minutes, or that I can schedule in Task Scheduler?


Additional Domain Controller is not authenticating when Primary Domain Controller goes down


Hi,

I have a Primary Domain Controller and a Secondary Domain Controller. The problem is that when the Primary Domain Controller goes down, the Secondary Domain Controller does not authenticate the users.

I've an Exchange Server in the environment but everything goes down with Primary Domain Controller.

Any thoughts?

Thanks,

Can I delete perflogs data from an additional domain controller? (C drive cleaning)


Hi Team,

I want to clear disk space from the C drive of a server which is one of our ADCs. Kindly help on this.

Can we delete last year's "data collector" data folder from the perflogs folder?

Please also suggest what the best practice is for cleaning the C drive of a domain controller, and the precautions as well.

Password Hash


Hey guys,

I have done a lot of reading lately and still a bit confused. I would appreciate if someone can answer my questions plainly.

So I understand that the authentication protocol for a 2008+ domain is either Kerberos or NTLM.

Questions:

1) If the authentication protocol is different (Kerberos vs. NTLMv2), are the hashes the same for both?

2) What is the algorithm used for Kerberos and what is the hash? Is NT the hash for both Kerberos and NTLMv2? (MD5 & NT hash???)

3) What is the algorithm used for NTLMv2 and what is the hash? (MD4 & NT hash???)

4) If, for example, the hash is NT (not sure), how can I implement a more secure hash than the standard? If I don't want to implement a global action for this, can this be done on a per-user basis? How do I do this?

5) So there are the NTLMv1 and v2 authentication protocols. Is the other term "NTLM" a hashing algorithm or something else?

Pretty much the reason for this is a complaint from security and I need to implement a solution ASAP:

"Weak hashing algorithms are utilized to protect passwords that are stored in the database." The recommendation was: "Sensitive data should be hashed using SHA-2 (512, 384, 256, 224) or SHA-3 (512, 384, 256, 224) family."

Thanks


AD Attributes - Object class posixaccount and posixgroup


Hi,

I was trying to integrate an application for which the object classes posixaccount and posixgroup are required.

1. I was not able to trace these attributes on users or groups (searched in Attribute Editor). Where can I find these attributes other than in the Schema Editor (where they already exist)?

2. We have also configured a custom user attribute which I do not find in the user's Attribute Editor. How do I add it (options without using ADSI Edit)?

Rgs,

Sntsh.

Forest migration and O365 users

Hi all,

So here's my question.
Forest A = Current forest which is connected to O365
Forest B = Forest of the new company.

We had a new acquisition recently, so the idea is to move users from forest B to our O365 tenant and provide them with access to the same resources.
There are no plans to do a forest trust at the moment and move the users to our domain.
In this case, the suggested way of syncing them is Microsoft's supported pathway of the "multiple forests, single AAD Sync into a single O365 tenant" method.

However, management might later require us to migrate the users from forest B to forest A and remove forest B so that all the users will be managed under the same forest. This can be done via ADMT, no issues.

Question is: because the users in forest B have already been synced to O365 as I mentioned earlier, what will happen if I ADMT them to forest A?
AAD Sync will try to sync the newly migrated users to O365.
Can I avoid the duplication of users in O365 if I move the SID history when I do the ADMT?
Or any other suggestions?

TIA,

Shehan.

If our DC is down, users are not able to access file folders, network printers or other network resources


Hello Team ,

We have a DC server and an ADC server; the domain and forest functional level is 2000 Native. DC and ADC sync successfully. If our DC (which holds all FSMO roles) goes down, users are not able to access file folders and network resources. When our DC is online again, users are able to access the file folders and network resources.

Need to know which Windows services are running on a Skype for Business Front End server.


I need the list of Windows services running on a Skype for Business Front End server.

Can a USN rollback be fixed by using a FRS non-authoritative restore?


An associate was in the middle of retiring some old servers and will soon be migrating to new ones. At the moment there is 1 domain, 2 sites (VPN), 1 DC at each site; replication failed between the sites a couple of days ago due to a USN rollback.

- SiteAServer5 Server 2016 (physical) (FSMO roles, GC)
- SiteBServer4 Server 2012r2 (physical) (GC)
- AD functional level is still 2003 (FRS).

Server5 (problem child) was in the process of being virtualized (not Hyper-V), and instead of doing an instant cut-over, a live clone was made of that server to a VM... while the old physical server was left running for a week... then the VM was put into service, which of course was using an old USN and triggered a rollback on Server4. The Server5 VM was shut down and production went back to the physical box.

Server5 is in rollback, indicated by this registry key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Dsa Not Writable=4

In retrospect it's crystal clear a USN rollback happened, and the documented solutions are pretty drawn out (restore system state, or demote and clean up, etc.); not thrilled with those. No AD account adds/deletes were done during this process, so the AD on either server is usable, or either one could be abandoned.

My question is: could I run an FRS non-authoritative SYSVOL restore to force Server5 to come back to a functional state and let replication overwrite Server4's copy of AD? Clear the Dsa Not Writable key, run repadmin /syncall /AdeP.

http://kpytko.pl/active-directory-domain-services/non-authoritative-sysvol-restore-frs/

Gone over this: https://support.microsoft.com/en-us/help/875495/how-to-detect-and-recover-from-a-usn-rollback-in-windows-server-2003-w

I feel this is a potential alternative, since this is now the mechanism adopted by the MS design of Hyper-V since Server 2012 to prevent USN rollbacks in this exact scenario of VM cloning/snapshotting/restoring or P2V procedures:
https://blogs.technet.microsoft.com/reference_point/2012/12/10/usn-rollback-virtualized-dcs-and-improvements-on-windows-server-2012/
From that page: "5. The virtualized DC synchronizes the SYSVOL:

If using FRS, it stops the NTFRS service and sets the BURFLAGS registry value (D2).
It then starts the NTFRS service, thus performing a non-authoritative restore of the SYSVOL."

AdminSDHolder - Deny Change Password for Account


Okay guys, I have an interesting one here. I have a scenario where I need to restrict a service account that is in Domain Admins from being able to reset or change the passwords of other accounts that are protected by AdminSDHolder. I am fairly familiar with how SDProp and AdminSDHolder work, replacing the DACL of the protected object with the ACEs that are contained on the AdminSDHolder object in Active Directory; however, here is where things get interesting.

When looking through ACLs, the ability to deny "Change Password" and "Reset Password" applies to "Descendant User objects" only. When adding this ACE to AdminSDHolder and letting it replicate out to the protected objects, Effective Access still shows that the service account has permission to change and reset passwords, because the new ACE applies only to descendant objects and not to the object itself. If I attempt to set it on the OU and let it propagate, as expected SDProp overwrites the ACLs and restores them. Additionally, if I switch to "This object and all descendant objects", the check boxes for change and reset password are not available.

I am wondering if there is any way to restrict the ability to change or reset a password for an account that is protected by AdminSDHolder short of moving the service account out of Domain Admins and attempting to enumerate every other ACL required by the account (which would be a very intensive task).

Thanks!
Jeffe


Change IP in Active Directory after creating Active Directory


Hello,

I have a Windows Server 2016 Standard with 1 physical network card with 2 Ethernet ports.

I'll create an Active Directory on that server and a Remote Desktop environment for PC clients to connect to their published applications using Remote Desktop Services.

If, after creating that Active Directory, I change the IP of one Ethernet port (changing IP, gateway and netmask), could it cause some kind of problem on my server? Will Active Directory work OK after that change? Will Remote Desktop work as expected after that change?

Now the two Ethernet ports are using DHCP to obtain an IP address; only one port is connected.

Before creating Active Directory I'll change the IP of the connected port to a static IP, gateway and netmask. Next, after creating the domain directory, I'll create a "Remote Desktop environment" for accessing remote desktops on that server from remote PC clients. They will use the web to access Remote Desktop Web Access and then access their published applications using Remote Desktop Services.

Regards,

David.


Azure AD Connect Multiple Forest - Resource Domain - Account Domain


Good afternoon.

Hope you're well. I wanted to ask a quick question in regards to filtering in Azure AD Connect. We have an account domain, which contains Active Directory accounts, and a resource domain, which contains Exchange mailboxes (linked). When setting up AD Connect we were able to add the two domains and set the sync to identify users based on ObjectSID and MSExchangeMasterAccountSID.

Everything has appeared to work OK; however, currently if a mailbox exists in the resource domain with the corresponding account having been moved to an OU that is not syncing, an account gets created in Azure for that object. Ideally we would want to say that if there is no link between accounts in the resource domain and the account domain, please ignore it.

Any assistance would be appreciated.

Weird - RPC Port 135 being blocked


We are trying to troubleshoot an issue for a client environment that was set up by the previous IT company. We have been troubleshooting this issue for a week and have had a ticket with Microsoft open for six days with no resolution. I could write a book about all the things we have tried over the last week.

To boil it down: on our DC01 domain controller, port 135 is blocked somehow. Our DC02 can't communicate with DC01 and we can't turn up new domain controllers. If you run the PortQuery tool on DC01, it can communicate on port 135 on 127.0.0.1, but it can't communicate if you use the network IP address 192.168.10.23. Obviously, none of the other servers on the network can communicate with DC01 on port 135. Same results using telnet: it can telnet to itself on 127.0.0.1, but not to itself on 192.168.10.23.

It must be something super obscure. We have tried all of the normal reasons you see on Google and we have been working with Microsoft Support for six days. I am just hoping that someone has seen this before.

How to disable LDAP and force LDAPS?


We are currently using LDAP. I plan to install certificates on the specific domain controllers that applications are configured to connect to, and reconfigure the applications to connect over LDAPS.

What can be done to disallow unencrypted LDAP communication to any domain controller on the domain?

Reset Account event logging


Hi,

2 Questions here:

1. On the Windows Active Directory server, where can I get any event log of a "Reset Account" action performed on a computer/system account listed in the AD server directory, if audit logging is not enabled?

2. When we do a "Reset Account" on a computer account, say "comp1", we need to connect back to the AD server from comp1. Can we have a policy or a rule on the AD server to do this? If yes, then where can I find such a rule/policy enabled? Is there any other way the connection between comp1 and the AD server can break?

More info: comp1 is a Linux machine using Samba Winbind to connect to the Windows AD server.

Is NETLOGON folder necessary for domain controller?


Hi,

I know that the NETLOGON folder is used for backward compatibility on the domain controllers. My question is: is that folder necessary for the proper functioning of the domain controller?

Thanks
