Channel: Directory Services forum

Windows 10 clients rejecting multiple certificates at auto-enrollment / renewal


Hello,

When my Windows 10 machine certificates enter their renewal period, they go ahead as planned and request their certificate renewals (which are automatically issued by the CA), but then they sometimes reject the issued certificate from the CA and don't install it.
In the Application event log you can see this corresponding error:
Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

On the workstation I'm currently looking at, this error shows twice in a 1-minute interval, at 8:16 and 8:17 (it seems to happen right after the system start-up at 8:15), and we can see the CA issuing the renewals twice at 8:16 and 8:17 too; but the workstation rejects it. For some reason the third renewal certificate for that machine was eventually installed successfully at 9:54.

Looking at the System / Windows Time logs, I suspect there could be a few seconds of difference between the CA and the workstation when those errors come up; I mean the issued certificates were probably received on the Windows 10 client a few seconds before their "NotBefore" date so the workstation refuses to install them.

While the ideal solution would obviously be a perfectly time-synced client/server environment 24/7, it is not a really easy task (especially with laptops coming in and out of the network anytime) so I'd like to have answers to the following:

=> Is it normal behavior that the Win 10 autoenroll process rejects the certificates that aren't yet valid, even if it requested them?

=> Would it be possible to force Windows 10 clients to accept those certificates even if their 'NotBefore' date is a bit in the future? Would it be an acceptable practice in terms of security / PKI operations (what are the risks with this)?

=> Why could there be a 1-minute interval between the first two attempts then the 3rd one completes over 1 hour later?

=> Is there a way to make the Windows 10 clients more "patient" for auto-enrollment? For example is there a Group Policy or Registry setting that would allow a delay between the time it requests and receives the signed certificate from the CA? Or something to start the AutoEnroll process once the computer has had enough time to properly start-up?

=> Which Windows service does AutoEnrollment depend on? How about setting this service's startup mode to "Automatic (Delayed)"?

If somebody knows a good article explaining the AutoEnrollment mechanisms on client side (ideally for Windows 10, even 7), I would appreciate it.

Thanks!
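The post suspects a clock offset between the CA and the client at boot. The following is an added example (not from the original post) that checks the three things you would want to see side by side on the affected workstation: the time offset against the CA, the validity window of the machine certificates that did get installed, and the autoenrollment failures carrying status 0x800b0101. `$CaHost` is an assumed placeholder; everything else is built-in Windows tooling.

```powershell
# Added example, not from the original post. Run on the affected Windows 10 client.
$CaHost = 'ca01.corp.example'   # placeholder: hostname of the issuing CA

# 1. Clock offset between this client and the CA, in seconds (positive = CA is ahead).
#    A certificate issued with NotBefore = CA time arrives "in the future" if the client lags.
w32tm /stripchart "/computer:$CaHost" /samples:3 /dataonly

# 2. Machine certificates currently installed: when each one became valid according to this clock.
Get-ChildItem Cert:\LocalMachine\My |
    Sort-Object NotBefore -Descending |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 3. Autoenrollment failures that quote the "not within its validity period" status.
#    Compare TimeCreated here with the NotBefore of the certificate the CA issued at that minute.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x800b0101' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the stripchart offset is a few seconds and the failures cluster right after boot, the certificate was rejected because the client's clock had not yet been corrected by the time service, and the fix is on the time-sync side rather than in relaxing validity checks.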
CA migration: SHA1 to SHA2 in Windows 2016 OS


Hi,

We currently have a single Root CA (AD integrated) in our organization and it uses SHA-1. We have issued some certificates internally by using this CA. So now we need to migrate the certificates from SHA-1 to SHA-2.


We have tested the migration in our test environment by using the command below:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Once we ran this command we observed that the Thumbprint algorithm is still SHA1 after the upgrade of the CA from SHA1 to SHA2, although the signature and signature hash algorithm are SHA-256.

The other thing is we need to migrate the certificates which were issued using SHA1 to SHA2. What are the steps recommended for it?
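One point worth separating out: the "Thumbprint" shown by the Windows certificate viewer is a SHA-1 hash that the viewer computes locally over the certificate bytes. It is not a field in the certificate, so it stays SHA-1 no matter which algorithm the CA signs with; the field that matters for a SHA-2 migration is the signature algorithm inside the certificate. The script below is an added example (not from the original post) that inventories a certificate store and reports that embedded signature algorithm per certificate, so the SHA-1-signed ones that still need re-issuing stand out. `Get-CertSignatureInventory` is a name chosen here; the store path parameter is an assumption.

```powershell
# Added example, not from the original post.
# On the CA itself, the configured signing hash can be read back with:
#   certutil -getreg ca\csp\CNGHashAlgorithm
# Certificates already issued keep the algorithm they were signed with until re-issued, and the
# CA's own (self-signed) certificate keeps its SHA-1 signature until the CA certificate is renewed.

function Get-CertSignatureInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed default; pass any Cert:\ path

    Get-ChildItem -Path $StorePath |
        Select-Object Subject, Issuer, NotAfter, Thumbprint,
            # FriendlyName is e.g. "sha1RSA" or "sha256RSA"; Value is the OID.
            @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } },
            @{ n = 'SignatureOid';       e = { $_.SignatureAlgorithm.Value } },
            @{ n = 'NeedsReissue';       e = { $_.SignatureAlgorithm.FriendlyName -match '^sha1' } }
}

Get-CertSignatureInventory |
    Sort-Object NeedsReissue -Descending |
    Format-Table Subject, SignatureAlgorithm, NeedsReissue, NotAfter -AutoSize
```

Run it with `-StorePath Cert:\LocalMachine\CA` or `Cert:\LocalMachine\Root` as well to see which intermediate and root certificates in the chain are still SHA-1 signed; the Thumbprint column will read as SHA-1 for every entry regardless, which is the behaviour the post observed.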


Windows 2008 R2 Directory Services. Upgrade Server 2008 R2 to Server 2016


Hi Team, 

One of our customers is running AD services on Windows 2008 R2. We are looking to migrate Directory Services to Server 2016.

What should be the right approach? 

- Does 2008 R2 support an in-place upgrade directly to Server 2016?

- Shall we go with a side-by-side approach, installing Server 2016 as an additional DC and then transferring the FSMO roles from 2008 to 2016?

Regards,

Upgrading from Windows Server 2008 r2 to Windows Server 2016


Hi,

I know you can't do a direct upgrade from 2008 to 2016, so it will be a step upgrade via 2012. However, do I need to purchase a full version of 2012 for the sake of a couple of hours, or can I use the Trial Version of 2012 to get me to that step and then upgrade to 2016 with my "retail" version and key?

It needs to be an in-place upgrade as we don't have any other hardware to migrate back and forward from.

Many Thanks for any advice

Can we delete perflogs data from an additional domain controller? (C drive cleaning)


Hi Team,

I want to clear disk space from the C drive of one of our ADCs. Kindly help on this.

Can we delete last year's data folder "data collector" from the perflogs folder?

Please also suggest what the best practice is for cleaning the C drive of a domain controller, and the precautions as well.

Can't authenticate to PC in another Domain


Hello all, I need some assistance with authentication.

I just recently established and validated a Trust to another Domain. For some reason my domain (ABC) users cannot authenticate to the XYZ domain. We get hit with "bad user name or password", BUT XYZ can authenticate to PCs at ABC!

Event viewer shows successful - event ID 4672 and 4624, so I'm at a loss! Can someone please assist on what could be happening?

Hidden Domain Controllers still showing up in nltest and Get-ADDomainController (confused or misguided?)


Hi,

Getting ready to decommission our legacy domain controllers. In order to assist in identifying any hard-coded applications I have set DnsAvoidRegisterRecords for the following service records:

Ldap
Gc
DcByGuid
Kdc
Dc
Rfc1510Kdc
GenericGc
Rfc1510UdpKdc
Rfc1510Kpwd
Rfc1510UdpKpwd
LdapAtSite
Pdc
GcAtSite
KdcAtSite
DcAtSite
Rfc1510KdcAtSite
GenericGc
GenericGcAtSite

I have waited about a week to let client cache expire, and when I run a Wireshark capture for LDAP or I run the DC data collector set I am still seeing workstations along with servers hitting the domain controllers. I also found when I run nltest /dclist:domain.com it returns the domain controllers that are supposed to be "hidden". Same with Get-ADDomainController -ForceDiscover (which is equivalent).

I was under the assumption from my research that these would no longer be returned to the DC locator or DNS DC locator services, but I am still seeing them.  This is skewing results as I still see several (100) workstations hitting these domain controllers along with servers.

Post applying the policy I restarted the Netlogon service and ensured that the records were de-registered. The servers were also rebooted about a week ago. I used PowerShell to find SRV records for one of the domain controllers and it came back with thousands?!?! We do have several hundred sites, so that does make some sense.

I am simply trying to see what could be hard-coded, but at this point despite the effort I don't understand why these domain controllers still seem discoverable. We have a single forest with 2 child domains and these domain controllers are in one of the child domains.

Any help would be appreciated

Thanks


"I live and die by the command line" -JL 2010 ©
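Two different lookups are being compared above. DnsAvoidRegisterRecords only controls which SRV records the Netlogon service registers in DNS; it does not remove the domain controller's objects from the directory, and `nltest /dclist` asks a DC for the list of DCs in the domain from the directory rather than resolving DNS. The script below is an added example (not from the original post) that checks whether a supposedly hidden DC is still present in the locator SRV records a client actually resolves, and reads back the mnemonics Netlogon was told to avoid, from both the policy and the manual registry locations. `$Domain` and `$HiddenDc` are assumed placeholders.

```powershell
# Added example, not from the original post. Run the DNS part from any client; the registry part on the DC.
$Domain   = 'child.domain.com'        # placeholder: the child domain the DC belongs to
$HiddenDc = 'dc01.child.domain.com'   # placeholder: FQDN of the DC that should be hidden

# Locator records a domain member resolves when it looks for a DC, KDC or LDAP server.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

foreach ($name in $srvNames) {
    $hits = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget.TrimEnd('.') -ieq $HiddenDc }
    $state = if ($hits) { 'STILL REGISTERED' } else { 'absent' }
    '{0,-45} {1}' -f $name, $state
}

# On the DC itself: what Netlogon has been told not to register, from the GPO and the manual location.
$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',      # Group Policy setting
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' # manually set value
)
foreach ($p in $paths) {
    $v = Get-ItemProperty -Path $p -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
    if ($v) { "$p : $($v.DnsAvoidRegisterRecords)" } else { "$p : (not set)" }
}
```

If every SRV record comes back as absent but clients still reach the DC, the traffic is coming from something that does not use the locator at all (a hard-coded hostname or IP, or a cached LDAP/Kerberos server address), which is the population the post is trying to find; the site-specific records for the client's own site are worth adding to `$srvNames` for a site with several hundred entries.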

AD domain consolidation\Restructuring.


Hi Team,

We are in the process of AD domain consolidation\restructuring. I want to know, from first to last, what the things are that I need to consider; any response would be of great help.

Thanks in advance.

Regards.



Password Hash


Hey guys,

I have done a lot of reading lately and still a bit confused. I would appreciate if someone can answer my questions plainly.

So I understand the authentication protocol for a 2008+ domain is either Kerberos or NTLM.

Questions:

1) If the authentication protocol is different (Kerberos & NTLMv2), are the hashes the same for both?

2) What is the algorithm used for Kerberos and what is the hash? Is NT the hash for both Kerberos and NTLMv2? (MD5 & NT Hash???)

3) What is the algorithm used for NTLMv2 and what is the hash? (MD4 & NT hash???)

4) If for example the hash is NT (not sure), how can I implement a more secure hash than the standard? If I don't want to implement a global action for this, can this be done on a user basis? How do I do this?

5) So there is NTLMv1 and v2 authentication protocol. Is the other term "NTLM" a hashing algorithm or something else?

Pretty much the reason for this is a complaint from security and I need to implement a solution ASAP:

"Weak hashing algorithms are utilized to protect passwords that are stored in the database." The recommendation was: "Sensitive data should be hashed using SHA-2 (512, 384, 256, 224) or SHA-3 (512, 384, 256, 224) family."

Thanks
Linux unable to see unixUserPassword Attribute

After migrating from Server 2003 SFU 3.0 to Server 2012 R2 with IDMU, new user accounts are being created with only the unixUserPassword attribute and not the msSFU30Password attribute. Old accounts have both attributes. Our Linux servers are able to pull the msSFU30Password attribute fine using a standard service account and an LDAP search. However, the only way the Linux servers can read the new unixUserPassword attribute is if the service account they are using is given Domain Admin rights. The permissions on both attributes appear to be the same so I'm not sure why one works and the other doesn't. I obviously don't want to grant a service account Domain Admin rights, so I'm hoping someone can tell me what needs to be changed in order to make this work.

Vincent Sprague


Move a Computer to an Active Directory with different credentials


Hi,

I want to move computer/device from one OU to another OU using VB Code.

The below code is working great under the login of the service account on the target PC.

But is there any way to execute the below code with different credentials? I did google and tried but was not able to make it work.

If you have worked on this scenario, please share some thoughts.


' *****************************************************************************
strLDAPofOU = "OU=Desktops,OU=Computers,DC=domain,DC=locale"
' *****************************************************************************
On Error Resume Next
' Get the distinguished name of this computer's AD object via ADSystemInfo
Set objSysInfo = CreateObject("ADSystemInfo")
strMachineObjectOU = strLDAPofOU
strComputerDN = objSysInfo.ComputerName
' Split "CN=host,OU=...,DC=..." at the first comma into the RDN and the parent OU
nComma = InStr(strComputerDN, ",")
strCurrentOU = Mid(strComputerDN, nComma + 1)
strComputerName = Left(strComputerDN, nComma - 1)
' If the current OU differs from the target OU, move the object
If UCase(strCurrentOU) <> UCase(strMachineObjectOU) Then
    Set objNewOU = GetObject("LDAP://" & strMachineObjectOU)
    Set objMoveComputer = objNewOU.MoveHere("LDAP://" & strComputerDN, strComputerName)
    ' On Error Resume Next hides failures, so report them explicitly
    If Err.Number <> 0 Then
        WScript.Echo "Move failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End If
'//----------------------------------------------------------------------------
'//  End Script
'//----------------------------------------------------------------------------

Regards

Er Reddy
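`GetObject("LDAP://...")` always binds as the account running the script, which is why the VBScript above cannot take other credentials. The following is an added example, not the poster's code, that does the same OU move with an explicit credential using the ActiveDirectory module (RSAT), so the script can run under the machine's own context while the move is performed as a delegated account. The account only needs the rights to create and delete computer objects on the source and target OUs, not Domain Admins, and the secret is prompted for rather than embedded in the script so a copy left on the workstation does not leak it. `$TargetOu` is taken from the post; `$DomainController` is an assumed placeholder.

```powershell
# Added example, not the poster's code. Requires the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

$TargetOu         = 'OU=Desktops,OU=Computers,DC=domain,DC=locale'   # from the post
$DomainController = 'dc01.domain.locale'                            # placeholder
$cred             = Get-Credential -Message 'Account delegated to move computer objects'

# Locate this machine's computer object using the supplied credential.
$computer  = Get-ADComputer -Identity $env:COMPUTERNAME -Server $DomainController -Credential $cred

# Parent container = everything after the first comma of the DN (same split the VBScript uses;
# a CN containing an escaped comma would need a proper DN parser).
$currentOu = ($computer.DistinguishedName -split ',', 2)[1]

if ($currentOu -ine $TargetOu) {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOu `
                  -Server $DomainController -Credential $cred
    Write-Output "Moved $($computer.Name) from $currentOu to $TargetOu"
} else {
    Write-Output "$($computer.Name) is already in $TargetOu"
}
```

Pinning `-Server` to one DC for both the lookup and the move avoids the case where the object is read from one DC and the move is attempted on another that has not replicated it yet. If the module is not available, the same thing can be done with `System.DirectoryServices.DirectoryEntry`, whose constructor accepts a path, username and password, followed by `MoveTo` on the target container.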

Rename a Domain Joined Computer


I've created an OU hierarchy and delegated access to a group with full control over all objects and descendant objects. Why can't a member of the group with delegated access rename a domain-joined computer in the OU? I've verified the group is local admin on the server and even created a second delegation for write all properties of descendant computer objects in the OU. I can see in the security settings on the server object that all of the settings are as expected. There are no denies in any of the settings on the OU. Could there be a GPO I'm not thinking of that is restricting this?

I've gone through multiple pages on TechNet looking for an answer that isn't local admin / write all properties on the computer object.

thanks,

jason

AD lookup not using domain in 1809


Most of my users upgraded to 1809 in the last week or two and now they are having issues with network resources. The symptom is an active directory user (Scanner) can no longer access their shared folder (\\machinename\Scans), even though that user has full read/write permissions. When I sit at the client computer and bring up properties for the folder, Security correctly shows the users with correct permissions. If I try to add a user to the list however, under Locations I am only shown the local computer, not the AD.  My guess is when the Scanner user attempts to connect to write a file the client machine looks for them in the local user store instead of the AD store and fails when it can't find them. Am I looking in the right direction, or am I totally off base?

I ran into the issue presenting in a different way as well today. When I'm logged into the computer and do a software install, registry edits fail. This is because you need Admin rights to write to the registry and the user credentials are domain credentials. I now have a dozen or so machines with the issue, all upgraded to 1809.

Failed to open the group policy object. You may not have the appropriate rights. Network access is denied


We have a one-way forest trust between Forest A and Forest B, and have created a Universal group and added the members in Forest A. Then we added this to a Domain Local group in Forest B.

We want (certain) users from Forest A to be able to manage group policies on Forest B.

We've Delegated the Local Group rights to Edit a GPO but whenever we try to Edit it (even though the option is available) we get the error: "Failed to open the group policy object. You may not have the appropriate rights. Network access is denied"

Any ideas what this could be?

The "network access is denied" part of the error is throwing me as well. It doesn't give any further info on this.

Might be something simple that we've missed but if so we must keep missing it :) !

Any help appreciated!

DFSR Migration Stuck


A few weeks ago the domain controllers in our Lab domain were attempted to be migrated from FRS to DFSR. The domain is at Windows 2008 R2 functional level and the DCs are on Windows 2019. When the migration was initiated with Dfsrmig this error appeared every 5 minutes when it tried to migrate SYSVOL:

DFSR was unable to copy the contents of the SYSVOL share located at C:\Windows\SYSVOL\domain to the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR\domain. This could be due to lack of availability of disk space or due to sharing violations.

Additional Information: 
Sysvol NTFRS folder: C:\Windows\SYSVOL\domain 
Sysvol DFSR folder: C:\Windows\SYSVOL_DFSR\domain 
Error: 367 (The process creation has been blocked.)

Replication between the two domain controllers was working without any issues. I've tried just about everything to fix the problem: adjusting permissions on the folders, running the Robocopy command manually (which did copy all the folders and files without error), deleting all GPOs not being used, running DCGPOFIX, removing all DCs except one, even performing a System State restore to a new DC (with an auth restore of AD and Sysvol), and rolling back the migration and starting again. Nothing has corrected the issue.

Has anyone seen this error or have any suggestions?



AdminSDHolder - Deny Change Password for Account


Okay guys, I have an interesting one here. I have a scenario where I need to restrict a service account that is in Domain Admins from being able to reset or change the passwords of other accounts that are protected by the AdminSDHolder role. I am fairly familiar with how SDProp and AdminSDHolder work, replacing the DACL of the protected object with the ACLs that are contained on the AdminSDHolder object in Active Directory; however, here is where things get interesting.

When looking through ACLs, the ability to deny "Change Password" and "Reset Password" applies to "Descendant User objects" only. When adding this ACE to the AdminSDHolder and then letting it replicate out to the protected objects, Effective Access still shows that the service account has permissions to change and reset passwords, due to the new ACE only applying to Descendant objects and not the object itself. If I attempt to set it on the OU and let it propagate, as expected SDProp overwrites the ACLs and restores it. Additionally, if I switch to "This object and all descendant objects" the check box for change and reset password is not available.

I am wondering if there is any way to restrict the ability to change or reset a password for an account that is protected by AdminSDHolder short of moving the service account out of Domain Admins and attempting to enumerate every other ACL required by the account (which would be a very intensive task).

Thanks!
Jeffe
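When reasoning about what SDProp will stamp onto the protected accounts, it helps to see the AdminSDHolder DACL reduced to just the entries that can grant or deny the two password rights, together with each entry's inheritance settings (this object only, this object and descendants, or descendants only) and any object-class filter. The script below is an added example (not from the original post) that does that and then lists the accounts currently carrying adminCount=1, i.e. the ones whose DACL SDProp is overwriting. The two GUIDs are the schema controlAccessRight identifiers for User-Change-Password and User-Force-Change-Password; it requires the ActiveDirectory module.

```powershell
# Added example, not from the original post. Read-only inspection of AdminSDHolder.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$holder   = "AD:\CN=AdminSDHolder,CN=System,$domainDn"

# Extended rights that allow changing (with the old password) or resetting (without it) a password.
$rights = @{
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'User-Change-Password'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (Reset Password)'
}
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genAll   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

(Get-Acl -Path $holder).Access |
    Where-Object {
        $rights.ContainsKey($_.ObjectType.ToString()) -or                                            # the specific right
        ((($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and $_.ObjectType -eq [guid]::Empty) -or  # all extended rights
        (($_.ActiveDirectoryRights -band $genAll) -eq $genAll)                                        # Full Control
    } |
    Select-Object IdentityReference, AccessControlType,
        @{ n = 'Right'; e = {
            if ($rights.ContainsKey($_.ObjectType.ToString())) { $rights[$_.ObjectType.ToString()] }
            else { $_.ActiveDirectoryRights } } },
        InheritanceType,                                                    # None = this object only; All = object + descendants; Descendents = descendants only
        @{ n = 'InheritedObjectType'; e = { $_.InheritedObjectType.ToString() } } |   # bf967aba-0de6-11d0-a285-00aa003049e2 = user class filter
    Format-Table -AutoSize

# Accounts SDProp is currently protecting (their DACL is replaced from AdminSDHolder on each pass).
Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object SamAccountName, DistinguishedName
```

An entry with `InheritanceType = Descendents` and the user-class `InheritedObjectType` is exactly the "Descendant User objects" ACE the post describes, and it never evaluates against the protected object itself; an allow entry with `GenericAll` or a blanket `ExtendedRight` for the same trustee is what keeps showing up in Effective Access.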


Upgrade AD


Hi,

We have one domain which has 10 DCs with a mix of Windows 2008 R2, Windows 2012 and Windows 2016. The current domain functional level is Windows 2008 R2. All FSMO roles are on Windows 2008 R2 servers. Now we want to upgrade the domain functional level to Windows 2016. How can we do this? Currently the "Raise domain functional level" dialog shows no option to upgrade. All our DCs are working fine without any issues. Please guide me with a tutorial if possible. We have ADFS and ADFS proxy servers with Windows 2008 R2 OS.

Thanks.

One-Way Trust not working after renaming Domain Controller


Hello,

After setting up a brand new forest (dmz.example.com) a one-way trust was created with a trusted domain (example.com), and with brief testing it looked to work. But then I needed to rename the only domain controller, and now there is odd behavior from the trusted domain, where my test client can't access the trusting domain.

From a client, when attempting to access the network share \\dmz.example.com a pop-up comes up and requests a login, with the error "The system cannot contact a domain controller to service the authentication request. Please try again later". But I can ping the domain controller and the domain name.

This is a one-way trust where dmz.example.com is the trusting forest and example.com is the trusted forest. Clients on example.com get a pop-up when attempting to access \\dmz.example.com.

Any thoughts?

Thx


Robert


Change NTDS and sysvol path


Hi,

We have to move the SYSVOL and NTDS files to a new location on some domain controllers so that they all have the same path.

What's the best practice to achieve the target new path?

AD Lockout coming from Exchange HUBCAS


I have several account lockout issues in AD and I have traced the lockout, and it's coming from our Exchange HUBCAS server.

How I trace the lockout:

1. I used the Account Lockout Status tool to check which server is receiving the bad password.

2. On the DC I checked the Security logs and found a 4771 event ID. In the Network Information of the log, the Client Address is pointing to our Exchange HUBCAS server.

---------

Now from this, I tried to check the security log of this HUBCAS but I cannot find any related information pointing to that account. On the Exchange side, are there other logs I can check to validate this locked-out account?
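The two-step trace above (lockout tool, then reading 4771 events by hand on the DC) can be done in one pass. The following is an added example, not from the original post, that pulls the Kerberos pre-authentication failures (4771) and the lockout events (4740) for one account from a DC's Security log, decodes the relevant fields from the event XML, and groups the failures by source address so the client generating the bad passwords (the HUBCAS server in this case) is listed with a count. It needs remote event log access to the DC; `$Account` and `$Dc` are assumed placeholders.

```powershell
# Added example, not from the original post.
$Account = 'svc-example'         # placeholder: sAMAccountName being locked out
$Dc      = 'dc01.corp.example'   # placeholder: the DC the lockout tool pointed at (the PDC emulator sees them all)
$Since   = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771, 4740
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The named EventData fields are easiest to read from the XML form of the event.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4771 carries the client IP in IpAddress; 4740 carries the caller computer name in TargetDomainName.
    if ($e.Id -eq 4771) { $source = $d['IpAddress'] } else { $source = $d['TargetDomainName'] }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $d['TargetUserName']
        Source  = $source
        Status  = $d['Status']   # 0x18 on a 4771 = pre-authentication (password) check failed
    }
}

$rows | Where-Object { $_.Account -ieq $Account } |
    Group-Object Id, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Once the source is confirmed as the Exchange server, the same account name is what to search for on that host: a 4771 only tells you which machine sent the bad credential, not which process or mailbox profile on it holds the stale password.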
