Channel: Directory Services forum

Hybrid Joined Devices - Windows Hello for Business


Hey @all,

I've deployed 2 Windows Server 2016 VMs with Azure AD Connect and Hybrid Device Join. I've built a 2-tier PKI (based on two 2k16 VMs) and followed these steps:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs

When I try to enroll the user certificate for WHFB I get the error

Certificate enrollment for user failed to enroll for a WHFBAuthentication certificate with request ID N/A from N/A (Failed to enroll for an NGC cert because there is NO Enterprise SSO. 0x801c03f6 (DSREG: 1014 DSREG_E_NGC_CERT_NO_ENTSSO)).

Devices are correctly joined in AD and Azure AD (hybrid joined). The only thing we do not have is ADFS. I also ran the following command on the Sub CA:

certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY

As mentioned here, WHFB with PTA should also work:

For non-federated environments, key trust deployments work in environments that have deployed Password Synchronization with Azure AD Connect and Azure Active Directory Pass-through-Authentication

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs

Any suggestions or ideas? I would be really happy to get this running.


Kind regards

Sandro Reiter
Consultant Cloud Infrastructure


AD lookup not using domain in 1809


Most of my users upgraded to 1809 in the last week or two and now they are having issues with network resources. The symptom is that an Active Directory user (Scanner) can no longer access their shared folder (\\machinename\Scans), even though that user has full read/write permissions. When I sit at the client computer and bring up properties for the folder, Security correctly shows the users with the correct permissions. If I try to add a user to the list, however, under Locations I am only shown the local computer, not the AD. My guess is that when the Scanner user attempts to connect to write a file, the client machine looks for them in the local user store instead of the AD store and fails when it can't find them. Am I looking in the right direction, or am I totally off base?

I ran into the issue presenting in a different way as well today. When I'm logged into the computer and do a software install, registry edits fail. This is because you need Admin rights to write to the registry and the user credentials are domain credentials. I now have a dozen or so machines with the issue, all upgraded to 1809.

Can't authenticate to PC in another Domain


Hello all, I need some assistance with authentication.

I just recently established and validated a Trust to another Domain. For some reason my domain (ABC) users cannot authenticate to the XYZ domain. We get hit with "bad user name or password", BUT XYZ can authenticate to PCs at ABC!

Event viewer shows successful - event ID 4672 and 4624, so I'm at a loss! Can someone please assist on what could be happening?

FSMO Transfer Roles automatic


Hi All,

I have 3 domain controllers under ABC.COM. All five roles are on DC1; DC2 and DC3 are additional domain controllers.

My requirement and query is: when DC1 is down due to some failure, all FSMO roles need to move automatically to another DC, either DC2 or DC3. Is that possible? I have seen some articles from Microsoft saying that option is possible.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780487(v=ws.10)

  • becomeRidMaster
  • becomeSchemaMaster
  • becomeDomainMaster
  • becomePDC
  • becomeInfrastructureMaster
  • GiveAwayAllFsmoRoles

Please share the steps for how to do it, or a blog or link.
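The rootDSE attributes listed above are what a role transfer writes under the hood; the ActiveDirectory PowerShell module wraps them. Added example, not from the original post: list the current FSMO holders and move all five roles to a named DC, refusing a plain transfer when a holder is unreachable so that seizure stays an explicit operator decision. DC2 and ABC.COM are the post's names and are placeholders here.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$Target,   # e.g. 'DC2' (placeholder from the post)
        [switch]$Seize                           # only when the current holder is permanently lost
    )
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

    # A transfer contacts the current holder. If a holder does not answer, stop
    # unless the operator explicitly asked for a seizure (-Force on the cmdlet).
    $holders     = Get-FsmoHolders
    $unreachable = $holders.PSObject.Properties.Value | Sort-Object -Unique |
        Where-Object { -not (Test-Connection -ComputerName $_ -Count 1 -Quiet) }
    if ($unreachable -and -not $Seize) {
        throw "Current holder(s) unreachable: $($unreachable -join ', '). Re-run with -Seize only if they will never return."
    }

    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles `
        -Force:$Seize -Confirm:$false
    Get-FsmoHolders   # show the result so the change can be verified
}

Get-FsmoHolders
# Move-AllFsmoRoles -Target 'DC2'           # transfer while DC1 is still online
# Move-AllFsmoRoles -Target 'DC2' -Seize    # seizure: DC1 must then never return unrebuilt
```

A seized role's former holder must not be brought back onto the network without being cleaned up first, which is why the script keeps seizure behind an explicit switch rather than automating it.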


Change NTDS and sysvol path


Hi,

We have to move the SYSVOL and NTDS files to a new location on some domain controllers so that they all have the same path.

What's the best practice to achieve the target new path?

how to Migrate AD LDS (ADAM) from 2008 R2 to 2006


Hi,

I am trying to migrate AD LDS from a 2008 R2 server to a 2016 server. When I tried to install AD LDS on the 2016 server from the 2008 R2 server, I received the error below:

Active Directory Lightweight Directory Services could not enable the optional features that are enabled on the remote AD LDS instance.
Error code: 0x800720ee
The directory service encountered an internal failure.

Does somebody know what the issue could be? Are there any guidelines for a 2008 to 2016 migration of AD LDS?

Thanks, Venky



how to Migrate AD LDS (ADAM) from 2008 R2 to 2006


Hi,

While installing AD LDS from 2008 R2 to Windows 2016, I was getting the error below in the "Active Directory Lightweight Directory Services Setup Wizard":

The selected service account cannot authenticate with the replica source Servername:port using Kerberos mutual authentication. The service account for the new Active Directory Lightweight Directory Services replica should be a domain account trusted by the configuration set. Also, verify that the replica source has a properly registered service principal name (SPN).

The authentication failed with error 0x80090342: The encryption type requested is not supported by the KDC.

Thanks, Venky

domain controller certificate expiring but CA gone


I have a domain with two domain controllers whose certificates will expire soon, but the issuing certificate authority has been demoted and the member server will be retired soon.
Certificate Services has been removed and we don't plan on reinstalling it if we can avoid it.

What happens to the domain controllers and active directory when the certificates expire? Do we need to do something manually before that happens?

Thank you.



Changing IP address of 2 DCs


Hi,

I have a single domain in 2 sites with 2 DCs each: DC1 and DC2 in Site1 and DC3 and DC4 in Site2. The sites are in different subnets.

I am required to change the subnet in Site1 which means changing the IP addresses of DC1 and DC2.

- DC1 is a DHCP and DNS server

- DC2 is a DNS server

- DC1 uses DC2 as its primary DNS server, and itself as the secondary

- DC2 uses DC1 as its primary DNS server, and itself as the secondary

I'm wondering what the right order to do things is.

Does this seem right?:

1. Change IP + Gateway + DNS servers of DC1

2. Run "ipconfig /flushdns", "ipconfig /registerdns", and "dcdiag /fix"

3. Repeat Steps 1-2 for DC2

Is this all I need to do? I don't need to touch any of the static DNS records of the DCs, right? Will replication from DC3/DC4 in Site2 work properly?

I already know I have to create a new DHCP scope, I created a new reverse zone in the DNS, and I added the new subnet in Sites and Services.

Thanks
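Steps 1 to 3 above as one script, added here as an example and not part of the original post: re-address one DC, point its DNS client at the partner DC first and itself second (as the post describes), force re-registration of the records Netlogon owns, and then verify both the DNS records and replication with the other site. The adapter alias, addresses and DC names are constructed placeholders; run it from the DC's local console, since changing the IP drops any remote session.

```powershell
# Added example (not from the original post). Run locally on the DC being re-addressed.
$Adapter    = 'Ethernet'        # assumed adapter alias on this DC
$NewIP      = '10.20.0.11'      # constructed new address for DC1
$Prefix     = 24
$NewGateway = '10.20.0.1'       # constructed gateway in the new subnet
$PeerDnsIP  = '10.20.0.12'      # DC2's new address: primary DNS, as in the post
$PartnerDC  = 'DC3'             # a DC in the other site, used to confirm replication

# 1. Change IP + gateway + DNS servers.
#    Remove the old address and default route first so the new gateway can be set.
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $NewIP -PrefixLength $Prefix `
    -DefaultGateway $NewGateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses @($PeerDnsIP, $NewIP)

# 2. flushdns / registerdns / dcdiag /fix, plus a Netlogon re-registration of the
#    DC locator (SRV) records, which is what "dcdiag /fix" repairs as well.
Clear-DnsClientCache
Register-DnsClient
nltest /dsregdns | Out-Null
Restart-Service Netlogon
dcdiag /fix | Select-String -Pattern 'passed|failed'

# 3. Verify. The DC's own A record must now resolve to the new address on the
#    partner DNS server, and the other site must replicate without error.
$fqdn     = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
$resolved = (Resolve-DnsName -Name $fqdn -Type A -Server $PeerDnsIP -ErrorAction Stop).IPAddress
if ($resolved -ne $NewIP) {
    Write-Warning "Partner DNS still returns $resolved for $fqdn; wait for DNS replication or check the static A record."
}
dcdiag /test:DNS /DnsBasic | Select-String -Pattern 'passed|failed'
repadmin /replsummary
repadmin /showrepl $PartnerDC | Select-String -Pattern 'Last attempt|error'
```

Records that were registered dynamically by Netlogon (the DC's A record, the same-as-parent A records, and the SRV records under _msdcs) are rewritten by step 2; anything an admin created as a static record, such as a hand-made reverse PTR, has to be updated by hand, which is what the verification step surfaces.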


Is NETLOGON folder necessary for domain controller?


Hi,

I know that the NETLOGON folder is used for backward compatibility on the domain controllers. My question is: is that folder necessary for the proper functioning of the domain controller?

Thanks



Azure AD Connect Multiple Forest - Resource Domain - Account Domain


Good Afternoon. 

Hope you're well. I wanted to ask a quick question in regards to filtering in Azure AD Connect. We have an account domain, which contains Active Directory accounts, and a resource domain, which contains Exchange mailboxes (linked). When setting up AD Connect we were able to add the two domains and set the sync to identify users based on ObjectSID and MSExchangeMasterAccountSID.

Everything has appeared to work OK. However, currently, if a mailbox exists in the resource domain and the corresponding account has been moved to an OU that is not syncing, an account gets created in Azure for that object. Ideally we would want to say that if there is no link between accounts on the resource domain and the account domain, please ignore it.

Any assistance would be appreciated. 

The Following error occurred during the attempt to contact the Domain Controller. The target principal name is incorrect.

 The target principal name is incorrect.

Active Directory migrate from windows 2008 to 2016


Hello Team,

Please help me. We have a DHCP server and Active Directory, and we are facing an issue. We have configured the scope with the DNS IP of our domain controller. But when we connect a laptop to our network, it gets an IP from the DHCP server, and from the laptop we are able to resolve the domain controller, but when we perform a domain join we get a DNS resolution error. When we put the DNS IP in manually, we are able to join the domain. That is why the customer wants to migrate the DC from 2008 to 2016 and wants this problem resolved.

Can a USN rollback be fixed by using a FRS non-authoritative restore?


An associate was in the middle of retiring some old servers and soon migrating to new ones. At the moment, there is 1 domain, 2 sites (VPN), 1 DC at each site; replication between sites failed a couple of days ago due to a USN rollback.

- SiteAServer5 Server 2016 (physical) (FSMO roles, GC)
- SiteBServer4 Server 2012r2 (physical) (GC)
- AD functional level is still 2003 (FRS).

Server5 (problem child) was in the process of being virtualized (not Hyper-V), and instead of doing an instant cut-over, a live clone was made of that server to a VM... while the old physical server was left running for a week... then the VM was put into service, which of course was using an old USN and triggered a rollback on Server4. The Server5 VM was shut down and production went back to the physical box.

Server5 is in rollback, as indicated by this registry value:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Dsa Not Writable = 4

In retrospect it's crystal clear a USN rollback happened, and the documented solutions are pretty drawn out (restore system state, or demote and clean up, etc.); I'm not thrilled with those. No AD account adds/deletes were done during this process, so the AD on either server is usable, or either one could be abandoned.

My question is: could I run an FRS non-authoritative SYSVOL restore to force Server5 to come back to a functional state and let replication overwrite Server4's copy of AD? Clear the "Dsa Not Writable" value, run repadmin /syncall /AdeP.

http://kpytko.pl/active-directory-domain-services/non-authoritative-sysvol-restore-frs/

Gone over this: https://support.microsoft.com/en-us/help/875495/how-to-detect-and-recover-from-a-usn-rollback-in-windows-server-2003-w

I feel this is a potential alternative, since this is now the mechanism adopted by the MS design of Hyper-V since Server 2012 to prevent USN rollbacks in this exact scenario of VM cloning/snapshotting/restoring or P2V procedures:
https://blogs.technet.microsoft.com/reference_point/2012/12/10/usn-rollback-virtualized-dcs-and-improvements-on-windows-server-2012/

From that page: "5. The virtualized DC synchronizes the SYSVOL:

If using FRS, it stops the NTFRS service and sets the BURFLAGS registry value (D2).
It then starts the NTFRS service, thus performing a non-authoritative restore of the SYSVOL."
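Before deciding between the documented recovery paths, it helps to confirm the rollback state on both DCs rather than on Server5 alone. Added example, not from the original post: a read-only check that reads the "Dsa Not Writable" value the post quotes, looks for the Directory Service events that KB 875495 associates with a USN rollback (2095, rollback detected by a partner; 2103, unsupported restore), and reports each DC's invocation ID so the two sides can be compared. SiteAServer5 and SiteBServer4 are the post's names and are placeholders; reading the remote registry assumes the Remote Registry service is reachable.

```powershell
# Added example (not from the original post). Read-only; changes nothing on the DCs.
Import-Module ActiveDirectory

function Test-UsnRollback {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 14)

    # Registry indicator: NTDS sets "Dsa Not Writable" to 4 when it detects a rollback.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $ntds = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    if (-not $ntds) { throw "NTDS parameters key not found on $ComputerName (is it a DC?)" }
    $flag = [int]$ntds.GetValue('Dsa Not Writable', 0)

    # Event indicator: 2095 = partner saw already-acknowledged USNs, 2103 = unsupported restore.
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095, 2103
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)

    # Invocation ID: after a rollback the partner still tracks the old ID at a higher USN.
    $dc = Get-ADDomainController -Identity $ComputerName

    [pscustomobject]@{
        Computer       = $ComputerName
        DsaNotWritable = $flag
        InRollback     = ($flag -eq 4)
        RollbackEvents = $events.Count
        LastEvent      = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        InvocationId   = $dc.InvocationId
        NTDSSettings   = $dc.NTDSSettingsObjectDN
    }
}

# Check both DCs from the post (placeholder names), then show the up-to-dateness
# vector so the USN each side has seen for the other can be compared by hand.
$dcs = 'SiteAServer5', 'SiteBServer4'
$dcs | ForEach-Object { Test-UsnRollback -ComputerName $_ } | Format-Table -AutoSize
foreach ($dc in $dcs) {
    "--- UTD vector on $dc ---"
    repadmin /showutdvec $dc 'DC=example,DC=com'   # domain DN is a placeholder
}
```

If Server4 shows 2095 events and Server5 shows the registry flag, both sides agree on the rollback; the output is meant to be read alongside the KB article, which is where the supported recovery options come from.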