Trust relationships between domain controller and servers/workstations failing, group policy failing, can't contact domain controller.
User can edit object on RODC server
I newly installed an RODC, then assigned it to UserA.
This RODC does not have DNS or the GC enabled.
When I access the RODC as UserA, in ADUC I can change the DC to the RWDC; then UserA can modify "member of".
If ADUC connects to the RODC, any user is read-only.
I need to allow UserA access to the RODC only.
How can I disable changing the DC in ADUC for UserA, or disable the permission to modify "member of"?
All computers get: ddt.edu 2 (Unauthenticated) after authoritative restore of AD on Server.
Problem:
When you click on the network status icon in the notification area on the taskbar it says: "ddt.edu 2 (Unauthenticated)" and therefore, group policies are not applied to workstations.
I have two Windows 2016 Standard Servers (Version 1607) and 50 Windows 10 Education (Version 1709) workstations. All workstations and servers are x64. It was all working fine except that SYSVOL was not replicating. We tried to fix the replication issue by doing an authoritative restore. Afterwards all workstations have authentication issues. I have not found anything of help on the Internet. Most of the similar authentication problems I've found are just for some workstations on the network, not all of them. I have been banging my head against this one for a week. Help!
Workstations can still access shares on server with no problem.
We are in a secure environment with no internet access.
I can ping successfully using either name or IP so DNS and DHCP seem to work fine.
Connectivity under "View your network properties" says "Connected to unknown network" on workstations.
Tried removing workstation from domain then joining it back to domain. Did not get any error messages but after rebooting problem still persists.
Also tried creating a new user, connecting a new computer whose name had never been used before, joining it to the domain and logging in to the network with the new user name. Didn't help.
The primary domain controller/global catalog is called SERVER01
I demoted the second domain controller called SERVER02. Didn't help.
Group policies are not applied. Gpupdate /force returns:
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
User Policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
When I run repadmin /showreps I get:
LDAP error 81 (Server Down) Win32 Err 58
Ran nltest /sc_query:server01.ddt.edu
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
Ran Netdom reset EllisZ01 /Domain:ddt.edu /Server:Server01
Succeeds but doesn't help.
Ran netdom resetpwd /server:server01.ddt.edu /UserD:MyUserName /PasswordD:*
Password resets successfully but doesn’t help.
Ran dcdiag /s:server01 and all tests passed except SystemLog which returned multiple Eventid: 0X0000272C errors and one Eventid: 0x800000003 error:
An error event occurred. EventID: 0x0000272C
Time Generated: 02/13/2019 07:29:13
Event String:
DCOM was unable to communicate with the computer SERVER02.ddt.edu using any of the configured protocols; requested by PID 2ab0 (C:\Windows\system32\ServerManager.exe).
An error event occurred. EventID: 0x80000003
Time Generated: 02/13/2019 07:29:40
Event String: A Kerberos error message was received:
An error event occurred. EventID: 0x0000272C
Time Generated: 02/13/2019 07:39:13
Event String:
DCOM was unable to communicate with the computer SERVER02.ddt.edu using any of the configured protocols; requested by PID 2ab0 (C:\Windows\system32\ServerManager.exe).
Group Policy fails with the following message in the event log of the workstation.
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 2/7/2019 8:55:35 AM
Event ID: 1006
Task Category: None
Level: Error
Keywords:
User: DDT\EllisR
Computer: EllisZ01.ddt.edu
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1006</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-07T14:55:35.994342700Z" />
<EventRecordID>54940</EventRecordID>
<Correlation ActivityID="{E8639B9C-06D8-49E8-8A85-39C7D6993B6A}" />
<Execution ProcessID="6212" ThreadID="9680" />
<Channel>System</Channel>
<Computer>EllisZ01.ddt.edu</Computer>
<Security UserID="S-1-5-21-2772296466-3582803739-2678735995-1107" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">6154</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">890</Data>
<Data Name="ErrorCode">49</Data>
<Data Name="ErrorDescription">Invalid Credentials</Data>
<Data Name="DCName">
</Data>
</EventData>
</Event>
The following audit failure is in server event log. There are multiple entries with different client port numbers.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/7/2019 1:35:55 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Server01.ddt.edu
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DDT\ELLISZ01$
Account Name: ELLISZ01$
Service Information:
Service Name: krbtgt/ddt.edu
Network Information:
Client Address: ::ffff:111.111.111.12
Client Port: 49878
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-02-07T19:35:55.282935600Z" />
<EventRecordID>23631687</EventRecordID>
<Correlation />
<Execution ProcessID="720" ThreadID="2184" />
<Channel>Security</Channel>
<Computer>Server01.ddt.edu</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ELLISZ01$</Data>
<Data Name="TargetSid">S-1-5-21-2772296466-3582803739-2678735995-6605</Data>
<Data Name="ServiceName">krbtgt/ddt.edu</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x18</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:111.111.111.12</Data>
<Data Name="IpPort">49878</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>
The following is in the event log of the Domain controller Server01. There are many entries with different Account Names.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/7/2019 1:21:04 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Server01.ddt.edu
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: LARUEZ02$
Account Domain: DDT.EDU
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xC000015B
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name:-
Source Network Address: 111.111.111.22
Source Port: 59243
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
.
.
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-02-07T19:21:04.284065900Z" />
<EventRecordID>23628647</EventRecordID>
<Correlation />
<Execution ProcessID="720" ThreadID="10656" />
<Channel>Security</Channel>
<Computer>Server01.ddt.edu</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">LARUEZ02$</Data>
<Data Name="TargetDomainName">DDT.EDU</Data>
<Data Name="Status">0xc000015b</Data>
<Data Name="FailureReason">%%2308</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">111.111.111.22</Data>
<Data Name="IpPort">59243</Data>
</EventData>
</Event>
Also in server event log
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/7/2019 1:38:55 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Server01.ddt.edu
Description:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: ELLISZ01$
Source Workstation: ELLISZ01
Error Code:0xC000006A
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-02-07T19:38:55.434802400Z" />
<EventRecordID>23632339</EventRecordID>
<Correlation />
<Execution ProcessID="720" ThreadID="10656" />
<Channel>Security</Channel>
<Computer>Server01.ddt.edu</Computer>
<Security />
</System>
<EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">ELLISZ01$</Data>
<Data Name="Workstation">ELLISZ01</Data>
<Data Name="Status">0xc000006a</Data>
</EventData>
</Event>
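The 4771, 4625 and 4776 entries quoted above each carry the status code in the EventData XML rather than in the message text, so they can be aggregated instead of read one by one. The script below is an added example, not something from the original post: it summarises every 4771 pre-authentication failure on the DC in the last N hours by account and failure code, flags machine accounts (the `$`-suffixed names such as ELLISZ01$), and labels the codes it knows from RFC 4120. Run it on the domain controller (Server01 in the post) with an account that can read the Security log; the `$Hours` window and the output file name are assumptions.

```powershell
# Added example: per-account summary of Kerberos pre-authentication failures (event 4771).
param([int]$Hours = 24)   # assumed default window

# Failure codes as defined in RFC 4120 and reported in the 4771 "Status" field
$krbErrors = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (account not found)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled or locked)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password or key)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

$filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of parsing the message text
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $account = [string]$d['TargetUserName']
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $account
        IsMachine = $account.EndsWith('$')          # computer accounts end in $
        Status    = [string]$d['Status']
        Client    = ([string]$d['IpAddress']) -replace '^::ffff:', ''   # strip IPv4-mapped prefix
    }
}

# One line per (account, failure code) with count, distinct client addresses and last occurrence
$summary = $rows | Group-Object Account, Status | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Account   = $first.Account
        IsMachine = $first.IsMachine
        Status    = $first.Status
        Meaning   = if ($krbErrors.ContainsKey($first.Status)) { $krbErrors[$first.Status] } else { 'see RFC 4120' }
        Count     = $_.Count
        Clients   = ($_.Group.Client | Sort-Object -Unique) -join ';'
        LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path .\krb-preauth-failures.csv -NoTypeInformation   # assumed output path
```

If the summary shows essentially every machine account failing with 0x18, the DC is rejecting the key each workstation presents, which is consistent with the 0xC000006A (wrong password) in the 4776 entry above; a DC restored to an earlier state can hold older machine-account secrets than the workstations do. If instead the failures are spread across a few accounts or codes, the table points at which accounts or clocks to look at first.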
Move a Computer to an Active Directory with different credentials
Hi,
I want to move computer/device from one OU to another OU using VB Code.
The below code is working great under login of service account into target PC.
But is there any way to execute the code below with different credentials? I did google and tried, but was not able to make it work.
If you guys have worked on this scenario, please share some thoughts.
' *****************************************************************************
strLDAPofOU = "OU=Desktops,OU=Computers,DC=domain,DC=locale"
' *****************************************************************************
On Error Resume Next    ' suppresses all runtime errors, including a failed MoveHere

' Get MachineObjectOU value
Set wshNetwork = CreateObject("WScript.Network")
Set oFso = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set ArgObj = WScript.Arguments

' Target OU (the constant above is used; ArgObj is not read)
strMachineObjectOU = strLDAPofOU

' Distinguished name of this computer's AD object, e.g. CN=PC01,OU=Laptops,DC=domain,DC=locale
strComputerDN = objSysInfo.ComputerName
'msgbox(strMachineObjectOU)

' Split the DN at the first comma into the RDN (CN=PC01) and the parent container
nComma = InStr(strComputerDN, ",")
strCurrentOU = Mid(strComputerDN, nComma + 1)
strComputerName = Left(strComputerDN, nComma - 1)
'msgbox(strCurrentOU)

' If the current OU is different from the target OU, move the object
If UCase(strCurrentOU) <> UCase(strMachineObjectOU) Then
    Set objNewOU = GetObject("LDAP://" & strMachineObjectOU)
    ' MoveHere(source ADsPath, new RDN) runs as the caller's security context
    Set objMoveComputer = objNewOU.MoveHere("LDAP://" & strComputerDN, strComputerName)
    'msgbox("LDAP://" & strComputerDN & strComputerName)
End If

'//----------------------------------------------------------------------------
'// End Script
'//----------------------------------------------------------------------------
Regards
Er Reddy
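The VBScript above binds with whatever account runs it, so the move succeeds only when that account already has rights on both OUs. The script below is an added example, not the poster's code, that does the same "move only if the parent OU differs" check with the ActiveDirectory module, where `Get-ADComputer` and `Move-ADObject` accept an explicit `-Credential`. It assumes the RSAT ActiveDirectory module is installed, that the supplied account has "Delete" on the source computer object and "Create Computer objects" on the target OU, and it reuses the target OU DN from the original script; `$Server` is an optional assumption for pinning the operation to one DC.

```powershell
# Added example: move this computer's AD object under explicit credentials.
param(
    [string]$TargetOU = "OU=Desktops,OU=Computers,DC=domain,DC=locale",   # DN from the original post
    [string]$Server   = $null                                              # optional DC to target (assumed parameter)
)
Import-Module ActiveDirectory -ErrorAction Stop

# Prompt for the delegated account; never embed a password in a script or task definition
$cred = Get-Credential -Message "Account delegated to move computer objects"

# Common parameters for every AD call so both lookups and the move use the same context
$adParams = @{ Credential = $cred }
if ($Server) { $adParams.Server = $Server }

# The computer's own object; DistinguishedName is CN=<name>,<parent container>
$computer  = Get-ADComputer -Identity $env:COMPUTERNAME @adParams -ErrorAction Stop

# Parent container = everything after the first comma (same split as the VBScript;
# a CN containing an escaped comma would need a proper DN parser)
$currentOU = ($computer.DistinguishedName -split ',', 2)[1]

if ($currentOU -ieq $TargetOU) {
    Write-Output "$($computer.Name) is already in $TargetOU; nothing to do."
} else {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU @adParams -ErrorAction Stop
    Write-Output "Moved $($computer.Name) from $currentOU to $TargetOU"
}
```

Keeping `-ErrorAction Stop` instead of the VBScript's `On Error Resume Next` means a failed move (wrong credentials, missing delegation, unreachable DC) is reported rather than silently swallowed, which matters when the script runs unattended from a deployment task.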
Change\SWAP RODC IP address
Hi All,
This is regarding RODC migration from Windows 2018 to Windows 2012.
Environment: Single forest, single domain environment with 2 RWDCs and 4 RODCs. All DCs are running Windows 2008 R2.
We are in the process of migrating our domain controllers to Windows 2012. As part of this activity we introduced a new Windows 2012 RWDC as an additional domain controller, and everything is working as expected without any issue.
Now we have planned to replace the Windows 2008 RODCs with Windows 2012 RODCs. Some of the applications depend on the RODC's IP address at the RODC's site, so I have planned to swap the existing Windows 2008 RODCs' IP addresses with the new Windows 2012 RODCs.
Question: Will swapping IP addresses between the old and new RODC cause any issues? I have not found any article on the internet about swapping/changing the IP address of an RODC. Please provide your valuable ideas/suggestions to swap/change the RODC IP address without any interruption.
(RWDC IP change articles are available on the internet, but not for RODC.)
Thanks in advance.
How to correct FSMOroleowner attribute (DSQuery shows incorrect, ADSI shows correct)
Noticed there was a big DNS issue with a DC (all servers running 2008).
Did a bit of research and did a dsquery for FSMOroleowner, and it indicates an old DC long gone.
Thought I could just change it in ADSIEDIT but in both ForestDnsZones and DomainDnsZones in good and problematic DCs the value is correct.
Trying to run the fixfsmo script, but it's not accepting my argument:
cscript fixfsmo.vbs DC=DomainDnsZones,DC=mydomain,DC=com
returning
usage: cscript fixfsmo.vbs NdncDN
Please advise, thanks.
Windows Server 2016 Standard 1607 - ICACLs show different than Folder permissions in GUI
Rob
_msdcs delegation folder security tab error
Hello,
I keep seeing that the security tab for the _msdcs delegation folder will not show security items. Instead it shows a red 'X' with the message "The requested security information is either unavailable or can't be displayed".
This is a brand new domain controller in a new forest, and the only thing that has been done is to set up secondary zones on servers in another forest and make an outgoing trust from this forest to the other.
Anyone else see this, is this normal?
Thanks
Robert
Can't authenticate to PC in another Domain
Hello all, I need some assistance with authentication.
I just recently established and validated a trust to another domain. For some reason my domain (ABC) users cannot authenticate to the XYZ domain. We get hit with "bad user name or password", BUT XYZ can authenticate to PCs at ABC!
Event viewer shows successful - event ID 4672 and 4624, so I'm at a loss! Can someone please assist on what could be happening?
Disabled Computers Locking Out the Domain Administrator Account
I have a very strange thing occurring. It appears that if we disable a computer account in Active Directory, and the computer is still on the network, it will lock out the Domain Administrator account. I have been troubleshooting this for several months and have determined that it is the disabled computers that are causing the lockout. I have renamed the Domain Administrator account, and now the disabled computers are locking out the renamed account. By simply re-enabling the computer account the lockouts stop.
There are no services using the account, no scheduled tasks, no network mapped drives, and no remote RDP sessions. If it were any of these areas that had been using the Administrator account, renaming the account should have stopped it from locking out the renamed account. It seems that the disabled computers are somehow tied to the Domain Administrator SSID. We have scanned for viruses and malware with several different products and are not finding anything.
I have been working with Microsoft for almost 3 weeks, and they of course have no idea, and the case is still open. I am posting this in the Community because I normally have better luck in getting things resolved here rather than Microsoft. Has anyone ever seen this?
David
David Moore
Export list of everyone that can create a user in my Active Directory
Hi
I help administer an AD that contains circa 65000 user accounts, 20000 server objects, 25000 security groups and 40 level 1 OUs (all with many OUs under them). I want to know who has delegated rights to create user objects anywhere in my domain. I've tried exporting dsacls, but the results are just colossal as I don't know how to only return the "create child user" permission. Is there a flag (or flags) to append to dsacls that will ignore all the other permissions and not return them in the export? Or am I going about it wrong, and is there a better tool?
Just to reiterate, at the moment I am only trying to view these permissions, not make any changes (yet).
MANY!!!! thanks to anyone that can help.
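One way to answer this without filtering dsacls output is to read each container's ACL through the `AD:` PSDrive and keep only the ACEs that grant CreateChild (or GenericAll, which implies it) for the user class. The script below is an added example, not something from the original post. It assumes the RSAT ActiveDirectory module, an account that can read security descriptors on every OU, and the well-known schemaIDGUID of the `user` class, bf967aba-0de6-11d0-a285-00aa003049e2; an ACE whose ObjectType is the empty GUID grants the right for every child class and is reported too. The output path is an assumption.

```powershell
# Added example: enumerate every trustee able to create user objects anywhere in the domain.
Import-Module ActiveDirectory -ErrorAction Stop

$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$anyClass      = [guid]'00000000-0000-0000-0000-000000000000'   # ACE not scoped to one class
$domainDN      = (Get-ADDomain).DistinguishedName

# Containers that can hold user objects: the domain head, OUs and plain containers
$containers = Get-ADObject -SearchBase $domainDN -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domainDNS))'

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$results = foreach ($c in $containers) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)" -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # e.g. a DN containing "/" needs escaping for the AD: provider
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # Keep ACEs that include CreateChild, or GenericAll (full control) which contains it
        $grantsCreate = (($rights -band $createChild) -ne 0) -or (($rights -band $genericAll) -eq $genericAll)
        if (-not $grantsCreate) { continue }
        # ObjectType restricts CreateChild to one class; the empty GUID means any class
        if ($ace.ObjectType -ne $userClassGuid -and $ace.ObjectType -ne $anyClass) { continue }
        [pscustomobject]@{
            Container  = $c.DistinguishedName
            Trustee    = $ace.IdentityReference.Value
            Rights     = $rights
            Scope      = if ($ace.ObjectType -eq $anyClass) { 'any child class' } else { 'user objects' }
            Inherited  = $ace.IsInherited     # $false = the delegation was set on this container
        }
    }
}

$results | Sort-Object Trustee, Container |
    Export-Csv -Path .\create-user-rights.csv -NoTypeInformation   # assumed output path
```

Because inherited ACEs are repeated on every child container, filtering the CSV to `Inherited -eq $false` shows the places where the delegation was actually applied, which is usually the shorter and more useful list; the trustee column is a group name in most cases, so the last step is expanding those groups to people with `Get-ADGroupMember -Recursive`.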
Disabled user script
I found this script in an older forum. I was not able to reply so I thought I would repost. It works well; I needed it to export to a CSV.
param(
    [parameter(Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
    [string]$SearchBase,
    [parameter(Position=1, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
    [int]$Days
)
Import-Module ActiveDirectory

# Default to the domain root and a window of at least one day back
if ($SearchBase -eq "") { $SearchBase = (Get-ADRootDSE).defaultNamingContext }
if ($Days -lt 1) { $Days = 1 }
$Days *= -1

# All disabled user accounts under the search base (userAccountControl bit 2 = ACCOUNTDISABLE)
$users = Get-ADObject -Filter { objectCategory -eq "Person" -and (userAccountControl -bor 2) } `
    -SearchBase $SearchBase -Properties sAMAccountName
$searchFrom = (Get-Date "0:00").AddDays($Days)

foreach ($userEntry in $users) {
    $user = Get-ADObject -Identity $userEntry.DistinguishedName `
        -Properties sAMAccountName, userAccountControl, mail, "msDS-ReplAttributeMetaData"

    # Replication metadata comes back as XML fragments with embedded NUL characters;
    # wrap them in a root element and strip the NULs before parsing
    $repData = [xml](("<root>" + ($user."msDS-ReplAttributeMetaData" -join "") + "</root>").Replace([char]0, " "))

    foreach ($attribute in $repData.root.DS_REPL_ATTR_META_DATA) {
        if ($attribute.pszAttributeName -eq "userAccountControl") {
            # Last originating change of userAccountControl = when the account was (most recently) disabled
            $changedDate = Get-Date $attribute.ftimeLastOriginatingChange
            if ($changedDate -gt $searchFrom) {
                # Emit a fresh object per account so results survive Export-Csv or collection into an array
                [pscustomobject]@{
                    mail               = $user.mail
                    sAMAccountName     = $user.sAMAccountName
                    userAccountControl = $user.userAccountControl
                    changed            = $changedDate
                }
            }
        }
    }
}
how to Migrate AD LDS (ADAM) from 2008 R2 to 2006
Hi,
While installing AD LDS from 2008 R2 to Windows 2016 I was getting the error below in the "Active Directory Lightweight Directory Services Setup Wizard":
The selected service account cannot authenticate with the replica source Servername:port using Kerberos mutual authentication. The service account for the new Active Directory Lightweight Directory Services replica should be a domain account trusted by the configuration set. Also, verify that the replica source has a properly registered service principal name (SPN).
The authentication failed with error 0x80090342: The encryption type requested is not supported by the KDC.
Thanks,Venky
Offline Folders cache appears to be corrupting
I have AD with redirected folders enabled. I also have offline sync enabled too. For one particular user who works at 3 separate computers, her Firefox doesn't offline sync properly on each of the clients. Anyone have any idea why? Resetting the offline cache fixes the issue, but this is not a solution.
Thanks,
Trevor
forgot outlook pst file password
windows storage server 2012 standard 2cpu
If our DC is down, users are not able to access file folders, network printers or other network resources
Hello Team,
We have a DC server and an ADC server; the domain and forest functional level is 2000 Native. The DC and ADC sync successfully. If our DC (which holds all FSMO roles) goes down, users are not able to access file folders and network resources. When our DC is online again, users are able to access the file folders and network resources.
Forest / Domain split into 2 separate entities
A part of our current company is split off and will start operating on its own. It has been agreed upon to split the current forest into 2 separate entities that will continue operating independently.
There will be no network connectivity between the 2 companies anymore.
I know this is not supported by MS, but it has been decided nonetheless for various reasons.
Does anyone have experience with this scenario? What would be the high-level steps to accomplish this? Any critical steps we definitely should not overlook?
Recovering Domain Controller
Which is the correct procedure for re-establishing an environment with multiple domain controllers in the same domain where, for example, after applying an operating system hotfix to a domain controller, it presented a problem?
I have a snapshot or full server backup.
This being my main one, holding the master (FSMO) roles, for example.
If it is a server that does not hold master roles, I could follow the recommendation to clean up the domain metadata and promote a new one.
But I kept thinking, because we often patch many domain controller servers: if any problem arises, how could we use the snapshot or the full VM backup?
Thank you.
Deleted AD User by mistake
Hi, I just landed myself into major difficulties...
Basically I upgraded a network from SBS 2011 to Windows Server 2019, including Microsoft Exchange Server 2019. After hours of battling, I eventually got everything installed and migrated OK. I noticed some email accounts were showing in Exchange that I did not require, but when I removed some mailboxes this also removed the users from AD.
Is there any method of recovering these users in AD?
Methods tried already:
- I have tried connecting to a deleted mailbox via EAC, although there are no deleted mailboxes showing
- I have tried enabling the Recycle Bin
Any suggestions please??
Adrian Kelly