Channel: Directory Services forum
LDAP over SSL ... enabling support.


Hello,

I have to enable support for LDAP over SSL and it requires a cert.

I can't buy a 3rd-party one since the domain is .local ...

I was planning to use the following guide; any concerns about it? How do I minimize the risk of misuse of the cert?

Or does anyone have a better way of doing it?

https://gist.github.com/magnetikonline/0ccdabfec58eb1929c997d22e7341e45#create-root-certificate

Thx!
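Added example, not code from the post or from the linked gist: a certreq request file that generates the LDAPS key on the DC itself as non-exportable, in the machine store, and limits the certificate to server authentication for the DC's own names, so a copied certificate cannot be reused for another host or as a client credential. The private CA from the gist then signs the CSR. The DC name dc01.corp.local and domain corp.local are placeholders.

```powershell
# Added example (not the post's or the gist's code). Run on the DC as admin.
# Assumptions: DC is dc01.corp.local in corp.local (placeholders).
$dcFqdn  = 'dc01.corp.local'
$domain  = 'corp.local'
$infPath = Join-Path $env:TEMP "ldaps-$dcFqdn.inf"
$csrPath = Join-Path $env:TEMP "ldaps-$dcFqdn.req"

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$dcFqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$dcFqdn&"
_continue_ = "dns=$domain&"
"@
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Generates the key pair in LocalMachine\My (as a pending request) and writes the CSR.
certreq -new $infPath $csrPath

# Next, outside this script: sign $csrPath with the private CA (openssl ca in the
# gist), copy the issued .cer back to the DC and bind it to the pending key with
#   certreq -accept <issued.cer>
# Schannel on a DC picks up a LocalMachine\My certificate whose SAN matches the
# DC FQDN and whose EKU includes Server Authentication; no further binding step.

# Run after certreq -accept: confirms the key really is non-exportable.
function Test-LdapsKeyNotExportable {
    param([string]$Subject = "CN=$dcFqdn")
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No cert with a private key for $Subject in LocalMachine\My" }
    # CspKeyContainerInfo is available because the request used a CSP provider.
    $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Exportable = $exportable
        Ok         = (-not $exportable)
    }
}
```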


Move ISTG to another DC


Hi,

We have to demote the current ISTG and replace it with a new domain controller.

What's the best practice to perform this migration without any issue in the replication topology?

Additional Domain Controller is not authenticating when Primary Domain Controller goes down


Hi,

I have a Primary Domain Controller and a Secondary Domain Controller. The problem is that when the Primary Domain Controller goes down, the Secondary Domain Controller does not authenticate the users.

I have an Exchange Server in the environment, but everything goes down with the Primary Domain Controller.

Any thoughts?

Thanks,

DFS and roaming profiles and home folders


Guys,

When in a DFS environment, how should I create roaming profiles and home folders? Does anyone have a decent tutorial for that?

I don't think it would be wise to let the profiles be synced. The home folders could be synced by DFS, I guess.

Thanks in advance.

Delegation for user

3) Take the security group "TestGroup" and add it to the created OU "TestOU". The only security rights I want "TestGroup" to have are the following:

Create User Objects

Delete User Objects

Apply to: This object and all descendant objects.

I appreciate any help regarding step 3 :) 

Thank you.

Demote a PDC to CDC without breaking trust relationship between clients and DC

I have a network in which there is 1 PDC and 2 clients in a virtual environment. I want this PDC to become a CDC of another DC in a different forest without breaking any trust relationship between the clients and the PDC. Is it possible to do it by demoting the DC, by role transfer, or by any other method? The aim is that I do not want my clients to be removed from the domain and then joined again. Clients should interact with the DC as they were interacting earlier.

Kerberos Error after remote Cluster-Aware Updating


I installed a Windows 2012 R2 Failover Cluster in order to virtualize servers with Hyper-V. Both physical servers of the cluster are named SRV-SAN01 and SRV-SAN02 and were installed using Win2012 R2 Datacenter. The name of the cluster is SRV-HV01.

My environment is very simple: a unique domain and a unique site with 2 Domain Controllers (one on Win2013 and the second one on Win2008R2).

I first added a new Win2012 R2 Standard Domain Controller on a physical server named SRV-DC01 and transferred the following Operation Masters to it: PDC, RID, Schema Master and Domain Naming. It is also a Global Catalog.

I installed another Win2012 R2 Standard Domain Controller as a virtual server in the cluster, whose name is SRV-DC02. It has the Infrastructure Operation Master and is also a Global Catalog.

Three more member servers using Win2012 R2 were installed on the cluster.

Everything worked fine until I ran my first remote Cluster-Aware Updating. I installed the Failover Cluster Manager on SRV-DC01 and executed a remote CAU successfully.

At the end of the process, the Server Manager on the first physical server SRV-SAN01 had a Manageability problem. The Event Viewer showed the following error for 12 hours:

Error 4 from source Microsoft-Windows-Security-Kerberos : “The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-san01$. The target name used was HTTP/SRV-HV01.mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

On the second physical server SRV-SAN02 the Manageability problem is still going on 27 hours after CAU, with exactly the same error 4 from source Microsoft-Windows-Security-Kerberos.

On the Failover Cluster Manager, I also have an Error 1023 from source Microsoft-Windows-ClusterAwareUpdating-Management:

“Failed to get CAU report. Details:Microsoft.ClusterAwareUpdating.ClusterUpdateException: There was a failure in a Common Information Model (CIM) operation, that is, an operation performed by software that Cluster-Aware Updating depends on. The computer was "SRV-HV01", and the operation was "Contacting the Cluster-Aware Updating software on the cluster node.". The failure was: (CimException) WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 

 Possible causes are:

 -The user name or password specified are invalid.

 -Kerberos is used when no authentication method and no user name are specified.

 -Kerberos accepts domain user names, but not local user names.

 -The Service Principal Name (SPN) for the remote computer name and port does not exist.

 -The client and remote computers are in different domains and there is no trust between the two domains.

 After checking for the above issues, try the following:

 -Check the Event Viewer for events related to authentication.

 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

  -For more information about WinRM configuration, run the following command: winrm help config. HRESULT 0x8033809d ---> Microsoft.Management.Infrastructure.CimException: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 

 Possible causes are:

 -The user name or password specified are invalid.

 -Kerberos is used when no authentication method and no user name are specified.

 -Kerberos accepts domain user names, but not local user names.

 -The Service Principal Name (SPN) for the remote computer name and port does not exist.

 -The client and remote computers are in different domains and there is no trust between the two domains.

 After checking for the above issues, try the following:

 -Check the Event Viewer for events related to authentication.

 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

  -For more information about WinRM configuration, run the following command: winrm help config.”

I have not found anything about that on the Internet.

Could you please help me with these errors?

Thanks in advance.
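Added example, not code from the post: a PowerShell check that lists every account registering the SPN named in the event (full and short form) and flags the two conditions the KRB_AP_ERR_MODIFIED text describes, a duplicate registration or a registration on an account other than the host that answered. The SPN and the answering account are the values from the post; the search base is the caller's own domain and nothing is modified.

```powershell
# Added example (not the post's code). Uses ADSI only, so it runs on any
# domain-joined machine without RSAT. Values below are from the event in the post.
function Find-SpnHolder {
    param(
        [Parameter(Mandatory)][string]$Spn,   # e.g. HTTP/SRV-HV01.mydomain.com
        [string]$AnsweringAccount             # e.g. srv-san01$ (the server named in the event)
    )
    $service, $hostName = $Spn -split '/', 2
    $shortHost = ($hostName -split '\.')[0]

    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $searcher.PageSize = 1000
    # The KDC issues tickets for the short and the fully qualified form alike,
    # so both spellings count as the same SPN when looking for duplicates.
    $searcher.Filter = "(|(servicePrincipalName=$Spn)(servicePrincipalName=$service/$shortHost))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))

    $pattern = '^' + [regex]::Escape("$service/$shortHost") + '(\.|$)'
    $holders = @(foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$r.Properties['samaccountname'][0]
            Spns    = @(@($r.Properties['serviceprincipalname']) -match $pattern)
        }
    })

    [pscustomobject]@{
        Spn            = $Spn
        Holders        = @($holders | ForEach-Object { "$($_.Account): $($_.Spns -join ', ')" })
        # More than one holder: the ticket may be keyed to the other account,
        # and the host that receives it cannot decrypt it (the event in the post).
        Duplicate      = ($holders.Count -gt 1)
        # No holder at all: clients cannot obtain a ticket for this name.
        Missing        = ($holders.Count -eq 0)
        # Exactly one holder, but not the host that answered: same decryption
        # failure, caused by registration on the wrong account.
        OnWrongAccount = [bool]($AnsweringAccount -and $holders.Count -eq 1 -and
                                $holders[0].Account -ne $AnsweringAccount)
    }
}

# Usage with the values from the event in the post:
Find-SpnHolder -Spn 'HTTP/SRV-HV01.mydomain.com' -AnsweringAccount 'srv-san01$' | Format-List
```

If the single holder is an account other than the node that answered (for example a cluster name object), the event is explained: a ticket keyed to one account's password cannot be decrypted by a service running under another.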


Upgrade AD


Hi,

We have one domain which has 10 DCs with a mix of Windows 2008 R2, Windows 2012 and Windows 2016. The current domain functional level is Windows 2008 R2. All FSMO roles are on Windows 2008 R2 servers. Now we want to upgrade the domain functional level to Windows 2016. How can we do it? Currently "Raise domain functional level" shows no option to upgrade. All our DCs are working fine without any issues. Please guide me with a tutorial if possible. We have ADFS and ADFS proxy servers with the Windows 2008 R2 OS.

Thanks.


AD domain consolidation\Restructuring.


Hi Team,

We are in the process of AD domain consolidation/restructuring. I want to know, from first to last, what the things are that I need to consider; any response would be of great help.

Thanks in advance.

Regards.


Rename a Domain Joined Computer


I've created an OU hierarchy and delegated access to a group with full control over all objects and descendant objects. Why can't a member of the group with delegated access rename a domain-joined computer in the OU? I've verified the group is local admin on the server and even created a second delegation for write all properties of descendant computer objects in the OU. I can see in the security settings on the server object that all of the settings are as expected. There are no denies in any of the settings on the OU. Could there be a GPO I'm not thinking of that is restricting this?

I've gone through multiple pages on TechNet looking for an answer that isn't local admin / write all properties on the computer object.

Thanks,

Jason

AD lookup not using domain in 1809


Most of my users upgraded to 1809 in the last week or two and now they are having issues with network resources. The symptom is an active directory user (Scanner) can no longer access their shared folder (\\machinename\Scans), even though that user has full read/write permissions. When I sit at the client computer and bring up properties for the folder, Security correctly shows the users with correct permissions. If I try to add a user to the list however, under Locations I am only shown the local computer, not the AD.  My guess is when the Scanner user attempts to connect to write a file the client machine looks for them in the local user store instead of the AD store and fails when it can't find them. Am I looking in the right direction, or am I totally off base?

I ran into the issue presenting in a different way as well today. When I'm logged into the computer and do a software install, registry edits fail. This is because you need admin rights to write to the registry and the user credentials are domain credentials. I now have a dozen or so machines with the issue, all upgraded to 1809.

Distinguished Name limit ??


Greetings,

First of all, sorry, English is not my mother tongue.

In my company, we are currently preparing an AD migration from one domain to another. The other domain is available and I'm preparing the migration by recreating the OUs in the new domain.

To do so, I used the tool "LDIFDE". Everything worked fine, but I noticed that some OUs were not created by the ldifde command.

After some investigation, I concluded that the OUs not created were those that had a very long distinguished name.

In our current domain, we have a very long Active Directory tree. Some OUs (those not created by ldifde) have, for example, 312 characters.

Currently, we do not have problems with those OUs, but does anyone know if that DN length can cause trouble?

Is there a limitation recommended by Microsoft?

Thanks, regards.

Change NTDS and sysvol path


Hi,

We have to move the SYSVOL and NTDS files to a new location on some domain controllers so that they all have the same path.

What's the best practice to achieve the target new path?

FSMO Transfer Roles automatic


Hi All,

I have 3 domain controllers under ABC.COM. All five roles are on DC1; DC2 and DC3 are additional domain controllers.

My requirement and query is: when DC1 is down due to some failure, all FSMO roles need to move automatically to another DC, either DC2 or DC3. Is it possible? I have seen some articles from Microsoft saying that option is possible.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780487(v=ws.10)

  • becomeRidMaster

  • becomeSchemaMaster

  • becomeDomainMaster

  • becomePDC

  • becomeInfrastructureMaster

GiveAwayAllFsmoRoles

Please share the steps on how to do it, or a blog or link.
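Added example, not from the post: a read-only PowerShell check that resolves the holder of each of the five roles from the fSMORoleOwner attributes and tests whether that DC still answers on LDAP. FSMO roles do not move on their own when a holder fails; the rootDSE writes listed in the post (becomeRidMaster and so on) are the transfer itself, done against the DC that should take the role, and are not performed here. It assumes the short DC name resolves through the domain DNS suffix.

```powershell
# Added example (not the post's code). ADSI only, no RSAT needed; any domain
# user can read these attributes.
function Get-FsmoRoleHolder {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = "$($root.defaultNamingContext)"
    $config = "$($root.configurationNamingContext)"
    $schema = "$($root.schemaNamingContext)"
    # fSMORoleOwner on each of these objects holds the DN of the NTDS Settings
    # object of the DC that currently owns the role.
    $roleObjects = [ordered]@{
        PDC            = "LDAP://$domain"
        RID            = "LDAP://CN=RID Manager`$,CN=System,$domain"
        Infrastructure = "LDAP://CN=Infrastructure,$domain"
        Schema         = "LDAP://$schema"
        DomainNaming   = "LDAP://CN=Partitions,$config"
    }
    foreach ($role in $roleObjects.Keys) {
        $owner = "$(([ADSI]$roleObjects[$role]).fSMORoleOwner)"
        # Owner DN: CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,...
        $parts    = $owner -split ','
        $dcName   = $parts[1] -replace '^CN=', ''
        $siteName = $parts[3] -replace '^CN=', ''
        # If the holder's NTDS Settings object was deleted (DC removed without a
        # transfer), the DN carries a \0ADEL: tag and the role must be seized.
        $stale = $owner -match '0ADEL:'
        $reachable = $false
        if (-not $stale) {
            try {
                $tcp = New-Object System.Net.Sockets.TcpClient
                $ar = $tcp.BeginConnect($dcName, 389, $null, $null)
                if ($ar.AsyncWaitHandle.WaitOne(3000)) { $tcp.EndConnect($ar); $reachable = $true }
                $tcp.Close()
            } catch { }
        }
        [pscustomobject]@{
            Role          = $role
            Holder        = $dcName
            Site          = $siteName
            StaleOwner    = $stale
            LdapReachable = $reachable
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```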


Upgrading from Windows Server 2008 r2 to Windows Server 2016


Hi,

I know you can't do a direct upgrade from 2008 to 2016, so it will be a stepped upgrade via 2012. However, do I need to purchase a full version of 2012 for the sake of a couple of hours, or can I use the Trial Version of 2012 to get me to that step and then upgrade to 2016 with my "retail" version and key?

It needs to be an in-place upgrade as we don't have any other hardware to migrate back and forward from.

Many thanks for any advice.


Forest migration and O365 users

Hi all,

So here's my question.
Forest A = Current forest which is connected to O365
Forest B = Forest of the new company.

We had a new acquisition recently so the idea is to move users from forest B to our O365 tenant and provide them with access to the same resources.
There are no plans to do a forest trust at the moment and move the users to our domain.
In this case, the suggested way of syncing them is the Microsoft's supported pathway of Multiple Forests single AAD Sync into single O365 tenant method.

However, management might later require migrating the users from forest B to forest A and removing forest B so that all the users are managed under the same forest. This can be done via ADMT, no issues.

The question is: because the users in forest B have already been synced to O365 as I mentioned earlier, what will happen if they are migrated with ADMT to forest A?
AAD Sync will try to sync the newly migrated users to O365.
Can I avoid duplication of users in O365 if I move the SID history when I do the ADMT?
Or any other suggestions?

TIA,

Shehan.

Connecting to an AD LDS SSL defined host remotely using LDP.exe


I have configured a Windows 2016 system with an AD LDS role, SSL-enabled it, and am trying to do some additional verification of the environment. I have a defined account within the directory that is enabled and has a password assigned. I had expected to use LDP to remotely confirm the authentication of the system from my workstation, as I had already confirmed that I could attach to the directory locally from the server with the appropriate host name, SSL enabled and port defined.

My connection via LDP from the local server (while authenticated as an admin account) returns this:

ld = ldap_sslinit("MYINTERNAL.SERVER.NAME.HERE", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits

I am able to subsequently bind using the directory account without any apparent issues.

My remote connection from my workstation via LDP (from an entirely different AD domain and account) returns, while using the same connection parameters, this:

ld = ldap_sslinit("MYINTERNAL.SERVER.NAME.HERE", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to tswadslds03.qa.int.dmz.hban.us.

and concludes with a pop up window stating: Cannot open connection

When I do a bind from the local client using the directory account AFTER attempting this connection it would appear that the account had authenticated but while using port 389 as reflected below:

ld = ldap_open("MYINTERNAL.SERVER.NAME.HERE", 389);
Established connection to MYINTERNAL.SERVER.NAME.HERE.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)

I am guessing that LDP in this instance is not getting connected successfully via SSL as originally attempted, BUT I do not understand exactly why it worked locally via SSL. When I attempt the connection via SSL using the IP address, I get a Schannel error specifying that the certificate did not match the name, but no error at all when using the FQDN from the local client.

Any insights / suggestions / references on this would be appreciated.

sgw
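Added example, not the post's code: a PowerShell probe that does what LDP's ldap_sslinit does on port 636 but reports each layer separately (TCP reachability, TLS handshake, name match, chain trust on this client), so "Error 81 / Cannot open connection" from the remote workstation can be told apart from the Schannel name mismatch seen when connecting by IP. The host name is the post's placeholder; run it from both the server and the workstation and compare the rows.

```powershell
# Added example (not the post's code). Accepts any certificate during the
# handshake on purpose: the point is to inspect it, not to trust it.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$TargetHost,   # the name or IP typed into LDP
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{ Target = "$TargetHost`:$Port"; TcpOk = $false; TlsOk = $false
                     NameMatch = $false; ChainOk = $false; Subject = ''; San = ''; Error = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Layer 1: is 636 reachable at all? A firewall drop or a listener that is
        # not bound for remote clients looks like LDP's error 81 (server down).
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to $TargetHost`:$Port timed out" }
        $client.EndConnect($ar)
        $r.TcpOk = $true

        # Layer 2: TLS handshake; the callback returns $true so a bad name or
        # chain does not abort the probe before the cert can be read.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($TargetHost)
        $r.TlsOk = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $r.Subject = $cert.Subject
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $r.San = if ($san) { $san.Format($false) } else { '' }

        # Layer 3: does the name we connected with appear in the cert? Connecting
        # by IP fails here unless the SAN carries an IP entry, which is the
        # Schannel name-mismatch error the post describes.
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $names += ($r.San -split '[,;]' | ForEach-Object { ($_ -split '=')[-1].Trim() })
        $r.NameMatch = [bool]($names -contains $TargetHost)

        # Layer 4: does THIS client trust the chain? A private root CA must be in
        # the workstation's Trusted Root store too, not only on the server.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $r.ChainOk = $chain.Build($cert)
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

Test-LdapsEndpoint -TargetHost 'MYINTERNAL.SERVER.NAME.HERE' | Format-List
```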

Windows domain controller taking about 60 minutes to logon when powered on in the DR environment


We replicate a number of vital PROD servers to our DR site and are having a major issue. In the DR site, there is a domain controller (not the PDC) which syncs with the domain controllers in the PROD site so it is always up-to-date.

In our tests we failed over our PROD servers to the DR site and found that the domain controller in the DR site, when rebooted, takes around 90 minutes to boot up and gets stuck at the "Applying Group Policy" screen.

Looking at the logs, I can see Event ID 3096, "The primary domain controller for this domain could not be located", and I feel that this is the reason the DR domain controller is taking so long to boot.

Is there a fix for this, where we can stop the DR domain controller from looking for the PDC?

The DR domain controller is Windows 2008 R2. Thanks.

EDIT:

I just found out that the domain controller is set to DHCP for an IP, and it does not look like it found a DHCP server!


JDMils


Windows Server Applocker blocks google chrome

Hi. I have created AppLocker rules. The rule set consists of 4 rules, all allowing published apps by Adobe, WinRAR, Microsoft and Google Chrome. Actually all apps work as expected except Google Chrome. Although I created a rule that allows Google-signed apps, on Windows 10 Google Chrome gets blocked. Please help me solve this issue. Thanks in advance.

User can edit object on RODC server


I newly installed an RODC, then assigned it to UserA.

This RODC does not have DNS and GC enabled.

When I access the RODC as UserA, in ADUC I can change the DC to an RWDC; then UserA can modify "member of".

If ADUC connects to the RODC, any user is read-only.

I need to allow UserA access to the RODC only.

How can I disable changing the DC in ADUC for UserA, or disable the modify "member of" permission?
