Alan Burchill (MVP)
http://www.grouppolicy.biz @alanburchill
Cross-Forest AD Token Size
AD Replication issue - the destination server is rejecting replication
Hello, I have 3 DC servers, 2 in the prod environment and 1 in DR, and I just found out that the DNS server is not replicating to the DR server. I changed a DNS entry on 1 prod DC last Mar 9. It replicated to the other prod DC but not to DR. So I just manually
edited the entry in DR. Is there a command to force replication of DNS changes from 1 DC to the other? What other ways can I verify if there is an issue on my DR server? Is there also a log to check in case someone has edited it?
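The checks and the forced sync asked about above, as an added example that is not part of the original post. Names are assumptions for illustration: DCs PRODDC1, PRODDC2 and DRDC1, an AD-integrated zone contoso.com stored in the DomainDnsZones partition, and an edited record app01.contoso.com. Note that replication metadata records which DC originated a change and when, not which user made it; the user only appears if "Audit Directory Service Changes" is enabled on the DCs, which then logs Security event 5136 on the originating DC.

```powershell
# Added example, not the poster's commands. Assumed names: DCs PRODDC1, PRODDC2, DRDC1;
# AD-integrated zone contoso.com in the DomainDnsZones partition; record app01.contoso.com.
Import-Module ActiveDirectory
Import-Module DnsServer

$dcs      = 'PRODDC1', 'PRODDC2', 'DRDC1'
$zone     = 'contoso.com'
$record   = 'app01'
# DN of the dnsNode object that stores every record named app01 in the zone
$recordDn = "DC=$record,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com"

# 1. Replication health per DC: last success/result for each inbound partner, plus logged failures.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartitionFilter All |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
    Get-ADReplicationFailure -Target $dc |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
}

# 2. Compare what each DNS server answers with, and which DC originated the last change to the record data.
foreach ($dc in $dcs) {
    Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $zone -Name $record -RRType A |
        Select-Object @{n = 'Server'; e = { $dc }}, HostName, @{n = 'IPv4'; e = { $_.RecordData.IPv4Address }}, Timestamp
    Get-ADReplicationAttributeMetadata -Object $recordDn -Server $dc -Properties dnsRecord |
        Select-Object Server, AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
}

# 3. Who edited it: only available when directory service change auditing is on (Security event 5136).
#    Query the DC named by LastOriginatingChangeDirectoryServerIdentity in step 2.
$originDc = 'PRODDC1'
Get-WinEvent -ComputerName $originDc -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($recordDn) } |
    Select-Object TimeCreated, Message

# 4. Force replication: just this object from PRODDC1 to DRDC1, or every partition DRDC1 holds.
Sync-ADObject -Object $recordDn -Source 'PRODDC1' -Destination 'DRDC1'
repadmin /syncall DRDC1 /AdeP

# The DNS service on DRDC1 reloads AD-integrated zones on its own polling interval;
# make it re-read the zone from AD right away:
dnscmd DRDC1 /zoneupdatefromds $zone
```

Step 2 is the useful comparison for the situation described: if the AD copy on DRDC1 already shows the new value and version but the DNS answer does not, the DNS service on that DC has not reloaded the zone yet; if the AD copy itself is stale, the replication metadata from step 1 shows which partner link is failing.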
Planning and configurations Active Directory and DNS Services
Dear All,
We have to plan and design DC 2016 for 500-1000 Thousand Users. I need proper guidelines to set it up.
1. How many domain controllers do we require for load balancing or failover purposes?
2. How many DNS servers do we require for that number of users? We would have 500+ WiFi users using the same DNS server.
3. I need proper server infrastructure guidelines and best practices to set up this environment.
AD backup
We have an Active Directory domain spanning multiple branches. Each branch is connected to each other and has two local GCs. While I am a developer at one of the branches, I am also a part-time administrator of the local branch network resources. I would like to ask about backing up the local GCs.
The local branch GCs run in Hyper-V virtual machines. In the event of a disaster, I understand that rebuilding a VM and letting it synchronize with the other should be sufficient for recovery. In an even worse case, if both local GCs die, I could still rebuild one or both of the VMs and let them synchronize with the domain controllers located at the other branches. However, this does not seem like the ideal backup solution, and it potentially means protracted downtime.
As for backups, I do take scheduled system state backups. But I'd like to ask about the acceptability of backing up the VM (VHDX disk) itself. If I were to store a backup of the VM disk, would simply restoring it and waiting for synchronization be sufficient to restore the GC? Is there any documentation or best practice for this method? Are there any significant problems that I should be aware of?
Thank you.
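A check worth running before relying on disk-level restores of a virtualized DC, as an added example that is not part of the original post. Restoring an older VHDX puts the DC back to an earlier update sequence number (USN); the DC detects this only if the hypervisor supplies a VM-Generation ID (Windows Server 2012 or later DC on a Hyper-V 2012 or later host), which the DC stores in its non-replicated msDS-GenerationId attribute. Without it, NTDS may detect a USN rollback after the fact, set the "Dsa Not Writable" registry value and log Directory Service events 2095 and 2103. The DC names are assumptions.

```powershell
# Added example, not the poster's script. Assumed DC names for the local branch: BR1-DC1, BR1-DC2.
Import-Module ActiveDirectory
$dcs = 'BR1-DC1', 'BR1-DC2'

function Get-DcRestoreSafetyState {
    param([string]$Dc)

    # msDS-GenerationId is not replicated, so it must be read from the DC itself (-Server).
    # Its presence means the hypervisor supplies a VM-Generation ID and the DC can recognise a restore.
    $computer = Get-ADComputer -Identity $Dc -Properties 'msDS-GenerationId' -Server $Dc
    $genIdPresent = [bool]$computer.'msDS-GenerationId'

    # "Dsa Not Writable" = 4 means NTDS already detected a USN rollback and quarantined replication.
    $notWritable = Invoke-Command -ComputerName $Dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue).'Dsa Not Writable'
    }

    # 2095 = USN rollback detected; 2103 = AD DS paused because of the rollback.
    $events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                  -MaxEvents 20 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC                  = $Dc
        GenerationIdPresent = $genIdPresent
        DsaNotWritable      = $notWritable
        RollbackEvents      = ($events | Measure-Object).Count
    }
}

$dcs | ForEach-Object { Get-DcRestoreSafetyState -Dc $_ } | Format-Table -AutoSize
```

A DC that shows GenerationIdPresent = False is one where a restored VHDX would not be recognised as a restore, so the system state backup (which performs a proper non-authoritative restore with a new invocation ID) is the one to keep. Any non-empty DsaNotWritable or RollbackEvents count on a running DC indicates a rollback that has already happened.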
Script to Add User Account in Attribute Field in Active Directory
Dears,
I plan to put the user's manager account in the Division field in the attributes of Active Directory 2012. I'm looking for a script to run in PowerShell to set all user account managers in the Division field at one time. I have prepared an Excel sheet with two fields, one for the user account and the other for the manager.
Best Regards,
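A script that does the bulk update described above, as an added example that is not part of the original post. It assumes the Excel sheet has been saved as a CSV at C:\Temp\managers.csv with the header row "User,Manager", both columns holding sAMAccountName values; the path and column names are assumptions. It looks both accounts up by identity (no filter string built from sheet data), previews with -WhatIf, and writes a result file so rows that were skipped are easy to find.

```powershell
# Added example, not the poster's script. Assumed CSV: C:\Temp\managers.csv with columns User,Manager.
Import-Module ActiveDirectory

$csvPath    = 'C:\Temp\managers.csv'
$resultPath = 'C:\Temp\managers-result.csv'

function Set-DivisionFromCsv {
    param(
        [string]$Path,
        [switch]$Apply   # without -Apply the script only previews (Set-ADUser -WhatIf)
    )
    foreach ($row in Import-Csv -Path $Path) {
        try {
            # -Identity accepts a sAMAccountName and fails cleanly if it does not exist
            $user    = Get-ADUser -Identity $row.User -Properties Division -ErrorAction Stop
            $manager = Get-ADUser -Identity $row.Manager -ErrorAction Stop
        }
        catch {
            [pscustomobject]@{ User = $row.User; Manager = $row.Manager; Status = "SKIPPED: $($_.Exception.Message)" }
            continue
        }

        if ($user.Division -eq $manager.SamAccountName) {
            [pscustomobject]@{ User = $user.SamAccountName; Manager = $manager.SamAccountName; Status = 'Already set' }
            continue
        }

        # Division is a plain string attribute, so the manager's sAMAccountName is stored as text
        Set-ADUser -Identity $user -Division $manager.SamAccountName -WhatIf:(-not $Apply)
        [pscustomobject]@{ User = $user.SamAccountName; Manager = $manager.SamAccountName; Status = 'Division set' }
    }
}

# Preview first; run with -Apply once the preview looks right
$results = Set-DivisionFromCsv -Path $csvPath
$results | Export-Csv -Path $resultPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Set-ADUser also has a -Manager parameter that writes the linked manager attribute (a DN reference, so the link follows renames); the example writes Division because that is what the post asks for.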
how to delegate AD rights for creating dns A Records and modify only
Can someone tell me if I can give a user permission to create only A records and modify them? I don't want the user to create other DNS records or delete current records.
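The delegation, as an added example that is not part of the original post, with one caveat a practitioner needs up front: in an AD-integrated zone every record with a given name, whatever its type, lives in one dnsNode object whose dnsRecord attribute holds all of them, so the ACL can allow creating and modifying records but cannot distinguish A records from other types. The zone name, partition and group name are assumptions.

```powershell
# Added example, not from the original post. Assumed: zone contoso.com in the DomainDnsZones partition
# of contoso.com; delegated group CONTOSO\DNS-A-Editors.
$zoneDn = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
$group  = 'CONTOSO\DNS-A-Editors'

# Record the current ACL of the zone container before changing anything
dsacls $zoneDn

# Create child objects of class dnsNode under the zone (new record names)
dsacls $zoneDn /G "${group}:CC;dnsNode"

# Write the dnsRecord attribute on existing dnsNode objects in the zone (modify record data),
# inherited to sub-objects only (/I:S), so the zone object itself is not made writable
dsacls $zoneDn /I:S /G "${group}:WP;dnsRecord;dnsNode"

# No delete rights (DC on the zone, SD on records) are granted, so existing records cannot be removed.
# Check whether the zone ACL carries a CREATOR OWNER entry: if it does, records the group creates are
# owned by the creator and can be deleted by them, which is usually acceptable for "their" records.
dsacls $zoneDn | Select-String -Pattern 'CREATOR OWNER', 'DNS-A-Editors'

# Verify on one existing record that the inherited write-property ACE arrived
dsacls "DC=app01,$zoneDn" | Select-String -Pattern 'DNS-A-Editors'
```

Because dnsRecord is a single attribute holding every record type, a user with these rights can also put a CNAME or other type into a node they may write; if only A records are acceptable, that has to be enforced by process or by a change-control script rather than by the ACL.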
_msdcs delegation folder security tab error
Hello,
I keep seeing that the security tab for the _msdcs delegation folder will not show security items. Rather, it shows a red 'X' with the message "The requested security information is either unavailable or can't be displayed".
This is a brand new domain controller in a new forest, and the only thing that has been done is to set up secondary zones on servers in another forest and create an outgoing trust from this forest to the other.
Anyone else see this, is this normal?
Thanks
Robert
Hybrid Joined Devices - Windows Hello for Business
Hey @all,
I've deployed 2 Windows Server 2016 VMs with Azure AD Connect and Hybrid Device Join. I've built a 2-tier PKI (based on 2 2k16 VMs) and followed these steps:
When I try to enroll the user certificate for WHFB I get the error
Certificate enrollment for user failed to enroll for a WHFBAuthentication certificate with request ID N/A from N/A (Failed to enroll for an NGC cert because there is NO Enterprise SSO. 0x801c03f6 (DSREG: 1014 DSREG_E_NGC_CERT_NO_ENTSSO)).
Devices are correctly joined in AD and Azure AD (hybrid joined). The only thing we do not have is ADFS. I also ran the command on the Sub CA.
certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
As mentioned here, WHFB with PTA should also work:
For non-federated environments, key trust deployments work in environments that have deployed Password Synchronization with Azure AD Connect and Azure Active Directory Pass-through-Authentication
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs
Any suggestions or ideas? I would be really happy to get this running.
Kind regards
Sandro Reiter
Consultant Cloud Infrastructure
Can't authenticate to PC in another Domain
Hello all, I need some assistance with authentication.
I just recently established and validated a trust to another domain. For some reason my domain (ABC) users cannot authenticate to the XYZ domain. We get hit with "bad user name or password", BUT XYZ can authenticate to PCs at ABC!
Event Viewer shows successful events, IDs 4672 and 4624, so I'm at a loss! Can someone please assist on what could be happening?
Change\SWAP RODC IP address
Hi All,
This is regarding RODC migration from Windows 2018 to Windows 2012.
Environment: single forest, single domain, with 2 RWDCs and 4 RODCs. All DCs are running Windows 2008 R2.
We are in the process of migrating our domain controllers to Windows 2012. As part of this activity we introduced a new Windows 2012 RWDC as an additional domain controller and everything is working as expected without any issue.
Now we have planned to replace the Windows 2008 RODCs with Windows 2012 RODCs. Some of the applications in the RODC sites depend on the RODC's IP address, so I have planned to swap the existing Windows 2008 RODCs' IP addresses onto the new Windows 2012 RODCs.
Question: will swapping IP addresses between the old and new RODCs cause any issues? I have not found any article on the internet about swapping or changing IP addresses for RODCs. Please provide your valuable ideas and suggestions to swap or change RODC IP addresses without any interruption.
(RWDC IP change articles are available on the internet, but not for RODCs.)
Thanks in advance.
domain controller certificate expiring but CA gone
I have a domain with two domain controllers with certificates that will expire soon, but the issuing certificate authority has been demoted and the member server will be retired soon.
Certificate services have been removed and we don't plan on reinstalling if we can avoid it.
What happens to the domain controllers and active directory when the certificates expire? Do we need to do something manually before that happens?
Thank you.
Disabled user script
I found this script in an older forum. I was not able to reply, so I thought I would repost. It works well; I needed it to export to a CSV.
param(
    [parameter(Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
    [string]$SearchBase,
    [parameter(Position=1, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
    [int]$Days
)
Import-Module ActiveDirectory

# Defaults: search the whole domain, look back 1 day
if ($SearchBase -eq "") { $SearchBase = (Get-ADRootDSE).defaultNamingContext }
if ($Days -lt 1) { $Days = 1 }
$Days *= -1

# Accounts with the ACCOUNTDISABLE bit (2) set in userAccountControl
$users = Get-ADObject -Filter { objectCategory -eq "Person" -and (userAccountControl -bor 2) } -SearchBase $SearchBase -Properties sAMAccountName
$searchFrom = (Get-Date "0:00").AddDays($Days)

foreach ($userEntry in $users) {
    $sam  = $userEntry.sAMAccountName
    $user = Get-ADObject -Filter { sAMAccountName -eq $sam } -Properties sAMAccountName, userAccountControl, mail, "msDS-ReplAttributeMetaData"
    # msDS-ReplAttributeMetaData is a set of XML fragments (one per attribute): wrap them in a root element and drop embedded NULs
    $repData = [xml](("<root>" + $user."msDS-ReplAttributeMetaData" + "</root>").Replace([char]0, " "))
    foreach ($attribute in $repData.root.DS_REPL_ATTR_META_DATA) {
        if ($attribute.pszAttributeName -eq "userAccountControl") {
            $changedDate = Get-Date $attribute.ftimeLastOriginatingChange
            if ($changedDate -gt $searchFrom) {
                # A new object per hit (not one reused object), so the output pipes straight to Export-Csv
                New-Object PSObject -Property @{
                    mail               = $user.mail
                    sAMAccountName     = $user.sAMAccountName
                    userAccountControl = $user.userAccountControl
                    changed            = $changedDate
                }
            }
        }
    }
}
IF our DC Down user not able to access file folder and network printer or network resource
Hello Team ,
We have a DC server and an ADC server; domain and forest functional level is 2000 Native. DC and ADC sync successfully. If our DC (which holds all FSMO roles) goes down, users are not able to access file folders and network resources. When our DC is online again, users are able to access the file folders and network resources.
WMI Query for Office 2016/Office ProPlus(Click to Run)
Hi All,
Could you please guide me to apply a GPO using WMI filter so that Office 2016 and Office 365 ProPlus can be targeted at the same time or through a single query.
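A way to build and test such a filter, as an added example that is not part of the original post. Office 2016 Click-to-Run and Office 365 ProPlus both install under ...\Microsoft Office\root\Office16, so one directory check covers both; the exact path depends on bitness, and the two paths below are assumptions to adjust. Two points matter for GPO WMI filters: every query in a filter must be true (they are ANDed), so alternatives go into one query joined with OR; and Win32_Product should be avoided because querying it triggers a consistency check of every installed MSI package on each policy refresh.

```powershell
# Added example, not from the original post. Paths are assumptions: 64-bit Office under Program Files,
# 32-bit Office under Program Files (x86). Backslashes are doubled because this is WQL, not PowerShell.
$filterQuery = "SELECT Name FROM Win32_Directory WHERE " +
               "Name = 'C:\\Program Files\\Microsoft Office\\root\\Office16' OR " +
               "Name = 'C:\\Program Files (x86)\\Microsoft Office\\root\\Office16'"

# A GPO WMI filter evaluates to TRUE when its query returns at least one instance.
# This runs the same query against root\CIMv2 locally, which is what the client does at policy refresh.
function Test-WmiFilterQuery {
    param([string]$Query, [string]$Namespace = 'root\CIMv2')
    $instances = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction SilentlyContinue
    return [bool]$instances
}

[pscustomobject]@{
    Query   = $filterQuery
    Matches = Test-WmiFilterQuery -Query $filterQuery
}
```

Once Matches is True on an Office 2016 machine and on a ProPlus machine, and False on a machine without either, paste the same query text into the WMI filter (namespace root\CIMv2) and link it to the GPO.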
Why CA refreshes templates from DC
The list of Certificate Templates seems to be refreshed periodically. If ADCS is inactive (no certificate is issued) for approx. 15-20 minutes, it takes a long time (20-25s) to refresh the list of Certificate Templates from the DC. (It is equivalent
to the process of displaying certificate templates in: mmc console –> Certification Authority snap-in –> Certificate Templates folder.)
- Until the Certificate Template list is downloaded it is not possible to issue a certificate, so this behavior adds an unacceptable delay to the whole certificate issuance process.
- The error was observed in both Windows Server 2012R2 and 2016 versions.
- Any repeated request (which is sent after the Certificate Templates are refreshed) is processed immediately (overall delay <1s)
- After 15-20 minutes of ADCS inactivity (no certificate is issued) the situation with 20s delay repeats.
Is this by design?
Can we control the behavior and delay time?
Additional Domain Controller is not authenticating when Primary Domain Controller goes down
Hi,
I have a Primary Domain Controller and a Secondary Domain Controller. The problem is that when the Primary Domain Controller goes down, the Secondary Domain Controller does not authenticate the users.
I have an Exchange Server in the environment, but everything goes down with the Primary Domain Controller.
Any thoughts?
Thanks,
AD Win2K8 R2 Native Mode ... IsDomainMaster and MaintServerList
Hello - we have 100+ Win2K8 R2 DCs deployed, running native mode ... noticed even the PDC Emulator has the "IsDomainMaster" registry key set to blank. MaintServerList is set to Auto on all DCs. This is the default, we did not make any changes; however, we do have many clients (member servers and workstations) reporting they are now the master.
Q1: Should we adjust our Win2K8 R2 DCs to IsDomainMaster=Yes, MaintServerList=Yes? Also, should this be on all DCs, on the PDC Emulator only, or only on 1 DC on each subnet? (I've seen multiple answers for all 3 options.)
Q2: We could change all clients (servers/workstations) to No,No on both reg keys, but is this safe to do without changing any of the DCs (in Q1)?
Thanks.
Remove-ADOrganizationalUnit : Access is denied
I have a Windows Server 2008 R2 domain called sl13.mycompanytest.biz. I am running PowerShell on the server as a user that is a member of the following groups: Domain Admins, Enterprise Admins, Domain Users, Schema Admins, Organization Management.
I have created an OU called Test (OU=Test,DC=sl13,DC=mycompanytest,DC=biz). This object is *not* marked with the protection from accidental deletion checkbox. I can create and delete this OU just fine with the ADUC control panel applet.
When I try to remove the OU using PowerShell I get: Access is denied. When I look at the security tab for the entire domain (or the OU) I can see that Enterprise Admins has "full control" and all boxes checked, including all deletion options. However, when I click Advanced and then Effective Permissions for the domain object (or the OU object), and enter the name of my administrative user (who is a member of Enterprise Admins), it shows he does not have full control and *none* of the deletion permissions are checked. If I enter the 'Administrator' username in the effective permissions box, I see the same thing: not full control, no deletion options checked. Both of these users can clearly delete anything they want through ADUC due to being members of Enterprise Admins, but for some reason, not through PowerShell.
Here is the PowerShell output:
PS C:\Users\nathan> Remove-ADOrganizationalUnit $ouToRemove -Recursive -Confirm:$false
Remove-ADOrganizationalUnit : Access is denied
At line:1 char:28
+ Remove-ADOrganizationalUnit <<<< $ouToRemove -Recursive -Confirm:$false
+ CategoryInfo : PermissionDenied: (OU=Test,DC=sl13,DC=mycompanytest,DC=
biz:ADOrganizationalUnit) [Remove-ADOrganizationalUnit], UnauthorizedAcces
sException
+ FullyQualifiedErrorId : Access is denied,Microsoft.ActiveDirectory.Manag
ement.Commands.RemoveADOrganizationalUnit
So several questions:
1) Why would my effective permissions differ in PowerShell and ADUC?
2) How in the heck would anything override the permission of the "Enterprise Admins" group to deny it delete permission?
3) How do I fix this? I see that there is an "Everyone" entry which is specifically denied all delete permissions, but that should not override my Enterprise Admin privileges, should it? And if so, why does it only override them through PowerShell but not through ADUC?
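A check for the two usual causes of that error, as an added example that is not part of the original post. A Deny ACE always wins over an Allow ACE, whichever group the Allow is granted to, and "Protect object from accidental deletion" is implemented as exactly that: a Deny Delete and Delete Subtree for Everyone on the object plus a Deny Delete Child on its parent. Remove-ADOrganizationalUnit -Recursive also has to delete every child, so a protected child object is enough to fail the whole call. The OU DN is the one from the post.

```powershell
# Added example, not the poster's commands. Uses the OU DN from the post.
Import-Module ActiveDirectory
$ou = 'OU=Test,DC=sl13,DC=mycompanytest,DC=biz'

# 1. Anything in the subtree (the OU itself included) still protected from accidental deletion?
function Get-ProtectedObjects {
    param([string]$SearchBase)
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion } |
        Select-Object DistinguishedName, ObjectClass
}

# 2. Explicit Deny ACEs on the OU and on its parent; these override any Allow, including Full Control
function Get-DenyAces {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"   # AD: drive comes with the ActiveDirectory module
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{n = 'Object'; e = { $DistinguishedName }}, IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

$parent = ($ou -split ',', 2)[1]
Get-ProtectedObjects -SearchBase $ou | Format-Table -AutoSize
Get-DenyAces -DistinguishedName $ou     | Format-Table -AutoSize
Get-DenyAces -DistinguishedName $parent | Format-Table -AutoSize

# 3. Clear the flag on everything in the subtree (removes the Deny ACEs), then delete.
#    Uncomment once the listings above show what is about to be unprotected.
# Get-ADObject -SearchBase $ou -SearchScope Subtree -Filter * |
#     Set-ADObject -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity $ou -Recursive -Confirm:$false
```

The Effective Permissions tab reports the same thing the directory enforces: with a Deny Delete for Everyone present, no group membership produces a delete right on that object.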
Local Admin GPO Strange Behavior
Hi, I have a problem with GPO. We have LAPS configured. All computers are located in one OU named Corp_Computers. We also have a group named "workstation_admins" (members are helpdesk staff) which is granted the right to read LAPS passwords, and is also made a member of the local Administrators group on computers. Now we want to create separate OUs under the Corp_Computers OU for the sub-company computers and create groups for each for helpdesk users (e.g. a_workstation_admins), remove the parent GPO and create a GPO for each OU for local Administrators group membership. But things get stranger from here. When I applied the GPO for A_Corp_Computers (local admins GPO setting configured with GPO Preferences), workstation_admins and a_workstation_admins were in there. I created a separate OU and tried without any configured GPO, only the Default Domain Policy (unconfigured), and did gpupdate /force, but workstation_admins still appears in the Administrators group.
Sorry for my bad English
DFSR Migration Stuck
A few weeks ago we attempted to migrate the domain controllers in our lab domain from FRS to DFSR. The domain is at Windows 2008 R2 functional level and the DCs are on Windows 2019. When the migration was initiated with Dfsrmig, this error appeared every 5 minutes when it tried to migrate SYSVOL:
DFSR was unable to copy the contents of the SYSVOL share located at C:\Windows\SYSVOL\domain to the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR\domain. This could be due to lack of availability of disk space or due to sharing violations.
Additional Information:
Sysvol NTFRS folder: C:\Windows\SYSVOL\domain
Sysvol DFSR folder: C:\Windows\SYSVOL_DFSR\domain
Error: 367 (The process creation has been blocked.)
Replication between the two domain controllers was working without any issues. I've tried just about everything to fix the problem: adjusting permissions on the folders, running the Robocopy command manually (which did copy all the folders and files without error), deleting all GPOs not being used, running DCGPOFIX, removing all DCs except one, even performing a System State restore to a new DC (with an authoritative restore of AD and SYSVOL), and rolling back the migration and starting again. Nothing has corrected the issue.
Has anyone seen this error or have any suggestions?