Channel: Directory Services forum

Windows 2012 to 2016 Migration


I am trying to migrate Active Directory from a Windows 2012 server (TSSERVER) to a Windows 2016 server (2016SERVER). I have already migrated the roles as per netdom fsmo query:

Schema master               2016SERVER.ABCCORP.local
Domain naming master        2016SERVER.ABCCORP.local
PDC                         2016SERVER.ABCCORP.local
RID pool manager            2016SERVER.ABCCORP.local
Infrastructure master       2016SERVER.ABCCORP.local

So far so good, however when I run dcdiag, I am getting a bunch of error messages. Dcdiag completed with no errors when TSSERVER was the only domain controller. I have heard some of these could be DNS related. One other thing I have noticed is that if I try to ping 2016server from itself, I keep getting replies from ::1 even though I have done everything I can to disable IPv6.

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = 2016SERVER
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\2016SERVER
      Starting test: Connectivity
         ......................... 2016SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\2016SERVER
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\TSSERVER.ABCCORP.local, when we were trying to reach 2016SERVER.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... 2016SERVER failed test Advertising
      Starting test: FrsEvent
         ......................... 2016SERVER passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... 2016SERVER failed test DFSREvent
      Starting test: SysVolCheck
         ......................... 2016SERVER passed test SysVolCheck
      Starting test: KccEvent
         ......................... 2016SERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... 2016SERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... 2016SERVER passed test MachineAccount
      Starting test: NCSecDesc
         ......................... 2016SERVER passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\2016SERVER\netlogon)
         [2016SERVER] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... 2016SERVER failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... 2016SERVER passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,2016SERVER] A recent replication attempt failed:
            From TSSERVER to 2016SERVER
            Naming Context: CN=Schema,CN=Configuration,DC=ABCCORP,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2019-03-07 09:00:39.
            The last success occurred at 2019-03-06 19:56:54.
            13 failures have occurred since the last success.
            The source TSSERVER is responding now.
         [Replications Check,2016SERVER] A recent replication attempt failed:
            From TSSERVER to 2016SERVER
            Naming Context: CN=Configuration,DC=ABCCORP,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2019-03-07 08:59:57.
            The last success occurred at 2019-03-06 19:56:54.
            13 failures have occurred since the last success.
            The source TSSERVER is responding now.
         ......................... 2016SERVER failed test Replications
      Starting test: RidManager
         ......................... 2016SERVER passed test RidManager
      Starting test: Services
         ......................... 2016SERVER passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:38:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:43:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:48:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:53:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:58:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:03:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:08:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:13:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:18:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:23:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC0001B77
            Time Generated: 03/07/2019   09:28:46
            Event String:
            The Server Infrastructure License Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 16 milliseconds: Restart the service.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:28:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 03/07/2019   09:29:30
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:33:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         ......................... 2016SERVER failed test SystemLog
      Starting test: VerifyReferences
         ......................... 2016SERVER passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ABCCORP
      Starting test: CheckSDRefDom
         ......................... ABCCORP passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ABCCORP passed test CrossRefValidation

   Running enterprise tests on : ABCCORP.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         ......................... ABCCORP.local failed test LocatorCheck
      Starting test: Intersite
         ......................... ABCCORP.local passed test Intersite

What can I do to troubleshoot?

Thanks,

drdx
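As an added illustration (not part of the post above), a PowerShell helper that turns a dcdiag transcript like the one pasted into a pass/fail table and then checks the things the failing tests point at: the DC locator SRV records for ABCCORP.local, whether NETLOGON and SYSVOL are actually shared on 2016SERVER, and what the name 2016SERVER resolves to (the `::1` replies). The function names and the regular expression are mine; the domain and server names are the ones in the post.

```powershell
# Added example, not from the original post: summarise a dcdiag transcript and run
# the DNS/share checks its failures suggest. Assumes the DnsClient module
# (Resolve-DnsName) that ships with Windows Server 2012 and later.

function Get-DcdiagSummary {
    param([string]$Text)
    # dcdiag prints ".......... <target> passed|failed test <name>"; when the test
    # name wraps onto the next line ("passed test" / "CrossRefValidation") join it first.
    $joined = $Text -replace '(passed|failed) test\s*\r?\n\s*', '$1 test '
    $pattern = '\.{5,}\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
    [regex]::Matches($joined, $pattern) | ForEach-Object {
        [pscustomobject]@{
            Target = $_.Groups['target'].Value
            Test   = $_.Groups['test'].Value
            Result = $_.Groups['result'].Value
        }
    }
}

function Test-DcLocatorHealth {
    param([string]$DomainName, [string]$DcName)
    # SRV records the DC locator depends on: a DC missing from these cannot be
    # returned by DsGetDcName and will fail Advertising / LocatorCheck.
    $srv = "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName"
    foreach ($name in $srv) {
        $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
        $targets = $answers | Where-Object { $_.QueryType -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
        [pscustomobject]@{
            Check  = "SRV $name"
            Detail = ($targets -join ', ')
            Ok     = [bool]($targets | Where-Object { $_ -like "$DcName.*" })
        }
    }
    # NetLogons failure: the DC must expose NETLOGON and SYSVOL itself.
    foreach ($share in 'NETLOGON', 'SYSVOL') {
        [pscustomobject]@{
            Check  = "share \\$DcName\$share"
            Detail = ''
            Ok     = (Test-Path "\\$DcName\$share")
        }
    }
    # Replies from ::1 mean the name resolves to the IPv6 loopback first; show what the
    # resolver returns so the AAAA/hosts-file entry responsible can be found.
    $addrs = (Resolve-DnsName -Name $DcName -ErrorAction SilentlyContinue).IPAddress
    [pscustomobject]@{
        Check  = "A/AAAA $DcName"
        Detail = ($addrs -join ', ')
        Ok     = -not ($addrs -contains '::1')
    }
}

# Usage with the values from the post; dcdiag is run on the DC and captured as text.
$dcdiagText = dcdiag /v | Out-String
Get-DcdiagSummary -Text $dcdiagText | Where-Object Result -eq 'failed' | Format-Table -AutoSize
Test-DcLocatorHealth -DomainName 'ABCCORP.local' -DcName '2016SERVER' | Format-Table -AutoSize
```

The summary is meant to be saved alongside each dcdiag run so that a later run can be diffed against it; the locator checks are deliberately read-only and can be run from any domain member, not only from the DC.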



DSC Pull Server Modules Path format


I just set up our DSC pull server and I am reading through some documentation about how to add resources for DSC nodes.  Can someone clarify this?  If I remove the 'Version' folder, will that delete everything inside (literally), or do I just create a new folder structure without the 'Version' folder and place the contents in there?


"I live and die by the command line" -JL 2010 ©

[SOLVED] LDAP - over SSL with a third-party certification authority


I recently tried to update our wildcard certificate. Because some services are integrated with our LDAP/ADS servers, the wildcards are also used there. There is documentation on how to integrate it, like:

https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority

BUT it only mentions that in Server 2012 and later the certificate should be added via

mmc.exe
- Add snap-ins
- Certificates
- Service Accounts
- Active Directory Domain Services
--> and here into the Personal Store

However this way, no intermediate certificate will be delivered on port 636. And it doesn't help if you add the intermediate to Trusted Intermediate Certificates  or anywhere else in the "Certification Store" of the Active Directory Domain Service (or NTDS ).


Harden the Active Directory Servers


Dear Team,

I have installed the Active Directory servers and found that multiple ports are open on the system.

I used the netstat -a command and saw multiple open ports listening, which is a risk.

Can someone guide me on how to harden or shut those ports?
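An added example (not part of the post, and not a Microsoft script): a PowerShell inventory of every listening TCP socket on the server, joined to the owning process and compared against a baseline of the ports a domain controller has to expose. The baseline hashtable is constructed for this example from the standard AD DS port requirements and should be trimmed to the roles actually installed; the firewall rule and subnet at the end are placeholders.

```powershell
# Added example, not from the original post: list listeners on a DC and flag those
# outside the AD DS baseline. Assumes the NetTCPIP module (Get-NetTCPConnection),
# present on Windows Server 2012 and later.

# Baseline constructed for this example: ports AD DS itself must answer on.
$DcBaselinePorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
    5985 = 'WinRM (remote management)'
    9389 = 'AD Web Services'
}

function Get-ListenerInventory {
    # One row per listening socket, joined to the owning process so an unexpected
    # listener can be traced to a service rather than to a bare port number.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $port = [int]$_.LocalPort
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
        $known    = $DcBaselinePorts.ContainsKey($port)
        # RPC services (replication, netlogon RPC) listen in the dynamic range.
        $dynamic  = ($port -ge 49152 -and $port -le 65535)
        $role     = if ($known) { $DcBaselinePorts[$port] } elseif ($dynamic) { 'RPC dynamic range' } else { '' }
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $port
            Process      = $procName
            Role         = $role
            InBaseline   = ($known -or $dynamic)
        }
    } | Sort-Object Port, LocalAddress
}

function Get-UnexpectedListeners {
    # The ones to justify, scope with the firewall, or remove with the role/service.
    Get-ListenerInventory | Where-Object { -not $_.InBaseline }
}

# Usage
Get-ListenerInventory | Format-Table -AutoSize
Get-UnexpectedListeners | Format-Table -AutoSize

# AD's own ports are not "closed"; exposure is reduced by scoping them with the
# Windows Firewall. Example (placeholder subnet): allow WinRM only from an admin network.
# New-NetFirewallRule -DisplayName 'WinRM admin subnet only' -Direction Inbound `
#     -Protocol TCP -LocalPort 5985 -RemoteAddress 10.0.99.0/24 -Action Allow
```

Run the inventory once right after promotion and keep the output: the list of expected listeners is then a fixed reference, and anything new appearing on a later run is the thing to investigate.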

Export list of everyone that can create a user in my Active Directory


Hi

I help administer an AD that contains circa 65000 user accounts, 20000 server objects, 25000 security groups and 40 level 1 OUs (all with many OUs under that). I want to know who has delegated rights to create user objects anywhere in my domain. I've tried exporting dsacls but the results are just colossal as I don't know how to only return the "create child user" permission. Is there a flag(s) to append to dsacls that will ignore all the other permissions and not return them in the export? Or am I going about it wrong and there is a better tool?

Just to reiterate, at the moment I am only trying to view these permissions, not make any changes (yet).

MANY!!!! thanks to anyone that can help. 

Active Directory Certificate Services disable

Active Directory Certificate Services is disabled automatically after 10-15 min 

Dharmendra

WMI Query for Office 2016/Office ProPlus(Click to Run)


Hi All,

Could you please guide me to apply a GPO using WMI filter so that Office 2016 and Office 365 ProPlus can be targeted at the same time or through a single query.

Enable Intranet zone enable


Hello,

I have created a group policy for Internet Explorer which adds "*.domian.com" to the Local Intranet sites for auto-login to an application.

But now the problem is that the Internet security zone is disabled and I can't add another site or domain, so I need another GPO to enable it.

see the below image.


Clean up DFSR folder after replication group reconfiguration


Hi guys,

DFSR replication group(s) were reconfigured and now almost 500GB of files are left under the E:\System Volume Information\DFSR folder.

The System Volume Information is not visible and I only can see it in TreeSize Free software. 

Please advise if it is safe to delete the files and which folders I should delete.

Regards

Replacing Dead Domain Controller


I will be resetting the computer account of a dead domain controller in Active Directory and replacing it with another computer with the same OS, IP and name. The goal is to decommission the server and remove it from AD entirely.

Is there anything I need to do besides the following?

  1. Reset computer account in AD
  2. Join new computer to domain.
  3. Promote to DC.
  4. Demote DC.
  5. Remove from domain.

Thanks!

AD backup


We have an Active Directory domain spanning multiple branches. Each branch is connected to each other and has two local GCs. While I am a developer at one of the branches, I am also a part-time administrator of the local branch network resources. I would like to ask about backing up the local GCs.

The local branch GCs run in Hyper-V virtual machines. In the event of a disaster, I understand that rebuilding a VM and letting it synchronize with the other should be sufficient for recovery. In an even worse case, if both local GCs die I could still rebuild one / both of the VMs and let them synchronize with the domain controllers located at the other branches. However, this does not seem like the ideal backup solution, as well as potentially having a protracted downtime.

As for backups, I do take scheduled system state backups. But I'd like to ask about the acceptability of backing up the VM (VHDX disk) itself. If I were to store a backup of the VM disk, would simply restoring this and waiting for synchronization be sufficient to restore the GC? Is there any documentation / best practice for this method? Are there any significant problems that I should be aware of?

Thank you.

Delegation for user

3) Take the security group "TestGroup" and add it to the created OU "TestOU". The only security rights I want "TestGroup" to have are the following:

Create User Objects

Delete user Objects 

Apply to: This object and all descendant objects.

I appreciate any help regarding step 3 :) 

Thank you.
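An added example (mine, not from either of the posts above) covering both the "who can create users anywhere" audit asked about earlier on this page and step 3 here: it walks every OU and container, keeps only explicit Allow ACEs carrying CreateChild for the user class (or for all child classes), and separately grants a group exactly Create user objects and Delete user objects on one OU, applied to "This object and all descendant objects". TestGroup and TestOU are the names from the post; the OU's domain components are a placeholder. It assumes the ActiveDirectory module and its AD: drive.

```powershell
# Added example, not from the original posts. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Schema GUID of the 'user' class. An ACE whose ObjectType is this GUID limits
# CreateChild/DeleteChild to user objects; an empty ObjectType means any child class.
# (Well-known value; it can be confirmed with Get-ADObject on the schema partition,
#  filter 'name -eq "user"', property schemaIDGUID.)
$UserClassGuid  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$AllObjectsGuid = [guid]::Empty

function Get-UserCreateDelegation {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Only explicit (non-inherited) ACEs are reported: an inherited ACE is the same
    # grant repeated on every child, which is what makes the dsacls export colossal.
    $filter = '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domainDNS))'
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter | ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access | Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
            ($_.ObjectType -eq $UserClassGuid -or $_.ObjectType -eq $AllObjectsGuid)
        } | ForEach-Object {
            [pscustomobject]@{
                Container   = $dn
                Trustee     = $_.IdentityReference.Value
                Scope       = if ($_.ObjectType -eq $UserClassGuid) { 'user objects' } else { 'any child object' }
                Inheritance = $_.InheritanceType
            }
        }
    }
}

function Grant-UserObjectDelegation {
    param([string]$GroupName, [string]$OuDistinguishedName)
    # One ACE carrying CreateChild + DeleteChild, restricted to the user class,
    # inheritance All = "This object and all descendant objects".
    $sid    = (Get-ADGroup -Identity $GroupName).SID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $UserClassGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

# Usage: audit first (read-only), then grant on the test OU (placeholder domain DN).
Get-UserCreateDelegation | Sort-Object Container | Format-Table -AutoSize
# Grant-UserObjectDelegation -GroupName 'TestGroup' -OuDistinguishedName 'OU=TestOU,DC=example,DC=com'
# Re-run the audit afterwards: the new ACE should appear exactly once, on TestOU, scope 'user objects'.
```

The audit reads every container's security descriptor, so on a domain the size described (40 top-level OUs and everything beneath) it takes a while but returns a few hundred rows at most; running it per top-level OU with -SearchBase keeps each run short. GenericAll / Full Control grants are not matched by the CreateChild test above and need a separate pass if they are in scope.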

Recovering Domain Controller

Hello friends,

What is the correct procedure for re-establishing an environment with multiple domain controllers in the same domain where, for example, after applying an operating system hotfix to a domain controller, it presented a problem?

I have a snapshot or full server backup.

This being my main, with the master functions for example.

If it is a server that does not have master functions, I could follow the recommendation to clean the domain and promote a new one.

But I kept thinking, because we often patch many domain controller servers: if any problem arises, how could we use the snapshot or the full VM backup?

Thank you.

Deleted AD User by mistake


Hi, I just landed myself into major difficulties... 

Basically I upgraded a network from SBS 2011 to Windows Server 2019, including Microsoft Exchange Server 2019. After hours of battling, I eventually got everything installed and migrated OK. I noticed some email accounts were showing in Exchange that I did not require, and I accidentally decided to remove some mailboxes, which also removed the users from AD.

Is there any method of recovering these users in AD? 

Methods tried already:

  • I have tried connecting to a deleted mailbox via EAC, although there are no deleted mailboxes showing
  • I have tried enabling the recycle bin

Any suggestions please??


Adrian Kelly
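An added example (not part of the post): PowerShell that first reports whether the AD Recycle Bin feature was enabled, then lists user objects deleted since a cutoff and restores the chosen ones. Function names and the cutoff are mine; it assumes the ActiveDirectory module on a DC or admin workstation.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RecycleBinState {
    # EnabledScopes stays empty until the optional feature is turned on. Objects
    # deleted before that moment were already reduced to tombstones (most attributes
    # stripped), so enabling it afterwards does not make them fully restorable.
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    [pscustomobject]@{
        Enabled       = [bool]$feature.EnabledScopes
        EnabledScopes = ($feature.EnabledScopes -join '; ')
    }
}

function Get-DeletedUsers {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Deleted objects are only returned with -IncludeDeletedObjects. whenChanged is
    # the deletion time and lastKnownParent the container the object came from.
    # objectClass user also matches computer objects; the class column shows which.
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects `
        -Properties sAMAccountName, whenChanged, lastKnownParent, isRecycled, objectClass |
      Where-Object { $_.whenChanged -ge $Since } |
      Select-Object Name, sAMAccountName, objectClass, whenChanged, lastKnownParent, isRecycled, ObjectGUID
}

function Restore-DeletedUsers {
    param([string[]]$SamAccountNames)
    foreach ($sam in $SamAccountNames) {
        $obj = Get-DeletedUsers -Since ([datetime]::MinValue) | Where-Object sAMAccountName -eq $sam
        if (-not $obj) { Write-Warning "No deleted object found for $sam"; continue }
        if ($obj.isRecycled) { Write-Warning "$sam is already recycled and cannot be restored"; continue }
        # Restore-ADObject puts the object back under lastKnownParent; with the Recycle
        # Bin enabled before deletion it returns with attributes, SID and memberships intact.
        Restore-ADObject -Identity $obj.ObjectGUID
    }
}

# Usage
Get-RecycleBinState
Get-DeletedUsers -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
# Restore-DeletedUsers -SamAccountNames 'jdoe', 'asmith'   # constructed account names
```

If Get-RecycleBinState reports Enabled = False for the time of the deletion, the listed objects are tombstones: Restore-ADObject still recreates them with their original SID, but the stripped attributes (group membership among them) have to be re-populated from a backup or by hand.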

Move a Computer to an Active Directory with different credentials


Hi,

I want to move computer/device from one OU to another OU using VB Code.

The below code is working great when run under the login of the service account on the target PC.

But is there any way to execute the below code with different credentials? I did Google it and tried, but I was not able to make it work.

If you have worked on this scenario, please share some thoughts.


' *****************************************************************************
' Target OU for this computer's account
strLDAPofOU="OU=Desktops,OU=Computers,DC=domain,DC=locale"
' *****************************************************************************
On Error Resume Next
'Get MachineObjectOU Value
Set wshNetwork = CreateObject("WScript.Network")           ' not used below
Set oFso = CreateObject("Scripting.FileSystemObject")       ' not used below
Set objSysInfo = CreateObject( "ADSystemInfo" )             ' exposes this machine's own DN
Set ArgObj = WScript.Arguments                              ' read but not used; the constant above is the target OU
strMachineObjectOU = strLDAPofOU
strComputerDN = objSysInfo.ComputerName                     ' e.g. CN=PC01,OU=Old,DC=domain,DC=locale
'msgbox(strMachineObjectOU)
'Split the DN at the first comma into the RDN (CN=PC01) and the current parent OU
nComma = InStr(strComputerDN,",")
strCurrentOU = Mid(strComputerDN,nComma+1)
strComputerName = Left(strComputerDN,nComma - 1)
'msgbox(strCurrentOU)
'If current ou is different than target OU. Move object
If UCase(strCurrentOU) <> UCase(strMachineObjectOU) Then
    'GetObject binds as the account running the script; MoveHere needs rights on both OUs
    Set objNewOU = GetObject("LDAP://" & strMachineObjectOU)
    Set objMoveComputer = objNewOU.MoveHere("LDAP://" & strComputerDN, strComputerName)
    'On Error Resume Next hides failures of the two calls above; report them explicitly
    If Err.Number <> 0 Then
        WScript.Echo "Move failed: " & Err.Description & " (0x" & Hex(Err.Number) & ")"
        Err.Clear
    End If
    'msgbox("LDAP://" & strComputerDN & strComputerName)
End If 
'//----------------------------------------------------------------------------
'//  End Script
'//----------------------------------------------------------------------------

Regards

Er Reddy
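An added example (mine, not the poster's script) showing the same OU move done with explicit credentials instead of the caller's own token, in two forms: with the ActiveDirectory module (Move-ADObject -Credential) and, closer to the ADSI call in the script above, with a DirectoryEntry bound as a named account and MoveTo. The target OU DN is the one from the script; the account is whatever Get-Credential is given.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module for
# the first function; the second uses only System.DirectoryServices.
Import-Module ActiveDirectory

function Move-ComputerToOu {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$TargetOu = 'OU=Desktops,OU=Computers,DC=domain,DC=locale',
        [pscredential]$Credential = (Get-Credential -Message 'Account with move rights on both OUs'),
        [string]$Server   # optional: pin the operation to one DC to avoid replication races
    )
    $common = @{ Credential = $Credential }
    if ($Server) { $common.Server = $Server }

    $computer  = Get-ADComputer -Identity $ComputerName @common
    # Same split as the VBScript: everything after the first comma is the current parent.
    $currentOu = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
    if ($currentOu -eq $TargetOu) {
        return [pscustomobject]@{ Computer = $ComputerName; Moved = $false; Location = $currentOu }
    }
    # The credential is used only for the LDAP bind; the account needs
    # Delete child (source OU) and Create child (target OU) for computer objects.
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOu @common
    [pscustomobject]@{ Computer = $ComputerName; Moved = $true; Location = $TargetOu }
}

function Move-ComputerToOuAdsi {
    param([string]$ComputerDn, [string]$TargetOu, [pscredential]$Credential)
    # Explicit bind equivalent of GetObject("LDAP://...") with a chosen account.
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure   # Kerberos/NTLM, never simple bind
    $src  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ComputerDn", $user, $pass, $auth)
    $dst  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetOu",   $user, $pass, $auth)
    $src.MoveTo($dst)        # same directory operation as IADsContainer.MoveHere
    $src.Dispose(); $dst.Dispose()
}

# Usage
# Move-ComputerToOu -Credential (Get-Credential 'DOMAIN\ou-mover')       # placeholder account
# Move-ComputerToOuAdsi -ComputerDn 'CN=PC01,OU=Old,DC=domain,DC=locale' `
#     -TargetOu 'OU=Desktops,OU=Computers,DC=domain,DC=locale' -Credential (Get-Credential)
```

Whichever form is used, the credential should be a dedicated account delegated only the two child-object rights on the two OUs, not a domain admin, and it should not be embedded in the script: prompting, a Group Managed Service Account for the scheduled task, or a secret store are the usual ways to supply it.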


customized password expiration message


We have Windows 2012 R2 domain and in the process of upgrading to 2016 AD.

I want to create a customized password expiration message in Active Directory that notifies my domain users that their password is expiring, with a customized message containing guidelines.

How can I create a customized password expiration message?

Thank You 

Tek-Nerd
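An added example (not part of the post): a PowerShell routine that computes each enabled user's password expiry from msDS-UserPasswordExpiryTimeComputed (which already accounts for fine-grained password policies), keeps those expiring within N days and builds a customized notice for each. The function names, the notice text and the mail parameters are mine; the SMTP server and sender are placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ExpiringPasswords {
    param([int]$WithinDays = 14)
    $now = Get-Date
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
        -Properties msDS-UserPasswordExpiryTimeComputed, mail, displayName |
      ForEach-Object {
        # FILETIME value; 0 means "must change at next logon", 0x7FFFFFFFFFFFFFFF
        # means the effective policy never expires this password.
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if (-not $raw -or $raw -eq 0x7FFFFFFFFFFFFFFF) { return }
        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
        if ($daysLeft -le $WithinDays) {
            [pscustomobject]@{
                User        = $_.SamAccountName
                DisplayName = $_.displayName
                Mail        = $_.mail
                Expires     = $expires
                DaysLeft    = $daysLeft     # negative = already expired
            }
        }
      }
}

function New-ExpiryNotice {
    param($Entry)
    # Customized body; the guidelines line is a placeholder for the organisation's own text.
@"
Hello $($Entry.DisplayName),

Your domain password expires on $($Entry.Expires.ToString('yyyy-MM-dd HH:mm')) ($($Entry.DaysLeft) day(s) left).
Please change it before then: press Ctrl+Alt+Del and choose "Change a password".

Password guidelines: <organisation guidelines placeholder>
"@
}

# Usage: review the list first, then send (mail parameters are placeholders).
$expiring = Get-ExpiringPasswords -WithinDays 14
$expiring | Format-Table -AutoSize
foreach ($e in ($expiring | Where-Object Mail)) {
    # Send-MailMessage -To $e.Mail -From 'it@example.com' -SmtpServer 'smtp.example.com' `
    #     -Subject "Your password expires in $($e.DaysLeft) day(s)" -Body (New-ExpiryNotice $e)
}
```

Scheduled daily on a management host, this replaces the fixed-text interactive logon prompt with a message under the organisation's control; the notice deliberately contains no link to click, so it cannot be confused with a credential-phishing mail.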

Alert from Non Existant machine????


Hi All,

Had a ticket that came to my attention some days ago which states that a particular User continues to receive an email from an internal server related to WSUS status. This has been happening over a period of months.

I believe its source is an old WSUS Update Server which was decommissioned many months ago.

Tracing the SMTP message via the SMTP server it looks like the message is being sent from a machine with ip address xx.xx.xx.xx. but this was decommissioned many months ago.

The weird thing is I am able to ping the IP address, and the DNS record that displays for the IP address is the machine that was decommissioned. Am I missing something here? I am reluctant to delete the DNS record in case there is another machine somehow associated with this IP address.

Any help or advice on how to resolve this would be extremely useful.

Regards.

Can't authenticate to PC in another Domain


Hello all, I need some assistance with authentication.

I just recently established and validated a Trust to another Domain. For some reason my domain (ABC ) users cannot authenticate to XYZ domain. We get hit with bad user name or password BUT XYZ can authenticate to pc's at ABC!

Event viewer shows successful - event ID 4672 and 4624, so I'm at a loss! Can someone please assist on what could be happening?

ASA LDAPS not working after upgrade from 2012R2DC to Server 2016


Recently upgraded to 2016 Domain Controllers and now the VPN will not work via LDAPS. I've verified that LDAPS works on our client machines and using the LDP.exe tool and can establish a connection. Below is the error when performing a test on the ASA.

"Connect to LDAP server failed"

"Unable to read rootDSE"

Not sure if this is an ASA or Domain Controller (2016) issue. I ran Wireshark, which shows a "RST flag" from the ASA. I also came across this thread, but the URL the user posted seemed to show a different problem. https://www.reddit.com/r/networking/comments/7ey59e/asa_ldaps_issues_after_updating_dcs_from_2008r2/
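An added example (mine, not from this post or the earlier LDAP-over-SSL post) that reproduces from PowerShell exactly what the ASA is attempting: a TLS session to port 636, an LDAP bind, then a read of rootDSE. It also captures the certificate the DC presents so its Subject/Issuer can be compared with the intermediate the LDAP client has on hand, which is the situation described in the third-party CA post. It uses System.DirectoryServices.Protocols from .NET; the server name is a placeholder.

```powershell
# Added example, not from the original posts.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsRootDse {
    param([string]$Server, [int]$Port = 636)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous   # rootDSE is readable anonymously

    # Capture the leaf certificate the server sends. Returning $true here only lets the
    # handshake continue so it can be inspected; it is not a trust decision for production use.
    $script:presented = $null
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $script:presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $true
    }

    $fields = [ordered]@{ Server = $Server; TlsHandshake = $false; RootDseRead = $false; Detail = '' }
    try {
        $conn.Bind()
        # rootDSE = empty base DN, base scope. A failure here is the ASA's "Unable to read rootDSE".
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', @('namingContexts'))
        $resp = $conn.SendRequest($req)
        $fields.RootDseRead = $true
        $fields.Detail = ($resp.Entries[0].Attributes['namingContexts'].GetValues([string]) -join '; ')
    } catch {
        $fields.Detail = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }

    if ($script:presented) {
        $c = $script:presented
        $fields.TlsHandshake = $true
        $fields.Subject    = $c.Subject
        $fields.Issuer     = $c.Issuer       # must match an intermediate the LDAP client can obtain
        $fields.NotAfter   = $c.NotAfter
        $fields.Thumbprint = $c.Thumbprint
        # Chain building below may complete from the local CA store, so a clean chain here
        # does not prove the DC sent the intermediate; the Issuer line is the useful fact.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $fields.LocalChainOk = $chain.Build($c)
        $fields.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    [pscustomobject]$fields
}

# Usage (placeholder name): run from a Windows host that, like the ASA, has no copy of the
# intermediate CA installed, to see whether the handshake completes without it.
Test-LdapsRootDse -Server 'dc01.example.com' | Format-List
```

Reading the result: TlsHandshake = True with RootDseRead = False points at the bind or search (a client that requires a full chain it cannot build fails here), while TlsHandshake = False with an immediate error is a listener or certificate-selection problem on the DC. An RST from the client side right after the server certificate, as seen in the Wireshark capture, is the client rejecting the chain it was given.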

Can't Demote Windows 2012 R2 DC - DCPROMO - Access is denied. Account is in "Enable computer and user accounts to be trusted for delegation"


Hello!

   I have two Windows Server 2012 R2 DC's which I'd like to demote from a domain leaving two Windows Server 2019 DC's to remain as the sole DC's.  When I try to demote the 2012 R2 DC's I get a message "The operation failed because: The Active Directory Domain Services Installation Wizard (DCpromo.exe) would not configure the computer account <2012 DC> on the remote Active Directory Domain Controller <2019 DC>.  Verify that the user running dcpromo.exe is granted the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy.  The error was: Access is denied".

   I tried both my domain admin account and the domain Administrator account and both get this same error.  Both of these accounts are added to the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy.  

   "repadmin" shows that everything is replicated between all DC's.  In fact the only hint that I see of any AD problem is that in the Group Policy Management  is that from "Detect Now" on the status page, the two older DC's show that replication in progress.  (And this never changes).

   Anyone have any idea what I should look at?  I suppose I could just do a "Force" on the DCPROMO demotion and then clean up the metadata by following the steps to manually remove a failed DC.

   I appreciate anyone's help!

dave
