
AD to external DNS


Dear Sir,

There is a network that contains a ZyWALL USG-100 router (192.168.1.5), an AD 2008 R2 server with DHCP (192.168.1.17), and Win7 Pro client PCs (192.168.1.120)....
In fact, some other Win7 Pro machines also get this problem... about 60-70 clients in total.

I keep the AD server's gateway blank, as I don't allow the AD server to access the internet....

ISP-provided DNS:

218.102.23.228

210.87.253.13

I also set 8.8.8.8 and 8.8.4.4 as DNS.

It happens suddenly.

Client PCs can ping the server and the router, but they cannot access the internet....

tracert and ping to yahoo.com also fail....

nslookup yahoo.com, with the router (192.168.1.5) as the DNS server, succeeds... but I still cannot ping yahoo.com.

After I run ipconfig /release and ipconfig /renew, it is OK again....

But it happens suddenly again after 1-3 hours.

Please advise....



NTFRS 13552/13555 on a single DC.


Inherited a bit of a mess here....  I have one DC that has been in this condition for as far back as the logs go, which is 10/17/2015.  I found the following article:

https://support.microsoft.com/en-us/help/2986364/event-id-13552-and-13555-are-logged-in-the-file-replication-service-lo

Since I have another DC with a clean NTFRS, I assume I would just want to perform steps 6-10 on the problematic DC? Is it really necessary to delete all those files manually, or can I just stop NTFRS, set BurFlags to D2, and start NTFRS to recover from this?

Thanks!


Disable password logon as an option, but still want the ability to use the Change Password feature with Ctrl+Alt+Delete


Hello,

We are using H4B with a PIN to log on to our desktops. We removed password login as an option, so the only option is the PIN. However, we still want users to be able to change their passwords through Ctrl+Alt+Delete, because they do still use their password for other applications and services in our organization. How can that be achieved?

Security


Named Pipes and Shares can be accessed anonymously

ADPREP /Forestprep Failing on Windows 2012R2 DC


I have a Windows 2012 R2 DC that I am trying to prep in order to add two Windows 2016 servers to it. After completion, I will then upgrade the 2012 R2 DC. The 2012 R2 is the production machine, so I don't want to do too much to it since it currently has all the user accounts. I am using the admin account that is a member of the Schema, Enterprise, and Domain Admins groups. I have run DCDIAG and all tests pass, so health is good. I have two DNS servers, the 2012 R2 and one of the 2016 servers. DNS is set up for secure updates only.

When I run the /forestprep I am getting the following errors:

Adprep was unable to create the object CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=local,DC=gscsda,DC=org in Active Directory Domain Services.
[Status/Consequence]
This Adprep operation failed.
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20190321073420 directory for more information. Restart Adprep.

Adprep encountered an LDAP error.
Error code: 0x10. Server extended error code: 0x57, Server error message: 00000057: LdapErr: DSID-0C090E21, comment: Error in attribute conversion operation, data 0, v2580

Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20190321073420 directory for more information.

DotNet Core application failing on Server with error "Trust relationship between primary domain and the trusted domain failed"


I have a .NET Core application (API) deployed on a Windows server under IIS with anonymous auth set to false and Windows auth set to true.

In the application, I have an authorization middleware that checks if the current user is in a specific AD group and uses a map (pulled from SQL) to see if that user group has access to read, write, create, or delete on the specific application/endpoint.

When running the application in the production environment, all API requests fail with the error "Trust relationship between primary domain and the trusted domain failed".

Deploying the exact same zip file (excluding configuration files) to a QA environment, the API endpoint works. Comparing the config files, the only difference is in the SQL connection string.

Turning on Info logging for the application, the error is being thrown when calling

     System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)

This leads me to think it is a domain problem; however, the in-house domain team is saying there is no problem.

Please let me know how to better track down the problem.

AD Replication


Hi All,

I run an AD replication tool once a week as part of our maintenance process. There have not been any problems highlighted by this tool during replication; however, one of the servers seems to have an issue. The error we are getting in the File Replication log is "The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR". However, as I say, when I run the AD replication tool it does not detect any issues.

The issue has now been rectified, but the question remains: why does the tool not pick up these kinds of issues, and why does the tool report that replication between this server and another AD server is OK?

Any information would be greatly appreciated.

Regards.

Identify potential domain joined computers.

Hello,

We need to deploy a very important group policy and we need to make sure every computer in the domain has a "healthy" connection to Active Directory and will get the GPO.

Is there a way to identify computers which are not connecting properly, whose secure channel is broken, and so on?

Please advise.

Many thanks.
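One way to triage this before a GPO rollout, as an added example that is not part of the original post: first flag computer accounts whose directory attributes suggest they have not authenticated to a DC recently, then ask the reachable machines directly with Test-ComputerSecureChannel. It assumes the RSAT ActiveDirectory module on the admin workstation and WinRM access to the clients; the 60-day threshold is an assumed value (machine passwords rotate every 30 days by default).

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and WinRM access to the clients for the remote check.
Import-Module ActiveDirectory

# Stage 1: directory-side triage. A machine account whose password or last logon is
# much older than the 30-day rotation interval has not been talking to a DC.
$maxAgeDays = 60   # assumed threshold, tune for your environment
$cutoff = (Get-Date).AddDays(-$maxAgeDays)

$computers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like "*Windows*" } `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem

$staleDns = @($computers | Where-Object {
    $_.PasswordLastSet -lt $cutoff -or $_.LastLogonDate -lt $cutoff
} | ForEach-Object DistinguishedName)

# Stage 2: for machines that answer, test the secure channel on the machine itself.
# Test-ComputerSecureChannel returns $false when the channel to the DC is broken.
$results = foreach ($c in $computers) {
    $state   = if ($staleDns -contains $c.DistinguishedName) { 'Stale' } else { 'Fresh' }
    $channel = 'Unreachable'
    if (Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet -ErrorAction SilentlyContinue) {
        try {
            $ok = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ScriptBlock {
                Test-ComputerSecureChannel
            }
            $channel = if ($ok) { 'OK' } else { 'Broken' }
        } catch {
            $channel = "Error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Name            = $c.Name
        PasswordLastSet = $c.PasswordLastSet
        LastLogonDate   = $c.LastLogonDate
        DirectoryState  = $state
        SecureChannel   = $channel
    }
}

# Anything stale, unreachable or broken will not reliably receive the new GPO.
$results | Where-Object { $_.DirectoryState -eq 'Stale' -or $_.SecureChannel -ne 'OK' } |
    Sort-Object Name | Format-Table -AutoSize
```

Machines reported as Broken can be repaired with Test-ComputerSecureChannel -Repair run locally with domain credentials; Unreachable ones need a closer look before the rollout.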

LSASS generating high and unknown network traffic to trusted domain


Recently, in one domain, we have seen lots of constant network traffic from our DCs to a trusted domain's DCs. It is several Mbps from our DCs to the other domain all the time. This cannot be normal in our environment.

There is a two-way selective trust between these domains. There are also other trusts, and nothing is unusual with those.

The source of this traffic is the LSASS process and the destination port is 1025.
A network capture with Wireshark is full of these, and only these, between the DCs:
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 144, Call: 1375247 Ctx: 0
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Response, Fragment: Single, FragLen: 128, Call: 1375247 Ctx: 0

AD Diagnostics data collection and report does not identify any problems. Everything is running okay but this does generate extra CPU and network load.
What could be the reason for this?


LDIFDE Computer Object Export


Hello.

I'm trying to use LDIFDE to export a single computer account to an *.LDF file, then trying to import that computer account after it's been deleted. At this point it's more academic, but it could morph into something else down the road.

------------

The export cmd I'm using is: 
ldifde -d "OU=Test,DC=Domain,DC=Local" -p subtree -o "uSNCreated,uSNChanged,objectguid,whencreated,whenchanged,objectSid,dSCorePropagationData,accountExpires,pwdLastSet" -j c:\temp -f test9.ldf

-------------

The export always seems to work just fine. But importing them is where I'm getting stuck. Here's my import cmd:
ldifde -i -k -j c:\temp -f test9.ldf

When I run the above cmd, I get the following error:

-------------------------

PS C:\> ldifde -i -k -j c:\temp -f c:\temp\test9.ldf
Connecting to "DC01.domain.local"
Logging in as current user using SSPI
Importing directory from file "c:\temp\test9.ldf"
Loading entries.
Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x209a Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).
The extended server error is:
0000209A: SvcErr: DSID-031A101A, problem 5003 (WILL_NOT_PERFORM), data 0

0 entries modified successfully.
An error has occurred in the program

----------------------------

So, I'm confused about what AD thinks is happening and what attribute the SAM owns and won't let go of. Do I need to run the import in DSRM mode?


::- T.I.A. -::

AD lookup not using domain in 1809


Most of my users upgraded to 1809 in the last week or two and now they are having issues with network resources. The symptom is that an Active Directory user (Scanner) can no longer access their shared folder (\\machinename\Scans), even though that user has full read/write permissions. When I sit at the client computer and bring up Properties for the folder, Security correctly shows the users with the correct permissions. If I try to add a user to the list, however, under Locations I am only shown the local computer, not the AD. My guess is that when the Scanner user attempts to connect to write a file, the client machine looks for them in the local user store instead of the AD store and fails when it can't find them. Am I looking in the right direction, or am I totally off base?

I ran into the issue presenting in a different way as well today. When I'm logged into the computer and do a software install, registry edits fail. This is because you need admin rights to write to the registry and the user credentials are domain credentials. I now have a dozen or so machines with the issue, all upgraded to 1809.

Migrating Single Domain Controller


We recently were testing the use of a domain on our internal network. Until recently the benefits were not really there to make the change worthwhile. A few of us are on the domain and have been using it to test and hammer out some functions. This was during an evaluation period.

I am now hitting some critical issues such as being unable to activate my version of 2019 essentials. I have a brand new key that should have no issues.

If this was just another PC, I would just do a reinstall without worry. But considering if I lose the domain, then my user basically becomes locked out...

I am trying to find the correct solution to repair any issues. Is there a way to back up my AD config and domain settings, so I can import them on a fresh install? I would prefer to start from scratch, but the few of us can't risk losing access to our files. If I was to do some form of reinstall, is there a way to make sure everything stays, and that the PCs can reconnect to the repaired domain afterwards without any loss?

Any advice would be greatly appreciated. Thank you!

Root Certificate Authority Certificate Renewal

Hi all,

I have a situation here where we have a single root certificate authority (standard version) which has a CA certificate that is due to expire in a month or two. I am not very experienced with certificate authorities, so I have a couple of questions. I will give you a brief summary of our requirements to explain it a little better.

We use the CA for our management and other senior bodies so they are able to send secure internal email to certificate holders; not everyone is given a certificate.

We also have domain controller certificates which I believe are just generated as normal DC activity? We have this certificate enabled for "auto enroll" under the default domain controllers group policy object.

So now for the questions:

1. If I renew the root CA certificate with the same keypair for another 5 years and then renew the user certificates when they expire in a month or two, will they still be able to read previous emails signed with their old certificate or does the new CA certificate invalidate previous ones?
2. Will the domain controller certificates continue to be issued by themselves, or do I need to do something first?
3. What do the domain controller template certificates actually do?

I have read various online documents but can't seem to find what I'm after. It should also tie in with my MS Server 2008 AD study too. I really appreciate any help with this.

Thanks
Brad

Migrated old 2008R2 to 2016 AD but cannot access DC when old server is turned off


I migrated an old 2008 R2 server to a 2016 server. I moved the FSMO roles, added the 2016 server as a global catalog, moved DNS, pointed the new server to itself, and had all the computers' DNS pointed to the new server. I did an FSMO query to make sure the new server had all the roles, and I also did an nslookup to make sure the new server was answering DNS queries. I turned off the old server to test everything out before I uninstall Exchange and demote the server. However, when I turn off the old DC and restart a workstation computer, users can log in, but they can't access the file share; the error message says it cannot contact the domain controller. This smells like DNS to me, but I am not sure what I am missing (I thought I was relatively thorough). Can anyone help out? Anything you guys think I might have missed?

Thank you in advance.


Logon ID 0xf681c880


Hello, does anyone know what this logon ID 0xf681c880 is in AD?

The event ID is 4726 = a user account was deleted and that was the logon ID used.

The security ID is: Domain\ExchangeMailboxServer$

The Account Name is:ExchangeMailbox$


New domain trust - not receiving all options


Hi There,

We are trying to set up a new trust with one of our partners; however, we are not getting any of the options we normally expect. We want to set this up with a shared trust password instead of setting up user accounts in the other domain.

We have set up the necessary DNS zones as per this article - https://www.interfacett.com/blogs/how-to-configure-forest-level-trust-in-windows-server/

However, when setting up the trust we are put straight onto this screen after entering the domain name (removed for privacy), without any of the options before it.

Any ideas?

Thanks

Unable to Disjoin and Rejoin Exchange server 2019


In my sandbox environment, I'm trying to disjoin and rejoin my Exchange 2019 server from/to the domain, but somehow I got the error below.



I've tried disabling the network connection and disabling the Exchange services, but it still failed. Any idea?

Thanks.

After promoting an RODC domain controller successfully, it is not showing in repadmin /replsum


Hello everybody,

I have a Windows Server 2012 domain controller, and I have another server that will function as an RODC.

I promoted the server to be an RODC server; the promotion was successful and at first I could see it on the domain controller by using repadmin /replsum. After some time, I checked again by using repadmin /replsum and I cannot see my new RODC.

My domain controller and RODC are in the same IP segment.

I have tried to reinstall but still same problem.

Please help us to solve it.

Thank you.

Dodi.

AD Domain join - list all device objects joined by specific account


So I have this user in my AD that can join 10 objects. After this number is exceeded we start to get the known message that this is no longer possible. I am looking for a way, a PowerShell script or similar, to list all device objects joined to the domain by a specific user.

Some time ago I was able to do this, but I can't find my notes and Google doesn't give me much to work with.
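As an added example that is not part of the original post: when a non-admin user joins a machine under the ms-DS-MachineAccountQuota allowance, AD stamps the new computer object's mS-DS-CreatorSID attribute with that user's SID, so the objects that count against the quota can be found by filtering on it. This assumes the RSAT ActiveDirectory module; the account name 'joiner' is a placeholder, and the ConvertTo-SidString helper is written to accept either the SecurityIdentifier the module normally returns or a raw byte[].

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
# Only objects created by non-admin joiners carry mS-DS-CreatorSID; machines joined
# by administrators or by accounts with delegated Create Computer rights are not stamped.
Import-Module ActiveDirectory

function ConvertTo-SidString($value) {
    # The AD module returns SID-syntax attributes as SecurityIdentifier objects;
    # handle a raw byte[] too in case the value comes from another provider.
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value.Value }
    if ($value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($value, 0)).Value
    }
    return [string]$value
}

function Get-ComputersJoinedBy {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $userSid = (Get-ADUser -Identity $SamAccountName).SID.Value
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
        Where-Object { (ConvertTo-SidString $_.'mS-DS-CreatorSID') -eq $userSid } |
        Select-Object Name, DNSHostName, whenCreated, DistinguishedName
}

function Get-JoinQuotaUsage {
    # Per-account count of quota-consuming computer objects across the domain; accounts
    # near or over the quota (10 by default) surface at the top.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID |
        Group-Object { ConvertTo-SidString $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $sid = [System.Security.Principal.SecurityIdentifier] $_.Name
            $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                       catch { $sid.Value }   # deleted or foreign account: keep the SID
            [pscustomobject]@{ Account = $account; ComputersCreated = $_.Count }
        } | Sort-Object ComputersCreated -Descending
}

# Usage: 'joiner' is a placeholder for the account from the question.
Get-ComputersJoinedBy -SamAccountName 'joiner' | Format-Table -AutoSize
Get-JoinQuotaUsage | Format-Table -AutoSize
```

Deleting or re-parenting a stale computer object frees that slot; the per-account summary is also a cheap way to spot one account silently joining far more machines than it should.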

Remove demoted DC from replication


Dear all, 

I have a demoted Domain Controller (2012 R2); to be exact, it was never fully promoted by the previous SysAdmin, and I have demoted it correctly.

It shows up when I run repadmin /replsummary and of course in "AD Sites and Services" as well.

I want to remove it from the replication list and stop it showing up as a DC.

The problem now is that this server is still up and running, since it is an active file server, so I cannot force delete it as an object.

So I need to find a way to force remove it as a domain controller but not as a server, like when you dcpromo a DC and it then turns to a server.

I have seen the following guides:

https://www.petri.com/delete_failed_dcs_from_ad

https://www.dtonias.com/forced-removal-domain-controller/

https://blogs.technet.microsoft.com/canitpro/2016/02/17/step-by-step-removing-a-domain-controller-server-manually/

But I don't know which way is the correct one in my case.

Can you assist me?

Thanks!
