Active Directory clean up/ restructure

March 24, 2019, 7:29 pm

≪ Previous: ad / sysvol version mismatch although all AD and SYSVOL GP versions correct

Hi I need some advice here.

Background: I worked for a MSP and now work as in house IT for one of the clients I did work for and both parties are happy about this.

Active directory users & computers is a mess and on top of it most users having local admin privileges to their machines which is preventing me from turning on PS remoting out of concern.

The business owns 3 different companies (company.com, othercompany.com, onlinecompany.com) who are all under the One domain tree using the same OU which has their own nested OU to separate them, each holding their own OU for groups, computers, and users.

The MSP installed and used server essentials dashboard which I want to disable and use AAD Connect, during my prep to make the change I started to think about the structure and what I should do with it.

Any thoughts on what I should do, leave it, create a domain for each company, trash it all and start fresh with server nano?

If there is a better place to ask this question let me know.

↧

Rename Active Directory

March 24, 2019, 4:23 pm

≫ Next: NTFRS 13552/13555 on a single DC.

≪ Previous: Active Directory clean up/ restructure

Hi,
I have the following problem.

For now, in speak general in the company I was hired in, someone in the Active Directory Domain implemented a one-member name"company" instead of, for example,„company.local”. Such configuration in some situations will create difficulties, for example in the implementation of PKI.

I would like to change the name of this domain to company.local. Next, I would connect clients (workstations) and servers to the new domain.

I still have the hardest part to configure - Microsoft Exchange 2013 to the new Active Directory name.

Can anyone give me a hint?
Thank you in advance for your help :)

Microsoft Tech Net

↧

NTFRS 13552/13555 on a single DC.

March 18, 2019, 7:21 am

≫ Next: Adding Access Control Conditions?

≪ Previous: Rename Active Directory

Inherited a bit of a mess here.... I have one DC that has been in this condition for as far back as the logs go, which is 10/17/2015. I found the following article:

https://support.microsoft.com/en-us/help/2986364/event-id-13552-and-13555-are-logged-in-the-file-replication-service-lo

Since I have another DC with a clean ntfrs, I assume I would just want to perform steps 6 - 10 on the problematic DC? Is it really necessary to delete all those files manually, or can I just stop ntfrs, set burflag D2, and start ntfrs to recover from this?

Thanks!

↧

Adding Access Control Conditions?

March 25, 2019, 6:51 am

≫ Next: Authentication Policies and Silos not working properly

≪ Previous: NTFRS 13552/13555 on a single DC.

I am following this:

https://social.technet.microsoft.com/wiki/contents/articles/26945.authentication-policies-and-authentication-silos-restricting-domain-controller-access.aspx

Trying to add a computer access control condition as below but as shown in the second screen I don't see the AuthenticationSilo in the Drop down menu, nor I do see equal or Silo I created in the last field?

Thoughts? Thank you

↧

Authentication Policies and Silos not working properly

December 11, 2017, 2:00 pm

≫ Next: Trying to resolve AD errors on new domain controller

≪ Previous: Adding Access Control Conditions?

This has totally got me stumped..

Been trying for weeks now to get Active Directory Authentication Policies and Silos working to restrict where a domain admin can authenticate.

The goal is to only allow domain admins to authenticate to domain controllers and specific member servers.

My problem is, I cannot achieve consistent results. I have followed numerous walkthroughs on configuring this.
So far I have

1. Enabled Kerberos support for claims and armoring

2. Set Domain Controllers to support Dynamic Access Control with "Always provide claims"

3. Created an Authentication Silo

4. Added a test server and test user to the silo (and assigned them)

5. Created an Authentication Policy

6. Specified the Ticket Granting Ticket lifetime for user accounts to 240 mins

7. Under the "Specify access control conditions that restrict devices that can request a Ticket Granting Ticket for the user accounts assigned to this policy" I have the Authentication Silo attached.

Now, from my understanding, my test account inside the silo should only be able to login to the test server that is also a member of the silo.

However, it cannot login to any machine.

If someone has had success implementing this feature in AD I would really appreciate the help!!

Environment: Server 2012 R2 DCs and member servers

Thanks so much!

↧

Trying to resolve AD errors on new domain controller

March 22, 2019, 7:02 am

≫ Next: user profile service failed the sign in user profile be loaded

≪ Previous: Authentication Policies and Silos not working properly

Getting a lot of 1311 KCC problems in event viewer on a 2008 R2 domain controller we recently put in place (planning to upgrade whole AD to 2016 but project not yet approved).

It's happening about every 15 minutes for the following partitions:
CN=Configuration,DC=(company),DC=biz

DC=Alpha,DC=(company),DC=biz
(Alpha is a now-retired subdomain/child domain whose DC no longer exists

DC=int,DC=(company),dc=biz
(Int is a similar case to Alpha, though its DC is still up and running)

And the output from the usual commands:
DCDIAG output:
https://drive.google.com/open?id=1-vl_3S8PUL3E0S_nh-Dt_urX5_NdYH2m

REPADMIN /REPLSUM output:
https://drive.google.com/open?id=10J06XVanNIKQ714tRr9yVojrT40KP2Fg

Can someone give me a hand with getting this sorted out? The "ORD4" site is going away as we migrate out of our colo datacenter so I have to make sure the ORD1, AUS and AWS sites will all continue to replicate independent of ORD4.

Thank you!

↧

user profile service failed the sign in user profile be loaded

March 25, 2019, 10:20 am

≫ Next: power shell script to requried to extract AD users along with , Department, Manager, Jobtitle Telephone number

≪ Previous: Trying to resolve AD errors on new domain controller

hi all

i have problem to login machine to domain i describe my issue:

i have two domain differnet between side the frist domain name is Mac.Org and other domain name the is Mac.org (the Same name)

conncet between domains by VPN

i login to frist domain by using account Ahmed.Yehia@Mac.Org

and i login to other Domain by Using The same Account and password

(notes i doesnt make trust between domains and i access resoures by using VPN And OS are runing windows server 2012 r2)

when i try to login frist domain i found out load profile from second Domain and my pc arleady downloaded profile from frist domian and my pc on NTDS Frist domain

why my pc is try to load profile from second domian )

my pc in the rang pool dhcp

↧

power shell script to requried to extract AD users along with , Department, Manager, Jobtitle Telephone number

March 25, 2019, 11:11 am

≫ Next: Child Domain DCs not Replicating (inboud + outbound replication disabled)

≪ Previous: user profile service failed the sign in user profile be loaded

Hi,

Can you please provide scripts ?

power shell script to requried to extract AD users along with , Department, Manager, Jobtitle Telephone number

Regards,

Mohammed Ghouse

↧

Child Domain DCs not Replicating (inboud + outbound replication disabled)

March 22, 2019, 1:47 pm

≫ Next: DNS event 4010

≪ Previous: power shell script to requried to extract AD users along with , Department, Manager, Jobtitle Telephone number

Question:
Can a child DC be forcefully removed from the forest domain manually while maintaining authentication services for the child domain?

I have a forest domain, x.com which is hosting (3) child domains, a.x.com, b.x.com, and c.x.com. The c.x.com DC specified in sites and services has not replicated with the primary forest DC in 5 years and is not reachable. However, the DC is still being used to authenticate users for the c.x.com domain on an isolated network. The unreachable DC is causing new DCs for the forest domain to fail promotion of a global catalog server due to the communication issue with unreachable DC.

Can the record for the unreachable DC be removed from sites and services without impacting authentication attempts by the users on the c.x.com domain?

↧

DNS event 4010

December 29, 2011, 8:33 am

≫ Next: Enable recycle bin in a domain

≪ Previous: Child Domain DCs not Replicating (inboud + outbound replication disabled)

After recreating msdcs.domain.local zone on domain controllers I'm getting error 4010 in the DNS event log.

The DNS server was unable to create a resource record for 62ebf5b9-1450-4eef-aeaf-f4eb0a16457c._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The DNS server was unable to create a resource record for 1c9ddd24-8672-4052-a22a-22f853d81269._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

I tried locating this resource records, but no luck.

What is the proper way to fix this error

Thanks!

↧

Enable recycle bin in a domain

March 24, 2019, 4:56 am

≫ Next: Migrated old 2008R2 to 2016 AD but cannot access DC when old server is turned off

≪ Previous: DNS event 4010

Hi,

We have a forest with three domain.

We would like enable recycle bin only on 2 domain.

How we can perform this target settings?

↧

Migrated old 2008R2 to 2016 AD but cannot access DC when old server is turned off

March 21, 2019, 7:42 pm

≫ Next: Usage of -ServicePrincipalNames when creating gMSA accounts

≪ Previous: Enable recycle bin in a domain

I migrated an old 2008R2 server to a 2016 server. Moved the FSMO roles, added the 2016 server to be a global catalog, moved DNS, pointed the new server to itself and had all the computers DNS pointed to the new server. I did a fsmo query to make sure the new server had all the roles, I also did a nslookup to make sure the new server was answering DNS calls. I turned off the old server to test everything out before I uninstall exchange and demote the server. However, when I turn off the old DC and restart a workstation computer. They can log in, but they can't access the file share with an error message saying it cannot contact the domain controller. This smells like DNS to me, but I am not sure what I am missing (I thought I was relatively thorough) Can anyone help out? Anything you guys think I might have missed?

Thank you in advance.

↧

Usage of -ServicePrincipalNames when creating gMSA accounts

September 8, 2018, 2:07 am

≫ Next: AD to external DNS

≪ Previous: Migrated old 2008R2 to 2016 AD but cannot access DC when old server is turned off

This question is based on the below article,

https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps

As per the example the usage will look like below for gMSA accounts,
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

We always get the below error,

New-ADServiceAccount : The name reference is invalid
At line:1 char:1
+ New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

Was able to fix the issue using the below format. Not sure if the approach was correct but SPNs did get auto-registered in SQL Server.

New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com PrincipalsAllowedToRetrieveManaged SQL_gMSA_group
************************************************************************************************************
Questions :
*****************************************
1> Which is the correct syntax to create gMSA using -ServicePrincipalNames ?
2> In the above example I have just used one server SPNs[ie., sqlserver]. But when we have several servers added to the gMSA Security Group, how do we use -ServicePrincipalNames?

I feel we need to have more elaborate explanations to the -ServicePrincipalNames.

↧

AD to external DNS

March 19, 2019, 6:43 pm

≫ Next: Sysvol Folder Replication Stuck ( DFSR )

≪ Previous: Usage of -ServicePrincipalNames when creating gMSA accounts

Dear Sir,

There is a network that contain zywall usg-100 router(192.168.1.5), AD 2008r2 with dhcp (192.168.1.17), Client PC win7 pro(192.168.1.120)....
in fact, there are some win7 pro also get this problem...total about 60-70 client.

I keep AD server gateway blank as I don't allow the AD Server access internet....

ISP provide dns

218.102.23.228

210.87.253.13

I also set 8.8.8.8 and 8.8.4.4 to DNS

It happen suddenly.

Client PC can ping server and router.but it can not access internet....

tracert and ping yahoo.com but also failed....

nslookup yahoo.com and the dns server is router(192.168.1.5)...it is scucess... but still can not ping yahoo.com

I process ipconfig /release and ipconfig /new it is OK again....

but it also happen suddenly again after 1-3 hours

please advise....

↧

Sysvol Folder Replication Stuck ( DFSR )

March 25, 2019, 4:10 pm

≫ Next: Write in Machine's Description Field of Windows Active Directory from a MacBook Machine

≪ Previous: AD to external DNS

Hi Team,

I am facing issue for sysvol folder replication, we are using DFSR.

Server Details are below:

GPADSORO01