Channel: Directory Services forum

Active Directory clean up/ restructure


Hi, I need some advice here.

Background: I worked for an MSP and now work as in-house IT for one of the clients I did work for, and both parties are happy about this.

Active Directory Users & Computers is a mess, and on top of that most users have local admin privileges on their machines, which is preventing me from turning on PS remoting out of concern.

The business owns 3 different companies (company.com, othercompany.com, onlinecompany.com) which are all under one domain tree using the same OU, which has its own nested OUs to separate them, each holding its own OUs for groups, computers, and users.

The MSP installed and used the Server Essentials dashboard, which I want to disable in favour of AAD Connect; during my prep to make the change I started to think about the structure and what I should do with it.

Any thoughts on what I should do: leave it, create a domain for each company, or trash it all and start fresh with Server Nano?

If there is a better place to ask this question let me know.


Rename Active Directory


Hi,
I have the following problem.

For now, speaking generally: in the company I was hired into, someone implemented a one-member name "company" for the Active Directory domain instead of, for example, "company.local". Such a configuration will create difficulties in some situations, for example in the implementation of PKI.

I would like to change the name of this domain to company.local. Next, I would connect the clients (workstations) and servers to the new domain.

I still have the hardest part to configure: Microsoft Exchange 2013 for the new Active Directory name.

Can anyone give me a hint?
Thank you in advance for your help :)



NTFRS 13552/13555 on a single DC.


Inherited a bit of a mess here.... I have one DC that has been in this condition for as far back as the logs go, which is 10/17/2015. I found the following article:

https://support.microsoft.com/en-us/help/2986364/event-id-13552-and-13555-are-logged-in-the-file-replication-service-lo

Since I have another DC with a clean NTFRS, I assume I would just want to perform steps 6 - 10 on the problematic DC? Is it really necessary to delete all those files manually, or can I just stop NTFRS, set BurFlags to D2, and start NTFRS to recover from this?

Thanks!


Adding Access Control Conditions?

Authentication Policies and Silos not working properly


This has totally got me stumped..

Been trying for weeks now to get Active Directory Authentication Policies and Silos working to restrict where a domain admin can authenticate.

The goal is to only allow domain admins to authenticate to domain controllers and specific member servers.

My problem is, I cannot achieve consistent results. I have followed numerous walkthroughs on configuring this.
So far I have:

1. Enabled Kerberos support for claims and armoring

2. Set Domain Controllers to support Dynamic Access Control with "Always provide claims"

3. Created an Authentication Silo

4. Added a test server and test user to the silo (and assigned them)

5. Created an Authentication Policy

6. Specified the Ticket Granting Ticket lifetime for user accounts to 240 mins

7. Under the "Specify access control conditions that restrict devices that can request a Ticket Granting Ticket for the user accounts assigned to this policy" I have the Authentication Silo attached.

Now, from my understanding, my test account inside the silo should only be able to log in to the test server that is also a member of the silo.

However, it cannot log in to any machine.

If someone has had success implementing this feature in AD I would really appreciate the help!!

Environment: Server 2012 R2 DCs and member servers

Thanks so much!
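The seven steps in the post, carried out with the ActiveDirectory module instead of the GUI, as an added example that is not from the thread or from Microsoft's documentation. Policy, silo, user and computer names are placeholders. The point it adds is step 3: silo membership has two halves (the silo must grant access to the account, and the account must be assigned to the silo), and the "allowed to authenticate from" condition is evaluated against the requesting device's silo claim, so the computer the user logs on from has to satisfy both halves as well.

```powershell
# Added example (not from the thread): build the authentication policy and
# silo described above with PowerShell, then verify the assignments.
# All names below are placeholders.
Import-Module ActiveDirectory

$policyName = 'AdminPolicy'
$siloName   = 'AdminSilo'
$testUser   = 'adm.test'     # placeholder: the domain admin test account
$testHost   = 'JUMP01'       # placeholder: the member server admins may use

# Steps 5-7: policy with a 240-minute user TGT and a device condition that
# only honours TGT requests from computers that are members of the silo.
# The SDDL is the form the GUI generates for "member of authentication silo".
$fromCondition = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromCondition `
    -Enforce

# Step 3: the silo, using the policy for users, computers and services.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy     $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy  $policyName `
    -Enforce

# Step 4, both halves for both objects. If either half is missing for the
# computer, no device can present the silo claim and the user's TGT requests
# are rejected everywhere.
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account (Get-ADUser     $testUser)
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account (Get-ADComputer $testHost)
Set-ADUser     -Identity $testUser -AuthenticationPolicySilo $siloName
Set-ADComputer -Identity $testHost -AuthenticationPolicySilo $siloName

# Verification before any logon test: each object should report the silo.
function Get-SiloAssignment {
    param([string]$User, [string]$Computer)
    Get-ADUser     $User     -Properties AuthenticationPolicySilo | Select-Object Name, AuthenticationPolicySilo
    Get-ADComputer $Computer -Properties AuthenticationPolicySilo | Select-Object Name, AuthenticationPolicySilo
}
Get-SiloAssignment -User $testUser -Computer $testHost | Format-Table -AutoSize
```

Authentication policies require the domain functional level to be Windows Server 2012 R2, and the clients involved need the Kerberos client claims/armoring setting from step 1 applied to them, not only to the domain controllers; a logon from any computer outside the silo is expected to fail under this condition.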

Trying to resolve AD errors on new domain controller


Getting a lot of 1311 KCC problems in event viewer on a 2008 R2 domain controller we recently put in place (planning to upgrade whole AD to 2016 but project not yet approved).

It's happening about every 15 minutes for the following partitions:
CN=Configuration,DC=(company),DC=biz

DC=Alpha,DC=(company),DC=biz
(Alpha is a now-retired subdomain/child domain whose DC no longer exists)

DC=int,DC=(company),dc=biz
(Int is a similar case to Alpha, though its DC is still up and running)


And the output from the usual commands:
DCDIAG output:
https://drive.google.com/open?id=1-vl_3S8PUL3E0S_nh-Dt_urX5_NdYH2m

REPADMIN /REPLSUM output:
https://drive.google.com/open?id=10J06XVanNIKQ714tRr9yVojrT40KP2Fg


Can someone give me a hand with getting this sorted out?  The "ORD4" site is going away as we migrate out of our colo datacenter so I have to make sure the ORD1, AUS and AWS sites will all continue to replicate independent of ORD4. 

Thank you!



User Profile Service failed the sign-in: user profile cannot be loaded


Hi all,

I have a problem logging a machine in to the domain. I'll describe my issue:

I have two different domains on different sides: the first domain name is Mac.Org and the other domain name is Mac.org (the same name).

The domains are connected by VPN.

I log in to the first domain using the account Ahmed.Yehia@Mac.Org

and I log in to the other domain using the same account and password.

(Note: I did not make a trust between the domains; I access resources by using the VPN, and the OS is Windows Server 2012 R2.)

When I try to log in to the first domain, I found it loads the profile from the second domain, although my PC already downloaded the profile from the first domain and my PC is on the NTDS of the first domain.

Why is my PC trying to load the profile from the second domain?

My PC is in the DHCP pool range.





PowerShell script required to extract AD users along with Department, Manager, Job title, Telephone number


Hi,

Can you please provide scripts?

A PowerShell script is required to extract AD users along with Department, Manager, Job title, Telephone number.

Regards,

Mohammed Ghouse
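An export of the attributes the post asks for, as an added example that is not from the thread. It uses the ActiveDirectory module's Get-ADUser; the output path is a placeholder. The detail worth showing is that the manager attribute holds a distinguished name, so it is resolved (and cached, since many users share a manager) to a display name before the CSV is written.

```powershell
# Added example (not from the thread): export enabled users with department,
# manager, job title and telephone number to CSV. Output path is a placeholder.
Import-Module ActiveDirectory

$managerCache = @{}   # DN -> display name, so each manager is looked up once

function Resolve-ManagerName {
    param([string]$ManagerDn)
    if ([string]::IsNullOrEmpty($ManagerDn)) { return '' }
    if (-not $managerCache.ContainsKey($ManagerDn)) {
        $m = Get-ADUser -Identity $ManagerDn -Properties DisplayName -ErrorAction SilentlyContinue
        # Fall back to the raw DN if the manager object cannot be read
        $managerCache[$ManagerDn] = if ($m) { $m.DisplayName } else { $ManagerDn }
    }
    return $managerCache[$ManagerDn]
}

function Get-UserDirectoryExport {
    # Title is the LDAP attribute behind "Job title" in the ADUC property sheet.
    Get-ADUser -Filter { Enabled -eq $true } `
               -Properties Department, Manager, Title, telephoneNumber |
        Select-Object SamAccountName, Name, Department, Title,
            @{ n = 'Manager';         e = { Resolve-ManagerName $_.Manager } },
            @{ n = 'TelephoneNumber'; e = { $_.telephoneNumber } } |
        Sort-Object Department, Name
}

Get-UserDirectoryExport |
    Export-Csv -Path 'C:\Temp\ad-users.csv' -NoTypeInformation -Encoding UTF8   # placeholder path
```

Drop the Enabled filter if disabled accounts should be in the report as well; the export runs with the rights of the caller, so a plain domain user account can produce it, since none of these attributes is confidential by default.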


Child Domain DCs not Replicating (inbound + outbound replication disabled)


Question: 
Can a child DC be forcefully removed from the forest domain manually while maintaining authentication services for the child domain?

I have a forest domain, x.com which is hosting (3) child domains, a.x.com, b.x.com, and c.x.com. The c.x.com DC specified in sites and services has not replicated with the primary forest DC in 5 years and is not reachable. However, the DC is still being used to authenticate users for the c.x.com domain on an isolated network. The unreachable DC is causing new DCs for the forest domain to fail promotion of a global catalog server due to the communication issue with unreachable DC.

Can the record for the unreachable DC be removed from sites and services without impacting authentication attempts by the users on the c.x.com domain?

DNS event 4010


After recreating the msdcs.domain.local zone on the domain controllers I'm getting error 4010 in the DNS event log.

The DNS server was unable to create a resource record for  62ebf5b9-1450-4eef-aeaf-f4eb0a16457c._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The DNS server was unable to create a resource record for  1c9ddd24-8672-4052-a22a-22f853d81269._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

I tried locating these resource records, but no luck.

What is the proper way to fix this error?

 

Thanks!

Enable recycle bin in a domain


Hi,

We have a forest with three domains.

We would like to enable the recycle bin on only 2 domains.

How can we perform this target setting?

Migrated old 2008R2 to 2016 AD but cannot access DC when old server is turned off


I migrated an old 2008 R2 server to a 2016 server. I moved the FSMO roles, added the 2016 server as a global catalog, moved DNS, pointed the new server to itself, and had all the computers' DNS pointed to the new server. I did an FSMO query to make sure the new server had all the roles, and I also did an nslookup to make sure the new server was answering DNS queries. I turned off the old server to test everything out before I uninstall Exchange and demote the server. However, when I turn off the old DC and restart a workstation computer, users can log in, but they can't access the file share, with an error message saying it cannot contact the domain controller. This smells like DNS to me, but I am not sure what I am missing (I thought I was relatively thorough). Can anyone help out? Anything you think I might have missed?

Thank you in advance.


Usage of -ServicePrincipalNames when creating gMSA accounts


This question is based on the below article,

https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps

As per the example, the usage for gMSA accounts would look like the following:
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

We always get the error below:

New-ADServiceAccount : The name reference is invalid
At line:1 char:1
+ New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

I was able to fix the issue using the format below. Not sure if the approach was correct, but the SPNs did get auto-registered in SQL Server.

New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

Questions:

1> Which is the correct syntax to create a gMSA using -ServicePrincipalNames?
2> In the above example I have just used one server's SPNs (i.e., sqlserver). But when we have several servers added to the gMSA security group, how do we use -ServicePrincipalNames?

I feel we need more elaborate explanations of -ServicePrincipalNames.
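An added example, not from the thread or from the cmdlet documentation, covering both questions. On New-ADServiceAccount the -ServicePrincipalNames parameter is a plain string array, which is the form the working command in the post uses; the @{Add=...} hashtable form belongs to Set-ADServiceAccount, where it adds, removes or replaces SPNs on an existing account. For several SQL hosts the SPN list is simply built per host. Domain, host and group names are placeholders.

```powershell
# Added example (not from the thread): create a gMSA whose SPN list covers
# several SQL hosts, extend it later, and check for duplicate SPNs.
# Domain, host names and group name are placeholders.
Import-Module ActiveDirectory

$gmsaName  = 'gMSAsqlservice'
$domainDns = 'corp.example.com'               # placeholder domain
$sqlHosts  = 'sqlserver01', 'sqlserver02'     # placeholder hosts that run SQL under the gMSA
$sqlPort   = 1433

function New-SqlSpnList {
    # One SPN pair (with and without port) per host, as a flat string array.
    param([string[]]$Hosts, [string]$Domain, [int]$Port)
    foreach ($h in $Hosts) {
        "MSSQLSvc/${h}.${Domain}"
        "MSSQLSvc/${h}.${Domain}:${Port}"
    }
}

$spns = New-SqlSpnList -Hosts $sqlHosts -Domain $domainDns -Port $sqlPort

# New-ADServiceAccount: -ServicePrincipalNames takes String[], not a hashtable.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "${gmsaName}.${domainDns}" `
    -ServicePrincipalNames $spns `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL_gMSA_group'

# Adding a third host afterwards: here the Add/Remove/Replace hashtable form applies.
Set-ADServiceAccount -Identity $gmsaName -ServicePrincipalNames @{
    Add = New-SqlSpnList -Hosts 'sqlserver03' -Domain $domainDns -Port $sqlPort
}

# Verify, and make sure no other account holds one of these SPNs: a
# duplicate SPN makes Kerberos authentication to that service fail.
(Get-ADServiceAccount -Identity $gmsaName -Properties ServicePrincipalNames).ServicePrincipalNames
foreach ($spn in $spns) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($holders.Count -gt 1) {
        Write-Warning "Duplicate SPN $spn held by: $($holders.Name -join ', ')"
    }
}
```

The -PrincipalsAllowedToRetrieveManaged spelling in the post works only because PowerShell accepts an unambiguous prefix of a parameter name; the full parameter is -PrincipalsAllowedToRetrieveManagedPassword.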

AD to external DNS


Dear Sir,

There is a network that contains a ZyWALL USG-100 router (192.168.1.5), AD 2008 R2 with DHCP (192.168.1.17), and a client PC with Win7 Pro (192.168.1.120)....
In fact, some other Win7 Pro machines also get this problem... about 60-70 clients in total.

I keep the AD server's gateway blank as I don't allow the AD server to access the internet....

ISP-provided DNS:

218.102.23.228

210.87.253.13

I also set 8.8.8.8 and 8.8.4.4 as DNS.

It happens suddenly.

The client PC can ping the server and router, but it cannot access the internet....

tracert and ping to yahoo.com also fail....

nslookup yahoo.com, with the DNS server being the router (192.168.1.5), succeeds... but it still cannot ping yahoo.com.

I run ipconfig /release and ipconfig /renew and it is OK again....

But it happens suddenly again after 1-3 hours.

Please advise....


Sysvol Folder Replication Stuck ( DFSR )


Hi Team,

I am facing an issue with sysvol folder replication; we are using DFSR.

Server details are below:

GPADSORO01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

BPADSODC01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

GPADSODC01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

GPADSODC02

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

APADSODC01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

MPADSODC01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

GPADSODC03

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  2

The problematic server is GPADSODC03; its database state is 2.

The following action was performed: a D2 (non-authoritative) restore on server GPADSODC03.

Total files to be replicated: 11000 in the sysvol folder.

Replication partner selected: GPADSODC01, as per the event logs.

When we ran the backlog command, 9000 files were showing in the backlog.

We tried with a database rename; replication is still stuck at 9000 files. There is no replication schedule, and full bandwidth is allocated.

The registry value below is not created on the problematic server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols\Parent Computer

But the replication partner for GPADSODC03 is GPADSODC01, and when we check, the backlog is stuck at 9000.

Please suggest.
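The WMI query that produces the State table in the post, with the numeric state decoded, plus the backlog and registry checks the post mentions, as an added example that is not from the thread. In the DfsrReplicatedFolderInfo class, State 4 is "Normal" and State 2 is "Initial Sync", so the table shows every DC healthy except GPADSODC03, which is still in its initial sync after the non-authoritative (D2) restore. Server names are taken from the post; the registry path is the one the post quotes and is read as given.

```powershell
# Added example (not from the thread): read the DFSR SYSVOL state from each DC
# and decode it, then look at the backlog from the partner named in the post.
# Get-WmiObject is used because the DCs are Windows Server 2012 R2 era hosts
# running Windows PowerShell 5.1 or earlier.

$stateNames = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error'
}

function Get-SysvolDfsrState {
    param([string[]]$ComputerName)
    foreach ($dc in $ComputerName) {
        Get-WmiObject -ComputerName $dc -Namespace 'root\microsoftdfs' `
            -Class DfsrReplicatedFolderInfo `
            -Filter "ReplicatedFolderName='SYSVOL Share'" |
        ForEach-Object {
            [pscustomobject]@{
                Server  = $dc
                Folder  = $_.ReplicatedFolderName
                Group   = $_.ReplicationGroupName
                State   = $_.State
                Meaning = $stateNames[[int]$_.State]
            }
        }
    }
}

$dcs = 'GPADSORO01', 'BPADSODC01', 'GPADSODC01', 'GPADSODC02',
       'APADSODC01', 'MPADSODC01', 'GPADSODC03'
Get-SysvolDfsrState -ComputerName $dcs | Format-Table -AutoSize

# Backlog from the partner the event log selected towards the stuck server.
Get-DfsrBacklog -SourceComputerName 'GPADSODC01' -DestinationComputerName 'GPADSODC03' `
    -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' -Verbose

# The seeding key quoted in the post, read on the stuck server; an empty
# result means the key or value is absent, as the post reports.
Invoke-Command -ComputerName 'GPADSODC03' -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols'
    if (Test-Path $key) { Get-ItemProperty -Path $key } else { "Key not present: $key" }
}
```

A folder that stays in state 2 with a flat backlog count is worth correlating with the DFSR event log (event IDs in the 4xxx and 5xxx ranges on the destination) before any further database resets; the query above is read-only and safe to run repeatedly.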

 



Write in Machine's Description Field of Windows Active Directory from a MacBook Machine


Hi All,

I need to write a script to modify the "description" attribute of the MacBook computer account in Windows Active Directory with values like the username, the serial number of the MacBook, and the time of last login.

I had managed to write a similar script for this requirement for Windows machines, and the script is working well (VBS code). I have given permissions in Active Directory so that the "description" attribute of an account can be modified from external sources.

Is this requirement feasible? If yes, could anybody guide me on how to write the required script?

Thank you very much for your help.


AD Replication


Hi All,

I run an AD replication Tool once a week as part of our maintenance process. There have not been any problems highlighted by this tool during replication, however, one of the server seems to have an issue on it. The error we are getting on the File Replication log is "The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR" however, as I say when I run the AD replication tool it does not detect any issues.

The issue has now been rectified, but the question remains: why does the tool not pick up these kinds of issues, and why does the tool report that replication between this server and another AD server is OK?

Any information would be greatly appreciated.

Regards.

Removing a computer from a domain does not delete the computer object from Active Directory


Hello,

Removing a computer from a domain does not delete the computer object from Active Directory. Please help me in this regard.

Thanks,

Venkat.

+91 9989361116

After promoting an RODC domain controller successfully, it is not showing in repadmin /replsum


Hello everybody,

I have a Windows Server 2012 domain controller, and I have another server that will function as an RODC.

I promoted the server to be an RODC; the promotion was successful and at first I could see it in the domain controller by using repadmin /replsum. After some time, I checked again using repadmin /replsum and I cannot see my new RODC.

My domain controller and RODC are in the same IP segment.

I have tried to reinstall but still have the same problem.

Please help us to solve it.

Thank you.

Dodi.

EventID 529 - Unknown user name or bad password


We are currently having trouble tracing back the source of multiple failed login attempts, please help. It seems that we have a device trying to brute-force its way into our network. When I check our DC Security logs, I see multiple (1000+) failure audits, EventID 529, with limited information. Below is an example of the Windows Security logs and debug Netlogon logs. I've replaced any and all site-specific information.

When I check the security logs on 'Server1', they don't show any failed login attempts or anything suspicious. I ran a packet capture on 'Server1' while the failed logins generated to see if I could find the source. I was unable to find any of the failed audit account names, 'administrator' in this case, in the capture results. 

3/26/19
5:23:28.000 PM
03/26/2019 05:23:28 PM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=xxxxxx
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=1147571840
Message=Logon Failure:

Reason: Unknown user name or bad password

User Name: xxxxxxxxx$

Domain: xxxxxxxx

Logon Type: 3

Logon Process:NtLmSsp 

Authentication Package:NTLM

Workstation Name:xxxxxxxxxx

Caller User Name:-

Caller Domain:-

Caller Logon ID:-

Caller Process ID:-

Transited Services:-

Source Network Address:'xxxxxxxxxx'

Source Port: 50152
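A triage script for failure audits exported in the key/value text form shown above, as an added example that is not from the thread. It parses each record, keeps the fields that identify the origin (Source Network Address, Workstation Name, account), and ranks origins by failure count; the top row is the source to filter the packet capture on, and the capture should be taken on the DC that logs the events rather than on the server the account belongs to, since an NTLM logon type 3 failure is recorded where the authentication is attempted. The sample records are constructed with placeholder names and documentation-range addresses. Note that the account in the post ends in `$`, which marks a computer account; the script flags those separately, because a machine account failing its own logons points at a specific device rather than at someone guessing a password.

```powershell
# Added example (not from the thread): parse legacy 529 failure audits from the
# key=value export format and rank the failing sources. Records below are
# constructed; real input is the exported Security log text.
$sample = @'
EventCode=529
Type=Failure Audit
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: CORP
Logon Type: 3
Logon Process:NtLmSsp
Authentication Package:NTLM
Workstation Name:OLDSCANNER
Source Network Address:'192.0.2.55'
Source Port: 50152

EventCode=529
Type=Failure Audit
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: CORP
Logon Type: 3
Logon Process:NtLmSsp
Authentication Package:NTLM
Workstation Name:OLDSCANNER
Source Network Address:'192.0.2.55'
Source Port: 50153

EventCode=529
Type=Failure Audit
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name: FILESRV01$
Domain: CORP
Logon Type: 3
Logon Process:NtLmSsp
Authentication Package:NTLM
Workstation Name:FILESRV01
Source Network Address:'192.0.2.80'
Source Port: 49211
'@

function Get-LogonField {
    # Labels are sometimes followed by a space and values may be quoted,
    # e.g. "Logon Process:NtLmSsp " or "Source Network Address:'1.2.3.4'".
    param([string]$Record, [string]$Label)
    if ($Record -match "(?m)^$Label\s*:\s*'?([^'\r\n]*)'?\s*$") { return $Matches[1].Trim() }
    return '-'
}

function ConvertFrom-LegacyLogonFailure {
    param([string]$Text)
    # Records are separated by blank lines; keep only 529 failure audits.
    foreach ($rec in ($Text -split '(?:\r?\n){2,}')) {
        if ($rec -notmatch 'EventCode=529') { continue }
        $user = Get-LogonField $rec 'User Name'
        [pscustomobject]@{
            User        = $user
            IsComputer  = $user.EndsWith('$')      # machine accounts end in $
            Domain      = Get-LogonField $rec 'Domain'
            LogonType   = Get-LogonField $rec 'Logon Type'
            Package     = Get-LogonField $rec 'Authentication Package'
            Workstation = Get-LogonField $rec 'Workstation Name'
            SourceIP    = Get-LogonField $rec 'Source Network Address'
        }
    }
}

function Get-FailureSources {
    param([string]$Text)
    ConvertFrom-LegacyLogonFailure -Text $Text |
        Group-Object SourceIP, Workstation, User, IsComputer |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Source (IP, workstation, user, computer account)'; e = { $_.Name } }
}

Get-FailureSources -Text $sample | Format-Table -AutoSize
```

On Windows Server 2008 and later the same failure is logged as event 4625 with the same field names, so the parser needs only the EventCode value changed; when Source Network Address is empty or "-", the Workstation Name field is the remaining lead, and correlating the failure timestamps with the Netlogon debug log shows which DC or member server forwarded the attempt.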


