Helle,

I'm trying to do an upgrade of my domain replication method from the old one (FRS) to the new one DFRS.

The idea behind it is to replace old Domain Controllers W2k8R2 with new ones W2k16.

The existing servers (domain Controllers) are 2 W2k8 R2 and one W2k16 and one RODC  W2k12R2.

The prepared step is done on all DC's and RODC says "waiting for the initial sync".

On all servers there is a folder SYSVOL and SYSVOL_DFRS with the same content...

What can I do to continue with the migration .....

Hi All,

Recently am unable to access ADMT tool, when i launch is it shows database error. Have checked and found that database is available in OS drive, but unable to find the SQL application in the server. So installed the SQL express edition and now also not able to access it. Tried to attach the database in SQL but it's giving some different error.

Is there any way to get back the ADMT tool as working condition? 

Thanks in advance.

Hi All,

Recently am unable to access ADMT tool, when i launch is it shows database error. Have checked and found that database is available in OS drive, but unable to find the SQL application in the server. So installed the SQL express edition and now also not able to access it. Tried to attach the database in SQL but it's giving some different error.

Is there any way to get back the ADMT tool as working condition? 

Thanks in advance.

I have found this Powershell script and am having trouble modifying it to only pull Computer objects that do not have a BitLocker Key stored in AD. IThis script pulls all computers but I am struggling to sort out computers with keys. Any help would be appreciated Thanks in advance. 

Powershell:

Get-ADComputer -Filter 'ObjectClass -eq "computer"' -SearchBase "OU=Asia,OU=Branches,DC=corp,DC=company,DC=com" | foreach-object {
$Computer = $_.name
#Check if the Computer Object exists
$Computer_Object = Get-ADComputer -Filter {cn -eq $Computer} -Property msTPM-OwnerInformation, msTPM-TpmInformationForComputer
if($Computer_Object -eq $null){
Write-Host "Error..."
}
#Check if the computer object has had a BitLocker Recovery Password
$Bitlocker_Object = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $Computer_Object.DistinguishedName -Properties 'msFVE-RecoveryPassword' | Select-Object -Last 1
if($Bitlocker_Object.'msFVE-RecoveryPassword'){
$BitLocker_Key = $BitLocker_Object.'msFVE-RecoveryPassword'
}else{
$BitLocker_Key = "none"
}
#Display Output
$strToReport = $Computer + "," + $BitLocker_Key
Write-Host $strToReport
#Save to Report
$strToReport | Out-File C:\temp\Report.txt -append
} 

Hi Guys,

We have come across an issue whereby we need to add some groups from a Domain A to Domain B so that they are able to access network shares.

I login to AD and attempt to include the group from Dom A to Dom B but when I change domain at the point it asks me to include the group I only see Dom A. I have previously seen both Domains at this stage but all of a sudden I cannot.

Any idea what I might need to do in order to resolve this issue.

With Regards.

Hello!

We have a Terminal Server where published Outlook.

When user logon on server and use Outlook with the same user account - everything is all right. But when we use another account in Outlook (another from that we used to logon to server), it waits 20 minutes and then logons. In Wireshark traffic we see that server tries to bind with DC located in its Site on port 88, but then DC sends TCP Reset to it. After that Terminal server sends bind join request again and binds. But then goes to other DCs from different Sites, many of them are unavailable. I checked 88, 3268 and 389 ports with telnet on first DC, all they opened. All subnets linked to right Sites. Why Outlook tries all DCs in all Sites to authenticate? Or may be find Exchange Server?

Thank you.

We have a linux machine comp1 which is connected to Microsoft Windows Active Directory i.e we have a machine account created on the AD server. Along with that, we have domain user accounts created on AD server. Hence when those users login to comp1, they are authenticated using their AD accounts.

As per my limited knowledge, the machine (comp1) account secret/password keeps changing periodically and this change is initiated by the client (comp1). Once this the secret/password for comp1 account is updated on the AD server, then it is updated locally on comp1. For Linux, there is a process which handles this in the background.

In our customer's environment, I observed in the logs that, the secret/password change was done on 11/21 after which we started seeing PreAuthentication failures.

My question is that, is it possible that the secret/password change for Machine Account which it initiated fail to get updated on AD server resulting into a miss match ? Is there any similar known issue for any windows AD server versions i.e Machine Account password update fails?

When we execute the command to join our Linux Machine (comp1) to the Windows AD server from comp1, we get the following error ->

Failed to join Domain: Failed to set Machine SPN:Operations Error

Do you have sufficient permissions to create Machine account.

The user we are using to do the join is a Domain Admin account.

What can be a possible cause of this issue ? 

Can this be related to permissions that the user account has on AD server ?

What permissions are needed for the user account being used ? 

Any suggestions to solve this?

We currently have the firewall (domain profile) turned off on our domain controllers to ensure all services are available.

I have been having second thoughts about this. Should I enable to firewall? If so, how should I configure it?

Thanks

forgive the double posting, but I selected the wrong forum initially.

I am having a problem with a user account getting this error consistently for the past few months.  I have finally narrowed it down using MS Network Monitor.

95613    9:26:00 AM 3/20/2019    2137.5229241        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3204, IPv4:15}
95614    9:26:00 AM 3/20/2019    2137.5234901        DANUBE      tigris.Accounting.local    KerberosV5    KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)    {TCP:3204, IPv4:15}
95625    9:26:00 AM 3/20/2019    2137.5238680        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.EDT.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3205, IPv4:15}
95626    9:26:00 AM 3/20/2019    2137.5243039        DANUBE      tigris.Accounting.local    KerberosV5    KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)    {TCP:3205, IPv4:15}
95643    9:26:00 AM 3/20/2019    2137.5795441        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3206, IPv4:15}

I have seen articles point to the SPN not being in the kerberos database but that is not the case here from what I see:

C:\WINDOWS\system32>setspn -L tigris
Registered ServicePrincipalNames for CN=tigris,CN=Computers,DC=Accounting,DC=local:
        MSSQLSvc/tigris.Accounting.local:1433
        MSSQLSvc/tigris.Accounting.local
        TERMSRV/TIGRIS
        TERMSRV/tigris.Accounting.local
        RestrictedKrbHost/TIGRIS
        HOST/TIGRIS
        RestrictedKrbHost/tigris.Accounting.local
        HOST/tigris.Accounting.local

C:\WINDOWS\system32>setspn -L user
Registered ServicePrincipalNames for CN=User,CN=Users,DC=Accounting,DC=local:

[ I noticed today that after I enable the account as Administrator, the user logs in but the kerberos ticket is non-existant until I do a setspn for the user name. ]

What am I missing? 

thanks

I have a service account that was created in 2010. I have a high suspicion that it was never logged into. However, both the lastlogon (1/24/19 on all DCs) and lastlogondate (3/18/19) are giving me dates that are recent. Could anything update these values other than a true logon? 

Reasons for believing it has never been logged into:

PasswordLastSet is null

The account must be changed on next logon is ticked

The guy that created it is no longer here (for years) and nobody from his area has any knowledge of the account.

It just seems very unlikely that someone could have logged in to an account that nobody claims to be using which has those values set. So something must have updated those other attributes, but how or what?

AccountExpirationDate              : 
accountExpires                     : 0
AccountLockoutTime                 : 
AccountNotDelegated                : False
AllowReversiblePasswordEncryption  : False
BadLogonCount                      : 
CannotChangePassword               : False
CanonicalName                      : domain/Users and 
                                     Groups/OU/OU/SERVICEACCOUNT
Certificates                       : {}
City                               : 
CN                                 : SERVICEACCOUNT
codePage                           : 0
Company                            : 
Country                            : 
countryCode                        : 0
Created                            : 12/7/2010 4:24:42 PM
createTimeStamp                    : 12/7/2010 4:24:42 PM
Deleted                            : 
Department                         : 
Description                        : Service Account description
DisplayName                        : SERVICEACCOUNT
DistinguishedName                  : CN=SERVICEACCOUNT,OU=SystemAccounts,OU=OU,OU=Users and 
                                     Groups,DC=DC,DC=DC,DC=DC
Division                           : 
DoesNotRequirePreAuth              : False
dSCorePropagationData              : {3/5/2019 7:31:08 AM, 9/13/2018 2:57:21 PM, 4/27/2018 
                                     2:54:13 PM, 3/28/2018 5:11:30 PM...}
EmailAddress                       : 
EmployeeID                         : 
EmployeeNumber                     : 
Enabled                            : True
Fax                                : 
GivenName                          : 
HomeDirectory                      : 
HomedirRequired                    : False
HomeDrive                          : 
HomePage                           : 
HomePhone                          : 
Initials                           : 
instanceType                       : 4
isDeleted                          : 
LastBadPasswordAttempt             : 
LastKnownParent                    : 
LastLogonDate                      : 3/18/2019 12:09:58 PM
lastLogonTimestamp                 : 131974025981047237
LockedOut                          : False
LogonWorkstations                  : 
Manager                            : 
MemberOf                           : {}
MNSLogonAccount                    : False
MobilePhone                        : 
Modified                           : 3/18/2019 12:09:58 PM
modifyTimeStamp                    : 3/18/2019 12:09:58 PM
msDS-User-Account-Control-Computed : 8388608
Name                               : SERVICEACCOUNT
nTSecurityDescriptor               : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                     : CN=Person,CN=Schema,CN=Configuration,DC=DC,DC=DC
ObjectClass                        : user
ObjectGUID                         : GUID
objectSid                          : SID
Office                             : 
OfficePhone                        : 
Organization                       : 
OtherName                          : 
PasswordExpired                    : True
PasswordLastSet                    : 
PasswordNeverExpires               : False
PasswordNotRequired                : False
POBox                              : 
PostalCode                         : 
PrimaryGroup                       : CN=Domain Users,CN=Users,DC=DC,DC=DC,DC=DC
primaryGroupID                     : 513
ProfilePath                        : logon.bat
ProtectedFromAccidentalDeletion    : False
pwdLastSet                         : 0
SamAccountName                     : SERVICEACCOUNT
sAMAccountType                     : 805306368
ScriptPath                         : 
sDRightsEffective                  : 0
ServicePrincipalNames              : {}
SID                                : SID
SIDHistory                         : {}
SmartcardLogonRequired             : False
State                              : 
StreetAddress                      : 
Surname                            : 
Title                              : 
TrustedForDelegation               : False
TrustedToAuthForDelegation         : False
UseDESKeyOnly                      : False
userAccountControl                 : 512
userCertificate                    : {}
userParameters                     : 
UserPrincipalName                  : SERVICEACCOUNT@Domain
uSNChanged                         : 513394461
uSNCreated                         : 118739
whenChanged                        : 3/18/2019 12:09:58 PM
whenCreated                        : 12/7/2010 4:24:42 PM

Can I setup a non-transitive trust between root domains within the same forest?

I have 5 domains within a forest. They are not child domains. All root domains.

I want to create a two way trust between:

Domain A and Domain B
Domain A and Domain C
Domain A and Domain D
Domain A and Domain E

I don't want Domains B, C, D or E to have any trusts between them though.

Is that possible?

Hi Team,

I am facing issue for sysvol folder replication, we are using DFSR.

Server Details are below:

GPADSORO01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

BPADSODC01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

GPADSODC01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

GPADSODC02

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

APADSODC01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

MPADSODC01

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  4

GPADSODC03

ReplicatedFolderName ReplicationGroupName  State

SYSVOL Share         Domain System Volume  2

Problematic server is  GPADSODC03 his database state is 2

Following Action performed D2.non-Auth Performed on server GPADSODC03

Total Files to be replication 11000 in sysvol folder.

Replication partner selected GPADSODC01 as per event logs

When we ran backlog command 9000 files showing in backlogs.

We tried with database rename still replication stuck at 9000 file, their is no scheduled replication, full bandwidth allocated.

 Below registry file is not created on problematic server 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols\Parent Computer”

But replication partner is GPADSODC01 for GPADSODC03, when we check backlog is stuck at 9000.

Please suggest.

We were having the below site infrastructure ..

Site infrastructure

Location : A

Site1: All subnets authenticating through this site

DC1

Site1-Win2K8: no subnet authenticated (Not sure if previous Owner explicitly defined it somewhere in the registry - it was required in the past to have separate site when the upgrade from Windows Server 2003 to Windows Server 2008 was done)

DC2

Site1-DMZ : DMZ subnets authenticated to this site

RoDC

which have a connection to DC2

I want to get rid of  Site-Win2K8 and move DC2 to Site 1 but I am not sure if it will affect the connection with DMZ .. I need to confidently move DC2 to Site 1 without affecting the connection between DC2 and RoDC

Hello,

I'm trying to setup a new server farm in my domain and I built a gMSA called NewFarm where i put two servers: SVR01 and SVR 02. When i run the following command:

Get-ADServiceAccount NewFarm -Properties * | Select PrincipalsAllowedToRetrieveManagedPassword

I get:

PrincipalsAllowedToRetrieveManagedPassword                                                                                                                                                                                                                
------------------------------------------                                                                                                                                                                                                                    
{CN=SVR02,OU=NewFarm,DC=contoso,DC=net, CN=SVR01,OU=NewFarm,DC=contoso,DC=net}

The installation on the SVR01 server goes, but into the second one i get the following error:

Install-ADserviceAccount NewFarm

Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.

I take a look into the Operational Log and i found this error description:

Netlogon failed to add NewFarm as a managed service account to this local machine. The specified Domain did not exist

What am I doing worng?

Hi,

We are planning for AD upgradation from 2008R2 to 2016. So before upgradation what are the recommended prerequisites to be done? like assessment of existing Active Directory Infrastructure.. what all things to be tested before upgradation?

Getting a lot of 1311 KCC problems in event viewer on a 2008 R2 domain controller we recently put in place (planning to upgrade whole AD to 2016 but project not yet approved).

It's happening about every 15 minutes for the following partitions:
CN=Configuration,DC=(company),DC=biz

DC=Alpha,DC=(company),DC=biz
(Alpha is a now-retired subdomain/child domain whose DC no longer exists

DC=int,DC=(company),dc=biz
(Int is a similar case to Alpha, though its DC is still up and running)

And the output from the usual commands:
DCDIAG output:
https://drive.google.com/open?id=1-vl_3S8PUL3E0S_nh-Dt_urX5_NdYH2m

REPADMIN /REPLSUM output:
https://drive.google.com/open?id=10J06XVanNIKQ714tRr9yVojrT40KP2Fg

Can someone give me a hand with getting this sorted out?  The "ORD4" site is going away as we migrate out of our colo datacenter so I have to make sure the ORD1, AUS and AWS sites will all continue to replicate independent of ORD4. 

Thank you!

I have a rather interesting issue I'm hoping the community may be able to point me in the direction of what I should look at for troubleshooting the matter.

My first question is how does the DNS GUI retrieve DNS records?
I ask because when I'm logged directly into the Domain Controller I can see all DNS entries in the forward lookup zone for my domain.  It then get interesting when I log into a management server and open DNS there, I connect to the same DC as above but now I'm missing a number of records. (it would appear all computers on my domain can no longer translate these missing dns entry computer names to IP).  However reverse lookup of the IP address do resolve to the name.
The plot get more interesting when I run the following powershell command on the DC the GUI shows all records.

the powershell command is suffering the same missing dns entries as all the rest, so I'm curious on how the GUI does the look up locally versus remotely.

This is obviously having a flow on affect as name resolution failure leads to monitor failures and connection issues.

This may be related but I'm unsure as I remove a security group from the network thatpenetration testing claimed they got access to members and therefore access to edit the domain admins group.  however again when running effective permissions on the DC it should they did not have the rights, however connecting to the same DC from a management server the effective permissions should they did. (I tested with an account they didn't have the rights so it was a false positive result) I can't help but wonder if the two issues are linked.

one thought could be replication but surely connecting to the same DC (let alone running the powershell locally on the DC) would rule this out.

anyone have any thoughts on what paths I should be looking into?  Currently running 2008 R2 level (there is a project to upgrade 2016 hopefully in the next month so who knows this could be my cure)

Named Pipes and Shares can be accessed anonymously

Hello.

I'm trying to use LDIFDE to export a single computer account to an *.LDF file, then trying ot import that computer account after it's been deleted. At this point it's more academic, but it could morph into something else down the road.

------------

The export cmd I'm using is: 
ldifde -d "OU=Test,DC=Domain,DC=Local" -p subtree -o "uSNCreated,uSNChanged,objectguid,whencreated,whenchanged,objectSid,dSCorePropagationData,accountExpires,pwdLastSet" -j c:\temp -f test9.ldf

-------------

The export always seems to work just fine. But importing them is where I'm getting stuck. Here's my import cmd:
ldifde -i -k -j c:\temp -f test9.ldf

When I run the above cmd, I get the following error:

-------------------------

----------------------------

So, I'm confused on what AD thinks is happening and what attribute the SAM owns and won't let go of. Do I need ot run the import in DSRM mode?

::- T.I.A. -::