Channel: Directory Services forum

Creating posixGroup object in Directory


I would like to create an item with the following attributes in the directory to map some user groups for Linux clients

cn=xx01-private

objectClass: posixGroup

gidNumber: 1945

memberUid:  xx01-private

these are so we can map the private groups for each Linux user - the aim is to make it easier for lookup by Linux clients.

When I try to create such an item using New-ADObject from powershell I get the error

PS C:\Windows\system32> New-ADObject -name "xx01-privater" -type posixGroup -Path "ou=PersonnalGroups,dc=a..."

New-ADObject : The object cannot be added because the parent is not on the list of possible superiors
At line:1 char:1
+ New-ADObject -name "xx01-private" -type posixGroup -Path "ou=PersonnalGroups,...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (cn=xx01-private,ou=P...:String) [New-ADObject], ADException
    + FullyQualifiedErrorId : The object cannot be added because the parent is not on the list of possible superiors,Microsoft.ActiveDirectory.Management.Commands.NewADObject

I also get an error if I try to create a group, then add objectClass posixGroup and remove group.

Advice on how to create the object, or confirmation that it is not possible, would be helpful.
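The error above is what AD returns when you try to instantiate an auxiliary class: in the Windows schema posixGroup (like posixAccount and shadowAccount) is auxiliary, so it has no possible superiors of its own and can only contribute attributes to a structural object such as group. The following is an added example, not code from the original post, showing one way to reach the poster's goal: confirm the class category from the schema, guard against a gidNumber collision (AD does not enforce uniqueness, and a duplicate GID silently merges two groups on the Linux side), create an ordinary group carrying the RFC 2307 attributes, and read back what an LDAP client will see. The OU path and domain are hypothetical placeholders; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module. The OU path and the domain below are hypothetical placeholders.
Import-Module ActiveDirectory

$ou   = 'OU=PersonnalGroups,DC=example,DC=local'   # hypothetical
$name = 'xx01-private'
$gid  = 1945

# 1. Why New-ADObject -Type posixGroup fails: objectClassCategory 3 means
#    auxiliary, and auxiliary classes have no possSuperiors of their own.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=posixGroup)' `
          -Properties objectClassCategory
if ($cls.objectClassCategory -eq 3) {
    Write-Host "posixGroup is auxiliary; it has to ride on a structural class such as 'group'."
}

# 2. AD does not enforce gidNumber uniqueness. Two groups with the same GID
#    become one group as far as a Linux client is concerned, so refuse a clash.
$clash = Get-ADObject -LDAPFilter "(&(objectClass=group)(gidNumber=$gid))" -Properties gidNumber
if ($clash) { throw "gidNumber $gid is already used by $($clash.DistinguishedName)" }

# 3. Create a normal security group and populate the RFC 2307 attributes that
#    the posixGroup auxiliary class contributes to the 'group' class.
New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security `
            -Path $ou -OtherAttributes @{ gidNumber = $gid; memberUid = $name }

# 4. Optional: if the Linux side filters on (objectClass=posixGroup), link the
#    auxiliary class dynamically. Needs forest functional level 2003 or later;
#    'group' itself must stay in objectClass, which is why removing it fails.
Set-ADObject -Identity "CN=$name,$ou" -Add @{ objectClass = 'posixGroup' }

# 5. Read back exactly what an LDAP client such as sssd or nslcd will see.
Get-ADGroup -Identity $name -Properties gidNumber, memberUid, objectClass |
    Select-Object Name, gidNumber, memberUid, @{ n = 'objectClass'; e = { $_.objectClass -join ',' } }
```

If the goal is only a per-user private group, the same gidNumber can also be written to the user object (posixAccount is auxiliary on user), which is what most Linux clients use as the primary GID; the group object is still needed if anything resolves the GID back to a name.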


Adding Access Control Conditions?


I am following this:

https://social.technet.microsoft.com/wiki/contents/articles/26945.authentication-policies-and-authentication-silos-restricting-domain-controller-access.aspx

I am trying to add a computer access control condition as below, but as shown in the second screen I don't see AuthenticationSilo in the drop-down menu, nor do I see "Equals" or the silo I created in the last field. I have created an Authentication Policy Silo and linked it to my Authentication Policy. I rebooted the server too, but no luck.

Thoughts?  Thank you
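The condition the GUI builds in that dialog is stored on the policy as an SDDL conditional ACE, so it can be written and inspected directly with the ActiveDirectory module instead of the drop-down. The following is an added example, not code from the original post; the policy and silo names are hypothetical. It sets the "computer must be in silo X" condition on the policy, then checks the prerequisites a practitioner would verify before trusting it: that the silo is enforced, that the accounts are both members of the silo and have the silo assigned on the account, and that claims support is enabled, since without the KDC and client claims settings the condition is never evaluated.

```powershell
# Added example, not from the original post. Policy and silo names are
# hypothetical placeholders; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$policy = 'DC-Admins-Policy'   # hypothetical authentication policy
$silo   = 'DC-Admins-Silo'     # hypothetical authentication policy silo

# The GUI's "AuthenticationSilo Equals <silo>" condition is this conditional
# ACE. @USER here is the device the user authenticates from.
$sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $silo + '"))'
Set-ADAuthenticationPolicy -Identity $policy -UserAllowedToAuthenticateFrom $sddl

# Read both objects back. Enforce=$false on either means audit only.
Get-ADAuthenticationPolicySilo -Identity $silo |
    Select-Object Name, Enforce, UserAuthenticationPolicy, ComputerAuthenticationPolicy
Get-ADAuthenticationPolicy -Identity $policy |
    Select-Object Name, Enforce, UserAllowedToAuthenticateFrom

# Membership is two-sided: the silo lists the account, and the account
# points at the silo. Accounts missing either half are not protected.
$members = Get-ADAuthenticationPolicySilo -Identity $silo -Properties Members |
    Select-Object -ExpandProperty Members
foreach ($dn in $members) {
    $acct = Get-ADObject -Identity $dn -Properties 'msDS-AssignedAuthNPolicySilo'
    [pscustomobject]@{
        Account      = $acct.Name
        SiloAssigned = [bool]$acct.'msDS-AssignedAuthNPolicySilo'
    }
}

# Claims must be switched on or the condition is ignored: "KDC support for
# claims, compound authentication and Kerberos armoring" on the DCs and
# "Kerberos client support for claims..." on the clients. Check the DC side.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC' -ErrorAction SilentlyContinue |
    Select-Object EnableCbacAndArmor, CbacAndArmorLevel
```

The registry path in the last step is where the KDC group policy setting lands; an empty result means the policy has not been applied to that DC and silo conditions will not be enforced no matter what the policy object says.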



AD/Kerberos dropping SPN in database during ticket


forgive the double posting, but I selected the wrong forum initially.

I am having a problem with a user account getting this error consistently for the past few months.  I have finally narrowed it down using MS Network Monitor.

95613    9:26:00 AM 3/20/2019    2137.5229241        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3204, IPv4:15}
95614    9:26:00 AM 3/20/2019    2137.5234901        DANUBE      tigris.Accounting.local    KerberosV5    KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)    {TCP:3204, IPv4:15}
95625    9:26:00 AM 3/20/2019    2137.5238680        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.EDT.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3205, IPv4:15}
95626    9:26:00 AM 3/20/2019    2137.5243039        DANUBE      tigris.Accounting.local    KerberosV5    KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)    {TCP:3205, IPv4:15}
95643    9:26:00 AM 3/20/2019    2137.5795441        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3206, IPv4:15}

I have seen articles point to the SPN not being in the kerberos database but that is not the case here from what I see:

C:\WINDOWS\system32>setspn -L tigris
Registered ServicePrincipalNames for CN=tigris,CN=Computers,DC=Accounting,DC=local:
        MSSQLSvc/tigris.Accounting.local:1433
        MSSQLSvc/tigris.Accounting.local
        TERMSRV/TIGRIS
        TERMSRV/tigris.Accounting.local
        RestrictedKrbHost/TIGRIS
        HOST/TIGRIS
        RestrictedKrbHost/tigris.Accounting.local
        HOST/tigris.Accounting.local

C:\WINDOWS\system32>setspn -L user
Registered ServicePrincipalNames for CN=User,CN=Users,DC=Accounting,DC=local:

[ I noticed today that after I enable the account as Administrator, the user logs in but the Kerberos ticket is non-existent until I do a setspn for the user name. ]

What am I missing? 

thanks
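KDC_ERR_C_PRINCIPAL_UNKNOWN in an AS-REQ is about the client principal, not the service: the KDC for the realm could not map the Cname to an account. In the trace the Cname is a UPN-style name (user@domain.com) while the realm is ACCOUNTING.LOCAL, so the things worth checking are whether that exact userPrincipalName exists in the domain and whether the suffix is registered in the forest. The following is an added example, not code from the original post; the names are hypothetical and should be replaced with the values from the trace. It also lists user accounts that carry SPNs, because the workaround mentioned in the post (setspn on a user account) turns that account into a Kerberoasting target: any domain user can request a service ticket for the SPN and crack the account's password offline.

```powershell
# Added example, not from the original post. The UPN and realm are placeholders
# standing in for the values in the trace; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$cname = 'user@domain.com'      # Cname from the AS-REQ
$realm = 'ACCOUNTING.LOCAL'     # Realm from the AS-REQ

# A UPN-style cname is matched on userPrincipalName in the KDC's own domain.
$byUpn = Get-ADUser -LDAPFilter "(userPrincipalName=$cname)" `
            -Properties userPrincipalName, servicePrincipalName, Enabled

# The suffix must also be one the forest knows (a domain name or a registered
# alternative UPN suffix); otherwise nothing routes the name to this realm.
$suffix = $cname.Split('@')[1]
$forest = Get-ADForest
$known  = @($forest.RootDomain) + @($forest.Domains) + @($forest.UPNSuffixes)

[pscustomobject]@{
    Cname          = $cname
    UpnMatchFound  = [bool]$byUpn
    AccountEnabled = if ($byUpn) { $byUpn.Enabled } else { $null }
    SuffixKnown    = ($known -contains $suffix)
    RealmIsDomain  = ($forest.Domains -contains $realm.ToLower())
}

# Adding an SPN to a user account to make logon "work" makes the account
# Kerberoastable. Keep an inventory so such workarounds do not go unnoticed.
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    Select-Object SamAccountName, Enabled,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ' ' } }
```

If UpnMatchFound is false but the user can log on with DOMAIN\user, the client is sending a UPN that does not match the stored userPrincipalName; fix the UPN (or the suffix list) rather than adding SPNs to the user.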

Federate to SQL server while doing a windows desktop login

We have a SQL server which acts as a user data source for some of our custom SSO services. Now we are in the process of introducing Active Directory. After this, we expect that whenever a user logs into a Windows desktop, he is directly authenticated / authorized with Active Directory, and when the user credentials are not present in Active Directory, it should federate to the SQL server (containing the other users) and do the authentication / authorization. Is this possible??

Offline files disappear when going back online


Hello,

We are looking at deploying a fleet of laptops.

Currently our desktop users have Folder Redirection and DFS.

We would like to utilize this for our laptops, but with the added feature of offline files for when they are not connected to the network.

I have created a group policy and enabled offline files, and when logging into the network on a laptop I can see that this looks like it works.

While offline, if I create a new file and connect back to the network the file disappears.

If I modify a file that was created online, the changes sync fine.

Does anyone have any experience with this kind of setup?  Is there something/somewhere I can look to see where these files are going and what is causing this?  I suspect it is DFS - I think I must be missing something.....

thanks.

DNS Forwarder


Team,

Please share a best-practice link for DNS forwarders. Currently my infrastructure is configured to point directly at public DNS, which is not safe.
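The usual shape of the fix is that domain members and DCs use only the AD-integrated DNS servers, and those servers forward everything outside the AD zones to a short list of upstream resolvers, with root-hint fallback off so that the forwarder list is the only path out. The following is an added example, not code from the original post: it shows the weak client configuration next to the corrected server configuration and the checks that prove AD names resolve locally while external names go via the forwarders. Addresses and the domain name are hypothetical placeholders; the DnsServer RSAT module is assumed on the DC.

```powershell
# Added example, not from the original post. Upstream resolver addresses, the
# internal DNS address and the domain name are hypothetical placeholders.
Import-Module DnsServer

$domain     = 'example.local'                      # hypothetical AD domain
$internal   = '10.0.0.10'                          # hypothetical DC / DNS server
$forwarders = @('192.0.2.53', '198.51.100.53')     # hypothetical upstream resolvers

# Weak: any interface that lists a public resolver sends AD lookups such as
# _ldap._tcp.dc._msdcs.<domain> to a server that cannot answer them.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -and ($_.ServerAddresses -notcontains $internal) } |
    Select-Object InterfaceAlias, ServerAddresses

# Corrected client side: members point only at the internal DNS.
# (Run per interface; 'Ethernet' is a placeholder alias.)
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $internal

# Corrected server side: forward non-AD queries upstream, never fall back to
# root hints, and fail fast on a dead forwarder.
Set-DnsServerForwarder -IPAddress $forwarders -UseRootHint $false -Timeout 3
Get-DnsServerForwarder

# Prove it: the SRV record for DCs answers locally, an external name answers
# through the forwarders, and the server's own zones are AD-integrated.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $internal
Resolve-DnsName -Name 'www.example.com' -Type A -Server $internal
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
```

A DynamicUpdate value other than Secure on the AD zone is worth fixing while you are there: with nonsecure updates any host on the network can overwrite the records that clients use to find domain controllers.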

Replication time and Authoritative or Non-Authoritative Restore


Hi all,

Can anybody tell me what the exact replication time frame is when we talk about an Authoritative or Non-Authoritative Restore of Active Directory? The key issue here is exact time: the "not yet replicated" vs "already replicated" thing. I saw these docs:

Performing an Authoritative Restore of Active Directory Objects

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779573(v%3dws.10)

Performing a Nonauthoritative Restore of a Domain Controller

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784922(v=ws.10)

How can I know if it has already replicated if I know the deleted objects have been gone for 1h? 2h? 1/2 hour? What's the default replication interval?

Can somebody briefly elaborate on  "not yet replicated" vs "already replicated" thing when we talk AD restoration of deleted objects? 

Thanks
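"Already replicated" is not really a clock question: a deletion has reached a DC when that DC holds the tombstone for the object, and the only reliable answer is to ask each DC. The defaults give a rough expectation (intra-site partners are notified within about 15 seconds of a change; inter-site links replicate on a schedule whose default interval is 180 minutes), but a stalled link can make an hour-old deletion still absent from a remote DC. The following is an added example, not code from the original post; the deleted account name is a hypothetical placeholder and the ActiveDirectory module is assumed. It queries the Deleted Objects container on every DC, shows the site-link intervals, and reports each DC's last successful inbound replication.

```powershell
# Added example, not from the original post. The deleted account name is a
# hypothetical placeholder; requires the ActiveDirectory module and the right
# to read the Deleted Objects container on each DC.
Import-Module ActiveDirectory

$deletedName = 'jdoe'   # hypothetical sAMAccountName of the deleted user
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# A DC that holds the tombstone (isDeleted=TRUE) has received the deletion.
foreach ($dc in $dcs) {
    $t = Get-ADObject -Server $dc -IncludeDeletedObjects -Properties isDeleted, whenChanged `
            -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$deletedName))"
    [pscustomobject]@{
        DC            = $dc
        TombstoneSeen = [bool]$t
        DeletedAt     = if ($t) { $t.whenChanged } else { $null }
    }
}

# What to expect: intra-site notification is seconds; inter-site follows the
# site link schedule (default 180 minutes, configurable down to 15).
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
    Select-Object Name, ReplicationFrequencyInMinutes

# Whether those expectations hold: last successful inbound replication and the
# last result code for every partner of every DC (0 = success).
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
}
```

If every DC already holds the tombstone, a nonauthoritative restore of one DC would simply receive the deletion again on the next replication cycle; that is the case the authoritative restore (or, where enabled, the AD Recycle Bin) exists for.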

DFS Replication Errors


Hello I'm sort of new to DFS replication.

I'd like to get our DFS jobs running again.  One thing I'm worried about is replicating in the wrong direction and having our user community lose production files.  I'm also seeing this error event in the logs.  

Can you walk me through a safe process?  

Log Name:      DFS Replication
Source:        DFSR
Date:          3/29/2019 2:58:41 AM
Event ID:      4012
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ************
Description:
The DFS Replication service stopped replication on the folder with the following local path: D:\Users. This server has been disconnected from other partners for 307 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected. 
 
To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group. 
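The event text gives the remediation, but the poster's real worry is direction: after 307 days the stale member's files that differ from the partner are not merged, they are moved to the local DfsrPrivate\PreExisting folder when the member re-synchronizes. The following is an added example, not code from the original post, of the checks and the order of operations a practitioner would use around that remove/re-add: confirm which member is healthy, look at what the healthy side holds, copy the stale member's data somewhere safe first, then perform the steps from the event. Replication group, folder, server and backup path names are hypothetical placeholders; the DFSR RSAT module is assumed, and AD replication must be allowed to converge between the remove and the add.

```powershell
# Added example, not from the original post. Group, folder, server and backup
# path names are hypothetical placeholders; requires the DFSR RSAT module.
Import-Module DFSR

$group  = 'Users-RG'     # hypothetical replication group
$folder = 'Users'        # hypothetical replicated folder
$stale  = 'FS-BRANCH'    # the server that logged event 4012
$peer   = 'FS-HQ'        # the healthy partner

# 1. What each member thinks about the folder: content path and flags.
Get-DfsrMembership -GroupName $group -ComputerName $stale, $peer |
    Select-Object ComputerName, FolderName, ContentPath, PrimaryMember, ReadOnly

# 2. The healthy side's outbound backlog towards the stale member shows what
#    will flow in once replication resumes.
Get-DfsrBacklog -GroupName $group -FolderName $folder `
    -SourceComputerName $peer -DestinationComputerName $stale | Select-Object -First 20

# 3. Copy the stale member's data away BEFORE touching the membership. After
#    the re-add, conflicting files land in DfsrPrivate\PreExisting, not in
#    the live tree, and PreExisting is easy to lose track of.
$backup = '\\backup01\dfsr-prestage\FS-BRANCH-Users'   # hypothetical target
robocopy "\\$stale\D$\Users" $backup /E /COPY:DATSO /R:1 /W:1 /LOG:C:\Temp\prestage.log

# 4. The remediation from the event, as cmdlets. Wait for AD replication (or
#    force it) between the remove and the add so both members see each step.
Remove-DfsrMember -GroupName $group -ComputerName $stale -Force
Update-DfsrConfigurationFromAD -ComputerName $peer, $stale
Add-DfsrMember -GroupName $group -ComputerName $stale
Add-DfsrConnection -GroupName $group -SourceComputerName $peer -DestinationComputerName $stale
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $stale `
    -ContentPath 'D:\Users' -Force
Update-DfsrConfigurationFromAD -ComputerName $peer, $stale

# 5. Initial sync is finished when the stale member logs event 4104; until
#    then its state shows files being staged and installed.
Get-DfsrState -ComputerName $stale | Select-Object -First 20
```

The primary member is only consulted during the very first sync of a brand-new folder; for a re-added member the existing partner is authoritative, which is the behaviour you want here as long as the backup in step 3 exists.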
 



Need to know the default value for LdapSrvPriority and LdapSrvWeight for Read Only Domain Controller Windows 2008R2


Hi,

I would like to know the default values for the priority (LdapSrvPriority) and the weight (LdapSrvWeight) on a Read Only Domain Controller.

We are working with Windows 2008 R2.

Thanks in advance.

ad / sysvol version mismatch although all AD and SYSVOL GP versions correct


Hi

I am suddenly getting an "ad / sysvol version mismatch" error on a few group policies when doing gpresult. I have checked all the GPO versions in AD and SYSVOL on all 3 DCs and they are correct, SYSVOL sync runs fine with no errors, so I just don't know what else to check.

Any idea? 

Thanks

Custom attribute


Hello! Is it possible to create an attribute for a user whose value is part of the DN of that user?

dn=cn=username,ou=ou2,ou=ou1,dc=mydomain,dc=local

I need the name of the OU that is the parent of the parent OU of the object: "ou1".

Is it possible to solve this on the AD side instead of with external scripts?


How much RAM does each 'secure channel connection' to a Windows Server (Domain Controller) require


Hello :)

I am trying to obtain a more accurate way of working out the RAM for a domain controller. I know RAM is relatively cheap and I could therefore just add more RAM and not think about it too much. However, I do want to understand certain aspects of the OS to determine the RAM in a more granular fashion.

Question

If I have two sites, where one site has a domain controller with say 300 users connecting to the domain controller (Server 2019), and another site where 6000 users are connecting to the domain controller. It would seem logical on the surface the latter server may require more RAM.

For example, does each connection to the domain controller by a client (secure channel, so the client can download group policies etc.) require a small amount of RAM? (Possibly LSASS.exe requires some extra RAM for each incoming connection it has to deal with/maintain?)

Also, once a user has connected to a domain controller, authenticated (TGT, TGS) and downloaded their computer/user group policies from the DC, does the client connection remain open? E.g. is the TCP/secure pipe connection still active and therefore possibly requiring memory to maintain the connection (as asked above), or is the connection torn down and re-established when the client needs to go back to the DC for another TGS or to renew the TGT, for example?

Is there perhaps a performance counter in Windows that shows the amount of RAM taken up by each connection to the server?

Any help and advice most welcome.

CXMelga

Question about AD LDS authentication in a workgroup, replicated from Active Directory


Hello,

I have an application which is designed to use directory services for authentication, and its network is not controlled by our organization.

I would like to know if I can deploy an AD LDS instance which contains only the small subset of user accounts allowed to use this application, and which is synced periodically with the actual Active Directory database.

I would like to know if it is possible and if there are any online manuals for that.

Thank you

Some users do not have any timestamp information


Hi there,

I faced an issue while trying to detect legacy user accounts in an MS AD environment. I used a PS tool to load all active users with the "LastLogonDate" property and found out that only a few users have this field filled in; most of the users have it empty. Further, I looked at all properties of the accounts with an empty "LastLogonDate" and saw that they lack any timestamps (created, modified, lastbadpassword, etc.). No time information at all!

I have a one-forest-one-domain infrastructure with two DCs. Forest level is 2008, domain level is 2012. DCs are on Win2k16. I queried all DCs and the response is the same.

Could anybody advise where to dig in further? Thanks in advance.
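Two things matter when hunting stale accounts with timestamps. LastLogonDate is the module's conversion of lastLogonTimestamp, which is replicated but only rewritten when the stored value is older than roughly 9 to 14 days, and which is legitimately empty for accounts that have never interactively authenticated since the attribute was introduced. lastLogon is exact but never replicated, so it has to be collected from every DC and the newest value taken. The following is an added example, not code from the original post, that does both, falls back to whenCreated for accounts with no logon data at all, and flags accounts older than a threshold. The threshold is a hypothetical choice and the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post. The 90-day threshold is a
# hypothetical choice; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$days   = 90
$cutoff = (Get-Date).AddDays(-$days)
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Replicated attributes: one query is enough. lastLogonTimestamp is coarse
# (updated only when older than ~9-14 days) and may be absent altogether.
$users = Get-ADUser -Filter 'enabled -eq $true' -Properties whenCreated, lastLogonTimestamp, pwdLastSet

# lastLogon is per-DC: collect it from every DC and keep the newest value.
$latest = @{}
foreach ($dc in $dcs) {
    Get-ADUser -Server $dc -Filter 'enabled -eq $true' -Properties lastLogon | ForEach-Object {
        $prev = $latest[$_.SamAccountName]
        if ($_.lastLogon -and (-not $prev -or $_.lastLogon -gt $prev)) {
            $latest[$_.SamAccountName] = $_.lastLogon
        }
    }
}

$report = foreach ($u in $users) {
    $ts = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $ll = if ($latest[$u.SamAccountName]) { [DateTime]::FromFileTime($latest[$u.SamAccountName]) } else { $null }
    # Newest evidence of life; whenCreated covers accounts that never logged on.
    $best = @($ts, $ll, $u.whenCreated) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Created        = $u.whenCreated
        LastLogonTs    = $ts
        LastLogonAnyDC = $ll
        NeverLoggedOn  = (-not $ts) -and (-not $ll)
        Stale          = ($null -ne $best) -and ($best -lt $cutoff)
    }
}

$report | Where-Object Stale | Sort-Object Created | Format-Table -AutoSize
```

An enabled account with NeverLoggedOn set and a Created date months in the past is the classic pre-provisioned-and-forgotten account; it deserves the same disable-and-review treatment as one whose last logon is old.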

GPO override/change for local user only - help


Hello,
I have users in domain MSB, but the computers (where the users log in) are in a different domain, MSA. I cannot change that; it is by design.
I needed to setup profile redirect, drive mappings, etc. These settings are part of user policy, so I had to enable loopback processing. This works fine as expected.
How can I disable policy (e.g. profile redirect) processing for local users only? I need to have local user on these computers since they are portable.
Can you recommend possible solutions? I have an idea to run a logon script where some settings can be changed for the local user, but I am not sure whether this is the proper solution.
Thanks in advance!!


Revoke SubCA Certificates


Hello,

we have an offline Root CA and two subordinate CAs. I renewed the SubCA certificates but made a mistake. I renewed the CA certificates once more with the right parameters. Now the "wrong" SubCA certificates are still configured in the SubCAs. The new CAs are used for issuing new client certificates, but the "wrong" certs are still published to the AD, at least in the AIA information. I revoked the "wrong" SubCA certs in the root and issued a new revocation list. Looking at the options of the SubCA, the revoked certificates do not show as revoked. There are other previous SubCA certificates which are shown as revoked but are not in the revocation list!?

Any idea how to get the certs to show as revoked?

Thanx

__Leo
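The CA snap-in shows the CA's own cached view of its certificates, which is not what relying parties see; what matters is whether a client that fetches the root's CRL and the AIA data from AD concludes that the mistaken SubCA certificate is revoked, and whether that certificate is still being offered from AD at all. The following is an added example, not code from the original post, of the certutil steps involved: revoke on the offline root and issue its CRL, publish that CRL to AD, remove the wrong SubCA certificate from the AIA container, and then verify with a fresh URL cache from the client side. CA names, DN components, serial number and file paths are hypothetical placeholders.

```powershell
# Added example, not from the original post. CA names, the serial number, the
# AIA object name and file paths are hypothetical placeholders.
$rootConfig = 'OFFLINEROOT\Example Root CA'   # hypothetical "host\CA name" of the root
$serial     = '1a2b3c4d5e6f'                  # hypothetical serial of the mistaken SubCA cert
$wrongCert  = 'C:\Temp\subca-wrong.cer'       # that certificate, exported from the root
$rootCrl    = 'C:\Temp\ExampleRootCA.crl'     # the root's freshly issued CRL

# 1. On the offline root: revoke (reason 4 = superseded) and issue a new CRL.
certutil -config $rootConfig -revoke $serial 4
certutil -config $rootConfig -CRL

# 2. On a domain member, as an Enterprise Admin: publish the root CRL to the
#    CDP container in AD so domain clients pick it up without an HTTP CDP.
certutil -dspublish -f $rootCrl

# 3. Remove the mistaken SubCA certificate from the AIA container; clients
#    building chains through AD should never be offered it again.
$cfgNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$aiaUrl = "ldap:///CN=Example Sub CA,CN=AIA,CN=Public Key Services,CN=Services,$cfgNC" +
          '?cACertificate?base?objectClass=certificationAuthority'
certutil -viewdelstore $aiaUrl        # interactive: pick the wrong certificate and delete it

# 4. Verify as a relying party would: throw away cached CRLs, then let
#    certutil fetch CRL and AIA for the wrong certificate. The output must
#    show it as revoked, not merely missing.
certutil -urlcache CRL delete
certutil -verify -urlfetch $wrongCert
```

One caveat when reading the result: if the mistaken renewal reused the SubCA's key pair, end-entity certificates chain to whichever SubCA certificate a client finds first, so the AIA clean-up in step 3 is as important as the revocation itself.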

Few Questions about RSAT


Hello all, I apologize if this has been answered somewhere, but after searching the internet for half a day yesterday I've been unable to find anything for a few questions I've had. I would appreciate it if anyone could help me out! I'm fairly new to this and currently trying to understand RSAT. I'm currently using it on Windows Server 2003 R2, but likely to test it on other systems in the future.

1.) After installing RSAT, where is its file path? I have tried C:/Program Files/Microsoft but it is not there.

2.) What registries are affected and/or modified if I install RSAT on a Windows Server? (Currently testing on Windows Server 2003 R2)

3.) Is there any documentation on RSAT? The one I found on the Microsoft Docs website has not been very helpful. I already have it installed, but I would like to understand the tool.

Thank you for taking the time to read this.

AD lookup not using domain in 1809


Most of my users upgraded to 1809 in the last week or two and now they are having issues with network resources. The symptom is an active directory user (Scanner) can no longer access their shared folder (\\machinename\Scans), even though that user has full read/write permissions. When I sit at the client computer and bring up properties for the folder, Security correctly shows the users with correct permissions. If I try to add a user to the list however, under Locations I am only shown the local computer, not the AD.  My guess is when the Scanner user attempts to connect to write a file the client machine looks for them in the local user store instead of the AD store and fails when it can't find them. Am I looking in the right direction, or am I totally off base?

I ran into the issue presenting in a different way as well today. When I'm logged into the computer and do a software install, registry edits fail. This is because you need Admin rights to write to the registry and the user credentials are domain credentials. I now have a dozen or so machines with the issue, all upgraded to 1809.

Constrained delegation for SQL


My domain has an SPN for domain\AppAccount for MSSQLSvc/MySqlServer.domain.com. AppAccount is running the SQL service on MySqlServer.

Assume unconstrained delegation has been working with this setup for years.

When I go into the delegation tab of AppAccount to enable constrained delegation, click Add, then Users or Computers, and search for MySqlServer, it lists services for all sorts of things, like HOST and WWW and HTTP, but not MSSQLSvc.

Shouldn't there be an MSSQLSvc? Do I also have to register an SPN for the machine MySqlServer itself, even though the SQL service is running as AppAccount? Will those not conflict?
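The dialog behind "Users or Computers" lists the SPNs registered on the account you select, so searching for the computer MySqlServer shows only the SPNs on the computer object (HOST, HTTP, WWW), while MSSQLSvc lives on AppAccount. Registering the same MSSQLSvc SPN on the computer as well would be a duplicate, and a duplicate SPN breaks Kerberos for that service entirely. The following is an added example, not code from the original post, that checks where the SPN really is and that it is unique, writes the constrained-delegation entry directly into msDS-AllowedToDelegateTo on the delegating account (the attribute the GUI populates), keeps it Kerberos-only, removes the unconstrained flag, and lists what else in the domain still has unconstrained delegation. The delegating account name is a hypothetical placeholder; the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post. The delegating account name is a
# hypothetical placeholder; the SPN and service account come from the post.
Import-Module ActiveDirectory

$sqlSpn    = 'MSSQLSvc/MySqlServer.domain.com'   # SPN from the post, owned by AppAccount
$delegator = 'WebAppSvc'                         # hypothetical account that must delegate to SQL

# 1. Where is the SPN, and is it registered exactly once? The GUI shows the
#    SPNs of whichever object you pick, so this tells you what to search for.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$sqlSpn)" -Properties servicePrincipalName)
$owners | Select-Object Name, objectClass, DistinguishedName
if ($owners.Count -ne 1) { throw "Expected exactly one owner for $sqlSpn, found $($owners.Count)" }

# 2. Constrained delegation is just this attribute on the delegating account;
#    the value is the target SPN string, not the target host.
Set-ADUser -Identity $delegator -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }

# 3. Stay Kerberos-only. Protocol transition ("use any authentication
#    protocol") lets the account mint tickets for any user without their
#    credentials and should be a deliberate exception, not the default.
Set-ADAccountControl -Identity $delegator -TrustedToAuthForDelegation $false

# 4. Unconstrained delegation lets the account impersonate anyone who
#    authenticates to it against any service. Remove it once step 2 works.
Set-ADAccountControl -Identity $delegator -TrustedForDelegation $false

# 5. Verify the account, then inventory what still has the unconstrained bit
#    (userAccountControl 0x80000 = TRUSTED_FOR_DELEGATION) other than DCs.
Get-ADUser -Identity $delegator -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ' ' } }
Get-ADObject -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))' |
    Select-Object Name, objectClass
```

If a SQL service account itself must delegate (linked servers, double-hop to another SQL instance), the target entered in step 2 is the other instance's MSSQLSvc SPN, which again lives on whatever account runs that instance, not on the remote computer object.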

Active Directory 2016 Multi factor authentication

Hi all, I have been looking for info on this for a little while but I haven't been able to get a solid answer, so I was hoping you guys might have some more info. My company is looking to deploy some form of Active Directory multi-factor authentication, but ideally we would like it to have some form of memory of previously authorized computers and not require the second factor if they have successfully authorized that machine before. So, for example, if Jane uses her computer every day she would get the verification code the first time she logs in to her computer, but every time after that it would only need her password; but were she to try to sign in on a different computer with her same directory account, it would then require the multi-factor authentication. Thanks tons in advance for any knowledge or advice you are able to impart, and if you need any more details or clarification I'd love to provide it.