Channel: Directory Services forum
Viewing all 31638 articles

ADFS Setup


Hi All,

We are wanting to set up ADFS as a business. We already have Azure AD Connect running. The main reason for the setup is the security side of Office 365, blocking access externally etc. The only Azure package that we have is the standard AD account that comes with Office 365, so no Azure Premium package for Conditional Access rules etc.

I am reading about the setup, which seems easy enough in terms of the role install etc., but I am seeing a lot of conflicting information around what I actually need to set up. Any help with the below questions would be appreciated.

1. Will I need the web proxy role on another server to do what I am wanting to do?

2. We are only wanting to block access externally for Office 365 products. We have blocked OWA, ActiveSync etc. already.

3. How will it work with the current AD Sync in place?

Thanks in advance


Certain attributes are not visible on Windows Server 2016 AD


Hi,

In our environment we have 125 DCs, including Windows Server 2008 DCs and Windows Server 2016 DCs. Using ldp.exe, when I do a query for a user on a 2008 DC I get all the attributes and values. But when I do the same query on a 2016 DC I get only a few attributes. Attributes like badPwdCount, lastLogonTimestamp, lastLogonDate and the extensionAttributes are not visible. These attributes are visible only if I run ldp in elevated mode.

Why is this happening? I knew that everyone has read permissions on AD.

How do I cope with this when other applications are dependent on those attributes?

GPO override/change for local user only - help


Hello,
I have users in domain MSB, but the computers (where the users log in) are in a different domain, MSA. I cannot change that; it is by design.
I needed to set up profile redirection, drive mappings, etc. These settings are part of the user policy, so I had to enable loopback processing. This works fine, as expected.
How can I disable policy processing (e.g. profile redirection) for local users only? I need to have local users on these computers since they are portable.
Can you recommend possible solutions? I have an idea to run a logon script where some settings can be changed for the local user, but I am not sure whether this is a proper solution.
Thanks in advance!!

Scavenging not deleting the old stale records


Hello Team,

I have enabled scavenging on DNS and have also enabled scavenging on one particular zone (7 days, default settings). I have manually executed the deletion of stale records.

I can see an event generated that says it has deleted 180 records. Many records with old timestamps (2014, 2015) still exist and are not deleted.

OS is Windows 2008 R2 Enterprise.

Some references say that they need to be manually deleted?

Appreciate your assistance.

Event ID: 1864 - Replication Issues


This is becoming an issue... I took this new post and there are tons of replication issues with AD, DNS etc., and I am told there were a few DCs and Exchange servers that were not gracefully removed, so lingering objects are there as the metadata was not cleaned up etc.

We are a single domain/forest with about 8 DCs in remote sites... and all the DCs have got a mind of their own in terms of replication. Sometimes I have to force replication to get things moving across to the other DCs.

I see the following on the server that holds all the roles. I want to start here.

Log Name:      Directory Service

Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          4/5/2019 2:35:48 AM
Event ID:      1864
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:     fqdn of the DC
Description:
This is the replication status for the following directory partition on this directory server. 

Directory partition:
DC=DomainDnsZones,DC=ourdomain,DC=local 

This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals. 

More than 24 hours:

More than a week:

More than one month:

More than two months:

More than a tombstone lifetime:

Tombstone lifetime (days):
180 

Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled. 

Running repadmin /replsum shows zero fails

Please assist.... thank you.

     

metadata cleanup

Hi experts

How do I clean up the old metadata of domain controllers which do not exist anymore? Currently I am using a Windows 2012 R2 DC. Please guide me through the procedure.
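The two posts above (Event 1864 with a clean repadmin /replsum, and the metadata cleanup question) describe the same situation from two sides: AD still lists domain controllers that no longer exist, so this DC keeps expecting replication from them. The script below is an added example, not from either post or from Microsoft: it lists every NTDS Settings object the configuration partition knows, checks which of those DCs actually answer on LDAP, and ages this DC's inbound replication partners with the same thresholds Event 1864 uses. It assumes the RSAT ActiveDirectory module and Domain Admin rights; ourdomain.local is a placeholder. It only reports; the ntdsutil line that performs the cleanup is shown in a comment and not executed.

```powershell
# Added example (not from the posts): inventory DC metadata versus live DCs
# and bucket replication partner age the way Event 1864 does.
Import-Module ActiveDirectory

$domain   = 'ourdomain.local'   # placeholder, use your own domain
$configNC = (Get-ADRootDSE -Server $domain).configurationNamingContext

# 1. Every DC the configuration partition knows about: one nTDSDSA
#    ("NTDS Settings") object per DC under CN=Sites.
$ntdsObjects = Get-ADObject -Server $domain -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(objectClass=nTDSDSA)'

# 2. DCs the domain advertises that also answer on LDAP port 389.
$liveDCs = Get-ADDomainController -Server $domain -Filter * | Where-Object {
    (Test-NetConnection -ComputerName $_.HostName -Port 389 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}
$liveNtdsDNs = @($liveDCs | ForEach-Object { $_.NTDSSettingsObjectDN })

# NTDS Settings objects with no reachable DC behind them are the metadata
# cleanup candidates. A real DC that is merely unreachable (firewall, WAN
# outage) lands here too, so confirm with the site owner before removing.
$suspects = @($ntdsObjects | Where-Object { $liveNtdsDNs -notcontains $_.DistinguishedName })
"NTDS Settings objects without a live DC: $($suspects.Count)"
$suspects | ForEach-Object { "  $($_.DistinguishedName)" }

# 3. Inbound partners of this DC, bucketed exactly like Event 1864.
$tsl = (Get-ADObject -Server $domain -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC").tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute not set = legacy default of 60 days

$now = Get-Date
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Partition * |
    ForEach-Object {
        $m    = $_
        $days = ($now - $m.LastReplicationSuccess).TotalDays
        $bucket = switch ($days) {
            { $_ -gt $tsl } { "OLDER THAN TOMBSTONE LIFETIME ($tsl d)"; break }
            { $_ -gt 60 }   { 'more than two months'; break }
            { $_ -gt 30 }   { 'more than one month'; break }
            { $_ -gt 7 }    { 'more than a week'; break }
            { $_ -gt 1 }    { 'more than 24 hours'; break }
            default         { 'current' }
        }
        [pscustomobject]@{
            Partition = $m.Partition
            Partner   = $m.Partner
            LastOK    = $m.LastReplicationSuccess
            Bucket    = $bucket
            Failures  = $m.ConsecutiveReplicationFailures
        }
    } | Sort-Object LastOK | Format-Table -AutoSize

# Once a suspect is confirmed dead, the supported removal on Windows Server
# 2008 and later is one ntdsutil line (shown only, not executed here).
# <server DN> is the parent of the NTDS Settings DN, for example
# CN=OLDDC,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=ourdomain,DC=local
#   ntdsutil "metadata cleanup" "remove selected server <server DN>" quit quit
# Deleting the NTDS Settings object in AD Sites and Services triggers the
# same cleanup. Afterwards check DNS (A, NS and SRV records) and the SYSVOL
# replication membership for leftovers of the removed DC.
```

A partner whose last success is older than the tombstone lifetime is exactly the case the event text warns about: that DC (if it still exists) must not be reintroduced, and its metadata is what the cleanup removes.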

Adding Access Control Conditions?


I am following this:

https://social.technet.microsoft.com/wiki/contents/articles/26945.authentication-policies-and-authentication-silos-restricting-domain-controller-access.aspx

I am trying to add a computer access control condition as below, but as shown in the second screen I don't see AuthenticationSilo in the drop-down menu, nor do I see "equals" or the silo I created in the last field. I have created an Authentication Silo policy and linked it to my Authentication Policy. I rebooted the server too, but no luck.

Thoughts?  Thank you



active directory

How can I start studying Active Directory from the beginning?

Domain Migration - old domain migrate to new domain with same O365 Tenant


Hello fellow engineers. I have been asking around and looking for 2 different solutions to pave a path to my goal here. Here is a breakdown of my situation:

I currently have a Windows 2012 R2 domain that has a lot of history and lots of mystery, and I have floated the idea of moving to a new, fresh forest. I understand the applications and everything that is involved in this type of request, but let's just say for entertainment purposes that all of that is good to go. Here is the challenge:

How can I migrate/move from the old domain to a new one and stay connected to the same O365 tenant?

One idea is creating all the users brand new in the new domain, then making sure the user in O365 is "cloud only" and modifying the UPN and the immutable ID for the user. Of course the new domain name would be added to O365 beforehand. Is that a valid option?

The second idea was to use ADMT to move the user objects to the new domain, then modify the users' UPN and immutable ID to make sure they point to the same O365 tenant, but my assumption is that since the user object is migrating, it should keep the attribute values that tie it to the O365 tenant.

Maybe there is a third option?

My question to this community of experts is:

1. I opened a ticket with my vendor (Insight) and they have a solution expert who said this is a common thing that happens, but to make sure that this is what we want to do and not to assume it is easy to perform. But if I need to do this, then he suggested option 1. Has anyone done something like this before? How did it go?

2. Has anyone done something like this but used a 3rd-party tool to do the heavy lifting? How did that go, and what was the name of the tool?

Thank you all for your time on this.  

 

LDAPS not working


I was able to connect to LDAPS to access an address book from a multifunction printer and it seems to be working fine with SSL enabled.

I also was able to run the LDP tool locally on the relevant DCs and the bind tests all passed.

People who manage various web apps on the intranet say LDAPS isn't working and that they need to use plain-text LDAP for user login. They just tell us the connection fails.

Not all of our domain controllers are configured for LDAPS, but we gave them the host names and IP addresses of the DCs that have the SSL certificates installed and working. We installed third-party certificates from a major public CA on the DCs so that the certificates should be recognized as coming from a trusted root CA automatically.


Is there anything they need besides a user name and password for an account that has read access to AD plus TCP port 636 connectivity between their server and the domain controller?

How can we verify that everything needed for remote servers to connect is properly configured on our side so that we can either fix those issues or tell them the issue is definitively on their side?
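The post lists exactly three things a remote server needs: TCP reachability to 636, a certificate the client trusts (chain and name), and a bind account. The following script is an added example, not from the post, that checks those three from the DC owner's side with nothing but .NET classes available on any Windows box: it performs a TLS handshake with default validation, prints what the DC presented, then does an LDAP simple bind over that channel. The server name and service account are placeholders.

```powershell
# Added example (not from the post): verify TLS on 636 and an LDAPS bind
# the way a web application's LDAP library would.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'dc01.corp.example'        # placeholder: the FQDN on the certificate, not an IP
$bindUser = 'CORP\svc-ldap-reader'     # placeholder: read-only service account
$cred     = Get-Credential -UserName $bindUser -Message 'LDAP bind account'

# 1. TLS handshake with default validation: chain must end in a trusted
#    root and the certificate must carry $server in Subject or SAN. A web
#    app configured with the DC's IP address fails this name check even
#    when the DC is healthy, which is a common cause of "LDAPS is broken".
$tcp = New-Object System.Net.Sockets.TcpClient($server, 636)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    "TLS      : OK ($($ssl.SslProtocol))"
    "Subject  : $($cert.Subject)"
    "Issuer   : $($cert.Issuer)"
    "Expires  : $($cert.NotAfter)"
    "SAN      : $(if ($san) { $san.Format($false) } else { '(none)' })"
    $ssl.Dispose()
} catch [System.Security.Authentication.AuthenticationException] {
    # Untrusted chain or name mismatch: this is what the app server sees.
    "TLS      : FAILED - $($_.Exception.Message)"
} finally {
    $tcp.Dispose()
}

# 2. LDAP simple bind over SSL, what the web apps actually do. A failure
#    here after a clean handshake points at the account, or at port 636
#    being filtered between the app server and this DC.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()
try {
    $conn.Bind()
    "Bind     : OK as $bindUser"
} catch [System.DirectoryServices.Protocols.LdapException] {
    "Bind     : FAILED - $($_.Exception.Message) (code $($_.Exception.ErrorCode))"
} finally {
    $conn.Dispose()
}
```

Run it from the DC itself to prove the service is correct, then from a host in the web apps' network segment: if the first run passes and the second fails at the TCP or TLS step, the problem is on the path or in the name the apps use, not in the DC configuration.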


Cross-Forest AD Token Size

We have two forests with a one-way trust between them. I want to know if, when I add a user from Forest A to groups in Forest B, this will affect the AD token size of the user in Forest A. Based on the whoami /groups command I ran from Forest A, I don't think that the user's local Kerberos token knows anything about the Forest B groups. Does this mean that if I add user A to 1000 groups in Forest B it will *not* break the Forest A account, and only the FSP in Forest B would be affected?

Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill

LDAPS and Server Name Indication (SNI) support


Hi,

When searching topics about Windows Server and SNI support, the results often lead to articles related to SNI support in IIS.  I have questions about SNI in Windows Server as relates specifically to LDAPS.  For example:

  1. In which server version was SNI first supported for LDAPS?
  2. For whichever version is the answer to question #1 - from that point forward - is it REQUIRED that a client use SNI extension during SSL handshake for LDAPS?
  3. If YES to question #2, is it possible to selectively turn that requirement ON/OFF?

Thank you,

DaveC

Windows 2008 R2 AD replication error: DsReplicaSync() failed with status 1722 (0x6ba) & 1256


Hi Team,

My AD replication health check is failing. Kindly help.

Error details:

C:\Windows\system32>repadmin /replicate DC1  DC2a DC=ForestDnsZones,DC=abc,DC=com
DsReplicaSync() failed with status 1722 (0x6ba):
    The RPC server is unavailable.

2. C:\Windows\system32>repadmin /showrepl * /csv > c:\replsd.csv

LDAP error 81 (Server Down) Win32 Err 58.
LDAP error 81 (Server Down) Win32 Err 58.
LDAP error 81 (Server Down) Win32 Err 58.

DC1DC=DomainDnsZones,DC=abc,DC=comsitesdc2aRPC14 4/8/2019 11:22 4/8/2019 7:521256
DC1 CN=Configuration,DC=abc,DC=comsites dc2aRPC 15 4/8/2019 11:22 4/8/2019 7:52 1722

3. C:\Windows\system32>repadmin /replsum

DC1 03h:58m:59s 5/40 12 1722 The RPC server is unavailable.

DC2a 03h:58m:56s 5/10   50 1722 The RPC server is unailable.

My observations:

1. I checked that all DC servers are up and running fine (RPC, Netlogon services, AD DS).
2. dcdiag /test:advertising also passed.
3. Ports are open: RPC endpoint mapper 135, 137, 139, 445, 389, 3268, 3269, 88, 53






Extract AD permissions


How to extract AD permissions from current AD environment? Is there any script/command available to extract the report?

Thanks in advance.
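There is no single built-in command that dumps AD permissions as a report, but the ActiveDirectory module exposes every object's security descriptor through the AD: drive, and Get-Acl works on it. The script below is an added example, not from the post or from Microsoft: it collects the explicit (non-inherited) ACEs on the domain root, every OU and the top-level containers, translates the GUIDs in object-specific ACEs into attribute and extended-right names so the report is readable, and writes a CSV. It assumes RSAT with the ActiveDirectory module; the output path is a placeholder.

```powershell
# Added example (not from the post): export explicit AD ACEs to CSV with
# readable object types.
Import-Module ActiveDirectory

$outFile = 'C:\temp\ad-permissions.csv'   # placeholder output path
$rootDse = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName

# Map schema attribute/class GUIDs and extended-right GUIDs to names so an
# ACE on e.g. "Replicating Directory Changes All" shows its name, not a GUID.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid([guid]$g) {
    if ($g -eq [guid]::Empty)     { return 'all' }        # ACE applies to the whole object
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

# Scope: domain root, all OUs, and the top-level containers (Users, Computers...).
$targets = @($domainDN) +
    @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName }) +
    @(Get-ADObject -SearchBase $domainDN -SearchScope OneLevel `
        -LDAPFilter '(objectClass=container)' | ForEach-Object { $_.DistinguishedName })

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # explicit ACEs only; drop this line for everything
        [pscustomobject]@{
            Object      = $dn
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = Resolve-AdGuid $ace.ObjectType
            InheritedTo = Resolve-AdGuid $ace.InheritedObjectType
            Inheritance = $ace.InheritanceType
        }
    }
}

$report | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
"$(@($report).Count) explicit ACEs written to $outFile"
```

When reviewing the CSV, sort by Trustee and look for non-administrative principals holding GenericAll, WriteDacl, WriteOwner, WriteProperty on the whole object, or the "Replicating Directory Changes" extended rights; those are the entries that decide who can take over objects or read password hashes, and they are usually the reason a permissions report is requested.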

Domain User Cannot Remote to Server 2012


My domain is running on a Server 2016 system; I also have a Server 2012 system that admins can remote to.

I need to add a new user to allow RDP to the Server 2012 rig. I added the user "Paul" to the built-in Remote Desktop Users group.

This was no use. I am not an administrator on the domain, but I am allowed RDP. I removed myself from the RDP group to test and I am still able to connect to the 2012 server. I must be missing a setting or group, as nothing is working for me.


Conrad Ryan


ad / sysvol version mismatch although all AD and SYSVOL GP versions correct


Hi

I am suddenly getting an "AD / SYSVOL version mismatch" error on a few group policies when running gpresult. I have checked all the GPO versions in AD and SYSVOL on all 3 DCs and they are correct, and SYSVOL sync runs fine with no errors, so I just don't know what else to check.

Any idea? 

Thanks

Active Directory attributes 'name' and 'Name'


When renaming an AD object it is said that you need both the write 'name' and write 'Name' permissions (as well as write DN). What exactly is the difference between name and Name? And given that there is no write 'samaccountname' permission is one of these names actually the samaccountname?

Thanks

David Z

LDAP query to add ForeignSecurityPrincipals to a group


Hello,

I have been trying for a few days now to add people coming from AD1 to a domain local security group in AD2, where there is a trust between AD1 and AD2.

In the GUI it worked perfectly well, and the people I already added to a group can be added to any other group because I can find their SID somewhere under CN=ForeignSecurityPrincipals,DC=MyAD2,DC=ads.

Adding them to other security groups is just a matter of finding the right SID. I need to build their AD2 local DN by replacing sid in CN={sid},CN=ForeignSecurityPrincipals,DC=MyAD2,DC=ads and update the group by adding a member attribute value.

My problem is when the person is not yet used in AD2: the SID is not anywhere in ForeignSecurityPrincipals and I can't reproduce the magic that is done in the UI.

I tried it in PowerShell, hoping to capture an LDIF or something that would help, but I discovered the existence of ADWS (https://social.technet.microsoft.com/Forums/en-US/fcdb56de-2422-49ed-a7c1-093fa9542c60/adws-with-http-binding-and-access-from-a-java-client?forum=winserverDS)

I'm not confident in using ADWS with my Java stack, but I could give it a try with a little help...

Have you any idea how I could make sure SIDs are imported into FSP?
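The "magic" the GUI does is not an ADWS call: it writes the member value using Active Directory's special DN syntax <SID=...>, and the DC resolves the SID through the trust, creates the foreignSecurityPrincipal object under CN=ForeignSecurityPrincipals itself and stores that object's DN. The following script is an added example, not from the post, showing the same operation through ADSI, which sends exactly that LDAP modify; a Java client using plain LDAP can send the identical modify (add attribute member, value "<SID=S-1-5-21-...>") against AD2. The group DN and the AD1 user SID are placeholders.

```powershell
# Added example (not from the post): add a trusted-domain principal to a
# group in AD2 by SID, letting the DC create the FSP on the fly.
$groupDn    = 'CN=App-Readers,OU=Groups,DC=MyAD2,DC=ads'            # placeholder group in AD2
$foreignSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'     # placeholder SID of an AD1 user

# IADsGroup::Add strips "LDAP://" and sends the remainder as the member
# value, so the DC receives the modify:  member: <SID=S-1-5-21-...>
$group = [ADSI]"LDAP://$groupDn"
try {
    $group.Add("LDAP://<SID=$foreignSid>")
    "Added <SID=$foreignSid> to $groupDn"
} catch {
    # Typical failures: already a member, SID not resolvable over the trust
    # (wrong SID, trust broken, or SID filtering), or the group is not
    # domain local (only domain local groups may hold FSPs from a trust).
    "Add failed: $($_.Exception.InnerException.Message)"
}

# Verify: the FSP now exists in AD2 and the group's member attribute holds
# its DN in the CN=<sid>,CN=ForeignSecurityPrincipals,... form the post saw.
$group.RefreshCache()
$fspDn = @($group.member) | Where-Object { $_ -like "CN=$foreignSid,CN=ForeignSecurityPrincipals,*" }
if ($fspDn) { "FSP member DN : $fspDn" } else { "FSP DN not found in member attribute" }

# The same binding string also reads the FSP back once it exists:
$fsp = [ADSI]"LDAP://<SID=$foreignSid>"
"FSP objectClass: $($fsp.objectClass -join ',')"
```

Because the DC has to translate the SID to a name over the trust when it creates the FSP, the account running this needs the trust to be healthy in the AD1 direction; a failure here with a correct SID is therefore usually a trust or SID-filtering problem rather than a permissions problem on the group.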

DFS namespace problem on disc mounted to NTFS folder


Hello

We do not map disks as drive letters (D:\ etc.) but mount them to an NTFS folder. When I create a DFS namespace on this disk (for example c:\storage\DISC1\test_DFS) and restart the DFS service (or restart the server), we observe a new folder with a strange symbol in its name (겱Test01).

And new folders keep appearing with every subsequent service restart. We are sure it is a bug in DFS namespace.

Preview of this issue below.

Is there a chance to resolve this problem?

Zdenek


Zdenek Mozis

Cannot install Additional DC 2016


Hi,

I have a Windows Server 2016 on which the AD DS role is installed, and I have an additional DC running Windows Server 2008 too. I'm going to install a Windows Server 2016 as a second additional domain controller, but I got the below error:

The server that I want to promote to additional domain controller has been joined to the domain and can ping the domain controller. Any help would be appreciated.

Thanks


