Channel: Directory Services forum

LDAP query to add ForeignSecurityPrincipals to a group


Hello,

I've been trying for a few days now to add people coming from AD1 to a domain local security group in AD2, where there's a trust between AD1 and AD2.

In the GUI it worked perfectly well, and the people I already added to a group can be added to any other group, because I can find their SID somewhere under CN=ForeignSecurityPrincipals,DC=MyAD2,DC=ads.

Adding them to other security groups is just a matter of finding the right SID. I need to build their AD2 local DN by substituting the SID in CN={sid},CN=ForeignSecurityPrincipals,DC=MyAD2,DC=ads and update the group by adding a member attribute value.

My problem is when the person is not yet used in AD2: the SID is nowhere in ForeignSecurityPrincipals and I can't reproduce the magic that is done in the UI.

I tried it in PowerShell, hoping to capture LDIF or something that would help, but I discovered the existence of ADWS (https://social.technet.microsoft.com/Forums/en-US/fcdb56de-2422-49ed-a7c1-093fa9542c60/adws-with-http-binding-and-access-from-a-java-client?forum=winserverDS).

I'm not confident in using ADWS with my Java stack, but I could give it a try with a little help...

Have you any idea how I could make sure SIDs are imported into FSP?
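The "magic" the GUI performs is writing the member value in the `<SID=...>` DN form: the DC maps a SID that is not from its own forest to CN=<sid>,CN=ForeignSecurityPrincipals,<domain> and creates that object on the fly. The following is an added example, not code from the post above; the DC names dc1.ad1.example and dc1.myad2.ads, the group App-Readers and the user jdoe are assumed (the real names in the post are only AD1, AD2 and DC=MyAD2,DC=ads).

```powershell
# Added example (not from the original post): add a user from trusted forest AD1 to a
# domain local group in AD2 by writing the member attribute in <SID=...> form.
# Assumed (hypothetical) names: dc1.ad1.example, dc1.myad2.ads, App-Readers, jdoe.
# Assumes a forest trust exists and the running account can read AD1 and modify the group.
Import-Module ActiveDirectory

$ad1Server = 'dc1.ad1.example'   # any DC of the trusted forest AD1 (assumed)
$ad2Server = 'dc1.myad2.ads'     # a writable DC of AD2 (assumed)
$groupName = 'App-Readers'       # domain local group in AD2 (assumed)
$userSam   = 'jdoe'              # user that lives in AD1 (assumed)

# 1. Resolve the user's SID in the source forest. Only the SID crosses the trust boundary.
$user = Get-ADUser -Server $ad1Server -Identity $userSam
$sid  = $user.SID.Value          # e.g. S-1-5-21-...-1104

# 2. Add the member using the <SID=...> DN syntax. Because the SID does not belong to AD2,
#    the DC resolves it to the FSP container and creates the FSP object if it is missing.
Set-ADGroup -Server $ad2Server -Identity $groupName -Add @{ member = "<SID=$sid>" }

# 3. Verify: the FSP object now exists and lists the group in memberOf.
$domainDn = (Get-ADDomain -Server $ad2Server).DistinguishedName
$fspDn    = "CN=$sid,CN=ForeignSecurityPrincipals,$domainDn"
$fsp      = Get-ADObject -Server $ad2Server -Identity $fspDn -Properties objectSid, memberOf
"FSP object : $($fsp.DistinguishedName)"
"Member of  : $($fsp.memberOf -join ', ')"
```

The same works from a plain LDAP client such as JNDI, without ADWS: send an LDAP modify on the group with `add: member` and the value `<SID=S-1-5-21-...>` (AD accepts the `<SID=...>` and `<GUID=...>` forms for DN-valued attributes). If the modify is refused, check that the trust is in place and that the account performing it has write access to the group's member attribute; the FSP container itself needs no manual changes.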


Azure AD group naming standard


Hi,

While creating AD groups in the on-premises domain we have to follow our group naming standard.

We are planning to bring the naming standard to Azure Active Directory groups.

Let's say end users can create their own AD groups; however, the naming standard should start with AzureAD-Groupname.

Please assist with your valuable answer.
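Azure AD exposes exactly this as the group naming policy in the tenant-wide Group.Unified directory setting. The following is an added example, not code from the post; it uses the poster's "AzureAD-" prefix, and the blocked-word list is an assumption. It needs the AzureADPreview module, a Global Administrator account and Azure AD Premium P1 licences, and it applies only to Microsoft 365 (unified) groups created by users, not to security groups or to groups synchronised from on-premises AD.

```powershell
# Added example (not from the original post): enforce a prefix on Microsoft 365 group names
# created by end users via the Group.Unified directory setting. Prefix "AzureAD-" is the
# poster's requirement; the blocked-word list and everything else here is assumed.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# The setting object exists only once it has been created from its template.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
$isNew   = $false
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting  = $template.CreateDirectorySetting()
    $isNew    = $true
}

# [GroupName] is replaced with the name the user types; fixed text around it becomes mandatory.
# Other tokens such as [Department] or [Country] are filled from the creator's user object.
$setting['PrefixSuffixNamingRequirement'] = 'AzureAD-[GroupName]'
# Optional comma-separated words users may not use in a group name (assumed list).
$setting['CustomBlockedWordsList']        = 'Admin,Payroll,CEO'

if ($isNew) { New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null }
else        { Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting }

# Read back the effective policy to confirm what will be enforced.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' }
```

The policy is enforced at creation time in the Azure portal, Outlook and Teams; administrators are exempt, so a test with a non-admin user is the only meaningful check. The same setting is reachable through the Microsoft Graph groupSettings resource if the AzureAD modules are not available.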

Split domain controller


I would like to know if there are any updates on splitting a domain controller into two different domains and splitting the users into two different entities.

The reason is that our company split into two companies, and I want to move half of the users to the new one while retaining the same services.

User policy not getting applied for cross forest users


Hi ,

We have one way trust between forest A and B.

A trust B

When users from B log on to A, user policy from both domains is not getting applied.

Enabled the below settings in Forest A:

Loopback processing: Merge

Allow cross-domain policy processing and roaming profile

Still no luck.

Please help me


Extract AD permissions


How to extract AD permissions from current AD environment? Is there any script/command available to extract the report?

Thanks in advance.
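The ActiveDirectory module exposes every object's security descriptor through the AD: drive, so Get-Acl can dump the DACL of each OU and container to a CSV. The following is an added example, not code from the post; only the output path is assumed. Run it from a machine with RSAT installed, as a user who can read the directory.

```powershell
# Added example (not from the original post): export the DACL of the domain head and every
# OU and container to CSV, then highlight explicit (non-inherited) high-privilege ACEs.
# Only the output path is assumed.
Import-Module ActiveDirectory
$outFile = "$env:TEMP\ad-permissions.csv"   # assumed output location

$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @(Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domainDNS))')

$rows = @(foreach ($obj in $targets) {
    # The AD: PSDrive maps a DN to a path whose ACL is the object's security descriptor.
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Object              = $obj.DistinguishedName
            Identity            = $ace.IdentityReference.Value
            Rights              = $ace.ActiveDirectoryRights
            Type                = $ace.AccessControlType      # Allow / Deny
            Inherited           = $ace.IsInherited
            ObjectType          = $ace.ObjectType             # attribute/extended-right GUID, or all zeros
            InheritedObjectType = $ace.InheritedObjectType    # class the ACE applies to when inherited
            Inheritance         = $ace.InheritanceType
        }
    }
})
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
"Wrote $($rows.Count) ACEs for $($targets.Count) objects to $outFile"

# Explicit Allow ACEs carrying rights that equal full control over the object are the ones
# that deserve review first; inherited ACEs just echo a parent's grant.
$rows | Where-Object {
    -not $_.Inherited -and $_.Type -eq 'Allow' -and
    ($_.Rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner')
} | Format-Table Object, Identity, Rights -AutoSize
```

The GUIDs in ObjectType and InheritedObjectType can be resolved by looking up schemaIDGUID in the schema naming context and rightsGuid under CN=Extended-Rights in the configuration naming context. For a one-off look at a single object, the built-in `dsacls "<DN>"` prints the same DACL without scripting.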

Revoke SubCA Certificates


Hello,

We have an offline Root CA and two subordinate CAs. I renewed the SubCA certificates but made a mistake. I renewed the CA certificates once more with the right parameters. Now the "wrong" SubCA certificates are still configured in the SubCAs. The new CAs are used for issuing new client certificates, but the "wrong" certs are still published to AD, at least in the AIA information. I revoked the "wrong" SubCA certs in the root and issued a new revocation list. Looking at the options of the SubCA, the revoked certificates do not show as revoked. There are other previous SubCA certificates which are shown as revoked but are not in the revocation list!?

Any idea how to get the certs revoked?

Thanks

__Leo

Few Questions about RSAT


Hello all, I apologize if this has been answered somewhere, but after searching through the internet for half a day yesterday I've been unable to find anything for a few questions I've had. I would appreciate it if anyone can help me out! I'm fairly new to this and currently trying to understand RSAT. I'm currently using it on Windows Server 2003 R2, but I'm likely to test it on other systems in future.

1.) After installing RSAT, where is its file path? I have tried C:/Program Files/Microsoft but it is not there.

2.) What registries are affected and/or modified if I install RSAT on a Windows Server? (Currently testing on Windows Server 2003 R2)

3.) Is there any documentation on RSAT? The one I found on the Microsoft Docs website has not been very helpful. I already have it installed, but I would like to understand the tool.

Thank you for taking the time to read this.

SSO from remote as user from child domain?


I have an application that uses windows authentication. We created several child domains for each department and one root domain.

For example:

         company.com
        /           \
dep1.company.com   dep2.company.com

Each department has its own subnet and domain controller. The users did not actually join the domain. The computers are already in another domain from an independent organisation and they only need to log in to the application with the logins provided by us from the corresponding child domain.
This looks something like this:

Sorry, can't add an image.
(https://social.technet.microsoft.com/Forums/getfile/1427308)

The remote user (user@contoso.com) has the credentials stored in the access credential manager in order to make SSO possible.

What I suspect is that the SQL server can't find the user@dep1.company.com account in the child domain. At least SQL shows an error in the event viewer:

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: <named pipe>]

I double checked that every account is existing, the account has not been locked and neither needs the password to be changed.

There are transitive trusts between the root domain and all child domains, and one between app.company.com and dep1.company.com.
I tried adding a foreign security principal
Added an alias in the SQL Native Client 11.0 Configuration
Added an ODBC Bridge client side
Altered the "Access this computer from the network" in the secpol.msc
Both server and application server have permission to delegate (AD -> Computer objects -> Delegation)

I found a lot online but nothing has worked for me. I am a lost sysadmin and have reached Google page 2.
Any help is much appreciated.


AD groups


Hi all,

How can we export all AD distribution groups which have more than 300 members?

Regards,

Sky
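Counting the member attribute returned by Get-ADGroup is the cheapest way to do this across a large directory. The following is an added example, not code from the post; the threshold of 300 comes from the question, the output path is assumed.

```powershell
# Added example (not from the original post): export every distribution group with more
# than $threshold direct members. The threshold is the poster's; the output path is assumed.
Import-Module ActiveDirectory
$threshold = 300
$outFile   = "$env:TEMP\large-distribution-groups.csv"   # assumed

# 'member' is not in the default property set, so request it explicitly. Get-ADGroup returns
# the complete list (it handles LDAP range retrieval), unlike Get-ADGroupMember, which by
# default refuses groups with more than 5000 members (ADWS MaxGroupOrMemberEntries).
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -Properties member, mail, whenChanged

$large = @(foreach ($g in $groups) {
    $count = @($g.member).Count        # direct members only; a nested group counts as one
    if ($count -gt $threshold) {
        [pscustomobject]@{
            Name              = $g.Name
            SamAccountName    = $g.SamAccountName
            Mail              = $g.mail
            GroupScope        = $g.GroupScope
            MemberCount       = $count
            WhenChanged       = $g.whenChanged
            DistinguishedName = $g.DistinguishedName
        }
    }
})
$large | Sort-Object MemberCount -Descending | Export-Csv -Path $outFile -NoTypeInformation
"$($large.Count) distribution groups with more than $threshold members written to $outFile"
```

If the requirement is the expanded recipient count (members of nested groups included), replace the `@($g.member).Count` line with `@(Get-ADGroupMember -Identity $g -Recursive).Count` and expect the run to take considerably longer. Exchange-managed lists should be checked against Get-DistributionGroup as well, since dynamic distribution groups have no member attribute in AD.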

Certain attributes are not visible on Windows Server 2016 AD


Hi,

In our environment we have 125 DCs, including Windows Server 2008 DCs and Windows Server 2016 DCs. Using ldp.exe, when I do a query for a user on a 2008 DC I get all the attributes and values. But when I do the same query on a 2016 DC I get only a few attributes. Attributes like badpwdcount, lastlogontimestamp, lastlogondate and extensionattributes are not visible. These attributes are visible only if I run ldp in elevated mode.

Why is this happening? I knew that everyone has read permissions on AD.

How do I cope with this when other applications are dependent on those attributes? 

On-Prem UPN being changed by DC's SYSTEM account


Hi,

I'm in the process of configuring a Server 2012 r2 DC in preparation for O365 SSO with Azure AD Connect.  The domain only has 1 DC and the functional level is also set to 2012 r2.  As part of this I am changing the UPN for the on-prem accounts to match their email address as follows:

Firstname: Test

Surname: Account

Original Username: TestA

Original UPN: TestA@Domain.domainname.co.nz

SMTP address: test.account@domainname.co.nz

I've added in domainname.co.nz as a suffix and can see it as an option, but when I change the on-prem UPN to be test.account@domainname.co.nz it works correctly and still allows the user to logon, but a short time later I find the UPN reverts itself back to testa@domain.domainname.co.nz.

I've turned on auditing to work out how/when this was happening and can see that an event 4738 is raised from my admin account when I initially change the UPN, and shortly after (always at the same time of the hour, at 37 mins past) this is changed back by the system account, as shown below:

A user account was changed.

Subject:
Security ID: SYSTEM
Account Name: servername$
Account Domain: DOMAIN
Logon ID: 0x208C31D6

Target Account:
Security ID: DOMAIN\testuser1
Account Name: testuser1
Account Domain: DOMAIN

Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: testuser1@DOMAIN.DOMAINNAME.CO.NZ

I've checked for scheduled tasks, any services running under this account, and other apps on the server and can't find anything.  Has anyone come across this before or have any advice on what else can be checked?  It happens regardless of which OU the account is in.

Thanks in advance!



Machine Cert Deleted After Auto Enrollment

Once a machine has used auto enrollment to get a machine cert for client auth what happens if someone deletes the certificate? In my testing it looks like the machine will not auto enroll a new cert. Is that expected? If so how can I force the machine to get another certificate?


Active Directory - How to Auto-Select to the right OU


Hi 

When new clients and servers are added to AD, I want the server or client added to the right OU.

Please help ;-)

Sokoban


----- S-O-K-O-B-A-N -----
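Out of the box every new computer account lands in CN=Computers. The usual approach is to redirect that default container to a staging OU with the built-in redircmp.exe and then move machines from staging by operating system. The following is an added example, not code from the post; the three OU names are assumed.

```powershell
# Added example (not from the original post): make new computer accounts land in a staging
# OU instead of CN=Computers, then sort them into server/workstation OUs by operating system.
# All OU names below are assumed (hypothetical); they must exist before running this.
Import-Module ActiveDirectory
$domainDn  = (Get-ADDomain).DistinguishedName
$stagingOu = "OU=Staging,OU=Computers,$domainDn"        # assumed
$serverOu  = "OU=Servers,OU=Computers,$domainDn"        # assumed
$clientOu  = "OU=Workstations,OU=Computers,$domainDn"   # assumed

# 1. Once, as a Domain Admin: redirect the default computer container. redircmp rewrites the
#    wellKnownObjects attribute on the domain head; it needs domain functional level 2003+.
redircmp.exe $stagingOu

# 2. On a schedule: move whatever joined since the last run. operatingSystem is written by the
#    machine during the join, so it is reliable enough to decide between the two OUs.
$computers = Get-ADComputer -SearchBase $stagingOu -SearchScope OneLevel -Filter * -Properties operatingSystem
foreach ($c in $computers) {
    $target = if ($c.operatingSystem -like '*Server*') { $serverOu } else { $clientOu }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
    "Moved $($c.Name) ($($c.operatingSystem)) -> $target"
}
```

Keep the staging OU's group policy minimal: a machine sits there only until the scheduled move runs. If the join is scripted (unattend.xml or djoin), the MachineObjectOU / /MACHINEOU option places the account directly in the right OU and step 2 becomes unnecessary.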

Active Directory 2016 Testing help

In my organization, the Infra team is building new Windows 2016 AD servers and planning to migrate only the user accounts from the existing Windows 2003 AD servers. As part of the testing team, I need to make sure all the migration activity and AD 2016 are working fine as part of SIT, UAT and OAT. Can anyone please help me put together some generic AD testing functionality which we need to test in this scenario in the different phases of testing? Thanks.

Windows 2008 R2 AD replication error: DsReplicaSync() failed with status 1722 (0x6ba) & 1256


Hi Team,

My AD replication health check is failing. Kindly help.

Error details:

1. C:\Windows\system32>repadmin /replicate DC1 DC2a DC=ForestDnsZones,DC=abc,DC=com
DsReplicaSync() failed with status 1722 (0x6ba):
    The RPC server is unavailable.

2. C:\Windows\system32>repadmin /showrepl * /csv > c:\replsd.csv

LDAP error 81 (Server Down) Win32 Err 58.
LDAP error 81 (Server Down) Win32 Err 58.
LDAP error 81 (Server Down) Win32 Err 58.

DC1  DC=DomainDnsZones,DC=abc,DC=com  sites  dc2a  RPC  14  4/8/2019 11:22  4/8/2019 7:52  1256
DC1  CN=Configuration,DC=abc,DC=com   sites  dc2a  RPC  15  4/8/2019 11:22  4/8/2019 7:52  1722

3. C:\Windows\system32>repadmin /replsum

DC1   03h:58m:59s  5/40  12  1722  The RPC server is unavailable.
DC2a  03h:58m:56s  5/10  50  1722  The RPC server is unavailable.

My observations:

1. I checked that all DC servers are up and running fine (RPC, Netlogon services, AD DS).
2. dcdiag /test:advertising also passed.
3. Ports are open: RPC endpoint mapper 135, 137, 139, 445, 389, 3268, 3269, 88, 53
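The port list in the post covers the endpoint mapper (135) but not the port replication actually uses: after the mapper answers, the caller connects to a second, dynamically assigned port (49152-65535 on Server 2008 and later) unless a static NTDS port is configured, and status 1722 is what you get when that second connection is filtered or when the partner's _msdcs CNAME does not resolve. The following is an added example, not code from the post; DC1, DC2a and abc.com are the post's names, and WinRM being enabled on the partner is an assumption.

```powershell
# Added example (not from the original post): run on DC1 against the partner failing with 1722.
# DC2a and abc.com are from the post; WinRM on the partner and everything else is assumed.
param([string]$Partner = 'DC2a', [string]$Domain = 'abc.com')
Import-Module ActiveDirectory

function Test-Port([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        return [bool]($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

$fqdn = "$Partner.$Domain"

# 1. DNS: replication binds to <NTDS Settings objectGUID>._msdcs.<forest root>, not the hostname.
$dc      = Get-ADDomainController -Identity $Partner
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
$cname   = "$dsaGuid._msdcs.$((Get-ADForest).RootDomain)"
try {
    $ips = [System.Net.Dns]::GetHostAddresses($cname) | Select-Object -ExpandProperty IPAddressToString
    "DNS  $cname -> $($ips -join ', ')"
} catch {
    "DNS  $cname does not resolve: fix DNS/_msdcs before chasing RPC"
}

# 2. Fixed ports, including the endpoint mapper the post already verified.
foreach ($p in 135, 88, 389, 445, 636, 3268) { "Port {0,-5}: {1}" -f $p, (Test-Port $fqdn $p) }

# 3. The port replication really uses: a static NTDS port if the partner has one configured,
#    otherwise one from its dynamic range. Reading both needs WinRM on the partner (assumed).
$ntdsPort = Invoke-Command -ComputerName $fqdn -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue).'TCP/IP Port'
}
if ($ntdsPort) {
    "NTDS static RPC port $ntdsPort : " + (Test-Port $fqdn $ntdsPort)
} else {
    $range = Invoke-Command -ComputerName $fqdn -ScriptBlock { netsh int ipv4 show dynamicport tcp }
    "No static NTDS port on $fqdn; its dynamic TCP range is:`n$($range -join "`n")"
    "Any firewall between the DCs must allow that whole range, or set a static port on every DC."
}
```

A complementary check that needs no scripting is `portqry -n DC2a -e 135`, which dumps what the partner's endpoint mapper advertises; the entry for the directory replication interface (UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) shows the exact port DC1 is being told to connect to, and that is the port to test.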
Active Directory

How can I start studying Active Directory from the beginning?

LDAPS not working


I was able to connect to LDAPS to access an address book from a multifunction printer and it seems to be working fine with SSL enabled.

I also was able to run the LDP tool locally on the relevant DCs and the bind tests all passed.

People who manage various web apps on the intranet say LDAPS isn't working and that they need to use plain-text LDAP for user login. They just tell us the connection fails.

Not all of our domain controllers are configured for LDAPS, but we gave them the host names and IP addresses of the DCs that have the SSL certificates installed and working. We installed third-party certificates from a major public CA on the DCs so that the certificates should be recognized as coming from a trusted root CA automatically.


Is there anything they need besides a user name and password for an account that has read access to AD plus TCP port 636 connectivity between their server and the domain controller?

How can we verify that everything needed for remote servers to connect is properly configured on our side so that we can either fix those issues or tell them the issue is definitively on their side?
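A bind test with ldp.exe on the DC itself passes even when remote clients cannot validate the certificate, so the useful check is made from another machine, with the same trust a default client has. The following is an added example, not code from the post; the DC name dc01.corp.example is assumed. It tries a strict TLS handshake first, and only if that fails does it reconnect with validation disabled to show what the DC actually offered.

```powershell
# Added example (not from the original post): from any member server, check TCP 636 on a DC,
# attempt the TLS handshake with default trust, and dump the certificate the DC presents.
# The DC name is assumed (hypothetical).
param([string]$DcFqdn = 'dc01.corp.example', [int]$Port = 636)

function Get-LdapsCertificate {
    param([string]$ComputerName, [int]$Port, [switch]$IgnoreErrors)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)   # throws if 636 is closed/filtered
    $ssl = if ($IgnoreErrors) {
        # Accept any certificate: used only to inspect what the server sent after strict mode failed.
        New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    } else {
        New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)  # default chain + name validation
    }
    try {
        $ssl.AuthenticateAsClient($ComputerName)                            # name must match the SAN
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

$accepted = $true
try {
    $cert = Get-LdapsCertificate -ComputerName $DcFqdn -Port $Port
} catch {
    $accepted = $false
    Write-Warning "Strict TLS validation against $DcFqdn failed: $($_.Exception.InnerException.Message)"
    $cert = Get-LdapsCertificate -ComputerName $DcFqdn -Port $Port -IgnoreErrors
}

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }
$eku    = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }

"Accepted by default trust : $accepted"
"Subject                   : $($cert.Subject)"
"Issuer                    : $($cert.Issuer)"
"Valid                     : $($cert.NotBefore) to $($cert.NotAfter)"
"SAN                       : $san"
"Server Authentication EKU : $($eku -contains '1.3.6.1.5.5.7.3.1')"   # the DC only selects certs with this EKU
if ($san -notmatch [regex]::Escape($DcFqdn)) {
    Write-Warning "SAN does not list $DcFqdn; clients must connect using a name in the SAN, never the IP address."
}
```

If "Accepted by default trust" is True from a machine outside your team, the server side is done and the app owners' problem is in their client: most often they connect by IP address (hostname validation fails because the SAN holds DNS names), point at a DC that never got a certificate, or run on a platform whose trust store does not contain the public CA's root. The AuthenticationException message printed by the warning says which of these it is.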


need hotfix kb/2260240

We are raising the functional level on our domain and forest to 2008 R2 but need the hotfix above to cover an old .NET application we have developed.

DNS Server Integration


Hi,

Is there any way to check whether my DNS server is integrated with Active Directory? I hope all the DC servers running the DNS service are integrated with Active Directory. Is that correct or wrong?
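Whether a zone is AD-integrated is a per-zone property (IsDsIntegrated), not a server-wide one, and it can differ between DCs when a zone was created file-backed on one of them. The following is an added example, not code from the post; it needs the DnsServer module (Windows Server 2012 or later, or RSAT) on the machine it runs from and assumes nothing else.

```powershell
# Added example (not from the original post): for every DC in the domain, confirm the DNS role
# answers and list which primary zones are AD-integrated and at what replication scope.
# Requires the DnsServer PowerShell module; no names are assumed.
Import-Module ActiveDirectory
Import-Module DnsServer

$report = @(foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $zones = Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction Stop |
                 Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
        foreach ($z in $zones) {
            [pscustomobject]@{
                DC               = $dc.HostName
                Zone             = $z.ZoneName
                IsDsIntegrated   = $z.IsDsIntegrated     # $true: stored in AD and replicated by AD
                ReplicationScope = $z.ReplicationScope   # Domain / Forest / Legacy; None = file-backed
                DynamicUpdate    = $z.DynamicUpdate      # 'Secure' is only possible on AD-integrated zones
            }
        }
    } catch {
        # Either the DNS role is not installed on this DC or it is unreachable over WMI/WinRM.
        [pscustomobject]@{ DC = $dc.HostName; Zone = '<no DNS server role or unreachable>'
                           IsDsIntegrated = $null; ReplicationScope = $null; DynamicUpdate = $null }
    }
})
$report | Sort-Object Zone, DC | Format-Table -AutoSize

# Zones still file-backed on some DC are the ones to convert.
$report | Where-Object { $_.IsDsIntegrated -eq $false } | ForEach-Object {
    "Not AD-integrated: $($_.Zone) on $($_.DC) (ConvertTo-DnsServerPrimaryZone -ReplicationScope Domain)"
}
```

A zone listed on one DC but missing on others, or shown with different scopes, is the condition to look for: an AD-integrated zone in the Domain or Forest scope appears identically on every DC that hosts DNS, while a file-backed primary exists only where it was created and needs the conversion noted in the output.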


Domain User Cannot Remote to Server 2012


My domain is running on a Server 2016 system, and I also have a Server 2012 system that admins can remote to.

I need to add a new user to allow RDP to the Server 2012 rig. I added the user "Paul" to the built-in Remote Desktop Users group.

This was no use. I am not an administrator on the domain, but I am allowed RDP. I removed myself from the RDP group to test, and I am still able to connect to the 2012 server. I must be missing a setting or group, as nothing is working for me.


Conrad Ryan
