Hi All,
What actually happen when I delete computer account from Active Directory? Will the computer automatically unjoin domain?
Nursyafika
↧
What actually happen when I delete computer account from Active Directory?
↧
Can you reset/modify/unlock same members of account operators?
Hi,
we have a helpdesk team that is under Account Operators group. They can unlock/reset password of users on different OU group, but cannot unlock users belonging on same group. Is this because, account operators is a built in group??
↧
↧
Problems with SID history between domains in forest trust
Hi everybody.
I've got a problem while migrating my domain ressources to another one.
Source domain is A.local (Windows 2008 R2). Target is B.com (Windows 2016).
There is a trust between the two forests, bidirectional and transitive.
I use ADMT to migrate users and groups. While migrating these objects, I check the "Migrate SID History" button.
Before that, I have desactivated the SID filtering between my forests with this command :
- from the source domain : Netdom trust A.local /domain:B.com /enablesidhistory:yes /usero:administrator /passwordo:*
- from the target domain : Netdom trust B.com /domain:A.local /enablesidhistory:yes /usero:administrator /passwordo:*
When I try to access a share from the target domain, with a user who have share and security permissions, there is an
error. I cannot access.
If I modifiy the share settings to allow access to everyone in the source domain, access is ok for my user in the target domain.
And more, If on my source domain share, I put share permissions to the target user (or group), it's not working. If I do the same thing in the target domain, putting share permissions to the source user, everything is working fine.
I've disabled / enabled SID history and SID filtering, nothing changed. Same things after broke and new creation of the trust.
I have checked the user account in the target domain, the SID history is correctly written in the users attributes.
No firewall or AV software on any DC.
Does someone have an idea?
↧
Domain Migration - old domain migrate to new domain with same O365 Tenant
Hello fellow engineers. I have been asking around and looking for 2 different solutions to pave a path to my goal here. Here is a breakdown of my situation:
I currently have a Win 2012 R2 domain that has a lot of history, lots of mystery and I have floated the idea of moving a new fresh forest. I understand the applications an everything that is involved in this type of request but lets just say for entertainment purposes that all of that is good to go. Here is the challenge:
How can I migrate/move from the old domain, to a new one and stay connected to the same O365 tenant?
One idea is creating all the users brand new in the new domain, then making sure the user in O365 is "cloud only" and modifying the UPN and the Immutable Object name for the user. Of course the new domain name would be added to O365 before hand. Is that a valid option?
Second idea was to use ADMT to move the user objects to the new domain, then modifying the users UPN and Immutable Object to make sure it points to the same O365 tenant, but my assumption is that since the user object is migrating that it should hold the attributes values to the O365 tenant.
Maybe there is a third option?
My question to this community of experts is:
1. I opened a ticket with my vendor (Insight) and they have a solution expert who said this is a common thing that happens but to make sure that this is what we want to do and not assume it is easy to perform. But if I need to do this then he suggested option 1. Has anyone done something like this before? How did it go?
2. Anyone do something like this but use a 3rd party tool to do the heavy lifting? How did that go and what was the name of the tool?
Thank you all for your time on this.
↧
Active Directory users and SAS Application
Hello ,
we are preparing to integrate our Active Directory into our SAS application for authetication .the authetication done by a SSO application but i'm worry about active directory users synchronization .im' worry if i change the name for user in active directory then when he is autneticated to do application may be he will lost the history data because the name changed .So the question , how can do even i change the name of user i can keeped the history , witch attribute can not changed even we change the name ?
Regards
↧
↧
DFS
Hello, we use DFSN,R a lot in our company.
I have a situation where I need to replicate a folder called USERS on Server 1 and another folder called USERS on Server 2.
I was doing a test to insure they would merge and not over write anything.
To my surprise DFS will not even let me set it up because the folder name is the same.
How should I be doing this?
↧
Child Domain DCs not Replicating (inboud + outbound replication disabled)
Question:
Can a child DC be forcefully removed from the forest domain manually while maintaining authentication services for the child domain?
I have a forest domain, x.com which is hosting (3) child domains, a.x.com, b.x.com, and c.x.com. The c.x.com DC specified in sites and services has not replicated with the primary forest DC in 5 years and is not reachable. However, the DC is still being used to authenticate users for the c.x.com domain on an isolated network. The unreachable DC is causing new DCs for the forest domain to fail promotion of a global catalog server due to the communication issue with unreachable DC.
Can the record for the unreachable DC be removed from sites and services without impacting authentication attempts by the users on the c.x.com domain?
↧
Bginfo and active directory attributes
Hello,
As you know the "Bginfo" use to set the computer and user information on the workstations standalone or domain users desktop's background wallpaper.
i'm thinking if i can add some of the user AD attributes on the user desktops like their "employeeID".
how can i let the Bginfo sync that attributes with the user AD?
hope you can help me.
↧
PasswordLastSet
I am trying to get PasswordLastSet property from CSV list, I have this script, but it´s not working.
import-csv .\user.csv | ForEach-Object {get-aduser -filter * -properties passwordlastset -Identity $_.samaccountname}| ft Name, passwordlastset | Export-CSV .\results.csv -NoTypeInformation
↧
↧
Replication time and Authoritative or Non-Authoritative Restore
Hi all,
Can anybody tell me what is exact replication time frame when we talk aboutAuthoritative or Non-Authoritative Restore of Active Directory? The key issue here is exact time: "not yet replicated" vs "already replicated" thing. I saw these docs:
Performing an Authoritative Restore of Active Directory Objects
Performing a Nonauthoritative Restore of a Domain Controller
How can I know if it has already replicated if I know the deleted objects have been there for 1h? 2h? 1/2 hour? What's thedefault replication interval?
Can somebody briefly elaborate on "not yet replicated" vs "already replicated" thing when we talk AD restoration of deleted objects?
↧
X.509 certificate based authentication in ADFS
Hi Experts,
I am struggling from past one week for configuring certificate authentication in our ADFS setup.
ADFS SAML with basic authentication (username and password) works fine.
I enabled certificate authentication but when i select option "Sign in using X.509 certificate" it throws error "No valid client certificate found in the request. No valid certificates found in the user's certificate store. Please try again choosing a different authentication method."
I have created user certificate and placed in MMC --> personal but i cant see certificate populated / displayed on ADFS page.
Followed many links but no use.
Could someone pls pls help me on this
1. How and where to create user client certificate
2. Where to place these certificates etc.
Pls help me with detailed document steps how to configure this, how do i get user certificates listed in ADFS page.
Thanks
↧
Error promoting Server 2019 domain controller
Were having an issue attempting to promote a Win 2019 server to a domain controller we get the error:
Error getting the list of sites from the target environment. the user name or password is incorrect.
We have tried using a different domain admin account etc however we have the same issue.
I had an ip assigned through DHCP for the server but suspect it may be a DNS issue.
Anyone have any ideas?
↧
active directory error "-2147016645" occured when looking for global catalogs in forest "domain_name.co.uk": "A local error has occrred"
We are doing windows patching in skype for business servers, when I have done the fail over it was normal, as soon as I was doing Failback this kind of errors occurred
PLease HELP !
↧
↧
Cannot install Additional DC 2016
Hi,
I have a windows server 2016 that ADDS role was installed on that. And I have an additional dc with windows server 2008, too. I'm going to install a windows server 2016 as a second additional domain controller but I got the below error:
Image may be NSFW.
Clik here to view.The server that I want to promote it to the additional domain controller has been joined to the domain and can ping the domain controller. Any help would be appreciated.
Thanks
↧
Recommendation on 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)
Hi
We are in the process of hardening DC security. All our DCs are Windows 2016 (1607) and clients are Windows 2012, 2012 R2 and Windows 10 (1607 & 1803). We found event IDs 2887 & enabled detailed event log (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" with a DWORD value of “2.”), not yet started analyzing the logs.
If we apply this policy at DC level, then do we need to configure at client OU as well? Also what about other appliances in network?
What is the normal suggestion / recommendation to enable this setting?
Thanks in advance
LMS
↧
On-Prem UPN being changed by DC's SYSTEM account
Hi,
I'm in the process of configuring a Server 2012 r2 DC in preparation for O365 SSO with Azure AD Connect. The domain only has 1 DC and the functional level is also set to 2012 r2. As part of this I am changing the UPN for the on-prem accounts to match their email address as follows:
Firstname: Test
Surname: Account
Original Username: TestA
Original UPN: TestA@Domain.domainname.co.nz
SMTP address: test.account@domainname.co.nz
I've added in domainname.co.nz as a suffix and can see it as an option, but when I change the on-prem UPN to be test.account@domainname.co.nz it works correctly and still allows the user to logon, but a short time later I find the UPN reverts itself back to testa@domain.domainname.co.nz.
I've turned on auditing to work out how/when this was happening and can see that an event 4738 is raised from my admin account when I initially change the UPN, and shortly after (always at the same time of the hour, at 37 mins past) this is changed back by the system account, as shown below:
A user account was changed.Subject:
Security ID: SYSTEM
Account Name: servername$
Account Domain:DOMAIN
Logon ID: 0x208C31D6
Target Account:
Security ID: DOMAIN\testuser1
Account Name: testuser1
Account Domain:DOMAIN
Changed Attributes:
SAM Account Name:-
Display Name: -
User Principal Name:testuser1@DOMAIN.DOMAINNAME.CO.NZ
I've checked for scheduled tasks, any services running under this account, and other apps on the server and can't find anything. Has anyone come across this before or have any advice on what else can be checked? It happens regardless of which OU the account is in.
Thanks in advance!
↧
Cannot Create DFS Namespace with error "Specified Server cannot perform the requested operation"
We are trying to configure new file server mirrors with DFS + DFSR on them and our existing file servers in our three environments. Sandbox-Dev-Live. All are under the same domain. I was able to successfully create a namespace from the "new" sandbox-FS02, \\domain.net\sbox\, and had no issues getting replication up and running and all was looking sunny and easy.
In "dev", however, things are not so easy. When attempting to create the \\domain.net\dev namespace, I receive an error error on both dev-fs01 and dev-fs02. For the sake of simplicity here I'm leaving everything default. Not changing anything with shared folder location, details, or path. The shared folder does not exist before creation. Default path of C:\DFSRRoots\Dev is being used. "All Users have Read-Only Permissions" is checked. Domain based, with 2008 mode checked.
The namespace in question has never been successfully created and there are no associated registry entries for the namespace on any DC.
The error in question is as follows:
"\\domain.net\dev: The namespace server \\dev-fs01 cannot be added. The specified server cannot perform the requested operation".
There is no associated EventViewer Log Error, on either file server or any domain controller within the domain.
I have done a lot of troubleshooting already in terms of network connectivity between the servers and the PDC, permissions, verifying NETLOGON shares, AD replication... out of ideas at this point. I can provide any (sanitized) information that is desired about the environment or the error.
↧
↧
Event ID 4 with replication and authentication failures
We have a Windows Server 2012R2 domain controller which generates the error below when attempting to connect to a working domain controller in AD:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was ldap/server.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.LOCAL) is different from the client domain (domain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Site replication is configured to a domain controller which generates the above error when it tries to establish a connection. This is resulting in replication not succeeding. The DC can connect to certain other DCs and not to others.
Repadmin /showreps generates:
******* 1 CONSECUTIVE FAILURESLast error: 1396 (0x574):
The target account name is incorrect.
Naming Context: DC=DomainDnsZones,DC=domain,DC=local
******* WARNING: KCC could not add this REPLICA LINK due to error.
This is also resulting in file share authentication failures to a second trusted domain.
Primary domain authentication for users is successful.
I've reset the faulty DC's computer account by running:
net stop kdcklist purge
netdom resetpwd /server:workingDC.domain.local /userD:domain.local\DomainAdministrator/passwordD:*
net start kdc
That made no difference.
I also started to build a second domain controller for the site, but when selecting the DC to replicate with during the promotion phase, the same errors appear as above, which led me to believe having a second DC wouldn't make a difference.
Any tips would be appreciated :/
↧
metadata cleanup
Hi experts
How to clean up old metadata of the domain controllers which doesnot exists now. Currently i am using Windows 2012 R2 DC. please guide me with the procedure.
How to clean up old metadata of the domain controllers which doesnot exists now. Currently i am using Windows 2012 R2 DC. please guide me with the procedure.
↧
Extract AD permissions
How to extract AD permissions from current AD environment? Is there any script/command available to extract the report?
Thanks in advance.
↧