Channel: Directory Services forum
Viewing all 31638 articles

Grant User Read Access to DNS Server


Hi,

I would like to allow a single user read access only to our DNS server.

On the Security tab of the DNS Server properties, I have added the user with Read only rights.

This does indeed allow him to connect to the DNS server, but what I have found is that he can actually make changes to the Forward Lookup Zones i.e. he can add new host A records and also delete existing records.

When I look at the Effective Access for the user, it comes back to tell me he has nothing but Read access (which is what I would expect), but he can indeed make changes.

Am I missing something here?

Thanks,

Bob


How to enable read-only access to AD integrated DNS for a group of users when they use the DNS Administrative Tool?


Hi, hope you can help.

What is the easiest way to allow a group of users to view AD integrated DNS with the DNS Administrative Tool?

When trying to connect to a DC with the DNS Administrative Tool, the following message is displayed:

Access was denied. Would you like to add it anyway?

So, I'm guessing that means I don't have access.

AD Integrated DNS is being hosted on our Server 2012 R2 DCs and I'd like to give select IT users read-only access to the information in DNS, ideally using the DNS Administrative Tool. It would be great if they could have the same view of DNS that a Domain Admin would have, but a read-only view (so they cannot make any changes).

Functional levels are 2012 R2.

Any feedback is greatly appreciated. Thanks, Joe.
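Added example (PowerShell, not part of either DNS post above): the Security tab on the server node in DNS Manager and the per-zone ACLs are two different things. Records live under each zone's dnsZone object in the DomainDnsZones or ForestDnsZones partition, and Effective Access on the server node never evaluates those objects. By default every AD-integrated zone with secure dynamic updates grants Authenticated Users Create All Child Objects, which is enough to add records through the console, and a record's creator can usually delete it. The script lists the write-capable ACEs on each zone and can grant a group GenericRead on every zone; the DC name and group name are placeholders. Adding people to DNSAdmins is not a read-only answer: that group can change server-level settings including the server plugin DLL, which dns.exe loads as SYSTEM on the DC.

```powershell
# Added example (not from either forum post). Audits the per-zone ACLs of
# AD-integrated zones and can grant a group read-only access to them.
# Requires the ActiveDirectory and DnsServer modules (RSAT) and a domain admin.
Import-Module ActiveDirectory
Import-Module DnsServer

$Dc        = 'dc01.corp.example.com'   # assumption: any DC hosting the zones
$ReadGroup = 'DNS-ReadOnly'            # assumption: sAMAccountName of the viewer group

# Rights that let a principal change zone content rather than only read it.
$WriteLike = [int][System.DirectoryServices.ActiveDirectoryRights](
    'CreateChild, DeleteChild, Delete, DeleteTree, WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll')

function Get-DnsZoneDn {
    # Where the dnsZone object lives depends on the zone's replication scope.
    param($Zone)
    $domainDn = (Get-ADDomain -Server $Dc).DistinguishedName
    $rootDn   = 'DC=' + ((Get-ADForest -Server $Dc).RootDomain -replace '\.', ',DC=')
    switch ($Zone.ReplicationScope) {
        'Domain' { "DC=$($Zone.ZoneName),CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" }
        'Forest' { "DC=$($Zone.ZoneName),CN=MicrosoftDNS,DC=ForestDnsZones,$rootDn" }
        'Legacy' { "DC=$($Zone.ZoneName),CN=MicrosoftDNS,CN=System,$domainDn" }
        default  { $null }   # custom application partitions are not handled here
    }
}

function Get-AdIntegratedZoneDns {
    Get-DnsServerZone -ComputerName $Dc |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
        ForEach-Object { Get-DnsZoneDn $_ } |
        Where-Object { $_ }
}

function Find-DnsZoneWriters {
    # One row per Allow ACE that grants write-like rights on a zone. Expect to see
    # Authenticated Users with CreateChild here: that is the secure dynamic update
    # default, and it is why a "read-only" user can still add records.
    foreach ($dn in Get-AdIntegratedZoneDns) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.ActiveDirectoryRights) -band $WriteLike) -ne 0 } |
            Select-Object @{n='Zone';e={$dn}}, IdentityReference, ActiveDirectoryRights, IsInherited
    }
}

function Grant-DnsZoneRead {
    # Grants GenericRead on each zone object and everything beneath it, nothing more.
    # The group still needs Read on the server node (DNS Manager > server > Security)
    # to be able to connect with the console.
    param([string]$GroupSam = $ReadGroup)
    $sid = (Get-ADGroup -Identity $GroupSam -Server $Dc).SID
    foreach ($dn in Get-AdIntegratedZoneDns) {
        $acl  = Get-Acl -Path "AD:\$dn"
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
        "granted read on $dn"
    }
}

Find-DnsZoneWriters | Format-Table -AutoSize
# Grant-DnsZoneRead   # uncomment after reviewing the output above
```

Run the audit first: if the "read-only" user or Authenticated Users shows up with CreateChild or DeleteChild on a zone, that ACE, not the server-node permission, is what allows the edits. Removing the Authenticated Users CreateChild ACE disables secure dynamic updates for every client, so the usual fix is to leave it and accept that adding records is a domain-user capability, or to move the zone to a more restrictive ACL deliberately.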

Access denied to member of DNSAdmins group


Hello

I added users to the "DNSAdmins" group.
These users need to manage dns records.

When any of these users wants to connect to the DNS server (MMC > DNS > server), they get an access denied error.
The same happens on the command line with dnscmd.exe.

The DNS is running on the DCs. The users should not be able to log on to the DCs.

I added the same users to the "DHCP Admins" group. Here it works fine.

Any suggestions? Thanks!

WiFi & Ethernet


Hi All,

We have a situation where we have a machine with two IP addresses and DNS records. One for WiFi the other for Ethernet. No problem in this as it was designed to have both entries. When a user undocks his machine and switches to wireless it is seamless, however if someone were to ping the machine during the period he is on wireless we would not be getting a reply.

How long a period should it take for an administrator to ping the machine and to get a reply while the client is on wireless?

Any help to resolve this would be greatly appreciated.

Problem with promote windows server 2016 to be a domain controller


Hi,

I've got an error while I was trying to promote windows server 2016 as a domain controller. Here it is:

I've tried this command :

net user Administrator /passwordreq:yes
and set a complex password on the local administrator account, but it didn't solve this error. How can I get rid of this error?

Thanks for your efforts and time.

Best Regards





bulk import / create users


Hello,

I'm looking for a very basic PowerShell script to create some users in bulk.

I found a script but I'm getting some errors; I just want to confirm I'm using the correct syntax.

I already have all my users in a CSV file.
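Added example (PowerShell), not the script the poster was using: creates AD users from a CSV with Import-Csv and New-ADUser, generating a random initial password for each account that must be changed at first logon. The CSV column names, the target OU and the UPN suffix are assumptions; the sample rows in the comment are constructed.

```powershell
# Added example, not the poster's script. Bulk-creates AD users from a CSV.
# Assumed CSV layout (constructed sample; header names must match):
#   GivenName,Surname,SamAccountName,Department
#   Alice,Nguyen,anguyen,Finance
#   Bob,Okafor,bokafor,IT
Import-Module ActiveDirectory

$CsvPath   = 'C:\temp\newusers.csv'                 # assumption
$TargetOu  = 'OU=Staff,DC=corp,DC=example,DC=com'   # assumption
$UpnSuffix = 'corp.example.com'                     # assumption

function New-InitialPassword {
    # One character from each class so the default complexity policy always passes,
    # plus 16 more from the whole alphabet, shuffled. Uses the CSPRNG, not Get-Random,
    # for the characters themselves.
    $sets = @('abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%^&*')
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([string]$set)
        $b = New-Object byte[] 1
        $rng.GetBytes($b)
        $set[$b[0] % $set.Length]   # small modulo bias is acceptable for a one-time password
    }
    $all   = -join $sets
    $chars = @(foreach ($s in $sets) { & $pick $s }) + @(1..16 | ForEach-Object { & $pick $all })
    -join ($chars | Sort-Object { Get-Random })
}

function Import-UsersFromCsv {
    # Returns one object per created user carrying the initial password, so the
    # caller can hand it over out of band. Do not pipe this output into a log file.
    param([string]$Path = $CsvPath, [switch]$WhatIf)
    foreach ($row in Import-Csv -Path $Path) {
        $sam = "$($row.SamAccountName)".Trim()
        # Validate before using the value in a filter: no quotes, no wildcards, <= 20 chars.
        if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            Write-Warning "Skipping row with invalid SamAccountName '$sam'"
            continue
        }
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            Write-Warning "$sam already exists, skipping"
            continue
        }
        $password = New-InitialPassword
        $params = @{
            Name                  = "$($row.GivenName) $($row.Surname)"
            GivenName             = $row.GivenName
            Surname               = $row.Surname
            SamAccountName        = $sam
            UserPrincipalName     = "$sam@$UpnSuffix"
            Path                  = $TargetOu
            AccountPassword       = (ConvertTo-SecureString $password -AsPlainText -Force)
            ChangePasswordAtLogon = $true
            Enabled               = $true
            WhatIf                = $WhatIf
        }
        if (-not [string]::IsNullOrWhiteSpace($row.Department)) { $params.Department = $row.Department }
        try {
            New-ADUser @params -ErrorAction Stop
            [pscustomobject]@{ SamAccountName = $sam; UserPrincipalName = $params.UserPrincipalName; InitialPassword = $password }
        } catch {
            Write-Warning "Failed to create ${sam}: $($_.Exception.Message)"
        }
    }
}

Import-UsersFromCsv -WhatIf            # dry run: shows what would be created
# Import-UsersFromCsv | Format-Table  # real run
```

The two most common causes of "syntax" errors with scripts like this are a header row whose column names do not match the property names used in the script, and an -AccountPassword that is passed as plain text instead of a SecureString; both are handled above.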

Expire a certificate on a single computer


Hello,

We have enrolled a certificate to a group of computers. Now we want to expire the same certificate on a computer to test an application functionality. How can I expire the certificate?

Thank you

Odd process is running named 30000


Hey guys, this screenshot was captured by Autoruns on our AD machine. We noticed that one odd process named 30000 was attempting to run the command "cmd.exe /c "cd /d "%USERPROFILE%" & start cmd.exe /k runonce.exe /AlternateShellStartup", but luckily the file is not found. Would you please advise whether this is expected or not, or have you seen this symptom before? Thanks for your advice.


need hotfix kb/2260240

We are raising the functional level on our domain and forest to 2008 R2 but need the hotfix above to cover an old .NET application we have developed.

Domain User Cannot Remote to Server 2012


My domain is running on a server 2016 system, I also have a server 2012 system that admins can remote to.

I need to add a new user to allow rdp to the server 2012 rig. I added the user "Paul" to the Builtin Remote Desktop Users Group.

This was no use. I am not an administrator on the domain but I am allowed RDP. I removed myself from the RDP group to test and I am still able to connect to the 2012 server. I must be missing a setting or group as nothing is working for me.


Conrad Ryan

DFS Migration

Have 2 servers configured to a DFS link folder (Server A, Server B). Server A is going away and uses a SAN drive. What's the best way for this migration to occur without any data being wiped, etc.?

1. Remove the server from the replication group.
2. Remove the DFS link folder.
3. Unmap the drive from Server A and add it to new Server C.
4. Add Server C to the replication groups and DFS link folders.

Recommendation on 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)


Hi

We are in the process of hardening DC security. All our DCs are Windows 2016 (1607) and clients are Windows 2012, 2012 R2 and Windows 10 (1607 & 1803). We found event ID 2887 and enabled detailed event logging (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, value "16 LDAP Interface Events", DWORD set to 2), but have not yet started analyzing the logs.

If we apply this policy at DC level, then do we need to configure at client OU as well? Also what about other appliances in network?

What is the normal suggestion / recommendation to enable this setting?

Thanks in advance


LMS
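Added example (PowerShell, not from the post above): the "Domain controller: LDAP server signing requirements" policy only changes what the DCs accept. Windows LDAP clients already negotiate signing by default (the client-side counterpart, "Network security: LDAP client signing requirements", defaults to Negotiate signing), so what breaks are simple binds over plain LDAP (Binding Type 1 in event 2889) and SASL binds that do not request signing (Binding Type 0), typically appliances, Linux hosts and third-party applications. With "16 LDAP Interface Events" set to 2, the DC logs event 2889 per client; the script below turns those events into a remediation list before the policy is switched to Require signing. The regex assumes an English event message, and the sample message is constructed.

```powershell
# Added example, not from the post. Run against each DC after the diagnostic
# value has been at 2 long enough to cover the full workload (at least one
# business week, month-end jobs included).
$EventPattern = 'Client IP address:\s*(?<ip>[0-9a-fA-F\.:\[\]]+?):(?<port>\d+)\s+Identity the client attempted to authenticate as:\s*(?<id>.+?)\s+Binding Type:\s*(?<type>\d)'

function ConvertFrom-Ldap2889Message {
    # Pulls client, identity and bind type out of one event 2889 message.
    param([string]$Message, [datetime]$Time, [string]$Dc)
    if ($Message -match $EventPattern) {
        [pscustomobject]@{
            Dc       = $Dc
            Time     = $Time
            ClientIp = $Matches.ip       # IPv4, or IPv6 for dual-stack clients
            Identity = $Matches.id       # DOMAIN\account, or the DN used in a simple bind
            BindType = if ($Matches.type -eq '1') { 'SimpleBindClearText' } else { 'SaslUnsigned' }
        }
    }
}

function Get-UnsignedLdapBinds {
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [datetime]$Since = (Get-Date).AddDays(-7))
    foreach ($dc in $ComputerName) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2889; StartTime = $Since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            ConvertFrom-Ldap2889Message -Message $e.Message -Time $e.TimeCreated -Dc $dc
        }
    }
}

function Get-UnsignedLdapBindSummary {
    # One row per client/identity/bind type, busiest first. SimpleBindClearText rows
    # need LDAPS or StartTLS on the client side; SaslUnsigned rows need signing
    # enabled in the client's LDAP library. Both fail once Require signing is on.
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [datetime]$Since = (Get-Date).AddDays(-7))
    Get-UnsignedLdapBinds -ComputerName $ComputerName -Since $Since |
        Group-Object ClientIp, Identity, BindType |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                ClientIp = $_.Group[0].ClientIp
                Identity = $_.Group[0].Identity
                BindType = $_.Group[0].BindType
                LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } | Sort-Object Count -Descending
}

# Constructed sample message (not a real event) so the parser can be checked offline.
$sample = 'The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.  Client IP address: 10.20.30.40:52011 Identity the client attempted to authenticate as: CORP\svc-scanner Binding Type: 1'
ConvertFrom-Ldap2889Message -Message $sample -Time (Get-Date) -Dc 'DC01'

# Real run across all DCs in the domain:
# Get-UnsignedLdapBindSummary -ComputerName (Get-ADDomainController -Filter *).HostName | Format-Table -AutoSize
```

Event 2889 is only written while the diagnostic value is raised, so the inventory is blind to anything that did not bind during the capture window; the daily 2887 summary count is the sanity check that the per-client events have stopped before enforcing.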


Global Catalog Server

Can we search the objects of other domains through the global catalog if the other domains are shut down? Does this process happen in the background, where the Global Catalog first searches for the object in its index and then sends the query to the object's domain? What happens if the object's domain is shut down in this case?

On-Prem UPN being changed by DC's SYSTEM account


Hi,

I'm in the process of configuring a Server 2012 r2 DC in preparation for O365 SSO with Azure AD Connect.  The domain only has 1 DC and the functional level is also set to 2012 r2.  As part of this I am changing the UPN for the on-prem accounts to match their email address as follows:

Firstname: Test

Surname: Account

Original Username: TestA

Original UPN: TestA@Domain.domainname.co.nz

SMTP address: test.account@domainname.co.nz

I've added in domainname.co.nz as a suffix and can see it as an option, but when I change the on-prem UPN to be test.account@domainname.co.nz it works correctly and still allows the user to logon, but a short time later I find the UPN reverts itself back to testa@domain.domainname.co.nz.

I've turned on auditing to work out how/when this was happening and can see that an event 4738 is raised from my admin account when I initially change the UPN, and shortly after (always at the same time of the hour, at 37 mins past) this is changed back by the system account, as shown below:

A user account was changed.

Subject:
Security ID: SYSTEM
Account Name: servername$
Account Domain:DOMAIN
Logon ID:        0x208C31D6

Target Account:
Security ID: DOMAIN\testuser1
Account Name: testuser1
Account Domain:DOMAIN

Changed Attributes:
SAM Account Name:-
Display Name: -
User Principal Name:testuser1@DOMAIN.DOMAINNAME.CO.NZ

I've checked for scheduled tasks, any services running under this account, and other apps on the server and can't find anything.  Has anyone come across this before or have any advice on what else can be checked?  It happens regardless of which OU the account is in.

Thanks in advance!



Bginfo and active directory attributes


Hello,

As you know, BgInfo is used to show computer and user information on the desktop background wallpaper of standalone workstations or domain users' desktops.

I'm wondering whether I can add some of the user's AD attributes to the user desktops, like their "employeeID".

How can I make BgInfo read those attributes from the user's AD object?

hope you can help me.



AADConnect User & Resource Forest Sync


User Forest: users.com (1000 enabled users)

Resource Forest: resources.com (200 enabled users, 800 linked mailboxes)

I need to sync (and merge) to Azure AD for Office 365.

AADConnect Import Rules Precedence should be:

P1: User Join (users.com) - source of authority
P2: User Join (resources.com)
P3: User Exchange (resources.com) - contains correct Exchange attributes
P4: User Exchange (users.com)

I need to also ensure Mail and Proxy attributes only come from Resource forest and aren't overwritten.

1. Can I simply set:

P5: User Common (resources.com)
P6: User Common (users.com)


My concern here is that UPN would come from resources.com instead of users.com (it is a User Common attribute).

2. Or do I simply remove the Mail and Proxy Attributes from User Common (users.com).

CA migration: SHA1 to SHA2 in Windows 2016 OS


Hi,

We currently have a single Root CA (AD integrated) in our organization and it uses SHA-1. We have issued some certificates internally using this CA, so now we need to migrate the certificate from SHA-1 to SHA-2.

We have tested the migration in our test environment by using the command below:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Once we ran this command, we observed that the thumbprint algorithm is still SHA1 after the upgrade of the CA from SHA1 to SHA2, although the signature and signature hash algorithm are SHA256.

The other thing is that we need to migrate the certificates which were issued using SHA1 to SHA2. What are the recommended steps for that?
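Added example (PowerShell, not from the post above). Two facts explain what the poster saw. The thumbprint shown in the certificate store is a SHA-1 hash of the whole certificate computed by the viewer; it is not a field in the certificate and does not change when the CA starts signing with SHA-256, so "Thumbprint algorithm: sha1" is expected. And the CNGHashAlgorithm setting only affects certificates signed after the change: the CA's own certificate stays SHA-1-signed until it is renewed, and already-issued leaf certificates are never re-signed in place, they have to be re-issued. The script checks the CA's provider and hash setting (the setting is only honoured when the key is held by a KSP; a legacy CSP key has to be migrated to a KSP first) and lists certificates on a host that still carry SHA-1 signatures from the internal CA. The CA issuer name is an assumption and the certutil output parsing assumes English certutil.

```powershell
# Added example, not from the post. Run Get-CaHashConfig on the CA itself;
# Get-Sha1SignedCerts on any host that holds certificates from the CA.
$CaIssuerMatch = 'CN=Corp-Root-CA'   # assumption: substring of the CA's issuer DN

function Get-CertutilRegValue {
    # Parses one REG_SZ value out of "certutil -getreg" output (English certutil assumed).
    param([string]$Path, [string]$Name)
    $line = certutil -getreg $Path 2>$null | Select-String "^\s*$Name\s+REG_SZ\s*=\s*(.+)$"
    if ($line) { $line.Matches[0].Groups[1].Value.Trim() }
}

function Get-CaHashConfig {
    $provider = Get-CertutilRegValue 'ca\csp\Provider' 'Provider'
    $hash     = Get-CertutilRegValue 'ca\csp\CNGHashAlgorithm' 'CNGHashAlgorithm'
    [pscustomobject]@{
        Provider      = $provider
        # CNGHashAlgorithm is only honoured when the CA key is in a KSP such as
        # "Microsoft Software Key Storage Provider". A legacy CSP such as
        # "Microsoft Strong Cryptographic Provider" means the key must be migrated first.
        IsKsp         = ($provider -like '*Key Storage Provider*')
        HashAlgorithm = $hash
    }
}

function Get-Sha1SignedCerts {
    # SignatureAlgorithm is what the CA setting changes (sha1RSA -> sha256RSA), and
    # only for certificates signed after the change. Thumbprint is always SHA-1 of
    # the DER blob; a SHA-256 fingerprint is computed here for comparison only.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like "*$CaIssuerMatch*" -and $_.SignatureAlgorithm.FriendlyName -like 'sha1*' } |
        ForEach-Object {
            [pscustomobject]@{
                Subject            = $_.Subject
                SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                Thumbprint         = $_.Thumbprint
                Sha256Fingerprint  = ([BitConverter]::ToString($sha256.ComputeHash($_.RawData))) -replace '-'
                NotAfter           = $_.NotAfter
            }
        }
}

Get-CaHashConfig
Get-Sha1SignedCerts | Format-Table -AutoSize
```

Order of operations after the check passes: restart CertSvc so the new hash takes effect, renew the CA certificate with the existing key (certutil -renewCert ReuseKeys, or Renew CA Certificate in the MMC) so the root itself is SHA-256-signed, then re-issue the leaves. For autoenrolled templates, Reenroll All Certificate Holders on the template bumps its version and makes clients request new certificates; manually enrolled ones have to be requested again. Windows does not validate the self-signature on a trusted root, so the leaf re-issue is the part that matters for SHA-1 deprecation.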


LDAP query to add ForeignSecurityPrincipals to a group


Hello,

I've been trying for a few days now to add people from AD1 to a domain local security group in AD2, where there's a trust between AD1 and AD2.

In the GUI it worked perfectly well, and the people I already added to a group can be added to any other group because I can find their SID somewhere under CN=ForeignSecurityPrincipals,DC=MyAD2,DC=ads.

Adding them to other security groups is just a matter of finding the right SID. I need to build their AD2 local DN by replacing the SID in CN={sid},CN=ForeignSecurityPrincipals,DC=MyAD2,DC=ads and update the group by adding a member attribute value.

My problem is when the person is not yet used in AD2: the SID is nowhere in ForeignSecurityPrincipals and I can't reproduce the magic that is done in the UI.

I tried it in PowerShell hoping to capture an LDIF or something that would help, but I discovered the existence of ADWS (https://social.technet.microsoft.com/Forums/en-US/fcdb56de-2422-49ed-a7c1-093fa9542c60/adws-with-http-binding-and-access-from-a-java-client?forum=winserverDS)

I'm not confident in using ADWS with my Java stack but I could give it a try with a little help...

Have you any idea how I could make sure SIDs are imported into FSP?
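Added example (PowerShell, not from the post above). The "magic" the UI does is to write the new member value in the <SID=S-1-5-21-...> form; the DC then creates the foreignSecurityPrincipal object under CN=ForeignSecurityPrincipals itself. The same string is a valid member attribute value in a plain LDAP modify from any client, Java included, so no ADWS is needed. The script resolves the account's SID in the trusted domain rather than trusting a hand-typed value, performs the add through ADSI (which issues exactly that LDAP modify), and then shows the FSP DN that now exists. Only domain local groups can hold principals from a trusted forest. Host names, the group DN and the account name are assumptions.

```powershell
# Added example, not from the post. Raw LDAP equivalent of what Add-ForeignSidToGroup does:
#   dn: CN=App-Readers,OU=Groups,DC=MyAD2,DC=ads
#   changetype: modify
#   add: member
#   member: <SID=S-1-5-21-111-222-333-1104>
Import-Module ActiveDirectory

$Ad1Dc   = 'dc1.ad1.example'                             # assumption: a DC in the trusted domain AD1
$GroupDn = 'CN=App-Readers,OU=Groups,DC=MyAD2,DC=ads'   # assumption: domain local group in AD2

function Get-TrustedPrincipalSid {
    # Resolve the SID in the source domain; validate the name before using it in a filter.
    param([string]$SamAccountName)
    if ($SamAccountName -notmatch '^[A-Za-z0-9._$-]{1,20}$') { throw "invalid sAMAccountName: $SamAccountName" }
    $obj = Get-ADObject -Server $Ad1Dc -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid
    if (-not $obj) { throw "$SamAccountName not found via $Ad1Dc" }
    $obj.objectSid.Value
}

function Add-ForeignSidToGroup {
    # Adds the member by SID. Only domain-principal SIDs are accepted so a typo cannot
    # add a well-known or local SID to the group.
    param([string]$Sid, [string]$GroupDistinguishedName = $GroupDn)
    if ($Sid -notmatch '^S-1-5-21(-\d+){4}$') { throw "not a domain principal SID: $Sid" }
    $group = [ADSI]"LDAP://$GroupDistinguishedName"
    $group.Add("LDAP://<SID=$Sid>")
}

function Get-ForeignSecurityPrincipalDn {
    # After the add, the FSP exists as CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN>.
    param([string]$Sid)
    $domainDn = (Get-ADDomain).DistinguishedName
    $fsp = Get-ADObject -Identity "CN=$Sid,CN=ForeignSecurityPrincipals,$domainDn" -ErrorAction SilentlyContinue
    if ($fsp) { $fsp.DistinguishedName }
}

$sid = Get-TrustedPrincipalSid -SamAccountName 'jdoe'   # assumption: account in AD1
Add-ForeignSidToGroup -Sid $sid
Get-ForeignSecurityPrincipalDn -Sid $sid
```

Once the FSP exists, later adds can use either form; the <SID=...> form is simply the one that works whether or not the FSP is already there, which is what the GUI relies on.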

Sending Windows Events to a Linux Syslog Server


I am trying to configure Windows Domain Controllers to send all events to a Linux syslog server (syslog-ng). Configured the Subscription Manager group policy to point to the URL of the syslog server to port 5985. But it is not working... have tried entering the Root and Intermediate thumbprint in the value of the subscription manger connection string.

Getting this error in the Event Viewer "Eventlog-ForwardingPlugin" 

The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxx. <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

Somehow, I don't think it is a certificate issue at this point.

Domain admin account getting locked every 5 minutes, Caller Computer Name:_MSTSC


Hi,

A really annoying case.

A very important account, member of domain admins, gets locked every 5 or so minutes

When I go to our 2008 R2 DC to find the source (Event ID 4740, then the reason: scheduled task, script, RDP or ...), it says

Caller Computer Name:    MSTSC

Domain administrator (the default account) also gets locked with this reason many times a day

Searched so much on the net. no chance.

Any help?

Thanks
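Added example (PowerShell, not from the post above): the Caller Computer Name in event 4740 is whatever workstation name was sent with the failed authentication, so a value like MSTSC only says the credential arrived through an RDP client, not which machine it came from. The address is in the failure events on the DCs: 4771 (Kerberos pre-authentication failed, Client Address, status 0x18 for a bad password) and 4776 (NTLM credential validation failed, Source Workstation, status 0xC000006A). The script reads the 4740 lockouts from the PDC emulator, collects 4771/4776 for the account from every DC, and reports the sources seen in the minutes before each lockout. The account name is an assumption.

```powershell
# Added example, not from the post. Correlates 4740 lockouts with the 4771/4776
# bad-password events that preceded them. Needs read access to the Security log
# on every DC (Event Log Readers, or domain admin).
Import-Module ActiveDirectory

$Account       = 'svc-admin'   # assumption: sAMAccountName of the locked account
$WindowMinutes = 10

function Get-EventData {
    # Returns the EventData fields of an event as a hashtable keyed by field name,
    # which is more robust than relying on Properties[] positions.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-AccountLockouts {
    # 4740 is always written on the PDC emulator, whichever DC saw the bad passwords.
    param([string]$User = $Account, [datetime]$Since = (Get-Date).AddDays(-1))
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.TargetUserName -ieq $User) {
                [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $d.TargetDomainName; Pdc = $pdc }
            }
        }
}

function Get-BadPasswordSources {
    # 4771 carries the client IP (often as ::ffff:10.1.2.3); 4776 carries the
    # workstation name the NTLM client claimed, which can be spoofed or empty.
    param([string]$User = $Account, [datetime]$Since = (Get-Date).AddDays(-1))
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $Since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = Get-EventData $e
            if ((("$($d.TargetUserName)" -split '@')[0]) -ine $User) { continue }
            $isKrb = ($e.Id -eq 4771)
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Dc       = $dc
                Protocol = if ($isKrb) { 'Kerberos' } else { 'NTLM' }
                Source   = if ($isKrb) { $d.IpAddress } else { $d.Workstation }
                Status   = $d.Status   # 0x18 (Kerberos) / 0xC000006A (NTLM) mean wrong password
            }
        }
    }
}

function Get-LockoutSources {
    # One row per lockout listing the sources that failed in the preceding window.
    param([string]$User = $Account)
    $sources = @(Get-BadPasswordSources -User $User)
    foreach ($lock in Get-AccountLockouts -User $User) {
        $before = $sources | Where-Object { $_.Time -le $lock.Time -and $_.Time -ge $lock.Time.AddMinutes(-$WindowMinutes) }
        [pscustomobject]@{
            LockoutTime    = $lock.Time
            CallerComputer = $lock.CallerComputer
            Sources        = ($before | Group-Object Source | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        }
    }
}

Get-LockoutSources | Format-Table -AutoSize
```

A source that repeats every few minutes with a stale password is the usual finding: a disconnected RDP session, a saved credential in Credential Manager, a mapped drive or a scheduled task on that host. For the built-in Administrator account the same query works; the difference is that renaming or disabling that account is not an option, so the source has to be found and fixed.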
