Channel: Directory Services forum

managed by


Hi

We have a scenario where every user logs in to only one PC:

user1 - computer1

user2 - computer2

1. When we set "Log On To" for a user, they can log in but are unable to log in to the mail server (OWA), and we have to add our Exchange server for the user.

2. When we set "Managed By" for a computer, that never works.

How can I do this?

Thank you in advance


Domain Join Issues - 'Exceeded the maximum number of computer accounts'


Hi,

I have a strange issue where I’m seeing support staff running out of attempts to add machines to the domain.

They receive the error "Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased”.

The users who are seeing this issue are being granted domain join rights via a GPO applied to the ‘Default Domain Controllers’ policy.

In this policy, under Windows Settings > Security Settings > Local Policies > User Rights Assignment, we have added a group named 'Domain Join' to the policy 'Add workstations to domain'.

We then add our support staff into the group ‘Domain Join’.

When I look at effective access for the default 'Computers' container in AD for the affected user accounts, it does show that they have 'Create All Child Objects' and 'Create Computer Objects'.

Is there anything obvious that I am missing here, or does it seem that this has been setup correctly?

Many thanks
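
The error text quoted above is the one Windows returns when a join is refused by the per-user quota rather than by an ACL. The quota (ms-DS-MachineAccountQuota, default 10) only applies to joins made under the 'Add workstations to domain' user right; each such join stamps the new computer object with the joiner's SID in mS-DS-CreatorSID, and that is what the DC counts. A user who holds an explicit Create-Computer-objects ACE on the target container is not charged against the quota at all. The following PowerShell is an added example, not code from the post: it reads the quota, lists who has already been charged against it, and shows which principals actually hold an explicit create-computer ACE on the Computers container. 'Domain Join' is the poster's group name; everything else is read from the directory.

```powershell
# Added example (not from the original post): diagnose "exceeded the maximum
# number of computer accounts" by checking the quota and the explicit ACE.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota (Windows default is 10)"

function ConvertTo-Sid($value) {
    # The AD module hands mS-DS-CreatorSID back as bytes (octet-string syntax).
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value }
    return New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$value), 0)
}

# Joins that were charged against the quota: computer objects stamped with a creator SID.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' |
    Group-Object { (ConvertTo-Sid $_.'mS-DS-CreatorSID').Value } |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.Name
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
        [pscustomobject]@{ Creator = $who; JoinsCharged = $_.Count; AtQuota = ($_.Count -ge $quota) }
    } | Sort-Object JoinsCharged -Descending | Format-Table -AutoSize

# Does the container where joins land carry an explicit 'Create computer objects' ACE?
# The class GUID is looked up from the schema rather than hard-coded.
$schemaDn      = (Get-ADRootDSE).schemaNamingContext
$computerClass = [guid](Get-ADObject -SearchBase $schemaDn -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$target        = "CN=Computers,$($domain.DistinguishedName)"   # or the OU your joins are redirected to

(Get-Acl -Path "AD:\$target").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'CreateChild' -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited | Format-Table -AutoSize

# Hardening step once the 'Domain Join' group has its explicit ACE: stop every other
# authenticated user from adding machines at all (the quota is a well-known abuse path).
# Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

If the 'Domain Join' group does not appear in the ACE listing, the effective-access view was reporting something inherited or computed, and the joins are still running under the user right and its quota; delegating 'Create Computer objects' on the container (or on the OU that joins are redirected to) is what removes the limit for that group.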

userAccountControl attribute missing


Hello All,

I have been trying to implement a PowerShell script that I used at a different company in the domain at my current job.

The script is pretty simple. It searches for users that are supposed to belong to a group and adds them if they are missing.

I am using a filter to ensure that this only works on user accounts that are not disabled; however, this is where I ran into the problem in this domain. 90% of the user accounts do not come back with the "Enabled" property. When I investigated I also found that these accounts do not have any value for the userAccountControl attribute (missing in ADSI Edit).

I was under the impression that the userAccountControl attribute cannot be missing or null.

If that is not the case, how can I find disabled accounts that are missing the userAccountControl attribute?

Any help with this would be great! Thanks in advance.
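
The following is an added example, not the poster's script. It finds disabled users with a server-side bit test on userAccountControl (so the filter does not depend on the AD module's derived Enabled property), lists the objects whose userAccountControl reads back empty through the AD module, and then re-reads a sample of those objects over plain LDAP and inspects their ACL for a deny on that attribute, so a permission problem on the attribute (a common reason a mandatory attribute "looks" missing to one account but not to another) can be told apart from a genuinely odd object. The search base defaults to the whole domain, which is an assumption.

```powershell
# Added example (not from the original post): disabled-user search that does not rely
# on the 'Enabled' property, plus checks for objects whose userAccountControl reads empty.
Import-Module ActiveDirectory

$UF_ACCOUNTDISABLE = 0x2
$searchBase = (Get-ADDomain).DistinguishedName
$userFilter = '(&(objectCategory=person)(objectClass=user))'

# 1. Disabled accounts: LDAP_MATCHING_RULE_BIT_AND on the disable bit, evaluated by the DC.
$disabled = Get-ADUser -LDAPFilter "(&$userFilter(userAccountControl:1.2.840.113556.1.4.803:=$UF_ACCOUNTDISABLE))" `
                       -SearchBase $searchBase -Properties userAccountControl

# 2. Accounts whose userAccountControl is not readable by the calling account.
$all     = Get-ADUser -LDAPFilter $userFilter -SearchBase $searchBase -Properties userAccountControl
$missing = @($all | Where-Object { $null -eq $_.userAccountControl })

# 3. Independent read of the same attribute via System.DirectoryServices.
function Get-UacDirect([string]$DistinguishedName) {
    $entry = [adsi]"LDAP://$DistinguishedName"
    $entry.psbase.RefreshCache(@('userAccountControl'))
    return $entry.psbase.Properties['userAccountControl'].Value
}

# 4. Attribute GUID, looked up from the schema, for the ACL check below.
$schemaDn = (Get-ADRootDSE).schemaNamingContext
$uacGuid  = [guid](Get-ADObject -SearchBase $schemaDn -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID).schemaIDGUID

"Users total: {0}; disabled (bit 0x2 set): {1}; empty userAccountControl: {2}" -f $all.Count, $disabled.Count, $missing.Count

foreach ($u in ($missing | Select-Object -First 5)) {
    $denies = (Get-Acl -Path "AD:\$($u.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ActiveDirectoryRights -match 'ReadProperty' -and
            ($_.ObjectType -eq $uacGuid -or $_.ObjectType -eq [guid]::Empty)
        } | ForEach-Object { $_.IdentityReference.Value }
    [pscustomobject]@{
        User       = $u.SamAccountName
        DirectLdap = Get-UacDirect $u.DistinguishedName   # non-null here means the module read was the problem
        ReadDenied = (@($denies) -join ';')
    }
}
```

Run it once as the account the script normally uses and once as a Domain Admin; if the "empty userAccountControl" count differs between the two runs, the attribute is present and the script's account simply cannot read it.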

test lab and bulk settings


Hello,

I would like to create a test lab with bulk settings. I don't want to create every single group, user, OU, and shared folder with its user rights manually, nor would I like to invent the names myself.

Are there any default scripts or files available for download somewhere that automatically create folders with names and the right groups, user accounts, ...?

Many thanks for any help.

Script to pull lastpwdchange on Windows Server 2012


Hello, I would like to get the following information from a Windows Server 2012. The accounts are local server accounts:

(AccountID/AccountName/AccountDesc/PwdLastSetTime/PasswordLastSetDate/PwdExpirationAge/DaysUntilExpiration/TypeofAccount/AccountAccessLevel) in either a (.csv/.txt/excel format).

Thank you all for your help.
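
An added example, not from the original post, that produces the columns asked for above. It uses the WinNT ADSI provider, which works on the PowerShell 3.0 that Windows Server 2012 ships with (Get-LocalUser requires 5.1). The password age and the effective maximum password age both come from the provider in seconds; "access level" is derived from membership of the local Administrators group. The output path is an assumption.

```powershell
# Added example (not from the original post): local-account password report for a
# Windows Server 2012 host via the WinNT ADSI provider, exported to CSV.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$OutFile      = "$env:TEMP\local-accounts.csv"
)

$UF_ACCOUNTDISABLE     = 0x00002
$UF_DONT_EXPIRE_PASSWD = 0x10000
$now = Get-Date

$computer = [adsi]"WinNT://$ComputerName,computer"
$admins   = [adsi]"WinNT://$ComputerName/Administrators,group"
$adminNames = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

$report = foreach ($u in $computer.psbase.Children) {
    if ($u.psbase.SchemaClassName -ne 'user') { continue }
    $p         = $u.psbase.Properties
    $name      = [string]$p['Name'].Value
    $flags     = [int]$p['UserFlags'].Value
    $pwdAgeSec = [int]$p['PasswordAge'].Value      # seconds since the password was last set
    $maxAgeSec = [int]$p['MaxPasswordAge'].Value   # effective local password policy, in seconds
    $lastSet   = $now.AddSeconds(-$pwdAgeSec)
    $neverExp  = ($flags -band $UF_DONT_EXPIRE_PASSWD) -ne 0 -or $maxAgeSec -le 0
    $sid       = $null
    try { $sid = (New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$p['objectSid'].Value), 0)).Value } catch { }

    [pscustomobject]@{
        AccountID           = $sid
        AccountName         = $name
        AccountDesc         = [string]$p['Description'].Value
        PwdLastSetTime      = $lastSet.ToString('yyyy-MM-dd HH:mm:ss')
        PasswordLastSetDate = $lastSet.ToString('yyyy-MM-dd')
        PwdExpirationAge    = if ($neverExp) { 'never' } else { [math]::Round($maxAgeSec / 86400, 1) }
        DaysUntilExpiration = if ($neverExp) { $null }   else { [math]::Round(($maxAgeSec - $pwdAgeSec) / 86400, 1) }
        TypeOfAccount       = if (($flags -band $UF_ACCOUNTDISABLE) -ne 0) { 'Disabled' } else { 'Enabled' }
        AccountAccessLevel  = if ($adminNames -contains $name) { 'Administrator' } else { 'Standard user' }
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
$report | Format-Table -AutoSize
```

A negative DaysUntilExpiration means the password is already past the policy maximum; a row with PwdExpirationAge of 'never' and AccountAccessLevel of 'Administrator' is the combination worth reviewing first.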

Error Message while renaming the AD domain "Failed to delete rename script on the DN"

Hi,

I am trying to do a domain rename. I am not able to finalize the domain rename. When I executed rendom /end I got this error message:

Failed to delete rename script on the DN: CN=Partitions,CN=Configuration,DC=almohanna on host SRV10.almohanna.sa.
00002077: SvcErr: DSID-030F0EBF, problem 5003 (WILL_NOT_PERFORM), data 0: Cannot complete this function. :1003

Sending Windows Events to a Linux Syslog Server


I am trying to configure Windows domain controllers to send all events to a Linux syslog server (syslog-ng). I configured the Subscription Manager group policy to point to the URL of the syslog server on port 5985, but it is not working. I have tried entering the Root and Intermediate thumbprints in the value of the Subscription Manager connection string.

I'm getting this error in the Event Viewer under "Eventlog-ForwardingPlugin":

The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxxns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

Somehow, I don't think it is a certificate issue at this point.

AADConnect User & Resource Forest Sync


User Forest: users.com (1000 enabled users)

Resource Forest: resources.com (200 enabled users, 800 linked mailboxes)

I need to sync (and merge) to Azure AD for Office 365.

AADConnect Import Rules Precedence should be:

P1: User Join (users.com) - source of authority
P2: User Join (resources.com)
P3: User Exchange (resources.com) - contains correct Exchange attributes
P4: User Exchange (users.com)

I need to also ensure Mail and Proxy attributes only come from Resource forest and aren't overwritten.

1. Can I simply set:

P5: User Common (resources.com)
P6: User Common (users.com)


My concern here is that UPN would come from resources.com instead of users.com (it is a User Common attribute).

2. Or do I simply remove the Mail and Proxy Attributes from User Common (users.com).


Kerberos issue with Jenkins windows slaves



I've been trying to figure out the differences between testa01 (success) and testa02 (failure), and it looks like testa02 doesn't have Kerberos set up properly.

In testa01, when I visit jenkins.factset.com (or is.factset.com) as svc-hudson I am authenticated properly. However, in testa02 I get prompted for credentials.

I can also see Kerberos errors in the event viewer after enabling Kerberos event logging in testa02.

Kindly let us know how to resolve the issue.

We are receiving Event 3 (Security-Kerberos) continuously in the logs.

SSO from remote as user from child domain?


I have an application that uses Windows authentication. We created several child domains, one for each department, and one root domain.

For example:

                   company.com
                      /           \
dep1.company.com   dep2.company.com

Each department has its own subnet and domain controller. The users did not actually join the domain. The computers are already in another domain from an independent organisation, and they only need to log in to the application with the logins provided by us from the corresponding child domain.
This looks something like this:

Sorry, can't add an image.
(https://social.technet.microsoft.com/Forums/getfile/1427308)

The remote user (user@contoso.com) has the credentials stored in the access credential manager in order to make SSO possible.

What I suspect is that the SQL Server can't find the user@dep1.company.com account in the child domain. At least SQL shows an error in the event viewer:

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: <named pipe>]

I double-checked that every account exists, that the account has not been locked, and that the password does not need to be changed.

There are transitive trusts between the root domain and all child domains, and one between app.company.com and dep1.company.com.
I tried adding a foreign security principal.
Added an alias in the SQL Native Client 11.0 Configuration.
Added an ODBC bridge client side.
Altered "Access this computer from the network" in secpol.msc.
Both the server and the application server have permission to delegate (AD -> Computer objects -> Delegation).

I found a lot online but nothing has worked for me. I am a lost sysadmin and have reached Google page 2.
Any help is much appreciated.

Recommendation on 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)


Hi

We are in the process of hardening DC security. All our DCs are Windows Server 2016 (1607) and clients are Windows Server 2012, 2012 R2 and Windows 10 (1607 & 1803). We found event ID 2887 and enabled detailed event logging (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, "16 LDAP Interface Events" set to a DWORD value of 2), but have not yet started analyzing the logs.

If we apply this policy at the DC level, do we need to configure it at the client OU as well? Also, what about other appliances on the network?

What is the normal suggestion / recommendation for enabling this setting?

Thanks in advance


LMS
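
'Require signing' on the DC makes the LDAP server reject SASL binds that do not negotiate signing and simple binds sent in cleartext on port 389; LDAPS and signed binds are unaffected. Event 2887 is only the daily count of such binds, while event 2889 (emitted once "16 LDAP Interface Events" is at 2, as described above) names each client address, the identity it bound as, and the binding type, so the 2889 stream is the list of things that will break when the policy flips. The following PowerShell is an added example, not part of the post: it pulls 2889 from the Directory Service log of every DC and collapses the events into one row per client and identity. It assumes WinRM/RPC access to each DC from the machine running it, and parses the message text so it does not depend on the order of the event's insertion strings.

```powershell
# Added example (not from the original post): inventory unsigned / cleartext LDAP
# binds from event 2889 across all DCs before enabling 'Require signing'.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$rows = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $m   = $e.Message
        $ip  = if ($m -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' } else { '?' }
        $who = if ($m -match 'Identity the client attempted to authenticate as:\s*(.+?)\r?\n') { $Matches[1].Trim() } else { '?' }
        # Binding Type per Microsoft's 2889 description: 0 = SASL bind without signing, 1 = simple bind in cleartext
        $typ = if ($m -match 'Binding Type:\s*(\d)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ DC = $dc; Time = $e.TimeCreated; ClientIP = $ip; Identity = $who; BindingType = $typ }
    }
}

$rows | Group-Object ClientIP, Identity, BindingType | ForEach-Object {
    $parts = $_.Name -split ', '
    [pscustomobject]@{
        ClientIP    = $parts[0]
        Identity    = $parts[1]
        BindingType = $parts[2]
        Binds       = $_.Count
        LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
        DCs         = (($_.Group.DC | Select-Object -Unique) -join ';')
    }
} | Sort-Object Binds -Descending | Format-Table -AutoSize
```

Windows clients with the default 'Network security: LDAP client signing requirements' of 'Negotiate signing' will not appear in this list; the rows that do appear are typically appliances, Linux hosts and applications configured for a plain simple bind, and each needs to move to LDAPS (636) or to a signing-capable SASL bind before the DC policy is set.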


Expire a certificate on a single computer


Hello,

We have enrolled a certificate to a group of computers. Now we want to expire the same certificate on one computer to test application functionality. How can I expire the certificate?

Thank you

problem consistently accessing group policy objects from \\.edu\SYSVOL


Hello Experts,

We are a Windows domain environment with the DNS service running on all 3 of our domain controllers: DC1, DC2, and DC3. Our domain name is the same as our website name. Our DCs with the DNS service have A records that point <domain>.edu to DC1's IP address, DC2's IP address, and DC3's IP address, so when we UNC path over to \\<domain>.edu\SYSVOL, we can always see the NETLOGON and SYSVOL folders and pull down group policy objects from one of the 3 domain controllers.

A previous administrator added a static A record for <domain>.edu pointing it to our web server's IP address, so that when you type <domain>.edu (without the www) into the web browser, you would get redirected to www.<domain>.edu. This "worked" for the website, but also broke a lot of other group policy-related stuff.

My question is, how can we make it so that group policy works consistently and we can consistently access the SYSVOL folder, AND also so that if someone types <domain>.edu into the browser they get redirected to www.<domain>.edu? Do we need to install a web server on our domain controllers to redirect web traffic on ports 80 and 443, or is there a more elegant solution?

Windows Server 2008R2 Unable to dcpromo new Domain Controllers on Samba4 Network


I am working on a network of Samba4 domain controllers. I would like to add new Windows Server 2008 R2 domain controllers and then demote the Linux Samba4 domain controllers.

Initially I successfully added 3-4 domain controllers without problems. Suddenly, when I was adding the last one, I started to have the following problem. This happens even if I create a new VM and try to dcpromo on the new machine, so I cannot dcpromo on new machines. I also deleted the old machines where dcpromo worked and demoted them.

I can go through dcpromo until the directory replication. It always replicates all the objects but the last one, and every time I repeat this operation the number of objects to replicate grows. So at this point dcpromo stalls and stops responding.

I already tried to clean entries and dirty data on the other domain controllers.

This is the log (translated from Italian):

04/19/2019 11:45:28 [INFO] Operation on the domain controller completed.
04/19/2019 11:45:28 [INFO] DsRolepSetOperationDone returned 0
04/19/2019 11:45:57 [INFO] Promotion request for replica domain controller
04/19/2019 11:45:57 [INFO] DnsDomainName  samdom.xxx.it
04/19/2019 11:45:57 [INFO]     ReplicaPartner  xxx.samdom.xxx.it
04/19/2019 11:45:57 [INFO]     SiteName  Default-First-Site-Name
04/19/2019 11:45:57 [INFO]     DsDatabasePath  C:\Windows\NTDS, DsLogPath  C:\Windows\NTDS
04/19/2019 11:45:57 [INFO]     SystemVolumeRootPath  C:\Windows\SYSVOL
04/19/2019 11:45:57 [INFO]     Account samdom.xxx.it\administrator
04/19/2019 11:45:57 [INFO]     Options  1179840
04/19/2019 11:45:57 [INFO] Validate supplied paths
04/19/2019 11:45:57 [INFO] Validating path C:\Windows\NTDS.
04/19/2019 11:45:57 [INFO]     Path is a directory
04/19/2019 11:45:57 [INFO]     Path is on a fixed disk drive.
04/19/2019 11:45:57 [INFO] Validating path C:\Windows\NTDS.
04/19/2019 11:45:57 [INFO]     Path is a directory
04/19/2019 11:45:57 [INFO]     Path is on a fixed disk drive.
04/19/2019 11:45:57 [INFO] Validating path C:\Windows\SYSVOL.
04/19/2019 11:45:57 [INFO]     Path is on a fixed disk drive.
04/19/2019 11:45:57 [INFO]     Path is on an NTFS volume
04/19/2019 11:45:57 [INFO] Start the worker task
04/19/2019 11:45:57 [INFO] Request for promotion returning 0
04/19/2019 11:45:57 [INFO] Forcing time sync
04/19/2019 11:45:57 [INFO] Forcing time synchronization with xxx.samdom.xxx.it
04/19/2019 11:45:58 [INFO] Searching for a domain controller for domain samdom.xxx.it that contains the account DCXXX03$
04/19/2019 11:45:59 [INFO] Found domain controller xxx.samdom.xxx.it for domain samdom.xxx.it.
04/19/2019 11:45:59 [INFO] Directing kerberos authentication to xxx.samdom.xxx.it returns 0
04/19/2019 11:45:59 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
04/19/2019 11:45:59 [INFO] The site Default-First-Site-Name will be used for server xxx.samdom.xxx.it.
04/19/2019 11:45:59 [INFO] Stopping service NETLOGON
04/19/2019 11:45:59 [INFO] Stopping service NETLOGON
04/19/2019 11:46:00 [INFO] Configuring service NETLOGON to 1 returned 0
04/19/2019 11:46:00 [INFO] Stopped NETLOGON
04/19/2019 11:46:00 [INFO] Deleting current sysvol path C:\Windows\SYSVOL
04/19/2019 11:46:01 [INFO] Created system volume path
04/19/2019 11:46:01 [INFO] Copying initial directory service database file C:\Windows\system32\ntds.dit to C:\Windows\NTDS\ntds.dit
04/19/2019 11:46:01 [INFO] Installing the directory service...
04/19/2019 11:46:01 [INFO] Calling NtdsInstall for samdom.xxx.it
04/19/2019 11:46:01 [INFO] Starting Active Directory Domain Services installation
04/19/2019 11:46:01 [INFO] Validating user-supplied options.
04/19/2019 11:46:01 [INFO] Determining a site in which to install
04/19/2019 11:46:01 [INFO] Examining an existing forest...
04/19/2019 11:46:01 [INFO] Starting a replication cycle between xxx.samdom.xxx.it and the RID operations master (bbb.samdom.xxx.it). This ensures that the new replica will be able to create users, groups and computer objects...
04/19/2019 11:46:01 [INFO] Configuring the local computer to host Active Directory Domain Services
04/19/2019 11:46:03 [INFO] EVENTLOG (Warning): NTDS General / Internal Configuration : 1463
Some probably corrupted indexes were detected and deleted during initialization.

The deleted indexes will be rebuilt.

04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS Database / Internal Processing : 2013
The following number of indexes is being rebuilt as part of the initialization process.

Indexes:
6

04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS Database / Internal Processing : 2014
Rebuilding of the following number of indexes completed.

Indexes:
6

04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS General / DS Schema : 1464
While searching for an index, the need for a new index for the following attribute was detected.

Attribute:
msFVE-VolumeGuid

New index name:
INDEX_LP_000907CE_0410

A new index will be created automatically.

Additional Data

Error value:
-1404 JET_errIndexNotFound, No such index

04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS General / DS Schema : 1137
Creation of an index for the following attribute completed.

Attribute identifier:
591822

Attribute name:
msFVE-VolumeGuid

04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS General / DS Schema : 1464
While searching for an index, the need for a new index for the following attribute was detected.

Attribute:
msFVE-RecoveryGuid

New index name:
INDEX_LP_000907AD_0410

A new index will be created automatically.

Additional Data

Error value:
-1404 JET_errIndexNotFound, No such index

04/19/2019 11:46:05 [INFO] EVENTLOG (Informational): NTDS General / DS Schema : 1137
Creation of an index for the following attribute completed.

Attribute identifier:
591789

Attribute name:
msFVE-RecoveryGuid

04/19/2019 11:46:05 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2120
This Active Directory Domain Services server does not support the Recycle Bin. Objects can be undeleted, but some attributes of an undeleted object may be lost. Attributes of other objects that refer to the undeleted object may also be lost.

04/19/2019 11:46:05 [INFO] Creating the NTDS Settings object for this Active Directory domain controller on the remote Active Directory domain controller xxx.samdom.xxx.it
04/19/2019 11:46:05 [INFO] Replicating the schema directory partition
04/19/2019 11:46:06 [INFO] Replicating CN=Schema,CN=Configuration,DC=samdom,DC=xxx,DC=it: received approximately 1000 of 1550 objects.
04/19/2019 11:46:07 [INFO] Replicating CN=Schema,CN=Configuration,DC=samdom,DC=xxx,DC=it: received approximately 1550 of 1550 objects.
04/19/2019 11:46:07 [INFO] The schema container has been replicated.
04/19/2019 11:46:07 [INFO] Schema cache update completed.
04/19/2019 11:46:07 [INFO] Replicating the configuration directory partition
04/19/2019 11:46:08 [INFO] EVENTLOG (Error): NTDS Replication / Client DS RPC : 1962
Internal event: The local directory service received an exception from a remote procedure call (RPC) connection. Extended error information is not available.

directory service:
xxx.samdom.xxx.it

Additional Data

Error value:
The remote procedure call failed. (1726)

04/19/2019 11:46:18 [INFO] Replicating CN=Configuration,DC=samdom,DC=xxx,DC=it: received approximately 1000 of 1793 objects.
04/19/2019 11:46:18 [INFO] EVENTLOG (Informational): NTDS General / Internal Processing : 2041
Duplicate event log entries have been suppressed.

See the previous event log entry for details. A duplicate is an entry whose event code and all insertion parameters are identical. The time period for the duplicates runs from the time of the previous event to that of the specified event.

Event code:
c00007aa

Number of duplicate entries:
1

04/19/2019 11:46:18 [INFO] EVENTLOG (Informational): NTDS General / Replication : 1695
This directory service supports linked value replication. Each value of a multi-valued attribute is replicated individually to reduce network bandwidth and to provide finer-grained conflict resolution.

04/19/2019 11:46:19 [INFO] Replicating CN=Configuration,DC=samdom,DC=xxx,DC=it: received approximately 1792 of 1793 objects.
04/19/2019 11:46:20 [INFO] EVENTLOG (Error): NTDS Replication / Client DS RPC : 1962
Internal event: The local directory service received an exception from a remote procedure call (RPC) connection. Extended error information is not available.

directory service:
xxx.samdom.xxx.it

Additional Data

Error value:
The remote procedure call failed. (1726)

04/19/2019 11:46:29 [INFO] Replicating CN=Configuration,DC=samdom,DC=xxx,DC=it: received approximately 1792 of 1793 objects.
04/19/2019 11:46:39 [INFO] Replicating CN=Configuration,DC=samdom,DC=xxx,DC=it: received approximately 1792 of 1793 objects.
04/19/2019 11:46:48 [INFO] Replicating CN=Configuration,DC=samdom,DC=xxx,DC=it: received approximately 1792 of 1793 objects.
04/19/2019 11:46:58 [INFO] Replicating CN=Configuration,DC=samdom,DC=xxx,DC=it: received approximately 1792 of 1793 objects.

Can anybody help me to solve this problem?

What is DHCF

It says my lease expired. What does that mean and how do I fix it?

Event ID: 4729 and 4728 not logging


Hi all,

I'm trying to get event IDs 4729 and 4728 to log so that we can monitor changes to security groups in AD, but after configuration we're still not seeing them. I have double-checked the group policy settings and permission-based settings as shown in the following article: https://www.itsupportguides.com/server-side-tips/active-directory-logging-changes-to-groups/

Can anyone suggest another policy that could be disabling the function?

Thanks.
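
4728 and 4729 are written only by domain controllers (the membership change is processed there, never on the member server where the admin sat), only when the 'Security Group Management' audit subcategory records Success, and only for security-enabled global groups; domain local groups produce 4732/4733 and universal groups 4756/4757 instead. The following PowerShell is an added example, not from the post: it asks every DC what its effective subcategory setting is (auditpol reports the merged result, whatever GPO produced it), whether subcategory settings are forced over the legacy 'Audit account management' setting, and when each of the six group-change events last fired. It assumes WinRM access to the DCs.

```powershell
# Added example (not from the original post): verify on each DC that security-group
# membership changes are actually being audited, and when they last were.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$check = {
    # Subcategory GUID for 'Security Group Management' is locale-independent;
    # /r returns CSV with an 'Inclusion Setting' column (Success / Failure / No Auditing).
    $csv = (auditpol /get "/subcategory:{0CCE9237-69AE-11D9-BED3-505054503030}" /r) |
               Where-Object { $_ } | ConvertFrom-Csv
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $last = @{}
    foreach ($id in 4728, 4729, 4732, 4733, 4756, 4757) {
        $e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id } -MaxEvents 1 -ErrorAction SilentlyContinue
        $last[$id] = if ($e) { $e.TimeCreated } else { 'never' }
    }
    [pscustomobject]@{
        Subcategory      = $csv.Subcategory
        InclusionSetting = $csv.'Inclusion Setting'          # must include 'Success'
        ForceSubcategory = $lsa.SCENoApplyLegacyAuditPolicy   # 1 = subcategory settings override legacy ones
        Last4728 = $last[4728]; Last4729 = $last[4729]        # global group add / remove
        Last4732 = $last[4732]; Last4733 = $last[4733]        # domain local group add / remove
        Last4756 = $last[4756]; Last4757 = $last[4757]        # universal group add / remove
    }
}

Invoke-Command -ComputerName $dcs -ScriptBlock $check |
    Select-Object PSComputerName, Subcategory, InclusionSetting, ForceSubcategory,
                  Last4728, Last4729, Last4732, Last4733, Last4756, Last4757 |
    Format-Table -AutoSize

# If InclusionSetting reads 'No Auditing', set it in the GPO linked to the Domain Controllers OU
# (Advanced Audit Policy Configuration > Account Management > Audit Security Group Management: Success).
# For an immediate local test only:
#   auditpol /set "/subcategory:{0CCE9237-69AE-11D9-BED3-505054503030}" /success:enable
```

A DC whose InclusionSetting is 'Success' but whose Last4728 is 'never' while Last4732 is recent usually means the groups being changed are domain local rather than global, and the monitoring should include 4732/4733 (and 4756/4757) rather than a missing policy.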

Reset password for local account

Hi. Regarding Windows Server 2012, I would like to know if there is a way to reset the password on one particular local client user account on a couple of hundred client machines in our domain. I already use LAPS for the local admin account on all of them, but there is another user account that has administrative rights where we believe the password may have been compromised, and we would like to prevent users from logging in locally. It would be very tedious to have to go in and change the password on every workstation. Any feedback would be appreciated.

Support analyst
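
Because the goal stated above is to stop anyone from using that account rather than to keep using it, the safest bulk action is to rotate it to a random value that is never recorded and disable it in the same step; the old (compromised) password stops working on each host the moment the job reaches it. Pushing one shared new password with a startup script or Group Policy Preferences would recreate the problem (a single secret on every machine, and GPP's cpassword storage is known to be recoverable), which is exactly what LAPS avoids for the built-in administrator. The following PowerShell is an added example, not from the post. It assumes WinRM is enabled on the workstations, that it is run with domain admin rights, and that 'svc-local' is the account name; the targeting filter (all enabled non-server computers) is also an assumption.

```powershell
# Added example (not from the original post): on every targeted workstation, set the
# named local account to a random throwaway password and disable it, over WinRM.
Import-Module ActiveDirectory

$account = 'svc-local'   # placeholder for the compromised local account name
$targets = (Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*" -and Enabled -eq $true').DNSHostName

$results = Invoke-Command -ComputerName $targets -ThrottleLimit 32 -ErrorAction SilentlyContinue `
                          -ArgumentList $account -ScriptBlock {
    param($name)
    $path = "WinNT://$env:COMPUTERNAME/$name,user"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        return [pscustomobject]@{ Status = 'NotFound' }
    }
    $u = [adsi]$path

    # 32 bytes from the OS CSPRNG, mapped onto a printable alphabet; generated on the
    # host and discarded, because the account is being disabled, not handed to anyone.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars  = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*+-=?@'
    $newPwd = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })

    $u.psbase.Invoke('SetPassword', $newPwd)
    $flags = [int]$u.psbase.Properties['UserFlags'].Value
    $u.psbase.Properties['UserFlags'].Value = $flags -bor 0x2      # UF_ACCOUNTDISABLE
    $u.psbase.CommitChanges()

    [pscustomobject]@{
        Status   = 'RotatedAndDisabled'
        Disabled = (([int]$u.psbase.Properties['UserFlags'].Value) -band 0x2) -ne 0
    }
}

$results | Select-Object PSComputerName, Status, Disabled | Sort-Object Status | Format-Table -AutoSize

# Hosts that did not answer are simply absent from $results; keep this list and re-run for them.
$unreached = $targets | Where-Object { $_ -notin $results.PSComputerName }
"Unreached: {0}" -f $unreached.Count
$unreached
```

The re-run list matters: a laptop that is off the network today still has the compromised password tomorrow, so the job should be repeated until every target reports RotatedAndDisabled or NotFound.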

user log on to bug

$
0
0

Hi all

We have the scenario below.

After adding a computer for a user in "Log On To":

2. The user logs in to ICT009 but is unable to log in to any web application, like OWA.

By adding the server to the user's "Log On To" list the problem is fixed, but we have a lot of web applications and it is impossible to add every web application server to each user's "Log On To".

Thank you in advance
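
This post and the earlier "managed by" post describe the same mechanism. "Log On To" writes the userWorkstations attribute, a comma-separated list of NetBIOS computer names, and the DC checks the name of the computer performing the logon against it. Opening OWA is a logon performed by the Exchange server on the user's behalf, so the Exchange server's name has to be in the list, which is why adding it fixed the symptom; any other server that authenticates the user the same way needs the same entry. "Managed By" on a computer object is the descriptive managedBy attribute and grants no logon rights, so it cannot replace this. The PowerShell below is an added example, not from either post: a helper that appends names to a user's list without overwriting the existing entries, and a report of restricted users whose list lacks a given server. 'EXCH01' and the user name are placeholders.

```powershell
# Added example (not from the original post): maintain the 'Log On To' list
# (userWorkstations) and find restricted users missing a required server name.
Import-Module ActiveDirectory

function Add-LogonWorkstation {
    param(
        [Parameter(Mandatory)][string]   $Identity,
        [Parameter(Mandatory)][string[]] $Computer     # NetBIOS names, no domain suffix
    )
    $user    = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    $current = @()
    if ($user.LogonWorkstations) {
        $current = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim().ToUpper() }
    }
    # Merge, de-duplicate, write back as one comma-separated string.
    $merged = @($current + ($Computer | ForEach-Object { $_.Trim().ToUpper() }) | Select-Object -Unique)
    Set-ADUser -Identity $Identity -LogonWorkstations ($merged -join ',')
    return $merged
}

# Example call: user1 may log on at computer1 and through the Exchange server (placeholder names).
Add-LogonWorkstation -Identity 'user1' -Computer 'COMPUTER1', 'EXCH01'

# Report: every user who has a restriction at all, but whose list does not include the server.
$required = 'EXCH01'
Get-ADUser -Filter 'LogonWorkstations -like "*"' -Properties LogonWorkstations |
    Where-Object { (($_.LogonWorkstations -split ',') | ForEach-Object { $_.Trim().ToUpper() }) -notcontains $required } |
    Select-Object SamAccountName, LogonWorkstations |
    Format-Table -AutoSize
```

The report is the list to fix in bulk (pipe its SamAccountName values into Add-LogonWorkstation); it is also the list of users who will lose mail access if the Exchange server is ever renamed.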

Domain Controller backup not working


Hi,

I have two DCs (primary and additional) running Windows Server 2016, both of them on Hyper-V. I backed up the primary DC, restored it to another location, and then turned off the primary DC. Unfortunately, the primary DC's backup didn't work, and the additional DC cannot work when the primary DC is not turned on. Therefore, the clients' Outlook asked for credentials when it was authenticating the users. Any help would be appreciated.

Thanks
