I am getting an login prompt and "Access is denied." message when trying to browse \\2008DC\sysvol from a newly built 2019DC.

1. We have an old test environment with 2008 DC (single DC and not R2 version).
2. The forest level was increased to 2008 and FRS migrated to DFS-R.
3. New 2019 box promoted to DC with no issues.

Any idea what may be causing the prompts?

hello i have been trying to visualize a specific OU structure without exporting the information from exchange by using visio 

is there a tool or a script that can pull the information into a CSV file or a text that can be imported into Visio ?

i want to pull personal information and who is the manager of that person 

We're trying to follow the guidance provided here. On 5/14/2019 this change will be the default for new trusts and on 7/9/2019 this will be the enforced behavior and the EnableTGTDelegation setting will be ignored. We operate out of a primary domain and manage several other forests from there. After running the command below where "ourdomain.local" is our domain and "otherdomain.local" is the domain that trusts our domain we started seeing errors with Get-ADGroupMembership for groups in "otherdomain.local" when run from "ourdomain.local". Running the dsget variant of this PowerShell command works. This seems to only occur if the group contains a Foreign Security Principal (FSP). These commands are run from the same location and with the same ID. PowerShell fails and dsget works. "Authenticated Users" is a member of the "Builtin\Users" group in both domains.

netdom.exe trust ourdomain.local /domain:otherdomain.local /EnableTGTDelegation:No

PowerShell command that fails:

Get-ADGroupMember "account operators" -Server otherdomain.local

dsget variant of it that works:

dsget group "CN=account operators,CN=builtin,DC=otherdomain,DC=local" -members

Error:

Get-ADGroupMember : The server was unable to process the request due to an internal error.  For more information about
the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the<serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or
turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
At line:1 char:1+ Get-ADGroupMember "account operators" -Server otherdomain.local+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo          : NotSpecified: (account operators:ADGroup) [Get-ADGroupMember], ADException+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Full error:

Microsoft.ActiveDirectory.Management.ADException: The server was unable to process the request
due to an internal error.  For more information about the error, either turn on
IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the<serviceDebug> configuration behavior) on the server in order to send the exception
information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK
documentation and inspect the server trace logs. ---> System.ServiceModel.FaultException: The
server was unable to process the request due to an internal error.  For more information about
the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute
or from the <serviceDebug> configuration behavior) on the server in order to send the
exception information back to the client, or turn on tracing as per the Microsoft .NET
Framework SDK documentation and inspect the server trace logs.

Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply,
MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation,
ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway,
ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage
retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroup
Member(GetADGroupMemberRequest request)
   at
Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest
request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(FaultException
faultException)
   at
Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest
request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Ma
nagement.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest
request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String
partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSR
outine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()

I'm in the process of retiring a legacy domain controller on my network that's running Windows Server 2003 R2.  The server does not hold any of the FSMO roles but it is defined as a GC and a bridgehead server.  I do have other GCs.  And the bridgehead servers were automatically assigned by KCC.

My question is when I run DCPROMO to retire the DC, will KCC automatically remove this server as a bridgehead server or must I do this step manually prior to running DCPROMO?  I currently have 2 sites and KCC has defined the necessary bridgehead servers that I can see when I run repadmin /bridgeheads.  

Thanks for any input.

Ken

I have found this Powershell script and am having trouble modifying it to only pull Computer objects that do not have a BitLocker Key stored in AD. IThis script pulls all computers but I am struggling to sort out computers with keys. Any help would be appreciated Thanks in advance. 

Powershell:

Get-ADComputer -Filter 'ObjectClass -eq "computer"' -SearchBase "OU=Asia,OU=Branches,DC=corp,DC=company,DC=com" | foreach-object {
$Computer = $_.name
#Check if the Computer Object exists
$Computer_Object = Get-ADComputer -Filter {cn -eq $Computer} -Property msTPM-OwnerInformation, msTPM-TpmInformationForComputer
if($Computer_Object -eq $null){
Write-Host "Error..."
}
#Check if the computer object has had a BitLocker Recovery Password
$Bitlocker_Object = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $Computer_Object.DistinguishedName -Properties 'msFVE-RecoveryPassword' | Select-Object -Last 1
if($Bitlocker_Object.'msFVE-RecoveryPassword'){
$BitLocker_Key = $BitLocker_Object.'msFVE-RecoveryPassword'
}else{
$BitLocker_Key = "none"
}
#Display Output
$strToReport = $Computer + "," + $BitLocker_Key
Write-Host $strToReport
#Save to Report
$strToReport | Out-File C:\temp\Report.txt -append
} 

Guys,

In a lab, when having a trust relationship between 2 dc's, do i need to add the second DC in the sites and services parts of AD?

Also, when i would like to replace the second DC with its own domainname9the other company) through a RODC in the domain of DC1, but i want the active directory structure, shared folder,... available at the second DC migrated, how should i do that?

many thanks in advance

Hello All,

I have been trying to implement a powershell script that used at a different company to the domain at my current job.

The script is pretty simple. It is to search for users that are supposed to belong to a group and add them if they are missing.

I am using a filter to ensure that this only works on user accounts that are not disabled however this is where I ran into the problem in this domain. 90% of the user account do not come back with the "Enabled" property. When I investigated I also found that these account do not have any value for the userAccountControl attribute (missing in ADSI edit).

I was under the impression that this userAccountControl attribute cannot be missing or null. 

If that is not the case how can I find disabled accounts that are missing the userAccountControl attribute.

Any help with this would be great! Thanks in advance.

We have a Windows Server 2012R2 domain controller which generates the error below when attempting to connect to a working domain controller in AD:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was ldap/server.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.LOCAL) is different from the client domain (domain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Site replication is configured to a domain controller which generates the above error when it tries to establish a connection. This is resulting in replication not succeeding. The DC can connect to certain other DCs and not to others.

Repadmin /showreps generates:

This is also resulting in file share authentication failures to a second trusted domain.

Primary domain authentication for users is successful.

I've reset the faulty DC's computer account by running:

That made no difference. 

I also started to build a second domain controller for the site, but when selecting the DC to replicate with during the promotion phase, the same errors appear as above, which led me to believe having a second DC wouldn't make a difference.

Any tips would be appreciated :/

I have the following Active Directory Configuration:

Site 1

• DC1: Holds all 5 FSMO Roles
• DC2

Site 2

• DC3
• DC4

I have two questions:

1. What should the primary & Secondary DNS be for each of these domain controllers?
2. Which domain controllers should replicate between sites?

Thank you in advance!!

Brian Modlin

Hi all,

I face below error message of joining PCs to domain.

Changing the Primary Domain DNS name of this computer to “ ” failed.
The name will remain “ABC.com”.
The error was:

The specified server cannot perform the requested operation.

The computer object was successfully created in [Computers] OU.
PCs restarted and able to logon domain with Domain user account. but it took long time to login , if i tried to Dsjoin PC the computer object still remaining in DC

DC : Server 2016 

IT Helpdesk

Hi everybody.

I've got a problem while migrating my domain ressources to another one.

Source domain is A.local (Windows 2008 R2). Target is B.com (Windows 2016).
There is a trust between the two forests, bidirectional and transitive. 

I use ADMT to migrate users and groups. While migrating these objects, I check the "Migrate SID History" button. 
Before that, I have desactivated the SID filtering between my forests with this command : 

- from the source domain : Netdom trust A.local /domain:B.com /enablesidhistory:yes /usero:administrator /passwordo:*

- from the target domain : Netdom trust B.com /domain:A.local /enablesidhistory:yes /usero:administrator /passwordo:*

Hi, 

I am facing issue while performing Directory Search with CROSS domains.  I have two different domains  DOMAIN100.LAB and  DOMAIN200.LAB . There is no TRUST relationship between these two domains. 

My app is running in DOMAIN100.LAB  and performing Directory search operation on   DOMAIN200.LAB .  The application able to bind with DC and able to access properties but Directory search failing with below exception. 

Note: It's working fine, if I set the TRUST relation between two domains DOMAIN100.LAB and DOMAIN200.LAB 

Exception msg: "The user name or password is incorrect.\r\n"

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)

   at System.DirectoryServices.DirectoryEntry.Bind()

   at System.DirectoryServices.DirectoryEntry.get_AdsObject()

   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)

   at System.DirectoryServices.DirectorySearcher.FindAll()

   at ConsoleApp1.Program.Main(String[] args) in C:\Users\administrator.DRDOM450\source\repos\MyApp1\ConsoleApp1\Program.cs:line 229

Code : C# code from My app as below: for listing all DCs from Domain DOMAIN200.LAB

           string userName = "DOMAIN100\\administrator";
            string password = "Control123";

          string strDCName = "MYDC201.DOMAIN200.LAB";

            try
            {
                SearchResultCollection results = null;              
                DirectoryEntry deRootDSE =  new DirectoryEntry($"LDAP://{strDCName}/rootDSE", userName, password, AuthenticationTypes.SecureSocketsLayer );
                if (null != deRootDSE)
                {
                    string strPath = @"LDAP://" + deRootDSE.Properties["configurationNamingContext"].Value.ToString();
                    DirectoryEntry de = new DirectoryEntry(strPath, userName, password, AuthenticationTypes.SecureSocketsLayer);
                    if (null != de)
                    {
                        string []strPropList = { "name" };
                        DirectorySearcher searcher = new DirectorySearcher(de, "(objectcategory=server)", strPropList);
                        if (null != searcher)
                        {
                            results = searcher.FindAll();
                        }
                    }
                }
            }
            catch (Exception exxx)
            {
                Console.WriteLine($"exception {exxx.Message}");
            }

Please help to fix the issue.

Thanks & Regards 

Prasad

Hello All,

We are getting this alert for domain default admin account from only one server. We tried to check for services running under this account or any jobs running. 

Thanks

Hi All,

is there any script to get all user details for given DL details in Active Directory.

Thanks,

Raj

Hello All,

We have one domain with default domain controller policy and other custom GPO. Both have certain common settings, Custom GPO is above the DDC policy in link order.

Any common settings between DDC policy and custom GPO,  Custom GPO should take the precedence as per the link order.

Currently it is applying the settings as per the link order precedence, However, we are getting a red mark in RSOP  with the below errors details.

The Policy engine did not attempt to configure the settings. For more information, see %Windir%\security\logs\winlogon.log on the target machine

Kindly Suggest 

I'm in the process of retiring an older DC running Windows Server 2003 R2.  Prior to making this change, I have tested my AD health with DCdiag and other tools.  All is well.  One thing I did notice when I checked AD Sites and Services is that the automatically created NTDS connections have all appropriate connections as my servers are now.  However, when I DCpromo the old server and the NTDS connections are removed for this old server, my replication structure between my 2 AD sites will not be complete any longer.  My question is will KCC automatically adjust and setup new NTDS connections once the old server is demoted and retired?  

I did manually create a new NTDS connection with IP as the transport, which will solve the issue if KCC doesn't automatically add or adjust my replication settings and connections.  Should I remove this manually created NTDS connection prior to running DCpromo and allow KCC to automatically setup the connections or will the end-result be the same?

Thanks for any input.

Ken

Hi everyone,

Hope you can help... A small story on this first :)

4 years ago we migrated our emails from 2010 Exchange server totally into the Microsoft cloud Office365 (no premise server on site). We used Directsync to sync between our AD DCs to the O365.  

After all the emails, when a consulting firm check into our system to implement some security features on O365, they figured out our Exchange server did not decommission correctly. What our Exchange admin just did was just "unplug" the network cable of the servers from the network instead of uninstalling it. (And the original hardware that hosted the Exchange server got wiped out. ) When the consultant works on the o365 security, now he can still find some old Exchange old attributes in our AD. Our AD currently is still running on 2003 mode even though we have only windows 2008 and 2012 Domain controllers running.

I would like to ask:

1.) Should I do a clean up to remove the old Exchange attributes from our Active Directory? Currently we do not have any errors or problems at all.   Is it very necessary? Let's say...we will not implement in house Exchange server any more?

2.) If we keep the old attributes, would there be any risk for the future...eg: upgrade to 2012 domain level or even 2016 level (if exist...or even something I could not think of at this point)

3.) If #1 is recommended, what should I do to remove the attributes from our AD? May you tell me step by steps?

4.) Currently I would like to upgrade my forest and domain level from 2003 to 2008 (again, I do not have any 2003 domain controllers)..may I do this with the old Exchange attritubes around? We would like to upgrade our desktop to Win10 so we would like to get a GPO structure to support that..

Add on question :)... when I raise the domain and forest level, which one should I raise the level first?

Thank you very much for your help

Takami Chiro

We have ADDS.

We have also a Windows Server Workstation that contains a web application with IIS (WebApp1). It's on isolate network.

What options do we have to authenticate users using their ADDS credentials when they access to WebApp1 ?

We could put a Firewall beetween ADDS and Workstation network...

I am trying to configure Windows Domain Controllers to send all events to a Linux syslog server (syslog-ng). Configured the Subscription Manager group policy to point to the URL of the syslog server to port 5985. But it is not working... have tried entering the Root and Intermediate thumbprint in the value of the subscription manger connection string.

Getting this error in the Event Viewer "Eventlog-ForwardingPlugin" 

The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxxns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

Somehow, I don't think it is a certificate issue at this point.