Channel: Directory Services forum

IUSR vs. NETWORK SERVICE placeholder accounts



I am performing an AD account/group audit for our production domain against a newly created sandbox domain. Both domains are at the Server 2016 level, but the production domain has been in service since roughly the year 2000.

In both production and sandbox domains, I have a built-in group called IIS_IUSRS. In the production domain, it has one user: NETWORK SERVICE, which appears to be a placeholder account. In the sandbox domain, the group has one user: IUSR. It is also a placeholder account. These placeholder accounts are different between production & sandbox, yet both are Server 2016 domains.

My questions:

  1. Should I be concerned that these do not match?
  2. If NETWORK SERVICE is an artifact of a legacy system, how can I configure them to match to avoid confusion going forward?
  3. What is a placeholder account for? What is the purpose?

new windows 2016 cert auth server

We moved the cert auth service and role to a new Windows 2016 server from a 2008 server. In PKIView.msc, it shows the old server in the left pane. In the right pane, the CDP Location #1 is expiring and the Delta CRL Location is expired. The locations for all four entries are still showing the OLD server.
I don't know what steps to take to rectify this and make the cert auth reflect the new server name in all aspects. I also want to confirm that the new cert server is properly working.

Can't log in to UI if DC is connected to network


Ok, here is a strange one. This is happening on both virtual and physical DCs. Demoting to member server eliminates the problem. DCDiag shows everything is good.

After reboot, the DCs in our child domain won't always allow you to log in to the console (the master domain doesn't have any users).

If the network is not present, you can log in using cached creds. 

It started a long time ago before I started working here, I thought I had fixed it with patching, but it impacts 2012r2 and 2016 (our domain is at 2008r2 currently, I just retired our old 2008r2 DC) 

It was working fine until I had to force remove the last 2008r2 server from the DC pool, well at least it appeared it was. 

Symptoms: Once rebooted, RAM spikes to max, the VM reboots a bunch, and eventually stabilizes. RAM is still at 100%.

If I reboot with network disconnected, everything starts up fine.  

I've run dcdiag until I'm blue in the face looking for anything,  

Restore AD (Domain Controller)-VM

Our Hyper-V HDD crashed. We managed to restore the AD Domain Controller (Windows Server 2012 R2), but when I boot the VM I receive this blue screen. I tried all the available solutions.
This is the only domain controller and we have to restore it.

I booted the VM via the 2012 R2 ISO and ran the commands below, but I still receive the same blue screen error.
  sfc /scannow
  bootrec /fixmbr
  bootrec /fixboot
  bootrec /rebuildbcd

Active Directory OU Security TAB (best practice)


Okay, I'm not a beginner to Active Directory, but it isn't my specialty. I've had this AD for a long time and I never really took a look at OU security until I had an issue related to it. Then I saw the mess that my OU security was. This AD has been upgraded and migrated since Windows 2000 and there are a lot of legacy and weird security entries in the OUs that were causing a whole whack of issues.

My question is, if I want to clean this up, what are the best practices for OU security? I tried to look this up, but it seems like 99% of people never even look at this.

Would love to hear what people have to say

Domain controllers replication issue


Hi,

I have two domain controllers that have been working for about two years. I also had another domain controller that had problems, and I disconnected it from the network and cleaned up its metadata from the other DCs. Yesterday, for some changes, I turned off the domain controllers, and after powering them on I saw that the additional DC cannot see the primary DC. Here is the error I got:

Active Directory Domain Services was unable to establish a connection with the global catalog. 
Additional Data 
Error value:
8430 The directory service encountered an internal failure. 
Internal ID:
3200db0 
User Action: 
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
 

I can ping the domain controllers but I cannot access shared folders on them. Therefore, I was forced to remove the DNS server and reinstall it. Here is the DCDIAG result:

C:\Windows\system32>Dcdiag /test:checksecurityerror
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = SRV-additional
   [SRV-additional] Directory Binding Error 1722:
   The RPC server is unavailable.
   This may limit some of the tests that can be performed.
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\SRV-ADDITIONAL
      Starting test: Connectivity
         [SRV-ADDITIONAL] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SRV-ADDITIONAL failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\SRV-ADDITIONAL
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : rsz
   Running enterprise tests on : rsz.local


Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
Source domain controller: 
 SRV2 
Failing DNS host name: 
 352c21fa-a86d-4fc7-9a2b-a93345b5410d._msdcs.rsz.local 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
Registry Path: 
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
User Action: 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 
 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
  dcdiag /test:dns 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
  dcdiag /test:dns 
 5) For further analysis of DNS error failures see KB 824449: 
   http://support.microsoft.com/?kbid=824449 
Additional Data 
Error value: 
 11004 The requested name is valid, but no data of the requested type was found.

C:\Windows\system32>netdom /query fsmo
The RPC server is unavailable.
The command failed to complete successfully.

C:\Windows\system32>Repadmin /kcc childdc2
Repadmin can't connect to a "home server", because of the following error.  Try
specifying a different
home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:
    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:
C:\Windows\system32>NETDIAG Trust Relationship
'NETDIAG' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>NETDIAG
'NETDIAG' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>Repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\SRV-ADDITIONAL
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 03e194c8-f399-405c-b7a7-475375591d51
DSA invocationID: 220c4c6b-3636-4073-b51f-098a1211020c
==== INBOUND NEIGHBORS ======================================
DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:43:46.
CN=Configuration,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:25 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
CN=Schema,CN=Configuration,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:51 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
DC=DomainDnsZones,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        31 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
DC=ForestDnsZones,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        31 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.

Any help would be appreciated. Thanks
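The repadmin /showrepl output above is long enough that the failing source is easy to miss. This is an added triage script, not part of the post: it parses that text and lists every inbound neighbour whose last attempt failed, grouped by the source DSA GUID, since that GUID is exactly the _msdcs CNAME the directory service event says it could not resolve. The sample text is a constructed excerpt modelled on the post; replace it with live output as shown in the comment.

```powershell
# Added example (not from the post). Parse "repadmin /showrepl" text and report failing
# inbound neighbours. Constructed sample below; for a live run use:
#   $text = repadmin /showrepl | Out-String
$text = @"
Default-First-Site-Name\SRV-ADDITIONAL
DSA object GUID: 03e194c8-f399-405c-b7a7-475375591d51
==== INBOUND NEIGHBORS ======================================
DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:43:46.
CN=Configuration,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:25 failed, result 1256 (0x4e8):
            The remote system is not available.
        31 consecutive failure(s).
"@

function Get-FailingReplPartners {
    param([string]$ShowReplText)
    $results = @()
    $partition = $null; $partner = $null; $guid = $null
    foreach ($line in $ShowReplText -split "`r?`n") {
        switch -Regex ($line) {
            '^(DC=|CN=)'                         { $partition = $line.Trim() }
            '^\s+(\S+\\\S+) via (\w+)'           { $partner = $Matches[1] }
            'DSA object GUID: ([0-9a-f-]{36})'   { $guid = $Matches[1] }
            'Last attempt @ (\S+ \S+) failed, result (\d+)' {
                # one row per (partition, partner) whose last attempt failed
                $results += [pscustomobject]@{
                    Partition = $partition; Partner = $partner; DsaGuid = $guid
                    LastAttempt = $Matches[1]; ErrorCode = [int]$Matches[2]; Failures = 0
                }
            }
            '(\d+) consecutive failure\(s\)' {
                if ($results.Count) { $results[-1].Failures = [int]$Matches[1] }
            }
        }
    }
    $results
}

$failing = Get-FailingReplPartners -ShowReplText $text
$failing | Format-Table Partition, Partner, ErrorCode, Failures, LastAttempt -AutoSize

# Each failing DSA GUID is a CNAME in _msdcs that must resolve to the source DC's A record.
$failing | Group-Object DsaGuid | ForEach-Object {
    "Verify CNAME {0}._msdcs.rsz.local resolves to {1} ({2} partition(s) failing)" -f `
        $_.Name, $_.Group[0].Partner, $_.Count
}
```

If the GUID belongs to a DC that no longer exists, the script surfaces the object whose metadata still needs cleaning up; if it belongs to a live DC, the next check is whether that DC's DNS registration and RPC reachability are intact.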


Chrome Single Sign on not working correctly.


Hi Everyone 

I have an odd one for you all. 

We migrated to O365 for SharePoint and Outlook; however, the new core corporate system was designed for Chrome, so this has become the default browser for most users.

This has led to the following issue:

When users on the corporate network try to sign in to the corporate SharePoint, they are prompted to select their user name from the list; it then signs them in as expected.

We are getting a lot of complaints about this, as we have moved our corporate intranet to SharePoint and this opens when Chrome opens, so users are getting prompted 2 or 3 times a day.

We thought adding Chrome to WIA would work, but this hasn't resolved the issue.

(Worth noting: we have found a workaround. If I sign the user in on an external network they get the "do you want to reduce the number of times you sign in" prompt; if you click yes this caches the token and they no longer get prompted externally or on the corporate network. For us it isn't ideal, as I have 2,500 desktop users with no access to an external network.)

So I need a method of either fixing Chrome or forcing the reduce sign-ins prompt for all users.

Thanks in Advance 

 

Services won't start after promotion

Hi!
I have tested migration of a Win2003 R2 Active Directory domain to Win 2012 R2. Everything works fine until I promote the 2012 server as a domain controller. The first time the server boots up, Server Manager shows 1 error: the Software Protection service won't start because it can't; it says access denied. After one more restart, the server goes crazy and shows 6 services that won't start: Software Protection, DPS, User Access Logging, DHCP Client, IP Helper and Network Location Awareness. Does anybody know why this happens? After I add the network and local services to the local admin group, everything works fine except DPS; for DPS to work I have to enter regedit and manually add permissions for the service. My second question is: is it safe for an Active Directory controller to add all network and local services to the local admin group? What about viruses, ransomware and other malicious software that can use that permission? Please help if anyone knows something.

managed by


Hi,

We have a scenario where every user logs in to only one PC:

user1 computer 1

user2 computer2

  1. When we set "Log On To" for a user, they can log in but are unable to log in to the mail server (OWA), and we have to add our Exchange server for the user.

  2. When we set "Managed By" for a computer, that never works.

How can I do this?

Thank you in advance

GPO ntfs permission replicating problem

I am having issues where NTFS permissions on group policy templates (in SYSVOL) are not replicating to DC02 in my two-DC setup. When I modify the security filtering on a GPO (for example, add a user on the Scope tab) on DC02, it will immediately reflect the change on the GPT in SYSVOL on DC01, but not on the GPT in SYSVOL of itself. However, if I modify the security filtering on a GPO on DC01, it will reflect the change on the GPT in SYSVOL on both servers.
I.e. any action started from DC01 triggers no problem. From DC02, if I create a new GPO, the folder will be replicated to SYSVOL on both servers, but if I modify the security filtering on this GPO, you will see the change has been made on both servers from the GUI; but when you check the actual NTFS permissions of the folder within SYSVOL, you will find the change has been replicated to DC01, while the NTFS permissions of this GPO on DC02 remain unchanged.

Both domain controllers are 2016, in the same AD site and on the same subnet, using DFSR for SYSVOL. There is no routing or firewall between these two servers. The DFSR log on both sheds no light; there are a few periodic RPC errors relating to "too busy to process" or "endpoint mapper." The system log sheds no light either. I have confirmed that AD replication is working with no issue and the NTFS permissions are replicated on the GPC in AD. Likewise, creating new folders in SYSVOL replicates instantly; it's just the permissions on the folder on DC02 (it only happens when making the change from DC02). This is impacting the creation and editing of GPOs from DC02 as there are constant permission mismatches.
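To make a mismatch like the one described above visible across every GPO rather than one at a time, here is an added check, not part of the post: it reads the DACL of each GPT folder under SYSVOL on both DCs and reports the GUIDs whose DACLs differ. The DC names, the ActiveDirectory and GroupPolicy modules, and running as an account that can read both SYSVOL shares are assumptions.

```powershell
# Added example (not from the post). Compare GPT folder DACLs in SYSVOL between two DCs.
# Assumptions: $Dc1/$Dc2 are your DC names; ActiveDirectory and GroupPolicy RSAT modules present.
Import-Module ActiveDirectory, GroupPolicy
$Dc1 = 'DC01'; $Dc2 = 'DC02'
$domainDns = (Get-ADDomain).DNSRoot

function Get-GptDaclMap {
    param([string]$Dc, [string]$DomainDns)
    $map = @{}
    Get-ChildItem -Directory -Path "\\$Dc\SYSVOL\$DomainDns\Policies" -Filter '{*}' |
        ForEach-Object {
            # 'Access' = DACL only, so owner differences between replicas do not cause noise;
            # SDDL is a canonical string form, so two DACLs can be compared directly.
            $map[$_.Name] = (Get-Acl -Path $_.FullName).GetSecurityDescriptorSddlForm('Access')
        }
    $map
}

$a = Get-GptDaclMap -Dc $Dc1 -DomainDns $domainDns
$b = Get-GptDaclMap -Dc $Dc2 -DomainDns $domainDns

foreach ($guid in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
    if (-not $b.ContainsKey($guid)) { "$guid exists on $Dc1 but not on $Dc2"; continue }
    if (-not $a.ContainsKey($guid)) { "$guid exists on $Dc2 but not on $Dc1"; continue }
    if ($a[$guid] -ne $b[$guid]) {
        $name = try { (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName } catch { '(unknown)' }
        "DACL mismatch for $guid ($name)"
        "  $Dc1 : $($a[$guid])"
        "  $Dc2 : $($b[$guid])"
    }
}
```

Running it right after a security-filtering change made from DC02 shows whether the stale DACL is limited to that GPO or affects every GPT on that replica.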

Domain Controller backup not working


Hi,

I have two DCs (Primary and Additional) with Windows Server 2016, both of which are running on Hyper-V. I backed up the primary DC, restored it to another location and then turned off the primary DC. Unfortunately, the primary DC's backup didn't work, and the additional DC cannot work when the primary DC is not turned on. Therefore, the clients' Outlook asked for credentials when it was authenticating the users. Any help would be appreciated.

Thanks

Active Directory issue


I have Windows Server 2012 Standard and I configured AD for our organization. Before, it worked very well, but for the last 10 days, when I join Win10 or Win8 to the domain controller it's not joining and the message below appears:

(The specified domain does not exist or could not be contacted.)

I need your help in this regard.

How to use AD password policy to restrict some characters of login password


Dear Support, 

Could we use the AD password policy to restrict users from using some pattern of characters (e.g. the company name) in their login password?

Thanks!

Best Regards, 

Daniel

CNAME Record Across Domains


Hello,

I have a network where EVERYTHING is being run inside the subdomain sub1.domain.com.

There is no domain controller / DNS server inside the root domain of domain.com.

I have been asked to create a CNAME record to point server1.domain.com to server2.sub1.domain.com.

How would I go about accomplishing this? As a temporary fix I have added a line to the hosts file to resolve the name. However, do I need to create a new domain called domain.com inside the same forest, and then create a DNS forwarder?

Global Catalog Server

Can we search the objects of other domains through the global catalog if the other domains are shut down? Does this process happen in the background, such that the Global Catalog first searches for the object in its index and then sends the query to the object's domain? What if the object's domain is shut down in this case?

Schema Extension 2019 - will we be able to install older server versions afterwards?


Hi

We currently have Functional Level 2012R2, but want to extend the schema to the 2019 level.

1) Will we be able to install Windows Server 2012R2 and 2016 afterwards, or are we then only able to install WinSrv 2019?

Thanks in advance

/Peter

Powershell script to get user details for multiple DL groups in Active Directory


Hi All,

Is there any script to get all user details for given DL groups in Active Directory?

Thanks,

Raj
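One way to do what this post asks, as an added example rather than anything from the thread: expand each named distribution list recursively (nested groups included), pull the audit-relevant attributes for every user member, and write one CSV row per user. The group names and output path are constructed placeholders; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example (not from the post). Export user details for several DL groups to CSV.
# Assumptions: ActiveDirectory RSAT module installed; $GroupNames and $OutFile are placeholders.
Import-Module ActiveDirectory

$GroupNames = @('DL-Finance', 'DL-HR')     # constructed example DL names, replace with yours
$OutFile    = 'C:\Temp\DL-Members.csv'     # assumed output path

$rows = foreach ($name in $GroupNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -Properties mail
    if (-not $group) { Write-Warning "Group '$name' not found"; continue }

    # -Recursive flattens nested groups and returns only leaf principals;
    # keep user objects only, then fetch the attributes an audit usually wants.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties DisplayName, mail, Department, Title, Enabled, LastLogonDate |
        Select-Object @{n='Group';     e={ $group.Name }},
                      @{n='GroupMail'; e={ $group.mail }},
                      SamAccountName, DisplayName, mail, Department, Title, Enabled, LastLogonDate
}

$rows | Sort-Object Group, SamAccountName | Export-Csv -Path $OutFile -NoTypeInformation
# Quick per-group head count for the console
$rows | Group-Object Group | Select-Object Name, Count
```

Get-ADGroupMember -Recursive is subject to the ADWS MaxGroupOrMemberEntries limit (5000 by default), so very large DLs need either a raised limit or an LDAP_MATCHING_RULE_IN_CHAIN filter on Get-ADUser instead.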

How to generate these event in Windows Server 2019


Hi,

I extracted the Active Directory events from %SystemRoot%\System32\en-US\ntdsmsg.dll.mui. Below are the events which got newly added in Windows Server 2019.

New Events --> 2998, 2999, 3001, 3002, 3006, 3007, 3008, 3016, 3003, 3009, 3010, 3011, 2997, 3000, 3004, 3005, 3012, 3013

 i) I am unable to find any info related to these events.

ii) How do I generate these events?


Message: The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data)


Hello All,

We are getting this alert for the domain default admin account from only one server. We tried to check for services running under this account or any jobs running.


Thanks

trust relationship and sites and services


Guys,

In a lab, when having a trust relationship between 2 DCs, do I need to add the second DC in the Sites and Services part of AD?

Also, when I would like to replace the second DC with its own domain name (the other company) through an RODC in the domain of DC1, but I want the Active Directory structure, shared folders, etc. available at the second DC migrated, how should I do that?

many thanks in advance
