Channel: Directory Services forum

The Policy engine did not attempt to configure the setting. For more information, see %Windir%\security\logs\winlogon.log on the target machine


Hello All,

We have one domain with the default domain controller policy and another, custom GPO. Both have certain common settings; the custom GPO is above the DDC policy in link order.

For any common settings between the DDC policy and the custom GPO, the custom GPO should take precedence as per the link order.

Currently it is applying the settings as per the link order precedence. However, we are getting a red mark in RSOP with the below error details.

The Policy engine did not attempt to configure the settings. For more information, see %Windir%\security\logs\winlogon.log on the target machine

Kindly Suggest 



Need LDIF file for the following information - Need to create attribute "NTLMID" in existing user class


Please help me to get an LDIF file with the following details

Class: user (existing class)

Attribute name I want to create: NTLMID (this is a new attribute)

Domain details:

dn: CN=NTLMID,CN=Schema,CN=Configuration,DC=infra,DC=jivehosted,DC=com


Thanks, Ram Ch
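One way to produce such a file, as an added example that is not supplied by the poster: a PowerShell script that writes the LDIF for the attribute and the user-class change, then imports it with ldifde. The value under attributeID is a placeholder OID (an assumption) and must be replaced with one allocated from your own prefix; the attribute is assumed to be a single-valued, indexed Unicode string.

```powershell
# Added example, not from the original post. Run on the schema master as a
# member of Schema Admins. attributeID below is a PLACEHOLDER OID: replace it
# with one from your own registered prefix before importing.
$schemaNC = "CN=Schema,CN=Configuration,DC=infra,DC=jivehosted,DC=com"

$ldif = @"
# 1. Create the new attribute (single-valued Unicode string, indexed)
dn: CN=NTLMID,$schemaNC
changetype: add
objectClass: attributeSchema
cn: NTLMID
lDAPDisplayName: NTLMID
adminDisplayName: NTLMID
attributeID: 1.2.840.113556.1.8000.2554.99999.99999.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1

# 2. Reload the schema cache so the new attribute can be referenced
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# 3. Add the attribute to the existing user class as an optional attribute
dn: CN=User,$schemaNC
changetype: modify
add: mayContain
mayContain: NTLMID
-

# 4. Reload the schema cache again so the class change becomes visible
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"@

$file = Join-Path $env:TEMP "NTLMID.ldf"
Set-Content -Path $file -Value $ldif -Encoding ASCII
# -k continues past "already exists" errors so the file can be re-run;
# -j writes ldifde.log to the given folder for troubleshooting
ldifde.exe -i -f $file -k -j $env:TEMP

# Verify: the attribute exists and the user class now lists it under mayContain
Get-ADObject -SearchBase $schemaNC -Filter 'lDAPDisplayName -eq "NTLMID"' -Properties attributeID, attributeSyntax
(Get-ADObject "CN=User,$schemaNC" -Properties mayContain).mayContain -contains "NTLMID"
```

Schema changes are not reversible (an attribute can only be defunct-ed, not deleted), so import the file into a lab forest first.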

Active Directory and Web Server Workstation Computer: Authentication


We have ADDS.

We also have a Windows Server workstation that contains a web application with IIS (WebApp1). It's on an isolated network.

What options do we have to authenticate users using their ADDS credentials when they access WebApp1?

We could put a firewall between ADDS and the workstation network...

CCertRequest::Submit: The RPC server is unavailable.

Hi,

I am getting stuck when testing the Windows Certificate Authority. I am getting the following error when running this command from non-domain-joined computers:

certutil -ping -config "test.domain.tld\Test_CA"

C:\Users\Avadhesh>certutil -ping -config "test.domain.tld\Test_CA"
Connecting to test.domain.tld\Test_CA ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (32ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.


but when running the same command from a domain-joined computer it works perfectly:

C:\Windows\system32>certutil -ping -config "test.domain.tld\Test_CA"
Connecting to test.domain.tld\Test_CA ...
Server "CostaCloud Secure CA" ICertRequest2 interface is alive (15ms)
CertUtil: -ping command completed successfully.


I want to run this command from non-domain-joined computers without any error.

Do you have any idea, please?

Can you allow MMC/ADUC Snap-in for a Domain User on a Domain Controller


There are a lot of articles on this and I got it all to work using 2 servers.  

I loaded RSAT (just the "AD DS and AD LDS Tools", i.e. MMC) on a standalone Server 2008 R2 with a user login (call it pwdhelpdesk / group "Users"). I created the same user (pwdhelpdesk / group "Domain Users") on the DC and went through all the "Delegate Control" stuff using this article: http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/3f0dbf8e-636b-45fe-93db-f788d5b976fd/

I then tied the 2 servers together using this article: http://technet.microsoft.com/en-us/library/dd759202.aspx

Back on the standalone server, log in as "pwdhelpdesk" -> start MMC -> load the ADUC snap-in -> select "Connect to Domain..." = the current source user "pwdhelpdesk" goes over to the DC as remote user "pwdhelpdesk" with "Delegated Control" for only password reset / unlock account. - PERFECT

NOW TO SET UP MY QUESTION: However, when "pwdhelpdesk" logs directly onto the DC and attempts to run MMC or ADUC, the User Access Controls deny the ability. Some articles say make "pwdhelpdesk" a member of Backup Operators, or Server Operators, or even disable UAC. None of these seem any good at all.

THE QUESTION: Can a non-admin (Domain User) be configured precisely / surgically to execute MMC or ADUC on a DC?  Please don't say it is not recommended for users to log in to a DC.  I just want to know if it is possible - so I can be thorough in my "help desk reset password / unlock account" architectural report to management.

BTW: I prefer the 2 server method - The standalone can run TS and multiple user CAL Licenses and act as a sort of Jump Host.

Thank you.

ADFS 2.0 - Error sync'ing from Primary ADFS to Secondaries


Hi,

First of all, thanks for reading this. English is not my mother tongue, so don't hit me hard if I write something incorrect.

By the way, you guys are doing an awesome job; I can't count the number of problems these "social TechNet forums" have solved for me.

After navigating so much, and without finding any useful info or solution that works in my environment, I'm kindly asking for help.

By the way, the primary ADFS is working and is authenticating from Office 365 without problems.

The environment :

* 3 ADFS Backend 2.0 servers - All in Server 2012

* 3 ADFS proxies 

* Windows Internal Database in ADFS Backends.

The problem is that on the secondary servers I'm getting event IDs 345 and 344 in the ADFS event logs:

There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. 

Additional Data 

Master Name : ADFS1.contoso.com 
Endpoint Uri : http://adfs1.contoso.com/adfs/services/policystoretransfer 
Exception details: 
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://adfs1.contoso.com/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: The remote server returned an error: (404) Not Found.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetHeaders()
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()

I have checked :

* Date and time on the servers - All OK

* Ports opened between them: 80, 443, 1500 and 1501 seem to be open. I can connect with telnet from the secondary to the primary.

* The ADFSsrv account is a local administrator on the 3 servers. It is the account with which I start all the ADFS services on all the servers. The WID service account is one generated with an MSSQL something in there.

* The three WIDs can be accessed and I can see the pipe data source using a get-wmi command (I don't remember which one).

* Updated on the three servers the accepted protocols to be http,net.tcp

* Same patch level on all the nodes. I know this is not the best scenario, but due to a problem with the WSUS, these servers have never been updated (so, no patches for the three of them).

* I can't see any endpoints for the PolicyStoreTransfer; I guess it is something internal that is always approved.

By the way, something curious: if I try to access the URL in the error description, http://adfs1.contoso.com/adfs/services/policystoretransfer, I can't access it from any of the hosts (even the primary). And I can't see this in IIS (I have only the ADFS and LS virtual directories in IIS).

Thanks in advance to all!

Cheers,

Problem_Finder


managed by


Hi

We have a scenario where every user logs in to only one PC:

user1 computer1

user2 computer2

1- When I set "log on to" for a user they can log in, but they are unable to log in to the mail server (OWA), and we have to add our Exchange server for the user.

2- When I set "managed by" for a computer, that never works.

How can I do this?

Thank you in advance

AD objects without BitLocker keys stored in AD


I have found this PowerShell script and am having trouble modifying it to only pull computer objects that do not have a BitLocker key stored in AD. This script pulls all computers, but I am struggling to sort out the computers with keys. Any help would be appreciated. Thanks in advance.

Powershell:

Get-ADComputer -Filter 'ObjectClass -eq "computer"' -SearchBase "OU=Asia,OU=Branches,DC=corp,DC=company,DC=com" | ForEach-Object {
    $Computer = $_.Name
    # Check if the Computer Object exists
    $Computer_Object = Get-ADComputer -Filter {cn -eq $Computer} -Properties msTPM-OwnerInformation, msTPM-TpmInformationForComputer
    if ($null -eq $Computer_Object) {
        Write-Host "Error: computer object for $Computer not found"
        return   # skip to the next computer instead of searching under a null DistinguishedName
    }
    # Check if the computer object has a BitLocker Recovery Password
    # (recovery passwords are msFVE-RecoveryInformation child objects of the computer)
    $Bitlocker_Object = Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase $Computer_Object.DistinguishedName -Properties 'msFVE-RecoveryPassword' | Select-Object -Last 1
    if ($Bitlocker_Object.'msFVE-RecoveryPassword') {
        $BitLocker_Key = $Bitlocker_Object.'msFVE-RecoveryPassword'
    } else {
        $BitLocker_Key = "none"
    }
    # Display Output
    $strToReport = $Computer + "," + $BitLocker_Key
    Write-Host $strToReport
    # Save to Report
    $strToReport | Out-File C:\temp\Report.txt -Append
}
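
To report only the computers that have no recovery password at all, an added example that is not the original poster's script. It assumes the RSAT ActiveDirectory module, the same OU as above, a constructed output path, and that the account running it can read msFVE-RecoveryInformation objects (they are hidden from ordinary users by default, so an empty result for every computer usually means a permissions problem, not missing keys).

```powershell
# Added example, not the original poster's script. Assumes the ActiveDirectory
# module and read rights on msFVE-RecoveryInformation objects; the OU and the
# output path are constructed for this example.
Import-Module ActiveDirectory

$searchBase = "OU=Asia,OU=Branches,DC=corp,DC=company,DC=com"
$reportPath = "C:\temp\Computers-Without-BitLockerKey.csv"

# One record per computer with the number of recovery passwords stored under it.
# A recovery password is a child object of the computer, so a OneLevel search
# from the computer's own DN finds exactly that computer's keys (there can be
# several: one per volume and per key rotation).
$inventory = Get-ADComputer -Filter * -SearchBase $searchBase -Properties operatingSystem |
    ForEach-Object {
        $keys = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                               -SearchBase $_.DistinguishedName -SearchScope OneLevel)
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.operatingSystem
            KeyCount        = $keys.Count
        }
    }

# Keep only the computers that have no key at all; these are the audit findings.
$missing = @($inventory | Where-Object { $_.KeyCount -eq 0 })

$missing | Sort-Object Name | Export-Csv -Path $reportPath -NoTypeInformation
"{0} of {1} computers have no BitLocker recovery password in AD; report: {2}" -f `
    $missing.Count, @($inventory).Count, $reportPath
```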


Removing Tombstone Server 2016 Domain Controller, re-add to domain and promote to DC


Hi,

Currently have three domain controllers (DC1, DC2, DC3), with the FSMO roles spread across DC1 & DC2. DC1 & DC2 are located in site A and DC3 is located in site B. Due to misconfiguration of the network, DC3 wasn't able to communicate with DC1 or DC2 for quite some time, resulting in the tombstone lifetime being reached, i.e. 180 days. As far as I understand, DC3 is essentially unrecoverable now because of this. What are my options here to get DC3 removed from the domain completely, added back to the domain and promoted to a DC?

1. Restore network communication, demote DC3 so it's just a member server, then re-add it to the domain and promote it to a DC?

2. Force removal of DC3 from the domain and perform metadata cleanup, then re-add it to the domain and promote it to a DC?

What makes things worse is that DC3 is also a print server which I would like to remain intact. By performing these actions, I presume that any computers establishing a connection with DC3 will be broken and will need to be rejoined to the domain?

Looking for some input for a clean resolution to my problem.

Cheers


IUSR vs. NETWORK SERVICE placeholder accounts



I am performing an AD account/group audit for our production domain against a newly created sandbox domain. Both domains are at the Server 2016 level, but the production domain has been in service since roughly the year 2000.

In both the production and sandbox domains, I have a built-in group called IIS_IUSRS. In the production domain, it has one user, NETWORK SERVICE, which appears to be a placeholder account. In the sandbox domain, the group has one user, IUSR. It is also a placeholder account. These placeholder accounts are different between production & sandbox, yet both are Server 2016 domains.

My questions:

  1. Should I be concerned that these do not match?
  2. If NETWORK SERVICE is an artifact of a legacy system, how can I configure them to match to avoid confusion going forward?
  3. What is a placeholder account for? What is the purpose?

What is DHCF

It says my lease expired. What does that mean and how do I fix it?

Side effects of removing a child domain and join clients to parent domain


Hello

In an environment there is a domain named X.com with 3 sites; each site contains 2 additional DCs. There is another child domain, Y.X.com, in another site with 2 DCs. We need to demote these DCs and join all servers and clients to the new DCs like the other 3 sites. I need to know any side effects and risks that may happen, or considerations that I have to be aware of. I need a step-by-step guide or checklist to perform this job. (There are .1x and McAfee ePolicy and some other services working in this environment, and some GPOs.)

Thanks in advance.

Child Domain DCs not Replicating (inbound + outbound replication disabled)


Question: 
Can a child DC be forcefully removed from the forest domain manually while maintaining authentication services for the child domain?

I have a forest domain, x.com, which is hosting (3) child domains: a.x.com, b.x.com, and c.x.com. The c.x.com DC specified in Sites and Services has not replicated with the primary forest DC in 5 years and is not reachable. However, the DC is still being used to authenticate users for the c.x.com domain on an isolated network. The unreachable DC is causing new DCs for the forest domain to fail promotion to a global catalog server due to the communication issue with the unreachable DC.

Can the record for the unreachable DC be removed from sites and services without impacting authentication attempts by the users on the c.x.com domain?

dcpromo stuck with samba active directory


Greetings,

I have an issue promoting Windows 2008 R2 SP1 as a DC in Zentyal (Samba directory); dcpromo is stuck at replicating the configuration:

Replicating data CN=Configuration,DC=x,DC=x: Received 1660 out of approximately 1660 objects and 29 out of approximately 29 distinguished name (DN) values

It just stays stuck there forever; I left it once for 2 days and it never completed. Any idea is really appreciated.

Problems with SID history between domains in forest trust


Hi everybody.

I've got a problem while migrating my domain resources to another one.

Source domain is A.local (Windows 2008 R2). Target is B.com (Windows 2016).
There is a trust between the two forests, bidirectional and transitive. 

I use ADMT to migrate users and groups. While migrating these objects, I check the "Migrate SID History" option.
Before that, I deactivated the SID filtering between my forests with this command:

- from the source domain : Netdom trust A.local /domain:B.com /enablesidhistory:yes /usero:administrator /passwordo:*

- from the target domain : Netdom trust B.com /domain:A.local /enablesidhistory:yes /usero:administrator /passwordo:*

When I try to access a share from the target domain, with a user who has share and security permissions, there is an error. I cannot access it.
If I modify the share settings to allow access to Everyone in the source domain, access is OK for my user in the target domain.

And more: if, on my source domain share, I put share permissions for the target user (or group), it's not working. If I do the same thing in the target domain, putting share permissions for the source user, everything works fine.

I've disabled / enabled SID history and SID filtering, nothing changed. Same thing after breaking and re-creating the trust.

I have checked the user account in the target domain, the SID history is correctly written in the users attributes.

No firewall or AV software on any DC. 

Does someone have an idea?  


Changing the Primary Domain DNS name of this computer to “ ” failed.


Hi all,

I face the below error message when joining PCs to the domain.

Changing the Primary Domain DNS name of this computer to “ ” failed.
The name will remain “ABC.com”.
The error was:

The specified server cannot perform the requested operation.

The computer object was successfully created in [Computers] OU.
PCs restarted and are able to log on to the domain with a domain user account, but it takes a long time to log in; if I try to disjoin the PC, the computer object still remains in the DC.

DC : Server 2016 


IT Helpdesk

userAccountControl attribute missing


Hello All,

I have been trying to implement a PowerShell script that I used at a different company in the domain at my current job.

The script is pretty simple. It is to search for users that are supposed to belong to a group and add them if they are missing.

I am using a filter to ensure that this only works on user accounts that are not disabled; however, this is where I ran into the problem in this domain. 90% of the user accounts do not come back with the "Enabled" property. When I investigated I also found that these accounts do not have any value for the userAccountControl attribute (missing in ADSI Edit).

I was under the impression that this userAccountControl attribute cannot be missing or null.

If that is not the case, how can I find disabled accounts that are missing the userAccountControl attribute?

Any help with this would be great! Thanks in advance.

Secure Channel issue


I have 3 AD sites configured in my network: Site A, Site B and Site C. When I join any client computer to the domain in any site, the computer establishes a secure-channel connection with the Site C domain controllers. Why do machines not create a secure-channel connection to a domain controller in their own AD site?

Please help me to understand how a client machine finds a domain controller in a network with AD sites defined.

Schema Extension 2019 - will we be able to install older server versions afterwards?


Hi

We currently have Functional Level 2012R2, but want to extend the schema to the 2019 level.

1) Will we be able to install Windows Server 2012 R2 and 2016 afterwards, or are we then only able to install WinSrv 2019?

Thanks in advance

/Peter

Native tools for monitoring elevated group memberships ?

Any recommendations on native tools for monitoring elevated group memberships? Looking for real-time notifications.