Channel: Directory Services forum
Viewing all 31638 articles

Additional Domain Controller for DR site


Hi All,

I would like to seek your assistance with our plan to add a domain controller for our DR site. May I know what the requirements and prerequisites are, and what I need to configure after promoting my domain controller? The role of this additional domain controller is to replicate the primary domain controller. If possible, please guide me in a step-by-step format. Thank you!

Also, can I control/limit/schedule the transfer rate? Thanks!

Regards,
Pao


creating a trust relationship in a lab environment


Guys,

I am stuck in my lab. I have 2 different hypervisors (VMware and VirtualBox). I want to connect my 2 test domains through a trust, but I can't figure out how (I do know where the create-a-trust console is, of course). Also, I was thinking, shouldn't I first create a site-to-site VPN?

Can anyone help me with this: should I create a VPN first, and how do I create a trust between 2 different hypervisors?

Both networks have a Microsoft Server (stand-alone) router as their gateway.

Many, many thanks.



AD backup


We have an Active Directory domain spanning multiple branches. Each branch is connected to each other and has two local GCs. While I am a developer at one of the branches, I am also a part-time administrator of the local branch network resources. I would like to ask about backing up the local GCs.

The local branch GCs run in Hyper-V virtual machines. In the event of a disaster, I understand that rebuilding a VM and letting it synchronize with the other should be sufficient for recovery. In an even worse case, if both local GCs die, I could still rebuild one or both of the VMs and let them synchronize with the domain controllers located at the other branches. However, this does not seem like the ideal backup solution, and it potentially involves protracted downtime.

As for backups, I do take scheduled state backups. But I'd like to ask about the acceptability of backing up the VM (VHDX disk) itself. If I were to store a backup of the VM disk, would simply restoring it and waiting for synchronization be sufficient to restore the GC? Is there any documentation / best practice for this method? Are there any significant problems that I should be aware of?

Thank you.

Password trouble


Hi All,

I have been having an issue with my password for at least a month now. The issue I am getting is that my admin password for server administration gets locked out almost on a nightly basis. I use the lockout status tool, which identifies which domain controllers have locked out my account.

First question: not all the domain controllers show a "locked out" status, which I find odd. I thought that once an account got locked out it would be locked out across the domain and show as locked on every DC?

Second question: what could be locking out my account? I do log on to various servers simultaneously and I may forget to log off some, but should that lock your account?

Any information to resolve this issue would be greatly appreciated.

Regards. 
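As an added example (not part of the original post), the PowerShell below does what the lockout status tool cannot: it reads event 4740 ("A user account was locked out") from the PDC emulator, which is the one DC that records every lockout in the domain because all other DCs forward bad-password counts and lockouts to it, and reports the "Caller Computer Name" of each lockout. That field is the machine the bad credentials came from, which is how a forgotten session on one server is found. The account name is a placeholder; the script assumes the ActiveDirectory module and remote read access to the PDC emulator's Security log.

```powershell
# Added example, not the poster's own script. Finds the source machine of
# account lockouts by reading event 4740 from the PDC emulator.
param(
    [string]$SamAccountName = 'adminaccount-PLACEHOLDER',   # constructed placeholder
    [int]$Days = 7
)

Import-Module ActiveDirectory

# The PDC emulator is the authority for lockouts: every DC forwards bad
# password attempts to it, so its Security log sees all 4740 events.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read the named EventData fields from each event's XML rather than relying on
# positional Properties[] indexes.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $SamAccountName) { continue }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        # In event 4740, TargetDomainName carries the "Caller Computer Name":
        # the machine that presented the bad credentials.
        CallerComputer = $data['TargetDomainName']
        # SubjectUserName is the account that performed the lockout, normally
        # the computer account of the DC that locked it.
        LockedBy       = $data['SubjectUserName']
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Summarise by caller so a single machine holding a stale session stands out.
$rows | Group-Object CallerComputer |
    Select-Object @{ n = 'CallerComputer'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

Once the caller machine is known, its Security log around the same timestamps (events 4625 and 4776 and the logon type) shows which process, service or scheduled task is still presenting the old password.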

Can't enumerate group membership of groups with FSP members after running netdom /EnableTGTDelegation:No


We're trying to follow the guidance provided here. On 5/14/2019 this change will be the default for new trusts, and on 7/9/2019 this will be the enforced behavior and the EnableTGTDelegation setting will be ignored. We operate out of a primary domain and manage several other forests from there. After running the command below, where "ourdomain.local" is our domain and "otherdomain.local" is the domain that trusts our domain, we started seeing errors with Get-ADGroupMember for groups in "otherdomain.local" when run from "ourdomain.local". Running the dsget variant of this PowerShell command works. This seems to only occur if the group contains a Foreign Security Principal (FSP). These commands are run from the same location and with the same ID. PowerShell fails and dsget works. "Authenticated Users" is a member of the "Builtin\Users" group in both domains.

netdom.exe trust ourdomain.local /domain:otherdomain.local /EnableTGTDelegation:No

PowerShell command that fails:

Get-ADGroupMember "account operators" -Server otherdomain.local

dsget variant of it that works:

dsget group "CN=account operators,CN=builtin,DC=otherdomain,DC=local" -members

Error:

Get-ADGroupMember : The server was unable to process the request due to an internal error.  For more information about
the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or
turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
At line:1 char:1
+ Get-ADGroupMember "account operators" -Server otherdomain.local
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (account operators:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember


Full error:

Microsoft.ActiveDirectory.Management.ADException: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. ---> System.ServiceModel.FaultException: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.

Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
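One way to list the members of such a group without Get-ADGroupMember's server-side expansion, as an added example that is not part of the original post: read the group's member attribute directly and resolve any ForeignSecurityPrincipal entry from its objectSid on the caller's side. The script assumes the ActiveDirectory module and read access to the trusting domain; the group and domain names are the post's own placeholders.

```powershell
# Added example, not the poster's own script. Enumerates direct group members
# by reading the "member" attribute and resolving FSP entries by SID locally.
Import-Module ActiveDirectory

function Get-GroupMemberWithFsp {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Server
    )

    # The member attribute holds distinguished names, including entries under
    # CN=ForeignSecurityPrincipals for principals from trusted domains/forests.
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties member

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid, objectClass

        if ($obj.objectClass -eq 'foreignSecurityPrincipal') {
            # The FSP's objectSid is the SID of the principal in the other forest,
            # or a well-known SID such as Authenticated Users (S-1-5-11).
            $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<SID not resolvable from here>' }   # trust or LSA lookup unavailable
            [pscustomobject]@{
                DistinguishedName = $dn
                Class             = 'foreignSecurityPrincipal'
                Sid               = $sid.Value
                Resolved          = $name
            }
        }
        else {
            [pscustomobject]@{
                DistinguishedName = $dn
                Class             = [string]$obj.objectClass
                Sid               = if ($obj.objectSid) { $obj.objectSid.Value } else { '' }
                Resolved          = $obj.Name
            }
        }
    }
}

Get-GroupMemberWithFsp -GroupName 'Account Operators' -Server 'otherdomain.local' |
    Format-Table -AutoSize
```

Because the SID-to-name translation happens on the machine running the script rather than on the remote ADWS server, an FSP that cannot be resolved is reported with its raw SID instead of failing the whole call, which is the behaviour you want when auditing group membership across a trust that is being tightened.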



Name Suffix Routing shows Conflict


We have multiple domains and forests in our environment, connected with a two-way trust. We are in the process of consolidating all the domains into a single domain in a single forest. Our on-prem AD objects are synced with Azure through AD Connect.

Our main domain is xxxx.pri. Right now we are moving all users and machines from the yyyy.com domain to xxxx.pri. We would like to retain the users' UPN @yyyy.com. When we add yyyy.com as a suffix in AD Domains and Trusts, the trust breaks between xxxx.pri and yyyy.com.

Users see the error below while connecting to xxxx.pri domain servers.

"The Security System detected an authentication error for the server. The failure code from authentication protocol Kerberos was "The name or SID of the domain specified is inconsistent with the trust information for that domain."

In Name Suffix Routing, a conflict is shown with the yyyy.com domain.


Kerberos issue with Jenkins windows slaves



I've been trying to figure out the differences between testa01 (success) and testa02 (failure), and it looks like testa02 doesn't have Kerberos set up properly.

In testa01, when I visit jenkins.factset.com (or is.factset.com) as svc-hudson, I am authenticated properly. However, in testa02 I get prompted for credentials.

I can also see Kerberos errors in the Event Viewer after enabling Kerberos event logging in testa02.

Kindly let us know how to resolve the issue.

We are receiving Event 3 Security-Kerberos continuously in the logs.

Group policy cannot be applied on client systems


Dear Support,

We are unable to apply group policy on client systems, so please help us to resolve the same.

Regards,

Itsupport


how to check which DC is running LDAP

I was wondering if there is an easy way to see which DC in an environment is currently running the LDAP service, that is, which DC people/applications using LDAP lookups will point to in their lookup. Pretty simple question, thanks.

Azure AD Planning


Dear All,

Our org has multiple forests (separate AD domains) and no trusts between them; all forests are on 2008 R2.

We plan to move to Azure AD. What should be our approach?

1. Consolidate all ADs into one AD and then use Azure AD Connect.

2. Directly set up a tenant in Azure AD and use the multi-forest, single-tenant approach.

Let me know if more info is required on the scenario.

PS: consider me a novice.

Removing Tombstone Server 2016 Domain Controller, re-add to domain and promote to DC


Hi,

We currently have three domain controllers (DC1, DC2, DC3), with the FSMO roles spread across DC1 & DC2. DC1 & DC2 are located in site A and DC3 is located in site B. Due to a misconfiguration of the network, DC3 wasn't able to communicate with DC1 or DC2 for quite some time, resulting in the tombstone lifetime being reached, i.e. 180 days. As far as I understand, DC3 is essentially unrecoverable now because of this. What are my options here to get DC3 removed from the domain completely, added back to the domain and promoted to a DC?

1. Restore network communication, demote DC3 so it's just a member server, then re-add it to the domain and promote it to a DC?

2. Force removal of DC3 from the domain and perform metadata cleanup, then re-add it to the domain and promote it to a DC?

What makes things worse is that DC3 is also a print server, which I would like to remain intact. By performing these actions, I presume that any computers that have established a connection with DC3 will be broken and will need to be rejoined to the domain?

Looking for some input for a clean resolution to my problem.

Cheers


CCertRequest::Submit: The RPC server is unavailable.

Hi,

I'm getting stuck when testing a Windows Certificate Authority. I am getting the following error when running the command from non-domain-joined computers:

certutil -ping -config "test.domain.tld\Test_CA"

C:\Users\Avadhesh>certutil -ping -config "test.domain.tld\Test_CA"
Connecting to test.domain.tld\Test_CA ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (32ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.


but when running the same command from a domain-joined computer it works perfectly:

C:\Windows\system32>certutil -ping -config "test.domain.tld\Test_CA"
Connecting to test.domain.tld\Test_CA ...
Server "CostaCloud Secure CA" ICertRequest2 interface is alive (15ms)
CertUtil: -ping command completed successfully.


I want to run this command from non-domain-joined computers without any error.

Do you have any idea, please?

How to generate these event in Windows Server 2019


Hi,

I extracted the Active Directory events from %SystemRoot%\System32\en-US\ntdsmsg.dll.mui. Below are the events that were newly added in Windows Server 2019.

New Events --> 2998, 2999, 3001, 3002, 3006, 3007, 3008, 3016, 3003, 3009, 3010, 3011, 2997, 3000, 3004, 3005, 3012, 3013

i) I am unable to find any info related to these events.

ii) How do I generate these events?


Child Domain DCs not Replicating (inbound + outbound replication disabled)


Question: 
Can a child DC be forcefully removed from the forest domain manually while maintaining authentication services for the child domain?

I have a forest domain, x.com which is hosting (3) child domains, a.x.com, b.x.com, and c.x.com. The c.x.com DC specified in sites and services has not replicated with the primary forest DC in 5 years and is not reachable. However, the DC is still being used to authenticate users for the c.x.com domain on an isolated network. The unreachable DC is causing new DCs for the forest domain to fail promotion of a global catalog server due to the communication issue with unreachable DC.

Can the record for the unreachable DC be removed from sites and services without impacting authentication attempts by the users on the c.x.com domain?

Sending Windows Events to a Linux Syslog Server


I am trying to configure Windows Domain Controllers to send all events to a Linux syslog server (syslog-ng). I configured the Subscription Manager group policy to point to the URL of the syslog server on port 5985. But it is not working... I have tried entering the Root and Intermediate thumbprints in the value of the subscription manager connection string.

I am getting this error in the Event Viewer under "Eventlog-ForwardingPlugin":

The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxxns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

Somehow, I don't think it is a certificate issue at this point.


AD Cross forest access token creation and resource access


Dear all!

Could someone explain to me the access token creation process for a user with two AD forests (2003 - 2008 R2) that are joined by a forest trust?

Domain and forest functional levels are 2003 native and 2008 R2 respectively.

http://technet.microsoft.com/en-us/library/cc780455(v=ws.10).aspx

As I understand from the link above (and not only from there), when a user logs on to a domain-joined computer, the LSA subsystem constructs the user's access token by means of netlogon.dll, which communicates with the local DC + GC + forest root DC to get:

- the user's own SID;

- the user's SIDHistory attribute, if any;

- the SIDs of all the groups that the user is a member of (global, universal, domain local, computer local), if any;

- well-known groups' SIDs (depending on access type);

- privileges and other pieces.

If I add a user (DOM1\User1) from one forest to a "domain local" group of the second forest (DOM2\DL-Group2) (for assigning permissions to resources in DOM2), this will lead to ForeignSecurityPrincipals object creation in the second forest, DOM2.

This foreign object will be seen as part of a particular DOM2\DL-Group2 group and vice versa.

The question is the following:

How do "LSA + netlogon.dll + something else (WHAT?)" know that the user is a member of some group in a different AD forest, so as to include the SID of that group in the user's access token?

Could someone provide me with the detailed mechanisms and processes that take place covering inter-forest resource access in conjunction with cross-forest access token creation?

1. When DOM1\User1 logs on to DOM1\PC1 and accesses resources in the foreign forest

2. When DOM1\User1 logs on to DOM2\PC2 and accesses resources in the foreign forest

Any help is appreciated!
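To make the result of that process visible, here is an added example (not from the original post) that dumps every group SID in the current user's access token and classifies each by the domain part of its SID: the account's own domain, another domain or forest, or a well-known/BUILTIN SID with no domain part. Run as DOM1\User1 on DOM2\PC2, the DOM2 domain local groups such as DL-Group2 show up as "other domain/forest", because the resource domain's DC added them on the strength of the ForeignSecurityPrincipal membership when it built the token. It needs no modules; DOM1/DOM2 are the post's names.

```powershell
# Added example, not the poster's own script. Classifies the group SIDs in the
# current process token by the domain they belong to.
function Get-TokenGroupReport {
    $id         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userSid    = $id.User
    # AccountDomainSid is the S-1-5-21-... prefix of the account's own domain;
    # it is $null for local accounts and for well-known/BUILTIN SIDs.
    $userDomain = $userSid.AccountDomainSid

    foreach ($sid in $id.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }   # e.g. a SIDHistory entry from a retired domain

        $origin = if ($null -eq $sid.AccountDomainSid) { 'well-known/BUILTIN' }
                  elseif ($userDomain -and $sid.AccountDomainSid.Equals($userDomain)) { 'own domain' }
                  else { 'other domain/forest' }   # resource-domain groups and SIDHistory SIDs land here

        [pscustomobject]@{ Principal = $id.Name; Sid = $sid.Value; Name = $name; Origin = $origin }
    }
}

Get-TokenGroupReport | Sort-Object Origin, Name | Format-Table Sid, Name, Origin -AutoSize
```

The same token on DOM1\PC1 (case 1 in the post) contains no DOM2 groups at all: those are only added when DOM2's DC issues the service ticket or builds the local logon token, which is why permissions granted via DOM2 domain local groups work on DOM2 resources but are invisible on DOM1 machines.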

Secure Channel issue


I have 3 AD sites configured in my network: Site A, Site B and Site C. When I join any client computer to the domain in any site, the computer establishes a secure-channel connection with the Site C domain controllers. Why do machines not create a secure channel connection to a domain controller in their own AD site?

Please help me to understand how a client machine finds a domain controller in the network with AD sites defined.
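As an added example (not part of the original post), the PowerShell below performs the check that usually explains this symptom: it tests whether the client's IPv4 addresses fall inside any subnet object defined in AD Sites and Services and prints which site that subnet belongs to, then shows what the DC locator actually decided. A client whose address matches no subnet has no site, so the locator gives it any DC in the domain rather than one nearby. It assumes the ActiveDirectory RSAT module on the client being examined and handles IPv4 only.

```powershell
# Added example, not the poster's own script. Maps this client's addresses to
# AD subnets/sites and shows the DC locator's result.
Import-Module ActiveDirectory

# True when $Ip (dotted IPv4) lies inside $Cidr (e.g. 10.20.0.0/16).
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }   # IPv4 only
    $prefix = [int]$bits
    for ($i = 0; $i -lt 4; $i++) {
        $take = [Math]::Min(8, $prefix - 8 * $i)   # prefix bits that cover this octet
        if ($take -le 0) { break }
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

function Get-ClientSiteReport {
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    $ips = Get-NetIPAddress -AddressFamily IPv4 |
           Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
           Select-Object -ExpandProperty IPAddress
    foreach ($ip in $ips) {
        # Longest-prefix match, the same rule the DC uses to place a client in a site.
        $match = $subnets | Where-Object { Test-IpInCidr -Ip $ip -Cidr $_.Name } |
                 Sort-Object { [int](($_.Name -split '/')[1]) } -Descending |
                 Select-Object -First 1
        [pscustomobject]@{
            ClientIp = $ip
            Subnet   = $(if ($match) { $match.Name } else { '<no subnet: client has no site>' })
            Site     = $(if ($match) { ($match.Site -split ',')[0] -replace '^CN=' } else { '' })
        }
    }
}

Get-ClientSiteReport | Format-Table -AutoSize

# What Netlogon actually decided: the site it placed this client in, and the
# DC it chose. "Our Site Name" vs "Dom Site Name" in the second output shows
# when the client is being served from a DC in a different site.
nltest /dsgetsite
nltest "/dsgetdc:$env:USERDNSDOMAIN"
```

If the report shows "no subnet" for the client's address, adding the missing subnet with `New-ADReplicationSubnet -Name <cidr> -Site <site>` is the fix; the DCs also log Netlogon event 5778 for clients they could not place in a site, which is the server-side view of the same gap.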

create new object in Active Directory


Hi,

Sorry for the novice question, but I'm trying to create a new class object so that any other system admin can create a new instance of it in Active Directory (as when adding a new user or group).

I created 2 attributes and 1 class with ADExplorer:

cn: myAttribute1
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.38971.1.1.2
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
adminDisplayName: myAttribute1
adminDescription: myAttribute1
oMSyntax: 64
searchFlags: 1
lDAPDisplayName: myAttribute1
systemOnly: FALSE

cn: myAttribute2
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.38971.1.1.1
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
adminDisplayName: myAttribute2
adminDescription: myAttribute2
oMSyntax: 64
searchFlags: 1
lDAPDisplayName: myAttribute2
systemOnly: FALSE

cn: myClassObject
objectClass: classSchema
governsID: 1.3.6.1.4.1.38971.1.2.1
rDNAttID: cn
adminDisplayName: myClassObject
adminDescription: myClassObject
objectClassCategory: 1
lDAPDisplayName: myClassObject
name: myClassObject
systemOnly: FALSE
subClassOf: groupOfNames
mayContain: myAttribute1
mustContain: myAttribute2

I rebooted the AD server.

I registered the schema management DLL and loaded it in MMC.

I confirmed that the object and attributes were there.

However, I have two issues:

1) I'd like to be able to add new myClassObject instances from the server's control panel instead of using AdExplorer or an LDIF file. The object myClassObject does not appear in the "create new" drop-down menu.

2) If I create a myClassObject instance with AdExplorer and then assign a user as a member, all seems to work as expected, except that when I browse to the properties of the AD user, open the "membership" tab and scroll down the different groups, as soon as I hover over and click myClassObject with the mouse, the AD console crashes with an unknown error (nothing useful in the log).

Any ideas?

Anything wrong in my object/attribute definitions above?

Thanks

Problems with SID history between domains in forest trust


Hi everybody.

I've got a problem while migrating my domain resources to another one.

Source domain is A.local (Windows 2008 R2). Target is B.com (Windows 2016).
There is a trust between the two forests, bidirectional and transitive. 

I use ADMT to migrate users and groups. While migrating these objects, I check the "Migrate SID History" option.
Before that, I deactivated SID filtering between my forests with these commands:

- from the source domain : Netdom trust A.local /domain:B.com /enablesidhistory:yes /usero:administrator /passwordo:*

- from the target domain : Netdom trust B.com /domain:A.local /enablesidhistory:yes /usero:administrator /passwordo:*

When I try to access a share from the target domain, with a user who has share and security permissions, there is an error. I cannot access it.
If I modify the share settings to allow access to Everyone in the source domain, access is OK for my user in the target domain.

Furthermore, if on my source domain share I grant share permissions to the target user (or group), it's not working. If I do the same thing in the target domain, granting share permissions to the source user, everything works fine.

I've disabled / enabled SID history and SID filtering; nothing changed. Same thing after breaking and recreating the trust.

I have checked the user account in the target domain; the SID history is correctly written in the user's attributes.

No firewall or AV software on any DC. 

Does someone have an idea?  

Recommendation on 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)


Hi

We are in the process of hardening DC security. All our DCs are Windows 2016 (1607) and clients are Windows 2012, 2012 R2 and Windows 10 (1607 & 1803). We found event ID 2887 and enabled detailed event logging (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" with a DWORD value of 2), but have not yet started analyzing the logs.

If we apply this policy at the DC level, do we need to configure it at the client OU as well? Also, what about other appliances in the network?

What is the normal suggestion / recommendation to enable this setting?

Thanks in advance


LMS
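As an added example (not part of the original post), the PowerShell below does the log analysis the post says has not yet been started: with "16 LDAP Interface Events" set to 2, each DC writes Directory Service event 2889 per unsigned bind, naming the client address, the identity it bound as and the binding type, while 2887 is only a daily count. Collecting 2889 from every DC and grouping by client and identity yields the list of machines and appliances that would break once "Require signing" is enforced, which answers the "other appliances" question with data. It assumes the ActiveDirectory module and remote read access to each DC's Directory Service log.

```powershell
# Added example, not the poster's own script. Summarises Directory Service
# event 2889 (unsigned LDAP binds) across all DCs before enforcing signing.
Import-Module ActiveDirectory

function Get-UnsignedLdapBinds {
    param([int]$Days = 1)

    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        $filter = @{
            LogName   = 'Directory Service'
            Id        = 2889
            StartTime = (Get-Date).AddDays(-$Days)
        }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Event 2889 carries its data in the order the message text lists it:
            # client address:port, the identity bound as, and the binding type
            # (0 = unsigned SASL bind, 1 = simple bind on a cleartext connection).
            $p    = $e.Properties
            $addr = [string]$p[0].Value
            $cut  = $addr.LastIndexOf(':')          # strip the port; works for IPv6 too
            [pscustomobject]@{
                DC          = $dc
                Time        = $e.TimeCreated
                Client      = if ($cut -gt 0) { $addr.Substring(0, $cut) } else { $addr }
                Identity    = [string]$p[1].Value
                BindingType = [string]$p[2].Value
            }
        }
    }
}

$binds = Get-UnsignedLdapBinds -Days 7

# One row per (client, identity): the remediation list for unsigned binds.
$binds | Group-Object Client, Identity, BindingType |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client,Identity,BindingType'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Because the policy is enforced on the DCs, the client-side "Network security: LDAP client signing requirements" setting only changes what Windows clients offer; the 2889 list is what tells you which non-Windows appliances need their LDAP bind switched to LDAPS or a signed SASL bind before the DC-side setting is raised.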

