Channel: Directory Services forum

Audit


Hi All,

I have become the Domain Admin for our environment. What I would like to do is create an audit via GPO in order to oversee who has amended, deleted, or created an object within our domain.

I believe the way to achieve this would be through Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access and then Audit Directory Service Changes. Does anyone know if this is the right policy for auditing changes to AD objects? Any information would be greatly appreciated.
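The policy subcategory named in the post is only half of the configuration: the "Directory Service Changes" subcategory decides whether the DC is allowed to log object changes at all, but events are only written for objects whose SACL asks for auditing. The following is an added example, not part of the post or of any Microsoft documentation, that enables the subcategory locally, puts an inheritable audit entry on the domain head, and pulls the resulting events from every DC. It assumes it runs on a domain controller as a Domain Admin with the ActiveDirectory module available; the property indexes used to pick the object DN and subject out of the event follow the 5136/5137/5139/5141 event template.

```powershell
# Added example, not from the original post. Run on a domain controller as a Domain Admin.
# Assumed: the ActiveDirectory module is installed and the AD: PSDrive it provides is available.
Import-Module ActiveDirectory

# 1. The policy subcategory. The GPO path in the post sets exactly this for all DCs;
#    auditpol shows and sets the same setting on the local machine.
auditpol.exe /get /subcategory:"Directory Service Changes"
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. The policy alone logs nothing: events 5136-5141 are written only for objects whose
#    SACL requests auditing. Add an inheritable SACL on the domain head that covers
#    create / delete / modify by Everyone.
$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn" -Audit
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Delete, DeleteTree, WriteProperty, WriteDacl, WriteOwner'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone, $rights,
                [System.Security.AccessControl.AuditFlags]::Success,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# 3. Read the results from every DC. 5136 = attribute modified, 5137 = object created,
#    5138 = undeleted, 5139 = moved, 5141 = deleted. Property index 8 is the object DN and
#    indexes 3/4 the subject user and domain in these event templates.
Get-ADDomainController -Filter * | ForEach-Object {
    Get-WinEvent -ComputerName $_.HostName -MaxEvents 50 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141 } |
        Select-Object MachineName, TimeCreated, Id,
            @{ n = 'Object';  e = { $_.Properties[8].Value } },
            @{ n = 'Subject'; e = { "$($_.Properties[4].Value)\$($_.Properties[3].Value)" } }
}
```

Auditing every WriteProperty by Everyone from the domain root is the quickest way to see the events appear; in production narrow the SACL to the OUs and attribute sets you care about, otherwise routine machine password changes and similar writes fill the Security log. The events are local to the DC that processed the change, so step 3 (or a central log collector) has to look at all DCs, not just one.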


Sending Windows Events to a Linux Syslog Server


I am trying to configure Windows Domain Controllers to send all events to a Linux syslog server (syslog-ng). I configured the Subscription Manager group policy to point to the URL of the syslog server on port 5985. But it is not working... I have tried entering the Root and Intermediate thumbprint in the value of the subscription manager connection string.

Getting this error in the Event Viewer "Eventlog-ForwardingPlugin" 

The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxxns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

Somehow, I don't think it is a certificate issue at this point.
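The Eventlog-ForwardingPlugin is the Windows Event Forwarding (WEF) client. It speaks WS-Management (WinRM) to a collector's SubscriptionManager endpoint, which is exactly the protocol the quoted WSManFault says the other side does not implement; a plain syslog listener on port 5985 has nothing to answer with. The following is an added example, not part of the post, that checks from the forwarder whether the configured address answers WS-Management at all, shows the policy value the forwarder is actually using, and prints what a well-formed collector string looks like. The collector name `wec01.example.com` is an assumption.

```powershell
# Added example, not from the original post. Run on one of the forwarding DCs.
# Assumed collector host name; replace it with the address from your policy.
$collector = 'wec01.example.com'
$port      = 5985

# 1. Does anything on that port speak WS-Management? Test-WSMan issues an Identify request,
#    which is what a WEC server answers and a syslog listener does not.
try {
    Test-WSMan -ComputerName $collector -Port $port -ErrorAction Stop |
        Format-List ProductVendor, ProductVersion
} catch {
    Write-Warning "No WS-Management responder at ${collector}:${port}: $($_.Exception.Message)"
}

# 2. What the forwarder was told via Group Policy (the Subscription Manager setting).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $key) { Get-ItemProperty -Path $key | Format-List * }

# 3. A well-formed value for an HTTP collector using Kerberos. No certificate thumbprint
#    is involved unless the URL is https:// and the forwarder authenticates with a certificate.
"Server=http://${collector}:${port}/wsman/SubscriptionManager/WEC,Refresh=60"

# 4. After changing the policy, make the forwarder re-read it and retry immediately.
gpupdate /target:computer /force
Restart-Service -Name WinRM
```

If step 1 fails against the syslog-ng host, the policy is doing exactly what it was asked to do and the problem is the target, not the certificate. Getting Windows events into syslog-ng then means either a Windows collector (WEC) in the middle that forwards onward, or an agent on the DCs that reads the event log and emits syslog; which of those fits is outside this example.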

How to generate these event in Windows Server 2019


Hi,

I extracted the Active Directory events from %SystemRoot%\System32\en-US\ntdsmsg.dll.mui. Below are the events which got newly added in Windows Server 2019.

New Events --> 2998, 2999, 3001, 3002, 3006, 3007, 3008, 3016, 3003, 3009, 3010, 3011, 2997, 3000, 3004, 3005, 3012, 3013

i) I am unable to find any info related to these events.

ii) How to generate these events.


Segregation - Administrators


There was a recent divestiture and we are in the process of amalgamating systems under a single domain.

Based on the requirement from the Department of Energy listed below:

"Ensure individuals will have access to the controlled information governed by
Part 810 only as needed for their responsibilities and that they will not have access to classified information, or
information deemed to be sensitive nuclear technology, while employed by company"

Is there a way to grant a system administrator access through ADUC so that they can do everything they need in a specific region (Canada / US) without allowing them access to commercially sensitive data or classified information? ACLs and security groups should suffice, correct?

Some of the "Administrators" duties would include:

ADUC administration (limited capacity, group management, adding servers, login scripts, powershell), Troubleshooting, Backup and Restores, SCCM administration, Networking, Software Installations, VMware, configuration management, Server deployment, among a few others.

Could the forest be setup the following way to enable this based on the model below?

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/using-the-organizational-domain-forest-model

Also, a rough non-biased opinion: this is a smaller company, 1000 employees; how long would this take to configure and set up?


I cannot login to child domain DCs with domain administrator account


Hi,

I cannot log in to child domain DCs with the domain administrator account; previously I was able to log in! Any help would be appreciated.

Thanks

Domain controllers replication issue


Hi,

I have two domain controllers that have been working for about two years. I also had another domain controller that had a problem, and I disconnected it from the network and cleaned up its metadata from the other DCs. Yesterday, for some changes, I turned off the domain controllers, and after powering them on I saw that the additional DC cannot see the primary DC. Here is the error I got:

Active Directory Domain Services was unable to establish a connection with the global catalog. 
Additional Data 
Error value:
8430 The directory service encountered an internal failure. 
Internal ID:
3200db0 
User Action: 
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
 

I can ping the domain controllers but I cannot access shared folders on them. Therefore, I was forced to remove the DNS server and re-install it again. Here is the DCDIAG result:

C:\Windows\system32>Dcdiag /test:checksecurityerror
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = SRV-additional
   [SRV-additional] Directory Binding Error 1722:
   The RPC server is unavailable.
   This may limit some of the tests that can be performed.
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\SRV-ADDITIONAL
      Starting test: Connectivity
         [SRV-ADDITIONAL] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SRV-ADDITIONAL failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\SRV-ADDITIONAL
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : rsz
   Running enterprise tests on : rsz.local


Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
Source domain controller: 
 SRV2 
Failing DNS host name: 
 352c21fa-a86d-4fc7-9a2b-a93345b5410d._msdcs.rsz.local 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
Registry Path: 
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
User Action: 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 
 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
  dcdiag /test:dns 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
  dcdiag /test:dns 
 5) For further analysis of DNS error failures see KB 824449: 
   http://support.microsoft.com/?kbid=824449 
Additional Data 
Error value: 
 11004 The requested name is valid, but no data of the requested type was found.

C:\Windows\system32>netdom /query fsmo
The RPC server is unavailable.
The command failed to complete successfully.

C:\Windows\system32>Repadmin /kcc childdc2
Repadmin can't connect to a "home server", because of the following error.  Try
specifying a different
home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:
    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:
C:\Windows\system32>NETDIAG Trust Relationship
'NETDIAG' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>NETDIAG
'NETDIAG' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>Repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\SRV-ADDITIONAL
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 03e194c8-f399-405c-b7a7-475375591d51
DSA invocationID: 220c4c6b-3636-4073-b51f-098a1211020c
==== INBOUND NEIGHBORS ======================================
DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:43:46.
CN=Configuration,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:25 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
CN=Schema,CN=Configuration,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:51 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
DC=DomainDnsZones,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        31 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
DC=ForestDnsZones,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        31 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.

Any help would be appreciated. Thanks
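The output above points at two layered failures: the DNS record the replication engine needs (the `<DSA GUID>._msdcs.<forest>` CNAME of SRV2) does not resolve (error 11004), and RPC to SRV2 is unreachable (1722), which is why every repadmin/netdom call that needs a directory bind also dies. The following is an added example, not part of the post, that walks those checks in order on the failing DC using the names visible in the output (rsz.local, SRV2, SRV2's DSA GUID). It uses only the DnsClient and NetTCPIP cmdlets plus the same nltest/repadmin tools the post already runs.

```powershell
# Added example, not from the original post. Run on SRV-ADDITIONAL (the DC that cannot see SRV2).
# Names and GUID are taken from the post's output; nothing else is assumed.
$forest  = 'rsz.local'
$srcDc   = 'SRV2'
$dsaGuid = '352c21fa-a86d-4fc7-9a2b-a93345b5410d'

# 1. Which DNS servers does this DC use? After the DNS role was removed and re-added, a DC that
#    points only at itself has no _msdcs data until the AD-integrated zones replicate back,
#    which cannot happen while replication itself is broken. Point it at SRV2's DNS first.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses

# 2. The record replication needs: the DSA GUID of the source as a CNAME to its host name,
#    and that host name as an A record. Both must answer before repadmin can work.
Resolve-DnsName -Name "$dsaGuid._msdcs.$forest" -Type CNAME -ErrorAction SilentlyContinue
Resolve-DnsName -Name "$srcDc.$forest"           -Type A     -ErrorAction SilentlyContinue

# 3. Error 1722: the RPC endpoint mapper (135) or the dynamic RPC port could not be reached.
#    LDAP (389) is checked as well because dcdiag reported both LDAP and RPC connectivity failures.
Test-NetConnection -ComputerName "$srcDc.$forest" -Port 135
Test-NetConnection -ComputerName "$srcDc.$forest" -Port 389

# 4. Can the locator still find a global catalog? This is the check the event text asks for.
nltest /dsgetdc:$forest /gc /force

# 5. Re-register the SRV/CNAME records on both DCs (run the same two lines on SRV2), then
#    confirm replication recovers. Leave the Diagnostics\22 registry value at 1 while debugging
#    so the DS RPC Client log shows every failure, not only the first 10 per 12 hours.
ipconfig /registerdns
Restart-Service -Name Netlogon
repadmin /replsummary
dcdiag /test:dns /v
```

The order matters: step 1 must succeed before steps 2 and 5 mean anything, because a DC whose only DNS server is itself, with the `_msdcs` zone gone, will fail step 2 no matter how healthy SRV2 is. If step 3 fails while ICMP works, look at a host firewall on SRV2 or a network firewall between the two before touching AD metadata; 1722 with ping succeeding is almost always a port filter, not a directory problem.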


Active Directory and Web Server Workstation Computer: Authentication


We have ADDS.

We also have a Windows Server workstation that contains a web application with IIS (WebApp1). It's on an isolated network.

What options do we have to authenticate users using their ADDS credentials when they access WebApp1?

We could put a firewall between ADDS and the workstation network...

DFS access problem


Hi,

I have a problem with access to DFS using the namespace \\domainname\dfs\share from Excel, Word or other Office applications. The shared drive is mapped using group policy and I can navigate through the shared drive using Explorer without any problems.

I can access the share directly from the server \\dfs-01\shared without any problems. We have 280 users but not all of them have this problem (it's around 20-20 of them).

If I use my DA account the problem doesn't exist and I can open Excel or Word files without any problems. Can you please help?

Regards,

Jan


create new object in Active Directory


Hi,

Sorry for the novice question, but I'm trying to create a new class object so that any other system admin can create a new instance of it in Active Directory (as when adding a new user or group).

I created 2 attributes and 1 class with ADExplorer:

cn: myAttribute1

objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.38971.1.1.2
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
adminDisplayName: myAttribute1
adminDescription: myAttribute1
oMSyntax: 64
searchFlags: 1
lDAPDisplayName: myAttribute1
systemOnly: FALSE

cn: myAttribute2
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.38971.1.1.1
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
adminDisplayName: myAttribute2
adminDescription: myAttribute2
oMSyntax: 64
searchFlags: 1
lDAPDisplayName: myAttribute2
systemOnly: FALSE

cn: myClassObject
objectClass: classSchema
governsID: 1.3.6.1.4.1.38971.1.2.1
rDNAttID: cn
adminDisplayName: myClassObject
adminDescription: myClassObject
objectClassCategory: 1
lDAPDisplayName: myClassObject
name: myClassObject
systemOnly: FALSE
subClassOf: groupOfNames
mayContain: myAttribute1
mustContain: myAttribute2

I rebooted the AD server.

I registered the schema management DLL and loaded it in MMC.

I confirmed that the object and attributes were there.

However, I have two issues:

1) I'd like to be able to add new myClassObject instances from the server's control panel instead of using AdExplorer or an LDIF file. The object myClassObject does not appear in the "create new" drop-down menu.

2) If I create a myClassObject instance with AdExplorer, and then assign a user as member all seems to work as expected except when I browse to the properties of the AD user, open the "membership" tab, scroll down the different groups, but as soon as I hover over and click myClassObject  with the mouse, the AD console crashes with an unknown error (nothing useful in the log).

Any ideas?

Anything wrong in my object/attribute definitions above?

Thanks
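ADUC builds its New menu from the display specifiers stored under CN=DisplaySpecifiers in the Configuration partition, so a freshly added class with no specifier will not appear there; the practical way to create instances of a custom class is the ActiveDirectory module. The following is an added example, not part of the post, that creates an instance of the class exactly as defined above (mustContain myAttribute2, mayContain multi-valued myAttribute1, member inherited from groupOfNames) and reads it back. The OU, the instance name and the user `alice` are assumptions, and it assumes the class permits the target OU as a parent (possSuperiors); if New-ADObject reports a naming violation, that is what to check.

```powershell
# Added example, not from the original post. Assumes the schema objects from the post exist
# and that the class allows an organizationalUnit as its superior. OU and user are assumptions.
Import-Module ActiveDirectory
$ou       = 'OU=Apps,DC=example,DC=com'
$memberDn = (Get-ADUser -Identity 'alice').DistinguishedName

# Create an instance. myAttribute2 is in mustContain, so it has to be present at creation.
# member is supplied as well so the create does not fail if the inherited groupOfNames
# definition treats it as mandatory on this forest.
$obj = New-ADObject -Name 'myInstance1' -Type 'myClassObject' -Path $ou -PassThru `
           -OtherAttributes @{
               myAttribute2 = 'required value'
               myAttribute1 = @('optional value', 'second value')   # multi-valued: isSingleValued FALSE
               member       = $memberDn
           }

# Read it back, including the attributes inherited from groupOfNames / top.
Get-ADObject -Identity $obj -Properties objectClass, myAttribute1, myAttribute2, member |
    Format-List Name, objectClass, myAttribute1, myAttribute2, member

# Adding and removing members later is an ordinary attribute edit on the instance.
Set-ADObject -Identity $obj -Add    @{ member = (Get-ADUser -Identity 'bob').DistinguishedName }
Set-ADObject -Identity $obj -Remove @{ member = $memberDn }

# memberOf on the user is the directory-maintained back-link of member, so the instance shows
# up in the user's memberOf even though it is not a group object.
Get-ADUser -Identity 'alice' -Properties memberOf | Select-Object -ExpandProperty memberOf
```

The last line explains why the instance appears on the user's Member Of tab at all: ADUC lists every DN in memberOf, and because member/memberOf are linked at the schema level, any class that carries member gets that back-link. The tab's code expects those DNs to be group objects, which a groupOfNames subclass is not.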

Merge three domains into single domain


Hi,

Looking for some guidelines to merge three domains into single domain in the same forest.

Any one have experience with this, please share your experience.

Thanks in advance.

Active Directory forest functional level 2016: downward compatibility with Integrated Windows Authentication service 2003


hi,

My company is planning to raise the Active Directory forest functional level to 2016, but we are wondering if it is downward compatible with the Integrated Windows Authentication (IWA) service 2003. What are the important things to check before raising the forest functional level to 2016?

GPRESULT return different domain type for COMPUTER & USER

The challenge remains to me to be inherited. I do not know the causes of the problem.

1) Value "domainReplica" (in ADSI) is "PHOBOS" in "DC=ads,DC=DOMAIN,DC=kz". I can't clear this attribute in ADSI; the error returned is "ERROR_DS_ATTRIBUTE_OWNED_BY_SAM,8346,0x209A,Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)."

2) GPRESULT RETURN:

Microsoft (R) Windows (R) Operating System Group Policy Copyright (C) Microsoft Corp. 1981-2001

Created On 24.02.2009 at 10:00:30

RSOP data for DOMAIN\Administrator on DC1 :
-------------------------------------------------------------------
OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   GO
Roaming Profile:
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=DC1,OU=Domain Controllers,DC=ads,DC=DOMAIN,DC=kz
    Last time Group Policy was applied: 24.02.2009 at 9:57:17
    Group Policy was applied from:      DC1.ads.domain.kz
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ads
    Domain Type:                        WindowsNT 4

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        WSUS
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
    <deleted>


USER SETTINGS
--------------
    CN=Administrator,OU=GO,DC=ads,DC=DOMAIN,DC=kz
    Last time Group Policy was applied: 24.02.2009 at 9:53:55
    Group Policy was applied from:      DC1.ads.domain.kz
    Group Policy slow link threshold:   0 kbps
    Domain Name:                        DOMAIN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        IT policy
        Global Users Settings
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Admins Computers Group Settings
            Filtering:  Denied (Security)

        Connect Network Disk
            Filtering:  Disabled (GPO)

        WSUS
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
     <deleted>

3) Domain and Forest - Windows 2003 Native mode, Windows 2003 have Service Pack 2.


PROBLEM:
1) GPO applied only on computer restart and not applied on 5 minutes interval.
2) GPRESULT domain type different for COMPUTER and USER

Somebody knows a solution to the problem ?

Replication problems


Hello,

While investigating the cause of the event 13508 (The File Replication Service is having trouble enabling replication from DC to DC2 for c:\windows...) I got confused with the following facts:

1)


Q1: How is it possible to display the replication from DC to DC2 as working from DC2's point of view and as in the error state from DC's point of view? How can DC show there's an error replicating from DC to DC2 if this successful replication can be seen on DC2, especially when NO errors can be seen on both servers after running repadmin /showrepl?


2)

Q2: Although DC is the owner of all roles, it believes some partitions have never been replicated. How does that correlate with no errors in the repadmin /showrepl output above?


3) Furthermore, the almost non-functioning DC2 (missing SYSVOL and NETLOGON shares don't allow it to be "a real DC") believes it holds one of the roles (I tried to remove DC2 and got this error):

Q3: How do these two screenshots exist simultaneously???

Thank you in advance,
Michael

Fail login on IOS/Android device will not Lock account after failed attempts


Hi Guys,

I have an issue where a user logs in on Android/iOS, and if they make 3 failed attempts their AD account should lock them out, but it is not.

About our environment: users are located in China. We use Gmail, but as the users are in China we ActiveSync Gmail with Outlook 365. When in the office we have a VPN to access Google. When they leave the office and use their phones for email and they have 3 failed logins, they can't be locked out for some reason.

So the question is: how can I lock their accounts after 3 login attempts on the Outlook app without using a mobile VPN?

Note: we have policies in place to lock the accounts, but the China users' devices ignore these policies.



Credential delegation and uses


Hi,

I have a requirement to enable credential delegation. May I know the uses of credential delegation in AD?

Please assist with your answer.
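Kerberos delegation lets a service obtain tickets to other services on behalf of the user who authenticated to it (a web front end reaching a database as the caller, for instance). It comes in three forms with very different blast radius: unconstrained delegation caches every caller's TGT on the service host, constrained delegation limits impersonation to a list of target SPNs, and resource-based constrained delegation puts the decision on the back-end being accessed. Before enabling any of it, a practitioner wants to know what is already configured. The following is an added example, not part of the post, that inventories all three forms in the domain and then shows the resource-based form for a typical two-tier case; the names `WEB01` and `SQL01` are assumptions.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
# WEB01 and SQL01 in step 2 are assumed computer names.
Import-Module ActiveDirectory
$uacUnconstrained = 524288      # userAccountControl TRUSTED_FOR_DELEGATION
$uacProtocolTrans = 16777216    # userAccountControl TRUSTED_TO_AUTH_FOR_DELEGATION
$bitAnd           = '1.2.840.113556.1.4.803'   # LDAP bitwise-AND matching rule

# 1. Inventory. Domain controllers (primaryGroupID 516) are unconstrained by design and excluded.
$unconstrained = Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=computer))(userAccountControl:${bitAnd}:=$uacUnconstrained)(!(primaryGroupID=516)))" `
                              -Properties sAMAccountName
$constrained   = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                              -Properties sAMAccountName, 'msDS-AllowedToDelegateTo', userAccountControl
$rbcd          = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                              -Properties sAMAccountName

"Unconstrained: every caller's TGT is reusable from these hosts, treat them as Tier 0"
$unconstrained | Select-Object sAMAccountName, DistinguishedName
"Constrained: may impersonate callers only towards the listed SPNs"
$constrained | Select-Object sAMAccountName,
    @{ n = 'Targets';            e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } },
    @{ n = 'ProtocolTransition'; e = { [bool]($_.userAccountControl -band $uacProtocolTrans) } }
"Resource-based: the back-end lists who may delegate to it"
$rbcd | Select-Object sAMAccountName, DistinguishedName

# 2. Granting the typical legitimate case the safe way: WEB01 may impersonate its callers
#    to SQL01 only. This is written on SQL01's object, so WEB01 itself is not changed.
Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount (Get-ADComputer -Identity 'WEB01')

# 3. Keep privileged accounts out of every delegation path, whichever form is used.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Set-ADUser -AccountNotDelegated $true
```

Step 2 is the form to prefer when the requirement in the post is a specific service pair: it needs no domain-wide privilege on the front end and no editing of userAccountControl. Step 3 (the "Account is sensitive and cannot be delegated" flag, or membership in Protected Users) is what stops an administrator's session on a delegating host from being turned into an administrator's ticket elsewhere.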


ADFS database [dbo].[IdentityServerNotificationCleanup] could not obtain information about windows NT group/user


I posted this in a different SQL forum, but it seems to be more related to ADFS IdentityServerPolicy.

There are a couple of adfs servers (pri and sec) with backend adfsconfiguration database. This was installed by an ex-employee and that user is the database owner (account does not exist in AD anymore). However, the ADFS service runs on a service account and that service account also owns the schema for IdentityServerPolicy in database and is a user within the database. Please NOTE that ADFS service has been functional and is NOT down. 

BUT,

On a reboot of the SQL server we started seeing the following in the sql logs. It wasn't happening before and started after a reboot of sql. And this is logged every few seconds flooding the current log file. 

The activated proc '[dbo].[IdentityServerNotificationCleanup]' running on queue 'AdfsConfiguration.dbo.IdentityServerNotificationsQueue' output the following:  'Could not obtain information about Windows NT group/user 'mydomain\ex-employee', error code 0x534.'

Any insight on how to rectify this? Thanks much.
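Error 0x534 is ERROR_NONE_MAPPED: Windows could not map an account name to a SID. A Service Broker activation procedure runs under the principal named in the queue's EXECUTE AS clause; when that principal is dbo, SQL Server resolves dbo to the database owner's login, and if that login is a Windows account that no longer exists, every activation (which is why the error repeats every few seconds) fails exactly like this. The following is an added example, not part of the post, that confirms whether the owner SID still resolves, shows the queue's activation identity, and re-owns the database to a login that exists. It assumes the SqlServer PowerShell module, an instance named `SQL01` and that the database is called `AdfsConfiguration` as in the logged message; the first two are assumptions.

```powershell
# Added example, not from the original post. Assumes the SqlServer module (Invoke-Sqlcmd)
# and an instance name of SQL01; run it as a SQL sysadmin.
$instance = 'SQL01'
$database = 'AdfsConfiguration'

# 1. Who owns the database, and does Windows still map that SID to a name?
#    OwnerName comes back NULL when the SID no longer resolves (the ex-employee's account).
Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT name,
       SUSER_SNAME(owner_sid)              AS OwnerName,
       CONVERT(varchar(85), owner_sid, 1)  AS OwnerSid
FROM sys.databases
WHERE name = '$database';
"@

# 2. Which identity the activated procedure runs under. execute_as_principal 'dbo' means
#    "the database owner's login", i.e. the orphaned account found in step 1.
Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query @"
SELECT q.name, q.is_activation_enabled, q.activation_procedure, p.name AS execute_as_principal
FROM sys.service_queues q
LEFT JOIN sys.database_principals p ON p.principal_id = q.execute_as_principal_id
WHERE q.name = 'IdentityServerNotificationsQueue';
"@

# 3. Re-own the database with a login that exists. A SQL login such as sa avoids tying the
#    database to a person's Windows account again; the ADFS service account keeps its own
#    database user and schema ownership untouched by this change.
Invoke-Sqlcmd -ServerInstance $instance -Query "ALTER AUTHORIZATION ON DATABASE::[$database] TO [sa];"

# 4. Re-run step 1; OwnerName should now resolve, and the log entries should stop.
```

Do the ALTER AUTHORIZATION in a maintenance window and on the primary ADFS configuration database only; it is a metadata change and does not restart anything, but the activation retries immediately, so the log will tell you within seconds whether the cause was the orphaned owner.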

What is DHCF

It says my lease expired. What does that mean and how do I fix it?

Control which DC a server/app talks to


I have a pair of DCs in one location (Azure) and another DC in another location. All are replicating correctly, dcdiag is confirming everything is good. Replication between sites is set to USE_NOTIFY, too, but my issue is present even within a single site.

Now, within the Azure subnet, on a Windows machine say CCC01, I run an application (Java, no source code available) that creates a Domain Group (using LDAP) and seemingly picks a random DC to do that (which should be OK, anyway). That is successful, but mostly uses the DC in the other location, which I would.

It also creates a directory within a file share on a failover cluster (FS01 + FS02 forming a SOFS), and then delegates the permission assignment to another Windows machine, say CCC02. That permission assignment (running on CCC02) to the folder fails with the error message that the domain group does not exist. And indeed, the domain group takes a couple of seconds (15-20 usually) to be replicated to all DCs, so I am guessing that CCC02 (or one of the FS0* machines?) at that stage is querying a different DC than where the group was actually created.

So, my question is, short of only leaving one DC in the infrastructure, is there any way to tell CCC01 and CCC02 (or would I have to include FS01 and FS02, too?) to actually work with DCs in a specific order?

Of course, if the program was mine, I'd change that behavior altogether, but that's not an option in this case.

Hope somebody has an idea than can help...

Thanks!

Joerg.
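The DC locator does not take an ordered preference list; the only lever it offers is AD Sites and Services, where a subnet mapped to a site makes clients in that subnet prefer that site's DCs, without ordering between DCs of the same site. What does work for the race described above is to pin the calls you control to one DC, force the single new object to the other DCs right after creation (Sync-ADObject uses the same replicateSingleObject operation as `repadmin /replsingleobj`), and to have the consumer grant the ACE by SID so it never has to resolve the group name at all. The following is an added example, not part of the post, of those three steps; the group name, OU, share path and the choice of the PDC emulator as the pinned DC are assumptions, and it stands in for the Java application only on the group-creation side.

```powershell
# Added example, not from the original post. Group name, OU and share path are assumptions.
Import-Module ActiveDirectory

# 1. Pin every directory call in this script to one DC. The PDC emulator is convenient
#    because there is exactly one of them; any fixed DC FQDN works the same way.
$dc = (Get-ADDomain).PDCEmulator

# 2. Create the group on that DC and read it back from the same DC: no replication race.
$grp = New-ADGroup -Name 'App-Share-RW' -GroupScope DomainLocal -GroupCategory Security `
                   -Path 'OU=Groups,DC=example,DC=com' -Server $dc -PassThru

# 3. Push the one new object to the other DCs now instead of waiting for the next cycle.
#    This is what closes the 15-20 second window in which CCC02 or the file server may be
#    talking to a DC that has not seen the group yet.
Get-ADDomainController -Filter * |
    Where-Object { $_.HostName -ne $dc } |
    ForEach-Object {
        Sync-ADObject -Object $grp.DistinguishedName -Source $dc -Destination $_.HostName
    }

# 4. On the consumer side (CCC02), grant the ACE by SID instead of by name. NTFS stores SIDs,
#    so the file server never needs to resolve the name; an unreplicated group cannot fail here.
$share = '\\sofs\apps\team1'
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
             $grp.SID, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl
```

Step 4 is the part that helps even when the creating application cannot be changed: whoever performs the delegated permission assignment receives the group's SID (available from the DC the group was created on, or from any DC once step 3 has run) and applies it as a SID, so the only lookup that can fail is moved out of the critical path. Step 3 needs the Replicating Directory Changes rights the Domain Admins group already has; if the pinned DC is in the other site, expect the cross-site sync to take the WAN round trip rather than the LAN one.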

NPS as a RADIUS Server, 802.1X WPA2 - How many servers for 9000 devices

We used to use FreeRADIUS, but recently deployed Windows Server 2019 in our organization, and felt it was best to use NPS for our RADIUS server now. We have approximately 8000+ devices that could be authenticating with 802.1X WPA2 Enterprise to the NPS server. Right now NPS is deployed on one domain controller and registered against AD. How many NPS servers would be needed to authenticate this many devices and prevent timeouts? How robust is NPS? Is it as robust as FreeRADIUS?

domain controller has wrong time please help


How do I fix the time on my PDC?

C:\Windows\system32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name:  "LOCL")
Last Successful Sync Time: 4/26/2019 7:59:12 PM
Source: Local CMOS Clock
Poll Interval: 6 (64s)
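The status output shows the problem directly: `Source: Local CMOS Clock` with `ReferenceId: LOCL` means the PDC emulator is serving its own free-running hardware clock as stratum 1 to the whole domain, so every member that syncs from the hierarchy inherits whatever drift that clock has. The PDC emulator is the one machine in the forest that should take time from an external source; everything else follows it automatically. The following is an added example, not part of the post, that configures exactly that and verifies it; the NTP peer names are assumptions, and it assumes it runs on the PDC emulator as an administrator.

```powershell
# Added example, not from the original post. Run on the PDC emulator as an administrator.
# The pool.ntp.org peers are placeholders; use your organisation's upstream time source.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator is $pdc; this host is $env:COMPUTERNAME (configure only on the PDC)"

# Point the PDC at external NTP servers. The ,0x8 flag puts the peer in client mode;
# /reliable:yes advertises this DC as a good time source to the rest of the domain.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
              /syncfromflags:manual /reliable:yes /update
Restart-Service -Name W32Time
w32tm /resync /rediscover

# Verify. Source should now be one of the peers and Stratum 2 or higher; "Local CMOS Clock"
# or ReferenceId LOCL means the change did not take and the old state is still in effect.
w32tm /query /source
w32tm /query /status
w32tm /query /peers

# On a virtual DC, stop the hypervisor from overriding the clock as well, otherwise it will
# drag the PDC back to the host's time. For Hyper-V this is the VMICTimeProvider; for VMware
# it is the Tools time-sync option in the VM settings.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' `
                 -Name Enabled -ErrorAction SilentlyContinue
```

If the PDC is more than a few minutes off when you do this, w32tm may refuse the correction by default (MaxPosPhaseCorrection / MaxNegPhaseCorrection); set the clock manually once to within range, then let NTP keep it there. Member servers and workstations do not need any configuration: their default source is the domain hierarchy, which ends at the PDC you just fixed.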
