Channel: Directory Services forum

Kerberos issue with Jenkins windows slaves



I've been trying to figure out the differences between testa01 (success) and testa02 (failure), and it looks like testa02 doesn't have Kerberos set up properly.

 

In testa01, when I visit jenkins.factset.com (or is.factset.com) as svc-hudson I am authenticated properly. However, in testa02 I get prompted for credentials.

 

I can also see Kerberos errors in the Event Viewer after enabling Kerberos event logging in testa02.

Kindly let us know how to resolve the issue.

We are continuously receiving Event 3 (Security-Kerberos) in the logs.


Group policy not able to applied on clients system


Dear Support,

We are unable to apply Group Policy on client systems; please help us resolve this.

Regards,

Itsupport

Native tools for monitoring elevated group memberships ?

Any recommendations on native tools for monitoring elevated group memberships? Looking for real-time notifications.
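One native option is the Security log on the domain controllers: when the "Audit Security Group Management" subcategory is enabled, every membership change to a security group is written as event 4728/4732/4756 (member added to a global/local/universal group) or 4729/4733/4757 (member removed). The script below is an added example, not something from the original post; it polls those events on a list of DCs and reports only changes to the groups you care about. The DC name, the watched group list and the lookback window are assumptions to adjust.

```powershell
# Added example: report membership changes to privileged groups from the DC Security logs.
# Prerequisite (assumption): "Audit Security Group Management" success auditing is enabled
# on the domain controllers, e.g. via Group Policy or
#   auditpol /set /subcategory:"Security Group Management" /success:enable
param(
    [string[]]$DomainControllers = @('DC01'),                         # assumption
    [string[]]$WatchedGroups     = @('Domain Admins', 'Enterprise Admins',
                                     'Schema Admins', 'Administrators'),
    [int]$LookbackMinutes        = 15
)

# 4728/4732/4756 = member added to a global/local/universal security group
# 4729/4733/4757 = member removed from one
$addedIds   = 4728, 4732, 4756
$removedIds = 4729, 4733, 4757

foreach ($dc in $DomainControllers) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = $addedIds + $removedIds
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields (TargetUserName = group, MemberName = member DN,
        # SubjectUserName = who made the change) out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($WatchedGroups -contains $data['TargetUserName']) {
            $action = if ($addedIds -contains $e.Id) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc
                Action = $action
                Group  = $data['TargetUserName']
                Member = $data['MemberName']
                Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}
```

For near real-time notification, the same script can be attached to a Task Scheduler task with an "On an event" trigger for those event IDs on each DC (or to a subscription on a Windows Event Forwarding collector), with the lookback window reduced to a couple of minutes so each run only reports the change that fired it.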

Cannot access to SYSVOL folder from domain controllers and some client computers


Hi,

I have two domain controllers running Windows Server 2019. The first one is the primary DC and the second one is the secondary (additional) DC. The problem is that I can't access the SYSVOL share of the domain controllers from either domain controller: I'm prompted for credentials, and when I enter the username/password I get an "Access denied" error. Please note that some of the clients can successfully connect to the SYSVOL share. I did a non-authoritative SYSVOL restore based on DFSR and saw the following error:

Log Name:      DFS Replication
Source:        DFSR
Date:          4/26/2019 7:02:35 PM
Event ID:      4614
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      AD-DC01.rsz.local
Description:
The DFS Replication service initialized SYSVOL at local path C:\WINDOWS\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner SRV-additional.rsz.local. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 30DDCF9A-51E4-4610-A05A-E3C1A530A85D
Replication Group Name: Domain System Volume
Replication Group ID: 355A21AE-E72E-40F5-83B8-8FC9E05468B2
Member ID: 0B7EE151-3FF3-438F-BA71-4262143017F1
Read-Only: 0
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="DFSR" /><EventID Qualifiers="32768">4614</EventID><Level>3</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2019-04-26T14:32:35.612433700Z" /><EventRecordID>171</EventRecordID><Channel>DFS Replication</Channel><Computer>AD-DC01.rsz.local</Computer><Security /></System><EventData><Data>30DDCF9A-51E4-4610-A05A-E3C1A530A85D</Data><Data>C:\WINDOWS\SYSVOL\domain</Data><Data>SYSVOL Share</Data><Data>Domain System Volume</Data><Data>355A21AE-E72E-40F5-83B8-8FC9E05468B2</Data><Data>0B7EE151-3FF3-438F-BA71-4262143017F1</Data><Data>SRV-additional.rsz.local</Data><Data>0</Data></EventData></Event>

Hint: SYSVOL folder on both DCs is empty.

Any help would be appreciated.

Thanks for your efforts and time.

Best Regards

Problems with SID history between domains in forest trust


Hi everybody.

I've got a problem while migrating my domain resources to another one.

Source domain is A.local (Windows 2008 R2). Target is B.com (Windows 2016).
There is a trust between the two forests, bidirectional and transitive. 

I use ADMT to migrate users and groups. While migrating these objects, I check the "Migrate SID History" button.
Before that, I deactivated SID filtering between my forests with these commands:

- from the source domain : Netdom trust A.local /domain:B.com /enablesidhistory:yes /usero:administrator /passwordo:*

- from the target domain : Netdom trust B.com /domain:A.local /enablesidhistory:yes /usero:administrator /passwordo:*

When I try to access a share from the target domain with a user who has share and security permissions, there is an error; I cannot access it.
If I modify the share settings to allow access to Everyone in the source domain, access is OK for my user in the target domain.

Moreover, if on my source domain share I grant share permissions to the target user (or group), it's not working. If I do the same thing in the target domain, granting share permissions to the source user, everything works fine.

I've disabled/enabled SID history and SID filtering; nothing changed. Same thing after breaking and recreating the trust.

I have checked the user account in the target domain; the SID history is correctly written in the user's attributes.

No firewall or AV software on any DC.

Does anyone have an idea?
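Before chasing share permissions, it is worth confirming what the trust objects actually say about SID filtering and that the migrated account's sIDHistory really points at the source domain. The script below is an added example, not from the poster; it decodes the trustAttributes bits from both sides of the forest trust (0x4 = TRUST_ATTRIBUTE_QUARANTINED_DOMAIN, 0x40 = TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL, the bit netdom /enablesidhistory:yes sets on a forest trust) and checks one user's sIDHistory against the source domain SID. The domain names come from the post; the sample user name is an assumption.

```powershell
# Added example: verify forest-trust SID filtering state and a migrated user's sIDHistory.
# Run with an account that can read both forests (assumption).
Import-Module ActiveDirectory

$SourceDomain = 'A.local'         # from the post
$TargetDomain = 'B.com'           # from the post
$SampleUser   = 'migrated.user'   # assumption: one account migrated with ADMT

# trustAttributes bit values, per MS-ADTS
$QUARANTINED_DOMAIN = 0x4    # /quarantine:yes -> SID history always filtered
$FOREST_TRANSITIVE  = 0x8
$TREAT_AS_EXTERNAL  = 0x40   # /enablesidhistory:yes on a forest trust

function Get-TrustSidFilteringState {
    param([string]$FromDomain, [string]$ToDomain)
    # The forest trust exists as a trustedDomain object in each forest; read the
    # side stored in $FromDomain that points at $ToDomain.
    Get-ADTrust -Filter "Target -eq '$ToDomain'" -Server $FromDomain |
        ForEach-Object {
            $attr = [int]$_.TrustAttributes
            [pscustomobject]@{
                StoredIn          = $FromDomain
                Target            = $_.Target
                Direction         = $_.Direction
                ForestTransitive  = (($attr -band $FOREST_TRANSITIVE) -ne 0)
                Quarantined       = (($attr -band $QUARANTINED_DOMAIN) -ne 0)
                SidHistoryEnabled = (($attr -band $TREAT_AS_EXTERNAL) -ne 0)
                TrustAttributesHex = ('0x{0:X}' -f $attr)
            }
        }
}

# 1. Both halves of the trust. For SID history to be honoured on the target side,
#    the object stored in B.com pointing at A.local should show SidHistoryEnabled = True
#    and Quarantined = False.
Get-TrustSidFilteringState -FromDomain $TargetDomain -ToDomain $SourceDomain
Get-TrustSidFilteringState -FromDomain $SourceDomain -ToDomain $TargetDomain

# 2. The migrated user's sIDHistory entries must carry the source domain's SID prefix;
#    a share ACL in A.local granting the *old* SID only helps if that is the case.
$sourceDomainSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value
$u = Get-ADUser -Identity $SampleUser -Server $TargetDomain -Properties sIDHistory
foreach ($sid in $u.sIDHistory) {
    [pscustomobject]@{
        User             = $u.SamAccountName
        HistorySid       = $sid.Value
        FromSourceDomain = $sid.Value.StartsWith($sourceDomainSid + '-')
    }
}
```

Get-ADTrust also exposes the same bits as the SIDFilteringQuarantined and SIDFilteringForestAware properties; decoding trustAttributes directly just avoids having to remember which property means "filtering on" and which means "history allowed".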

Migrating Directory Service Servers to a New Server


Hi all,

I'm planning to migrate one of my client's directory servers to Windows Server 2016. At the moment there is a mix of Server 2008 R2 and Server 2012. The customer has 3 sites. 2 sites have separate VMs for root domain controllers, and the other, small site is replicating AD from one of the big sites I mentioned earlier. Forest and domain functional levels are Server 2003.

I want to know what the best approach is to upgrading these servers. I want to migrate all these servers to newly installed servers; I'm familiar with that. The confusion is with the complication added by site replication and separate servers for root and local domains. This customer doesn't have local Exchange. File servers are already updated to 2016 and depend heavily on authentication.

Any ideas?


Janindu Nanayakkara

LDAPS certificate installation


Hi

If I install an LDAPS certificate from DigiCert to implement LDAPS, would that affect any existing infrastructure? We have Exchange 2016, SharePoint, file servers, etc. Appreciate your inputs.

Thanks

Chrome Single Sign on not working correctly.


Hi Everyone 

I have an odd one for you all. 

We migrated to O365 for SharePoint and Outlook; however, the new core corporate system was designed for Chrome, so this has become the default browser for most users.

This has led to the following issue:

When users on the corporate network try to sign into the corporate SharePoint, they are prompted to select their user name from the list; it then signs them in as expected.

We are getting a lot of complaints about this, as we have moved our corporate intranet to SharePoint and this opens when Chrome opens, so users are getting prompted 2 or 3 times a day.

We thought adding Chrome to WIA would work, but this hasn't resolved the issue.

(Worth noting: we have found a workaround. If I sign the user in on an external network they get the "do you want to reduce the number of times you sign in" prompt; if you click yes this caches the token and they no longer get prompted externally or on the corporate network. For us it's ideal as I have 2,500 desktop users with no access to an external network.)

So I need a method of either fixing Chrome or forcing the reduce sign-ins prompt for all users.

Thanks in Advance 

 


ADFS database [dbo].[IdentityServerNotificationCleanup] could not obtain information about windows NT group/user


I posted this in a different SQL forum, but it seems to be more related to ADFS IdentityServerPolicy.

There are a couple of ADFS servers (primary and secondary) with a backend AdfsConfiguration database. This was installed by an ex-employee, and that user is the database owner (the account does not exist in AD anymore). However, the ADFS service runs as a service account, and that service account also owns the IdentityServerPolicy schema in the database and is a user within the database. Please NOTE that the ADFS service has been functional and is NOT down.

BUT,

After a reboot of the SQL server we started seeing the following in the SQL logs. It wasn't happening before and started after the reboot of SQL. It is logged every few seconds, flooding the current log file.

The activated proc '[dbo].[IdentityServerNotificationCleanup]' running on queue 'AdfsConfiguration.dbo.IdentityServerNotificationsQueue' output the following:  'Could not obtain information about Windows NT group/user 'mydomain\ex-employee', error code 0x534.'

Any insight on how to rectify this? Thanks much.

AD objects without BitLocker keys stored in AD


I have found this PowerShell script and am having trouble modifying it to only pull computer objects that do not have a BitLocker key stored in AD. This script pulls all computers, but I am struggling to sort out computers with keys. Any help would be appreciated. Thanks in advance.

Powershell:

Get-ADComputer -Filter 'ObjectClass -eq "computer"' -SearchBase "OU=Asia,OU=Branches,DC=corp,DC=company,DC=com" | ForEach-Object {
    $Computer = $_.Name
    # Check if the computer object exists
    $Computer_Object = Get-ADComputer -Filter {cn -eq $Computer} -Properties msTPM-OwnerInformation, msTPM-TpmInformationForComputer
    if ($null -eq $Computer_Object) {
        Write-Host "Error..."
        # Skip to the next computer; the lookup below needs a DistinguishedName
        return
    }
    # Check if the computer object has a BitLocker recovery password (child msFVE-RecoveryInformation object)
    $BitLocker_Object = Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase $Computer_Object.DistinguishedName -Properties 'msFVE-RecoveryPassword' | Select-Object -Last 1
    if ($BitLocker_Object.'msFVE-RecoveryPassword') {
        $BitLocker_Key = $BitLocker_Object.'msFVE-RecoveryPassword'
    } else {
        $BitLocker_Key = "none"
    }
    # Display output
    $strToReport = $Computer + "," + $BitLocker_Key
    Write-Host $strToReport
    # Save to report
    $strToReport | Out-File C:\temp\Report.txt -Append
}
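A different way to get the "computers with no escrowed key" list is to run one LDAP query for every msFVE-RecoveryInformation object under the OU, collect the parent computer DNs, and then report the computers that are not in that set. That avoids one directory round-trip per computer and never touches the recovery password values themselves, only the existence of the child objects. The script below is an added example, not the poster's script; the SearchBase is taken from the post and the report path is an assumption.

```powershell
# Added example: list computer objects that have no msFVE-RecoveryInformation child object,
# i.e. no BitLocker recovery password escrowed in AD. Requires the ActiveDirectory module
# and an account allowed to see the recovery objects (assumption).
Import-Module ActiveDirectory

$SearchBase = 'OU=Asia,OU=Branches,DC=corp,DC=company,DC=com'   # from the post
$Report     = 'C:\temp\NoBitLockerKey.csv'                      # assumption

function Get-ComputersWithoutRecoveryKey {
    param([string]$SearchBase)

    # Step 1: every recovery object under the OU, in a single query. We only need the DN,
    # so the (confidential) msFVE-RecoveryPassword attribute is never requested.
    $withKey = @{}
    Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            # Parent DN = the DN with its first RDN removed (handles escaped "\," in the CN).
            $parent = $_.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
            $withKey[$parent] = $true
        }

    # Step 2: every computer under the OU whose DN was not seen as a parent in step 1.
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem, LastLogonDate |
        Where-Object { -not $withKey.ContainsKey($_.DistinguishedName) } |
        Select-Object Name, DistinguishedName, OperatingSystem, LastLogonDate
}

$missing = Get-ComputersWithoutRecoveryKey -SearchBase $SearchBase
$missing | Export-Csv -Path $Report -NoTypeInformation
$missing | Format-Table -AutoSize
Write-Host ("{0} computer(s) under {1} have no BitLocker recovery information in AD." -f @($missing).Count, $SearchBase)
```

Including LastLogonDate in the output helps separate machines that genuinely never backed up a key from stale objects that have not logged on in months, which are usually the larger share of the "none" rows.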

adding subnets to ad sites and services


Hello, I have set up a brand new AD forest/domain.

We have only 1 domain controller, in site #1.

Should I be adding all subnets from all sites to AD Sites and Services?

Should I still be creating separate sites if I only have 1 domain controller in site #1, and then adding the corresponding subnets there?

Thanks,

Would not replicate


I went into Active Directory Sites and Services and right-clicked the "NTDS" settings. I selected "Replicate configuration to the selected DC" and then got this error.

---------------------------
Replicate Now
---------------------------
The following error occurred during the attempt to synchronize naming context CN=Configuration,DC=domain,DC=org from Domain Controller DC001 to Domain Controller ServerName-SERVER:

The target principal name is incorrect.



This operation will not continue.
---------------------------
OK   
---------------------------


userAccountControl attribute missing


Hello All,

I have been trying to implement a PowerShell script that I used at a different company in the domain at my current job.

The script is pretty simple. It searches for users that are supposed to belong to a group and adds them if they are missing.

I am using a filter to ensure that this only works on user accounts that are not disabled; however, this is where I ran into the problem in this domain. 90% of the user accounts do not come back with the "Enabled" property. When I investigated, I also found that these accounts do not have any value for the userAccountControl attribute (missing in ADSI Edit).

I was under the impression that this userAccountControl attribute cannot be missing or null.

If that is not the case, how can I find disabled accounts that are missing the userAccountControl attribute?

Any help with this would be great! Thanks in advance.
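The "Enabled" property the script filters on is derived from bit 0x2 (ACCOUNTDISABLE) of userAccountControl, so when the attribute does not come back, neither does Enabled. The script below is an added example, not the poster's script; it separates the domain's users into three sets with LDAP filters (disabled, enabled, and attribute absent) using the bitwise-AND matching rule 1.2.840.113556.1.4.803, so the third set can be reviewed on its own. The SearchBase is an assumption.

```powershell
# Added example: classify user accounts by userAccountControl, including the ones where
# the attribute is not returned at all. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'DC=corp,DC=example,DC=com'   # assumption

$ACCOUNTDISABLE = 0x2
$BitAnd         = '1.2.840.113556.1.4.803'  # LDAP bitwise-AND matching rule OID

function Get-UacClassification {
    param([string]$SearchBase)

    # Disabled: the 0x2 bit is set
    $disabled = Get-ADUser -LDAPFilter "(userAccountControl:${BitAnd}:=$ACCOUNTDISABLE)" `
                           -SearchBase $SearchBase -Properties userAccountControl

    # Enabled: attribute present AND the 0x2 bit clear
    $enabled  = Get-ADUser -LDAPFilter "(&(userAccountControl=*)(!(userAccountControl:${BitAnd}:=$ACCOUNTDISABLE)))" `
                           -SearchBase $SearchBase -Properties userAccountControl

    # Absent: the server returned no value. The directory always populates this attribute
    # on security-principal user accounts, so an empty result here usually means the querying
    # account is denied Read on the attribute (check the object's ACL with Get-Acl "AD:\<DN>"),
    # not that the account has no state.
    $absent   = Get-ADUser -LDAPFilter '(!(userAccountControl=*))' `
                           -SearchBase $SearchBase -Properties userAccountControl, objectClass

    [pscustomobject]@{
        Disabled = @($disabled).Count
        Enabled  = @($enabled).Count
        Absent   = @($absent).Count
        AbsentAccounts = @($absent | Select-Object SamAccountName, DistinguishedName, ObjectClass)
    }
}

$result = Get-UacClassification -SearchBase $SearchBase
$result | Select-Object Disabled, Enabled, Absent | Format-List
$result.AbsentAccounts | Format-Table -AutoSize
```

If the "Absent" set is the 90% described above, compare the result when the same query is run as a Domain Admin: a large difference between the two runs points at a permission (ACL) problem on the user objects rather than at the data itself.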

Public folder in addition to the home folder

Hi everyone,

Could someone point me to a tutorial that teaches me how to create, in addition to the user's home folder, a public folder per group that everyone in the group can access? I have configured the home folder and it is working, but I need a folder to appear that is shared with everyone in the group.

Thanks in advance.

RSAT Active Directory Admin Center is not opening for me


I am running Windows 10 version 1809. 

I have run the downloads and installed them (WindowsTH-RSAT_WS_1709-x64.msu, WindowsTH-RSAT_WS_1803-x64.msu, and WindowsTH-RSAT_WS2016-x64.msu).

I have followed all the instructions in the Windows support material named "Remote Server Administration Tools (RSAT) for Windows operating systems"

When I search for and find RSAT Active Directory, I click on it, and nothing happens.

Any suggestions would be great. 

Thanks


Windows 2008 R2 active directory upgrade to Windows 2019 active directory using join domain method. (Not in-place upgrade)


Dear Sir,  

There is a Windows 2008 R2 Server environment with the root domain in Site 1 and a child domain in Site 2:

Existing topology:

1. Site 1 location: AD forest with 2 x DC Windows 2008 R2 Active Directory - root domain

2. Site 2 location: same AD forest with 2 x DC Windows 2008 R2 Active Directory - child domain

    I am planning:

Step 1. Install 4 new Windows 2019 AD servers:

-   2 servers will join the existing Site 1 root domain,

-   2 servers will join the existing Site 2 child domain.

Step 2: DC promotion of the 4 Site 1 and Site 2 Windows 2019 servers to domain controllers, then transfer the operations master roles

Step 3: Demotion of the Site 1 Windows 2008 R2 domain controllers

Step 4: Demotion of the Site 2 Windows 2008 R2 domain controllers

Step 5: Raise the domain and forest functional levels of AD to Windows 2016 / 2019

      I tried to search for this migration procedure but found no official information to confirm whether it is a possible solution design.

Can anyone comment on whether the steps and design are workable?

Regards,

Joe Tam




unknown users in domain admin group


Hi,

I have noticed these two accounts and the OU. I never created them, so what program created them?

The ServerAdmin is also part of the Domain Admins group.

This is a Windows 2016 domain containing Windows Standard servers, but I know one guy installed an Essentials version once (removed now), and I am wondering if this could have been created then....

I want to delete these accounts, but need to be sure.

Any suggestions?


/Regards Andreas


Azure AD group naming standard


Hi,

While creating AD groups in the on-premises domain we have to follow our group naming standard.

We are planning to bring the naming standard to Azure Active Directory groups.

Let's say end users can create their own AD groups; however, the naming standard should start with AzureAD-Groupname.

Please assist with your valuable answer.

Side effects of removing a child domain and join clients to parent domain


Hello

In an environment there is a domain named X.com with 3 sites; each site contains 2 additional DCs. There is another child domain, Y.X.com, in another site with 2 DCs. We need to demote these DCs and join all servers and clients to new DCs like the other 3 sites. I need to know any side effects and risks that may occur, or considerations that I have to note. I need a step-by-step guide or checklist to perform this job. (There are .1x and McAfee ePolicy and some other services in this environment, plus some GPOs.)

Thanks in advance.

The Directory Service is unavailable + The DNS server has encountered a critical error from the Active Directory.


So something is broken on my AD. I have two servers, one being removed and one new one. All services have been moved from old to new (DNS, DHCP and FSMO roles) with no errors. When both servers are powered on I have no issues; dcdiag passes with no problem. I turned off the old server for a pre-decom check, and the new server is reporting that it cannot talk to the domain.

DNS is pointed to itself by private IP, not loopback. Name resolution works fine. When I try to load Group Policy Manager it says the directory service is unavailable; I can choose the DC I want to use, and when I select the new server the error repeats.

I'm also getting a DNS error every 5 minutes that says "The DNS server has encountered a critical error from the Active Directory."
