Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

CCertRequest::Submit: The RPC server is unavailable.

Hi,

I am getting stuck when testing a Windows Certificate Authority. I am getting the following error when running the command from non-domain-joined computers:

certutil -ping -config "test.domain.tld\Test_CA"

C:\Users\Avadhesh>certutil -ping -config "test.domain.tld\Test_CA"
Connecting to test.domain.tld\Test_CA ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (32ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.


But when running the same command from a domain-joined computer it works perfectly:

C:\Windows\system32>certutil -ping -config "test.domain.tld\Test_CA"
Connecting to test.domain.tld\Test_CA ...
Server "CostaCloud Secure CA" ICertRequest2 interface is alive (15ms)
CertUtil: -ping command completed successfully.


I want to run this command from non-domain-joined computers without any error.


Do you have any idea, please?

Restore AD (Domain Controller)-VM

Our Hyper-V HDD crashed. We managed to restore the AD domain controller (Windows Server 2012 R2), but when I boot the VM I receive this blue screen. I tried all the available solutions.
This is our only domain controller and we have to restore it.

I booted the VM from the 2012 R2 ISO and ran the commands below, but I still receive the same blue screen error.
sfc /scannow
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd

IUSR vs. NETWORK SERVICE placeholder accounts

I am performing an AD account/group audit for our production domain against a newly created sandbox domain. Both domains are at the Server 2016 level, but the production domain has been in service since roughly the year 2000.

In both the production and sandbox domains, I have a built-in group called IIS_IUSRS. In the production domain, it has one user: NETWORK SERVICE, which appears to be a placeholder account. In the sandbox domain, the group has one user: IUSR. It is also a placeholder account. These placeholder accounts differ between production and sandbox, yet both are Server 2016 domains.

My questions:

  1. Should I be concerned that these do not match?
  2. If NETWORK SERVICE is an artifact of a legacy system, how can I configure them to match to avoid confusion going forward?
  3. What is a placeholder account for? What is the purpose?

Message: The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data)

Hello All,

We are getting this alert for the domain default admin account from only one server. We tried to check for services running under this account or any jobs running.


Thanks

creating a trust relationship in a lab environment

Guys,

I am stuck in my lab. I have 2 different hypervisors (VMware and VirtualBox). I want to connect my 2 test domains through a trust, but I can't figure out how (I do know where the create-a-trust console is, of course). Also, I was thinking, shouldn't I first create a site-to-site VPN?

Can anyone help me with this? Should I create a VPN first, and how do I create a trust between 2 different hypervisors?

Both networks have a Microsoft server (stand-alone) router as their gateway.

Many, many thanks.



Sending Windows Events to a Linux Syslog Server

I am trying to configure Windows domain controllers to send all events to a Linux syslog server (syslog-ng). I configured the Subscription Manager group policy to point to the URL of the syslog server on port 5985, but it is not working. I have tried entering the Root and Intermediate thumbprints in the value of the subscription manager connection string.

I am getting this error in the Event Viewer under "Eventlog-ForwardingPlugin":

The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxxns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

Somehow, I don't think it is a certificate issue at this point.

Credential delegation and uses

Hi,

I have a requirement to enable credential delegation. May I know the uses of credential delegation in AD?

Please assist with your answer.

I cannot login to child domain DCs with domain administrator account

Hi,

I cannot log in to the child domain DCs with the domain administrator account; previously I was able to log in! Any help would be appreciated.

Thanks


can a domain trust a non-domain source like SQL?

We have a SQL-based authentication and authorization engine. Now we are enabling Active Directory for our production boxes. With this, we have a challenge: during a machine/desktop login, we want Active Directory to integrate with this non-AD source (SQL) for user authentication and authorization. Is this possible? Also, we wanted to check whether RADIUS communication can do this.

Problems with SID history between domains in forest trust

Hi everybody.

I've got a problem while migrating my domain resources to another one.

Source domain is A.local (Windows 2008 R2). Target is B.com (Windows 2016).
There is a trust between the two forests, bidirectional and transitive. 

I use ADMT to migrate users and groups. While migrating these objects, I check the "Migrate SID History" box.
Before that, I deactivated SID filtering between my forests with this command:

- from the source domain : Netdom trust A.local /domain:B.com /enablesidhistory:yes /usero:administrator /passwordo:*

- from the target domain : Netdom trust B.com /domain:A.local /enablesidhistory:yes /usero:administrator /passwordo:*

When I try to access a share from the target domain, with a user who has share and security permissions, there is an error. I cannot access it.
If I modify the share settings to allow access to Everyone in the source domain, access is OK for my user in the target domain.

Moreover, if on my source domain share I grant share permissions to the target user (or group), it does not work. If I do the same thing in the target domain, granting share permissions to the source user, everything works fine.

I've disabled / enabled SID history and SID filtering, nothing changed. Same thing after breaking and re-creating the trust.

I have checked the user account in the target domain, the SID history is correctly written in the users attributes.

No firewall or AV software on any DC. 

Does someone have an idea?  

create new object in Active Directory

Hi,

Sorry for the novice question, but I'm trying to create a new class object so that any other system admin can create a new instance of it in Active Directory (as when adding a new user or group).

I created 2 attributes and 1 class with ADExplorer:

cn: myAttribute1
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.38971.1.1.2
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
adminDisplayName: myAttribute1
adminDescription: myAttribute1
oMSyntax: 64
searchFlags: 1
lDAPDisplayName: myAttribute1
systemOnly: FALSE

cn: myAttribute2
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.38971.1.1.1
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
adminDisplayName: myAttribute2
adminDescription: myAttribute2
oMSyntax: 64
searchFlags: 1
lDAPDisplayName: myAttribute2
systemOnly: FALSE

cn: myClassObject
objectClass: classSchema
governsID: 1.3.6.1.4.1.38971.1.2.1
rDNAttID: cn
adminDisplayName: myClassObject
adminDescription: myClassObject
objectClassCategory: 1
lDAPDisplayName: myClassObject
name: myClassObject
systemOnly: FALSE
subClassOf: groupOfNames
mayContain: myAttribute1
mustContain: myAttribute2

I rebooted the AD server.

I registered the schema management DLL and loaded it in MMC.

I confirmed that the object and attributes were there.

However, I have two issues:

1) I'd like to be able to add new myClassObject instances from the server's control panel instead of using AdExplorer or an LDIF file. The object myClassObject does not appear in the "create new" drop-down menu.

2) If I create a myClassObject instance with AdExplorer and then assign a user as a member, all seems to work as expected, except when I browse to the properties of the AD user, open the "membership" tab and scroll down the different groups: as soon as I hover over and click myClassObject with the mouse, the AD console crashes with an unknown error (nothing useful in the log).

Any ideas?

Anything wrong in my object/attribute definitions above?

Thanks
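As an added example (not part of the post or of any Microsoft tool), here is a small Python linter that applies the consistency checks a schema admin would run on the definitions above before importing them: OID uniqueness across attributeID/governsID, attributeSyntax/oMSyntax pairing, and that mayContain/mustContain reference attributes defined in the same batch. It assumes the entries are supplied as plain LDIF text with blank-line separators and no continuation lines, and its syntax table covers only a handful of common syntaxes.

```python
import re
# Schema entries from the post above (the poster's own OIDs and names); constructed input, not read from a live schema.
SCHEMA_LDIF = """\
cn: myAttribute1
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.38971.1.1.2
attributeSyntax: 2.5.5.12
oMSyntax: 64
lDAPDisplayName: myAttribute1

cn: myAttribute2
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.38971.1.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
lDAPDisplayName: myAttribute2

cn: myClassObject
objectClass: classSchema
governsID: 1.3.6.1.4.1.38971.1.2.1
mayContain: myAttribute1
mustContain: myAttribute2
"""
# attributeSyntax -> permitted oMSyntax values (subset of the AD schema syntax table)
SYNTAX_PAIRS = {"2.5.5.12": {"64"}, "2.5.5.9": {"2", "10"}, "2.5.5.1": {"127"}, "2.5.5.8": {"1"}}

def parse_ldif(text):  # blank-line separated entries -> list of {attribute: [values]}
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entries.append({})
        for key, _, value in (line.partition(":") for line in block.splitlines()):
            entries[-1].setdefault(key.strip(), []).append(value.strip())
    return entries

def lint_schema(entries):  # returns findings; an empty list means the batch is self-consistent
    findings, seen = [], {}
    attrs = {e["lDAPDisplayName"][0] for e in entries if e["objectClass"] == ["attributeSchema"]}
    for e in entries:
        cn, oid = e["cn"][0], (e.get("attributeID") or e.get("governsID"))[0]
        if oid in seen:  # attributeID and governsID share one OID namespace
            findings.append(f"{cn}: OID {oid} already used by {seen[oid]}")
        seen[oid] = cn
        if e["objectClass"] == ["attributeSchema"]:
            syntax, om = e["attributeSyntax"][0], e["oMSyntax"][0]
            if om not in SYNTAX_PAIRS.get(syntax, {om}):
                findings.append(f"{cn}: oMSyntax {om} does not match attributeSyntax {syntax}")
        for ref in e.get("mayContain", []) + e.get("mustContain", []):  # must resolve in the batch
            if ref not in attrs:
                findings.append(f"{cn}: mayContain/mustContain references undefined attribute {ref}")
    return findings
```

On the poster's definitions it returns no findings, so the inconsistencies it covers are not the cause of the two issues described.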

LDAPS certificate installation

Hi

If I install an LDAPS certificate from DigiCert to implement LDAPS, would that affect any existing infrastructure? We have Exchange 2016, SharePoint, file servers, etc. I appreciate your input.

Thanks

Windows 2008 R2 active directory upgrade to Windows 2019 active directory using join domain method. (Not in-place upgrade)

Dear Sir,  

We have a Windows 2008 R2 Server environment with the root domain in Site 1 and a child domain in Site 2:

Existing Topology:

1. Site 1 location: AD forest with 2 x DC Windows 2008 R2 Active Directory - root domain

2. Site 2 location: same AD forest with 2 x DC Windows 2008 R2 Active Directory - child domain

I am planning:

Step 1: Install 4 new Windows 2019 AD servers:

-   2 servers will join the existing Site 1 root domain,

-   2 servers will join the existing Site 2 child domain.

Step 2: Promote the 4 Windows 2019 servers in Site 1 & Site 2 to domain controllers, then transfer the operations master roles

Step 3: Demote the Site 1 Windows 2008 R2 domain controllers

Step 4: Demote the Site 2 Windows 2008 R2 domain controllers

Step 5: Raise the domain and forest functional levels to Windows 2016 / 2019

I tried to search for this migration procedure but found no official information to confirm whether it is a feasible solution design.

Can anyone comment on whether the steps and design are workable?

Regards,

Joe Tam




Windows Active Directory integration with OpenID based External Authentication system

Hi,

I want to use PowerBI Report Server, which uses Windows Authentication, with IBM ID (which supports OpenID Connect). IBMID will be used as the external identity provider for authentication. I believe we need to use ADFS between Windows AD and IBMID (OpenID Connect).

Can somebody provide step-by-step guidance on this?

Regards
Rajaniesh


Decommission DC

Hi Guy's,

We have 2 physical DCs and both are 2008 R2. We have to remove both of the DCs because both servers have a problem with one of their non-OS drives and we cannot back up the system state anymore.

I installed a Server 2012 R2 on a Hyper-V host and made it the 3rd DC, and almost a week later moved all of the FSMO roles from the Server 2008 R2 to this Server 2012 R2. It looks like logging in and opening shares is working without any issue.

The domain level is 2008 and forest level is 2003.

Now we want to decommission the old DC that had the FSMO roles. I made sure that the DNS of the clients/servers in the domain is pointing to the new Server 2012 R2 DC.

Can I now run dcpromo on the 2008 R2 DC that we want to remove?

Thanks


Shahin

Accidentally denied Logon locally and remotely to Windows 2008 Domain

A coworker was trying to meet a government security requirement and accidentally denied logon locally and remotely to the Domain Admins and Enterprise Admins groups in Group Policy for a Windows 2008 domain. The policy was applied to all the servers, including the domain controllers. Now all of our elevated accounts are locked out of the domain. Is there a way to hack the domain GPO to remove the deny logon settings?

Thanks for any help

DCs not present under NTDS Settings

Hi,

I have four DCs (DC1, DC2, DC3, DC4) running Windows Server 2016. After running repadmin /kcc, only two out of three server connections show up under NTDS Settings for each DC. For example:

  • NTDS Settings for DC1 include DC2 and DC3 (DC 4 missing)
  • NTDS Settings for DC2 include DC1 and DC4 (DC 3 missing)
  • NTDS Settings for DC3 include DC1 and DC4 (DC 2 missing)
  • NTDS Settings for DC4 include DC2 and DC3 (DC 1 missing)

I am able to *manually* add the missing connections on each one, but I want these to be generated automatically. I have also run dcdiag and there are no errors listed.

How can I systematically pinpoint the issue(s) causing this behavior?

thank you!

-sul.

Active Directory attributes 'name' and 'Name'

When renaming an AD object it is said that you need both the write 'name' and write 'Name' permissions (as well as write DN). What exactly is the difference between name and Name? And given that there is no write 'sAMAccountName' permission, is one of these names actually the sAMAccountName?

Thanks

David Z

Display-Name vs Display-name-printable

Greetings,

AD has two 'display name' attributes: 'Display name' and 'display name printable'.

The Public Information property set allows write to the 'printable' attribute but not to 'display name'. Does that mean I have to set the write property permission for the display name separately, or are they both the same thing, i.e. if I grant write permission on 'Public Information', will they also have permission to modify the display name property?

Thanks

David Z
