Channel: Directory Services forum

Unable to Remove Child Domains (Windows 2008 R2 Functional Level)


Hi All,

I'm running into an issue when deleting (3) child domains on a Windows 2008 R2 functional level domain. The child domains have been severed for several years and the child domain DCs have been removed from the domain utilizing NTDSUTIL. When attempting to use ntdsutil: metadata cleanup > remove selected domain, I receive error: DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)

Output:

metadata cleanup: select operation target
select operation target: list sites
Found 4 site(s)
0 - CN=site1,CN=Sites,CN=Configuration,DC=domain1,DC=com
1 - CN=site2,CN=Sites,CN=Configuration,DC=domain1,DC=com
2 - CN=site3,CN=Sites,CN=Configuration,DC=domain1,DC=com
3 - CN=site4,CN=Sites,CN=Configuration,DC=domain1,DC=com
select operation target: list domains
Found 4 domain(s)
0 - DC=domain1,DC=com
1 - DC=child1,DC=domain1,DC=com
2 - DC=child2,DC=domain1,DC=com
3 - DC=child3,DC=domain1,DC=com
select operation target: select domain 1
No current site
Domain - DC=child1,DC=domain1,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain
DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)

After looking up the error, it appears it's due to the DomainDnsZones still being available. So I ran NTDSUTIL: partition management > list and have (10) naming contexts available, but I'm not sure which ones to remove.

C:\Windows\system32\ntdsutil.exe: partition management
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded
Found 10 Naming Context(s)
0 - CN=Configuration,DC=domain1,DC=com
1 - CN=Schema,CN=Configuration,DC=domain1,DC=com
2 - DC=domain1,DC=com
3 - DC=child1,DC=domain1,DC=com
4 - DC=child2,DC=domain1,DC=com
5 - DC=child3,DC=domain1,DC=com
6 - DC=DomainDnsZones,DC=child1,DC=domain1,DC=com
7 - DC=DomainDnsZones,DC=domain1,DC=com
8 - DC=DomainDnsZones,DC=child2,DC=domain1,DC=com
9 - DC=ForestDnsZones,DC=domain1,DC=com
partition management:

Do I remove the DomainDNSZones entries for the child domains I'm attempting to remove or do I remove all child domain records above?


LastLogonTimestamp again


Hi all,

coming back to this topic (previous thread at: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a3e405-0d65-41a6-8508-2619f01871cc) here is a summary of our findings since:

  • looking at lastlogontimestamp values of all our AD users, we found that occasionally a large number of them get updated in a very short time (e.g. last event caused 350 updates within 3 minutes, in 'normal' periods see 0 - 2 llts/minute)
  • all updates happened on same DC (repadmin/showmeta...)
  • all kind of AD accounts got updated (normal users, service accounts, from almost any OU - i.e. from around the globe)
  • also user accounts with expired passwords get updated (as determined by passwordlastset and date of the occurrence and password not set to never expire)
  • no disabled accounts get updated
  • lastlogon attribute of the users does not get updated (on the DC)
  • the llts updates correlate with series of events logged in the security log on the DC which come from a service user on a Sharepoint system (events 562,565 and 673 failure - same number of individual events in the same time period)
  • according to our Sharepoint guys, the server was having an issue with the timer service during this period. They suspect that two jobs controlled by this service (profile synchronization/quick profile synchronization) could have caused the issue.
  • the Sharepoint server and the service account are trusted for delegation in AD

I am aware of the difference between lastlogon and lastlogontimestamp and that some logon types do update lastlogontimestamp, but not lastlogon.

But I still struggle to understand why this happens in the above scenario and would like to know if this is normal, expected behaviour.

(I know that 'trust for delegation' allows a server to impersonate a user when doing requests to other systems, but my understanding is that for this it needs a valid TGT ticket from the user, and TGTs would have an expiry time. So even if the 'trusted' system would have somehow cached a TGT of a user, after some time [hours] this TGT should have expired and the request for a service ticket would no longer be possible. Maybe this explains the 673 failures we see?)

Thanks and regards


PiQu

Promote Existing DC/Member Server to another forest/Domain


Hey, we have a requirement to move current AD infra to Azure.

We already have an existing AD running, named domain A, in Azure. Now we are planning to migrate on-prem Forest/Domain B.

Can I directly add a member server/DC of domain B to Domain A?

Or do I need to demote/uninstall the existing member role and re-install the role pointing to the new Domain/forest?


Ragav

SBS2003 transfer FSMO roles to Windows 2012 R2 server


I have inherited a network in which a SBS 2003 server is still running AD in the network. Everything has been moved away in the past by the former administrator. Only SQL 2005 as archive is still running but can be decommissioned. 

Exchange 2010 is running on premise on a new server. The functional level of AD is 2003 and there is an active W2012 R2 server with DC, DNS and DHCP. 

The only step remaining seems to be to transfer the FSMO roles and I am wondering why this never happened in the past. 

I found this link and compared the situation. The old GPO rules and WMI filters have not been removed but everything is working properly. I checked clients and they are getting their policy from the W2012 R2 DC. There is a script active with GroupMap.vbs in it but the SBS setup clients command is edited out. 

In my opinion moving the FSMO and demoting the SBS2003 server should not be much of a problem. Maybe raising the AD functional level afterwards due to the GPO and WMI filters?

Am I missing something? 

TIA,

Fred


Should Hybrid joined computers allow login with UPN first


Hi, I'm looking to understand if hybrid domain joined computers should be able to log on with the user's UPN in the first instance when there is no direct line of sight to an on-premises domain controller.

We have examples at our organisation where a user is permanently based offsite and we wish to send them a brand new computer that they have not logged onto before. Currently we either ask them to come collect the computer and log onto it before taking it away or we set them up with a local account (really want to move away from this option).

We have implemented hybrid domain joined computers as we cannot move away from group policy at this stage, but none of our hybrid domain joined computers allow UPN login when there is no line of sight to a domain controller. Is this normal behaviour?

Note: UPN logon does work if there is line of sight to a domain controller and with a locally cached username.

Replication problems


Hello,

While investigating the cause of the event 13508 (The File Replication Service is having trouble enabling replication from DC to DC2 for c:\windows...) I got confused with the following facts:

1)


Q1: How is it possible to display the replication from DC to DC2 as working from DC2's point of view and as in the error state from DC's point of view? How can DC show there's an error replicating from DC to DC2 if this successful replication can be seen on DC2, especially when NO errors can be seen on both servers after running repadmin /showrepl?


2)

Q2: Although DC is the owner of all roles, it believes some partitions have never been replicated - how does it correlate with no errors in the repadmin /showrepl output above?


3) Furthermore, the almost non-functioning DC2 (missing sysvol and netlogon shares don't allow it to be "a real DC") believes it holds one of the roles (I tried to remove DC2 and got this error):

Q3: How can these two screenshots exist simultaneously???

Thank you in advance,
Michael


AD FS 2019 user consent (Oauth2 authorization code grant flow)


Hi,

We created an application group with a Web App (client) and Web API (RP) in AD FS 2019 to support the OAuth2 authorisation code grant flow between the two of them (Web Browser to Web App with OAuth confidential client). Everything is working as expected, I can get the authorization code, the access token and validate the token using the corresponding Owin middleware in our API. However, there is one thing I was not expecting: the user is never prompted for consent.

From the documentation of that specific scenario (AD FS scenarios for developers), it appears to be the normal behavior:

Because AD FS uses a model of administrator consent, users are not prompted for consent when accessing resources. By configuring the application group, the administrator in effect provides consent on behalf of all application users.

Thing is, I am not sure in our case that an admin consent is acceptable (we are using OAuth2 specifically so that the user can give their consent). So, I was wondering if there is a way to have a user consent page in AD FS 2019? A bit like in Azure AD (as from the consent framework documentation).

Is it something we're missing in the application group configuration (or the AD FS OAuth implementation altogether)?

Thank you,

Simon




Find last login machine details for user


Hi,

Is there any command available to get the user's last login machine details? I have the user's details and I can get the last login details from one script, but I am unable to find the last login machine details for that user.

Thanks in advance.


last interactively sign-in timings

Can somebody explain the timings about the last login here? According to this, I checked in the event log. But there is no login event related to 7:08:20 AM for this particular user. The user has logged in to the PC at 8.10am. I can see that event in the event log. But no events related to 7.08am. What could be the reason for this?

How to audit DNS (AD Integrated) changes


Hello to all, I need to audit DNS changes (creation, editing and deletion of zones and records) in a DNS environment that is integrated with AD. DC versions: Win2003, 2008, 2008 R2, 2012, 2012R2 and 2016.

I know that there are specific configurations to generate DNS events and they depend on the DC version. Until Win2012 (included) one should use GPO + ADSIEdit, and with Windows 2012R2 and later an enhanced method appeared named "DNS Logging and Diagnostics" (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)). I didn't see any reference in the "DNS Logging and Diagnostics" article and others citing any reference to ADSIEdit. Questions:

1- How to configure DNS audit events (zone and record - deletion, creation and editing) on a single domain that has DCs in versions like 2008, 2012 and 2016? Will one kind of configuration ("legacy" vs "Logging and Diagnostics") impact the other? How to enable DNS audit to get DNS events on several types of DCs - like the ones written here?

2- Is there a GPO to configure "Logging and Diagnostics"?

Thanks in advance.

Regards, EEOC.


Raise forest Level Impact on older Servers


Hello,

I am installing Exchange 2016 on a 2012R2 Server and must upgrade the forest level to 2012R2 for it to install. I am concerned about doing this as we still have a 2008 Server as one of the DCs.

FSMO role is currently on Server 2012R2.

We have 3 Domain Controllers: 2 x 2012R2 and one 2008R2 (Exchange installed). 

The 2008 Server has Exchange 2010.

Will raising the Forest Level affect the 2008 Server? Or does it just not matter?

Thanks.

Changing Local account passwords in bulk across multiple machines in Domain


We have a local admin account on all of our workstations that we use with our remote software to log in. The problem is that that same account on all of the workstations has had the same password for years and some of the users now have it and could possibly log in locally. How can I change the password for this local user account so that it resets on all of the machines in bulk rather than me going to each machine individually and resetting it? If it cannot be done through a GPO, what would the PowerShell command be to reset the password for the same local account in bulk on over 200 machines?


Support analyst

My Domain Controller has every month 1 min TIME DELAY


Hi Dears, 

I want to know why my Domain Controller has a time delay every month of approximately one minute (in three months it has three minutes), even though I set the date and time to the local time zone.

Please help me.

Ram

1. FRS replication and 2 DFS replication


Hi all,

FRS:

How to check FRS replication?

How to monitor FRS replication?

How to find the error logs?

FRS advantages and disadvantages?

DFS:

1. DFS advantages and disadvantages?

2. DFS error logs path?


How to determine the IP Address from MAC Address


How does one find the IP Address from the MAC Address? When using the arp -a command, I do not see the item listed. Since I know the MAC Address, is there a way to use ARP + MAC Address to reveal the IP Address?


trust relationship cannot add to domain anymore

Hello,

In a lab environment, I have 2 domains who trust each other, Domain A and Domain B, both outgoing and incoming.

Domain A has a conditional forwarder to Domain B's DC and a forwarder to that DC. Domain B also.

The problem is, I cannot add any device to Domain A anymore. The errors are telling me the following:

Type Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

although they can ping by name and IP from the DC to the device to add and vice versa.

When adding through the GUI, I get the following error:

the domain could not be contacted. Also, I noticed in the details part, I also see the following notification:

The following domain controllers were identified by the query:

dc1 of domain B

however no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

When checking the DNS at the DC of Domain A, I noticed in the forward lookup zone of Domain A's DC, I see the NS for Domain B, not for Domain A.

Anyone who can help me with this? What did I do wrong in the trust relationship/DNS part?

Logon issues when pending reboot/shutdown on domain controllers


Is it safe to stop the Netlogon service before shutdown on domain controllers? We are experiencing logon issues with some applications (mostly BizTalk) when automatically patching our DCs using Windows Update.

Event 6913 can be seen in the BizTalk Server log.

An attempt to connect to "BizTalkMgmtDb" SQL Server database on server "BIZTALKDBSERVER" failed.
 Error: "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."


I’ve read about others experiencing the same issues here:
 
https://blogs.msdn.microsoft.com/biztalknotes/2013/08/22/biztalk-hosts-fail-when-domain-controllers-are-rebooted/
https://support.microsoft.com/de-de/help/2683606/domain-members-fail-authentication-when-domain-controller-is-shut-down
 
Also, from what I can find on the matter, it has long been a problem that domain controllers stop dealing with authentication requests before reboot/shutdown. Shouldn’t this be fixed from Microsoft? Of course we can all set up scheduled tasks via GPOs, however that is no real solution to the actual problem.
 
Thank you.

Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When checked replication today we have seen the below error

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC is having inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how I should troubleshoot this.

Adding custom DNS A record for a public domain


Hello,

We need to add a custom internal IP (A record) for an available domain; that is, for example, I need the server farm to resolve www.google.com with an internal IP (ex. 10.10.10.10) instead of resolving its real IP. How can we achieve this on a Windows 2016 DC? I know that using a hosts file on a single server will work, but I need it on the Domain Controller.

Thanks in advance

Ports required for firewall communication between DC to DC and Client to DC


Hi All,

I wanted to know about the exact ports which are required for communication between domain controller to domain controller and client to domain controller. I have to allow these ports through the firewall.

I have followed the technet library link and after my own testing created this list -

Client to DC Communication -

Port(s)                                     Service(s)
TCP/UDP 137-139                             NetLogon, NetBIOS Name Resolution, DFS, Group Policy, NetBIOS Datagram Service
TCP/UDP 88                                  Kerberos
TCP/UDP 53                                  DNS
TCP/UDP 123                                 NTP
TCP 9389                                    SOAP
UDP 67 & UDP 2535                           DHCP, MADCAP, PXE

DC to DC communication -

Port(s)                                     Service(s)
TCP/UDP 135                                 RPC, EPM, MSMQ
TCP/UDP 137-139                             DFSN, NetBIOS Session Service, NetLogon
TCP/UDP 389                                 LDAP
TCP 636                                     LDAP SSL
TCP 3268                                    LDAP GC
TCP 3269                                    LDAP GC SSL
TCP/UDP 445                                 SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 5722                                    RPC, DFSR (SYSVOL)
TCP 9389                                    ADWS
TCP/UDP 49152-65535, TCP/UDP 1024 - 5000    RPC randomly allocated high TCP ports, DCOM
TCP 593                                     RPC over HTTPS
TCP/UDP 464                                 Replication, User and Computer Authentication, Trusts (Kerberos change/set password)

Do these ports look good?

Experts please help.

Thanks,

Neeraj.
