
AD Delegation


Dear All,

I delegated a user the right to reset domain user passwords and modify their properties. He can do his tasks on the majority of domain users but not on others. I checked those users and they're members of a security group "technical support", which has the privileges to do remote desktop on domain computers and is also a member of Domain Computers. All members of that group have adminCount 1, and as I understand it, even if I remove this value it will be added back after an hour. I added that user to the same group "technical support" and he has adminCount 1, but still he can't reset any member of that group. Enable inheritance is disabled for those users as well; I enabled it, but it was disabled again. Is there any way to let that user reset all members of that group?

Thank You


LDAP VIP name configuration


Hi,

I have 3 sites (UK, US, Germany). Each AD site contains 3 domain controllers, so 9 domain controllers in total.

I want to create an LDAP virtual name using 3 domain controllers; this should be done according to GEO region.

Three LDAP VIP names are required, to be created as LDAPUK.domain.com etc.

So the application team can hardcode the nearest LDAP VIP name for authentication and redundancy purposes.

If one LDAP server goes offline, another LDAP server will respond to the query. Help me to create the VIP name in DNS.

Please assist with your answer.

Nitpicking 101: AD snapshot- correct way..


Hey,

In order to "snapshot" AD I go to cmd and use ntdsutil. When I read how to do it I see two "schools".

ntdsutil

activate instance ntds

snapshot 

create

http://www.rebeladmin.com/wp-content/uploads/2015/02/snap8.png

https://blogs.technet.microsoft.com/niraj_kumar/2009/02/04/active-directory-snapshot-new-feature-in-windows-2008/

---------------------------------

ntdsutil

snapshot 

activate instance ntds

create

https://social.technet.microsoft.com/wiki/contents/articles/28644.active-directory-snapshot.aspx

Both on TechNet! Is there any difference between the two? Which one is the correct way? Most of the commands go only one way, hence my asking this question.

Thanks!
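The same snapshot operation, scripted rather than typed into the ntdsutil menus, as an added example that is not part of the original post. ntdsutil accepts its menu commands as command-line arguments, which is what makes the sequence below work; it assumes it runs elevated on a domain controller.

```powershell
# Added example: create and list an AD snapshot non-interactively.
# Each argument is one ntdsutil menu command; "activate instance ntds" is given first,
# then the snapshot menu's "create", then "quit" twice to leave the snapshot menu and ntdsutil.

function New-AdSnapshot {
    $out = & ntdsutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil failed:`n$($out -join "`n")"
    }
    # ntdsutil reports the GUID of the snapshot set it generated; return it for later mounting.
    $match = $out | Select-String -Pattern '\{[0-9a-fA-F\-]{36}\}' | Select-Object -First 1
    if (-not $match) {
        throw "Snapshot set GUID not found in ntdsutil output:`n$($out -join "`n")"
    }
    return $match.Matches[0].Value
}

function Get-AdSnapshot {
    # "list all" in the snapshot menu enumerates the existing snapshot sets and their volumes.
    & ntdsutil.exe "activate instance ntds" "snapshot" "list all" "quit" "quit" 2>&1
}

$created = New-AdSnapshot
"Created snapshot set $created"
Get-AdSnapshot
```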

Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When I checked replication today I saw the below error:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC has inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how I should troubleshoot this.

path to become expert in Active Directory


Hello Team,

I am new to Active Directory, so I want to ask what the path is to learn Active Directory and get certified in it.

I also want to know what the prerequisites are for learning Active Directory.

Regards,

Vipin

No Computer in Directory Users and Computers list


Hello,

I am trying to add an organizational unit to the Active Directory I created on my VirtualBox with Windows Server 2016. However, I realize that there is no computer in the Active Directory computer list on my DNS domain (Server Manager > Tools > AD Users and Computers > domain > Computers). I did set up AD DS, DNS and DHCP through Server Manager, changed the network settings, and changed the system name. Every possible thing has been tried, but I fail to understand why there is no computer in the Active Directory computer list on my DNS domain. The domain name and the full computer name (Name.DomainName.com) do show up in the system properties. Please help me out.

Thank you


Shared Folder Access only For Particular OU


Dear Team,

How can we configure shared folder access through GPO? Also, I need to set the permissions on the shared folder only for a particular Organizational Unit (OU).

Regards

Aghil


Domain Controller shows SID with its Name


I recently migrated all the domain controllers in a multi-site environment to Server 2016. In one of the sites, one domain controller shows its name with some kind of a code (I believe it's a SID). Now it doesn't allow me to transfer FSMO roles to the new server using the new server name (STWN-AD03), see attached. Sites and Services and /replsummary also show the server with the same name.

I hope you can help me find what caused it. Like I mentioned, this domain has 3 sites and changes replicated throughout all sites.

I was thinking replication delays might have caused it while I was upgrading, because after upgrading Site A, I didn't check that all changes were replicated to the other 2 sites before moving on to Site B. Any thoughts?

How can I fix this? Is there any way without going for a fresh server? (Because we already migrated a payroll application to the new server.)

 

Janindu Nanayakkara


Enable Remote Desktop access for Domain user


On a newly set up Windows Server 2019 Essentials domain, a user needs to RDP into their workstation.

I have added the user to the Builtin Remote Desktop Users group but they are still unable to RDP into either the server or their workstation.

If I add them to the Builtin Administrators group they can RDP into the server, but not their workstation.

Any suggestions please?

LDAP connection on Domain Controller


Hi,

Is there any tool/method to find the incoming LDAP connections for a specific Domain Controller? Also, please confirm whether it is possible to extract this data from logs rather than in real time.

Thanks in advance.

Importing an LDIF file


I am a complete rookie when it comes to these things, so please bear with me.

I have an LDIF file myfile.ldif with the following contents:

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: MyOrg

There is more stuff after this, but this will do.

When I try to import it, I am getting the following:

C:\sds>ldifde -i -f myfile.ldif
Connecting to "<ip-address>"
Logging in as current user using SSPI
Importing directory from file "myfile.ldif"
Loading entries.
Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x2079 The specified instance type is not valid.
The extended server error is:
00002079: SvcErr: DSID-033308F0, problem 5003 (WILL_NOT_PERFORM), data 0

0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

I have no clue as to why this is failing, and on the first line too. Any suggestions on how to diagnose and fix this?
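An import of the shape that AD does accept, as an added example that is not part of the original post: it creates an OU and a disabled user beneath the existing domain root (discovered from RootDSE rather than hard-coded), and passes `-j` so that ldifde writes ldif.log and ldif.err for diagnosis. The OU and account names are made up for the example; it assumes a domain-joined host and a user allowed to create objects.

```powershell
# Added example: build an LDIF file for AD and import it with logging enabled.
$DomainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext   # e.g. DC=mydomain,DC=com
$LogDir   = "C:\sds\ldifde-logs"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Objects are added under the domain root, not the root itself. Names are constructed
# for this example; userAccountControl 514 = normal account, disabled.
$ldif = @"
dn: OU=ImportTest,$DomainDN
changetype: add
objectClass: organizationalUnit
ou: ImportTest

dn: CN=Import Test,OU=ImportTest,$DomainDN
changetype: add
objectClass: user
cn: Import Test
sAMAccountName: importtest
userAccountControl: 514

"@

# ldifde expects CRLF line endings and a blank line between entries.
$File = Join-Path $LogDir "myfile.ldif"
[System.IO.File]::WriteAllText($File, ($ldif -replace "`r?`n", "`r`n"))

# -i import, -f file, -k keep going on "already exists"/constraint errors,
# -j directory for ldif.log and ldif.err, -v verbose.
& ldifde.exe -i -f $File -k -j $LogDir -v
if ($LASTEXITCODE -ne 0) {
    "ldifde exited with $LASTEXITCODE; see ldif.err and ldif.log in $LogDir"
}
```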

Forest Trust Relationships


Hello

In our organization we have configured a 2-way forest trust relationship between 2 forest domains (ForestA and ForestB) with Transitive mode "Yes"; Name Suffix Routing is properly set.

When checking the trust validation, the following window appears:

Checking with nltest /dclist:DomainB also gives a list of DCs in DomainB.

ForestA contains two child domains, child1.ForestA and child2.ForestA. ForestB doesn't have a child domain.

Adding an account from ForestB to ForestA's Domain Local group succeeds. But when we try to add an account from ForestB to the Domain Local group in child1.ForestA, it gives the error window below:

 

P.S. Conditional Forwarders are configured properly; all FQDNs of DomainB resolve successfully.


Microsoft AD - SQL server integration for desktop login

Hi Microsoft Team,

We are facing an issue which is as follows:

1. We have a SQL-based user management system.
2. Now, we are planning to get AD enabled for our production environment.
3. The challenge is to see if, for a desktop login, we can have Active Directory (AD) talk to a non-AD source like SQL for user authentication / authorization. We will need your help here in checking the technical feasibility of this.

Please let me remind you that this is non-cloud-based infrastructure.

I also wanted to check if this is possible with a RADIUS configuration with AD (for desktop login).



My Domain Controller has every month 1 min TIME DELAY


Hi Dears, 

I want to know why my Domain Controller has a time delay every month of approximately one minute, and in some months three minutes, even though I set the date and time to the local time zone.

Please help me.

Ram

How to restrict access to certain attribute in Active Directory for Global Address List ( Outlook)


He would like to add some personal employee information in Active Directory which should be accessible by only a few users in the Outlook GAL on their phones. At present all telephone numbers and mobile phones are available to everyone when you search for a user via the contact list on an iPhone. Once we add an employee's home address, we want only a few people to have access to that info when they search for the same person(s) via the GAL in their mobile or desktop Outlook contact list.


Richard Ojel...


User profile Service


Hi Team,

In my environment we are facing the below issue: out of 100 systems, 15 systems get the error below. Please suggest what changes I should make. I am using Server 2019.

Thanks in advance

Bhaskar G R

export Distribution group members


Hi Experts

I have a distribution group and I want to export the members of that distribution group to a CSV file, but I am getting an error. Please guide me, as the below syntax is not working.

Get-ADGroupMember -Identity "My-DistributionGroup" | Get-ADUser -Properties DisplayName, mail, EmployeeID | Select-Object DisplayName, mail, EmployeeID | Export-Csv -Path C:\output.csv -NoTypeInformation
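A more robust version of the export, as an added example that is not part of the original post. It reads the group's member attribute directly and resolves each DN with Get-ADObject, so contacts and nested groups (both common in distribution groups) are handled, and a visited set keeps nested membership loops from recursing forever. The group name and output path are the ones from the post; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: export leaf members of a (possibly nested) distribution group to CSV.
Import-Module ActiveDirectory

function Get-GroupLeafMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [System.Collections.Generic.HashSet[string]] $Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Read the member attribute instead of Get-ADGroupMember: it works for contacts
    # and is not subject to that cmdlet's member-count limit.
    $group = Get-ADGroup -Identity $GroupIdentity -Properties member
    foreach ($dn in $group.member) {
        if (-not $Seen.Add($dn)) { continue }   # already visited: duplicate or membership loop
        $obj = Get-ADObject -Identity $dn -Properties objectClass, displayName, mail, employeeID
        if ($obj.ObjectClass -eq 'group') {
            Get-GroupLeafMembers -GroupIdentity $dn -Seen $Seen   # descend into nested group
        } else {
            # employeeID is simply empty for contacts and other non-user objects.
            [pscustomobject]@{
                Type        = $obj.ObjectClass
                DisplayName = $obj.displayName
                Email       = $obj.mail
                EmployeeID  = $obj.employeeID
                DN          = $dn
            }
        }
    }
}

function Export-GroupMembers {
    param([Parameter(Mandatory)][string] $GroupName, [Parameter(Mandatory)][string] $Path)
    $rows = @(Get-GroupLeafMembers -GroupIdentity $GroupName)
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $rows.Count
}

$count = Export-GroupMembers -GroupName 'My-DistributionGroup' -Path 'C:\output.csv'
"Exported $count members"
```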

SYSVOL, NETLOGON share problem


Hi All,

I faced an AD problem yesterday, and I have no experience with this kind of problem, so I need some advice. We have a customer with multiple sites. They moved their HQ to another city two months ago while still working at the previous site, so we built another infrastructure at the new site. Previously they had a single site with one server running 2012 (non-R2) Foundation in a single-domain environment. Then we installed a Linux-based firewall at the new HQ and the old site, connected the sites by IPsec, and installed the new DC (Windows 2016 Standard) at the new HQ by joining it to the domain and promoting it as a DC in the existing infrastructure. AD was fine, as we installed 3-4 more Windows Servers at the new site, joined them to the domain, and everything was fine for the past 2 months. Now they're migrating to a new site at the old HQ, so it's time to move the FSMO roles to the new HQ and demote the old DC; as only a few PCs will remain in the previous city, they'll work fine through IPsec and there's no need for a new DC there. First of all, I moved the FSMO roles 2 days ago and configured DHCP and the DNS resolver on the Linux FW to forward DNS queries to the HQ DC. Before the FSMO move I checked AD replication and ran the dcdiag diagnostics, and there wasn't any problem with the new DC. At the end of this project I just stopped the DNS and DHCP services to be sure that everything works through IPsec. I planned to demote the DC the next evening if everything was fine on the test day. But users complained that DNS was not working as expected. After a few hours of investigation I found that there's a problem with Active Directory. I tried a server restart and then got a lot of errors in the event logs. I tried dcdiag again and found these problems:

(Netlogons) Unable to connect to the NETLOGON share! An net use or LsaPolicy operation failed with error 67

(DFSREvent) There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

(Advertising) Warning: DsGetDcName returned information for \\SERVER..., when we were trying to reach SRV.... IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

The NETLOGON and SYSVOL shares are missing. All other tests were successful.

I googled a lot and found the D2/D4 DFSR solution. It is unclear to me which to choose, the authoritative or the non-authoritative restore, and on which DC I have to run the guide. In case of a failure, what will be lost, i.e. in addition to the normal backup, which files do I have to back up manually? I moved the FSMO roles back to the old DC as its dcdiag was fine, so could a better solution be to demote the new DC and install the role again? What could have caused this problem, as dcdiag was fine before the FSMO move?

Every advice or idea is also appreciated!

Issue with LinkID on Linked Custom Attribute Pair in AD


Hi All,

I have a weird issue when creating a linked custom attribute pair in AD.

The process I am following is to first create the forward attribute with a LinkID of 1.2.840.113556.1.2.50. This apparently auto-generates the LinkID. Then reload the schema and create the back-link attribute using the OID of the forward attribute. This all goes OK, apart from when I look at the attribute details, the link ID is a negative number. For example:

The forward attribute is 

The BackLink attribute is

From all the information I have read, the forward attribute link ID should be a positive even number and the back-link should be a positive odd number.

I'm using PowerShell to create the attributes. The forward attribute script is:

$RootDSE = [System.DirectoryServices.DirectoryEntry]([ADSI]"LDAP://RootDSE")
# Retrieve the schema naming context, the distinguished name of the Schema container in AD.
$SchemaNC = $RootDSE.schemaNamingContext
# Bind to the Schema container.
$Schema = [ADSI]"LDAP://$SchemaNC"

# Create an object of class "attributeSchema" with common name "Test-SoftwareDeliveryPrimaryUser".
$NewAttr = $Schema.Create("attributeSchema", "cn=Test-SoftwareDeliveryPrimaryUser")

$NewAttr.Put("attributeID", "1.2.840.113556.1.8000.2554.1.1")
# Distinguished-name syntax (Object(DS-DN)): oMSyntax 127 with attributeSyntax 2.5.5.1.
# A linked attribute must be DN-valued.
$NewAttr.Put("oMSyntax", 127)
$NewAttr.Put("attributeSyntax", "2.5.5.1")
$NewAttr.Put("isSingleValued", $False)
$NewAttr.Put("isMemberOfPartialAttributeSet", $False)
$NewAttr.Put("searchFlags", 1)
$NewAttr.Put("lDAPDisplayName", "Test-SoftwareDeliveryPrimaryUser")
# Setting linkID to the OID of the linkID attribute itself requests an auto-generated forward link ID.
$NewAttr.Put("linkID", "1.2.840.113556.1.2.50")
# Create the new attribute.
$NewAttr.CommitChanges()

# Assign optional attributes.
$NewAttr.Put("description", "Test AD attribute -Forward")
#$NewAttr.Put("rangeLower", 1)
#$NewAttr.Put("rangeUpper", 128)
# Update the new attribute.
$NewAttr.CommitChanges()

For the back link, I am using:

$RootDSE = [System.DirectoryServices.DirectoryEntry]([ADSI]"LDAP://RootDSE")
# Retrieve the schema naming context, the distinguished name of the Schema container in AD.
$SchemaNC = $RootDSE.schemaNamingContext
# Bind to the Schema container.
$Schema = [ADSI]"LDAP://$SchemaNC"

# Create an object of class "attributeSchema" with common name "Test-SoftwareDeliveryPrimaryUser-BL".
$NewAttr = $Schema.Create("attributeSchema", "cn=Test-SoftwareDeliveryPrimaryUser-BL")

$NewAttr.Put("attributeID", "1.2.840.113556.1.8000.2554.1.2")
# Distinguished-name syntax (Object(DS-DN)), the same syntax as the forward link.
$NewAttr.Put("oMSyntax", 127)
$NewAttr.Put("attributeSyntax", "2.5.5.1")
$NewAttr.Put("isSingleValued", $False)
$NewAttr.Put("isMemberOfPartialAttributeSet", $False)
$NewAttr.Put("searchFlags", 1)
$NewAttr.Put("lDAPDisplayName", "Test-SoftwareDeliveryPrimaryUser-BL")
# Setting linkID to the attributeID (OID) of the forward link pairs this attribute with it as its back link.
# The schema cache must have been reloaded after the forward link was created so the OID resolves.
$NewAttr.Put("linkID", "1.2.840.113556.1.8000.2554.1.1")
# Create the new attribute.
$NewAttr.CommitChanges()

# Assign optional attributes.
$NewAttr.Put("description", "Test AD attribute -Backlink")
#$NewAttr.Put("rangeLower", 1)
#$NewAttr.Put("rangeUpper", 128)
# Update the new attribute.
$NewAttr.CommitChanges()


The environment is a test environment consisting of a single Windows Server 2012 R2 Domain Controller.

I could manually declare the LinkID, but I was trying to keep user error out of the equation and thus wanted to use the auto-generated method. Does anyone know why I am getting a negative number as a linkID?

Thanks for taking the time to read this

Steve
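A read-back check for the two attributes above, as an added example that is not part of the original post. It forces the schema cache reload the post mentions (via the RootDSE schemaUpdateNow operation), then reads each linkID and shows it both as the signed Int32 that ADSI returns and as an unsigned 32-bit value, because an ADSI Integer is a signed Int32 and any value with its top bit set prints as negative; the even/odd classification follows the rule quoted in the post. Attribute names are the ones from the post.

```powershell
# Added example: reload the schema cache and inspect the linkID of the new forward/back link pair.
$RootDSE  = [ADSI]"LDAP://RootDSE"
$SchemaNC = $RootDSE.schemaNamingContext

# Ask the DC to reload its schema cache so the freshly created forward link is
# visible before the back link that references its OID is created.
$RootDSE.Put("schemaUpdateNow", 1)
$RootDSE.SetInfo()

function Get-LinkIdInfo {
    param([Parameter(Mandatory)][string] $LdapDisplayName)
    # The attributeSchema object lives in the Schema container under its cn.
    $attr = [ADSI]"LDAP://CN=$LdapDisplayName,$SchemaNC"
    $raw  = [int]$attr.Get("linkID")                     # ADSI returns Integer syntax as Int32
    $u    = [uint32]([int64]$raw -band 0xFFFFFFFF)       # same bits, read as unsigned
    [pscustomobject]@{
        Attribute    = $LdapDisplayName
        LinkIdInt32  = $raw
        LinkIdUInt32 = $u
        LinkIdHex    = ('0x{0:X8}' -f $u)
        Role         = $(if ($u % 2 -eq 0) { 'forward link (even)' } else { 'back link (odd)' })
    }
}

'Test-SoftwareDeliveryPrimaryUser', 'Test-SoftwareDeliveryPrimaryUser-BL' |
    ForEach-Object { Get-LinkIdInfo -LdapDisplayName $_ } |
    Format-Table -AutoSize
```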

Ran Burflags D4 (authoritative restore) when I shouldn't have.


I made an idiotic mistake. I was trying to solve a SYSVOL/NETLOGON issue on a newly built off-site DC. I was doing research and someone wrote that I should run the D4 flag in BurFlags. It was flagged as the correct answer, so I didn't dig into it further as it was 1am, and I've never had to do a restore, so I was unaware of what that flag was. After I ran it I started digging more into it and realized what I'd done. I checked my other DCs and they seem to be fine; I did not disable FRS on the other DCs, nor did I run a non-authoritative restore on them.

So I don't know how to assess the damage I've done. GPOs are fine; DNS changes and user changes seem to replicate just fine.

To be honest, I want to just demote this problematic off-site DC, remove the metadata and start over, but considering I already ran the authoritative restore on it, I wanted to see if anyone knew whether there were some steps I needed to perform or items to check before I demote this server and start over. Any guidance would be appreciated.


