Channel: Directory Services forum

FSMO roles and DC decommissioning


We have WS2008R2/2012R2 DCs, and have upgraded to WS2016 DCs. Now we are planning to move the FSMO roles to the new DCs in our root and child domain. The root forest is empty, and the child domain has all users/groups/app data.

As we are planning to move all the FSMO roles in both domains (root forest & child domain), I already made a plan to first move all the FSMO roles in both environments and then start decommissioning the older DCs, first root and then child domain, but my manager said to first move all the FSMO roles in the forest and decommission the older DCs from the root, then move all the FSMO roles in the child domain and do the decommissioning. I said that these steps are neither advisable nor the recommended way to do so, but they keep insisting on it. If we do so and go by the manager's way, it will impact our whole AD infra.

Is there any article on FSMO role movement and decommissioning in this type of environment?

Just wanted to confirm: is the way the manager suggested possible? I don't think so.

Any thoughts on this?


Rajneesh Kumar MCSE - Server Infra, MCITP - SA, CNA
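One way to check, before any DC is demoted, which DC in each domain still holds which role (an added PowerShell example, not from the original post; the hostnames in $DecomDCs are assumed):

```powershell
# Added example: inventory every FSMO role holder across the forest and flag
# any that sits on a DC slated for decommissioning. Run from a machine with
# the ActiveDirectory module; $DecomDCs holds assumed hostnames.
Import-Module ActiveDirectory

$DecomDCs = @('OLDDC1.corp.example', 'OLDDC2.child.corp.example')   # assumed

function Get-FsmoReport {
    $forest = Get-ADForest
    # Forest-wide roles: held by a DC in the root domain
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role }
    }
    # Domain-wide roles: one holder per domain (root and each child)
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Domain = $domainName; Role = $role; Holder = $domain.$role }
        }
    }
}

$report = Get-FsmoReport
$report | Format-Table -AutoSize

# A DC must not be demoted while it still holds a role in any domain
$blocking = $report | Where-Object { $DecomDCs -contains $_.Holder }
if ($blocking) {
    Write-Warning 'These roles still sit on DCs marked for decommissioning; transfer them first:'
    $blocking | Format-Table -AutoSize
    # Transfer (not seize) while the old holder is still online, e.g.
    #   Move-ADDirectoryServerOperationMasterRole -Identity NEWDC01 `
    #       -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
} else {
    Write-Host 'No FSMO role is held by a DC on the decommission list.'
}
```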


Internet restriction on DC


I want to restrict internet browsing on the domain controller. I'm already following the Microsoft recommendation.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

Is it possible to restrict internet access for the DC alone? We have a firewall in the perimeter network.

We have configured a strict firewall policy for our enterprise. I have read a few articles saying that we can block internet access via Windows Firewall; however, Windows Firewall was disabled on the DC. Normally, in an enterprise, nobody uses Windows Firewall on a DC.

Please assist with your answer on whether an internet block is possible on a DC?
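One host-based way to do this with Windows Firewall, as an added example (not from the original post): block outbound web ports only to public IPv4 ranges, so traffic to internal systems (other DCs, WSUS, a patching proxy) is unaffected. The address ranges and the proxy address/port are assumptions.

```powershell
# Added example: block outbound HTTP/HTTPS from a DC to public IPv4 space.
# Block rules take precedence over allow rules in Windows Firewall, so internal
# destinations keep working simply by not being listed in $PublicRanges.

# Everything except RFC 1918 space (10/8, 172.16/12, 192.168/16); constructed list
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# The post notes the firewall was disabled on the DC; rules do nothing until it is on
Set-NetFirewallProfile -Profile Domain -Enabled True

New-NetFirewallRule -DisplayName 'DC - Block outbound web to Internet' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 80, 443 `
    -RemoteAddress $PublicRanges -Profile Domain -Enabled True

# If browsing normally goes through an internal proxy, the rule above never sees
# it; block the proxy path as well (assumed proxy address and port).
New-NetFirewallRule -DisplayName 'DC - Block outbound to web proxy' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 8080 `
    -RemoteAddress '10.0.0.5' -Profile Domain -Enabled True

# Verify what was written
Get-NetFirewallRule -DisplayName 'DC - Block outbound*' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If the DC has global IPv6 connectivity, an equivalent rule for public IPv6 ranges is needed as well. Anything the DC must still reach on the public internet (for example Microsoft Update when no internal WSUS is used) has to be routed through an internal host, because these rules block it.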

 

Backup AD and what have you done


We have multiple domain controllers. I wanted to ask how you guys have prepared for these.

DR: I guess you can have Multiple domain controllers spread across geo-locations in Azure or other datacenters.

Ransomware, viruses, accidental DNS deletion and so on: what have you done to protect against these? Let's say it accidentally affects your AD. Can you restore AD via a VM checkpoint (might not be supported) or restore the VM? Do you have to take system state backups, or so on? Do you have a DC in a remote location that only communicates so often with HQ?

I want to make sure we are protected and see what you guys have done for your AD infrastructure.

Please suggest.


John

Active Directory Group Member Created by User

How can I determine who has created a member in an AD group?
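AD itself does not record who added a member; the answer comes from the Security log of the DC that processed the change, provided "Audit Security Group Management" (success) is enabled. The following is an added PowerShell example, not from the original post; the group name and the 30-day window are assumptions.

```powershell
# Added example: find who added members to a given AD group by reading the
# membership-change events from every DC's Security log.
# 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group.
Import-Module ActiveDirectory

$GroupName = 'Finance-Admins'                     # assumed
$Days      = 30                                   # assumed lookback window
$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-$Days)
}

$results = foreach ($dc in $DomainControllers) {
    # Get-WinEvent raises a non-terminating error when a DC has no matching events
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # EventData fields are named in the XML view; pull them into a hashtable
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        if ($data.TargetUserName -ne $GroupName) { continue }   # TargetUserName = group
        [pscustomobject]@{
            When    = $ev.TimeCreated
            DC      = $dc
            EventId = $ev.Id
            Group   = $data.TargetUserName
            Member  = $data.MemberName                           # DN of the added member
            AddedBy = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        }
    }
}

$results | Sort-Object When | Format-Table -AutoSize
```

If the event has already rolled out of the log, Get-ADReplicationAttributeMetadata on the group's member attribute still shows when and from which DC the membership last changed, but not the account that made the change.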

AD LDS - Create new application partition


Hello!

I have two AD LDS instances in one configuration set and I am trying to create a new application partition. I am following an MSDN article (unfortunately I cannot provide the link here; I do not have enough karma) which describes this process for Active Directory. Now, for the instance that was the first in the set, all works perfectly, but when I try to create another application partition on the second server (create a domainDNS object) it gives me an "Unwilling to perform" error.

My guess is that it has something to do with the first server being the Naming Master. In the case of Active Directory, the document says that we need to bind to the server where we would like to create a partition with the delegation option, to "allow the domain controller to contact the Domain-Naming FSMO role holder". The problem is that I could not find such an option for the ldap_connect function which I am using to connect to the AD LDS servers.

Any help would be great, thank you.

Service account permission


Hi guys,

Scenario: I have a service account that is granted permission to run a script on a server. I've noticed that when other users who are non-domain admins sometimes use the credentials for the account to run a script, they get "access is denied".

I come in and run the exact same script with the same service account credentials and it works. The funny part is, once I run it and it works, then when they try it works again, until they have the issue again. The account is not locked, disabled or anything like that whenever this happens. The password is set to never expire.

This does not make sense to me because they are doing "run as" and using the same credentials I'm using.

Is there a permission that is needed from AD or maybe on the server for other users to be able to use the credentials?



Nitpicking 101: AD snapshot - correct way

Hey,

In order to "snapshot" AD I go to cmd and use ntdsutil. When I read how to do it I see "2 schools".

ntdsutil

activate instance ntds

snapshot 

create

http://www.rebeladmin.com/wp-content/uploads/2015/02/snap8.png

https://blogs.technet.microsoft.com/niraj_kumar/2009/02/04/active-directory-snapshot-new-feature-in-windows-2008/

---------------------------------

ntdsutil

snapshot 

activate instance ntds

create

https://social.technet.microsoft.com/wiki/contents/articles/28644.active-directory-snapshot.aspx

Both on TechNet! Is there any difference between the two? Which one is the correct way? Most of the commands go only one way, thus my asking this question.

Thanks!

Account policy settings not being enforced


Hello, we have a password policy defined in the Default Domain Policy enforced in AD which is working on all our Windows 2008+ machines except recently deployed Windows 2016 machines.

On those machines, which are in the appropriate OU, running gpresult /V shows that the Default Domain Policy is applied successfully. Running RSOP also shows that it is enforced. However, if I run "net accounts" from an Administrator command prompt it doesn't show the appropriate settings. Additionally, accessing the Local Group Policy doesn't show the settings, but they are greyed out.

I have moved one of the machines from the OU where this is defined to a test one which blocks inheritance, and the settings are available in local policy to change, but are set to Windows defaults. I have gone through all the Group Policies to see if the settings are defined elsewhere and they are not.

The scope of the Default Domain Policy covers the machine.

Does anyone have any idea why the password policy isn't applying correctly, and how to fix it?

Thanks

Gerrard


Dynamic security group


I need to create a security group that contains all the enabled users in AD.

This group needs to be dynamic so that when a user is disabled it is automatically removed from it.

Thanks
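On-premises AD security groups have no membership rule of their own, so one way to get this behaviour is a scheduled script that reconciles the group with the current set of enabled users. The following is an added PowerShell example, not from the original post; the group name and search base are assumptions.

```powershell
# Added example: keep a security group equal to "all enabled user accounts"
# under a given OU. Intended to run on a schedule (e.g. a scheduled task on a
# DC or management host) with an account allowed to change the group's members.
Import-Module ActiveDirectory

$GroupName  = 'All-Enabled-Users'                       # assumed
$SearchBase = 'OU=Users,DC=child,DC=corp,DC=example'    # assumed; scope it so service accounts stay out

# Desired state: DNs of every enabled user under the search base
$desired = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty DistinguishedName

# Safety stop: an empty or failed query must never empty the group
if (-not $desired) { throw "No enabled users found under $SearchBase; refusing to reconcile." }

# Current state: read the member attribute directly, which avoids the
# Get-ADGroupMember result-size limit on large groups
$group   = Get-ADGroup -Identity $GroupName -Properties member
$current = @($group.member)

$cmp = [System.StringComparer]::OrdinalIgnoreCase
$desiredSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$desired, $cmp)
$currentSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$current, $cmp)

$toAdd    = @($desired | Where-Object { -not $currentSet.Contains($_) })
$toRemove = @($current | Where-Object { -not $desiredSet.Contains($_) })   # disabled, deleted or moved out

if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

Write-Host ('{0}: added {1}, removed {2}' -f $GroupName, $toAdd.Count, $toRemove.Count)
```

Membership changes made this way are logged as the usual group-management audit events under the scheduled task's account, so the task account should be dedicated and its rights limited to this group.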

How to disable/uninstall the built-in Windows 10 app "Microsoft Edge" via GPO or locally for all users.

Hi Team,
I want to disable Microsoft Edge and use IE as the default browser. I tried a few links for removal but they are not working.
For removal, I'm getting this error:

PS C:\Windows\system32> get-appxpackage *edge*


Name              : Microsoft.MicrosoftEdge
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : Neutral
ResourceId        :
Version           : 25.10586.672.0
PackageFullName   : Microsoft.MicrosoftEdge_25.10586.672.0_neutral__8wekyb3d8bbwe
InstallLocation   :
IsFramework       : False
PackageFamilyName : Microsoft.MicrosoftEdge_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False



PS C:\Windows\system32> remove-appxpackage Microsoft.MicrosoftEdge_25.10586.672.0_neutral__8wekyb3d8bbwe
remove-appxpackage : Deployment failed with HRESULT: 0x80073CFA, Removal failed. Please contact your software vendor.
(Exception from HRESULT: 0x80073CFA)
error 0x80070032: AppX Deployment Remove operation on package
Microsoft.MicrosoftEdge_25.10586.672.0_neutral__8wekyb3d8bbwe from:
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe failed. This app is part of Windows and cannot be
uninstalled on a per-user basis. An administrator can attempt to remove the app from the computer using Turn Windows
Features on or off. However, it may not be possible to uninstall the app.
NOTE: For additional information, look for [ActivityId] 94700c0a-1625-0000-461b-70942516d501 in the Event Log or use
the command line Get-AppxLog -ActivityID 94700c0a-1625-0000-461b-70942516d501
At line:1 char:1
+ remove-appxpackage Microsoft.MicrosoftEdge_25.10586.672.0_neutral__8w ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (Microsoft.Micro...__8wekyb3d8bbwe:String) [Remove-AppxPackage], IOException
    + FullyQualifiedErrorId : DeploymentError,Microsoft.Windows.Appx.PackageManager.Commands.RemoveAppxPackageCommand

https://www.drivereasy.com/knowledge/how-to-remove-microsoft-edge-from-windows-10-solved/
For the default browser:

https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy - the template options themselves are not available.


Ransomware encrypted GPT.ini


In a Server 2003 setting, the gpt.ini file in our SYSVOL folder has been encrypted across all our DCs. I have a backup of the "system state" on the DCs made using NTBackup and was going to just restore the GPT.ini file that had been corrupted, but it appears NTBackup will only restore the entire system state at once. I can try to redirect that restore to an alternative location, but I'm not sure that will have the desired effect and instead the full system state will be restored, which I don't want, since I know that group policy had not been changed since the last system state backup. I could run the dcgpofix tool, but we are also running Exchange Server and I'm worried that resetting the GPO back to the default will cause problems there. Any suggestions for recovering my domain and DC policy?

Couple more Qs before upgrading the domain and forest functional level

hi everyone,

I am about to raise the domain and forest functional level to 2008 R2. Currently we are running 6x 2012 and 2x 2008 R2 domain controllers while the domain and forest level is still at 2003. From some of the responses to my last post I know I need to raise the domain level first and then the forest level.

Here are some questions:

I would like to ask if it matters which one of the domain controllers I raise the level on?

Also, I assume I only need to raise the domain level once, then follow with the forest level (meaning I do not need to do the same steps on each of the domain controllers).

After raising the domain level, do I need to wait for a while (for the sync between the DCs) before I can raise the forest level?

Finally, I just did a full server backup on one of my domain controllers using Windows Backup on 2012... do you think this will help restore AD (which I do not expect to happen)?

Thank you for your help in advance.


Takami Chiro


Get list of deleted AD users


Hi there.

There are people setting up a 3rd party system that retrieves information from our AD.

During testing, they found that they could capture the creation of new users and modifications of users and get their system to act accordingly.

The problem is for deletions.

When a user is deleted, they have no way of knowing it.

I tried every command from this post: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/5424e204-d601-4330-a7ed-331134e47e18/filter-deleted-users-in-getadobject-cmdlet-also-returns-deleted-computers?forum=ITCG

But did not get the deleted users.

Note that Active Directory Recycle Bin is not enabled on our AD.

I also tried the steps from this article: https://www.lepide.com/how-to/restore-deleted-objects-in-active-directory.html

The weird thing is that when I used LDP.exe, I found the deleted users!

Can anybody please help?
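Without the Recycle Bin a deleted user survives only as a tombstone, which keeps a handful of attributes and is hidden unless the query asks for deleted objects, which is why LDP (with its "show deleted" control) found them and a plain search did not. The following is an added PowerShell example, not from the original post; the 30-day window is an assumption.

```powershell
# Added example: list tombstoned user objects without the AD Recycle Bin.
# Notes on the filter:
#  - -IncludeDeletedObjects sends the "show deleted objects" control, like LDP.
#  - objectClass=user also matches computers (computer derives from user), so
#    the Where-Object keeps only objects whose most specific class is "user".
#  - Tombstones keep objectSid, sAMAccountName and lastKnownParent, so those
#    still identify the account; most other attributes are stripped.
Import-Module ActiveDirectory

$Since = (Get-Date).AddDays(-30)    # assumed window; tombstoneLifetime caps how far back this works

function Get-DeletedUsers {
    param([datetime]$Since)

    Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user))' `
        -IncludeDeletedObjects `
        -Properties sAMAccountName, objectSid, lastKnownParent, whenChanged, uSNChanged |
        Where-Object { $_.ObjectClass -eq 'user' -and $_.whenChanged -ge $Since } |
        Select-Object @{ n = 'DeletedName'; e = { $_.Name } },   # shows as "name\0ADEL:<guid>"
                      sAMAccountName, objectSid, lastKnownParent,
                      @{ n = 'DeletedAround'; e = { $_.whenChanged } },  # deletion updates whenChanged
                      uSNChanged
}

Get-DeletedUsers -Since $Since | Sort-Object DeletedAround -Descending | Format-Table -AutoSize
```

An integration that needs to notice deletions can poll the same query incrementally, keeping the highest uSNChanged it has seen per DC and asking for (uSNChanged>=N) next time.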

Schema Master role owner is down need to recover


I came to know that the schema master role holder is down; however, the PDC and other FSMO role holders are up and running. What will be the best course of action?

The Schema Master role owner is a VM. Can I restore from a snapshot, or do I need to seize this role to another server?


FSMOcheckFail


Hello Everyone,

We are running a script for our Active Directory health check, and in that health check most things are fine, but one thing is showing as failed, as below. Can anyone help me with why this is failing and what we need to do to fix this issue?




Unexpected issue with GPO


Hi,

I created one GPO with some security settings suggested by our security team. The GPO contains only Computer Settings. I had to apply it to an OU with 80 computer accounts (Hyper-V servers). I put those 80 computers in a group and then added that group to the security filtering of that GPO. Then I linked that GPO to that specific OU containing those servers.

Everything went well for almost 15 days.

Then I thought that since the settings needed to be implemented on all the computers in that OU, I deleted the group from the security filtering and added "Authenticated Users" to the security filtering.

Once replication was done, I lost connection to ALL computers in the entire domain. All Hyper-V hosts were down and I was not able to connect to ANY computers, including the DC, as it was also a VM. I accessed the physical host, took the console of the DC and unlinked that GPO from that OU, which fixed the issue.

Now my question is, what exactly went wrong? I had just changed the security filtering from the computer accounts to "Authenticated Users". Why was it working when the computer accounts were in the security filtering, and why did it go down after I added the "Authenticated Users" account? Anyhow, we had to apply that GPO to all the computers inside that OU. Also, there were no user-related settings in that GPO. Can someone please help me understand this?

Thanks!

Nilabh Verma

DNS - Server addresses

Hi All,

I am having some difficulty with client machines not logging into the nearest domain controller at their local site. For example, some of our client machines in HQ connect to a satellite site some distance away. Ditto for some clients on satellite sites who sometimes connect to other satellite sites. Information from client machines has been gathered via CMD and the SET command; the logonserver shows the domain controller.

Our Sites and Services have been verified, configured correctly and have the appropriate IP subnets set up. The costs etc. are all set up as per Microsoft recommendation.

I am now looking at the DNS configuration on the server network cards. The way it is set up now is that we apply a static IP address on all servers and click the radio button "Use the following DNS server addresses:". The addresses we use are the local DNS server and a DNS server that points to the replication DNS server; for example, a satellite server would have its own DNS IP settings configured as Preferred and the HQ DNS IP settings set as Alternate. I am beginning to doubt whether these settings are correct, as it seems everything in Sites and Services is correct.

Any help or advice on how I can overcome this problem would be very gratefully received.

User Permission


Hi everybody, 

I would like to create a kind of restricted policy that gives the user the power to:

- join computers to the domain in the network

- add/remove users to/from groups

- access all shared folders on the network (READ ONLY)

I appreciate it in advance.

Regards

Yashica

Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When I checked replication today I saw the below error:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC is having inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how I can troubleshoot this.

How to make LDAP SSL call using DsBrowseForContainerW API


Hi, 

I am using DsBrowseForContainerW() to load all containers (OUs) from a given domain.

Internally it uses a non-SSL LDAP call to read data from the domain controller. But I want to use LDAP over SSL to read data from the domain controllers.

How can I achieve this?

case-1 : ADsPath = "LDAP://Domain100.Lab/DC=Domain100,DC=Lab"   working fine, LDAP non-SSL calls

case-2 : ADsPath = "LDAP://dc12.Domain100.Lab:389/DC=Domain100,DC=Lab"   working fine, LDAP non-SSL calls

case-3 : ADsPath = "LDAP://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab"   NOT working

LDAP Non SSL port = 389

LDAP SSL Port = 636

Code :

// DSBrowseInfo is the P/Invoke mapping of the native DSBROWSEINFOW structure
// (its definition and the DllImport for DsBrowseForContainerW are not shown here)
DSBrowseInfo dsbi = new DSBrowseInfo();
dsbi.cbStruct = System.Runtime.InteropServices.Marshal.SizeOf(dsbi);
dsbi.pszCaption = caption;
dsbi.pszTitle = title;
dsbi.pszRoot = ldapPath;      // ADsPath to start browsing from (the three cases above)
dsbi.pszPath = sResult;       // buffer that receives the selected container's path
dsbi.cchPath = 1024;          // size of that buffer, in characters
dsbi.hwndOwner = hwnd;

if (user != null && user.Length > 0)
{
    // Supply explicit credentials instead of the caller's logon token
    dsbi.pUserName = user;
    dsbi.pPassword = password;
    dsbi.dwFlags |= DSBI_HASCREDENTIALS;
}
int ret = DsBrowseForContainerW(ref dsbi);

In case-3, it gives the error "unable to connect to domain with given user name and password".

Please help me solve the issue. How can I achieve LDAP SSL communication using the DsBrowseForContainerW() API?

Thanks & Regards

Prasad

