Channel: Directory Services forum

ADFS3 as service provider using google as Identity Provider


Our organisation uses ADFS3, and we have configured several relying party trusts for single sign-on to third-party service providers in the cloud.

Now we have a requirement to grant SSO to on-prem SharePoint 2013 for users in a different organisation using Google managed accounts, such that Google acts as the IdP and ADFS consumes the token issued by Google and grants access to SharePoint.

Any lead or web links relating to the above will be much appreciated.

thanks

Sa 


NSW DECC


A more refined question: it is well documented how partner organizations can access resources via the

Federated Web SSO design

https://docs.microsoft.com/en-au/windows-server/identity/ad-fs/design/federated-web-sso-design

Can such a trust be created with G Suite, where G Suite acts as the account partner organization?

thanks


I am unable to remove a domain controller manually.


Hi Support,

I have removed the 2008 R2 domain controller and promoted again, but the name is still showing and the RODC is unable to communicate with the new domain controller.

I have removed all the old domain controller entries from DNS, Sites & Services and Active Directory, but when I run the command below it still shows the old server name:

C:\Windows\system32>Repadmin /replsum
Replication Summary Start Time: 2019-06-03 17:31:11

Beginning data collection for replication summary, this may take awhile:
  .....................

Source DSA          largest delta    fails/total %%   error
 TEST-LAB-DC-01    01d.21h:01m:01s   47 /  47  100  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
 LAB-TEST-ADC-01           13m:20s    0 /   5    0
 LAB-TEST-DC-01            06m:22s    0 /  10    0

 

Remove the old server TEST-LAB-DC-01, IP address 10.0.045

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:43:45
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:43:45
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:45:56
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:45:56
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:46:13
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:46:13
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.
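A way to find what still anchors the removed DC in the directory, as an added example that is not from the post above. The server name is the post's; the script assumes the ActiveDirectory module on a domain-joined admin host with Domain Admin rights.

```powershell
# Added example, not from the original post. Finds leftover objects that keep a
# demoted DC in repadmin output. $OldDc is the post's server name.
Import-Module ActiveDirectory

$OldDc    = 'TEST-LAB-DC-01'
$RootDse  = Get-ADRootDSE
$ConfigNc = $RootDse.configurationNamingContext
$DomainDn = $RootDse.defaultNamingContext
$Found    = @()

# 1. Server object under CN=Sites and its NTDS Settings child. While the
#    nTDSDSA object exists, the KCC keeps a replication partner for a DC that
#    no longer answers, which is what the (8524) row in /replsum reflects.
$Servers = Get-ADObject -SearchBase "CN=Sites,$ConfigNc" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
foreach ($srv in $Servers) {
    $Found += [pscustomobject]@{ Kind = 'Server object'; DN = $srv.DistinguishedName }
    $Ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    foreach ($n in $Ntds) {
        $Found += [pscustomobject]@{ Kind = 'NTDS Settings'; DN = $n.DistinguishedName }
    }
}

# 2. Computer account still sitting in the Domain Controllers OU
$Computers = Get-ADObject -SearchBase "OU=Domain Controllers,$DomainDn" -LDAPFilter "(&(objectClass=computer)(cn=$OldDc))"
foreach ($c in $Computers) {
    $Found += [pscustomobject]@{ Kind = 'Computer account'; DN = $c.DistinguishedName }
}

# 3. FRS / DFSR member objects for SYSVOL replication
$Members = Get-ADObject -SearchBase "CN=System,$DomainDn" -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$OldDc))"
foreach ($m in $Members) {
    $Found += [pscustomobject]@{ Kind = 'SYSVOL member'; DN = $m.DistinguishedName }
}

if ($Found.Count -eq 0) {
    "No objects for $OldDc remain in AD; run 'repadmin /kcc' on each DC and re-check /replsum."
} else {
    $Found | Format-Table Kind, DN -AutoSize -Wrap
}
```

If the server object or its NTDS Settings child is listed, metadata cleanup is what is still missing (ntdsutil, or deleting the server object in Active Directory Sites and Services on a current OS, which performs the cleanup), followed by `repadmin /kcc`; the RODC will not pick a new replication partner while the dead one is still in the topology.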

Strict replication consistency 2016 DC

I am building a new Win2016 DC to add to a Win2012r2 domain/forest.  Do I still need to add the reg key for 'Strict Replication Consistency' to a 2016 DC?  Thx
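A way to see whether strict replication consistency is already in effect across the forest, as an added example that is not part of the post above. The registry location and the forest opt-in object are Microsoft's documented ones; the script assumes the ActiveDirectory module and PowerShell remoting to each DC.

```powershell
# Added example, not from the original post. Reports the strict replication
# consistency state: the forest-wide opt-in object that makes newly promoted
# DCs default to strict, and the registry value on each existing DC.
Import-Module ActiveDirectory

$ConfigNc = (Get-ADRootDSE).configurationNamingContext

# Forest opt-in (operation GUID from Microsoft's documentation). When present,
# DCs promoted into the forest default to strict without a manual reg key.
$OptIn = Get-ADObject -SearchBase "CN=Operations,CN=ForestUpdates,$ConfigNc" -SearchScope OneLevel `
                      -LDAPFilter '(cn=94fdebc6-8eeb-4640-80de-ec52b9ca17fa)'
"Forest-wide strict consistency opt-in present: $([bool]$OptIn)"

# Per-DC value: 1 = strict (lingering objects are rejected), 0 or absent = loose
$Dcs = (Get-ADDomainController -Filter *).HostName
$State = Invoke-Command -ComputerName $Dcs -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $v   = (Get-ItemProperty -Path $key -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue).'Strict Replication Consistency'
    $strict = switch ($v) { 1 { 'enabled' } 0 { 'disabled' } default { 'not set' } }
    [pscustomobject]@{
        DC     = $env:COMPUTERNAME
        OS     = (Get-CimInstance Win32_OperatingSystem).Caption
        Strict = $strict
    }
}
$State | Sort-Object DC | Format-Table DC, OS, Strict -AutoSize

# Any DC reporting 'disabled' or 'not set' can be switched with repadmin:
#   repadmin /regkey <dcname> +strict
```

Run it before promoting the 2016 DC and again afterwards; the second run shows directly whether the new DC picked the value up on its own or needs the key set.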

I can't figure out how to replicate between two servers in different domains?


Hello,

I posted originally in the Hyper-V section but it was suggested the question was a kerberos problem so I should post here.

I've done replications between servers all the time - sometimes they aren't on the same subnet, but never between two domains - first time - not sure if there is something different I need to do.

I have two servers, each host running 2016 (and all guest VMs are 2016). I have set up a trust between the two and conditional forwarders. I can ping each server by name.

I have the Hyper-V settings set for Kerberos. I've disabled all firewalls on both servers - there are NO firewall policies, rules, or anything else between the two domains. All firewalls are disabled.

When I set up a replication from one host to the other using Kerberos, I get these two messages:

event 3200 Hyper-V failed to enable replication for virtual machine 'Test': A connection with the server could not be established (0x00002EFD). (Virtual machine ID 71EFDF26-BD0D-4C85-81FB-6C6918AA036E)

This is the setting on the server I'm replicating from -

Not sure if that ! about configuration details is the source of the issue.

These are settings on the server I'm replicating to - 

event 29230 Hyper-V cannot connect to the specified Replica server 'HOST1'. Error: A connection with the server could not be established (0x00002EFD). Verify that the specified server is enabled as a Replica server, allows inbound connection on port '443', and supports the same authentication scheme.

No Windows firewall on either server. There is no additional antivirus/firewall, and the Windows firewall is disabled in services as well as through the GUI. There is a VPN tunnel between the two but no filtering or policies - wide open.

Both servers can resolve each other by name to the right IP - I don't have to include the domain for them to resolve. When I do, I still get that error when I try to replicate.

The two errors I get are -  (there are no other errors on either host)

3200 Hyper-V failed to enable replication for virtual machine 'Test': A connection with the server could not be established (0x00002EFD). (Virtual machine ID 71EFDF26-BD0D-4C85-81FB-6C6918AA036E)

event 29230 Hyper-V cannot connect to the specified Replica server 'HOST1'. Error: A connection with the server could not be established (0x00002EFD). Verify that the specified server is enabled as a Replica server, allows inbound connection on port '443', and supports the same authentication scheme.


ADFS 2016 failing to add a node to farm - missing SPNs


Hi all,

Pulling my hair out over this, as I truly feel it shouldn't be this hard!

Background:

New ADFS deployment on Server 2016 (I believe that makes it ADFS 4.0)

Staged all required service accounts

Opted for gMSA (this is where I believe my issues stem from)

DB on Active/Passive clustered SQL 2017

Domain functional level 2012R2 (although the majority of DCs are 2016)

Servers:

ADFS1

ADFS2

SQLclstr

Accounts:

svcADFS (gMSA)

fs (domain federation service address)

I've deployed the first node, ADFS1, without any issues; the database has been created on SQLclstr and it seems to be operational.

Before I can use this in a production environment I need it to be HA. When I attempt to add a second node to ADFS, I receive the below errors from the prerequisites check:

There were no SPNs set on the following service account 'contoso\svcADFS$'. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.

Unable to determine the Service SPN. There were no SPNs set on the following service account 'contoso\svcADFS$'. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.

The SPNs do exist, firstly because ADFS1 wouldn't work if they didn't, and I've checked from setspn and ADSIedit.

Current configured SPNs against svcADFS are:

host/fs

host/fs.contoso.com

http/fs

http/fs.contoso.com

I've exhausted all the Google links I can find for the things I know and I'm stuck. Please help me!

Thanks,

-Damo.
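The facts the farm-join prerequisite check depends on when the service account is a gMSA, as an added example that is not from the post above: the SPN list as stored on the account, whether the same SPN is registered anywhere else in the forest, and whether the new node is allowed to retrieve the managed password. Names are the post's (svcADFS, fs.contoso.com, ADFS2); the script assumes the ActiveDirectory module on the admin host and, for the last step, on ADFS2.

```powershell
# Added example, not from the original post. Checks, from a domain-joined admin
# host, the gMSA facts the ADFS farm-join prerequisite test depends on.
Import-Module ActiveDirectory

$Gmsa     = 'svcADFS'
$FarmFqdn = 'fs.contoso.com'
$NewNode  = 'ADFS2'

$Acct = Get-ADServiceAccount -Identity $Gmsa -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# 1. SPNs as stored on the account (setspn -L shows the same list)
"SPNs on $($Acct.SamAccountName):"
$Acct.ServicePrincipalNames | Sort-Object | ForEach-Object { "  $_" }
foreach ($spn in "host/$FarmFqdn", "http/$FarmFqdn") {
    $state = if ($spn -in $Acct.ServicePrincipalNames) { 'present' } else { 'MISSING' }
    "$state : $spn"
}

# 2. The same SPN registered on a second account (an old service account, a
#    web server) makes Kerberos resolution ambiguous; -Q searches the forest.
setspn -Q "host/$FarmFqdn"

# 3. A gMSA only works on a host that may retrieve its managed password.
$Allowed = @($Acct.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { (Get-ADObject -Identity $_).Name })
"Principals allowed to retrieve the password: $($Allowed -join ', ')"

# Direct group membership only; nested groups would need a recursive query.
$NodeGroups = @((Get-ADComputer -Identity $NewNode -Properties MemberOf).MemberOf | ForEach-Object { (Get-ADObject -Identity $_).Name })
$Covered = ($NewNode -in $Allowed) -or (@($NodeGroups | Where-Object { $_ -in $Allowed }).Count -gt 0)
"$NewNode covered by the retrieval list: $Covered"

# 4. Run on the new node itself (needs the ActiveDirectory module there):
#    proves it can fetch the gMSA password right now, not just on paper.
Invoke-Command -ComputerName $NewNode -ScriptBlock { Test-ADServiceAccount -Identity $using:Gmsa }
```

If step 4 returns False on ADFS2 while ADFS1 is working, the retrieval list is the cause regardless of what setspn shows; the second node has to be added (or a group it belongs to) and rebooted so its Kerberos tickets reflect the new membership before the prerequisite check is re-run.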

Changing Local account passwords in bulk across multiple machines in Domain


We have a local admin account on all of our workstations that we use with our remote software to log in. The problem is that that same account on all of the workstations has had the same password for years, and some of the users now have it and could possibly log in locally. How can I change the password for this local user account so that it resets on all of the machines in bulk, rather than me going to each machine individually and resetting it? If it cannot be done through a GPO, what would the PowerShell command be to reset the password for the same local account in bulk on over 200 machines?


Support analyst
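One way to do the bulk reset with PowerShell remoting, as an added example that is not from the post above. The account name, the OU and the log path are placeholders (the post names none of them); the script assumes the ActiveDirectory module on the admin host and WinRM enabled on the workstations.

```powershell
# Added example, not from the original post. Resets one local account on every
# enabled computer in an OU over PowerShell remoting and records the outcome.
# Account name, OU and log path are placeholders.
Import-Module ActiveDirectory

$LocalAccount = 'localadmin'                           # placeholder account name
$SearchBase   = 'OU=Workstations,DC=contoso,DC=com'    # placeholder OU
$LogPath      = Join-Path $env:TEMP ("local-reset-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))

# Prompted once and kept as a SecureString; remoting encrypts it in transit and
# it is never written into the script or the log.
$NewPassword = Read-Host -Prompt "New password for $LocalAccount" -AsSecureString

$Targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
           Select-Object -ExpandProperty DNSHostName

$Results = @(Invoke-Command -ComputerName $Targets -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable Unreachable `
    -ArgumentList $LocalAccount, $NewPassword -ScriptBlock {
        param([string]$Name, [securestring]$Secure)
        try {
            # Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later)
            $acct = Get-LocalUser -Name $Name -ErrorAction Stop
            Set-LocalUser -Name $Name -Password $Secure -ErrorAction Stop
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = 'Changed'; Detail = "SID $($acct.SID)" }
        } catch {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = 'Failed'; Detail = $_.Exception.Message }
        }
    })

# Hosts that never answered (offline, WinRM not listening) surface as errors,
# not as results; add them so the log is complete and can be re-run against.
foreach ($err in $Unreachable) {
    $Results += [pscustomobject]@{ Computer = $err.TargetObject; Status = 'Unreachable'; Detail = $err.Exception.Message }
}

$Results | Select-Object Computer, Status, Detail | Export-Csv -Path $LogPath -NoTypeInformation
$Results | Group-Object Status | Select-Object Name, Count
"Per-machine detail written to $LogPath"
```

Pushing one shared value to 200 machines re-creates the exposure the question describes the moment it leaks again; generating a different password per machine inside the script block and storing it in an access-controlled store (Microsoft's LAPS does exactly this against AD) is the variant to prefer when the tooling allows it.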

setspn or adding rights in AD on Windows Server 2016


I'm trying to follow this article but I'm doing something wrong and/or misunderstanding what I'm supposed to do: https://www.jacksontechnical.com/article.htm?id=57

I'm trying to replicate between two 2016 servers in different domains. Perhaps I'm trying to modify the wrong objects or looking under the wrong names for services in 2016.

I tried setspn but failed:

setspn -S "Hyper-V Replica Service/hostname" host1

or 

setspn -S "Hyper-V Replica Service/host1" host1 (or with the domain extension)

Call to DsGetDcNameWithAccountW failed with return value 0x00000525

I can get to the other by name by ping or SMB file share.

I'm trying to find the AD settings from the link above in 2016 and must be looking in the wrong place. I'm in Active Directory Users and Computers. I went to advanced view. I selected the host server's properties. I have no idea how to add Microsoft Virtual Console Service or any of the other services listed there. I have found a few similar articles but can't find something I can follow on how to add the service.
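The checks a cross-domain Kerberos Hyper-V Replica pairing depends on, as an added example that is not from the posts above, run from the primary host. 'host1' is the Replica server named in the post; its domain name is a placeholder. The script assumes the ActiveDirectory and Hyper-V modules on the primary host.

```powershell
# Added example, not from the original post. Checks the pieces a Kerberos
# Hyper-V Replica pairing across two domains depends on, run from the primary
# host. 'host1' is the post's Replica server; its domain name is a placeholder.
Import-Module ActiveDirectory, Hyper-V

$ReplicaHost   = 'host1'
$ReplicaDomain = 'otherdomain.local'     # placeholder: the domain host1 belongs to

# 1. setspn's 0x525 (ERROR_NO_SUCH_USER) means the account was looked up in the
#    wrong domain. Ask the Replica server's own domain for its computer object.
$Computer = Get-ADComputer -Identity $ReplicaHost -Server $ReplicaDomain -Properties ServicePrincipalNames, DNSHostName
"Computer object: $($Computer.DistinguishedName)"
$Computer.ServicePrincipalNames | Sort-Object | ForEach-Object { "  SPN: $_" }

# The Hyper-V management service registers these itself; if they are absent,
# that is the first thing to fix before anything else is changed.
$Expected = "Hyper-V Replica Service/$ReplicaHost", "Hyper-V Replica Service/$($Computer.DNSHostName)"
$Missing  = @($Expected | Where-Object { $_ -notin $Computer.ServicePrincipalNames })
if ($Missing.Count) { "Missing SPNs: $($Missing -join ', ')" } else { 'Both Hyper-V Replica Service SPNs present.' }

# 2. What the Replica server is configured to accept
$Cfg = Get-VMReplicationServer -ComputerName $Computer.DNSHostName
"Replica enabled: $($Cfg.RepEnabled)  AuthType: $($Cfg.AuthType)  Kerberos port: $($Cfg.KerbAuthPort)  AllowAnyServer: $($Cfg.AllowAnyServer)"
Get-VMReplicationAuthorizationEntry -ComputerName $Computer.DNSHostName |
    Format-Table AllowedPrimaryServer, ReplicaStorageLocation, TrustGroup -AutoSize

# 3. 0x00002EFD is a raw connect failure (WinHTTP cannot connect), reported
#    before any Kerberos exchange: test the configured port itself.
$Tcp = Test-NetConnection -ComputerName $Computer.DNSHostName -Port $Cfg.KerbAuthPort -WarningAction SilentlyContinue
"TCP $($Cfg.KerbAuthPort) reachable: $($Tcp.TcpTestSucceeded)"

# 4. Can this host obtain a Kerberos ticket for the Replica service across the trust?
klist get "Hyper-V Replica Service/$($Computer.DNSHostName)"
```

If step 3 fails with firewalls off, the primary is calling a port the Replica listener is not on (the event text names 443; the Kerberos default is 80) or the VPN path does not pass it; if step 3 succeeds and step 4 fails, the trust or SPN registration is the problem, not the network.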


How to perform domain joining with different subnets or networks?


Dear Team,

Consider my organization having different subnets or networks:

My domain controller (with DNS)
IP: 172.17.23.152
Subnet mask: 255.255.255.0
Gateway: 172.17.23.1

2nd domain controller (with DNS)
IP: 172.17.23.153
Subnet mask: 255.255.255.0
Gateway: 172.17.23.1

Client 1 (machine joined to domain successfully)
IP: 172.17.23.20
Subnet mask: 255.255.255.0
Gateway: 172.17.23.1
DNS we have given:
primary 172.17.23.152 (IP of 1st domain controller)
secondary 172.17.23.153 (IP of 2nd domain controller)

Client 2 (different subnet and gateway; not able to join domain)
IP: 172.17.21.56
Subnet mask: 255.255.255.0
Gateway: 172.17.21.1
DNS we have given:
primary 172.17.23.152 (IP of 1st domain controller)
secondary 172.17.23.153 (IP of 2nd domain controller)

While trying to join the domain it gives this error:

Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "domain.com"

The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)

The query was for the SRV record for _ldap._tcp.dc._msdcs.domain.com

The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:

 172.17.23.152

 172.17.23.153 



Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

How can I join my client 2 to the domain?

Regards 

Aghil
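A way to isolate the failure from Client 2 before retrying the join, as an added example that is not from the post above: DNS reachability, the SRV answer each DNS server gives, and the DC ports that must cross the router. The addresses and the domain name are the post's; the join itself is not attempted.

```powershell
# Added example, not from the original post. Run on Client 2 before retrying
# the join: isolates DNS reachability, the SRV answer, and the DC ports that
# must cross the router. Addresses and domain name are the post's.
$Domain = 'domain.com'
$Dns    = '172.17.23.152', '172.17.23.153'

foreach ($srv in $Dns) {
    # ERROR_TIMEOUT on the SRV query means no answer at all. Test-NetConnection
    # only speaks TCP, but a router ACL that drops this subnet drops 53/udp too.
    $t = Test-NetConnection -ComputerName $srv -Port 53 -WarningAction SilentlyContinue
    "DNS $srv : ping=$($t.PingSucceeded) tcp53=$($t.TcpTestSucceeded)"

    # Ask that server directly for the locator record the join wizard asked for
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $srv -DnsOnly -ErrorAction Stop |
            Where-Object Type -eq 'SRV' |
            ForEach-Object { "  SRV -> $($_.NameTarget):$($_.Port)" }
    } catch {
        "  SRV query failed: $($_.Exception.Message)"
    }
}

# Once SRV resolves, these DC ports must be reachable from the client's subnet
# for the join (and later logons) to succeed.
$Ports = [ordered]@{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos password change' }
foreach ($p in $Ports.Keys) {
    $t = Test-NetConnection -ComputerName $Dns[0] -Port $p -WarningAction SilentlyContinue
    "DC $($Dns[0]) port $p ($($Ports[$p])): $($t.TcpTestSucceeded)"
}

# Finally, what the DC locator itself returns (the same path the join uses)
nltest /dsgetdc:$Domain /force
```

A timeout rather than a refusal on port 53, with the same servers answering fine from the 172.17.23.0/24 subnet, points at the router or an ACL between 172.17.21.0/24 and 172.17.23.0/24 rather than at DNS itself; once 53 passes, the dynamic RPC range (49152-65535 on current Windows) is the next thing such an ACL usually lacks.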


Ransomware encrypted GPT.ini


In a Server 2003 setting, the gpt.ini file in our SYSVOL folder has been encrypted across all our DCs. I have a backup of the "system state" on the DCs made using NTBackup and was going to just restore the GPT.ini file that had been corrupted, but it appears NTBackup will only restore the entire system state at once. I can try to redirect that restore to an alternative location, but I'm not sure that will have the desired effect and instead the full system state will be restored, which I don't want, since I know that group policy has not been changed since the last system state backup. I could run the dcgpofix tool, but we are also running Exchange Server and I'm worried that resetting the GPO back to the default will cause problems there. Any suggestions for recovering my domain and DC policy?
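A way to see exactly which GPOs are affected before deciding between a redirected restore and dcgpofix, as an added example that is not from the post above. It compares each GPO's versionNumber in AD with the Version line in its gpt.ini in SYSVOL; an encrypted file fails the parse. It uses ADSI rather than the ActiveDirectory module so it can run from any domain-joined admin host against 2003 DCs.

```powershell
# Added example, not from the original post. Lists each GPO whose gpt.ini in
# SYSVOL is unreadable or out of step with the version stored in AD, so only
# those need restoring. ADSI only, so it works against Server 2003 DCs.
$RootDse = [ADSI]'LDAP://RootDSE'
$DomDn   = [string]$RootDse.defaultNamingContext

$Searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
$Searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$DomDn"
$Searcher.PageSize = 500
foreach ($p in 'displayName', 'cn', 'versionNumber', 'gPCFileSysPath') { [void]$Searcher.PropertiesToLoad.Add($p) }

foreach ($r in $Searcher.FindAll()) {
    $name  = [string]$r.Properties['displayname'][0]
    $guid  = [string]$r.Properties['cn'][0]
    $adVer = [int]$r.Properties['versionnumber'][0]
    $ini   = Join-Path ([string]$r.Properties['gpcfilesyspath'][0]) 'gpt.ini'

    $status = if (-not (Test-Path -LiteralPath $ini)) {
        'gpt.ini missing'
    } else {
        # A healthy gpt.ini is plain INI text with a single Version= line whose
        # value equals the AD versionNumber. Ciphertext matches neither.
        $text = Get-Content -LiteralPath $ini -Raw -ErrorAction SilentlyContinue
        if ($text -match '(?m)^\s*Version\s*=\s*(\d+)\s*$') {
            $fsVer = [int]$matches[1]
            if ($fsVer -eq $adVer) { 'OK' } else { "version mismatch (AD $adVer, SYSVOL $fsVer)" }
        } else {
            'gpt.ini unreadable (not INI text)'
        }
    }
    [pscustomobject]@{ GPO = $name; Guid = $guid; ADVersion = $adVer; Status = $status }
} | Sort-Object Status, GPO | Format-Table -AutoSize
```

Because gpt.ini is per-GPO, the list tells you which policy folders a redirected system-state restore has to supply; the rest of SYSVOL can stay as it is. Run it again after the restore: every row should read OK, and any that still differ are the ones replication has not yet carried to that DC.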

adprep.exe /DomainPrep /GPPrep


When I try to execute adprep in my AD I get this error; please, some help:

C:\adprep>adprep.exe  /DomainPrep /GPPrep
Running domainprep ...

Adprep was unable to modify the security descriptor on object CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxxx,DC=xx.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20190530093213 directory for more information.

Adprep encountered an LDAP error.
Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=File Replication Service,CN=System,DC=xxxx,DC=xx'
.

Adprep was unable to update domain information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

Event ID - 4015 : The DNS server has encountered a critical error from the Active Directory.


Hi,

My RODC is showing the following event.

"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

But the DNS service is OK and AD is functioning properly. So why is this type of event created, and how can I solve the error?

Or is this error avoidable?

Thank You,

Mosharrof

Linux computer lost trust relationship


Hello,

Linux administrators use AD DS for user authentication and provide roaming profiles using Samba. But for some reason the computer broke trust with AD (or AD broke trust with the PC). The Linux administrator tries to explain the pattern:

On computer A:

1. User logs on and authenticates in AD
2. Tries to get profile, goes to the Samba server
3. Samba, using the user's credentials, asks for group membership
4. AD gives group membership
5. User syncs his profile

If the client tries to log on from another computer, "B", then AD begins not to trust computer "A" when the user comes back to computer "A".

Possibly DC01 answers for computer A and DC02 answers for computer B.

What reason could there be?

Extend Our Schema with a Customized Schema Attribute

Hope I placed this in the correct forum. We are in need of creating a BadgeNum attribute in our Active Directory schema - defaults won't do. We have never done this before but would guess that the use of adsiedit.msc would be required. Does anyone have proven steps on how to go about this?
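The same extension done with the ActiveDirectory module instead of adsiedit.msc, as an added example that is not from the post above: a single-valued string attribute named badgeNum, added as optional to the user class. The OID is a placeholder (schema attributes need an OID from your own arc; Microsoft's oidgen.vbs hands out one under 1.2.840.113556.1.8000.2554), the account running it must be in Schema Admins, and, because schema additions can only be defuncted and never deleted, the first run belongs in a lab forest.

```powershell
# Added example, not from the original post. Adds a single-valued Unicode string
# attribute 'badgeNum' to the schema and makes it optional on the user class.
# The OID below is a PLACEHOLDER; obtain your own before running.
Import-Module ActiveDirectory

$SchemaMaster = (Get-ADForest).SchemaMaster
$SchemaNc     = (Get-ADRootDSE -Server $SchemaMaster).schemaNamingContext
$AttrName     = 'badgeNum'
$AttrOid      = '1.2.840.113556.1.8000.2554.99999.1'   # placeholder OID

# 1. Create the attributeSchema object on the schema master.
New-ADObject -Server $SchemaMaster -Name $AttrName -Type attributeSchema -Path $SchemaNc -OtherAttributes @{
    lDAPDisplayName               = $AttrName
    attributeID                   = $AttrOid
    attributeSyntax               = '2.5.5.12'    # Unicode string
    oMSyntax                      = 64            # the oMSyntax that pairs with 2.5.5.12
    isSingleValued                = $true
    searchFlags                   = 1             # indexed, so lookups by badge number stay cheap
    isMemberOfPartialAttributeSet = $false        # not replicated to the GC
    adminDescription              = 'Employee badge number (custom attribute)'
}

# 2. Reload the schema cache on the schema master so the new attribute can be
#    referenced by the class change below.
$RootDse = [ADSI]"LDAP://$SchemaMaster/RootDSE"
$RootDse.Put('schemaUpdateNow', 1)
$RootDse.SetInfo()

# 3. Add it to the user class as an optional attribute (mayContain).
Set-ADObject -Server $SchemaMaster -Identity "CN=User,$SchemaNc" -Add @{ mayContain = $AttrName }
$RootDse.Put('schemaUpdateNow', 1)
$RootDse.SetInfo()

# 4. Verify the definition; after this the attribute can be set on users, e.g.
#    Set-ADUser jdoe -Add @{ badgeNum = '12345' }
Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNc -LDAPFilter "(lDAPDisplayName=$AttrName)" `
    -Properties attributeID, attributeSyntax, oMSyntax, isSingleValued, searchFlags
```

The one design decision worth making up front is searchFlags: bit 1 indexes the attribute, which is what makes "find the user with badge 12345" a cheap query; leaving it unindexed forces a full scan of the user container on every lookup.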

Francisco Mercado Jr.

User Permission


Hi everybody, 

I would like to create a kind of restricted policy that gives the user the power to:

- Join computers to the domain in the network

- Add/remove users to/from groups

- Access all shared folders on the network (read only)

I appreciate it in advance.

Regards

Yashica

Is Windows 2019 released or not?

Hi,

Is it already possible to use Windows 2019 to change my domain controllers?

Is the procedure for installing in a domain and changing DCs the same as what we usually do?

- Promote new DCs
- Transfer functions

Thank you.

Interactive Log On, badPwdCount not correct


Hello,

I've been scouring the internet without finding anything that is helping my situation. My problem is that it seems like some of our workstations on the interactive logon screen show a wrong number of failed logins when an empty password is used (this has nothing to do with n-1 or 2 passwords); some show the proper number, and others don't. I've checked the AD with a PowerShell script to see the actual number, and the numbers I get coincide with what the failed login screen is saying. Has anyone run into this problem before? I'm stumped. I should mention this is a Win 10 workstation and Win 2012R2 server being used.

As an aside, has anyone used SmartCard with the interactive login and found that they actually do count the number of failed logins? I feel as though because the authentication happens on the smart card, they are likely never going to be counted and will always show no interactive failed attempts.

Thanks,

Brandon
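A way to see the counters behind both numbers on every DC at once, as an added example that is not from the post above. badPwdCount is not replicated (each DC keeps its own, and the PDC emulator receives the forwarded failures, so it holds the aggregate), whereas the msDS-FailedInteractiveLogon* attributes that feed the logon-screen message replicate like ordinary attributes; querying one DC at a time hides that difference. The account name is a placeholder; the script assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post. Reads the failed-logon counters
# for one account from every DC. The account name is a placeholder.
Import-Module ActiveDirectory

$User = 'jdoe'   # placeholder
$Pdc  = (Get-ADDomain).PDCEmulator
$Attrs = 'badPwdCount', 'badPasswordTime', 'lastLogon',
         'msDS-FailedInteractiveLogonCount',
         'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon',
         'msDS-LastFailedInteractiveLogonTime'

# Helper: AD stores these timestamps as FILETIME integers; 0 means never.
function ConvertFrom-FileTime([long]$Value) {
    if ($Value -gt 0) { [DateTime]::FromFileTime($Value) } else { $null }
}

Get-ADDomainController -Filter * | Sort-Object HostName | ForEach-Object {
    $dc = $_.HostName
    try {
        # -Server pins the query to this DC; without it the values would come
        # from whichever DC the module happened to bind to.
        $u = Get-ADUser -Identity $User -Server $dc -Properties $Attrs
        [pscustomobject]@{
            DC                      = $dc + $(if ($dc -eq $Pdc) { ' (PDC)' })
            badPwdCount             = $u.badPwdCount
            badPasswordTime         = ConvertFrom-FileTime $u.badPasswordTime
            lastLogon               = ConvertFrom-FileTime $u.lastLogon
            FailedInteractive       = $u.'msDS-FailedInteractiveLogonCount'
            FailedSinceLastSuccess  = $u.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
            LastFailedInteractive   = ConvertFrom-FileTime $u.'msDS-LastFailedInteractiveLogonTime'
        }
    } catch {
        [pscustomobject]@{ DC = $dc; badPwdCount = "query failed: $($_.Exception.Message)" }
    }
} | Format-Table -AutoSize
```

The msDS-FailedInteractiveLogon* values are only maintained when the policy "Interactive logon: Display information about previous logons during user logon" is applied and the domain functional level is 2008 or higher; the smart-card question in the post is easiest to answer empirically the same way, by watching whether FailedInteractive moves after a deliberate failed PIN entry.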


Errors in DCDIAG


Scenario:

Site A (Being Decommissioned):

  • DC1
  • DC2

Site B (New Data Center):

  • DC3
  • DC4

Issue:

After building out net-new DC3 and DC4, joining them to the domain and promoting them to domain controllers, I moved the PDC role from DC2 to DC4. When about to shut down DC1 and DC2, we noticed that when they are shut down, PCs are not able to log in to the domain. Long story short, DCDIAG showed a bunch of errors, listed below:

  • DC1 - Failing dcdiag LocatorCheck PDC Error 1355
  • DC2 - Failing dcdiag LocatorCheck PDC Error 1355
  • DC3 - Failing Advertising, DSGetName returned info for DC1 when trying DC3
  • DC3 - NetLogons failing (Unable to connect to Netlogon Share \\DC3\netlogon, Error 67)
  • DC3 - Failing dcdiag LocatorCheck PDC Error 1355
  • DC4 - Failing Advertising, DSGetName returned info for DC2 when trying DC4
  • DC4 - NetLogons failing (Unable to connect to Netlogon Share \\DC4\netlogon, Error 67)

Any idea on what may be causing some of this and how to correct it so that I am able to properly decommission DC1 and DC2?
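An audit of the two things the dcdiag output above complains about, as an added example that is not from the post: which DCs the locator SRV records still advertise, and whether the remaining DCs actually expose their Netlogon and SYSVOL shares. DC names are the post's; the domain name is a placeholder. The script assumes the ActiveDirectory module and remoting to DC3 and DC4.

```powershell
# Added example, not from the original post. Audits locator records and
# Netlogon/SYSVOL shares ahead of decommissioning DC1 and DC2.
Import-Module ActiveDirectory

$Domain   = 'contoso.com'                 # placeholder
$Retiring = 'DC1', 'DC2'
$Staying  = 'DC3', 'DC4'

# 1. Locator records. Error 1355 on LocatorCheck is "no DC could be located";
#    a record that still points at a DC being shut down explains it.
$Records = [ordered]@{
    'dc'  = "_ldap._tcp.dc._msdcs.$Domain"
    'pdc' = "_ldap._tcp.pdc._msdcs.$Domain"
    'gc'  = "_ldap._tcp.gc._msdcs.$Domain"
    'kdc' = "_kerberos._tcp.dc._msdcs.$Domain"
}
foreach ($k in $Records.Keys) {
    $targets = @(Resolve-DnsName -Name $Records[$k] -Type SRV -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'SRV').NameTarget
    $stale   = @($targets | Where-Object { ($_ -split '\.')[0] -in $Retiring })
    "$k : $($targets -join ', ')" + $(if ($stale.Count) { "   <-- still advertises $($stale -join ', ')" })
}

# 2. Who holds the roles now (the PDC record above must agree with this)
$Dom = Get-ADDomain -Identity $Domain
"PDC emulator: $($Dom.PDCEmulator)   RID: $($Dom.RIDMaster)   Infrastructure: $($Dom.InfrastructureMaster)"

# 3. Netlogon / SYSVOL shares on the DCs that are staying
#    (Error 67 = ERROR_BAD_NET_NAME: the share does not exist)
foreach ($dc in $Staying) {
    foreach ($share in 'netlogon', 'sysvol') {
        "\\$dc\$share : $(Test-Path "\\$dc\$share")"
    }
}

# A DC that has not completed initial SYSVOL replication never creates those
# shares and does not advertise; SysvolReady = 1 is Netlogon's own signal.
Invoke-Command -ComputerName $Staying -ScriptBlock {
    $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady -ErrorAction SilentlyContinue
    [pscustomobject]@{ DC = $env:COMPUTERNAME; SysvolReady = $v.SysvolReady }
} | Format-Table DC, SysvolReady -AutoSize
```

Two of the dcdiag lines (Netlogon share Error 67 on DC3 and DC4, plus "Advertising" failing) are what a DC looks like when SYSVOL has never finished replicating to it: Netlogon withholds the shares and the locator keeps returning the old DCs. Until SysvolReady reads 1 on DC3 and DC4, shutting down DC1 and DC2 will keep producing exactly the logon failures described.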

DFSR Database cloning: Copy(as pre-seed) vs copy a database


Hi,

I just have a simple question. In order to clone a database from SRV1 to SRV2 we need to first export the database. Then there is a time to do both pre-seeding of data plus copying the aforementioned database. Do I use robocopy in both situations? Then import the database with PowerShell?

Thanks for the answer!
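The documented DFSR clone sequence written out end to end, as an added example that is not from the post above. Export-DfsrClone, Import-DfsrClone and Get-DfsrCloneState are the Windows Server 2012 R2 and later DFSR cmdlets; the robocopy switches are the ones Microsoft's cloning guide uses. Server names are the post's; the volume, replicated folder and clone paths are placeholders.

```powershell
# Added example, not from the original post. Pre-seeds a replicated folder and
# clones the DFSR database from SRV1 to SRV2. Paths and volume are placeholders.
$Source    = 'SRV1'
$Target    = 'SRV2'
$Volume    = 'D:'
$RfPath    = 'D:\Data'          # replicated folder root, same on both servers
$ClonePath = 'D:\DfsrClone'     # export location for the database + metadata XML

# Turns a local path into its administrative share UNC (D:\Data -> \\srv\D$\Data)
function Get-AdminUnc([string]$Server, [string]$LocalPath) {
    "\\$Server\$($LocalPath -replace ':', '$')"
}

# 1. On SRV1: export the DFSR database for the volume. The clone folder then
#    holds the database and a DfsrClone XML describing every file's hash.
Invoke-Command -ComputerName $Source -ScriptBlock {
    Export-DfsrClone -Volume $using:Volume -Path $using:ClonePath
}

# 2. Pre-seed the data with robocopy. /B uses backup semantics, /COPYALL keeps
#    ACLs and attributes (a hash mismatch otherwise forces a full resync),
#    /XD DfsrPrivate skips DFSR's own working folder.
robocopy (Get-AdminUnc $Source $RfPath) (Get-AdminUnc $Target $RfPath) `
    /E /B /COPYALL /R:6 /W:5 /MT:64 /XD DfsrPrivate /TEE "/LOG+:$env:TEMP\preseed-data.log"

# 3. The exported database folder is copied the same way; no special tool.
robocopy (Get-AdminUnc $Source $ClonePath) (Get-AdminUnc $Target $ClonePath) `
    /E /B /COPYALL /R:6 /W:5 /TEE "/LOG+:$env:TEMP\preseed-db.log"

# 4. On SRV2: import the database, then watch it validate. Import runs in the
#    background; Get-DfsrCloneState reports Ready when it has finished.
Invoke-Command -ComputerName $Target -ScriptBlock {
    Import-DfsrClone -Volume $using:Volume -Path $using:ClonePath
    Get-DfsrCloneState
}
```

So, to the question as asked: yes, robocopy for both copies, with the same switches, and the PowerShell import afterwards. The import only succeeds on a volume that does not yet hold a DFSR database, which is why SRV2's membership in the replication group is added after step 4, not before.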


AD LDS - Create new application partition


Hello!

I have two AD LDS instances in one configuration set and I am trying to create a new application partition. I am following an MSDN article (unfortunately I cannot provide the link here; I do not have enough karma) which describes this process for Active Directory. Now for the instance that was the first in the set all works perfectly, but when I am trying to create another application partition on the second server (create a domainDNS object) it gives me an "Unwilling to perform" error.

My guess is that it has something to do with the first server being Naming Master. In case of Active Directory the document says that we need to bind to the server where we would like to create a partition with the delegation option to "allow the domain controller to contact the Domain-Naming FSMO role holder". The problem is that I could not find such an option for the ldap_connect function which I am using to connect to AD LDS servers.

Any help would be great, thank you.

Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When we checked replication today we saw the error below:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC has inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how I should troubleshoot this.
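The checks a DsBind "Access is denied" between two DCs usually comes down to, as an added example that is not from the post above, run on the DC that reported the error. Names are the post's (AD1 reporting, AD2 the partner); the script assumes the ActiveDirectory module and Domain Admin rights. The DRS interface GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2 in the replication SPN is Windows' fixed value.

```powershell
# Added example, not from the original post. Run on AD1: the usual causes of
# "DsBindWithCred ... status 5 (Access is denied)" against a partner DC.
Import-Module ActiveDirectory

$Peer         = 'AD2'
$PeerDc       = Get-ADDomainController -Identity $Peer
$PeerComputer = Get-ADComputer -Identity $Peer -Properties ServicePrincipalNames, PasswordLastSet

# 1. repadmin binding to localhost is denied from a non-elevated prompt on
#    2012-era DCs; rule that out before chasing anything else.
$IsElevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated prompt: $IsElevated"

# 2. Kerberos tolerates 5 minutes of clock skew by default; beyond that every
#    authenticated RPC comes back as access denied.
w32tm /stripchart /computer:$($PeerDc.HostName) /samples:3 /dataonly

# 3. SPNs the partner's computer account must carry: the replication SPN
#    (DRS interface GUID / partner's NTDS Settings objectGUID / domain) and LDAP.
$DsaGuid = (Get-ADObject -Identity $PeerDc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
$ReplSpn = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/$DsaGuid/$($PeerDc.Domain)"
$LdapSpn = "ldap/$($PeerDc.HostName)"
foreach ($spn in $ReplSpn, $LdapSpn) {
    $state = if ($spn -in $PeerComputer.ServicePrincipalNames) { 'present' } else { 'MISSING' }
    "$state : $spn"
}
"Partner computer account password last set: $($PeerComputer.PasswordLastSet)"

# 4. Can this DC obtain a Kerberos ticket for the partner's LDAP service?
klist get $LdapSpn

# 5. Recent Directory Service events naming the usual causes: 1645 (SPN not
#    registered), 1925 (replication link could not be established),
#    2042 (partner has not replicated for longer than the tombstone lifetime).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1645, 1925, 2042 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap -AutoSize
```

The order matters: an unelevated console and clock skew are five-second fixes and account for most of these reports on a two-DC domain that "did not change"; a 2042 event, by contrast, means the partnership has lapsed past the tombstone lifetime and the problematic DC should be demoted and re-promoted rather than forced back into replication.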
