Channel: Directory Services forum
Viewing all 31638 articles

Merge existing on prem Active Directory to existing office 365 environment

We currently have an On premises Active Directory with close to 500 users as well as a separate office 365 account that contains as many users as well as distribution lists, public folders, and shared mailboxes. When creating a new user, we have to create an ad account and then create the user in office 365. Both systems have 2 different passwords for the user as they are running completely separate from each other.

The question is simply how can I merge these two systems so that

1. when I create an account in active directory, it creates the office 365 account.

2. Links the current AD user to its respective office 365 account.

3. The account uses the AD password for both computer logins and email

4. When the user accounts are synced, I do not lose the distribution lists and security groups within office 365.

and finally, as our company is in the medical field, can I set up a test environment using our existing AD and office 365 information to simulate the merge and ensure it works before actually committing to it?

thanks


AD Replication Error 1726

Hello Experts,

While running >Repadmin /replsummary the following errors appear

I have checked port 135 on both replication partners and it is open, and there are currently no firewall rules blocking either. What other troubleshooting steps can I proceed with?

Interactive Log On, badPwdCount not correct

Hello,

I've been scouring the internet without finding anything that is helping my situation. My problem is that it seems like some of our workstations on the interactive logon screen show a wrong number of failed logins when an empty password is used (this has nothing to do with n-1 or 2 passwords), some show the proper number, and others don't. I've checked the AD with a PowerShell script to see the actual number and the numbers I get coincide with what the failed login screen is saying. Has anyone run into this problem before? I'm stumped. I should mention this is a Win 10 workstation and Win 2012R2 server being used.

As an aside, has anyone used SmartCard with the interactive login and found that they actually do count the number of failed logins? I feel as though because the authentication happens on the smart card, they are likely never going to be counted and will always show no interactive failed attempts.

Thanks,

Brandon


DNS Issue - Can not find external web site

Recently moved the location of our website from one external hosting company to another.  My internal network is not finding the website after the move.  My NSLookup from the DNS server is pointing to the correct GoDaddy IP address.  I am getting 'page can not be displayed' on my internal network.  I have an AD environment.  Everything has been working for over 2 years until I moved the website to a different hosting company.  I believe it is a DNS issue on the AD.  If I change the DNS IP on a workstation from the AD IP to Google 8.8.8.8 the website comes up fine.  However for the domain, I have to have the internal AD IP in the workstation DNS or it drops off the domain.   I have triple checked that I have a www A record pointing to the correct IP in my DNS.  I have rebooted routers and servers.  Need help on what may be the issue. 

Deleted Domain System Volume. How do I recreate it; I have no backups

As the title suggests I am basically screwed. Before all this happened I had one problem: my group policies were not replicating from the PDC to the other DCs.

My fault is, I deleted all setting records in CN=DFSR-GlobalSettings\CN=Content  ( Default naming context => DC=  =>  CN=SYSTEM  => CN=DFSR-GlobalSettings => CN=Content )   in ADSI Edit.

Event 6002 says: The DFS Replication service detected invalid msDFSR-Subscriber object data while polling for configuration information. I went back to DFS Management and ran a diagnostic report and I got the error below: 

+DFS Replication service detected an inconsistent msDFSR-Subscription object while polling domain controller xxx.xxxxx.local for configuration information. The object at CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=xxx,OU=Domain Controllers,DC=xxxx,DC=local references another object at C50C1C08-B937-41F0-A2D4-CA1EB33A343C that does not exist. Event ID: 6006

Please help me and teach me how to fix this; I have researched on the internet but I don't clearly know how to fix the issue. 

Thanks so much and have a good day!

setspn or adding rights in AD on Windows Server 2016

I'm trying to follow this article but I'm doing something wrong and/or misunderstanding what I'm supposed to do.    https://www.jacksontechnical.com/article.htm?id=57

I'm trying to replicate between two 2016 servers in different domains.   Perhaps I'm trying to modify the wrong objects or looking under the wrong names for services in 2016.

I tried setspn but failed

setspn -S "Hyper-V Replica Service/hostname" host1

or 

setspn -S "Hyper-V Replica Service/host1" host1 or with the domain extension

Call to DsGetDcNameWithAccountW failed with return value 0x00000525

I can reach the other server by name with ping or an SMB file share.

I'm trying to find the AD settings in the link above in 2016 and must be looking in the wrong place.  I'm in active directory users and computers.   I went to advanced view.   I selected the host server properties.   I have no idea how to add Microsoft Virtual Console Service or any of the other services listed there.   I have found a few similar articles but can't find something I can follow on how to add the service.


I am unable to remove domain controller manual.

Hi Support,

I have removed the 2008 R2 domain controller and promoted it again, but the name is still showing and the RODC is unable to communicate with the new domain controller.

I have removed all the old domain controller entries from DNS, Sites & Services and Active Directory Users and Computers, but when I run the command below it still shows the old server name:

C:\Windows\system32>Repadmin /replsum
Replication Summary Start Time: 2019-06-03 17:31:11

Beginning data collection for replication summary, this may take awhile:
  .....................

Source DSA          largest delta    fails/total %%   error
 TEST-LAB-DC-01    01d.21h:01m:01s   47 /  47  100  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
 LAB-TEST-ADC-01           13m:20s    0 /   5    0
 LAB-TEST-DC-01            06m:22s    0 /  10    0

 

Remove the Old server TEST-LAB-DC-01 ip address 10.0.045

 Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:43:45
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:43:45
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:45:56
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:45:56
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:46:13
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:46:13
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.

Should cross forest clients be authenticating against my domain controller

We have a forest trust between A and B.

Clients in A have accounts in B and access resources in B using those accounts.

Nothing has been granted to B to access A.

Our PDC is logging No_Client_Site authentications for all kinds of clients from B.  I checked the security log and couldn't match any audit success or failure to the Netlogon.log entries.  So I'm unclear why these clients would even be touching my domain controller.  Is this normal?

Thanks!


Problem to Deploy LAPS

Hello Everyone,

I have a problem when I try to deploy LAPS in my infrastructure.

I looked for the solution here but in my case it didn't solve it.

So when I use "Update-AdmPwdADSchema" the error appears:

"Update-AdmPwdADSchema: An Operation error occurred.

At line:1 char:1

...

+CategoryInfo             : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException

+ FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema"

I'm using the domain administrator account, which is within the Schema Admins group.

I downloaded LAPS from the official MS site and beforehand I installed it and used the command "import-module admpwd.ps".

I'm using Windows Server 2016 and the firewall is disabled.

Does anyone have the solution?

Thanks!!!


AD does not trust samba after user logs on on another computer

Hello,

Linux users use Active Directory for authentication and a Samba server to get their own profile.

1. User enters AD credentials on Linux-PC-01

2. AD approves and allows entry to the computer. User gets a Kerberos ticket.

3. Then on this PC an internal service tries to connect to Samba and asks for access to the profile

4. Samba validates the user through AD

5. AD approves and the user starts to mount and copy the profile

The problem begins if the user logs on on another computer, Linux-PC-02. He passes authentication successfully (steps 1-3), then tries to mount the profile. Samba asks AD and AD SOMETIMES answers "Do not trust this user". As a result Samba denies access to the profile, and the user gets a local (temp) profile.

After a few hours, if he re-tries mounting the profile, the problem does not arise.

P.S. The organization has two domains, each with its own Samba server and client. In domain A there are no problems, but in the new domain B the problem is present. Some thin options are present in the "A" AD domain (the previous administrator configured them), but these options are missing in the "B" domain.

FRS to DFSR migration and Journal Wrap

Hi,

Not sure if this is the right place to ask, please let me know if not.

We have some 2008 R2 DCs. They were running FRS for Sysvol but they went into Journal Wrap. 

We fixed that using burflags and everything was working OK, so we started the DFSRMIG and got to stage 2, where DFSR is active but FRS is still present. However, we stayed in that state for too long and hit another FRS journal wrap.

What would be the correct way to fix this?

Can we just "eliminate" FRS by going to step 3?

Do we have to fix FRS first (just to turn it off) and if we do have to fix this - can we fix this in the current state (step 2) or do we have to dial it back to fix it?

Thanks

We are facing an issue where a user is able to change their password on their own system but is not able to log in on their own desktop

Hello Team,

Please help me: some systems in our network are facing a trust relationship error. Randomly, systems are facing the trust relationship error, and the user is able to change their password but not able to log in on their own desktop.

Directory Service 2016 consideration / advice

hello everyone,

I have been tasked to design a forest with an independent IT structure.

Company Layout

2 main offices ( corporate headquarters )

70+ remote locations with a T1 connection back to the main office

1000+ users in each remote location

Approximately 100000 clients throughout the organization

what we want to accomplish with forest

integrated structures for authentication and authorization
SharePoint for the whole organization with specific privileges
hardware / software inventory in SCCM
monitoring servers in remote locations with SCOM
Exchange mail server for all users

What are your thoughts on the design? Do we run a parent with 70 children or do we run another design? What is your advice for this scenario?


Why do I need a secure-pipes connection to use Kerberos authentication to a DC

Can someone please help me with the following as I have never found an answer to this question

As far as I know/have heard/read etc.

In a Windows Active Directory Domain environment, if I (the user) want to authenticate to a domain controller (logon) using Kerberos then the computer I am logging in from must be domain joined. In other words the computer has to already share a secret (symmetric key/computer account password) with the DC in order that the computer authenticates in the first instance with the DC, and sets up a secure channel over which data can be encrypted to/from the computer and DC (leave Kerberos armoring to one side a moment as it is not relevant to my question).

So the computer has a secure connection to the DC (which I believe most people refer to as a secure-pipes connection, due to the pipes protocol).

The thing is I do not see why this secure connection is required for a user to perform Kerberos authentication to a DC (e.g. from a standalone workstation), for the following reason:

As long as the DC/KDC knows the user's long term key (password hash), e.g. entered by an Admin when the user was created, and the user knows the password too, then the usual Kerberos pre-authentication (encrypt timestamp with hash) can take place between the user and the DC (along with the rest of the Kerberos handshake protocol exchange). For example a TGT along with a session key can be delivered to the user (session key encrypted using the user's password hash as the key), etc....

So why on earth does it state everywhere I have come across this that you need an existing secure connection (domain joined computer) before the user can use Kerberos to authenticate themselves?

I would appreciate it if someone could explain (what I am missing, if anything), and if I am pointed to a URL please make it one with the answer in it to this specific question rather than a general discussion on Kerberos

Thanks very much everyone 

CXMelga
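
The exchange the post reasons about, written out as an added example that is not part of the original post or of any Windows component: a toy KDC that stores only long-term keys, a client that proves knowledge of the password by encrypting the current time (PA-ENC-TIMESTAMP), and an AS reply carrying a fresh session key under the user's key plus a TGT under the krbtgt key. Everything here is constructed: the realm, principal names and passwords, and the HMAC-SHA256-based stand-in cipher (real Kerberos etypes use AES-CTS with HMAC-SHA1 and an extra key-derivation step, and the messages are ASN.1-encoded and carry nonces and a PAC, all omitted). The model exercises exactly the point the post makes: no computer account or secure channel appears anywhere; only the user's key and the krbtgt key are used. The skew check shows why a stale timestamp is refused, which is the KDC's defence against replaying a captured pre-authentication blob.

```python
"""Toy model of the Kerberos AS exchange with PA-ENC-TIMESTAMP pre-authentication.

Added example, not from the original post. The cipher is a constructed stand-in
for a Kerberos etype; realm, principals and passwords are constructed values.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time

REALM = "EXAMPLE.LOCAL"      # constructed realm name
MAX_CLOCK_SKEW = 5 * 60      # Kerberos default maximum skew: 5 minutes


def long_term_key(principal: str, password: str) -> bytes:
    """Derive a principal's long-term key from its password.

    Real AES etypes run PBKDF2 over the password with salt = realm + principal and
    then a further DK() step; this stand-in keeps only the PBKDF2 part.
    """
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the etype's cipher, not Kerberos crypto.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. A wrong key fails here: this is how the KDC spots a bad password."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Minimal AS-REQ handler. It holds nothing but long-term keys, keyed by principal name."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def add_principal(self, principal: str, password: str) -> None:
        # What an admin does when creating the user: the KDC stores the derived key, not the password.
        self.keys[principal] = long_term_key(principal, password)

    def as_exchange(self, principal: str, pa_enc_timestamp: bytes, now: float | None = None):
        """Validate PA-ENC-TIMESTAMP; on success issue (enc_part, tgt). Returns (status, reply)."""
        now = time.time() if now is None else now
        key = self.keys.get(principal)
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
        try:
            (client_time,) = struct.unpack(">Q", decrypt(key, pa_enc_timestamp))
        except (ValueError, struct.error):
            return "KDC_ERR_PREAUTH_FAILED", None          # wrong password or tampered blob
        if abs(now - client_time) > MAX_CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW", None                 # stale timestamp: replay or clock drift
        session_key = os.urandom(32)
        enc_part = encrypt(key, session_key)               # readable only with the user's key
        tgt = encrypt(self.keys["krbtgt"], principal.encode() + b"|" + session_key)  # opaque to the client
        return "OK", (enc_part, tgt)


def client_preauth(principal: str, password: str, now: float | None = None) -> bytes:
    """Build PA-ENC-TIMESTAMP from nothing but the user's password and the local clock."""
    now = time.time() if now is None else now
    return encrypt(long_term_key(principal, password), struct.pack(">Q", int(now)))


def client_logon(kdc: KDC, principal: str, password: str, now: float | None = None):
    """Full AS exchange from the client's side; returns (status, session_key or None)."""
    status, reply = kdc.as_exchange(principal, client_preauth(principal, password, now), now)
    if status != "OK":
        return status, None
    enc_part, _tgt = reply
    return status, decrypt(long_term_key(principal, password), enc_part)


if __name__ == "__main__":
    kdc = KDC()
    kdc.add_principal("krbtgt", "constructed-krbtgt-secret")
    kdc.add_principal("alice", "correct horse battery staple")
    print(client_logon(kdc, "alice", "correct horse battery staple")[0])   # OK
    print(client_logon(kdc, "alice", "wrong password")[0])                 # KDC_ERR_PREAUTH_FAILED
```

Two details carry the security meaning. The KDC never learns the password: it only checks that the timestamp decrypts and authenticates under the key it already holds, so a wrong password surfaces as KDC_ERR_PREAUTH_FAILED before any ticket is issued. The TGT is sealed under the krbtgt key, which the client never holds, so the client can forward it but not read or alter it.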

Active Directory & Exchange Deployment on HCI (Hyper-converged infrastructure)

Dear All,

We are planning to deploy AD with Roaming Profile, DNS, DHCP & Exchange server for 1000+ users on HCI.

Requesting the hardware specification/sizing for the same. 

Regards,

Vijaiprabu N. 


LDAP Bind function call failed

I have a clean Win2016 server soon to be our DC. The machine is patched and joined to a Win2008 R2 DC.

Everything seems perfect until I run "gpupdate /force"; then I get the LDAP Bind failed error. Our current DC is a Win2008 R2 and I inherited it from the previous SA, and I'm not aware of previous restore or rebuild issues. The patches on the DC are not up to date for many reasons (closed area and no internet connection) and it runs everything: file and print, DHCP, DNS, etc.  

When I run gpresult -h c:\temp\results.html -f  this is what I get.

Four event IDs (7017, 1006, 7017 and 7326) were found and I'm trying to see how others solved this problem.

Also, when I'm logged on the Win2016 server I keep getting an authentication error message asking me to "lock and unlock the computer in order to login".

Here is a screenshot...... 

C:\Windows\system32>gpupdate /force
Updating policy...

"Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results"

nslookup works fine but I can't run gpupdate on this node.

C:\Windows\system32>nslookup
Default Server:  abc.com
Address:  10.221.1.201



NameServers for a DNS Zone not working

Hello,

We have a Windows Server 2016 running AD. We added a new zone to its DNS server and configured that zone to have not only the internal name servers but also its external name servers, but for some reason it only uses its internal name servers, so when an external site is called, it can't find it, for example:

Internal URL:

https://intranet.example.com

External URL:

https://www.example.com

What can we do so it points to the correct destination?

We want the Windows DNS to look in both places Internal and External NameServers for this.

Thanks.

DNS Scavenging for 3 domain infrastructure

Hi All,

We have 3 different domains under the same forest, and DNS scavenging is working well for 2 domains (zones), but for the other one it's not working as expected. Is there any way to find and fix it?

I hope DNS scavenging can be enabled on any one DC for the 3 domains; or is it necessary to enable scavenging on all the DCs in the domain/forest?

Thanks in advance.

Changing DHCP settings in a fail-over cluster

Hello,

We have followed this guide and have two DHCP servers in load sharing mode, not split scope. 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831385(v=ws.11)

Now, when we manage scope items in DHCP, are the changes supposed to replicate between the two servers?

AD LDS setup questions

Hi,
I have some questions on LDS. We already have an AD environment but want to set up an LDS server for specific applications.

In the Service Account Selection step:

Since I am in a domain environment, is it advisable to use a domain admin account?
The problem with using a domain admin account is that it is controlled by PAM and its password
changes every day. What will happen to my LDS service in this situation?


Can LDS work hand in hand with AD DS?
So if I install LDS in an existing AD environment, will all the data of AD get replicated to LDS?
Is it one-way replication (AD DS -> LDS), or is it two-way?

Can I install another LDS? So in my AD environment I will then have 2 LDS servers along with our domain controllers.
The 2nd LDS will serve as backup to the 1st LDS.