Channel: Directory Services forum

Directory Service 2016 consideration / advice


Hello everyone,

I have been tasked to design a forest with an independent IT structure.

Company layout

2 main offices (corporate headquarters)

70+ remote locations with a T1 connection back to the main office

1000+ users in each remote location

Approximately 100000 clients throughout the organization

What we want to accomplish with the forest

Integrated structures for authentication and authorization
SharePoint for the whole organization with specific privileges
Hardware/software inventory in SCCM
Monitoring servers in remote locations with SCOM
Exchange mail server for all users

What are your thoughts on the design? Do we run a parent with 70 children, or do we run another design? What is your advice for this scenario?

AD LDS setup questions

Hi,
I have some questions on LDS. We already have an AD environment but want to set up an LDS server for specific applications.

In the Service Account Selection step:

Since I am in a domain environment, is it advisable to use a domain admin account?
The problem with using a domain admin account is that it is controlled by PAM and the password
changes every day. What will happen to my LDS service in this situation?

Can LDS work hand in hand with AD DS?
So if I install LDS in an existing AD environment, will all the data of AD get replicated to LDS?
Is it a one-way replication (AD DS -> LDS), or is it two-way?

Can I install another LDS? So in my AD environment I will then have 2 LDS servers along with our domain servers.
The 2nd LDS will serve as a backup to the 1st LDS.

Help! I have no netlogon share, and sysvol empty


I expect you've seen this before as there's a lot of it on the web, but I've tried all sorts and no joy.

Existing Server 2008 R2 as the single domain controller, holding all 5 roles.

Built a new 2012 server in a workgroup, and without adding it to the domain I added the AD DS role and then promoted it to be a domain controller in one swift action. This is possibly where I went wrong, but...

The server was added OK and the SYSVOL share was created, but no NETLOGON.

There don't seem to be any errors on the original server, and the dcdiag errors just show problems about the missing NETLOGON share.

I don't have this reg key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

I've determined that FRS is eliminated on both old and new servers, so we should be using DFS; I've restarted that on both servers.

Can anyone help please, as I can't carry on this migration without this working. Should I demote the new DC and re-promote?

Thanks

Difference between user account and computer account in Active Directory?


What are the differences between the user account and the computer account in terms of their functionality?

AD Replication Error 1726


Hello Experts,

While running repadmin /replsummary the following errors appear:

I have checked port 135 on both replication partners and it is open, and there are currently no firewall rules blocking either. What other troubleshooting steps can I proceed with?

Create certificate for Chrome


Dear all,

Does anyone know how to create a self-signed certificate with Windows Server 2008 R2 AD CA that meets the requirements for Chrome? It keeps reporting Subject Alternative Name missing.
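Chrome matches the host name only against the Subject Alternative Name extension and ignores the Subject CN, so the certificate has to carry a SAN from the start. The following is an added example, not code from the post or from Microsoft: since the post describes an AD CS CA, it requests the certificate from that CA with certreq and a request INF that includes the SAN extension (OID 2.5.29.17). The host names, the "CAHost\CAName" config string and the template name are assumptions and must be replaced.

```powershell
# Added example: request a web server certificate with a SAN from an AD CS enterprise CA.
# Assumed values (replace with your own):
$fqdn  = 'web01.contoso.com'            # assumed server FQDN
$short = 'web01'                        # assumed short name, optional second SAN entry
$caCfg = 'ca01.contoso.com\Contoso-CA'  # assumed "CAHost\CAName"; list CAs with: certutil -dump
$tmpl  = 'WebServer'                    # assumed template that allows the subject to be supplied in the request

# certreq INF: the [Extensions] section adds the SAN; {text} with _continue_ lines builds the
# "dns=...&dns=..." value. Trailing '&' separators are tolerated by certreq.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$short&"

[RequestAttributes]
CertificateTemplate = $tmpl
"@

Set-Content -Path .\web01.inf -Value $inf -Encoding ASCII

# Generate the key pair and CSR in the machine store, submit it to the CA, install the result.
certreq -new    .\web01.inf .\web01.req
certreq -submit -config $caCfg .\web01.req .\web01.cer
certreq -accept .\web01.cer

# Verify the issued certificate actually carries the SAN before binding it in IIS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
```

Putting the SAN into the request as an extension means the CA does not need the EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag; that flag lets any requester attach arbitrary names to any template and should stay off.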

DHCP Users group can not Access DHCP Server Console


hi,

I've got a DHCP Server installed on Windows Server 2008 R2 Server Core.

It is separate from the DC.

I want to grant a user limited access.

As I read on TechNet, during the installation 2 local groups are created: DHCP Administrators and DHCP Users.

I put that user in the DHCP Users group, but when he tries to access the DHCP console and expand the DHCP server, it shows a red mark (see attachment).

Any ideas?


Costa Curta

why do we have msds-cloudextensionattribute1 Attribute on windows 2008r2 domain level


Hi All,

We are assessing the move to Office 365 and we were just wondering why we have msds-cloudextensionattribute1 available in our 2008 R2 environment, as it is stated that this attribute was not available before Server 2012. Could it be that Exchange 2010 SP3 added this attribute to our AD schema? Any ideas? Thank you very much.


Windows 7 Lockout -- All Accounts Are Locked Out!?


Hi all, 

I'm having a terribly difficult problem to solve, trying to understand lockout issues with Windows 7 Ultimate. I have done a vast amount of research on the topic, but to no avail; none of the suggestions seem to apply.

The environment is a private network in which the computer in question does not join the domain. One issue is that users must vary authentication between domain services and local computer services -- i.e. if they want to map a network drive or connect to MS Exchange Server through Outlook, then they must authenticate with their DOMAIN account. If they want to install software they must authenticate with the LOCAL ADMIN account. There are several local accounts on the computer, including administrator accounts. This computer is not connected to the internet. It is regularly updated, though, with Microsoft and other application security patches. It is also significantly locked down from a security perspective.

Users that experience the issue all SEEM to have one common denominator in that they are using the "Switch User" function to switch between various user accounts. This could be a factor of locking out one account and switching to the next, or could actually be part of the root problem.

The users report that "ALL ACCOUNTS HAVE BEEN LOCKED OUT". I did not even know such a state was possible unless you single-handedly went through each account and failed the password three times.

Is there a known issue in Windows 7 Ultimate that will trigger the account to be locked out because of switching users? Or anything that could lock out ALL accounts?

Please help; this problem does not seem to go away. It is the single greatest failure in the system right now.

Event 4771 hourly since Office 365 2FA Enabled


Since enabling two-factor authentication for two of my Office 365 accounts I am noticing that hourly an Event 4771 is logged on my domain controllers for these accounts. No other accounts alert with this event ID.

I know it probably has something to do with the app password that Office 365 2FA requires you to use, but I cannot figure out how to get it to stop other than disabling 2FA, which I do not want to do.

Additional Information:

Ticket Options:          0x40810010
Failure Code:            0x18
Pre-Authentication Type: 2

Any suggestions?
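In a 4771 event, Failure Code 0x18 is KDC_ERR_PREAUTH_FAILED (the client presented a key derived from a wrong password) and Pre-Authentication Type 2 is PA-ENC-TIMESTAMP, so the event says which account failed and the Client Address field says which host presented the stale credential. The script below is an added example, not from the post, that pulls the 4771 events for one account from a domain controller and groups them by client address so the hourly source stands out. The account name and DC name are assumed placeholders.

```powershell
# Added example: summarize Kerberos pre-authentication failures (Event ID 4771) for one
# account and group them by the client address that produced them.
# Assumed values (replace with your own):
$Account          = 'jdoe'   # assumed sAMAccountName of the 2FA-enabled user
$DomainController = 'DC1'    # assumed domain controller name
$Days             = 7

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $since
}

$rows = foreach ($e in $events) {
    # Turn the EventData <Data Name="..."> nodes into a name -> value table
    $x = [xml] $e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['TargetUserName'] -eq $Account) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $d['TargetUserName']
            ClientAddr  = $d['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
            ClientPort  = $d['IpPort']
            Status      = $d['Status']        # 0x18 = KDC_ERR_PREAUTH_FAILED
            PreAuthType = $d['PreAuthType']   # 2 = PA-ENC-TIMESTAMP
        }
    }
}

# A steady cadence from a single address points at a scheduled process or a cached
# credential on that host rather than a person typing a wrong password.
$rows | Group-Object ClientAddr, Status | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Run it against each DC that logs the events, since a client may contact different DCs over time; the First/Last columns show whether the failures started when 2FA was enabled.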

DirSync preference for search in Active Directory.


We are using the DirSync method for an IDirectorySearch search against an Active Directory Domain Controller. Since the user credentials do not have administrative rights, the search is not executed. But a replication error gets logged in the event viewer of the DC. Why is this happening? Can we prevent the event from being logged?

We are fine with the search not being able to execute and do not want to give the user admin credentials or the Replicating Directory Changes permission. It is part of a scheduled search and is hence causing a lot of error logs in the event viewer.

Delegate permissions in OU's: cannot move objects


Hi,

I have been asked to configure a set of permissions for level 1 staff in my Active Directory.

The scenario is as follows: a group of users has to be able to administer Computer objects at domain level. This means that those users have to be able to join computers to the domain, remove computers from it, and move computers between organizational units.

So I have created the group and delegated the Full Control permission on Computer objects at domain level to it.

And here is the weird issue. I create two OUs. I put a computer into one of them. By default, both OUs are created with 'Protect object from accidental deletion' checked. The user tries to move the computer from one OU to the other and gets an 'access denied' message.

I then look at the ACLs of both OUs, and the Everyone group has 'Special' set to 'Deny'. If I remove the 'Protect object from accidental deletion' check, the user still cannot move the computers. If I remove the Everyone group from both ACLs, or if I clear the Deny box, then the user can move the computer.

Now, if I create an OU without the 'Protect object from accidental deletion' check mark, the Everyone ACE is not created.

So it seems like there is a kind of bug: when you create an OU with protection, an Everyone Deny ACE is created, and from then on, no matter whether you uncheck the box, the protection remains until you remove the Everyone ACE.

This doesn't affect members of the built-in Administrators and Operators groups. But for normal users and non-built-in groups, this is not working as it is supposed to, and we cannot delegate these tasks correctly.

Can anybody help?

Question on AD LDS User Management

We currently use AD LDS on Windows Server 2008 as the directory server for authentication to our Cognos 10.2 reporting application. The user management in AD LDS is done via Cognos Access Manager within a Cognos namespace created in AD LDS, as it provides a user-friendly GUI to create/delete/disable user accounts/roles and add several user attributes.

We are planning to discontinue using Access Manager, due to end of support after a year, and we plan to do user management tasks via PowerShell scripts and ADSI Edit. However, we are unable to create new user roles via PowerShell or ADSI Edit. Is anyone aware of a similar user-friendly tool, like Access Manager, available for user management in AD LDS?

Thanks, Satish Vartak


Track interactive logins - Server 2008 R2


Hi

We are using a Server 2008 R2 DFL.

I'm looking to detect "interactive" logins via a PowerShell script; however, I don't see an interactive logon property on user accounts.

I have searched online and see a group policy to show interactive logon messages, but didn't see clearly how to enable interactive login auditing of user accounts.

From what I can gather I'd set a policy on the domain controllers telling them to record interactive logins, and thereafter I can use PowerShell to fetch this information.

I can't seem to find the specific steps to toggle the auditing of interactive logins on within group policy.

Am I on the right track?


confuseis
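Interactive logons are not stored on the user object; they are recorded as Event ID 4624 with Logon Type 2 in the Security log of the computer where the logon happened, once the Logon/Logoff > Audit Logon subcategory (Advanced Audit Policy Configuration in Group Policy, or auditpol.exe) is enabled for Success on that computer. A domain controller only logs 4624/type 2 for people logging on at the DC console itself; domain logons at workstations show up on the DC as Kerberos ticket requests (4768), not as 4624. The script below is an added example, not from the post, that collects 4624 type 2 events from a list of computers and flattens the event data into a table. The computer names are assumed placeholders.

```powershell
# Added example: collect interactive logons (Event ID 4624, LogonType 2) from the Security log
# of the given computers. Requires the "Audit Logon" subcategory enabled for Success on each
# target, e.g. via GPO or locally:  auditpol /set /subcategory:"Logon" /success:enable
# Assumed values (replace with your own):
$Computers = @('WKS01', 'WKS02')   # assumed computer names to query
$Hours     = 24

function Get-InteractiveLogon {
    param([string] $ComputerName, [datetime] $Since)

    # LogonType 2 = Interactive (console). 10 = RemoteInteractive (RDP) and
    # 11 = CachedInteractive are deliberately not collected here.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Turn the EventData <Data Name="..."> nodes into a name -> value table
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            if ($d['LogonType'] -eq '2') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Computer    = $ComputerName
                    User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                    Workstation = $d['WorkstationName']
                    SourceIP    = $d['IpAddress']
                    LogonId     = $d['TargetLogonId']   # correlates with the matching 4634/4647 logoff
                }
            }
        }
}

$since   = (Get-Date).AddHours(-$Hours)
$results = foreach ($c in $Computers) {
    try   { Get-InteractiveLogon -ComputerName $c -Since $since }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Querying many workstations one by one is slow; in a larger estate the same filter is normally applied in a central log collector or SIEM after forwarding the Security logs.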

Find identity of local group


How do I get identifying information about a Windows Server local group?

Background. We have installed Machine Learning Services for SQL Server 2017. When you do, it creates a local group called "SQLRUserGroup". This will create a service called LaunchPad that will spin up Python or R sessions with an identity of MSSQLSERVER?? (numbered), which are members of the SQLRUserGroup. We set up the login and permissions for the SQLRUserGroup on SQL Server and the process ran.

Getting closer to my question. We did something (I'm not sure what; upgraded Python packages, reinstalled the Machine Learning Services). At that point SQL Server no longer recognized the MSSQLSERVER?? logins as valid logins.

What I did to fix the problem was to drop the SQLRUserGroup login in SQL Server that we had created and recreate it. Python worked great.

My theory is that the upgrade/reinstall created a new SQLRUserGroup local group that had a different internal ID from the one that worked before the upgrade/reinstall. I would have expected that the SQLRUserGroup would have a different internal ID that would cause our loads to fail.

Here is where I am puzzled. Before I dropped the SQLRUserGroup login, I recorded the SID that SQL Server recorded for that Windows group. After I created the SQLRUserGroup login I recorded the SID again and it was the same as it was before recreating the SQLRUserGroup login.

So, back to my question. Is there some means (command line, PowerShell, GUI, registry setting) that I can use to find out the actual internal identity of a Windows local group?


Russel Loski, MCSE Data Platform/Business Intelligence Twitter: @sqlmovers; blog: www.sqlmovers.com
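The internal identity of a local group is its SID: the machine SID plus a relative identifier (RID) that is allocated from a counter when the group is created and is never reused, so a deleted-and-recreated group of the same name gets a new SID. SQL Server stores that SID for each Windows login in sys.server_principals. The script below is an added example, not from the post, that reads the local group's SID and compares it with the SID SQL Server holds for the corresponding login. The group name comes from the post; the SQL instance name is an assumption, and sqlcmd from the SQL Server client tools is assumed to be installed.

```powershell
# Added example: show the SID of a local group and compare it with the SID recorded for the
# matching Windows group login in SQL Server.
$GroupName   = 'SQLRUserGroup'   # from the post
$SqlInstance = 'localhost'       # assumed SQL Server instance

function Get-LocalGroupSid {
    param([string] $Name)
    # Get-LocalGroup exists in Windows PowerShell 5.1 / Server 2016+; the NTAccount
    # translation is the fallback for older hosts.
    try {
        (Get-LocalGroup -Name $Name -ErrorAction Stop).SID.Value
    } catch {
        $acct = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$Name")
        $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
}

$localSid = Get-LocalGroupSid -Name $GroupName
'Local group {0}\{1}: {2}' -f $env:COMPUTERNAME, $GroupName, $localSid

# Read-only query: type 'G' = Windows group login. CONVERT(..., 1) renders the binary SID as 0x...
$query  = "SELECT name, CONVERT(varchar(100), sid, 1) AS sid_hex FROM sys.server_principals " +
          "WHERE name LIKE '%\$GroupName' AND type = 'G';"
$sqlOut = & sqlcmd -S $SqlInstance -E -h -1 -W -Q $query

# Convert SQL Server's binary SID back to S-1-5-... form and compare with the live group.
foreach ($line in ($sqlOut | Where-Object { $_ -match '0x[0-9A-Fa-f]+' })) {
    $hex   = ($line -split '\s+')[-1] -replace '^0x', ''
    $bytes = [byte[]] (0..($hex.Length / 2 - 1) |
                ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
    $sqlSid = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    'SQL login {0}: {1}  matches local group: {2}' -f ($line -split '\s+')[0], $sqlSid, ($sqlSid -eq $localSid)
}
```

If the two SIDs differ, the login in SQL Server refers to a group that no longer exists on the machine, and dropping and recreating the login (which re-resolves the name to the current SID) is exactly what fixes it.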


W32Time : Non PDCe Domain Controller choosing the time source from VM Host ESXi Server.


Hi Friends,

I need your big help with this issue. In our environment all the Domain Controllers (Windows Server 2008 R2 & Windows Server 2012 R2) in one single forest/domain are VMware virtual machines, including the PDCe.

We started to see the domain time sync hierarchy broken between the PDCe and the other Domain Controllers, and also observed that when two DCs reboot they are left with a huge time difference, causing the time sync issue.

Currently what we are observing: a few DCs are syncing time with the PDCe successfully and advertising themselves as time servers. But 80% of the non-PDC DCs got broken; I mean, they are trying to use the time source from the ESXi host and getting a response too.

But how can we force the non-PDC DCs to fetch time from peer DCs or the PDCe?

How can we force a DC to sync its time from a specific peer Domain Controller?

So far the below mentioned actions were performed on the DCs.

1. Verified the PDCe and found it's configured to fetch time from the external NTP source; it is functional and advertising as a time source.

2. Verified the registry settings, all were good; all the non-PDC DCs are set with: NT5DS

3. On all the VM DCs, we ran the below command to see whether the DCs are configured to sync time with the host, but the command output is "Disabled":

C:\>"Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" timesync status

Disabled

We ran the below commands to configure the backup Domain Controllers for automatic domain time synchronization:

a. Open a Command Prompt.

b. Type the following command and then press ENTER:

w32tm /config /syncfromflags:DOMHIER /update

c. Type the following command and then press ENTER:

net stop w32time

d. Type the following command and then press ENTER:

net start w32time

Finally we re-registered the w32tm service on the DCs and tried the above commands again, but no luck.

==

We ran the w32tm /monitor command, but a few DCs' results show as below:

member.domain.com [x.x.x.x]:

ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
NTP: error ERROR_TIMEOUT - no response from server in 1000ms

DC3.domain.com [x.x.x.x]:

ICMP: 4ms delay.

NTP: -1.2811858s offset from dc2.domain.com
    RefID: unspecified / unsynchronized [0.0.0.0]

We plan to propose the below action plan to edit the .vmx files of the VM Domain Controllers.

As per the KB article: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

Add configuration options in the virtual machine's .vmx file:

  1. Power off the virtual machine.
  2. Connect to the host with an SSH session. For more information, see Using ESXi Shell in ESXi 5.x (2004746).
  3. Open the virtual machine's configuration file, located at /vmfs/volumes/datastore_name/vm_name/vm_name.vmx, using a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
  4. Set these options to zero. If the entries do not exist, add them. Note: 0 = disabled, 1 = enabled.

     tools.syncTime = "0"
     time.synchronize.continue = "0"
     time.synchronize.restore = "0"
     time.synchronize.resume.disk = "0"
     time.synchronize.shrink = "0"
     time.synchronize.tools.startup = "0"
     time.synchronize.tools.enable = "0"
     time.synchronize.resume.host = "0"

Ravi Ch



User can edit object on RODC server


I newly installed an RODC, then assigned it to UserA.

This RODC does not have DNS or GC enabled.

When I access the RODC as UserA, in ADUC I can change the DC to an RWDC; then UserA can modify "member of".

If ADUC connects to the RODC, any user is read-only.

I need to allow UserA access to the RODC only.

How can I disable changing the DC in ADUC for UserA, or disable the permission to modify "member of"?

DNS Issue - Can not find external web site

Recently moved the location of our website from one external hosting company to another. My internal network is not finding the website after the move. My nslookup from the DNS server is pointing to the correct GoDaddy IP address. I am getting 'page cannot be displayed' on my internal network. I have an AD environment. Everything had been working for over 2 years until I moved the website to a different hosting company. I believe it is a DNS issue on the AD. If I change the DNS IP on a workstation from the AD IP to Google 8.8.8.8 the website comes up fine. However, for the domain I have to have the internal AD IP in the workstation DNS or it drops off the domain. I have triple checked that I have a www A record pointing to the correct IP in my DNS. I have rebooted routers and servers. Need help on what may be the issue.

PowerShell Get-ADUser returns a false positive


Hi there,

here is the situation:

We have over the years moved from desktops to laptops; back in the day we mapped the user's drive to a UNC path in ADUC:

\\contoso\office\userdir$\%USERNAME%

Now we have moved most people to GPP using the server path \\FileServer-01\Office\UserDir$\%USERNAME%

We have used targeting in the GPP and have reached a point where we want to turn that off so the policy applies to all, but first we need to find all the users that still have a drive mapped in ADUC -> Profile -> Home folder.

Now we want to check which users are still using the ADUC method. So I run a PowerShell command to find those with homeDrive set:

Get-ADUser -Filter {(office -eq "office1")} -Properties * -SearchBase "OU=Departments,DC=contoso,DC=net" | select Name,office,HomeDrive,homeDirectory

This spits out a list of people with the HomeDir set, and it looks pretty good. The problem is it's a lie. I checked the top 30 results and found that none of them were set in ADUC. As in, the Profile tab -> Local Path is blank.

Does anyone have any better methods?


Chad the Dad
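The filter in the post selects on office only, so every user in that office is returned whether or not homeDirectory is populated; Select-Object then just prints whatever the attribute holds, which is how blank entries end up in the list. The script below is an added example, not from the post, that filters server-side on homeDirectory itself so only users with a value come back, and then classifies each value by whether it points at the legacy UNC path or the new file server path. The two paths and the search base are the ones quoted in the post.

```powershell
# Added example: list users whose home folder is still set on the AD user object and flag
# the ones pointing at the legacy UNC path quoted in the post.
Import-Module ActiveDirectory

$searchBase  = 'OU=Departments,DC=contoso,DC=net'   # from the post
$legacyRoot  = '\\contoso\office\userdir$\'          # old path set in ADUC (from the post)
$currentRoot = '\\FileServer-01\Office\UserDir$\'    # path now delivered by GPP (from the post)

# Filter on the attribute itself, server-side: only users with homeDirectory populated are
# returned, so an empty Profile tab cannot show up as a hit.
$users = Get-ADUser -Filter 'homeDirectory -like "*"' -SearchBase $searchBase `
            -Properties homeDirectory, homeDrive, Office

$report = foreach ($u in $users) {
    $source = if     ($u.homeDirectory -like "$legacyRoot*")  { 'Legacy ADUC path' }
              elseif ($u.homeDirectory -like "$currentRoot*") { 'New server path' }
              else                                            { 'Other' }
    [pscustomobject]@{
        Name          = $u.Name
        SamAccount    = $u.SamAccountName
        Office        = $u.Office
        HomeDrive     = $u.homeDrive
        HomeDirectory = $u.homeDirectory
        Source        = $source
    }
}

$report | Sort-Object Source, Name | Format-Table -AutoSize

# Summary per category; the 'Legacy ADUC path' count is the remaining GPP cut-over work.
$report | Group-Object Source | Select-Object Count, Name
```

Requesting only the three attributes instead of -Properties * keeps the query cheap across a large OU, and the Group-Object summary at the end gives the number still to migrate before the GPP targeting is removed.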
