Channel: Directory Services forum

Deployable (sub/child?) domain infrastructure


We currently have a standalone LAN with two domain controllers (Windows Server 2016).

We are tasked with creating a "deployable" part of the same LAN that will disconnect from the primary domain for up to three weeks at a time, at least three times a year. We want to be able to replicate certain portions of the domain (GPOs) to this deployable LAN, as well as Windows updates, backups and auditing, while it is connected to the main domain. But we want to avoid any kind of sync or replication errors when the LAN is not connected, and allow the domain controllers on the deployed LAN to still accomplish their roles.

The deployed LAN will have a separate DNS, DHCP and volume licensing from the main LAN.

Can someone suggest a solution that will allow us to accomplish this task?

Thank You!!


Multi-Site Environment : Clients randomly grabbing wrong LOGONSERVER and causing major issues


Good morning,

First off, let me fill you in on my environment. I manage the Windows environment for Pre-K through 12th grade public education. For some reason some of our clients are getting the wrong LOGONSERVER, which, when it happens, always ends up being the Pre-K domain server. All of our other DCs/sites are connected across town by a 10-gig fiber backbone, yet this one is connected through a 1-to-1 NAT slow internet connection... yet the few times this happens and the LOGONSERVER is incorrectly selected, it's ALWAYS this site.

I'll show you our site links / costs / replication intervals if that helps... but I'm at a loss from staring at this too long and I'm sure I'm overlooking something obvious.

Any Input/Suggestions are greatly appreciated!

Thank you!

Maximum Password age Password Policies


Hello,

I would like to change the Maximum Password Age policy setting from 90 days to 14 days on a temporary basis; later it will be set back to 90 days. The concern is how it will impact the users and what the best practice is for making this change.

For example, suppose the password policy is changed from 90 days to 14 days on Monday 24th June. When does it take effect for end users? Will every user's password-expiry attribute change so that they all reset their password after 14 days on a single day, or will passwords expire based on each user's password-last-set attribute value, so that users change their passwords within these 14 days? And what about the users who changed their password on 1st June: under the current policy their password would expire in August, so will they have to change their password immediately, or after 14 days as per the policy?

Kindly suggest the best practices and recommendations for carrying out this change without too big an impact.

Thanks

Aatif Kungle


Regards, Aatif Kungle
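An added illustration for the question above (editor's example, not code from the original post or any reply). It assumes the documented AD behaviour that a password's expiry is computed as pwdLastSet plus the effective maximum password age at the moment it is checked, so lowering the domain maximum age changes the expiry of every existing password at once; accounts flagged "password never expires" are unaffected, and accounts covered by a fine-grained password policy (PSO) follow the PSO rather than the domain default. The user records below are constructed; the function and parameter names are the editor's own.

```powershell
# Added example: impact analysis for lowering the domain maximum password age.
# Assumption illustrated: expiry = PasswordLastSet + MaxPasswordAge, evaluated
# when checked, so users whose password is already older than the new maximum
# on the effective date are expired immediately.
function Get-PasswordExpiryImpact {
    [CmdletBinding()]
    param(
        # Objects carrying SamAccountName, PasswordLastSet, PasswordNeverExpires
        # (the property names Get-ADUser uses).
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $User,
        [Parameter(Mandatory)] [timespan] $OldMaxAge,
        [Parameter(Mandatory)] [timespan] $NewMaxAge,
        # The day the lowered policy becomes effective.
        [Parameter(Mandatory)] [datetime] $EffectiveDate
    )
    process {
        foreach ($u in $User) {
            if ($u.PasswordNeverExpires) {
                $newExpiry = $null
                $impact    = 'Exempt (PasswordNeverExpires)'
            }
            elseif (-not $u.PasswordLastSet) {
                # pwdLastSet = 0 already means "must change at next logon".
                $newExpiry = $null
                $impact    = 'Already must change at next logon (pwdLastSet not set)'
            }
            else {
                $newExpiry = $u.PasswordLastSet + $NewMaxAge
                $impact = if ($newExpiry -le $EffectiveDate) {
                    'Expires immediately when the new policy takes effect'
                } else {
                    'Expires {0:d} ({1} day(s) after the change)' -f $newExpiry,
                        [int]($newExpiry - $EffectiveDate).TotalDays
                }
            }
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                PasswordLastSet = $u.PasswordLastSet
                ExpiryUnderOld  = if ($u.PasswordNeverExpires -or -not $u.PasswordLastSet) { $null }
                                  else { $u.PasswordLastSet + $OldMaxAge }
                ExpiryUnderNew  = $newExpiry
                Impact          = $impact
            }
        }
    }
}

# Constructed sample data standing in for Get-ADUser output.
$effective = [datetime]'2019-06-24'   # the Monday named in the question
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';      PasswordLastSet = [datetime]'2019-06-01'; PasswordNeverExpires = $false }  # 23 days old on the change date
    [pscustomobject]@{ SamAccountName = 'bob';        PasswordLastSet = [datetime]'2019-06-20'; PasswordNeverExpires = $false }  # 4 days old
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = [datetime]'2019-01-15'; PasswordNeverExpires = $true  }
    [pscustomobject]@{ SamAccountName = 'newhire';    PasswordLastSet = $null;                  PasswordNeverExpires = $false }
)

$report = Get-PasswordExpiryImpact -User $sample `
    -OldMaxAge ([timespan]::FromDays(90)) -NewMaxAge ([timespan]::FromDays(14)) -EffectiveDate $effective
$report | Format-Table -AutoSize

# How many users are forced to change on day one versus later.
$report | Group-Object Impact | Select-Object Count, Name
```

Against a real domain, replace $sample with `Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires` and take the current age from `(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge`; users covered by a PSO should be evaluated against that PSO's age instead. Running this before the change shows exactly which accounts (alice in the sample) will be prompted at their next logon on the effective date and which (bob) still have days left.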

Forest Trust between 2016 and 2003 functional level


Hi all,

We are doing a takeover of a customer's platform that currently has an AD at 2003 FFL/DFL.

However, all the DCs are on the 2008 R2 OS.

Now we're building a new platform for them, where we are going to deploy a new forest on the 2016 OS with 2016 FFL/DFL.

Obviously, they want us to create a forest trust between both ADs until we can de-provision the old one.

Does anybody know about limitations/issues in this scenario? I mean, I've been searching the MSFT official documentation regarding functional levels and I can only find DC OS compatibility, but nothing regarding trust compatibility or issues.

Furthermore, does anybody know about issues between these OS versions? Maybe something related to the SMB protocol?

Thanks a lot in advance.

My manually added local administrators get replaced by GPO - can they append instead?


Hey,

We're currently struggling with planning our new domain strategy.

We sometimes have the situation where we need to give an external service company local administrator rights on a server. The entry gets replaced after the server GPO is applied again.

Do you have an idea how to make the GPO append to the groups instead?

Regards,

Paul


Windows Security Log Event ID 4776

I'm seeing event ID 4776 on member servers that run batch jobs from a SQL server. The service account has the correct permissions, as jobs will run successfully several nights in a row, but then randomly fail on another night part way through with this code: MS-Security-Microsoft-Windows-Security-Auditing-4776 0xC0000064, meaning the account doesn't exist? Is my DC developing Alzheimer's?
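An added example for the post above (editor's code, not from the original post or any reply) that summarises Event ID 4776 records per account so that an account which validates fine some nights and returns 0xC0000064 on others stands out. It assumes the Properties array of a 4776 record from Get-WinEvent is, in order, PackageName, TargetUserName, Workstation, Status; the sample records below are constructed, and the function names are the editor's own.

```powershell
# Added example: per-account summary of NTLM credential validation (Event ID 4776).
# NTSTATUS values as documented for 4776/4625.
$Status4776 = @{
    '0x00000000' = 'Success'
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'Wrong password'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC0000193' = 'Account expired'
    '0xC0000224' = 'Must change password at next logon'
    '0xC0000234' = 'Account locked out'
}

function ConvertTo-Ntstatus {
    # Get-WinEvent may surface Status as a number or as a hex string; normalise both.
    param([object] $Value)
    $n = if ($Value -is [string]) { [Convert]::ToUInt32($Value, 16) } else { [uint32]$Value }
    return '0x{0:X8}' -f $n
}

function Get-Event4776Summary {
    param([Parameter(Mandatory)] [object[]] $Event)
    $rows = foreach ($e in $Event) {
        $p    = $e.Properties          # assumption: PackageName, TargetUserName, Workstation, Status
        $code = ConvertTo-Ntstatus $p[3].Value
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = $p[1].Value
            Workstation = $p[2].Value
            Status      = $code
            Meaning     = if ($Status4776.ContainsKey($code)) { $Status4776[$code] } else { 'Unknown' }
        }
    }
    foreach ($g in ($rows | Group-Object Account)) {
        $ok  = @($g.Group | Where-Object Status -eq '0x00000000')
        $bad = @($g.Group | Where-Object Status -ne '0x00000000')
        [pscustomobject]@{
            Account         = $g.Name
            Successes       = $ok.Count
            Failures        = $bad.Count
            FailureReasons  = ($bad | Select-Object -ExpandProperty Meaning -Unique) -join '; '
            Workstations    = ($g.Group | Select-Object -ExpandProperty Workstation -Unique) -join ', '
            FirstFailure    = ($bad | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
            # The symptom in the post: the same account both succeeds and gets "user name does not exist".
            IntermittentNotFound = ($ok.Count -gt 0 -and @($bad | Where-Object Status -eq '0xC0000064').Count -gt 0)
        }
    }
}

function New-Sample4776 {
    # Builds an object shaped like a Get-WinEvent record (constructed test data, not a real log).
    param([datetime] $When, [string] $Account, [string] $Workstation, [string] $Status)
    $props = foreach ($v in @('MICROSOFT_AUTHENTICATION_PACKAGE_V1_0', $Account, $Workstation, $Status)) {
        [pscustomobject]@{ Value = $v }
    }
    [pscustomobject]@{ Id = 4776; TimeCreated = $When; Properties = @($props) }
}

$sample = @(
    New-Sample4776 ([datetime]'2019-06-10 02:00') 'svc-sqljobs' 'APPSRV01' '0x0'
    New-Sample4776 ([datetime]'2019-06-11 02:00') 'svc-sqljobs' 'APPSRV01' '0x0'
    New-Sample4776 ([datetime]'2019-06-12 02:17') 'svc-sqljobs' 'APPSRV01' '0xC0000064'
    New-Sample4776 ([datetime]'2019-06-12 02:17') 'svc-sqljobs' 'APPSRV02' '0xC0000064'
    New-Sample4776 ([datetime]'2019-06-12 08:05') 'jdoe'        'WKS-0042' '0xC000006A'
    New-Sample4776 ([datetime]'2019-06-12 08:06') 'jdoe'        'WKS-0042' '0x0'
    New-Sample4776 ([datetime]'2019-06-12 23:40') 'admin'       'UNKNOWN'  '0xC0000064'
)
Get-Event4776Summary -Event $sample | Format-Table -AutoSize
```

For live data, pass `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776; StartTime=(Get-Date).AddDays(-14)}` as -Event, and collect it from every domain controller, since 4776 is logged on the computer that validated the credential rather than on the member server that ran the job. Because 4776 carries neither the account domain nor the logon type, correlate the FirstFailure timestamp with the member server's own 4625 events, which do.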

Windows Server 2012 R2 - software permissions not working, unwanted admin user and password prompt


Hello

I have a network of computers with Windows Server 2012 R2 and Windows 8.1 pro as clients.

On the server I have Active Directory, and I don't understand why every time I try to run an executable, Windows asks me for an administrator user and password.

I have configured software policies in User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies\Security Levels - Unrestricted. So all applications should install without a user and password prompt.

The file I must execute is named siui_extra_setup_4.2.9.exe and is found on the client computer in the directory C:\Program Files (x86)\SIUI-Extra\updates.

I also added:
- a "Hash rule" unrestricted for this file 
- and a "Path rule" unrestricted for the path C:\Program Files (x86)\SIUI-Extra\updates\*.*

How can I skip this user and password prompt?

This is the full policy extracted with gpresult from a computer with this problem: http://cc123.caido.ro/gpreport2.html
ADAM (AD LDS) sync issue


Dear All 

We lost the VM of the AD LDS server which we are using as a multi-forest telephone directory for CUCM. We restored the VM, but it was more than 6 months old and thus the instance was not running. After changing the date and time we started the service and rejoined it to the domain. Now the service is running fine and even the logs are OK, but now for any domain, if I run "ADAMSync /Install localhost:389 C:\Windows\ADAM\AdamSyncMydomain.xml /log C:\Windows\ADAM\logs\Mydomain.log", in the log I am getting this error:

Adamsync.exe v1.0 (6)

Establishing connection to target server localhost:389.

Updating configuration file on C:\Windows\ADAM\AdamSyncMydomain.xml.

Reading Configuration File from C:\Windows\ADAM\AdamSyncMydomain.xml

Saving Configuration File on dc=adlds,dc=local

Unable to read attribute objectclass on dc=abc,dc=local.

Unable to read attribute objectclass on dc=abc,dc=local.


I am unable to remove a domain controller manually.


Hi Support,

I have removed the 2008 R2 domain controller and promoted it again, but the name is still showing and the RODC is unable to communicate with the new domain controller.

I have removed all the old domain controller entries from DNS, Sites & Services and Active Directory, but when I run the command below it still shows the old server name:

C:\Windows\system32>Repadmin /replsum
Replication Summary Start Time: 2019-06-03 17:31:11

Beginning data collection for replication summary, this may take awhile:
  .....................

Source DSA          largest delta    fails/total %%   error
 TEST-LAB-DC-01    01d.21h:01m:01s   47 /  47  100  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
 LAB-TEST-ADC-01           13m:20s    0 /   5    0
 LAB-TEST-DC-01            06m:22s    0 /  10    0

Remove the old server TEST-LAB-DC-01, IP address 10.0.045

 Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:43:45
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:43:45
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:45:56
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:45:56
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.
         An Warning Event occurred.  EventID: 0x8000059B
            Time Generated: 06/03/2019   14:46:13
            Event String:
            The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.
         An Error Event occurred.  EventID: 0xC0000B1B
            Time Generated: 06/03/2019   14:46:13
            Event String:
            The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service.  A replication connection with the following option must exist in the forest for correct FRS system behaivor.

Software installation permission in all domain client machines


Hi team, 

In my organization every user needs to install software and applications in day-to-day activities. Every time, a server administrator has to be involved in this task. We need to give only the software installation permission to one particular user, but he should not be able to access any other activities or make modifications at the Active Directory domain level.

Is there any Group Policy or any other solution to overcome this issue?

Thanks, 

Lee

Query on creating the Active Directory Trust


Hi All,

We have just bought a new company which is in a different forest. Let's call our company domain A and the newly bought company domain B.

We have our network connectivity in place and we are planning to add conditional forwarders. We have created the domain B users in domain A. But there are still resources in domain B that need to be accessed by the newly migrated domain A users. I need to understand the things below before we create a trust on domain A.

1. What type of trust do I need to create in domain A? External or forest?

2. What direction of trust should I create in domain A? One-way incoming or outgoing (my understanding is incoming)?

3. What type and direction of trust should we create in domain B?

Thanks in Advance!

Resource-based constrained delegation across domains


I have read the article 'Kerberos Constrained Delegation Overview'.

I have the following scenarios:

1/

Server1 (Domain1) -> Server2 (Domain2) -> Server3 (Domain2)

2/

UserMachine1 (Domain1) -> Server2 (Domain2) -> Server3 (Domain2).

The examples I have seen online are for scenario 1, where we have one user ID which we can switch delegation on for.

But what about scenario 2? We have multiple users wanting to access a RestApi directly under their own username with cross domain delegation.

Thanks in advance!

Arun

FSMOcheckFail


Hello Everyone,

We are running a script for our Active Directory health check, and in that health check most things come back fine, but one thing is showing as failed, as below. Can anyone help me with why this is failing and what we need to do to fix this issue?



NO cert coming back from server


I installed the certificate as done for other servers, where it works perfectly fine, except one which gives nothing out at all:

I have installed the needed chain of certificates to no avail. Checked DNS, etc. as well. As I mentioned, I have done this for almost 4 servers to date and those seem to work.

CONNECTED(00000188)
write:errno=10054
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1561988142
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

Run into a problem when trying to rename an AD Domain using RENDOM


Hello there, I have been tasked with the job of renaming an AD domain for a small organisation (primary school) in order for us to be able to build a trust (we have two domains (separate forests) but both of them have the same NetBIOS name :(

I have run the above task in a test environment and it seems to be straightforward in my case: single forest, single domain with only 1 DC (never having had the functional level raised or the schema extended etc., no special applications e.g. Exchange or DFS shares. Simple server-in-a-box sort of scenario).

That said, after creating the new DNS zone and running rendom /list, /show and /upload, I am getting an error when trying to run rendom /prepare.

I am getting an error that 1 out of 1 servers cannot be contacted, and an error code of 8599.

What I have tried so far is to reboot the server, make sure that the existing DNS zone does not have any invalid records, and double-check that we do not have any applications installed on the server that could trigger this error.

Has anyone had to deal with the same error code?

Any advice is much appreciated.

Best regards

Ignat


Importance of SID migration during AD migration


I am going to do an inter-forest and intra-forest migration; after migrating users and groups I will be shutting down the source domain.

Additionally, I will be migrating servers and desktops from source to destination.

If I do not migrate the SID during user migration, upon completing the user migration process end users will be denied access to the files and folders they had in the source domain.

Please assist with your answer regarding migrating the SID.


LAPS Implementation Issue


Good day, 

For almost 2 weeks I've been trying to implement LAPS in my company's small infrastructure. 
I've gone through the steps in the following tutorial:

https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-1.html
https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-2.html

I'm using 2 computers for testing purposes, one is a virtual machine running Windows 10 and the other a laptop running Windows 7. Here's what I've done so far:

- I extended the computer objects' schema to include the fields needed by LAPS; I then inspected the computer objects corresponding to my 2 test subjects and verified that these attributes were indeed created.

- I delegated the necessary permissions to the computers through the Set-AdmPwdComputerSelfPermission cmdlet; I then checked the 2 computers' ACE list and verified that write permissions for AdmPwd and write/read permissions for AdmPwdExpirationTime were granted to the SELF trustee. 

- I delegated the permissions to read and reset passwords to the domain admins through the Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission cmdlets; I then verified these permissions through the 2 computers' permission entry lists. (I think this step is unnecessary since domain admins should have these permissions by default)

- I deployed LAPS.msi through GPO and verified that "Local Administrator Password Solution" was present in the 2 computers' Apps and Features list. I also verified that AdmPwd.dll was in the Program Files folder for both computers.

LAPS doesn't seem to work, however. I, as domain administrator, get an empty field whenever I query a computer's password through the UI or through PowerShell, and the password attribute field in the computer objects remains empty. I've read many related posts here in this forum but have not been able to solve this issue.

The DC is running Windows Server 2012 R2 and the domain functional level is 2012 R2.

Do you have any idea on what could be going wrong?

Regards

Log on from a computer in a different domain


Hi there,

We have a domain a.com that is not trusted by domain b.com i.e.,

a.com trusts b.com

b.com does not trust a.com

I have run into a problem where a user in a.com fails to log on from a computer in b.com when wanting to access resources in a.com. The user was able to log on before and I don't know what may have changed.

We have a trust set up in 2012 R2, which is the a.com domain, but due to lack of network visibility I am unable to confirm what kind of trust it really is. Once I get visibility back I can check that out, but in the meantime could I get some advice on what I need to check?

Many thanks,

Tony

Some failures in DCdiag.exe


So, I'm apparently a domain administrator now, and apparently I have a lot to learn. The following is a dcdiag.exe result that has been sanitized; can someone explain to me what I'm seeing and what may be going on?

C:\Users\USERNAME>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVERNAME
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVERNAME
      Starting test: Connectivity
         ......................... SERVERNAME passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVERNAME
      Starting test: Advertising
         ......................... SERVERNAME passed test Advertising
      Starting test: FrsEvent
         ......................... SERVERNAME passed test FrsEvent
      Starting test: DFSREvent
         ......................... SERVERNAME passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVERNAME passed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVERNAME passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVERNAME passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVERNAME passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVERNAME passed test NCSecDesc
      Starting test: NetLogons
         [SERVERNAME] User credentials does not have permission to perform
         this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... SERVERNAME failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVERNAME passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,SERVERNAME] DsReplicaGetInfo(PENDING_OPS, NULL)
         failed, error 0x2105 "Replication access was denied."
         ......................... SERVERNAME failed test Replications
      Starting test: RidManager
         ......................... SERVERNAME passed test RidManager
      Starting test: Services
            Could not open NTDS Service on SERVERNAME, error 0x5
            "Access is denied."
         ......................... SERVERNAME failed test Services
      Starting test: SystemLog
         ......................... SERVERNAME passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVERNAME passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domainName
      Starting test: CheckSDRefDom
         ......................... domainName passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domainName passed test CrossRefValidation

   Running enterprise tests on : domainName.MyDomain.org
      Starting test: LocatorCheck
         ......................... domainName.MyDomain.org passed test
         LocatorCheck
      Starting test: Intersite
         ......................... domainName.MyDomain.org passed test
         Intersite

C:\Users\USERNAME>

Maximum Groupmemberships still 1024


Hi,

does somebody know if there is any news regarding the hard limit of 1024 group memberships for a single SID?
I tried my best in research but didn't find anything related to the topic of raising the limit.

If the Kerberos token size got an update, I don't see why there would still be a limit on the maximum number of group memberships.

Our company works heavily with group nesting and multiple domains, so the limit is near.

Thank you very much!
