Channel: Directory Services forum

Single sign-on and UPN and domain trust

Our internet domain is contoso.com.
Our e-mail addresses are like first_name.last_name@contoso.com
Our Active Directory FQDN (UPN suffix) is local.contoso.com (created due to split-brain DNS problems).
We have been in the process of migrating from the old Active Directory domain contoso.com to newlocal.contoso.com.
This process is going to take another 3-6 months from now.
Our management has just decided to migrate our (non-Exchange) infrastructure into Office365 within 2 months.
We would like to utilize SSO mainly for OneDrive.

How to do it?
I am worried about conflicts with the old domain if I change the UPN from local.contoso.com to contoso.com.





AD CS: Cannot request certificate using Webserver Template


Hello,

I'm trying to request a Web Server certificate via the Certificates snap-in. The permissions are set accordingly (user and computer account should be able to access the CA and the Web Server template, as configured in the security tabs on the CA and the template).

When I try to request a certificate via certmgr.msc, it tells me I do not have permission to request my custom Web Server certificate template, as this type of certificate can only be issued to computers (which makes sense in a way).

When I try to request a certificate via certlm.msc it cannot fetch the certificate registration policy:

URL: ldap:

Error: Access Denied 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

This is true: ADSI tells me CN=Public Key Services,CN=Services,CN=Configuration,DC=test and its children are actually not accessible to computer accounts. Giving "Domain Computers" read permissions on the element above and on the sub-elements CN=Enrollment Services and CN=Certificate Templates does not help either.

What do I need to do to be able to request a Web Server template? Can I change anything inside the template to allow users to request it? Most of our PKI users will probably try to request their templates via the web UI, submitting certificate requests created by OpenSSL on their Linux servers.

Thanks!


AD/DNS server running high CPU


Hi,

We have 2 DCs on a site which are using high CPU (100%) every day at 1pm, which makes the server unresponsive; we can't log in or view anything until we restart the DC, and then it's all OK.

This then also affects some of the PCs, which don't respond to anything until they are force restarted or wait for the DC to come back to life.

Both DCs have 4 CPUs, 16GB memory, lots of disk space on the C drive.
Both DCs have been rebooted a few times.
Checked event logs and can't see anything which might show why this is happening.
Both servers are on VMware.
Servers are running Server 2012 R2 (Domain/Forest Level: 2008).

Is there anything else I can check to see why this is only happening at 1pm every day?



JOINING COMPUTERS ON A NEW DOMAIN


Hello,

I did a migration of users and computers from the old domain to a totally different new domain. I was able to transfer the users on their end PCs on the same network as the new AD. But when I try to join computers on a different subnet by creating a new password for the users, I get this error:

Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

I have disabled the firewall but no success.


MCP

RODC in place upgrade recommendations


Hi All,

We have a client with 20 domain controllers in the data center and 500 RODCs on Windows 2008 R2. They want to introduce Windows 2012 R2 domain controllers in the data center and perform a Windows 2012 R2 in-place upgrade for all 500 RODCs. I would like to know the recommendations for the in-place upgrade of 500 RODCs. All RODCs are VMs.

Please help by providing the best practice and recommended approaches.

Thanks and Regards,

Hariharan

Creating Kerberos realm for publicly routable domain?


I'm attempting to validate whether we can use PKINIT for SSO with ADFS to O365. I've run into an issue: because our UPN suffixes are set to the publicly routable domain, we cannot request Kerberos tickets for them. So far I've created the necessary DNS entries to get the client to the domain controller; however, we get a KDC_ERR_WRONG_REALM error back from the KDC. This makes perfect sense, of course, as the domain controller doesn't know anything about our external domain. However, is there a way to get around this with realm mapping? If so, what do we need to do, or are there any other solutions?

Thanks,

David

Migrate Server 2008r2 to 2016 Rebuilding Active Directory from Scratch with same Domain Name


Hello All,

I'm tasked with taking an old 2008 Active Directory domain structure and moving it over to Server 2016. The Active Directory services are to be rebuilt from scratch.

I've got to keep the old domain online as I build out the new domain and transfer objects. How can I do this with one domain name?

Application LDAP connections to wrong AD Site


Hi,

I have an application that points to mydomain.com to look up the domains available.

The problem is it returns all the domains in both sites.

Is it possible, if I ask for domain controllers, that it will only show me the DCs in Site 1, not Site 1 and Site 2?

The application doesn't have access to the Site 2 DC; network rules block it.

I believe DNS is not site-aware? What are my options? Create a separate DNS record for Site A called ldap.mydomain.com and point the applications to that DNS record instead?


Replication complaints


I have 10 DCs; they are in different sites and all part of the same domain.

A user changes their password but cannot log in to an application, as they have to wait 15 minutes for replication to complete on all DCs before they can log in to a website that uses their domain credentials.

I get tons of complaints every day. What is the best way to have near real-time replication between the DCs?

How do you handle these situations in your company?


John

FRS to DFSR question


I'm about to demote my last 2003 domain controller this week, and I was wondering when I should upgrade FRS to DFSR. Right now I've left the 2003 box running but with the NIC unplugged since Friday. I plan to demote it this upcoming Friday if there are no issues.

After that, I'm going to upgrade the domain functional level to 2008, as my goal is to upgrade the entire domain level to 2019. The 2008 level is just a stepping stone. Once I get rid of the 2003 server and have the domain upgraded to the 2008 level, is that the time to change FRS to DFSR?

Nltest /dsregdns shows ERROR_NO_LOGON_SERVERS


Hi,

3 domain controllers, 2 in site A, 1 in site B

We have replaced our domain controller in site B, so it is now running Windows Server 2016. All replication seems fine, and I cannot see any specific error in dcdiag or repadmin.

But when we run the command "Nltest /dsregdns" we get this error:

********************

C:\Windows\system32>Nltest /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

C:\Windows\system32>

********************

I read another question on the forum where the problem had solved itself after a couple of days, but our domain controller has now not been rebooted for 4 days, so I guess it will not heal itself :)

The domain controller is pointing to itself for DNS, it is a global catalog (all servers in the domain are).
The DNS service is running and will permit me to ping other domain controllers.

The other 2 domain controllers report OK on the command:

********************

PS C:\Windows\system32> Nltest /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
PS C:\Windows\system32>
********************

Suggestions?


/Regards Andreas

Failed to open the group policy object. You may not have appropriate rights


We have a parent domain, Parent.com, and a child domain, Child.parent.com. We are currently facing the issue in the child domain only. All GPOs in the child domain are fine except the ones linked to Sites. When I try to edit any Site-level policy I get the error below. I tried using Process Explorer and figured out that it's trying to find the policy at \\PDC_Server.parent.com\sysvol\Child.parent.com\policies\{GUID}\user\registry.pol

Result shows: Path not found (because it's looking for the child domain folder under SYSVOL in the parent)

Any ideas? I've checked permissions and I do have all permissions to open and edit this policy.




Windows service account password auto update


hi there, 

Because of some policies, some service accounts need to change their password every 180 days, and then we need to go over all the servers to change the "saved service account credential" in services.msc.

I want to know if there is any way or tool that can automatically update the password when the password is changed.

thanks

Disabling NTLMv1


Hi,

How do I disable NTLMv1 in an Active Directory infrastructure? If I disable NTLMv1, will any outage occur?

AD: 2008 R2

Client PCs: XP3 and above are used in my network.

Please assist with your valuable answer. 

Upgrading offline root CA in two tier environment?


Hi, our root and issuing CAs need renewing because the lifetime is being reduced.

The current offline root CA is based on Windows 2003, which does not support SHA-2. So I had a clever idea to set up a new root (Windows 2019).

I have done so now and published the new root certificate and CRL in the domain.

However, I am very uncertain what will happen now if I choose to renew the publishing CA (intermediate) with the new root. I am not going to revoke any older root or intermediate, since they have not been compromised.

We rely on device certificates that have been issued with the older root.

In NPS, when it renews the RAS certificate, it will not be the same chain, for example?

A little guidance here would be very much appreciated.


PowerShell script to replace an attribute value for users in AD


Hi, everything is in the title.

I want to replace the info attribute of my AD users with 1 or 0 depending on what is written in it.

If what is written in the info attribute is "INT", it should be replaced with 1, and if it is "EXT", it should be replaced with 0.

Here is my script; it runs without errors but it does nothing.

Import-Module ActiveDirectory

# 'info' is not in the default property set returned by Get-ADUser, so it must
# be requested with -Properties; otherwise $_.info is always empty and neither
# branch ever matches. The pipeline must not be assigned to $_ (a reserved
# automatic variable), and 'select info' would strip the identity that
# Set-ADUser needs, so the full user object is passed through instead.
Get-ADUser -Filter { Enabled -eq $true } -Properties info | ForEach-Object {

    if ($_.info -eq "INT") {
        Set-ADUser -Identity $_ -Replace @{ info = "1" }
    }
    elseif ($_.info -eq "EXT") {
        Set-ADUser -Identity $_ -Replace @{ info = "0" }
    }

}

Thank You 

2012R2 Backup DC not working correctly


We have a simple domain, 2012R2, 2 domain controllers and a dozen member servers, pretty much out of the box.

When both DCs are up it appears as if everything is working fine, BPA and AD Replication status tools show no errors, DNS works off both machines. The only thing that seems to show any issue is Get-ADDomainController which only lists the primary.

However, when the PDC is off, the BDC will still function as a DNS server, but not as a domain controller.

We had some issues with the backup domain controller's DNS which were due to it being multi-homed. We removed the second interface and resolved the DNS issues but still have the same problems. We demoted the server back to a member server and re-promoted it to a DC, to no real effect.

When the primary is off, BPA fails with the following errors:

The AD DS BPA should be able to collect data about the hostname of the forest root PDC from the forest root PDC

The Default Domain Controllers Policy in the domain domain.name should be applied to the OU OU=Domain Controllers,DC=domain,DC=name

The domain controller bdc.domain.name must be able to connect to the PDC emulator master in this domain

The domain controller bdc.domain.name must be able to connect to the RID master in this domain

But no errors are logged by BPA when the PDC is up.

Where should I go from here in troubleshooting the issue?


Is it a good idea to set up a dedicated Hyper-V domain controller on Hyper-V Server?


Hello!

o/s: Windows Server 2016 Std

I know there are a lot of articles suggesting, as a best practice, not to have DC roles on the Hyper-V server.

Is having a dedicated DC for Hyper-V on the Hyper-V server a good idea?


Temporary Admin privilege


Hello, 

I read in multiple security articles that system admins often give temporary admin privileges to standard domain users (e.g. developers may need temporary access to advanced settings for testing purposes), but I never came across a name. Is there any application/service/example in particular (like Exchange, O365, etc.) that will require users to have temporary admin privileges?

P.S.: Just for my knowledge, so I know why exactly this function is needed :P


Migration from FRS to DFSR issue


Dear All,

Greetings,

After running Dfsrmig /setglobalstate 1

The following are the "Dfsrmig /getmigrationstate" results:

and below is "Dfsrmig /getglobalstate":

Kindly, I need your help to solve the issue.

Thanks in advance.

Regards,

Faisal
