Channel: Directory Services forum
Viewing all 31638 articles

Inheritance not working for one user


We have a file folder (FolderA) with inheritance enabled.  UserA is the owner of the folder.  The AD groups associated in the advanced security settings look like this:

Type    Principal        Access         Inherited From   Applies To
Allow   AD Group A       Modify         FolderB          This folder, subfolders and files
Allow   UserA            Full Control   FolderB          This folder only
Allow   Creator Owner    Full Control   FolderB          Subfolders and files only
Allow   Administrators   Modify         FolderB          This folder, subfolders and files

The checkbox "Only apply these permissions to objects and/or containers within this container" is NOT checked.  I don't find that checked up the chain either.

When UserA drops any files in this FolderA, the security on them is limited to UserA and Administrators.  None of the users in AD Group A have any access to the files.  I am certainly not very experienced with NTFS permissions, but that doesn't seem correct.  When any other user that is a member of AD Group A drops files into FolderA, inheritance is working.

Any ideas what might be wrong?


Unable to Start AD Certificate Services


Hello,
I receive the following error when starting ADCS.

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  BPGLTD-PHLCERT02-CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

I can start the service after executing "certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE", but that is not ideal.

I ran certutil on the SubCA cert (I have a 2-tier setup with an offline root CA) and the only error is related to "Wrong Issuer".

If I run just certutil, I see remnants of an old CA (PHLMON03) which was removed using the link below.

https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx

Any help or next steps would be greatly appreciated.

C:\Users\administrator.BPGLTD>certutil -verify -urlfetch c:\Users\administrator.BPGLTD\Desktop\phlcert02.cer
Issuer:
    CN=PHLCERT01-CA
  Name Hash(sha1): ab8ddcb27b2a64e7a6225b62ba2ea82b673404c1
  Name Hash(md5): ebb9c17263d1ef40d50de13975e6a861
Subject:
    CN=BPGLTD-PHLCERT02-CA
    DC=BPGLTD
    DC=com
  Name Hash(sha1): 7b76c3b45a13d912a9cea0d1c8d350c398c0e2ee
  Name Hash(md5): 3c9e995bf348ba7e480701bf5cc0f3d0
Cert Serial Number: 6946f31d000100000009

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 20 Minutes

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 20 Minutes

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=PHLCERT01-CA
  NotBefore: 6/30/2015 1:37 PM
  NotAfter: 6/30/2025 1:47 PM
  Subject: CN=BPGLTD-PHLCERT02-CA, DC=BPGLTD, DC=com
  Serial: 6946f31d000100000009
  Template: SubCA
  Cert: 7da4c19973befb78e1f5eed78e50e849ab81ae25
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0 7c8f12418d8fdfca82e8422692b719c37f2b290f
    [0.0] ldap:///CN=PHLCERT01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0 483c8163ac0db3ff24199546a4548e757e992755
    [0.1] ldap:///CN=PHLCERT01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0 483c8163ac0db3ff24199546a4548e757e992755
    [1.0] http://pki.bpgltd.com/CertEnroll/phlcert01_PHLCERT01-CA(1).crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (1b)" Time: 0 862492913b0dac9187385932ec341c354cafa30d
    [0.0] ldap:///CN=PHLCERT01-CA(1),CN=phlcert01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Base CRL (1b)" Time: 0 862492913b0dac9187385932ec341c354cafa30d
    [1.0] http://pki.bpgltd.com/CertEnroll/PHLCERT01-CA(1).crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 1b:
    Issuer: CN=PHLCERT01-CA
    ThisUpdate: 7/31/2019 9:14 AM
    NextUpdate: 1/31/2020 9:34 PM
    CRL: 862492913b0dac9187385932ec341c354cafa30d

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=PHLCERT01-CA
  NotBefore: 6/30/2015 12:58 PM
  NotAfter: 6/30/2035 1:08 PM
  Subject: CN=PHLCERT01-CA
  Serial: 3c41ae9e5c1c56964d80c2d1848531ee
  Cert: 483c8163ac0db3ff24199546a4548e757e992755
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: 88452600745c160aeec7f24682f4f58656d2d101
Full chain:
  Chain: 2d572c64b2648c5b8d901a4ffd1dea495e03c430
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

C:\Users\administrator.BPGLTD>certutil
Entry 0:
  Name:                         "PHLCERT01-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "PHLMON03.BPGLTD.com\PHLCERT01-CA"
  Exchange Certificate:         ""
  Signature Certificate:        ""
  Description:                  ""
  Server:                       "PHLMON03.BPGLTD.com"
  Authority:                    "PHLCERT01-CA"
  Sanitized Name:               "PHLCERT01-CA"
  Short Name:                   "PHLCERT01-CA"
  Sanitized Short Name:         "PHLCERT01-CA"
  Flags:                        "1"
  Web Enrollment Servers:       ""

Entry 1: (Local)
  Name:                         "BPGLTD-PHLCERT02-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "PHLCERT02.BPGLTD.com\BPGLTD-PHLCERT02-CA"
  Exchange Certificate:         ""
  Signature Certificate:        "PHLCERT02.BPGLTD.com_BPGLTD-PHLCERT02-CA.crt"
  Description:                  ""
  Server:                       "PHLCERT02.BPGLTD.com"
  Authority:                    "BPGLTD-PHLCERT02-CA"
  Sanitized Name:               "BPGLTD-PHLCERT02-CA"
  Short Name:                   "BPGLTD-PHLCERT02-CA"
  Sanitized Short Name:         "BPGLTD-PHLCERT02-CA"
  Flags:                        "13"
  Web Enrollment Servers:       ""

Entry 2:
  Name:                         "PHLCERT01-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "phlcert01\PHLCERT01-CA"
  Exchange Certificate:         ""
  Signature Certificate:        "phlcert01_PHLCERT01-CA.crt"
  Description:                  ""
  Server:                       "phlcert01"
  Authority:                    "PHLCERT01-CA"
  Sanitized Name:               "PHLCERT01-CA"
  Short Name:                   "PHLCERT01-CA"
  Sanitized Short Name:         "PHLCERT01-CA"
  Flags:                        "20"
  Web Enrollment Servers:       ""
CertUtil: -dump command completed successfully.
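As an added example (not from the post and not Microsoft's tooling), a Python parser for the -verify -urlfetch output above: it records certutil's verdict for each AIA, CDP and OCSP fetch together with the CRL validity window, then lists the fetches that did not verify (here the "Wrong Issuer" hit on the LDAP AIA entry) and a CRL whose NextUpdate is already behind the time of the check. The embedded sample is a constructed excerpt of the post's output, and the check time is passed in explicitly because the result depends on it.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the certutil -verify -urlfetch output quoted in the post.
SAMPLE_OUTPUT = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=PHLCERT01-CA
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0 7c8f12418d8fdfca82e8422692b719c37f2b290f
    [0.0] ldap:///CN=PHLCERT01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (1)" Time: 0 483c8163ac0db3ff24199546a4548e757e992755
    [1.0] http://pki.bpgltd.com/CertEnroll/phlcert01_PHLCERT01-CA(1).crt
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (1b)" Time: 0 862492913b0dac9187385932ec341c354cafa30d
    [1.0] http://pki.bpgltd.com/CertEnroll/PHLCERT01-CA(1).crl
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
    ThisUpdate: 7/31/2019 9:14 AM
    NextUpdate: 1/31/2020 9:34 PM
"""

SECTION_RE = re.compile(r"^\s*-+\s+(Certificate (?:AIA|CDP|OCSP)|Base CRL CDP)\s+-+\s*$")
FETCH_RE = re.compile(r'^\s*(Verified|Wrong Issuer|Expired|Failed|No URLs)\s+"([^"]*)"\s+Time:\s*\d+\s+(\S+)')
URL_RE = re.compile(r"^\s*\[\d+\.\d+\]\s+(\S+)")
CRL_DATE_RE = re.compile(r"^\s*(ThisUpdate|NextUpdate):\s*(.+?)\s*$")

def certutil_time(value):
    """Parse certutil's local-time stamps, e.g. '1/31/2020 9:34 PM'."""
    return datetime.strptime(value, "%m/%d/%Y %I:%M %p")

def parse_verify_output(text):
    """Return ([fetch results], {CRL dates}): one result per AIA/CDP/OCSP fetch certutil reports."""
    section, pending, results, crl = None, None, [], {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FETCH_RE.match(line)
        if m:  # certutil's verdict on the object fetched from the URL on the following line
            pending = {"section": section, "status": m.group(1), "object": m.group(2),
                       "hash": m.group(3), "url": None}
            results.append(pending)
            continue
        m = URL_RE.match(line)
        if m and pending is not None:
            pending["url"] = m.group(1)
            pending = None
            continue
        m = CRL_DATE_RE.match(line)
        if m:
            crl[m.group(1)] = certutil_time(m.group(2))
    return results, crl

def findings(text, now):
    """Fetches that were not Verified, plus a CRL whose NextUpdate is already behind `now`."""
    now = certutil_time(now) if isinstance(now, str) else now
    results, crl = parse_verify_output(text)
    out = ["%s: %s for %s via %s" % (r["section"], r["status"], r["object"], r["url"])
           for r in results if r["status"] not in ("Verified", "No URLs")]
    next_update = crl.get("NextUpdate")
    if next_update is not None and next_update < now:  # stale CRL: revocation looks "offline"
        out.append("CRL expired: NextUpdate %s is before %s" % (next_update, now))
    return out
```

Pass the time at which the CA actually failed to start as `now`; the same output is clean in August 2019 and reports an expired CRL from February 2020 onward.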



Issue with workstations domain membership


I posted a similar question a few weeks ago but eventually closed that question.  I had the issue come up again so I decided to post another question.  I hope I can determine what is going on this time.

I have a problem that occurs randomly on my Windows workstations (Windows 10 is all we have).  Every so often a workstation will seem to lose its connection to the domain.  I know that sounds odd, because it is.  I first notice it when a user complains about their network drives going missing.  When I look at the machine I also notice that when going to Computer Management, Local Users and Groups, the domain accounts show up as not recognizable.

This is a Windows domain with 3 Windows 2008r2 DC's and one Windows 2016 DC.

Symptoms: 
1- network drives don't show up in File Explorer
2- when going to Computer Management, Local Users and Groups, Groups, in any group with a domain account the account is not recognizable.  It looks like this: S-1-5-21-1392988177-2029604534-620655208-512

The computer user is able to login and access resources.  For the most part everything works ok. 

It is like the workstation has partially lost its connection to the domain.

Resolution:  to resolve the problem I have been unjoining the computer from domain and then join it back again.  This corrects the problem for the time being.  However, it is happening randomly to my workstations and has happened more than once on a few of them.  I need to determine what is causing this.  Thanks for any help.

One more thing.  It has happened to my system at least twice.  My system is a laptop and I take it offsite to other company offices.  It seems like it has happened to me after I return to the main office and boot up here.  Not sure this matters.



active directory in DMZ


Hi experts,

We have the below scenario:

1- We need to have an FTP server in our DMZ for internal and external users.

2- AD users authenticate in the DMZ to access their files and folders on the DMZ server.

3- I have no idea about external users!

So what is the best solution for our scenario to have AD authentication on the DMZ server without security issues?

Should I use an RODC?

Please let me know if you have any idea or if I'm on the wrong path!

Thank you in advance


Replication complaints


I have 10 DC and they are in different sites and all part of the same domain.

A user changes their password but cannot log in to an application, as he/she has to wait 15 minutes for replication to complete on all DCs before they can log in to a website that uses their domain credentials.

I get tons of complaints every day. What is the best way to have near real-time replication between the DCs?

How do you handle these situations in your company?


John

AD


Hi All,

We are in the process of a Server 2008 sunset. One of our Active Directory servers is on W2008. We are the main site for Europe and we have 4 AD servers. We have additional AD servers scattered around our European sites, mostly one per site.

I need information on the best process to deal with this W2008 box. Would it just be a case of decommissioning the server and creating another, depending on what roles are on the server, or do I need to carry out any additional work?

I would be grateful for any information.

Regards.

Login is from an untrusted domain


Hi

I have searched all over the internet for an answer so hopefully someone here can help.

I have an SQL 2017 server set to use Windows or SQL authentication.

The DB's that are on it work fine using either authentication method on the LAN.

My issue is that when a user tries to connect over our VPN, it fails with the above error message that the login is from an untrusted domain.

However, if I use a SQL credential (SA) it connects with no issues.

Both server and PC are on the same domain and the PC is regularly connected to the LAN during the day; it's just when they go home and use the VPN that it doesn't work and I get this untrusted domain error. This happens for all users over VPN.


Cannot access Active Directory Domain Services


Hi guys,

Today all my domain controller servers could not connect to Active Directory Domain Services.

It shows:

Naming information cannot be located because:
The specified domain either does not exist or could not be contacted.
Contact your system administrator to verify that your domain is properly configured and is currently online.

But the DNS service is running properly.

I have tried many ways to fix it but no luck.

Please help me to resolve this issue.

Thank you.


Add a "manages" tab to Active Directory


Hello there

So for a while now we have been using the "managed by" tab in Active Directory to keep track of who owns what computer.

Now the problem is that if we know which PC we want to find the user for, it's easy, but the other way around (user -> PC) we have been using PowerShell to find. This is a bit of a hurdle and it would be nice to just integrate it in AD. So my question is: is there a way to add a tab on a user that has a list of PCs owned by that user (some have multiple PCs), in the same way the "member of" tab works?

Thanks in advance

Albert

How to configure LDAP referrals between two different forests


Hi,

I have two different forests running in our infra, Forest A and Forest B. One of the applications is part of Forest A. The users under Forest B want to access the application with their domain credentials. We do not want to create any trust between them because the requirement is to access LDAP only.

How do I create LDAP referrals between those forests to access LDAP?

Any help is highly appreciated.

"Windows cannot create the object" error while creating an OU


Hi All,

The below-mentioned error is thrown while creating an OU under a child domain. There is no OU with that name, but I still get the error. Is there anywhere we can check this?

Error:

Windows cannot create the object "name" because:
An attempt was made to add an object to the directory with a name that is already in use.

Joining computers on a new domain


Hello,

I did a migration of users and computers from the old domain to a totally different new domain. I was able to transfer the users on their end PCs on the same network as the new AD. But when I try to join computers on a different subnet by creating a new password for the users, I get this error.

Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

I have disabled the firewall but no success.


MCP

Forest Trust between server 2016 domain and Server 2003 domain


Hello

Is it possible to create a forest trust between a domain/forest at Server 2016 functional level and one at Server 2003 functional level?

When I try to do it, I get RPC errors and now I am not sure that it even is possible to create the trust between these forests.

"The Local Security Authority is unable to obtain an RPC connection to the Active Directory Domain Controller "DC1.contoso.local". Please check that the name can be resolved and that the server is available."

- Name resolving works.
- Needed ports for the trusts have been opened.

Client port(s)             Server port          Service
49152-65535/UDP            123/UDP              W32Time
1024-65535/TCP             135/TCP              RPC Endpoint Mapper
49152-65535/TCP            464/TCP/UDP          Kerberos password change
1024-65535/TCP             1024-65535/TCP       RPC for LSA, SAM, Netlogon (*)
1024-65535/TCP/UDP         389/TCP/UDP          LDAP
1024-65535/TCP             636/TCP              LDAP SSL
1024-65535/TCP             3268/TCP             LDAP GC
1024-65535/TCP             3269/TCP             LDAP GC SSL
53, 1024-65535/TCP/UDP     53/TCP/UDP           DNS
1024-65535/TCP             1024-65535/TCP       FRS RPC (*)
1024-65535/TCP/UDP         88/TCP/UDP           Kerberos
1024-65535/TCP/UDP         445/TCP              SMB (**)
49152-65535/TCP            49152-65535/TCP      DFSR RPC (*)

Computer SID


Hi All,

I have 3 domains in my environment (1 root and 2 sub). In every domain there are 5 domain controllers running, and when I checked the SID of each domain controller in the same domain I could see that the SID is the same for all 5 domain controllers in that domain. Is this usual behavior, or is there an issue with it?

Active directory reports


Hi

I need a free, full-function AD reporting tool; I am using the 30-day trial of ADManager Plus.

Does anyone know of any Microsoft tool available for detailed reporting?

I used CSVDE; it gives more details but I don't know how to filter them, and the whenCreated and whenDeleted timings are also not showing properly.

Kindly help me

Thanks


Making a new user account in AD Service 2016: considerations / advice


hello everyone,

I have been tasked to design a forest with an independent IT structure.

We designed a parent/child forest.  Now I want to create rules for making new user accounts in the domains.

First of all, I want to know whether any proposals or samples exist for step-by-step creation of a new user account in an enterprise forest. What is your advice for this scenario?

Second, if I want to make a user account in domain A.mydomian.com, how can I check that it does not exist in another domain, for example in B.mydomian.com or C.mydomian.com? Actually I want to check for a unique ID at forest level, not at domain level. (How can I do it?)


Cannot join domain "the network path was not found"

I recently inherited a system when my company purchased another small company. They are 4 states away so I'm trying to do everything remotely. There is a Server 2003 R2 set up as AD, DC, DHCP and DNS. This has been set up for years and working fine. All of a sudden 2 days ago, no one could see any other PC on the network. There are a couple of shared folders to databases that everyone needs to access. When trying to access those shared files on the server, they now get a 'network path cannot be found' error. I tried joining a new PC to the domain (I'm using it to access their network remotely) and I also got the network path cannot be found error. I can ping the server by name and IP and vice versa. nslookup gives me correct info. File and Print Sharing is active, Client for Microsoft is active. I can see all the printers on the network from the server and from all the other clients, just no other PCs show.  All the workstations I'm dealing with first are Windows 10 Pro. I'm at a loss of what else to look for. Googled everything and it seems it may be something with the DNS but I don't know exactly what I'm looking for. I've rebooted everything on the system numerous times. Any help is appreciated!

Force check User Account in Forest not in local domain -- consideration / advice


hello everyone,

I have been tasked to design a forest with an independent IT structure.

We designed a parent/child forest.  Now I want to create rules for making new user accounts in the domains.

First of all, I want to know whether any proposals or samples exist for step-by-step creation of a new user account in an enterprise forest. What is your advice for this scenario?

Second, if I want to make a user account in domain A.mydomian.com, how can I check that it does not exist in another domain, for example in B.mydomian.com or C.mydomian.com? Actually I want to check for a unique ID at forest level, not at domain level. (How can I do it?)



Single sign-on and UPN and domain trust

Our internet domain is contoso.com.
Our e-mail addresses are like first_name.last_name@contoso.com
Our Active Directory FQDN (UPN suffix) is local.contoso.com (created due to split-brain DNS problems).
We have been in the process of migrating from the old Active Directory domain contoso.com to newlocal.contoso.com.
This process is going to take another 3-6 months from now.
Our management has just decided to migrate our (non-Exchange) infrastructure into Office365 within 2 months.
We would like to utilize SSO mainly for OneDrive.

How to do it?
I am worried about conflicts with the old domain if I change the UPN from local.contoso.com to contoso.com.




Is it a good idea to set up a dedicated Hyper-V domain controller on a Hyper-V server?


Hello!

OS: Windows Server 2016 Std

I know there are a lot of articles suggesting best practices not to have DC roles on the Hyper-V server.

Is it a good idea to have a dedicated DC for Hyper-V on the Hyper-V server?

