Channel: Directory Services forum

SMBv1 for trusting and trusted Domain


Hello All,

We are upgrading our environment (abc.com) to Windows 2019 domain controllers, which means SMBv1 will no longer be supported, and we have external and forest trust relationships with a few other domains as well. Will this upgrade have an impact on the users of all the trusted domains as well?

abc.com = our environment

xyz.com = forest trust

nmz.com = external trust

Please advise

regards

AAmir Masthan



Windows Server 2016 error 1864.. How to fix it?


Hello Microsoft Community,

I had this error before and after performing D2/D4 to recreate Sysvol and Netlogon folders.

https://social.technet.microsoft.com/Forums/office/cs-CZ/8f38bdaa-28d8-4546-b6b4-45f4a31dbd8d/3-replication-errors-after-performing-d2d4?forum=ws2016

I managed to recreate the folders but unfortunately the 1864 error kept occurring every 24 hours.

Also I tried:

https://social.technet.microsoft.com/Forums/windows/en-US/068065fa-bfe4-452c-bd3b-aa2055a99b12/broken-dns-delegation?forum=winserverNIS

It did not help me.

List of tests that I was advised to do:

https://1drv.ms/u/s!AmqLiXvrm2MTggokH1Zpc7CFtoEe?e=v7WoDx

I don't really know what to do, so if anyone may give me any directions it will be awesome.


objects linked to a computer SID


Gents,

I'm trying to find a way to get a comprehensive list of objects related to an AD computer (or possibly its SID) so that, before deleting that computer account, there will be no orphaned object with a link to this computer.

For example, let's say I have a GPO with a security filter pointing to a computer (the question here is not about whether or not it is a best practice). If I delete the computer, I will be left with the SID when I look at this GPO.

The same applies to a security group which this computer could be a member of. If I delete the computer account, the security group will show a SID instead.

To prevent this, I would like to have command lines or a script which would search amongst all AD objects and find which ones have a relationship with the computer account (or its SID) so that I can do some cleaning BEFORE deleting the computer account.

Does that make sense to you? Has anyone already found something to reach that goal?

Thanks very much for your feedback
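The kind of pre-deletion check the post asks for, as an added example (not code from the post or its author): it lists the group memberships, GPO permissions and OU ACL entries that reference a computer account by DN or SID. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a domain-joined session with read access to AD and GPOs.

```powershell
# Added example, not from the original post. Lists the directory objects that
# still reference a computer account (by DN or SID) so they can be cleaned up
# before the account is deleted. Assumes the ActiveDirectory and GroupPolicy
# RSAT modules and a domain-joined session with read access to AD and GPOs.
param(
    [Parameter(Mandatory)][string]$ComputerName   # computer name, with or without the trailing $
)
Import-Module ActiveDirectory
Import-Module GroupPolicy

$computer = Get-ADComputer -Identity $ComputerName.TrimEnd('$')
$sid      = $computer.SID
$account  = $sid.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\HOST$
$refs     = [System.Collections.Generic.List[object]]::new()

# 1. Security groups that contain the computer directly (the post's second case).
foreach ($g in Get-ADPrincipalGroupMembership -Identity $computer.DistinguishedName) {
    $refs.Add([pscustomobject]@{ Kind = 'GroupMember'; Object = $g.DistinguishedName; Detail = 'member of' })
}

# 2. GPOs whose security filtering or delegation names the computer's SID (the post's first case).
foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Sid -and $_.Trustee.Sid.Equals($sid) } |
        ForEach-Object {
            $refs.Add([pscustomobject]@{ Kind = 'GPO'; Object = $gpo.DisplayName; Detail = $_.Permission })
        }
}

# 3. OUs and the domain root whose ACL carries an ACE for the computer (delegated rights).
#    An ACE that already shows a raw SID string is an orphan left by an earlier deletion.
$containers = @((Get-ADDomain).DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
foreach ($dn in $containers) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        $who = $ace.IdentityReference.Value
        if ($who -eq $account -or $who -eq $sid.Value) {
            $refs.Add([pscustomobject]@{ Kind = 'ACE'; Object = $dn; Detail = "$($ace.AccessControlType) $($ace.ActiveDirectoryRights)" })
        }
    }
}

# Anything listed here would turn into an unresolvable SID once the account is gone.
$refs | Sort-Object Kind, Object | Format-Table -AutoSize
```

Run it before the deletion and again afterwards with the saved SID string to confirm nothing was missed; attributes that store SIDs in other formats (for example msDS-AllowedToActOnBehalfOfOtherIdentity) are not covered by this pass.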

failed test DFSREvent and 1b" could not be registered on the interface with IP address 172.16.5.157


Dear all,

I have the following topology:

Two domain controllers (Windows Server 2008 R2), one CAS/Hub server and one mailbox server.

We had to shut down the primary domain controller for physical maintenance, but before doing this I transferred the master roles to the additional one, then shut down the domain controller. Due to a failure in the hard disk of the domain controller I made a bare metal recovery, then ran dcdiag and found the following errors.

Please advise.

WIN-I1H2NPJ9ASV failed test DFSREvent

Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... WIN-I1H2NPJ9ASV failed test DFSREvent

      Starting test: SysVolCheck

         ......................... WIN-I1H2NPJ9ASV passed test SysVolCheck

    ......................... WIN-I1H2NPJ9ASV passed test

         ObjectsReplicated

      Starting test: Replications

         [Replications Check,WIN-I1H2NPJ9ASV] A recent replication attempt

         failed:

            From DC2 to WIN-I1H2NPJ9ASV

            Naming Context: DC=DomainDnsZones,DC=marg,DC=local

            The replication generated an error (1908):

            Could not find the domain controller for this domain.

            The failure occurred at 2019-07-26 13:57:17.

            The last success occurred at 2019-07-25 11:48:53.

            2 failures have occurred since the last success.

            Kerberos Error.

            A KDC was not found to authenticate the call.

            Check that sufficient domain controllers are available.

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source DC2

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         [Replications Check,WIN-I1H2NPJ9ASV] A recent replication attempt

         failed:

            From DC2 to WIN-I1H2NPJ9ASV

            Naming Context: CN=Schema,CN=Configuration,DC=marg,DC=local

            The replication generated an error (1908):

            Could not find the domain controller for this domain.

            The failure occurred at 2019-07-26 13:54:43.

            The last success occurred at 2019-07-25 11:48:53.

            2 failures have occurred since the last success.

            Kerberos Error.

            A KDC was not found to authenticate the call.

            Check that sufficient domain controllers are available.

         [Replications Check,WIN-I1H2NPJ9ASV] A recent replication attempt

         failed:

            From DC2 to WIN-I1H2NPJ9ASV

            Naming Context: CN=Configuration,DC=marg,DC=local

            The replication generated an error (1908):

            Could not find the domain controller for this domain.

            The failure occurred at 2019-07-26 13:53:26.

            The last success occurred at 2019-07-26 13:45:55.

            1 failures have occurred since the last success.

            Kerberos Error.

            A KDC was not found to authenticate the call.

            Check that sufficient domain controllers are available.

         [Replications Check,WIN-I1H2NPJ9ASV] A recent replication attempt

         failed:

            From DC2 to WIN-I1H2NPJ9ASV

            Naming Context: DC=marg,DC=local

            The replication generated an error (1908):

            Could not find the domain controller for this domain.

            The failure occurred at 2019-07-26 13:56:00.

            The last success occurred at 2019-07-25 11:49:12.

            2 failures have occurred since the last success.

            Kerberos Error.

            A KDC was not found to authenticate the call.

            Check that sufficient domain controllers are available.

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source DC2

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         ......................... WIN-I1H2NPJ9ASV failed test Replications

      Starting test: RidManager

         The DS has corrupt data: rIDPreviousAllocationPool value is not valid

         No rids allocated -- please check eventlog.

  The name "MARG           :1b" could not be registered on the interface with IP address 172.16.5.157. The computer with the IP address 172.16.5.128 did not allow the name to be claimed by this computer.

         An error event occurred.  EventID: 0xC00010E1

            Time Generated: 07/26/2019   13:39:25

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         A warning event occurred.  EventID: 0x0000000C

            Time Generated: 07/26/2019   13:39:46

            Event String:

            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.


Time Generated: 07/26/2019   13:46:09

            Event String:

            The name "MARG           :1b" could not be registered on the interface with IP address 172.16.5.157. The computer with the IP address 172.16.5.128 did not allow the name to be claimed by this computer.

         An error event occurred.  EventID: 0xC00010E1

            Time Generated: 07/26/2019   13:46:21

            Event String:

         A warning event occurred.  EventID: 0x000003F6

Security Group Membership Not Being Applied to User


Hi all

There's a problem when I try to add any user to a new specific group (Member Of). In this case this group controls the user's web access in my company. In my AD there exist FilterWeb_Level1, FilterWeb_Level2, etc.

If I add a user to a new group in "Member Of", for example adding to "FilterWeb_Level2" and removing from "FilterWeb_Level1", it always rolls back to the "FilterWeb_Level1" state.

Any suggestion to solve this?

Thanks


AD ACL migration


What's the best way to migrate 100+ ACLs from one AD to another AD not in the same domain?

My employer purchased another company and we need to migrate ACLs running on AD Windows Server 2012 R2 to AD running Windows Server 2016R2.

I do need to rename the ACLs from Win Server 2012 to the new naming convention.


Active Directory - Lowering the FFL/DFL


Hi all,

I have two on-prem Exchange environments: the legacy Exchange 2007 SP3 RU16 (empty databases, no PF), and our production Exchange 2013 CU22 infrastructure, which holds 1,400 mailboxes. We need to retire the legacy, empty Exchange 2007 SP3 RU16 only. We are keeping the hybrid infrastructure for the foreseeable future, as we're moving to Exchange Online in 4Q.

Since we need to retire only the legacy Exchange 2007 SP3 RU16 infrastructure, and our current AD structure is a mix of Windows 2012 R2 and Windows 2019 Datacenter with a FFL/DFL of Windows 2012 R2, will it be possible to uninstall the legacy Exchange 2007 SP3 RU16 infrastructure if we lower the FFL/DFL to Windows 2008 R2?

Also, if anybody has a list of known issues or caveats to lowering the FFL/DFL from Win2012R2 to Win2008R2, that would be helpful.

Thanks in advance for any help.
SomeCallMeTim

Can Resource-Based Kerberos Constrained delegation Work across 3 domains?


Here is a scenario:

  1. User accounts are in a user domain. let's call it USERDOM1
  2. Multiple SQL Server instances are installed in a server domain. Let's call it SERVERDOM1.
  3. Multiple SQL Server instances are also installed in yet another server domain. Let's call this one SERVERDOM2.
  4. All 3 domains have full trust enabled to each other.
  5. All 3 domains are at the domain functional level for Windows 2012 R2, and no domain controllers below Windows 2012 R2 exist in the 3 domains.
  6. Using the Resource-Based Kerberos constrained delegation (RBKCD) configuration, users logged in from USERDOM1 can connect to SQL Servers in SERVERDOM1 and double hop fine with delegation to any other SQL Server in SERVERDOM1 as long as their accounts have rights to the other linked servers.
  7. However, users can't double hop to a linked server going from SERVERDOM1 to SERVERDOM2, because we seem to now be involving 3 domains.
  8. If we log in from a test user account created in SERVERDOM1, then the double hop with RBKCD to SERVERDOM2 works fine.

So here is my question:

Is there any way to configure delegation (short of permitting unconstrained delegation) where the 3-domain scenario that I am describing will work? Or is that just plain not supported?


Migrate Server 2008r2 to 2016 Rebuilding Active Directory from Scratch with same Domain Name


Hello All,

I'm tasked with taking an old 2008 Active Directory domain structure and moving it over to Server 2016. The Active Directory services are to be rebuilt from scratch.

I've got to keep the old domain online as I build out the new domain and transfer objects. How can I do this with one domain name?

The security of this directory server can be significantly enhanced


hi all,

Today I found that replication was not occurring because one of the objects could not be updated,

as follows:

Active Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service.

Object:
CN=M M,OU=Users,OU=HD,OU=Technical Support,OU=Users,DC=mydoamin,DC=local

Synchronization of the directory service with the source directory service is blocked until this update problem is corrected. 

This operation will be tried again at the next scheduled replication.

So I fixed this by defragmenting the NTDS database, but after that I ran dcdiag and found

this warning in KCC. What should I do about it?

        Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

certificates role in ldaps for windows and linux clients


Hi,

I would like to know how certificates work in both windows and Linux clients.

Here is my setup. We have a Windows internal CA, and we have Windows domain controllers that serve as our LDAP servers. We have in DNS a host A record ldap-dc.domain.com pointing to the two IP addresses of our domain controllers. We did this so that they will use the FQDN in the LDAPS connection string for failover.

1. Will Windows-based applications that connect via LDAPS require a certificate? If so, where should that certificate come from? Should it come from our domain controller, whose certificate is issued by our internal CA?

2. Did the certificate of our domain controllers come automatically from our CA, since I don't recall requesting a certificate when setting up the domain controller? How will Windows client machines make use of this certificate? Do they receive it automatically?

3. How about apps based on Linux that will use LDAPS? Where should their certificate come from? Do they need to request a certificate, or will they use the domain controller's certificate by importing it on the Linux machine?

Thanks!

Application LDAP connections to wrong AD Site


Hi,

I have an application that points to mydomain.com to look up the domains available.

The problem is that it returns all the domains in both sites.

Is it possible, if I ask for domain controllers, that it will only show me the DCs in Site 1, not Site 1 and Site 2?

The application doesn't have access to the Site 2 DC; the network rules block it.

I believe DNS is not site aware? What are my options? Create a separate DNS record for Site A called ldap.mydomain.com and point the applications to that DNS record instead?
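An added example (not from the post) showing that the DC locator records in DNS are in fact site-aware: each DC registers a site-scoped SRV record under _sites alongside the domain-wide one, so the DCs of a single site can be looked up without creating a separate DNS name. mydomain.com and Site1 are placeholders for your own domain and site names.

```powershell
# Added example, not from the original post. Compares the domain-wide LDAP SRV
# record with the site-scoped one that every DC registers under _sites, so an
# application can be given only the DCs of one site. mydomain.com and Site1
# are placeholders for your own domain and AD site name.
param(
    [string]$Domain = 'mydomain.com',
    [string]$Site   = 'Site1'      # exact AD site name from Sites and Services
)

function Get-LdapSrvTargets {
    param([Parameter(Mandatory)][string]$Name)
    # Resolve-DnsName also returns the additional A records; keep only the SRV rows.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Port, Priority, Weight
}

$domainWide = Get-LdapSrvTargets "_ldap._tcp.dc._msdcs.$Domain"
$siteOnly   = Get-LdapSrvTargets "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"

"LDAP SRV targets for the whole domain $Domain"
$domainWide | Format-Table -AutoSize
"LDAP SRV targets registered for site $Site"
$siteOnly | Format-Table -AutoSize

# DCs that answer for the domain but are not in the chosen site: these are the
# ones the application in the post cannot reach and should not be handed.
$outside = $domainWide | Where-Object { $_.NameTarget -notin $siteOnly.NameTarget }
"DCs outside site ${Site}: $($outside.NameTarget -join ', ')"

# The same site-aware lookup done by the DC locator itself (ActiveDirectory module):
# Get-ADDomainController -Discover -DomainName $Domain -SiteName $Site
```

If the application only accepts a hostname rather than an SRV name, the site-scoped record is the list to feed it; a DC that appears only in the domain-wide record is the one the post's network rules would block.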

2012R2 Backup DC not working correctly


We have a simple domain, 2012R2, 2 domain controllers and a dozen member servers, pretty much out of the box.

When both DCs are up it appears as if everything is working fine: BPA and the AD Replication Status tool show no errors, and DNS works off both machines. The only thing that seems to show any issue is Get-ADDomainController, which only lists the primary.

However, when the PDC is off the BDC will still function as a DNS server, but not as a domain controller.

We had some issues with the backup domain controller's DNS which were due to it being multi-homed. We removed the second interface and resolved the DNS issues but still have the same problems. We demoted the server back to a member and re-promoted it to a DC to no real effect.

When the primary is off, BPA fails with the following errors:

The AD DS BPA should be able to collect data about the hostname of the forest root PDC from the forest root PDC

The Default Domain Controllers Policy in the domain domain.name should be applied to the OU OU=Domain Controllers,DC=domain,DC=name

The domain controller bdc.domain.name must be able to connect to the PDC emulator master in this domain

The domain controller bdc.domain.name must be able to connect to the RID master in this domain

But no errors are logged by the BPA when the PDC is up.

Where should I go from here in troubleshooting the issue?


RODC in place upgrade recommendations


Hi All,

We have a client with 20 domain controllers in the data center and 500 RODCs on Windows 2008 R2. They want to introduce Windows 2012 R2 domain controllers in the data center and perform a Windows 2012 R2 in-place upgrade for all 500 RODCs. I would like to know the recommendations for an in-place upgrade of 500 RODCs. All RODCs are VMs.

Please help by providing the best practice and recommended approaches.

Thanks and Regards,

Hariharan

2003 Server DC Promo


Hi All

I'm currently trying to retire my 2003 SBS server; it was the only domain controller, but I now have a 2016 DC with all roles migrated over to it. The issue is that when I run dcpromo to demote the 2003 server I get an error as it thinks it's the only DC in the domain.

The box indicating that this domain controller is the last controller for the domain domain.local is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.
Do you wish to proceed anyway? If you click Yes, any Active Directory changes that have been made on this domain controller will be lost.


Also, when the 2003 server is shut down, it still shows as the logon server for clients, and users have issues accessing shares on the file server. Any help would be greatly appreciated.

Thanks



How can I set up complicated rights on existing directories


One of my clients has an existing data folder with a layout similar to this:

Part 1
-Drawings
-Specifications
-Inspection
-Notes
Part 2
-Drawings
-Specifications
-Inspection
-Notes

through a few hundred parts.

They want to have new rights implemented that would give certain groups rights over the Drawings subfolder in every part, different rights to every Specifications subfolder, and so on. When new parts are created, the Subfolder and Rights structures would then be in place moving forward.

Is this possible without 'touching' every single folder and subfolder?

How to convert Local Profiles to Roaming Profiles?


Hi,

Older user Profiles on our domain were set up as local profiles. Any new user accounts are now being set up as roaming profiles.

Is there a way to convert the older local user profiles to roaming profiles?

Thanks

D


Unable to Start AD Certificate Services


Hello,
I receive the following error when starting ADCS.

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  BPGLTD-PHLCERT02-CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

I can start the service after executing "certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE", but that is not ideal.

I ran certutil on the SubCA cert (I have a 2-tier, offline root CA) and the only error is related to "Wrong Issuer".

If I run just certutil, I see remnants of an old CA which was removed (PHLMON03) using the link below.

https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx

Any help or next steps would be greatly appreciated.

C:\Users\administrator.BPGLTD>certutil -verify -urlfetch c:\Users\administrator.BPGLTD\Desktop\phlcert02.cer
Issuer:
    CN=PHLCERT01-CA
  Name Hash(sha1): ab8ddcb27b2a64e7a6225b62ba2ea82b673404c1
  Name Hash(md5): ebb9c17263d1ef40d50de13975e6a861
Subject:
    CN=BPGLTD-PHLCERT02-CA
    DC=BPGLTD
    DC=com
  Name Hash(sha1): 7b76c3b45a13d912a9cea0d1c8d350c398c0e2ee
  Name Hash(md5): 3c9e995bf348ba7e480701bf5cc0f3d0
Cert Serial Number: 6946f31d000100000009

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 20 Minutes

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 20 Minutes

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=PHLCERT01-CA
  NotBefore: 6/30/2015 1:37 PM
  NotAfter: 6/30/2025 1:47 PM
  Subject: CN=BPGLTD-PHLCERT02-CA, DC=BPGLTD, DC=com
  Serial: 6946f31d000100000009
  Template: SubCA
  Cert: 7da4c19973befb78e1f5eed78e50e849ab81ae25
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0 7c8f12418d8fdfca82e8422692b719c37f2b290f
    [0.0] ldap:///CN=PHLCERT01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0 483c8163ac0db3ff24199546a4548e757e992755
    [0.1] ldap:///CN=PHLCERT01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0 483c8163ac0db3ff24199546a4548e757e992755
    [1.0] http://pki.bpgltd.com/CertEnroll/phlcert01_PHLCERT01-CA(1).crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (1b)" Time: 0 862492913b0dac9187385932ec341c354cafa30d
    [0.0] ldap:///CN=PHLCERT01-CA(1),CN=phlcert01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Base CRL (1b)" Time: 0 862492913b0dac9187385932ec341c354cafa30d
    [1.0] http://pki.bpgltd.com/CertEnroll/PHLCERT01-CA(1).crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 1b:
    Issuer: CN=PHLCERT01-CA
    ThisUpdate: 7/31/2019 9:14 AM
    NextUpdate: 1/31/2020 9:34 PM
    CRL: 862492913b0dac9187385932ec341c354cafa30d

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=PHLCERT01-CA
  NotBefore: 6/30/2015 12:58 PM
  NotAfter: 6/30/2035 1:08 PM
  Subject: CN=PHLCERT01-CA
  Serial: 3c41ae9e5c1c56964d80c2d1848531ee
  Cert: 483c8163ac0db3ff24199546a4548e757e992755
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: 88452600745c160aeec7f24682f4f58656d2d101
Full chain:
  Chain: 2d572c64b2648c5b8d901a4ffd1dea495e03c430
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

C:\Users\administrator.BPGLTD>certutil
Entry 0:
  Name:                         "PHLCERT01-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "PHLMON03.BPGLTD.com\PHLCERT01-CA"
  Exchange Certificate:         ""
  Signature Certificate:        ""
  Description:                  ""
  Server:                       "PHLMON03.BPGLTD.com"
  Authority:                    "PHLCERT01-CA"
  Sanitized Name:               "PHLCERT01-CA"
  Short Name:                   "PHLCERT01-CA"
  Sanitized Short Name:         "PHLCERT01-CA"
  Flags:                        "1"
  Web Enrollment Servers:       ""

Entry 1: (Local)
  Name:                         "BPGLTD-PHLCERT02-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "PHLCERT02.BPGLTD.com\BPGLTD-PHLCERT02-CA"
  Exchange Certificate:         ""
  Signature Certificate:        "PHLCERT02.BPGLTD.com_BPGLTD-PHLCERT02-CA.crt"
  Description:                  ""
  Server:                       "PHLCERT02.BPGLTD.com"
  Authority:                    "BPGLTD-PHLCERT02-CA"
  Sanitized Name:               "BPGLTD-PHLCERT02-CA"
  Short Name:                   "BPGLTD-PHLCERT02-CA"
  Sanitized Short Name:         "BPGLTD-PHLCERT02-CA"
  Flags:                        "13"
  Web Enrollment Servers:       ""

Entry 2:
  Name:                         "PHLCERT01-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "phlcert01\PHLCERT01-CA"
  Exchange Certificate:         ""
  Signature Certificate:        "phlcert01_PHLCERT01-CA.crt"
  Description:                  ""
  Server:                       "phlcert01"
  Authority:                    "PHLCERT01-CA"
  Sanitized Name:               "PHLCERT01-CA"
  Short Name:                   "PHLCERT01-CA"
  Sanitized Short Name:         "PHLCERT01-CA"
  Flags:                        "20"
  Web Enrollment Servers:       ""
CertUtil: -dump command completed successfully.



Upgrading offline root CA in two tier environment?


Hi, our root and issuing CAs need renewing because the lifetime is being reduced.

The current offline root CA is based on Windows 2003, which does not support SHA-2. So I had a clever idea to set up a new root (Windows 2019).

I have done so now and published the new root certificate and CRL in the domain.

However, I am very uncertain what will happen now if I choose to renew the publishing CA (intermediate) with the new root. I am not going to revoke any older root or intermediate, since they have not been compromised.

We rely on device certificates that have been issued with the older root.

In NPS, when it renews the RAS certificate, it will not be the same chain, for example?

A little guidance here would be very much appreciated.

Force check User Account in Forest not in local domain -- consideration / advice


hello everyone,

I have been tasked to design a forest with an independent IT structure.

We designed a parent/child forest. Now I want to create rules for making new user accounts in the domains.

First of all, I want to know whether any proposals or samples exist for step-by-step creation of new user accounts in an enterprise forest. What is your advice for this scenario?

Second, if I want to make a user account in domain A.mydomian.com, how can I check that it does not exist in another domain, for example in B.mydomian.com or C.mydomian.com? Actually I want to check a unique ID in the forest, not at the domain level. (How can I do it?)
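One way to perform the forest-wide check the post asks about, as an added example (not from the post): query a Global Catalog on port 3268, which holds a partial replica of every domain's objects, with an empty search base so the whole forest is searched. It assumes the ActiveDirectory module; the forest name and the account values are placeholders.

```powershell
# Added example, not from the original post. Checks whether a proposed account
# name is already used anywhere in the forest by querying a Global Catalog on
# port 3268. sAMAccountName only has to be unique per domain, while the UPN
# must be unique across the forest, so both are checked. Assumes the
# ActiveDirectory module; forest and account values are placeholders.
Import-Module ActiveDirectory

function Test-ForestAccountUnique {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$UserPrincipalName,
        [string]$Forest = (Get-ADForest).Name
    )
    # Escape RFC 4515 filter metacharacters so a supplied name cannot alter the query.
    $esc = { param($s) $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' }

    $filter = "(|(sAMAccountName=$(& $esc $SamAccountName))"
    if ($UserPrincipalName) { $filter += "(userPrincipalName=$(& $esc $UserPrincipalName))" }
    $filter += ')'

    # Locate any GC in the forest; an empty SearchBase against the GC port searches all partitions.
    $gc   = "$((Get-ADDomainController -Discover -DomainName $Forest -Service GlobalCatalog).HostName):3268"
    $hits = @(Get-ADObject -Server $gc -SearchBase '' -SearchScope Subtree `
                -LDAPFilter $filter -Properties sAMAccountName, userPrincipalName)

    [pscustomobject]@{
        Unique    = ($hits.Count -eq 0)
        Conflicts = $hits | Select-Object DistinguishedName, sAMAccountName, userPrincipalName
    }
}

# Example run with placeholder values; create the account only when Unique is $true.
Test-ForestAccountUnique -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@mydomian.com' |
    Format-List
```

Because the GC replica is not instantly consistent, two administrators creating the same name in different domains at the same moment can still both pass this check; a single provisioning process (or a lock around it) is what makes the rule enforceable.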


