Channel: Directory Services forum
Viewing all 31638 articles

Issue with workstations domain membership


I posted a similar question a few weeks ago but eventually closed that question.  I had the issue come up again so I decided to post another question.  I hope I can determine what is going on this time.

I have a problem that is occurring randomly on my Windows workstations (Windows 10 is all we have).  Every so often a workstation will seem to lose its connection to the domain.  I know that sounds odd because it is.  I first notice it if a user complains about their network drives going missing.  When I look at the machine I also notice that when going to Computer Management, Local Users and Groups, the domain accounts show up as not recognizable.

This is a Windows domain with 3 Windows 2008r2 DC's and one Windows 2016 DC.

Symptoms: 
1- network drives don't show up in File Explorer
2- when going to Computer Management, Local users and groups, Groups, any group with a domain account....the account is not recognizable.  Looks like this... S-1-5-21-1392988177-2029604534-620655208-512

The computer user is able to login and access resources.  For the most part everything works ok. 

It is like the workstation has partially lost its connection to the domain.

Resolution:  to resolve the problem I have been unjoining the computer from domain and then join it back again.  This corrects the problem for the time being.  However, it is happening randomly to my workstations and has happened more than once on a few of them.  I need to determine what is causing this.  Thanks for any help.

One more thing.  It has happened to my system at least twice.  My system is a laptop and I take it offsite to other company offices.  It seems like it has happened to me after I return to the main office and boot up here.  Not sure this matters.




Temporary Admin privilege


Hello, 

I read in multiple security articles that system admins often give temporary admin privilege to standard domain users (e.g., developers may need temporary access to advanced settings for testing purposes, etc.), but I never came across a name. Is there any application/service/example in particular (like Exchange, O365, etc.) that will require users to have temporary admin privilege?

P.S.: Just for my knowledge, so I know why exactly this function is needed :P


Windows cannot create the object error while creating an OU


Hi All,

The error mentioned below is thrown while creating an OU under a child domain. There is no OU with that name, but we are still getting the error. Is there anywhere we can check it?

Error:

Windows cannot create the object "name" because:
An attempt was made to add an object to the directory with a name that is already in use.

DNS replication server


Hello,

We are using 3 domain servers. If we run the repadmin /showrepl command, every status shows success, but the SYSVOL policy folder does not replicate properly.

Please suggest.

Thank you in advance.


Lakhan Sawant

Password change


Hi,

We have 1 PDC and 2 backup domain servers.

If I change the domain administrator password, will it take effect across the whole domain?


Lakhan

DNS Delegation, authoritative zones


Hi,

I am promoting a new W2019 to a DC and getting warning messages in the images below. Could you suggest what I should do about those?


MK


Error while installing feature ADDC


Greetings All,

I was installing the feature of ADDC and DNS to Windows server 2016. The feature did not install and got this error. The referenced assembly could not be found. Error: 0x80073701

Thanks

Active directory design and SD-WAN- Windows 2016 or above



We need to work out Active Directory design considerations for a new setup wherein the company wants to have a DC and ADC in the datacenter and is implementing SD-WAN to connect across branch locations.

Previously there were no centralized authentication methods in place.

The company doesn't need a read/write DC at the branches, only an RODC. Just wondering if we must have one RODC per site/branch. If the RODC goes down, how will logon/DNS resolution work? Do we need to define logical sites/replication?

File and print servers will be local to each branch.

IP allocation configuration/DHCP? Still to be decided.

From an Active Directory design perspective, do we need to have different IP subnets for each branch?



DNS - Which DNS is being used?


Hello!

We have an on-prem DC01 2016 which is running DHCP and AD-integrated DNS and provides IPs, DNS, etc., and all is working fine. It gives out 2 DNS addresses, pDNS and sDNS: DC01 as pDNS and DC02 as sDNS.

If it was giving out only one pDNS I would know my clients are using this server as the DNS. Since it is giving out 2 DNS servers, how do I know which DNS server is REALLY being used by the clients (member servers mostly)?  I know clients should go for the pDNS first and then sDNS, but is there a way we can find out from the client side which DNS server is really being used?

Thank you in advance.

Login is from an untrusted domain


Hi

I have searched all over the internet for an answer so hopefully someone here can help.

I have an SQL 2017 server set to use Windows or SQL authentication.

The DBs that are on it work fine using either authentication method on the LAN.

My issue is that when a user tries to connect over our VPN it will fail with the above error message that the login is from an untrusted domain.

However, if I use an SQL credential (SA) it connects with no issues.

Both server and PC are on the same domain and the PC is regularly connected to the LAN during the day; it's just when they go home and use the VPN that it doesn't work and I get this untrusted domain error. This happens for all users over VPN.


Why are my users locking their accounts with no trace on why?


I have the following GP/Advanced Audit:



Logon/Logoff
  Logon                                   Success and Failure
  Account Lockout                         Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure

Detailed Tracking
  Process Creation                        Success

Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Application Group Management            Success
  Other Account Management Events         Success

DS Access
  Directory Service Changes               Success
  Directory Service Access                Success and Failure

Account Logon
  Other Account Logon Events              Success and Failure
  Credential Validation                   Success and Failure

Recently, some users are complaining about accounts being locked several times a day.

But despite the proper configurations, searching the Event Viewer logs, I can find the 4740 event, showing exactly when the account has been locked, but I can't find any evidence of ANY of the 5 times required to lock an account at ANY DC available. No 4625 events were found.

If I create a test user and force the user to fail several times, all proper events 4625 & 4740 show up in the logs with no problem, so auditing is OK.

At Office 365, there are no login failures, only successful login events, so the lockout is not coming from O365 back to my on-premises AD/DC.

What else can I do?

In AzureADSync, nothing useful (and the log capabilities are terrible), and my PDC emulator shows the lockout with the ALTools/Account Lockout Tool as the lockout propagates through the replication process, nothing wrong.

The local user's machine has some events, but again, only successful events, including the .EXE name responsible for the login, but no failure events are shown.

What else can I do? What am I missing here?

Active Directory in DMZ


Hi expert

We have the scenario below:

1- We need to have an FTP server in our DMZ for internal and external users.

2- AD users are authenticated in the DMZ to access their files and folders on the DMZ server.

3- I have no idea about external users!

So what is the best solution for our scenario to have AD authentication on the DMZ server without security issues?

Should I use an RODC?

Please let me know if you have any idea or if I'm on the wrong path!

Thank you in advance.


Password change issue


Hi All,

We are facing a strange issue with our Active Directory built on Windows Server 2016.

Users are not able to change their password when it is expired.

However, if we reset it from the AD console and force a change at next logon, users are able to change their passwords.

But they are not able to change it using CTRL+ALT+DEL.

Our password complexity settings are as per the standards.

Enforce Password history = 12

Maximum Password age = 60 Days

Minimum Password age = 5 days (I have also changed it to 1 and 0)

Minimum Password length = 8 

Password must meet complexity requirements = Enabled

Store password using reversible encryption= Disabled

Any help will be appreciated.

Thanks 

I want to create one delegate permission with custom role


Hi Support,

I want to create one delegated permission where the user has permission to manage one OU, join client PCs to the domain, and change the client PC network adapter settings.

I don't want to grant admin roles to any of the users. Please help by sharing the permission.

Is it a good idea to set up a dedicated Hyper-V Domain Controller on Hyper-V Server?


Hello!

OS: Windows Server 2016 Std

I know that there are a lot of articles suggesting, as a best practice, not to have DC roles on the Hyper-V server.

Is it a good idea to have a dedicated DC for Hyper-V on the Hyper-V server?



How to get a list of active users with details like samaccountname, name, department, job title, email in Active Directory?

How to get a list of active users with details like samaccountname, name, department, job title, email in Active Directory?

Active directory reports


Hi,

I need a free, full-function AD reporting tool. I am using the 30-day trial of ADManager Plus.

Does anyone know of any Microsoft tools available for detailed reporting?

I used CSVDE. It gives more details, but I don't know how to filter them, and the whencreated and whendeleted timings are also not showing properly.

Kindly help me.

Thanks

Replace SBS 2011 Essentials with new Domain Controller running Server 2019 Datacenter


I am in a home environment with SBS 2011 Essentials running as the DC, AD, and file server. I would like to retain the domain name, retire the old server and replace it with one running a fresh install of 2019 Datacenter. In 2011, in SBS, I named my domain JNET and .local came afterwards. Not knowing better, I left it. I read several articles yesterday about how retaining ".local" is a bad idea and one should use an actual domain you own. I own several, so that is not an issue, but I don't want to have to rejoin a new domain as I know it requires you to create a new user on your PC, which may not be a huge deal.

I have a couple of questions I was hoping someone could answer:

  1. Do I have to retain the old server name? I would prefer to rename it
  2. If I keep JNET.local, will that hurt anything? The biggest complaint I saw was that a certificate authority would not issue you an SSL certificate if you had a .local. I am at home and a learning novice so I am not sure if I will ever need a certificate, but if I do, I would hate to have pigeonholed myself out of one.
  3. One PC username is username.JNET. If I name the domain JNET.domainIown.com, will that mean all the PCs in the house have to join a new network? Will it also mean that the users under C:\users will change from username.JNET?
  4. Since I have Datacenter, and can install unlimited VMs with Hyper-V, I want to build correctly so that I learn better. Would it be better to have a VM with the role of AD, or is it OK to put AD as a role on my new DC?

Thanks in advance!


Active Directory and Windows Server 2019


Hi,

Is there any impact if I migrate my domain controller directly from Windows 2008 R2 to Windows 2019?

Any feedback please?

Windows Server 2016 error 1864.. How to fix it?


Hello Microsoft Community,

I had this error before and after performing D2/D4 to recreate Sysvol and Netlogon folders.

https://social.technet.microsoft.com/Forums/office/cs-CZ/8f38bdaa-28d8-4546-b6b4-45f4a31dbd8d/3-replication-errors-after-performing-d2d4?forum=ws2016

I managed to recreate the folders but unfortunately the 1864 error kept occurring every 24 hrs.

Also I tried:

https://social.technet.microsoft.com/Forums/windows/en-US/068065fa-bfe4-452c-bd3b-aa2055a99b12/broken-dns-delegation?forum=winserverNIS

It did not help me.

List of tests that I was advised to do:

https://1drv.ms/u/s!AmqLiXvrm2MTggokH1Zpc7CFtoEe?e=v7WoDx

I don't really know what to do, so if anyone may give me any directions it will be awesome.

