Channel: Directory Services forum

Why are my users locking their accounts with no trace on why?


I have the following GP/Advanced Audit:



Logon/Logoff
  Logon                                   Success and Failure
  Account Lockout                         Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure

Detailed Tracking
  Process Creation                        Success

Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Application Group Management            Success
  Other Account Management Events         Success

DS Access
  Directory Service Changes               Success
  Directory Service Access                Success and Failure

Account Logon
  Other Account Logon Events              Success and Failure
  Credential Validation                   Success and Failure

Recently, some users are complaining about accounts being locked several times a day.

But despite the proper configuration, searching the Event Viewer logs, I can find the 4740 event, showing exactly when the account was locked, but I can't find any evidence of ANY of the 5 attempts required to lock an account on ANY DC available. No 4625 events were found.

If I create a test user and force the user to fail several times, all the proper events (4625 & 4740) show up in the logs with no problem, so auditing is OK.

At Office 365 there are no login failures, only successful login events, so the lockout is not coming from O365 back to my on-premises AD/DC.

What else can I do?

In Azure AD Sync, nothing useful (and the log capabilities are terrible), and my PDC emulator shows the lockout with the ALTools/Account Lockout Tool as the lockout propagates through the replication process; nothing wrong there.

The local user's machine has some events, but again only successful events, including the .EXE name responsible for the login; no failure events are shown.

What else can I do? What am I missing here?
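The hunt this post describes, written up as an added PowerShell example (not code from the original post). It pulls every 4740 from the PDC emulator and reads the "Caller Computer Name" field that 4740 carries, then queries every writable DC for the failed-authentication events that accompany a lockout: 4625 where the logon was attempted against the DC itself, 4776 for NTLM credential validation, and 4771 for Kerberos pre-authentication failures. One caveat worth knowing before reading the output: 4771 is only written when the "Kerberos Authentication Service" subcategory under Account Logon is enabled, and that subcategory is not in the audit list above, so a Kerberos client retrying an old password against a DC leaves no 4771 behind under this configuration. The account name, the 24-hour window and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example: trace an account lockout back to its source from the DC security logs.
# Assumptions (not from the original post): the ActiveDirectory module is installed, the
# caller can read the Security log on every DC, and 'jdoe' is a constructed sample account.
Import-Module ActiveDirectory

$User   = 'jdoe'
$Since  = (Get-Date).AddHours(-24)
$Domain = Get-ADDomain

# Turn the XML payload of a Security event into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# 1. 4740 is always logged on the PDC emulator, whichever DC saw the bad password.
#    In 4740 the 'Caller Computer Name' is carried in the TargetDomainName field.
$lockouts = Get-WinEvent -ComputerName $Domain.PDCEmulator -FilterHashtable @{
                LogName = 'Security'; Id = 4740; StartTime = $Since
            } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Caller = $d['TargetDomainName'] }
    } | Where-Object { $_.User -ieq $User }

# 2. Ask every writable DC for the failures that precede a lockout:
#    4625 = failed logon on the DC itself, 4771 = Kerberos pre-auth failure (needs the
#    'Kerberos Authentication Service' subcategory), 4776 = NTLM credential validation
#    failure (Status 0xC000006A = wrong password, 0xC0000234 = account already locked).
$failures = foreach ($dc in $Domain.ReplicaDirectoryServers) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        # The three events name the client in different fields; take whichever is present.
        $source = @($d['Workstation'], $d['WorkstationName'], $d['IpAddress']) |
                  Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Time   = $_.TimeCreated; DC = $dc; Id = $_.Id
            User   = $d['TargetUserName']; Source = $source
            Status = if ($d['SubStatus']) { $d['SubStatus'] } else { $d['Status'] }
        }
    } | Where-Object { $_.User -ieq $User }
}

'Lockouts (from the PDC emulator):'
$lockouts | Sort-Object Time | Format-Table -AutoSize
'Failed authentications for the same account on all DCs:'
$failures | Sort-Object Time | Format-Table -AutoSize
# Caller is the machine that submitted the bad password to a DC. The 4625 for that attempt
# is written on that machine, not on the DC; the DC side shows up as 4771 or 4776.
```

The Caller column is the lead to follow when the failures table stays empty: it names the host that presented the credential, which is also where the process responsible for it (a scheduled task, a mapped drive, a service running under the user) has to be found.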


Issue with workstations domain membership


I posted a similar question a few weeks ago but eventually closed that question.  I had the issue come up again so I decided to post another question.  I hope I can determine what is going on this time.

I have a problem that is occurring randomly on my Windows workstations (Windows 10 is all we have). Every so often a workstation will seem to lose its connection to the domain. I know that sounds odd, because it is. I first notice it if a user complains about their network drives going missing. When I look at the machine I also notice that when going to Computer Management, Local Users and Groups, the domain accounts show up as not recognizable.

This is a Windows domain with 3 Windows 2008 R2 DCs and one Windows 2016 DC.

Symptoms: 
1- network drives don't show up in File Explorer
2- when going to Computer Management, Local Users and Groups, Groups, any group with a domain account: the account is not recognizable. It looks like this: S-1-5-21-1392988177-2029604534-620655208-512

The computer user is able to login and access resources.  For the most part everything works ok. 

It is like the workstation has partially lost its connection to the domain.

Resolution:  to resolve the problem I have been unjoining the computer from domain and then join it back again.  This corrects the problem for the time being.  However, it is happening randomly to my workstations and has happened more than once on a few of them.  I need to determine what is causing this.  Thanks for any help.

One more thing.  It has happened to my system at least twice.  My system is a laptop and I take it offsite to other company offices.  It seems like it has happened to me after I return to the main office and boot up here.  Not sure this matters.
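A diagnostic an admin would run on one of the affected workstations, as an added example (not from the post). It checks whether the machine's secure channel to the domain is intact, which DC the locator currently hands back, whether the unresolved SID quoted above can be translated, and how old the computer account password is. The domain name is read from the machine; the only assumption is that RSAT's ActiveDirectory module is present on the workstation for the password-age lookup.

```powershell
# Added example: check a workstation's standing with its domain when domain SIDs stop resolving.
# Run elevated on the affected workstation. Assumption (not from the post): RSAT's ActiveDirectory
# module is installed on the workstation for the PasswordLastSet lookup; the rest is built in.
$cs = Get-CimInstance Win32_ComputerSystem
"Computer {0}, domain member: {1}, domain: {2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain

# 1. Secure channel: the machine account password held locally must match the one in AD.
$scOk = Test-ComputerSecureChannel -Verbose
"Secure channel to $($cs.Domain) intact: $scOk"

# 2. Which DC does the locator return right now, and which DC is the secure channel bound to?
#    A laptop that roamed to another office can come back bound to a DC it can no longer reach.
nltest "/dsgetdc:$($cs.Domain)" /force
nltest "/sc_query:$($cs.Domain)"

# 3. Translate the SID seen in Computer Management. RID 512 is the domain's Domain Admins group;
#    translation fails when the workstation cannot reach a DC for that domain.
$sid = 'S-1-5-21-1392988177-2029604534-620655208-512'    # value quoted in the post
try   { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
catch { "Cannot translate $sid : $($_.Exception.Message)" }

# 4. Age of the computer account password in AD (rotated every 30 days by default).
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
Get-ADComputer $env:COMPUTERNAME -Properties PasswordLastSet, OperatingSystem, LastLogonDate |
    Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem

# 5. Only if the secure channel is broken: reset the machine account password in place
#    instead of unjoining and rejoining (prompts for an account allowed to reset it).
if (-not $scOk) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose
}
```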



Force check User Account in Forest not in local domain -- consideration / advice


Hello everyone,

I have been tasked to design a forest with an independent IT structure.

We designed a parent/child forest. Now I want to create rules for making new user accounts in the domains.

First of all, I want to know if any proposals or samples exist for step-by-step creation of new user accounts in an enterprise forest. What is your advice for this scenario?

Second, if I want to make a user account in domain A.mydomian.com, how can I check that it does not exist in another domain, for example in B.mydomian.com or C.mydomian.com? Actually I want to check the unique ID at forest level, not domain level. (How can I do it?)
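The forest-wide check asked for in the second question, as an added PowerShell example (not from the post). Instead of querying the local domain's LDAP port, it queries a Global Catalog on port 3268, which holds a partial copy of every domain partition in the forest; sAMAccountName and userPrincipalName are both in the partial attribute set, so one query covers A, B and C. The account values, the forest layout (child domains under the root DN, as in the question) and the ActiveDirectory module are assumptions.

```powershell
# Added example: check that a proposed sAMAccountName / UPN is not already used anywhere in the
# forest by querying a Global Catalog (port 3268) instead of the local domain's LDAP port.
# Assumptions (not from the post): ActiveDirectory module available; a contiguous forest
# (child domains under the root DN, as A/B/C.mydomian.com in the question); sample names.
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515), so a name cannot alter the query.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-ForestIdentityUnique {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $forest = Get-ADForest
    $gc     = "$($forest.GlobalCatalogs | Select-Object -First 1):3268"
    $rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

    # AD itself only requires sAMAccountName to be unique per domain and UPN per forest;
    # a forest-wide naming rule for new accounts checks both against the GC.
    $sam  = ConvertTo-LdapFilterValue $SamAccountName
    $upn  = ConvertTo-LdapFilterValue $UserPrincipalName
    $hits = Get-ADObject -Server $gc -SearchBase $rootDn -SearchScope Subtree `
                -LDAPFilter "(&(objectCategory=person)(|(sAMAccountName=$sam)(userPrincipalName=$upn)))" `
                -Properties sAMAccountName, userPrincipalName, canonicalName

    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        UserPrincipalName = $UserPrincipalName
        IsUnique          = -not $hits
        # canonicalName gives the domain/OU path of each existing account, e.g. B.mydomian.com/Users/jsmith
        Conflicts         = @($hits | ForEach-Object { $_.canonicalName })
    }
}

# Usage: gate the account creation in domain A on the forest-wide check.
$check = Test-ForestIdentityUnique -SamAccountName 'jsmith' -UserPrincipalName 'jsmith@mydomian.com'
$check | Format-List
if ($check.IsUnique) {
    New-ADUser -Name 'John Smith' -SamAccountName 'jsmith' -UserPrincipalName 'jsmith@mydomian.com' `
        -Server 'A.mydomian.com' -WhatIf   # drop -WhatIf to create the account
}
```

The GC only answers for attributes in the partial attribute set, so a rule that also wants, say, employeeID to be unique has to query each domain's own LDAP port in turn.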



Failed to open the group policy object. you may not have appropriate rights


We have a parent domain, which is Parent.com, and then a child domain, which is Child.parent.com. We are currently facing the issue in the child domain only. All GPOs in the child domain are fine except the ones linked to Sites. When I try to edit any Site-level policy I get the error below. I tried using Process Explorer and figured out that it's trying to find the policy at \\PDC_Server.parent.com\sysvol\Child.parent.com\policies\{GUID}\user\registry.pol

Result shows: Path not found (because it's looking for the child domain folder under sysvol in the parent)

Any ideas? I've checked permissions and I do have all permissions to open and edit this policy.
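An added PowerShell example (not from the post) for inventorying site-linked GPOs in a multi-domain forest. Site objects live in the Configuration partition and are forest-wide, but each GPO's container and its SYSVOL folder live in the domain where the GPO was created, so the script parses every site's gPLink, derives the owning domain from the GPO's DN, and tests whether the SYSVOL path in that domain actually exists. It assumes the ActiveDirectory and GroupPolicy modules are available.

```powershell
# Added example: list the GPOs linked to each AD site and show which domain actually stores each one.
# Site links live in the Configuration partition (forest-wide), but a GPO's container and its SYSVOL
# folder live in the domain where it was created, so a site-linked GPO may belong to either domain.
# Assumptions (not from the post): ActiveDirectory and GroupPolicy modules available.
Import-Module ActiveDirectory, GroupPolicy

$cfg   = (Get-ADRootDSE).configurationNamingContext
$sites = Get-ADObject -SearchBase "CN=Sites,$cfg" -SearchScope OneLevel `
             -LDAPFilter '(objectClass=site)' -Properties gPLink

$report = foreach ($site in $sites) {
    if (-not $site.gPLink) { continue }
    # gPLink is one string of [LDAP://<gpo DN>;<options>] entries; options bit 0 = link disabled, bit 1 = enforced.
    foreach ($m in [regex]::Matches($site.gPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $gpoDn  = $m.Groups[1].Value
        $opts   = [int]$m.Groups[2].Value
        $guid   = [regex]::Match($gpoDn, '\{[0-9a-fA-F-]{36}\}').Value
        # Rebuild the owning domain's DNS name from the DC= components of the GPO DN.
        $domain = (($gpoDn -split ',' | Where-Object { $_ -match '^DC=' }) -replace '^DC=', '') -join '.'
        $gpo    = $null
        try { $gpo = Get-GPO -Guid $guid.Trim('{}') -Domain $domain -ErrorAction Stop } catch { }
        $sysvol = "\\$domain\SYSVOL\$domain\Policies\$guid"
        [pscustomobject]@{
            Site        = $site.Name
            GpoName     = if ($gpo) { $gpo.DisplayName } else { '(not found in ' + $domain + ')' }
            GpoDomain   = $domain
            LinkEnabled = -not ($opts -band 1)
            Enforced    = [bool]($opts -band 2)
            SysvolPath  = $sysvol
            SysvolFound = Test-Path -Path $sysvol
        }
    }
}
$report | Format-Table -AutoSize
```

A row whose GpoDomain differs from the domain you are editing from is a GPO that must be opened in GPMC with that other domain selected; a row with SysvolFound false is a SYSVOL problem in the owning domain rather than a permissions problem.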




Creating kerberos realm for publicly routeable domain?


I'm attempting to validate whether we can use PKINIT for SSO with ADFS to O365. I've run into an issue: because our UPN suffixes are set to the publicly routable domain, we cannot request Kerberos tickets for them. So far I've created the necessary DNS entries to get the client to the domain controller; however, we get a KDC_ERR_WRONG_REALM error back from the KDC. This makes perfect sense, of course, as the domain controller doesn't know anything about our external domain. However, is there a way to get around this with realm mapping? If so, what do we need to do, or are there any other solutions?

Thanks,

David

Questions regarding doing in-place upgrade to Server 2012


My network has a Windows Server 2008r2 server that I would like to do an in-place upgrade to server 2012r2.  I have read several articles that discuss doing this type of upgrade and most say unless your existing server is experiencing technical issues an in-place upgrade should work ok. 

I believe my Dell server is a good candidate for Server 2012r2.  What does anyone have to say about this?  The good the bad and the ugly?

RODC in place upgrade recommendations


Hi All,

We have a client with 20 domain controllers in the data center and 500 RODCs on Windows 2008 R2. They want to introduce Windows 2012 R2 domain controllers in the data center and perform a Windows 2012 R2 in-place upgrade on all 500 RODCs. I would like to know the recommendations for an in-place upgrade of 500 RODCs. All RODCs are VMs.

Please help by providing the best practice and recommended approaches.

Thanks and Regards,

Hariharan

Active Directory - Lowering the FFL/DFL


Hi all,

I have two on-prem Exchange environments: the legacy Exchange 2007 SP3 RU16 (empty databases, no PF), and our production Exchange 2013 CU22 infrastructure, which holds 1,400 mailboxes. We need to retire the legacy, empty Exchange 2007 SP3 RU16 only. We are keeping the Hybrid infrastructure for the foreseeable future, as we're moving to Exchange Online in 4Q.

Since we need to retire only the legacy Exchange 2007 SP3 RU16 infrastructure, and our current AD structure is a mix of Windows 2012 R2 and Windows 2019 Datacenter with a FFL/DFL of Windows 2012 R2, will it be possible to uninstall the legacy Exchange 2007 SP3 RU16 infrastructure if we lower the FFL/DFL to Windows 2008 R2?

Also, if anybody has a list of known issues or caveats to lowering the FFL/DFL from Win2012R2 to Win2008R2, that would be helpful.

Thanks in advance for any help.
SomeCallMeTim

Active directory design and SD-WAN- Windows 2016 or above



We need to work out Active Directory design considerations for a new setup where the company wants to have a DC and ADC in the data center and is implementing SD-WAN to connect across branch locations.

Previously there was no centralized authentication method in place.

The company doesn't need read/write DCs in the branches, only RODCs. Just wondering if we must have one RODC per site/branch; if the RODC goes down, how will logon/DNS resolution work? Do we need to define logical sites/replication?

File and print servers will be local to each branch.

IP allocation configuration/DHCP is still to be decided.

From an Active Directory design perspective, do we need to have different IP subnets for each branch?


Updating UPN suffix


Hi team,

I need to change the UPN suffix for a set of users.

Is there any command to update it through PowerShell or AD commands?


Thanks SUBBU.T
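The bulk change asked for above, as an added PowerShell example (not from the post). It scopes the users by OU and current suffix, refuses to run unless the new suffix is either a forest domain or registered in the forest's UPN suffix list, checks each new UPN against a Global Catalog because UPNs must be unique forest-wide, and writes the old values to a CSV so the change can be reverted. The suffix names, the OU and the log path are constructed.

```powershell
# Added example: rewrite the UPN suffix for all users in one OU, with a forest-wide uniqueness check
# and a CSV of the old values so the change can be reverted. Runs as -WhatIf unless -Apply is given.
# Assumptions (not from the post): ActiveDirectory module; suffixes, OU and log path are constructed.
Import-Module ActiveDirectory

function Update-UpnSuffix {
    param(
        [Parameter(Mandatory)][string]$OldSuffix,
        [Parameter(Mandatory)][string]$NewSuffix,
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$LogPath = "$env:TEMP\upn-change.csv",
        [switch]$Apply
    )
    $forest = Get-ADForest
    # A UPN suffix has to be a domain in the forest or registered on the forest (Active Directory
    # Domains and Trusts > UPN Suffixes, i.e. the upnSuffixes attribute) before it can be assigned.
    if ($NewSuffix -notin $forest.Domains -and $NewSuffix -notin $forest.UPNSuffixes) {
        throw "Suffix '$NewSuffix' is neither a forest domain nor a registered UPN suffix. Register it with: Set-ADForest -UPNSuffixes @{Add='$NewSuffix'}"
    }
    $gc     = "$($forest.GlobalCatalogs | Select-Object -First 1):3268"
    $rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

    $users = Get-ADUser -SearchBase $SearchBase -Filter "UserPrincipalName -like '*@$OldSuffix'" -Properties UserPrincipalName
    $log = foreach ($u in $users) {
        $newUpn = $u.UserPrincipalName -replace ('@' + [regex]::Escape($OldSuffix) + '$'), "@$NewSuffix"
        # UPNs must be unique across the forest: ask a Global Catalog before touching the account.
        $clash  = Get-ADUser -Server $gc -SearchBase $rootDn -Filter "UserPrincipalName -eq '$newUpn'"
        $result = if ($clash)   { "SKIPPED: $newUpn already used by $($clash.DistinguishedName)" }
                  elseif ($Apply) { Set-ADUser -Identity $u -UserPrincipalName $newUpn; 'CHANGED' }
                  else            { Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf; 'WHATIF' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            OldUpn         = $u.UserPrincipalName
            NewUpn         = $newUpn
            Result         = $result
        }
    }
    $log | Export-Csv -Path $LogPath -NoTypeInformation   # OldUpn column is the rollback record
    $log
}

# Dry run first, then the real change with -Apply:
Update-UpnSuffix -OldSuffix 'corp.local' -NewSuffix 'contoso.com' -SearchBase 'OU=Sales,DC=corp,DC=local' | Format-Table -AutoSize
# Update-UpnSuffix -OldSuffix 'corp.local' -NewSuffix 'contoso.com' -SearchBase 'OU=Sales,DC=corp,DC=local' -Apply
```

If the accounts are synchronised to Azure AD, the new suffix also has to be a verified domain in the tenant before the sync runs, otherwise the cloud UPN falls back to the onmicrosoft.com domain.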

Change on-premises domain name from .net to .com


Hello,

I am reading some articles where you can change the AD DNS suffix for all the users, but I am not finding what I am looking for: changing the domain name, hence also changing the DNS suffix, if I am not mistaken.

I would need to change my domain name from .net to .com.

Is that possible? All I am finding is how to change the DNS suffix for all the users or for a specific set.

Thanks in advance.


Luis Olías.

GUI tool to create users


I'm interested in creating Active Directory users through a customized GUI, where I can fill in only some fields like user password, source OU, target OU, user home directory, and other AD fields.

What tool can I use to build this graphical tool to create AD users? Suggestions?

DNS replication server


Hello ,

We are using 3 domain servers. If I run the repadmin /showrepl command there, every status shows success, but the SYSVOL policy folder does not replicate properly.

Please suggest.

thank you in advance


Lakhan Sawant

DNS Delegation, authoritative zones


Hi,

I am promoting a new W2019 server to a DC and getting the warning messages in the images below. Could you suggest what I should do about those?


MK


Unable to Start AD Certificate Services


Hello,
I receive the following error when starting ADCS.

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. BPGLTD-PHLCERT02-CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

I can start the service after executing "certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE", but that is not ideal.

I ran certutil on the SubCA Cert (I have a 2 tier, offline root CA) and the only error is related to "Wrong Issuer".

If I run just certutil, I see remnants of an old CA which was removed (PHLMON03) using the link below.

https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx

Any help or next steps would be greatly appreciated.

C:\Users\administrator.BPGLTD>certutil -verify -urlfetch c:\Users\administrator.BPGLTD\Desktop\phlcert02.cer
Issuer:
    CN=PHLCERT01-CA
  Name Hash(sha1): ab8ddcb27b2a64e7a6225b62ba2ea82b673404c1
  Name Hash(md5): ebb9c17263d1ef40d50de13975e6a861
Subject:
    CN=BPGLTD-PHLCERT02-CA
    DC=BPGLTD
    DC=com
  Name Hash(sha1): 7b76c3b45a13d912a9cea0d1c8d350c398c0e2ee
  Name Hash(md5): 3c9e995bf348ba7e480701bf5cc0f3d0
Cert Serial Number: 6946f31d000100000009

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 20 Minutes

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 20 Minutes

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=PHLCERT01-CA
  NotBefore: 6/30/2015 1:37 PM
  NotAfter: 6/30/2025 1:47 PM
  Subject: CN=BPGLTD-PHLCERT02-CA, DC=BPGLTD, DC=com
  Serial: 6946f31d000100000009
  Template: SubCA
  Cert: 7da4c19973befb78e1f5eed78e50e849ab81ae25
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0 7c8f12418d8fdfca82e8422692b719c37f2b290f
    [0.0] ldap:///CN=PHLCERT01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0 483c8163ac0db3ff24199546a4548e757e992755
    [0.1] ldap:///CN=PHLCERT01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0 483c8163ac0db3ff24199546a4548e757e992755
    [1.0] http://pki.bpgltd.com/CertEnroll/phlcert01_PHLCERT01-CA(1).crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (1b)" Time: 0 862492913b0dac9187385932ec341c354cafa30d
    [0.0] ldap:///CN=PHLCERT01-CA(1),CN=phlcert01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Bpgltd,DC=Com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Base CRL (1b)" Time: 0 862492913b0dac9187385932ec341c354cafa30d
    [1.0] http://pki.bpgltd.com/CertEnroll/PHLCERT01-CA(1).crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 1b:
    Issuer: CN=PHLCERT01-CA
    ThisUpdate: 7/31/2019 9:14 AM
    NextUpdate: 1/31/2020 9:34 PM
    CRL: 862492913b0dac9187385932ec341c354cafa30d

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=PHLCERT01-CA
  NotBefore: 6/30/2015 12:58 PM
  NotAfter: 6/30/2035 1:08 PM
  Subject: CN=PHLCERT01-CA
  Serial: 3c41ae9e5c1c56964d80c2d1848531ee
  Cert: 483c8163ac0db3ff24199546a4548e757e992755
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: 88452600745c160aeec7f24682f4f58656d2d101
Full chain:
  Chain: 2d572c64b2648c5b8d901a4ffd1dea495e03c430
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

C:\Users\administrator.BPGLTD>certutil
Entry 0:
  Name:                         "PHLCERT01-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "PHLMON03.BPGLTD.com\PHLCERT01-CA"
  Exchange Certificate:         ""
  Signature Certificate:        ""
  Description:                  ""
  Server:                       "PHLMON03.BPGLTD.com"
  Authority:                    "PHLCERT01-CA"
  Sanitized Name:               "PHLCERT01-CA"
  Short Name:                   "PHLCERT01-CA"
  Sanitized Short Name:         "PHLCERT01-CA"
  Flags:                        "1"
  Web Enrollment Servers:       ""

Entry 1: (Local)
  Name:                         "BPGLTD-PHLCERT02-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "PHLCERT02.BPGLTD.com\BPGLTD-PHLCERT02-CA"
  Exchange Certificate:         ""
  Signature Certificate:        "PHLCERT02.BPGLTD.com_BPGLTD-PHLCERT02-CA.crt"
  Description:                  ""
  Server:                       "PHLCERT02.BPGLTD.com"
  Authority:                    "BPGLTD-PHLCERT02-CA"
  Sanitized Name:               "BPGLTD-PHLCERT02-CA"
  Short Name:                   "BPGLTD-PHLCERT02-CA"
  Sanitized Short Name:         "BPGLTD-PHLCERT02-CA"
  Flags:                        "13"
  Web Enrollment Servers:       ""

Entry 2:
  Name:                         "PHLCERT01-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "phlcert01\PHLCERT01-CA"
  Exchange Certificate:         ""
  Signature Certificate:        "phlcert01_PHLCERT01-CA.crt"
  Description:                  ""
  Server:                       "phlcert01"
  Authority:                    "PHLCERT01-CA"
  Sanitized Name:               "PHLCERT01-CA"
  Short Name:                   "PHLCERT01-CA"
  Sanitized Short Name:         "PHLCERT01-CA"
  Flags:                        "20"
  Web Enrollment Servers:       ""
CertUtil: -dump command completed successfully.
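An added PowerShell example (not from the post) for the inventory step this situation calls for: it walks everything published under CN=Public Key Services in the Configuration partition, flags each object that still refers to the decommissioned host named in the post, and prints the SHA-1 thumbprint of every CA certificate stored in the AIA objects. Those thumbprints are what certutil -verify -urlfetch prints next to each "Certificate (n)" it fetched from the ldap:/// AIA URLs above, so the one it reported as "Wrong Issuer" can be matched to the directory object that holds it. The script assumes the ActiveDirectory module and a PowerShell 5 or later session.

```powershell
# Added example: enumerate what is published under CN=Public Key Services and flag every object
# that still refers to a decommissioned CA host; print the thumbprint of each cACertificate stored
# in the AIA objects so they can be matched against certutil -verify -urlfetch output.
# Assumptions (not from the post): ActiveDirectory module, PowerShell 5+; host name is the one in the post.
Import-Module ActiveDirectory

$OldHost = 'PHLMON03'
$cfg     = (Get-ADRootDSE).configurationNamingContext
$pks     = "CN=Public Key Services,CN=Services,$cfg"

# Every object below Public Key Services: Enrollment Services (the entries a bare 'certutil' lists),
# AIA, CDP, Certification Authorities, NTAuthCertificates, Certificate Templates, OID, KRA.
$objects = Get-ADObject -SearchBase $pks -SearchScope Subtree -Filter * `
               -Properties objectClass, dNSHostName, cACertificate, certificateRevocationList, whenChanged

'Objects still referring to the old host:'
$objects |
    Where-Object { $_.DistinguishedName -match [regex]::Escape($OldHost) -or
                   $_.dNSHostName       -match [regex]::Escape($OldHost) } |
    Select-Object @{ n = 'Container'; e = { ($_.DistinguishedName -split ',')[1] } },
                  Name,
                  @{ n = 'Class'; e = { @($_.objectClass)[-1] } },
                  dNSHostName, whenChanged |
    Format-Table -AutoSize

'CA certificates published for AIA (thumbprints as certutil prints them, lower-case SHA-1):'
$objects |
    Where-Object { $_.DistinguishedName -like "*,CN=AIA,$pks" -and $_.cACertificate } |
    ForEach-Object {
        $obj = $_
        # cACertificate is multi-valued: a renewed CA publishes one DER blob per generation.
        foreach ($der in $obj.cACertificate) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            [pscustomobject]@{
                AiaObject  = $obj.Name
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint.ToLower()
            }
        }
    } | Format-Table -AutoSize
```

The same loop works for CN=Certification Authorities and CN=NTAuthCertificates, which also carry cACertificate values; an entry that appears in one container but not the others is the usual leftover of a CA removed by hand.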




active directory in DMZ


Hi experts,

We have the scenario below:

1- We need to have an FTP server in our DMZ for internal and external users.

2- AD users are authenticated in the DMZ to access their files and folders on the DMZ server.

3- I have no idea about external users!

So what is the best solution for our scenario to have AD authentication on the DMZ server without security issues?

Should I use an RODC?

Please let me know if you have any idea or if I'm on the wrong path!

Thank you in advance


Windows cannot create the object error while creating an OU


Hi All,

The error mentioned below is thrown while creating an OU under the child domain. There is no OU with that name, but I am still getting the error. Is there anywhere we can check it?

Error:

Windows cannot create the object "name" because:
An attempt was made to add an object to the directory with a name that is already in use.
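An added PowerShell example (not from the post) that answers "where can we check" for this error. The conflict is on the relative distinguished name, so the search is class-agnostic: a container (CN=Finance) or any other object with the same name value in the same parent counts against a new OU=Finance. Deleted objects are listed as well for completeness; they keep lastKnownParent and a mangled RDN of the form name\0ADEL:guid, which is why they do not normally block re-use of a name. The OU name, parent DN and domain are constructed.

```powershell
# Added example: find what already owns a name in a container before creating an OU there.
# "name already in use" is raised for a sibling with the same RDN value, whatever its class.
# Assumptions (not from the post): ActiveDirectory module; name, parent and domain are constructed.
Import-Module ActiveDirectory

function Find-ADNameConflict {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ParentDN,
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # Escape LDAP filter metacharacters in the name (RFC 4515).
    $esc = $Name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Live siblings of any class carrying the name (RDN attributes and the 'name' attribute).
    $live = Get-ADObject -Server $Server -SearchBase $ParentDN -SearchScope OneLevel `
                -LDAPFilter "(|(name=$esc)(ou=$esc)(cn=$esc))" -Properties objectClass, whenCreated |
            ForEach-Object {
                [pscustomobject]@{ State = 'live'; DN = $_.DistinguishedName; Class = @($_.objectClass)[-1]; When = $_.whenCreated }
            }

    # Tombstoned or recycled objects that used to sit in this parent under this name.
    # Their RDN is "<name>`nDEL:<guid>" (shown as \0ADEL in ADSI Edit), so match on that prefix.
    $deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
                   -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$ParentDN))" -Properties objectClass, whenChanged |
               Where-Object { $_.Name -match ('^' + [regex]::Escape($Name) + "`nDEL:") } |
               ForEach-Object {
                   [pscustomobject]@{ State = 'deleted'; DN = $_.DistinguishedName; Class = @($_.objectClass)[-1]; When = $_.whenChanged }
               }

    @($live) + @($deleted)
}

# Usage against the child domain where New-ADOrganizationalUnit failed:
Find-ADNameConflict -Name 'Finance' -ParentDN 'DC=child,DC=parent,DC=com' -Server 'child.parent.com' |
    Format-Table -AutoSize
```

A 'live' row of a class other than organizationalUnit is the usual answer; ADUC hides some system containers, so the object need not be visible in the console.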

Enabling AD DS Recycle Bin fails


Trying to enable the AD DS Recycle bin, and it is failing with an error message (at end of post)


Going through the check list for enabling this feature, as well as numerous other posts from technet / Microsoft.

Forest Functional Level - ((get-adforest)) ForestMode:Windows2008R2Forest .  Verified.

Credentials: My user is an Enterprise / Schema admin. I added it to Domain Admins specifically when this command failed as a test.

Running PowerShell as an Administrator (Elevated Privileges) :: or without, and it is the same result.

To double check the module load, import-module activedirectory has been run.

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target xyz.priv   ((where xyz.priv is my actual domain)) there are no sub-domains.  Also, entering the Distinguished name for the recycle bin feature has the same results.

WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=xyz,DC=priv' is an irreversible action! You will not be able to disable 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=xyz,DC=priv' if you proceed.

Enable-ADOptionalFeature : A referral was returned from the server
At line:1 char:25
+ Enable-AdoptionalFeature <<<<  -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target xyz.priv
    + CategoryInfo          : NotSpecified: (Recycle Bin Feature:ADOptionalFeature) [Enable-ADOptionalFeature], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature

 

Also - If I run just Enable-ADOptionalFeature  it prompts me for -Identity, -Scope, -Target, and when supplied comes back with the same error.

 

I've tried this short hand, or with the full DN, going as far as copying it from the attribute set from Sites and Services.  I even verified effective security permissions on the Recycle Bin Feature msDS object, and the configuration partition lists the object 'CN=xyz' crossRef properly when looking at it through ADSI Edit.

 

Do I really have a typo somewhere, or process error?
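The checklist the post walks through, as an added PowerShell example (not from the post) that reads every value from the forest instead of typing it: the forest functional level, the operating system of every DC in every domain, the current state of the optional feature as seen by the Domain Naming Master, and finally the Enable-ADOptionalFeature call bound explicitly to that DC with the forest root as its target. The only assumption is that the ActiveDirectory module is available; the command is left in -WhatIf mode because the change cannot be undone.

```powershell
# Added example: verify the Recycle Bin prerequisites from live forest data, then enable the feature
# against the Domain Naming Master with the forest root domain as -Target. Stays in -WhatIf mode.
# Assumption (not from the post): ActiveDirectory module available.
Import-Module ActiveDirectory

$forest = Get-ADForest
$nm     = $forest.DomainNamingMaster
"Forest: {0}   Mode: {1}   Naming master: {2}" -f $forest.Name, $forest.ForestMode, $nm

# 1. Every DC in every domain must run Windows Server 2008 R2 or later.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$dcs | Select-Object HostName, Domain, OperatingSystem, IsGlobalCatalog | Format-Table -AutoSize
$downlevel = $dcs | Where-Object {
    $_.OperatingSystem -match '2000|2003' -or
    ($_.OperatingSystem -match '2008' -and $_.OperatingSystem -notmatch 'R2')
}
if ($downlevel) { throw "Downlevel DCs present: $($downlevel.HostName -join ', ')" }

# 2. Forest functional level must be Windows2008R2Forest or higher (ADForestMode enum is ordered).
if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest mode $($forest.ForestMode) is below Windows2008R2Forest"
}

# 3. Current state of the feature, read from the naming master, which owns the Partitions container.
$feature = Get-ADOptionalFeature -Server $nm -Filter 'Name -eq "Recycle Bin Feature"'
"Required forest mode : {0}" -f $feature.RequiredForestMode
"Enabled scopes       : {0}" -f $(if ($feature.EnabledScopes) { $feature.EnabledScopes -join '; ' } else { '(none)' })

# 4. Enable it: bind to the naming master and name the forest root as the target.
#    Remove -WhatIf to apply; the feature cannot be disabled afterwards.
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Server $nm -WhatIf
}
```

Once enabled, the same Get-ADOptionalFeature call shows the Partitions container DN under EnabledScopes on every DC after replication converges.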

 


Adding first 2019 DC into 2008 R2 level domain

I just removed our last 2003 server and I'm ready to promote our 2019 server (which is currently a member server) to a Domain Controller. Do I still need to run forestprep and domainprep on the 2008R2 server from the 2019 install media?

The following Domain Controllers are not in sync with Global state ('Prepared'):


Just removed our last 2003 DC from the domain and thought it would be a good time to upgrade FRS to DFSR prior to joining my first 2019 server to the domain. I was following the steps here, which I've used many times in the past, but never had an error.

https://www.mowasay.com/2017/06/guide-to-migrate-frs-to-dfsr/

The Domain Functional Level is set to 2008R2 and OST08R2 is the only DC at the moment. After running "dfsrmig /setglobalstate 1" I get the error below, whereas in the past it happened quickly without an error. What do I do next?

C:\Windows\system32>Dfsrmig /getmigrationstate

The following Domain Controllers are not in sync with Global state ('Prepared'):


Domain Controller (Local Migration State) - DC Type
===================================================

OST08R2 ('Start') - Primary DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.
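An added PowerShell example (not from either post) covering both this dfsrmig question and the "DNS replication server" question above, where repadmin reported success while SYSVOL did not replicate. repadmin only covers Active Directory replication; SYSVOL is carried by a separate file replication engine, FRS until the dfsrmig migration reaches the Eliminated state and DFSR afterwards. The script reports the migration state, checks that the engine's service is running on every DC, then hashes the GPO files under each DC's Policies share and reports any GPO whose files differ or are missing between DCs. It assumes the ActiveDirectory module and reachability of \\DC\SYSVOL and the service control manager on each DC.

```powershell
# Added example: establish which engine replicates SYSVOL, confirm its service runs on every DC,
# and compare the Policies folder content across DCs. repadmin covers AD replication only.
# Assumptions (not from the posts): ActiveDirectory module; \\DC\SYSVOL and remote service
# control are reachable from where this runs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = @($domain.ReplicaDirectoryServers)

# 1. Migration state. Global: 0 Start (FRS), 1 Prepared, 2 Redirected, 3 Eliminated (DFSR only).
#    Every DC must report the global state locally before the next /setglobalstate is accepted.
dfsrmig /getglobalstate
dfsrmig /getmigrationstate

# 2. The engine's service must be running on each DC or its local state never advances.
$services = foreach ($dc in $dcs) {
    foreach ($svc in 'NtFrs', 'DFSR') {
        $s = Get-Service -ComputerName $dc -Name $svc -ErrorAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Service = $svc; Status = if ($s) { $s.Status } else { 'not installed' } }
    }
}
$services | Format-Table -AutoSize

# 3. Hash gpt.ini and registry.pol of every GPO on every DC. A GPO whose hashes differ per DC,
#    or that is missing on one DC, is a SYSVOL replication problem whatever repadmin says.
$files = foreach ($dc in $dcs) {
    $root = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies"
    Get-ChildItem -Path $root -Recurse -File -Include gpt.ini, registry.pol -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC   = $dc
                Rel  = $_.FullName.Substring($root.Length)      # path relative to Policies, same on every DC
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}
$divergent = $files | Group-Object Rel | Where-Object {
    @($_.Group.Hash | Sort-Object -Unique).Count -ne 1 -or $_.Group.Count -ne $dcs.Count
}
"{0} GPO files checked on {1} DCs; {2} differ or are missing between DCs" -f $files.Count, $dcs.Count, $divergent.Count
$divergent | ForEach-Object { $_.Group } | Sort-Object Rel, DC | Format-Table Rel, DC, Hash -AutoSize
```

With a single DC, as in this post, step 3 has nothing to compare and the useful output is steps 1 and 2: the local migration state only moves once the DFSR service on that DC has picked up the new global state from the directory.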
