Channel: Directory Services forum

Get List of Sites, Subnets from AD Sites & Services via PowerShell

[CmdletBinding()]
param()

# Enumerate every site in the current forest through .NET; no ActiveDirectory module needed
$Sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites

$Output = foreach ($Site in $Sites) {
    [pscustomobject]@{
        SiteName = $Site.Name
        # Subnets and Servers are object collections; take the Name of each and join one per line
        Subnets  = ($Site.Subnets | ForEach-Object { $_.Name }) -join "`n"
        Servers  = ($Site.Servers | ForEach-Object { $_.Name }) -join "`n"
    }
}

$Output
$Output | Export-Csv -Path .\ADSiteInfo.csv -NoTypeInformation -NoClobber

CA Certificate Template KSP Not Available


When I duplicate the Web Server template in the Certificate Templates console, if I keep the Cryptography Provider Category as "Legacy Cryptographic Service Provider" and then select that template as a new certificate template to issue, it shows as a certificate template on the certsrv URL.

If I do the above, but set the Cryptography Provider Category as "Key Storage Provider" and then select that template as a new certificate template to issue, it does not appear as a certificate template on the certsrv URL.

Do you know how I can start using Web Server templates with KSP? Thanks.

Downgrade Functional level from 2016 to 2012R2


Hi all,

Is it possible to "downgrade" the functional level from Windows 2016 to Windows 2012 R2?

In our scenario, we have to set up a lot of different trust relationships between our DC and other DCs running Windows Server 2008 R2, Win2012, and also Samba 4.5. I think it is better if we can do a downgrade to Windows 2012 R2 (just for compatibility).

I tried using the command: 

PS C:\Users\administrador.FSAAS> Set-ADDomainMode -Identity %ourdomainname% -DomainMode Windows2012R2Domain

Confirm
Are you sure you want to perform this action?
The "Set" operation is being performed on the destination "DC = fsaas, DC = cloud".
[S] Yes [O] Yes to all [N] No [T] No to all [U] Suspend [?] Help (the default is "S"): s
Set-ADDomainMode: The functional level of the domain (or forest) cannot be decreased to the requested value

I also tried to downgrade the forest mode, but the same error occurs.

I have 2 replicated DCs running Win2016; is it possible to downgrade the functional level to 2012?


Using scheduled tasks to export AD user reports?


Hey guys,

I have an application admin co-worker who wants to import some of our AD user information daily into that application. The only way I can think of to automate this is to script a Get-ADUser going out to a file that the co-worker can import each day. If anyone can think of a better solution to export AD user information to an application (it does not have a native LDAP connection set up), let me know.

So I have the PowerShell command, but ideally I would love to run it through a scheduled task using a gMSA. I know how to run a scheduled task with a gMSA, but it appears that if any user besides a domain admin launches a Get-ADUser command, you must use the (Get-Credential) option in that command, which is tough with a gMSA.

Does anyone have any suggestions for a simple and secure way to accomplish this task? I might try dsquery and see if I can get it to work under an MSA (that has appropriate read permissions), but I'm not sure I can manage the output fields as well as I can with PowerShell.

Thanks,


Dave
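An added example, not from Dave's post or any reply in the thread, of one way to build what he describes with least privilege: a single script that, run once with -Register, creates a scheduled task that runs it daily as a gMSA, and otherwise performs a scoped Get-ADUser export. Every name in it is an assumption: the gMSA CORP\gMSA_ADExport$, the OU, the output folder and the task name are placeholders. It assumes the gMSA already exists, that this host may retrieve its password and has run Install-ADServiceAccount, and that the gMSA has Modify on the output folder while the application's account has Read only. A gMSA is an ordinary domain principal, so the script reads AD in that context without any Get-Credential.

```powershell
# Added example, not from the thread. Assumed names: CORP\gMSA_ADExport$, the OU, C:\Exports, the task name.
#
# Usage:  .\Export-ADUsers.ps1 -Register   (once, from an elevated prompt, to create the scheduled task)
#         .\Export-ADUsers.ps1             (what the task runs; no credentials, it reads AD as the gMSA)
[CmdletBinding()]
param(
    [switch]$Register,
    [string]$SearchBase = 'OU=Staff,DC=corp,DC=example',   # assumption
    [string]$OutFile    = 'C:\Exports\ADUsers.csv',        # assumption: gMSA has Modify, app account has Read
    [string]$TaskUser   = 'CORP\gMSA_ADExport$'            # assumption: existing, installed gMSA
)

if ($Register) {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '05:00'
    # LogonType Password is the setting a gMSA needs: the OS retrieves the managed password itself,
    # so nothing is typed in and no secret is stored in the task.
    $principal = New-ScheduledTaskPrincipal -UserId $TaskUser -LogonType Password -RunLevel Limited
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable
    Register-ScheduledTask -TaskName 'AD User Export' -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings | Out-Null
    return
}

Import-Module ActiveDirectory

# Pull only enabled accounts under the agreed OU and only the attributes the application needs;
# any authenticated domain principal, the gMSA included, can read these default attributes.
$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
                    -Properties DisplayName, Mail, Department, Title, whenChanged

$users |
    Select-Object SamAccountName, DisplayName, Mail, Department, Title,
                  @{ N = 'WhenChangedUtc'; E = { $_.whenChanged.ToUniversalTime().ToString('s') } } |
    Sort-Object SamAccountName |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Verbose "Exported $($users.Count) users to $OutFile"
```

The script writes the file as the gMSA and the application reads it; neither side ever holds a password. Keeping -SearchBase and the attribute list narrow is what limits what the export leaks if the file or the application is compromised.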






Joining Domain Failing

I am upgrading all of my company's remaining Windows 7 machines to Windows 10, and when trying to join the new machines to the domain I keep getting the error that SMBv1 is not enabled. From my understanding this feature was turned off in the Windows 10 1709 update for security reasons. Why is AD requiring this to join the domain? Also, is there a way to prevent my network/AD from requiring SMBv1 to be enabled to join the domain?

AD


Hi All,

We are in the process of Server 2008 sunset. One of our Active Directory servers is on W2008. We are the main site for Europe and we have 4 AD servers. We have additional AD servers scattered around our European sites, mostly one per site.

I need information on what the best process is to deal with this W2008 box. Would it just be a case of decommissioning the server and creating another, depending on what roles are on the server, or do I need to carry out any additional work?

Any information would be appreciated.

Regards.

Remove "NT Authority\Anonymous Logon" from membership of the Pre-Windows 2000 Compatible Access security group


Hi,

I am working on securing my Active Directory domain controller. Based on what the ADRAP tool is reporting,

what will the impact be if I remove "NT Authority\Anonymous Logon" from membership of the Pre-Windows 2000 Compatible Access security group?

My AD infrastructure details:

1.) DC 2016 FFL

2.) Very few Windows XP SP3 clients, and Win 7 and above clients

3.) Server 2008 R2 and above

File Replication Service Disabled from the Active Directory 2012 r2


Hi Microsoft TechNet,

I noticed on our Active Directory server that the File Replication Service status is set to automatic, but we were unable to start the service, and it shows this kind of error: https://imgur.com/wTTdnDD

"Windows could not start the File Replication service on Local."

Is firewall port 139 used by the File Replication Service?

Do we also need to open port 49156 for the LSASS service?

Best Regards,

AJ



Configure administrative accounts to prevent delegation


Hi,

I am working on securing my DC. The ADRAP tool is insisting that I enable "Configure administrative accounts to prevent delegation".

Before enabling the option I am checking with the AD SMEs: what will be the benefit of this setting?

Please assist with your answer.
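As an added illustration, not part of the post or any reply: the ADRAP item maps to the "Account is sensitive and cannot be delegated" checkbox, which is the ACCOUNT_NOT_DELEGATED bit in userAccountControl. While the bit is clear, a service that is trusted for Kerberos delegation can obtain tickets as that account and act as it towards other services; setting the bit on administrative accounts removes that path. The script below lists accounts protected by AdminSDHolder (AdminCount=1) that still lack the flag and, with -Fix, sets it. The AdminCount filter, the krbtgt exclusion and the choice to skip accounts with SPNs are the author's own choices, and -Server is an optional assumption.

```powershell
# Added example, not from the post or any reply. Finds protected (AdminCount=1) accounts that are
# still delegable and, with -Fix, sets 'Account is sensitive and cannot be delegated' on them.
# Needs the ActiveDirectory module and write access to the accounts; -Server is optional.
#
# Usage:  .\Find-DelegableAdmins.ps1                 # report only
#         .\Find-DelegableAdmins.ps1 -Fix -WhatIf    # show what would change
#         .\Find-DelegableAdmins.ps1 -Fix            # apply
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix,
    [string]$Server        # optional DC to query and write to, e.g. the PDC emulator
)
Import-Module ActiveDirectory

$srv = @{}
if ($Server) { $srv.Server = $Server }

# AdminCount=1 is stamped by AdminSDHolder on members of the protected groups (Domain Admins, etc.).
# AccountNotDelegated is the module's name for the ACCOUNT_NOT_DELEGATED bit in userAccountControl;
# while it is clear, a service trusted for delegation can obtain tickets as this user.
$exposed = Get-ADUser -Filter 'AdminCount -eq 1' @srv `
               -Properties AccountNotDelegated, ServicePrincipalName, LastLogonDate, PasswordLastSet |
           Where-Object { -not $_.AccountNotDelegated -and $_.SamAccountName -ne 'krbtgt' }

$exposed |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
                  @{ N = 'HasSPN'; E = { [bool]$_.ServicePrincipalName } } |
    Format-Table -AutoSize

if (-not $Fix) { return }

foreach ($u in $exposed) {
    # An account with SPNs is itself a service; its own tickets may need to be forwardable through a
    # multi-hop setup, so leave those for a manual review instead of changing them blindly.
    if ($u.ServicePrincipalName) {
        Write-Warning "$($u.SamAccountName) has SPNs; skipped, review manually"
        continue
    }
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set AccountNotDelegated = True')) {
        Set-ADUser -Identity $u.DistinguishedName -AccountNotDelegated $true @srv
    }
}
```

Run the report first and check LastLogonDate: the accounts that matter most are the ones an administrator actually uses interactively on servers, since those are the sessions whose tickets a delegating service could otherwise reuse.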

Issue with workstations domain membership


I posted a similar question a few weeks ago but eventually closed that question. I had the issue come up again so I decided to post another question. I hope I can determine what is going on this time.

I have a problem that is occurring randomly on my Windows workstations (Windows 10 is all we have). Every so often a workstation will seem to lose its connection to the domain. I know that sounds odd, because it is. I first notice it if a user complains about their network drives going missing. When I look at the machine I also notice that when going to Computer Management, Local Users and Groups, the domain accounts show up as not recognizable.

This is a Windows domain with 3 Windows 2008 R2 DCs and one Windows 2016 DC.

Symptoms:
1- network drives don't show up in File Explorer
2- when going to Computer Management, Local Users and Groups, Groups, any group with a domain account... the account is not recognizable. It looks like this: S-1-5-21-1392988177-2029604534-620655208-512

The computer user is able to log in and access resources. For the most part everything works OK.

It is like the workstation has partially lost its connection to the domain.

Resolution: to resolve the problem I have been unjoining the computer from the domain and then joining it back again. This corrects the problem for the time being. However, it is happening randomly on my workstations and has happened more than once on a few of them. I need to determine what is causing this. Thanks for any help.

One more thing. It has happened to my system at least twice. My system is a laptop and I take it offsite to other company offices. It seems like it has happened to me after I return to the main office and boot up here. Not sure if this matters.



DNS - Which DNS is being used?


Hello!

We have an on-prem DC01 (2016) which is running DHCP and AD-integrated DNS and provides IPs, DNS etc., and all is working fine. It gives out 2 DNS addresses, pDNS and sDNS: DC01 as pDNS and DC02 as sDNS.

If it was giving out only one pDNS I would know my clients are using this server as the DNS. Since it is giving out 2 DNS servers... how do I know which DNS server is REALLY being used by the clients (member servers mostly)? I know clients should go for the pDNS first and then the sDNS, but is there a way we can find out from the client side which DNS server is really being used?

Thank you in advance.
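An added example, not from the post or any reply, of what can be checked from the client side. The Windows resolver sends every query to the first server listed on the highest-priority interface and only moves to the next one when that server stops answering, so the configured order is the answer to "which one is used"; the script shows that order and then queries each server directly to confirm it answers and how fast. The query name defaults to the machine's AD domain, on the assumption that every DC's DNS can resolve it.

```powershell
# Added example, not from the post or any reply. Shows the DNS servers the local resolver is configured
# with, in the order it tries them, and queries each directly so you can see which ones actually answer.
# $Name defaults to the machine's AD domain (assumption: every DC-hosted DNS zone resolves it).
param([string]$Name = $env:USERDNSDOMAIN)

# The order returned here is the resolver's order: the first address on the highest-priority interface
# is used for every query, and the next one only after the first times out.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        $_.ServerAddresses | ForEach-Object { [pscustomobject]@{ Interface = $alias; Server = $_ } }
    }

function Test-DnsServer {
    param([string]$Server, [string]$QueryName)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -DnsOnly skips LLMNR/NetBIOS fallbacks so a failure here is a DNS failure against $Server
        $r = Resolve-DnsName -Name $QueryName -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
        $answer = ($r | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
        $status = 'OK'
    }
    catch {
        $answer = ''
        $status = $_.Exception.Message
    }
    $sw.Stop()
    [pscustomobject]@{ Server = $Server; Status = $status; Ms = $sw.ElapsedMilliseconds; Answer = $answer }
}

foreach ($s in $servers) {
    Test-DnsServer -Server $s.Server -QueryName $Name |
        Add-Member -NotePropertyName Interface -NotePropertyValue $s.Interface -PassThru
}
```

The client does not record which server answered a cached lookup. If that has to be proven rather than inferred, enable the DNS Server analytic log on each DC (Windows Server 2012 R2 with the DNS logging update, and later) or capture UDP/TCP 53 on the client.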

2012R2 Backup DC not working correctly


We have a simple domain, 2012 R2, 2 domain controllers and a dozen member servers, pretty much out of the box.

When both DCs are up it appears as if everything is working fine: BPA and the AD Replication Status tools show no errors, and DNS works off both machines. The only thing that seems to show any issue is Get-ADDomainController, which only lists the primary.

However, when the PDC is off, the BDC will still function as a DNS server, but not as a domain controller.

We had some issues with the backup domain controller's DNS which were due to it being multi-homed. We removed the second interface and resolved the DNS issues but still have the same problems. We demoted the server back to a member and re-promoted it to a DC, to no real effect.

When the primary is off, BPA will fail with the following errors:

The AD DS BPA should be able to collect data about the hostname of the forest root PDC from the forest root PDC

The Default Domain Controllers Policy in the domain domain.name should be applied to the OU OU=Domain Controllers,DC=domain,DC=name

The domain controller bdc.domain.name must be able to connect to the PDC emulator master in this domain

The domain controller bdc.domain.name must be able to connect to the RID master in this domain

But no errors are logged by the BPA when the PDC is up.

Where should I go from here in troubleshooting the issue?


certificate's role in ldaps for windows and linux clients


Hi,

I would like to know how certificates work for both Windows and Linux clients.

Here is my setup. We have a Windows internal CA, and we have Windows domain controllers that serve as our LDAP servers. We have a DNS Host A record ldap-dc.domain.com pointing to the two IP addresses of our domain controllers. We did this so that they will use the FQDN in the LDAPS connection string for failover.

1. Will Windows-based applications that connect via LDAPS require a certificate? If so, where should that certificate come from? Should it come from our domain controller, whose certificate is issued by our internal CA?

2. Did the certificate on our domain controllers come automatically from our CA, since I don't recall requesting a certificate when setting up the domain controllers? How will Windows client machines make use of this certificate? Do they receive it automatically?

3. How about apps based on Linux that will use LDAPS? Where should their certificate come from? Do they need to request a certificate, or will they use the domain controller's certificate by importing it on the Linux machine?

Thanks!
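An added example, not from the post or any reply, for checking what the DCs actually present on 636: it opens a TLS session to the name an application would use, records the certificate the DC sends, evaluates the chain with this machine's trust store and checks whether the name used to connect appears in the certificate's Subject Alternative Name. The hostname ldap-dc.domain.com is the alias from the post and is only a placeholder; the SAN text matching assumes an English-locale Windows, where the extension is rendered as "DNS Name=...".

```powershell
# Added example, not from the post or any reply. Connects to a DC over LDAPS (TCP 636) and reports the
# certificate it presents, whether this machine trusts its chain, and whether the connected name is in it.
# 'ldap-dc.domain.com' is the alias from the post and only a placeholder.
param(
    [string]$Server = 'ldap-dc.domain.com',
    [int]$Port = 636
)

function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Accept whatever is presented during the handshake so the certificate can be inspected;
        # trust and name matching are evaluated explicitly below instead of being taken on faith.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $trusted = $chain.Build($cert)

        # Subject Alternative Name (OID 2.5.29.17); clients match the hostname they connected to against its dNSName entries
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

        [pscustomobject]@{
            Server       = "$Server`:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SAN          = $san
            NameMatches  = [bool]($san -match [regex]::Escape($Server))   # approximate; assumes English SAN rendering
            ChainTrusted = $trusted
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Thumbprint   = $cert.Thumbprint
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-LdapsCertificate -Server $Server -Port $Port | Format-List
```

Run it against each DC's own FQDN and against the alias. A DC certificate issued from the built-in Domain Controller or Kerberos Authentication templates carries the DC's own FQDN (and, for Kerberos Authentication, the domain names) in its SAN, not an alias such as ldap-dc.domain.com, so a client that validates the hostname will reject the alias until each DC is issued a certificate that also lists it. For a Linux client the trust anchor is the CA certificate that issued the DC certificates (TLS_CACERT in ldap.conf for OpenLDAP-based tools), not a copy of any DC's own certificate.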


Password change issue


Hi All,

We are facing a strange issue with our Active Directory built on Windows Server 2016.

Users are not able to change their password when it has expired.

However, if we reset it from the AD console and force a change at next logon, users are able to change their passwords,

but not using CTRL+ALT+DEL.

Our password complexity settings are as per the standards:

Enforce password history = 12

Maximum password age = 60 days

Minimum password age = 5 days (I have also changed it to 1 and 0)

Minimum password length = 8

Password must meet complexity requirements = Enabled

Store password using reversible encryption = Disabled

Any help will be appreciated.

Thanks 

GUI tool to create users


I'm interested in creating Active Directory users through a customized GUI, where I can fill in only some fields like user password, source OU, target OU, user home directory, and other AD fields.

What tool can I use to build this graphical tool to create AD users? Suggestions?


Password change


Hi,

We have 1 PDC and 2 backup domain servers.

If I change the domain administrator password, will it take effect across the whole domain?


Lakhan

Get List of Home Folders in CSV Through Powershell


The script below helped me get users' home directory information. (The input CSV should have its first column named "name".)

Import-Module ActiveDirectory

$Userslist  = Import-Csv -Path "C:\Script\Users.csv"
$Date       = Get-Date -Format "MMddyyyy"
$Outputfile = "C:\Script\$Date-HomeFolders.csv"

$Table = foreach ($User in $Userslist) {
    # A name that does not exist returns nothing instead of throwing, so the Else branch can run
    $ADUser = Get-ADUser -Identity $User.Name -Properties DisplayName, Mail, HomeDirectory -ErrorAction SilentlyContinue

    Write-Host "=============================================================================="
    if ($ADUser) {
        $Objrecord = [pscustomobject]@{
            Nameonfile     = $User.Name
            SamAccountName = $ADUser.SamAccountName
            DisplayName    = $ADUser.DisplayName
            Mail           = $ADUser.Mail
            HomeDirectory  = $ADUser.HomeDirectory
            Enabled        = $ADUser.Enabled
        }
    }
    else {
        # Account not found: keep a row so the name from the input file is still accounted for
        $Objrecord = [pscustomobject]@{
            Nameonfile     = $User.Name
            SamAccountName = $null
            DisplayName    = $null
            Mail           = $null
            HomeDirectory  = "No Home Folder"
            Enabled        = $null
        }
    }
    Write-Host ($Objrecord | Out-String)
    $Objrecord
}

$Table | Export-Csv -Path $Outputfile -NoTypeInformation

    

Demoting Remote DCs on WAN


Morning all,

I have just upgraded all the local DCs, on the same subnet, to 2019. I had a few replication issues with 2 remote DCs; that was just the fact that they were trying to replicate to IPs that no longer existed. This was resolved by changing the NTDS settings in Sites and Services. Replication is now working as it should, with repadmin and dcdiag giving a clean bill of health...

The reason we have the two remote DCs is that at the time bandwidth was a limitation; it no longer is, and they now serve no purpose. All nodes use the data center servers for all services, so I want to remove the two remote servers.

Is the process the same? In Sites and Services they fall under their own subnet but are of the same domain, not a sub-domain.

Is it simply a case of running DCPromo on the remote servers and then deleting the subnets from Sites and Services?

Many thanks

 

Sensitive forest and domain operation

Please help me to understand the two items below. I received the report from the ADRAP tool.
  1. Restrict Sensitive Forest-level Operations Delegation
  2. Restrict Sensitive Domain-level Operations Delegation

What is this alert, and what is MS trying to convey to the AD guys? Please assist with your answers.

Different response for nslookup


Hi,

When I do an nslookup for a domain from the DNS server ABC.NET, I get a list of name servers.

However, when I do an nslookup from another Windows server, which is configured with ABC.NET as its DNS server, the same nslookup gives a very different output.

What could be the reason why I'm getting different results from the same DNS server, even though I'm trying from different machines?
