Channel: Directory Services forum

Monitoring LDAP queries to Active Directory


I am looking for a solution for monitoring LDAP queries. I need to find a solution that monitors LDAP queries.

I was reading this blog, "Domain and DC Migrations: How To Monitor LDAP, Kerberos and NTLM Traffic To Your Domain Controllers", but that will not work for the solution I am looking for.

I need something that I can get a report from, and I need it in real time, or something semi-real-time with a report. I was reading an article about being able to monitor using Server Performance Analyzer (SPA). I was hoping someone could tell me if I can configure a good solution using SPA, or if there is something else I can use.

So, so that everyone understands, I do not want to use a third-party solution. It needs to be native and preferably able to use SQL Server. I can write a report out to gather the information from a report server.

Any thoughts, ideas... suggestions... would be appreciated.
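Native, report-friendly LDAP query logging does exist on a domain controller: the NTDS "Field Engineering" diagnostic level writes every search that crosses a cost threshold to the Directory Service event log as event 1644. The script below is an added example (not from the post, and not a Microsoft tool): it turns that logging on, parses the 1644 events from every DC into objects, and exports them for CSV or SQL Server reporting. The thresholds are illustrative, the message labels ("Client:", "Filter:", "Visited entries:") are parsed from the event text, and the `Write-SqlTableData` call at the end assumes the SqlServer PowerShell module is installed.

```powershell
# Added example (not from the post). Enables the built-in "Field Engineering" logging on
# a DC so searches that exceed the thresholds are recorded as event 1644, then parses
# those events into objects that can be exported to CSV or loaded into SQL Server.
# Assumptions: run elevated on the DC; thresholds are illustrative starting values.
Import-Module ActiveDirectory

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapSearchLogging {
    # Level 5 logs every search that crosses one of the thresholds below; 0 turns it off.
    Set-ItemProperty -Path $diagKey -Name '15 Field Engineering' -Value 5 -Type DWord
    # "Expensive": the search visited more than this many entries.
    Set-ItemProperty -Path $paramsKey -Name 'Expensive Search Results Threshold' -Value 10000 -Type DWord
    # "Inefficient": the search visited more than this many entries but returned under 10% of them.
    Set-ItemProperty -Path $paramsKey -Name 'Inefficient Search Results Threshold' -Value 1000 -Type DWord
    # Searches slower than this many milliseconds (honoured by Server 2012 R2 with the
    # enhanced-1644 update and by later versions; older DCs ignore the value).
    Set-ItemProperty -Path $paramsKey -Name 'Search Time Threshold (msecs)' -Value 100 -Type DWord
}

function Disable-LdapSearchLogging {
    Set-ItemProperty -Path $diagKey -Name '15 Field Engineering' -Value 0 -Type DWord
}

# Pulls one labelled value out of a 1644 message, e.g. the "12345" in "Visited entries: 12345".
function Get-MessageField {
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { $Matches[1] } else { $null }
}

function Get-LdapSearchEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                DC              = $ComputerName
                Client          = Get-MessageField $m 'Client'        # IP:port of the LDAP client
                StartingNode    = Get-MessageField $m 'Starting node'
                Filter          = Get-MessageField $m 'Filter'
                Scope           = Get-MessageField $m 'Search scope'
                VisitedEntries  = [int](Get-MessageField $m 'Visited entries')
                ReturnedEntries = [int](Get-MessageField $m 'Returned entries')
            }
        }
}

# Collect from every DC in the domain and rank the noisiest clients.
Enable-LdapSearchLogging
$events = Get-ADDomainController -Filter * | ForEach-Object { Get-LdapSearchEvents -ComputerName $_.HostName }
$events | Group-Object Client | Sort-Object Count -Descending | Select-Object Count, Name -First 20
$events | Export-Csv -Path "$env:TEMP\ldap-searches.csv" -NoTypeInformation

# For SQL Server reporting, the SqlServer module's Write-SqlTableData loads the same objects
# (server, database and table names below are placeholders):
#   $events | Write-SqlTableData -ServerInstance 'SQL01' -DatabaseName 'ADReports' `
#       -SchemaName 'dbo' -TableName 'LdapSearches' -Force
```

Run the collection on a schedule (Task Scheduler every few minutes gives the "semi-real-time" feed) and keep the thresholds high enough that the Directory Service log is not flooded; 1644 logging at level 5 records only searches that cross a threshold, not every query, so the report is a view of costly or slow queries rather than a full LDAP capture.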


lastLogon attribute on a read-only domain controller (RODC)?


When authenticating against a read-only domain controller, the *lastLogon* attribute is not set. This is no surprise, because all attributes are read-only.

However, when a user authenticates against a RODC and the password is not cached on the RODC (e.g. because he never authenticated before) then the RODC forwards the attempt to a writable DC.

What I don't understand is, why both DCs don't have a value set for lastLogon.

Coincidentally, the very first logon immediately triggers the replication of the lastLogonTimeStamp attribute.

Eventually, the result is that lastLogon is never set on any domain controller and lastLogonTimeStamp will be updated every 14 days.

So... why is lastLogonTimeStamp updated, but lastLogon is not?

Audit log [LAPS]


In implementing LAPS, I have already run the command "Set-AdmPwdAuditing -OrgUnit LAPSPC -AuditedPrincipals LAPSAdmin" but still cannot see the audit log entry (event 4662) in the Security log.
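`Set-AdmPwdAuditing` only writes a SACL entry on the OU; the DC still has to have the "Directory Service Access" audit subcategory enabled for Success, and 4662 is only generated when someone actually reads `ms-Mcs-AdmPwd`. The following is an added example (not the poster's command and not part of LAPS) that checks both prerequisites and then looks for resulting 4662 events. It assumes the OU name LAPSPC from the post and that it is run on a domain controller.

```powershell
# Added example (not from the post). Verifies the two things event 4662 needs after
# Set-AdmPwdAuditing: a Success audit entry on the OU covering ReadProperty on
# ms-Mcs-AdmPwd, and "Directory Service Access" auditing enabled on this DC.
# Assumption: OU name LAPSPC as in the post; run elevated on a DC.
Import-Module ActiveDirectory

$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'LAPSPC'"
if (-not $ou) { throw 'OU LAPSPC not found' }

# The schemaIDGUID of ms-Mcs-AdmPwd is generated when the LAPS schema extension is
# installed, so it has to be read from the schema rather than hard-coded.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema; the LAPS schema extension is missing' }
$attrGuid = [guid]$attr.schemaIDGUID

# 1. Does the OU's SACL audit successful ReadProperty on that attribute (or on all properties)?
$acl   = Get-Acl -Path "AD:\$($ou.DistinguishedName)" -Audit
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) | Where-Object {
    ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
}
$rules | Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType | Format-Table -AutoSize
if (-not $rules) { Write-Warning 'No matching audit entry on the OU: re-run Set-AdmPwdAuditing' }

# 2. Is the audit subcategory enabled on this DC? (auditpol's /r switch emits CSV.)
$policy  = auditpol /get /subcategory:"Directory Service Access" /r | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
"Directory Service Access auditing on $env:COMPUTERNAME: $setting"
if ($setting -notmatch 'Success') {
    Write-Warning 'Enable "Audit Directory Service Access" (Success) in the Default Domain Controllers Policy,'
    Write-Warning 'or on this DC with: auditpol /set /subcategory:"Directory Service Access" /success:enable'
}

# 3. With both in place, each password read yields a 4662 whose Properties field names the attribute GUID.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $attrGuid.Guid } |
    Select-Object TimeCreated,
        @{ n = 'Reader'; e = { if ($_.Message -match 'Account Name:\s*(\S+)') { $Matches[1] } } } |
    Format-Table -AutoSize
```

If step 1 shows the entry and step 2 shows Success, trigger a read (for example `Get-AdmPwdPassword` against a computer in that OU) and re-run step 3; the 4662 is written on whichever DC served the read, so check each DC or collect centrally.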

Adding Banned Passwords to Password Policy in AD


Good day,

We have a customer who wants to add a list of banned passwords from ever being used within the domain.

The customer uses Windows Server 2008 R2 Domain Controllers and the complex password policy is enabled.

I haven't been able to find a suitable article that discusses with certainty how to apply a password filter on Windows Server 2008 R2 Active Directory.

The requirement is to supply a list of passwords so that AD must not accept them when users either reset or change passwords.

Some of the relevant information is below in other articles but nothing concrete.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/997fab64-4aa3-45ab-b212-652de8f2e7be/w2k3-user-password-policy-list-of-banned-words-for-passwords?forum=winserversecurity

https://msdn.microsoft.com/en-us/library/windows/desktop/ms721766(v=vs.85).aspx

https://blogs.technet.microsoft.com/tristank/2005/07/18/custom-password-filters/

Further to proposing a solution, please advise whether tweaking the password filter is supported by Microsoft.

Is it risky, and could updates or upgrades to the domain controllers replace the customized password filter?

Is it recommended to use a 3rd-party tool for these tweaks, such as the below:

https://specopssoft.com/product/specops-password-policy/

http://www.anixis.com/default.htm

http://www.nfrontsecurity.com/

Thank you,

Local Session Manager and Domain Logins

Bought two new laptops (Lenovo Yogas), both of which came pre-installed with Windows 10 Pro. I have two users who can log in to their domain accounts while on our network; however, when they go anywhere else it states that it cannot find our domain. Our AD is configured to allow domain login using stored credentials, however they receive an error that the domain is not available. Here's where it gets really odd: if I have them log in locally, shut off the Wi-Fi and then reboot, it allows them to connect using their domain credentials, and they then turn their Wi-Fi back on to VPN and connect to our network again. Any ideas??

Moving FSMO roles to another Datacenter during planned outage


Hi

In our infra we have 4 x Windows 2016 Domain Controllers, with 2 DCs in the main datacenter and the other 2 in the remote DC. The Main DC will be down for 10 hours. We plan to move all the FSMO roles to one of the Domain Controllers in the remote site and, once we complete the activity, we will move all FSMO roles back to the same Domain Controller. Is there anything that should be taken care of during this FSMO migration?

Thanks in advance


LMS
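A planned move like this is a graceful transfer, not a seizure, and the two things worth guarding are that the target is replicating cleanly before the move and that the holders are confirmed afterwards. The script below is an added example (not from the post) that does both for all five roles; the DC names DC-REMOTE1 and DC-MAIN1 are placeholders.

```powershell
# Added example (not from the post). Moves all five FSMO roles to a remote-site DC
# before the outage and back afterwards, refusing to move while the target has
# inbound replication failures and verifying the holders after each move.
# Assumed names: DC-REMOTE1 (remote-site DC) and DC-MAIN1 (current holder).
Import-Module ActiveDirectory

$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Reads the holders from a specific DC so the answer is not a stale replica's view.
    param([string]$Server)
    $opt = @{}
    if ($Server) { $opt.Server = $Server }
    $f = Get-ADForest @opt
    $d = Get-ADDomain @opt
    [pscustomobject]@{
        SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
        PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Test-ReplicationHealthy {
    param([string]$DC)
    # repadmin /showrepl /csv gives one row per inbound partner and naming context.
    $rows    = repadmin /showrepl $DC /csv | ConvertFrom-Csv
    $failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
    if ($failing) {
        $failing | Format-Table 'Source DSA', 'Naming Context', 'Last Failure Status' -AutoSize
        return $false
    }
    return $true
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$Target)
    if (-not (Test-ReplicationHealthy -DC $Target)) {
        throw "Inbound replication to $Target has failures; fix them before moving roles."
    }
    # Graceful transfer (no -Force): the current holder hands over and both sides agree.
    # -Force seizes the role and is only for a holder that is permanently gone.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $AllRoles -Confirm:$false
    $after = Get-FsmoHolders -Server $Target
    $wrong = $AllRoles | Where-Object { $after.$_ -notlike "$Target*" }
    if ($wrong) { throw "Roles still not on ${Target}: $($wrong -join ', ')" }
    $after
}

'Before:'; Get-FsmoHolders
Move-AllFsmoRoles -Target 'DC-REMOTE1'     # before the main datacenter goes down
# ... outage ...
# Move-AllFsmoRoles -Target 'DC-MAIN1'     # after the main datacenter is back and replicating cleanly
```

One side effect to plan for: the forest-root PDC emulator is the default authoritative time source for the domain hierarchy, so the DC that holds PDCEmulator during the outage should have a reliable external time configuration of its own (w32tm) or the rest of the forest will chase an unreliable clock for ten hours.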

Windows cannot create the object error while create a OU


Hi All,

The below-mentioned error is thrown while creating an OU under the child domain; there is no OU with that name, but I still get the error. Is there anywhere we can check this?

Error:

Windows cannot create the object "name" because:
An attempt was made to add an object to the directory with a name that is already in use.

RODC in place upgrade recommendations


Hi All,

We have a client with 20 Domain Controllers in the Data Center and 500 RODCs on Windows 2008 R2. They want to introduce Windows 2012 R2 domain controllers in the Data Center and perform a Windows 2012 R2 in-place upgrade for all 500 RODCs. I would like to know the recommendations for an in-place upgrade of 500 RODCs. All RODCs are VMs.

Please help by providing the best practice and recommended approaches.

Thanks and Regards,

Hariharan


CA Certificate Template KSP Not Available


When I duplicate the Web Server template in Certificate Templates console, if I keep the Cryptography-Provider Category as "Legacy Cryptographic Service Provider" and then select that template as a new certificate template to issue, it shows as a certificate template on the certsrv url.

If I do the above, but set the Cryptography-Provider Category as "Key Storage Provider" and then select that template as a new certificate template to issue, it does not appear as a certificate template on the certsrv url.

Do you know how I can start using Web Server templates using KSP?  Thanks.

User's reading comprehension in this forums is a joke

The users in this forum can't read for shit and their replies are as far away from the question as the earth is from the sun.

disable smbv3 multichannel on domain controller


Hi,

We have a Windows Server 2016 domain controller with 1 NIC connected.

I would like to know what would happen if SMB Multichannel is disabled on the domain controller? I understand that its purpose is to choose which NICs to transfer data over.

Secondly, what would happen if SMBv3 is disabled on the domain controller? I have read that SMBv2 and SMBv3 are on the same stack and that disabling one will also disable the other.

Thanks in Advance!

Edit Remote Desktop profile path "Operation Failed: Operation Completed Successfully"


As the title says, I can't edit the item, which is showing a blank value on both DCs for one user so far. Replication is showing good. The problem is we are deploying a new remote desktop server and it is picking up a path in this attribute. But I can't save it or change its value at all, so logging on to the new server results in a temporary profile. I'm hoping not to have to delete the user, as Exchange is in use on this account.

Remove "NT Authority\Anonymous Logon" from membership of the Pre-Windows 2000 Compatible Access security group


Hi,

I am working on securing my Active Directory domain controllers. Based on what the ADRAP tool reports, what will the impact be if I remove "NT Authority\Anonymous Logon" from membership of the Pre-Windows 2000 Compatible Access security group?

My AD infrastructure details:

1.) DC 2016 FFL

2.) Very few Windows XP3 and Win 7 and above clients

3.) Server 2008 R2 and above
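The practical way to size the impact before removing the membership is to see who still relies on anonymous (null-session) access: anything that enumerates the directory that way will show up on the DCs as event 4624 with logon type 3 for the ANONYMOUS LOGON account (SID S-1-5-7). The script below is an added example (not from the post) that lists the group's current members and then summarises those logons per client over the last week. It assumes "Audit Logon" (Success) is enabled on the DCs and that the Security log retention covers the window queried.

```powershell
# Added example (not from the post). Lists the members of Pre-Windows 2000 Compatible
# Access and collects anonymous network logons (4624, logon type 3, SID S-1-5-7) from
# every DC so you can see which clients still depend on null sessions before the
# membership is removed. Assumption: logon auditing (Success) is on at the DCs.
Import-Module ActiveDirectory

# Well-known SIDs are stored as foreign security principals, so read the member DNs
# and translate each object's SID instead of relying on Get-ADGroupMember.
$group = Get-ADGroup 'Pre-Windows 2000 Compatible Access' -Properties member
'Current members:'
foreach ($dn in $group.member) {
    $sid  = (Get-ADObject $dn -Properties objectSid).objectSid
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolvable)' }
    [pscustomobject]@{ SID = $sid.Value; Name = $name; DN = $dn }
}

function Get-AnonymousLogons {
    param([string]$DC, [int]$Days = 7)
    # Event Log XPath: 4624 within the last N days, logon type 3, target SID = ANONYMOUS LOGON.
    $ms    = $Days * 24 * 60 * 60 * 1000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
             "EventData[Data[@Name='LogonType']='3' and Data[@Name='TargetUserSid']='S-1-5-7']]"
    Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                DC          = $DC
                Client      = $d.IpAddress
                Workstation = $d.WorkstationName
                Process     = $d.ProcessName
            }
        }
}

$logons = Get-ADDomainController -Filter * | ForEach-Object { Get-AnonymousLogons -DC $_.HostName }
'Anonymous network logons in the last 7 days, by client:'
$logons | Group-Object Client, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

An empty result after a representative week (including any month-end or backup jobs) is good evidence the removal is safe; clients that do appear are the ones to investigate, since anonymous enumeration of users and groups is exactly what ADRAP is recommending you close off.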

Change on-premises domain name from .net to .com


Hello,

I am reading some articles where you can change the AD DNS suffix for all the users, but I am not finding what I am looking for: changing the domain name, hence also changing the DNS suffix, if I am not mistaken.

I would need to change my domain name from .net to .com.

Is that possible? All I am finding is how to change the DNS suffix for all the users or for a specific set.

Thanks in advance.


Luis Olías.

Server 2012 R2 Start menu


Hi, we have noticed an issue with Server 2012's start menu: if you click Start it opens the tiles; click an app and it opens; however, if you want to open another copy of the app and do the same thing, it doesn't open the app again. It works fine from the desktop or other locations, just not the start menu. I cannot find any articles or people with the same query as me. Is this expected behavior or is it a known bug?

I have built a brand new vanilla build server as well as an existing company server and I can replicate it on all of them.


Login is from an untrusted domain


Hi

I have searched all over the internet for an answer so hopefully someone here can help.

I have an SQL 2017 server set to use Windows or SQL authentication.

The DB's that are on it work fine using either authentication method on the LAN.

My issue is that when a user tries to connect over our VPN it will fail with the above error message that its login is from an untrusted domain.

However, if I use an SQL credential (SA) it connects with no issues.

Both server and PC are on the same domain and the PC is regularly connected to the LAN during the day; it's just when they go home and use the VPN that it doesn't work and I get this untrusted domain error. This happens for all users over VPN.


Group Policy Error Event ID: 7126


We have a Remote Desktop Services server (running Windows Server 2012 R2 Standard) that is sometimes logging an Error Event ID 7126 when performing a periodic group policy processing for the users logged into the server.  This error occurs for only two users (out of about 10 different users that log into the server), but does not always occur for those users (in other words, sometimes the periodic group policy processing for a given user is successful, sometimes not).  All the users are configured in an identical manner and are part of the same domain and local groups as far as I can tell (and I was the one that originally setup all of those users, all at the same time when we brought up the server a few months ago).

This error event appears in the Microsoft > Windows > Group Policy > Operational log, and the errors are displayed in the Event Log summary ("Summary of Administrative Events"), which is how it was brought to my attention. 

This event always occurs immediately after a 4257 Event ("Starting to download policies").  In the times where this error *doesn't* occur (i.e., the periodic processing works), the 4257 Event is followed up by a 5327 Event ("Estimated network bandwidth on one of the connections: 4618712 kbps.").  Because of this, I suspect the actual error has something to do with the determination of the network bandwidth.  However, if this was the case, I would expect to see a 7327 Error Event ("Error estimated bandwidth event: Estimating the bandwidth for a network interface did not complete.") and not a 7126 Error Event (found that information here: https://technet.microsoft.com/en-us/library/7e940882-33b7-43db-b097-f3752c84f67f).

I've done a couple Google searches on the 7126 event ID and have found very little.  I see this event happening about once an hour (the Event Log shows 27 occurrences in the last 24 hours, 179 occurrences in the past 7 days).

The Domain Controller and this server are on the same local network and are hosted servers (hosted in AWS - so I don't have direct access to the hardware level).  No other authentication problems have been reported.  I do not see any errors or audit failures on the Domain Controller around the times of these errors.  No other errors are being logged on the RDS server around this time either.

If this is an event that I can safely ignore, that is fine, but I wanted to dig a little deeper to see if this event is something I should be concerned about.  Does anyone have any insight into this specific event, or have experienced this error themselves (and if so, is there a way to fix this error)?

The full details of the Event ID (specific domain and user information scrubbed):

Log Name:      Microsoft-Windows-GroupPolicy/Operational
Source:        Microsoft-Windows-GroupPolicy
Date:          10/17/2017 4:06:16 PM
Event ID:      7126
Task Category: None
Level:         Error
Keywords:      
User:          DOMAIN\user01
Computer:      RDSServer.DOMAIN.com
Description:
Group Policy could not get applicable GPOs from the domain controller.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>7126</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2017-10-17T16:06:16.169910500Z" />
    <EventRecordID>139654</EventRecordID>
    <Correlation ActivityID="{AD0091D3-354A-4A38-B69F-61D0496AB0A5}" />
    <Execution ProcessID="952" ThreadID="11184" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>RDSServer.DOMAIN.com</Computer>
    <Security UserID="S-1-1-11-1111111111-1111111111-111111111-1111" />
  </System>
  <EventData>
    <Data Name="IsMachine">false</Data>
    <Data Name="ErrorCode">1</Data>
    <Data Name="GPODownloadTimeElapsedInMilliseconds">0</Data>
  </EventData>
</Event>

Force removal of failed DC--cleanup


Hi there. We had a Server 2012 R2 domain controller. It's a HyperV VM and the host it was running on had a serious hardware failure that resulted in the VM being corrupted and blue screening even in safe mode. No luck with safe mode etc or the Directory Services repair options. So we did a force removal of the DC in AD. This particular DC had no FSMO roles and wasn't a file server, so there wasn't much needed to recover that we didn't already have from backups. After the host was repaired, we built a new DC VM to replace the dead one and linked it to the same subnet in AD Sites and Services etc. We gave it a different name.

Things appear to be working normally. I ran a number of AD replication tests using Microsoft's AD Replication Status tool and no errors are coming up. I've gone through DNS and removed any references to the dead DC. The dead DC does not show up anywhere in AD Sites and Services.

My question is about NTDSUtil. I know that if you have to force remove a DC, you should clean up the metadata using NTDSUtil. The problem(?) is NTDSutil couldn't find any reference to the failed DC for me to remove. Is there anything left to check? The Microsoft articles I found simply said that if the dead DC couldn't be found there, it may have already been removed.... So does that mean I'm in the clear?

Thanks in advance,

Sir Timbit.
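When ntdsutil finds nothing, the remaining question is whether any of the other places that can still name a dead DC were cleaned up: its computer object, its server and NTDS Settings objects in Sites, its SYSVOL replication membership, and DNS records. The script below is an added example (not from the post) that checks each of those for a given name; OLDDC is a placeholder for the dead DC's name, and it assumes the DnsServer module is available on the DC it runs on.

```powershell
# Added example (not from the post). After a forced removal, checks the places a dead
# DC can still be referenced even when ntdsutil reports nothing to clean up:
# computer object, server/NTDS Settings objects in Sites, SYSVOL replication
# membership (DFSR or FRS) and DNS records that still name it.
# Assumption: the dead DC was called OLDDC (placeholder); run on a live DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$DeadDc   = 'OLDDC'
$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext
$domainNc = $rootDse.defaultNamingContext
$findings = @()

# 1. Computer object (normally under OU=Domain Controllers)
$findings += Get-ADComputer -LDAPFilter "(cn=$DeadDc)" -ErrorAction SilentlyContinue

# 2. Server object and its NTDS Settings child in the Configuration partition
$findings += Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$DeadDc))"
$findings += Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object { $_.DistinguishedName -like "*CN=$DeadDc,CN=Servers,*" }

# 3. SYSVOL replication membership: DFSR (msDFSR-Member) or legacy FRS (nTFRSMember)
$findings += Get-ADObject -SearchBase "CN=System,$domainNc" `
    -LDAPFilter "(&(|(objectClass=msDFSR-Member)(objectClass=nTFRSMember))(cn=$DeadDc))"

# 4. DNS: records owned by the dead DC's host name, or whose data (CNAME/SRV/NS targets)
#    still points at its FQDN. The FQDN is built from this DC's own DNS domain.
$deadFqdn = "$DeadDc.$($rootDse.dnsHostName.Split('.', 2)[1])"
foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName | Where-Object {
        $_.HostName -ieq $DeadDc -or (($_.RecordData | Out-String) -imatch [regex]::Escape($deadFqdn))
    } | ForEach-Object {
        $findings += [pscustomobject]@{
            Zone = $zone.ZoneName; Record = $_.HostName; Type = $_.RecordType
            Data = ($_.RecordData | Out-String).Trim()
        }
    }
}

$findings = $findings | Where-Object { $_ }
if (-not $findings) { "No remaining references to $DeadDc were found." } else { $findings | Format-List }
```

The DNS check is the one most often left half done: the SRV records under `_msdcs` and the site-specific `_sites` subtree are registered by the DC itself and are not removed by ntdsutil, and a stale `_ldap._tcp` SRV record will keep sending clients to the dead host until it is deleted or scavenged.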

Windows Time server - Domain Controller


Hi All,

In our root domain, we have a domain controller (Server1.par.com) on old hardware, and it's currently acting as the time server with the below configuration:

Type: NTP

NTPServer: Defined some outside IP

It looks like the other DCs show Type as NT5DS and their NTPServer registry value is pointing to Server1, but not all of them: in one of our child domains I took a child domain DC (ServerDC2.child.par.com) and ran the command "w32tm /query /source"; it shows a DC name (ServerDC3.child.par.com) which exists in the same child domain, but when I check the registry on ServerDC2 it shows NTPServer as "time.windows.com,0x9".

To check further I logged on to ServerDC3.child.par.com, and when I run "w32tm /query /source" it shows the DC name "Server1.par.com", but when I check the NTPServer registry value it is currently set to "time.windows.com,0x9".

My questions:

1. Does our current configuration for the time source look correct on the DCs?

2. We have to decommission Server1.par.com; how do I check all the DCs which are pointing to Server1.par.com as their time source?

3. Once we have the answer to question 2 above, then to make another DC (Server2.par.com) the authoritative time server, should I just set Type as NTP and set its NTPServer registry setting? How will I tell my other DCs, servers and member machines that we now have a new time server in place?

If anyone has a plan for the above situation then please help me out.
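The registry/`w32tm` mismatch in the post is expected: with Type set to NT5DS a DC follows the domain hierarchy and ignores its NtpServer value, which is why `w32tm /query /source` is the value to trust. The script below is an added example (not the poster's commands) that answers question 2 for every DC in the forest by pairing the effective source with the registry values, and its trailing comments give the `w32tm` commands for question 3. It assumes the names Server1.par.com and Server2.par.com from the post and that PowerShell remoting to the DCs is enabled for the registry read.

```powershell
# Added example (not from the post). Lists, for every DC in the forest, the time source
# it actually syncs from (w32tm /query /source) next to the registry Type/NtpServer
# values, and flags the DCs still chained to Server1.par.com.
# Assumptions: Server1/Server2.par.com as in the post; PowerShell remoting is enabled.
Import-Module ActiveDirectory

function Get-DcTimeConfig {
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $h = $dc.HostName
            # w32tm prints just the peer name, e.g. "Server1.par.com" or "time.windows.com,0x9".
            $source = w32tm /query /computer:$h /source 2>&1 | Select-Object -First 1
            $reg = Invoke-Command -ComputerName $h -ErrorAction SilentlyContinue -ScriptBlock {
                Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' |
                    Select-Object Type, NtpServer
            }
            [pscustomobject]@{
                DC        = $h
                Domain    = $domain
                IsPdc     = ($dc.OperationMasterRoles -contains 'PDCEmulator')
                Source    = "$source"
                Type      = $reg.Type       # NT5DS = domain hierarchy (NtpServer ignored); NTP = uses NtpServer
                NtpServer = $reg.NtpServer
            }
        }
    }
}

$config = Get-DcTimeConfig
$config | Format-Table -AutoSize
'DCs still syncing from Server1.par.com:'
$config | Where-Object { $_.Source -like 'Server1.par.com*' } | Select-Object DC, Domain

# Making Server2.par.com the authoritative source. Run on Server2, which should hold (or
# receive) the forest-root PDC emulator role so that domain-hierarchy clients select it
# automatically; the peer list is an example, use your own upstream servers:
#   w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
# Then on Server1.par.com (before decommissioning) and on any DC that carries a manual NtpServer:
#   w32tm /config /syncfromflags:domhier /reliable:no /update
#   w32tm /resync /rediscover
# Members and NT5DS DCs follow the hierarchy and need no change; re-run Get-DcTimeConfig
# afterwards to confirm nothing still reports Server1.par.com as its source.
```

Watch the IsPdc column: if Server1 is the forest-root PDC emulator, moving that role to Server2 is what redirects the hierarchy, and Server1 should be reconfigured to `domhier` before it is removed so it stops advertising itself as reliable.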



Schema mismatch in domain with 2012 R2 FSMO roles, but additional 2016 DCs - adding 2019 DC


I discovered an issue while working on adding a new 2019 Server as a DC on a domain with two 2012 R2 DCs and four 2016 DCs.

The Domain Function level is 2012 R2.

I discovered a schema mismatch. The two 2012 R2 DCs show a schema level of 69 (2012) in the registry, while all of the 2016 DCs show a schema level of 87 (2016).

It appears that at some point, the 2016 DCs were added/promoted without a 2016 schema upgrade being done to the domain. I didn't think the promo wizard would allow this, but that's what it looks like happened. Everything is functioning normally, otherwise.

I need to promote a 2019 server to a DC in this domain (using it as a 2019 RDS Licensing server, as well). Since this mismatch exists and this seems to be a state that the domain shouldn't be in:

1. Am I safe doing a 2016 adprep/schema update from the 2012 R2 Operations Master using the 2016 media even though 2016 DCs already exist?

2. Or am I even safe just skipping the 2016 schema update and directly doing a 2019 adprep/schema update from the 2012 R2 Operations Master using the 2019 media?

3. Or am I better off just opening a single-incident support ticket with Microsoft to keep from potentially creating issues with the domain?
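Before choosing between the three options it is worth knowing exactly what each DC believes the schema version to be, from two places: the objectVersion attribute on the Schema container (replicated directory data) and the "Schema Version" value in each DC's own registry. The script below is an added example (not from the post) that reports both per DC so a mismatch can be pinned to specific DCs before any adprep is run; it assumes PowerShell remoting to the DCs. The version map it uses is the documented one: 56 = Windows Server 2012, 69 = 2012 R2, 87 = 2016, 88 = 2019.

```powershell
# Added example (not from the post). Reports, per DC, the schema version stored in the
# directory (objectVersion on the Schema container, read from that DC's own replica)
# next to the "Schema Version" value in that DC's registry.
# Assumption: PowerShell remoting to the DCs is enabled.
Import-Module ActiveDirectory

$KnownSchemaVersions = @{
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019'
}
$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-DcSchemaVersions {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $h = $dc.HostName
        # Ask this DC's own replica, not whichever DC the session happens to be bound to.
        $dirVersion = (Get-ADObject -Identity $schemaNc -Server $h -Properties objectVersion).objectVersion
        $regVersion = Invoke-Command -ComputerName $h -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'Schema Version'
        }
        [pscustomobject]@{
            DC               = $h
            OS               = $dc.OperatingSystem
            DirectoryVersion = $dirVersion
            DirectoryMeans   = $KnownSchemaVersions[[int]$dirVersion]
            RegistryVersion  = $regVersion
            Match            = ($dirVersion -eq $regVersion)
        }
    }
}

$report = Get-DcSchemaVersions
$report | Format-Table -AutoSize

# Every DC should report the same DirectoryVersion. If they differ, the schema partition
# is not fully replicated and that has to be fixed before adprep; check inbound
# replication of the schema partition on the lagging DCs with:
#   repadmin /showrepl <DC> /csv | ConvertFrom-Csv |
#       Where-Object { $_.'Naming Context' -like 'CN=Schema,*' -and [int]$_.'Number of Failures' -gt 0 }
```

If DirectoryVersion agrees everywhere and only the registry values differ, the directory itself is consistent and the registry is the stale side; if DirectoryVersion itself differs between DCs, that is a replication problem rather than a missed adprep, and the repadmin output is the place to start.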
