Channel: Directory Services forum

Demoting Remote DCs on WAN

Morning all,

I have just upgraded all the local DCs, on the same subnet, to 2019. I had a few replication issues with 2 remote DCs; that was just the fact that they were trying to replicate to IPs that no longer existed. This was resolved by changing the NTDS settings in Sites and Services. Replication is now working as it should, with repadmin and dcdiag giving a clean bill of health.

The reason we have the two remote DCs is that at the time bandwidth was a limitation; it no longer is, and they now serve no purpose. All nodes use the data center servers for all services, so I want to remove the two remote servers.

Is the process the same? In sites and services they fall under their own subnet but are of the same domain, not a sub-domain.

Is it simply a case of running DCPromo on the remote servers and then deleting the subnets from Sites and Services?

Many thanks
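Added example, not part of the post above. The demotion itself is the same for a DC in another site; what differs is the cleanup in Sites and Services afterwards. This script does the pre-flight checks a practitioner wants before demoting (no FSMO roles on the remote DCs, another global catalog remains, replication healthy), runs the demotion, re-homes the branch subnets to the hub site so branch clients still get a site mapping, and removes the now-empty site. Names are assumptions: remote DCs RDC01/RDC02 in site "Branch", hub site "Datacenter", site link DEFAULTIPSITELINK.

```powershell
# Added example (not from the post). Assumed names: RDC01/RDC02 in site "Branch", hub site "Datacenter".
Import-Module ActiveDirectory

$remoteDCs  = 'RDC01', 'RDC02'
$branchSite = 'Branch'
$hubSite    = 'Datacenter'

# 1. Pre-flight: remote DCs must not hold FSMO roles, and another GC must remain after they go.
$domain = Get-ADDomain; $forest = Get-ADForest
$fsmo = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
          $forest.SchemaMaster, $forest.DomainNamingMaster)
foreach ($dc in $remoteDCs) {
    if ($fsmo | Where-Object { $_ -like "$dc.*" }) {
        throw "$dc holds a FSMO role; run Move-ADDirectoryServerOperationMasterRole first."
    }
}
$otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
            Where-Object { $remoteDCs -notcontains $_.Name }
if (-not $otherGCs) { throw 'No other global catalog would remain.' }

# 2. Last replication health check, then demote. Uninstall-ADDSDomainController runs on the DC
#    being demoted; it removes that DC's NTDS Settings object and reboots the server.
repadmin /replsummary
foreach ($dc in $remoteDCs) {
    dcdiag /s:$dc /q
    $pw = Read-Host -AsSecureString "New local Administrator password for $dc"
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Uninstall-ADDSDomainController -LocalAdministratorPassword $using:pw -Force -Confirm:$false
    }
}

# 3. Sites and Services cleanup. Re-home the branch subnets to the hub site rather than deleting
#    them: clients in a subnet with no site get NETLOGON 5807 and pick any DC in the forest.
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$branchSite,*" } |
    ForEach-Object { Set-ADReplicationSubnet -Identity $_ -Site $hubSite }

$configNC = (Get-ADRootDSE).configurationNamingContext
# Remove only server objects that are empty (demotion already deleted their NTDS Settings).
Get-ADObject -Filter { objectClass -eq 'server' } -SearchBase "CN=Servers,CN=$branchSite,CN=Sites,$configNC" |
    Where-Object { -not (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel) } |
    Remove-ADObject -Confirm:$false
# Take the site out of its site link, then delete the site and its containers.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = $branchSite }
Remove-ADObject -Identity "CN=$branchSite,CN=Sites,$configNC" -Recursive -Confirm:$false

# 4. Verify what is left.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
repadmin /replsummary
```

After the reboot, also check DNS for leftover A/SRV records of the demoted servers (`Get-DnsServerResourceRecord`) and remove any stale ones; clients that cached them will otherwise keep trying the dead hosts first.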

 


Group Managed Service Accounts which server it belongs to

I have inherited a Windows 2012 domain that is using group managed service accounts, but there are so many servers and other objects that it's impossible to dig through.

Is there a simple PowerShell command to tell me what computers a gMSA is managing?

D
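Added example, not part of the post above. A gMSA does not record where it is "managing"; what AD knows is which principals may retrieve its password (PrincipalsAllowedToRetrieveManagedPassword), and that is usually a group, so the list has to be expanded to find the actual computers. The first function does that for every gMSA in the domain; the second confirms on a given host that the account is really installed and which services run as it. Assumes RSAT/the ActiveDirectory module on the hosts you query remotely.

```powershell
# Added example (not from the post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GmsaHost {
    # For each gMSA, expand PrincipalsAllowedToRetrieveManagedPassword (groups included) to computers.
    $gmsas = Get-ADServiceAccount -Filter { objectClass -eq 'msDS-GroupManagedServiceAccount' } `
                 -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
    foreach ($g in $gmsas) {
        $hosts = foreach ($dn in $g.PrincipalsAllowedToRetrieveManagedPassword) {
            $p = Get-ADObject -Identity $dn -Properties objectClass
            if ($p.objectClass -eq 'group') {
                # Membership (nested too) is what grants password retrieval, so expand recursively.
                Get-ADGroupMember -Identity $dn -Recursive |
                    Where-Object { $_.objectClass -eq 'computer' } |
                    ForEach-Object { $_.Name }
            } else { $p.Name }
        }
        [pscustomobject]@{
            gMSA  = $g.SamAccountName
            Hosts = (($hosts | Sort-Object -Unique) -join ', ')
            SPNs  = ($g.ServicePrincipalNames -join ', ')
        }
    }
}

function Get-GmsaUsageOnHost {
    # On one host: is the gMSA installed, and which services actually run as it?
    param([string]$ComputerName, [string]$GmsaSam)   # GmsaSam like 'svc_web$' (assumed example name)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Installed = Test-ADServiceAccount -Identity $using:GmsaSam
            Services  = ((Get-CimInstance Win32_Service |
                          Where-Object { $_.StartName -like "*\$using:GmsaSam" }).Name -join ', ')
        }
    }
}

Get-GmsaHost | Format-Table -AutoSize
# Get-GmsaUsageOnHost -ComputerName 'WEB01' -GmsaSam 'svc_web$'
```

Note the security point hiding in the first column: every computer in that expanded list can fetch the gMSA's password, whether or not it runs a service as it, so prune the group rather than leaving "all servers" in it.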

Access this computer from the network - Domain Controller policy

Hi,

I want to secure my DC, so I am planning to remove the "Everyone" group from the "Access this computer from the network" DC policy.

Is there any impact I have to face? I do not have any shared folders created on the DC.

Please assist.

Bypass traverse checking - Domain Controller policy

Hi,

I want to protect my DC, hence I decided to remove "Everyone" and "Users" from the Bypass traverse checking GPO setting.

I am going to do this in the Domain Controller policy. Let me know of any impact I will receive.
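Added example, not part of either of the two posts above (the "Access this computer from the network" one and this one). Before editing either user right in the Default Domain Controllers Policy, export what the DC currently enforces and resolve the SIDs, so you know exactly who loses the right. Run it on a DC, then again after `gpupdate /force` to confirm the GPO took effect. For reference, the Microsoft security baseline for domain controllers sets "Access this computer from the network" (SeNetworkLogonRight) to Administrators, Authenticated Users and ENTERPRISE DOMAIN CONTROLLERS (S-1-5-9); removing Everyone is harmless as long as those three stay, because every domain logon is a member of Authenticated Users and DC-to-DC replication authenticates as S-1-5-9. "Bypass traverse checking" (SeChangeNotifyPrivilege) is evaluated for every process on the DC, including its own services, so change it on one DC first and watch for access-denied errors.

```powershell
# Added example (not from the posts). Exports effective user rights on this DC and resolves the SIDs.
function Get-EffectiveUserRight {
    param([string[]]$Right = @('SeNetworkLogonRight', 'SeChangeNotifyPrivilege'))
    $cfg = Join-Path $env:TEMP 'ura.inf'
    # secedit writes lines like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9,*S-1-1-0
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg
    foreach ($r in $Right) {
        $line = $lines | Where-Object { $_ -match "^$r\s*=" }
        $sids = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
        $names = foreach ($s in $sids) {
            $s = $s.Trim().TrimStart('*')
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($s)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $s }   # already a name, or an orphaned SID
        }
        [pscustomobject]@{ Right = $r; Principals = ($names -join '; ') }
    }
}

# Flag the specific principals the posts want to remove, so the change can be reviewed.
function Test-UserRightContains {
    param([string]$Right, [string[]]$Principal = @('Everyone', 'BUILTIN\Users'))
    $cur = (Get-EffectiveUserRight -Right $Right).Principals -split ';\s*'
    foreach ($p in $Principal) {
        [pscustomobject]@{ Right = $Right; Principal = $p; Present = ($cur -contains $p) }
    }
}

Get-EffectiveUserRight | Format-List
Test-UserRightContains -Right 'SeNetworkLogonRight'    -Principal 'Everyone'
Test-UserRightContains -Right 'SeChangeNotifyPrivilege' -Principal 'Everyone', 'BUILTIN\Users'
```

Make the change in the GPO (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment), not with secedit on the DC directly; a local edit is overwritten at the next policy refresh and gives you a false "it worked".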

Best Practice followed by Professional and Your Experience, regarding Backup

Hi All,

If you have 15,000+ domain users and around 35 domain controllers spread all over the world:

Can you please let me know which best practices you follow, and your experience, regarding backup of Active Directory?

Can you please share your good and bad experiences regarding AD backup, which approach you have followed, and what changes you have made to your backup policy if you had a bad experience regarding AD backup / AD restoration?

Regards,

Param
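Added example, not part of the post above. Two things matter more than the tooling: back up the system state of at least two DCs per domain (in different sites, one of them the PDC emulator), and never let any backup age past the tombstone lifetime, because the DS refuses to restore a backup older than that. The script below takes a system state backup with Windows Server Backup on the DC it runs on, then checks every DC in the forest for the age of its last successful backup against the tombstone lifetime. Assumes Windows Server Backup is installed on the DCs and E: is the backup target (both assumptions).

```powershell
# Added example (not from the post). Needs: Install-WindowsFeature Windows-Server-Backup on each DC.
Import-Module ActiveDirectory

function Invoke-DcSystemStateBackup {
    param([string]$Target = 'E:')   # assumed backup volume; use a dedicated, non-DC-writable share in practice
    wbadmin start systemstatebackup -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

function Get-TombstoneLifetime {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    # Attribute absent means the DS uses 60 days.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-DcBackupAge {
    $tsl = Get-TombstoneLifetime
    foreach ($dc in Get-ADDomainController -Filter *) {
        $last = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction SilentlyContinue
            (Get-WBSummary).LastSuccessfulBackupTime
        }
        if ($last -lt [datetime]'2000-01-01') { $last = $null }   # "never backed up" sentinel
        $age = if ($last) { (New-TimeSpan -Start $last -End (Get-Date)).Days } else { $null }
        [pscustomobject]@{
            DC             = $dc.HostName
            Site           = $dc.Site
            IsPDC          = ($dc.OperationMasterRoles -contains 'PDCEmulator')
            LastBackup     = $last
            AgeDays        = $age
            # Older than tombstone lifetime = cannot be restored = not a backup.
            Restorable     = ($null -ne $age -and $age -lt $tsl)
            TombstoneDays  = $tsl
        }
    }
}

Invoke-DcSystemStateBackup
Test-DcBackupAge | Sort-Object Restorable, AgeDays | Format-Table -AutoSize
```

Treat the backup target as Tier 0: a system state backup contains NTDS.DIT and therefore every password hash in the domain, so the share and the media need the same access control as the DCs themselves.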



Windows Authentication with Kerberos not working

Hello,

I have several Windows Servers (2012 R2); one of them has the role of Domain Controller (and certification authority).
All the servers are in the same domain and have certificates from the CA hosted on the DC.
However, I am not able to use Windows authentication for some applications. It works with NTLM, but when using Kerberos it throws the following exception:

Unexpected exception in ObtainTokenAsync

-------- Exception ----------------
System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The function requested is not supported

This is from the application logs. I've searched a lot but none of the solutions found online fix my issue.
There is no error in the Kerberos logs on the DC (as far as I can see), so I really don't know what to look for.

Any help will be greatly appreciated!
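Added example, not part of the post above. When NTLM works and Kerberos does not, the first things to establish are whether the SPN the client asks for exists exactly once and on the account the service actually runs as, and what ticket (if any) the client received. The script checks both, and forces a fresh ticket request against the service. Assumed names: the application is reached as https://app.corp.example and runs as CORP\svc_app.

```powershell
# Added example (not from the post). Assumed: SPN HTTP/app.corp.example, service account CORP\svc_app.
Import-Module ActiveDirectory

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Zero owners: the KDC cannot issue a ticket and the client falls back to NTLM where allowed.
    # Two or more owners: the KDC may encrypt the ticket for the wrong account, which the service cannot decrypt.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
        -Properties servicePrincipalName, objectClass, 'msDS-SupportedEncryptionTypes' |
        Select-Object Name, objectClass, DistinguishedName,
                      @{ n = 'SupportedEtypes'; e = { $_.'msDS-SupportedEncryptionTypes' } }
}

function Test-Spn {
    param([string]$Spn, [string]$ExpectedAccount)
    $owners = @(Find-SpnOwner -Spn $Spn)
    switch ($owners.Count) {
        0       { "MISSING: $Spn is not registered. Register it with: setspn -S $Spn $ExpectedAccount" }
        1       { "OK: $Spn is on $($owners[0].Name) ($($owners[0].objectClass)); etypes=$($owners[0].SupportedEtypes)" }
        default { "DUPLICATE: $Spn is on " + ($owners.Name -join ', ') }
    }
}

Test-Spn -Spn 'HTTP/app.corp.example' -ExpectedAccount 'CORP\svc_app'
setspn -X -F    # forest-wide duplicate SPN scan with the built-in tool

# On the client: purge tickets, hit the service, then see what the KDC issued and which etype.
klist purge | Out-Null
try { Invoke-WebRequest -Uri 'https://app.corp.example/' -UseDefaultCredentials -UseBasicParsing | Out-Null }
catch { "Request failed: $($_.Exception.Message)" }
klist | Select-String -Pattern 'Server:|KerbTicket Encryption Type'
```

If the SPN is correct and a ticket is issued, compare the ticket's encryption type with what the service account allows (msDS-SupportedEncryptionTypes) and with the application's own SSPI settings; an etype the application side does not support is one of the ways a generic SSPI failure surfaces, but that is a hypothesis to test, not a diagnosis of this post.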



Replace SBS 2011 Essentials with new Domain Controller running Server 2019 Datacenter

I am in a home environment with SBS 2011 Essentials running as the DC, AD, and file server. I would like to retain the domain name, retire the old server and replace it with one running a fresh install of 2019 Datacenter. In SBS 2011, I named my domain JNET and .local came afterwards. Not knowing better, I left it. I have read several articles yesterday about how retaining ".local" is a bad idea and one should use an actual domain you own. I own several, so that is not an issue, but I don't want to have to rejoin a new domain, as I know it requires you to create a new user on your PC, which may not be a huge deal.

I have a couple of questions I was hoping someone could answer:

  1. Do I have to retain the old server name? I would prefer to rename it.
  2. If I keep JNET.local, will that hurt anything? The biggest complaint I saw was that a certificate authority would not issue you an SSL certificate if you had a .local. I am at home and a learning novice, so I am not sure if I will ever need a certificate, but if I do, I would hate to have pigeonholed myself out of one.
  3. One PC username is username.JNET. If I name the domain JNET.domainIown.com, will that mean all the PCs in the house have to join a new network? Will it also mean that the user folders under C:\users will change from username.JNET?
  4. Since I have Datacenter, and can install unlimited VMs with Hyper-V, I want to build correctly so that I learn better. Would it be better to have a VM with the AD role, or is it OK to put AD as a role on my new DC?

Thanks in advance!


Managed by attribute usage

Hi,

Please help me to understand the usage of "Managed by" attribute. If we right click -properties of Group / computers there we can see the attribute called "Managed By".
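Added example, not part of the post above. "Managed By" is by itself only informational: it records a contact for the object and grants nothing. The one place it has a side effect is the "Manager can update membership list" checkbox on a group, which adds an ACE on the group object letting the manager write the `member` attribute. The script sets a manager the two ways (with and without that ACE) and then audits which managers in the domain can actually change membership, which is the part that matters for security review. Assumed names: group App-Admins, manager jdoe.

```powershell
# Added example (not from the post). Assumed: group 'App-Admins', manager 'jdoe'.
Import-Module ActiveDirectory
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'member' attribute

function Set-GroupManager {
    param([string]$Group, [string]$ManagerSam, [switch]$CanUpdateMembership)
    $mgr = Get-ADUser $ManagerSam
    Set-ADGroup -Identity $Group -ManagedBy $mgr.DistinguishedName     # informational only
    if ($CanUpdateMembership) {
        # This is what the ADUC checkbox does: Allow WriteProperty on 'member' for the manager.
        $path = "AD:\$((Get-ADGroup $Group).DistinguishedName)"
        $acl  = Get-Acl $path
        $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                    $mgr.SID,
                    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                    [System.Security.AccessControl.AccessControlType]::Allow,
                    $memberAttrGuid)
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
    }
}

function Get-GroupManagerRights {
    # For every group with a manager: can that manager really change membership?
    Get-ADGroup -Filter { ManagedBy -like '*' } -Properties ManagedBy | ForEach-Object {
        $mgr = Get-ADObject $_.ManagedBy -Properties objectSid
        $acl = Get-Acl "AD:\$($_.DistinguishedName)"
        $canWrite = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $mgr.objectSid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [guid]::Empty)
        }
        [pscustomobject]@{ Group = $_.Name; Manager = $mgr.Name; CanUpdateMembership = [bool]$canWrite }
    }
}

Set-GroupManager -Group 'App-Admins' -ManagerSam 'jdoe' -CanUpdateMembership
Get-GroupManagerRights | Format-Table -AutoSize
```

The audit matters because write access to `member` on a privileged group is equivalent to membership of it; clearing the ManagedBy attribute does not remove the ACE, so a manager who left the role keeps the right until someone removes the ACE itself.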


AdminSDHolder - Deny Change Password for Account

Okay guys, I have an interesting one here. I have a scenario where I need to restrict a service account that is in Domain Admins from being able to reset or change the passwords of other accounts that are protected by the AdminSDHolder role. I am fairly familiar with how SDProp and AdminSDHolder work, by replacing the DACL of the protected object with the ACLs that are contained on the AdminSDHolder object in Active Directory; however, here is where things get interesting.

When looking through ACLs, the ability to deny "Change Password" and "Reset Password" applies to "Descendant User objects" only. When adding this ACE to AdminSDHolder and letting it replicate out to the protected objects, Effective Access still shows that the service account has permissions to change and reset passwords, because the new ACE only applies to descendant objects and not the object itself. If I attempt to set it on the OU and let it propagate, SDProp overwrites the ACLs and restores them, as expected. Additionally, if I switch to "This object and all descendant objects", the check box for change and reset password is not available.

I am wondering if there is any way to restrict the ability to change or reset a password for an account that is protected by AdminSDHolder, short of moving the service account out of Domain Admins and attempting to enumerate every other ACL required by the account (which would be a very intensive task).

Thanks!
Jeffe
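Added example, not part of the post above. Two parts: an audit of who holds Reset Password / Change Password on every AdminSDHolder-protected account, and the explicit (non-inherited) deny ACE on AdminSDHolder that the ADUC dialog does not offer, added through the ActiveDirectory provider with inheritance set to None, followed by a manual SDProp run so it is stamped on the protected objects right away. The caveat a practitioner needs before using it: a member of Domain Admins is not constrained by DACLs in any meaningful way. The account can remove the deny ACE, is an implicit owner of every object through Administrators, can replicate password hashes, and can log on to a DC. A deny ACE here is an accident guard, not a security boundary; the real fix is the one the post hopes to avoid, taking the service account out of Domain Admins. Assumed name: the account is CORP\svc_backup.

```powershell
# Added example (not from the post). Assumed: account to restrict is 'svc_backup'.
Import-Module ActiveDirectory
$ResetPasswordGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # "Change Password" extended right
$domain        = Get-ADDomain
$adminSDHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

function Get-ProtectedAccountPasswordRights {
    # adminCount=1 marks objects SDProp has stamped. Report explicit/inherited ACEs on the two rights,
    # plus ACEs granting all extended rights (ObjectType empty), which also cover them.
    Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $acl = Get-Acl "AD:\$($_.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            $isExt = $ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
            if (-not $isExt) { continue }
            $right = if ($ace.ObjectType -eq $ResetPasswordGuid) { 'ResetPassword' }
                     elseif ($ace.ObjectType -eq $ChangePasswordGuid) { 'ChangePassword' }
                     elseif ($ace.ObjectType -eq [guid]::Empty) { 'AllExtendedRights' }
                     else { $null }
            if ($right) {
                [pscustomobject]@{ Account = $_.SamAccountName; Type = $ace.AccessControlType
                                   Who = $ace.IdentityReference; Right = $right }
            }
        }
    }
}

function Add-AdminSDHolderDeny {
    param([string]$Sam, [guid]$RightGuid)
    $sid  = (Get-ADUser $Sam).SID
    $path = "AD:\$adminSDHolder"
    $acl  = Get-Acl $path
    # Inheritance None = an explicit ACE on AdminSDHolder itself; SDProp copies the DACL to each
    # protected object, where this ACE then applies to the object directly.
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Deny, $RightGuid,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Invoke-SDProp {
    # Run the protect-admin-groups task now instead of waiting for the 60-minute cycle (PDC emulator only).
    $rootdse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
    $rootdse.Put('RunProtectAdminGroupsTask', '1')
    $rootdse.SetInfo()
}

Add-AdminSDHolderDeny -Sam 'svc_backup' -RightGuid $ResetPasswordGuid
Add-AdminSDHolderDeny -Sam 'svc_backup' -RightGuid $ChangePasswordGuid
Invoke-SDProp
Start-Sleep -Seconds 30
Get-ProtectedAccountPasswordRights | Where-Object { $_.Who -like '*svc_backup' } | Format-Table -AutoSize
```

Run the audit function on its own first; it is the more useful half, because it also surfaces every other principal that can reset protected accounts' passwords, which is usually a longer list than expected.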


ADMT migration

Hello everyone. The source domain is a 2003 environment with both 2003 and 2008 R2 domain controllers, and the target domain is 2016. Does ADMT support direct migration from 2003 to 2016?

Active Directory Recycle Bin

Hi everyone, how long after an account is deleted can the AD Recycle Bin still recover it? What is the default? How do I modify this value?

And what is the relationship between msDS-deletedObjectLifetime and tombstoneLifetime?
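Added example, not part of the post above. The two values live on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition. tombstoneLifetime is how long a tombstone (or, with the Recycle Bin, a recycled object) is kept before garbage collection; if the attribute is absent the DS uses 60 days, and forests created on newer versions have 180 written at creation. msDS-DeletedObjectLifetime is how long a deleted object stays fully recoverable once the Recycle Bin is enabled; if it is absent it defaults to the tombstone lifetime. The script computes the effective values the same way, shows whether the Recycle Bin is on, and changes the deleted-object lifetime.

```powershell
# Added example (not from the post). Run as Enterprise Admin to change the values.
Import-Module ActiveDirectory

function Get-DeletedObjectLifetimes {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }          # absent = 60
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }  # absent = TSL
    $rb  = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    $enabled = ($rb.EnabledScopes.Count -gt 0)
    [pscustomobject]@{
        RecycleBinEnabled         = $enabled
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
        # Full recovery (attributes, group memberships) only within DOL and only with the Recycle Bin;
        # without it, a tombstone can only be reanimated with most attributes already stripped.
        FullRecoveryWindowDays    = if ($enabled) { $dol } else { 0 }
        ObjectDN                  = $ds.DistinguishedName
    }
}

function Set-DeletedObjectLifetime {
    param([Parameter(Mandatory)][int]$Days)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Set-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Replace @{ 'msDS-DeletedObjectLifetime' = $Days }
}

function Restore-DeletedUser {
    # Recover a user deleted within the window; the filter needs -IncludeDeletedObjects to see it.
    param([Parameter(Mandatory)][string]$Sam)
    Get-ADObject -Filter { SamAccountName -eq $Sam -and Deleted -eq $true } -IncludeDeletedObjects |
        Restore-ADObject
}

Get-DeletedObjectLifetimes
# Enabling the Recycle Bin is forest-wide and irreversible (forest functional level 2008 R2 or higher):
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
```

Raising msDS-DeletedObjectLifetime above tombstoneLifetime is pointless; the object is garbage-collected at the tombstone lifetime regardless, so raise both if you want a longer window, and remember that a longer window also keeps deleted accounts' attributes (including SIDs and SID history) around longer.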

Problem with data replication from win server 2019 to server 2012 R2

Can I do data replication from Windows Server 2019 with Active Directory to Server 2012 R2 without Active Directory?

Or must I install Active Directory on the Windows Server 2012 R2 device first?

Zdravkovic Nebojsa

znesa66@gmail.com

Windows Server 2008R2 - Domain Controller Replication broken - after server problem (Event ID2092)

Hi,

I have two Domain Controllers which provide redundant DC, DHCP and DNS services. One of the servers would not startup after a normal shutdown to replace a failed fan. The server appeared to be getting so far through the startup process and spinning up the disks, but the screen remained blank - I think that the motherboard must have fried. Anyway, I swapped the disks into an identical server and tried to boot up the machine without connecting it to the network. The machine came up and looked to be operating correctly, but did flash up a message about reconfiguring something - not sure what exactly.

I thought that the server was working fine, so connected it back to the domain, but unfortunately didn't realise that the clock was way behind the current date/time, so the server didn't connect properly until I noticed the time and reset it to current and restarted the server. The machine then appeared to connect OK, but Windows asked to be reactivated (which I did).

The first indication of problems were an Event ID 2092 "This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role . . . . . . ." and now the DCs won't synchronise.

repadmin /showrepl on the (rebuilt) server says:

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC1-DL360G4P
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 655c44df-9346-4c0b-9822-7aa1c9bd9825
DSA invocationID: c5e40518-52ed-47c9-8cb1-6d78ff89b979
==== INBOUND NEIGHBORS ======================================
DC=daveathome,DC=org
    Default-First-Site-Name\DC2-DL360G4P via RPC
        DSA object GUID: 50e35970-760a-4e1f-872f-dedbb8de04e9
        Last attempt @ 2019-08-15 13:51:04 was successful.
CN=Configuration,DC=daveathome,DC=org
    Default-First-Site-Name\DC2-DL360G4P via RPC
        DSA object GUID: 50e35970-760a-4e1f-872f-dedbb8de04e9
        Last attempt @ 2019-08-15 13:51:04 was successful.
CN=Schema,CN=Configuration,DC=daveathome,DC=org
    Default-First-Site-Name\DC2-DL360G4P via RPC
        DSA object GUID: 50e35970-760a-4e1f-872f-dedbb8de04e9
        Last attempt @ 2019-08-15 13:51:04 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

And on the good server, it says:

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC2-DL360G4P
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 50e35970-760a-4e1f-872f-dedbb8de04e9
DSA invocationID: ca46f00b-f7ac-4c75-b1c8-9b7cf0b28092
==== INBOUND NEIGHBORS ======================================
DC=daveathome,DC=org
    Default-First-Site-Name\DC1-DL360G4P via RPC
        DSA object GUID: 655c44df-9346-4c0b-9822-7aa1c9bd9825
        Last attempt @ 2019-08-15 14:16:03 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        286 consecutive failure(s).
        Last success @ 2019-08-14 16:51:55.
CN=Configuration,DC=daveathome,DC=org
    Default-First-Site-Name\DC1-DL360G4P via RPC
        DSA object GUID: 655c44df-9346-4c0b-9822-7aa1c9bd9825
        Last attempt @ 2019-08-15 13:55:08 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        24 consecutive failure(s).
        Last success @ 2019-08-14 15:55:08.
CN=Schema,CN=Configuration,DC=daveathome,DC=org
    Default-First-Site-Name\DC1-DL360G4P via RPC
        DSA object GUID: 655c44df-9346-4c0b-9822-7aa1c9bd9825
        Last attempt @ 2019-08-15 13:55:08 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        22 consecutive failure(s).
        Last success @ 2019-08-14 15:55:08.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

It appears that the internal ID of the first server may have changed (?) and the linkage between the servers broken?

("The target principal name is incorrect")

Can someone PLEASE help me understand how to proceed from here to recover the replication etc.?

I really don't want to have to rebuild the domain controller and would struggle to do that properly anyway, but any guidance on how to use DCDIAG etc. to recover this state of affairs would be really appreciated

regards

Dave
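Added example, not part of the post above. 0x80090322 "the target principal name is incorrect" on inbound replication from DC1, together with 8453 "replication access was denied", is the signature of a DC whose Kerberos secure channel to its partner no longer works, and the post's history (booted with a badly wrong clock, then reactivated) fits a machine-account password that fell out of step. The standard repair is: fix time first, stop the KDC on the broken DC so it stops issuing tickets under the stale key, purge cached tickets, reset the DC's own machine-account password against the healthy DC with `netdom resetpwd`, pull replication, then restart the KDC. The script wraps that sequence and the checks around it. It follows the post's roles (DC1-DL360G4P broken, DC2-DL360G4P healthy); run it on the broken DC as a Domain Admin. Everything else is an assumption.

```powershell
# Added example (not from the post). Run ON the broken DC. Partner names as in the post.
$goodDC = 'DC2-DL360G4P'
$domain = 'daveathome.org'

function Test-DcTimeSkew {
    param([string]$Partner)
    # Kerberos tolerates 5 minutes of skew; the rebuilt server booted with the clock far behind.
    w32tm /stripchart /computer:$Partner /samples:3 /dataonly
    w32tm /resync /nowait
}

function Reset-DcSecureChannel {
    param([string]$Partner, [string]$Domain)
    # 1. Stop the KDC so this DC does not keep handing out tickets under the stale machine-account key.
    Stop-Service kdc -Force
    Set-Service kdc -StartupType Disabled
    # 2. Purge cached tickets for Local System (the DC's own identity) and for the current user.
    klist -li 0x3e7 purge
    klist purge
    # 3. Reset this DC's machine-account password directly against the healthy partner.
    netdom resetpwd /server:$Partner /userd:"$Domain\Administrator" /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed ($LASTEXITCODE); do not continue." }
    # 4. Pull all partitions from partners, then bring the KDC back.
    repadmin /syncall $env:COMPUTERNAME /A /e
    Set-Service kdc -StartupType Automatic
    Start-Service kdc
}

function Test-DcReplicationHealth {
    param([string]$Domain)
    nltest /sc_verify:$Domain          # secure channel to a DC in the domain
    repadmin /showrepl                 # the 0x80090322 lines should be gone on the partner too
    repadmin /replsummary
    dcdiag /test:replications /test:knowsofroleholders /test:fsmocheck
}

Test-DcTimeSkew -Partner $goodDC
Reset-DcSecureChannel -Partner $goodDC -Domain $domain
Start-Sleep -Seconds 60
Test-DcReplicationHealth -Domain $domain
```

Before running the reset, confirm on DC2 that the broken DC's computer object and NTDS Settings object still exist and that DC2 is the one with the data you want to keep; once replication is flowing again, the Event ID 2092 warning clears on its own after the FSMO holder has replicated successfully with a partner.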

Journal Wrap Error on 2012 Domain Controller

I have the above situation. I googled the error and found that I would need to disable FRS on all domain controllers except the one with the journal wrap error and one with a good copy of the SYSVOL. Is demoting the DC an option, removing AD from it so it's just a stand-alone file server, or does this error situation prevent that?


Francisco Mercado Jr.
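Added example, not part of the post above. On a 2012 DC still using FRS, the usual fix for a journal wrap on one DC is a non-authoritative restore of that DC's SYSVOL replica (BurFlags = D2), which makes it discard its copy and re-seed from a partner that has a good one; D4 (authoritative) is only for the single DC whose copy everyone else should adopt. The script checks which engine is in use, takes a copy of the local SYSVOL first, performs the D2 restore, and verifies the share came back. Assumes the domain has not migrated SYSVOL to DFSR (check with the first function) and that at least one other DC holds a good SYSVOL.

```powershell
# Added example (not from the post). Run on the DC that logged the journal wrap (FRS event 13568).
$frsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Get-SysvolReplicationEngine {
    # 'Eliminated' means SYSVOL is on DFSR and FRS is out of the picture; anything else means FRS is still involved.
    dfsrmig /getglobalstate
}

function Backup-LocalSysvol {
    param([string]$Destination = "$env:SystemDrive\SYSVOL-backup-$(Get-Date -Format yyyyMMdd-HHmm).zip")  # assumed path
    Compress-Archive -Path "$env:SystemRoot\SYSVOL\domain\*" -DestinationPath $Destination
    $Destination
}

function Invoke-FrsNonAuthoritativeRestore {
    Stop-Service NtFrs
    # D2 = non-authoritative: this replica is rebuilt from a partner at the next NtFrs start.
    # D4 = authoritative: ONLY on the one DC whose SYSVOL everyone else should copy.
    Set-ItemProperty -Path $frsKey -Name BurFlags -Value 0xD2 -Type DWord
    Start-Service NtFrs
}

function Test-SysvolRecovered {
    # 13565 = non-authoritative restore started, 13516 = FRS no longer prevents the DC from advertising (SYSVOL shared).
    Get-WinEvent -LogName 'File Replication Service' -MaxEvents 30 |
        Where-Object { $_.Id -in 13568, 13565, 13516 } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
    Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Select-Object Name, Path
}

Get-SysvolReplicationEngine
Backup-LocalSysvol
Invoke-FrsNonAuthoritativeRestore
Start-Sleep -Seconds 120
Test-SysvolRecovered
```

Demotion is also an option and the journal wrap does not block it; with only one other DC, make sure that one's SYSVOL is the good copy before you do so. Either way, the durable fix on 2012 is migrating SYSVOL to DFSR (`dfsrmig /setglobalstate 1`, then 2, then 3, verifying with `/getmigrationstate` between steps), since FRS is removed in current Windows Server versions.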


AD with two DCs not working when one DC is down.

I had one AD running on a Windows Server 2016. It had all the roles, running DNS and DHCP. I created a new Windows 2019 Server, added AD and moved the roles over to it. I exported/imported DHCP settings to the 2019 server and shut DHCP off on 2016. 2019 now has all of the roles DNS and DHCP. 2016 still has AD and DNS, but all clients and servers are pointed to 2019 for Primary DNS and 2016 as Secondary DNS. 

In the past, I could bring down either DC (2016 or 2019) and have my Domain operational. I had a hacker get on a client computer and my 2016 DC started showing signs of problems with a constant CPU usage of 89-99%. I turn the NIC off and usage goes back to normal (I'm not asking for help with the hacker), but with that DC down, my network is down, meaning clients can't see servers. It seemed to me like a DNS problem, so I took the Secondary DNS (2016 server that is down) off all Servers and Clients. I rebooted all servers and clients, but none see the 2019 DC unless I turn on the NIC for the 2016 (hacked server). I want to remove that server completely, but the 2019 DC holding all of the roles, DNS and DHCP doesn't work without the 2016 DC. What am I missing?  
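Added example, not part of the post above. When a domain with two DCs stops working the moment one of them is off, the surviving DC is almost always depending on the other for something: DNS it resolves through, SRV records that still point at the dead DC, a FSMO role that was not actually moved, or GC. The script checks each of these from the survivor's point of view. Assumed names: domain corp.example, surviving DC DC2019, offline DC DC2016.

```powershell
# Added example (not from the post). Assumed: domain corp.example, survivor DC2019, offline DC2016.
Import-Module ActiveDirectory

function Test-SurvivingDc {
    param([string]$Domain, [string]$Dc, [string]$OfflineDc)
    $r = [ordered]@{}
    # Locator SRV records: clients pick from these. Stale entries for the dead DC get tried first.
    foreach ($svc in 'ldap._tcp.dc', 'kerberos._tcp.dc', 'ldap._tcp.gc') {
        $targets = (Resolve-DnsName -Name "_$svc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction SilentlyContinue).NameTarget
        $r["SRV_$svc"] = ($targets -join ', ')
        $r["SRV_${svc}_StaleDeadDc"] = [bool]($targets | Where-Object { $_ -like "$OfflineDc.*" })
    }
    # What the DC locator actually returns right now.
    $r.Locator = ((nltest /dsgetdc:$Domain /force) -join ' ')
    # Are all five roles on the survivor? Any role left on the dead DC breaks specific operations.
    $d = Get-ADDomain -Server $Dc; $f = Get-ADForest -Server $Dc
    $r.FsmoHolders  = (@($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster,
                         $f.SchemaMaster, $f.DomainNamingMaster) | Sort-Object -Unique) -join ', '
    $r.SurvivorIsGC = (Get-ADDomainController -Identity $Dc).IsGlobalCatalog
    # The survivor must not resolve DNS through the dead DC, and as PDC must be its own (or external) time source.
    $r.SurvivorDnsServers = ((Get-DnsClientServerAddress -CimSession $Dc -AddressFamily IPv4 |
                              Where-Object { $_.ServerAddresses }).ServerAddresses -join ', ')
    $r.SurvivorTimeSource = (Invoke-Command -ComputerName $Dc -ScriptBlock { w32tm /query /source })
    [pscustomobject]$r
}

Test-SurvivingDc -Domain 'corp.example' -Dc 'DC2019' -OfflineDc 'DC2016' | Format-List
```

If a role still shows on the dead DC, seize it on the survivor (`Move-ADDirectoryServerOperationMasterRole -Identity DC2019 -OperationMasterRole <role> -Force`); if stale SRV records remain after the 2016 DC is gone for good, remove its metadata (`ntdsutil "metadata cleanup"`, or delete its NTDS Settings object in Sites and Services, which triggers the same cleanup on 2008 R2 and later) rather than editing DNS by hand. Given the post's description, the 2016 DC should be treated as compromised and rebuilt, not re-joined.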

DSACLS and Full Control

I need to setup a scheduled task to delegate full control permissions. This task will be run late at night. I probably need to use DSACLS unless you recommend otherwise.

Question. What is the correct syntax for DSACLS to allow a user to have full control over an OU and the ability to create all classes of objects within that OU?

Thanks again.
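Added example, not part of the post above. With DSACLS, `GA` (generic all) is Full Control and already includes create-child for every class, and `/I:T` applies the ACE to the OU itself and to everything beneath it; without `/I`, the ACE lands on the OU object only. The script shows that form, verifies it, and then the same delegation through the ActiveDirectory provider, which is easier to call from a scheduled task than parsing DSACLS output. Assumed names: OU "OU=Workstations,DC=corp,DC=example" and user CORP\ouadmin.

```powershell
# Added example (not from the post). Assumed: OU=Workstations,DC=corp,DC=example and user CORP\ouadmin.
$ou   = 'OU=Workstations,DC=corp,DC=example'
$user = 'CORP\ouadmin'

# GA = Full Control (includes CC, create child, for all classes); /I:T = this object and all sub-objects.
dsacls $ou /G "${user}:GA" /I:T

# Verify: dsacls with no switches dumps the DACL.
dsacls $ou | Select-String -Pattern ([regex]::Escape($user))

# The same grant via the AD: provider, usable from a script without text parsing.
Import-Module ActiveDirectory
function Grant-OuFullControl {
    param([Parameter(Mandatory)][string]$OuDN, [Parameter(Mandatory)][string]$Sam)
    $sid  = (Get-ADUser $Sam).SID
    $path = "AD:\$OuDN"
    $acl  = Get-Acl $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # object + all descendants
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-OuFullControl {
    param([string]$OuDN, [string]$Sam)
    $sid = (Get-ADUser $Sam).SID
    (Get-Acl "AD:\$OuDN").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

Grant-OuFullControl -OuDN $ou -Sam 'ouadmin'
Test-OuFullControl  -OuDN $ou -Sam 'ouadmin'
```

Two caveats for the scheduled task: Full Control over an OU is control over every account and computer under it, so the OU must not contain anything Tier 0 (accounts protected by AdminSDHolder get their DACL reset by SDProp, but everything else is the delegate's); and the credential the task runs under can grant Full Control, which makes it a Tier 0 credential, so run the task as a gMSA or a dedicated account rather than a shared admin login.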

I have a question about adding a security group to all computers on the domain...

The process in which we create new computers on our domain is:

Go to our policy-free OU, create a new pc name and then, on the same initial screen, we click Change... and add a group under User or Group. This, for us, allows anyone in that group to manage that pc within AD.

Rather than manually add a pc and add the group, I am currently using MDT to join to our domain, but I want to auto-create the pc names as well, on the fly. I can do this, but I don't know how to add a GPO to automatically apply that specific group to the security properties of the pc.

For every single pc on our domain, if you look at the properties and choose Security, there is the group (because we've been manually adding it). I'd like, from the very top down, for that group to be part of the standard Security Group on every pc we have. I don't work in AD so I don't know how to apply this, but I'm hoping for a reply that will work.
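Added example, not part of the post above. The "User or Group" box in the New Object - Computer dialog writes that principal into the new computer object's DACL; it is a per-object ACE, which is why it has to be repeated for every machine. A GPO cannot do this (Group Policy does not write AD object permissions). What does the same job from the top down is one inheritable ACE on the OU where the computers are created, scoped to descendant objects of class computer: every existing object under it inherits it and every computer MDT creates there (via MachineObjectOU in CustomSettings.ini) gets it automatically. Assumed names: OU "OU=Staging,DC=corp,DC=example" and group CORP\Desktop-Techs.

```powershell
# Added example (not from the post). Assumed: OU=Staging,DC=corp,DC=example and group 'Desktop-Techs'.
Import-Module ActiveDirectory
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'computer' class

function Grant-ComputerObjectControl {
    param([Parameter(Mandatory)][string]$OuDN, [Parameter(Mandatory)][string]$GroupSam)
    $sid  = (Get-ADGroup $GroupSam).SID
    $path = "AD:\$OuDN"
    $acl  = Get-Acl $path
    # Descendents + inheritedObjectType = computer: the ACE is inherit-only on the OU and becomes an
    # effective Full Control ACE on each computer object beneath it (existing and future).
    # Full control over a computer object allows taking over the machine (for example by writing
    # msDS-AllowedToActOnBehalfOfOtherIdentity), so keep this OU to workstations only, never servers or DCs.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid,
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
               [System.Security.AccessControl.AccessControlType]::Allow,
               [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
               $computerClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-ComputerObjectControl {
    # Shows, per computer, whether the group has Full Control and whether it came by inheritance
    # (the OU ACE) or was set directly (the old manual "User or Group" method).
    param([string]$OuDN, [string]$GroupSam)
    $sid = (Get-ADGroup $GroupSam).SID
    Get-ADComputer -Filter * -SearchBase $OuDN | ForEach-Object {
        $aces = (Get-Acl "AD:\$($_.DistinguishedName)").Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
            $_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        }
        [pscustomobject]@{
            Computer   = $_.Name
            HasControl = [bool]$aces
            Inherited  = [bool]($aces | Where-Object { $_.IsInherited })
            Explicit   = [bool]($aces | Where-Object { -not $_.IsInherited })
        }
    }
}

Grant-ComputerObjectControl -OuDN 'OU=Staging,DC=corp,DC=example' -GroupSam 'Desktop-Techs'
Test-ComputerObjectControl  -OuDN 'OU=Staging,DC=corp,DC=example' -GroupSam 'Desktop-Techs' | Format-Table -AutoSize
```

Once the OU ACE is in place you can stop filling in "User or Group" on new computers, and the explicit ACEs on the old ones become redundant; leave them or clean them up, but do not rely on them, since an object moved into the OU from elsewhere gets the inherited ACE and one moved out loses it, which is the behaviour you want.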

DC Hold last replica of application directory partitions, demoting 2008R2 DC

I have migrated AD to Server 2019 and now I am getting this error when demoting the 2008 R2 DC:

The domain controller holds the last replica of the following application directory partitions.

I have attached a picture.

I don't see any issues with replication on my 2019 box.  I am able to use all functions of AD and DNS.  I had AD services on the 2008 server turned off for a week without issue.
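Added example, not part of the post above. The demotion check is about application directory partitions (typically DomainDnsZones and ForestDnsZones, sometimes a custom one), not the domain partition, which is why replication of the domain itself looks fine. The script lists every application partition in the forest with its replica set, so you can see which ones only the old DC still hosts, and enlists the 2019 DC's DNS server in the two DNS partitions before you demote. Assumed names: old DC DC2008, new DC DC2019, domain corp.example.

```powershell
# Added example (not from the post). Assumed: DC2008 (old), DC2019 (new), domain corp.example.
Import-Module ActiveDirectory

function Get-AppPartitionReplica {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    # systemFlags bits 1 (NC) and 4 (not GC-replicated) are both set only on application partitions.
    Get-ADObject -SearchBase "CN=Partitions,$cfg" `
        -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))' `
        -Properties nCName, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        # Replica locations are NTDS Settings DNs: CN=NTDS Settings,CN=<server>,CN=Servers,...
        $replicas = foreach ($dn in $_.'msDS-NC-Replica-Locations') { (($dn -split ',')[1]) -replace '^CN=' }
        [pscustomobject]@{
            Partition = $_.nCName
            Replicas  = ($replicas -join ', ')
            Count     = @($replicas).Count
        }
    }
}

function Add-DnsPartitionReplica {
    # Enlist the DNS server on $DC in the default DNS application partitions (no-op if already there).
    param([Parameter(Mandatory)][string]$DC, [Parameter(Mandatory)][string]$Domain)
    Invoke-Command -ComputerName $DC -ScriptBlock {
        Register-DnsServerDirectoryPartition -Name "DomainDnsZones.$using:Domain"
        Register-DnsServerDirectoryPartition -Name "ForestDnsZones.$using:Domain"
    }
}

'Before:'; Get-AppPartitionReplica | Format-Table -AutoSize
Add-DnsPartitionReplica -DC 'DC2019' -Domain 'corp.example'
Start-Sleep -Seconds 120      # give the new replica time to be created and replicated
'After:';  Get-AppPartitionReplica | Format-Table -AutoSize
```

A partition that still shows only the old DC after that is either a custom one (add a replica with `ntdsutil "partition management" "add nc replica <partitionDN> <newDC NTDS Settings DN>"`) or genuinely unneeded, in which case `Uninstall-ADDSDomainController -RemoveApplicationPartitions` deletes it with the DC; check what is in it before choosing the second route, since the data is gone for good.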

GPO block policy inheritance

Hi,


I have seen in my experience that some AD domains have block policy inheritance enabled at the root level and on the Domain Controllers OU.

Please help me to understand the use case of GPO block policy inheritance.
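Added example, not part of the post above. Block Inheritance on an OU stops GPOs linked above it from applying, except for links marked Enforced, which always win. Its legitimate use is an OU that must not receive the general policy set (a lab, an isolated tier); on the Domain Controllers OU it detaches the DCs from domain-level security settings, and at the domain root the only thing it can block is site-linked GPOs. The script finds every container with the block set, lists what is linked there and whether it is enforced, and flags the DC OU. Requires the GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not from the post). Needs RSAT: GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoInheritanceBlocks {
    $domain  = Get-ADDomain
    $targets = @($domain.DistinguishedName) +
               (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn
        if (-not $inh.GpoInheritanceBlocked) { continue }
        [pscustomobject]@{
            Target       = $dn
            IsDomainRoot = ($dn -eq $domain.DistinguishedName)
            IsDcOU       = ($dn -eq $domain.DomainControllersContainer)
            LinkedHere   = (($inh.GpoLinks | ForEach-Object {
                               $_.DisplayName + $(if ($_.Enforced) { ' [Enforced]' })
                           }) -join '; ')
            # GPOs from above that still apply despite the block (Enforced links only).
            StillApplied = (($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join '; ')
        }
    }
}

Get-GpoInheritanceBlocks | Format-List
# To remove a block once you know what it was hiding:
# Set-GPInheritance -Target 'OU=Domain Controllers,DC=corp,DC=example' -IsBlocked No   # assumed DN
```

Before clearing a block, compare the "LinkedHere" and "StillApplied" columns with what the parent containers link; if the block was put there to keep a security GPO off the DCs, removing it applies that GPO, which is usually what you want but should happen deliberately and with a `gpresult /h` check on one DC afterwards.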

