Channel: Directory Services forum

Login is from an untrusted domain


Hi

I have searched all over the internet for an answer so hopefully someone here can help.

I have an SQL 2017 server set to use Windows or SQL authentication.

The DB's that are on it work fine using either authentication method on the LAN.

My issue is that when a user tries to connect over our VPN, it fails with the above error message saying that the login is from an untrusted domain.

However, if I use an SQL credential (SA), it connects with no issues.

Both server and PC are on the same domain, and the PC is regularly connected to the LAN during the day; it's just when they go home and use the VPN that it doesn't work and I get this untrusted domain error. This happens for all users over VPN.



Migrating Active Directory Certificate Services to another forest\domain

Please advise the step-by-step process for migrating Active Directory Certificate Services from one forest to another forest.

What is the reason for creating a .local suffix domain?


Hi, 

I've seen some people create domains with a .local suffix and I was wondering why?

I know that the domain is non-routable, so it's probably, as the name suggests, local only. Therefore, to my understanding, it can't be looked up externally and it is private from the internet. But I tend to create my forest with a routable TLD like .com so that it matches my public registered DNS name.

The problem with .local is: what happens if you want to use directory sync, or have your users use a .com suffix later on?

Is it not prudent these days to just use a public TLD suffix when creating your forest? I even think that this is recommended in the AD DS wizard.

Thanks 

DC replication issue


Hi All,

When I run the below command against the schema database, I can see a few deleted DSA entries. These DCs were removed some time back but still exist in this result. Is this normal, or do I need to clean them up from somewhere?

repadmin /showvector /latency

I could also see two GUID entries. I hope these GUID entries belong to the old DCs.

certificate's role in ldaps for windows and linux clients


Hi,

I would like to know how certificates work for both Windows and Linux clients.

Here is my setup. We have a Windows internal CA, and we have Windows domain controllers that serve as our LDAP servers. In DNS we have a host A record ldap-dc.domain.com pointing to the two IP addresses of our domain controllers. We did this so that they will use the FQDN in the LDAPS connection string for failover.

1. Will Windows-based applications that connect via LDAPS require a certificate? If so, where should that certificate come from? Should it come from our domain controller, whose certificate is issued by our internal CA?

2. Did the certificate of our domain controllers come automatically from our CA? I don't recall requesting a certificate when setting up the domain controllers. How will Windows client machines make use of this certificate? Do they receive it automatically?

3. How about apps based on Linux that will use LDAPS? Where should its certificate come from? Does it need to request a certificate, or will it use the domain controller's certificate by importing it on the Linux machine?

Thanks!


Force removal of failed DC--cleanup


Hi there. We had a Server 2012 R2 domain controller. It's a Hyper-V VM, and the host it was running on had a serious hardware failure that resulted in the VM being corrupted and blue screening even in safe mode. No luck with safe mode etc. or the Directory Services repair options. So we did a force removal of the DC in AD. This particular DC had no FSMO roles and wasn't a file server, so there wasn't much to recover that we didn't already have from backups. After the host was repaired, we built a new DC VM to replace the dead one and linked it to the same subnet in AD Sites and Services etc. We gave it a different name.

Things appear to be working normally. I ran a number of AD replication tests using Microsoft's AD Replication Status tool and no errors are coming up. I've gone through DNS and removed any references to the dead DC. The dead DC does not show up anywhere in AD Sites and Services.

My question is about NTDSUtil. I know that if you have to force remove a DC, you should clean up the metadata using NTDSUtil. The problem(?) is that NTDSUtil couldn't find any reference to the failed DC for me to remove. Is there anything left to check? The Microsoft articles I found simply said that if the dead DC couldn't be found there, it may have already been removed... So does that mean I'm in the clear?

Thanks in advance,

Sir Timbit.

DNS replication server


Hello,

We are using 3 domain servers. When I run the repadmin /showrepl command, every status shows success, but the SYSVOL policy folder does not replicate properly.

Please suggest.

Thank you in advance.


Lakhan Sawant

lsass.exe terminates unexpectedly and restarts 2008 R2 Domain Controller


Hi,

The 2008 R2 DC restarts intermittently. Please see the event log below. Could you please suggest how to fix it?

Log Name:      System
Source:        USER32
Date:          8/15/2019 4:17:02 PM
Event ID:      1074
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      Server1.mydomain.com
Description:
The process wininit.exe has initiated the restart of computer Server1 on behalf of user  for the following reason: No title for this reason could be found
 Reason Code: 0x50006
 Shutdown Type: restart
 Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073740940.  The system will now shut down and restart.

Thanks..!


Managed by attribute usage


Hi,

Please help me to understand the usage of the "Managed By" attribute. If we right-click a group or computer and open Properties, we can see the attribute called "Managed By".


14017 error


Hello everybody,

Has anyone met with error 14017 on an AD/DNS server?

I have configured domain authentication on a third-party appliance, and it worked fine until adding the IP addresses of the DNS servers to its configuration.

After adding the DNS IPs I get the 14017 error and I'm not able to log in with domain credentials. After removing the DNS IPs I can once again authenticate.

AD and DNS are located on the same server and IP address.

Any advice will be appreciated.

The description below isn't really helpful:

ERROR_SXS_INVALID_ASSEMBLY_IDENTITY_ATTRIBUTE

14017 (0x36C1)

The manifest contains an attribute for the assembly identity which is not valid.

Why are my users locking their accounts with no trace on why?


I have the following GP/Advanced Audit:



Logon/Logoff
  Logon                                   Success and Failure
  Account Lockout                         Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure

Detailed Tracking
  Process Creation                        Success

Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Application Group Management            Success
  Other Account Management Events         Success

DS Access
  Directory Service Changes               Success
  Directory Service Access                Success and Failure

Account Logon
  Other Account Logon Events              Success and Failure
  Credential Validation                   Success and Failure

Recently, some users are complaining about accounts being locked several times a day.

But despite the proper configuration, when searching the Event Viewer logs I can find the 4740 event, showing exactly when the account was locked, but I can't find any evidence of ANY of the 5 failures required to lock an account on ANY available DC. No 4625 events were found.

If I create a test user and force the user to fail several times, all the proper 4625 and 4740 events show up in the logs with no problem, so auditing is OK.

At Office 365 there are no login failures, only successful login events, so the lockout is not coming from O365 back to my on-premises AD/DC.

What else can I do?

In Azure AD Sync, nothing useful (and the log capabilities are terrible), and my PDC emulator shows the lockout with the ALTools/Account Lockout Tool as the lockout propagates through the replication process; nothing wrong.

The local user's machine has some events, but again only successful events, including the .EXE name responsible for the login; no failure events are shown.

What else can I do? What am I missing here?
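A lockout-tracing script added here as an example (it is not part of the original post): it reads the 4740 events from the PDC emulator, takes the caller computer name each one carries, and then looks on every DC for the failed-logon events recorded for that account in the minutes before the lockout. It assumes the RSAT ActiveDirectory module and remote read access to the Security log on each DC; the event IDs 4771 and 4776 and the search window are my additions, not values from the post.

```powershell
# Added example (not from the original post): trace 4740 lockouts back to their source.
# Assumptions: the ActiveDirectory module is available, the caller can read the Security
# log on every DC remotely, and the DCs audit the subcategories listed in the post.
Import-Module ActiveDirectory

function Get-EventField {
    # Pull a named <Data Name="..."> element out of an event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Trace-AccountLockout {
    param(
        [int]$LookbackHours = 24,   # how far back to collect 4740 events
        [int]$WindowMinutes = 30    # how far before each lockout to look for failures (assumed)
    )
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    $dcs    = (Get-ADDomainController -Filter *).HostName

    # Step 1: every lockout in the period as recorded on the PDC emulator, which
    # receives a 4740 for each lockout regardless of which DC processed the failures.
    $lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    foreach ($lock in $lockouts) {
        $user = Get-EventField $lock 'TargetUserName'
        # In 4740 the TargetDomainName field holds the "Caller Computer Name": the machine
        # that submitted the bad credentials. An empty or unfamiliar value is itself a lead.
        $caller = Get-EventField $lock 'TargetDomainName'
        [pscustomobject]@{ Kind = 'Lockout'; Time = $lock.TimeCreated; DC = $pdc
                           User = $user; Source = $caller; Status = '' }

        # Step 2: the failures that should precede it, checked on every DC, not only the PDC.
        # 4625 = Logon failure, 4776 = Credential Validation (NTLM) failure,
        # 4771 = Kerberos pre-authentication failure (only logged when the
        # "Kerberos Authentication Service" subcategory is audited for failure).
        $filter = @{
            LogName   = 'Security'
            Id        = 4625, 4771, 4776
            StartTime = $lock.TimeCreated.AddMinutes(-$WindowMinutes)
            EndTime   = $lock.TimeCreated
        }
        foreach ($dc in $dcs) {
            $fails = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
                     Where-Object { (Get-EventField $_ 'TargetUserName') -ieq $user }
            foreach ($f in $fails) {
                # The field that names the source differs per event ID.
                $src = switch ($f.Id) {
                    4625 { "$(Get-EventField $f 'WorkstationName') $(Get-EventField $f 'IpAddress')" }
                    4771 { Get-EventField $f 'IpAddress' }
                    4776 { Get-EventField $f 'Workstation' }
                }
                [pscustomobject]@{ Kind = "Failure $($f.Id)"; Time = $f.TimeCreated; DC = $dc
                                   User = $user; Source = $src; Status = (Get-EventField $f 'Status') }
            }
        }
    }
}

Trace-AccountLockout | Sort-Object Time | Format-Table -AutoSize
```

A lockout with no failure rows from any DC in the window points at a source that authenticates elsewhere (a service, a cached credential, or a DC whose log was not readable), so the Source column of the 4740 row is the next place to look.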

Disable cross forest TGT delegation


Hi,

Please help me to understand the use case of "Disable cross forest TGT delegation".

What is the use of TGT delegation, and why has MS recommended disabling cross-forest TGT delegation?

ADMT migration

Hello everyone. The source domain is a 2003 environment, with a 2003 domain server and a 2008 R2 domain server; the target domain is 2016. Does ADMT support direct migration from 2003 to 2016?

Windows cannot access domain share \\domain.local


Hello Tech Masters,

Hope everyone is having a great day. 

I am investigating an Active Directory issue in a Windows 2008 R2 domain.

The environment is a single 2008 R2 forest with 3 2008 R2 domains. Each domain has at least 3 2008 R2 domain controllers.

My goal is to promote both the forest and the domains to the 2016 functional level.

I am replacing all 2008 R2 and 2012 R2 domain controllers by building new 2016 domain controllers.

Issue: Browsing any of the 3 domains by domain name \\domain.local works if domain.local is pointing to a specific domain controller (the old PDC DC). This happens in all 3 domains. Otherwise, it errors out with "Windows cannot access \\domain.local".

The issue is global to all computers in the 3 domains. 

I can ping all 3 domains by name successfully. 

I am able to navigate directly to any domain controller's shares (Netlogon and Sysvol) using the FQDN (ex: dc01.domain.local).

Domain AD replication works properly in all domains.

Group policies apply properly to users' computers.

See attached error (screen shot).

Please share your thoughts if you have experienced the same issue or have the knowledge to help.

Thank You 

Raed

Demoting Remote DCs on WAN


Morning all,

I have just upgraded all the local DCs, on the same subnet, to 2019. I had a few replication issues with 2 remote DCs; that was just the fact that they were trying to replicate to IPs that no longer existed. This was resolved by changing the NTDS settings in Sites and Services. Replication is now working as it should, with repadmin and dcdiag giving a clean bill of health.

The reason we have the two remote DCs is that at the time bandwidth was a limitation; it no longer is, and they now serve no purpose. All nodes use the data center servers for all services, so I want to remove the two remote servers.

Is the process the same? In Sites and Services they fall under their own subnet but are in the same domain, not a sub-domain.

Is it simply a case of running DCPromo on the remote servers and then deleting the subnets from Sites and Services?

Many thanks


DSACLS and Full Control


I need to set up a scheduled task to delegate full control permissions. This task will be run late at night. I probably need to use DSACLS unless you recommend otherwise.

Question: What is the correct syntax for DSACLS to allow a user to have full control over an OU and the ability to create/delete all classes of objects within that OU?

Thanks again.


ADLDS Recycle bin feature


Hi Everyone,

We have an AD LDS instance running on Windows Server 2008 R2, and the forest functional level of the instance is Windows Server 2003 R2. We have an application which relies on this instance, and it has already extended the schema with the application's attributes. Initially AD sync was running; it is now stopped and accounts are created manually. Now we are planning to enable the recycle bin feature on this instance. My query is: can we raise the forest functional level without upgrading the schema? I have read the article stating that enabling the recycle bin requires importing the .ldf files below, which I suspect may conflict with the application attributes.

MS-ADAM-Upgrade-1 and MS-ADAM-Upgrade-2

Thanks in advance

The time service has stopped advertising as a time source because the local clock is not synchronized.


Hi,

I am unable to update the Time Service. I tried numerous ways, but I am unable to find what the issue is. I have run a dcdiag; please find the results below. Could someone help me, as this server is running in the live environment?

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ADServer2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         ......................... ADSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Advertising
         Warning: ADSERVER2 is not advertising as a time server.
         ......................... ADSERVER2 failed test Advertising
      Starting test: FrsEvent
         ......................... ADSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... ADSERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... ADSERVER2 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000603
            Time Generated: 08/12/2019   19:48:46
            Event String:
            Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 08/12/2019   19:47:49
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
         A warning event occurred.  EventID: 0x800004C4
            Time Generated: 08/12/2019   19:48:12
            Event String:
            LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
         A warning event occurred.  EventID: 0x8000082C
            Time Generated: 08/12/2019   19:48:50
            Event String:
         ......................... ADSERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADSERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... ADSERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... ADSERVER2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADSERVER2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: DC=ForestDnsZones,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: CN=Configuration,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:48:00.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... ADSERVER2 failed test Replications
      Starting test: RidManager
         ......................... ADSERVER2 passed test RidManager
      Starting test: Services
            Invalid service type: w32time on ADSERVER2, current value WIN32_OWN_PROCESS, expected value
            WIN32_SHARE_PROCESS
         ......................... ADSERVER2 failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:34:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:33:44          
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:41:33
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:41:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
        
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:47:39
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:47:59
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 08/12/2019   19:48:06
            Event String: The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x800009CF
            Time Generated: 08/12/2019   19:47:51
            Event String:
            The server service was unable to recreate the share WSUSTemp because the directory C:\Program Files\Update Services\LogFiles\WSUSTemp no longer exists.  Please run "net share WSUSTemp /delete" to delete the share, or recreate the directory C:\Program Files\Update Services\LogFiles\WSUSTemp.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         ......................... ADSERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADSERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : ad.contoso.com
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... ad.contoso.com failed test LocatorCheck
      Starting test: Intersite
         ......................... ad.contoso.com passed test Intersite


Thanks & Regards, D.Nithyananthan.

AD admin center not opening


Hello All,

We are using Win 2012 R2 with DFL 2012 R2. When trying to open the AD Admin Center on a DC, it gives the error "cannot find available server in xXXXX domain that is running ADWS".

However, the ADWS service is running and I have restarted it.

I have checked on 3 DCs and all 3 say the same.

Can you please advise.

regards

Aamir Masthan


NA

Lost of namespaceserver DFS


Hi,

I had 2 DCs (2008 R2) that were DFS namespace servers.

These 2 DCs have been replaced by new 2016 DCs, but the DFS namespace server role was not installed.

Now my DFS namespaces are not reachable. I tried to install the DFS namespace role on my new DCs; I can see my namespaces, but when I add them to the DFS Management snap-in I can't browse.

I can see my namespace in ADSIedit
