Channel: Directory Services forum
Viewing all 31638 articles

Password Expiration not applying but rest of policy does


I have two domain controllers, both running Windows Server 2019, and within AD I have built two granular password settings, one for end users and one for admins. Within these settings I have set the password expiration time to 90 days; however, whilst the rest of the settings are applying (confirmed by adjusting the password length settings), the password expiration setting is not applying and defaults to 42 days.

I've gone over all group policy objects and ensured there are no password expiration settings enabled in all of them.

Can anyone assist or point me in the right direction as to what I am missing, please?

Thanks 

Rob


AAD joined computer user authentication


Hello,

We sync our on-premise directory to AD and enabled ADFS, and the password hash is not synced to AAD.

In this case, we found something interesting: we joined a Windows 10 machine to AAD, and the user is able to log in to this AAD-joined computer via their domain credential.

And if they change the password in on-premise AD, they can use the new password to log in to the computer.

But as I know, AAD doesn't have the password hash sync, and during the Windows 10 login no ADFS login page shows up,

so how does AAD know the password, and how does the authentication work?

thanks

Upgrade domain controller OS


Hi all,

My environment: 5 domain controllers + 1 RODC; all DCs' OS are Windows Server 2012 R2 or 2016, except 1 with Windows Server 2008 R2.
My Domain Functional Level is 2008 R2.
The 5 FSMO roles are held by a DC with the Windows Server 2016 OS.

Now I want to upgrade my last Windows Server 2008 R2 DC's OS to 2012 R2 and raise my Domain Functional Level to 2012 R2.
I assume the steps are:
- Insert the Windows Server 2012 R2 OS CD into my DC and run setup.exe?
- Raise my Domain Functional Level to 2012 R2?

I don't want to remove this DC from the domain and then reinstall and rejoin it, because it is a print server.
Please give me some advice, thank you very much.

Considerations to raise DFL and FFL to 2016


Hi,

I have a scenario here where I have been upgrading all my servers to 2016. As a process, we have upgraded all the domain controllers to 2016 except one DC. Once I move that out, I want to raise my DFL and FFL to 2016. Before that, I want to make sure of the existing servers' compatibility with the new DFL and FFL.

I have been looking at the following servers:

1. Exchange servers (currently on Exchange 2010 SP3, which supports DFL and FFL 2016)

2. CA server (we have upgraded to a 2016 server)

3. PKI server (we have upgraded to a 2016 server, but I have my old server still running on 2008 R2)

4. ADFS servers (we have upgraded to 2016 servers)

As my PKI server still has a server on 2008 R2, will that support my new FFL and DFL?

Also, please let me know if there are any other applications I need to consider before I raise the DFL and FFL.

Forest Trust with multiple sites


Hi everyone,
Please give me advice.

The situation:

I have two forests separated by a firewall.
I need to set up a one-way trust from FOREST-A to FOREST-B.
FOREST-A is the resource forest, where the web server resides: intranet-portal.contoso.com
FOREST-B is the users forest.
Users from FOREST-B should be able to authenticate with the web server intranet-portal.contoso.com using Kerberos (SSO).

The question about the trust:

Should all DCs from FOREST-A be able to communicate with all DCs from FOREST-B (see picture VARIANT-1, green arrows Ports(Trust))?
Or can I restrict communication to between DCs from SITE-A-1 and DCs from SITE-B-1 (see picture VARIANT-2, green arrows Ports(Trust))?


ADMT migration

Hello everyone, I would like to consult about the ADMT migration tool and what changes the user and computer SIDs in the domain.

Is there Authenticated NTP in a Hybrid (Windows NTP Server, Linux NTP Client, Cisco NTP Client) environment?


Is there authenticated NTP in a hybrid (Windows NTP server, Linux NTP client, Cisco NTP client) environment?

I have a Cisco SX20 which supports NTP keys to authenticate to NTP servers, and modern Linux (RHEL) also supports it.

Is there a NATIVE "authenticated" NTP server in Windows, allowing me to permit only authenticated NTP clients to sync time (i.e., Linux, Cisco, etc.)?

I'm not talking about Kerberos/intra-domain authentication, but instead about hybrid clients being allowed to sync time from Windows with some sort of security.



Active Directory replication error -2146893022


My Windows 2k8 AD master server was recently hit with ransomware. I restored an image of the server I had created using Windows Backup. Once the image was restored, I used ntdsutil to seize the FSMO roles. Now I am getting a replication error when I try to sync the 2 DCs.

Dave


Check empty attribute Active Directory


Hello,

I ran into a problem in my script which, at first sight, is simple, but I don't understand the result. I need to check some attributes for all enabled users, and if those attributes are empty, my script has to return them to me.

Here it is :

Import-Module ActiveDirectory

# Enabled users with no value in the info attribute (server-side -Filter)
Get-aduser -filter {info -notlike "*" -and Enabled -eq $true} -properties info, name | Select name | foreach {
    Write-Host "$($_.name) n'a aucune valeur dans le champ info "
}

# Users with no manager; userAccountControl=512 matches only accounts whose
# flags are exactly NORMAL_ACCOUNT (no other flag such as DONT_EXPIRE_PASSWORD set)
Get-ADUser -LDAPFilter "(&(!manager=*)(userAccountControl=512))" -Properties * | Select name | foreach {
    Write-Host "$($_.name) n'a aucune valeur dans le champ manager "
}

# Same check for the custom matriculeRH attribute
Get-ADUser -LDAPFilter "(&(!matriculeRH=*)(userAccountControl=512))" -Properties * | Select name | foreach {
    Write-Host "$($_.name) n'a aucune valeur dans le champ matriculeRH "
}

For the first one, the info attribute, it works just fine, but for the others it returns me only one user, while there are a lot more with the empty attribute.

Thank you very much ! 
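An added example (not the poster's script) that reports the same three attributes for enabled users. It replaces the exact match `(userAccountControl=512)`, which only returns accounts with no flag other than NORMAL_ACCOUNT set, with the LDAP bitwise matching rule that excludes the ACCOUNTDISABLE bit; `matriculeRH` is assumed to be a custom schema attribute as in the post.

```powershell
# Added example, not the poster's script: list enabled users whose info, manager or
# matriculeRH attribute is empty. matriculeRH is assumed to exist in the schema, as in the post.
Import-Module ActiveDirectory

$attributes = @('info', 'manager', 'matriculeRH')

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; bit 2 is ACCOUNTDISABLE.
# "Not disabled" keeps enabled users regardless of which other UAC flags they carry.
$enabledOnly = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

function Get-UsersWithEmptyAttribute {
    param(
        [Parameter(Mandatory)][string]$Attribute,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # "(!(attr=*))" is true only when the attribute has no value at all
    $ldapFilter = "(&(objectCategory=person)(objectClass=user)(!($Attribute=*))$enabledOnly)"
    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase -Properties $Attribute |
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                EmptyAttribute = $Attribute
            }
        }
}

# One row per (user, empty attribute); export if the list is long
$report = foreach ($attr in $attributes) { Get-UsersWithEmptyAttribute -Attribute $attr }
$report | Sort-Object Name, EmptyAttribute | Format-Table -AutoSize
# $report | Export-Csv -Path .\EmptyAttributes.csv -NoTypeInformation
```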

2019 Domain Controllers on same subnet


I have a small office setup.

2 x Windows Server 2019 Domain Controllers:

  • HQDC01 10.0.0.1
  • HQDC02 10.0.0.2

Both are in AD Site: HQSite

Subnets assigned to this AD Site are:

  • 10.0.0.0/24 (all member servers inc. DCs)
  • 192.168.0.0/24 (all client PCs)

I have deployed a new 3rd Domain Controller:

  • HQDC03 10.0.0.3

I am creating a new second AD site, ClientHQSite, and assigning the client subnet to this site with the intention of forcing client PCs to prefer this domain controller.

The DC Locator returns a list of DCs and uses a subnet lookup to identify the AD site the client is in and the preferred DC. 

Will this cause an issue in this setup as my 3rd DC is in the same subnet as the other DCs? I can re-IP my new DC to same subnet as client PCs if needed but my preference is not to.

Can domain controllers be on the same subnet but assigned to different AD sites?


Planning for raising Domain/Forest functional level and roll back plan

We are upgrading the Windows domain and forest to Windows 2008 R2 from Windows 2008.
It is a single forest and single domain with no trusts.
There are a lot of read only domain controllers and the replication delta can be 2 hours or so behind according to the repadmin command.
I plan to upgrade the domain first and then force the replication and then do the forest upgrade.
I will be taking backup of the PDC (which has all FSMO roles) before the change.
Any other things to consider before upgrading the domain?
From what I have read, the only rollback plan in case of issues is to shut down all other domain controllers and then restore 1 DC (the PDC in my case).
And then demote and re-promote the other domain controllers.
Is that right? Is there any other quicker rollback plan?

And if above is the only rollback plan then my thinking is that I can just VMware snapshot the PDC and revert to snapshot for PDC in case of issues (making sure that all other DCs are demoted and re-promoted as well after that).
Are there any issues with this plan?

Windows 10 new build no longer able to Read/Write Active Directory/ LDAP


Hey guys,

I have a web application that allows users to update their contact details, and the result is updated in Outlook's address book.

The code does the following:

Display a web app

Get the computer's current user name, and display the current users name on the webpage

User updates data on the webpage

Use Active Directory to update the LDAP fields


The results:

The app works on Windows 7 and an early build of Windows 10 laptop.

On a later build version of the Windows 10 laptop, the app displays the error 'User details for <UserID> not found', which is from the application's sub Public Sub UpdateData().

The application is no longer able to read/write to AD/LDAP.

I'm wondering if, on the new Windows 10 build, a policy is 'blocking or locking' the application from reading and writing to AD/LDAP, and what that may be?

Any ideas? I need to provide the Win10 build guys with information.

I've attached the C# code; however, I feel it's image-build related and not code related.

TIA

' Current Windows user name, upper-cased, used as the LDAP search value
Public Shared Function FindUserID() As String
    Return SecurityHelper.GetCurrentUserName().ToUpper()
End Function


Public Function GetData() As SearchResultCollection
    Dim lDAPMgr As LdapManager = New LdapManager()
    m_UserID = FindUserID()
    ' LdapUserNameKey is the attribute compared against the user name (e.g. sAMAccountName)
    m_LdapUserFilter = String.Format("(&(objectclass=user)(" & LdapUserNameKey & "={0}))", m_UserID)
    Dim searchResultCollection As SearchResultCollection = Nothing

    Try
        searchResultCollection = lDAPMgr.DoSearch(New String() {}, m_UserID)
    Catch e As Exception
        ' Note: this branch only runs when DoSearch threw, so searchResultCollection
        ' is still Nothing here and the "not found" exception is never raised from it
        If searchResultCollection IsNot Nothing AndAlso searchResultCollection.Count = 0 Then
            Throw New Exception(m_UserID.ToUpper() & " not found.", e)
        Else
            LogExceptionDetails(e)
        End If
    End Try

    Return searchResultCollection
End Function


' Writes the submitted phone/notes fields to the user's directory entry
Public Sub UpdateData(ByVal bus As String, ByVal bus2 As String, ByVal fax As String, ByVal home As String, ByVal home2 As String, ByVal mob As String, ByVal pager As String, ByVal notes As String)
    Dim ds As DirectorySearcher = New DirectorySearcher()
    Dim de As DirectoryEntry = New DirectoryEntry()

    Try
        ds.Filter = m_LdapUserFilter
        ' FindOne() returns Nothing when no entry matches, which raises a NullReferenceException here
        de.Path = ds.FindOne().Path
        AssignPropertyValue(bus, ADProperties.Business, de)
        AssignPropertyValue(bus2, ADProperties.Business2, de)
        AssignPropertyValue(fax, ADProperties.Fax, de)
        AssignPropertyValue(home, ADProperties.Home, de)
        AssignPropertyValue(home2, ADProperties.Home2, de)
        AssignPropertyValue(mob, ADProperties.Mobile, de)
        AssignPropertyValue(pager, ADProperties.Pager, de)
        AssignPropertyValue(notes, ADProperties.Notes, de)
        de.CommitChanges()
    Catch __unusedUnauthorizedAccessException1__ As UnauthorizedAccessException
        Throw New Exception("Access denied.")
    Catch e As Exception
        LogExceptionDetails(e)
    End Try
End Sub


' LDAP attribute names written by UpdateData
Module ADProperties
    Public Const Name As String = "name"
    Public Const Desc As String = "description"
    Public Const Title As String = "title"
    Public Const Dept As String = "department"
    Public Const Comp As String = "company"
    Public Const Business As String = "telephonenumber"
    Public Const Business2 As String = "othertelephone"
    Public Const Fax As String = "facsimiletelephonenumber"
    Public Const Home As String = "homephone"
    Public Const Home2 As String = "otherhomephone"
    Public Const Mobile As String = "mobile"
    Public Const Pager As String = "pager"
    Public Const Notes As String = "info"
End Module


Suppressed SRV Record


Hi, we have suppressed the SRV record so that client machines won't go to that DC for authentication. Now, what I want to know is: after the SRV record is suppressed, what are the parameters, and how long does it take for that to actually start happening?

Thanks!


Error "the account must added to the allowed list for this RODC" while pre-populating user data to RODC


Hi All,

I am using Server 2012 R2 for both the primary DC and the RODC. I am getting the error below (the account must added to the allowed list for this RODC) while pre-populating users created on the primary DC to the RODC. I have already added these new users to the "Allowed RODC Password Replication Group" and ran the gpupdate /force command on both DCs, but I am still not able to log in with the new users on the RODC server.

Also, I would like to understand whether my understanding is correct or not. Once the newly created users' passwords on the primary DC are pre-populated, I will be able to log in those users in the presence of the RODC while the primary DC is not in a working state. Is this the correct behavior?

I am facing this issue for some time now.



Repeated Directory Service Errors on RODCs


Hello!

Within the last couple of weeks, I did a major overhaul of the Sites and Services on a relatively new domain within our organization. This domain had been set up by a former employee who had since left the company in the middle of the project. Since that time, several new sites had been added without all of the necessary setup actually being complete. No subnets had been created. While there were separate sites defined, all of the servers were in a single Site Link as well as being in individual site links between the primary domain controllers and each site. As a result ISTG and KCC were creating replication partnerships that were a mashup between a hub-and-spoke model and a mesh model. All authentications were being done against one single server which was not intended to be the PDC, machines were passing traffic across the country instead of to their local Domain Controller because they did not identify themselves as being a part of a site, and one of the Domain Controllers had so many errors that it tombstoned and became its own little Active Directory island. Fun times.

I've mostly untangled the knot as far as I can tell. Subnets are now created, there are Inter-site transports with two and only two sites in them linking each site to one of the two Domain Controllers in the "Tier I" headquarters site. Replication is flowing, authentication requests are going to the right place according to the networking team, and I am not having any weird problems anymore. But I do still see several errors when I run dcdiag and repadmin /showrepl.

I cleared the legacy errors out of the Event Viewer so that only new problems would show up, and everything is clear except for Directory Service on the Read Only DCs, which throw Event IDs 1311, 2904, 1865, and 1566 about every 15 minutes. The errors listed say that "The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site" followed by several of the sites in our domain. I found a similar question that said the problem was the other sites could not be reached because ports were blocked.

But... I know the sites aren't reachable from this RODC. It's at a location where the firewall rules are very restrictive, on purpose, for a reason. This domain controller is never going to be able to reach those other sites, not ever. And based on my understanding of the topology that's now been generated in the Intersite Transports, it's not supposed to, either. This server is supposed to replicate with its replication partner, which is in the hub. Why is it trying to replicate with other Spoke servers which are not its partner (and who do not have this server listed as one of their inbound replication partners)? The KB article for Event 2904 recommends going to one of the RWDCs, selecting the site, and performing a "replicate configuration to selected Domain Controller" step, which I have done and which succeeds, but it does not stop the error from occurring.

Is this something I still need to track down and try to fix, or can this safely be ignored?


Move Computer based on site code , powershell script


Hello,

I need help creating a script that can move my computers to the right organizational unit.

All my computers are named as follows: D (for desktop) + Site Code (4 numbers) + Computer Number (2 numbers) ===> D.0000.01

D000001 to P000010 ===> Site A
P001001 to P001010 ===> Site B
P002001 to P002010 ===> Site C

I need a PowerShell script that does the following:
1- Find all Active computers in AD that are not servers or domain controller
2- Depending on the site code, move the computers to the correct organizational unit
3- If the computer is already in the correct organizational unit, do not do anything.

Examples :

--------------

Computers named P000001 till P000010 MUST BE moved to CN=Site A, DC=test,DC=IT

Computers named P001001 till P001010 MUST BE moved to CN=Site B, DC=test,DC=IT

Computers named P002001 till P002010 MUST BE moved to CN=Site C, DC=test,DC=IT

Thanks
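An added example (not from the post) of the script described above. It assumes the naming scheme the post gives, one letter followed by a 4-digit site code and a 2-digit computer number (so P001001 parses as site code 0010, number 01), that the targets are organizational units (the post writes them as CN=; adjust the DNs if they are plain containers), and that servers can be recognised by "Server" in their operatingSystem attribute. Run it with -WhatIf first to see the moves it would perform.

```powershell
# Added example, not part of the post. Moves enabled workstations to the OU that matches
# the 4-digit site code embedded in their name; skips servers, DCs and already-placed machines.
[CmdletBinding(SupportsShouldProcess)]
param()

Import-Module ActiveDirectory

# Site code -> destination OU (assumed DNs, modelled on the post's examples)
$siteMap = @{
    '0000' = 'OU=Site A,DC=test,DC=IT'
    '0010' = 'OU=Site B,DC=test,DC=IT'
    '0020' = 'OU=Site C,DC=test,DC=IT'
}

function Get-SiteCodeFromName {
    param([string]$ComputerName)
    # Letter + 4-digit site code + 2-digit number; any other name returns $null
    if ($ComputerName -match '^[A-Za-z](\d{4})\d{2}$') { return $Matches[1] }
    return $null
}

function Get-ParentDn {
    param([string]$DistinguishedName)
    # Drop the leading RDN ("CN=name,") to get the container the object lives in
    return ($DistinguishedName -replace '^CN=[^,]+,', '')
}

# Enabled computers that are neither servers nor domain controllers.
# The operatingSystem test is an assumption; adapt it to the values in your domain.
$computers = Get-ADComputer -Filter { Enabled -eq $true } `
    -Properties OperatingSystem, PrimaryGroupID, DistinguishedName |
    Where-Object {
        $_.OperatingSystem -notlike '*Server*' -and
        $_.PrimaryGroupID -ne 516 -and $_.PrimaryGroupID -ne 521   # 516 = DCs, 521 = RODCs
    }

foreach ($c in $computers) {
    $code = Get-SiteCodeFromName -ComputerName $c.Name
    if (-not $code -or -not $siteMap.ContainsKey($code)) {
        Write-Verbose "Skipping $($c.Name): no site mapping for its name"
        continue
    }
    $target = $siteMap[$code]
    if ((Get-ParentDn $c.DistinguishedName) -eq $target) { continue }   # already in place
    if ($PSCmdlet.ShouldProcess($c.Name, "Move to $target")) {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
    }
}
```

The account running the script needs delete rights on the source OU and create-child rights on the target OU for computer objects; nothing else in the object is changed by the move.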



Server 2019 - Bitlocker AD Backup works, but not for the DC itself


On a Server 2019 based AD with the BitLocker role installed on the DC, the recovery keys of all clients are successfully backed up to AD and are visible on the "BitLocker Recovery" tab in ADUC as well as in ADSI Edit.

However, if I encrypt the DC itself, despite it showing "the recovery key was backed up to AD successfully", the key is not backed up; it's not in ADSI Edit either, nor can it be retrieved using scripts.

This seems to be a dangerous bug, please try to reproduce this, Microsoft.

Steps to reproduce:

- Install AD on Server 2019

- Install the BL role plus management tools

- On the DC itself, BitLocker a test partition x:

manage-bde -on x: -used -pw -rp

- Copy the recovery key protector ID that you see

- Afterwards, use this command to back up the key to AD:

manage-bde -protectors -adbackup x: -id {84E151C1...yourID...7A62067A512}

Now verify whether you can find the key backed up to AD. It won't be there.
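An added example (not part of the post) for the verification step: it lists the msFVE-RecoveryInformation objects that BitLocker creates as children of a computer object in AD, so the protector ID printed by manage-bde can be compared with what actually reached the directory. The computer name is a placeholder; the recovery password attribute itself is deliberately not read.

```powershell
# Added example, not from the post: show which BitLocker recovery protectors were
# backed up to AD for one computer. Only GUIDs and timestamps are read, never the password.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Recovery information lives one level below the computer object
    $computer = Get-ADComputer -Identity $ComputerName

    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated' |
        ForEach-Object {
            # Both GUIDs are stored as 16-byte octet strings; format them like manage-bde does
            [pscustomobject]@{
                Computer    = $computer.Name
                ProtectorId = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').ToString('B').ToUpper()
                VolumeGuid  = [guid]::new([byte[]]$_.'msFVE-VolumeGuid').ToString('B').ToUpper()
                BackedUpAt  = $_.whenCreated
            }
        }
}

# Compare ProtectorId with the ID shown by:  manage-bde -protectors -get x:
$info = @(Get-BitLockerRecoveryInfo -ComputerName 'DC01-PLACEHOLDER')
if ($info.Count -eq 0) {
    Write-Warning 'No msFVE-RecoveryInformation objects under this computer: the backup did not reach AD.'
} else {
    $info | Format-Table -AutoSize
}
```

Reading these objects requires the same delegated rights the "BitLocker Recovery" tab in ADUC uses, so run it as an account that can see recovery information for other computers before concluding the key is missing.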


File Replication Service is disabled by Default


Hi Microsoft team,

Confirming whether the File Replication Service should be disabled or enabled by default?

As for our environment, I noticed this once I checked Windows Server 2012 R2 under Windows Services.

Do we need to enable this service? Upon enabling the service, it displays the error below.

Screenshot:

https://imgur.com/DuqfH9y

https://imgur.com/WnjBabO

Very Slow logon


Hi,

I have two Windows 2012 domain controllers connected through IPsec, one in HO and another in BO. The connection is good, but the domain logon process is very slow in BO. Both DCs are Global Catalogs.

Any suggestions?

Thanks.

This server is the owner of the following FSMO role, but does not consider it valid


Hi,

What is this error I am getting on the server? I did demote the server; all FSMO roles are currently mapped to this server only, but still, why am I getting this error?

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: DC=ad,DC=Contoso,DC=com

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

Thanks & Regards, D.Nithyananthan.
