Channel: Directory Services forum
Viewing all 31638 articles

BitLocker - Migration of Computer Considerations


One of our clients has around 15000 computers in Forest A. These computer objects will be migrated to Forest B using Quest Migration Manager. In Forest A, BitLocker has been enabled on the computers. What are the things we have to consider from a BitLocker perspective before migration of computers from Forest A to Forest B?

- We are thinking that the backup of the recovery key to Active Directory is the only consideration; experts, please share your inputs on this.

Forest A domain Controllers are in Windows 2012 and Forest B are in Windows 2016. All the computers are running in Windows 10.

Thanks and Regards,

Hariharan


Old dead domain conflict with new domain with same dc name and ip

Hello guys, I have a problem with my domain controller. I just joined a company that had a previous domain controller which is down, but the users are still using their old passwords to log in. I just installed Windows 2012 Server with Active Directory services, but when Active Directory is up and running the users cannot log in with their old domain user and password. I actually want to move them to the new domain with their profiles. What would be the issue? As I checked, the previous domain has 192.x.x.1, sub 255.255.2550, gateway 192.x.x.1, and the DNS used is that of the ISP, which is different; that's from the old server, and on the new one I kept just 127.0.0.1. I would like to get the domain up and running so that I can join Microsoft Exchange 365 too. Can you please assist me?
Regards
Asger

Regards, Asger

Windows 2008 R2 SMB connect from MACs - Workaround


We have a few MACs on the network that need to connect to a Windows 2008 R2 server. This will be replaced next year.

Currently the SMB connection locks a folder, drops the connection to the folder and other odd connection issues.

I understand this is a known bug in 2008 R2 SMB2. What I was hoping to find is a workaround until we get a new server.

Thanks in advance.

Andy

software update on the local network

Hey! I have such a case: I am studying computer science and I am on an internship at an IT company, and I manage about 50 computers that are in different places in Poland. I will add that everyone has Win 10. And is it possible for software users to make themselves by computer users who are not administrators and have restrictions? Or is there any program that with one click will update all programs in the company via e.g. AD? My life is not enough for me to update it all manually via the remote desktop. Everyone uses several browsers, where Mozilla releases new updates every week, not to mention other programs and the entire system.

Username to be a minimum of 7 characters


Hi All,

I have a request to restrict usernames to be a minimum of 7 characters on server 2016.

Couldn't find any option on GPO for username, can it be done through PowerShell? 


IIS Windows Authentication: Users of some domains in LDAP domain can't connect (Invalid credentials), even if they are part of Administrators Users


Hello guys,

I'm facing issues when connecting a certain user for certain in our LDAP/Active Directory domain.

What I want is to deny access to my websites for all users except some belonging to a certain domain.

To proceed, I have added the users' domains to the Administrators group, or the specific user, but it is not working. (It is a bad practice, but I want to force it a little bit in order to understand it quickly.)

Note that the user can't connect to the Windows server as a normal user via Remote Desktop Connection either; I don't know why.

1) My basic question is: Is it mandatory that, in order to perform Windows Authentication via IIS, a user should have the right to connect to the Windows server itself (via RDP or whatever)?

NTLM over LDAP against Active Directory


My Active Directory shows the following supported SASL mechs.

supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5; 

How can NTLM be enabled for support? 

When sending:

bindRequest(1) "NTLMSSP_AUTH" , NTLMSSP_AUTH, User: testuser

or

bindRequest(1) "NTLMSSP_AUTH" , NTLMSSP_AUTH, User: TESTDOMAIN\testuser1

I either get:

bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090671, comment: AcceptSecurityContext error, data 57, v23f0)

OR 

no response at all.

The cred sent in the request is the NTLM type 3 message from the client.

Does NTLM need to be enabled in supportedSASLMechanisms? If so, how?

How can I see LDAP-related debug/events?

account lock out policy not working


Hi expert,

After applying the below policy at domain level,

we get the below result on the affected server.

Result: account lockout is not working and the user never gets locked.

Please give me a hand to fix my issue.



Adding a subordinate certification authority to an existing infrastructure

I have a valid root certification authority based on Windows Server 2003.
I want to add a slave server to Windows Server 2012 and redirect all requests to it. And disable the root (enable only to reissue the main certificate).
Tell me how to properly configure a subordinate center and transfer all requests to it? (smart cards, user authorization, mail).
That there would be revoked certificates and issued
There is very little information on the Internet that has helped me.

User unable to change the password


Hi,

When a user tries to change the password using CTRL+ALT+DEL, they get an error like "Password complexity doesn't match", even though they are following the password complexity correctly. Is there anything that needs to be checked on the user account side or at the policy level?


What is the main difference between SYSVOL shared and SYSVOL replication?


Hello,

I am giving a presentation on AD, so I need to know all the basics to define that.

So please, can anyone clarify that doubt, but only in technical details?

GPO Access


Hi All,

I have only just noticed that I don't have access to the Edit option on some of the GPOs I am responsible for in my domain. For example, I am a Domain Admin in the domain, and on some of the GPOs I have noticed that the Edit option is greyed out. Can't remember this happening before.

Does anyone have any idea why this could be happening?

AD replication failing


Hi,

I have two locations connected through an IPsec VPN. I installed one main DC in HO and another in BO, then I added a 3rd DC in BO and demoted the 2nd DC in BO. Now the replication between HO DC and BO DC is not working.

The below results are from BO DC.

C:\>repadmin /replsum
Replication Summary Start Time: 2019-09-07 22:21:05

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 HO-DC            04d.19h:23m:51s    5 /   5  100  (1726) The remote procedure
call failed.


Destination DSA     largest delta    fails/total %%   error
 BO-DC2           04d.19h:24m:11s    5 /   5  100  (1726) The remote procedure
call failed.


Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - ho-dc.domain.local

AD Replication Status Tool


Good Afternoon, 

Is there any way for me to see what objects were replicated during the last cycle using ADRST 1.0, or would anyone know of an app that will do that?

GPO - does not allow changing the password


Good morning,

I have the GPOs disabled and I cannot change the password on the workstations; it gives the following message: "unable to update the password. The value provided for the new password does not meet the history, complexity or length requirements of the domain"

Can you help?

Thank you.

Paulo Mourão


Inplace upgrade from server 2012 r2 to server 2016 - unable to create domain users / computers or security groups


Hi Guys,

Wondering if someone can help with a problem I have.

We are a school in the UK and currently testing our move to Server 2016.

We tried an in-place upgrade on our forest root and the other DC from 2012 R2 to Server 2016.

Everything looked fine; however, we are unable to create any new domain users, join any stations or add security groups
on the 2016 - the message is "Active Directory Domain Servers : Windows cannot create the object (username) because of an internal error occurred" - we can do anything else: move users / delete users / rename users / delete objects.

I'm stumped - dcdiag reports no errors

netdom query fsmo reports all is well on both forest root 2016 server / and the other dc

RID pool manager numbers still have a very very long way to go

There is nothing in the event viewer reporting a problem when we attempted to create users.

We upped the domain and forest root levels to Server 2016; this made no difference either.

Any advice greatly appreciated.

Many thanks

Ryan

Updates made AD unreachable

After applying updates to Server 2019, I can't get any computers to join the domain because the domain cannot be reached or is unavailable.

Replication issue or non issue


I'm going to be removing 2x 2008 DCs. I have 3x 2016 DCs running now. I'm running dcdiag on all of them to make sure it's all clean. When I run dcdiag /e on dc4 I get this error message about a replication issue. When I run repadmin /showrepl everything is successful.

So how do I get this error to clear out? I don't feel I have any replication issues.

Starting test: ObjectsReplicated
            Authoritative attribute servicePrincipalName on DC1 (writeable)
               usnLocalChange = 416077538
               LastOriginatingDsa = SRVDC1
               usnOriginatingChange = 416077538
               timeLastOriginatingChange = 2019-09-12 12:29:54
               VersionLastOriginatingChange = 13
            Out-of-date attribute servicePrincipalName on DCDR2 (writeable)
               usnLocalChange = 17336
               LastOriginatingDsa = 62d713d5-cc97-43f6-9115-c32186315289
               usnOriginatingChange = 136976688
               timeLastOriginatingChange = 2015-06-19 15:06:49
               VersionLastOriginatingChange = 12
            Authoritative attribute options on DC4 (writeable)
               usnLocalChange = 7071389
               LastOriginatingDsa = SRVDC4
               usnOriginatingChange = 7071389
               timeLastOriginatingChange = 2019-09-12 12:27:09
               VersionLastOriginatingChange = 2
            Out-of-date attribute options on DCDR2 (writeable)
               usnLocalChange = 13979
               LastOriginatingDsa = 27a7d69e-1a9c-4496-b550-366442b0b9f6
               usnOriginatingChange = 21162515
               timeLastOriginatingChange = 2009-07-16 13:30:29
               VersionLastOriginatingChange = 1

Need to define an audit policy

I have been asked to define an audit policy baseline for a (2016) domain.

A couple of things that have always confused me: the basic and advanced settings. None of the MS articles even mention the basic ones anymore, yet I always see them configured on cust domains. Is there any reason to have them enabled in both places | does it cause a double-up of events if both are enabled? (say for account logon, for instance)

DD Policy:
This doc contains recommendations:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Every domain I have ever seen has the account login and other common audit settings enabled in the DD policy, yet the above article doesn't mention those as a setting to apply to domain controllers. Is this correct? Certainly the DC security logs are currently capturing user logon events to the domain when those are enabled in the DDP.

Does anyone have recommended settings for a balance between capturing events and a sensible sec log size? I currently have a situation where we are over-auditing: the PDC has a 6gb sec log file and it's only holding records for about 4 days, literally millions of records in the log.

TIA

What encryption method is used in Windows Server 2012R2 Active Directory? How to verify transmit only cryptographically protected password?


Hi Folks,

What encryption method is used in Windows Server 2012R2 Active Directory? What is the meaning of "transmit only cryptographically protected password"?

Thanks

Anikeet
