Channel: Directory Services forum
Viewing all 31638 articles

Missing in Attribute Editor


I am an admin for our company domain. I am looking to determine password expiration times for my end users, but when I go into Attribute Editor under Properties for my users, the "msDS-UserPasswordExpiryTimeComputed" field is not present.

What can I do to resolve this issue and have that field appear? Does it make a difference if another admin is already logged in, as he is able to view this information?

Any help resolving this is greatly appreciated.

Thank you.
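Added example, not from the original post: msDS-UserPasswordExpiryTimeComputed is a constructed (read-only, computed) attribute, and whatever Attribute Editor's filter shows, it can be read directly with the ActiveDirectory PowerShell module. The script assumes the RSAT ActiveDirectory module is installed and that the caller can read the user objects; it also handles the two sentinel values the attribute returns instead of a real timestamp.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the caller has read access to the user objects.
Import-Module ActiveDirectory

function Get-PasswordExpiry {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    # The constructed attribute has to be requested by name; it is not returned by default.
    $user = Get-ADUser -Identity $SamAccountName -Properties `
        'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires, PasswordLastSet

    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'

    # 0 (password must be changed at next logon / never set) and Int64.MaxValue
    # (never expires) are sentinels, not timestamps; FromFileTime throws on MaxValue.
    $expires = $null
    if ($raw -and $raw -ne [Int64]::MaxValue) {
        $expires = [DateTime]::FromFileTime($raw)
    }

    [PSCustomObject]@{
        SamAccountName       = $user.SamAccountName
        PasswordLastSet      = $user.PasswordLastSet
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordExpires      = $expires
        DaysUntilExpiry      = $(if ($expires) { [int]($expires - (Get-Date)).TotalDays } else { $null })
    }
}

# Example use: enabled users whose password expires within the next 7 days.
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-PasswordExpiry -SamAccountName $_.SamAccountName } |
    Where-Object { $_.PasswordExpires -and $_.DaysUntilExpiry -le 7 } |
    Sort-Object PasswordExpires |
    Format-Table -AutoSize
```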


LDAP SSL - when is it used and how can i prove that it is utilized


Hello all,

My company is new to Active Directory and because of the audits we have every year, we are trying to make things more secure. That said, I set up an Enterprise CA server, created certificates from a domain controller template and issued the certificates to the domain controllers.

I tested LDAP SSL using the ldp.exe tool and everything appears fine using port 636 SSL and 3269 SSL. However, I would like to know whether sensitive traffic is encrypted. I do know that I can't block port 389 from the client side because it is used for AD authentication. Does anyone know any way to test whether traffic goes through LDAP SSL when needed, and can I block port 3268 used for Global Catalogs now that the domain controllers have a certificate? Also, can anyone mention the cases when traffic goes through LDAP SSL?

Thanks a lot for your time and sorry if my questions sound kind of stupid.

Does Windows use LDAP or LDAPs or "StartTLS on LDAP"


Hello,

Our security manager would like to know whether all Windows systems within the same domain/forest encrypt LDAP connections to the DCs or not.

I am mainly asking about the following dialog box:

If I click the "Check Names"-Button, will the connection to the selected domain be encrypted?

Our DCs have the needed certificate to secure LDAP connections, I tested this with ldp.exe.

But will Windows use secure connections (LDAPS or STARTTLS) or will it be a plain unencrypted connection?

Thanks in advance
Paul
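Added example serving both questions above (not from either post): a domain controller can be made to record every LDAP bind that arrives without transport protection. Raising the NTDS diagnostic level "16 LDAP Interface Events" to 2 makes the DC log Event 2889 in the Directory Service log for each simple bind not under TLS and each SASL bind that did not request signing, so the clients that still send credentials or queries in the clear can be listed. The script assumes it runs elevated on a DC; the order of the event's properties is taken from the 2889 message text and is an assumption.

```powershell
# Added example, not from either post. Run elevated on a domain controller.
$ntdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Level 2 logs Event 2889 (Directory Service log) for each bind that arrives
# without transport protection: a simple bind not under TLS, or a SASL bind
# that did not request signing. Level 0 restores the default (24-hour summary 2887 only).
function Enable-LdapBindLogging  { Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord }
function Disable-LdapBindLogging { Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 0 -Type DWord }

function Get-ClearTextLdapBinds {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Property order assumed from the 2889 message text:
        # client IP:port, identity bound as, binding type (0 = unsigned SASL, 1 = clear-text simple bind)
        [PSCustomObject]@{
            Time     = $e.TimeCreated
            Client   = $e.Properties[0].Value -replace ':\d+$', ''   # drop the source port, IPv6-safe
            Identity = $e.Properties[1].Value
            BindType = $(if ($e.Properties[2].Value -eq 1) { 'SimpleBindClearText' } else { 'SaslUnsigned' })
        }
    }
}

# Which clients, and how many binds of each kind, in the last 24 hours
Enable-LdapBindLogging
Get-ClearTextLdapBinds -Hours 24 |
    Group-Object Client, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

SASL binds that negotiated signing and sealing (the Kerberos/NTLM binds Windows' own LDAP clients normally make) are not listed, since their payload is already protected on port 389 without LDAPS; an empty report after a full day means no clear-text binds reached that DC in the window.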

SID WorkArround for Folder Redirection in AD migration


Hey guys, any workaround for SID migration? I need users from a new domain to be able to access resources such as their redirected folders that are still on the old domain file server.

Note: we are not migrating users; they are already created in the new domain.

Note: we can't disable SID history filtering in the target domain, since my department was just delegated an OU specifically for us, but this OU doesn't include users.

Is traffic between trusted domains encrypted?


Hi,

We have a one way outgoing external non-transitive trust between us and our customer over a VPN.

Their users access some RDS services on our domain using their own AD account.

When their users authenticate, is this encrypted at all? Do their credentials actually get sent to our domain, or is it some sort of session token that gets created and the domains just validate that with each other before letting them on?

Thanks

PDC not loading NTP Time source and defaults to local CMOS?


Good morning,
I have a darksite environment with 2 domain controllers, both virtualized Windows Server 2012 R2.
Servers are multihomed with 2 interfaces: 1 to the workstation network and 1 to the server network.
For NTP purposes, access to an external time server (still one inside the company) is made available.
I configured NTP on the PDC according to this document:
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

I entered 2 IP addresses instead of DNS names. Because I directly entered IP addresses, I did not append ,0x1 or anything else.

Output of the following commands on the PDC:
1. w32tm /resync: Sending resync command to local computer
The computer did not resync because no time data was available

2. w32tm /monitor
PDCSERVERNAME *** PDC*** [ID]:
ICMP: 0ms delay
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
2ndDCNAME [ip:port]:
NTP: error ERROR_TIMEOUT - no response from server in 1000ms

3. w32tm /query status:
more data
Source:local CMOS Clock
more data

4. w32tm /stripchart /computer:EXTERNAL NTP ADDRESS /dataonly /samples:5:
The current time is date and time
time, +12.4288498s
time, +12.4249894s
etc...

My conclusion: for an unknown reason the configuration is not picked up and it defaults back to the local CMOS clock?

How do I make the PDC sync with this time source?
If it gets the time with test 4, does that mean it has enough access to the time source, or can there be a firewall port issue or some authentication issue that makes test 4 return data but not work for synchronization?

Kind regards,
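Added example, not from the original post: a PowerShell sequence to configure and then verify the PDC emulator's manual NTP peers, using the placeholder addresses 192.0.2.10 and 192.0.2.11 that must be replaced. It appends the 0x8 flag to each peer, which makes the Windows Time service use a client-mode association (the request type w32tm /stripchart also sends), so it is one thing to check when a source answers stripchart but the service still reports the local CMOS clock as its source.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# PDC emulator. 192.0.2.10 and 192.0.2.11 are placeholders for your NTP sources.
$peers = '192.0.2.10,0x8 192.0.2.11,0x8'   # 0x8 = client-mode association per peer

function Test-TimeSource {
    param([Parameter(Mandatory)] [string] $Server)
    # Client-mode probe over UDP 123; 'error' lines mean the source did not answer
    w32tm /stripchart /computer:$Server /dataonly /samples:3
}

function Set-PdcTimeSource {
    param([Parameter(Mandatory)] [string] $PeerList)
    # Manual peer list; /reliable:yes advertises this DC as a reliable source
    # for the rest of the domain hierarchy; /update applies it to the running service.
    w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
    Restart-Service -Name w32time
    Start-Sleep -Seconds 5
    w32tm /resync /rediscover
}

function Show-TimeStatus {
    w32tm /query /configuration   # NtpServer must list the peers and Type must be NTP;
                                  # on a Hyper-V guest also check the VMICTimeProvider entry
    w32tm /query /source          # should name a peer, not 'Local CMOS Clock'
    w32tm /query /peers           # per-peer state and last successful sync
    w32tm /query /status          # stratum, leap indicator and last sync time
}

foreach ($ip in '192.0.2.10', '192.0.2.11') { Test-TimeSource -Server $ip }
Set-PdcTimeSource -PeerList $peers
Show-TimeStatus
```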

Domain upgrade from SBS 2011 (Build 7601 SP1) to Windows Server STD 2019 with error converting FRS to DFS


1. Followed an instruction from MS and finished with "Eliminated" as below

2. Afterwards, I see error logs as below

- DFSR was unable to create the SYSVOL_DFSR folder at C:\SYSVOL_DFSR. This could be due to lack of availability of disk space.

3. I've made some space now, around 16.5GB, but when I ran the above command I doubt there was enough space.

4. Also after this, the SYSVOL share stopped as the File Replication Service had stopped. All domain services stopped, including file shares etc.

5. For emergency purposes, I restarted FRS and domain services started as normal.

6. The new DFS Replication service I stopped, as this service will stop FRS.

We have only a single SBS 2011 server acting as domain controller and are trying to upgrade to Windows Server 2019 as a domain controller, decommissioning the old SBS box.

Please help!


help

My daughter signed into her school account and now every time I try to log into YouTube or Google, the "Sign in with your organizational account" prompt comes up. How do I get rid of this?

"Locked for editing..." by a generic username, not the named user


Hi,

Following on from my thread here: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_domains-mso_o365b/locked-for-editing-by-a-generic-username-not-the/b71cf68d-1bbf-47e5-a3c2-e6d449c965b2?messageId=674853fc-ae11-4b2a-adeb-dc2d1ac2a2e1

It was suggested that I post in here as it could be an AD issue.

Essentially we have a scenario where users are unable to see who has locked a file that is being used on a network share. The file is locked for editing by 'Staff/Research Student' rather than the specific username of the person.

The department used to have Windows 7 and Office 2010, which was never an issue: when the file was open, it would identify by username who it was locked to.

They have since been updated to Windows 10 and Office365 and now they're presented with the above, more generic option.

I am wondering if anyone has seen this prior and whether anyone may have any advice.

Thanks.

Domain Controller Replication Error: (8418) The replication operation failed because of a schema mismatch between the servers involved.


Hello,

I have encountered this issue since last month and until now still can't solve it. I have one DC (HCCNSHA50) in Site D that should replicate with the DC in Site B (KLCNPEK01SRV300). Suddenly it was unable to replicate. From repadmin /replsummary it shows:

(8418) The replication operation failed because of a schema mismatch between the servers involved.

I did further troubleshooting and found out that the _msdcs record and all records inside it (SRV, Kerberos) for that server have already disappeared on the other DCs, except on the problematic DC (HCCNSHA50).

repadmin /showrepl output shows ******* WARNING: KCC could not add this REPLICA LINK due to error.

So I expect this DC is now not able to update DNS, which caused the replication error. The last replication success was 22 August 2019. I tried to force-register DNS (pointing the DC in Site B as primary DNS) with the commands ipconfig /registerdns and net stop netlogon & net start netlogon, and encountered error event 5774. The _msdcs result is the same.

I'm checking the firewall ports, and found those ports are already open for both servers: 135, 389, 636, 3268, 3269, 88, 53, 445, 139.

One more thing I noticed: if I open \\KLCNPEK01SRV300 from HCCNSHA50, it is unable to open unless I use the IP address for KLCNPEK01SRV300. FYI, the HCCNSHA50 A record is already manually registered on the other domain controller.

Really appreciate it if someone can help.


Primary Domain Controller not syncing with secondary


Firstly, this was set up by a previous tech guy, so please forgive me if I'm not using the correct terms or if the setup is not best practice (trying to change that!)

We have 2 domain controllers, a primary (TITANIC) and a secondary (SERVERMCSERVERFACE)

When I make a change to our group policy, all changes appear to take place on our secondary domain controller and it never appears to sync with our PDC.

All of the client machines pull down our group policy from the PDC.

So the questions I have are:

1) How can I check and ensure that our primary domain controller is the TITANIC machine and that our secondary is SERVERMCSERVERFACE?

2) How do I get these to sync the group policy between the two?

3) For the number of clients we have (about 10) do we really need a secondary domain controller?

All servers are Windows Server 2012 r2.

Appreciate the help guys!

How to give rights to get certificates from another domain?


Hi!

I have two domains: one with administrative accounts (ADM) and one with resources (RES).

Domain RES trusts domain ADM, so users from ADM can login to domain RES.

ADM does not trust RES.

Our PKI servers are in RES domain.

Is there any way to give adm-users rights/ability to get certificates from RES PKI?


rpc server is unavailable


dears,

kindly note the below.

I have 2 AD sites, site 1 and site 2, and in each site one domain controller, domaincont1 and domaincont2.

Both servers are 2012 R2; I'm planning to upgrade to 2019.

Before upgrading I checked the following: in each site, under Connections in AD Sites and Services, connections are automatically generated between the domain controllers in the 2 sites.

I upgraded my domaincont1 in my first site, and I checked that the connection didn't get automatically created; I waited for one day, same thing, therefore I manually created the connection. I created a test user and checked if it replicates to the other site. It worked.

The issue is the following: when I try to replicate manually, the connection I created shows this error:

your help is appreciated

Immediate replication between sites


I have multiple sites default site, site A and Site B.

On the default site I have configured 0x1 (USE_NOTIFY), so when I create a user in the default site it shows up in Site A and Site B in 15 seconds. However, from Site A or Site B, when I create a user it doesn't show up on the default site domain controller until 15 minutes later. How can I fix this?

I want immediate replication across all my sites, including password changes. How do I fix it?



John

Child domain replication


Hi All

I have a root domain with 10 child domains. Is replication between child domains necessary? Or should replication be between root and child only?


Is it possible to add temporary extra and secondary passwords to my Windows account registered in my organization's Active Directory ?

Is it possible to add temporary extra and secondary passwords to my Windows account registered in my organization's Active Directory ?

As a developer, this would be very useful for me to execute tests with a temporary password, creatable and revocable easily and quickly.

I am actually testing command lines on a server, but these commands are logged in the traces of my organization.

Without an additional temporary password, I will then be forced to change my unique password, which is more complicated. And if I do not do it, my only password will be compromised.

Windows Server 2016 Domain Functionality and Macbooks Problem

     
We recently updated our domain to Windows Server 2016 functionality and are having problems with MacBooks logging in to the domain. No errors on the Windows side, but it just spins and returns back to the login screen. Has anyone seen any similar issues with updating the forest to 2016? We have reached out to Apple as well, but are still waiting to see if they find anything. Just wanted to reach out and see if anyone here has seen any similar issues with 2016 functionality and MacBooks. Thanks.

demote dc


dears,

I want your help to clarify the below for me:

I have 2 DCs on 2016.

I want to demote my DC 2016; I will do it from Server Manager with the Remove Roles and Features option.

My question is the following: will demoting the DC remove the computer object from AD DS? Remove it from Active Directory Sites and Services? Remove it from DNS?

thank you

2003 Server and 2012 R2 functional level

I currently have a domain where the functional level was not raised. The current level is 2003. The DC is running 2012 R2. I want to add a 2019 server as a DC; I know I need to raise the functional level first before I can consider adding the 2019 server. I am concerned about a 2003 legacy member server that needs to work until mid-2020 and then will be decommissioned. If I am reading various articles correctly, since the 2003 server is NOT a DC, raising the domain level to 2012 R2 should not impede the operations of the 2003 server. Is this correct?

(8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.


I got this error from the repadmin summary of the child DC.

(8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

I tried to do repadmin /syncall and only the child DC is getting errors:

Error issuing replication: 8453 (0x2105):
    Replication access was denied.
