Channel: Directory Services forum

Inserting a client into an Active Directory domain using its IP address

Here's a scenario I would like to share: In the present enterprise where I work, we constantly change computers from position A to position B, C... Sometimes it's a painstaking process to insert a name into a machine (according to the model: abbreviation of the physical site location, what its position is, operational, Finance dept, and its number), and then insert it manually into a domain. Is there any batch scripting where I can automate this process and insert a name into a machine by making it be identified through its IP address? (For example: Baker Street operations machine number 1034 would become BKST-OPE-1034. I want to automate the process of inserting the name through the IP address of each machine, and after that the automatic insertion into an Active Directory domain.)

3rd party cert used for Secure LDAP has a root cert that expires before the LDAP cert expires


We use a 3rd party cert for Secure LDAP against our Active Directory at our organization. We have the cert deployed to a load balancer (Citrix Netscaler) and then have individual 3rd party certs for each of the back end DCs.

I noticed the cert on the Netscaler has an expiration date of 2021, but looking at the chain the root expires in 2020.  

What will happen in 2020?

Thanks

Missing GPO Settings in RSOP - Folder Redirection


I'm scratching my head on this. I have a GPO that configures folder redirection as well as a logon/logoff script. I have a security filter on the GPO based on a user's group membership. When a user logs into a machine for the first time, they get all of the settings from the GPO except for the folder redirection. When I run a gpresult /h I don't see the folder redirection policies but I see all of the other settings from the policy in the RSOP. Now the kicker is this is only on some machines that this problem occurs. On other machines the folder redirection policies are present in RSOP.

Any idea? I don't get it. See picture below from RSOP output:


Raising domain level from 2008r2 to 2012r2 impacted Domain Admin account


Hi

I am running a 2012r2 Domain and getting ready to migrate to a 2016 Domain.  

I recently raised the domain level from 2012 to 2012r2 on a 2012r2 Domain Controller. Immediately my account (domain admin) would no longer log on to my laptop or RDP to the many servers I manage. Looking in the event viewer, I found failure errors of "unknown user name or bad password" that pertain to the many servers that I had previously been able to log on to and administer.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/1/2019 3:31:11 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     xxxx
Description:
An account failed to log on.
Subject:
 Security ID:  NULL SID
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0
Logon Type:   3
Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name: xxx
 Account Domain:  
Failure Information:
 Failure Reason:  Unknown user name or bad password.
 Status:   0xC000006E
 Sub Status:  0xC000006E
Process Information:
 Caller Process ID: 0x0
 Caller Process Name: -
Network Information:
 Workstation Name:xxxx
 Source Network Address: xxxxx
 Source Port:  54623
Detailed Authentication Information:
 Logon Process:  NtLmSsp
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

***************************

Looking in the System Event Viewer Log, I found this error.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/30/2019 11:12:50 AM
Event ID:      14
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     xxxxx
Description:
While processing an AS request for target service krbtgt, the account xxx did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  17  23  3  1  24  -135. The accounts available etypes : 23  -133  -128. Changing or resetting the password of xxx will generate a proper key.

So I logged into Active Directory with another Admin Account and reset my Domain Admin user account password, then rebooted my laptop. I could now log on to the Active Directory and RDP to administer machines. However, I can no longer open my Outlook 2016 that is connected to our on-premise Exchange 2016 Server. I also cannot open my SL Dynamics time sheet. I contacted Microsoft and the Exchange guru worked on it for about 3 hours with no success. He is supposed to call back today and do another remote session.

My feeling is that it is an Active Directory problem. With the fact that I am the only person affected, I think something has happened to my AD user name object.  Somehow, something has become corrupted but I am at a loss.  I am hoping someone from this forum can shed some light...

Thanks in advance,

Bob


Bob Andres
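As an added example (not from Bob's post), a small Python decoder for the enctype lists in the Event 14 description quoted above: it pulls the requested and available lists out of the event text, names each type, and reports which types both sides share and whether the account holds any AES keys at all. The event text is embedded as a constructed sample copied from the post; the names for the negative (legacy RC4) IDs are an assumption taken from Heimdal's enctype table, since the event only gives the numbers.

```python
import re

# Kerberos enctype numbers. Positive IDs are the RFC 3961/3962 registry values;
# the negative IDs are the legacy Microsoft RC4 variants as named in Heimdal's
# enctype table (assumed mapping: the event text itself only gives the numbers).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
    -128: "rc4-md4 (legacy)", -133: "rc4-hmac-old (legacy)",
    -135: "rc4-hmac-old-exp (legacy)",
}
AES_TYPES = {17, 18}

ETYPE_LIST = re.compile(
    r"The (requested|accounts available) etypes\s*:\s*([-\d\s]+?)\s*\.")

def parse_event14(description):
    """Return (requested, available) enctype lists from an Event 14 description."""
    found = {}
    for m in ETYPE_LIST.finditer(description):
        found[m.group(1)] = [int(x) for x in m.group(2).split()]
    return found.get("requested", []), found.get("accounts available", [])

def analyse_etypes(requested, available):
    """Compare what the client offered with the keys the account holds."""
    common = [e for e in requested if e in available]
    return {
        "common": common,
        "common_names": [ETYPE_NAMES.get(e, f"unknown({e})") for e in common],
        "account_has_aes": bool(AES_TYPES & set(available)),
        # True when the only overlap is RC4/DES: tickets are still possible,
        # but only with deprecated ciphers.
        "weak_only": bool(common) and not (AES_TYPES & set(common)),
    }

# Constructed sample, copied from the Event 14 description in the post above.
SAMPLE_EVENT14 = (
    "While processing an AS request for target service krbtgt, the account xxx "
    "did not have a suitable key for generating a Kerberos ticket (the missing "
    "key has an ID of 1). The requested etypes : 18  17  23  3  1  24  -135. "
    "The accounts available etypes : 23  -133  -128. Changing or resetting the "
    "password of xxx will generate a proper key."
)

if __name__ == "__main__":
    req, avail = parse_event14(SAMPLE_EVENT14)
    print("requested :", [ETYPE_NAMES.get(e, e) for e in req])
    print("available :", [ETYPE_NAMES.get(e, e) for e in avail])
    print("report    :", analyse_etypes(req, avail))
```

For the quoted event the account holds only RC4-family keys and no AES keys, which is consistent with a password last set before AES keys were stored; the password reset Bob performed generates a fresh key set.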

Domain Controller Sync Issues


I will apologize in advance as this is a somewhat confusing situation with a bunch of back story.  I will try to relay only relevant information.

We have 3 DCs in our parent domain, all 3 are physical servers and are (now) in the same physical location.  We also have 1 VM in the cloud (Rackspace) which is the solo DC in our child domain.  

For illustrative purposes, the DCs are as follows:

Physical DCs

  • NRLHOURDC01
  • NRLHOUDC03
  • NRLHOUDC04

Virtual DC hosted in cloud

  • NINAHOUDC02 (We previously had NINAHOUDC01 as our Virtual DC but ran into issues and ended up having to prop up another DC to demote that one....long story)

All 3 of the physical DCs have FSMO roles set to DC04.

NINAHOUDC02 FSMO roles are set as follows:

  • Schema Master: NRLHOUDC03
  • Domain Naming Master: NRLHOUDC03
  • PDC: NINAHOUDC01
  • RID Pool Manager: NINAHOUDC01
  • Infrastructure Manager: NINAHOUDC01

When I try to set the FSMO roles for NINAHOUDC02 to NRLHOUDC04, I run into errors:

  • Binding to NRLHOUDC04 ...
    DsBindWithSpnExW error 0x80090350(The system cannot contact a domain controller to service the authentication request. Please try again later.)
    ldap_search for attribute supportedCapabilities failed with 0x59(89 (Parameter Error).

AD Sites and Services is different on every single DC and I don't see all servers on any of the Sites and Services consoles. There are 4 sites: 1900STJAMES, 2506WMAIN, 4400, RACKSPACE. Our 2 old locations were 1900STJAMES (which housed NRLHOUDC03 and NRLHOUDC04) and 2506WMAIN (which housed NRLHOURDC01). I created 4400 when we moved to our new office, which we are currently in, and moved all of the DCs into that site thinking that as long as I added the correct subnet, everything would fall into place. It didn't.

I've also run repadmin /replsum on each DC

NRLHOUDC04:

C:\Windows\system32>repadmin /replsum
Replication Summary Start Time: 2019-10-16 16:38:13

Beginning data collection for replication summary, this may take awhile:
  .......


Source DSA          largest delta    fails/total %%   error
 NRLHOUDC03                46m:02s    0 /   6    0


Destination DSA     largest delta    fails/total %%   error
 NRLHOUDC04                46m:02s    0 /   6    0


Experienced the following operational errors trying to retrieve replication information:
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com
        8341 - NINAHOUDC02.nina.hsc.nrlmortgage.com

NRLHOUDC03:

Replication Summary Start Time: 2019-10-16 16:39:15

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error


Destination DSA     largest delta    fails/total %%   error


Experienced the following operational errors trying to retrieve replication information:
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com
        8341 - NINAHOUDC02.nina.hsc.nrlmortgage.com

NRLHOURDC01:

Replication Summary Start Time: 2019-10-16 16:40:17

Beginning data collection for replication summary, this may take awhile:
  .......


Source DSA          largest delta    fails/total %%   error
 NRLHOUDC03                41m:43s    0 /   6    0


Destination DSA     largest delta    fails/total %%   error
 NRLHOURDC01               41m:43s    0 /   6    0


Experienced the following operational errors trying to retrieve replication information:
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com
        8341 - NINAHOUDC02.nina.hsc.nrlmortgage.com

NINAHOUDC02:

Replication Summary Start Time: 2019-10-16 13:13:58

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 NINAHOUDC01               18m:47s    0 /   6    0
 NRLHOUDC03        42d.15h:00m:00s    4 /   4  100  (1908) Could not find the domain controller for this domain.


Destination DSA     largest delta    fails/total %%   error
 NINAHOUDC02       42d.15h:00m:05s    4 /  10   40  (1908) Could not find the domain controller for this domain.


Experienced the following operational errors trying to retrieve replication information:
        8341 - NRLHOUDC03.hsc.nrlmortgage.com
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com

I've been troubleshooting this on and off for the past month or so and plan to do some heavy configuration changes this weekend, but I don't know if I need to just start demoting DCs, clearing metadata and then re-promoting, or if there is an easier way to force the DCs to see each other.
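As an added example (not from the post above), a Python parser for the `repadmin /replsum` output shown in it: it reads the Source DSA and Destination DSA tables plus the trailing "operational errors" list, and lists every partner with failed attempts together with its error code, which is the quickest way to see from several DCs' output which links are actually broken. The sample input is a constructed copy of the NINAHOUDC02 output from the post.

```python
import re

# One row of the Source/Destination DSA table, e.g.
#  NRLHOUDC03        42d.15h:00m:00s    4 /   4  100  (1908) Could not find ...
ROW = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(?:\((\d+)\)\s*(.*?))?\s*$")
# One line of the "operational errors" list, e.g. "        8341 - host.example"
OPERR = re.compile(r"^\s*(\d+)\s+-\s+(\S+)\s*$")

def parse_replsum(text):
    """Parse repadmin /replsum output into per-direction rows plus operational errors."""
    summary = {"source": [], "destination": [], "operational_errors": []}
    section = None  # preamble lines before the first table are ignored
    for line in text.splitlines():
        if line.startswith("Source DSA"):
            section = "source"
        elif line.startswith("Destination DSA"):
            section = "destination"
        elif line.startswith("Experienced the following operational errors"):
            section = "operational_errors"
        elif section == "operational_errors":
            m = OPERR.match(line)
            if m:
                summary[section].append({"code": int(m.group(1)), "dsa": m.group(2)})
        elif section is not None:
            m = ROW.match(line)
            if m:
                summary[section].append({
                    "dsa": m.group(1), "largest_delta": m.group(2),
                    "fails": int(m.group(3)), "total": int(m.group(4)),
                    "pct": int(m.group(5)),
                    "error_code": int(m.group(6)) if m.group(6) else None,
                    "error_text": m.group(7) or "",
                })
    return summary

def failing_partners(summary):
    """(direction, dsa, fails, total, error_code) for every partner with failures."""
    return [(d, r["dsa"], r["fails"], r["total"], r["error_code"])
            for d in ("source", "destination")
            for r in summary[d] if r["fails"] > 0]

# Constructed sample: the NINAHOUDC02 output from the post, unchanged.
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2019-10-16 13:13:58

Beginning data collection for replication summary, this may take awhile:
  ......

Source DSA          largest delta    fails/total %%   error
 NINAHOUDC01               18m:47s    0 /   6    0
 NRLHOUDC03        42d.15h:00m:00s    4 /   4  100  (1908) Could not find the domain controller for this domain.

Destination DSA     largest delta    fails/total %%   error
 NINAHOUDC02       42d.15h:00m:05s    4 /  10   40  (1908) Could not find the domain controller for this domain.

Experienced the following operational errors trying to retrieve replication information:
        8341 - NRLHOUDC03.hsc.nrlmortgage.com
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com
"""

if __name__ == "__main__":
    for entry in failing_partners(parse_replsum(SAMPLE_REPLSUM)):
        print("FAILING:", entry)
```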


How can a user authenticate with AD while connected to private internet?


Hello, 

I am currently working on a project. Please, does anyone know how a user can authenticate with Active Directory while connected to private internet?

Kindly provide me with the solutions. 

Thank you




Iniobong Nkanga

AD group membership changes alert notification


Hi All,

I am looking for a PowerShell/simple solution to track a few AD group changes. If any user is added to that AD group, then it should send an email to the administrator about the new user addition to that group. If anyone is using a solution like this, then please share it.

Thanks in advance...

User authentication test against specific DC


Greetings all,

Is there any tool, PowerShell cmdlet or any way to test user logon from a server against a specific DC?

Thanks



Immediate replication between sites


I have multiple sites default site, site A and Site B.

On the default site I have configured 0x1 (USE_NOTIFY), so when I create a user in the default site it shows up in site A and site B in 15 seconds. However, from site A or site B, when I create a user it doesn't show up on the default site domain controller until 15 minutes later. How can I fix this?

I want immediate replication across all my sites, including password changes. How do I fix it?



John

How to debug 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED) in Certificate server


Hi!

I have two domains — one with administrative accounts (ADM) and one with resources (RES).

Domain RES trusts domain ADM, so users from ADM can login to domain RES.

ADM does not trust RES.

Our PKI (issuing CA and two pairs of CES+CEP) is in the RES domain.

I want to give rights to get certificates for users from ADM domain.

Access to read the CA and templates, and to enroll specific templates, is already granted for my account (user@ADM).

At the moment I (as user@ADM) can see the list of available certificates, but get an error when I try to get one.


For example:

#$admcred=Get-Credential

Get-Certificate  -SubjectName "CN=qqq" -template "User-manual" -Url "https://srv-caext-01.xxx.yyy/KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -Credential $admcred -CertStoreLocation "Cert:\CurrentUser\My"

Errors from: certsrv.log

457.1846.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

504.108.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

515.349.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

515.236.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Errors from powershell output:

Get-Certificate : CertEnroll::CX509Enrollment::Enroll:  The certificate request could not be submitted to the certification authority. A certificate 
could not be issued by the certification authority.: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 
WS_E_ENDPOINT_FAULT_RECEIVED)
At line:2 char:1
+ Get-Certificate  -SubjectName "CN=qqq" -template "User-manual" -Url " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Certificate], Exception
    + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.GetCertificateCommand

I don't see any error in other logs from the CA and DC. I see messages about successful authentication/impersonation.

How to find more information about the error in certsrv.log?





Event ID 1863, error syncing two domain controllers

Hi all,

My company has two domain controllers; they are in subnet 10.63.97.0/24 and there is no firewall between them. A few days ago the two DCs synced normally; yesterday I checked and found a sync error.

This is the replication status for the following directory partition on this directory server. 
 
Directory partition:
DC=DomainDnsZones,DC=north,DC=vbsa,DC=vn 
 
This directory server has not received replication information from a number of directory servers within the configured latency interval. 
 
Latency Interval (Hours): 
24 
Number of directory servers in all sites:

Number of directory servers in this site:

 
The latency interval can be modified with the following registry key. 
 
Registry Key: 
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
 
To identify the directory servers by name, use the dcdiag.exe tool. 
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".


Can anyone help me?

Thanks in advance!

contact me skype name: cuongtha



My domain users cannot log in anymore


When my domain users try to log in to my 2016 server, they get an "access denied" message.

This has been so for two days. The computer rebooted as a result of an internal error some two days ago. I don't think this is the problem.

Now when I create a new 2016 server from scratch and build it up as a domain controller, my new domain users also can't log in; they also get "access denied".

Is this a CAL licence issue? I do not know how to proceed.

RPC server is unavailable


Dears,

Kindly note the below.

I have 2 AD sites, site 1 and site 2, and in each site one domain controller: domaincont1 and domaincont2.

Both servers are 2012 R2; I'm planning to upgrade to 2019.

Before upgrading I checked the following: in each site, under Connections in AD Sites and Services, connections are automatically generated between the domain controllers in the 2 sites.

I upgraded my domaincont1 in my first site, and I checked that the connection didn't get automatically created; I waited for one day, same thing, therefore I manually created the connection. I created a test user and checked if it replicates to the other site. It worked.

The issue is the following: when I try to replicate manually, the connection I created shows this error:

Your help is appreciated.

Client systems are getting out of domain while resetting the password-Windows 10


Some of our users who are using Windows 10 are facing an issue where, when they reset their password, the system automatically drops out of the domain. Then we have to rejoin the computer to the domain. There are 4 laptops which are giving this kind of problem.

The on-site engineer has informed us that they are all laptops and that they are observing this problem on Wi-Fi only.

I suggested to the IT Manager that we should try to run sysprep in generalize mode to reset the SID, but they do not agree. My guess is that it could be that 2 systems' SIDs match and, while changing the password, the DC is confused and throws a system out of the domain, WELL, but I am not sure.

Any help highly appreciated. Thanks.


Arif



Event 4625 Destination Information Missing

Hello! I noticed that my Domain Controller logs for Event 4625 (An account failed to log on) only give me the source information. Should my DCs be recording the source AND destination for Event 4625? For example, if I attempt to access a remote file share, or RDP to a remote system, etc., should the 4625 log on the DC show both my IP address and the remote system I failed to connect to?




Windows Server 2016 Domain Functionality and Macbooks Problem

We recently updated our domain to Windows Server 2016 functionality and are having problems with Macbooks logging in to the domain. No errors on the Windows side, but it just spins and returns back to the login screen. Has anyone seen any similar issues with updating the forest to 2016? We have reached out to Apple as well, but are still waiting to see if they find anything. Just wanted to reach out and see if anyone here has seen any similar issues with 2016 functionality and Macbooks. Thanks.

cannot delete user account directory Object cannot be found

Hi
2003 AD
I have a user account that another admin attempted to delete. I still see the account when I go to ADUC and do a search on the entire directory. The account shows up with the user's name and CNF;40313388-803e-4fb9-922d-7c8dddfd8c38 behind it. When I try to delete it I get "Windows cannot delete object because directory object not found".
Any suggestions on how to get this account deleted ?

AD Object Delete Event


Dear Team,

Please help us to find AD object delete events. Currently the audit policy is not yet enabled.

To generate AD Replication Tool


Dear Team,

I want to do AD replication on a daily basis and generate the report from an audit perspective.

2008r2 DC has everyone denied delete?

I have two 2008r2 DCs which I am trying to upgrade before the EOL date. One has all the FSMO roles, and I am trying an in-place upgrade on the "secondary" DC. I noticed that under AD Sites and Services, the server security properties has a non-inherited permission to deny Delete and deny Delete Subtree to Everyone. The NTDS properties do NOT have the check for "prevent accidental deletion". How does such a property get set, and what should the best set of permissions look like?