Channel: Directory Services forum

event id 2087


Dears,

I have 2 DCs running 2016.

I upgraded one of them to 2019, demoted one 2016 DC, and switched the IPs of the demoted 2016 one to the newly created 2019 one.

Then I registered the DNS. I also cleaned the old DNS records pointing to the demoted old DC.

I'm receiving event ID 2087 on my new domain controller:

Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups group policy users and computers and their passwords will be inconsistent between domain controllers until this error is resolved potentially affecting logon authentication and access to network resources.

Any idea why this is happening?


LDAP SSL - when is it used and how can i prove that it is utilized


Hello all,

My company is new to Active Directory and because of the audits we have every year, we are trying to make things secure. That said, I set up an Enterprise CA server, created a certificate from the Domain Controller template and issued the certificates to the domain controllers.

I tested LDAP SSL using the ldp.exe tool and everything appears fine using port 636 SSL and 3269 SSL. However, I would like to know whether sensitive traffic is encrypted. I do know that I can't block port 389 from the client side because it is used for AD authentication. Does anyone know any way to test whether traffic goes through LDAP SSL when needed, and can I block port 3268 used for Global Catalogs since the domain controllers now have a certificate? Also, can anyone mention the cases when traffic goes through LDAP SSL?

Thanks a lot for your time and sorry if my questions sound kind of stupid.
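Two checks a defender can run for the question above, as an added example that is not part of the original thread: the first opens a TLS session to port 636 and reports the certificate and protocol the DC actually presents; the second reads Directory Service event 2889, which a DC logs (once the "16 LDAP Interface Events" diagnostic is set to 2) for every client that binds over cleartext LDAP on 389 or without SASL signing. The DC name is a placeholder; run the second function on or against a DC with rights to read its event log.

```powershell
# Added example, not from the thread. Assumes the DC FQDN matches the certificate subject/SAN.
function Get-LdapsCertificate {
    param([Parameter(Mandatory)] [string] $Server, [int] $Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        # LDAPS is TLS from the first byte, so a plain TLS handshake proves the listener.
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Protocol   = $ssl.SslProtocol        # e.g. Tls12; anything older is worth flagging
            Cipher     = $ssl.CipherAlgorithm
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer           # should be your Enterprise CA
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Lists clients that still bind insecurely on 389. Requires, on the DC:
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
#       -Name '16 LDAP Interface Events' -Value 2
function Get-InsecureLdapBinds {
    param([Parameter(Mandatory)] [string] $Dc, [int] $Hours = 24)

    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Client   = $_.Properties[0].Value   # client IP:port
                Identity = $_.Properties[1].Value   # account the client bound as
                # 0 = SASL bind without signing, 1 = simple bind over cleartext
                BindType = if ($_.Properties[2].Value -eq 1) { 'SimpleCleartext' } else { 'UnsignedSASL' }
            }
        } | Sort-Object Time
}

# Usage (placeholders):
# Get-LdapsCertificate -Server 'dc01.example.com' | Format-List
# Get-InsecureLdapBinds -Dc 'dc01.example.com' -Hours 48 | Format-Table -AutoSize
```

An empty result from the second function, over a period long enough to cover all your clients, is the evidence that nothing sensitive is crossing 389 in the clear; Kerberos-signed binds on 389 never appear there because they are already protected.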

Repercussion of being Enterprise Admin and Domain Guest at the same time?


Hello,

Title is self-explanatory. I hope someone can share their experience or if you have any facts to share.

Thanks

Missing in Attribute Editor


I am an admin for our company domain. I am looking to determine password expiration times for my end users, but when I go into Attribute Editor under Properties for my users, the "msDS-UserPasswordExpiryTimeComputed" field is not present.

What can I do to resolve this issue and have that field appear? Does it make a difference if another admin is already logged in, as he is able to view this information?

Any help resolving this is greatly appreciated.

Thank you.
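One way to read that attribute regardless of what Attribute Editor shows, as an added example that is not part of the original thread: msDS-UserPasswordExpiryTimeComputed is a constructed attribute, so it is not stored on the object and has to be requested explicitly, which Get-ADUser does with -Properties. The OU path is a placeholder.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PasswordExpiry {
    param(
        # Placeholder search base, e.g. "OU=Staff,DC=example,DC=com"
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $WarnDays = 14
    )

    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -SearchBase $SearchBase `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # The DC returns a FILETIME; 0 or Int64.MaxValue means no expiry applies
            # (no effective policy, or the account is flagged to never expire).
            $expires = if ($raw -and $raw -lt [long]::MaxValue) { [datetime]::FromFileTime($raw) } else { $null }
            $daysLeft = if ($expires) { [math]::Floor(($expires - (Get-Date)).TotalDays) } else { $null }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                Expires         = $expires
                DaysLeft        = $daysLeft
                ExpiringSoon    = ($daysLeft -ne $null -and $daysLeft -le $WarnDays)
            }
        } | Sort-Object Expires
}

# Usage: Get-PasswordExpiry -SearchBase "OU=Staff,DC=example,DC=com" | Format-Table -AutoSize
```

Because the value is computed by the DC that answers the query, it already accounts for fine-grained password policies applied to the user.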

to check DSRM password


Hello,

Is there any way to check the DSRM password without rebooting?

AD group membership changes alert notification


Hi All,

I am looking for a PowerShell/simple solution to track a few AD group changes. If any user is added to one of those AD groups, it should send an email to the administrator about the new user addition to that group. If anyone is using a solution like this, please share it.

Thanks in advance...
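A snapshot-and-diff approach to the request above, as an added example that is not part of the original thread: each run reads the current membership of the watched groups, compares it with the membership saved by the previous run, mails any additions or removals, and stores the new snapshot. Group names, the state file path and the mail settings are placeholders; schedule the function every few minutes on a management host with the ActiveDirectory module.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and an SMTP relay.
Import-Module ActiveDirectory

function Watch-GroupMembership {
    param(
        [Parameter(Mandatory)] [string[]] $Groups,      # e.g. 'Domain Admins','Schema Admins'
        [Parameter(Mandatory)] [string]   $StatePath,   # JSON file with the last known membership
        [string] $MailTo, [string] $MailFrom, [string] $SmtpServer
    )

    $previous = if (Test-Path $StatePath) { Get-Content $StatePath -Raw | ConvertFrom-Json } else { $null }
    $current  = @{}
    $changes  = @()

    foreach ($g in $Groups) {
        # Direct members only; add -Recursive to Get-ADGroupMember to watch nested membership too.
        $members = @(Get-ADGroupMember -Identity $g |
                     Select-Object -ExpandProperty SamAccountName | Sort-Object)
        $current[$g] = $members

        # @() normalises a single saved member, which JSON round-trips as a plain string.
        $old = @()
        if ($previous -and $previous.PSObject.Properties[$g]) { $old = @($previous.$g) }

        foreach ($m in ($members | Where-Object { $_ -notin $old })) {
            $changes += [pscustomobject]@{ Group = $g; Member = $m; Change = 'Added' }
        }
        foreach ($m in ($old | Where-Object { $_ -notin $members })) {
            $changes += [pscustomobject]@{ Group = $g; Member = $m; Change = 'Removed' }
        }
    }

    # Persist the snapshot for the next run before alerting, so a mail failure cannot cause repeats.
    $current | ConvertTo-Json | Set-Content -Path $StatePath

    if ($changes.Count -gt 0 -and $SmtpServer) {
        $body = $changes | Format-Table -AutoSize | Out-String
        Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
                         -Subject "AD group membership changed ($($changes.Count) change(s))" -Body $body
    }
    return $changes
}

# Usage (placeholders):
# Watch-GroupMembership -Groups 'Domain Admins','Schema Admins' -StatePath 'C:\Monitor\groups.json' `
#     -MailTo 'admins@example.com' -MailFrom 'adwatch@example.com' -SmtpServer 'smtp.example.com'
```

The first run only records the baseline. Security events 4728, 4732 and 4756 on the DC that made the change give the same information with the actor's identity, but require "Audit Security Group Management" to be enabled and must be collected from every DC.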

UDP 389 LDAP did not respond ???


Hi All,

I have three Windows 2008 domain controllers. Using portqry to test LDAP connectivity, it responds on TCP but not UDP. The test was run on the domain controller, with no firewall. I restarted AD DS and retested; UDP 389 gives the same error.

The test returns the following results:

 Starting portqry.exe -n computerIP -e 389 -p UDP ...

Querying target system called:

computerIP

Attempting to resolve IP address to a name...

IP address resolved to computerIP

querying...

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port

Sending LDAP query to UDP port 389...

LDAP query to port 389 failed

Server did not respond to LDAP query

portqry.exe -n computerIP -e 389 -p UDP exits with return code 0x00000001.


isoft

Primary Domain Controller not syncing with secondary


Firstly, this was set up by a previous tech guy, so please forgive me if I'm not using the correct terms or if the setup is not best practice (trying to change that!).

We have 2 domain controllers, a primary (TITANIC) and a secondary (SERVERMCSERVERFACE)

When I make a change to our group policy, all changes appear to take place on our secondary domain controller and it never appears to sync with our PDC.

All of the client machines pull down our group policy from the PDC.

So the questions I have are:

1) How can I check and ensure that our primary domain controller is the TITANIC machine and that our secondary is SERVERMCSERVERFACE?

2) How do I get these to sync the group policy between the 2?

3) For the number of clients we have (about 10) do we really need a secondary domain controller?

All servers are Windows Server 2012 r2.

Appreciate the help guys!


How to debug 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED) in Certificate server


Hi!

I have two domains: one with administrative accounts (ADM) and a domain with resources (RES).

Domain RES trusts domain ADM, so users from ADM can log in to domain RES.

ADM does not trust RES.

Our PKI (issuing CA and two pairs of CES+CEP) is in the RES domain.

I want to give users from the ADM domain the right to get certificates.

Access to read the CA and the templates, and to enroll specific templates, is already granted for my account (user@ADM).

At the moment I (as user@ADM) can see the list of available certificates, but get an error when I try to get one.


For example:

#$admcred=Get-Credential

Get-Certificate  -SubjectName "CN=qqq" -template "User-manual" -Url "https://srv-caext-01.xxx.yyy/KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -Credential $admcred -CertStoreLocation "Cert:\CurrentUser\My"

Errors from: certsrv.log

457.1846.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

504.108.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

515.349.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

515.236.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Errors from powershell output:

Get-Certificate : CertEnroll::CX509Enrollment::Enroll:  The certificate request could not be submitted to the certification authority. A certificate could not be issued by the certification authority.: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
At line:2 char:1
+ Get-Certificate  -SubjectName "CN=qqq" -template "User-manual" -Url " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Certificate], Exception
    + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.GetCertificateCommand

I don't see any error in other logs from the CA and DC. I see messages about successful authentication/impersonation.

How can I find more information about the error in certsrv.log?





How can a user authenticate with AD while connected to private internet.


Hello, 

I am currently working on a project. Please, does anyone know how a user can authenticate with Active Directory while connected to a private internet?

Kindly provide me with the solutions. 

Thank you




Iniobong Nkanga

User authentication test against specific DC


Greetings all,

Is there any tool, PowerShell cmdlet or any other way to test a user logon from a server against a specific DC?

Thanks


PDC not loading NTP Time source and defaults to local CMOS?


Good morning,
I have a dark-site environment with 2 domain controllers, both virtualized Windows Server 2012 R2.
The servers are multihomed with 2 interfaces:
1 to the workstation network and 1 to the server network.
For NTP purposes, access to an external time server (still one inside the company) is made available.
I configured NTP on the PDC according to this document:
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

I entered 2 IP addresses instead of DNS names. Because I directly entered IP addresses, I did not append ,0x1 or anything else.

Output of the following commands on the PDC:
1. w32tm /resync: Sending resync command to local computer
The computer did not resync because no time data was available

2. w32tm /monitor
PDCSERVERNAME *** PDC*** [ID]:
ICMP: 0ms delay
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
2ndDCNAME [ip:port]:
NTP: error ERROR_TIMEOUT - no response from server in 1000ms

3. w32tm /query status:
more data
Source:local CMOS Clock
more data

4. w32tm /stripchart /computer:EXTERNAL NTP ADDRESS /dataonly /samples:5:
The current time is date and time
time, +12.4288498s
time, +12.4249894s
etc...

My conclusion: for an unknown reason the configuration is not picked up and it defaults back to the local CMOS clock?

How do I make the PDC sync with this time source?
If it gets the time in test 4, does that mean it has enough access to the time source, or can there be a firewall port issue or some authentication issue that makes test 4 return data but not work for synchronization?

Kind regards,

Distribution of FSMO Roles


Hi All,

I would like to seek your expertise regarding our FSMO roles. What would be the best setup, and which server(s) should hold the FSMO roles, considering our current setup below?

 - We have 2 physical office sites (Site A and Site B)

 - We have 2 domain controllers at each site (DC1, DC2 on Site A and DC3, DC4 on Site B)

 - Currently all FSMO roles are assigned to DC1

 - Both sites are operational and have workstations

CA migration and its computer certificate


Hello everyone,

I'm continuing to upgrade old 2008 R2 servers to Windows Server 2019 and I have a question about CA server (Enterprise Root CA).

Basically, I prepared a Windows Server 2019 VM and gave it the same name as the old production CA. Then I imported the configuration that I had exported from the old one. Removed the old server; added the new server to the domain and installed the CA role. I basically followed this procedure in detail: https://kevinstreet.co.uk/2017/07/26/migrating-your-microsoft-pki-infrastructure-to-windows-server-2016-part-2/

I worked on a lab for doing that. Everything seems to be fine, except that when I compare the production CA server with the lab CA server after the upgrade to Server 2019, I notice one difference: the old CA server has 1 certificate in its "Certificates (Local Computer) > Personal > Certificates" store that is not on the new one in the lab (the one in yellow in the attached image).

The missing certificate has the FQDN name (hostname.domain.com).

Does anyone know if this is something we can ignore and then apply our actions in production, or if there is anything to do to recreate it on the new server?

I tried to export that certificate, but I can't export the private key with it, so it is useless.
I also noticed that this certificate appears in the certificate manager.

Create a GPO and bind powershell script to it


Hi Team,

Recently we had a virus attack on one of the servers in the domain. We had to turn off the machine and disable the network. It was a domain controller. Now the security team wants us to run a PowerShell script through GPO on the domain to check whether the malware is present on any workstations, computers or servers in the domain. I tried creating a GPO by running scheduled tasks under Computer Preferences and mapping it to the server OU, but no result.

The script is stored in a shared location and the output is to be stored in the same place.

Could anyone please suggest a way to create a GPO with the required settings to run on all the machines to look for the file?


Upgrade from AD DS 2008 to 2016, forest and domain level impact


I'm upgrading the current Active Directory from 2008 R2 to 2016.

The current Forest and domain level is 2008 R2.

Once I have all the domain controllers at 2016, while still having some 2003 and 2008 R2 member servers, which is the appropriate forest and domain functional level that I should raise to?

Can I move directly to forest and domain level 2016, or would it be better to take a more cautious approach and just move to 2012 R2, at least at the beginning?

Kind regards

Andrea

How Mobile Users can Authenticate with AD while connected to Private Internet.


Hello, 

I am currently working on a project. Please, does anyone know how mobile users can authenticate with AD while connected to a private internet?

Kindly provide me with the solutions. 

Thank you



Iniobong Nkanga

Botched migration from FRS - DFRS


Server 2012 R2 Standard, AD DS only. The DC was a VM DC, but it got hosed from a cluster failure (another story).

The process hung. I waited overnight. Still hung. Re-ran AD DS cleanup and found an old DC that was haunting me. Deleted it.

Tried again, same result. Since it was the only DC (I read the warning about no turning back), I pushed through to the Eliminated state.

Result: SYSVOL_DFSR was created, but with nothing in it. Looking at ADSI Edit, the DC is still pointing to the original SYSVOL folder. When the login problems started, I found the DFSR service was running and the FRS service was disabled. I reversed this and authentication started working again.

What a pickle. I brought up two new DCs, and they are both Windows 2016 OS. The information in AD DS is being replicated to the two new servers, but in spite of moving all of the roles to what was supposed to be the new PDC, if the old PDC is not online AD DS breaks. If I add a new user or change a password on any DC, it takes effect on all 3. I did notice however that I cannot edit a GPO on the other DCs, not even the new PDC.

What can I do to straighten this out? I can redo the two new DCs, but if I bring them down, how can I get the old DC to move to DFSR? How might I get any one of the DCs to function as the PDC? I'm trying to do this without having to completely rebuild Active Directory from scratch.


Kerry M. Guillory

Is it possible to add temporary extra and secondary passwords to my Windows account registered in my organization's Active Directory ?

Is it possible to add temporary extra and secondary passwords to my Windows account registered in my organization's Active Directory?

As a developer, this would be very useful for me to execute tests with a temporary password that can be created and revoked easily and quickly.

I am actually testing command lines on a server, but these commands are logged in my organization's traces.

Without an additional temporary password, I will then be forced to change my unique password, which is more complicated. And if I do not do it, my only password will be compromised.

Domain upgrade from SBS 2011 (Build 7601 SP1) to Windows Server STD 2019 with error converting FRS to DFS


1. Followed the instructions from MS and finished with "Eliminated" as below.

2. Afterwards, I see error logs as below:

-         DFSR was unable to create the SYSVOL_DFSR folder at C:\SYSVOL_DFSR. This could be due to lack of availability of disk space.

3. I've made some space now, around 16.5GB, but when I ran the above command I doubt there was enough space.

4. Also after this, the SYSVOL share stopped as the File Replication Service had stopped. All domain services stopped, including file shares etc.

5. For emergency purposes, I restarted FRS and the domain services started as normal.

6. The new DFS Replication service I stopped, as this service will stop FRS.

We have only one single SBS 2011 server serving as domain controller and are trying to upgrade to Windows Server 2019 as a domain controller, decommissioning the old SBS box.

Please help!

