Channel: Directory Services forum

Windows 10 Lock Screen Slide Show (Multiple .JPEG images) Using group policy


I want the slideshow feature of the lock screen to do this on all domain computers via GP instead of the screensaver.

I have around 2000 Windows 10 Enterprise clients.

DC : 2012 R2

Kind Regards,

RPadmam.


RJ


PDC not loading NTP Time source and defaults to local CMOS?


Good morning,
I have a dark-site environment with 2 domain controllers, both virtualized Windows Server 2012 R2.
Servers are multihomed with 2 interfaces:
1 to the workstation network and 1 to the server network.
For NTP purposes, access to an external time server (still one inside the company) is made available.
I configured NTP on the PDC according to this document:
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

I entered 2 IP addresses instead of DNS names. Because I directly entered IP addresses I did not append ,0x1 or anything else.

Output of the following commands on the PDC:
1. w32tm /resync: Sending resync command to local computer
The computer did not resync because no time data was available

2. w32tm /monitor
PDCSERVERNAME *** PDC*** [ID]:
ICMP: 0ms delay
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
2ndDCNAME [ip:port]:
NTP: error ERROR_TIMEOUT - no response from server in 1000ms

3. w32tm /query status:
more data
Source:local CMOS Clock
more data

4. w32tm /stripchart /computer:EXTERNAL NTP ADDRESS /dataonly /samples:5:
The current time is date and time
time, +12.4288498s
time, +12.4249894s
etc...

My conclusion: for an unknown reason the configuration is not picked up and it defaults back to the local CMOS clock?

How to make the PDC sync with this time source?
If it gets the time with test 4, does that mean it has enough access to the time source, or can there be a firewall port issue or some authentication issue that makes test 4 return data but not work for synchronization?

Kind regards,
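An added example for the situation described in the post above; it is not the poster's code. Saved as Check-PdcTime.ps1 and run elevated on the PDC emulator, it parses the live Windows Time configuration, shows whether the manual peers are the ones the service is actually set to use (the NtpServer list only counts when Type is NTP), probes each peer the way `w32tm /stripchart` does, and only with `-Apply` writes, through w32tm, the settings the linked article sets in the registry. The two peer addresses are placeholders. On the firewall question: stripchart and the NtpClient provider are the same NTP exchange on UDP 123, so a peer that returns offsets is reachable; what stripchart does not prove is that the service is configured to consult that peer, which is what the Type and NtpServer lines show.

```powershell
# Added example (not from the original post). Run elevated on the PDC emulator.
param(
    [string[]]$Peers = @('10.0.0.10', '10.0.0.11'),   # placeholder internal time servers
    [switch]$Apply
)

function Get-W32tmConfiguration {
    # Parses "w32tm /query /configuration" into "<Section>.<Key>" = value.
    # Sections are "[Configuration]" and each provider header such as
    # "NtpClient (Local)"; every value line ends in "(Local)" or "(Policy)".
    $section = 'Configuration'
    $cfg = [ordered]@{}
    foreach ($line in (w32tm /query /configuration)) {
        if ($line -match '^\[(\w+)\]\s*$')               { $section = $Matches[1]; continue }
        if ($line -match '^(\w+) \((Local|Policy)\)\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*(\w+):\s*(.*?)\s*\((Local|Policy)\)\s*$') {
            $cfg["$section.$($Matches[1])"] = $Matches[2]
        }
    }
    $cfg
}

function Get-W32tmSetting($cfg, $name) {
    # First value whose key ends in ".<name>", whichever section it sits in.
    ($cfg.GetEnumerator() | Where-Object { $_.Key -like "*.$name" } | Select-Object -First 1).Value
}

$cfg     = Get-W32tmConfiguration
$type    = Get-W32tmSetting $cfg 'Type'       # NT5DS = domain hierarchy, NTP = manual peer list
$servers = Get-W32tmSetting $cfg 'NtpServer'  # space-separated "address,0xNN" entries
$source  = (w32tm /query /source) -join ''

"Type             : $type"
"NtpServer        : $servers"
"Current source   : $source"
"NtpClient enabled: $($cfg['NtpClient.Enabled'])"
"VMIC provider    : $($cfg['VMICTimeProvider.Enabled'])"   # present on Hyper-V guests

if ($type -ne 'NTP') {
    Write-Warning "Type is '$type': the NtpServer list is only consulted when Type is NTP."
}

foreach ($entry in ($servers -split '\s+' | Where-Object { $_ })) {
    $peer, $flags = $entry -split ','
    # Documented flag bits for an NtpServer entry: 0x1 SpecialInterval,
    # 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client.
    "Peer $peer  flags=$(if ($flags) { $flags } else { '<none>' })"
    # stripchart is a plain NTP exchange on UDP 123 from this host, so a peer
    # that returns offsets is reachable through whatever firewall sits between.
    $samples = w32tm /stripchart "/computer:$peer" /dataonly /samples:3 2>&1
    $offsets = @($samples | Where-Object { $_ -match '^\d{2}:\d{2}:\d{2}, [+-]\d+\.\d+s$' })
    "  stripchart samples with an offset: $($offsets.Count) of 3"
}

if ($Apply) {
    # w32tm equivalent of the linked article: manual peer list in client mode (0x8),
    # sync only from it, advertise as a reliable time source, then rediscover.
    $list = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /manualpeerlist:"$list" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
    w32tm /query /source
}
```

Run it once without `-Apply` and read the Type, NtpServer and source lines together with the per-peer stripchart counts before changing anything; after `-Apply`, the final `w32tm /query /source` should name one of the peers rather than the local CMOS clock.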

CA migration and its computer certificate


Hello everyone,

I'm continuing to upgrade old 2008 R2 servers to Windows Server 2019 and I have a question about the CA server (Enterprise Root CA).

Basically, I prepared a Windows Server 2019 VM and gave it the same name as the old production CA. Then I imported its configuration, which I had exported from the old one. Removed the old server; added the new server to the domain and installed the CA role. I basically followed this procedure in detail: https://kevinstreet.co.uk/2017/07/26/migrating-your-microsoft-pki-infrastructure-to-windows-server-2016-part-2/

I worked on a lab for doing that. Everything seems to be fine except that when I compare the production CA server with the lab CA server after the upgrade to Server 2019, I notice one difference: the old CA server has 1 certificate in its "Certificates (Local Computer) > Personal > Certificates" that is not on the new one in the lab (the one in yellow on the attached image).

The missing certificate has the FQDN name (hostname.domain.com).

Does anyone know if this is something we can ignore and then apply our actions in production or if there's anything to do to recreate that on the new server ?

I tried to export that certificate but I can't export the private key with it, so it is useless.
I also noticed that this certificate appears in the certificate manager.

3rd party cert used for Secure LDAP has a root cert that expires before the LDAP cert expires


We use a 3rd party cert for Secure LDAP against our Active Directory at our organization. We have the cert deployed to a load balancer (Citrix NetScaler) and then have individual 3rd party certs for each of the back-end DCs.

I noticed the cert on the Netscaler has an expiration date of 2021, but looking at the chain the root expires in 2020.  

What will happen in 2020?

Thanks
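An added example for the question above; it is not the poster's code. For every certificate handed to it (here the DC's own LDAPS certificates from the machine store; a certificate exported from the NetScaler can be fed in from a file the same way) it builds the chain Windows would build and reports the earliest NotAfter anywhere in that chain. Path validation (RFC 5280, section 6.1.3) requires every certificate in the path to be within its validity period at the time of the check, so that earliest date, not the leaf's own expiry, is when the chain stops validating unless a newer root for the same issuer key has been distributed by then. The subject filter and file path are placeholders.

```powershell
# Added example, not part of the original post.
using namespace System.Security.Cryptography.X509Certificates

function Get-ChainExpiry {
    param([Parameter(Mandatory, ValueFromPipeline)][X509Certificate2]$Certificate)
    process {
        $chain = [X509Chain]::new()
        # We want the chain elements and their validity windows, not a revocation
        # verdict, so do not fail the build when CRLs cannot be fetched.
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        $built    = $chain.Build($Certificate)
        $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })   # leaf first, root last
        $earliest = $elements | Sort-Object NotAfter | Select-Object -First 1
        [pscustomobject]@{
            Leaf          = $Certificate.GetNameInfo([X509NameType]::SimpleName, $false)
            LeafExpires   = $Certificate.NotAfter
            ChainBuilt    = $built
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            Depth         = $elements.Count
            FirstToExpire = $earliest.GetNameInfo([X509NameType]::SimpleName, $false)
            UsableUntil   = $earliest.NotAfter
            Elements      = (($elements | ForEach-Object {
                                "$($_.GetNameInfo([X509NameType]::SimpleName, $false)) until $($_.NotAfter.ToString('yyyy-MM-dd'))"
                            }) -join ' -> ')
        }
        $chain.Reset()
    }
}

# The DC's own LDAPS certificate(s); the subject filter is a placeholder.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*ldap.example.com*' } |
    Get-ChainExpiry | Format-List

# A certificate exported from the load balancer (placeholder path):
# [X509Certificate2]::new('C:\temp\netscaler-ldaps.cer') | Get-ChainExpiry | Format-List
```

If UsableUntil is earlier than LeafExpires, the root or an intermediate is the limiting element; check whether the issuer already publishes a replacement root with the same key, and plan the swap on that date rather than on the leaf's.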

Domain controller not getting populated in site and services


Domain controller not getting populated in site and services.

I just built a new domain controller, but it is not getting populated in Sites and Services. Please can someone let me know how to fix this, or can it be added manually?

If I add it manually, the NTDS Settings are not visible.


Paramesh KA

AD DS replication between DCs from different domains in the same Forest


Hello,

I am learning about AD DS and I have a following question.

I understand that:

AD DS has these partitions:

a) Schema, b) configuration, c) domain, d) application (e.g. DNS)

Only the DC which holds the Schema Master FSMO role has a RW copy of the Schema partition; other DCs have a RO copy of the Schema partition

every DC in the forest has a RW copy of the Configuration partition

every DC of a given domain has a RW copy of that domain's partition

an application partition can be set up with a different scope (domain, forest)

Do I understand it right?

Then my question is about replication. If:

I have two domains in the forest: domain1 and domain2

I have four sites in the forest: Site1, Site2, Site3, Site4

In the Site1 there are two DCs (DC1 and DC2) from domain1

In the Site2 there are two DCs (DC3 and DC4) from domain1

In the Site3 there are two DCs (DC5 and DC6) from domain2

In the Site4 there are two DCs (DC7 and DC8) from domain2

In AD Sites and Services, replication between Site1 and Site2 will be:

Site1 - Intrasite replication between DC1 and DC2 is set up automatically

Site1 - A bridgehead server will be chosen automatically

Site2 - Intrasite replication between DC3 and DC4 is set up automatically

Site2 - A bridgehead server will be chosen automatically

Then I will create a site link between Site1 and Site2 (I know that I also have to configure subnets for the sites)

In AD Sites and Services, replication between Site3 and Site4 will be:

Site3 - Intrasite replication between DC5 and DC6 is set up automatically

Site3 - A bridgehead server will be chosen automatically

Site4 - Intrasite replication between DC7 and DC8 is set up automatically

Site4 - A bridgehead server will be chosen automatically

Then I will create a site link between Site3 and Site4 (I know that I also have to configure subnets for the sites)

Finally, my question is: Do I have to set up replication (a site link) between Site1/Site2, where the DCs from domain1 are, and Site3/Site4, where the DCs from domain2 are, given that they are domain controllers from different domains?

From my understanding I do not have to do that in order to make sure that the other partitions (schema, configuration and application) will be replicated to the DCs in the other domain, am I right?

I am just learning and trying to understand AD replication topology, I will be glad for explanation.

Thank you.
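An added example, not part of the original post, that reads the topology the post reasons about straight from the directory; it also applies to the earlier "Domain controller not getting populated in site and services" post, since the first function shows which site each DC's NTDS Settings object sits in. The first function lists every DC in the forest with the partitions it hosts; the second lists each site with its DCs, subnets and site links, flags any site that is in no site link at all, and the final pipeline dumps the connection objects the KCC created. It needs the ActiveDirectory RSAT module; all domain, site and server names come from the live forest.

```powershell
# Added example, not from the original post. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Get-ForestDcPartitions {
    foreach ($domain in (Get-ADForest).Domains) {
        # -Server targets a DC of that domain so child-domain DCs are included
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domain)) {
            [pscustomobject]@{
                Domain     = $domain
                DC         = $dc.HostName
                Site       = $dc.Site
                GC         = $dc.IsGlobalCatalog
                FSMO       = ($dc.OperationMasterRoles -join ',')
                # Schema and Configuration NCs are on every DC, the domain NC only on
                # that domain's DCs, DNS application NCs according to their scope
                Partitions = (($dc.Partitions | Sort-Object) -join '; ')
            }
        }
    }
}

function Get-ForestSiteTopology {
    $links   = Get-ADReplicationSiteLink -Filter *
    $subnets = Get-ADReplicationSubnet -Filter *
    $dcs     = Get-ForestDcPartitions
    foreach ($site in (Get-ADReplicationSite -Filter *)) {
        $siteDcs   = @($dcs | Where-Object Site -eq $site.Name)
        $siteLinks = @($links | Where-Object { $_.SitesIncluded -contains $site.DistinguishedName })
        [pscustomobject]@{
            Site      = $site.Name
            DCs       = ($siteDcs.DC -join ', ')
            Domains   = (($siteDcs.Domain | Sort-Object -Unique) -join ', ')
            Subnets   = (@($subnets | Where-Object Site -eq $site.DistinguishedName).Name -join ', ')
            SiteLinks = ($siteLinks.Name -join ', ')
            # Inter-site replication only flows over site links; a site that is in
            # none cannot exchange any partition, configuration and schema included.
            InAnyLink = ($siteLinks.Count -gt 0)
        }
    }
}

Get-ForestDcPartitions | Format-Table -AutoSize -Wrap
Get-ForestSiteTopology | Format-Table -AutoSize -Wrap
# Connection objects the KCC generated. From/To are NTDS Settings DNs, so the
# cross-site pairs are the bridgeheads it picked.
Get-ADReplicationConnection -Filter * |
    Format-Table Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer -AutoSize -Wrap
```

Reading the Partitions column across domains makes the partition question concrete: the schema and configuration naming contexts appear on every DC in both domains, each domain naming context only on its own DCs. The InAnyLink column answers the site-link question for the forest at hand: a site whose DCs belong to a different domain still needs to be reachable through the site-link graph, or those shared partitions have no inter-site path to it.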

Issue with copying files to shared folder on 2019 DC from W10 workstation (Crossposted in File Services and Storage)


I posted this question in File Services and Storage and I was advised to post it here as well.

I have a weird issue where I can't copy files or folders to shared folders on our Windows Server 2019 DC from my Windows 10 1903 workstation.

When I try to copy files or folders into the shared folder on the 2019 DC, it just hangs until I get a message about a missing network connection to the shared folder.

I have also noticed that File Explorer takes some time to show the drives on the DC locally while the copy job is active.

However, when I copy something from our other servers (2008 R2 and 2012 R2) to the 2019 DC there is no problem at all. Also, when I copy from the W10 workstation to the other servers there are no issues...

I have tried making new test-shares with full read/write access for everyone and also for my user specifically.

I also tried making a shared folder directly on the Hyper-V host and i get the same problem.

The 2019 DC is a VM in Hyper-V with failover cluster.

The physical machine is a Lenovo SR530 with Server 2019.

Seems to me that something is up with the communication when it comes to W10 and Server 2019...

Any help would be greatly appreciated!


How to export w32tm output in CSV


Is there any way to export the output of the below command in table format?

w32tm /monitor /domain:my_domain

Example:

Servername      ICMP         NTP

dc1               61ms delay  +0.0000000s offset from DC1.local.com
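An added example for the question above; it is not the poster's code. The function turns the text `w32tm /monitor` prints into one object per server, which then goes to `Format-Table` or `Export-Csv`. It handles the `*** PDC ***` marker, a server that did not answer (the `error ERROR_TIMEOUT` lines) and the RefID/Stratum detail lines. The sample block is constructed in that shape with placeholder host names; the last line shows the live pipeline.

```powershell
# Added example, not from the original post.
function ConvertFrom-W32tmMonitor {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $cur = $null; $rows = @() }
    process {
        foreach ($line in $Lines) {
            # Server header: "name *** PDC ***[ip:port]:" or "name[ip:port]:"
            if ($line -match '^(\S+?)\s*(\*\*\* PDC \*\*\*)?\s*\[([^\]]+)\]:\s*$') {
                if ($cur) { $rows += [pscustomobject]$cur }
                $cur = [ordered]@{
                    Server = $Matches[1]; IsPdc = [bool]$Matches[2]; Endpoint = $Matches[3]
                    ICMP_ms = $null; ICMP_Error = $null
                    Offset_s = $null; OffsetFrom = $null; NTP_Error = $null
                    RefID = $null; Stratum = $null
                }
                continue
            }
            if (-not $cur) { continue }   # any banner text before the first server block
            switch -Regex ($line) {
                '^\s*ICMP:\s*(\d+)ms delay'                    { $cur.ICMP_ms    = [int]$Matches[1] }
                '^\s*ICMP:\s*error\s+(.+)$'                    { $cur.ICMP_Error = $Matches[1] }
                '^\s*NTP:\s*([+-]\d+\.\d+)s offset from (\S+)' { $cur.Offset_s   = [double]$Matches[1]; $cur.OffsetFrom = $Matches[2] }
                '^\s*NTP:\s*error\s+(.+)$'                     { $cur.NTP_Error  = $Matches[1] }
                '^\s*RefID:\s*(.+)$'                           { $cur.RefID      = $Matches[1] }
                '^\s*Stratum:\s*(\d+)'                         { $cur.Stratum    = [int]$Matches[1] }
            }
        }
    }
    end { if ($cur) { $rows += [pscustomobject]$cur }; $rows }
}

# Constructed sample in the shape w32tm /monitor prints (placeholder hosts):
$sample = @'
dc1.local.com *** PDC ***[192.168.1.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc1.local.com
        RefID: ntp.example.com [10.1.1.5]
        Stratum: 3
dc2.local.com[192.168.1.11:123]:
    ICMP: 61ms delay
    NTP: -0.0012345s offset from dc1.local.com
        RefID: dc1.local.com [192.168.1.10]
        Stratum: 4
dc3.local.com[192.168.1.12:123]:
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
'@

$rows = $sample -split "`r?`n" | ConvertFrom-W32tmMonitor
$rows | Format-Table Server, IsPdc, ICMP_ms, Offset_s, OffsetFrom, NTP_Error, Stratum -AutoSize
$rows | Export-Csv -Path .\w32tm-monitor.csv -NoTypeInformation

# Live: w32tm /monitor /domain:my_domain | ConvertFrom-W32tmMonitor | Export-Csv .\w32tm-monitor.csv -NoTypeInformation
```

Keeping the error text in its own columns rather than dropping the server means a DC that timed out still appears as a row in the CSV, which is the case worth noticing when the output is collected on a schedule.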


Domain Controller AD


Hi,

I recently configured a domain controller.

In my previous company, to join a client PC to the domain we needed to add the IP address of the server in the client's DNS settings. Only then would it connect with the server. But in some companies I have noticed that a PC will join the domain without adding the server IP address in the client DNS. I came to know that we need to set up the DNS role..

Can any one please help me?

Existing Setup..

Domain Controller IP: 192.168.100.xxx and one more server is also in that range.

Client PC IP Range: 192.168.110.xxx

Thank you



Repercussion of being Enterprise Admin and Domain Guest at the same time?


Hello,

Title is self-explanatory. I hope someone can share their experience or if you have any facts to share.

Thanks

Windows Server 2016 Domain Functionality and Macbooks Problem

     
We recently updated our domain to Windows Server 2016 functionality and are having problems with MacBooks logging in to the domain. No errors on the Windows side, but it just spins and returns back to the login screen. Has anyone seen any similar issues with updating the forest to 2016? We have reached out to Apple as well, but are still waiting to see if they find anything. Just wanted to reach out and see if anyone here has seen any similar issues with 2016 functionality and MacBooks. Thanks.

Client systems are getting out of the domain while resetting the password - Windows 10


Some of our users who are using Windows 10 are facing an issue: when they reset their password, the system automatically gets out of the domain. Then we have to rejoin the computer to the domain. There are 4 laptops which are giving this kind of problem.

The on-site engineer has informed us that they are all laptops and that they are observing this problem on Wi-Fi only.

I suggested to the IT Manager that we should try to run sysprep in generalize mode to reset the SID, but they do not agree. What I guess is that it could be that 2 systems' SIDs are matching and, while changing the password, the DC is confused and throws a system out of the domain. Well, but I am not sure.

Any help highly appreciated . Thanks.


Arif




Change Domain user's password from outside the domain


Hi,

I am looking for a solution for the following use case:

A person has remote access to a domain (VPN), but his PC has not joined any domain at all. The person should be able to change his own domain user's password. Normally, this can be done using Ctrl+Alt+Delete and then changing the Domain\User first to the user whose password should be changed. Access to a domain controller can be provided via the VPN.

But the user does not have a Change password option on his computer. I googled it; it seems that this depends on the type of user used for login. On Windows 10 (only), when logged in using a Microsoft account, the option is never available, independent of how the group policy is set.

I did not find any other way for this user to change his password in the "foreign" domain. Everything seems to only work in your own domain (when you are already logged in to Windows using a domain user, which is not the case), for local users or for the user you are logged in with. None of these applies.

So, is there some other way for this user to change his password that I missed? Or some way to get the Change password option back without changing the way the user logs in to his own computer?

Thank you,

Felix Alter, SOLUTIONS GmbH

User authentication test against specific DC


Greetings all,

Is there any tool, PowerShell cmdlet or any way to test a user logon from a server against a specific DC?

Thanks
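An added example that serves two posts above, "Change Domain user's password from outside the domain" and "User authentication test against specific DC"; it is not code from either poster. Both functions use the .NET AccountManagement API, which binds to exactly the DC named in the call rather than whatever the locator picks, so they also work from a machine that is not domain-joined as long as that DC's FQDN resolves and its ports are reachable across the VPN. dc01.corp.example.com, the container DN and jdoe are placeholders.

```powershell
# Added example, not from either original post.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$Domain    = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$Negotiate = [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate

function Test-ADCredential {
    param(
        [Parameter(Mandatory)][string]$Server,           # the specific DC to test against
        [Parameter(Mandatory)][pscredential]$Credential  # DOMAIN\user or user@domain
    )
    $user  = $Credential.UserName
    $plain = $Credential.GetNetworkCredential().Password
    $ok = $false; $err = $null; $ctx = $null
    try {
        # Bind to the named DC as the account under test (container $null = the DC's
        # default naming context); the local machine's own identity is not involved.
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $Domain, $Server, $null, $user, $plain
        # Negotiate = Kerberos against $Server with NTLM fallback. A wrong password is
        # a failed logon on that DC (events 4776/4771) and counts toward lockout.
        $ok = $ctx.ValidateCredentials($user, $plain, $Negotiate)
    } catch { $err = $_.Exception.Message }
    finally { if ($ctx) { $ctx.Dispose() } }
    [pscustomobject]@{ Server = $Server; User = $user; Valid = $ok; Error = $err }
}

function Set-ADUserPasswordViaDC {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Container,          # e.g. 'DC=corp,DC=example,DC=com'
        [Parameter(Mandatory)][string]$UserName,           # sAMAccountName
        [Parameter(Mandatory)][securestring]$OldPassword,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $old = (New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $OldPassword).GetNetworkCredential().Password
    $new = (New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $NewPassword).GetNetworkCredential().Password
    # Bind as the user with the current password. ChangePassword is the self-service
    # path (unlike SetPassword it needs no admin rights) and is subject to the
    # domain password policy, minimum age included.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $Domain, $Server, $Container, $UserName, $old
    try {
        $principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $UserName)
        if (-not $principal) { throw "User '$UserName' not found via $Server" }
        $principal.ChangePassword($old, $new)
        "Password for $UserName changed via $Server"
    } finally { $ctx.Dispose() }
}

# Usage (prompts; never pass passwords on the command line):
# Test-ADCredential -Server dc01.corp.example.com -Credential (Get-Credential 'CORP\jdoe')
# Set-ADUserPasswordViaDC -Server dc01.corp.example.com -Container 'DC=corp,DC=example,DC=com' -UserName jdoe `
#     -OldPassword (Read-Host 'Old password' -AsSecureString) -NewPassword (Read-Host 'New password' -AsSecureString)
```

To test an LDAPS bind specifically rather than Kerberos/NTLM, pass `[System.DirectoryServices.AccountManagement.ContextOptions]'SimpleBind,SecureSocketLayer'` instead of `$Negotiate`. `ChangePassword` goes through ADSI, which tries the Kerberos password-change protocol first, then LDAP over SSL, then the NetUserChangePassword API, so the VPN has to let at least one of TCP 464, 636 or 445 reach the DC for the non-joined machine's change to succeed.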


How can a user authenticate with AD while connected to private internet.


Hello, 

I am currently working on a project. Please, does anyone know how a user can authenticate with Active Directory while connected to a private internet?

Kindly provide me with the solutions. 

Thank you




Iniobong Nkanga


How Mobile Users can Authenticate with AD while connected to Private Internet.


Hello, 

I am currently working on a project. Please, does anyone know how mobile users can authenticate with AD while connected to a private internet?

Kindly provide me with the solutions. 

Thank you



Iniobong Nkanga

rpc server is unavailable


Dear all,

Kindly note the below.

I have 2 AD sites, site 1 and site 2, and each site has one domain controller: domaincont1 and domaincont2.

Both servers are 2012 R2; I'm planning to upgrade to 2019.

Before upgrading I checked the following: in each site, under Connections in AD Sites and Services, connections are automatically generated between the domain controllers in the 2 sites.

I upgraded my domaincont1 in my first site, and I checked that the connection didn't get automatically created. I waited for one day, same thing, therefore I manually created the connection. I created a test user and checked if it replicates to the other site. It worked.

The issue is the following: when I try to replicate the connection I created manually, it shows this error:

Your help is appreciated

Is it possible to add temporary extra and secondary passwords to my Windows account registered in my organization's Active Directory ?

Is it possible to add temporary extra and secondary passwords to my Windows account registered in my organization's Active Directory ?

As a developer, this would be very useful for me to execute tests with a temporary password, creatable and revocable easily and quickly.

I am actually testing command lines on a server, but these commands are logged in the traces of my organization.

Without an additional temporary password, I will then be forced to change my unique password, which is more complicated. And if I do not do it, my only password will be compromised.

Domain Controller Sync Issues


I will apologize in advance as this is a somewhat confusing situation with a bunch of back story.  I will try to relay only relevant information.

We have 3 DCs in our parent domain; all 3 are physical servers and are (now) in the same physical location. We also have 1 VM in the cloud (Rackspace) which is the solo DC in our child domain.

For illustrative purposes, the DC's are as follows:

Physical DC's

  • NRLHOURDC01
  • NRLHOUDC03
  • NRLHOUDC04

Virtual DC hosted in cloud

  • NINAHOUDC02 (We previously had NINAHOUDC01 as our Virtual DC but ran into issues and ended up having to prop up another DC to demote that one....long story)

All 3 of the physical DCs have FSMO roles set to DC04.

NINAHOUDC02 FSMO roles are set as follows:

  • Schema Master: NRLHOUDC03
  • Domain Naming Master: NRLHOUDC03
  • PDC: NINAHOUDC01
  • RID Pool Manager: NINAHOUDC01
  • Infrastructure Manager: NINAHOUDC01

When I try to set the FSMO roles for NINAHOUDC02 to NRLHOUDC04, I run into errors:

  • Binding to NRLHOUDC04 ...
    DsBindWithSpnExW error 0x80090350(The system cannot contact a domain controller to service the authentication request. Please try again later.)
    ldap_search for attribute supportedCapabilities failed with 0x59(89 (Parameter Error).

AD Sites and Services is different on every single DC and I don't see all servers in any of the Sites and Services consoles. There are 4 sites: 1900STJAMES, 2506WMAIN, 4400, RACKSPACE. Our 2 old locations were 1900STJAMES (which housed NRLHOUDC03 and NRLHOUDC04) and 2506WMAIN (which housed NRLHOURDC01). I created 4400 when we moved to our new office, which we are currently in, and moved all of the DCs into that site, thinking that as long as I added the correct subnet everything would fall into place. It didn't.

I've also run repadmin /replsum on each DC

NRLHOUDC04:

C:\Windows\system32>repadmin /replsum
Replication Summary Start Time: 2019-10-16 16:38:13

Beginning data collection for replication summary, this may take awhile:
  .......


Source DSA          largest delta    fails/total %%   error
 NRLHOUDC03                46m:02s    0 /   6    0


Destination DSA     largest delta    fails/total %%   error
 NRLHOUDC04                46m:02s    0 /   6    0


Experienced the following operational errors trying to retrieve replication info
rmation:
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com
        8341 - NINAHOUDC02.nina.hsc.nrlmortgage.com

NRLHOUDC03:

Replication Summary Start Time: 2019-10-16 16:39:15

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error


Destination DSA     largest delta    fails/total %%   error


Experienced the following operational errors trying to retrieve replication info
rmation:
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com
        8341 - NINAHOUDC02.nina.hsc.nrlmortgage.com

NRLHOURDC01:

Replication Summary Start Time: 2019-10-16 16:40:17

Beginning data collection for replication summary, this may take awhile:
  .......


Source DSA          largest delta    fails/total %%   error
 NRLHOUDC03                41m:43s    0 /   6    0


Destination DSA     largest delta    fails/total %%   error
 NRLHOURDC01               41m:43s    0 /   6    0


Experienced the following operational errors trying to retrieve replication info
rmation:
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com
        8341 - NINAHOUDC02.nina.hsc.nrlmortgage.com

NINAHOUDC02:

Replication Summary Start Time: 2019-10-16 13:13:58

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 NINAHOUDC01               18m:47s    0 /   6    0
 NRLHOUDC03        42d.15h:00m:00s    4 /   4  100  (1908) Could not find the domain controller for this domain.


Destination DSA     largest delta    fails/total %%   error
 NINAHOUDC02       42d.15h:00m:05s    4 /  10   40  (1908) Could not find the domain controller for this domain.


Experienced the following operational errors trying to retrieve replication information:
        8341 - NRLHOUDC03.hsc.nrlmortgage.com
        8341 - NINAHOUDC01.nina.hsc.nrlmortgage.com

I've been troubleshooting this on and off for the past month or so and plan to do some heavy configuration changes this weekend but I don't know if I need to just start demoting DC's, clearing metadata and then re promoting or if there is an easier way to force the DC's to see each other.


Permissions NOT propagating properly


Here's the setup:

E Drive
|->Share A (Domain Admin Group - FULL - This and all Subfolders & Obj) (ShareA Users Group - FULL - This and all Subfolders & Obj)
       |-> SubFolder A (Domain Admin Group - FULL - inherited from Share A - This and all Subfolders & Obj) (ShareA Users Group - FULL - inherited from Share A - This and all Subfolders & Obj)
           |-> SUB SubFolder A (Domain Admin Group - FULL - inherited from Share A - This and all Subfolders & Obj) (ShareA Users Group - FULL - inherited from Share A - This and all Subfolders & Obj)

E Drive
|->Share B (Domain Admin Group - FULL - This and all Subfolders & Obj) (ShareA Users Group - FULL - This and all Subfolders & Obj)
       |-> Newly Created SubFolder 1 (Domain Admin Group - Special [actually full] - inherited from Share B -This Folder Only) (ShareA Users Group - Special [actually full] - inherited -This Folder Only)
           |-> SUB SubFolder 1 (Local Administrators - Special [actually full] - Not inherited - This Folder Only) (SYSTEM - Special [actually full] - Not inherited - This Folder Only)

All other shares on our file server are fine EXCEPT this one. As seen above, I have described in as much detail as I can what we are seeing. The root folder in that shared directory is set up exactly like all the others, and no other shares are having any issues like this. Any subfolder that we create in the affected share tree has permissions that state they are inherited; however, the only thing selected for the Domain Admin group is "Special", and if you go into the advanced settings it states Full, but it has now become "This Folder Only". Any subfolder beyond that has just Local Admin and System as the "Special" permissions. This is a relatively new issue, and since it was originally created this department's share has become quite large.

Does anyone have any idea why it is occurring like this, or should we just create a new subfolder for that group and move everything over? However, I'm not 100% sure that would fix our issue. I would love to know the cause. Any help would be appreciated.
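An added example for the post above; it is not the poster's code. It walks a share tree and, for one identity, prints each folder's ACE for that identity with the inheritance and propagation flags the GUI collapses into the word "Special", plus whether inheritance is blocked on the folder. An inherited ACE that applies to "this folder only" is exactly what a child receives when the parent's ACE carries NoPropagateInherit in its PropagationFlags, so that flag, or AreAccessRulesProtected being true on some folder in the path, is what to look for in the Finding column. Path and group name are placeholders.

```powershell
# Added example, not from the original post.
function Get-AceInheritanceReport {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'CORP\ShareA Users'
        [int]$Depth = 3
    )
    $ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $np = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    $folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth)
    foreach ($f in $folders) {
        $acl  = Get-Acl -LiteralPath $f.FullName
        $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
        if (-not $aces) {
            [pscustomobject]@{ Folder = $f.FullName; Protected = $acl.AreAccessRulesProtected; Rights = '<no ACE>'
                               Inherited = $null; Applies = $null; Propagation = $null; Finding = 'identity has no ACE here' }
            continue
        }
        foreach ($ace in $aces) {
            $toChildren   = $ace.InheritanceFlags.HasFlag($ci)   # ACE is handed down to subfolders
            $stopsAtChild = $ace.PropagationFlags.HasFlag($np)   # ...but they hand it no further
            $finding = if ($acl.AreAccessRulesProtected) { 'inheritance disabled on this folder' }
                       elseif (-not $toChildren)         { 'applies to this folder only' }
                       elseif ($stopsAtChild)            { 'subfolders get it, their children do not' }
                       else                              { 'ok' }
            [pscustomobject]@{
                Folder      = $f.FullName
                Protected   = $acl.AreAccessRulesProtected
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                Applies     = $ace.InheritanceFlags    # None, ContainerInherit, ObjectInherit
                Propagation = $ace.PropagationFlags    # None, NoPropagateInherit, InheritOnly
                Finding     = $finding
            }
        }
    }
}

Get-AceInheritanceReport -Root 'E:\ShareB' -Identity 'CORP\ShareA Users' | Format-Table -AutoSize -Wrap
```

Run it against the working share and the broken one with the same identity; the first folder where the Finding column differs between the two trees is where the ACEs stopped being equivalent, and its Applies/Propagation values say which flag to correct on that folder before re-applying inheritance below it.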
