Channel: Directory Services forum

How to export w32tm output in CSV


Is there any way to export the below command's output in table format?

w32tm /monitor /domain:my_domain

Example:

Servername      ICMP         NTP

dc1               61ms delay  +0.0000000s offset from DC1.local.com
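One way to get the output above into a CSV, as an added example that is not part of the original post: parse the text that `w32tm /monitor` prints into objects and hand them to Export-Csv. The sample output, host names and addresses below are constructed to mirror the command's layout.

```powershell
# Added example (not from the post): parse "w32tm /monitor /domain:<domain>"
# text into objects. Sample data below is constructed; names are placeholders.
function ConvertFrom-W32tmMonitor {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # A server entry starts in column 0 and ends with "[ip:port]:"
        if ($line -match '^(?<srv>[^\s\[]+).*\[(?<addr>[^\]]+)\]:\s*$') {
            if ($current) { $current }          # emit the previous server
            $current = [pscustomobject]@{
                Server    = $Matches.srv
                Address   = $Matches.addr
                IsPdc     = ($line -like '*PDC*')
                IcmpMs    = $null
                OffsetSec = $null               # stays empty on "NTP: error ..." lines
                RefServer = $null
                Stratum   = $null
            }
        }
        elseif ($current -and $line -match 'ICMP:\s+(?<ms>\d+)ms delay') {
            $current.IcmpMs = [int]$Matches.ms
        }
        elseif ($current -and $line -match 'NTP:\s+(?<off>[+-]\d+\.\d+)s offset from (?<ref>\S+)') {
            $current.OffsetSec = [double]$Matches.off
            $current.RefServer = $Matches.ref
        }
        elseif ($current -and $line -match 'Stratum:\s+(?<st>\d+)') {
            $current.Stratum = [int]$Matches.st
        }
    }
    if ($current) { $current }
}
# Constructed sample of the command's output for a domain with two DCs
$sample = @'
DC1.example.local *** PDC ***[192.0.2.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from DC1.example.local
        RefID: 'LOCL' [0x4C434F4C]
    Stratum: 1
DC2.example.local[192.0.2.11:123]:
    ICMP: 61ms delay
    NTP: -0.0012345s offset from DC1.example.local
        RefID: DC1.example.local [192.0.2.10]
    Stratum: 2
'@ -split "`r?`n"
# Live use: $rows = ConvertFrom-W32tmMonitor (w32tm /monitor /domain:my_domain)
$rows = ConvertFrom-W32tmMonitor $sample
$rows | Export-Csv -Path .\w32tm-monitor.csv -NoTypeInformation
```

Rows with an empty OffsetSec are servers that answered ICMP but returned an NTP error, which is the case worth alerting on when the CSV is collected on a schedule.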


How to create Active Directory Trusts: "Realm" and "Shortcut"???


Hello,

I'd like to know how to create 2 types of trusts: Realm and Shortcut. Every article on the web touches on how to create forest or external trusts (oodles of them), but none tells how to build the remaining 2.

external and forest trust

This is the "standard" screen you get when trying to establish a trust; only 2 types are there. On the web I found this screenshot:

realm trust

but God only knows how to get it. Where is the shortcut/realm trust option?

Anyone?

Domain Controller AD


Hi,

I recently configured domain controller.

In my previous company, to join a client PC to the domain we needed to add the IP address of the server in the client's DNS settings. Only then would it connect to the server. But in some companies I have noticed that a PC will join the domain without adding the server IP address in the client DNS. I came to know that we need to do this with the DNS Role..

Can any one please help me?

Existing Setup..

Domain Controller IP: 192.168.100.xxx and one more server is also in that range.

Client PC IP Range: 192.168.110.xxx

Thank you



How to debug 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED) in Certificate server


Hi!

I have two domains: one with administrative accounts (ADM) and one with resources (RES).

Domain RES trusts domain ADM, so users from ADM can login to domain RES.

ADM does not trust RES.

Our PKI (issuing CA and two pairs of CES+CEP) is in the RES domain.

I want to give users from the ADM domain rights to get certificates.

Access to read the CA, the templates, and to enroll specific templates is already granted for my account (user@ADM).

At the moment I (as user@ADM) can see the list of available certificates, but get an error when I try to get one.


For example:

#$admcred=Get-Credential

Get-Certificate  -SubjectName "CN=qqq" -template "User-manual" -Url "https://srv-caext-01.xxx.yyy/KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -Credential $admcred -CertStoreLocation "Cert:\CurrentUser\My"

Errors from: certsrv.log

457.1846.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

504.108.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

515.349.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

515.236.0:<2019/10/16, 16:31:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Errors from powershell output:

Get-Certificate : CertEnroll::CX509Enrollment::Enroll:  The certificate request could not be submitted to the certification authority. A certificate
could not be issued by the certification authority.: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933
WS_E_ENDPOINT_FAULT_RECEIVED)
At line:2 char:1
+ Get-Certificate  -SubjectName "CN=qqq" -template "User-manual" -Url " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Certificate], Exception
    + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.GetCertificateCommand

I don't see any error in other logs from the CA and DC. I see messages about successful authentication/impersonation.

How to find more information about the error in certsrv.log?





Authoritative Restore

Dear Team,

I'm trying to perform an authoritative restore for one OU, but it's not working:
after replication the restored object gets deleted.
Please find the steps below:

1. Boot the system into DSRM.
2. Log in with the DSRM credentials.
3. Disable the AD services.
4. Restore the system state using wbadmin.
5. Perform the authoritative restore command:
    restore subtree "ou=***,DC=***,DC=***"
After the restore, reboot AD in normal mode.

..But post-replication the restored OU gets deleted.

R!t@$#

Active Directory Certificate Templates published more than listed on Enterprise Intermediate CA


Hi,

While looking at CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Example>,DC=<Example>,DC=Local (Example is just a placeholder) I found 45 certificate templates published in AD, but while looking at the Enterprise Intermediate CA I see only 26 that have been deployed by the CA. Why is there a difference? Is there any way I can find out who issued the additional certificates in AD under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Example>,DC=<Example>,DC=Local? Your feedback is appreciated.

Kind Regards,

AK  
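The difference between the two counts is expected: the Certificate Templates container holds every template defined in the forest, while a CA issues only the templates listed in its own certificateTemplates attribute under CN=Enrollment Services. The following is an added example (not from the post) that compares the two sets and shows when each unpublished template object was created and last changed; it assumes the ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the post): templates defined in AD versus templates
# each enterprise CA is configured to issue. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Compare-PublishedTemplates {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pki      = "CN=Public Key Services,CN=Services,$configNC"

    # Every template object in the forest, with its change history
    $templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pki" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, whenCreated, whenChanged

    # Each enterprise CA and the template names it has been told to issue
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pki" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates

    foreach ($t in $templates) {
        $issuers = $cas | Where-Object { $_.certificateTemplates -contains $t.Name } |
                   Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Template    = $t.Name
            DisplayName = $t.displayName
            IssuedByCA  = ($issuers -join ';')     # empty = defined but not published
            WhenCreated = $t.whenCreated
            WhenChanged = $t.whenChanged
        }
    }
}

# Templates present in AD but not published by any CA. Who created them is only
# recorded if directory-service object auditing (event 5137) was on at the time;
# whenCreated/whenChanged at least narrow down the window to search.
Compare-PublishedTemplates | Where-Object { -not $_.IssuedByCA } |
    Sort-Object WhenCreated | Format-Table -AutoSize
```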

Make a field as read-only for users


Hello, I need to make the field Office (physicalDeliveryOfficeName) read-only for my users.

So nobody can edit their own Office field.

How can I do it?

Many thanks to everyone!


Piero

Active Directory Certificate Services service could not be started


Background:

I have a Windows Server 2019 that was migrated from SBS 2011; the migration was done in March 2019.
Today I tried configuring a RADIUS server and noticed that the AD Certificate Authority was down.

I cannot start the Active Directory Certificate Services service.
1)
net start certsvc
The Active Directory Certificate Services service is starting.
The Active Directory Certificate Services service could not be started.

A service specific error occurred: 3355444232.

More help is available by typing NET HELPMSG 3547.

2)
file not found 0xc8000713 (ESE: - 1811 JET-errFileNotFound)

3) after *.edb restore from backup:
Cannot access file, the file id locked or in use 0x8000408 (ESE: -1032 JET_errFileAccessDenied)

I tried to use esentutl:
Those are the commands I tried:

Perform a defragmentation of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl -d <CA Name>.edb
replay: Operation terminated with error -1209 (JET_errInvalidDatabaseVersion, Database engine is incompatible with database)

Examine the integrity of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl /g <CA Name>.edb
replay: Operation completed successfully

Perform database recovery
%systemdrive%\windows\system32\certlog>esentutl /r edb
replay: Operation terminated with error -1003 (JET_errInvalidParameter, Invalid API parameter)

Perform a lossy repair of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl /p <CA Name>.edb
replay: Operation completed successfully

View the Perfca.edb database in File Dump mode
%systemdrive%\windows\system32\certlog>esentutl /mh <CA Name>.edb

4)
After removing the logs from the folder %systemdrive%\windows\system32\Certlog and keeping only the .edb file, instead of doing a Recovery on the DB file I did a Repair instead (esentutl.exe /p "path_to_edb_file").
replay: file not found 0xc8000713 (ESE: - 1811 JET-errFileNotFound)


None of them worked.

Thanks,

Tomer


AD Health Check


Hello,

I'm getting the script about AD health check from this site gallery.technet.microsoft.com/scriptcenter/Active-Directory-Health-709336cd#content and the output is not so good. Previously we just ran the Repadmin command, especially repadmin /replsummary, in order to check our AD health. But from this script the result was not so good and I don't really understand the Test Failed, since we don't encounter any replication error.

PingStatus | NetlogonService | NTDSService | DNSServiceStatus | NetlogonsTest    | ReplicationTest     | ServicesTest    | AdvertisingTest    | FSMOCheckTest
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsTimeout | ReplicationsTimeout | ServicesTimeout | AdvertisingTimeout | FSMOCheckTimeout
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesFail    | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsFail    | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesPassed  | AdvertisingPassed  | FSMOCheckPassed
Success    | Running         | Running     | Running          | NetlogonsPassed  | ReplicationsPassed  | ServicesFail    | AdvertisingPassed  | FSMOCheckPassed


The ServicesTimeout error, I found out, is because the script's Wait-Job waits for 60 sec; after manually running dcdiag /s:DC03 /a /test:Netlogon the result was good. It just needs more than 60 sec.

Anyway, the real issue now is about the test failures NetlogonsFail and ServicesFail (bold). I wonder whether we can just ignore this error, or whether this error can cause replication issues? I already checked that replication was good from repadmin /replsummary, and dcdiag also does not mention any replication error. The attributes also replicate well between the DCs.

Meanwhile, when we run dcdiag /s:DC03 /a /test:Netlogon on the server that encountered NetlogonFail, the error is valid. Below is the error:

Unable to connect to the NETLOGON share! (\\DC07\netlogon)
[DC07] An net use or LsaPolicy operation failed with error
67, The network name cannot be found..
......................... DC07 failed test NetLogons

Now I'm starting to worry whether our DCs are in good condition or not. Previously we just relied on repadmin /replsummary and the repadmin command to check the replication. Kindly advise.

P/S: Sorry, I'm unable to insert a picture due to "Body text cannot contain images or links until we are able to verify your account."



Windows 10 Lock Screen Slide Show (Multiple .JPEG images) Using group policy


I want the slideshow feature of the lock screen to do this on all domain computers via GP instead of the screensaver.

I have around 2000 Windows 10 Enterprise clients.

DC : 2012 R2

Kind Regards,

RPadmam.


RJ

find where account was logged in


Hi,

I have one domain admin account that was created a long time ago for some specific task...

No one remembers what it served for. Sure, I can disable it and wait to see what pops up...

But maybe there is a script that can help find where the account was logged in last.

Thx.


--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis
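The catch with "last logon" in AD is that lastLogon is never replicated (each DC only records the logons it serviced) while the replicated lastLogonTimestamp may lag up to 14 days. The following is an added example, not from the post, that asks every DC for its own value; it assumes the ActiveDirectory module and uses a placeholder account name.

```powershell
# Added example (not from the post): per-DC lastLogon for one account.
# Assumes the ActiveDirectory module; 'svc-legacy-admin' is a placeholder name.
Import-Module ActiveDirectory

function Get-LastLogonPerDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server pins the query to one DC, so lastLogon is that DC's own record
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
            $last = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) }
            $repl = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) }
            [pscustomobject]@{
                DC                 = $dc.HostName
                LastLogon          = $last     # not replicated: this DC only
                LastLogonTimestamp = $repl     # replicated, but up to 14 days stale
            }
        } catch {
            # An unreachable DC must not hide the answers from the others
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

$results = Get-LastLogonPerDC -SamAccountName 'svc-legacy-admin'
$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

The newest LastLogon row tells you when and through which DC the account last authenticated; the source host is only in that DC's Security log (Kerberos events 4768/4769 carry the client address), so query that DC's log around the reported time.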

pwdLastSet attribute blank on AD user objects


Hello all,

I have a situation where I have user objects in Active Directory that do not have passwords set (attribute = pwdLastSet). The user object is not disabled either.

What factors would allow an object to meet these criteria, pwdLastSet = blank and the user object not disabled? My understanding is that if a user object has no password it should be disabled, especially if password complexity is set, which it is in my environment.

Thank you in advance for your assistance on this question.


Matt Burgos
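A pwdLastSet of 0 means the password was never set or the account is flagged "must change password at next logon"; neither condition disables the account, and the complexity policy is not applied to an account whose userAccountControl carries PASSWD_NOTREQD (0x20), which permits a blank password. The following is an added example, not from the post, that lists enabled users with pwdLastSet = 0 and flags the PASSWD_NOTREQD ones; it assumes the ActiveDirectory module.

```powershell
# Added example (not from the post): enabled users with pwdLastSet = 0, with the
# PASSWD_NOTREQD bit called out. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EnabledUserWithoutPwdLastSet {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $PASSWD_NOTREQD = 0x20
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; bit 2 = ACCOUNTDISABLE,
    # so the negated clause keeps only enabled accounts.
    $filter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
        -Properties pwdLastSet, userAccountControl, whenCreated, lastLogonTimestamp |
        ForEach-Object {
            $lastLogon = if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTime($_.lastLogonTimestamp)
            }
            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                WhenCreated         = $_.whenCreated
                LastLogonReplicated = $lastLogon
                PasswordNotRequired = [bool]($_.userAccountControl -band $PASSWD_NOTREQD)
            }
        }
}

# PasswordNotRequired = True is the case to investigate first: such an account
# can exist with a blank password regardless of the domain password policy.
Get-EnabledUserWithoutPwdLastSet |
    Sort-Object PasswordNotRequired -Descending | Format-Table -AutoSize
```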

How to restrict particular domain admins from accessing other domains in the same forest.


I have a setup with a single forest and 4 domains, and we have separated a domain from our infra. So we want to restrict that particular domain from accessing all other 3 domains in the same forest.

I.e. Forest 1: Domain 1, domain 2, domain 3, domain 4.

Here domain 4 should not have any access to the other domains; even administrators can't access the remaining ones.

I have removed Enterprise Admins access for Domain 4 admins and removed the privilege from the built-in Administrators. Let me know if any other parts are missing and whether any GPO is required to restrict this.



Migrated DC from server 2008 to 2012


I have successfully migrated the server from 2008 to 2012 and the FSMO roles also changed to the new server, but I got this error: "error determining whether the target server is already a domain controller: the domain controller promotion completed, but the server is not advertising as a domain controller"

Could you please help me to fix this issue 

I can't find Printers in AD

Hello, today I installed RSAT on my Windows 10 computer. I see all the options or tabs except the printers. Can someone help me? Thanks.

Sysvol folder is not replicated after server migration


Consider my scenario: I have 3 servers (physical machines, Dell PowerEdge 730).

1. Server A is Windows Server 2012 R2 Standard - PDC

2. Server B is Windows Server 2012 R2 Standard - BDC

3. Server C is a newly deployed Server 2016 Standard; no roles are installed

Server A holds all FSMO roles; the 3 are connected to the same LAN segment, with no firewall in between.

We migrated server A to C and followed the guide below:

http://www.rebeladmin.com/2016/10/step-step-guide-migrate-active-directory-fsmo-roles-windows-server-2012-r2-windows-server-2016/

After migration all users, groups and FSMO roles moved successfully, but the sysvol folder and netlogon are not replicated. Why? Does anything need to be changed?

Third Party DNS and Disjoint Namespaces


In an environment using a third party (Infoblox) for internal DNS and DHCP, let's assume DNS is not AD integrated and disjoint namespaces are in use: do AD sites still play a role in domain members locating domain controllers? Second question: does using disjoint namespaces, when DNS is not AD integrated, make locating domain controllers more efficient for member computers? If so, how so? If anyone knows of supporting documentation showing a positive or negative effect of using disjoint DNS in this scenario, I'd love to see it.

I've read all of the following docs but am still seeking clarity on this question.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/dns-and-ad-ds

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781627(v=ws.10)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/disjoint-namespace

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755926(v=ws.10)?redirectedfrom=MSDN

https://blogs.msdn.microsoft.com/servergeeks/2014/07/05/how-do-servers-locate-a-domain-controller-in-a-network/

https://support.microsoft.com/en-us/help/247811/how-domain-controllers-are-located-in-windows



Client systems are getting out of domain while resetting the password-Windows 10


Some of our users who are using Windows 10 are facing an issue where, when they reset their password, the system automatically drops out of the domain. Then we have to rejoin the computer to the domain. There are 4 laptops which are giving this kind of problem.

The on-site engineer has informed us that they are all laptops and that they observe this problem on Wi-Fi only.

I suggested to the IT Manager that we should try to run sysprep in generalize mode to reset the SID, but they did not agree. My guess is that 2 systems' SIDs may be matching and, while changing the password, the DC is confused and throws a system out of the domain, but I am not sure.

Any help highly appreciated . Thanks.


Arif




"Locked for editing..." by a generic username, not the named user


Hi,

Following on from my thread here: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_domains-mso_o365b/locked-for-editing-by-a-generic-username-not-the/b71cf68d-1bbf-47e5-a3c2-e6d449c965b2?messageId=674853fc-ae11-4b2a-adeb-dc2d1ac2a2e1

It was suggested that I post in here as it could be an AD issue.

Essentially we have a scenario where users are unable to see who has locked a file that is being used on a network share. The file is locked for editing by 'Staff/Research Student' rather than the specific username of the person.

The department used to have Windows 7 and Office 2010, which was never an issue: when the file was open, it would identify by username who it was locked to.

They have since been updated to Windows 10 and Office 365 and now they're presented with the above, more generic option.

I am wondering if anyone has seen this prior and whether anyone may have any advice.

Thanks.

DCDIAG Failures


Hi All,

I have created a script which runs DCDIAG and Repadmin and produces output from all Domain Controllers in the Domain. However, I have a few failures on some DCs which I have not troubleshot before.

The failures I have are MachineAccount, Netlogons, Replications, Services, System Log. I know the issue with MachineAccount, which is the fact that the Domain Controllers are not in the built-in OU in AD but live outside it.

The question is: are there any troubleshooting tools which I can use given the failures above?

Any help or guidance would be appreciated.

Regards.
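Both this post and the AD Health Check post above end up reading dcdiag's plain text by eye. The following is an added example, not from either post, that turns that text into objects so the failed tests can be filtered and the explanatory lines preceding each "failed test" verdict kept; the sample output is constructed from the lines quoted in the AD Health Check post, and DC07 is that poster's host name.

```powershell
# Added example (not from either post): parse dcdiag output into objects.
# Sample below is constructed from the AD Health Check post; DC07 is its host.
function ConvertFrom-DcDiag {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $detail = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line -match '^\s*Starting test:\s*\S+') {
            $detail.Clear()                       # new test, drop old context
        }
        elseif ($line -match '^\s*\.{3,}\s+(?<dc>\S+)\s+(?<verdict>passed|failed)\s+test\s+(?<test>\S+)') {
            $failed = ($Matches.verdict -eq 'failed')
            $text   = if ($failed) { ($detail -join ' ').Trim() } else { '' }
            [pscustomobject]@{
                DC     = $Matches.dc
                Test   = $Matches.test
                Passed = -not $failed
                Detail = $text                    # why it failed, from dcdiag's own lines
            }
            $detail.Clear()
        }
        elseif ($line.Trim()) {
            $detail.Add($line.Trim())             # explanatory lines before a verdict
        }
    }
}

# Constructed sample: the NetLogons failure quoted in the post plus one pass
$sample = @'
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC07\netlogon)
         [DC07] An net use or LsaPolicy operation failed with error
         67, The network name cannot be found..
         ......................... DC07 failed test NetLogons
      Starting test: Replications
         ......................... DC07 passed test Replications
'@ -split "`r?`n"

# Live use: ConvertFrom-DcDiag (dcdiag /s:DC07 /a) | Where-Object { -not $_.Passed }
ConvertFrom-DcDiag $sample | Where-Object { -not $_.Passed } | Format-List
```

Error 67 on \\DC\netlogon means the DC is not offering the NETLOGON share at all, which is what dcdiag reports when SYSVOL has not finished replicating on that DC, so a NetLogons failure is worth correlating with the SYSVOL state rather than with repadmin's directory-replication summary.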
