Channel: Directory Services forum

Change Domain user's password from outside the domain


Hi,

I am looking for a solution for the following use case:

A person has remote access to a domain (VPN), but his PC has not joined any domain at all. The person should be able to change his own domain user's password. Normally, this can be done using Ctrl+Alt+Delete and then changing the Domain\User first to the user whose password should be changed. Access to a domain controller can be provided via the VPN.

But the user does not have a Change password option on his computer. I googled it, and it seems that this depends on the type of user used for login. On Windows 10 (only), when logged in using a Microsoft account, the option is never available, independent of how the group policy is set.

I did not find any other way for this user to change his password in the "foreign" domain. Everything seems to only work in your own domain (when you are already logged in to Windows using a domain user, which is not the case), for local users, or for the user you are logged in with. None of these applies.

So, is there some other way for this user to change his password that I missed? Or some way to get the Change password option back without changing the way the user logs in to his own computer?

Thank you,

Felix Alter, SOLUTIONS GmbH


Client systems are getting out of domain while resetting the password-Windows 10


Some of our users who are using Windows 10 are facing an issue where, when they reset their password, the system automatically drops out of the domain. Then we have to rejoin the computer to the domain. There are 4 laptops that are giving this kind of problem.

The on-site engineer has informed us that they are all laptops and that they observe this problem on Wi-Fi only.

I suggested to the IT Manager that we should try to run sysprep in generalize mode to reset the SID, but they do not agree. My guess is that it could be that 2 systems' SIDs are matching and, while changing the password, the DC is confused and throws a system out of the domain, but I am not sure.

Any help highly appreciated. Thanks.


Arif




Event 4625 Destination Information Missing

Hello! I noticed that my Domain Controller logs for Event 4625 (An account failed to logon) only gives me the source information. Should my DCs be recording the source AND destination for Event 4625? For example, if I attempt to access a remote file share, or RDP to a remote system, etc. should the 4625 log on the DC show both my IP address and the remote system I failed to connect to?



VMware

Yesterday, when I installed the virtual machine, I was prompted that the Microsoft VC redistributable had an error. Then the installation program rolled back and deleted it. In a flash, none of my software could be opened. The disk where the virtual machine was installed was completely emptied.

Making the EmployeeID attribute indexed.


We have servers that query our Active Directory for the unindexed EmployeeID attribute. Since it's unindexed, we have to query each of our five domains individually when the domain that may contain the object is unknown.

I'd like to make EmployeeID indexed (so it will be in the GC) and unique, to avoid duplicate values. My systems team is telling me that this should not be done because of negative impacts to our directory services. We have a total of 5190 users, contacts and groups across the 5 domains. I can't see this one change causing an unacceptable or even noticeable impact. Is there any documentation or real-world example I can cite to support my belief?


Robert W. Kirchhof


Issue with copying files to shared folder on 2019 DC from W10 workstation (Crossposted in File Services and Storage)


I posted this question in File Services and Storage and I was advised to post it here as well.

I have a weird issue where I can't copy files or folders to shared folders on our Windows Server 2019 DC from my Windows 10 1903 workstation.

When I try to copy files or folders into the shared folder on the 2019 DC, it just hangs until I get a message about a missing network connection to the shared folder.

I have also noticed that File Explorer takes some time to show the drives on the DC locally while the copying job is active.

However, when I copy something from our other servers (2008 R2 and 2012 R2) to the 2019 DC, there is no problem at all. Also, when I copy from the W10 workstation to the other servers, there are no issues...

I have tried making new test shares with full read/write access for everyone and also for my user specifically.

I also tried making a shared folder directly on the Hyper-V host, and I get the same problem.

The 2019 DC is a VM in Hyper-V with failover cluster.

The physical machine is a Lenovo SR530 with Server 2019.

Seems to me that something is up with the communication between W10 and Server 2019...

Any help would be greatly appreciated!


How to create Active Directory Trusts: "Realm" and "Shortcut"???


Hello,

I'd like to know how to create 2 types of trusts: Realm and Shortcut. Every article on the web touches on how to create forest or external trusts (oodles of them), but none tells how to build those remaining 2.

[image: external and forest trust]

This is the "standard" screen you get when trying to establish a trust; only 2 types are there. On the web I found this screenshot:

[image: realm trust]

but God only knows how to get it. Where is the shortcut/realm trust option?

Anyone?

Domain controller not getting populated in site and services


Domain controller not getting populated in site and services.

I just built a new domain controller, but it is not getting populated in Sites and Services. Please can someone let me know how to fix this, or whether it can be added manually?

If I add it manually, then the NTDS Settings are not visible.


Paramesh KA


AD DS replication between DCs from different domains in the same Forrest


Hello,

I am learning about AD DS and I have the following question.

I understand that:

AD DS has these partitions:

a) Schema, b) configuration, c) domain, d) application (e.g. DNS)

Only DC which holds Schema FSMO role has RW copy of Schema partition, other DCs have RO copy of Schema partition

every DC in the forest has RW copy of configuration partition

every DC from the concrete domain has RW copy of domain partition 

application partition can be set up with different scope (domain, forest)

Do I understand it right?

Then my question is about replication. If:

I have two domains in the forest: domain1 and domain2

I have four sites in the forest: Site1, Site2, Site3, Site4

In the Site1 there are two DCs (DC1 and DC2) from domain1

In the Site2 there are two DCs (DC3 and DC4) from domain1

In the Site3 there are two DCs (DC5 and DC6) from domain2

In the Site4 there are two DCs (DC7 and DC8) from domain2

In AD Sites and services replication between Site1 and Site2 will be:

Site1 - Intrasite replication between DC1 and DC2 is set up automatically

Site1 - There will be automatically chosen Bridgehead server

Site2 - Intrasite replication between DC3 and DC4 is set up automatically

Site2 - There will be automatically chosen Bridgehead server

Then I will create Site link between Site 1 and Site 2 (I know that I also have to configure subnets for sites)

In AD Sites and services replication between Site3 and Site4 will be:

Site3 - Intrasite replication between DC5 and DC6 is set up automatically

Site3 - There will be automatically chosen Bridgehead server

Site4 - Intrasite replication between DC7 and DC8 is set up automatically

Site4 - There will be automatically chosen Bridgehead server

Then I will create Site link between Site 3 and Site 4 (I know that I also have to configure subnets for sites)

Finally, my question is: do I have to set up replication (a site link) between Site1 and Site2, where the DCs from domain1 are, and Site3 and Site4, where the DCs from domain2 are, if there are domain controllers from different domains?

From my understanding, I do not have to do that in order to make sure that the other partitions (schema, configuration and application) will be replicated to DCs in the different domain. Am I right?

I am just learning and trying to understand AD replication topology; I would be glad for an explanation.

Thank you.
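The schema and configuration partitions are forest-wide, but intersite replication of any partition only happens over site links the KCC can use, so the practical check for a topology like the one laid out above is to list which naming contexts each DC actually hosts and which sites are joined by a site link. The following PowerShell is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module and read access to the forest, and the output columns are those the cmdlets return.

```powershell
# Added example (not from the original post): inventory which naming contexts
# each DC in the forest hosts and which site links exist, so the replication
# topology described above can be compared against what the KCC actually sees.
# Assumes the RSAT ActiveDirectory module and rights to read the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest

# One row per DC: its site, domain and the partitions (naming contexts) it hosts.
# The schema and configuration NCs appear on every DC; a domain NC only on that domain's DCs.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object Name, Domain, Site, IsGlobalCatalog,
            @{ n = 'Partitions'; e = { $_.Partitions -join '; ' } }
}
$dcs | Sort-Object Site, Domain | Format-Table -AutoSize

# Helper: turn a site DN (CN=Site1,CN=Sites,CN=Configuration,...) into the site name.
function Get-SiteNameFromDn([string]$dn) { (($dn -split ',')[0]) -replace '^CN=' }

# Site links: which sites each link connects, with cost and replication interval.
$links = Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded
$links |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { Get-SiteNameFromDn $_ }) -join ', ' } } |
    Format-Table -AutoSize

# A site on no site link cannot take part in intersite replication of any
# partition, regardless of which domain its DCs belong to.
$linkedSites = $links.SitesIncluded | ForEach-Object { Get-SiteNameFromDn $_ } | Sort-Object -Unique
$allSites    = Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name
$orphans     = $allSites | Where-Object { $_ -notin $linkedSites }
if ($orphans) { Write-Warning ("Sites without any site link: " + ($orphans -join ', ')) }

# Verify from the DC side: each DC's inbound partners, per partition, with the
# last success time and the count of consecutive failures.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.Name -PartnerType Inbound -ErrorAction SilentlyContinue |
        Select-Object Server, Partition, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
}
```

The partner metadata block is the one to watch operationally: a DC in domain2 should show inbound partners for the schema and configuration partitions even though no domain1 DC will ever be a partner for its domain partition.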

Protect domain admins group users


Hi Sir,

We would like to prevent domain admin users' credentials from being abused on the devices where they log in. We are thinking of using the Protected Users security group. However, there are some restrictions when putting a domain admin user in the Protected Users security group.

Or does anyone have a better idea of how to protect domain admin users?

Regards,

Shiro

To generate AD Replication Tool


Dear Team,

I want to do AD replication on a daily basis and generate the report from an audit perspective.

Third Party DNS and Disjoint Namespaces


In an environment using a third party (Infoblox) for internal DNS and DHCP, let's assume DNS is not AD-integrated and disjoint namespaces are in use. Do AD sites still play a role in domain members locating domain controllers? Second question: does using disjoint namespaces, when DNS is not AD-integrated, make locating domain controllers more efficient for member computers? If so, how? If anyone knows of supporting documentation showing a positive or negative effect of using disjoint DNS in this scenario, I'd love to see it.

I've read all of the following docs but am still seeking clarity on this question.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/dns-and-ad-ds

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781627(v=ws.10)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/disjoint-namespace

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755926(v=ws.10)?redirectedfrom=MSDN

https://blogs.msdn.microsoft.com/servergeeks/2014/07/05/how-do-servers-locate-a-domain-controller-in-a-network/

https://support.microsoft.com/en-us/help/247811/how-domain-controllers-are-located-in-windows



Restrict RPC Dynamic Ports in domain controller


I am planning to implement a read-only domain controller in the DMZ, so I have to restrict the RPC dynamic ports.

I have the questions below. Thanks.

1. Do I need to set a static RPC port on all domain controllers?

2. Will it affect performance (e.g. login, replication) because it is limited to one port?

3. I can't find any Microsoft document about RODC for Windows Server 2019. I would be grateful if you could share one.

Service account Configuration in Active Directory


Hi Team,

We want to set up a service account which will interact with all the servers in our infrastructure.

In order to fulfill our requirement, the service account should have domain admin permissions, but as per our security policy we should not directly grant domain admin privileges to any service account.

Is there any other solution where the service account will have domain admin privileges without directly linking domain admin privileges to the respective service account?



DFS Shares randomly not accessible


Hello,

We have a DFS Namespace with some shared folders defined. We have 4 Domain Controllers configured as Namespace Servers; all 4 are located in the same site and are in one LAN. Randomly, users cannot access these shares; it might work again after a short while. I feel like two of our 4 Namespace Servers have issues, because if I do a "net share mx" on the two servers I suspect, I get an Access denied, while the same command works on the other two Namespace Servers.

Both servers with issues are our newest DCs, which are running Windows Server 2019, while the two that work are 2008 R2 and 2012 R2. I recently (well, about 2 months ago) moved all FSMO roles from the 2008 R2 to one of the 2019 servers.

But if I look at the sharing permissions, all have the same settings. In DFS Management, Everyone has Read, while the sharing + NTFS permissions do not have permissions for Everyone, but none of the servers has.

net share mx
Share name        mx
Path              C:\DFSRoots\mx
Remark
Maximum users     No limit
System error 5 has occurred.

Access is denied.

The same command works on the old Namespace Servers:

net share mx
Share name        mx
Path              C:\DFSRoots\mx
Remark
Maximum users     No limit
Users             koster
Caching           Manual caching of documents
Permission        Everyone, READ

The command completed successfully.


I also get some Access Denied errors when I run "DFSDiag /TestDFSConfig /DFSRoot:\\mobilex.intra\mx" on these two servers in question.

on dc1-2019:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Comparing DC2-2019.mobileX.intra - DC1-2019.mobileX.intra.
Error: Access is denied.
Ignoring the following server for comparison: DC1-2019.mobileX.intra
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

on dc2-2019:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Error: Access is denied.
Ignoring the following server for comparison: DC2-2019.mobileX.intra
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

The same command on my older Namespace Servers does not return any error:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Comparing DC2-2019.mobileX.intra - DC1-2019.mobileX.intra.
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

I am not very familiar with this topic; I hope someone can explain and point me in the right direction.

kr

Dieter



Active Directory Certificate Services service could not be started


Background:

I have a Windows Server 2019 that was migrated from SBS 2011; the migration was done in March 2019.
Today I tried configuring a RADIUS server and noticed that the AD Certificate Authority was down.

I cannot start the Active Directory Certificate Services service.
1)
net start certsvc
The Active Directory Certificate Services service is starting.
The Active Directory Certificate Services service could not be started.

A service specific error occurred: 3355444232.

More help is available by typing NET HELPMSG 3547.

2)
file not found 0xc8000713 (ESE: - 1811 JET-errFileNotFound)

3) after *.edb restore from backup:
Cannot access file, the file is locked or in use 0x8000408 (ESE: -1032 JET_errFileAccessDenied)

I tried to use esentutl:
Those are the commands I tried:

Perform a defragmentation of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl -d <CA Name>.edb
replay: Operation terminated with error -1209 (JET_errInvalidDatabaseVersion, Database engine is incompatible with database)

Examine the integrity of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl /g <CA Name>.edb
replay: Operation completed successfully

Perform database recovery
%systemdrive%\windows\system32\certlog>esentutl /r edb
replay: Operation terminated with error -1003 (JET_errInvalidParameter, Invalid API parameter)

Perform a lossy repair of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl /p <CA Name>.edb
replay: Operation completed successfully

View the Perfca.edb database in File Dump mode
%systemdrive%\windows\system32\certlog>esentutl /mh <CA Name>.edb

4)
After removing the logs from the folder %systemdrive%\windows\system32\Certlog and keeping only the .edb file, instead of doing a Recovery on the DB file I did a Repair instead (esentutl.exe /p "path_to_edb_file").
replay: file not found 0xc8000713 (ESE: - 1811 JET-errFileNotFound)


None of them worked.

Thanks,

Tomer

Using Group policy to deploy the Hardening policies to all client


Hi all,

We have the CIS benchmark Windows OS hardening documents. Now we are manually applying all the hardening policies to all client machines one by one, and this way it is taking too long to achieve our goal. Manual hardening takes around 5 to 6 hours, and we have around 4000 machines.

Now we want to deploy all the hardening policies to all the domain clients by using a GPO or any scripts, to achieve our goal quickly. Is there any possible way to solve this? Kindly advise me on this issue. Awaiting your positive responses.

Thanks,

Lee

Password Policy - General question


I built out a Fine-Grained Password Policy using ADAC with a minimum password length of 14 characters and applied it to a Global Security Group. I tested it on a couple of user accounts by doing the following:

1. User account with a 14-character password: went to change the password and tried using a password that had fewer than 14 characters. The policy worked as expected and said I needed to meet the requirements before the password change would apply. Yay!

2. User account with an 8-character password: not sure what the expected behavior is. I waited a good hour before trying it out to make sure everything had replicated. I was able to log in, but was not prompted to change the password.

I was hoping someone could tell me what the expected behavior is for a user account that has a password that does not meet the requirements and was created before the password policy was created. I was hoping it would just force a password change on the accounts that do not meet the requirements. If this is not the case, is there a PowerShell script that can show me all accounts that do not have passwords that are 14 characters?

Thank you in advance,

Matt 


Matt Dillon
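A password policy is evaluated when a password is set or changed, not against the hashes already stored in the directory, so nothing in AD can report the length of an existing password. What can be reported is which accounts the fine-grained policy wins for and whose password was last set before the policy existed. The following PowerShell is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, and the policy name 'Length14' is a placeholder for the poster's actual FGPP name.

```powershell
# Added example (not from the original post): list accounts governed by a
# fine-grained password policy whose current password predates that policy.
# AD stores only password hashes, so a script cannot read an existing
# password's length; "set before the policy was created" is the usable proxy.
# Assumes the RSAT ActiveDirectory module; 'Length14' is a placeholder name.
Import-Module ActiveDirectory

$policyName = 'Length14'   # placeholder: replace with the name of your FGPP
$fgpp = Get-ADFineGrainedPasswordPolicy -Identity $policyName -Properties whenCreated, MinPasswordLength, AppliesTo
$policyCreated = $fgpp.whenCreated

# Expand whatever the policy applies to (groups or users) into user accounts.
$candidates = foreach ($dn in $fgpp.AppliesTo) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $dn -Recursive | Where-Object { $_.objectClass -eq 'user' }
    } else {
        $obj
    }
}

# For each user, confirm this FGPP is the resultant (winning) policy, since a
# policy with lower precedence on another group could override it.
$report = foreach ($c in ($candidates | Sort-Object -Property DistinguishedName -Unique)) {
    $user      = Get-ADUser -Identity $c.DistinguishedName -Properties PasswordLastSet, PasswordNeverExpires
    $effective = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($effective -and $effective.Name -eq $fgpp.Name) {
        [pscustomobject]@{
            SamAccountName       = $user.SamAccountName
            Enabled              = $user.Enabled
            PasswordLastSet      = $user.PasswordLastSet
            # $null PasswordLastSet means "must change at next logon" or never set
            SetBeforePolicy      = ($null -eq $user.PasswordLastSet) -or ($user.PasswordLastSet -lt $policyCreated)
            PasswordNeverExpires = $user.PasswordNeverExpires
            RequiredMinLength    = $effective.MinPasswordLength
        }
    }
}

$report | Sort-Object SetBeforePolicy -Descending | Format-Table -AutoSize

# Optional remediation: require a change at next logon for the stale, enabled
# accounts. -WhatIf only shows what would happen; remove it after reviewing the list.
$report | Where-Object { $_.SetBeforePolicy -and $_.Enabled } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

Accounts with PasswordNeverExpires set deserve a separate look, since for them the policy will never be triggered by expiry and only a forced or voluntary change brings the password under the 14-character rule.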

LAPS on multiple DC's

From a global infrastructure perspective, can you install the LAPS UI on multiple DCs, or does it need to be on one "master DC"?

Domain admin limit


Hello All,

Is there a way to limit the number of Domain Admins in an environment?

In our environment we can add only 20 members as Domain Admins; the 21st can be added and is reflected as a DA, but is not able to log in to any DC, always the same "no access" error.

How can we check this?

regards

Aamir Masthan


NA
