I have setup with single forest and 4 domain and we have separated a domain from our infra. So we want to restrict that particular domain to access all other 3 domains in the same forest. 

Ie - Forest 1: Domain 1, domain 2, domain 3 domain 4.

Here domain 4 should not have any access to other domain even administrators can't access the remaining.

I have removed enterprise admin access for Domain 4 admins and removed the privilege from built-in administrators. Let me if any other missing parts and do required any GPO to restrict parentally 

Hello Folks,

Is event ID 1119 which says a domain controller is now a Global Catalog after promoting the server to domain controller in 2K8R2, is this event replaced by any other event in Windows 2016,I couldn't see it under directory service after promoting the server to DC in 2K16 whereas i could see the server is Global Catalog Ready and there is event 1394.

Regards,

Aatif

Regards, Aatif Kungle

I need to upgrade our Domain and our current domain name is not our corporate domain name due to legacy situation at time of creation and long before I was here. The plan is to create a new 2019 domain, create a full trust and migrate to it using the corporate domain name.

I have read up on making the migration using ADMT, but I want to make sure there isn't anything that could pose a problem I'm not aware of since our current domain is in hybrid state using the the corporate domain as our email domain. So while our current AD domain name is asdf.com our email domain name is corpname.com and is a hybrid Exchange 2010 / Office 365 configuration.

For one thing, currently we cannot user our UPN to log into our domain since it is different than our public /email domain name. When I migrate to the new Domain I am hoping I can seamlessly begin having them log in with there UPN.

I am hoping I can do the following:

Create new corp domain

Create Full Trust

Migrate Users to new Domain

Migrate User Computer accounts to new Domain

Migrate Servers to new Domain

Configure LDAP Authenticating devices to new Domain.

Break Full Trust

Disable Hybrid Exchange environment.

Decommission old Domain

- LZ

Net User /domain is supposed to list all user accounts in the domain.

By default, any authenticated user should be able to run the command and list all domain user accounts.

In certain cases, the following may be seen:

1. Command returns Access Denied

C:\>net user /domain
The request will be processed at a domain controller for domain Litware.com.

System error 5 has occurred.

Access is denied.

2. Network capture shows "nca_s_fault_access_denied" error from the domain controller

Request:

No.     Time           Source                SrcPort Destination           DstPort Protocol Info
   1189 25.835895      10.100.10.5           50848   10.100.10.4           445     SAMR     Connect5 request

Frame 1189: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits) on interface 0
Ethernet II, Src: Microsof_f4:cb:85 (00:0d:3a:f4:cb:85), Dst: 12:34:56:78:9a:bc (12:34:56:78:9a:bc)
Internet Protocol Version 4, Src: 10.100.10.5, Dst: 10.100.10.4
Transmission Control Protocol, Src Port: 50848, Dst Port: 445, Seq: 4195, Ack: 1518, Len: 260
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
    Ioctl Request (0x0b)
        StructureSize: 0x0039
        Reserved: 0000
        Function: FSCTL_PIPE_TRANSCEIVE (0x0011c017)
        GUID handle File: samr
        Max Ioctl In Size: 0
        Max Ioctl Out Size: 1024
        Flags: 0x00000001
        Reserved: 00000000
        Blob Offset: 0x00000078
        Blob Length: 136
        In Data
        Blob Offset: 0x00000078
        Blob Length: 0
        Out Data: NO DATA
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 136, Call: 2, Ctx: 1, [Resp: #1195]
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x03
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
    Frag Length: 136
    Auth Length: 0
    Call ID: 2
    Alloc hint: 112
    Context ID: 1
    Opnum: 64
    [Response in frame: 1195]
    Complete stub data (112 bytes)
SAMR (pidl), Connect5
    Operation: Connect5 (64)
    [Response in frame: 1195]
    Pointer to System Name (uint16): \\LitwareRootDC01.Litware.com
    Access Mask: 0x00000030
    Level In: 1
    Pointer to Info In (samr_ConnectInfo)

Response:

No.     Time           Source                SrcPort Destination           DstPort Protocol Info
   1195 25.836898      10.100.10.4           445     10.100.10.5           50848   DCERPC   Fault: call_id: 2, Fragment: Single, Ctx: 1, status: nca_s_fault_access_denied

Frame 1195: 202 bytes on wire (1616 bits), 202 bytes captured (1616 bits) on interface 0
Ethernet II, Src: AristaNe_6b:0a:b7 (74:83:ef:6b:0a:b7), Dst: Microsof_f4:cb:85 (00:0d:3a:f4:cb:85)
Internet Protocol Version 4, Src: 10.100.10.4, Dst: 10.100.10.5
Transmission Control Protocol, Src Port: 445, Dst Port: 50848, Seq: 1518, Ack: 4455, Len: 148
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
    Ioctl Response (0x0b)
        StructureSize: 0x0031
        Unknown: 0000
        Function: FSCTL_PIPE_TRANSCEIVE (0x0011c017)
        GUID handle File: samr
        Reserved: 00000000
        Reserved: 00000000
        Blob Offset: 0x00000070
        Blob Length: 0
        In Data: NO DATA
        Blob Offset: 0x00000070
        Blob Length: 32
        Out Data
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Fault, Fragment: Single, FragLen: 32, Call: 2, [Req: #1189]
    Version: 5
    Version (minor): 0
    Packet type: Fault (3)
    Packet Flags: 0x03
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
    Frag Length: 32
    Auth Length: 0
    Call ID: 2
    Alloc hint: 32
    Context ID: 1
    Cancel count: 0
    Fault flags: 0x00
    Status: nca_s_fault_access_denied (0x00000005)
        [Expert Info (Note/Response): Fault: nca_s_fault_access_denied]
            [Fault: nca_s_fault_access_denied]
            [Severity level: Note]
            [Group: Response]
    Reserved: 00000000
    [Opnum: 64]
    [Request in frame: 1189]
    [Time from request: 0.001003000 seconds]
    Fault stub data (0 bytes)

This may be accompanied by the following event in the SYSTEM log of the domain controller:

Log Name:      System
Source:        Microsoft-Windows-Directory-Services-SAM
Date:          10/24/2019 2:30:03 PM
Event ID:      16963
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      LitwareRootDC01.Litware.com
Description:
Remote calls to the SAM database are being restricted using the configured registry security descriptor: O:BAG:BAD:(A;;RC;;;BA).
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

CAUSE

The following policy setting is applying to the domain controller:

Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options - Network access: Restrict clients allowed to make remote calls to SAM

Note: The Group Policy setting is only available on computers that run Windows Server 2016 or Windows 10, version 1607 and later. This is the only option to configure this setting by using a user interface (UI).

This sets the following registry value:

HKLM \ System \ CurrentControlSet \ Control \ Lsa - RestrictRemoteSam

And the user running the command is not assigned permission to make remote calls to SAM

For more information see Network access: Restrict clients allowed to make remote calls to SAM - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

RESOLUTION:

Since a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from Active Directory, and this information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment, over the long term, enable this setting and using a security group, allowremote RPC connections to SAM and Active Directory for users and groups that you define.

Since this setting has the potential to affect applications and services, it is recommended to implement the following registryas well to test applications before enabling the policy in production:

HKLM \ SYSTEM \ CurrentControlSet \ Control \ Lsa - RestrictRemoteSamAuditOnlyMode (DWORD): 1

This allows all users to make SAMR calls but logs the following events in the SYSTEM event log of the domain controllers:

Log Name:      System
Source:        Microsoft-Windows-Directory-Services-SAM
Date:          10/25/2019 3:03:56 PM
Event ID:      16968
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      LitwareRootDC01.Litware.com
Description:
Audit only mode is currently enabled for remote calls to the SAM database.
The following client would have been normally denied access:
Client SID: S-1-5-21-1004346403-213167161-248345275-1607 from network address: 10.100.10.5. 
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

You can use the Events 16962 - 16969 Reader script to parse the event logs, as explained in the next section.

Hi

I have tried to change extension attribute 15 for users in one OU with the following command

get-aduser*-searchbase"OU=Printing,OU=Toronto,DC=domain,DC=com"-Properties*|set-aduser-Add@{extensionAttribute15="General"}

in domain .com there is OU named Toronto and then there is child OU named Printing

But when I execute this command I get the following

what could be wrong with this

Dalibor Bosic

Hi all;

I have a server with Windows Server 2008 R2 SP1 than belongs to a domain. I have installed AD LDS role on it and created an instance named Instance1. Now I want to connect to Instance1 by using ADSI Edit. The following is the output of thedsdbutil "list instance" command:

Instance Name:         instance1
Long Name:              instance1
LDAP Port:                50000
SSL Port:                  50001
Install folder:            C:\Windows\
Database file:           C:\Program Files\Microsoft ADAM\instance1\data\adamntds.dit
Log folder:                C:\Program Files\Microsoft ADAM\instance1\data
Service state:            Running

The following is the values of the Connection Settings window of the ADSI Edit:

Name: Instance1

Select Or Type A Distinguished Name Or Naming Context: CN=instance1,DC=Fabrikam,DC=com

Select Or Type A Domain Or Server: Server02:50000

With the above settings, when I click on the OK button, the following error message appears:

Operation failed: Error code: 0x202b

A referral was returned from the server.

0000202B: RefErr:DSID-031007EF , data 0, 1 access points

ref 1: 'fabrikam.com'

Any ideas?

Thanks

Hello,

When the active directory domain was originally set up the internal domain was set to domain.lan.    We later added, the upn suffix ourdomain.com so they could log in with their public email address or the local domain account.    We are migrating to 365 and not everyone has the account default for user logon name set to msmith@ourdomain.com   some might be bjoel@domain.lan.    

Is there a way to change them all to use ourdomain.com for the logon name?

Thanks.

Error states:

"Some of the object names cannot be shown in their user-friendly form. This can happen if the object is from an external domain and that domain is not available to translate the object's name"

We are receiving this error when we click on a group with ADUC and the members of that group were added from the trusted domain.  Domain A has a one way non transitive trust wtih domain B that is in place and active.

We have checked every possible setting and configuration and cannot resolve this problem.  Domain A has Windows 2008 R2, domain B is 2003.  Domain A is at a windows 2008 functional leve, domain b is at a 2003 functional level.

YOu can add account from domain B into domain A , but they immediately turn to SIDS once you hit "apply".

Validated trust on both ends

triple checked DNS and see no issues

checked policies

dcdiag returns no errors

Could this be a bug with having a trusted domain on 2003 and the non-trusted domain on 2008 R2?

Server1 is my "primary" DC and DCdiag runs fine.

Server2 was recently added and promoted to DC

I noted 1864 replication errors in event viewer and after running DCdiag on server 2 got the following:   

Starting test: KnowsOfRoleHolders
         [BE2013] LDAP bind failed with error 1326,
         The user name or password is incorrect..
         Warning: Server1 is the Schema Owner, but is not responding to LDAP
         Bind.
         Warning: Server1 is the Domain Owner, but is not responding to LDAP
         Bind.
         Warning: Server1 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: Server1 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: Server1 is the Infrastructure Update Owner, but is not
         responding to LDAP Bind.
         ......................... Server2 failed test KnowsOfRoleHolders

I did go into credentials manager and re-entered my password but no change.  My account is a domain admin account.  These are both 2012 servers and the only servers on the network (small network, 30 users).  NSUTIL shows no orphaned DC's.

Thanks for any help

Jim Θ¿Θ¬

Hello,

I'm getting the script about AD health check from this site gallery.technet.microsoft.com/scriptcenter/Active-Directory-Health-709336cd#content and the output not so good. Previously we just run Repadmin command especially repadmin /replsummary in order to check our AD health check. But from this script, the result was not so good and im not really understand about Test Failed since we dont encounter any replication error.

The serviceTimeout error i found out because the script wait-job status for 60 sec and after manually run  dcdiag /s:DC03 /a /test:Netlogon the result was good. It just need more than 60sec.

Anyway the real issue now is about test fail NetlogonsFail, ServicesFail (Bold). I'm wonder whether we just can ignore this error or this error can caused replication issue? I'm already checking the replication was good from repadmin /replsummary and also from dcdiag not mention about replication error. The attribute also replicate well between the DC.

Meanwhile when we run dcdiag /s:DC03 /a /test:Netlogon on server encounter NetlogonFail, the error is valid. Below is the error:

Unable to connect to the NETLOGON share! (\\DC07\netlogon)
[DC07] An net use or LsaPolicy operation failed with error
67, The network name cannot be found..
......................... DC07 failed test NetLogons

Now im start to worry whether our DC in good condition or not. Previously we just rely on repadmin replsummary and repadmin command to checking the replication. Kindly advise.

P/s: Sorry, im unable to insert picture due to Body text cannot contain images or links until we are able to verify your account.

Hi all

I need to find all the computers based on sites. Is there any way to do that using sites and services for example..?

Thanks

hi all ,

currently we are trying to bring new active directory , the situation is this  

we three active servers ( two windows 2012 and one windows 2008 ) the primary server that have all the roles is the 2012 server now . we have issue with this primary one the sysvol file got a virus and re recover the from the backup . 

now when  trying to add new AD to our environment we are facing the below error : 

Verification of prerequisites for Active Directory preparation failed. Unable to connect to the replication source domain controller ad03.domain.com..
Exception: A directory service error has occurred

Verification of prerequisites for Domain Controller promotion failed. Failed to examine the Active Directory forest. The error was: The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (The user name or password is incorrect.).

any suggestion  ? 

Hello,

we have a DFS Namespace with some shared folders defined. We have 4 Domain Controllers configured as Namespace Servers, all 4 are located in same site and are in one LAN. Randomly users can not access these shares, it might work after a short while again. I feel like two of our 4 Namespace Serves have issues. Because if I do a "net share mx" on these two servers I suspect, I get an Access deied. While the same command works on th eother two Namespace servers.

Both servers with issues are our newest DCs, which are running Windows Server 2019, while the two ones which work, are 2008r2 and 2012r2. I have recently (well, about 2 month ago) moved all FSMO roles from the 2008r2 to one of the 2019.

But I I look to the sharing permissoins, all have the same settings. In DFS Mangement Everyone has Read, while sharing + ntfs permissions do not have permissions for everyone, but none fo the servers has.

net share mx
Share name        mx
Path              C:\DFSRoots\mx
Remark
Maximum users     No limit
System error 5 has occurred.

Access is denied.

The same command works on the old Namespace Servers:

I also get some Access Denied errors when I run "DFSDiag /TestDFSConfig /DFSRoot:\\mobilex.intra\mx" on these two servers in charge

on dc1-2019:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Comparing DC2-2019.mobileX.intra - DC1-2019.mobileX.intra.
Error: Access is denied.
Ignoring the following server for comparison: DC1-2019.mobileX.intra
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

on dc2-2019:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Error: Access is denied.
Ignoring the following server for comparison: DC2-2019.mobileX.intra
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

The same command on my older Namespace Servers do not return any error:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Comparing DC2-2019.mobileX.intra - DC1-2019.mobileX.intra.
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

I am not very familier with this topic, hope someone can explain and point me to some right direction.

kr

Dieter

Hello

Issue:

One of our partners have started upgrading their client fleet to Windows 10, and since they have done this when our users attempt to logon to our domain via their devices it can take over 40 minutes to logon.  The Windows 7 devices take the usual 5 minutes or so.  This is happening on all of their sites.  Whilst I believe the issue is something client related, I am wondering if there is anything we need to change in our AD world...

Setup:

Partner Remote Site - Private Network - Partner DC - City Wide Network - Our Network - Our DC

DCs have full access to each other

My understanding is that their DC will check the token with our DC and then pass it back, which in theory should be quite quick.

Any articles or advice that can be given would be appreciated

Hello,

we have 2 DC's. server2(not a fsmo owner) is turned off about a mounth.

server1(fsmo owner) worked fine but after reboot it doesn't. Event id shows DNS events 4000 and 4007.

DNS snap in throws Access denied. Both servers have same problem. OS on both Win2008R2

DNS servers on Server1 NIC configured with primary dns his own ip, secondary 127.0.0.1

How can I fix primary DC dns service?

Tried this https://support.microsoft.com/en-us/help/2751452/dns-zones-do-not-load-event-4000-4007

but no luck.

Is there any tool regarding these?

Thanks

Hello, I need to make the field Office (physicalDeliveryOfficeName) read-only for my users.

So, nobody can edit the own Office field.

How can I do it? 

Many thanks to everyone!

Piero

Hello all,

I have a situation where, I have user objects in Active Directory that do not have passwords set, Attribute = pwdLastSet. The user object is not disabled either.

What factors would allow an object to have this criteria, pwdLastSet = blank and the user object not disabled? My understanding is if a user object has no password it should be disabled, especially if password complexity is set, which it is in my environment.

thank you in advance for your assistance on this question.

Matt Burgos