Channel: Directory Services forum

AD domain and trusts


Hi all,

In a multidomain environment, where there are one-way or two-way trusts configured, how do I find out the following?

  1.      Is there a user in one domain talking to another domain, and who is it? For example, a user from the first domain logging in to another domain.
  2.      Is there an app in one domain talking to another domain, and what app?

Is there any tool regarding these?

Thanks



NtFrs error 13568 JRNL_WRAP_ERROR


One of the networks I just came in to has one 2008 R2 DC and a 2003 DC with the FSMO roles. The 2003 DC is the one with the above error. We were planning to retire the 2003 DC and promote a new 2008 R2 server to DC. I would rather not go through the steps to fix the above error if not necessary. Would this error prevent moving the FSMO roles and demoting to a member server, or would I need to do a metadata cleanup with NTDSUTIL?

Regards

Craig


After upgrading AD, new users don't appear in SharePoint and others


Hi,

a few weeks ago I upgraded the AD servers from WS 2008 to WS 2016.

We use SharePoint Foundation at my company, and newly created users are not appearing when I want to share any folder with them. Old users are appearing, so I suppose that the issue is related to the AD upgrade.

I also use Dynamics NAV and there are some errors related to this. It looks like the servers are trying to find the old AD server instead of the new ones.

I did a DNS flush on each one, and if I do an nslookup it points to the current AD server.

Server names are different, but the IP addresses are the same as the old ones.

Thanks in advance for any help provided.

regards

Make a field as read-only for users


Hello, I need to make the field Office (physicalDeliveryOfficeName) read-only for my users.

So nobody can edit their own Office field.

How can I do it?

Many thanks to everyone!


Piero

Event ID 2042 - Replication Trust issues


Hello,

I have adopted a Server 2003 AD environment at work which every now and then has trust relationship issues when logging on.
Normally I would remove the server from the domain, restart and add it back to the domain.
When I try to do this I get the error "Logon Failure: the target name is incorrect."

When I look at the event viewer on the primary DC (DC001) it shows Event ID 2042: It has been too long since this machine last replicated with the named source machine.

I am told that this machine died a while ago and was somehow brought back to life after several days and re-added to the domain, which seems to be when the replication issues started.

My plan was to seize the FSMO roles to the secondary DC (DC002) and demote the primary DC (DC001). The only issue is that when I look in Sites and Services we only have one Global Catalog (DC001). Can I make the secondary DC a Global Catalog even though the original GC is having problems?

Any help would be greatly appreciated!!


Event 4625 Destination Information Missing


Hello! I noticed that my Domain Controller logs for Event 4625 (An account failed to log on) only give me the source information. Should my DCs be recording the source AND destination for Event 4625? For example, if I attempt to access a remote file share, or RDP to a remote system, etc., should the 4625 log on the DC show both my IP address and the remote system I failed to connect to?



Trusted Root


Hi All,

I have been asked to set up a trust relationship between two domains. Also, I was asked whether I could add a CA into the domain trust as well. I am not sure of a way to do this via AD. Is it a case that I will have to add a CA via GPO?

Any information would be greatly received.

Regards.

Single Domain with no trusts - why do I have Foreign Security Principals


I am cleaning up an old AD which has been around since the days of NT4 and SBS. 

I have a bunch of well known security principals in the FSP container.

This is a single domain, no trusts (but synced to Azure AD and in hybrid Exchange).

[Screenshot: Foreign Security Principals container]

None of them have any backlinks.

[Screenshot: no backlinks]

Just wondering whether to delete them?


CarolChi


Update Schema in Test Domain


I created a test AD 2008 R2 domain to mimic our production domain.  Developers use this test domain to try out changes to their applications.

The problem: Our production domain once had Exchange installed and extended the AD domain schema to add attributes like extensionattribute1. 

Question: How can I add this attribute to my test domain?

Thanks for your advice.

ssh key authentication in AD from Linux host


I wonder if it is possible to do authentication by SSH key on Linux machines. These machines use Windows Server AD for authenticating users.

I'm already able to authenticate linux machines using AD by following the tutorial https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/


Get-ADGroupMember -Recursive returns An operations error occurred


If I am using Get-ADGroupMember -Recursive on a universal group that has members from other domains within the same forest in it, I get the following error:

Get-ADGroupMember : An operations error occurred

This only happens if the command is run from a remote jump server. If it's run from the domain controllers themselves it works just fine.

I looked at the Kerberos ticket on that jump server and I see that the ticket is not forwardable.

1- Is it the default that Kerberos tickets are not forwardable?

2- If yes, then what can be the issue that the same account, which is a domain admin, can get the result from the domain controller when running that command, but not from the jump server that has the Active Directory administrative tools installed?

Domain Controller Replication Issue


Hi, 

There are 5 domain controllers in the domain and the issue is with only one of them: when an object is created on this domain controller it does not show up on the remaining 4 domain controllers, but if the object is created on another domain controller it does show up on this one, so it looks like replication is working in only one direction. Is there any way to check/fix it?

Hard disk error

Hi all,

I'm promoting a Server 2012 R2 Domain Controller. During the prerequisites check, it returns the error "Verification of prerequisites for Domain Controller promotion failed. The folder U:\windows\ntds does not refer to a valid hard disk. Select a folder on a hard disk drive".

If I set the path to the C: drive it works just fine. My U: drive is in NTFS format, attached from a LUN. Is there any requirement in terms of HD type/format?

PDC not loading NTP Time source and defaults to local CMOS?


Good morning,
I have a dark-site environment with 2 domain controllers, both virtualized Windows Server 2012 R2.
The servers are multihomed with 2 interfaces:
1 to the workstation network and 1 to the server network.
For NTP purposes, access to an external time server (still one inside the company) is made available.
I configured NTP on the PDC according to this document:
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

I entered 2 IP addresses instead of DNS names. Because I directly entered IP addresses I did not append ,0x1 or anything else.

Output of the following commands on the PDC:
1. w32tm /resync: Sending resync command to local computer
The computer did not resync because no time data was available

2. w32tm /monitor
PDCSERVERNAME *** PDC*** [ID]:
ICMP: 0ms delay
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
2ndDCNAME [ip:port]:
NTP: error ERROR_TIMEOUT - no response from server in 1000ms

3. w32tm /query status:
more data
Source:local CMOS Clock
more data

4. w32tm /stripchart /computer:EXTERNAL NTP ADDRESS /dataonly /samples:5:
The current time is date and time
time, +12.4288498s
time, +12.4249894s
etc...

My conclusion: for an unknown reason the configuration is not picked up and the configuration defaults back to the local CMOS clock?

How to make the PDC sync with this time source?
If it gets the time with test 4, does that mean it has enough access to the time source or can there be a firewall port issue or some authentication issue that makes test 4 to return data but not work for synchronization?

Kind regards,
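The following is an added example and is not part of the post above: a PowerShell function that collects the W32Time settings the four w32tm checks depend on (peer list, service type, NtpClient provider state, announce flags) and probes each configured peer once with the same stripchart call, so the configured peers and the source the service actually reports can be compared in one place. It assumes an elevated session on the PDC emulator and the standard W32Time registry layout; the function name is the author's own.

```powershell
# Added example (not from the forum post): summarise the local W32Time
# configuration and probe every configured peer once, so the peer list in the
# registry and the source w32tm reports can be compared side by side.
# Assumes an elevated PowerShell session on the PDC emulator.
function Get-W32TimeSummary {
    $paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'
    $params = Get-ItemProperty -Path $paramKey
    $config = Get-ItemProperty -Path $configKey
    $client = Get-ItemProperty -Path $clientKey

    # NtpServer is a space-separated list; each entry may carry ,0x1 (use
    # SpecialPollInterval) or ,0x8 (client mode) after the host or IP.
    $peers = @()
    if ($params.NtpServer) {
        $peers = @($params.NtpServer -split '\s+' | Where-Object { $_ })
    }

    # Probe each peer the way the stripchart test does: one sample, data only.
    # A line of the form "hh:mm:ss, +12.42s" means the peer answered; an
    # "error:" line means it did not.
    $probe = foreach ($entry in $peers) {
        $peerHost = ($entry -split ',')[0]
        $out = & w32tm /stripchart /computer:$peerHost /dataonly /samples:1 2>&1
        [pscustomobject]@{
            Peer     = $entry
            Answered = [bool]($out | Where-Object { $_ -match ',\s*[+-]\d' })
            LastLine = ($out | Select-Object -Last 1)
        }
    }

    [pscustomobject]@{
        Type                = $params.Type            # NTP = manual peers, NT5DS = domain hierarchy
        AnnounceFlags       = $config.AnnounceFlags   # 5 is the usual value for a reliable PDC time source
        NtpClientEnabled    = $client.Enabled
        SpecialPollInterval = $client.SpecialPollInterval
        ConfiguredPeers     = $peers
        ReportedSource      = (& w32tm /query /source)
        PeerProbe           = $probe
    }
}

# Usage (run on the PDC emulator):
# Get-W32TimeSummary | Format-List
# (Get-W32TimeSummary).PeerProbe | Format-Table
```

If ReportedSource still reads "Local CMOS Clock" while every PeerProbe entry shows Answered = True, the peers are reachable and the problem lies in the service configuration (Type, NtpClient Enabled, or the peer flags) rather than in the network path; if a probe fails, UDP 123 to that peer is the first thing to check.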

Active Directory Certificate Templates published more than listed on Enterprise Intermediate CA


Hi,

While looking at CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Example>,DC=<Example>,DC=Local (Example is just a placeholder) I found 45 certificate templates published in AD, but when looking at the Enterprise Intermediate CA I see only 26 that have been deployed by the CA. Why is there a difference, and is there any way I can find out who issued the additional certificate templates in AD under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Example>,DC=<Example>,DC=Local? Your feedback is appreciated.

Kind Regards,

AK  


Active Directory Certificate Services service could not be started


Background:

I have a Windows Server 2019 that was migrated from SBS 2011; the migration was done in March 2019.
Today I tried configuring a RADIUS server and noticed that the AD Certificate Authority was down.

I cannot start the Active Directory Certificate Services service.
1)
net start certsvc
The Active Directory Certificate Services service is starting.
The Active Directory Certificate Services service could not be started.

A service specific error occurred: 3355444232.

More help is available by typing NET HELPMSG 3547.

2)
file not found 0xc8000713 (ESE: -1811 JET_errFileNotFound)

3) after *.edb restore from backup:
Cannot access file, the file is locked or in use 0x8000408 (ESE: -1032 JET_errFileAccessDenied)

I tried to use esentutl:
Those are the commands I tried:

Perform a defragmentation of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl /d <CA Name>.edb
replay: Operation terminated with error -1209 (JET_errInvalidDatabaseVersion, Database engine is incompatible with database)

Examine the integrity of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl /g <CA Name>.edb
replay: Operation completed successfully

Perform database recovery
%systemdrive%\windows\system32\certlog>esentutl /r edb
replay: Operation terminated with error -1003 (JET_errInvalidParameter, Invalid API parameter)

Perform a lossy repair of the Perfca.edb database
%systemdrive%\windows\system32\certlog>esentutl /p <CA Name>.edb
replay: Operation completed successfully

View the Perfca.edb database in File Dump mode
%systemdrive%\windows\system32\certlog>esentutl /mh <CA Name>.edb

4)
After removing the logs from the folder %systemdrive%\windows\system32\Certlog and keeping only the .edb file, instead of doing a Recovery on the DB file I did a Repair instead (esentutl.exe /p "path_to_edb_file"):
replay: file not found 0xc8000713 (ESE: -1811 JET_errFileNotFound)


None of them worked.

Thanks,

Tomer

Cannot login to windows 2016 domain controller - the user has not been granted the requested logon type at this computer.


Hello,

Been grappling with a problem for some time now:

We have a parent domain and a child domain with domain admin accounts in both domains.

Both domains contain two domain controllers each.

We recently performed an activity and upgraded all our domain controllers to Server 2016. The process we followed to "upgrade" the domain controllers was - joined the Server 2016 machines to the domains, then promoted these 2016 machines as domain controllers.

The older (Server 2012 R2) machines were demoted gracefully.

However, after this activity, we cannot log in to the child domain's domain controllers using the domain admin accounts in the child domain. The only way to log in to these domain controllers is through the domain admin accounts in the parent domain.

We get the following error in the login screen:

You must be granted the Allow log on through the Remote Desktop Services Right.

We have verified that the account used to attempt a login to the domain controller is a member of the Domain Admins group and has the "Allow log on locally", "Access this computer from the network" and "Allow log on through Remote Desktop Services" privileges.

Any help or leads on this problem would be greatly appreciated.

Cheers!

Using Group Policy to deploy the hardening policies to all clients


Hi all,

We have CIS Benchmark Windows OS hardening documents. Currently we are manually applying all the hardening policies to all client machines one by one, and this way it is taking too long to achieve our goal. Manual hardening takes around 5 to 6 hours, and we have around 4000 machines.

Now we want to deploy all the hardening policies to all the domain clients by using a GPO or scripts to achieve our goal quickly. Is there any possible way to do this? Kindly advise me on this issue. Awaiting your positive responses.

Thanks,

Lee

Password Expiry Dates Incorrect using Net User


Recently a colleague had been setting up a fine-grained password policy. She was a little concerned that it didn't appear to be applying properly, and as we worked through it, it became obvious that it was working as expected but the tool she was using to check was giving incorrect results.

I am hoping I can establish what is happening:

The fine-grained password policy enables the password for 365 days (this is just testing).

This PowerShell command returns the correct expiry date:

Get-ADUser -Identity <samaccountname> -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

When run on a DC (which I believe is also the PDC emulator and a GC), net user returns a date in the past (when the GPO default domain policy should have expired the password):

net user <samaccountname>

I can't post the images of the output.

"Body text cannot contain images or links until we are able to verify your account."

I am intrigued as to why the net user command returns such an incorrect value.

Ian
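Added here as an example, not part of Ian's post: a PowerShell function that reports, for one account, which password policy is actually in force (a fine-grained PSO or the default domain policy), the expiry you would expect by adding that policy's MaxPasswordAge to pwdLastSet, and the expiry the DC itself computes in msDS-UserPasswordExpiryTimeComputed. Laying the three side by side shows which policy a given tool's answer corresponds to. It assumes the ActiveDirectory module and a session in the domain; the function name and the sample account name are the author's placeholders.

```powershell
# Added example (not from the forum post): compare the DC-computed password
# expiry with the expiry derived from the user's resultant password policy.
# Assumes the ActiveDirectory module and a session joined to the domain.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties @(
        'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires')

    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC
    # evaluates the resultant policy itself. Int64.MaxValue means "never expires".
    $computedRaw = [int64] $user.'msDS-UserPasswordExpiryTimeComputed'
    $computed = if ($computedRaw -le 0 -or $computedRaw -eq [int64]::MaxValue) {
        $null
    } else {
        [datetime]::FromFileTime($computedRaw)
    }

    # Which policy wins: a PSO if one applies (directly or via group), otherwise
    # the domain default. Get-ADUserResultantPasswordPolicy returns nothing when
    # no PSO applies to the account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $policyName = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }

    # Expected expiry by hand: pwdLastSet + MaxPasswordAge of the resultant policy.
    # pwdLastSet of 0 means "must change at next logon"; MaxPasswordAge of zero
    # or PasswordNeverExpires means no expiry.
    $lastSetRaw = [int64] $user.pwdLastSet
    $lastSet = if ($lastSetRaw -gt 0) { [datetime]::FromFileTime($lastSetRaw) } else { $null }
    $expected = if ($lastSet -and -not $user.PasswordNeverExpires -and $maxAge -ne [TimeSpan]::Zero) {
        $lastSet + $maxAge
    } else {
        $null
    }

    [pscustomobject]@{
        SamAccountName   = $user.SamAccountName
        ResultantPolicy  = $policyName
        MaxPasswordAge   = $maxAge
        PasswordLastSet  = $lastSet
        ExpectedExpiry   = $expected
        DCComputedExpiry = $computed
        Agree            = ($expected -eq $computed)
    }
}

# Usage ('jdoe' is a placeholder account name):
# Get-PasswordExpiryReport -SamAccountName 'jdoe' | Format-List
```

When Agree is True, the DC's computed expiry matches the PSO (or default policy) arithmetic, and any tool reporting a different date is not evaluating the resultant policy; comparing its date against the default domain policy's MaxPasswordAge added to PasswordLastSet usually shows which policy it used.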

Client systems are getting out of domain while resetting the password-Windows 10


Some of our users who are using Windows 10 are facing issues where, when they reset their password, the system automatically drops out of the domain. Then we have to rejoin the computer to the domain. There are 4 laptops which are giving this kind of problem.

The on-site engineer has informed us that they are all laptops and that they are observing this problem on Wi-Fi only.

I suggested to the IT Manager that we should try to run sysprep in generalize mode to reset the SID, but they do not agree. My guess is that two systems' SIDs might match and, while changing the password, the DC is confused and throws a system out of the domain, but I am not sure.

Any help highly appreciated . Thanks.


Arif
