Channel: Directory Services forum

Third Party DNS and Disjoint Namespaces


In an environment using a third party (Infoblox) for internal DNS and DHCP, let's assume DNS is not AD integrated, and using disjoint namespaces: do AD sites still play a role in domain members locating domain controllers? Second question: does using disjoint namespaces, when DNS is not AD integrated, make locating domain controllers more efficient for member computers? If so, how so? If anyone knows of supporting documentation to show a positive or negative effect of using disjoint DNS in this scenario I'd love to see it.

I have all of the following docs but am still seeking clarity on this question.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/dns-and-ad-ds

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781627(v=ws.10)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/disjoint-namespace

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755926(v=ws.10)?redirectedfrom=MSDN

https://blogs.msdn.microsoft.com/servergeeks/2014/07/05/how-do-servers-locate-a-domain-controller-in-a-network/

https://support.microsoft.com/en-us/help/247811/how-domain-controllers-are-located-in-windows




Authoritative Restore

Dear Team,

I'm trying to perform an authoritative restore for one OU, but it's not working: after replication the restored object gets deleted.
Please find the steps below:

1. Booting the system in DSRM.
2. Logging in with the DSRM credential.
3. Disabling AD services.
4. Restoring system state using wbadmin.
5. Performing the authoritative restore command:
    restore subtree "ou=***,DC=***,DC=***"
After the restore, rebooting AD in normal mode.

But post-replication the restored OU gets deleted.

R!t@$#

Cross Domain slow logon issues


Hello

Issue:

One of our partners has started upgrading their client fleet to Windows 10, and since they have done this, when our users attempt to log on to our domain via their devices it can take over 40 minutes to log on.  The Windows 7 devices take the usual 5 minutes or so.  This is happening on all of their sites.  Whilst I believe the issue is something client related, I am wondering if there is anything we need to change in our AD world...

Setup:

Partner Remote Site - Private Network - Partner DC - City Wide Network - Our Network - Our DC

DCs have full access to each other

My understanding is that their DC will check the token with our DC and then pass it back, which in theory should be quite quick.

Any articles or advice that can be given would be appreciated

Service account Configuration in Active Directory


Hi Team,

We want to set up a service account which will interact with all the servers in our infrastructure.

In order to fulfill our requirement, the service account should have domain admin permissions, but as per our security policy we should not directly grant domain admin privileges to any service account.

Is there any other solution where the service account will have domain admin privileges without directly linking domain admin privileges to the respective service account?



account lock status


Dear all, 

When a user logs in to a computer with an LDAP account and fails to log in more than 5 times, their account will be locked. Is there a tool which can find which computer they were locked out from? Thanks a lot.

Best Regards, Anderson

Recommended NTFS permissions for Home folders - Windows 2016


Hi,

What are the recommended NTFS permissions for user home drives when you want to automate their creation from the Profile tab of each user account in AD?  I dug around and tried some of the older recommendations but I am getting odd results.

Here is what I have done and the results:
Windows Server 2016
Created folder = Home
Shared folder as Home and share permissions Everyone = Full Control

NTFS Permissions on Home

SYSTEM
Full Control
This folder, subfolders and files

Company_Home_Admins
Full Control
This folder, subfolders and files

CREATOR OWNER
Special
All permissions EXCEPT Change permissions, Take ownership
Subfolders and files only

Authenticated Users
Special
Traverse folder/execute file, List folder/read data, Read attributes, Create folders/append data
This folder only

Then on my AD user account, I go to the Profile tab and set the Home folder path to:
\\file_server\Home\%username%
Click OK
As expected it changes the path to:
\\file_server\Home\JeffP
Look at the file server in the Home folder I see a JeffP folder created...but the permissions are not what I expect.

NTFS Permissions on Home\JeffP

SYSTEM
Full Control
This folder, subfolders and files
Inherited from D:\Home
This is as expected

Company_Home_Admins
Full Control
This folder, subfolders and files
Inherited from D:\Home
This is as expected

CREATOR OWNER
Special which is all permissions EXCEPT Change permissions, Take ownership
Subfolders and files only
Inherited from D:\Home
This is as expected

JeffP
Full Control
This folder, subfolders and files
Inherited from None
Why is the user getting Full?  We don't want them to be able to Take Ownership or Change Permissions.

File_Server\Administrators
Full Control
This folder, subfolders and files
Inherited from None
How is this getting on here?  We don't want the Windows server admins to have any permissions.  They are not NTFS educated.

File_Server\Administrators
Special which is all permissions EXCEPT Change permissions, Take ownership
This folder only
Inherited from D:\Home
How is this getting on here?  And inherited?  The local Administrators group is nowhere applied to the Home folder.

Is this happening because the folder is getting created via the AD account and therefore it considers the user to be an administrator?  The local Administrators group getting applied twice and in one instance saying it is inherited when it is absolutely not inherited is just baffling me.

If you made it this far thanks in advance!

Azure AD Connect stopped after update to Server 2019 from Server 2016

We use a hybrid Azure AD Connect to sync our on-premises AD to our Office 365 online system. Everything worked great until we updated our 2016 server to 2019. The sync is broken and the AD Connect program shows an error that "no changes can be made at this time". I tried a reinstall (no luck). The services are running. I have seen differing opinions on whether Server 2019 Standard supports Azure AD Connect. What do we need to change/load/etc. to make this work again?

AD Assessment O365 migration


All,

I have a customer who plans to migrate from an on-prem Exchange server to O365. Before the migration they have asked us to do an AD and SharePoint assessment for both forests: basically a health check to find any shortcomings that can be remediated so there are no issues during the Office 365 migration.

Is there any document available explaining how to carry out this kind of AD/SharePoint assessment? Appreciate any response.

Thanks 


Recreate failed DC from scratch with same name and IP


Hi,

We have 3 DCs (Windows 2012 R2), but number 2 crashed because of a disk failure. We don't have a backup, as we have 3 DCs on separate physical hosts and even in separate locations.

However, we have several applications pointing to the failed DC either by name or IP.

Is there a procedure to recreate a DC using the same name and IP as the failed one without screwing up AD?

Can we just remove the old DC from the AD objects and proceed with creation, or is there a risk of remaining objects that would result in issues?

Thanks

Error when manage certificate templates after domain rename


We renamed a domain years ago, and had no problems issuing updated certificates from the Enterprise root CA. We need to add a new template so I right-click on the "Certificate Templates" node in the CA console and choose Manage. The following error is displayed.

"Windows encountered problems enumerating Writable Domain Controllers for the <old domain name> Domain. The specified domain either does not exist or could not be contacted. Certificate templates are not available."

If I press OK the Certificate Templates console loads and I see our templates. I checked CN=Certificate Templates in the Configuration Partition with ADSI Edit, but I don't see any references to any specific domains. Does anyone know where in AD the Certificate templates "lookup list" is located? I figure I just need to remove the old domain name from that object so the Certificate Templates console doesn't try to query the old domain name when loading.

Powershell Script to identify Accounts which are enabled and has an expiry date older than today and reset password with random one


Hello,

I am looking for a PowerShell script to identify users which are still enabled and have an expiry date that has already passed (anything before today), and reset their password to some random one.

Thanks in advance


Eskay
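One way to write the script requested above, added here as an example and not code from the thread. It uses the ActiveDirectory module's Search-ADAccount -AccountExpired to do the expiry comparison server-side, keeps only enabled accounts, and draws the random password from the .NET CSPRNG; the $SearchBase parameter and the script's output object are this example's own choices.

```powershell
# Added example, not code from the thread: find enabled AD users whose account
# expiration date is already in the past and reset each one's password to a
# random value. Needs the ActiveDirectory module (RSAT). Supports -WhatIf, so
# run it with -WhatIf first to see which accounts would be touched.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase,        # optional OU distinguished name to limit the search (assumed name)
    [int]$PasswordLength = 24
)

Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # Exactly 64 characters (ambiguous l/I/O/0/1 left out) so that byte % 64 is
    # unbiased; the bytes come from the CSPRNG, not from Get-Random.
    $chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Search-ADAccount -AccountExpired compares accountExpires against "now" on the
# DC; it returns disabled accounts too, so keep only the enabled ones asked for.
$searchParams = @{ AccountExpired = $true; UsersOnly = $true }
if ($SearchBase) { $searchParams.SearchBase = $SearchBase }
$targets = Search-ADAccount @searchParams | Where-Object { $_.Enabled }

foreach ($account in $targets) {
    if ($PSCmdlet.ShouldProcess($account.SamAccountName, 'Reset password to random value')) {
        $newPassword = ConvertTo-SecureString (New-RandomPassword -Length $PasswordLength) -AsPlainText -Force
        Set-ADAccountPassword -Identity $account.DistinguishedName -Reset -NewPassword $newPassword
        # The clear-text value is deliberately never written anywhere: the account
        # is expired, so nobody needs to know it.
    }
    # One record per affected account for the operator's report
    [pscustomobject]@{
        SamAccountName        = $account.SamAccountName
        AccountExpirationDate = $account.AccountExpirationDate
        PasswordReset         = -not $WhatIfPreference
    }
}
```

Save it as a .ps1 and run it once with -WhatIf to review the list; without -WhatIf it performs the resets and emits one record per account.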

Active Directory Auditing


I have enabled Auditing by following the directions using ADSI Edit here: https://www.lepide.com/how-to/track-and-audit-active-directory-group-membership-changes.html

If I create a Security Group while connected to DC02, I see the Event Viewer Security Log event on DC02.  If I create a Security Group while connected to DC03, I see the Event Viewer Security Log event on DC03.

When I create a new Security Group, should I see an entry in both Event Logs, or is it by design that we only see the event on the domain controller that the security group was created on?

Just want to make sure I understand how this is supposed to work.  

Thank you in advance.  


Matt Dillon

2008R2 DC to 2019


Hi,

Do I need to change from FRS to DFSR before I upgrade our DC to Server 2019?

I have been researching and am not sure why and how.

please advise.

GPO to assign security group to have Admin privilege - Server 2016


Hi IT Experts,

My objective is to delegate full local admin privilege to the IT support team, but at the same time they should be denied access to all the servers, either directly or remotely.

To accomplish this task, I created one security group and deployed the policy. While testing, I found the members of this security group have admin privilege on all the PCs, but at the same time they also have remote access to all the servers, though not to the domain.

My question is: how do I completely restrict remote access to any servers for the same security group?

TIA



Active Directory: Recovery of accidentally deleted OUs and their objects

On our client's Server 2008 R2 Domain Controller, I discovered this morning that 2 custom OUs (on a single-domain network) were accidentally deleted along with their objects (multiple user profiles and groups).
At least one remote user with a laptop had trouble logging into the domain this morning.
Need help recovering the deleted OUs and objects (user profiles, groups, etc.).
A full server backup including system state was completed last night and is readily available.

ID


PCs Failing to join the domain


Hey All

I am having quite a few issues with my DC. I came in today to join 20 PCs back to the domain, and when I try to join them I get the error "The following error occurred attempting to join the domain "DOMAINNAME": can't complete this function."

Now there are some errors in the following things:

*The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner SERVER.Domain. This was a failed secondary domain controller that we never brought back online.

*This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.  I have run netdom query /domain:"NAME" FSMO; this comes back with all the roles on my current DC.

*DNS has this warning every now and then: The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

I am just really stuck with this one and need to get all these PCs back onto the domain.


MpKsld3f76d24.sys


What is the use of the file in the subject line? Is this malware? Do we need to remove this file?

The file paths are:

c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{67EF97E0-B25F-41B6-B602-53B23C6773FE}\MpKslf330f016.sys

C:\Windows\system32\drivers\MpKsld3f76d24.sys

AD Health Check


Hello,

I got the AD health check script from this site: gallery.technet.microsoft.com/scriptcenter/Active-Directory-Health-709336cd#content, and the output is not so good. Previously we just ran the repadmin command, especially repadmin /replsummary, in order to check our AD health. But from this script the result was not so good, and I don't really understand the Test Failed results since we don't encounter any replication errors.

PingStatus   NetlogonService  NTDSService  DNSServiceStatus  NetlogonsTest     ReplicationTest      ServicesTest     AdvertisingTest     FSMOCheckTest
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsTimeout  ReplicationsTimeout  ServicesTimeout  AdvertisingTimeout  FSMOCheckTimeout
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesFail     AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsFail     ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success      Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesFail     AdvertisingPassed   FSMOCheckPassed


The ServicesTimeout error, I found out, is because the script waits on the job status for 60 sec; after manually running dcdiag /s:DC03 /a /test:Netlogon the result was good. It just needs more than 60 sec.

Anyway, the real issue now is the failed tests NetlogonsFail and ServicesFail (bold). I wonder whether we can just ignore these errors or whether they can cause replication issues. I already checked that replication was good from repadmin /replsummary, and dcdiag also did not mention any replication error. Attributes also replicate well between the DCs.

Meanwhile, when we run dcdiag /s:DC03 /a /test:Netlogon on the server that encountered NetlogonsFail, the error is valid. Below is the error:

Unable to connect to the NETLOGON share! (\\DC07\netlogon)
[DC07] An net use or LsaPolicy operation failed with error
67, The network name cannot be found..
......................... DC07 failed test NetLogons

Now I'm starting to worry whether our DCs are in good condition or not. Previously we just relied on repadmin /replsummary and other repadmin commands to check replication. Kindly advise.

P.S.: Sorry, I'm unable to insert a picture due to "Body text cannot contain images or links until we are able to verify your account."



Event ID 1119 for Global Catalog Win2K16


Hello Folks,

Event ID 1119 says a domain controller is now a Global Catalog after promoting the server to domain controller in 2K8R2. Is this event replaced by any other event in Windows 2016? I couldn't see it under Directory Service after promoting the server to DC in 2K16, whereas I could see the server is Global Catalog ready and there is event 1394.

Regards,

Aatif


Regards, Aatif Kungle

Persistent route IPv6


Hi,

Can anyone tell me how to add the following IPv6 route to my new server? I can't seem to get the syntax right.

Persistent Routes:
 If Metric Network Destination      Gateway
  0 4294967295 2a01:85c0::/48           2a01:85c0:0:4159::1
