Hi,

Wanted to know how to get logon users domain. So suppose there is multidomain structure with two way trust. If a user is logging into another domain, how do we get the details of user and which domain he/she belongs to ?

Thanks,

Biswajeet

I have 2 servers.  Server A is running AD, DHCP, DNS etc...and shows as healthy.  No errors in Server Manager and no errors in EventLog.  Server B is running 2016.   Yes, it is joined to the Server A domain (called lab.net)  

From Server B I go into USERS.  I try to add the Domain Admins from Lab.net but it does not see lab.net.  It only sees itself.

what can cause that?   

mqh7

I am having time synchronization issue from one of my child domain controllers. In my environment we have 1 forest and 02 child domain. External time source defined on Forest PDC. Time synchronization issue occur on 01 child domain controllers. Below is an error for reference and further troubleshooting:

Domain Controllers: 2012 r2, FFL & DFL: 2008R2

C:\Windows\system32>w32tm /query /peers /verbose
#Peers: 1

Peer:
State: Pending
Time Remaining: 12426.5742052s
Mode: 0 (reserved)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 0 (unspecified)
Last Successful Sync Time: (null)
LastSyncError: 0x800706FD (The trust relationship between this workstation and t
he primary domain failed. )
LastSyncErrorMsgId: 0x0000005C (The peer is unreachable. )
AuthTypeMsgId: 0x0000005A (NoAuth )
Resolve Attempts: 5
ValidDataCounter: 0
Reachability: 0

Regards, Sarfraz Aslam

Hi,

What are the recommended NTFS permissions from user home drives when you want to automate their creation from the Profile tab of each user account in AD?  I dug around and tried some of the older recommendations but I am getting odd results.

Here is what I have done and the results:
Windows Server 2016
Created folder = Home
Shared folder as Home and share permissions Everyone = Full Control

NTFS Permissions on Home

SYSTEM
Full Control
This folder, subfolders and files

Company_Home_Admins
Full Control
This folder, subfolders and files

CREATOR OWNER
Special
All permissions EXCEPT Change permissions, Take ownership
Subfolders and files only

Authenticated Users
Special
Traverse folder/execute file, List folder/read data, Read attributes, Create folders/append data
This folder only

Then on my AD user account, go to the Profile tab, and set I the Home folder path to:
\\file_server\Home\%username%
Click OK
As expected it changes the path to:
\\file_server\Home\JeffP
Look at the file server in the Home folder I see a JeffP folder created...but the permissions are not what I expect.

NTFS Permissions on Home\JeffP

SYSTEM
Full Control
This folder, subfolders and files
Inherited from D:\Home
This is as expected

Company_Home_Admins
Full Control
This folder, subfolders and files
Inherited from D:\Home
This is as expected

CREATOR OWNER
Special which is all permissions EXCEPT Change permissions, Take ownership
Subfolders and files only
Inherited from D:\Home
This is as expected

JeffP
Full Control
This folder, subfolders and files
Inherited from None
Why is the user getting Full?  We don't want them to be able to Take Ownership or Change Permissions.

File_Server\Administrators
Full Control
This folder, subfolders and files
Inherited from None
How is this getting on here?  We dont want the Windows serer admins to have any permissions.  They are not NTFS educated.

File_Server\Administrators
Special which is all permissions EXCEPT Change permissions, Take ownership
This folder only
Inherited from D:\Home
How is this getting on here?  And inherited?  The local administrators group is no where applied to the Home folder.

Is this happening because the folder is getting created via the AD account and therefore it considers the user to be an administrator?  The local Administrators group getting applied twice and in one instance saying it is inherited when it is absolutely not inherited is just baffling me.

If you made it this far thanks in advance!

I need to upgrade our Domain and our current domain name is not our corporate domain name due to legacy situation at time of creation and long before I was here. The plan is to create a new 2019 domain, create a full trust and migrate to it using the corporate domain name.

I have read up on making the migration using ADMT, but I want to make sure there isn't anything that could pose a problem I'm not aware of since our current domain is in hybrid state using the the corporate domain as our email domain. So while our current AD domain name is asdf.com our email domain name is corpname.com and is a hybrid Exchange 2010 / Office 365 configuration.

For one thing, currently we cannot user our UPN to log into our domain since it is different than our public /email domain name. When I migrate to the new Domain I am hoping I can seamlessly begin having them log in with there UPN.

I am hoping I can do the following:

Create new corp domain

Create Full Trust

Migrate Users to new Domain

Migrate User Computer accounts to new Domain

Migrate Servers to new Domain

Configure LDAP Authenticating devices to new Domain.

Break Full Trust

Disable Hybrid Exchange environment.

Decommission old Domain

- LZ

Hello,

I am learning about AD DS and I have a following question.

I understand that:

AD DS has these partitions:

a) Schema, b) configuration, c) domain, d) application (e.g. DNS)

Only DC which holds Schema FSMO role has RW copy of Schema partition, other DCs have RO copy of Schema partition

every DC in the forest has RW copy of configuration partition

every DC from the concrete domain has RW copy of domain partition 

application partition can be set up with different scope (domain, forest)

Do I understand it right?

Then my question is about replication If:

I have two domains in the forest: domain1 and domain2

I have four sites in the forest: Site1, Site2, Site3, Site4

In the Site1 there are two DCs (DC1 and DC2) from domain1

In the Site2 there are two DCs (DC3 and DC4) from domain1

In the Site3 there are two DCs (DC5 and DC6) from domain2

In the Site4 there are two DCs (DC7 and DC8) from domain2

In AD Sites and services replication between Site1 and Site2 will be:

Site1 - Intrasite replication between DC1 and DC2 is set up automatically

Site1 - There will be automatically chosen Bridgehead server

Site2 - Intrasite replication between DC3 and DC4 is set up automatically

Site2-  There will be automatically chosen Bridgehead server

Then I will create Site link between Site 1 and Site 2 (I know that I also have to configure subnets for sites)

In AD Sites and services replication between Site3 and Site4 will be:

Site3 - Intrasite replication between DC5 and DC6 is set up automatically

Site3 - There will be automatically chosen Bridgehead server

Site4 - Intrasite replication between DC7 and DC8 is set up automatically

Site4- There will be automatically chosen Bridgehead server

Then I will create Site link between Site 3 and Site 4 (I know that I also have to configure subnets for sites)

From my understanding I do not have to do that in order to make sure that other partitions (schema, configuration and application) will be replicated to DCs in different domain, am I right?

I am just learning and trying to understand AD replication topology, I will be glad for explanation.

Thank you.

Hello,

Been grappling with a problem for some time now:

We have a parent domain and a child domain with domain admin accounts in both domains.

Both domains contain two domain controllers each.

We recently performed an activity and upgraded all our domain controllers to Server 2016. The process we followed to "upgrade" the domain controllers was - joined the Server 2016 machines to the domains, then promoted these 2016 machines as domain controllers.

The older(Server 2012 R2) machines were demoted gracefully.

However, after this activity, we cannot login to the child domain's domain controllers using the domain admin accounts in the child domain. The only to login to these domain controllers is through the domain admin accounts in the parent domain.

We get the following error in the login screen:

You must be granted the Allow log on through the Remote Desktop Services Right.

We have verified that the account used to attempt a login to the domain controller is a member of the domain admins group and has the "Allow logon locally", "Access this computer from the network", "Allow logon through remote desktop services" privileges.

Any help or leads to help with this problem is greatly appreciated.

Cheers!

Hello,

we have a DFS Namespace with some shared folders defined. We have 4 Domain Controllers configured as Namespace Servers, all 4 are located in same site and are in one LAN. Randomly users can not access these shares, it might work after a short while again. I feel like two of our 4 Namespace Serves have issues. Because if I do a "net share mx" on these two servers I suspect, I get an Access deied. While the same command works on th eother two Namespace servers.

Both servers with issues are our newest DCs, which are running Windows Server 2019, while the two ones which work, are 2008r2 and 2012r2. I have recently (well, about 2 month ago) moved all FSMO roles from the 2008r2 to one of the 2019.

But I I look to the sharing permissoins, all have the same settings. In DFS Mangement Everyone has Read, while sharing + ntfs permissions do not have permissions for everyone, but none fo the servers has.

net share mx
Share name        mx
Path              C:\DFSRoots\mx
Remark
Maximum users     No limit
System error 5 has occurred.

Access is denied.

The same command works on the old Namespace Servers:

I also get some Access Denied errors when I run "DFSDiag /TestDFSConfig /DFSRoot:\\mobilex.intra\mx" on these two servers in charge

on dc1-2019:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Comparing DC2-2019.mobileX.intra - DC1-2019.mobileX.intra.
Error: Access is denied.
Ignoring the following server for comparison: DC1-2019.mobileX.intra
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

on dc2-2019:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Error: Access is denied.
Ignoring the following server for comparison: DC2-2019.mobileX.intra
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

The same command on my older Namespace Servers do not return any error:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Comparing DC2-2019.mobileX.intra - DC1-2019.mobileX.intra.
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

I am not very familier with this topic, hope someone can explain and point me to some right direction.

kr

Dieter

Hello, I need to make the field Office (physicalDeliveryOfficeName) read-only for my users.

So, nobody can edit the own Office field.

How can I do it? 

Many thanks to everyone!

Piero

Hi, 

I have 5 DC in three different networks, and now I try to update a secondary DC from Windows Server 2008 R2 sp1 to Windows Server 2012 R2 Std.

Domain and Forest functional level are: Windows Server 2008 (not R2)

All DC are VM on Microsoft Hyper-V.

I attached the Windows Server 2012 ISO file to the CD on the secondary DC, and I try to run the command from command prompt run as administrator: 

d:\support\adprep\adprep /forestprep

But I receive a popup with this error:

D:\support\adprep\adprep.exe /forestprep is not a valid Win32 application

And in the command prompt I see the error:

access is denaided.

The user that run the command is member of: Domains Admin (principal), Schema Admin and Enterprise Admin

All DC are Windows Server 2008 R2 sp1 x64 

Thanks for the support.

Marco

I have setup with single forest and 4 domain and we have separated a domain from our infra. So we want to restrict that particular domain to access all other 3 domains in the same forest. 

Ie - Forest 1: Domain 1, domain 2, domain 3 domain 4.

Here domain 4 should not have any access to other domain even administrators can't access the remaining.

I have removed enterprise admin access for Domain 4 admins and removed the privilege from built-in administrators. Let me if any other missing parts and do required any GPO to restrict parentally 

Is there any tool regarding these?

Thanks

Hello,

we have 2 DC's. server2(not a fsmo owner) is turned off about a mounth.

server1(fsmo owner) worked fine but after reboot it doesn't. Event id shows DNS events 4000 and 4007.

DNS snap in throws Access denied. Both servers have same problem. OS on both Win2008R2

DNS servers on Server1 NIC configured with primary dns his own ip, secondary 127.0.0.1

How can I fix primary DC dns service?

Tried this https://support.microsoft.com/en-us/help/2751452/dns-zones-do-not-load-event-4000-4007

but no luck.

Hi,

We have two accounts for one person, one account the is regular RDP user, and another account the has local admin rights.

The users typically RDP into a server with the regular account, and are prompted for admin credentials if they need to do some admin tasks. Now since this adm account does not get prompted to change password, and do not get any notification since they do not login with RDP how can I they change their password.

What we will do is run a script(that sends an email) that tells them that the ADM account password is soon to expire, please change the password. We don`t have any 3 part self service portal, and we are not looking to pay for anything. I know they can off course use RDP with their ADM account and then change the password, but is there another way. Anyone setup for example a web page where you type in username +old passord + new password ?

Another customer have the following solution if your password has expired you must do a RDP to a Windows 2008 server with your ADM account, and then login, right away you are prompted to change the password right away, after we have changed the password we are automatically denied login so that server is only for changing password.

Suggestions :) ?

Thanks for reply

/Regards Andreas

We will be deploying a new resource domain and need to setup a one way Active Directory trust.

I think I will have to setup DNS resolution which I plan to do by implementing conditional forwarding in our user domain. So that will require DNS port to be opened. So should that be port 53 both tcp and udp?

I also will need to open ports for the trust to work. MS article lists all the below ports:-

I think I don't need the port 123 as all clients will be syncing time with user domain servers.

Do I need all other ports to be opened as users won't be logging onto the resource domain?

From my understanding when the user tries to access a resource (lets say network file share) then the resource domain server will try to authenticate the user against its domain controller(DC) and then the resource domain DC will send a referral to the server and ask it to check against the user domain DC. So basically the resource server acts as the client for the user domain DC. And thus would these rpc dynamic ports will need to be opened from the resource domain subnet to the user domain DCs?

From user domain DCs -> resource domain DCs will I only need to open following ports only:-

53   TCP/UDP  DNS
135  TCP      Portmapper 
88   TCP/UDP  Kerberos
389  TCP/UDP  LDAP
445  TCP      SMB
636  TCP      LDAP (SSL)
Net Logon fixed port     TCP    For object picker to work

What are other things to consider?

We renamed a domain years ago, and had no problems issuing updated certificates from the Enterprise root CA. We need to add a new template so I right-click on the "Certificate Templates" node in the CA console and choose Manage. The following error is displayed.

"Windows encountered problems enumerating Writable Domain Controllers for the <old domain name> Domain. The specified domain either does not exist or could not be contacted. Certificate templates are not available."

We have a web server that uses AD LDS for managing tabs, roles, security, etc. running on Windows Server 2016.

I am currently having an issue backing up AD LDS using the DSDBUTIL.  It has been running for years but has recently started having problems and fails to write the backup either to a network share or a local folder (I have tried both during troubleshooting).  Also I cannot correlate when it started failing to any server or application changes.   

When attempting to run a bat file that contains the DSDBUTIL command, the ADAM (INSTANCE-NAME) Writer reverts to the FAILED State as shown below.

Writer name: 'ADAM (INSTANCE-NAME) Writer'

The writer also reports the following error when trying to do the backup:

A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error.  If the backup process is retried,

the error is likely to reoccur.

Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer.

If anyone can point me in the right direction it would be appreciated.  We also have a replicated instance of the same web server and the backup using DSDBUTIL works fine from there.  I have also tried using Windows Backup but it also fails, causing the ADAM (INSTANCE-NAME) Writer to fail again.  I have to restart the ADAM (INSTANCE-NAME) service to place the writer back in the READY state.

Thanks 

What are the use of subject line file? is this a malware, does we need to remove this file?

File path is:

c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{67EF97E0-B25F-41B6-B602-53B23C6773FE}\MpKslf330f016.sys

C:\Windows\system32\drivers\MpKsld3f76d24.sys

Hello!

We’re updating an 2008r2 DC environment (2 DCs) to 2016 but after installing the new 2016 server and promoted it to Domain Controller we get this error when we run Nltest /dsregdns:
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

We have transferred the fsmo roles to the 2016 server and demoted and shutdown the old 2008r2 server, installed another 2016 server and promoted it to Doman controller. But when running the Nltest /dsregdns: we get the error on the second DC, if we transfer the PDC to the second DC the Nltest /dsregdns command is Ok on the second (logic), but if we run it on the first DC it will fail again.

We do not see any other errors in the EventViewer.
We have checked the DNS but can’t see anything wrong, we have tried deletes and let it recreate the DC’s entry’s but it seems not to help, and we can see that the DNS works fine.
No SPN doublets or mismatches.
Sites and services look fine.

I got the same problem in my lab VM environment (separated) when I tried to go from 2012r2 to 2016 and the only related thig I can think of is that the two environment is isolated and not connected to internet and Windows is not registered, but we register it in the real environment but it did not help.

Any help is appreciated, I think we have read most of the articles about it but nothing seems to apply.
Thanks, Peter