Password Expiry Dates Incorrect using Net User


Recently a colleague had been setting up a fine-grained password policy. She was a little concerned that it didn't appear to be applying properly, and as we worked through it, it became obvious that it was working as expected but the tool she was using to check was giving incorrect results.

I am hoping I can establish what is happening:

Fine-grained Password Policy enables the password for 365 days (this is just testing).

This PowerShell command returns the correct expiry date:

Get-ADUser -Identity <samaccountname> -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

When run on a DC (which I believe is also the PDC emulator and a GC), net user returns a date in the past (when the GPO DDP policy should have expired the password):

net user <samaccountname> /domain

I can't post the images of the output.

"Body text cannot contain images or links until we are able to verify your account."

I am intrigued as to why the net user command returns such an incorrect value.

Ian
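An added PowerShell example (not the poster's code) that puts the candidate expiry dates for one account side by side: the value the DC computes itself, pwdLastSet plus the resultant fine-grained policy's maximum age, pwdLastSet plus the domain default policy's maximum age, and the line net user prints. If the net user date lines up with the default-policy row rather than the PSO row, the tool is not applying the fine-grained policy. It assumes the ActiveDirectory RSAT module and uses the placeholder account name 'jdoe':

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) is installed and the caller can read the user and PSO objects.
function Get-PasswordExpiryComparison {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $props = @('pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires')
    $user = Get-ADUser -Identity $SamAccountName -Properties $props
    $pwdLastSet = [datetime]::FromFileTime([long]$user.pwdLastSet)

    # 1. The value the DC computes itself; it honours the resultant PSO and the
    #    "password never expires" flag. 0 means "must change at next logon",
    #    Int64.MaxValue means "never".
    $raw = [long]$user.'msDS-UserPasswordExpiryTimeComputed'
    if ($raw -eq 0) { $dcComputed = 'must change at next logon' }
    elseif ($raw -eq [long]::MaxValue) { $dcComputed = 'never' }
    else { $dcComputed = [datetime]::FromFileTime($raw) }

    # 2. pwdLastSet plus the maximum age of the resultant fine-grained policy.
    #    The cmdlet returns nothing when no PSO applies to the user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $fromPso = $pwdLastSet + $pso.MaxPasswordAge }
    else      { $fromPso = 'no PSO applies' }

    # 3. pwdLastSet plus the maximum age of the domain-wide default policy.
    #    Guard against "never" (zero or TimeSpan.MaxValue), which would overflow.
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    if ($maxAge -le [timespan]::Zero -or $maxAge -eq [timespan]::MaxValue) { $fromDefault = 'never' }
    else { $fromDefault = $pwdLastSet + $maxAge }

    # 4. What net user prints for the same account, for direct comparison.
    $netUserLine = (net user $SamAccountName /domain 2>$null) |
        Where-Object { $_ -match '^Password expires' }

    [pscustomobject]@{
        User              = $user.SamAccountName
        PwdLastSet        = $pwdLastSet
        NeverExpiresFlag  = $user.PasswordNeverExpires
        ResultantPso      = if ($pso) { $pso.Name } else { $null }
        DcComputedExpiry  = $dcComputed
        ExpiryFromPso     = $fromPso
        ExpiryFromDefault = $fromDefault
        NetUserLine       = $netUserLine
    }
}

# 'jdoe' is a placeholder; substitute the account under test.
Get-PasswordExpiryComparison -SamAccountName 'jdoe' | Format-List
```

Run it on a DC (or any domain-joined host with RSAT) as an account that can read the msDS-PasswordSettings objects; a non-privileged account may see an empty ResultantPso even when one applies.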


Azure AD Connect stopped after update to Server 2019 from Server 2016

We use a hybrid Azure AD Connect to sync our on-premises AD to our Office 365 online system. Everything worked great until we updated our 2016 server to 2019. The sync is broken and the AD Connect program shows an error that "no changes can be made at this time". I tried a reinstall (no luck). The services are running. I have seen differing opinions on whether Server 2019 Standard supports Azure AD Connect. What do we need to change/load/etc. to make this work again?

PCs Failing to join the domain


Hey All

I am having quite a few issues with my DC. I came in today to join 20 PCs back to the domain, and when I try to join them I get an error: "The following error occurred attempting to join the domain "DOMAINNAME": cannot complete this function."

Now there are some errors in the following areas:

*The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner SERVER.Domain. (This was a failed secondary domain controller that we never brought back online.)

*This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected. I have run netdom query /domain:"NAME" fsmo; this comes back with all the roles on my current DC.

*DNS has this warning every now and then: "The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed."

I am just really stuck with this one and need to get all these PCs back onto the domain.


Convert Domain controller 2008 R2 to windows server 2019

Currently our domain controller is running Windows Server 2008 R2 and the domain functional level is 2003. Now we want to convert our domain controller to Windows Server 2019. Is this possible? Thanks in advance.

Single Domain with no trusts - why do I have Foreign Security Principals


I am cleaning up an old AD which has been around since the days of NT4 and SBS. 

I have a bunch of well known security principals in the FSP container.

This is a single domain, no trusts (but synced to Azure AD and in hybrid Exchange).

Foreign Security Principals

None of them have any backlinks. 

no backlinks

Just wondering whether to delete them?


CarolChi

can't add users from Domain


I have 2 servers. Server A is running AD, DHCP, DNS, etc., and shows as healthy. No errors in Server Manager and no errors in the Event Log. Server B is running 2016. Yes, it is joined to the Server A domain (called lab.net).

From Server B I go into USERS.  I try to add the Domain Admins from Lab.net but it does not see lab.net.  It only sees itself.

What can cause that?


mqh7

MpKsld3f76d24.sys


What is the use of the file in the subject line? Is this malware? Do we need to remove this file?

The file paths are:

c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{67EF97E0-B25F-41B6-B602-53B23C6773FE}\MpKslf330f016.sys

C:\Windows\system32\drivers\MpKsld3f76d24.sys

2008R2 DC to 2019


Hi,

Do I need to change FRS to DFSR before I upgrade our DC to Server 2019?

I have been researching and am not sure why and how.

Please advise.


Hard disk error

Hi all,

I'm promoting a Server 2012 R2 domain controller. During the prerequisites check, it returns the error "Verification of prerequisites for Domain Controller promotion failed. The folder U:\windows\ntds does not refer to a valid hard disk. Select a folder on a hard disk drive".

If I set the path to the C: drive it works just fine. My U: drive is NTFS formatted, attached from a LUN. Is there any requirement in terms of HD type/format?

w32tm /query /peers /verbose - LastSyncError: 0x800706FD (The trust relationship between this workstation and the primary domain failed. )


I am having a time synchronization issue with one of my child domain controllers. In my environment we have 1 forest and 2 child domains. The external time source is defined on the forest PDC. The time synchronization issue occurs on one child domain controller. Below is the error for reference and further troubleshooting:

Domain Controllers: 2012 r2, FFL & DFL: 2008R2

C:\Windows\system32>w32tm /query /peers /verbose
#Peers: 1

Peer:
State: Pending
Time Remaining: 12426.5742052s
Mode: 0 (reserved)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 0 (unspecified)
Last Successful Sync Time: (null)
LastSyncError: 0x800706FD (The trust relationship between this workstation and t
he primary domain failed. )
LastSyncErrorMsgId: 0x0000005C (The peer is unreachable. )
AuthTypeMsgId: 0x0000005A (NoAuth )
Resolve Attempts: 5
ValidDataCounter: 0
Reachability: 0


Regards, Sarfraz Aslam

PDC not loading NTP Time source and defaults to local CMOS?


Good morning,
I have a darksite environment with 2 domain controllers, both virtualized Windows Server 2012 R2.
The servers are multihomed with 2 interfaces:
1 to the workstation network and 1 to the server network.
For NTP purposes, access to an external time server (still one inside the company) is made available.
I configured NTP on the PDC according to this document:
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

I entered 2 IP addresses instead of DNS names. Because I directly entered IP addresses I did not append ,0x1 or anything else.

Output of the following commands on the PDC:
1. w32tm /resync: Sending resync command to local computer
The computer did not resync because no time data was available

2. w32tm /monitor
PDCSERVERNAME *** PDC*** [ID]:
ICMP: 0ms delay
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
2ndDCNAME [ip:port]:
NTP: error ERROR_TIMEOUT - no response from server in 1000ms

3. w32tm /query /status:
more data
Source:local CMOS Clock
more data

4. w32tm /stripchart /computer:EXTERNAL NTP ADDRESS /dataonly /samples:5:
The current time is date and time
time, +12.4288498s
time, +12.4249894s
etc...

My conclusion: for an unknown reason the configuration is not picked up and the configuration defaults back to the local CMOS clock?

How to make the PDC sync with this time source?
If it gets the time with test 4, does that mean it has enough access to the time source, or can there be a firewall port issue or some authentication issue that makes test 4 return data but not work for synchronization?

Kind regards,

EFS - HowTo Recover a file with DRA (Data Recovery Agent)


Hello. Please, I need your help to learn how to decrypt files using DRA certificate. I did these steps:

- I created a Data Recovery Agent Certificate using cipher.exe /r:<filename> in my domain controller logged in as "administrator".
- I added in the default domain policy the Data Recovery Agent using the new certificate.
- I ran gpupdate /force in my client.
- I encrypted a text file (just the file not the folder).
- In the file's advanced details, after the encryption, I can see the correct thumbprint of the DRA under "Recovery certificates for this file" (the thumbprint that I see matches the thumbprint of the certificate I generated in the first step).

From here, what am I supposed to do to recover the file using the DRA certificate?

I tried to:
- Log in to a client as a user
- Run MMC.exe as mydomain\administrator (runas.exe) and import the DRA .pfx into the user's (administrator) personal store
- Run cmd.exe as mydomain\administrator and run cipher.exe /d <filename> to try to decrypt the file: ERR "Access denied"
- I also tried to log in interactively to the client as mydomain\administrator and repeat the above steps, but the same thing happens.

What's wrong in my procedure please?

Thank you very much.


Francesco B.


Cannot login to windows 2016 domain controller - the user has not been granted the requested logon type at this computer.


Hello,

Been grappling with a problem for some time now:

We have a parent domain and a child domain with domain admin accounts in both domains.

Both domains contain two domain controllers each.

We recently performed an activity and upgraded all our domain controllers to Server 2016. The process we followed to "upgrade" the domain controllers was - joined the Server 2016 machines to the domains, then promoted these 2016 machines as domain controllers.

The older (Server 2012 R2) machines were demoted gracefully.

However, after this activity, we cannot log in to the child domain's domain controllers using the domain admin accounts in the child domain. The only way to log in to these domain controllers is through the domain admin accounts in the parent domain.

We get the following error in the login screen:

You must be granted the Allow log on through the Remote Desktop Services Right.

We have verified that the account used to attempt a login to the domain controller is a member of the domain admins group and has the "Allow logon locally", "Access this computer from the network", "Allow logon through remote desktop services" privileges.

Any help or leads to help with this problem is greatly appreciated.

Cheers!

Two coexisting domain controllers in one forest xyz.com and xyz.local

Hello, in my network I have a domain controller in the tree xyz.com (W2012). Now I have the idea to configure another domain controller and a second tree with the name xyz.local (W2016) and set up a trust relationship between these two controllers in the forest. And then I will migrate users to the new domain.
I've heard I can't use the name xyz.local when I use xyz.com because it's a suffix. But I don't see a problem. Am I wrong?

Average user login able to access two different domains


Hello,

I have two stores and I've been asked to move a user to another store but keep her login, Exchange account, phone extension, etc. I'll try to describe this the best way I can. Bear with me.

Store 1 is parent domain and Company A, it has the global catalog and everything routes through this domain. 

Store 2 is the child domain if you will, Company B, it is within Store 1's umbrella. 

The user is at Store 2 currently and is an average user. She makes/takes phone calls and uses web-based applications. For all intents and purposes she would be a Company B user operating at Company A. Without making her some level of admin, how is this done without replication issues? I guess I won't worry about the phone stuff until I have my head wrapped around her login access.

I could add her as a new user at Store 1 without an Exchange account and then get into the mail flow settings and link her Exchange account from Store 2, and copy her Company B files and transfer them to her Company A folders.

Thoughts? Am I on the right track? Not sure why they decided to make this move on a Friday *angry face*

Server2016 


Is Microsoft Windows Server 2012 R2 compatible with Windows 10 clients?


Hello

Is Microsoft Windows Server 2012 R2 compatible with Windows 10 clients?

My problem is especially about Software Policies: I can't make a .exe file run without it asking for the administrator password.

On a few remaining very old XPs it's working, but on the new Win 10s it is not.

My Software policy is: "Software will not run, regardless of the access rights of the user." and then I allow specific apps to run from "Additional rules"

Thank you.

How Dangerous would be allowing Domain Users to log on Locally to Domain Controllers?

I am now very confused about this concept, so what will happen if we allow Domain Users to log on to Domain Controllers?

Cannot Get GPO to work from Server 2012 R2


Hi, I'm trying to prevent users in our domain from changing the screensavers on our Windows 10 workstations. I set up a group policy called 'Restrict Screen Saver', rooted at the domain level and security filtered to the user that I would like it to affect. The GPO was set up as follows in the GPMC portion of AD.

User Configuration > Administrative Templates > Control Panel > Personalization. Prevent changing screensaver - Enabled.

For testing reasons there is only one user in the GPO scope Security Filtering. The policy is enabled and enforced and the link is enabled. Delegation shows that the policy is enabled for the user in the Security Filtering scope. At this point the scope only consists of one test user. I guess what I need to know is how to properly set up the scope of this policy to get it to work. I only want this to affect certain users, so I have to ask:

1. Is this policy supposed to be set at the domain level, or can I apply it to lower OUs?

2. Is the Security filtering portion under the Scope supposed to have users or machines?

3. If I only want certain users to be affected by this policy, should Authenticated Users be part of the security filtering?

4. Is the policy path correct to prevent users from changing the screensaver?



Support analyst

New AD environment, users are unable to change passwords. Administrators are able to do so through ADUC.

On a newly created 2019 AD domain, users are not able to change their passwords. As part of the troubleshooting, the Default Domain policy and Default Domain Controller policy have been recreated. Even after changing the minimum password age to 0, the user is not able to change password due to: "Unable to update the password.  The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

LDAPS and NTDS\Personal Question


We want to implement LDAPS and duplicate the certs so we can use additional SAN names. So I have been looking at implementing the Cert for this and am a little confused. Following these.

https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/

and

https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

So you duplicate a cert that has Server Authentication. I get it. The links also say you should normally only have 1 cert with this in the DC's personal store. All the DCs have two that have this: Kerberos Authentication and Domain Controller Authentication. These are added automatically, so when they say you should only have 1, is that just one that you would add, and not those that are already there from making it a DC?

     "You should be planning on having only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of Server Authentication. "

So when I duplicate the Kerberos cert and call it say LDAPSSL like in the guide, after you export this from the personal store and import it into the NTDS\Personal, do you delete the one in the local personal that you added? If so is changing the security right like below still needed? I guess what is confusing is both sites say to me different things.

     "Add new ACE’s for each of the special DC’s (or possibly a security group with them in) that are to receive the custom certificates and ensure they have the “Read" and "Enroll” security right only.     Check that no other entries include Enroll or Autoenroll except administrative user groups. Make sure you enable "Computer Objects" in the select objects prompt."

    "Now that our new template for the "special" DC's is ready to go, open the original “Kerberos Authentication” template and the security tab. Add the Deny “Enroll” and "Auto Enroll" right to the     special DC’s you are giving custom certificates to. This will stop them from getting the standard Kerberos Authentication certificates during the auto enrolment process."

I am guessing that you are adding Enroll on the new cert and denying it on the original Kerberos cert because it is being left here and you want clients to use one over the other? If

When creating the new cert, is there any recommendation on what to select for the CSP or KSP? DCs are 2016 and most clients are W10 except for some W7. Any harm in just keeping it CSP? Honestly, I'm just not sure how to choose on this. The rest of the options I get.

The only other thing is the auto-renewals. Do I understand correctly that when using NTDS\Personal the cert will not auto-renew?

Thx

