I'm currently using ADFS to provide SSO to SharePoint Online sites for users within the organisation. There is now a plan to have one of those sites integrate with an internally hosted (on-prem) web service that is also to be published externally through
ADFS. Is there a way to get the ADFS to work so that once logged into the SharePoint Online site, the user is also authenticated for the web service?
↧
ADFS SSO
↧
Slow Domain Computer Logon - 2 to 5 Minute Hang On Welcome Screen
We've got a mix of people who are and are not experiencing this issue currently.
I've turned on verbose messages to figure out what process is causing it to hang but when I turned it on, it simply showed Welcome for 4 minutes and then when it loaded the profile/gpo/ect. everything went through about as fast as you would normally expect. I'm not sure what could be causing the hang at "Welcome" but I wanted to ask what things I could try to potentially log what exactly is happening at that point in time or potentially known issues. All computers experiencing the issue are on Windows 10 and there is a bit of a mix of OS version but mostly this is seen happening on OS 17134.
So far we've tried removing profile paths, resetting ip stack/dns, I tried to get the log in event viewer -> Applications and Services Logs, Microsoft, Windows, Diagnostics-Performance to show something, but it hasn't recorded any events. I'm not positive on how to set it up differently then default, however. I read that it dealt with regedit and this path -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\ but I have no idea what each of these would actually do unfortunately.
I also have the performance tools from the SDK installed, but I'm not sure how to interpret the information it has given.
Any help with this is greatly appreciated.
↧
↧
Domain admin limit
Hello All,
is there a way to limit the number of Domain ADmin in a envioronment
in our environment we can add only 20 member as Domain Admin, for the 21st can be added and he reflecting as DA, but not able to login to any DC, its same error no access
how can we check this.
regards
Aamir Masthan
NA
↧
Active Directory Site Without Domain Controllers
We have a remote site with only 6 computers, connected via site-to-site VPN. We decided we won't put a DC in this location--users will have to authenticate over the VPN. Even though we don't have DC's at this site, we still want group policies to apply just to this one location.
Question: is it reasonable/responsible to create an Active Directory site for this remote office, that will have no DCs, yet still apply group policies to this office at the site level using the site node in group policy management console? Any reason why that wouldn't work?
↧
MpKsld3f76d24.sys
What are the use of subject line file? is this a malware, does we need to remove this file?
File path is:
c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{67EF97E0-B25F-41B6-B602-53B23C6773FE}\MpKslf330f016.sys
C:\Windows\system32\drivers\MpKsld3f76d24.sys
↧
↧
w32tm /query /peers /verbose - LastSyncError: 0x800706FD (The trust relationship between this workstation and t he primary domain failed. )
I am having time synchronization issue from one of my child domain controllers. In my environment we have 1 forest and 02 child domain. External time source defined on Forest PDC. Time synchronization issue occur on 01 child domain controllers. Below is an error for reference and further troubleshooting:
Domain Controllers: 2012 r2, FFL & DFL: 2008R2
C:\Windows\system32>w32tm /query /peers /verbose
#Peers: 1
Peer:
State: Pending
Time Remaining: 12426.5742052s
Mode: 0 (reserved)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 0 (unspecified)
Last Successful Sync Time: (null)
LastSyncError: 0x800706FD (The trust relationship between this workstation and t
he primary domain failed. )
LastSyncErrorMsgId: 0x0000005C (The peer is unreachable. )
AuthTypeMsgId: 0x0000005A (NoAuth )
Resolve Attempts: 5
ValidDataCounter: 0
Reachability: 0
Regards, Sarfraz Aslam
↧
2008R2 DC to 2019
Hi,
do I need to change the FRS to DFRS before I upgrade our DC to server 2019?
I have been researching and not sure why and how?
please advise.
↧
AD DS replication between DCs from different domains in the same Forrest
Hello,
I am learning about AD DS and I have a following question.
I understand that:
AD DS has these partitions:
a) Schema, b) configuration, c) domain, d) application (e.g. DNS)
Only DC which holds Schema FSMO role has RW copy of Schema partition, other DCs have RO copy of Schema partition
every DC in the forest has RW copy of configuration partition
every DC from the concrete domain has RW copy of domain partition
application partition can be set up with different scope (domain, forest)
Do I understand it right?
Then my question is about replication If:
I have two domains in the forest: domain1 and domain2
I have four sites in the forest: Site1, Site2, Site3, Site4
In the Site1 there are two DCs (DC1 and DC2) from domain1
In the Site2 there are two DCs (DC3 and DC4) from domain1
In the Site3 there are two DCs (DC5 and DC6) from domain2
In the Site4 there are two DCs (DC7 and DC8) from domain2
In AD Sites and services replication between Site1 and Site2 will be:
Site1 - Intrasite replication between DC1 and DC2 is set up automatically
Site1 - There will be automatically chosen Bridgehead server
Site2 - Intrasite replication between DC3 and DC4 is set up automatically
Site2- There will be automatically chosen Bridgehead server
Then I will create Site link between Site 1 and Site 2 (I know that I also have to configure subnets for sites)
In AD Sites and services replication between Site3 and Site4 will be:
Site3 - Intrasite replication between DC5 and DC6 is set up automatically
Site3 - There will be automatically chosen Bridgehead server
Site4 - Intrasite replication between DC7 and DC8 is set up automatically
Site4- There will be automatically chosen Bridgehead server
Then I will create Site link between Site 3 and Site 4 (I know that I also have to configure subnets for sites)
Finally my question is: Do I have to set up replication (site link) between Site1, Site2 where are DCs from domain1 and Site3 and Site4 where are Dcs from domain2 If there are domain controllers from different domains?From my understanding I do not have to do that in order to make sure that other partitions (schema, configuration and application) will be replicated to DCs in different domain, am I right?
I am just learning and trying to understand AD replication topology, I will be glad for explanation.
Thank you.
↧
Sites and Services Best Practice question
I have 4 Sites.
Each Site has a DC.
Under each DC's NTDS Settings there are 3 Connections i.e. one to each of the other DCs.
Inter-site links are reliable and have good bandwidth i.e. 50Mb or above.
All 4 Sites are in a single Site Link with a Cost of 100 and a Replication Interval of 30 minutes.
Is this setup optimal, especially in terms of the single Site Link setup?
↧
↧
Unable to accessed sysvol and netlogon folder on windows server 2016 and on windows server 2019
Hi,
We have two domain controller, one is windows server 2012 (DC) and another is windows server 2008 R2 servers. we have installed and configured AD service on windows server 2019, but sysvol and netlogon folders not replicated on the same and not even shared it.
We also tried to accessed shared Sysvol and netlogon folders on windows server 2019 and 2016 (member servers) it showing "access is denied" and asking for credentials.
but on other members servers it is accessible (windows server 2012 / 2008/ 2008 R2).
Please help me to resolve this issue.
thanks in advance !!!
Regards, Prashant
↧
LDAPS and NTDS\Personal Question
We want to implement LDAPS and duplicate the certs so we can use additional SAN names. So I have been looking at implementing the Cert for this and am a little confused. Following these.
https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/
and
So you duplicate a cert that has Server Authentication. I get it. The links also say you should normally only have 1 cert that has this in the DCs personal store. All the DCS have two that have this. Kerberos Auth and Domain Controller Auth. These are added automatically so when they say you should only have 1 is that just one that you would add and not those that are already there from making it a DC?"You should be planning on having only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of Server Authentication. "
So when I duplicate the Kerberos cert and call it say LDAPSSL like in the guide, after you export this from the personal store and import it into the NTDS\Personal, do you delete the one in the local personal that you added? If so is changing the security right like below still needed? I guess what is confusing is both sites say to me different things.
"Add new ACE’s for each of the special DC’s (or possibly a security group with them in) that are to receive the custom certificates and ensure they have the “Read" and "Enroll” security right only. Check that no other entries include Enroll or Autoenroll except administrative user groups. Make sure you enable "Computer Objects" in the select objects prompt."
"Now that our new template for the "special" DC's is ready to go, open the original “Kerberos Authentication” template and the security tab. Add the Deny “Enroll” and "Auto Enroll" right to the special DC’s you are giving custom certificates to. This will stop them from getting the standard Kerberos Authentication certificates during the auto enrolment process."
I am guessing that you are adding enroll on the new cert and denying it on the original kerberos cert because it is being left here and you want clients to use one over the other? If
When creating the new cert is there any recommendation on what to select for the CSP or KSP? DCs are 2016 and most clients are W10 except for some W7. Any harm in just keeping it CSP. Honestly just not sure how to choose on this. Rest of the options I get.
Thx
↧
DC Promo 2016 server created duplicate SVR records in DNS
Hi all,
I know how to fix the issue. This is a link to that process.
How important is it that I do it immediately? Everything seems to be working fine and I don't see any issues other than duplicate SVR entries.
Thank you
Charles
↧
Does the Active Directory attribute msDS-AuthenticatedAtDC (forward link) have a time to live value
Do you know if the linked value msDS-AuthenticatedAtDC (on the user) timeout after a period of time (e.g. TTL)
What I mean by this say a user called Fred authenticates via RODC01 (for example he logs onto a PC at the site hosting RODC01) the attribute on his user object (which is the forward link) will show he authenticated at RODC01.
How lets say he goes back to his main office and does not return to the site containing RODC01 and two years have passed. If I look at Fred user account will RODC01 still show up under msDS-AuthenticatedAtDC ?
I know when he Fred changes his password at a read-write DC, his password cashed on RODC01 wull be removed. However what about msDS-AuthenticatedAtDC is that updated at any point so his RODC01 no longer show up?
Thanks, please email me
cxmelga
What I mean by this say a user called Fred authenticates via RODC01 (for example he logs onto a PC at the site hosting RODC01) the attribute on his user object (which is the forward link) will show he authenticated at RODC01.
How lets say he goes back to his main office and does not return to the site containing RODC01 and two years have passed. If I look at Fred user account will RODC01 still show up under msDS-AuthenticatedAtDC ?
I know when he Fred changes his password at a read-write DC, his password cashed on RODC01 wull be removed. However what about msDS-AuthenticatedAtDC is that updated at any point so his RODC01 no longer show up?
Thanks, please email me
cxmelga
↧
↧
I can´t enable sIDHistory
Hello everyone.
I am migrating from domain 1 to domain 2. I have configured everything as it comes in the ADMT guide and when I migrate users keep the sidHistory attribute in the new domain, computer migrations work correctly, passwords ....
The problem is that users cannot access the resources of the old domain. I do the following:
1º (in Dom2 DC) Netdom trust dom2 /D:dom1 /quarantine:No /userD:AdminDom2 /passwordD:PassDom2
The answer is that there is no SID filtering. So far so good.
2º (in Dom1 DC) Netdom trust dom1 /D:dom2 /enablesidhistory:yes /userD:AdminDom1 /passwordD:PassDom1
Here is the problem, it always returns that the sidhistory is disabled for this trust. It's like something prevents me from enabling it but I don't know what it is.
Anyone who has happened or know that I may be forgetting?
Thanks!!!!!
↧
PDC not loading NTP Time source and defaults to local CMOS?
Good morning,
I have a darksite environment with 2 Domain controllers both virtualized Windows server 2012 R2.
Servers are multihomed with 2 interfaces.
1 to workstation network and 1 to server network
For ntp purpose access to an external time server (Still one inside the company) is made available.
I configured NTP on the PDC according to this document:
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server
I entered 2 ip adresses instead of DNS names. Because I directly entered IP adressen I did not append ,0x1 or something else.
Output of the following commands on the PDC:
1. w32tm /resync: Sending resync command to local computer
The computer did not resync because no time data was available
2. w32tm /monitor
PDCSERVERNAME *** PDC*** [ID]:
ICMP: 0ms delay
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
2ndDCNAME [ip:port]:
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
3. w32tm /query status:
more data
Source:local CMOS Clock
more data
4. w32tm /stripchart /computer:EXTERNAL NTP ADDRESS /dataonly /samples:5:
The current time is date and time
time, +12.4288498s
time, +12.4249894s
etc...
My conclusion for an unknown reason the configuration is not picket up and the configuration defaults back to local CMOS?
How to make the PDC sync with this time source?
If it gets the time with test 4, does that mean it has enough access to the time source or can there be a firewall port issue or some authentication issue that makes test 4 to return data but not work for synchronization?
Kind regards,
↧
Old Domain/Forest still has SBS 2003 things in it, can I remove those?
Hi,
We recently setup Azure AD sync in our Windows 2016 network. We are getting notifications about some administrative templates from SBS 2003 not synchronizing to Azure.
They show up under MyBusiness -> SBSUsers I am pretty sure we no longer use any of this and I would rather just remove it if possible but is there any way to find orphaned and no longer used objects in your AD just so I can be sure that it's not in use?
Thanks.
↧
Delete AD Group/Members
Hi All
I have AD groups in csv file, i want to delete all the members of that groups. Will the below syntax help me.
Below is my csv file(there is space between Group and 01)
GroupName
Group 01
Group 02
Group 03
$groups=import-csv "C:\myadgroups.csv"
foreach($group in $groups)
{
Get-ADGroupMember -Identity $group.GroupName | %{Remove-ADGroupMember -Identity $group.GroupName -Members $_.userprincipalname -Confirm:$false}
}If i need to delete group members for a single AD group will the below syntax help me.
Get-ADGroupMember -Identity "Group 01" | %{Remove-ADGroupMember -Identity "Group 01" -Members $_.userprincipalname -Confirm:$false}If i need to delete AD groups will the below syntax help me
import-csv "C:\myadgroups.csv" | %{ Remove-ADGroup -Identity $_."GroupName" -Confirm:$false}↧
↧
LDAP SSL in AD
Hi,
we are planning to use LDAP SSL connections with LB VIP wherein will have 4 DCs. My colleague has generated the CSR from each of those DCs with LDAPS.corpnet.domain.com and SiteA-DC1.corpnet.domain.com. He did this same for each individual DCs.
My point where is the HA when we are having one certificate with LDAPS.corpnet.domain.com and SiteA-DC1.corpnet.domain.com, if anyhow in future something bad happens with that DC then whole domain or any external app using ldaps cert. would have the certificate issue as other DCs is not in SAN name list.
My understanding that is to generate a CSR from one DC with SAN name including other DCs as well. Then after installing the certificate in one DC where the CSR was generated, export the certificate from there and import it to other DCs.
Any suggestions?
Thanks
Rajneesh Kumar MCSE - Server Infra, MCITP - SA, CNA
↧
Maximum Password Length
Hi,
May i know what is the minimum and maximum password length that a user can set for their mailbox in Exchange 2010, 2013, 2016 and also O365?
Regards
Jaya Prakash
↧
Convert a RODC to R/W domain controller
Hi
How we ca convert a RODC to R/W domain controller?
I have 3 RODC and I want to convert them by R/W without any impact .
D you have any idea please ?
↧