Channel: Directory Services forum

gpresult


Hi All,

I hope someone can help.

We are in the middle of a global migration rollout. I noticed through SET that the vast majority of users who were, and still are, having slow connections to the HQ site were logging into Domain Controllers that were in another country and not local to them.

Upon investigation I found a GPO that sets the policy System/Net Logon/DC Locator DNS Records - Try Next Closest Site. So I guess this issue might come from that setting? I have also checked Sites and Services and all the European sites have their cost set at 100. On the legacy domain they are all set differently and only HQ has the cost set at 100.

Does anyone know what might be the issue here? I need to get this resolved as a matter of urgency, as we cannot have client machines traversing the WAN for a connection that is hundreds, sometimes thousands, of miles away.

Any help would be greatly appreciated.

Regards.


Unable to delete object because specified attribute or value does not exist

I want to delete a user from Active Directory but it contains an object. As it turns out there is an ExchangeActiveSyncDevices object under the user object.

When I try to delete the ExchangeActiveSyncDevices object I get the following error:

Windows cannot delete ExchangeActiveSyncDevices because the specified directory service attribute or value does not exist.

If I go to properties > security I noticed that I am not an owner of the object. There are no permissions assigned to the object at all. I tried to get ownership of the object, but that is not possible.

How can I delete this object?

Elasticsearch Metricbeat Active Directory (AD) performance metrics (perfmon) yaml build


I created a thread in the Elasticsearch forums with the information below. From an MS perspective, is there any other info on the paths for Active Directory perfmon that I can look at? I've looked at a lot of the links that come up in these (TechNet) forums but they've provided very little insight on the proper info to put into my Metricbeat windows module yaml. Any insight would be appreciated.

Elasticsearch post:

I'm looking for a little guidance on how to build out the windows.yml module in Metricbeat. If this is being built out correctly we may need 3-4 lines to ship the Active Directory perfmon out. The issue that I'm having is that I'm not able to find a lot of specific info on AD perfmon, so if anyone has any links that I could be missing that would be appreciated. From my research it seems like these perfmon counters are also under NTDS, so I'm not sure how this fits into the syntax as well. I should be able to replicate what the memory section does, but that might not necessarily be the case. Overall we're trying to replicate some Splunk dashboards in Kibana but there isn't a specific app like there is in Splunk.

```yaml
# ########## Memory
    - instance_label: memory.name
      instance_name: memory.page.total.reads_sec
      measurement_label: memory.page.total.reads_sec
      query: '\Memory\Page Reads/sec'
```

```yaml
# ########## Active Directory
    - instance_label: ntds.name
      instance_name: ntds.ds.directory.reads_sec
      measurement_label: ?
      query: '\DS Directory Reads/sec'
```

Account lockout policy - where is it set?

Hi all,

I'm tasked with updating the password policy for our environment and created a new GPO to precede our current Default Domain Policy. However, when taking a closer look at the current policy, I noticed it only defines password settings and no lockouts (read: lockout policies are not defined, thus neither 'enabled' nor 'disabled' nor 0).

The description defines the default threshold to be 0, yet when I run "net accounts /domain" the results show there's a threshold of 3 with a duration of 30 and reset timer of 10...

The question is similar to https://social.technet.microsoft.com/Forums/en-US/b365a777-75f3-4fe6-802a-228873dfa478/accounts-get-locked-out-without-lock-out-policy but I find it fails to answer the question. The suggested answers ask to have a look at the default settings for undefined policies, which is 0 or in other words: "no lockout". This leads me to believe it is set SOMEWHERE...

Therefore, I have checked every GPO that is listed under Group Policy Objects under Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy, yet none of them seem to define these settings.

So my question becomes: where can I trace the origin of these settings? (IF there is a way to retrace this, because neither the GPResult wizard on the DC nor the gpresult command on the workstations show the lockout being set...)

Thanks in advance,
Robby

How to create Active Directory Trusts: "Realm" and "Shortcut"???


Hello,

I'd like to know how to create 2 types of trusts: Realm and Shortcut. Every article on the web touches on how to create forest or external trusts, oodles of them, but none tells how to build those remaining 2.

external and forest trust

This is the "standard" screen you get when trying to establish a trust: only 2 types there. On the web I found this screenshot:

realm trust

but God only knows how to get it. Where is the shortcut/realm trust option?

Anyone?

Group MSA DNS host name


Group Managed Service Accounts have been implemented in the domain. The gMSAs are running various SQL services on a number of servers but these are not in a SQL farm or cluster. This is OK, but on closer investigation the gMSAs have been given a DNS host name of the domain controller which holds all roles. (This is a very small shop, only 40 servers.)

Is this a security hole? I've done a lot with AD in the past and domain controllers were to be protected at all costs but this seems bad to me.

Any detailed explanations gratefully accepted.

Christopher

Server 2016 ADPrep Error When Promoting to a Domain Controller


Hi,

I'm getting this error when trying to promote a Server 2016 Standard server to a DC.

"ADPrep execution failed - System.ComponentModel.Win32Exception (0x80004005): A device attached to the system is not functioning."

The user account is a member of Enterprise Admins, Domain Admins, Schema Admins.

All DCs are online and I am able to log in to all of them remotely.

Current schema version is 77.

Remote Registry service is turned on.

Currently 6 DCs in the domain and all are 2012 R2.

Domain and Forest Functional levels are 2012 R2.

Here is the output of the adprep log file:

[2019/11/25:14:32:16.083]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20191125143216\ADPrep.log'
[2019/11/25:14:32:16.083]
Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.
[2019/11/25:14:32:16.098]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.098]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.098]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=****1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.099]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.099]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.099]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.111]
Adprep discovered the schema FSMO: ****1.****.****.
[2019/11/25:14:32:16.114]
Adprep connected to the schema FSMO: ****1.****.****.
[2019/11/25:14:32:16.114]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.115]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.115]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2019/11/25:14:32:16.115]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=****,DC=****.
[2019/11/25:14:32:16.115]
LDAP API ldap_search_s finished, return code is 0x0
[2019/11/25:14:32:16.115]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.115]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2019/11/25:14:32:16.116]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.116]
LDAP API ldap_search_s finished, return code is 0x0
[2019/11/25:14:32:16.127]
Adprep discovered the schema FSMO: ****1.****.****.
[2019/11/25:14:32:16.129]
Adprep connected to the schema FSMO: ****1.****.****.
[2019/11/25:14:32:16.130]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.130]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.131]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=****1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.131]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.131]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.131]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.132]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.132]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.132]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2019/11/25:14:32:16.132]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=UID,CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.133]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.133]
Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix Q293783 for SFU has been applied.
[2019/11/25:14:32:16.162]
Adprep successfully retrieved data from the Active Directory Domain Controller ****1.****.**** through WMI.
[2019/11/25:14:32:16.165]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.166]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.166]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=****1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.166]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.166]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.167]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.167]
Adprep is about to upgrade the Active Directory Schema on the Domain Controller ****1.****.****.
[2019/11/25:14:32:16.169]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.169]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.169]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2019/11/25:14:32:16.169]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=****,DC=****.
[2019/11/25:14:32:16.170]
LDAP API ldap_search_s finished, return code is 0x0
[2019/11/25:14:32:16.170]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.170]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2019/11/25:14:32:16.170]
Current Schema Version is 77
[2019/11/25:14:32:16.170]
Upgrading schema to version 87
[2019/11/25:14:32:16.292]
The command line passed to ldifde is ldifde -i -f "C:\Windows\system32\adprep\sch78.ldf" -s "****1.****.****" -h -j "C:\Windows\debug\adprep\logs\20191125143216" -$ "C:\Windows\system32\adprep\schupgrade.cat"
[2019/11/25:14:32:17.469]
ERROR: Import from file C:\Windows\system32\adprep\sch78.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20191125143216\ldif.err.78.



If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.
[2019/11/25:14:32:18.480]
ERROR: The directory service refused the request for schema upgrade: 81 (Server Down)



If the error code is "Insufficient Rights", make sure you supply a user who is a member of the schema admin group.
[2019/11/25:14:32:18.480]
Adprep was unable to upgrade the schema on the schema master.

[Status/Consequence]

The schema will not be restored to its original state.

[User Action]

Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20191125143216 directory for detailed information.
[2019/11/25:14:32:18.481]
Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20191125143216 directory for more information.

Cannot delete old SRV records of demoted DCs in DNS


Hello,

We are currently migrating old 2008 R2 DCs to 2019. The old DCs are demoted and new DCs with different names are installed. The new DCs get the IP addresses of the old DCs so that DNS name resolution is not broken.

I noticed that some of the old DCs still have dynamically registered SRV records in DNS, mainly under "_sites.dc._msdcs.<domain>.<suffix>".

I can find the _ldap and _kerberos entries for the new DCs but also for the old DCs. If I attempt to delete the old records I can do so successfully, but when I hit F5 the entries ARE BACK IMMEDIATELY. So it seems that the entries are not replicated back from somewhere or recreated by NETLOGON. It seems that they just aren't deleted properly.

We do not have scavenging turned on on _msdcs. I never had problems deleting this type of entry after demotions in the past. Does anybody have an idea what could be wrong?

Thanks for your help!

HarryNew


RPC 1722 error


Hi Experts,

We have the following network topology.

We have a single forest and single domain with multiple sites named NRA, JRN, HO, DC and CHL. All sites have their local domain controller (Windows Server 2012 R2).

When I run the command below I get the error below.

Command :

repadmin /replsummary

Error : 

```
Replication Summary Start Time: 2019-11-26 12:53:10

Beginning data collection for replication summary, this may take awhile:
  ............

Destination DSA     largest delta    fails/total %%   error
 ADC-CO-DOMAIN             04m:44s    0 /  10    0
 CSJRN-ADC                 29m:26s    0 /  10    0
 HO-ADC                    04m:14s    0 /  15    0
 HO-DC                     02m:04s    0 /  20    0
 JRN-DC                    57m:23s    0 /  10    0
 NRA-DC           >60 days           10 /  20   50  (1722) The RPC server is unavailable.

Experienced the following operational errors trying to retrieve replication information:
          58 - NRA-ADC.csaplho.pk
          58 - chl-dc.csaplho.pk
          58 - NRA-DC2.csaplho.pk
```

Our servers (NRA-ADC, NRA-DC2) are not operational and I will demote them in the future; however, NRA-DC is operational but, as mentioned above, we are facing the 1722 RPC network error.

Please guide us on how I can resolve this error.

Protocols or APIs to push and retrieve OpenSSL certificates

I'm looking for a way to push OpenSSL certificates into Active Directory, and then authenticate users using them. I'm looking for a programmatic, automated approach for this, although I can do this manually. At an enterprise level with more than 1500 users, it's not an easy thing to handle manually, therefore can anyone suggest a better way to do this?

I have a Windows 2016 server on a local machine and I'm authenticating WiFi users through it (RADIUS authentication).
My end target is to fetch AD certs, push them to mobile devices and then authenticate them automatically inside our WiFi network using our own MDM platform. But the certificates should be generated from OpenSSL and pushed to AD.


Vigneshan Seshamany


Environment Variables in rsop.msc


Hey

How can I tell if my computers in the DC retrieve the Environment Variables setting from a GPO?

I can't find it when I run rsop.msc

Thanks

Elad

mmc certificate request - "url" alternative name


What's this SAN type for? What's the syntax? Where is it documented?

Event ID 4521 : Warning DNS


Hello,

I have this issue; how do I resolve it?

I have checked in Active Directory and the zone does not exist.

Regards, 

Event Type:Warning
Event Source:DNS
Event Category:None
Event ID:4521
Date:
Time:
User:N/A
Computer:
Description:
The DNS server encountered error 32 attempting to load zone x.x.x from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.


gotti.francois@outlook.com

PSRemoting 0x80090322 error


Good afternoon,
I use PowerShell remoting a lot in my current project, but there is one server that does not allow me to connect:

Windows Server 2012 R2
PSVersion 4.0
Source and target are both member servers in the same domain.
Error: Connecting to remote server XXXXXXX failed with the following error message: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
- The user name or password specified are invalid.
- Kerberos is used when no authentication method and no user name are specified.
etc...

I tried many things:
When using the -credentials switch it's still not working.
When using the IP, it is still not working.
I compared SPNs with a working server with setspn -l servername and the entries on both servers are the same.
There are no events displayed on the target machine if I try to connect.
I tried to disable the firewall.
Using another source server makes no difference.

The problem is that I am not sure where to continue troubleshooting, because I don't know where to get more information out of the system about this problem.

Any ideas?

Windows 2000 / 2012 AD Trusts


Before anything, I am fully aware that Windows 2000 is NOT supported and has long been that way.

Notwithstanding, this client presently has a Domain which is still running on it and is being decommissioned.

The 2000 domain (Domain A) has a trust relationship with a Windows 2003 R2 domain (Domain B). Domain B is in the process of being upgraded to Windows 2012 R2 and presently has a mix of 2003 R2 and 2012 R2 DCs.

Using NETDOM to verify the trust, if the 2012 R2 DCs are switched off, everything reports back as successful and permissions assigned to folders in Domain A with Domain B users and groups are OK.

Once the 2012 DCs are powered back on, NETDOM can no longer verify the trust and gives an error stating 'the trust relationship between the primary domain and the trusted domain failed', and the assigned permissions revert to SIDs. Switch the 2012 DCs off again and everything starts working again. The 2003 and 2012 DCs get different Domain Controller GPOs via WMI filtering, as we want 2012 to get the more stringent Microsoft Baseline settings (we relaxed the ability to use LM and NTLM for legacy application reasons).

Does anyone know why the AD trust would fail with 2012 DCs present and the permissions would revert to SIDs?

Thanks,

Martin



How to query the user name of the last logon with one computer?


Hi everyone,

How can I extend the properties of ADUC to allow me to directly query the user name of the last logon on a computer?

Thank you in advance.

Best regards,

Yuxiang


Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Delegating Fine Grained Password Policies


Hello, my company is implementing Fine Grained Password Policies. Articles mention that the rights to modify these can be delegated, but I cannot seem to find an article showing how. Could someone point me in the right direction?

Thanks

need to remove dc, don't know local admin password for accessing server after AD removal


Hi

I have a DC that was in production (it was a local domain for a special need).

I am afraid that when I disjoin it from the domain (basically seize a domain, if I can call it so), I will lose the login option, as I don't know the local admin password (by chance it could be the same as the current domain admin).

Yes, it is not just a DC; it contains a lot of data and some crappy stuff that I would like to keep intact for a while.

What are the options for removing AD from this thing?

Thanks.


--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

Linux AD integration & case sensitivity


Hi,

We have Linux integrated in our AD so all users can log in to their Linux machines with their AD accounts.

Now we have a program that runs on the Windows PC, and that program accesses a Linux machine to start a job/service, but it doesn't work with the AD accounts because of the case sensitivity of the names. Is there a way to make it case insensitive, or to always get and send the correctly cased username to Linux?

Domain Local Group - Universal group on file system

Hi, 

I'm in a small business; I have two forests with a domain in each one (Active Directory 2008 and Windows Server 2003).

When I try to add a domain local group in the file system (I try to follow AGDLP), the system can't resolve it.

But if I switch the group to universal I can see it, but I can't add another group from the other forest!!

The only solution I found was to create the group as universal, add it to the folder, and then transform it to a domain local group.
