Channel: Directory Services forum

Remove this DNS zone -- DC demotion

Hi, 

I have 3 Domain Controllers:

DC-1: Windows 2012 R2 -- This is the first DC that was installed

DC-2 and DC-3 Windows 2016

I have moved all the FSMO roles from controller 1 to controller 2. Now I'm trying to demote DC-1, but in the demotion wizard, under "Removal Options", it asks me to check the option "Remove this DNS zone (this is the last DNS server that hosts the zone)". The "Next" button in the wizard won't activate if I don't select this option.

I'm afraid that selecting this option will end up with my DNS zones removed. Am I confusing something here? I'm not sure why I'm being asked to confirm this option even though my forest/domain has two other DCs.

I even tried uninstalling the DNS role from DC-1, but the "demote" wizard still shows the same options. 

In the first page of the wizard, I am NOT selecting "Last domain controller in the domain". 

Any ideas?

Thanks


Running a Powershell Script as gMSA getting errors

I am running a PowerShell script that checks to see if services are running on remote servers and, if not, starts them.

However, when I schedule the task from a server, running it as the gMSA account, I get this error:

TerminatingError(Get-Service): "Cannot open Service Control Manager on computer 'xxxserver'. This operation might require other privileges."
Failed enumerating the xxxservice service on xxxserver

I'm thinking it is a permission error. The script/task works fine with my account; however, when using the gMSA account I get that error.

The service is running as the gMSA account on the servers.

Any ideas?
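Added example (not code from the post): the remote service check with the failure mode described above handled explicitly. It records the identity the scheduled task really runs as and separates "access denied" from the remote Service Control Manager (SCM) from every other error, so the task's log shows whether the gMSA reached the server and was refused or never got there. Server and service names are placeholders, and the error-code mapping in the catch block is an assumption about how Get-Service surfaces the SCM failure.

```powershell
# Added example (not part of the post). Windows PowerShell 5.1: Get-Service -ComputerName
# is used for the remote query, as in the post. Server and service names are placeholders.
$servers     = @('app01', 'app02')   # placeholders
$serviceName = 'xxxservice'          # placeholder taken from the post's error text

function Get-RemoteServiceState {
    param([string] $ComputerName, [string] $Name)
    $result = [pscustomobject]@{
        Computer = $ComputerName
        Service  = $Name
        Status   = $null
        Error    = $null
        # Shows DOMAIN\gmsa$ when the task really runs as the gMSA; a user name here means
        # the task principal is not what was intended.
        RunAs    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name $Name -ErrorAction Stop
        $result.Status = $svc.Status
    }
    catch {
        # Assumption: the "Cannot open Service Control Manager" failure carries a Win32
        # inner exception whose NativeErrorCode 5 is ERROR_ACCESS_DENIED. Anything else
        # (name resolution, firewall, RPC) is reported with its own message.
        $inner = $_.Exception.InnerException
        if ($inner -is [System.ComponentModel.Win32Exception] -and $inner.NativeErrorCode -eq 5) {
            $result.Error = 'SCM access denied'
        }
        else {
            $result.Error = $_.Exception.Message
        }
    }
    return $result
}

function Invoke-ServiceCheck {
    param([string[]] $Computers, [string] $Name)
    foreach ($computer in $Computers) {
        $state = Get-RemoteServiceState -ComputerName $computer -Name $Name
        if ($null -eq $state.Error -and $state.Status -eq 'Stopped') {
            # Start via the remote ServiceController object returned by Get-Service
            Get-Service -ComputerName $computer -Name $Name | Start-Service
            $state.Status = 'Start requested'
        }
        $state   # one object per server; redirect to a file from the task for a log
    }
}

Invoke-ServiceCheck -Computers $servers -Name $serviceName | Format-Table -AutoSize
```

On the task host, `Test-ADServiceAccount <gmsa name>` confirms the host can retrieve the gMSA password at all. Running a service as the gMSA on the target servers does not by itself give that account the right to open the servers' SCM remotely; that is governed by each server's SCM security descriptor (`sc sdshow scmanager`), which by default limits remote enumeration to administrators, so the usual fix is a deliberate grant on those servers rather than widening the task's privileges.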

LDAPS with .local domain and 3rd party cert (dns, trusts, crossref, etc)

I've spent countless hours researching, reading, and testing how to make LDAPS work with a .local internal domain and a 3rd party cert. Right now, it does and doesn't work. Let me start with my starting setup.

Windows AD Domain

  • Forest Level: Server 2003
  • Function Level: Server 2012
  • Domain: domain.local
  • Multiple .com domains and UPNs
  • User UPN is user@example.com

I was able to make everything work with a self-signed certificate, but the external resource required a trusted 3rd party. LDAPS requires the true FQDN in the CN or SAN of a certificate and will not accept a .local in the certificate. No amount of DNS manipulation would allow me to get by this. I tried using a cert for dc1.example.com for dc1.domain.local and that would not work. I've tried auth.example.com forwarded to dc1.domain.local and that did not work.

After trying everything I could short of renaming the Active Directory, I decided to test a new domain in a trusted forest. So I did the following:

  • Created a new domain in a new forest for example2.com
  • Created a stubzone in DNS for domain.local
  • Removed the UPN for example2.com from domain.local
  • Deleted the forward lookup zone for example2.com and recreated the zone as a stubzone pointing to dc1.example2.com
  • Established a two-way trust between Forest1 (domain.local) and Forest2 (example2.com)
  • Created external DNS record for dc1.example2.com and forwarded 636 to that internal IP address
  • Requested and installed 3rd party cert for Forest2 dc
  • Tested LDAPS from external host via ldp.exe to dc1.example2.com and was able to connect
  • Tested binding user@domain.local and was authenticated to DOMAIN\user
  • Tested binding user@example.com and was authenticated as DOMAIN\user
  • Was able to view DC=example2,DC=com in the tree
  • Was not able to view DC=domain,DC=local
  • Created crossref in CN=Partitions on dc1.example2.com for domain.local
  • Tested again and was not able to return results from the referral

Now, if I was connected to the internal network it would all work, but not from an external one. What I am trying to do is configure an LDAPS connection for [external app]->[example2.com]->[domain.local] and retrieve group and user attributes for an authenticated user on domain.local.

I read in another post that all queries need to be executed on the authenticating DC. So that would mean that dc1.domain.local would be the server to actually populate any query and not dc1.example2.com. So when LDAP tries to chase the referral, it hits domain.local and gets lost I think.

The external app wants to query users tied to a group on domain.local and pull attributes like cn, email, upn, etc. So it needs to search Base DN of DC=domain,DC=local and a group prefix of CN=group,OU=Users,DC=domain,DC=local. The external app cannot do this currently.

I'm currently stuck on what to try next. About the only options I can see are to migrate to a new domain that I own with a .com address or to try to rename Active Directory. Does anyone have any other ideas?

[SOLVED] LDAP NO SSL

  • The directory server has failed to create the AD LDS serviceConnectionPoint object in Active Directory Lightweight Directory Services. This operation will be retried. 

    Additional Data 
    SCP object DN:
    CN={1460ad70-fafc-4154-a1f4-8258379add7e},CN=SERVER,OU=Domain Controllers,DC=******,DC=net 
    Error value:
    5 Access is denied. 
    Server error:
    00000005: SecErr: DSID-031528D2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    Internal ID:
    33903d2 
    AD LDS service account:
    NT AUTHORITY\NETWORK SERVICE 

    User Action 
    If AD LDS is running under a local service account, it will be unable to update the data in Active Directory Lightweight Directory Services. Consider changing the AD LDS service account to either NetworkService or a domain account. 

    If AD LDS is running under a domain user account, make sure this account has sufficient rights to create the serviceConnectionPoint object. 

    ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.
  • LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate. 

    Additional Data 
    Error value:
    8009030d The credentials supplied to the package were not recognized

LDAPS

I have a problem connecting to LDAPS (port 636). I have installed an Enterprise CA, exported the root certificate and distributed it via Group Policy as a recognised root authority certificate. After updating, I can't connect to LDAPS using the ldp tool.

ld = ldap_sslinit("address of dc", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to address of dc.

manage security group

Hi all

1. I have a requirement to create a security group and allow 3 users to manage it, i.e. these 3 users can add or remove users from this security group. In the Managed By tab of the security group I can only add one user, so how do I allow 3 users to manage this security group? Do I also need to check the option "Manager can update membership list"?

2. These are normal users who have access to one of my Windows 2012 R2 servers; what tool do I need to install so that these users can manage this security group?
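Added example (not from the post or from Microsoft): the "Manager can update membership list" checkbox in ADUC grants exactly one access-control entry, WriteProperty on the group's `member` attribute, to the single manager. The same ACE can be written for any number of delegates with the ActiveDirectory module, which keeps the delegation scoped to membership changes on that one group and nothing else. Group and user names below are placeholders; the schemaIDGUID of the `member` attribute is the well-known value.

```powershell
# Added example (not part of the post). Requires the ActiveDirectory module (RSAT) and an
# account allowed to modify the group's security descriptor. Names are placeholders.
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute. Scoping the ACE to this attribute means the
# delegates can change membership but cannot rename, move or re-ACL the group.
$memberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProperty       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Grant-GroupMembershipDelegation {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,     # group whose membership is delegated
        [Parameter(Mandatory)] [string[]] $DelegateNames  # sAMAccountNames of the delegates
    )
    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$groupDn"

    foreach ($name in $DelegateNames) {
        $sid = (Get-ADUser -Identity $name).SID
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            $writeProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $memberAttributeGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$groupDn" -AclObject $acl
}

function Get-GroupMembershipDelegates {
    # Lists who holds WriteProperty on "member" for the group, for periodic review.
    param([Parameter(Mandatory)] [string] $GroupName)
    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    (Get-Acl -Path "AD:\$groupDn").Access |
        Where-Object {
            $_.ObjectType -eq $memberAttributeGuid -and
            $_.ActiveDirectoryRights.HasFlag($writeProperty)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Grant-GroupMembershipDelegation -GroupName 'App-Operators' -DelegateNames 'alice', 'bob', 'carol'
Get-GroupMembershipDelegates -GroupName 'App-Operators'
```

In practice, putting the three users in their own group and delegating to that group is easier to review than three user ACEs; the function accepts a group name in `-DelegateNames` if `Get-ADUser` is swapped for `Get-ADObject`. With the ACE in place, the delegates only need the Active Directory Users and Computers console or the ActiveDirectory module from RSAT on their machine; `Add-ADGroupMember` and `Remove-ADGroupMember` then succeed for that group and fail with access denied for any other.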

DFSR sysvol replication issue Event 5008

Hi ,

I have 4 DCs, all 2012 R2, located as below.

HQ - AD1

HQ - AD2 (FSMO all roles)

Site 1 = AD3

Site 2 - AD4

I am having an issue with AD4, which is in Site 2, with group policy SYSVOL folder sync. We have around 36 GPOs, and all the folders (SYSVOL policies) are available on the other DCs except AD4. There is no issue with AD object sync.

AD replication works fine without any issue.

I can see Event ID 5008 for DFSR, and the dcdiag output of AD4 is shown below.



Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = AD4

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\AD4

      Starting test: Connectivity

         ......................... AD4 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\AD4

      Starting test: Advertising

         ......................... AD4 passed test Advertising

      Starting test: FrsEvent

         ......................... AD4 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... AD4 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... AD4 passed test SysVolCheck

      Starting test: KccEvent

         ......................... AD4 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... AD4 passed test

         KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... AD4 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... AD4 passed test NCSecDesc

      Starting test: NetLogons

         ......................... AD4 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... AD4 passed test ObjectsReplicated

      Starting test: Replications

         ......................... AD4 passed test Replications

      Starting test: RidManager

         ......................... AD4 passed test RidManager

      Starting test: Services

         ......................... AD4 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x00002720

            Time Generated: 01/10/2020   18:30:00

            Event String:

            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID


         An error event occurred.  EventID: 0xC0001B77

            Time Generated: 01/10/2020   18:30:07

            Event String:

            The VMware Tools service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

         A warning event occurred.  EventID: 0x00001796

            Time Generated: 01/10/2020   18:31:00

            Event String:

            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.


         An error event occurred.  EventID: 0x00002720

            Time Generated: 01/10/2020   18:35:03

            Event String:

            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID


         An error event occurred.  EventID: 0xC0001B5E

            Time Generated: 01/10/2020   18:36:02

            Event String:

            The ScRegSetValueExW call failed for FailureActions with the following error:


         ......................... AD4 failed test SystemLog

      Starting test: VerifyReferences

         ......................... AD4 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : HCL

      Starting test: CheckSDRefDom

         ......................... HCL passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... HCL passed test CrossRefValidation

   
   Running enterprise tests on : Test.com

      Starting test: LocatorCheck

         ......................... Test.com passed test LocatorCheck

      Starting test: Intersite

         ......................... Test.com passed test Intersite

Java - LDAP Binding using Digest-MD5 non SSL

Hi,
I was wondering if anybody had a Java example of binding using DIGEST-MD5 against Active Directory that works.

I used the Oracle example, which is here and, for ease, is also shown below:

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class DigestMd5Bind {
        public static void main(String[] args) {
            // Set up environment for creating initial context
            Hashtable<String, Object> env = new Hashtable<String, Object>(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

            // Authenticate as C. User and password "mysecret" in realm "JNDITutorial"
            env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");

            env.put(Context.SECURITY_PRINCIPAL, "dn:cn=C. User, ou=NewHires, o=JNDITutorial");
            env.put(Context.SECURITY_CREDENTIALS, "mysecret");
            env.put("java.naming.security.sasl.realm", "JNDITutorial");

            try {
                // Create initial context
                DirContext ctx = new InitialDirContext(env);

                System.out.println(ctx.lookup("ou=NewHires"));

                // do something useful with ctx

                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }

I've tried the principal name as the following with the realm not being provided:

  1. DN (cn=user, dc=example, dc=com) and get  AcceptSecurityContext error, data 51f, v3839
  2. SAMACCOUNTNAME (user) and get The digest-uri does not match any LDAP SPN's registered for this server
  3. DOMAIN\SAMACCOUNTNAME (example\user) and get AcceptSecurityContext error, data 52e, v3839

I also tried adding the realm of EXAMPLE, but that didn't seem to make a difference.

I have tried LDP.EXE on Windows to bind using digest and do not get any issues using the following parameters:

  1. user = user
  2. password = users password
  3. domain = example
  4. bind type = Advanced(DIGEST)

So I was wondering if anybody had any thoughts or suggestions?

Thanks


Display should be First name + Last name

Hi Guys,

I have changed my last names to capitals and it's not reflected in the display name.

I ran the script below to make the changes to the AD last names:

# Select every user under the OU that has a surname, then upper-case the surname
$targetUsers = Get-ADUser -SearchBase "OU=india,DC=study,DC=com" -Filter {Surname -Like "*"} |
    Select-Object DistinguishedName, Surname
$targetUsers | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -Surname $_.Surname.ToUpper()
}

Now I want to change the display name to first name + last name.

So my display name should be like: kiran MANNE



Ram
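Added example (not the poster's script): builds the display name from the two name attributes the post already maintains, `GivenName` and `Surname`, and writes it only where it differs, with a `-WhatIf` pass first so the result can be reviewed before anything is changed. Accounts with an empty first or last name are reported rather than given a half-empty display name. The OU path is the one from the post; the function names are assumptions.

```powershell
# Added example (not part of the post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ExpectedDisplayName {
    # "<GivenName> <SURNAME>"; returns $null when either attribute is missing so the
    # caller can report the account instead of writing a half-empty display name.
    param([string] $GivenName, [string] $Surname)
    if ([string]::IsNullOrWhiteSpace($GivenName) -or [string]::IsNullOrWhiteSpace($Surname)) {
        return $null
    }
    return ('{0} {1}' -f $GivenName.Trim(), $Surname.Trim().ToUpper())
}

function Update-DisplayNames {
    param(
        [string] $SearchBase = 'OU=india,DC=study,DC=com',   # OU from the post
        [switch] $WhatIf                                     # preview without writing
    )
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties GivenName, Surname, DisplayName |
        ForEach-Object {
            $expected = Get-ExpectedDisplayName -GivenName $_.GivenName -Surname $_.Surname
            if ($null -eq $expected) {
                Write-Warning "Skipping $($_.SamAccountName): GivenName or Surname is empty"
            }
            elseif ($_.DisplayName -cne $expected) {
                # -cne is case-sensitive, so "kiran Manne" -> "kiran MANNE" is still updated
                Set-ADUser -Identity $_.DistinguishedName -DisplayName $expected -WhatIf:$WhatIf
                [pscustomobject]@{
                    User = $_.SamAccountName
                    Old  = $_.DisplayName
                    New  = $expected
                }
            }
        }
}

Update-DisplayNames -WhatIf          # review the list of changes first
# Update-DisplayNames                # run without -WhatIf to apply them
```

The `displayName` attribute is not recomputed by AD when `sn` changes, which is why the post's first script left the display names untouched; it has to be set explicitly, and the comparison step above keeps the re-run idempotent.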

Strange "reset password" behavior

Hi there,

We have a root domain (i.e. company.de) with some subdomains (i.e. lab.company.de & prod.company.de). Our admins (all created in prod.company.de) have the right to reset passwords in the subdomain (lab.company.de).

When the admins use the dsa.msc console search feature and select "Find [Users, Contacts, and Groups] in [Entire Directory]", they are not allowed to reset the password of users in the lab.company.de domain.

Error message: access denied

When the same admin uses "Find [Users, Contacts, and Groups] in [lab.company.de]", he is allowed to reset the password without any error message.

Works as designed, or a bug? I couldn't find further information about this strange behavior.

DFSR not working Event_ID 6104

I am setting up a new AD server to replace an existing one, but I'm having problems getting it to sync so I can turn the old server off.

Event viewer has:

The DFS Replication service failed to register the WMI providers. Replication is disabled until the problem is resolved. 
 
Additional Information: 
Error: 2147749889 (1001)

Please note I have already tried mofcomp and regsvr32 on the files in system32\wbem, and this has not helped in any way; I get the same exact error in Event Viewer.

Prompt for Credentials when Accessing DFS share in Trusted Forest!!!

Hi Team,

We are having an issue when accessing a DFS share, but no issue accessing a file share directly, from another trusted forest (which was running fine earlier).

If the file share is accessed directly using the server name, it works fine, but when trying to connect to the DFS namespace, it prompts for a password and then throws the error "System cannot contact a domain controller to service the authentication request".

Steps done:

Validated the trust; no issue with that.

Please help out.

Regards,

Sumit

Facing NETLOGON issue while updating Group Policy

Event Type: Error

Event Source: NETLOGON

Event Category: None

Event ID: 3210

Date: <Date>  Time: <Time>

User: N/A

Computer: <Computer name>

Description: This computer could not authenticate with <Computer name>, a Windows domain controller for domain<Domain>, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

Can an application always running with different users

Hi,

  • I have an enterprise application (which can't be stopped due to business need) always running on Windows 10. To access the machine, our team (10 members) uses a single domain account, whose password is shared with everyone.
  • We take RDP to the machine and never log off; instead we disconnect the RDP session so that the application keeps running in the background. When the next user logs in with the same username, he sees the application still processing.
  • It's a standalone app and we can't see any associated service running under services.msc.
  • Now, due to a new company policy, the password for one account can't be shared. We also can't use a local account or remove the system from the domain. Is there any way we can use the application in the same way? Meaning, can we use our individual accounts (10 different domain accounts) but still see the same status of the running application?

Regards, Nilabh Verma


Net send message

Hello All,

We may need in the future to send a broadcast message to all users globally using net send. We are using Windows 10 & 7 on the client side and 2016 as the Domain Controller.

msg [hello]
Enter message to send; end message by pressing CTRL-Z on a new line, then ENTER

How can we broadcast a message globally?


Thanks HA


Query related to LDAP Simple Binding after installing March Security update

Forest trust validation permissions

Hi,

Does anyone know what explicit permissions are needed to be able to validate a trust? I know you can add to Domain Admins or Enterprise Admins, etc., but I would like to be able to give a specific user account the rights just to validate a trust, and not access to all of Active Directory.

Kind regards

Frequent Account Lockout - Wondering whether the account has been compromised?

I have been having frequent account lockouts on a daily basis for the last several months. I checked the event logs for 474 and 4625 etc., but I could not find where the source is. So, I turned on Netlogon logging, and here is what I saw in the Netlogon log.

01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234

So, I logged into that file server shown above and logged off. I am not sure what else I can do. We also have a PAM (privileged access management) solution that changes the password every 7 days. Since the PAM solution changes the password over the weekend, if my account gets locked out, it automatically sends out an alert that it is unable to reconcile the account and change the password. So, I want to know, from looking at the above log, is there any way that my account could have been compromised?

Appreciate your Input and feedback.

Thanks ahead of time

AA2913
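Added example (not from the post): a small parser for Netlogon debug-log lines in the format quoted above, which turns the `Returns 0x...` lines into objects and summarises, per account and forwarding server, how many attempts came back `0xC0000234` (STATUS_ACCOUNT_LOCKED_OUT) and when. The sample lines are constructed to match the post's format, with one extra account added so the summary visibly filters; the status-name table is a small known subset and the function names are assumptions.

```powershell
# Added example (not part of the post). Sample lines are constructed; replace $sampleLog with
# Get-Content 'C:\Windows\debug\netlogon.log' to run against a real log.
$sampleLog = @'
01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:05:10 [LOGON] [560] domain: SamLogon: Network logon of domain\svc-backup from BACKUP01 (via DC01) Returns 0xC000006A
01/14 03:05:11 [LOGON] [560] domain: SamLogon: Network logon of domain\svc-backup from BACKUP01 (via DC01) Returns 0x0
'@ -split "`r?`n"

# NTSTATUS values commonly seen in Netlogon logs (subset).
$statusNames = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Only "Returns" lines carry a status; "Entered" lines are skipped. The "from" field is often
# empty for transitive logons, hence the [^\s(]* class that must not swallow "(via".
$pattern = '^(?<date>\d\d/\d\d) (?<time>\d\d:\d\d:\d\d) .*logon of (?<account>\S+) from\s*(?<src>[^\s(]*)\s*\(via (?<via>[^)]+)\) Returns (?<status>0x[0-9A-Fa-f]+)'

function ConvertFrom-NetlogonLine {
    param([string] $Line)
    if ($Line -match $pattern) {
        [pscustomobject]@{
            Time    = $Matches.date + ' ' + $Matches.time
            Account = $Matches.account
            Source  = if ($Matches.src) { $Matches.src } else { '<empty>' }
            Via     = $Matches.via
            Status  = $Matches.status
            Name    = if ($statusNames.ContainsKey($Matches.status)) { $statusNames[$Matches.status] } else { 'UNKNOWN' }
        }
    }
}

function Get-LockoutSummary {
    # One row per (account, forwarding server) that returned STATUS_ACCOUNT_LOCKED_OUT.
    param([string[]] $Lines)
    $Lines | ForEach-Object { ConvertFrom-NetlogonLine -Line $_ } |
        Where-Object { $_.Status -eq '0xC0000234' } |
        Group-Object Account, Via |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Group[0].Account
                Via       = $_.Group[0].Via
                Sources   = ($_.Group.Source | Sort-Object -Unique) -join ','
                Attempts  = $_.Count
                FirstSeen = $_.Group[0].Time
                LastSeen  = $_.Group[-1].Time
            }
        }
}

Get-LockoutSummary -Lines $sampleLog | Format-Table -AutoSize
```

A `0xC0000234` return means the account was already locked when that attempt arrived, so these lines show where the traffic keeps coming from (here, forwarded through FileServer with an empty source), not the attempt that caused the lock. The lockout itself is event 4740 on the PDC emulator, which names the caller computer, and the failing attempts before it are 4771/4776 on the DC that handled them; with the forwarding server identified, its own Security log (4625, with the source address and logon process) is the next place to look. A stale mapped drive, scheduled task or saved credential on that server is the usual source, and the time-of-day pattern against the PAM rotation schedule is what distinguishes that from anything more concerning.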
