Channel: Directory Services forum

Conversion of Domain Controller from Evaluation version to licensed


I have a domain controller running the 2016 Datacenter Evaluation version, and the license has only a few days left now.

I want to make it licensed since the DC is critical (a production DC in a multi-domain environment).

I have searched some forums and found the command "DISM /online /Set-Edition:ServerEdition /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula" to make it licensed. However, it says conversion is not possible on domain controllers.

My question here is: if I run the command, will it throw an error message and abort, or will it corrupt the AD database?

What will be the impact? I don't want to test by running the command since it is in production.

Also, any other solution to this problem would be highly appreciated.
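
Added example, not part of the original post: the pre-flight facts a practitioner collects before attempting an evaluation-to-retail conversion on a server. It runs only DISM's read-only queries (never /Set-Edition) and combines them with the machine's domain role and edition. Assumptions: it runs elevated on the DC itself, and the DomainRole and EditionID values are the documented Win32_ComputerSystem and CurrentVersion registry values.

```powershell
# Added example, not part of the original post: read-only readiness check, never /Set-Edition.
function Get-EditionConversionReadiness {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $isDc = $cs.DomainRole -in 4, 5

    # Evaluation installs carry an EditionID ending in "Eval" (e.g. ServerDatacenterEval)
    $isEval = $ver.EditionID -like '*Eval'

    # Read-only DISM queries: the installed edition and the editions it may be converted to
    $current = & dism.exe /online /Get-CurrentEdition
    $targets = & dism.exe /online /Get-TargetEditions

    [pscustomobject]@{
        ComputerName         = $cs.Name
        EditionID            = $ver.EditionID
        IsEvaluation         = $isEval
        IsDomainController   = $isDc
        DismCurrentEdition   = (@($current) -match 'Current edition') -join ''
        DismTargetEditions   = (@($targets) -match 'Target edition') -join ', '
        # Microsoft documents that an evaluation DC cannot be converted in place: promote a
        # licensed DC, move the FSMO roles, then demote this one (or demote, convert, re-promote).
        SafeToConvertInPlace = ($isEval -and -not $isDc)
    }
}

Get-EditionConversionReadiness | Format-List
```

Run it on the DC before anything else; `SafeToConvertInPlace` is false for any evaluation-edition domain controller, and `DismTargetEditions` shows what DISM would accept on a non-DC install of the same edition.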


Event ID 2088 Active Directory error on my Domain Controller

Hi everyone, hope you can help... I got some errors on one of the DCs in Active Directory.

####################
# Background
####################

In the site, I have two DCs: DC02 and DC03.

DC02 is running 2008 R2, bridgehead, DNS, and global catalog. This is a VM.
DC03 is running 2012, DNS and global catalog. This one was just set up a few months ago.

I am planning to demote DC02.



############################
# VM host crash
############################

Last week, the VM host which hosts DC02 crashed because of a power outage. But fortunately I could recover the host, and all the VM servers seem to be fine... but...



########################
# Errors
########################

But not on DC02.

The crash was on DC02. It seems to be fine. But I got errors on DC03... which did not crash. I got error 1311 saying "The Knowledge Consistency Checker (KCC) detected problems with the following directory partition...". So I ran dcdiag /test:connectivity on DC02... it failed. Then I changed the bridgehead server from 02 to 03. But dcdiag /test:connectivity on DC02 still failed... but the others are fine.


Now the new error is 2088, DS_RPC_Client, saying Active Directory Services could not use DNS to resolve the IP of the source domain controller listed below (which is "DC02"). So I checked the DNS records... they are there... including _msdcs.... When I right-clicked on the zone and went to the "Name Servers" tab, I found something! The IP column for DC02 is shown as "Unknown"... but the other DCs are shown with an IP. So I removed DC02 and then added it again with the full domain name; it says it cannot find it.

So I did dcdiag /test:DNS on DC03... it says "Error: DNS server: DC02.x.com IP unavailable [missing glue A record]".

Besides, it also failed the "Del" and "RReg" tests, but the rest passed. (I will try to do a screenshot of this.)


Again... I checked the zone info and all records for DC02 are still there.

True... I cannot ping dc02.x.com, while I can ping the other domain controllers without any problem.


################################
# Questions
################################

1.) So how do I fix it?
2.) As mentioned, I will try to decommission DC02 by demoting it first... so do you think I can demote it even with the error around? I wonder if the demotion process will fail though...
3.) Or should I do the NTDS metadata cleanup? Any risk of messing up the whole AD at this point?
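
Added example, not part of the original post: the two DNS facts that the "Unknown" IP in the Name Servers tab, dcdiag's "[missing glue A record]" and event 2088 all depend on. The first function walks every NS record of the domain zone and its _msdcs zone and checks that the name server has a resolvable A record (the glue). The second checks the records a replication partner needs for one DC: its host A record and the `<DSA objectGUID>._msdcs.<forest root>` CNAME. Assumptions: the DnsServer and ActiveDirectory RSAT modules are present, and the server and zone names (`dc03.x.com`, `x.com`, `dc02`) are placeholders from the post.

```powershell
# Added example, not part of the original post. Names below are placeholders.
function Test-DnsNsGlue {
    param([Parameter(Mandatory)][string]$DnsServer, [Parameter(Mandatory)][string]$Zone)
    foreach ($z in @($Zone, "_msdcs.$Zone")) {
        # Since Windows Server 2003 _msdcs.<forest root> is normally its own zone; older layouts
        # keep it as a subdomain of the domain zone, so handle both.
        $separate = Get-DnsServerZone -ComputerName $DnsServer -Name $z -ErrorAction SilentlyContinue
        $ns = if ($separate) {
            Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z -RRType NS | Where-Object HostName -eq '@'
        } else {
            Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType NS | Where-Object HostName -eq '_msdcs'
        }
        foreach ($rec in $ns) {
            $target = $rec.RecordData.NameServer.TrimEnd('.')
            # The glue is simply an A record for the NS target, resolvable through the same server
            $a = Resolve-DnsName -Name $target -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A'
            [pscustomobject]@{
                Zone       = $z
                NameServer = $target
                GlueA      = ($a.IPAddress -join ',')
                Status     = if ($a) { 'OK' } else { 'MISSING GLUE A' }
            }
        }
    }
}

function Test-DcMsdcsRecords {
    param([Parameter(Mandatory)][string]$DcName, [Parameter(Mandatory)][string]$DnsServer)
    $dc     = Get-ADDomainController -Identity $DcName
    $forest = (Get-ADForest).RootDomain
    # Replication partners (and event 2088) resolve the DSA GUID CNAME, not the host name directly
    $dsa    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $cname  = Resolve-DnsName -Name "$($dsa.objectGUID)._msdcs.$forest" -Type CNAME -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'CNAME'
    $a      = Resolve-DnsName -Name $dc.HostName -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'A'
    [pscustomobject]@{
        DC          = $dc.HostName
        DsaGuid     = $dsa.objectGUID
        CnameTarget = if ($cname) { $cname.NameHost } else { 'MISSING' }
        HostA       = if ($a) { $a.IPAddress -join ',' } else { 'MISSING' }
    }
}

Test-DnsNsGlue -DnsServer 'dc03.x.com' -Zone 'x.com' | Format-Table -AutoSize
Test-DcMsdcsRecords -DcName 'dc02' -DnsServer 'dc03.x.com' | Format-List
```

If either report shows MISSING, re-register the DC's own records from that DC with `nltest /dsregdns` (Netlogon re-registers its SRV, CNAME and A records) and re-check with `dcdiag /test:DNS /DnsRecordRegistration`; `repadmin /showrepl` then shows whether the 2088 condition has cleared.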

Need help with ADV190023 update

Domain Admin Account Lockouts


I have done my best to find out where the lockouts are coming from, but I have not been successful. I turned on Netlogon logging and see that it is happening on a file server, as shown below. Earlier it showed on a Citrix server; I logged in and logged off. But most of it is now showing on the file server. When I go and check for event 4625 or 4740, I do not see anything in the Security logs.

SamLogon: Transitive Network logon of  from  (via Fileservername) Returns 0xC000006A

How can I address this issue? I am not sure whether my admin account has been compromised, but I want to address this and take care of it. I know you could use Netwrix, AD Audit Plus and many other tools to find the lockouts, but unfortunately my manager is not willing to spend the money to buy them.

The Account Lockout tool only shows where the account got locked out, but it does not give more details than that. I used the EventCombMT tool also, and still the same. This is the log from the EventCombMT tool.

I have had this problem going on for almost 6 months, and I do not want to be the one whose account has been compromised. I REALLY need to get to the bottom of it. My boss won't spend money on a call with Microsoft either.

Finding all events reguardless of date or time.
Searching Security Logs
Event IDs:   529 644 675 676 681 4740 4625
No Event Text specified.
No Event Source specified.
No Between Event IDs specified.
Will Search the following servers:
DMC01
DC01
DC02
HDMC01
HDMC02
DCVM
To find these events we'll need a search running. It has already begun....
 
Spawning Thread for: DMC01
Thread Running for: DMC01
Spawning Thread for: DC01
Spawning Thread for: DC02
Thread Running for: DC01
Thread Running for: DC02
Spawning Thread for: HDMC01
Spawning Thread for: HDMC02
Thread Running for: HDMC01
Thread Running for: HDMC02
Spawning Thread for: DCVM
All threads Scheduled to run are running.
Thread Running for: DCVM
Security Log on DC01 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on DC01 not available. GetLastError was 131. Error text was: The stub received bad data.  
Security Log on DC02 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on HDMC02 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on DC02 not available. GetLastError was 131. Error text was: The stub received bad data.  
Security Log on HDMC02 not available. GetLastError was 131. Error text was: The stub received bad data.  
Security Log on HDMC01 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on HDMC01 not available. GetLastError was 131. Error text was: The stub received bad data.  
Exiting thread for: DC01
Exiting thread for: DC02
Exiting thread for: HDMC02
Exiting thread for: HDMC01
Security Log on DMC01 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on DMC01 not available. GetLastError was 131. Error text was: The stub received bad data.  
Exiting thread for: DMC01
Security Log on DCVM was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on DCVM not available. GetLastError was 131. Error text was: The stub received bad data.  
Exiting thread for: DCVM
Total events searched: 0
Total matches found: 0
Servers/Logs Searched: 6
DLL Cache Contained: 0
SID Cache Contained: 0
Start time: Tue Jan 14 16:02:54 2020 
Finish time: Tue Jan 14 16:02:55 2020 
True records per second: 0.00



AA2913

SAML token format


I am trying to get a SAML token back from the Active Directory server with a Group claim in this format:

<Attribute Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>Domain Users</AttributeValue><AttributeValue>PBCO_Users</AttributeValue><AttributeValue>PBCO_IT</AttributeValue></Attribute>

I followed the steps in this post:

https://social.technet.microsoft.com/Forums/en-US/9862bb2c-89c5-4c64-8776-b4dc09a7fc88/problem-creating-a-group-claim?forum=winserverDS

and was only able to get the token back like so:

<Attribute Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>Domain Users</AttributeValue><AttributeValue>PBCO_Users</AttributeValue><AttributeValue>PBCO_IT</AttributeValue></Attribute>

How can I achieve this?

Thanks!
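
Added example, not part of the original post: an AD FS issuance rule set that emits the user's group memberships under the SAML attribute name `http://schemas.xmlsoap.org/claims/Group` with NameFormat `basic`, applied with the ADFS PowerShell module. The first rule pulls tokenGroups from AD into the pipeline; the second re-issues each value with the two AD FS claim properties that map to the SAML Attribute `Name` and `NameFormat`. Assumptions: the token issuer is AD FS, the relying party trust is called "PBCO App" (placeholder), and group names are wanted as plain names, which is what tokenGroups returns.

```powershell
# Added example, not part of the original post. "PBCO App" is a placeholder relying party name.
Import-Module ADFS
$rpName = 'PBCO App'

$rules = @'
@RuleName = "Groups into pipeline as http://schemas.xmlsoap.org/claims/Group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue Group with explicit SAML attribute name and NameFormat basic"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(Type = c.Type, Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "http://schemas.xmlsoap.org/claims/Group",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributenameformat"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
'@

# Keep whatever issuance rules the trust already has and append these two
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $rules)

# Read back to confirm the rule text was accepted
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

tokenGroups returns every group the user is in, nested groups included, so the token also carries groups the application never asked for; if only the application's own groups should leave the federation server, add `Value =~ "^PBCO_"` to the condition of the second rule.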


exports users info

Hi Experts,

I have display names in a CSV file in the below format.

Names
Tim A
Rob V

I want to import this CSV file, get their UserPrincipalName, SamAccountName, email address and office location, and export them to a CSV file. Experts, please help with the syntax.
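
Added example, not part of the original post: a lookup by display name that exports the four requested attributes and, instead of silently picking one account, flags names that match nothing or match more than one user (display names are not unique in AD). Assumptions: the ActiveDirectory RSAT module is loaded, the input CSV has the single `Names` header shown in the post, and the file paths are placeholders.

```powershell
# Added example, not part of the original post. Paths are placeholders.
function Export-UsersByDisplayName {
    param(
        [Parameter(Mandatory)][string]$InputCsv,
        [Parameter(Mandatory)][string]$OutputCsv
    )
    $rows   = Import-Csv -Path $InputCsv
    $result = foreach ($row in $rows) {
        $name = $row.Names.Trim()
        if (-not $name) { continue }
        # Script-block filter with a variable avoids quoting problems in names like O'Brien
        $users = @(Get-ADUser -Filter { DisplayName -eq $name } -Properties DisplayName, mail, physicalDeliveryOfficeName)
        if ($users.Count -eq 0) {
            [pscustomobject]@{ Names = $name; UserPrincipalName = $null; SamAccountName = $null
                               Email = $null; Office = $null; Status = 'NOT FOUND' }
            continue
        }
        foreach ($u in $users) {
            [pscustomobject]@{
                Names             = $name
                UserPrincipalName = $u.UserPrincipalName
                SamAccountName    = $u.SamAccountName
                Email             = $u.mail
                Office            = $u.physicalDeliveryOfficeName
                # More than one hit: export all of them and let a human decide, never guess
                Status            = if ($users.Count -gt 1) { "AMBIGUOUS ($($users.Count) matches)" } else { 'OK' }
            }
        }
    }
    $result | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
    $result
}

Export-UsersByDisplayName -InputCsv 'C:\temp\names.csv' -OutputCsv 'C:\temp\users.csv' | Format-Table -AutoSize
```

The `Status` column is the part worth keeping: a list of display names that produces one row per name with `OK` is the only output that should be handed on to whatever consumes the export.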

Group Policy Preferences Regional Settings - Regional format Unknown Locale


Hi all,

We have a problem with GPO Regional settings. DC servers are Windows Server 2016 Standard; all workstations are Windows 10 Pro. We need to change the Regional format; we make the changes in the GPO and force a policy update, but on the workstation side the Regional format is Unknown locale: Regional format > Current format: Unknown Locale (sr-RS)

We have Dynamics NAV and need this setting. If we change it manually (Regional format > Current format: Serbian (Latin, Serbia)), we don't have a problem.

Maybe the problem is the 'format': Windows 10 needs this one: sr-Latn-RS, not sr-RS. Any ideas how to resolve this?

TNX

2012 AD Domain renaming with 1 parent and two child domain issues


Hi,

I am new to AD migration, and I am working on renaming a testing environment with 1 parent domain and 2 child domains following the link below; all my DCs are running 2012.

"Appendix C: Checklists for the Domain Rename Operation" in docs.microsoft.com

I am running the procedure directly on the parent DC, and running into errors in "rendom /prepare".

#####################################

6 servers contacted, 6 servers returned Errors

The operation completed successfully.

C:\Users\Administrator>

###################################

When I re-run "rendom /prepare", it worked once... any idea what I could be missing?

Highly appreciated!
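
Added example, not part of the original post: a reader for the per-DC state that `rendom /prepare` writes back into `dclist.xml`, so the servers that "returned Errors" can be identified individually rather than re-running the whole step. Assumptions: `dclist.xml` is in the current directory (where `rendom /list` created it) and carries the element names rendom writes (`Name`, `State`, `LastError`, `FatalErrorMsg`); the `LastError` value is treated as a Win32 error code for translation.

```powershell
# Added example, not part of the original post. Assumes rendom's dclist.xml layout.
function Get-RendomDcState {
    param([string]$Path = '.\dclist.xml')
    [xml]$dcl = Get-Content -Path $Path
    foreach ($dc in $dcl.DcList.DC) {
        $code = 0
        [void][int]::TryParse($dc.LastError, [ref]$code)
        [pscustomobject]@{
            DC        = $dc.SelectSingleNode('Name').InnerText   # explicit node: XmlElement also has a .Name member
            State     = $dc.State                                 # Initial, Prepared, Done or Error
            LastError = $code
            Message   = if ($code -ne 0) { (New-Object System.ComponentModel.Win32Exception($code)).Message } else { '' }
            Fatal     = $dc.FatalErrorMsg
        }
    }
}

# Every DC has to reach "Prepared" before rendom /execute is allowed
$states = Get-RendomDcState
$states | Format-Table -AutoSize
$notReady = @($states | Where-Object State -ne 'Prepared')
"{0} of {1} DCs not yet prepared" -f $notReady.Count, @($states).Count
```

A DC that stays in `Error` with an RPC-style message is usually one the parent DC cannot reach on the ports rendom uses; fix reachability for that specific server and re-run `rendom /prepare`, which retries only the DCs that are not already prepared.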


AD Trust Selective or Forest Wide Authentication


Hi Everyone

I have a question regarding AD Trust

We have a single forest with multiple domains which has an incoming trust with another domain.

The trust is set up like this:

* Forest Trust

* Domain-Wide Authentication

But as we do not want users from one of our child domains to be able to access resources in the other domain, I was wondering how this can be resolved.

First I thought of using selective authentication, but this requires too much administrative work, I guess. Is there any way to still use domain-wide authentication and prevent access from the child domain?
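
Added example, not part of the original post: the selective-authentication mechanism the post mentions, written out so the administrative cost can be judged. It lists the existing trusts with their authentication mode, switches the trust to selective authentication, and then grants the "Allowed to Authenticate" control-access right on the resource computers to one group only. Assumptions: it runs on a DC of the trusting (resource) domain with the ActiveDirectory module, netdom and dsacls available; the domain names, OU and group name are placeholders.

```powershell
# Added example, not part of the original post. Domain, OU and group names are placeholders.
$TrustingDomain = 'resources.example'      # the domain that holds the resources
$TrustedDomain  = 'corp.example'           # forest root on the user side
$AllowedGroup   = 'CORP\FileShare-Users'   # the only cross-trust group that should get in
$ServerOU       = 'OU=FileServers,DC=resources,DC=example'

# 1. What is in place today: direction, forest transitivity and whether selective auth is on
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, IntraForest |
    Format-Table -AutoSize

# 2. Switch the trust to selective authentication (run from the trusting side)
& netdom.exe trust $TrustingDomain /domain:$TrustedDomain /SelectiveAuth:yes

# 3. With selective auth nobody from the trusted forest can authenticate to a resource computer
#    until a principal is granted the Allowed-To-Authenticate right on that computer object.
#    dsacls syntax: "/G principal:CA;<control access right name>"
$servers = Get-ADComputer -Filter 'Name -like "FS*"' -SearchBase $ServerOU
foreach ($srv in $servers) {
    & dsacls.exe $srv.DistinguishedName /G "${AllowedGroup}:CA;Allowed to Authenticate"
}

# 4. Verify the right landed
foreach ($srv in $servers) {
    (& dsacls.exe $srv.DistinguishedName) -match 'Allowed to Authenticate'
}
```

The administrative work is step 3: one grant per resource computer (or per OU, with inheritance) for each group that should cross the trust. With domain-wide or forest-wide authentication there is no equivalent lever; any restriction then has to live in the resource ACLs and logon-right policies of each server.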


Active Directory synchronization


Hi Folks,

I have several DCs divided over two sites:

Site 1: DC1, DC2, DC3
Site 2: AZ-DC1, AZ-DC2

When I take a look in AD Sites & Services, the replication between the sites and the DCs is configured as shown in the screenshot below...

Is this configured correctly, or do I have to configure this in a different (better) way?
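
Added example, not part of the original post: a text dump of the same topology the screenshot would show, so it can be checked and compared over time. It reports which DC sits in which site, every site link with cost, interval and change-notification flag, and every connection object with whether the KCC generated it. Assumptions: the ActiveDirectory module is loaded; nothing about the poster's site names is assumed beyond what `Get-ADReplicationSite` returns.

```powershell
# Added example, not part of the original post.
function Get-DcSiteReport {
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, OperatingSystem |
        Sort-Object Site, Name
}

function Get-SiteLinkReport {
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, Options |
        ForEach-Object {
            $l = $_
            [pscustomobject]@{
                SiteLink     = $l.Name
                Sites        = (($l.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ')
                Cost         = $l.Cost
                IntervalMin  = $l.ReplicationFrequencyInMinutes
                # siteLink options bit 0x1 = USE_NOTIFY: replicate on change instead of waiting for the schedule
                ChangeNotify = [bool]($l.Options -band 1)
            }
        }
}

function Get-ConnectionReport {
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        # DNs look like CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        $from = $_.ReplicateFromDirectoryServer -split ','
        $to   = $_.ReplicateToDirectoryServer   -split ','
        [pscustomobject]@{
            From         = "$($from[1] -replace '^CN=') ($($from[3] -replace '^CN='))"
            To           = "$($to[1]   -replace '^CN=') ($($to[3]   -replace '^CN='))"
            KccGenerated = $_.AutoGenerated   # $false = manually created; the KCC will not adjust it
            Name         = $_.Name
        }
    }
}

Get-DcSiteReport       | Format-Table -AutoSize
Get-SiteLinkReport     | Format-Table -AutoSize
Get-ConnectionReport   | Sort-Object To | Format-Table -AutoSize
& repadmin.exe /replsummary   # actual replication health, independent of how the picture looks
```

For two sites the things to look for in this output are one site link covering both sites, at least one inbound connection per DC from a partner in the other site, and no manually created connections left over from earlier changes.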

Windows Server 2012 in-place upgrade from Windows Server 2008 R2 Standard

While installing Windows Server 2012 R2 Standard, the system does a compatibility check and informs me that it needs to run adprep.exe. On checking the Windows Server 2012 R2 media under the sources folder, there is no file ADPREP.exe, and on looking at the WS 2008 CD drive it has a folder named ADPREP.exe, and when I try to run it, it comes out with a NETAPI DLL error. I am not able to install WS 2012 R2. Please let me know.
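
Added example, not part of the original post: where adprep lives on 2012 R2 media (`\support\adprep`, not `\sources`) and how to verify that forest and domain preparation took effect afterwards by reading the schema version and the update-revision objects. The adprep from the media of the version being installed is the one that has to run; an older adprep cannot prepare for a newer version. Assumptions: the 2012 R2 ISO is mounted as `D:` (placeholder), it runs as a member of Schema Admins and Enterprise Admins on a DC that can reach the schema master, and 69 is the documented 2012 R2 schema objectVersion.

```powershell
# Added example, not part of the original post. D: is a placeholder for the mounted ISO.
$media = 'D:'

function Get-AdPrepStatus {
    $root   = Get-ADRootDSE
    $schema = Get-ADObject -Identity $root.schemaNamingContext -Properties objectVersion
    # forestprep and domainprep record their progress in these two objects' revision attribute
    $forestUpd = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($root.configurationNamingContext)" -Properties revision -ErrorAction SilentlyContinue
    $domainUpd = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($root.defaultNamingContext)" -Properties revision -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SchemaVersion        = $schema.objectVersion
        SchemaAtLeast2012R2  = ($schema.objectVersion -ge 69)   # 69 = Windows Server 2012 R2
        ForestUpdateRevision = $forestUpd.revision
        DomainUpdateRevision = $domainUpd.revision
        SchemaMaster         = (Get-ADForest).SchemaMaster
    }
}

'Before:'; Get-AdPrepStatus | Format-List

# adprep on 2012 R2 media is 64-bit only and /forestprep asks for a "C" confirmation
& "$media\support\adprep\adprep.exe" /forestprep
& "$media\support\adprep\adprep.exe" /domainprep
& "$media\support\adprep\adprep.exe" /domainprep /gpprep

'After:'; Get-AdPrepStatus | Format-List
```

Once `SchemaAtLeast2012R2` is true and the revision values have moved, re-run the 2012 R2 setup; its compatibility check reads the same objects.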

Create a security group in AD for 10 machines that should give logged-on users local admin rights


Hello Folks,

I need to create a security group for 10 computers in AD. Whichever user logs on to those machines should have full logon rights.

Appreciate the feedback

Thanks !
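
Added example, not part of the original post: the group-based way to scope local administrator rights to ten computers. It creates a group that holds the computers and a group that carries the right, scaffolds a GPO whose security filtering is limited to the computer group, and pushes the membership into the local Administrators group immediately. Assumptions: names, OUs and the `PC01..PC10` list are placeholders; the GroupPolicy and ActiveDirectory modules are available; the targets run Windows 10 or Server 2016 (for `Add-LocalGroupMember`). The post asks for "whichever user logs on" to be an admin; granting the right to a named group keeps it auditable, so that is what this does.

```powershell
# Added example, not part of the original post. Names, OUs and computer list are placeholders.
$ComputerGroup = 'LocalAdmin-Scope-PCs'
$AdminGroup    = 'LocalAdmin-Users'
$GroupsOU      = 'OU=Groups,DC=corp,DC=example'
$ComputersOU   = 'OU=Workstations,DC=corp,DC=example'
$Computers     = 1..10 | ForEach-Object { 'PC{0:D2}' -f $_ }
$NetbiosDomain = (Get-ADDomain).NetBIOSName

New-ADGroup -Name $ComputerGroup -GroupScope Global -GroupCategory Security -Path $GroupsOU
New-ADGroup -Name $AdminGroup    -GroupScope Global -GroupCategory Security -Path $GroupsOU

# The computer objects become members of the scope group; GPO security filtering keys on it
$members = foreach ($c in $Computers) { Get-ADComputer -Filter "Name -eq '$c'" }
Add-ADGroupMember -Identity $ComputerGroup -Members $members

# GPO linked at the OU but applied only to the scope group. Authenticated Users keeps Read
# (computers must still read the GPO after MS16-072) and loses Apply.
$gpo = New-GPO -Name 'Local Administrators - scoped PCs'
New-GPLink -Name $gpo.DisplayName -Target $ComputersOU | Out-Null
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpo.DisplayName -TargetName $ComputerGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
# The Restricted Groups item itself is not exposed by the GroupPolicy module: in GPMC add
# "$NetbiosDomain\$AdminGroup" to BUILTIN\Administrators under
# Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

# Immediate effect on the machines that are online now (same membership the GPO will enforce)
Invoke-Command -ComputerName $Computers -ScriptBlock {
    param($member)
    Add-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, PrincipalSource
} -ArgumentList "$NetbiosDomain\$AdminGroup"
```

The final `Get-LocalGroupMember` output is the check: each of the ten computers should list the domain group once, and nothing else that was not there before.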

What if a group policy is not defined? Will the default access take effect?


I have not configured a few group policy settings which have default values. If I leave those policies, will the default settings take effect? I can also see the default settings when I open the Local Group Policy Editor, but not in the domain GP editor.

Below is a sample policy FYR.

"

Change the system time

This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:
Administrators
Local Service

Default on domain controllers:
Administrators
Server Operators
Local Service

"

Cannot enable TLS for LDAP


My configuration: PHP 5.6, Apache 2.4, Windows 10.

I use the ldap_start_tls() function. I have added the root cert to C:\OpenLDAP\sysconf\certs.

ldap.conf:
TLS_REQCERT demand
TLS_CACERT C:\OpenLDAP\sysconf\certs\root.pem

ldap_start_tls() returns a warning:
Warning (2): ldap_start_tls(): Unable to start TLS: Connect error

What's wrong? Why does the function return a warning?

Thanks

Frequent Account Lockout - Wondering whether the account has been compromised?


I have been having frequent account lockouts on a daily basis for the last several months. I checked the event logs for 4740 and 4625 etc., but I could not find where the source is. So I turned on Netlogon logging, and here is what I saw in the Netlogon log.

01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:56 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Entered
01/14 03:02:57 [LOGON] [560] domain: SamLogon: Transitive Network logon of domain\domainadminaccount from  (via FileServer) Returns 0xC0000234

So I logged into the file server shown above and logged off. I am not sure what else I can do. We also have a PAM (privileged access management) solution that changes the password every 7 days. Since the PAM solution changes the password over the weekend, if my account gets locked out, it automatically sends out an alert that it is unable to reconcile the account and change the password. So I want to know, from looking at the above log, is there any way that my account could have been compromised?

I appreciate your input and feedback.

Thanks ahead of time

 


AA2913
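
Added example, not part of either of the two lockout posts above (the earlier "Domain Admin Account Lockouts" post and this one): a parser for the Netlogon debug log that turns lines like the ones quoted into a per-account, per-source summary with the NTSTATUS codes translated, followed by a lookup of the 4740 lockout events on the PDC emulator, which is the DC that always records them whatever DC saw the bad passwords. The sample lines are constructed to match the format shown in the posts; the real log is `%SystemRoot%\debug\netlogon.log` on each DC. Assumptions: the status-code names are the documented NTSTATUS values; the 4740 property order (0 = target account, 1 = caller computer) is the documented event layout; the ActiveDirectory module is available for the PDC lookup.

```powershell
# Added example, not part of either post. Sample log lines below are constructed.
$NtStatusNames = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
}

function ConvertFrom-NetlogonLog {
    param([string[]]$Lines)
    # "MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: <kind> logon of <acct> from <ws> (via <host>) Returns 0x..."
    # <acct> and <ws> may be blank, as in the posted lines; "Entered" lines carry no status and are skipped.
    $rx = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] \[\d+\] (?<dom>\S+): SamLogon: (?<kind>.+?) logon of (?<acct>\S*) from (?<from>\S*)(?: \(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            $status = $Matches.status.ToUpper() -replace '^0X', '0x'
            [pscustomobject]@{
                Time    = $Matches.ts
                Account = $Matches.acct
                From    = if ($Matches.from) { $Matches.from } else { '<blank>' }    # blank = client name not supplied
                Via     = if ($Matches.via)  { $Matches.via }  else { '<direct>' }   # the member server that forwarded it
                Status  = $status
                Meaning = if ($NtStatusNames[$status]) { $NtStatusNames[$status] } else { 'UNKNOWN' }
            }
        }
    }
}

function Get-NetlogonFailureSummary {
    param([string[]]$Lines)
    ConvertFrom-NetlogonLog -Lines $Lines |
        Where-Object { $_.Status -ne '0x0' } |
        Group-Object Account, From, Via, Meaning |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Account = $first.Account; From = $first.From; Via = $first.Via; Meaning = $first.Meaning
                Count = $_.Count; FirstSeen = $_.Group[0].Time; LastSeen = $_.Group[-1].Time
            }
        } | Sort-Object Count -Descending
}

function Get-LockoutEvents {
    param([Parameter(Mandatory)][string]$Account, [int]$Days = 1)
    # 4740 is written on the PDC emulator regardless of which DC processed the bad passwords
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) } |
        Where-Object { $_.Properties[0].Value -eq $Account } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[0].Value; CallerComputer = $_.Properties[1].Value } }
}

# Constructed sample in the format the posts show (names are placeholders)
$sample = @(
    '01/14 03:02:56 [LOGON] [560] CORP: SamLogon: Transitive Network logon of CORP\adminacct from  (via FS01) Entered',
    '01/14 03:02:56 [LOGON] [560] CORP: SamLogon: Transitive Network logon of CORP\adminacct from  (via FS01) Returns 0xC000006A',
    '01/14 03:02:57 [LOGON] [560] CORP: SamLogon: Transitive Network logon of CORP\adminacct from  (via FS01) Returns 0xC000006A',
    '01/14 03:02:57 [LOGON] [560] CORP: SamLogon: Transitive Network logon of CORP\adminacct from  (via FS01) Returns 0xC0000234',
    '01/14 03:05:10 [LOGON] [560] CORP: SamLogon: Network logon of CORP\jdoe from WS42 (via CTX01) Returns 0x0'
)
Get-NetlogonFailureSummary -Lines $sample | Format-Table -AutoSize
# On a DC: Get-NetlogonFailureSummary -Lines (Get-Content "$env:SystemRoot\debug\netlogon.log")
# Get-LockoutEvents -Account 'adminacct' -Days 7 | Format-Table -AutoSize
```

On the sample this yields one row: `adminacct` via `FS01`, two `STATUS_WRONG_PASSWORD` then one `STATUS_ACCOUNT_LOCKED_OUT`, with `From` blank. A blank `From` with a `Via` means the member server forwarded a network logon for which the client workstation name was not supplied, so the next place to look is that server itself: its Security log (4625 and 4776 carry the source address and the process), its own Netlogon log, and any service, scheduled task or mapped drive on it that runs as the account. The `CallerComputer` field of 4740 on the PDC emulator names the same forwarding machine independently of EventCombMT.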



Domain Controller 2016 priority not work


Hi Support,

We have some Windows 2008 R2 DCs and are promoting a Windows 2016 DC. We configure "LdapSrvPriority" in the registry so that users will not contact the target DC. It works on the Windows 2008 R2 DCs: users only contact the priority 0 (by default) DCs; they will not contact the higher-value DC.

After we promoted a Windows 2016 DC and configured the same setting, we found that users still connect to the new 2016 DC. We checked that the values are already updated in DNS.

Is the priority setting not available on a Windows 2016 DC?

Thanks

Chong  
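
Added example, not part of the original post: the SRV records the DC locator actually consults, domain-wide and for the client's own site, listed with priority and weight, next to the Netlogon registry values on each DC and the DC the locator picks right now. Clients in a site query the `_sites` records for that site before the domain-wide set, so a raised `LdapSrvPriority` on the 2016 DC only matters within the record set the client reads; if the 2016 DC is the only DC registered for the client's site, it is chosen regardless. Assumptions: the ActiveDirectory module and WinRM to the DCs are available; domain and site are read from the machine this runs on; the default priority 0 / weight 100 is the documented Netlogon default.

```powershell
# Added example, not part of the original post.
function Get-DcLocatorSrv {
    param([Parameter(Mandatory)][string]$Domain, [string]$Site)
    $names = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
    if ($Site) { $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
    foreach ($n in $names) {
        Resolve-DnsName -Name $n -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'SRV' |
            Sort-Object Priority, { -$_.Weight } |    # locator order: lowest priority first, then highest weight
            ForEach-Object {
                [pscustomobject]@{ Record = $n; Target = $_.NameTarget; Priority = $_.Priority; Weight = $_.Weight }
            }
    }
}

function Get-DcNetlogonSrvSettings {
    # Absent values mean the defaults: LdapSrvPriority 0, LdapSrvWeight 100
    foreach ($dc in Get-ADDomainController -Filter *) {
        $p = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        }
        [pscustomobject]@{
            DC = $dc.HostName; OS = $dc.OperatingSystem; Site = $dc.Site
            LdapSrvPriority = $p.LdapSrvPriority; LdapSrvWeight = $p.LdapSrvWeight
        }
    }
}

$domain = (Get-ADDomain).DNSRoot
$site   = (& nltest.exe /dsgetsite)[0].Trim()    # first output line is this machine's site

Get-DcNetlogonSrvSettings | Format-Table -AutoSize
Get-DcLocatorSrv -Domain $domain -Site $site | Format-Table -AutoSize
& nltest.exe /dsgetdc:$domain /force             # what the locator picks from this client now
```

Compare the `_sites` rows with the domain-wide rows: if the 2016 DC appears alone under the client's site, the priority value has nothing to compete against there, and the fix is site coverage (which DCs serve that site), not the registry value. Netlogon re-registers SRV records on start and on `nltest /dsregdns`, so a changed value is only visible in DNS after one of those.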


Migration of FRS to DFSR


Hello all,

I was after a bit of final advice on the following.

We were in the process of moving from FRS to DFSR, which we wanted to do before adding in 2016 DCs.

We have 2x 2008 R2 servers and 2x 2012 R2; all the health checks etc. passed.

My question is, after following various guides, I cannot find a concrete answer to the following.

We moved to the 'prepared' state a couple of months back, but due to unconnected things we put a hold on the move. Now we want to finish off, and I wanted to confirm what the next stage does.

FRS and DFSR have different files now, since new scripts, policies etc. have been created, deleted and edited since the initial move to the prepared state.

If we run the command on the PDC to move to the redirected state, does it copy all the modifications done in FRS since then to the outdated DFSR folder?

Or do we need to perform one of the following (based on articles I have come across):

mainly robocopy SYSVOL to get the latest files, or revert back to the start state and redo the prepared state?

Thanks for the help!
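
Added example, not part of the original post: a report of the SYSVOL migration state as `dfsrmig` sees it on every DC, and a hash comparison of the FRS folder (`SYSVOL\domain`) against the DFSR folder (`SYSVOL_DFSR\domain`) so the exact set of files that changed since the prepared state is known before the next state change, whichever way it is done. Assumptions: default paths under `%SystemRoot%`, run on the PDC emulator, FRS bookkeeping directories (`NtFrs_*`) excluded from the comparison.

```powershell
# Added example, not part of the original post. Default SYSVOL paths assumed.
function Get-SysvolMigrationState {
    # Global state lives in AD; the per-DC line shows which DCs have caught up with it
    (& dfsrmig.exe /getglobalstate) -join "`n"
    (& dfsrmig.exe /getmigrationstate) -join "`n"
}

function Compare-SysvolFolders {
    param(
        [string]$Frs  = (Join-Path $env:SystemRoot 'SYSVOL\domain'),
        [string]$Dfsr = (Join-Path $env:SystemRoot 'SYSVOL_DFSR\domain')
    )
    $index = {
        param($root)
        Get-ChildItem -Path $root -Recurse -File |
            Where-Object { $_.FullName -notmatch 'NtFrs_' } |   # FRS pre-install / pre-existing dirs
            ForEach-Object {
                [pscustomobject]@{
                    Rel  = $_.FullName.Substring($root.Length).TrimStart('\')
                    Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    When = $_.LastWriteTime
                }
            }
    }
    $a = & $index $Frs  | Group-Object Rel -AsHashTable -AsString
    $b = & $index $Dfsr | Group-Object Rel -AsHashTable -AsString
    $all = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
    foreach ($rel in $all) {
        $ha = $a[$rel].Hash; $hb = $b[$rel].Hash
        $state = if (-not $hb)        { 'ONLY IN SYSVOL (FRS)' }
                 elseif (-not $ha)    { 'ONLY IN SYSVOL_DFSR' }
                 elseif ($ha -ne $hb) { 'DIFFERENT' }
                 else                 { 'SAME' }
        if ($state -ne 'SAME') {
            [pscustomobject]@{ Path = $rel; State = $state; FrsModified = $a[$rel].When; DfsrModified = $b[$rel].When }
        }
    }
}

Get-SysvolMigrationState
$diff = Compare-SysvolFolders
$diff | Format-Table -AutoSize
"{0} path(s) differ between FRS and DFSR copies" -f @($diff).Count
```

Run the comparison again after whatever step is chosen next; the goal is an empty difference list on the PDC emulator before the global state is advanced, and `dfsrmig /getmigrationstate` reporting every DC at the new state before going further.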

Directory Service impact if we install a trusted-authority certificate from an internal CA server on a Domain Controller as per VA assessment remediation steps


During the assessment it was found that:
1. The certificate chain sent by the remote host is signed by an unknown certificate authority.
2. A self-signed certificate is used.

Remediation step:

Purchase/generate a certificate under a trusted authority.
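
Added example, not part of this post or the earlier "Cannot enable TLS for LDAP" post: it opens an LDAP connection on port 389, upgrades it with StartTLS (the same operation PHP's `ldap_start_tls()` performs) and reports which certificate the DC presented, whether it is self-signed, and whether it chains to a CA the client trusts. That separates the server-side finding above (unknown issuer, self-signed) from a client-side TLS_CACERT problem like the one in the PHP post. Assumptions: .NET's System.DirectoryServices.Protocols is available (any Windows client), the server name is a placeholder, and revocation checking is skipped so the chain result reflects trust only.

```powershell
# Added example, not part of either post. Server name is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapStartTls {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $report = [ordered]@{
        Server = $Server; StartTlsOk = $false; Protocol = $null; Subject = $null; Issuer = $null
        NotAfter = $null; SelfSigned = $null; ChainOk = $false; ChainStatus = @(); Error = $null
    }
    # Validate the presented certificate ourselves so the outcome is reported rather than thrown
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $ok = $chain.Build($cert)
        $report.Subject     = $cert.Subject
        $report.Issuer      = $cert.Issuer
        $report.NotAfter    = $cert.NotAfter
        $report.SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        $report.ChainOk     = $ok
        $report.ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        return $true   # accept here only to finish the handshake for reporting; a real client returns $ok
    }
    try {
        $conn.SessionOptions.StartTransportLayerSecurity($null)
        $report.StartTlsOk = $true
        $report.Protocol   = $conn.SessionOptions.SslInformation.Protocol
    } catch {
        $report.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$report
}

Test-LdapStartTls -Server 'dc01.corp.example' | Format-List
```

`SelfSigned = True` or a `ChainStatus` of `UntrustedRoot` / `PartialChain` reproduces the VA finding from the client's point of view; once the DC holds a certificate issued by the internal CA (the Kerberos Authentication or Domain Controller Authentication template) and the CA's root is in the client's trusted roots, `ChainOk` turns true. Note that `X509Chain.Build` does not check the host name against the certificate, so also confirm the subject or SAN matches the name the clients use. If this test passes but PHP still reports "Connect error", the remaining problem is on the PHP/OpenLDAP side: with `TLS_REQCERT demand` the `TLS_CACERT` file has to be readable by the Apache process and contain the issuing chain in PEM form.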


cross forest dfs ?


I want to know if it is possible to deploy a DFS share across multiple forest domains.

I have three forest domains:

  1. ucda.com
  2. ucdb.com
  3. ucdc.com

They are all single forests. Because I found in the Microsoft docs that DFS cannot cross forest domains, I really want to know for sure whether it is right that DFS cannot cross forest domains.

Thank you very much.

Please help.


