Channel: Directory Services forum

Client Workstations - Group Policy Objects not applying


We have already opened all these ports in our AD environment going to the 2nd AD domain, but we would also like to identify which ports should be open going to client workstations.

Both of our AD environments are in separate locations:

Current setup of domains & client workstations:

AD Domain 1: (Primary) Located at City 1

AD Domain 2: (Secondary) Located at City 2

Client Workstations: Located at City 3

Connections go through firewall policies to reach the primary domain in the other location.

Port Description                               Port Details

LDAP                                           TCP 389
LDAP SSL                                       TCP 636
Kerberos                                       TCP 88
DNS                                            TCP 53
LDAP                                           TCP 389
LDAP (Secure)                                  TCP 636
RPC / Replication                              TCP 135
DFSN, NetBIOS Session Service, Net Logon       TCP 139
Global Catalog                                 TCP 3268
Global Catalog (Secure)                        TCP 3269
Authentication, Trusts and Group Policy
Kerberos Password Change                       TCP 464
DFSR, File Replication                         TCP 5722
Replication, User / Computer                   TCP 49152-65535 (is this port range required to be open, ranging from 49152 up to 65535?)

What are the risks in opening all these ports? We need to justify each port, with its risk, to the audit team, since they are needed for the AD policies to work properly.

I would appreciate it if you could help me with this case.
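An added example (not part of the original post) that a client-side check could be built on: it tests TCP reachability of the fixed ports from the table above from a workstation, so each firewall rule can be tied to an observed need. The DC name is a placeholder, and TCP 445 is added beyond the poster's list because Group Policy files are read from SYSVOL over SMB.

```powershell
# Added example, not from the original post. Run on a client workstation in
# City 3 against a DC in City 1. $DomainController is a placeholder.
$DomainController = 'dc01.example.internal'   # replace with a real DC FQDN

# Fixed ports from the poster's table that a client talks to. TCP 445 (SMB)
# is added because clients read GPO files from SYSVOL over SMB. TCP 5722
# (DFSR) is left out: SYSVOL replication runs between DCs, not to clients.
$Ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session service'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Group Policy files)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-DcPorts {
    param([string]$Server, [System.Collections.IDictionary]$PortMap)
    foreach ($port in $PortMap.Keys) {
        # -InformationLevel Quiet returns only $true/$false for the TCP connect
        $open = Test-NetConnection -ComputerName $Server -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Service = $PortMap[$port]; Open = $open }
    }
}

Test-DcPorts -Server $DomainController -PortMap $Ports | Format-Table -AutoSize

# The RPC dynamic range (49152-65535) cannot be checked port by port: the
# endpoint mapper on 135 assigns a port at runtime. To see the range a DC is
# actually configured to use, run on the DC:
#   netsh int ipv4 show dynamicport tcp
```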



syntax error


Hi all, I am using the query below, but I am still getting "IT Manager" in the output, which I am not supposed to. Experts, please guide me.

$Input = "((Office -like '*XYZ*') -and ((description -like '*System Engineer*') -or (description -like '*System Manager*') -or (description -like '*Manager*')) -and ((description -notlike '*System Administrator*') -or (description -notlike '*IT Manager*')))"
Get-ADUser -Filter $Input -Properties DisplayName,UserPrincipalName,Title,Description,co,personalTitle
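An added example, not the poster's code: the same query with the two exclusion clauses joined by -and, plus the predicate evaluated locally on constructed descriptions so the logic can be checked without touching AD. With -or, an "IT Manager" passes the exclusion because it is not a "System Administrator".

```powershell
# Added example, not the poster's code. $Filter replaces $Input, which is a
# PowerShell automatic variable and should not be assigned to.
$Filter = "(Office -like '*XYZ*') -and " +
          "((description -like '*System Engineer*') -or " +
          " (description -like '*System Manager*') -or " +
          " (description -like '*Manager*')) -and " +
          "((description -notlike '*System Administrator*') -and " +
          " (description -notlike '*IT Manager*'))"

Get-ADUser -Filter $Filter -Properties DisplayName,UserPrincipalName,Title,Description,co,personalTitle |
    Select-Object DisplayName, UserPrincipalName, Title, Description

# The same predicate on a single description string: wanted AND NOT excluded.
function Test-DescriptionFilter {
    param([string]$Description)
    $wanted   = ($Description -like '*System Engineer*') -or
                ($Description -like '*System Manager*')  -or
                ($Description -like '*Manager*')
    $excluded = ($Description -like '*System Administrator*') -or
                ($Description -like '*IT Manager*')
    return ($wanted -and -not $excluded)
}

# Constructed sample descriptions; "IT Manager" matches '*Manager*' but is
# now excluded, "Project Manager" is kept.
'IT Manager', 'System Engineer', 'Project Manager', 'System Administrator' |
    ForEach-Object { '{0,-22} {1}' -f $_, (Test-DescriptionFilter $_) }
```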


Step by step guide for troubleshooting GPO issues


Hi,

Please provide a step-by-step guide for troubleshooting GPO issues.

Sometimes we are unable to troubleshoot GPO issues, yet the MS Support engineer is able to troubleshoot them.

How is the MS engineer able to resolve the GPO issue? Is there any special tool they are using?
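An added example, not from the original post: a first-pass routine that gathers the evidence a support engineer normally asks for on the affected client (an RSoP report, Group Policy operational-log errors, and SYSVOL reachability). It assumes an elevated session on a domain-joined Windows client.

```powershell
# Added example, not from the original post. Run elevated on the client that
# is not applying the GPO.

function Get-GpoProcessingProblems {
    # Errors (level 2) and warnings (level 3) from the Group Policy
    # operational log within the last $Hours hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-SysvolAccess {
    # Logon server and DNS domain come from the client's own session; GPO
    # files are read from \\<dc>\SYSVOL\<domain>\Policies over SMB, either
    # via the DC name or via the domain-based DFS path.
    $dc     = $env:LOGONSERVER.TrimStart('\')
    $domain = $env:USERDNSDOMAIN
    [pscustomobject]@{
        LogonServer      = $dc
        SysvolReachable  = Test-Path "\\$dc\SYSVOL\$domain\Policies"
        DfsPathReachable = Test-Path "\\$domain\SYSVOL\$domain\Policies"
    }
}

# 1. Force a refresh, then write an RSoP report showing which GPOs were
#    applied, filtered out (security filtering / WMI) or unreachable.
gpupdate /force | Out-Null
gpresult /h "$env:TEMP\gpresult.html" /f

# 2. Recent processing errors and warnings.
Get-GpoProcessingProblems -Hours 24 | Format-Table -AutoSize

# 3. SYSVOL reachability from this client.
Test-SysvolAccess
```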

SPN HOST/IP overrides


Hi guys,

I'm trying to configure additional SPNs pointing to the IP address of the server for TERMSRV and HOST. The server is the domain controller.

setspn -S TERMSRV/172.29.2.19 Sec-Lab-Win19
setspn -S HOST/172.29.2.19 Sec-Lab-Win19

A short time after the configuration, HOST/172.29.2.19 disappears from the list of SPNs, while TERMSRV/172.29.2.19 remains there. How can I prevent HOST/172.29.2.19 from being deleted / overridden? Is there a way to find out what overrides the HOST/ SPN record?

Thank you

Regards,

Max

Active directory domain level encryption

Hey guys, I need help with my Active Directory domain lab.
I want to have a folder on my domain that is open for sharing and security to everyone, and have a user from a client computer create an encrypted file there.
I can see that it is possible, and that other users can't open the file even if they are on the same machine.
My issue comes when I want to share the encrypted file with another user, because a simple user on a simple machine cannot have access to domain-level certificates (or can he? I cannot even find the thumbprints of his own domain-level user certificate), not even his own, which means he cannot share with another user via his domain-level certificates other than by asking the administrator to add the user to the encrypted file sharing.
Is there a way for a user to share a domain-level encrypted file on his own, or is the only way for him to do that to ask the administrator?
Thank you.

Event ID 2088 Active Directory error on my Domain Controller

Hi everyone, hope you can help... I got some errors on one of the DCs in Active Directory.

####################
# Background
####################

In the site, I have two DCs: DC02 and DC03.

DC02 is running 2008R, bridgehead, DNS, and global catalog. This is a VM.
DC03 is running 2012, DNS and global catalog. This one was just set up a few months ago.

I am planning to demote DC02.



############################
# VM host crash
############################

Last week, the VM host which hosts DC02 crashed because of a power outage. Fortunately I could recover the host, and all the VM servers seem to be fine... but...



########################
# Errors
########################

But not on DC02.

The crash was on DC02, which seems to be fine. But I got errors on DC03, which did not crash. I got error 1311 saying "The Knowledge Consistency Checker (KCC) detected problems with the following directory partition...". So I ran dcdiag /test:connectivity on DC02... it failed. Then I changed the bridgehead server from 02 to 03. But dcdiag /test:connectivity on DC02 still fails... the others are fine.


Now the new error is 2088, DS_RPC_Client, saying Active Directory Services could not use DNS to resolve the IP of the source domain controller listed below (which is "DC02"). So I checked the DNS records... they are there, including _msdcs... When I right-clicked on the zone and went to the "Name Servers" tab, I found something! The IP column of DC02 is shown as "unknown", but the other DCs are shown with an IP. So I removed DC02 and then added it again with the full domain name; it says it cannot find it.

So I ran dcdiag /test:DNS on DC03... it says "error: DNS server DC02.x.com IP unavailable, [missing glue A record]".

Besides, it also failed the "Del" and "RReg" tests, but the rest passed. (I will try to take a screenshot of this.)

Again... I checked the zone info and all records for DC02 are still there.

True... I cannot ping dc02.x.com, while I can ping the other domain controllers without any problem.


################################
# Questions
################################

1.) So how do I fix it?
2.) As mentioned, I will try to decommission DC02 by demoting it first... so do you think I can demote it even with the error around? I wonder if the demotion process will fail though...
3.) Or should I do the NTDS metadata cleanup? Any risk of messing up the whole AD at this point?

AD Site Link Creation


Hello Folks,

I started working at a company a little over a month ago, and one of my projects is cleaning up Active Directory. I resolved a bunch of replication errors and have managed to get everything syncing. I'm moving with caution but making great strides. I need to reconfigure AD Sites & Services > Sites > Inter-Site Transports > IP > Site Links.

It looks like they tried to set up a hub and spoke using Site-A, Site-D and Site-G, with the other sites hanging off their respective location's site head. Last weekend Site-D relocated to a different office and the server had hardware issues which caused it to be down for a few days. This caused Site-E & Site-F not to receive replication. The DEFAULTIPSITELINK was deleted long before I got here, and there are a lot of manual creations in the NTDS Settings in the sites.

There are MPLS connections to Site-A from everywhere. Speed/connectivity is not an issue at any site. All sites connect directly to Site-A. Other sites connect to each other but not all sites are connected to all sites.

Site-A is HQ for the company and most but not all accounts are generated here. But it is critical that all DCs replicate to and from HQ for various O365 & related reasons.

The goal is to recreate the IP Site Links and have <automatically generated> connections in the NTDS Settings. So I know I will need to delete any manually created connections and force the KCC to create the <automatically generated> NTDS connections after the Site Links are recreated.

How do I go about reconfiguring Inter-Site Transports > IP > Site Links? Do I create one Site Link, add all sites to it and enable BASL? Could it be that simple because it's only one domain?

1 forest and 1 domain

10 DCs; Site-A Windows 2016 Std., all else Windows 2019 Std.

9 physical locations

Bridge All Site Links is disabled

Americas

Site-A = DC01(FSMO) & DC02

Site-B = DC03

Site-C = DC04

Europe

Site-D = DC05

Site-E = DC06

Site-F = DC07

Asia

Site-G = DC08

Site-H = DC09

Site-I = DC10

Any help is appreciated. Thanks in advance!



Display should be First name + Last name


Hi Guys,

I have changed my last names to capitals, but it is not reflected in the display name.

I ran the script below, which made the changes to the AD last names:

# Upper-case the surname of every user in the OU; the distinguished name is
# passed to Set-ADUser as the identity
$targetUsers = Get-ADUser -SearchBase "OU=india,DC=study,DC=com" -Filter { Surname -like "*" }
$targetUsers | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -Surname $_.Surname.ToUpper()
}

Now I want to change the display name to first + last name.

So my display name should be like: kiran MANNE



Ram
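An added example, not the poster's script: displayName is a separate attribute that is only filled in when the account is created, so changing Surname does not update it. The function below rebuilds it as "<GivenName> <SURNAME>" for the OU from the post, with a dry run first.

```powershell
# Added example, not the poster's script. OU path taken from the post.
Import-Module ActiveDirectory

function Set-DisplayNameFromParts {
    param(
        [string]$SearchBase = 'OU=india,DC=study,DC=com',
        [switch]$WhatIf
    )
    # Only users with both GivenName and Surname set are touched, so service
    # or placeholder accounts without a first name are skipped.
    # DisplayName is not a default property and has to be requested.
    Get-ADUser -SearchBase $SearchBase -Properties DisplayName `
               -Filter { GivenName -like '*' -and Surname -like '*' } |
    ForEach-Object {
        $display = '{0} {1}' -f $_.GivenName, $_.Surname.ToUpper()
        if ($_.DisplayName -ne $display) {
            Set-ADUser -Identity $_.DistinguishedName -DisplayName $display -WhatIf:$WhatIf
            [pscustomobject]@{
                User           = $_.SamAccountName
                OldDisplayName = $_.DisplayName
                NewDisplayName = $display
            }
        }
    }
}

# Dry run: shows what would change without writing to AD.
Set-DisplayNameFromParts -WhatIf | Format-Table -AutoSize

# Apply once the dry run looks right:
# Set-DisplayNameFromParts
```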


Forest trust validation permissions


Hi,

Does anyone know what explicit permissions are needed to be able to validate a trust? I know you can add the account to Domain Admins or Enterprise Admins, etc., but I would like to give a specific user account just the rights to validate a trust and not access to all of Active Directory.

Kind regards


SAML token format


I am trying to get a SAML token back from the Active Directory server with a Group claim in this format:

<Attribute Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>Domain Users</AttributeValue><AttributeValue>PBCO_Users</AttributeValue><AttributeValue>PBCO_IT</AttributeValue></Attribute>

I followed the steps in this post:

https://social.technet.microsoft.com/Forums/en-US/9862bb2c-89c5-4c64-8776-b4dc09a7fc88/problem-creating-a-group-claim?forum=winserverDS

and was only able to get the token back like so:

<Attribute Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>Domain Users</AttributeValue><AttributeValue>PBCO_Users</AttributeValue><AttributeValue>PBCO_IT</AttributeValue></Attribute>

How can I achieve this?

Thanks!


Blocking internet access in active directory servers


Hello Everyone

We have an Active Directory environment with internal DNS set up.

As per security recommendation, we need to block internet access in our active directory servers.

Requesting your kind inputs on what prerequisites/settings I need to validate before blocking internet access, to ensure none of the related services gets impacted.

Thank You

How to delete a folder on one of the servers included in DFSR group?


Hi all,

let me explain our set up: 

- Replication group 'RG1'

- 3 members (=servers) included in RG1: Server1, Server2, Server3

- Folders Folder1, Folder2, Folder3 are replicating between Server1 and Server2. Because the disk on Server2 started running out of space, I added Server3 to the replication group RG1 and started replicating Folder3 between Server1, Server2 and Server3. The other folders are replicating only between Server1 and Server2.

What I'm trying to achieve: I want to physically delete Folder3 from Server2 to free up disk space on Server2. So Folder3 will replicate between Server1 and Server3, and the other folders will keep replicating between Server1 and Server2.

---

How do I do this? Can I just disable the Server2 target on Folder3 and then remove the data from Server2? I doubt the system will allow me to do that.

I don't want to break replication for the other folders included in RG1. I'd really appreciate your advice.

A diagram can be helpful:

Current state RG1:

Server1                    Server2                    Server3

Folder1 <----------> Folder1
Folder2 <----------> Folder2
Folder3 <----------> Folder3 <----------> Folder3

Desired state RG1:

Server1                    Server2                    Server3

Folder1 <----------> Folder1
Folder2 <----------> Folder2
Folder3 <--------------------------------> Folder3

Best Regards, J

"The replication operation was preempted" and DNS unavailable


Hello,

I have promoted a new domain controller; it is now almost 6 hours after its first reboot to complete the promotion. I noticed three issues:

1. Error opening DNS on the newly promoted server: "Server could not be contacted. Error: DNS service is unavailable".

2. When I run repadmin /showrepl it shows a few delayed results + a few successful results:

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=com
    siteB\MN01SRV001 via RPC
        DSA object GUID: ddd6d4f4-c37a-47cd-8a03-29573d5cc203
        Last attempt @ 2020-01-08 23:43:04 was delayed for a normal reason, result 8418 (0x20e2):

3. When I run repadmin /replsummary: "The replication operation was preempted".

Based on the above errors, I wonder whether it is because replication has not yet completed, or whether I have a "real" issue here. For additional info, when I run repadmin /queue I can see a few replications in the queue. This server also has a few replication partners. So should I just leave it and keep monitoring, or do I need to demote and promote again?

Thanks



Prompt for Credentials when Accessing DFS share in Trusted Forest!!!


Hi Team,

We are having an issue when accessing a DFS share, but no issue accessing the file share directly from the other trusted forest (which was running fine earlier).

If the file share is accessed directly using the server name, it works fine, but when trying to connect to the DFS namespace, it prompts for a password and then throws the error "System cannot contact a domain controller to service the authentication request".

Steps done:

Validated the trust; no issue with that.

Please help out.

Regards,

Sumit

Can an application always run with different users


Hi,

  • I have an enterprise application (which can't be stopped due to business need) always running on Windows 10. To access the machine, our team (10 members) uses a single domain account; the password of that account is shared with everyone.
  • We RDP to the machine and never log off; instead we disconnect the RDP session so that the application keeps running in the background. When the next user logs in with the same username, he sees the application still processing.
  • It's a stand-alone app and we can't see any associated service running under services.msc.
  • Now, due to the new company policy, the password for one account can't be shared. We also can't use a local account or remove the system from the domain. Is there any way we can use the application in the same way? That is, can we use our individual accounts (10 different domain accounts) but still find the same status of the running application?

Regards, Nilabh Verma



LDAP server signing requirements


Hi,

As I understand it, MS will automatically enable the use of signing for LDAP as of the March patches, correct?

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

We have an environment today with some old Windows 2003 and 2008 servers and Windows 7 clients. Are there any Windows applications that will have issues with this?

I know there could be third-party applications that could have an issue; do you have a link to find out which these applications are? I had a link earlier but cannot find it.

Correct me if I am wrong, but I do not need to have any Certificate Authority configured to enable this signing, right?

And if I now would like to test it, are these the two GPO settings that I need to enable?

Domain controller: LDAP server signing requirements
Network Security: LDAP client signing requirements

Thanks for reply!

/Regards, Andreas
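An added example, not from the original post: before enabling the two policies above, find which clients still bind without signing. Once "16 LDAP Interface Events" diagnostic logging is raised to 2 on a DC, the Directory Service log records one event 2889 per unsigned or clear-text simple bind, with the client IP and account; the export path is a placeholder.

```powershell
# Added example, not from the original post. Run on each DC.

function Enable-LdapInterfaceLogging {
    # Level 2 makes the DC write event 2889 for each unsigned/clear-text bind
    # (the 24-hourly 2887 summary is written regardless). Level 0 turns it off.
    param([int]$Level = 2)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
                     -Name '16 LDAP Interface Events' -Value $Level -Type DWord
}

function Get-UnsignedLdapBinds {
    # One object per 2889 event: time, client IP:port and the identity used.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] }
        $id = if ($_.Message -match 'attempted to authenticate as:\s*([^\r\n]+)') {
                  $Matches[1].Trim()
              }
        [pscustomobject]@{ Time = $_.TimeCreated; ClientIP = $ip; Identity = $id }
    }
}

Enable-LdapInterfaceLogging -Level 2

# After a week of collection, summarise which clients and accounts would
# break under "Require signing", most frequent first.
Get-UnsignedLdapBinds -Days 7 |
    Group-Object ClientIP, Identity |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv "$env:TEMP\unsigned-ldap-binds.csv" -NoTypeInformation   # placeholder path
```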

Active directory


Dear All,

We have 5 Active Directory servers now, 3 at the HQ site and 2 at the DR site. One of the DR site domain servers is holding all FSMO roles.

If I shut down all 3 AD servers which are in the HQ site, and all network connectivity is established from the DR site to the Windows servers/client machines,

1. Shall we face any kind of issue, like a trust relationship error or a "no logon server available" issue?

2. If yes, how do we overcome this situation?

3. If we connect the HQ site after a few days, will it replicate automatically?

Regards,

Group Policy Preferences Regional Settings - Regional format Unknown Locale


Hi all,

We have a problem with GPO regional settings. DC servers are Windows Server 2016 Standard; all workstations are Windows 10 Pro. We need to change the regional format; we make the changes in the GPO and force a policy update, but on the workstation side the regional format is Unknown Locale: Regional format > Current format: Unknown Locale (sr-RS)

We have Dynamics NAV and need this setting. If we change it manually (Regional format > Current format: Serbian (Latin, Serbia)), we don't have a problem.

Maybe the problem is the 'format'; Windows 10 needs this one: sr-latn-RS, not sr-RS. Any ideas how to resolve this?

Thanks

Trust relationship stopped working


Hi,

I have a very strange problem with a forest trust. Some time ago, I created a bidirectional, forest, external trust relationship between two forests, call them Domain1 and Domain2. To do it, I created conditional DNS forwarders in both domains in order to be able to resolve each other's domain names. On a domain controller of domain 1, the bidirectional relationship with the other appeared, and on a domain controller of domain 2, the bidirectional relationship with domain1 appeared. All was correctly validated.

Today, I noticed that I could not add a user from domain 1 to a group in domain 2. I opened the console in domain 1 and in domain 2. In domain 1, I still see the bidirectional relationship, but in domain 2 the list is empty. First surprise. In domain 1, I try to validate the relationship and I get the following message:

Outgoing relationship correctly validated. Error verifying secure channel (SC) in the Active Directory Domain controller DC01.domain2.dom of domain2.dom domain to domain1.dom domain. Specified domain doesn't exist or cannot be contacted.

If I try to re-establish the relationship, I get the same message: Specified domain doesn't exist or cannot be contacted.

If I try to delete the relationship, again I get the same message.

If I try to create the relationship again in domain 2, I get a message telling me the relationship already exists.

So I am totally blocked. There is no firewall or router between the servers (they are connected to the same switch) and local firewalls are disabled. Name resolution works perfectly. I am totally lost.

LDAPS


I have a problem connecting to LDAPS (port 636). I have installed an Enterprise CA, exported the root certificate and distributed it via Group Policy as a recognised root authority certificate. After updating, I can't connect to LDAPS using the ldp tool.

ld = ldap_sslinit("address of dc", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to address of dc.
