Channel: Directory Services forum

Strange "reset password" behavior


Hi there,

We have a root domain (e.g. company.de) with some subdomains (e.g. lab.company.de & prod.company.de). Our admins (they are all created in prod.company.de) have the right to reset passwords in the subdomain (lab.company.de).

When the admins use the dsa.msc console search feature and select "Find [Users, Contacts, and Groups] in [Entire Directory]", they are not allowed to reset the password of users in the lab.company.de domain.

Error message: access denied

When the same admin uses "Find [Users, Contacts, and Groups] in [lab.company.de]", he is allowed to reset the password without any error message.

Works as designed, or a bug? I couldn't find further information about this strange behavior.


What is the best practice to provide security policies to a junior system admin so that he/she can have access on Domain PCs.

Dears, what is the best practice for providing security policies to a junior system admin so that he/she can have access on a PC to add it to the domain, install printers, and do other related help desk jobs?

Event ID 2088 Active Directory error on my Domain Controller

Hi everyone, hope you can help... I got some errors on one of the DCs in Active Directory.

####################
# Background
####################

In the site, I have two DCs: DC02 and DC03.

DC02 is running 2008 R2, bridgehead, DNS, and global catalog. This is a VM.
DC03 is running 2012, DNS and global catalog. This one was just set up a few months ago.

I am planning to demote DC02.



############################
# VM host crash
############################

Last week, the VM host which hosts DC02 crashed because of a power outage. But fortunately I could recover the host. And all the VM servers seem to be fine... but...



########################
# Errors
########################

But not on DC02.

The crash was on DC02. It seems to be fine. But I got errors on DC03... which did not crash. I got error 1311 saying "The Knowledge Consistency Checker (KCC) detected problems with the following directory partition...". So I ran dcdiag /test:connectivity /dc02... failed. Then I changed the bridgehead server from 02 to 03. But it still failed dcdiag /test:connectivity dc02... but the others are fine.


Now the new error is 2088, DS_RPC_Client, saying Active Directory Services could not use DNS to resolve the IP of the source domain controller listed below (which is "DC02"). So I checked the DNS records... they are there... including the _msdcs.... When I right-clicked on the "zone" and went to the "name servers" tab, I found something! The IP column of DC02 is shown as "unknown"... but the other DCs are shown with an IP. So I removed DC02 and then added it again with the full domain name; it says it cannot find it.

So I did dcdiag /test:DNS on DC03... it says "error: DNS server DC02.x.com IP unavailable, [missing glue A record]".

Besides, it also failed the "Del" and "RReg" tests, but the rest passed. (I will try to do a screenshot of this.)


Again... I checked the zone info and all records for dc02 are still there.

True... I cannot ping dc02.x.com, while I can ping the other domain controllers without any problem.


################################
# Questions
################################

1.) So how do I fix it?
2.) As mentioned, I will try to decommission DC02 by demoting it first.... so do you think I can demote it even with the error around? I wonder if the demotion process will fail though...
3.) Or should I do the NTDS metabase cleanup? Any risk of messing up the whole AD at this point?

manage security group


Hi all

I have a requirement to create a security group and allow 3 users to manage this security group, i.e. these 3 users can add or remove users from this security group. In the Managed By tab of the security group I can only add one user; how do I allow 3 users to manage this security group? Do I also need to check the option "Manager can update membership list"?

2. These are normal users who have access to one of my Windows 2012 R2 servers; what tool do I need to install so that these users can manage this security group?

My file server not accessible


My file server + domain controller is not accessible on the network. It is authenticating users, but when I type \\server IP address on any client computer, it is not responding. Even if I type \\server IP on the server itself, it is not responding. I am running Server 2008.

I tried disabling the firewall also. Any solution please?

Need help with ADV190023 update

Blocking internet access in active directory servers


Hello Everyone

We have an Active Directory environment with internal DNS set up in our environment.

As per security recommendation, we need to block internet access in our active directory servers.

Requesting your kind inputs on what prerequisites/settings I need to validate before blocking internet access, to ensure none of the related services get impacted.

Thank You

DFSR not working Event_ID 6104


So I'm setting up a new AD server to replace an existing one, but having problems getting it to sync so I can turn the old server off.

Event viewer has:

The DFS Replication service failed to register the WMI providers. Replication is disabled until the problem is resolved. 
 
Additional Information: 
Error: 2147749889 (1001)

Please note I have already tried to mofcomp and regsvr32 the things in system32\wbem and this has not helped in any way; same exact error in event viewer.

How to delete a folder on one of the servers included in DFSR group?


Hi all,

let me explain our set up: 

- Replication group 'RG1'

- 3 members (=servers) included in RG1: Server1, Server2, Server3

- Folders Folder1, Folder2, Folder3 are replicating between Server1 and Server2. Because the disk on Server2 started running out of space, I've added Server3 to the replication group RG1 and started replicating Folder 3 between Server1, Server2 and Server3. The other folders are replicating only between Server1 and Server2.

What am I trying to achieve? I want to physically delete Folder3 from Server2 to free up disk space on Server2. So Folder3 will be replicating between Server1 and Server2, and the other folders will keep replicating between Server1 and Server2.

---

How to do this? Can I just disable the Server2 target on Folder3 and then remove the data from Server2? I doubt I'll be allowed by the system to do that.

I don't want to break replication for the other folders included in RG1. I'd really appreciate your advice.

A diagram can be helpful:

Current state RG1:

Server1                    Server2                    Server3

Folder1<------------>Folder1           

Folder1<------------>Folder1 

Folder1<------------>Folder1<------------>Folder1    

Desired State RG1:

Server1                    Server2                    Server3

Folder1<------------>Folder1           

Folder1<------------>Folder1 

Folder1<------------------------------------->Folder1    

Best Regards, J

Directory Service Impact if we install Trusted Authority Certificate from Internal CA server into Domain Controller as per VA assessment remediation steps


During the assessment it was found that
1. Certificate chain sent by the remote host is signed by an unknown certificate authority.
2. Self Signed Certificate Used

Remediation Step: 

Purchase/Generate certificate under Trusted authority


LDAPS with .local domain and 3rd party cert (dns, trusts, crossref, etc)


I've spent countless hours researching, reading, and testing how to make LDAPS work with a .local internal domain and a 3rd party cert. Right now, it does and doesn't work. Let me start with my starting setup.

Windows AD Domain

  • Forest Level: Server 2003
  • Function Level: Server 2012
  • Domain: domain.local
  • Multiple .com domains and UPNs
  • User UPN is user@example.com

I was able to make everything work with a self-signed certificate, but the external resource required a trusted 3rd party. LDAPS requires the true FQDN in the CN or SAN of a certificate and will not accept a .local in the certificate. No amount of DNS manipulation would allow me to get by this. I tried using a cert for dc1.example.com for dc1.domain.local and that would not work. I've tried auth.example.com forwarded to dc1.domain.local and that did not work.

After trying everything I could short of renaming the active directory, I decided to test a new domain in a trust forest. So I did the following:

  • Created a new domain in a new forest for example2.com
  • Created a stubzone in DNS for domain.local
  • Removed the UPN for example2.com from domain.local
  • Deleted the forward lookup zone for example2.com and recreated the zone as a stubzone pointing to dc1.example2.com
  • Established a two-way trust between Forest1 (domain.local) and Forest2 (example2.com)
  • Created external DNS record for dc1.example2.com and forwarded 636 to that internal IP address
  • Requested and installed 3rd party cert for Forest2 dc
  • Tested LDAPS from external host via ldp.exe to dc1.example2.com and was able to connect
  • Tested binding user@domain.local and was authenticated to DOMAIN\user
  • Tested binding user@example.com and was authenticated as DOMAIN\user
  • Was able to view DC=example2,DC=com in the tree
  • Was not able to view DC=domain,DC=local
  • Created crossref in CN=Partitions on dc1.example2.com for domain.local
  • Tested again and was not able to return results from the referral

Now if I was connected to the internal network it would all work, but not from an external one. What I am trying to do is configure an LDAPS connection for [external app]->[example2.com]->[domain.local] and retrieve group and user attributes for an authenticated user on domain.local.

I read in another post that all queries need to be executed on the authenticating DC. So that would mean that dc1.domain.local would be the server to actually populate any query and not dc1.example2.com. So when LDAP tries to chase the referral, it hits domain.local and gets lost I think.

The external app wants to query users tied to a group on domain.local and pull attributes like cn, email, upn, etc. So it needs to search Base DN of DC=domain,DC=local and a group prefix of CN=group,OU=Users,DC=domain,DC=local. The external app cannot do this currently.

I'm currently stuck on what to try next. About the only options I can see are to migrate to a new domain that I own with a .com address, or try to rename Active Directory. Does anyone have any other ideas?

Domain Admin Account Lockouts


I have done my best to find out where the lockouts are coming from. But, I am not successful. I turned on Netlogon and see that it is happening on a file server as shown below. Earlier it showed on a Citrix server. I logged in and logged off. But, most of it is now currently showing to File server. When I go and check the event log 4625 or 4740 I do not see anything in the Security logs. 

SamLogon: Transitive Network logon of  from  (via Fileservername) Returns 0xC000006A

How can I address this issue? I am not sure whether my admin account has been compromised, but I want to address this and take care of it. I know you could use Netwrix, AD Audit Plus and many other tools to find the lockouts, but unfortunately my manager is not willing to spend the money to buy them.

The Account Lockout tool only shows where the account got locked out, but it does not give more details than that. I used EventCombMT tool also and still the same. This is the log from the EventCombMT tool.

I have had this problem going on for almost 6 months, and I do not want to be the one whose account has been compromised. I REALLY need to get to it. My boss won't spend money on a call with Microsoft either.

Finding all events reguardless of date or time.
Searching Security Logs
Event IDs:   529 644 675 676 681 4740 4625
No Event Text specified.
No Event Source specified.
No Between Event IDs specified.
Will Search the following servers:
DMC01
DC01
DC02
HDMC01
HDMC02
DCVM
To find these events we'll need a search running. It has already begun....
 
Spawning Thread for: DMC01
Thread Running for: DMC01
Spawning Thread for: DC01
Spawning Thread for: DC02
Thread Running for: DC01
Thread Running for: DC02
Spawning Thread for: HDMC01
Spawning Thread for: HDMC02
Thread Running for: HDMC01
Thread Running for: HDMC02
Spawning Thread for: DCVM
All threads Scheduled to run are running.
Thread Running for: DCVM
Security Log on DC01 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on DC01 not available. GetLastError was 131. Error text was: The stub received bad data.  
Security Log on DC02 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on HDMC02 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on DC02 not available. GetLastError was 131. Error text was: The stub received bad data.  
Security Log on HDMC02 not available. GetLastError was 131. Error text was: The stub received bad data.  
Security Log on HDMC01 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on HDMC01 not available. GetLastError was 131. Error text was: The stub received bad data.  
Exiting thread for: DC01
Exiting thread for: DC02
Exiting thread for: HDMC02
Exiting thread for: HDMC01
Security Log on DMC01 was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on DMC01 not available. GetLastError was 131. Error text was: The stub received bad data.  
Exiting thread for: DMC01
Security Log on DCVM was not available. GetLastError was 1783. Error text was: The stub received bad data.  
Security Log on DCVM not available. GetLastError was 131. Error text was: The stub received bad data.  
Exiting thread for: DCVM
Total events searched: 0
Total matches found: 0
Servers/Logs Searched: 6
DLL Cache Contained: 0
SID Cache Contained: 0
Start time: Tue Jan 14 16:02:54 2020 
Finish time: Tue Jan 14 16:02:55 2020 
True records per second: 0.00



AA2913
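As an added example, not part of the original post: once Netlogon logging is on, the "SamLogon ... Returns 0xC000006A" lines can be grouped by account, source workstation and the "(via ...)" server, which is usually enough to find the machine that keeps presenting a stale password. The log lines below are constructed samples.

```powershell
# Added example, not from the original post: summarise bad-password events
# (status 0xC000006A) in a Netlogon debug log by account, originating
# workstation and the "(via ...)" server, so the machine still presenting
# a stale credential stands out. The lines below are constructed samples;
# the real file is %windir%\debug\netlogon.log once Netlogon logging is on.
$sample = @'
01/14 16:01:10 [LOGON] [2184] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\adminuser from WKS-OLD01 (via FILESRV01) Returns 0xC000006A
01/14 16:01:12 [LOGON] [2184] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\adminuser from WKS-OLD01 (via FILESRV01) Returns 0xC000006A
01/14 16:01:15 [LOGON] [2184] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WKS-22 Returns 0x0
01/14 16:01:20 [LOGON] [2184] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\adminuser from CITRIX01 (via FILESRV01) Returns 0xC000006A
01/14 16:01:25 [LOGON] [2184] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\adminuser from  (via FILESRV01) Returns 0xC000006A
'@

function Get-BadPasswordSources {
    param([string[]]$Lines)
    # user and source may be blank (as in the post); "(via ...)" is optional
    $rx = 'logon of (?<user>\S*) from (?<src>\S*)\s*(?:\(via (?<via>[^)]+)\))?.*Returns (?<status>0x[0-9A-Fa-f]+)'
    $Lines |
        ForEach-Object {
            if ($_ -match $rx) {
                [pscustomobject]@{
                    user   = $Matches['user']
                    src    = $(if ($Matches['src']) { $Matches['src'] } else { '<blank>' })
                    via    = $Matches['via']
                    status = $Matches['status']
                }
            }
        } |
        Where-Object { $_.status -ieq '0xC000006A' } |
        Group-Object user, src, via |
        ForEach-Object {
            [pscustomobject]@{
                User   = $_.Group[0].user
                Source = $_.Group[0].src
                Via    = $_.Group[0].via
                Count  = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Replace $sample with Get-Content "$env:windir\debug\netlogon.log" for a real log.
Get-BadPasswordSources -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

A blank source with a "(via ...)" hop, as in the post's line, means the file server relayed a logon whose client name it did not pass on; the count per "Via" server still tells you where to look next (SMB sessions, scheduled tasks or mapped drives on that server using the old password).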

UserCertificate and Certificates attribute.


About the userCertificate and Certificates attributes.
Inside my AD, I have a user who did not get these attributes generated when logging in to workstations, so they do not have personal certificates in Windows.
Can I force the creation of these attributes via PowerShell?



Migrate FRS to DFSR SYSVOL


Hi,

What are the prerequisites to migrate from FRS to DFSR for SYSVOL replication?

syntax error


Hi all, I am executing the below script in PowerShell ISE and I am getting the error below. Experts, please guide me on this.

$Input = "((Office -like '*Singapore*') and ((departmentNumber -eq 1234) or (departmentNumber -eq 1235) or  (departmentNumber -eq 1236)))"
Get-ADUser -Filter $Input -properties DisplayName,Userprincipalname,title,departmentNumber| Select DisplayName,Userprincipalname,title,departmentNumber |export-csv C:\output.csv -Notypeinformation

Get-ADUser : Error parsing query: '((Office -like '*Singapore*') and ((departmentNumber -eq 1234) or (departmentNumber -eq 1235) or (departmentNumber -eq 1236)))' Error Message: 'syntax error' at position: '32'.
At line:2 char:1
+ Get-ADUser -Filter $Input -properties DisplayName,Userprincipalname,title ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser


How to set the "Manager can update membership list" on an Active Directory Group from Python?


In Active Directory, you can set a managed by group or user for a group and there is a checkbox in the UI for "Manager can update membership list". I have been able to set a group or user via a Python LDAP library. However, I have not found a way to check that box. Is there a way to do that via LDAP?

Using the ADSI Edit tool, it seems that this is actually a Security Permission and not an Attribute on the Group, so I'm not sure if it's possible. Does anyone know of a way to modify Security Permissions from Python? I've only found references online to do it from Powershell.
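The observation above is right: the checkbox is not an attribute but an ACE on the group that grants the manager WriteProperty on the "member" attribute. The added example below (not from either post) does the same thing from PowerShell over the AD: drive, and because it is an ACE rather than the single-valued managedBy attribute, it also answers the earlier "manage security group" post: grant the ACE to each of the three users. PowerShell is used here in place of Python since the permission lives in nTSecurityDescriptor; the group and user names are placeholders.

```powershell
# Added example (not from the original posts): reproduce the
# "Manager can update membership list" checkbox, which is an ACE granting
# WriteProperty on the "member" attribute, for several managers at once.
# Group and user names are placeholders.
Import-Module ActiveDirectory

$group    = Get-ADGroup -Identity 'CN=App-Operators,OU=Groups,DC=example,DC=com'
$managers = 'alice', 'bob', 'carol' | ForEach-Object { Get-ADUser -Identity $_ }

# schemaIDGUID of the "member" attribute; read it from the schema rather
# than hard-coding it, so the ACE is scoped to exactly that attribute.
$memberAttr = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = [guid]::new([byte[]]$memberAttr.schemaIDGUID)

# managedBy is single-valued; it is informational, the ACE is what grants rights.
Set-ADGroup -Identity $group -ManagedBy $managers[0]

$path = "AD:\$($group.DistinguishedName)"
$acl  = Get-Acl -Path $path
foreach ($m in $managers) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $m.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid)   # object type limits the write right to "member" only
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Verify: who can now write "member" on this group (what the checkbox shows).
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $memberGuid -and
                   $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, AccessControlType
```

Granting the ACE to a small "group managers" group instead of three user accounts keeps the ACL reviewable later; the three users then only need RSAT (Active Directory Users and Computers) on their 2012 R2 server to edit membership.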

Export list of all users with their management hierarchy from AD


Hi,

I need to export a list of all users from an OU with not only their manager but also their manager's manager's manager. I can easily export the manager, as this is an attribute on the user's profile, but obviously there is no attribute for the higher-level managers. Does anyone know any PowerShell commands or even existing scripts that could achieve this?
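An added example, not from the post: the chain has to be walked one hop at a time through the manager attribute. The script below resolves each user's chain to a fixed number of levels, caches every object it reads so each manager is queried once, and stops on a loop (A manages B, B manages A) so a bad manager value cannot recurse forever. The OU, output path and depth are placeholders.

```powershell
# Added example (not from the post): export users in an OU with
# Manager1..ManagerN columns by following "manager" upward.
# $ouDn, $maxDepth and the CSV path are placeholders.
Import-Module ActiveDirectory

$ouDn     = 'OU=Users,DC=example,DC=com'
$maxDepth = 3      # manager, manager's manager, manager's manager's manager
$cache    = @{}    # DN -> @{ Name = ...; ManagerDn = ... }

function Get-ObjectInfo {
    param([string]$Dn)
    if (-not $cache.ContainsKey($Dn)) {
        # Get-ADObject rather than Get-ADUser: a manager may be a contact
        try   { $o = Get-ADObject -Identity $Dn -Properties manager }
        catch { $o = $null }   # dangling manager DN: stop the chain here
        $cache[$Dn] = @{
            Name      = $(if ($o) { $o.Name } else { $Dn })
            ManagerDn = $(if ($o) { $o.manager } else { $null })
        }
    }
    $cache[$Dn]
}

function Get-ManagerChain {
    param([string]$Dn)
    $chain   = @()
    $visited = @{ $Dn = $true }
    $current = (Get-ObjectInfo $Dn).ManagerDn
    # loop guard: a DN already seen on this chain ends the walk
    while ($current -and $chain.Count -lt $maxDepth -and -not $visited[$current]) {
        $visited[$current] = $true
        $chain  += (Get-ObjectInfo $current).Name
        $current = (Get-ObjectInfo $current).ManagerDn
    }
    ,$chain
}

Get-ADUser -SearchBase $ouDn -Filter * -Properties manager | ForEach-Object {
    $row   = [ordered]@{ User = $_.Name; SamAccountName = $_.SamAccountName }
    $chain = Get-ManagerChain $_.DistinguishedName
    for ($i = 0; $i -lt $maxDepth; $i++) {
        # fixed column set so every row has the same CSV header
        $row["Manager$($i + 1)"] = $(if ($i -lt $chain.Count) { $chain[$i] } else { '' })
    }
    [pscustomobject]$row
} | Export-Csv -Path 'C:\temp\manager-chain.csv' -NoTypeInformation
```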

Display should be First name + Last name


Hi Guys,

I have changed my last names to capitals and it's not affecting the display name.

I ran the below script and it made the changes to the AD last names:

$targetUsers = Get-ADUser -SearchBase "OU=india,DC=study,DC=com" -Filter {Surname -like "*"} | Select-Object DistinguishedName, Surname
$targetUsers | ForEach-Object {
    # pass the DN explicitly: Set-ADUser takes an identity, not the Select-Object output
    Set-ADUser -Identity $_.DistinguishedName -Surname $_.Surname.ToUpper()
}

Now I want to change the display name to first + last name.

So my display name should be like: kiran MANNE



Ram

SPN HOST/IP overrides


Hi guys,

I'm trying to configure additional SPNs leading to the IP address of the server for TERMSRV and HOST. The server is the domain controller.

setspn -S TERMSRV/172.29.2.19 Sec-Lab-Win19
setspn -S HOST/172.29.2.19 Sec-Lab-Win19

A short time after the configuration, HOST/172.29.2.19 disappears from the list of SPNs, while TERMSRV/172.29.2.19 remains there. How can I prevent HOST/172.29.2.19 from being deleted / overridden? Is there a way to find out what overrides the HOST/ SPN record?

Thank you

Regards,

Max

Upgrade the functional level from Windows 2003 to Windows 2008 R2


Hi,

What are the prerequisites to upgrade the functional level from Windows 2003 to Windows 2008 R2?
