
Strange LDAP behavior


Preparing for the LDAP/s transition, I noticed some strange behavior that I can't explain. I used the ldp.exe tool to test these connections. I have successfully configured LDAP/s on port 636 as well as continuing to allow the standard non-SSL connections over 389. Here's the weirdness: one of our domains allows the tree to be browsed without performing a bind after connecting. It only works if the connection is made over 636 (SSL), not if made over 389.

So to sum up, if I connect over 389 without ssl, then attempt to browse the tree, I get the expected:

"Error comment: In order to perform this operation a successful bind must be completed on the connection"

If I connect over 636 with SSL, I am able to add the tree and browse all nodes.

This is only happening in one of our domains, and it doesn't make any sense. There are no anonymous permissions delegated, but I can't see why that would even matter, since it only lets me browse when I'm connected via 636. Keep in mind I am not attempting a bind in either scenario. Thoughts?




SYSVOL / DFS Replication issues


 

Hi,
Just wondering if anyone can point me in the right direction for a problem I have been trying to troubleshoot for a while now.
The SYSVOL replication at the college I work at has stopped replicating between the 3 domain controllers.

It seems to be throwing a DFS database error every hour:

First Error: 1:34:45PM The DFS Replication service successfully recovered from an internal database error on volume C:. Replication has resumed on replicated folders on this volume.

Additional Information: 
Volume: 758BD457-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Database: C:\System Volume Information\DFSR

Second Error: 1:34:45PM The DFS Replication service has detected an unexpected shutdown on volume C:. This can occur if the service terminated abnormally (due to a power loss, for example) or an error occurred on the volume. The service has automatically initiated a recovery process. The service will rebuild the database if it determines it cannot reliably recover. No user action is required.

Additional Information: 
Volume: C: 
GUID: 758BD457-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Third Error: 1:34:45PM The DFS Replication service failed to recover from an internal database error on volume C:. Replication has been stopped for all replicated folders on this volume.

Additional Information: 
Error: 9214 (Internal database error (-1605)) 
Volume: 758BD457-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Database: C:\System Volume Information\DFSR

As you can see, they all occur within a second of each other.

I have found some information on fixing it, but I am not sure what will happen as it is a bit vague. I have a full backup of the SYSVOL/NETLOGON shares so I can replace anything that needs to be replaced; I am just a bit reluctant to cause any more damage as we also had a DNS issue recently. I believe a restore fixed the DNS issue, but in doing the restore I have created this new problem.

Any assistance would be much appreciated, thank you in advance.




Certification authority to secure mail


Hi,

I've installed a local (Windows Server) certification authority (CA) in my Active Directory. I've used the CA to grant a personal certificate to my users to encrypt and sign mail within my organisation. A certificate request is issued by the user and the CA accepts it and delivers a personal certificate to the user. Then the user can configure Outlook to use the certificate.

It usually works, but the problem I've got is that when the PC of the user dies and is replaced, I can't export the already issued certificate to the user. The user is forced to request a new certificate, which works with new emails, but older ones cannot be read, because they are encrypted with the old one.

Is there a way to recover the old certificate from the CA and to reinstall it on the client PC?

Thanks

Luc

DNS _sites shows entries of demoted sites and DCs


Hi all,

I've demoted several 2003 servers during the last few months in our customer's AD, moved subnets and successfully deleted sites under ADSS.

So far, so good, but in DNS I can still see entries under _sites and in the domain's Name Servers properties tab.

As for the Name Servers tab, I think they can be deleted as they are unreachable/unresolvable records. I am still confused by the _sites entries, though, as some of them are not showing up and some others are still there, and they have an entry under _tcp that points at a DC that has never belonged to the sites in question but holds some FSMO roles.

Some interesting points: 

  • repadmin /replsummary doesn't show any old DC entry
  • the old DCs are now member servers

I'm somewhat new to advanced DNS management. How can I safely go further from here?

Thanks


How to restore deleted sites and subnets


Hi All,

I have wrongly deleted a few sites and subnets. I want to restore those sites and subnets. Can I restore them from a system state backup? How can I restore them?

Thanks in advance

3 domain controllers, migrated SYSVOL replication from FRS to DFS but then had to restore the PDC to a backup which was still on FRS... now cannot replicate


Hello all,

I have an issue and I would like some assistance.

I have 3 domain controllers and I successfully migrated the SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication) one week ago.

Then, when I was trying something else, my DHCP broke at the PDC, so I had to restore to a backup, and the latest backup which I had was prior to the migration of SYSVOL. So now I get error messages.

PDC: when I run the command dfsrmig /getmigrationstate, I get that the PDC is in the (eliminating) state.

When I run the same command from the other two domain controllers I get: "Unable to connect to the PDC emulator. Make sure that the PDC is reachable and retry the command later."

Any help would be appreciated.


After updating Exchange 2016 to latest CU 15, having major DNS errors!


Hello All,

I have a network that was upgrading their Exchange to the latest CU 15. During the upgrade the process stopped around 98%. They rebooted the servers (Exchange 2016, PDC running CA and a secondary DC running DNS) and when they came back up there were major issues. The first and foremost is (I think) an RPC error 1722 between the PDC and the secondary DC. I have run all the dcdiag tests along with dtcping and each shows the RPC error 1722. This is where it gets interesting. Most of the tests will come back that they have passed (except for the 1722 error). After digging into the system for the day I found that the security settings for the secondary as well as the primary DNS servers are showing SIDs for about half of their accounts. The on-site Enterprise CA is not working, with "RPC server unavailable" errors. The on-premise Exchange 2016 server will not boot due to this issue either. Under Server Manager, when trying to access the other DC, I receive a "target not accessible" error message. There are DCOM 10028 errors about connecting to the other servers (unable to communicate using any of the configured protocols). It looks like DC1 (which is the PDC-Em) holds the RID/PDC/Infra roles (according to itself) when looked at from the ADU&C snap-in. On DC2 it shows unknown for each.

1: The last Event Viewer entries on DC 1&2 show that Active Directory Web Services is servicing the directory instance as GC, LDAP & SSL.

2: DFSR is showing 1727 on each DC. It reported that the last time it worked was about noon today.

3: Port Query shows port 135 (epmap) listening on both servers. It lists 120+ endpoints for each server.

4: DNS was/is signed. I can remove from DC1 DNS and reapply, but not from DC2 (I tried to remove and transfer the Key Master role to no avail).

5: I have tried to reset the machine and user account passwords.

What am I missing???

 


Devin

How to migrate GPO settings to another forest


Hi,

Can we migrate GPO settings to another forest?


DSRM Password change

Hi,

I have 2 DCs, let's say dc1 and dc2.

I have set different Directory Services Restore Mode passwords for my 2 DCs. For security reasons I don't want to set the same DSRM password for my DCs.

I created 2 domain user accounts named according to the DC name, like dsrmdc1 and dsrmdc2.

Whenever I change the password for the above 2 DSRM domain accounts, I want the same password to be synchronized automatically to the "administrator" account.

I did some research on my query but was not able to achieve the goal.

Lots of articles floating around the internet say to configure a GPO to sync the password from the domain account to the administrator account, which is suitable when we have a single DSRM account scenario.

However, I am using an independent account on each DC.

Let's say the dsrm1 account password should sync with the dc1 administrator account.

Let's say the dsrm2 account password should sync with the dc2 administrator account.

How do I create a scheduled task according to my requirement?

Do I need to create an independent task in Task Scheduler on each DC? Please assist.




Delegation not working (helpdesk users to unlock admin users' accounts, customized without domain admin)


Hi,

We have a requirement where a security group of helpdesk users is required to unlock admin accounts. I understand that if the user is a member of Domain Admins then it is not possible to delegate the permission to reset/unlock his/her account to a helpdesk user.

However, in our case most of the admin users are not members of Domain Admins, and when we delegate the rights to the helpdesk group to be able to "Read LockoutTime" and "Write LockoutTime", helpdesk is able to unlock normal users but not able to unlock admin accounts (customized power users).

Can you please shed some light on how this works and what I am missing here...

Referenced Links...

https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700835(v=technet.10)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)?redirectedfrom=MSDN


Junaid Abrar

Group Policies Best Practices


Can anyone tell me what best practices should be followed while configuring Group Policies in a domain?

I would like to know in particular which User and Computer policies need to be configured following best practices, at which level in the AD the group policies should ideally be configured, etc.

Thanks


Pallab Chakraborty

Cross Forest Trust and User Traffic


Hi,

We are trying to integrate with another AD environment. We need to access data from this new domain.

We are creating a one-way trust. So do we need an RODC set up in the new domain?

As 

  

Why can't a user inside a group change the password on an object even though the group has password reset on that object?


Hello all,

My question says it all, but I will still use an example to explain.

I have a group named 'Group1' which has password reset on a user named "user1". Inside that group there is a user I control named "attacker1". Now when I try to change the password of "user1" it shows access denied. What am I missing here? What should I try?

Thanks and regards

Remove Active Directory server that no longer exists


Hi all,

We need to remove an old domain controller from our environment which no longer exists, i.e. it is just an object shown under the Domain Controllers container and under Default-First-Site-Name as well.

My question is, since this server no longer exists and I need to remove it: under Active Directory Sites and Services we have three sites as below:

Default-First-Site-Name (has the domain controller we need to remove)

Site1 (has three domain controllers)

Site2 (has no domain controller)

Is it safe to delete this object from Active Directory, so that under Default-First-Site-Name no domain controller will be shown?

What is needed to do this removal safely, since it is the only domain controller shown under Default-First-Site-Name?

Thanks

 

Replication issue between the Sites DCs


Hi guys, we have a domain and two sites, one head office and a branch in a different city. Head office has two DCs, DC1 and DC2, on Windows 2008 R2, and there is also a DC3 in the branch on Windows 2008 R2. Now the issue is there is no replication between branch and head office; once I dug into the issue I found KCC events. The scenario is as follows.

VPN link is ok between the sites.

DCs can ping each other with IP and Names.

net view \\DC1 and net view \\DC2 are fine, and vice versa.

But net view \\DC1 or \\DC2 from the branch office DC3 shows errors. It's like I can't access shared folders from the branch office, and also from the head office DCs to the branch.

The attempt to establish a replication link for the following writable directory partition failed. 
 
Directory partition: 
DC=Domain,DC=com 
Source directory service: 
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Headoffice,CN=Sites,CN=Configuration,DC=Domain,DC=com 
Source directory service address: 
k826e336-99a7-4g2d-bdab-113db2a0f5f6._msdcs.domain.com 
Intersite transport (if any): 
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Domain,DC=com
 
This directory service will be unable to replicate with the source directory service until this problem is corrected. 
 
User Action 
Verify if the source directory service is accessible or network connectivity is available. 
 
Additional Data 
Error value: 
1722 The RPC server is unavailable.


Azure AD pass-through authentication

Hi,

I currently use ADFS for SSO authentication.

The screen that appears for external users is a popup window for entering user and password.

When we change to Azure AD pass-through authentication, which screen will be presented to external users?

Internal users will continue to log in via SSO, already logged into the internal network, right? Just include the site in the IE GPO as is done for ADFS.

Can someone show me the screen that appears when the external user connects to the O365 portal using Azure AD pass-through authentication?

Thanks.

Slow value update on AD extensions


Good afternoon, we have a problem that bugs us; it is related to Azure Active Directory (sorry if it is the wrong section, but I did not find a forum for Azure Active Directory). Users are created in Active Directory:

( login microsoft online)



Data of users is accessed through 

( graph windows net)

We use an extension to store some extra bits of information that don't fit into the profile.

The problem is that even though we use the correct methods to update the user information, sometimes (not always) that update is very slow (to propagate?). Hence, when a user pays a registration fee, an extension boolean field "payComplete" is set to true, but when the user reads back his information that flag is still false; sometimes this goes on for up to 1 minute.

This is not always reproducible. Update and read are done from the same datacenter (same webapp instance slot).

(sorry for links with "DOT" but I'm not allowed to post links yet.. those are just contextual links to make clear which APIs we are using.)


Sign in names not accessible from Microsoft Graph, if users are created in AAD Graph API


We have users on

( graph windows net)

they log in with

( login microsoft online)

We tried to read/update data of users from

(graph.microsoft.com)

but sign-in names are not available, and hence we cannot move to that API until we are able to do the most basic things

( see original email about signIn names in example).

There are also problems with extensions: we can update extension values on the Microsoft Graph API (so if I know that a user has an extension "extensions_blabalbalblab_value", I can update and query its value).

However, the API for listing all extensions (Microsoft Graph API) does not display "extensions_blabalbalblab_value", which is an extension created through the AAD Graph API.


LdapEnforceChannelBinding logging


Hi All,

With March 2020 quickly approaching, we want to set LdapEnforceChannelBinding to 1 on our domain controllers, so that we can hopefully log when clients that don't support channel binding connect to our domain controllers.

Do the domain controllers log when clients that don't support channel binding try to connect? We want to be able to report back to service owners if their software won't work when we set LdapEnforceChannelBinding to 2.

Are there logs? Do I have to enable them? Where do I look to find these logs?

Hopefully my question makes sense. Thanks very much!


UPN change impact


Hello Expert,

I am performing an Office 365 migration from Exchange Server 2010.

My issue: the AD users present have userPrincipalName set to abc@test.local, and my primary SMTP domain is test.com.

If I change the UPN for my AD users to abc@test.com, will it impact their current Windows profiles?

Do they need to reconfigure their Windows profile after changing the UPN?
