Channel: Directory Services forum

create computer account before join to domain


I need to create some computer accounts in specific Organizational Units before joining the computers to the domain.

So I created these computer accounts in the OU, then I tried to join a computer, but I got this message: "another computer in the domain is already using the specified new computer name". How can I solve this, please?


Audit failure 4776, blank workstation

I have a user who gets locked out occasionally (been a few weeks since the last time).  The bad password attempts show as a time where he was successfully logged into his computer and working.  I looked in the event logs on the DC and see some 4776 Audit failures for this user, with the error code 0xc000006a, which I believe means bad password.  However, the "Source Workstation" field is blank.  How can I track down where these bad attempts are coming from?

Accessing Active Directory using PrincipalContext (C# .Net)

LDAP channel binding and LDAP signing - LDAPS? LDAPS Certificate?


Hi All,

Hello,

Sure everyone's familiar with...

2020 LDAP channel binding and LDAP signing requirement for Windows
https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

From what I can tell, LDAP connections will be made secure by either:

  • LDAP signing
    or
  • LDAPS 

Current Windows computers are capable of LDAP signing.  But non-Windows computers may not be; instead, they should use STARTTLS to switch to LDAPS.

The domain controllers I am looking at are already listening on TCP/636;

Get-ADDomainController -filter * | select name,ldapport,sslport

name          ldapport sslport
----          -------- -------
[redacted]         389     636
[redacted]         389     636
[redacted]         389     636
[redacted]         389     636
[redacted]         389     636

If a computer isn't capable of LDAP signing [typically, non-Windows], then it should use STARTTLS to use LDAP channel binding.

That's where the fun begins!

LDAPS is LDAP over TLS.

TLS requires a certificate.

Where should this certificate come from?

Should it be from an internal certification authority, which won't be trusted by [non-Windows domain member] LDAP clients by default? But internal hosts can check the certification authority's CRLs.

Or, should it be from a public certification authority (https://letsencrypt.org/ might do!)?

BUT if I use a public certification authority, then do my LDAP clients now need to be able to examine the public certification authority's certificate revocation list or OCSP?  That may not always be possible.

How to enable LDAP over SSL with a third-party certification authority
https://support.microsoft.com/en-gb/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority

Kind regards,

Anwar
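One way to answer the trust and revocation questions above from the client's side is to pull the certificate a DC presents on TCP/636 and evaluate it the way an LDAP client would. This is an added example, not code from the original post; the server name is an assumed value.

```powershell
# Added example (not from the original post): fetch the certificate a DC presents on
# TCP/636 and validate it the way an LDAP client would: name match, trusted chain and,
# optionally, revocation (CRL/OCSP reachable). The server name is an assumed value.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DomainController,  # e.g. dc01.mydomain.dom (assumed)
        [int]$Port = 636,
        [switch]$CheckRevocation
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    # Accept whatever the server sends during the handshake; the chain is evaluated
    # explicitly below so that an untrusted issuer produces a report, not an exception.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chainOk = $chain.Build($cert)

    # Subject Alternative Name (OID 2.5.29.17) must list the DC FQDN the client connects to
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Server         = $DomainController
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        SanMatchesHost = [bool]($san -match [regex]::Escape($DomainController))
        ChainTrusted   = $chainOk
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        Thumbprint     = $cert.Thumbprint
    }
}

# Usage (assumed host): Test-LdapsCertificate -DomainController dc01.mydomain.dom -CheckRevocation
```

Run it from a machine that is not a domain member to see what a non-Windows LDAP client sees: ChainTrusted stays false until the internal root is installed there, and -CheckRevocation reports a revocation status error when the CRL or OCSP URL is unreachable from that network.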



RODC Setup with two domains


Hi All,

We have two domains and are trying to set up the trust and allow users to log in to the ABC RODC in the DMZ.

So the clients are xyz domain joined but log in to the abc domain. Do I have to set only the RODC IP in the client DNS?

Will this setup work, or is there any better solution? I have around 1000+ users/computers in xyz.

 

As

EventID: 0x0000000B (11) - The KDC encountered duplicate names while processing a Kerberos authentication request.


Hi,

I keep getting this error in the event viewer:

Source:       Microsoft-Windows-Kerberos-Key-Distribution-Center
Category:  None
Type:         Error
Event ID:  11
Description: The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is 7979EA7936BE9B11F22E2C417EA06B26BBC68B71E51D237EBB584F8AA0F35EBB (of type KEY ID). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for 7979EA7936BE9B11F22E2C417EA06B26BBC68B71E51D237EBB584F8AA0F35EBB in Active Directory.

Can anyone help on how to find the target object?

Thank you in advance,

Nuno

Missing Sysvol folder: for Azure-created server

I have an Azure resource group with one DC. I'm creating Group Policies and am trying to copy policy definitions to the policy store... However, I do not have a SYSVOL folder. Since I have only one server, the DC, what would be the possible cause for the missing folder (Sysvol > Policies), and how can I recover it? Or are there other options?

LastLogonTimeStamp and PingFederate SSO


There is so much information on Lastlogontimestamp but I still cannot find a definitive answer to this.

We have PingFederate SSO running to authenticate users.  Ping is configured to authenticate with AD for SSO.

When a user authenticates with Ping (or any other LDAP or SSO application), does this update the lastLogonTimestamp?

I know there is an algorithm for this attribute, but my real point is: when a user DOES NOT do an interactive login and is authenticated via an LDAP-enabled application like Ping SSO, would that trigger an update to lastLogon or lastLogonTimestamp?

Thanks

C


-C-


Issue adding relying party - An error occurred during an attempt to read the federation metadata


Hi,

I followed this guide to set up an ADFS 2.0 lab environment. The only difference is that I did not set up the ADFS server and the WIF application on the same box, but rather on two different ones.

My server configuration is as follows:

  • Server 1 - win 2008 R2 - Domain Controller, DNS
  • Server 2 - win 2008 R2 - CA, ADFS
  • PC 3 - win 7 - Development environment

I successfully created my ADFS configuration STS and could add that as an STS reference in the .NET application in Visual Studio 2008 on my dev environment. I then needed to configure the WIF application to be a valid Trusted Relying Party and followed these steps:

  1. Created an SSL certificate request
  2. Submitted an SSL request and issued it via the CA
  3. Installed it on the Development environment
  4. Ran the ADFS 2.0 'Add Relying Party Trust Wizard'
  5. Got stuck with trying to find the Federation metadata address of the dev environment

No matter what URL I put in https://win7dev.mydomain.com/ClaimsAwareWebAppWithManagedSTS (is what it is on my dev environment IIS), I just cannot seem to get this going.

 

I can run my app now from the ADFS box by connecting to https://win7dev.mydomain.com/ClaimsAwareWebAppWithManagedSTS, but that URL just would not work when adding it as a trusted relying party :(

 

Could a certificate mismatch error be the problem?

Thanks

Mike

 

"Enable computer and user accounts to be trusted for delegation" right is disabled for the Administrator account despite the delegation option in the "AD Computer Properties" being "Trust this computer for delegation to any service (Kerberos only)"


Hi all,

The "Enable computer and user accounts to be trusted for delegation" right is disabled for the Administrator account, as shown below,


despite the delegation option being "Trust this computer for delegation to any service (Kerberos only)", as shown below.


I am doing this to change the name of the domain controller, which requires the above-mentioned right, or else I get an "access denied" error.

Please tell me how to enable the above-mentioned right for the current user, who is Administrator.

Thanks in advance

Joe




How do DCs create the UTDV, since a DC directly communicates with partner DCs only?


Hi Team,

Please help me to understand how DCs create UTDV tables, as a DC won't have a direct connection to every DC in the entire forest.

Active directory FRS problems


Hey there,

I'm sort of stuck in limbo with a domain where I'm getting these messages, thus I'm unable to sync SYSVOL from this server. I know I didn't change the root path of the directory service, but I keep getting these messages in the FRS log. Any ideas how to proceed?

The File Replication Service has detected that the replica root path has changed from "c:\windows\sysvol\domain" to "c:\windows\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path. 
This was detected for the following replica set: 
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" 
 
Changing the replica root path is a two step process which is triggered by the creation of the NTFRS_CMD_FILE_MOVE_ROOT file. 
 
 [1] At the first poll which will occur in 60 minutes this computer will be deleted from the replica set. 
 [2] At the poll following the deletion this computer will be re-added to the replica set with the new root path. This re-addition will trigger a full tree sync for the replica set. At the end of the sync all the files will be at the new location. The files may or may not be deleted from the old location depending on whether they are needed or not.

PKI - LDAPS / KDC Certificate with Certreq private key not exportable


I am trying to automate cert requests for the LDAPS certificate. When I request my cert template through the MMC, the certificate's private key is exportable. But never when I try with certreq.

This is my INF:

[Version]
Signature="$Windows NT$"

[NewRequest]
; At least one value must be set in this section
Subject="CN=dc01"
KeySpec=1            ; AT_KEYEXCHANGE
KeyLength=4096
Exportable=TRUE      ; ask the CSP to mark the private key exportable
ProviderType=12      ; PROV_RSA_SCHANNEL (legacy CSP)
RequestType=PKCS10
KeyUsage=0xa0        ; digitalSignature (0x80) + keyEncipherment (0x20)

[RequestAttributes]
CertificateTemplate="KDC_TEMPLATE"

[Extensions]
; 2.5.29.17 = Subject Alternative Name; the _continue_ lines each append one dNSName
2.5.29.17 = "{text}"
_continue_ = "dns=dc01&"
_continue_ = "dns=dc01.mydomain.dom&"
_continue_ = "dns=mydomain.dom&"
_continue_ = "dns=MYDOMAIN&"
_continue_ = "dns=ldap.mydomain.dom&"

Then I try:
certreq -new c:\_scripts\request2.inf c:\_scripts\result.txt
certreq -config pki.mydomain.dom\myCERT-CA -submit c:\_scripts\result.txt c:\_scripts\certificate.cer 
certreq -accept c:\_scripts\certificate.cer 

I have a PowerShell script to put the cert into the NTDS store.

But the private key is never exportable when I script this, only when I use the MMC and request manually.

Does anyone have an idea what I am doing wrong?
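To compare the scripted enrollment with the MMC one, it helps to look at the key itself after certreq -accept: which provider holds it and whether that provider marked it exportable. This is an added example, not code from the original post; the store path is an assumption.

```powershell
# Added example (not from the original post): after certreq -accept, report which provider
# holds the private key behind the CN=dc01 certificate and whether that key is exportable,
# so a scripted request can be compared with an MMC-enrolled one. The store path is assumed.
function Get-PrivateKeyExportability {
    param(
        [string]$Subject = 'CN=dc01',                    # matches the INF above
        [string]$StorePath = 'Cert:\LocalMachine\My'     # assumed: machine personal store
    )
    Get-ChildItem $StorePath |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $provider = $null; $exportable = $null
            if ($cert.PrivateKey) {
                # Legacy CSP key (ProviderType=12 in the INF asks for the RSA SChannel CSP)
                $info = $cert.PrivateKey.CspKeyContainerInfo
                $provider = $info.ProviderName
                $exportable = $info.Exportable
            } else {
                # CNG (KSP) key: .PrivateKey is null; exportability lives in the key's ExportPolicy
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider = $rsa.Key.Provider.Provider
                    $exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
                }
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                Exportable = $exportable
            }
        }
}

Get-PrivateKeyExportability
```

Running this once for the certreq-issued certificate and once for the MMC-issued one shows whether the two ended up in different providers, which is the first thing to rule out before looking at the template.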

Delegate 'info' attribute for security groups


Hi,

I need to delegate 'info' attribute for security groups in our Active Directory environment. Since this attribute is not available in delegate wizard, I checked dssec.dat file but it's not even there. Any ideas how modification of this attribute can be delegated to a user or a security group?

Thanks in advance!

AD-Time sync issues


Hi All,

We have a domain ABC; it has 10 domain controllers. We are in the phase of demoting old domain controllers (2008 servers).

We found most of our domain controllers depend on DC04 for time sync. I tried a few of the domain controller servers to see if they can resync (w32tm /resync) with any other DC, but I observed they are still pointing to DC04 only.

Some time ago a few of the other DCs were manually pointed to DC04 as the time source (maybe as a workaround to fix an issue). When I ran w32tm /resync /rediscover /nowait to get the time source automatically, no luck; it is not getting it.

I would like to fix this issue so that all the domain controllers get their time source as per the domain hierarchy, automatically.

Could you please help here and let us know the solution to fix the issue, or any commands to get the time source by re-syncing it.

Doubt: If we changed any DC or member server time source manually, is there any way to get the time source automatically, or any other permanent solution?

Regards

CHANDU

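The situation described above (DCs left on a manual peer after a one-off workaround) can be surveyed and corrected with the w32tm switches the post already uses. This is an added example, not code from the original post; the DC names are assumptions, and it needs the ActiveDirectory module plus admin rights on the DCs.

```powershell
# Added example (not from the original post): list each DC's W32Time type and current
# source, and with -Fix put DCs that were pinned to a manual peer (Type=NTP) back on the
# domain hierarchy (Type=NT5DS). The PDC emulator is left alone because it is the top of
# that hierarchy and should keep its own external source. DC names are assumptions.
function Repair-DcTimeHierarchy {
    param(
        [string[]]$DomainController = @('DC01', 'DC02', 'DC04'),  # assumed names
        [switch]$Fix
    )
    $pdc = ((Get-ADDomain).PDCEmulator -split '\.')[0]
    foreach ($dc in $DomainController) {
        $short = ($dc -split '\.')[0]
        # NT5DS = follow the domain hierarchy; NTP = manual peer list (what was set on the other DCs)
        $type = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
        }
        $source = (w32tm /query "/computer:$dc" /source) -join ' '
        $action = 'none'
        if ($Fix -and $short -ine $pdc -and $type -and $type -ne 'NT5DS') {
            # DOMHIER = take time from the domain hierarchy instead of a manual peer
            w32tm /config "/computer:$dc" /syncfromflags:DOMHIER /update | Out-Null
            w32tm /resync "/computer:$dc" /rediscover | Out-Null
            $type   = 'NT5DS'
            $source = (w32tm /query "/computer:$dc" /source) -join ' '
            $action = 'reset to domain hierarchy'
        }
        [pscustomobject]@{
            DC = $dc; IsPdcEmulator = ($short -ieq $pdc); Type = $type; Source = $source; Action = $action
        }
    }
}

Repair-DcTimeHierarchy          # report only
# Repair-DcTimeHierarchy -Fix   # apply the change on non-PDC DCs still set to NTP
```

Run the report first; any DC other than the PDC emulator that shows Type NTP with DC04 as its source is one of the manually pinned ones.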


PowerShell script for Event ID LDAP


Hi all,

according to the upcoming changes to LDAP, we have to perform some audit of the logs and find the connections and accounts.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536

From what I've seen, there will be Event IDs 3040 and 3041, which will collect the information every 24 hours. I've tried to test so far with the current Event IDs in the Directory Service log, but exporting to CSV didn't work very well.

Has someone already created a PowerShell script to export the information from these events and save it in a readable CSV?

Thanks in advance
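A script of the kind asked for above, as an added example that is not part of the original post. It reads the Directory Service log on each DC and writes the bind audit events to CSV; the DC names and the output path are assumptions.

```powershell
# Added example (not from the original post): export the LDAP bind audit events from the
# Directory Service log to CSV. 3040/3041 are the 24-hour summary events mentioned in the
# post; 2889 is logged once per unsigned or cleartext bind (only after the "16 LDAP
# Interface Events" diagnostic level is raised to 2) and carries the client IP and account.
# DC names and the output path are assumptions.
function Export-LdapBindEvents {
    param(
        [string[]]$DomainController = @('dc01', 'dc02'),   # assumed names
        [string]$OutFile = 'C:\Temp\ldap-binds.csv',       # assumed path
        [int]$Days = 1
    )
    $since = (Get-Date).AddDays(-$Days)
    $rows = foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'Directory Service'; Id = 2889, 3040, 3041; StartTime = $since }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $row = [ordered]@{
                DC = $dc; Time = $e.TimeCreated; EventId = $e.Id
                ClientIp = ''; Identity = ''; BindingType = ''
                Message = ($e.Message -split "`r?`n")[0]    # first line keeps the CSV readable
            }
            if ($e.Id -eq 2889 -and $e.Properties.Count -ge 3) {
                # Insertion strings of 2889: [0] client IP:port, [1] identity, [2] binding type
                $p = $e.Properties
                $row.ClientIp    = $p[0].Value
                $row.Identity    = $p[1].Value
                $row.BindingType = $p[2].Value
            }
            [pscustomobject]$row
        }
    }
    $rows | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    # Summary by account and source: the systems that still need signing/TLS fixed
    $rows | Where-Object EventId -eq 2889 |
        Group-Object Identity, ClientIp | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Export-LdapBindEvents
```

The summary events only give totals; the per-bind 2889 rows are what identify the accounts and source addresses to remediate before the hardening is enforced.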

Network Device Enrollment Service (NDES) Fails to Issue Certificate


The following links were used as references for configuring NDES on Windows Server 2016 core:

  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831498(v%3Dws.11)
  https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx

The issuing CA is an enterprise intermediate/subordinate CA.  NDES is installed on a separate server using a service account (domain user, not gMSA).  The default password behavior is configured (required, max 5, expiring after an hour).  A custom certificate template has been created for devices, added as a template to issue on the CA, and configured on the NDES server.  Appropriate permissions have been set on the template and the CA for requesting and enrolling.

The mscep_admin page shows a password.  However, requests from devices fail.  The Application event log shows the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-NetworkDeviceEnrollmentService" Guid="{73144342-19D1-47A4-94DE-D38E6A054AD5}" /><EventID>29</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2020-03-04T15:12:17.367859700Z" /><EventRecordID>1647</EventRecordID><Correlation /><Execution ProcessID="3732" ThreadID="3768" /><Channel>Application</Channel><Computer>NDES-Comp-Name.foo.bar</Computer><Security UserID="S-1-5-21-701053380-3347107659-2942889231-2638" /></System><EventData Name="EVENT_MSCEP_INVALID_PASSWORD" /></Event>

The mscep.log file shows the following:

  402.478.948: Begin: 3/4/2020 7:03 AM 24.845s
  402.483.0: w3wp.exe
  402.491.0: GMT - 8.00
  2901.1286.0:<2020/3/4, 7:03:24>: 0x80004005 (-2147467259 E_FAIL)
  2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): B96FCFEE D3EC2220 8077AF3F C2C46A2A 22BFBB57
  2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 70553F1F 27D5F499 4493B530 038929AC 4A4AD191
  2905.947.0:<2020/3/4, 7:03:24>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2905.1055.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
  2905.1497.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
  2905.923.0:<2020/3/4, 7:03:25>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 4ED75197 6054E100 DAE442EC 35A46969 120EA1EF
  2905.947.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2905.1062.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
  2905.1534.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2906.1405.0:<2020/3/4, 7:03:57>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
  2902.419.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.4738.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.3690.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5284.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5823.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5799.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.1864.0:<2020/3/4, 7:03:57>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION)
  2905.1865.0:<2020/3/4, 7:03:57>: 0x3 (WIN32: 3 ERROR_PATH_NOT_FOUND)
  2905.1866.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.1867.0:<2020/3/4, 7:03:57>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
  2905.2006.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Various sources recommend enabling the CAPI2 log.  However, that does not show any warnings or errors related to the attempt.  Are there any other logs worth examining?

Application usage in active directory domain


Hi,

I am looking for a way to check the usage of a certain application from the users in my domain.

Specifically, I would like to know when users start to use the application, and, over a certain timeframe, what the maximum count of users is that are active in that application at the same time, etc.

Is there a way to do this and monitor this data?

Thanks in advance

Active Directory Domain User track multiple offices

How would you input data into an active directory user object to represent that someone works in two different offices or physical work locations?  For example, an employee works at one building M/W/F and another building T/Th. One could use the Office field, but it is only one string.  It might be nice to have a multi-valued property to include multiple office locations.  

Two DCs, DC2 doesn't work after turning off DC01


Hello Guys

I need some help. This is my situation: I had DC00 running Windows Server 2008 R2, but we decided to move to Windows 2012 Standard. I used a virtual machine (Win2012) as a staging step, moved all the FSMO roles to the virtual machine, and it was working fine. I wiped the 2008 server, set up my new 2012 Standard, and transferred all the roles from the VM, but when I shut down the VM the whole AD DS is gone!

Any advice on this?
