
Active Directory Web Services was unable to determine if the computer is a global catalog server


Good Morning,

I have a problem, where the LDAP port stops responding for a few seconds every 30 minutes.

Looking at the Event Viewer, I get the following error message:
"Active Directory Web Services was unable to determine if the computer is a global catalog server"

Note: I have 5 domain controllers, and the error is displayed every hour on a different DC.

Does anyone have any idea what it might be?

Thanks,

Felipe Pandolfi


"WhenChanged" Attribute timestamp updates without having made changes.


We have a windows 2012r2 based Forest root domain with four DC's.

We are noticing that the "WhenChanged" attribute for many users, even for disabled users, keeps updating to some later date and time on all domain controllers, although the users and admins are sure that no object changes in AD have been carried out.

Why could this be happening?


Network Path Cannot Be Found for Windows Server 2016


I have been through all the online help forums, videos, and other online research and I cannot seem to find a solution to my problem. I was trying to access folders located on the file share service on the DC and am unable to access as I get the error code 0x80070035 which is the "Network path cannot be found".

Also, my silly doubt is: could this happen due to a malware infection?

Please reply to my question. Thanks in advance.

Prevent the laptop from connecting to non domain resources when off network


We have single forest/single domain environment. We identified an issue that a domain joined laptop can connect to a home printer. We are looking for a way to prevent the laptop from connecting to non domain resources when it is off network. What are our options?

GMSA login failure after reboot


We have a GMSA set up for SQL Server for an Availability Group, but since a week ago we have encountered an issue. Every time we reboot the server, the GMSA account is not able to log on to the server with the correct credentials. The only solution is going to Services -> Log On tab, deleting the password field and hitting Apply (the default process for setting a GMSA logon). The weird thing is this happens only on one of the nodes from the AG. The other node (where it works) is in the same domain and OU.

Test-ADServiceAccount returns True on the faulty server, PrincipalsAllowedToRetrieveManagedPassword contains both of the nodes, I tried both DOMAIN\user and user@DomainFQDN, the GMSA has the "Log on as a service" right, and the GMSA group contains both of the servers.

Does anyone have a suggestion on what could make the GMSA unable to get its credentials when the VM starts up? Let me know if you need any additional info.

Thanks! 

LDAP with SSL authentication failed "The supplied credential is invalid", custom OU and email as username


Hi team,

I have a custom OU in which users are created, using email as the username. The following code is throwing an invalid credentials error.

Here are the queries:

1) How to fix this error?

2) Do we need to configure it to use the custom OU name and email as username?

using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

protected void btnLoginEntity_Click(object sender, EventArgs e)
{
    string server = "AAADVSD0S2-EED.eep.eed.ext";
    int port = 636;
    try
    {
        string currentURL = System.Web.HttpContext.Current.Request.Path.ToLower();

        string userName = txtUserNameEntity.Text.Trim();
        // Do not trim the password: leading/trailing spaces may be part of it.
        string password = txtPasswordEntity.Text;

        LdapDirectoryIdentifier ldi = new LdapDirectoryIdentifier(server, port);
        // LdapConnection is IDisposable; release the socket once the bind is done.
        using (LdapConnection connection = new LdapConnection(ldi))
        {
            connection.SessionOptions.SecureSocketLayer = true;
            connection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
            // userName may be DOMAIN\user or a UPN such as user@domain.
            connection.Credential = new NetworkCredential(userName, password);

            connection.AuthType = AuthType.Ntlm;
            connection.Bind();   // throws LdapException on invalid credentials

            //do something
        }
    }
    catch (Exception)
    {
        // "throw;" keeps the original stack trace; "throw ex;" would reset it.
        throw;
        //ask relogin
    }
}

// Referenced above but not shown in the post: validate the LDAPS server
// certificate chain instead of blindly returning true.
private static bool ServerCallback(LdapConnection connection, X509Certificate certificate)
{
    using (var chain = new X509Chain())
    {
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        return chain.Build(new X509Certificate2(certificate));
    }
}

LDAP invalid credentials error.

Event 36886 Schannel


Hello,

I am after a bit of advice on the warning event 36886,

'No suitable default server cred exists on this system'

Most articles I read say you can safely ignore this message if you don't use Certificate Services with AD, but with it being logged every 20 seconds I thought it would be best to reach out.

We do actually have a CAS server, but from a cert point of view it's used for something completely separate to AD DS. So, checking what some of the articles say, the Personal cert store on a DC is empty.

Should we have a cert here? Should we be using certificates in AD DS?

If we need to do nothing about this, can the events be suppressed? Only because, when running tests/checks like dcdiag, I hate seeing messages of any negative kind, and this one appears.

Many Thanks

 

security log


Hello - we have a 2012 mode single domain with 50 domain controllers.

In one of those sites, which has a single domain controller, the local IT person would like "view" access only to that domain controller's Security log from Event Viewer.

I am OK with that, but not for any other domain controller.

I see that "Manage auditing and security log" is managed at a higher level than I wish to delegate, and if I do it locally it is greyed out.

Could I somehow create a custom log from the Security log and give him rights to that?

Thoughts? Ideas? Thanks!
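An added example, not from the post above: one way to scope read access to a single DC's Security log is the event channel's own SDDL, which is machine-local (unlike Event Log Readers membership, which is domain-wide because Builtin groups are shared by all DCs). The script appends a read-only ACE for one account to the Security channel ACL on the DC it runs on; the account name is a placeholder and the script assumes it is run elevated on that DC.

```powershell
# Added example (not from the original post). Grants one account read-only
# access to the Security log of the DC this runs on, by adding an ACE to the
# channel SDDL. Assumption: run elevated on the target DC; $Account is hypothetical.
param(
    [string]$Account = 'CONTOSO\site-it'    # hypothetical delegate
)

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Current channel ACL, e.g.
# O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
$line    = wevtutil gl Security | Where-Object { $_ -like 'channelAccess:*' }
$current = ($line -replace '^channelAccess:\s*', '').Trim()

if ($current -match [regex]::Escape($sid)) {
    "$Account already appears in the Security channel ACL: $current"
    return
}

# 0x1 = read the log; no write (0x2) or clear (0x4) rights are granted.
$new = "$current(A;;0x1;;;$sid)"
wevtutil sl Security "/ca:$new"

# Verify the change took effect on this DC only.
wevtutil gl Security | Select-String 'channelAccess'

# Caveat: a GPO "Configure log access" setting for the Security log replaces the
# local SDDL at the next policy refresh; if this value exists, the change above
# will not survive and the ACE has to go into that policy instead.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' `
                 -Name ChannelAccess -ErrorAction SilentlyContinue
```

This does not touch "Manage auditing and security log" (SeSecurityPrivilege), which would grant full control of the log and is the right you did not want to hand out; the channel ACE only adds read access on the one DC whose SDDL you edited.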




LDAP Works, LDAPS doesn't, two different domains in the mix


Hi There,

Please bear with me, this issue has been dumped in my lap and it's not my usual area of expertise.

Our organisation has two domains (let's say old.net and new.uk, which are in a trust together) with AD services on both, but all of our users are on the old.net domain. We have a server in the new.uk domain which runs an application that needs to use AD for user authentication, and this works fine when using LDAP. However, as LDAP will be deprecated very soon, there's a need to get LDAPS working, which it does not.

I can connect via LDAPS from the server to the AD services on the new.uk domain, but for reasons we can't move users into this domain; they have to remain on old.net.

I can also connect via LDAPS from within the old.net domain to the old.net AD services, so I don't think there's an issue with LDAPS not being set up on old.net.

But the new.uk domain won't connect to the old.net domain over LDAPS, and I believe this is where the issue is. I'm fairly sure it's certificate related (the error shown in the event log of the new.uk DC is "The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.") but this is where my knowledge of how this works breaks down.

I've put the certificates I found in the Personal certificate store of the old.net DC into the Trusted Root Certification Authorities store, as it sounded like this was the issue, but either I've used the wrong certificates, I've put them in the wrong place, or I'm barking up the wrong tree.

Any advice at all would be appreciated as I am at a loss!

Many Thanks
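An added example, not part of the post above: the "untrusted certificate authority" error means the new.uk server does not trust the CA that signed the old.net DC's certificate, so what has to land in Trusted Root Certification Authorities is the issuing CA's (and its root's) certificate, not the DC's own certificate. This script, run from the new.uk server, opens a TLS session to port 636 on an old.net DC, prints the certificate it presents and its issuer, builds the chain locally and reports whether the issuer is present in LocalMachine\Root. The DC name is a placeholder.

```powershell
# Added example (not from the original post). Shows which CA issued the LDAPS
# certificate a remote DC presents and whether this machine can build its chain.
# Assumption: $DcFqdn is a hypothetical DC in the other domain; port 636 is open.
param([string]$DcFqdn = 'dc1.old.net', [int]$Port = 636)

$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
try {
    # Accept any certificate here so we can inspect it; validation is done below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Valid   : $($cert.NotBefore) - $($cert.NotAfter)"
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { "SAN     : $($san.Format($false))" }

    # Build the chain with this machine's stores; revocation is skipped so the
    # result reflects trust only, not CRL reachability across the trust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    "Chain builds on this host: $($chain.Build($cert))"
    foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        "  {0}  [{1}]" -f $el.Certificate.Subject, $status
    }

    # The certificate to import is the issuer (and the top of its chain), not $cert.
    $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                     Where-Object { $_.Subject -eq $cert.Issuer })
    "Issuer present in LocalMachine\Root: $inRoot"
} finally {
    $tcp.Close()
}
```

If the chain fails with UntrustedRoot and the last element printed is the old.net CA, export that CA's certificate (from the CA itself or from the old.net DC's Trusted Root/Intermediate stores) and import it into LocalMachine\Root on the new.uk server; if there is an intermediate CA, it goes into Intermediate Certification Authorities.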

Event ID 1302 (error 1307) DFS replication service encountered an error while writing to the debug log file


Hello.

We are at step 0 of the migration from FRS to DFSR SYSVOL replication on Windows 2008 R2 DCs.

Every time I run powershell DFSRMIG / GETMIGRATIONSTATE it says:

"Unable to create DFSR Migration Log file. Error 1307.

All Domain Controllers have migrated successfully to Global state 'Start'.

Migration has reached a consistent state on all domain Controllers.

Succeeded."

It creates an event ID 1302 in the "DFS Replication" event log, explaining what error 1307 means: "This security ID may not be assigned as the owner of this object".

I already checked the space limits, quotas and permissions on C:\windows\debug according to the Microsoft support article, but I was unable to fix it.

However, there are new entries added to the DFSR00095.txt log file despite this error. This is the only DFSRXXXX file that has not been archived into .GZ format, and I believe it contains all DFSR diagnostics and events.

Here are some of the latest entries:

20150908 08:47:27.867 11616 SYSM  3354 Migration::SysVolMigration::GetSysVolReadyFlag [MIG] Sysvol Is Ready
20150908 08:47:27.867 11616 SYSM   456 Migration::SysvolMigrationTask::Step [MIG] Starting sharing out NTFRS SYSVOL because globalState is 'Start'
20150908 08:47:27.867 11616 CREG  2457 Config::RegWriter::SetSysVolReadyFlag Set key:System\CurrentControlSet\Services\Netlogon\Parameters valueNameSysvolReady value:1
20150908 08:47:27.867 11616 SYSM  1045 Migration::SysVolMigration::Migrate [MIG] Migrate to state 'Start'
20150908 08:47:27.867 11616 SYSM  1056 Migration::SysVolMigration::Migrate [MIG] Begin migrate count:1
20150908 08:47:27.867 11616 SYSM  4836 [WARN] Migration::SysVolMigration::SetLocalStateInLocalAd [MIG] (Ignored) Local Settings does not exist because DC is in START state.
20150908 08:47:27.867 11616 SYSM  1144 Migration::SysVolMigration::Migrate [MIG] Begin migrate: migration to state 'Start' completed
20150908 08:47:27.867 11616 SYSM  4376 Migration::SysVolMigration::DeleteRoMember [MIG] Deleting DFSR member object
20150908 08:47:27.867 11616 SYSM  4396 Migration::SysVolMigration::DeleteRoMember [MIG] Current global state is 'Start



I am hesitant to start step 1 of the migration until that error is fixed or determined to be benign... Please, help!

Slava

Microsoft Tiered Administration - "Tier 0 Replication Maintenance" Purpose


Hi, I am currently preparing to implement Microsoft's Tiered Administration model + PAWs. I have been following the documentation here: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations#phase-1-immediate-deployment-for-active-directory-administrators

Phase 1 results in the creation of several security groups, including a "Tier 0 Replication Maintenance" group, but then does not reference it again. Based on the PowerShell scripts from https://gallery.technet.microsoft.com/Privileged-Access-3d072563 this group is assigned the following rights to various AD partitions/OUs:

  • "Manage Replication Topology" (DS-Replication-Manage-Topology)
  • "Replicating Directory Changes"
  • "Replicating Directory Changes All"
  • "Replication Synchronization"
  • "Monitor active directory Replication"

Can someone help me understand what the specific capabilities of users in this group would be? It seems to provide a mixture of capabilities wherein users are not Domain Admin equivalents, nor can they add/remove DCs. They are able to replicate password information and similar attributes, and check AD replication data. I'm not certain this kind of group is actually needed in the deployment we are planning but I would like to understand what we would be losing by not including it.

Our long term goal is to remove all users from Domain Admins, only adding them in when DC/AD operations require it. I would like to make sure that the Tier 0 staff are still able to monitor, troubleshoot and possibly resolve AD replication issues without necessarily needing to be added into Domain Admins. Is that the function of this group? As I don't see why it would need "Replicating Directory Changes All" for maintenance since this seems excessive.

Thanks.
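An added example, not from the post above and not part of Microsoft's PAW scripts: whatever you decide about the group, the rights it carries are worth auditing on their own, because "Replicating Directory Changes All" on the domain naming context is exactly what lets a principal pull password hashes through replication (the DCSync technique). The script below resolves the replication extended rights by display name from the configuration partition's Extended-Rights container, so no GUIDs are hard-coded, and lists every principal that holds any of them on the domain NC. It goes one step beyond the post's list by also including "Replicating Directory Changes In Filtered Set". It assumes the RSAT ActiveDirectory module and read access to the domain NC.

```powershell
# Added example (not from the original post). Lists who holds the replication
# extended rights on the domain NC, resolving right GUIDs from the schema's
# Extended-Rights container. Assumption: ActiveDirectory module available.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNc = $rootDse.defaultNamingContext
$rightsNc = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# The five rights named in the PAW scripts, plus the filtered-set variant.
$rightNames = @(
    'Manage Replication Topology',
    'Replicating Directory Changes',
    'Replicating Directory Changes All',
    'Replicating Directory Changes In Filtered Set',
    'Replication Synchronization',
    'Monitor Active Directory Replication'
)

# displayName -> rightsGuid, as published under CN=Extended-Rights
$guidToName = @{}
Get-ADObject -SearchBase $rightsNc -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties displayName, rightsGuid |
    Where-Object { $rightNames -contains $_.displayName } |
    ForEach-Object { $guidToName[[guid]$_.rightsGuid] = $_.displayName }

$acl = Get-Acl -Path "AD:\$domainNc"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $guidToName.ContainsKey($_.ObjectType)
    } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference } },
                  @{ n = 'Right';     e = { $guidToName[$_.ObjectType] } },
                  @{ n = 'Inherited'; e = { $_.IsInherited } } |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

Expect Domain Controllers, Enterprise Domain Controllers, Enterprise Read-only Domain Controllers and any Entra/Azure AD Connect or similar sync accounts to show up for "Replicating Directory Changes All"; anything else is worth explaining. The listing only covers explicit extended-right ACEs, so principals with GenericAll (Domain Admins, Enterprise Admins, SYSTEM) are not shown even though they hold the same capability.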

sysvol and netlogon report


Hi,

I have 10 DCs located in multiple geographical regions.

I want to generate a report on SYSVOL and NETLOGON that includes share and NTFS permissions.

This report should be based on all domain controllers.

Could someone provide a script for me to generate it?
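An added example, not the poster's own script: it enumerates every DC in the domain, collects the share-level ACL (Get-SmbShareAccess) and the NTFS ACL on the share root for SYSVOL and NETLOGON over WinRM, writes one CSV row per ACE, and then groups the rows to flag ACEs that exist on some DCs but not all, which is the drift you actually care about on replicated shares. The output path is a placeholder; it assumes the RSAT ActiveDirectory module and WinRM access to each DC.

```powershell
# Added example (not from the original post). Share + NTFS ACL report for
# SYSVOL and NETLOGON across all DCs. Assumption: WinRM to each DC, RSAT module.
Import-Module ActiveDirectory
$OutFile = 'C:\Temp\sysvol-netlogon-acl.csv'   # hypothetical output path

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    foreach ($shareName in 'SYSVOL', 'NETLOGON') {
        $share = Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue
        if (-not $share) {
            # A DC without the share is itself a finding.
            [pscustomobject]@{ DC = $env:COMPUTERNAME; Share = $shareName; Kind = 'MISSING'
                               Path = ''; Principal = ''; Rights = ''; Type = ''; Inherited = '' }
            continue
        }
        # Share-level permissions
        Get-SmbShareAccess -Name $shareName | ForEach-Object {
            [pscustomobject]@{ DC = $env:COMPUTERNAME; Share = $shareName; Kind = 'Share'
                               Path = $share.Path; Principal = [string]$_.AccountName
                               Rights = [string]$_.AccessRight; Type = [string]$_.AccessControlType
                               Inherited = '' }
        }
        # NTFS permissions on the share root
        (Get-Acl -Path $share.Path).Access | ForEach-Object {
            [pscustomobject]@{ DC = $env:COMPUTERNAME; Share = $shareName; Kind = 'NTFS'
                               Path = $share.Path; Principal = [string]$_.IdentityReference
                               Rights = [string]$_.FileSystemRights; Type = [string]$_.AccessControlType
                               Inherited = [string]$_.IsInherited }
        }
    }
}

$report | Select-Object DC, Share, Kind, Path, Principal, Rights, Type, Inherited |
    Sort-Object DC, Share, Kind, Principal |
    Export-Csv -Path $OutFile -NoTypeInformation

# Drift check: ACEs that are not present on every DC (count differs from DC count)
$report | Where-Object Kind -ne 'MISSING' |
    Group-Object Share, Kind, Principal, Rights, Type |
    Where-Object { $_.Count -ne $dcs.Count } |
    Select-Object Count, Name |
    Sort-Object Count
```

The drift section lists each distinct (share, kind, principal, rights, type) combination whose count is not equal to the number of DCs, so an extra Everyone: Full Control on one replica, or a missing Authenticated Users: Read on another, stands out without reading the whole CSV.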

NETDOM TRUST error


Hi,

I am working on an Active Directory Risk Assessment program; one of the recommendations is "Disable cross forest TGT delegation".

Here is the explanation provided by MS

Cross forest TGT delegation is currently allowed for one or more forest trusts. When full delegation is enabled for Kerberos on a server, the server can use the delegated ticket-granting ticket (TGT) to connect as the user to any server, including those across a one way trust. In Windows Server 2012, a trust across forests can be configured to enforce the security boundary by disallowing forwarding TGTs to enter other forests.

I entered the command below and received the error message. Please assist.

I logged on as the domain Administrator.

netdom trust AD.COM /domain:ABC.net /enabletgtdelegation:no
Access is denied.

The command failed to complete successfully.

DCDiag & Repadmin Deep Dive!!


Hi Team,

 Could you please share any link or provide information about DCDiag & Repadmin Tool functionality and how each test works and fetches the details?

PKI - LDAPS / KDC Certificate with Certreq private key not exportable


I am trying to automate cert requests for the LDAPS certificate. When I request a certificate from my cert template manually, the certificate's private key is exportable, but never when I try with certreq.

This is my INF:

[Version]
Signature="$Windows NT$"

[NewRequest]
; At least one value must be set in this section
Subject="CN=dc01"
KeySpec=1
KeyLength=4096
Exportable=TRUE
; The key must live in the machine store for the NTDS (LDAPS) service to use it
MachineKeySet=TRUE
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0

[RequestAttributes]
CertificateTemplate="KDC_TEMPLATE"

[Extensions]
; Subject Alternative Name (OID 2.5.29.17); each _continue_ line appends one entry
2.5.29.17 = "{text}"
_continue_ = "dns=dc01&"
_continue_ = "dns=dc01.mydomain.dom&"
_continue_ = "dns=mydomain.dom&"
_continue_ = "dns=MYDOMAIN&"
_continue_ = "dns=ldap.mydomain.dom&"

Then I try
certreq -new c:\_scripts\request2.inf c:\_scripts\result.txt
certreq -config pki.mydomain.dom\myCERT-CA -submit c:\_scripts\result.txt c:\_scripts\certificate.cer 
certreq -accept c:\_scripts\certificate.cer 

I have a PowerShell script to put the cert into the NTDS store.

But the private key is never exportable when I script this, only when I use the MMC and request manually.

Does anyone have an idea what I am doing wrong?


Repromoting RODC Fails Because Previous KRBTGT_xxx Account in Recycle Bin.


So, in my environment we have a good number of Read Only Domain Controllers. Occasionally, I've had to demote one for various reasons. I've run into issues every time where the demotion process moves the KRBTGT account for the DC to the Recycle Bin. Once there, the server can't be promoted again because the object exists in the Recycle Bin. I've tried to restore the object, but it looks like it restores the account without completely removing it from the Recycle Bin, so it still fails. This is the first company I've worked for that uses RODCs... is this normal behavior? If so, is there anything I can do other than give the server a different name and try again? Thanks for any feedback or suggestions in advance...

Seth

PowerShell script for Event ID LDAP


Hi all,

According to the upcoming LDAP changes, we have to perform an audit of the logs and find the connections and accounts.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536

From what I've seen, there will be Event IDs 3040 and 3041 which collect the information every 24 hours. I've tried to test so far with the current Event IDs in the Directory Service log and then export to CSV, but it didn't work very well.

Has someone already created a PowerShell script to export the information from the events and save it in a readable CSV?

Thanks in advance
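An added example, not from the post above: events 3040 and 3041 are only 24-hour summaries; the per-client detail (client IP, the identity it bound as, and whether it was an unsigned SASL bind or a clear-text simple bind) is in event 2889 of the Directory Service log, which a DC writes only when the "16 LDAP Interface Events" diagnostic is set to 2. The script turns that on, collects the 2889 events since a start date, parses the fields out of the message text and writes a CSV plus a per-identity summary. Output path and lookback are placeholders; it assumes it runs on (or is remoted to) each DC with local admin rights.

```powershell
# Added example (not from the original post). Enables event 2889 logging and
# exports one CSV row per insecure LDAP bind seen on this DC.
# Assumptions: runs on the DC; $OutFile and $Since are hypothetical values.
$OutFile = "C:\Temp\ldap-2889-$env:COMPUTERNAME.csv"
$Since   = (Get-Date).AddDays(-7)

# 2 = log event 2889 for every unsigned or clear-text bind (0 = off).
# Only binds after this point are logged; re-run the collection later.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Binding Type values as documented for event 2889
$typeNames = @{ '0' = 'Unsigned SASL bind'; '1' = 'Simple bind over clear text' }

# Parse the message text so the result does not depend on property order.
$rows = foreach ($ev in $events) {
    $m = [regex]::Match($ev.Message,
        'Client IP address:\s*(?<ip>[^\r\n]+).*?authenticate as:\s*(?<id>[^\r\n]+)(?:.*?Binding Type:\s*(?<type>\d+))?',
        'Singleline')
    if (-not $m.Success) { continue }
    $type = $typeNames[$m.Groups['type'].Value]
    if (-not $type) { $type = 'Unknown' }
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        DC          = $env:COMPUTERNAME
        ClientIP    = $m.Groups['ip'].Value.Trim() -replace ':\d+$', ''   # drop source port
        Identity    = $m.Groups['id'].Value.Trim()
        BindingType = $type
    }
}

if (-not $rows) {
    "No 2889 events since $Since on $env:COMPUTERNAME (diagnostics just enabled?)"
    return
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Summary: which accounts still bind insecurely, and from where
$rows | Group-Object Identity, ClientIP, BindingType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it on every DC (or wrap the body in Invoke-Command against Get-ADDomainController -Filter *) since each DC only logs the binds it served; the CSV gives you the client list to fix before enforcing LDAP signing and channel binding, and the summary is the quickest way to see which service accounts are responsible.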

"Enable computer and user accounts to be trusted for delegation" rights is disabled for Administrator account despite delegation option in the "AD Computer Properties" being "Trust this computer for delegation to any service (Kerberos only)"


Hi all,

The "Enable computer and user accounts to be trusted for delegation" right is disabled for the Administrator account, as shown below


despite the delegation option being changed to "Trust this computer for delegation to any service (Kerberos only)", as shown below


I am doing this to change the name of the domain controller, which requires the above-mentioned right; otherwise I get an "access denied" error.

Please tell me how to enable the above-mentioned right for the current user, who is Administrator?

Tks in advance

Joe




New AD Domain Setup server 2019


Hi all,

It has been a long time since I created a new domain.

I used to create domains with .local,

but I understand that's a bad idea.

I have to set up a new Server 2019 in a new domain.

If my top-level domain is, for example, company.com,

should I use that as the domain name?

Or is it better to use corp.company.com or something else like ...?



Delegate 'info' attribute for security groups


Hi,

I need to delegate the 'info' attribute for security groups in our Active Directory environment. Since this attribute is not available in the delegation wizard, I checked the dssec.dat file, but it's not even there. Any ideas how modification of this attribute can be delegated to a user or a security group?

Thanks in advance!
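An added example, not from the post above: the delegation wizard only lists what dssec.dat exposes, but the ACE itself can be written directly. The script resolves the schemaIDGUID of the "info" attribute and of the "group" class from the schema partition (so nothing is hard-coded), builds an ActiveDirectoryAccessRule granting ReadProperty/WriteProperty on that one attribute, inherited only by group objects below the target OU, and applies it. The OU and the delegated group are placeholders; it assumes the RSAT ActiveDirectory module and rights to modify the OU's ACL.

```powershell
# Added example (not from the original post). Delegates write access to the
# "info" attribute on group objects under one OU. Assumption: ActiveDirectory
# module available; $TargetOu and $Delegate are hypothetical.
Import-Module ActiveDirectory
$TargetOu = 'OU=Groups,DC=contoso,DC=com'   # hypothetical
$Delegate = 'CONTOSO\GroupNotesEditors'      # hypothetical

$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID is stored as a byte array; cast it to a Guid
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$infoGuid  = Get-SchemaGuid 'info'    # the attribute being delegated
$groupGuid = Get-SchemaGuid 'group'   # the object class the ACE applies to
$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $infoGuid,                                                           # this attribute only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupGuid)                                                          # on group objects only

$acl = Get-Acl -Path "AD:\$TargetOu"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verify: the delegate now has an ACE whose ObjectType is info's GUID
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate -and $_.ObjectType -eq $infoGuid } |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

The dsacls equivalent is a single line, dsacls "OU=Groups,DC=contoso,DC=com" /I:S /G "CONTOSO\GroupNotesEditors:WP;info;group", which writes the same attribute-scoped, class-scoped inherited ACE; the PowerShell version is easier to review because it shows the resolved GUIDs before they are written.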
