Channel: Directory Services forum

GMSA login failure after reboot

We have a gMSA set up for SQL Server for an Availability Group, but since a week ago we have encountered an issue. Every time we reboot the server, the gMSA account is not able to log on to the server with the correct credentials. The only solution is going to the Services -> Log On tab, deleting the password field and hitting Apply (the default process for setting a gMSA logon). The weird thing is this happens only on one of the nodes of the AG. The other node (where it works) is in the same domain and OU.

Test-ADServiceAccount returns True on the faulty server, PrincipalsAllowedToRetrieveManagedPassword contains both of the nodes, I tried both DOMAIN\user and user@DomainFQDN, the gMSA has the "Log on as a service" right, and the gMSA group contains both of the servers.

Does anyone have a suggestion on what could make the GMSA unable to get its credentials when the VM starts up? Let me know if you need any additional info.

Thanks! 


Two DCs, DC2 doesn't work after turning off DC01

Hello Guys

I need some help. This is my situation: I had DC00 running Windows Server 2008 R2, but we decided to move to Windows Server 2012 Standard. I used a virtual machine (Win2012) to set up a simulation, moved all the FSMO roles to the virtual machine, and it was working fine. I wiped the 2008 server and set up my new 2012 Standard server, transferred all the roles from the VM, but when I shut down the VM the whole AD DS was gone!

Any advice on this?

Event 36886 Schannel

Hello,

I am after a bit of advice on the warning event 36886:

'No suitable default server cred exists on this system'

Most articles I read say you can safely ignore this message if you don't use certificate services with AD, but with it being logged every 20 seconds I thought it would be best to reach out.

We do actually have a CAS server, but from a cert point of view it's used for something completely separate to AD DS. So when checking what some of the articles say, the cert store on a DC (Personal) is empty.

Should we have a cert here? Should we be using certificates in AD DS?

If we need to do nothing about this, can the events be suppressed? I only ask because when running tests/checks like dcdiag I hate seeing messages of any negative kind, and this one appears.

Many Thanks

 

Active directory FRS problems

Hey there,

I'm sort of stuck a bit in limbo with a domain where I'm getting these messages, thus I'm unable to sync SYSVOL from this server. I know I didn't change the root path of the directory service, yet I keep getting these messages in the FRS log. Any ideas how to proceed?

The File Replication Service has detected that the replica root path has changed from "c:\windows\sysvol\domain" to "c:\windows\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path. 
This was detected for the following replica set: 
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" 
 
Changing the replica root path is a two step process which is triggered by the creation of the NTFRS_CMD_FILE_MOVE_ROOT file. 
 
 [1] At the first poll which will occur in 60 minutes this computer will be deleted from the replica set. 
 [2] At the poll following the deletion this computer will be re-added to the replica set with the new root path. This re-addition will trigger a full tree sync for the replica set. At the end of the sync all the files will be at the new location. The files may or may not be deleted from the old location depending on whether they are needed or not.

PowerShell script for Event ID LDAP

Hi all,

According to the upcoming changes for LDAP, we have to perform an audit of the logs and find the connections and accounts.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536

From what I've seen there will be Event IDs 3040 and 3041, which will collect the information every 24 hours. I've tried to test so far with the current Event IDs in the Directory Service log, but exporting to CSV didn't work very well.

Has someone already created a PowerShell script to export the information from the events and save it readably in CSV?

Thanks in advance
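An added example of the kind of export asked for above (it is not from the original post, nor an official Microsoft script): it pulls the LDAP signing and channel-binding events from the Directory Service log on one DC and writes them to CSV. It assumes the standard English event message text for the regexes, and that the caller has rights to read the Directory Service log on the target DC.

```powershell
# Added example (not from the original post): audit LDAP signing / channel binding
# events from the Directory Service log and export them to CSV.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$OutFile      = "$env:TEMP\ldap-audit-$ComputerName.csv",
    [int]$Days            = 7
)

# Event IDs as described in the linked Microsoft article:
#   2887: 24-hour summary count of simple / unsigned binds
#   2889: one event per client that bound insecurely (needs the diagnostic
#         "16 LDAP Interface Events" registry value set to 2 on the DC)
#   3040: 24-hour summary count of connections that would fail channel binding
#   3041: logged at startup while channel binding is not enforced
$filter = @{
    LogName   = 'Directory Service'
    Id        = 2887, 2889, 3040, 3041
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $clientIp = $null; $identity = $null; $bindType = $null
    if ($e.Id -eq 2889) {
        # Assumption: the 2889 message carries these three labelled lines (English text).
        if ($e.Message -match 'Client IP address:\s*(\S+)') { $clientIp = $Matches[1] }
        if ($e.Message -match 'Identity the client attempted to authenticate as:\s*(.+)') {
            $identity = $Matches[1].Trim()
        }
        if ($e.Message -match 'Binding Type:\s*(\d)') { $bindType = $Matches[1] }
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        DC          = $e.MachineName
        EventId     = $e.Id
        ClientIp    = $clientIp
        Identity    = $identity
        BindType    = $bindType
        # Flatten the multi-line message so it survives a CSV round trip
        Message     = ($e.Message -replace '\s+', ' ')
    }
}

$rows | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Quick summary of which client / account pairs still bind insecurely
$rows | Where-Object { $_.EventId -eq 2889 } |
    Group-Object ClientIp, Identity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it once per domain controller (or loop over Get-ADDomainController), since each DC only logs the binds it served itself.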

Lsass.exe crash during IADsUser->ChangePassword() (faulty module: msv1_0.DLL)

Hi,

When I try to change a network user's password using ADSI's IADsUser->ChangePassword(), the server machine where my application is running gets rebooted.

  • Error code during IADsUser->ChangePassword() = ERROR_CODE=800706ba: The RPC server is unavailable.
  • RPC related services are working properly on the domain controller. Also, I haven't made changes to the RPC service or ports.

A few event log entries related to the incident before the restart:

  • Event ID: 5000, Error, LSA(LsaSrv) - (system log) - The security package MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 generated an exception.
  • Event ID: 1074, Info, User32(source) - (system log) - The process winint.exe has initiated the restart of computer on behalf of user for the following reason. Reason code : 0x50006, Comment: The System process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. 
  • Event ID: 1000, Error - (application log) - Faulty application name: lsass.exe(c:\Windows\system32\), version: 6.2.9200.20521; Faulty module name : msv1_0.DLL(c:\Windows\system32\), version: 6.2.9200.22978; Exception code: 0xc0000005

The log messages were obtained when trying this on a Windows Server 2012 machine.

Any help would be appreciated as it seems a critical issue due to the reboot of the server machine.

I am using ADFS 3.0 with a WID database and I want to know the backup and restore process on new hardware

Hi Support,

I am using ADFS 3.0 with a WID database and now I want to plan to move ADFS to new hardware.

Can you share the best option and help me with the backup and restore process?

AD replication errors

Any ideas on what to troubleshoot for an AD 8464 error while doing repadmin /showrepl?

Also, repadmin /replsum shows a pair of DCs out of sync for 5 days. How do I correct this?

I really appreciate the help.

/syd

Source: MAIN\DC-01
******* 1 CONSECUTIVE FAILURES since 2020-02-20 09:52:51
Last error: 8464 (0x2110):
            Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set.

Source DSA                          largest delta    fails/total %%   error
 DC-01                             05d.17h:05m:11s    0 /  33    0
 DC-02                                 01h:09m:17s    0 /  16    0
 dc-02m\0ACNF:c0411909-b13f-4b...           19m:49s    0 /   6    0
 DC-03                                     11m:45s    0 /   6    0
 DC-04                                 01h:11m:46s    0 /  22    0
 DC-06                                     09m:17s    0 /  10    0
 DC-09                                     08m:07s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 DC-01                 01h:11m:49s    0 /  18    0
 DC-01M                    19m:50s    0 /  22    0
 DC-02                 01h:08m:07s    0 /  17    0
 DC-03             05d.17h:05m:14s    0 /   6    0
 DC-04                 01h:09m:17s    0 /  18    0
 DC-06                     27m:01s    0 /  12    0
 DC-09                     05m:00s    0 /   5    0


Sydney Cherian


LDAP Works, LDAPS doesn't, two different domains in the mix

Hi There,

Please bear with me, this issue has been dumped in my lap and it's not my usual area of expertise.

Our organisation has two domains (let's say old.net and new.uk, which are in a trust together) with AD services on both, but all of our users are in the old.net domain. We have a server in the new.uk domain which runs an application that needs to use AD for user authentication, and this works fine when using LDAP; however, as LDAP will be deprecated very soon, there's a need to get LDAPS working, which it does not.

I can connect via LDAPS from the server to the AD services in the new.uk domain, but for reasons we can't move users into this domain; they have to remain in old.net.

I can also connect via LDAPS from within the old.net domain to the old.net AD services, so I don't think there's an issue with LDAPS not being set up on old.net.

But the new.uk domain won't connect to the old.net domain over LDAPS, and I believe this is where the issue is. I'm fairly sure it's certificate related (the error shown in the event log of the new.uk DC is "The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate."), but this is where my knowledge of how this works breaks down.

I've put the certificates I found in the Personal certificate store of the old.net DC into the Trusted Root Certification Authorities store, as it sounded like this was the issue, but either I've used the wrong certificates, I've put them in the wrong place, or I'm barking up the wrong tree.

Any advice at all would be appreciated, as I am at a loss!

Many Thanks

RODC Setup with two domains

Hi All,

We have two domains and are trying to set up the trust and allow users to log in to the ABC RODC in the DMZ.

So computers are xyz domain joined, but users log in to the abc domain. Do I have to set only the RODC IP in the client DNS?

Will this setup work, or is there any better solution? I have around 1000+ users/computers in xyz.

 

As


LDAP cannot authenticate via sAMAccountName

The customer designed internet access that must authenticate with a domain user. I implemented a FortiGate connecting via LDAP to AD DS. After connecting, I tested login via the FortiGate GUI LDAP menu, and it logged in successfully. But when I log in from a client, it cannot access the internet, without any error.

I opened a ticket with Fortinet. They created a new domain user and then tested login; then the client could access the internet with the new domain user's authentication. So Fortinet said this issue comes from AD DS, and closed the ticket.

I tried changing authentication to other attributes. All domain users can log in and access the internet. But only the sAMAccountName type cannot authenticate.

I tried changing users. All current users cannot access the internet via sAMAccountName, but new users can access the internet via sAMAccountName. Example attributes: phone, first name, last name.

This AD DS was migrated from 2003 to 2008. What issue could the AD DS 2003 accounts have?

The customer needs to authenticate with sAMAccountName, so I must fix it.

SQL & AD connectivity issue.

I have an AD server (WinServer_08_R2) and a SQL database server (WinServer_2016_R2).

While trying to connect to my database, it won't connect.

But after pinging for a few minutes the TTL value increases from 64 to 128 and then it connects.

Recently the database was migrated from WinServer_08_R2 to WinServer_2016_R2.

How can I connect to my SQL easily without pinging?

AD Migration from 2008 with DFL-2003 and FFL-2003 to 2016 server

Team,

I have a rather funny scenario where I want to migrate my current AD running on Server 2008 R2, with Domain Functional Level 2003 and Forest Functional Level 2003, to Windows Server 2016. The problem is, when I try to promote the 2016 server, I get a message that "the server cannot be promoted on a Windows 2000 server forest functional level", which I don't even have on my entire network. Is there a way I can proceed from here?

I have tried to run adprep; no changes. Help!

Microsoft Tiered Administration - "Tier 0 Replication Maintenance" Purpose

Hi, I am currently preparing to implement Microsoft's Tiered Administration model + PAWs. I have been following the documentation here: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations#phase-1-immediate-deployment-for-active-directory-administrators

Phase 1 results in the creation of several security groups, including a "Tier 0 Replication Maintenance" group, but then does not reference it again. Based on the PowerShell scripts from https://gallery.technet.microsoft.com/Privileged-Access-3d072563 this group is assigned the following rights to various AD partitions/OUs:

  • "Manage Replication Topology" (DS-Replication-Manage-Topology)
  • "Replicating Directory Changes"
  • "Replicating Directory Changes All"
  • "Replication Synchronization"
  • "Monitor active directory Replication"

Can someone help me understand what the specific capabilities of users in this group would be? It seems to provide a mixture of capabilities wherein users are not Domain Admin equivalents, nor can they add/remove DCs. They are able to replicate password information and similar attributes, and check AD replication data. I'm not certain this kind of group is actually needed in the deployment we are planning but I would like to understand what we would be losing by not including it.

Our long term goal is to remove all users from Domain Admins, only adding them in when DC/AD operations require it. I would like to make sure that the Tier 0 staff are still able to monitor, troubleshoot and possibly resolve AD replication issues without necessarily needing to be added into Domain Admins. Is that the function of this group? As I don't see why it would need "Replicating Directory Changes All" for maintenance since this seems excessive.

Thanks.

Authenticating with PIV across Forest Trust

Guys...

I am at a loss here. Googled and Binged all day and have ZIP.

I have two forests each with one domain. I established a two way forest trust and can ACL objects and log in with username and password. The issue is I need to be able to log in with a PIV card. So... I need to log into forest A with my PIV and have it also provide me access to all the resources of forest B. I have no idea where to even start.

Suggestions? Someone point me in the right direction?



migrating sbs 2011 fsmo roles to new win2019 server

Hello,

A little help. New Windows 2019 server, old SBS 2011. Joined the domain, started the process to complete domain setup, raised the level from 2003 to 2008. Both servers are now DCs, but the 2019 server lists the Domain Masters as ERROR.

Event log: Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

I traced one issue to an old/deleted account with inherited permissions; that's been removed. I'm unable to trace/find the others.

I've followed these steps:

2.    Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts: a.    Start -> Run -> RSoP.msc

b.    Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.

c.   For each User Right or Restricted Group with a red X, the corresponding GPO that contains the problem policy is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

ac

Esentutl error: unable to find the callback library ntdsai.dll

Hi,

I started

esentutl /p ntds.dit

and get error:

Unable to find the callback library ntdsai.dll

Operation terminated with error -2102 (JET_errCallbackNotResolved, A callback function could not be found)

What am I doing wrong?

Thanks.

LDAP port 389 connections to AD from (domain-joined) client computers across Sites and Services subnet settings questionnaire

Hi, I have a problem in my environment with Active Directory LDAP port 389. My scenario is: I have Active Directory for 2 sites, each site has 2 Active Directory servers, I have assigned all networks to subnets in Active Directory Sites and Services with the correct configuration, and I have a DHCP server in each site, each configured (via DHCP option) to point DNS at that site's DNS servers.

My firewall application, which sits between the sites to inspect the traffic, shows that some client computers using DHCP are making LDAP connections across sites (e.g. a computer in site A calls LDAP 389 to an Active Directory server in site B).

The problems I found are listed below:

1. Is this LDAP connection situation normal from the Active Directory configuration? If not, what component do I have to check?

2. Is it possible that they have some application on the client computer that queries some data from Active Directory with improper settings, letting this application connect to another site?

3. If this LDAP use does not come from Active Directory itself (or is related to question 2), can you please point me to a guide document, or a way to prove this?

Thank you

 

Will GPO re-install an application that is already installed locally?

Hi

I want to deploy an application agent to our workstations using GPO. But on a few computers it has been installed locally by our technical support. If the deployed application agent version is the same, will GPO re-install it again? Or is it smart enough to detect that the app is already installed and skip the installation process?

Thanks

ADDS to integrate to existing Domain Name System

Hi,

Is it possible to integrate newly installed Active Directory Domain Services with an existing standard (on-premises) DNS? If yes, what would be the prerequisites and steps to do so?

Thank you!!
