Channel: Directory Services forum

domain naming master

Hi all,

I have two domains:

1- domain-1

2- domain-2

and my domain name is example.com.

Everything is working fine and replicating fine also. I have an issue when I try to turn off my main server for maintenance, because all my services and SSO settings are configured to example.com, so when I turn off the main domain (domain-1) (I also transfer the 5 FSMO roles before I turn it off) most of the services stop. I found that if I ping example.com, domain-1 always replies to the pings and requests. How do I switch this to domain-2 so I can turn domain-1 off and do the maintenance (hardware upgrade)? Right now everything is working fine with no errors in Event Viewer; I checked the replication with the AD Replication Status Tool and everything is fine.


Help with Active Directory group not giving permissions

Hi. This is my first post here, so sorry for any formatting oddities. I am the new IT tech at my job and the techs above me do not know what is happening either.


I am currently trying to give access to a shared folder to a user in my organization. The shared folder is called marketing and the group of users who have access to said shared folder is also called marketing.

So, the users who are currently in the group have access to the shared drive on their computers with no problems. When I try to add a new user to that group, they are added in, but do not get permissions to view the group.

I added myself as a user to the shared drive and was able to access the drive no problem, but I took myself out and re-added myself to the group and, again, no access.

There are no explicit deny permissions for this shared drive.

Does anyone have any thoughts?
Thank you in advance!

Error connecting client to new domain.

I'm new to working with servers and I'm trying to connect a client to a new domain. The name of this domain is, for example, microsoft and the complete name is microsoft.com.

In my client's DNS I changed the first entry to the IP of my server. So when I try to join the client to the domain server with only "microsoft", it asks me for my user and my password; I insert all the data and after that I get an error about not being able to resolve the DNS name, but if I try to connect the client with microsoft.com I get another error: error 0x0000232B RCODE_NAME_ERROR.

It says the DNS does not exist. I don't know if I have to create or configure the DNS from my server. I read a lot on many pages but I can't solve it. I really appreciate any help!

Additional note: I can't ping microsoft.com, but I can create a new DNS entry with the name microsoft.com and ping it, but nothing changes with the error.

Upgrade Domain Controller

Hi!

What is the simplest way to upgrade a Microsoft Domain Controller from 2008R2 to 2019 version?

Should I migrate from version to version (ex: from 2008 to 2012, then from 2012 to 2016 and so on) or can I upgrade directly to the latest version?

Are the DNS and DHCP services running on the same DC server impacted during this upgrade procedure? Should they also undergo a specific procedure during this upgrade?

tks!

Bruno


Unable to connect to domain

I just recently created an AD DS and I can't seem to join from another computer on my network. I believe it to be a DNS issue because I'm not able to ping the domain, but I can't seem to figure out what it is.

LastLogonTimeStamp and PingFederate SSO

There is so much information on Lastlogontimestamp but I still cannot find a definitive answer to this.

We have PingFederate SSO running to authenticate users.  Ping is configured to authenticate with AD for SSO.

When a user authenticates with Ping (or any other LDAP or SSO application), does this update lastLogonTimestamp?

I know there is an algorithm for this attribute... but my real point is: when a user DOES NOT do an interactive login and is authenticated via an LDAP-enabled application like Ping SSO, would that trigger an update to lastLogon or lastLogonTimestamp?

Thanks

C


-C-

Multiple CAs - Autoenrollment on network level

Hi,

We have multiple CAs in various sites. If a client or user requests a certificate, which CA will be addressed first? Which aspects does it depend on, or how can it be controlled which CA is used for autoenrollment?

We have some cases where the client/user of site A receives a certificate from a CA in site B, and not site A, for example.

Event 36886 Schannel

Hello,

I am after a bit of advice on the warning event 36886:

'No suitable default server cred exists on this system'

Most articles I read say you can safely ignore this message if you don't use Certificate Services with AD, but with it being logged every 20 seconds I thought it would be best to reach out.

We do actually have a CAS server, but from a cert point of view it's used for something completely separate to AD DS. So, checking some of what the articles say, the cert store on a DC under Personal is empty.

Should we have a cert here? Should we be using certificates in AD DS?

If we need to do nothing about this, can the events be suppressed? Only because, when running tests/checks like dcdiag, I hate seeing messages of any negative kind, and this one appears.

Many Thanks



The server with this IP address is not authoritative for the required zone?

Hi team,

I created two forests with 1 DC in each. I checked that the reverse lookup zone is created. The issue I'm facing is with conditional forwarders: on entering the IP address, I'm getting "The server with this IP address is not authoritative for the required zone". The other point is that once the forwarder is created and I open the conditional forwarder and edit the record, it works fine. So I'm confused why it's throwing this error; am I missing some configuration?

Kerberos Pre-Authentication Failed ID 4771 (code: 0xE)

Hello,

I would like to seek assistance on how to track the service or application that is causing this failed event. I am seeing a lot of this error from multiple machines, so I am expecting they all come from the same service, but I have no idea how to locate the exact service or application.

Failure Code is 0xE, Pre-Authentication Type: 0

Kerberos pre-authentication failed.

Account Information:
    Security ID: Corporate\service_account

Service Information:
    Service: krbtgt\Corporate

Network Information:
    Client Address: ::ffff:10.125.**.**
    Client Port: 64679

Additional Information:
    Ticket Options: 0x40810010
    Failure Code: 0xE
    Pre-Authentication Type: 0

Thank you in advance
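An added example, not part of the post above: a PowerShell script that pulls the 4771 events from a DC's Security log and groups them by account, client address and failure code, so the host producing the failures (and then the service or task on it) can be located. Failure code 0xE is KDC_ERR_ETYPE_NOSUPP, i.e. the client asked for an encryption type the KDC will not issue. The DC name and the look-back window are placeholders.

```powershell
# Added example (not from the post): summarise Kerberos pre-authentication
# failures (Event ID 4771) by account, client address and failure code, so the
# client generating them can be found. Assumptions: the account running this
# can read the Security log of the DC in $ComputerName; 'DC01' is a placeholder.
param(
    [string]$ComputerName = 'DC01',   # placeholder DC name
    [int]$Hours = 24                  # look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4771
    StartTime = (Get-Date).AddHours(-$Hours)
}

$failures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read the EventData fields by name from the XML view: 'Status' is the
        # Failure Code shown in Event Viewer, 'IpAddress' the Client Address.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            ClientIP    = ($data['IpAddress'] -replace '^::ffff:', '')  # drop IPv4-mapped prefix
            ClientPort  = $data['IpPort']
            FailureCode = $data['Status']        # 0xe = KDC_ERR_ETYPE_NOSUPP
            PreAuthType = $data['PreAuthType']
        }
    }

# One row per account / client / failure code, busiest first. The ClientIP column
# is the machine to inspect (services, scheduled tasks, apps using the account).
$failures |
    Group-Object Account, ClientIP, FailureCode |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Count       = $_.Count
            Account     = $_.Group[0].Account
            ClientIP    = $_.Group[0].ClientIP
            FailureCode = $_.Group[0].FailureCode
            LastSeen    = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Format-Table -AutoSize
```

Run it against each DC in turn, since pre-authentication failures are logged only on the DC that handled the request.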

Active directory FRS problems

Hey there,

I'm sort of stuck in limbo with a domain where I'm getting these messages, thus I'm unable to sync SYSVOL from this server. I know I didn't change the root path of the directory service, but I keep getting these messages in the FRS log. Any ideas how to proceed?

The File Replication Service has detected that the replica root path has changed from "c:\windows\sysvol\domain" to "c:\windows\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.
This was detected for the following replica set:
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Changing the replica root path is a two step process which is triggered by the creation of the NTFRS_CMD_FILE_MOVE_ROOT file.

 [1] At the first poll which will occur in 60 minutes this computer will be deleted from the replica set.
 [2] At the poll following the deletion this computer will be re-added to the replica set with the new root path. This re-addition will trigger a full tree sync for the replica set. At the end of the sync all the files will be at the new location. The files may or may not be deleted from the old location depending on whether they are needed or not.

Replication between sites not working

Hi,

A new DC was joined to the existing domain. It's in site A and is able to replicate from/to the other DCs in site A. But the DCs in site B don't see the newly joined DC.

In the "NTDS Settings Properties" of the new DC I can see the other DCs in "Replicate from". In "Replicate to" I can only see the DCs of site A, but not of site B.

dcdiag /test:dns doesn't report any errors. Dynamic DNS updates are activated.

How can I fix it? Is it possible to add more DCs in "Replicate to"? The OS is Windows Server 2016 Standard.

List of all user attributes with value (including empty one)

Hi,

I want to get all the attributes listed for a user under "Attribute Editor", including values. That list should also include the attributes that don't have values. I am running the following command but it's not giving the empty attributes:

Get-ADUser username -Properties * | Out-File "attributes.csv"

Can someone please help me get what I need?


Regards, Nilabh Verma
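An added example, not from the post above: a PowerShell script that takes the list of attributes the schema allows on a user object (so the unset ones are included, as Attribute Editor shows them) and writes each name with its current value, or blank, to a CSV. It assumes the RSAT ActiveDirectory module on a domain-joined machine; 'username' and the output path are placeholders.

```powershell
# Added example (not from the post): list every attribute the schema allows on a
# user object, including those the account has no value for (as Attribute Editor
# shows them), and write name/value pairs to a CSV. Assumptions: the RSAT
# ActiveDirectory module is installed on a domain-joined machine; 'username' and
# the output path are placeholders.
param(
    [string]$SamAccountName = 'username',       # placeholder
    [string]$OutFile        = 'attributes.csv'  # placeholder
)

Import-Module ActiveDirectory

# All mandatory and optional attributes of the 'user' class, inherited ones included.
# Get-ADUser -Properties * only returns attributes that currently hold a value, which
# is why the empty ones were missing from the original output.
$schema    = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
$attrNames = $schema.FindClass('user').GetAllProperties() |
    Select-Object -ExpandProperty Name |
    Sort-Object -Unique

$user = Get-ADUser -Identity $SamAccountName -Properties *

$rows = foreach ($name in $attrNames) {
    $prop  = $user.PSObject.Properties[$name]
    $value = if ($null -ne $prop -and $null -ne $prop.Value) {
        # multi-valued attributes come back as collections; join them for the CSV
        @($prop.Value) -join ';'
    } else {
        ''   # attribute exists in the schema but is not set on this account
    }
    [pscustomobject]@{ Attribute = $name; Value = $value }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
$empty = @($rows | Where-Object Value -eq '').Count
"Wrote $($rows.Count) attributes ($empty without a value) to $OutFile"
```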

Can an application always run with different users?

Hi,

  • I have an enterprise application (which can't be stopped due to business need) always running on Windows 10. To access the machine our team (10 members) uses a single domain account; the password for that account is shared with everyone.
  • We take RDP to the machine and never log off; instead we disconnect the RDP session so that the application keeps running in the background. When the next user logs in with the same username, he sees the application still processing.
  • It's a standalone app and we can't see any associated service running under services.msc.
  • Now, due to the new company policy, the password for one account can't be shared. We also can't use a local account or remove the system from the domain. Is there any way we can use the application in the same way? Meaning, can we use our individual accounts (10 different domain accounts) but still see the same status of the running application?

Regards, Nilabh Verma


DirectAccess Infrastructure Server Change - will this break existing DA?

Hi all

We have a long-running single 2012 DirectAccess server that has served us well for nearly 5 years now.

I have been asked to add some URLs to the infrastructure that should be accessible whilst on DirectAccess, which requires me to add the addresses to the Infrastructure section of the DA configuration.

My question would be: if I make this change, it will force a GPO update to reflect the changes. So will this break DA for all remote users that are using DA at the moment? Will all users be required to log back onto DirectAccess to get the new GPO before DA will function again?

Thanks

N


Authenticating with PIV across Forest Trust

Guys...

I am at a loss here. Googled and Binged all day and have ZIP.

I have two forests each with one domain. I established a two way forest trust and can ACL objects and log in with username and password. The issue is I need to be able to log in with a PIV card. So... I need to log into forest A with my PIV and have it also provide me access to all the resources of forest B. I have no idea where to even start.

Suggestions? Someone point me in the right direction?


LDAP issue after hardening both Domain Controllers

Hi team,

Recently I was asked to apply some GPOs to both Domain Controllers in order to improve security. I applied them, and after restarting both Domain Controllers the LDAP protocol stopped working as we expected.

LDAP works if a Microsoft server sends the query, but if we try to use LDAP from Linux it doesn't work.

Running Wireshark on one of the DCs I got the following messages:



The LdapErr is the following:

LDAPMessage searchResDone(182) operationsError (000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580) [0 results]
    messageID: 182
    protocolOp: searchResDone (5)
    [Response To: 7]
    [Time: 0.000252000 seconds]

I already rolled back the following GPOs for the DCs, and this is how they are now:

Network security: LDAP client signing requirements - None
Domain controller: LDAP server signing requirements - None
Domain member: Digitally encrypt secure channel data (when possible) - Enabled
Domain member: Digitally sign secure channel data (when possible) - Enabled


What else could be causing this LDAP behaviour?

Thanks in advance,

Will

Question has a reply: Active user accounts from local domain and unused FSP objects in Foreign Security Principals Container

Hello,

I have a local domain: Accounts.root.corp. There is a 2-way external trust relationship with the external domains infra1.local and infra2.local.

In my local domain Accounts.root.corp, under the Foreign Security Principals container, there are FSP objects showing from the external domains infra1.local and infra2.local. However, I'm wondering why there are so many active user accounts from the local domain Accounts.root.corp showing under Foreign Security Principals? As per the definition, it should only contain security principals from a trusted external domain/forest.

Apart from this, how do I validate the usage of FSP objects in my domain? How do I determine whether certain FSP objects should be removed from my local domain or not?

Anyone know what kind of edition ServerStandardACor is???

I have 5 Dell PowerEdge R640 and R730 servers. I used the same Windows 2016 Standard image to install the 5 servers.

When I use the command DISM /Online /Get-CurrentEdition:

4 servers result:

Deployment Image Servicing and Management tool
Version: 10.0.17134.1

Image Version: 10.0.17134.1304

Current edition is:

Current Edition : ServerStandardCor

The operation completed successfully.

Only one of them shows:

Deployment Image Servicing and Management tool
Version: 10.0.17134.1

Image Version: 10.0.17134.1304

Current edition is:

Current Edition : ServerStandardACor

The operation completed successfully.

The 5 servers are registered with a Volume MAK channel,

and when I try to update that server to Datacenter Core:

Command: dism /online /Get-TargetEditions

Deployment Image Servicing and Management tool
Version: 10.0.17134.1

Image Version: 10.0.17134.1304

Editions that can be upgraded to:

Target Edition : ServerDatacenterACor

The operation completed successfully.
