Hi,
Is it possible to integrate newly installed Active Directory Domain Services to an existing DNS (on-premise) standard? If yes what would be the pre-requisites and steps to do?
Thank you!!
↧
ADDS to integrate to existing Domain Name System
↧
anyone know what kind of edition is ServerStandardACor ???
I have 5 Dell Poweredge R640 and R730. I used the same Windows 2016 Standard image to install the 5 servers.
When I use the command DISM /Online /get-currentEdition:
4 servers result:
Deployment Image Servicing and Management tool
Version: 10.0.17134.1
Image Version: 10.0.17134.1304
Current edition is:
Current Edition : ServerStandardCor
The operation completed successfully.
Only one of them shows:
Deployment Image Servicing and Management tool
Version: 10.0.17134.1
Image Version: 10.0.17134.1304
Current edition is:
Current Edition : ServerStandardACor
The operation completed successfully.
the 5 servers are registered with a Volume MAK channel
and when I try to update that server to DataCenterCore:
Command: dism /online /GET-TARGETEDITIONSDeployment Image Servicing and Management tool
Version: 10.0.17134.1
Image Version: 10.0.17134.1304
Editions that can be upgraded to:
Target Edition : ServerDatacenterACor
The operation completed successfully.
↧
↧
I am using ADFS 3.0 with WID database and i want to know backup and restore process on new hardware
Hi Support,
I am using ADFS 3.0 with WID database and now i want to plan to move ADFS on new hardware.
Can you share the best option and help me to share the backup and restore process.
↧
Lsass.exe crash during IADsUser->ChangePassword() (faulty module: msv1_0.DLL)
Hai,
When I try to change a network user's password using ADSI's IADsUser->ChangePassword(), the server machine where my application is running is getting rebooted.
- Error code during IADsUser->ChangePassword() = ERROR_CODE=800706ba :The RPC server is unavailable.
- RPC related services are working properly on the Domain controller. Also I haven't made changes to RPC service or ports.
Few event logs related to the incident before the restart,
- Event ID: 5000, Error, LSA(LsaSrv) - (system log) - The security package MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 generated an exception.
- Event ID: 1074, Info, User32(source) - (system log) - The process winint.exe has initiated the restart of computer on behalf of user for the following reason. Reason code : 0x50006, Comment: The System process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255.
- Event ID: 1000, Error - (application log) - Faulty application name: lsass.exe(c:\Windows\system32\), version: 6.2.9200.20521; Faulty module name : msv1_0.DLL(c:\Windows\system32\), version: 6.2.9200.22978; Exception code: 0xc0000005
The log message are obtained when trying this in a Windows Server 2012 machine.
Any help would be appreciated as it seems a critical issue due to the reboot of the server machine.
↧
LDAP port 389 connect to AD used from client (Domain joined) computer across site and services subnets setting questionaire
Hi I have problem with my environment about active directory port ldap 389. My scenario is I have active directory for 2 sites, each sites have 2 active directory servers, I have specified all network to subnets in active directory site and subnet with correct configuration, I have DHCP server in each site which each site configure dns (DHCP option) point to each site of dns servers.
In my Firewall application which locate between site for investigate the traffic shows that it is have some client computer using DHCP calling ldap connection across site (e.g. Computer in site A call ldap 389 to Active directory server site B).
The problem I found that are list below
1. Is this ldap connection situation occur as normal from active directory configuration?, If not what component I have to check
2. It is possible that they have some application on the client computer that query some data from active directory and setting not properly and it let this application connect to another site ?
3. If it is not from active directory event to use this ldap (or involve with question 2), can you please confirm document guide or have the way to prove this.
Thank you
↧
↧
Domain Controller Decommission Error - can't find a GC server
Hello,
We have a Windows Server SBS 2008 DC that we are trying to decommission. It also was our exchange server (2007) but we migrated to O365. We have a new Server 2012 R2 DC up and running. Ive moved the following roles to the 2012 server:
- ADDS, DNS, DHCP
- FSMO roles
- Global Catalog Server
Now when I try to run dcpromo on the SBS server, it gets to the end and fails saying it can't find a global catalog server. Ive check the firewalls and also made sure the NIC is pointing to the new server for DNS. When I try to uninstall Exchange 2007 from the SBS server, I get the same error message stating it can't find a GC server. Does anyone have any suggestions?
Thanks.
↧
Delegation of rights
How to delegate the rights to a user without giving them access to a Domain Controller? I know the process of creating a group of users and putting them within
an OU and delegating rights. But would they still be connected to a DC?
↧
Difference between 'Never expire' and 'Not Defined' with regard to the Maximum password age field.
So I read that the value 0 in the Maximum password age field refers to the option of never expire, while a value of negative 1 refers to the option of not defined. What is the difference between the two? What happens when a value is not defined?
↧
Purpose of Distribution groups in Active Dirctory.
When mails could be distributed even using security groups, why do w need distribution groups in active directory? Every post I see only lists the differences between Security and Distribution groups, but why distribution groups are needed in the first
place when the same function can be achieved through security groups
↧
↧
I have a couple of questions around KeyTab files please
Can someone kindly help with the following
I have been reading the following Microsoft document
https://social.technet.microsoft.com/wiki/contents/articles/36470.active-directory-using-kerberos-keytabs-to-integrate-non-windows-systems.aspx
Which deals with KeyTab files, but somethings are still unclear to me, I reached out the the author but did not get a reply, therefore can someone else please asssit
Question 1:
As far as I understand it a KeyTab file allows an AD user to authenticate against a non-Windows system (e.g. a standalone Kerberos capable Linux host running a WEB App for example), is that correct?
Question 2:
The above document, includes the following command line
ktpass -out centos1-dev-local.keytab -mapUserkrbCentos@DEV.LOCAL+rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princHTTP/centos1.dev.local@DEV.LOCAL
The parts I am particularly interested in I have highlighted in bold above, the AD user name (first bold item) is obviously the AD User. The second item in bold is an SPN registered against the AD User krbCentos
So they want I think it works is if X (what ever X is), wants to use the service HTTP/centos12.dev.local (as this is the SPN registered) then the resulting Kerberos service ticket (ST) will be encrypted with the long term key of the AD User krbCentos. Now this is the same information held in the KeyTab (SPN and encrypted key), so they match and the Kerberos service ticket can be de-crypted by the Linux host (in possession of the KeyTab file) and thereby allow access
Is my assumption/understanding above correct?
Question 3:
Also, what about the TGT, I assume the AD User already has a TGT in the normal fashion, as if it did not already have one (as perhaps the above process was kicked off by a script and krbCentoshad not already logged into the domain yet), you cannot obtain a Kerberos service ticket without presenting a TGT how does this come together when using a KeyTab?
Question 4
Is the process of authentication using KeyTab files always kicked of on the Active Directory side, i.e. some process running on AD says OK I need a service ticket for HTTP/centos12.dev.local, then requests a service ticket as mentioned above.
What I really want to know from this question if can the Linux (no domain joined and no realm trust) kick of off the process? meaning some process or script on the Linux side says I need to authentication to AD to access some information or files and use its
KeyTab to perform the authentication by the Linux box being the one requesting TGT/TGS from the Windows KDC (using the information in the keytab to authenticate) ?
Thanks all, I would be grateful for some help with my understanding (clearing things up), in relation to the above
Charlie
↧
Ldap issue
HI,
We want to go ahad with new LDAP Signing and Channel Binding Changes in Active Directory
we have installed the March updates on both our server 2012 R2 DC and server 2016 member servers and set the
DC policy
Domain controller: LDAP server channel binding token requirements = Always
Domain controller: LDAP server signing requirements = Require singing
On member servers:
Network security: LDAP client signing requirements = Require singing
Also set the registry on DC to highest:
Enable LDAP Signing and LDAP Channel BindingLDAPServerIntegrity = 2
LdapEnforceChannelBinding = 2
Internal event: An LDAP client connection was closed because of an error.
Client IP:
10.0.10.11:50039
Additional Data
Error value:
1236 The network connection was aborted by the local system.
Internal ID:
c060410
Shahin
↧
Post update checklist
Hi,
I am on the stage of creating a list of steps in patching Active Directory (VM's). Can you guys help me with a list that I MUST check after patching AD?
Regards,
Richard
↧
No cached kerberos ticket on multiple clients, but not always...
Hi people,
I have various load/speed troubles over my network. Not only on my location, but also with SAAS-services throuch MPLS-network or the other way around via VPN to my location.
I reported it with central IT who administrates the network connections. He showed me the "klist.exe" command as a way to prove Kerberos is working as it should.
It resulted in:
Credentials cache C:\Users\username\krb5cc_username not found.
He pointed to this as the main reason for my problems.
Searching the Internet give zero information, but the info that the client having this result uses probably NTLM to authenticate. That could explane (some) of the slow connections.
Config:
- Servers: Windows 2016 DC, domain functional level 2016
- Windows 2008R2 fileserver
- Synology NAS as archive
Client:
- Windows 7
- Windows 10
It happens on multiple clients, but, a client can have the problem one day while having normal multiple tickets the next day. Without me knowing why...
"klist.exe" on the domaincontrollers and the servers always results in Kerberos tickets.
On clients without tickets: "kinit.exe" creates a ticket, but no additional ticket is made when I access a new resource on the network.
Does anybody know a way to address this problem?
All the best,
Jan
↧
↧
Error connection client to new domain.
I'm new working with server and i'm trying to connection a client with a new domain. The name of this domain is for example: microsoft and complete name is microsoft.com.
In my client dns i change it the first one for the IP of my Server. So when i try to join the client to domain server only with microsoft aske me for my user and my password, i insert all data and after that get a error about cant solved the name DNS, but if i try to connect the client with microsoft.com i get another error: error 0x0000232B RCODE_NAME_ERROR).
Say the DNS not exist. i dont know if i have to create or configurate the DNS from my server. I read a lot in a many pages but i cant solved. i really appreciate any help!.
Aditional note: I cant ping microsoft.com, but i can create a new dns with the name microsoft.com and ping but nothing change with the error.
↧
Need Configuration of ADDS / DNS
Dear Folks,
I have hosted server with public IP, I have installed ADDS and role on it, right I'm unable to join client to that domain becuase the my server ip is public so can you guide me how can resolve this issue for joining my client from outside network.
Thanks
↧
pull users using AD attribute
Hi Experts
I want to make a dynamic distribution list but before that i am trying to write a query to pull Johns ogranization of manager who has direct reports and without direct reports
We have below custom attribute in AD for example
for paul i have customattribute01 as |john|roger|<paul>|
for tim i have customattribute01 as|john|roger|paul|<tim>|
If i use the below query i am getting the output but i dont see tims name because tim doesnot have direct reports, even though tim doesnot have direct reports i want to pull tim as well. experts guide me on this to modify the below query to include tim as well.
((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))
$input = "((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))"
Get-ADUser -Filter $input -properties DisplayName,Userprincipalname| Select DisplayName,Userprincipalname |export-csv C:\data.csv -Notypeinformation
I want to make a dynamic distribution list but before that i am trying to write a query to pull Johns ogranization of manager who has direct reports and without direct reports
We have below custom attribute in AD for example
for paul i have customattribute01 as |john|roger|<paul>|
for tim i have customattribute01 as|john|roger|paul|<tim>|
If i use the below query i am getting the output but i dont see tims name because tim doesnot have direct reports, even though tim doesnot have direct reports i want to pull tim as well. experts guide me on this to modify the below query to include tim as well.
((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))
$input = "((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))"
Get-ADUser -Filter $input -properties DisplayName,Userprincipalname| Select DisplayName,Userprincipalname |export-csv C:\data.csv -Notypeinformation
↧
Does my Linux host need to be joined to AD in order for me to use KeyTab files for Kerberos authentication
Hello,
Can someone please help with the following
If I have an App/WEB site etc. on a standalone Linux host (Kerberos aware), e.g. no realm trusts of any kind
Then I have an Active Directory domain with my Users and I create a KeyTab file on Windows using KTPass with the relevant information, SPNs of Linux Service and AD user this information is to be associate with (to request a service ticket)
I then take the KeyTab file and import/setup on the Linux host
Do I also need to join the Linux Host to Active Directory (using SSSD or Centrify for example) in order to the KeyTab file to work?
I would be very grateful for any help on this please
Thanks
CXMelga
↧
↧
Active Directory 2008 R2 Migration to Active Direcotry 2016 or 2019
Dear TechNet Members
In our environment currently we have windows server 2008 R2 Active directory 3 DC at Head Office and 2 Domain Controller at DR site As per Microsoft End of support and End of Life we are planning to upgrade our DC's to Windows Server 2016 or Windows Server 2019
I need expert advice for the migration as I have my ROOT DC as on Physical IBM Blade.
I have below concerns
1. We have ROOT CA on Additional Domain controller
2. We have many application which still doesn't support TLS 1.2
3. Currently We are using Exchange Server 2013 CU 23 in our environment
4. We have 1000 plus users inside our Organization
5. Currently We are using SCCM and SCOM 2016
6. Symantec Enterprise Vault 12.3 & Symantec NetBackup as Backup Solution
7. Some Applications are directly connected to ROOT DC with ROOT DC DNS Name and its point of concerns for us.
I need some expert advise prior to migration so I will not miss out any point during the Migration as its very critical task for the organization.
↧
An active directory domain controller cannot be contacted
Hi,
I built a server 2019 domain controller. I successfully promoted the server to domain controller. I also built a windows 10 computer to use as a workstation.
When I try to join the windows 10 computer to the domain I get error :
"An Active Directory Domain controller (AD DC) for the domain "domain" could not be contacted."
DNS was successfully queried for service location (SRV) resource record used to locate a domain controller for domain "domain":
The query was fo SRV record _ldap._tcp.dc._msdcs.domain.com
The following domain controllers were identified by the query:
(no Active Directory Domain Controllers found)
However no domain controllers could be contacted.
Please advice I am trying to build a lap on my laptop and I am using public wifi for connection.
Thanks,
Senait
↧
Migrated User accounts showing under Foreign Security Principals Container
Hello,
There are user accounts that had been migrated (by using ADMT tool) from trusted external domain and external domain SID is visible under Name column in Foreign Security Principals Container of internal local domain ADUC.
These user accounts also showing under Target OU (during migration) of internal local domain.
But My question is why these migrated user accounts showing under Foreign Security Principals container?
Is there any known issue in ADMT for duplication of accounts during migration or post migration?
Kindly explain the above mentioned scenario along with root cause.
Just FYI, 2 way external trust is still established between internal local domain and external domain(separate from internal domain forest).
Tech9
↧