Channel: Directory Services forum

Network Device Enrollment Service (NDES) Fails to Issue Certificate


The following links were used as references for configuring NDES on Windows Server 2016 core:

  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831498(v%3Dws.11)
  https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx

The issuing CA is an enterprise intermediate/subordinate CA.  NDES is installed on a separate server using a service account (domain user, not gMSA).  The default password behavior is configured (required, max 5, expiring after an hour).  A custom certificate template has been created for devices, added as a template to issue on the CA, and configured on the NDES server.  Appropriate permissions have been set on the template and the CA for requesting and enrolling.

The mscep_admin page shows a password.  However, requests from devices fail.  The Application event log shows the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-NetworkDeviceEnrollmentService" Guid="{73144342-19D1-47A4-94DE-D38E6A054AD5}" /><EventID>29</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2020-03-04T15:12:17.367859700Z" /><EventRecordID>1647</EventRecordID><Correlation /><Execution ProcessID="3732" ThreadID="3768" /><Channel>Application</Channel><Computer>NDES-Comp-Name.foo.bar</Computer><Security UserID="S-1-5-21-701053380-3347107659-2942889231-2638" /></System><EventData Name="EVENT_MSCEP_INVALID_PASSWORD" /></Event>

The mscep.log file shows the following:

  402.478.948: Begin: 3/4/2020 7:03 AM 24.845s
  402.483.0: w3wp.exe
  402.491.0: GMT - 8.00
  2901.1286.0:<2020/3/4, 7:03:24>: 0x80004005 (-2147467259 E_FAIL)
  2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): B96FCFEE D3EC2220 8077AF3F C2C46A2A 22BFBB57
  2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 70553F1F 27D5F499 4493B530 038929AC 4A4AD191
  2905.947.0:<2020/3/4, 7:03:24>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2905.1055.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
  2905.1497.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
  2905.923.0:<2020/3/4, 7:03:25>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 4ED75197 6054E100 DAE442EC 35A46969 120EA1EF
  2905.947.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2905.1062.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
  2905.1534.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2906.1405.0:<2020/3/4, 7:03:57>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
  2902.419.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.4738.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.3690.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5284.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5823.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5799.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.1864.0:<2020/3/4, 7:03:57>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION)
  2905.1865.0:<2020/3/4, 7:03:57>: 0x3 (WIN32: 3 ERROR_PATH_NOT_FOUND)
  2905.1866.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.1867.0:<2020/3/4, 7:03:57>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
  2905.2006.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Various sources recommend enabling the CAPI2 log.  However, that does not show any warnings or errors related to the attempt.  Are there any other logs worth examining?
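A small triage helper for the mscep.log format quoted above, added here as an example and not part of the original post or of NDES itself: it keeps only entries with a non-zero status, pulls out the thumbprint that follows some of them (written either as five groups of eight hex digits or as one run of forty), and looks it up in the local machine store so the subject and EKUs of the certificate behind a SEC_E_CERT_WRONG_USAGE entry can be read off. The sample lines are constructed from the post, and the log path at the bottom is a placeholder.

```powershell
# Added example (not from the post): summarise the non-zero statuses in an NDES
# mscep.log and map any thumbprint on the line to a certificate in the local
# machine store. The sample lines below are constructed from the log quoted above.
$sampleLog = @'
2901.1286.0:<2020/3/4, 7:03:24>: 0x80004005 (-2147467259 E_FAIL)
2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): B96FCFEE D3EC2220 8077AF3F C2C46A2A 22BFBB57
2905.947.0:<2020/3/4, 7:03:24>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
2906.1405.0:<2020/3/4, 7:03:57>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
'@ -split "`r?`n"

# One entry: "<source>:<<timestamp>>: 0x<hresult> (<decimal> <NAME>)[: <detail>]"
$entryPattern = '^(?<src>[\d.]+):<(?<time>[^>]+)>:\s+0x(?<hr>[0-9a-fA-F]+)\s+\((?<name>[^)]*)\)(?::\s*(?<detail>.*))?$'
# A thumbprint is either five space-separated groups of eight hex digits or one run of forty.
$thumbPattern = '([0-9a-fA-F]{8}(?: [0-9a-fA-F]{8}){4}|[0-9a-fA-F]{40})'

function Get-MscepFailure {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not ($line -match $entryPattern)) { continue }
        $time = $Matches.time; $hr = $Matches.hr; $name = $Matches.name; $detail = $Matches.detail
        if ([Convert]::ToInt64($hr, 16) -eq 0) { continue }          # 0x0 is success; skip it

        $thumb = $null
        if ($detail -and $detail -match $thumbPattern) { $thumb = ($Matches[1] -replace ' ', '').ToUpper() }

        # The store lookup is only meaningful on the NDES server itself, where the RA certificates live.
        $cert = $null
        if ($thumb) {
            $cert = Get-ChildItem -Path Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        }
        $subject = if ($cert) { $cert.Subject } else { '(not in LocalMachine\My)' }
        $ekus    = if ($cert) { @($cert.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join '; ' } else { '' }

        [pscustomobject]@{ Time = $time; HResult = "0x$hr"; Status = $name; Thumbprint = $thumb; Subject = $subject; EKUs = $ekus }
    }
}

Get-MscepFailure -Lines $sampleLog | Format-Table -AutoSize
# On the NDES server, feed the real log instead (path is a placeholder):
# Get-MscepFailure -Lines (Get-Content '<path-to>\mscep.log') | Format-Table -AutoSize
```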


SQL & AD connectivity issue.



I have an AD (WinServer_08_R2) & a database server_Sql (WinServer_2016_R2);

While trying to connect to my database it won't connect.

But after pinging for a few minutes the TTL value increased from 64 to 128 and then it connects.

Recently the database was migrated from WinServer_08_R2 to WinServer_2016_R2.

How can I connect to my SQL easily without pinging?

Authenticating with PIV across Forest Trust


Guys...

I am at a loss here. Googled and Binged all day and have ZIP.

I have two forests each with one domain. I established a two way forest trust and can ACL objects and log in with username and password. The issue is I need to be able to log in with a PIV card. So... I need to log into forest A with my PIV and have it also provide me access to all the resources of forest B. I have no idea where to even start.

Suggestions? Someone point me in the right direction?


Setting up AD lightweight services


Server 2016.

I tried creating a lightweight instance with both creating a partition and without creating one.

How do I add users that can use the lightweight services and restrict access?

Thanks

List of all user attributes with value (including empty one)


Hi,

I want to get all the attributes listed for a user under "Attribute Editor", including values. That list should also include the attributes that don't have values. I am running the following command, but it's not giving the empty attributes:

get-aduser username -properties * | out-file "attributes.csv"

Can someone please help me to get what I need?


Regards, Nilabh Verma
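The listing asked for above, added here as an example and not code from the post: `Get-ADUser -Properties *` only returns attributes that hold a value, so the script first walks the schema (the `user` class, its `subClassOf` chain and its auxiliary classes) to collect every attribute a user object may carry, then emits one row per attribute with an empty value where the user has none. It assumes the ActiveDirectory module and a live domain; `username` is the poster's placeholder.

```powershell
# Added example (not from the post): enumerate every attribute the schema allows
# on a user object, including those the user has no value for, and write them
# to a CSV. Needs the ActiveDirectory module and a live domain.
Import-Module ActiveDirectory

function Get-UserSchemaAttribute {
    # Walk the "user" class up its subClassOf chain and across its auxiliary
    # classes, collecting mayContain/mustContain and their system* variants.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $attrProps  = 'mayContain', 'systemMayContain', 'mustContain', 'systemMustContain'
    $classProps = 'subClassOf', 'auxiliaryClass', 'systemAuxiliaryClass'
    $names   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $seen    = @{}
    $pending = [System.Collections.Generic.Queue[string]]::new()
    $pending.Enqueue('user')
    while ($pending.Count -gt 0) {
        $ldapName = $pending.Dequeue()
        if ($seen.ContainsKey($ldapName)) { continue }      # "top" lists itself as subClassOf
        $seen[$ldapName] = $true
        $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ldapName))" -Properties ($attrProps + $classProps)
        if (-not $class) { continue }
        foreach ($p in $attrProps)  { foreach ($a in $class.$p) { [void]$names.Add($a) } }
        foreach ($p in $classProps) { foreach ($c in $class.$p) { $pending.Enqueue($c) } }
    }
    $names | Sort-Object
}

function Export-UserAttribute {
    param([Parameter(Mandatory)][string]$Identity, [string]$Path = 'attributes.csv')
    # -Properties * returns only attributes that hold a value; the rest read as $null here.
    $user = Get-ADUser -Identity $Identity -Properties *
    $rows = foreach ($name in Get-UserSchemaAttribute) {
        $value = $user.$name
        $text  = if ($null -eq $value) { '' } else { @($value | ForEach-Object { "$_" }) -join '; ' }
        [pscustomobject]@{ Attribute = $name; HasValue = ($null -ne $value); Value = $text }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows
}

Export-UserAttribute -Identity 'username' | Format-Table -AutoSize
```

Constructed attributes such as tokenGroups are not returned by `-Properties *` and will show as empty even though the directory can compute them on request.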

Windows 2016 BPA error - Cannot find directory server with identity: 'UServer$'


Hi Support,

When running the BPA on the Windows 2016 DCs, we found that one of the DCs has many errors as below:

  Issue:
  The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about the hostname DNS A/AAAA records from the DNS servers.

  Impact:
  The AD DS BPA will not be able to validate configuration data about the hostname DNS A/AAAA records.

  Resolution:
  Troubleshoot the DNS servers to determine the root cause of the problem.

When checking the DirectoryServices_EngineReport, it has this error:

  <HostNameDnsRecord>
    <Error>
      <Report>true</Report>
      <DataItem>the hostname DNS A/AAAA records</DataItem>
      <Computer>the DNS servers</Computer>
      <Message>This element requires a valid Server Hostname</Message>
      <FullyQualifiedErrorId>This element requires a valid Server Hostname</FullyQualifiedErrorId>
      <Exception>
        <Type>System.ArgumentException</Type>
        <Message>This element requires a valid Server Hostname</Message>
        <InnerException>
          <Type>Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException</Type>
          <Message>Cannot find directory server with identity: 'Server$'.</Message>

I checked that DNS has the server record. Trying ntdsutil, the server can be found. Replication on all DCs is healthy.

Any idea?

Best Regards

Chong



Unable to delete the child object of a computer-Server 2012 R2


Recently, a lot of my local IT staff are migrating from 2008 R2 to 2012 R2. We have created a delegation for all local IT people so they can create/delete/join computers and servers in the domain. They are able to delete the servers except a few, and they reported it to me. When I checked, I found that those computers have a child object, and because of that the local IT team is not able to delete them. So for testing purposes, I deleted the child object for one computer and then asked local IT to delete the computer; it was successful. So I suspect the child object is causing the problem. I exported the permissions of the PARENT and CHILD objects using the DSACLS command; there seems to be no problem. Inheritance is enabled. Though no issue was found from the exported permissions, when I manually verify the child object's permissions, the "Create Child and Delete Child object" permission seems to be missing from the child object, but the same is applied at the parent and inheritance is applied. Any assistance highly appreciated. Thank you.


Arif

ADDS to integrate to existing Domain Name System


Hi,

Is it possible to integrate a newly installed Active Directory Domain Services into an existing standard (on-premise) DNS? If yes, what would be the prerequisites and the steps to do it?

Thank you!!


Domain Controller Decommission Error - can't find a GC server


Hello,

We have a Windows Server SBS 2008 DC that we are trying to decommission.  It also was our Exchange server (2007), but we migrated to O365.  We have a new Server 2012 R2 DC up and running.  I've moved the following roles to the 2012 server:

  • ADDS, DNS, DHCP
  • FSMO roles
  • Global Catalog Server

Now when I try to run dcpromo on the SBS server, it gets to the end and fails saying it can't find a global catalog server.  I've checked the firewalls and also made sure the NIC is pointing to the new server for DNS.  When I try to uninstall Exchange 2007 from the SBS server, I get the same error message stating it can't find a GC server.  Does anyone have any suggestions?

Thanks.



Active Directory account lockout behaviour


Hi Team,

I have some doubts about the AD 2019 user account lockout issue.

I have two users, say user1 and user2, in AD with an account lockout setting of 3 wrong passwords.

  • user1 tries to log in with a wrong password 2 times.
  • then user2 logs in with correct credentials and logs out.
  • again user1 tries to log in 2 times with a wrong password (4 wrong passwords in total)
  • still no account lockout for user1

The account lockout will happen if it exceeds 3 times consecutively. That is, in a single attempt.

If any other user logs in in the middle, the previous count of wrong passwords gets reset.

Could you please confirm this behaviour, and if possible please share an official link to understand it properly.

Thanks in Advance.

Regards,

Venkadesh
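A way to check a lockout test like the one above against what the directory actually recorded, added here as an example and not code from the post: it reads the bad-password bookkeeping for a user from every DC, marks the PDC emulator, and shows the effective threshold and observation window. It assumes the ActiveDirectory module and a live domain; `user1` is the poster's account name.

```powershell
# Added example (not from the post): read the bad-password bookkeeping for a
# user from every DC, next to the effective lockout policy, so a lockout test
# can be compared with what the directory actually recorded.
Import-Module ActiveDirectory

function Get-BadPasswordState {
    param([Parameter(Mandatory)][string]$Identity)
    # A fine-grained password policy wins over the domain default when one applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        # badPwdCount and badPasswordTime are not replicated: each DC keeps its own
        # copy, and failed attempts are also forwarded to the PDC emulator, so its
        # figure is the one the lockout threshold is really judged against.
        $u = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut
        $lastBad = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
        # The counter returns to 0 once the observation window has passed since the last failure.
        $resetAt = if ($lastBad) { $lastBad + $policy.LockoutObservationWindow } else { $null }
        [pscustomobject]@{
            DC                = $dc.HostName
            IsPdcEmulator     = ($dc.HostName -eq $pdc)
            BadPwdCount       = $u.badPwdCount
            LastBadPassword   = $lastBad
            CounterResetsAt   = $resetAt
            LockedOut         = $u.LockedOut
            LockoutThreshold  = $policy.LockoutThreshold
            ObservationWindow = $policy.LockoutObservationWindow
        }
    }
}

Get-BadPasswordState -Identity 'user1' | Sort-Object IsPdcEmulator -Descending | Format-Table -AutoSize
```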


Post update checklist


Hi,

I am at the stage of creating a list of steps for patching Active Directory (VMs). Can you guys help me with a list that I MUST check after patching AD?

Regards,

Richard

Delegation of rights

How to delegate the rights to a user without giving them access to a Domain Controller? I know the process of creating a group of users and putting them within an OU and delegating rights. But would they still be connected to a DC? 

Active Directory (Best Practices for Managing)


Hello Folks,

Can anyone suggest the best practices document for managing Active Directory?

I mean in terms of users, groups and security etc.

Appreciate your feedback, Thanks 

Anyone know what kind of edition ServerStandardACor is???


I have 5 Dell PowerEdge R640 and R730 servers. I used the same Windows 2016 Standard image to install the 5 servers.

When I use the command DISM /Online /get-currentEdition:

4 servers show:

  Deployment Image Servicing and Management tool
  Version: 10.0.17134.1

  Image Version: 10.0.17134.1304

  Current edition is:

  Current Edition : ServerStandardCor

  The operation completed successfully.

Only one of them shows:

  Deployment Image Servicing and Management tool
  Version: 10.0.17134.1

  Image Version: 10.0.17134.1304

  Current edition is:

  Current Edition : ServerStandardACor

  The operation completed successfully.

The 5 servers are registered with a Volume MAK channel.

And when I try to update that server to DataCenterCore:

Command: dism /online /GET-TARGETEDITIONS

  Deployment Image Servicing and Management tool
  Version: 10.0.17134.1

  Image Version: 10.0.17134.1304

  Editions that can be upgraded to:

  Target Edition : ServerDatacenterACor

  The operation completed successfully.

distribution List with restricting sender without exchange on premise


Hi, I need to create a distribution list within our AD but with a restriction on who can send email to this list. How can I do this without having Exchange on premise?

I tried to modify the following settings but get an error:

  • AuthOrig
  • dLMemberRule
  • DlMemDefault
  • dLMemRejectPerms
  • dLMemSubmitPerms

  There is no editor registred to handle this attribute type


Need Configuration of ADDS / DNS


Dear Folks,

I have a hosted server with a public IP, and I have installed the ADDS role on it. Right now I'm unable to join a client to that domain because my server's IP is public, so can you guide me on how to resolve this issue for joining my client from an outside network?

Thanks

Difference between 'Never expire' and 'Not Defined' with regard to the Maximum password age field.

So I read that the value 0 in the Maximum password age field refers to the option of never expire, while a value of negative 1 refers to the option of not defined. What is the difference between the two? What happens when a value is not defined?

Extending Active Directory into China (Data privacy and regulatory concerns)


We are a North American company with head office in China (China office already a different forest and domain). However, we want to extend the North American domain and Active Directory into China. The employees of China office will be using ~80% of the services currently utilized globally. This includes all the SSO, Exchange, same O365 Tenant, etc.

There have been some concerns raised about replicating non-Chinese employee's AD data (and other regulatory considerations like GDPR) through the Great Firewall of China. The new cybersecurity laws in China allow PKI and AD traffic encryption but not without the ability for the government to have access to this information.

I am wondering what have other companies in North America and Europe done to overcome this challenge? 

We chatted briefly about a standalone forest with a trust, but this may or may not be the best solution.


Purpose of Distribution groups in Active Directory.


When mails could be distributed even using security groups, why do we need distribution groups in Active Directory? Every post I see only lists the differences between Security and Distribution groups, but why are distribution groups needed in the first place when the same function can be achieved through security groups?

I have a couple of questions around KeyTab files please


Can someone kindly help with the following.

I have been reading the following Microsoft document

https://social.technet.microsoft.com/wiki/contents/articles/36470.active-directory-using-kerberos-keytabs-to-integrate-non-windows-systems.aspx

which deals with KeyTab files, but some things are still unclear to me. I reached out to the author but did not get a reply, therefore can someone else please assist.

Question 1:

As far as I understand it a KeyTab file allows an AD user to authenticate against a non-Windows system (e.g. a standalone Kerberos capable Linux host running a WEB App for example), is that correct?

Question 2:

The above document, includes the following command line 

  ktpass -out centos1-dev-local.keytab -mapUser krbCentos@DEV.LOCAL +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/centos1.dev.local@DEV.LOCAL

The parts I am particularly interested in I have highlighted in bold above: the AD user name (first bold item) is obviously the AD user.  The second item in bold is an SPN registered against the AD user krbCentos.

So the way I think it works is: if X (whatever X is) wants to use the service HTTP/centos12.dev.local (as this is the SPN registered), then the resulting Kerberos service ticket (ST) will be encrypted with the long-term key of the AD user krbCentos. Now this is the same information held in the KeyTab (SPN and encrypted key), so they match and the Kerberos service ticket can be decrypted by the Linux host (in possession of the KeyTab file) and thereby allow access.

Is my assumption/understanding above correct?

Question 3:

Also, what about the TGT? I assume the AD user already has a TGT in the normal fashion, as if it did not already have one (perhaps the above process was kicked off by a script and krbCentos had not already logged into the domain yet), you cannot obtain a Kerberos service ticket without presenting a TGT. How does this come together when using a KeyTab?

Question 4:

Is the process of authentication using KeyTab files always kicked off on the Active Directory side, i.e. some process running on AD says "OK, I need a service ticket for HTTP/centos12.dev.local", then requests a service ticket as mentioned above?

What I really want to know from this question is whether the Linux host (not domain joined and no realm trust) can kick off the process, meaning some process or script on the Linux side says "I need to authenticate to AD to access some information or files" and uses its KeyTab to perform the authentication, with the Linux box being the one requesting the TGT/TGS from the Windows KDC (using the information in the keytab to authenticate)?

Thanks all, I would be grateful for some help with my understanding (clearing things up) in relation to the above.

Charlie
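The AD-side checks behind a ktpass mapping like the one in the post, added here as an example and not the poster's or Microsoft's code: a service ticket for the SPN is encrypted with the key of whichever account carries that SPN, so the SPN must belong to exactly one account, that account must allow the enctype the keytab was cut with, and the account's current key version must still equal the kvno stored in the keytab. The account and SPN are the post's; the kvno passed at the bottom is a constructed placeholder, and the script assumes the ActiveDirectory module and a live domain.

```powershell
# Added example (not from the post): check the AD side of a keytab written by a
# ktpass command like the one above. ktpass prints the real "vno" when it writes
# the keytab; the value passed at the bottom is a constructed placeholder.
Import-Module ActiveDirectory

function Test-KeytabMapping {
    param(
        [Parameter(Mandatory)][string]$Spn,         # e.g. HTTP/centos1.dev.local
        [Parameter(Mandatory)][string]$Account,     # sAMAccountName the SPN was mapped to
        [Parameter(Mandatory)][int]$KeytabKvno      # key version number stored in the keytab
    )
    # The KDC encrypts a service ticket for $Spn with the key of whichever account
    # carries that SPN, so exactly one account may hold it and it must be $Account.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
    $acct = Get-ADUser -Identity $Account -Properties 'msDS-KeyVersionNumber', 'msDS-SupportedEncryptionTypes', userPrincipalName
    # msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256-CTS-HMAC-SHA1-96.
    $etypes = [int]($acct.'msDS-SupportedEncryptionTypes')
    $kvno   = [int]($acct.'msDS-KeyVersionNumber')
    [pscustomobject]@{
        Spn               = $Spn
        SpnHolders        = (@($holders | ForEach-Object sAMAccountName) -join ', ')
        SpnUnique         = ($holders.Count -eq 1 -and $holders[0].sAMAccountName -eq $acct.SamAccountName)
        UserPrincipalName = $acct.UserPrincipalName       # ktpass -mapUser rewrites this to the -princ value
        KvnoInAD          = $kvno
        # +rndPass reset the password, and every later password change bumps this number;
        # a keytab whose kvno no longer matches cannot decrypt the tickets the KDC issues now.
        KvnoMatchesKeytab = ($kvno -eq $KeytabKvno)
        Aes256Allowed     = (($etypes -band 0x10) -ne 0)
    }
}

Test-KeytabMapping -Spn 'HTTP/centos1.dev.local' -Account 'krbCentos' -KeytabKvno 3 | Format-List
```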
