Channel: Directory Services forum
Viewing all 31638 articles

pull users using AD attribute

Hi Experts

I want to make a dynamic distribution list, but before that I am trying to write a query to pull John's organization: the managers who have direct reports and those without direct reports.

We have the below custom attribute in AD, for example:

for Paul I have customattribute01 as |john|roger|<paul>|
for Tim  I have customattribute01 as |john|roger|paul|<tim>|

If I use the below query I get the output, but I don't see Tim's name because Tim doesn't have direct reports. Even though Tim doesn't have direct reports, I want to pull Tim as well. Experts, guide me on modifying the below query to include Tim as well.

((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))

# $input is a PowerShell automatic variable; use a name of your own for the filter string.
$filter = "((extensionAttribute01 -like '*john*') -and (directReports -like '*'))"
Get-ADUser -Filter $filter -Properties DisplayName,UserPrincipalName | Select-Object DisplayName,UserPrincipalName | Export-Csv C:\data.csv -NoTypeInformation
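An added example, not part of the post above: the `directReports -like '*'` clause is what drops Tim, so the filter below matches only on the reporting-chain attribute and reports the direct-report status as a column instead of filtering on it. It assumes the attribute is the Exchange-schema `extensionAttribute1` (Active Directory has no `extensionAttribute01`), that values are pipe-delimited exactly as shown in the post, and that the ActiveDirectory module is installed. It also matches the delimited token `|john|` rather than the bare substring, because `'*john*'` would also return everyone under a "johnson".

```powershell
# Added example, not from the original post. Assumptions: attribute name
# extensionAttribute1, pipe-delimited values such as "|john|roger|paul|tim|".
Import-Module ActiveDirectory

$manager = 'john'
# Match the delimited token so "johnson" or "bigjohn" do not slip in.
# No directReports clause: that is what brings back leaf users such as Tim.
$filter = "extensionAttribute1 -like '*|$manager|*'"

$users = Get-ADUser -Filter $filter -Properties DisplayName, extensionAttribute1, directReports

# Keep managers and non-managers in one result set and annotate them instead.
$report = $users | Select-Object DisplayName, UserPrincipalName,
    @{ Name = 'HasDirectReports'; Expression = { $_.directReports.Count -gt 0 } },
    @{ Name = 'Chain';            Expression = { $_.extensionAttribute1 } }

$report | Export-Csv -Path C:\data.csv -NoTypeInformation

# Sanity check before a dynamic DL is built on this filter: every row must carry
# the exact delimited token, not merely contain the letters "john".
$bad = $users | Where-Object { $_.extensionAttribute1 -notmatch "\|$manager\|" }
if ($bad) { Write-Warning "Unexpected matches: $($bad.SamAccountName -join ', ')" }
```

If the same filter string is later pasted into a dynamic distribution group recipient filter, keep the delimiter in it; a bare `*john*` there has the same over-matching problem.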

Setting up AD lightweight services


Server 2016.

I tried creating a lightweight instance both with creating a partition and without creating one.

How do I add users that can use the lightweight services and restrict access?

Thanks

Member of the Event Log Readers group removed by System.


Hello,

I added a new member to the Event Log Readers group, but the account is removed by System and I am unable to find the cause.  This only seems to be happening in one of my domains.  I have found event ID 4733, which states System, but I am not sure why it's doing this.  How do I get a membership to stick to this group?

The Domain Controllers are 2012 R2.

Thanks!


Shawn
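An added example, not from the post above: a 4733 whose Subject is SYSTEM is the signature of a policy-driven membership rewrite rather than an administrator's action, and the usual source is a Restricted Groups entry in a GPO that applies to the domain controllers. The script below pulls the 4733 events for the group from the PDC emulator (an assumption; each DC logs its own events) and then searches every GPO report for a Restricted Groups definition naming Event Log Readers. It assumes the ActiveDirectory and GroupPolicy modules are present; a scheduled script or a third-party identity tool can produce the same event and would not show up in the GPO search.

```powershell
# Added example, not from the original post. Assumptions: AD + GroupPolicy modules,
# events read from the PDC emulator, group name as in the post.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dc     = $domain.PDCEmulator
$group  = 'Event Log Readers'

# 1. Who removed the member, and when. 4733 = member removed from a security-enabled local group
#    (domain local groups such as Event Log Readers log this ID).
$xpath = "*[System[EventID=4733] and EventData[Data[@Name='TargetUserName']='$group']]"
Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # SYSTEM => policy engine, not a person
            Member  = $d.MemberSid
            LogonId = $d.SubjectLogonId
        }
    }

# 2. Which GPOs define membership for the group via Restricted Groups.
#    local-name() sidesteps the namespace prefixes the report XML uses.
$hits = foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    $xml = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain.DNSRoot)
    foreach ($r in $xml.SelectNodes("//*[local-name()='RestrictedGroups']")) {
        if ($r.InnerXml -match [regex]::Escape($group)) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Definition = $r.InnerText }
        }
    }
}
$hits | Format-Table -AutoSize
```

If a GPO turns up, the fix is to add the account to that policy's member list (or switch the entry to the additive "Member of" form) rather than to the group directly; otherwise the next policy refresh on the DC removes it again.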

radius proxy


Dears,

I'm facing this issue on my proxy server: the trust relationship between this workstation and the primary domain failed.

I tried to reset the computer account; it didn't work.

I am able to log in with my local admin.

I tried the Reset-ComputerMachinePassword and Test-ComputerSecureChannel cmdlets, but they return the following error:

Cannot get domain information about the local computer because of the following exception: not found.

Any idea about that?

The only thing remaining is disjoining and rejoining the proxy. Will this cause me any issues, experts?

Or can I disjoin and join?

Best regards

Linux LDAP connection across multiple forests


Hi, 

We have domain A and domain B. A two-way trust is enabled between domain A and domain B.

We have an application (App1) in domain A. Can we perform the LDAP integration with domain A and search the users in domain B?

Please share the details.

Regards,

S Kannan

Conflict with suffix name.


Hello. How can I fix it? I want to make a trust with a second forest, but I got a problem:

Server 2012 DC FRS to DFSR with Server 2019 DC

I have a 2012 DC that has been in place for a while and have added a 2019 server. I added it as a DC and did dcpromo, but replication is not working. I attempted to do the FRS to DFSR migration, but it stated that it was already in the Eliminated state; the DFSR service is running on both DCs with the FRS service stopped and disabled. I could not run the migration steps; it seemed like it had already been in that state, but there is no SYSVOL_DFSR folder, as everything I've found said there should be. Also, the 2012 DC was the only DC to start with. I cannot get replication to work. Any suggestions?

I've removed the 2019 server as a DC and demoted it, so it's just a member server; 2012 is still showing that it is running DFSR.
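An added example, not from the post above: a domain that was created at a 2008 or later functional level uses DFSR for SYSVOL from the start, so dfsrmig reporting Eliminated and no SYSVOL_DFSR folder existing is the expected picture on a DC that never ran FRS (SYSVOL_DFSR only appears on DCs that went through the migration). The script below shows the migration state from both the AD object and the local tool, checks that SYSVOL is actually shared and which service is serving it, lists the DFSR SYSVOL replication group members, and finishes with an AD replication error summary, since SYSVOL replication cannot work while AD replication is failing. It assumes the ActiveDirectory module and that it is run on a DC.

```powershell
# Added example, not from the original post. Assumes AD module; run on a domain controller.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Global migration state stored in AD: 0 Start, 16 Prepared, 32 Redirected, 48 Eliminated.
$dn    = "CN=DFSR-GlobalSettings,CN=System,$domainDn"
$flags = (Get-ADObject -Identity $dn -Properties 'msDFSR-Flags').'msDFSR-Flags'
$state = @{ 0 = 'Start'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated' }[[int]$flags]
"AD global state: $flags ($state)"

# 2. The same state as dfsrmig sees it, globally and per DC (all DCs must agree).
dfsrmig /getglobalstate
dfsrmig /getmigrationstate

# 3. Is SYSVOL served at all, from which folder, and by which service?
#    Migrated DCs share SYSVOL_DFSR\sysvol; DCs promoted into a DFSR domain share SYSVOL\sysvol.
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Select-Object Name, Path
Get-Service -Name DFSR, NtFrs -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType

# 4. Which DCs are members of the DFSR SYSVOL replication group ("Domain System Volume").
$rg = Get-ADObject -LDAPFilter '(objectClass=msDFSR-ReplicationGroup)' `
        -SearchBase "CN=DFSR-GlobalSettings,CN=System,$domainDn" -SearchScope Subtree | Select-Object -First 1
Get-ADObject -LDAPFilter '(objectClass=msDFSR-Member)' -SearchBase $rg.DistinguishedName `
        -Properties 'msDFSR-ComputerReference' | Select-Object Name, 'msDFSR-ComputerReference'

# 5. AD replication must be healthy before SYSVOL can replicate; inbound failures show here.
repadmin /showrepl /errorsonly
```

A 2019 DC that does not appear in step 4 after promotion, or a SYSVOL share that is missing on it, points at the promotion having failed to complete initial AD replication, which is where the repadmin output in step 5 becomes the thing to fix first.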

Domain Administrator do not have adequate permission to perform add roles and features


Hi,

I have 3 Windows Server 2016 servers, which are joined to a single-forest, single-domain Active Directory.

When I try to install IIS from Roles and Features in Windows Server, I get this error.

I have logged in as the Domain Administrator.

Can someone help please?


Windows 2003 migrate DNS to Windows 2008 R2 issues.


On the Windows 2003 box I do an nslookup, shown below, and below that are the 2008 results. I need the 2008 box to react just like the 2003 box, so that all I have to do is type in lit and it will add in the domain name.

> lit
Server:  UnKnown
Address:  192.168.86.24

Name:    lti.example.net
Address:  192.168.86.190

>

Windows 2008 results:

> lit
Server:  dns.example.net
Address:  192.168.86.23

*** dns.example.net can't find lit: Server failed
>

ADFS Custom rule: Send Value based on OU membership


We are a community college and I want to make a custom rule in ADFS based on OU membership.
This rule must send out the value 'Employee' or 'Student' based on the OU the account is located in.

I can't use AD groups because there isn't any group containing all the accounts.
(Like Active, Future, Alumni, etc.; they are all separated, not my choice by the way.)

According to this thread: https://social.technet.microsoft.com/Forums/en-US/762a4ab1-1649-442c-91a4-654ee7b3664f/limiting-adfs-20-to-an-org-unit?forum=winserverDS 

I tried:

eduPersonAffiliation Student

c:[Type == "http://temp.org/adobjectdn",Value =~ "^.*(OU=Students,OU=OurDomain Users,DC=OurDomain,DC=local)$"] => issue(Type = "eduPersonAffiliation", Value = "Student", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

 

eduPersonAffiliation Employee

c:[Type == "http://temp.org/adobjectdn",Value =~ "^.*(OU=Employees,OU=OurDomain Users,DC=OurDomain,DC=local)$"]  => issue(Type = "eduPersonAffiliation", Value = "Employee", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

Do I have to change that temp.org? Or must I define adobjectdn?
I checked the regex expression and it works.

I hope anyone can help me, thanks in advance!




Logon failure the target account name is incorrect


We are currently running two servers, configured as below:

1 x SBS 2011 Main Server (192.168.16.3) NAME - SERVER1

1 x Win 2008 R2 Server - Remote Site Connected (192.168.15.2) NAME - SERVER2

DOMAIN - domain.local

4 workstations at the remote site can access the SBS server by using IP, but not by name resolution. The error when connecting to the SBS server is

I have tried the normal things, flushing DNS, and also tried the below:

sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken

But when using netdom resetpwd with the domain administrator account, it returns "the target account name cannot be identified".

Please advise what is needed to resolve the issue. 

SERVER2 is the problematic DC, and Event Viewer is showing a Kerberos Event 4 error, detailed below.

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          11/08/2015 11:10:11
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SERVER2.domain.local
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SERVER1$. The target name used was host/SERVER1. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="16384">4</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-11T10:10:11.000000000Z" />
    <EventRecordID>295858</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>SERVER2.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Server">server1$</Data>
    <Data Name="TargetRealm">DOMAIN.LOCAL</Data>
    <Data Name="Targetname">host/SERVER1</Data>
    <Data Name="ClientRealm">DOMAIN.LOCAL</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>
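An added example, not from the post above: KRB_AP_ERR_MODIFIED for `host/SERVER1` means the service ticket was encrypted with a key that SERVER1$ does not hold, which happens either when the SPN is registered on a second account (the KDC then uses that account's key) or when SERVER1$'s password differs between the KDC's copy and the machine's. The script below lists every object claiming the `host/` SPNs for SERVER1, runs a forest-wide duplicate-SPN scan equivalent to `setspn -X`, and leaves the secure-channel check to be run on SERVER1 itself. It assumes the ActiveDirectory module and the names from the post.

```powershell
# Added example, not from the original post. Assumes AD module; names from the post.
Import-Module ActiveDirectory

$target = 'SERVER1'
$spns   = "host/$target", "host/$target.domain.local"

# 1. Every account that holds the SPN. Exactly one owner per SPN is the healthy state.
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    [pscustomobject]@{ SPN = $spn; Count = $owners.Count; Owners = ($owners.DistinguishedName -join '; ') }
}

# 2. Forest-wide duplicate scan (what setspn -X does): any SPN with more than one owner.
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object { $o = $_; foreach ($s in $o.servicePrincipalName) { [pscustomobject]@{ SPN = $s; DN = $o.DistinguishedName } } } |
    Group-Object SPN | Where-Object Count -gt 1 |
    Select-Object Name, @{ n = 'Owners'; e = { $_.Group.DN -join ' | ' } }

# 3. Password side, to be run on SERVER1 itself. $false means the machine password the
#    DC knows and the one SERVER1 holds have drifted; -Repair re-keys it on both ends.
#    Test-ComputerSecureChannel
#    Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

Because SERVER1 and SERVER2 are both DCs, the KDC that issued the ticket may be SERVER2 working from a stale copy of SERVER1$; the dcdiag and repadmin output on SERVER2 tells you whether replication between the two has been failing long enough for that to be the case.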



Authentication failure - Bad password


I have a lot of the following events for multiple users:

--------------------------------------------------

Kerberos pre-authentication failed.

Account Information:
Security ID: Domain\xxxx
Account Name: xxxx

Service Information:
Service Name: krbtgt/Domain

Network Information:
Client Address: ::ffff:X.X.X.X
Client Port: 37430

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

-------------------------------

The problem with this is that the account lockout policy cannot be applied because user accounts that display this behavior are immediately locked out.

Do you have any reference on this?
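An added example, not from the post above: 4771 with Status 0x18 is a wrong password at pre-authentication (pre-auth type 2 is PA-ENC-TIMESTAMP, so this is a password-based attempt, not a certificate). The two shapes worth separating are one client address hitting many accounts (a password spray, which also turns the lockout policy into a denial of service) and one account being hammered from one address (a stale credential on that host, such as a mapped drive, scheduled task or mobile device). The script below reads the last hour of such events from the local DC's Security log and groups them both ways; the threshold is an assumed tuning value.

```powershell
# Added example, not from the original post. Run on a DC with read access to the
# Security log; Threshold is an assumption to tune per environment.
$Threshold = 5
$xpath = "*[System[EventID=4771 and TimeCreated[timediff(@SystemTime) <= 3600000]] and EventData[Data[@Name='Status']='0x18']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $d.TargetUserName
        ClientIP    = $d.IpAddress -replace '^::ffff:', ''   # strip the IPv4-mapped prefix seen in the post
        ClientPort  = [int]$d.IpPort
        PreAuthType = $d.PreAuthType                          # 2 = PA-ENC-TIMESTAMP (password)
    }
}

# Spray shape: one source, many distinct accounts.
$events | Group-Object ClientIP | ForEach-Object {
    [pscustomobject]@{
        ClientIP      = $_.Name
        Attempts      = $_.Count
        DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
    }
} | Where-Object DistinctUsers -ge $Threshold | Sort-Object DistinctUsers -Descending

# Stale-credential shape: one account, one source, repeated failures.
$events | Group-Object User, ClientIP | Where-Object Count -ge $Threshold |
    Select-Object @{ n = 'User'; e = { $_.Group[0].User } },
                  @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
                  Count, @{ n = 'Last'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
```

Run it against every DC (or forward 4771 centrally), since each DC only logs the pre-auth failures it handled; a client address that belongs to a proxy, VPN concentrator or NAT device needs that device's own logs to get to the real origin.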

Windows Hello for Business - On Prem Certificates - Client Side Errors


After following the deployment guide here 

I'm not getting prompted on the client to enroll, and when trying to enroll the options are grayed out. The client log Microsoft-Windows-HelloForBusiness/Operational errors out with:

The device registration prerequisite check failed. (EventID 7200)

The Primary Account Primary Refresh Token prerequisite check failed. (EventID 7200)

Windows Hello for Business prerequisites check failed. Error: 0x8007051F (EventID 7054)

GPO, MFA, certs and ADFS are set up. Service accounts are all nominal; every step of the guide was checked 10 times over. The errors don't seem to be documented, and something is missing. Please help!


Retrieving DNS Forwarder


I'm trying to script powershell to retrieve DNS forwarders on all DNS servers and check if they work properly.

I am not able to use a restricted account of any kind, such as one in DnsAdmins, to do this.  I seem to have to use a domain admin account.  To run an automated task, I am hesitant to use a highly privileged account.

How can I create a least-privileged account to do this with Get-DnsServerForwarder?
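An added example, not from the post above: rather than granting the task account WMI and DCOM rights on every DNS server, a Just Enough Administration (JEA) endpoint lets a low-privilege account run exactly `Get-DnsServerForwarder` (and nothing else) while the cmdlet itself executes as a transient local virtual account on the server. The block below has two halves: the registration, run once on each DNS server as an administrator, and the collection loop the scheduled task runs from the automation host. It assumes a domain group `DOMAIN\DnsForwarderReaders` (hypothetical) containing the task account, PowerShell 5.1 or later, and that DNS runs on the domain controllers; "works properly" is taken to mean the forwarder answers an A query for a known public name.

```powershell
# Added example, not from the original post. Assumptions: group DOMAIN\DnsForwarderReaders
# (hypothetical), PowerShell 5.1+, DNS role on the DCs, AD module on the automation host.

# --- Part 1: on each DNS server, as an administrator: build and register the endpoint ---
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsReadJea'
New-Item -ItemType Directory -Path "$modulePath\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$modulePath\DnsReadJea.psd1"

# Role capability: the only cmdlets the role can see.
New-PSRoleCapabilityFile -Path "$modulePath\RoleCapabilities\DnsForwarderRead.psrc" `
    -ModulesToImport 'DnsServer' `
    -VisibleCmdlets 'Get-DnsServerForwarder', 'Get-DnsServerSetting'

# Session configuration: no general-purpose shell, virtual account, transcripts kept.
$pssc = Join-Path $env:TEMP 'DnsRead.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'DOMAIN\DnsForwarderReaders' = @{ RoleCapabilities = 'DnsForwarderRead' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Invalid session configuration file' }
Register-PSSessionConfiguration -Name 'DnsRead' -Path $pssc -Force | Out-Null

# --- Part 2: from the automation host, running as the low-privilege task account ---
Import-Module ActiveDirectory
$dnsServers = (Get-ADDomainController -Filter *).HostName
foreach ($srv in $dnsServers) {
    $fwd = Invoke-Command -ComputerName $srv -ConfigurationName 'DnsRead' -ScriptBlock { Get-DnsServerForwarder }
    foreach ($ip in $fwd.IPAddress) {
        $addr = $ip.ToString()
        $ok = try { [bool](Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server $addr -ErrorAction Stop) } catch { $false }
        [pscustomobject]@{ DnsServer = $srv; Forwarder = $addr; Responds = $ok; TimeoutSec = $fwd.Timeout; UseRootHint = $fwd.UseRootHint }
    }
}
```

The task account never holds administrative rights anywhere; what it can do is bounded by the `.psrc` file, and every session is transcribed to `C:\JeaTranscripts` on the server, which is the audit trail a reviewer will ask for.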

Migrate GPO settings to another domain


Hi,

We are looking to migrate to a new domain and decommission our current domain.

Concerning GPOs, what's the best option to migrate all GPO settings from our current domain to the new one?
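An added example, not from the post above: `Backup-GPO` and `Import-GPO` move settings between domains, but anything domain-specific inside a GPO (security principals in ACLs, user rights assignments and Restricted Groups; UNC paths to scripts and software) would otherwise land in the new domain as unresolvable SIDs or dead paths. A migration table maps each of those to its new-domain equivalent during import. The block below assumes hypothetical domains `corp.old` and `corp.new`, a share reachable from both, and the GroupPolicy and ActiveDirectory modules; the mapping entries are placeholders to extend.

```powershell
# Added example, not from the original post. Assumptions: domains corp.old / corp.new,
# share \\fs01\gpo-migration, GroupPolicy + AD modules, rights in both domains.
Import-Module GroupPolicy, ActiveDirectory

$old = 'corp.old'; $new = 'corp.new'
$backupDir = '\\fs01\gpo-migration\backup'

# 1. Back up every GPO in the old domain (settings only; links and WMI filters are not included).
$backups = Backup-GPO -All -Domain $old -Path $backupDir

# 2. Migration table: rewrite principals and UNC paths that embed the old domain.
#    Types: User, Computer, LocalGroup, GlobalGroup, UniversalGroup, UNCPath, Unknown.
$migtable = Join-Path $backupDir 'corp-old-to-new.migtable'
@"
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping><Type>GlobalGroup</Type><Source>CORPOLD\HelpDesk</Source><Destination>CORPNEW\HelpDesk</Destination></Mapping>
  <Mapping><Type>GlobalGroup</Type><Source>CORPOLD\Workstation Admins</Source><Destination>CORPNEW\Workstation Admins</Destination></Mapping>
  <Mapping><Type>UNCPath</Type><Source>\\fs01.corp.old\scripts</Source><Destination>\\fs01.corp.new\scripts</Destination></Mapping>
</MigrationTable>
"@ | Set-Content -Path $migtable -Encoding UTF8

# 3. Import into the new domain, creating each GPO if it does not exist yet.
foreach ($b in $backups) {
    Import-GPO -BackupId $b.Id -Path $backupDir -TargetName $b.DisplayName -Domain $new `
               -CreateIfNeeded -MigrationTable $migtable | Out-Null
}

# 4. Anything the table did not cover is still an old-domain SID; find it before linking.
$oldSid = (Get-ADDomain -Identity $old).DomainSID.Value
foreach ($g in Get-GPO -All -Domain $new) {
    $report = Get-GPOReport -Guid $g.Id -ReportType Xml -Domain $new
    if ($report -match [regex]::Escape($oldSid)) {
        Write-Warning "$($g.DisplayName): still references $old SIDs; extend the migration table and re-import"
    }
}
```

Links, link order, enforcement, WMI filters and security filtering are recreated by hand in the new domain, and a GPO that still references an old-domain SID should not be linked until the table covers it: an unresolvable SID in a user rights assignment or Restricted Groups entry silently grants nothing, which is easy to miss in a review.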


distribution List with restricting sender without exchange on premise


Hi, I need to create a distribution list within our AD but restrict who can send email to this list. How can I do this without having Exchange on premises?

I tried to modify the following settings but get an error:

  • AuthOrig
  • dLMemberRule
  • dLMemDefault
  • dLMemRejectPerms
  • dLMemSubmitPerms

    There is no editor registered to handle this attribute type

Does my Linux host need to be joined to AD in order for me to use keytab files for Kerberos authentication?


Hello,

Can someone please help with the following?

If I have an app/web site etc. on a standalone Linux host (Kerberos aware), e.g. no realm trusts of any kind,

then I have an Active Directory domain with my users, and I create a keytab file on Windows using ktpass with the relevant information: the SPNs of the Linux service and the AD user this information is to be associated with (to request a service ticket).

I then take the keytab file and import/set it up on the Linux host.

Do I also need to join the Linux host to Active Directory (using SSSD or Centrify, for example) in order for the keytab file to work?

I would be very grateful for any help on this please

Thanks

CXMelga
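An added example, not from the post above: a keytab contains the long-term key of the service account, and that is all the Linux service needs to decrypt the tickets clients present; the host does not have to be a domain member. What it does need is an SPN that matches the name clients use, a key type both sides agree on, a clock within the Kerberos skew, and a `krb5.conf` that can find the realm's KDCs. The block below creates a dedicated service account restricted to AES, generates the keytab with `ktpass`, and reads back what AD ended up with. Names are hypothetical (`svc-webapp1`, `app1.corp.example.com`, realm `CORP.EXAMPLE.COM`); the account needs no interactive logon rights, and `ktpass /setpass` rewrites the account password so the keytab and AD stay in agreement.

```powershell
# Added example, not from the original post. Hypothetical names; assumes the AD module
# and rights to create users and set SPNs. Run on a domain-joined Windows box.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web

$realm = 'CORP.EXAMPLE.COM'
$svc   = 'svc-webapp1'
$spn   = 'HTTP/app1.corp.example.com'

# 1. Dedicated service identity: AES only (no RC4), non-expiring because the keytab
#    must match the stored key; ktpass will replace this initial password anyway.
$initial = ConvertTo-SecureString -AsPlainText -Force ([System.Web.Security.Membership]::GeneratePassword(32, 6))
New-ADUser -Name $svc -SamAccountName $svc -AccountPassword $initial -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames $spn -Description "Kerberos service identity for $spn"

# 2. Generate the keytab. /crypto AES256-SHA1 keeps RC4 out of the file, /setpass
#    sets the account password to the value entered at the prompt, /ptype maps the
#    principal type. ktpass also rewrites userPrincipalName to the SPN form.
$keytab = Join-Path $env:TEMP "$svc.keytab"
ktpass /out $keytab /princ "$spn@$realm" /mapuser "$svc@$realm" /crypto AES256-SHA1 `
       /ptype KRB5_NT_PRINCIPAL /pass * /setpass

# 3. Confirm what AD holds before the file leaves this machine.
#    msDS-SupportedEncryptionTypes 24 = AES128 + AES256 only.
Get-ADUser -Identity $svc -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', userPrincipalName |
    Select-Object SamAccountName, userPrincipalName, servicePrincipalName, 'msDS-SupportedEncryptionTypes'
```

Copy the file to the Linux host over an authenticated channel and restrict it to the service's user (`chmod 600`); it is equivalent to the account's password. On that host, `klist -k /etc/krb5.keytab` lists the keys, and `kinit -kt /etc/krb5.keytab HTTP/app1.corp.example.com@CORP.EXAMPLE.COM` proves the key is accepted by a DC before any application is involved. Re-running `ktpass` later resets the password again, so every copy of an old keytab stops working at that moment.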

Can't get the Directory Server Online


Hi,

I was trying to migrate my old Windows Server 2008 32-bit OS to the new OS, Windows Server 2019, but apparently it was not possible.

My Exchange Server 2007 was my copy of my old domain controller, still intact but unable to connect to my newly renamed DC server.

My existing Active Directory server had the roles below.

  1. CA server
  2. Active directory domain services
  3. Network policy server
  4. Web Server
  5. File Server
  6. DNS Server

For the migration, below were the steps I did:

  1. Added 2 domain controllers to the existing Active Directory pool for replication and failover (one Windows Server 2012, one Windows Server 2019 to migrate to). During the migration stage I was getting a lot of DNS issues, but I kept persisting and it worked (tried ipconfig /flushdns & ipconfig /registerdns many times; it took a few tries).
  2. Successfully added the 2 domain controllers into the pool and replicated (but the DNS server needed to be manually replicated).
  3. Backed up the CA cert, policies & SYSVOL folder, ran dcpromo.exe on the old server, removed the CA server, then proceeded with the removal of the DC server, then changed the IP address and domain name of the server.

The replication status of the server at that time was unknown. I proceeded with the switchover; initially there was already an error, but I didn't know where to start. I started changing one of the servers back to the old server name & IP address, the second server which was added to the DC pool was demoted, and this is where all hell broke loose. The problems became a nightmare for me.

In my attempt to get the 1st DC server which I replicated back, below were the errors found.

C:\Users\pcsb002pg>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = adserver
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         ......................... ADSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Advertising
         Fatal Error:DsGetDcName (ADSERVER2) call failed, error 1722
         The Locator could not find the server.
         ......................... ADSERVER2 failed test Advertising
      Starting test: FrsEvent
         ......................... ADSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         The event log DFS Replication on server ADServer2.pcsb.local could not
         be queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test SysVolCheck
      Starting test: KccEvent
         The event log Directory Service on server ADServer2.pcsb.local could
         not be queried, error 0x721"A security package specific error occurred."
         ......................... ADSERVER2 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADSERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [ADSERVER2]:failed with 64:
         The specified network name is no longer available.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... ADSERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADSERVER2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=ForestDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:03.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=DomainDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:06.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:28:45.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:34:34.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:35:25.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... ADSERVER2 failed test Replications
      Starting test: RidManager
         ......................... ADSERVER2 passed test RidManager
      Starting test: Services
         Could not open Remote ipc to [ADServer2.pcsb.local]: error 0x40"The specified network name is no longer available."
         ......................... ADSERVER2 failed test Services
      Starting test: SystemLog
         The event log System on server ADServer2.pcsb.local could not be
         queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADSERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : pcsb
      Starting test: CheckSDRefDom
         ......................... pcsb passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... pcsb passed test CrossRefValidation

   Running enterprise tests on : pcsb.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1722
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
         A KDC could not be located - All the KDCs are down.
         ......................... pcsb.local failed test LocatorCheck
      Starting test: Intersite
         ......................... pcsb.local passed test Intersite

C:\Users\pcsb002pg>

The above is my dcdiag diagnostics.

I also noticed my DNS is quite screwed up.

I'm so stuck and don't know what to do or where to start. My whole office is going to come after me tomorrow.

I have roughly 25 staff in the office, with Exchange Server & some other applications such as the firewall, Lync Server & network drives that require Active Directory to connect.

Please help me. 

Domain Controller Decommission Error - can't find a GC server


Hello,

We have a Windows Server SBS 2008 DC that we are trying to decommission.  It was also our Exchange server (2007), but we migrated to O365.  We have a new Server 2012 R2 DC up and running.  I've moved the following roles to the 2012 server:

  • ADDS, DNS, DHCP
  • FSMO roles
  • Global Catalog Server

Now when I try to run dcpromo on the SBS server, it gets to the end and fails, saying it can't find a global catalog server.  I've checked the firewalls and also made sure the NIC is pointing to the new server for DNS.  When I try to uninstall Exchange 2007 from the SBS server, I get the same error message stating it can't find a GC server.  Does anyone have any suggestions?

Thanks.
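An added example, not from either post: both the `DsGetDcName ... error 1722` / "All GC's are down" lines in the dcdiag output of the previous post and the "can't find a global catalog server" failure from dcpromo and the Exchange uninstaller here come from the same DC locator call, which needs (a) a DC with the GC flag set, (b) the `_gc` and `_msdcs` SRV records for it in DNS, and (c) reachability on the GC port. The script below checks all three from the server that reports the failure and finishes with the locator's own answer via `nltest`. It assumes the ActiveDirectory module (queries are pointed at the 2012 R2 DC with `-Server`, since SBS 2008 has no Active Directory Web Services) and that the failing server's NIC already uses that DC for DNS.

```powershell
# Added example, not from the original posts. Assumes AD module; -Server targets the
# 2012 R2 DC (hypothetical name dc2012.domain.local) because the SBS box lacks ADWS.
Import-Module ActiveDirectory
$adws   = 'dc2012.domain.local'
$forest = (Get-ADForest -Server $adws).RootDomain
$domain = (Get-ADDomain -Server $adws).DNSRoot

# 1. Which DCs carry the GC flag, and who holds the FSMO roles.
Get-ADDomainController -Filter * -Server $adws |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, IsReadOnly, OperationMasterRoles

# 2. Does DNS advertise them? These are the records the locator looks up.
$srv = "_gc._tcp.$forest", "_ldap._tcp.gc._msdcs.$forest",
       "_kerberos._tcp.dc._msdcs.$domain", "_ldap._tcp.pdc._msdcs.$domain"
foreach ($name in $srv) {
    $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'
    [pscustomobject]@{
        Record  = $name
        Targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
    }
}

# 3. Can this server reach the GC and KDC ports on every DC that claims to be a GC?
foreach ($dc in Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $adws) {
    foreach ($port in 88, 389, 3268) {
        [pscustomobject]@{
            DC   = $dc.HostName
            Port = $port
            Open = Test-NetConnection -ComputerName $dc.HostName -Port $port -InformationLevel Quiet
        }
    }
}

# 4. The locator's own verdict, bypassing its cache (same API dcdiag and dcpromo call).
nltest /dsgetdc:$domain /GC /FORCE
nltest /dsgetdc:$domain /PDC /FORCE
```

An empty `Targets` column for the `_gc` records means the 2012 R2 DC never registered them: on that DC, `Restart-Service Netlogon` followed by `nltest /dsregdns` re-registers, after which step 2 should show it. If the records exist but port 3268 is closed from the SBS server, the problem is the host firewall or a missing route, not AD.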



Password policy recommendation


Hi team,

What's the best practice for a password policy?
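An added example, not from the post above, showing one defensible baseline in Active Directory terms: length over composition rules, no short forced-rotation interval (rotate on suspected compromise and on role change), lockout tuned to slow password sprays without handing an attacker an easy lockout denial of service, and a stricter fine-grained policy for privileged accounts. Group names `Tier0-Admins` and `Service-Accounts` and the account `svc-backup` are hypothetical; the domain functional level must be 2008 or higher for fine-grained policies, and the numbers are starting points, not a standard.

```powershell
# Added example, not from the original post. Hypothetical group/account names;
# assumes the AD module and DFL 2008+ for fine-grained password policies.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# Default domain policy: the floor for every account.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false

# Privileged accounts: longer and tighter. Lower precedence wins when several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0' -Subjects 'Tier0-Admins'

# Service accounts that cannot be gMSAs: very long random secrets, no lockout (a stale
# credential must not take the service down); watch 4771/4625 for failures instead.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -MinPasswordLength 32 -ComplexityEnabled $true -PasswordHistoryCount 5 `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 0) `
    -LockoutThreshold 0 -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service-Accounts'

# Which policy actually governs a given account once precedence is resolved.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'
```

Whatever numbers are chosen, pair them with a banned-password list at change time (Azure AD Password Protection or an equivalent on-premises filter), since length and history alone do not stop `Summer2024!` style passwords, and review `Get-ADUserResultantPasswordPolicy` for every privileged account after any change to group membership, because a PSO only applies through the groups listed as its subjects.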
