Channel: Directory Services forum

AD connect + Exchange migration


We have an on prem AD environment. We installed the AD Connect sync software on an on prem domain member server and established a successful sync with an Azure Tenant.

We did this so that we can start offering Sharepoint services to our users.

We also have a hosted Exchange 2013 environment which we would now like to sync into our AD tenant to take advantage of O365 Exchange.

Is there a preferred method to do this Exchange-to-tenant migration? Our migration partner suggested that we stop the AD sync first, do the Exchange 2013 migration to the tenant, and then start the sync again.

We are concerned this may lead to errors/duplication of UPNs etc. Does anyone know if there is a documented approach for this? Do we need a CLEAN AD tenant before starting the Exchange migration?


Sydney Cherian


Removing ‘Authenticated Users’ from the Pre-Windows 2000 Compatible Access Group


Hi,

May I know the impact of removing ‘Authenticated Users’ from the Pre-Windows 2000 Compatible Access group?

During domain promotion, "Authenticated Users" was dynamically added to the Pre-Windows 2000 Compatible Access group.

I don't have any legacy domain in my infrastructure.

Authenticating with PIV across Forest Trust


Guys...

I am at a loss here. Googled and Binged all day and have ZIP.

I have two forests each with one domain. I established a two way forest trust and can ACL objects and log in with username and password. The issue is I need to be able to log in with a PIV card. So... I need to log into forest A with my PIV and have it also provide me access to all the resources of forest B. I have no idea where to even start.

Suggestions? Someone point me in the right direction?


What's the 'Start in' field in the environment tab of the user properties used for?


And what kind of entries can be made there? Also please state some examples for the program file name and Start in field entries.





ldap failover


Hi,

I'm trying to implement LDAP failover and this is what I did.

1. Create a host entry in DNS, ldap-aws, whose IP address is that of server11 (10.10.10.11), and then another host entry with the same name ldap-aws whose IP address is that of server12 (10.10.10.12).

2. Acquire a certificate from our internal CA.



Am I doing the right thing with the certificates and DNS implementations? 
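A check for the two pieces this post sets up, written here as an added example rather than anything from the post or its replies: it confirms that the round-robin name returns both A records, then connects to each address and reads the certificate it presents, reporting whether the shared name appears in the Subject Alternative Name extension and whether the certificate has expired. The host name and addresses come from the post; the port (636, LDAPS) and the fact that the shared name is what the certificate must carry are assumptions.

```powershell
# Added example (not from the forum post): verify DNS round-robin and the
# certificate each LDAPS endpoint presents. Name and addresses are from the
# post; the port and SAN expectation are assumptions.
$LdapName = 'ldap-aws'
$Expected = @('10.10.10.11', '10.10.10.12')
$Port     = 636

# 1. DNS: does the shared name resolve to every expected address?
$resolved = @((Resolve-DnsName -Name $LdapName -Type A -ErrorAction Stop).IPAddress)
$missing  = $Expected | Where-Object { $_ -notin $resolved }
if ($missing) { Write-Warning "DNS is missing A records for: $($missing -join ', ')" }
else          { Write-Host "DNS returns all expected addresses: $($resolved -join ', ')" }

# 2. TLS: open a connection to one address and return the certificate it presents.
function Get-LdapsCertificate {
    param([string]$Address, [int]$Port, [string]$TargetHost)
    $client = [System.Net.Sockets.TcpClient]::new($Address, $Port)
    try {
        # Validation callback always returns $true: we only want to read the
        # certificate here and inspect it ourselves below.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($TargetHost)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}

# 3. Report subject, SAN coverage of the shared name, and expiry per server.
foreach ($ip in $Expected) {
    $cert = Get-LdapsCertificate -Address $ip -Port $Port -TargetHost $LdapName
    # OID 2.5.29.17 is the Subject Alternative Name extension; Format() renders it
    # as text with one "DNS Name=..." entry per name.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $hasName = $sanText -match [regex]::Escape($LdapName)
    $expired = $cert.NotAfter -lt (Get-Date)
    [pscustomobject]@{
        Server       = $ip
        Subject      = $cert.Subject
        SanHasName   = $hasName
        NotAfter     = $cert.NotAfter
        Expired      = $expired
        Thumbprint   = $cert.Thumbprint
    }
}
```

If the shared name is missing from the SAN of either certificate, clients that validate the name will refuse the connection when round robin hands them that server, which is the usual reason a failover pair works for one address and not the other.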

Remove Foreign Security Principals from domain local groups post migration


Hello,

I've seen articles where it is mentioned that after a successful migration you have to remove Foreign Security Principals from the domain local groups.

I need to understand the reason for this.

Is it really necessary to remove Foreign Security Principals from domain local groups post-migration? Should it be considered a post-migration activity or task?

What are side effects or is there any impact if not doing so?


G-ONE

AD SYSVOL - Symbolic link

Hello,

I have installed AD on Windows Server 2016 and I have a problem accessing the "domain.local" folder in SYSVOL from a remote computer.

I can access the SYSVOL and NETLOGON folders from a remote computer, but I cannot access the "domain.local" folder from a remote computer.

Here is error message from remote computer:
#---------------------------
\\domain.local\sysvol\domain.local is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permission.
 
The symbolic link can not  be followed because it is type is disabled.
#---------------------------

I am a Domain Admin and I have full permissions.

From Domain Computer:
#---------------------------
C:\>fsutil behavior query SymlinkEvaluation
Local to local symbolic links are enabled.
Local to remote symbolic links are enabled.
Remote to local symbolic links are enabled.
Remote to remote symbolic links are enabled.
#---------------------------

Symbolic link created:
mklink /D "C:\Windows\SYSVOL\sysvol\domain.local" "C:\Windows\SYSVOL\domain"

How can I allow network access from a remote computer? When it does not work, computers cannot download GPO policies from the Domain Controller.

Thanks.

Václav

EventId 4231 and 5719 - server is losing connection with AD controller


Hi,

we have a problem with one physical Windows Server 2016: once every couple of days it loses its connection with the domain controller, and after a restart everything goes back to normal.

In the event log there are two events right before it loses the connection:

4231 "A request to allocate an ephemeral port number from the global TCP port space has failed due to all such ports being in use.."

And right after that

5719 This computer was not able to set up a secure session with a domain controller in domain CPLUS due to the following: The RPC server is unavailable.

We have another server with the same specification and configuration in the same network and everything there is working without any problems.

Microsoft iSCSI Initiator Service is disabled
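Event 4231 says the dynamic TCP port range was exhausted, and 5719 is the secure-channel failure that follows once the Netlogon RPC call cannot get a port. The script below is an added diagnostic example, not something from the post or its replies: it pulls the two events from the System log, prints the host's dynamic port range, and then groups current TCP endpoints by owning process so the consumer of the ephemeral ports can be identified while the problem is occurring. Run it on the affected server; the seven-day window is an assumption.

```powershell
# Added example (not from the forum post): correlate events 4231/5719 with the
# processes holding TCP endpoints on this host. Time window is an assumption.
$since = (Get-Date).AddDays(-7)

# 1. Recent occurrences of the two events, newest first, with a trimmed message.
function Get-PortExhaustionEvents {
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4231, 5719; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
}
Get-PortExhaustionEvents -StartTime $since | Format-Table -AutoSize

# 2. The dynamic (ephemeral) port range this host hands out; event 4231 fires
#    when every port in this range is in use.
netsh int ipv4 show dynamicport tcp

# 3. Top consumers of TCP endpoints right now, with a per-state breakdown.
#    A process with thousands of endpoints stuck in TimeWait or Established
#    is the usual culprit for exhaustion.
function Get-TopTcpConsumers {
    param([int]$Top = 10)
    Get-NetTCPConnection |
        Group-Object OwningProcess |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count,
            @{ n = 'PID';     e = { $_.Name } },
            @{ n = 'Process'; e = { (Get-Process -Id $_.Name -ErrorAction SilentlyContinue).ProcessName } },
            @{ n = 'States';  e = { ($_.Group | Group-Object State | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' ' } }
}
Get-TopTcpConsumers | Format-Table -AutoSize
```

Because a restart clears the condition, the third part is only useful when captured before the reboot; scheduling it to run when event 4231 is logged (a task triggered on that event ID) gives a snapshot from the moment the range filled up.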

AD account keep unlock never block


Hi,

could you help me please: how can I make my AD account never lock? The problem is that every time our users enter a wrong password the account is locked, and we are not able to RDP to the servers.

thank you

DCDIAG issue: Guid DNS name resolved to the wrong IP address


Hi there,

Strange issue for a few days now. Result of 'dcdiag /e /q':

Although the Guid DNS name (10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de) resolved to the IP address
(10.10.1.8), which could not be pinged, the server name (LABSRV01.test.lab.de) resolved to the IP address
(10.10.2.9) and could be pinged. Check that the IP address is registered correctly with the DNS server.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... LABSRV01 failed test Connectivity

When I nslookup the Guid DNS Name

nslookup 10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de
Server: labdc01.lab.de
Address: 10.10.2.1

Name: LABSRV01.test.lab.de
Address: 10.10.2.9
Aliases: 10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de

The DNS PTR record is fine and holds the right IP address. Why does DCDIAG ignore this PTR record and resolve/use a wrong IP address?

Thanks and regards

Active Directory sync errors: 2148074274 The target principal name is incorrect

For some time now, a customer of ours has had Active Directory sync issues. A colleague and I are trying to solve this but have not yet succeeded.
The customer has 5 domain controllers and 1 forest, but the DCs are in 4 different countries.
See sync errors below:

I tried to change the computer account password, according to the articles below, but that did not fix the problem
https://support.microsoft.com/en-us/help/2751452/dns-zones-do-not-load-event-4000-4007
https://neilbryan.ca/the-target-principal-name-is-incorrect-active-directory-domain-controller-replication-issue/

I did this on 1 DC ..
srv01 is the DC with all FSMO roles.

The firewall is operated by another department, but according to them there has been no change to the firewall that could cause such issues. How can I troubleshoot/solve this?

Thanks in advance.

remote computers authenticating to DCs


Our remote engineers have VMs on their laptops that they use to connect to our customer systems for support. They are part of our domain but very rarely connect to our VPN to authenticate. I ran a PS script to see the last time these VMs communicated with our DCs and found that they all authenticated in the last day or so, but I know that they haven't connected to the VPN in weeks.

My question is how are they communicating to the DCs with no direct connection to our domain?  

Thanks,

Paul

Cross Forest - Two Tier PKI


Hello All,

I need a clarification in cross forest ADCS-Two tier PKI. Below are the details,

Existing environment:

Forest\Domain - contoso.com

Root CA and Issuing CA installed and configured with HSM

CDP/AIA URLs published on a standalone IIS server

New forest\domain - fabrikam.com

Planned to install the Issuing CA by making use of existing Root CA in contoso.com

No AD trust between the forests

I planned to install the Issuing CA and export the request and get the certificate from Root CA. 

Queries:

Does any configuration need to be done on the Root CA for the fabrikam.com issuing CA, like configDN, etc.?

Any changes for the CDP/AIA URLs?

Is it possible to change the CDP/AIA URLs and have a separate IIS server in fabrikam.com?

Any other configuration to be taken care of?

Enabling windows firewall in domain controllers pros and cons


Hi,

I am working on an Active Directory risk assessment program. There is an action item for us to enable the Windows Firewall on domain controllers.

Let me know the pros and cons of enabling the Windows Firewall on Active Directory domain controllers.

SMB1 logs event IDs


Hi,

I am working on deprecating SMB1 in my Active Directory domain, servers and clients.

Before disabling SMB1 I want to determine who is still using SMB1. Please assist with your answers.

My infra details:

2016 AD FFL

Windows 7 and above clients

A few Server 2003 servers and above.
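One way to answer "who is still using SMB1" before turning it off, written here as an added example and not taken from the post or its replies: Windows Server 2016 and Windows 10 (and later) can audit SMB1 access on the server side, writing event ID 3000 to the Microsoft-Windows-SMBServer/Audit log for every client that negotiates SMB1. The script enables that audit, lists sessions currently negotiated at a 1.x dialect, and summarises the audit events by client address after the auditing has run for a while. Run it on each file server and domain controller whose shares the clients reach; the seven-day window and the message parsing pattern are assumptions.

```powershell
# Added example (not from the forum post): find SMB1 clients via server-side
# auditing on Windows Server 2016+ / Windows 10+. Window and regex are assumptions.

# 1. Turn on SMB1 access auditing. Events go to Microsoft-Windows-SMBServer/Audit
#    with ID 3000, one per client access negotiated at SMB1.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 2. Sessions open right now whose negotiated dialect is 1.x (SMB1).
function Get-CurrentSmb1Sessions {
    Get-SmbSession |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}
Get-CurrentSmb1Sessions | Format-Table -AutoSize

# 3. After the audit has run for some days, count audit events per client.
function Get-Smb1Clients {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the event text carries a "Client Address:" line naming the client.
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unparsed' }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Client'; e = { $_.Name } }
}
Get-Smb1Clients | Format-Table -AutoSize
```

Server 2003 hosts in the environment cannot run the audit themselves; they only appear in this data as clients of the newer servers, so the inventory of what still speaks SMB1 is only complete once every 2016-or-later server has been audited.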


domain controller issue

Hi

We are facing issues when we change the DC IP address.

Some clients are unable to authenticate and there are replication errors.

Any idea please ?

Modifying user pwdLastSet to 0


Hi all

I need to set the user pwdLastSet to -100 (to make user change password)

I was wondering what the PowerShell syntax for this is, please?
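An added example of writing the attribute with the ActiveDirectory module; it is not from the post or its replies. The directory accepts two values for pwdLastSet: 0, which flags the account as "must change password at next logon" (the value in the post's title), and -1, which stamps the attribute with the current time and clears that flag. The account name is a placeholder.

```powershell
# Added example (not from the forum post): set pwdLastSet through Set-ADUser.
# Only 0 and -1 are accepted by the directory. Account name is a placeholder.
Import-Module ActiveDirectory

function Set-MustChangePassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Revert   # -1: stamp current time and clear the must-change state
    )
    $value = if ($Revert) { -1 } else { 0 }

    # -Replace writes the raw attribute; for the value 0 the cmdlet's friendly
    # equivalent is: Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = $value }

    # Return the stored value so the caller can confirm the write took effect.
    Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordExpired |
        Select-Object SamAccountName, pwdLastSet, PasswordExpired
}

Set-MustChangePassword -Identity 'jdoe-PLACEHOLDER'
```

Reading the attribute back matters because the write is silently rejected by some tooling when an out-of-range value such as -100 is supplied; confirming that pwdLastSet reads 0 and PasswordExpired reads True is the check that the user will actually be prompted.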


I just deleted the last domain controller from DC1 (WS2008) Delete/demote/remove/uninstall

Windows Server 2008 Standard. I just removed the domain controller and DNS completely from the server.

Then in the LAN card: Properties > TCP/IP > IPv4 > Advanced > DNS tab > remove DNS suffix for this connection.

I made my server a completely standalone server.

My question:

  1. I logged in to the server as local administrator. Then I opened cmd. I saw users/administrator.s1.000??.
  2. administrator.s1.000 ???? What does this mean????

Global catalog

After adding a new domain controller, in the command below Global catalog is blank, whereas if I query through the command "Get-ADForest domain.com | FL GlobalCatalogs" it lists all DC servers.

PS C:\Users\dcuser> [system.directoryservices.activedirectory.Forest]::GetCurrentForest()

Name                  : domain.com
Sites                 : {SITE-A1, SITE-B1, Site-C1}
Domains               : {domain.com}
GlobalCatalogs        : 
ApplicationPartitions : {DC=ForestDnsZones,DC=domain,DC=com, DC=DomainDnsZones,DC=domain,DC=com}
ForestModeLevel       : 6
ForestMode            : Windows2012R2Forest
RootDomain            : domain.com
Schema                : CN=Schema,CN=Configuration,DC=domain,DC=com
SchemaRoleOwner       : DC2.domain.com
NamingRoleOwner       : DC2.domain.com
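The post compares two views of the same thing and gets different answers. The script below is an added example, not from the post or its replies: it gathers the global catalog list from three independent sources (the .NET Forest object the post used, the IsGlobalCatalog flag on each DC object, and the _gc._tcp SRV records in DNS) and prints one row per server showing where it does and does not appear. A DC that carries the flag but is absent from DNS, or the reverse, points at where the discrepancy originates. The forest root name is read from the directory; no other assumptions are made beyond the ActiveDirectory module being available.

```powershell
# Added example (not from the forum post): reconcile three sources of the
# global catalog list. Requires the ActiveDirectory module and DNS access.
Import-Module ActiveDirectory
$forest = Get-ADForest

# (a) The .NET Forest object's GlobalCatalogs collection (what the post queried).
$fromDotNet = @([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs |
                ForEach-Object { $_.Name.ToLower() })

# (b) DCs whose directory object carries the GC flag.
$fromFlag = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
              ForEach-Object { $_.HostName.ToLower() })

# (c) Servers advertised as GCs in DNS under _gc._tcp.<forest root>.
$fromDns = @(Resolve-DnsName -Type SRV -Name "_gc._tcp.$($forest.RootDomain)" -ErrorAction SilentlyContinue |
             Where-Object NameTarget |
             ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') })

function Compare-GlobalCatalogSources {
    param([string[]]$DotNet, [string[]]$Flag, [string[]]$Dns)
    $all = @($DotNet + $Flag + $Dns | Sort-Object -Unique)
    $all | ForEach-Object {
        [pscustomobject]@{
            Server = $_
            DotNet = $_ -in $DotNet   # seen by Forest.GlobalCatalogs
            GCFlag = $_ -in $Flag     # IsGlobalCatalog on the DC object
            DnsSrv = $_ -in $Dns      # present in _gc._tcp SRV records
        }
    }
}

Compare-GlobalCatalogSources -DotNet $fromDotNet -Flag $fromFlag -Dns $fromDns | Format-Table -AutoSize
```

A freshly promoted DC normally shows up in the flag column first and in the DNS column only after it finishes advertising as a GC; a server present in every column except the .NET one suggests the querying machine is resolving the SRV records against a DNS server that has not yet received them.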

Server 2019 Domain Controller Does Not Create IPv6 PTR Record


I have a new Server 2019 domain controller running. My network has IPv4 and IPv6 functionality and a static IP address for both protocols has been configured. In DNS I can see the A and AAAA records created for the domain controller, and in the reverse lookup zone for IPv4 I can see the PTR record for the IPv4 address, with a timestamp matching today's date and the time of its registration.

But in the reverse lookup zone for IPv6, no PTR record is created. As a result, if I do nslookup domain.contoso.com the server shows up as UnKnown, because it's preferring IPv6 and no PTR record for the IPv6 address exists. I've tried configuring the DNS Client group policies that specify it should register the PTR record regardless, or register it if the A record succeeds, including setting the Refresh Interval policy to 6 hours so that it matches the Refresh Interval for DNS scavenging, and fiddling with settings in the network adapter such as "Use This Connection's DNS Suffix in DNS Registration" and "Register This Connection's Addresses in DNS", and nothing changes.

Does anyone have any ideas?
