Channel: Directory Services forum

Reject disabled user logon attempts.


Hi,

We have a high number of logon failures from a user account that belongs to a former employee.

It seems the credentials are being used in an email app on an Android device, as we can see in the Exchange server logs.

The user account is disabled, but that doesn't prevent the logon attempts.

Is there any possibility to reject that kind of user logon attempt?

We're somewhat afraid of DC resource depletion.

Thank you. 
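Added example (not part of the original post): a disabled account cannot be stopped from *trying* to log on, because the DC only learns the account is disabled after it has looked the name up and checked the credential; what you can do is find out exactly which device keeps sending the password and deal with it at the source. The script below runs on a DC with logon-failure auditing enabled and pulls the failures for one account by source address. The account name `jdoe` and the 24-hour window are placeholders.

```powershell
# Added example: where are a disabled account's failed logons coming from?
# 4625 = logon failure; its SubStatus 0xC0000072 means STATUS_ACCOUNT_DISABLED.
# 4776 = NTLM credential validation; its Status carries the same code.
# Run on a DC; requires "Audit Logon" / "Audit Credential Validation" (failure).
param(
    [string]$SamAccountName = 'jdoe',   # placeholder for the former employee's account
    [int]$Hours = 24
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4776
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -ne $SamAccountName) { continue }

    if ($e.Id -eq 4625) {
        if ($d.SubStatus -ne '0xc0000072') { continue }      # keep only "account disabled"
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Source      = $d.IpAddress
            Workstation = $d.WorkstationName
            LogonType   = $d.LogonType
        }
    } else {
        if ($d.Status -ne '0xc0000072') { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Source      = $d.Workstation
            Workstation = $d.Workstation
            LogonType   = 'NTLM validation'
        }
    }
}

# One line per source, most active first, with the last time it was seen
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{n='Source';e={$_.Name}},
                  @{n='LastSeen';e={($_.Group | Measure-Object Time -Maximum).Maximum}}
```

For an ActiveSync client the source address will usually be the Exchange CAS, not the phone; the Exchange IIS/ActiveSync logs then give the DeviceId, and the device can be blocked on the Exchange side (for example `Set-CASMailbox -Identity jdoe -ActiveSyncEnabled $false`, or a device access rule) so the requests never reach the DC. The DC-side cost of a failed bind for a disabled account is small; the real risk is that the same credential is being replayed from a device the company no longer controls.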


Ldap issue


HI,

We want to go ahead with the new LDAP signing and channel binding changes in Active Directory.

We have installed the March updates on both our Server 2012 R2 DC and Server 2016 member servers and set the

DC policy

Domain controller: LDAP server channel binding token requirements = Always

Domain controller: LDAP server signing requirements = Require signing

On member servers:

Network security: LDAP client signing requirements = Require signing

Also set the registry on DC to highest:

Enable LDAP Signing and LDAP Channel Binding

LDAPServerIntegrity = 2

LdapEnforceChannelBinding = 2


But now the Directory Service log shows these warnings for all of the member servers:

Internal event: An LDAP client connection was closed because of an error. 

Client IP:
10.0.10.11:50039 

Additional Data 
Error value:
1236 The network connection was aborted by the local system. 
Internal ID:
c060410


Shahin
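Added example (not part of the original post): once `LDAPServerIntegrity = 2` is set, the DC closes any SASL bind that did not negotiate signing, and any simple bind on a clear-text connection, which is what a burst of "LDAP client connection was closed" events from member servers tends to mean. Before (or while) enforcing, the DC can log exactly which clients are still binding insecurely. The script below runs on the DC, shows the two enforcement values the post mentions, turns on the per-client diagnostic event and summarises the results. It uses only built-in registry paths and event IDs.

```powershell
# Added example: list the clients still doing unsigned / clear-text LDAP binds.
# Directory Service log: 2887 = daily summary of insecure binds,
#                        2889 = one event per client (needs diagnostic level 2).
# Run on the DC as an administrator.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# 1. The enforcement values from the post (both live under ...\NTDS\Parameters)
Get-ItemProperty "$ntds\Parameters" |
    Select-Object LDAPServerIntegrity, LdapEnforceChannelBinding

# 2. Log every insecure bind with the client's address and identity
Set-ItemProperty "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2

# 3. Collect the 2889 events written since then and group by client / bind type
$since = (Get-Date).AddDays(-1)
$evts  = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2889; StartTime = $since
} -ErrorAction SilentlyContinue

$evts | ForEach-Object {
    $p = $_.Properties
    # 2889 parameters: [0] client IP:port, [1] identity bound as,
    # [2] binding type: 0 = SASL bind without signing, 1 = simple bind without TLS
    [pscustomobject]@{
        Client   = ($p[0].Value -split ':')[0]
        Identity = $p[1].Value
        BindType = switch ($p[2].Value) { 0 { 'SASL, unsigned' } 1 { 'Simple bind, clear text' } default { $p[2].Value } }
    }
} | Group-Object Client, BindType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. Put the diagnostic level back once the list is clean (level 2 is chatty)
# Set-ItemProperty "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 0
```

If the 2889 list shows the member servers' own service accounts or third-party agents, those are the clients that need their LDAP libraries configured for signing (or moved to LDAPS on 636, which is exempt from the signing requirement); setting the client-side GPO to "Require signing" only affects Windows components that honour that policy. Also note that `LdapEnforceChannelBinding = 2` only affects binds over TLS/LDAPS; it does not cause connection closures on plain port-389 sessions.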

Domain account keep locked out?


Hi everyone,

The domain account lockout issue has continued for a few months, but I have yet to find any solution. I'd appreciate it if anyone can provide me some feedback on this.

Our work-from-home users log in to the laptop using a local account. For me there's no account lockout issue; however, the account lockout issue has been happening to a few of our users. Not sure why this keeps happening to a few of the users.

Here are the things the user needs to enter in order to WFH:

Local account: .\eric

Password: local account password

Login VPN: eric

Password: window domain password

Then connect skype for business: eric@contonso.onmicrosoft.com

Outlook: eric@contonso.com

Password: Windows domain password (Outlook will prompt for the password every time the user opens Outlook)

I have also created a .bat file for users to connect the network drive so that there's no saved credential.

The batch file to connect is as below:

net use Z: \\Shareserver /persistent:yes

pause

Troubleshooting steps taken:

Cleared Credential Manager

Removed share drive connection

Removed skype for business

But the problem still persists for the user; for my own account I did not face such an issue.

Anyone?

Much appreciated.

Thanks.

Delegation of Control


We are using Server 2008 Standard and have around 400 users and 89 organizational units.

Our manager told me to set up delegation of control for one of our colleagues to only reset passwords and unlock users.

I gave him delegation of control targeting an organizational unit, and this organizational unit contains sub-OUs.

The problem is that he is able to reset only a few of the users; he is unable to reset most of the users which are in the same OU.

I have checked the user whose password he is able to reset and the user whose password he is not able to reset; they both have the same group membership.

Thanks 
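Added example (not part of the original post): when a delegation on an OU works for some accounts and not others, the question to answer is whether the delegated ACEs are actually present on each user object. Inherited ACEs never reach objects whose ACL has inheritance blocked, and the most common case of that is accounts with `adminCount = 1` (present or past members of protected groups), whose ACL the AdminSDHolder process re-stamps every hour. Group membership as shown in ADUC does not reveal this. The script below, which assumes the ActiveDirectory module and uses placeholder OU and delegate names, reports per user whether the "Reset Password" right and write access to `lockoutTime` (the unlock permission) are present for the delegate and whether inheritance is blocked.

```powershell
# Added example: does the reset-password / unlock delegation reach every user?
# Requires the ActiveDirectory module (RSAT). Names below are placeholders.
Import-Module ActiveDirectory
$ou       = 'OU=Staff,DC=contoso,DC=com'     # OU the delegation was applied to
$delegate = 'CONTOSO\helpdesk-pw'            # the delegated user or group

# Resolve the GUIDs the Delegation of Control wizard writes into the ACEs:
# the "Reset Password" control access right and the lockoutTime attribute.
$root = Get-ADRootDSE
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * -Properties adminCount, nTSecurityDescriptor |
ForEach-Object {
    $u  = $_
    $sd = $u.nTSecurityDescriptor
    # Allow ACEs granted to the delegate, inherited or explicit
    $ace = $sd.Access | Where-Object {
        $_.IdentityReference.Value -eq $delegate -and $_.AccessControlType -eq 'Allow'
    }
    [pscustomobject]@{
        User               = $u.SamAccountName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $sd.AreAccessRulesProtected   # true => OU delegation never arrives
        ResetPassword      = [bool]($ace | Where-Object { $_.ObjectType -eq $resetPwdGuid })
        WriteLockoutTime   = [bool]($ace | Where-Object {
                                 $_.ObjectType -eq $lockoutTimeGuid -and ($_.ActiveDirectoryRights -band $writeProp)
                             })
    }
} | Sort-Object InheritanceBlocked, User | Format-Table -AutoSize
```

Users that show `InheritanceBlocked = True` with `AdminCount = 1` are protected accounts; the fix is not to edit their ACLs by hand (AdminSDHolder will undo it) but to decide whether they really need to be in a protected group, and if not, remove them, clear `adminCount` and re-enable inheritance. For users with inheritance blocked and no `adminCount`, re-enabling inheritance on the object (Advanced Security settings, or `$sd.SetAccessRuleProtection($false, $true)` followed by `Set-ADUser -Replace @{nTSecurityDescriptor=$sd}`) lets the OU delegation apply.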

Domain trusts and logon servers


Hello,

I have a situation that seems a bit unique, and all of the information I have found online doesn't quite match up to my scenario.

I have two DCs, server.domain1.local and server.domain2.local; both domains function normally by themselves, but I am trying to create a trust between the two. It would seem that since they are both called server they cannot communicate, even though they have different FQDNs.

When trying to create the trust I get the error "There are no logon servers available". I get the same error when trying to UNC from one to the other.

I did create the conditional forwarders before creating the trust, and want to point out that they are connected via VPN; as far as I can tell from the traffic log the VPN firewall isn't blocking any traffic. I also turned off the Windows Firewall temporarily as a test to see if that was the issue.

Any help would be appreciated.

Thanks

Problem of replication and group membership between 2 domain controllers

Problem: When users with Active Directory accounts who use the FortiClient VPN try to connect to the internal network, they get a wrong password error (expired password), because after logging in to their Exchange webmail account and changing it, the FortiClient VPN will also produce an error. But if an admin works at the Active Directory console of each of the 2 domains, the problem is resolved. This is a complete lack of replication between the 2 DCs, but I wanted to go over this issue in detail and fix it carefully.

How to view hidden user attributes in the ADUC console?


Hi Everyone,

In AD, there are a set of default user attributes such as Description, IP Phone etc. which show up in ADUC. I now wish to display some hidden attributes that my client needs. I am not sure how to do this. What I need to do is:

When I open a user property in AD Users and Computers, I want to change the display of:

1: 'Division'

2: 'Office Extension'

3:  'Location'

and a few others. 

Please suggest how I can do this?

Please help. 

Thank you. 

Shiv 


Shivaram Venkatesh. The Digital Cognitive

How to find the domain controller that handles authentication for users in the trusted domain


Hi all,

I work in an environment where there are a lot of sites, domains and forests.

There are two domains, domain A and domain B,

where domain A belongs to forest A and domain B belongs to forest B.

There is a one-way trust between domain A and domain B.

Domain A and domain B are distributed across many sites.

In one of the sites,

on a member server of domain B, I try to add a user from domain A to a local group on that member server, but it seems that it couldn't contact a domain controller in domain "A", as users are not showing up.

Accessing another member server of domain "B", but in a different subnet than the other member servers, I could add a user from domain "A" to a local group of a member server of domain B.

The question is: how can I know the domain controller in the "trusting domain" that handles authentication for users in the "trusted domain"? I need to find what the problem of this member server is. We are sure that there is no problem in the trust between domain "A" and domain "B", as there are member servers of domain "B" that can see users of domain "A".

I used netstat on the server in domain "B" that can see domain "A" users and I found that the member server can communicate with a domain controller of domain "A",

but using netstat on the server in domain "B" that cannot see users in domain "A", it doesn't show any connection attempt to any domain controllers in domain "A".

Is there another command that can reveal connection attempts to the trusting domain controller?
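Added example (not part of either post): both the "no logon servers available" trust error above and the member server that never even tries to reach a domain A DC come down to the DC locator. A member server does not keep a fixed DC for a trusted domain; it asks DNS for the `_ldap._tcp.dc._msdcs.<domain>` SRV records, picks a DC (preferring its own site) and then talks Kerberos/LDAP/SMB/RPC to it. So the things to check, on the failing machine itself, are DNS resolution of those records, what `nltest` picks, and whether the required ports are open to that DC. The script below is an added diagnostic; the domain name is a placeholder and it relies only on built-in tools (`nltest.exe`, `Resolve-DnsName`, `Test-NetConnection`, Windows 8/2012 or later).

```powershell
# Added example: which DC of a trusted domain will this machine use, and can it
# reach it? Run on the member server that cannot see the trusted domain's users.
param([string]$TrustedDomain = 'domainA.example')   # placeholder

# 1. DNS: the SRV records the DC locator needs. Empty output here means the
#    conditional forwarder / delegation for the trusted domain is not working
#    from this subnet's DNS servers (compare with the working member server).
foreach ($srv in "_ldap._tcp.dc._msdcs.$TrustedDomain", "_kerberos._tcp.dc._msdcs.$TrustedDomain") {
    "== $srv"
    Resolve-DnsName -Name $srv -Type SRV -ErrorAction Continue |
        Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
}

# 2. What the locator actually selects (and from which site), with the cache bypassed
nltest /dsgetdc:$TrustedDomain /force

# 3. Every DC the trusted domain advertises, and the trusts known to this machine's own DC
nltest /dclist:$TrustedDomain
nltest /trusted_domains

# 4. Secure channel of this server to its own domain; a broken one also breaks
#    pass-through authentication for trusted-domain users
nltest /sc_query:$env:USERDNSDOMAIN

# 5. Port reachability to each advertised DC: DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd
$dcs = Resolve-DnsName "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcs) {
    foreach ($port in 53, 88, 135, 389, 445, 464) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $port; Open = $r.TcpTestSucceeded }
    }
}
```

Reading the output: if step 1 returns nothing on the failing server but works on the healthy one, the difference is the DNS servers (or search order) that subnet uses; if step 1 works but step 2 fails, look at step 5 and at the VPN firewall rules for that subnet, remembering that RPC needs the dynamic high ports in addition to 135. For the two DCs that are both named `server`, the FQDNs are distinct but the NetBIOS names are not; anything that still resolves by short name (WINS, LLMNR, `\\server` UNC paths) becomes ambiguous, so test with FQDNs only while working out whether DNS or transport is at fault.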


Displaying the Location and Division in the ADUC Console


Hi Everyone,

Would anyone know how I can display the location and division attributes (which are hidden by default) in ADUC? This is a bit urgent, as there has been an update in office locations and changes in the org structure. Management is keen to see this change and view it in ADUC. Please help.

Thanks,

Shyam


Shivaram Venkatesh. The Digital Cognitive
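Added example (not part of either post above): ADUC property pages are fixed, but two things are available without writing a property-sheet extension. On Server 2008 and later, enabling View > Advanced Features adds an Attribute Editor tab that shows every attribute, including `division` and `location`. For a management-friendly view, ADUC's list columns are driven by the `extraColumns` attribute of the display specifiers in the configuration partition, and extra attributes can be added there so they appear under View > Add/Remove Columns for every OU. The script below (assumes the ActiveDirectory module and rights to write to the configuration partition, i.e. Enterprise Admins) adds such columns for the English locale. Which LDAP attribute holds the post's "Office Extension" is an assumption; `otherTelephone` is used here as a plausible choice.

```powershell
# Added example: expose division / location / office columns in ADUC list views.
# extraColumns format (one value per column):
#   "ldapDisplayName,Column header,default visible (0/1),width in px,0"
# The organizationalUnit-Display specifier governs OU list views; 409 = English.
Import-Module ActiveDirectory
$config = (Get-ADRootDSE).configurationNamingContext
$spec   = "CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,$config"

$newColumns = @(
    'division,Division,1,120,0',
    'location,Location,1,120,0',
    'physicalDeliveryOfficeName,Office,1,120,0',
    'otherTelephone,Office Extension,1,120,0'   # assumption: "Office Extension" is stored in otherTelephone
)

# Only add what is not already there (the attribute is multi-valued)
$existing = (Get-ADObject $spec -Properties extraColumns).extraColumns
$toAdd    = $newColumns | Where-Object { $existing -notcontains $_ }
if ($toAdd) {
    Set-ADObject $spec -Add @{ extraColumns = $toAdd }
}
(Get-ADObject $spec -Properties extraColumns).extraColumns

# Sanity check that the data is actually populated for the users in question
Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=contoso,DC=com' -Properties division, location, physicalDeliveryOfficeName |
    Select-Object SamAccountName, division, location, physicalDeliveryOfficeName | Format-Table -AutoSize
```

The change replicates through the configuration partition; restart ADUC, open an OU, and the new columns are available in View > Add/Remove Columns (they are hidden by default unless the visibility flag is 1). Because this is a forest-wide change to a well-known container, make it once, from a change-controlled account, rather than per admin workstation.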

DNS settings for domain controllers


Hi

We are looking at how we can protect and optimize DNS settings for a remote site.

We have two remote sites; the first site has two domain controllers and the second one has no DC.

Is it possible to install a DNS server on a member server?

Locked Account


Hi

We are facing an issue where many user accounts are locked automatically when they try to access a Linux application.

Any Idea please ?
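Added example (not part of either lockout post above, the work-from-home one or the Linux-application one): every lockout, wherever the bad passwords arrive, is forwarded to the PDC emulator, which logs event 4740 naming the machine that submitted them. Bad-password counters are not replicated, so asking each DC shows which one received the attempts, and the source machine's own 4625 events show the process or logon type behind them (a saved credential in an application, a mapped drive, a Linux service binding with an old password). The script assumes the ActiveDirectory module and rights to read the Security log on the PDC and on the source; the account name is the one from the first post.

```powershell
# Added example: trace an account lockout back to the machine that caused it.
Import-Module ActiveDirectory
$user = 'eric'                          # account from the post
$pdc  = (Get-ADDomain).PDCEmulator

# 1. Which DC(s) saw the bad passwords (badPwdCount is per DC, not replicated)
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $u = Get-ADUser $user -Server $dc -Properties LockedOut, badPwdCount, LastBadPasswordAttempt
    [pscustomobject]@{ DC = $dc; LockedOut = $u.LockedOut; BadPwdCount = $u.badPwdCount; LastBad = $u.LastBadPasswordAttempt }
}

# 2. Lockout events on the PDC emulator. In 4740 the caller computer name is
#    carried in the TargetDomainName field; SubjectUserName is the DC that locked.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -eq $user) {
        [pscustomobject]@{ Time = $_.TimeCreated; Caller = $d.TargetDomainName; LockedBy = $d.SubjectUserName }
    }
}
$lockouts | Format-Table -AutoSize

# 3. On the most recent caller, list the failed logons for the account.
#    4625 Status 0xC000006D = logon failure; SubStatus 0xC000006A = wrong password.
#    LogonType and ProcessName point at the component holding the stale credential.
$caller = ($lockouts | Select-Object -First 1).Caller
if ($caller) {
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $user -and $d.Status -eq '0xc000006d') {
            [pscustomobject]@{
                Time = $_.TimeCreated; LogonType = $d.LogonType; Process = $d.ProcessName
                Source = $d.IpAddress; SubStatus = $d.SubStatus
            }
        }
    } | Format-Table -AutoSize
}
```

In the VPN scenario the caller is often the VPN gateway or RADIUS/NPS server rather than the laptop, because that is the machine presenting the password to the DC; the 4625 entries on it then show whether the failures coincide with VPN logons or with something else the user left running. For a Linux application, the caller will be the Linux host (or the DC it binds to for LDAP/Kerberos), and the usual cause is a service or keytab still using a password that has since changed.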

Client profile on windows server 2012


Hello, I'm using Windows Server 2012 as a domain server.

My clients use files from the domain server.

Is it possible for the clients to see their own desktop with their own shortcuts on any client computer they use?

Windows Server 2012 - Replication Event on Secondary Domain Controller

We are looking for a way to track when a user account was created/deleted/changed on the secondary domain controller. When we make the change on the primary, I can see the event in the event log, but we want to see that replication event on the secondary domain controller. I'm not sure what I'm looking for, and we have so many logon/logoff events that the event log only holds 2-3 minutes of data before filling up. Since it takes time to replicate, I can't catch the event.


I've gone into the group policy settings for the domain controllers and turned on advanced audit for the replication service but it's really only showing me that it was able to talk to the other domain controller, not what was actually replicated.


I'm hoping there is a way that we can track the change, even if it is as simple as something like a change was made. It doesn't have to be in great detail. If maybe someone knows what event id is that I need to look for then I can filter through and find it.


Maybe I'm looking in the wrong place all together? Any help would be greatly appreciated.
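Added example (not part of the original post): the Directory Service Changes audit events (5136 created/modified attribute, 5137 object created, 5141 object deleted) are written by the DC that originates the write, not by the partners that apply the change through replication, so watching the second DC's Security log will not show them. What every DC does keep is replication metadata per object and attribute: the originating DC, the version, the originating time and the local USN at which the change was applied. Querying that on the secondary DC answers "what arrived here, and when" without any audit policy. The script below assumes the ActiveDirectory module; the DC name, OU and time window are placeholders.

```powershell
# Added example: what replicated to DC2 in the last hour, without the Security log.
Import-Module ActiveDirectory
$target = 'DC2.contoso.com'          # the "secondary" DC
$since  = (Get-Date).AddHours(-1)

# whenChanged is NOT replicated: on DC2 it records when DC2 itself wrote the
# object, which includes applying an inbound replicated change.
$changed = Get-ADUser -Server $target -Filter { whenChanged -ge $since } -Properties whenChanged

foreach ($u in $changed) {
    # Per-attribute metadata held by DC2: who originated the change, when, and
    # the USN at which DC2 applied it (new objects show version 1 on most attributes)
    Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $target |
        Where-Object { $_.LastOriginatingChangeTime -ge $since } |
        Select-Object @{n='User';e={$u.SamAccountName}}, AttributeName, Version,
                      LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeTime, LocalChangeUsn
}

# Deletions: the tombstones / recycled objects DC2 holds for the same window
Get-ADObject -Server $target -IncludeDeletedObjects -Properties whenChanged, isDeleted `
    -Filter { isDeleted -eq $true -and whenChanged -ge $since } |
    Select-Object Name, whenChanged, isDeleted
```

For the log-volume problem, raising the Security log size (`Limit-EventLog -LogName Security -MaximumSize 1GB` on each DC) or forwarding the DC logs to a collector is the usual fix; the DCs' logon/logoff noise can then be filtered at the collector instead of overwriting what you need.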

AD Replication


Dear Team,

I have set up 5 AD servers, 3 servers on the DC site and 2 servers on the DR site (DC01, DC1 and DC2 on the DC site, and DR1 and DR2 on the DR site).

My DR AD servers are not replicating with any AD server, and one of the DR AD servers, DR1, has old data. All role holders are on the DC site, on the DC01 server. Now what do I do? Shall I format my DR1 and DR2 servers?

Please suggest. IF required I will share the logs also.
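Added example (not part of the original post): before formatting anything, the question a practitioner would settle first is how long each DR DC has gone without a successful inbound replication, compared with the forest's tombstone lifetime. A DC that is within the tombstone lifetime can usually be repaired (fix DNS/connectivity, then force replication); one that is past it must not be allowed to replicate again (lingering objects) and should be forcibly demoted, its metadata cleaned, and then re-promoted. The script below, which assumes the ActiveDirectory module and uses the DC names from the post, gathers exactly that picture.

```powershell
# Added example: replication triage for a site whose DCs have stopped replicating.
Import-Module ActiveDirectory
$config = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # unset attribute means the pre-2003 SP1 default of 60 days
"Tombstone lifetime: $tsl days"

$dcs = 'DC01', 'DC1', 'DC2', 'DR1', 'DR2'      # names from the post; use FQDNs if short names do not resolve

# 1. Inbound partner state per partition, with age of the last success
foreach ($dc in $dcs) {
    try {
        Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound -ErrorAction Stop |
            Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult,
                          ConsecutiveReplicationFailures,
                          @{n='DaysSinceSuccess';    e={ [int]((Get-Date) - $_.LastReplicationSuccess).TotalDays }},
                          @{n='PastTombstoneLifetime';e={ ((Get-Date) - $_.LastReplicationSuccess).TotalDays -gt $tsl }}
    } catch {
        "{0}: cannot query ({1})" -f $dc, $_.Exception.Message    # DC unreachable is itself a finding
    }
}

# 2. Recorded failures with their error codes (8453 = access denied, 1722 = RPC
#    server unavailable, 8614 = partner past tombstone lifetime, 8606 = lingering objects)
Get-ADReplicationFailure -Target $dcs -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError | Format-Table -AutoSize

# 3. The classic view of the same data, and a forced sync attempt once the cause is fixed
repadmin /replsummary
repadmin /showrepl DR1 /verbose
# repadmin /syncall DR1 /AdeP
```

If DR1 reports `8614`/"past tombstone lifetime" (Directory Service event 2042 on its partners), rebuild it: `dcpromo /forceremoval` (or `Uninstall-ADDSDomainController -ForceRemoval`), then `ntdsutil` metadata cleanup for DR1 on DC01, and promote a fresh DC. If the failures are 1722/8453 and the DR DCs are within the lifetime, fix the transport (DNS SRV records for the DR site, firewall between sites, the DR DCs' secure channel) and let them catch up; formatting a reachable, in-lifetime DC is unnecessary and loses nothing but time.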

WSUS Server Upgrade 2012 to 2016


Dear Team,

I want to upgrade my WSUS server from 2012 to 2016. My current setup is: I have a 2012 WSUS server and I have created a 2016 WSUS server as a downstream server. Now what do I do next?

Can I do an in-place upgrade of the 2012 server to 2016? I do not want to change the name and IP of the server. The same IP and name should remain so that I do not require changes to the GPO.

Please suggest plan. 


How Do Microsoft's Active Directory Security Requirements Affect Existing .NET Application


I'm trying to get some clarity on the guidelines/requirements that Microsoft released this month regarding AD and LDAP.  My company produces software that queries AD for groups and users.  We use several .NET classes within the System.DirectoryServices.AccountManagement namespace for pretty much all of this.  We use the PrincipalContext class with the default options (Negotiate, Signing, Sealing) to perform the binding.

We have a customer who is requiring that we support LDAPS because they believe this is being mandated by Microsoft.  From what I have been able to gather, the requirement is only that bindings be done in a secure manner, not necessarily that they be done using one particular approach.  However, I'm still not entirely certain that my interpretation is correct.  If I could get answers to the following questions, I should be in a better position to know what we need to do for this customer.  Please keep in mind that we're only concerned with Active Directory.

 1. By my reading, signing and sealing is secure, and is actually how
    most Microsoft client/server applications bind.  Is this correct?
 2. LDAPS is probably only necessary to support clients that cannot use
    signing/sealing (possibly because the client doesn't support NTLM or
    Kerberos).  Is this correct?
 3. A domain with LDAPS support must still support LDAP (with
    signing/sealing support).  You can't somehow remove support for
    regular LDAP as that would break many clients, correct?
 4. If the first three assertions are correct, is there any real reason
    why a client application that already supports signing/sealing
    should want to support LDAPS?

Thanks in advance to anyone who can provide answers to any or all of these questions.

ldap failover


Hi,

I'm trying to implement LDAP failover, and this is what I did.

1. Created a host entry in DNS, ldap-aws, whose IP address is the IP of server11 (10.10.10.11), and then another identical host entry ldap-aws whose IP is the IP of server12 (10.10.10.12).

2. acquire certificate from our internal CA.



Am I doing the right thing with the certificates and DNS implementations? 
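Added example (not part of either post above, the .NET question or the failover one): the two ways to bind to AD securely, side by side, from Windows PowerShell using `System.DirectoryServices.Protocols` (the same stack `PrincipalContext` sits on). Bind (a) is LDAP on 389 with Negotiate plus signing and sealing, which is what the 2020 LDAP hardening demands and what `PrincipalContext`'s default options already do; bind (b) is LDAPS on 636, where the protection comes from TLS and the DC's certificate must name whatever the client connected to. For a round-robin alias such as `ldap-aws`, that means every DC behind the alias needs the alias in its certificate's subject alternative name, and the callback in (b) checks precisely that for each address in turn. The alias `ldap-aws.corp.example`, the internal CA being trusted by the client, and the optional credential are assumptions.

```powershell
# Added example: signed/sealed LDAP on 389 versus LDAPS on 636 with a SAN check.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$alias = 'ldap-aws.corp.example'   # the DNS round-robin name (placeholder FQDN)
$cred  = $null                     # or: Get-Credential  (null = logged-on identity)

function Connect-LdapSigned {
    param([string]$Server, [pscredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos, NTLM fallback
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # integrity: what LDAPServerIntegrity = 2 requires
    $conn.SessionOptions.Sealing = $true   # confidentiality on top of it
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    $conn.Bind()
    return $conn
}

function Connect-Ldaps {
    param([string]$Server, [string]$ExpectedName, [pscredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    # Custom check: chain must build to a trusted CA AND the SAN must list the
    # alias, even though this call connects to one DC's address directly.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($c, $cert)
        $x   = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
        $ext = $x.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $san = if ($ext) { $ext.Format($false) } else { '' }
        $nameOk = $san -match ('(^|,\s*)DNS Name=' + [regex]::Escape($ExpectedName) + '(,|$)')
        if (-not $nameOk) { Write-Warning "Cert '$($x.Subject)' does not list $ExpectedName (SAN: $san)" }
        $nameOk -and $x.Verify()
    }.GetNewClosure()
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    $conn.Bind()
    return $conn
}

function Get-RootDseValue {
    param($Connection, [string]$Attribute)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', $Attribute)
    $res = $Connection.SendRequest($req)
    return [string]$res.Entries[0].Attributes[$Attribute][0]
}

# (a) signed + sealed bind via the alias; rootDSE tells us which DC answered
$c1 = Connect-LdapSigned -Server $alias -Credential $cred
"389 signed/sealed -> answered by " + (Get-RootDseValue $c1 'dnsHostName')
$c1.Dispose()

# (b) LDAPS to every address behind the alias, validating the alias name each time
$ips = (Resolve-DnsName $alias -Type A | Where-Object Type -eq 'A').IPAddress
foreach ($ip in $ips) {
    try {
        $c2 = Connect-Ldaps -Server $ip -ExpectedName $alias -Credential $cred
        "636 to $ip -> " + (Get-RootDseValue $c2 'dnsHostName') + ' OK'
        $c2.Dispose()
    } catch {
        "636 to $ip -> FAILED: $($_.Exception.Message)"
    }
}
```

On the .NET questions: with `LDAPServerIntegrity = 2` a DC rejects SASL binds that did not negotiate signing and simple binds on clear-text connections, but accepts (a) and (b) alike, so an application that already binds with Negotiate plus signing and sealing needs nothing further; LDAPS is the route for clients that cannot do SASL signing, and channel binding (`LdapEnforceChannelBinding`) only comes into play on TLS connections, where it ties the bind to the TLS session. On the failover question: two A records for one name give the client a choice of addresses, but each DC presents its own certificate, so the certificate request for each server should include `ldap-aws` (and the DC's own FQDN) as SAN entries; block (b) above is the test that this was done on both.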

Global catalog


After adding a new domain controller, in the command below the GlobalCatalogs field is blank, whereas if I query with the command "Get-ADForest domain.com | FL GlobalCatalogs" it lists all DC servers.

PS C:\Users\dcuser> [system.directoryservices.activedirectory.Forest]::GetCurrentForest()

Name                  : domain.com
Sites                 : {SITE-A1, SITE-B1, Site-C1}
Domains               : {domain.com}
GlobalCatalogs        : 
ApplicationPartitions : {DC=ForestDnsZones,DC=domain,DC=com, DC=DomainDnsZones,DC=domain,DC=com}
ForestModeLevel       : 6
ForestMode            : Windows2012R2Forest
RootDomain            : domain.com
Schema                : CN=Schema,CN=Configuration,DC=domain,DC=com
SchemaRoleOwner       : DC2.domain.com
NamingRoleOwner       : DC2.domain.com
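Added example (not part of the original post): rather than trusting one API's formatted output, GC status can be confirmed from three independent places: the `options` attribute of each DC's NTDS Settings object (bit 0x1 = IS_GC), the `_gc._tcp.<forest>` SRV records a GC registers in DNS, and whether TCP 3268 answers. The script below assumes the ActiveDirectory module and `Test-NetConnection` (Windows 8/2012 or later), and ends with the same .NET object the post used, asked to enumerate the GCs explicitly.

```powershell
# Added example: verify global catalog status per DC from directory, DNS and network.
Import-Module ActiveDirectory
$forest = Get-ADForest
$gcSrv  = Resolve-DnsName "_gc._tcp.$($forest.Name)" -Type SRV -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget

foreach ($dc in Get-ADDomainController -Filter *) {
    $ntds = Get-ADObject $dc.NTDSSettingsObjectDN -Properties options
    $isGcBit = (([int]$ntds.options) -band 1) -eq 1     # NTDSDSA_OPT_IS_GC
    $port = (Test-NetConnection -ComputerName $dc.HostName -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        ApiSaysGC  = $dc.IsGlobalCatalog      # what the AD module reports
        OptionsBit = $isGcBit                 # what the directory actually says
        InGcSrv    = $gcSrv -contains $dc.HostName   # registered in DNS as a GC
        Port3268   = $port                    # actually serving the GC port
    }
} | Format-Table -AutoSize

# The .NET API from the post, asked to enumerate GCs rather than relying on the
# property that Format-List displayed as empty
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindAllGlobalCatalogs() |
    Select-Object Name, SiteName
```

A DC whose `OptionsBit` is true but whose `InGcSrv` or `Port3268` is false has been flagged as a GC but has not finished building its read-only partitions (Directory Service event 1119 marks completion); a new DC commonly sits in that state for a while after promotion, and DNS registration follows only after the GC is advertised.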

What's the 'Start in' field in the environment tab of the user properties used for?


And what kind of entries can be made there? Also please state some examples for the program file name and Start in field entries.





Delegate Restore objects


Hi..

 

How can I give an account (other than Domain Admins) the rights needed to restore deleted objects from my Windows 2008 R2 FL Recycle Bin? What are the minimum permissions?


ammarhasayen
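Added example (not part of the original post): restoring from the AD Recycle Bin with `Restore-ADObject` needs three things, none of which requires Domain Admins: the "Reanimate Tombstones" control access right on the domain partition, list/read access on the Deleted Objects container (which has no usable ACL by default, so an administrator must take ownership of it once), and create-child rights in the OU the object goes back to. The script below grants exactly those to a placeholder group with the built-in `dsacls.exe`, then reads the resulting ACEs back with the ActiveDirectory module. The domain `contoso.com`, the group `CONTOSO\AD-Restorers` and the target OU are placeholders.

```powershell
# Added example: least-privilege delegation for AD Recycle Bin restores.
$domainDn = 'DC=contoso,DC=com'
$grp      = 'CONTOSO\AD-Restorers'
$targetOu = "OU=Staff,$domainDn"     # where restored objects will land

# (1) Reanimate Tombstones control access right on the domain naming context
#     (rightsGuid 45ec5156-db7e-47bb-b53f-dbeb2d03c40f; dsacls takes the display name)
dsacls $domainDn /G "${grp}:CA;Reanimate Tombstones"

# (2) Deleted Objects: take ownership once, then grant List Children + Read Property
dsacls "CN=Deleted Objects,$domainDn" /takeownership
dsacls "CN=Deleted Objects,$domainDn" /G "${grp}:LCRP"

# (3) Create child users and groups in the restore target OU, inherited to sub-OUs
dsacls $targetOu /I:T /G "${grp}:CC;user" "${grp}:CC;group"

# Verify what the group now holds on each of the three objects
Import-Module ActiveDirectory
foreach ($dn in $domainDn, "CN=Deleted Objects,$domainDn", $targetOu) {
    $acl = (Get-ADObject $dn -Properties nTSecurityDescriptor -IncludeDeletedObjects).nTSecurityDescriptor.Access |
        Where-Object { $_.IdentityReference.Value -eq $grp }
    "== $dn"
    $acl | Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType | Format-Table -AutoSize
}

# Test as a member of the group (no Domain Admins membership involved):
# Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'jdoe*' } -IncludeDeletedObjects | Restore-ADObject
```

If a restore still fails with access denied, it is usually because the object's `lastKnownParent` OU is not the one delegated in step (3); `Restore-ADObject -TargetPath` can redirect it to an OU where the group does have create-child rights. Keep the grant on a dedicated group rather than individual accounts, since "Reanimate Tombstones" on the whole domain partition is a powerful right: whoever holds it can bring back any deleted principal, including ones removed for a reason.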