Channel: Directory Services forum

Windows Active Directory -> Nat on DNS service only

Hello everybody,

we are doing some tests on AD deployed on Windows Server 2016, and we would like to use the full capacity of the DNS Server (including Scopes and Policies).

For that purpose, we are planning to create a DNAT/SNAT policy, only for the DNS Server (53/udp), that allows us to use Scope policies with Subnet filters (we would only have to use the Subnet of the IPs of the SNAT policies).

The question we have is: does Microsoft support this kind of solution? I mean applying SNAT/DNAT only on the DNS server while the rest of the communications go in a transparent way.

Thanks for the help.

BR.
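
The policy mechanism the post wants to drive, as an added example (not code from the original post): a client-subnet object bound to a zone scope on a Windows Server 2016 DNS server. Zone, scope, subnet and addresses are assumptions. The point that matters for the NAT design is in the comment on `$subnet`: the policy matches the source address the DNS server sees, so behind SNAT the subnet object has to describe the SNAT pool, not the clients' real range.

```powershell
# Added example; not from the original post. Client-subnet based DNS policy on a
# Windows Server 2016 DNS server. Zone, scope, subnet and addresses are assumptions.
Import-Module DnsServer

$zone       = 'corp.example.com'     # assumed AD-integrated zone
$scopeName  = 'Showroom-Scope'       # assumed zone scope name
$subnetName = 'Showroom-Clients'     # assumed client-subnet object name
# The policy matches the source address the DNS server actually sees. Behind SNAT that
# is the translated pool, so this must be the SNAT range, not the clients' real range.
$subnet     = '10.50.0.0/24'

# 1. Client subnet object the policy will reference.
Add-DnsServerClientSubnet -Name $subnetName -IPv4Subnet $subnet

# 2. A zone scope: a second record set living inside the same zone.
Add-DnsServerZoneScope -ZoneName $zone -Name $scopeName

# 3. Scope-specific answer. The default scope keeps whatever 'app' already resolves to.
Add-DnsServerResourceRecord -ZoneName $zone -ZoneScope $scopeName -A -Name 'app' -IPv4Address '10.50.0.20'

# 4. Tie the subnet to the scope: queries from $subnet are answered from $scopeName,
#    everything else falls through to the default scope.
Add-DnsServerQueryResolutionPolicy -Name 'Showroom-Policy' -Action ALLOW -ZoneName $zone `
    -ClientSubnet "EQ,$subnetName" -ZoneScope "$scopeName,1"

# Verify what was installed, then query from an address inside and outside the subnet.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone | Format-List *
Get-DnsServerClientSubnet
# Resolve-DnsName app.corp.example.com -Server 10.0.0.10   # assumed DNS server; run from each side of the NAT
```

Zone scopes and policies are per-server configuration, not zone data: they are not replicated with the AD-integrated zone, so each DNS server that should behave this way needs the same commands run against it.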


Can I be member of thousands of AD distribution groups?

Hi,

I know the Windows limits ("Active Directory Maximum Limits" https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756101(v=ws.10) ) regarding security groups.
But what about AD distribution groups: Can I be member in thousands of them?

Background:
Many applications in our company use AD groups to control access within the appl. 
When a user logs on, the appl uses LDAP to connect to AD and to determine in which AD groups the user is. They don't use/need the group SID; they just rely on the group names, they just need groups and memberships.
So my thoughts are:
In these cases a distribution group might be enough. This would not blow up the token size of the users.
I know that such a group could not be re-used to control access to a CIFS share.

Thanks
Walter
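
The difference the post relies on, as an added example (not code from the original post): the groups an LDAP-based application reads from memberOf are not the same set as the SIDs that go into the logon token (tokenGroups). Distribution groups appear in memberOf but not in the token; nested groups and the primary group appear in the token but not in memberOf. The account name is an assumption.

```powershell
# Added example; not from the original post. Compares a user's memberOf (what an LDAP-based
# application reads) with tokenGroups (the SIDs that end up in the logon token and therefore
# count against token size). Distribution groups show up in the first list but not the second;
# nested and primary groups show up in the second but not the first. The account name is assumed.
$sam = 'jdoe'

$searcher = [System.DirectoryServices.DirectorySearcher]::new("(&(objectClass=user)(sAMAccountName=$sam))")
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('memberOf')
$hit = $searcher.FindOne()
if (-not $hit) { throw "user $sam not found" }
$userDn   = [string]$hit.Properties['distinguishedname'][0]
$memberOf = @($hit.Properties['memberof'])

# tokenGroups is constructed on the fly; it is only returned for a base-scope read of the object.
$user = [ADSI]"LDAP://$userDn"
$user.RefreshCache([string[]]@('tokenGroups'))
$tokenSids = foreach ($raw in $user.Properties['tokenGroups']) {
    [System.Security.Principal.SecurityIdentifier]::new([byte[]]$raw, 0)
}

$rows = foreach ($groupDn in $memberOf) {
    $g    = [ADSI]"LDAP://$groupDn"
    $sid  = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$g.Properties['objectSid'][0], 0)
    $type = [int64]$g.Properties['groupType'][0]
    [pscustomobject]@{
        Group           = [string]$g.Properties['sAMAccountName'][0]
        SecurityEnabled = ($type -band 0x80000000) -ne 0   # ADS_GROUP_TYPE_SECURITY_ENABLED
        InToken         = [bool]($tokenSids | Where-Object { $_.Equals($sid) })
    }
}
$rows | Sort-Object SecurityEnabled, Group | Format-Table -AutoSize
"memberOf entries: $($memberOf.Count); SIDs in token (incl. nested + primary group): $($tokenSids.Count)"
```

Rows with SecurityEnabled = False and InToken = False are exactly the distribution-group memberships the post proposes: visible to an LDAP query, absent from the token.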

Active Directory/Terminal Services/DNS - Best practices

I have some time to move our three (non-virtual) Server 2008 Terminal Services servers and create a domain controller during this coronavirus-forced slowdown.

Our new environment consists of two servers running Server 2012, and both have Hyper-V. I was going to create three Server 2012 RDS VMs to replace the separate physical servers.

I want to add the Domain Controller role SOMEWHERE in this environment. I have not used a domain controller before, but am coming up to speed quickly.

1. What type of server should the Domain controller/AD be installed on?

-can it (SHOULD IT) be installed on a hyper-v VM?

-should it be installed on a separate server

2. What is the purpose of the DNS role with AD? So far all users are getting DNS services/routing from the local router

Our business consists of 5 remote showrooms; all users will be logging in against the DC/AD and RDS servers over VPN connections.

I know this is a broad question, but  I appreciate any experience comments in this regard.

Best

Client profile on windows server 2012

Hello, I'm using Windows Server 2012 as a domain server.

My clients use files from the domain server.

Is it possible for the clients to see their own desktop with their own shortcuts on any client computer they use?

Multiple Failed Logon Attempts

Hi,

I am finding multiple failed logon attempts on our domain.  These are occurring on servers and desktops.  We have a policy to lock an account after 3 failed logon attempts.  Why would I see numbers in the 30s and 40s of failed attempts?  It doesn't make sense.

Also, I have different types of users making these attempts.  I have GUEST and ADMINISTRATOR (which I know are disabled on the domain).
I also have users attempting to login with their full domain name (for example user_name@xxxdomain.com).
Lastly, I have users who do not even exist with a user account on the domain.

How is all of this happening?
Does anyone have any suggestions?
Any ideas would be greatly appreciated.
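
An added example, not code from the original post, of how a practitioner would break such counts down. Event 4625 carries an NTSTATUS sub-status per failure; only failures AD can attribute to an existing, enabled account add to badPwdCount, so guesses against nonexistent, disabled or already-locked accounts can pile up well past a 3-attempt threshold without ever locking anything. The three sample events are constructed to match the shapes in the post (disabled built-in, UPN-style name, nonexistent user); the live query at the end is the real input. On a domain controller the domain-logon failures are mostly 4771 (Kerberos pre-auth) and 4776 (NTLM) rather than 4625.

```powershell
# Added example; not from the original post. Summarises failed-logon events (4625) by account,
# source and NTSTATUS sub-status. Sample events below are constructed; the live query at the end
# is the real input.
$Reason = @{
    '0xc000006a' = 'wrong password (counts toward lockout)'
    '0xc0000064' = 'account does not exist'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account already locked out'
    '0xc000006f' = 'outside logon hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired'
    '0xc0000193' = 'account expired'
    '0xc000015b' = 'logon type not granted'
}

function ConvertFrom-FailedLogonXml {
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $e = [xml]$Xml
        $d = @{}
        foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = ([string]$d['SubStatus']).ToLower()
        [pscustomobject]@{
            Time      = [datetime]$e.Event.System.TimeCreated.SystemTime
            Computer  = $e.Event.System.Computer
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = [int]$d['LogonType']
            Source    = "$($d['IpAddress']) ($($d['WorkstationName']))"
            SubStatus = $sub
            Reason    = if ($Reason.ContainsKey($sub)) { $Reason[$sub] } else { 'other' }
        }
    }
}

function Get-FailedLogonSummary {
    param([Parameter(ValueFromPipeline)]$Event)
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Event) }
    end {
        $all | Group-Object Account, Source, Reason | Sort-Object Count -Descending | ForEach-Object {
            $f = $_.Group[0]
            [pscustomobject]@{
                Count = $_.Count; Account = $f.Account; Source = $f.Source; LogonType = $f.LogonType
                Reason = $f.Reason; Last = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
    }
}

# Constructed sample: disabled built-in, UPN-style user name, nonexistent local account.
$sample = @(
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="2020-04-01T08:00:01Z"/><Computer>FS01.corp.example.com</Computer></System><EventData><Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">CORP</Data><Data Name="SubStatus">0xc0000072</Data><Data Name="LogonType">3</Data><Data Name="WorkstationName">-</Data><Data Name="IpAddress">203.0.113.5</Data></EventData></Event>',
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="2020-04-01T08:00:02Z"/><Computer>FS01.corp.example.com</Computer></System><EventData><Data Name="TargetUserName">user_name@corp.example.com</Data><Data Name="TargetDomainName"></Data><Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">3</Data><Data Name="WorkstationName">-</Data><Data Name="IpAddress">203.0.113.5</Data></EventData></Event>',
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="2020-04-01T08:00:03Z"/><Computer>FS01.corp.example.com</Computer></System><EventData><Data Name="TargetUserName">backup</Data><Data Name="TargetDomainName">FS01</Data><Data Name="SubStatus">0xc0000064</Data><Data Name="LogonType">3</Data><Data Name="WorkstationName">-</Data><Data Name="IpAddress">203.0.113.5</Data></EventData></Event>'
)
$sample | ConvertFrom-FailedLogonXml | Get-FailedLogonSummary | Format-Table -AutoSize

# Live: last 24 h on this host. On a DC, look at 4771 (failure code 0x18 = bad password,
# 0x6 = no such user) and 4776 (NTLM) for domain logons instead.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-FailedLogonXml | Get-FailedLogonSummary | Format-Table -AutoSize
```

A single source address cycling through built-in names, UPN-style names and names that do not exist, with logon type 3, is the signature of a password-spraying or brute-force client rather than a misconfigured user; the Source column is what to take to the firewall logs.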

LDAPS using domain name or domain controller host name?

Hi everybody

To configure LDAP authentication I prefer to enter the domain name as the domain controller or host, for example contoso.com. The advantage is that if I need to change the domain controllers, I do not need to update all systems with the new domain controller names. This makes a domain controller migration easier.

On the other hand, with LDAPS, I guess the common name is checked, and the certificate of the domain controller only contains the host name of the domain controller and not the domain. So if I configure LDAPS with the domain controller it works; if I use the domain name, it does not work, as the host name does not match the common name in the certificate.

What is recommended or best practices to use?

The domain name? If yes, how do you resolve the certificate issue? Change the certificates on the domain controllers so it contains the domain name as SAN?

The domain controllers? If yes, how do you migrate the domain controllers without changing the domain controllers on all systems?

Thank you in advance!

Best regards,

Power22
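
A check for the situation described, as an added example (not code from the original post): open a TLS session to the LDAPS port under a given name, record the validation result a client would get for that name, and list the certificate's DNS SANs. The host names are assumptions; run it once with the domain name and once with a DC name. When a SAN extension is present, name matching is done against the SANs and the CN is not consulted, so the fix the post guesses at (the domain name as an additional SAN on every DC's certificate) is what makes the domain-name target validate.

```powershell
# Added example; not from the original post. Opens a TLS session to an LDAPS endpoint, records
# the validation result a client would get for that name, and lists the certificate's DNS SANs.
# The host names are assumptions; run it once with the domain name and once with a DC name.
function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 636)

    $seen   = @{ Errors = $null }
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # The callback records the policy errors instead of failing, so the report can show them.
    # In real client configuration never return $true unconditionally like this.
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $seen.Errors = $errors; $true })
    try {
        $ssl.AuthenticateAsClient($HostName)   # validates chain + name against $HostName
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $dnsNames = if ($san) {
            $san.Format($false) -split ', ' | Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { $_.Substring(9) }
        } else { @() }
        [pscustomobject]@{
            Target       = "$HostName`:$Port"
            Subject      = $cert.Subject
            DnsSans      = $dnsNames -join '; '
            NameCovered  = [bool]($dnsNames | Where-Object { $_ -eq $HostName })
            PolicyErrors = [string]$seen.Errors      # None, RemoteCertificateNameMismatch, ...
            Expires      = $cert.NotAfter
        }
    } finally { $ssl.Dispose(); $client.Dispose() }
}

Test-LdapsCertificate -HostName 'contoso.com'        # the post's preferred target
Test-LdapsCertificate -HostName 'dc01.contoso.com'   # assumed DC host name
```

Because the bare domain name resolves to any DC, every DC's certificate has to carry the domain name as a SAN, not just one of them; run the check repeatedly, or against each DC by its own name, to see which ones are missing it.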

Windows Server 2012 - Replication Event on Secondary Domain Controller

We are looking for a way to track when a user account was created/deleted/changed on the secondary domain controller. When we make the change on the primary, I can see the event in the event log, but we want to see that replication event on the secondary domain controller. I'm not sure what I'm looking for, and we have so many logon/logoff events that the event log only holds 2-3 minutes of data before filling up. Since it takes time to replicate, I can't catch the event.


I've gone into the group policy settings for the domain controllers and turned on advanced audit for the replication service but it's really only showing me that it was able to talk to the other domain controller, not what was actually replicated.


I'm hoping there is a way that we can track the change, even if it is as simple as something like a change was made. It doesn't have to be in great detail. If maybe someone knows what event id is that I need to look for then I can filter through and find it.


Maybe I'm looking in the wrong place all together? Any help would be greatly appreciated.
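
An added example, not code from the original post. The account-management events (4720 created, 4726 deleted, 4738 changed) are written only on the DC that took the change; a replication partner applies the update without logging an equivalent event, which is why the replication audit subcategory only reports the session. What the partner does keep, per attribute, is replication metadata: originating DC, originating time and a version counter. Reading that from the second DC answers the when/where/what the post asks for. Server and account names are assumptions.

```powershell
# Added example; not from the original post. Reads replication metadata for an account from the
# "secondary" DC: per attribute, which DC originated the change and when. Names are assumptions.
Import-Module ActiveDirectory
$secondDc = 'DC02.corp.example.com'
$sam      = 'jdoe'
$since    = (Get-Date).AddDays(-7)

$user = Get-ADUser -Identity $sam -Server $secondDc
Get-ADReplicationAttributeMetadata -Object $user -Server $secondDc -ShowAllLinkedValues |
    Where-Object { $_.LastOriginatingChangeTime -ge $since } |
    Sort-Object LastOriginatingChangeTime -Descending |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
        @{ n = 'OriginatingDC'; e = { $_.LastOriginatingChangeDirectoryServerIdentity } },
        LastOriginatingChangeUsn, LocalChangeUsn |
    Format-Table -AutoSize

# Accounts created recently, as the second DC sees them (whenCreated replicates; whenChanged does not).
Get-ADUser -Server $secondDc -Filter 'whenCreated -ge $since' -Properties whenCreated |
    Select-Object SamAccountName, whenCreated

# Accounts deleted recently: the deleted object keeps its metadata for the tombstone lifetime.
Get-ADObject -Server $secondDc -IncludeDeletedObjects -Properties isDeleted, whenChanged, lastKnownParent `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and whenChanged -ge $since' |
    Select-Object Name, lastKnownParent, whenChanged
```

LocalChangeUsn is the second DC's own USN for applying the replicated value, which is as close as it gets to "the time the change arrived here"; LastOriginatingChangeTime is the time on the DC where it was made.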

Certificate enrollment failed - 0x8007054b

Hi,

we have some PCs that cannot enroll certificates; the error is: The specified domain either does not exist or could not be contacted.

These PCs are in a restricted network location; we have opened the ports below to specific servers:

To AD server: TCP/UDP 137&138&139&389&636&88&53&445, TCP 135 & 49152-65535. 

to CA server: TCP 135 & 139 & 445 & 49152-65535. 

Is there something I missed, or how do I troubleshoot the error?

thanks in advance!
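
An added example, not code from the original post, that runs from one of the restricted PCs the steps the enrolment client itself takes before it ever talks to the CA. 0x8007054b is Win32 error 1355, ERROR_NO_SUCH_DOMAIN, which is the DC locator's own failure, so the useful questions are whether DNS answers the SRV lookup, whether the locator's CLDAP ping (UDP 389) gets through, and only then whether each port in the rule set is open. Domain and CA names are assumptions.

```powershell
# Added example; not from the original post. DC discovery and per-port checks from a restricted PC.
# Domain, CA host and CA common name are assumptions.
$domain = 'corp.example.com'
$caHost = 'ca01.corp.example.com'

# 1. DC locator: SRV lookup. Needs port 53 to the DNS server the PC is configured with,
#    which is not necessarily "the AD server".
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
$dcs = $srv.NameTarget | Sort-Object -Unique
"DCs advertised in DNS: $($dcs -join ', ')"

# 2. The locator's CLDAP ping runs over UDP 389; a TCP-only 389 rule does not satisfy it.
nltest "/dsgetdc:$domain" /force

# 3. Port map. LDAP (389), Kerberos (88), SMB (445) and RPC mapper (135) to a DC; RPC mapper (135)
#    plus the dynamic port the mapper hands back to the CA (DCOM, ICertRequest).
$targets = @()
foreach ($dc in $dcs) { foreach ($p in 88, 135, 389, 445) { $targets += [pscustomobject]@{ Host = $dc; Port = $p } } }
foreach ($p in 135, 445)                                  { $targets += [pscustomobject]@{ Host = $caHost; Port = $p } }
foreach ($t in $targets) {
    $ok = (Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-34} {1,5}  {2}' -f $t.Host, $t.Port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 4. End to end: can this PC reach the CA's RPC interface and list the templates it may enrol?
certutil -config "$caHost\Corp-Issuing-CA" -ping          # CA common name is an assumption
certutil -config "$caHost\Corp-Issuing-CA" -CATemplates
```

If step 1 or 2 fails, the port list to the CA is irrelevant: the client never gets as far as the CA, and the error text in the post is exactly what the locator returns in that case.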


Logon Unsuccessful: The user name you typed is the same as the user name you logged in with

Windows 2003 domain. I get the following message when using a user with domain admin permissions:
"Logon Unsuccessful: The user name you typed is the same as the user name you logged in with. That user name has already been tried. A domain controller cannot be found to verify that user name."
other domain admin level users have no issues (yet?)
when I try to connect to the same services from same PCs or servers using a different administrator, it is working - I take it as something faulty with the user, not with network connectivity or local PCs
this is coming and going without any noticeable reason

http://ITDualism.wordpress.com

Active Directory: can the "Licensing Site Settings" object be safely deleted?

Hi 

Over the years our domain has been updated several times (Windows NT-Windows 2000-Windows2003-Windows 2008R2-Windows2019)

As a result, it certainly has objects that are no longer really needed.

For example, in some sites, we have a "Licensing Site Settings" object.

After researching on the Internet, we have only found that earlier (Windows 2000/2003) domain controllers had a "License Logging Service" and this object comes from that time.
In Windows Server 2008 and newer, this service ("License Logging Service") has disappeared.
Unfortunately, the "Licensing Site Settings" object still exists in some sites.

Can we delete the "Licensing Site Settings" object without concern?

Thanks in advance.

Usage of -ServicePrincipalNames when creating gMSA accounts

This question is based on the below article,

https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps

As per the example the usage will look like below for gMSA accounts,
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

We always get the below error,

New-ADServiceAccount : The name reference is invalid
At line:1 char:1
+ New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

Was able to fix the issue using the below format. Not sure if the approach was correct but SPNs did get auto-registered in SQL Server.

New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManagedPassword SQL_gMSA_group
************************************************************************************************************
Questions :
*****************************************
1> Which is the correct syntax to create gMSA using -ServicePrincipalNames ?
2> In the above example I have just used one server SPNs[ie., sqlserver]. But when we have several servers added to the gMSA Security Group, how do we use -ServicePrincipalNames?

I feel we need to have more elaborate explanations to the -ServicePrincipalNames.
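
An added example, not code from the original post, covering both questions. New-ADServiceAccount's -ServicePrincipalNames is a plain string[]; the @{Add=...} hashtable form is what Set-ADServiceAccount takes, which is where it is used below for adding a host later. For several SQL hosts sharing one gMSA, every host's MSSQLSvc SPNs go on the one account object, and because an SPN must be unique in the forest the script refuses to create the account if any of them is already registered elsewhere (a duplicate SPN leaves the KDC unable to issue tickets for that service). Host names, suffix, group and port are assumptions.

```powershell
# Added example; not from the original post. One gMSA serving SQL Server on several hosts.
# Host names, DNS suffix, group and port are assumptions.
Import-Module ActiveDirectory

$gmsaName  = 'gMSAsqlservice'
$dnsSuffix = 'corp.example.com'
$group     = 'SQL_gMSA_group'                  # group of the computers allowed to fetch the password
$sqlHosts  = 'sqlserver01', 'sqlserver02'      # every host that will run SQL Server under this gMSA
$port      = 1433

if (-not (Get-KdsRootKey)) { throw 'No KDS root key in the forest: run Add-KdsRootKey first.' }

# SQL Server registers MSSQLSvc/<fqdn> for the default instance and MSSQLSvc/<fqdn>:<port>.
$spns = foreach ($h in $sqlHosts) {
    "MSSQLSvc/${h}.${dnsSuffix}"
    "MSSQLSvc/${h}.${dnsSuffix}:${port}"
}

# Uniqueness check across the whole forest (GC port), not just this domain.
$gc = (Get-ADForest).RootDomain + ':3268'
$dupes = foreach ($spn in $spns) {
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Server $gc |
        ForEach-Object { [pscustomobject]@{ SPN = $spn; AlreadyOn = $_.DistinguishedName } }
}
if ($dupes) { $dupes | Format-Table -AutoSize; throw 'Duplicate SPNs: remove them from the other account first.' }

New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "${gmsaName}.${dnsSuffix}" `
    -ServicePrincipalNames $spns `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType 'AES128,AES256'

Get-ADServiceAccount $gmsaName -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Format-List Name, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# A third host later: this is where the hashtable syntax belongs.
# Set-ADServiceAccount $gmsaName -ServicePrincipalNames @{ Add = "MSSQLSvc/sqlserver03.${dnsSuffix}", "MSSQLSvc/sqlserver03.${dnsSuffix}:${port}" }

# On each SQL host, once it is in $group and has a fresh Kerberos ticket (reboot or klist purge):
# Install-ADServiceAccount $gmsaName; Test-ADServiceAccount $gmsaName
```

Restricting -KerberosEncryptionType to AES is worth doing at creation time: the gMSA's password is random and 240 bytes long, so there is no reason to leave RC4 keys on it.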

windows server 2003 Primary DC recover +exchange server 2003

Hi,

in my scenario,

I have 1 DC + DNS (Windows Server 2003 R2 Enterprise with all FSMO roles) + Exchange Server 2003, and 1 ADC server + DHCP + DNS.

But suddenly my DC server stopped booting; the server is not coming on.

How can we recover my domain controller with the FSMO roles and the Exchange server? We have more than 50 users live working.

What will be the steps for recovery without my old primary DC on?

Thanks and Regards

khalid Hussain 
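
The FSMO part of such a recovery, as an added example (not code from the original post) in the order it is done on a surviving Windows Server 2003 DC once it is certain the dead DC will not come back: seize the roles, remove the dead DC's metadata, verify. Seizing is one-way; the old server must never be powered on again on this network. If a system-state backup of the dead DC exists, restoring it is the better first option. Exchange 2003 on the same box is a separate recovery not covered here. The server name and DN are assumptions.

```powershell
# Added example; not from the original post. Seize FSMO roles and clean up a dead 2003 DC.
# Run on the surviving DC as Enterprise Admin + Schema Admin. Names and DN are assumptions.
$survivor = 'ADC01'
$deadDcDn = 'CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'

# 1. Confirm which roles are unreachable.
netdom query fsmo
dcdiag /test:KnowsOfRoleHolders

# 2. Seize all five roles. ntdsutil tries a transfer first and seizes when the holder is silent.
#    (Windows Server 2003 wording; 2008 and later say "seize naming master".)
ntdsutil 'roles' 'connections' "connect to server $survivor" 'quit' `
    'seize schema master' 'seize domain naming master' 'seize PDC' `
    'seize RID master' 'seize infrastructure master' 'quit' 'quit'

# 3. Remove the dead DC's NTDS Settings and server objects (2003 SP1 and later accept the DN directly).
ntdsutil 'metadata cleanup' "remove selected server $deadDcDn" 'quit' 'quit'

# 4. Leftovers ntdsutil does not clean: the dead DC's A/SRV records in DNS (including the
#    _msdcs GUID CNAME) and, if still present, its object in the Domain Controllers OU and its
#    FRS member object. Remove those by hand, then verify.
netdom query fsmo
repadmin /showrepl $survivor
dcdiag "/s:$survivor"
```

The RID master seizure is the one to be most careful with: if the old holder ever came back it would hand out RIDs from the same pool, which is why the rule about never powering it back on is absolute.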

PKI-related issue with Domain Controller and "custom" certificate

I'm honestly not sure if this is a PKI-related issue involving AD, or an AD-related issue involving PKI...  But there is no PKI-specific option under "Windows Server" for this forum site.

What I'm trying to do: Use a special Domain Controller certificate template to make a certificate request on a DC which includes a list of SANs (Subject Alternative Names). (Yes, I know auto-enroll will not work!!) With a SAN, you can use a load-balancer with Secure LDAP (port 636/tcp) and a common name.

I've done this before and it worked great. Downside is you have to manually renew certs. Not a problem here. I am NOT trying to publish the certificate into AD: that option is UNchecked in the certificate template.

The issue is that I am getting this error on the step where I run the command

    certreq -f -submit -config "ca.corp.nydomain.com\My PKI Name" $csrFile $certFile

Where I get an error:

Certificate retrieved(Issued) Issued  Could not publish Certificate.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

In the CAPI2 event log, the only message helpful is:

The certificate is not valid for the requested usage.
[ value] 800B0110

I actually cloned the new template from the default/built-in "Domain Controllers" template; it's just been updated to 2012 R2 with some other parameters for the usage I am trying to implement.

I've gone through all the things that come to mind, like special rights for "cert publishers" on the template, making sure the "Domain Admins" and "Domain Controllers" groups have rights... I'm not sure if I've MISSED something simple!!!

I'm probably going to have to open a Premier ticket, but I was hoping that someone might point out something obvious I've missed.

The domain structure is a root domain, and I am working in a sub-domain, and the AD-integrated PKI servers are domain members of a different sub-domain. (So "A" is the root domain, "B" is the corp sub-domain, and "C" is the sub-domain under "A" in which I am working on with the DC's.)

The DC is Windows Server 2012 R2 and the CA server is Windows Server 2012 R2.

Any thoughts would be greatly appreciated!!


-- Rob "I" --
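
An added example, not code from the original post, of the request itself done end to end: the INF with an explicit SAN list, certreq -new / -submit / -accept, and a check of the template flag that makes the CA try to write the issued certificate into AD (CT_FLAG_PUBLISH_TO_DS, bit 0x8 of msPKI-Enrollment-Flag), which is the step that produced the "Could not publish Certificate" line in the post. Template name, load-balancer name and paths are assumptions; the CA config string is the one from the post.

```powershell
# Added example; not from the original post. Manual DC certificate request with DNS SANs.
# Template name, load-balancer name and paths are assumptions; CA config is from the post.
$caConfig = 'ca.corp.nydomain.com\My PKI Name'
$template = 'DomainControllerSAN'                       # assumed clone of the Domain Controller template
$dcFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$lbName   = 'ldap.corp.nydomain.com'                    # assumed name the load balancer answers on
$workDir  = Join-Path $env:TEMP 'dc-san'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Will the CA try to publish to AD? 0x8 set in msPKI-Enrollment-Flag means yes.
certutil -v -template $template | Select-String 'msPKI-Enrollment-Flag'

$inf = @"
[NewRequest]
Subject = "CN=$dcFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$dcFqdn&"
_continue_ = "dns=$lbName&"
_continue_ = "dns=$($env:USERDNSDOMAIN.ToLower())&"
"@
$inf | Set-Content -Path "$workDir\dc-san.inf" -Encoding ASCII

certreq -new    "$workDir\dc-san.inf" "$workDir\dc-san.req"
certreq -submit -config $caConfig "$workDir\dc-san.req" "$workDir\dc-san.cer"
certreq -accept "$workDir\dc-san.cer"          # pairs the issued cert with the key in the machine store

# What came back: SANs, template, and the EKU Schannel/LDAPS will look for.
certutil -dump "$workDir\dc-san.cer" | Select-String 'DNS Name=', 'Template', 'Server Authentication'
```

Publishing to AD happens on the CA side, under the CA's own computer account, against the requester's object in the requester's domain; in a multi-domain forest that write only works if that account has the rights there (normally via Cert Publishers membership in the target domain). The certificate in the post was still issued, so the -accept step above is unaffected by that failure.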

FSP objects from Internal Domain

Hello,

In my AD environment, there are lot of FSP objects from my Internal domain showing under Foreign Security Principals container. I mean SID value of FSP objects (showing under Name column in FSP container) resolves to Internal Domain user accounts rather than trusted external domain user accounts. Moreover, Readable Name of FSP objects is showing as "Internal Domain\samAccountName" rather than trusted external domain samAccountName.

Please explain and let me know actual root cause of this.
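
An added example, not code from the original post, that walks every foreignSecurityPrincipal, classifies its SID and shows what it resolves to and why. Two of the classes produce exactly the "internal" FSPs described: well-known SIDs (Authenticated Users, Interactive, and so on) are always stored as FSPs, and a SID that an internal account carries in its sIDHistory (typical after an inter-forest migration) resolves to that internal account even though the SID itself belongs to the old external domain.

```powershell
# Added example; not from the original post. Classify every FSP and show why it resolves the way it does.
Import-Module ActiveDirectory
$forestDomainSids = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

$rows = Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties objectSid, memberOf, whenCreated |
ForEach-Object {
    $sid  = [System.Security.Principal.SecurityIdentifier]$_.objectSid
    $kind = if (-not $sid.IsAccountSid())                                   { 'well-known' }
            elseif ($forestDomainSids -contains $sid.AccountDomainSid.Value) { 'SID of a domain in THIS forest' }
            else                                                            { 'external domain' }
    $resolved = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolvable)' }
    # A foreign SID resolves to an internal account when that account holds it in sIDHistory.
    $historyOwner = Get-ADObject -LDAPFilter "(sIDHistory=$($sid.Value))" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Sid             = $sid.Value
        Kind            = $kind
        ResolvesTo      = $resolved
        ViaSidHistoryOf = ($historyOwner.DistinguishedName -join '; ')
        UsedInGroups    = $_.memberOf.Count
        Created         = $_.whenCreated
    }
}
$rows | Sort-Object Kind, ResolvesTo | Format-Table -AutoSize
```

Rows of kind "external domain" with a non-empty ViaSidHistoryOf are the migration case: the FSP is still the old SID, the group membership still works through it, and it keeps working only as long as sIDHistory is kept on the migrated account. Rows whose SID prefix is one of this forest's own domains are the ones worth investigating, since in-forest memberships are not normally stored as FSPs.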

Move user to new domain-forest

I am needing to move users from a Win2K12R2 domain to a new domain/forest (Win2K19) and need to have users connect to their current Office 365 mailbox. The UPN in domain.old is the same UPN as in Office 365. The on-prem domain name is changing to match the Office 365 domain. I have Azure AD Connect working in the old domain and am presently working on installing ADFS and federation in the new domain. I am thinking I can take the object GUID of user and group objects and import that into the new domain to sync up with Office 365, and that would give a match. But some reading said the object GUID is only global within a forest. Which is what led me here.

Thanks in advance for any help. Stay Safe

Lane
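
An added example, not code from the original post. Azure AD ties a synced object to its cloud twin through the sourceAnchor (the ImmutableId on the cloud object). With Azure AD Connect's default for new installations, ms-DS-ConsistencyGuid, that anchor is the objectGUID's 16 bytes, base64-encoded. The objectGUID itself cannot be carried into a new forest, but the bytes can be written into ms-DS-ConsistencyGuid on the new object, and Connect in the new forest then hard-matches the existing cloud user. Assumptions: both the tenant and the new Connect instance use ms-DS-ConsistencyGuid as sourceAnchor (check this in the Connect wizard before relying on it), plus the DC and account names.

```powershell
# Added example; not from the original post. Carry the sourceAnchor of a user into a new forest.
# Assumes sourceAnchor = ms-DS-ConsistencyGuid; DC and account names are assumptions.
Import-Module ActiveDirectory
$oldDc = 'dc1.old.example.com'
$newDc = 'dc1.new.example.com'
$sam   = 'jdoe'

function ConvertTo-ImmutableId   ([byte[]]$AnchorBytes) { [Convert]::ToBase64String($AnchorBytes) }
function ConvertFrom-ImmutableId ([string]$ImmutableId) { [guid]::new([Convert]::FromBase64String($ImmutableId)) }

$old = Get-ADUser -Identity $sam -Server $oldDc -Properties objectGUID, 'mS-DS-ConsistencyGuid', UserPrincipalName
# If Connect already stamped the old object, that value is the anchor; if not, the objectGUID is.
$anchor = if ($old.'mS-DS-ConsistencyGuid') { [byte[]]$old.'mS-DS-ConsistencyGuid' } else { $old.ObjectGUID.ToByteArray() }
"Expected ImmutableId for $($old.UserPrincipalName): $(ConvertTo-ImmutableId $anchor)"
# Compare with the cloud object, e.g. (Get-AzureADUser -ObjectId $old.UserPrincipalName).ImmutableId

$new = Get-ADUser -Identity $sam -Server $newDc -Properties 'mS-DS-ConsistencyGuid'
if ($new.'mS-DS-ConsistencyGuid') {
    throw "Target already has anchor $(ConvertTo-ImmutableId ([byte[]]$new.'mS-DS-ConsistencyGuid')); not overwriting."
}
Set-ADUser -Identity $new -Server $newDc -Replace @{ 'mS-DS-ConsistencyGuid' = $anchor }

# Round trip: the bytes now in the new forest decode to the old forest's objectGUID.
ConvertFrom-ImmutableId (ConvertTo-ImmutableId $anchor)
```

The UPN must also match what the cloud object carries (the post says it will), and the value must be written before the new forest is ever synced; a cloud user that was already soft-matched by a different anchor cannot be re-anchored without a support case.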


site to site dns

Let's say I have 2 sites in my domain with different subnets. Both sites have 2 DCs; how should I allow the DNS to sync? In site A, DC1 is syncing to DC2 and DC2 is syncing to DC1.

In site 2 the DCs have the same scenario.

Hope someone can clear this out to me.
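
An added example, not code from the original post. AD-integrated zones are not transferred DC to DC by the DNS service at all: the records are AD objects and arrive on every DC in the zone's replication scope through normal AD replication, across sites included, so nothing needs to be "allowed" between the sites beyond working AD replication. Only standard primary/secondary zones use zone transfers. The script lists, per DC, which of the two each zone is. DC names are assumptions.

```powershell
# Added example; not from the original post. Which zones ride on AD replication and which on zone
# transfers, per DC. DC names are assumptions.
Import-Module DnsServer
$dcs = 'dc1-sitea.corp.example.com', 'dc2-sitea.corp.example.com',
       'dc1-siteb.corp.example.com', 'dc2-siteb.corp.example.com'

$dcs | ForEach-Object {
    $dc = $_
    Get-DnsServerZone -ComputerName $dc | Where-Object { -not $_.IsAutoCreated } |
        Select-Object @{ n = 'DC'; e = { $dc } }, ZoneName, ZoneType, IsDsIntegrated,
                      ReplicationScope, DirectoryPartitionName,
                      @{ n = 'Transfers'; e = { if ($_.IsDsIntegrated) { 'AD replication' } else { "zone transfer ($($_.SecureSecondaries))" } } }
} | Format-Table -AutoSize

# A file-backed zone that should follow AD replication instead: convert it once, on one DC.
# ConvertTo-DnsServerPrimaryZone -Name 'corp.example.com' -ReplicationScope Forest -Force

# Replication health of the partitions that carry DNS data (DomainDnsZones / ForestDnsZones).
repadmin /showrepl $dcs[0]
```

What does need care between sites is the client side: point site B's clients and DCs at site B's DNS servers first, with a site A server as a secondary entry, so a WAN outage does not take name resolution down with it.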

Delete an attribute

Hello,

For a test in my test network I added the attribute MSExchHideFromAddressLists manually. Unfortunately I did it with the wrong syntax.
Now I'm trying to install Exchange 2016 on Windows Server 2016, and I'm getting an error:

Entry DN: CN=ms-Exch-Hide-From-Address-Lists,CN=Schema,CN=Configuration,DC=domain,DC=com
Add error on entry starting on line 123: Unwilling To Perform

The server side error is: 0x20be Schema update failed: duplicate LDAP display name.

The extended server error is:

000020BE: SvcErr: DSID-0326036D, problem 5003 (WILL_NOT_PERFORM), data 8382


An error has occurred in the program

I tried to delete it by following this article, but without success. How can I delete the attribute or change its syntax?

Thank you!
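
An added example, not code from the original post. A schema attribute can never be deleted and its syntax cannot be changed, but at forest functional level Windows Server 2003 or later it can be made defunct and then renamed, which frees its lDAPDisplayName (and CN and OID) for Exchange setup to create the real ms-Exch-Hide-From-Address-Lists attribute. It runs against the schema master as a Schema Admin; take a system-state backup of the schema master first. The lDAPDisplayName being searched for is taken from the post.

```powershell
# Added example; not from the original post. Make a mistakenly created schema attribute defunct
# and rename it so Exchange setup can add the real one.
Import-Module ActiveDirectory
$forest = Get-ADForest
if ($forest.ForestMode -lt 'Windows2003Forest') { throw 'Defunct + rename needs forest functional level 2003 or later.' }
$schemaMaster = $forest.SchemaMaster
$schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$bad = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=msExchHideFromAddressLists))' `
    -Properties lDAPDisplayName, attributeID, attributeSyntax, oMSyntax, isDefunct, isSingleValued
if (-not $bad) { throw 'No such attribute; nothing to do.' }
$bad | Format-List lDAPDisplayName, attributeID, attributeSyntax, oMSyntax, isDefunct, DistinguishedName

# 1. Defunct it. This is refused while the attribute is still in any class's mustContain/mayContain.
Set-ADObject -Server $schemaMaster -Identity $bad -Replace @{ isDefunct = $true }

# 2. Rename so neither the display name nor the CN can collide with what Exchange's LDIF adds.
$suffix = 'Defunct-' + (Get-Date -Format yyyyMMdd)
Set-ADObject    -Server $schemaMaster -Identity $bad -Replace @{ lDAPDisplayName = "$($bad.lDAPDisplayName)-$suffix" }
Rename-ADObject -Server $schemaMaster -Identity $bad -NewName "$($bad.Name)-$suffix"

# 3. Reload the schema cache on the schema master, let replication carry the change to every DC,
#    then re-run Exchange setup /PrepareSchema.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1); $rootDse.SetInfo()
```

If the attributeID printed in the first step is the OID Exchange wants to use, the defunct-and-rename still works: at forest level 2003 or later the OID of a defunct attribute may be reused by a new one.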

Active Directory Global Catalog and SCOM issue

Hi All!

Let me quickly describe the environment: root domain with 10 DCs, all GCs; child domain with over 100 DCs, all GCs; in both cases DNS is in Infoblox.

We started receiving SCOM alerts on over 90 DCs in the child domain about:

Global Catalog query returned 0 results 
from Global Catalog Search Availability Data Source script
Microsoft.Windows.Server.10.0.AD.Availability.GCResponse.DataSource (DataSourceModuleType)

here is the script:

https://systemcenter.wiki/?GetElement=Microsoft.Windows.Server.10.0.AD.Availability.GCResponse.DataSource&Type=DataSourceModuleType&ManagementPack=Microsoft.Windows.Server.AD.2016.Monitoring&Version=10.0.0.0

1. DcDiag has no errors or issues

2. all DNS srv records are valid we have reRegistered them anyway

3. Sysvol and Netlogon shares are working fine

4. All ports are open from scom to 3268,3269,389 on DC and DCs <-->DCs

5.We can connect to GC's using ADSI or LDP.exe no issue there

6. No replication issues

7. No changes in the environment were made that we know about.

Digging further, we were able to establish that:

The ADO connector used by SCOM returns 1 if correct and 0 when it fails.

1 is returned in Root no issues there

0 is returned in the child domain.

Here is the output from the script for the child (diff in bold):

Properties       : System.__ComObject
AbsolutePosition : -1
ActiveConnection : System.__ComObject
BOF              : True
Bookmark         :
CacheSize        : 1
CursorType       : 3
EOF              : True
Fields           : System.__ComObject
LockType         : 1
MaxRecords       : 0
RecordCount      : 0     <--- Here  BAD =)
Source           : <GC://ny.acme.com>;(objectCategory=DMD);cn;subtree
AbsolutePage     : -1
EditMode         : 0
Filter           : 0
PageCount        : 0
PageSize         : 10
Sort             :
Status           :
State            : 1
CursorLocation   : 2
MarshalOptions   : 0
DataSource       : System.__ComObject
ActiveCommand    :
StayInSync       : True
DataMember       :
Index            :

Root:

Properties       : System.__ComObject
AbsolutePosition : 1
ActiveConnection : System.__ComObject
BOF              : False
Bookmark         : 0
CacheSize        : 1
CursorType       : 3
EOF              : False
Fields           : System.__ComObject
LockType         : 1
MaxRecords       : 0
RecordCount      : 1   <--- GOOD
Source           : <GC://acme.com>;(objectCategory=DMD);cn;subtree
AbsolutePage     : 1
EditMode         : 0
Filter           : 0
PageCount        : 1
PageSize         : 10
Sort             :
Status           : 0
State            : 1
CursorLocation   : 2
MarshalOptions   : 0
DataSource       : System.__ComObject
ActiveCommand    :
StayInSync       : True
DataMember       :
Index            :

Any Ideas?

Thanks
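
An added example, not code from the original post: the management pack's probe, reproduced outside SCOM with DirectorySearcher. The filter (objectCategory=DMD) matches the forest's schema container, CN=Schema,CN=Configuration,<forest root DN>, and a subtree search can only return objects under its base DN, so the base DN each of the two roots in the post actually resolves to is the thing to compare; the function prints it. Host names are the ones in the post's output; nothing else is assumed.

```powershell
# Added example; not from the original post. Re-run the GC probe and show which base DN each root
# resolved to, since (objectCategory=DMD) can only be found under the forest root's DN.
function Search-GlobalCatalog {
    param([Parameter(Mandatory)][string]$SearchRoot, [string]$Filter = '(objectCategory=DMD)')
    $root = [ADSI]$SearchRoot
    $s = [System.DirectoryServices.DirectorySearcher]::new($root, $Filter, [string[]]@('cn'), 'Subtree')
    $s.PageSize = 10                       # same page size the post's recordset shows
    $hits = $s.FindAll()
    [pscustomobject]@{
        SearchRoot = $SearchRoot
        BaseDn     = [string]$root.distinguishedName
        Count      = $hits.Count
        FirstHit   = if ($hits.Count) { $hits[0].Path } else { $null }
    }
}

Search-GlobalCatalog -SearchRoot 'GC://ny.acme.com'   # the child root from the post (0 results)
Search-GlobalCatalog -SearchRoot 'GC://acme.com'      # the forest root from the post (1 result)

# A base that contains the schema container from any domain in the forest: the schema NC itself.
$schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
Search-GlobalCatalog -SearchRoot "GC://$schemaNc"
```

If the child root prints BaseDn = DC=ny,DC=acme,DC=com, the zero result is a property of the search base, not of the GC: the schema container is not beneath that DN. The third call shows the same server answering once the base is one that contains the object.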

New DC on SITE B LDAP Problems

Hi everyone, recently we installed a new DC in my company. We assigned a new subnet in Sites and Services for the new site, and the new DC is in this subnet. Also, we applied a GPO to enable clients to locate the next closest domain controller, but some workstations and servers still go to the DC on the other site.

Also, some Linux hosts and, for example, one Java application that uses LDAP authentication go to this new DC. I made some traffic captures, and the Java application requests the A records for mydomain.com, and the reply is all A records, including the new DC.

I don't see that it only requests the LDAP servers for site A.

Another question is: how do I make a workstation in site B, when using \\mydomain.com\netlogon, go to \\dcsiteb\netlogon and not any DC? Because I think that \\mydomain.com\netlogon only searches for A records, the same situation as with the Java application.

I hope you understand my poor English.

Thanks!
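
An added example, not code from the original post, showing why an application that resolves the bare domain name lands on any DC: the domain's A records are one per DC and carry no site information, while the site-specific SRV records the DC locator uses list only that site's DCs. It also prints the subnet-to-site mapping that decides which site a client is placed in, and ends with the site-aware host name an LDAP-only application should be given instead of the domain name. Site name and domain are assumptions.

```powershell
# Added example; not from the original post. A records vs site-scoped SRV records, and the
# subnet-to-site mapping. Site name and domain are assumptions.
$domain = 'mydomain.com'
$site   = 'SiteB'

'--- A records for the bare name (every DC registers one; an LDAP client using this gets any DC)'
Resolve-DnsName -Name $domain -Type A | Select-Object Name, IPAddress

'--- Site-scoped SRV records (what the locator uses for a client known to be in the site)'
$siteSrv = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV | Where-Object Type -eq 'SRV'
$siteSrv | Select-Object NameTarget, Port, Priority, Weight

'--- What the locator actually returns here, and which site it placed this client in'
nltest "/dsgetdc:$domain"
nltest /dsgetsite

'--- Subnet-to-site mapping; a client whose address is in no listed subnet gets no site, and any DC'
Import-Module ActiveDirectory
Get-ADReplicationSubnet -Filter * | Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } }

# For an LDAP-only application: resolve the site SRV and hand it a host name, not the domain name.
$best = $siteSrv | Sort-Object Priority, @{ e = 'Weight'; Descending = $true } | Select-Object -First 1
"ldaps://$($best.NameTarget):636"

# \\mydomain.com\NETLOGON is a domain-based DFS path; the referral is site-ordered by the DC that
# answers, and dfsutil /pktinfo (RSAT) shows which target this client was actually handed.
```

A workstation that keeps choosing the other site's DC is worth checking against the subnet list above: if its address is not covered by any subnet object, the DC it pings cannot place it in a site and answers without a site-specific preference.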


How to find out unused security groups

Hi

We are looking for a way to get a list of unused security groups including the empty ones. 

Thanks in advance


LMS
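
An added example, not code from the original post: empty groups, with whether each one is nested anywhere or used as a primary group, excluding built-in and protected objects. "Unused" cannot be proven from AD alone: a group can be empty and still sit in a file ACL, a GPO security filter or an application's configuration, so the output is a candidate list for review rather than a deletion list. The staleness cutoff is an assumption.

```powershell
# Added example; not from the original post. Candidate list of empty / unreferenced security groups.
Import-Module ActiveDirectory
$staleDays = 180   # assumed cutoff for "nothing has touched it"

$groups = Get-ADGroup -Filter * -Properties member, memberOf, whenCreated, whenChanged, description, isCriticalSystemObject
$candidates = foreach ($g in $groups) {
    if ($g.isCriticalSystemObject) { continue }              # Domain Admins, Cert Publishers, ...
    $rid = [int]($g.SID.Value -split '-')[-1]
    if ($rid -lt 1000) { continue }                           # well-known RIDs
    if ($g.member.Count -gt 0) { continue }
    # Primary-group usage is not in 'member'; it is the primaryGroupID on the user/computer.
    $primaryUse = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1
    if ($primaryUse) { continue }
    [pscustomobject]@{
        Group           = $g.SamAccountName
        Scope           = $g.GroupScope
        Category        = $g.GroupCategory
        NestedIn        = $g.memberOf.Count
        Created         = $g.whenCreated
        LastChanged     = $g.whenChanged
        StaleLastChange = $g.whenChanged -lt (Get-Date).AddDays(-$staleDays)
        Description     = $g.description
    }
}
$candidates | Sort-Object NestedIn, LastChanged | Format-Table -AutoSize
$candidates | Export-Csv .\empty-groups.csv -NoTypeInformation
```

Before removing anything on the list, record each group's SID: once the group is deleted, an ACL that still references it shows only an unresolvable SID, and that SID is the only way to trace the entry back to the group.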
