Channel: Directory Services forum

Removing Write all properties from OU security permissions


Hi all

I faced an issue recently where the Domain Users on my domain can delete, enable and disable other users. When I investigated the issue I found that the Authenticated Users group on the targeted OU had the following permissions:

1. List all content

2. Read all properties

3. Write all properties

4. Read permissions

5. Delete

When I removed the "Delete" permission I prevented the domain users from deleting each other, but when I tried to remove "Write all properties" I failed, as the check box rechecks itself every time I remove it.


AD Disaster Recovery from Snapshot


Hi,

I have a forest with 2 domains where all the DCs run Windows 2012 R2 and the FFL/DFL are also Windows 2012 R2.

I am going to perform Disaster Recovery of the above DCs. I have a bare-metal backup with me and a snapshot as well, which is from Rubrik and is stored in a different datastore. We can clone the DC using Rubrik to an isolated network.

Now my question is: is a snapshot (clone) backup recommended by Microsoft for Windows Server 2012 R2, or do I need to install the OS on a new VM and recover from the bare-metal backup?

AD Delegation Not Working


Hello all,

I want to delegate to a group of users the ability to manage Active Directory users (create users/groups + reset password). I created a group, then delegated these permissions through the delegation wizard on the OU, at OU level, but it's not working. I tried to grant these permissions by right-clicking the required OU, then Advanced, then adding the required AD group and selecting the required permissions, but it's still not working. So I gave these permissions to a user instead of a group and it did work: I delegated a test user through the delegation wizard and it worked, but I need to delegate these tasks to a group so I can add users to it rather than individual user(s).

Any idea why it's not working for an AD group?

Thank you

Active Directory/Terminal Services/DNS - Best practices


I have some time to move our three (non-virtual) Server 2008 Terminal Services servers and create a domain controller during this coronavirus-forced slowdown.

Our new environment consists of two servers running Server 2012, with Hyper-V on both. I was going to create three Server 2012 RDS VMs to replace the separate physical servers.

I want to add the Domain Controller role SOMEWHERE in this environment. I have not used a domain controller before, but am coming up to speed quickly.

1. What type of server should the Domain Controller/AD be installed on?

- can it (SHOULD it) be installed on a Hyper-V VM?

- should it be installed on a separate server?

2. What is the purpose of the DNS role with AD? So far all users are getting DNS services/routing from the local router.

Our business consists of 5 remote showrooms; all users will be logging in against the DC/AD and RDS servers over VPN connections.

I know this is a broad question, but I appreciate any comments from experience in this regard.

Best

AD Replication


Dear Team,

I have set up 5 AD servers: 3 servers on the DC site and 2 servers on the DR site (DC01, DC1 and DC2 on the DC site, and DR1 and DR2 on the DR site).

My DR AD servers are not replicating with any AD server, and one of the DR AD servers, DR1, has old data. All role holders are on the DC site, on server DC01. Now what should I do? Shall I format my DR1 and DR2 servers?

Please suggest. If required I will share the logs as well.

Windows Server 2012 - Replication Event on Secondary Domain Controller

We are looking for a way to track when a user account was created/deleted/changed on the secondary domain controller. When we make the change on the primary, I can see the event in the event log, but we want to see that replication event on the secondary domain controller. I'm not sure what I'm looking for, and we have so many logon/logoff events that the event log only holds 2-3 minutes of data before filling up. Since it takes time to replicate, I can't catch the event.


I've gone into the group policy settings for the domain controllers and turned on advanced audit for the replication service but it's really only showing me that it was able to talk to the other domain controller, not what was actually replicated.


I'm hoping there is a way that we can track the change, even if it is as simple as something like a change was made. It doesn't have to be in great detail. If maybe someone knows what event id is that I need to look for then I can filter through and find it.


Maybe I'm looking in the wrong place all together? Any help would be greatly appreciated.

Safe to remove abandoned SIDs from domain root?


Hi,

I "inherited" a domain that has multiple abandoned SIDs, looking like "Account Unknown (S-1-5-etc)", left in the domain root ACL. They are inherited on all sub-OUs.

Would it be safe to remove them, or should I be cautious?

AD Can not Replicate Error : 2148074274 and Event ID : 1925 and Target Principal Name is Incorrect


Hello ,

We have a Domain Controller which was OFF for a long time, but after we started it, replication is not working for this Domain Controller.

The description for Event ID 1925 from source Microsoft-Windows-ActiveDirectory_DomainService cannot be found.

2148074274 The handle is invalid

Also other events like: Target Principal Name is Incorrect, and Access Denied during a manual sync using repadmin /syncall

From Google it is suggested to reset the password using the netdom command, but I have the following confusion:

1. From which Domain Controller should I run the command: the problematic Domain Controller which we turned on after a few days, or the good Domain Controller which holds all our FSMO roles?

2. Also, on which Domain Controller should the KDC service be stopped: the problematic or the good domain controller?

Ref: https://support.microsoft.com/en-in/help/3073945/how-to-troubleshoot-active-directory-replication-error-5-access-is-den

Appreciate your help.

Thanks

 


Thanks , Prakash ,Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.


How to add Division field in Active directory under Organization Tab


Hi All,

How do I add the Division field in Active Directory under the Organization tab?

Migrate FRS to DFS for Domain Controller


Hello,

I have a task to migrate FRS to DFS; currently we have around 60 DCs worldwide. I have done some research and found that most articles say that if your DCs have SYSVOL and NETLOGON replication issues, you should fix those before migrating to DFS. Unfortunately 8 of our DCs have SYSVOL/NETLOGON replication issues. I might need to demote and re-promote the DCs in order to solve the issue. But the problem is I have a tight deadline to complete this task, since our management wants to move to Windows Server 2019 for new DCs (unable to promote a new DC due to FRS).

1. What is the real impact if I proceed to migrate FRS to DFS even though a few DCs have SYSVOL replication issues? Most of the articles do not mention what exactly the issue is.

2. Is it possible to migrate to DFS first, and then demote and re-promote the problematic domain controllers (SYSVOL replication issue)? Or MUST I fix it first before I can migrate?

3. What is the impact if, during the migration process, one of our DCs suddenly goes down? Can it be a serious issue?

Thanks

Update on a script - Error Handling - Success and Unsuccessful



Hello Experts,

I need help with two things in the script below:

1. Logging changes made by the script, i.e. that disabling the accounts succeeded, or that an account was not found/disabling was not successful. I need this in a CSV or log file so that I can review it.
2. Removing each user from all groups. I have written it but it does not work, and I am unable to understand why.

Can any one help me on this, please.


Import-Module ActiveDirectory

# The CSV has a header row with a column named 'sname' (the sAMAccountName),
# so read it with Import-Csv throughout; Get-Content would also feed the header line to Get-ADUser.
$csvPath  = "D:\Scripts\Adoc\Disable-Account.csv"
$logPath  = "D:\Scripts\Adoc\Disable-Account-log.csv"
$targetOu = "OU=Disabled Users,DC=tpl,DC=local"

$results = foreach ($row in Import-Csv $csvPath) {
    $name = $row.sname
    try {
        $user = Get-ADUser -Filter "samAccountName -eq '$name'" -ErrorAction Stop
        if (-not $user) { throw "Account not found" }   # -Filter returns nothing, not an error, on no match
        Disable-ADAccount -Identity $user -ErrorAction Stop
        # Remove every group except the primary group (Domain Users), which cannot be removed this way
        $groups = Get-ADPrincipalGroupMembership -Identity $user -ErrorAction Stop |
                  Where-Object { $_.SamAccountName -ne 'Domain Users' }
        if ($groups) {
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $groups -Confirm:$false -ErrorAction Stop
        }
        # Move last: the user's DN changes after the move, so finish the other changes first
        Move-ADObject -Identity $user -TargetPath $targetOu -ErrorAction Stop
        [pscustomobject]@{ User = $name; Status = 'Success'; Message = '' }
    } catch {
        # -ErrorAction Stop above turns every failure into a logged row instead of a silent skip
        [pscustomobject]@{ User = $name; Status = 'Failed'; Message = $_.Exception.Message }
    }
}
$results | Export-Csv -Path $logPath -NoTypeInformation

Event ID 1005 - ADWS on domain controller 2016.


Hi,

I am getting Event ID 1005 - ADWS on domain controller 2016.

Detail :

Active Directory Web Services could not change its advertising state. The Netlogon service might not be running. Restart Netlogon and then restart Active Directory Web Services.
 
 Desired state: True

Please help me solve this problem.

Thanks and best regards.

Sysvol folder on domain controller does not exist


I have a few domain controllers; I just installed a new 2016 DC. When I navigate from the other DCs to the new DC (\\DCXX) there are no folders like SYSVOL etc.

here is the dcdiag /q output from the new server:


Question about 'account options' on the AD user need to include 'this account supports AES 256 bit encryption'

I read the following blog post,


https://social.technet.microsoft.com/wiki/contents/articles/36470.active-directory-using-kerberos-keytabs-to-integrate-non-windows-systems.aspx

The post says the 'account options' on the AD user need to include 'This account supports AES 256 bit encryption'.

I built a new Windows 2019 DC (all default settings).

I added a new AD user, entered the password and left everything else at defaults.

I created a KeyTab using AES-256 only.

I took the KeyTab file to a standalone Ubuntu client with Kerberos installed.

From the Ubuntu server I execute kinit -k -t <keytabfile> <principal>

I get a TGT encrypted with AES-256 (e.g. klist -e).

The thing is, the principal (let's call him Fred) does not have the check mark against his account for 'This account supports AES 256 bit encryption', but I still get back an AES TGT.

Can someone kindly explain it to me?

In other words, if 'This account supports AES 256 bit encryption' in the 'account options' on the AD user is not selected, why do I still get a TGT encrypted with AES?


Or does this setting only apply to Service Tickets I would receive back from the KDC (DC)? For example a Service Ticket to a Linux/web server (whose SPN is listed against Fred and is the one in the KeyTab file).

I do not have a web server installed on Linux so I cannot test this part.

If someone could explain this to me I would be most grateful.
Thanks
CXMelga

I have a couple of questions around KeyTab files please


Can someone kindly help with the following

I have been reading the following Microsoft document

https://social.technet.microsoft.com/wiki/contents/articles/36470.active-directory-using-kerberos-keytabs-to-integrate-non-windows-systems.aspx

which deals with KeyTab files, but some things are still unclear to me. I reached out to the author but did not get a reply, therefore can someone else please assist.

Question 1:

As far as I understand it a KeyTab file allows an AD user to authenticate against a non-Windows system (e.g. a standalone Kerberos capable Linux host running a WEB App for example), is that correct?

Question 2:

The above document, includes the following command line 

ktpass -out centos1-dev-local.keytab -mapUser krbCentos@DEV.LOCAL +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/centos1.dev.local@DEV.LOCAL

The parts I am particularly interested in I have highlighted in bold above: the AD user name (first bold item) is obviously the AD user. The second item in bold is an SPN registered against the AD user krbCentos.

So the way I think it works is: if X (whatever X is) wants to use the service HTTP/centos12.dev.local (as this is the SPN registered), then the resulting Kerberos service ticket (ST) will be encrypted with the long-term key of the AD user krbCentos. Now this is the same information held in the KeyTab (SPN and encrypted key), so they match and the Kerberos service ticket can be decrypted by the Linux host (in possession of the KeyTab file), thereby allowing access.

Is my assumption/understanding above correct?

Question 3:

Also, what about the TGT? I assume the AD user already has a TGT in the normal fashion, as if it did not already have one (perhaps the above process was kicked off by a script and krbCentos had not already logged into the domain yet), you cannot obtain a Kerberos service ticket without presenting a TGT. How does this come together when using a KeyTab?

Question 4:
Is the process of authentication using KeyTab files always kicked off on the Active Directory side, i.e. some process running on AD says "OK, I need a service ticket for HTTP/centos12.dev.local", then requests a service ticket as mentioned above?
What I really want to know from this question is whether the Linux host (not domain joined and no realm trust) can kick off the process, meaning some process or script on the Linux side says "I need to authenticate to AD to access some information or files" and uses its KeyTab to perform the authentication, with the Linux box being the one requesting the TGT/TGS from the Windows KDC (using the information in the keytab to authenticate)?

Thanks all, I would be grateful for some help with my understanding (clearing things up) in relation to the above.

Charlie
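For the two KeyTab posts above (the AES-256 TGT question and Questions 1-4), here is an added example, not from the posts or the Microsoft article, that builds and parses an MIT-format (0x0502) keytab like the one ktpass writes for HTTP/centos1.dev.local@DEV.LOCAL. It shows what the file actually holds (principal, kvno, enctype 18, and the long-term key, which the KDC uses to encrypt that SPN's service tickets and which kinit -k uses as the client's key); the key bytes and timestamp are constructed sample values, and all function names are mine.

```python
# Builds and parses an MIT-format (version 0x0502) keytab such as ktpass writes.
# The key bytes used in main() are CONSTRUCTED for the demo, not a real derived key.
import struct

AES256_CTS_HMAC_SHA1_96 = 18   # enctype written by "-crypto AES256-SHA1"
KRB5_NT_PRINCIPAL = 1          # name type written by "-ptype KRB5_NT_PRINCIPAL"

def _octets(b):
    # counted_octet_string: 16-bit big-endian length followed by the bytes
    return struct.pack(">H", len(b)) + b

def _read_octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(principal, realm, kvno, enctype, key, timestamp):
    comps = principal.split("/")                 # "HTTP/host" -> ["HTTP", "host"]
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for c in comps:
        body += _octets(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _octets(key)   # keyblock: enctype + key
    body += struct.pack(">I", kvno)                      # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_octets(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:           # extension present: the full 32-bit kvno
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype,
                        "key": key, "timestamp": ts})
        pos = end
    return entries

if __name__ == "__main__":
    kt = build_keytab("HTTP/centos1.dev.local", "DEV.LOCAL", 2,
                      AES256_CTS_HMAC_SHA1_96, bytes(range(32)), 1700000000)
    for e in parse_keytab(kt):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"], len(e["key"]), "bytes")
```

Running parse_keytab on a keytab produced by ktpass or klist -k -e shows the same fields; note that only the derived key is stored, never the account password.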


Set up a trust as external, then realized it should have been Forest. Deleted it and recreated as Forest, won't validate. Bogus error about type mismatch


It keeps giving the error message that the trust is Forest on one side but External on the other side, and vice versa if I try to verify from the other side. So it is hanging on to something from the old trust.

In both domains, the trust shows as a Forest trust, yet the error persists after 2 hours. When I try to validate, it says the trust types do not match. Do I just need to keep waiting?

How can I get this resolved? Both are Server 2016; the domain functional level is at the highest level in both domains.

The external trust was in place for a few days, worked as it should and validated fine. We just realized that it was not the ideal choice, and all instructions were to simply delete the external trust and create a forest trust.


PKI-related issue with Domain Controller and "custom" certificate


I'm honestly not sure if this is a PKI-related issue involving AD, or an AD-related issue involving PKI...  But there is no PKI-specific option under "Windows Server" for this forum site.

What I'm trying to do: Use a special Domain Controller certificate template to make a certificate request on a DC which includes a list of SANs (Subject Alternative Names). (Yes, I know auto-enroll will not work!!) With a SAN, you can use a load-balancer with Secure LDAP (port 636/tcp) and a common name.

I've done this before and it worked great. Downside is you have to manually renew certs. Not a problem here. I am NOT trying to publish the certificate into AD: that option is UNchecked in the certificate template.

The issue is that I am getting this error on the step where I run the command

    certreq -f -submit -config "ca.corp.nydomain.com\My PKI Name" $csrFile $certFile

Where I get an error:

Certificate retrieved(Issued) Issued  Could not publish Certificate.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

In the CAPI2 event log, the only message helpful is:

The certificate is not valid for the requested usage.
[ value] 800B0110

I actually cloned the new template from the default/built-in "Domain Controllers" template; it's just been updated to 2012 R2 with some other parameters for the usage I am trying to implement.

I've gone through all the things that come to mind, like special rights for "cert publishers" on the template, making sure the "Domain Admins" and "Domain Controllers" groups have rights... I'm not sure if I've MISSED something simple!!!

I'm probably going to have to open a Premier ticket, but I was hoping that someone might point out something obvious I've missed.

The domain structure is a root domain, and I am working in a sub-domain, and the AD-integrated PKI servers are domain members of a different sub-domain. (So "A" is the root domain, "B" is the corp sub-domain, and "C" is the sub-domain under "A" in which I am working on with the DC's.)

The DC is Windows Server 2012 R2 and the CA server is Windows Server 2012 R2.

Any thoughts would be greatly appreciated!!


-- Rob "I" --

How to solve AD circular group nestings

My customer has 85 groups which have circular group nestings. So what is the best way to solve this? Is any script available to find this out, and if yes, how do I resolve the issue after investigation?

Pallab Chakraborty
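As an added example (not from the post above), the script below finds circular group nesting by treating nesting as a directed graph and reporting every strongly connected set of groups (Tarjan's algorithm), so each group that takes part in a loop is listed exactly once. SAMPLE_NESTING is constructed sample data and find_nesting_loops is my name; in a real run, build the same map from each AD group's member attribute, keeping only the members that are themselves groups.

```python
# Finds circular group nesting with Tarjan's strongly-connected-components algorithm.
# SAMPLE_NESTING is CONSTRUCTED data: group name -> groups that are direct members of it.
SAMPLE_NESTING = {
    "Sales-All": ["Sales-EMEA", "Sales-US"],
    "Sales-EMEA": ["Sales-UK", "Sales-All"],   # nests its own parent: a loop
    "Sales-UK": [],
    "Sales-US": [],
    "IT-Admins": ["IT-Helpdesk"],
    "IT-Helpdesk": ["IT-Ops"],
    "IT-Ops": ["IT-Admins"],                   # three-group loop
    "Finance": [],
}

def find_nesting_loops(nesting):
    """Return one sorted list of group names per loop: every strongly connected
    component with more than one group, plus any group that nests itself."""
    index, low, stack, on_stack, loops = {}, {}, [], set(), []

    def connect(g):
        index[g] = low[g] = len(index)          # visit order doubles as the index
        stack.append(g)
        on_stack.add(g)
        for child in nesting.get(g, ()):
            if child not in index:
                connect(child)
                low[g] = min(low[g], low[child])
            elif child in on_stack:             # back edge into the current path
                low[g] = min(low[g], index[child])
        if low[g] == index[g]:                  # g is the root of a component
            comp = []
            while True:
                v = stack.pop()
                on_stack.discard(v)
                comp.append(v)
                if v == g:
                    break
            if len(comp) > 1 or g in nesting.get(g, ()):
                loops.append(sorted(comp))

    for g in list(nesting):
        if g not in index:
            connect(g)
    return loops

if __name__ == "__main__":
    for loop in find_nesting_loops(SAMPLE_NESTING):
        print("circular nesting:", " <-> ".join(loop))
```

To break a loop, remove one membership edge inside each reported set and rerun until the function returns an empty list.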

Active Directory Certificate Services Trigger Publishing of crt file (click steps/powershell)


I configured an enterprise root CA which should publish the CRL and CRT on a share (or shares).

I configured the CDP and AIA extension as follows:

CDP:
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://pki.domain.local/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
\\FILESHARE.domain.local\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

AIA:
C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://pki.domain.local/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
\\FILESHARE.domain.local\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt

If I click in the Certification Authority MMC --> Revoked Certificates --> All Tasks --> Publish, the CRL gets published, but not the CRT file.

How can I trigger the publishing of the CRT file?

Active Directory: can the "Licensing Site Settings" object safely be deleted?


Hi 

Over the years our domain has been upgraded several times (Windows NT - Windows 2000 - Windows 2003 - Windows 2008 R2 - Windows 2019).

As a result, it certainly has objects that are no longer really needed.

For example, in some sites, we have a "Licensing Site Settings" object.

After researching on the Internet, we have only found that earlier (Windows 2000/2003) domain controllers had a "License Logging Service", and this object comes from that time.
In Windows Server 2008 and newer, this service ("License Logging Service") has disappeared.
Unfortunately, the "Licensing Site Settings" object still exists in some sites.

Can we delete the "Licensing Site Settings" object without concern?

Thanks in advance.
