Channel: Directory Services forum

Windows Active Directory -> NAT on DNS service only


Hello everybody,

We are making some tests on AD deployed on Windows Server 2016, and we would like to use the full capacity of the DNS Server (including Scopes and Policies).

For that purpose, we are planning to create a DNAT/SNAT policy only for the DNS server (53/udp), which would allow us to use scope policies with subnet filters (we would only have to use the subnet of the IPs of the SNAT policies).

The question we have is: does Microsoft support this kind of solution? I mean applying SNAT/DNAT only to the DNS server, with the rest of the communications going through transparently.

Thanks for the help.

BR.


Certificate enrollment failed - 0x8007054b


Hi,

We have some PCs that cannot enroll certificates; the error is: The specified domain either does not exist or could not be contacted.

These PCs are in a restricted network location; we have opened the ports below to specific servers:

To AD server: TCP/UDP 137, 138, 139, 389, 636, 88, 53, 445; TCP 135 and 49152-65535.

To CA server: TCP 135, 139, 445 and 49152-65535.

Is there something I missed, or how can I troubleshoot the error?

thanks in advance!

remote computers authenticating to DCs


Our remote engineers have VMs on their laptops that they use to connect to our customer systems for support.  They are part of our domain but very rarely connect to our VPN to authenticate.  I ran a PS script to see the last time these VMs communicated with our DCs and found that they all did authenticate in the last day or so, but I know that they haven't connected to the VPN in weeks.

My question is how are they communicating to the DCs with no direct connection to our domain?  

Thanks,

Paul

How to find out unused security groups


Hi

We are looking for a way to get a list of unused security groups including the empty ones. 

Thanks in advance


LMS
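One way to produce such a list, as an added example that is not part of the original post: the script below (assumes the ActiveDirectory RSAT module and read access to the domain) reports security groups that have no direct members and are not nested in any other group, with creation and last-change timestamps so you can judge whether "empty" actually means "unused".

```powershell
# Added example, not from the original post. Lists security groups that have no
# direct members and are not nested in any other group. Assumes the ActiveDirectory
# module (RSAT) and a domain account with read access.
Import-Module ActiveDirectory

function Get-UnusedSecurityGroup {
    param([switch] $IncludeNested)   # also report empty groups that are themselves nested somewhere

    $props = 'member', 'memberOf', 'whenCreated', 'whenChanged', 'isCriticalSystemObject', 'managedBy'
    Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties $props |
        Where-Object { -not $_.isCriticalSystemObject } |      # skip built-in/protected groups
        ForEach-Object {
            # 'member' holds direct members only. Primary-group membership (e.g. Domain Users)
            # is not stored there, which is another reason the protected groups are skipped.
            [pscustomobject]@{
                Name        = $_.Name
                Scope       = $_.GroupScope
                Members     = @($_.member).Count
                NestedIn    = @($_.memberOf).Count
                Created     = $_.whenCreated
                LastChanged = $_.whenChanged
                ManagedBy   = $_.managedBy
                DN          = $_.DistinguishedName
            }
        } |
        Where-Object { $_.Members -eq 0 -and ($IncludeNested -or $_.NestedIn -eq 0) }
}

Get-UnusedSecurityGroup |
    Sort-Object LastChanged |
    Format-Table Name, Scope, NestedIn, Created, LastChanged -AutoSize
```

An empty group in AD is not necessarily unused: its SID may still sit in ACLs on file servers, in GPO security filtering or in application configuration, and none of that is visible from the group object. Treat the output as candidates, move them to a holding OU for a quarantine period, and delete only after nothing has complained; a deleted group's SID cannot be recreated.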

Can I be member of thousands of AD distribution groups?


Hi,

I know the Windows limits ("Active Directory Maximum Limits" https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756101(v=ws.10) ) regarding security groups.
But what about AD distribution groups: Can I be member in thousands of them?

Background:
Many applications in our company use AD groups to control access within the application.
When a user logs on, the application uses LDAP to connect to AD and to determine which AD groups the user is in. They don't use/need the group SID; they just rely on the group names, they just need groups and memberships.
So my thoughts are:
In these cases a distribution group might be enough. This would not blow up the token size of the users.
I know that such a group could not be re-used to control access to a CIFS share.

Thanks
Walter
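The distinction Walter is relying on can be checked directly, as an added example that is not part of the original post: memberOf lists direct memberships of both kinds, while tokenGroups is a constructed attribute holding only the security-group SIDs that end up in the user's access token. The script assumes the ActiveDirectory RSAT module; the sAMAccountName passed in is an assumption.

```powershell
# Added example, not part of the original post. Compares what an LDAP-based
# application sees (memberOf / transitive LDAP lookup) with what goes into the
# user's logon token (tokenGroups). Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Escape-LdapFilterValue([string] $s) {
    # RFC 4515 escaping so DNs with ( ) * \ do not break the filter.
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Compare-GroupViews {
    param([Parameter(Mandatory)][string] $SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties memberOf, tokenGroups

    # memberOf: direct memberships, security and distribution alike (no nesting, no primary group).
    $direct = @(foreach ($dn in $u.memberOf) { Get-ADGroup -Identity $dn })

    # What an application that only needs names should use: every group the user is in,
    # nesting included, via LDAP_MATCHING_RULE_IN_CHAIN (the DC walks the chain server-side).
    $dn = Escape-LdapFilterValue $u.DistinguishedName
    $effective = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

    # tokenGroups: SIDs of all security groups the user is transitively in, i.e. the
    # content of the token. Distribution groups never appear here.
    $tokenSids = @($u.tokenGroups | ForEach-Object { $_.Value })

    [pscustomobject]@{
        User                       = $u.SamAccountName
        DirectSecurityGroups       = @($direct | Where-Object GroupCategory -eq 'Security').Count
        DirectDistributionGroups   = @($direct | Where-Object GroupCategory -eq 'Distribution').Count
        EffectiveGroupsViaLdap     = $effective.Count
        EffectiveDistributionViaLdap = @($effective | Where-Object GroupCategory -eq 'Distribution').Count
        SidsInToken                = $tokenSids.Count
        DistributionGroupsInToken  = @($effective |
            Where-Object { $_.GroupCategory -eq 'Distribution' -and $tokenSids -contains $_.SID.Value }).Count  # expect 0
    }
}

Compare-GroupViews -SamAccountName 'jdoe'   # assumed account name
```

Two caveats for an application that reads group names this way: memberOf on a user only shows groups from the user's own domain unless the query goes to a Global Catalog (and domain-local groups from other domains never show), and tokenGroups also needs a GC to be complete for universal groups. Using the matching-rule query against the group's DN is the reliable way to get nested membership by name without depending on the token at all.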

FSP objects from Internal Domain


Hello,

In my AD environment, there are a lot of FSP objects from my internal domain showing under the Foreign Security Principals container. I mean the SID value of the FSP objects (showing under the Name column in the FSP container) resolves to internal domain user accounts rather than trusted external domain user accounts. Moreover, the Readable Name of the FSP objects is showing as "Internal Domain\samAccountName" rather than a trusted external domain samAccountName.

Please explain and let me know actual root cause of this.

Naming information cannot be located


Hi Team,

I'm getting the attached error "Naming information cannot be located..." on my additional domain controller while accessing "Active Directory Users and Computers".

attribute editor for computer object


2012 R2 domain. I'm a domain admin, and I've enabled advanced features in ADUC. I can see the "Attribute Editor" tab when I open a user's properties, but I do not see an "Attribute Editor" tab when I open a computer's properties. Is that expected?


windows server 2003 Primary DC recover +exchange server 2003


Hi,

in my scenario,

I have 1 DC + DNS (Windows Server 2003 R2 Enterprise with all FSMO roles) + Exchange Server 2003, and 1 ADC server + DHCP + DNS,

but suddenly my DC server stopped booting; the server is not getting on.

How can we recover my domain controller with the FSMO roles and the Exchange server? We have more than 50 users live working.

What will be the steps to recover without my old primary DC on?

Thanks and Regards

khalid Hussain 

How to de-nest a nested AD group (AD group embedded as a member of another group) for bulk users in a larger enterprise (> 10,000 accounts)


How to de-nest nested AD groups. Here an AD group is embedded in another AD group, and nesting is done at multiple levels. The need here is to de-nest the AD groups and make every AD group independent.

Apart from PowerShell scripting, are there any other ways to accomplish this de-nesting from a larger enterprise perspective?

Let me know the pros and cons.


suresh arasu
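For the PowerShell route, as an added example that is not part of the original thread: the script below flattens nesting by making every user or computer that is an effective (transitive) member of a group a direct member, then cutting the group-to-group links. It assumes the ActiveDirectory RSAT module and that members live in a single domain; nothing is written unless -Commit is passed.

```powershell
# Added example, not part of the original thread. Flattens nested group membership.
# Assumes the ActiveDirectory RSAT module and single-domain membership (foreign
# security principals and contacts are left untouched). Dry run unless -Commit.
Import-Module ActiveDirectory

function Escape-LdapFilterValue([string] $s) {
    # RFC 4515 escaping so DNs containing ( ) * \ do not break the LDAP filter.
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Flatten-ADGroup {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [switch] $Commit
    )
    $group  = Get-ADGroup -Identity $Identity -Properties member
    $direct = @($group.member)
    $dn     = Escape-LdapFilterValue $group.DistinguishedName

    # Effective users/computers via LDAP_MATCHING_RULE_IN_CHAIN: the DC walks the nesting
    # server-side, so this avoids the per-call limits of Get-ADGroupMember -Recursive
    # on very large groups. objectCategory keeps contacts and FSPs out of the result.
    $effective = @(Get-ADObject -LDAPFilter "(&(|(objectCategory=person)(objectCategory=computer))(memberOf:1.2.840.113556.1.4.1941:=$dn))")
    $toAdd  = @($effective | Where-Object { $direct -notcontains $_.DistinguishedName })

    # Groups that are direct members of this group: the links to cut.
    $nested = @(Get-ADGroup -LDAPFilter "(memberOf=$dn)")

    # Add first, remove second, so an interrupted run never loses effective membership.
    if ($toAdd)  { Add-ADGroupMember    -Identity $group -Members $toAdd  -WhatIf:(-not $Commit) }
    if ($nested) { Remove-ADGroupMember -Identity $group -Members $nested -Confirm:$false -WhatIf:(-not $Commit) }

    [pscustomobject]@{
        Group              = $group.Name
        Scope              = $group.GroupScope
        Added              = $toAdd.Count
        NestedLinksRemoved = $nested.Count
    }
}

# Dry run over every group that has at least one member; only groups with nesting are shown.
Get-ADGroup -LDAPFilter '(member=*)' |
    ForEach-Object { Flatten-ADGroup -Identity $_.DistinguishedName } |
    Where-Object NestedLinksRemoved -gt 0 |
    Format-Table -AutoSize
```

Pros and cons worth weighing before committing: flattening makes every group self-contained, but it also turns each group's member list into a snapshot, so a user added to a formerly nested group later no longer flows into the parents, and the number of direct memberships per user (and therefore the per-user token size for security groups) goes up. Group scope also matters: a global group cannot take members from another domain, so cross-domain nesting cannot be flattened this way and is deliberately skipped above. Run it once with -WhatIf output captured, review the Added counts for the largest groups, and commit OU by OU rather than domain-wide.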

AD DS unable to establish connection with a Domain Controller


Hello all!

We are having trouble bringing up a second domain controller in an AWS VPC.  The first DC went up fine.  It promoted, installed DNS, etc.  We were able to join three servers to the domain it now hosts.

When we try to bring up a second DC, it hangs at "Configuring the local computer to host Active Directory Domain Services."

The last entry on the Active Directory Domain Services Configuration Wizard reads: "A delegation for this DNS server cannot be created because the authoritative parents zone cannot be found or it does not run Windows DNS server."

The last entry in the Event Log is Event ID 1962, "Internal Event: The local directory service received an exception from a remote procedure call (RPC)."  Error value is 2148074306.

Another entry in the Event Log is Event ID 1125, "The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to establish connection with the following domain controller."  Error value 2148074306.  The encryption type is not supported by the KDC.

I checked the encryption levels in the Local Security Policies, ADUC object attributes and GPOs.  They are all identical.

I also tried restarting the KDC service on the DC.  That didn't work either.

Any help would be appreciated.

Foreign Security Principals showing under Domain Local Groups of Target domain


Hello,

I need more clarity and information on FSPs showing in Domain Local groups of the target domain:

1. What are those objects in the source domain that show up as FSP objects as members in Domain Local groups of the target domain?

2. Do those objects only belong to members of Domain Local groups, and to members of other groups in other domains via existing trusts in the source domain?

3. Can we remove all FSPs, whether orphaned or not, from Domain Local groups post-migration?

Kindly reply specific to above mentioned points.

Thanks

Alex Lee


Microsoft's Secure LDAP Requirements

Can someone please clarify whether Microsoft is going to require Active Directory installations to use LDAPS?  The recent guidance that Microsoft has issued regarding securing AD has led some IT departments that we deal with to believe that they have to implement LDAPS and that they must require all applications using LDAP to be converted to use LDAPS.  As a developer of software that uses AD, this was not our interpretation, but we are meeting others who believe that we must adjust our software to use LDAPS.  While it's not a tremendous effort to support LDAPS, we would like to know what the real requirement is.  Thanks in advance.

New DC on SITE B LDAP Problems


Hi everyone, recently we installed a new DC in my company. We assigned a new subnet in Sites and Services for the new site, and the new DC is in this subnet. Also, we applied a GPO to enable clients to locate the next closest domain controller, but some workstations and servers still go to the DC on the other site.

Also some Linux machines and, for example, one application in Java that uses LDAP authentication go to this new DC. I made some traffic captures, and the Java application requests the A records for mydomain.com, and the reply is all A records, including the new DC.

I don't see that it only requests the LDAP servers for site A.

Another question is: what do I do so that a workstation in site B that uses \\mydomain.com\netlogon goes to \\dcsiteb\netlogon and not to any DC? Because I think that when doing \\mydomain.com\netlogon it only searches for A records; the same situation with the Java application.

I hope you understand my poor English.

Thanks!


DCDIAG issue: Guid DNS name resolved to the wrong IP address


Hi there,

A strange issue for a few days now. Result of 'dcdiag /e /q':

Although the Guid DNS name (10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de) resolved to the IP address
(10.10.1.8), which could not be pinged, the server name (LABSRV01.test.lab.de) resolved to the IP address
(10.10.2.9) and could be pinged. Check that the IP address is registered correctly with the DNS server.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... LABSRV01 failed test Connectivity

When I nslookup the Guid DNS Name

nslookup 10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de
Server: labdc01.lab.de
Address: 10.10.2.1

Name: LABSRV01.test.lab.de
Address: 10.10.2.9
Aliases: 10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de

The DNS PTR record is fine and holds the right IP address. Why does DCDIAG ignore this PTR record and resolves/uses a wrong IP address?

Thanks and regards
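The lookup behind that dcdiag message can be reproduced outside dcdiag, as an added example that is not part of the original post: the Connectivity test resolves the DSA GUID CNAME under _msdcs.<forest root> and then the A record of the host name it points to, and compares that with the address it expects for the DC; PTR records play no part in it. The script assumes the ActiveDirectory RSAT module and the DnsClient module (Resolve-DnsName); the optional -DnsServer parameter is an assumption that lets you query a specific server instead of the local resolver and its cache, which is what dcdiag uses.

```powershell
# Added example, not from the original post. For every DC: resolve the DSA GUID CNAME
# in _msdcs.<forest root>, then the A record of its target, and compare with the
# address AD holds for the DC. Assumes the ActiveDirectory and DnsClient modules.
Import-Module ActiveDirectory

function Test-DcGuidRecord {
    param([string] $DnsServer)   # empty = local resolver, as dcdiag uses

    $resolveArgs = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $resolveArgs.Server = $DnsServer }
    $forestRoot = (Get-ADForest).RootDomain    # the _msdcs zone lives under the forest root

    foreach ($dc in Get-ADDomainController -Filter *) {
        # The GUID in the CNAME is the objectGUID of the DC's NTDS Settings object.
        $dsaGuid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
        $guidName = "$dsaGuid._msdcs.$forestRoot"

        $target = Resolve-DnsName -Name $guidName -Type CNAME @resolveArgs |
                  Where-Object Type -eq 'CNAME' |
                  Select-Object -First 1 -ExpandProperty NameHost

        $targetA = @()
        if ($target) {
            $targetA = @(Resolve-DnsName -Name $target -Type A @resolveArgs |
                         Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        }
        $hostA = @(Resolve-DnsName -Name $dc.HostName -Type A @resolveArgs |
                   Where-Object Type -eq 'A' | ForEach-Object IPAddress)

        [pscustomobject]@{
            DC          = $dc.HostName
            ADAddress   = $dc.IPv4Address
            GuidCname   = $guidName
            CnameTarget = $target
            TargetA     = $targetA -join ','
            HostA       = $hostA -join ','
            OK          = ($target -eq $dc.HostName) -and ($targetA -contains $dc.IPv4Address)
        }
    }
}

# Compare the view of the local resolver with the view of one specific DNS server.
Test-DcGuidRecord | Format-Table -AutoSize
Test-DcGuidRecord -DnsServer 'labdc01.lab.de' | Format-Table -AutoSize   # server name taken from the post
```

If the two runs disagree, the machine running dcdiag is resolving against a different server, a stale cache (Clear-DnsClientCache) or a stale record on a secondary that has not picked up the zone change; if the target host name has more than one A record (the 10.10.1.8 and 10.10.2.9 pair in the post), dcdiag may try an address that is not reachable from where it runs, and the fix is on the DC's own registration (ipconfig /registerdns and the DC's NIC binding order) rather than in the reverse zone.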


Displaying the Location and Division in the ADUC Console


Hi Everyone,

Would anyone know how I can display the location and division attributes (which are hidden by default) in the ADUC? This is a bit urgent as there has been an update in office locations and changes in the org structure. Management is keen to see this change and view it in the ADUC. Please help.

Thanks,

Shyam


Shivaram Venkatesh. The Digital Cognitive

How to find the domain controller that handles authentication for users in the trusted domain


Hi all,

I work in an environment where there are a lot of sites, domains and forests.

There are two domains, domain A and domain B,

where domain A belongs to forest A and domain B belongs to forest B.

There is a one-way trust between domain A and domain B.

Domain A and domain B are distributed across many sites.

In one of the sites,

on a member server of domain B, I try to add a user from domain A to a local group on that member server, but it seems that it couldn't contact the domain controller in domain "A", as users are not showing up.

Accessing another member server of domain "B", but in a different subnet than the other member servers, I could add a user from domain "A" to a local group of the member server of domain B.

The question is: how can I know the domain controller in the "trusting domain" that handles authentication for users in the "trusted domain"? Because I need to find what the problem with this member server is. We are sure that there is no problem with the trust between domain "A" and domain "B", as there are member servers of domain "B" that can see users of domain "A".

I used netstat on the server in domain "B" that can see domain "A" users, and I found that the member server can communicate with a domain controller of domain "A",

but using netstat on the server in domain "B" that cannot see users in domain "A", it doesn't show any connection attempt to any domain controller in domain "A".

Is there another command that can reveal connection attempts to the trusting domain controller?
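For both this question and the earlier certificate-enrollment one ("The specified domain either does not exist or could not be contacted"), the first thing to establish is which DC the DC locator picks from the affected machine and whether that DC is reachable on the ports the scenario needs. The script below is an added example, not part of either post: it wraps the built-in nltest /dsgetdc and probes TCP ports with Test-NetConnection. The port lists and the trusted-domain name are assumptions to adapt to your firewall rules; UDP (53, 88, 137/138) and the RPC dynamic range cannot be probed this way.

```powershell
# Added example, not part of either post. Asks the DC locator which DC it chooses for a
# domain (own or trusted) and probes the TCP ports a member needs to it. nltest and
# Test-NetConnection are built into Windows; port lists below are assumptions.

function Get-LocatedDc {
    param(
        [Parameter(Mandatory)][string] $Domain,
        [switch] $Force     # /force bypasses the locator cache so a stale answer does not hide the problem
    )
    $out = if ($Force) { nltest /dsgetdc:$Domain /force } else { nltest /dsgetdc:$Domain }
    if ($LASTEXITCODE -ne 0) {
        throw "DC locator failed for '$Domain': $($out -join ' ')"   # e.g. ERROR_NO_SUCH_DOMAIN (1355)
    }
    # nltest prints lines such as "           DC: \\dc01.corp.example" and "      Address: \\10.0.0.1".
    $dc = $ip = $null
    foreach ($line in $out) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)')      { $dc = $Matches[1] }
        if ($line -match '^\s*Address:\s*\\\\(\S+)') { $ip = $Matches[1] }
    }
    [pscustomobject]@{ Domain = $Domain; DC = $dc; Address = $ip; Raw = $out }
}

function Test-DcPorts {
    param(
        [Parameter(Mandatory)][string] $ComputerName,
        [int[]] $Ports
    )
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $ComputerName; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

# TCP ports a member needs to a DC for logon, LDAP and policy (assumption; adjust to policy).
$dcPorts = 53, 88, 135, 139, 389, 445, 464, 636, 3268
# TCP ports a client needs to an enterprise CA for RPC/DCOM enrollment (135 plus dynamic range).
$caPorts = 135, 445

# 1. Own domain, as in the enrollment case: if the locator itself fails, enrollment cannot even start.
$own = Get-LocatedDc -Domain $env:USERDNSDOMAIN
$own | Format-List Domain, DC, Address
Test-DcPorts -ComputerName $own.DC -Ports $dcPorts | Format-Table -AutoSize
Test-DcPorts -ComputerName 'ca01.corp.example' -Ports $caPorts | Format-Table -AutoSize   # assumed CA host

# 2. Trusted domain, as in the trust case: this is the DC the member will talk to for domain A users.
$trusted = Get-LocatedDc -Domain 'domainA.example' -Force   # assumed trusted-domain name
$trusted | Format-List Domain, DC, Address
Test-DcPorts -ComputerName $trusted.DC -Ports 88, 389, 445 | Format-Table -AutoSize
```

Run it on a working member server and on the failing one and diff the output: if the locator returns no DC for domain A on the failing host, the problem is DNS or UDP 389 locator pings from that subnet rather than the trust; if it returns a DC but the ports are closed, it is the firewall between that subnet and domain A's DCs. Remember that the member server resolves and contacts the trusted domain's DC directly, which is why netstat shows no connection attempt when the locator never found one.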

How should I set the keyUsage field of a subordinate CA in AD CS?


Well, from this post, https://social.technet.microsoft.com/Forums/windows/en-US/406ce00d-5a29-483e-9b81-7d4867139dad/how-do-i-set-the-keyusage-field-in-my-offline-standalone-root-ca-certificate-to-criticalyes

I learned that the keyUsage of the root CA can be set in the CAPolicy.inf file.

But the certificates issued by an offline standalone root CA always have the same keyUsage field, that is Digital Signature, Certificate Signing, Off-line Signing, CRL Signing.

I'd like to remove the Digital Signature field. 

How should I achieve that?

DFS Replication Failing for Domain System Volume

Hi, 

I am setting up a 2-node domain controller pair (Windows Server 2019 [1809]), DC01 and DC02.

So that the SYSVOL is synced between the two, I have installed DFS Namespaces and Replication on both servers, with DC01 being the primary domain controller.

The issue that I am having is that after the install and restart of both domain controllers, Event Viewer is giving the following error:

In addition, the health report indicates for DC02: "This member is waiting for initial replication for replicated folder SYSVOL Share."

Any thoughts on what could be causing this would be much appreciated.


Problem of replication and membership in groups between 2 domain controllers

Problem: When users with Active Directory accounts using the FortiClient VPN plan to connect to the internal network, they get the correct-password error (expired password), because after their login inside the Exchange webmail account and changing the FortiClient VPN, it will also cause a regression error. But if the admin is at the Active Directory console of each of the 2 domains, the feedback controller is resolved. This is a complete lack of replication. It's between 2 DCs, but I wanted to go over this issue in detail and fix it carefully.