Channel: Directory Services forum

Looking for some help and documentation on AD DR setup and configuration and effective AD Governance and reporting model


Is there any documentation available for designing a DR solution for AD or designing an effective offline backup for AD?

Also, I need some help on some artifacts on effective AD Governance and reporting. Can anyone point me to some good documentation please. Appreciate any help.


Pallab Chakraborty


How to link my active directory forest root domain to my purchased domain ?

Suppose I have a domain named mycompany.com and I deployed an Active Directory in Windows Server 2012 R2 whose forest root domain is AD.mycompany.com. How can I link it to my domain? I have searched so much on the web but was not able to find much. Can anyone please help me with this?

CredSSP error on domain joined workstations

Unable to understand this situation. All workstations that are not domain joined are able to take remote sessions without difficulty, while all domain joined workstations throw the CredSSP oracle remediation error.

Move ISTG to another DC


Hi,

We have to demote the current ISTG and replace it with a new domain controller.

What's the best practice to perform this migration without any issue on the replication topology?

Sysvol folder on domain controller does not exist


I have a few domain controllers, and I just installed a new 2016 DC. When I navigate from the other DCs to the new DC (\\DCXX) there are no folders like SYSVOL, etc.

Here is the dcdiag /q output from the new server:


Issue with Active Directory module for PowerShell


We have a resource domain (single domain/forest) in place that is used primarily for locked down systems like lab machines, kiosks, etc.  We are in the process of uplifting the domain with new Windows 2019 DCs replacing the 2008 R2 DCs (DFL and FFL still 2008 R2 currently). 

This is an inherited domain, and I *think* the issue is with the domain name being created with an underscore in the name:  _resource.local - just looking for confirmation or if something else could be causing this issue.

The AD management tools work fine, but we are seeing errors with the PowerShell for AD.  While the old DCs are around, they have been demoted and we don't know if this happened with them unfortunately. When you launch Active Directory Module for PowerShell, it returns this error below. Manually typing import-module ActiveDirectory succeeds without error.

import-module : Attempting to perform the InitializeDefaultDrives operation on the 'ActiveDirectory' provider failed.
At line:1 char:1
+ import-module ActiveDirectory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Activ...ActiveDirectory:ProviderInfo) [Import-Module], Prov
   iderInvocationException
    + FullyQualifiedErrorId : InitializeDefaultDrivesException,Microsoft.PowerShell.Commands.ImportModuleCommand

However, trying to run any AD cmdlet returns an error like this one below:

Get-ADDomain : Invalid URI: The server name 'DC20._RESOURCE.LOCAL' could not be parsed. You might need to enable
internationalized domain name support for class System.Uri. See help of class System.Uri for more details.
At line:1 char:1
+ Get-ADDomain
+ ~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (_RESOURCE:ADDomain) [Get-ADDomain], UriFormatException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UriFormatException,Microsoft.ActiveDirectory.Management.Com
   mands.GetADDomain

Account Lockout 4740 with no caller computer and no bad password attempts


I know there is a lot of stuff on how to track lockouts, but I've never had issues before. The list of things I tried below is not likely complete since I started looking at this before the COVID-19 situation hit and am just getting back to it now.

I have an elevated account for one of our network engineers that is locking out on a consistent basis. There is a 4740 event generated on the same DC on a consistent basis. The caller computer is blank. There are no other logs for this account on the DC or in our SIEM, which includes events forwarded from workstations.

The account locks when the user's machine is off.

The lockout tools state that there are bad password events on the DC, but there are none in the DC log and none in the SIEM.

There are no events on the local workstation for this account.

We have Netlogon logging enabled on the PDC and the local workstation and the account never shows up.

Cred manager for the user, user's elevated account and SYSTEM account on the workstation have been cleared.

I've checked the NPS logs on radius and there is no record of the account in those logs.

I'm a little stumped because I'm not sure how else to trace this. I always manage to trace these back, but this one has me banging my head against the wall since there are simply no records of this account doing anything except the lockout events. I suspect it is being used on a network device but without a caller computer name or a bad username/password event with an IP, I don't know of another way to trace this.

I was contemplating trying to capture network traffic to the DC, but that's a lot of traffic to sort through and I'm not sure if I would be able to filter it enough to determine the source of the lockout.

I'm looking for any other thoughts on places I can look or how I can track where the 4740 originates from.

Thanks in advance!

WB
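An added example, not part of the post above, showing one way to chase a 4740 whose Caller Computer Name is blank: read the lockouts for the account from the PDC emulator (every 4740 is logged there), then look on every DC for 4776 (NTLM credential validation, which carries a Workstation field) and 4771 (Kerberos pre-authentication failure, which carries the client IP) for the same account in the minutes before each lockout. The account name, the seven-day lookback and the five-minute window are assumptions; the script needs the ActiveDirectory module and read access to each DC's Security log.

```powershell
# Added example (not from the forum post). Correlate 4740 lockouts on the PDC
# emulator with 4776/4771 failures on all DCs. Names below are placeholders.
Import-Module ActiveDirectory

$account = 'adm.example'                 # assumed sAMAccountName of the locked account
$window  = New-TimeSpan -Minutes 5       # assumed correlation window before each lockout
$since   = (Get-Date).AddDays(-7)        # assumed lookback
$pdc     = (Get-ADDomain).PDCEmulator
$dcs     = (Get-ADDomainController -Filter *).HostName

# Helper: read one named EventData field from an event record via its XML
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Lockouts for this account on the PDC emulator
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $account }

foreach ($lock in $lockouts) {
    # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field
    $caller = Get-EventField $lock 'TargetDomainName'
    '{0}  4740  caller=''{1}''' -f $lock.TimeCreated, $caller

    # 2. Authentication failures for the same account on every DC just before the lockout
    $start = $lock.TimeCreated - $window
    $end   = $lock.TimeCreated
    foreach ($dc in $dcs) {
        $hits = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4771; StartTime = $start; EndTime = $end } |
            Where-Object { (Get-EventField $_ 'TargetUserName') -eq $account }
        foreach ($h in $hits) {
            # 4776 names the workstation that sent the NTLM request; 4771 gives the client IP
            $src = if ($h.Id -eq 4776) { Get-EventField $h 'Workstation' } else { Get-EventField $h 'IpAddress' }
            '    {0}  {1}  on {2}  source=''{3}''' -f $h.TimeCreated, $h.Id, $dc, $src
        }
    }
}
```

If the correlation comes back empty on every DC, the failed attempts are not reaching the DCs as interactive or network logons at all, which points at something that validates credentials through a different path (for example a device using RADIUS or LDAP simple bind, where the bad password surfaces as a 4776 from the NPS or LDAP server rather than from the user's workstation).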

Limited Access Account to Attributes


Can you have a domain account/user with limited access to modify Active Directory attributes? So this user can run a PowerShell script that updates only a particular attribute (or attributes) in AD and nothing else. If not, what options do I have?

Thanks!
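An added example, not from the post, of the delegation the question asks about: an ACE that grants one account WriteProperty on a single attribute for user objects under one OU, and nothing else. The OU, the account name and the attribute (`division`) are assumptions; the script needs the ActiveDirectory module (for the `AD:` drive) and must be run by someone who already holds write access to the OU's security descriptor.

```powershell
# Added example (not from the forum post). Delegate write access to exactly one
# attribute on user objects in one OU. Names below are placeholders.
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=corp,DC=example'   # assumed target OU
$principal = Get-ADUser 'svc-attr-writer'    # assumed delegated account
$attrName  = 'division'                       # assumed attribute to delegate

# The ACE is scoped by two GUIDs from the schema: the attribute's schemaIDGUID
# (ObjectType) and the 'user' class schemaIDGUID (InheritedObjectType), so the
# right applies to that attribute only, and only on user objects below the OU.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))").schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))').schemaIDGUID

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $principal.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: the delegated account should show exactly one WriteProperty ACE scoped
# to the attribute GUID and inherited only by user objects.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$($principal.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The account running the script then needs no other group membership; a `Set-ADUser -Replace @{division='...'}` on a user in that OU succeeds, while writing any other attribute, or any object outside the OU, is denied.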


How do you set up the update password page in ADFS 3.0


Hello,

We have recently migrated to ADFS 3.0. Everything is working except the update password feature. In the KB article http://technet.microsoft.com/en-us/library/dn280950.aspx the section under Update Password says that I need to enable the ADFS endpoint /adfs/portal/updatepassword/ and restart the ADFS service.

This has been done, but when I go to https://sts.domain.com/adfs/portal/updatepassword, all I get is a page that says "An error occurred. Contact your administrator."

What I am trying to accomplish is this. 

http://technet.microsoft.com/en-us/library/dn280950.aspx

Any help would be greatly appreciated.

Thanks

Cheston


How to find out untrusted workstations?


I often see the following error

“The trust relationship between this workstation and the primary domain failed”

How can I find these error workstations by PowerShell or another script?
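An added example, not from the post, of one way to build that list: ask each enabled computer in an OU to test its own secure channel, and separately flag machine accounts whose password has not rotated in a long time (the machine account password is changed every 30 days by default, so a much older `PasswordLastSet` is a secondary warning sign). The search base and the stale threshold are assumptions; the script needs the ActiveDirectory module and PowerShell remoting to the workstations.

```powershell
# Added example (not from the forum post). Report computers whose secure channel
# with the domain is broken or suspect. Names and thresholds are placeholders.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=corp,DC=example'   # assumed
$staleDays  = 60                                      # assumed: twice the default 30-day rotation

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties PasswordLastSet

$report = foreach ($c in $computers) {
    $err = $null
    try {
        # Test-ComputerSecureChannel runs on the client and checks that client's own
        # channel. A machine with a broken trust usually cannot even authenticate the
        # remoting session, so a failure here is itself a signal (reported as Unreachable,
        # which also covers machines that are simply switched off).
        $ok = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop `
                -ScriptBlock { Test-ComputerSecureChannel }
        $state = if ($ok) { 'Healthy' } else { 'Broken' }
    } catch {
        $state = 'Unreachable'
        $err   = $_.Exception.Message
    }

    [pscustomobject]@{
        Computer        = $c.Name
        SecureChannel   = $state
        PasswordLastSet = $c.PasswordLastSet
        StalePassword   = ($c.PasswordLastSet -lt (Get-Date).AddDays(-$staleDays))
        Error           = $err
    }
}

# Only the machines worth a look: broken, unreachable, or not rotating their password
$report | Where-Object { $_.SecureChannel -ne 'Healthy' -or $_.StalePassword } | Format-Table -AutoSize
```

For a machine that reports `Broken`, `Test-ComputerSecureChannel -Repair -Credential <domain admin>` run locally on that machine resets the channel without a domain leave/rejoin.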

Certificate enrollment failed - 0x8007054b


Hi,

We have some PCs that cannot enroll certificates; the error is: The specified domain either does not exist or could not be contacted.

These PCs are in a restricted network location; we have opened the ports below to specific servers:

To AD server: TCP/UDP 137, 138, 139, 389, 636, 88, 53, 445; TCP 135 and 49152-65535.

To CA server: TCP 135, 139, 445 and 49152-65535.

Is there something I missed, or how do I troubleshoot the error?

thanks in advance!

Foreign Security Principals showing under Domain Local Groups of Target domain


Hello,

I need more clarity and information on FSP showing in Domain Local groups of Target Domain:

1. What are those objects in Source Domain showing FSP objects as members in Domain Local groups of target domain?

2. Do those objects belong only to members of Domain Local groups, or also to members of other groups in other domains via existing trusts in the source domain?

3. Can we remove all FSP whether it is orphaned or not from Domain Local groups post migration?

Kindly reply specific to above mentioned points.

Thanks

Alex Lee


switch users & computers to older secondary AD server


Now we have on-premises primary and secondary Domain Controllers. We will clone the secondary DC server to the cloud; this clone will not be connected with the original primary DC and secondary DC for, for example, 30 days, and the clone DC will have a new IP from a different range. During these 30 days users will use the original DCs.

Is it possible after 30 days to shut down the original DCs? Will the cloned DC2 work for users when we change the users' DNS server to the new IP of the cloned server?

Yes, I know this is a bad solution, but we don't have another option.

thanks.

Problem with group policy

I have created an OU in which I put one of my virtual machines. Then I created a test group policy (simply named test) where I forbid use of Control Panel. I linked that group policy and did an update on the client machine with gpupdate /force. However, when I run gpresult /r, I don't see "test" under applied group policy objects. When I did the same with the default domain policy, everything worked fine and that one was applied.

LDAP Query for all active users

I need a query within ADUC that will give me a list of all my active users and will NOT list any disabled accounts, computer accounts, or anything other than User accounts that have an active sign-on. Please advise.
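An added example, not from the post, of the filter such a query needs. The same LDAP filter string works in ADUC (Find, Custom Search, Advanced tab) and from PowerShell; the search base and the 90-day logon cutoff are assumptions, and the script needs the ActiveDirectory module.

```powershell
# Added example (not from the forum post). LDAP filters for enabled user accounts,
# excluding disabled accounts and computer objects. Base DN and cutoff are placeholders.
Import-Module ActiveDirectory

$searchBase = 'DC=corp,DC=example'   # assumed

# objectCategory=person together with objectClass=user excludes computers: computer
# objects also carry objectClass=user, but their objectCategory is 'computer'.
# The matching rule 1.2.840.113556.1.4.803 is a bitwise AND on userAccountControl;
# bit 0x2 is ACCOUNTDISABLE, so the negated clause keeps only enabled accounts.
$enabledUsers = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Optional tighter version: also require a logon within the last 90 days (assumed).
# lastLogonTimestamp is replicated to every DC (accurate to roughly 14 days by
# default) and is stored as a Windows FILETIME integer, so the cutoff is converted.
$cutoff       = [DateTime]::UtcNow.AddDays(-90).ToFileTimeUtc()
$recentlyUsed = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(lastLogonTimestamp>=$cutoff))"

Get-ADUser -LDAPFilter $recentlyUsed -SearchBase $searchBase -Properties lastLogonTimestamp |
    Select-Object SamAccountName, Enabled,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } } |
    Sort-Object LastLogon -Descending
```

Paste `$enabledUsers` (the string itself, without the quotes) into the ADUC custom search to get the first list; the `lastLogonTimestamp` clause is what separates accounts that are merely enabled from accounts that are actually being signed into.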

PKI-related issue with Domain Controller and "custom" certificate


I'm honestly not sure if this is a PKI-related issue involving AD, or an AD-related issue involving PKI...  But there is no PKI-specific option under "Windows Server" for this forum site.

What I'm trying to do: Use a special Domain Controller certificate template to make a certificate request on a DC which includes a list of SANs (Subject Alternative Names). (Yes, I know auto-enroll will not work!!) With a SAN, you can use a load-balancer with Secure LDAP (port 636/tcp) and a common name.

I've done this before and it worked great. Downside is you have to manually renew certs. Not a problem here. I am NOT trying to publish the certificate into AD: that option is UNchecked in the certificate template.

The issue is that I am getting this error on the step where I run the command

    certreq -f -submit -config "ca.corp.nydomain.com\My PKI Name" $csrFile $certFile

Where I get an error:

Certificate retrieved(Issued) Issued  Could not publish Certificate.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

In the CAPI2 event log, the only message helpful is:

The certificate is not valid for the requested usage.
[ value] 800B0110

I actually cloned the new template from the default/built-in "Domain Controllers" template; it's just been updated to 2012 R2 with some other parameters for the usage I am trying to implement.

I've gone through all the things that come to mind, like special rights for "cert publishers" on the template, making sure the "Domain Admins" and "Domain Controllers" groups have rights... I'm not sure if I've MISSED something simple!!!

I'm probably going to have to open a Premier ticket, but I was hoping that someone might point out something obvious I've missed.

The domain structure is a root domain, and I am working in a sub-domain, and the AD-integrated PKI servers are domain members of a different sub-domain. (So "A" is the root domain, "B" is the corp sub-domain, and "C" is the sub-domain under "A" in which I am working on with the DC's.)

The DC is Windows Server 2012 R2 and the CA server is Windows Server 2012 R2.

Any thoughts would be greatly appreciated!!


-- Rob "I" --

active directory change IP address


hello team , 

Currently we have two domain controllers, one 2008 R2 (primary) and one 2012 (secondary), and we are planning to migrate the 2008 R2 domain controller to 2012. This primary domain controller has some applications that depend on its IP address. How can we migrate it to a new server and keep the same IP?

appreciate your advice on such issue 

Using ADFS with .local domain name


I currently have a domain with abc.local domain name.  Everything is on-premise including a 2013 Exchange server.  I am planning a deployment of cloud services for voice and would like to use ADFS to authenticate the cloud softphones.  

If I add an additional UPN Domain suffix of xyz.com to the existing domain will ADFS allow me to use the newly created UPN suffix (user@xyz.com) to authenticate the users?


Brian Modlin

AD LDS sync from AD failing on some users


I am trying to sync our AD into AD LDS, but running into issues getting some users to sync in. All others work just fine.

- Server 2016 running AD LDS named instance.

Here is a copy of the error I am getting from adamsync:

Processing Entry: Page 320, Frame 1, Entry 12, Count 1, USN 0

Processing source entry <guid=15ee001d0eadb14d8b3150da1d38661e>

Processing in-scope entry 15ee001d0eadb14d8b3150da1d38661e.

Adding target object CN=Russell\, Craig,OU=Employees - IT,OU=Users,OU=Corporate,OU=Edit,dc=Edit,dc=corp.

Adding attributes: sourceobjectguid, sn, givenName, instanceType, employeeID, objectSid, sAMAccountName, mail, lastagedchange, objectclass, 

Ldap error occured. ldap_add_sW: Unwilling To Perform. 

Extended Info: 000020E7: SvcErr: DSID-03153500, problem 5003 (WILL_NOT_PERFORM), data 8471
.

Ldap error occured. ldap_add_sW: Unwilling To Perform. 

Extended Info: 000020E7: SvcErr: DSID-03153500, problem 5003 (WILL_NOT_PERFORM), data 8471
.



************

************

************ A fatal error occured in the program while processing entry

************ <GUID=15ee001d0eadb14d8b3150da1d38661e>.

************ The error will be ignored at user request.  Continuing...

************

************

This server is a Test AD LDS instance that is having issues. I have a Prod AD LDS setup that works just fine, syncing all users in.

New field in Active Directory


Hi All,

I want to add a new field in user properties under the Organization tab.

Attribute name: division

This division attribute is already available in Attribute Editor, but I want to add it as a "division" field under the Organization tab.

Please help.
