Channel: Directory Services forum

ADFS Authentication with Multiple Forests for Remote Desktop Services

Hello,

How can I do ADFS Authentication with Multiple Forests for Remote Desktop Services?

I have an on-premises Remote Desktop environment, and now we have merged with another company, and they want to access our Remote Desktop environment with their AD users through Active Directory Federation Services (ADFS).

They don't want to use a VPN tunnel for AD trust.

Is there any way we can do ADFS Authentication with AD Forest trust for an on-premises Remote Desktop environment?

Thanks

fine-grained password policy not working


Hello, I set up a PSO several years ago and now users tell me that they can change their passwords to "blank".

I reviewed the PSO policy and everything looks normal; then I go to any applied object to verify the attribute, but it is not there: the msDS-ResultantPSO attribute is missing.

When I do a result set on a group or users that the PSO is applied to, it says there is no policy applied.

All my DCs are 2019; we are in hybrid mode with AAD.

Can you please help?

Update - when I add a single test user, the PSO is applied.

What could be wrong with the group? I have 1 group with 50 nested groups.
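As an added example (not part of the original post), here is a PowerShell check for exactly this situation: it walks the group, nested members included, and reports which users actually resolve a PSO. It assumes the RSAT ActiveDirectory module; the group name 'GG-Password-Standard' and the PSO name 'PSO-Standard' are placeholders. Two things matter when reading the output: a PSO can only be linked to user objects and to global security groups, so a group of any other scope or category never takes effect, and Get-ADUserResultantPasswordPolicy returns nothing when only the Default Domain Policy applies.

```powershell
# Added example (not part of the original post). Placeholders: group
# 'GG-Password-Standard', PSO 'PSO-Standard'. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-PsoTarget {
    # A PSO can only be linked to users and to global security groups; a group of
    # any other scope or category is a dead link and never takes effect.
    param([Parameter(Mandatory)][string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName -Properties GroupScope, GroupCategory
    [pscustomobject]@{
        Group       = $g.Name
        Scope       = $g.GroupScope
        Category    = $g.GroupCategory
        ValidTarget = ($g.GroupScope -eq 'Global' -and $g.GroupCategory -eq 'Security')
    }
}

function Get-PsoCoverage {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$ExpectedPso
    )
    # -Recursive expands nested groups and returns only the leaf objects.
    $users = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($u in $users) {
        # Resolves the same constructed attribute (msDS-ResultantPSO) the poster
        # looked at; $null means no PSO applies and the Default Domain Policy is in force.
        $pso  = Get-ADUserResultantPasswordPolicy -Identity $u.DistinguishedName
        $name = if ($pso) { $pso.Name } else { '<none>' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            ResultantPSO   = $name
            Covered        = [bool]($pso -and $pso.Name -eq $ExpectedPso)
        }
    }
}

# Where the PSO is linked (user and group DNs).
(Get-ADFineGrainedPasswordPolicy -Identity 'PSO-Standard').AppliesTo

Test-PsoTarget -GroupName 'GG-Password-Standard'

# Users in the membership tree that the policy misses.
Get-PsoCoverage -GroupName 'GG-Password-Standard' -ExpectedPso 'PSO-Standard' |
    Where-Object { -not $_.Covered } |
    Format-Table -AutoSize
```

If Test-PsoTarget reports a non-global or non-security group anywhere in the chain, that is the place to look first; if the target is fine but users are still uncovered, compare the PSO's precedence with any other PSO linked to those users, since the lowest precedence value wins.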




ACTIVE DIRECTORY CERTIFICATE SERVICES (AD CS)


I am new to AD CS and have a few questions about it. A little bit of a background: I have a customer who wants to set up AD CS to authenticate domain PCs as well as to encrypt network traffic.

Now with the questions:

  1. It was my understanding that as soon as AD CS is set up and a certificate is pushed to the domain using GPO, PCs will receive a certificate from the server, and that is what is needed for authentication. Is this correct?
  2. I can't find any information on what is needed for network traffic encryption. Does anyone have a tutorial or can point me in the right direction?
  3. Is there anything I need to do for devices like firewalls, etc., that use LDAP to communicate with the DC?

Thank you in advance for any help I can get.

 

Serge

Question about 'account options' on the AD user need to include 'this account supports AES 256 bit encryption'

I read the following blog post,


https://social.technet.microsoft.com/wiki/contents/articles/36470.active-directory-using-kerberos-keytabs-to-integrate-non-windows-systems.aspx

The post says 'account options' on the AD user need to include 'this account supports AES 256 bit encryption'

I built a new Windows 2019 DC (all default settings)

I added a new AD user, entered the password and left everything else at defaults

I created a KeyTab using AES-256 only

I take the KeyTab file to a standalone Ubuntu client with Kerberos installed

From the Ubuntu server I execute kinit -k -t <keytabfile> <principal>

I get a TGT encrypted with AES-256 (e.g. klist -e)

The thing is the principal (let's call him Fred) does not have the check mark against his account 'this account supports AES 256 bit encryption', but I still get back an AES TGT

Can someone kindly explain this to me?

In other words, if 'account options' on the AD user need to include 'this account supports AES 256 bit encryption' and it is not selected, why do I still get a TGT encrypted with AES?


Or does this setting only apply to Service Tickets I would receive back from the KDC (DC)? For example a Service Ticket to a Linux/WEB Server (whose SPN is listed against Fred and the one in the KeyTab file)

I do not have a WEB server installed on Linux so I cannot test this part

If someone could explain this to me I would be most grateful
Thanks
CXMelga

AD DS unable to establish connection with a Domain Controller


Hello all!

We are having trouble bringing up a second domain controller in an AWS VPC. The first DC went up fine. It promoted, installed DNS, etc. We were able to join three servers to the domain it now hosts.

When we try to bring up a second DC, it hangs at "Configuring the local computer to host Active Directory Domain Services."

The last entry on the Active Directory Domain Services Configuration Wizard reads: "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server."

The last entry in the Event Log is Event ID 1962, "Internal Event: The local directory service received an exception from a remote procedure call (RPC)." Error value is 2148074306.

Another entry in the Event Log is Event ID 1125, "The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to establish connection with the following domain controller." Error value 2148074306. The encryption type is not supported by the KDC.

I checked the encryption levels in the Local Security Policies, ADUC object attributes and GPOs. They are all identical.

I also tried restarting the KDC service on the DC. That didn't work either.

Any help would be appreciated.
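The keytab question above and this failed promotion touch the same attribute from opposite ends. The account option 'This account supports Kerberos AES 256 bit encryption' is a bit in msDS-SupportedEncryptionTypes, and "The encryption type is not supported by the KDC" is what comes back when the two sides of a Kerberos exchange have no encryption type in common. A TGT is encrypted with the krbtgt account's key, so the ticket etype klist shows after a kinit follows krbtgt, not the user whose keytab was used; the user's own value governs the service tickets the KDC issues for SPNs registered on that user. The following is an added example, not from either post: it decodes the attribute for any account and shows how to set an AES-only value. It assumes the RSAT ActiveDirectory module; 'fred' and 'DC02$' are placeholder account names.

```powershell
# Added example (not part of either post). Requires the RSAT ActiveDirectory module;
# 'fred' and 'DC02$' are placeholder account names.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
$EtypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-CTS-HMAC-SHA1-96-SK'   # AES session keys only; set by newer DCs
}

function ConvertFrom-SupportedEncryptionTypes {
    param($Value)
    if ($null -eq $Value -or $Value -eq 0) {
        # Unset: the KDC applies its default for this account type. The November 2022
        # Kerberos hardening updates changed that default, so the DC patch level matters.
        return @('<not set: KDC default applies>')
    }
    foreach ($bit in $EtypeBits.Keys) {
        if ($Value -band $bit) { $EtypeBits[$bit] }
    }
}

function Get-AccountEtypes {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
        -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName
    if (-not $acct) { throw "Account '$SamAccountName' not found" }
    $raw = $acct.'msDS-SupportedEncryptionTypes'
    $hex = if ($null -ne $raw) { '0x{0:X2}' -f $raw } else { '<not set>' }
    [pscustomobject]@{
        Account  = $SamAccountName
        RawValue = $hex
        Etypes   = (ConvertFrom-SupportedEncryptionTypes $raw) -join ', '
        SpnCount = @($acct.servicePrincipalName).Count
    }
}

# krbtgt decides the TGT's ticket etype; fred decides service tickets for fred's SPNs.
# For the promotion error, compare krbtgt and the existing DCs' computer accounts
# with the new server's "Network security: Configure encryption types allowed for
# Kerberos" policy; the intersection must not be empty.
'krbtgt', 'fred', 'DC02$' | ForEach-Object { Get-AccountEtypes -SamAccountName $_ }

# AES only (0x08 + 0x10): the same as ticking exactly the two AES boxes in ADUC.
Set-ADUser -Identity 'fred' -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }
```

The decoder deliberately distinguishes "not set" from "0", because an unset attribute does not mean "no encryption types"; it means the KDC falls back to a default that depends on the DC's patch level, which is what makes etype mismatches appear after updates even though nothing in the directory changed.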

Issue with Active Directory module for PowerShell


We have a resource domain (single domain/forest) in place that is used primarily for locked down systems like lab machines, kiosks, etc.  We are in the process of uplifting the domain with new Windows 2019 DCs replacing the 2008 R2 DCs (DFL and FFL still 2008 R2 currently). 

This is an inherited domain, and I *think* the issue is with the domain name being created with an underscore in the name:  _resource.local - just looking for confirmation or if something else could be causing this issue.

The AD management tools work fine, but we are seeing errors with the PowerShell for AD.  While the old DCs are around, they have been demoted and we don't know if this happened with them unfortunately. When you launch Active Directory Module for PowerShell, it returns this error below. Manually typing import-module ActiveDirectory succeeds without error.

import-module : Attempting to perform the InitializeDefaultDrives operation on the 'ActiveDirectory' provider failed.
At line:1 char:1
+ import-module ActiveDirectory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Activ...ActiveDirectory:ProviderInfo) [Import-Module], Prov
   iderInvocationException
    + FullyQualifiedErrorId : InitializeDefaultDrivesException,Microsoft.PowerShell.Commands.ImportModuleCommand

However, trying to run any AD cmdlet returns an error like this one below:

Get-ADDomain : Invalid URI: The server name 'DC20._RESOURCE.LOCAL' could not be parsed. You might need to enable
internationalized domain name support for class System.Uri. See help of class System.Uri for more details.
At line:1 char:1
+ Get-ADDomain
+ ~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (_RESOURCE:ADDomain) [Get-ADDomain], UriFormatException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UriFormatException,Microsoft.ActiveDirectory.Management.Com
   mands.GetADDomain

DCPROMO never completes


Hi All,

I'm busy with 2 new DCs for a client. Done numerous DCPROMOs without an issue up until now.

When I DCPROMO, the prerequisites all pass with no issues. It then starts to prepare the installation, and seemingly stalls on preparing the local computer for ADDS. There is 1 error in the event log:

8524 - The DSA Operation is unable to proceed because of a DNS lookup failure.

However, I can perform an NSLOOKUP with no issues to any of the 3 existing DCs.

Things I have done:

* Restarted the VMs, and then uninstalled DNS / ADDS before restarting and trying again (I deleted any SYSVOL/NTDS folders);

* Deleted the computer object out of AD Sites & Services;

* Checked NSLOOKUP as I mentioned and it passes;

* Firewalls turned off on source / destination VMs;

* No traffic passing through a firewall on the network.

I am a member of the Domain Admins group, and the existing DCs are running Windows Server 2016 v. 1607 (14393.3564) while the new DCs are running Windows Server 2016 v. 1607 (14393.3504).

Any help would be appreciated.

Thanks!

Non Admin users appearing in User Account Management on Domain Controllers


I am not sure if this is a problem. If it is not, then I would appreciate someone walking me through it.

If we log on to one of our Domain Controllers and go to Control Panel > User Accounts > Manage User Accounts, in the new User Accounts window we can see several non-admin User accounts listed.

I don't think that this is necessarily a problem, but we want to be sure that it is normal and it is not the sign of an issue, as it seems strange that a Domain Controller would have nominal User Accounts to Manage.

We want to be sure that there has not been too much access granted to people that should not have it in an unobvious way.


ADFS via Internet


Dear Technet, hope you can help me moving forward.

I have a WebApp Proxy with ADFS in place. Is it possible to use SSO via the Internet: take my laptop outside of the network, connect it via mobile phone to the Internet and then access resources of the company? ADFS is then asking for credentials (login with username & password is working). Can I delegate the creds I used to sign in on the laptop to ADFS?

Thanks for your input,

Chris

How to link my active directory forest root domain to my purchased domain ?

Suppose I have a domain named mycompany.com, and I deployed Active Directory on Windows Server 2012 R2 whose forest root domain is AD.mycompany.com. How can I link it to my domain? I have searched so much on the web but am not able to find much. Can anyone please help me with this?

Error while seizing the Schema Master " ldap_modify_sW error 0x32(50 (Insufficient Rights)."

We have two domain controllers, and the one (DC01) holding the Schema Master role crashed. I am trying to seize the schema master role to DC02, but it gives me the following error.

My user is administrator and is a member of Enterprise Admins and Schema Admins.

fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03152832, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-031528D2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

When does LDAP turn into Kerberos


Hello

Can someone help me with the following question please,

If I am a client computer, I query my configured DNS server looking for an LDAP server; once I have the IP address of the LDAP server I can connect over port 389.

Now then, LDAP v3 supports simple authentication (username/password) or SASL (Simple Authentication and Security Layer), which I believe kicks off Kerberos negotiation (possibly via SPNEGO).

The reason I ask is I want to put LDAP queries via a load balancer, so if a client wants to query LDAP they point to a load-balanced VIP.

However, Kerberos (port 88) does not play nicely, or at least easily, with load balancers (due to the SPNs).

So I want to understand: when does a client go from its initial LDAP connection to a DC (port 389) to negotiating and using Kerberos (port 88)?

I am assuming LDAP is used for querying AD and updating AD (adding a user to a group), or are updates to AD done over RPC by the client?

I am a bit confused about all this. I understand Kerberos and TGT and Service tickets; the PAC in the Kerberos ticket is turned into a Windows token, which is then used to check for authorisation. In which case, logically, I will need a Kerberos service ticket for the LDAP service on the DC so it can turn this Kerberos ticket into a Windows token to check the ACEs (in the ACL) to see if I have rights to add a user to a group, for example.

However, I understand LDAP on its own supports CRUD operations (create, read, update, delete), so logically I could do without Kerberos or NTLM if I can do a simple bind to the DC and use pure LDAP to make the updates?

As you can see I am a bit confused on how this all fits together please help! :)

CXMelga
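As an added example (not part of the original post), here are the bind flavours discussed above written against System.DirectoryServices.Protocols, the .NET LDAP client, because the code makes it visible where Kerberos enters the picture: the TCP connection to 389 involves no Kerberos at all; it is the SASL bind that makes the client ask the KDC (port 88) for a ticket to ldap/<server name>, and the same connection then carries the writes (a group membership change is a plain LDAP modify, not RPC). The server names and DNs are placeholders.

```powershell
# Added example (not part of the original post). Server names and DNs are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-LdapConnection {
    param(
        [Parameter(Mandatory)][string]$Server,
        [ValidateSet('Kerberos', 'Negotiate', 'Basic')][string]$AuthType = 'Kerberos',
        [switch]$Ldaps,
        [System.Net.NetworkCredential]$Credential
    )
    $port = if ($Ldaps) { 636 } else { 389 }
    # Plain TCP connect: no Kerberos has happened yet.
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]$AuthType

    if ($Ldaps) {
        $conn.SessionOptions.SecureSocketLayer = $true
    } elseif ($AuthType -eq 'Basic') {
        throw 'Refusing a simple bind without TLS: the password would cross the wire in clear text.'
    } else {
        # SASL integrity + confidentiality on 389: this is the "signing" that the
        # DC's "LDAP server signing requirements" policy is about.
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }

    if ($Credential) { $conn.Credential = $Credential }
    # Kerberos/Negotiate: this is where the client asks the KDC (port 88) for a
    # service ticket for ldap/<Server>. Basic: the password travels inside the TLS
    # session and no KDC is involved.
    $conn.Bind()
    return $conn
}

function Add-LdapGroupMember {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$UserDn
    )
    # Writes are LDAP too: a modify request adding one value to 'member'. The DC
    # authorizes it against the group's ACL using the token built from the bind
    # identity (from the PAC, in the Kerberos case), not from anything in the request.
    $op  = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
    $req = [System.DirectoryServices.Protocols.ModifyRequest]::new($GroupDn, $op, 'member', $UserDn)
    return $Connection.SendRequest($req)
}

# 1) Kerberos SASL bind as the logged-on user; needs an SPN ldap/<name> for the name used.
$kerb = New-LdapConnection -Server 'dc01.corp.example.com' -AuthType Kerberos
$resp = Add-LdapGroupMember -Connection $kerb `
    -GroupDn 'CN=App-Admins,OU=Groups,DC=corp,DC=example,DC=com' `
    -UserDn  'CN=Fred,OU=Users,DC=corp,DC=example,DC=com'
"modify result: $($resp.ResultCode)"
$kerb.Dispose()

# 2) Simple bind over LDAPS through a VIP: no SPN, no Kerberos, no NTLM; the DC
#    validates the password itself, so only ever do this inside TLS.
$pw     = Read-Host -AsSecureString 'svc-ldap password'
$cred   = [System.Net.NetworkCredential]::new('svc-ldap@corp.example.com', $pw)
$simple = New-LdapConnection -Server 'ldap-vip.corp.example.com' -AuthType Basic -Ldaps -Credential $cred
$simple.Dispose()
```

The SPN detail is what makes the VIP awkward: a Kerberos client builds the SPN from the host name it connected to, and ldap/ldap-vip.corp.example.com is registered on no DC (an SPN can exist on only one account, so it cannot be put on all of them). Negotiate then falls back to NTLM, which works through a load balancer but is usually what people are trying to retire. A simple bind over LDAPS needs no SPN at all, which is why it is the common answer for third-party appliances behind a VIP, and a simple bind without TLS should be refused outright, as the function above does.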


Deleted Object Only shows in Global Catalog


I am trying to remove an old Exchange 2003 server.

The Uninstall mentions that there are still mailboxes hosted on the server. Searching the Entire Directory shows that there is an AD Object with a mailbox on the server I am trying to remove however when I go to the corresponding Child domain to remove the object it is not present. I.e. the object is only in the Global Catalog and not the Child directory.

How can I remove this object?

Trying to delete the object I get the error.

Windows cannot delete object Test User because:

Directory object not found.

 

Thanks in advance

Gavin

 

AD FS Unable to find Expired certificate


Hello,

I recently set up an ADFS connection with an external service and get a "connection not secure" message when I am redirected to our /adfs page, due to a certificate that has expired.
I have looked everywhere on the server, but I am unable to find it to get the service working.

In the AD FS console, all 3 certificates (Service communication, Token-decrypting and Token-signing) are all valid.

Can you please help me find where the expired certificate is?

Thanks!

Delete ip subnet


Hi,

A while ago, beside dfsn, we added a new test site, and therefore we had to configure an IP subnet for both the test and dfsn sites.

Now we want to delete the test site and its IP subnet, and I don't think there is any problem with that.

My question is: am I going to get any problem with deleting the IP subnet from dfsn? It is the only site we had from the start and it was working fine, so we just want to go back to how we had it.

Regards,





Share personal certificate of LDAPS server to Clients


We have enabled LDAPS on the DCs, and that means that each of them has its own personal certificate. Some application owners (Java until now) request from us the personal certificate of the domain controller in order to embed it in their application. I would like to ask whether giving the personal certificate of a domain controller to a member server is a valid practice and whether that could mean a security issue.

Thank you
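As an added example (not part of the original post), here is the check a PKI owner would run before answering that request: pull the certificate chain a DC presents on 636, show what the leaf actually is, and export the issuing CA certificate (not the DC's own certificate) as PEM for the application's trust store. The DC's certificate is public, so handing it out leaks nothing, but it is per-DC and is renewed by autoenrollment, so an application that pins it breaks on the next renewal and cannot talk to the other DCs; the private key must of course never leave the DC. The server name 'dc01.corp.example.com' is a placeholder.

```powershell
# Added example (not part of the original post). 'dc01.corp.example.com' is a placeholder.
function Get-LdapsChain {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Accept whatever the server sends: this is an inspection tool, and the
        # real validation is done explicitly with X509Chain below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Skip revocation here so the check works offline; the application does its own.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok      = $chain.Build($leaf)
    $issuers = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Server      = $Server
        Leaf        = $leaf.Subject
        LeafSAN     = ($leaf.DnsNameList | ForEach-Object Unicode) -join ', '
        LeafExpires = $leaf.NotAfter
        ChainOk     = $ok
        Status      = $status
        Issuers     = $issuers
    }
}

function Export-PemCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Path
    )
    # DER public certificate only; a .cer/.pem never contains the private key.
    $b64 = [Convert]::ToBase64String($Certificate.Export('Cert'), 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
        Set-Content -Path $Path -Encoding ascii
}

$info = Get-LdapsChain -Server 'dc01.corp.example.com'
$info | Select-Object Server, Leaf, LeafSAN, LeafExpires, ChainOk, Status

if ($info.Issuers.Count -eq 0) {
    Write-Warning 'Only the leaf could be chained; obtain the CA certificate from the PKI team, not from the DC.'
} else {
    # Hand application owners the CA certificate(s): they trust every DC and survive
    # renewal of the DC certificate. Never the leaf, never the DC's private key.
    foreach ($ca in $info.Issuers) {
        $cn   = ($ca.Subject -split ',')[0] -replace '^CN=', ''
        $file = ($cn -replace '[^\w.-]', '_') + '.pem'
        Export-PemCertificate -Certificate $ca -Path ".\$file"
        "exported $($ca.Subject) -> .\$file"
    }
}
```

For the Java case the resulting PEM goes into the application's truststore with keytool (for example `keytool -importcert -trustcacerts -alias corp-issuing-ca -file Corp-Issuing-CA.pem -keystore cacerts`), and the application connects to the DC by the exact name that appears in LeafSAN, since Java checks the host name against the certificate.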

Same as parent folder Host A record missing for DCs


Hello Folks,

Can someone please help me to understand why I don't see all the DCs' Host A records under (same as parent folder)? Is this behavior normal? Although I don't see any issues with DNS, I would like to understand this, and also when I do an nslookup of my domain name I don't see all the DCs' IPs. But the Name Servers tab displays all the DCs properly.

I would like to understand how this whole thing works, precisely.

Regards,

Aatif Kungle



Delete an old OU

Hi everyone!

I'm trying to delete an old OU, but it's impossible!

This OU was a computer container, but I already changed it using the redircmp command and I already unchecked the "Protect object from accidental deletion" option, but when I right-click the OU it doesn't show the delete option.

When I open ADSIEdit in "Default naming context" and try to delete the OU, I get the message:
"Operation failed. Error code: 0x20ce The requested delete operation could not be performed."

When I open the OU properties, the "isCriticalSystemObject" attribute has the value "TRUE", and when I try to change it to "FALSE" or "Not set" and click on the apply button, I get the message:
"Operation failed. Error code: 0x2077 Illegal modify operation. Some aspect of the modification is not permitted."

I am domain administrator and I have already added my account to the Security tab with all permissions, but I still cannot delete this OU. 

Can someone help me? 

Event 2887 "performed without SSL/TLS:" vs "performed without signing"


Hello,

I have been using MS ATA to find systems & apps making clear-text LDAP connections to our domain controllers and have reconfigured them to use LDAPS / port 636. I have the clear-text connections down to zero, but the count for "performed without signing" is showing several thousand. (This is from event 2887 in the Directory Service log.) I want to set the GPO mentioned in this article: https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

My question is could I break anything? No one is using clear text anymore but there are a ton of non-signed connections. Can I block one and not the other? Thanks!

Number of simple binds performed without SSL/TLS: 0

Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 3267
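The two counters in event 2887 are separate for reporting only. Setting "Domain controller: LDAP server signing requirements" to Require signing rejects both unsigned SASL binds and clear-text simple binds, so one cannot be blocked without the other, while binds that already sit inside a TLS session (port 636 or StartTLS) are unaffected, which is why moving clients to 636 zeroed the first counter. To know what the remaining 3267 binds would break, per-bind events are needed, and that is what the following added example (not from the original post) enables and summarizes. It assumes it is run on a domain controller with local administrator rights.

```powershell
# Added example (not part of the original post). Run on each DC as a local administrator.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

function Enable-LdapInterfaceEvents {
    # Diagnostics level 2 for "16 LDAP Interface Events" makes the DC write event 2889,
    # one per unsigned SASL bind or clear-text simple bind, naming the client and identity.
    Set-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-LdapSigningRequirement {
    # LDAPServerIntegrity: 1 = None (default), 2 = Require signing. The GPO setting
    # "Domain controller: LDAP server signing requirements" writes this value.
    $p = Get-ItemProperty -Path "$ntds\Parameters" -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    if ($p.LDAPServerIntegrity -eq 2) { 'Require signing' } else { 'None (unsigned SASL binds accepted)' }
}

function Get-UnsignedBindReport {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The 2889 message carries the client IP:port, the identity bound as, and a
        # binding type (0 = SASL without signing, 1 = simple bind in clear text).
        if ($e.Message -match '(?s)Client IP address:\s*(?<ip>\S+).*?authenticate as:\s*(?<id>.+?)\s*Binding Type:\s*(?<type>\d)') {
            $kind = if ($Matches.type -eq '1') { 'simple/cleartext' } else { 'SASL/unsigned' }
            [pscustomobject]@{
                Client   = $Matches.ip -replace ':\d+$', ''
                Identity = $Matches.id.Trim()
                Type     = $kind
                Time     = $e.TimeCreated
            }
        }
    }
}

Enable-LdapInterfaceEvents
"Current server requirement: $(Get-LdapSigningRequirement)"

# The fix list: who is behind the "without signing" counter, by client and identity.
Get-UnsignedBindReport |
    Group-Object Client, Identity, Type |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Leave the diagnostics level at 2 for at least one full 24-hour 2887 cycle on every DC, fix or re-point each client in the list (most Windows clients sign by default once "Network security: LDAP client signing requirements" is Negotiate signing or higher, so the list is typically Linux, Java and appliance binds), then flip the server setting to Require signing and set the diagnostics level back to 0.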

Active Directory: can the "Licensing Site Settings" object be safely deleted?


Hi 

Over the years our domain has been updated several times (Windows NT - Windows 2000 - Windows 2003 - Windows 2008 R2 - Windows 2019).

As a result, it certainly has objects that are no longer really needed.

For example, in some sites, we have a "Licensing Site Settings" object.

After researching on the Internet, we have only found that earlier (Windows 2000/2003) domain controllers had a "License Logging Service", and this object comes from that time.
In Windows Server 2008 and newer, this service ("License Logging Service") has disappeared.
Unfortunately, the "Licensing Site Settings" object still exists in some sites.

Can we delete the "Licensing Site Settings" object without concern?

Thanks in advance.
