Channel: Directory Services forum

Delete an old OU

Hi everyone!

I'm trying to delete an old OU, but it's impossible!

This OU was a computer container, but I already changed that using the redircmp command and I already unchecked "Protect object from accidental deletion", but when I right-click the OU it doesn't show the delete option.

When I open ADSI Edit in "Default naming context" and try to delete the OU, I get the message:
"Operation failed. Error code: 0x20ce The requested delete operation could not be performed."

When I open the OU properties, the "isCriticalSystemObject" attribute has the value "TRUE", and when I try to change it to "FALSE" or "Not set" and click the Apply button, I get the message:
"Operation failed. Error code: 0x2077 Illegal modify operation. Some aspect of the modification is not permitted."

I am a domain administrator and I have already added my account to the Security tab with all permissions, but I still cannot delete this OU.

Can someone help me? 

Syntax error


Hi Experts

When I execute the syntax below in PowerShell ISE, I get an error. Experts, please guide me on this.

+ Get-ADUser -Filter $input -properties DisplayName,Userprincipalname,title ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

# $input is an automatic PowerShell variable (the pipeline enumerator). Assigning to it and passing it to -Filter
# hands Get-ADUser an empty filter, which is what raises ADFilterParsingException; use an ordinary variable name.
$adFilter = "((Office -like '* United State of America*') -or (Office -like '* Berlin*') -or (Office -like '* Japan*') -or (co -like '* United State of America*') -or (co -like '* Germany*') -or (co -like '* Japan*'))"
Get-ADUser -Filter $adFilter -Properties DisplayName,UserPrincipalName,title,description,co,Office,personalTitle,EmployeeNumber,EmployeeType,EmployeeID | Select-Object DisplayName,UserPrincipalName,title,description,co,Office,personalTitle,EmployeeNumber,EmployeeType,EmployeeID | Export-Csv C:\list.csv -NoTypeInformation


AD FS Unable to find Expired certificate


Hello,

I recently set up an AD FS connection with an external service and get a "connection not secure" message when I am redirected to our /adfs page, due to a certificate that has expired.
I have looked everywhere on the server but I am unable to find it in order to get the service working.

In the AD FS console, all 3 certificates (Service communication, Token-decrypting and Token-signing) are valid.

Can you please help me find where the expired certificate is?

Thanks!

Migrate FRS to DFS for Domain Controller


Hello,

I have a task to migrate FRS to DFS; currently we have around 60 DCs worldwide. I have done some research and found that most articles mention that if your DCs have SYSVOL and NETLOGON replication issues, you should fix them before migrating to DFS. Unfortunately 8 of our DCs have SYSVOL/NETLOGON replication issues. I might need to demote and re-promote those DCs in order to solve the issue. But the problem is that I have a tight deadline to complete this task, since our management wants to move to Windows Server 2019 for new DCs (we are unable to promote new DCs due to FRS).

1. What is the real impact if I proceed to migrate FRS to DFS even though a few DCs have SYSVOL replication issues? Most of the articles do not mention what exactly the issue is.

2. Is it possible to migrate to DFS first, and then demote and re-promote the problematic domain controllers (the ones with SYSVOL replication issues)? Or MUST I fix them first before I can migrate?

3. What is the impact if, during the migration process, one of our DCs suddenly goes down? Can it be a serious issue?

Thanks

PKI-related issue with Domain Controller and "custom" certificate


I'm honestly not sure if this is a PKI-related issue involving AD, or an AD-related issue involving PKI...  But there is no PKI-specific option under "Windows Server" for this forum site.

What I'm trying to do: Use a special Domain Controller certificate template to make a certificate request on a DC which includes a list of SANs (Subject Alternative Names). (Yes, I know auto-enroll will not work!!) With a SAN, you can use a load-balancer with Secure LDAP (port 636/tcp) and a common name.

I've done this before and it worked great. Downside is you have to manually renew certs. Not a problem here. I am NOT trying to publish the certificate into AD: that option is UNchecked in the certificate template.

The issue is that I am getting this error on the step where I run the command

    certreq -f -submit -config "ca.corp.nydomain.com\My PKI Name" $csrFile $certFile

Where I get an error:

Certificate retrieved(Issued) Issued  Could not publish Certificate.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

In the CAPI2 event log, the only message helpful is:

The certificate is not valid for the requested usage.
[ value] 800B0110

I actually cloned the new template from the default/built-in "Domain Controllers" template; it has just been updated to 2012 R2 with some other parameters for the usage I am trying to implement.

I've gone through all the things that come to mind, like special rights for "cert publishers" on the template, making sure the "Domain Admins" and "Domain Controllers" groups have rights... I'm not sure if I've MISSED something simple!!!

I'm probably going to have to open a Premier ticket, but I was hoping that someone might point out something obvious I've missed.

The domain structure is a root domain, and I am working in a sub-domain, and the AD-integrated PKI servers are domain members of a different sub-domain. (So "A" is the root domain, "B" is the corp sub-domain, and "C" is the sub-domain under "A" in which I am working on with the DC's.)

The DC is Windows Server 2012 R2 and the CA server is Windows Server 2012 R2.

Any thoughts would be greatly appreciated!!


-- Rob "I" --

Delegate permission to create keytab file


hello All,

We have a service account. Is there a way to delegate to this service account the ability to create keytab files at the OU level?

Please let us know if there is any such option available.

regards

Aamir 


Windows 2016 Failover Cluster Fails Active Directory Authentication


Hello All.

I originally posted this to the High Availability forum but it was recommended that I post this to the Directory Services forum, so the below is a copy-and-paste of my original post.

I have an environment with three domain controllers all within the same site that are replicating between each other.  We set up a Failover Cluster on two Windows 2016 nodes and noticed that it failed the Active Directory Configuration validation tests.  The nodes failed this one test 100% of the time.  After digging in the Event Viewer, we noticed that the error messages for cluster creation included the message "A more secure authentication method is required."  We require the group policy setting "Domain controller: LDAP server signing requirements" to be set to "Require signing", but out of curiosity we set it to "None" and lo and behold, the nodes started connecting to Active Directory.

But it doesn't end there.  Although the Active Directory validation tests started succeeding, they only succeeded sometimes.  In other words, sometimes Node 1 would succeed and Node 2 fails, sometimes Node 1 fails but Node 2 succeeds, sometimes they both fail, and sometimes they both succeed.  Through a long mess of troubleshooting, we found out that if we removed one of the domain controllers from the DNS IP list on the nodes' NIC IPv4 properties, the validation tests would succeed 100% of the time.  This points to a DNS issue, I'm guessing, but I'm not too sure.

When querying the domain suffix in nslookup, all three domain controllers return the correct IPs.  All three domain controllers respond to port 636 and offer the correct certificate.

So my question is two-fold:  what is preventing the nodes from connecting to Active Directory while LDAP server signing is required, and what manner of DNS issue prevents them from connecting if it is not?

Windows Server 2019 domain controller deployment


Hello, we have 4 domain controllers.  Three are running Windows Server 2008 R2 and 1 is running Windows Server 2012 R2.  Our primary domain controller is one of the Windows Server 2008 R2 servers.  Our domain functional level is "Windows Server 2008 R2" and our forest functional level is "Windows Server 2003."  Are there any implications in introducing a Windows Server 2019 domain controller into this environment?  We would eventually like to retire the Windows Server 2008 R2 domain controllers.

Thank you for your assistance!


migrate from 2008


hi guys,

Is it feasible to install Active Directory 2016 in an organization running Active Directory 2003 and 2008?

I am planning to migrate to 2016.

many thanks

Windows Hello for Business - On Prem Certificates - Client Side Errors


After following the deployment guide here 

I'm not getting prompted on the client to enroll, and when trying to enroll the options are grayed out. The client log Microsoft-Windows-HelloForBusiness/Operational errors out with 

The device registration prerequisite check failed. (EventID 7200)

The Primary Account Primary Refresh Token prerequisite check failed. (EventID 7200)

Windows Hello for Business prerequisites check failed. Error: 0x8007051F (EventID 7054)

GPO, MFA, Certs and ADFS are set up. Service accounts all nominal, every step of the guide checked 10 times over. The errors don't seem to be documented, and something is missing. Please help!


Access Denied while updating GPO from Domain Controller &


I have an OU for servers in the DC (blocked inheritance) with over 100 servers in it; there are around 6 policies applied. I have two issues, described below:

1. While applying "Group Policy update" from the OU in the DC, 70 servers return 'Successful' and the remaining return error '0x80070005' Access denied. These servers have no special permissions and have the same OS.

2. I have configured a policy for auditing and applied it to all servers. I checked the servers after the update and all of them couldn't configure it, with the message "the policy engine didn't attempt to configure the settings". I double-checked and there is no duplicated policy for auditing.

(see the attached image)

Extract objects attributes from an ou within a server using powershell


Hi,

I have a task where we need to gather all the attributes of the objects within an OU in our AD domain. Do we have a PowerShell script to perform this action, like a script which extracts all the attributes of the objects into an Excel file?

Regards,
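One way to do what the post above asks for, as an added example that is not part of the original post: it pulls every object under an OU with all readable attributes, builds the union of attribute names so every row has the same columns, flattens multi-valued and binary attributes so they survive Export-Csv, and writes a CSV that Excel opens directly. The OU distinguished name and output path are placeholders; the function names are mine.

```powershell
# Added example (not from the original post). Exports every attribute of every object under an
# OU to CSV. The OU DN and output path in the usage line are placeholders.
Import-Module ActiveDirectory

# Flatten a single attribute value so it survives Export-Csv: multi-valued attributes become
# ';'-separated, raw byte arrays (e.g. userCertificate) become Base64, nulls become ''.
function ConvertTo-CsvCell {
    param($Value)
    if ($null -eq $Value) { return '' }
    if ($Value -is [byte[]]) { return [Convert]::ToBase64String($Value) }
    if ($Value -is [System.Collections.IEnumerable] -and $Value -isnot [string]) {
        return ($Value | ForEach-Object { ConvertTo-CsvCell $_ }) -join ';'
    }
    return [string]$Value
}

function Export-OuAttributes {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Servers,DC=corp,DC=example'
        [Parameter(Mandatory)] [string] $OutFile,      # e.g. 'C:\temp\ou-attributes.csv'
        [ValidateSet('Base', 'OneLevel', 'Subtree')] [string] $SearchScope = 'OneLevel'
    )

    # -Properties * returns every attribute the calling account is allowed to read; attributes
    # it cannot read (confidential ones, for example) are simply absent from the result, so the
    # column set below reflects the caller's rights, not the schema.
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope $SearchScope -Filter * -Properties *

    # Objects of different classes carry different attributes: take the union of all names so
    # every row gets the same columns (empty where an object lacks the attribute).
    $columns = $objects | ForEach-Object { $_.PropertyNames } | Sort-Object -Unique

    $rows = foreach ($obj in $objects) {
        $row = [ordered]@{}
        foreach ($name in $columns) {
            $row[$name] = ConvertTo-CsvCell $obj.$name
        }
        [pscustomobject]$row
    }

    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $rows
}

# Usage (placeholder DN and path); use -SearchScope Subtree to include nested OUs:
# Export-OuAttributes -SearchBase 'OU=Servers,DC=corp,DC=example' -OutFile 'C:\temp\ou-attributes.csv'
```

Run it as an account with read rights on the OU; if the output is missing attributes you expected, the account lacks read permission on them rather than the script having dropped them.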

Delegate Moving User between OUs

AD servers RDP issue


Hi, 

I have installed an AD server and it is sitting behind the NSX Edge firewall. When I enable the firewall I am not able to access it:

it shows "an internal error occurred".

If I disable the firewall I can access the server.

I can telnet to 3389 (if the firewall is enabled).

I can ping the server (if the firewall is enabled).

But I can't access the box.

Jumpbox >> Edge firewall >> Active Dir servers

please help me to fix this issue 

Nagesh

NIS server alternatives for Windows Server 2016


It seems the NIS server is no longer available since Windows Server 2016.

Currently we're using Windows Server 2012:

Does anyone know of alternatives for Windows Server 2016?

thanks in advance,

oli



RODC in DMZ - User Accounts can authenticate - Computer Accounts can not


Hi everyone,

I have an RODC in a DMZ. User account authentication works fine (IIS and RDS Gateway), but computer authentication does not.

Our RDS Gateway works with non-domain-joined computers. But when I try to connect from a domain-joined one, it fails.

Our software deployment web server can be accessed by a browser with username and password but fails with the computer account.

Is the setup just not right for this purpose or did I miss something?

I removed the global catalog from the RODC because "some applications may not work right", but this did not fix it.

Anyone can help me out?

Best regards

Stephan


Best Practice for Adding Subnet in Site and Services (Domain Controller)


Hello,

We have opened a new office and the IP range will start with 10.200.X.X. Those IPs will be separated into a lot of subnets like 10.200.192.0/24, 10.200.94.0/23, 10.200.191.0/24. There are a lot of prefixes that need to be added.

I'm just thinking, since it involves so many subnets, can we just add a bigger prefix instead of adding them one by one? For example 10.200.0.0/16. Is it good practice? Our purpose is only to make sure that the machines in this office point to the correct DC. From my perspective I don't see any harm, since all those subnets together almost fill 10.200.0.0/16. But I'm not sure if there is any issue I can't foresee, especially a security issue.

2. Another thing: can we do the same for PTR records in DNS? Just put 10.200.0.0/16 instead of adding the separate subnets one by one. I don't know what the impact is if we do it like this.

THanks




Same as parent folder Host A record missing for DCs


Hello Folks,

Can someone please help me understand why I don't see all the DCs' Host A records under (same as parent folder)? Is this behavior normal? Although I don't see any issues with DNS, I would like to understand it, and also when I do an nslookup of my domain name I don't see all the DCs' IPs. But the Name Servers tab displays all the DCs properly.

I would like to understand precisely how this whole thing works.

Regards,

Aatif Kungle


PowerShell script for Event ID LDAP


Hi all,

According to the upcoming changes to LDAP, we have to perform an audit of the logs and find the connections and accounts.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536

From what I've seen there will be Event IDs 3040 and 3041 which will collect the information every 24 hours. I've tried to test so far with the current Event IDs in the Directory Service log and then export to CSV, but it didn't work very well.

Has someone already created a PowerShell script to export the information from the events and save it readably in CSV?

Thanks in advance
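An added example (not part of the post above) of the kind of script being asked for. The 24-hour summary events carry counts only; the per-client detail needed to find connections and accounts is Directory Service event 2889, which a DC writes for each SASL bind without signing or simple bind over cleartext once the "16 LDAP Interface Events" diagnostic level is set to 2. The script raises that level, parses the 2889 message text into client IP, source port, identity and binding type, collects events from one or more DCs, and summarises them per account/IP pair for export to CSV. The function names, the DC names in the usage line, and the sample event message used for the offline check are mine; the regex assumes the standard 2889 message layout.

```powershell
# Added example (not from the original post). Collects Directory Service event 2889 (per-client
# detail of unsigned SASL binds and cleartext simple binds, logged when the '16 LDAP Interface
# Events' diagnostic level is 2) and exports client IP and account to CSV. Event 2887 is the
# 24-hour summary and carries counts only, so 2889 is the one to mine.

function Enable-LdapInterfaceEvents {
    # Raise the diagnostic level to 2 on the local DC (run elevated, on every DC you audit).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function ConvertFrom-LdapBindMessage {
    # Parse the message text of one 2889 event. Assumes the standard layout: each label is
    # followed by its value, possibly on the next line.
    param([Parameter(Mandatory)][string] $Message)
    $pattern = 'Client IP address:\s*(?<endpoint>\S+)\s+' +
               'Identity the client attempted to authenticate as:\s*(?<identity>.+?)\s+' +
               'Binding Type:\s*(?<type>\d+)'
    if (-not ($Message -match $pattern)) { return $null }
    $endpoint = $Matches.endpoint
    $sep = $endpoint.LastIndexOf(':')          # the client's source port follows the last ':'
    [pscustomobject]@{
        ClientIP    = $endpoint.Substring(0, $sep)
        ClientPort  = [int]$endpoint.Substring($sep + 1)
        Identity    = $Matches.identity.Trim()
        BindingType = [int]$Matches.type        # raw value from the event, kept as logged
    }
}

function Get-UnsignedLdapBinds {
    # One row per 2889 event from each DC since $Since.
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    foreach ($dc in $ComputerName) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2889; StartTime = $Since
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $p = ConvertFrom-LdapBindMessage -Message $e.Message
            if ($null -eq $p) { continue }      # skip anything that does not fit the layout
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DC          = $dc
                ClientIP    = $p.ClientIP
                ClientPort  = $p.ClientPort
                Identity    = $p.Identity
                BindingType = $p.BindingType
            }
        }
    }
}

function Get-UnsignedLdapBindSummary {
    # Collapse the rows to one line per account/IP pair: this is the remediation list.
    param([Parameter(Mandatory, ValueFromPipeline)] $Bind)
    begin { $all = @() }
    process { $all += $Bind }
    end {
        $all | Group-Object Identity, ClientIP | ForEach-Object {
            [pscustomobject]@{
                Identity = $_.Group[0].Identity
                ClientIP = $_.Group[0].ClientIP
                Binds    = $_.Count
                LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
                DCs      = ($_.Group.DC | Sort-Object -Unique) -join ';'
            }
        }
    }
}

# Offline check of the parser against a constructed 2889 message (not a captured event):
$sample = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without
requesting signing (integrity verification), or performed a simple bind over a clear text
(non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.20.30.40:49711
Identity the client attempted to authenticate as:
CORP\svc-app
Binding Type:
0
"@
ConvertFrom-LdapBindMessage -Message $sample

# Live usage (placeholder DC names):
# Enable-LdapInterfaceEvents
# Get-UnsignedLdapBinds -ComputerName 'DC01','DC02' -Since (Get-Date).AddDays(-7) |
#     Get-UnsignedLdapBindSummary |
#     Export-Csv C:\temp\unsigned-ldap-binds.csv -NoTypeInformation
```

Leave the diagnostic level at 2 for at least a full business cycle before enforcing signing, since monthly and quarterly jobs only show up once they run; level 2 is verbose, so drop it back to 0 when the audit is done.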

Limit users who query AD ldap


Hi,

How do I prevent ordinary users from querying LDAP? We have an application for which we have one account used by the application to connect to AD LDAP. What we have noticed is that ordinary users can also query LDAP. Can we apply delegation so that ordinary users cannot query? If so, what would the permissions be? If we apply these permissions, will it prevent them from logging in to the domain controller or using some other services?

Thanks,

Janus
