Channel: Directory Services forum

Same as parent folder Host A record missing for DCs

Hello Folks,

Can someone please help me understand why I don't see all the DCs' Host A records under "(same as parent folder)"? Is this behavior normal? Although I don't see any issues with DNS, I would like to understand this, and also when I do an nslookup on my domain name I don't see all the DCs' IPs. But the Name Servers tab displays all the DCs properly.

I would like to understand precisely how this whole thing works.

Regards,

Aatif Kungle

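The "(same as parent folder)" A records are the zone-apex records each DC's Netlogon service registers for the domain name itself (the LdapIpAddress mnemonic), which is what nslookup on the bare domain name returns; the Name Servers tab is a separate list of NS records. The following is an added example, not part of the original post or a Microsoft tool: it compares the DCs in AD with the apex A records on the PDC emulator and reads each DC's DnsAvoidRegisterRecords setting, which is what the "DC Locator DNS records not registered by the DCs" policy writes. It assumes the RSAT ActiveDirectory and DnsServer modules, WinRM access to the DCs, and a zone named after the domain's DNS root.

```powershell
# Added example: which DCs are missing from the "(same as parent folder)" A records, and why.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain
$zone   = $domain.DNSRoot

# What AD says the domain controllers are.
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, Site

# What the zone apex holds. -Name "@" selects the records the DNS console
# shows as "(same as parent folder)".
$apexA = Get-DnsServerResourceRecord -ZoneName $zone -RRType A -Name '@' -ComputerName $domain.PDCEmulator |
         ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }

foreach ($dc in $dcs) {
    # Netlogon skips the apex A record when DnsAvoidRegisterRecords (REG_MULTI_SZ)
    # on that DC contains LdapIpAddress, so read it from each DC.
    $avoid = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
            -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
    }
    [pscustomobject]@{
        DC          = $dc.HostName
        IP          = $dc.IPv4Address
        Site        = $dc.Site
        InApexA     = ($apexA -contains $dc.IPv4Address)
        AvoidList   = ($avoid -join ',')
        SkipsApexA  = ($avoid -contains 'LdapIpAddress')
    }
}

# What a client actually gets back for the bare domain name.
Resolve-DnsName -Name $zone -Type A -Server $domain.PDCEmulator | Select-Object Name, IPAddress
```

A DC with SkipsApexA = True is behaving as configured (this is commonly done on DCs behind NAT or on branch DCs so the domain name does not resolve to them); a DC with an empty AvoidList and InApexA = False has a registration problem, and `ipconfig /registerdns` followed by a Netlogon restart on that DC is the usual first step.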


A user account was locked out.

Hello team,

We are using one AD FTP account for which we get "A user account was locked out" alerts every day. How do we fix this?

----------------------

A user account was locked out.

Subject:
Security ID: SYSTEM
Account Name: DC03$
Account Domain: PRODUCT

Account That Was Locked Out:
Security ID: PRODUCT\SSTEST
Account Name: SSTEST

Additional Information:
Caller Computer Name: CMF04

----------------------

Regards,

PR

Add a new attribute to the user object.

Hi everyone!

How can I add a user attribute in the AD dictionary (schema)? I would like to add a new field to the user object. Is there any how-to material? Could someone share it, please?

Thanks.


Doria
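Adding a field to the user object means extending the schema: create an attributeSchema object in the schema naming context, then add its lDAPDisplayName to the user class's mayContain list. The following is an added example, not from the original post or any Microsoft documentation. The attribute name and the OID are placeholders; an OID must come from a prefix you own (Microsoft's OID generation script produces one under 1.2.840.113556.1.8000.2554), and the change is forest-wide and effectively permanent (attributes can only be defunct-ed, not deleted), so test it in a lab forest first. Run it as a member of Schema Admins; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: create a single-valued Unicode string attribute and make it optional on "user".
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$attrName = 'contoso-EmployeeBadge'                 # placeholder name (vendor-prefix-Name is the convention)
$attrOid  = '1.2.840.113556.1.8000.2554.99999.1'    # placeholder OID, not a real assigned one

# Refuse to continue if the name or OID is already taken.
$existing = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(|(lDAPDisplayName=$attrName)(attributeID=$attrOid))"
if ($existing) { throw "Schema already contains: $($existing.DistinguishedName)" }

# attributeSyntax 2.5.5.12 with oMSyntax 64 = Unicode (DirectoryString).
# searchFlags 1 = indexed. Not added to the partial attribute set, so it is not in the GC.
New-ADObject -Server $schemaMaster -Name $attrName -Type attributeSchema -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName               = $attrName
    attributeID                   = $attrOid
    attributeSyntax               = '2.5.5.12'
    oMSyntax                      = 64
    isSingleValued                = $true
    searchFlags                   = 1
    isMemberOfPartialAttributeSet = $false
    adminDescription              = 'Employee badge number (example attribute)'
}

# Force the schema master to reload its schema cache instead of waiting for the periodic refresh.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1); $rootDse.SetInfo()

# Make the attribute optional on the user class (mayContain), then reload the cache again.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)'
Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{ mayContain = $attrName }
$rootDse.Put('schemaUpdateNow', 1); $rootDse.SetInfo()

# Verify: the attribute is visible on a user once the change has replicated.
Get-ADUser -Server $schemaMaster -Filter * -ResultSetLimit 1 -Properties $attrName | Select-Object Name, $attrName
```

Once replicated, `Set-ADUser someone -Replace @{ $attrName = '12345' }` writes the new field, and it appears in ADUC's Attribute Editor tab. Because the attribute is not in the partial attribute set, queries against a Global Catalog on port 3268 will not return it.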

IT

No Active Directory yet, FSMO roles are shutting down Server 2012 R2

Domain Users accidentally added Administrators group in Active Directory and gets re-added because AdminSDholder

Because we wanted to apply a password policy to our domain, we disabled Block Inheritance on the Domain Controllers OU.

But we did not know there was a GPO active at domain level that added the local Administrator and Domain Users to the built-in Administrators group. Really bad design... but even worse, we did not notice.
This GPO is no problem for the workstations, but for the domain controllers it is!
This meant all the domain users suddenly were members of the Administrators security group. Something you really don't want.
When we noticed, we deleted the membership.

But because of AdminSDHolder the membership gets re-added after some time.
How can we prevent the re-adding of the membership to the Administrators group?

Kind regards,

Richard
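One caveat worth checking before blaming AdminSDHolder: the SDProp process behind AdminSDHolder stamps ACLs and adminCount=1 onto members of protected groups, it does not add members to any group. A Restricted Groups setting in a GPO that still applies to the Domain Controllers OU will, however, re-add Domain Users to Administrators on every policy refresh. The following is an added example, not from the original post: it parses the XML report of every GPO for Restricted Groups entries that touch Administrators and shows where each GPO is linked, then lists the current members of the built-in Administrators group and the objects SDProp has already stamped. It assumes the RSAT GroupPolicy and ActiveDirectory modules; Group Policy Preferences "Local Users and Groups" items are a different setting and are not parsed here.

```powershell
# Added example: find the GPO that keeps putting Domain Users into Administrators.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$findings = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # Restricted Groups sit under Computer/ExtensionData/Extension in a SecuritySettings
    # namespace; matching on local-name() avoids having to register the prefix.
    foreach ($rg in $report.SelectNodes("//*[local-name()='RestrictedGroups']")) {
        $group    = $rg.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']").InnerText
        $members  = @($rg.SelectNodes("*[local-name()='Member']/*[local-name()='Name']")   | ForEach-Object InnerText)
        $memberOf = @($rg.SelectNodes("*[local-name()='MemberOf']/*[local-name()='Name']") | ForEach-Object InnerText)
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            LinkedTo = (@($report.GPO.LinksTo | ForEach-Object SOMPath) -join '; ')
            Group    = $group
            Members  = ($members  -join ', ')   # "Members of this group": replaces the membership
            MemberOf = ($memberOf -join ', ')   # "This group is a member of": adds to the target group
        }
    }
}

'GPOs whose Restricted Groups setting touches Administrators:'
$findings | Where-Object { $_.Group -match 'Administrators' -or $_.MemberOf -match 'Administrators' } |
    Format-Table -AutoSize

'Current direct members of BUILTIN\Administrators (S-1-5-32-544):'
Get-ADGroupMember -Identity 'S-1-5-32-544' | Select-Object objectClass, Name, SamAccountName

'Objects SDProp has stamped (adminCount=1). Clearing this and re-enabling ACL inheritance is the'
'separate clean-up once the GPO is fixed; SDProp will not re-add group membership by itself.'
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount | Select-Object ObjectClass, Name
```

If a GPO with "Domain Users" under MemberOf for Administrators is linked at the domain level, unlink it from the domain (or re-enable Block Inheritance on the Domain Controllers OU) before removing the membership again; otherwise the next refresh, roughly every 90 minutes on members and 5 minutes on DCs, restores it.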

Azure AD Domain Services with Multiple Azure AD Domains

Hello Experts,

I'm evaluating the use of Azure AD Domain Services in Azure.

So the scenario is this: I have an AD forest with multiple subdomains, and these subdomains are currently being synced with Azure AD using Azure AD Connect.

Now I want to spin up a new Azure AD Domain Services instance in Azure that will connect to Azure AD. My question is: can an instance of Azure AD Domain Services sync with multiple replicated domains in Azure AD?

Regards,

Shola Lawani

The import failed because the store was read only, the store was full or the store did not open

If I try to import a PFX or CER certificate into the Personal folder, I get the error "The import failed because the store was read only, the store was full or the store did not open".


Arif

adprep /forestprep fails with constraint violation

Dear all,

I am running into a problem while preparing to add Windows Server 2016 servers as domain controllers.

The AD is verified, the schema version is 69 and everything looks fine, then this happens:


<-- snip -->


Current Schema Version is 69


Upgrading schema to version 88


Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch70.ldf"
Loading entries......
5 entries modified successfully.

The command has completed successfully
Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch71.ldf"
Loading entries........
12 entries modified successfully.

The command has completed successfully
Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch72.ldf"
Loading entries......
17 entries modified successfully.

The command has completed successfully
Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch73.ldf"
Loading entries......
22 entries modified successfully.

The command has completed successfully
Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch74.ldf"
Loading entries.
Add error on entry starting on line 1: Constraint Violation
The server side error is: 0x2082 A value for the attribute was not in the acceptable range of values.
The extended server error is:
00002082: AtrErr: DSID-03151817, #2:
       0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20022 (rangeLower):len 4
       1: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20023 (rangeUpper):len 4

22 entries modified successfully.
An error has occurred in the program
ERROR: Import from file D:\support\adprep\sch74.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20200428193051\ldif.err.74.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with t


Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20200428193051 directory for detailed information.


Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20200428193051 directory for more information.


<-- snip -->


Can someone point me in the right direction with this issue?


cheers

soeren
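Problem 1005 (CONSTRAINT_ATT_TYPE) on rangeLower/rangeUpper means the schema master rejected the values that sch74.ldf tried to write on an attributeSchema object (the first entry in the file, "entry starting on line 1"); ldif.err.74 names the exact object. The following is an added example, not part of the original post or of adprep: it parses the LDF file, picks out the entries that set rangeLower or rangeUpper, and shows the file's values next to the live values and syntax on the schema master, so the conflicting object can be compared before the file is re-run. It assumes the RSAT ActiveDirectory module and the file path from the post; adprep itself replaces the "DC=X" placeholder in the files with the forest root, which the script mirrors.

```powershell
# Added example: compare rangeLower/rangeUpper in an adprep LDF file with the live schema.
Import-Module ActiveDirectory

function Read-LdifEntries {
    # Minimal LDIF reader: returns one ordered dictionary per entry, attribute -> list of values.
    param([string]$Path)
    $entries = New-Object System.Collections.ArrayList
    $current = $null; $lastKey = $null
    foreach ($raw in (Get-Content -Path $Path)) {
        if ($raw -match '^\s*$') {                                # blank line ends the entry
            if ($current) { [void]$entries.Add($current); $current = $null }
            continue
        }
        if ($raw.StartsWith('#')) { continue }
        if ($raw.StartsWith(' ') -and $lastKey) {                 # folded continuation line
            $list = $current[$lastKey]; $list[$list.Count - 1] += $raw.Substring(1)
            continue
        }
        if ($raw -match '^([A-Za-z0-9.-]+):(:?) ?(.*)$') {        # "attr: value" / "attr:: base64"
            if (-not $current) { $current = [ordered]@{} }
            $key = $Matches[1]
            if (-not $current.Contains($key)) { $current[$key] = New-Object System.Collections.ArrayList }
            [void]$current[$key].Add($Matches[3])
            $lastKey = $key
        }
    }
    if ($current) { [void]$entries.Add($current) }
    return $entries
}

$schemaMaster = (Get-ADForest).SchemaMaster          # adprep must talk to this DC, not just any DC
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$ldf          = 'D:\support\adprep\sch74.ldf'        # path from the post

$hits = Read-LdifEntries -Path $ldf | Where-Object { $_.Contains('rangeLower') -or $_.Contains('rangeUpper') }
foreach ($e in $hits) {
    $dn   = ($e['dn'] -join '') -replace 'CN=Schema,CN=Configuration,DC=X$', $schemaNC
    $live = Get-ADObject -Server $schemaMaster -Identity $dn -ErrorAction SilentlyContinue `
                -Properties rangeLower, rangeUpper, attributeSyntax, oMSyntax, isDefunct
    [pscustomobject]@{
        DN         = $dn
        ChangeType = ($e['changetype'] -join '')
        FileLower  = ($e['rangeLower'] -join ',')
        FileUpper  = ($e['rangeUpper'] -join ',')
        LiveLower  = $live.rangeLower
        LiveUpper  = $live.rangeUpper
        Syntax     = "$($live.attributeSyntax)/$($live.oMSyntax)"
        Defunct    = $live.isDefunct
        Exists     = [bool]$live
    }
}
```

Two things to look for in the output: an object that does not exist on the schema master (Exists = False), which points at an earlier schNN.ldf that did not fully apply, and a syntax that differs from what the file expects, which happens when a third-party or manual schema change reused the same CN or lDAPDisplayName. Either way, rerun adprep logged on to the schema master itself after the cause is fixed; the log already shows it is connecting to ad01.domain.com, so confirm that host is the schema master with `netdom query fsmo`.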

Local account locking out domain account with the same name

We have a 2012 R2 Standard application server that has a local account configured which is used for the day-to-day operations of the locally installed application. We have a domain account with the same name but a different password that is used for a service that performs file copies and print jobs to network locations.

We are seeing that the domain account is getting locked out even when the domain account is not in use and the service is not running. From the event logs on the DC (2016) we can see that the domain account is getting locked out from the 2012 R2 application server, but it would appear that the local account is querying and locking out the domain account?

I have seen other articles in which this is referenced; can you advise whether this is expected behavior and why the local account would be attempting to authenticate against the domain?
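Both lockout posts above (the FTP account SSTEST locked out from CMF04, and the domain account sharing a name with a local account) are diagnosed the same way: every lockout is forwarded to the PDC emulator as event 4740, whose "Caller Computer Name" field identifies the machine that sent the bad password, and that machine's own Security log (event 4625) names the process, logon type and the account name plus domain that was actually presented. The following is an added example, not from either post: it collects the 4740 events for one account from the PDC and then pulls the 4625 events that preceded each lockout from the caller. It assumes WinRM access to the PDC and to the caller, and that both Security logs still cover the window; the account name is the one from the first post and is a placeholder.

```powershell
# Added example: from a 4740 lockout on the PDC to the failed logons on the caller computer.
Import-Module ActiveDirectory

function ConvertFrom-EventXml {
    # Flattens the EventData of a Security event into properties named as in the event XML.
    param($Event)
    $x = [xml]$Event.ToXml(); $d = @{ Time = $Event.TimeCreated; Id = $Event.Id }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

$account = 'SSTEST'                       # placeholder (locked-out account from the post)
$pdc     = (Get-ADDomain).PDCEmulator

# 4740: TargetUserName = locked account, TargetDomainName = "Caller Computer Name".
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) } |
    ForEach-Object { ConvertFrom-EventXml $_ } |
    Where-Object TargetUserName -eq $account |
    Select-Object Time, TargetUserName, @{n='Caller';e={ $_.TargetDomainName.TrimStart('\') }}, SubjectUserName
$lockouts | Format-Table -AutoSize

# 4625 on the caller in the 15 minutes before each lockout: which process, which logon type,
# and which domain name was presented. TargetDomainName equal to the caller's own computer
# name means a *local* SAM account was attempted; a domain name means the DC was asked.
foreach ($l in $lockouts) {
    Get-WinEvent -ComputerName $l.Caller -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $l.Time.AddMinutes(-15); EndTime = $l.Time } |
        ForEach-Object { ConvertFrom-EventXml $_ } |
        Where-Object TargetUserName -eq $account |
        Select-Object Time, TargetUserName, TargetDomainName, LogonType, LogonProcessName,
                      ProcessName, IpAddress, WorkstationName, SubStatus |
        Format-Table -AutoSize
}
```

SubStatus 0xC000006A is a wrong password and 0xC0000234 is "account locked out"; the ProcessName and LogonType (2 interactive, 3 network, 4 batch/scheduled task, 5 service, 7 unlock, 10 RDP) usually identify the stored credential. For the second post, a 4625 on the application server whose TargetDomainName is the domain name while the application was supposed to use the local account shows the application is passing the bare user name, which NTLM resolves through the domain when no local match with that password succeeds; giving the two accounts different names removes the ambiguity.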

Servers are not getting authenticated with their Gateway servers through Kerberos.

Hi,

We recently faced an issue where some of the servers are not getting authenticated with their gateway servers through Kerberos, so we received a few alerts for heartbeat failure. When we checked the status of the servers, they were pingable and we were able to RDP.

We tried restarting the Microsoft Monitoring Agent (MMA) service, but the alert is still not getting cleared from SCOM.

Here the environment is parent and child. For example: AAA.local is the parent domain and bbbb.AAA.local is the child domain.

Servers in the child domain have alerted as unable to authenticate to the gateway server in the parent domain through Kerberos.

We have been asked by the client to check Kerberos authentication between the parent and child domains.

We performed the following troubleshooting steps:

1. We checked the trust between the parent and child domain; it validates with no errors.

2. We checked the PDC emulator of the child domain; it shows no errors.

3. We checked a few servers which alerted and found no event at the time the alert was generated.

Looking for some advice/suggestions in this case. Please assist.
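A trust that validates rules out the trust object but not the two things that most often break Kerberos across a parent/child boundary: a duplicate or missing SPN for the gateway, and clock skew above five minutes. The following is an added example, not from the original post: run on one of the alerting child-domain servers, it checks this host's secure channel, the path to the parent, the forest for duplicate SPNs, the time offset to the gateway, and then asks the KDC for a ticket for the gateway's HOST SPN so the actual error code is visible. The gateway name is a placeholder; it assumes RSAT for Get-ADTrust and that the gateway listens for the agent under its HOST SPN.

```powershell
# Added example: Kerberos checks from a child-domain member towards a parent-domain gateway.
$gateway = 'gw01.AAA.local'     # placeholder: SCOM gateway FQDN in the parent domain
$parent  = 'AAA.local'

'--- secure channel of this host and trust path to the parent'
Test-ComputerSecureChannel -Verbose
nltest /sc_verify:$parent
Get-ADTrust -Filter * -Server $parent | Select-Object Name, Direction, TrustType, IntraForest

'--- duplicate SPNs anywhere in the forest (a duplicate HOST/ SPN makes the KDC refuse the ticket)'
setspn -X -F
'--- SPNs registered for the gateway computer account'
setspn -L ($gateway.Split('.')[0] + '$')

'--- clock skew to the gateway (Kerberos tolerates 5 minutes by default)'
w32tm /stripchart /computer:$gateway /samples:3 /dataonly

'--- request a service ticket for the gateway and show what came back'
klist purge | Out-Null
klist get "HOST/$gateway"
klist | Select-String -Pattern 'Client:|Server:|KerbTicket Encryption Type|Ticket Flags|Start Time|End Time'
```

A `klist get` failure such as KDC_ERR_S_PRINCIPAL_UNKNOWN means the SPN is not registered (or registered twice, which `setspn -X` shows), KRB_AP_ERR_SKEW means time, and a ticket that is issued fine while the agent still fails points at the application rather than the directory; in that case the Operations Manager event log on the alerting server, not the System log, is where the next clue is.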

Renewing the internal CA certificate fails

Hi everyone.

My internal CA certificate will expire soon (Windows Server 2008), and when I go through the renewal process using the console the wizard ends normally with no error, but when viewing the certificate index number there is no new one and the same certificate remains.

Please help

RODC DNS Server

Hello,

I have a DC and an RODC (both 2016). I configured my RODC DNS server to forward non-AD queries (internet queries) to my ISP's DNS. My workstations have the RODC as primary DNS server and the DC as secondary. Name resolution works fine, but I realized that my domain controller also caches the requests of my workstations. I checked that the RODC has only my ISP's DNS in forwarders.

Now I wonder whether the DC and RODC synchronize the cache, or whether my RODC does not actually forward the requests to my ISP but to the DC for some reason.

Thank you in advance.
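DNS servers never synchronize their caches, so a name appearing in the DC's cache means a query reached the DC: either the RODC sent it there (forwarders, or root hints when "use root hints if no forwarders are available" is on and the ISP did not answer in time), or the workstations did, because the Windows resolver switches to the secondary server after a timeout and keeps preferring it for a while. The following is an added example, not from the original post: it shows both servers' forwarder and recursion settings, clears both caches, resolves a real public name through the RODC only, and then looks for that name in each cache, which tells the two cases apart. It assumes the DnsServer module and WinRM to both servers; names are placeholders, and clearing the DC's cache is harmless but will cause a brief burst of re-resolution.

```powershell
# Added example: did the query go RODC -> ISP, or RODC -> DC?
Import-Module DnsServer
$rodc  = 'rodc01.corp.example'     # placeholder
$dc    = 'dc01.corp.example'       # placeholder
$probe = 'www.example.com'         # a public name that neither server has a zone for

'--- forwarder and recursion settings'
foreach ($s in $rodc, $dc) {
    $f = Get-DnsServerForwarder -ComputerName $s
    $r = Get-DnsServerRecursion -ComputerName $s
    [pscustomobject]@{
        Server           = $s
        Forwarders       = (@($f.IPAddress | ForEach-Object IPAddressToString) -join ',')
        UseRootHint      = $f.UseRootHint        # falls back to root hints when forwarders fail
        ForwarderTimeout = $f.Timeout
        RecursionEnabled = $r.Enable
    }
}

'--- clear both caches, then resolve the probe through the RODC only'
Clear-DnsServerCache -ComputerName $rodc -Force
Clear-DnsServerCache -ComputerName $dc   -Force
Resolve-DnsName -Name $probe -Server $rodc -Type A | Select-Object Name, IPAddress

'--- which caches now contain the probe'
foreach ($s in $rodc, $dc) {
    $hit = Show-DnsServerCache -ComputerName $s | Where-Object { $_.HostName -like "*$probe*" }
    [pscustomobject]@{ Server = $s; ProbeCached = [bool]$hit; Records = (@($hit | ForEach-Object RecordType) -join ',') }
}
```

If the DC's cache stays empty here but fills up during the day, the workstations are reaching the DC directly: check the RODC's response time and the resolver order on a client with `Get-DnsClientServerAddress` and `ipconfig /displaydns`. If the DC's cache gains the probe during this test, the RODC forwarded to it, and the conditional forwarders (`Get-DnsServerZone -ComputerName $rodc | Where-Object ZoneType -eq 'Forwarder'`) and root hints on the RODC are the next place to look.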

Volatile Environment registry value LOGONSERVER causing authentication issues when one DC is off line

Recently, I needed to shut down one of our domain controllers. At the end of the day I logged out of the network. The next day I started my computer and logged in, but when my logon script tried to execute it froze and eventually timed out. After reviewing my system I noticed that the LOGONSERVER environment variable was pointing to the server I took offline the day before. Our network logon scripts are .bat files and use the LOGONSERVER variable throughout. I tried many times to reset that variable until I finally found it in the "Volatile Environment" registry key. Once I changed it to the DC that is accessible, I was able to successfully log on and run my script. I realize it's not often that a DC would be offline, but I would think this variable should auto-update whenever a user gets a response back from the DC that answers the call for authentication. I must have something configured incorrectly but I don't know where to go to fix this. Can you please point me in the right direction? Thank you.
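LOGONSERVER is written once, from the DC that validated the logon, and when the workstation logs on with cached credentials because that DC no longer answers, the value it writes is the stale one from the cached logon; there is no later refresh. A logon script should therefore not depend on it. The following is an added example, not from the original post: it asks the DC locator for a live DC (forcing rediscovery so the locator's own cache is bypassed), confirms the NETLOGON share answers, and otherwise falls back to the domain-based DFS path, which lets the client pick any reachable DC. It assumes a PowerShell logon script or a .bat that calls it; the same discovery is available to a plain batch file through `nltest /dsgetdc:%USERDNSDOMAIN% /force`.

```powershell
# Added example: find a DC that is actually up instead of trusting %LOGONSERVER%.
function Get-LiveDomainController {
    param([string]$Domain = $env:USERDNSDOMAIN)
    try {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
        # ForceRediscovery bypasses the locator cache that still remembers yesterday's DC.
        $dc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController(
                   [System.DirectoryServices.ActiveDirectory.LocatorOptions]::ForceRediscovery)
    } catch { return $null }
    # The locator can return a DC whose SMB shares are not reachable (firewall); verify the share.
    if (Test-Path "\\$($dc.Name)\NETLOGON") { return $dc.Name }
    return $null
}

function Get-NetlogonPath {
    # Returns the UNC path the rest of the script should use, and fixes LOGONSERVER for
    # any legacy .bat that still reads it.
    $live = Get-LiveDomainController
    if ($live) {
        $env:LOGONSERVER = "\\$live"            # same shape as the original variable
        return "\\$live\NETLOGON"
    }
    # Domain-based path: DFS referral hands the client a reachable DC of its own site.
    return "\\$env:USERDNSDOMAIN\NETLOGON"
}

$netlogon = Get-NetlogonPath
"Using $netlogon"
& "$netlogon\mapdrives.cmd"      # placeholder: whatever the existing scripts do next
```

Switching the .bat files from `%LOGONSERVER%\NETLOGON\...` to `\\%USERDNSDOMAIN%\NETLOGON\...` is the smallest change that removes the dependency entirely; the variable will still show the stale DC, but nothing will wait on it.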

Block Inheritance in Domain level

Hi,

If you right-click the domain in the GPMC console, you can see "Block Inheritance". What is the benefit of enabling Block Inheritance at domain level?

In what type of situation does Block Inheritance really help us?

Blocking Default Domain policy

Hi,

If I enable Block Inheritance at OU level, are the Default Domain Policy settings fully blocked or partially blocked?

What type of settings can be blocked and what type of settings cannot be blocked?

Example: account lockout and password policy cannot be blocked.

Even though Block Inheritance is enabled, account lockout and password policy are exempted from blocking.


Netlogon 5807 and Cross-Domain Trust AD

Hi there,

We have set up a two-way AD cross-domain trust in our environment. Everything works well.

However, I've noticed a Netlogon warning (ID 5807):

Description:
During the past 4.23 hours there have been 123450 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.

The Netlogon.log entries:
11/25 17:30:11 [6524] DomainB: NO_CLIENT_SITE: VM1 172.15.6.5
11/25 18:00:07 [2948] DomainB: NO_CLIENT_SITE: VM2 172.18.0.8
11/25 18:00:07 [6524] DomainB: NO_CLIENT_SITE: VM2 172.18.0.8
11/25 18:16:26 [6524] DomainB: NO_CLIENT_SITE: VM1 172.15.6.5
11/25 19:00:07 [1532] DomainB: NO_CLIENT_SITE: VM2 172.18.0.8

The subnets 172.15.6.* and 172.18.0.* are assigned to DomainA.

What should I do (in a way that doesn't destroy anything :) ) so that netlogon.log won't keep growing?

Best regards
Adam Erot
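Subnet-to-site mappings live in the Configuration partition and are therefore per forest: if DomainA and DomainB are separate forests joined by the trust, the subnet objects in DomainA's forest mean nothing to DomainB's DCs, and each forest needs its own subnet objects for the ranges whose clients it authenticates. Creating a subnet object is non-destructive (it only changes which DCs the locator prefers for those clients). The following is an added example, not from the original post: it summarises the NO_CLIENT_SITE lines by client IP, proposes a /24 for each, checks whether any existing subnet object in this forest already covers the address, and prints the New-ADReplicationSubnet commands for review rather than running them. The sample lines are the ones quoted in the post; point $LogPath at C:\Windows\debug\netlogon.log on the DC for real data. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example: from NO_CLIENT_SITE lines to reviewed subnet objects.
Import-Module ActiveDirectory

function Get-NoClientSiteSummary {
    param([string[]]$Lines)
    $rx = '^(?<date>\d\d/\d\d) (?<time>\d\d:\d\d:\d\d) \[(?<thread>\d+)\] (?<domain>\S+): NO_CLIENT_SITE: (?<host>\S+) (?<ip>\d+\.\d+\.\d+\.\d+)'
    $Lines | ForEach-Object {
        if ($_ -match $rx) { [pscustomobject]@{ Domain = $Matches.domain; Host = $Matches.host; IP = $Matches.ip } }
    } | Group-Object IP | ForEach-Object {
        $o = $_.Name.Split('.')
        [pscustomobject]@{
            IP       = $_.Name
            Hosts    = (@($_.Group | ForEach-Object Host | Sort-Object -Unique) -join ',')
            Count    = $_.Count
            Proposed = "$($o[0]).$($o[1]).$($o[2]).0/24"     # starting point; adjust to the real range
        }
    }
}

function Test-IPInSubnet {
    # IPv4 containment test for "a.b.c.d/n"; IPv6 subnet objects are skipped.
    param([string]$IP, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    if ($net -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }
    $toInt = { param($a) $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes(); [Array]::Reverse($b); [BitConverter]::ToUInt32($b, 0) }
    $mask  = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (((& $toInt $IP) -band $mask) -eq ((& $toInt $net) -band $mask))
}

$sample = @'
11/25 17:30:11 [6524] DomainB: NO_CLIENT_SITE: VM1 172.15.6.5
11/25 18:00:07 [2948] DomainB: NO_CLIENT_SITE: VM2 172.18.0.8
11/25 18:00:07 [6524] DomainB: NO_CLIENT_SITE: VM2 172.18.0.8
11/25 18:16:26 [6524] DomainB: NO_CLIENT_SITE: VM1 172.15.6.5
11/25 19:00:07 [1532] DomainB: NO_CLIENT_SITE: VM2 172.18.0.8
'@ -split "`n" | ForEach-Object TrimEnd

$LogPath = $null     # e.g. 'C:\Windows\debug\netlogon.log'
$lines   = if ($LogPath) { Get-Content -Path $LogPath } else { $sample }

$existing = Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
foreach ($s in Get-NoClientSiteSummary -Lines $lines) {
    $covering = $existing | Where-Object { Test-IPInSubnet -IP $s.IP -Cidr $_.Name }
    if ($covering) {
        "$($s.IP) ($($s.Hosts)): already covered by $($covering.Name) -> $($covering.Site)"
    } else {
        "# $($s.IP) from $($s.Hosts), $($s.Count) hits in the log, no subnet object in this forest"
        "New-ADReplicationSubnet -Name '$($s.Proposed)' -Site '<site name>' -WhatIf"
    }
}
```

Run the printed commands without -WhatIf once the site for each range is known; the 5807 warning is raised at most once per 24 hours and the NO_CLIENT_SITE lines stop as soon as the locator can map those addresses.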

LAPS Install: Update-AdmPwdADSchema : The requested attribute does not exist

Has anyone seen this issue before? I'm having a problem running the following command for LAPS to work, and online search gets me nowhere.

This is what I have done:

1. I'm a Schema Admin, Domain Admin and Enterprise Admin and am running the PowerShell command on the FSMO server.

2. I'm running the commands from an elevated PowerShell.

3. Running Update-AdmPwdADSchema works for the first two AddSchemaAttribute entries; the third step of Update-AdmPwdADSchema throws the error message "Update-AdmPwdADSchema : The requested attribute does not exist."

4. There are no logs I can see to tell why it's breaking.

Using GMSA Account for LDAP Bind/Search in Java Application

This question is related to Group Managed Service Accounts.

Use case:

We have customers who have configured a gMSA account for running services and connecting to SQL Server. We also have a Java-based authentication facade that connects to Active Directory to search for and authenticate users.

The customer is requesting that we use the gMSA account to do the LDAP bind when connecting to and searching Active Directory, instead of the currently provisioned service account and password.

Question/assistance/help:

Can a gMSA account be used in a Java application? I.e. can we use a gMSA account to do an LDAP bind and search from Java?

I tried a C# utility which requests the gMSA password; however, our Java bind does not work with the gMSA account and the retrieved gMSA password.

We used steps similar to those in dsinternals.com - retrieving-cleartext-gmsa-passwords-from-active-directory to get the gMSA password.

A test C# program can retrieve the gMSA password and can bind to LDAP and search users using the gMSA account and the gMSA password, all running on the same machine, which is permissioned to retrieve the gMSA password as per gMSA requirements.

However, using the same gMSA account and retrieved gMSA password does not work with Java, neither with a simple bind nor with a bind via Kerberos GSSAPI.

Again, this is running on the same machine, which is permissioned to retrieve the gMSA password.

We get the following error:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]

indicating the credential is invalid.

Any pointers much appreciated - Thank you.


Configure LDAPS TLS

Hello,

I have run into a strange scenario where an AD server requests a client certificate whenever one initiates a TLS session to reach the LDAP server.

We use hardware tokens which are PIN-protected. People using a specific application get prompted for the PIN code by their Windows workstation each time a TLS session to the LDAP server is initiated. This looks like normal behaviour: the server requests an optional certificate, and the client uses a valid PKCS#11 driver to pull a potential certificate from a token. However, the users are prompted for the PIN code every other minute and it's starting to become a problem.

Is there a way to configure the LDAP server, or maybe the Schannel library responsible for this, to NOT request a client certificate?

The DCs are Windows 2012r2 servers.
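The PIN prompt comes from the client side of the handshake: the DC sends a CertificateRequest during the TLS handshake (it accepts, but does not require, a client certificate so that certificate-mapped binds can work), and it is the application's TLS stack that decides to answer it by opening the token. The following is an added example, not from the original post: it opens a TLS session to port 636 from PowerShell without offering any certificate, records whether the server asked for one and which issuer DNs it listed, and so confirms the behaviour independently of the application. The host name is a placeholder; server certificate validation is deliberately bypassed because the point is to observe the handshake, so do not reuse that callback anywhere else.

```powershell
# Added example: observe the DC's CertificateRequest without answering it.
$dcHost = 'dc01.corp.example'     # placeholder
$script:requested = $false
$script:issuers   = @()

# Invoked by SslStream only when the server asks for a client certificate.
$selectCert = [System.Net.Security.LocalCertificateSelectionCallback]{
    param($sender, $targetHost, $localCerts, $remoteCert, $acceptableIssuers)
    $script:requested = $true
    $script:issuers   = @($acceptableIssuers)   # DNs from the CertificateRequest; may be empty
    return $null                                # send no certificate: the DC treats it as optional
}
# Diagnostic only: accept any server certificate so the handshake completes.
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

function Test-LdapsClientCertRequest {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate, $selectCert)
    try {
        $ssl.AuthenticateAsClient($Server)
        [pscustomobject]@{
            Server              = $Server
            Protocol            = $ssl.SslProtocol
            ServerCertSubject   = $ssl.RemoteCertificate.Subject
            ClientCertRequested = $script:requested
            AcceptableIssuers   = ($script:issuers -join '; ')
        }
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

Test-LdapsClientCertRequest -Server $dcHost
```

With ClientCertRequested = True and the bind still succeeding, the session above shows the DC is satisfied without a certificate. The fix for the prompts is therefore on the client: configure the application (or its LDAP library) not to offer a client certificate on this connection, or reuse one long-lived LDAP connection instead of opening a new TLS session every other minute; for a .NET client that is the `LocalCertificateSelectionCallback` returning `$null` exactly as above, for other stacks it is their equivalent "no client cert" option.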

2012 Active Directory Restore Plan Best Practice

I have one surviving VM DC in the environment that holds no FSMO roles. It's virtual.

My primary DC contains all FSMO roles (all servers are 2012) and it's dying.

1. My plan is to transfer the FSMO roles to the virtual DC.

2. Demote the old server.

3. Skip the process of restoring the other VM DCs from backup and just create new DCs and have them talk to the new virtual DC holding the FSMO roles.

4. Clear the metadata of the decommissioned DC using ntdsutil.

5. Remove references to the removed server from DNS.

6. Delete the old server from Sites and Services.

Repeat steps 4-7 for all the other VM DCs that were replaced by newly spun-up DCs.

This should avoid painful lessons and keep me in the clear with no surprises in 90 days, correct?

Or is there a painful piece of information I'm overlooking?
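The plan is sound; the pieces that usually surprise people are the verification after each step, and the fact that a clean demotion already does the metadata cleanup (step 4 is only needed for DCs that were never demoted). The following is an added example, not from the original post: it transfers and verifies the roles for step 1, then, after the demotion, hunts for everything the old DC could leave behind (its server and NTDS Settings objects, DNS records that still name it, and replication partners that still list it). Every change is run with -WhatIf so it can be reviewed first; names are placeholders, and it assumes the RSAT ActiveDirectory and DnsServer modules plus repadmin.

```powershell
# Added example: role transfer and post-demotion leftover checks for a DC decommission.
Import-Module ActiveDirectory
Import-Module DnsServer
$newDc = 'vdc01.corp.example'   # placeholder: surviving VM that gets the roles
$oldDc = 'dc01'                 # placeholder: short name of the dying DC
$zone  = 'corp.example'         # placeholder

'--- step 1: transfer all five roles (seize with -Force only if the old DC is already gone)'
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -WhatIf `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo

'--- steps 4 and 6: objects a clean demotion should have removed'
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$oldDc))" -Properties serverReference
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object DistinguishedName -like "*,CN=$oldDc,CN=Servers,*"
Get-ADComputer -LDAPFilter "(&(cn=$oldDc)(userAccountControl:1.2.840.113556.1.4.803:=8192))"   # still flagged as a DC?
# Anything listed above needs metadata cleanup: ntdsutil "metadata cleanup", or deleting the
# server object in Sites and Services, which on 2008 R2+ performs the cleanup for you.

'--- step 5: DNS records that still name the old DC'
Get-DnsServerResourceRecord -ZoneName $zone | Where-Object {
    $_.HostName -like "$oldDc*" -or
    ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$oldDc.*") -or
    ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$oldDc.*")
} | Select-Object HostName, RecordType, RecordData
Get-DnsServerResourceRecord -ZoneName "_msdcs.$zone" -RRType Srv -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.DomainName -like "$oldDc.*" } | Select-Object HostName, RecordType
Get-DnsServerResourceRecord -ZoneName "_msdcs.$zone" -RRType CName -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.HostNameAlias -like "$oldDc.*" } | Select-Object HostName, RecordType

'--- replication: nobody should still list the old DC as a source'
repadmin /replsummary
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.'Source DSA' -like "$oldDc*" -or [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Naming Context', 'Source DSA', 'Number of Failures', 'Last Failure Status'
```

Two more items for the checklist: confirm every client and every new DC has the surviving DC, not the old one, as its DNS server before the demotion (`Get-DnsClientServerAddress` on each), and run `dcdiag /v` on the surviving DC after the roles move, because a role transfer to a DC whose own replication is broken is the scenario that turns into a restore.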

