Channel: Directory Services forum

Why use nonauthoritative restore during forest recovery?


Let's say all your DCs are corrupted and unusable. You need to perform a full forest recovery.

I have been reading:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-procedures

You take all the DCs offline.

You restore a DC with system state from backup.

Why do we perform a nonauthoritative restore on the DC? I thought you do this when there are other DCs still online and working... and the recovered DC will get its updates from the online DCs. If the entire forest is gone and you restore only 1 DC... the only DC in the environment... shouldn't you set an authoritative restore? Or does it matter? I see that you do an authoritative restore on the SYSVOL, per the document above.

Can someone clarify this?


-C-


Active Directory Migration Issue


I am attempting my first Active Directory migration and having some problems Google can't help me resolve.

In order to utilize resources on the new domain ahead of the AD migration, the users have been manually created in the new AD. The idea of the migration is to:

  • Remove the old domain from use once complete, turning a PDC into a BDC
  • Migrate the users to the new domain so they do not have to remember multiple account credentials
  • Maintain Security/Distribution groups
  • Computers will be moved manually so they can be "cleaned" and standard/approved software is available.
  • Users will be migrated with a merge, meaning any attributes that are set for newdomain\User will be maintained and not overwritten; only missing attributes will be added again (because we only created them to access specific resources on the new domain)

I have two domains set up, users/groups/etc in both domains. I have created a trust and validated incoming and outgoing from each domain successfully. I made a test olddomain\User with Password123 and used ADMT to migrate the User to the new domain where newdomain\User with Password456 already existed. I then logged into a computer (still on old domain) with newdomain\username and Password456 successfully.

When I check AD it appears not one of the Security or Distribution groups was migrated along with the user. Some Googling led me to believe I should have migrated the groups first. I created a test Security group and placed this test User into the group, then attempted to migrate the group and I'm met with:

    "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied"

I tried adding the olddomain\domainadmin to my Built-In Admin group on the new domain but the error persists.

This is where I'm stuck. I'm not sure what the point of migrating these groups is if I can't migrate SIDs. Has anyone seen and overcome this error?

Upgrade additional 2008 AD server


Hi,

In our environment we have a 2012 R2 DC server with all the roles in it.

We also have a 2008 R2 server that functions as a secondary DC; we would like to upgrade it to Server 2012 R2.

Is there anything I should do except upgrading the OS?

Azure MFA with a local on-prem equipment


Hello,

We started to use Azure MFA to safeguard our 365 accounts. It works great with 365 Teams, Exchange, SharePoint, etc. However, we are in Hybrid mode and were wondering if there is a way to extend the Azure MFA to our on-prem Exchange and to login for desktops/laptops?

Is there an article or setup we can do? Thank you in advance.

Read and edit permissions for all AD User accounts ( Permission Delegation - Active Directory)


Hi,

We need to delegate "Read and edit permissions for all AD User accounts" to one of our users. Is anyone familiar with delegating these permissions?

Regards,

Mr.POP 

Admin of OU


Hello,

I have a forest with a domain that corresponds to my company.

This company is made up of several entities which have their own IT. I would like these computer scientists to be administrators of their OU.

They should also be able to be administrators of the domains of the servers in their OU, but only their OU and its children.

How to proceed?

Thanks a lot.

Security Eventlog 7470


Hi,

I have a question. The event 7470 (account lockout) is replicating to the controller with all the FSMO roles; is that normal?

I thought security events do not replicate between controllers.

Best regards 

Child domains are replication islands


Just started a new position, and in discovering the AD structure I ran across the following issue. We have 11 child domains, and 6 of those haven't replicated with the parent domain in over 2 months. 

In digging through things, the 6 affected domains had a single replication partner with the parent domain, and that domain controller was replaced due to an OS corruption where it wouldn't start. This left the child domains stranded on their own replication islands. 

Overall topology is 7 DCs in the parent domain, but only 2 of which are reachable by the child domains. Both of the DCs that are reachable have been replaced with new OSs with different names, but the same IP addresses.

Each child domain is restricted by network rules from communicating with another child domain since they are customer purposed domains. 

For example, childdc1.child1.parent.int can only reach parentdc102.parent.int and parentdc110.parent.int, but originally it only had a replication partner of parentdc101.parent.int, which is no longer available.

When childdc1.child1.parent.int attempts to replicate with parentdc101.parent.int it reaches parentdc110.parent.int, but replication fails with event 1645:

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
 
Destination directory server:
aa22c8a7-e66a-4d55-b134-30574d01c1c1._msdcs.parent.int
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/aa22c8a7-e66a-4d55-b134-30574d01c1c1/parent.int@parent.int

I've tried adding that SPN to the parent110.parent.int DC, but it gets removed, by the KDC I'm assuming.

What other ways can I try to spoof the Kerberos call from childdc1.child.parent.int to parent110.parent.int? Or how can I force the replication between the child and parent domain to use NTLMV2 instead of Kerberos for authentication?

Thanks,

Scott


Scott Monroe
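The check a practitioner would want before touching anything in the post above is whether the replication SPN that event 1645 names is actually present on the destination DC's computer object, and whether the GUID in that SPN is this DC's own NTDS Settings GUID at all. This is an added example, not code from the post or from Microsoft; it assumes the ActiveDirectory PowerShell module is available, and it uses the DC name, domain and GUID exactly as they appear in the post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module;
# the DC name, domain and GUID below are the ones quoted in the post.
Import-Module ActiveDirectory

$dcName = 'parentdc110'
$domain = 'parent.int'

# The GUID inside the E3514235-... replication SPN is the objectGUID of the DC's
# NTDS Settings object (the same GUID that labels its _msdcs CNAME record).
$dc       = Get-ADDomainController -Identity $dcName -Server $domain
$ntds     = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $domain -Properties objectGUID
$expected = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/$($ntds.objectGUID)/$domain"

# SPNs are stored on the computer account; the KDC only issues tickets for SPNs it finds there.
$computer   = Get-ADComputer -Identity "$dcName$" -Server $domain -Properties servicePrincipalName
$registered = @($computer.servicePrincipalName)

"Expected replication SPN for ${dcName}: $expected"
if ($registered -contains $expected) {
    "Registered on $($computer.DistinguishedName)"
} else {
    "NOT registered. Replication SPNs currently on the account:"
    $registered | Where-Object { $_ -like 'E3514235-*' }
}

# Compare against the GUID the failing partner asked for (copied from the event text).
$fromEvent = 'aa22c8a7-e66a-4d55-b134-30574d01c1c1'
if ("$($ntds.objectGUID)" -ne $fromEvent) {
    "The GUID in the event ($fromEvent) is not ${dcName}'s NTDS Settings GUID; " +
    "the requesting DC is resolving a different, possibly stale, NTDS Settings object."
}
```

If the second message appears, the mismatch is between the child DC's view of its replication partner and the objects that actually exist in the parent domain, which is a metadata problem to resolve on the child side rather than something to fix by adding SPNs on the parent DC.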


ADFS: Relying Party Creation


Hi guys,

I'm new to AD FS and the requirement is to use the application from a browser and a mobile app as well.

ADFS infra running 2016 & 2019.

If I create a Relying Party it is working only in the browser. How can I make the identity work with both?

I have created a Relying Party and application; the ADFS IdP redirection is not happening (HTTP error code 302) and I'm getting an error that CORS blocked it. I tried copy-pasting that SAML response into a new tab and I got the IdP page, then login was successful. After login it redirects to the application page.

Here, I don't know about the CORS block. How do I fix it?

Another query: how do I create the identity for the mobile application?

Please guide me.

Delegate permission to a user in a specific organisational unit in Active Directory 2012


Hello Dears,

We have to delegate permission to a specific IT support account in a specific organisational unit, which belongs to all of the IT support team, to enable and disable their accounts. I did all the steps for delegation of control in the IT support OU but it is not working, because all the IT members are members of another security account to have permission to join computers to the domain.

Kindly, any solution is appreciated.

FGPP is applied, but still getting drop down notifications that password is expiring


Hey guys,

I am a domain admin and have a 2012 R2 domain with Windows 10 clients (1909). We have a default domain GPO that specifies maximum password age is 90 days, but my account is also a member of an AD group that has a Fine-Grained Password Policy applied which says maximum password age is 10675199. When I log in to some web consoles, they are telling me that my account will expire in 12 days. Does anyone have any ideas what I might be missing?

I saw this with Windows 7, but was assuming it is fixed with Windows 10:

https://social.technet.microsoft.com/Forums/en-US/f3e1753d-1eff-41f4-9dd0-2cb5a41efc15/fine-grained-password-policypassword-expiration-reminder-frequency-and-custom-message?forum=winserverDS

Thanks,

Dave


Remove/demote child domain with multiple domain controllers within it


Hello,

We have four child domains.

For example:

DEV.myparent.pri

ITS.myparent.pri

OPS.myparent.pri

QAD.myparent.pri

We need to remove one of the child domains (myChildDom1.myparent.pri), which has multiple domain controllers in it.

(DC01.OPS.myparent.pri, DC02.OPS.myparent.pri, DC03.OPS.myparent.pri, DC04.OPS.myparent.pri)

Do I need to demote each DC one by one and then select "This is the last domain controller" for the last domain controller of OPS.myparent.pri,

or are there any other steps or methods I need to follow for successful removal of the child domain?

Please find the screenshot below.



Thanks , Prakash ,Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

Large number of events 5858 from WMI-Activity are appearing in the Microsoft-Windows-WMI-Activity/Operational log.


OS: Server 2012 R2 (domain controllers)

The same kind of events are appearing on all domain controllers.

Servers are physical, virtual and also in Azure.

All domain controllers are replicating properly. No issue with updating group policies.

Similar questions are asked here:
https://community.spiceworks.com/topic/418993-wmi-activity-5858-errors-on-windows-2012-server
https://social.technet.microsoft.com/Forums/windowsserver/en-US/84d42b34-6941-4b60-9908-450ef8305813/event-5858-from-wmiactivity?forum=winserver8gen
https://social.technet.microsoft.com/Forums/en-US/f912470e-7f59-49f0-896d-e9833ba98b0b/domain-controllers-do-not-sync-policies?forum=winserverGP


Is this a bug?

Event 5858, WMI-Activity ()


Id = {7D2F77DC-AF83-4741-87D0-8E17D958E58D}; ClientMachine = Hostname; User = ; ClientProcessId = 1680; Component = Unknown; Operation = Start IWbemServices::DeleteInstance - Root\Rsop\Computer : RSOP_ExtensionStatus.extensionGuid="{B087BE9D-ED37-454f-AF9C-04291E351182}"; ResultCode = 0x80041002; PossibleCause = Unknown


Process ID 1680 is pointing to svchost.exe (netsvcs).



Regards
DoFast

LAPS Active Directory schema


When trying to update the schema for LAPS, I am using the following code:

    Import-Module AdmPwd.PS

    Update-AdmPwdADSchema

I am in a Server 2019 lab environment; functional levels are both at 2016 (there is no 2019).

But I get the following error when using the Update-AdmPwdADSchema command:


Update-AdmPwdADSchema : An operation error occurred.
At line:1 char:1
+ Update-AdmPwdADSchema
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema

Does anyone know what I am doing wrong?

regards,

Johan
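The two prerequisites that most often produce a DirectoryOperationException from a schema update are running it under a token that does not contain Schema Admins and running it against something other than the schema master. The following pre-check is an added example, not code from the post or from the LAPS module's own documentation; it assumes the ActiveDirectory and AdmPwd.PS modules are installed where it runs, and it only reads the directory until the final step.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# AdmPwd.PS modules are installed on the machine running it.
Import-Module ActiveDirectory

# 1. The schema extension is written on the schema master; run the update on or near it.
$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster
"Schema master: $schemaMaster"

# 2. The calling token must contain Schema Admins (a group in the forest root domain).
#    Membership added after logon is not in the current token until you log off and on.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupNames = $token.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}
$isSchemaAdmin = $groupNames | Where-Object { $_ -like '*\Schema Admins' }
if (-not $isSchemaAdmin) {
    Write-Warning "Current token does not contain Schema Admins; add the membership and log on again."
}

# 3. Report whether the LAPS attributes already exist, so a re-run is understood as such.
$schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $found = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(ldapDisplayName=$attr)" -ErrorAction SilentlyContinue
    "{0}: {1}" -f $attr, $(if ($found) { 'present' } else { 'missing' })
}

# 4. Only then perform the update (the module cmdlet from the post).
if ($isSchemaAdmin) {
    Import-Module AdmPwd.PS
    Update-AdmPwdADSchema
}
```

Run it in an elevated session on the schema master itself (or a machine in the forest root domain that can reach it); the attribute check in step 3 is also the quickest way to confirm afterwards that the extension actually landed.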

Event id 16969 on a 2019 DC


After promoting to a 2019 DC I see warnings with event ID 16969:

6 remote calls to the SAM database have been denied in the past 900 seconds throttling window.

Is this something I should worry about? Should I add "Domain Users" and "Domain Computers"?

There is a new registry setting on the 2019 DC: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteS = O:BAG:BAD:(A;;RC;;;BA) that is not controlled by GPO.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls


Question: admins in the built-in Administrators group getting kicked out randomly in Active Directory

Good morning guys. Recently I've been having issues where some of our users who were members of the built-in Administrators group in Active Directory keep getting randomly kicked out of the group. What I've been doing is heading into the admin server and re-adding the administrators to the group and then pressing Apply after I add them (do I also have to run a gpupdate?), and then after a while I go back to check and they are removed from the Administrators group again. I have checked in the audit logs and it seems to be kicking them off, but no one in my department is going in there and removing users.

Another thing that has happened is our domain users are no longer administrators on their own devices, so they can't access Task Manager, for example, without having to input administrative credentials. How can I fix this issue? Also, when I try to make a user a domain administrator on that device I get access denied. We recently had to reboot our servers and had an AD sync; not sure if either of those could cause a problem. Thanks in advance for your help.
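When members keep disappearing from a group and the audit log already shows the removals, the useful next step is to pull those removal events with their subject fields, because the account that performed the removal tells you whether a person, a scheduled process, or policy enforcement is responsible. The script below is an added example, not code from the post; it assumes "Audit Security Group Management" is enabled, that the caller can read the target machine's Security log, and it uses a placeholder host name.

```powershell
# Added example (not from the original post). Assumes group-management auditing is
# enabled and the caller can read the remote Security log. $target is a placeholder.
$target = 'DC01.example.local'   # placeholder; point at a DC for domain groups,
                                 # or at a workstation for its local Administrators group

# Member-removed events, by group scope:
#   4729 = security-enabled global group
#   4733 = security-enabled local group (Builtin\Administrators is domain-local)
#   4757 = security-enabled universal group
$removalIds = 4729, 4733, 4757

$events = Get-WinEvent -ComputerName $target -FilterHashtable @{
    LogName   = 'Security'
    Id        = $removalIds
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Flatten the EventData XML into named fields so the subject and target are readable.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Group     = $data['TargetUserName']
        Member    = $data['MemberName']
        RemovedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId   = $data['SubjectLogonId']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Quick triage: removals performed by a machine account (name ending in $) rather than
# a person point at automated enforcement such as Group Policy rather than an operator.
$rows | Where-Object { $_.RemovedBy -like '*$' } |
    Group-Object Group | Select-Object Name, Count
```

Querying the same event IDs on an affected workstation (with $target set to that host) covers the second half of the post, since the local Administrators group there is event 4733 in that machine's own Security log.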

Domain Controller Access

How do I give a monitoring tool's service account access to the DC Event Viewer only?

Domain Administrator For local machine


Happy Friday! Recently I ran into a problem. We had our users as members of the Administrators group under their domain names. And we recently had an Azure AD sync issue where it stopped working. After we fixed the issue for the AD sync, I think it kicked out the domain users from the administrative groups. This has caused members to not be able to access certain things like Add and Remove Programs, etc.

1. Why could that have happened?

2. Is there a way I can add my members' domain accounts back to the Administrators group?

And when I try to add a member back to the administrative group I get this following message:

"The following error occurred while attempting to save properties for group administrators on computer *Computer* Access is denied"

*Using a domain admin account to try and add a domain account as a member of the administrative group on the local machine.


"Access denied" - Azure AD Connect Group Writeback


Hi,

My Active Directory has an MSOL user; the user has full privileges (temporarily, to be sure). MSOL is a synchronised account.

I get a "permission denied" error (all details shown in screenshots):

Err1.png ACTIVE AD CONNECT

MSOL FIGURES HERE.

Err2.png ERROR AT SYNCHRO SERVICES

ERROR "ACCESS DENIED".

Err3.png Validate Object Against Schema - attributes missing (samaccountname, cn) (but in MSOL exists)

Because of the message from this forum "Body text cannot contain images or links until we are able to verify your account." I will upload images after verification.

Any ideas?


Lost a single DC and the other domain controllers have no idea what to do


I just lost a DC out of 3 total and eventually managed to get a backup, only it doesn't match the database because it changed its name.

I tried repairing the trust (Test-ComputerSecureChannel -Repair) but it can't be done because it can't find the computer's account. I brought up a new server and tried joining it to the network to promote it, but it cannot contact the domain even though two domain controllers are online. They even seem to replicate (repadmin /syncall) with each other, both saying one is offline. I cannot open AD Sites and Services to clean up because neither of the online DCs can connect to the domain.

One of the domain controllers can connect to itself and therefore to the domain using ntdsutil, but when I try to seize roles, not only does it have them all, allegedly, but it thinks its name is the domain name, as in the TLD, like "example.com" without the host part. It is really confusing; this hadn't happened before. It wasn't long ago that I got the third DC for exactly this, yet it happened just the same.

DNS was replicating fine; there were no issues with domains, accounts, address resolution or with computers joining and discovering things in the domain successfully, but the moment a single DC falls down it becomes apparent that that one could have been doing the work for the rest. It had been off before for quick reboots from updates and such, but things like DNS kept working with the other two online.

What could be the reason for this? What is the best way to recover data: should I recover from the much older data from the DC with the wrong name, or from one of the two working DCs that somehow think they can't run a domain by themselves with the other one?? I know it's something like an authoritative restore; I haven't had these issues in forever. I don't mind losing a month or two of data as long as it's not everything. I think I just need to ID the proper DC first. I'm rambling now.

Thanks for your help, I'm really panicking a bit here.


I bet you think this post is about you. Don't you…don't you. ♪
