Channel: Directory Services forum

Computer object and removing computer from domain


Hello fellow techs, I hope I am in the correct forum. If not, I apologize!

In the past, when I removed computers from the AD domain, after restarting the computer and some time later, the computer account/object would be disabled. I have recently been managing a 2019 domain and I don't see this process taking place; the computer account is still enabled. I thought it was replication and have left the accounts overnight.

Has this behavior changed, or is there a setting that must be configured?

I appreciate your feedback.

Hamid


Regards, H a m i d A z e e z


Deleted SPNs keep coming back

I have several duplicate SPNs associated with one of my DCs. I have deleted each of them multiple times, using both setspn -D and ADSIedit, but after a few minutes these SPNs all re-appear. How can I permanently delete them? Where do they come from? In case it's relevant, I renamed one of my DCs: it was named "Blue", now named "Green", to make way for a new server named "Blue." The problem is that server Green still has several "Blue" SPNs in addition to the "Green" SPNs, and those Blue SPNs conflict with the Blue SPNs on the new server Blue. The duplicates are not creating any obvious problems except for Kerberos error events logged in the System log on the new server Blue.

New field in Active Directory


Hi All,

I want to add a new field in the user properties under the Organization tab.

Attribute name: division

This division attribute is already available in the Attribute Editor, but I want to add it as a division field under the Organization tab.

Please help.

Group Policy Priority issue


Hi, 

We have an OU called NewPCs.

There is a GP linked to NewPCs that disables Remote Desktop connections and it is marked as enforced.

Under NewPCs there is another OU called ABVM

There is a GP linked to ABVM that Enables Remote Desktop connections and it is marked as enforced.

I expect that the GP applied to the more specific OU would have the highest priority and that remote desktop would be enabled for computers in the ABVM OU.

However, remote desktop is being disabled by GP.

Does anyone know what is going on with this?

This exact same hierarchy works flawlessly in other OUs, so I have no idea why it isn't working here.

wallpaper GPO


Dear All,

I have applied a GPO that changes the wallpaper on my workstations in the domain. The policy works fine when the workstation is connected to the network. Then I disconnect the laptop from the network and log in to the computer with the offline profile, and the wallpaper does not show. What is the problem?



Read and edit permissions for all AD User accounts ( Permission Delegation - Active Directory)


Hi,

We need to delegate "Read and edit permissions for all AD User accounts" to one of our users. Is anyone familiar with delegating these permissions?

Regards,

Mr.POP 

Domain trust and user credentials


Hi everyone,

I am looking for a theoretical answer to the following question:

Imagine we have two independent domains A and B.

A trusts B; there is a one-way trust where A is the trusting (resource) domain and B is the trusted (account) domain.

The workstation W is joined to domain A. So W is a part of the domain A.  

Q:

Can a user managed by domain B log in to the workstation W with his B credentials?

Opinion on running 2016 & 2012 Active Directory in the environment


Hi Experts,

Currently we are running our primary and secondary DCs on Windows Server 2016 and would like to add a 2012 server as a 3rd DC. The reason is to utilize the local administrator account management policies, which are not available in 2016 & 2019; those versions support LAPS, which is a good solution, but since the program shows up in Add/Remove Programs I personally don't feel like using it.

Recently I installed 2008 R2 as a 3rd DC and deployed the local admin account management policy, and it worked fine. Considering this, I linked it to domain computers; since then the policy has not affected even a single workstation. I checked RSoP and it shows as applied, but it is not taking effect. I am not sure what went wrong, so I need to try 2012 for this option.

Kindly advise if I can run both 2016 & 2012 DCs in the environment.

Thanks in advance


DHCP Service Not Issuing IP Addresses


Hello,

This is to request some guidance.

I have a default scope on my DC server and it is already leasing IP addresses.

I have created a new subnet in my network for users, and I have created a scope for it on the same DHCP server, but it's not leasing or giving out IPs.

Please advise.

Thanks and Regards,

Ronald.

Cross Domain Migration 2003 to 2012


Hi,

I've got a 2003 domain with 2 DCs (2003 SP2) which needs to be migrated to another forest. The target forest has 2012 R2 DCs with 2003 domain and forest functional levels. The forests have DNS and a two-way trust set up between them.

I'm after a step by step guide on how to migrate users, computers and required resources from the 2003 forest to the newer forest with 2012 DCs. Ideally, I'd like to do this with free tools such as ADMT.

Please can someone advise?

Thanks

 


IT Support/Everything

Groups Missing from DC Local Administrators Group


After rebooting for this month's security updates, we're unable to log on to our DCs with our Domain Admin accounts, either via RDP or locally. We get a message that says "the user has not been granted the requested logon type at this computer". I discovered that the local Administrators group on the DCs no longer contains the Domain Admins or Enterprise Admins groups, but it does contain the local administrator account. I'm aware that I can manually run a command to add those groups back, but is that the best approach to resolve this? Also, if I add a group to the local admins on one DC, will that replicate to all DCs?

Some details:
We're running all Windows Server 2012 R2 DCs at 2008 R2 forest and domain functional levels. We have a hub and spoke topology. Replication appears to be working.

We're still able to manage the domain with our Domain Admin accounts via mmc from other hosts, so this seems to only affect local authentication to DCs.

Gpresult doesn't show any GPOs manipulating the local Administrators group.

Volatile Environment registry value LOGONSERVER causing authentication issues when one DC is offline


Recently, I needed to shut down one of our domain controllers. At the end of the day I logged out of the network. The next day I started my computer and logged in, but when my logon script tried to execute it froze and eventually timed out. After reviewing my system I noticed that the LOGONSERVER environment variable was pointing to the server I took offline the day before. Our network logon scripts are .bat files and use the LOGONSERVER variable throughout. I tried many times to reset that variable until I finally found it in the "Volatile Environment" registry key. Once I changed it to the DC that is accessible, I was able to successfully log on and run my script. I realize it's not often that a DC would be offline, but I would think this variable should auto-update whenever a user gets a response back from the DC that answers the call for authentication. I must have something configured incorrectly, but I don't know where to go to fix this. Can you please point me in the right direction? Thank you.

DFS Domain Migration


Forgive me if I put this question in the wrong forum.

We are currently in the middle of a domain migration. We are migrating all of our servers and systems from one domain to another. It is time to migrate our DFS server, but I know it is not just a matter of joining it to the new domain. Does anybody have any ideas on how to go about this without having to reinvent the whole wheel?

I will have to migrate DFS from domain.xyz to domain.com.

thanks.

Child domains are replication islands


I just started a new position, and in discovering the AD structure I ran across the following issue. We have 11 child domains, and 6 of those haven't replicated with the parent domain in over 2 months.

In digging through things, the 6 affected domains had a single replication partner with the parent domain, and that domain controller was replaced due to an OS corruption where it wouldn't start. This left the child domains stranded on their own replication islands. 

The overall topology is 7 DCs in the parent domain, only 2 of which are reachable by the child domains. Both of the DCs that are reachable have been replaced with new OS installs with different names, but the same IP addresses.

Each child domain is restricted by network rules from communicating with any other child domain, since they are customer-purposed domains.

For example, childdc1.child1.parent.int can only reach parentdc102.parent.int and parentdc110.parent.int, but originally it only had a replication partner of parentdc101.parent.int, which is no longer available.

When childdc1.child1.parent.int attempts to replicate with parentdc101.parent.int it reaches parentdc110.parent.int, but replication fails due to event 1645:

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
 
Destination directory server:
aa22c8a7-e66a-4d55-b134-30574d01c1c1._msdcs.parent.int
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/aa22c8a7-e66a-4d55-b134-30574d01c1c1/parent.int@parent.int

I've tried adding that SPN to the parent110.parent.int DC, but it gets removed, by the KDC I'm assuming.

What other ways can I try to spoof the Kerberos call from childdc1.child.parent.int to parent110.parent.int? Or how can I force the replication between the child and parent domain to use NTLMv2 instead of Kerberos for authentication?

Thanks,

Scott


Scott Monroe
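As an added example (not from the post or from Microsoft), a small Python parser for the event 1645 text quoted above: it pulls out the destination DSA GUID and the SPN, checks that the SPN follows the DRS replication SPN format (fixed service-class GUID / NTDS Settings objectGUID / domain@realm, as registered in the servicePrincipalName of the target DC's computer account) and that the SPN's GUID matches the destination DSA named in the same event. The sample event text is the one from the post, embedded as a constant; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Service class used by every AD replication (DRS) SPN.
REPLICATION_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# Constructed sample: the event 1645 text from the post above.
SAMPLE_EVENT_1645 = """Active Directory Domain Services did not perform an authenticated remote
procedure call (RPC) to another directory server because the desired service
principal name (SPN) for the destination directory server is not registered on
the Key Distribution Center (KDC) domain controller that resolves the SPN.

Destination directory server:
aa22c8a7-e66a-4d55-b134-30574d01c1c1._msdcs.parent.int
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/aa22c8a7-e66a-4d55-b134-30574d01c1c1/parent.int@parent.int
"""


def parse_event_1645(text: str) -> Optional[Dict[str, str]]:
    """Extract the destination DSA GUID, forest DNS name and the SPN parts."""
    dest = re.search(rf"Destination directory server:\s*({GUID})\._msdcs\.(\S+)", text)
    spn = re.search(rf"SPN:\s*({GUID})/({GUID})/([^@\s]+)@(\S+)", text)
    if not dest or not spn:
        return None
    return {
        "dsa_guid": dest.group(1).lower(),   # NTDS Settings objectGUID of the target DC
        "forest": dest.group(2).lower(),     # zone the <guid>._msdcs CNAME lives in
        "spn_class": spn.group(1).upper(),
        "spn_guid": spn.group(2).lower(),
        "spn_domain": spn.group(3).lower(),
        "spn_realm": spn.group(4).lower(),
    }


def check_replication_spn(fields: Dict[str, str]) -> List[str]:
    """Return the inconsistencies a defender would want flagged (empty list = consistent)."""
    problems = []
    if fields["spn_class"] != REPLICATION_SPN_CLASS:
        problems.append("service class is not the DRS replication class")
    if fields["spn_guid"] != fields["dsa_guid"]:
        problems.append("SPN GUID does not match the destination DSA GUID")
    return problems


def expected_replication_spn(dsa_guid: str, domain: str) -> str:
    """Build the replication SPN a DC with this NTDS Settings GUID must have registered."""
    return f"{REPLICATION_SPN_CLASS}/{dsa_guid.lower()}/{domain.lower()}@{domain.lower()}"
```

The GUID in the event identifies the DC the child still targets (here the decommissioned partner); a replacement DC carries its own NTDS Settings GUID, so the SPN from the event is not the one a live replacement DC would register.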

AD 2019 and XP clients


Hello everyone,

I have a domain on Windows Server 2019 with forest and domain functional levels of 2012.

I have tried to join XP client computers to the domain, but it gives me "internal error". I have enabled SMB1 on the DCs and it still doesn't work.

Would it be possible to add those XP computers in the domain?

Thank you.


LDAP certificate question


Hi,

So I heard there are one-way and two-way SSL certificates for LDAP. When you request a certificate, do you need some special parameters for this, or is the one-way/two-way function more about how the LDAP client and LDAP server behave?

For this example:

A web application authenticating to AD via LDAP: what certificate should this be, one-way or two-way?

In a domain forest with a few sites, how can a client ping the domain name and have DNS return only the DCs of the local site, not the DCs of an external site?



For example, I have an AD domain, a.com, and two sites: Site A and Site B.

Site A has DCs DC01.a.com and DC02.a.com; Site B has DCs DC03.a.com and DC04.a.com.

AD replicates between DC01 and DC03 as a bridge. Other machines in Site A can't connect to Site B, and the same goes for Site B's machines.

A client in Site A that pings a.com should only get back the DC01 and DC02 IP addresses.

Is that feasible? If yes, how do I do it?

Demotion of 2016 Domain controller from Sites and Services


Hello Experts,

We have multiple 2016 Domain Controllers.

We have demoted one DC from the GUI and it was successful, but after removal of the DC, it still shows in Sites and Services.

So, any idea why it's not deleted from Sites and Services?

Did I miss any steps for demotion ?

Thanks for your help.


Thanks, Prakash. Please Note: My posts are provided "AS IS" without warranty of any kind, either expressed or implied.


Password hash synchronization agent is continuously getting RPC error from domain ""

When a user's password is changed in on-prem AD, it is not reflected in Office 365.

I ran the AADC troubleshooter and got these errors:

------------------------------------------start---------------------------------------------------------

AD Connector - abc.ad

Password Hash Synchronization is enabled

Latest Password Hash Synchronization heartbeat is detected at: 05/21/2020 09:19:18 UTC

        Directory Partitions:

        =====================

        Directory Partition - abc.ad

        Password Hash Synchronization agent is continuously getting failures for domain "abc.ad"

        Please check 611 error events in the application event logs for details

        The latest 611 error event for the domain "abc.ad" is generated at: 05/21/2020 09:37:26 UTC

        Password Hash Synchronization agent is continuously getting RPC errors from domain "abc.ad"

        Please setup reliable preferred domain controllers. Please see "Connectivity problems" section at https://clicktime.symantec.com/3RkdZT5JN8p6wng3WtLAJGz7Vc?u=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D847231

        Please check 611 error events in the application event logs for details

        The latest RPC error event for the domain "abc.ad" is generated at: 05/21/2020 09:37:26 UTC

        Last successful attempt to synchronize passwords from this directory partition started at: 5/21/2020 9:03:09 AM UTC and ended at: 5/21/2020 9:03:10 AM UTC

        Only Use Preferred Domain Controllers: False

        Checking connectivity to the domain...

        Domain "abc.ad" is reachable

        Directory Partition - child.abc.ad

        Last successful attempt to synchronize passwords from this directory partition started at: 5/21/2020 9:37:26 AM UTC and ended at: 5/21/2020 9:37:26 AM UTC

        Only Use Preferred Domain Controllers: False

        Checking connectivity to the domain...

        Domain "child.abc.ad" is reachable

-------------------------------------end------------------------------------------------------------------------------------------

Below is the error from Event Viewer, Event ID 611:

------------------------------------start--------------------------------------------------------------------------

System 

  - Provider 

   [ Name]  : Directory Synchronization 
 
  - EventID : 611 

   [ Qualifiers]  : 0 
 
   Level : 2 
 
   Task : 0 
 
   Keywords : 0x80000000000000 
 
  - TimeCreated 

   [ SystemTime]  : 2020-05-21T04:33:31.498363500Z 
 
   EventRecordID : 364538 
 
   Channel : Application 
 
   Computer : aadc-server 
 
   Security 
 

- EventData 

   Password hash synchronization failed for domain: abc.ad, domain controller hostname: dc01.child.abc.ad, domain controller IP address: xxx.xxx.xxx.xxx. Details: Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8465 : The replication synchronization attempt failed because a master replica attempted to sync from a partial replica. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName) at Microsoft.Online.PasswordSynchronization.RecoveryTask.<>c__DisplayClass9_0.<RetrieveObjectChangesFromAD>b__1(IDrsConnection c) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy) at Microsoft.Online.PasswordSynchronization.RecoveryTask.RetrieveObjectChangesFromAD(List`1 retryObjects) at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud() --- End of inner exception stack trace --- at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud() at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets() at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain() at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext) Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. 
---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8465 : The replication synchronization attempt failed because a master replica attempted to sync from a partial replica. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName) at Microsoft.Online.PasswordSynchronization.RecoveryTask.<>c__DisplayClass9_0.<RetrieveObjectChangesFromAD>b__1(IDrsConnection c) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy) at Microsoft.Online.PasswordSynchronization.RecoveryTask.RetrieveObjectChangesFromAD(List`1 retryObjects) at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud() --- End of inner exception stack trace --- at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud() at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets() at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain() at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext) . <forest-info><partition-name>abc.ad</partition-name> <connector-id>6d0e17a4-f299-47a7-af40-4f536ccbfda2</connector-id> </forest-info> 


LDAP to AD, successfully authenticates with incorrect password


Hello,

I have an issue with our AD: when I use the LDAP tool and try to authenticate with the full UPN and an incorrect password, it successfully authenticates.

Example 1

user@company.co.uk and incorrect password = authenticates successfully

Example 2

user and incorrect password = authentication fails

When you use the full UPN with LDAP it seems to authenticate successfully. Any ideas why this is happening?


