Upgrading FRS to DFS
Applocker logs(Exe and dll) are not generated in Eventviewer after adding a registry key for Microsoft-Windows-AppLocker/EXE and DLL in regedit
I am happy if someone takes this issue.
I am able to see AppLocker/EXE and DLL logs in Event Viewer. But when I created new registry keys "Microsoft-Windows-AppLocker/EXE and DLL" in "HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Service > eventlog", the latest events no longer come to Event Viewer - Applications and Services Logs - Microsoft - Windows - AppLocker - EXE and DLL.
I have tried this for other event sources by creating a registry key based on the log name; there I am able to see the latest events.
My question is:
How do I set things up to get the latest AppLocker EXE and DLL events after creating a new registry key (Microsoft-Windows-AppLocker/EXE and DLL) in the above-mentioned path?
Thanks in advance.
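A quick way to check the state of that channel from PowerShell, as an added example (not part of the original post): it reads the channel configuration, pulls the last 24 hours of AppLocker EXE/DLL events (IDs 8002 allowed, 8003 audit-only, 8004 blocked) and extracts the file path and rule name from each event's UserData XML. It assumes AppLocker is configured on the host and the Application Identity service (AppIDSvc) is running; the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original post): inspect the AppLocker "EXE and DLL" channel
# with the event log cmdlets to see whether it is enabled and still receiving events.
$channel = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Channel configuration: IsEnabled should be True and LastWriteTime should be recent.
Get-WinEvent -ListLog $channel |
    Select-Object LogName, IsEnabled, RecordCount, LastWriteTime, LogFilePath, MaximumSizeInBytes |
    Format-List

# AppLocker EXE/DLL event IDs: 8002 = allowed, 8003 = audit-only (would have been blocked), 8004 = blocked.
$ids = 8002, 8003, 8004
$recent = Get-WinEvent -FilterHashtable @{
        LogName   = $channel
        Id        = $ids
        StartTime = (Get-Date).AddHours(-24)   # window is an assumption
    } -ErrorAction SilentlyContinue

if (-not $recent) {
    Write-Warning "No AppLocker EXE/DLL events in the last 24 hours; check the channel state above and the AppIDSvc service."
    return
}

# The interesting fields live in the event's UserData XML (RuleAndFileData), not in Properties[].
$recent |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Outcome  = switch ($_.Id) { 8002 { 'allowed' } 8003 { 'audit' } 8004 { 'blocked' } }
            User     = $data.TargetUser
            FilePath = $data.FilePath
            Rule     = $data.RuleName
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If IsEnabled is False or RecordCount stops growing while the service is running, the channel itself is the thing to look at rather than the rules.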
dfsrmig /getglobalstatus is "eliminated" and stops sysvol share on RWDC
Hi all.
I have two Domain Controllers with 2012 R2 (DC1 and DC2), both RWDC. I have the need to create another server with Win 2019, but for this I have to change the replication technology from FRS to DFS.
So, I ran the commands on the existing AD: "dfsrmig /setglobalstate 1", after that "dfsrmig /setglobalstate 2", "dfsrmig /setglobalstate 3".
After that, I ran "dfsrmig /getglobalstate" and the result was "Eliminated" and "completed successfully".
With the command "dfsrmig /getmigrationstate" the result is: "Migration has not reached a consistent state on all Domain Controllers. State information might be stale due to AD latency."
All the users lost connectivity to resources that need AD authentication. I tried to repeat the process, but it is not possible. It gives me the message "Invalid state change requested".
I'm very worried about this. Can anyone help me, please? What can I do to get it working again?
Thank you.
My user account is locked out automatically in a couple of minutes again and again after I unlock it.
ldap certiciate question
Hi,
So I heard there are one-way and two-way SSL certificates for LDAP. When you request a certificate, do you need some special parameters for this, or is the one-way/two-way function more about how the LDAP client and LDAP server behave?
For this example:
web application authenticating to AD via ldap, what certificate should this be? one-way or two-way?
web application connecting to DC via ldap
We have a web application on the internet and we want to use our on-premise Active Directory domain controller for authentication via LDAP when logging in to the application. Can it be done? Or do we need third-party software to interface between our web app and Active Directory, since the web app is public and the DC is private?
Error on AD itself!!! Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running
I'm trying to run a simple PowerShell command to grab a list of computers.
The weird part is: I'm running a PowerShell instance with full administrative privileges, and on the DC/AD itself!!!
How can I see an error like that, running the command on AD/DC itself?
So, the error is:
Get-ADComputer : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
At line:1 char:1
+ Get-ADComputer -filter {Enabled -eq $True} -properties Name,Enabled,O ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [Get-ADComputer], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
The weird part is:
When using the cmdlet with screen output (no text output), it only shows a few computers at a time; let's say it shows 10, waits a little moment, 10 more, and so on.
No matter how, exporting CSV, TXT or to screen, it's very slow.
The cmdlet
Get-ADComputer -filter {Enabled -eq $True} -properties Name,Enabled,OperatingSystem,OperatingSystemVersion,IPv4Address,Created,LastLogonDate,Modified,whenCreated,PasswordLastSet,lastLogonTimestamp,Description | ft Name,Enabled,OperatingSystem,OperatingSystemVersion,IPv4Address,Created,LastLogonDate,Modified,whenCreated,PasswordLastSet,@{Name="LastLogonTimeStamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd')}},Description
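Before blaming the cmdlet, the checks I would run on the DC itself, as an added example (not code from the original post): confirm the ADWS service is running and TCP 9389 answers, then run the same query pinned to that DC with an explicit -Server and a larger -ResultPageSize (the default page size is 256 objects). It assumes the ActiveDirectory module and Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7); $Server defaults to the local machine because the post names no DC, and the output path is an assumption.

```powershell
# Added example (not from the original post): check ADWS reachability, then run the query
# against one named DC with explicit paging.
Import-Module ActiveDirectory

$Server = $env:COMPUTERNAME   # the DC this runs on; replace with a DC FQDN if run elsewhere (assumption)

# 1. Get-AD* cmdlets talk to the Active Directory Web Services service (ADWS), not to LDAP directly.
$adws = Get-Service -Name ADWS -ComputerName $Server -ErrorAction SilentlyContinue
if (-not $adws -or $adws.Status -ne 'Running') {
    Write-Warning "ADWS is not running on $Server (status: $($adws.Status)); Get-ADComputer cannot work without it."
}

# 2. ADWS listens on TCP 9389; a host firewall or a stopped service shows up here.
$tcp = Test-NetConnection -ComputerName $Server -Port 9389 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 9389 to $Server is not reachable; check the ADWS service and the host firewall."
}

# 3. Same attribute set as the post, pinned to one DC and paged 1000 objects at a time
#    (the default of 256 is why results arrive in small batches on screen).
$props = 'OperatingSystem', 'OperatingSystemVersion', 'IPv4Address', 'Created', 'LastLogonDate',
         'Modified', 'whenCreated', 'PasswordLastSet', 'lastLogonTimestamp', 'Description'

Get-ADComputer -Server $Server -Filter 'Enabled -eq $true' -Properties $props -ResultPageSize 1000 |
    Select-Object Name, Enabled, OperatingSystem, OperatingSystemVersion, IPv4Address, Created,
        LastLogonDate, Modified, whenCreated, PasswordLastSet,
        @{ Name = 'LastLogonTimeStamp'; Expression = {
            # lastLogonTimestamp is null on computers that never logged on; FromFileTime(0) would give 1601
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd') }
        } },
        Description |
    Export-Csv -Path '.\ad-computers.csv' -NoTypeInformation   # output path is an assumption
```

IPv4Address is resolved through DNS per object, which is slow on a large domain; dropping it from -Properties is the first thing to try if the export still crawls.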
configured ISCSI with one Virtual disk and asign to 3 servers initiator
I have configured iSCSI with one virtual disk and assigned it to 3 server initiators (server1, server2, server3).
I copied a file to server1, then when I go to server2 and server3 they don't see the file. Sometimes I need to take the disk offline on server2 and server3 and then bring it online again to see the file.
Does anyone know what is wrong?
WiFi Authentication With Active Directory
Hi Team,
I want to deploy WiFi authentication with Active Directory; below is the information.
1. WiFi authentication from Active Directory.
2. I will specify a time (it will remain connected 2 or 3 hours), then it will auto-disconnect.
3. Need networking presentation details.
Please advise and share the MS documentation link.
How to cluster Web Application Proxy?
Hi,
I'm trying to figure out how to cluster WAP. Where do I start? What would be the steps? How do I make WAP highly available?
Thank you!
AD Users and Computers Hang
Hello,
When I try to unlock a user account or reset a password, the user properties window hangs and takes about 3 minutes to apply the change.
This is a child domain, containing 3 sites.
Every site has 2 DCs.
The issue is only at one of the sites, at both DCs.
Unexpected switch at this level
Hi,
We are seeing event 2213 on our Server 2012 DC that has the 5 FSMO roles. We have 5 DCs in our domain, 2 in the same site and the rest in a different site.
The event viewer says run this command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="32D935BE-37DF-11E2-93E7-806E6F6E6963" call ResumeReplication
I ran this command from PowerShell as admin and got the message:
Unexpected switch at this level
Should I run the command from the command prompt? Or does the above message have another meaning?
Thanks
Shahin
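The same ResumeReplication call expressed with the CIM cmdlets instead of wmic.exe, as an added example (not from the post above): PowerShell's own parser then handles the namespace, filter and method call, so no wmic switch parsing is involved. The volume GUID is the one quoted in the post's event text; the namespace, class and method names are those the event itself names.

```powershell
# Added example (not from the original post): call DfsrVolumeConfig.ResumeReplication through CIM.
# Run in an elevated PowerShell on the DC that logged event 2213.
$volumeGuid = '32D935BE-37DF-11E2-93E7-806E6F6E6963'   # GUID from the post's event text

# WQL string comparison is case-insensitive, so the GUID's letter case does not matter here.
$volume = Get-CimInstance -Namespace 'root/microsoftdfs' -ClassName 'DfsrVolumeConfig' `
                          -Filter "VolumeGuid = '$volumeGuid'"
if (-not $volume) {
    throw "No DfsrVolumeConfig instance found for volume $volumeGuid on $env:COMPUTERNAME"
}

# Show the matching instance before touching it.
$volume | Format-List

# Resume replication on that volume; ReturnValue 0 means the call succeeded.
$result = $volume | Invoke-CimMethod -MethodName 'ResumeReplication'
"ResumeReplication on $volumeGuid returned $($result.ReturnValue)"
```

After the call, event 2214 in the DFS Replication log confirms that replication on the volume resumed.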
upgrade additional 2008 ad server
Hi
In our environment we have 2012 r2 DC Server with all the roles in it
We also have a 2008 R2 server that functions as a secondary DC; we would like to upgrade it to Server 2012 R2.
Is there anything I should do except upgrading the OS?
Errors
Error 1
A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Error 2
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
NTLM is a weaker authentication mechanism. Please check:
Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
Error 3
The WinRM service failed to create the following SPNs: WSMAN/WIN-5QDUAHBF4SG.projectok.com; WSMAN/WIN-5QDUAHBF4SG.
Additional Data
The error received was 8344: %%8344.
User Action
The SPNs can be created by an administrator using setspn.exe utility.
Error 4
The EDS Job manager failed to start the following jobs:
Job: 'PFAssistantLog' creation failed.
Job: 'OwaClientLog' creation failed.
Job: 'OwaClientLocation' creation failed.
Job: 'OAuthCafeLog' creation failed.
Job: 'OABDownloadLog' creation failed.
Job: 'MRSAvailabilityLog' creation failed.
Error 5
An exception occurred during ADFilteringSettingWatcher.Start. Message='System.ApplicationException: Could not setup AD Change Handler
at Microsoft.Forefront.ActiveDirectoryConnector.ADFilteringSettingsWatcher.Start()'
Error 6
Process ForefrontActiveDirectoryConnector.exe (PID=4584). WCF request (Get Servers for projectok.com) to the Microsoft Exchange Active Directory Topology service on server (TopologyClientTcpEndpoint (localhost)) failed. Make sure that the service is running.
In addition, make sure that the network ports that are used by Microsoft Exchange Active Directory Topology service are not blocked by a firewall. The WCF call was retried 3 time(s). Error Details
System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:890/Microsoft.Exchange.Directory.TopologyService. The connection attempt lasted for a time span of 00:00:02.0056424. TCP error code 10061: No connection could be made
because the target machine actively refused it 127.0.0.1:890. ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:890
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at System.ServiceModel.ICommunicationObject.Open()
at Microsoft.Exchange.Net.ServiceProxyPool`1.GetClient(Int32 retry, Boolean& doNotReturnProxyAfterRetry, Boolean useCache)
at Microsoft.Exchange.Net.ServiceProxyPool`1.TryCallServiceWithRetry(Action`1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception)
AND MANY MORE.....
Main error
Exchange server services are not starting after reboot. I want to start automatically.
lingering objects issue in AD
Hi Team,
I am facing a lingering objects issue, but I am unable to delete the lingering objects in the path below. Please help.
Path:
CN=Deleted Objects,CN=Configuration,DC=test,DC=local
Source domain controller:
14090997-c0b3-4732-9332-e572beb0c820._msdcs.test.local
Object:
CN=DC03\0ADEL:a818857b-a342-44cf-ac87-578c59284be7,CN=Deleted Objects,CN=Configuration,DC=test,DC=local
Object GUID:
a818857b-a342-44cf-ac87-578c59284be7
This event is being logged because the source DC contains a lingering object which does not exist in the local DC's Active Directory Domain Services database. This replication attempt has been blocked.
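A dry run of the standard cleanup for this situation, as an added example (not from the post): repadmin /removelingeringobjects in advisory mode compares the named partition on the DC that still holds the object against a DC known to be clean and only reports what it would delete, writing event 1946 per object to the Directory Service log. The naming context is the one from the event; $dcToClean and $referenceDc are placeholders, because the post identifies the source DC only by its DSA GUID (14090997-c0b3-4732-9332-e572beb0c820) and names no reference DC. It assumes the ActiveDirectory module and repadmin.exe (RSAT) on the machine running it.

```powershell
# Added example (not from the original post): advisory-mode lingering object check with repadmin.
Import-Module ActiveDirectory

$dcToClean   = 'DC-TO-CLEAN.test.local'              # placeholder: DC holding the lingering object
$referenceDc = 'REFERENCE-DC.test.local'             # placeholder: DC with an up-to-date partition copy
$partition   = 'CN=Configuration,DC=test,DC=local'   # naming context from the event

# repadmin wants the reference DC's DSA GUID (objectGUID of its NTDS Settings object), not a hostname.
$ntdsDn        = (Get-ADDomainController -Identity $referenceDc).NTDSSettingsObjectDN
$referenceGuid = (Get-ADObject -Identity $ntdsDn).ObjectGUID.ToString()
"Reference DSA GUID for $referenceDc is $referenceGuid"

# Advisory mode only reports; nothing is deleted. Drop /advisory_mode only after reviewing the report.
& repadmin.exe /removelingeringobjects $dcToClean $referenceGuid $partition /advisory_mode

# One event 1946 per object found is logged on the DC being checked.
Get-WinEvent -ComputerName $dcToClean -FilterHashtable @{ LogName = 'Directory Service'; Id = 1946 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

The objects listed should match the DN and GUID in the replication event; if the report names something unexpected, the reference DC is the wrong choice and the deletion run should not proceed.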
DSQUERY.EXE and VPN users.
Hi everyone!
We are running W2K8 DCs and the following command...
%SystemRoot%\System32\dsquery.exe user "DC=mydomain,DC=local" -inactive 8 -s localhost -limit 1000
... but it seems DSQUERY.EXE counts users who connect to work using VPN too. It is a false positive. Is this the expected behavior? In other words, does it only update the last logon attribute if the user connects interactively?
Doria
Add SidHistory to a user
Hi ,
I'm working on deleting "sidhistory". At this moment I have all the resources without SidHistory; only the users have "sidhistory".
I will delete the sidhistory field, but, is it possible, if some user has an issue, to paste his sidhistory back without doing a restore from an AD backup?
Is it possible to edit the field with PowerShell and paste the older sidhistory?
Example: Us1
SID : S-1-5-21-4174452598-3359285060-3602202020-331244
SIDHistory : {S-1-5-21-3151815273-3026384734-512502699-5215}
I will delete SidHistory
Us1
SID : S-1-5-21-4174452598-3359285060-3602202020-331244
SIDHistory : {}
(not real sids used )
Is it possible to set "sidhistory" in the future with PowerShell if I need to solve an issue for usr1?
Thanks everybody :)
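Whatever the answer on writing the attribute back, the two things to do before clearing it, as an added example (not from the post): export every user's current sIDHistory values to a CSV so the old SIDs are on record without an AD backup, and scan a resource's ACL for entries that still grant rights to one of those historical SIDs, since those are the users who will lose access once the attribute is gone. It assumes the ActiveDirectory module; $backupPath and $resourcePath are assumptions, and the user name in the commented-out Set-ADUser line is the post's Us1.

```powershell
# Added example (not from the original post): snapshot sIDHistory and find ACEs that depend on it.
Import-Module ActiveDirectory

$backupPath   = '.\sidhistory-backup.csv'   # assumption
$resourcePath = '\\fileserver\share'        # placeholder resource whose ACL is checked

# 1. Snapshot: one row per user, historical SIDs joined with ';'.
$users = Get-ADUser -Filter 'sidHistory -like "*"' -Properties sidHistory
$rows = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        SID               = $u.SID.Value
        SIDHistory        = ($u.sidHistory | ForEach-Object { $_.Value }) -join ';'
        Exported          = (Get-Date).ToString('o')
    }
}
$rows | Export-Csv -Path $backupPath -NoTypeInformation
"$(@($rows).Count) users with sIDHistory exported to $backupPath"

# 2. Map historical SID -> user, then look for ACEs on the resource that name one of them.
$historical = @{}
foreach ($u in $users) {
    foreach ($s in $u.sidHistory) { $historical[$s.Value] = $u.SamAccountName }
}

$acl = Get-Acl -Path $resourcePath
foreach ($ace in $acl.Access) {
    try {
        # Orphaned SIDs come back as SecurityIdentifier already; names are translated to SIDs here.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        continue   # an account that no longer resolves cannot be a live user's SID
    }
    if ($historical.ContainsKey($sid)) {
        "$resourcePath grants '$($ace.FileSystemRights)' to historical SID $sid (user $($historical[$sid]))"
    }
}

# 3. Clearing, once the snapshot exists (commented out on purpose; run per user after review):
# Set-ADUser -Identity 'Us1' -Clear sidHistory
```

Any line printed by step 2 is a user who still relies on the old SID for that resource; re-ACL the resource to the current SID first, then clear the attribute.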
Modifying Subject/DN format in certificates
Hi,
I have a need to add the serialNumber attribute (2.5.4.5) to the subject line of certificates generated via my MS CA. I have added the attribute to my users and I can see it in the attribute editor, but I can't figure out how to get it to show in the DN/Subject output of a certificate. I've dug around in both the schema and in the CA manager, and while I can disable automatically building the DN format from AD during enrollment, even when manually specifying the serialNumber attribute in the request it doesn't get added.
I'm assuming I need to somehow modify the default DN schema or something along those lines. I've seen certs in this format, so I'm reasonably sure it can be done. I'm just not knowledgeable enough to do it. I'm hoping someone here has done this and can share that knowledge.
FYI, this is an attempt to replicate a customer's issue with authentication using certificates with this DN format.
TIA
Active Directory - Last Logon is not logged when a user logs on using MAC or web browser
AD Claims - Use transformation rules within domain
I'm having a hard time finding documentation for AD DS (not AD FS!) claims and how to use them for different scenarios.
I can create a claim based on an attribute, that's not a problem. It also looks like claim transformation rules can be created and used for forest trusts.
Can claim transformation rules be used within the issuing domain itself?
Consider the following example, where I want to transform the canonicalName claim and pass it on, slightly modified, as the OU claim.
New-ADClaimTransformPolicy -Name "canonicalName to OU" -Rule 'C1:[Type == "ad://ext/canonicalName:88d803ab2a08e1ab", Value =~ "contoso.com/Tier 1/Servers/*", ValueType=="string"] => Issue(Type = "ad://ext/ou:88d80239468c8835", Value = "contoso.com/Tier 1/Servers/", ValueType=C1.ValueType);'
An msDS-ClaimsTransformationPolicyType object MUST be associated with a TDO for a given claims-traversal direction in order to apply the claims transformation rules in the msDS-ClaimsTransformationPolicyType object to sets of claims that traverse the TDO in the specified direction.
This indicates that I can't use the above cmdlet to transform the claim within the domain. So that begs the question: is this even possible to accomplish?