Channel: Directory Services forum

Read Only Domain Controller resolving to wrong DC


I have a set of read-only domain controllers on a segregated network. Sites and Services is set to that subnet. When pinging the domain, the first ping is always to an internal writable DC, which is not accessible by non-DCs. I set the hosts file to ping the RODC, which works fine as a sort of fix, and modified the LMHOSTS file and registry. I've also made changes to DomainDnsZones and ForestDnsZones for the site within DNS to only include the RODCs. I do see that the tcp/udp records (for kpasswd and ldap) further up at the root do not include the RODCs.

When using Active Directory Explorer, the first lookup is always the internal DCs and then eventually the RODCs, which takes 30 or more seconds. For now the lookup is set to the RODC host name (with the host record), which works in under 3 seconds. Anyone have any ideas on how to force the domain lookup to always go to the read-only DCs? Thank you in advance.
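An added example, not part of the post above, for checking what the segregated clients are actually being handed by DNS. The DC locator picks a DC from the SRV records (site-specific first, then domain-wide), while a bare `ping domain.tld` resolves the domain's own A records, which every DC registers by default; the two can disagree. The domain name and site name below are placeholders.

```powershell
# Added example (not from the original post). Shows which DC names come back for
# the site-specific and domain-wide SRV records, and which DC the locator picks.
# Assumptions: 'corp.example' and 'SegregatedSite' are placeholder names.
$Domain = 'corp.example'
$Site   = 'SegregatedSite'

$queries = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",   # site-specific LDAP
    "_kerberos._tcp.$Site._sites.$Domain",        # site-specific Kerberos
    "_ldap._tcp.dc._msdcs.$Domain",               # domain-wide LDAP (no site)
    "_kerberos._tcp.$Domain",                     # domain-wide Kerberos
    "_kpasswd._tcp.$Domain"                       # domain-wide kpasswd
)

foreach ($q in $queries) {
    # Run this from a host on the segregated network so it uses that network's resolver.
    $answers = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue
    $targets = $answers |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { "$($_.NameTarget):$($_.Port) (prio $($_.Priority), weight $($_.Weight))" }
    [PSCustomObject]@{
        Record  = $q
        Targets = ($targets -join ', ')
    }
}

# Bare domain name: the A records all DCs register (what 'ping domain' hits).
Resolve-DnsName -Name $Domain -Type A | Select-Object Name, IPAddress

# What the locator chooses for this site, and the writable-only variant for comparison.
nltest /dsgetdc:$Domain /site:$Site
nltest /dsgetdc:$Domain /site:$Site /writable
```

If the site-specific SRV answers list only the RODCs but the domain-wide ones and the bare A record still list the writable DCs, that explains the slow first hop: anything that resolves the plain domain name rather than going through the locator will try a writable DC first.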


Basic documentation about Active directory management


I need to provide to a team of junior system administrators some pointers to up-to-date documentation about basic Active Directory management procedures on Windows server 2019 or Windows server 2016 servers, including creating users and groups, creating and applying Group Policies, assigning user rights, protecting files and directories and so on.

Up to now I was able to locate only outdated pages and some third party pages.

Where can I locate up-to-date and comprehensive Microsoft documentation on the matter?

Regards

marius



Unable to Map Network Drive using %username% variable


We are running a Windows Server 2012 R2 AD environment and would like to dynamically map user-specific network drives at logon time for domain desktop sessions. We created a network share on a 2012 R2 server with full share and security permissions for the Everyone group just to see if it would work; however, whenever we use the following command in a domain-authenticated user session

net use H: \\servername\home\%username%
net use H: \\servername\home\%LogonUser%

we receive the following error:

System error 55 has occurred. The specific network resource or device is no longer available.

In troubleshooting we tried ECHO %username% at a command prompt and received the correct username. We were able to use the same UNC path above in the built-in "Connect" feature under the Profile tab in AD to get the drive to map correctly. The share is not hidden.

Any help would be greatly appreciated.

issue with Domain


Hi,

We are having an issue with adding a new PC to the domain. We can't add machines to the AD.

We tried both NetBIOS name and FQDN both with the same result.

Any suggestion?


Active Directory - Last Logon is not logged when a user logs on using MAC or web browser

Hello! We noted that the "last logon" of our AD users who use a Mac or a mobile browser is not logged. Our Active Directory is on-premises. Please help. Thank you!

When a trust relationship between the workstation and the domain is broken.


Hi team!

Is there an attribute on the computer account object in the domain that tells you when the trust relationship between the workstation and the domain is broken?

Hope I was clear enough.


Doria
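An added example, not part of the post above. The secure-channel state itself is only known on the workstation side (`Test-ComputerSecureChannel`); what AD holds is the computer account's own attributes, chiefly when its password was last set and when it last logged on. Comparing the two is how a helpdesk can tell a stale or reset machine account from one whose channel is healthy. The workstation name is a placeholder and the AD lookup assumes the ActiveDirectory module is installed where it runs.

```powershell
# Added example (not from the original post).
# Part 1: on the workstation itself. Returns $true when the secure channel to the
# domain is intact, $false when it is broken. -Repair is deliberately not used here.
$channelOk = Test-ComputerSecureChannel
"Secure channel OK on $env:COMPUTERNAME : $channelOk"

# Part 2: what the directory knows about the same computer account.
# Assumption: 'WS01' is a placeholder; requires the ActiveDirectory module.
$Computer = 'WS01'
$acct = Get-ADComputer -Identity $Computer -Properties PasswordLastSet, LastLogonDate, Enabled, OperatingSystem

[PSCustomObject]@{
    Computer        = $acct.Name
    Enabled         = $acct.Enabled
    OperatingSystem = $acct.OperatingSystem
    PasswordLastSet = $acct.PasswordLastSet      # machine account password age
    PasswordAgeDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    LastLogonDate   = $acct.LastLogonDate        # replicated lastLogonTimestamp (can lag ~14 days)
}
```

A machine whose `Test-ComputerSecureChannel` is `$false` while its account in AD shows a recent `PasswordLastSet` usually means the account password was reset or the object was recreated out from under the workstation (for example by re-joining a clone with the same name); a very old `PasswordLastSet` with no recent logon points at a machine that has simply been offline.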

Dns configuration in windows changes unintentionally to manual mode


We have a domain controller (Windows Server 2012) in our LAN; there is also a DHCP server for clients to get their IP automatically.

All clients get the right IP and DNS configuration and work well, but these days we encounter a problem: some clients' DHCP configuration changes to **use the following IP server** unintentionally, and they get some unknown DNS servers (172.18.x.x, 8.8.8.8).

Tips:

  • There is no other modem or DHCP server.
  • The users that log in on the clients don't have enough permission to change the configuration.


connect Windows10 to Active Directory

I have Windows Server 2016 on a cloud server and want to use it as AD DS.

After installing AD DS/DNS on the server, I joined the server to the domain, but there is a problem connecting from the corporate PC (Windows 10 Pro).

The nslookup and host commands could get the IP for the domain.
However, I couldn't connect to the Windows server.

Is the problem that I'm trying to connect to another network band using a public IP?
If so, is there any way to connect?

====== error message. (it is not exact, translated) ======

The following domain controllers were verified in the query:

{server name}.{test domain}              <---- just 'test.com' also doesn't work.


But, the connection to the domain controller failed.

Common causes of this error are:

- Host (A) or [AAAA] record mapping the name of the domain controller to an IP address does not exist or has an invalid address.

- Domain controllers registered in DNS are not connected to the network or are not running.

My user account is locked out automatically in a couple of minutes again and again after I unlock it.

The account is locked out automatically. After I unlock it, the account gets locked again in a couple of minutes. I checked the logs in the Windows Event Viewer. It shows many logs like the following. It looks like the user account always gets locked on the domain controller, not on the member servers or workstations. We have checked with the account lockout tools and the bad password count.
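An added example, not part of the post above, for finding where repeated lockouts originate. Every lockout is recorded as event 4740 on the PDC emulator regardless of which DC counted the bad passwords, and the event carries the name of the machine that submitted them (stored, confusingly, in the `TargetDomainName` field, shown as "Caller Computer Name" in Event Viewer). The user name is a placeholder; the script assumes the ActiveDirectory module and read access to the PDC emulator's Security log.

```powershell
# Added example (not from the original post). Lists 4740 lockout events for one
# account from the PDC emulator and shows the caller computer for each.
# Assumption: 'jdoe' is a placeholder account name.
$User  = 'jdoe'
$Since = (Get-Date).AddDays(-1)
$Pdc   = (Get-ADDomain).PDCEmulator     # 4740 is always written here

$events = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $Since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [PSCustomObject]@{
        Time           = $e.TimeCreated
        LockedAccount  = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # "Caller Computer Name" in Event Viewer
        RecordedOn     = $e.MachineName
    }
}

$lockouts |
    Where-Object { $_.LockedAccount -eq $User } |
    Sort-Object Time |
    Format-Table -AutoSize

# Summary: which machines are generating the lockouts for this account.
$lockouts |
    Where-Object { $_.LockedAccount -eq $User } |
    Group-Object CallerComputer |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

Once the caller computer is known, the bad-password source on that machine is usually a cached credential: a mapped drive, a scheduled task or service running as the user, a saved RDP session, or a mobile device's mail profile. The corresponding failed attempts (4771 for Kerberos pre-authentication failures, 4776 for NTLM) are on the DC that serviced the logon, not necessarily the PDC emulator.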

Replacing wildcard certificate on DCs


Hi,

Domain Controllers: Windows Server 2016

FFL/DFL: Windows 2012R2

Our current certificate *.mydomain.com from a trusted authority will expire in a few weeks. We have already ordered and received a new certificate with the same name from the same trusted authority.

We have an application which runs on each DC and is dependent on the thumbprint of the certificate. When we import the new cert, we will have to retrieve the thumbprint and modify the config of the application to use the new certificate. This is no big deal!

My questions:

If I import the new certificate, I will have 2 certificates for the same domain.

  • Will the old certificate (not yet expired) be ignored?
  • I will have 2 certificates, 2 thumbprints. Are both active?
  • If my application is configured with the old thumbprint, will the app still work OK?
  • If I import the new certificate, is a reboot of the DC required?

Regards,

David
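An added example, not part of the post above, for the situation it describes: two valid certificates with the same subject in each DC's computer store, one of which an application is pinned to by thumbprint. Both stay usable until they expire; which one a given service presents depends on how that service selects its certificate, so listing them side by side on every DC is the first thing to do before switching the application's configured thumbprint. The DC names are placeholders; the wildcard name is the one from the post.

```powershell
# Added example (not from the original post). Lists certificates matching the
# wildcard subject in LocalMachine\My on each DC, newest expiry first, so the
# old and new thumbprints can be compared before the application config is changed.
# Assumptions: DC names are placeholders; runs with WinRM access to each DC.
$Name = '*.mydomain.com'
$Dcs  = @('DC01', 'DC02')

Invoke-Command -ComputerName $Dcs -ArgumentList $Name -ScriptBlock {
    param($Name)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match [regex]::Escape($Name) } |
        Sort-Object NotAfter -Descending |
        ForEach-Object {
            [PSCustomObject]@{
                DC            = $env:COMPUTERNAME
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
                HasPrivateKey = $_.HasPrivateKey
            }
        }
} | Sort-Object DC, NotAfter -Descending | Format-Table -AutoSize
```

Importing into the store does not by itself change anything the DC is doing, so no reboot is needed for the store operation; the points to verify are that the new entry shows `HasPrivateKey` as `True` on every DC (a certificate imported without its key is useless to Schannel) and that the application is moved to the new thumbprint before the old `DaysLeft` reaches zero. For LDAPS specifically, a DC with several valid server certificates in LocalMachine\My does not guarantee which one it presents; placing only the intended certificate in the NTDS service's own personal store makes that choice explicit.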

AD Delegation for password change


Hello,

I am stuck with this problem on a freshly installed Windows 2016.

I am trying to delegate my firewall to change expired AD user passwords.

The connection is over TLS and users are able to authenticate. Also, if I test AD connectivity to the AD server and user authentication, everything works.

On the AD server I delegate the bind user in the following way:

- Opened ADUC

- Right-clicked the domain name, then Delegate Control; here I found my bind user and gave the permissions "Reset user passwords and force password change at next logon"

My bind user is in group Domain Admins and Domain Users.

Then I checked:

- In the Security tab of OU Users I have my bind user with special permissions. In Advanced I can see that the bind user is repeated 2 times with the following permissions:

User entry #1 permissions: Reset Password

User entry #2: Read pwdLastSet and Write pwdLastSet

The same permissions are also on the group inside OU Users that I connected to the firewall, and also on the user itself that must change the password, so the permissions are inherited.

What is the best practice to delegate the permission to my bind user?
Where can I find the logs related to the unsuccessful password change?

Thank you.

Fab


AD LDS new instance vs replica

Hey guys, I have the task of creating new AD LDS servers as the older ones are 2K8 (servers A/B) and need to be retired. I have built new 2K12 servers (C/D); now comes the task of migrating the instances. How does AD LDS replication work? I have created a replica instance on server C, copying from server A. When I check the server details under Sites in the Configuration partition, it shows me servers A/B and C/D. So can I go ahead and decommission servers A/B and it would be okay, or won't it work because C/D is a replica instance of A and removing A will break it? Or do I need to create a new instance on the new C/D servers?

i have trouble. pls help me

I need to delete the Chromium bar at the top of my notebook screen.

I tried to uninstall it already, but it doesn't work.

AD FS ESL on update password page


Hello,

I tried to configure AD FS ESL

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

but when I test it with the password update page

I set logs-only mode and there is no event like ID 1203 or 1210. Only this one:

Windows 2016

Config:

And of course my test account gets locked only by AD, not by ESL. So an intruder can lock any account in the domain with brute force.

How can I protect AD accounts, with ESL counting attempts before the AD account is locked?

Thank you!


AD servers RDP issue


Hi, 

I have installed an AD server and it's sitting behind the NSX Edge firewall. When I enable the firewall I am not able to access it:

it shows "an internal error occurred".

If I disable the firewall I can access the server.

I can telnet to port 3389 (with the firewall enabled).

I can ping the server (with the firewall enabled),

but I can't access the box.

Jumpbox >> Edge firewall >> Active Dir servers

Please help me to fix this issue.

Nagesh


Problem replication after add a second DC after having promoted it (2019 new Dc - existing DC 2012)


Hi everyone, 

When the promotion finished, the replication between the 2 DCs seems to have failed; I'll translate my dcdiag.

I did not get an error message during the promotion, just noticed that on the DC 2012 the DFS Namespace service was not starting, and the administrator account was not a member of "Schema Admins"; I did that after the promotion.

Here is the dcdiag of Win Srv 2019:

 Test start: Advertising
         Warning: DsGetDcName returned information for \\ nameofdc2012.yyy.local when trying to access
         SRV-xxx-01.
         The server is not responding or is not suitable.
         ......................... The Advertising test
          from SRV-xxx-01 failed
      Start of the test: FrsEvent
         ......................... The FrsEvent test
          from SRV-xxx-01 succeeded
      Start of the test: DFSREvent
         Errors or warnings detected in the last 24 hours after sharing SYSVOL. Problems
         related to SYSVOL replication failure can cause Group Policy issues.
         ......................... The DFSREvent test
          from SRV-xxx-01 failed
      Start of the test: SysVolCheck
         ......................... The SysVolCheck test
          from SRV-xxx-01 succeeded
      Test start: KccEvent
         ......................... The KccEvent test
          from SRV-xxx-01 succeeded
      Test start: KnowsOfRoleHolders
         ......................... The KnowsOfRoleHolders test
          from SRV-xxx-01 succeeded
      Test start: MachineAccount
         ......................... The MachineAccount test
          from SRV-xxx-01 succeeded
      Start of the test: NCSecDesc
         ......................... The NCSecDesc test
          from SRV-xxx-01 succeeded
      Test start: NetLogons
         Unable to connect to the NETLOGON share. (\\ SRV-xxx-01 \ netlogon)
         [SRV-xxx-01] A net use operation or LsaPolicy failed with error 67, Network name not found.
         ......................... The NetLogons test
          from SRV-xxx-01 failed

All the others are successful.

Basically there was only one server, the DC 2012.

xxx = DC 2019

Help, I'm a beginner.

Thanks

DNS Servers in the Default Domain Controllers OU


We have DNS servers, DHCP servers, and Certificate Authority servers in the Default Domain Controllers OU. Is it OK to move these to a new OU? I have an OU called Member Servers with sub-OUs. I can make OUs for these servers.

The only policy that's linked to the Default Domain Controllers OU is the Default Domain Controllers Policy.

Don't know what the impact will be.  Thanks for your help.

How to Track User Logon and Logoff reports in Active Directory (Server 2016)


Hi Team,

I want to track user logon and logoff reports in Active Directory (Server 2016); please share the documentation URL and, if possible, the process and a CSV file.

Regards

Parvez
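An added example, not part of the post above, of the kind of export the post asks for: logon (4624) and logoff (4634, 4647) events read from a Security log and written to CSV. Two things to know before relying on it: the events exist only where success auditing for the Logon/Logoff category is enabled by Group Policy, and a DC's Security log records logons to that DC itself (mostly network logons to its shares and LDAP); interactive logons to workstations are in each workstation's own log, so for a domain-wide picture either collect from the workstations or query the DCs for Kerberos ticket events (4768/4769) instead. The computer name and output path are placeholders.

```powershell
# Added example (not from the original post). Exports logon/logoff events from one
# machine's Security log to CSV. Point $Computer at a workstation for interactive
# logons, or at a DC for logons to the DC itself.
# Assumptions: 'DC01' and the output path are placeholders; requires read access
# to the remote Security log.
$Computer = 'DC01'
$Out      = 'C:\Reports\logon-logoff.csv'
$Since    = (Get-Date).AddDays(-7)

$actions = @{ 4624 = 'Logon'; 4634 = 'Logoff'; 4647 = 'UserInitiatedLogoff' }

$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4647
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Named EventData fields are only available through the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [PSCustomObject]@{
        Time       = $e.TimeCreated
        Computer   = $e.MachineName
        EventId    = $e.Id
        Action     = $actions[[int]$e.Id]
        User       = $data['TargetUserName']
        Domain     = $data['TargetDomainName']
        LogonType  = $data['LogonType']     # 2 interactive, 3 network, 10 remote desktop
        SourceIP   = $data['IpAddress']     # present on 4624 only
    }
}

$rows |
    Where-Object { $_.User -notlike '*$' -and $_.User -notin @('SYSTEM', 'ANONYMOUS LOGON') } |  # drop machine and built-in accounts
    Sort-Object Time |
    Export-Csv -Path $Out -NoTypeInformation

"Wrote $($rows.Count) events from $Computer to $Out"
```

Filtering on `LogonType` is usually the first refinement: type 3 dominates any server's log and is rarely what a "who logged on" report is meant to show, whereas types 2, 10 and 11 (interactive, remote desktop, cached interactive) correspond to people actually sitting at or remoting into a machine.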

Account Operators permissions missing

Hello everyone, my current forest/domain functional level is 2012 R2, and it includes 6 DCs running Windows Server 2016 and 1 DC running 2012 R2. In my OU, many Account Operators permissions are missing; sub-OU permissions are normal, and newly created accounts are normal, just old accounts. What's the matter? As shown in the figure:


WiFi Authentication With Active Directory


Hi Team,

I want to deploy Wi-Fi authentication with Active Directory; below is the information.

1. Wi-Fi authentication from Active Directory.

2. I will mention a time (will remain connected 2 or 3 hr), then it will auto-disconnect.

3. Need networking presentation details.

Please advise and share the MS documentation link with me.


