Channel: Directory Services forum
Viewing all 31638 articles

Modifying Subject/DN format in certificates


Hi,

I have a need to add the serialNumber attribute (2.5.4.5) to the subject line of certificates generated via my MS CA. I have added the attribute to my users and I can see it in the attribute editor, but I can't figure out how to get it to show in the DN/Subject output of a certificate. I've dug around in both the schema and in the CA manager, and while I can disable automatically building the DN format from AD during enrollment, even when manually specifying the serialNumber attribute in the request it doesn't get added.

I'm assuming I need to somehow modify the default DN schema or something along those lines. I've seen certs in this format, so I'm reasonably sure it can be done. I'm just not knowledgeable enough to do it. I'm hoping someone here has done this and can share that knowledge.

FYI, this is an attempt to replicate a customer's issue with authentication using certificates with this DN format.

TIA


Add SidHistory to a user


Hi , 

I'm working on deleting "sidhistory". At this moment all the resources are without SidHistory; only the users have "sidhistory".

I will delete the sidhistory field, but if some user has an issue, is it possible to paste his sidhistory back without doing a restore from an AD backup??

Is it possible to edit the field with PowerShell and paste the older sidhistory???

Example:    Us1

SID                                  : S-1-5-21-4174452598-3359285060-3602202020-331244
SIDHistory                           : {S-1-5-21-3151815273-3026384734-512502699-5215}

I will delete  SidHistory

Us1

SID                                  : S-1-5-21-4174452598-3359285060-3602202020-331244
SIDHistory                           : {}

(not real sids used )

Is it possible to set "sidhistory" in the future with PowerShell if I need to solve an issue for usr1???

Thanks everybody :)


AD Claims - Use transformation rules within domain


I'm having a hard time finding documentation for AD DS (not AD FS!) claims and how to use them for different scenarios. 

I can create a claim based on an attribute, that's not a problem. It also looks like claim transformation rules can be created and used for forest trusts. 

Can claim transformation rules be used within the issuing domain itself? 

Consider the following example, where I want to transform the canonicalName claim and pass it on, slightly modified, as the OU claim. 

New-ADClaimTransformPolicy -Name "canonicalName to OU" -Rule 'C1:[Type == "ad://ext/canonicalName:88d803ab2a08e1ab", Value =~ "contoso.com/Tier 1/Servers/*", ValueType=="string"] => Issue(Type = "ad://ext/ou:88d80239468c8835", Value = "contoso.com/Tier 1/Servers/", ValueType=C1.ValueType);'


https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3aa672b6-a46b-4707-adff-01a02e97d956

An msDS-ClaimsTransformationPolicyType object MUST be associated with a TDO for a given claims-traversal direction in order to apply the claims transformation rules in the msDS-ClaimsTransformationPolicyType object to sets of claims that traverse the TDO in the specified direction.

This indicates that I can't use the above cmdlet to transform the claim within the domain. So that begs the question is this even possible to accomplish? 


Active Directory Best Practice


Hello - 

I am sure this question has been asked many times - but I can't find a direct answer. I work in Active Directory at a large organization. We have 15 domain forests. Primarily - we have 1 forest with 5 domains. We will call this DF1. Then we have a forest with a single domain that we are migrating to DF1. We will call this DF2. For years, I have preached not to use Universal groups because we need a domain local to add members from DF2 to DF1 - cross forest access. So we standardized on creating DLGs for the resources and Global groups for all the domains that have members and need access to resources where the domain local resides. I have been so dead set that Universal groups are a bad practice because it limits scalability. But now that we are collapsing domains - Universals would work - because we would all be on one domain forest. So we could essentially create the DLG and nest a Universal - instead of creating 5 Global groups to span all the domains in the forest. I still think this is a terrible idea because if we acquire another company's domain - then those Universal groups would be useless in granting access to resources cross forest if application analysts started applying those universals to the resource directly and not to the DLGs. I can see a large company getting lazy and starting to create only universals instead of the resource group (DLG). So what is the best practice - are there major downfalls (besides what I have mentioned) in doing a DLG for the resource and Universal Group versus DLGs with Globals that span each domain? Is there a different security risk between Universals and Globals that I can present?

Thanks for your time. 

ADCS Installing CA Certificate



Just created a new, off-line root CA, and signed the SubCA request generated. All are on the same WS2016 Datacenter

Now I attempt to install this certificate and I receive an error about Invalid Data. The error is instructing me to re-run the wizard which would require I uninstall the role and start over. Then perform another root key ceremony to sign the SubCA request. The error also indicates that there was a subsequent .req file created, when there wasn't.

What is the real cause of this error? Is there debug logging I can enable to learn more? I really do not know if this is a problem accessing the private key or not.

NTDS.dit securing


Hello All,

We have been asked:

What configuration is required on virtual Domain Controllers if the NTDS.dit file is exfiltrated and some passwords cracked to get statistics on password usage?

All our Domain Controllers are on 2016 and the ntds.dit is stored on the C drive with default permissions.


Thanks HA

fSMORoleOwner really messed up. Unable to change it!

Well, I was trying to do an adprep for read-only domain controllers. I ran into problems and it wasn't able to complete:

Adprep could not contact a replica for partition DC=DomainDnsZones(and ForestDnsZones),DC=adem,DC=arkansas,DC=gov.

Error code: 0x0. Server extended error code: 0x0, Server error message: (null).


So I started to investigate and look for answers..
Somehow I ran into running this command:

dsquery * cn=Infrastructure,DC=DomainDnsZones,dc=adem,dc=arkansas,dc=gov -attr fSMORoleOwner

And it returns a CN=ADEM-DC which is a VERY old domain controller that hasn't existed in probably 4 years (before my time here). So I read about how you can change it with ADSIEdit. It is not able to change it because it says it cannot read it.

So I do a netdom query fsmo
Schema, Domain naming, PDC, RID pool all point to DC1 which is our current primary DC (correct).
Infrastructure points to DC2 which is correct.

So how do I go about fixing this problem? I am at a loss?!? How do I change the fSMORoleOwner if it won't let me?
The exact error when trying to change it is:

Operation failed. Error code: 0x20ae
The role owner attribute could not be read.

000020AE: SvcErr: DSID-03152BF7, problem 5003 (WILL_NOT_PERFORM), data 0

Any help would be appreciated! Thank you
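A read-only check to go with the dsquery above, added here and not part of the original post (it assumes the ActiveDirectory PowerShell module and a DC that hosts the DNS application partitions): it walks every naming context, reads the fSMORoleOwner of its Infrastructure object and reports whether the NTDS Settings object it references still exists, which separates a stale reference like CN=ADEM-DC from a live one before anyone touches the attribute.

```powershell
# Added example, not code from the original post: list the fSMORoleOwner of the Infrastructure
# object in every naming context and report whether the NTDS Settings object it points to still exists.
# Assumes the ActiveDirectory module and that the DC you query hosts the DNS application partitions.
Import-Module ActiveDirectory

function Get-InfrastructureRoleOwner {
    $root = Get-ADRootDSE
    # Each naming context (domain, DomainDnsZones, ForestDnsZones, ...) has its own Infrastructure
    # object and therefore its own, independently stored, role owner.
    $ncs = Get-ADObject -SearchBase "CN=Partitions,$($root.configurationNamingContext)" `
        -Filter 'objectClass -eq "crossRef"' -Properties nCName |
        Select-Object -ExpandProperty nCName

    foreach ($nc in $ncs) {
        try {
            $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" -Properties fSMORoleOwner
        } catch {
            continue   # schema and configuration NCs have no Infrastructure object
        }
        $owner = $infra.fSMORoleOwner
        # fSMORoleOwner holds the DN of an NTDS Settings object; a reference to a DC that was
        # removed long ago no longer resolves (a tombstoned DN carries a 0ADEL: marker).
        try {
            $null = Get-ADObject -Identity $owner
            $ownerExists = $true
        } catch {
            $ownerExists = $false
        }
        [pscustomobject]@{
            Partition   = $nc
            RoleOwner   = $owner
            OwnerExists = $ownerExists
        }
    }
}

Get-InfrastructureRoleOwner | Format-Table -AutoSize
```

Run it as a user with read access to all partitions; a row with OwnerExists = False is the partition whose role owner needs attention, and the domain partition row should match what `netdom query fsmo` reports for the Infrastructure master.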

ADFS 2.0 - Federated to Azure - No sign on to O365 apps any longer possible.


Hello,

Quick description & question for a problem I'm currently experiencing and can't seem to figure out on my own.

2 servers running an ADFS farm (2008 R2), ADFS 2.0 (old, I know...)

In front of that, one proxy for ADFS services.

Since this morning, when our users try to connect to our webmail site, SharePoint, and all other resources that require an ADFS sign-in, this is failing.

On the visual side, they go to the site webmail.domain.com > enter their username@domain.com name.
Next it says "taking you to your sign-in page" (for the ADFS),

except it returns right away to the page where people have to re-enter their mail address, etc.; endless loop.

and just now, the following started appearing...

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '00000002-0000-0ff1-ce00-000000000000'.


DCDiag DNS Delegation Errors


Hello,

I ran some tests today on a client network in preparation for an upgrade from Windows 2003 domain controllers to Windows 2008 R2. I ran dcdiag and found a number of errors and was fortunately able to correct most of them except one. When running dcdiag /test:dns, it comes up with a failure on the Delegation piece. Essentially it is referencing old DNS servers that no longer exist, yet I cannot find them anywhere in DNS.

TEST: Delegations (Del)
Warning: DNS server: server1.administration.company.com IP: <Unavailable> Failure: Missing glue A record
Warning: DNS server: server2.administration.company.com IP: <Unavailable> Failure: Missing glue A record

I cannot find them anywhere. Where would this entry be coming from? Is it hidden somewhere deep in AD?

Thanks,


         

Replacing wildcard certificate on DCs


Hi,

Domain Controllers: Windows Server 2016

FFL/DFL: Windows 2012R2

Our current certificate *.mydomain.com from a trusted authority will expire in a few weeks. We have already ordered and received a new certificate with the same name from the same Trusted authority.

We have an application which runs on each DC and is dependent on the Thumbprint of the certificate. When we import the new cert, we will have to retrieve the Thumbprint and modify the config of the application to use the new certificate. This is no big deal!

My questions:

If I import the new certificate, I will have 2 certificates for the same domain.

  • Will the old certificate (not yet expired) be ignored?
  • I will have 2 certificates, 2 Thumbprints. Are both active?
  • If my application which is configured with the old Thumbprint, will the app still work OK?
  • If I import the new certificate, is a reboot of the DC required?

Regards,

David

LAPS Implementation Issue


Good day, 

For almost 2 weeks I've been trying to implement LAPS in my company's small infrastructure. 
I've gone through the steps in the following tutorial:

https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-1.html
https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-2.html

I'm using 2 computers for testing purposes, one is a virtual machine running Windows 10 and the other a laptop running Windows 7. Here's what I've done so far:

- I extended the computer objects' schema to include the fields needed by LAPS; I then inspected the computer objects corresponding to my 2 test subjects and verified that these attributes were indeed created.

- I delegated the necessary permissions to the computers through the Set-AdmPwdComputerSelfPermission cmdlet; I then checked the 2 computers' ACE list and verified that write permissions for AdmPwd and write/read permissions for AdmPwdExpirationTime were granted to the SELF trustee. 

- I delegated the permissions to read and reset passwords to the domain admins through the Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission cmdlets; I then verified these permissions through the 2 computers' permission entry lists. (I think this step is unnecessary since domain admins should have these permissions by default)

- I deployed LAPS.msi through GPO and verified that "Local Administrator Password Solution" was present in the 2 computers' Apps and Features list. I also verified that AdmPwd.dll was in the Program Files folder for both computers.

LAPS doesn't seem to work, however. I, as domain administrator, get an empty field whenever I query a computer's password through the UI or through PowerShell, and the password attribute field in the computer objects remains empty. I've read many related posts here in this forum but have not been able to solve this issue.

The DC is running Windows Server 2012 R2 and the domain functional level is 2012 R2.

Do you have any idea on what could be going wrong?

Regards
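A verification script for the steps listed above, added here and not code from the original post or from the linked tutorials: it checks the schema attributes, the SELF write ACE on ms-Mcs-AdmPwd, whether the LAPS policy has actually been applied on the client (the AdmPwdEnabled value under the LAPS policy registry key), and whether the expiration attribute has ever been written. It assumes the ActiveDirectory module and WinRM access to the client; 'PC-UNDER-TEST' is a placeholder computer name.

```powershell
# Added example, not code from the original post or the linked tutorials: verify the pieces LAPS
# needs before the client can write a password. Assumes the ActiveDirectory module, WinRM access to
# the client, and that 'PC-UNDER-TEST' is a placeholder for the computer account being checked.
Import-Module ActiveDirectory

function Test-LapsPrerequisites {
    param([Parameter(Mandatory)][string]$ComputerName)

    $root    = Get-ADRootDSE
    $results = [ordered]@{}

    # 1. Schema: both LAPS attributes must exist; keep the ms-Mcs-AdmPwd schemaIDGUID for the ACL check.
    $pwdGuid = $null
    foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        $schema = Get-ADObject -SearchBase $root.schemaNamingContext `
            -Filter "lDAPDisplayName -eq '$attr'" -Properties schemaIDGUID
        $results["Schema:$attr"] = ($null -ne $schema)
        if ($attr -eq 'ms-Mcs-AdmPwd' -and $schema) { $pwdGuid = [guid]$schema.schemaIDGUID }
    }

    # 2. ACL: the computer itself (SELF) needs WriteProperty on ms-Mcs-AdmPwd, inherited or explicit.
    $computer  = Get-ADComputer -Identity $ComputerName
    $acl       = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $selfWrite = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $pwdGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }
    $results['ACL:SELF can write ms-Mcs-AdmPwd'] = [bool]$selfWrite

    # 3. Client policy: the LAPS client-side extension only manages the password once the GPO
    #    setting "Enable local admin password management" has written AdmPwdEnabled=1 to this key.
    $results['Client:AdmPwdEnabled'] = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
        [bool]($p -and $p.AdmPwdEnabled -eq 1)
    }

    # 4. Current state in AD: the expiration time is written together with the password, so an
    #    empty value means the client has never successfully stored one.
    $state = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $results['AD:ExpirationTimeSet'] = ($null -ne $state.'ms-Mcs-AdmPwdExpirationTime')

    [pscustomobject]$results
}

Test-LapsPrerequisites -ComputerName 'PC-UNDER-TEST' | Format-List
```

The first False in the list is the place to look: a missing AdmPwdEnabled on the client means the GPO setting has not reached the machine (installing the MSI alone does nothing until the policy is applied), while a missing SELF ACE means the computer cannot write the password even though the domain admin can read the empty attribute.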

Account lockout from non domain caller computer name

Good day,


We have a few accounts being locked out. I checked Caller Computer Name and they are all from computers not on the domain:


Caller Computer Name: Windows7 
Caller Computer Name: Windows2012
Caller Computer Name: Windows2016
Caller Computer Name: Windows10
Caller Computer Name: FreeRDP
Caller Computer Name: Rdesktop
Caller Computer Name: mstsc 
Caller Computer Name: Windows2019


My understanding is that normally the computer name would indicate a computer on the network which I can then go to and troubleshoot.


What do I do if none of these are network machines?


Thank you.


Andrei.
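A detection script for the situation described above, added here and not code from the original post: it reads recent 4740 (account locked out) events from the PDC emulator, where every lockout is recorded, extracts the locked account and the Caller Computer Name from the event XML, and flags lockouts whose caller name does not match any computer account in the domain. The Caller Computer Name is a string supplied by the requesting client about itself, which is why generic names such as the ones listed in the post can appear. It assumes the ActiveDirectory module and remote event-log access to the PDC emulator.

```powershell
# Added example, not code from the original post: collect recent 4740 (account locked out) events
# from the PDC emulator and flag those whose Caller Computer Name is not a computer account in AD.
# Assumes the ActiveDirectory module and remote event-log access to the PDC emulator.
Import-Module ActiveDirectory

function Get-LockoutsFromUnknownCallers {
    param(
        [string]$Server = (Get-ADDomain).PDCEmulator,   # every lockout is forwarded to the PDCe
        [int]$Hours = 24
    )
    # Known names: every computer account in the domain (-contains compares case-insensitively).
    $domainComputers = (Get-ADComputer -Filter *).Name

    $events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML instead of parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # In 4740, TargetUserName is the locked account and TargetDomainName carries the
        # Caller Computer Name, a string the requesting client supplies about itself.
        $caller = $data['TargetDomainName']
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $caller
            KnownComputer  = ($domainComputers -contains $caller)
        }
    }
}

# Lockouts whose caller name does not match any domain computer account.
Get-LockoutsFromUnknownCallers | Where-Object { -not $_.KnownComputer } | Format-Table -AutoSize
```

Because the caller name is not a reliable pointer to a machine, the next step for the flagged rows is the source IP rather than the name: correlate the lockout time and account with the 4625 or 4771 events on the DC (or on the externally reachable service such as RDP or OWA) that carry the client address.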


Some users have a value for "LastLogonTimeStamp" even though they have never logged on


Hi All,

I am trying to track down some weirdness with some test accounts in our domain.

These accounts were created years ago and have never logged on, yet they have a date in the replicated "Lastlogontimestamp" attribute. This date seems to change regularly and is always showing as being within the last week.

In order to determine the last time an account has logged on, I have a script which checks every Domain Controller on our domain for the "lastlogon" attribute, compares the values from each Domain Controller, and then takes the most recent value as the true last logon time. When I run this script against these test accounts, they show as never having logged in which is what I expect.

However when I issue "get-aduser <user> -Properties LastLogonDate" (which queries the "lastlogontimestamp" attribute), I get a date within the last week. Even though these accounts have no value for "lastlogon" on any of our domain controllers, and have a cumulative "logoncount" of zero, they do for some reason have a value in the "lastlogontimestamp" attribute.

This does not make any sense to me and I was wondering if there is something I am not getting about this attribute.

Any insights to this behavior would be appreciated.

Thank you,

John.
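An added implementation of the kind of script the post describes, not the poster's own code: it queries lastLogon and logonCount (both stored per DC and never replicated) on every domain controller, takes the newest lastLogon as the real last logon, and puts the replicated lastLogonTimestamp next to it so the two values can be compared for the same account. lastLogonTimestamp is only refreshed when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so it is a coarse indicator rather than a logon record. It assumes the ActiveDirectory module and LDAP reachability to every DC; 'testuser01' is a constructed sample account name.

```powershell
# Added example, not the poster's script: query lastLogon on every DC and take the newest value,
# alongside the replicated lastLogonTimestamp and the per-DC logonCount, so the two can be compared
# side by side. Assumes the ActiveDirectory module and LDAP reachability to every DC.
Import-Module ActiveDirectory

function Get-LastLogonAcrossDCs {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # lastLogon and logonCount are stored per DC and never replicated; lastLogonTimestamp is replicated
    # but only refreshed when the stored value is older than msDS-LogonTimeSyncInterval (default 14 days).
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp, logonCount
            [pscustomobject]@{
                DC                 = $dc.HostName
                LastLogon          = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
                LastLogonTimestamp = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
                LogonCount         = [int]$u.logonCount
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }

    $newest = $perDc | Where-Object { $_.LastLogon } | Sort-Object LastLogon -Descending | Select-Object -First 1
    [pscustomobject]@{
        User                = $SamAccountName
        TrueLastLogon       = if ($newest) { $newest.LastLogon } else { $null }   # null = no DC has seen a logon
        ReportedByDC        = if ($newest) { $newest.DC } else { $null }
        ReplicatedTimestamp = ($perDc | Select-Object -First 1).LastLogonTimestamp
        TotalLogonCount     = ($perDc | Measure-Object -Property LogonCount -Sum).Sum
        PerDC               = $perDc
    }
}

$r = Get-LastLogonAcrossDCs -SamAccountName 'testuser01'   # constructed sample account name
$r | Format-List User, TrueLastLogon, ReportedByDC, ReplicatedTimestamp, TotalLogonCount
$r.PerDC | Format-Table -AutoSize
```

An account that shows TrueLastLogon empty and TotalLogonCount 0 but a recent ReplicatedTimestamp is exactly the pattern the post describes; the per-DC table tells you which DC wrote the timestamp, which is the DC whose Security log to check for activity against that account around that time.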

Read Only Domain Controller resolving to wrong DC


I have a set of read-only domain controllers on a segregated network. Sites and Services are set to that subnet. When pinging the domain, the first ping is always to an internal writable DC - which is not accessible by non-DCs. I set the hosts file to ping the RODC, which works fine as a sort of fix, and modified the LMHosts file and registry. I've also made changes to DomainDnsZones and ForestDnsZones for the site within DNS to only include the RODCs. I do see that the tcp/udp records (for kpasswd and ldap) further up at the root do not include the RODCs.

When using Active Directory Explorer, the first lookup is always the internal DC's and then eventually the RODC's which takes 30 or more seconds.  For now the lookup is set to RODC host name (with the host record) - which works in under 3 seconds.  Anyone have any ideas on how to force the domain lookup to always go to the read only DC's?  Thank you in advance.

Basic documentation about Active directory management


I need to provide to a team of junior system administrators some pointers to up-to-date documentation about basic Active Directory management procedures on Windows server 2019 or Windows server 2016 servers, including creating users and groups, creating and applying Group Policies, assigning user rights, protecting files and directories and so on.

Up to now I was able to locate only outdated pages and some third party pages.

Where can I locate up-to-date and Comprehensive Microsoft documentation on the matter?

Regards

marius

 



issue with Domain


Hi,

We are having an issue with adding a new PC to the domain. We can't add machines to AD.

We tried both NetBIOS name and FQDN both with the same result.

Any suggestion?


web application connecting to DC via ldap


We have a web application in the internet and we want to use our active directory controller on-premise for authentication via ldap when logging in to the application. Can it be done? Or we need a third party software to interface between our web app and active directory since the web app is public and the DC is private?

ADAMSync and two Domains


Hello

I've got a working AD LDS instance on Server 2019. I should now sync two different domains, which works if I do this on the cmd.

For each domain I have a special user to sync the data. What I have not mastered yet is how to automate the synchronization if the two usernames of the two domains are different. It seems that every time I use one of the two /install commands:

ADAMSync /install localhost:50000 c:\windows\ADAM\MS-AdamSyncConf_domainB_v2.xml /passprompt

ADAMSync /install localhost:50000 c:\windows\ADAM\MS-AdamSyncConf_domainA_v2.xml /passprompt

it will overwrite/delete the password of the user configured in the xml file. Is this correct?

All the manuals I've seen talk about using a batch file and running it as a scheduled task for synchronization; that would mean I'd have to enter a (nearly) domain admin credential into a text file, something I don't really like. Am I missing something in the documentation here?

Thanks for help

Patrick

How to export Member of list from Active directory group

How to export the member list of an Active Directory group to CSV.
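One way to produce that export, added here and not code from the original post: a function that lists a group's members (optionally flattening nested groups), looks up each member's userAccountControl so the CSV also records whether the account is disabled, and writes the result with Export-Csv. It assumes the ActiveDirectory module; the group name and output path are placeholders.

```powershell
# Added example, not code from the original post: export the members of a group to CSV, optionally
# expanding nested groups, and record whether each user or computer account is disabled. Assumes
# the ActiveDirectory module; group name and output path are placeholders.
Import-Module ActiveDirectory

function Export-ADGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recursive    # also list members of nested groups
    )

    $members = Get-ADGroupMember -Identity $GroupName -Recursive:$Recursive

    $rows = foreach ($m in $members) {
        # Get-ADGroupMember returns only a few properties; fetch userAccountControl to report state.
        $obj = Get-ADObject -Identity $m.DistinguishedName -Properties userAccountControl
        $uac = $obj.userAccountControl
        [pscustomobject]@{
            Group             = $GroupName
            Name              = $m.Name
            SamAccountName    = $m.SamAccountName
            ObjectClass       = $m.objectClass
            DistinguishedName = $m.DistinguishedName
            # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; groups have no UAC, so leave it blank.
            Disabled          = if ($null -ne $uac) { [bool]($uac -band 2) } else { '' }
        }
    }

    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $rows
}

Export-ADGroupMembers -GroupName 'Domain Admins' -Path 'C:\Temp\DomainAdmins-members.csv' -Recursive |
    Format-Table Name, ObjectClass, Disabled -AutoSize
```

With -Recursive the nested groups themselves are not listed, only the principals they contain; drop the switch to see the direct membership including group objects. For the reverse question (which groups a given account belongs to), Get-ADPrincipalGroupMembership is the matching cmdlet.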

How to get my Active Directory users and computers to log in when they are connected at home using their personal Internet access.


Hello. In these times of remote work... any ideas on how users who are working remotely over their home Internet connection can log on and update their Kerberos keys???

