Channel: Directory Services forum

Capacity plan for Active Directory 2019

Hi All,

Please suggest a capacity plan for Active Directory 2019 (virtual and physical) for 500 users.
Which RAID is recommended?
What type of HDD is recommended (thick or thin)?
How much size is required?
How much vCPU is recommended?

How to cluster Web Application Proxy?


Hi,

I'm trying to figure out how to cluster WAP. Where to start? What would be the steps? How to make WAP highly available?

Thank you!

Configured iSCSI with one virtual disk and assigned it to 3 server initiators


I have configured iSCSI with one virtual disk and assigned it to 3 server initiators (Server1, Server2, Server3).

I copied a file to Server1, then went to Server2 and Server3, and they don't see the file. Sometimes I need to take the disk offline on Server2 and Server3 and then bring it online again to see the file.

Does anyone know what is wrong?

AD transfer


I have a live AD 2003 server. I will set up one new 2012 R2 server, and I want all the live 2008 R2 existing AD services moved to my newly created 2012 R2 server. What are the steps, and how is this possible?

After transferring AD, I will shut down the 2003 server, and as the main server we will keep the newly configured 2012 R2.


Forums continue to evolve - not even sure best place to post questions


Hi,

This is a really general question and only posted here because I am often looking for server/AD stuff...

It seems as though the "official" place to post tech related questions (from an IT admin person's point of view) is constantly changing - or has changed and because I am not here that often, I missed what is going on.

Which MSFT forum is the best spot to post things where there are other IT pros and lots of activity? I seem to get matches now in docs.microsoft.com (which is where my old technet.microsoft.com takes me now) and I recently got matches in https://techcommunity.microsoft.com/ but not sure if that is deprecated or ??

Just want to go where the most answers are...

Thanks.

Why am I unable to add and/or remove multiple entries in a multi-valued attribute from within the AD User Attribute Editor?


Hi, 

I need to remove the entries in a multi-valued attribute of a user. But I am not able to, and the option to add and/or remove is greyed out.

I have Enterprise and Schema Admin permissions too. 

I've also gone into ADSI edit and tried to remove them from there. 

The one that I am trying to remove is a value from a backlink, but I'm getting the same with normal attributes too.

Thanks 

How to enable login password complexity with a custom dictionary for all Domain Users


Hi Team,

Please help to enable login password complexity with a custom dictionary for all Domain Users.


Regards, Pradhap P

DNS configuration in Windows changes unintentionally to manual mode


We have a domain controller (Windows Server 2012) in our LAN; there is also a DHCP server so that clients get their IP automatically.

All clients get the right IP and DNS configuration and work well, but these days we encounter a problem: some clients' DHCP configuration changes to **use the following IP server** unintentionally, and they get some unknown DNS servers (172.18.x.x, 8.8.8.8).

Tips:

  • There is no other modem or DHCP server.
  • The users that log in on the clients don't have enough permission to change the configuration.



Account Operators permissions missing


Hello everyone, my current forest domain functional level is 2012 R2, and it includes 6 DCs running Windows Server 2016 and 1 DC running 2012 R2. In my OU, many Account Operators permissions are missing. Sub-OU permissions are normal and newly created accounts are normal; only old accounts are affected. What's the matter? As shown in the figure:


Account lockout from non domain caller computer name

Good day,


We have a few accounts being locked out. I checked Caller Computer Name and they are all from computers not on the domain:


Caller Computer Name: Windows7 
Caller Computer Name: Windows2012
Caller Computer Name: Windows2016
Caller Computer Name: Windows10
Caller Computer Name: FreeRDP
Computer Name: Rdesktop
Caller Computer Name: mstsc 
Caller Computer Name: Windows2019


My understanding is that normally the computer name would indicate a computer on the network which I can then go to and troubleshoot.


What do I do if none of these are network machines?


Thank you.


Andrei.


ADCS Installing CA Certificate



Just created a new, off-line root CA, and signed the SubCA request generated. All are on the same WS2016 Datacenter

Now I attempt to install this certificate and I receive an error about Invalid Data. The error is instructing me to re-run the wizard which would require I uninstall the role and start over. Then perform another root key ceremony to sign the SubCA request. The error also indicates that there was a subsequent .req file created, when there wasn't.

What is the real cause of this error? Is there debug logging I can enable to learn more? I really do not know if this is a problem accessing the private key or not.

AD LDS new instance vs replica

Hey guys, I have the task to create new AD LDS servers, as the older ones are 2K8 (Servers A/B) and need to be retired. I have built new 2K12 servers (Server C/D); now comes the task of migrating the instances. How does AD LDS replication work? I have created a replica instance on server C copying from server A. When I check the server details under Sites - Configuration partition, it shows me Server A/B and Server C/D. So can I go ahead and decommission server A/B and it would be okay, or will it not work, as C/D is a replica instance of A and removing A will stop it from working? Or do I need to create a new instance on the new C/D servers?

DNS Servers in the Default Domain Controllers OU


We have DNS Servers, DHCP Servers, and Certificate Authority Servers in the Default Domain Controllers OU. Is it OK to move these to a new OU? I have an OU called Member Servers with Sub OUs. I can make OUs for these servers.

The only policy that's linked to the Default Domain Controllers OU is the Default Domain Controllers policy.  

Don't know what the impact will be.  Thanks for your help.

NTDS.dit securing


Hello All,

We have been asked:

What configuration is required on virtual domain controllers if the NTDS.dit file is exfiltrated and some passwords are cracked to get statistics on password usage?

All our domain controllers are on 2016 and the ntds.dit is stored on the C drive with default permissions.


Thanks HA

Why is AD replicating user objects, but not some COMPUTER objects?


Is it possible for AD to correctly replicate "user" objects, but not "computer" objects?

A HelpDesk user told me that he's suspecting a problem with AD replication.

So I tried to check using repadmin /showobjmeta to check the version of certain attributes for some users and everything was fine; several users are replicating with no problem. It looked like a case closed.

But I noticed that for COMPUTER objects, there seems to be a problem.

Here are the details:

In a particular object, the changes have been made locally on that site, but the change has not been replicated.

The object was changed today, on DC3, a simple "description" entry, but nothing seems to be replicated to other DCs.

The weird part is that other computer objects and some users I checked are not affected and are replicating normally.

repadmin /showobjmeta DC3 
1765457                         DC3\BRAMS-SRV0005   1765457 2020-06-08 12:24:50 1037 description

repadmin /showobjmeta DC1
7150700                         DC3\BRAMS-SRV0005   1509159 2020-05-10 14:18:45 1007 description

repadmin /showobjmeta DC2 
93243789                         DC3\BRAMS-SRV0005   1509159 2020-05-10 14:18:45 1007 description

So I began to investigate further and noticed that it looks like replication is not taking place OUTBOUND; objects go but it doesn't come back! And I'm sure no one turned on options to disable outbound replication!

Repl outbound was not blocked:

C:\Windows\system32>repadmin /options brams-srv0005 -DISABLE_OUTBOUND_REPL
Current DSA Options: IS_GC
New DSA Options: IS_GC


C:\Windows\system32>repadmin /options brams-srv0005 +DISABLE_OUTBOUND_REPL
Current DSA Options: IS_GC
New DSA Options: IS_GC DISABLE_OUTBOUND_REPL


C:\Windows\system32>repadmin /options brams-srv0005 -DISABLE_OUTBOUND_REPL
Current DSA Options: IS_GC DISABLE_OUTBOUND_REPL
New DSA Options: IS_GC


C:\Windows\system32>repadmin /options brams-srv0005 -DISABLE_OUTBOUND_REPL
Current DSA Options: IS_GC
New DSA Options: IS_GC


GC authentication for un


Hi folks,

I have a question about GC. If there are AD accounts with the same sAMAccountName (for example "johndoe") but in different child domains (for example, the forest root is company.com and the 2 domains are hr.company.com and it.company.com), what will happen when johndoe is authenticated? Will GC only allow a unique sAMAccountName in the forest or successfully find the user in the proper domain?

Thanks in advance.

Replacing wildcard certificate on DCs


Hi,

Domain Controllers: Windows Server 2016

FFL/DFL: Windows 2012R2

Our current certificate *.mydomain.com from a trusted authority will expire in a few weeks. We have already ordered and received a new certificate with the same name from the same Trusted authority.

We have an application which runs on each DC and is dependent on the Thumbprint of the certificate. When we import the new cert, we will have to retrieve the Thumbprint and modify the config of the application to use the new certificate. This is no big deal!

My questions:

If I import the new certificate, I will have 2 certificates for the same domain.

  • Will the old certificate (not yet expired) be ignored?
  • I will have 2 certificates, 2 Thumbprints. Are both active?
  • If my application is configured with the old Thumbprint, will the app still work OK?
  • If I import the new certificate, is a reboot of the DC required?

Regards,

David

Use DSQuery and DSGet to retrieve specific attributes.

Hi team!

  How can I use the DSQuery and DSGet utilities to retrieve the 'dNSHostName' and 'servicePrincipalName' attributes from a computer object?

Thanks.

Doria

ADAMSync and two Domains


Hello

I've got a working AD LDS instance on Server 2019. I should now sync two different domains, which works if I do this on the cmd.

For each domain I have a special user to sync the data. What I have not mastered yet is how I can automate the synchronization if the two usernames of the two domains are different. It seems that every time I use one of the two /install commands:

ADAMSync /install localhost:50000 c:\windows\ADAM\MS-AdamSyncConf_domainB_v2.xml /passprompt

ADAMSync /install localhost:50000 c:\windows\ADAM\MS-AdamSyncConf_domainA_v2.xml /passprompt

it will overwrite/delete the password of the user configured in the xml file. Is this correct?

All the manuals I've seen talk about using a batch file and running it as a scheduled task for synchronization. That would mean that I have to enter a (nearly) domain admin credential into a text file, something I don't really like. Am I missing something in the documentation here?

Thanks for help

Patrick

AD Delegation for password change


Hello,

I am stuck with this problem on a freshly installed Windows 2016.

I am trying to delegate to my firewall the right to change expired AD user passwords.

The connection is in TLS and users are able to authenticate. Also if I test AD connectivity to the AD Server and user authentication everything works. 

On AD Server I delegate the bind user in the following way:

-Enabled ADUC

-Right click on the Domain Name, then Delegate Control, here I found my bind user and gave the permissions to "Reset user passwords and force password change at next logon"

My bind user is in group Domain Admins and Domain Users.

Then I checked:

- OU Users in Security tab I have my bind user with special permissions. In Advanced I can see that the bind user is repeated 2 times with the following permissions:

User entry #1 Permissions: Reset Password

User entry #2: Read pwdLastSet and Write pwdLastSet

The same permissions are also in the group that is inside the OU Users that I connected to the firewall, and also on the user itself that must change the password, so the permissions are inherited. 

What is the best practice to delegate the permission to my bind user?
Where can I find the logs related to the unsuccessful password change?

Thank you.

Fab

