
Active Directory Certificate Services - Device Certificate


Hi

Wanted to seek some clarification around device certificates which are issued from internal Certificate Services (ADCS).

1. When a certificate is issued to a client machine (Windows 10), how does it ensure the identity of the machine every time?

2. I understand that the certificate is issued to the machine with the machine's hostname. Is this the only parameter that proves the identity of the machine?

Ex: Once a certificate is issued to a machine, if that certificate is then exported and applied to a different machine whose hostname is the same as the earlier one, will this still work?

I know two machines with the same hostname are not possible in a domain.

What if the new machine is not joined to the domain, or

it's joined to the domain as a replacement of the earlier one...

Any thoughts and inputs are highly appreciated.


Regards: Mahesh


DFSR - Change HUB member


Hi everyone!

Thanks for reading!

We have a situation with one DFSR server in a hub and spoke configuration. Actually we have 1 hub and 5 spoke members.

The hub server has a hardware failure and we have to migrate it to a new server.

I have toyed around with the DFS console, but I don't see an option to make changes in the topology; I only have the option to create a new one (which says that it will delete the current topology).

Actually the spoke members are working with the local copy, and my fear is that if I delete the topology and create a new one, the folder will be deleted and a new one created.

Is there any other approach for this migration? Maybe there is some script somewhere to migrate this configuration to the new server?

Or maybe some PowerShell command to make this configuration?

Thanks in advance to everyone!!

Active Directory objects (e.g. user) show the date and time of creation as the day of migration and not when they were originally created or disabled


Just wanted to know: I have a Windows Server 2008 which I have used as a domain controller since 2015, wherein users were created, disabled and deleted from 2015 onwards.

The Windows Team brought in new hardware recently in 2020, where the Windows 2016 OS was installed with Active Directory, and the users and groups from the current AD were migrated to the new OS.

Recently there was an internal audit and the auditor asked for a few pieces of evidence for past user accounts that were disabled, deleted etc. Some of these AD user accounts were disabled and deleted in 2018 and 2019.

But now the Windows Team says the dates will all show 2020 (the date of migration) for all the objects which were disabled or deleted in the past.

Is this how the normal migration process works for Microsoft Active Directory? Shouldn't it restore the original dates when a user object was created, disabled or modified vs. when it was migrated, to maintain an object's auditing and compliance records?

AD experts can provide their view.

Is there a way to get the actual user disabled and modified details now from somewhere?

This is an on-premises Active Directory install scenario.

Thanks

Simon

Revoke net user command for non-admin users

In my domain, local users can fetch user, group and OU information by using the net user or net group commands. I want to restrict local users from accessing such information from Active Directory. Where in AD can I set such settings?

Access to Security Group


Hi All

I have a security group and I need to provide access to one of my users, john@contoso.com, to add/remove members from this security group. If I give the permission of Write Members, will it work for me?

Group - Security - Advanced - Add user (John) and select Write Members
Type: Allow
Applied to: This object and all descendant objects
Properties: Write Members
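As an added example (not from the post above), this is how the ACE described in the post can be written and then read back with the ActiveDirectory module, scoped to the one group. The group DN is a placeholder; the user john@contoso.com is taken from the post, and the schemaIDGUID of the member attribute is the well-known value that the GUI labels "Write Members".

```powershell
# Added example, not code from the post. Delegates "Write Members" on a single
# security group to one user as an explicit ACE, then verifies it.
Import-Module ActiveDirectory

$GroupDn = 'CN=App-Admins,OU=Groups,DC=contoso,DC=com'   # placeholder: replace with the real group DN
$User    = Get-ADUser -Filter "UserPrincipalName -eq 'john@contoso.com'"

# schemaIDGUID of the 'member' attribute. WriteProperty on this GUID is what
# the Advanced Security dialog shows as "Write Members".
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$GroupDn"

# ACE: Allow / WriteProperty / member attribute / this object only.
# A group object has no child objects, so "This object only" (None) is the
# least-privilege scope; "all descendant objects" adds nothing useful here.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$User.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $MemberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$GroupDn" -AclObject $acl

# Verify: list every ACE on the group that grants WriteProperty on 'member',
# including inherited ones, so unexpected delegations show up too.
Get-Acl -Path "AD:\$GroupDn" |
    Select-Object -ExpandProperty Access |
    Where-Object {
        $_.ObjectType -eq $MemberAttrGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    } |
    Format-Table IdentityReference, AccessControlType, IsInherited -AutoSize
```

Whoever holds this right can add any principal, including themselves, to the group, so keep the ACE on the specific group rather than on the OU.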

Domain controllers 2K19 and 2K8r2.


Hi everyone!

Is it possible to raise new 2K19 DCs alongside the old 2K8r2 DCs? In other words, add them to the existing domain and then remove the old ones later?

Thanks.


Doria

A migration plan.


Hello everyone!

We will need to migrate our old domain controllers to a more current version of the Windows OS. However, applications that make use of the domain point to the existing address of one of the old controllers (we have two). In order to avoid the need for changes in the applications, is it possible and viable to perform the migration according to the suggestion below?

-> Remove one of the old domain controllers and raise a new one with the same network address, then perform the same procedure for the other old controller.

Is it a silly idea, or is there some other risk involved?

Hope I was clear enough.


Doria

Throw error while deleting OU containing child objects protected from accidental deletion (Use Subtree Server Control)


While deleting an OU in Active Directory containing child objects protected from accidental deletion, the above shown alert appears. If "Use Delete Subtree server control" is not selected, an error will be thrown if any child object is protected from accidental deletion. I would like to implement the same using cpp.

My current solution is to iterate over all child objects and check if they are protected from accidental deletion. However, that would be costly and hence I'm looking for a better solution. How does Microsoft determine instantly if any child object is protected? Are there any ACEs set on the parent OU if a child object is protected? Any insights would be helpful.


Old Default Domain Policy that has uneditable settings


Hello, I'm left with a very old Default Domain Policy; when I look at its "Settings", I can see settings that, when I go to edit the GP, are not present at all. Clearly, these settings should never have been placed in this GP, but I can't see a way to fix this. What's the safest way to correct/delete/rebuild this GP to be able to delete the missing settings? I have a fresh Default Domain Policy backup from a lab domain; can I restore the blank GP over this malfunctioning one? Or is it safest to rebuild with dcgpofix? My main goal is safety here!

Forest and Directory level 2008 R2.

Thanks!

FRS to DFS Migration and Diagnostic Tools

Hello,

In our environment, all of our domain controllers are running Windows 2008, using FRS. We plan very soon to cut over to DFS, so we can add Domain Controllers running Server 2019 to the domain.

It appears there are several tools to verify domain replication, namely 1) the FRSdiag tool, 2) Ultrasound, 3) ADReplStatus.
1. The FRSdiag tool doesn't appear to work on Windows 10.
2. The Ultrasound tool is no longer available.

The ADReplStatus tool installs and runs on Windows 10. My question is, will it verify AD replication in an environment with Server 2008, currently running FRS?

Active Directory health report shows errors


Hi,

A few weeks ago we migrated our 3 DCs from 2008 R2 to 2016. Currently both the forest and domain functional level is Windows Server 2008 R2. Everything seems to be fine, but when the AD Active Health report is generated it shows the following error messages on all 3 DCs:

1. Sysvol mode is not DFS-R

2. Advertising failed, consider running: dcdiag.exe /test:Advertising

3. DNS failed, consider running: dcdiag.exe /test:DNS

4. VerifyEnterpriseReferences failed, consider running: dcdiag.exe /test:verifyEnterpriseReference.

When executing dcdiag I receive the following result; kindly advise further!

C:\Windows\system32>dcdiag.exe

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
         ......................... DC1 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/06/2020   14:29:48
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/06/2020   14:30:31
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/06/2020   14:31:18
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         ......................... DC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ***********
      Starting test: CheckSDRefDom
         ......................... *********** passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... *********** passed test CrossRefValidation

   Running enterprise tests on : ***********.com
      Starting test: LocatorCheck
         ......................... ***********.com passed test LocatorCheck
      Starting test: Intersite
         ......................... ***********.com passed test Intersite

C:\Windows\system32>

Thanks in advance


Event id 4776


Hi,

I have configured the setting in the Default Domain Controllers Policy: "Send NTLMv2 response only, refuse LM and NTLM requests".

One of my domain users created 1000 event ID 4776 entries with error code C000006A.

He used a workgroup PC and configured his domain account in a script.

The particular script failed to execute on the workgroup PC.

The domain controller did not lock out the account even after 1000 failed login attempts.

I don't have any fine-grained password policy configured.

May I know the reason for it not causing the lockout?



Unable to open ADUC


Hi,

We are continuously facing a problem opening ADUC on our Windows 2012 DC every few days, and we get the below message in the DNS console. After restarting the server it comes back. We followed almost all the articles related to DNS troubleshooting but with no benefit.

Event Type:    Warning
Event Source:    DNS
Event Category:    None
Event ID:    4013
Date:        5/1/2020
Time:        3:04:43 AM
User:        N/A
Computer:    dc1
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How to create a user without any password required to logon?

I want to create a user account in AD that requires no password to log on. I will put this user in an OU. I want all other users in that OU to have passwords, except for this one user account. The reason is that I have created a custom user interface through GPO for this user, so I want anyone to be able to log in to the domain using this account without a password and access that particular application. How do I do this?

Thanks and Regards, Radhakrishnan

I am unable to create new objects on AD - Windows cannot create object because the directory service was unable to allocate the relative identifier


Windows cannot create object because the directory service was unable to allocate the relative identifier

Is there a fix for this?

I do not have access to the 2nd server; that server died. I need to be able to create new users and add new computers to AD.

Please assist


While opening Active Directory users and services, getting an error "Logon Failure: the user has not been granted the requested logon type at this computer"


Hello,

While opening Active Directory users and services, I get the error "Logon Failure: the user has not been granted the requested logon type at this computer".


Can you please help.

Regards,

Yogesh

dcdiag - The system object reference (serverReference)


Hi,

Noticed with dcdiag that we have some references to old/temporary host names. It does not give us any error, but I guess it could. The host names do not exist and were temporary host names for the DCs after replacing them 2-3 years ago.

***************************

      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DCTS1,OU=Domain Controllers,DC=domain,DC=local and backlink on
         CN=DCTS1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=domain,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DCTSNEW,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local
         and backlink on
         CN=NTDS Settings,CN=DCTS1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=domain,DC=local
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=DCTSNEW,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local
         and backlink on CN=DCTS1,OU=Domain Controllers,DC=domain,DC=local
         are correct.
         ......................... DCTS1 passed test VerifyReferences



      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DCBS1,OU=Domain Controllers,DC=domain,DC=local and backlink on
         CN=DCBS1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=domain,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DCBSTMP,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local
         and backlink on
         CN=NTDS Settings,CN=DCBS1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=domain,DC=local
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=DCBSTMP,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local
         and backlink on CN=DCBS1,OU=Domain Controllers,DC=domain,DC=local
         are correct.
         ......................... DCBS1 passed test VerifyReferences

***************************

DCTSNEW does not exist

DCBSTMP does not exist

DCTS1 exists

DCBS1 exists


So do I need to clean this up, and could I cause problems by just right-clicking and deleting them?

Thanks for answers.


/Regards Andreas

Fail-over between IPv6 & IPv4 during AD Replication


Team,

IPv6 & IPv4 are both present on the ADCs. AD replication happens over IPv6 because both IPv6 & IPv4 are present. AD replication is failing between two sites while IPv6 has an issue on the local ISP side.

Is there any way to auto fail over between IPv6 & IPv4? Replication should work over IPv6 (working), and when IPv6 fails AD replication should work over IPv4, and when the IPv6 service is restored, replication should again work over IPv6!

Any input is highly appreciated. Thanks in advance & so far.


bshwjt a.k.a Biswajit


Certificate autoenrollment and Group Policy loopback

We have AD with Group Policy loopback configured. We are planning certificate autoenrollment for users and computers.

How will user autoenrollment work with Group Policy loopback?
