Channel: Directory Services forum

ADFS

Hi All,

I have been asked quite a few questions about our infrastructure and in particular ADFS (Active Directory Federation Services). I have no idea, as I don't have anything to do with Federation Services. I don't even know if it is set up in our Domain. I basically need to find out if we have Federation Services installed. Would anyone have any advice on how to check if we even have Federation Services installed on our Domain?

Any information would be greatly received.

Regards.
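A practical way to answer this, as an added example that is not part of the post above: AD FS leaves two footprints in the domain, a Windows Server role (ADFS-Federation) on the federation servers, and an http/ or host/ SPN for the federation service name on the service account or gMSA it runs as. The script below checks both. It assumes the ActiveDirectory RSAT module, the ServerManager module (for Get-WindowsFeature -ComputerName) and an account allowed to query the servers remotely; the SPN hits are only a hint, because IIS applications register the same kinds of SPN.

```powershell
# Added example: discover whether AD FS is deployed in the current domain.
# Assumes RSAT (ActiveDirectory + ServerManager modules) and remote query rights on the servers.
Import-Module ActiveDirectory
Import-Module ServerManager

function Find-AdfsFootprints {
    # 1. Service accounts (users or gMSAs, not computer objects) holding http/ or host/ SPNs.
    #    AD FS registers the federation service name this way, e.g. host/sts.contoso.com.
    $spnFilter = '(&(|(objectCategory=person)(objectCategory=msDS-GroupManagedServiceAccount))' +
                 '(|(servicePrincipalName=http/*)(servicePrincipalName=host/*)))'
    $spnHits = Get-ADObject -LDAPFilter $spnFilter -Properties servicePrincipalName | ForEach-Object {
        $acct = $_
        $acct.servicePrincipalName |
            Where-Object { $_ -like 'http/*' -or $_ -like 'host/*' } |
            ForEach-Object { [pscustomobject]@{ Source = 'SPN'; Where = $acct.Name; Evidence = $_ } }
    }

    # 2. Ask every enabled Windows Server whether the AD FS role is installed.
    $servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' `
                              -Properties OperatingSystem |
               Select-Object -ExpandProperty DNSHostName
    $roleHits = foreach ($s in $servers) {
        try {
            $feature = Get-WindowsFeature -Name ADFS-Federation -ComputerName $s -ErrorAction Stop
            if ($feature.Installed) {
                [pscustomobject]@{ Source = 'Role'; Where = $s; Evidence = 'ADFS-Federation installed' }
            }
        } catch {
            # Unreachable or access denied: report it rather than silently assuming "no AD FS here".
            Write-Warning "Could not query $s : $($_.Exception.Message)"
        }
    }

    @($spnHits) + @($roleHits)
}

Find-AdfsFootprints | Format-Table -AutoSize
```

Servers that cannot be queried are listed as warnings on purpose: a blank result only proves absence if every server answered.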


Cannot Promote Server 2012 R2 Server to DC??

I have a freshly installed Server 2012 R2 Core Edition with all of the latest updates as of today.  I did the following:

- Changed name to DC6
- Joined it to the existing domain.
- Logged in as domain admin.
- Set fixed IP address & set DNS servers to other DNS servers already on the network.

I then installed the AD DC via Server Manager from my computer and that went through fine.  I then logged into the server itself and ran the following command:

I ran Install-ADDSDomainController via PowerShell and answered the prompts as requested for the current domain and safe mode administrator password. I get the following error:

Verification of prerequisites for Active Directory preparation failed.  The specified user does not have SESecurityPrivilegeEnabled.

I ensured that Domain Admins (I'm logged in as a domain admin) are in the local Administrators group and that hasn't helped. NOTE: I haven't had any problems adding domain controllers in the past, only with this Server 2012 R2 version. I'm currently running Server 2008 R2 DCs at the 2008 forest level.

Anybody have any ideas?
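The privilege named in that error, SeSecurityPrivilege, is the "Manage auditing and security log" user right. Local Administrators hold it by default, so the usual check is whether a policy applied to the new server has redefined that right and pushed Administrators (and with it Domain Admins) out. The following added example, which is not from the post, shows how to verify both what the current token holds and what the effective local policy assigns. It assumes an elevated session on the server being promoted; the temporary file name is a placeholder.

```powershell
# Added example: check whether the logged-on account holds SeSecurityPrivilege
# and who the effective local policy assigns it to. Run elevated on the server being promoted.
function Test-SeSecurityPrivilege {
    # whoami /priv lists the privileges in the current token.
    # A State of "Disabled" still means the right is held; it is simply not enabled yet.
    $tokenLines = whoami /priv
    $heldLine   = $tokenLines | Where-Object { $_ -match '^SeSecurityPrivilege\s' }

    # Export the resultant local security policy and read the user-right assignment line.
    $inf = Join-Path $env:TEMP 'secpol-check.inf'   # placeholder path
    secedit /export /cfg $inf /quiet | Out-Null
    $assignedLine = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User        = (whoami)
        HeldInToken = [bool]$heldLine
        TokenState  = if ($heldLine) { ($heldLine -split '\s{2,}')[-1] } else { 'not present' }
        # SIDs (*S-1-5-32-544 is Administrators) or names; empty means a policy removed the right entirely.
        AssignedTo  = ($assignedLine -replace '^SeSecurityPrivilege\s*=\s*', '')
    }
}

Test-SeSecurityPrivilege | Format-List
```

If HeldInToken is false while Domain Admins is in local Administrators, look at the Group Policy objects applied to the server (gpresult /h report.html) for a "Manage auditing and security log" setting that lists only specific groups.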

Local Security Policy cannot be contacted

Hi,

We have two Windows 2012 DCs. After the primary DC went down, users were unable to log in to an RDP server and were getting the error message "Local security policy cannot be contacted". Does this mean the second DC is not working fine? Both DCs have the same roles installed.

Thanks.

ADMT 3.2 User Migration issue

I am using ADMT 3.2 for inter-domain user migration within the forest.

After the migration the issues below are occurring:

1. The UPN suffix is getting changed. I know this is common, but it's not setting it to the destination domain suffix; instead it is using one of my email domain suffixes, which I have manually added in UPN suffixes under Domains and Trusts.

2. "User must change password at next logon" is getting checked.

3. While checking the creation date I found the user is showing as a newly created user at the destination, and sIDHistory is showing some values, which is contradictory; of course I am doing a migration and not newly creating the users in the destination domain.

I checked GPO and nothing is related to this.

I checked the UPNSuffix attribute for the domain in case it is hardcoded somehow via GPO or OU properties, but this is not the case either.

Is there something that needs to be checked in ADMT, or is this related to something else? Please help me with your feedback.

How to find which *Active* users are not logged in AD for 120 days?

I want to export a list, preferably using LDAP and not PowerShell (but it can be both), of all users that haven't logged in in the past 120 days and are still active (not the disabled ones).

I need only their display name, email and description.
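As an added example that is not part of the post: the query can be expressed as a pure LDAP filter (usable from ldifde, ldp.exe or any LDAP client) and driven from PowerShell only for the date arithmetic and the CSV export. It filters on lastLogonTimestamp, the replicated logon stamp, excludes disabled accounts with the userAccountControl bitmask rule, and optionally includes accounts that have never logged on at all, which a plain "older than" comparison silently drops because the attribute is absent. It assumes the ActiveDirectory RSAT module; the output path is a placeholder.

```powershell
# Added example: enabled users with no logon in the last N days, via an LDAP filter.
# Assumes the ActiveDirectory RSAT module and read access to the user objects.
Import-Module ActiveDirectory

function Get-InactiveEnabledUsers {
    param(
        [int]$Days = 120,
        [switch]$IncludeNeverLoggedOn
    )

    # lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC); convert the cutoff the same way.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()

    # Account not disabled: userAccountControl bit 0x2 (ACCOUNTDISABLE) must be clear.
    $enabledUser = '(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

    if ($IncludeNeverLoggedOn) {
        # Accounts that never logged on have no lastLogonTimestamp, so "<=" alone would miss them.
        $filter = "(&$enabledUser(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"
    } else {
        $filter = "(&$enabledUser(lastLogonTimestamp<=$cutoff))"
    }

    Get-ADUser -LDAPFilter $filter -Properties displayName, mail, description, lastLogonTimestamp |
        Select-Object displayName, mail, description,
            @{ n = 'LastLogon'; e = {
                if ($_.lastLogonTimestamp) { [datetime]::FromFileTimeUtc($_.lastLogonTimestamp) } else { $null }
            } }
}

Get-InactiveEnabledUsers -Days 120 -IncludeNeverLoggedOn |
    Export-Csv -Path '.\inactive-users.csv' -NoTypeInformation -Encoding UTF8   # placeholder path
```

lastLogonTimestamp is only rewritten when the stored value is more than about 9 to 14 days old, so it is accurate enough for a 120-day window but useless for "who logged on yesterday"; the per-DC lastLogon attribute is exact but not replicated. Search-ADAccount -AccountInactive -TimeSpan 120 -UsersOnly gives a comparable list when PowerShell alone is acceptable.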

Set a specific expiration date in AD

I want to set a 1-day password expiration in AD. How can I do that?

SysVol Permissions for one or more GPO's are not in sync

ADFS certificate-based authentication using machine (not user) certificates

I have an environment running Windows 2012 R2 ADFS. We've set up certificate-based authentication using client certificates (user certificates) and it's working as expected. They would like to use machine certificates instead of user certificates for the certificate-based authentication. Is this possible and, if so, how do I do it?

Thanks!


Active Directory rogue client

Hello,

Just want to know: if one PC client joined AD (A), whose domain controller name is identical to that of AD (B), and then switches to network AD (B), which it does not belong to, but keeps the same client hostname that exists in AD (B), what info can that rogue client PC pull from DC (B)? Can AD detect those rogue clients? Sorry for my English.


Attribute for AD User password expire date

Hi,

How do I enable the attribute for AD user password expiry date details? I know we can get the details using a simple command/PowerShell, but I want to see this detail in the user account attributes themselves.

Thanks in advance.
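One added example, not from either post, that covers both the "1-day expiration" question above and this one. Part 1 gives a group of accounts a one-day maximum password age through a fine-grained password policy (2008 or later domain functional level), which leaves the Default Domain Policy alone. Part 2 reads the expiry date back: there is no stored attribute to enable, but the DC exposes the constructed attribute msDS-UserPasswordExpiryTimeComputed, derived from pwdLastSet and whichever policy wins for that account. The policy name and the group name are placeholders; the ActiveDirectory RSAT module and rights to create PSOs are assumed.

```powershell
# Added example: 1-day password lifetime via a fine-grained password policy, and reading the computed expiry.
# Assumes the ActiveDirectory RSAT module; policy and group names below are placeholders.
Import-Module ActiveDirectory

# --- Part 1: a PSO with MaxPasswordAge of one day, applied to one group (not the whole domain).
function New-OneDayPasswordPolicy {
    param(
        [string]$PolicyName = 'PLACEHOLDER-OneDayExpiry',
        [string]$GroupName  = 'PLACEHOLDER-ShortPasswordLifetime'
    )
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -Description 'Passwords expire after one day' `
        -MaxPasswordAge (New-TimeSpan -Days 1) -MinPasswordAge (New-TimeSpan -Days 0) `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) -LockoutObservationWindow (New-TimeSpan -Minutes 15)
    # Lower Precedence wins if several PSOs apply to the same user.
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

# --- Part 2: per-account expiry as the DC computes it.
function Get-PasswordExpiry {
    param([Parameter(Mandatory)][string]$Identity)
    $u   = Get-ADUser -Identity $Identity -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires, PasswordExpired
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    if ($null -eq $raw) {
        $expires = 'n/a (attribute not returned)'
    } else {
        $expires = switch ($raw) {
            0                    { 'now (pwdLastSet is 0: must change at next logon)' }
            9223372036854775807  { 'never' }   # Int64.MaxValue: "password never expires" or no max age
            default              { [datetime]::FromFileTime($_) }   # FromFileTime would throw on MaxValue
        }
    }

    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity   # $null when the Default Domain Policy applies
    [pscustomobject]@{
        User                 = $u.SamAccountName
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordExpired      = $u.PasswordExpired
        Expires              = $expires
        EffectivePolicy      = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    }
}

# Usage (placeholders):
# New-OneDayPasswordPolicy
# Get-PasswordExpiry -Identity 'PLACEHOLDER-samAccountName' | Format-List
```

The two sentinel values matter in practice: Int64.MaxValue means "never", and converting it with FromFileTime throws, so any export script has to special-case it before it formats dates.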

Event id 4776

Hi,

I have configured the setting in the Default Domain Controllers Policy: "Send NTLMv2 response only. Refuse LM & NTLM".

One of my domain users generated 1000 event ID 4776 entries with error code C000006A.

He used a workgroup PC and configured his domain account in a script.

The particular script failed to execute on the workgroup PC.

The domain controller did not lock out the account even after 1000 failed login attempts.

I don't have any fine-grained password policy configured.

May I know the reason the lockout did not occur?
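As an added example that is not from the post: event 4776 is NTLM credential validation on the DC, and status C000006A is "wrong password". Whether that turns into a lockout depends on the effective policy, so the first thing to read is the lockout threshold the account actually gets (0 means lock out never), and the badPwdCount on the PDC emulator, which is where bad-password attempts are chained for a second check. The script below summarises failed 4776 events per user and workstation from the DC's Security log and prints the effective lockout settings for one account. It assumes the ActiveDirectory RSAT module and rights to read the Security log on the DC.

```powershell
# Added example: summarise NTLM validation failures (4776) and show the lockout policy in force.
# Run on (or with Security-log read rights to) the DC that logged the events; assumes RSAT.
Import-Module ActiveDirectory

function Get-NtlmFailureSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML instead of parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['TargetUserName']
                Workstation = $d['Workstation']
                Status      = $d['Status']      # 0x0 = success, 0xc000006a = bad password, 0xc0000234 = locked out
            }
        } |
        Where-Object { $_.Status -ne '0x0' } |
        Group-Object User, Workstation, Status |
        Select-Object Count,
            @{ n = 'User';        e = { $_.Group[0].User } },
            @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
            @{ n = 'Status';      e = { $_.Group[0].Status } } |
        Sort-Object Count -Descending
}

function Get-EffectiveLockoutPolicy {
    param([Parameter(Mandatory)][string]$Identity)
    $pdc  = (Get-ADDomain).PDCEmulator
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($fgpp) { $p = $fgpp; $source = "FGPP '$($fgpp.Name)'" }
    else       { $p = Get-ADDefaultDomainPasswordPolicy; $source = 'Default Domain Policy' }
    [pscustomobject]@{
        Source            = $source
        LockoutThreshold  = $p.LockoutThreshold          # 0 = accounts are never locked out
        ObservationWindow = $p.LockoutObservationWindow
        LockoutDuration   = $p.LockoutDuration
        # badPwdCount is not replicated; the PDC emulator holds the authoritative count.
        BadPwdCountOnPdc  = (Get-ADUser -Identity $Identity -Server $pdc -Properties badPwdCount).badPwdCount
    }
}

# Usage:
# Get-NtlmFailureSummary -Hours 24 | Format-Table -AutoSize
# Get-EffectiveLockoutPolicy -Identity 'PLACEHOLDER-samAccountName'
```

Two things routinely explain "a thousand failures and no lockout": a threshold of 0 in the policy that actually applies, and the fact that a wrong password equal to one of the account's two previous passwords does not increment badPwdCount, which is exactly what a script carrying a stale credential produces.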

Throw error while deleting OU containing child objects Protected from accidental deletion(Use Subtree Server Control)

While deleting an OU in Active Directory containing child objects protected from accidental deletion, the above shown alert appears. If "Use Delete Subtree server control" is not selected, an error will be thrown if any child object is protected from accidental deletion. I would like to implement the same using C++.

My current solution is to iterate over all child objects and check if they are protected from accidental deletion. However, that would be costly, and hence I'm looking for a better solution. How does Microsoft determine instantly whether any child object is protected? Are there any ACEs set in the parent OU if a child object is protected? Any insights would be helpful.

How to list Email Changes in last 24hrs in Active Directory?

How do I list email changes in the last 24 hrs in Active Directory? Is there any flag that we can specifically check?

The "whenChanged" attribute is updated for all value changes, but I would like to list only email changes in some time frame.

Please help me.
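There is no per-attribute timestamp on the object itself, but every attribute carries replication metadata, and that metadata records when the value was last changed and on which DC the change originated. The added example below, which is not from the post, uses whenChanged as a cheap pre-filter (an object whose mail changed in the window must also have whenChanged in it) and then asks for the metadata of the mail attribute only. It assumes the ActiveDirectory RSAT module on Windows Server 2012 or later and queries the PDC emulator; for a durable audit trail, directory service change auditing (event 5136) is the complementary control.

```powershell
# Added example: list user objects whose "mail" attribute changed in the last N hours,
# using per-attribute replication metadata. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-RecentMailChanges {
    param(
        [int]$Hours = 24,
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $cutoff = (Get-Date).AddHours(-$Hours)

    # whenChanged in LDAP generalized-time form (UTC), so the pre-filter runs on the DC, not the client.
    $ldapTime = $cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    $filter   = "(&(objectCategory=person)(objectClass=user)(whenChanged>=$ldapTime))"

    $candidates = Get-ADObject -Server $Server -LDAPFilter $filter -Properties mail, whenChanged
    foreach ($obj in $candidates) {
        # Metadata for just the "mail" attribute; nothing is returned if the attribute was never set.
        $meta = Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName -Server $Server -Properties mail
        if ($meta -and $meta.LastOriginatingChangeTime -ge $cutoff) {
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                MailNow    = $obj.mail            # $null here means the address was removed
                ChangedAt  = $meta.LastOriginatingChangeTime
                Version    = $meta.Version        # increments on every write to this attribute
                OriginDc   = $meta.LastOriginatingChangeDirectoryServerIdentity
            }
        }
    }
}

Get-RecentMailChanges -Hours 24 | Format-Table -AutoSize
```

The metadata tells you when and where the value changed, not what it was before or who changed it; for those two details you need 5136 auditing enabled on the DCs.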

Windows Server 2012 R2 Domain Controller Hang and "Please wait for the System Event Notification Service" Message

The problem we are experiencing is intermittent. At some point overnight (typically, but there are no error messages logged to pin it to a specific time) the domain controller DRDC02 began to refuse to launch new programs. All DCs are seeing this issue. All DCs are VMs. DRDC02 is just the most recent case.

If we connect to the VM desktop using the vSphere remote console or using MSTSC.EXE over Remote Desktop Protocol, we can sign in to the desktop of the hung DRDC02:
 1. I can launch Notepad, Calculator, File Explorer and other simple programs.
 2. I cannot launch ServerManager.exe, eventvwr.msc or other MMC management tools.
 3. Ctrl-Alt-Del (Ctrl-Alt-End) works, but I cannot launch Task Manager from the resulting splash screen.
 4. Programs > Run CMD opens a command window, but I cannot perform commands in that command window, or if I can (NSLOOKUP, for instance) the command never ends and returns to the C:\> command prompt. I am then unable to close the command window.
 5. I can perform remote WMI operations (for example, connect to DRDC02 to run eventvwr.msc remotely), or perform a remote restart ("SHUTDOWN -R -M \\DRDC02").
 6. I can perform remote SMB operations (for example, connect to the \\DRDC02\SYSVOL share).
 7. If I manually run an incremental backup of the DRDC02 client using our backup product:
    a. The Active Directory agent will run a backup and complete normally.
    b. The Windows File System agent will hang.
    c. Although the server desktop was somewhat responsive up to this point, when the backup job stalled out the desktop became completely unresponsive as well.
 8. When I restart DRDC02 the system hangs during shutdown with the message "Please wait for the System Event Notification Service"; this takes about 15 minutes to self-resolve and the server restarts.
    a. Why is SENS not ending?
    b. Is it possible SENS is the cause of the problems?
 9. Searching Google for these symptoms, the only recommendation I find is to run SFC /SCANNOW.
    a. SFC /SCANNOW results are:
    b. Verification 100% complete. Windows Resource Protection did not find any integrity violations.

Question: Need a fix to prevent the domain controllers from hanging/becoming unresponsive.


Need to export all machines from AD along with their OU

Hi, 

I'm looking to export the list of computers in AD along with their OU using PowerShell.

Please help
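As an added example that is not part of the post: the OU is not a separate attribute, it is the parent of the computer's distinguished name, so the export strips the leading CN= component. The regex below tolerates escaped commas inside the name (a CN such as "Server\, Lab"), which a naive split on "," gets wrong. It assumes the ActiveDirectory RSAT module; the output path is a placeholder.

```powershell
# Added example: export every computer object with its parent OU (DN form and canonical path form).
# Assumes the ActiveDirectory RSAT module; the CSV path is a placeholder.
Import-Module ActiveDirectory

function Get-ParentDn {
    # Remove the leading RDN ("CN=...,"). "(?:[^,\\]|\\.)+" consumes escaped characters such as "\," so a
    # comma inside the computer name does not cut the DN in the wrong place.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
}

function Export-ComputersWithOu {
    param([string]$Path = '.\computers-by-ou.csv')   # placeholder path
    Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate, CanonicalName |
        Select-Object Name, DNSHostName, Enabled, OperatingSystem, LastLogonDate,
            @{ n = 'OU';     e = { Get-ParentDn $_.DistinguishedName } },
            @{ n = 'OUPath'; e = { $_.CanonicalName -replace '/[^/]+$', '' } } |   # drop the trailing "/Name"
        Sort-Object OU, Name |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

Export-ComputersWithOu
```

Enabled and LastLogonDate are included on purpose: an export grouped by OU is a natural place to spot stale or disabled machines sitting in production containers.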


Add AzureAD "member" to local security group

Hi,

I recently added a guest user in Azure AD which I converted to a member using PowerShell in order to be able to add it as a member of an Office 365 Group. I had to do this to be able to forward emails received on an email address to a Teams email address, to see the emails on that Teams channel.

I want to do the same: add that former guest (currently a member) to a security group that was created on the on-premises DC.

The issue is that the user is not synced with on-premises AD and the security group can't be managed from the Office/Exchange portal.

Using PowerShell doesn't help either:

Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects

What solution could be used for this scenario?


Regards,

Adi

Authentication using a AD LDS

Hello,
Does anyone know how to set up an AD LDS instance so that systems such as a vSphere appliance (VCSA) or other Linux-based systems can authenticate with AD accounts?

Our Setup

  • AD with Windows Server 2016, all function levels are 2016
  • one forest with multiple domains
  • there are several internal systems (e.g. VCSA), which are located at the internal network and which are using our AD as identity source for SSO - no problems here

Now an external service provider is to host and operate a web application for us. It is a requirement that our users can then log in via their AD accounts. For this purpose, a connection to our AD must be established. For data protection reasons, however, we cannot establish a direct connection to our AD, because otherwise the external service provider can read the information of all users from the entire AD, even those that have nothing to do with this mentioned web application. Restricting the access rights (denying reading access) would be extremely time-consuming or not feasible at all without a complete restructuring of our AD structures. Hence the idea of having to do that via an AD LDS.

So we have an AD with multiple domains behind a firewall. In front of the firewall is a Windows Server 2016 with AD LDS (hereinafter referred to as "LDAP Proxy"). The LDAP proxy is a member of one of the internal domains. This domain membership is fully functional, and the appropriate rules are set up in the FW. So far no problem.

The AD proxy synchronizes selected AD accounts from the different domains and creates userProxy objects in its LDAP. So far good, no problem.

What does not work is the connection as an identity source, e.g. in a VCSA, which is also in the same subnet as the LDAP proxy in front of the FW.

When we try to set up the identity source on the VCSA, the LDAP proxy logs the following in the security event log (translated from the German message text):

Audit Failed - Event ID 4776

An attempt was made to verify the credentials for an account.

Authentication package: ADAM_XyZ
Login account: CN=XyZuser1,OU=Benutzer,DC=XyZ,DC=ADproxy,DC=local
Workstation: 192.168.245.35:34760
Error code: 0xC000006D

The error code varies.
If we use the NT login name such as "domain\samaccountname" to set up the identity source, then the error code is

0xC0000064
Meaning: User login with misspelled or incorrect user account
This seems logical because the userProxy object contains the sAMAccountName, but not the NetBIOS name of the domain.

If we use the UPN such as "name@domain.tld" to set up the identity source, then the error code is

0xC000006D
Meaning: This is due to either a bad user name or authentication information.
The UPN is contained in the userProxy object and the event log message also contains the correctly recognized DistinguishedName.

I tried to set up the identity source with an account that is synchronized to the LDAP proxy, an AD account that is not synchronized, and a local account of the LDAP proxy (all three are members of the Readers role in AD LDS).

What I can rule out:

  • incorrect user name -- multiple attempts
  • wrong password -- multiple attempts
  • Missing open TCP/UDP ports -- I disabled the local firewall of the LDAP proxy for testing, and there is no other FW between VCSA and LDAP proxy.

So I'm doing something wrong. Does anyone have any idea?

E.

msg command is not working

hello,

I want to send a message to a particular user or computer using the msg command, but nothing is happening. The output is shown below:

C:\>msg 192.168.10.15 "test msg"
192.168.10.14 does not exist or is disconnected

even though 192.168.10.15 is online. Am I doing anything wrong?

O365 Hybrid Deployment

My organization is currently in a full hybrid O365 deployment; I believe that is what you call our setup anyway. We have migrated all of our mailboxes to O365, but we still have to create new users and manage our users from our on-premises Exchange 2016. Another organization I am familiar with uses O365 and they just sync their user information with AD sync. When they create a new user, they have to create the user in their AD and in O365. The passwords are synced through AD sync, which runs every 15 minutes. I believe you refer to this as a minimal hybrid deployment.

My question is, how do I get from a full hybrid deployment to a minimal hybrid deployment? Is there a tech article on this?

Trusting AD CS CA issued SSL in another AD Domain that has no trust relationship

Hello - We have two 2016 level AD domains. They are not in a forest and there's no trust relationship.

One domain controller in the 1st domain (DMZ) has the AD CS role, and I have issued a CA SSL (server auth) cert to the WSUS server in the same domain. The WSUS server will serve as the WSUS for both AD domains, DMZ and Domain2.

Currently, Domain2 GP is configured to deliver the certificate to the Trusted Root Certification Authorities store. The machines in the test are receiving the certificate successfully and GP is processing without issues. All the settings pushed by the group policy are correct for the WSUS URL, and there is no FW in the middle. The machines can check into our previous WSUS in the DMZ domain that is not secured over SSL.

Those client computers in Domain2, however, fail to check for updates with the new SSL-configured WSUS, with error 800b0109.

Viewing the SSL certificate certification path on the Domain2 machines shows the message "the issuer of this certificate could not be found".

The question is, is it possible to have the DMZ CA's SSL cert trusted by the secondary domain (Domain2) computers so that WSUS can be secured with SSL across domains?

Thank you for any advice.
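Error 0x800b0109 is CERT_E_UNTRUSTEDROOT: the client built a chain from the WSUS certificate but it ended in a root that is not in its Trusted Root store. The added example below, which is not from the post, reproduces the check a Domain2 machine performs: it fetches the certificate the WSUS endpoint actually presents, builds the chain in the machine context, and reports each chain element together with whether the issuer is present in LocalMachine\Root. That separates the common causes (the GPO pushed the server certificate instead of the CA certificate, the CA is a subordinate whose intermediate is missing, or the name on the certificate differs from the URL). Host name and port are placeholders; Windows PowerShell 5 or later is assumed.

```powershell
# Added example: verify, from a Domain2 client, that the TLS certificate presented by the WSUS server
# chains to a root in the machine's Trusted Root store. Host and port are placeholders.
function Test-WsusTlsChain {
    param(
        [Parameter(Mandatory)][string]$WsusHost,   # e.g. 'wsus.dmz.example' (placeholder)
        [int]$Port = 8531                          # default WSUS SSL port; placeholder
    )

    # 1. Capture the certificate the server presents. The callback accepts anything at this stage
    #    because we want the certificate in hand even when it does not validate.
    $client = [System.Net.Sockets.TcpClient]::new($WsusHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($WsusHost)
        $serverCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # 2. Build the chain exactly as a machine-context consumer (the Windows Update agent) would.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)   # $true = LocalMachine stores
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate the trust question from CRL reachability
    $chainOk = $chain.Build($serverCert)

    $rootStoreHasIssuer = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                                 Where-Object { $_.Subject -eq $serverCert.Issuer })

    [pscustomobject]@{
        Subject           = $serverCert.Subject
        Issuer            = $serverCert.Issuer
        NameMatchesHost   = ($serverCert.DnsNameList.Unicode -contains $WsusHost)
        ChainTrusted      = $chainOk
        ChainStatus       = ($chain.ChainStatus.Status -join ', ')        # e.g. UntrustedRoot, PartialChain
        ChainElements     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        IssuerInRootStore = $rootStoreHasIssuer
    }
}

Test-WsusTlsChain -WsusHost 'PLACEHOLDER-wsus-host' -Port 8531 | Format-List
```

Read the result as follows: UntrustedRoot with IssuerInRootStore false means the CA certificate (not the WSUS server certificate) has to be the one delivered to Trusted Root Certification Authorities; PartialChain means an intermediate CA certificate is missing from the Intermediate Certification Authorities store; a trusted chain with NameMatchesHost false means the GPO's WSUS URL and the certificate's subject alternative names disagree.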
