Channel: Directory Services forum

wireless security password from Active Directory GPO


Hi

I want to disable or hide the wireless security password option from an Active Directory GPO (Server 2016) for Active Directory users.

Interface: WiFi > Right button > Status > Wireless Properties > Security (tab). I will need a "Disable Security (tab)" option by GPO. Please advise and share the documents.








Local Security Policy cannot be contacted


Hi,

We have two Windows 2012 DCs. After the primary DC went down, users were unable to log in to an RDP server and got the error message "Local security policy cannot be contacted". Does this mean the second DC is not working fine? Both DCs have the same roles installed.

Thanks.

DNS replication time and check DNS


Hello,
I have software that uses DNS and reverse DNS of the company domain to work properly.
At the moment, in the company, there are two domain controllers.
Both of them have AD, DHCP and DNS services.

I would like to improve, if it is possible, the DNS replication time between these two domain controllers.
These two DCs are in the same VLAN and in the same site.

How can I check it?
Is it possible to decrease the DNS replication time?
How can I check if everything about DNS works properly?

Thanks so much!

Federico

Adding domain to forest


Our first DC was created with the forest name first.forest.com, with the thought that by joining a new second domain to it I could create second.forest.com. But from what I'm reading, when I add the second domain to the forest it will create second.first.forest.com.

Is there a way to do what I want? Or do I have to recreate the forest as forest.com and add first.forest.com and second.forest.com?

Thanks in advance,

Jim

Preventing automation task failure because of account lockout.


Hello,

In my environment, there is a service account used to perform AD-related operations tasks (adding/removing users from groups) via automation called by Service Now. What I observed over a couple of days is that the automation task is failing because of that service account's lockout.

I need to know whether I can do something to prevent the account from locking out, so that the AD-related operations tasks are completed via automation.

Any suggestion or approach?


G-ONE
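The first thing to establish for a recurring service-account lockout is which host is sending the bad credentials, because every lockout in the domain is recorded as event 4740 on the PDC emulator together with the "Caller Computer Name". The script below is an added example, not code from the post or from Service Now; it assumes the ActiveDirectory module, remote read access to the Security log on the PDCe, and a placeholder account name `svc-servicenow`.

```powershell
# Added example (not from the original post): find which host is sending the bad
# credentials that lock a service account, by reading event 4740 from the PDC
# emulator, which records every lockout in the domain. Requires the ActiveDirectory
# module and permission to read the Security log on the PDCe remotely.
# 'svc-servicenow' is a placeholder account name.
param(
    [string]$Account = 'svc-servicenow',
    [int]$Hours      = 48
)

Import-Module ActiveDirectory

# Every lockout is forwarded to the PDC emulator, so one query covers all DCs.
$pdce = (Get-ADDomain).PDCEmulator

$events = Get-WinEvent -ComputerName $pdce -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # EventData order for 4740: TargetUserName (the locked account), then
    # TargetDomainName, which holds the "Caller Computer Name" that sent the bad passwords.
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $e.Properties[0].Value
        Caller  = $e.Properties[1].Value
    }
}

$mine = $lockouts | Where-Object { $_.Account -eq $Account }

# Each lockout of the account, newest first.
$mine | Sort-Object Time -Descending | Format-Table Time, Account, Caller -AutoSize

# How often each caller locks the account. One host with a stale stored credential
# (scheduled task, service, saved session, or the automation's own credential store)
# is the usual pattern, and that host is where the fix belongs, not the AD policy.
$mine | Group-Object Caller | Select-Object Name, Count | Sort-Object Count -Descending

# Current state of the account and the lockout policy it falls under. badPwdCount is
# tracked per DC (not replicated), so read it from the PDCe where lockouts converge.
Get-ADUser $Account -Server $pdce -Properties LockedOut, badPwdCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt

# A fine-grained password policy (PSO) may apply to the account; otherwise use the domain default.
$policy = Get-ADUserResultantPasswordPolicy $Account
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
$policy | Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
```

Run it as `.\Find-LockoutSource.ps1 -Account <service account> -Hours 72` (file name is the example's own). Once the caller is known, the pending bad-password attempts on that host (a cached credential that was not updated after a password change is the typical cause) can be corrected, which removes the lockouts without weakening the lockout threshold for the account.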

Clone AD


Dear Expert,

Our current AD has 2 trusted organizational units and we want to separate these 2 OUs and locate them at server B (different location).

I am planning to use a method to clone our current AD and use the cloned AD to run at a different server, but both OUs are still there.

The change is that I change the IP address at the cloned AD and users point to it.

Is this method workable? Or are there other ways to do it?

Thank you

How to find which *Active* users are not logged in AD for 120 days?


I want to export a list,

preferably using LDAP and not PowerShell, but it can be both,

with all users that haven't logged in during the past 120 days and are still active (not the disabled ones).

I need only their display name, email and description.
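One way to produce exactly that list is a single LDAP filter that excludes disabled accounts with the bitwise matching rule on `userAccountControl` and compares the replicated `lastLogonTimestamp` against a FILETIME cutoff; the filter can be fed to any LDAP client, and the PowerShell around it only selects the three attributes and writes the CSV. This is an added example, not code from the post; it assumes the ActiveDirectory module and a domain-joined machine, and the output file name is the example's own.

```powershell
# Added example (not from the original post): list enabled users whose replicated
# lastLogonTimestamp is older than 120 days, keeping only display name, mail and
# description, and export the result to CSV. Requires the ActiveDirectory module.
$Days   = 120
$cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()   # AD stores the value as a FILETIME integer

# Pure LDAP filter, usable from any LDAP client (ldifde, ldp.exe, Get-ADUser -LDAPFilter):
#  - objectCategory=person + objectClass=user : user objects only, not computers or contacts
#  - userAccountControl bit 2 not set         : account is not disabled
#                                               (OID 1.2.840.113556.1.4.803 is the bitwise-AND matching rule)
#  - lastLogonTimestamp <= cutoff             : last replicated logon is older than the cutoff
#  - or no lastLogonTimestamp at all          : the account has never logged on
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter $filter -Properties displayName, mail, description, lastLogonTimestamp |
    Select-Object displayName,
                  mail,
                  description,
                  @{ Name = 'LastLogon'
                     Expression = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } } |
    Sort-Object LastLogon |
    Export-Csv -Path .\inactive-120d.csv -NoTypeInformation -Encoding UTF8

# Caveat: lastLogonTimestamp is replicated but is only rewritten when the stored value
# is older than msDS-LogonTimeSyncInterval (14 days by default), so the report can be
# up to about two weeks stale. The per-DC lastLogon attribute is exact but not
# replicated, so it would have to be read from every DC and the newest value taken.
```

The same filter works without PowerShell, for example with `ldifde -r "<filter>" -l displayName,mail,description -f out.ldf`, after substituting the numeric cutoff for `$cutoff`. Accounts that have never logged on are included on purpose because they have no `lastLogonTimestamp` to compare; drop the `(!(lastLogonTimestamp=*))` branch if only accounts with a known last logon are wanted.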

SysVol Permissions for one or more GPO's are not in sync


dns server and ad server


I newly configured one DNS (jkil.local) Server 2012 R2, made DNS and configured AD.

I want to rename the domain jkil.local to jkumar.local,

but the domain name is still showing JKIL.local. When I use rendom /upload it shows the error "a domain rename process already in progress". Please suggest what needs to be done.

ADMT 3.2 User Migration issue


I am using ADMT 3.2 for inter-domain user migration within the forest.

After the migration, the issues below are occurring:

1. The UPN suffix is getting changed. I know this is common, but it is not setting it to the destination domain suffix; instead it is using one of my email domain suffixes which I manually added in UPN suffixes under Domains and Trusts.

2. "User must change password at next logon" is getting checked.

3. While checking the creation date I found the user is showing as a newly created user at the destination, and sIDHistory is showing some values, which is contradictory, and of course I am doing a migration and not newly creating the users in the destination domain.

I checked GPO and nothing is related to this.

I checked the UPNSuffix attribute for the domain in case it is hardcoded somehow via GPO or OU properties, but this is not the case either.

Is there something that needs to be checked at ADMT, or is this related to something else? Please help me with your feedback.

Authentication using an AD LDS


Hello,
does anyone know how to set up an AD LDS to authenticate with AD accounts, such as a vSphere Appliance (VCSA)? Or other Linux-based systems?

Our Setup

  • AD with Windows Server 2016, all function levels are 2016
  • one forest with multiple domains
  • there are several internal systems (e.g. VCSA), which are located at the internal network and which are using our AD as identity source for SSO - no problems here

Now an external service provider is to host and operate a web application for us. It is a requirement that our users can then log in via their AD accounts. For this purpose, a connection to our AD must be established. For data protection reasons, however, we cannot establish a direct connection to our AD, because otherwise the external service provider can read the information of all users from the entire AD, even those that have nothing to do with this mentioned web application. Restricting the access rights (denying reading access) would be extremely time-consuming or not feasible at all without a complete restructuring of our AD structures. Hence the idea of having to do that via an AD LDS.

So we have an AD with multiple domains behind a firewall. In front of the firewall is a Windows Server 2016 with AD LDS (hereinafter referred to as "LDAP Proxy"). The LDAP proxy is a member of one of the internal domains. This domain membership is fully functional, and the appropriate rules are set up in the FW. So far no problem.

The AD proxy synchronizes selected AD accounts from the different domains and creates userProxy objects in its LDAP. So far good, no problem.

What does not work is the connection as an identity source, e.g. in a VCSA, which is also in the same subnet as the LDAP proxy in front of the FW.

When we try to set up the identity source on the VCSA, the LDAP proxy logs in the security event log:
(translated from the German message text)

Audit Failed - Event ID 4776

An attempt was made to verify the credentials for an account.

Authentication package: ADAM_XyZ
Login account: CN=XyZuser1,OU=Benutzer,DC=XyZ,DC=ADproxy,DC=local
Workstation: 192.168.245.35:34760
Error code: 0xC000006D

The error code varies.
If we use the NT login name such as "domain\samaccountname" to set up the identity source, then the error code is

0xC0000064
Meaning: User login with misspelled or incorrect user account
This seems logical because the userProxy object contains the sAMAccountName, but not the NetBIOS name of the domain.

If we use the UPN such as "name@domain.tld" to set up the identity source, then the error code

0xC000006D
Meaning: This is due to either a bad user name or authentication information.
The UPN is contained in the userProxy object and the event log message also contains the correctly recognized DistinguishedName.

I tried to set up the identity source with an account that is synchronized to the LDAP proxy, an AD account that is not synchronized, and a local account of the LDAP proxy (all 3 are members of the Readers role in AD LDS).

What I can rule out:

  • incorrect user name -- multiple attempts
  • wrong password -- multiple attempts
  • Missing open TCP/UDP ports -- I disabled the local firewall of the LDAP proxy for testing, and there is no other FW between VCSA and LDAP proxy.

So I'm doing something wrong. Does anyone have any idea?

E.







Set a specific expiration date in AD


I want to set a 1-day password expiration in AD. How can I do that?

Default CA certificate expiring, cannot issue past its own expiration date


Server 2012 R2 DC with a single CA in AD that has an expiration date in November, installed in 2010.

Planning to run All Tasks | Renew CA Certificate to update it. No pending requests, all issued certs in all panes have expired... I'm concerned that updating the certificate will muck something up with AD. Should I just go ahead and renew it, or is there a way to test first if anything is using it? I generated two certs against the CA and they both terminate at the end date of the CA's cert. When I do renew, the soon-to-expire one is still active until it expires, correct?

Conditional Forwarder


Hi,

Do we still need to have conditional forwarders between two domains that have a forest-level trust over an internet connection with an IPsec VPN tunnel? If not, then how do we configure DNS properly to let both domains resolve each other's DNS names?

Thanks.

MS PKI Autoenrollment


I have a 2-tier PKI infrastructure where my sub-CA will be used for issuing certs to users and machines using autoenrollment for 802.1X.

I have around 4k users and devices. What is the best practice to issue them certs at once?

Will there be any impact if I issue certs to all users/machines at once through GPO at the domain level? Please share a doc which can confirm this.


Delegating Control for Managing Membership of a Group


Hello,

I am looking for a solution to delegate permission only for the addition and removal of users from a security group.

Regards

Bhavesh Khare

ADFS 3.0 Getting pop-up box instead of login page from external


Hello,

Maybe someone can provide me some hint with the following issue. I will start from the beginning.

I have implemented Windows 2016/ADFS 3.0 in our company. It worked perfectly until some days ago, when the token signing/decrypting certificates expired.

I renewed both certificates and I also updated the new token signing certificate for the Office 365 trust.

After that, when signing in to Office, instead of the company authentication page users get an authentication popup.

All user agent strings have been added to WIA.

The global authentication policy has:

- for extranet, forms-based authentication
- for intranet, forms-based authentication and Windows Authentication

ExtendedProtectionTokenCheck is None.
Fallback to WIA is true.

A colleague of mine updated the user agents right after I renewed the certificates, but before I updated the Office 365 one.

That was (hopefully) the only thing he did, but I already added the user agents again from scratch.

I would be happy if you guys can give me some hint where to look further, as having a popup displayed is awkward.

Thanks in advance!

Best,

Victor


Registering an SPN for CIFS/domain.com


Hello everyone,

I have a question about file share SPNs for shares on domain controllers. Due to some issues with Kerberos delegation (the infamous "bad option" errors related to missing service identities in web.config endpoints, which then defaults to the WP's UPN and triggers Kerberos SPN negative caching in IIS), I enabled Kerberos verbose logging for all member servers. This also helped me to identify lots of missing SPNs by using SCOM to alert me about Principal Unknown errors. One of those which I see a lot is when servers look up an SPN for CIFS/domain.com. I assume the servers are connecting to domain controllers' shares to download GPOs and are trying to authenticate through Kerberos. I've been wondering if it's possible to register a CIFS SPN for the domain, and where to do it, in order to enable Kerberos authentication for access to these shares.

Would it work if I register it under PDCe and delegate it to other DCs?

Thanks

Zoran

A constraint violation occurred - when uploading picture in Active Directory


No replication failure but differences on policies subfolder.


Hi everyone!

We have 2 DCs on the same site in a local domain that do not have any data replication failures, but when I count the number of files and folders in 'C:\Windows\SYSVOL\domain\Policies', there are differences in the totals.

C:\Windows\SYSVOL\domain>repadmin /replsum
Replication Summary Start Time: 2020-07-20 09:42:43

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 SRVWI003                  48m:54s    0 /   5    0
 SRVWI026                  57m:12s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 SRVWI003                  57m:12s    0 /   5    0
 SRVWI026                  48m:54s    0 /   5    0
C:\Program Files\SysinternalsSuite>hostname
srvwi003

C:\Program Files\SysinternalsSuite>du.exe -nobanner c:\Windows\SYSVOL\domain\Policies
Files:        367
Directories:  1097
Size:         1,510,708 bytes
Size on disk: 7,389,312 bytes
C:\Program Files\SysinternalsSuite>hostname
srvwi026

C:\Program Files\SysinternalsSuite>du.exe -nobanner c:\Windows\SYSVOL\domain\Policies
Files:        296
Directories:  888
Size:         1.483.386 bytes
Size on disk: 6.123.648 bytes

  It's like looking for a needle in the sand. Are there any practical ideas or tools for finding out where the difference is?

Thanks.


Doria
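Rather than comparing du.exe totals, the practical check is to enumerate the Policies folder on both DCs, compare the two trees by relative path and file hash, and group whatever differs by GPO GUID so the result reads as "which GPOs, which files". The script below is an added example, not from the post; it assumes the C$ admin share on both DCs is reachable from where it runs and that the GroupPolicy module is present for resolving GUIDs to GPO names. The DC names are the ones from the post.

```powershell
# Added example (not from the original post): list exactly which files under the
# GPO Policies folder exist on only one DC or differ in content between two DCs,
# grouped by GPO, instead of comparing du.exe totals. Assumes the admin share (C$)
# on both DCs is reachable and the GroupPolicy module is installed (for Get-GPO).
param(
    [string]$DC1       = 'SRVWI003',
    [string]$DC2       = 'SRVWI026',
    [string]$LocalPath = 'C:\Windows\SYSVOL\domain\Policies'
)

function Get-PolicyTree {
    # Enumerate a DC's Policies folder over its admin share and hash every file.
    param([string]$Server, [string]$LocalPath)
    $root = "\\$Server\" + ($LocalPath -replace '^([A-Za-z]):', '$1$$')   # C:\x -> \\srv\C$\x
    Get-ChildItem -LiteralPath $root -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            Rel   = $_.FullName.Substring($root.Length).TrimStart('\')
            IsDir = $_.PSIsContainer
            Hash  = if ($_.PSIsContainer) { $null } else { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
        }
    }
}

$a = Get-PolicyTree -Server $DC1 -LocalPath $LocalPath
$b = Get-PolicyTree -Server $DC2 -LocalPath $LocalPath

# Index both trees by relative path for O(1) lookups.
$aByRel = @{}; foreach ($item in $a) { $aByRel[$item.Rel] = $item }
$bByRel = @{}; foreach ($item in $b) { $bByRel[$item.Rel] = $item }

$findings = @()
foreach ($item in $a) {
    if (-not $bByRel.ContainsKey($item.Rel)) {
        $findings += [pscustomobject]@{ Rel = $item.Rel; State = "only on $DC1" }
    } elseif (-not $item.IsDir -and $item.Hash -ne $bByRel[$item.Rel].Hash) {
        $findings += [pscustomobject]@{ Rel = $item.Rel; State = 'content differs' }
    }
}
foreach ($item in $b) {
    if (-not $aByRel.ContainsKey($item.Rel)) {
        $findings += [pscustomobject]@{ Rel = $item.Rel; State = "only on $DC2" }
    }
}

# Group by the GPO GUID (first path segment) and resolve its display name. A folder
# whose GUID no longer exists in AD is an orphan left behind by a deleted GPO, which
# is a common reason for file counts to disagree without any replication error.
Import-Module GroupPolicy -ErrorAction SilentlyContinue
$findings |
    Group-Object { ($_.Rel -split '\\')[0] } |
    ForEach-Object {
        $name = '<not found in AD: orphaned folder?>'
        try { $name = (Get-GPO -Guid $_.Name -ErrorAction Stop).DisplayName } catch { }
        [pscustomobject]@{
            GpoGuid  = $_.Name
            GpoName  = $name
            Files    = $_.Count
            Examples = ($_.Group | Select-Object -First 3 | ForEach-Object { "$($_.Rel) [$($_.State)]" }) -join '; '
        }
    } |
    Sort-Object Files -Descending |
    Format-Table -AutoSize -Wrap
```

The output is one row per GPO with the number of mismatched files and a few sample paths, which is enough to decide whether a difference is an orphaned policy folder, a file that one DC has not yet received, or a genuine content divergence. Note that "no replication failures" in repadmin refers to AD replication; SYSVOL content is replicated separately (DFSR or FRS), so a clean repadmin summary does not by itself say the Policies folders match.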


