Channel: Directory Services forum
Viewing all 31638 articles

How to install Powershell cmdlets for ADFS Proxy on Windows 2012 R2 server


Hi;

I am configuring an AD FS Proxy (WAP) on a Windows 2012 R2 server. The default HTTPS port is 443 and I want to use port 8443 instead of port 443 for the HTTPS traffic coming in from my 3rd-party hosted cloud system. My understanding is that I need to issue Set-ADFSProxyProperties -HttpsPort to change it, but when I issue this command I get "The term 'Set-ADFSProxyProperties' is not recognized as the name of a cmdlet..."

This is an AD FS Proxy server, so I did not install the complete AD FS. What can I do to install the PowerShell cmdlets so that I can run the following?

Get-ADFSProxyProperties

Set-ADFSProxyProperties

Thanks!


KW - CNE,MCSE,VCP5


How to get bitlocker key using computername using powershell command

Need a PowerShell command for getting the BitLocker recovery key from AD using the computer name or the 8-digit recovery ID.
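The lookup asked for above, as an added example that is not part of the original post. It relies on two facts about how BitLocker stores keys in AD: each recovery password is an msFVE-RecoveryInformation object stored as a child of the computer account, and that object's CN is "<timestamp>{<recovery GUID>}", so the 8-character recovery key ID shown on the recovery screen (the first block of the GUID) can be matched against the CN. The function and parameter names and the sample computer name are placeholders; the caller must have been delegated read access to msFVE-RecoveryPassword.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module and an
# account that has been delegated read access to msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryKey {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'ByComputer')]
        [string]$ComputerName,

        # The 8-character "Recovery key ID" on the BitLocker recovery screen is the
        # first block of the recovery GUID.
        [Parameter(Mandatory, ParameterSetName = 'ByRecoveryId')]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$RecoveryId
    )

    $props = 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Recovery objects are stored as child objects of the computer account.
        $computer = Get-ADComputer -Identity $ComputerName
        $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties $props
    }
    else {
        # The CN of a recovery object is "<timestamp>{<recovery GUID>}", so the ID the
        # user reads out can be matched against the CN with a wildcard.
        $objects = Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree `
            -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$RecoveryId-*))" -Properties $props
    }

    foreach ($o in $objects) {
        # The parent of the recovery object is the computer that owns the volume.
        $parentDn = ($o.DistinguishedName -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            Computer         = (Get-ADObject -Identity $parentDn).Name
            RecoveryGuid     = New-Object Guid -ArgumentList (, [byte[]]$o.'msFVE-RecoveryGuid')
            VolumeGuid       = New-Object Guid -ArgumentList (, [byte[]]$o.'msFVE-VolumeGuid')
            Created          = $o.whenCreated
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (placeholder values):
# Get-BitLockerRecoveryKey -ComputerName 'WS-1234'
# Get-BitLockerRecoveryKey -RecoveryId '1A2B3C4D'
```

Eight hex characters of a GUID are not guaranteed unique across the domain, so a lookup by recovery ID can return more than one row; the Computer column tells them apart. Because the recovery password unlocks the disk, keep the read permission on msFVE-RecoveryPassword narrowly delegated and log who runs this.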

Event 11 The KDC encountered duplicate names while processing a Kerberos authentication request. (of type KEY ID)


I have recently migrated a Windows 2012 R2 DC to Windows Server 2016. Afterwards I started noticing a series of this particular error.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          11/27/2018 9:24:24 AM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      BBL-DC-CDC01.bd.bracbank.com
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 (of type KEY ID). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 in Active Directory.

Event Xml:

<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-27T03:24:24.310757900Z" />
    <EventRecordID>3984</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>BBL-DC-CDC01.bd.bracbank.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Name">D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763</Data>
    <Data Name="Type">KEY ID</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>

I have been struggling with this error for the last few days. Even though Event 11 is a very common error and there are clear instructions on how to mitigate it, they fail to address my specific scenario.

All the solutions I have found so far are related to "Type DS_SERVICE_PRINCIPAL_NAME", but mine is "Type KEY ID". Basically this error says that the KDC encountered duplicate names and then spits out a large hexadecimal string rather than saying which SPN is duplicated. Therefore, it's difficult to solve the issue with the "setspn" command.

I'm an amateur when it comes to Windows Server Active Directory, so any help is highly appreciated. Thanks.

ADMT 3.2 problems with the exclusion and Error 0x80004005


I am doing some testing with the Active Directory Migration Tool version 3.2 on Windows Server 2008 R2.
I am sure I met all the prerequisites in the source domain, the target domain and on the ADMT machine. Basically I can migrate users, groups and computers, also with SID history. What's causing some headaches is:

a) A Database / exclusion list related error message in the ADMT Logs, although the migration itself always finishes with "success".
b) The exclusion of a huge amount of AD attributes by default.

 

About a)
On every migration, the first line I get in the Log is this one:
Unable to store default excluded system properties in database. Unspecified error (0x80004005)
I had a look at the ADMT Databases TaskProperties Table and the Exclusion columns are all empty (for example AccountOptions.ExcludedSystemProps is NULL)
Also when using VBScript to query the exclusions, they are all empty:

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

UserPropertiesToExclude:
InetOrgPersonPropertiesToExclude :
GroupPropertiesToExclude :
ComputerPropertiesToExclude :
SystemPropertiesToExclude:

The user which is running ADMT is a local admin and BUILTIN\Administrators are sysadmin on the SQL Server, so I doubt this is a permission problem. The ADMT whitepaper states that 2 properties are excluded by default (mail and proxyAddresses), but not even they are included in the exclusion list. Somehow ADMT has problems saving that information in the database, which I think is causing my problem b).

About b)
Looking at a log after the migration of a user account, I can see that a huge number of AD attributes are excluded. Many of them are needed and I want to include them. Since there's no inclusion list in ADMT I cannot add them by hand, and I think problem b) is connected to problem a). Many of these excluded attributes exist in the target domain, since it also has, for example, an Exchange Server up and running. I assume that since ADMT cannot save to the exclusion list in the SQL table, it just leaves out all AD attributes which are not required to create an account in the target domain. Apart from the SIDHistory, which gets migrated fine, it looks to me as if the new accounts in the target domain have just the bare minimum of AD attributes filled which are required to create a user at all.

Here´s an excerpt from a "successfully" migrated User log file:

mail,proxyAddresses,msDS-PSOApplied,msDS-HostServiceAccount,
DUP-houseIdentifier-8dbbf431-f20e-426d-9fe1-5f8e0b46d7ca,
DUP-labeledURI-45078ae9-7c90-4274-9014-7c638a9de597,altRecipient,altRecipientBL,
attributeCertificate,attributeCertificateAttribute,audio,authOrig,authOrigBL,
autoReply,autoReplyMessage,businessRoles,carLicense,dLMemDefault,
dLMemRejectPerms,dLMemRejectPermsBL,dLMemSubmitPerms,dLMemSubmitPermsBL,
dLMemberRule,deletedItemFlags,delivContLength,delivExtContTypes,
deliverAndRedirect,deliveryMechanism,departmentNumber,dnQualifier,employeeNumber,
employeeType,enabledProtocols,expirationTime,extensionAttribute1,
extensionAttribute10,extensionAttribute11,extensionAttribute12,
extensionAttribute13,extensionAttribute14,extensionAttribute15,
extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,
extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,
extensionData,folderPathname,formData,forwardingAddress,gecos,gidNumber,
heuristics,hideDLMembership,homeMDB,homeMTA,homePostalAddress,importedFrom,
internetEncoding,ipHostNumber,jpegPhoto,kMServer,language,languageCode,
logRolloverInterval,loginShell,mAPIRecipient,mDBOverHardQuotaLimit,
mDBOverQuotaLimit,mDBStorageQuota,mDBUseDefaults,mailNickname,memberUid,
monitoredConfigurations,monitoredServices,monitoringAvailabilityStyle,
monitoringAvailabilityWindow,monitoringCachedViaMail,monitoringCachedViaRPC,
monitoringMailUpdateInterval,monitoringMailUpdateUnits,
monitoringRPCUpdateInterval,monitoringRPCUpdateUnits,msDFSR-ComputerReferenceBL,
msDFSR-MemberReferenceBL,msDS-ObjectReferenceBL,msDS-PhoneticCompanyName,
msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName,
msDS-PhoneticLastName,msDS-SourceObjectDN,msExchADCGlobalNames,
msExchALObjectVersion,msExchAddressBookFlags,msExchAddressBookPolicyLink,
msExchAggregationSubscriptionCredential,msExchAlternateMailboxes,
msExchApprovalApplicationLink,msExchArbitrationMailbox,msExchArchiveAddress,
msExchArchiveDatabaseBL,msExchArchiveDatabaseLink,msExchArchiveGUID,
msExchArchiveName,msExchArchiveQuota,msExchArchiveStatus,msExchArchiveWarnQuota,
msExchAssistantName,msExchAuditAdmin,msExchAuditDelegate,
msExchAuditDelegateAdmin,msExchAuditOwner,msExchAvailabilityOrgWideAccountBL,
msExchAvailabilityPerUserAccountBL,msExchBlockedSendersHash,msExchBypassAudit,
msExchBypassModerationBL,msExchBypassModerationFromDLMembersBL,
msExchBypassModerationFromDLMembersLink,msExchBypassModerationLink,msExchCU,
msExchCalculatedTargetAddress,msExchCalendarRepairDisabled,
msExchCapabilityIdentifiers,msExchCoManagedByLink,msExchCoManagedObjectsBL,
msExchConferenceMailboxBL,msExchConfigurationUnitBL,
msExchContentConversionSettings,msExchControllingZone,msExchCustomProxyAddresses,
msExchDelegateListBL,msExchDelegateListLink,msExchDeviceAccessControlRuleBL,
msExchDirsyncID,msExchDirsyncSourceObjectClass,msExchDisabledArchiveDatabaseLink,
msExchDisabledArchiveGUID,msExchDumpsterQuota,msExchDumpsterWarningQuota,
msExchELCExpirySuspensionEnd,msExchELCExpirySuspensionStart,
msExchELCMailboxFlags,msExchEdgeSyncCookies,msExchEdgeSyncRetryCount,
msExchEdgeSyncSourceGuid,msExchEnableModeration,msExchEwsApplicationAccessPolicy,
msExchEwsEnabled,msExchEwsExceptions,msExchEwsWellKnownApplicationPolicies,
msExchExchangeServerLink,msExchExpansionServerName,msExchExtensionAttribute16,
msExchExtensionAttribute17,msExchExtensionAttribute18,msExchExtensionAttribute19,
msExchExtensionAttribute20,msExchExtensionAttribute21,msExchExtensionAttribute22,
msExchExtensionAttribute23,msExchExtensionAttribute24,msExchExtensionAttribute25,
msExchExtensionAttribute26,msExchExtensionAttribute27,msExchExtensionAttribute28,
msExchExtensionAttribute29,msExchExtensionAttribute30,msExchExtensionAttribute31,
msExchExtensionAttribute32,msExchExtensionAttribute33,msExchExtensionAttribute34,
msExchExtensionAttribute35,msExchExtensionAttribute36,msExchExtensionAttribute37,
msExchExtensionAttribute38,msExchExtensionAttribute39,msExchExtensionAttribute40,
msExchExtensionAttribute41,msExchExtensionAttribute42,msExchExtensionAttribute43,
msExchExtensionAttribute44,msExchExtensionAttribute45,
msExchExtensionCustomAttribute1,msExchExtensionCustomAttribute2,
msExchExtensionCustomAttribute3,msExchExtensionCustomAttribute4,
msExchExtensionCustomAttribute5,msExchExternalDirectoryObjectId,
msExchExternalOOFOptions,msExchExternalSyncState,msExchFBURL,
msExchForeignGroupSID,msExchGenericForwardingAddress,
msExchGroupDepartRestriction,msExchGroupJoinRestriction,
msExchHABRootDepartmentBL,msExchHABShowInDepartments,msExchHideFromAddressLists,
msExchHomeServerName,msExchHouseIdentifier,msExchIMACL,msExchIMAP4Settings,
msExchIMAPOWAURLPrefixOverride,msExchIMAddress,msExchIMMetaPhysicalURL,
msExchIMPhysicalURL,msExchIMVirtualServer,msExchImmutableId,
msExchInconsistentState,msExchIntendedMailboxPlanBL,
msExchIntendedMailboxPlanLink,msExchInterruptUserOnAuditFailure,
msExchIsMSODirsynced,msExchLabeledURI,msExchLastExchangeChangedTime,
msExchLicenseToken,msExchLitigationHoldDate,msExchLitigationHoldOwner,
msExchMDBRulesQuota,msExchMailboxAuditEnable,msExchMailboxAuditLastAdminAccess,
msExchMailboxAuditLastDelegateAccess,msExchMailboxAuditLastExternalAccess,
msExchMailboxAuditLogAgeLimit,msExchMailboxFolderSet,msExchMailboxFolderSet2,
msExchMailboxGuid,msExchMailboxMoveBatchName,msExchMailboxMoveFlags,
msExchMailboxMoveRemoteHostName,msExchMailboxMoveSourceArchiveMDBBL,
msExchMailboxMoveSourceArchiveMDBLink,msExchMailboxMoveSourceMDBBL,
msExchMailboxMoveSourceMDBLink,msExchMailboxMoveSourceUserBL,
msExchMailboxMoveStatus,msExchMailboxMoveStorageMDBBL,
msExchMailboxMoveTargetArchiveMDBBL,msExchMailboxMoveTargetArchiveMDBLink,
msExchMailboxMoveTargetMDBBL,msExchMailboxMoveTargetMDBLink,
msExchMailboxMoveTargetUserBL,msExchMailboxOABVirtualDirectoriesLink,
msExchMailboxPlanType,msExchMailboxSecurityDescriptor,msExchMailboxTemplateLink,
msExchMailboxUrl,msExchManagementSettings,msExchMasterAccountHistory,
msExchMasterAccountSid,msExchMaxBlockedSenders,msExchMaxSafeSenders,
msExchMessageHygieneFlags,msExchMessageHygieneSCLDeleteThreshold,
msExchMessageHygieneSCLJunkThreshold,msExchMessageHygieneSCLQuarantineThreshold,
msExchMessageHygieneSCLRejectThreshold,msExchMobileAllowedDeviceIDs,
msExchMobileBlockedDeviceIDs,msExchMobileDebugLogging,msExchMobileMailboxFlags,
msExchMobileMailboxPolicyLink,msExchMobileRemoteDocumentsAllowedServersBL,
msExchMobileRemoteDocumentsBlockedServersBL,
msExchMobileRemoteDocumentsInternalDomainSuffixListBL,msExchMobileSettings,
msExchModeratedByLink,msExchModeratedObjectsBL,msExchModerationFlags,
msExchOURoot,msExchOWAAllowedFileTypesBL,msExchOWAAllowedMimeTypesBL,
msExchOWABlockedFileTypesBL,msExchOWABlockedMIMETypesBL,
msExchOWAForceSaveFileTypesBL,msExchOWAForceSaveMIMETypesBL,msExchOWAPolicy,
msExchOWARemoteDocumentsAllowedServersBL,
msExchOWARemoteDocumentsBlockedServersBL,
msExchOWARemoteDocumentsInternalDomainSuffixListBL,msExchOWASettings,
msExchOWATranscodingFileTypesBL,msExchOWATranscodingMimeTypesBL,
msExchObjectCountQuota,msExchObjectID,msExchOmaAdminExtendedSettings,
msExchOmaAdminWirelessEnable,msExchOnPremiseObjectGuid,
msExchOrganizationsAddressBookRootsBL,msExchOrganizationsGlobalAddressListsBL,
msExchOrganizationsTemplateRootsBL,msExchOriginatingForest,msExchPOP3Settings,
msExchParentPlanBL,msExchParentPlanLink,msExchPartnerGroupID,msExchPfRootUrl,
msExchPoliciesExcluded,msExchPoliciesIncluded,msExchPolicyEnabled,
msExchPolicyList,msExchPolicyOptionList,msExchPreviousAccountSid,
msExchPreviousHomeMDB,msExchPreviousMailboxGuid,msExchProvisioningFlags,
msExchProxyCustomProxy,msExchQueryBaseDN,msExchRBACPolicyBL,msExchRBACPolicyLink,
msExchRMSComputerAccountsBL,msExchRMSComputerAccountsLink,msExchRecipLimit,
msExchRecipientDisplayType,msExchRecipientTypeDetails,
msExchRecipientValidatorCookies,msExchRemoteRecipientType,
msExchRequireAuthToSendTo,msExchResourceCapacity,msExchResourceDisplay,
msExchResourceGUID,msExchResourceMetaData,msExchResourceProperties,
msExchResourceSearchProperties,msExchRetentionComment,msExchRetentionURL,
msExchSMTPReceiveDefaultAcceptedDomainBL,msExchSafeRecipientsHash,
msExchSafeSendersHash,msExchSendAsAddresses,msExchSenderHintTranslations,
msExchServerAdminDelegationBL,msExchServerAssociationBL,
msExchServerAssociationLink,msExchServerSiteBL,msExchSetupStatus,
msExchShadowAssistantName,msExchShadowC,msExchShadowCo,msExchShadowCompany,
msExchShadowCountryCode,msExchShadowDepartment,msExchShadowDisplayName,
msExchShadowFacsimileTelephoneNumber,msExchShadowGivenName,msExchShadowHomePhone,
msExchShadowInfo,msExchShadowInitials,msExchShadowL,msExchShadowMailNickname,
msExchShadowManagerLink,msExchShadowMobile,msExchShadowOtherFacsimileTelephone,
msExchShadowOtherHomePhone,msExchShadowOtherTelephone,msExchShadowPager,
msExchShadowPhysicalDeliveryOfficeName,msExchShadowPostalCode,
msExchShadowProxyAddresses,msExchShadowSn,msExchShadowSt,
msExchShadowStreetAddress,msExchShadowTelephoneAssistant,
msExchShadowTelephoneNumber,msExchShadowTitle,msExchShadowWWWHomePage,
msExchShadowWindowsLiveID,msExchSharingAnonymousIdentities,
msExchSharingPartnerIdentities,msExchSharingPolicyLink,msExchSignupAddresses,
msExchSupervisionDLBL,msExchSupervisionDLLink,msExchSupervisionOneOffBL,
msExchSupervisionOneOffLink,msExchSupervisionUserBL,msExchSupervisionUserLink,
msExchSyncAccountsPolicyDN,msExchTUIPassword,msExchTUISpeed,msExchTUIVolume,
msExchTextMessagingState,msExchThrottlingPolicyDN,msExchTransportInboundSettings,
msExchTransportOutboundSettings,msExchTransportRecipientSettingsFlags,
msExchUCVoiceMailSettings,msExchUMAddresses,msExchUMAudioCodec,
msExchUMAudioCodec2,msExchUMCallingLineIDs,msExchUMDtmfMap,msExchUMEnabledFlags,
msExchUMEnabledFlags2,msExchUMFaxId,msExchUMListInDirectorySearch,
msExchUMMailboxOVALanguage,msExchUMMaxGreetingDuration,msExchUMOperatorNumber,
msExchUMPhoneProvider,msExchUMPinChecksum,msExchUMRecipientDialPlanLink,
msExchUMServerWritableFlags,msExchUMSpokenName,msExchUMTemplateLink,
msExchUnmergedAttsPt,msExchUsageLocation,msExchUseOAB,msExchUserAccountControl,
msExchUserBL,msExchUserCulture,msExchVersion,msExchVoiceMailboxID,
msExchWhenMailboxCreated,msExchWindowsLiveID,msOrg-GroupSubtypeName,
msOrg-IsOrganizational,msOrg-Leaders,msOrg-LeadersBL,msOrg-OtherDisplayNames,
msRADIUS-FramedIpv6Route,msRADIUS-SavedFramedIpv6Route,msRTCSIP-AcpInfo,
msRTCSIP-ApplicationOptions,msRTCSIP-ArchivingEnabled,msRTCSIP-DeploymentLocator,
msRTCSIP-FederationEnabled,msRTCSIP-GroupingID,msRTCSIP-InternetAccessEnabled,
msRTCSIP-Line,msRTCSIP-LineServer,msRTCSIP-OptionFlags,msRTCSIP-OriginatorSid,
msRTCSIP-OwnerUrn,msRTCSIP-PrimaryHomeServer,msRTCSIP-PrimaryUserAddress,
msRTCSIP-PrivateLine,msRTCSIP-TargetHomeServer,msRTCSIP-TargetUserPolicies,
msRTCSIP-TenantId,msRTCSIP-UserEnabled,msRTCSIP-UserExtension,
msRTCSIP-UserLocationProfile,msRTCSIP-UserPolicies,msRTCSIP-UserPolicy,
msSFU30Aliases,msSFU30Name,msSFU30NisDomain,msSFU30PosixMember,
msSFU30PosixMemberOf,networkAddress,nisMapName,oOFReplyToOriginator,otherMailbox,
pOPCharacterSet,pOPContentFormat,personalPager,photo,preferredLanguage,
promoExpiration,protocolSettings,publicDelegates,publicDelegatesBL,
registeredAddress,replicatedObjectVersion,replicationSensitivity,
replicationSignature,reportToOriginator,reportToOwner,roomNumber,secretary,
securityProtocol,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,
shadowMax,shadowMin,shadowWarning,submissionContLength,supportedAlgorithms,
targetAddress,telephoneAssistant,textEncodedORAddress,trackingLogPathName,type,
uid,uidNumber,unauthOrig,unauthOrigBL,unixHomeDirectory,unixUserPassword,
unmergedAtts,userPKCS12,userSMIMECertificate,
x500uniqueIdentifier

I triple-checked the ADMT whitepaper for the requirements in the source domain, the target domain and on the ADMT machine. I was not able to find any errors. Why the exclusion fields are not filled in the ADMT database is beyond my understanding. The same goes for the huge number of excluded attributes. I thought that, apart from the 2 attributes mentioned in the whitepaper and the attributes which do not exist in the target domain, ADMT would migrate all attributes and you would have to exclude the ones you don't need. For me it seems to work the other way round.

error: 5 (Access is denied) RODC (Win Srv 2012) with DC (Win Srv 2016)


Good Day Dears,

I'm trying to add an RODC (Windows Server 2012 R2) to a DC (Windows Server 2016) and I get error: 5 (Access is denied).

Note that my user is a member of: Administrators, Domain Admins, Allowed RODC Password and Enterprise Admins.

I also tried to add it from the DC, via Pre-create Read-only Domain Controller account.

Br,

Ahmed Maxsood

GroupWise Policy Deploy


Dear Team

I want to deploy Active Directory policy group-wise only, so that all devices (computers) are in a group and then I will configure them by GPO settings.

Note: I do not apply AD policy to an OU.

Please advise and share documents.
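What is being asked for here is GPO security filtering: the GPO is still linked to an OU or the domain (a GPO cannot be linked to a group), but only members of a chosen security group are granted the Apply Group Policy permission. The following is an added example, not code from the original post; the GPO, group, OU and computer names are placeholders.

```powershell
# Added example, not part of the original post. Names are placeholders; run with rights to
# create GPOs and groups. Needs the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName    = 'Workstation-Baseline'                 # assumption
$groupName  = 'GPO-Workstation-Baseline-Apply'       # assumption
$linkTarget = 'OU=Workstations,DC=corp,DC=example'   # assumption: any OU (or the domain) above the computers
$members    = 'WS-1234', 'WS-5678'                   # assumption: computer names to target

# 1. A global security group that holds the computer accounts the policy should apply to.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $linkTarget
}
Add-ADGroupMember -Identity $groupName -Members ($members | ForEach-Object { Get-ADComputer -Identity $_ })

# 2. The GPO itself, linked above the computers. The link decides where Group Policy looks
#    for the GPO; the security filtering below decides which computers actually apply it.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
if (-not ((Get-GPInheritance -Target $linkTarget).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $linkTarget -LinkEnabled Yes | Out-Null
}

# 3. Security filtering: the group gets Read + Apply; Authenticated Users is reduced to Read
#    only. Do not remove Read entirely: the computer account must still be able to read the
#    GPO, otherwise the policy is skipped silently.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify the resulting ACL; only $groupName should show GpoApply.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

A computer's group memberships are part of the logon token it builds at startup, so a computer added to the group needs a reboot before gpupdate will pick up the policy; gpresult /r /scope computer on the client then lists the GPO under applied or filtered-out objects.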

Merge users from two ADDS Forest


Hi, 

My company split from ABC.com to XYZ.com a few months back. Many of our applications, servers and portals are still in the ABC.com environment and are still in the planning stage to migrate to the XYZ domain. Both domains have separate Active Directory servers, where we have created new user accounts (instead of migrating them) for a few existing employees in XYZ.com. Now we have the same user in both forests with different domain names; for example, User1.ABC.com is authorized to access all the applications, servers and company portals of the ABC domain. After the split, instead of deactivating the account in the ABC domain and migrating it to the XYZ domain, we created a new account User1.XYZ.com in the XYZ domain.

Now, when users from the XYZ domain want to access resources in the ABC domain, they have to use their ABC.com credentials, and for the XYZ domain they use XYZ credentials. As it is difficult to remember multiple credentials every time, we propose to set up a trust relationship between these two domains. But in doing so, one would have to identify User1.ABC.com's permissions in ABC.com and assign the same permissions to User1.XYZ.com, for all the users.

Is there any way or tool with which we can map the same users from both domains? For example, we would map User1.ABC.com with User1.XYZ.com, so that whenever User1.XYZ.com wants to access resources from the ABC domain, he/she simply provides XYZ credentials and accesses all the resources (only those resources on which User1.ABC.com has permissions).

Any suggestions are welcome. 

Best Practice/Backup Solution before Delete Domain


Hi All,

I am planning to delete one of the child domains in my environment. This domain currently has only inactive accounts. May I know what kind of backup should be taken before deleting this child domain? In case we need to recover any configuration/account/information from this domain, will restoring the backup work?

Thanks in advance.
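An added example, not from the original post, of what to capture before removing a child domain: a readable inventory (CSV), a full LDIF of the domain partition, the GPOs, and a system state backup of one of its DCs. Domain name, server and paths are placeholders. The exports exist because once the domain has been removed and its metadata cleaned up, a system state backup of one of its DCs can only be restored in an isolated recovery network, not back into the production forest; the CSV/LDIF files are the copy you will actually open when someone asks what an account or group looked like.

```powershell
# Added example, not part of the original post. Run on (or against) a DC of the child domain
# with Domain Admin rights; domain name and paths are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = 'child.corp.example'        # assumption
$exportDir = 'E:\child-domain-export'    # assumption
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

$server   = (Get-ADDomainController -DomainName $domain -Discover).HostName[0]
$domainDn = (Get-ADDomain -Server $server).DistinguishedName

# 1. Readable inventory: users and groups with SIDs and membership, as CSV.
Get-ADUser -Server $server -Filter * -Properties memberOf, lastLogonTimestamp, whenCreated, mail, description |
    Select-Object SamAccountName, Name, UserPrincipalName, Enabled, mail, description, whenCreated,
        @{n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } } },
        @{n = 'MemberOf';  e = { $_.memberOf -join ';' } },
        @{n = 'SID';       e = { $_.SID.Value } } |
    Export-Csv -Path "$exportDir\users.csv" -NoTypeInformation -Encoding UTF8

Get-ADGroup -Server $server -Filter * -Properties member, description |
    Select-Object SamAccountName, GroupScope, GroupCategory, description,
        @{n = 'Members'; e = { $_.member -join ';' } },
        @{n = 'SID';     e = { $_.SID.Value } } |
    Export-Csv -Path "$exportDir\groups.csv" -NoTypeInformation -Encoding UTF8

# 2. Full LDIF of the domain partition: every object with every readable attribute.
#    (Password hashes are never exported by LDIFDE.)
& ldifde.exe -f "$exportDir\domain.ldf" -s $server -d $domainDn -p subtree

# 3. GPOs live partly in SYSVOL and are not covered by the LDIF.
Backup-GPO -All -Domain $domain -Server $server -Path $exportDir | Out-Null

# 4. System state backup of this DC (AD database, SYSVOL, registry): the restorable copy.
#    Run locally on the DC; the target must be a separate volume from the system volume.
& wbadmin.exe start systemstatebackup -backupTarget:E: -quiet
```

Copy the export directory somewhere that outlives the domain's servers and restrict access to it: the LDIF and the system state backup contain the SIDs, group memberships and account history that an attacker would otherwise have to enumerate.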


Allowing non Domain Admins to run ADUC on a DC?


We have a need to allow a remote support technician the ability to log into a DC at that site to administer a specific OU for that site. I set permissions to allow the account to log into the DC through Remote Desktop, but it cannot run ADUC or even just MMC and add the ADUC snap-in without making that account a member of the built-in "Account Operators" group.

If we make it a member of Account Operators then it can modify other OUs, even though we've only delegated it that specific OU.

What is necessary to run ADUC so that this account can manage the OU in question but not other OUs?

I know we could install the tools on a separate workstation, but we'll need this account to be able to log into the DC itself anyway should it become inaccessible.

Thanks in advance!
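Account Operators is a built-in protected group whose rights cover user, group and computer objects across the whole domain, which is why its membership cannot be scoped to one OU. OU-scoped rights are granted instead by ACEs on the OU itself, which is what the Delegation of Control wizard writes. The following is an added example, not from the original post, that writes two such ACEs with PowerShell: create/delete user objects under the OU, and full control over user objects below it. The OU and group names are placeholders; the user class GUID is the schemaIDGUID of the "user" class.

```powershell
# Added example, not part of the original post. OU and group names are placeholders; run once
# as a domain admin. Needs the ActiveDirectory module for the AD: drive.
Import-Module ActiveDirectory

$ouDn      = 'OU=Site1,DC=corp,DC=example'                  # assumption: the site OU the technician manages
$group     = Get-ADGroup -Identity 'Site1-Techs'            # assumption: a group holding the support account
$sid       = $group.SID
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

$acl = Get-Acl -Path "AD:\$ouDn"

# Create and delete user objects in this OU and its sub-OUs (ObjectType = user class).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# Full control over user objects below the OU and nothing else: InheritedObjectType = user
# class and inheritance = descendants only, so the OU itself and other classes are untouched.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: only the two ACEs above should mention the group, and only on this OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Two caveats. Members of protected groups (adminCount=1) that happen to sit in that OU are not covered: AdminSDHolder overwrites their ACLs hourly, by design. And letting a support account log on interactively to a DC gives it a foothold on a tier-0 host regardless of how narrow its AD rights are; the delegation above limits what it can change in the directory, not what it can do to the server.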

Parsing the Key Credential Link Structure


Hello all,

I'm trying to find information on how to read the Key Credential Link Structure. I've read the documentation but it doesn't seem to be lining up with the data I've read from the attribute. The data from the attribute comes back like this:

B:784:00010000100001A1...<continued hex>:CN=<...>,CN=<...>,DC=dev,DC=com; 

but when I try to read the first 4 bytes of the hex-encoded value which should contain the version information, it doesn't match with what the documentation suggests it should:

Actual (big-endian)
0000 0000 0000 0001 0000 0000 0000 0000
Actual (little-endian)
0000 0000 0000 0000 0000 0001 0000 0000
Expected
0000 0000 0000 0000 0000 0010 0000 0000

The full pdf document outlining [MS-ADTS] makes many references to various attributes being little- or big-endian, but for this attribute there is no mention of endianness.

I was hoping someone might be able to provide some insight on how to read these attributes.

Thank you for your time,

-lawkennedy 
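The two questions about the Key Credential Link structure (this post) and about KDC Event 11 "of type KEY ID" (the earlier post on this page) are answered by the same parser, added here as an example that is not from either post. In [MS-ADTS] 2.2.20 a KEYCREDENTIALLINK_BLOB starts with a 32-bit Version that is little-endian (0x00000200 serialises as the bytes 00 02 00 00), followed by entries of Length (2 bytes, little-endian), Identifier (1 byte) and Value. KeyID (identifier 1) is the SHA-256 of the KeyMaterial value, which is 32 bytes, the same length as the 64-hex-character "duplicate name" in the Event 11 text. The example assumes that the KEY ID in that event refers to these KeyIDs (an assumption, not confirmed by the page), decodes values in the DN-with-Binary form AD returns them in, recomputes the KeyID as a consistency check, and searches the forest for every object carrying a given KeyID. Function names and the sample computer name are placeholders.

```powershell
# Added example, not part of either post. Parses msDS-KeyCredentialLink values by the
# KEYCREDENTIALLINK_BLOB layout in [MS-ADTS] 2.2.20 and searches the forest for a KeyID.
Import-Module ActiveDirectory

$entryNames = @{ 1 = 'KeyID'; 2 = 'KeyHash'; 3 = 'KeyMaterial'; 4 = 'KeyUsage'; 5 = 'KeySource'
                 6 = 'DeviceId'; 7 = 'CustomKeyInformation'; 8 = 'KeyApproximateLastLogonTimeStamp'
                 9 = 'KeyCreationTime' }

function ConvertFrom-KeyCredentialLink {
    # $DnWithBinary is the value as AD returns it: "B:<hex char count>:<hex>:<owner DN>"
    param([Parameter(Mandatory)][string]$DnWithBinary)

    $parts = $DnWithBinary -split ':', 4
    if ($parts.Count -ne 4 -or $parts[0] -ne 'B') { throw 'Not a DN-with-Binary value' }
    $hex = $parts[2]
    if ($hex.Length -ne [int]$parts[1]) { throw "Length field $($parts[1]) does not match $($hex.Length) hex characters" }
    $bytes = New-Object byte[] ($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16) }
    if ($bytes.Length -lt 4) { throw 'Blob shorter than the 4-byte Version field' }

    # Version: 32-bit little-endian; the layout parsed here is 0x00000200 (bytes 00 02 00 00).
    $version = [BitConverter]::ToUInt32($bytes, 0)
    $entries = [ordered]@{}
    if ($version -eq 0x200) {
        $pos = 4
        # Each entry: Length (2 bytes, little-endian) | Identifier (1 byte) | Value (Length bytes)
        while ($pos + 3 -le $bytes.Length) {
            $len = [BitConverter]::ToUInt16($bytes, $pos)
            $id  = [int]$bytes[$pos + 2]
            if ($pos + 3 + $len -gt $bytes.Length) { throw "Entry $id at offset $pos runs past the end of the blob" }
            $val = if ($len -gt 0) { [byte[]]$bytes[($pos + 3)..($pos + 2 + $len)] } else { [byte[]]@() }
            $name = if ($entryNames.ContainsKey($id)) { $entryNames[$id] } else { "Unknown($id)" }
            $entries[$name] = switch ($id) {
                1 { ($val | ForEach-Object { $_.ToString('X2') }) -join '' }   # KeyID: SHA-256 of KeyMaterial
                2 { ($val | ForEach-Object { $_.ToString('X2') }) -join '' }   # KeyHash: SHA-256 of the entries after it
                6 { New-Object Guid -ArgumentList (, $val) }                   # DeviceId
                { $_ -eq 8 -or $_ -eq 9 } { [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($val, 0)) }  # FILETIME
                default { $val }
            }
            $pos += 3 + $len
        }
    }

    # Consistency check: recompute KeyID = SHA-256(KeyMaterial) and compare with the stored entry.
    $keyIdMatches = $null
    if ($entries.Contains('KeyID') -and $entries.Contains('KeyMaterial')) {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $calc = ($sha.ComputeHash([byte[]]$entries['KeyMaterial']) | ForEach-Object { $_.ToString('X2') }) -join ''
        $keyIdMatches = ($calc -eq $entries['KeyID'])
    }

    [pscustomobject]@{
        Version      = '0x{0:X8}' -f $version
        Parsed       = ($version -eq 0x200)      # other versions are reported, not parsed
        Entries      = $entries
        KeyIdMatches = $keyIdMatches
        OwnerDn      = $parts[3]
    }
}

function Find-KeyCredentialOwner {
    # $KeyId: 64 hex characters, e.g. the "duplicate name" from KDC Event 11 of type KEY ID
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{64}$')][string]$KeyId)
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -Server $domain -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
            ForEach-Object {
                $obj = $_
                foreach ($link in $obj.'msDS-KeyCredentialLink') {
                    $kc = ConvertFrom-KeyCredentialLink -DnWithBinary $link
                    if ($kc.Parsed -and $kc.Entries['KeyID'] -eq $KeyId) {
                        [pscustomobject]@{ Domain = $domain; Object = $obj.DistinguishedName
                                           DeviceId = $kc.Entries['DeviceId']; Created = $kc.Entries['KeyCreationTime'] }
                    }
                }
            }
    }
}

# Usage (placeholder computer name): decode one value, or list every object carrying a KeyID.
# ConvertFrom-KeyCredentialLink -DnWithBinary (Get-ADComputer 'WS-1234' -Properties msDS-KeyCredentialLink).'msDS-KeyCredentialLink'[0]
# Find-KeyCredentialOwner -KeyId 'D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763'
```

If Find-KeyCredentialOwner returns more than one object for the KeyID named in the event, those are the duplicate entries the event text asks to be removed; which one to keep is an ownership question (DeviceId and KeyCreationTime help), not something to automate. Because msDS-KeyCredentialLink is also the attribute abused in "shadow credentials" attacks, any write to it on an account you did not expect is worth investigating before cleaning up.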


Lsass.exe sending excessive data outside the local network


Just this morning I noticed a huge lag on my internet connection at my work network. After rebooting the modem with no help, I investigated the server.

lsass.exe was sending massive data outbound only, upwards of 8 Mb/second, to different IP addresses, one of which resolved back to france.protection-ddos.com.

I have not had any server setting changes in months. I haven't even logged on to the server in months; it's been doing its job as it should with no interference, until this.

I updated my virus database and am doing a full scan now. To update my virus database I tethered my phone to the server for an internet connection. The lsass data did not start on this connection, only on the LAN to cable modem connection. The scan is going to take hours, so I am leaving my network off the internet for the night and hoping the scanner finds something upon my return in the morning.

Obviously I can't kill lsass, so I have isolated the network temporarily. I'm assuming I've been compromised somehow.

I don't know why/how lsass is sending such a large amount of data out of the network. Everything I googled is more about lsass.exe using a lot of CPU; mine is not, only outgoing network. And yes, it is LSASS.EXE, the same PID as the one doing the network authenticating.

Any input would be appreciated.

Stats:

Windows Server 2012 Essentials, all work 5 stations are Windows 7.
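An added triage script for the situation above, not from the original post. On a domain controller (which a Server 2012 Essentials box is) lsass.exe hosts the LDAP, LDAPS, global catalog, Kerberos and CLDAP listeners, so the process having sockets is normal; what is not normal is established sessions from it to public addresses, an lsass binary that is not the signed one in System32, or unsigned code loaded into it through the LSA "Security Packages"/"Authentication Packages" registration. The script checks each of those; the private-address test is a heuristic, and function names are placeholders.

```powershell
# Added example, not part of the original post. Triage of network activity attributed to
# lsass.exe on Windows Server 2012 or later; run elevated. The private-address test is a heuristic.
function Test-PrivateAddress {
    param([string]$Address)
    [bool]($Address -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:|f[cd])')
}

function Get-LsassNetworkActivity {
    $lsass = Get-Process -Name lsass
    $image = $lsass.Path

    # 1. Is it the real binary? Expected path and a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $image
    [pscustomobject]@{ Check = 'Image'
                       Suspicious = ($image -ne (Join-Path $env:SystemRoot 'System32\lsass.exe') -or $sig.Status -ne 'Valid')
                       Detail = "$image signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)" }

    # 2. Anything loaded into lsass that is not validly signed. SSPs and authentication packages
    #    registered under HKLM\SYSTEM\CurrentControlSet\Control\Lsa are a classic persistence spot.
    foreach ($m in $lsass.Modules) {
        $ms = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($ms.Status -ne 'Valid') {
            [pscustomobject]@{ Check = 'Module'; Suspicious = $true; Detail = "$($m.FileName) signature=$($ms.Status)" }
        }
    }
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{ Check = 'LsaPackages'; Suspicious = $false
                       Detail = "Security Packages=$($lsa.'Security Packages' -join ',') Authentication Packages=$($lsa.'Authentication Packages' -join ',')" }

    # 3. Sockets owned by that PID. On a DC lsass hosts LDAP/LDAPS/GC (389, 636, 3268, 3269),
    #    Kerberos (88) and CLDAP (UDP 389), so listeners are normal; established sessions to
    #    public addresses from lsass are not.
    Get-NetTCPConnection -OwningProcess $lsass.Id -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Check = 'TCP'
                           Suspicious = ($_.State -eq 'Established' -and -not (Test-PrivateAddress $_.RemoteAddress))
                           Detail = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State)" }
    }
    Get-NetUDPEndpoint -OwningProcess $lsass.Id -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Check = 'UDP'; Suspicious = $false; Detail = "listening $($_.LocalAddress):$($_.LocalPort)" }
    }
}

Get-LsassNetworkActivity | Sort-Object Suspicious -Descending | Format-Table Check, Suspicious, Detail -AutoSize -Wrap
```

The UDP listeners are listed for a reason: if the edge device forwards UDP/389 (CLDAP) to this server, the DC can be used as a reflector in amplification attacks against third parties, which shows up exactly as lsass pushing large outbound volumes to addresses you have no relationship with (including DDoS-protection providers fronting the victim). That is worth ruling out at the modem/router before concluding the host itself is compromised; if the image, module and LSA-package checks are clean, the outbound traffic is the more likely explanation.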

Methods of setting the Dynamic Port range to be used by Domain Controllers


Hello,

What's the difference between the two methods below for setting the dynamic ports a Server 2008 R2 domain controller is to use? Is one method preferred or any better than the other? Also, both methods set the dynamic port range to 49152-63999. Thanks in advance.

1. Netsh int ipv4 set dynamicport tcp start=49152 num=14847

2. Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
"Ports"=hex(7):34,00,39,00,31,00,35,00,32,00,2d,00,36,00,33,00,39,00,39,00,39,\
  00,00,00,00,00


Thanks for your help! SdeDot
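The two methods are not equivalent. The netsh setting changes the TCP/IP ephemeral port range that every process gets when it binds port 0, RPC or not; the Rpc\Internet registry key tells only the RPC runtime which ports to hand to RPC servers that register with the endpoint mapper (AD DS, Netlogon, DFSR and so on), and is read when those services start. An inclusive range 49152-63999 is 14848 ports (end - start + 1), so num=14847 stops at 63998. The hex(7) payload in the .reg excerpt is a REG_MULTI_SZ in UTF-16LE, and decodes to the single string 49152-63999. The following is an added example, not from the original post: it applies both settings, decodes such a payload, and lists which ports the DC's services actually listen on. Function names are placeholders.

```powershell
# Added example, not part of the original post. Applies both settings for 49152-63999, decodes
# the hex(7) payload from the .reg excerpt, and lists which ports the DC's services listen on.
# Run elevated on the DC; RPC only re-reads the registry key when the services restart.
$start = 49152
$end   = 63999
$count = $end - $start + 1     # inclusive range = 14848 ports (num=14847 would stop at 63998)

# Method 1: TCP/IP ephemeral range for every socket that binds port 0, RPC or not.
netsh int ipv4 set dynamicport tcp start=$start num=$count
netsh int ipv4 set dynamicport udp start=$start num=$count

# Method 2: the RPC runtime's own allocation policy for servers registered with the endpoint
# mapper (AD DS, Netlogon, DFSR, ...). Other processes keep using the OS range from method 1.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
Set-ItemProperty -Path $rpcKey -Name Ports -Value @("$start-$end") -Type MultiString
Set-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -Value 'Y' -Type String
Set-ItemProperty -Path $rpcKey -Name UseInternetPorts -Value 'Y' -Type String

function ConvertFrom-RegHexMultiString {
    # Decodes the hex(7) (REG_MULTI_SZ, UTF-16LE, double-NUL terminated) payload of a .reg file.
    param([Parameter(Mandatory)][string]$HexList)
    $bytes = [byte[]]($HexList -split '[,\s\\]+' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
    ([Text.Encoding]::Unicode.GetString($bytes)).TrimEnd([char]0) -split [char]0
}
ConvertFrom-RegHexMultiString '34,00,39,00,31,00,35,00,32,00,2d,00,36,00,33,00,39,00,39,00,39,00,00,00,00,00'

function Test-DcDynamicPorts {
    param([int]$Start = 49152, [int]$End = 63999)
    $dynamic = (netsh int ipv4 show dynamicport tcp) -join ' '
    $rpc     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Setting = 'netsh tcp';    Value = ($dynamic -replace '\s+', ' ').Trim(); InRange = $null }
    [pscustomobject]@{ Setting = 'Rpc\Internet'; Value = "Ports=$($rpc.Ports -join ',') UseInternetPorts=$($rpc.UseInternetPorts)"; InRange = $null }
    # Every high TCP listener, with its owning process, and whether it is inside the chosen range.
    Get-NetTCPConnection -State Listen | Where-Object LocalPort -ge 1024 |
        Sort-Object LocalPort -Unique | ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Setting = "listener $($p.ProcessName)"; Value = $_.LocalPort
                               InRange = ($_.LocalPort -ge $Start -and $_.LocalPort -le $End) }
        }
}
Test-DcDynamicPorts | Format-Table -AutoSize
```

Reboot after changing the registry key so every RPC server picks it up, then run Test-DcDynamicPorts and look for listeners outside the range: those are the services the firewall rule will break. If the goal is a firewall rule with as few ports as possible, AD DS and Netlogon can additionally be pinned to fixed ports (the "TCP/IP Port" DWORD under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and "DCTcpIpPort" under Services\Netlogon\Parameters), which is usually what the firewall team actually wants.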

Reverse lookup zone resolution in conditional forwarder


Scenario1

I was involved in a discussion about whether we can get reverse lookup zone name resolution if I'm using a conditional forwarder.

Conditional forwarder: host-name resolution will work, but will it also be able to resolve IP to host name for the resources in the other domain in DNS using nslookup? If yes, how?

If not, how can we make it resolve IP to host for the other domain from my own domain using a conditional forwarder, considering that I have a similar private IP range configured in my own reverse lookup zone as the other domain? How will DNS resolve the name if I use the IP in nslookup for the other domain?

 

Another scenario:

I have my own domain XYZ.com and another domain named abc.com with authoritative DNS server IP 192.168.1.5 (the IP for the ABC domain) configured as a forwarder in my domain for ABC domain name resolution from XYZ. I also have an existing 192.168.1.x reverse lookup zone configured for my internal domain name resolution. The question is: if I do nslookup using IP 192.168.1.x, will it give an nslookup result for my own domain or the other domain?

 

I don't have lab to test, so request if anyone have tested or can share something on it.
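A conditional forwarder matches on the queried name, and a reverse lookup is just a query for a name under in-addr.arpa, so a forwarder for 1.168.192.in-addr.arpa works exactly like one for abc.com. The catch is the second scenario: a DNS server that hosts an authoritative zone answers from it and never consults a forwarder for the same name, so if XYZ.com already hosts 1.168.192.in-addr.arpa for its own 192.168.1.x addresses, a PTR query for any 192.168.1.x address is answered from that local zone (or returns NXDOMAIN) and ABC's server is never asked. The following is an added example, not from the original post, that creates the forwarders for both directions and refuses the conflicting case. The address and names are taken from the scenario as placeholders; -ReplicationScope Forest assumes AD-integrated DNS on a DC (omit it on a standalone DNS server).

```powershell
# Added example, not part of the original post. Names and addresses are placeholders taken from
# the scenario in the post; run on a DNS server of xyz.com with the DnsServer module.
Import-Module DnsServer

$abcDns      = '192.168.1.5'                 # assumption: abc.com authoritative DNS
$reverseZone = '1.168.192.in-addr.arpa'      # the 192.168.1.0/24 reverse zone

function Add-ConditionalForwarderChecked {
    param([Parameter(Mandatory)][string]$ZoneName, [Parameter(Mandatory)][string[]]$MasterServers)
    # A local authoritative zone (primary, secondary or AD-integrated) of the same name wins:
    # the server answers from it and never consults the forwarder. Refuse that configuration.
    $existing = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if ($existing -and $existing.ZoneType -ne 'Forwarder') {
        throw "$ZoneName is hosted locally as a $($existing.ZoneType) zone; a conditional forwarder for it would never be consulted."
    }
    if (-not $existing) {
        Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers -ReplicationScope Forest
    }
    Get-DnsServerZone -Name $ZoneName | Select-Object ZoneName, ZoneType, MasterServers
}

Add-ConditionalForwarderChecked -ZoneName 'abc.com'    -MasterServers $abcDns   # name -> IP
Add-ConditionalForwarderChecked -ZoneName $reverseZone -MasterServers $abcDns   # IP -> name

# Test a PTR lookup against this server; -DnsOnly bypasses the local cache and hosts file.
Resolve-DnsName -Name '192.168.1.20' -Type PTR -DnsOnly -Server $env:COMPUTERNAME
```

When the function throws for the reverse zone, the two networks share a /24 and one server cannot have two sources of truth for it: either the PTR records for ABC's hosts are added to XYZ's own reverse zone, or the address space is split so that each side's reverse zone covers only its own subnet.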

Windows Server 2012 R2 Domain Controller Hang and "Please wait for the System Event Notification Service" Message

The problem we are experiencing is intermittent. At some point overnight (typically, but there are no error messages logged to pin it to a specific time) the domain controller DRDC02 began to refuse to launch new programs. All DCs are seeing this issue. All DCs are VMs. DRDC02 is just the most recent case.

If we connect to the VM desktop using the vSphere remote console or using MSTSC.EXE over Remote Desktop Protocol, we can sign in to the desktop of the hung DRDC02:
1. I can launch Notepad, Calculator, File Explorer and other simple programs.
2. I cannot launch ServerManager.exe, eventvwr.msc or other MMC management tools.
3. Ctrl-Alt-Del (Ctrl-Alt-End) works, but I cannot launch Task Manager from the resulting splash screen.
4. Programs > Run CMD opens a command window, but I cannot perform commands in that command window, or if I can (NSLOOKUP, for instance) the command never ends and returns to the C:\> prompt. I am then unable to close the command window.
5. I can perform remote WMI operations (for example, connect to DRDC02 to run eventvwr.msc remotely), or perform a remote restart ("SHUTDOWN -R -M \\DRDC02").
6. I can perform remote SMB operations (for example, connect to the \\DRDC02\SYSVOL share).
7. If I manually run an incremental backup of the DRDC02 client using our backup product:
   a. The Active Directory agent will run a backup and complete normally.
   b. The Windows File System agent will hang.
   c. Although the server desktop was somewhat responsive up to this point, when the backup job stalled out the desktop became completely unresponsive as well.
8. When I restart DRDC02 the system hangs during shutdown with the message "Please wait for the System Event Notification Service"; this takes about 15 minutes to self-resolve and the server restarts.
   a. Why is SENS not ending?
   b. Is it possible SENS is the cause of the problems?
9. Searching Google for these symptoms, the only recommendation I find is to run SFC /SCANNOW.
   a. SFC /SCANNOW results are:
   b. Verification 100% complete. Windows Resource Protection did not find any integrity violations.
 

Question: Need a fix to prevent the domain controllers from hanging/unresponsive.


This tool was unable to recreate the EFS certificates in the Default Domain Policy GPO.


C:\Users\Administrator>dcgpofix

Microsoft(R) Windows(R) Operating System Default Group Policy Restore Utility v5.1

Copyright (C) Microsoft Corporation. 1981-2003

Description: Recreates the Default Group Policy Objects (GPOs) for a domain

Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]


This utility can restore either or both the Default Domain Policy or the
Default Domain Controllers Policy to the state that exists immediately after
domain creation. You must be a domain administrator to perform this operation.

WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

You are about to restore Default Domain Policy and Default Domain Controller Policy for the following domain
Kadasco.Com
Do you want to continue: <Y/N>? y
WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This might cause some server applications to fail. Do you want to continue: <Y/N>? y
Warning: This tool was unable to recreate the EFS certificates in the Default Domain Policy GPO. The Default Domain Policy was restored successfully
Note: Only the contents of the Default Domain Policy were restored. Group Policy links to this Group Policy Object were not altered.
By default, the Default Domain Policy is linked to the domain.

The Default Domain Controller Policy was restored successfully
Note: Only the contents of the Default Domain Controller Policy were restored. Group Policy links to this Group Policy Object were not altered.
By default, the Default Domain Controller Policy is linked to the domain controllers OU.



Best Regard Mohammad Reza Abdi


Network Device Enrollment Service (NDES) Fails to Issue Certificate


The following links were used as references for configuring NDES on Windows Server 2016 core:

  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831498(v%3Dws.11)
  https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx

The issuing CA is an enterprise intermediate/subordinate CA.  NDES is installed on a separate server using a service account (domain user, not gMSA).  The default password behavior is configured (required, max 5, expiring after an hour).  A custom certificate template has been created for devices, added as a template to issue on the CA, and configured on the NDES server.  Appropriate permissions have been set on the template and the CA for requesting and enrolling.

The mscep_admin page shows a password.  However, requests from devices fail.  The Application event log shows the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NetworkDeviceEnrollmentService" Guid="{73144342-19D1-47A4-94DE-D38E6A054AD5}" />
    <EventID>29</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-03-04T15:12:17.367859700Z" />
    <EventRecordID>1647</EventRecordID>
    <Correlation />
    <Execution ProcessID="3732" ThreadID="3768" />
    <Channel>Application</Channel>
    <Computer>NDES-Comp-Name.foo.bar</Computer>
    <Security UserID="S-1-5-21-701053380-3347107659-2942889231-2638" />
  </System>
  <EventData Name="EVENT_MSCEP_INVALID_PASSWORD" />
</Event>

The mscep.log file shows the following:

  402.478.948: Begin: 3/4/2020 7:03 AM 24.845s
  402.483.0: w3wp.exe
  402.491.0: GMT - 8.00
  2901.1286.0:<2020/3/4, 7:03:24>: 0x80004005 (-2147467259 E_FAIL)
  2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): B96FCFEE D3EC2220 8077AF3F C2C46A2A 22BFBB57
  2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 70553F1F 27D5F499 4493B530 038929AC 4A4AD191
  2905.947.0:<2020/3/4, 7:03:24>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2905.1055.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
  2905.1497.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
  2905.923.0:<2020/3/4, 7:03:25>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 4ED75197 6054E100 DAE442EC 35A46969 120EA1EF
  2905.947.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2905.1062.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
  2905.1534.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2906.1405.0:<2020/3/4, 7:03:57>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
  2902.419.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.4738.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.3690.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5284.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5823.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5799.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.1864.0:<2020/3/4, 7:03:57>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION)
  2905.1865.0:<2020/3/4, 7:03:57>: 0x3 (WIN32: 3 ERROR_PATH_NOT_FOUND)
  2905.1866.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.1867.0:<2020/3/4, 7:03:57>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
  2905.2006.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Various sources recommend enabling the CAPI2 log.  However, that does not show any warnings or errors related to the attempt.  Are there any other logs worth examining?

How to apply fine grained password policy to an OU


I have an OU called TestOU-1. Now I want to apply fine-grained password policies to all the users in TestOU-1. I know fine-grained policies can be applied to global security groups and users only. But I have heard of shadow groups, through which fine-grained policies can be applied to an OU.

How do I create a shadow group for TestOU-1? I know how to create a fine-grained policy. After creating it, what should the value of msDS_PasswordAppliesto be? Is it the DN of TestOU-1 or of the shadow group that I created? Also, do I have to create a global security group before creating a shadow group for the OU?


Thanks and Regards, Radhakrishnan
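A shadow group is nothing more than an ordinary global security group whose membership is kept equal to the user objects in an OU by a script; AD has no object type for it. The PSO is applied to that group, so the attribute that records the target (msDS-PSOAppliesTo) holds the group's DN, never the OU's, and Add-ADFineGrainedPasswordPolicySubject writes it for you. The following is an added example, not from the original post, that creates the group and PSO, synchronises the group with the OU (run it on a schedule), and verifies the resultant policy on users in the OU. OU, group and policy names and the password settings are placeholders.

```powershell
# Added example, not part of the original post. Names and password settings are placeholders;
# run with rights to create groups and PSOs (Domain Admins by default).
Import-Module ActiveDirectory

$ouDn      = 'OU=TestOU-1,DC=corp,DC=example'   # assumption
$groupName = 'PSO-TestOU-1-Users'                # the shadow group
$psoName   = 'PSO-TestOU-1'

# 1. Shadow group: a plain global security group; "shadow" only describes how it is maintained.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn `
        -Description "Shadow group: mirrors user objects in $ouDn"
}

# 2. The PSO, applied to the group. This writes the group's DN into msDS-PSOAppliesTo;
#    an OU DN is not a valid target.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 -MinPasswordLength 14 `
        -PasswordHistoryCount 24 -ComplexityEnabled $true -LockoutThreshold 10 `
        -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00'
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# 3. Keep the group equal to the OU's users. Schedule this (e.g. hourly): users moved into
#    the OU gain the policy, users moved out lose it.
function Sync-ShadowGroup {
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$GroupName)
    $inOu    = Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * | Select-Object -ExpandProperty DistinguishedName
    $inGroup = Get-ADGroupMember -Identity $GroupName | Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty DistinguishedName
    $toAdd    = $inOu    | Where-Object { $_ -notin $inGroup }
    $toRemove = $inGroup | Where-Object { $_ -notin $inOu }
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
    [pscustomobject]@{ Group = $GroupName; Added = @($toAdd).Count; Removed = @($toRemove).Count }
}
Sync-ShadowGroup -OuDn $ouDn -GroupName $groupName

# 4. Verify: the resultant PSO for users in the OU should be $psoName.
Get-ADUser -SearchBase $ouDn -Filter * | Select-Object -First 3 | ForEach-Object {
    [pscustomobject]@{ User = $_.SamAccountName; PSO = (Get-ADUserResultantPasswordPolicy -Identity $_).Name }
}
```

Get-ADUserResultantPasswordPolicy returns nothing for a user who falls back to the domain default, which is how you spot users the sync has not reached yet. If several PSOs could apply to a user, the lowest Precedence wins, so pick the number with that in mind.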


