Channel: Directory Services forum

Error While Joining a domain.| Adding a virtual box machine to host machine's domain

Dear All,

I have a VirtualBox guest where Windows Server 2008 R2 is installed. VirtualBox is hosted by a machine which uses Windows Server 2008 R2. The host machine is a domain controller. I have added the guest to another domain other than the host's. But whenever I try to add the guest machine to the host's domain, it shows me the following error (see below).

 

An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "crmrc.com".

 

The error was: "No records found for given DNS query."

(error code 0x0000251D DNS_INFO_NO_RECORDS)

The query was for the SRV record for _ldap._tcp.dc._msdcs.crmrc.com

 

Could you please suggest a solution for it?

Thanks and Regards,

Yusuf


AD Forest Design When Expanding to the EU

Hello,

Our company is attempting to aggressively expand into the EU from here in the States. Our IT team is trying to determine the best course of action when it comes to our Active Directory forest design. Currently we have a single-domain forest with OUs for each office location. We are struggling with the EU requirements for data and identity management security.

Some people are saying that to do business in the EU you MUST have a separate EU AD forest for all of the users, while others are saying that you can continue to use a single forest/domain as long as you use standard security practices to lock down the data in a proper manner.

Our in-house security guy and legal team are of NO help to us and we are just trying to get the planning started so we can present our ideas and cost to management.  ANY help in finding security bulletins and best practices for a situation like this would be greatly appreciated!

Thanks!

Renaming Computers with least privilege

We are in the process of implementing least privilege rights in Active Directory for our desktop team, and cannot find authoritative information on what rights are required for facilitating this change.

We set up auditing on a test computer object in Active Directory to see what attributes need to be modified, but when we rename a computer we noticed something we didn't expect. The Rename-Computer cmdlet in PowerShell is making an SMB call instead of an LDAP request, and the security log does not capture the access denied message we see in the SMB call. Since the SMB call is encrypted, all we see is the access denied message. At this point we cannot see how we can find the correct attributes to facilitate the rename.

We are fully aware that if we give Read all properties / Write all properties, the rename will work, but there are attributes on the computer object that the group should not be able to read. Where can we go for a real answer to this question?

We are using DSACLS for implementation of changes. The following line works for adding workstations to the domain, and moving them between OUs, but does not work for renaming.

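Call:WriteDesktopAcls "CN=Computers,OU=Contoso,DC=Com"
:: Exit here so the script does not fall through into the subroutine below with an empty %~1
goto:eof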

:WriteDesktopAcls
::##################################
::Create and Delete Workstations
::##################################

DSACLS.exe  "%~1" /I:T /G contoso\DesktopSupport:CC;computer;
DSACLS.exe  "%~1" /I:T /G contoso\DesktopSupport:DC;computer;

::####################################################
::Permissions needed to add workstations to the domain
::####################################################

DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:CALCGRSDDTRC;;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WP;description;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WP;sAMAccountName;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WP;displayName;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WP;userAccountControl;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WS;"Validated write to service principal name";computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WS;"Validated write to DNS host name";computer
goto:eof

AD password change for users not joined in the domain

We are currently in the middle of a migration to O365. We have Exchange 2010 Hybrid and ADFS 3.0 on Win 2012 R2. Most of our users are not domain joined and we are trying to figure out what the best/recommended solution is to allow users to change their AD password while remote.

Thanks,

Egert

DCPROMO FAILS -The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

Hi Experts,                           

We have 4 AD sites and they are working properly. Due to a requirement we need to decommission the DCs in one site. We are trying to demote the DC roles on 2 servers, but they are throwing the attached errors.

 

I tried to follow the given link and changed the orphan entry as mentioned, but this error still persists. Replication and communication are happening properly in all sites.

 

http://www.zerohoursleep.com/2011/07/dcpromo-out-fails-with-the-directory-service-is-missing-mandatory-configuration-information-and-is-unable-to-determine-the-ownership-of-floating-single-master-operation-roles/

 

 

When I tried to run dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=xxx,DC=net -attr fSMORoleOwner

I got the result below, which shows that there is an orphan entry. DC01 doesn't exist in our network any more.

 

CN=NTDS Settings\0ADEL:413b675f-3da2-4c09-b801-6358e839268f,CN=DC01\0ADEL:de8559b2-255b-4603-8f07-608df9e61a73,CN=Servers,CN=GVA,CN=Sites,CN=Configuration,DC=XXX,DC=net 

 

I changed the entry according to the link.

CN=NTDS Settings,CN=EUDC2,CN=Servers,CN=AUS,CN=Sites,CN=Configuration,DC=XXX,DC=net 

 

 

Event Log Errors-01

 

The operations master roles held by this directory server could not transfer to the following remote directory server.

 

Remote directory server:

\\EUDC2.xxx.net

 

This is preventing removal of this directory server.

 

User Action

Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.

 

Additional Data

Error value:

5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

Extended error value:

0

Internal ID:

52498735

Event Log Errors-02

 

Ownership of the following FSMO role is set to a server which is deleted or does not exist.

 

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

 

FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=xxx,DC=net

FSMO Server DN: CN=NTDS Settings\0ADEL:413b675f-3da2-4c09-b801-6358e839268f,CN=DC01\0ADEL:de8559b2-255b-4603-8f07-608df9e61a73,CN=Servers,CN=USA,CN=Sites,CN=Configuration,DC=XXX,DC=net

 

User Action:

 

1. Determine which server should hold the role in question.

2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently.  If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.

3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.

 

The following operations may be impacted:

Schema: You will no longer be able to modify the schema for this forest.

Domain Naming: You will no longer be able to add or remove domains from this forest.

PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.

RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.

Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

 

Any suggestions apart from that link, please?


 


Regards Suman B. Singh

Disable option " user must change password at next login"

Hi Team,

Can anyone help me achieve this task? We have one OU, suppose it is the test OU, and in this OU we have 100 users.

We have to implement a policy so that when we try to reset the password of any user from the dsa.msc console on this OU, "User must change password at next login" should be disabled, but at the same time, when the same user logs in on his desktop, he will be asked for the password change.



Regards, Triyambak

FRS 13508 (No instance of 13509) - Diagnosing

Hello!

We have two 2008 R2 DCs and our second DC has been getting the 13508 for months. I have checked the logs and have found no instance of 13509. I have run ntfrsutl version and got this:

NtFrsApi Version Information
   NtFrsApi Major      : 0
   NtFrsApi Minor      : 0
   NtFrsApi Compiled on: Nov 19 2010 22:04:38
NtFrs Version Information
   NtFrs Major        : 0
   NtFrs Minor        : 0
   NtFrs Compiled on  : Nov 20 2010 02:15:59
   Latest changes:
   Install Override fix
OS Version 6.1 (7601) -
SP (1.0) SM: 0x0110  PT: 0x02
Processor:  AMD64 Level: 0x0006  Revision: 0x0f0b  Processor num/mask: 2/00000003

I'm not exactly sure what that means, but I continued to do some diagnostics.  I was able to ping the FQDN with no problem.  I disabled the firewalls on both boxes and tested with no luck. 

In addition, I have noticed that the DC that is NOT receiving the 13508 error is getting 13568:

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

It appears these two (13508 on DC2 and 13568 on DC1) started at about the same time months ago. It informs me in 13568 to "Enable Journal Wrap Automatic Restore", but I'm afraid to do so. Is this something I should do?

Any idea what would be causing this and what my next steps would be?  Let me know if I can get you any more info.

Thanks for the help in advance!


Local user account is trying to authenticate against domain controller

Hi all. I am seeing a weird user logon issue on one of my laptops and on another user's PC. Both the laptop and the PC are members of our domain. However, on this particular laptop and PC, we are not logging in with a domain user account; rather, we've created a local user account, granted it local admin access, and log in with this local user account. Now, on my domain controller, I am seeing a bunch of account logon failure messages, which happen a few times per minute and are filling up the domain controller security log. The laptop is a clean build, with a fresh Windows 7 installation, along with MS Office 2010 and a few third-party applications (e.g. Adobe Reader, 7-Zip, etc). I've checked all group policies to ensure there are no services or connections requiring domain credential access that have been applied to this laptop (or the PC). I am not sure why this local user is trying to authenticate to our domain controller. This user account doesn't exist in our domain. The only thing I can think of is that Microsoft Outlook 2010 might be doing background authentication against the domain controller using the currently logged-in user account; I just can't confirm this. Has anyone encountered this issue in their environment? Thank you.

Below is a copy of the event.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          13/06/2014 8:56:27 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      domaincontroller.mydomain.local
Description:
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        dummy
    Account Domain:        l-sparet400sc

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xc000006d
    Sub Status:        0xc0000064

Process Information:
    Caller Process ID:    0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:    L-SPARET400SC
    Source Network Address:    192.168.2.181
    Source Port:        60720

Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
    <EventRecordID>299829083</EventRecordID>
    <Correlation />
    <Execution ProcessID="488" ThreadID="640" />
    <Channel>Security</Channel>
    <Computer>domaincontroller.mydomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">dummy</Data>
    <Data Name="TargetDomainName">l-sparet400sc</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">L-SPARET400SC</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.2.181</Data>
    <Data Name="IpPort">60720</Data>
  </EventData>
</Event>


DFS

I keep getting a DFSR Event ID 5014 (stopping communication with partner), immediately followed by 5008 (failed to communicate with partner), and a minute or two later 5004 (successfully established connection with partner). This happens multiple times a day and I cannot figure it out.

Any help would be appreciated.

Thanks

How to quickly create a test ADAM instance in the QA environment that is a replica of production ADAM but then disconnect it from production.

I have restored from file backup an ADAM instance onto our QA server that was backed up from a production ADAM instance.

The instance functions fine except that for stuff like FSMO roles, it still thinks it's connected to the production ADAM instance.

How can I completely disconnect and cut off this restored instance from production?

I never want this replica to replicate with production again.

This should be a standalone QA ADAM instance for testing only.

The only thing I might want to do is add another QA ADAM server for this instance to replicate with.

Thanks.

How to backup and restore Windows 2012R2 ADFS

I am looking for the "Official" instructions for backing up and restoring an ADFS server which uses Full Remote SQL 2012. I know the database is backed up but what are the procedures for DR on the ADFS servers themselves?

The migration of ADFS 2.1 to 2012 R2 ADFS includes an export of the ADFS metadata and an import into 2012 R2 ADFS. Is this a possible solution to schedule for 2012 R2 ADFS in order to quickly restore in the event that the farm dies?

Old DC Servers still reporting in dcdiag after demoting 2003 R2 servers in 2008 R2 domain

I demoted two 2003 R2 servers and turned off the servers, one of which was the FSMO holder. Now when I run "DCDIAG /c /v /f:dcdiag.txt" on the new FSMO server ma-file1, it still shows the two demoted domain controllers ma-file and ma-util as shown below. I have cleaned DNS but can't seem to clear the entries below. I also made sure ma-file and ma-util are not in Sites and Services. Any ideas how to get this cleared? Again, ma-file and ma-util only show up on ma-file1 when running dcdiag. The other DCs do not show ma-file or ma-util when running dcdiag.

Performing initial setup:

   * Connecting to directory service on server ma-file1.

   ma-file1.currentTime = 20140324215330.0Z

   ma-file1.highestCommittedUSN = 300526

   ma-file1.isSynchronized = 1

   ma-file1.isGlobalCatalogReady = 1

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ccc,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccc,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Boffice,CN=Sites,CN=Configuration,DC=ccc,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Urology,CN=Sites,CN=Configuration,DC=ccc,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ccc,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=MA-FILE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccc,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=MA-UTIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccc,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained

Disable change password at next logon for group in AD

Hello Team,

I want to disable access for a group in AD to the checkbox which asks for "change password at next logon", to prevent users from retaining generic passwords after a password reset.

This should be greyed out when a service desk agent resets the password for a user.

I have a 2008 R2 domain controller.

Thanks


Mukesh Saini

Facing Certificate issue while installing ADFS - Windows Server 2012.

Team,

Facing Certificate issue while installing ADFS - Windows Server 2012.

Error:
The certificates with the CNG private key are not supported.

Based on Bing, I found this article: http://blogs.technet.com/b/mspfe/archive/2013/11/29/adfs-configuration-wizard-fails-with-error-the-certificates-with-the-cng-private-key-are-not-supported.aspx

Which I have tried, but still no good.
It's been 2 days that I have been trying my best, but I can't get a solution.
My ADFS deployment is not moving forward and it is impacting my timelines.

Please suggest a concrete solution.

Regards, Dematri

KRB_AP_ERR_MODIFIED 4 Random on Member Server in upgraded Domain 2003 to 2012 R2

Hi all

For one of our customers we migrated a 2003 domain to 2012 R2 (3 DCs, 2 AD sites), now native, all 2012 R2 DCs in 2008 AD and forest mode. All was OK until a few weeks after demoting the last 2003 DC. Randomly, every 4 weeks, 2012 R2 member servers in the domain log the KRB_AP_ERR_MODIFIED Event ID 4 in the Event Viewer.

This AM I get a call and users cannot log into the management server. I then try to log onto the Member Server. I get a login error, the Member Server doesn't recognize administrator or the regular domain admin account I typically use. I then log on with the local Administrator Account successfully. I'm forced to do a restart. After restart I can log in and everything appears to be good.

A review of the event logs show that @ 21.20h the system logs event 5823 (NETLOGON The system successfully changed its password on the domain controller . This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password. ).

Then nothing until ~ 2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot. We checked AD / DNS and the SPNs for the servers. Can anyone shed some light on what possibly happened? Did the automatic change of the system password break AD?

Regards Steven


DC - refuses administrator log on

History: I migrated a 2003 domain to 2012 R2 (2 DCs), now native. All was OK until my 1st reboot of the 2nd DC. It lost its ability to communicate with the domain. I've demoted/removed it and am now on 1 DC until I can do some more testing. DNS is now clean and dcdiag gives a clean bill. This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs show that @ 4:30PM yesterday the scheduled backup (Win Backup) occurred successfully.  Then shortly after 5PM the system logs event 5823 (NETLOGON  The system successfully changed its password on the domain controller .  This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password. ). 

Then nothing until ~ 2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

Custom AD Attributes using powershell

Hi,

Is it possible to create custom attributes using PowerShell v2/v3?

Marcel


Cannot DNS resolve across networks using host name only (not fqdn)

Evening all,

I currently run a domain network (MS Server 08 - DHCP) on my firewall interface1 and a WiFi network on interface2 (DHCP provided by the router itself). On my WiFi DHCP I am advertising the domain's DNS server, but WiFi clients can resolve only FQDN domain client names, not host names ("domainclient.domain.local" - not "domainclient").

If on my WiFi client I change NIC properties -> IPv4 -> Advanced -> DNS -> "Append these suffixes" and put in domain.local, then it works, but it needs to be able to work without manual changes to each client.

Any ideas?

Many thanks,

Argyris

Multiple Event ID 4015 - Windows Server 2012 DC

Hi all,

I have been seeing a large number of event ID 4015 in the DNS Server logs of a newly installed server 2012 DC that I look after. The exact event is:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          22/05/2014 13:24:04
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      BCSERV01.batchelorcoop.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
    <EventID Qualifiers="49152">4015</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-05-22T12:24:04.000000000Z" />
    <EventRecordID>4242</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>DNS Server</Channel>
    <Computer>BCSERV01.batchelorcoop.local</Computer>
    <Security />
  </System>
  <EventData Name="DNS_EVENT_DS_INTERFACE_ERROR">
    <Data Name="param1">
    </Data>
    <Binary>51000000</Binary>
  </EventData>
</Event>

I have read through almost every post on this website regarding event 4015 but have yet to find a solution for this. They are generating every 5 minutes or so. Any help is much appreciated, let me know if there is any further information that can help you.

Certificate Authority - pkiEnrollmentService and certdat.inc mismatch

Hello,

This question has never been answered directly.

Q: Do the pkiEnrollmentService object field 'dNSHostName' and the value for 'sServerConfig' set in the certdat.inc file located in %windir%\system32\certsrv\ have to match all the time, or are there instances where they shouldn't match for good reason?

Example correct values as I understand them:

pkiEnrollmentService object field 'dNSHostName':    CAhostname.domain.com (The FQDN of the CA server)

'sServerConfig' value in certdat.inc:    CAhostname.domain.com\MyEvilCA (FQDN of the CA server \ The name of the CA as viewed in the Certificate Authority snap-in.)

Thanks,

Alex
