Channel: Directory Services forum

Computer account getting deleted automatically


Have a strange issue: computer accounts are getting deleted automatically from AD (Win 2008 R2, 2012 and 2012 R2 DCs). I could see a few events 4724 and 4742 for reset and change. I could also see a 5141 event for the same computer account, but it is for class dnsNode with security ID SYSTEM. Can anyone help me understand what this event is for? The DN shows CN=MicrosoftDNS,DC=domain,DC=com. Is there anything wrong with the DNS server? If there is an issue with the DNS server, why doesn't it cause issues for all the host records?

Also, I don't see any 4743 or any other event for computer account deletion.

Need help and suggestions immediately please....

Appreciate the support provided!!
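To triage the events described in the post, here is an added example (not the poster's script): it lists recent 5141 directory-object deletions on a DC with their ObjectClass and ObjectDN, so dnsNode deletions under CN=MicrosoftDNS can be told apart from a deletion of the computer object itself (which would carry ObjectClass computer, alongside a 4743). It assumes "Audit Directory Service Changes" is enabled on the DC; the host name WKS01 is a constructed placeholder.

```powershell
# Added example, not from the original post. Requires an elevated session on
# (or with remote event-log access to) a DC where Directory Service Changes
# auditing is on; without it event 5141 is never written.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query; local by default
    [string]$HostFilter   = 'WKS01',             # constructed sample host name
    [int]$Days            = 7
)

$filter = @{
    LogName   = 'Security'
    Id        = 5141                              # "A directory service object was deleted"
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 5141 carries its details as EventData; pull the named fields from the XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            ObjectClass = $data['ObjectClass']   # 'computer' vs 'dnsNode'
            ObjectDN    = $data['ObjectDN']      # e.g. ...,CN=MicrosoftDNS,DC=domain,DC=com
            Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            TreeDelete  = $data['TreeDelete']
        }
    } |
    Where-Object { $_.ObjectDN -like "*$HostFilter*" } |
    Sort-Object Time |
    Format-Table -AutoSize
```

If the output only ever shows ObjectClass dnsNode for the host, the audited deletions are DNS records, not the computer object; a deleted computer object appears here as ObjectClass computer and also raises 4743.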


import bulk users ad


Guys,

I would like to get some more info about importing users through a CSV into AD.
First, I did read some fine articles (like this one: http://www.computerperformance.co.uk/Logon/Logon_CSVDE_Bulk.htm), but most of the time I get more questions after reading them and I still can't do the trick.

Question 1: I would like to find out what attributes I can use in the CSV and what their purpose is.

Question 2: how should I read the DN attribute? Does it start with the name of the server or the domain name?

Question 3: what if I want to create users in a nested OU (OU: users; OU: management)? How should I do that?

Thanks for the replies and help.

Forefront Identity Manager - Enabling / Disabling / Re-Enabling / Re-Disabling... userAccountControl how to do this with synch. rules and constraint of precedence ?


Remove Certificate authority ok?


I have an old 2008 R2 domain controller that has Certificate Authority installed. I want to uninstall it and start from scratch with a root CA and a subordinate. I have read all the knowledge base articles but want to know if it is OK to proceed. No certificates were being used for SSL or for encrypting data. I just don't want to mess anything up. When I run certutil -key I do not get anything to delete, although I see the key in AIA, CDP etc.

Is it safe to uninstall, then remove all references in all containers, and then start fresh with a new 2-tier infrastructure?

Thanks!!

One Way Trust, Start with RWDC Then Go To RODC?


So, we have an internal network and a DMZ network in play here. I'm attempting to set up a one-way trust so resources on the DMZ network can be managed from the internal network. The internal network has RWDCs in its domain, and the DMZ has its own RWDCs in its own domain plus an RODC from the internal network's domain. The internal network's RODC is in its own site in AD and is confirmed to be communicating with the RWDCs in the internal network. The RODC is not an authoritative DNS server, but can host a secondary zone or stub zone. The functional level of the internal domain is 08 R2 and the DMZ domain is 2012 R2, if that matters.

The task is to set up the one-way trust, and it's proving a bit difficult. So far I've attempted both conditional forwarders and stub zones on the RODC and the DMZ RWDC, no dice. There are no observed DNS replication problems within the domains themselves and, using ping and nslookup, I've confirmed that DNS resolution is working between the RODC and the DMZ RWDC. When I try to create the trust from the DMZ RWDCs, it fails saying the specified domain cannot be contacted. Based on what I've read online in other posts and my inability to get around it, it seems that a trust requires an RWDC at each end to function. If this is not the case, I would love to hear how it can be set up with an RWDC at one end and an RODC at the other.

Now, if it's correct that the trust requires two RWDCs to set up, what if it was set up with two RWDCs and then one of the RWDCs was removed and replaced with an RODC? I guess what I'm asking is: does it just require an RWDC at each end to be set up, or does it also require an RWDC at each end for the trust to function properly on an ongoing basis?

How to get local admin members


Hi Guys

I can use the following PowerShell script to get local admin members, but there is one problem: if any non-resolved SID exists in a local admin group, the script reports an error and stops running. Is there a way to fix that problem?

===========================================

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Machine (local SAM) context against the target server; $server holds its name
$server  = $env:COMPUTERNAME
$ctype   = [System.DirectoryServices.AccountManagement.ContextType]::Machine

$context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctype,$server

$idtype  = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName

$group   = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($context,$idtype,'Administrators')

# Enumerating Members throws a PrincipalOperationException when a member SID cannot be resolved
$group.Members | Select-Object Name, SamAccountName, Sid
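An alternative that survives orphaned SIDs, added here as an example (not the poster's script): enumerate the group through the ADSI WinNT provider and resolve each SID in a separate try/catch, so an unresolvable member becomes a flagged row instead of aborting the run. It assumes RPC/SMB connectivity to the target and local admin rights there; $Server defaults to the local machine.

```powershell
# Added example, not from the original post. The WinNT provider returns group
# members without forcing SID-to-name resolution, so an orphaned SID is simply
# another member object. Resolution is then attempted per member.
param([string]$Server = $env:COMPUTERNAME)

function Get-LocalAdminMember {
    param([string]$ComputerName)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Invoke('Members') yields raw COM objects; their properties are read by reflection.
    foreach ($m in $group.psbase.Invoke('Members')) {
        $type   = $m.GetType()
        $name   = $type.InvokeMember('Name',      'GetProperty', $null, $m, $null)
        $path   = $type.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $class  = $type.InvokeMember('Class',     'GetProperty', $null, $m, $null)
        $sidRaw = $type.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)

        # objectSid comes back as a byte array; convert it to the S-1-5-... string form.
        $sid = (New-Object System.Security.Principal.SecurityIdentifier($sidRaw, 0)).Value

        # Resolve the SID on its own; a failure marks an orphaned member and continues.
        $resolved = $true
        try {
            $null = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount])
        } catch {
            $resolved = $false
        }

        [pscustomobject]@{
            Computer = $ComputerName
            Name     = $name
            Class    = $class          # User or Group
            SID      = $sid
            Resolved = $resolved       # $false = orphaned SID, a cleanup candidate
            ADsPath  = $path           # WinNT://DOMAIN/account or WinNT://HOST/account
        }
    }
}

Get-LocalAdminMember -ComputerName $Server | Format-Table -AutoSize
```

Rows with Resolved = $false are the entries that make the AccountManagement version stop; listing them is also the quickest way to find stale admin grants to remove.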

Unable to create Trust between domains


Scenario: I am trying to build a 2-way trust between two Windows forests, abc.com & xyz.com.

The highest OS in both domains is Win 2008 R2.

FFL and DFL in both is Win 2003.

I added forwarders in DNS in both - it is resolving.

I disabled the antivirus.

I stopped Windows Firewall on all the DCs of the domains and there are no network-level port restrictions.

I am able to ping all DCs from each of the DCs in both domains.

Having done all of the above, I am unable to create the trust - in the trust wizard it is not identifying the domain names.

Another thing is that I have a primary zone existing in the name of each of the domain names, i.e. in abc.com I have another primary zone created for xyz.com, and likewise in xyz.com I have an abc.com primary zone. Will this be an issue? If not, guidelines please...


KRB_AP_ERR_MODIFIED 4 Random on Member Server in upgraded Domain 2003 to 2012 R2


Hi all

At one of our customers we migrated a 2003 domain to 2012 R2 (3 DCs, 2 AD sites), now all native 2012 R2 DCs in 2008 domain and forest mode. All was OK until a few weeks after demoting the last 2003 DC. Randomly, about every 4 weeks, 2012 R2 member servers in the domain log the KRB_AP_ERR_MODIFIED Event ID 4 in the Event Viewer.

This AM I got a call that users cannot log into the management server. I then tried to log onto the member server. I got a login error; the member server doesn't recognize administrator or the regular domain admin account I typically use. I then logged on with the local Administrator account successfully. I was forced to do a restart. After the restart I can log in and everything appears to be good.

A review of the event logs shows that at 21:20 the system logged event 5823 (NETLOGON: The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.).

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot. We checked the AD / DNS and the SPNs for the servers. Can anyone shed some light on what possibly happened? Did the automatic change of the system password break AD?

Regards Steven


-samid


I was creating a group at the command prompt and typed dsadd group "CN=aamir,OU=Group,DC=contoso,DC=com". When I had successfully created the group, I tried to change the group scope and the group type by typing -samid aamir -secgrp yes -scope g, and then I got an error saying '-samid' is not recognized as an internal or external command, operable program or batch file. If anyone knows how to fix this error, let me know. I appreciate your time.

Authenticating against AD with Kerberos, by a user with an explicit UPN


Hello

My situation:

I have a 2008 functional level domain with a technical name, let's say tec.domain.com.

I have configured an alternate UPN for this domain: domain.com (that is only a DNS domain name, not an existing AD domain).

My users have a SamAccountName like j.doe and a UPN like john.doe@domain.com (which is their email address in our Exchange organization).

Now, from a Linux server (running Apache and Kerberos), I can do a kinit with j.doe@TEC.DOMAIN.COM, but not with john.doe@DOMAIN.COM.

When I capture traffic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.

According to this article ( http://msdn.microsoft.com/en-us/library/Cc212351.aspx ), my DC should be able to handle it, as far as I understand it.

Am I missing something?

Thanks in advance.


workplace join additional factor auth



Please consider this request as urgent and critical. As I had raised it with the Office 365 community, they have routed me to the Directory Services forum.

I am planning to deploy workplace join with DRS in my environment and looking for your valuable feedback.

Current Environment:

DC: Windows Server 2008 R2

Domain & Forest functional level: 2003

ADFS 2.0 & ADFS proxy deployed

2FA by 3rd party app

In order to do workplace join, please confirm if my understanding is correct:

a) Upgrade the domain controller from 2008 to 2012 R2

b) Replace ADFS 2.0 with ADFS 2012 R2

c) Replace the ADFS proxy with WAP

d) Upgrade the forest & domain functional level to 2012?

e) Can cert-based authentication be used for external users as the 2nd factor authentication?

f) What are the other 2FA options? (Not looking for MFA by O365 or Azure, as it uses App Passwords for non-browser clients.)

Any pointer will be deeply appreciated.

Regards, Dematri

dual-stacked DCs

ADMT 3.2 New - June/2014 Release


Hello to all, the following MS link states that ADMT 3.2 has a new release and all previous versions are deprecated:

http://technet.microsoft.com/en-us/library/active-directory-migration-tool-versions-and-supported-environments(v=ws.10).aspx

Is there a problem or restriction in using this new ADMT 3.2 release if the source domain has a newer AD version than the target domain? Example: the source AD has all DCs on Windows 2012 R2 and the target domain has all DCs on Windows 2008. Have you already been through a similar scenario in real life with the new ADMT 3.2 release?

Regards, EEOC.

Employee X in Domain A Reports to Employee Y in Domain B


What happens when a user in one Active Directory reports to a user in a different AD? We can't replicate users in all ADs.

e.g. We have an employee in Spain reporting to someone in the US. They are in the Spanish AD and their manager is here.

We could manually add the manager in the properties, but the next time we sync with their AD, it will be overwritten.


Devster

NLTEST /DCNAME Cannot find DC

I have been fighting this for over a week, and I'm stumped.
On a 2008 R2 DC that holds the PDC emulator role, I get the following.

NLTEST /DCNAME:MyDomain.com
NetGetDCName Failed: Status = 2453 0x995 NERR_DCNotFound

For the most part all other tests I have tried seem to show no problems.

This DC is also a DNS and DHCP server.

I have only 2 DCs.

Below are the results of some other tests which look good, but I will include them for reference:

systeminfo | findstr Domain
OS Configuration:    Primary Domain Controller
Domain:     MyDomain.com


netdom query fsmo
Schema master               ADServer1.MyDomain.com
Domain naming master        ADServer2.MyDomain.com

PDC                         ADServer1.MyDomain.com
RID pool manager            ADServer1.MyDomain.com
Infrastructure master       ADServer2.MyDomain.com
The command completed successfully.

NLTEST /DSREGDNS
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

nltest /dclist:MyDomain.com
Get list of DCs in domain 'MyDomain.com' from '\\ADServer2.MyDomain.com'.
           ADServer2.MyDomain.com        [DS] Site: Default-First-Site-Name
    ADServer1.MyDomain.com [PDC]  [DS] Site: Default-First-Site-Name
The command completed successfully

dsquery server -hasfsmo pdc
"CN=ADServer1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MyDomain,DC=com"

IPCONFIG /ALL

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ADServer1.MyDomain.com
   Primary Dns Suffix  . . . . . . . : MyDomain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MyDomain.com

Ethernet adapter LAN 1 Slot 4 Close to mboard:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I350 Gigabit Network Connection #2
   Physical Address. . . . . . . . . : 00-0A-CD-24-7E-2D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.172.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.172.100
   DNS Servers . . . . . . . . . . . : 192.168.172.1
                                       192.168.172.251                                    
   NetBIOS over Tcpip. . . . . . . . : Enabled

There are 3 NICs in total, but only 1 is enabled.

Repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\ADServer1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 59439d65-35ba-4f4e-a50d-303823810e8c

DSA invocationID: ff79b065-1e22-407a-9067-d22beab36571

==== INBOUND NEIGHBORS ======================================

DC=MyDomain,DC=com

    Default-First-Site-Name\ADServer2 via RPC

        DSA object GUID: fb1bafa6-9b01-4d4e-8964-f91156c2bf8c

        Last attempt @ 2014-09-29 15:09:11 was successful.

CN=Configuration,DC=MyDomain,DC=com

    Default-First-Site-Name\ADServer2 via RPC

        DSA object GUID: fb1bafa6-9b01-4d4e-8964-f91156c2bf8c

        Last attempt @ 2014-09-29 14:51:32 was successful.

CN=Schema,CN=Configuration,DC=MyDomain,DC=com

    Default-First-Site-Name\ADServer2 via RPC

        DSA object GUID: fb1bafa6-9b01-4d4e-8964-f91156c2bf8c

        Last attempt @ 2014-09-29 14:51:32 was successful.

DC=DomainDnsZones,DC=MyDomain,DC=com

    Default-First-Site-Name\ADServer2 via RPC

        DSA object GUID: fb1bafa6-9b01-4d4e-8964-f91156c2bf8c

        Last attempt @ 2014-09-29 14:51:32 was successful.

DC=ForestDnsZones,DC=MyDomain,DC=com

    Default-First-Site-Name\ADServer2 via RPC

        DSA object GUID: fb1bafa6-9b01-4d4e-8964-f91156c2bf8c

        Last attempt @ 2014-09-29 15:07:49 was successful.


DCDIAG /TEST:DNS /V /E 
Quite long output, but all tests say pass.

Anyone have any ideas?


Chris Watkins


Setting up Subnets in Sites and Services

Having three logical sites set up, is it wrong to have the same subnet specified for the five DCs?

Not able to create DC @ second site.


Hi,

I've got my home lab server, where I would like to create 3 sites to make it more like an actual environment. I've created two sites and installed 2 DCs at site 1, and when I try to install another DC at the second site, it gives me the error: NOT ENOUGH RESOURCES TO COMPLETE THIS PROCESS. I've checked all connections and settings regarding DNS/ports/name resolution, and all are working fine.

1. Created a 2nd IP subnet and Site 2

2. Associated the subnet with Site 2

3. Created a site link for Sites 1 & 2.

4. Ping & nslookup working fine from both subnets.

5. The 2nd site system is a domain-joined system (meaning DNS is working fine).

The only glitch I've found is that my on-board LAN port is not compatible with WS2012 R2, so I've installed a secondary LAN card in the system and all communications work from the 2nd LAN card. My thought is that this shouldn't be an issue. I googled this one and found nothing helpful to resolve the issue.

Any help/suggestion is highly appreciated.

Regards

Rajneesh Kumar MCITP - SA, MCSE, CNA


Does backing up system state on a parent domain controller back up the child domains as well?


I cannot seem to find anything that states whether backing up your system state on a parent domain controller will also back up the child domain.

Thank you in advance.


Set up AD replication on Domain Controllers on different forests

I have 2 DCs (Test 1 and Test 2) in Domain A in a forest and they are currently replicating. So if I add a user on Test 1 it will replicate to the Test 2 server. I would like the Domain B DC (Test 3) in a separate forest to be able to replicate the users created in Domain A's AD. The forests are trusted both ways. Is this possible?

Multiple ADFS Servers within a Single Domain


Dear all,

I guess it is normal practice to have only 1 ADFS server or 1 ADFS server farm within 1 domain. However, do you know if it is possible to install 2 ADFS servers within the same domain, yet configured to serve different applications? Actually, we have tried to install 1 ADFS server in an AD domain, but when we try to configure the second ADFS server within the same domain (intended to work independently from the first one), the whole ADFS architecture seems to break down. It seems some information is set in the AD DNS which, when the second ADFS server is added to the domain, corrupts the information saved by the first one.

Does anyone know if the above situation (2 independent ADFS servers within the same domain) is possible or not? Thanks.
