Channel: Directory Services forum
Viewing all 31638 articles

"user must change password at next logon" flag for multiple users


2008 R2 domain with a couple of 2012 R2 DCs.

john.user is in the Users OU. If I right-click john.user, choose Properties, go to the Account tab, and check "user must change password at next logon," the next time john.user tries to log in, he gets prompted to change his password. Also, the PowerShell command

get-aduser -filter * -Properties * | ? name -like "*john.user*" | select name,pwdlastset

shows that john.user's pwdlastset is 0. All of this is as expected.

But if I highlight every account in the Users OU, right-click, Properties, Account, "user must change password at next logon," it appears that nothing whatsoever happens. john.user doesn't get prompted to change his password at his next logon, and his pwdlastset is something like 130622757432306111.

Is this the expected behavior? Why are the Account tab and/or the "change password at next logon" box available to me when selecting multiple users if they aren't meant to work?




NEED YOUR HELP!


Three forests and domains, for example: a.local, b.internal, c.mis
a.local has a two-way EXTERNAL trust with b.internal
b.internal has a two-way forest trust with c.mis

Does a.local have a one-way or two-way trust with c.mis?

Thank you!

KB216970 - Confusion with Mixed-Mode Domains and Universal Groups in a Trusted Domain


Hi

KB216970 briefs about the role of the Global Catalog for accounts (user and computer) in various operations like explicit UPN name resolution and group membership population in the case of domains with functional level >= Windows 2000 Native (i.e. with the introduction of Universal Security groups).

At the bottom of this KB, it states

"In a Mixed-mode domain, universal groups cannot be created. If a Windows 2000-based computer is located in a down-level or Mixed-mode domain, different behavior occurs. Other domains may be in Native mode and universal groups may have been created that contain the user as a member. The domain controller authenticating the logon request will add the SIDs of the global groups of which the user is a member to the user's token and the local computer adds SIDs for groups of which the user is a member on the local computer as appropriate. When an attempt to use resources in another domain occurs, the computer hosting the resource contacts a domain controller for that domain, which adds the SIDs of the groups local to that domain (which may include universal groups) of which the user is a member to the user's token."

The highlighted part confused me, and indeed it doesn't work as stated. Hence, I tried to simulate this scenario; please have a look at THIS document covering this scenario and please let me know if I am wrong in deducing the quoted text or in implementing the simulation as per the quoted text!

Please Assist.

Thanks



OS ... VirTuaLiZaTioN ... MaxiMuS ... Fair, Good, Better, Best

Trust relationship between hosts (servers/workstations) to primary domain


hello

We have upgraded our domain controllers to Active Directory 2012 from Server 2003, and I am noticing an increase in trust relationship issues.

What can cause that?

Windows 2008 R2 Event Id 12294 User Locked


Dear All

I am suddenly facing a problem where our users are getting locked out. Event 12294 is generated on the Active Directory server.

Please find the attached error log.

Please help.

Sunil


SUNIL PATEL SYSTEM ADMINISTRATOR

Are there any AD LDS Security best practices?


Hi,

Is there any security baseline for AD LDS by Microsoft or any other reputable organization?

I am looking for something like a set of configurations / settings to compare the AD LDS server which authenticates non-domain devices (linux, networking devices, etc.) using LDAP.

Log on to... Attribute with 2012R2

Hi there,

Is it possible that the behavior of the attribute "userWorkstation" or "Log on to..." has changed with a 2012 R2 domain?

With 2008 R2 it was possible to just put in the target machine, and the user was able to connect to that machine through RDP.

Doing so now makes the user unable to connect to any machine; only by adding the source machine as well does it work again.

Can anybody confirm or disprove that behavior with a 2012 R2 domain?

Thanks a lot!

Problem connecting server to domain


Hi,

I am trying to connect my Hyper-V Server 2012 R2 to my domain. I was getting an unspecified error using the built-in command, so I then tried the "netdom join" command from the command prompt. That is giving me the error "The network path was not found". However, an nslookup of the domain points to my domain controller, and a ping of it is successful. I have disabled the firewall on both servers. I am out of ideas at this point. Any suggestions?

Thanks,

I. Kinal


NO WINS Server but WIN7 Client Default netBios Setting


Hi All,

We have no WINS servers, and all our Windows 7 clients are set to the default NetBIOS settings.

So do we need DHCP option 046 (WINS/NBT node type 0x8) set?

AS

Event ID 36886


Hi,

I'm looking at an environment which is as follows:

1 W2K3R2 DC - DC1 - All FSMO roles here. Has certificate issued by the local Enterprise CA server.

1 W2K8R2 DC - DC2 (This DC was migrated from W2K3R2 to W2K8R2 recently. Same name and IP were kept. has third party SSL cert installed for Mimecast LDAPS).

1 W2K8R2 DC - DC3 (This DC was migrated from W2K3R2 to W2K8R2 recently. Same name and IP were kept. No certificate in the Computer > Personal certificate store.)

There is a local Enterprise CA setup on W2K3R2. Looking at the Enterprise CA, I can see that the old DC3 (when it was W2K3R2) was being issued DC certificates from the CA. There is a certificate enrolment policy defined in GP.

I am seeing event ID 36886 on DC3. (No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.)

As per http://support.microsoft.com/kb/261196 the event 36886 is expected if there is no CA in the domain. In this case, there is a CA and it seems it was issuing certificates to the old DC3.

1) Am I correct in presuming that DC2 is not getting these errors as it has a third party SSL cert installed?

2) Is there any need to request the cert from the domain CA for DC3 or will AD, etc. work correctly, given that this is the only DC that doesn't have a cert? Will clients and servers require me to obtain a certificate for DC3?

3) If I need to request and install a cert, should I create a request using the command line or simply go to mmc > Certificates snap-in (Local Computer) > Personal and request a certificate? When I do this, I get an option to choose the enrolment policy: 'Configured by Administrator (Active Directory enrolment policy)' or 'Configured by you'. The Active Directory enrolment policy only has the 'Domain Controller' policy available. Clicking on Details > Properties gives me several options such as friendly name, etc. that I can fill in. Is there any need to fill in any details?

Thanks,

HA

DC/DNS settings and slow start up.


Hi,

I have a scenario with 4 DCs. Three of them are DNS servers.

DCA (DNS/DC W2K3R2): 192.168.1.1 (all FSMO roles here. Also GC). Primary DNS 192.168.1.1 (itself), Secondary DNS 192.168.1.3

DCB (DNS/DC W2K8R2): 192.168.1.2 (GC). Primary DNS 192.168.1.1, Secondary DNS 192.168.1.2 (itself)

DCC (DNS/DC W2K3R2): 192.168.1.3 (GC). Primary DNS 192.168.1.1, Secondary DNS 192.168.1.3 (itself)

DCD (DC only W2K8R2): 192.168.1.4 (GC). Primary DNS 192.168.1.1, Secondary DNS 192.168.1.3

I have only tried this with DCB:

On DCB, if I keep itself as primary (192.168.1.2) and DCA (192.168.1.1) as secondary DNS and I restart DC2, it takes a long while to come up. After it comes up, if I check the logs, I see several errors:

Event id: 14550 (DFSSvc),

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

Event ID: 129 (Time-service)

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

Event ID: 5719:

This computer was not able to set up a secure session with a domain controller in domain exampledomain due to the following:

There are currently no logon servers available to service the logon request.

This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

Event ID: 1129 (Group Policy):

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

After some time, the errors seem to go away and I will see event id 37 (time service), event 1503 (group policy), etc. My questions are as follows:

1) Is the above behaviour the 'islanding' behaviour described here: http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest

2) Based on the article, for DCB and the other DCs, I should not have them pointing to themselves as primary DNS but as secondary or tertiary DNS. So DCB should point to DCA or DCC for primary DNS and itself as secondary. When I do this, none of the errors above occur. Is this true of the DC that holds all the FSMO roles as well? Should it have DCC (for example) as primary DNS and itself as secondary DNS?

3) All FSMO roles are on DCA. DCA is also a GC. Is this OK given that all DCs are GCs? This is a one-domain environment, and the domain and forest are at Windows 2003 level.

Thanks very much,

HA

Pros and cons in setting AD domain trust into my AD domain for more than 10+ AD domain and some with same FQDN or label ?


Hi,

Can someone please share the pros and cons of trusting AD domains for more than 10 different AD sites into my existing single-domain forest, let's say ParentCompany.com?

At the moment I only have one single-forest AD domain with the domain and forest functional level at Windows Server 2003. The main domain controller FSMO role holder is in the data center, spread across three different VMs running on Windows Server 2008 R2.

The main/parent company has acquired a smaller business chain of 15+ offices, each of which has its own domain controller and also its own domain; sometimes they even have the same AD domain name between them (no trust whatsoever among those 15+ AD domains). Sounds crazy, but yes, there is no standardization among them or whoever managed their IT infrastructure previously.

I'm now considering what the benefits are of creating the AD domain trusts versus importing those AD objects into my domain and then decommissioning them.

No need to worry about Exchange Server, since all of the users in those sites connect via RDS to my ParentCompany.com terminal servers.

My requirements or goals are as follows:
1. Simplify the AD domain structure and maintenance
2. Try to avoid disruption of the users in terms of downtime and selecting multiple different domains every time they log in to their PC or SharePoint sites.

Any kind of help and suggestion would be greatly appreciated.

Thanks.


/* Server Support Specialist */

event id 10154 - effects?


Hi,

On new server 2008 R2 DCs, we see event ID 10154:

The WinRM service failed to create the following SPNs: WSMAN/testserver.testdomain.xyz; WSMAN/dchostname.

Additional Data
The error received was 8344: %%8344.

The fix is here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/ff42d97f-8c52-4ddc-93a2-6ae79498e3d5/the-winrm-service-failed-to-create-the-following-spns and here: http://www.ceyhunkirmizitas.net/microsoft/windows-server/event-id10154-the-winrm-service-failed-to-create-the-following-spns-wsman/

I know this appears as a warning rather than an error, but would anyone know what exactly is affected as a result of the Network Service account not having the "Validated Write to Service Principal Name" permission? Would not fixing the permissions as per the fixes result in AD operations being affected? This pops up on every 2008 R2 DC.

Thanks very much,

HA

Restrict Domain admins on certain servers


Hi all,

I have a group of domain admins. I don't want a couple of the accounts to access all the servers in the domain, but only 2 particular servers.

How do I restrict RDP to all the other servers and give them RDP access to only those 2 servers?

We are using Windows Server 2008 R2.

Thanks in advance


AD Sites and Services Remove Server


Hi,

I have a Windows Server 2003 AD server which was originally configured to replicate to a partner DC. Would it cause any harm to delete the instance of the partner DC from Active Directory Sites and Services? Sites > Object > Servers > right-click on partnerDC and then click 'Delete'.

The partner DC has been powered off for a little while now, since we no longer have any use for it. I'm not sure how else to stop the replication, since the 'repadmin /options +DISABLE_OUTBOUND_REPL' command failed with the "The DSA object could not be found" error.

I'm looking into upgrading the DC to server 2012 and I would like to resolve the replication errors being displayed from dcdiag.

Thanks!


Raising Domain Functional Level

I am looking to raise the domain/forest functional level on my domain from 2003 to 2012. I have been receiving Event ID 4515 about a duplicate DNS zone error. Will this error potentially cause me any issues or problems when I try to raise the domain/forest functional level to 2012?

Domain Administrator Problem


I created a new domain admin account that is part of AD Administrators, Domain Admins and Enterprise Admins. I have been using this account for a couple of years with no issue. However, after promoting the domain to W2K3 and adding 2012 R2 domain controllers, I keep running into issues with the account.

The most recent was using the command 'appcmd list backup' in prepping for an IIS migration. I received an "Access is denied" error. I tried this with another account that should have domain admin privileges and got the same error. When using the original Administrator account there is no issue.

Does anyone have any thoughts on this? Is there a way to check rights and permissions for a Domain Admin, Enterprise Admin and Administrator account? So far all I have found is stuff related to the SID, but I don't believe this is a true check of rights.

Thanks

ADFS 3.0 - SignInPageDescriptionText Not displaying...


I'm having an issue getting my SignInPageDescriptionText to display. Any help would be awesome.

I have tried using Set-AdfsGlobalWebContent -SignInPageDescriptionText "test desc"; I've made sure it was set on both locales and even tried the Additional Auth Desc Text, and still nothing.

But nothing is loading on the IdpInitiatedSignon.aspx page.

I will try to add links to the images as soon as I'm verified. 

ADFS on a Domain Controller

This is more of a design question, and I am not sure if I will go with Windows 2003 R2 or 2008. We have several domain controllers and we want to start playing around with ADFS. I am going to build a separate Federated Services Proxy server in our DMZ, but is it all right to install Federated Services on a domain controller? Every slide or video always shows a separate internal federated services server, but everywhere I have worked (not massive companies) we have always been fine installing additional services on the DCs like DHCP and DNS. If anyone has any good experience with putting ADFS on a DC, let me know, as we already have about 9 DCs for 6 sites and only 3000 users, and the federated authentication would not even be used that often.

Thanks,

Dan
Dan Heim

Do Group Managed Service Accounts require permissions to run service in question?


I'm testing out GMSA (Group Managed Service Accounts) in Windows 2012 R2. My domain and forest functional level is 2008 R2 (which I understand is the minimal functional level for GMSA support). 

The question I have is, if I create a new GMSA for a particular service, does the GMSA require permissions to run the service? For example, SQL rights, IIS rights, etc.

Also, can they be used to run scheduled tasks? Thanks.
