Channel: Directory Services forum

Windows 2003 AD4UNIX schema extension


Hi all,

Sometime last decade we installed AD4UNIX onto our Win2k3 Domain Controllers.

Now it seems this schema extension is blocking updates to the AD schema.

I have gone through the schema using Active Directory Schema. While I can defunct most objects and attributes, I can't defunct several, including msSFUPosixAccount, msSFUPosixGroup, msSFUIpHost, and msSFUShadowAccount.

Using ADSIEdit, if I attempt to set isDefunct to true, I see:

"Schema deletion failed: class is used as an auxiliary class".

I have tried searching the dit for any references to any of the classes mentioned above, with no luck. I have tried using LDP, and ldapsearch from openldap.

Prior to this exercise, I have gone through AD and removed all attributes from all accounts and groups. This was accomplished using LDP.exe.

Can anyone shed any light on what magic I need with AD to find what is using these classes?

I am beginning to think I will be better off creating a new AD Domain, or even an entirely new forest? This seems like a massive waste of time.

I await any advice.

Thanks.


Changing expired password remotely on a non-domain computer


Greetings!

We have some users that never connect to the network on authenticated computers.

They connect only through Webmail (OWA on Office 365 Exchange Online, which uses ADFS for authentication).

When their password expires, they have no way to change it, because OWA in Exchange Online doesn't allow password changes when using ADFS authentication.

We have already tried a strategy using RDS, but with no success... the message asking for the password change doesn't appear in RDS when the password is already expired.

Do you have any suggestion on how to allow people to change their password?

Thanks in advance.

Lock Down Server Access


Hello,

We are operating in a Windows Server 2008 R2 domain and I have been asked to lock down access to some servers. By lock down I mean there are only 5 administrators that need to be able to access a handful of servers. These 5 administrators should not be able to access any other servers, and none of the other administrators (unless in the Domain Admins group) should be able to access the servers. I created a security group and added the 5 admin accounts. I've come across documentation that says I need to configure NPS for secure access, but for the life of me I can't figure out how to do it for the security group. Could anybody point me in the right direction to complete this task?

Thanks in advance.

Windows 2012 R2 DNS Server sporadic failures


Hi Guys;

Recently I promoted three Windows 2012 R2 servers as domain controllers in my existing multi-domain forest, as a first step of a total migration to 2012 R2.

I noticed that none of the new servers are able to resolve anything normally through forwarders, whether internal or external, conditional or regular. What puzzles me more is that when I do an nslookup locally on these servers it always fails due to timeouts. If I try to nslookup the servers from clients, they resolve the local zones, but the external queries are hit and miss.

Although I have external forwarders configured properly (Google) and all zones are stored in the AD forest partition with the proper reverse zones, the servers even fail to resolve their own IP address.

Any insight on possible reasons?


User and computer affinity for a DC (server 2008)


We have 3 DCs in our environment (Server 2008).

I have noticed that if one of the DCs has issues (like sometimes \\dc\sysvol stops working -- don't know why),

the users who are logged on to this DC can't work; we start getting calls from users saying they are not able to log back in to locked PCs, etc.

Q: Why would the sysvol share stop working sometimes on our DCs (although the DC is still pingable and I can RDP into it)?

Q: Why don't the users get failed over to another DC during this situation?

Q: What is the general failover for users/computers w.r.t. DCs (how does a client choose to get assigned or log on to one of the DCs)?

Q: Is there a way we can force a computer/user to be switched to another DC?

Q: If we create a load-balanced address for our DCs, does that help?

MEMBER OF missing groups when viewing as help desk user


2008 R2 Domain Controllers

When I view the MEMBER OF tab of a given user with my admin account, it lists all groups the user is a part of as expected.

However when I view the MEMBER OF tab of the same user with a help desk user, only the DOMAIN USERS group is listed.

I have checked that the help desk user has READ MEMBER OF permissions. With the help desk user I can browse to the group and list members of the groups without issue.

What could be the cause of this?

How to create and add a new user to existing group in Active Directory via Java client


I am a beginner and I am trying to implement a client in Java for Active Directory. I would like to create a new user and add it to AD. So far, I have written the following code:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class NewUser {

    public static void main(String[] args) {
        NewUser user = new NewUser("aaa", "bbb", "ccc", "mypass", "orgunit");
        try {
            System.out.print(user.addUser());
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

    private static final String DOMAIN_NAME = "xyz.xyz";
    private static final String DOMAIN_ROOT = "abc.xyz.xyz"; // ?
    private static final String ADMIN_NAME = "CN=Administrator,CN=Users,DC=xyz,DC=xyz";
    private static final String ADMIN_PASS = "xxxxxxx";
    private static final String DOMAIN_URL = "ldap://xxx.xxx.xx.xx:389";


    private String userName, firstName, lastName, password, organisationUnit;
    private LdapContext context;

    public NewUser(String userName, String firstName, String lastName,
                   String password, String organisationUnit) {

        this.userName = userName;
        this.firstName = firstName;
        this.lastName = lastName;
        this.password = password;
        this.organisationUnit = organisationUnit;

        Hashtable<String, String> env = new Hashtable<String, String>();

        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

        // set security credentials, note using simple cleartext authentication
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, ADMIN_NAME);
        env.put(Context.SECURITY_CREDENTIALS, ADMIN_PASS);

        // connect to my domain controller
        env.put(Context.PROVIDER_URL, DOMAIN_URL);
        try {
            this.context = new InitialLdapContext(env, null);
        } catch (NamingException e) {
            System.err.println("Problem creating object: ");
            e.printStackTrace();
        }
    }

    public boolean addUser() throws NamingException {

        // Create a container set of attributes
        Attributes container = new BasicAttributes();

        // Create the objectclass to add
        Attribute objClasses = new BasicAttribute("objectClass");
        objClasses.add("top");
        objClasses.add("person");
        objClasses.add("organizationalPerson");
        objClasses.add("user");

        // Assign the username, first name, and last name
        String cnValue = new StringBuffer(firstName).append(" ").append(lastName).toString();
        Attribute cn = new BasicAttribute("cn", cnValue);
        Attribute sAMAccountName = new BasicAttribute("sAMAccountName", userName);
        Attribute principalName = new BasicAttribute("userPrincipalName", userName+ "@" + DOMAIN_NAME);
        Attribute givenName = new BasicAttribute("givenName", firstName);
        Attribute sn = new BasicAttribute("sn", lastName);
        Attribute uid = new BasicAttribute("uid", userName);

        // Add password
        Attribute userPassword = new BasicAttribute("userpassword", password);

        // Add these to the container
        container.put(objClasses);
        container.put(sAMAccountName);
        container.put(principalName);
        container.put(cn);
        container.put(sn);
        container.put(givenName);
        container.put(uid);
        container.put(userPassword);

        // Create the entry
        try {
            context.createSubcontext(getUserDN(cnValue, organisationUnit), container);
            return true;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    private static String getUserDN(String aUsername, String aOU) {
        return "cn=" + aUsername + ",ou=" + aOU + "," + DOMAIN_ROOT;
    }
}

And there is the following error:

javax.naming.InvalidNameException: Invalid name: cn=bbb ccc,ou=orgunit,abc.xyz.xyz; remaining name 'cn=bbb ccc,ou=orgunit,abc.xyz.xyz'
    at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:86)
    at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:49)
false
    at javax.naming.ldap.LdapName.parse(LdapName.java:772)
    at javax.naming.ldap.LdapName.(LdapName.java:108)
    at com.sun.jndi.ldap.LdapCtx.addRdnAttributes(LdapCtx.java:902)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:783)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:178)
    at NewUser.addUser(NewUser.java:98)
    at NewUser.main(NewUser.java:17)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)

Can anyone help me? I have spent a long time trying to fix it but it still does not work.

Thank you in advance

Windows Server 2003 Migration


We have a server installed with Windows Server 2003.

We are using this server for AD/FTP/DHCP as well as a web server.

Now we want to migrate this server to Windows Server 2012 on higher-end hardware.

So we need help with how to take a backup and how to restore it on the new server.


command line net group


I can view users in some groups but not in others.

Both groups are security groups, but running the command I can only view users from one of them.

Command:

net group <groupname>

Are there any limitations on the string I enter, I mean if the group name is too long?

Appreciated.


----- bsl

PowerShell bug? PasswordNeverExpires shows "false" or "NULL"


I'm trying to create a script to send mail and monitor users with "password never expires" enabled. The idea here is to make sure that NO USERS will have the password-never-expires option enabled, making sure that all users are forced to change their passwords from time to time, as GPO policy dictates.

But...

I got a disabled user to do some testing and, surprise, some users are shown as "NULL", others as "False" and others as "True".

Why is that?

Get-ADUser -Filter 'SAMAccountName -eq "USER1"' -Properties SAMAccountName,PasswordNeverExpires | select-object SAMAccountName,PasswordNeverExpires | ft -A

SAMAccountName PasswordNeverExpires
-------------- --------------------
USER1          -->> NULL, nothing, blank, empty space!


PS C:\DADOS\SCRIPTS> Get-ADUser -Filter 'SAMAccountName -eq "USER2"' -Properties SAMAccountName,PasswordNeverExpires | select-object SAMAccountName,PasswordNeverExpires | ft -A

SAMAccountName PasswordNeverExpires
-------------- --------------------
USER2                 False

So, I've changed the approach and tried something else:

Get-ADObject -LDAPFilter "(objectclass=user)" -Properties samaccountname,accountExpires | ft samaccountname,accountExpires -A | Out-File -FilePath c:\temp\file.txt

I've filtered further, to exclude disabled accounts, get only users and so on, but something weird: several non-zero (infinite) numbers have appeared in the listings:

half of the database has "9223372036854770000" (non-zero)

but

several users (less than 30) have a different number:

129907692000000000
129962088000000000
129981096000000000
130017384000000000
130028616000000000
130058028000000000
130219596000000000
130407948000000000
130706892000000000
130792428000000000
130828716000000000
130961736000000000


It's weird; for true/false information, I'd expect to see only 2 results... frustrating...
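The accountExpires values listed above are Windows FILETIME ticks (100 ns since 1601-01-01 UTC), not a boolean, and 0 or 0x7FFFFFFFFFFFFFFF means the account never expires; PasswordNeverExpires is a different thing, the DONT_EXPIRE_PASSWD bit in userAccountControl. The following is an added example, not code from the post, that decodes the values shown and flags the userAccountControl bit; the sample report and UAC values are constructed, and treating the rounded "9223372036854770000" as the sentinel is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires stores 0 or 0x7FFFFFFFFFFFFFFF when the account never expires.
NEVER_SENTINELS = {0, 0x7FFFFFFFFFFFFFFF}
# userAccountControl bit ADS_UF_DONT_EXPIRE_PASSWD; this flag, not accountExpires,
# is what Get-ADUser surfaces as PasswordNeverExpires.
UF_DONT_EXPIRE_PASSWD = 0x10000


def describe_account_expires(value: int) -> str:
    """Return 'never' for the sentinels, else the expiry as an ISO 8601 UTC string.
    A value too large for datetime (assumed here to be a 15-significant-digit
    rendering of the sentinel, e.g. 9223372036854770000) is also reported as
    'never' instead of crashing the report."""
    if value in NEVER_SENTINELS:
        return "never"
    try:
        return (FILETIME_EPOCH + timedelta(microseconds=value // 10)).isoformat()
    except OverflowError:
        return "never"


def password_never_expires(uac: int) -> bool:
    """True when the DONT_EXPIRE_PASSWD flag is set in userAccountControl."""
    return bool(uac & UF_DONT_EXPIRE_PASSWD)


def parse_report(text: str):
    """Parse the two-column 'samaccountname accountExpires' table written by
    Format-Table, skipping the header, the dashed underline and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # header, underline, blank or malformed line
        rows.append((parts[0], describe_account_expires(int(parts[1]))))
    return rows


# Constructed sample in the layout of the Out-File report (not real accounts).
SAMPLE_REPORT = """samaccountname accountExpires
-------------- --------------
user1          9223372036854775807
user2          0
user3          129907692000000000
user4          130961736000000000
user5          9223372036854770000
"""

if __name__ == "__main__":
    for sam, expiry in parse_report(SAMPLE_REPORT):
        print(f"{sam:10} accountExpires = {expiry}")
    # Constructed UAC values: 0x200 = NORMAL_ACCOUNT, 0x10200 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD.
    print(password_never_expires(0x200), password_never_expires(0x10200))
```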




Unexpected Results in LDAP Policies


In troubleshooting an issue with a third party application which uses AD authentication, I needed to check the MaxConnections in the LDAP policies. I found that MaxConnections was set to the default of 5000, so that was exactly as expected.

However, in checking these policies using ntdsutil, I noticed some settings which are not at default on our DCs:

MaxDatagramRecv = 1024 (default 4096)

MinResultSets = 0 (default 3)

MaxResultSetsPerConn = 0 (default 10)

MaxValRange = 0 (default 1500)

MinResultSets = 0 (default 3)

MaxBatchReturnMessages = 0 (default 1100)

We have a Windows 2012 R2 domain/forest functional level. It began long ago as a Windows 2000 domain, then went to 2003, 2008 R2 and 2012 R2.

I'm hoping someone can answer as to whether these values can be expected in our scenario.

Preventing a service to run during machine startup if DC not available


Hope to get some help on this:

My objective is to prevent an in-house developed service from running if Windows cannot connect to the domain controller during startup. The reason for this is that some old machines may have the wrong hardware time, and when they start up, if they are not able to communicate with the DC, their time will be wrong. Some down-level clients (devices using an embedded OS) get the time from these machines (Windows XP, Windows 7 Professional), and if the time is wrong and the service is running, the wrong time will be propagated, which can create havoc.

So, if it is possible to only allow the service to run if I am sure that the time is correct (that the machine has synchronized with a DC), then I can prevent down-level machines from synchronizing time with these Windows workstations.

Is it possible? For example, if machine authentication with DC fails during startup the service shall not start. Is there any Windows service that is dependent on machine authentication with DC (that can only run if machine authentication is successful)?


Valuable skills are not learned, learned skills aren't valuable.

Moving a Server out of One Domain to another - How to Test?


Hi,

I'm required to create a test plan regarding moving a server out of one domain and putting it into another; any suggestions of what should be tested? How do you test that the correct GPOs are being applied?

Apologies for the vague detail/question, I've never had to create a test plan before.

Many thanks in advance.

Share Drive


I have a share drive on a server. From my desktop, I can access that share drive, \\servername\sharedfolder, no problem, but on the server itself, if I try to go to \\servername\sharedfolder I get "network path cannot be found". If I go to just \\servername, I can see the share folder listed, but when I double-click it I get the network error. This leads me to believe it's permissions based, but I have Authenticated Users set to Full. I'm curious if there might be a policy setting that would be causing this. Any info is appreciated.

Who created that user?


I need to set up auditing on Domain Controllers to log who creates users.

I.e., if I, with my login user xpto-admin, created user01, it needs to be possible to tell that user01 was created by xpto-admin.

Is there any step-by-step or can you guide me to accomplish this task?

Thanks in advance. 

FM


LDAP_MATCHING_RULE_IN_CHAIN query 13 times faster on AD LDS than AD DS


Hi all,

I've been busy in a lab environment with an LDAP_MATCHING_RULE_IN_CHAIN query to validate its performance on a Windows 2012 R2 domain controller. The query comes from IBM's PureApps Administration console, and is pretty "hardcoded", using the root of the directory as the base DN to check which (nested) members a specified group has.

The pureapp guys were complaining that the query took too much time to finish in our production environment, seeing it to take from 75 seconds to even time-outs. We were complaining that this query was consuming all cpu, causing decrease of speed in LDAP service to other clients.

So I've started digging :) - details in the detail section...

Our conclusion so far:

 In our AD DS setup, the query took by average 51 seconds to complete.
 In our AD LDS setup, the query took by average 4 seconds to complete! Almost 13x faster!

Same ESX, same amount of vCPUs, same amount of memory, same users, group and membership data (the AD LDS is synchronized from AD DS via FIM).

Anyone have a clue on this? Sure, a Domain Controller is not an AD LDS server and has far more tasks & complexity. But that big a difference? My colleagues and I are surprised to see this! We can reproduce this outside our lab in other environments (production, acceptance, test, ...).

Kind regards,
David

Details

All about these queries: https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

BaseDn: DC=contoso,DC=com
Scope: Subtree
Filter:
(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Admins,OU=Groups,DC=contoso,DC=com))

which enumerates the users of this Admins group, with support for nesting. There are 3 users in that group, via direct membership (not nested). The AD DS or AD LDS has 40,000 users.

Chapter 1: cpu! add more cpu!

Using perfmon on a dedicated ESX (32 vcpu's, PE M620 E5-269V2 2.7GHZ 12C (DELL) XEON E5 SAN attached) with only my VM running on it with 8Gbyte RAM + reboot between each test:

W2k12 R2 fully patched with x vCPU, fault 2 seconds:

1 vCPU: 62 seconds
2 vCPU: 58 seconds
3 vCPU: 57 seconds
4 vCPU: 48 seconds
6 vCPU: 51 seconds
8 vCPU: 50 seconds
16 vCPU: 59 seconds

Average: 51 sec

Conclusion: one query is actually allocated to one CPU. The speed does not change when adding CPUs on a non-loaded machine. The overall impact on total CPU usage is of course lower with every extra CPU.

Chapter 2: There's caching!

In the above test in scenario 2, we've been repeating the same queries. When we did these within 1-2 minutes of the previous query, we could clearly see an improvement of +35% in answer time, resulting in an average of 33 seconds.

Conclusion: the caching helps, but is practically of no use.

Chapter 3: our production is Windows 2008 R2, the lab is Windows 2012 R2!

Doing tests on the same hardware in the lab with a W2K8 R2 DC, we see these times:

2 vCPU: 75 seconds
(similar for increasing amounts of vCPUs as in chapter 1)

Let's try if there's caching: 71 seconds. That's like 5% improvement.

Conclusion: Windows 2012 R2 is more efficient! :D

Chapter 4: well we also have AD LDS with the same data, let's try that!

Our AD LDS is a setup where we synchronize 2 AD DS environments to AD LDS with FIM, using a userProxyFull user class to make LDAP authentication (and authorization) nicely transparent. So the AD LDS is even 10,000 "users" bigger than the AD DS we've been testing against. Many user attributes like manager, telephone, name, location and company are included.

We see these times:

2 vCPU: 4 seconds average (fastest was 3, slowest 5)

Surprise, where did this come from? That's almost 13 times faster!

Chapter 5: let's index "memberof"!

Why didn't Microsoft do that by default in AD DS? Hmm, let's try anyway, knowing that indexing is only efficient if the data is different enough for each user, and with group memberships, we know, it isn't very different.

Result: we did not see improvement with every test.

Chapter 6: let's go social :)

Active Directory Migration


I wish to migrate domain controllers from one datacenter to another datacenter. However, some applications are dependent on the name or IP address of the domain controllers. I cannot retain the name or IP address of the domain controllers as part of this project due to naming convention issues and network changes. Hence, in this case, how can I ensure that the applications dependent on the name or IP address of the domain controllers keep working without issues after the migration?

client traffic between parent and child domain


What is the expected traffic (and why is it generated) between hosts from the parent to the child domain (and vice versa)? I understand all these ports get hit between the Domain Controllers (https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx); however, I am also seeing some traffic on ports 389/626/500 between parent domain clients and child DCs. Why would clients be talking that way, and is this expected?

Issue finding which logon server a remote workstation is currently connected to?


Hi Guys,

(Get-WmiObject -Class win32_ntdomain -Filter "DomainName = 'domain'" -ComputerName made_up_workstation_name).DomainControllerName

When I run the above on my workstation it gives the same value as the set variable Logonserver.

When I run it on my colleague's workstation it gives a valid DC, but not the one that shows in its set variable Logonserver.

I get the same results whether I run it locally or remotely on both workstations.

Any ideas ?

DFS Migration


What should be the considerations and questions asked for a successful DFS migration?