Channel: Directory Services forum

How to track user log on and log off on the Domain


Hello All,

I am trying to audit user log-in access to the domain.

My aim is to see records of logon and logoff and also export the report.

Can one achieve this even without the use of third-party tools?

Please share third-party tools with better intelligence reporting.

Thanks


o.k


LDAP settings

I am looking for the values of these parameters to set up LDAP testing; can someone guide me please?

Recover domain controller after a hard disk failure


Hi,

I have an issue with one of the domain controllers, where the hard disk has failed.

Can anyone let me know how to recover a domain controller after a hard disk failure?

Domain Admin Cannot create users or Reset passwords


Hi, I have a weird problem with one of our domain admins. I created his account by copying one of the other Domain Admins,

and if he logs onto the domain controller and uses AD Users and Computers, when he tries to create a new user it refuses to set a password, and if he tries to reset a password on any account he gets access denied.

I cannot figure out what is going wrong with this account; I have also tried creating a new account from fresh, and the same thing happened.

thanks

Mark

detect IP range to execute logon script


Hi guys,

I am having trouble with a logon script.

How can I detect the IP address of the target workstation?

If the workstation is located within a range (192.168.101.1 to 192.168.101.254), then it should be able to execute the rest of the logon script.

Thanks in advance.

BTW, I am not familiar with VBS.



Domain Password History


Hi Admins, this might be a simple question but I cannot find the answer when searching. 

I am working on PCI DSS certification, and one item asks for users to be forced to change their password every 90 days. This has been set already. My question is, where do I see the password history for a particular user? I understand that this will not be displayed as plain text, but as hashes. Where can I find this information, please? Thank you.


ADFS Claim Rules


Hi,

An application sends the following GET request to ADFS:

GET /adfs/ls/ wfresh=0&wauth=http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword&username=USER%40mycomp.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIAeNiNdQz0jPRYjbUM7RSsUxKNEw0TTbXTTM0T9Q1SUm11E00TDPUNTM0t0i2SDE1NDIyLhLiEuDm-GcsdkB_jvPqanPb85ul3VjsdKlhblWWWmlqRZladb5SeWlmRYGekZWOXnJ-1gZLzAwexHiBifEWE7-_I1DOCETkF2VWpT7CEnFxJqTITM5PSZ3FnBMZYpif4FUnlwZWhUYHFoZlAnEuRVlUUY5pT55KQVJuUFlKca-pUm5YQZeIV7ukUaWJUnhlqVeeZ6Wvi6O5WDs7loCpp0NwHyfcF8QXQKXh-iap6VY6pqYWybpJiUlWehaWiSbmVlaGKQZmBfYGa8wMK4ixN3iAEA0&popupui=1 443 - 21.127.30.56 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+9_0_2+like+Mac+OS+X)+AppleWebKit/601.1.46+(KHTML,+like+Gecko)+Mobile/13A452 https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=678a547-f33a-1de3-a5f2-7544c3d756743&resource=0000000a-0000-0000-c000-000000000000&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.

How can I create a claim rule with the parameter "Client_id" (bold)? What do I have to do in order to use e.g. "http://schemas.microsoft.com/2012/01/requestcontext/claims/client_id" in my claim rules? I don't understand how the mapping between the URL parameters of the request URL and claims is done. Can somebody help here?

Thanks,
Emil

AD Forest recovery


Hi Experts,

I'm in the process of creating an AD forest recovery process for our infrastructure. Currently all our FSMO roles are placed on one DC and all DCs are GCs. We have one root and 4 child domains, and all DCs are Win2k8R2.

At the time of DC recovery, we need to select one DC from the root domain. So is it advisable to restore the DC which has all the FSMO roles, or do I need to select another DC from the forest domain?

After reading the MS forest recovery doc, I have created the steps below. Did I miss any points in the steps below, or is there any correction?

1. Update DSRM password for the DCs
2. Decide the DC for recovery
3. Configure the selected DC to boot in DSRM mode
4. Disconnect the network cable from the root domain DC / shut down all the DCs except the selected root DC
5. Reboot the selected forest DC in DSRM mode
6. On the root DC: perform a nonauthoritative restore of AD DS & an authoritative SYSVOL restore
a. Log in to the DC using the DSRM password
b. Get the version number of the backups which you have created
c. Identify the backup you want to restore
d. Restore AD nonauthoritatively & SYSVOL authoritatively
7. Reboot the DC in normal mode
8. Remove GC
9. Check DNS service
10. Create DWORD "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations" with value 0
11. Seize FSMO roles
12. Metadata cleanup for other DCs in the root domain
13. Remove A records of deleted DCs from the forward lookup zone and from the _msdcs zone
14. Raise RID value by 100,000
15. Invalidate current RID pool
16. Reset computer account password of DCs twice (current administrator password)
17. Reset krbtgt account password twice
18. Configure time source
19. Install OS on other DCs and do DCPROMO
20. Enable GC on root DCs
21. Do a force replication from the initially restored forest DC


Regards, Nidhin.CK
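A read-only verification script for the post-restore checks in the procedure above (steps 8, 10, 11, 14, 15, 17 and 20), added here as an example; it is not part of the original post and not Microsoft's documented recovery procedure. It assumes it runs on the restored forest-root DC with domain admin rights and that the ActiveDirectory RSAT module is installed there.

```powershell
# Added example: verify the state of the restored forest-root DC after the
# recovery steps listed above. Read-only; it changes nothing.
# Assumes the ActiveDirectory RSAT module is installed on the restored DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$local  = $env:COMPUTERNAME

# Steps 11 and 20: after seizing, all five FSMO roles should sit on this DC.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object {
    $ok = $_.Value -like "$local.*"   # role holders are reported as FQDNs
    "{0,-22} {1}  [{2}]" -f $_.Key, $_.Value, $(if ($ok) { 'OK' } else { 'CHECK' })
}

# Step 10: the registry value that skips initial replication sync at boot.
# It should be 0 during recovery and removed once the other DCs are back.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$sync = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'Repl Perform Initial Synchronizations'
"Repl Perform Initial Synchronizations = $sync (expected 0 during recovery)"

# Steps 14 and 15: rIDAvailablePool packs the next RID to issue in the low
# 32 bits and the pool ceiling in the high 32 bits; after raising the pool
# by 100,000 the low part must be above the highest RID issued before the restore.
$ridMgr  = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
$pool    = [int64]$ridMgr.rIDAvailablePool
$nextRid = $pool -band [int64][uint32]::MaxValue
$maxRid  = $pool -shr 32
"Next RID to be issued: $nextRid (pool ceiling $maxRid)"

# Step 17: krbtgt should have been reset twice; a PasswordLastSet older than
# the recovery window means the reset was skipped.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
"krbtgt PasswordLastSet: $($krbtgt.PasswordLastSet)"

# Steps 8 and 20: global catalog status of every DC the restored directory knows about.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize
```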


DFS Event ID 5014


Hello,

I have set up DFS between my servers, and I frequently get this error...

Event ID 5014

The DFS Replication service is stopping communication with partner WEB-02 for replication group IIS due to an error. The service will retry the connection periodically.
 
Additional Information:
Error: 1726 (The remote procedure call failed.)
Connection ID: 717B4E0C-9398-4F12-B310-C48B03574AB7
Replication Group ID: D56BBD41-ED00-4C09-A80B-AF1A52AAB4E1
 
The servers are connected via a SonicWall site-to-site VPN; all are in different cities.

I'm looking for a solution to fix it ASAP...
Thanks
Shailesh

shailesh chauhan

Password Sync between two domains

I have a requirement in one of my projects where I want to sync users' passwords between two domains. I want to sync users' current passwords, so PCNS is not an option here as it only syncs updated passwords. Can anyone guide me here please? I can use anything: C#, PowerShell, C++, etc.

DCDIAG errors - failing Advertising and more tests - appear to be due to flatname issues


I'm running "DCDIAG /Q /E" between my two domain controllers, and one of them is getting errors. I'm running as admin, of course!

The first DC is sitting on subnet1, and is called ACMEDC1.

The second DC is sitting on subnet2, and is called ACMEDC2.

When I run on ACMEDC2, there are no errors.

When I run on ACMEDC1, there are some errors:

         Fatal Error:DsGetDcName (ACMEDC2) call failed, error 1722
         The Locator could not find the server.
         ......................... ACMEDC2 failed test Advertising
         [ACMEDC2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ACMEDC2 failed test SysVolCheck
         Could not open pipe with [ACMEDC2]:failed with 64:
         The specified network name is no longer available.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         [ACMEDC2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ACMEDC2 failed test NetLogons

I can do a lookup of ACMEDC2 with nbtstat - it will resolve to an IP address and then it appears in the cache (so "nbtstat -a ACMEDC2" and "nbtstat -c" work).

However, from ACMEDC1, I have also noticed that I cannot connect to any SMB shares on SOME servers when using the netbios name.  There doesn't seem to be any rhyme or reason - server version, subnet.

For example, from ACMEDC1:

I can connect to \\ACMESRV1\fileshare 

(or any share)

If I try to connect to ACMEDC2:


\\ACMEDC2.ACME.LOCAL\FILESHARE

works

\\(IP ADDRESS)\FILESHARE

works

But:

\\ACMEDC2\FILESHARE

fails with the error "Windows can't find '\\ACMEDC2\FILESHARE'.  Check the spelling and try again."

I can connect to SMB successfully with PowerShell too. nbtstat -RR (or -R) does not resolve the issue either.

So I think that whatever is causing the issue with the SMB connection to the flatname is causing the same issues in DCDIAG.  I am not seeing any problems with any other AD services - replication works perfectly, and ACMEDC2 is having no such issues in SMB or DCDIAG.

Redirected folders inaccessible when notebook offline


Greetings, 

I'm struggling to solve my issue with redirected folders (Desktop, Documents) and travelling laptops. The situation is as follows:

  • We have an OU for notebooks
  • On this OU, we have two GPOs - one for folder redirection and the other one sets "prevent usage of offline files -> disabled"
  • Folders are redirected to a network share with a DFS path - \\domain\folder\%username%
  • As long as laptops can reach the fileserver hosting this DFS path, everything is okay
  • When the laptop goes outside of the corporate network, the user gets an error stating that \\domain\redirectionfolder\%username%\Desktop cannot be reached and something like a local desktop is provided to the user. The user makes some changes on this desktop and these are lost as soon as the user connects back to the corporate network.

I thought redirected folders are automatically synchronised and accessible offline. I don't know why the laptop is trying to reach the DFS share when it is outside of the corporate network.

I discussed this situation with a much more experienced friend of mine and he said that I used the concept of folder redirection incorrectly. What I should do instead is to map a network drive (e.g. W:\) pointing to \\domain\redirectionfolder\%username% for each user and redirect their Desktop and Documents to W:\. The problem is, I could not find the correct GPO setting that would change the location of the "Desktop" folder to W:\.

May I hear your opinion on which approach is better in order to solve this issue with laptops outside of the corporate network? I'm really clueless at this time.

Thank you in advance, 

Best regards, 
Standa


DNS objects are not updating from DC 2012 to DC 2008


Hi,

One server has Windows Server 2012 and the second has Windows Server 2008, and both are primary servers.

I have configured zone transfer to the other DNS server, but records are not being updated and I am not getting any failure message.

Any help or idea will be highly appreciated.

New Network - No Access / Active Directory


Hi,

I've created a new network within my site, within my switching environment. I am not able to navigate to any UNC path locations on any of my servers or workstations. If I try, Windows Explorer times out.

Take note that I am authenticating on a workstation that was previously a host within the network where my AD controllers are, from which I was able to successfully communicate with all AD services. Inter-network communication is occurring. I am able to ping all of the hosts from the network where my AD infrastructure resides. I don't have anything preventing network communication, like firewalls or ACLs on my switches. What I have observed is that it takes a good 3-4 minutes to authenticate on the workstation since it's now a member of this new network.

The workstation is using a static IP address. I specified the DNS servers from the original network where my AD servers reside. I saw a new A record from the DNS server assigned to the new IP address of the workstation from the new network. I am successfully able to resolve FQDNs to IP addresses.

I have created a new subnet within AD Sites & Services and assigned it to the appropriate site. Is there anything administratively that needs to be undertaken to allow access to my AD forest?

Be aware my AD controllers are using the Windows Server 2008 R2 SP1 platform.

Thanks in advance.


RID pool and user account creation (migrated from HA forum)


Hello,

I have a question about the RID pool and user account creation. Our system has two server farms, each of which has two DCs (i.e. 4 DCs in total). The two farms are a primary and a backup, and the RID master DC resides in the primary. The entire system is under a single domain.

When the primary farm fails and the backup farm takes over, we do not want to seize the RID master role at the backup farm, because the primary might recover later depending on the cause of the failover.

I read a TechNet article which says that I can change the block size by changing a registry value.
http://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
I would like to know whether it would be possible to avert RID block depletion on the backup farm's DCs by setting a larger value for the 'RID Block Size' key (e.g. 5000) in advance. In other words, is there anything that could potentially deplete the DCs' RIDs other than the account/computer/group creation operations we will perform when our system enters service (we will be creating no more than several hundred user accounts, a couple hundred computers, and about a dozen groups)? We might create new user accounts while we are on the backup farm, but the number of added users will not exceed 1000. We will not create new computers and groups while on the backup farm, except perhaps a few. Also, we will be incorporating AD CS, Exchange, and Skype for Business into our single-domain system.

(I posted the question to the HA forum and was told that this is a better place for my question, so here I am. Sorry for the double post.)


Regards,
Wanko




ADFS configuration with o365


hi,

after going through https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx several times, I can't find a solution for my challenge:

- block access to O365 for all non-company-enrolled devices

- users use Windows phones (enrolled with Intune/SCCM) and Surface Pro (domain joined); access for them should work while travelling

so limiting all access based on IP address will not work because:

- mobile phones cannot be enrolled to Intune (they use an IP from the mobile provider)

- Surface users use DirectAccess, but access to non-company domains (like microsoftonline.com) goes directly, so again different IPs will be used

when accessing ADFS from a client, this is what ADFS logs:

Following request context headers present: 

X-MS-Client-Application: -
X-MS-Client-User-Agent: -
client-request-id: 00000000-0000-0000-de2f-008000000035
X-MS-Endpoint-Absolute-Path: /adfs/ls/
X-MS-Forwarded-Client-IP: 188.20.20.20
X-MS-Proxy: vmprpr1

so nothing except the IP, which is of no real use.

Any ideas how to implement this request?

I have already posted this question to the o365 forum, but they had no idea about adfs configuration and suggested to post here.

regards

Manfred

How to Backup and Restore AD FS (3.0) 2012R2


Hi,
How do I make a backup of AD FS (3.0) that has a WID database in use?

Is Windows System State Backup sufficient?

Found an article for 2.0:
http://social.technet.microsoft.com/wiki/contents/articles/2199.ad-fs-2-0-how-to-back-up-the-federation-service.aspx

Do I need some special backup for SSL (Private key), Token Signing and Token Decryption certificates?

AD FS with SQL answer found
https://social.technet.microsoft.com/Forums/windows/en-US/507a1002-939f-4120-a69c-0e227ca21081/how-to-backup-and-restore-windows-2012r2-adfs?forum=winserverDS

Do I need to consider any virus-scanning exclusions for WID?
Can't find any recommendations on that:
https://support.microsoft.com/en-gb/kb/822158

Thanks for help


Export Email and Account Name


Hello,

I have an Excel file with 100 names; my boss asked me for the email addresses. My question is:

"How can I export user name and email address from Active Directory to a CSV file based on date?" I mean the time when I created the users.

 


FZ2H

AD Migration from abc to xyz


HI all

Our company abc is getting merged with xyz, and hence all of AD needs to be migrated from abc.com to xyz.com.

Please let us know how to proceed with this.

Force Logoff at specified time - Even if computer is Locked


We need to set up a task to force logoff of all workstations, even if the user has locked their workstation.

I tried to use the logoff.exe and the shutdown.exe action in a GPO policy (not the default Domain policy). First we send a message (for those that are actually working) and then 15 minutes later we use the "exe" command. Unfortunately, this doesn't work for "locked" workstations.

How do you force a locked workstation to log off?
