Channel: Directory Services forum

connect 2 separate network to AD,DNS server


Will connecting an AD server that hosts AD-integrated DNS zones to 2 separate network cards (for the production and staging VLANs, which are different VLANs) have any negative effect on AD or DNS operations?

This is to benefit from AD DNS services for the staging zone (no route is allowed between staging and production).


Computers are contacting a DC in a different site for domain join operations


Hello,

Occasionally we have PCs and servers that, while performing a domain join operation, will contact a DC in a remote site instead of the local site. We have all subnets defined properly and set to the correct sites. In the example below, the 192.168.1.0/24 subnet is attached to the HQ site. However, during the domain join operation, it contacted a DC in a remote site. Looking at the log, I think I know why this happened. Rather than using what we have in Sites and Services, the operation simply queries the domain.com A records and picks one of those to use for this process.

This is causing a problem because it can take up to 15 minutes for replication from this remote site to happen, so if a PC is being reimaged, a user at the HQ site cannot log on to the PC for some period of time until that remote DC replicates with our HQ DCs.

How can we prevent this from happening?  All workstations and servers deployed at the HQ site need to utilize DCs at the HQ site.

Edited to add:  We are joining to the domain using the "To rename this computer or change its domain or workgroup, click Change." in System Properties

04/07/2016 08:45:03:072 NetpDoDomainJoin
04/07/2016 08:45:03:072 NetpDoDomainJoin: using new computer names
04/07/2016 08:45:03:072 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
04/07/2016 08:45:03:072 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
04/07/2016 08:45:03:072 NetpMachineValidToJoin: 'SERVERNAME'
04/07/2016 08:45:03:072     OS Version: 6.3
04/07/2016 08:45:03:072     Build number: 9600 (9600.winblue_ltsb.160119-0600)
04/07/2016 08:45:03:072     SKU: Windows Server 2012 R2 Standard
04/07/2016 08:45:03:072     Architecture: 64-bit (AMD64)
04/07/2016 08:45:03:072 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
04/07/2016 08:45:03:072 NetpGetLsaPrimaryDomain: status: 0x0
04/07/2016 08:45:03:072 NetpMachineValidToJoin: status: 0x0
04/07/2016 08:45:03:072 NetpJoinDomain
04/07/2016 08:45:03:072     HostName: SERVERNAME
04/07/2016 08:45:03:072     NetbiosName: SERVERNAME
04/07/2016 08:45:03:072     Domain: domain.com
04/07/2016 08:45:03:072     MachineAccountOU: (NULL)
04/07/2016 08:45:03:072     Account: domain.com\xxxxxx
04/07/2016 08:45:03:072     Options: 0x425
04/07/2016 08:45:03:072 NetpLoadParameters: loading registry parameters...
04/07/2016 08:45:03:072 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
04/07/2016 08:45:03:072 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
04/07/2016 08:45:03:072 NetpLoadParameters: status: 0x2
04/07/2016 08:45:03:072 NetpValidateName: checking to see if 'domain.com' is valid as type 3 name
04/07/2016 08:45:05:244 NetpCheckDomainNameIsValid [ Exists ] for 'domain.com' returned 0x0
04/07/2016 08:45:05:244 NetpValidateName: name 'domain.net' is valid for type 3
04/07/2016 08:45:05:244 NetpDsGetDcName: trying to find DC in domain 'domain.com', flags: 0x40001010
04/07/2016 08:45:20:244 NetpDsGetDcName: failed to find a DC having account 'SERVERNAME$': 0x525, last error is 0x0
04/07/2016 08:45:22:400 NetpLoadParameters: loading registry parameters...
04/07/2016 08:45:22:400 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
04/07/2016 08:45:22:400 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
04/07/2016 08:45:22:400 NetpLoadParameters: status: 0x2
04/07/2016 08:45:22:400 NetpDsGetDcName: status of verifying DNS A record name resolution for 'REMOTEDC.domain.com': 0x0
04/07/2016 08:45:22:400 NetpDsGetDcName: found DC '\\REMOTEDC.domain.com' in the specified domain
04/07/2016 08:45:22:400 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
04/07/2016 08:45:22:400 NetpDisableIDNEncoding: using FQDN domain.com from dcinfo
04/07/2016 08:45:22:400 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'domain.com' succeeded
04/07/2016 08:45:22:400 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
04/07/2016 08:45:25:884 NetpJoinDomainOnDs: status of connecting to dc '\\REMOTEDC.domain.com': 0x0
04/07/2016 08:45:25:884 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: domain.com
04/07/2016 08:45:25:900 NetpProvisionComputerAccount:
04/07/2016 08:45:25:900     lpDomain: domain.net
04/07/2016 08:45:25:900     lpHostName: SERVERNAME
04/07/2016 08:45:25:900     lpMachineAccountOU: (NULL)
04/07/2016 08:45:25:900     lpDcName: REMOTEDC.domain.com
04/07/2016 08:45:25:900     lpMachinePassword: (null)
04/07/2016 08:45:25:900     lpAccount: domain.com\xxxxxxx
04/07/2016 08:45:25:900     lpPassword: (non-null)
04/07/2016 08:45:25:900     dwJoinOptions: 0x425
04/07/2016 08:45:25:900     dwOptions: 0x40000003
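
An added example, not from the original post: one way to keep a join from landing on a remote DC is to have the joining machine locate a DC constrained to its intended site and then name that DC in the join. The site name HQ and the join account domain.com\joinaccount are assumptions; the domain name is the one in the post.

```powershell
# Added example (not from the original post). Pins a domain join to a DC in the
# machine's intended site instead of letting the join pick any domain.com A record.
# Assumed values (not in the post): site 'HQ' and join account 'domain.com\joinaccount'.
# Runs on the not-yet-joined machine; needs only .NET and network reach to a DC, no RSAT.

$DomainName = 'domain.com'   # domain from the post
$SiteName   = 'HQ'           # assumption: the AD site that 192.168.1.0/24 is mapped to
$cred       = Get-Credential -Message 'Account allowed to join computers' -UserName "$DomainName\joinaccount"

# 1. Locate a DC constrained to the HQ site. DomainController.FindOne(context, siteName)
#    goes through the same DC locator (DsGetDcName) the join uses, but with the site fixed,
#    so the join does not end up on REMOTEDC just because its A record came back first.
Add-Type -AssemblyName System.DirectoryServices
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
          'Domain', $DomainName, $cred.UserName, $cred.GetNetworkCredential().Password)
$dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx, $SiteName)
Write-Host "Joining through $($dc.Name) (site $($dc.SiteName))"

# 2. Join through that DC. -Server names the DC that creates the computer object, so the
#    object already exists on the HQ DCs and the first logon does not have to wait for
#    inter-site replication from the remote site.
Add-Computer -DomainName $DomainName -Server $dc.Name -Credential $cred -Restart

# After the reboot, 'nltest /dsgetsite' on the joined machine should print HQ. If it prints
# another site, the subnet-to-site mapping is what needs fixing, not the join itself.
```

This does not change how the System Properties dialog behaves; it replaces that dialog for scripted or imaging-time joins, which is where the 15-minute replication wait was hurting.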



Branch Office - Demoting DC, Installing Another...


Hello, 

I have a few locations that have physical DCs (all 2012R2). I have a need for virtual domain controllers. The existing DCs have a business function that isn't AD related and that has to stay on the machine. My plan is:  

  • Stand up another DC at the same office and install AD services
  • Let replication go for a day or two to make sure it is sound
  • Check that the new DC can authenticate clients. 
  • Demote the old DC from AD services and let that change replicate for a day or two. 
  • Once confident that AD services no longer see the old machine as a domain controller, virtualize that machine onto the host at the office. 

I guess my main question is: if I establish a new domain controller at this site with a different host name and IP, will that have any adverse effects on the client PCs, even once I let everything replicate before demoting the old one at the site? The old DC will be P2V'd after the AD services are taken away, due to it still serving a function outside of AD. This old demoted machine will still need to have the same host name it's always had. Any thoughts, comments or advice appreciated. I would like to avoid having to play musical chairs with IP addresses and would rather convert the office to a new virtual DC with a new IP address.

Thanks, 

J


the item referred to by this shortcut cannot be accessed you may not have appropriate permissions


We have an AD server (Windows 2012, 64-bit) with GPOs configured, and on the client side we are using a vSpace N-computing server with Windows 7 64-bit. We have configured a folder redirection policy.
Until a few days ago everything was fine, and all of a sudden one domain user started facing a problem: not getting access to his drive, because of which he is not able to access his application called Tally ERP 9. This is resolved if we restart the AD server and then the N-computing server. In troubleshooting we tried removing his user ID and creating a new user ID, but he is still facing the same problem. It is not daily: the day before yesterday he faced the problem, not yesterday, and today he faced the problem again. Anyone have an idea? Please help.

New LDAP Connection URL


Hi Team,

We are using Active Directory for user management. We need to create LDAPS endpoints for an Oracle application.

We need to create 3 different LDAPS endpoints for Test, Verification and Prod, like tldap.test.com, vldap.test.com and pldap.com.

Is there any possibility to create 3 LDAPS endpoints in one AD domain? If possible, please help me with some steps.

Thanks in Advance.

//Bala R 

Local user in Active directory


Good day ,

I have a GPO applied in our domain; the users can't install software, but in the past they could use the USB port. Two days ago I saw that a new local user had been created with Administrator rights. What I did first was disable the USB port, but yesterday I saw that they had created the local user again.
One remark: they have a folder shared on the network for using some application; maybe they put a .bat file there to generate a local user with Administrator rights.
Please, can you help me find out how this user is created?

Many Thanks

Regards






Locked Account


Hi,

Is there a tool which can find the cause of a locked account? We have a few users who have a problem with this, and it would be good if there were a tool which can show whether some device or something else is causing it.

Best Regards,

Blake
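
An added example, not from the original post: the built-in record of lockout origins is Security event 4740 on the PDC emulator, which logs every lockout in the domain together with the computer that sent the bad passwords. The function below reads those events; it assumes the caller can read the PDC's Security log remotely and that account-management auditing is on. The user name jdoe is a constructed sample value.

```powershell
# Added example (not from the original post). Finds where account lockouts originate by
# reading event 4740 on the PDC emulator, which receives every lockout in the domain.
# Assumptions: the account running this can read the Security log on the PDC remotely,
# and "Audit User Account Management" is enabled (it is, by default, on DCs).

Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$SamAccountName,   # user to investigate; omit to list all lockouts
        [int]$Hours = 24
    )
    # The PDC emulator is the single DC that all lockouts are reported to.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Read the event fields by name from the XML rather than by position.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if (-not $SamAccountName -or $data.TargetUserName -ieq $SamAccountName) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $data.TargetUserName
                # In 4740 the TargetDomainName field carries the "Caller Computer Name":
                # the machine that submitted the bad passwords, i.e. where the stale
                # credential (mapped drive, service, scheduled task, saved session) lives.
                CallerComputer = $data.TargetDomainName
                ReportingDC    = $_.MachineName
            }
        }
    } | Sort-Object Time -Descending
}

# Constructed sample call: show the last 48 hours of lockouts for user 'jdoe'.
Get-LockoutSource -SamAccountName 'jdoe' -Hours 48 | Format-Table -AutoSize
```

Once the caller computer is known, the failed logons (4625, or 4771/4776 on the DCs) from that machine show which process or service is still presenting the old password.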

understanding RODC


Hello,

I am new to the subject of RODCs and I have some questions, some of them strictly theoretical.

1) When users authenticate against an RODC with uncached credentials, do they authenticate directly against a writable DC, or are they rather tunneled through the RODC? Because from my understanding users authenticate directly against a writable DC, and I cannot understand what the security advantages of an RODC in a DMZ are in this case.

2) According to this technote: https://technet.microsoft.com/en-us/library/dd728028%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 "We recommend that you create a separate Active Directory site for the RODCs in the perimeter network. The writeable domain controllers that the RODCs can contact can be placed in a site of their own, with the appropriate subnet mapping and additionally consider enabling a site link between that site and the site that is specific to the RODCs in the perimeter network."

Why is it recommended to have a different site? What are the possible consequences if we don't set up separate sites for the DMZ and the internal network?

3) I was reading that I should have the RODC also as a DNS server and GC; however, I couldn't find out why, and whether there are any cases in which I shouldn't have it as a DNS server or GC.

thanks for the help


Enabling LDAPS on 3269


I am working with a customer through a forest migration and working to replace their existing external LDAPS access point, and having some trouble.

The existing model uses 2 RODCs, load balanced through an F5 and opened only to the necessary IPs that have to authenticate. Works great; only port 3269 is open.

So this seems pretty rational and straightforward, so we kept the design the same, but of course the simplest tasks are causing heartache.

For troubleshooting, we pointed the external IP's NAT to one RODC and started testing with telnet and LDP.

From all points, telnet works (internal network, DMZ network and external to the firewall).

LDP can connect only from internal and DMZ; it doesn't work from the outside. One internal machine was from the old forest, which, although it is trusted, did not hold the root/intermediate certs. Once they were copied into the local machine store it works fine.

Am I missing anything in order to get it working from an untrusted foreign machine on the outside? I found plenty of references on how to enable LDAPS on 3269, but it all seems pretty straightforward. The port opens, so I know it is not likely a firewall issue; I've tried from a test machine added to the firewall rule, telnet opens, I added the root and intermediate certs, but still no luck.

thoughts?
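
An added example, not from the original post: telnet only proves the TCP port is open, while LDP fails one step later, at the TLS handshake, if the outside client cannot build a chain to a trusted root or the name it connected to is not in the certificate. The function below performs that handshake against the GC-over-SSL port and reports the certificate and the chain verdict instead of just "connection failed". The host name ldaps.example.com stands for the F5 VIP or RODC and is an assumption.

```powershell
# Added example (not from the original post). Opens a TLS session to an LDAPS/GC port and
# reports what the server presented and whether this client would trust it.
# Assumed values: host 'ldaps.example.com' (F5 VIP or RODC) and port 3269 from the post.

function Test-LdapsCertificate {
    param([string]$Server = 'ldaps.example.com', [int]$Port = 3269)

    $script:serverCert  = $null
    $script:policyError = $null

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)                 # the same thing telnet proves

    # Validation callback: record the certificate and the chain/name errors instead
    # of failing the handshake, so we can report them. Observation only.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:serverCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        $script:policyError = $errors
        return $true
    }

    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # The name passed here is what the certificate's subject/SAN is checked against,
        # so test with the exact name external clients use (the VIP's DNS name).
        $ssl.AuthenticateAsClient($Server)
        $san = $script:serverCert.Extensions |
               Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        [pscustomobject]@{
            Server      = "$Server`:$Port"
            Protocol    = $ssl.SslProtocol
            Subject     = $script:serverCert.Subject
            Issuer      = $script:serverCert.Issuer
            SANs        = if ($san) { $san.Format($false) } else { '(none)' }
            NotAfter    = $script:serverCert.NotAfter
            # None = this machine trusts the chain and the name matches.
            # RemoteCertificateChainErrors = missing/untrusted root or intermediate.
            # RemoteCertificateNameMismatch = the VIP name is not in the certificate.
            PolicyError = $script:policyError
        }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

Test-LdapsCertificate -Server 'ldaps.example.com' -Port 3269 | Format-List
```

Run it from the outside test machine: a chain error there but not on the DMZ machine points at the trust store (or at the server not sending its intermediate), while a name mismatch means the RODC certificate was issued for the DC's own name rather than the published VIP name.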

sysvol and netlogon not sharing between server 2008 and Server 2012


hello;

I have a small domain, which I am moving from 2008R2 to 2012R2

I built 2 new 2012 servers (DC1/DC2) and promoted both to new, moved roles and FSMO to DC1.

the problems come when replicating the sysvol and netlogon to the new server:

c:\repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC2008
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
DSA invocationID: a0a0881f-4440-408d-bea5-bfc4b90f38fc

==== INBOUND NEIGHBORS ======================================

DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 13:13:27 was successful.
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
        Last attempt @ 2016-04-11 13:19:46 was successful.

CN=Configuration,DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 13:13:24 was successful.
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
        Last attempt @ 2016-04-11 13:13:26 was successful.

CN=Schema,CN=Configuration,DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 13:13:25 was successful.
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
        Last attempt @ 2016-04-11 13:13:26 was successful.

DC=DomainDnsZones,DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 13:13:28 was successful.
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
        Last attempt @ 2016-04-11 13:13:30 was successful.

DC=ForestDnsZones,DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
        Last attempt @ 2016-04-11 13:20:45 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 13:20:47 was successful.

C:\dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = dc2008
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\dc2008
      Starting test: Connectivity
         ......................... dc2008 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\dc2008
      Starting test: Advertising
         ......................... dc2008 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... dc2008 failed test FrsEvent
      Starting test: DFSREvent
         ......................... dc2008 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... dc2008 passed test SysVolCheck
      Starting test: KccEvent
         ......................... dc2008 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... dc2008 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... dc2008 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... dc2008 passed test NCSecDesc
      Starting test: NetLogons
         ......................... dc2008 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... dc2008 passed test ObjectsReplicated
      Starting test: Replications
         ......................... dc2008 passed test Replications
      Starting test: RidManager
         ......................... dc2008 passed test RidManager
      Starting test: Services
         ......................... dc2008 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 04/11/2016   13:12:27
            Event String:
            The driver detected that the device \Device\Harddisk1\DR1 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 04/11/2016   13:12:27
            Event String:
            The driver detected that the device \Device\Harddisk1\DR1 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 04/11/2016   13:12:27
            Event String:
            The driver detected that the device \Device\Harddisk1\DR1 has its write cache enabled. Data corruption may occur.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/11/2016   13:20:10
            Event String:
            Driver Samsung CLP-310 Series required for printer Samsung CLP-310 Series is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/11/2016   13:20:11
            Event String:
            Driver Samsung SCX-4x21 Series required for printer Samsung SCX-4x21 Series is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/11/2016   13:20:12
            Event String:
            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/11/2016   13:20:18
            Event String:
            Driver SmarThru Office PC Fax required for printer SmarThru Office PC Fax is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/11/2016   13:20:19
            Event String:
            Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
         ......................... dc2008 failed test SystemLog
      Starting test: VerifyReferences
         ......................... dc2008 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : NEI
      Starting test: CheckSDRefDom
         ......................... NEI passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... NEI passed test CrossRefValidation

   Running enterprise tests on : NEI.IZONE.ORG
      Starting test: LocatorCheck
         ......................... NEI.IZONE.ORG passed test LocatorCheck
      Starting test: Intersite
         ......................... NEI.IZONE.ORG passed test Intersite

on the 2012DC

C:\Windows\system32>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
DSA invocationID: ba1af98d-5521-4986-bd83-c2aaebbcfe0f

==== INBOUND NEIGHBORS ======================================

DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 14:24:33 was successful.
    Default-First-Site-Name\2008 via RPC
        DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
        Last attempt @ 2016-04-11 14:24:37 was successful.

CN=Configuration,DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\dc2008 via RPC
        DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
        Last attempt @ 2016-04-11 14:03:23 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 14:03:41 was successful.

CN=Schema,CN=Configuration,DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 13:58:50 was successful.
    Default-First-Site-Name\dc2008 via RPC
        DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
        Last attempt @ 2016-04-11 13:58:50 was successful.

DC=ForestDnsZones,DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 14:23:57 was successful.
    Default-First-Site-Name\dc2008 via RPC
        DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
        Last attempt @ 2016-04-11 14:24:06 was successful.

DC=DomainDnsZones,DC=NEI,DC=IZONE,DC=ORG
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
        Last attempt @ 2016-04-11 13:58:51 was successful.
    Default-First-Site-Name\dc2008 via RPC
        DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
        Last attempt @ 2016-04-11 13:58:51 was successful.

there are no DFS errors or FRS errors in the event log

I have looked at and tried many of the suggestions regarding ADSI Edit and WMI, and still no luck.

Not sure where to go from here?

How to cancel AD DS role install? Did not promote yet.


I meant to only install the management tools for Active Directory, but got too click-happy. I have not done the post-installation step yet, but the Server Manager GUI just finished. How do I cancel and remove the role? Is it a full-blown DC already?

AD Server Hardening and Patching


Dear Experts,

Need some advice. I have 2 Windows 2008 DCs that are replicating with one another. Both servers are running DHCP as well, with different scopes serving different user segments. However, I'd need to harden and patch the DCs one at a time. My concern is how we can prevent downtime for users because of DHCP, or whether downtime is preferred, etc. Could you guys propose a better approach? Thanks

ADFS 3.0 can i configure it to require only the user name to be used for login, removing the domain


Is there a way to allow users to log in to the ADFS page (ADFS version 3.0) without having to type the user name with the UPN suffix, so that they type only the user name?

Like user1 and then the password, not user1@domain1.com.

LAPS : Find out who has read/write permission to ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attribute


Hi,

In our environment, we ran the cmdlet Set-AdmPwdReadPasswordPermission to give SG1 read password rights, and Set-AdmPwdResetPasswordPermission to give SG2 reset password rights.

However, without being added to any of the SGs intended for LAPS, some accounts already have the rights to read and write the ms-Mcs-AdmPwd attribute as well as the ms-Mcs-AdmPwdExpirationTime attribute.

Question 1: Is there a cmdlet / way to find out which security groups these rights are inherited from / coming from?

We ran the Find-AdmPwdExtendedRights cmdlet; however, it did not return other security groups that have Extended Rights besides the default 'Nt Authority\system, Domain\Domain Admin' user/groups.

Question 2: When a security group has All Extended Rights - does it mean that it also has read/write rights to the two LAPS attributes? Does removing All Extended Rights automatically remove the read/write to those two attributes?

Cheers


Best Regards,
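
An added example, not from the original post or from the LAPS project: Find-AdmPwdExtendedRights only reports extended-rights holders, so a fuller answer to Question 1 is to read the ACL of the computer object (or its OU) and list every ACE that touches the two attributes, whether explicitly or through blanket property rights or All Extended Rights. The OU path OU=Workstations,DC=example,DC=com is a constructed sample; the function assumes the LAPS schema extension is present and the caller can read the ACL.

```powershell
# Added example (not from the original post or the LAPS project). Lists every ACE on a
# computer object or OU that grants read or write on ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime,
# including ACEs that cover them without naming them: "All Extended Rights" (ms-Mcs-AdmPwd is a
# confidential attribute, so reading it needs the control-access right) and blanket property rights.
# Assumptions: the LAPS schema extension is installed and the caller can read the ACL.

Import-Module ActiveDirectory

function Get-LapsAttributeAccess {
    param([Parameter(Mandatory)][string]$DistinguishedName)   # computer object or OU DN

    # Resolve the schemaIDGUIDs of the two LAPS attributes; ACEs scoped to a single
    # attribute carry that GUID in ObjectType.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $lapsGuids = @{}
    foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        $lapsGuids[[guid]$obj.schemaIDGUID] = $attr
    }
    $allObjects = [guid]'00000000-0000-0000-0000-000000000000'  # ACE applies to all properties/rights

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    (Get-Acl -Path "AD:\$DistinguishedName").Access | ForEach-Object {
        $rights = [int]$_.ActiveDirectoryRights
        $why = $null
        if ($lapsGuids.ContainsKey($_.ObjectType)) {
            # Explicit ACE on one of the two attributes (what Set-AdmPwd*Permission writes).
            $why = "explicit on $($lapsGuids[$_.ObjectType])"
        } elseif ($_.ObjectType -eq $allObjects) {
            if (($rights -band [int]$R::ExtendedRight) -ne 0) {
                # Answers Question 2: All Extended Rights lets the trustee read the confidential
                # password attribute; it does not by itself grant WriteProperty on it.
                $why = 'All Extended Rights (read of the confidential ms-Mcs-AdmPwd)'
            } elseif (($rights -band ([int]$R::ReadProperty -bor [int]$R::WriteProperty -bor [int]$R::GenericAll)) -ne 0) {
                $why = 'blanket property rights on all attributes'
            }
        }
        if ($why) {
            [pscustomobject]@{
                Trustee   = $_.IdentityReference
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited     # True = granted on a parent OU, not here
                Covers    = $why
            }
        }
    }
}

# Constructed sample call.
Get-LapsAttributeAccess -DistinguishedName 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
```

Inherited entries are the ones to chase up the OU tree to find the group the rights are "coming from". On Question 2: removing All Extended Rights removes the ability to read the confidential password through that route, but it leaves any explicit ReadProperty/WriteProperty ACEs on the two attributes in place; those show up separately as "explicit on ..." rows.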

Unable to login with AD-account created with client-software


I created a new AD account with a client. The client sets the user password in the unicodePwd attribute and sets userAccountControl to the active state.

But I'm not able to log in with the newly created account. I think it might be related to how the password has been stored in AD, because when I change the password with the AD native tool to something else, then I can log in.
So the client must store the password in AD in a wrong way. What do you think?

Here are some algorithms I can choose from for how I want to store the password, and I can also choose whether I want to use salting or not:

AES
SHA-256
SHA-384
SHA-512
SHA-1
MD5


ADFS 3.0 and HTTPS both using port 443 on external firewall?


I have set up ADFS 3.0 which uses port 443 on a new Windows 2012 R2 server for Dynamics CRM 2016. I also have a separate Exchange server in the same network which has the HTTPS service going to port 443. 

Internally it works fine but is it possible to have two different services HTTPS and ADFS mapped to the same port using different IP addresses? 

The common workaround is to change the port for ADFS 3.0

http://inogic.com/blog/2014/07/how-to-change-the-port-of-adfs-3-0-windows-server-2012-r2-to-444/

However, it says: Note: If you change the port of ADFS to 444 from the default port, then it will give the following warning. It means that if you set ADFS on 444, you will not be able to register mobile devices in ADFS, hence you will not be able to develop a mobile device app for CRM.

I wish to avoid this as using CRM on phones/tablets is a requirement. Any ideas/workarounds?

Thanks

firewalls with router


I have a firewall behind a router in my network, and the router is the (small) device facing the internet. Suppose I have a static IP given by the service provider, which is 1.2.3.4, the only live/static IP to use. How and where will I have to configure port forwarding for the IPsec client VPN that is configured on my Server 2008 R2, as VPN clients will need the live/static IP to dial from a remote location? Between the router and my server/LAN there is a firewall, which will also need an IP on its WAN interface.

Adnan sabir

while running sidhist.vbs on a 2008/2012 member server getting "Access Denied" error


Hi..

I am able to run sidhist.vbs on a 2003 member server without any issues, and it properly updates the sidHistory of a user, though the ClonePrincipal User Guide says the process should be run on the target PDC server. But when I run the script on a 2008/2012 member server, I get the following error. However, it works fine on a 2008 PDC server, so I am wondering what the difference would be between 2003 and 2008/2012 member servers.

"failed to update the sid on destination domain controller : Access Denied"

I have followed the steps that are required for running that script on a member server and am using the same admin account on both the member server and the PDC server. On the PDC it works fine, whereas it fails on the member server.

Please help

Thanks in advance,


Thanks, Prani.


Schema Display specifier Treat as leaf


Hello everyone

I created a new schema class in Active Directory, and I created a display specifier for this class and set the treatAsLeaf attribute to true. But when I create a child object of this class, the objects are treated as a container in ADUC.

Any idea about this issue?

Thanks. 

Logon account Suffix keeps changing back to the original local domain suffix


Hi. I recently added additional suffixes to our Windows 2012 R2 domain. When I set an account to one of the new suffixes, about an hour later it reverts back to the original local domain suffix. Any ideas what would be causing this?

I have two Domain Controllers, both 2012 R2. AD replication has no errors. When I change the suffix on a test account and force replication it does replicate to the second DC.

I've checked scheduled tasks and group policy for obvious things that someone might have configured that might do this, but nothing.

Please help!

Thanks,

T.
