Channel: Directory Services forum

NTDS Writer missing


Hi,

First thing, if this in the wrong forum I apologise.

We are having issues with a Windows 2008 DC at the moment. To give you a quick insight into how this problem happened, the server is a virtual server sitting on a VMware platform. They were hit by the TeslaCrypt virus and the decision was taken to roll back to a previous version of the server.

Yes, I know now that this was the wrong thing to do.

Since then we have had a few problems with the server and VSS. I have managed to get most things working, but I cannot get the NTDS VSS writer to show up when I type vssadmin list writers.

Looking online, all the information I can find tells me to do a dcpromo down and then back up again, but this is a production Exchange server so it is not really an option.

Is there any way to re-register this writer and so get it working again?

Thanks for any help given,

alamb200


gmsa with AD permissions as scheduled Task


Hello together,

Could someone help me with group managed service accounts and AD permissions?

I have a deployment of 2 trusted forests. In forest A I have a computer "machine a", a group managed service account and a normal service account, both of which I want to use on this computer. The gMSA and the normal service account were granted permissions to modify the group membership of some groups in forest B, the right to log on as a batch job on "machine a", and write permissions to a folder on "machine a" to store logs after processing a PowerShell script.

I created two scheduled tasks on "machine a" to run a PowerShell script which modifies group membership in forest B and logs what it does to a folder on "machine a": one scheduled task with the gMSA and one with the normal service account (same settings).

When I run the scheduled task with the normal service account, the changes to the group in forest B occur as I want and the log gets written.

When I run the scheduled task with the gMSA, no changes to AD occur, but the log still gets written (so the gMSA is working at least with the scheduled task).

It looks like the AD permissions for the gMSA are not working. Is it out of scope for a gMSA to make changes in AD via a script running as a scheduled task?

Some computers in my network don't see Active Directory


Hello everyone,

If somebody can help me with my problem I will be very glad for any piece of advice.

Some computers in my network don't see Active Directory. All computers in my company get an IP address from DHCP; I have configured DHCP reservations. If I set a static DNS address on a computer (the IP of my router), it mirrors the IP that would be given by DHCP. When I change the DNS, the status of my network card then changes from "Network Connected" to my domain.com, and in the end everything works correctly.

My environment: the router is a virtual machine (Linux) with the DNS role, DHCP and firewall. In the configuration the DNS has special SRV records redirecting to Active Directory. The environment has functioned in this configuration for over 4 years.

Domain controllers: we have three domain controllers: AD (Windows Server 2012), AD2 (Windows Server 2012), AD3 (RODC, Windows Server 2012). Additionally we have AD1, which is a dead record of a VM that no longer exists (it was deleted but not uninstalled). The forest and domain are at Windows Server 2008 R2 functional level.

I ran dcdiag on AD and AD2, and a message popped up that "The host ...._msdcs.DOMAIN.COM could not be resolved to an IP address". In the network settings I changed DNS1 from the router IP to the IP address of the domain controller, and dcdiag then completed with some errors. The users in AD and AD2 replicate.

Best Regards,

Pawel

Trying to setup a farm in a child AD domain but fails with "Insufficient privilege" error


Hi

We are trying to install and configure ADFS farms in different AD sites (each of which is a child domain of a main site). I've done the installation and configuration of ADFS time and time again, but this is my first time facing this problem.

I installed ADFS on 2012 R2 successfully, then started the configuration and got this error:

You do not have sufficient privileges to create a container in Active Directory at location CN=xxxxxxxxxxxxxxxxxxx,CN=ADFS,CN=Microsoft,CN=Program Data,DC=Sub1,DC=Domain,DC=com for use with sharing certificates. Verify that you are logged on as a Domain Admin or have sufficient privileges to create this container, and try again.

I've checked on the internet and some people suggested recreating the Program Data container, which I did, but I am still getting the same error.

I'm 100% sure my user has the highest admin privileges!!

P.S.: I have created a service account manually since the AD doesn't have the gMSA yet!

Any thoughts would be greatly appreciated!


Ali

Clients are Authenticating to wrong DC.


We have set up a new DC for a site, and now this site in 'Active Directory Sites and Services' has 2 DCs: one old (which we will be decommissioning soon) and a second, new DC. We want all clients to authenticate via the NEW DC and not the old one anymore. How can we do this?

We notice that all clients are still authenticating via the old DC and not even a single client is being authenticated via the new DC. Please help.

Active Directory


I have been given the task of using our company's Active Directory and Visio to create department org charts that will auto-generate information into Visio from Active Directory as new employee information is added to our Active Directory. Is it possible to sync the two?

Secure Administration AD Domain


Hello,

I have a project to secure my Active Directory infrastructure.

To do that, one of my colleagues told me about the possibility of creating another AD domain in the forest just for administration. That is, this new domain would contain all the administrator groups used to manage the other domain, which contains the standard accounts.

I don't really understand this solution and I would like to have some information about it, but I can't find anything on the Internet.

Does anybody have information about that?

Thanks in advance

Migrate users from a SBS2008 domain to a new 2012R2 domain


Hello,

I have 100 laptops connected to an old SBS2008 domain controller.

On the same subnet\vlan I have another 2012R2 domain controller with a different name, to which I need to migrate all the users.

My DHCP is my firewall; it gives out the DNS IP for the SBS2008 domain.

My questions:

1. Until I migrate all the users to the new domain I need to use the SBS2008 DNS. What should I do on the old SBS2008 DNS to resolve queries for the 2012 domain, bearing in mind that I can't put a manual DNS IP in the clients; they need to stay with obtaining IP and DNS automatically from the FW DHCP?

Do I need to set a conditional forwarder on the SBS2008 DNS to the new 2012 domain, and if so, what is the procedure?

2. I was thinking of using the ForensiT utility to migrate the user profiles to the new domain. Do you have any experience with the ForensiT tool?

Thanks,

Mic




Fingerprint centralized integration with Active Directory


Hi,

When I enable, with a GPO, biometric authentication for each user to log on with a fingerprint reader, where is the biometric data stored: on the AD server or on the local computer?

If the data is stored on the local computer, does Windows provide something to centralize the biometric data so that all users can log on using biometrics on any computer in the domain?

Kind Regards,

Membership of Windows Authorization Access Group


Hello.

I'm trying to add some computer accounts to said group. I do so and restart the server.

I then check on the server with "gpresult /r /scope computer" the security group membership of the computer, and I can't see the Windows Authorization Access Group listed there. Other groups of which the server is a member are listed there, however.

Is this the correct behavior? How can I check from the server itself whether it is a member of the group?

DC Replication Issue / Error.


We have set up a new DC in our 'AD Sites and Services' and this DC is generating the following error every time we manually choose the 'Replicate now' option between this DC and the other DC.

Hundreds of Events 4771 - Account not getting locked out


Hi,

We have set our lockout policy in the Default Domain Policy to:

Policy                                Setting
Account lockout duration              0 minutes
Account lockout threshold             4 invalid logon attempts
Reset account lockout counter after   720 minutes

After a user changes their password on their workstation, hundreds of event ID 4771 are generated on the domain controllers due to some cached credentials (the events stop after the user restarts the workstation). The question is: why are the user accounts not getting locked out?

Example of event:

4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Thu Apr 14 20:26:01 2012,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-2094812614-1962491401-1202159320-115256  Account Name:  domain.com\username    Service Information:   Service Name:  krbtgt/domain.COM    Network Information:   Client Address:  ::ffff:10.12.104.105   Client Port:  57939    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
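An added example (not from the post or from Microsoft): a small Python parser for 4771 lines exported in the layout quoted above, grouping failures with code 0x18 (KDC_ERR_PREAUTH_FAILED, i.e. a wrong password) per account the way the lockout counter does, using the threshold and reset window from the post, so you can see which accounts and client addresses are producing the flood. The event lines, SIDs and addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lockout policy as stated in the post: 4 bad attempts, counter reset after 720 minutes
LOCKOUT_THRESHOLD = 4
RESET_WINDOW = timedelta(minutes=720)

# Export layout from the post: id,type,source,time,user,message
EVENT_RE = re.compile(r"^(?P<id>\d+),(?P<type>[^,]*),(?P<src>[^,]*),(?P<time>[^,]*),"
                      r"(?P<user>[^,]*),(?P<msg>.*)$")
FIELDS = {
    "account": re.compile(r"Account Name:\s+(\S+)"),
    "client": re.compile(r"Client Address:\s+(\S+)"),
    "code": re.compile(r"Failure Code:\s+(0x[0-9A-Fa-f]+)"),
}


def parse_4771(line):
    """Turn one exported 4771 line into a dict; None for anything that is not a 4771."""
    m = EVENT_RE.match(line)
    if not m or m.group("id") != "4771":
        return None
    msg = m.group("msg")
    ev = {"time": datetime.strptime(m.group("time").strip(), "%a %b %d %H:%M:%S %Y")}
    for name, rx in FIELDS.items():
        hit = rx.search(msg)
        ev[name] = hit.group(1) if hit else None
    return ev


def bad_password_streaks(events, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Count 0x18 (KDC_ERR_PREAUTH_FAILED: wrong password) failures per account the way
    the lockout counter does: the count restarts when the previous failure is older
    than the reset interval. Returns the accounts whose streak reached the threshold."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["code"] == "0x18":          # other codes (e.g. 0x12 revoked) never count
            by_account[ev["account"]].append(ev)
    flagged = {}
    for acct, evs in by_account.items():
        count, last = 0, None
        for ev in evs:
            if last is not None and ev["time"] - last > window:
                count = 0
            count, last = count + 1, ev["time"]
        if count >= threshold:
            flagged[acct] = {"failures": count,
                             "sources": sorted({e["client"] for e in evs})}
    return flagged


def make_event(ts, account, client, code):
    """Constructed sample line in the same layout as the export quoted in the post."""
    return (f"4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,{ts},No User,"
            f"Kerberos pre-authentication failed.    Account Information:   "
            f"Security ID:  S-1-5-21-1-2-3-1001  Account Name:  {account}    "
            f"Service Information:   Service Name:  krbtgt/domain.COM    "
            f"Network Information:   Client Address:  {client}   Client Port:  57939    "
            f"Additional Information:   Ticket Options:  0x40810010   "
            f"Failure Code:  {code}   Pre-Authentication Type: 2")


# Constructed sample: alice fails 5 times within seconds (a stale cached password),
# bob twice, carol once with 0x12, which is not a bad password. Not real data.
SAMPLE_LINES = (
    [make_event(f"Thu Apr 14 20:26:0{i} 2012", "domain.com\\alice",
                "::ffff:10.12.104.105", "0x18") for i in range(1, 6)]
    + [make_event("Thu Apr 14 20:30:00 2012", "domain.com\\bob", "::ffff:10.12.104.106", "0x18"),
       make_event("Thu Apr 14 21:00:00 2012", "domain.com\\bob", "::ffff:10.12.104.106", "0x18"),
       make_event("Thu Apr 14 21:05:00 2012", "domain.com\\carol", "::ffff:10.12.104.107", "0x12")]
)

if __name__ == "__main__":
    events = [e for e in map(parse_4771, SAMPLE_LINES) if e]
    for acct, info in bad_password_streaks(events).items():
        print(f"{acct}: {info['failures']} bad-password failures from {info['sources']}")
```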

Service Control manager event: DNS server service enters stopped state


Our Windows Server 2012 R2 domain controller's DNS Server service enters a stopped state every other day and does not restart unless the service is restarted. Event logs show that the Service Control Manager records the Remote Registry service entering a stopped state and restarting, along with the Smart Card Device Enumeration service, WinHTTP Web Proxy Auto-Discovery service, Windows Update service, Device Setup Manager service, Windows Error Reporting service and Shell Hardware Detection service. I have uninstalled our TrendMicro A/V, but this did not make a difference, as this morning several services have already entered a stopped state.

Troubleshooting the NIC will be my first attempt, but has any admin seen multiple services quit on a daily basis?

How do I use long path names ("\\?\UNC\...") with Server 2008 roaming profiles?


Hey folks!

I administer a Windows Server 2008 R2 SP1 domain with about 40 users on Windows 7 SP1 clients. Because the users often switch between the many PCs, I am using roaming profiles, which tend to produce errors with different application-specific paths and files inside the users' profiles.

As one of many examples, our standard mail application Thunderbird produces paths and files according to the folders/subfolders and mails in a user's mailbox. Another one is Microsoft Office's AutoRecovery files, which reside in a user's profile and can get very long.

These paths and filenames often exceed the allowed maximum path of about 256 characters when (on logon or logoff) the synchronization process between the client and the server takes place, leading to errors in the event log and a notification to the user about the conflict:

"Event ID 1509 - Windows cannot copy file \\server\share\users\user123.v2\AppData\Roaming\looooong to location C:\Users\user123\AppData\Roaming\looooong. DETAIL - The filename or extension is too long."

In the long run this leads to different file versions on different clients which, in the case of Thunderbird, leads to missing mails.

After extensive searches and reading of forums, including this one, I haven't found a solution for this problem.

So my question is whether there's a way to use the extended max path with roaming profiles and, if so, how do I get it to work?

I tried changing the profile path of a test user in the Active Directory user properties from "\\server\share\profiles\test_user" to something like "\\?\UNC\server\share\profiles\test_user" without any change in the system's behavior. Also, I think that because this is such a fundamental problem somebody must have come up with a solution for it...

Thanks in advance,

Nico


LastLogin Time Stamp or LastlogonDate


Hello All,

In our forest we have 4 domains. All the domain controllers are running 2012 R2 and are GCs.

We have implemented Cisco AnyConnect for VPN; the Cisco box is configured with only one domain DC's IP and hostname.

Users from other domains are getting authenticated without any issues and can connect remotely, but lately when we run the inactive-user script we see many users marked as inactive because lastLogonTimestamp and lastLogon are not updated.

Due to a limitation on the Cisco box we can't add all the DCs' IPs and hostnames from the other domains. I am just checking how to update or refresh the attributes so they get updated on all DCs, which will stop active users being marked as inactive.

Or is there any other attribute which can be considered to mark users as active?


Thanks HA
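An added example, not from the post: an inactivity check written to cope with the situation described above. lastLogon is never replicated, so each DC only holds the logons it served itself, and lastLogonTimestamp is replicated but by default refreshed only when the stored value is more than 14 days old; the check therefore takes the newest value across every DC's lastLogon plus the replicated timestamp before calling an account inactive. DC names, account names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Difference between the FILETIME epoch (1601-01-01) and the Unix epoch, in 100 ns units
EPOCH_DIFF_100NS = 116_444_736_000_000_000
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # AD's "never" sentinels for these attributes


def filetime_to_datetime(ft):
    """AD stores lastLogon and lastLogonTimestamp as 100 ns intervals since 1601-01-01 UTC."""
    if ft is None or int(ft) in NEVER:
        return None
    return datetime.fromtimestamp((int(ft) - EPOCH_DIFF_100NS) / 10_000_000, tz=timezone.utc)


def datetime_to_filetime(dt):
    return int(dt.timestamp() * 10_000_000) + EPOCH_DIFF_100NS


def latest_logon(per_dc_lastlogon, lastlogontimestamp):
    """Newest logon across every DC's own lastLogon value plus the replicated
    lastLogonTimestamp (which lags by up to 14 days by default, so it is only a floor)."""
    values = list(per_dc_lastlogon.values()) + [lastlogontimestamp]
    stamps = [d for d in map(filetime_to_datetime, values) if d is not None]
    return max(stamps) if stamps else None


def inactive_accounts(accounts, now, max_idle_days=90):
    """accounts: {sam: {'lastLogon': {dc_name: filetime}, 'lastLogonTimestamp': filetime}}.
    Returns {sam: last_logon} for accounts whose newest logon is older than max_idle_days
    (last_logon is None for accounts that never logged on)."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = {}
    for sam, attrs in accounts.items():
        last = latest_logon(attrs["lastLogon"], attrs["lastLogonTimestamp"])
        if last is None or last < cutoff:
            stale[sam] = last
    return stale


# Constructed sample (not real data); NOW is fixed so the result is reproducible.
NOW = datetime(2016, 4, 20, tzinfo=timezone.utc)


def _ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE = {
    # VPN user: the VPN box only ever talks to DC-A, so only DC-A's lastLogon is fresh
    "vpnuser": {"lastLogon": {"DC-A": _ago(3), "DC-B": 0, "DC-C": _ago(200)},
                "lastLogonTimestamp": _ago(120)},
    # genuinely stale account
    "oldtemp": {"lastLogon": {"DC-A": 0, "DC-B": _ago(400), "DC-C": 0},
                "lastLogonTimestamp": _ago(395)},
    # never logged on at all
    "svc-new": {"lastLogon": {"DC-A": 0, "DC-B": 0, "DC-C": 0}, "lastLogonTimestamp": 0},
}

if __name__ == "__main__":
    print("querying all DCs:", sorted(inactive_accounts(SAMPLE, NOW)))
    # The mistake: reading lastLogon from a single DC (DC-B) marks vpnuser inactive
    one_dc = {s: {"lastLogon": {"DC-B": a["lastLogon"]["DC-B"]},
                  "lastLogonTimestamp": a["lastLogonTimestamp"]} for s, a in SAMPLE.items()}
    print("querying DC-B only:", sorted(inactive_accounts(one_dc, NOW)))
```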


Trust relationship issues ongoing with multiple clients


I have a chronic issue with workstations and laptops not able to log in to the company domain due to the "trust relationship" error. I have rejoined some of these computers only for them to have the same problem again later. The temporary solution has been to turn off Wi-Fi, unplug the Cat 5 cables and log in, then turn connectivity back on. Restarting the computers can also sometimes get them to log in.

This is a system-wide issue and must have something to do with DNS, but I am unable to pinpoint the issue and fix it.

DC Replication / New DC


Old DC - Server 2008 R2

New DC - Server 2012 R2

I just promoted the new DC. However, it looks like replication isn't working. Here is DCDIAG from the OLD DC:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = PAHServ

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\PAHSERV

      Starting test: Connectivity

         ......................... PAHSERV passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\PAHSERV

      Starting test: Advertising

         ......................... PAHSERV passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... PAHSERV failed test FrsEvent

      Starting test: DFSREvent

         ......................... PAHSERV passed test DFSREvent

      Starting test: SysVolCheck

         ......................... PAHSERV passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x8000082C

            Time Generated: 04/16/2016   21:23:25

            Event String:


         ......................... PAHSERV passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... PAHSERV passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... PAHSERV passed test MachineAccount

      Starting test: NCSecDesc

         ......................... PAHSERV passed test NCSecDesc

      Starting test: NetLogons

         ......................... PAHSERV passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... PAHSERV passed test ObjectsReplicated

      Starting test: Replications

         ......................... PAHSERV passed test Replications

      Starting test: RidManager

         ......................... PAHSERV passed test RidManager

      Starting test: Services

         ......................... PAHSERV passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 04/16/2016   21:12:53

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x00000C18

            Time Generated: 04/16/2016   21:12:58

            Event String:

            The primary Domain Controller for this domain could not be located.

         An error event occurred.  EventID: 0x00000422

            Time Generated: 04/16/2016   21:14:55

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\pah.local\SysVol\pah.local\Policies\{04E5046B-8ADC-4A7C-9232-0493C8B43372}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:


         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 04/16/2016   21:15:08

            Event String:

            A timeout was reached (120000 milliseconds) while waiting for the AVImark Server service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 04/16/2016   21:15:08

            Event String:

            The AVImark Server service failed to start due to the following error:


         A warning event occurred.  EventID: 0x00000420

            Time Generated: 04/16/2016   21:15:25

            Event String:

            The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 04/16/2016   21:15:29

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         An error event occurred.  EventID: 0xC0001B6E

            Time Generated: 04/16/2016   21:18:25

            Event String: The Greenline Service service hung on starting.

         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 04/16/2016   21:21:01

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/PAHServ.pah.local; WSMAN/PAHServ.


         ......................... PAHSERV failed test SystemLog

      Starting test: VerifyReferences

         ......................... PAHSERV passed test VerifyReferences



   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : pah

      Starting test: CheckSDRefDom

         ......................... pah passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... pah passed test CrossRefValidation


   Running enterprise tests on : pah.local

      Starting test: LocatorCheck

         ......................... pah.local passed test LocatorCheck

      Starting test: Intersite

         ......................... pah.local passed test Intersite

How to add linux workstation to windows ad user's logon to workstations?


1. I have a Windows Server 2003 SP2 workstation hosting the Active Directory service.

The ip is 192.168.136.166.

2. I have a linux workstation with ip 192.168.137.86. 

3. I created a user called user01@sayms.com and added "192.168.137.86" to the Log On To workstations list.

4. I use the Python ldap library to bind as user01@sayms.com.

import ldap

# Connect to the AD server from step 1 (192.168.136.166), not to the Linux workstation itself
conn = ldap.initialize("ldap://192.168.136.166")
conn.protocol_version = ldap.VERSION3

# Bind as the user; this is the call that raises the exception below
conn.simple_bind_s("user01@sayms.com", "itsapssword")

and it raises an exception:

  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece', 'desc': 'Invalid credentials'}

Is there a way I can add my Linux workstation to the Log On To workstations list?

A similar question below:

https://confluence.atlassian.com/confkb/unable-to-log-in-because-of-userworkstations-attribute-in-active-directory-441746607.html
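An added example, not from the post or the linked article: two small helpers for this situation. The first decodes the sub-code AD appends to a failed bind ("AcceptSecurityContext error, data 531" in the traceback above, where 531 means the user may not log on at this workstation), and the second checks entries destined for the userWorkstations attribute, which the "Log On To" dialog stores as a comma-separated list of NetBIOS computer names, so an IP address such as the one added in step 3 is never matched. Sample values are constructed.

```python
import re

# Sub-codes AD puts after 'AcceptSecurityContext error, data' in a failed bind's info text
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time (logonHours)",
    "531": "not permitted to log on at this workstation (userWorkstations)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")


def decode_bind_failure(exc_arg):
    """Explain a python-ldap INVALID_CREDENTIALS. exc_arg is the dict python-ldap passes
    as the exception's first argument ({'info': ..., 'desc': ...})."""
    info = exc_arg.get("info", "") if isinstance(exc_arg, dict) else str(exc_arg)
    m = DATA_RE.search(info)
    if not m:
        return {"code": None, "reason": "no AD sub-code in the error text"}
    code = m.group("code").lower()
    return {"code": code, "reason": AD_BIND_SUBCODES.get(code, "unrecognised sub-code")}


# userWorkstations holds NetBIOS computer names, comma-separated
NETBIOS_ILLEGAL = set('\\/:*?"<>|')
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_workstation_entry(name):
    """Return None if `name` can work as a userWorkstations entry, else why it cannot."""
    if IPV4_RE.match(name):
        return "IP addresses are never matched; use the computer's NetBIOS name"
    if "." in name:
        return "use the short NetBIOS name, not a DNS name"
    if not 1 <= len(name) <= 15:
        return "NetBIOS names are 1 to 15 characters"
    if " " in name or any(c in NETBIOS_ILLEGAL for c in name):
        return "contains a character that is not allowed in a NetBIOS name"
    return None


def check_user_workstations(value):
    """Split a userWorkstations value and report every entry that cannot match."""
    problems = {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        reason = check_workstation_entry(entry)
        if reason:
            problems[entry] = reason
    return problems


if __name__ == "__main__":
    # The exact error text from the traceback in the post
    err = {"info": "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, "
                   "data 531, vece", "desc": "Invalid credentials"}
    print(decode_bind_failure(err))
    # Constructed value mixing the IP from the post with a proper computer name
    print(check_user_workstations("192.168.137.86, LINUXWS01, this-name-is-too-long"))
```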

DomainMode


Hi, we are currently running a 2003 mixed mode DFL/FFL and we will be raising it to Windows 2008 R2. Our issue is that we have several apps that still use .NET 3.5.1 and below.

As per KB2260240, we expect to see the "The requested mode is invalid" error message when running a managed application that uses the .NET Framework 3.5 SP1 or an earlier version to access a Windows Server 2008 R2 domain or forest if the hotfix is not applied.

Does anyone have a script that will identify the domain mode for all servers in our environment?

thx,

jason

Suggestions For IT Staff Delegation


Hello all, looking for some suggestions or tips on how to set up our IT admins with delegation and server access. I started at a new organization and saw that every IT staff member is a domain admin. It looks like that allowed everyone to do what they needed to do on the domain and on servers. I have begun the process of trying to organize everyone and give them access to what they actually need. Looking for suggestions on how you have all set your environments up. We aren't a huge organization: all in one location with 10 to 15 IT staff members at a given time. Here is what I thought of doing.

1: Create 2 new security groups, 1 for HelpDesk and 1 for Server Operators. Delegate permissions for HelpDesk to add computers as well as reset passwords. Server Operators would have the same but would also be added as admins of the servers they need to have access to. We would still have 2 domain admins with full control.

2: Give both of those new groups access to all shares so they can assist users with deleted files or any other common tasks.

In the future I'll create app-specific admin security groups like CRMAdmins, ExchangeAdmins, etc., where I can put the users that actually need to maintain and work on those servers.

My worry is that since everyone had full access I may cut off access to users while I'm trying to secure this thing down. Any thoughts or suggestions on whether this is a good path, or any ideas on how you lay it out, would be appreciated. Thanks.