Channel: Directory Services forum

Domain controller is Name server tab


I have various domain controllers and various DNS forward lookup and reverse lookup zones.

When I open the DNS console from DC1 and view the Name Servers tab of various zones, the NS record for DC1 is listed as:

DC1 Unknown

When I try to remove the DC1 NS record and add it again, it gives me two IP addresses:

1. First one is ::1

2. The actual ip address of the server.

When I go to DC2 and view the Name Servers tab of various zones, the NS record for DC1 appears correctly along with the IP address; however, the NS record for DC2 appears as:

DC2 Unknown

However, on DC1 the NS record for DC2 does not appear as Unknown; it shows the IP address of DC2.

Why is the IP address not listed and why does it say Unknown? Why am I getting ::1 when I try to add the NS record in a DNS zone?

I have too many zones. Can I automate removing the NS record where it says "DC1 Unknown" and re-adding it so that it appears along with its IP address?


DFSR Domain System Volume Replication


Multi Site ADDS

Sysvol replication with DFSR-

Replication of Sysvol and netlogon folders occurs very slowly (hours) between DC on different Sites, but immediately within the same site.

I was looking for a way to configure the Replication Group schedule. Even with PowerShell I cannot get information about the Domain System Volume replication group. I suppose the DFSR replication schedule is not the same as the AD DS intersite site link schedule.

If I use the dfsrdiag syncnow ... I can force the replication successfully, but I would like to have more control on the Replication Group parameters.

I thank you very much for your help.

Kind regards,

Enrico Giacomin

SID History not migrating when using ADMT forest migration even though auditing is fully enabled

Can anyone tell me why I keep getting errors when using ADMT like the following:

2016-05-31 14:16:44 ERR2:7430 SID History for MailTest6 cannot be updated because auditing is not enabled on domainname.   rc=8552.
  This operation requires that auditing be enabled for Success and Failure auditing of account management operations.

2016-05-31 14:16:44 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem.  The Active Directory Migration Tool will not attempt to migrate the remaining objects.

I have enabled auditing at the root domain level (Default domain policy)

This is enabled on the old domain and on the new domain (Security Settings > Local Policies > Audit Policy):

Policy                           Setting
Audit account management         Success, Failure
Audit directory service access   Success


Why does ADMT continue to insist that auditing is not enabled when it is 100% enabled and enforced?

NETLOGON logging and LDAP logging


Hello All,

We are moving from 2003 AD to 2012 R2, and we are in the midst of collecting data on applications that connect to the domain controllers, for either Kerberos authentication/authorisation, LDAP queries, or NTLM/SMB connections.

We have set up Netlogon logging for NTLM-related data. That said, the information is limited at best: we can see whether the request was transitive or direct, and from which computer, using which account, but not whether it was using LM, NTLMv1 or NTLMv2. Since this is 2003 and we can't use NTLM traffic auditing (available in 2008 and above), are there any other suggestions out there, other than sniffers (Wireshark, Netmon)?

We are also looking at LDAP logging for LDAP traffic, by setting the values of

16 LDAP Interface Events and 15 Field Engineering to 5 (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics).

This gives us information on the user, computer and application the request is coming from, but it lacks port information and gives no data about the protocol used (LDAP vs. Secure LDAP etc.).

So we found another product, ADInsight (a Sysinternals tool), that we can use. Issues with this tool: we have to log on to the console to make changes to things like depth and to start the tool; that said, capturing data afterwards is tricky as well unless you are on the console doing these things. Hence it isn't ideal for our scenario (perfect for troubleshooting, not great for capturing data for general analysis).

So we were hoping to see if anyone here knew of a tool that could help (again, we would prefer not to use sniffer tools).

For Kerberos we are relying on logon audits (events 672/673).

Any help in this direction would be highly welcome.

client Date format is not same as PDC emulator date format


We are running Windows Server Std 2012 R2 as the PDC (forest root domain) with the FSMO roles, and have Windows Server 2003 SP2 as an ADC. The time service on the PDC uses time.windows.com as the external clock setting. We changed the date format in the PDC clock settings to DD/MM/YY, but the clients attached to that domain are showing the date format as MM/DD/YY.

How and where do we change the setting to get the clients to display the date format as DD/MM/YY, as displayed on the PDC?

Clients: Windows 8.1 Pro/Ent, Windows 10 Pro/Ent

Troubleshooting done so far:

w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly
w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

net stop w32time
w32tm /unregister
w32tm /register
net start w32time


Sathishkumar M


FRS to DFSR Sysvol Migration


Hi,


We have the DFL in 2003 mode and the FFL in 2000 mode, and all domain controllers are Windows 2008 R2. Now we are upgrading to the Windows 2012 functional level and the Windows 2012 OS.

Just wanted to know if we need to migrate FRS to DFSR manually, or will it automatically be upgraded to DFSR for SYSVOL?

If manual, what are all the steps we need? Please suggest.


Waseem Khan MCP, MCITP, VCP, VCA, ITIL

How to enforce AD security group to be the local administrators group for all servers using GPO or Group Policy Preference ?

Hi All,

I'd like to standardize the membership of the Local Administrators group for all of my production servers, so that whenever people try to add members manually to the Local Administrators group, they get removed automatically, leaving only the "Local Administrators on %COMPUTERNAME%" AD security (global) group on each respective server.

How is that possible using Group Policy Preferences or a Group Policy Object?

Note:
As for the AD security group "Local Administrators on %COMPUTERNAME%", I will create it using a PowerShell script.
The servers are only Windows Server 2008 R2, 2012 and 2012 R2.

Thanks.

/* Server Support Specialist */


ADFS Claim Rule - Device Registration


We have successfully implemented device registration in ADFS with Office 365 using Azure AD Connect with device writeback. We see the device registration container and it is populated with all the devices that we have workplace joined (registered). Also we can see the devices in Azure AD for each user.

Now we are trying to set up a claim rule that states, if you are external AND your device is not registered then enforce multifactor.  Here is our claim rule we are using to try and accomplish this:

c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "false"] 
&& c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] 
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

We have set that as an additionalauthenticationrule using powershell for our O365 relying party trust.

On my device, which I have absolutely confirmed is a registered device, when I go to the O365 web portal and log in, I am still getting a multifactor prompt. Since I'm going to the web portal on a registered device, shouldn't I not get multifactor? I also tried using the Outlook app to set up email, and I'm getting an MFA prompt when setting up my 365 account using that app as well.

If I connect to our work's Wi-Fi so that my device gets an internal IP, I do not get MFA, so I know the claim rule is working, but for some reason it is not detecting that my device is registered. We have tried on multiple devices that are for sure registered, but it's the same result.

Any help is greatly appreciated.


Rich


add users from a trusted domain to domain admins group


Hi all,

This discussion has come up before, but it hasn't worked for me.

here is my set up:

  • Domain A (server 2008)
  • Domain B (Server 2008 R2)
  • Two-way trust relationship between the domains (domain-wide authentication)

Here is what I need to do:

  • Add a user from Domain B to "Domain Admins" group of Domain A.

Here is what I have done so far:

  • Added user from Domain B to a Global group(DomainB_Global) on Domain B
  • Added DomainB_Global to a Domain Local Group(DomainA_DL) on Domain A

Here is what I cannot do:

  • Make DomainA_DL a member of Domain Admins of Domain A

Any help is appreciated.

2008 Domain controller decom failed - Catastrophic failure


Hello,

When trying to run dcpromo on a 2008 RODC (first step of decommissioning) I receive the following error:

Failed to detect if Active Directory Domain Services binaries were installed.  The error was: Catastrophic failure

As a first step towards troubleshooting I have done the following:

Run chkdsk /r /f (Successful)

Run sfc /scannow (from command line as administrator) Failed with error:

Windows Resource Protection could not perform the requested operation.

I powered off the domain controller and attached the disk to another Windows 2008 server (as an e: drive) and ran the following command:

sfc /scannow /offbootdir=e:\ /offwindir=e:\windows (Success! Found corrupt files and successfully repaired them.)

Unfortunately it looks like now the server is really poached.  Upon booting the server I am getting the error:

Windows failed to start.  A recent hardware or software change might be cause...

File: \Windows\system32\winload.exe

Status: 0xc000000e

Info: The selected entry could not be loaded because the application is missing or corrupt. 

Fixed this by inserting the installation disc, running a repair, from the command prompt I typed:

bootrec /rebuildbcd

Booted into the OS Successfully.  Ran DCPROMO.  Same error:

Failed to detect if Active Directory Domain Services binaries were installed.  The error was: Catastrophic failure

At this point I'm out of ideas.  Any suggestions??

Installing Active directory


This is my first time installing Active Directory (I have Windows 10).

- I used the Active Directory Lightweight Directory Services Setup Wizard in Administrative Tools.

- Then I created a new instance, entered 50005 as the LDAP port, and chose a partition name.

- After that I opened ADSI Edit and tried to configure a connection: I had "Default Naming Context" as the name, but it didn't retrieve cn and dc in the path; what I had was "LDAP://Default naming context".

When I clicked OK I got this error:

Operation failed. Error 0x8007054b

The specified domain either does not exist or could not be contacted

I also noticed that I can't access Active Directory Sites and Services in Administrative Tools, and when trying to open it I get this error:

Naming information cannot be located because

The specified domain either does not exist or could not be contacted.

Contact your system administrator to verify that your domain is properly configured and is currently online.

I tried to search on the internet but didn't find a specific solution.

Where should the ForestDnsZone and DomainDnsZone be pointed if we use a 3rd party DNS in our organization?

In our environment we do not utilize the Microsoft DNS (we have enterprise-level DNS appliances for this). When I go into ADSI Edit, open the Configuration section, and go into the Partitions section, I find all five entries there; however, the DomainDNSZone and the ForestDNSZone both point to different GUIDs.

When I run DcDiag it suggests that these should point to the single DC we have in the environment (Something that I will be fixing once I have AD cleaned up and have a reasonable chance of bringing up a second DC).

Some things I have read state that these are only used when utilizing AD integrated DNS and therefore it doesn't matter where they point.  I would like to be sure though that there isn't any place it shouldn't be pointed or if there is a best practice of where it should be in such a scenario. So where should those two entries point?

Script to remove DNS entries


We have migrated a whole bunch of servers from one location to another, changing the IP addresses of the servers in the process. However, some iLO and backup DNS entries are still not cleaned up. We also need to remove entries for servers which were not migrated.

Is there a script which first pings the DNS record to make sure it is not in use and then deletes it from all DNS zones (forward and reverse lookup zones)?
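As an added example (not from this post or from any Microsoft tool), the following PowerShell script does the inventory half of what the question asks: it walks every primary zone on a DNS server, pings the target of each A or PTR record, and writes the non-responding ones to a CSV. Deletion is gated behind a switch and `-WhatIf`, because an unanswered ping only means the host did not answer ICMP, not that nothing depends on the name. The server name, report path and module (`DnsServer`, shipped with the DNS role and RSAT on Windows Server 2012 and later) are assumptions.

```powershell
# Added example, not code from the forum post. Assumes the DnsServer module and
# a DNS server you name; $DnsServer and $ReportPath are placeholders.
param(
    [string]$DnsServer  = 'dc1.corp.example',        # assumed server name
    [string]$ReportPath = '.\stale-dns-report.csv',
    [switch]$Remove                                   # off by default: report only
)

Import-Module DnsServer

$stale = @()

# Primary zones only; auto-created zones (localhost, 0.in-addr.arpa, ...) are skipped
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    # Forward zones hold the A records we care about; reverse zones hold PTRs
    $rrType  = if ($zone.IsReverseLookupZone) { 'PTR' } else { 'A' }
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -RRType $rrType |
        Where-Object { $_.HostName -ne '@' }          # skip the zone apex

    foreach ($rr in $records) {
        # For an A record probe the address; for a PTR probe the name it points at
        $target = if ($rrType -eq 'A') {
            $rr.RecordData.IPv4Address.IPAddressToString
        } else {
            $rr.RecordData.PtrDomainName.TrimEnd('.')
        }

        # Two ICMP probes. A host that filters ICMP looks dead here, so this is
        # evidence for review, not proof that the record is unused.
        $alive = Test-Connection -ComputerName $target -Count 2 -Quiet -ErrorAction SilentlyContinue
        if (-not $alive) {
            $stale += [pscustomobject]@{
                Zone      = $zone.ZoneName
                Name      = $rr.HostName
                Type      = $rrType
                Target    = $target
                Timestamp = $rr.Timestamp   # empty for static records; set for dynamic ones
            }
        }
    }
}

$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} record(s) did not answer; report written to {1}" -f $stale.Count, $ReportPath)

if ($Remove) {
    foreach ($s in $stale) {
        # -WhatIf prints what would be removed; take it out only after the CSV is reviewed
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone -Name $s.Name -RRType $s.Type |
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone -Force -WhatIf
    }
}
```

The `Timestamp` column is worth keeping in the report: records that carry one were registered dynamically and are candidates for the built-in aging and scavenging mechanism, while the iLO and backup entries mentioned in the post are typically static and will only go away by explicit removal. Run the script in report-only mode first, review the CSV, then run it again with `-Remove` and finally drop `-WhatIf` once the list is confirmed.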

Safe to use netdom to reset PDC password?


Here's my scenario:

Changed the NIC on the PDC.  PDC is also a fileserver.  Started getting "The target account is incorrect" from clients trying to access shares.  After a while and a few basic things like "ipconfig /registerdns" most of the machines started working, and now it seems a few more that were working fine are starting to have the same error.

I ran "netdom /reset" on some of the machines to fix it, and that has mostly worked. But replication is failing between the PDC and the 2nd DC, which is in another location. Now when I run "repadmin /syncall" on the PDC, it says "The target principal is incorrect" when it tries to access itself.

I was able to run the "netdom /reset" on the 2nd DC against the primary DC, but can I run it on the PDC against the 2nd DC?  Or will this cause more AD problems?

About to raise the domain functional level, pre checks highlighted inconsistencies


I am about to raise the DFL and FFL of a single Domain (no forest/trusts).

It is currently at 2003, we need to go to 2008 minimum for CRM 2015/16.

Our setup is fairly simple.

5 DCs, all Server 2008 R2

NATTHN39 :

Schema Master & Domain Naming Master

NATRHN08 :

PDC / RID Pool Manager / Infrastructure Master

Remaining Servers hold no special roles.

All 5 are DNS/WINS

I have been planning this change for a week or so; all of this was working fine on the 27th.

Yesterday I was running a bunch of checks prior to making the change to the DFL when I noticed replication errors. Specifically replication from NATRHN08 (PDC) to NATTHN39 (Operations Master).

The same error is apparent in any attempt to connect DS functions from NATRHN08 to NATTHN39. Here is the output of NTDSUTIL run on NATRHN08 :

ntdsutil: local roles
local roles: connections
server connections: connect to server NATTHN39
Binding to NATTHN39 ...
DsBindWithSpnExW error 0x80090322(The target principal name is incorrect.)
server connections: connect to server NATTHN80
Binding to NATTHN80 ...
Connected to NATTHN80 using credentials of locally logged on user.
server connections: connect to server NATRHN01
Disconnecting from NATTHN80...
Binding to NATRHN01 ...
Connected to NATRHN01 using credentials of locally logged on user.

It is just the connection NATRHN08 -> NATTHN39 that is problematic. All other scenarios work OK, including NATTHN39 -> NATRHN08.

To fix it I have attempted to use NETDOM to reset the password as follows:

NET STOP KDC on NATTHN39

Reboot NATTHN39

klist purge

NETDOM /RESETPWD /S:NATRHN08 /UD:domain\user /PD:*

Reboot NATTHN39

NET START KDC

repadmin /syncall

This has not resolved the issue. The "The target principal name is incorrect" issue still exists.

Whilst looking into this I've also discovered a bunch of other issues I'm not sure about.

If I run DCDIAG, all tests other than replication pass. If I run dcdiag /v I get a load of failures on CrossRefValidation.

If I use ADSI edit to check the schema version I get <not set>, running dsquery for the same returns objectversion 47.

I feel that the issue is to do with the execution of the netdom password reset but I can't see how I'm doing it wrong.

Delegation of Control for a group to update just phone numbers of user objects.

We have a need to have a security group just have the ability to update phone numbers of users. Is this possible using the Delegate Control wizard, and if so, which attribute am I looking for?
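As an added example (not from this post), this PowerShell snippet shows what the delegation looks like when granted per attribute with the built-in `dsacls` tool rather than through the wizard: only the read/write property right on the phone attributes of user objects, inherited to objects under the chosen OU and nothing else. The OU, domain and group name are assumptions; the attribute names are the schema lDAPDisplayName values for the phone fields on a user.

```powershell
# Added example, not code from the forum post. $ou and $group are placeholders.
$ou    = 'OU=Staff,DC=corp,DC=example'   # assumed container to delegate over
$group = 'CORP\Phone-Editors'             # assumed security group

# Phone-related attributes on the user class (schema lDAPDisplayName values)
$phoneAttributes = 'telephoneNumber', 'mobile', 'homePhone', 'otherTelephone',
                   'facsimileTelephoneNumber', 'pager', 'ipPhone'

foreach ($attr in $phoneAttributes) {
    # /I:S        apply to sub-objects only, not to the OU itself
    # RPWP        read property + write property
    # ;attr;user  limited to this one attribute, on objects of class user
    dsacls $ou /I:S /G "${group}:RPWP;$attr;user"
}

# Verify: show only the ACEs on the OU that mention the delegated group
dsacls $ou | Select-String -Pattern 'Phone-Editors'
```

Granting the right per attribute keeps the group's footprint to exactly the fields it is meant to edit; a broader "write all properties" grant on user objects would also cover attributes the group has no business changing. The verification line is the check to rerun after any later delegation work on the same OU.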

AD Server Behind NAT.


We are establishing a new shared branch office with the existing network configuration. As a result, a local administrator installed a couple of servers, one of which was promoted to a domain controller in our existing domain. In the end we are facing a DC which is not able to replicate correctly. I assume that the main reason would be that the new machine has its IPv4 address set as 192.168.1.33 and is registered in DNS as such. Due to remapping of the addresses on the remote firewall, this machine can be reached from our side only through another address, 192.168.38.33.

I see a lot of errors in the event viewer, such as:

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 

Directory partition:

CN=Configuration,DC=MyDomain,DC=com  

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.  

My main question would be whether it is generally possible to bypass this problem or, conversely, whether all domain controllers should be able to communicate directly.

New machine - Windows Server 2012

Domain functional level - Windows 2003

Thanks a lot.

Eduard

Numerous Schannel Warnings Event 36886


Recently, our two 2012 DCs started logging these warnings in the System log...

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

One of the DCs gets them more frequently. Sometimes it logs dozens per hour. This just started happening a few weeks back. What suddenly caused these to appear and how do I stop them?

AD search for humans only


I'm a little new to the guts of AD but I'm performing a search and really only want to retrieve records for humans, not computers or groups or admin accounts etc.  Is there a field that I can filter on or does it totally depend on how the admins have chosen to implement AD?

Thanks!
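As an added example (not from this post), the PowerShell below builds the LDAP filter that separates user accounts from the other object types the post wants to exclude. It relies only on standard schema attributes: `objectCategory=person` together with `objectClass=user` leaves out computers (whose category is `computer`), groups and contacts, the `userAccountControl` bitwise match drops disabled accounts, and `adminCount` is offered as an optional heuristic for accounts protected by AdminSDHolder. The search base and the `ActiveDirectory` RSAT module are assumptions.

```powershell
# Added example, not code from the forum post. Assumes the ActiveDirectory
# module; the search base below is a placeholder.
Import-Module ActiveDirectory

function Get-HumanUserFilter {
    param(
        [switch]$IncludeDisabled,
        [switch]$ExcludeProtectedAdmins
    )
    # objectCategory=person matches users AND contacts; objectClass=user narrows
    # it to accounts. Computers carry objectClass=user too, but their
    # objectCategory is computer, so they are excluded by the first clause.
    $clauses = @('(objectCategory=person)', '(objectClass=user)')

    # userAccountControl bit 0x2 = ACCOUNTDISABLE. The OID is the LDAP
    # bitwise-AND matching rule, so this tests a single flag, not equality.
    if (-not $IncludeDisabled) {
        $clauses += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }

    # adminCount=1 is stamped by AdminSDHolder on members of protected groups.
    # It is a heuristic: the value stays set after the account leaves the group.
    if ($ExcludeProtectedAdmins) {
        $clauses += '(!(adminCount=1))'
    }

    return '(&' + ($clauses -join '') + ')'
}

$filter = Get-HumanUserFilter -ExcludeProtectedAdmins
# Example base (assumed); omit -SearchBase to search the whole domain
Get-ADUser -LDAPFilter $filter -SearchBase 'OU=Staff,DC=corp,DC=example' -Properties mail |
    Select-Object SamAccountName, Name, mail
```

What the filter cannot do is tell a person from a service account or a shared mailbox, since both are ordinary user objects; that distinction depends on how the directory is organised (a dedicated OU, a naming convention, or an attribute such as employeeID being populated), which is the second half of the question.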

changing our exchange mail contacts to full mailbox - what licensing required?


Hi all,

our management has decided that our organisation's mail contacts should be converted to full user mailbox status. Do I need a license for Active Directory AND the Exchange CAL?

any advice appreciated
