Channel: Directory Services forum
Viewing all 31638 articles

Deleting Child Domain


I was able to successfully delete the child domain, but I see that the entry has not been removed and the child domain entry shows again.

I wanted to delete the child domain

hadeed.com.pk


Need to Install a Backup domain Controller


I am trying to install a new secondary domain controller. When I removed the old secondary domain controller, I had to use the /forceremoval option because I had errors trying to demote the domain controller.

I also had to force removal of the old domain controller in Active Directory because it was still in the Domain Controllers group.

Now when I run dcpromo I can only install an RODC, which I do NOT want to do.

I did install DNS on the new controller and it is working properly as my secondary DNS controller.

How can I get my server to accept the dcpromo so I can install it as my secondary domain controller?

Mike Bartfield

Query all user data to a csv file


So I started writing some DSQUERYs and so far it's been great. However, I noticed that as I'm doing this for Mgmt they keep asking for more information, which requires another query and another and another, etc. And some of the things they are asking for are getting more complicated. So is there a way to just pull all user data from an OU, not just specific data? I want to pull everything under a user account (name, user name, disabled, locked, smart card required, email, etc.). Once I have it in a CSV file, then I can use pivot tables etc. to get at what mgmt is looking for. I'm not finding a command that will give me everything...?



Thanks!

Dre
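An added example (not from the post above, and not a Microsoft tool) of pulling every populated attribute of the users in one OU into a CSV with the ActiveDirectory PowerShell module. The OU distinguished name and output path are placeholders; the module needs RSAT installed. Because each user carries a different set of populated attributes, the script computes the union of attribute names first so that Export-Csv does not silently drop columns that the first user happened to lack, and it joins multi-valued attributes such as memberOf or proxyAddresses so they survive in the cell.

```powershell
# Added example: export all user attributes from one OU to CSV.
# Assumes the ActiveDirectory module (RSAT). OU and path are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$OutFile    = 'C:\Reports\users-all.csv'       # placeholder output path

# -Properties * returns every attribute the caller is allowed to read,
# plus computed flags (Enabled, LockedOut, SmartcardLogonRequired, ...).
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties *

# Union of attribute names across all users: Export-Csv takes its header from
# the first object, so a column set that varies per user would lose data.
$allProps = $users | ForEach-Object { $_.PropertyNames } | Sort-Object -Unique

$rows = foreach ($u in $users) {
    $o = [ordered]@{}
    foreach ($p in $allProps) {
        $v = $u.$p
        # Multi-valued attributes come back as collections; join them so the
        # CSV cell holds the values rather than a .NET type name.
        if ($v -is [System.Collections.ICollection]) { $v = ($v -join ';') }
        $o[$p] = $v
    }
    [pscustomobject]$o
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Two practical notes: `-Properties *` is expensive against a large OU, so once Mgmt's question set stabilises it is worth replacing `*` with the explicit list of attributes they actually use; and the resulting file contains account-security state (lockout, smart-card requirement, SIDs, group membership), so it should be stored and shared with the same care as the directory itself.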

Server 2012 Active Directory Trust relationship problem


We have a Server 2012 Standard edition Active Directory with more than 100 users and computers. We have VMware 5.5 clustered on two host machines. We shifted the AD VM from one host machine to another through the VM migration process for maintenance purposes. After that, some users are facing login problems in AD. The message is "The security database on the server does not have a computer account for this workstation trust relationship." or "Login ID or password incorrect".

We have solved the issue on a temporary basis by doing the following:

1. Unplugged the network cable and logged in normally, then plugged the cable back in.

2. Disjoined and rejoined the workstation to the AD. But after a day or two it happens again.

3. Formatted the PC and newly configured the machine.

4. Deleted the computer account from the AD and disjoined and rejoined the workstation to the AD.

5. Moved the VM back to its previous host machine. But we are still facing the same issue.

Not all client machines face the problem at the same time, but the problem is increasing and the number of problematic clients is increasing.

Can anyone help me out?

Qamrul

adfs claim rules


Hi,

I have a federated domain.

I have an ADFS proxy and ADFS server on premises.

I need only users from group 1 in AD to have access to web and Outlook, and only from the corporate network.

I need users from group 2 in AD to have access to web and Outlook only from the corporate network, and to have ActiveSync from anywhere.

I need group 3 in AD to have access to web, Outlook and ActiveSync from anywhere, both from the corporate LAN and not from the corporate LAN.

So the claims I wrote are:

for group 1

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.4\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b192\.168\.7\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

for group 2

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "for group 2 sid |for group 3 sid"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");


for group 3

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2152009330-2874364806-1774962514-1680"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.RPC|Microsoft.Exchange.Autodiscover|Microsoft.Exchange.WebServices|Microsoft.Exchange.Mapi|Microsoft.Exchange.OfflineAddressBook"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");


When I configure them in that order, nothing is working except the web.

What am I doing wrong?

Help will be much appreciated.

Active Directory Logon failure and showing Trust relationship Error


Hi,

We have a Server 2012 Standard edition Active Directory with more than 100 users and computers. We have VMware 5.5 clustered on two host machines. We shifted the AD VM from one host machine to another through the VM migration process for maintenance purposes. After that, some users are facing login problems in AD. The message is "The security database on the server does not have a computer account for this workstation trust relationship." or "Login ID or password incorrect".

We have solved the issue on a temporary basis by doing the following:

1. Unplugged the network cable and logged in normally, then plugged the cable back in.

2. Disjoined and rejoined the workstation to the AD. But after a day or two it happens again.

3. Formatted the PC and newly configured the machine.

4. Deleted the computer account from the AD and disjoined and rejoined the workstation to the AD.

5. Moved the VM back to its previous host machine. But we are still facing the same issue.

Not all client machines face the problem at the same time, but the problem is increasing and the number of problematic clients is increasing.

Please help me in this regard.

Atiqul Islam

Grant access to the IT Helpdesk user OU to edit the Employee ID field only


Hi,

Good Morning/Good evening,

We are required to give the IT help desk users access to edit the Employee ID field only.

Basavaraj(Raj) Navalgund

Bangalore-India
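An added example (not from the post above) of the least-privilege way to do this: rather than making the help desk group an account operator, grant it Write Property on just the employeeID attribute of user objects below one OU. The group name and OU are placeholders. The schema GUIDs for the attribute and the user class are looked up from the schema partition instead of being hard-coded, which also makes the same script reusable for any other single attribute.

```powershell
# Added example: delegate write access to one attribute (employeeID) on user
# objects under an OU. Assumes the ActiveDirectory module; names are placeholders.
Import-Module ActiveDirectory

$Ou       = 'OU=Employees,DC=corp,DC=example'   # placeholder OU
$GroupSam = 'IT-Helpdesk'                        # placeholder group sAMAccountName
$AttrName = 'employeeID'

# Resolve the schemaIDGUIDs that the ACE must reference.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttrName)" -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$sid     = (Get-ADGroup -Identity $GroupSam).SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE: <group> may read/write <attrGuid>, inherited by descendant objects of class <userGuid>.
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $rights, $allow, $attrGuid, $inherit, $userGuid

$acl = Get-Acl -Path "AD:\$Ou"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$Ou" -AclObject $acl

# Verify: list the ACEs on the OU that reference the attribute GUID.
(Get-Acl -Path "AD:\$Ou").Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

The verification step at the end is worth keeping as a periodic check: an ACE scoped to one attribute GUID is easy to confuse, in the ADUC Security tab, with a full-object write grant, and reviewing the ACL by GUID removes that ambiguity.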

Converting a trusted domain


I'm looking for the steps I need to take to do the following:

Domain1 is the official domain and will stay.  

Domain2 is a trusted domain in Domain1

We want to join everything in Domain2 to Domain1 (computers, servers, ..etc).  We would like to get rid of Domain2 and have everything on Domain1.  Here are some concerns I have:

1.  Domain1 is in the United States, Domain2 is in Mexico.  Will this be an issue?  

2.  What about the group policies that are currently running in Domain2?  When we join to Domain1, will they begin to use the group policies associated with Domain1?  

3.  Would it be better to create a new OU on Domain1 for Mexico and generate new user accounts, security groups, group policies...etc?  

.....this will just get me started.  Our primary active directory master domain controller on Domain1 is Windows Server 2012.  



Cannot restart AD server


Hi,

We have a Server 2012 Standard edition Active Directory. We have VMware 5.5 clustered on two host machines. We cannot restart the AD VM. When we need to restart the VM, we just right-click on the VM and power it off, then start the VM. If we restart Windows, we have observed "restarting" showing on the display for a whole day.

Different dates of an AD Expired account


Hi,

Could you let me know the reason behind the different dates of an expired AD account between the AD console and PowerShell?

When it is expired in PowerShell, the AD console shows the date as one day behind.

What data is synced between DCs during automatic Active Directory synchronization


When there is more than one domain controller (DC) in an Active Directory (AD) domain, by default they are usually configured to sync every 5 to 15 minutes. My understanding was that they sync all AD data; however, we recently found different last login details for users between 2 DCs.

When we looked into this we found an MS article which stated:

“lastLogon is not synced across the domain so the code above will only give you the last time the user connected to the random domain controller that answers the query rather than the last time the user connected to any controller in the domain” (from the article titled Determining a User's Last Logon Time on technet.microsoft)

However, I can't find what data is and is not synced between DCs. Is there a defined list available?

Thanks in advance,

Jonny
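An added example (not from the post above) showing the practical consequence of lastLogon being a non-replicated attribute: the only way to get a user's true last logon is to ask every DC and keep the newest value. The script also returns the replicated lastLogonTimestamp for comparison; that one is replicated, but by design it is only refreshed when it is more than about 14 days stale, so it is suitable for "has this account been used in the last month" questions rather than exact times. It assumes the ActiveDirectory module and reachability of all DCs from the querying host.

```powershell
# Added example: reconcile the per-DC lastLogon attribute across every DC.
# Assumes the ActiveDirectory module; all DCs must be reachable over LDAP.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $newest   = [int64]0      # lastLogon is a Windows FILETIME (Int64)
    $newestDc = $null
    $replicated = $null

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An unreachable DC means the answer may be incomplete; say so rather than hide it.
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }
        if ($u.lastLogon -gt $newest) { $newest = $u.lastLogon; $newestDc = $dc.HostName }
        if (-not $replicated -and $u.lastLogonTimestamp) { $replicated = $u.lastLogonTimestamp }
    }

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        LastLogon          = if ($newest) { [DateTime]::FromFileTime($newest) } else { $null }
        AnsweringDC        = $newestDc
        LastLogonTimestamp = if ($replicated) { [DateTime]::FromFileTime($replicated) } else { $null }
    }
}

Get-TrueLastLogon -SamAccountName 'jdoe'   # placeholder account name
```

For detection work (dormant-account reviews, "was this account used during the incident window") the distinction matters: lastLogonTimestamp from any single DC can be up to two weeks behind, and a single DC's lastLogon can be years behind if that DC simply never authenticated the user.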


Windows 2000 AD, users on Windows Vista and higher cannot login & change expired password


Hello,

My company is using Windows 2000 Advanced Server as PDC & BDC. The problem is that users who use Windows Vista and higher cannot change their password when it has expired.

Scenario:

A user with Windows 7 logs in to the computer and gets the message "user must change password at next logon".

The user enters the correct old password & new password.

After that he is still getting the message "user must change password at next logon".

I think the problem is caused by updates released after 10 Oct 2015, because we have a test computer with Windows 7 with updates up to 2015-05-09, and the problem does not occur.

Interestingly, users can change their passwords successfully if the password is not expired: Alt+Ctrl+Delete -> Change password.

I can confirm that after installing KB3149090 on the test computer, the problem occurs with an expired password, but it is not the only KB that causes issues.

Does anybody know which updates or settings cause this problem?

Some GPO settings:

Min password age: 0
Max password age: 30
PDC & BDC are trusted

Error seen in wireshark : KRB5KDC_ERR_KEY_EXP
NT Status : STATUS_PASSWORD_MUST_CHANGE
Status : 0xc0000224, 0x0

Client not authenticating to the right Domain controller but the site is correctly identified


Hi,

I have a root and child AD domain (2003) with several clients.

The subnets and sites are correctly configured (I should point out that in the "site" configuration, I have a DC for each domain and sub-domain; I hope this is not the reason for the issue).

From the client, if I run nltest /dsgetsite I have the correct site displayed. The DNS configuration of the client is set to the IP address of the DC that I want it to authenticate to.

BUT if I run echo %logonserver%, the DC is not one of the DCs associated with the site.

How can I force my client to be authenticated by the DC associated with its site? And how can I find the issue? :)

Thank you

Can I modify Department attribute without any issue?


Hi All!

I need to modify the rangeUpper limit from 64 to 96 because of our HR application (users' department text is longer than 64 chars).

Have you got experience with this? Have you ever modified this attribute's rangeUpper?

I haven't got a representative lab to test it, but if you say that this modification is very sensitive, then I have to test it before I change this in production.

Thanks,

T.

A large set of query results from AD in Java with lastLogonTimestamp attribute not presented


Hello,

I'm retrieving user attributes from AD, using Java with the JNDI API. It all works well. But when I analyze the data, I find 73% of the data with lastLogonTimestamp not present. I don't think 73% of the employees have never logged on.

The domain level is native, 2012 R2. The domain controller I'm querying is under the main domain, "companyname.com". The server is also a Global Catalog, but I query it on port 389; it contains all objects anyway.

I've found someone who had the same issue when querying with a PS script. They figured it out by running as Administrator. I will try this as well when I have contact with the person who has Administrator permission. But with my account I have the rights to read everything. Or should I just run the program as Administrator on the computer?

Does anyone have a clue?

Thanks!


KDC reports incorrect etypes after level change from 2003 to 2008 R2


A couple of years ago we added Windows 2008 R2 Domain Controllers to our Windows 2003 domain, completed the process of moving off the old 2003 DCs to the new ones, and finally changed the functional level to 2008 R2. As far as everything we were using, things were functioning as expected. However, recently we've been working on enhancing our GPO configuration for our desktops to increase security.

One of the changes we made was based on DoD STIG settings and, according to MS documentation, was supported by our W7 & W10 machines connecting to our Windows 2008 R2 domain.

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos -> checking only AES128, AES256, & Future

After that change was made, though, the test machines (W7 & W10) all started getting popups telling them they needed to lock their machine and log back in because the password was out of sync. Doing so did not resolve the issue, and then if you tried to change the account password from the computer you got an error about the KDC not supporting the encryption requested. The following error was logged on the Domain Controller too.

While processing an AS request for target service krbtgt, the account USER_ACCOUNT did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  17  3. The accounts available etypes : 23  -133  -128. Changing or resetting the password of USER_ACCOUNT will generate a proper key.

From my research, etypes 18 & 17 are AES128 & AES256, which is what I expected, but then on the domain side it's telling me it only supports RC4, and I couldn't figure out what -133 & -128 were. So I did more research and was assuming the domain, when upgraded, just never added the AES options, so I started delving into klist & ksetup. However, I started running into errors.

ksetup /getenctypeattr MY.DOMAIN
Query of attributes on MY.DOMAIN failed with 0xc0000034
Failed /GetEncTypeAttr : 0xc0000034

ksetup /AddEncTypeAttr MY.DOMAIN AES128-CTS-HMAC-SHA1-96
Query of attributes on MY.DOMAIN failed with 0xc0000034
Failed /AddEncTypeAttr : 0xc0000034

So I was messing around with klist on the machines that couldn't log in and were throwing the error on the Domain Controller.

klist
Current LogonId is 0:0x123456789
Cached Tickets: (0)

Then I ran it on one of our other machines that did not have the new GPO changes, and was a bit surprised to see everything in my domain is already using AES256...

Current LogonId is 0:0x123456789
Cached Tickets: (1)
#0>     Client: USER_ACCOUNT @ MY.DOMAIN
        Server: krbtgt/MY.DOMAIN @ MY.DOMAIN
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 6/15/2016 9:47:25 (local)
        End Time:   6/15/2016 19:47:25 (local)
        Renew Time: 6/22/2016 9:47:25 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

So while my KDC is not advertising that it does AES, once a machine talks to it, it starts actually using AES. I went back to that GPO value I set and added RC4 so the client could request it, and as soon as I did that those test machines all started talking to the KDC, got new tickets, the popup stopped showing, and all of the tickets were AES.

So, yippee, I'm actually running at the level I was trying to enforce, but in order to do it I have to allow the ability to downgrade to RC4...

I've done a bunch of research online and I can't seem to figure out how to get the KDC to correctly report what it supports so that I can remove the usage of RC4.


Systems Administrator Senior - University of Central Florida
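An added example (not from the post above) that does two things a defender wants when chasing this kind of KDC error: it translates the etype numbers printed in the event text into names (per RFC 3961/3962/4757, 17 is aes128-cts-hmac-sha1-96, 18 is aes256-cts-hmac-sha1-96, 23 is rc4-hmac, 3 is des-cbc-md5), and it lists accounts whose pwdLastSet predates a cutover date, which is the population whose stored keys cannot include AES and which the event text itself says need a password change or reset. It also decodes the msDS-SupportedEncryptionTypes bit flags on each account. The cutover date is a placeholder to be replaced with the date the first 2008 R2 DC was promoted; the script assumes the ActiveDirectory module.

```powershell
# Added example: decode Kerberos etype numbers from KDC events, decode the
# msDS-SupportedEncryptionTypes attribute, and list accounts whose password
# (and therefore key set) predates the first AES-capable DC.
# Assumes the ActiveDirectory module. The cutover date is a placeholder.
Import-Module ActiveDirectory

$Cutover = Get-Date '2014-01-01'   # placeholder: promotion date of the first 2008 R2 DC

# Kerberos etype numbers as printed in KDC event text (RFC 3961/3962/4757).
$EtypeNames = @{ 1 = 'des-cbc-crc'; 3 = 'des-cbc-md5'; 17 = 'aes128-cts-hmac-sha1-96'
                 18 = 'aes256-cts-hmac-sha1-96'; 23 = 'rc4-hmac' }

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
$EncTypeFlags = [ordered]@{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4; AES128 = 0x8; AES256 = 0x10 }

function ConvertFrom-EtypeList([string]$Text) {
    # Turns "18  17  3" (as logged by the KDC) into named etypes; unknown numbers are kept.
    ($Text -split '\s+' | Where-Object { $_ } | ForEach-Object {
        $n = [int]$_
        if ($EtypeNames.Contains($n)) { "$n=$($EtypeNames[$n])" } else { "$n=unknown" }
    }) -join ' '
}

function ConvertFrom-SupportedEncTypes([int]$Value) {
    # 0 / unset means the attribute does not constrain the account; DC defaults apply.
    if (-not $Value) { return '(not set: defaults apply)' }
    ($EncTypeFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Name) -join ','
}

function Get-AccountsWithoutAesKeys {
    param([DateTime]$Since = $Cutover)
    # pwdLastSet is a FILETIME; compare as Int64 inside the LDAP filter.
    # objectClass=user also matches computer objects (and krbtgt), which is intended.
    $ft = $Since.ToFileTimeUtc()
    Get-ADObject -LDAPFilter "(&(objectClass=user)(pwdLastSet<=$ft))" `
                 -Properties sAMAccountName, pwdLastSet, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            [pscustomobject]@{
                Account        = $_.sAMAccountName
                PasswordSet    = [DateTime]::FromFileTimeUtc($_.pwdLastSet)
                SupportedTypes = ConvertFrom-SupportedEncTypes $_.'msDS-SupportedEncryptionTypes'
            }
        }
}

ConvertFrom-EtypeList '18  17  3'
ConvertFrom-EtypeList '23  -133  -128'
Get-AccountsWithoutAesKeys | Sort-Object PasswordSet | Format-Table -AutoSize
```

Accounts in the resulting list, the krbtgt account above all, are the ones for which the KDC can only answer with an RC4 key no matter what the client requests; until their passwords are set again on an AES-capable DC, a client policy that removes RC4 from the allowed list will fail exactly as described in the post.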

Delay logging in when one of our DC's is offline


We have 3 Domain controllers in our environment (let's call them DC-A, DC-B and DC-C).  All three are AD, DNS, file servers and global catalog servers.  DC-B holds all of our FSMO roles and is therefore our PDC.  The other day DC-B froze up overnight and went offline.  When users from DC-A and DC-C attempted to login they got a black screen for about 20 minutes before their machines finally logged them in.  When I look, they are all connecting to the proper domain controllers for authentication.  All DCs are weighted the same, so it looks like everything is set up correctly.  Is there something else that could be causing this long delay for login?  All computers in all three locations have mapped drives to every single DC, so could it maybe be attempting to map the drive for DC-B and that's what's taking so long?  Just trying to figure it out.  Thanks

ADFS showing up a pop up for login credentials only with GET


Hi!

We are using ADFS mostly for SaaS applications (including O365).

It is working perfectly but we have now integrated a new application and it is showing a popup window asking for credentials.

Let me explain the scenario. 

I know that ADFS tries using WIA (SSO) if the browser is running in the intranet and if it is Internet Explorer.

So our services are working ok:

- External users are shown the login form

- Internal users with corporate laptops use integrated windows auth

- Internal users with other devices or browsers are shown the login form

But with this new app, internal users with Firefox are seeing a popup window (basic authentication).

We have had a look at the difference between this application and other applications and have seen that the only difference is that this app calls ADFS with a GET method (SAML) while the rest use a POST method.

AFAIK our ADFS is not customized.

Are any of you aware of this difference? Why do GET and POST work differently? Can we fix this in ADFS or should we ask for a change in the application?

Thank you!!


urgent help: on DNS issue


We have one forest and one domain, which is at the Windows 2008 R2 functional level.
We have one scope (10.1.150.x/24) which is on a Windows 2003 DHCP server. The DHCP server is configured
to always dynamically update DNS A and PTR records and discard A and PTR records when the lease
is deleted. The zones are AD-integrated and allow secure updates. Scavenging is enabled on the forward and reverse
lookup zones.

Here are the issues we constantly have:

ex: computer name:  pc1, pc2, pc3

nslookup pc1
address:  10.1.150.201 (verified in DNS and DHCP)

but nslookup 10.1.150.201 --> it returned pc2 (that means the reverse PTR is not updated).

nslookup pc2  
address: 10.1.150.170 

nslookup 10.1.150.170 it returned pc3

The above issue seems to show that DNS A and reverse records are not updated correctly.
DNS dynamic update is not working, right?

Note: two PCs with the same IP show in the DNS forward zone.

How should we fix it? 

Thank you!
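An added example (not from the post above) of checking a whole zone for exactly the two symptoms described: an address whose PTR names a different host than its A record, and one address carried by more than one A record. Running it before and after a fix, or on a schedule, shows whether dynamic update and scavenging are actually converging. The zone name and DNS server are placeholders; it assumes the DnsServer module (RSAT) for reading the zone and the DnsClient Resolve-DnsName cmdlet for the reverse lookups.

```powershell
# Added example: audit forward/reverse consistency of one DNS zone.
# Assumes the DnsServer module (RSAT) and Resolve-DnsName. Names are placeholders.
Import-Module DnsServer

function Test-ZoneReverseConsistency {
    param(
        [string]$Zone      = 'corp.example',   # placeholder zone
        [string]$DnsServer = 'dc1.corp.example' # placeholder DNS server
    )

    # All host A records in the zone (skip the zone apex '@').
    $aRecords = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -ComputerName $DnsServer |
                Where-Object { $_.HostName -ne '@' }

    # Symptom 1: the same IP present on more than one A record.
    $byIp = $aRecords | Group-Object { $_.RecordData.IPv4Address.IPAddressToString }
    foreach ($g in ($byIp | Where-Object Count -gt 1)) {
        [pscustomobject]@{ Address = $g.Name; Problem = 'multiple A records'; Detail = ($g.Group.HostName -join ',') }
    }

    # Symptom 2: PTR missing, or pointing at a different name than the A record.
    foreach ($r in $aRecords) {
        $ip   = $r.RecordData.IPv4Address.IPAddressToString
        $fqdn = "$($r.HostName).$Zone"
        $ptr  = Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue
        $names = @($ptr | Where-Object Type -eq 'PTR' | ForEach-Object NameHost)
        if (-not $names) {
            [pscustomobject]@{ Address = $ip; Problem = 'no PTR'; Detail = "A=$fqdn" }
        } elseif ($names -notcontains $fqdn) {
            [pscustomobject]@{ Address = $ip; Problem = 'PTR mismatch'; Detail = "A=$fqdn PTR=$($names -join ',')" }
        }
    }
}

Test-ZoneReverseConsistency | Sort-Object Address | Format-Table -AutoSize
```

Every finding this produces is a record that something other than the current lease-holder can be resolved to, which matters for any log or access rule that keys on host names; the report is therefore also a useful artefact to keep alongside the scavenging configuration when the root cause is worked out.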



Active Directory and OCS 2007


Good day staff,

I had a server with OCS 2007; this server just makes trouble and there are no more spare parts for it.

The Active Directory schema contains OCS fields. My doubt is whether I should do some kind of cleaning in order to remove the OCS 2007 fields within AD, since I no longer have an OCS server, but the fields are still contained in AD.

Thank you