Channel: Directory Services forum

ADFS 3.0 certificate and role questions


Hi,

I'm new to ADFS and would like to set it up properly. The ADFS system will be utilized by Dynamics CRM clients as well as Office 365. I've reviewed online docs on how to set it up, but there are a few things that I am still not clear on. The main one is that I'd like to use an existing 2012 R2 server, which is our domain subordinate CA, as the first ADFS farm member. Will this cause issues with SSL certificates and DNS? I understand that the ADFS role in Server 2012 R2 doesn't require a pre-install of IIS, but we currently have IIS installed for the domain PKI.

Recommendations are to use a public SSL cert for ADFS. Can that only apply to the ADFS proxy in the DMZ, or does the internal ADFS farm member require this as well? Ideally I'd like to use our domain PKI for the internal ADFS farm members and the public CA for the ADFS proxy.

Brad



AD DR test scenario


Hey all,

I am expected to run a test scenario for possible AD disaster. I have a simple isolated DR environment ready where I will duplicate my production environment for testing purposes.

We're talking about single domain with currently 4 highly available Domain Controllers (2x 2008 R2 and 2x 2012 R2). Forest/Domain functional level is 2012 R2.

My question is that what kind of realistic failure would be possible to simulate which would require a (non) authoritative restore from a backup?

Currently deletion of OUs, users or computers isn't much of an issue due to prevention of accidental deletion and the recycle bin. My environment is also pretty well delegated and there aren't many Domain Admins or other users with high privileges.

In theory the case could be a security breach where someone intentionally deletes stuff and a restore is required. The production environment is highly available between two data centers, so a simultaneous network/storage/server failure for all Domain Controllers is also highly unlikely. Also a single Domain Controller failure in a real-life scenario wouldn't easily cause any disturbance to authentication or other services provided by AD, as a single failed Domain Controller is easy to restore without DSRM.

Any suggestions to destroy the functionality for testing purposes?

Thanks!

event 4740 not being logged in security events


I have a 2012 R2 domain functional level DS infrastructure. As of right now, event 4740 (Account was locked out) is not being logged on the PDC emulator. I'm not sure what occurred, but I do know we were looking at doing something with the Default Domain Controllers GPO to enable some auditing in ACS, so it's possible that something got scrambled in there that caused this.

Here is output from auditpol:

Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

________________

I tried attaching a picture of the DDC policy but this page wouldn't allow me to.

I have looked at several articles in technet which seem to address this like: https://social.technet.microsoft.com/Forums/en-US/4ca48d92-1f85-40f2-b88c-4f6c4b616cf5/missing-event-4740-on-windows-server-2008-r2-domain-controllers?forum=winserversecurity& https://social.technet.microsoft.com/Forums/en-US/fabef911-0baf-4407-8ab9-2afc7b0e9eb8/dcs-not-auditing-locked-account-event-id-4740?forum=winserversecurity. I have tried what both have suggested to no avail. Any help you can provide is greatly appreciated, community :-).
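An added check, not part of the post above and not from the linked threads. The auditpol output shows Logon/Logoff > Account Lockout enabled, but 4740 ("A user account was locked out") is generated by the Account Management > User Account Management subcategory, which the same output shows as "No Auditing"; the Account Lockout subcategory only records the failed logon that tripped the lock. The script reads the effective setting of that subcategory on the PDC emulator (which records a 4740 for every lockout in the domain), the legacy-override switch, the GPO-delivered audit CSV, and then looks for any 4740 in the last day. It assumes the RSAT ActiveDirectory module and WinRM access to the PDCe.

```powershell
# Added example: is the PDC emulator configured to emit 4740, and has it emitted any?
Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator

$audit = Invoke-Command -ComputerName $pdce -ScriptBlock {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Effective setting as the LSA applies it, not what the GPO says it should be.
        # 4740 lives in this subcategory, not in Logon/Logoff > Account Lockout.
        UserAccountManagement       = (auditpol.exe /get /subcategory:"User Account Management") -join "`n"
        # 1 = subcategory (advanced) settings override the legacy nine categories.
        SCENoApplyLegacyAuditPolicy = $lsa.SCENoApplyLegacyAuditPolicy
        # Advanced audit policy delivered by GPO is staged in this file; empty or stale
        # means the Default Domain Controllers Policy is not delivering it.
        GpoAuditCsv                 = (Get-Content -Path "$env:SystemRoot\security\audit\audit.csv" -ErrorAction SilentlyContinue) -join "`n"
    }
}
$audit | Format-List

# Any 4740 at all in the last 24 hours? Fields are pulled by name from the event XML
# rather than by position, so the order of Properties[] does not matter.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -ComputerName $pdce -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'   # 4740 carries the caller's machine name here
        }
    }
```

If UserAccountManagement reports "No Auditing" while the GPO says otherwise, the GPO is not reaching the DC (gpresult /h on the PDCe shows which policy won); if it reports "Success" and there are still no events, trigger a lockout against a test account and read the log again before looking anywhere else.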


8524 The DSA operation is unable to proceed because of a DNS lookup failure.


I have newly dcpromo'ed a DC at the DR site to join our domain; after that I checked my DC event logs and found the errors shown below:

I also searched the web and many suggest that it's a CNAME or DNS issue. But I have no clue what exactly to check for CNAME or DNS. Please help.

Thanks

Kin

____________________________________________________________________________

The attempt to establish a replication link for the following writable directory partition failed.
Directory partition:
DC=domain,DC=local
Source directory service:
CN=NTDS Settings,CN=WN2QADDN1AP0001,CN=Servers,CN=WuHanDRSiteLink,CN=Sites,CN=Configuration,DC=domain,DC=local
Source directory service address:
b6bfd3d6-ea13-4b7c-bb0e-e0b8fde1d323._msdcs.domain.local
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local
 
This directory service will be unable to replicate with the source directory service until this problem is corrected.
 
User Action
Verify if the source directory service is accessible or network connectivity is available.
 
Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup failure.

___________________________________________________________________

Replication Summary

Replication Summary Start Time: 2016-08-04 18:30:32

Beginning data collection for replication summary, this may take awhile:

  .......

Source DSA          largest delta    fails/total %%   error

 HKSCADDNP1                43m:08s    0 /  10    0 

 HKSCADDNP2                43m:11s    0 /  10    0 

 HKSCADDNP3                44m:55s    0 /   5    0 

 WN2QADDN1AP0001     (unknown)        0 /   3    0 

Destination DSA     largest delta    fails/total %%   error

 HKSCADDNP1                43m:11s    0 /   8    0 

 HKSCADDNP2                44m:55s    0 /   5    0 

 HKSCADDNP3                37m:05s    0 /  10    0 

 WN2QADDN1AP0001           43m:09s    0 /   5    0 

 ___________________________________________________________________________
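An added example, not part of the post above. The "Source directory service address" in the 8524 event is the replication CNAME: the source DC's NTDS Settings objectGUID under _msdcs in the forest root zone, which must resolve to a CNAME and then to the DC's A record. This script checks the GUID against the source DC's actual NTDS Settings object, resolves the CNAME and the A record the way the destination DC would, and finishes with an RPC bind. The GUID and the DC name are taken from the event text; "domain.local" is the placeholder used in the post. It assumes the RSAT ActiveDirectory module and Resolve-DnsName (Windows Server 2012 or later), and should be run on the DC that logged the event so its own DNS client settings are what is tested.

```powershell
# Added example: resolve the 8524 source DSA address the way the destination DC does.
Import-Module ActiveDirectory

$sourceDc   = 'WN2QADDN1AP0001'
$forestRoot = 'domain.local'
$dsaGuid    = 'b6bfd3d6-ea13-4b7c-bb0e-e0b8fde1d323'

# 1. Does the GUID in the event match the source DC's NTDS Settings object?
$dcInfo = Get-ADDomainController -Identity $sourceDc
$ntds   = Get-ADObject -Identity $dcInfo.NTDSSettingsObjectDN -Properties objectGUID
"DSA GUID from AD    : $($ntds.objectGUID)"
"DSA GUID in event   : $dsaGuid"

# 2. Does <guid>._msdcs.<forest root> resolve, and to the address AD has for the DC?
$cnameName = "$dsaGuid._msdcs.$forestRoot"
$cname = Resolve-DnsName -Name $cnameName -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object QueryType -eq 'CNAME'
if (-not $cname) {
    "No CNAME for $cnameName. On $sourceDc run 'nltest /dsregdns' (or restart Netlogon) to re-register it, then check the zone on the DNS server this DC uses."
} else {
    $target = $cname.NameHost
    "CNAME               : $cnameName -> $target"
    $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'A'
    "A                   : $target -> $($a.IPAddress -join ', ')"
    "AD IPv4Address      : $($dcInfo.IPv4Address)"
}

# 3. A real RPC bind to the source: if this fails with 1722/1256 the problem is
#    past DNS (firewall, RPC dynamic ports, or the service itself).
repadmin /bind $sourceDc
```

A common reason for a fresh DR-site DC to hit this is that it points only at itself (or at a DR-local DNS server) before the _msdcs zone has replicated to it; checking the same CNAME with Resolve-DnsName -Server against a hub-site DNS server tells you whether the record exists at all or just has not reached the resolver this DC uses.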

Sysvol access problem


Hi,

We have a domain with 3 domain controllers. 2 are running on Windows Server 2008 R2 64-bit and one is running on Windows Server 2008 64-bit.

The sysvol NTFS has full control permission for DOMAIN\administrators.

The sysvol share has full control permission for DOMAIN\administrators.

When I try to edit a script on sysvol share with a user that is a member of DOMAIN\administrators, his access is denied. When I try the same with DOMAIN\administrator account it works.

The only anomaly I found is in DFS. When we added the DFS functionality to all three DC servers it took over sysvol replication (I think). I can't see the additional tabs for sysvol.

How to correct the problem with the permissions applying incorrectly?

I have pictures for attaching to this email but can't find a way to attach them.

andrej
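An added example, not part of the post above. "Full Control for Administrators at the share and on the NTFS root" does not rule out a Deny entry further down the path, a broken inheritance chain on the scripts folder, or a nested group the user carries that a Deny names. This walks from the script file up to the share root, lists every Deny ACE, and checks whether the SID it names is in the user's token (tokenGroups, so nested membership counts). The UNC path and user name are placeholders; it assumes the RSAT ActiveDirectory module and that your DC returns the constructed tokenGroups attribute through Get-ADUser (if it does not, fall back to Get-ADPrincipalGroupMembership, which shows direct membership only).

```powershell
# Added example: which Deny ACE on the SYSVOL path hits this user's token?
Import-Module ActiveDirectory

$scriptPath = '\\dc1\SYSVOL\example.local\scripts\logon.cmd'
$user       = 'jsmith'

# Every SID the user carries: the account itself plus nested group membership.
$tokenSids = @((Get-ADUser -Identity $user -Properties tokenGroups).tokenGroups | ForEach-Object { $_.Value }) +
             @((Get-ADUser -Identity $user).SID.Value)

function Get-DenyAcesOnPath {
    # Walks $Path upward while it still contains a share component (\\server\share...).
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string[]] $Sids)
    $p = $Path
    while ($p -match '^\\\\[^\\]+\\[^\\]+') {
        $acl = Get-Acl -Path $p
        foreach ($ace in ($acl.Access | Where-Object AccessControlType -eq 'Deny')) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            [pscustomobject]@{
                Path      = $p
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                HitsUser  = $Sids -contains $sid
            }
        }
        $p = Split-Path -Path $p -Parent
    }
}

Get-DenyAcesOnPath -Path $scriptPath -Sids $tokenSids | Format-Table -AutoSize

# Share permissions are a separate gate evaluated before NTFS; check on each DC.
net share SYSVOL
```

Run the share check on all three DCs: SYSVOL is served by whichever DC the client's DFS referral picks, so "works with Administrator, fails with another admin" can also mean the two sessions landed on different DCs with different share ACLs.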

different results for same AD query


Dear all,

During the last 6 weeks my users have been faced with a strange issue. I'm not clear where to start looking, as my queries of this forum and Google so far do not deliver adequate results.

If I query Active Directory in a customer's forest, I receive different results for properties from exactly the same queries. Usually we have Citrix StoreFront in place, and we grant permission based on a value usually stored in the user's "carLicense" property. I'm very sure that I do not have replication issues; as far as I can see from dcdiag/repadmin, replication is fine.

The problem first came up when some users reported problems with that application, but it looks like the issue is independent of an application, as I can also get the misleading result from PowerShell and dsa.msc as well.

If you query AD like that:

get-aduser Martin.gudel -Server somedomaincontroller -properties carlicense 

you will receive the default output including the "Enabled" property.

What you can see from the screenshot: in the 1st query there is also a return value Enabled = True as well as the carLicense property. The second query does not contain either of these properties. I especially wonder why Enabled = True is missing.

Any explanation for that? Thanks for any hints.

Regards,

Martin
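An added example, not part of the post above. When the same -Server query returns different answers, the fastest way to see whether it is one DC disagreeing (stale replica, RODC, a lingering object) or the client side is to read the object from every DC in one pass and line the answers up. Enabled is not stored as such; Get-ADUser derives it from bit 0x2 (ACCOUNTDISABLE) of userAccountControl, so that attribute is pulled raw too. The user name and carLicense come from the post; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: read one user from every DC and show which DC says what.
Import-Module ActiveDirectory

$sam = 'Martin.gudel'

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $sam -Server $dc.HostName -Properties carLicense, userAccountControl, whenChanged -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            ReadOnly    = $dc.IsReadOnly
            Enabled     = $u.Enabled                 # derived from userAccountControl bit 0x2
            UAC         = $u.userAccountControl
            carLicense  = ($u.carLicense -join ';')  # multi-valued attribute
            whenChanged = $u.whenChanged
        }
    } catch {
        [pscustomobject]@{
            DC = $dc.HostName; ReadOnly = $dc.IsReadOnly; Enabled = $null; UAC = $null
            carLicense = "ERROR: $($_.Exception.Message)"; whenChanged = $null
        }
    }
}
$rows | Sort-Object DC | Format-Table -AutoSize

# For a DC that differs, the object's replication metadata shows when, and from
# which DC, it last received the two attributes in question.
$dn = (Get-ADUser -Identity $sam).DistinguishedName
foreach ($dc in ($rows | Select-Object -ExpandProperty DC)) {
    "== $dc =="
    repadmin /showobjmeta $dc "$dn" | Select-String -Pattern 'carLicense|userAccountControl'
}
```

If every DC agrees and only one client sees the empty result, the difference is in the querying session (a different account with a Deny on those attributes, or a query that was actually served by a different domain or an AD LDS instance), not in the directory.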

Ensuring different passwords used on two separate but related domains without trust relationship; Comparing hashes?


For security reasons, we are dividing our education network into two segregated domains with no trust between them. We are going to impose more stringent security on the new staff domain and leave the existing domain as a teaching domain. Network will also be divided (connectivity between will be controlled by firewall).

The staff user identity will remain the same between the two domains (to support identification by systems such as printing that will support the name of the user without authentication and ignoring the UPN suffix/domain).

As teaching staff will be using both domains (in offices and in classrooms), we wonder if we can audit somehow to help ensure that each staff member is not using the same password on both domains. As there is no direct link between the domains I thought I might be able to schedule a script that might pull staff password hashes (or some equivalent value) from both domains and compare the values to see if any were the same in both domains?

Maybe I am coming at this from the wrong angle or maybe there just isn't a way. Any suggestions? Is this possible? Is it very unwise?

Windows 2012 R2
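An added example, not part of the post above. The comparison the post describes is possible because the NT hash is an unsalted MD4 of the UTF-16LE password: the same password produces the same hash in both domains. What should not happen is raw hashes leaving either domain. Each side instead computes HMAC-SHA256(sharedKey, NTHash) per user and only those keyed digests are brought together. This assumes the DSInternals module (its Get-ADReplAccount cmdlet, which reads secrets over the replication protocol) on a DC or hardened admin host in each domain, and an account holding "Replicating Directory Changes All" there. That right is exactly what DCSync abuses, so the host, the script output and the key must be treated like domain admin credentials, and the runs will show up as 4662 events for rightsGuid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2; tell whoever monitors for DCSync before running it. Domain names, OU and file names are placeholders.

```powershell
# Added example: cross-domain password reuse check on keyed digests, never on raw NT hashes.
Import-Module DSInternals

function Get-KeyedPasswordDigest {
    param(
        [Parameter(Mandatory)] [string]   $Server,          # a DC of the domain being read
        [Parameter(Mandatory)] [string]   $NetbiosDomain,   # e.g. STAFF or TEACH
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [Parameter(Mandatory)] [byte[]]   $SharedKey        # 32 random bytes, identical on both sides, never written to disk
    )
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$SharedKey)
    try {
        foreach ($sam in $SamAccountName) {
            $acct = Get-ADReplAccount -SamAccountName $sam -Domain $NetbiosDomain -Server $Server -ErrorAction SilentlyContinue
            if ($null -eq $acct -or $null -eq $acct.NTHash) { continue }   # no such account, or no NT hash stored
            $digest = ([System.BitConverter]::ToString($hmac.ComputeHash($acct.NTHash))) -replace '-'
            [pscustomobject]@{ SamAccountName = $sam; Digest = $digest }
        }
    } finally {
        $hmac.Dispose()
    }
}

function Compare-PasswordReuse {
    # Returns only the user names whose digests match; the digests are not reported.
    param([Parameter(Mandatory)] [string] $StaffCsv, [Parameter(Mandatory)] [string] $TeachingCsv)
    $teaching = @{}
    Import-Csv -Path $TeachingCsv | ForEach-Object { $teaching[$_.SamAccountName] = $_.Digest }
    Import-Csv -Path $StaffCsv |
        Where-Object { $teaching.ContainsKey($_.SamAccountName) -and $teaching[$_.SamAccountName] -eq $_.Digest } |
        Select-Object -ExpandProperty SamAccountName
}

# Usage: generate the key once, share it out of band, run one half in each domain.
#   $key = New-Object byte[] 32
#   [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
#   $staff = (Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=staff,DC=example').SamAccountName
#   Get-KeyedPasswordDigest -Server dc1.staff.example -NetbiosDomain STAFF -SamAccountName $staff -SharedKey $key |
#       Export-Csv -Path staff.csv -NoTypeInformation
#   (same on the teaching side into teaching.csv, with the same $key), then on either side:
#   Compare-PasswordReuse -StaffCsv staff.csv -TeachingCsv teaching.csv
```

Two caveats on the design. The key is what protects the CSVs: anyone holding both the key and a digest list can test password guesses offline (NT hash the guess, HMAC it, compare), so discard the key after each run and generate a fresh one next time. And the check is after the fact; if the goal is to stop reuse rather than report it, the place to enforce it is at password-change time with a password filter on the stricter domain's DCs, which never needs replication rights at all.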

how to do company attribute charecter lenth 250


Hi All ,

I want to make the company attribute for all my AD users 250 characters long.

Please check the attached screenshot; I want to change the maximum value from 64 to 250.
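An added example, not part of the post above. The 64-character limit is the rangeUpper value on the Company attribute's attributeSchema object, so the change is a schema edit: it needs Schema Admins membership, is written to the schema master, and replicates forest-wide to every DC. The script reads the current definition, sets rangeUpper to 250, forces the schema master to reload its schema cache, and reads it back. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example: raise rangeUpper on the Company attribute (lDAPDisplayName "company").
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

function Get-CompanyAttributeDefinition {
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=company))' `
        -Properties lDAPDisplayName, attributeSyntax, rangeLower, rangeUpper
}

$before = Get-CompanyAttributeDefinition
"Before: syntax=$($before.attributeSyntax) rangeLower=$($before.rangeLower) rangeUpper=$($before.rangeUpper)"
# attributeSyntax 2.5.5.12 is Unicode String, so rangeUpper is a character count.

Set-ADObject -Server $schemaMaster -Identity $before.DistinguishedName -Replace @{ rangeUpper = 250 }

# Make the schema master reload its schema cache now instead of at the next periodic refresh.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

$after = Get-CompanyAttributeDefinition
"After : rangeUpper=$($after.rangeUpper)"
```

Other DCs pick the new limit up as the schema partition replicates; until then a write of more than 64 characters against one of them is still rejected with a constraint violation, so test against the schema master first.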

Locked users are getting unlocked automatically without a trace


I have 2 users in a very specific OU that are locked on purpose, but for some reason they get unlocked on a daily basis and we do not know why. Yes, we do have many scripts running in Active Directory to perform many different functions, but if one of my scripts were at fault for unlocking the accounts, I would expect to see an event 4767 in the event viewer for these 2 users. I actually see event 4767 for other users.

The main question would be the following:
Besides event 4767, are there any other types of events that would unlock an account? All DCs are Windows 2008 servers.

Thanks,
any help is appreciated.
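An added example, not part of the post above. Two things explain a lockout disappearing without a 4767 on the DC you are watching. A lockout is a timed state: when the lockout duration in the effective password policy is anything other than 0 ("until an administrator unlocks"), it expires silently, with no event anywhere. And an administrative unlock is logged on the DC that processed it, so a 4767 can exist on another DC. The script reports the policy that actually applies to the account (a fine-grained policy wins over the domain default), the account's lockoutTime, and 4767/4738 for the account across every DC. The user name is a placeholder; it assumes the RSAT ActiveDirectory module and that Account Management auditing is on.

```powershell
# Added example: why does a deliberately locked account come back unlocked?
Import-Module ActiveDirectory

$sam  = 'user1'
$user = Get-ADUser -Identity $sam -Properties lockoutTime

# 1. Effective lockout policy. 00:00:00 means the lock stays until an admin clears it;
#    anything else (for example 00:30:00) clears it by itself with no event.
$policy = Get-ADUserResultantPasswordPolicy -Identity $sam
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
"LockoutDuration : $($policy.LockoutDuration)"
"lockoutTime     : $(if ($user.lockoutTime) { [DateTime]::FromFileTimeUtc($user.lockoutTime) } else { 'not locked' })"

# 2. Unlock (4767) and account-changed (4738) events for this user on every DC,
#    since each DC logs only the unlocks it processed itself.
$since  = (Get-Date).AddDays(-7)
$events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4767, 4738; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                Id      = $_.Id
                Target  = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                Subject = ($d | Where-Object Name -eq 'SubjectUserName').'#text'   # who did it
            }
        }
}
$events | Where-Object Target -eq $sam | Sort-Object Time | Format-Table -AutoSize
```

Whatever the cause turns out to be, a lockout is not an access control. If the intent is that these two accounts must not be usable, disable them (and watch for 4722, account enabled, instead); a disabled account does not expire and a script that merely clears lockoutTime will not bring it back.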

dcpromo remove domain controller 2008 R2 fails - could not transfer the remaining data in directory partition.


Most Domain Controllers are now Windows 2012
Forest and Domain functional level is Windows 2008 R2

---

Trying to dcpromo a Windows 2008 R2 domain controller down to member server and during dcpromo got a message:

The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition
DC=ForestDNSZones, DC=<domainname>,DC=org to
Active Directory Domain Controller \\DCNAME.domainname.org.

"The directory service is missing mandatory configuration
information, and is unable to determine the ownership of floating
single-master operation roles."

---

Running DCDIAG on the server - NCSecDesc fails
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=org

One of the TechNet articles says that adprep /rodcprep from Windows 2008 R2 needs to be run and would eliminate the NCSecDesc fail error.

Can I still run adprep /rodcprep even after Windows 2012 domain controllers have been added to the domain (which I understand changes the schema during insertion of Windows 2012 domain controller)?

What options do I have to resolve getting the Windows 2008 R2 domain controller dcpromo'ed down to member server?

Thanks,


F.Palacio
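An added example, not part of the post above. The NCSecDesc failure names a specific ACE: ENTERPRISE DOMAIN CONTROLLERS must hold the control access right DS-Replication-Get-Changes-In-Filtered-Set (rightsGuid 89e95b76-444d-4c62-991a-0facbeda640c) on each DNS application partition, and that is what adprep /rodcprep writes. Rather than re-run adprep blind, this reads the ACL of both partitions through the AD: drive and reports whether the ACE is there, and shows the dsacls equivalent for adding it. It assumes the RSAT ActiveDirectory module; the grant must be done as an Enterprise Admin.

```powershell
# Added example: check for the Replicating Directory Changes In Filtered Set ACE that NCSecDesc wants.
Import-Module ActiveDirectory

$filteredSetRight = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'
$edc              = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
$domainDn         = (Get-ADDomain).DistinguishedName
$forestRootDn     = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

function Test-FilteredSetAce {
    param([Parameter(Mandatory)] [string] $PartitionDn)
    $acl = Get-Acl -Path "AD:\$PartitionDn"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $edc -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $filteredSetRight -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    [pscustomobject]@{ Partition = $PartitionDn; HasFilteredSetAce = [bool]$ace }
}

Test-FilteredSetAce -PartitionDn "DC=DomainDnsZones,$domainDn"
Test-FilteredSetAce -PartitionDn "DC=ForestDnsZones,$forestRootDn"

# If either is False, this grants the same ACE /rodcprep would, per partition:
#   dsacls "DC=DomainDnsZones,$domainDn" /G "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:CA;Replicating Directory Changes In Filtered Set"
#   dsacls "DC=ForestDnsZones,$forestRootDn" /G "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:CA;Replicating Directory Changes In Filtered Set"
```

On the adprep question: /rodcprep only edits these ACLs and can be re-run at any time, but use the adprep from the newest media in the forest (the 2012 one here) rather than the 2008 R2 copy. Also worth doing before another demotion attempt: the partition it complains about is the one the DC could not hand off, so confirm with repadmin /showrepl that the target DC named in the error actually hosts DC=ForestDnsZones and replicates it successfully.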

Mismatched account name and security ID after changing AD account username


I'm a Linux admin covering for one of my colleagues on the Windows side, so apologies if the answer is obvious.

I recently changed a user's username in Active Directory due to a name change. For example, Jane Foo (username: jfoo) changed her name to Jane Bar (new username: jbar). I changed both the user logon name and the user logon name (pre-Windows 2000).

When I query the ADUser object in PowerShell, the distinguished name, name, and SamAccountName fields all reflect the new username.

However, the user is having problems logging into one of our web applications that uses AD credentials. When I look at the security logs I see events like the following (event ID 4624 [successful logon]):

New Logon: Security ID: EXAMPLEDOMAIN\jfoo Account Name: jbar Account Domain: EXAMPLEDOMAIN Logon ID: 0x3506bc09
Logon GUID: {00000000-0000-0000-0000-000000000000}

The username in the Security ID field still reflects the old name, and the web application isn't recognizing the new username.

How can I update the value of the Security ID?
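An added example, not part of the post above. The SID is the one identifier a rename does not touch, and the 4624 text does not contain a name in the Security ID field at all: it stores the SID and the viewer resolves it to a name at display time through the local LSA, which caches SID-to-name lookups, so a server that knew the old name can keep showing it. The script shows the account's SID, the two logon names the web application might key on (a rename in ADUC changes sAMAccountName and the UPN prefix separately), and what the SID resolves to both locally and on the web server. "jbar" is from the post; the web server name is a placeholder and the RSAT ActiveDirectory module plus WinRM to the web server are assumed.

```powershell
# Added example: the SID is unchanged; the name shown next to it is resolved by whoever displays the event.
Import-Module ActiveDirectory

$u   = Get-ADUser -Identity jbar -Properties userPrincipalName, sAMAccountName
$sid = $u.SID.Value

function Resolve-SidName {
    # Resolves a SID to DOMAIN\name on this machine, or on $ComputerName via WinRM.
    param([Parameter(Mandatory)] [string] $Sid, [string] $ComputerName)
    $sb = { param($s) ([System.Security.Principal.SecurityIdentifier]$s).Translate([System.Security.Principal.NTAccount]).Value }
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb -ArgumentList $Sid }
    else               { & $sb $Sid }
}

[pscustomobject]@{
    SID                 = $sid
    SamAccountName      = $u.sAMAccountName
    UserPrincipalName   = $u.userPrincipalName       # check this too: many web apps key on the UPN
    ResolvedHere        = Resolve-SidName -Sid $sid
    ResolvedOnWebServer = Resolve-SidName -Sid $sid -ComputerName 'webapp01'
}
```

If the web server resolves the SID to the new name but the application still fails, the application itself stored "jfoo" as its own user key and needs updating on its side; there is nothing in AD left to change.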


LDAP search string date to integer 8 question


I want to use the search string below to query all AD users who have changed their passwords since 8/8/2016 12:00:00 AM Mountain Standard Time. I cannot find a simple way to get the Integer8 value for this date; can anyone help?

(&(objectCategory=person)(objectClass=user)(pwdLastSet>=))
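An added example, not part of the post above. pwdLastSet is stored as a FILETIME: the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC. The only work is to convert the wall-clock time in the right zone to UTC first (8 August is in daylight time, and the Windows zone id "Mountain Standard Time" covers MDT as well), then read the FILETIME off it and drop it into the filter from the post. The filter and date are the post's; the RSAT ActiveDirectory module is assumed for the query at the end.

```powershell
# Added example: wall-clock time in a named zone -> Integer8 (FILETIME) -> LDAP filter.
function ConvertTo-Integer8 {
    param(
        [Parameter(Mandatory)] [datetime] $LocalTime,                      # wall-clock time in $TimeZoneId
        [Parameter(Mandatory)] [string]   $TimeZoneId                      # Windows id, e.g. 'Mountain Standard Time'
    )
    $tz  = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $loc = [DateTime]::SpecifyKind($LocalTime, [DateTimeKind]::Unspecified)  # "unspecified" so the zone rules are applied
    $utc = [TimeZoneInfo]::ConvertTimeToUtc($loc, $tz)
    $utc.ToFileTimeUtc()                                                   # 100-ns ticks since 1601-01-01 UTC
}

$int8   = ConvertTo-Integer8 -LocalTime ([datetime]'2016-08-08 00:00:00') -TimeZoneId 'Mountain Standard Time'
$filter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet>=$int8))"
$filter

Import-Module ActiveDirectory
Get-ADUser -LDAPFilter $filter -Properties pwdLastSet |
    Select-Object SamAccountName, @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
```

Accounts flagged "must change password at next logon" carry pwdLastSet = 0 and so fall out of a >= comparison on their own. Get-ADUser's -Filter also accepts a DateTime directly for this attribute (for example -Filter { pwdLastSet -ge $utc }); the Integer8 form is only needed when the filter has to be a raw LDAP string, as in the post.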

After migrating AD we are not able to login remote that DC servers

After migrating AD from 2008 to 2012 R2 we are not able to log in remotely to the DC servers. When trying RDP, the alert shows: "To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right. If the group you are in does not have this right, you need to be granted this right manually." However, this group has Domain Admins and Administrators membership and also has the Allow log on locally right, and still the error appears. If we try to log on from the console, the alert says the sign-in method is incorrect.

Problem creating a new forest/domain Server 2012 R2


After running Server Manager and setting up Active Directory, I removed AD from the only server in the domain. When I install AD again, I do not have the option to create a New Forest (without asterisks). There are no other existing domains or forests that I can find. Please HELP.  TIA

Daniel

Startup scripts do not execute - NETLOGON Event 5719


Startup scripts are not executing for any computer in our domain. On boot up, there is always a NETLOGON error -

This computer was not able to set up a secure session with a domain controller in domain<Name> due to the following: There are currently no logon servers available to service the logon request.

I have tried enabling the "Always wait for network at computer startup and logon" as well as adding a timeout of 60 seconds using the reg key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue, but these settings do not solve the problem.

My domain is configured with a NetBIOS name for the pre-Windows 2000 domain (e.g. FQDN areallylongdomain.com; pre-Windows 2000 domain name ARLD). Nothing resolves using the NetBIOS name (e.g. \\ARLD\SYSVOL) until a minute or more has passed on startup. I suspect this is why the startup scripts are not running. The NETLOGON error actually references the NetBIOS name in the text, not the FQDN.

Is there any way to continue using the abbreviated NetBIOS name as the pre-Windows 2000 domain name, but have the computers use the FQDN? The NetBIOS name unfortunately is used everywhere (it has caused a lot of other problems as well) and our users (over 500) know their user names as ARLD\username.

Alternatively, is there any way to have the pre-Windows 2000 domain name be resolvable immediately? I am not sure what causes the delay. Other NetBIOS names can be resolved pretty much immediately, though I think that may be because of the DNS suffix.

Obviously I'm open to other suggestions as well.


ADAMSYNC - Disabled Users


I am looking to see if there is a way to remove/delete newly disabled user objects as you can with isDeleted in Object-Filtering.

We have a somewhat long disable to terminate process and would like to remove user objects from AD LDS that have been disabled in Active Directory.

I have seen where you can set Object-Filtering not to sync disabled users, but if a user is enabled, then sync'ed to AD LDS, then that user is set to disable, can you use the sync process to have that user deleted from AD LDS?

Chris

How to verify SID compression is disabled?

Hello,

We're about to upgrade a customer's Domain Controllers from WS2008R2 to WS2012R2.

Customer has lots of file shares on QNAP (NAS) and Windows Server 2003 file servers.

I'm aware that after deploying the first WS2012R2 Domain Controller, the KDC begins to issue Kerberos tickets with group SIDs compressed, and some NAS systems and 2003 servers do not understand them, causing access denied failures for users.

I have followed Method 2 in here to disable SID compression https://support.microsoft.com/en-us/kb/2774190

Can I somehow verify from Domain Controller that group SIDs in service tickets are no longer compressed?
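An added example, not part of the post above. Nothing on the DC exposes the contents of a service ticket it has issued: the PAC, where the resource groups live, is encrypted under the service's key, so a capture of the KRB_TGS_REP does not show whether compression was used either. What can be verified from the DC is the state of the two switches that turn resource SID compression off, and then a functional test from a client. The per-service switch is bit 0x80000 in msDS-SupportedEncryptionTypes on the service's account; the KDC-wide one is the DisableResourceGroupsFields value under HKLM\SYSTEM\CurrentControlSet\Services\Kdc on every 2012 or later DC. Both names are given here as I read KB2774190; confirm them against the article before relying on this. The NAS account name is a placeholder; the RSAT ActiveDirectory module and WinRM to the DCs are assumed.

```powershell
# Added example: read back both resource-SID-compression switches.
Import-Module ActiveDirectory

$serviceAccount = 'QNAP01$'    # computer (or service) account the NAS / 2003 server authenticates as

# Per-service switch on the account that owns the SPN the tickets are issued for.
$acct   = Get-ADObject -LDAPFilter "(sAMAccountName=$serviceAccount)" -Properties msDS-SupportedEncryptionTypes
$etypes = [int]($acct.'msDS-SupportedEncryptionTypes')
[pscustomobject]@{
    Account                  = $serviceAccount
    SupportedEncryptionTypes = ('0x{0:X}' -f $etypes)
    SidCompressionDisabled   = [bool]($etypes -band 0x80000)
}

# KDC-wide switch on each DC that can issue compressed tickets (2012 and later).
Get-ADDomainController -Filter * | Where-Object OperatingSystem -match '2012|2016|2019|2022' | ForEach-Object {
    $v = Invoke-Command -ComputerName $_.HostName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue).DisableResourceGroupsFields
    }
    [pscustomobject]@{ DC = $_.HostName; DisableResourceGroupsFields = $v }
}
```

For the functional check, pick a test user who is a member of a large number of groups, run klist purge on a workstation, then klist get cifs/<nas name> and open the share; the ticket that fails is the one to compare before and after the change. Keep the tickets issued before the switch in mind: a service ticket already cached on a client keeps its old PAC until it is purged or expires.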

error (1256)


Hi

I have DFL and FFL 2k8 r2 and I have around 57 DCs in my environment running over 2k8 and 2k12 operating systems.

Now I see the errors below from the PDC to other DCs in replsum.

####################

S01DC01       15d.11h:16m:31s    5 /   5  100  (1256) The remote system is not available. For information about network troubleshooting
E02DC01       40d.17h:46m:42s    5 /   5  100  (1256) The remote system is not available. For information about network troubleshooting
U08DC01       24d.05h:12m:27s   40 /  70   57  (1722) The RPC server is unavailable.
DC01       53d.20h:37m:08s    5 /   5  100  (1256) The remote system is not available. For information about network troubleshooting

58 DC1

58 DC2

58 RODC1

#################

I checked with PortQry which of the ports below are not listening.

Starting portqry.exe -n 192.168.0.1 -e 88 -p BOTH ...
Querying target system called:
192.168.0.1
Attempting to resolve IP address to a name...
IP address resolved to dc03.contoso.com
querying...
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n 192.168.0.1 -e 88 -p BOTH exits with return code 0x00000002.

Starting portqry.exe -n 192.168.0.1 -e 137 -p UDP ...
portqry.exe -n 192.168.0.1 -e 137 -p UDP exits with return code 0x80000003.

Starting portqry.exe -n 192.168.0.1 -e 138 -p UDP ...
Querying target system called:
192.168.0.1
Attempting to resolve IP address to a name...
IP address resolved to dc03.contoso.com
querying...
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n 192.168.0.1 -e 138 -p UDP exits with return code 0x00000002.

Starting portqry.exe -n 192.168.0.1 -e 42 -p TCP ...
Querying target system called:
192.168.0.1
Attempting to resolve IP address to a name...
IP address resolved to dc03.contoso.com
querying...
TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n 192.168.0.1 -e 42 -p TCP exits with return code 0x00000001.

Is this issue related to ports ?
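An added example, not part of the post above. None of the ports in the PortQry output decide this: 42 is WINS replication and 137/138 are NetBIOS name/datagram services, and AD replication uses neither. What a replication partner needs from the PDC's point of view is name resolution, the RPC endpoint mapper on 135, and then a dynamic RPC port (49152 to 65535 by default on 2008 and later) that the mapper hands back; a firewall that allows 135 but not the dynamic range produces exactly 1722, and a partner that is not reachable or resolvable at all gives 1256. The script tests resolution and the fixed ports against each failing partner and finishes with repadmin /bind, which performs the real endpoint-mapper handoff and bind. Partner names come from the replsum output in the post; the port list is mine. Test-NetConnection needs Windows Server 2012 R2 or later on the machine running it (use portqry on 2008).

```powershell
# Added example: test what replication actually needs against each failing partner.
$partners = 'S01DC01', 'E02DC01', 'U08DC01', 'DC01'

$required = @(
    @{ Port = 53;  Name = 'DNS' },
    @{ Port = 88;  Name = 'Kerberos' },
    @{ Port = 135; Name = 'RPC endpoint mapper' },
    @{ Port = 389; Name = 'LDAP' },
    @{ Port = 445; Name = 'SMB (SYSVOL/DFSR)' }
)

function Test-ReplicationPartner {
    param([Parameter(Mandatory)] [string] $Partner)
    # Name resolution first; a partner that does not resolve shows up as 1256, not as a port problem.
    $ip = (Resolve-DnsName -Name $Partner -Type A -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'A').IPAddress -join ','
    foreach ($r in $required) {
        $t = Test-NetConnection -ComputerName $Partner -Port $r.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Partner = $Partner; IP = $ip; Port = $r.Port; Service = $r.Name; Open = $t.TcpTestSucceeded }
    }
}

$partners | ForEach-Object { Test-ReplicationPartner -Partner $_ } | Format-Table -AutoSize

# repadmin /bind asks the endpoint mapper for the DRS interface's dynamic port and
# binds to it; this is the step a "135 only" firewall rule breaks.
foreach ($p in $partners) { "== $p =="; repadmin /bind $p }
```

If /bind succeeds from the PDC but replsum still shows the partner failing for weeks, the failure is stale rather than current; repadmin /replicate against that partner will either clear it or return the live error, and a partner that has been unreachable longer than the tombstone lifetime needs to be removed and re-promoted rather than reconnected.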

Windows Server Gurus, step up and be known!



August Gurus step up and show us your knowledge on the latest and the greatest technologies Microsoft have to offer! And for your efforts, eminent leaders in your technology will evaluate your contributions and award real virtual medals! You Share and we Care!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

June's mighty winners and contenders!

Sharing is Caring!
Chen V


Regards Chen V [MCTS SharePoint 2010]

Router


Hi

We have 50 systems and 4 laptops in our office. All systems are using the internet connection. I want to buy a new router for this setup. Please help me choose the best router.
