Channel: Directory Services forum

Allow log on locally Right for Enterprise Domain Controllers


Hello together

When upgrading Active Directory from Windows 2003 / 2008 to 2012 R2, I've seen a difference in the GPO for "Default Domain Controller Policy":

The Group ENTERPRISE DOMAIN CONTROLLERS is not listed in the "log on locally" right for this Policy. (See Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally)

In "CIS Microsoft Server 2012 R2 Benchmark" (p. 53) it's listed to secure Domain Controllers by defining only Administrators and ENTERPRISE DOMAIN CONTROLLERS.

Can someone explain why a Domain Controller needs the right to log on locally?

We haven't set this right, and haven't had any issues so far.

Thanks for some explanation.

Kind Regards:

Daniel


Can't reset AD password IISADMPWD or OWA


Hi,

I'm the new server admin at my job, and we have a problem with our webpage to reset passwords.  Users go there when their password is about to expire.  Three months ago, with the old server admin, OWA and IISADMPWD worked well.  Right now none of the solutions work; one change that was done in this time was enforcing a password policy in Active Directory Administrative Center.  I created a new password setting with a lower number (lower number = higher priority).  In this password setting none of the checkboxes are checked.  The users that are assigned this password policy can't change their password online either.  So it doesn't seem to be the cause.

The first solution that worked 3 months ago was IISADMPWD.  When I try to reset a password with this I have the error: -2147023631.  On the internet I don't find any valuable information to help me.  It is a Windows Server 2008 R2 64-bit.  I double-checked all the info around IISADMPWD; everything seems fine.  In the log of IIS, I don't have any valuable info either.  Is there any log that can give me good information around this?

The second solution is OWA.  When the password was expired, it worked well.  Right now it detects if the password is expired or not; if it is, it redirects me to a page to change the password, and again it doesn't work.  The error message is "the username or password entered is not correct, try again ...".  I tried to find some log around, but without success too.

So right now I don't know where to search to find the problem.  Do you have any idea?

Thanks



CA server issues


Hi there, 

I am running 2012 R2 servers. And lately on a newly added DC, I've been getting the SChannel error ID 36886.
Existing DC is getting event ID 10028 

So I looked under my Trusted Root Certificate Authorities. Of the two CAs that I have, one is dead but expired at 2017, and one is working but expired in 2015 already, so does that mean I have no CA that's running?

How do I go about removing the dead CA from Domain?  For the one that's expired, can I introduce another new CA server and just simply remove the role of this expired one? 

Thanks! 


No DNS servers configured for local system.


I have 2 DC's in my domain. dc1 and dc2.  DC2 is PDC.

Seemingly randomly, all network shares on dc1 become inaccessible.  (I should note that if nobody is on, like the weekend, there is no problem).  The only messages I get in the event log are

1. Dynamic registration or deregistration of one or more DNS records failed
with the following error:  No DNS servers configured for local system.

2.  The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed...

This domain has been around since 2007, and it just recently started this.  Might have to do with removing a DC, but I took it completely out of DNS, Sites and Services, ntdsutil, etc.  There are no vestiges of it left anywhere I can find.  DCDIAG runs clean, with no failures.

I thought I had error #2 above solved last week, but it is back.

Pulling my hair out.  Any help is appreciated.

Your System Administrator Has Blocked This Program. For more information contact your system administrator


Hi,

We have a single Windows 2012R2 RDS server with Xenapp 7.6 installed.

Dropbox is installed on the server but when trying to run it under the account that installed it the following error message comes up:

Your System Administrator Has Blocked This Program. For more information contact your system administrator

The following policies have been applied to disable UAC

User Account Control: Admin Approval Mode for the Built-in Administrator  - Disabled

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop - Disabled

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - Elevate without prompting

User Account Control: Run all administrators in Admin Approval Mode - Disabled

The user is a member of the local admin group, as are other users. Other members of this group which are in the same OU can launch Dropbox without the error. We renamed the profile to .old to see if it was a profile thing, but when we renamed the profile directory it keeps logging in with a temporary profile.

Any assistance would be greatly appreciated.

Thanks

SID still showing in security of a folder after deleting the user from AD


I have a 2003 domain with a DC and two ADCs and a file server.

There are a lot of folders on my file server and permissions differ from user to user, so we give security permissions to individual user IDs based on the requirement.

When a user quits the organisation we normally disable the ID and then delete it after some time.

Now the problem here is that, as we have deleted the user IDs, the permissions on the file server are showing SIDs instead of user names. So is there any easy way to clean up this mess and remove all the unresolved SIDs?

This was practiced by the old admins and I am given the task of cleaning the mess.

Suggest me some easy and reliable way to get out of this.

Thanks
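An added PowerShell example, not the poster's own script, that does the cleanup described above: it walks a folder tree, reports every explicit ACE whose identity is a domain SID (S-1-5-21-...) that no longer resolves to an account, and removes those entries only when -Remove is given. It needs PowerShell 3.0 or later on the file server (no AD module required) and an account that can read and, for -Remove, change permissions. The share path D:\Shares is a placeholder. Run it while the domain controllers are reachable, because a SID that cannot be translated for lack of a DC would otherwise look orphaned too.

```powershell
# Added example, not the poster's own script. Lists ACEs on a folder tree whose identity is
# an unresolvable domain SID (a deleted account) and removes them only when -Remove is given.
function Remove-OrphanedSidAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. D:\Shares (placeholder)
        [switch] $Remove                          # without it the function only reports
    )

    # True only for SIDs in the domain-account range (S-1-5-21-...) that no longer translate.
    # Well-known and capability SIDs (S-1-15-3-...) are skipped so they are never "cleaned up".
    function Test-OrphanedSid([System.Security.Principal.IdentityReference] $Identity) {
        if ($Identity -isnot [System.Security.Principal.SecurityIdentifier]) { return $false }
        if ($Identity.Value -notlike 'S-1-5-21-*') { return $false }
        try { $null = $Identity.Translate([System.Security.Principal.NTAccount]); return $false }
        catch { return $true }
    }

    # The root folder plus every sub-folder; files inherit from these in the usual layout.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Inherited entries cannot be removed here; they are fixed at the parent where they are explicit.
        $orphans = @($acl.Access | Where-Object {
            -not $_.IsInherited -and (Test-OrphanedSid $_.IdentityReference)
        })
        foreach ($ace in $orphans) {
            [pscustomobject]@{
                Path   = $dir.FullName
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
            if ($Remove) { $null = $acl.RemoveAccessRule($ace) }
        }
        if ($Remove -and $orphans.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($dir.FullName, "remove $($orphans.Count) orphaned ACE(s)")) {
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        }
    }
}

# Report first; add -Remove (and -WhatIf to rehearse) once the report looks right.
Remove-OrphanedSidAce -Path 'D:\Shares' | Format-Table -AutoSize
```

Keep the report output from the first run: it is the only record of which deleted account held which rights, and it is what you will want if someone later asks why a folder became accessible or inaccessible.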

Searching Active Directory Objects with C#


I'm writing some code in C# to search through some active directory users and return the userprincipal and I'm having trouble returning the results I want.  I'm trying to return all the xx* users from active directory and that works fine, what I'm having trouble with is I want to return those users but exclude the ones ending in _c.  I came across an MSDN page for search filter syntax here,

http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

And I'm trying to adapt those examples to my needs. 

I currently have,

(&(objectCategory=person)(objectClass=user)(un=xx*)(!(cn=_c)))

and on the page surname is expressed as "sn" so my question is how is username (SamAccountName, Logon name, Account name, whatever you want to call it) expressed in this manner?  Clearly it isn't "un" as that isn't working.
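The logon name attribute is sAMAccountName (userPrincipalName holds the user@domain form). Note also that `(!(cn=_c))` has no wildcard, so it excludes only an object whose cn is exactly `_c`; "ends in _c" is written `(sAMAccountName=*_c)`. The following is an added PowerShell example, not code from the original post, that builds the corrected filter and runs it with Get-ADUser; the filter string is plain LDAP syntax and can be passed unchanged to a System.DirectoryServices.DirectorySearcher in C#. `xx` and `_c` are the values from the question.

```powershell
# Added example, not from the original post. Builds the LDAP filter with the real
# attribute name (sAMAccountName) and a leading wildcard for the "ends in _c" exclusion.
Import-Module ActiveDirectory

$prefix = 'xx'   # values from the question; adjust as needed
$suffix = '_c'

# Trailing wildcard (xx*) = "starts with"; leading wildcard (*_c) = "ends with".
# If these values ever come from user input they must be escaped per RFC 4515
# (the characters * ( ) \ and NUL); the two literals above contain none.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$prefix*)(!(sAMAccountName=*$suffix)))"

Get-ADUser -LDAPFilter $ldapFilter -Properties sAMAccountName, userPrincipalName |
    Select-Object sAMAccountName, userPrincipalName |
    Sort-Object sAMAccountName
```

If the intent was to exclude names whose UPN prefix ends in `_c`, replace the last clause with `(!(userPrincipalName=*_c@*))`.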



How to query users activity in the domain

Hi,

I would like to know if there is a way to query users' logon and logout activity.

For example:

Can I see when and which users were logged in to the domain, on which client and for how long they were connected until they logged out?

Thanks,

Hadar
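A domain controller's Security log records authentications (4624 network logons, Kerberos 4768/4769) but not how long a user sat at a workstation; the session length comes from the client's own Security log, where 4624 (logon) and 4634/4647 (logoff) share a TargetLogonId. The following is an added PowerShell example, not from the original post, that pairs those events for one computer and reports the duration. It assumes "Audit Logon" and "Audit Logoff" success auditing is enabled on the client (it is not by default on workstations) and that the caller can read the remote Security log; PC01 is a placeholder computer name.

```powershell
# Added example, not from the original post. Pairs interactive logon events (4624) with
# the matching logoff (4634/4647) in a computer's Security log and reports the duration.
function Get-LogonSessionReport {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $StartTime    = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $StartTime }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

    $sessions = @{}
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        # Pull the EventData name/value pairs out of the event XML.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        switch ($e.Id) {
            4624 {
                # Types 2 (console), 10 (RDP) and 11 (cached credentials) are real user sessions;
                # type 3 is network access and would flood the report. Skip computer accounts (name$).
                if (($data.LogonType -in @('2', '10', '11')) -and ($data.TargetUserName -notlike '*$')) {
                    $sessions[$data.TargetLogonId] = [pscustomobject]@{
                        User       = "$($data.TargetDomainName)\$($data.TargetUserName)"
                        Computer   = $ComputerName
                        LogonType  = $data.LogonType
                        LogonTime  = $e.TimeCreated
                        LogoffTime = $null
                        Duration   = $null
                    }
                }
            }
            default {
                # 4634 / 4647 carry the same TargetLogonId as the 4624 that opened the session.
                $s = $sessions[$data.TargetLogonId]
                if ($s -and -not $s.LogoffTime) {
                    $s.LogoffTime = $e.TimeCreated
                    $s.Duration   = $e.TimeCreated - $s.LogonTime
                }
            }
        }
    }
    # Sessions still open (no logoff yet) come out with an empty LogoffTime.
    $sessions.Values | Sort-Object LogonTime
}

Get-LogonSessionReport -ComputerName 'PC01' | Format-Table -AutoSize
```

For 150 clients this is better fed by forwarding the Security logs to a collector (Windows Event Forwarding) and running the same pairing over the forwarded log than by querying each machine over RPC.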


FQDN vs NetBIOS domain name at logon screen when using Remote Desktop


This question was asked but never satisfactorily answered back in 2011:

FQDN vs NetBIOS domain name at logon screen

I am seeing the same behavior as the original poster: both FQDN and NetBIOS domain names appear on the logon screen at different times.  In my case, I want to ALWAYS show the NetBIOS (short) name.

I believe the behavior may change if Remote Desktop is used: when logging in remotely, I ALWAYS see the FQDN, even if I specify the NetBIOS name at logon time.

Anyone have any thoughts on this?

Complexity Password: Restrict words in user passwords


Hello everyone, good afternoon,

this is because I have a query regarding user passwords:

As a result of an audit, it was observed that most users use a password that includes the domain.

For example:

We have used the domain ABC.com

Password used for users: abc2010. or Abc3000. etc.

Can you block the use of the domain name or certain words within the password? Is this possible natively by GPO or some configuration level in AD DS?

Thanks!

Best Regards!

sysvol folder size 1.5 GB defragment your size?

Sysvol folder size is 1.5 GB; defragment its size? My infrastructure is 10 domain controllers; it should not weigh so much?

AD integrated DNS fails after primary down and client cannot use alternate DNS


Currently, I have two servers 2k12 running AD integrated dns. They're both replicating well with each other. some of my clients use a static IP address.

- Primary server: primary.contoso.net 192.168.100.1

- Secondary server: secondary.contoso.net 192.168.100.2

- Client: 192.168.100.33, preferred DNS 192.168.100.1 / alternate DNS 192.168.100.2

After the primary was down, my client could not nslookup until I moved the alternate DNS (192.168.100.2) to preferred DNS.

Any solution on how to automatically let the clients know the secondary DNS server when the primary is down?

Any advice,

Thanks with Regards,

Sunsami MAO

Install-AdServiceAccount : Unable to contact the server.


Hi. I have two Windows Server 2012 R2 installed in test network.

Now, I would like to configure a service as an MSA.

I have created MSA on DC.

Import-Module ActiveDirectory


New-ADServiceAccount -Name MSA1 -RestrictToSingleComputer -Enabled $True


Add-ADComputerServiceAccount -Identity TargetServer -ServiceAccount MSA1

On the target server I installed the Active Directory Windows PowerShell module and .NET Framework 3.5,

but when I try to run

Install-ADServiceAccount -Identity MSA1

it shows me this error

Install-AdServiceAccount : Unable to contact the server. This may be because this server does not exist, it is

currently down, or it does not have the Active Directory Web Services running.


I have googled this problem but with no success.

Thank you!
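The error text names the usual causes: the member server cannot find a DC that offers Active Directory Web Services (ADWS), or TCP 9389 (the ADWS port) is blocked between them. The following is an added PowerShell example, not from the original post, to run on the target server before retrying; it checks each of those conditions and then installs and tests the account. MSA1 is the account name from the question; the DC name is discovered at run time.

```powershell
# Added example, not from the original post. Checks the things the error message names
# (a reachable DC, the ADWS service on it, TCP 9389 open) before retrying the install.
Import-Module ActiveDirectory

# Ask the locator for a DC that advertises ADWS; this fails outright if none does.
$dc = (Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop).HostName | Select-Object -First 1
"Using DC: $dc"

# ADWS must be running on that DC; every AD module cmdlet talks to it.
Get-Service -Name ADWS -ComputerName $dc | Select-Object MachineName, Status

# Port 9389 is the ADWS port; a firewall between member server and DC must allow it.
Test-NetConnection -ComputerName $dc -Port 9389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Retry the install, then verify the host can actually use the account.
Install-ADServiceAccount -Identity 'MSA1'
Test-ADServiceAccount  -Identity 'MSA1'
```

If Test-ADServiceAccount returns False after a successful install, check that Add-ADComputerServiceAccount on the DC was run for the correct computer object and that the server has rebooted or re-read its Kerberos tickets since.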


IPv4 and IPv6 in Dualstack for ADDS - prefer IPv4

Hi @all,



I have 2 datacenters, which were both behind a NAT Router connected via site2site VPN.

Now I've got IPv6 and IPv4 enabled through my ISP in a real dual-stack configuration. This means I have a real IPv4 and a real IPv6 address.

With only IPv4, the domain controllers replicated through IPv4 and there was no problem at all.

Now, since I have IPv6 assigned to both sites, they want to communicate via IPv6 preferably, but cannot since there is no DirectAccess or anything configured, and my domain controller replication is currently not running.



Is there a switch available to tell the domain controllers to communicate via IPv4 preferably?

cheers,

Matthias
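Windows chooses between IPv4 and IPv6 with its prefix policy table, and the documented DisabledComponents registry value (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters) has a bit, 0x20, that makes IPv4 win that choice without disabling IPv6. The following is an added PowerShell example, not from the original post, that sets only that bit on the local machine; run it on each domain controller and reboot. It does not stop the DCs from registering AAAA records, so if the IPv6 path between the sites is simply unreachable, the VPN or firewall still needs fixing for any service that is only offered over IPv6.

```powershell
# Added example, not from the original post. Makes Windows prefer IPv4 over IPv6 in address
# selection by setting bit 0x20 of DisabledComponents ("prefer IPv4 over IPv6 in prefix
# policies"). IPv6 stays enabled. Reboot afterwards; run on every DC involved.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$name = 'DisabledComponents'

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 0 }

# Bitwise OR keeps any bits an administrator already set. 0xFF (IPv6 off except loopback)
# is deliberately not used: it is a different, heavier setting than "prefer IPv4".
$desired = $current -bor 0x20
if ($desired -ne $current) {
    Set-ItemProperty -Path $key -Name $name -Value $desired -Type DWord
}
'{0}: 0x{1:X} -> 0x{2:X} (reboot required for the change to take effect)' -f $name, $current, $desired

# After the reboot the IPv4-mapped prefix ::ffff:0:0/96 should carry a higher precedence
# than ::/0 in the active prefix policy table.
netsh interface ipv6 show prefixpolicies
```

Check replication afterwards with `repadmin /replsummary`; if it still fails, the problem is the transport between the sites rather than address selection.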



DFS Commands for day to day activites


Hi,

Please share few DFS commands  for administration /troubleshooting purpose 
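An added example, not from the original post: a short day-to-day DFS check script using the DFSN and DFSR PowerShell modules that ship with the DFS management tools on Windows Server 2012 R2. Every namespace, replication-group, folder and server name in it is a placeholder to replace with your own.

```powershell
# Added example, not from the original post. Day-to-day DFS Namespace and DFS Replication
# checks; all names below are placeholders.
Import-Module DFSN, DFSR

$namespace = '\\contoso.com\Shares'   # placeholder namespace root
$rg        = 'Shares-RG'              # placeholder replication group
$folder    = 'Shares'                 # placeholder replicated folder
$srcMember = 'FS01'                   # placeholder member servers
$dstMember = 'FS02'

# --- Namespace (DFS-N): root, folders and where each folder points ----------------------
Get-DfsnRoot -Path $namespace | Select-Object Path, State, Type
Get-DfsnFolder -Path "$namespace\*" | Select-Object Path, State
Get-DfsnFolder -Path "$namespace\*" | Get-DfsnFolderTarget |
    Select-Object Path, TargetPath, State

# --- Replication (DFS-R): group, members, connections ------------------------------------
Get-DfsReplicationGroup -GroupName $rg | Select-Object GroupName, State
Get-DfsrMembership      -GroupName $rg | Select-Object ComputerName, FolderName, ContentPath, Enabled
Get-DfsrConnection      -GroupName $rg | Select-Object SourceComputerName, DestinationComputerName, Enabled

# Backlog in both directions: a count that keeps growing is the usual first sign of trouble.
Get-DfsrBacklog -GroupName $rg -FolderName $folder -SourceComputerName $srcMember -DestinationComputerName $dstMember -Verbose
Get-DfsrBacklog -GroupName $rg -FolderName $folder -SourceComputerName $dstMember -DestinationComputerName $srcMember -Verbose

# What the DFSR service on a member is doing right now, and a health report for the group.
Get-DfsrState -ComputerName $srcMember
Write-DfsrHealthReport -GroupName $rg -ReferenceComputerName $srcMember -Path 'C:\Temp'
```

The older command-line tools still work alongside these: `dfsutil` for namespaces and `dfsrdiag backlog` for replication backlog.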



Active Directory Certificate Services Setup Error: RPC Server not available


Hi Guys,

I installed the ADCS and tried to request a certificate in the configuration setup.

I chose sending the certificate request to the superordinate CA by computer name, but I get an error (RPC server is not available. 0x800706ba (win32:1722 RPC_S_Server_unavailable)).

I can't choose sending the certificate request to the superordinate CA by CA name because the root is not in the domain.

I know I could choose the option by .req data, but I need to know why the error occurs if I try by computer name.

Btw. It's a subordinate business ca

Greetings Waidm4nn


Logon to domain takes a few minutes


Hello,

I have 2 domain controllers (WS 2012 R2) and around 150 Win 10 Edu hosts. I have one domain, and when it was set up about 6 months ago, login to the domain took a few seconds. Now it takes from 30 sec to even 10 min (!!). I have no roaming profiles, all files are saved on the local machine, and very few GPO policies (but I have tried with a clean host with no GPOs, and got the same result).

Any ideas why it takes so long to login? I'm writing user/pass, press enter and it takes and takes.

//logging into servers (also in DC) takes like 2 sec.

Query about Domain Controller Reimaging to different Hypervisor


HI,

I have a requirement where I need to reimage the existing DC (Test1), as the hypervisor for this DC is getting decommissioned, and I will be imaging a new machine with the same name (Test1) on the new hypervisor.

So my query is what all steps need to be followed in this case. The DC (Test1) is holding all FSMO roles?

I hope I need to transfer all the FSMO roles to the partner DC and run the dcpromo command on Test1 to make it a member server, and also remove the DNS entry too. Then set up the new DC and transfer all the roles from the partner DC to here.

Is that correct ? Can anyone correct me if I am wrong ?
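An added PowerShell example, not from the original post, showing the cmdlet form of the steps described: check where the roles are, transfer (not seize) all five to the partner while Test1 is still healthy, confirm replication, demote Test1 gracefully, and later move the roles back. On 2012 R2 dcpromo.exe only prints a deprecation notice; Uninstall-ADDSDomainController (or Server Manager) is the demotion path. PartnerDC and Test1 are the names from the question; run as Enterprise Admin on a DC.

```powershell
# Added example, not from the original post. FSMO transfer and graceful demotion for the
# rebuild described in the question. PartnerDC / Test1 are the question's names.
Import-Module ActiveDirectory
$allRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# 1. Where are the roles now? (forest-level and domain-level)
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Transfer all five to the partner while Test1 is still online and healthy.
#    A transfer needs both DCs up; seizing (-Force) is only for a DC that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity 'PartnerDC' -OperationMasterRole $allRoles -Confirm:$false

# 3. Make sure nothing is waiting to replicate off Test1 before it is demoted.
repadmin /replsummary
repadmin /showrepl PartnerDC

# 4. On Test1: graceful demotion. This removes the NTDS settings, DNS SRV records and
#    the server object itself, so no metadata cleanup is needed afterwards.
Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password') -Confirm:$false

# 5. Verify Test1 is gone from the directory and from DNS before reusing the name.
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperationMasterRoles
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$((Get-ADDomain).DNSRoot)" -Type SRV

# 6. After the rebuilt Test1 is promoted again, move the roles back the same way:
# Move-ADDirectoryServerOperationMasterRole -Identity 'Test1' -OperationMasterRole $allRoles -Confirm:$false
```

If Test1 is also a global catalog or a DNS server that clients point at, move those dependencies (GC advertisement, client DNS settings) to the partner before step 4 as well.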

Active Directory Forest recovery and Global Catalogue removal issue


Hello,

I work for a big international company with multi AD domains in one forest.

I am currently testing/validating the forest recovery process written by Microsoft in an isolated lab.

It says to restore one DC of each domain starting by the root domain in an isolated network or with the network cable unplugged.

Once restored I have to remove the global catalogue in order to avoid lingering objects. When I do so, my isolated DC has no more GC to contact when it needs to authenticate a user's logon.

The problem is that in the doc they ask to reboot, so when I reboot I can no longer log on to the DC, and doing a DSRM boot I can't re-add the GC role?!!

Even in the MS white paper they say to remove the GC role on the isolated DC. When I re add it I have errors like this:

Event Type: Information
Event Source: NTDS Replication
Event Category: Global Catalog
Event ID: 1110
Date: 19/10/2009
Time: 10:23:31
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ADMGT04
Description: Promotion of this domain controller to a global catalog will be delayed for the following interval.
Interval (minutes): 30

This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.

So is it actually possible to remove the GC role on an isolated DC when restoring?

Thank you

Stéphane

Creating a very low privileged user in the domain - user is a member of DOMAIN GUESTS ONLY - no Domain Users


The goal here: to create a DOMAIN user to use on a "kiosk machine", with the lowest possible local and domain privilege.

There is a public machine (Win7); on boot we MUST have autologon enabled (arrgh, tech people do not make the rules)

AND

a domain user has to be used because of a Windows AD-integrated application with single sign-on in the web application (IE).

So, I've created a domain user, added it to Domain Guests, turned Domain Guests into the primary group and removed Domain Users from the membership.

Is there a problem? Can a user be a member only of Domain Guests (and the local Guests group) and no other groups?

The idea here is to avoid the user being able to see shared folders and other resources available to Authenticated Users (and Everyone, with equivalence) or users of regular global and local groups.
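Yes, a user can have Domain Guests as its only group; the one ordering rule is that the primary group must be changed to Domain Guests before Domain Users is removed, because an account cannot be removed from its current primary group. The following is an added PowerShell example, not from the original post, that creates such an account and shows the resulting membership; kiosk01 and the OU path are placeholders. One limit worth knowing before relying on this for the stated goal: any account that logs on with a password, Domain Guests members included, is still placed in Authenticated Users (only the built-in Guest account is not), so resources granted to Authenticated Users or Everyone remain reachable and have to be restricted on the share or folder ACL itself.

```powershell
# Added example, not from the original post. Creates a kiosk user whose only domain group is
# Domain Guests: add to Domain Guests, make it the primary group, then drop Domain Users.
# 'kiosk01' and the OU path are placeholders.
Import-Module ActiveDirectory

$name = 'kiosk01'
$ou   = 'OU=Kiosks,DC=contoso,DC=com'      # placeholder
$pw   = Read-Host -AsSecureString 'Kiosk password'

New-ADUser -Name $name -SamAccountName $name -Path $ou -AccountPassword $pw `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# Resolve the two built-in groups by well-known RID rather than by (localisable) name.
$domainSid = (Get-ADDomain).DomainSID.Value
$guests = Get-ADGroup -Identity "$domainSid-514"   # Domain Guests
$users  = Get-ADGroup -Identity "$domainSid-513"   # Domain Users (default primary group)

Add-ADGroupMember -Identity $guests -Members $name
# primaryGroupID stores the RID of the primary group; switch it before leaving Domain Users.
Set-ADUser -Identity $name -Replace @{ primaryGroupID = 514 }
Remove-ADGroupMember -Identity $users -Members $name -Confirm:$false

# Verify: Domain Guests should be the only entry.
Get-ADPrincipalGroupMembership -Identity $name | Select-Object Name, GroupScope
```

On the kiosk itself, pair this with the local Guests group membership already described and a restricted "Log on locally" right so the account cannot be used elsewhere.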


