Channel: Directory Services forum

AD LDS search bug on Windows Server 2012


Steps to reproduce:

  1. Install an AD LDS instance on Windows Server 2012.
  2. Create a partition, e.g. CN=MyPartition.
  3. Install one of the following updates: KB3156416 or KB3160352.
  4. Create 20 containers in the root of your partition.
  5. Run the following PowerShell script:
# AD LDS instance to query (LDAP port and host name)
$port = 389
$computerName = "computer.domain.com"

# Match every container, whether or not it is flagged as advanced-view-only
$strFilter = "(&(objectCategory=Container)(|(showInAdvancedViewOnly=FALSE)(showInAdvancedViewOnly=TRUE)))"

# Bind to the root of the application partition created in step 2
$searchRoot = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$computerName`:$port/CN=MyPartition"

# No PageSize is set here, which is the case that fails after the update
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $searchRoot
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$results = $null
try
{
    $results = $objSearcher.FindAll()

    foreach ($objResult in $results)
    {
        $objResult.Path
    }
}
finally
{
    # Both the result collection and the searcher hold unmanaged handles
    if ($results) { $results.Dispose() }
    if ($objSearcher) { $objSearcher.Dispose() }
}

RESULT: None, i.e. the search will not return any results (though it should). Also, you will get the following exception:

System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred.

If there are fewer than 20 containers or if you specify a page size for the DirectorySearcher interface, the script will return your containers.

Uninstalling the KBs mentioned in step 3 will fix the issue. Also, the same KBs do not cause the issue on other operating systems (we've checked on Windows Server 2012 R2, 2008 R2, 7, 8, 8.1 and 10).
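The workaround the post mentions (setting a page size) is easiest to confirm side by side, so here is an added example, not the poster's script, that runs the same container search once unpaged and once with PageSize set and reports the count or the exception each attempt produced. The host name, port and partition DN are placeholders to adjust.

```powershell
# Added example (not from the post): compare the unpaged and paged variants of the
# AD LDS container search. Host, port and partition DN are assumptions to adjust.
function Test-AdLdsContainerSearch {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int]    $Port = 389,
        [string] $PartitionDn = 'CN=MyPartition',
        [int]    $PageSize = 0      # 0 = no paging, the case that fails in the post
    )
    $filter = '(&(objectCategory=Container)(|(showInAdvancedViewOnly=FALSE)(showInAdvancedViewOnly=TRUE)))'
    $root = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$ComputerName`:$Port/$PartitionDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $root
    $searcher.Filter = $filter
    $searcher.SearchScope = 'Subtree'
    if ($PageSize -gt 0) { $searcher.PageSize = $PageSize }   # paged results control
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

    $outcome = [pscustomobject]@{ PageSize = $PageSize; Count = 0; Error = $null }
    $results = $null
    try {
        $results = $searcher.FindAll()
        $outcome.Count = $results.Count      # enumerates the result set
    }
    catch {
        # Record the exception type and message instead of aborting the comparison
        $outcome.Error = $_.Exception.GetType().Name + ': ' + $_.Exception.Message
    }
    finally {
        if ($results) { $results.Dispose() }
        $searcher.Dispose()
        $root.Dispose()
    }
    return $outcome
}

# Unpaged search beside a paged one against the same instance
0, 1000 | ForEach-Object { Test-AdLdsContainerSearch -ComputerName 'computer.domain.com' -PageSize $_ } |
    Format-Table PageSize, Count, Error -AutoSize
```

On a patched Windows Server 2012 instance with 20 or more containers the unpaged row is expected to show an error and a count of 0 while the paged row lists the containers.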





ADPREP Error when promoting Windows Server 2016 in 2008 R2 forest/domain


When promoting a Windows Server 2016 to DC, adprep fails with an error that an attribute or value already exists.

The DN is CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>.

Forest and domain functional level is Windows Server 2008 R2; Exchange 2010 is also present in the domain. The result is the same whether it is performed on the new-to-be DC implicitly via Install-ADDSDomainController or directly on the schema master.

Here is the output from adprep:

PS C:\Temp\support\adprep> .\adprep.exe /forestprep

ADPREP WARNING:

Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or later.

You are about to upgrade the schema for the Active Directory forest named '<domain>', using the Active Directory domain controller (schema master) 'dc1.<domain>'.
This operation cannot be reversed after it completes.

[User Action]
If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.


c

Current Schema Version is 86


Upgrading schema to version 87


Verifying file signature
Connecting to "dc1.<domain>"
Logging in as current user using SSPI
Importing directory from file "C:\Temp\support\adprep\sch87.ldf"
Loading entries.
Add error on entry starting on line 1: Attribute Or Value Exists
The server side error is: 0x2083 The specified value already exists.
The extended server error is:
00002083: AtrErr: DSID-031513D7, #1:
        0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72

0 entries modified successfully.
An error has occurred in the program
ERROR: Import from file C:\Temp\support\adprep\sch87.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20161125155706\ldif.err.87.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.


Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20161125155706 directory for detailed information.


Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20161125155706 directory for more information.

The referenced ldif.err.87 file:

Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>
changetype: modify
Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

Add error on entry starting on line 1: Attribute Or Value Exists

The server side error is: 0x2083 The specified value already exists.

The extended server error is:

00002083: AtrErr: DSID-031513D7, #1:
	0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72


An error has occurred in the program

The referenced ldif.err file:

Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>
changetype: modify
Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

Add error on entry starting on line 1: Attribute Or Value Exists

The server side error is: 0x2083 The specified value already exists.

The extended server error is:

00002083: AtrErr: DSID-031513D7, #1:
	0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72


An error has occurred in the program

Can anyone shine some light into this matter and what to do?

Searching the internet I could not find anything resembling this.

Thanks a lot for any input!
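Before deciding what to do, a practitioner would want to see what the Send-As extended right currently carries, so here is an added example, not from the post, that reads the appliesTo values of that controlAccessRight, resolves each GUID to the schema class it names, and reports whether the value sch87.ldf tries to add (the GUID quoted in ldif.err.87) is already present. It assumes the ActiveDirectory module and read access to the configuration and schema partitions.

```powershell
# Added example (not from the post): inspect appliesTo on the Send-As extended right and
# check for the GUID that the failing LDIF entry tries to add.
function Get-ExtendedRightAppliesTo {
    param(
        [string] $RightName = 'Send-As',
        [string] $ExpectedGuid = '7b8b558a-93a5-4af7-adca-c017e67f1057'   # value from ldif.err.87
    )
    $rootDse = Get-ADRootDSE
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(cn=$RightName))" -Properties appliesTo
    if (-not $right) { throw "Extended right '$RightName' not found" }

    # Map schemaIDGUID -> lDAPDisplayName for every class, so each appliesTo GUID is readable
    $classes = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(objectClass=classSchema)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $classes[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }

    $rows = foreach ($g in $right.appliesTo) {
        [pscustomobject]@{
            Right      = $right.Name
            AppliesTo  = $g
            Class      = if ($classes.ContainsKey($g)) { $classes[$g] } else { '(unknown)' }
            IsExpected = ($g -ieq $ExpectedGuid)
        }
    }
    [pscustomobject]@{
        ExpectedGuid   = $ExpectedGuid
        AlreadyPresent = [bool]($rows | Where-Object IsExpected)   # $true matches ATT_OR_VALUE_EXISTS
        Entries        = $rows
    }
}

$check = Get-ExtendedRightAppliesTo
$check.Entries | Format-Table -AutoSize
"appliesTo already contains $($check.ExpectedGuid): $($check.AlreadyPresent)"
```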


Smartcard credentials and invoke-command for addsdeployment



Invoke-Command -ComputerName servernamehere  -ScriptBlock { 
test-addsdomaincontrollerinstallation  }

or

Invoke-Command -ComputerName servername  -ScriptBlock { 
test-addsdomaincontrollerinstallation -credential (get-credential) }

or

$cred = get-credential

Invoke-Command -ComputerName servername  -ScriptBlock { 
test-addsdomaincontrollerinstallation -credential $using:cred  }

#####################################################################

All fail with errors like

1) 

Message        : Verification of user credential permissions failed. The wizard cannot access the list of domains in the forest. The 
                 error is:
                 The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem.

2) 

Message        : Verification of user credential permissions failed. Failed to examine the Active Directory forest. The error was: 
                 ldap_search() failed, err=1
                 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed 
                 on the connection., data 0, v2580
                 Errors may be the result of insufficient credentials for a remote operation. Consider setting explicit credentials 
                 for this operation.

I have Enterprise Admin rights; the promotion works fine if you log in via RDP and do it. This only fails with Invoke-Command. Tried running PowerShell as a different user and giving the smart card credentials. Tried prompting as seen in the above examples. All with NO luck. Have a Microsoft case open as well and the engineer worked with me for over a day without any real solution yet.



Changing account name


Please tell me how to change my account name

Active Directory Sites and Services - when I go to NTDS properties for one site, I can see "replication from" and "replication to" fields. What do these specify?


Hi,

When I go to NTDS properties in Active Directory Sites and Services for one site, I can see "replication from" and "replication to" fields. What do these specify?

I am clear that "Replication From" is where the current DC gets the data to be replicated, but what does "Replicate To" mean?

Please let me know.


Paramesh KA

Management trust to the tenants.


Been thinking a bit..

Is this a valid solution:

Let's say I'm working at a cloud provider that hosts and manages companies' Active Directories. All tenants have their own forest. We each have a Domain Admin account in their forest. Is it a valid/good solution to have a "management trust" where all administrators have their accounts, instead of accounts in their domain?

Or is there any better way to manage it?

how to demote old DC but keep the DNS role


We have 2 Windows Server 2012 R2 DCs and 2 old Windows Server 2003 DCs, and need to demote the old Windows Server 2003 based DCs. The old Windows Server 2003 DCs are DNS servers and, for many reasons, must go on providing DNS services. My question is: can we demote the Windows Server 2003 DCs and leave the servers on with only the DNS role? If so, how can the DNS servers maintain a copy of Active Directory integrated zones?

DFSR replication


We have a lot of DFSR replication groups between 3 servers (one 2008 R2 and two Server 2012). We want to stop/remove replication, but we want to make sure the currently queued/staged files replicate. How do we do this?


Unable to connect to Domain Controller


I have recently gotten an HP Gen 8 microserver, the G1610t. I've been following the TechNut guide to setting it up on YouTube found at: https://www.youtube.com/playlist?list=PLfYIS7PWFoq5zRq9ObjDbKa-R07CwbHBV

Pretty good series and mostly smooth sailing so far until trying to join the server to the domain I have set up using sconfig where I get the error:
"The specified domain either does not exist or could not be contacted"

So, Windows 2012 on the server, configured not through Hyper-V Server but by remoting onto the desktop and setting up, only real difference I've had so far to the videos, can't see that being the issue.

On the server, using Hyper-V Manager I have created a new virtual switch and a new VM called HOME-DC01 using the Windows 2012 evaluation iso available at https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2

I'm intending this VM to be the domain controller. Once started, I applied all available patches and restarted. Then in Server Manager, using the Add Role wizard, I added the Active Directory Domain Services role, promoted the server to Domain Controller and then created a new forest and specified the domain name as home.local. Installation seems to go OK, I can log in, services seem to be running and, looking in Server Manager after RDP'ing into the server, all roles are green (AD DS, DNS, File and Storage Services as well as Local Server and All Servers).

Back on the microserver, I have changed the DNS server to be the new domain controller using sconfig. Ping to the Domain Controller using the IP address and the hostname both work. I've used google (8.8.8.8) as the secondary DNS.

Now when I try to change the domain in sconfig, I get the error:
"The specified domain either does not exist or could not be contacted"

I think the firewalls are open as needed as I've run:
Set-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Enabled true
Set-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Enabled true
Set-NetFirewallRule -DisplayName "Windows Firewall Remote Management (RPC)" -Enabled true
Set-NetFirewallRule -DisplayName "Windows Firewall Remote Management (RPC-EPMAP)" -Enabled true

Can anyone help with my error? Point me in the direction of what else I should check or what I might have missed? I've tried recreating the VM again but got the results (which is good as it's consistent). Been at this a week and making no progress.
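"The specified domain either does not exist or could not be contacted" is what a join reports when the DC locator cannot find a DC, and the locator depends on DNS before anything else. The following is an added example, not from the post, to run on the machine being joined: it lists the DNS servers the client consults (a public secondary resolver cannot answer for home.local), resolves the SRV locator record for the domain, tests the ports a join uses on the DC, and asks nltest for a DC. The domain name and DC address are assumptions to adjust.

```powershell
# Added example (not from the post): check the pieces a domain join depends on, from the client.
function Test-DomainJoinPrerequisites {
    param(
        [string] $DomainName = 'home.local',
        [string] $DcAddress          # IP or name of HOME-DC01; if omitted, taken from the SRV record
    )
    $checks = [System.Collections.Generic.List[object]]::new()

    # Which DNS servers does this host actually use?
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
    $checks.Add([pscustomobject]@{ Check = 'ClientDnsServers'; Ok = [bool]$dns; Detail = ($dns.ServerAddresses -join ', ') })

    # _ldap._tcp.dc._msdcs.<domain> is the record the DC locator asks for
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'
    $checks.Add([pscustomobject]@{ Check = 'SrvRecord'; Ok = [bool]$srv; Detail = ($srv.NameTarget -join ', ') })

    # Ports a join touches on the DC: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB
    if (-not $DcAddress -and $srv) { $DcAddress = $srv[0].NameTarget }
    if ($DcAddress) {
        foreach ($p in 53, 88, 135, 389, 445) {
            $r = Test-NetConnection -ComputerName $DcAddress -Port $p -WarningAction SilentlyContinue
            $checks.Add([pscustomobject]@{ Check = "Tcp$p"; Ok = $r.TcpTestSucceeded; Detail = $DcAddress })
        }
    }

    # nltest exercises the locator itself; a non-zero exit code means no DC was found
    $nl = & nltest.exe "/dsgetdc:$DomainName" 2>&1
    $checks.Add([pscustomobject]@{ Check = 'Nltest'; Ok = ($LASTEXITCODE -eq 0); Detail = ($nl | Select-Object -First 1) })
    return $checks
}

Test-DomainJoinPrerequisites | Format-Table Check, Ok, Detail -AutoSize
```

A failing SrvRecord row with a passing ClientDnsServers row usually means the client's first DNS server is not the one hosting the home.local zone.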

NetUserChangePassword invalid parameter


I have a Win7 box and a Win2008R2 box. Not sure if this is related to my problem, but the Win2008R2 server has KB3177108 installed. Win7 does not have this patch.

When I run this program on Win7, it works (returns status_success and changes the password).  When I run this on win2008r2, it fails with error 87 - invalid parameter, but it also successfully changes the password...
What am I doing wrong here?

Thanks for looking at this...

#include <windows.h>
#include <LM.h>
#include <stdio.h>

#pragma comment(lib, "netapi32.lib")   /* NetUserChangePassword is exported by netapi32 */

int wmain(int argc, wchar_t *argv[])
{
    (void)argc;
    (void)argv;

    /* Change lowlyuser's password on mydomain. NERR_Success (0) means it worked;
       87 is ERROR_INVALID_PARAMETER, the code seen on the 2008 R2 box. */
    DWORD error = NetUserChangePassword(
                L"mydomain",
                L"lowlyuser",
                L"oldpassword",
                L"newpassword");

    wprintf(L"Error = %lu\n", error);   /* DWORD is unsigned long */

    return (int)error;
}

prevent sequence numbers password in ad 2012

Is it possible to force the use of the domain policy so that no password can be reset to a number sequence, for example Ad1234567?
This is a domain on 2008 and 2012.
By the way, passwords are set to:
Password must meet complexity
Thanks in advance...

Steps to secure Active directory pass the hash attack and clear text password


Hi,

I have Microsoft Active Directory implemented on Windows Server 2012 R2. A person who doesn't have any privileged rights on the server is able to escalate himself to Enterprise Admin. I would like to know how to secure this. As per my understanding he is using a pass-the-hash attack and a PowerShell exploit.


Nagesh C Samant

where can i download the Windows Service for UNIX 3.5?

I cannot find the download URL; please tell me how I can get it, thanks a lot!

Reset Active Directory Service Account password

Please let me know how to reset a service account password through PowerShell or the GUI.

how to install openLDAP server into RHEL without internet connection


I need to implement OpenLDAP on RHEL 6.5, but my system doesn't have an internet connection.

Is it possible or not?

If it is possible without an internet connection, please help us with the step-by-step procedure.


Port Requirement from Domain controller to Client PC


Dear Team,

We found that all the ports below are opened from client to domain controller but not opened from domain controller to client PC.

TCP and UDP 389
TCP 636
TCP 3268
TCP 3269
TCP and UDP 88
TCP and UDP 53
TCP and UDP 445
TCP 135
TCP Dynamic
TCP 5722
UDP 123
TCP and UDP 464
UDP Dynamic
UDP 138
TCP 9389
UDP 67 and UDP 2535
UDP 137
TCP 139

Please confirm whether the same need to be enabled from the domain controller. We have enabled 135 and 445 only.

Impact of Active directory user migration


Hello team,

I have a domain called abc.com where Exchange is running, and one more domain called xyz.com.

I have a few users whose login IDs are the same in both domains. I will merge the SID history of the xyz.com domain users into abc.com.

So is there any impact on my email access after merging the SIDs of the old domain?

how to create temporary user using Active directory


How to create a temporary user using Active Directory?

And when the user logs off, the data needs to be deleted. Is it possible?

Please help me.

Multiple-Forests - Super Admin Forest Model.


Is this still a valid/best model to implement if a company manages a lot of forests?

https://technet.microsoft.com/en-us/library/cc526459.aspx

No idea when the article is dated.

Big problems Migrating from FRS


So I was migrating FRS to DFSR and it got stuck. Looking into things, I found that I can no longer modify GPOs. I did the SYSVOL rebuild with the D4/D2 flags and it still doesn't appear to work. Here is my dcdiag report.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SKDC05
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Skender\SKDC05
      Starting test: Connectivity
         ......................... SKDC05 passed test Connectivity

Doing primary tests

   Testing server: Skender\SKDC05
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\SKDC03.Skender.com, when we were trying to reach SKDC05.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SKDC05 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVO
         replication problems may cause Group Policy problems.
         ......................... SKDC05 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SKDC05 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SKDC05 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000829
            Time Generated: 11/03/2016   12:17:09
            Event String:
            This directory partition has not been backed up since at least the following number of days.
         A warning event occurred.  EventID: 0x80000829
            Time Generated: 11/03/2016   12:17:09
            Event String:
            This directory partition has not been backed up since at least the following number of days.
         A warning event occurred.  EventID: 0x80000829
            Time Generated: 11/03/2016   12:17:09
            Event String:
            This directory partition has not been backed up since at least the following number of days.
         A warning event occurred.  EventID: 0x80000829
            Time Generated: 11/03/2016   12:17:09
            Event String:
            This directory partition has not been backed up since at least the following number of days.
         A warning event occurred.  EventID: 0x80000829
            Time Generated: 11/03/2016   12:17:09
            Event String:
            This directory partition has not been backed up since at least the following number of days.
         ......................... SKDC05 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SKDC05 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SKDC05 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SKDC05 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SKDC05\netlogon)
         [SKDC05] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... SKDC05 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SKDC05 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SKDC05 passed test Replications
      Starting test: RidManager
         ......................... SKDC05 passed test RidManager
      Starting test: Services
         ......................... SKDC05 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003FC
            Time Generated: 11/03/2016   12:17:33
            Event String: Scope, 192.168.4.0, is 98 percent full with only 7 IP addresses remaining.
         A warning event occurred.  EventID: 0x00000560
            Time Generated: 11/03/2016   12:17:33
            Event String: IP address range of scope 192.168.4.0 is 98 percent full with only 7 IP addresses availabl
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 11/03/2016   12:20:47
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on
omain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         ......................... SKDC05 failed test SystemLog
      Starting test: VerifyReferences
         ......................... SKDC05 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : Skender
      Starting test: CheckSDRefDom
         ......................... Skender passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Skender passed test CrossRefValidation

   Running enterprise tests on : Skender.com
      Starting test: LocatorCheck
         ......................... Skender.com passed test LocatorCheck
      Starting test: Intersite
         ......................... Skender.com passed test Intersite
PS C:\Windows\system32> dfsrmig /getmigrationstate

Any help is appreciated 
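The dcdiag output above shows NETLOGON unreachable on SKDC05 while the migration state is still unknown, so the state worth collecting in one place is whether SYSVOL and NETLOGON are shared, whether the FRS and DFSR services are running, what dfsrmig reports as the global migration state, and the SysvolReady flag that Netlogon requires before it publishes those shares. The following is an added example, not from the post, to run on the DC in question.

```powershell
# Added example (not from the post): one object summarising SYSVOL state during an FRS-to-DFSR migration.
function Get-SysvolMigrationState {
    # Are the two shares Group Policy depends on actually published?
    $shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue

    # Both replication engines; which one owns SYSVOL depends on the migration state
    $svc = Get-Service -Name NtFrs, DFSR -ErrorAction SilentlyContinue

    # Global state as dfsrmig sees it (Start, Prepared, Redirected, Eliminated)
    $migration = (& dfsrmig.exe /getmigrationstate 2>&1) -join ' '

    # Netlogon shares SYSVOL/NETLOGON only once the replication engine sets SysvolReady=1
    $ready = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name SysvolReady -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SysvolShared   = [bool]($shares | Where-Object Name -eq 'SYSVOL')
        NetlogonShared = [bool]($shares | Where-Object Name -eq 'NETLOGON')
        NtFrs          = ($svc | Where-Object Name -eq 'NtFrs').Status
        DFSR           = ($svc | Where-Object Name -eq 'DFSR').Status
        SysvolReady    = $ready.SysvolReady
        MigrationState = $migration
    }
}

Get-SysvolMigrationState | Format-List
```

A SysvolReady of 0 with both shares missing matches the "network name cannot be found" result in the NetLogons test above.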
