Channel: Directory Services forum

Domain controller failure


All,

In deploying domains/servers over the last few years I've been following the guidelines and always building out at least two domain controllers. My environments are usually of the SOBO variety and rarely have Internet/WAN connections to larger setups, so complete stand-alone ability is essential.

Lately I've been asked exactly what would happen if only one domain controller was built and it died for whatever reason. I've been digging around the usual online sources but I've yet to see a definitive list of likely failures when the domain controller feature fails entirely.

Does such a list exist?

Thanks for reading.


Setup AD without its server being the first one in the DHCP options


I'm trying to set up Active Directory; I'm trying to move from macOS Server's Open Directory. It seems I can set up the AD role successfully, as well as DHCP. The problem is that as soon as I set up AD, the rest of my servers stop responding from outside using my subdomain linked to the network.

After days without sleeping I finally figured out that what was missing is hairpin NAT. I tried looking it up and the best I came up with is NAT Routing and specifying yet again all the forwarding to my servers. For this I had to use two NICs because apparently Routing doesn't work with only one, as macOS Server does. For starters, inputting the information was a nightmare and I couldn't even finish, because the editor is this tiny window that doesn't let the user absorb much information, rule names cannot be reused, TCP and UDP can't be joined in one rule, and port ranges cannot be input. This left me with a thousand ports missing for VoIP, and even if there is a workaround like the command line or something, it should be easier; a server's job is to make things easier. These are serious flaws in the OS, I think.

Well, after not sleeping for four days and playing around with the DNS values on the DHCP scope, I noticed that if I input a public DHCP server it would correctly resolve my subdomain and load the internal websites from their local server using the FQDN, but computers won't be able to join Active Directory. I'm not removing the AD server's IP address from the list, I'm just not placing it at the top.

Screenshot: 1drv.ms/i/s!Aln_B1W1PHb4yB4ItpG5RLGUTsMj
(I can't post links nor images.)

On the other hand if I move up the Active Directory server's IP address to the top of the DHCP's DNS list my FQDN won't resolve from inside the network, even after setting up NAT Routing. I don't understand the point of having more than one DNS server on the DHCP options if it will just use the first one anyway.

I also tried setting records at the DNS server role for my IP address, but this turned out to be impossible as I don't have one IP address but four. I use a load balancer to connect to the internet, and to make matters worse, these are not static IP addresses; so in order to resolve my domain name, my [external] DNS server at my registrar points the FQDN to 4 DDNS CNAMEs whose addresses are dynamically updated by the load balancer. It's a bit of a mess, but it's been going strong for years now with no downtime.

I'm really hoping that out of sheer exhaustion I missed the setting or feature for hairpin NAT but seeing there's a loopback interface in the Routing and Remote Access console, my hopes are not very high.

I'm using Windows Server 2012 R2 Datacenter, by the way. If I find a solution I'm going to stick with Standard, though; Datacenter's pricing is way too expensive and I didn't like WS2016's pricing model either.

Thanks for your help!

ADMT Problem


Hello,

Using ADMT for cross-site migration; the trust is set between the two domains.

Process steps:

1- migrating groups

2- migrating users

3- migrating computers

4- migrating security translation.

The problem I have is: the group membership for the computers is not working after migrating the computers. The computer does not inherit the groups.

Thank you for your help.

AD LDS Question


Hello everyone,

I don't know if I'm posting in the right forum, but I couldn't find an LDS forum.

Windows Server 2012 R2 with AD LDS installed and configured.

Instance contains two partitions. I'm basically importing users from two production domains to the two partitions - that's working fine.

Question: Is there a way to have a user account that can have access (or bind) to both partitions?

I tried creating a user account at the instance level, and made that account a member of the Administrators role. I tried adding that account object to the Administrators container for each of the partitions, but this gave me an error message. I also created a user account on one of the production domains and made this account a member of the Administrators container in each partition; I was able to add the account, but I can't connect to either of the partitions.

Thanks!

Remove AD domain from Forest Root


Hey guys,

So here is the scoop. There are currently two domains that have been connected in the past. Domain1.local and Domain2.local via two way and transitive.

Domain1.local is currently the Forest Root. Domain2.local was connected in the past, but now we need to split it off and remove it (not delete it) from this relationship. Domain2.local needs to be standalone. All DCs are Server 2012 or higher.

DC1.Domain1.local currently holds the Schema Master and Domain Naming Master roles. DC1.Domain2.local holds its own roles for Domain2.local except the Schema Master and Domain Naming Master. After some research with various keywords, I did not really find the answer I was looking for (a lot of them dealt with deleting the domain or demoting DCs, etc).

Is there a way to cleanly remove Domain2.local from the Forest? Deleting the trust, removing transitivity, removing it from Sites, deleting the DNS zone, etc.?

Thanks,

DCDIAG Errors and AD parent/child domain DNS suffix search list


We have an AD structure that consists of a parent and child domain. I have been doing some cleanup and repair of the existing DNS environment mainly using DCDIAG /test:dns /e /v. I have fixed a good amount of issues and almost have the parent domain passing DNS test (one server has invalid forwarders which should be resolved tonight).

If I run the same DCdiag command from one of the servers in the child domain I receive the same entries as described in this TechNet article.

social.technet.microsoft.com/wiki/contents/articles/25715.dcdiag-misleading-dns-test-failure-in-a-multi-sited-parentchild-domain-scenario.aspx?Sort=MostRecent&PageIndex=1

In his example he remedies the situation by creating A records in the parent domain. To me this seems like it could cause other issues down the line.

Doing some further digging I did find that our parent domain has the suffix search list set with both domain.com and child.domain.com in that order on the DCs.

If I look at one of the child domain's DCs, their search list is only child.domain.com. I was thinking that adding the parent domain as a secondary search list should resolve the issues described in the TechNet article I linked to.

Do you see any issues with setting the parent domain as a secondary suffix search list on the child domain?


Disable LDAP anonymous directory access in Windows Server 2008 R2 SP1 Domain Environment.


Hello Friends,

During the security audit we were advised to disable LDAP anonymous directory access. I found multiple articles which suggest changing the value of dSHeuristics; we need to change the seventh character to 0 or 2.

However, when I checked this value using ADSI Edit I found it is set as Not Set.

On a few MS forums it is mentioned that LDAP anonymous directory access is disabled by default in Windows 2003 and above.

Could someone help me on this and let me know if changing the value will actually help me disable LDAP anonymous directory access so that it will not get captured in the next security scan, or is this a false positive?

Regards,

SGH.


MCP, MCTS
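The following PowerShell check is an added example, not part of the post above or any reply to it. It reads dSHeuristics from the forest's configuration partition and reports the seventh character (fLDAPBlockAnonOps), then confirms the effective behaviour with an anonymous LDAP search against one DC. Only the value 2 in that position enables anonymous operations beyond the rootDSE; an unset attribute, or any other character, means they are blocked, which is the default on Windows Server 2003 and later, so "Not Set" is the secure state. The DC name and naming contexts are taken from the rootDSE of the domain the session is joined to; nothing else is assumed.

```powershell
# Added example, not code from the original post.
# Reports whether anonymous LDAP directory access is enabled on the forest
# and confirms it with an anonymous search against one DC.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$rootDse  = Get-ADRootDSE
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$heur     = (Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics

# The 7th character is fLDAPBlockAnonOps. "Not set" (or a string shorter than
# seven characters) behaves exactly like '0': anonymous operations are blocked.
$seventh = if ([string]::IsNullOrEmpty($heur) -or $heur.Length -lt 7) { '0' } else { $heur.Substring(6, 1) }

$report = [pscustomobject]@{
    dSHeuristics         = if ([string]::IsNullOrEmpty($heur)) { '<not set>' } else { $heur }
    fLDAPBlockAnonOps    = $seventh
    AnonymousLdapAllowed = ($seventh -eq '2')   # only '2' permits anonymous reads beyond rootDSE
}

# Empirical confirmation: an anonymous bind is always accepted, but with anonymous
# operations blocked any search outside the rootDSE is refused with an operations error.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($rootDse.dnsHostName)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $rootDse.defaultNamingContext, '(objectClass=user)', 'Subtree', 'sAMAccountName')
$req.SizeLimit = 1

try {
    $resp = $conn.SendRequest($req)
    $report | Add-Member NoteProperty AnonymousSearchResult "returned $($resp.Entries.Count) entry(ies): anonymous access IS enabled"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    $report | Add-Member NoteProperty AnonymousSearchResult "refused ($($_.Exception.Response.ResultCode)): anonymous access is blocked"
}
$conn.Dispose()
$report
```

If the report shows fLDAPBlockAnonOps as 0 and the anonymous search is refused, the scanner finding can be answered with this output as evidence; if a scanner still flags the DC, the usual cause is the rootDSE itself being readable anonymously, which cannot be switched off and does not expose directory objects.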

Identity synchronization Error


Hello All

I'm facing this issue after migrating one of our users to Office 365.

Unable to update this object in Azure Active Directory, because the attribute [ShadowCommonName], in the local Directory exceeds the maximum allowed length. If you want to update, reduce the length in the local directory services, and then try again.

I have contacted Office 365 support, but they said it's not from their side and it is better to post the question here.


Remove published trusted root certificate and all related items (e.g. AIA, CDP) from Active Directory


Recently, I became alarmed when I noticed an unusual certificate (hereafter: "BadCert") in the Trusted Root Certification Authorities section of the Certificates MMC on a computer.  I checked several computers in our environment and BadCert was installed as a Trusted Root Certification Authority on all of them.  As I manage our PKI, this alarmed me because I definitely had nothing to do with it.

I was able to identify the host server that seems to be responsible for it as the name of BadCert has the server hostname in its common name.  It is a Windows Storage Server 2012 R2 Storage Server Essentials server that one of our Systems Administrators (who also has Domain Admin rights) set up.  I asked him about it, and he does not know how or why a certificate related to this server ended up being pushed out as a trusted root certification authority.

I determined that BadCert is not being pushed out via Group Policy.  Instead, it appears to be published in Active Directory.*  At this point, I believe the prudent thing to do is to remove/unpublish this certificate in Active Directory.  The thing is, the originating server does not have the Active Directory Certificate Services role installed and does not have BadCert installed in its "Personal" certificate store.  It does have the Windows Server Essentials Experience role installed but the configuration is not completed.

I'm not sure how to proceed.  Can anyone assist?

* I see entries related to BadCert under "CN=Public Key Services,CN=Services,CN=Configuration,DC=<subdomain>,DC=<domain>,DC=<root>". For instance, there are items related to BadCert under the "CN=AIA", "CN=CDP", "CN=Certification Authorities", and "CN=KRA" RDNs under that container.

PowerShell Script for getting multiple group membership information along with user name,company,user name,display name


PowerShell Script for getting multiple group membership information for Group along with user name,company,user name,display name

It's not working properly: "Get-ADGroupMember -identity "NA-NYC1-Grey-EliLilly-MensHealth-SG" | select name,company | Export-csv -path C:\VPN-GHGROUP_a.csv -NoTypeInformation"
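The script below is an added example, not the poster's own. The reason the posted one-liner yields an empty Company column is that Get-ADGroupMember returns ADPrincipal objects, which carry only identity attributes; the Company and DisplayName values live on the user object and have to be fetched with Get-ADUser -Properties. The example also handles several groups at once, as the title asks, and filters out computer and group members, for which Get-ADUser would fail. The second group name and the output path are placeholders.

```powershell
# Added example, not the poster's script. Exports the user members of several
# groups with name, display name and company, one row per (group, user) pair.
Import-Module ActiveDirectory

# Group names: the first is from the post, the second is a placeholder.
$groups  = @('NA-NYC1-Grey-EliLilly-MensHealth-SG', 'EXAMPLE-GROUP-2')
$outFile = 'C:\VPN-GHGROUP_a.csv'

$rows = foreach ($g in $groups) {
    # -Recursive expands nested groups. The objectClass filter drops computers and
    # groups, which have no Company attribute and would make Get-ADUser fail.
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Company, DisplayName |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Name, DisplayName, Company
}

$rows | Sort-Object Group, SamAccountName |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```

Because the group name is captured in the calculated Group column, a user who is in more than one of the listed groups appears once per group, which is usually what an access review wants to see.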

Is the internet needed for Active directory and why ?


Hi 

We have 2 Domain Controllers 

First, I want to know whether the internet is required for Domain Controllers or not.

If yes, I need to know why, and what the best practice from Microsoft is in this case.

Second,

regarding DNS, I want to know what Microsoft's recommendations for DNS are, as I want to secure the DNS.



Mahmoud

Moving the FSMO roles: effect


I'm planning to upgrade my DCs from 2008 R2 to 2012 R2. I added the first 2012 R2 DC to my domain and it's working fine. We have a GPO for the NTP server with the WMI filter "PDCe filter". Now I'm planning to move the FSMO roles to the new DC and shut down the old master for a day or two before demoting it, then proceed with the rest of the DCs one by one. Is this right?

will there be any effect on the users or services (especially exchange 2016)?

Problem when LDAP-Querying the GC


Hello,

In our environment we have three domains in one Active Directory forest. Each domain has two DCs. In one domain I want to configure a web application to (LDAP) query the global catalog for information from another domain.

For testing purposes I tried to query with simple Linux ldapsearches, which works fine most of the time. But here is my problem: it does not work reliably, because sometimes the ldapsearches take about 1 minute. These long-running queries seem to be the reason my web application times out.

My assumption is that these long-running queries appear when the DCs from this domain replicate (I checked the times with repadmin /showrepl and it looks like there is a correlation).

Our Windows guy can't help me out, so I hope somebody here has experience in this field. Is it OK to use the Global Catalog for this requirement? Why is this happening? Does somebody have ideas for further troubleshooting? It would be nice to use the GC, because if this works I do not have to use an LDAP proxy for this.

best regards

Stefan


Clear Saved Password on all servers


Hi 

When filtering the unsuccessful logins, I found 2 users have many failed logins.

Actually, the 2 users already changed their passwords, so that's why we get many unsuccessful logins.

They don't remember where they used and saved their passwords.

I tried Credential Manager to clear any saved password, but we are still receiving failed logins.

Is there any way to know where these credentials are used?


Mahmoud
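An added example, not part of the post above or any reply to it: the usual way to locate the host that still holds an old password is to read the failed-authentication events on every domain controller, because the DC records the client address or workstation name with each failure. The script collects those events for the named accounts and summarises them per source. The account names and look-back window are placeholders; the event IDs and field names are the standard Windows Security log ones.

```powershell
# Added example, not from the post. Finds where failed logons for the given
# accounts originate by reading the Security log of every DC in the domain.
Import-Module ActiveDirectory

$accounts = @('user1', 'user2')          # placeholder sAMAccountNames
$since    = (Get-Date).AddDays(-1)       # placeholder look-back window
$dcs      = (Get-ADDomainController -Filter *).HostName

# 4771 = Kerberos pre-authentication failed (wrong password), carries the client IP.
# 4776 = NTLM credential validation failed, carries the source workstation name.
# 4625 = failed logon on the DC itself, carries both.
$filter = @{ LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = $since }

$hits = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData fields into a hashtable keyed by field name.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $user = $data['TargetUserName']
        if ($accounts -notcontains $user) { continue }

        # Take whichever source field this event type populates.
        $source = @($data['IpAddress'], $data['Workstation'], $data['WorkstationName']) |
            Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1

        [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; EventId = $e.Id; User = $user; Source = $source }
    }
}

# One row per (user, source): these are the hosts that still present the old password.
$hits | Group-Object User, Source | ForEach-Object {
    $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
    [pscustomobject]@{
        User     = $latest.User
        Source   = $latest.Source
        Failures = $_.Count
        LastSeen = $latest.Time
        LastDC   = $latest.DC
    }
} | Sort-Object User, Failures -Descending
```

Once the source host is known, the stale credential is usually found in a scheduled task, a service logon, a mapped drive, or a mobile device's mail profile on that host; the per-source failure count tells you which one is retrying most aggressively and therefore most likely to trigger a lockout.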

Active Directory migration 2003 R2 to 2012 R2 with office 365 on board


Hello,

I would like to know if it is possible to migrate Active Directory (from 2003 R2 to 2012 R2) without an impact on other services, for example Office 365, SharePoint or other services on board.

I would like to migrate without changing all the IPs, with a transition server for example, and keep all the legacy configurations.

Keeping names and IPs for 3 Active Directory servers.

Best regards.



NTDS Replication Warning with Event ID 1093


Hi,

We have DCs across two sites and there are some replication issues. Upon troubleshooting, we found a Warning with Event ID 1093 on the affected DCs; this warning appears for some users. When checking the userCertificate attribute for those users in AD, we found a huge list of certificates for them. To solve the issue, the unwanted certificates need to be removed from the userCertificate attribute of the user object in Active Directory, so we followed this approach https://support.microsoft.com/en-us/kb/2889671 to identify them for the first user. Output was about 644 certificates.

In the link mentioned above, point 5 says:

5. You can identify the certificates with their text or UI format and decide which certificates can be removed from this user object.

Now how can I decide which certificates need to be removed? The expired ones for example? Also it will be hard to go through the 644 certificates manually and remove the expired certificates...so I am thinking of clearing the contents of the userCertificate attribute for those users, can I do that and how?
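The script below is an added example, not from the post or the KB article it cites. Instead of decoding 644 values by hand, it parses every value of userCertificate as an X.509 certificate, lists subject, issuer and expiry, and then removes only the expired ones with Set-ADUser -Remove, which deletes the listed values and leaves the current certificates in place. It runs in -WhatIf mode until $DoRemove is set to $true, and values that do not decode are reported rather than touched. The sAMAccountName is a placeholder.

```powershell
# Added example, not from the post or KB 2889671. Lists every certificate stored
# in a user's userCertificate attribute and removes only the expired ones.
Import-Module ActiveDirectory

$sam      = 'affecteduser'   # placeholder sAMAccountName
$DoRemove = $false           # set to $true to actually modify the object
$user     = Get-ADUser -Identity $sam -Properties userCertificate
$now      = Get-Date

$parsed = foreach ($raw in $user.userCertificate) {
    try {
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{
            Subject = $c.Subject; Issuer = $c.Issuer; NotAfter = $c.NotAfter
            Thumbprint = $c.Thumbprint; Expired = ($c.NotAfter -lt $now); Raw = $raw
        }
    } catch {
        # Undecodable value: keep it, but report it so it can be reviewed by hand.
        [pscustomobject]@{
            Subject = '<unparseable>'; Issuer = ''; NotAfter = $null
            Thumbprint = ''; Expired = $false; Raw = $raw
        }
    }
}

"Total: $(@($parsed).Count), expired: $(@($parsed | Where-Object Expired).Count)"
$parsed | Sort-Object NotAfter | Format-Table Subject, Issuer, NotAfter, Expired -AutoSize

# Build an array of byte[] values; the unary comma keeps each byte[] intact.
$toRemove = @($parsed | Where-Object Expired | ForEach-Object { ,[byte[]]$_.Raw })
if ($toRemove.Count -gt 0) {
    # -Remove deletes only the listed values; unexpired certificates stay on the object.
    Set-ADUser -Identity $user -Remove @{ userCertificate = $toRemove } -WhatIf:(-not $DoRemove)
}
```

Clearing the whole attribute is the blunt alternative the post considers; the drawback is that any current auto-enrolled certificate is also dropped and will only be re-published on the next enrollment, and mail clients that look up userCertificate for S/MIME will fail to find the user's key in the meantime. Removing expired values only avoids that gap while still bringing the attribute size down.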



profile move help


We need to relocate user profiles stored on Windows 2003 servers to Windows 2012 servers.
The user profiles are stored in \\win2k3\profiles and the new destination is \\win2012\profiles.
We are thinking of using robocopy to copy the profiles over before cutoff, then doing incremental copies until cutoff, and a final sync of files during cutoff.
Can anyone share a script to do a full copy, or to copy only the files changed in the last 2 days during cutoff? Do permissions get copied over?

Thank you!

ADFS 4.0 AD LDS Local Claims Provider passing group membership


Hi,

I've configured an ADFS Local Claims Provider Trust to an AD LDS instance. I can pass through all kinds of claims. But I want to mimic regular Active Directory, so I'd like to pass group membership like Token-Groups-Unqualified. How could I achieve this?

Any advice is welcome.

Kind regards,

Erwin Vos

Port Requirement from Domain Controller to Client PC


Dear Team,

We found that all the ports below are opened from client to Domain Controller but not opened from Domain Controller to Client PC.

TCP and UDP 389

TCP 636

TCP 3268

TCP 3269

TCP and UDP 88

TCP and UDP 53

TCP and UDP 445

TCP 135

TCP Dynamic

TCP 5722

UDP 123

TCP and UDP 464

UDP Dynamic

UDP 138

TCP 9389

UDP 67 and UDP 2535

UDP 137

TCP 139

Please confirm whether the same need to be enabled from the Domain Controller. We have enabled 135 and 445 only.

how to install openLDAP server into RHEL without internet connection


I need to implement OpenLDAP on RHEL 6.5, but my system doesn't have an internet connection.

Is it possible or not?

If it is possible without an internet connection, please help me with the step-by-step procedure.
