Channel: Directory Services forum

Looking for feedback on third-party Active Directory tools

My company is currently open to the possibility of third-party AD tools that allow users to update their own account information in Active Directory, which syncs to our Global Address List in Exchange. Basically, they want a tool that will allow end users to modify fields of their choosing, reset their passwords if their accounts are locked, and more.

What third-party apps are you familiar with that may achieve this and more? Also, a robust app that could simplify creating AD accounts and Exchange mailboxes would be helpful as well, one that would provide a web-based interface that syncs the changes to AD.

Thank you.

Insert new line/carriage return in ADFS custom claim rule

Hi,
I have to split an outgoing claim string value into multiline text as follows:

Text_1¦Text_2¦Text_3¦Text_4

Split to:

Text_1
Text_2
Text_3
Text_4


I tried to use the RegExReplace() function but I can't find the right syntax for the new line/carriage return character.

Example:
c:[Type == "string_1"]
 => issue(Type = "string_2", Value = RegExReplace(c.Value, "¦", "[\n\r]"));

Some suggestions?

Thanks in advance.

Notification of Active Directory changes via mail alert


Hi,

I want to get a mail alert if any changes are made in Active Directory, like new user creation and user deletion, computer object creation and deletion, OU movement alerts, account password reset alerts and account lockout alerts.

Please suggest how it's done via PowerShell.

I found one AD group membership changes mail alert PowerShell script on TechNet and the lazywinadmin page. Please find the screenshot below. (https://gallery.technet.microsoft.com/Monitor-Active-Directory-4c4e04c7)

I need this kind of mail alert for user creation and deletion, computer account creation and deletion, OU movement, account password reset and account lockout.

Please, can anyone help with this? Please suggest any ideas on this.

Thanks & Regards,

Arun C
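As an added example (not from the post above nor from the linked TechNet gallery script), the following PowerShell collects the Security-log events that correspond to the changes asked about (4720/4726 user created/deleted, 4741/4743 computer created/deleted, 4724 password reset by an administrator, 4740 lockout, 5139 directory object moved) from every domain controller for the last hour and mails a summary. It assumes the "Account Management", "Account Lockout" and "Directory Service Changes" audit subcategories are enabled on the DCs, that the RSAT ActiveDirectory module is present on the host running it, and the SMTP server and addresses are placeholders to replace.

```powershell
# Added example, not from the original post or the linked gallery script.
# Collects AD change events from every DC's Security log for the last hour and mails a summary.
# Assumptions: Account Management, Account Lockout and Directory Service Changes auditing is on;
# the mail settings below are placeholders; the RSAT ActiveDirectory module is installed here.
Import-Module ActiveDirectory

$EventMap = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4741 = 'Computer account created'
    4743 = 'Computer account deleted'
    4724 = 'Password reset attempted by an administrator'
    4740 = 'Account locked out'
    5139 = 'Directory object moved (e.g. between OUs)'
}
$Since = (Get-Date).AddHours(-1)
$Mail  = @{ SmtpServer = 'smtp.example.invalid'; From = 'ad-alerts@example.invalid'; To = 'admins@example.invalid' }

function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    # Pull a named EventData field from the event XML; positional Properties differ per event ID.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AdChangeEvents {
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName = 'Security'; Id = [int[]]$EventMap.Keys; StartTime = $Since
            } -ErrorAction Stop
        } catch {
            # Get-WinEvent throws "No events were found" when nothing matched; only warn on real errors
            if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
        }
    }
}

$rows = foreach ($e in Get-AdChangeEvents) {
    # 5139 carries the object DN in NewObjectDN; the account events carry TargetUserName
    $target = if ($e.Id -eq 5139) { Get-EventField $e 'NewObjectDN' } else { Get-EventField $e 'TargetUserName' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        DC     = $e.MachineName
        Change = $EventMap[$e.Id]
        Target = $target
        Actor  = Get-EventField $e 'SubjectUserName'
        # 4740 stores the name of the computer the bad logons came from in TargetDomainName
        Source = if ($e.Id -eq 4740) { Get-EventField $e 'TargetDomainName' } else { '' }
    }
}

if ($rows) {
    $body = $rows | Sort-Object Time | Format-Table -AutoSize | Out-String -Width 200
    Send-MailMessage @Mail -Subject "AD changes since $Since ($(@($rows).Count) events)" -Body $body
}
```

Run it from a scheduled task every hour on a management host; the one-hour window in `$Since` should match the task interval so no events are missed or reported twice. Object moves only show up once "Directory Service Changes" auditing is enabled, which the default audit policy on a DC does not turn on.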


User Rights Assignment done in wrong place


I inherited an AD environment from a group of people who didn't know how to set up AD. In the Default Domain Policy, under Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies/User Rights Assignment, they hard-coded several settings, including "Act as part of the OS" and "Log on as a batch job", things that service accounts and Managed Service Accounts need.

Up to this point, I have just dealt with it and manually added service accounts that needed these rights to this policy, and then they suddenly have those rights on all servers and workstations. This is becoming a problem now and I really need to fix it.

I need to know: if I remove these settings, do all servers go back to the defaults, or are the settings wiped out so that I could potentially hose a bunch of things? And what are the default values supposed to be?

My biggest concern is that removing even one of these could potentially hose all 20 of my servers until I can get to them and set what it should be manually.

How do I fix this pickle?
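As an added example (not from the post above), the following PowerShell shows what each server is actually running with right now for the two rights named in the post, and compares that against the Windows Server defaults, so the impact of a change to the GPO can be assessed per server before touching it. It reads the effective local security policy with `secedit /export`, which includes whatever the GPO has pushed down. The default memberships in `$Defaults` are an assumption taken from Microsoft's security policy settings reference for Windows Server 2008 R2 and later and should be verified for the OS in use.

```powershell
# Added example, not from the original post. Run elevated on each server (or via Invoke-Command).
# Assumption: the default memberships below follow Microsoft's documented defaults for
# Windows Server 2008 R2 and later; confirm them for your OS version before relying on them.
$Defaults = @{
    'SeTcbPrivilege'    = @()   # "Act as part of the operating system": held by nobody by default
    'SeBatchLogonRight' = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators', 'BUILTIN\Performance Log Users')
}

function Get-EffectiveUserRights {
    # Export the effective local security policy (GPO-applied values included) and parse the
    # [Privilege Rights] section into a hashtable of right name -> list of accounts.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $name   = $Matches[1]
        $values = $Matches[2].Split(',') | Where-Object { $_ } | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) {
                # secedit writes SIDs prefixed with '*'; translate them to readable account names
                try { (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $v.Substring(1) }   # keep the raw SID if it no longer resolves (e.g. deleted account)
            } else { $v }
        }
        $rights[$name] = @($values)
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

$effective = Get-EffectiveUserRights
foreach ($right in $Defaults.Keys) {
    $current = @($effective[$right])
    $extra   = @($current | Where-Object { $_ -notin $Defaults[$right] })
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Right    = $right
        Current  = ($current -join '; ')
        Default  = ($Defaults[$right] -join '; ')
        Extra    = ($extra -join '; ')   # accounts that a reset to the defaults would lose the right
    }
}
```

User Rights Assignment values delivered by a GPO are not rolled back automatically when the GPO setting is changed to "Not Defined"; the last applied list stays on the machine. The `Extra` column is therefore the list of accounts to move into a per-server or per-OU policy before the Default Domain Policy entry is removed, which keeps "Act as part of the operating system" (a right that lets a process impersonate any user) from being granted domain-wide.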

Enforce VPN access through domain joined machines


I want to know if it is possible to make users log in to the VPN only if they are part of, or have joined, a domain (part of the user population). So a user, even knowing the VPN credentials, cannot log in from a machine which has not joined the domain server.

Can this be done, considering the VPN server is third party, e.g. Cisco?

Event ID 4768 | Result Code 0x12


We have an old Domain Admin account that we're retiring. The account has been disabled but seems to be requesting Kerberos tickets from one of the DCs. How can we track where or what is still using this account?

Below is the Event ID being generated:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 12/20/2016 16:54:53
Event ID: 4768
Level: Audit Failure
User:
Computer: DC3.domain.com

A Kerberos authentication ticket (TGT) was requested.

Account Information:
Account Name: AdminAcct
Supplied Realm Name: domain.com
User ID: S-1-0-0

Service Information:
Service Name: krbtgt/domain.com
Service ID: S-1-0-0

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x12
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 
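As an added example (not from the post above), the following PowerShell tracks down what is still using a disabled account. Result code 0x12 in a 4768 event is KDC_ERR_CLIENT_REVOKED (RFC 4120 code 18), which the KDC returns for disabled, expired or locked accounts, and the Client Address in the event is where the request came from. A loopback client address (::1 or 127.0.0.1, as in the event quoted above) means the requester is running on the DC itself, so the script then lists services and scheduled tasks on that DC configured to run as the account. It assumes the RSAT ActiveDirectory module on the host, remote event log and CIM/WinRM access to the DCs, and uses the account name from the post as a placeholder.

```powershell
# Added example, not from the original post. Locates the source of failed TGT requests
# (event 4768, Status 0x12 = KDC_ERR_CLIENT_REVOKED) for one account across all DCs and,
# where the client address is the DC itself, lists local services and tasks running as the account.
# Assumptions: RSAT ActiveDirectory module; remote event log and CIM/WinRM access to the DCs.
Import-Module ActiveDirectory
$Account = 'AdminAcct'   # account name from the post; replace with the account under investigation

function Get-FailedTgtRequests([string]$User) {
    # Server-side XPath filter: 4768 for this account with Status 0x12 (Status is a hex string in the XML).
    # The XPath comparison is case-sensitive, so use the account name exactly as the event records it.
    $xpath = "*[System[EventID=4768] and EventData[Data[@Name='TargetUserName']='$User' and Data[@Name='Status']='0x12']]"
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction Stop |
                ForEach-Object {
                    $x = [xml]$_.ToXml()
                    $d = @{}
                    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        DC      = $dc
                        Client  = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped IPv6 prefix
                        Port    = $d['IpPort']
                        Status  = $d['Status']
                        PreAuth = $d['PreAuthType']
                    }
                }
        } catch {
            if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
        }
    }
}

function Find-LocalPrincipals([string]$Computer, [string]$User) {
    # Services and scheduled tasks on $Computer whose run-as principal contains the account name
    Get-CimInstance -ComputerName $Computer -ClassName Win32_Service |
        Where-Object { $_.StartName -like "*$User*" } |
        ForEach-Object { [pscustomobject]@{ Computer = $Computer; Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName } }
    Get-ScheduledTask -CimSession $Computer |
        Where-Object { $_.Principal.UserId -like "*$User*" } |
        ForEach-Object { [pscustomobject]@{ Computer = $Computer; Kind = 'ScheduledTask'; Name = $_.TaskName; RunAs = $_.Principal.UserId } }
}

$failures = @(Get-FailedTgtRequests -User $Account)
$failures | Format-Table -AutoSize

# One follow-up per distinct (DC, client) pair: inspect the DC itself for loopback requests,
# otherwise resolve the client address so the owning host can be checked.
foreach ($f in ($failures | Sort-Object DC, Client -Unique)) {
    if ($f.Client -in @('::1', '127.0.0.1')) {
        Find-LocalPrincipals -Computer $f.DC -User $Account
    } else {
        try { [System.Net.Dns]::GetHostEntry($f.Client).HostName } catch { $f.Client }
    }
}
```

If nothing on the DC is configured with the account, the remaining candidates on that host are interactive or RunAs sessions that cached the old credentials and mapped drives or tasks under other users' profiles; the 4768 timestamps (regular intervals suggest a scheduled job) narrow that down. Leave the account disabled rather than deleted while this runs, so the failures keep being logged until the last consumer is found.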


updating Active Directory user Logon Count attribute

Is the logon count attribute updated only when a user physically logs in to a workstation, or is there any way to update the attribute programmatically or through a script? Just asking for testing purposes.

Recommended order for setting up Active Directory, DNS and DHCP services


Hi all,

I was wondering whether anybody could advise me on which order Active Directory and DNS services should be set up in as part of a domain controller. I have seen a majority of sources on the Internet, including Microsoft help pages, suggesting to install Active Directory and DNS services before setting up the IP configuration of the server; however, I have seen a minority of sources on the Internet where some people suggest setting up the IP configuration of the server before installing Active Directory and DNS services. Would there be any consequences encountered at a later date if the IP configuration were made on the server before installing Active Directory and DNS? If so, what problems would I most likely come across and can they be easily rectified? Does this vary depending on which version of Windows Server you use as well as the order of setup? Also, in what order would you set up DHCP? Are there any right and wrong answers with achieving these tasks?

The reason why I am asking is that I am trying to get into good practices of setting up Windows servers and cannot find any accurate information to clarify this. Your help would be much appreciated.

Kind regards,

RocknRollTim

P.S. I forgot to mention I have been reading up in books, particularly the study guides for Windows Server 2000, 2003 and 2008, as well as watching videos on YouTube for Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016.


AD-Default domain policy


Dear All,

Recently there was a disaster and our AD and Exchange went down.

We recovered AD and Exchange from backup.

Mail flow and everything else is working fine.

Now I am stuck with two issues:

1. The netlogon folder is not shared.

2. When I expand the Default Domain GPO I get an "access is denied" error.

Is there anything we can check?

Windows Server 2003 R2 SP2 with Exchange 2007 running, migration to Windows Server 2012 R2


Hello,

Currently we are running on Windows Server 2003 R2 SP2 and our mail server (Exchange 2007) is running on Windows Server 2008 R2 Enterprise.

Domain Controller

The domain controller is running on Windows Server 2003 R2 SP2; the services running on it include AD, DHCP, CA and IAS.

Forest and domain functional level is Windows Server 2003.

Exchange 2007

4 servers, including Mailbox, CAS, HT and Edge, installed on separate servers running Windows Server 2008 R2 Enterprise.

The Exchange version is Exchange 2007 without any SPs.

Exchange is using a local certificate from the domain controller's CA.

We are planning to migrate our domain controller to Windows Server 2012 R2 and remove the old server running Windows Server 2003 R2.

1st question: Is there any step-by-step guide on how to migrate our 2003 to 2012 R2?

2nd question: Will Exchange work without any problems if we migrate to Windows Server 2012 R2?

TombstoneLifetime values recommended


Hi community.

I would like to get your advice/feedback on increasing the tombstone lifetime value. From a security perspective I think there are benefits for:
- data retention (for certain kinds of objects)
- forensics and replication metadata analysis

And cons like:
- AD database white space / size
- backup and restore

My customer uses a WS 2012 R2 box with the TSL set at 180 days (the default value) and the AD Recycle Bin is enabled.
What do you think if the TSL is increased to 365 days?

Thanks in advance.


Kévin KISOKA - MCITP Entreprise Messaging Administrator, MCTS Hyper-V Server Virtualization I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights.

How to remove write protected CN object after failed DC/dcpromo removal


We have two domain controllers, dc1 and dc2. We have already removed dc2 and done the metadata cleanup (with ntdsutil, with the Microsoft script, with the GUI). Unfortunately there is always one CN object left which is write protected (Protect from accidental deletion) and can't be deleted. It is located in:

CN=dc2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=forestrootdomain

Deleting the msDFSR-Member CN object (dc2) in the Topology CN via ADSIEdit fails. Deleting it with PowerShell fails too; PS command:

Get-ADObject "CN=dc2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=forestrootdomain" | Set-ADObject -ProtectedFromAccidentalDeletion:$false

with the following error:

Set-ADObject : A required attribute is missing

But if we can't delete this CN object, we can't recreate a domain controller with the same hostname that has functional replication and advertisement within the domain.

Any suggestions appreciated.

Best regards


-- Regards Timo

Security Thread of File services in Active directory


Hi Team,

Please let me know the Security Thread of File Services in Active Directory Domain Services.

Thanks

Migrating Users, Computers, Group Policy from Root Domain to Child


Hello,

We are going to migrate users, computers, Group Policy and OUs from the root domain to a new child domain controller.

1. How will we migrate users from root to child? ADMT works well, but will the password remain the same, or will the password change for each user? And by changing the UPN, as first it was user@root.local and after migrating it becomes user@child.root.local, will the user still log on with the same user name with no changes?

2. By migrating computers with ADMT, will it affect the already domain-joined computers in root.local, as these computers will be migrated to the child.root.local domain? What will be the response of these computers?

3. How do we migrate Group Policy from root to child?

4. Can we migrate a complete OU with its users, or will that need to be done manually through ADMT? Or is there any best recommendation for migrating users?

Thanks......


DNS server list


So we have regional offices that have about five workstations; we have seven locations around the state. At one time we had a domain controller at each site. We have recently removed the Active Directory role from the server at their location, and I moved their IP subnet to our HQ site.

The server at each regional site that used to be an AD controller still has all the internal DNS zones copied to it from the domain controllers in our domain.

The question I have: at these regional sites, what should I set the DNS properties to on the workstations?

Should the primary DNS be a domain controller IP address? Does the workstation look to that for login to Active Directory, and if it's not set as primary, does that cause any issues with authentication and login?

Or should the local server, which is not a domain controller now but does have DNS installed with all our DNS zones copied to it, be the primary DNS so the workstations can get DNS locally?

One thing we do want to accomplish is that if the regional offices lose connectivity to the HQ site, we want DNS resolution for the workstations to go to their local DNS. So that would mean we'd have the following setup.

On workstation:
Primary DNS would be the Active Directory controller at the HQ site.
Secondary DNS would be the local member server running DNS with all zones copied to it.

This makes workstations look to the Active Directory domain controller first, and then if the link to HQ is down for external DNS resolution and the workstation can't contact the primary DNS, it will then look to the secondary DNS listed, which would be the local member DNS server. Correct?



validation of child domain inputs failed you cannot create a new domain at this time because the domain naming master is offline


We have cloned the production Active Directory in our testing environment, which is in a private VLAN.

Active Directory with all 2 additional domain controllers.

We are going to add and test parent/child domain controllers with this domain controller.

Getting the following error on adding a child domain controller. An additional domain controller works fine, but on adding a new child domain controller in the same test environment I get the following error:

validation of child domain inputs failed you cannot create a new domain at this time because the domain naming master is offline

Kindly help.....

LDAP error 0x35(53 (Unwilling To Perform) in NTDSUTIL


I inherited this one.

Server was promoted to a DC in an existing single domain/forest that had one DC.

Client shut down old server without demoting or using metadata cleanup.

Client renamed new server to the name of the old server.

This broke AD/DNS/DHCP and where I got involved.

I was able to change the name of the server back to the name it had when it was promoted. NETDOM shows only the 1 FQDN of the server and AD/DNS/DHCP is working.

However, the original server still shows up in AD.  It has a different SID, different SPNs, etc.

The client still wants to rename the new server to the old name but the object exists in AD so that's not possible.

If I run ntdsutil and metadata cleanup I am unable to remove the DC and the error is 'LDAP error 0x35(53 (Unwilling To Perform)'.

Any idea what could be causing this now?


-=Chris

Migrate users with folder redirection to a new trusted domain


Hi Guys,

I am working on getting rid of the single-label domain I inherited.

Currently I have set up a test environment: a copy of our production domain, created a new domain DC, and set up a full trust between the domains.

For the migration, I tried using forensIT as recommended on another forum, but I'm having issues with the folder redirection; it's just not working.

The folder redirection for the test environment resides on an independent server, not a member of any domain, and available to anonymous users.

Users have their profile in the default domain, and after migrating to the new domain they no longer see their desktop.

Any advice? What's the best practice for moving users to the new domain?

Thanks!


DC migration caused a DNS outage. I don't know why it happened!


Hi,

Last weekend I migrated most of our DCs from Windows Server 2008 R2 to Windows 2012. The 2008 R2 servers were also DHCP servers. This role was migrated to a non-DC Windows 2008 R2 server during the migration. Most of the 2008 R2 DCs were demoted, replication took place, then new Windows 2012 servers were promoted using the old name/IP address.

At headquarters, we previously had two Windows Server 2008 R2 servers. I'll call them Headquarter-DC1 and Headquarter-DC2. Headquarter-DC2 was demoted but never shut down, nor had its DNS service stopped (a mistake on my part), which means it was configured with no zones. Headquarter-DC1 was demoted and then a Windows Server 2012 server was promoted with the same name/IP address as Headquarter-DC1.

When users came in Monday morning, they couldn't resolve hostnames. After checking DNS, I realized I hadn't removed Headquarters-DC2, which was the tertiary DNS server (and also had no DNS zones configured) given out by DHCP. After replacing the tertiary address, the clients started resolving hostnames again. I also restarted DNS during this time. Something to note is that before the tertiary was replaced and DNS restarted, some clients just started resolving on their own, while other clients logging in couldn't resolve hostnames until I made the changes noted above (about 15 minutes from when they booted up).

My question is: did the tertiary DNS server with no zone entries affect the clients' ability to resolve names even though the first two DNS servers were resolving names properly (which doesn't make sense to me)? Or is there another likely scenario I am missing?



Password Sync between two AD Forests


Hi,

I made a forest trust between two AD forests: old forest 2003, new forest 2012 R2. I migrated all users with ADMT, enabling SID history. All migrated users can browse a share in the old forest successfully.

I have many services (e.g. RADIUS) in the old forest that I can migrate only when all 300 computers are migrated to the new forest.

In this transition phase, I absolutely need to keep all users' passwords in the two forests in sync.

Which is the best way to accomplish this goal? Does a free product/script exist that can be scheduled?

Thank you and best regards.
