Greetings,

I have been doing some testing with gMSA Accounts in a Server 2012 R2 environment (two separate environments, actually), and I have noticed something very strange that occurred in both environments, which does not appear to be occurring in one of our customer's self-managed environments.

We created a Group Managed Service Account using the following article: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Everything went smoothly, and the account installs/tests successfully on both of the hosts that we are testing on. I am able to set my services to run under the account, and most of them appear to work fine. I am having some issues with a few of my services, and I believe that the strange behavior I am seeing may have something to do with this - described below: 

As soon as I set the service's Log On Account (via the Log On Tab under the Service's Properties), the entirety of the "Log On" tab changes to "greyed out," and I am unable to change the Log On account back via the GUI (Screenshot attached).

I found that I am able to successfully change the account via Command Line using sc.exe, but the Log On tab remains greyed out! So far, I have found nothing to remedy this, but confirmed that it happens for any service I set to use the gMSA as the Logon Account, and that it happens in 2 separate test environments, but not in a Customer's production environment - very strange.

All servers in this environment are running Server 2012 R2, and domain Functional Level is currently Server 2012.

I have been unable to find any information online about this behavior, so I am hoping someone has seen this before, and can explain why this is happening.

Nick

hi,

i have a problem with my active directory. when trying to open it the error below appears

Naming information cannot be located because: the specified domain either does not exist or could not be contacted.

help please!



So myself and a colleague have set up 2 separate domains we will call my ad.domain1.org and his is domain2.local we have been trying to do some learning experiences so we have our physical networks talking to each other i can reach devices in his network and he can reach devices in mine. So we set up a 2 way Forest trust and after doing that everything was working except on his side is has a CA so he was having an issue. If he would request a Cert for a website he runs or for a vmware server web interface it would give an error saying:

"The specified domain either does not exist or could not be contacted 0x8007054b (WIN32:1335 ERROR_NO_SUCH_DOMAIN) The Active Directory Containing the Certificate Authority could not be contacted"

but he can make requests for domain2.local and those would work but anything that is not domain2.local will fail with this error. 

After breaking the trust between the 2 domains he can request Certs for any domain. does anyone know what would cause this?

Also the next set we where looking at doing was trying to merge the 2 domains together but what we are trying to do is see if its possible for one of our domains to be the root domain and then merge the 2nd domain as a sub domain. is this possible to do?

We have an old Domain Admin account that we're retiring, the account has been disabled but seems to be requesting Kerberos tickets from one of the DCs, how can we track where or what is still using this account.

Below is the Event ID being generated:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 12/20/2016 16:54:53
Event ID: 4768
Level: Audit Failure
User:
Computer: DC3.domain.com

A Kerberos authentication ticket (TGT) was requested.

Account Information:
Account Name: AdminAcct
Supplied Realm Name: domain.com
User ID: S-1-0-0

Service Information:
Service Name: krbtgt/domain.com
Service ID: S-1-0-0

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x12
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 

Hi,

FYI: I'm trying to do this task on my at-home network which only has 5 physical machines (and soon any VM's that I create); so I am a domain admin and I have full control over everything...

I'm having trouble joining a new (non-headed) 2016 Server R2 Hyper-V to an existing 2003 domain.  I can ping both the 2003 DC machine and the domain name.  There are a few other machines already joined to the domain so I don't think the problem is with the DC.  attempts to add the machine to the domain result in "Failed to join domain".  The message is nicely worded but as far as a diagnostic message it is completely USELESS!!  So I have a few questions:

1. Can a 2016 Server even join a domain that was created/is hosted by a 2003 server DC? 
2. If so then might there be a better diagnostic somewhere in the event log?  If so does anybody know where in the event log I should look; the 2016 server event log has @100 sections - I'm guessing "Admin"?
3. If I resolve this issue is there a "best practice" for using the Hyper-V server itself or a VM as a domain controller so that I can retire my 2003 server?

Thanx in advance for your help!

--Richard

mooseandpebs

We are going to Migrate computers from Parent domain to newly created Child Domain with ADMT 3.2.Forest and domain functional level is Server 2008 R2.OS is Server 2012 R2.

Getting the following error after agent installation in ADMT unable to retrive dns inforamtion......

Computer Migrated to Child domain which is shown in AD User and COmputers in computers and also DNS entry for the Computers but after Reboot getting the following error on ADMT.

ERR2:7711 Unable to retrieve the DNS hostname for the migrated computer "Client Name. The ADSI property cannot be found in the property cache.
 (hr=0x8000500d)

Client Computer name are in both Domains also dns entries.

and on Sign in with Domain\User getting following error.

the Security database on the server does have computer account for this workstation trust relationship.

Also in both domain Below error shows in Event Viewer...

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=HOST/CLIENT19.abc.test.com
CN=CLIENT19,CN=Computers,DC=test,DC=com
CN=CLIENT19,CN=Computers,DC=test,DC=com Winerror: 8647

Hi,

There is  a requirement where we have two domains. Dev.com is production domain controller and oim.com is used for development test.User in oim.com need to access resources from Dev.com and Dev.com users must not be able to access the resources from OIM. Com ! The domain controller in OIM.COM was crashed few days back and there we had only one Domain Controller in OIM. Hence we have re imaged the DC ad promoted the server as DC again and were trying to reconfigure the external trust between OIM.com ad DEV.com

oim.com has only 1 DC - windows 2012 R2 ( functional level - windows 2008R2)

Dev.com has multiple DC - All windows 2008 R2 ( functional level - windows server 2003)

I have created an one way Outgoing trust from oim.com to dev.com and when I validate the trust from oim.com the trust validate successfully. But when I validate the trust from dev.com I am getting the error" windows cannot find active directory domain controller for oim.com.Vreify that ADDC is available and then try again.

I am able to ping domain controller from both domain vice versa and also I have created a conditional forwarder in oim.com for dev.com and added respective DNS IPs. Also in Dev.com Domain Controller I have added the DNS IP address of OIM.com in network properties. Also added Host records too.

Also When I tried creating trust from Dev.com I am getting only two option ( Realm Trust and Trust with windows domain ) , But from oim.com when I try creating trust I am able to get all options like external trust, type of trust etc.

Can anyone suggest how to fix the issue ?

Hi Guys,

We are moving our old infrastructure from hosting provider to AWS and we would like to create a new infrastructure as good as possible :) Due to this I have a lot of questions related with this. May I count on your help?

Scenario:
- For now around 30 windows servers (2012R2)
- around 200 servers based on Linux

We would like to us AD to:
- manage access to WinServers and in future to Linux Servers and others services in whole company
- configuration of windows servers 
- quickly deploy a new server for example for test env etc (for developers)

In AWS we would like to have two environments:
- PRODUCTION
- DISASTER RECOVERY

I have some questions related with this:

1) Should I create one AD or two sperarate? Use two domains? or one master and two child? DR and PROD will be in two AWS Regions. I don't want to have too large env because of administration work. 

2) Our naming convention for hostnames will be:
MACHINE.SERWERGROUP.AWSREGION.COMPANYNAME.COM - This will be for all our windows and linux servers. Where would you recommend me put DOMAINNAME? Or use one part of above example or hostname? 

3) Should i use typical instance of system (EC2) or user AWS Directory Service - do you have any experience with this?

4) What about replications between regions? 

Thanks,
Mateusz

I'm working to separate out an OU to a new domain. 

We have ADMT installed in the target domain using an account in the source domain that has full control at the OU level. The account has also been given access to migrate SID history at the top level of the source domain.

I get the error below unless I add the account to the builtin\administrators group on the source domain. Is there a way to migrate SIDHistory without admin access in the source domain? 

Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied. 

if you go into Computer Manager (on a remote machine) and drill down to:  Shared Folders \ Sessions what AD rights are required to end someone's session?    Does that require domain admin rights or can you grant limited rights and if so which rights?

mqh7

If I modify the default domain policys password complexity, are the changes immediate...meaning will all users be forced to change their password to meet new requirements, or will it take effect at their next password change?

If possible please supply Microsoft supporting documentation.

I want to find out what specifically updates the lastlogontimestamp for computers. I have read the other articles that are referenced numerous times, but they do not have the exact answer to these questions (there are wonderful and have lots of information, but not the information I need). Which of these scenarios does the lastlogontimestamp get updated for a computer (given the 14 days minus a random percentage of 5 days has passed and that number is greater than the current lastlogontimestamp):

When a domain computer is restarted and stays connected to the network does this update the lastlogontimestamp?

From my testing I can confirm that the reboot update the lastlogon, but no idea about lastlogontimestamp

When a domain computer is logged onto with a domain account by logging on locally?

From my testing this did not update the lastlogon and I have no idea about lastlogontimestamp

When a domain computer is logged onto with a domain account by logging on remotely using Windows Remote Desktop Connection?

From my testing this did not update the lastlogon and I have no idea about lastlogontimestamp

When a domain computer is logged onto with a local account by logging on locally?

From my testing this did not update the lastlogon and I have no idea about lastlogontimestamp

Are there SPECIFIC events that would cause the lastlogontimestamp to be updated? I need to tell our administrators this information so they have an understanding on what Microsoft considers a stale account

Trying to fix the issue with one RODC failing with the below error.

While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.

01/06/2017 09:45:14 [INFO] EVENTLOG (Warning): NTDS General / Replication : 1115
Outbound replication has been disabled by the user.

01/06/2017 09:45:14 [INFO] Replicating secrets for Read-only Domain Controller.
01/06/2017 09:45:16 [INFO] Error - While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC. (8639)
01/06/2017 09:45:16 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.



Additional Data

Error value (decimal):
-1073741823

Error value (hex):
c0000001

Internal ID:
3001806

tried, rejoining the computer to domain and retry with no luck. Tried changing the source DC for replication during promotion with no luck. Tried removing all PRP accounts while promoting with no luck. another computer in the same domain , promotion worked perfectly fine. There are no firewalls configured. ANy help appreciated.

Hello,

I am trying to evaluate our AD Sites and Services configuration that has not been touched in a long time to make sure it is configured correctly. The reason is I want to leverage AD Sites in SCCM Boundaries; so before I build on top of AD Sites I want to make sure it is valid and sane.

We have a main location which is our data center and 10 remote offices (some larger with 50-100 clients and others as small as 10 clients), connected with MPLS or IPSEC; so remote locations can reach the DCs for authentication over the WAN link just fine except if there is a connectivity issue; which we are OK with.

Main location has two Domain Controllers, one is our FSMO role owner, remote offices have a Windows server but no DC except one location; we do this to keep things simple and when it comes time to upgrade our DCs we don't have to update the OS on 10 servers to raise our schema level and the WAN traffic is acceptable.

So we have:

- Primary Site with 2 DCs, one has our FSMO role ownership

- Remote Office 1 has a DC

- Remote Office 2 (slow link) has a RODC

- Remote Offices 3 - 10 have no DCs, just a file server locally for shares, etc.

Currently in our AD Sites and Services we have 8 sites defined and we also have many Subnets defined and assigned to the corresponding sites. Not all of our remote offices have a site defined. 

1. What is the best practice around this in our scenario?
   
2. Should each remote office location be defined as a "Site" in AD Site and Services?
   
3. Should we create all the valid subnets for each remote location and assign them to the corresponding Site defined in #1?
   
4. What about Inter-Site Transports > IP? We have Site Link type definitions for each site it seems; is this correct even if those sites don't have DCs?
   

At some point long time ago we had DCs in all these sites, but have since de-complicated stuff and we only run a few DCs now. So I just want to make sure our configuration is valid.

Any AD experts out there?

Hello all, 

We have our domain name "OurCompany.com" as our On-Premise Domain.  We have four Domain Controllers, so in the DNS Zone "OurCompany.com" there are four (same as parent folder) equaled to the IP's of each Domain Controller.

Now here is our problem, we have our website "www.OurCompany.com" pointed to our webserver, but when we set a A Record for "OurCompany.com" to the website IP, in a browser it still resolves to the Domain Controller.  

Is there any fix to this?'

Thank you in advance, 

I hve two forest one is US domain Contoller and other is for india domain controller.

In US  domain Controller i config US time zone and for india DC i choose india Time zone

two way forest trust is created.

now on client machine. Client machine is join in india domain.

and doth DC user can login in india domain.

When india domain user login the time is correct But when US domain user login in this domain so time is not change

it still show india DC time.

my problem is this if US user login in india DC so time not change why....

Hello All,

i have pig issue in Active directory domain service, i have user every day her employeeID changes automatic to specific number & extensionAttribute15 in attribute editor and i can't find which application make this change from security log in event viewer, auditing enabled

thanks

I have a Windows server 2008 R2 Certificate Authority with templates published to AD.   When I use the Certificates MMC snapin pointed to the User store - I can request a Code Signing Certificate

However on the same computer I get an error "The Data is Invalid" when I select "Active Directory Enrollment Policy" and select next when attempting to enroll for a certificate. This is with the certificates Snapin point to "Local Computer"

The same error occurs when attempted on the CA itself

I have a second domain for which this all works - so I'm looking for guidance as to error logs to look at, settings to checkwhich would allow users to get a certificate for themselves but not a computer certificate.