Channel: Directory Services forum

kinit command is not able to fetch/read the C:\Windows\krb5.ini file on Windows Server 2012 R2


Hi

In order to get a Kerberos ticket, I have created a krb5.ini file (*1) on a Windows Server 2012 machine at the location C:\windows\krb5.ini, but while trying to execute the kinit command as the Administrator user the error below occurred:

Exception: krb_error 0 Could not load configuration file c:\winnt\krb5.ini (The system cannot find the path specified) No error
KrbException: Could not load configuration file c:\winnt\krb5.ini (The system cannot find the path specified)
        at sun.security.krb5.Config.<init>(Config.java:143)
        at sun.security.krb5.Config.getInstance(Config.java:75)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:137)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: java.io.FileNotFoundException: c:\winnt\krb5.ini (The system cannot find the path specified)

(*1) krb5.ini is as follows:

[libdefaults]
    default_realm = domain name
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_keytab_name = FILE:<keytab file location>
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
[realms]
    domain name = {
        kdc = machine name.domain name
        default_domain = domain name
    }

Please help.

Thank You
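Two things a practitioner would check on a krb5.ini like the one above: whether the file actually parses the way the Kerberos library expects (the [realms] section uses nested { } blocks that a plain INI parser does not understand), and whether it pins the client to deprecated encryption types (rc4-hmac is deprecated for Kerberos by RFC 8429). The JVM also accepts an explicit path through the java.security.krb5.conf system property, which sidesteps the question of which default location a given Java build looks in. The following script is an added example, not code from the original post or from the JDK: it parses the krb5 profile format, including nested realm blocks and repeated kdc lines, and reports weak enctypes and a realm with no reachable KDC. The sample profile and all names in it (EXAMPLE.COM, dc1.example.com) are constructed for the example.

```python
import re

# Enctypes deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def _store(table, key, value):
    """Store a key; a repeated key (for example several kdc = lines) becomes a list."""
    if key in table:
        if not isinstance(table[key], list):
            table[key] = [table[key]]
        table[key].append(value)
    else:
        table[key] = value


def parse_krb5_profile(text):
    """Parse the krb5.ini / krb5.conf profile format into nested dicts.

    Handles [section] headers, key = value lines, comments starting with # or ;,
    and the key = { ... } blocks that [realms] uses, at any nesting depth."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = root.setdefault(header.group(1).strip(), {})
            stack = [section]
            continue
        if not stack:
            raise ValueError("key/value before any [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected key = value: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            _store(stack[-1], key, block)
            stack.append(block)
        else:
            _store(stack[-1], key, value)
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return root


def lint_krb5_profile(profile):
    """Return human-readable findings: a realm without a KDC source, and deprecated enctypes."""
    findings = []
    libdefaults = profile.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("libdefaults has no default_realm")
    else:
        realm_block = profile.get("realms", {}).get(realm, {})
        dns = str(libdefaults.get("dns_lookup_kdc", "false")).lower() in ("true", "yes", "1")
        if "kdc" not in realm_block and not dns:
            findings.append("no kdc for realm %s and dns_lookup_kdc is off" % realm)
    for key in ENCTYPE_KEYS:
        value = libdefaults.get(key)
        if value is None:
            continue
        values = value if isinstance(value, list) else [value]
        for entry in values:
            for enctype in str(entry).replace(",", " ").split():
                if enctype.lower() in WEAK_ENCTYPES:
                    findings.append("%s allows deprecated enctype %s" % (key, enctype))
    return findings


# Constructed sample profile; realm and host names are placeholders, not from the post.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac   ; RC4 kept for an old app
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        default_domain = example.com
    }
"""

if __name__ == "__main__":
    profile = parse_krb5_profile(SAMPLE_KRB5_INI)
    print("KDCs:", profile["realms"]["EXAMPLE.COM"]["kdc"])
    for finding in lint_krb5_profile(profile):
        print("finding:", finding)
```

Running it prints the two KDCs and two findings, one per enctype key that still lists rc4-hmac. Repeated keys are kept as lists on purpose, because the order of kdc lines is the order the library tries them in.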


Can I have multiple domains in a Server 2012 R2


Hi,

I need to know whether I can have multiple domain names in a single Active Directory server.

Or can I create multiple forests on a single domain controller?

For example: Technet.com, Technet.in, Windows.com & Windows.in.

Thanks & Regards,

D.Nithyananthan.

Removing permissions to view objects in an OU to Authenticated Users


Hi,

On an OU, I removed the ability for Authenticated Users to List Contents. When checking the effective access, it shows that List Contents is denied for my test user.

However, if I open ADUC as the test user, or run a PowerShell Get-ADUser command against the OU, I am still able to retrieve the user accounts in that OU.

What am I missing?

Best regards,

How to check if clients still use SSL2, SSL3 prior disabling vulnerable protocols?


Hi folks!

One of the customers I'm supporting is planning to disable the vulnerable SSL2 and SSL3 protocols on their domain controllers. The challenge is to make sure that the clients already use TLS and nothing will be impacted. Is there a way to enable some logging or tracing to find out whether some clients still use SSL2 or SSL3?

Thank you in advance!


MSA Account's password change causes failure to connect to SQL DB


Hey,

I have an MSA account which runs an IIS application pool in my organization.

It seems that every 30 days, when the MSA account automatically resets its password, the site cannot connect to the SQL DB (this DB is located in a different AD forest; a trust exists).

This is the error: the login is from an untrusted domain and cannot be used with Windows authentication.

Mostly after about 10-15 minutes the problem resolves itself (maybe the connection is reopened, not sure).

1. Is the gap caused by replication between DCs? As far as I am aware, when a trust exists, the DB server should query the DCs of the trusted domain in case the authentication failed (I could be wrong here); I am trying to see if the problem is replication here.

2. When the MSA account changes its password and there is an open connection to the SQL DB, is the connection expected to fail because of the password change? Must I force the IIS application to close the connection and reopen it somehow?

This happens on multiple MSA accounts, on multiple IIS servers, in multiple environments, with different OS versions; some environments have Server 2008 R2 and some have 2012 R2.

Thank you for your help!

Having problem upgrading, after demoting all but one DC


This has been a nightmare. I have a small home network that I used to use for supporting clients, but over the years it now only has two 2003 servers: a DC that I demoted to a stand-alone web server, and the former e-mail server that is now only a DC. I was actually trying to upgrade to 2008, and eventually 2012/16, but because 2008 would not work without an ADPREP of the AD, I encountered a whole host of DNS issues, all of which I eventually fixed except a VerifyEnterpriseReferences failure.

I tried to follow several online ADSIEdit/LDP instructions, but am having difficulty with the repair of the records. I had first transferred the FSMO roles & GC (all 5 categories) to the remaining DC (Mail01), then tried a regular demotion of the DC (Web01), and finally did a FORCED demotion. I then went in and cleaned up DC entries within "Users & Computers", not realizing that FRS was also going to have issues too.

The only errors I am having after running a clean NetDiag -v and a DCDiag -v /Fix are:

Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN
         references.  Note, that  these problems can be reported because of latency in
         replication.  So follow up to resolve the following problems, only if the same
         problem is reported on all DCs for a given domain or if  the problem persists
         after replication has had reasonable time to replicate changes.
            [1] Problem: Missing Expected Value
             Base Object:
            CN=WEB01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=com
             Base Object Description: "SYSVOL FRS Member Object"
             Value Object Attribute Name: frsComputerReference
             Value Object Description: "DC Account Object"
             Recommended Action: Check if this server is deleted, and if so clean up this
            DCs SYSVOL FRS Member Object.  Also see Knowledge Base Article:  Q312862

            [2] Problem: Missing Expected Value
             Base Object:
            CN=WEB01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=com
             Base Object Description: "SYSVOL FRS Member Object"
             Value Object Attribute Name: serverReference
             Value Object Description: "DSA Object"
             Recommended Action: Check if this server is deleted, and if so clean up this
            DCs SYSVOL FRS Member Object.  Also see Knowledge Base Article  Q312862

         ......................... MAIL01 failed test VerifyEnterpriseReferences

Then I ran the NTFRSUTL DS command with these results:

NTFRS CONFIGURATION IN THE DS
SUBSTITUTE DCINFO FOR DC
   FRS  DomainControllerName: (null)
   Computer Name            : MAIL01
   Computer DNS Name        : mail01.mydomain.com

BINDING TO THE DS:
   ldap_connect     : mail01.mydomain.com
   DsBind     : mail01.mydomain.com

NAMING CONTEXTS:
   SitesDn    : CN=Sites,cn=configuration,dc=mydomain,dc=com
   ServicesDn : CN=Services,cn=configuration,dc=mydomain,dc=com
   DefaultNcDn: DC=mydomain,DC=com
   ComputersDn: CN=Computers,DC=mydomain,DC=com
   DomainCtlDn: OU=Domain Controllers,DC=mydomain,DC=com
   Fqdn       : CN=MAIL01,OU=Domain Controllers,DC=mydomain,DC=com
   Searching  : Fqdn

COMPUTER: MAIL01
   DN   : cn=mail01,ou=domain controllers,dc=mydomain,dc=com
   Guid : 04942f68-4854-4959-b3646eb91c9ced79
   UAC  : 0x00082000
   Server BL : CN=MAIL01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
   Settings  : cn=ntds settings,cn=mail01,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=mydomain,dc=com
   DNS Name  : mail01.mydomain.com
   WhenCreated  : 9/10/2007 16:36:54 Central Standard Time Central Daylight Time [360]
   WhenChanged  : 1/6/2017 5:14:48 Central Standard Time Central Daylight Time [360]

   SUBSCRIPTION: NTFRS SUBSCRIPTIONS
      DN   : cn=ntfrs subscriptions,cn=mail01,ou=domain controllers,dc=mydomain,dc=com
      Guid : 184aed6a-a860-41e2-8d82042d2de3da73
      Working       : c:\windows\ntfrs
      Actual Working: c:\windows\ntfrs
      WhenCreated  : 9/10/2007 16:50:57 Central Standard Time Central Daylight Time [360]
      WhenChanged  : 9/10/2007 16:50:57 Central Standard Time Central Daylight Time [360]

      SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
         DN   : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=mail01,ou=domain controllers,dc=mydomain,dc=com
         Guid : b06a53cb-6f6b-4c90-81d2ef2c73035bb3
         Member Ref: (null)
         Root      : c:\windows\sysvol\domain
         Stage     : c:\windows\sysvol\staging\domain
         WhenCreated  : 9/10/2007 16:50:57 Central Standard Time Central Daylight Time [360]
         WhenChanged  : 9/10/2007 16:50:57 Central Standard Time Central Daylight Time [360]
   MAIL01 IS NOT A MEMBER OF ANY SET!

Any ideas on how I could fix this?

I was also setting up VMware Workstation, and installed a 2008 Server on that, but was also unable to DCPROMO that machine to a DC, as it is not detecting a completed ADPREP on Mail01 either!

Sincerely,

John in Chgo....

  

Cannot remove user from AD, access is denied


I'm trying to remove a user from our AD using ADSIEdit but I get this error:

Operation failed. Error code: 0x5 Access is denied.
00000005: SecErr:DSID-031A1256, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

I removed all permissions, made myself owner and gave myself full permissions, but I still get the same error.

Somehow the user is messed up because it isn't visible in Users and Computers. When I check the account properties I also noticed that the sAMAccountType is 805306370 (TRUST_ACCOUNT).


TombstoneLifetime values recommended


Hi community.

I would like to get your advice/feedback on increasing the tombstone lifetime value. From a security approach I think there are benefits for:
- data retention (for certain kinds of objects)
- forensics and replication metadata analysis

And cons like:
- AD DB white space / size
- backup and restore

My customer uses a WS 2012 R2 box with TSL set at 180 days (default value) and the AD Recycle Bin is enabled.
What do you think if TSL is increased to 365 days?

Thanks in advance.


Kévin KISOKA - MCITP Entreprise Messaging Administrator, MCTS Hyper-V Server Virtualization I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights.


Inconsistent share access on a file server that was a domain controller which exceeded the tombstone lifetime (forcibly demoted)


hello everybody

I have an issue with the shares on my file server; the shares are not consistent.

nslookup of the server by name works (not FQDN).

When I access it with the name only, \\servername\, it fails with access denied.

When I access it with the FQDN it succeeds, but sometimes, rarely, it fails with access denied.

When I access it by IP it succeeds, but sometimes fails with access denied.

The user I'm using is a domain admin, and in the security tab of the shares local administrators have full control and my user also has full control.

I don't know what's going on, please help.

This file server was also a domain controller that exceeded the tombstone lifetime.

This problem occurred when I forcibly demoted the DC.

Verification of replica failed. The Wizard cannot access the list of domains in the forest


Hello,

I have DC2 (MBDC) and DC1. DC2 was the primary domain controller and was holding DNS, AD DS and DHCP; the operating system of DC2 was Windows 2008. DC2 was damaged due to an electricity shortage. I seized the FSMO roles on DC1 and then transferred the roles to DC1; DC1 was already the alternate DNS.

Now AD is not connecting in Exchange Server 2007 (mail.macca.org.af), and I am not able to join a new computer to the domain. I have prepared a new server and want to promote it as a domain controller, but I get this message during DCPROMO.

Verification of replica failed. The Wizard cannot access the list of domains in the forest. The network path was not found.

Please help.

Thanks,

Zilgai

msDS-UserPasswordExpiryTimeComputed returning "01.01.1601 01:00:00" for most users


Good Day!

I've just noticed that this command:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | CLIP

returns lines like this for most of my users:

DisplayName         ExpiryDate
-----------         ----------
FirstName Givenname 01.01.1601 01:00:00

By "most" I mean almost all of them. The only exceptions are users with Domain Admin rights and two (imo) random users.

Logon and such works as always.

I can't imagine what could have caused this. I've been playing around with our password-expiration-reminder script, but I wouldn't know how it could be the reason.

The attribute "pwdLastSet" is fine for all users.

Resetting the password via ADUC creates a "right" msDS-UserPasswordExpiryTimeComputed value.

Do you have any idea what causes this?

Thanks!
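The date in the post is not a timestamp at all: msDS-UserPasswordExpiryTimeComputed is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so a raw value of 0 converts to the epoch itself, and [datetime]::FromFileTime renders it in local time, which in a UTC+1 zone is 01.01.1601 01:00:00. The other special value is 0x7FFFFFFFFFFFFFFF, which AD returns for passwords that do not expire and which overflows most date types. The script below is an added example, not code from the original post or from the AD PowerShell module: it converts the attribute the way a reporting script should, treating 0 and the maximum sentinel as flags rather than dates, and lists the users whose computed expiry is 0. The user records are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

ATTR = "msDS-UserPasswordExpiryTimeComputed"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF  # sentinel AD returns when the password does not expire
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 expressed as FILETIME (11644473600 s * 1e7)


def filetime_to_datetime(filetime):
    """FILETIME -> timezone-aware UTC datetime.  FromFileTime(0) is the 1601 epoch,
    which is exactly the 01.01.1601 01:00:00 (local time, UTC+1) seen in the post."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def interpret_expiry(value):
    """Map a raw attribute value to a label; 0 and the max sentinel are flags, not timestamps."""
    if value is None:
        return "attribute not returned"
    filetime = int(value)  # some tools hand the attribute back as a string
    if filetime < 0:
        return "invalid (negative)"
    if filetime == 0:
        return "unset (FILETIME 0)"
    if filetime >= NEVER_EXPIRES:
        return "never expires"
    try:
        return "expires " + filetime_to_datetime(filetime).strftime("%Y-%m-%d %H:%M:%S UTC")
    except OverflowError:  # beyond year 9999: effectively never
        return "never expires"


def expiry_report(users):
    """One (DisplayName, label) pair per user record."""
    return [(user.get("DisplayName"), interpret_expiry(user.get(ATTR))) for user in users]


def unset_users(users):
    """The case from the post: users whose computed expiry is 0 and therefore renders as 1601."""
    return [user["DisplayName"] for user in users
            if user.get(ATTR) is not None and int(user[ATTR]) == 0]


# Constructed sample records in the shape Get-ADUser -Properties returns.
SAMPLE_USERS = [
    {"DisplayName": "Alice Example", ATTR: 131277024000000000},   # 2017-01-01 00:00:00 UTC
    {"DisplayName": "Bob Example", ATTR: 0},                      # renders as 01.01.1601
    {"DisplayName": "svc-backup", ATTR: 0x7FFFFFFFFFFFFFFF},      # PasswordNeverExpires
    {"DisplayName": "Carol Example"},                             # attribute not returned
]

if __name__ == "__main__":
    for name, label in expiry_report(SAMPLE_USERS):
        print("%-15s %s" % (name, label))
    print("users with an unset expiry:", unset_users(SAMPLE_USERS))
```

A reporting script that converts blindly turns every one of these special values into a misleading date; checking for 0 and the sentinel first makes the "1601" users stand out as a group to investigate rather than as users with an ancient expiry date.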


Who has joined the computer to the domain??


Hi 

Desktop engineers add computers to the domain, and the computer gets added to the domain at the root. But these computers need to be moved to a specific region OU group.

Since this was not maintained properly, there are 60 computers under the root computer OU. Now the challenge: I need to move these computers to the particular regional OU.

So I need to know who has joined those computers to the domain, so that I can assign the task of moving the computer to the particular OU.

How can I find the name of the engineer who has joined the computer to the domain?

Thanks

Venky
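When a user without explicit create-child rights joins a machine (consuming their ms-DS-MachineAccountQuota allowance), AD stores that user's SID on the computer object in the mS-DS-CreatorSID attribute; when an administrator or a delegated account does the join, the attribute stays empty and the DC's security log is the only record (event 4741, "A computer account was created", names the subject). The attribute comes back from LDAP as a binary SID, so the script below, an added example and not code from the original post or from any Microsoft tool, decodes the binary SID format (revision, sub-authority count, 48-bit identifier authority, little-endian sub-authorities), resolves it against a name table, and reports the joiner per computer. The domain SID, account names and computer records are constructed for the example.

```python
import struct


def sid_bytes_to_string(blob):
    """Decode a binary SID as stored in mS-DS-CreatorSID / objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then `count` little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length %d does not match sub-authority count %d" % (len(blob), count))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string; used here to build the sample data."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("bad SID string %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def resolve_creator(computer, sid_lookup):
    """computer: dict of LDAP attributes for one computer object.

    Returns the account named by mS-DS-CreatorSID, the raw SID string when it
    cannot be resolved (e.g. a deleted account), or None when the attribute is
    absent, which means the join was done with explicit create-child rights."""
    blob = computer.get("mS-DS-CreatorSID")
    if blob is None:
        return None
    sid = sid_bytes_to_string(blob)
    return sid_lookup.get(sid, sid)


def creators(computers, sid_lookup):
    """Map computer name -> joiner for a batch of computer objects."""
    return {c["name"]: resolve_creator(c, sid_lookup) for c in computers}


# Constructed sample data: a made-up domain SID, two accounts, and three computer objects.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_LOOKUP = {
    DOMAIN_SID + "-1105": "CONTOSO\\jdoe",
    DOMAIN_SID + "-1106": "CONTOSO\\asmith",
}
SAMPLE_COMPUTERS = [
    {"name": "LAPTOP-0001", "mS-DS-CreatorSID": sid_string_to_bytes(DOMAIN_SID + "-1105")},
    {"name": "LAPTOP-0002", "mS-DS-CreatorSID": sid_string_to_bytes(DOMAIN_SID + "-1106")},
    {"name": "LAPTOP-0003", "mS-DS-CreatorSID": sid_string_to_bytes(DOMAIN_SID + "-1199")},  # account since deleted
    {"name": "LAPTOP-0004"},  # joined by an account with create-child rights: no creator SID stored
]

if __name__ == "__main__":
    for name, joiner in creators(SAMPLE_COMPUTERS, SID_LOOKUP).items():
        print(name, "->", joiner if joiner else "no creator SID (check event 4741 on the DCs)")
```

The lookup table stands in for resolving the SID through the directory (in PowerShell the same step is `[System.Security.Principal.SecurityIdentifier]::Translate`); the point of the example is the attribute's format and the two cases, resolved and absent, that a report has to distinguish.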


How to move DNS from Bind to Windows Server?


Hi,

Today we have our DNS servers running on Linux BIND; the DNS zones for AD are also running on BIND. But now we want to move this to AD-integrated zones running on the domain controllers. My plan is to migrate the forward zone by first setting it up as a secondary zone so that it will have the content from the BIND zone migrated. BUT on the BIND side we also have the 4 special zones with resource records (_msdcs, _sites, _tcp and _udp), and my question is: how can I migrate these zones to Windows DNS? Or will the content of these zones be created automatically by the system?

Regards,

Thor-Egil



Rights to change passwords & to move users from a specific OU to a specific OU


I have to assign rights to my technicians to change passwords & to move users from a specific OU to a specific OU.

They can only view the specified OU they have to work in. All others are hidden or restricted for the technician.

Please Guide. 


Design and deploy fresh Active Directory infrastructure - Questions


Hi Guys,

We are moving our old infrastructure from a hosting provider to AWS and we would like to create a new infrastructure that is as good as possible :) Due to this I have a lot of questions related to it. May I count on your help?

Scenario:
- For now around 30 windows servers (2012R2)
- around 200 servers based on Linux

We would like to use AD to:
- manage access to Windows servers and, in future, to Linux servers and other services in the whole company
- configure Windows servers
- quickly deploy a new server, for example for a test env etc. (for developers)

In AWS we would like to have two environments:
- PRODUCTION
- DISASTER RECOVERY

I have some questions related with this:

1) Should I create one AD or two separate ones? Use two domains? Or one master and two children? DR and PROD will be in two AWS regions. I don't want to have too large an env because of the administration work.

2) Our naming convention for hostnames will be:
MACHINE.SERWERGROUP.AWSREGION.COMPANYNAME.COM - this will be for all our Windows and Linux servers. Where would you recommend I put DOMAINNAME? Or use one part of the above example or hostname?

3) Should I use a typical system instance (EC2) or use AWS Directory Service - do you have any experience with this?

4) What about replication between regions?

Thanks,
Mateusz


How to Limit Rows in ADO query from Active Directory for SQL or Crystal Reports


How do I limit the number of rows displayed with a SQL command or syntax statement? I have tried LIMIT but that does not work.

SELECT CN, OperatingSystem

FROM 'LDAP://DC=domain,DC=edu' WHERE objectClass='computer'

LIMIT 900

OR 

SELECT CN, OperatingSystem SELECT TOP 100 CN FROM 'LDAP://OU=EUC_Devices,OU=CHMC,OU=SCAL,OU=Regional_Sites,DC=domain,DC=edu' WHERE objectClass='computer'

OR

SELECT TOP 100 CN, OperatingSystem FROM 'LDAP://OU=EUC_Devices,OU=CHMC,OU=SCAL,OU=Regional_Sites,DC=domain,DC=edu' WHERE objectClass='computer'

Authentication through 3 Forests


Hello,

I have the following trust setup and having issues with authentication.

Trust Scenario:

Forest A > Forest B > Forest C

The users reside in Forest A and I can RDP into Forest B with the Forest A credentials, but when I try to RDP from Forest B to Forest C with creds from Forest A I get an authentication error (Code: 0x80004005). Am I missing something here? Or is the scenario I'm describing not possible?

How to remove an orphaned domain trust user account


I see an account under the Users container, named XYZ$; its userAccountControl attribute is set to 2080 (PASSWD_NOTREQD | INTERDOMAIN_TRUST_ACCOUNT). I assume this account was used for some sort of domain trust relationship; however, it was created years ago and nobody recalls. I would like to remove this account. One odd thing I noticed is that the lastLogonTimestamp is unexpected: it contains a value from one year ago. I am not sure how that could be, but either way that is a fairly long time ago (by logon standards for anything that should be actively used). I would like to remove this account, but keep getting permission denied no matter what I try.

Using the command line, how do I apply admin rights (privileges) to a user?

Hello everyone,

Windows Server 2012 R2 , Active Directory

Sometimes I need to give admin rights (privileges) to a user, so he/she can install software and applications, run as administrator, etc. on his/her laptop.

The laptop is already bound to Active Directory.

With the GUI this is what I do, and it works great, no problem:

Start MMC
File
Add Remove Snap In
Local user and Group
Add
Save Console to the Desktop

Right-click the console that I just saved and select Run as Administrator
I put in my credentials, because I am a Domain Admins user.
I select Local Groups
Groups
Administrators
and finally I add the user name as an administrator for his/her laptop
I select OK and Apply, and that's it.

Question: how can I do all the above with the command line?

Thank you so much, and thank you so much in advance for your help.