Channel: Directory Services forum

dns server could not be contacted access denied


Hi,

A DC was shut down during maintenance, and after that problems started with replication, DNS, etc. The first problem I need to debug is that I cannot load the DNS console and DNS is not working.

There is an error message:

The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Service restart is not helping. How can I debug this problem?

Thanks.


Checking with my current Active Directory version?


Hi everyone,

Hope you are all doing well! Have not been in this for a while after all other IT incidents... and hope you can help :)

Currently I have one Active Directory domain, which has 9 domain controllers. 4 of them are running 2008 R2, and the rest are running Windows 2012 (not R2). I am also the person who upgraded their 2003 server to 2008 server. But I am not sure if I did the "active directory update"... or is it called "schema upgrade"... please help to correct me if I use the wrong terms.

Right now, I am trying to speed up getting rid of the Windows 2008 domain controllers. Let's say I upgrade all the domain controllers to 2012. Is this something I can do, or do I need to upgrade the Active Directory version, or schema, or whatever that is called?

How do I check what version I am at now?

Thank you for your help in advance.

Takami Chiro


best practices for migrating or transferring Primary DC as secondary DC


Need the best practices for migrating or transferring Primary DC as secondary DC and secondary DC as Primary DC.

Also please guide how the DNS will work once roles are transferred 

PDC - mydc1 (Windows 2008 R2)

SDC - mydc2 (2012r2Windo

Change pop-up message when user's password doesn't meet policy?


Hi there,

I've implemented the Pwned Passwords list (https://haveibeenpwned.com/passwords) as a password filter (https://jacksonvd.com/checking-for-breached-passwords-in-active-directory/) in my AD environment.  It works like a champ...

BUT, what is frustrating from a user standpoint is they may pick a password that *does* meet the Default Domain Password Policy, but is on the Pwned Passwords list.  And if they do that, the GUI message is still the exact same. 

Can the GUI message about "This password doesn't meet complexity requirements" be modified so I can also put a note in there about the fact that the user might be picking a known bad password?

Thanks,

Brian

In which site(s) should the Licensing Site Settings and TS-Enterprise-License-Server objects be?


Hi there,

Lately I had to replace our licensing server in our environment. This licensing server handles KMS activation (VA) and Terminal Services licenses.

Everything works well, but now I'm a bit confused about what I saw lately in AD Sites and Services. My question, simply put, is: in which sites should I expect the TS-Enterprise-License-Server and the Licensing Site Settings objects to be? Should they be under every one of my sites or only in the site where the server resides? Right now, some of the sites have the entries, some others don't. I fear my predecessors tried something by creating the entries themselves, but I'm not sure. And the most recent sites, that have been created in the last years, do not have the objects listed?

Additional Info

  • The environment is pretty simple, only one domain.
  • A DNS entry exists for location of the Licensing server. This one seems fine...
  • I have only one server with these roles in my environment.
  • The server could be moved using VMware SRM to another site. Should the objects mentioned above be created in this site as well?

Thanks a lot in advance for your replies!

RESET ADMINISTRATOR ACCOUNT PASSWORD


Hi,

Just want to ask what I should consider before resetting the password for the Administrator account in a domain.

Should there be any affected roles, services, etc.?

Thanks.



demote Windows 2003 server domain controller to file server

Good morning,

We have a mixed situation in the company, where there are still some Windows 2003 servers among the domain controllers.

These servers host the shares.

Is it possible to "demote" these servers and leave them only as file servers?

In practice they would no longer be domain controllers but only file servers (obviously they must remain domain-joined).

Once this is done, we should update the Active Directory in a homogeneous situation, i.e. with all DCs aligned to the Windows Server 2012 version.

Command adprep


Hi there,

Please, I have a question: I have a couple of Windows Server 2012 Active Directory servers in my infrastructure network. All of them are working OK. What happens if I just execute the "adprep" command, without doing anything else? Could it cause any problem in my infrastructure, or does it just prepare the forest for more features?

Thanks in advance,

Bye


is it possible to copy the password hash of a local account to another machine?


On Linux I can just copy the password hash of a user to another machine and this user can then login to that machine with the same password.
I as an administrator do not need to know the password.

Reason:
There is a functional account which we have on various machines for production purposes.
The password of this account does not expire and cannot be changed.
The machines in question operate in an isolated environment.

We need the account on new machines but the people who know the password must be limited so the admin should not know the password.
In the past we set up the local account with a temporary password and then require it to change on first use.
This involves manual interaction though and it does not allow automated processes to run before the password has been set correctly.

Thus I am looking for a way to clone the password hash to new machines like I can do on Linux.

4625: An account failed to log on--Source and target are the same computer.


Our SIEM is reporting that a disabled domain account is attempting to authenticate and failing. On a daily basis this is occurring over 1000 times. In the security event log for the server each attempt shows ID 4625:

An account failed to log on.

Subject:
    Security ID:            SYSTEM
    Account Name:           ComputerName$
    Account Domain:         OUR DOMAIN
    Logon ID:               0x3E7

Logon Type:                 3

Account For Which Logon Failed:
    Security ID:            NULL SID
    Account Name:           Disabled Domain Account
    Account Domain:         OUR DOMAIN

Failure Information:
    Failure Reason:         Account currently disabled.
    Status:                 0xC000006E
    Sub Status:             0xC0000072

Process Information:
    Caller Process ID:      0x254
    Caller Process Name:    C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:       SameComputerNameAsAbove
    Source Network Address: 192.168.xxx.xxx
    Source Port:            65473

Detailed Authentication Information:
    Logon Process:          Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services:     -
    Package Name (NTLM only): -
    Key Length:             0

What could be the source of these attempts? I think it has to do with cached credentials but cmdkey shows no cached credentials.  I see the login type is network, but how does that correlate to the other indicators showing it is the local machine as the source of the attempt?

thanks,
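An added example, not part of the original post: a small Python triage of a 4625 body shaped like the one above (constructed sample with placeholder host and account names) that decodes the Sub Status and checks the three indicators that point back at the reporting machine itself: the SYSTEM logon ID 0x3E7 in the Subject, a Workstation Name equal to the Subject computer account, and Logon Process Advapi.

```python
import re
# Constructed sample in the shape of the event quoted above (placeholder names).
SAMPLE_4625 = """Subject:
Account Name: FILESRV01$
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Account Name: svc_oldbatch
Failure Information:
Sub Status: 0xC0000072
Network Information:
Workstation Name: FILESRV01
Detailed Authentication Information:
Logon Process: Advapi
"""

# Well-known NTSTATUS values carried in the 4625 Sub Status field.
SUB_STATUS = {"0xc0000064": "user name does not exist", "0xc000006a": "bad password",
              "0xc0000072": "account disabled", "0xc0000234": "account locked out"}

def parse_4625(text):
    """Group 'Field: value' lines under the bare 'Section:' header they follow."""
    sections, current = {}, "Header"
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value:
            sections.setdefault(current, {})[key] = value
        else:
            current = key
    return sections

def triage_4625(text):
    """Decode the failure and test whether the request came from the host itself."""
    ev = parse_4625(text)
    def get(section, field):
        return ev.get(section, {}).get(field, "")
    host = get("Subject", "Account Name").rstrip("$").upper()
    f = {
        "target_account": get("Account For Which Logon Failed", "Account Name"),
        "reason": SUB_STATUS.get(get("Failure Information", "Sub Status").lower(), "unknown"),
        "logon_type": get("Subject", "Logon Type"),  # printed right after the Subject block
        # Logon ID 0x3E7 is the local SYSTEM session: LSASS on this host issued the request.
        "subject_is_local_system": get("Subject", "Logon ID").lower() == "0x3e7",
        "workstation_is_self": get("Network Information", "Workstation Name").upper() == host,
        # Advapi = a local process called LogonUser(); NTLM validated credentials that process supplied (hence type 3).
        "via_logonuser_api": get("Detailed Authentication Information", "Logon Process").lower() == "advapi",
    }
    f["local_stale_credential"] = all(f[k] for k in ("subject_is_local_system", "workstation_is_self", "via_logonuser_api"))
    return f
```

A hit on local_stale_credential points at a service, scheduled task, IIS application pool or stored credential on that host still carrying the disabled account, which is where to look rather than at a remote source.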

2012 R2 repadmin /syncall kerberos issues KRB5KDC_ERR_ETYPE_NOSUPP


Hello. I am working on a single-DC root forest domain with another single-DC domain in the same forest. I was trying to force the Kerberos tickets for a third-party app to use AES256 on the root domain via the group policies set here: https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/ . I was also using the computer account settings from that article.

Something seems to have gone wrong and on the root domain DC, DNS could no longer connect to AD with event ID 4000 registered in event logs. I also found replication between the root domain DC and the other domain's DC was no longer working. 

Running repadmin /syncall from the child domain DC I get 'Replication access was denied.' In a network trace I inspect the Kerberos traffic and see this:

TGS-REQ


In the response I get this:

I have removed all the group policy settings for kerberos encryption types and rebooted both DCs several times as well as run gpupdate. I've also manually gone into the computer account for the forest root domain server and noticed that it is only set to allow AES128 for some reason, and when I set it to allow RC4/AES128/AES256 (0x1c), it ends up reverting eventually. This might be because gpupdate is failing on the root domain computer and never taking away the disabled kerberos encryption policy I created.

Is there a setting somewhere that is overriding the encryption for the Kerberos tickets from the KDC? I've tried about everything I can find online: resetting computer account passwords, verifying DNS resolves (long story getting that in a functional order), etc. Very stuck on this, don't really want to have to recreate both domains.

DC offline and users are unable to login to ADC and giving DNS error


We took the DC offline to check whether users are able to log on through the ADC or not.

But we found users are unable to login through ADC and getting error USER LOGON SERVER NOT AVAILABLE. Also checked and found DNS is not resolving properly on client systems.

DC DNS IP 172.16.8.X

ADC DNS IP 172.16.10.X

nslookup before DC offline:

C:\Users\Administrator>nslookup dc.com
Server:  server1.dc.com
Address:  172.16.8.x

Name:    dc.com
Addresses:  172.16.8.x
          172.16.10.x

nslookup on client after DC offline, to check ADC status and found users unable to login.

C:\Users\Administrator>nslookup dc.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  172.16.8.x

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out


Using GPO to auto log in client PC's


I'm helping out a friend in his internet cafe and trying to work out how to configure a GPO for an OU to make all the customer PCs auto login to one account/password for all PCs in each group.

I'm trying to avoid setting each pc individually so if a change needs to be implemented it only needs to be done once instead of 70 times as it currently does.  (meaning more than just log in details)

Any searches I have done seem to indicate this might not be possible, so I thought I'd ask the Microsoft forum directly.

thanks

Issues with RODC in DMZ


Hi, 

I am following the guide (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller--rodc---level-200-#stage-rodc-workflow)  to install 2 RODC servers in our DMZ. 

All setup goes OK until I reach the Attach stage, then I get an error on both systems: 'The wizard cannot access the list of domains in the forest. The network path was not found.'

I can ping the default gateway, nslookup sees the primary domain controller, I have flushed the DNS, but the system always fails with the above error. Also, the Dfsrdiag command always fails.

Adding the A record in DNS did not fix either. 

Help please?  Thanks 

Does ADFS Server always need to communicate with PDC


Hello,

So I failed to configure ADFS because of the error "server not operational", and from here I found the answer that the ADFS server should be able to communicate (telnet 389) with the PDC. Okay, then we have to make another route to the PDC, which we shouldn't, based on company policy.

The question is: is communicating with the PDC only mandatory when configuring ADFS, so that after it is configured I can just connect to another DC (not the PDC)? Or does the ADFS server have to constantly communicate with the PDC?

Thanks


Password not Syncing


Hi,

I have reset a user's AD password in AD since it got expired. After that the user is not able to log in to his machine using the new password; it is still allowing the old password. Please note that it is synced with Office 365 email. Please let me know what the issue would be?

Thanks in advance,

Ramaiah C

Group Policy


Hi All,

I'm using Windows Server 2008 R2. Please let me know about a policy where I want to restrict users from changing the domain on their system. I mean to say, I want the workgroup option and domain option to be greyed out, so that they don't change the domain they are connected to on the workstation.

ESAE and Tier model approach - location of the privileged accounts and administrative workstations


I would like to clarify the Microsoft positioning concerning the location of the privileged accounts and administrative workstations with the ESAE and Tier model approach.

  • In one documentation found here, the privileged accounts and workstations are located inside the production forest:

  • However, the link provided as a reference for MIM above the figure in the previous documentation (Privileged Identity Management for Active Directory Domain Services (AD DS)) puts the administrative account for Jen (BASTION/Jen) in the forest dedicated to MIM (with PAM trust, thus SID history..., that's another story) to administer an HR database inside the production forest:

Can someone please confirm the location of the privileged accounts and administrative workstations with the ESAE and Tier model approach?


Configuring Default URL after Login


Hi everyone,

I would like everyone in my organization to be redirected to a default site in their browser immediately after login. Kind of like a default opening page, which is our Banknet. So does anyone know how I can get this done without having to go to each system individually?

Folder redirection does not work as expected


Hi

We have a strange issue: we have the Home folder in user profiles set as an H: drive mapped to \\servername\Home$\%username%, and it is mapped fine, and folder redirection set via Group Policy as "Setting: Redirect everyone's folder to the same location" and "Target folder location: Redirect to the user's home folder".

All PCs are windows 7, domain is windows 2008 and 2012

But folder redirection creates a "Documents" folder under \\servername\Home$ (rather than under \\servername\home$\username) and redirects into that folder.
Anybody had same issue?

Thanks
