Hi all,

I'm facing an issue about "site mapping" of 2 of our workstations, teh 2 of mines...

I use different management consoles or shells from both of my 2 workstations to managing AD based applications, and for an unknown reason several of these tools have stop working for approximately 1 month. Example of these tools are Exchange Management Shell, Exchange Toolbox, CodeTwo Exchange Rules Pro.

When I attempt to use EMS : 

I have to specify the Exchange Server that I want to connect to.

When I use CodeTwo Exchange Rules Pro and I try to make rules based on OU, nothing happen whereas I should get a dialog box to browse AD.

When I run the command "nltest /dsgetsite" on these 2 workstations, I get :

"Cannot get the domain controller name : Status = 1919 0x77f ERROR_NO_SITENAME".

I tested this command on several other workstations in the same AD site and all is good.

Would you have an idea about this issue ?

Thank you.

Regards,

FXE

Hi,

we have trouble with in scure LDAP connections between Linux computers and DCs. We are in the migration phase and have in our AD some W2K16 DCs and some W2K8R2 DCs.

If any Linux computer tries to access any DC in Active Directory, DC send RESET ACK. I set logging level higher on DCs and found following two Event ID in each LDAPS access:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          17.07.2018 14:24:54
Event ID:      2085
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC1.mydomain.com
Description:
Internal event: An LDAP over Secure Sockets Layer (SSL) connection could not be established with a client. 
Client network address:<LINUX IP ADDRESS>:45308 
Protocol:
TCP 
Additional Data 
Error value:
2148074289 The client and server cannot communicate, because they do not possess a common algorithm. 
Internal ID: c05086b

--------------------------

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          17.07.2018 14:24:54
Event ID:      1216
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      DC1.mydomain.com
Description:
Internal event: An LDAP client connection was closed because of an error. 
 
Client IP:
<LINUX IP ADDRESS>:45308 
Additional Data 
Error value:
3 The system cannot find the path specified. 
Internal ID:
c0605fa

We deployed LDAPS on DCs correctly and I checked all the configuration many times. I am not sure if the problem a client certificate problem.

I read many articles about this issue. I created new certificates (on DCs and clients), applied GPO for chipher oders, etc. But I could not solve the problem. 

DCs have no problem internally using LDAPS (ldp.exe tested) and with other Windows computers...

Here are some articles which I read/applied them:

https://docs.microsoft.com/de-at/windows/desktop/SecAuthN/tls-cipher-suites-in-windows-10-v1607

https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate

https://support.microsoft.com/en-us/help/4032720/how-to-deploy-custom-cipher-suite-ordering-in-windows-server-2016

Has anyboday experiences with this issue?

Best regards

Birdal

The domain functional level is 2008.

I have set a Fine Grained Password Policy with maximum password age of 30 days along with other settings that are similar to existing password policies.  I set the precedence number to a lower number so it would have higher precedence than any other pso.

It is applied to a security group.  I have checked each member of the security group effectivepso using the dsquery command and each group member shows the effecitvepso as the one configured with the new password policy maximum password age set as 30:00:00:00.

However, when I run the command net user username /domain on any of those users, the "Password expires" field still shows a date that is more than 30 days in the future.  This indicates that the policy is not being enforced.

What could be causing this issue?

I have tried doing gpupdate /force and it has not changed the output of the net user command.

I reran the querey dsquery user -samid username | dsget user -effectivepso

and now it only lists the result as "effectivepso" instead of the actual pso name.

Having an odd issue. In a non-administrative Powershell window, when I run Get-ADUser to find certain AD properties, it will not show many of the properties of standard users. See example below--PasswordLastSet is blank. However, it will show these properties of users who are in our "IT Department" OU (i.e. domain admins and power users) in the non-administrative Powershell window. 

If I run Powershell in administrative context, I can read all of these properties for any user whether they are standard users or in the IT Department OU. 

Get-ADUser jdoe -Properties passwordLastSet


DistinguishedName : CN=Jon Doe,OU=MainOffice,OU=Users,OU=Contoso,DC=domain,DC=com
GivenName         : Jon
Name              : Doe
ObjectClass       : user
ObjectGUID        : bfccf323-af6a-4b2f-a4b2-57719a87aa47
PasswordLastSet   :
SamAccountName    : jdoe
SID               : S-1-5-21-481090648-2447267674-3307774631-5532
Surname           : Doe
UserPrincipalName : jdoe@domain.com

Über Random

Hi,

We have two Win2K12 R2 DCs in Azure, we created azure site to site vpn with new on-premise datacenter, we can ping from on-premise standalone server to DC in azure. When we try to promote a server in the new datacenter to a domain controller, we received the below error at prerequisites check:

Verification of outbound replication failed, error reading the NTDS settings on replication source domain controller server.domain.com, the RPC server is unavailable

I think RPC traffic is getting blocked or filtered at network level (reference to this link: http://blogs.technet.com/b/askds/archive/2009/01/22/using-portqry-for-troubleshooting.aspx) as if I run PortQuery tool on the server to be promoted and query "Domains and Trusts" with DC IP in azure as the destination, output is below:

TCP port 135 (epmap service): NOT LISTENING

Network engineer says everything is open on the firewall, no ports nor security restriction is there however I am not sure how to convince him of my finding; in my search for this problem I found an article says that you may need to disable "Enable Restrict RPC Compliance" on the firewall as may affect RPC traffic between DCs in different sites but network guy says there is no such setting on the firewall (it is fort iGATE)

Can you help more in troubleshooting this issue?

Notes: 1. For every server in the on-premise datacenter, when I try to join to domain (DNS is DC in azure), I receive the same error (RPC is unavailable).

Hi,

we have Windows 2012 DC on a 2008 Functional level.

Each Kerberos request is generating two 4769 Events. The fist one is missing the Logon GUID and Sercive ID and therefore fails.

A Kerberos service ticket was requested.

Account Information:
	Account Name:		
	Account Domain:		
	Logon GUID: {00000000-0000-0000-0000-000000000000}

Service Information:
	Service Name:		
	Service ID: NULL SID

Network Information:
	Client Address: <ip_address>
	Client Port: <port_no>

Additional Information:
	Ticket Options: 0x40810000
	Ticket Encryption Type: 0xFFFFFFFF
	Failure Code: 0x1B
	Transited Services: -

The next event is also 4769

Account Information:
        Account Name: <name>
        Account Domain: <domain> Logon GUID: {1027c6be-21cf-44dc-7c64-38eabfb2f614}

Service Information:
        Service Name: <service_name>
        Service ID: <service_id>

Network Information:
        Client Address: <ip_address>
        Client Port: <port_no>

Additional Information:
        Ticket Options: 0x40810008
        Ticket Encryption Type: 0x12
        Failure Code: 0x0
        Transited Services: - 

Because of the Failiure Code of 0x1B (means: KDC is unavailable) these Events are interpreted as Auth Failiures by the SIEM.

I've seen this question (https://social.technet.microsoft.com/Forums/windows/de-DE/3aea2937-b116-4a86-aebc-fc529452125d/event-4769-flooding-security-logs-2008r2) with a different Failiure Code but we have no clients eralier than 2008 in our network.

Maybe this is a client configuration error, because the fist event has no valid Logon GUID ans Service ID.

Anyone had the same problm and was able to solve this?

Hi,

I wanna to create

1. Domain Controller + DNS - 192.168.10.0/29

2. Client Site A - 192.168.20.0/24

2. Client Site B - 192.168.30.0/24

How to setup Active Site and Services, DNS Configuration.

Please, Help Me.

Thanksssssssss,

I am planning to run some test around Resourced based Constrained Delegation.  I came across a statement to have a  Two way Trust between Domains\Forest in order to implement Resource based Constrained Delegation.

Domain A User

Domain A Server

Domain B Resource

So if Domain B has a One way Trust with Domain A, where Domain B is Trusting and Domain A is Trusted, wouldn't it be sufficient? Is it a Must to have a Two Way Trust?

Hi,

We have a Win 2012 R2 Domain environment, and we have join to domain win 2008 servers running application. We have implemented IBM QRadar solution, we are pulling the logs by  MSRPC Protocol.

By using Domain administrator account i can pull the event logs for all servers (Win2012R2, Win2008)

I have create a separate account for this activity user1 and add it to the Event Reader Group in Active Directory

By using User1 account i can pull the logs from win2012r2 but unable to pull event logs from win2008

Do we have to give some other privileged or do we have to do some more additional settings like GP ........

Thanks In advance.

Hi there,

Lately I had to replace our licensing server in our environment. This Licensing server handlesKMS activation (VA) and Terminal Services licenses.

Everything works well, but now I'm a bit confused about what I saw lately in AD Sites and Services. My question, simply put is, in which sites should I expect theTS-Enterprise-License-Server and the Licensing Site Settings objects to be? Should it be under every of my sites or only in the site where it resides. Right now, some of the sites have the entries, some others don't. I fear my predecessors tried something by creating the entries themselves but I'm not sure. And most recent sites, that have been created in the last years, do not have the objects listed..?.?

Additional Info

• The environment is pretty simple, only one domain.
• A DNS entry exists for location of the Licensing server. This one seems fine...
• I have only one server whit these roles in my environment.
• The server could be moved using VMware SRM to another site. Should the objects mentioned above be created in this site as well?

Thanks a lot in advance for your replies!

Hi All,

I am planning to transfer FSMO roles from DC 2008 to new DC server 2016, i want to use same IP address of existing 2008 DC on New DC 2016, is it possible that after i transferred the roles to new DC, can i shutdown old DC and use the same IP address on new DC 2016? because all users are using DC 2008 in preferred DNS and have Static IP address so it is difficult for me to change for 100s of users.

Regards,

Agha

we have more than 6 sites in Active directory 

we have facing replication problem 

Error -2146893022, 1256,8614,8524,1256.

please help me

Hi............................

I wanna know about the setting home folder on a file server. How it is different from folder redirection and roaming profile?

Thanks in advance

We have several users that are now running the latest version of Safari 8.0 (Yosemite Release) on their Macs.  When they try to login to Office 365 and they are redirected to our ADFS 3.0 portal the page just seems to ... hang ... and never completes. Users can switch to Chrome on the Mac and it works as expected.  Is there something within the ADFS configuration or within the Safari (client-side) configuration that needs to be updated?

Thanks in advance...

Hello There,

Hope you are doing Well,

I would need help to resolve this issue like need background of this issue,reason of this issue and How to resolve?

Thanks in Advance,

Here is my Problem,

We have built some of RODC in windows server 2016 in our environment but we are unable to take backup getting below error in Backup log.

C:\Windows\system32\ntdsutil.exe: activate instance ntds

Active instance set to "ntds".

C:\Windows\system32\ntdsutil.exe: ifm

ifm: create Sysvol rodc d:\backup\2400

Creating snapshot for RODC media...

Snapshot set {f801bc40-ad9b-463e-b136-4fb9f678d1eb} generated successfully.

Snapshot {e25ec1ee-6122-45ce-aa6a-9eceac15f75f} mounted as C:\$SNAP_201807040000_VOLUMED$\

Snapshot {e25ec1ee-6122-45ce-aa6a-9eceac15f75f} is already mounted.

Initiating DEFRAGMENTATION mode...

     Source Database: C:\$SNAP_201807040000_VOLUMED$\NTDS\ntds.dit

     Target Database: d:\backup\2400\Active Directory\ntds.dit

Operation terminated with error -550( JET_errDatabaseDirtyShutdown, Database was not shutdown cleanly. Recovery must first be run to properly complete database operations for the previous shutdown. ).

error 0x800720d9(A database error has occurred.)

Snapshot {e25ec1ee-6122-45ce-aa6a-9eceac15f75f} unmounted.

ifm: quit

C:\Windows\system32\ntdsutil.exe: quit

and also same while creating IFM,

and we thout it could be Active Directory Database issue hence we ran integrity and Semantec Database Analusis Cheks got error in Log file as below,

Link Table has inappropriate activated link from DNT 12637 to DNT 2043 [Not fixed].
Link Table has inappropriate activated link from DNT 12637 to DNT 2044 [Not fixed].
Link Table has inappropriate activated link from DNT 12637 to DNT 2050 [Not fixed].
Link Table has inappropriate activated link from DNT 12637 to DNT 12638 [Not fixed].
Link Table has inappropriate activated link from DNT 12637 to DNT 12639 [Not fixed].
Link Table has inappropriate activated link from DNT 12637 to DNT 12638 [Not fixed].
Link Table has inappropriate activated link from DNT 12637 to DNT 12639 [Not fixed].
Summary:
Active Objects    68190
Phantoms       11
Deleted     2536
Inconsistent Instance type for 83800 and parent 14281 [4 != 0]
Inconsistent Instance type for 83866 and parent 7580 [4 != 0]
Security descriptor summary:
SD count:     3111
Total SD size before single-instancing:       643529 Kb
Total SD size after single-instancing:         30569 Kb

When i googled am not getting proper anwer and reason of these erros and How to resolve this issue?

Thanks & Regards

Veerappa Kammar

Hello, can someone please help me with the following question, as I do not understand it

I have a LAB with a few 2012 R2 DCs and two AD sites

Default-first-site contains two Read-Write DCs and one Read-Only DC

New-Site contains one Read-Only DC

When I do a RepAdmin /ReplSummary I get the following, As you can see from the out put there is a large delta between DC01 (read-write DC) and ADRODC02 (read-only DC) 

My first question (hope it does not sound too stupid), that is meant by the 'delta' what information does this figure actually seek to convey?

The reason I ask the above question is because of the following

if I create a new user on DC01, this new user object appears quite quickly on the other DCs (in the same site, DC02 and ADRODC01) then it appears quite quickly too on the RODC on the other AD site ADROCS02 (as I forced replication). So now my new user appears on all DCs in the domain.  However RepAdmin still shows the high delta as above

If I look at the NTDS Settings Object, on ADRODC02 it shows the RepsFrom (Replicate From) as being DC01 (in other words ADRODC02 gets its updates from DC01)

So, considering the new user created on DC01 appears in the AD database on ADRODC02 (when connected to this DC via ADUC) why does the delta still show 17 plus hours?  which leads me to think that is the delta figure trying to tell me? I thought is meant there was a replication issue, but there is not (or at least not one I can see), as the new user replicated OK.

Please help,

thanks very much

__AAnotherUser

AAnotherUser__

How to do script that uses CSV file for this command? Need to Enable remotemailbox for several users using CSV

Enable-RemoteMailbox -Identity user@domain.fi -RemoteRoutingAddress user@company.mail.onmicrosoft.com

I have script and I need find users from AD by DistinguishedName

# Specify target OU.
$TargetOU = "ou=testi,ou=Users,ou=test"

# Read user sAMAccountNames from csv file (field labeled "Name").
Import-Csv -Path Users.csv | ForEach-Object {
    # Retrieve DN of User.
    $UserDN = (Get-ADUser -Identity $_.Name).distinguishedName

    # Move user to target OU.
    Move-ADObject -Identity $UserDN -TargetPath $TargetOU
}

I get the following error:

get-aduser : Cannot find an object with identity: 'test test' under: 'DC=test,DC=test'.

I have CSV file and there are names like "Testi Testi", if I put "Testi.testi", then it will work just fine. Problem is that we have accounts that have different logon names, than the actual DistinguishedName. Like username is "Marta.Kyll" and DistingushedName is "Marta-Kylie Kyll"

Hi,

Our application team is in the process of configuring some Oracle based HR application with our domain controllers. There are no connectivity issues between application server and domain controllers. When they are connecting they get below error.

kinit: Cannot find KDC for realm "contoso.com" while getting initial credentials.

Please let us know how to avoid this.

Regards,

Kavindu