Full trust between A & B established
Need to migrate a number of users & groups (1/3 of the population) from A to B (using MS ADMT) and separately set up federation of B with O365 to provide email.
Kind regards,
KJ
I need help with PowerShell and Active Directory.
I need to view the NTDS Schedules of our Domain Controllers. Once I have their current replication schedules, I need to change the NTDS Schedule of a Domain Controller (DC4) to 15 mins
How do I do this with PowerShell?
Using the Active Directory Sites and Services I can update one Domain Controller at a time. However, I would like to use PowerShell.
Help!
(Attached is a screenshot of a Domain Controller's NTDS Settings.)
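Added example, not from the thread: the PowerShell equivalent of opening each connection object under NTDS Settings and choosing "Change Schedule". It lists the schedule of every connection object in the forest and then sets the connections that replicate to DC4 to "four times per hour" (every 15 minutes). It assumes the ActiveDirectory module (RSAT, Windows Server 2012 or later) and a DC named DC4; the Get-ScheduleSummary helper is mine, not a cmdlet.

```powershell
# Added example: view connection-object replication schedules and set DC4's
# inbound connections to every 15 minutes. Assumes RSAT ActiveDirectory module
# and a DC named DC4 (both assumptions).
Import-Module ActiveDirectory

$dcName = 'DC4'

# Render an ActiveDirectorySchedule as a count of enabled 15-minute slots.
# RawSchedule is bool[7,24,4] (day, hour, quarter-hour): 168 enabled slots =
# once per hour, 336 = twice per hour, 672 = four times per hour.
function Get-ScheduleSummary {
    param([System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule]$Schedule)
    if ($null -eq $Schedule) { return 'not set (default)' }
    $raw = $Schedule.RawSchedule
    $on = 0
    for ($d = 0; $d -lt 7; $d++) {
        for ($h = 0; $h -lt 24; $h++) {
            for ($q = 0; $q -lt 4; $q++) { if ($raw[$d, $h, $q]) { $on++ } }
        }
    }
    switch ($on) {
        672     { 'four times per hour (every 15 min)' }
        336     { 'twice per hour' }
        168     { 'once per hour' }
        0       { 'none' }
        default { "custom ($on of 672 slots enabled)" }
    }
}

# Pull the DC name out of an NTDS Settings / server DN.
function Get-ServerFromDn { param([string]$Dn) $Dn -replace '^.*?CN=([^,]+),CN=Servers,.*$', '$1' }

# 1. Current schedule of every connection object in the forest.
Get-ADReplicationConnection -Filter * -Properties ReplicationSchedule, AutoGenerated |
    Select-Object Name, AutoGenerated,
        @{n='To';       e={ Get-ServerFromDn $_.ReplicateToDirectoryServer }},
        @{n='From';     e={ Get-ServerFromDn $_.ReplicateFromDirectoryServer }},
        @{n='Schedule'; e={ Get-ScheduleSummary $_.ReplicationSchedule }} |
    Format-Table -AutoSize

# 2. Build an "every 15 minutes" schedule: every quarter-hour slot enabled.
$every15 = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$raw = [Array]::CreateInstance([bool], 7, 24, 4)
for ($d = 0; $d -lt 7; $d++) {
    for ($h = 0; $h -lt 24; $h++) {
        for ($q = 0; $q -lt 4; $q++) { $raw[$d, $h, $q] = $true }
    }
}
$every15.RawSchedule = $raw

# 3. Apply it to every connection object whose target is DC4 (the objects that
#    live under CN=NTDS Settings,CN=DC4,CN=Servers,... in the Configuration NC).
Get-ADReplicationConnection -Filter * -Properties ReplicationSchedule |
    Where-Object { (Get-ServerFromDn $_.ReplicateToDirectoryServer) -eq $dcName } |
    ForEach-Object {
        Set-ADReplicationConnection -Identity $_ -ReplicationSchedule $every15 -WhatIf   # drop -WhatIf to apply
    }
```

Two caveats before dropping -WhatIf: connection objects with AutoGenerated = True belong to the KCC, which may stop maintaining one you edit by hand; and inside a site the schedule is only the polling fallback, because intra-site partners replicate on change notification anyway, so "every 15 minutes" matters mostly for connections that cross a site link.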
Hi All,
DomainA users/computers are migrated to DomainB. All the servers stay in DomainA.
Users log in to DomainB DC01, but computers get DHCP from DomainA DC01.
DomainA DC01 - 192.168.1.1
DomainB DC01 - 10.1.1.1 / Site: DCsite1
Q1: In the DomainA DC01 DHCP scope, should I put DomainB's DNS?
Q2: In DomainB DC01 Sites & Services > Subnets, should the user subnet point to site DCsite1?
Q3: Is there a benefit to setting up DHCP on DomainB DC01?
As
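Added example, not from the thread: one common way to wire Q1 and Q2 from PowerShell. A DomainB member must resolve DomainB's DC locator records (_ldap._tcp.dc._msdcs.<domainB>) at logon, so the scope on DomainA DC01 either hands out a DomainB DNS server or keeps DomainA DNS with a conditional forwarder; and DomainB's Sites and Services must know the client subnet or the locator picks a DC without site affinity. The domain names (domaina.local, domainb.local), the DC hostnames and the scope ID are assumptions; the two IP addresses come from the post.

```powershell
# Added example. Assumptions: DomainA = domaina.local, DC/DHCP dc01.domaina.local (192.168.1.1);
# DomainB = domainb.local, DC dc01.domainb.local (10.1.1.1); the client scope is 192.168.1.0/24.
# Requires the DhcpServer, DnsServer and ActiveDirectory modules.
$domainA = 'domaina.local'; $dcA = 'dc01.domaina.local'; $ipA = '192.168.1.1'
$domainB = 'domainb.local'; $dcB = 'dc01.domainb.local'; $ipB = '10.1.1.1'
$scopeA  = '192.168.1.0'

# Q1: scope options on DomainA DC01 for clients that now belong to DomainB:
# DomainB DNS first, DomainA DNS second, and DomainB as the connection-specific suffix.
Set-DhcpServerv4OptionValue -ComputerName $dcA -ScopeId $scopeA -DnsServer $ipB, $ipA -DnsDomain $domainB

# Both directions still have to resolve each other (trust, servers left behind in DomainA),
# so each side forwards the other's zone. Forest replication scope keeps it on every DC.
Add-DnsServerConditionalForwarderZone -ComputerName $dcB -Name $domainA -MasterServers $ipA -ReplicationScope Forest
Add-DnsServerConditionalForwarderZone -ComputerName $dcA -Name $domainB -MasterServers $ipB -ReplicationScope Forest

# Q2: map the client subnet to the site that holds DomainB DC01, otherwise
# the DC locator has no site for 192.168.1.x clients.
New-ADReplicationSubnet -Server $dcB -Name '192.168.1.0/24' -Site 'DCsite1'

# Verification, run on a migrated client after "ipconfig /renew":
#   nltest /dsgetdc:domainb.local /force      -> DC = dc01.domainb.local, Client Site = DCsite1
#   Resolve-DnsName -Name _ldap._tcp.dc._msdcs.domainb.local -Type SRV
```

Nothing here answers Q3; that depends on whether the 10.1.1.0 side will ever host clients. If it will not, a second DHCP server buys only failover, which 2012-style DHCP failover between the two would also give without a second scope.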
Hello,
Searching around, I found some things regarding partial replication on an RODC via the Filtered Attribute Set.
Can this also be applied to an AD DC?
I need only some OUs to be replicated. Is it possible?
I installed an LDAPS certificate on my domain controller, however, when I use LDP to make a connection on port 636, I get the error:
Error <0x51>: Fail to connect ldaps
Any suggestions to resolve this issue?
Hi,
Previously my secondary DC (server name is sdc) was down, so I booted up the image backup of the same server as a virtualized server on another computer.
Once I fixed my secondary DC server, I shut down the virtualized server and let the actual secondary DC run.
I can log in with no problem. The Primary DC (server name is pdc) and Secondary DC can ping each other.
Everything went well until the next morning, when I found out I couldn't log into the secondary DC anymore. The error message says "The username or password is incorrect". The Primary DC and Secondary DC can ping each other though. Both my servers are running Windows Server 2008.
Below is an extract from the dcdiag command:
" Starting test: Replications
[Replications Check, PDC] A recent replication attempt failed: From SDC to PDC
Naming Context: DC=ForestDnsZones,DC=xyz,DC=com,DC=my
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2018-07-19 09:56:07.
The last success occurred at 2018-07-18 12:10:24.
24 failures have occurred since the last success.
[SDC] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect.
[Replications Check PDC ] A recent replication attempt failed:
From SDC to PDC
Naming Context: DC=DomainDnsZones,DC=xyz,DC=com,DC=my
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2018-07-19 09:56:07.
The last success occurred at 2018-07-18 12:11:41.
28 failures have occurred since the last success.
[Replications Check PDC] A recent replication attempt failed:
From SDC to PDC
Naming Context:
CN=Schema,CN=Configuration,DC=xyz,DC=com,DC=my
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2018-07-19 09:56:07.
The last success occurred at 2018-07-17 16:51:50.
43 failures have occurred since the last success.
[Replications Check, PDC] A recent replication attempt failed:
From SDC to PDC
Naming Context: CN=Configuration,DC=xyz,DC=com,DC=my
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2018-07-19 09:56:07.
The last success occurred at 2018-07-17 16:51:50.
42 failures have occurred since the last success.
[Replications Check, PDC] A recent replication attempt failed:
From SDC to PDC
Naming Context: DC=xyz,DC=com,DC=my
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2018-07-19 09:56:07.
The last success occurred at 2018-07-18 12:12:46.
23 failures have occurred since the last success.
......................... PDC failed test Replications
Starting test: RidManager
......................... PDC passed test RidManager
Starting test: Services
......................... PDC passed test Services
Starting test: SystemLog
An Error Event occurred. EventID: 0x40000004
Time Generated: 07/19/2018 09:54:36
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sdc$. The target name used was cifs/Sdc.xyz.com.my. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XCZ.COM.MY) is different from the client domain (XYZ.COM.MY), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server
An Error Event occurred. EventID: 0x40000004 Time Generated: 07/19/2018 09:56:07
Event String: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sdc$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/e92efb8d-1c9d-4412-9766-09eae008a05c/xyz.com.my@xyz.com.my. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XYZ.COM.MY) is different from the client domain (XYZ.COM.MY), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An Error Event occurred. EventID: 0x40000004
Time Generated: 07/19/2018 10:11:21
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sdc$. The target name used was LDAP/e92efb8d-1c9d-4412-9766-09eae008a05c._msdcs.xyz.com.my. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XYZ.COM.MY) is different from the client domain (XYZ.COM.MY), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
......................... PDC failed test SystemLog "
As I am a novice, I hope you guys can help me out here.
Thank you all.
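Added example, not from the thread: a diagnostic script for the situation the dcdiag output describes. KRB_AP_ERR_MODIFIED for sdc$ on every SPN, together with "target principal name is incorrect" on every naming context, is what a DC produces when its machine-account password no longer matches what the KDC holds; booting an older image of the same DC also risks USN rollback, which the partner detects and answers by quarantining the DC, so the script checks for that first and refuses the password reset if it finds it. The names pdc/sdc and xyz.com.my come from the post; the -ApplyFix switch and the seven-day window are my assumptions. Run it on sdc as a domain admin.

```powershell
# Added example. Run on SDC (the DC that was restored from an image).
# Assumptions: domain xyz.com.my, partner pdc.xyz.com.my, -ApplyFix is this
# script's own switch. Requires an elevated prompt on the DC.
param([switch]$ApplyFix)
$domain  = 'xyz.com.my'
$partner = "pdc.$domain"
$domainDn = 'DC=' + ($domain -replace '\.', ',DC=')

# 1. USN rollback check. A DC brought up from an old image reuses USNs its
#    partners have already seen; the partner logs 2095 and the DC quarantines
#    itself (2103) and sets "DSA Not Writable" = 4.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$notWritable = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'DSA Not Writable'
"DSA Not Writable: $notWritable   (4 = quarantined after USN rollback)"
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message.Split("`n")[0] }}

# 2. Replication state and the up-to-dateness vector (invocation IDs per DC).
repadmin /showrepl . /verbose
repadmin /showutdvec . $domainDn

# 3. Secure channel and Kerberos from this DC's side: sc_verify forces a
#    re-authentication of the channel; klist get asks the KDC for a ticket to
#    the partner and fails the same way the replication engine does.
nltest /sc_verify:$domain
klist get "ldap/$partner"

if (-not $ApplyFix) { return }

# 4. Remediation for the password-mismatch case only. With rollback present the
#    supported path is demote (or metadata cleanup) and repromote, not a reset.
if ($notWritable -eq 4) { throw 'USN rollback detected: demote and repromote this DC instead of resetting its password.' }

# The KDC is stopped so this DC does not keep issuing tickets under the stale
# key while the reset is in flight; tickets already cached are purged.
Stop-Service kdc
klist purge
netdom resetpwd /server:$partner /userd:"$domain\Administrator" /passwordd:*
Start-Service kdc
repadmin /syncall /AeP
```

Stop after step 3 on the first run; if step 1 shows the quarantine, the image that was booted is the root cause and no amount of password resetting fixes it. Also shut the virtualized copy down for good: two machines sharing the sdc$ account is exactly the "different password than what the KDC has" case the event text describes.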
Hello,
Please help me resolve errors from dcdiag /test:dns
====================================
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record dcdiag-test-record in zone domainname.ru
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 10.xx.xx.xx (cb2.company.ru.)
1 test failure on this DNS server
DNS server: 10.xx.xx.xx (dc01-m02.domainname.company.ru)
1 test failure on this DNS server
DNS server: 10.xx.xx.xx (dc01-m04.domainname.company.ru)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server xx.xx.xx.xx
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: domainname.company.ru
dc39-01 PASS PASS PASS FAIL WARN PASS n/a
=============
Thank you for any help!
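Added example, not from the thread: checks for the three findings in that dcdiag summary (Dyn WARN, Del FAIL, and the loopback PTR line). The zone and server names are the ones dcdiag printed; that the test record is an A record, and the seven-day window, are assumptions. Requires the DnsServer module on a DC or an RSAT box.

```powershell
# Added example. Names from the dcdiag output; record type of the test record is assumed to be A.
$dns  = 'dc39-01'
$zone = 'domainname.company.ru'

# Dyn: dcdiag adds dcdiag-test-record by dynamic update and then deletes it.
# "Failed to delete" commonly means an older copy already exists that the
# running account cannot modify (secure-only zone, record owned by another
# principal). Show the zone's update mode and whether the record is still there.
Get-DnsServerZone -ComputerName $dns -Name $zone |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated, ReplicationScope
$stale = Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name 'dcdiag-test-record' -ErrorAction SilentlyContinue
if ($stale) {
    $stale | Format-Table HostName, RecordType, Timestamp, @{n='Data'; e={ $_.RecordData.IPv4Address }}
    # Server-side delete (not a dynamic update), then re-run: dcdiag /test:dns /dnsdynamicupdate
    Remove-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name 'dcdiag-test-record' -RRType A -Force -WhatIf
}

# Del: dcdiag follows every delegation (NS records below the zone apex) and
# fails when a delegated name server has no address or does not answer. A
# _msdcs delegation still pointing at a demoted DC is the usual culprit.
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType NS |
    Where-Object HostName -ne '@' |
    ForEach-Object {
        $ns = $_.RecordData.NameServer
        $a  = Resolve-DnsName -Name $ns -Type A -Server $dns -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Delegation = $_.HostName
            NameServer = $ns
            Resolves   = [bool]$a
            Address    = ($a.IPAddress -join ',')
        }
    } | Format-Table -AutoSize

# The PTR query for 1.0.0.127.in-addr.arpa fails whenever no reverse zone for
# 127.0.0.0/8 exists; that line is cosmetic and safe to ignore.
Resolve-DnsName -Name 127.0.0.1 -Type PTR -Server $dns -ErrorAction SilentlyContinue
```

For each delegation that does not resolve, either fix the glue/A record of the name server or delete the delegation if the server is gone; that is what turns Del from FAIL to PASS.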
Does anyone have experience with a Windows Server 2008 R2 and Exchange 2010 upgrade? Would you mind sharing your experience?
Here is my environment:
Current:
AD: Windows Server 2008 R2 and Exchange 2010 (on the same physical machine)
Target:
AD: Upgrade to Windows Server 2016 (it is a new physical server)
Exchange: Upgrade to Exchange 2016 (installed on the same Windows Server 2016 machine)
Other requirement:
The current domain is using aaaaaaaaa.com and zh.aaaaaaaaa.com
We would like to change it to bbbbbbbbb.com (our company name changed, and we will merge the 2 old domains into one domain)
Do you have any related information for our reference?
I want to know, is it possible to do the above migration at the same time? (install the new server, migrate AD and Exchange, and rename our domain, to reduce downtime for users)
Is it possible to clean install / migrate?
e.g. is it possible to clean install Windows Server 2016 and Exchange 2016, then export / import the "necessary data" from the old one to the new one, rather than migrating everything from the old one?
Thanks !
Dear All,
I have a user in Active Directory; when I search for it I get a result, but when I go to that OU I can't find him. I moved this user to another OU and now it is showing. I checked "showInAdvancedViewOnly" and it is set to "not set".
Why is this happening? How do I get the other hidden users?
This OU contains more than 2000 users and I get a message every time I open that OU. Everything from letter M to Z does not exist in that OU. Is it because the OU has more than 2000 objects in it?
Best Regards,
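Added example, not from the thread: enumerate the OU from PowerShell, where the web service pages through the result set, so the count and the letter distribution show whether M to Z are really absent or only not displayed. The OU path and the user name are placeholders (assumptions).

```powershell
# Added example. OU path and sAMAccountName are assumptions.
Import-Module ActiveDirectory
$ou   = 'OU=Staff,DC=example,DC=com'
$user = 'jdoe'

# Full enumeration of the OU's direct children. ADWS returns pages (256 by
# default); -ResultPageSize only changes page size, nothing is cut off.
$objects = Get-ADObject -SearchBase $ou -SearchScope OneLevel -Filter * -ResultPageSize 1000 -Properties showInAdvancedViewOnly
'Objects in {0}: {1}' -f $ou, $objects.Count

# Distribution by first letter: the proof that M-Z exist even if the console
# stops listing at its item limit.
$objects | Group-Object { $_.Name.Substring(0, 1).ToUpper() } | Sort-Object Name | Format-Table Name, Count -AutoSize

# Objects the console hides unless View > Advanced Features is on.
$objects | Where-Object showInAdvancedViewOnly -eq $true | Select-Object Name, ObjectClass, DistinguishedName

# Where one specific user really lives, independent of what the console shows.
Get-ADUser -Identity $user -Properties CanonicalName, whenChanged | Select-Object SamAccountName, CanonicalName, whenChanged
```

In Active Directory Users and Computers the matching setting is View > Filter Options > "Show maximum number of items", which defaults to 2000; raising it, or filtering the view, makes the rest of the OU visible without moving anyone.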
Dear All,
Is there any way to track the computer that used the service account? For example, if user X used ServiceAccount@test.com from his computer, can I get his computer name? Is there any tool, script or PS command to get this kind of information?
Best Regards,
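Added example, not from the thread: the DC Security logs already hold this. Event 4768 (TGT issued) and 4769 (service ticket issued) carry the client IP of whoever authenticated as the account, and 4624 (logon) carries the workstation name and IP when the account logs on somewhere; each DC only sees its own share of the traffic, so the script queries all of them and groups by source. It assumes the ActiveDirectory module, that the "Audit Logon", "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" subcategories are enabled on the DCs, remote read access to the Security log, and the placeholder account name ServiceAccount.

```powershell
# Added example. $Account is a placeholder; the parameters are this script's own.
param(
    [string]$Account = 'ServiceAccount',                       # sAMAccountName (assumption)
    [int]$Days = 7,
    [string[]]$DCs = (Get-ADDomainController -Filter *).HostName
)
$since = (Get-Date).AddDays(-$Days)

# Flatten <EventData><Data Name="x">...</Data> into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$rows = foreach ($dc in $DCs) {
    $filter = @{ LogName = 'Security'; Id = 4624, 4768, 4769; StartTime = $since }
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d  = ConvertFrom-EventData $e
        $ip = $d.IpAddress -replace '^::ffff:', ''          # Kerberos events log IPv4 as ::ffff:a.b.c.d
        switch ($e.Id) {
            4624 { if ($d.TargetUserName -eq $Account) {
                       [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Id = 4624; Source = $d.WorkstationName; IP = $ip; Detail = "logon type $($d.LogonType)" } } }
            4768 { if ($d.TargetUserName -eq $Account) {
                       [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Id = 4768; Source = ''; IP = $ip; Detail = 'TGT request' } } }
            4769 { if ($d.TargetUserName -like "$Account@*") {
                       [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Id = 4769; Source = ''; IP = $ip; Detail = "service ticket for $($d.ServiceName)" } } }
        }
    }
}

# One line per source machine: resolve the IP, count events, first/last seen.
$rows | Group-Object IP | ForEach-Object {
    $ip   = $_.Name
    $name = try { ([System.Net.Dns]::GetHostEntry($ip)).HostName } catch { $ip }
    [pscustomobject]@{
        IP     = $ip
        Host   = $name
        Events = $_.Count
        First  = ($_.Group.Time | Measure-Object -Minimum).Minimum
        Last   = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Last -Descending | Format-Table -AutoSize
```

4624 events on the member servers the account logs on to add the same information from the other end (WorkstationName there is the client that supplied the credentials). If the account is used for a scheduled task or service on a fixed host, that host shows up as the only source; a workstation in the list is a person using it interactively.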
Hi
We have a strange issue: we have the Home folder in user profiles set as H: drive mapped to \\servername\Home$\%username% and it maps fine, and folder redirection set via Group Policy as "Setting: Redirect everyone's folder to the same location" and "Target folder location: Redirect to the user's home folder".
All PCs are Windows 7, domain is Windows 2008 and 2012.
But folder redirection creates the "Documents" folder under \\servername\Home$ (rather than under \\servername\Home$\username) and redirects into that folder.
Anybody had same issue?
Thanks
Hi,
We have an on-prem DC and we are thinking of deploying an RODC in Azure using a VPN connection.
We will be deploying some VMs in Azure, so I want to confirm: can we domain-join our Azure VMs with an RODC?
Greetings,
We added a 2008 R2 DC to our 2003 domain, which consists of two 2003 R2 servers; we are planning to upgrade the domain once I am happy that things are stable. Unfortunately I have had one recurring issue since the addition of the server.
Every day a handful of machines present "The security database on the server does not have a computer account for this workstation trust relationship" - normally at the start of the day when a user first logs on. This can be sorted by restarting the machine once or twice, but it's not ideal and can recur on the same machine.
I can find no associated errors on either the local machine or the domain controllers, so I'm starting to climb the walls figuring out the cause. My gut instinct is that it's DHCP/DNS related, but I can't find anything wrong with the machine's records.
Any suggestions would be well received.
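Added example, not from the thread: the message comes from a DC that cannot find, or cannot authenticate, the workstation's computer account. After a new DC joins a domain the first thing worth ruling out is that the account (and its last password change) looks the same on every DC, so the script asks each DC in turn, then looks at DNS and asks the workstation which DC it actually used. Computer names, the domain and the -Repair switch are assumptions; Test-ComputerSecureChannel is available on Windows 7 (PowerShell 2.0), and the remote steps need WinRM enabled on the client.

```powershell
# Added example. $Computer, $Domain and -Repair are this script's own assumptions.
param([string]$Computer = 'WS001', [string]$Domain = 'corp.example.com', [switch]$Repair)
Import-Module ActiveDirectory

# 1. The account as each DC sees it. Missing on one DC, or an older pwdLastSet
#    there, means that DC has not received the last machine-password change
#    (workstations rotate it every 30 days). A client that authenticates
#    against that DC gets exactly the "security database ... does not have a
#    computer account" message, and the DC logs Netlogon 5722 at that moment.
$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $acct = Get-ADComputer -Identity $Computer -Server $dc -Properties pwdLastSet, DNSHostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC          = $dc
        Found       = [bool]$acct
        PwdLastSet  = if ($acct) { [DateTime]::FromFileTime($acct.pwdLastSet) } else { $null }
        DNSHostName = $acct.DNSHostName
    }
}
$report | Format-Table -AutoSize

# 2. DNS: every DC should return the same address for the workstation.
$fqdn = "$Computer.$Domain"
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Resolve-DnsName -Name $fqdn -Type A -Server $dc -ErrorAction SilentlyContinue |
        Select-Object @{n='DNS'; e={ $dc }}, Name, IPAddress, TTL
}

# 3. From the workstation: which DC it located, and whether its secure channel
#    verifies right now. -ArgumentList rather than $using: so this also works
#    against PowerShell 2.0 on Windows 7.
$check = {
    param($d)
    nltest /dsgetdc:$d
    nltest /sc_query:$d
    Test-ComputerSecureChannel -Verbose
}
Invoke-Command -ComputerName $fqdn -ScriptBlock $check -ArgumentList $Domain

# 4. Repair: resets the machine password on the client and on a DC in one step,
#    no leave/join needed. The credential must be allowed to reset the account.
if ($Repair) {
    $cred = Get-Credential -Message "Account allowed to reset $Computer"
    Invoke-Command -ComputerName $fqdn -ScriptBlock { param($c) Test-ComputerSecureChannel -Repair -Credential $c } -ArgumentList $cred
}
```

Step 3 and 4 go over Kerberos, so on a machine whose trust is broken at that moment they have to be run locally instead. If step 1 shows the new 2008 R2 DC lagging on pwdLastSet for the affected machines, replication to it (repadmin /showrepl on that DC) is the thing to look at rather than DHCP.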
Hi,
We have trouble with secure LDAP connections between Linux computers and DCs. We are in the migration phase and have in our AD some W2K16 DCs and some W2K8R2 DCs.
If any Linux computer tries to access any DC in Active Directory, the DC sends a RST/ACK. I set the logging level higher on the DCs and found the following two Event IDs for each LDAPS access:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 17.07.2018 14:24:54
Event ID: 2085
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: DC1.mydomain.com
Description:
Internal event: An LDAP over Secure Sockets Layer (SSL) connection could not be established with a client.
Client network address: <LINUX IP ADDRESS>:45308
Protocol: TCP
Additional Data
Error value: 2148074289 The client and server cannot communicate, because they do not possess a common algorithm.
Internal ID: c05086b
--------------------------
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 17.07.2018 14:24:54
Event ID: 1216
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: N/A
Computer: DC1.mydomain.com
Description:
Internal event: An LDAP client connection was closed because of an error.
Client IP: <LINUX IP ADDRESS>:45308
Additional Data
Error value: 3 The system cannot find the path specified.
Internal ID: c0605fa
We deployed LDAPS on the DCs correctly and I checked all the configuration many times. I am not sure if the problem is a client certificate problem.
I read many articles about this issue. I created new certificates (on DCs and clients), applied a GPO for cipher suite order, etc. But I could not solve the problem.
Here are some articles which I read/applied them:
https://docs.microsoft.com/de-at/windows/desktop/SecAuthN/tls-cipher-suites-in-windows-10-v1607
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
Has anybody got experience with this issue?
Best regards
Birdal
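Added example, not from either post: a small LDAPS handshake tester for both the LDP "Error <0x51>: Fail to connect" question above and this Linux one. It opens port 636 the way an LDAPS client would, with one chosen TLS version at a time, and reports what was negotiated and which certificate the DC presented (subject, SAN, EKU, chain validity). 0x51 is LDAP_SERVER_DOWN, which LDP shows for any failure before the first LDAP message, and error value 2148074289 in event 2085 is 0x80090331 (SEC_E_ALGORITHM_MISMATCH): the two sides had no protocol version or cipher suite in common. The DC names are assumptions; Test-Ldaps is my function, not a cmdlet.

```powershell
# Added example. Test-Ldaps is this script's own function; DC names are assumptions.
function Test-Ldaps {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        # Protocol versions to offer. Pass 'Tls12' alone to reproduce a modern Linux client.
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls, Tls11, Tls12'
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, $Port) }
    catch { return [pscustomobject]@{ Server = $Server; TcpOpen = $false; Protocol = $null; Error = $_.Exception.Message } }

    # Accept any certificate during the handshake so it can be inspected; chain
    # validity is evaluated separately with Verify().
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Server, $null, $Protocols, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Server      = $Server
            TcpOpen     = $true
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            KeyExchange = "$($ssl.KeyExchangeAlgorithm)-$($ssl.KeyExchangeStrength)"
            Hash        = $ssl.HashAlgorithm
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SAN         = $san          # must contain the FQDN clients connect to
            EKU         = $eku          # must include Server Authentication (1.3.6.1.5.5.7.3.1)
            ChainValid  = $cert.Verify() # chains to a CA this machine trusts
            Error       = $null
        }
    }
    catch {
        $msg = $_.Exception.Message
        if ($_.Exception.InnerException) { $msg += ' / ' + $_.Exception.InnerException.Message }
        [pscustomobject]@{ Server = $Server; TcpOpen = $true; Protocol = $null; Error = $msg }
    }
    finally { $ssl.Dispose(); $tcp.Close() }
}

# Every DC, one protocol version at a time. A DC that completes Tls but fails
# Tls12 (or the reverse) is the one the Linux clients are being reset by.
$dcs = 'dc1.mydomain.com', 'dc2.mydomain.com'      # assumption
foreach ($dc in $dcs) {
    foreach ($p in 'Tls', 'Tls11', 'Tls12') {
        Test-Ldaps -Server $dc -Protocols $p |
            Select-Object Server, @{n='Offered'; e={ $p }}, Protocol, Cipher, KeyExchange, ChainValid, Error
    }
}
```

For the LDP case, a row with TcpOpen = $false means nothing listens on 636 (the DC never picked up a certificate); TcpOpen = $true with a handshake error, or a certificate whose SAN lacks the name LDP was given or whose EKU lacks Server Authentication, is the usual cause of 0x51. For the Linux case, run the same matrix from the client side with openssl s_client -connect dc1.mydomain.com:636 -tls1_2 (and -cipher with the suites the client offers) and compare with Get-TlsCipherSuite on the 2016 DCs and the configured cipher suite order on the 2008 R2 DCs; the intersection must not be empty for every DC the clients may hit, since the client cannot choose which DC answers.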
Hi, I wish to know what the correct command I should type is to allow the below to work:
1. First I typed 'repadmin.exe /options * IS_GC' for the current domain options - it states 'repadmin running command /options against server pdc01.cognitive.local - unknown option "IS_GC"'
2. And second I typed 'nltest /dsgetdc:corp /GC', so I typed 'nltest /dsgetdc:cognitive GC', which worked
-- Moby
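Added example, not from the thread: repadmin /options only changes a flag when it is prefixed with + or -; given a bare flag name it reports "unknown option". The snippet shows the listing and toggling forms next to the native PowerShell way of reading and setting the same bit. pdc01.cognitive.local and cognitive.local come from the post; the rest assumes the ActiveDirectory module.

```powershell
# Added example. Server and domain names are from the post.
Import-Module ActiveDirectory
$dc = 'pdc01.cognitive.local'

# Which DCs hold the GC partial replica set, straight from AD.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly | Format-Table -AutoSize

# repadmin: no sign lists the current options; a sign changes one flag.
repadmin /options $dc            # e.g. "Current DSA Options: IS_GC"
repadmin /options $dc +IS_GC     # make this DC a GC (use -IS_GC to remove the role)

# Locate a GC for the forest: the nltest form from the post, and the cmdlet equivalent.
nltest /dsgetdc:cognitive.local /GC
Get-ADDomainController -Discover -Service GlobalCatalog -ForceDiscover | Select-Object HostName, Site

# Pure PowerShell equivalent of +IS_GC: bit 0 of the NTDS Settings object's
# "options" attribute. OR it in so any other option bits survive.
$ntdsDn = (Get-ADDomainController -Identity $dc).NTDSSettingsObjectDN
$ntds   = Get-ADObject -Identity $ntdsDn -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) } -WhatIf   # drop -WhatIf to apply
# Promotion is finished when Directory Service event 1119 reports the DC advertising itself as a GC.
```

The DSA options are a bitmask, which is why the last step reads the attribute first; replacing it with a literal 1 would silently clear any other flag set on that DC.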
Hello All,
I have 3 zones (internet, intranet and DMZ). The internet and intranet zones are physically separated and in different domains. I need to build a standalone root CA in the DMZ zone, common to both the internet and intranet zones, and this root CA in the DMZ zone has to
be able to sync/import certificates generated by the external root CA. How do I achieve this?
Thanks