Channel: Directory Services forum

Domain Join Machine with RODC

Hi,

We have an on-prem DC and we are thinking of deploying an RODC in Azure using a VPN connection.

We will be deploying some VMs in Azure, so I want to confirm: can we domain-join our Azure VMs with an RODC?


Cross forest certificate enrollment Server 2012 R2 - cannot copy templates

I have attempted to set up cross-forest certificate enrollment in a test environment. I am using the document AD_CS_Cross_Forest.pdf from the TechNet article https://technet.microsoft.com/en-us/library/Ff955845(v=WS.10).aspx. I have completed the section "Deploying AD CS for cross-forest certificate enrollment". I don't have any templates or a CA in the account domain to copy FROM, so I skipped to "Copying PKI objects to Account forest".

I am getting the error:

Copying Object: CN=402.8A47F982C359BC487708F8A89A897780,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=dev,DC=lab
WARNING: Error while coping an object. CN=402.8A47F982C359BC487708F8A89A897780
WARNING: Access is denied.
WARNING: At C:\certs\PKISync.ps1:285 char:17
+                 $NewDE.psbase.CommitChanges()
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This error is one of many with the CN being different for each object.

The article does not specify permissions needing to be set for the account DCs to the resource DCs etc., but my guess is I need to, on the templates or objects. Any help would be appreciated.

Active Directory Best Practices

Does anyone have a BP document for AD?  Thanks!

Options Value missing from Inter-Site Transports under Configuration

I think I have a big problem. I was looking to enable Quite AD Replication using intersite communications:

http://pctechgo.blogspot.com/2014/03/active-directory-intersite-replication.html

I am missing the options value from the editable properties.


Now it is enabled in the NTDS Settings on the AD servers. Am I missing something here?

I think I found part of my problem and would appreciate advice on how to proceed.

Apparently my inter-site transport is set to SMTP and the bridgehead is set for IP. Should I switch these around? Will I break anything if I do?

Another issue is that I have multiple bridgeheads enabled.

I found this post so should I remove the preferred bridgehead transports?  This post tells me yes?

https://social.technet.microsoft.com/Forums/en-US/55b73072-5c21-480e-bfcd-3d702895aef4/options-value-missing-from-intersite-transports-under-configuration?forum=ADFS

Delegated access for specific users to add and remove users from a group and all of its child groups

Hi,

I have set up a new group in AD and added a number of other groups as its members. On the new group, under Security, Advanced, I have added a test user and selected the properties Read Members and Write Members (left all other permissions and properties untouched), as well as "Applies to: This object and all descendant objects".

Outcome: with my test user, when logging into AD, I can add and remove a member from the new group as expected. Unexpectedly, I cannot add or remove users from the child groups of the new group, which is what I need to accomplish.

Why?

Do I remove IP, or IP and SMTP, in my bridgehead under Sites and Services?

Hi,

We have three Windows 2012 R2 Domain Controllers. We had Microsoft assess our environment, and they recommended that we remove the bridgehead. As per their comment:

"Bridgehead servers are domain controllers that have replication partners in other sites. The selection of bridgeheads is automatic by default. Manually defining preferred bridgeheads is generally not required, because it incurs additional administrative overhead, can reduce the inherent redundancy of Active Directory, and can easily result in replication failures due to invalid configurations. Designating a single bridgehead for a domain in a site that contains a single domain controller of that domain is redundant as that domain controller would have been the bridgehead anyway. It can also lead to future problems should additional domain controllers be deployed to the site and only one of them configured as a preferred bridgehead server."

My question is, do I only remove IP or both IP and SMTP? See pic. Thanks!

Modify granular permission on Active Directory Deleted Objects container

I'm looking to grant the following permissions to the "Deleted Objects" container in AD for JUST child computer objects:

  • List the child objects of the object
  • Read a property
  • Write to a property

Normally I'd just open up ADUC, pull up advanced security permissions, and then set the permissions for descendant computer objects, but the "Deleted Objects" container isn't exposed in ADUC. Does anyone know of a good tutorial for making this modification?


zarberg@gmail.com

Orphaned fSMORoleOwner entry for DomainDnsZones

I have a very strange situation/issue. We've been having some oddities with replication and mostly demotions of domain controllers. The error messages led us to do some digging, and here is what I found. When I run the following:

ldifde -f Infra_DomainDNSZones.ldf -d "CN=Infrastructure,DC=DomainDnsZones,DC=ttiinc,DC=com" -l fSMORoleOwner
I see a stale entry from an old retired server:

fSMORoleOwner:
 CN=NTDS Settings\0ADEL:99784713-b9eb-4d06-8189-f63b56405981,CN=ADS003\0ADEL:
 038ac0fe-4406-46fd-b444-8d665c49a5a8,CN=Servers,CN=Corp,CN=Sites,CN=Confi
 guration,DC=domain,DC=com

However, when I view the entry in ADSIEdit, the entry is correct (i.e. shows the right DC):

CN=NTDS Settings,CN=ADS001,CN=Servers,CN=CorpTX,CN=Sites,CN=Configuration,DC=domain,DC=com

How do I reconcile this? I've seen the script posted here (https://support.microsoft.com/en-us/kb/949257) which all the forums suggest running; however, they all presume the entry visible in ADSIEdit is corrupt, whereas ours is correct. The bad entry is only visible when running from the command line (ldifde or dsquery).

Thank you in advance!


Karl



Account & Resource Domain Setup.

Hi All,

DomainA users/computers are migrated to DomainB. Keep all the servers in DomainA.

Users log in to DomainB DC01, but computers are getting DHCP from DomainA DC01.

DomainA DC01 - 192.168.1.1

DomainB DC01 - 10.1.1.1 / Site: DCsite1

Q1: In the DomainA DC01 DHCP scope, should I put the DomainB DNS?

Q2: In DomainB DC01, Sites & Services, IP: should the user subnet point to site DCsite1?

Q3: Is there a benefit to setting up DHCP in DomainB DC01?

     As

Root CA migration from DC to DC

I am following the link below for our root CA migration. The current CA is on a DC and I am going to migrate it to another DC. In this case the new DC will have the same name as the old one. My question: should I install the CA first and configure it before I promote the server to be the new DC, or first promote it as a DC and then install the CA?

https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/

CA migration from Windows 2008 to Windows 2012

We are planning to migrate a Windows 2008 R2 root CA to Windows 2012. We have a basic configuration in which the CDP and AIA are pointing to the default location. The migration procedure is basically backup and restore as per some articles.

How are the contents of the CDP and AIA moved? Does the database backup contain the CDP and AIA?

Shared Folder For Domain Users

Dear All,

How can I allow domain users to share their own folders ("created by them") on their PCs? I did disable UAC but it didn't work. Is there any group policy I can configure to let domain users share folders on their PCs, or any other solution (except adding them to the local admin group)?

Our environment:

1- Windows Server 2008 R2 and 2012 R2

2- Windows 7 and 10

Best Regards,

Some subsidiary domain member computers get policy exceptions

Hi,

I found some domain member computers whose configuration is:
The IP address is located in the local site.
Both nltest /dsgetsite and nltest /dsgetdc show the corresponding site and intra-site domain controllers.
The DNS of the NIC is set up, and there is only one IP address, that of the DC of the local site.
The packet capture shows that these members repeatedly try to connect to the headquarters domain controller when acquiring the executable script file from the domain policy. The SMB traffic from other sites to the headquarters DC fills the entire available bandwidth.

What is the reason for troubleshooting?

I look forward to your reply!

New 2008 DC on 2003 domain - workstation trust relationship issues.

Greetings,

We added a 2008 R2 DC to our 2003 domain, which consists of two 2003 R2 servers; we are planning to upgrade the domain once I am happy that things are stable. Unfortunately I have had one recurring issue since the addition of the server.

Every day a handful of machines present "The security database on the server does not have a computer account for this workstation trust relationship", normally at the start of the day when a user first logs on. This can be sorted by restarting the machine once or twice, but it's not ideal and can reoccur on the same machine.

I can find no associated errors on either the local machine or the domain controllers, so I'm starting to climb the walls figuring out the cause. My gut instinct is that it's DHCP/DNS related, but I can't find anything wrong with the machine's records.

Any suggestions would be well received.

Active Directory "User must change password at next logon" takes 2 log-offs before it prompts for a password change.

Active Directory "User must change password at next logon" takes 2 log-offs before it prompts for a password change.

How do I set it so that it forces the user to change the password after 1 log-off?


How to use msds-memberoftransitive with multi-domain forest?

Hi all,

I have a multi-domain forest: acme.com and child.acme.com. For users in this forest, I would like to get direct and transitive (nested) group membership using the LDAP interface. After looking at the available options, I zeroed in on using the msds-memberoftransitive attribute, as that has the distinguished names of all groups having the user as a member.

Question 1:

A user, say user1 from acme.com, can be a member of Universal, Global and Domain Local groups of acme.com and Universal and Domain Local groups of child.acme.com. As expected, universal groups in one domain can have membership in Domain Local groups of the other domain.

With this kind of membership, does msds-memberoftransitive store the distinguished names of all Universal, Global, and Domain Local groups having the user as a member (both directly and through nested groups)?

Question 2:

What is the right way to read msds-memberoftransitive? Should the LDAP bind be to a Domain Controller of the user's domain or to a Global Catalog?

In my lab set-up, by connecting to a Domain Controller of either domain, I am not getting the complete list of groups. So, is the Global Catalog the only source to read msds-memberoftransitive from?

From https://msdn.microsoft.com/en-us/library/dn410792.aspx?ppud=4, the systemFlags for the attribute indicate it's not replicated (systemFlags: FLAG_ATTR_NOT_REPLICATED | FLAG_ATTR_IS_CONSTRUCTED | FLAG_ATTR_IS_OPERATIONAL | FLAG_SCHEMA_BASE_OBJECT). I guess this means the attribute msds-memberoftransitive is not available from the Global Catalog. Please correct me if I am wrong.

Thanks,

Lokesh

Windows Security Log Event ID 4776 on DC

I have a 2008 R2 DC with a Windows 7 client.

When I log in to the client PC using a local account instead of a domain account, several events are getting logged on the DC, as shown below.

What is causing this event, and what is a possible solution?

%NICWIN-4-Security_4776_Microsoft-Windows-Security-Auditing: Security,rn=425496272 cid=972 eid=672,Mon Jul 02 06:21:08 2018,4776,

Microsoft-Windows-Security-Auditing,,Audit Failure,dc01.contoso.net,Credential Validation,,The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: CLIENT-PC01 Error Code: 0xc000006a 

Wrong Logon Server

On a new site we have created, all of the clients get a logon server for a different site. B

In ADSS the subnet is set up and assigned to the correct site.

I looked through DNS and everything seems to be OK, and the Kerberos DNS setting for the site is pointing to the correct DC.

If I run nltest /dsgetsite it returns the wrong site.

Restrict AD object Deletion to specific group or User

Trying to see if there is a way to restrict the deletion of AD objects to either a group or one user. The AD objects are already set to protected, but it is only a checkbox. The issue is that someone unchecked the box and deleted the object; the person is gone, but now I am looking for a way to prevent this from happening again. Yes, the trash can is enabled, but they cleared that out also. Yes, the person was an IT person; again, they are gone.

Filter OU from Active Directory site replication

Hey Everyone,

Quick question :)

Is there a way to filter an OU or a group of objects from replication to all the DCs in my forest?

Basically I want to create 100 000 contacts on one DC but don't want them to replicate to my 50 DCs around the world.

If not, do you know the size that those 100 000 contacts will have?

Thanks!


Hitch Bardawil
