Channel: Directory Services forum

What To Expect If I Pre Build A Domain Controller Ship To Remote Site Then Power On For Usage


Good Morning Community Friends!

I need a sanity check. We just purchased a company that is on its original domain, and I am going to deploy a new domain controller and migrate them into our domain.

My plan is to build the domain controller here in the US at our corporate office, then ship it overseas and, when I get there, spin it up and start joining users to it. Does anyone see any potential connectivity issue with this? I am going to build it here, promote it to a domain controller, then ship it over and set it up.


Phil Balderos


authentication policy and authentication policy silo


I need to grant access via an authentication policy silo, using "specify access control conditions" for the authentication policy, for 5 servers and 5 users who are the only ones able to access those servers.

What are the "specify access control conditions" for the authentication policy?

Please help.


AliahMurfy

Windows server 2012 R2 Conditional Forwarder: NSlookup fails the first time


Hi,

Windows server 2012 R2.

I have a conditional forwarder added to resolve the customer domain (abc.com). When I do nslookup -type=mx abc.com it fails the first time and resolves the second time.

My domain contoso.com (not my real domain)

First nslookup

c:\> nslookup -type=mx abc.com
Server: DC1.constoso.com
Address: 192.168.1.5

DNS request timed out was 2 seconds.
***Request to DC1.contoso.com timed-out

Subsequent nslookup

c:\> nslookup -type=mx abc.com
Server: DC1.constoso.com
Address: 192.168.1.5

Non-authoritative answer:
abc.com       MX preference =1, mail exchanger =mail.abc.com

mail.abc.com internet address = 10.10.0.5

Any ideas what might be causing this issue?

Thanks,





gMSA won't logon after reboots


The gMSA is being used for SQL Server 2016 services. The gMSA has been set up and does work, but only after re-entering the name in the service properties. After a reboot, the following is in the system log:

The MSSQL$Foo service was unable to log on as Bar$ with the currently configured password due to the following error: 
The user name or password is incorrect.

Running AD PowerShell Test-ADServiceAccount after a reboot returns True even though the error still happens. I see there is a hotfix for Windows Server 2012 that may fix a similar issue but we are on Windows Server 2016.

Any ideas??

Delayed access to AD resources without internet connectivity

My company requires that all AD and AD-related services administration be done on a system that has no connectivity to the internet. We have built two Windows Server 2016 RDS systems for all of our admins to use. These systems are blocked from internet access via a perimeter firewall rule.

The issue is that accessing any AD-related administration tool (AD Users & Computers, GP Management Console, AD-integrated DNS administration and PowerShell scripts) is delayed by about 20-30 seconds when you first access the tool, or if you have not used an already running tool for 15-20 minutes. This is usually seen when clicking on another OU or object in ADUC, trying to add a record in DNS or clicking on a GPO.

The issue only happens on these two systems. As a test, we removed the internet restriction on one system and the issue went away.

We have run network traces and didn't see anything that stood out. Some process is obviously hanging and then timing out. We just cannot find it. Any help would be appreciated. Thanks.

"the security database on the server does not have a computer account for this workstation trust relationship"

I am terrifically inexperienced with running a network. The error mentioned in the title occurred today out of the blue. When I came in this morning I was able to log in fine. When I left for about 3 hours and came back to find my computer locked as usual, I attempted to log back in. Instead of logging in I got the aforementioned security database error. I read through other articles on the matter, but they talk of forests and such, which means nothing to me due to my inexperience. The server is in our office; my workstation is separated from the server by only a switch. The server is running Windows Server 2008, my workstation is running Windows 7 Professional. Can anyone please offer a layman's explanation of what I should do here? Thanks in advance for anyone's consideration on the matter!

Group Managed Service Accounts


Hi All,

A few questions regarding gMSAs. I've created the KDS Root Key and the AD schema was already at a Server 2016 level (the DC is on a Windows 2012 server). But checking AD, I do not have a Managed Service Accounts container. Is this something that is created automatically? Or should I add it via ADSIEdit?

Also, running the command below always asks me to specify a location to create it. If I create the account in any container other than the Managed Service Accounts container, does that create an issue? Or is it ok?

New-ADServiceAccount -name $serviceaccountname -DNSHostName <dns-host-name> -PrincipalsAllowedToRetrieveManagedPassword <group>

I've added a -Path statement to the command, but didn't want to run it just in case the accounts need to be in the specified container.

Thanks in advance

send a message to all domain users over GP

I know this is an old thing: users delete any email sent from IT, so I want to send a system message. Is that still available, the pop-up that appears to all users?

Schema extension - custom attribute of type Object(DS-DN)


Hello,

I have extended the Active Directory schema with a custom attribute of type Object(DS-DN) (attribute syntax 2.5.5.1).

Everything works fine. The attribute is displayed and editable in Active Directory Users and Computers. If I delete the referenced object then my custom attribute holds a reference to the tombstone of the deleted object.

Is there a way to tell Active Directory to not reference the deleted object but instead simply clear the reference?

You can reproduce this behaviour with the "assistant" attribute.

Kind regards,

Hansjörg

smart card is required for interactive logon users attribute


Hello,

I have a question about ticking this attribute in a user's configuration.

I know that it randomizes the user's password and blocks interactive logon sessions...

If we reset the user's password on an account with the SCRIL attribute ticked, can we use this password with an application using NTLM?

Or does ticking this attribute block all NTLM authentication in Active Directory?

Thank you

Assign Static IP to local user in dial in with Powershell


Hello 

I am making a PowerShell script to create a local user and give him all dial-in permissions, and everything was done successfully. All I want to know is how to assign a static IP to a local user in dial-in with PowerShell; I didn't seem to find a command to assign an IP for every user.

Thanks in Advance

How to sync certificates generated by external Root CA with internal CA


Hello All,

I have 3 zones (internet, intranet and DMZ). The internet and intranet zones are physically separated and in different domains. I need to build a stand-alone root CA in the DMZ zone, common for both the internet and intranet zones, and this root CA in the DMZ zone has to be able to sync/import certificates generated by the external root CA. How can I achieve this?


Thanks

Domain controllers in Azure with 2016 DC whilst forest functional level is 2003


We have an AD forest functional level and domain functional level of 2003. We have one 2003 DC and multiple 2012 R2 DCs. We're looking at implementing DCs in Azure, preferably using Windows 2016.

Are there any issues with using a 2016 DC in Azure whilst we have 2003 and 2012 on premises? We'll be moving the domain and forest functional levels to 2012 later this year.

Our plan at the moment is to:

- Update AD Sites and Services with the Azure sites and subnets. Create site links as needed.
- Deploy new VMs in Azure with a separate non-caching disk for SYSVOL and DC logs.
- Install AD on the Azure VMs.

Azure Domain Services isn't suitable for our scenario.

Thanks

 

what is standard recommendation of Microsoft to keep FSMO role on Domain controller while we have ADC


Dear all,

We have one domain controller and one additional domain controller (Windows 2012 R2), but at the moment all FSMO roles are held on the domain controller, so I just want to know what would be better for FSMO role holding: either I transfer some roles to the ADC or keep all roles on the DC only. Please suggest. What would happen if the DC holding all the FSMO roles went down?

Thanks & Regards

Naved Ali

PowerShell to update NTDS on a Domain Controller


I need help with PowerShell and Active Directory. 

I need to view the NTDS schedules of our domain controllers. Once I have their current replication schedules, I need to change the NTDS schedule of a domain controller (DC4) to 15 mins.

How do I do this with PowerShell?

Using the Active Directory Sites and Services I can update one Domain Controller at a time. However, I would like to use PowerShell.

Help!

(Attached is a screenshot of a domain controller's NTDS Settings.)


Active Directory Domain Controller now answering authentication, yet forwards to another Controller


I have an odd issue with our Active Directory.

A little backdrop: it was an SBS2008 domain once upon a time, many years ago. I have inherited this domain as it is now.

We have 5 domain controllers in 3 different sites.
Our two MAIN domain controllers (for this example: ADDC01 ADDC02) are in our primary site.

All authentication requests going to ADDC01 authenticate properly.
YET
All authentication requests going to ADDC02 are forwarded to ADDC01.

SO, when ADDC01 goes down, all authentication requests fail on ADDC02.

I was wondering if someone could give me a pointer or suggestion as to where to look to resolve this.

Thank you

Sky

2012 R2 repadmin /syncall kerberos issues KRB5KDC_ERR_ETYPE_NOSUPP


Hello. I am working on a single-DC root forest domain with another single-DC domain in the same forest. I was trying to force Kerberos tickets for a third-party app to use AES256 on the root domain via the group policies set here: https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/ . I was also using the computer account settings from that article.

Something seems to have gone wrong and on the root domain DC, DNS could no longer connect to AD with event ID 4000 registered in event logs. I also found replication between the root domain DC and the other domain's DC was no longer working. 

Running repadmin /syncall from the child domain DC I get 'Replication access was denied.' In a network trace I inspected the Kerberos traffic and see this:

TGS-REQ


In the response I get this:

I have removed all the group policy settings for Kerberos encryption types and rebooted both DCs several times, as well as run gpupdate. I've also manually gone into the computer account for the forest root domain server and noticed that it is only set to allow AES128 for some reason, and when I set it to allow RC4/AES128/AES256 (0x1c), it ends up reverting eventually. This might be because gpupdate is failing on the root domain computer and never taking away the disabled Kerberos encryption policy I created.

Is there a setting somewhere that is overriding the encryption for the Kerberos tickets from the KDC? I've tried about everything I can find online: resetting computer account passwords, verifying DNS resolves (long story getting that in a functional order), etc. Very stuck on this; I don't really want to have to recreate both domains.

Unable to add second domain controller


Hi

I am currently assisting a client with issues relating to the environment's domain controllers running on Windows Server 2012 R2. It would seem that the issues have persisted for a while now. When I got access to the environment I found two domain controllers which were not replicating with one another. I removed the domain controller which did not have any of the FSMO roles on it and attempted to re-add it to the domain as a domain controller.

On numerous attempts at adding the server to the domain as a domain controller I kept receiving an Access Denied error. I checked the Default Domain Controllers Policy and the Default Domain Policy, going to the extent of recreating the Default Domain Controllers Policy in the event that this was previously tampered with, and this still did not resolve the issue.

I attempted to manually add the server to the domain, which was successful; however, trying to make this a domain controller continued to fail with an Access Denied error.

I am coming close to throwing in the towel on this one and advising the client to possibly rebuild the environment; however, before I do that I am looking for any assistance that could deviate from that path. I have the dcpromo and dcdiag logs if required.

thanks.


Cannot join computer to domain (host to VM)


Hi guys,

I do have to apologize in advance because I am a novice at this. I am doing a home study course now to improve my knowledge but have just hit a brick wall!

I have got a virtual machine on Oracle VM VirtualBox which I have set up to be a domain controller with Active Directory features enabled. Let's say the domain name set up is dg1.

I have set it so it uses the same IP range as my host computer/home router. So my router/computer has IP address 192.168.15.x and my domain controller has exactly the same range, just a different number in place of x.

I am able to ping my domain controller by its DNS name and its IP address from my host computer, which is perfect! However, I want to allow my computer to join its domain so it can be included in Active Directory (I will be getting a new virtual machine system soon but just want to test whether the computer can join a domain).

However, when I try to join domain dg1, it gives me an error saying "an Active Directory domain controller cannot be contacted".

Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

The domain name "dg1" might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "dg1":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.dg1

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

81.91.192.247
81.91.192.253

- One or more of the following zones do not include delegation to its child zone:

dg1
. (the root zone)

Could someone point me in the right direction or guide me on how to rectify this please?

Thanks,

Dan
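A pre-join check of the kind the error text above points at, as an added example that is not from the post: it asks each DNS server the client is configured with for the DC locator SRV record, so a client pointed at a public resolver (as the two 81.91.x.x addresses in the error suggest) shows up immediately. The AD DNS domain name `dg1.local` is an assumption; the post only gives the NetBIOS name `dg1`.

```powershell
# Added example, not from the post. Reports which of the client's configured
# DNS servers can answer the AD DC locator SRV query that the domain join uses.
# $DnsDomain is an assumption: replace it with the forest's real DNS name.
param([string]$DnsDomain = 'dg1.local')

$srvName = "_ldap._tcp.dc._msdcs.$DnsDomain"

# DNS servers the client will actually query (the same list the join error shows).
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

foreach ($srv in $servers) {
    try {
        # -DnsOnly bypasses the local cache and LLMNR/NetBIOS so only this server is tested.
        $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $srv -DnsOnly -ErrorAction Stop
        $targets = ($answer | Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        Write-Host "$srv answers $srvName -> $targets"
    } catch {
        # A public/ISP resolver has no AD zone and lands here: a join that only
        # uses such servers cannot locate a DC, which is the error in the post.
        Write-Host "$srv cannot resolve $srvName : $($_.Exception.Message)"
    }
}
```

If no configured server answers, point the client's DNS at the DC's address (the VirtualBox VM in the post) rather than the router's upstream resolvers, and re-run the check before attempting the join.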



I want to upgrade Active directory domain controller from windows server 2003 to windows server 2016. What will be challenge on client operating system which are the part of AD windows 2003 domain.

I want to upgrade the Active Directory domain controller from Windows Server 2003 to Windows Server 2016. What will be the challenge for the client operating systems that are part of the AD Windows 2003 domain? For instance, is there any requirement to upgrade the client operating system also? I have clients running Windows 7.
