Channel: Directory Services forum

mailNickname user attribute not found in Schema


We are running Active Directory with Windows Server 2012 R2 Domain & Forest Functional Levels.

For e-Mails we have Office 365.

I am not able to find mailNickname attribute for user objects in AD.

What am I missing?


Create User and assign it to the group


I am a total beginner with LDAP. I need to locally create a demo user and its group as they exist on the production Active Directory server. I installed VirtualBox and Windows 2012 Server, then installed Active Directory using some tutorial.

Now I need to import an .ldif file that was exported from the Active Directory, but I don't know how. I tried it and AD is trying to connect to the myCompany.com server to download RootDSE. Creating the user and group manually would also be a good option, but I don't even know how to do that. I think I first need to create some (parent) "container" to hold the user and group.

User group example:

dn: OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
objectClass: top
objectClass: organizationalUnit
ou: MyApp

dn: CN=Role1,OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
objectClass: top
objectClass: group
cn: Role1
description: Standard-User
sAMAccountName: Role1
groupType: -2147483646

User example:

dn: CN=FirstName LastName,OU=AD,OU=MyDepartment,DC=myCompany,DC=com
objectClass: top
objectClass: someAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: FirstName LastName 
sn: LastName 
givenName: FirstName 
displayName: FirstName LastName 
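The steps the post is asking about, as an added PowerShell example written for this page (it is not from the original post or from any Microsoft sample). It assumes the export file sits at C:\import\export.ldif, that the production base DN inside it is DC=myCompany,DC=com as in the post, and that the lab domain is whichever one the machine is joined to; all three are placeholders to adjust. The container paths mirror the DNs shown in the post.

```powershell
# Added example (editor's, not from the original post or any Microsoft sample).
# Assumptions, all placeholders: the export is at C:\import\export.ldif, the production
# base DN inside it is DC=myCompany,DC=com (as in the post), and the lab domain is
# whichever forest this machine is joined to.
Import-Module ActiveDirectory

$File       = 'C:\import\export.ldif'
$SourceBase = 'DC=myCompany,DC=com'
$TargetBase = (Get-ADDomain).DistinguishedName      # e.g. DC=lab,DC=local

# Step 1: ldifde does not create missing parents, so the containers above the
# exported objects must exist first. The paths below mirror the DNs in the post;
# OU=MyApp itself is in the LDIF and is created by the import.
$parentOUs = @(
    'OU=Groups',
    'OU=Applications,OU=Groups',
    'OU=MyDepartment',
    'OU=AD,OU=MyDepartment'
)
foreach ($path in $parentOUs) {
    $dn = "$path,$TargetBase"
    if (-not [adsi]::Exists("LDAP://$dn")) {
        $leaf, $parent = $path -split ',', 2
        $parentDn = if ($parent) { "$parent,$TargetBase" } else { $TargetBase }
        New-ADOrganizationalUnit -Name ($leaf -replace '^OU=') -Path $parentDn `
            -ProtectedFromAccidentalDeletion $false
    }
}

# Step 2: import. -c rewrites every occurrence of the production base DN to the lab
# base DN, which is why the import stops trying to reach myCompany.com for RootDSE.
# -k keeps going on "object already exists" and similar constraint errors; -j puts
# ldif.log / ldif.err in the given folder for review.
ldifde -i -f $File -k -c $SourceBase $TargetBase -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.err"
}

# Step 3: an account created over LDAP without a password comes in disabled. Give the
# demo user a password and enable it, then put it in the group from the post.
$user = Get-ADUser -Filter 'Name -eq "FirstName LastName"'
if ($user) {
    $pw = Read-Host -AsSecureString 'Password for demo user'
    Set-ADAccountPassword -Identity $user -NewPassword $pw -Reset
    Enable-ADAccount -Identity $user
    Add-ADGroupMember -Identity "CN=Role1,OU=MyApp,OU=Applications,OU=Groups,$TargetBase" -Members $user
}
```

If the import still rejects entries because the export carries system-owned attributes (objectGUID, objectSid, uSNCreated, uSNChanged, whenCreated, whenChanged), re-export on the production side with ldifde's -o switch to omit them, or delete those lines from the file before importing.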

Set up ADFS device registration in a forest without adfs server.


Hi everyone,

We have an ADFS server in a separate forest. Is it possible to activate device registration in a forest without an ADFS server? Today we have the ADFS in forest FS11 and users and devices in FS2. For user authentication this gives no problem. Regarding device registration I can't see how to solve that. Initialize-ADDeviceRegistration sets the registration service for the current forest. Any thoughts around this?

Trust related issue


Hi All,

We are part of the ABC.com domain and all the users were migrated from the legacy domain XYZ.com. The legacy domain has the child domains Apac.xyz.com, Amer.xyz.com and EMEA.xyz.com. We have external trusts between all these child domains and the ABC.com domain.

Recently we created a forest trust between ABC.com and the DEF.com domain and we created name suffix routing for the name xyz.com in the DEF.com domain. They have the UPN XYZ.com.

The existing environment is working fine, and all the existing external trusts are working fine. But we face an issue in a few locations of the EMEA.xyz.com domain. The issue is that when an ABC.com domain user tries to access a share in Emea.xyz.com, the user gets the error "the system detected a possible attempt to compromise security". We verified all the trusts and domain controllers and they are good. We didn't find any issue in the DCs or trusts. We restarted all the DCs in ABC.com and EMEA.xyz.com. At last, for testing, we disabled the "XYZ.com" name suffix routing in the trust between "ABC.com - DEF.com", and then it started working fine for all the affected users.

We don't have any clue how the name suffix routing creates the problem.

If the name suffix routing is the problem, how do all the other locations and the other legacy child domains Amer.xyz.com and Apac.xyz.com work well?

If someone could shed some light on this, it would help us find the root cause.

When joining domain, there says the specified network name is no longer available


Hi guys,


I met a strange issue. When a server is joining the domain, it shows: "The following error occurred attempting to join the domain: The specified network name is no longer available."

The domain controller and the client server are both Windows 2012 R2 and in different locations.

I have tested DNS with nslookup and it looks fine.

Ports UDP 53, 88, 138 are working; TCP 53, 88, 389, 445, 636 are working.

UDP 137 can't be connected. But this didn't seem to be the cause.


Any suggestions?

Thanks in advance.

Deploying Microsoft LAPS

Add Service Principal Name to server for Kerberos Constrained Delegation


Hi Folks,

I'm currently having an issue establishing Kerberos Constrained Delegation in my environment.

So I have an Azure Application Proxy (which should do the authentication) and an in-house web application.

The in-house web application's SPN is bound to a service account, let's call it SVCWebApp, and the SPN is HTTP/webapp.domain.com.

When I try to add the SPN to the server for delegation, almost all the other SPNs bound to this service account appear, but not the one I need. I ran "setspn -L SVCWebApp" and it shows the right SPN, just not when I'm trying to add it for delegation.

Maybe someone could help out.

Best Regards,

Need help updating a 2008R2 Ent. Cert. Authority from SHA1 to SHA2?


From what I can see it is pretty simple:

  • certutil -setreg ca\csp\CNGHashAlgorithm SHA256
  • Next restart the certsvc service, then ..
  • renew the root CA.

If I understand correctly, any new certs issued will be SHA2.

My question: we don't have any legacy applications that don't support SHA2. Are there any risks, gotchas, or things that will bite me in the ass doing this? This is the only enterprise CA.

Thoughts or comments? Thanks!
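A pre-flight check for the three steps above, added here as an editor's example (not from the original post). It reads the CA's CSP settings from the CertSvc registry configuration: the CNGHashAlgorithm value only takes effect when the CA key lives in a CNG key storage provider, which the registry marks with ProviderType 0; a legacy CryptoAPI CSP (non-zero ProviderType) stores its hash as a CALG id in HashAlgorithm instead and needs a CSP-to-KSP key migration first. With -Apply it performs the registry change and service restart from the post and re-reads the value; without it, it only reports.

```powershell
# Added example (editor's, not from the original post). Verifies the CA is on a CNG
# key storage provider before the CNGHashAlgorithm change from the post is applied,
# because that value is ignored by a legacy CSP. Run on the CA as a CA administrator;
# -Apply actually changes the setting and restarts the service, otherwise it only reports.
param([switch] $Apply)

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$csp    = Get-ItemProperty -Path "$cfg\$caName\CSP"

# ProviderType 0 marks a CNG KSP (e.g. "Microsoft Software Key Storage Provider");
# a non-zero value is a legacy CryptoAPI CSP, which uses HashAlgorithm (a CALG id)
# instead and needs a CSP-to-KSP key migration before SHA-2 signing is possible.
"CA:            $caName"
"Provider:      $($csp.Provider) (type $($csp.ProviderType))"
"CNG hash:      $($csp.CNGHashAlgorithm)"
if ($csp.ProviderType -ne 0) {
    throw "Legacy CSP in use; migrate the CA key to a KSP before changing the hash algorithm."
}

# The CA's own certificate keeps its original signature algorithm until it is renewed,
# which is the post's third step; show the current one so the renewal can be verified.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$caName*" } |
          Sort-Object NotBefore -Descending | Select-Object -First 1
"CA cert sig:   $($caCert.SignatureAlgorithm.FriendlyName)"

if ($Apply) {
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    Restart-Service certsvc
    # Re-read the value to confirm the change took effect
    $after = (Get-ItemProperty -Path "$cfg\$caName\CSP").CNGHashAlgorithm
    if ($after -ne 'SHA256') { throw "CNGHashAlgorithm is '$after', expected SHA256" }
    "CNGHashAlgorithm now $after; certificates issued from here on are signed with SHA-256."
}
```

Until the CA certificate is renewed, certificates it issues carry a SHA-256 signature while the CA certificate itself still shows its old algorithm, so checking the issued leaf rather than the CA certificate is the quickest way to confirm the change worked.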


Will a domain functional level change break NTLM across trusted domain?


Your opinions please... 

2 Forests. Domain R is a single forest/domain. Domain H is a child domain within a separate Forest.

The Forests have a two-way transitive FOREST trust. The Domains have a two-way non-transitive EXTERNAL trust. I don't know why it was done this way. Both Forests and Domains are at FFL/DFL 2003.

Domain R has a legacy (mission-critical) application that authenticates using NTLM only. It is used mostly by users in Domain H.

I've been led to believe that by upgrading the FFL/DFL of the Forest/Domain (Domain H), my users on Domain H will no longer be able to authenticate to the App in Domain R. This is because in a native 2008, 2008 R2, 2012 R2 or 2016 AD environment, there is a lack of support for NTLM authentication over an EXTERNAL trust. PERIOD (i.e. no amount of GPO settings can force the behaviour).

The only workaround involves CAs and signing the traffic (a plan that I'm not fully up to speed with yet).

Any input gladly appreciated.

Thanks




Lastlogon mystery


We've got a domain with a 60 day password expiration policy.  An audit uncovered the following condition with a group of accounts and I'm having a hard time coming up with an explanation.  (Names have been changed to protect the innocent)

samaccountname   pwdlastset                                  lastlogontimestamp
User1            2018/03/19-09:14:43 Eastern Daylight Time   2018/08/04-02:33:51 Eastern Daylight Time
User2            2018/05/21-09:01:16 Eastern Daylight Time   2018/08/04-02:22:59 Eastern Daylight Time
User3            2018/05/03-15:33:24 Eastern Daylight Time   2018/08/04-02:46:49 Eastern Daylight Time
User4            2018/05/31-14:58:10 Eastern Daylight Time   2018/08/04-02:44:31 Eastern Daylight Time
User5            2018/05/11-08:07:12 Eastern Daylight Time   2018/08/04-02:48:29 Eastern Daylight Time

lastLogonTimestamp can have a variance of up to 14 days, but even taking that into account, if these users did indeed attempt to log in at 2am on 8/4 (even +/- 14 days), they would have been forced to update their password, which would then have updated pwdLastSet.

None of the accounts have the password set to never expire. The last modified date on all of these accounts is also within a few minutes of 2am on 8/14.

Any thoughts on how a condition like this can exist? It doesn't make sense to me the way I understand the rules.

Thanks!
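The audit check behind the post's reasoning, as an added PowerShell example (editor's, not from the original post): it flags accounts whose stored lastLogonTimestamp, even after subtracting the 14-day update lag, is later than the moment the password expired. The five sample rows are constructed from the post's table and run offline; the pipeline at the end is the real run and reads each account's resultant password policy so a fine-grained policy is not mistaken for the 60-day domain policy.

```powershell
# Added example (editor's, not from the original post). Lists accounts whose
# lastLogonTimestamp is later than the moment their password expired, which is
# the condition the post describes. The sample rows are constructed from the
# post's table; the pipeline at the end is the real run against AD.
function Find-LogonAfterPasswordExpiry {
    [CmdletBinding()]
    param(
        # Objects with SamAccountName, PasswordLastSet, LastLogonDate,
        # PasswordNeverExpires and MaxPasswordAge (the policy that applies to that account)
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Account,
        # lastLogonTimestamp is only rewritten when it is more than this much older than
        # the logon, so the stored value can lag the real last logon by up to this long.
        [TimeSpan] $ReplicationLag = [TimeSpan]::FromDays(14)
    )
    process {
        if ($Account.PasswordNeverExpires -or -not $Account.PasswordLastSet) { return }
        $expiredAt = $Account.PasswordLastSet + $Account.MaxPasswordAge
        # The stored stamp is a real logon time; the lag only means the true last logon
        # may be later still. Subtracting the lag matches the post's "+/- 14 days" test.
        $stamp = $Account.LastLogonDate
        if ($stamp -and ($stamp - $ReplicationLag) -gt $expiredAt) {
            [pscustomobject]@{
                SamAccountName     = $Account.SamAccountName
                PasswordLastSet    = $Account.PasswordLastSet
                PasswordExpiredAt  = $expiredAt
                LastLogonTimestamp = $stamp
                DaysPastExpiry     = [math]::Round(($stamp - $expiredAt).TotalDays, 1)
            }
        }
    }
}

# Constructed sample mirroring the post (60-day policy, no never-expire flag).
$sample = @(
    @{ SamAccountName='User1'; PasswordLastSet='2018-03-19 09:14:43'; LastLogonDate='2018-08-04 02:33:51' },
    @{ SamAccountName='User2'; PasswordLastSet='2018-05-21 09:01:16'; LastLogonDate='2018-08-04 02:22:59' },
    @{ SamAccountName='User3'; PasswordLastSet='2018-05-03 15:33:24'; LastLogonDate='2018-08-04 02:46:49' },
    @{ SamAccountName='User4'; PasswordLastSet='2018-05-31 14:58:10'; LastLogonDate='2018-08-04 02:44:31' },
    @{ SamAccountName='User5'; PasswordLastSet='2018-05-11 08:07:12'; LastLogonDate='2018-08-04 02:48:29' }
) | ForEach-Object {
    [pscustomobject]@{
        SamAccountName       = $_.SamAccountName
        PasswordLastSet      = [datetime]$_.PasswordLastSet
        LastLogonDate        = [datetime]$_.LastLogonDate
        PasswordNeverExpires = $false
        MaxPasswordAge       = [TimeSpan]::FromDays(60)
    }
}
$sample | Find-LogonAfterPasswordExpiry | Format-Table

# Real run: per-account resultant policy, so a fine-grained policy is not mistaken
# for the default domain policy. Requires the ActiveDirectory module.
$default = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires |
    ForEach-Object {
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_
        $age  = if ($fgpp) { $fgpp.MaxPasswordAge } else { $default }
        $_ | Add-Member -NotePropertyName MaxPasswordAge -NotePropertyValue $age -PassThru
    } |
    Find-LogonAfterPasswordExpiry | Export-Csv .\logon-after-expiry.csv -NoTypeInformation
```

Pass -ReplicationLag ([TimeSpan]::Zero) to use the stored timestamp as-is; the default of 14 days reproduces the generous test in the post and drops any account whose stamp falls inside that window after expiry.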

Cannot delete server from ADSS. No exist


Hello everyone

I have this issue.

I have my parent domain and some child domains in my infrastructure.

In the past weeks I configured one child domain with the name pdc01-svz; I don't know why ADSS registers another name in the same site.

I want to delete this other connection and I get this error:

Error ADSS

New DC not taking over

I am replacing a Windows 2008 server that's aged out with a Windows 2012 R2 server. I promoted the new server to DC, then assigned it the five FSMO master roles, but when I down the old server, the new one isn't taking over completely. It has the volume, DNS, DHCP, and all services apparently replicating and not complaining, but when I down the Win2008 server, my workstations aren't always (they do in some cases) successfully passing credentials between the workstation and server, and instead give a prompt for credentials. What am I missing?

I want to send Messages from my Active Directory Server to all currently logged on Users. My Active Directory Server is Windows 2012 R2 & Client Operating Systems are Win7, win8 & Win10. Please provide the resource about this.


Sending messages from my Active Directory Server to all currently logged on users.

Permissions to create Reverse Lookup Zones in DNS

What Active Directory permissions are needed to create Reverse Lookup Zones in DNS? My co-worker is getting an access denied error when completing the wizard for this and the zone is NOT created. He is a member of the "DnsAdmins" group and he can create Forward Lookup Zones. We are running Server 2008 R2 SP1 on our Domain Controllers where DNS is running. Any ideas?

Browser selection issues


Hi all,

We have five remote sites and no DCs there. All users log in to the HQ and DR site DCs. Now we noticed that each site has a lot of browser election broadcasts. NetBIOS over TCP is disabled.

The HQ DC (W2K12) is selected as Domain Master Browser, and both servers are running the service.

Clients are Windows 7.

How do I stop these broadcasts?

AS


User Profile Cant be loaded

Recently we started to get an issue with our internal network workstations (not accessible from the internet, physically or logically).
The error message started to appear on Windows 7 workstations; during the first days the error was reported from about 1 or 2 workstations daily, but now the issue is happening on Windows 10 and Windows 7 and the calls have grown to about 5 to 8 per day.
The error message is: "The User Profile Service service failed the login. User profile can't be loaded."
We fix the problem by overwriting the default profile folder on the workstation with one from another working machine, but we don't have an explanation for why the problem is happening and why it's spreading everywhere.
 
Notes:
1- The problem is happening on Windows 10 and Windows 7 workstations with different build versions and different PC hardware models.
2- We are using McAfee antivirus with the latest daily update (downloaded and pushed offline), and the path for the default profile has been excluded from scanning for troubleshooting reasons.
3- When we check an affected workstation we find an error regarding a network disconnect, followed by GPOs not being applied on that workstation.
4- We are using local profiles for our domain users.
5- When we check an affected workstation we find an error regarding a network disconnect, followed by GPOs not being applied on that workstation.
 
Last changes before the problem started:
1-     Applied a password policy (group policy) at the domain level. (Working currently)
2-     Pushed Internet Explorer 11 (upgrade) for Windows 7 only through SCCM 2012 R2 SP1
3-     Configured an antivirus policy to block the Temp folder.

We did the following steps to troubleshoot the issue:
1-     Stopped pushing the IE11 deployment.
2-     Removed the antivirus policy blocking the Temp folder.
3-     Stopped scanning the Users folder with the antivirus (McAfee).

But the issue still exists and keeps increasing. Recently Windows 10 has had the issue as well. The Event IDs are as follows:
1-     1509   (source: User Profile General)

2-     1534   (source: User Profile General)

On affected computers we followed one Microsoft article, but the folder path it mentions did not exist on most of those computers (Windows 7 only), so the user profile issue is not occurring because of the IE update:


What else can we do to find out the cause of this issue?

Best Regards,


ROOT SERVER LOGIN ISSUE


While logging in to the root server (2008 R2) we get: "The security database on the server does not have a computer account for this trust relationship."

We are only able to log in in safe mode.

Please give the best solution.

Default printer settings


All,

We have begun the process of moving our default printer settings into AD. We have several report sites with a mobile workforce. As a result we will be setting the printer by IP address. However, we have several users that require printers outside of this default. How can we allow those users to define their own default printer? And how do we allow the users to select their own printer preferences?

Error: Service RTCSRV entered into an unexpected state while waiting. Expected State: Running. Actual State:Stopped


Hi,

The Skype for Business Server Front-End service does not start.

Error: Service RTCSRV entered into an unexpected state while waiting. Expected State: Running. Actual State: Stopped

> Assign Certificate
Set-CSCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03 -Confirm:$false -Report "C:\Users\administrator.Milad\AppData\Local\Temp\2\Set-CSCertificate-[2018_08_16][12_40_26].html"

WARNING: The subject name "*.xxx.com" of the certificate does not match the computer fully qualified domain name (FQDN) "SE2016vmSKY-006.xxx.com".

WARNING: The subject alternative names "*.xxx.com,xxx.com" of the certificate "BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03" do not contain the computed alternative names "SE2016vmSKY-006.xxx.com,dialin.xxx.com,meet.xxx.com,admin.xxx.com,LyncdiscoverInternal.SE2016vmSKY-006.xxx.com,Lyncdiscover.SE2016vmSKY-006.xxx.com".
The following certificate was assigned for the type "Default":
Default: BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03 *.xxx.com 08/11/2019 CN=Certum Domain Validation CA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL 29B357C9FFED1EF01AEA39FD0A4CFFB6
The following certificate was assigned for the type "WebServicesInternal":
WebServicesInternal: BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03 *.xxx.com 08/11/2019 CN=Certum Domain Validation CA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL 29B357C9FFED1EF01AEA39FD0A4CFFB6
The following certificate was assigned for the type "WebServicesExternal":
WebServicesExternal: BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03 *.xxx.com 08/11/2019 CN=Certum Domain Validation CA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL 29B357C9FFED1EF01AEA39FD0A4CFFB6
WARNING: "Set-CSCertificate" processing has completed with warnings. "2" warnings were recorded during this run.
WARNING: Detailed results can be found at


Best Regard Mohammad Reza Abdi

The subject alternative names "*.AA.com,AA.com" of the certificate "BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03" do not contain the computed alternative names


Warning: The subject alternative names "*.AA.com,AA.com" of the certificate "BC26F93E63E0CFCE1A8929279F4FD2E7205D1A03" do not contain the computed alternative names "SE2016vmSKY-006.AA.com,dialin.AA.com,meet.AA.com,admin.AA.com,LyncdiscoverInternal.AA.com,Lyncdiscover.AA.com".

The Skype for Business Server Front-End service does not start.


Best Regard Mohammad Reza Abdi
