Backtrack:  
 
showing posts tagged with 'ad'
 
edited by on April 22nd 2021, at 10:40

In the past, whenever you needed to reset the machine (computer) account password of a computer joined to an Active Directory domain, you could use netdom.exe to perform the task. netdom.exe no longer ships with Windows 10, but you can perform the same task through PowerShell:

Reset-ComputerMachinePassword -Server dc.domain.local -Credential (Get-Credential)

Replace dc.domain.local with the FQDN of a domain controller, or simply type the domain name (domain.local) to let the cmdlet select a domain controller automatically. When running the cmdlet, you will also be prompted for the credentials of an account that has been delegated the right to reset the computer account password of this particular machine.

edited by on November 30th 2020, at 16:45
A long-standing issue (going back as far as Windows 10 1511) exists where GPOs are not (or not always) applied on Windows 10 machines, even though the entire setup checks out (correct GPO links, network in working order, domain controllers functional). Back in Windows 10 1511, an update introduced something called UNC hardening, which caused this behaviour. Although this was expected to have been resolved in a later cumulative update, there are still numerous reports of users encountering the issue all the way up to Windows 10 2004.

Should you be affected by this issue, the symptoms are as follows:

You are able to successfully log on using a domain account you'  ...
edited by on November 16th 2020, at 15:31

Using PowerShell, you can quickly verify the status of replication between domain controllers in Active Directory. This can be used in monitoring to verify that AD replication is healthy. It can be run on any domain controller, or on another system with RSAT or the ActiveDirectory PowerShell module installed.

Get-ADReplicationPartnerMetadata -Target "$env:USERDNSDOMAIN" -Scope Domain | FT -Auto Server,LastReplication*

To see forest-wide replication, replace -Scope Domain with -Scope Forest.
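Building on the cmdlet above, the following is an added example (not part of the original post) that turns it into a monitoring check: it flags every replication partner whose last attempt failed or whose last success is older than a threshold, and exits non-zero so an agent can alert. The 2-hour threshold is an assumption; adjust it to your topology and replication schedule.

```powershell
# Added example: flag failed or stale AD replication partners.
Import-Module ActiveDirectory

function Get-ReplicationProblems {
    param(
        [string]$Target = $env:USERDNSDOMAIN,
        [ValidateSet('Domain', 'Forest')][string]$Scope = 'Domain',
        [TimeSpan]$MaxAge = [TimeSpan]::FromHours(2)   # assumed threshold
    )
    $now = Get-Date
    Get-ADReplicationPartnerMetadata -Target $Target -Scope $Scope | ForEach-Object {
        $age = $now - $_.LastReplicationSuccess
        # LastReplicationResult is 0 on success, otherwise a Win32 error code.
        if ($_.LastReplicationResult -ne 0 -or $age -gt $MaxAge) {
            [pscustomobject]@{
                Server       = $_.Server
                Partner      = $_.Partner
                Partition    = $_.Partition
                LastResult   = $_.LastReplicationResult
                Failures     = $_.ConsecutiveReplicationFailures
                LastSuccess  = $_.LastReplicationSuccess
                MinutesStale = [math]::Round($age.TotalMinutes)
            }
        }
    }
}

# Use -Scope Forest to cover every naming context in the forest.
$problems = Get-ReplicationProblems
if ($problems) {
    $problems | Format-Table -AutoSize
    exit 1      # non-zero exit code lets a monitoring agent raise an alert
}
Write-Output "AD replication healthy for $env:USERDNSDOMAIN"
exit 0
```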

edited by on September 12th 2017, at 09:47
Occasionally, you may encounter AD account lockouts where the reason for the lockout is not apparent. Enabling NETLOGON logging on your domain controllers may help in this regard. The NETLOGON log file provides detailed logging of all NETLOGON events and helps you trace the originating device on which the logon attempts (and the subsequent lockout) occur.

To enable NETLOGON logging, run the following command (from an elevated command prompt):

nltest /dbflag:0x2080ffff

The parameter is an integer value of flags, and 0x2080ffff is the highest level, showing detailed timestamps, the domain controller clients authenticate against, the client site, account password expiration, and much m  ...
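Once logging is enabled, the log grows quickly, so the following added example (not from the original post) summarises the failed logons per account and source workstation, which is usually enough to find the device causing a lockout. The sample lines are constructed; the parsing assumes the usual netlogon.log line layout ("... logon of DOMAIN\user from HOST (via DC) Returns 0x...") and the two NTSTATUS codes shown.

```powershell
# Added example: find which workstation generates the bad-password attempts
# recorded in netlogon.log. Sample lines below are constructed.
$sampleLog = @'
04/22 09:14:01 [LOGON] [2184] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-017 (via FS01) Entered
04/22 09:14:01 [LOGON] [2184] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-017 (via FS01) Returns 0xC000006A
04/22 09:14:03 [LOGON] [2184] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-017 Returns 0xC000006A
04/22 09:14:05 [LOGON] [2184] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-017 Returns 0xC0000234
04/22 09:15:10 [LOGON] [2184] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from LAPTOP-44 Returns 0x0
'@

# NTSTATUS codes relevant to lockout tracing.
$statusText = @{ '0xC000006A' = 'Wrong password'; '0xC0000234' = 'Account locked out' }

function Get-NetlogonFailures {
    param([string[]]$Lines)
    # Captures account, source host, optional relaying server and the returned status.
    $pattern = 'logon of (?<account>\S+) from (?<source>\S+?)(?: \(via (?<via>\S+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches.code -ne '0x0') {
            [pscustomobject]@{
                Time    = $line.Substring(0, 14)      # "MM/DD HH:MM:SS"
                Account = $Matches.account
                Source  = $Matches.source
                Via     = $Matches.via
                Status  = if ($statusText.ContainsKey($Matches.code)) { $statusText[$Matches.code] } else { $Matches.code }
            }
        }
    }
}

# On a DC, replace $sampleLog with: Get-Content C:\Windows\debug\netlogon.log
$failures = Get-NetlogonFailures -Lines ($sampleLog -split "`r?`n")

# Which account/source pairs fail most often: the top entry is the likely culprit.
$failures | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account, Source'; e = { $_.Name } } | Format-Table -AutoSize

# Full detail, including the relaying server for transitive logons.
$failures | Format-Table -AutoSize
```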
edited by on January 19th 2017, at 14:49
ADMT stands for Active Directory Migration Tool and is used to migrate AD objects (such as users, groups, computers, etc.) from one AD forest or domain to another, supporting complex scenarios in the process.

Why Microsoft hides its most useful tools is a mystery, though. So here are the download links. Note that you will need to accept some EULAs and have a Microsoft Account if you wish to download it.

Navigate to https://connect.microsoft.com/site1164/program8540.

If you have not done so already, you will have to log on with a Microsoft Account, join the program, and accept its EULAs.

Then, you will be able to click through to the download page and download ADMT version 3.2, and, if req  ...
edited by on December 15th 2016, at 14:48

Ned Pyle from Microsoft TechNet wrote an article about DCDiag, explaining in detail what it actually does.

Read full article on TechNet.

edited by on August 4th 2016, at 10:57

Using ADUC, it can be quite a hassle to find and/or unlock AD accounts. PowerShell solves this by providing some neat commands for a system administrator to use.

To list all locked out AD accounts:

Search-ADAccount -LockedOut

To get more info about these accounts, pipe them through Format-List (FL):

Search-ADAccount -LockedOut | FL

Furthermore, you can pipe the output to quickly unlock some/all AD accounts:

Search-ADAccount -LockedOut | Unlock-ADAccount
edited by on April 21st 2016, at 16:43
During the installation of ADMT PES (Password Export Server), the installer reports that the encryption key password is wrong, even though you are absolutely sure it is the correct password. Although KB2004090 states this applies to 3.1, the problem also exists in 3.2.

The reason for this is that the MSI installer does not elevate the session. If you are not logged on with the Administrator account, elevation does not occur automatically and the error mentioned above appears, without any mention of elevation requirements.

To work around the issue, you can follow the steps below. This will ensure the MSI installer runs in an elevated session and the installation will continue as normal. Altern  ...
edited by on November 5th 2015, at 11:03

Sometimes you may want to set or clear attributes of an AD object (e.g. the extensionAttributes of an AD user) through PowerShell.

To set an attribute:

Set-ADUser -Identity "AnyADUser" -Add @{extensionAttribute15="SomeValue"}

To clear an attribute (i.e. unset the attribute):

Set-ADUser -Identity "AnyADUser" -Clear extensionAttribute15
edited by on October 19th 2015, at 12:59
When users change the password of their on-premises AD account, the change is not replicated to Office 365 (Azure AD). In the event log of the server running AD Sync, event 611 is logged:

Event ID 611
Password synchronization failed for domain: constoso.com.

Details:
System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.

To resolve the issue, a registry setting has to be changed on the server running AD Sync, followed by a reboot:

On the server running AD Sync, open regedit.

Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ldap

Set the value of LdapClientIntegrity to 0.

Restart the se  ...
edited by on August 21st 2015, at 11:06

You can mail-enable multiple accounts with a single PowerShell command. See below for some examples:

Mail-enable AD accounts whose first name is John:

Get-ADUser -Filter * | Where {$_.GivenName -like "John"} | ForEach-Object { Enable-Mailbox -Identity $_.DistinguishedName }

Mail-enable all accounts in an OU called Engineering:

Get-ADUser -Filter * -SearchBase "OU=Engineering,DC=contoso,DC=local" | ForEach-Object { Enable-Mailbox -Identity $_.DistinguishedName }
edited by on July 9th 2015, at 09:31

Based on recommendations and best practices from Microsoft, and information I found here, I compiled a FSMO placement scenario for 2 domain controllers:

DC1 | DC2
PDC Emulator
RID Master
Infrastructure Master
Schema Master
Domain Naming Master
Global Catalog

Also, if your domain is top-level in the AD forest, configure DC1 to sync with external time sources.

edited by on July 3rd 2015, at 15:46
Active Directory uses Kerberos for authentication, which relies strongly on the date and time of day being synchronised across the entire network and all devices in it. By default, each server and client joined to the AD, including domain controllers, follows the domain hierarchy to sync its time. Domain controllers automatically determine whether they can be used as a (reliable) time source. If a DC considers itself a time source, it will accept requests from clients and provide them with its own current time.

Domain controllers at the top of the forest (top-level DCs) don't have another server above them to sync against, so they can either opt to sync   ...
edited by on July 2nd 2015, at 13:29
Contacting a domain controller in Active Directory is done through DNS lookups. Several DNS SRV records are used to find domain controllers in a site. If multiple domain controllers are present in the same site, the client arbitrarily selects one, based on the contents of those records.

By default, the selection is random, and all DCs have an equal chance of being picked. The inherent properties of SRV records allow this behaviour to be influenced by changing the weight and priority of those records. This enables fine-tuning and configuration of which DC to favour or even exclude. By default, all SRV records (thus, all DCs) have their weight and priority set to 0.

The weight defines  ...
edited by on June 26th 2015, at 14:50

Microsoft has released Azure Active Directory Connect to the general public. Azure AD Connect replaces (although "incorporates" is a better word) DirSync as the new tool to set up synchronization between your on-premises Active Directory and Azure Active Directory, including Office 365.

The current version of Azure AD Connect is only the beginning. Microsoft has announced a lot more features, which will be made available in the next versions.

More information and installation resources: https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-aadconnect/

edited by on June 26th 2015, at 12:01
When attempting to trigger AD replication from one DC to another using Active Directory Sites and Services or repadmin.exe, you may get the following error:

AD Replication error 8452:
"The naming context is in the process of being removed or is not replicated from the specified server."

The most common cause for this error is that you tried to replicate between DCs for which no DS replication connection exists. The replication attempt will therefore fail. As a workaround, try replicating to the target DC from another source DC. Alternatively, create a new replication connection between the target and source DCs:

Open Active Directory Sites and Services.

In the tree to the left, locate t  ...
edited by on June 26th 2015, at 11:25

Active Directory (AD) integrated DNS zones are not replicated by the DNS server itself, but through the Active Directory replication mechanism, using the same settings as AD replication.

You can trigger replication through Active Directory Sites and Services, or with repadmin.exe on command prompt:

repadmin.exe /replicate target_dc source_dc DC=DomainDnsZones,DC=domain,DC=com

Replace parameters accordingly:

  • target_dc is the DC to replicate to
  • source_dc is the DC to replicate from
  • Edit the naming context so it includes your FQDN: e.g. contoso.co.uk becomes DC=contoso,DC=co,DC=uk
edited by on June 24th 2015, at 13:07
With dcpromo.exe now being deprecated on 2012 and 2012 R2, it is no longer obvious which method to use to demote a domain controller. Although you could resort to PowerShell to get it done, there is also a way to demote using Server Manager, albeit not a very clear one.

The trick is to attempt to remove the Active Directory Domain Services role from the server using Server Manager. When you try to remove it, you will be prompted to demote the domain controller before the role can be removed, along with a link to actually perform this task.

Start Server Manager. In the upper right corner, click Manage, then click Remove Roles and Features.

Continue in the wizard that appears, making sure th  ...
edited by on June 12th 2015, at 13:14
Attached to this article are scripts to configure proxy settings for Internet Explorer (all versions). As Google Chrome uses the IE settings for its proxy configuration, they can be used for that browser as well. I know there are other, far better methods for configuring proxy settings for clients, but read on to see why they were not usable in this particular case.

I ran into a customer where they were still using Internet Explorer Maintenance in their group policies to configure proxy settings for their clients. As a result, all users who got more recent computers did not get the proxy settings, as they were running Internet Explorer 10 or newer. Starting from IE10, configuration of  ...
edited by on June 10th 2015, at 16:04

When demoting a 2003 domain controller using dcpromo, you may run into the following error:

Error
The operation failed because:

Failed to configure the service NETLOGON as requested

"The wait operation timed out"

The error message is quite misleading, as the real cause has nothing to do with NETLOGON but is in fact a DNS issue. Most likely, the server's primary DNS points to itself, using the loopback address (127.0.0.1) or its own IP address.

You can correct the issue by pointing DNS to the remaining domain controllers and removing any DNS entry pointing to the server itself (i.e. the loopback address or any other IP owned by the server being demoted).
