Backtrack:  
 
showing posts tagged with 'ad'
edited by on June 10th 2015, at 14:29

There are two ways to see which Certificate Authority servers exist in your AD domain.

1. Check the Cert Publishers group

The AD group Cert Publishers contains the servers that are permitted to publish certificates to AD. As a consequence, this group will contain all servers that are CAs.

2. Use certutil

You can use the certutil command to view (and select from) a list of CAs in the current AD domain:

certutil -config - -ping

Note: type the command as-is, including all spaces and hyphens.

A window will appear, listing the CA name and the server it runs on.

edited by on June 10th 2015, at 14:20
After migrating AD from 2003 to 2012, I ran into this issue on a RADIUS server running 2008 R2, used for authentication. When attempting to retrieve AD information for a particular user, the following error appeared:

Error
An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.

The solution (at least for Windows 7 and 2008 R2), is to install hotfix 2830145.

The hotfix is only available by request through e-mail.

When attempting to log on to a 2012-based domain controller, the following SIDs are unmappable:

S-1-18-1 : Authentication authority asserted identity

S-1-18-2 : Service asserted identity

2012 introduces two new securit  ...
edited by on June 5th 2015, at 10:40
If your inter-domain trust is down, and the eventlog reveals the following error:

Error
There are currently no logon servers available to service the logon request. (0x51F)

Then check the following:

Check whether you can still access the DNS servers at the other side: try using the name first, then try through IP. If DNS does not work, there's an issue with your DNS.

Check whether the DNS zones for the domain are still in place. If it exists, try performing a reload from master. If this fails, you either have connection issues, or the other side has removed the required zone delegation, preventing you from retrieving the zone information.

If you can neither connect through DNS or IP, ch  ...
edited by on May 28th 2015, at 10:46

When attempting to log on with a domain account on a computer joined to a domain that has both 2012R2 and 2003 domain controllers, you may encounter the following error:

Error message
unknown username or bad password

Additionally, an Event ID 4 on Source: Kerberos is logged. You can only log on using local accounts.

Solution

Mixed 2012R2 and 2003 AD environments require hotfix 2989971 to be installed on every 2012R2 DC. See the KB for a full explanation.

The hotfix requires Update 1 (2919355) to be installed first. The hotfix is also included in update rollup 2984006.

edited by on November 20th 2014, at 15:16
Lingering objects in Active Directory are a pest, and require a lot of work to properly dispose of. Luckily, there's repldiag.exe, part of Active Directory Utils. This tool resolves lingering objects by automating the required procedure and the set of commands that must be run to clean them up.

In normal circumstances, you would have to look up and run various commands to completely clean out the AD database on each DC. repldiag.exe does the hard work for you: it enumerates the DCs and runs the cleanup on each one, cross-referencing with the other DCs, using the built-in commands and APIs (such as those used by repadmin and other tools).

Down  ...
by on January 1st 1970, at 01:00
Here's a quick and dirty guide to the setup of a read-only Domain Controller (RODC) on a Core-based installation.

Deploy your Core-based server like you normally would.

Using sconfig, perform these tasks in order:

Configure network.

Optionally, configure computer name.

Join the computer to the domain.

After the reboot, install the required role via PowerShell:

Install-WindowsFeature AD-Domain-Services

After that's successful, use PowerShell to promote the server to an RODC (adjust parameter values accordingly):

Install-ADDSDomainController -Credential (Get-Credential) -DomainName domain.local -SiteName "Default-First-Site-Name" -InstallDNS:$true -ReadOnlyReplica:$true -For  ...
by on January 1st 1970, at 01:00
To troubleshoot issues with DNS dynamic updates (e.g., certain Active Directory-joined Windows servers not properly registering their hostnames in DNS), there's an easy way: use the DNS Server's audit log, where DNS updates are logged. Because of the way these events are structured, the standard filters cannot filter on the contents of the log entries, so to filter on certain IP addresses or hostnames you'll need to use custom XML filters.

The audit log can be found in the Event Viewer at Applications and Services logs → Microsoft → Windows → DNS-Server → Audit. Once the log is open, click on Action → Fi  ...
by on January 1st 1970, at 01:00
You can use the CertReq command line tool to request SAN SSL certificates. This can be useful where you have an internal (web)server which also needs to be available using another (alternate) DNS name.

First create a template file specifying the required parameters. Save it under a name such as request.inf in a temporary (work) folder (or simply on your desktop):

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=SERVER1.domain.com, OU=Some OU, O=Organization, L=City, S=State, C=US"
;Subject = "CN=SERVER1.domain.com"
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger   ...
by on January 1st 1970, at 01:00
It can happen that the network profile on a domain controller switches to Private, usually after changing network settings or a network adapter. The network profile is then set to Private with no way to switch to Domain.

The first thing you can attempt is to restart the Network Location Awareness service. This service is responsible for setting the network profile depending on several parameters. It can sometimes get it wrong (usually because of startup order).

If restarting NLA helps, then there's an easy registry fix to permanently resolve it. This is the preferred method over manually configuring service dependencies in the registry, which is more complex and prone to errors. While the   ...