A question and out CA 'domain controller' templates, and kerbros/KDC in general

Similar Messages

• Does a domain controller need a certificate

  Hi,
  I have a certificate related question.  While checking the logs on our domain controller, I discovered a certificate problem.  In the Personal store is a Domain controller Template certificate that expired last year.  It was created by an
  enterprise CA that no longer exists and was not properly removed from the domain.  My question is:  Is the certificate needed for anything?    I inherited the administration of the domain and I am trying to clean it up.
  Thansk
  Ron Soulliard
  Ron Soulliard Systems Administrator Polaris Ventures

  Hi Ronald,
  In addition to the Paul's input,
  For your question Is the certificate needed for anything?, 
  It depends on your security requirement, such as the level of confidential information you share through network. 
  Certificate appears to be useful for doing SSL/IPSec, providing wireless authentication, and for securing VPN.
  Regarding Certificate Services, it allows you to create and manage "self signed" certificates. 
  It allows many security enhancements, but only to the point that any security service based on SSL certificates will be installed, configured, and enabled.
  Also it allows you to be your own Certificate Authority, instead of purchasing a commercial SSL certificate.
  Checkout the below thread dealing with the similar discussion,
  Is Certificate Services necessary for a small domain?
  Regards,
  Gopi
  JiJi
  Technologies

• Migration windows 2003 domain controller

  how to migrate windows server 2003 domain controller to windows server 2008/2012 

  Generally you would stand up the new server, join it to existing domain, dcpromo it and transfer the roles over.
  You can follow along on Meinolf's page.
  http://blogs.msmvps.com/mweber/2012/07/30/upgrading-an-active-directory-domain-from-windows-server-2003-or-windows-server-2003-r2-to-windows-server-2012/
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• Enter the forest and it locks me out of entering the domain controller or any child domains

  Using Windows Server 2008 R2 SP1, no matter if I use the Graphical User Interface (GUI) or the Answer Method to enter the forest and it locks me out of entering the domain controller or any child domains. 
  Is there a remedy to this?

  Hi Philo,
  Would you please tell us that how did you try to enter the forest?
  Are you able to run dcpromo to add domain controllers or create child domain?
  Best Regards,
  Amy

• 802.1x and Windows Domain Controller with ACS

  Wow, I am having a tough time getting my ACS and the Domain controller to work with 802.1x PEAP. Can somebody explane to me how to set up the domain controller (Active directry) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x how does my computer get a cert. from the CA if the port is disabled by 802.1x? And How do I set up my domain controller to work with ACS to authenticate users. I have been beating my self to death to figure this out. Any help would be ausome. I am really stuck on trying to make this work.
  Thanks a ton in advance
  Justin

  I as a Cisco customer would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
  By simply posting links is not very helpful. The reason most of us come to this site and post our questions, is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our question, intead of referring us to a link.
  Thank you,
  John...

• Exchange Server 2013 and Domain Controller

  Hello,
  I am planning to install domain controller and exchange server 2013 in same server hardware. Is that not recommended? If not, why is it no recommended?
  Thank you in advance,

  thanks for such a quick response.
  Just a small question about the link that you put. Does member server mean other server other than domain controller?
  Regards,
  Yes, Also the server on which you are installing Exchange should have exchange installed.
  Cheers,
  Gulab Prasad
  Technology Consultant
  Blog:
  http://www.exchangeranger.com    Twitter:
    LinkedIn:
     Check out CodeTwo’s tools for Exchange admins
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• SCOM Agent Grayed Out When Trying To Monitor Domain Controller

  Hi i am trying to monitor my domain controller from SCOM 2012 R2. But it is grayed out. I tried to restart the Monitoring Agent Service of DC. After this agent was showing healthy state but after some time it was gray once again. Repeated this process again
  and again and get the same result. I have also read many blogs related to this problem and all of them are saying to run HSLockdown.exe /A "NT AUTHORITY\SYSTEM" to allow this account. Also tried this approach but this command is not working. The
  command is not running. Please help.

  Hi Abhishek, if you'd like more information on the HSLOCKDOWN util, then check out the links below: 
  https://technet.microsoft.com/en-us/library/hh212737.aspx?f=255&MSPPError=-2147217396
  http://thoughtsonopsmgr.blogspot.com/2009/09/hslockdown-explained.html
  Gray agents could be caused by several issues, and without a detailed description of your SCOM configuration, and issues, it would be hard to pinpoint the root cause. Here's a comprehensive article on troubleshooting grey agents, that should guide you in
  your remediation efforts: http://support.microsoft.com/en-us/kb/2288515
  If you've found this post helpful,  please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  MrChiyo | My blog: Technical | Twitter: MrChiyo

• Windows Server Primary & Secondary Domain Controller Question

  lulzchicken wrote:
  Right now the DHCP is assigning 192.168.200.1 (DNS server) and 8.8.8.8 (Google's DNS) as DNS servers for each client. I don't necessarilly want to change these assignment settings,Yes, you do. This is absolutely the worst thing you can ever do with DNS. More details why here -> Ramblings of a Sysadmin: How to do DNS correctly
  Primary and secondary DNS should ALWAYS be internal.
  Your DNS Servers should use FORWARDERS go go out to google. That's the only place that should see google DNS servers in your environment.

  Hi everyone, thank you for taking the time to listen.
  I have successfully implemented an Active Directory setup using a Primary DC and a Secondary DC with Windows Server 2012 R2.
  EL1 is my PDC and EL2 is my BDC.
  Active Directory is in sync among the two Domain Controllers. Here is my question:
  If I were to have a policy (Group Policy) that sets the wallpaper of each client machine to whatever is in the "\\EL1\Wallpaper\wp.jpg" - what would happen if I were to have that Domain Controller fail? That directory is no longer available due to the outage - even though the Backup Domain Controller will still be pushing out the policy (pointing to the down server).
  My idea was to have that directory replicated on the Backup Domain Controller, "\\EL2\Wallpaper\wp.jpg" however - the policy will still be looking for the file in the Primary Domain...
  This topic first appeared in the Spiceworks Community

• How to script out to connect to Active Directory specific domain controller server?

  How to script out a script that enable us to connect to the specific domain controller server, it is because I have 2 different servers version and both of them have been communicate with powershell, thus, I wanted to powershell to communicate with one
  server version. How to script this out? 

  Please see the Posting Guidlines:
  http://social.technet.microsoft.com/Forums/en-US/a0def745-4831-4de0-a040-63b63e7be7ae/posting-guidelines?forum=ITCG
  and this article on how to ask questions in a technical forum:
  http://sincealtair.blogspot.com/2010/04/how-to-ask-questions-in-technical-forum.html
  [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

• How to join a Domain Controller Server to an two-tier (SQL Server 2012) and Sharepoint 2013 (SP2013) farm

  Hi,
  I am trying to build a 3-tier SharePoint 2013 farm.
  1. SQL Server 2012, Windows 2012 VM
  2. DC Server, Windows 2012 VM
  3. SharePoint 2013, Windows 2012 VM
  I didn't built the DC server. Someone else did. However, I created about 14 service domain user accounts for SQL Server and SharePoint install and operation.
  I was able to join the SQL Server into the SharePoint server farm using SharePoint 2013 Product Configuration Wizard.  When I start the Central Admin, and click on Servers in the Farm, I only see the SharePoint server and SQL server,
  but the DC server is not listed.  Any suggestion on what did I miss?
  Thanks
  Jean

  You cannot join the Domain Controller to your SharePoint farm.  You must instead join each server from that farm to the domain that is served up by that DC.  You will want to uninstall SharePoint and probably SQL before you do this.  If it's
  an option, I would re-provision your VMs completely and start fresh.  Once you login to a new server, join that server to the target domain like this: 
  http://www.petri.co.il/join-windows-server-2012-to-domain.htm
  You'd have to ensure that your DNS resolves to the target domain on the server being joined to the domain.  If it doesn't, you can always use HOSTS entries to overcome that in the short term.
  Once you've joined both the future SQL and SharePoint servers to the domain, you can install SQL Server and then SharePoint on their prospective servers to create your farm.
  I trust that answers your question...
  Thanks
  C
  |
  RSS |
  http://crayveon.com/blog |
  SharePoint Scripts | Twitter |
  Google+ | LinkedIn |
  Facebook | Quix Utilities for SharePoint

• New Domain Controller does not show in our different site's Domain controller's Sites and Services

  Hi,
  we have two sites in our AD environment. OMA site and NY site. we have three domain controllers in our OMA site and two domain controllers in our NY site. All our DCs are windows server 2008R2 except one in our OMA site that is 2003R2 the domain
  functional level is also 2003R2.
  We decided to raise our functional level to 2008R2. I added a new domain controller in our OMA site and transferred all FESMOS from the DC that was running 2003R2 to this new domain controller.
  the issue now is that our NY site does not make any connection with the new domain controller in OMA site. it does not even show it under sites and services. I have checked the DNS settings and everything. if you try to replicate the connections
  from NY site it gives the following error: "The naming context is in the process of being removed or is not replicated from the specific server."
  can anyone plz tell me why this is happening mt brain is just frozen at this moment and cant figure out why is this happening

  Just noticed this replication issue has been going on for a while now but we never noticed until I added new DC. here is the error log for the NY site DC.
  Log Name:      Directory Service
  Source:        Microsoft-Windows-ActiveDirectory_DomainService
  Date:          1/4/2014 8:11:40 AM
  Event ID:      2042
  Task Category: Replication
  Level:         Error
  Keywords:      Classic
  User:          ANONYMOUS LOGON
  Computer:      NORDC1.vertrue.com
  Description:
  It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
   The reason that replication is not allowed to continue is that the two DCs may contain lingering objects.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions
  of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".  If the local destination DC was allowed to replicate with the source DC, these potential lingering object
  would be recreated in the local Active Directory Domain Services database.
  Time of last successful replication:
  2013-05-16 15:26:38
  Invocation ID of source directory server:
  9236ac56-d046-4632-b072-acbe823c5f6c
  Name of source directory server:
  accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com
  Tombstone lifetime (days):
  90
  The replication operation has failed.
  User Action:
    The action plan to recover from this error can be found at
  http://support.microsoft.com/?id=314282.
   If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects
  <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source
  DC> <Destination DC DSA GUID> <NC>".
   If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at
  http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
   If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:
  Registry Key:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
   Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between
  DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime
  number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.  Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are
  located immediately.
  Alternate User Action:
  Force demote or reinstall the DC(s) that were disconnected.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
      <EventID Qualifiers="49152">2042</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>5</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2014-01-04T13:11:40.963263500Z" />
      <EventRecordID>38018</EventRecordID>
      <Correlation />
      <Execution ProcessID="660" ThreadID="1596" />
      <Channel>Directory Service</Channel>
      <Computer>NORDC1.vertrue.com</Computer>
      <Security UserID="S-1-5-7" />
    </System>
    <EventData>
      <Data>2013-05-16 15:26:38</Data>
      <Data>9236ac56-d046-4632-b072-acbe823c5f6c</Data>
      <Data>accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com</Data>
      <Data>90</Data>
      <Data>Allow Replication With Divergent and Corrupt Partner</Data>
      <Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
    </EventData>
  </Event>

• Can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server

  im my environment we are trying to upgrade from server 2k3 to 2k8, out testing done on server 2k3 to 2k8, but can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server ...kindly suggest
  Nitin Gaurav
  [email protected]

  Yes you can. If you have two 2003 AD servers currently and upgrade one of them to 2008 AD then they'll continue to be able to work together. The domains functional level will remain as 2003 across both servers so at this stage you won't get any benefit from
  the new AD functionality available in 2008.
  Once you've then upgraded the second 2003 server to 2008 you can then upgrade the functionality levels in AD to make it 2008. It's been a while, but I believe it doesn't happen automatically, so once all AD servers have been upgraded you have to go into
  AD and upgrade the functionality levels yourself.

• Question about adding Windows 2012 R2 Domain Controller, into a native Windows 2008 R2 single forest domain

  I current have a two server domain, both Windows 2008 R2 and fully updated.   The two servers are on subnet 10.0.1.0 /24
  - Windows 2008 R2 Server A: 10.0.1.1 (DC, GC, FSMO, DNS)
  - Windows 2008 R2 Server B: 10.0.1.2 (DC, GC)
  AD Domain: COMPANY.LOCAL
  I have a second connected subnet, 192.168.1.0 /24) which is routed to the 10.0.1.0/24 subnet and I would like to install a Windows 2012 R2 server onto a server on that subnet and make it a domain controller with AD-Integrated DNS and DHCP for the 192.168.1.0
  /24 subnet.
  - Windows 2012 R2 Server C: 192.168.1.1
  What are the proper progression steps, in order to bring up the Windows 2012 R2 server and then add it to my COMPANY.LOCAL domain and then promote it do a DC/GC/AD-Integrated DNS server?   Are they anything like the following:
  1. Install Windows 2012 R2 server (Server C)
  2. Point Windows 2012 R2 server DNS servers at Server's A and B
  3. Perform AD prep to extend AD schema to support Windows 2012 R2 domain controllers
  4. Promote Windows 2012 R2 server to domain controller (install local DNS service on Server C, during this step)
  * Question:  Will Windows automatically create a DNS zone for the Windows 2012 R2 subnet (192.168.1.0/24) AND also include the DNS zone from the previous Windows 2008 R2 domain (10.0.1.0 /24)?  Or will I need to add the 10.0.1.0 /24 zone to the DNS
  server on Server C, even though the DNS from the Windows 2008 R2 domain is AD integrated?

  Hi,
  Regarding the issue here, please take a look into below articles:
  System Requirements and Installation Information for Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn303418.aspx
  Release Notes: Important Issues in Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn387077.aspx
  Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
  http://technet.microsoft.com/en-us/library/jj574134.aspx
  Here is an example for promoting Windows Server 2012 to a DC, see:
  Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller
  http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
  As the server is promoted to a DC, DNS Zones will be replicated and synchronized to it automatically whenever the new one is added to an AD DS domain,  bascially there is no special need to add zones,  for more information, please see:
  Understanding Active Directory Domain Services Integration
  http://technet.microsoft.com/en-us/library/cc726034.aspx
  Hope this may help
  Best regards
  Michael
  If you have any feedback on our support, please click
  here.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Create a Domain Controller and a Child Domain using Powershell

  Is it possible to create a Domain Controller and a Child Domain using Powershell?

  Yes, you can do that:
  WS2008R2 -
  http://technet.microsoft.com/en-us/library/cc731394%28v=ws.10%29.aspx
  http://technet.microsoft.com/en-us/library/cc731873%28v=ws.10%29.aspx - This isn't technically PowerShell.
  WS2012 -
  http://technet.microsoft.com/en-us/library/jj574105.aspx
  EDIT: You've asked this same question a few times now, is there something specific that's giving you trouble?
  Don't retire TechNet! -
  (Don't give up yet - 12,830+ strong and growing)

• Upgrading Domain Controller Questions

  Hello, we currently have 2 domain controllers in our environment, both with Server 2003 R2. We are looking to upgrade them one at a time to 2008 R2 but I have some questions. 
  Here's the environment:
  Server 1 (the one we are going to upgrade first):
  Server 2003 R2
  Domain Controller
  DHCP Server
  DNS Server
  Server 2 (we will be upgrading this in the near future but not just yet):
  Server 2003 R2
  Domain Controller
  DHCP Server
  DNS Server
  File Server with most of the company data
  We also have DNS replication set up between the two servers. 
  My questions:
  Will we run into any issues having two domain controllers with different Operating Systems?
  We would like for the domain controllers to keep the same names and IP's. Any issues with that?
  How will we stop, then re-setup DNS replication between the two servers?
  Any other 'gotcha's' we should be aware of?
  Dan Chandler-Klein

  I don't see any reason why not keeping old name and IP.
  Before upgrading make sure AD has no issues:
  look at the event viewer, run DCDiag, replication runs clean (repadmin /showrepl) etc.
  OS has no warning/errors.
  Not  must but I would move the FSMO roles to another DC before demote.
  Make sure applications installed on the new DC's (AV\Backup agents etc.)  support Windows 2008 R2 OS.
  Make sure all your network applications in your environment support working with Windows 2008 R2 DC - I recommend test it in lab first.
  Make sure that the DC you are about to demote not holding CA role. 
  Most important:
  Make sure you successfully demote the old DC and no records left in DNS.
  I'm not agree with evrimicelli about DC's naming and I wouldn't go for CNAME record - this can get you in many troubles in the future. 
  after demote the old DC, I would rename it or remove it from the domain, than you can rename the new server with old Dc name and promote it to DC with old DCs' IP address. 
  I didn't understand the question about DNS replication.
  What kind of DNS zone do host?  if its AD integrated (and thats what you should have), you don't need to configure any replication, AD integrated DNS zone replicate as part of AD replication between your two DC's.
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.