All about Information Technology infrastructure and systems: helpdesk and support issues, deployment guides, and daily activity in managing an information technology operation.
Description:
One of your users suddenly sees the error message "Trust Relationship Between This Workstation And The Primary Domain Failed" when trying to log on to their machine.
You have verified that the computer account exists in Active Directory, that the DNS settings are correct, and that there is no port or networking problem.
You wish to remediate the issue without disjoining and rejoining the computer to the domain.
Resolution:
On the problematic machine, log on using a local administrator credential. Open PowerShell and run it as Administrator.
Type the following (DomainController is the name of a domain controller and DomainAdmin is an account allowed to reset the computer account password):
Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin
If the command completes successfully, log off and try to log on again.
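The same repair with a check before and after, as an added example that is not the post's own code: the password is only reset when the secure channel is actually broken, and the result is verified before the user is asked to log off. The DC name is a placeholder and the credential is prompted for.

```powershell
# Run in an elevated PowerShell on the affected workstation, logged on as a local administrator.
# Added example, not the original post's code. $dc is a placeholder domain controller name.
$dc   = 'DC01.corp.example'
$cred = Get-Credential -Message 'Domain account allowed to reset this computer account password'

# 1. Confirm the secure channel is really broken before changing anything.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host "Secure channel to $dc is healthy; no reset needed."
    return
}

# 2. Reset the computer account password both locally and on the DC in one step.
#    The machine stays domain-joined, so no disjoin/rejoin is required.
Reset-ComputerMachinePassword -Server $dc -Credential $cred

# 3. Re-test; only log off and back on once this returns True.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host 'Secure channel restored. Log off and log on with a domain account.'
} else {
    Write-Warning 'Secure channel still broken; check time skew, DNS and that the computer account is enabled.'
}
```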
Description:
You have several local accounts on your computer. One day, you need to find out which one is the real built-in local Administrator account (the one whose SID ends in -500, whatever it has been renamed to).
Resolution:
You can run the following PowerShell command on the local computer:
Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE and SID like 'S-1-5-%-500'"
Description:
On a DNS server that is also a Domain Controller, you notice that Event Viewer is full of the following error.
The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly.
The extended error debug information (which may be empty) is 0000051B: AtrErr: DSID-031508EF, #1:0: 0000051B: DSID-031508EF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).
Resolution:
Enable AD diagnostic logging by setting the Directory Access diagnostic value to 5.
Look for Event ID 1175 in Event Viewer and note the distinguished name of the object it reports. You may need to change the ownership of that AD object to SYSTEM and then restart the DNS service on the domain controller.
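The same steps scripted, as an added example that is not the post's own code: it raises the Directory Access diagnostic level in the NTDS\Diagnostics registry key, lists the Event ID 1175 entries so the distinguished name can be read from them, sets the owner of that object to SYSTEM and restarts DNS. $objectDN is a placeholder you replace with the DN from the event.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell on the affected DC
# (ActiveDirectory module present). $objectDN is a placeholder: use the DN from Event ID 1175.
Import-Module ActiveDirectory
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# 1. Raise the "Directory Access" diagnostic level to 5 (default 0) so failed directory
#    operations, including the one the DNS server is hitting, are logged with the object DN.
Set-ItemProperty -Path $diag -Name '8 Directory Access' -Value 5 -Type DWord

# 2. After the DNS server retries (or after Restart-Service DNS), pull the 1175 events and
#    read the distinguished name(s) out of their messages.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1175 } -MaxEvents 20 |
    ForEach-Object { $_.TimeCreated; $_.Message }

# 3. Take ownership of the reported object as SYSTEM and write the descriptor back.
$objectDN = 'DC=_placeholder,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example'
$acl = Get-Acl -Path "AD:\$objectDN"
"Current owner: $($acl.Owner)"
$acl.SetOwner([System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM')
Set-Acl -Path "AD:\$objectDN" -AclObject $acl

# 4. Return logging to the default and restart DNS so it re-reads the zone objects from AD.
Set-ItemProperty -Path $diag -Name '8 Directory Access' -Value 0 -Type DWord
Restart-Service -Name DNS
```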
To invalidate the current RID pool in Active Directory
Open an elevated Windows PowerShell session, run the following command and press ENTER:
$RootDSE.SetInfo()
To clear the cached Kerberos tickets:
Open an elevated Command Prompt.
Type:
klist purge
klist purge -li 0x3e7
Description:
You are trying to re-install NPCAP as part of a Microsoft Defender for Identity sensor deployment on a Domain Controller. However, you get stuck on an uninstall error.
You have tried removing the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst. However, the problem still exists.
Resolution:
Search for services that may still be using NPCAP, for example Wireshark or Cisco Tetration. Stop those services and try to re-install NPCAP again.
Description:
You are using a Domain Admins account and want to delete a "stale" Domain Controller (DC) from the Active Directory Users and Computers console. However, you get an access denied error.
Resolution:
Most probably the DC object is protected against accidental deletion.
Now you should be able to delete the Domain Controller from Active Directory Users and Computers console.
Description:
As a security best practice, we should not run SQL Server services with a domain admin credential. However, after changing the service to run as a normal domain user, you encounter a connection error when trying to connect from SQL Server Management Studio.
The error may say something like "The target principal name is incorrect. Cannot generate SSPI context."
Resolution:
We need to grant the domain user account the permission to modify the servicePrincipalName attribute in Active Directory.
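One way to grant exactly that permission, as an added example that is not the post's own code: the service account gets Read/Write on the servicePrincipalName attribute of its own object only, which is enough for SQL Server to register its SPNs without Domain Admin rights. The domain, account and host names are placeholders, and the attribute's schema GUID is looked up rather than hard-coded.

```powershell
# Added example, not the post's own code. Run as a Domain Admin with the ActiveDirectory
# module. Account and host names are placeholders.
Import-Module ActiveDirectory
$domainNetbios = 'CORP'
$sam           = 'svc-sql'                 # placeholder SQL Server service account
$sqlHost       = 'sql01.corp.example'      # placeholder SQL Server host FQDN

$acct    = Get-ADUser -Identity $sam
$trustee = [System.Security.Principal.NTAccount]"$domainNetbios\$sam"

# Look up the schema GUID of servicePrincipalName instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
$spnGuid  = [guid]$spnAttr.schemaIDGUID

# Grant Read + Write on exactly that one attribute of the account's own object: enough for
# SQL Server to register and maintain its SPNs, far less than Domain Admin.
$path = "AD:\$($acct.DistinguishedName)"
$acl  = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trustee,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $spnGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Register the SPNs once now; -S refuses to create a duplicate SPN elsewhere in the forest.
setspn -S "MSSQLSvc/${sqlHost}:1433" $sam
setspn -S "MSSQLSvc/$sqlHost" $sam
```

SQL Server also registers its own SPNs at service start once this permission exists, so the two setspn lines only avoid waiting for a restart.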
Description:
During an Active Directory upgrade, you might need to keep the old Domain Controller name because of an application requirement. You plan to use the swing method, where the new Domain Controller is renamed to the old Domain Controller's name.
Resolution:
Description:
You have configured the MBAM Application server and the MBAM Database server, and set a GPO for Drive Encryption to run automatically with minimal user interaction. However, when you test it, it shows the error "failed to encrypt".
Azure AD Connect uses three accounts to synchronize information from on-premises (Windows Server) Active Directory to Azure Active Directory. These accounts are:
AD DS Connector account: used to read/write information to Windows Server Active Directory
ADSync service account: used to run the synchronization service and access the SQL database
Azure AD Connector account: used to write information to Azure AD
In addition to these three accounts used to run Azure AD Connect, you will also need the following accounts to install it:
Local Administrator account: The administrator who is installing Azure AD Connect and who has local Administrator permissions on the machine.
AD DS Enterprise Administrator account: Optionally used to create the “AD DS Connector account” above.
Azure AD Global Administrator account: used to create the Azure AD Connector account and configure Azure AD.
SQL SA account (optional): used to create the ADSync database when using the full version of SQL Server. This SQL Server may be local or remote to the Azure AD Connect installation. This account may be the same account as the Enterprise Administrator. Provisioning the database can now be performed out of band by the SQL administrator and then installed by the Azure AD Connect administrator with database owner rights.
Description:
You want to use a group Managed Service Account (gMSA) in multiple domains of your forest. You also have a Group Policy that manages the User Rights Assignment settings in Active Directory. You need to add NT Service\All Services to those User Rights Assignment policies.
Resolution:
Description:
When you configure Azure AD Connect, you encounter an "Authorization Manager check failed" error message.
It says "An error occurred while retrieving the Active Directory Schema. The error are: AuthorizationManager check failed."
Try manually installing the Microsoft certificate:
Description:
You have Active Directory and Exchange servers running in your environment. One day, the Security team tells you that they found an account with excessive access on the AdminSDHolder container. The account was "DomainName\Exchange Servers" and it holds the Replication Synchronization extended right. You want to remove this excessive access.
First, you try to remove it through the GUI. Open the Active Directory Users and Computers console, go to System, then to the AdminSDHolder container. Right-click, open Properties, open Security, and click Advanced. You search for "DomainName\Exchange Servers" with the Replication Synchronization permission, but cannot find it.
Second, you try to confirm the existence of the extended right by running the following command:
DSACLS "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local"
And you can confirm the existence of the permission, as shown in the picture below:
Third, you try to remove it using the Exchange Management Shell by running the following PowerShell command:
Remove-ADPermission -Identity "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local" -User "DomainName\Exchange Servers" -ExtendedRights "Replication Synchronization"
Resolution:
We can remove the extended right on the AdminSDHolder container with the help of LDP.exe.
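An alternative to LDP.exe for the same cleanup, as an added example that is not the post's or Exchange's code: it resolves the Replication Synchronization right's GUID from the Extended-Rights container, shows the explicit ACEs on AdminSDHolder that grant it to the flagged group, and removes only those. The domain and group names are placeholders.

```powershell
# Added example, not the post's own code. Run as a Domain Admin with the ActiveDirectory
# module. $trustee is a placeholder for the group the security team flagged.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext
$path     = "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$trustee  = 'CORP\Exchange Servers'

# Resolve the extended right's GUID by display name rather than hard-coding it.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configDN" `
           -LDAPFilter '(displayName=Replication Synchronization)' -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

$acl = Get-Acl -Path $path
# Match explicit (non-inherited) ACEs for this trustee whose object type is exactly that right.
$hits = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $trustee -and
    $_.ObjectType -eq $rightGuid -and
    -not $_.IsInherited -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
$hits | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType

# Remove only the matched ACEs and write the security descriptor back.
foreach ($ace in $hits) { $acl.RemoveAccessRuleSpecific($ace) }
if ($hits) { Set-Acl -Path $path -AclObject $acl }
```

SDProp copies the AdminSDHolder ACL onto protected accounts and groups on its next run (every 60 minutes by default), so re-check both the container and a protected account afterwards.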
Description:
You have a security incident in Active Directory where a ransomware attack encrypted your vCenter infrastructure. All you have left is a backup from a month before the attack.
Resolution:
Although it is not recommended to use VM snapshots as your Active Directory backup method, in this situation you can use what you have at the moment.
You can follow this high-level guidance.
1. Choose a snapshot from a time when the malware or malicious file had not yet entered your production environment.
2. Recover only a single Domain Controller from the snapshot, preferably one that does not hold any Flexible Single Master Operation (FSMO) role. The rest of the DCs will be rebuilt from scratch and populated through AD replication.
3. Perform the recovery in an isolated network.
4. Make sure Active Directory recovers successfully and that SYSVOL and NETLOGON are shared properly.
5. Seize the FSMO roles to the recovered Domain Controller. Perform metadata cleanup of the remaining DCs.
6. Increase the RID pool number.
7. Reset all high-privilege account passwords twice.
8. Update security patches and antivirus.
9. Connect the new Domain Controller to the production network.
10. Re-create users or re-join computers as needed.
11. Continue building new Domain Controllers from clean machines as needed.
Note:
This guidance assumes you are able to get a snapshot from before the attack occurred. Sometimes the attack starts many months in advance, which makes recovering from a snapshot less beneficial.
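The RID pool invalidation that step 6 calls for, and of which the earlier "To invalidate the current RID pool" section shows only the final $RootDSE.SetInfo() line, as an added example that is not the post's own code: after a restore the DC must discard the RID range it was using at snapshot time so new security principals never receive a RID that was already handed out after the snapshot. Run elevated on the recovered DC as a Domain Admin; no names are assumed.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell on the recovered DC.
Import-Module ActiveDirectory

# invalidateRidPool is a rootDSE operational attribute that takes the domain SID as its value.
$domain    = New-Object System.DirectoryServices.DirectoryEntry     # binds to the default naming context
$domainSid = $domain.Properties['objectSid'].Value                 # byte[] form of the domain SID

$rootDSE = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$rootDSE.UsePropertyCache = $false
$rootDSE.Put('invalidateRidPool', $domainSid)
$rootDSE.SetInfo()                 # the line the earlier section shows on its own

# Verify: the local DC's RID Set should receive a new allocation pool the next time it needs
# a RID, so create one throwaway security principal (a group) and compare before/after.
$dc     = Get-ADDomainController
$ridSet = "CN=RID Set,$($dc.ComputerObjectDN)"
$users  = "CN=Users,$((Get-ADDomain).DistinguishedName)"
$before = (Get-ADObject -Identity $ridSet -Properties rIDAllocationPool).rIDAllocationPool
New-ADGroup -Name 'rid-pool-check' -GroupScope Global -Path $users
$after  = (Get-ADObject -Identity $ridSet -Properties rIDAllocationPool).rIDAllocationPool
Remove-ADGroup -Identity 'rid-pool-check' -Confirm:$false
"rIDAllocationPool before: $before  after: $after  (a different value means a new pool was issued)"
```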
There may be times when you want to restrict client machine or member server authentication to a specific Domain Controller only. One possible reason is that you are hardening a Domain Controller or Active Directory and want to test the impact on a limited set of production systems before going company-wide.
To restrict the client or member server authentication to a specific DC only, do the following:
1. Open Active Directory Sites and Services Console.
- Create a new Site.
- Assign a proper subnet to that site.
- Move the specific Domain Controller to that site.
2. Open Registry Editor on the client or member server.
- In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- Add the following multi-string value (REG_MULTI_SZ). Value Name: SiteName
- Value Data: TheNewSitename
3. Restart the client or member server to pick up the new setting. If you cannot restart the machine, run the following command instead:
nltest /dsgetdc:domainname /force
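The registry part of the procedure above done from PowerShell, with a before/after check and a rollback, as an added example that is not the post's own code. The site name is a placeholder for the site created in step 1.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell on the client or
# member server. $site is a placeholder for the site created in AD Sites and Services.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$site = 'TestHardeningSite'
$dom  = $env:USERDNSDOMAIN

# Record the DC and site in use before the change so the effect can be verified.
nltest /dsgetsite
nltest "/dsgetdc:$dom" | Select-String 'DC:', 'Dc Site Name'

# Pin the machine to the new site (REG_MULTI_SZ = MultiString; -Force replaces an existing value).
New-ItemProperty -Path $key -Name 'SiteName' -PropertyType MultiString -Value @($site) -Force | Out-Null

# Apply without a reboot, then confirm the locator now returns a DC from the pinned site.
nltest "/dsgetdc:$dom" /force | Select-String 'DC:', 'Dc Site Name'
nltest /dsgetsite

# Roll back once testing is done so the machine returns to normal site-aware DC location:
#   Remove-ItemProperty -Path $key -Name 'SiteName'; nltest "/dsgetdc:$dom" /force
```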