Showing posts with label Troubleshooting. Show all posts

Sunday, March 28, 2021

How to Add NT Service\All Services group to Active Directory User Rights Assignment

Description:

You want to use a group Managed Service Account (gMSA) on multiple domains in your forest. You also have Group Policy that manages the User Rights Assignment settings in Active Directory. You need to add NT Service\All Services to those User Rights Assignment policies.

Resolution:

  1. Open Group Policy Management and edit the Group Policy. For example, edit the “Default Domain Controllers Policy” if you want to modify the User Rights Assignment on Domain Controllers.
  2. Navigate to “Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment”
  3. Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and manually type “NT SERVICE\ALL SERVICES” (do not click Browse)
  4. Click OK twice
  5. Close the Group Policy Manager
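To confirm that the setting actually reached a machine after the GPO applies, the following PowerShell script (an added example, not part of the original post) exports the effective security policy with secedit and checks that S-1-5-80-0, the well-known SID behind NT SERVICE\ALL SERVICES, is listed under SeServiceLogonRight:

```powershell
# Added example, not from the original post. Run elevated on a machine where the GPO
# applies (e.g. a domain controller after "gpupdate /force").
$sid = 'S-1-5-80-0'          # well-known SID for NT SERVICE\ALL SERVICES
$cfg = Join-Path $env:TEMP 'secpol-export.inf'

# Export the effective local security policy; it includes the User Rights Assignment.
secedit /export /cfg "$cfg" /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }

# The export is UTF-16. Lines in [Privilege Rights] look like:
#   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20
$line = Get-Content $cfg -Encoding Unicode |
        Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
Remove-Item $cfg -Force

if (-not $line) { throw 'SeServiceLogonRight is not defined in the effective policy.' }
$principals = ($line -split '=', 2)[1].Trim() -split ',' |
              ForEach-Object { $_.Trim().TrimStart('*') }

# Resolve each SID to a name so the output matches what the GPO editor shows.
$resolved = foreach ($p in $principals) {
    $name = try {
        (New-Object System.Security.Principal.SecurityIdentifier($p)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $p }
    [pscustomobject]@{ Entry = $p; Name = $name }
}
$resolved | Format-Table -AutoSize

if ($principals -contains $sid) {
    Write-Host "OK: NT SERVICE\ALL SERVICES ($sid) has 'Log on as a service'."
} else {
    Write-Warning "NT SERVICE\ALL SERVICES ($sid) is missing from 'Log on as a service'; services running under a gMSA will fail to start here."
}
```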

Saturday, March 27, 2021

Error when Configuring Azure AD Connect - Authorization Manager check failed

Description:

When you configure Azure AD Connect, you encounter an "AuthorizationManager check failed" error message.

It says: "An error occurred while retrieving the Active Directory Schema. The error are: AuthorizationManager check failed."



Resolution:

Try manually installing the Microsoft certificate:

  1. Go to C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1
  2. Right-click the file and open Properties
  3. Go to the 'Digital Signatures' tab and open the details for the certificate
  4. Click View Certificate
  5. Click Install Certificate for the local machine
  6. Manually choose to store the certificate in 'Trusted Publishers'
  7. Click OK to close the certificate wizard
  8. Go back to the Azure AD Connect wizard, click Previous, then click Next again

Error when configuring Azure AD Connect at MSOnline.Format.ps1xml file

Description:

When you configure Azure AD Connect, you encounter an "AuthorizationManager check failed" error message.

It says: "Unable to retrieve the Azure Active Directory configuration. Errors occurred while reading the format data file: Microsoft.PowerShell, , C:\Program Files\Microsoft Active Directory Connect\AADPowerShell\MSOnline.Format.ps1xml: The file was skipped because of the following validation exception: AuthorizationManager check failed."



Resolution:

Try manually installing the Microsoft certificate:

  1. Go to C:\Program Files\Microsoft Azure Active Directory Connect\AADPowerShell\MSOnline.Format.ps1xml
  2. Right-click the file and open Properties
  3. Go to the 'Digital Signatures' tab and open the details for the certificate
  4. Click View Certificate
  5. Click Install Certificate for the local machine
  6. Manually choose to store the certificate in 'Trusted Publishers'
  7. Click OK to close the certificate wizard
  8. Go back to the Azure AD Connect wizard, click Previous, then click Next again
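Both of the "AuthorizationManager check failed" posts above come down to the same thing: the file is signed, but the signer is not yet trusted on the machine. The following PowerShell script (an added example, not part of the original posts) verifies the Authenticode signature first and only adds the signer to Trusted Publishers when the signature is valid and the subject is Microsoft; the default $Path is the AdSyncConfig.psm1 file from the first post and can be pointed at MSOnline.Format.ps1xml for the second:

```powershell
# Added example (not from the original posts). Run elevated on the AD Connect server.
param(
    [string]$Path = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
)

# Under AllSigned/RemoteSigned a signed file whose publisher is not in Trusted Publishers
# (and was not accepted interactively) fails with exactly this error.
Get-ExecutionPolicy -List | Format-Table -AutoSize

$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File       = $Path
    Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
} | Format-List

if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; do not trust this publisher. HashMismatch means the file changed after it was signed."
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Signer is not Microsoft Corporation: $($sig.SignerCertificate.Subject)"
}

# Same store the GUI steps use: LocalMachine\TrustedPublisher.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates.Find('FindByThumbprint', $sig.SignerCertificate.Thumbprint, $false)
    if ($present.Count -gt 0) {
        Write-Host 'Signer is already in LocalMachine\TrustedPublisher.'
    } else {
        $store.Add($sig.SignerCertificate)
        Write-Host "Added $($sig.SignerCertificate.Thumbprint) to LocalMachine\TrustedPublisher."
    }
} finally {
    $store.Close()
}
```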


Friday, March 26, 2021

Group Managed Service Accounts (gMSA) - PowerShell Command

The following are several useful group Managed Service Account (gMSA) PowerShell commands.

  • To query Active Directory for the list of hosts on which a specific gMSA account can be used, run:
    • Get-ADServiceAccount -Identity ITFarm1 -Properties PrincipalsAllowedToRetrieveManagedPassword
  • To add the member hosts on which the gMSA account can be used, run:
    • Set-ADServiceAccount -Identity ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host3$
  • To install a gMSA account on a host, run the following command on the host machine:
    • Install-ADServiceAccount -Identity ITFarm1
  • To create a new gMSA account, run:
    • New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts$
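PrincipalsAllowedToRetrieveManagedPassword is the whole security boundary of a gMSA: every computer in that list, or in any group in that list, can fetch the password. The following PowerShell script (an added example, not part of the original post; the $broadGroups list is a constructed starting point) audits every gMSA in the domain, expands group membership to the individual hosts, and flags broad groups and non-computer principals:

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT module
# and read access to the service accounts and groups.
Import-Module ActiveDirectory

# Groups that are too broad to be allowed to retrieve any gMSA password (constructed list).
$broadGroups = @('Domain Computers', 'Authenticated Users', 'Everyone', 'Domain Users')

$gmsas = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
         Where-Object ObjectClass -eq 'msDS-GroupManagedServiceAccount'

$report = foreach ($gmsa in $gmsas) {
    $hosts = @(); $findings = @()
    if ($gmsa.PrincipalsAllowedToRetrieveManagedPassword.Count -eq 0) {
        $findings += 'no principals allowed (no host can retrieve the password)'
    }
    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
        switch ($obj.ObjectClass) {
            'computer' { $hosts += $obj.sAMAccountName }
            'group' {
                if ($broadGroups -contains $obj.sAMAccountName) {
                    $findings += "broad group '$($obj.sAMAccountName)' allowed"
                }
                # Expand nested membership: every computer in the group can fetch the password.
                $hosts += Get-ADGroupMember -Identity $dn -Recursive |
                          Where-Object ObjectClass -eq 'computer' | ForEach-Object SamAccountName
            }
            default { $findings += "non-computer principal '$($obj.sAMAccountName)' ($($obj.ObjectClass))" }
        }
    }
    [pscustomobject]@{
        Account      = $gmsa.SamAccountName
        AllowedHosts = ($hosts | Sort-Object -Unique) -join ', '
        Findings     = $findings -join '; '
    }
}
$report | Format-Table -AutoSize
```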

Removing Extended Rights delegation on AdminSDHolder

Description:

You have Active Directory and Exchange servers running in your environment. One day, the Security team tells you they found an account with excessive access on the AdminSDHolder container. The account is "DomainName\Exchange Servers" and it has the Extended Rights permission Replication Synchronization. You want to remove this excessive access.

First, you try to remove it through the GUI. Open the Active Directory Users and Computers console, go to System, then to the AdminSDHolder container. Right-click it, open Properties, open Security, and click Advanced. You search for "DomainName\Exchange Servers" with the permission Replication Synchronization, but cannot find it.

Second, you try to confirm the existence of the extended rights by running the following command:

DSACLS "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local"

The output confirms the permission exists, as shown in the picture below:


Third, you try to remove it using the Exchange Management Shell, running the following PowerShell command:

Remove-ADPermission -Identity "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local" -User "DomainName\Exchange Servers" -ExtendedRights "Replication Synchronization"

However, it fails with an access denied error.

Resolution:

We can remove the Extended Right on the AdminSDHolder container with the help of LDP.exe:

  1. Open LDP.exe
  2. Go to Connection > Connect > click OK
  3. Go to Connection again > Bind > click OK
  4. Click View > Tree
  5. Enter the Base DN "DC=DomainName,DC=Local" and click OK
  6. On the left, double-click the domain, double-click "CN=System,DC=DomainName,DC=Local", then right-click the AdminSDHolder container
  7. Click Advanced > Security Descriptor
  8. Tick the SACL box and click OK
  9. Scroll down until you find the right that you want to remove
  10. Click Delete ACE and select Yes
  11. Click Update to commit the changes
  12. Close LDP.exe

Note:
Be careful when removing this right, as it may affect your Exchange Servers' behavior. Test it beforehand.
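DSACLS and LDP show extended rights by GUID or by a name that is easy to miss in a long ACL, which is why the GUI search above came up empty. The following PowerShell script (an added example, not part of the original post) reads the AdminSDHolder ACL, resolves each extended-right GUID to its display name through the forest's Extended-Rights container, and warns on replication-related rights such as the one the post removes:

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT module
# and read access to the configuration partition.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext
$target   = "CN=AdminSDHolder,CN=System,$domainDN"

# GUID -> display name for every control access right (e.g. "Replication Synchronization").
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configDN" -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties rightsGuid, displayName |
    ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }

$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl  = Get-Acl -Path "AD:\$target"
$rows = foreach ($ace in $acl.Access) {
    if (-not ($ace.ActiveDirectoryRights -band $extRight)) { continue }
    # An empty ObjectType means the ACE grants every extended right at once.
    $name = if ($ace.ObjectType -eq [guid]::Empty) { 'ALL extended rights' }
            elseif ($rightNames.ContainsKey($ace.ObjectType)) { $rightNames[$ace.ObjectType] }
            else { $ace.ObjectType.ToString() }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Right     = $name
        Type      = $ace.AccessControlType
        Inherited = $ace.IsInherited
    }
}
$rows | Sort-Object Identity, Right | Format-Table -AutoSize

# Replication rights on AdminSDHolder are the finding from the post; call them out explicitly.
$rows | Where-Object { $_.Right -like 'Replicat*' -and $_.Type -eq 'Allow' } |
    ForEach-Object { Write-Warning "$($_.Identity) has '$($_.Right)' on AdminSDHolder" }
```

Because AdminSDHolder's ACL is copied onto protected accounts and groups by SDProp, the same script pointed at a protected user's DN shows whether the right has already propagated.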

Saturday, March 6, 2021

Integrating Dahua CCTV with Hikvision NVR

Description:

You have a Hikvision IP PoE NVR up and running. You want to add a Dahua CCTV camera to the Hikvision NVR.

Resolution:

1. Change the Dahua camera's IP address to one within the Hikvision NVR's existing scope. Make sure there is no IP conflict.

2. Enable ONVIF on the Hikvision NVR.

Go to Maintenance > ONVIF > Enable ONVIF

3. Add the Dahua camera to the Hikvision NVR.

Go to Camera > click the camera channel connected to the Dahua camera > click Edit

Choose Manual, enter the correct IP address, select ONVIF as the protocol, select 80 as the Management Port, enter the Dahua camera's default username and password, and click OK.



Friday, February 12, 2021

Local Administrator Password Solution (LAPS) - Cannot Reset Password

Description:

You have properly set up Local Administrator Password Solution (LAPS) in your domain environment:

  • Admpwd.dll is deployed and registered on the client computers
  • The Group Policy that manages the password is configured and linked to the proper OU
  • Permission to read and reset the password is properly set up on the OU

However, when you try to reset the local admin password for one of the computers, the new password is never generated automatically.

Resolution:

Check the time configuration on the machine where you reset the password. Does the machine's time sync properly with the Domain Controller? If not, fix it, restart the machine, and try to reset the password again.

Also check the following registry value on the machine:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Value Name: Type

Value Data: NT5DS
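The reason the clock matters is that a LAPS reset only writes a past timestamp into ms-Mcs-AdmPwdExpirationTime on the computer object; the client generates a new password at Group Policy refresh when its own clock has passed that timestamp. The following PowerShell script (an added example, not part of the original post; $ComputerName is an assumed parameter) runs on the client, checks the W32Time Type value from the post, measures the clock offset against the logon DC, and reads the expiration stamp with ADSI so RSAT is not required:

```powershell
# Added example (not from the original post). Run on the client whose password was reset.
param([string]$ComputerName = $env:COMPUTERNAME)

# 1. Time source type: NT5DS = sync from the domain hierarchy (expected on domain members).
$w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

# 2. Clock offset against the logon DC. /dataonly prints lines like "10:00:00, +00.0123456s".
$dc     = $env:LOGONSERVER.TrimStart('\')
$sample = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
$offset = if ($sample -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }

# 3. LAPS expiration stamp on the computer object (Windows FILETIME, stored as UTC).
$searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
$searcher.PropertiesToLoad.Add('ms-mcs-admpwdexpirationtime') | Out-Null
$entry  = $searcher.FindOne()
$raw    = $entry.Properties['ms-mcs-admpwdexpirationtime']
$expiry = if ($raw.Count -gt 0) { [datetime]::FromFileTimeUtc([int64]$raw[0]) } else { $null }
$nowUtc = [datetime]::UtcNow

[pscustomobject]@{
    Computer        = $ComputerName
    TimeSourceType  = $w32.Type
    TypeIsNT5DS     = ($w32.Type -eq 'NT5DS')
    LogonDC         = $dc
    OffsetSeconds   = $offset          # $null if the DC did not answer
    ExpirationUtc   = $expiry          # $null if the attribute is unset or unreadable
    LocalClockUtc   = $nowUtc
    ResetDueByLocal = if ($expiry) { $expiry -le $nowUtc } else { $null }
} | Format-List

if ($w32.Type -ne 'NT5DS') {
    Write-Warning "W32Time Type is '$($w32.Type)', expected NT5DS; fix time sync and restart."
}
if ($null -ne $offset -and [math]::Abs($offset) -gt 300) {
    Write-Warning "Clock differs from $dc by $offset s; Kerberos and the LAPS expiry check will misbehave."
}
if ($expiry -and $expiry -gt $nowUtc) {
    Write-Warning "Expiration is still in the future on this clock; no new password will be generated yet."
}
```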


Thursday, February 11, 2021

Network Policy Server (NPS) - Event Logs not appear

Description:

You have set up NPS in your environment and it seems to work properly. However, when you check Event Viewer under Custom Views\Server Roles\Network Policy and Access Services, you see only a very small number of events.

Resolution:

Run the following at an elevated command prompt on the NPS server:

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
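Once that subcategory is enabled, NPS writes its authentication results to the Security log rather than the role view. The following PowerShell script (an added example, not part of the original post; $Hours and $DenyThreshold are assumed parameters) confirms the audit setting and summarises the granted, denied and discarded requests, which is the data a detection rule for this server would start from:

```powershell
# Added example (not from the original post). Run elevated on the NPS server.
# Event IDs: 6272 = access granted, 6273 = access denied, 6274 = request discarded.
param([int]$Hours = 24, [int]$DenyThreshold = 5)

# Confirm the subcategory enabled by the auditpol command above (text output, shown as-is).
auditpol /get /subcategory:"Network Policy Server"

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        User       = $data['SubjectUserName']
        Client     = $data['CallingStationID']   # MAC or IP of the supplicant, as the NAS reports it
        NasIP      = $data['NASIPv4Address']
        Policy     = $data['NetworkPolicyName']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
}

'Outcome summary:'
$rows | Group-Object Id | Select-Object @{n = 'EventId'; e = { $_.Name }}, Count | Format-Table -AutoSize

'Top denial reasons:'
$rows | Where-Object Id -eq 6273 | Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Accounts with many denials in the window: a triage starting point, not a verdict.
$rows | Where-Object Id -eq 6273 | Group-Object User | Where-Object Count -ge $DenyThreshold |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Count) denials in the last $Hours h" }
```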


Tuesday, February 9, 2021

Error when Upgrading Azure AD Connect version

Description:

When you upgrade Azure AD Connect from a previous version, you might encounter the following error: "Upgrade cannot proceed because the Azure Active Directory connector (b891884f-051e-4a83-95af-2544101c9083) is missing."

Resolution:

Make sure the PowerShell execution policy is set to Unrestricted. You can check by running the following command in PowerShell:

Get-ExecutionPolicy

To change the execution policy to Unrestricted, run the following PowerShell command:

Set-ExecutionPolicy Unrestricted

Type Y when asked.

Re-run the upgrade process.
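Set-ExecutionPolicy silently loses to a policy delivered by Group Policy, so the upgrade can fail again even after the command above reports success. The following PowerShell script (an added example, not part of the original post; $Policy is an assumed parameter defaulting to the value the post uses) shows which scope is in effect, refuses to continue when a GPO scope is set, and records the previous value so it can be restored after the upgrade:

```powershell
# Added example (not from the original post). Run elevated on the AD Connect server.
param([string]$Policy = 'Unrestricted')   # value used by the post

# Scopes are listed in precedence order; the first scope that is not Undefined wins.
Get-ExecutionPolicy -List | Format-Table -AutoSize

foreach ($scope in 'MachinePolicy', 'UserPolicy') {
    if ((Get-ExecutionPolicy -Scope $scope) -ne 'Undefined') {
        throw "Execution policy is set by Group Policy at scope $scope; Set-ExecutionPolicy has no effect until that GPO changes."
    }
}

$previous = Get-ExecutionPolicy -Scope LocalMachine
Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope LocalMachine -Force   # -Force skips the Y prompt
Write-Host "LocalMachine policy changed from $previous to $(Get-ExecutionPolicy -Scope LocalMachine)."
Write-Host "After the upgrade completes, restore it with: Set-ExecutionPolicy $previous -Scope LocalMachine -Force"
```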

Monday, June 26, 2017

Blue Screen after modifying Windows registry - Recovery

Description
You changed certain values in your Windows machine's registry (HKLM). After a restart, the machine can no longer start properly; Windows never reaches the normal logon page.
You want to revert the changes to the previous condition.


Resolution
Use a CD/DVD/ISO to boot into the Recovery Environment. Follow the wizard until you can open the command prompt. At the command prompt, type regedit.
In the registry editor, highlight HKEY_LOCAL_MACHINE, then go to File and select Load Hive. Select the hive file from the other drive; it is usually in E:\ (or F:\) Windows\System32\Config and is called just SOFTWARE or SYSTEM. Type any name when the wizard prompts for the hive name.
Go to the registry location where you made the last changes and revert the value to the previous working condition.
To unload the hive, highlight that hive name under HKEY_LOCAL_MACHINE, then go to File and select Unload Hive.
Restart the machine normally.
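The same recovery can be scripted, which also surfaces a detail the GUI hides: an offline SYSTEM hive has no CurrentControlSet, so the control set Windows will boot has to be read from Select\Current. The following PowerShell script (an added example, not part of the original post) assumes PowerShell is available in the recovery environment, which is not always the case, that the offline installation is on E:\, and uses placeholder key and value names:

```powershell
# Added example (not from the original post). The key, value name and value are placeholders.
param(
    [string]$WindowsDrive = 'E:',
    [string]$RelativeKey  = 'Services\ExampleSvc',   # placeholder: path below ControlSetNNN
    [string]$ValueName    = 'Start',                 # placeholder
    [int]   $GoodValue    = 3                        # placeholder: last known good value
)
$mount = 'HKLM\OfflineSystem'

# 1. Load the offline SYSTEM hive under a temporary name (equivalent of File > Load Hive).
reg.exe load $mount "$WindowsDrive\Windows\System32\Config\SYSTEM" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed: wrong drive letter, or the hive is already loaded.' }
try {
    # 2. Offline hives have no CurrentControlSet; Select\Current names the set Windows boots.
    $current = (Get-ItemProperty 'HKLM:\OfflineSystem\Select').Current
    $key = "HKLM:\OfflineSystem\ControlSet{0:D3}\$RelativeKey" -f $current
    Write-Host "Editing $key"

    $before = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction Stop).$ValueName
    Write-Host "$ValueName is $before; setting it to $GoodValue"
    Set-ItemProperty -Path $key -Name $ValueName -Value $GoodValue -Type DWord
} finally {
    # 3. Release the provider's key handles, then unload (File > Unload Hive); the unload
    #    fails while anything still holds a key under the mounted hive open.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; close open handles and run: reg unload $mount" }
}
```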




 

Monday, August 5, 2013

Group Policy is not applying properly - event ID 1054

Description:

You have a Group Policy setting that you want to deploy during computer startup. However, the policy does not seem to apply properly. Running the gpresult command on the client machine shows no error. Running the gpresult wizard from GPMC for the problematic machine shows a GPO core processing error preventing some policies from applying successfully. Running gpupdate /force corrects the situation and the settings are applied successfully.
In Event Viewer on the problematic computer, you find event ID 1054: “Windows cannot obtain the domain controller name for the computer network. (The specified domain either does not exist or could not be contacted). Group Policy processing aborted.”

Resolutions:

Follow Microsoft Knowledge Base article KB840669: http://support.microsoft.com/kb/840669

As per KB 840669, create a new DWORD value in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: GpNetworkStartTimeoutPolicyValue
Value: 120

Restart the client computer. Settings can be applied successfully.
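The following PowerShell script (an added example, not part of the original post) checks a client for recent 1054 events and creates the value from the post only if it is not already present, so a machine that already has the timeout is not silently left with a different explanation for the same symptom:

```powershell
# Added example (not from the original post). Run elevated on the client.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'GpNetworkStartTimeoutPolicyValue'
$want = 120   # value used by the post

# Recent 1054 events in the System log (provider name differs between Windows versions,
# so filter on the event ID only).
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1054; StartTime = (Get-Date).AddDays(-7) } `
                     -ErrorAction SilentlyContinue
"Event 1054 occurrences in the last 7 days: $(@($hits).Count)"
$hits | Select-Object -First 3 TimeCreated, ProviderName | Format-Table -AutoSize

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want | Out-Null
    "$name created with value $want; restart the client and re-run gpresult."
} else {
    "$name is already set to $current (the post uses $want); if 1054 persists, look at NIC and DNS readiness at boot instead."
}
```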

Red X or Cross on Network Connection Icon - Windows 2008 R2


Description:

You find a red X or cross on the network connection icon.
Some services are stopped and cannot be started, failing with an access denied error.


Resolutions:

  • Check and add the registry permissions on the following keys:

  • Regarding the BFE service, we have given the “NT Service\BFE” account the following Allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control

  • Regarding the NLA service, we have given the “NT Service\NLASvc” account the following Allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NLASvc: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control

  • Regarding the DPS service, we have given the “NT Service\DPS” account the following Allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control

    It was also necessary to give the same permissions on HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\Config

  • Regarding the Windows Firewall service, we have given the “NT Service\mpssvc” account the following Allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control

    It was also necessary to give the same permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess

  • Regarding the DHCP Client service, we have given the Local Service account Full Control permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP

  • Regarding the Distributed Transaction Coordinator, we have given the “NT Service\MSDTC” account the following Allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control

    It was also necessary to give the Network Service account “Read, Write, Read & Execute” permissions on the file C:\WINDOWS\system32\MSDtc\MSDTC.LOG

All of the services can be started after adding the security permissions. Restart the computer to confirm.

Note:
If the issue happens again, check for a Group Policy, local policy, or application that modified the security permissions on the registry keys above.
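Checking these ACLs by hand in regedit is slow and easy to get wrong, and the note above is really a request to re-check them whenever the symptom returns. The following PowerShell script (an added example, not part of the original post; -Fix is an assumed switch) encodes the registry entries listed above, reports which rights each service SID is missing, and optionally adds the missing Allow ACE; the MSDTC.LOG file permission is not covered:

```powershell
# Added example (not from the original post). Run elevated. Generic rights in an existing
# ACE (shown as large numbers) are not decoded, so such a key may be reported as missing
# rights it effectively already has.
param([switch]$Fix)
$R   = [System.Security.AccessControl.RegistryRights]
$std = $R::QueryValues -bor $R::SetValue -bor $R::CreateSubKey -bor $R::EnumerateSubKeys -bor $R::Notify -bor $R::ReadPermissions
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$checks = @(
    @{ Key = "$svc\BFE";          Identity = 'NT SERVICE\BFE';             Rights = $std },
    @{ Key = "$svc\NLASvc";       Identity = 'NT SERVICE\NLASvc';          Rights = $std },
    @{ Key = "$svc\DPS";          Identity = 'NT SERVICE\DPS';             Rights = $std },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\WDI\Config'; Identity = 'NT SERVICE\DPS'; Rights = $std },
    @{ Key = "$svc\mpssvc";       Identity = 'NT SERVICE\mpssvc';          Rights = $std },
    @{ Key = "$svc\SharedAccess"; Identity = 'NT SERVICE\mpssvc';          Rights = $std },
    @{ Key = "$svc\DHCP";         Identity = 'NT AUTHORITY\LOCAL SERVICE'; Rights = $R::FullControl },
    @{ Key = "$svc\MSDTC";        Identity = 'NT SERVICE\MSDTC';           Rights = $std }
)
foreach ($c in $checks) {
    if (-not (Test-Path $c.Key)) { Write-Warning "$($c.Key) does not exist"; continue }
    $acl = Get-Acl -Path $c.Key
    $granted = 0
    foreach ($ace in $acl.Access) {
        # Service SIDs resolve to "NT SERVICE\<name>"; compare case-insensitively.
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ieq $c.Identity) {
            $granted = $granted -bor [int]$ace.RegistryRights
        }
    }
    $missing = [int]$c.Rights -band (-bnot $granted)
    if ($missing -eq 0) { Write-Host "OK      $($c.Identity) on $($c.Key)"; continue }
    Write-Warning "MISSING $($c.Identity) on $($c.Key): $([System.Security.AccessControl.RegistryRights]$missing)"
    if ($Fix) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $c.Identity, $c.Rights, 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $c.Key -AclObject $acl
        Write-Host "FIXED   added Allow ACE for $($c.Identity) on $($c.Key)"
    }
}
```

Run it without -Fix first and keep the report; a key that drifts back to MISSING after a reboot points at the policy or product the note above tells you to look for.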
