Active Directory
msDFSR-options value at the end of Authoritative synchronization of DFSR
Hello, I had a SYSVOL synchronisation problem between my domain controllers, so I made an authoritative synchronization of the DFSR-replicated SYSVOL to fix it. Everything works fine, but I still have a question about the msDFSR-options value: should I keep it "1" or reset it to "not defined"? Source: https://learn.microsoft.com/en-gb/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization

Server 2016 Essentials coexisting with Server 2022 Standard
I am in the process of replacing an older Server 2016 Essentials with a Server 2022 Standard. The 2016 Essentials server is today acting as the primary domain controller for the domain. My plan is to:

1. Install the new Server 2022 Std.
2. Join it to the existing domain as a backup domain controller.
3. Promote the new server to PDC.
4. Move contents and applications on the Essentials 2016 server.
5. Demote the old 2016 Essentials server.
6. Decommission the old server.
7. Lift the entire domain to a higher level.

So the question is: can these servers co-exist as domain controllers in the same environment, or do I have to take another approach to the server change? Best regards, David

Microsoft Entra Connect connecting always to old DC
We are planning on demoting an old DC server. When doing checkups I noticed that Entra Connect keeps connecting to this specific DC we're planning to demote every time it connects to Active Directory. So now I'm wondering whether this needs any additional configuration to keep sync working after the DC demotion. I found out that there is an option to "Only use preferred domain controllers", but I'm not sure if that's what I want to do. Where the red line is, is the old DC to be demoted. "Only use preferred domain controllers" setting. If I enable this setting I get this kind of notice. I don't feel like this is the right way to do it, so I canceled at this point.

Failed test VerifyReferences
Hello everyone, we are using Windows Server 2019 Standard as the primary and currently only domain controller. Previously, there were several additional domain controllers, but they have all been demoted. The dcdiag test VerifyReferences returns the following error:

   Starting test: VerifyReferences
      Some objects relating to the DC 18DC06 have problems:
      [1] Problem: Missing Expected Value
          Base Object: CN=NTDS Settings,CN=18DC06,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vk, DC=local
          Base Object Description: "DSA Object"
          Value Object Attribute Name: serverReferenceBL
          Value Object Description: "SYSVOL FRS Member Object"
          Recommended Action: See Knowledge Base Article: Q312862
      [1] Problem: Missing Expected Value
          Base Object: CN=18DC06,OU=Domain Controllers,DC=vk, DC=local
          Base Object Description: "DC Account Object"
          Value Object Attribute Name: msDFSR-ComputerReferenceBL
          Value Object Description: "SYSVOL FRS Member Object"
          Recommended Action: See Knowledge Base Article: Q312862
      ......................... 18DC06 failed test VerifyReferences

Please advise on how to further investigate and resolve this issue. Thanks in advance.

Can't RDP when in protected users group 2 domains no trust
I have the following issue and have read a lot about people with similar issues, but not quite the same setup as we have. We are working with 2 domains; I call them Domain A and B. Domain A is our own domain, with our own DC and servers. Domain B is a shared setup for our customers. We all work with our [email address removed for privacy reasons] accounts to gain access to the servers of our customers. All customer servers are members of Domain B. All admin accounts are members of Protected Users. When I am logged in to our management server, which is a member of Domain A, I cannot RDP with my [email address removed for privacy reasons] account to any server of our customers. When I am in the office, we can access Domain B from our personal laptops, which are only Entra ID joined. From our personal laptops we can RDP to the servers of the customers in Domain B with the [email address removed for privacy reasons] accounts. Strange things: not all admin accounts have this issue (at the same time), and the issue is resolved spontaneously. My first question is: do I need to have a domain trust between Domain A and Domain B? Both domains have a higher domain functional level than 2012 R2. I have communication between my management machine in Domain A and the domain controllers of Domain B: not only ping, but also KDC, DNS, LDAP, etc. Our domain controller in Domain A does not have communication to Domain B.

GroupPolicy/Registry issue
My MDR product is having an issue with scanning the registry of our hosts. It times out and causes performance issues, essentially bringing down the host. I opened a case with their support and we narrowed the issue down to this reg key:

   Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects

There are hundreds of sub keys, each with their own sub keys. It seems each time group policy is applied to the host, 2 new keys are created, a machine and a user key. As a test, I deleted everything under the main key and rebooted. After logging back in, 2 new keys had been created. After a day I checked again and there were a dozen or more. Now, after a few weeks, we're back up to hundreds. Does anyone have any ideas as to how to automatically clean up the older entries to keep the number to a minimum? Or is there a way to stop this behavior? Thanks

Windows Authentication for Entra ID for SQL MI
Hi Team, I recently came across a use case where we have to use Windows Authentication for Entra ID for SQL MI. My question is based on the Microsoft documentation https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup?view=azuresql There are two options: Option 1, Modern interactive flow; Option 2, Incoming trust-based flow. Proceeding with Option 2 (Incoming trust-based flow), the authentication flow works somewhat as the following:

   Step | Action                                  | From                         | To                               | Network Connection
   1    | Initiate Connection                     | Client (Windows Server 2016) | -                                | -
   2    | Request Kerberos TGT                    | Client                       | Domain Controller (Windows 2012) | On-premises network
   3    | Issue TGT                               | Domain Controller            | Client                           | On-premises network
   4    | Request Service Ticket via Kerberos Proxy | Client                     | Microsoft Entra ID (via proxy)   | ExpressRoute (Microsoft peering)
   5    | Issue Service Ticket                    | Microsoft Entra ID           | Client                           | ExpressRoute (Microsoft peering)
   6    | Submit Service Ticket                   | Client                       | Azure SQL Managed Instance       | ExpressRoute (private peering)
   7    | Validate Ticket and Exchange for Token  | Azure SQL Managed Instance   | Microsoft Entra ID               | Azure internal network
   8    | Authenticate User and Grant Access      | Azure SQL Managed Instance   | Client                           | ExpressRoute (private peering)

If the above is correct, can anyone confirm that we have to synchronize the service accounts and users that are used by applications to Entra ID? Does the client (running the application or SQL Management Studio) require access to Entra ID, or will it be requested by on-premises AD on behalf of the application server? Many Thanks!

Sign In Error 90072 with On Prem Accounts - How to mitigate?
We receive weekly reports from one of our security vendors regarding login failures across our environment. Recently, we've noticed a spike in interactive login failures, particularly with Microsoft services. The application that produces many of these logs is Microsoft Office. Upon investigation, we've determined that many of these sign-ins produce error code 90072 with the following error message: "User account '{user}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{application}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account" As a disclaimer, I did not edit this message to insert the unfilled variables in brackets; that's how the error message appears in our Entra portal. We currently run a hybrid environment, and all of the users with high volumes of failed sign-ins with the given error code and message are on-prem accounts. These logs produce a lot of noise that we would rather not have polluting our reports. Do you have any information we can use to help remediate this issue?

Shape the future of our communities! Take this survey to share your practitioner insights. 💡 ✏️ 🔓
This brief survey explores your experiences and preferences in professional identity and network security communities. Your feedback will help shape our team's approach to future community resources and engagement opportunities. Take the survey here! For any questions about this survey, please contact dansantos@microsoft.com. Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839

Updating PowerShell5 via WSUS - possible and needed?
Good day, not sure if it's the right subforum. If not, please move. I have a couple of 2016 servers in a domain where I handle updates via WSUS. On the WSUS, in the tab Products and Classifications, PowerShell - x64 is check-marked but PowerShell Preview - x64 is not. I guess this refers to PowerShell 7, and it works on the servers on which PowerShell 7 is installed. But the PowerShell 5 versions are not updated via WSUS. The PSVersion on some servers shows PSVersion 5.1.14393.8062, which is not the most current. Is there a way to update PowerShell 5 via WSUS, and how is the product named in the tab Products and Classifications? Is it possible to update PowerShell 5 via WSUS at all? Is there a need to update it at all? Best regards