
Wednesday, September 14, 2016

Computers Disappear from Active Directory/Domain

Discovered our MacBooks were "disappearing" from Active Directory and falling off the domain (losing domain access).  One disappeared during the lunch break today.  Five steps taken to resolve it:
1)    Confirmed the deleted object (from today at lunch) existed in the Deleted Objects container.
            I used Ldp.exe (installed with the AD DS / RSAT tools) to search the domain for deleted objects.  Deleted objects are only kept for the forest's tombstone lifetime (60 or 180 days by default, depending on the OS level the forest was created at), so this search has to happen before that runs out.
            To use Ldp to search the domain for deleted objects (tombstones):
1.      On the Start menu, click Run, and then type ldp.
2.      Connect and bind to a domain controller in the domain whose tombstones you want to retrieve.
o    To connect, on the Connection menu, click Connect, and then type a server name and a port number (389 for LDAP, 636 for LDAPS).
o    To bind, on the Connection menu, click Bind, and then type an account name, password, and domain if you want to connect to a domain other than the domain to which you are currently logged on.  The account needs the "List Deleted Objects" right on the domain, which Administrators have by default.
3.      On the Browse menu, click Search.
4.      In the Search dialog box, for Base DN, type the distinguished name of the domain whose tombstones you want to retrieve (for example DC=mydomain,DC=com).
5.      In the Filter box, use the filter (isDeleted=*).  To limit the results to computer accounts, use (&(isDeleted=*)(objectClass=computer)).
6.      Under Scope, click Subtree.
7.      Click Options.
8.      In the Search Options dialog box, under Search Call Type, click Extended.
9.      Click Controls.  Then in the Object Identifier box, type the OID of the Show Deleted Objects control:
1.2.840.113556.1.4.417
10.  Under Control Type, click Server.
11.  To add the control to the Active Controls list, click Check in.  Then click OK.
12.  In the Search Options dialog box, click OK.
13.  In the Search dialog box, click Run.  Without the control from step 9 the search returns nothing, because deleted objects are hidden from ordinary LDAP searches.

2)    Used repadmin /showobjmeta with the deleted object's DN found in ldp.exe

Syntax

        repadmin /showobjmeta [DSA_LIST] <Object DN> [/nocache] [/linked]
 
Here's the command I used.  The DN is quoted because it contains spaces.  The \0ADEL: in the first RDN is the escaped line-feed character that AD inserts into the name of a deleted object, followed by the object's GUID; copy it exactly as Ldp shows it, since the original name alone no longer resolves:
        repadmin /showobjmeta "CN=macX\0ADEL:bfe5e5d0-3f16-4897-9f2f-3691adeea02a,CN=Deleted Objects,DC=mydomain,DC=com"
 
3)    Confirmed the Originating DSA on the "isDeleted" row, along with the date and time that attribute was written.
"The originating DSA is a GUID that identifies the domain controller that performed the originating write."
"You can see all three components of the stamp in output from the repadmin /showmeta command. The column labeled "Ver" contains the version, the column labeled "Org. Time/Date" contains the originating time, and the column labeled "Originating DSA" contains the originating DSA (expressed as "site\server" rather than GUID)."
(/showmeta is the Windows 2000 name of the command; on current versions the same output comes from /showobjmeta.  The row to read is the one for isDeleted: its Originating DSA is the domain controller that processed the delete, and its Org. Time/Date is when it happened.  Every other DC only received the change through replication, so its own logs will show nothing about who did it.)
4)    Logged onto that domain controller and checked the Security log in Event Viewer around the timestamp from the repadmin output.
Found Windows Security event ID 4743, "A computer account was deleted", with a specific domain account name associated with the action.  (This event is only written when the Audit Computer Account Management subcategory is enabled on the DC, and it is written only on the DC that performed the delete, which is why step 3 matters.)
Subject:
The user and logon session that performed the action.
  • Security ID:  the SID of the account.
  • Account Name: the account logon name.
  • Account Domain: the domain or, in the case of local accounts, the computer name.
  • Logon ID: a semi-unique (unique between reboots) number that identifies the logon session.  The Logon ID lets you correlate backwards to the logon event (4624), which records where the session was opened from, as well as with other events logged during the same logon session.
Target Computer:
  • Security ID:  the SID of the deleted computer account
  • Account Name:  the name of the deleted computer account (its sAMAccountName, so it ends in $)
  • Account Domain: the domain of the deleted computer account

5)     Traced the issue to our MDM Active Directory profile

The MDM was trying to push the AD profile to the Macs in its associated Smart Group, using the same account credentials that appeared as the Subject in the 4743 event.  This profile wasn't working correctly to begin with (it was not installing successfully on devices), and it appeared that either it had begun unjoining the Macs in the Smart Group, or it was causing the domain controller to distrust the computer account, which supposedly may have deleted the computer.  Either way, the Subject account in the 4743 event is the thing to follow: it had enough rights to delete computer objects, and whatever is using it (here the MDM) is where the deletes come from.
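Steps 1 to 4 above done from PowerShell instead of Ldp, repadmin and Event Viewer, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) against a Windows Server 2008 R2 or later domain, an account that has the "List Deleted Objects" right and can read the DC's Security log, and the computer name macX from the post; the 10-minute search window and the extra 4624 lookup at the end are my additions, not something the post did. The script reads the msDS-ReplAttributeMetaData attribute directly, which is the same data repadmin /showobjmeta prints (and what Get-ADReplicationAttributeMetadata wraps on Server 2012 and later).

```powershell
#Requires -Modules ActiveDirectory
param(
    [string]$ComputerName  = 'macX',   # name of the vanished Mac (assumed)
    [int]   $WindowMinutes = 10        # slack around the originating timestamp (assumed)
)

# Step 1: find the tombstone. A deleted object keeps its old name in
# msDS-LastKnownRDN; its CN becomes "macX\0ADEL:<objectGUID>". Reading a
# deleted object needs the "List Deleted Objects" right on the domain.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'computer' } `
    -Properties 'msDS-LastKnownRDN', 'lastKnownParent', 'msDS-ReplAttributeMetaData' |
    Where-Object { $_.'msDS-LastKnownRDN' -eq $ComputerName }

if (-not $deleted) {
    throw "No deleted computer object named '$ComputerName' (past the tombstone lifetime, or insufficient rights)."
}

foreach ($obj in $deleted) {
    # Steps 2 and 3: the replication metadata that repadmin /showobjmeta prints
    # is the constructed attribute msDS-ReplAttributeMetaData, one XML fragment
    # per attribute. The isDeleted entry names the originating DSA and time.
    $isDel = $obj.'msDS-ReplAttributeMetaData' |
        ForEach-Object { ([xml]$_).DS_REPL_ATTR_META_DATA } |
        Where-Object { $_.pszAttributeName -eq 'isDeleted' }

    # The DSA is the DN of the DC's NTDS Settings object, e.g.
    # CN=NTDS Settings,CN=DC01,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $dcName = if ($isDel.pszLastOriginatingDsaDN -match '^CN=NTDS Settings,CN=([^,]+)') {
        $Matches[1]
    } else {
        throw "Originating DSA not resolvable: $($isDel.pszLastOriginatingDsaDN)"
    }
    # The originating time is UTC in the metadata; [datetime] converts it to
    # local time, which is what Get-WinEvent's TimeCreated uses.
    $when = [datetime]$isDel.ftimeLastOriginatingChange

    "Tombstone     : $($obj.DistinguishedName)"
    "Was in        : $($obj.lastKnownParent)"
    "Deleted on DC : $dcName at $when (isDeleted version $($isDel.dwVersion))"

    # Step 4: 4743 "A computer account was deleted" from that DC's Security log
    # in a window around the originating time. Computer accounts show up as
    # sAMAccountName, so the target name carries a trailing '$'.
    $events = Get-WinEvent -ComputerName $dcName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4743
        StartTime = $when.AddMinutes(-$WindowMinutes)
        EndTime   = $when.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        $d = @{}
        foreach ($f in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d['TargetUserName'] -ne "$ComputerName`$") { continue }

        "4743 at $($ev.TimeCreated): $($d['SubjectDomainName'])\$($d['SubjectUserName']) " +
        "(SID $($d['SubjectUserSid']), Logon ID $($d['SubjectLogonId'])) deleted $($d['TargetUserName'])"

        # One step past the post: the Subject Logon ID equals the Target Logon
        # ID of the 4624 that opened the session, and that event records where
        # the account authenticated from (expected here to be the MDM server).
        $logon = Get-WinEvent -ComputerName $dcName -LogName Security -MaxEvents 1 -FilterXPath `
            "*[System[EventID=4624] and EventData[Data[@Name='TargetLogonId']='$($d['SubjectLogonId'])']]" `
            -ErrorAction SilentlyContinue
        if ($logon) {
            $l = @{}
            foreach ($f in ([xml]$logon.ToXml()).Event.EventData.Data) { $l[$f.Name] = $f.'#text' }
            "  4624 at $($logon.TimeCreated): logon type $($l['LogonType']) from $($l['IpAddress']) ($($l['WorkstationName']))"
        }
    }
}
```

Run it as `.\Find-DeletedComputer.ps1 -ComputerName macX` from a machine with RSAT. If the 4743 loop prints nothing, check that Audit Computer Account Management is enabled on the originating DC and that the DC's clock and the workstation's clock agree within the window; if the 4624 lookup prints nothing, the logon was probably a Kerberos network logon that scrolled out of the Security log, so widen the retention or query the KDC's 4768/4769 events instead.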



SOURCES:
Viewing Deleted Objects in Active Directory:  https://support.microsoft.com/en-us/kb/258310
Tracking Active Directory Updates:  https://technet.microsoft.com/en-us/library/cc961798.aspx