Is there really no way to do workstation account logon restrictions by an AD group?


I can restrict what workstations/servers a user can log on to via the Account tab on the individual user. You manually enter one or more computers that they are able to log on to. However, it does not appear that you are able to add AD groups for this same user account restriction. Is this really the case?

If so, how is this possible? We have lots of situations where being able to add a group of computers would be very handy and save significant time. Our call centers are a great example, where users may use one of 5-10 different computers, and we don't want them being able to log on to additional computers on the same floor. There are lots of other examples as well.

So I'm just double checking that my Googling results are correct, and there isn't a way to implement this with AD right out of the box. (I did find some add-on software that appears to let you do this.)


Machine logged in via a DC on another site


I have a server on subnet 10.245.x.x which is part of a site with its own DCs etc.

However, it is logged in using DCs in a different site. Any idea why this is happening and why it is not using the closest DC for authentication?

DNS servers are set to the local DCs.

DNS Active Directory folders under forward lookup zones missing

OK, here is the situation. I created a domain earlier this week; the domain got hosed due to FSMO roles being all over the world and not being able to talk to each other. I blew away that domain and recreated it; however, the folders for DNS under the forward lookup zones for AD are not there. I am not a DNS guy, so I am struggling to figure out how I can get them back. I cannot add any servers to the domain because I can't resolve the domain name. _msdcs, _sites, _tcp, _udp and DomainDNSZones are all missing.

AD LDS


Hi,

We have 2 AD LDS servers, where one of them is the extension of AD. Can we add computers to the domain using the remote LDS server?

Also, can we integrate any application using LDAP with the remote AD LDS server?

Angshuman

2GB lsass.log file on 2003 DC - How do I clean it up?


I have a Windows Server 2003 domain controller that has a large 2.2GB lsass.log file.

I need to know if I can relocate it to a different drive, delete it, or reduce the level of logging that is taking place within it.

Thank you

PowerShell UPN Suffix not working


Hi

I have a PowerShell script that I've nicked from somewhere else which is supposed to change the UPN suffix on all of our accounts in the domain, but it doesn't work. If I use the -WhatIf switch it correctly displays a list of all the accounts it will affect, but when I remove the -WhatIf switch nothing actually takes place. Why would this be? I'm running under an administrator account which can normally make these changes in ADUC, and the accounts in ADUC have the alternative UPN suffix available; I can manually set them fine. Before I run the following script I use Import-Module ActiveDirectory.

# Load the AD cmdlets (run before the script, as described above)
Import-Module ActiveDirectory

# Replace with the old suffix
$oldSuffix = "my-domain.local"

# Replace with the new suffix
$newSuffix = "my-domain.co.uk"

# Replace with the OU you want to change suffixes for
$ou = "DC=my-domain,DC=local"

# Replace with the name of your AD server
$server = "main-server"

# Query and write against the same DC, so the -WhatIf preview and the real run
# operate on the same copy of each object rather than two different DCs
Get-ADUser -Server $server -SearchBase $ou -Filter * | ForEach-Object {
    # Note: .Replace() is case-sensitive; a UPN stored as user@MY-DOMAIN.LOCAL
    # would not match $oldSuffix and would be written back unchanged
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
}

thanks

Steve

Forest Trust Verification


I run the following command to verify the forest trust. Correct me if I am wrong and if the syntax is right:

C:\Users\Me>nltest/domain_trusts /forest
List of domain trusts:
    0: blr.mydomain.local (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: 0x400000 )
    1: internal.mydomain.local (NT 5) (Forest: 0) (Primary Domain) (Native)
The command completed successfully

Kindly let me know if this looks OK and where I am going wrong.


Vignesh

Nesting Domain Groups across a one-way trust


I think I have the correct forum. We recently set up a domain trust between two Win2k3 domains, domain-a.net (existing domain for 5+ years) and domain-b.net (just set up late last year). The trust is a one-way trust (external, not transitive) with domain-a.net trusted by domain-b.net. My issue/question is, we would like domain admin accounts from domain-a.net to be able to manage resources in domain-b.net, i.e. manage share access and directory security permissions.

I followed the instructions in this link to set up the permissions using nested groups: http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login Everything worked as planned to add domain-a.net\remote_domain_admins (global group) to the domain-b.net\Local_Domain_Admins (domain local group). I tested access rights for a domain-a.net\domain_admin_user_account on a resource server in domain-b.net and that worked just fine too. However, after a period of time (right now I'm not sure what that is just yet), the domain-a.net\remote_domain_admins is removed and is missing from the domain-b.net\local_domain_admins group. I checked all the DC event logs and nothing appears to be out of the ordinary. I run a DCDiag and netdom query daily to monitor the health of the domains and all looks OK with that as well. I also did nslookup _ldap._tcp.dc._msdcs.domainname.net for both domains on DCs from each domain and all DCs were found for both domains. Lastly, I ran the command to validate the trust and that was successful.

Here are a couple of other notes that may or may not be helpful:

  1. Both domains are running at the highest possible functional level, Win2k3.
  2. I installed the Client Side Extensions only on the DCs in domain-b.net since that was the domain that would be using the Group Policy Preferences settings.
  3. Both domains exist on the same subnet in our home office. We have a remote DR site that has one DC for each of the domains, and communication with the remote DCs is not an issue.

This is a complete mystery to me. I'm not sure why a group would mysteriously disappear. Does anyone have experience with this setup? I'm thinking the disappearance may be related to replication timing but I am not sure. Does it matter that CSEs are not installed on domain-a.net DCs? Does it matter that there is only a one-way trust?

Any thoughts or suggestions would be appreciated. If I need to provide additional information please let me know. Thanks in advance!


TLS

We have a SonicWall SSL-VPN 2000 integrated with AD, but with our password policy users have to change passwords every 90 days. So now when a user tries to log in they cannot change their password properly because, according to SonicWall support, I have to enable/install TLS on one of my domain controllers. Our forest and domain functional levels are Windows 2008 R2. How do I set up TLS, and what, if any, are the pros and cons?

Rename or Migrate AD 2003 to 2012


Hello,

My private domain name is currently company.com, and public DNS has been annoying, so we want to rename the domain to company.local. Currently running 2003 AD and forest. We don't have Exchange (thankfully we aren't limited there), only Terminal Servers, a SQL 2008 cluster, File and Print. We have new servers for a 2012 infrastructure; everything will be migrated with the exception of the SQL cluster. My question is, would it be better to...

A) Upgrade from 2003 to 2012 then rename the domain.

B) Use ADMT and migrate from 2003 to 2012.

Option B seems like a lot more work; there are about 100 workstations. I don't know how to best go about the process... migrate just users and workstations first, then wait until I set up the new member servers in the new 2012 domain?

Thanks in advance!

Do you need to run ADPREP if you already transferred FSMO roles from 2003 server to NEW 2008 server


I have an existing 2003 DC. I have a brand new 2008 DC (which is also a virtual machine). I transferred the FSMO roles from the 2003 server to the 2008 server. I have also moved the DNS and DHCP services over. The only thing left on the old DC is moving the files over to the new file server (the old DC was also the file server).

Do I need to run ADPREP if I already transferred the roles?

Do I need to seize FSMO roles on the old DC?

Do I need to run dcpromo to demote the old DC? (This server will be wiped clean for something else.)

Or do I just stop services on the old DC and the new one should take over?

Thanks for your help.

zrm


Hi,

I am trying to configure Active Directory via dcpromo, but the following message appears:

The operation failed: A domain controller could not be contacted for the domain aseerwater.gov that contained an account for this computer. Make the computer a member of a workgroup then rejoin domain before trying the promotion.

Access denied,

Kindly, can anybody help me regarding this issue?

Thanks

How to set the time on clients NOT sync with DCs?


DCs: Windows Server 2008 R2 (virtual machines)
Some special clients: Windows Server 2008 R2 (physical machines)

As you know, the time on clients will sync with the DCs automatically after joining the domain. Now I have a special requirement: I want the time on some special clients not to sync with the DCs. How should I do this?

The reason is that the DCs are VMs, and the host Hyper-V servers are members of the domain. So it means the time on the host servers will sync with the DCs, which are VMs (it looks like the priority of the time sync service integrated in Hyper-V is lower than domain time sync). But I find the time on the VMs really runs a lot faster or slower than normal. And we don't have Internet access for these servers to sync with Internet time.

How to setup user level restrictions in AD FS


Hi,

We are configuring AD FS (Federation Services) to access web applications in a different zone, and wanted to know a few things at a high level.

These applications are intended for US users. Is it possible at the AD FS end to set up restrictions in such a way that if a non-US user tries to access these applications it should not be allowed, or the page should redirect to a page to seek further approvals?

OU-level restrictions, in other words.

Thanks in Advance,

Sravan

Internet access for clients when the DC is privately connected only


Hi! :)

I have a server which runs a few VMs, one of which is a DC. I have read and agree with the notion that a private DC should not be routable on the Internet; as such it's private only. I also have a Linux VM which runs iptables that I use as the default gateway for clients/VMs needing Internet access.

If I want my clients to join the domain they need to use the DNS server of the domain, which is run on the DC. However, since the DC is private only, they'll then be unable to resolve any Internet domains. Setting root hints on the DC or forwarding is futile.

TL;DR: How can I both use my private domain's DNS to join the domain on my laptop and also use other DNS servers (my ISP's) so that I can resolve Internet domains, without having two NICs? Thanks.



Event ID 4771


Hi All

I have an issue with my Hyper-V 2012 cluster where I am getting a 4771 audit failure event on the cluster virtual computer name, e.g. the cluster is called hypervcluster and the event is for the hypervcluster$ account.

I am aware that this could most likely be fixed with the netdom program, to re-sync the password of a computer with the DC, but as the machine name does not relate to a workstation or server I can physically log on to, I can't run netdom to fix the password issue.

It is a major job to delete and re-create the cluster just to get it properly authenticating. Is there a tool like netdom to resync the password of hypervcluster$ with a DC to clear this error? I cannot do a live migration whilst it is happening, and I am filling my logs.

Regards

Mark Dutton
Datamerge

Renaming a nested group doesn't replicate display information across DCs that aren't GCs


Hello,

I have the following issue; I don't understand why the display name of the nested group is not refreshed:

same forest / not parent-child domain

DomainA has two DCs: DCa1 and DCa2-GC (DCa1 holds all FSMO roles)

DomainB has two DCs: DCb1 and DCb2-GC (DCb1 holds all FSMO roles)

In DomainA, I have a domain local security group DLG_A.

In DomainB, I have a global security group GG_B.

GG_B is a member of DLG_A.

If I rename GG_B to GG_B1, the information is correct on the GC in DomainA but not on the DC in DomainA.

I have checked replication; it's OK.

I have checked object metadata (repadmin /showobjmeta <guid=id>); all information is correctly replicated.

Where am I wrong?

Thank you, 

Sorry for my english ;) it's not my mother tongue...

Help needed with Kerberos Constrained Delegation


Hi,

I have a requirement to configure Kerberos constrained delegation to accommodate a 'double hop' from SQL to a CIFS/SMB file share.

The scenario is:

  • I have a SQL Server instance (2008 R2) running under account domain\SQLService
  • I have a file share hosted on domain\fileServer to which domain\SQLService has full access
  • The file share contains the file test.dll
  • I need to be able to run the statement CREATE ASSEMBLY test from '\\fileServer\share\test.dll' from a remote SSMS session, hence I need a Kerberos double hop to allow the authentication.

I have got this working by setting the delegation settings for domain\SQLService to 'Trust this user for delegation to any service (Kerberos only)', so I know the SPN and permissions etc. are correctly set.

However, I need to get this working using constrained delegation, i.e. to configure the explicit services for the delegation rather than allowing any.

So I have configured the delegation settings for domain\SQLService to specify 'Trust this user for delegation to specified services only' and specified 'cifs/fileServer'.

This is resulting in failure.

I have enabled Kerberos logging on the middle tier (SQL Server) and performed a network trace.

The logging shows event ID 3 with:

Description:
A Kerberos error message was received:
 on logon session
 Client Time:
 Server Time: 22:34:54.0000 3/20/2013 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc0000225 KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: TEST.LOCAL
 Server Name: cifs/fileServer.test.local
 Target Name: cifs/fileServer.test.local@TEST.LOCAL
 Error Text:
 File: 9
 Line: 12be
 Error Data is in record data.

I have also performed a Netmon trace with the working scenario (delegation set to allow any service) and this shows the Kerberos token for cifs/fileServer.test.local in the securityBlob.

I cannot see any other service names referenced, so I am at a loss as to why this isn't working with the constrained configuration.

Any help/advice as to what I have missed here?

Thanks,

Phil
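As an added diagnostic for the scenario above (example code, not from the original post), this compares the SPN the KDC rejected in the event ID 3 record against the constrained-delegation list on the middle-tier account. The account name SQLService and the SPN cifs/fileServer.test.local are the post's placeholders; adjust them for a real environment.

```powershell
# Added example: check whether the rejected SPN is on the service account's
# constrained-delegation list (msDS-AllowedToDelegateTo). Requires the RSAT AD module.
Import-Module ActiveDirectory

$serviceAccount = 'SQLService'                  # domain\SQLService from the post
$rejectedSpn    = 'cifs/fileServer.test.local'  # "Server Name" from the KDC_ERR_BADOPTION event

$acct = Get-ADUser -Identity $serviceAccount -Properties msDS-AllowedToDelegateTo,
    TrustedForDelegation, TrustedToAuthForDelegation
$allowed = @($acct.'msDS-AllowedToDelegateTo')

"Unconstrained delegation (any service): $($acct.TrustedForDelegation)"
"Protocol transition ('use any protocol'): $($acct.TrustedToAuthForDelegation)"
"Allowed delegation targets:"
$allowed | ForEach-Object { "  $_" }

# An S4U2proxy request for a service ticket succeeds only when the requested SPN
# matches an entry in this list; a short-name entry such as 'cifs/fileServer' does
# not cover the FQDN form 'cifs/fileServer.test.local' that the SMB client asks for.
if ($allowed -contains $rejectedSpn) {
    "OK: $rejectedSpn is on the allowed list"
} else {
    "MISSING: $rejectedSpn is not on the allowed list."
    "To add it (only if this file server is the intended delegation target):"
    "  Set-ADUser -Identity $serviceAccount -Add @{'msDS-AllowedToDelegateTo'='$rejectedSpn'}"
}

# The SPN must also be registered on the file server's own computer account,
# otherwise the KDC cannot issue a ticket for it regardless of the list above.
setspn -Q $rejectedSpn
```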

How to find Branch number in Active Directory by C# ?


Hi,

Could anyone provide any information about how to find the Branch number of an Active Directory (AD) account using C#?

For example, I have an AD account: abc\xyz. At my computer, when I log in with it, I can get my branch number from:

Control Panel -> System -> Advanced tab -> Environment Variables.

In the "User variables for xyz" section, a variable named Branch has the value 55.

My question is how to use C# to find this Branch number using my AD account.

Thanks.

Query for OS (XP, 7, 8) versions (SP1, SP2, SP3), NetBiosName and IP Address


Hi,

I want to collect from Active Directory which operating system is installed, with which version, along with the NetBIOS name and IP address. I have been searching for this query but found nothing useful. Any query for this would be very helpful for me.

Thanks in Advance.

Regards,

Mohsin
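One way to pull this inventory from AD with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It assumes the RSAT AD module is installed and that computer objects have an A record in DNS (the IPv4Address value is resolved from DNS, not stored in AD, so it is empty for stale or unregistered hosts).

```powershell
# Added example: inventory domain computers with OS, version, service pack,
# NetBIOS name and current IPv4 address, then export to CSV for review.
Import-Module ActiveDirectory

$props = 'OperatingSystem', 'OperatingSystemVersion', 'OperatingSystemServicePack',
         'DNSHostName', 'IPv4Address', 'LastLogonDate', 'Enabled'

# The Name attribute of a computer object is its NetBIOS name (sAMAccountName is Name$).
# IPv4Address is an extended property the AD module fills in by resolving DNSHostName.
$inventory = Get-ADComputer -Filter 'OperatingSystem -like "Windows*"' -Properties $props |
    Select-Object @{ Name = 'NetBIOSName'; Expression = { $_.Name } },
                  DNSHostName,
                  OperatingSystem,
                  OperatingSystemVersion,
                  OperatingSystemServicePack,
                  IPv4Address,
                  LastLogonDate,
                  Enabled |
    Sort-Object OperatingSystem, NetBIOSName

$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path .\ad-computer-inventory.csv -NoTypeInformation

# Summary by OS and service pack, useful for spotting unsupported builds (e.g. XP, 7 RTM)
$inventory | Group-Object OperatingSystem, OperatingSystemServicePack |
    Select-Object Count, Name | Sort-Object Count -Descending
```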
