Channel: Directory Services forum

AD help.

Hi all,

one forest which includes one empty root domain and one child domain (servers and users are located here)

There are multiple sites (site1-site8) and only the corp site has root domain controllers. So, at the corp site, the child domain controllers' DNS forwarders point to the root domain controllers. At the other sites, the child domain controllers' DNS forwarders are configured to use each site's internet provider's DNS servers.

Now I need to promote one member server to a child domain controller at site 8, and I use site7's DNS server to promote it, and it seems to hang. I do not know the reason why; could it be due to the DNS forwarder that is forwarded to an external DNS server at site 7, since there is no root domain controller there? Does promoting child domain controllers need a DNS forwarder to a root domain controller?

Thank you.


new design to existing windows based infrastructure

Hi

We have the following existing infrastructure. We need to redesign it to make it:

* secure

* highly available for databases and applications

* fastest disaster recovery

1. domain controller+DNS+file server windows 2008 r2

2. exchange server 2010

3. Microsoft dynamics database server

4. front end server for Microsoft dynamics 

5. RDS 

6. application server for GO global, time guardian , payroll, accounting, etc

7. SonicWall acting as gateway and firewall for our 30 remotely connected stores across the country.

your help and comments will be appreciated.

Thanks

Simple LDAP in Windows Server 2012

Hi Guys

I have a Cisco ASA with a remote user VPN doing LDAP authentication against a Windows Server 2012 Domain Controller. I have set tonnes of these up without any problems when connecting to a Windows Server 2008 DC, and have not had to change much on the server - just ensure that there is an account that the ASA can use to run LDAP queries against the DC.

On my new 2012 server, it looks like the authentication from the ASA is being rejected because it's trying to use simple LDAP authentication. Is this not allowed in Server 2012? I can see that the correct credentials are coming through on my Wireshark capture, but the server rejects them stating that they are invalid.

I know that the account works as I can log on from a domain-joined machine with the same credentials that the ASA uses. I have also ensured that the ASA account has the correct permissions. 

If simple LDAP binds are not allowed, and I cannot or should not enable them, should I use LDAP-over-SSL? This setup is for a small customer without a PKI infrastructure, so I'd have to install a root CA on the domain controller and use it to manage all of the certificates etc.

Otherwise, if anyone is able to point me in the right direction for setting up Kerberos (SASL mechanism) with the ASA, then I will happily give that a go, but I haven't had much luck googling it so far.

Really appreciate any responses. Thanks for your time.

Jon

DC promotion and adprep/forestprep

I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep /forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder").

Trouble is that adprep /forestprep says that:

Adprep cannot run on this platform because it is not an Active Directory Domain Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on an Active Directory Domain Controller.

So, which needs to be installed first (they cannot really be dependent upon each other), and how do I go about completing this?!

Thanks

Stephen Simpson

DC Replication fail

Hi ALL,

We have 4 DCs in our forest; we found that the 2 file servers with DC failed, and one DC's DNS failed too.

Anyone can help?

We are planning to upgrade the Exchange 2003 to Exchange 2010.

The error code in ADReplicationStatus is -2146893022 and 1256.

TungHo

DC RDP access, change in 2008 R2 from 2008?

We have 2008 and 2008R2 DCs in our environment.  We have a few users who are not Domain Admins who are allowed to RDP to DCs.  I don't want to get into why this is, or argue about whether it is best practice or not, that is just the situation.

For our 2008 DCs, I do not need to put these users in the built-in group "Remote Desktop Users". They are in the local security policy with the following rights: "Allow log on locally" and "Allow log on through Terminal Services". They are also in the Terminal Services configuration with full access rights. With these rights, these people are able to log onto the DCs without any problems.

For our new 2008 R2 DCs, if I do not put these people in the built-in group "Remote Desktop Users", it will not work, even if all the other settings are exactly the same. The local security policy is obviously the same, as it is set through Group Policy. The Remote Desktop Session Host configuration security settings are exactly the same on the R2 DCs as they are on the 2008 DCs. Additionally, with the R2s, I *do not* need to have the user in the "Allow log on locally" setting of the local security policy.

My question is: did something change from 2008 to 2008R2 for remote desktop access for non-domain admins? 


How to update nas-ip-address for an authenticated user?

Hi.

I need to address the following scenario. I have 2 NAS as RADIUS clients (both valid clients as per the IAS server). A user authenticates through NAS client 1. After some time, NAS client 1 fails, and NAS client 2 takes over that user. NAS client 2 has cached the authentication information for that user, and hence the user doesn't need to re-authenticate with the IAS server again. Now, I need to update that user's record in the IAS server, so that in future if the server sends a RADIUS disconnect-message or COA request, it reaches NAS client 2, and not NAS client 1 through which the user originally authenticated.

My question is, can I do so by sending an Accounting-Request for that user from NAS client 2 after it has taken over for NAS client 1? If not, is there an alternate way to update the record for that user on IAS server? Or should I be resigned to re-authenticating the user all over again with IAS server?

Can't lookup Domain Local Group

Hi all,

I have a problem while working on Active Directory, so could you please help me to resolve this problem?

I have 2 domains: domain "ABC.LOCAL" and domain "CHILD1.ABC.LOCAL"; CHILD1 is a child domain of ABC.LOCAL.

In domain ABC.LOCAL, I create an account ABC\testaccount, create a Domain Global Group ABC\parentgroup, and add the test account to this group.

In domain CHILD1.ABC.LOCAL, I create a Domain Local Group CHILD1\parentgroup and add ABC\parentgroup to this group.

After logging on to a computer using ABC\testaccount (with Administrator permission), I use the source code below to read the user's security groups from Active Directory, but the result is missing all domain local groups.

using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// GetADPath is the poster's own helper (not shown in the post); it resolves a SID to a directory path.
private void GetAuthorizationGroups(ref Dictionary<SecurityIdentifier, Principal> arrGroup)
{
	// Groups from the currently logged-on user's authorization data (token groups)
	UserPrincipal user = UserPrincipal.Current;
	PrincipalSearchResult<Principal> groups;

	groups = user.GetAuthorizationGroups();
	IEnumerator<Principal> iterGroup = groups.GetEnumerator();
	using (iterGroup)
	{
		while (iterGroup.MoveNext())
		{
			try
			{
				Principal p = iterGroup.Current;
				System.Diagnostics.Debug.WriteLine(string.Format("{0}[SID: {1}]", GetADPath(p.Sid), p.Sid));
				// Collect each group once, keyed by SID
				if (!arrGroup.ContainsKey(p.Sid))
				{
					arrGroup.Add(p.Sid, p);
				}
			}
			catch (Exception pex)
			{
				// Enumeration can throw for a single entry (e.g. an unresolvable SID); skip it and keep going
				System.Diagnostics.Debug.WriteLine(pex.Message);
				continue;
			}
		}
	}
}

Why aren't domain local groups listed in this case? Is that a limitation of Domain Local Groups?

Thank you



Proxy Authentication and lockout status

Is it possible to have the account lockout status not sync between AD DS and AD LDS when using proxy authentication? 

We have a scenario where an application will use LDS as an authentication store. Some users will be contained in the LDS database and others will be stored in AD and use proxy authentication. We don't want the user to be locked out of the application because they've entered their password wrong numerous times, even though they may be locked out of AD DS due to our domain password lockout policy.

Thanks,

Mr Dizzle


How to Export OU Permission Delegation Info in Windows Server 2003 AD?

Hi,

I am running a Windows Server 2003 environment, and when I need to review the permission settings for an OU, I right click the OU --> Properties --> Security tab --> Advanced button.

The problem is, I have nearly 600 OUs and it is impossible for me to check every single OU manually.

Thus I would like to export the permission settings for all OU.

I have tried LDIFDE query with command:
ldifde -f exportOu.txt -s Server1 -d "dc=test,dc=local" -p subtree -r "(objectCategory=organizationalUnit)" -o "cn,objectclass,ou"

But the output does not contain any permission setting info =(

Hence I would like to ask whether any expert here is able to provide tools / scripts to do that?

Really appreciate that =)

Domain 2000 windows time management

I have a Windows 2000 mixed domain. I have two sites (site A and site B) spread across two locations. There are two domain controllers in each site.

The DC with the PDC role is located in site A. I understand all member servers and PCs should be checking with the PDC for time sync; however, is there a way that the workstations and member servers can sync time with the local domain controllers?

why nesting organizational units to another organizational units?

Why nest organizational units?

AD Domain Services Forest Functional Level 2008R2 and AD Recycle Bin

I have a single domain / single forest Active Directory domain with 4 DCs, all of which are Windows Server 2008 R2 SP1. Just recently I raised the domain and forest functional levels to 2008 R2. I would like to go ahead and enable the Active Directory Recycle Bin to take advantage of this technology. After reading through this article http://technet.microsoft.com/en-us/library/dd379484(v=ws.10).aspx I recalled that we have a VMware View implementation and VMware View utilizes AD LDS. At this time we really aren't using View in any capacity, but it does have an instance of AD LDS set up. Not being very familiar with AD LDS and whether it leverages my 2008 R2 Domain Services, I'm contemplating whether I should stop and address the functional level of this instance of AD LDS in my VMware View environment prior to enabling the AD Recycle Bin in my AD domain. Or does it not matter? Following the steps in the above article under "Active Directory Lightweight Directory Services environment", I checked the value of the msDS-Behavior-Version and found it to be "2=(Win 2003)". The instance of AD LDS is running on Windows Server 2008 R2.

Is it necessary that I raise the functional level of this AD LDS instance if I don't plan to use the AD Recycle Bin in it? Not being familiar with AD LDS I want to make sure if I just ignore this AD LDS instance that it won't cause any issue with my AD Domain Services when enabling the AD Recycle Bin.

Unable to locate object in LostAndFound container or raise forest functional level

Hello. We have one forest with one domain. Our 11 DCs run a mix of Windows Server 2003 SP2 and Windows Server 2008. Domain functional level is Windows 2000 native, forest functional level is Windows 2000. When I try to raise the forest functional level on our 2003 FSMO master, I get the following error:

The NTDS-DSA object 'CN=NTDS Settings, CN=LostAndFoundConfig, CN=Configuration, DC=mydomain, DC=org' is not properly configured and is preventing the forest functional level from being raised. It refers to the domain controller 'PRLRCK'. If this domain controller is off-line, then bringing it back on line may cause replication that will repair the configuration. Otherwise delete this object using the ADSI Edit MMC snap-in or a similar tool.

We do not have a domain controller named “PRLRCK” in our organization.  It may be left over from something in the past but I have no way of knowing this because the previous tech support cannot be contacted and left no documentation.

I’ve found MS articles on this error and the procedure to delete the object seems pretty straightforward, i.e. metadata cleanup or removal via ADSI Edit.  However, there is no “PRLRCK” listed in the place where these articles say to look, so I can’t delete it.

When I try to do ntdsutil metadata cleanup, I do not see that server listed in any of our sites. When I use ADSI Edit to look at the LostAndFound container, it's empty.

I've searched on this forum for anything relevant but I haven't found any posts on this issue; looks like most people with something similar have been able to locate the object in question and then delete it.

I did use LDP to look at the LostAndFound container.  There is an entry there referencing PRLRCK but I’m not sure how to get rid of it gracefully and if this will then enable me to successfully raise the forest functional level.  Can you please advise me what to do next?

Many thanks!

Monika

Trust relationship cannot be created, possibly SID conflict?

Hello,

I am using Windows Server 2012 for all machines.

I have 2 domains

In this example, I'll call them domain.co.uk and domain.int

I need to create a one-way trust so that a user on domain.int can be authenticated FROM domain.co.uk.

But, when trying to create the trust for domain.co.uk on domain.int, it fails with:
'This operation cannot be performed on the current domain.'

DNS is working fine

After reading through other threads, I have found that cloning may be a problem.

All my machines are made from a 'Master' VHD of Server 2012.

So, both the .co.uk and .int DC are from the same image (Non sys-prepped).

Is there a way, this late in the stage to change the SID of either DC, without causing a world of pain?

Is this even my problem?

Any help welcome :D

Thanks,
Chris


Verification of replica failed. Active directory domain controller for the domain XYZ could not be contacted. Ensure that you supplied the correct DNS domain name

I am getting the following error while trying to add a secondary AD server to my domain:

"Verification of replica failed. Active directory domain controller for the domain XYZ could not be contacted. Ensure that you supplied the correct DNS domain name"

What I already tried:

ipconfig /registerdns and ipconfig /flushdns on both the old primary Active Directory DNS server (2008) and the brand new 2012 server (clean install of AD DS, which I am configuring)

adprep of forest and domain on server 2008

resolved all connection issues and 2008 is pinging properly

Firewalls off on both 2008 and 2012

tried disabling IPv6

Started all Computer Browser related services and are set to automatic

Time settings

I can nslookup from both servers easily and IP seems to be correct

The DNS server (2008) has only its own IP configured as primary DNS server

DNS has records for the domain name (in DNS Manager), and Dynamic Updates is set to Secure only.

net stop "net logon" 

net start "net logon"

-----

What was the reason to update to 2012?

---> My old secondary 2008 DNS server had a BSOD because its Active Directory was broken

----> I already followed the steps given at http://www.petri.co.il/delete_failed_dcs_from_ad.htm to delete that server, which is now deleted

Active Directory Replication with state DsBindWithCred Error.Error of 1722 (0x6ba): The RPC server is unavailable


Hi all, I have two AD Sites. All servers except one are Windows Server 2008 R2.

Everything worked fine, but for two weeks I have had replication errors between the two Sites. Users created at one of the sites are not replicated to the other.

I see the following events in the DCs:

Event id 1864 Microsoft-Windows-ActiveDirectory_DomainService
Event id 2093 Microsoft-Windows-ActiveDirectory_DomainService
Event id 1925 ActiveDirectory_DomainService

When I run repadmin /showrepl:

Active Directory Replication with state DsBindWithCred Error. Error of 1722 (0x6ba): The RPC server is unavailable.

I tried communicating with the PortQuery tool, and everything seems to be correct.

The DCs that are in the same Site are replicated correctly.

IT CANNOT BE HAPPENING, can you help?

thank you very much

Microsoft Certified IT Professional Server Administrator

Virtual Domain Controller Disk Partitions

Are the disk partitioning best practices of OS, DB and logs on different disks still applicable to virtual domain controllers too? Does it really matter when using VDCs? Also, the page file is generally recommended to be on a separate partition from the boot partition; is that still applicable on a VDC?

We are planning for using AD for a cloud solution and wanted to know if we can propose a DC with a Disk Configuration 50 GB Single Partition, 2 GB Memory, 2 Proc. The directory should have below 1000 objects.

2008 R2 BareMetal restore

Hi All, I have an interesting one that I need help with.

We have a windows 2008 R2 Domain Controller and we are testing a DR situation.

We want to restore the AD server onto another server with different hardware using bare metal backup restore. The restore is successful and the server boots up without any problem with all the new drivers, etc.

The problem I'm having is that after the reboot DNS, DHCP etc. work fine, but I keep getting AD errors when I try to create users (RID identifier errors), or sometimes I get errors that the domain can't be located although all services are running. Again, DNS is fine etc. and no service is stopped. (I know this server is the owner of all FSMO roles.)

What I have found is that the SYSVOL share is no longer shared, and if I try to share it after a restart it reverts back.

I suspect it may be down to the fact that the current server is using 2 Broadcom NICs in a team with Broadcom Suite 4. The DR server is using Intel NICs and something is interfering with the new NIC bindings.

I have tried various combinations and steps to try to sort this out: after restore, configure the new NIC with the correct IP; uninstall all of the Broadcom software, then configure the IP on the new NICs. Still no joy.

How to set Impersonation Permissions by using Active Directory Sites and Services or the Active Directory Users and Computers user interfaces


Using PowerShell cmdlets, this impersonation can be set for specific users.

Is it possible to set the same using Active Directory Users and Computers and Active Directory Sites and Services?
For Windows Server 2003 and Windows Server 2008.