Channel: Directory Services forum

AD LDS Group/Role Permissions/ACLs - Difference between Readers and Users


I have my authentication app working with AD LDS when LDS users are members of the Admin or Reader role. Those users are able to search the app partition. However, I have an internal request to allow users that are members of the Users role to also be able to search the partition. I suspect the problem is a permission or ACL issue, so I attempted to dump these permissions for the Readers and Users roles. My goal is to determine the permission that I need and add it to the Users role. I appreciate any advice you can give to help.

I apologize in advance for the length of this post. First, here is my output from the dsacls command, which does not seem to list anything for the Users role:

Owner: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com
Group: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com
Access list:
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
                                     SPECIAL ACCESS
                                     READ PERMISSONS
                                     LIST CONTENTS
                                     READ PROPERTY
                                     LIST OBJECT
Allow CN=Readers,CN=Roles,DC=AppPartFE,DC=com
                                     SPECIAL ACCESS
                                     READ PERMISSONS
                                     LIST CONTENTS
                                     READ PROPERTY
                                     LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=AppPartFE,DC=com
                                     FULL CONTROL
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
                                     Replicating Directory Changes
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
                                     Replication Synchronization
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
                                     Manage Replication Topology
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
                                     Replicating Directory Changes All
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=AppPartFE,DC=com
                                     SPECIAL ACCESS
                                     READ PERMISSONS
                                     LIST CONTENTS
                                     READ PROPERTY
                                     LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=AppPartFE,DC=com
                                     FULL CONTROL

>>>Next is output from ldp.exe > View Tree...Advanced > Security Descriptor > Text Dump

Here it looks to me like Users and Readers have the same permissions, which does not make sense to me.

Here is what users have:

-----------

Security Descriptor:
Security Descriptor:SD Revision: 1
SD Control: 0x8c04
                               SE_DACL_PRESENT
                               SE_DACL_AUTO_INHERITED
                               SE_SACL_AUTO_INHERITED
                               SE_SELF_RELATIVE
Owner: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
Group: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
DACL:
               Revision      4
               Size:         56 bytes
               # Aces:       2
               Ace[0]
                               Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
                               Ace Size:  24 bytes
                               Ace Flags: 0x12
                                               CONTAINER_INHERIT_ACE
                                               INHERITED_ACE
                               Ace Mask:  0x00020094
                                               READ_CONTROL
                                               ACTRL_DS_LIST
                                               ACTRL_DS_READ_PROP
                                               ACTRL_DS_LIST_OBJECT
                               Ace Sid:   CN=Readers,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-514]
               Ace[1]
                               Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
                               Ace Size:  24 bytes
                               Ace Flags: 0x12
                                               CONTAINER_INHERIT_ACE
                                               INHERITED_ACE
                               Ace Mask:  0x000f01ff
                                               DELETE
                                               READ_CONTROL
                                               WRITE_DAC
                                               WRITE_OWNER
                                               ACTRL_DS_CREATE_CHILD
                                               ACTRL_DS_DELETE_CHILD
                                               ACTRL_DS_LIST
                                               ACTRL_DS_SELF
                                               ACTRL_DS_READ_PROP
                                               ACTRL_DS_WRITE_PROP
                                               ACTRL_DS_DELETE_TREE
                                               ACTRL_DS_LIST_OBJECT
                                               ACTRL_DS_CONTROL_ACCESS
                               Ace Sid:   CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
SACL not present
Security for "CN=Users,CN=Roles,DC=AppPartFE,DC=com"

-----------

Here is what readers have:

-----------

Security Descriptor:
Security Descriptor:SD Revision: 1
SD Control:  0x8c04
                               SE_DACL_PRESENT
                               SE_DACL_AUTO_INHERITED
                               SE_SACL_AUTO_INHERITED
                               SE_SELF_RELATIVE
Owner: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
Group: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
DACL:
               Revision      4
               Size:         56 bytes
               # Aces:       2
               Ace[0]
                               Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
                               Ace Size:  24 bytes
                               Ace Flags: 0x12
                                               CONTAINER_INHERIT_ACE
                                               INHERITED_ACE
                               Ace Mask:  0x00020094
                                               READ_CONTROL
                                               ACTRL_DS_LIST
                                               ACTRL_DS_READ_PROP
                                               ACTRL_DS_LIST_OBJECT
                               Ace Sid:   CN=Readers,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-514]
               Ace[1]
                               Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
                               Ace Size:  24 bytes
                               Ace Flags: 0x12
                                               CONTAINER_INHERIT_ACE
                                               INHERITED_ACE
                               Ace Mask:  0x000f01ff
                                               DELETE
                                               READ_CONTROL
                                               WRITE_DAC
                                               WRITE_OWNER
                                               ACTRL_DS_CREATE_CHILD
                                               ACTRL_DS_DELETE_CHILD
                                               ACTRL_DS_LIST
                                               ACTRL_DS_SELF
                                               ACTRL_DS_READ_PROP
                                               ACTRL_DS_WRITE_PROP
                                               ACTRL_DS_DELETE_TREE
                                               ACTRL_DS_LIST_OBJECT
                                               ACTRL_DS_CONTROL_ACCESS
                               Ace Sid:   CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
SACL not present
Security for "CN=Readers,CN=Roles,DC=AppPartFE,DC=com"

-----------

Thanks!


leo
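Added here as a worked example (it is not code from the post): a Python decoder for the 'Ace Mask' and 'Ace Flags' values in the ldp.exe dump, using the documented ADS_RIGHTS_ENUM and ACE-flag bit values, plus a simplified access check over a DACL constructed from the dsacls output. The Ace class, SEARCH_RIGHTS and effective_rights are my own names, and the assumption that searching needs LIST CONTENTS + READ PROPERTY + LIST OBJECT mirrors the Readers grant rather than any documented rule.

```python
"""Added example (not from the forum post): decode the 'Ace Mask' and 'Ace
Flags' values in the ldp.exe dump and run a simplified access check over a
DACL constructed from the dsacls output for the partition."""
from dataclasses import dataclass

# ADS_RIGHTS_ENUM bit values: directory-service rights in the low bits, the
# standard rights in bits 16-31. dsacls prints the same bits under friendlier
# names, e.g. ACTRL_DS_LIST is shown as "LIST CONTENTS".
ADS_RIGHTS = {
    0x00000001: "ACTRL_DS_CREATE_CHILD",
    0x00000002: "ACTRL_DS_DELETE_CHILD",
    0x00000004: "ACTRL_DS_LIST",
    0x00000008: "ACTRL_DS_SELF",
    0x00000010: "ACTRL_DS_READ_PROP",
    0x00000020: "ACTRL_DS_WRITE_PROP",
    0x00000040: "ACTRL_DS_DELETE_TREE",
    0x00000080: "ACTRL_DS_LIST_OBJECT",
    0x00000100: "ACTRL_DS_CONTROL_ACCESS",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# ACE header flags; the dump's 0x12 is CONTAINER_INHERIT_ACE | INHERITED_ACE.
ACE_FLAGS = {
    0x01: "OBJECT_INHERIT_ACE",
    0x02: "CONTAINER_INHERIT_ACE",
    0x04: "NO_PROPAGATE_INHERIT_ACE",
    0x08: "INHERIT_ONLY_ACE",
    0x10: "INHERITED_ACE",
}
ACCESS_ALLOWED_ACE_TYPE = 0x0
ACCESS_DENIED_ACE_TYPE = 0x1
# Assumption: searching the partition needs the three directory rights the
# Readers role holds in the dsacls dump (LIST CONTENTS, READ PROPERTY, LIST OBJECT).
SEARCH_RIGHTS = 0x00000004 | 0x00000010 | 0x00000080

def _decode_bits(value: int, table: dict) -> list:
    """Name each set bit using `table`, lowest bit first; flag unknown bits."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:08x})")
    return names

def decode_mask(mask: int) -> list:
    """Expand an 'Ace Mask' value into the right names ldp.exe prints."""
    return _decode_bits(mask, ADS_RIGHTS)

def decode_ace_flags(flags: int) -> list:
    """Expand an 'Ace Flags' value into its inheritance flag names."""
    return _decode_bits(flags, ACE_FLAGS)

@dataclass
class Ace:
    """One DACL entry: ACE type, access mask and the trustee (role DN) it names."""
    ace_type: int
    mask: int
    trustee: str

def effective_rights(dacl: list, memberships: set) -> int:
    """Allowed mask for a principal that is a member of the given roles.

    Simplified: a deny for any of the principal's roles removes those bits
    wherever it sits; Windows walks a canonical DACL in order, which agrees
    with this when the relevant ACEs all sit at one inheritance level.
    """
    allowed = denied = 0
    for ace in dacl:
        if ace.trustee not in memberships:
            continue
        if ace.ace_type == ACCESS_DENIED_ACE_TYPE:
            denied |= ace.mask
        elif ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed |= ace.mask
    return allowed & ~denied

def can_search(dacl: list, memberships: set) -> bool:
    """True when every SEARCH_RIGHTS bit is allowed and none of them is denied."""
    return (effective_rights(dacl, memberships) & SEARCH_RIGHTS) == SEARCH_RIGHTS

# Constructed from the "Inherited to all subobjects" part of the dsacls dump:
# Readers hold the read-only set, Administrators FULL CONTROL, and no ACE
# names the Users role at all (consistent with the poster's suspicion).
READERS = "CN=Readers,CN=Roles,DC=AppPartFE,DC=com"
USERS = "CN=Users,CN=Roles,DC=AppPartFE,DC=com"
ADMINS = "CN=Administrators,CN=Roles,DC=AppPartFE,DC=com"
PARTITION_DACL = [
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0x00020094, READERS),  # READ_CONTROL + search set
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0x000F01FF, ADMINS),   # FULL CONTROL
]
# Least-privilege fix: grant Users only the Readers-equivalent search set.
FIXED_DACL = PARTITION_DACL + [Ace(ACCESS_ALLOWED_ACE_TYPE, SEARCH_RIGHTS, USERS)]
```

Note that the two ldp.exe text dumps end with Security for "CN=Users,..." and Security for "CN=Readers,...", i.e. they are the security descriptors of the two role objects themselves, which is why they look identical: they say who may read those objects, not what members of the roles may do on the partition. The dsacls output, which has a Readers ACE and no Users ACE, is the one to compare.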


Deny Read access to System OU at root of domain to a computer potential impact


Hello,

I have an application that does a sync with AD to import the OU structure. It uses the server's machine account (computername$) to do the sync. I need to prevent it from syncing certain OUs which are not needed in the application. The application does not have any method for exclusions in the sync. I have tested doing exclusions by denying read access to the computername$ account within a given OU's security settings in ADUC. That appears to work. One of the OUs I need to prevent from being synced is the System OU at the root of the domain. If I deny read access to the server's computername$ account on the domain System OU, what impact would that have on the server? Would it not be able to read/apply group policies? Any other impacts?

Thanks,

Joe

DC RDP access, change in 2008 R2 from 2008?


We have 2008 and 2008R2 DCs in our environment.  We have a few users who are not Domain Admins who are allowed to RDP to DCs.  I don't want to get into why this is, or argue about whether it is best practice or not, that is just the situation.

For our 2008 DCs, I do not need to put these users in the built-in group "Remote Desktop Users". They are in the local security policy with the following rights: "Allow log on locally" and "Allow log on through Terminal Services". They are also in the Terminal Services configuration with full access rights. With these rights, these people are able to log on to the DCs without any problems.

For our new 2008 R2 DCs, if I do not put these people in the built-in group "Remote Desktop Users", it will not work, even if all the other settings are exactly the same. The local security policy is obviously the same, as it is set through Group Policy. The Remote Desktop Session Host Configuration security settings are exactly the same on the R2 DCs as they are on the 2008 DCs. Additionally, with the R2s, I *do not* need to have the user in the "Allow log on locally" setting of the local security policy.

My question is: did something change from 2008 to 2008 R2 for remote desktop access for non-Domain Admins?


Cross forest authentication with local resources


Hi,

I'm working on a project, and in our test environment we're running into some challenges; I'm wondering whether what we're trying to do is at all possible.

In our scenario:

ForestA (Windows 2008 R2): we have a Remote Desktop farm (rdsfarm), a file server, and roaming profiles and home drives provisioned through GPO. When ForestA users connect to rdsfarm, they get a roaming profile and home drive on the ForestA file server.

ForestB (Windows 2008 R2): AD users

* One-way trust between ForestA (trusting) and ForestB (trusted)

* Set up name suffix routing across the forest on the ForestA domains and trust with the ForestB domain (@forestB.com)

* ForestA user account: changed the logon name DNS suffix to @ForestB.com

Goal: We have users that have two AD accounts, one in ForestA and one in ForestB. These users with multiple AD accounts would like to use their ForestB logon credentials to get to ForestA resources (roaming profile/home drive) through rdsfarm.

Issue: With the current one-way trust setup, when a ForestA user logs on to rdsfarm using ForestB credentials, they get a local profile instead of the ForestA profile (roaming/home drive).

Let me know if it's clear and whether what we're trying to do is even possible.

Thanks!

CDP Location #1' already expired


Dear All,

I have a Standalone Enterprise CA running on Windows Server 2008 R2. By coincidence I logged into the server and found a warning under 'Enterprise PKI' that 'CDP Location #1' has already expired.

Can anybody please tell me how I can republish the CDP Location and fix this issue? 

BR,

Khemarin


Khemarin333@hotmail.com

LDAP SSO 3rd Party Best Practices


I need to setup LDAP SSO with an external 3rd party (my first time doing this). It will be my Active Directory (internal) and they want to configure LDAP access like this:

    LDAP/AD Setup

   To map the LDAP/AD authentication, we need:
   1) IP addresses enabled
   2) LDAP/AD connection details
   3) LDAP/AD account with read access
   4) Sample LDAP/AD entry.

   3rd Party IP addresses to be Enabled:
   ip.addresses.1
   ip.addresses.2
   ip.addresses.3

   Example of LDAP/AD Connection details:
   Example 1: CN=Example Group,OU=Domain Users,DC=xxxxx,DC=local
   Example 2: IP: 2xx.xx.xx.xx:389 Username: lookupuser Password: xxxxx Base: DC=schoollabs, DC=edu CN=Users CN Test case: schoolabs\passw0rd

My first thoughts are that they don't need full read access, they only need auth pass/fail result, but I'm not sure how to configure this or what the correct terminology is.

I'm also wondering whether putting an RODC in the DMZ for them to connect to would be best, but I've never done this; how well does it work?

It's also disconcerting that they specify :389 instead of :636, but this is easily configured.

Thanks for any input,

Mike

Active Directory Sites and Services choosing wrong site


We have had our AD set up using Sites and Services for 6 months without any problem, but now I am upgrading our VPN and that is causing Sites and Services to show the machines in the wrong office. We were running a VPN between the two Cisco routers we had in each office; the new VPN is using OpenVPN.

Basically, if I am on the Cisco VPN everything operates as expected. As soon as I switch to the OpenVPN connection, the machines all think they are in the other office. If I run nltest /dcgetsite it shows the other site, the logon server shows the correct local server, and when I do DNS lookups they go through the local server correctly. When I do a DNS lookup of the domain it resolves to the local server.

Now if I just disconnect the VPN between the offices, everything resolves to the correct site, but as soon as it is back up the machines all think they are in the other office again.

In Sites and Services I have the subnets of the OpenVPN connection and each local subnet pointing to the correct site.

At this point I am at a complete loss and can't figure out what to do, and I have not seen or heard of someone experiencing a similar issue. I am thinking it is some sort of routing issue, but I have not been able to find many details on how Sites and Services actually picks the correct site other than by the machine's subnet.

delete sysvol after dc demotion?

I was having problems with sysvol replication.  MS Tech support suggested demoting & promoting the problematic DC.  I have demoted it.  The c:\windows\sysvol and subdirectories are still present.  Do I need to manually delete these before promoting?

New Print Server 2008 R2: Find Printer is not listing any printers in the search results


Hi, we have an Active Directory domain. I have added a new Server 2008 R2 print server to my domain; 10 printers have been installed and shared, and each printer has "List in the directory" enabled.

From Windows 7 workstations, from any servers/domain controllers, or on this print server itself, if I browse to the UNC path \\printserver\ I can see all 10 printers and can right-click > Connect to install them. Whereas if I go through Devices & Printers >> Add Printer >> Find a printer in the directory >> Find Now, no printers are listed.

Is there anything I am missing here?

Your help will be much appreciated, thank you.




adprep /domainprep error 0x208d


Hi,

I need to replace my current DC with a new one, and I want to demote the current DC to a backup (second DC).

My current DC is:
- Windows 2003 SP2 x86, language: PL
- Domain functional Level: 2003
- Forest functional level: 2003
- AD schema version: 47

My new DC is:
- Windows 2008 R2 SP1 x64, language: EN

My plan is: promote the new DC as an additional DC alongside the existing DC, then transfer FSMO, DHCP, etc.

But during promotion I got an error:

On the current DC I executed adprep32.exe (from the Windows 2008 R2 install CD) with the /domainprep option, but I got these errors:

Adprep was unable to modify the security descriptor on object CN=IP Security,CN=System,DC=main,DC=domain,DC=local.

[Status/Consequence] 
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).


Adprep encountered an LDAP error. 

Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
	'CN=System,DC=main,DC=domain,DC=local'
.

Adprep was unable to update domain information. 

[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.


Could this be due to the different language versions of the current DC and the new DC?


Cannot restore AD LDS instance on another computer


Hi,

 

I would like to create a backup of an existing AD LDS instance from one server and give it to developers to restore on their local computers (2008/Win7).

I followed the procedures using the dsdbutil.exe utility to back up and restore the instance, but can't make it work 100% like the original instance. The restore works fine, but if I open ADSI Edit to check it I get:

1. I can connect successfully, but if I open the directory tree and look around in the instance root I have just the "builtin" folder, and the rest of the OUs are empty inside: no users, no objects and no attributes.

2. I cannot connect to my instance, and ADSI Edit throws a 0x8000500d error: "The directory property cannot be found in cache."

 

The steps I made look quite simple but they don't work in my case:

- Create the backup with dsdbutil.exe, which in fact saves the adamntds.dit file. (The Windows Backup procedure is not feasible in my case because it would mean sharing about 10 GB.)

- Recreate the instance at the destination with the same settings, without the partition.

- Stop the instance service.

- Xcopy the file from the backup to the "Microsoft ADAM\instance\data" folder.

- Restart the service and open ADSI Edit to check the status.

These are the links I used to do the backup and restore:

http://technet.microsoft.com/en-us/library/cc730941%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc770886%28WS.10%29.aspx

 

Notes:

1. The source AD LDS server is a 2008 R1 domain machine (not a controller); the destination is not a domain computer and is 2008 R2 or Win7.

2. The source AD LDS server has been synced with an AD DS server to pull the configuration, schema, etc.

 

Please help

Thanks.

ADFS 2.0 Issue EVENT ID 364 "Encountered error during federation passive request"


Please help. I am having the same issue on two ADFS servers. I have installed ADFS three times already...

 

 

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          9/29/2010 3:26:57 AM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          INFY\I1ADFSSRV
Computer:      Infy_ADFS.infy.com
Description:
Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Configuration.ReadServiceConfigFailedException: MSIS2001: Configuration service URL is not configured. ---> Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running. ---> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Search[T](Filter filter, Int32 maxItems, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.GetItem[T](Filter filter, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.get_ServiceConfiguration()
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.GetHostNetTcpPort()
   at Microsoft.IdentityServer.Web.PassivePolicyManager..ctor()
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetIssuerFriendlyName()

Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running. ---> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Search[T](Filter filter, Int32 maxItems, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.GetItem[T](Filter filter, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()

System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)

System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)


   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Search[T](Filter filter, Int32 maxItems, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.GetItem[T](Filter filter, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.get_ServiceConfiguration()
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.GetHostNetTcpPort()
   at Microsoft.IdentityServer.Web.PassivePolicyManager..ctor()
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetIssuerFriendlyName()

Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running. ---&gt; System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---&gt; System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Search[T](Filter filter, Int32 maxItems, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.GetItem[T](Filter filter, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()

System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---&gt; System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)

System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)

</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

Unable to promote server to domain controller after demoting it...!

Hi everyone,

Here is the story. I have 2 domain controllers: 1. pv-dc01 and 2. pv-dc01rep (replica). The software that I have used for the servers is the Server 2012 evaluation. Now, as you may know, before activating this software I needed to disjoin the domain controllers. So I did that.

First I did it to pv-dc01rep. The procedure was good. Now, after I demoted pv-dc01, I couldn't rejoin it again! I've tried to add the domain controller to an existing domain and got the following message: Verification of replica failed. Failed to examine Active Directory forest. The error was: Expected value ridMasterDSA.parentDN not found.

Can anyone please help me with this? Thanks in advance!


Netlogon Error 5774 - no DNS server information actually listed.

I am receiving the typical Event 5774; however, in the part where the DNS server with the problem is supposed to be listed, I have nothing:

The dynamic registration of the DNS record '_kpasswd._udp.mydomain.com. 600 IN SRV 0 100 464 SLS-2K8DC1.mydomain.com.' failed on the following DNS server:  

DNS server IP address: :: <--????????? What server?
Returned Response Code (RCODE): 0 
Returned Status Code: 0  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. 
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA 
Error Value: Bad DNS packet.

Not even sure how to start on this one.

Recycle Bin and Infrastructure Master

I have been going through an Active Directory book and found out that once you enable the Recycle Bin in your domain you do not need to have the infrastructure master (IM) FSMO role, even if the DC is not a global catalog.

The reason is nowhere to be found. What exactly is the reason that once you enable the Recycle Bin you no longer use the IM? Does the Recycle Bin start to act like the IM, taking care of phantom objects?

I would appreciate it if you could help me with a TechNet article, if one is available.

Regards,


MCP,MCTS(Vista),MCSA(Messaging)


Adding Computer to Domain using NETBIOS name.

When trying to add a computer (Windows XP or Windows 7 clients) to the domain using just the NetBIOS name for the domain, we get "An Active Directory Domain Controller (AD DC) for the domain "Domain" could not be contacted." But if we use the FQDN (domain.local) it works fine. My environment is below.

I have a domain at the Windows 2003 forest/domain functional level. I am running a mixture of Windows 2003 and Windows 2008 domain controllers. We are not using WINS. The DHCP scope is handing out the DNS suffix domain.local.

To use the NetBIOS name for the domain to add a computer, do you need WINS?

Thanks,

Steve 



Windows 2003 - 2008 Forest Trusts

Can you set up a forest trust between 2003 and 2008 domains? I can't see any info on 2008 domains in cross-server trusts. I am trying it, get an error, and can only seem to create a realm trust.

Also, does anybody know what DNS/SRV entries are looked up or used when a trust is configured?

Thanks!!

Difference between AD replication and sysvol replication.

Hi,

Can someone provide some insight into what exactly the difference is between AD replication and SYSVOL replication?

Ref: I was going through a note on the TechNet website and found the sentence quoted below, which is a bit confusing for me:

"For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller."

Any help is much appreciated.

Create user script not running

Hi guys,

I'm trying to run this script (from here) on my domain:
http://www.computerperformance.co.uk/vbscript/vbscript_user_spreadsheet.htm

As I'm not familiar with LDAP queries, what should I put for the strOU value here?

' -----------------------------------------------'
' Important change OU= and strSheet to reflect your domain
' -----------------------------------------------'

strOU = "OU=????? ," ' Note the comma
strSheet = "E:\scripts\UserSpread1.xls"

My domain name is banking.local

And the OU in AD that I wanted to create the user in was banking.local\Users\Project Manager

Do I put the value as strOU = "OU=Users, OU=Project Manager ," ?

Thanks for the advice!


---Packie
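A worked example of what the strOU value has to hold, added to this thread (it is not code from the linked script or from the poster). LDAP writes a distinguished name leaf first, so a container nested as Users\Project Manager becomes OU=Project Manager,OU=Users, followed by the domain components DC=banking,DC=local. The trailing comma the snippet's comment asks for suggests the script appends the domain part itself; the example treats that as an assumption and returns the prefix with the comma. One caveat: in a stock domain the Users folder directly under the domain is the built-in CN=Users container rather than an OU, so the path only works as written if Users is an OU the poster created, which the example assumes. Values are escaped per RFC 4514 so an OU name containing a comma or quote cannot be read as an extra RDN.

```python
"""Turn a folder-style OU path into an LDAP distinguished name.

Added example for this thread, not code from the poster or the linked script.
Assumes every path element below the domain is an organizationalUnit (OU=),
and that the script appends the domain DN after the trailing comma of strOU.
"""

# RFC 4514 section 2.4: characters that need a backslash inside an RDN value.
_RESERVED = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 string form).

    Without this, an OU called 'Sales, EMEA' would be read as two RDNs and a
    name starting with '#' would be parsed as a hex-encoded value.
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _RESERVED:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def _split_path(path: str):
    """'banking.local\\ Users\\ Project Manager' -> ['banking.local', 'Users', 'Project Manager']"""
    parts = [p.strip() for p in path.replace("/", "\\").split("\\")]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        raise ValueError("path must be domain\\container[\\container...]")
    return parts


def domain_dn(domain: str) -> str:
    """'banking.local' -> 'DC=banking,DC=local'"""
    labels = [label for label in domain.split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def ou_prefix(path: str) -> str:
    """Container part of the DN, leaf first, with the trailing comma strOU needs.

    'banking.local\\Users\\Project Manager' -> 'OU=Project Manager,OU=Users,'
    """
    containers = _split_path(path)[1:]
    rdns = ["OU=" + escape_rdn_value(name) for name in reversed(containers)]
    return "".join(rdn + "," for rdn in rdns)


def path_to_dn(path: str) -> str:
    """Full DN of the container named by the path."""
    return ou_prefix(path) + domain_dn(_split_path(path)[0])


if __name__ == "__main__":
    print(ou_prefix(r"banking.local\ Users\ Project Manager"))
    print(path_to_dn(r"banking.local\Users\Project Manager"))
    print(path_to_dn(r"banking.local\Sales, EMEA\Project Manager"))
```

Run as-is to see the three DNs; the third shows the escaped comma that keeps "Sales, EMEA" a single RDN. If the container under the domain really is the built-in Users container, the correct prefix would use CN=Users instead, and an OU cannot be created inside it.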

Account lockout policy - Need suggestions

Hi Team,

AD: Windows Server 2008 R2

User count: 4000+ users

In my domain there is no account lockout policy in place; it's set to 0 invalid attempts. For auditing and security reasons, I need to apply an account lockout policy in my domain.

So, to observe, I implemented the lockout policy in the domain. But then a lot of users started complaining about the account lockout issue, and my help desk was filled with lockout tickets.

I think the majority of the issue is caused by the saved passwords on the PCs. After this incident, I rolled back my changes.

Then, as per the Microsoft article http://technet.microsoft.com/en-us/library/hh994574(v=ws.10).aspx, I implemented the policy in my domain for 50 invalid attempts.

And around 60% of the users are saying their account is getting locked out. After this, I revised the policy again.

Could anyone suggest how to address this issue?

Also, I am upgrading my functional level to 2008 to at least exclude some service accounts from being locked. But that will not be the complete solution.

Regards, Dj
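An added example for this thread (not from the poster, and not Microsoft tooling): before tuning the threshold, find where the lockouts come from. With user account management auditing enabled, the PDC emulator records Security event 4740, "A user account was locked out", for every lockout in the domain, and its Caller Computer Name field names the machine that sent the failing logons. A stale saved credential shows up as the same account locked again and again from the same host, while one host locking many different accounts is a different pattern worth a look before the threshold is raised. The records below are constructed samples in the event's message layout, not real logs, and the account and host names are made up.

```python
"""Attribute account lockouts to their source from Security event 4740.

Added example, not from the poster or from Microsoft.  Parses the message
text of event 4740 ("A user account was locked out"), which the PDC emulator
records for every lockout in the domain, and groups lockouts by the Caller
Computer Name that sent the bad logons.
"""
import re
from collections import Counter, defaultdict


def _sample_4740(locked_sid: str, account: str, caller: str) -> str:
    """Constructed message in the layout of event 4740; not a real log record."""
    return (
        "A user account was locked out.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        "\tAccount Name:\t\tDC01$\n"
        "\tAccount Domain:\t\tCORP\n"
        "\tLogon ID:\t\t0x3E7\n\n"
        "Account That Was Locked Out:\n"
        f"\tSecurity ID:\t\t{locked_sid}\n"
        f"\tAccount Name:\t\t{account}\n\n"
        "Additional Information:\n"
        f"\tCaller Computer Name:\t{caller}"
    )


# Constructed sample data (made-up accounts and hosts).
SAMPLE_4740_RECORDS = [
    _sample_4740("S-1-5-21-1-2-3-1105", "jsmith", "WS-0421"),
    _sample_4740("S-1-5-21-1-2-3-1105", "jsmith", "WS-0421"),
    _sample_4740("S-1-5-21-1-2-3-1190", "mlee", "WS-0077"),
    _sample_4740("S-1-5-21-1-2-3-1201", "aroy", "KIOSK-01"),
    _sample_4740("S-1-5-21-1-2-3-1202", "bkim", "KIOSK-01"),
    _sample_4740("S-1-5-21-1-2-3-1203", "cdoe", "KIOSK-01"),
    _sample_4740("S-1-5-21-1-2-3-1300", "svc-backup", ""),  # blank caller
]

# "Account Name" appears twice in a 4740 (subject and locked account), so anchor
# on the section header.  Caller Computer Name is sometimes blank in real events.
_LOCKED = re.compile(r"Account That Was Locked Out:.*?Account Name:[ \t]*(\S+)", re.S)
_CALLER = re.compile(r"Caller Computer Name:[ \t]*(\S*)")


def parse_4740(message: str) -> dict:
    """Return {'account': ..., 'caller': ...}; caller is '<unknown>' when blank."""
    locked = _LOCKED.search(message)
    caller = _CALLER.search(message)
    if not (locked and caller):
        raise ValueError("not a 4740 message")
    return {"account": locked.group(1), "caller": caller.group(1) or "<unknown>"}


def lockout_sources(messages):
    """account -> Counter(caller -> number of lockouts)."""
    by_account = defaultdict(Counter)
    for msg in messages:
        rec = parse_4740(msg)
        by_account[rec["account"]][rec["caller"]] += 1
    return by_account


def callers_hitting_many_accounts(by_account, threshold=3):
    """Callers that locked out at least `threshold` distinct accounts.

    A stale saved credential locks the same account from the same host over
    and over.  One host locking many different accounts is a different pattern
    and should be examined before the lockout threshold is raised.
    """
    accounts_per_caller = defaultdict(set)
    for account, callers in by_account.items():
        for caller in callers:
            accounts_per_caller[caller].add(account)
    return {c: sorted(a) for c, a in accounts_per_caller.items() if len(a) >= threshold}


if __name__ == "__main__":
    sources = lockout_sources(SAMPLE_4740_RECORDS)
    for account, callers in sorted(sources.items()):
        print(f"{account:12} {dict(callers)}")
    print("hosts locking many accounts:", callers_hitting_many_accounts(sources))
```

On a real PDC emulator the message text would come from the Security log filtered to event ID 4740; the parser keeps a blank Caller Computer Name as "<unknown>" rather than failing, since that happens with some logon sources and those are exactly the lockouts that need a closer look.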


