Channel: Directory Services forum

Directory Service Restore Password


Hi,

How do I reset the Directory Services Restore Mode password for Active Directory?

Thank you,

Tarek Faraj




Create User in Active Directory From Siebel CRM


Hi Everyone

We have a Siebel CRM in our environment and we use Active Directory as the user repository. We have activated the self-register feature in Siebel, but we cannot create the user in AD.

The fact is that when the add function is called, the password is forced in the unicodePwd parameter, and AD refuses to create the user. How can I bypass this issue? Has anyone pushed users into AD using Siebel?

Thank you,

Tudor

UnattendJoin fails but works afterwards without further configuration


Hello everybody,

I'm suffering from a problem that I could not solve yet.

In short, my UnattendJoin with an AutoUnattend.xml in WDS fails due to error 0x54b (1355, NO_SUCH_DOMAIN), but works fine when I join the domain manually directly after deployment without further configuration or limitations.

Well, I have to say that I build a Windows infrastructure inside a Unix environment. I don't have access to configure the main DNS or DHCP. Thus I have to configure DNS manually before the domain join, and the WDS operates in standalone mode. I do so with the DNS Client component in the unattend.xml. In the setupact log file I can see that the DNS configuration is successfully applied before setup tries the domain join. After several retries, setup stops the domain join with gdwError = 0x54b.

I could deal with it if the join did not work afterwards without any problems -.- I just can't take it anymore. Any suggestions?

Clients OS: Windows 7 Ent. x64
AD: Windows Server 2008r2 (DNS role installed)
WDS on Server 2012 with prestaged clients operating in standalone mode

with best regards,

strade

AD to LDS - nested groups


Dear all, I have an issue with adamsync that I can't seem to grasp on my own. I hope to find a suggestion here.
I'm trying to unify the authentication of a few web applications between AD and non-AD accounts, and I would like to accomplish that through LDS, by using "local" LDAP user objects for non-AD accounts and userProxy objects for the AD accounts.
The part that I don't understand (not even sure it can work, actually) relates to the group membership of accounts coming from AD.

The domain has a well thought-out authorization strategy that uses nested groups where possible; the current web application (which authenticates AD users through ldap but directly on the domain controllers rather than on LDS) after a successful bind reads the “memberOf” attribute of the user object in AD, then recursively checks each group found in the “memberOf” attribute and basically builds a full list (directly associated + parents) of all the groups the account is member of. It’s a relatively sophisticated solution and has been working well for a few years at this point.

Now, my problem is that once the AD accounts are migrated into LDS, the references found in the memberOf attribute will have DNs that are valid on the original directory but not on the new directory. So in the new scenario I might be able to get the group names listed in memberOf, but I wouldn't be able to recursively search all the group DNs, because they would have different distinguished names in the LDS instance (and a broken reference in the migrated memberOf attribute).
Is this an issue you have ever encountered? Do you think there is a way for the distinguished names to get translated during the synchronization?
Thank you in advance and I hope you'll have a suggestion to set me in the right direction.
Sergio
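The recursive memberOf walk the post describes, with a naming-context rewrite for the synchronised references, as an added Python example (not Sergio's application and not adamsync's behaviour). The AD and LDS suffixes, the directory contents and the group names are constructed for the example, which assumes the sync keeps each object's relative DN under a different LDS suffix.

```python
"""Recursive memberOf expansion with DN translation for an adamsync'd LDS.
Constructed example: memberOf values of synced objects still carry AD DNs,
so each reference is rewritten to the LDS suffix before it is looked up."""
from typing import Dict, List, Tuple

# Assumption: the LDS partition mirrors the AD tree under a different suffix.
AD_SUFFIX = "DC=corp,DC=example"
LDS_SUFFIX = "OU=synced,DC=lds,DC=example"


def translate_dn(dn: str) -> str:
    """Map an AD DN onto its LDS counterpart; DN matching is case-insensitive."""
    if dn.lower().endswith(AD_SUFFIX.lower()):
        return dn[: len(dn) - len(AD_SUFFIX)] + LDS_SUFFIX
    return dn  # LDS-native object (e.g. a local non-AD user): keep as is


# Constructed LDS contents: object DN -> memberOf values exactly as synced.
# Group entries list their parent groups, which models nesting.
LDS_DIRECTORY: Dict[str, List[str]] = {
    "CN=sergio,OU=synced,DC=lds,DC=example": [
        "CN=WebApp-Users,OU=Groups,DC=corp,DC=example"],
    "CN=WebApp-Users,OU=Groups,OU=synced,DC=lds,DC=example": [
        "CN=All-Staff,OU=Groups,DC=corp,DC=example",
        "CN=Contractors,OU=Groups,DC=corp,DC=example"],  # never synced
    "CN=All-Staff,OU=Groups,OU=synced,DC=lds,DC=example": [
        "CN=Everyone-Nested,OU=Groups,DC=corp,DC=example"],
    # Circular nesting: Everyone-Nested is in turn a member of All-Staff.
    "CN=Everyone-Nested,OU=Groups,OU=synced,DC=lds,DC=example": [
        "CN=All-Staff,OU=Groups,DC=corp,DC=example"],
}


def effective_groups(user_dn: str, directory: Dict[str, List[str]] = LDS_DIRECTORY
                     ) -> Tuple[List[str], List[str]]:
    """Return (resolved, unresolved): every group the user belongs to directly
    or through nesting, as LDS DNs, and references that translate to no LDS
    object (a group that was not synchronised) so they are reported rather
    than silently dropped. The visited set makes circular nesting terminate."""
    index = {dn.lower(): (dn, parents) for dn, parents in directory.items()}
    entry = index.get(user_dn.lower())
    stack = [translate_dn(g) for g in (entry[1] if entry else [])]
    seen, resolved, unresolved = set(), [], []
    while stack:
        group = stack.pop()
        if group.lower() in seen:
            continue
        seen.add(group.lower())
        hit = index.get(group.lower())
        if hit is None:
            unresolved.append(group)
            continue
        canonical, parents = hit
        resolved.append(canonical)
        stack.extend(translate_dn(p) for p in parents)
    return sorted(resolved), sorted(unresolved)


def is_member(user_dn: str, required_group_dn: str) -> bool:
    """Post-bind authorisation check; the required group may be given as
    either its AD DN or its LDS DN."""
    wanted = translate_dn(required_group_dn).lower()
    return wanted in {g.lower() for g in effective_groups(user_dn)[0]}
```

Unresolved references are the ones to watch after a sync: they are exactly the broken memberOf values the post worries about, and an authorisation decision should not silently treat them as "not a member".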

Upgrade Win 08 R2 DC to Win 2012


I have a virtualized DC running Win Server 2008 R2 Enterprise.  Can I upgrade it to Win 2012 Standard or Datacenter edition?

Shawn

command to creat an application directory partition for DNS


Hi, I am trying to create an application directory partition using this command, but I get this error. What is wrong?

Please help.

cmd . /createdirectorypartion DNSpartitionA.nwtraders.msft

Cannot execute LDAP bind in AD VBScript


I am trying to run a small VBScript to force a test user's AD password to expire (for the purpose of testing OWA reset).

I am logged onto my DC, as domain admin, for this test.

Here is the script I am using (names changed to protect the innocent):

' Bind to the user object in AD.
Set objUser = GetObject("LDAP://cn=JohnnyTest,ou=TestOU,dc=MyDomain,dc=com")
' Expire the password immediately.
objUser.pwdLastSet = 0
' Save the change in AD.
objUser.SetInfo

The OU TestOU is on the top level of my AD structure, and the account JohnnyTest@MyDomain.com is in there. (The display name under the Object tab is Test, Johnny - but when created, the account name was simply JohnnyTest.)

Yet when I run this script, I get the following Windows Script Host error:

SCript: C:\Documents and Settings\Administrator.MyDomain\Desktop\ExpirePassword1.vbs

Line: 1

Char: 1

Error: There is no such object on the server.

Code: 80072030

Source: (null)

I am not sure where I am going wrong. I've repeatedly double-checked that first line of the script: I have the user logon name from the Account tab of the AD account, JohnnyTest, then the OU "TestOU", which is where his account sits, then the DC hierarchy broken down from specific to general. What am I missing?



DSGETDCNAME advertising test failing. SYSVOL and NETLOGON shares not replicating. Please help!!!


Hello all. We are currently running a Windows Server 2003 ADDC as a virtual machine on a Windows Server 2012 host using Hyper-V. We have recently added a second Windows Server 2012 ADDC, also as a Hyper-V VM. I promoted the 2k12 to a DC, transferred all FSMO roles, and tested AD replication. All AD data was replicated fine. However, a DCDIAG (the results of which I have attached to this post) shows a few errors.

First off, it is failing the Advertising test. This is more than likely due to a DNS error. Unfortunately, I cannot seem to find the error within the DNS to resolve it.

Secondly, it is failing the KccEvent test, also seemingly a DNS-related error.

Thirdly, both the SYSVOL and NETLOGON shares were not successfully replicated. This is likely the basis for the other issues. Without these successfully replicated, I cannot demote the 2K3 server, which is the goal in the end: to replace the old server with the new.

I am willing to try just about anything, so any suggestions would be greatly appreciated. As for what I have tried, I have tried a non-authoritative restore using BurFlags with no success. I CAN ping both DCs from each other, ensuring connectivity. All users can currently log on to the server (due to the fact that the 2K3 server is still running and still holds the SYSVOL and NETLOGON shares).

Once again, any help would be greatly appreciated! Thank you in advance!

DCDIAG Output:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = RETIRED2012

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site\RETIRED2012

      Starting test: Connectivity

         ......................... RETIRED2012 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site\RETIRED2012

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\retired1.RetireFirst.local, when we were trying to reach

         RETIRED2012.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... RETIRED2012 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... RETIRED2012 passed test FrsEvent

      Starting test: DFSREvent

         ......................... RETIRED2012 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... RETIRED2012 passed test SysVolCheck

      Starting test: KccEvent

         An error event occurred.  EventID: 0xC0000827

            Time Generated: 08/09/2013   22:08:34

            Event String:

            Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 


         A warning event occurred.  EventID: 0x80000677

            Time Generated: 08/09/2013   22:10:02

            Event String:

            Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful. 


         An error event occurred.  EventID: 0xC0000466

            Time Generated: 08/09/2013   22:10:06

            Event String:

            Active Directory Domain Services was unable to establish a connection with the global catalog. 


         ......................... RETIRED2012 failed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... RETIRED2012 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... RETIRED2012 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... RETIRED2012 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\RETIRED2012\netlogon)

         [RETIRED2012] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... RETIRED2012 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... RETIRED2012 passed test ObjectsReplicated

      Starting test: Replications

         ......................... RETIRED2012 passed test Replications

      Starting test: RidManager

         ......................... RETIRED2012 passed test RidManager

      Starting test: Services

         ......................... RETIRED2012 passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 08/09/2013   22:06:48

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'RetireFirst.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:06:49

            Event String:

            Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00001696

            Time Generated: 08/09/2013   22:07:44

            Event String:

            Dynamic registration or deregistration of one or more DNS records failed with the following error: 


         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:07:51

            Event String:

            Name resolution for the name retired1.RetireFirst.local timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 08/09/2013   22:08:23

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.RetireFirst.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 08/09/2013   22:08:35

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.RetireFirst.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         An error event occurred.  EventID: 0x0000041E

            Time Generated: 08/09/2013   22:08:45

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x00000423

            Time Generated: 08/09/2013   22:08:53

            Event String:

            The DHCP service failed to see a directory server for authorization.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:10:04

            Event String:

            Name resolution for the name isatap timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:10:08

            Event String:

            Name resolution for the name e45ad288-70ff-4d9e-adf9-3035e459e126._msdcs.RetireFirst.local timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:10:21

            Event String:

            Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0x00000423

            Time Generated: 08/09/2013   22:11:14

            Event String:

            The DHCP service failed to see a directory server for authorization.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 08/09/2013   22:13:45

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         ......................... RETIRED2012 failed test SystemLog

      Starting test: VerifyReferences

         ......................... RETIRED2012 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : RetireFirst

      Starting test: CheckSDRefDom

         ......................... RetireFirst passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... RetireFirst passed test CrossRefValidation

   
   Running enterprise tests on : RetireFirst.local

      Starting test: LocatorCheck

         ......................... RetireFirst.local passed test LocatorCheck

      Starting test: Intersite

         ......................... RetireFirst.local passed test Intersite
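A parser for the dcdiag text format shown above, added here as an example (not part of the post): it reduces a run to the list of failed tests and the Event Viewer IDs each test cites, which is easier to compare across DCs than reading the output by eye. SAMPLE is a constructed excerpt in the same layout as the poster's output; the low-16-bit event ID extraction follows the NT-status form dcdiag prints (0xC0000827 is NTDS event 2087).

```python
"""Parse dcdiag output into per-test results plus the events each cites.
Constructed example: SAMPLE is a short excerpt in the layout shown above."""
import re
from typing import Dict, List, Optional

SAMPLE = r"""
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\retired1.RetireFirst.local
         ......................... RETIRED2012 failed test Advertising
      Starting test: KccEvent
         An error event occurred.  EventID: 0xC0000827
            Time Generated: 08/09/2013   22:08:34
            Event String:
            Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address.
         A warning event occurred.  EventID: 0x80000677
            Time Generated: 08/09/2013   22:10:02
            Event String:
            Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
         ......................... RETIRED2012 failed test KccEvent
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\RETIRED2012\netlogon)
         ......................... RETIRED2012 failed test NetLogons
      Starting test: Replications
         ......................... RETIRED2012 passed test Replications
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

START = re.compile(r"^\s*Starting test: (\S+)")
RESULT = re.compile(r"^\s*\.{5,} (\S+) (passed|failed) test")
EVENT = re.compile(r"^\s*(An error|A warning) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")
TIME = re.compile(r"^\s*Time Generated:\s*(.*\S)")


def parse_dcdiag(text: str) -> List[Dict]:
    """Return one dict per test: name, target, result and the cited events."""
    tests: List[Dict] = []
    current: Optional[Dict] = None
    event: Optional[Dict] = None
    want_message = False  # next non-empty line is the event's message text
    for line in text.splitlines():
        stripped = line.strip()
        if want_message:
            if stripped:
                event["message"] = stripped
                want_message = False
            continue
        m = START.match(line)
        if m:
            current = {"test": m.group(1), "target": None, "result": None, "events": []}
            tests.append(current)
            continue
        m = RESULT.match(line)
        if m and current:  # test name may wrap to the next line, so keep the 'Starting test:' name
            current["target"], current["result"] = m.group(1), m.group(2)
            continue
        m = EVENT.match(line)
        if m and current:
            # NT-status form: low 16 bits are the Event Viewer ID, top bits the severity.
            event = {"severity": "error" if m.group(1) == "An error" else "warning",
                     "event_id": int(m.group(2), 16) & 0xFFFF, "time": None, "message": ""}
            current["events"].append(event)
            continue
        m = TIME.match(line)
        if m and event:
            event["time"] = m.group(1)
        elif stripped == "Event String:" and event:
            want_message = True
    return tests


def failed_tests(tests: List[Dict]) -> List[str]:
    return [f"{t['target']}/{t['test']}" for t in tests if t["result"] == "failed"]


def events_matching(tests: List[Dict], pattern: str) -> List[int]:
    rx = re.compile(pattern, re.IGNORECASE)
    return [e["event_id"] for t in tests for e in t["events"] if rx.search(e["message"])]
```

Running `events_matching(parse_dcdiag(output), r"DNS|name resolution")` over a full run picks out the name-resolution events the post suspects as the root cause.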



how to generate report failed logon count in Active Directory


Hi,

How do I generate a report of the failed logon count (unsuccessful login count by user) in Active Directory?

Regards

Anil Kumar

Server not accessible, but still running fine


Hi all,

We have had this same issue now with two of our Hyper-V host servers. The symptoms are that when RDPing to the machine it asks for credentials, but then throws the error:
Remote Desktop Connection
---------------------------
Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer. Make sure your computer's clock is set to the correct time, and then try connecting again. If the problem occurs again, contact your network administrator or the owner of the remote computer.
---------------------------
When you try connecting via the Hyper-V manager, you get the error "RPC Server unavailable. Unable to establish communications between ..."

I can connect all of the other remote tools to it (event viewer, server manager, services) and can see the following:

In the event viewer there are a multitude of errors, I'm guessing all with the same root cause:

GPO

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:

a) Name Resolution failure on the current domain controller.

b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

DCOM

DCOM was unable to communicate with the computer <DPM Backup server> using any of the configured protocols.

NETLOGON - Looks like the worst and maybe root cause?

This computer was not able to set up a secure session with a domain controller in domain D01 due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

I can see that the service "Remote Procedure Call (RPC)" is started. Restarting it makes no difference. The RPC Locator service isn't started, but I don't think this is an issue.

The DNS servers that are configured are the DCs, and they are certainly fine for all our other servers and clients. The time is indeed out of sync, but I think this is more because it cannot establish a session with the DCs, which are the NTP servers. All of the guest machines are fine and running perfectly.

Like I said at the start, this has happened to another of our servers, suggesting that this is maybe a wider AD issue.  In the case of the first server, a restart solved the symptoms.  However, this second server is a bit more of a pain to restart and I want to sort out the root cause.

thanks in advance.

LDAP no longer finds old users moved from an OU; 49 The supplied credential is invalid.



We recently created a new OU, let's say we call it OU2. We moved users from OU1 into OU2, since I've had nothing but problems. I've had to redelegate permissions to groups to change passwords, and so on. Two of my external apps can no longer search for users using LDAP, and I'm sort of at a loss right now. The error (code 49) is output by one of the broken external programs. The other is people search.

 

New users are found by an LDAP query, with no problem.

 

OU2 was created, but in retrospect there were no permissions added or passed down from the previous OU. Now there has been a substantial build of new folders in this OU, permissions, and created users. I don't want to have to rebuild all of that.


DCPromo Error promoting a 2012 Standard Server in a SBS 2003 Domain


I am trying to add a 2012 Standard server to a SBS 2003 domain and then promote it to a DC. I have done this before in a 2003 domain but not a SBS 2003 domain. The 2012 Server is at this point a member server. I am logged in as domain administrator and doing a DCPromo. It fails on a prerequisite check.

"Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain <my domain>. Exception: Access denied. Adprep could not retrieve data from the server <2003 SBS server> through Windows Management Instrumentation (WMI)"

    I have googled and tried everything imaginable. I am missing something.

HELP!

 

Active Directory Trusts & Firewalls - Authentication Flows

Hello,

I have a complex AD environment involving many domains/forests and firewalls everywhere.

For the sake of this question, let's say I have 20 DCs in one forest and 10 in the other, and have a two-way forest trust between them. All DCs are behind different firewalls, so without rules in place, no single DC can talk to another.

Question - which DCs need to talk to enable the trust to function?

I understand that for authentication it is the client that will talk to the DC/GC in the local forest before being redirected to talk directly to the DC/GC in the foreign forest, before it can access foreign resources - but for this client-to-DC authentication to work, do I only need a single DC (e.g. the PDC-E) in both forests to be able to establish and maintain the trust, or do the DCs the client is talking to for authentication (client-to-DC flows) also need to talk to each other (DC-to-DC) to enable that trust to work for the client?

Appreciate guidance as I can never find anything definitive on this question.

Thanks in advance.

Populating a Custom Attribute Stored in ADLDS


Hello Everyone,

I am attempting to store a single attribute that will be used to hold a number sequence (string) within ADLDS.  I have stood up an Active Directory, and created an ADLDS partition.  I selected none of the stock schema and created it as a bare-bones ADLDS.  Within my ADLDS I have created a case insensitive string attribute called test.  I am now attempting to populate this 'test' attribute on a user who exists in Active Directory using LDAPMODIFY.exe.  However, I have been unsuccessful in this endeavor.  My overall goal is to be able to store custom schema in ADLDS without affecting my AD, but I am unsure how to actually populate the attributes stored in ADLDS once I've created them there.  Could someone point me in the right direction?

Sync Data between AD and Oracle HRMS DB


We have an Oracle HRMS system which is working independently. Then we have Active Directory. We want to update AD user attributes whenever there is a change in the Oracle HRMS database.

The primary key in both databases is the email address. We can compare each user on the basis of email address, and if there is any change in the Oracle DB (for example: phone number, designation, line manager, location), then it should change it in AD.


Using a variable like %username% in fields other than Email


If I highlight a group of users and choose properties and use %username%, %sAMAccountName% etc in the Email field it works. I would like to do the same thing under company for example but it literally makes my company name %username%

I know it can be done we have done it in the past we just don't remember the syntax.

Is there something that needs to come before/after the % symbols or?

LDAP authentication how to restrict it

Hi, I know about the entry in dSHeuristics that should stop anonymous access via LDAP, but I have changed the 7th character and LDAP still allows anonymous access. How do I prevent this? I have an app that allows logon without a valid password, and they say it's because AD is allowing the user anonymous access.

Active Directory Change Password policy


Hi

We are using SharePoint Foundation 2010 / Windows Server 2008 R2 and have AD authentication. We have the following requirements for changing the AD password:

1. Require passwords to be changed on logon and within every 60 days
2. Minimum password age - 1 day
3. Reminders 15 days before password expiration
4. Allow the user to change their own password
5. Enforce password strength requirements (8 characters, min of 1 character from A-Z, a-z, 0-9, special characters)
6. Password reset to a one-time password that is emailed to user when user forgets password

7. Retain 6 generations of password, and prohibit use of password that was used within the prior 6 generations 

I am not an AD person, so I just wanted to know:

a) which of the requirements can be supported by Active Directory?

b) Which requirement needs customization? 

I really appreciate any help on this.

Thanks,
Val

LDAP Server - Can't connect with LDP, but I can bind with LDP


Hi,

I am attempting to connect to a Windows Active Directory LDAP server over SSL (with port 636) using LDP. However, when I perform the "Connect..." command from the File menu, I get a connection error. However, if I perform the "Bind..." command from the File menu, it works and I am able to successfully bind as a user in the domain.

Does this even make sense that this would happen? Are there any suggestions as to a way to fix it so I can first "Connect".

Thanks and I appreciate any help!

Kevin


Kevin Schaefer "The world is round and the place which may seem like the end may also be the beginning"

Hardware Requirements for AD LDS


I'm trying to determine the hardware requirements for AD LDS running on either Server 2008 R2 or Server 2012. 

It would be for about 20,000 users spread between 5 physical sites. If anyone can provide any hardware guidance from Microsoft, I'd appreciate it.

Thanks
