Channel: Directory Services forum

Adding certificate while creating Relying party in ADFS 2.0


I am trying out ADFS 2.0 as an Identity Provider for SAML 2.0.

I have created a self-signed certificate using IIS Manager. I then used it to create a new Federation Service.

While setting up in the Add Relying Party Wizard, after selecting "Enter data about the relying party manually" --> "ADFS 2.0 profile" --> "Configure certificate" --> Browse, I am not able to find the certificate that I created from IIS Manager.

Though I find the certificate in the certificate manager console, I am unable to figure out the physical path to my certificate.

Please help.

Thanks in advance.


Can we make all DCs GCs


We have an empty Root Domain (2 DCs, 1 non-GC) and a single child domain (31 DCs, 1 non-GC).

Is it safe to make the two non-GC servers (1 in each domain) GCs? Any downsides? Thanks!

Stop VM, copy vhd, convert from dynamic to fixed, restore and run VM


Hi All

I am experiencing a dumb problem that I should have prevented. Allow me to first explain my setup:

Host:

C: 50 GB

D: 700GB

VM

C: Dynamic disk (now 40GB)

The trouble I have now is that my VM's C drive is full, which in turn filled up my host's C drive. I wanted to convert my VM to a fixed disk, but I cannot, because the C drive of my host is almost full and I need free space equivalent to my VM's C drive to do the conversion. My question is: I have 400 GB free on my host's D drive, and I was wondering whether it would be possible for me to convert my drive and set the output destination to my D drive, or perhaps start by copying my VHD file to my D drive, do the conversion there, then delete the old one from the C drive and restore the VM using the new fixed VHD.

I must mention that I am new to Hyper-V.

Thanks

smigdeploy


I have the Server Migration Tools installed on my Server 2012 and am trying to get into it from Server 2008 on a different computer. The net share was successful, but I can't get into the file from another computer. What do I need to do to get that done? When I try, I get this: C:\users\administrator\smigdeploy.exe is not a valid win32 application.

Upgrade Active Directory from 2008 to 2008 R2


Hi,

We have four domain controllers, 2 in each site, that are running Server 2008 SP2 x64 Standard. They are domain controllers as well. We have Exchange 2007 SP3 Update Rollup 11, and we still have two Exchange 2003 SP2 servers that are running some legacy applications.

Our Domain and Forest functional levels are Server 2003.

We want to upgrade our Domain Controllers from Server 2008 SP2 x64 Standard to Server 2008 R2 Enterprise, and raise the Domain and Forest functional levels to 2008 R2.

Can anyone advise of any gotchas with the above, having gone through it yourself?

Thanks in advance

Cross forest domain user taking delay login time into my domain


Hi

I am running at the Windows 2003 FFL and DFL functional level, and we have an external trust with another forest.

Now, users from the other forest logging into my domain or accessing applications through Citrix are taking 5 mins to get a desktop after entering credentials on a server in my domain.

I want to know what the timeline of login into the server is from its own domain and from a trusted domain.

Also, how can I increase the logon time to log in to the domain?

Can't join domain: "the format of the specified network name is invalid"


Any ideas what this is about? I built my Longhorn server and made it the domain controller. I cannot join PCs to the domain, though. I tell my Vista PC to join a domain and type in the domain name. I get the domain admin user prompt. Then it gives the error:

"The format of the specified network name is invalid"

My domain's fully qualified name is "Example.com", so I type "Example" in the domain box (it doesn't locate it if I type "Example.com").


Win 2008 R2 - dsquery user returns nothing for some userids while succeeds for others.


I implemented Cisco's Cloud Web Security (ScanSafe) back in October 2012, with success.

As of March of 2013, after our ISR binds to our Domain Controller with its bind root-dn, it cannot authenticate users (nor get any user's groups) with the base-dn CN=Users,DC=brazil,DC=cctechnol,DC=com.

I am no expert in Active Directory, but with Cisco Systems, yes, and doing a capture via an ACL from the ISR to AD shows packets binding and trying to authenticate, but it fails.

However, authentication with the root-dn works.

I am suspecting something happened to our Domain Controller, but need help with where to start looking.

Running dsquery user -name <userid> fails for the great majority of our users, but it does return the DN of a few users. The root-dn that I am using in my ISR is one of them. Even with my own userid it fails, as it returns blank.

After spending some time with Cisco TAC Support and being reassured that my LDAP configuration is correct, I need to start looking at our Domain Controller.

I appreciate all the help I can get on this, as this has been an investment that our IT dept. fought to get, and without user authentication our filters do not work.



AD LDS Chase Referrals URL


I have run into a snag and am not sure if this is even possible or where this is set. Here is our setup:

1 2008 R2 Forest with multiple domain controllers and child domains

1 2008 R2 AD LDS server with 15 app partitions to accommodate each child domain

The LDAP server has an SSL cert and a different external name for outside connections. Our external client can bind successfully and search without an issue. However, in order to authenticate users in the other partitions they are running a search to provide a list of referrals. This works, except that the returned values all include the internal name of the server itself.

Example:

Bind successful:  ldaps://external.name:port/dc=name,dc=name

Returned referrals:

ldap://internal.name:port/dc=name,dc=name,dc=name 

instead of

ldaps://external.name:port/dc=name,dc=name,dc=name

They are asking me to change something so that their referral search returns the external name, including ldaps. This is the first LDAP server I have configured, so this may be an easy question, but one I cannot seem to find an answer for.

[Verification Needed] nslookup type=ns returns partial result set?


I have around 30 DCs that are all DNS servers. When I ran nslookup, set the query type to ns (set type=ns) and looked up my domain name, the first section of the result (names only) is fine, but the second section of the result (name + IP) returns only 25 results.

Is this a bug or a design limit? Why the limit?

Active Directory


Dear Experts

My domain is bankofceylon.local in Sri Lanka (GMT +5.30), running nearly 200 odd local branches with SCCM. We are planning to implement a branch in the Seychelles, where the time zone is GMT +4.00, so do we have to create a separate domain for this location, or can we run the Seychelles in the same bankofceylon.local domain?

Thanks & Best Regards

Chandana

SBS Down and Local Logins


Here is the deal: we have a client that lost their SBS 2008 VM. The physical drives are at OnTrack and we are hopeful they can recover the VMDKs. The client switched their primary DNS on the workstations to the local firewall so they could at least browse the web. That worked fine, except now, two days later, of course no one can log in since the VM is not available, and they do not recall the local administrator login. Argh. I can reset it with the offline NT cracker util; however, I am wondering if there really is any other option? We are confident we will get the VM back, but the clients are now set to use the firewall and not SBS as primary DNS, so even with the VM online I think we are stuck trying to reauth to the domain. Ideas?

Windows 7 cannot join domain with this error: "The Network Name Cannot be found"


Hello

I have Windows Server 2008 R2 as AD and ADC.

Clients are Windows 7 and XP SP3.

Now my problem is:

When I want to join Windows XP to the domain I have no problem,

but when I want to join Windows 7 to the domain, I enter the domain name, it asks me for a user name and password, I enter them, but after some seconds it shows me an error: the network name cannot be found!

I tested this with several PCs.

I am thoroughly confused. Does anyone have any idea on this?

Regards

Can't Find Directory Browsing in IIS


Hi all

I installed Internet Information Services (IIS) Manager and I can't find Directory Browsing included in it. Any help, please?

Logging in and making the login script work (drive mapping and profile mapping) depending on which OU the user logs in from.


Hi there,

Here is my issue. We have a single 2008 R2 domain. It has about 36 locations (sites) that all have their own OU.

A user can work at more than one site. His or her login name is only available once, but is it possible for a script (or policy) to find out which OU the user is in and then map to the right home drive and right profile map?

So when working at site one, the user gets the home and profile stuff that is on server

When the user is working at site 2, the user needs to get the home drive and profile map on that particular server.

At the moment I use simple scripts that reside in the netlogon map.

Doing it through Policy should be neater and require less maintenance.

I'd like to hear from you.

Yours,


Ben.


Ben van der Meer



ADFS and SPN


We currently have a single ADFS server and a single ADFS proxy server set up to allow single sign-on to our Office365 accounts. All works well. We are currently setting up a separate ADFS farm with 2 servers for each that will give us some geographic redundancy. Our hope is to set up the separate environment so that we can test it with our Symantec Enterprise Vault email archive. Once everything is tested, we'll configure the new ADFS farm to work with Office365 and retire the old stand-alone ADFS servers. During setup we're getting a message about enabling an SPN for the ADFS service account. We're using the same ADFS service account that is used for the stand-alone ADFS servers. The stand-alone environment was set up by the previous admin, and apparently an SPN wasn't configured for the account. What I'd like to know is: if we set up an SPN for the ADFS account, do we risk breaking our current stand-alone ADFS environment and causing issues with single sign-on to our Office365 account?


RPC server is unavailable 0x800706BA, while updating password for user in active directory


I am using the System.DirectoryServices.AccountManagement APIs to create a new user / disable an account in Active Directory. When I am trying to create a new user and set its password, the m/c throws an exception with the message "The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)". The following snippet is used to create and persist the user.

using System.DirectoryServices.AccountManagement;

// ctx is the PrincipalContext bound to the target domain controller;
// its construction is not shown in the original post.
UserPrincipal user = new UserPrincipal(ctx);
user.GivenName = "Andrew";
user.Surname = "Green";
user.EmailAddress = "agreeen@gmail.com";
user.SamAccountName = "agreen";
user.Save();                      // the account is created without a password
user.SetPassword("Pqw^&12");      // the RPC exception is thrown here
user.Save();

When I execute this, the code throws an exception as soon as it tries to set a password. After a little search on the net, I tried the following things.

Since the account agreen gets created without a password, there is no privilege or connection issue. I added Windows Management Instrumentation (WMI) as an exception to the Windows firewall on my AD machine. I ensured that the following services are running on the AD machine: RPC Endpoint Mapper, Remote Procedure Call, Remote Registry. I ensured that the account used to connect to the AD machine has "Enable Remote Control" checked. I verified that port 135 is not blocked on the AD machine.

The setup I have is: box b1 running Microsoft Windows 7 Professional, which is trying to connect to box b2, running Microsoft Windows Server 2008 R2 Enterprise. The C# code is running on the .NET 4.5 framework on b1 and trying to create the account on b2.

When I tried running the code from the same box (i.e. the box with AD), I was able to successfully create the account with a password when I specified the IP address as localhost, but when I specified it as the m/c IP address, it failed with the same exception.

Please let me know what I am doing wrong.

Thanks

SYSVOL & User Attribute Replication when DC is Off on Site Link Bridge


We have this AD hierarchy:

Site Link1: Site0 - Site1

Site Link2: Site1 - Site2

(These 2 site links have cost 100 and Replication Interval 15)

Site Link Bridge: Site Link1 + Site Link2

Site 0 has 4 DCs. Site 1 and Site 2 each have one DC. FSMO roles are on Site 0. KCC and Bridge are enabled.

When the DC on Site1 is off, SYSVOL changes on Site 0 are replicated to Site2, but user attribute changes are not replicated to Site2.

How long does the KCC take to generate a connection object between Site0 and Site2? I can't see it...


Restriction to servers based on groups


Hi,

My organization has decided to put a restriction on the users. Please find the requirements below.

1. Sales users should not have access to purchase servers and should have admin access to their sales servers (including RDP).

2. Purchase users should have read-only access to sales servers (including RDP) and should have admin access to their purchase servers (including RDP).

Current scenario:

Everyone has admin access to all the servers except the DC :)

What is the best way to achieve it? Please help me with this.

Regards,

Mac

ADFS Windows Integrated Authentication


Hello, I am trying to set up WIA for the internal users. Currently, when going to the login page, we just get forms authentication. How do we get it to pass through the currently logged-in user without having to fill in user name and password?

Server 2012, ADFS 2.1. Internal users are pointed to the internal ADFS server and not the Federation proxy.

I have tried editing the web.config and placing <add name="Integrated" page="auth/integrated/" before the forms authentication entry, but it doesn't appear to make a difference. I have not been able to find any specific information on setting up WIA. Thanks.
