Channel: Directory Services forum

ADFS issue

Hi,

I installed ADFS and configured it with my end application for an SP-initiated login. This is a 2008 R2 x64 system. When I try to do an SP-initiated login, I get the screen below. Request your help.

Server Error in '/adfs' Application.
This page has been called with the wrong action.
Expected Action: CollectInitialCredentials or CollectAdditionalCredentials
Actual Action: None
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ApplicationException: This page has been called with the wrong action.
Expected Action: CollectInitialCredentials or CollectAdditionalCredentials
Actual Action: None

Source Error:


Line 69:     }
Line 70: 
Line 71:     LSCredentialFormContext formContext = (LSCredentialFormContext)LogonServer.FormContext;
Line 72: 
Line 73:     //


Source File: c:\Windows\SystemData\ADFS\sts\ls\clientlogon.aspx    Line: 71

Netbios consideration during Samba to AD migration


Hi there,

I'm doing some research on a possible SAMBA to 2012 AD migration and I have some concerns regarding NetBIOS. Based on my scenario below, users are using ABC\user_account to log in to the system. In this case, keeping the same NetBIOS name during and after the migration will definitely help the IT team and will prevent end-user conflicts.

As the Samba and AD servers are on different subnets, using the same NetBIOS name shouldn't introduce any conflict; however, I'm not quite sure if this is supported or possible with ADMT…

So my question: would it be possible to use the same NetBIOS name during the migration?

Current SAMBA :

dns name: a.b.c
netbios name: ABC
Subnet: 1.2.3.x

New AD :

dns name: q.w.e
netbios name: ABC
Subnet: 1.2.30.x

Any comments or explanations would be appreciated…

Thanks,

Cem

[Vote] Which rights are "most" important


Hello,

Question as follows:

If you were getting an effective permissions report for your AD DS environment, which of the permissions below should be considered most important?

I would appreciate it if you could give a rank for each of these permissions (1 = most important (highest risk)):

Full control
Delete all child objects
Create all child objects
Any role (inc. special) with delete bits  : Delete attribute <attr>
Any role (inc. special) with create bits  : Create attributes <attr>
Write
Write all properties
Any role (inc. special) with write bits  : Write <attr>
All Validated Writes
All Extended Rights
Read
Read all properties
Any role (inc. special) with read bits : Read <attr>
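As an added example (not part of the post above): a PowerShell function that reads the ACL of an AD object and reports the ACEs whose rights fall in the categories the poll lists, with a tier that simply follows the order of that list. It assumes the RSAT ActiveDirectory module and uses a placeholder OU. WriteDacl and WriteOwner are not on the list but are placed at tier 1, because either one lets the holder grant itself Full control.

```powershell
# Added example, not from the forum post: list the ACEs on an AD object whose
# rights fall in the post's high-risk categories. Assumes the RSAT ActiveDirectory
# module; the DN passed in is a placeholder you replace with your own OU.
Import-Module ActiveDirectory

# Tier follows the order of the post's list. WriteDacl and WriteOwner are not on
# that list but sit in tier 1 because either lets the holder grant itself Full control.
$RightTier = @{
    'GenericAll'    = 1   # Full control
    'WriteDacl'     = 1   # Modify permissions (not on the list)
    'WriteOwner'    = 1   # Modify owner (not on the list)
    'DeleteChild'   = 2   # Delete all child objects
    'DeleteTree'    = 2
    'CreateChild'   = 3   # Create all child objects
    'GenericWrite'  = 4   # Write
    'WriteProperty' = 5   # Write all properties / Write <attr>
    'Self'          = 6   # All Validated Writes
    'ExtendedRight' = 7   # All Extended Rights
}

function Get-HighRiskAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Trustees expected to hold these rights; adjust to your environment.
        [string[]]$IgnoreIdentity = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                      '*\Domain Admins', '*\Enterprise Admins')
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($IgnoreIdentity | Where-Object { $who -like $_ }) { continue }

        # ActiveDirectoryRights is a [Flags] enum; split its text form into names.
        $names = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hits  = $names | Where-Object { $RightTier.ContainsKey($_) }
        if (-not $hits) { continue }

        # An empty ObjectType means the right applies to all properties/child classes;
        # a specific GUID limits it to one attribute, property set, or extended right.
        $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'all' } else { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Tier      = ($hits | ForEach-Object { $RightTier[$_] } | Measure-Object -Minimum).Minimum
            Trustee   = $who
            Rights    = ($hits -join ',')
            Scope     = $scope
            Inherited = $ace.IsInherited
            Object    = $DistinguishedName
        }
    }
}

# Usage (placeholder DN):
#   Get-HighRiskAce -DistinguishedName 'OU=Servers,DC=example,DC=com' |
#       Sort-Object Tier, Trustee | Format-Table -AutoSize
```

The GUIDs in the Scope column can be resolved against the schema and the Extended-Rights container to see which attribute, property set or extended right a tier 5 to 7 entry actually covers; an entry scoped to "all" is the one that matches the poll's "Write all properties" / "All Extended Rights" wording.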


Changed the IP Address of Active Directory Server


Hi,

I changed the IP address of our Active Directory Server. When I open Active Directory Users and Computers, for example, an error message appears saying:

The directory schema is not accessible because:

An invalid directory pathname was passed

For this reason, the New menu may be inaccurate, and the extension snap-ins may not work properly.

I am new to AD and this is the first time I encountered the error as this is also the first time that I changed the IP address. Thank you very much for any help!

Regards,

Lester

What is the risk of changing the user logon name to employee number format in Active Directory for all user accounts

Management wants to change the user logon name to employee number format in Active Directory for all user accounts. I would like to ask about the risk and whether this will affect the applications. We are using AD on Windows 2008 R2, functional level 2008.

AD Cross forest access token creation and resource access


Dear all!

Could someone explain to me the access token creation process for a user with two AD forests (2003 - 2008R2) that are joined by a forest trust?

Domain and Forest functional levels are  2003 native and 2008 R2 respectively.

http://technet.microsoft.com/en-us/library/cc780455(v=ws.10).aspx

As I understood from the link above (and not only from there), when the user logs on to a domain-joined computer the LSA subsystem constructs the user's access token by means of netlogon.dll, which communicates with the local DC + GC + forest root DC to get:

- user's own SID;
- user's SIDhistory attribute, if any;
- SIDs of all the groups that the user is a member of (global, universal, domain local, computer local) along with their SIDs, if any;
- well-known groups' SIDs (depending on access type);
- privileges and other pieces.

If I add a user (DOM1\User1) from one forest to a "domain local" group in the second forest (DOM2\DL-Group2) (for assigning permissions to resources in DOM2), this will lead to the creation of a ForeignSecurityPrincipals object in the second forest, DOM2.

This foreign object will be seen as part of the particular DOM2\DL-Group2 group, and vice versa.

The question is the following:

How does "LSA + netlogon.dll + something else (WHAT?)" know that the user is a member of some group in a different AD forest, so as to include the SID of that group in the user's access token?

Could someone provide me with the detailed mechanisms and processes that take place covering inter-forest resource access in conjunction with cross-forest access token creation?

1. When DOM1\User1 logs on to DOM1\PC1 and accesses resources in the foreign forest

2. When DOM1\User1 logs on to DOM2\PC2 and accesses resources in the foreign forest

Any help is appreciated!
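As an added example (not from the post): the ForeignSecurityPrincipals objects the post describes can be audited from the DOM2 side. The CN of each FSP is the foreign SID itself, and its memberOf lists the DOM2 groups that SID belongs to; that membership is what a DOM2 domain controller expands when it sees the SID in a DOM1 user's token. The script assumes the RSAT ActiveDirectory module and a reachable trust for SID-to-name translation; the domain name in the usage line is a placeholder.

```powershell
# Added example, not from the forum post: audit the ForeignSecurityPrincipals
# container of a domain (DOM2 in the post). Assumes the RSAT ActiveDirectory module
# and that the trust is reachable for SID-to-name translation.
Import-Module ActiveDirectory

function Get-ForeignPrincipalMembership {
    param(
        # DNS name of the resource domain; defaults to the domain the session is in.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $domainDn  = (Get-ADDomain -Identity $Domain).DistinguishedName
    $container = "CN=ForeignSecurityPrincipals,$domainDn"

    Get-ADObject -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
                 -SearchBase $container -Properties memberOf -Server $Domain |
    ForEach-Object {
        # The CN of an FSP object is the foreign SID (or a well-known SID such as S-1-5-11).
        $sid = [System.Security.Principal.SecurityIdentifier]$_.Name
        try {
            $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Typically the trusted domain is unreachable, or the account was deleted
            # there and the FSP is orphaned.
            $resolved = '<unresolved>'
        }
        if (-not $_.MemberOf) {
            # An FSP with no group membership grants nothing; a cleanup candidate.
            [pscustomobject]@{ ForeignSid = $sid.Value; ResolvesTo = $resolved; MemberOf = '<none>' }
        }
        foreach ($group in $_.MemberOf) {
            [pscustomobject]@{ ForeignSid = $sid.Value; ResolvesTo = $resolved; MemberOf = $group }
        }
    }
}

# Usage (placeholder domain):
#   Get-ForeignPrincipalMembership -Domain dom2.example.com | Format-Table -AutoSize
```

Rows whose ResolvesTo is "<unresolved>" while the trust is up are the orphaned FSPs worth removing from their groups; rows that resolve show exactly which DOM1 accounts have been granted access through DOM2 domain-local groups.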

Cannot install Web Management Gateway (KB968934) on Windows 2003 SP2 Enterprise


I have installed the following prerequisites: .NET Framework 3.5 SP1, KB969166 and KB969429.

I also updated my Windows Installer to 4.5.

Installation of the Web Management Gateway is failing, saying I don't have a prerequisite. I don't know what else it is looking for. The server is a domain controller, running SP2 and fully patched with the exception of Silverlight and .NET Framework 4.0. Below is the log file from the attempted installation. Any help would be greatly appreciated.

 

0.046: ================================================================================
0.046: 2011/01/06 08:15:10.078 (local)
0.046: d:\a8bdf6e05ac0f8597b\update\update.exe (version 6.3.15.0)
0.046: Hotfix started with following command line:
0.046: In Function GetReleaseSet, line 1193, RegQueryValueEx failed with error 0x2
0.093: SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType is Equal To Specified Value
0.093: First Condition in Prereq.CheckIfAnyInstanceRunning.Section Succeeded
0.093: Condition succeeded for section Prereq.CheckIfAnyInstanceRunning.Section in Line 1 of PreRequisite
0.093:  SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5 is Present
0.093: SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5\SP is Greater or Equal To Specified Value
0.093: Condition succeeded for section Prereq.CheckCLR.Section in Line 2 of PreRequisite
0.093:  C:\WINDOWS\system32\netlogon.dll is Present
0.093: FileVersion of C:\WINDOWS\system32\netlogon.dll is Greater or Equal To 5.2.3790.4482
0.093: Condition succeeded for section Prereq.CheckDCLocatorQFEInstalled.Section in Line 3 of PreRequisite
0.093:  C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Present
0.093: FileVersion of C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Greater or Equal To 3.5.30729.4126
0.093: Condition succeeded for section Prereq.CheckSDSAMQFEInstalled.Section in Line 4 of PreRequisite
0.093: InstallerVersion is Present
0.093: SOFTWARE\Microsoft\Updates\Windows Server 2003\SP10\KB968934\InstallerVersion is Greater or Equal To Specified Value
0.093: Condition Check for Line 5 of PreRequisite returned FALSE
0.093: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
0.093: KB968934 Setup encountered an error:  Setup cannot continue because one or more prerequisites required to install KB968934 failed. For More details check the Log File c:\windows\KB968934.log
0.109: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
0.109: Setup cannot continue because one or more prerequisites required to install KB968934 failed. For More details check the Log File c:\windows\KB968934.log
3.984: Message displayed to the user: Setup cannot continue because one or more prerequisites required to install KB968934 failed. For More details check the Log File c:\windows\KB968934.log
3.984: User Input: OK
3.984: Update.exe extended error code = 0xf0f4
3.984: Update.exe return code was masked to 0x643 for MSI custom action compliance.

ADFS cache


First of all thanks for taking the time to read, any response is greatly appreciated.

If I set up ADFS between my in-house operations and an off-site host and my in-house ADs go down, can users still use SSO to log into the off-site host?

I guess I'm curious to know if the off-site host can cache accounts.

Is it bad practice to have account credentials cached for a long time due to security reasons?

How can I get my users to log into the off-site location using SSO when my in-house ADs and ADFS servers are down?

Thanks in advance for your help,

John


how to find the source generating DNS Query


Hi team,

We are getting an error message that DNS Total Query Received/sec is getting to more than 250. Can anyone help me find out the source where these queries are generated?

DNS Total Query Received/sec is 308.11; >TH = 250


Regards, Triyambak
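As an added example (not from the post): the per-second counter only says how many queries arrive; the DNS Server debug log records each packet with the sender's address, so grouping received queries by client shows where they come from. The script below assumes debug logging is switched on in DNS Manager (server properties, Debug Logging tab, incoming queries) and that the log uses the packet line layout approximated by the constructed sample lines; the log file path in the comment is a placeholder.

```powershell
# Added example, not from the forum post: count queries per client in a Windows
# DNS Server debug log, the per-packet detail behind the "Total Query Received/sec"
# counter. The sample lines are constructed and approximate the debug-log layout.

function Get-DnsQuerySource {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # raw log lines
        [int]$Top = 10
    )
    # Captures protocol, direction, client IP, the response marker ("R" on replies),
    # the question type and the label-encoded name, e.g. (3)www(7)example(3)com(0)
    $pattern = '(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+(?<resp>R?)\s*\S\s+\[[^\]]*\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'

    $queries = foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        # Only packets received from clients that are queries (no R marker) are incoming queries.
        if (-not $m.Success -or $m.Groups['dir'].Value -ne 'Rcv' -or $m.Groups['resp'].Value -eq 'R') { continue }
        [pscustomobject]@{
            Client = $m.Groups['ip'].Value
            QType  = $m.Groups['qtype'].Value
            Name   = ($m.Groups['qname'].Value -replace '\(\d+\)', '.').Trim('.')
        }
    }

    $queries | Group-Object Client | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Name
                Queries  = $_.Count
                TopNames = ($_.Group | Group-Object Name | Sort-Object Count -Descending |
                            Select-Object -First 3 | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join '; '
            }
        }
}

# Constructed sample in the debug-log layout; replace with: Get-Content 'C:\dns.log' (placeholder path)
$sample = @'
1/6/2014 10:05:22 AM 0D14 PACKET  00000000028B2F00 UDP Rcv 10.1.1.50       0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/6/2014 10:05:22 AM 0D14 PACKET  00000000028B2F00 UDP Snd 10.1.1.50       0003 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
1/6/2014 10:05:22 AM 0D14 PACKET  00000000028B3100 UDP Rcv 10.1.1.77       0004   Q [0001   D   NOERROR] A      (4)wpad(7)example(3)com(0)
1/6/2014 10:05:23 AM 0D14 PACKET  00000000028B3300 UDP Rcv 10.1.1.77       0005   Q [0001   D   NOERROR] AAAA   (4)wpad(7)example(3)com(0)
1/6/2014 10:05:23 AM 0D14 PACKET  00000000028B3500 UDP Rcv 10.1.1.77       0006   Q [0001   D   NOERROR] A      (4)wpad(7)example(3)com(0)
'@ -split "`r?`n"

Get-DnsQuerySource -Lines $sample | Format-Table -AutoSize
```

The address is whatever sent the packet to this server: if a forwarder or another DNS server sits in front of it, that server appears instead of the end client, and the same grouping has to be repeated on it. Debug logging adds disk I/O on the DC, so switch it off again once the source is found.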

Active Directory Dies


We have 3 Active Directory Controllers. Two are on one side of our network (A+B) and one is on the other side of a VPN connection (C). When the VPN connection goes down, A and B lose all information until they can reconnect with C. This is a recent development since we replaced the PDC (A). A query shows that A has all the roles, but a dcdiag /test:advertising on A shows:

 Starting test: Advertising
    Warning: DsGetDcName returned information for
    \\C.domain, when we were trying to reach A.
    SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
    ......................... A failed test Advertising

When I run the same test on B I get the same error replacing A with B. 

Has anyone seen this before? My network is in a fragile state and I desperately need answers.

How to create a roaming profile from a virtualized physical machine

I have a small network using Server 2008 R2 with AD DS. I need to add two new client PCs to the domain without changing the physical appearance or operation. I have installed VMware on the server and have started making virtual copies of the client computers, and need to deploy them as roaming profiles so the users can pick up right where they left off. Could someone point me in the right direction as to how to do this? Thank you.

Unable to register the World Wide Web Publishing Service as a service principal name

transfer the roles and delete a failed ADC

I have one Primary DC and two Additional Domain Controllers.

DC: Windows Server 2003 x86
ADC: Windows Server 2003 x86
ADC: Windows Server 2008 R2


1. I want to transfer the roles from the Windows Server 2003 Domain Controller to make my Windows 2008 R2 ADC the primary, so that I can decommission the Windows 2003 DC and install a new ADC (either 2008 R2 or 2012) with the same host name and again transfer the roles to make it primary.
Please guide me through the steps for Windows Server 2012 and Windows Server 2008.


2. One of my ADCs, which is Windows Server 2003, is having hardware issues. If it fails, what are the steps to remove its entries so that I can reinstall the ADC with the same hostname?
I have read an article:
http://usefulglyphs.wordpress.com/2010/02/10/how-to-delete-a-failed-domain-controller-from-active-directory/

ntdsutil 
metadata cleanup 
connections 
connect to server hostname of a functional DC 
quit 
select operation target 
list domains 
select domain # 
list sites 
select site # 
list servers in site 
select server # 
quit 
remove selected server 
Click [YES] when presented with the warning message. 
quit

Up to here it is fine for me. Since I need to install the ADC with the same host name, do I need to follow the steps below?
Do I need to delete the failed DC name from Active Directory Sites and Services & Active Directory Users and Computers?


Next, open up "Active Directory Sites and Services", and…

Expand Sites –> Your Site Name –> Servers 
Right-click on the failed DC, and select "Delete".

Finally, open up "Active Directory Users and Computers", and…

Expand , and open up the "Domain Controllers" container. 
Right-click the hostname of the failed DC, and select "Delete".

You will be prompted for a reason for deleting the object.  Select "The domain controller is permanently offline and can no longer be demoted using Active Directory Installation Wizard (DCPROMO)."

Click [Delete]. 
Click [Yes] to confirm the deletion of the object.
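As an added example (not from the post or the article it quotes): once metadata cleanup has been run, the script below lists anything in AD or DNS that still refers to the failed DC by name, which is the check to run before a new DC with the same hostname is promoted. It assumes the RSAT ActiveDirectory and DnsServer modules (Windows Server 2012 / Windows 8 RSAT or later, run against the remaining DCs); the DC name in the usage line is a placeholder.

```powershell
# Added example, not from the post or the linked article: after ntdsutil metadata
# cleanup, list what still refers to the failed DC by name in the configuration
# partition (Sites and Services), the domain (ADUC, SYSVOL replication) and DNS.
# Assumes the RSAT ActiveDirectory and DnsServer modules; $DcName is a placeholder.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-FailedDcResidue {
    param(
        [Parameter(Mandatory)][string]$DcName,                  # short hostname of the failed DC
        [string]$Domain    = (Get-ADDomain).DNSRoot,
        [string]$DnsServer = (Get-ADDomainController).HostName   # surviving DC to query DNS on
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $fqdn     = "$DcName.$Domain"

    # 1. Server object in the configuration partition: what "AD Sites and Services" shows.
    Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DcName))" -SearchBase $configNc |
        ForEach-Object { [pscustomobject]@{ Kind = 'Sites and Services server object'; Reference = $_.DistinguishedName } }

    # 2. NTDS Settings object (the DC's replication identity); metadata cleanup removes this one.
    Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $configNc |
        Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$DcName,*" } |
        ForEach-Object { [pscustomobject]@{ Kind = 'NTDS Settings object'; Reference = $_.DistinguishedName } }

    # 3. Computer account (what ADUC shows under Domain Controllers).
    Get-ADComputer -Filter "Name -eq '$DcName'" -Server $Domain |
        ForEach-Object { [pscustomobject]@{ Kind = 'Computer account'; Reference = $_.DistinguishedName } }

    # 4. SYSVOL replication membership: FRS (2003-era) or DFSR member objects named after the DC.
    Get-ADObject -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$DcName))" `
                 -SearchBase "CN=System,$domainDn" -Server $Domain |
        ForEach-Object { [pscustomobject]@{ Kind = 'SYSVOL replication member'; Reference = $_.DistinguishedName } }

    # 5. DNS: SRV records still pointing at the old FQDN, the DSA-GUID CNAME in _msdcs,
    #    and the host (A) record. _msdcs may be its own zone or live inside the domain zone.
    foreach ($zone in @($Domain, "_msdcs.$Domain")) {
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.DomainName -eq "$fqdn." } |
            ForEach-Object { [pscustomobject]@{ Kind = "SRV record in $zone"; Reference = $_.HostName } }
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType CName -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.HostNameAlias -eq "$fqdn." } |
            ForEach-Object { [pscustomobject]@{ Kind = "CNAME record in $zone"; Reference = $_.HostName } }
    }
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain -RRType A -Name $DcName -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'A record'; Reference = "$($_.HostName) -> $($_.RecordData.IPv4Address)" } }
}

# Usage (placeholder name):
#   Get-FailedDcResidue -DcName OLDDC01 | Format-Table -AutoSize
# An empty result means nothing in AD or DNS still names the old DC.
```

Run it after the ntdsutil steps and after replication has converged; anything it still returns is what the Sites and Services and ADUC deletions in the quoted article (and a DNS cleanup) are meant to remove before the same hostname is reused.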

replica domain controller installation windows server 2012 unattended


How can we have an unattended answer file for replica domain controller installation in Windows Server 2012?

In Windows 2008 it was easy to do from the IFM. In Windows Server 2012 dcpromo is deprecated; how can we achieve the same using IFM and an unattended answer file? I got this article from TechNet: http://technet.microsoft.com/en-us/library/hh472162.aspx

It tells me to use PowerShell, which is fine, but it also tells me to specify the database and log file locations, which I don't want to do every time. In Windows 2008 you could just specify everything in the unattended answer file and you were good to go; that feature is not available any more. Is there a workaround for this?

We are in the pilot phase of testing Windows Server 2012 R2; any feedback is appreciated.




ADFS Setup Error


Scenario:

New physical DC running Server 2012 R2 (AD DS and DNS) with no other roles. Installed and configured AD FS. First server in a new farm. Service account created in AD for the farm servers. Wildcard certificate used. No problems with this part.

Trying to add a second server to the farm. This is an existing virtual DC running Server 2012 (not R2). Again, no other roles other than AD DS and DNS. Installed AD FS. Running the configuration, I select 'Add a federation server to an existing Federation Service'. I use the internal FQDN of the first server and select my service account (entering the password). I hit next and get the green progress bar for a few seconds, then it errors with the following...

"The primary federation server was contacted successfully, but the configuration data was not valid."

There is nothing in the AD FS logs. Tried a search and found nothing related to this specific message. I've tried importing the certificate manually before running the configuration. I've also associated the certificate with the default website.

Any suggestions would be greatly appreciated.


Domain users can't change their passwords from their workstations


Greetings,

We have a Windows Server 2008 SP2 AD forest. Newly hired users are forced to change their temporary passwords at the first logon, but the problem is that some users can't perform that password change even though they respect the password policy, so we have to invite the user to change their password from ADUC.

Please help.

Thanks in advance.


Redouane SARRA

Parent/Child Domain


I have a parent/child domain structure. The parent domain consists of domain controllers in three different locations (HO1, HO2, HO3). I have set Sites and Services up so that each remote VPN site (child domain) has a site link to HO1 and HO2 only. When I attempt to ping the parent domain name from a site server it sometimes resolves to HO3 and times out, as there isn't an active VPN tunnel between the two. My question is why HO3 would be replying when it doesn't have a site link to the remote site, and in turn how I can stop it from being the domain controller that replies?

Thanks for any advice

Chris

2008R2 DCs not being used to log on

I have an environment with 4 domain controllers. Two are running 2003, and two are running 2008 R2. One of the 2K3 DCs holds all FSMO roles. All DCs are GCs. The 2K3 servers are placed in the local site with most of the clients, while the 2008 R2 ones are placed in the datacentre. But there is only one site defined in AD (Default-First-Site-Name). So even if the clients are placed in the same site as the 2K3 DCs, they should still not prefer these DCs.

The thing is that none of the 2008 R2 DCs are being used to authenticate against the domain. There are no logon or logoff events in the security log of either 2008 R2 DC, while there are plenty of such events on the 2K3 DCs. They all have the same audit policy.

Even when you log on to servers/clients placed in the datacentre, you will authenticate against the 2K3 DCs. There are no replication-related errors. Everything is being replicated back and forth just fine between the DCs, the 2K8 DCs have registered their SRV records in DNS, and they have the same weight and priority as the 2K3 ones.

In other words, there is no reason why some users/clients shouldn't use the 2K8 DCs to log on, yet none of the users/clients are doing that.

What could be the reason?

AD sites and site links


We have a single forest and single domain with only 2 domain controllers and a single AD site. The existing site is ABC and only has the domain controller subnet. There are many other subnets which are not configured in the Sites configuration. In this situation, everything works fine. We created a couple of new AD sites, DEF and GHI (domain controllers not available there yet), in the Sites configuration and associated a couple of subnets. Site links were configured between ABC and DEF (lower cost), and also between ABC and GHI (higher cost). The moment this was done, we got the NO_CLIENT_SITE error in Netlogon (event ID 5807) from most of the subnets, saying "client IP doesn't map to any subnet and attempts to connect to a nearby DC". Any idea why these clients were not serviced by the ABC site, which initially did service them and also has the domain controllers? The idea was to promote the DCs in DEF and GHI after the site and site link config. How do we ensure that the new sites are created and at the same time the existing clients are still serviced by the ABC site?
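As an added example (not from the post): once a forest has more than one site, a client whose address matches no subnet object gets no site and netlogon logs event 5807; with a single site there was nothing to choose between, so the same clients never triggered it. The script below maps client addresses (taken from the 5807 events, or from the NO_CLIENT_SITE lines in %SystemRoot%\debug\netlogon.log) to the subnet objects using the same longest-prefix rule the DC locator uses, so the subnets still missing from ABC can be read off. It assumes the RSAT ActiveDirectory module with Get-ADReplicationSubnet (2012-era) and handles IPv4 only; the IPs in the usage line are placeholders.

```powershell
# Added example, not from the forum post: map client IPs to AD subnet objects the
# way the DC locator does (longest matching prefix wins), to find which subnets
# are missing and therefore produce NO_CLIENT_SITE (event 5807). IPv4 only.
# Assumes the RSAT ActiveDirectory module (Get-ADReplicationSubnet, 2012 or later).
Import-Module ActiveDirectory

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    # Big-endian byte order so the integer compares like the dotted address.
    $ipInt  = [uint64][BitConverter]::ToUInt32(([ipaddress]$Ip).GetAddressBytes()[3..0], 0)
    $netInt = [uint64][BitConverter]::ToUInt32(([ipaddress]$net).GetAddressBytes()[3..0], 0)
    $all32  = [uint64][uint32]::MaxValue
    $mask   = if ([int]$bits -eq 0) { [uint64]0 } else { ($all32 -shl (32 - [int]$bits)) -band $all32 }
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Find-AdSiteForClient {
    param([Parameter(Mandatory)][string[]]$ClientIp)
    # IPv4 subnets under CN=Subnets in the configuration partition, with the site each maps to.
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { $_.Name -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' } |
        ForEach-Object {
            [pscustomobject]@{
                Cidr   = $_.Name
                Prefix = [int]($_.Name -split '/')[1]
                Site   = if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { '<no site>' }
            }
        }
    foreach ($ip in $ClientIp) {
        # The DC locator picks the most specific (longest prefix) matching subnet.
        $match = $subnets | Where-Object { Test-IpInCidr -Ip $ip -Cidr $_.Cidr } |
                 Sort-Object Prefix -Descending | Select-Object -First 1
        [pscustomobject]@{
            ClientIp = $ip
            Subnet   = if ($match) { $match.Cidr } else { '<none: would log NO_CLIENT_SITE>' }
            Site     = if ($match) { $match.Site } else { '<none>' }
        }
    }
}

# Usage, with client IPs taken from the 5807 events (placeholder addresses):
#   Find-AdSiteForClient -ClientIp 10.20.30.41, 10.20.31.7 | Format-Table -AutoSize
```

Every client that comes back as "<none>" needs a subnet object associated with ABC (New-ADReplicationSubnet -Name '10.20.30.0/24' -Site ABC, with your own prefix) before the DEF and GHI sites get their own DCs; the subnet objects can be created ahead of the promotions, since a subnet that maps to a site without DCs still lets the locator fall back to the cheapest site link, which here is ABC.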

Windows 2008 AD DC can't be contacted

I have installed an AD DC on Windows 2008; AD and DNS are running and pass all the verify AD DS installation steps. But when I use a Windows 7 machine to join the domain, it has this error:


DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "hcnet.haverford.edu":

The query was for the SRV record for _ldap._tcp.dc._msdcs.hcnet.haverford.edu

The following domain controllers were identified by the query:
ad1.hcnet.haverford.edu


However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.



Can anyone help me?

