Channel: Directory Services forum
Viewing all 31638 articles

join computer to domain - best practices


We want to allow only a specific security group and Domain Admins to join computers to the domain. Not only join, but also remove, overwrite existing, rename, and move to another domain. So all other users are restricted from these operations. I searched for a solution and found that there are several ways to grant permissions and to restrict them. I chose to delegate security settings on the "Computers" container, where new computers come. So to restrict users from joining to the domain, I select "Authenticated Users" in the security tab of the "Computers" container and deny Create and Delete. Then I select my specific security group and allow them to create and delete computer objects. But the point is that there are about 5 "Authenticated Users" groups. Which one to choose?

And we also suffer from some mistakes that appear after joining to the domain a computer that already exists. After overwriting the computer object some group policies don't apply. So to make it work correctly we first need to delete the computer from AD, and only then join it.

And actually I wanted to ask for best practices to accomplish this task. Now we have the default "Computers" container where new computers come, and we have an OU to which we manually move new computers from the default container.
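An added example, not from the original post, of doing the delegation from PowerShell instead of the security tab. It assumes the delegated group is called Workstation-Joiners and that the target OU is OU=Workstations directly under the domain root; both names are made up for the example. The point it adds to the post: the right of every authenticated user to join machines does not come from the ACL on CN=Computers but from the ms-DS-MachineAccountQuota attribute on the domain head, so setting that to 0 removes the default right without any Deny ACEs, and redirecting new accounts to an OU (redircmp) means GPOs can be linked where the machines land.

```powershell
# Added example (not from the original post). Assumptions: current domain,
# delegated group 'Workstation-Joiners', target OU 'OU=Workstations' under the
# domain root. Run as a Domain Admin on a host with the ActiveDirectory module.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$ouDn     = "OU=Workstations,$domainDn"
$group    = Get-ADGroup -Identity 'Workstation-Joiners'

# 1. Remove the implicit join right (default quota is 10 machines per user).
Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Send new machine accounts to an OU; GPOs cannot be linked to CN=Computers.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Workstations)' -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
redircmp $ouDn

# 3. Delegate: create/delete computer objects in the OU, and full control over
#    the computer objects inside it (covers rename, move, reset and re-join of
#    an existing account). Tighten GenericAll to specific rights if you prefer.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'computer'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDn"

$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $createDelete, $allow, $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify what the OU now grants to the group
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*Workstation-Joiners' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

With the quota at 0, nobody outside the delegated group (and the built-in admin groups) can create a machine account, so the question of which "Authenticated Users" entry to deny does not arise; Deny ACEs on a container are harder to audit than a single domain attribute plus one Allow ACE.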



Implementing a trust relationship between two AD forests with the same root domain name?


Hello,

Is it possible to establish a trust between two AD forests sharing the same root domain name ?

Forest A : AD domain = company.com  and DNS = company.com

Forest B : AD domain = new.company.com  and DNS = new.company.com

One way Trust : B trusting A

If it is technically possible are there any recommendation or any advise against this set up ?

Thanks for your help,

Luca

Add mail-enabled group in AD LDS


Good day experts,

I've created a single AD LDS instance which is made available to a 3rd party. They fill this instance with members and groups.
When I go to my Outlook LDAP address book I can see the members and I can search for the groups.

But the only thing we can't find out is how to make the members of the groups visible. What we expected was that in Outlook you select a group and you can mail the members in that group, the same as with distribution groups when using Exchange.

We probably have to create a mail-enabled group or something, but I just can't figure it out. Can you please point me in the right direction?

So in short, what we need is: a group, visible in Outlook, with members we can mail.

Thanks in advance.

Kind regards,

Len


sysadmin KNB


DNS Event ID 4010

Hello Everyone

My primary DC is Windows Server 2003 x86
and my ADC is Windows Server 2008 R2 x64.

When I log in to the DNS server on Windows Server 2003 and add the DNS server of Windows Server 2008 R2 I am
getting the following error:
Cannot contact DNS server. Some possible reasons include: the DNS server may not be running, or the computer associated with the
specified name or IP address could not be found.

When I check Active Directory Sites and Services both domain controllers are replicating.
When I go to the Windows 2008 R2 server's DNS, I can add my Windows Server 2003 DNS server.
I can see Event ID 4010 on Windows Server 2008 R2:
The DNS server was unable to create a resource record for 615c....._msdcs.mydomain.com. The
Active Directory definition of this resource record is corrupt or contains an invalid DNS name.

DNS event 4010


After recreating the msdcs.domain.local zone on the domain controllers I'm getting error 4010 in the DNS event log.

The DNS server was unable to create a resource record for  62ebf5b9-1450-4eef-aeaf-f4eb0a16457c._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The DNS server was unable to create a resource record for  1c9ddd24-8672-4052-a22a-22f853d81269._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

I tried locating these resource records, but no luck.

What is the proper way to fix this error?

Thanks!
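An added example for both 4010 posts above (it is not from either poster). The event names a record "<guid>._msdcs" inside the parent zone, which is where the DC CNAME aliases lived before _msdcs became its own zone; leftover dnsNode objects of that shape, or the same zone stored in more than one directory partition, are what the DNS server trips over. The script assumes the zone is domain.local and runs on a DC with the ActiveDirectory module; it lists candidate nodes in every partition that can hold the zone and only offers to delete those whose GUID does not belong to a DC that still exists.

```powershell
# Added example (not from the original posts). Assumption: affected zone is
# 'domain.local'; run on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory

$zone = 'domain.local'
$root = Get-ADRootDSE

# AD-integrated zones can live in any of three partitions.
$dnsContainers = @(
    "CN=MicrosoftDNS,CN=System,$($root.defaultNamingContext)"           # legacy (Windows 2000) storage
    "CN=MicrosoftDNS,DC=DomainDnsZones,$($root.defaultNamingContext)"
    "CN=MicrosoftDNS,DC=ForestDnsZones,$($root.rootDomainNamingContext)"
)

$found = foreach ($container in $dnsContainers) {
    $zoneDn = "DC=$zone,$container"
    # Nodes named '<dsa guid>._msdcs' directly under the parent zone are the
    # records the event complains about.
    Get-ADObject -SearchBase $zoneDn -SearchScope OneLevel -ErrorAction SilentlyContinue `
        -LDAPFilter '(&(objectClass=dnsNode)(dc=*._msdcs))' `
        -Properties dnsTombstoned, whenChanged |
        Select-Object Name, DistinguishedName, dnsTombstoned, whenChanged
}

"Candidate nodes:"
$found | Format-Table -AutoSize

# The alias is named for the objectGUID of each DC's NTDS Settings object.
$liveDsaGuids = (Get-ADDomainController -Filter *).NTDSSettingsObjectDN |
    ForEach-Object { (Get-ADObject -Identity $_ -Properties objectGUID).objectGUID.ToString() }

foreach ($node in $found) {
    $guid = ($node.Name -split '\.')[0]
    if ($liveDsaGuids -contains $guid) {
        Write-Warning "$($node.Name) belongs to a live DC; leaving it alone"
    } else {
        # Prompts per object; answer No to keep it.
        Remove-ADObject -Identity $node.DistinguishedName -Confirm:$true
    }
}

# Also worth seeing: does the same zone exist in more than one partition?
foreach ($container in $dnsContainers) {
    if (Get-ADObject -LDAPFilter "(dc=$zone)" -SearchBase $container -SearchScope OneLevel -ErrorAction SilentlyContinue) {
        "Zone $zone is stored under $container"
    }
}
```

If the last loop prints the zone under two containers, the DNS server has two definitions of the same zone and 4010 will keep coming back until the duplicate (usually the legacy CN=System copy) is removed; take a system state backup first, since these are directory deletions and not DNS console operations.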

An attempt to resolve the DNS name of a domain controller in the domain being joined has failed.


The following error occurred attempting to join the domain "egl-underground.mainframe":

An attempt to resolve the DNS name of a domain controller in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain.

I am running Windows Server 2008 R2 and trying to connect with a Windows 7 computer.
I have already set the DNS on my computer to the server running DNS Server (the same server as the DC).
I can ping the server, and I can nslookup the FQDN as well with no problems.

Any help?
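An added check, not from the original poster: a domain join does not look up the DC's host name, it asks DNS for the DC locator SRV records under _msdcs, so a working ping and A-record lookup prove little. The script below runs on the Windows 7 client (plain nslookup and nltest, since the DnsClient module is not available there) and queries those records against the resolver the client is actually using. The domain name is the one from the post.

```powershell
# Added example (not from the original post). Assumption: run on the Windows 7
# client being joined; only built-in tools (nslookup, nltest) are used.
$domain = 'egl-underground.mainframe'

# Which resolvers does the client really use? (first adapter with IP enabled)
$dns = (Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }).DNSServerSearchOrder
"Client resolvers: $($dns -join ', ')"

# The join needs these SRV records, served by the client's resolver.
foreach ($srv in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain") {
    "--- $srv"
    nslookup -type=SRV $srv $dns[0] 2>&1
}

# Which DC does the locator pick, and with which error if none?
nltest /dsgetdc:$domain /force
```

If the SRV queries return nothing while the A record resolves, the DC has not registered its locator records (netlogon not registering, or the zone does not allow dynamic updates); an nslookup of the FQDN alone will never show that.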

ADMT, what is the release plan?


Hello,

there are several posts on the topic but I can't find any recent ones. Is ADMT dead in terms of new releases? Windows Server 2012 was released some 14-15 months ago and it looks like there is still no support for running ADMT on it.

There is a workaround (using a previous operating system) but I don't think there is a workaround for AD at the 2012 native version.

My question is whether anybody knows if there will be a new release of ADMT (perhaps 3.3) or not. It would be very useful to know since we need to make new routines for our migration processes.

Thanks


Erik, with many, many certs! ;-)

DHCP


I have a primary DC which is Windows Server 2003 R2 x64 and which is also the DHCP server.

I have added an ADC which is Windows Server 2008 R2.

When I do ipconfig /all

I cannot see the IP address (DNS server) of the ADC (I have added it in the DHCP options under name servers).

Can you guide me as to what I am missing (after making an ADC, what are the necessary steps to follow)?



Demote/Promote DC, with Windows Internal Database installed?


What is the official policy regarding domain management operations on a domain controller that has the Windows Internal Database installed?

Can you safely demote or promote a domain controller with the Internal Database installed?


I am mainly concerned because this article says SQL Server must be removed prior to promoting or demoting a DC:

Security Considerations for a SQL Server Installation

http://technet.microsoft.com/en-us/library/ms144228.aspx


Yet also other documents say that removing the Internal Database from a domain controller can irreversibly damage the domain controller and corrupt the domain database.

So in the case of the SQL Server used by the Internal Database, which is not listed in Programs as a removable item, does it matter if it remains installed when that server is promoted or demoted as a DC?


This is a 3-year-old Server 2008 R2 domain controller that is also a primary file server, and that previously ran WSUS and additional SQL Server 2005 programs.

The other programs using SQL databases were migrated off and removed, and the other SQL Server installs are no longer listed in the Programs list, yet the Windows Internal Database remains, and sqlservr.exe is listed as running in the Task Manager.

Two other single-purpose, dedicated domain controllers are available in the domain.

I would like to remove this difficult to manage DC, install VMWare on a separate drive mirror, and reinstall the 2008 R2 Server OS in a virtual machine for a dedicated file server.

Then an additional 2008 R2 server may be installed in another VM on this hardware, to again act as a domain controller, but with it operating in complete isolation from the file server VM and no need to worry about further WSUS or SQL Server conflicts.



Export Contact with creation and modify date


Hi All,

I need to export the contacts created in AD (Windows 2008) with their creation and modified dates.
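An added example, not from the original poster, that does the export with the ActiveDirectory module. Contacts are objectClass=contact, and the two dates are the whenCreated and whenChanged attributes. The one caveat worth knowing before trusting the "modified" column: whenChanged is not replicated, every DC keeps its own value, so the query pins a single DC with -Server. The output path is an assumption.

```powershell
# Added example (not from the original post). Assumptions: current domain,
# output file C:\Temp\ad-contacts.csv.
Import-Module ActiveDirectory

$out = 'C:\Temp\ad-contacts.csv'
# whenChanged is a non-replicated attribute: always read it from one DC.
$dc  = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1

Get-ADObject -Server $dc -LDAPFilter '(objectClass=contact)' `
    -Properties displayName, mail, targetAddress, description, whenCreated, whenChanged |
    Select-Object Name, displayName, mail, targetAddress, description,
        @{ n = 'Created';  e = { $_.whenCreated.ToString('yyyy-MM-dd HH:mm:ss') } },
        @{ n = 'Modified'; e = { $_.whenChanged.ToString('yyyy-MM-dd HH:mm:ss') } },
        @{ n = 'Container'; e = { ($_.DistinguishedName -split ',', 2)[1] } } |
    Sort-Object Created |
    Export-Csv -Path $out -NoTypeInformation -Encoding UTF8

# Quick sanity check of what was written
"$((Import-Csv -Path $out).Count) contacts exported to $out from $dc"
```

Swap -LDAPFilter for -SearchBase plus an OU distinguished name if only one OU's contacts are wanted; the date formatting is there so the CSV sorts correctly in a spreadsheet regardless of regional settings.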

Get-ADReplicationFailure and Get-ADReplicationUpToDatenessVectorTable


Hi,

Where do the Get-ADReplicationFailure and Get-ADReplicationUpToDatenessVectorTable cmdlets retrieve their data from?

Let's start with Get-ADReplicationFailure: it shows 2 replication failures which are not current. Running the following in the same environment shows no errors:

$dclist = Get-ADDomainController -Filter *

foreach ($dc in $dclist) {
    # ask each DC for its own inbound replication status
    repadmin /showrepl $dc.HostName /csv | ConvertFrom-Csv
}


Get-ADReplicationUpToDatenessVectorTable: This cmdlet returns a lot of Microsoft.ActiveDirectory.Management.ADReplicationUpToDatenessVectorTable objects. Many of them have old timestamps and no value for the Partner property:

LastReplicationSuccess : 26.04.2010 21:01:02
Partition              : DC=domain,DC=local
PartitionGuid          : 7ddec540-31db-44d3-9ab5-d5adb479627e
Partner                :
PartnerInvocationId    : 0e2fbc85-8d50-4c30-ae65-27648a0888b9
Server                 : dc01.domain.local
UsnFilter              : 19853

These are probably old domain controllers which were decommissioned years ago. Why do these show up? And where is the cmdlet getting this data from?

The replication topology seems healthy using the legacy tools, but the new cmdlets aren't giving the same impression.

Some clarifications would be appreciated.
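An added example, not from the original poster, that cross-checks both cmdlets against the sources they read. The up-to-dateness vector is the replUpToDateVector attribute on each partition head and is keyed by invocationId, so an entry whose invocationId matches no current DC is exactly the "Partner is blank" row: the cmdlet cannot map the id back to an NTDS Settings object because that object is gone, and such rows stay in the vector long after the DC is demoted. Get-ADReplicationFailure reads each DC's replication failure cache (the same data repadmin /failcache prints), which is a record of the last failure per partner rather than the result of a fresh attempt, so it can disagree with a live repadmin /showrepl. The script assumes the current domain and a 2012-level management host.

```powershell
# Added example (not from the original post). Assumption: current domain,
# run on a host with the Windows Server 2012 ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# invocationId -> host name for every DC that still exists
$liveInvocation = @{}
foreach ($dc in $dcs) { $liveInvocation[$dc.InvocationId.ToString()] = $dc.HostName }

# UTDV for the domain partition as seen by one DC
$utdv  = Get-ADReplicationUpToDatenessVectorTable -Target $dcs[0].HostName -Partition $domain.DistinguishedName
$stale = @($utdv | Where-Object { -not $liveInvocation.ContainsKey($_.PartnerInvocationId.ToString()) })

"UTDV entries: $(@($utdv).Count), not matching any live DC: $($stale.Count)"
$stale | Sort-Object LastReplicationSuccess |
    Format-Table PartnerInvocationId, LastReplicationSuccess, UsnFilter -AutoSize

# Cached failures versus what a fresh repadmin pass reports right now
$cached = @(Get-ADReplicationFailure -Target $dcs.HostName)
$live   = @(foreach ($dc in $dcs) {
    repadmin /showrepl $dc.HostName /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 }
})

"Cached failures: $($cached.Count)   Failures reported by repadmin now: $($live.Count)"
$cached | Format-Table Server, Partner, FirstFailureTime, FailureCount, LastError -AutoSize

# Same cache, legacy view, for one DC
repadmin /failcache $dcs[0].HostName
```

Two things follow from the output. Unmatched UTDV rows with years-old LastReplicationSuccess values are harmless as long as the invocationId is not a live DC; they are not a topology problem. A cached failure that repadmin /showrepl no longer reports is the cache remembering the last error for that partner, which is why the counts differ.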



Windows 7 Trust Relationship Problem


Good day,

When our workstations lose trust with the domain, it removes all the programs loaded after it was SCCM?

I am struggling a lot with this and it seems to happen more often to the workstations.

Regards

Daniev_ZA

ADFS migration 1.x to 3.0

Hi,

We'll be performing an AD upgrade from Server 2003 to Server 2012 R2.
There's also an ADFS farm configured that needs to be migrated to Server 2012 servers.

The process to migrate from 2.x to 3.0 is documented very well, but I can't find any resources available for migrating from 1.x to 3.0.
Does anyone know if there's an upgrade path available, or do I just build a new ADFS Windows 2012 R2 farm, configure it, and eventually move the DNS record over to the new one?

Problem creating external trust between domains


Hello,

When I try to create a one-way incoming external trust between 2 domains (to DomainA from DomainB) in separate forests I get this message:

This domain already has a one-way trust relationship with the specified domain.

But I cannot see it on the list of trusts, either incoming or outgoing (in both domains).

For sure the trust was never set up before.

In DomainA there are several other external, non-transitive trusts with other domains. But for sure DomainB does not have any incoming or outgoing trusts on the list. Name resolution between the domains is OK. I can ping the domain name on both sides.

Any help is welcome.

Darek.
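An added check, not from the original poster: what the Domains and Trusts console lists comes from the trustedDomain objects in CN=System, and each trust also has a hidden interdomain trust account (the partner's NetBIOS name with a trailing $, flagged INTERDOMAIN_TRUST_ACCOUNT in userAccountControl). A half-created or orphaned copy of either of these produces exactly the "already has a one-way trust relationship" message while the console shows nothing. The script assumes it runs in DomainA with read access to CN=System; run it again in DomainB.

```powershell
# Added example (not from the original post). Assumption: run in the domain
# reporting the error, with rights to read CN=System.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# All trust objects, including ones the console may not render
$trusts = Get-ADObject -SearchBase "CN=System,$domainDn" -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties trustPartner, flatName, trustDirection, trustType, trustAttributes, whenCreated, whenChanged

$trusts | Select-Object Name, trustPartner, flatName,
    @{ n = 'Direction'; e = { switch ($_.trustDirection) { 0 { 'Disabled' } 1 { 'Inbound' } 2 { 'Outbound' } 3 { 'Bidirectional' } } } },
    @{ n = 'Type';      e = { switch ($_.trustType)      { 1 { 'Downlevel' } 2 { 'Uplevel' } 3 { 'MIT' } 4 { 'DCE' } } } },
    trustAttributes, whenCreated, whenChanged |
    Format-Table -AutoSize

# Interdomain trust accounts: userAccountControl bit 0x800 (2048)
Get-ADObject -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048))' `
    -Properties sAMAccountName, whenCreated |
    Format-Table Name, sAMAccountName, whenCreated -AutoSize

# The DC's own view of its trusts, for comparison with the console
nltest /domain_trusts /all_trusts
```

A trustedDomain object or trust account for DomainB that appears here but not in the console is the thing to remove (netdom trust /remove against the partner name, or, for a truly orphaned object, deletion after a backup) before creating the trust again.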

Using DSACLS and how to use objects and properties


Hello,

I hope that someone can help me with this question.

We are trying to set permissions on user objects in OUs, and for that we are using the DSACLS command from PowerShell.

We want to set some specific permissions which are visible through the security tab on a user object. The group Authenticated Users must have the Allow permissions for Read general information, Read personal information, Read public information and Read web information.

We try to accomplish this with this command line:

dsacls cn user /g '"Authenticated Users:RP;Read general information"'

This fails. The strange thing is that for permissions like Send As it succeeds.

Can anyone direct me to the right way?
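An added example, not from the original poster. Two things differ between the two cases in the post: "Send As" is an extended right, granted with the CA access letters and its own display name, whereas the four "Read ... information" entries on the security tab are the RP access letters applied to a property set whose display name is just "General Information", "Personal Information", and so on; dsacls needs that display name, not the tab's wording. Rather than guess the names, the script reads them from the Extended-Rights container, where property sets are controlAccessRight objects with validAccesses 48 (read property | write property). It assumes the users live in OU=Staff under the domain root and applies the ACEs there, inherited to user objects.

```powershell
# Added example (not from the original post). Assumption: target users are in
# OU=Staff under the domain root; rights are set at the OU and inherited.
Import-Module ActiveDirectory

$root = Get-ADRootDSE
$ouDn = "OU=Staff,$($root.defaultNamingContext)"

# Property sets: controlAccessRight objects with validAccesses = 48 (RP|WP)
$propertySets = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(validAccesses=48))' `
    -Properties displayName, rightsGuid |
    Select-Object displayName, rightsGuid
$propertySets | Sort-Object displayName | Format-Table -AutoSize

$wanted = 'General Information', 'Personal Information', 'Public Information', 'Web Information'

foreach ($set in $wanted) {
    if (-not ($propertySets.displayName -contains $set)) {
        throw "No property set named '$set' in this forest; pick the name from the table above"
    }
    # /I:S = sub-objects only; RP = read property; trailing 'user' limits the
    # ACE to user objects. The whole grant is one argument for dsacls.
    & dsacls $ouDn /I:S /G "Authenticated Users:RP;$set;user"
}

# Extended rights (e.g. Send As) use CA and have validAccesses = 256; this is
# the other kind of entry and why that form of the command worked.
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(validAccesses=256)(displayName=Send As))' -Properties displayName |
    Format-Table displayName -AutoSize

# Show what was written
& dsacls $ouDn | Select-String 'Authenticated Users'
```

The same ACEs can be written with Get-Acl/Set-Acl on the AD: drive using the rightsGuid values from the table as the objectType of an ActiveDirectoryAccessRule; dsacls is just the shorter route when the display names are known.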


Removing a registered device from AD via Powershell


Hello!

I've been testing the new Workplace Join feature in Windows Server R2 and Windows 8.1. So far, I know that I can remove a registered device from the AD via PC Settings > Network > Workplace in Windows 8.1. I'm wondering however, if I can also accomplish this using Powershell. 

Thank you!
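An added example, not from the original poster. With the Windows Server 2012 R2 Device Registration Service, each workplace-joined device is an msDS-Device object under the CN=RegisteredDevices container at the domain root, so the directory side of "remove this device" is an ordinary Remove-ADObject. The script assumes that container location and that msDS-RegisteredOwner holds the owning user's SID; both are labelled as assumptions in the code. Removing the object does not touch the client, which still holds its device certificate until the user leaves the workplace from PC Settings.

```powershell
# Added example (not from the original post). Assumptions: Windows Server 2012 R2
# Device Registration Service; devices under CN=RegisteredDevices at the domain
# root; msDS-RegisteredOwner carries the owner's SID.
Import-Module ActiveDirectory

$container = "CN=RegisteredDevices,$((Get-ADDomain).DistinguishedName)"

function Get-RegisteredDevice {
    param([string]$UserSamAccountName)
    $devices = Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=msDS-Device)' `
        -Properties displayName, msDS-DeviceID, msDS-DeviceOSType, msDS-DeviceOSVersion,
                    msDS-RegisteredOwner, msDS-IsEnabled, whenCreated
    if ($UserSamAccountName) {
        $sid = (Get-ADUser -Identity $UserSamAccountName).SID.Value
        # Owner values may come back as SID objects or strings; compare as text
        $devices = $devices | Where-Object {
            @($_.'msDS-RegisteredOwner' | ForEach-Object { "$_" }) -contains $sid
        }
    }
    $devices | Select-Object displayName, 'msDS-DeviceID', 'msDS-DeviceOSType', 'msDS-DeviceOSVersion',
        'msDS-IsEnabled', whenCreated, DistinguishedName
}

function Remove-RegisteredDevice {
    param([Parameter(Mandatory)][string]$DeviceDisplayName)
    $hits = @(Get-ADObject -SearchBase $container `
        -LDAPFilter "(&(objectClass=msDS-Device)(displayName=$DeviceDisplayName))")
    if ($hits.Count -ne 1) {
        throw "Expected exactly one device named '$DeviceDisplayName', found $($hits.Count)"
    }
    Remove-ADObject -Identity $hits[0].DistinguishedName -Confirm:$true
}

# Usage: list everything, then a single user's devices, then remove one by name
Get-RegisteredDevice | Format-Table displayName, 'msDS-DeviceOSType', 'msDS-IsEnabled', whenCreated -AutoSize
Get-RegisteredDevice -UserSamAccountName 'jdoe'        # 'jdoe' is a placeholder
# Remove-RegisteredDevice -DeviceDisplayName 'LAPTOP-01' # placeholder device name
```

Deleting by displayName is deliberately strict (exactly one match) because device names are not unique in the container; if two users registered machines with the same name, pick by msDS-DeviceID instead.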



SAML SSO from salesforce and ADFS 2.0

Hi all

I need to implement SAML SSO between salesforce.com and ADFS, where ADFS is the identity provider. Our need is to configure both the Salesforce production and the Salesforce sandbox environments and log on to Salesforce using IdP-initiated login.

In our ADFS 2.0 we configured one Relying Party Trust with multiple identifiers:
- production: "https://mydomain.my.salesforce.com"
- sandbox: "https://mydomain-Quality.cs17.my.salesforce.com"

The production identifier has been set as the default.

Now IdP-initiated login works fine for production; when I try to connect to the sandbox with the following link, a login error is returned.

"identity provider url"/idpinitiatedsignon.aspx?loginToRp= "sandbox URL"

Validating the SAML response I saw that the problem is in the Audience parameter, because it contains the production URL and not the sandbox URL.

Where is it possible to configure this parameter?

Thank you
Loredana
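An added example, not from the original poster. The Audience in an ADFS assertion is the relying party trust's identifier, and it is not a separately configurable field; the usual way to get a sandbox-specific audience is a second relying party trust whose only identifier is the sandbox URL, with the sandbox identifier removed from the production trust so the two do not overlap. The sandbox identifier below is the one from the post; the sandbox Assertion Consumer Service URL and the claim rule are assumptions (take the real ACS URL from the sandbox's SAML settings in Salesforce). ADFS 2.0 cmdlets are used, matching the post.

```powershell
# Added example (not from the original post). ADFS 2.0 cmdlets. Assumptions:
# sandbox ACS URL (replace with the value from the sandbox SAML settings) and
# the NameID claim rule; the identifiers are the ones from the post.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$prodId     = 'https://mydomain.my.salesforce.com'
$sandboxId  = 'https://mydomain-Quality.cs17.my.salesforce.com'
$sandboxAcs = 'https://mydomain-Quality.cs17.my.salesforce.com'   # ASSUMPTION: sandbox ACS URL

# 1. A trust of its own for the sandbox: its identifier becomes the Audience.
$endpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $sandboxAcs -IsDefault $true
Add-ADFSRelyingPartyTrust -Name 'Salesforce Sandbox' -Identifier $sandboxId -SamlEndpoint $endpoint

# 2. Issuance rules: e-mail address as NameID (ASSUMPTION; match the Salesforce
#    SSO settings for the federation ID), and permit everyone.
$transform = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@
$authorize = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Set-ADFSRelyingPartyTrust -TargetName 'Salesforce Sandbox' `
    -IssuanceTransformRules $transform -IssuanceAuthorizationRules $authorize

# 3. Take the sandbox identifier out of the production trust.
$prod = Get-ADFSRelyingPartyTrust -Identifier $prodId
Set-ADFSRelyingPartyTrust -TargetRelyingParty $prod -Identifier @($prod.Identifier | Where-Object { $_ -ne $sandboxId })

# 4. Each trust should now list exactly one identifier (the audience it emits).
Get-ADFSRelyingPartyTrust |
    Where-Object { $_.Identifier -contains $prodId -or $_.Identifier -contains $sandboxId } |
    Select-Object Name, Identifier, @{ n = 'ACS'; e = { $_.SamlEndpoints.Location } }
```

The IdP-initiated URL then works unchanged, since loginToRp selects the trust by identifier and the sandbox trust now has a single one. Copy the production trust's other settings (token-signing certificate, encryption, signature algorithm) onto the new trust before testing; Salesforce validates those as well as the audience.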

Configuring a Certificate for ADFS on Server 2012 R2


Preparing to install ADFS on Server 2012 R2 for SSO to applications outside of our organization.  For my needs, do I need two certificates? One for SSL and one for Claims?

We have an internal Microsoft CA that I can get certs from. I have read that Microsoft suggests using a self-signed cert for claims. Can someone corroborate this for me?

Since ADFS 2012 R2 doesn't use IIS, if I have IIS installed and request a cert from my internal CA, can I still use it for my ADFS installation?


Orange County District Attorney

Active Directory is shut down

How can I log into a remote server on which the Active Directory services have stopped? I can't log in with the current credentials. Restarting the server doesn't seem to resolve the problem because the Active Directory services were configured to start manually (I don't know why). So I need to log in to the server anyway; can you help me?

Update AD Attribute using script


Hi Team, I have a task to update an AD attribute for 1000 users in one go.

Task: we have 1000 users in our AD, and I have to update the IP Phone information (under the Telephones tab) in one go.

I cannot do it manually for 1000 users, so I need a PowerShell script or VB script to complete this task.

Could you please help me with this?


Regards, Triyambak
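An added example, not from the original poster. The "IP Phone" field on the Telephones tab is the ipPhone attribute, so the bulk update is a CSV of sAMAccountName and ipPhone fed to Set-ADUser. The script writes a small constructed sample CSV so it runs as-is (replace it with the real file), skips users already holding the value, clears the attribute where the CSV cell is empty, records a per-user result, and prints a summary. File paths are assumptions.

```powershell
# Added example (not from the original post). Assumptions: input CSV with
# columns sAMAccountName,ipPhone; paths under C:\Temp.
Import-Module ActiveDirectory

$csvPath = 'C:\Temp\ipphone.csv'
$logPath = 'C:\Temp\ipphone-result.csv'

# Constructed sample input so the script runs stand-alone; replace with the real file.
@"
sAMAccountName,ipPhone
jdoe,1001
asmith,1002
nobody.here,1003
"@ | Set-Content -Path $csvPath -Encoding UTF8

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $sam  = $row.sAMAccountName.Trim()
    $new  = $row.ipPhone.Trim()
    $user = Get-ADUser -LDAPFilter "(sAMAccountName=$sam)" -Properties ipPhone

    if (-not $user) {
        [pscustomobject]@{ User = $sam; Old = $null; New = $new; Status = 'NOT FOUND' }
        continue
    }
    if ($user.ipPhone -eq $new) {
        [pscustomobject]@{ User = $sam; Old = $user.ipPhone; New = $new; Status = 'UNCHANGED' }
        continue
    }
    try {
        if ([string]::IsNullOrEmpty($new)) {
            # -Replace with an empty value fails; clearing is a separate operation
            Set-ADUser -Identity $user -Clear ipPhone -ErrorAction Stop
        } else {
            Set-ADUser -Identity $user -Replace @{ ipPhone = $new } -ErrorAction Stop
        }
        [pscustomobject]@{ User = $sam; Old = $user.ipPhone; New = $new; Status = 'UPDATED' }
    } catch {
        [pscustomobject]@{ User = $sam; Old = $user.ipPhone; New = $new; Status = "ERROR: $($_.Exception.Message)" }
    }
}

$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once with -WhatIf added to both Set-ADUser calls to see the planned changes, and keep the result CSV: with 1000 rows the NOT FOUND and ERROR lines are what you will need to chase afterwards.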


