Channel: Directory Services forum

How to query Device claims information on client.

Hi,

I'm testing out dynamic access control and am able to successfully use device claims on a Windows 8 client connecting to a 2k12 file server. What I'm not sure about is how to view the current claims of the device. If I set up help assistance with an email alert on the file server I can get a report of the user/device claims when access is denied, but it would be helpful to see this information in a different manner.

When doing a "whois /claims" on a 2k12 member server or the windows 8 client, I only see the user claims.

Any help is appreciated. Thanks


DNS forwarder

Hi all,

It has already been 3+ months since I did a migration from 2003 to 2008. Below are the posts from before.

http://goo.gl/ShqErG

http://goo.gl/7iDP6X

Now, 3 months on, I realize that there is a problem sending email to certain domains.

I suspect it is a forwarder issue, but I'm not sure about the setting. Attached is my forwarder image.

Before I captured the screen, the forwarder list had the IP of the server (192.168.x.x). What should the right IP to put in be???


ADFS Question: ADFS Over Multiple Networks

Good afternoon,

I have an ADFS query which I hope you can help shed some light on. We have our ADFS accessible over the internet (ADFS1). Users are able to connect successfully to any resource made available. We have linked our ADFS server to a partner organisation (ADFS2). ADFS2 isn't available over the internet; however, it is accessible from the internal network of ADFS1. So users from ADFS2 are able to access resources made available by ADFS1. However, and I'm sure this is expected, when an ADFS2 user wants to access resources from ADFS1 over the internet, they are greeted with the ADFS1 login page requesting the user to select which domain they belong to. If they select ADFS2 (they should be redirected to the ADFS2 login page, enter their credentials and then be forwarded to the resource), instead they get "page cannot be displayed" (because ADFS2 isn't accessible over the internet).

Would both ADFS servers need to be accessible from the internet? I would have thought that so long as the servers can communicate with each other, that should be sufficient, like the ADFS1 server would pass credentials and authenticate with ADFS2, which would pass the token through, etc. Is it at all possible for a setup like this to work without having both servers accessible over the internet?

Many thanks in advance,  

Trying to Promote Windows 2012 R2 Server

Trying to promote a Windows 2012 R2 server to a DC in a new forest.

I am getting 'Could not validate domain name(s). Unable to find type [Microsoft.DirectoryServices.Deploymen.Tests.Prerquisites]. Make sure that the assembly that contains this type is loaded.'

Any ideas? Many thanks.

PS I would post a screenshot but it is telling me I can't do it until my account is verified, just no clue how to verify it!

Moving AD Certificate Services

I've inherited an AD environment with two CA servers.  The original CA is on a server that we are trying to permanently retire.  It appears that in the past someone had tried to install a new CA and turn the old one off (which didn't work) which is why there are now two CAs.  I've read a lot about AD CS but for some reason it just isn't clicking.

All servers are running 2008 R2.

In the AD CS console under Enterprise PKI I have two servers listed:

  1. SERVER1-CA(2) (this appears to be the original first CA)
  2. SERVER2-CA

Here is what I would like to do:

  • Move the CA from SERVER1-CA(2) to either a new or existing server
  • Remove the second CA and just have the original root CA

I've read guides on how to move the CA role from the original server but I don't understand what I am supposed to do with SERVER2.

Could someone please point me in the right direction?

PKI 2012 R2 - Subordinate Enterprise CA Receives Reduced Expiration Period in SubCA Certificate: 2 yrs VS 5 yrs

Hi All,

The PKI infrastructure includes the following elements:

  1. All CAs are Windows Server 2012 R2 member servers.
  2. Online Enterprise Root CA: RootCA [RSA (4096 bit)].
  3. Enterprise Subordinate CAs SubCA01 and SubCA02 are both directly subordinated to RootCA.
  4. CA details:
    4.1. RootCA: RSA, 4096 bit. Valid for 20 years. The Subordinate Certification Authority certificate template (SubCA Certificate Template) has 5 years of validity.
    4.2. SubCA01 and SubCA02: RSA, 4096 bit. The security certificate is based on the SubCA Certificate Template, but the certificate is valid for 2 years, although it is using the SubCA Certificate Template, which sets a validity of 5 years.
  5. The re-pro of the brand new test domain with 2-tier PKI infrastructure generated the same issue.

Questions:

  1. How to enforce that the SubCA-based certificate is valid for 5 years on SubCA01 and SubCA02?
  2. What is the potential cause of the under provisioning of the certificate validity period? Or where to look for the investigation?
  3. Is it possible to renew with the same key the certificate for the SubCA, but with longer validity period? Should any other certificates be re-issued except for the SubCA certificate for the subordinate CAs?
  4. Is there a way to configure the SubCA template so that the SubCA template based certificate is issued for the enterprise new subordinate CA with the expected validity period?
  5. Can the SubCA certificate be renewed automatically and how to configure it if possible?
  6. Can the SubCA certificate validity period be longer than the validity period of the Root CA?

Tons of thanks in advance for your great help and attention!!!


DCDiag Error Enterprise Read-only Domain Controllers doesn't have Replicating Directory Changes access rights for the naming context:

I'm trying to cleanup our domain to eliminate errors and warnings when running DCDIAG and other tools.  Following is one problem I had and the associated resolution:

Running DCDIAG on any of our domain controllers (all are Windows Server 2008 R2) resulted in the following error:

Starting test: NCSecDesc
   Error OURDOMAIN\Enterprise Read-only Domain Controllers doesn't have
      Replicating Directory Changes
   access rights for the naming context:
   DC=ourdomain,DC=com

Verifying the Problem:

Using Active Directory Users and Computers (ADUC) and navigating to \Users, verify the existence of a Security Group called "Enterprise Read-only Domain Controllers".   In our case, that group already existed.  Exit ADUC.

Using ADSIEDIT, right-click on Naming Context "DC=ourdomain,DC=com", choose "Properties", click the "Security" tab and verify that "Enterprise Read-only Domain Controllers" shows in the "Group or user names" pane.  In our case, that group was missing.

Resolution:

In ADSIEDIT, click the "Add" button, type the group name "Enterprise Read-only Domain Controllers" and click "OK".  Next, highlight "Enterprise Read-only Domain Controllers" in the "Group or user names:" pane and then scroll down in the "Permissions:" pane to find "Replicating Directory Changes".  Enable (check) the box in the "Allow" column to the right of "Replicating Directory Changes" and Press "OK". 

Exit ADSIEDIT and re-run DCDIAG.  This solved the problem in our case.
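The same ACE can be checked from PowerShell before and after the ADSIEDIT change. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed, which provides the AD: drive, and it uses the well-known GUID of the DS-Replication-Get-Changes control-access right.

```powershell
# Added example (not from the post): verify that a group holds the
# "Replicating Directory Changes" control-access right on a naming context,
# which is what DCDIAG's NCSecDesc test checks for.
# Assumes the ActiveDirectory module (RSAT) is installed; it provides the AD: drive.
Import-Module ActiveDirectory

# Well-known rightsGuid of the DS-Replication-Get-Changes control-access right
$getChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicationChangesAce {
    param(
        [string]$Group = 'Enterprise Read-only Domain Controllers',
        # Defaults to the domain NC, e.g. DC=ourdomain,DC=com
        [string]$NamingContext = (Get-ADRootDSE).defaultNamingContext
    )
    $acl = Get-Acl -Path "AD:\$NamingContext"
    # Match an Allow ACE for the group whose ObjectType is the Get-Changes GUID
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Group" -and
        $_.ObjectType -eq $getChangesGuid
    }
    [PSCustomObject]@{
        NamingContext = $NamingContext
        Group         = $Group
        HasRight      = [bool]$ace
    }
}

# List every principal that holds the right on this NC, so that an
# unexpected holder stands out during a review of the naming context ACL.
function Get-ReplicationChangesHolders {
    param([string]$NamingContext = (Get-ADRootDSE).defaultNamingContext)
    (Get-Acl -Path "AD:\$NamingContext").Access |
        Where-Object { $_.ObjectType -eq $getChangesGuid -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='Principal';e={$_.IdentityReference.Value}}, ActiveDirectoryRights, IsInherited
}

Test-ReplicationChangesAce | Format-List
Get-ReplicationChangesHolders | Format-Table -AutoSize
```

Run it as a user who can read the naming context's security descriptor; HasRight should flip from False to True once the ACE has been added and replicated.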


AD Sync error in on windows 2003/2008 domain controllers

I am a new admin at my company and checking the log files on the domain controllers...I am coming across the following errors on 2 of the 10 domain controllers, one is a win 2008 and the other is a windows 2003...the error is below:

Failed to upload user 'xxxxx': Failed to get user 'xxxx': Administrator's password is not valid or has expired because Failed to get user 'xxxx': Administrator's password is not valid or has expired

-Provider
[ Name]AD Sync
-EventID2
[ Qualifiers]0
Level2
Task0
Keywords0x80000000000000
-TimeCreated
[ SystemTime]2014-03-25T19:29:48.000000000Z
EventRecordID340204
ChannelApplication
Computerxxxxxxxx
Security
-EventData
Failed to upload user 'xxxxx': Failed to get user 'xxxxx': Administrator's password is not valid or has expired because Failed to get user 'xxxxx': Administrator's password is not valid or has expired


DNS problem.

On Saturday, I started my laptop and could not use the internet due to an IP conflict. I did eventually get it to work by entering my own IP address and DNS server into ICHP4. Today I went to school, and I noticed something. The option for "obtain DNS server" isn't selectable at all. Now I need the DNS server for the school wifi, which I know they will not give me. Any help with this? Running Windows 7 on an Asus laptop. Model number: K53S

ADFS 2.0 FS & ADFS 2.0 Proxy Server Setup

I've looked at links such as:

http://pipe2text.com/?page_id=399

I haven't had too many issues; however, I'm trying to install things again, and things aren't working fine. The questions I have are:

1. Do only ports 80 and 443 need to be open between the proxy and the FS server or are there additional ports?

2. During the Proxy configuration wizard, it asks for "Specify Federation Service Name".  Suppose we wish to have it so that folks connect to the service via adfs.domain.com.  For testing purposes we'll have two servers, a proxy server: adfsproxy and an AD server: adfsad.   How would things be configured in the wizard?  On the proxy hostfile, do we put in the adfs.domain.com to point to the ad server?  Externally, we would point adfs.domain.com to the proxy server?

Thanks!

FSMO Migration from 2003 to 2008 R2

I am prepping for FSMO migration from 2003 to 2008 R2 this weekend. I was going through the steps and found an issue that is concerning me. On the 2008 server, which is a DC and going to hold all FSMO roles, when I right-click on Schema to change Schema Master, the "Change" field does not reflect the new 2008 R2 server. Is this by design? As in, will this reflect the 2008 R2 server once I do step 1, Change Domain Controller? Single domain, simple AD topology. I am an enterprise admin, domain admin, and schema admin.

All other FSMO moves show the new server ma-file1. Any help appreciated.


Dave Santel



AD Account Lockouts

Hi Guys!

We are having an issue with a user's account being locked every 5 minutes. I will put below what I have tried and also what I have used to try to investigate the issue.

I checked if the user had left themselves logged into any machines, checked if they had any Citrix/TS sessions open, checked if they had connected to the corporate Wifi, and checked if they are receiving emails from Exchange ActiveSync on her phone. Also, the user is on a thin client and it doesn't cache any passwords, and her Citrix profile has been reset to ensure no apps have cached her password. She also has no drive mappings. I have used the AccountLockout tool from Microsoft and all that tells me is which DC the account lockout happens on. I have then checked the event log on that DC and nothing is in the Security logs for the user, as in Failure Audit or even Failed log on. I have also used that EventLogger tool which comes with the Account Lockout tool from Microsoft and that has also not found anything!!

Guys help :(!

Can't join my server's domain remotely.

At my school the servers are slow, so using new laptops on their network is a big bottleneck. I connected to my server's VPN so I am tunneled into my home network, then switched user, ctrl-alt-del, and changed from my school's domain to my own by doing (domain)\(user). I log in and it says "The security database on the server does not have a computer account for this workstation trust relationship". How do I fix this?

AD Authentication and VPN

We have a network where we have Active Directory spread across different security zones separated by firewalls. The users log in to their PCs and get authenticated through the LAN DC as per their subnet association.

We also allow users to connect to network through VPN. But these users get access to different security zone which is also having Domain Controllers of same domain which is in LAN.

We have a requirement that when user connects through VPN also they should be able to get Group Policies applied, able to access application using SSO.

The problem is that when the user connects to VPN, he does a cached login to Windows, then he connects to VPN and gets the IP and DNS address of the DC of that zone.

When I do Dsquery with the -S command and specify the DC in the VPN zone, it works fine, but when I run GPUPDATE it fails. Is there a way to achieve this?

lastlogon, lastlogontimestamp

Is there any way in AD Users and Computers to run a report to list all users (logon name), their status (i.e. disabled/expired/active) and the fields lastlogon and lastlogontimestamp? I thought there may be a way to do it in the custom search area of a new query in ADUC, but couldn't find the fields. If I double-click a user object in ADUC, the fields and dates can be found in the attribute editor tab.

Any help most welcome.


DCDIAG Result A net user or LsaPolicy failed with error 67

I have looked through all the similar posts and have run an authoritative and unauthoritative process. This allowed my SYSVOL to replicate and come back. I still keep getting this error on the one DC. Everything else passes fine. I am pulling my hair out; if anyone has had this problem, please help. Also, this is a Server 2012 R2 DC.

Proxy User (Migrating from edirectory)

Hi Guys,

I am sure this question has already come up somewhere in the past but I couldn't find it anywhere. All I am looking for is for someone to guide me in the right direction on "Proxy Users for Active Directory". We are migrating from Novell and we have a number of proxy users with special/minimum rights to perform specific tasks. In this case all I want to create is a proxy user with the following rights:

Enter/Object Rights - Browse
CN - Read,Compare
ObjectClass - Read,Compare

Guys, any sort of help would be much appreciated. 

Thanks in advance

-mEtho

What is posted availability specification for Windows server 2012? 2012R2?

I am trying to put together a high availability solution and I want to know what the availability 'claim' of the individual components would be. What is the availability specification for Windows Server 2012 and Windows Server 2012 R2 (for example, 99.9% availability for the O/S itself)? This would be in a non-clustered or load-balanced state, just a single server running the O/S.

Logic for DC selection for authentication within the same AD site

Hello All, I am working on extending AD service from an existing data center to a new data center. As part of co-existence, I have created new DCs in the new data center but kept them as part of the AD site in the existing data center. Both data centers have 1 GB connectivity.

What I would like to know is: would there be any internal logic in calculating which DC a client should authenticate against, based on network latency or something like that? I wanted to know if there was any way I can restrict the user workstations at the existing data center location (which is also the HQ location) to authenticate against the DCs available locally instead of travelling to the new DCs at the new data center, within the same AD site. I cannot make the new data center a separate AD site for now due to the migration challenges.

Any inputs would be highly appreciated. Thanks in advance.

Possible to change AD account password used on 3000+ computers without logging off?

Imagine a work environment of 3000+ computers.

- Several domain service accounts are used to automatically log into Windows.

- (This is done via HKLM\...\CurrentVersion\Winlogon.)

- Every so often, the passwords for these accounts need to be changed.

- So the account passwords are changed, and the new passwords are updated in the HKLM registry path on all 3000+ computers via an automated script.

- However, then Windows pops up a dialog box on each computer: "Your credentials are out of date. Reboot or press CTRL+Alt+Delete to lock the computer and enter in your new credentials."

Is there any way to programmatically reauthenticate the new password WITHOUT logging off or locking/unlocking the computer on all 3000+ computers?
