Channel: Directory Services forum

ADFS 3.0 Customize Claims Provider Trust LOGO


I have 2 Claims providers set up in ADFS 3.0 (Windows Server 2012 R2).

On the Home Realm Discovery Page I would like to customize the logo next to each Identity Provider.

Is there a PowerShell command to do this? How does one do this?

Thanks;

Jonathan


2003 to 2012 AD replication problems


Hi Guys. I feel a little lost in the situation that has been dumped on me and I wonder if I can have some assistance…

We have a Windows Server 2003 R2 machine as the ONLY physical server which is a DC, file server, jack of all trades… We’ve bought a brand new 2012 R2 machine which is going to replace all roles.

The step causing me grief right now is replicating AD from the 2003 R2 box to the 2012 R2 box.

DCDIAG from 2003 DC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\2003DC
      Starting test: Connectivity
         ......................... 2003DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\2003DC
      Starting test: Replications
         ......................... 2003DC passed test Replications
      Starting test: NCSecDesc
         ......................... 2003DC passed test NCSecDesc
      Starting test: NetLogons
         ......................... 2003DC passed test NetLogons
      Starting test: Advertising
         ......................... 2003DC passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... 2003DC passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... 2003DC passed test RidManager
      Starting test: MachineAccount
         ......................... 2003DC passed test MachineAccount
      Starting test: Services
         ......................... 2003DC passed test Services
      Starting test: ObjectsReplicated
         ......................... 2003DC passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... 2003DC passed test frssysvol
      Starting test: frsevent
         ......................... 2003DC passed test frsevent
      Starting test: kccevent
         An Error Event occured.  EventID: 0xC00005F8
            Time Generated: 05/01/2014   10:25:06
            Event String: Internal error: The Intersite Messaging service
         An Error Event occured.  EventID: 0xC000055D
            Time Generated: 05/01/2014   10:25:06
            Event String: The Intersite Messaging service could not receive
         ......................... 2003DC failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0001B77
            Time Generated: 05/01/2014   10:33:32
            (Event String could not be retrieved)
         ......................... 2003DC failed test systemlog
      Starting test: VerifyReferences
         ......................... 2003DC passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running enterprise tests on : parentdomain.local
      Starting test: Intersite
         ......................... parentdomain.local passed test Intersite
      Starting test: FsmoCheck
         ......................... parentdomain.local passed test FsmoCheck

DCDIAG from 2012DC:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = 2012DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\2012DC
      Starting test: Connectivity
         ......................... 2012DC passed test Connectivity

Doing primary tests

      Testing server: Default-First-Site-Name\2012DC
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\ntzip2.domain.local, when we were trying to reach 2012DC.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... 2012DC failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... 2012DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... 2012DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... 2012DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... 2012DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... 2012DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... 2012DC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... 2012DC passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\2012DC\netlogon)
         [2012DC] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
        ......................... 2012DC failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... 2012DC passed test ObjectsReplicated
      Starting test: Replications
         ......................... 2012DC passed test Replications
      Starting test: RidManager
         ......................... 2012DC passed test RidManager
      Starting test: Services
         ......................... 2012DC passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000C18
            Time Generated: 05/01/2014   10:35:33
            Event String:
            The primary Domain Controller for this domain could not be located.
         A warning event occurred.  EventID: 0x00001795
            Time Generated: 05/01/2014   10:42:10
            Event String:
            The program lsass.exe, with the assigned process ID 532, could not authenticate locally by using the target name ldap/ntzip.domain.local. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
         ......................... 2012DC passed test SystemLog
      Starting test: VerifyReferences
         ......................... 2012DC passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running enterprise tests on : parentdomain.local
      Starting test: LocatorCheck
         ......................... parentdomain.local passed test
         LocatorCheck
      Starting test: Intersite
         ......................... parentdomain.local passed test
         Intersite

If anyone could shed some light on how to resolve these areas in my situation I would greatly appreciate it!

Removing schema changes in AD made by software


Hi,

I've got an application in my forest, which has extended the schema. This is not Exchange, but if I uninstall this application for any reason, how can I remove all the associated schema changes from AD?

Thanks

Installing ADFS on Active Directory DC itself: is it OK?


I integrated our Lync Server 2010 on Premise with Office 365, which requires installing ADFS and Dirsync. I read a recommendation from Microsoft that Dirsync should be installed on a separate server since it requires SQL and SQL can't be installed on a Domain Controller (AD). However, I didn't read any recommendation on whether installing ADFS on AD would be OK or not.

It seems to be working fine, but I'm worried security-wise, since ADFS requires that you install IIS and publish the authentication page for AD users permission.

I would appreciate any input on this.

Thanks


Mohammed JH

AD changes not replicating when I move a DC to the correct site


I have created a site in AD Sites and Services for our branch office. However, when I place the RWDC in the correct site, replication stops. New user accounts and changes made to that DC do not replicate back to us.

I am pretty sure there is not a firewall issue because everything works fine when the site is moved back to the same site with the other two domain controllers. However, my goal is to make sure that users authenticate to the geographically closest DC.

There is a site-link created between the two sites.

The correct subnet (a /20) is assigned to the site.

I ran the AD Replication Status Tool with no errors, but when I create a test user on the branch office DC it does not replicate back over to the other DCs.

Any tips on what I should look for/try next?



Compacting and Defrag AD file(s)

After reviewing and running utilities against our AD database, we've determined that we need to Defrag and Compact the database on our Domain Controllers. Since we have 8 Domain Controllers, I'm trying to determine the best way of attacking the problem. Should I bring one DC down, one at a time and run the maintenance on it or bring all DCs down at once and run maintenance on all at the same time? Future project involves upgrading the schema, having a problem with a current DC that we're hoping the utilities either fix or plan to remove the older DC. Any advice on the attack plan?

Applying FGPP to Logged In Users


Hi,

I've already got FGPP set up and applied to some users via membership in a global security group. If I add another user to the security group while that user is logged in, will there be any consequences of this other than the user now having the password policy applied? Will the currently logged in credentials be affected in any way? Can you point me at any documentation to back that up?

Cheers

ADFS 3.0 and force password change


I was wondering if anyone knows if ADFS 3.0 supports the AD flag "Force password at first login"? I know 2.0 does not. I have been integrating Shibboleth with my ADFS and a custom login handler but I would really like to not complicate my setup and use straight ADFS if at all possible. Our ADFS setup would be for SSO into our on-premise SharePoint 2010 server. Even if 3.0 returns an error indicating that the password needs changed at least I can then tell the student that and direct them to our FIM server to have them register and set their password. Any thoughts?

Thanks

Joe


Joe M


Active Directory related program works for some users, not for others


My apologies if this is an inappropriate forum.  This involves an in-house program that works for some users but not all of them can run it successfully.  The gist of the program is to allow users to update distribution groups in which they're designated the manager.  This part works fine when the user can get past the start process.  The load section of the program gathers up the user's Windows identity then makes some requests of AD to find the groups.

It appears that some users get an exception thrown when trying to create the initial request for AD information about their own account.  Initially I got their Windows ID using WindowsPrincipal(WindowsIdentity.GetCurrent()) then using the extract the pertinent date I'd query AD for the directory entry for the user.  This would generate an error "Network path not found."  When I realized I could bypass this query by using UserPrincipal.Current the error message changed to "The connection could not be established."

I'd come to think it might be related to a setting in the userAccountControl but I'm finding no correlation between the users who can and those who can't run the program successfully.  I've run tests to try to make sure it's not workstation related.  I've hard coded the user ID to make sure it's not related to the specific account being looked up.  I'm at wit's end and would appreciate any help that's available.

Share Folder access problem after DC upgrade


Hi,

We have recently upgraded a Domain Controller in the Domain from Windows 2003 to Windows 2008 R2. The Domain Controller policy is the same as it was before migration. After the upgrade we are facing an issue with NAS storage access. We have a NAS storage which has got some shared folders. Users access the folders from their PCs. We are facing the issue that when we try to access the share with IP \\192.168.1.1 it gives the error that the "attached device is not functioning", but when we try to access it as \\servername it works fine.

I have taken netmon trace while accessing the drive as IP and as Hostname and some of the highlights are as follows:

-------------------------------------------------------------------------------------------------------------------------

When accessing through IP

1. Client -> Server: SMB: C Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002, SMB 2.???

2. Server -> Client: SMB: R negotiate, NT LM 0.12 # = 5

3. Client -> Server: SMB: C session setup & X, NTLM NEGOTIATE MESSAGE

4. Server -> Client: SMB: R session setup & X, NTLM Challenge message error code 22 Status More processing required

5. Client -> Server: SMB: C session setup & X, NTLM Authenticate Message Version:V2 Domain:domain, user:username,workstation:PC1

6. Server -> Client: SMB: R session setup & X NT Status: System Error Code 563 Status DOMAIN Controller NOT FOUND

After that it again goes back to point 3 and continues like that

-------------------------------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------------------------------

When Access through Hostname

1. Client -> Server: SMB: C Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002, SMB 2.???

2. Server -> Client: SMB: R negotiate, NT LM 0.12 # = 5

3. Client -> Server: SMB: C session setup & X,Krb5ApReq(0x100)

4. Server -> Client: SMB: C session setup & X,Krb5ApReq(0x200)

5. Client -> Server: Tree Connect Andx Path: \\hostname

---------------------------------------------------------------------------------------------------------------------------

We have already checked the DC Security policies and done the changes as recommended.

Running 2008 R2 DCs - Can we use ADFS from 2012 R2?


Do we have to upgrade our Active Directory DCs to 2012 R2 in order to use ADFS in 2012 R2?  2012R2 uses ADFS 3.0, right?  And that requires GMSA accounts to work in a farm if I understand it right.  Does 2008R2 support GMSAs?  I cannot find anything on it and powershell commands do not work for creating GMSA accounts.  


Do I need to update all our DCs to 2012 R2 before doing ADFS in 2012 R2?  We currently do not use ADFS, and I'd like to stick with the latest and greatest if possible... 

Is it possible to restrict a local admin from accessing/viewing AD accounts on a Domain Controller?

I am working on determining if I can have a separate administrator group handle patching and performing maintenance on four servers that are DCs of their own AD domain, but restrict these administrators from the ability to see the active directory user accounts in that AD domain?

Domain Functional Level Shows "Subsequent to Windows Server 2012" on Workstations


Earlier this week, I raised the functional level of my domain, and it all looks right in the Active Directory Administrative Center (ADAC) on a domain controller:

However, using ADAC on a workstation (we've tried this on multiple PCs) we see this:

Current domain functional level: Subsequent to Windows Server 2012

Is this expected behavior, or is there a way to correct it?

Thanks in advance!


Win 2008 R2 to Win 2012 R2 DCs and compatibility with 2000 Server clients


Hi

We're in the process of planning to upgrade our DCs running 2008 R2 to 2012 R2 servers.  The upgrade method will be to introduce new DCs and phase out the 2008 R2 DCs.  Our environment consists of parent and multiple child domains, forest/domain functional level: Windows 2008 R2. 

Questions

1. We have Windows Server 2000 clients in some of the child domains (3 servers total).  Does anyone know for sure if we will or will not run into issues with 2000 clients authenticating or anything else with regards to 2012 DCs.  Is there a MS KB article or a blog post from a MS AD guru such as http://blogs.technet.com/b/askds/ that outlines why and what issues you may run into if you have 2000 clients in a domain that has 2012 DCs?   It won't be for another year until we can upgrade the 2000 client to a newer OS.

I came across this thread in the support forum but I just need something more formal to give to upper management.

http://social.technet.microsoft.com/Forums/en-US/95e00c9b-aa19-49e8-8da8-ab66b444b1be/can-a-windows-2000-client-join-a-windows-2012-domain-?forum=winserver8setup

2. One option is to upgrade just the parent domain to all 2012R2 DCs and leave the child domains running 2008R2 DCs.  Of course will still run adprep /domain for all child domains even though we won't be introducing 2012 DCs anytime soon.  Will this work as expected, meaning the 2000 client servers will not have any problems since it's auth with 2008R2 DCs?

The parent domain has just a handful of accounts and doesn't necessarily need to log into the 2000 client.

Thanks.

how to move shared folders with permissions


I have a Windows Server 2003 DC. I am going to decommission it and come up with Windows Server 2012. I have shared folders on Windows Server 2003 that I want to move to another server temporarily till I come up with Windows Server 2012.

How do I move the shared folders with permissions?

 

Laptops failing to authenticate on wireless


I have an odd situation and it seems to also be intermittent although frequent. I've got a user that when they attempt to connect to the wireless network (Cisco WAPs [RADIUS access]) they're often unable to. Our networking team has sent us a report that says it is trying to authenticate as host/<computername>.  To clarify that I want to make sure you all understand that the word host in my example is NOT a variable while <computername> is. The report literally says host/... rather than Domain/  Not sure what host/ means as I've never seen this.

The machine in question has no difficulties in connecting through a wired connection whatsoever.  Most other machines don't experience this, although some seem to (I say seem because we don't have the same report on the other machines.  Networking is a whole other department.) I need to know what else to look at because it seems to be either a local computer problem or something in AD, although the latter seems unlikely as wired authentication is fine.

Wireless adapters are configured using Windows rather than 3rd party app, we're not using certs at this time, but domain auth.  Also OS is Windows 7.  Domain is 2008R2 DCs. 


# When I wrote this script only God & I knew what I was doing. # Now, only God Knows! don't retire technet http://social.technet.microsoft.com/Forums/en-US/e5d501af-d4ea-4c0f-97c0-dfcef0192888/dont-retire-technet?forum=tnfeedback

SetSPN for ADFS


On a brand new server 2012R2 machine I try to run setspn for this machine to be an ADFS host. I get an error that this is a duplicate SPN and it fails. How can I get around this error?


John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

Getting confused to find dynamic rpc ports for NTDS Netlogon


I'm trying to find out dynamic ports for the following entry. Is this the 49152-65535?

TCP Dynamic    Replication, User and Computer Authentication, Group Policy, Trusts    RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS

Which are the dynamic rpc ports for NTDS Netlogon ? I can't understand following ports...any help

LSA RPC     TCP/UDP    55001-60001
            TCP/UDP    51000
Netlogon    TCP        55000


Anoop C Nair - @anoopmannur :: MY Site: www.AnoopCNair.com ::FaceBook: ConfigMgr(SCCM) Page ::Linkedin: Linkedin


Prepare 2003 Forest/Domain for 2008 R2 or 2012 Domain Controllers


Hi,

I would be grateful if you could help me with this:

We have a single Forest/Single Domain structure which is managed by 4 Windows Server 2003 Std Edition. We are now trying to add a Server 2008 R2 as a domain controller. I have followed lots of articles on MS and other website with regards to preparing the Forest and domain before promoting the new server and here is what I got so far:

Schema master - Windows 2003 SE

FFL/DFL both set to 2003

Run Adprep32.exe (found it on 2008 R2 disc) /forestprep and the outcome was:

lDAPDisplayName "uidNumber" defined for object "CN=VintelauidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value uidNumber and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.0" defined for object CN=Vintela-uidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency.  Then run adprep again.

==============================================================================
lDAPDisplayName "gidNumber" defined for object "CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value gidNumber and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.1" defined for object CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.1" and resolve this inconsistency.  Then run adprep again.

==============================================================================
lDAPDisplayName "gecos" defined for object "CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value gecos and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.2" defined for object CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.2" and resolve this inconsistency.  Then run adprep again.

==============================================================================
lDAPDisplayName "unixHomeDirectory" defined for object "CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value unixHomeDirectory and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.3" defined for object CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.3" and resolve this inconsistency.  Then run adprep again.

==============================================================================
lDAPDisplayName "loginShell" defined for object "CN=VintelaloginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value loginShell and resolve this inconsistency.  Then run adprep again.




==============================================================================
OID "1.3.6.1.1.1.1.4" defined for object CN=Vintela-loginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.4" and resolve this inconsistency.  Then run adprep again.

On the Schema master, I ran the AD Schema MMC and deactivated the object for Vintela. I ran adprep32 /forestprep again and still got the same result.

Would you please advise what else can/must be done? Does anyone know anything about Vintela (Quest VAS) and how to get rid of it?

thanks for your help in advance.

access internal webserver externally - DNS Issues


Hello everyone,

I have 2 servers internally that I want my developers to access from the external network.

The sites have portals for the user to login. My internal DNS server has records for the static IPs of the machines in the forward lookup zone, mydomain.com, site1 192.168.A.B and site2 192.168.A.C.

site1.mydomain.com and site2.mydomain.com are the site names and mydomain.com is hosted by a hosting company.

My www record points to my external website. So when I do an nslookup from an external client, it's returning a non-authoritative answer:

name: site1.mydomain.com

address: 192.168.A.B

I can access internally but not externally, any ideas where I need to look? I hope this wasn't too confusing, I feel like I am missing something obvious.


