Channel: Directory Services forum
Viewing all 31638 articles

ADFS 2.1 Design Questions


Hi All,

  Goal: Our domain (DomainA) users (internal helpdesk) need access to the application hosted in another organization (DomainB).

 My questions:

      1. As an Account Partner, do we need a Federation Proxy Farm (2) and Federation Server Farm (2)?

      2. What is the risk without a proxy single server or farm?

      3. What sort of spec for the VMs? (30 internal helpdesk users)

      4. We have a DMZ TMG 2012 VM. Can I use that?

 DomainB is giving the following technical requirements:

     1. Acquire a TLC Certificate for "service Communication" and "token decrypting". What does this mean and how?

     2. Acquire a VeriSign Gatekeeper device type 3 certificate as "token Signing". What does this mean and how?

     3. Provide the .CER (public cert) of the token-signing cert to DomainB, and federation identifiers and local endpoints?

I know it's lots of questions; please help me with the design.

AS

      


Unable to download Active Directory Migration Tool (ADMT) V3.2 and PES (for Server 2012)


Need help.


I was trying to download Active Directory Migration Tool (ADMT) V3.2 and PES from the following link;
http://connect.microsoft.com/site1164/content/content.aspx?ContentID=22983


I keep getting the error message below:

------------------------------------------------------

Page Not Found

The content that you requested cannot be found or you do not have permission to view it.

If you believe you have reached this page in error, click the Help link at the top of the page to report the issue and include this ID in your e-mail: 1587c406-a27e-436b-9a19-f165971afef4

------------------------------------------------------


Password Export Server (PES)- x64
https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53422


Active Directory Migration Tool (ADMT) QFE - x86
https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53423


Hope someone can advise me on where to download the 2 tools above.

Many thanks in advance.

GPP Files and Drive Map Error ID 4098, Only on 1 Server In Domain


I have one machine in the domain that is getting error ID 4098 for both Drive Maps and Files Group Policy Preferences. The GPPs are working on every other machine in the domain. This is the file server that is hosting the DFS Shares and File Share where the GPP Preference files are being hosted and drives are being mapped to, but I don't think that should make a difference. Otherwise, it's not different from any other server. I don't get errors on any other GPO settings.

I've enabled GPP tracing, but it isn't providing any insight, I get for the files preferences:

Properties handled. [ hr = 0x8007052e "The user name or password is incorrect." ]
2014-06-03 13:58:08.309 [pid=0x2d4,tid=0xa80] Error suppressed. [ hr = 0x8007052e "The user name or password is incorrect." ]

and this for the drive maps preference:

Properties handled. [ hr = 0x80070056 "The specified network password is not correct." ]
2014-06-03 13:58:08.519 [pid=0x2d4,tid=0xb1c] Error suppressed. [ hr = 0x80070056 "The specified network password is not correct." ]

I haven't specified any connect as options, drives are available to all authenticated users.

I thought it might be a computer password issue, so I've removed the server from the domain, deleted the computer object in AD, then re-added the server to the domain, no change in results. I've actually tried this several times to make sure.

Any thoughts on how to resolve this?

How to install and migrate a single DC to a new DC with folder redirection.


Greetings,

 I have a Windows Server 2012 running AD services. There is folder redirection enabled to facilitate users logging in from a different machine and still being able to access their personal files. Folder redirection is configured exactly as per the following Microsoft document: http://technet.microsoft.com/en-in/library/hh848267.aspx

 Even administrators cannot access user files due to ACLs.

 I need to migrate from this AD server to a new one, including user files. The old server will be recommissioned for another role. How can I do this seamlessly?

Thank you very much in advance,

Parth D. Maniar

Kerberos Authentication not working for a single user on Server 2012


We have a service account that has an unusual authentication problem. The account runs fine on our server 2008 R2 server, but the same account does not appear to be able to use kerberos for authentication with the domain controller. You get logged in, but you get a balloon tip that says:

"Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card."

Logging out or rebooting doesn't help.

We also noticed that kerberos logon does not complete successfully when trying to use the service account to connect to an SQL server on a different box. During the SQL server connection process we are able to get a network capture, and have noticed that kerberos fails requiring preauth (which we understand to be normal), but we never see a successful kerberos authentication with the domain controller in the network trace or the security logs. If we turn off pre-Authentication, we can see that the issue is related to encryption due to the krb5kdc_err_etype_nosupp error.

So we believe we have an encryption issue, except that if anyone else logs into the server, none of these problems exist. We have made this account a member of the same groups that I am a part of (way more rights than required), and we have put the account in the same OU as my account. My account works just fine for everything. The service account doesn't seem to authenticate properly. Even in Kerbtray I see no indication of issued kerberos certificates.

This service account has rights in Active Directory, Exchange, and SQL databases. I don't want to recreate it if I don't have to, but I cannot figure out why it doesn't work right. Any help pointing me to what I have overlooked would be appreciated.

Using LDAP to search attribute bit flags using attribute OID values


Hello everyone,

My question stems from trying to understand the OID and syntax behind this classic LDAP search to find disabled users:

"(useraccountcontrol:1.2.840.113556.1.4.803:=2)"

What I am interested in is the value 1.2.840.113556.1.4.803, specifically how it differentiates from the value 1.2.840.113556.1.4.8, which is the OID of the useraccountcontrol attribute:

http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

Now, this website below says that the 03 and 04 are designators of the AND and OR operations, respectively, and are added on to the end of the OID:

https://www.appliedtrust.com/blog/2011/04/keeping-your-active-directory-pantry-order

However, using this logic, I can't get these 03 and 04 operators to work with other attribute OIDs that use flags as values, such as the "searchflags" attribute, e.g. an LDAP search of "(searchflags:=1.2.840.113556.1.2.33404:=0)" returns nothing, using the OR (04) operation at the end of the "searchflags" OID of 1.2.840.113556.1.2.334.

So back to my original question, for the useraccountcontrol OID of 1.2.840.113556.1.4.8, is this OID at all related to the bitwise AND extensible match of 1.2.840.113556.1.4.803 (like just adding a 03 to designate an AND operation), or is this extensible match value of 1.2.840.113556.1.4.803 completely separate from the useraccountcontrol OID of 1.2.840.113556.1.4.8?

If I have my terms mixed up, please feel free to correct me on what the proper terms are.

Thanks!
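
For reference alongside the question above, an added example that is not part of the original post: in a filter of the form (attribute:OID:=value) the OID names an LDAP extensible-match rule, and Active Directory defines 1.2.840.113556.1.4.803 as bitwise AND and 1.2.840.113556.1.4.804 as bitwise OR, independent of any attribute's own OID. The sketch below parses that filter form and evaluates it over constructed entries; the function names and sample entries are hypothetical.

```python
import re

# Active Directory extensible-match rule OIDs. These identify matching
# rules, not attributes, so they are the same for every flag attribute.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR

# userAccountControl flag values used in the constructed sample data.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Shape handled here: (attribute:matching-rule-OID:=decimal-value)
FILTER_RE = re.compile(
    r"^\(\s*(?P<attr>[A-Za-z][A-Za-z0-9-]*)"
    r":(?P<rule>\d+(?:\.\d+)+)"
    r":=(?P<value>\d+)\s*\)$"
)


def parse_bit_filter(text):
    """Return (attribute, rule_oid, value) or raise ValueError."""
    m = FILTER_RE.match(text.strip())
    if not m:
        raise ValueError("not of the form (attr:rule-oid:=value): %r" % text)
    rule = m.group("rule")
    if rule not in (BIT_AND, BIT_OR):
        # This evaluator only knows the two bitwise rules.
        raise ValueError("unknown matching rule OID: %s" % rule)
    return m.group("attr").lower(), rule, int(m.group("value"))


def matches(entry, attr, rule, value):
    """Apply the bitwise rule to one entry (dict keyed by lowercase name)."""
    if attr not in entry:
        return False  # attribute absent: the assertion cannot be true
    stored = int(entry[attr])
    if rule == BIT_AND:
        return stored & value == value  # every requested bit is set
    return stored & value != 0          # at least one requested bit is set


def search(entries, filter_text):
    """Return the cn of every entry that satisfies the filter."""
    attr, rule, value = parse_bit_filter(filter_text)
    return [e["cn"] for e in entries if matches(e, attr, rule, value)]


# Constructed sample entries (not taken from any real directory).
SAMPLE_ENTRIES = [
    {"cn": "alice", "useraccountcontrol": UF_NORMAL_ACCOUNT},
    {"cn": "bob", "useraccountcontrol": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    {"cn": "svc-backup",
     "useraccountcontrol": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"cn": "old-svc",
     "useraccountcontrol": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD
     | UF_ACCOUNTDISABLE},
    {"cn": "contact1"},  # no userAccountControl attribute at all
]

if __name__ == "__main__":
    both = UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD  # 65538
    for flt in (
        "(userAccountControl:%s:=2)" % BIT_AND,
        "(userAccountControl:%s:=%d)" % (BIT_AND, both),
        "(userAccountControl:%s:=%d)" % (BIT_OR, both),
    ):
        print(flt, "->", search(SAMPLE_ENTRIES, flt))
```

With a value of 0 the two rules diverge by definition: bitwise AND is satisfied by every entry that has the attribute, bitwise OR by none.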


Offline Join server 2012 through 2008R2 RODC


Hello, I have been trying this for a few days now with multiple servers and I have had no luck. I have a 2008 R2 RODC in my DMZ and I have been able to and still can offline join 2008 R2 servers through the RODC to the domain. However, I have not been able to get a Server 2012 R2 server to join in the same manner. First, is it possible to join a Server 2012 R2 member server to a domain through a 2008 R2 RODC?

Thanks,

Scott

Error: Missing SRV record at DNS server - [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]


In an attempt to transfer FSMO roles to the 2012r2 DC, the first thing I ran was dcdiag /e /c /v, and after correcting some minor errors I came upon this one in the DNS portion, where a SRV record is missing and I have no idea how to fix/remove this. There are only two DCs, 200.5 and 200.6, where the former is a Hyper-V VM running 2012r2 and the latter is a physical 2003r2 machine. I was able to successfully raise the levels to 2003 and join the 2012r2 DC. This missing SRV record does not look fatal and only warrants a warning from dcdiag; however, I would like to fix this so there's no trouble down the road. I've tried ipconfig /registerdns, but no dice. Here is the message I'm concerned about:

                    Error:
                    Missing SRV record at DNS server 192.168.200.5:
                    _ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local
                    [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]


The bottom portion of the DNS section that contains this message is in the RReg section and is as follows:

              TEST: Dynamic update (Dyn)
                 Test record dcdiag-test-record added successfully in zone cmedia.local
                 Test record dcdiag-test-record deleted successfully in zone cmedia.local
 
              TEST: Records registration (RReg)
                 Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
                    Matching CNAME record found at DNS server 192.168.200.5:
                    a29d12f1-2869-44bf-8e43-adf7ddf33865._msdcs.cmedia.local
 
                    Matching A record found at DNS server 192.168.200.5:
                    CM-DC1-HV-NYC01.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _ldap._tcp.cmedia.local
 
                    Error:
                    Missing SRV record at DNS server 192.168.200.5:
                    _ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local
                    [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _kerberos._tcp.dc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _ldap._tcp.dc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _kerberos._tcp.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _kerberos._udp.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _kpasswd._tcp.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _ldap._tcp.Default-First-Site-Name._sites.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _kerberos._tcp.Default-First-Site-Name._sites.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _ldap._tcp.gc._msdcs.cmedia.local
 
                    Matching A record found at DNS server 192.168.200.5:
                    gc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _gc._tcp.Default-First-Site-Name._sites.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.5:
                    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.cmedia.local
 
                    Matching CNAME record found at DNS server 192.168.200.6:
                    a29d12f1-2869-44bf-8e43-adf7ddf33865._msdcs.cmedia.local
 
                    Matching A record found at DNS server 192.168.200.6:
                    CM-DC1-HV-NYC01.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _ldap._tcp.cmedia.local
 
                    Error:
                    Missing SRV record at DNS server 192.168.200.6:
                    _ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local
                    [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _kerberos._tcp.dc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _ldap._tcp.dc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _kerberos._tcp.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _kerberos._udp.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _kpasswd._tcp.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _ldap._tcp.Default-First-Site-Name._sites.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _kerberos._tcp.Default-First-Site-Name._sites.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _ldap._tcp.gc._msdcs.cmedia.local
 
                    Matching A record found at DNS server 192.168.200.6:
                    gc._msdcs.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _gc._tcp.Default-First-Site-Name._sites.cmedia.local
 
                    Matching  SRV record found at DNS server 192.168.200.6:
                    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.cmedia.local
 
              Warning: Record Registrations not found in some network adapters


add new attribute in active directory schema

Hi

I need to add two new attributes to the schema in my forest for the user class.

The attribute names are jobclasscode and jobclass.

How can I achieve it, and where can I get an X.500 OID?

We are running the AD forest below:

DFL and FFL: Windows Server 2003
DCs: AD 2008 R2.

Query pertaining to installation of Microsoft Exchange


I am using Microsoft Server 2008 R2 with 20 N-connect thin clients. Will Microsoft Exchange 2010 run with thin clients?

I read that Microsoft Exchange 2010 is a thick client application.

You are requested to look into the matter forthwith.

The time has come! Step up Windows Server Gurus! Your community needs heroes like you!


TechNet Gurus... we salute you!

You're awesome, and we know it!

Your knowledge uploads and nifty info nuggets are our life blood at TechNet Wiki.

Every awesome article that gets an award is just the start. We are building up the most sensational collection of gifts of knowledge from eminent community heavy weights and young guns alike. And we plan to promote you and your work wherever we can.

Reputations are being forged.

History is being made.

Generations will know your name.

Your children, grandchildren and great-grandchildren will marvel at your technical prowess.

And now, my mighty code warriors, cool consultants and platform specialists, now your chance is here again.

A new month of possibilities. Another chance to prove YOU are the ONE!

The mighty TechNet Guru medal winner for June!

Take up your mouse and keyboard!

Unleash your mighty words of wisdom and bask in the glory that we bestow upon you!

GO GO Gurus! Give, give, give!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Submit now : http://social.technet.microsoft.com/wiki/contents/articles/24692.technet-guru-contributions-for-june-2014.aspx

Thanks in advance!
Pete Laker


#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.


Multiple AD FS instances in single forest


Hi, thank you for reading this. I have a little design question about AD FS. The current situation is like this:

  • One forest, root domain: domain.lan
  • domain.lan contains all user objects
  • Three child domains: 1.domain.lan, 2.domain.lan and 3.domain.lan
  • AD FS 2.0 server is deployed in domain.lan

Customer wants an extra AD FS instance for testing purposes.

I do find some recommendations on the internet, but I still have a few questions:

  1. Is it true that only one AD FS server (or farm) per forest can be deployed?
  2. I read that I can have multiple AD FS instances, but not in the same domain. Should I move the current AD FS server to 1.domain.lan (Because the current AD FS server also automatically supports the child domains) and add an AD FS server for testing purposes to 2.domain.lan?
  3. Is the configuration as suggested in point 2 supported by Microsoft?

Thanks!

Regards,

Baksteen

AD Web Service Error 1202

We are seeing this error every 1 minute on two Windows Server 2008 R2 domain controllers that were recently installed at a remote site:

Source: ADWS
Error: 1202
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.

Directory instance: GC
Directory instance LDAP port: 3268
Directory instance SSL port: 3269

Granting Domain Admins full control on Roaming Profile folders hosted on a CIFS share


Our environment has roaming profiles stored on CIFS shares and by policy, domain admins are not supposed to be members of the builtin administrators group on the NAS boxes. As a result, domain admins do not have access on the roaming profile folders for the users which makes it difficult to perform routine support tasks. 

I had a couple of users run the icacls \\path to roaming profile folders /grant "domain admins":(F) /T command (so as to grant domain admins full control on their roaming profile folder) but it didn't work. The error is 

"an error occurred while applying security information to <roaming profile folder>. Access is denied."

I have a test environment configured where the permissions on the root folder are the same as in the production environment. The command runs fine in the test environment. I've checked the GPO settings in the production environment and none seem to be the cause of this behavior. At the root folder level, Creator/Owner, Domain Admins and Builtin\Administrators have Full Control, while Authenticated users have modify rights. Effective permissions on the roaming profile folder show that the individual user accounts have full control on their roaming profile folder, and what is more, these accounts also have ownership of their respective roaming profile folders. 

Does anybody have any helpful tips? 

How to reset AD Forest to defaults?

Over the course of many different admins, I have an AD forest that has had its permissions modified by hand and delegated. I need to somehow get this forest's security permissions back to the defaults. The root of the forest has been modified, along with almost all of the OUs and containers. Is there a command, set of commands, or utility that can be run to return it to like new? This way I can go through and delegate permissions correctly.

RE: Schema upgrade


Hi

Currently our organization is at the Server 2008 R2 forest and domain functional level. I would however like to upgrade my DCs to Server 2012 R2 so that these levels can be increased. What is the best way to update the schema? Could I just follow the same procedures as before where you ran the updates from the DVD of the OS you wish to upgrade to?

Thanks

Karl

Enable Inheritance Security Setting won't stay applied on Domain User Accounts


The weirdest thing is happening on a 2012 R2 DC. In order to fix the ActiveSync error event ID 1053 on Exchange 2010, the fix is to enable inheritance on the Advanced Security settings of the domain users that will be using ActiveSync...OK...but here is the weird thing...I set Enable inheritance on the users and apply it, then when I check back after however long...the setting has now reverted back to disabled inheritance? This is happening on all user accounts?

This screen shot is from this morning...Last night I changed this setting and enabled inheritance...this morning it reverted back to disabled inheritance?

Event ID 5141 and 4662. DNS entry for DC getting deleted by System


All,

Been trying to track down why a static DNS entry in an AD Integrated DNS zone keeps being deleted by the "System".

The entry is for the 2nd of two DCs. It is not a FSMO role holder.

If I drill down into ADSIedit to the Microsoft DNS zones (CN=MicrosoftDNS), find the record in question and open its properties, I do see that it has been marked dNSTombstoned TRUE.

As long as that stays TRUE, it will delete the entry and does do that, however, if I change that attribute to FALSE, manually create a new DNS entry, the attribute gets changed back to TRUE and the record again gets deleted.

Below is the actual Security log from Event Viewer (edited just a bit) that is logged after the DNS AD object has been deleted.

My question is, how do I troubleshoot/figure out why the system keeps deleting this DNS entry???

Thanks for any input.

      -joe

A directory service object was deleted.

Subject:
    Security ID: SYSTEM
    Account Name: SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID: 0xb713de

Directory Service:
    Name: domain.com
    Type: Active Directory Domain Services

Object:
    DN: DC=domain-dc1,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com
    GUID: DC=domain-dc1,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com
    Class: dnsNode

Operation:
    Tree Delete: No
    Correlation ID: {2df081230-546e-4a1b-8efb-fdd547u6fc97}
    Application Correlation ID: -

Home folder local path


I have entered a valid path like C:\ss in the Home folder local path field. But I don't see any such folder or drive when I log on using the client.

Can anyone state the difference between home folder local path and connect to fields?

After joining an iMac to the domain I lost all access! AD issue


Hello,

We have a 2008 Standard server which is the DC, DNS, Print and File server.

Yesterday I joined an iMac to the domain and it seems to have caused all hell to break loose... unless it was just a random coincidence!

Basically, right after joining the mac to the domain, I tried to log on to the server locally, only to find out that my creds were not working. I get an error message saying: "The user name or password is incorrect."

Also, no-one else can log in to the domain. They get "Access denied."

I can connect via RDP but get the same error when trying to login, and I can connect to services via RSAT and AD, DNS, etc services show up as 'Started'.

DCDIAG returns: LDAP bind failed with error 8341

and the System Event log shows:

Warning | 17/06/2014 17:07:48 | Microsoft-Windows-Time-Service | 12 | None | Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Error | 17/06/2014 17:07:46 | Microsoft-Windows-DHCP-Server | 1059 | None | The DHCP service failed to see a directory server for authorization.
Information | 17/06/2014 17:07:46 | Microsoft-Windows-DHCP-Server | 1044 | None | The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain xxxxxxxx.local, has determined that it is authorized to start. It is servicing clients now.
Error | 17/06/2014 17:07:46 | Microsoft-Windows-DHCP-Server | 1059 | None | The DHCP service failed to see a directory server for authorization.
Warning | 17/06/2014 17:07:45 | Microsoft-Windows-DHCP-Server | 10020 | None | This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
Information | 17/06/2014 17:07:41 | Microsoft-Windows-ResourcePublication | 104 | None | The service is publishing to the network.
Warning | 17/06/2014 17:07:37 | Microsoft-Windows-DHCP-Server | 1056 | None | The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
Information | 17/06/2014 17:07:36 | Microsoft-Windows-DfsSvc | 14531 | None | DFS server has finished initializing.
Information | 17/06/2014 17:07:36 | Microsoft-Windows-DfsSvc | 14533 | None | DFS has finished building all namespaces.
Information | 17/06/2014 17:07:36 | Microsoft-Windows-Time-Service | 143 | None | The time service has started advertising as a good time source.
Information | 17/06/2014 17:07:36 | Microsoft-Windows-Time-Service | 139 | None | The time service has started advertising as a time source.
Warning | 17/06/2014 17:07:29 | LsaSrv | 40960 | (3) | The Security System detected an authentication error for the server ldap/ITSERVER01.xxxxxxxx.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Information | 17/06/2014 17:07:09 | Microsoft-Windows-Spooler-LPDSVC | 4000 | None | The Line Printer Daemon (LPD) service started successfully. No user action is required.
Warning | 17/06/2014 17:07:01 | Microsoft-Windows-Kerberos-Key-Distribution-Center | 29 | None | The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Information | 17/06/2014 17:06:52 | Microsoft-Windows-FilterManager | 6 | None | File System Filter 'luafv' (6.0, 19/01/2008 06:30:35) has successfully loaded and registered with Filter Manager.

DNS Event Log:

17/06/2014 | 17:08:46 | DNS | Error | None | 4007 | N/A | ITSERVER01.xxxxxxxxxx.local | The DNS server was unable to open zone 137.251.10.in-addr.arpa in the Active Directory from the application directory partition DomainDnsZones.xxxxxxxxxx.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
17/06/2014 | 17:08:08 | DNS | Error | None | 4000 | N/A | ITSERVER01.xxxxxxxxxx.local | The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
17/06/2014 | 17:07:14 | DNS | Warning | None | 4013 | N/A | ITSERVER01.xxxxxxxxxx.local | The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

I'm at a loss as to what to do... 
