i have a cloud based application that i am setting up AD sync with. in their directions below i have bolded the ones i need answers too. my domain functional level is windows server 2003

The active directory synchronization requires the following:

• A domain user which has the following properties:
• The password is known and does not expire - completed
  
• The domain user account has read permissions to all objects in the entire domain within active directory
• Confirm that if the domain has been upgraded to Windows 200x functional level from Windows NT4, 2000 or 2003 that we have the appropriate Group permissions below available to the domain user account for the synchronization in addition to read permissions to the entire domain:
  • Pre-Windows 2000 Compatible Access
  • Pre-Windows 2003 Compatible Access
• The username and password are passed using the appropriate communication channels - completed
  

i have created a service account in my AD called myappldap. does a domain user have read permissions to all objects in the entire domain within active directory without adding the to any other security groups except domain users? Or do i have to click on the top level domain object in AD>go to properties>security>and give them read permission and proprogate down those premissions? Also i do not see Pre-windows 2003 compatible access as a security object i can give this service account read permissions to. i just wanted to confirm that this is because i am still running a functional domain of windows server 2003?

I bleed .net

I'm setting the replication between AD and my LDS intstance, I decide to follow this article:

http://www.thegeekispeak.com/archives/64

when according to schema extension, as I have already extended schema in order to install MS Exchange. I succesfully load target schema from DC, but when I attempt to load base schema from LDS I receive the following error:

http://cid-0fadf372d269e1dd.photos.live.com/self.aspx/Alboom/Schema%20analyzer%20error.JPG

Do you have any clueas about the possible reason for this? Any help highly appreciated

I am trying to demote a server because it is old and I have a new one installed and working.
Executing dcpromo in the old server produces an error:

Active directory domain services could not transfer the remaining data in directory partition DC=ForestDNSZones,DC=xxxxxx,DC=local to ActiveDirectory Domain Controller \\newserver.xxxxxx.local.
"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

I have queried the active directory with "netdom query fsmo" and all fsmo roles are in the newserver.
Looking into the "directory service log" of the old server event viewer, I see a warning with the following description:

Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=xxxxxx,DC=local
FSMO Server DN: CN=NTDS
Settings\0ADEL:38b2eef0-bfa3-438a-a337-52349d447c49,CN=SVM\0ADEL:b4474016-1746-4988-af31-9f0d75909dbc,CN=Servers\0ADEL:a2ea0c85-85c1-4424-8f98-2d9ad429cd8b,CN=Site2\0ADEL:7883f732-28ef-4a0b-b2e4-f460df46b504,CN=Sites,CN=Configuration,DC=xxxxxx,DC=local

A long time ago, a server called "SVM" crashed without possible recovery. This server was in a a different Site called "Site2", and after the crash, the site and the server were deleted from active directory.

It seems that the server "SVM" has been existing as a deleted object for years and now it prevent my tries of demoting the old server.

With "Active Directory Users and computers" I found that there was a link to the "SVM" server in "System > File Replication Service > Domain System Volume > SVM". I deleted the replication but the "SVM" server already exists as deleted object and continues preventing the dcpromo.

Playing around with ldp.exe I found the deleted object "SVM" but I have not found any way to delete it object, all attempts with "delete from ldp" and "Remove-ADObject" with its GUID failed as object not found.

It seems that I must wait some moths until active directory delete the "SVM" server because it is not linked with the replication service, but maybe it is linked internally to other things I don't know.

Anyway I need to demote the old server in few days, I can not wait for months. Is there anyway to purge this deleted object that prevents me to demote a server?

Thank you for your help.

I have deployed a loopback Merge Mode GPO to set wallpaper for all users who logon to specified workstations. And you have set security filtering just allow workstations in specified group can apply this GPO. Then you doubt whether user can apply user configuration in the loopback GPO because they don’t in your security filtering allow list.

So I think why not add “Domain Users” group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.

Loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering control apply scope, then “Domain Users” security filtering grant permissions for all users.

========================issue is below================

Now GPO is applying to other workstations which are not part of group filtered in GPO.

its randomly but not for all workstations..

Workstations are XP operating systems..

HI All,

  Goal: Our Domain (DomainA) users(Internal-helpdesk) access  to the application hosting in other organization.(DomainB)

 MY Questions:

      1. As an Account Partner, Do we need a Federation Proxy Farm(2) and Federation Server Farm (2)? 

      2. What is the Risk without Proxy single server or farm?

      3. What sort of spec for VM's ? (30 Internal Helpdesk users)

      4. We have DMZ TMG 2012 VM. Can i use that?

 DomainB giving following technical requirements:

     1. Acquire a TLC Certificate for "service Communication" and "token decrypting". What is this mean and how?

     2. Acquire a verisign gatekeeper device type 3 certificate as "token Signing". What is this mean and how?

     3. Provide .CER ( Public Cert)of the token-signing cert to domainb and federation identifies and local endpoints?

I know lots of questions pls help me with design.

AS

I had removed a site before removing the contents. This site had the server contents. I realized that after I had already removed the site. How can I repair this server’s site attribute? Unfortunately, I had not enabled Active Directory Recycle Bin.

This environment is 2008R2.

I would really appreciate any help...!!

It seems like Password Export Server (PES)- x64 isn’t available any more. When I click the download link it said “We are sorry, the page you requested cannot be found”

This is the link I’m using: www.microsoft.com/en-my/download/details.aspx?id=1838

We have a service account that has an unusual authentication problem. The account runs fine on our server 2008 R2 server, but the same account does not appear to be able to use kerberos for authentication with the domain controller. You get logged in, but you get a balloon tip that says:

"Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card."

Logging out or rebooting doesn't help.

We also noticed that kerberos logon does not complete successfully when trying to use the service account to connect to an SQL server on a different box. During the SQL server connection process we are able to get a network capture, and have noticed that kerberos fails requiring preauth (which we understand to be normal), but we never see a successful kerberos authentication with the domain controller in the network trace or the security logs. If we turn off pre-Authentication, we can see that the issue is related to encryption due to the krb5kdc_err_etype_nosupp error.

So we believe we have an encryption issue, except that if anyone else logs into the server, none of these problems exist. We have made this account a member of the same groups that I am a part of (way more rights than required), and we have put the account in the same OU as my account. My account works just fine for everything. The service account doesn't seem to authenticate properly. Even in Kerbtray I see no indication of issued kerberos certificates.

This service account has rights in active directory, Exchange, and SQL databases. I don't want to recreated it if I don't have to, but I cannot figure out why it doesn't work right. Any help pointing me to what I have over looked would be appreciated.

Hi,

I have a windows 2012 server, I am the domain admin, and have all the roles which default administrator have. The problem is that my permissions are revoked. When I checked in Security settings of my user, I noticed that Inheritance was removed on my user. I then manually enable inheritance. But after some time it disabled automatically. Can you suggest?

I'll be grateful for any help.

Anees

We are currently  in the middle of migration to o365. We have 2010Exhange Hybrid and ADFS 3.0 in Win 2012 R2. Most of our users are not domain joined and we are trying to figure out what is the best /recommended  solution to allow users to change their AD password while remote.

Thanks,

Egert

Hello,

We have a 2008 Standard server which is the DC, DNS, Print and File server.

Yesterday I joined an iMac to the domain and it seems to have caused all hell to break loose... unless it was just a random coincidence!

Basically, right after joining the mac to the domain, I tried to log on to the server locally, only to find out that my creds were not working. I get an error message saying: "The user name or password is incorrect."

Also, no-one else can log in to the domain. They get "Access denied."

I can connect via RDP but get the same error when trying to login, and I can connect to services via RSAT and AD, DNS, etc services show up as 'Started'.

DCDIAG returns: LDAP bind failed with error 8341

and the System Event log shows:

Warning17/06/2014 17:07:48Microsoft-Windows-Time-Service12NoneTime Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Error17/06/2014 17:07:46Microsoft-Windows-DHCP-Server1059NoneThe DHCP service failed to see a directory server for authorization.
Information17/06/2014 17:07:46Microsoft-Windows-DHCP-Server1044NoneThe DHCP/BINL service on the local machine, belonging to the Windows Administrative domain xxxxxxxx.local, has determined that it is authorized to start. It is servicing clients now.
Error17/06/2014 17:07:46Microsoft-Windows-DHCP-Server1059NoneThe DHCP service failed to see a directory server for authorization.
Warning17/06/2014 17:07:45Microsoft-Windows-DHCP-Server10020NoneThis computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
Information17/06/2014 17:07:41Microsoft-Windows-ResourcePublication 104None The service is publishing to the network.
Warning17/06/2014 17:07:37Microsoft-Windows-DHCP-Server1056None"The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line ""netsh dhcp server set dnscredentials"" or via the DHCP Administrative tool."
Information17/06/2014 17:07:36Microsoft-Windows-DfsSvc14531NoneDFS server has finished initializing.
Information17/06/2014 17:07:36Microsoft-Windows-DfsSvc14533NoneDFS has finished building all namespaces.
Information17/06/2014 17:07:36Microsoft-Windows-Time-Service143NoneThe time service has started advertising as a good time source.
Information17/06/2014 17:07:36Microsoft-Windows-Time-Service139NoneThe time service has started advertising as a time source.
Warning17/06/2014 17:07:29LsaSrv40960(3)"The Security System detected an authentication error for the server ldap/ITSERVER01.xxxxxxxx.local. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request.
 (0xc000005e)""."
Information17/06/2014 17:07:09Microsoft-Windows-Spooler-LPDSVC4000NoneThe Line Printer Daemon (LPD) service started successfully. No user action is required.
Warning17/06/2014 17:07:01Microsoft-Windows-Kerberos-Key-Distribution-Center29NoneThe Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Information17/06/2014 17:06:52Microsoft-Windows-FilterManager6NoneFile System Filter 'luafv' (6.0, 19/01/2008 06:30:35) has successfully loaded and registered with Filter Manager.

DNS Event Log:

17/06/201417:08:46DNSErrorNone4007N/AITSERVER01.xxxxxxxxxx.localThe DNS server was unable to open zone 137.251.10.in-addr.arpa in the Active Directory from the application directory partition DomainDnsZones.xxxxxxxxxx.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
17/06/201417:08:08DNSErrorNone4000N/AITSERVER01.xxxxxxxxxx.localThe DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
17/06/201417:07:14DNSWarningNone4013N/AITSERVER01.xxxxxxxxxx.localThe DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

I'm at a loss as to what to do... 

HI ,

I am getting specific issue with domain users their USB drives getting gettingdisable in systems which are in domain. This issue is coming on daily basis and we have to reinstall USB mass storage driver to have the USB driver working.

We have not applied any Policy which impact to USB

Please assist and do the needful this problem on permanent.

Regards

Rajesh

I have nokia lumia 520 and I am unable to add facebook in accounts. Every time when I try it gives the error saying,

We are having trouble adding facebook. Make sure you have good reception. If do, the problem may be on the other end. Wait a little while and try again.

if you call support, you can tell them you received this error code

0x85fbe196

please help me out. I have tried it lot of times.

Details:

Mobile : Nokia Lumia 520
OS: Windows Phone 8
Country: Pakistan
Internet Connection: Wifi Home Network

I have been given the following task, can anyone tell me how can I do it ?

Set msDS-AllowedToDelegateTo to:

§  MSSQLSvc/BLDEPP01.DOMAIN.COM\SQL2012:1450

Regards, h9ck3r.

I have a small query that what happens in the background when we join computer in an Active Directory domain.

Hi, I have a Parent / Root Domain which replicates to multiple locations Child domains and in which DNS replication happens. Now some of the locations are having sites / portals hosted at their locations. However, the DNS at my location synchronize with Parent DNS and resolves with Private IP Address of those portals to which we do not have direct network connectivity from my location. Only way to connect those Portals is thru Internet. But all the user's host file needs to be edited so that it resolves with Public IP address instead of private ones. Do we have any option where I can create a separate zone in my local DNS which can have manual entry of those public IP address of portal? When user try to access those portals it will learn public IP Address and they will be routed through internet capacity. Kindly suggest.

Hi,

We've recently moved and upgraded our AD from Server 2003 (with W2K3 functional level ) to Server2012R2 (and W2K12R2 Functional level). The upgrade was completed successfully.

However, a user has reported that since the upgrade that when he runs get-adgroupmember groupname, or get-ADPrincipalGroupMembership  Powershell throws the following error:

I get the same error on my own domain user account, but if I elevate to my domain administrator account and run it from my desktop, the command runs successfully.

I've googled around, but havn't found anything conclusive, other than restarting ADWS which didn't work.

Does anyone know what might be causing this?

Many Thanks

Mark