Channel: Directory Services forum
Viewing all 31638 articles

Setting AD FS and Azure trust, existing CRM deployment

We're using an ADFS server with an additional WAP server for an on-premise deployment of CRM 2013. We're in the process of implementing Windows Intune and would like to leverage our existing servers. When going through the steps to set up a trust between AD FS and Azure AD (http://technet.microsoft.com/en-us/library/jj205461.aspx) we ran New-MsolFederatedDomain -DomainName but received:

New-MsolFederatedDomain : The domain already exists as a standard authentication domain.  To convert the domain to identity federation, use convert-MSOLDomainToFederated.

My question is: will using Convert-MsolDomainToFederated -DomainName <domain> in any way affect our existing on-premise deployment of CRM (I'm not sure what exactly it does)? Is there anything we need to consider so that it does not?

ADFS If Exist Then statement


Has anyone created an ADFS claim using the claim language to create a claim as follows (for the same relying party trust)? If you can help, that would be greatly appreciated.

Logic:

If extensionAttribute1 = X then use "employee-Number" as the LDAP attribute and "Name ID" as the outgoing claim type

If extensionAttribute1 = Y then use "extensionAttribute2" as the LDAP attribute and "Name ID" as the outgoing claim type

Thanks in advance!!

Feddie
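The two-branch logic asked for above cannot be expressed in a single "Send LDAP Attributes as Claims" rule, because the branch condition itself has to be read from AD first. The pattern below is an added worked example (not from the original post or from Microsoft documentation): one rule stages the attributes into the pipeline with add (so they are never sent to the relying party), and two rules then issue Name ID conditionally. It assumes ADFS 2.1 on Windows Server 2012 with the ADFS module, a relying party trust with the placeholder display name "Example RP", the LDAP display names extensionAttribute1, employeeNumber and extensionAttribute2, and that the branch values are literally "X" and "Y".

```powershell
# Added example, not code from the original post. Assumes the ADFS module
# (Windows Server 2012 / ADFS 2.1), an existing relying party trust with the
# placeholder name "Example RP", and the LDAP display names used below.
Import-Module ADFS

$rpName = 'Example RP'   # placeholder: the relying party trust to update

# Intermediate claim types stay inside the pipeline (add, not issue), so the
# relying party only ever receives the single Name ID that is issued.
$ext1   = 'http://temp/extensionAttribute1'
$empNo  = 'http://temp/employeeNumber'
$ext2   = 'http://temp/extensionAttribute2'
$nameId = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

$rules = @"
@RuleName = "Stage the deciding attributes from AD (pipeline only)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$ext1", "$empNo", "$ext2"), query = ";extensionAttribute1,employeeNumber,extensionAttribute2;{0}", param = c.Value);

@RuleName = "extensionAttribute1 = X: Name ID from employeeNumber"
c1:[Type == "$ext1", Value == "X"]
 && c2:[Type == "$empNo"]
 => issue(Type = "$nameId", Value = c2.Value);

@RuleName = "extensionAttribute1 = Y: Name ID from extensionAttribute2"
c1:[Type == "$ext1", Value == "Y"]
 && c2:[Type == "$ext2"]
 => issue(Type = "$nameId", Value = c2.Value);
"@

# This replaces the whole issuance transform rule set of the trust; if the trust
# already issues other claims, append these rules to the existing text instead.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read back what was stored so the change can be checked before users test it.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

A user whose extensionAttribute1 is neither X nor Y gets no Name ID at all from these rules, which is usually the safer default; add a third rule only if the relying party genuinely needs a fallback.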

Issue with Exchange 2003 after upgrading Active Directory

I upgraded AD from 2003 to 2008 R2. Before, I could go into AD to create users, click on the email check box and the user would have an account on Exchange. Now this feature is not available. How do I create mailboxes on my Exchange 2003 Server for users now?

W2K8r2 DC not serving clients


Problem Context:

  • 4 DC's serving the domain (native W2K3), DC01, 2, and 3 are W2K3x32, DC04 is W2K8r2x64 (newly added).
  • All DC's are GC and DNS.
  • DC's all pass DCDiag with no unexplainable errors
  • LDAP query of the DC's in the site shows all 4, with identical weight
  • All DC's are in the same AD Site
  • No errors in any event log
  • Sysvol is visible from everywhere, for all 4 DC's
  • repadmin /replsum /errorsonly on all DC's (including 04) shows no issues that I don't understand (we have a remote DC in the forest offline, I see that one)
  • Each DC points to another DC for 1st DNS and itself for 2nd, in a chain (01->02, 02->03, etc)
  • All are single NIC, on different subnets.

I have 1500+ clients in my environment. DC01/2/3 are slated to be upgraded; DC04 is the first. It's newer hardware: 1 Gb vs 100 Mb, more RAM, x64, etc. However, in removing the old 04 and adding a new one, DC01/2/3 went off the charts on CPU/LSASS. Doing a query (nltest /sc_query:domain) of my environment, I see that 33% of the environment goes to each of 01/2/3 and 0% go to DC04. I have a script I run to "stir the pot" after I reboot a DC to "rebalance" them, which is essentially an "nltest /sc_reset:domain" run on each server. I run this, and 33% end up on 1/2/3, 0% on 4.

If I do it by hand, nltest /sc_reset:domain\dc04, it works and the system uses DC04 and stays there, as expected, but if left to their own devices, zero systems choose DC04.

Help? I've no clue why this is happening. What happens when I replace DC01/2/3 with W2K8 DCs? Will the systems choose none of them? We're buried in CPU alerts and my rollout is blocked until I can close on this.

Any wisdom would be greatly appreciated.  Thank you.
Windows Server 2003 AD Migration Problem


Hi Team,

I'm currently working on a project to migrate our Windows Server 2003 AD server (old machine) to our new Windows Server 2003 machine (PDC-AD). I successfully promoted our new AD server (PDC-AD) as a domain controller, but upon checking, the server is not promoted as a Global Catalog, with the following errors shown below.

C:\Documents and Settings\Administrator.PDC-AD>dcdiag /q
         Warning: PDC-AD has not finished promoting to be a GC.
         Check the event log for domains that cannot be replicated.
         Warning: PDC-AD is not advertising as a global catalog.
         Check that server finished GC promotion.
         Check the event log on server that enough source replicas for the GC are available.
         ......................... PDC-AD failed test Advertising
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... PDC-AD failed test frsevent
         An Information Event occured.  EventID: 0x40000617
            Time Generated: 04/03/2014   11:28:47
            (Event String could not be retrieved)
         An Information Event occured.  EventID: 0x4000062A
            Time Generated: 04/03/2014   11:28:47
            (Event String could not be retrieved)
         An Information Event occured.  EventID: 0x40000456
            Time Generated: 04/03/2014   11:28:47
            (Event String could not be retrieved)
         ......................... PDC-AD failed test kccevent

C:\Documents and Settings\Administrator.PDC-AD>\

Is there any tool I can use to further isolate the problem?

Thanks

Mark D.


ADFS 2.1 Design Questions


Hi All,

Goal: Our domain (DomainA) users (internal helpdesk) need access to the application hosted in another organization (DomainB).

My questions:

      1. As an Account Partner, do we need a Federation Proxy farm (2) and a Federation Server farm (2)?

      2. What is the risk without a proxy, single server or farm?

      3. What sort of spec for the VMs? (30 internal helpdesk users)

      4. We have a DMZ TMG 2012 VM. Can I use that?

DomainB is giving the following technical requirements:

      1. Acquire a TLC certificate for "service communication" and "token decrypting". What does this mean, and how?

      2. Acquire a VeriSign Gatekeeper device type 3 certificate as "token signing". What does this mean, and how?

      3. Provide the .CER (public cert) of the token-signing cert to DomainB, plus the federation identifiers and local endpoints?

I know it's a lot of questions; please help me with the design.

AS


enterprise CA on a 2003 DC - move to 2012 DC?

I'm looking for guidance on replacing a CA that's on a Server 2003 DC with a CA on a Server 2012 R1 DC. Is it possible to backup/restore here? They are just computer certificates; if I revoke and uninstall the CA on 2003, shouldn't they just re-autoenroll on 2012, presuming the autoenrollment configuration is correct?

Old DC Servers still reporting in dcdiag after demoting 2003 R2 servers in 2008 R2 domain


I demoted two 2003 R2 servers and turned off the servers, one of which was FSMO. Now when I run "DCDIAG /c /v /f:dcdiag.txt" on the new FSMO server ma-file1 it still shows the two demoted domain controllers ma-file and ma-util as shown below. I have cleaned DNS but can't seem to clear the below entries. I also made sure ma-file and ma-util are not in Sites and Services. Any ideas how to get this cleared? Again, ma-file and ma-util only show up on ma-file1 when running dcdiag. The other DCs do not show ma-file or ma-util when running dcdiag.

ma-file and ma-util are demoted and turned off. Very odd.

Performing initial setup:

   * Connecting to directory service on server ma-file1.
   ma-file1.currentTime = 20140324215330.0Z
   ma-file1.highestCommittedUSN = 300526
   ma-file1.isSynchronized = 1
   ma-file1.isGlobalCatalogReady = 1

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ccc,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccc,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Boffice,CN=Sites,CN=Configuration,DC=ccc,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Urology,CN=Sites,CN=Configuration,DC=ccc,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ccc,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=MA-FILE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccc,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=MA-UTIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccc,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
Windows Server 2012 R2 - Domain Controller - Not able to access Internet


I am not able to access the Internet on my "Windows Server 2012 R2 Domain Controller", which I have set up along with another 4 servers.

Server IP configuration: Domain Controller

Static IP:       10.10.10.10
Subnet mask:     255.255.255.0
Default Gateway: -.-.-.-  (blank)

I have my router IP information as follows (which I just got from my laptop using "ipconfig"):

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.39
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Please help me out with what needs to be configured so that I can access the Internet on my Domain Controller as well as the other servers that I am about to set up.

Thank you.

Event ID 5141 and 4662. DNS entry for DC getting deleted by System


All,

Been trying to track down why a static DNS entry in an AD Integrated DNS zone keeps being deleted by the "System".

The entry is for the 2nd of two DC's. It is not a FSMO role holder.

If I drill down in ADSIedit to the Microsoft DNS zones (CN=MicrosoftDNS), find the record in question and open its properties, I do see that it has been marked dNSTombstoned TRUE.

As long as that stays TRUE, it will delete the entry, and it does do that; however, if I change that attribute to FALSE and manually create a new DNS entry, the attribute gets changed back to TRUE and the record again gets deleted.

Below is the actual Security log from Event Viewer (edited just a bit) that is logged after the DNS AD object has been deleted.

My question is, how do I troubleshoot/figure out why the system keeps deleting this DNS entry?

Thanks for any input.

      -joe

A directory service object was deleted.

Subject:
   Security ID: SYSTEM
   Account Name: SYSTEM
   Account Domain: NT AUTHORITY
   Logon ID: 0xb713de

Directory Service:
   Name: domain.com
   Type: Active Directory Domain Services

Object:
   DN: DC=domain-dc1,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com
   GUID: DC=domain-dc1,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com
   Class: dnsNode

Operation:
   Tree Delete: No
   Correlation ID: {2df081230-546e-4a1b-8efb-fdd547u6fc97}
   Application Correlation ID: -

DFS


I keep getting a DFSR Event ID 5014 (stopping communication with partner), immediately followed by 5008 (failed to communicate with partner), and a minute or two later 5004 (successfully established connection with partner). This happens multiple times a day and I cannot figure it out.

Any help would be appreciated.

Thanks

Old deleted server still in Active directory and prevents dcpromo


I am trying to demote a server because it is old and I have a new one installed and working.
Executing dcpromo on the old server produces an error:

Active directory domain services could not transfer the remaining data in directory partition DC=ForestDNSZones,DC=xxxxxx,DC=local to ActiveDirectory Domain Controller \\newserver.xxxxxx.local.
"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

I have queried Active Directory with "netdom query fsmo" and all FSMO roles are on the new server.
Looking into the "Directory Service" log of the old server's event viewer, I see a warning with the following description:

Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=xxxxxx,DC=local
FSMO Server DN: CN=NTDS
Settings\0ADEL:38b2eef0-bfa3-438a-a337-52349d447c49,CN=SVM\0ADEL:b4474016-1746-4988-af31-9f0d75909dbc,CN=Servers\0ADEL:a2ea0c85-85c1-4424-8f98-2d9ad429cd8b,CN=Site2\0ADEL:7883f732-28ef-4a0b-b2e4-f460df46b504,CN=Sites,CN=Configuration,DC=xxxxxx,DC=local

A long time ago, a server called "SVM" crashed without possible recovery. This server was in a different site called "Site2", and after the crash the site and the server were deleted from Active Directory.

It seems that the server "SVM" has existed as a deleted object for years and now it prevents my attempts to demote the old server.

With "Active Directory Users and Computers" I found that there was a link to the "SVM" server in "System > File Replication Service > Domain System Volume > SVM". I deleted the replication entry, but the "SVM" server still exists as a deleted object and continues to prevent the dcpromo.

Playing around with ldp.exe I found the deleted object "SVM", but I have not found any way to delete the object; all attempts with "delete from ldp" and "Remove-ADObject" with its GUID failed with object not found.

It seems that I must wait some months until Active Directory deletes the "SVM" server, because it is not linked with the replication service, but maybe it is linked internally to other things I don't know about.

Anyway, I need to demote the old server in a few days; I cannot wait for months. Is there any way to purge this deleted object that prevents me from demoting the server?

Thank you for your help.

AD sync service account for cloud based application


I have a cloud-based application that I am setting up AD sync with. In their directions below I have bolded the ones I need answers to. My domain functional level is Windows Server 2003.

The active directory synchronization requires the following:

  • A domain user which has the following properties:
  • The password is known and does not expire - completed
  • The domain user account has read permissions to all objects in the entire domain within active directory
  • Confirm that if the domain has been upgraded to Windows 200x functional level from Windows NT4, 2000 or 2003 that we have the appropriate Group permissions below available to the domain user account for the synchronization in addition to read permissions to the entire domain:
    • Pre-Windows 2000 Compatible Access
    • Pre-Windows 2003 Compatible Access
  • The username and password are passed using the appropriate communication channels - completed

I have created a service account in my AD called myappldap. Does a domain user have read permissions to all objects in the entire domain within Active Directory without adding them to any other security groups except Domain Users? Or do I have to click on the top-level domain object in AD > go to Properties > Security > and give them read permission and propagate those permissions down? Also, I do not see Pre-Windows 2003 Compatible Access as a security object I can give this service account read permissions to. I just wanted to confirm that this is because I am still running a domain functional level of Windows Server 2003?

AD Migration from one domain to another domain between different Forest.


Dear Team,

We have a domain named "test.gov.in". Now we want to migrate all the users, computers, groups, GPOs, etc. into our new domain "abc.net". The operating system of the source DC and the destination DC is the same (Windows 2003 32-bit).

Please provide me the steps to migrate one domain to another domain between different forests.

Thanks

Anurag

Secondary Domain Controller


Hi ,

I have 2 physical servers, srvr1 and srvr2, running Windows Server 2012 Standard, with 32 GB RAM and 800 GB each. srvr1 is the domain controller, and I need to make a secondary as a backup in case the first one fails.

My question is, what is the best option:

install the secondary domain controller on srvr2, or on a Hyper-V instance on srvr2, and why?

Thanks in advance
Change primary SMTP address using powershell for AD NOT Exchange


I am in Office 365 Hybrid mode; this question has been asked on the Office 365 forums and I was directed here.

Using PowerShell for Exchange 2007+, it's a fairly simple process to change the primary SMTP address.

Using a PowerShell script with a couple of simple variables, this is what I would use for Exchange:

Set-MailBox "$getUsername" -EmailAddressPolicyEnabled $false -PrimarySmtpAddress $getSMTP

Is there any equivalent or something similar to this for AD PowerShell?
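There is no single AD cmdlet parameter that mirrors -PrimarySmtpAddress; in AD the primary address is the proxyAddresses entry whose prefix is upper-case "SMTP:", with secondary addresses prefixed lower-case "smtp:". The function below is an added example (not from the original post) that rewrites proxyAddresses and mail accordingly with the ActiveDirectory module; the sAMAccountName and address it is called with are placeholders.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and an account allowed to write proxyAddresses and mail on the user.
Import-Module ActiveDirectory

function Set-AdPrimarySmtpAddress {
    param(
        [Parameter(Mandatory)] [string] $Identity,     # sAMAccountName, DN or GUID
        [Parameter(Mandatory)] [string] $NewPrimary    # e.g. first.last@example.com
    )
    $user = Get-ADUser -Identity $Identity -Properties proxyAddresses, mail

    # Demote every current primary (upper-case SMTP:) to secondary (lower-case smtp:),
    # keep non-SMTP entries (X500:, SIP:, ...) untouched, and drop any existing copy
    # of the new address so it is not listed twice. -ne is case-insensitive here.
    $addresses = @(
        @($user.proxyAddresses) |
            ForEach-Object { if ($_ -cmatch '^SMTP:') { 'smtp:' + $_.Substring(5) } else { $_ } } |
            Where-Object { $_ -ne "smtp:$NewPrimary" }
    )
    $addresses += "SMTP:$NewPrimary"

    # Exactly one upper-case SMTP: entry must remain; refuse to write anything else.
    $primaries = @($addresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaries.Count -ne 1) {
        throw "Refusing to write proxyAddresses with $($primaries.Count) primary entries."
    }

    # mail is kept in step with the primary so LDAP clients that read mail agree.
    Set-ADUser -Identity $Identity -Replace @{
        proxyAddresses = [string[]]$addresses
        mail           = $NewPrimary
    }
    Get-ADUser -Identity $Identity -Properties proxyAddresses, mail |
        Select-Object SamAccountName, mail, proxyAddresses
}

# Placeholder values; replace with the real account and address.
Set-AdPrimarySmtpAddress -Identity 'jdoe' -NewPrimary 'jane.doe@example.com'
```

If an Exchange e-mail address policy still applies to the on-premises mailbox object, the policy can overwrite these attributes on its next run, so exclude the mailbox from the policy first (the AD equivalent of -EmailAddressPolicyEnabled $false). After the change, directory synchronization has to run before Office 365 reflects the new primary.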
Can't join AD Domain using FQDN - Fails with Error 53 "Network Path not Found"


06/22/2014 08:28:20:209 NetpDoDomainJoin
06/22/2014 08:28:20:209 NetpMachineValidToJoin: 'MDMSRV01'
06/22/2014 08:28:20:209 OS Version: 6.1
06/22/2014 08:28:20:209 Build number: 7601 (7601.win7sp1_gdr.140303-2144)
06/22/2014 08:28:20:209 ServicePack: Service Pack 1
06/22/2014 08:28:20:209 SKU: Windows Server 2008 R2 Enterprise
06/22/2014 08:28:20:209 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
06/22/2014 08:28:20:209 NetpGetLsaPrimaryDomain: status: 0x0
06/22/2014 08:28:20:209 NetpMachineValidToJoin: status: 0x0
06/22/2014 08:28:20:209 NetpJoinDomain
06/22/2014 08:28:20:209 Machine: MDMSRV01
06/22/2014 08:28:20:209 Domain: phamnet.int
06/22/2014 08:28:20:209 MachineAccountOU: (NULL)
06/22/2014 08:28:20:209 Account: phamnet.int\GlobalAdmin
06/22/2014 08:28:20:209 Options: 0x27
06/22/2014 08:28:20:209 NetpLoadParameters: loading registry parameters...
06/22/2014 08:28:20:209 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/22/2014 08:28:20:209 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/22/2014 08:28:20:209 NetpLoadParameters: status: 0x2
06/22/2014 08:28:20:209 NetpValidateName: checking to see if 'phamnet.int' is valid as type 3 name
06/22/2014 08:28:20:318 NetpCheckDomainNameIsValid [ Exists ] for 'phamnet.int' returned 0x0
06/22/2014 08:28:20:318 NetpValidateName: name 'phamnet.int' is valid for type 3
06/22/2014 08:28:20:318 NetpDsGetDcName: trying to find DC in domain 'phamnet.int', flags: 0x40001010
06/22/2014 08:28:20:427 NetpLoadParameters: loading registry parameters...
06/22/2014 08:28:20:427 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/22/2014 08:28:20:427 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/22/2014 08:28:20:427 NetpLoadParameters: status: 0x2
06/22/2014 08:28:20:427 NetpDsGetDcName: status of verifying DNS A record name resolution for 'DOMCON02.phamnet.int': 0x0
06/22/2014 08:28:20:427 NetpDsGetDcName: found DC '\\DOMCON02.phamnet.int' in the specified domain
06/22/2014 08:28:20:427 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
06/22/2014 08:29:08:707 [000002e0] NetpGetLsaPrimaryDomain: status: 0x0
06/22/2014 08:29:10:345 NetUseAdd to \\DOMCON02.phamnet.int\IPC$ returned 53
06/22/2014 08:29:10:345 NetpJoinDomain: status of connecting to dc '\\DOMCON02.phamnet.int': 0x35
06/22/2014 08:29:10:345 NetpJoinDomainOnDs: Function exits with status of: 0x35
06/22/2014 08:29:10:345 NetpDoDomainJoin: status: 0x35

So it looks like Windows Server 2012 is very fussy with the DNS records. I had no issues joining machines to the domain until Server 2012 came along. Can someone help here? I've triple checked the SRV records in the DNS and I've screwed around with DNS suffixes etc.

What is the impact of upgrading the domain or forest functional level to 2012?


What is the impact of upgrading the forest or domain functional level to 2012?
Especially, I'm seeking advice so that the trust relationships (forest or domain) keep working fine.

My environment: DC×15 (2008 R2) in one forest that includes two domains. The forest & domain functional levels are both 2008. I'm going to upgrade all domain controllers to 2012.

My Trust relationships:
One-way external trust - incoming or outgoing - w/ aaa.ccc.local,ddd.eee.com...and more
Two-way external trust - incoming or outgoing - w/ aaa.local,xxx.yyyy.com...and more
Forest trust - incoming - qqq.www.com

Any Information would be GREATLY appreciated!

dSCorePropagationData attribute meaning

What is the meaning of the dSCorePropagationData attribute?

Regards

LDAP proxy?


We have several applications which are hosted/SaaS type deals. These applications authenticate against our Active Directory. Right now we punch holes through the firewall from the application servers to our AD domain controllers. Not the best or most secure solution, to be sure. I'm wondering how we can do this better. I'm picturing some type of LDAP proxy server that would sit in our DMZ and relay authentication requests from the external application server to the domain controllers. I did a bit of Googling, but didn't find much in terms of an LDAP proxy. Does such a thing exist? Can LDS be an LDAP proxy?

We only have 1 domain, so we don't need to worry about federation or anything like that.  But a bonus would be the ability to create accounts for users on the LDAP proxy server.  (In other words, sometimes we have to give access to a certain application for users who are not part of our organization... partners and such... right now we create AD accounts for them, but that's kinda kludgy.)

Thanks!
