Channel: Directory Services forum

Certificate Services in Microsoft

I have a standalone CA which is the root CA and a subordinate CA which is domain joined. I recently renewed the certificates of my root CA and sub CA. How will these certificates be distributed to client machines in the Trusted Root Certification Authorities folder?
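Renewing the CA certificates does not by itself change anything on the clients. The enterprise (domain-joined) sub CA writes its renewed certificate to the AIA container of the forest configuration partition when it renews; the standalone root's renewed certificate has to be published to AD by hand (or pushed through a GPO), and domain members then import it into Trusted Root Certification Authorities on their next autoenrollment/Group Policy refresh. The following is an added example, not part of the post: it publishes both renewed certificates from exported .cer files and checks that a client has picked up the root. The file paths are assumptions.

```powershell
# Added example. Run the publish step once as an Enterprise Admin on a domain-joined host;
# run the client check on any domain member (copy the .cer there or adjust the path).
$RootCer = 'C:\Certs\RootCA-renewed.cer'   # assumed path: exported from the standalone root CA
$SubCer  = 'C:\Certs\SubCA-renewed.cer'    # assumed path: exported from the enterprise sub CA

# --- publish to the forest configuration partition --------------------------------------
# RootCA -> CN=Certification Authorities,CN=Public Key Services,...  (clients put it in Trusted Root)
# SubCA  -> CN=AIA,CN=Public Key Services,...                        (clients put it in Intermediate CAs)
# -f creates the container object if this CA has never been published before.
certutil -dspublish -f $RootCer RootCA
certutil -dspublish -f $SubCer  SubCA

# The enterprise stores are read from AD. If the renewal used a NEW key pair, both the old and the
# renewed certificate must be listed: certificates issued under the old key still chain to the old one.
certutil -enterprise -store Root
certutil -enterprise -store CA

# The renewed sub CA certificate must chain to the renewed root (AIA/CDP URLs must be reachable).
certutil -verify -urlfetch $SubCer

# --- client side --------------------------------------------------------------------------
certutil -pulse                     # runs autoenrollment now; this also refreshes the AD-sourced root/intermediate stores
gpupdate /target:computer /force

$renewed = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCer)
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $renewed.Thumbprint }
if ($inStore) {
    "Renewed root is trusted: $($inStore.Subject), valid until $($inStore.NotAfter)"
} else {
    'Renewed root is NOT in Trusted Root yet; check CertificateServicesClient-AutoEnrollment events in the Application log'
}
```

Nothing here revokes or removes the previous certificates. If the root was renewed with a new key, keep the old root published and trusted until the last certificate issued under the old chain has expired, and publish the new root CRL the same way (certutil -dspublish -f RootCA.crl), otherwise clients that fetch revocation data will fail on the new chain.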

Domain accounts locked out regularly


Hi,

I have quite a number of invalid log-ons daily, causing lockouts.

Action taken,

1. Unselected IPv6 on the Windows 7 workstation

2. Followed the PSS troubleshooting method http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

3. Used NetWrix Account Lockout Examiner - all results look fine except for a lot of invalid logons, ranging from 20 to 60.

4. Netstat output from the Windows 7 workstation

Active Connections

  Proto  Local Address          Foreign Address        State           Offload State

  TCP    10.82.0.11:49182       austin801ai:52230      ESTABLISHED     InHost      
  TCP    10.82.0.11:50231       sippoolbl20a02:https   ESTABLISHED     InHost      
  TCP    10.82.0.11:50253       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50254       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50278       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50279       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50280       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50281       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50298       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50301       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50306       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50307       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50315       autocache:8080         ESTABLISHED     InHost      
  TCP    10.82.0.11:50316       autocache:8080         ESTABLISHED     InHost      
  TCP    127.0.0.1:49155        2OPSLW7N048:49156      ESTABLISHED     InHost      
  TCP    127.0.0.1:49156        2OPSLW7N048:49155      ESTABLISHED     InHost      

What is next?  Running out of ideas.  Please advise.  Thanks.


Kelvin Teang

Set msDS-AllowedToDelegateTo to


I have been given the following task; can anyone tell me how I can do it?

Set msDS-AllowedToDelegateTo to:

§  MSSQLSvc/BLDEPP01.DOMAIN.COM\SQL2012:1450


Regards, h9ck3r.
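As an added example (not part of the post), here is how the attribute is set with the ActiveDirectory module. The account that receives the delegation right is an assumption, since the post does not name it; the SPN string is used exactly as given in the task, and the first step checks that it is actually registered, because entries in msDS-AllowedToDelegateTo must match a registered SPN character for character or the ticket request for the back end will fail.

```powershell
# Added example. $Account is assumed: the service account of the front end (web/app tier) that
# has to obtain Kerberos tickets to SQL on the user's behalf.
Import-Module ActiveDirectory
$Account = 'svc-appserver'                                # assumed delegating account
$Spn     = 'MSSQLSvc/BLDEPP01.DOMAIN.COM\SQL2012:1450'    # exactly as given in the task

# 1. The target SPN must be registered on the SQL service account. -Q reports the owning
#    account, or "No such SPN found" if the string does not match any registered SPN.
setspn -Q $Spn

# 2. Add the SPN to the multi-valued attribute; -Add keeps any entries already present.
Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }

# 3. Keep it constrained and Kerberos-only: no unconstrained delegation on this account, and no
#    protocol transition unless the front end really cannot get a Kerberos ticket from the user.
#    TrustedToAuthForDelegation lets the account impersonate ANY user to the listed SPNs without
#    ever seeing that user's credentials, so it widens the impact of a compromise of $Account.
Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 4. Verify the result
Get-ADUser -Identity $Account -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
                  @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

If the front end runs under a computer account (an IIS application pool as Network Service, for instance), use Set-ADComputer with the same -Add hashtable. The constrained list is what limits the damage if that account is compromised, so review it the same way you would review group membership.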

Account Lockout repeatedly, even though lockout policy is disabled


I have a remote user whose domain account keeps getting locked out, and I'm completely stumped. Due to the lockout issues, we have disabled the domain lockout policy and use the soft lockout function available in Forefront TMG. This is working for everyone but the one user.

On the DC that is locking the account, I see event ID 4740 in the security logs. What makes ZERO sense is that the Caller Computer shows as her workstation. Her workstation is a Surface Pro, which is not on a VPN, so it has no connection to the domain controller. When users that were connecting through TMG were getting locked out, the Caller Computer showed as the TMG machine.

I have gone through and cleared any saved credentials from the Credential Manager on the workstation, yet the account is still getting locked out.

So why is this account getting locked out even though the lockout policy is disabled? And how is it showing the user's workstation as the caller computer when it has no direct connection to any domain controllers?
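The two lockout threads above (the Windows 7 workstation with 20 to 60 invalid logons a day, and the Surface Pro user whose 4740 names her own workstation) need the same evidence: the 4740 events from the PDC emulator for the caller computer name, the matching 4771 (Kerberos) and 4776 (NTLM) failures from every DC for the source address and protocol, and the lockout policy that actually applies to the account. The script below is an added example, not from either post; the user name is an assumption and remote event log access to the DCs is required.

```powershell
# Added example. $User is assumed; run as an account that can read the Security log on all DCs.
Import-Module ActiveDirectory
$User  = 'jdoe'
$Since = (Get-Date).AddDays(-2)
$Pdc   = (Get-ADDomain).PDCEmulator

# 0. Which lockout policy applies? A fine-grained password policy (PSO) overrides the Default
#    Domain Policy, so a threshold of 0 in the GPO does not by itself rule out lockouts.
$pso = Get-ADUserResultantPasswordPolicy -Identity $User
if ($pso) { $pso | Select-Object Name, LockoutThreshold, LockoutDuration, LockoutObservationWindow }
else      { Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow }

# 1. 4740 on the PDC emulator. EventData order: [0] TargetUserName, [1] TargetDomainName, which
#    carries the Caller Computer Name. For NTLM pass-through this is the workstation name the
#    requesting client put in the NTLM message, which is why a proxy such as TMG shows up here.
Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } |
    Where-Object { $_.Properties[0].Value -eq $User } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[0].Value
                           CallerComputer = $_.Properties[1].Value; LoggedOn = $_.MachineName }
    } | Format-Table -AutoSize

# 2. Bad-password attempts on every DC.
#    4771: [0] TargetUserName, [4] Status (0x18 = wrong password), [6] IpAddress of the client
#    4776: [1] TargetUserName, [2] Workstation (client-supplied), [3] Status (0xC000006A = wrong password)
$attempts = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Id -eq 4771 -and $_.Properties[0].Value -eq $User) {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; Proto = 'Kerberos'
                                   Source = $_.Properties[6].Value; Status = $_.Properties[4].Value }
            } elseif ($_.Id -eq 4776 -and $_.Properties[1].Value -eq $User) {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; Proto = 'NTLM'
                                   Source = $_.Properties[2].Value; Status = $_.Properties[3].Value }
            }
        }
}
$attempts | Sort-Object Time | Format-Table -AutoSize
```

Read the two tables together: a 4771 whose IpAddress is the workstation means the bad password really comes from that host (a stored credential in a service, scheduled task, mapped drive or mail client), while a 4776 whose Workstation field names the workstation but arrives from another source address means the credential is being relayed through something in between.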

Implementing AD LDS to Authenticate for External Users


Hello,

I'm able to find documentation on AD LDS but I can't confirm if it's what I want.

My client is setting up an ecommerce site through Volusion and they want to be able to authenticate using Active Directory for their customers.

I personally don't like the idea of opening up the network for customers. AD LDS seems to be the right solution on a tight budget but I can't confirm if it will work.

The Environment:
Server 2012 1: DC; AD; Hyper-V
VM Server 2012 2: File Server (Hosted on Server 1)
VM Server 2012 3: DirSync (Hosted on Server 1)

MS documentation suggests that AD LDS not be set up on a DC and that the server be placed in a DMZ. Unfortunately I can't implement a DMZ at the moment. I would like to put AD LDS on the file server. There is a web developer working on the ecommerce side; I just have to provide the authentication. I'm going to try a trial version of OneLogin, but for a couple thousand users it could get expensive.

Questions:
What resources are recommended for AD LDS (RAM, HDD space, etc.)? I only need AD LDS right now for 5-10 users, but if I decide to go with it, it would need to handle a couple thousand accounts.
Is there a special process for creating an SSL certificate for authentication? Or should one be purchased?
How secure is AD LDS?
Does anyone know of any good how-to guides for linking AD LDS to an external PHP site?

Thanks in advance!

-Jake
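Whatever the web developer ends up using on the PHP side, the check worth doing first is whether the AD LDS instance accepts a simple bind only over TLS and presents a certificate that chains correctly for the host name the site will use. The following is an added example, not part of the post: it binds to an instance over LDAPS with System.DirectoryServices.Protocols and validates the server certificate explicitly. Host name, port and bind DN are assumptions.

```powershell
# Added example. Host, port and the bind DN are assumptions for this example.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$LdsHost = 'ldsfs01.corp.example'     # assumed: the file server the post proposes for the instance
$LdsPort = 50636                      # assumed: LDAPS port chosen when the instance was created
$BindDn  = 'CN=customer1,OU=Customers,DC=shop,DC=local'   # assumed AD LDS user (or userProxy)
$Pwd     = Read-Host -AsSecureString 'Password'

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdsHost, $LdsPort, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte; never simple-bind in clear
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

# Validate the server certificate ourselves: trusted chain, revocation checked, host name matches.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    # GetNameInfo returns the first dNSName SAN, or the CN if there is none
    $nameOk  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -eq $LdsHost
    Write-Host ('Server cert {0} issued by {1}, valid to {2}: chain={3} name={4}' -f $cert.Subject, $cert.Issuer, $cert.NotAfter, $chainOk, $nameOk)
    return ($chainOk -and $nameOk)
}

try {
    $conn.Bind((New-Object System.Net.NetworkCredential($BindDn, $Pwd)))
    'LDAPS bind succeeded'
} catch [System.DirectoryServices.Protocols.LdapException] {
    'Bind failed: {0} (LDAP error {1})' -f $_.Exception.Message, $_.Exception.ErrorCode
} finally {
    $conn.Dispose()
}
```

A certificate from an internal enterprise CA is fine for the PHP site to pin as long as that site trusts the issuing chain; what matters more is that the certificate sits in the local machine store with the AD LDS service account granted read access to its private key, and that RequireSecureProxyBind in the instance's msDS-Other-Settings stays at 1 so a userProxy bind (which forwards the password to AD) is refused without TLS.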

Multiple AD FS instances in single forest


Hi, thank you for reading this. I have a little design question about AD FS. The current situation is like this:

  • One forest, root domain: domain.lan
  • domain.lan contains all user objects
  • Three child domains: 1.domain.lan, 2.domain.lan and 3.domain.lan
  • AD FS 2.0 server is deployed in domain.lan

Customer wants an extra AD FS instance for testing purposes.

I do find some recommendations on the internet, but I still have a few questions:

  1. Is it true that only one AD FS server (or farm) per forest can be deployed?
  2. I read that I can have multiple AD FS instances, but not in the same domain. Should I move the current AD FS server to 1.domain.lan (because the current AD FS server also automatically supports the child domains) and add an AD FS server for testing purposes to 2.domain.lan?
  3. Is the configuration as suggested in point 2 supported by Microsoft?

Thanks!

Regards,

Baksteen

Domain Controllers not replicating


Hi All

Domain name: abc.com
DC1 - Windows Server 2003 R2 (Physical Server) - 192.168.1.1
DC2 - Windows Server 2012 (Virtual Machine) - 192.168.1.2

Somehow DC1 doesn't replicate to DC2.

-------------------------------------------------------------

netdom query fsmo result:
Schema master           DC1.abc.COM
Domain naming master    DC1.abc.COM
PDC                     DC1.abc.COM
RID pool manager        DC1.abc.COM
Infrastructure master   DC1.abc.COM
The command completed successfully.

-------------------------------------------------------------

I ran dcdiag on DC1:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\DC1
      Starting test: Connectivity
         The host bd9e6e75-ec75-4c6b-be1b-ebef58146bbe._msdcs.abc.COM could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (bd9e6e75-ec75-4c6b-be1b-ebef58146bbe._msdcs.abc.COM) couldn't be
         resolved, the server name (DC1.abc.COM) resolved to the IP address
         (192.168.1.1) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... DC1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\DC1
      Skipping all tests, because server DC1 is
      not responding to directory service requests

   Running partition tests on : TAPI3Directory
      Starting test: CrossRefValidation
         ......................... TAPI3Directory passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... TAPI3Directory passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : abc
      Starting test: CrossRefValidation
         ......................... abc passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... abc passed test CheckSDRefDom

   Running enterprise tests on : abc.COM
      Starting test: Intersite
         ......................... abc.COM passed test Intersite
      Starting test: FsmoCheck
         ......................... abc.COM passed test FsmoCheck

-------------------------------------------------------------------------

But the funny thing is that I am able to ping DC1 by name from DC2 and from workstations:

C:\Users\User>ping dc1

Pinging dc1.abc.com [192.168.1.1] with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

---------------------------------------------------------------------------

I also ran repadmin on DC1.
Result:

C:\>repadmin /showrepl /all /verbose

repadmin running command /showrepl against server localhost

Default-First-Site\DC1
DC Options: IS_GC
Site Options: (none)
DC object GUID: bd9e6e75-ec75-4c6b-be1b-ebef58146bbe
DC invocationID: bd9e6e75-ec75-4c6b-be1b-ebef58146bbe

==== INBOUND NEIGHBORS ======================================

DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
        USNs: 2190434/OU, 2190434/PU
        Last attempt @ 2014-05-21 15:14:40 failed, result 1753 (0x6d9):
            There are no more endpoints available from the endpoint mapper.
        1400 consecutive failure(s).
        Last success @ 2014-05-20 15:38:26.

CN=Configuration,DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
        USNs: 2180668/OU, 2180668/PU
        Last attempt @ 2014-05-21 14:54:49 failed, result 1753 (0x6d9):
            There are no more endpoints available from the endpoint mapper.
        118 consecutive failure(s).
        Last success @ 2014-05-17 00:54:43.

CN=Schema,CN=Configuration,DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
        USNs: 2110088/OU, 2110088/PU
        Last attempt @ 2014-05-21 14:55:15 failed, result 1753 (0x6d9):
            There are no more endpoints available from the endpoint mapper.
        110 consecutive failure(s).
        Last success @ 2014-05-17 00:54:43.

DC=DomainDnsZones,DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
        USNs: 2190524/OU, 2190524/PU
        Last attempt @ 2014-05-21 14:54:24 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        32 consecutive failure(s).
        Last success @ 2014-05-20 15:38:27.

DC=ForestDnsZones,DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
        USNs: 2106507/OU, 2106507/PU
        Last attempt @ 2014-05-21 14:54:24 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        507 consecutive failure(s).
        Last success @ 2014-04-30 16:48:21.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

CN=Configuration,DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        WRITEABLE
        Last attempt @ (never) was successful.

CN=Schema,CN=Configuration,DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        WRITEABLE
        Last attempt @ 2014-05-17 00:55:01 was successful.

DC=DomainDnsZones,DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        WRITEABLE
        Last attempt @ (never) was successful.

DC=ForestDnsZones,DC=ABC,DC=COM
    Default-First-Site\DC2 via RPC
        DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
        Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
        WRITEABLE
        Last attempt @ (never) was successful.

==== KCC CONNECTION OBJECTS ============================================
Connection --
    Connection name : 2e2755c0-c2b1-484b-a0b2-489926271fd4
    Server DNS name : DC1.ABC.COM
    Server DN  name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=ABC,DC=COM
        Source: Default-First-Site\DC2
******* 1382 CONSECUTIVE FAILURES since 2014-05-20 15:38:27
Last error: 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        TransportType: intrasite RPC
        options:  isGenerated
        ReplicatesNC: DC=ABC,DC=COM
        Reason:  StaleServersTopology
                Replica link has been added.
        ReplicatesNC: DC=DomainDnsZones,DC=ABC,DC=COM
        Reason:  StaleServersTopology
                Replica link has been added.
        ReplicatesNC: CN=Schema,CN=Configuration,DC=ABC,DC=COM
        Reason:  StaleServersTopology
                Replica link has been added.
        ReplicatesNC: DC=ForestDnsZones,DC=ABC,DC=COM
        Reason:  StaleServersTopology
                Replica link has been added.
        ReplicatesNC: CN=Configuration,DC=ABC,DC=COM
        Reason:  StaleServersTopology
                Replica link has been added.
        enabledConnection:         whenChanged: 20140520094554.0Z
        whenCreated: 20131005064554.0Z
        Schedule:
        day: 0123456789ab0123456789ab
        Sun: 111111111111111111111111
        Mon: 111111111111111111111111
        Tue: 111111111111111111111111
        Wed: 111111111111111111111111
        Thu: 111111111111111111111111
        Fri: 111111111111111111111111
        Sat: 111111111111111111111111
1 connections found.

Partition Replication Schedule Loading:

      00      01      02      03      04      05      06      07      08      09      10      11

 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3
        Sun: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Sun: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Mon: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Mon: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Tue: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Tue: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Wed: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Wed: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Thu: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Thu: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Fri: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Fri: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Sat: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Sat: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000

Any suggestion, thanks.
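Two facts in the output above point the same way: dcdiag cannot resolve DC1's GUID-based CNAME under _msdcs.abc.com, and repadmin fails with 1753 (no endpoint from the endpoint mapper) and 1256 (remote system not available), both RPC-level failures, while plain ICMP to the A record works. The added example below (not from the post) is meant to be run on DC2: it resolves the CNAME the replication partner actually uses and probes the fixed DC ports on DC1, including the endpoint mapper on 135. The GUID and addresses are taken from the post.

```powershell
# Added example. Run on DC2 (Windows Server 2012, so Resolve-DnsName is available).
$Domain  = 'abc.com'
$Dc1Guid = 'bd9e6e75-ec75-4c6b-be1b-ebef58146bbe'   # DC1's DSA object GUID from repadmin
$Dc1Ip   = '192.168.1.1'

# 1. The CNAME replication uses: <DSA GUID>._msdcs.abc.com -> DC1.abc.com. dcdiag said it is missing.
$cname = Resolve-DnsName -Name "$Dc1Guid._msdcs.$Domain" -Type CNAME -ErrorAction SilentlyContinue
if ($cname) { $cname | Format-Table Name, Type, NameHost -AutoSize }
else        { "MISSING: $Dc1Guid._msdcs.$Domain (on DC1 run: nltest /dsregdns, or restart Netlogon, to re-register)" }

# 2. RPC needs 135 first, then a dynamic port the endpoint mapper hands out. Probe the fixed ports.
function Test-Port([string]$Target, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { 'open' } else { 'closed/filtered' }
    } catch { 'closed/filtered' } finally { $client.Close() }
}
foreach ($p in 53, 88, 135, 389, 445, 464, 636, 3268) {
    '{0}:{1,-5} {2}' -f $Dc1Ip, $p, (Test-Port -Target $Dc1Ip -Port $p)
}

# 3. Dynamic RPC range differs by OS: Windows Server 2003 allocates from 1025-5000, Windows Server
#    2008 and later from 49152-65535. Any firewall between the DCs must allow 1025-5000 towards DC1
#    and 49152-65535 towards DC2, or you get exactly 1753/1256 after a successful 135 connect.
# 4. Once DNS and ports are right, force a sync and re-check:
#    repadmin /replicate DC2 DC1 DC=abc,DC=com
#    repadmin /showrepl DC2
```

If port 135 is open but the probes above cannot tell you which dynamic port DC1 uses, the endpoint mapper can be queried directly with PortQry (portqry -n 192.168.1.1 -e 135), and the resulting port tested the same way.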

Is there any way to provide only Install / Uninstall rights to domain users in AD 2008?


I need to provide just install/uninstall rights to domain users, avoiding all other admin privileges.

I can't provide admin rights to them.

Is there any way I can provide them?


Schema Master down

If the Schema Master role is down, will I be able to create users or not?

unsuccessful domain controller demotion


Hi, I am getting the following error while demoting a Windows 2003 domain controller. Our environment consists of 2 Win2008R2 DCs, 2 Win2003R2 DCs and 1 Win2003 DC. All FSMO roles are on one of the Win2008R2 DCs. All are Global Catalogs. When I try to demote the Win2003 DC, the following error occurs:

The operation failed because: Active Directory could not configure the computer account xxxx02$ on the remote domain controller xxxx.xxxxx.local.  "Access is denied."

Have followed the steps in the following MS article and no luck: http://support.microsoft.com/kb/2000939

Please help.

regards,

kishore.ch


Kishore Chakka

Periodic NETLOGON & Group Policy errors resulting in server hangs (hard hang)


Hi,

Our server hangs (hard hang) randomly once or twice a month. It's Server 2008 R2 SP1 with all the latest patches, a virtual machine on vSphere 5.5, virtual machine version 10.

I notice that around the time of the hang we have NETLOGON error 5719 and Group Policy error 1054.

Log Name:      System
Source:        NETLOGON
Date:          26.06.2014 09:49:54
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxx.domain.no
Description:
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-26T07:49:54.000000000Z" />
    <EventRecordID>91928</EventRecordID>
    <Channel>System</Channel>
    <Computer>xxx.domain.no</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DOMAIN</Data>
    <Data>%%1722</Data>
    <Binary>170002C0</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          26.06.2014 08:11:49
Event ID:      1054
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      xxx.domain.no
Description:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1054</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-26T06:11:49.361463400Z" />
    <EventRecordID>91916</EventRecordID>
    <Correlation ActivityID="{A79795FE-5CB2-4051-83F7-FA6F9BC566E1}" />
    <Execution ProcessID="872" ThreadID="1148" />
    <Channel>System</Channel>
    <Computer>xxx.domain.no</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">1903</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">1139</Data>
    <Data Name="ErrorCode">58</Data>
    <Data Name="ErrorDescription">The specified server cannot perform the requested operation. </Data>
  </EventData>
</Event>

I have checked all settings such as domain and DNS connectivity, SYSVOL access, ping (NetBIOS\FQDN), deleted the computer account and rejoined the server to the domain, and all the other basic steps, but nothing has helped.

What shall be the next step to figure out the cause?

Regards

Prabhash

Certificate Services - Autoenrollment not occurring


I am having an issue getting autoenrollment to occur.  I am not getting an error that I can see - it appears to be not initiating.

The forest is at the Windows 2008 R2 domain functional level. The root CA is an enterprise CA.  The client machines are Windows 2008 R2.

I installed only the Certification Authority role service.  This CA will only be used to issue server authentication certificates within its forest.

I've followed the tasks for Configuring AutoEnrollment in Group Policy.

I've verified the Default Action for a Certificate Request.

Along with the steps outlined in Set Up Automatic Certificate Enrollment, I duplicated the default Computer (Machine) template, set properties, and granted Read, Enroll, and Autoenroll to Domain Computers.

 

Results:

I see two information entries in the Application event log on the client with the following text:

  1. Certificate enrollment for Local system is successfully authenticated by policy server {9EC47EC2-7C6B-42EE-9722-3650C7E4EED1}
  2. Certificate enrollment for Local system successfully load policy from policy server

On the CA, I see no entries in Failed Requests, Pending Requests, or Revoked Certificates.  I also see no new entries in Issued Certificates.

On the client, I can use certutil or the certificates MMC snapin to request a new certificate that automatically gets issued, but I'm looking for autoenrollment to kick-in so I can avoid logging into every machine.

 

I appreciate any advice or direction in this matter.
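The two informational events quoted above show the client reaching the policy server and loading policy, so the interesting part is what happens afterwards: autoenrollment will only submit a request when the policy value is set, the template is published on the CA, the computer has Enroll and Autoenroll (Enroll alone allows a manual request but is ignored by autoenrollment), and the subject is built from Active Directory rather than supplied in the request (a template that lets the enrollee supply the subject can never be auto-submitted, and for a broad group it would also let any member request a certificate for an arbitrary name). The script below is an added example, not from the post; it checks each of those conditions from a Windows Server 2008 R2 client with RSAT installed. The template name and CA config string are assumptions.

```powershell
# Added example. $Template and $CaConfig are assumptions; run on the client as a local administrator.
Import-Module ActiveDirectory                        # RSAT; only used to read the template object and its ACL
$Template = 'Computer-ServerAuth'
$CaConfig = 'ca01.corp.example\Corp Issuing CA'      # "CAHostName\CA Common Name"

# 1. Client policy: AEPolicy 7 = autoenrollment enabled with renew/update and update-templates ticked.
#    Missing value = GPO not applied; 0x8000 = explicitly disabled.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
'AEPolicy = {0}' -f $(if ($ae) { $ae.AEPolicy } else { '<not set>' })

# 2. Template object in the configuration partition.
$cfg   = (Get-ADRootDSE).configurationNamingContext
$tplDn = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$tpl   = Get-ADObject -Identity $tplDn -Properties 'msPKI-Certificate-Name-Flag'
if ($tpl.'msPKI-Certificate-Name-Flag' -band 1) {
    'FAIL: subject name is "Supply in the request"; autoenrollment cannot submit this template'
}

# Enroll and Autoenroll are extended rights identified by these well-known GUIDs.
$enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
(Get-Acl -Path "AD:\$tplDn").Access |
    Where-Object { $_.IdentityReference -like '*\Domain Computers' -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $ace = $_
        $right = if ($ace.ObjectType -eq $enroll)     { 'Enroll' }
                 elseif ($ace.ObjectType -eq $autoenroll) { 'Autoenroll' }
                 else                                  { "$($ace.ActiveDirectoryRights)" }
        "Domain Computers: $right"
    }

# 3. The template must be published on the CA, or the policy server gives the client nothing to enroll.
certutil -config $CaConfig -CATemplates | Select-String -Pattern $Template

# 4. Trigger a run now (it otherwise runs at boot and every 8 hours) and read the outcome.
certutil -pulse
Start-Sleep -Seconds 10
Get-WinEvent -LogName Application -MaxEvents 30 |
    Where-Object { $_.ProviderName -like 'Microsoft-Windows-CertificateServicesClient*' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If every check passes and still nothing is issued, compare the template's Subject Name tab with what the computer object actually has: a template that builds the subject from the DNS name will not enroll a machine whose dNSHostName attribute is empty.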

Verify ForestPrep, Domainprep & Rodcprep result-Powershell

within adfs I need to pass domainname\username as nameid.


Newb here. The IdP is AD FS and my SP needs the NameID to equal the Windows account name. When I edit the claims rule I don't see Windows account name as an option, and if I just type it in, it passes nothing on to the SP. What am I doing wrong?

thanks greatly

tr

NTDS.DIT object deletion verification


How can I truly verify that the NTDS.DIT doesn't contain an object that I have deleted?  I know I could copy/system state backup the original, then delete an OU, then offline defrag, then restart NTDS and try to restore the OU.

My question is, is there an easier way?  I need this in order to appease my infosec guys.

Thanks,

Dell
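The reason the question is hard: deleting an object does not remove it from NTDS.DIT. It becomes a tombstone (with the Recycle Bin enabled, first a deleted object for msDS-deletedObjectLifetime, then a recycled object) and stays in the database until the garbage collector removes it after tombstoneLifetime has passed; even then the freed pages are only returned to the file system by an offline defrag. Each DC garbage-collects on its own schedule, and any backup taken while the object or its tombstone existed still contains it. The added example below (not from the post) reads the current lifetime and searches the deleted-object space for a given objectGUID, which is the only stable handle once the name is gone. The GUID is an assumption.

```powershell
# Added example. $Guid is assumed: the objectGUID noted before the object was deleted.
# Run it against each DC (-Server) since garbage collection is per DC.
Import-Module ActiveDirectory
$Guid = '11111111-2222-3333-4444-555555555555'

# tombstoneLifetime lives on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition.
# An unset attribute means the pre-2003 SP1 default of 60 days; forests created later carry 180.
$cfg   = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl   = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"tombstoneLifetime: $tsl days"

# -IncludeDeletedObjects adds the Show Deleted / Show Recycled controls to the search.
$t = try {
    Get-ADObject -Identity $Guid -IncludeDeletedObjects -Properties isDeleted, isRecycled, whenChanged, lastKnownParent
} catch { $null }

if (-not $t) {
    'No object with that GUID on this DC, tombstones included: garbage collection has already removed it here.'
} elseif ($t.isRecycled) {
    "Still present as a recycled object; eligible for garbage collection about $($t.whenChanged.AddDays($tsl))"
} elseif ($t.isDeleted) {
    "Still present as a tombstone of $($t.lastKnownParent); eligible for garbage collection about $($t.whenChanged.AddDays($tsl))"
} else {
    "Object is live, not deleted: $($t.DistinguishedName)"
}
```

For the infosec conversation the honest statement is therefore time-based: the data is recoverable from the live database until tombstoneLifetime (plus up to one garbage-collection interval, 12 hours by default) has elapsed on every DC, and from backups for as long as those are retained.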


AD object security inheritance getting disabled


Hi,

I am observing that a few users are having a security inheritance issue, and AD administrators are losing their permissions on these user objects.

Inheritance is getting removed automatically after some time, even after setting it manually as per the screenshot below.

Can anyone please tell me how to find the cause of this issue? Also, if I check advanced security on the parent OU, I am not getting the option to apply the inheritance to all child objects. Is there any way or command via which I can re-enable inheritance or apply permissions to all child objects under an OU?

Thank you in advance.

Regards,

J R Dash
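The behaviour described (inheritance switched back off, delegated admins losing rights on a handful of users) is what the SDProp process does by design: roughly every 60 minutes the PDC emulator copies the ACL of CN=AdminSDHolder,CN=System onto every member of a protected group (Administrators, Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Server Operators, Print Operators, Backup Operators, Replicator, Domain Controllers, Read-only Domain Controllers), sets adminCount=1 and disables inheritance. Re-enabling inheritance on a current member is undone within the hour; a user who was removed from such a group keeps the stamp and the protected ACL until someone clears it. The script below is an added example, not part of the post: it lists stamped users and re-enables inheritance only on those that are no longer in a protected group.

```powershell
# Added example. Run on the PDC emulator or any DC with the ActiveDirectory module.
Import-Module ActiveDirectory

$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
                   'Read-only Domain Controllers', 'Enterprise Admins', 'Schema Admins'

# Current (nested) membership of the protected groups. Enterprise/Schema Admins only exist in the
# forest root domain, hence SilentlyContinue.
$protectedMembers = foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}

# Everyone SDProp has stamped, and the subset that is no longer protected ("orphans").
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount
$orphans = @($stamped | Where-Object { $protectedMembers -notcontains $_.DistinguishedName })
"Users with adminCount=1: {0}; of these no longer in a protected group: {1}" -f @($stamped).Count, $orphans.Count

foreach ($u in $orphans) {
    # Clear the marker and re-enable inheritance. SDProp leaves the object alone from now on because
    # it is not a member of a protected group any more. Current members are deliberately skipped:
    # their ACL would be reset again within the hour, and they should keep the protected ACL anyway.
    Set-ADUser -Identity $u -Clear adminCount
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # $false = inherit from parent; $true = keep explicit ACEs
    Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
    "Inheritance re-enabled on $($u.SamAccountName)"
}
```

For a user who is still a member of one of those groups, the fix is to delegate through AdminSDHolder (edit its ACL and let SDProp propagate) rather than fight the reset. The AD ACL editor has no "replace permissions on all descendants" button like NTFS; dsacls "<DN>" /P:N does the same as the Set-Acl call above for a single object, and the loop is the way to apply it under an OU.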


Unable to connect to Netlogon share in Windows 2008 R2


Hi,

Let me tell you about the initial setup. We had a Windows Server 2003 Standard Edition 32-bit operating system, which was our Domain Controller. We installed Windows Server 2008 R2 Standard Edition as a virtual machine hosted on an ESXi server. Adprep was run and DCPROMO was performed. The installation was successful.

But after installation SYSVOL and NETLOGON were missing. I changed the registry value HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady from 0 to 1. After the change, the SYSVOL folder shows as a shared folder when typing C:\>net share. If the registry value is reverted, SYSVOL is missing.

The issue is that I am still not getting the NETLOGON share. Does anyone have any idea?

Also, when I try an nslookup, I get "Server: Unknown" as the answer. Why is that? I would really appreciate it if anyone can give a clue on this issue.

Thanks in advance.


Tom Jacob

Server 2012 Active Directory replication problems


Hi.

I've got a forest with 2 sites.

forest - domain.local
site a: - everything appears to work fine
srv-adc1 10.100.100.11 - domain controller - replicating with srv-adc2
srv-adc2 10.100.100.12 - domain controller - replicating with srv-adc1

site b: - was offline for more than 180 days
srv-bdc1 10.200.100.11 - domain controller - not replicating with srv-adc1
srv-bdc2 10.200.100.12 - demoted domain controller

each domain controller is also a dns server
all the servers are microsoft 2012

Site B was offline for more than 180 days, so it exceeded the tombstone lifetime.

I demoted srv-bdc2 and did a metadata cleanup on the rest of the servers.

I took srv-bdc2 out of the domain and brought it back in.

When I try to promote it again I get an access denied error.

When I try to browse to \\domain.local\ from any server in site B I get a network name error.

The same thing happens if I try \\srv-adc1\.

With the IP it works just fine.

I looked everywhere in the DNS but got nothing.

anyone has an idea?
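Both the 5719/1054 thread further up (NETLOGON cannot set up a secure channel, Group Policy cannot find a DC) and this one (\\domain.local\ fails by name but works by IP, promotion is refused) come down to what the DC locator can get from DNS on the affected host: the DNS servers the host is actually configured with, the domain's A records, and the SRV records under _msdcs. The script below is an added example, not from either post; it runs the same checks on whichever machine shows the symptom. The domain name is taken from this post, the site name is an assumption, and Resolve-DnsName needs Windows Server 2012 or later (on the 2008 R2 host of the first thread, use nslookup -type=SRV for the same names).

```powershell
# Added example. $Domain from the post, $Site assumed. Run on the host with the symptom.
$Domain = 'domain.local'
$Site   = 'SiteB'

# 1. Which DNS servers does this host use? A site B DC should list a reachable partner DC first,
#    not only itself, otherwise it answers from a zone that stopped replicating 180+ days ago.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, DNSServerSearchOrder | Format-Table -AutoSize

# 2. Records every domain member needs. \\domain.local\ is resolved through the domain A records
#    (one per DC); NETLOGON and the Group Policy engine use the SRV records via the DC locator.
$queries = @(
    @{ Name = $Domain;                                     Type = 'A'   }
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";              Type = 'SRV' }
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain";          Type = 'SRV' }
    @{ Name = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"; Type = 'SRV' }
    @{ Name = "_gc._tcp.$Domain";                          Type = 'SRV' }
)
foreach ($q in $queries) {
    $r = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction SilentlyContinue
    if (-not $r) { 'MISSING  {0,-4} {1}' -f $q.Type, $q.Name; continue }
    foreach ($rec in $r) {
        if ($q.Type -eq 'SRV') { 'OK       {0} -> {1}:{2}' -f $q.Name, $rec.NameTarget, $rec.Port }
        else                   { 'OK       {0} -> {1}'     -f $q.Name, $rec.IPAddress }
    }
}

# 3. Ask the locator itself; this is the call NETLOGON makes before logging 5719 and the GP engine before 1054.
nltest /dsgetdc:$Domain /force
nltest /dsgetsite
```

Stale SRV records pointing at srv-bdc2 after its demotion, or a site B DNS server that still hosts its own lagging copy of the zone, will show up here as targets that do not match the DCs that actually exist; fix the resolver order and scavenge the leftovers before retrying the promotion, since dcpromo has to find and authenticate to a writable DC by exactly these records.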



Need adext.zip to add user photos in AD


Hi,

I have only Windows 2008 and 2012 servers on my network and don't have Exchange or Communicator servers in my environment. While surfing the net I found that the adext.zip file would fulfil my requirement, but the link http://www.dewdney.co.uk/adext/adext.zip is not working now. Can you please guide me to get the file? Thanks.

Regards,

Ramasamy R S

User roaming profile error - Access denied with event ID 1521

$
0
0

Hi,

I got an event log error with a user roaming profile issue.

Event Log Details - http://social.technet.microsoft.com/Forums/getfile/483551

User profile Properities - http://social.technet.microsoft.com/Forums/getfile/483552

In the user properties I don't find any roaming profile configuration, nor in the logon script pasted below. Still I am getting the roaming profile error.

Logon Script:

REM net use i: /d
REM net use l: /d
REM net use m: /d
REM net use s: /d
REM net use t: /d
REM net use z: /d


REM set Mdlogic export directory
REM net use i: \\new\trans /persistent:yes

REM set MedMaster directory
net use l: \\new1\med /yes

REM set drive for APPS share
net use m: \\new1\apps /yes

REM set COMMON SHARE
net use S: \\new1\share /yes

REM set directory for VASLAB ACCESS Database
net use T: \\new1\system /yes

REM set Mdlogic export directory
net use z: \\new\trans /persistent:yes

rem centps
rem \\new1\source\centps\KcsSetup.exe

Please guide me to proceed further.

Regards,

Ramasamy R S
