Channel: Directory Services forum

A chance for YOU to play for the Windows Server team, in the TechNet Guru World Cup!


The World Cup is here again!

Not balls... brains!

And YOU have been selected to play on our team!

Yes forum reader, step up and take a shot!

Slam some techie tips in the back of our nets!

No dribbling please, just lots of problem tackling.

So come on Gurus and use your head!

Show us your skills, wow us with your technique, and win the hearts of your nation!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed).

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.



how to audit what was done in AD?


If a user modifies an object in AD, how do you audit that? We had some computer accounts deleted and no one will admit to it, so I want to know in the future how to prove who did this.


mqh7

User Account Deleted event ID concern


It is my understanding that when a user account is deleted in AD an event should be generated with ID 4726 (assuming you have auditing enabled); however, in my company this does not appear to be the case, and I'm wondering why. I just tested this after being unable to track down a user deletion earlier. When I delete a user account, the only event generated is 5141 (Directory Service Change). Am I missing something here? I have "Audit Account Management" set to success and failure. Everywhere I read online tells me a 4726 event should be generated, but it is not.

Any help is greatly appreciated.
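For the two audit questions above (who deleted the computer accounts, and why a deletion shows up as 5141), here is an added example, not code from either post, that attributes deletions from the Security log: 5141 (Directory Service Changes) records the subject and the deleted object's DN, 4726 records a deleted user account, and 4743 records a deleted computer account. The records below are constructed samples in the shape of the Windows event message text.

```python
import re

# Constructed sample records (not real logs) shaped like Windows Security event messages.
SAMPLE_EVENTS = [
    """Event ID: 5141
A directory service object was deleted.
Subject:
    Security ID:    CONTOSO\\jdoe
    Account Name:   jdoe
    Account Domain: CONTOSO
Object:
    DN: CN=WKS0042,OU=Workstations,DC=contoso,DC=local
    Class: computer""",
    """Event ID: 4726
A user account was deleted.
Subject:
    Security ID:    CONTOSO\\asmith
    Account Name:   asmith
    Account Domain: CONTOSO
Target Account:
    Account Name:   tempuser
    Account Domain: CONTOSO""",
    """Event ID: 4624
An account was successfully logged on.
Subject:
    Account Name:   jdoe""",
]

# Deletion events: 5141 needs "Audit Directory Service Changes", 4726/4743 need
# the Account Management subcategories. The set is the assumption this example makes.
DELETE_EVENTS = {"5141": "object deleted", "4726": "user deleted", "4743": "computer deleted"}

def parse_deletion(record):
    """Return {'event_id', 'actor', 'target'} for a deletion record, else None."""
    eid = re.search(r"Event ID:\s*(\d+)", record)
    if not eid or eid.group(1) not in DELETE_EVENTS:
        return None
    subject = re.search(r"Subject:.*?Account Name:\s*(\S+)", record, re.S)
    # 5141 names the object by DN; 4726/4743 name the target account instead
    target = (re.search(r"DN:\s*(.+)", record)
              or re.search(r"Target Account:.*?Account Name:\s*(\S+)", record, re.S))
    if not subject or not target:
        return None
    return {"event_id": eid.group(1), "actor": subject.group(1), "target": target.group(1).strip()}

def deletions(records):
    """Filter a list of event records down to attributed deletions."""
    return [d for d in (parse_deletion(r) for r in records) if d]
```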

ADFS SSL Certificate Assignment windows 2012 R2 ADFS


HI,

I'm in an account domain and trying to access a web application at an agency, so they have requested the following public SSL certificates:

 1. Acquire a TLC Certificate for "service Communication" and "token decrypting".

 2. Acquire a verisign gatekeeper device type 3 certificate as "token Signing". 

How do I request these 3 types of SSL certificate? (I only know how to go to an IIS server and request a CSR.)

Also, my internal domain name is intdomain.com but public access is through domainglobal.com.

We have an internal CA.

As

ADFS Specific Question? Post on the ADFS Forum


If your question is specific to ADFS then it is recommended you post your question at this specific forum available at the URL below.

http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva


Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights.

ADFS Group Filtering not working


Hello guys

I have deployed ADFS in our company. It's working well. When I define the ADFS claim it looks like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"), query = ";sAMAccountName,givenName,sn,mail,tokenGroups;{0}", param = c.Value);

This works fine. I want to filter the groups included in the outgoing claim to just the groups whose name starts with the string "SG", so I wrote a custom ADFS rule:

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i) ^SG*"]
=> issue(claim = c);

But shit doesn't work for me. I still see all the groups in the outgoing claim (for example group Domain Users).

Please, help me to find out what I'm doing wrong.

Thank you,


---------- Ondrej Zilinec - Cievo ----------
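As an added illustration (not code from the post or from AD FS), a small Python model of how the claim pipeline treats the two rules above: `issue` places claims in both the rule input set and the outgoing token, while `add` places them only in the input set, so a later filter rule cannot remove groups that rule 1 already issued; and the leading space in the posted regex means it never matches at all. The group names and the pipeline model are constructed assumptions.

```python
import re

# Constructed sample: the tokenGroups the Active Directory store returns for the user
TOKEN_GROUPS = ["Domain Users", "SG-Finance", "sg-hr", "Sales", "Backup Operators"]
GROUP = "http://schemas.xmlsoap.org/claims/Group"

def evaluate(rules):
    """Run a rule list through a minimal model of the AD FS claim pipeline.
    Each rule is a dict with 'type' (claim type to match), 'pattern' (regex on
    the value, or None), 'action' ('add' or 'issue') and optionally 'query'
    (True = take values from the AD store instead of from the input set).
    Returns (input_set, output_set) as lists of (type, value) tuples."""
    inp, out = [("windowsaccountname", "CONTOSO\\alice")], []
    for r in rules:
        if r.get("query"):
            produced = [(GROUP, g) for g in TOKEN_GROUPS]
        else:
            produced = [(t, v) for t, v in inp
                        if t == r["type"] and re.search(r["pattern"], v)]
        inp = inp + produced        # add and issue both feed later rules
        if r["action"] == "issue":
            out = out + produced    # only issue reaches the token
    return inp, out

def groups_in_token(rules):
    """Group claim values that end up in the outgoing token."""
    return [v for t, v in evaluate(rules)[1] if t == GROUP]

# The posted pipeline: rule 1 issues every group, rule 2 tries to filter afterwards.
# " ^SG*" needs a literal space followed by start-of-string, which never matches.
POSTED = [
    {"query": True, "type": GROUP, "pattern": None, "action": "issue"},
    {"type": GROUP, "pattern": r"(?i) ^SG*", "action": "issue"},
]
# Corrected pipeline: rule 1 only adds groups to the input set, rule 2 issues the subset.
# "^SG" (no "*") is used because "SG*" also matches any name starting with a bare "S".
FIXED = [
    {"query": True, "type": GROUP, "pattern": None, "action": "add"},
    {"type": GROUP, "pattern": r"(?i)^SG", "action": "issue"},
]
```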

2012 R2 RODC in Windows Server 2003 environment


Hi,

Is it possible to introduce a Windows Server 2012 R2 RODC into a Windows Server 2003 environment? All DCs are Windows Server 2003 R2 SP2 and the FFL and DFL are 2003.

I know it is possible to prepare the 2003 forest/domain, introduce a Windows Server 2008 R2 writable DC and then install an RODC.

My question is can this process apply to server 2012 R2?

So can I prepare the 2003 Schema Master with the 2012 R2 ADPREP command, install a writable 2012 R2 DC and then a 2012 R2 RODC?

I'm guessing it's possible, but would it be supported?

Any help is appreciated.


Migrating users from one domain to another (Interforest)

Scenario: two domains, A & B, in two different forests.
A holds an Exchange server in the DMZ and 2 domain controllers in A used by Exchange, also in the DMZ.
B holds all users and computers and 2 domain controllers used for authentication.

Now I want to migrate all users and computers in domain B to domain A using ADMT.

My questions here are:
1. Can I use the DCs used by Exchange to authenticate if I migrate users and computers from B to A?
2. If not, what is the workaround here? I want to build an action plan on this.

Local administrator account (non built in) - how to receive a specific policy


Hi folks,

Previously we were using a built-in administrator account which did not lock out after x number of login attempts. By company direction we have been told to disable the built-in admin account and create a new local admin account. After this was done, it seems that the account is now reading the default domain policy setting and locking out after 5 incorrect attempts.

How can we prevent this from happening, just specifically for that account?

thanks.

Internet Access from VM is up and down


My infrastructure is WS 2012 R2 Standard with AD services installed as the main server. There's a VM running on it with EXCHG 2013.

The EXCHG has been unstable in sending and receiving emails from outside due to DNS issues. Sometimes when I troubleshoot I can browse the internet from the VM, sometimes not. The errors I see in the EXCHG are DNS resolution issues. The forwarders on the DNS server are correct (my ISP Cox ones). I tried adding and removing the root hints with no success. I added 8.8.8.8 and 8.8.4.4; it helped for a while, then I again got issues; I deleted them, it resolved the issue, and then I got them again. It seems like an intermittent issue with DNS. No antivirus or anything is running on the VM that could block ports. Please suggest!

Server 2012R2 Crash after failed IDMU password sync


Our 2012 DCs crash after event 8197:

Error in connecting to Host at the specified port. 
host = 192.168.168.192 
port = 6677 
Please check if the host is up and is running SSOD on the specified port. Winsock error is in the message data.

Followed by event 1000:

Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdll.dll, version: 6.3.9600.17031, time stamp: 0x530895af
Exception code: 0xc0000008
Fault offset: 0x000000000009ca6a
Faulting process id: 0x224
Faulting application start time: 0x01cf9566b19c1df0
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 94688131-01b7-11e4-80d2-005056802892
Faulting package full name: 
Faulting package-relative application ID: 

Resulting in event 1015:

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000008.  The machine must now be restarted.

And after 1 minute it restarts.

Looks like exactly the same problem as this:
http://social.technet.microsoft.com/Forums/en-US/b8fe4bc0-a656-4c1f-8d7a-30e148169324/idmu-password-synchronisation-crash-windows-2012?forum=winserverDS

Unfortunately no solution is given there.

Please help



Local administrator account (non builtin) cannot view local computer policy in gpresult


Hi folks,

Perhaps you can help me. If I run a gpupdate /force with the built-in administrator account on a Windows 7 PC, the policy processes successfully without error. By company direction we are obliged to disable the built-in admin account and add a newly created local admin account (member of the Administrators group) with a new SID. After doing this, when we do a gpupdate with that account, the computer policy update fails, and the Group Policy operational event log provides errors:

event id 7320: Group Policy refresh access failed (0x5)

event id 7320: Access check based on security descriptor failed (0x5)

In addition, if I try to view gpresult /h using the same account, the policy report is almost blank; no computer configuration is visible. Again, if I do this with the built-in admin it works fine.

Do you have any advice on how to fix the problem?

thanks.

AD Web Service Error 1202

We are seeing this error every 1 minute on two Windows Server 2008 R2 domain controllers that were recently installed at a remote site:

Source: ADWS
Error: 1202
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.

Directory instance: GC
Directory instance LDAP port: 3268
Directory instance SSL port: 3269

dns server could not be contacted access denied


Hi,

The DC was shut down during maintenance and after that problems started with replication, DNS etc. The first problem I need to debug is that I cannot load the DNS console and DNS is not working.

There is an error message:

The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Service restart is not helping. How can I debug this problem?

Thanks.

Applying different GPOs based on extensionattribute1


Hello,

I would like to make use of the extensionattribute fields for computer accounts in AD. What I would like to do is apply a different GPO based on the contents of a particular field. For example, I would like to create three different GPOs with different patch settings:

PROD
DEV
PILOT

I would then enter the corresponding value for each server in extensionattribute1.  I would then like to have the correct patching GPO applied to each server based on the value in extensionattribute1.

I know this might be easier to do using OUs, but our OU structure is already very strict and I can't move the machines around for this purpose.

Is this even possible? If not, can anyone make a different suggestion that will allow me to use extensionattribute1 in a similar way?


User Logon Issue on Client Machine


Dear

I have two Domain Controllers.

AD50 & AD100

If I give AD50 as the primary DNS in the network connections of the client machine, it works fine and users are able to log on.

If I give AD100 as the primary DNS in the network connections of the client machine, it gives a "user name and password incorrect" error to remote desktop users, whereas domain admins are able to log on.

Replication, AD health and DNS are all working fine on the ADs.

Any idea?


Rox_Star

DCs security event


Hi

I have a DC on Windows 2008 STD SP1.

But my DC security events are not updating.

I can see old security events from last year are there.

Can anyone help me to get a solution?

Is this because authentication is not happening on this DC, or is it being forwarded to another DC?

If yes, why so, and how can I get this info?

Unable telnet port 53 from different subnet to Active Domain Controller after upgrade from 2003 to 2008 r2


Hi Guys

We recently upgraded our domain controller from Windows 2003 to Windows 2008 R2. After the upgrade, branch users encounter login failures and cannot authenticate with the domain controller.

HQ IP           Branches IP
10.33.1.3       10.33.224.4
255.255.128.0   255.255.255.0
10.33.1.2       10.33.224.2

We checked the ports below:

  • UDP Port 88 for Kerberos authentication ( ok )
  • UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations. (ok)
  • TCP Port 139 and UDP 138 for File Replication Service between domain controllers.(ok)
  • UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers. (ok)
  • TCP and UDP Port 445 for File Replication Service (ok)
  • TCP and UDP Port 464 for Kerberos Password Change (ok )
  • TCP Port 3268 and 3269 for Global Catalog from client to domain controller. (ok)
  • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller. (Fail)

We are unable to telnet to port 53 from the branches to HQ!

Is there anything we can do on the server? What is the impact if port 53 cannot be accessed?

Thanks

Best Regards

Darren

Create AD Groups with the same name !!


Hi,

I need to create two groups with the same name in different OUs. How can I do it?

Powershell AD cmdlets receive "Internal Error" after Upgrade to AD Server2012R2


Hi,

We've recently moved and upgraded our AD from Server 2003 (with W2K3 functional level ) to Server2012R2 (and W2K12R2 Functional level). The upgrade was completed successfully.

However, a user has reported that since the upgrade, when he runs get-adgroupmember groupname or get-ADPrincipalGroupMembership, PowerShell throws the following error:

get-adgroupmember : The server was unable to process the request due to an internal error.  For more information about
the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the
<serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or
turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
At line:1 char:1
+ get-adgroupmember -server kozel gr-admins
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (gr-admins:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

I get the same error on my own domain user account, but if I elevate to my domain administrator account and run it from my desktop, the command runs successfully.

I've googled around, but haven't found anything conclusive, other than restarting ADWS, which didn't work.

Does anyone know what might be causing this?

Many Thanks

Mark
