ADFS 3.0 Form based Authentication Login

Hi All,

My users were able to log in to the ADFS 2.0 form-based portal with just their AD username (e.g. Username: ABC) and password. However, when I upgraded my Windows Server 2012 ADFS farm to Windows Server 2012 R2, the Office 365 integrated ADFS 3.0 form-based login page does not allow users to log in with just the AD username (abc); instead it asks them to enter the full UPN abc@xyz.com or domain\username (XYZ\ABC).
How can I change the login page so that my users do not have to enter the entire UPN or domain\username?
Thanks
Puneet
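As an added example (not from the original post, and not Microsoft's code verbatim): AD FS 3.0 has no server-side switch for accepting a bare sAMAccountName, but the sign-in page can be customized through a web theme, and onload.js runs on every page the farm serves. The script below clones the default theme, appends a hook to onload.js that prefixes a typed name with DOMAIN\ when it contains neither '@' nor '\', and activates the theme. The hook names (Login.submitLoginRequest, InputUtil, LoginErrors) follow the pattern Microsoft documents for sign-in page customization; the theme name, NetBIOS domain 'XYZ' and export folder are assumptions for the example.

```powershell
# Added example (not from the original post). Assumes: AD FS 3.0 on Windows Server 2012 R2,
# a single NetBIOS domain 'XYZ' to prepend, and a writable working folder C:\AdfsTheme.
# Run in an elevated PowerShell session on a farm node; the theme change applies farm-wide.

$Theme   = 'CustomLogin'        # assumed theme name
$Domain  = 'XYZ'                # assumed NetBIOS domain to prepend
$WorkDir = 'C:\AdfsTheme'       # assumed export folder

# 1. Clone the default theme so the built-in one stays untouched.
if (-not (Get-AdfsWebTheme -Name $Theme -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $Theme -SourceName default
}
Export-AdfsWebTheme -Name $Theme -DirectoryPath $WorkDir

# 2. Append logic to onload.js: if the typed name has no '@' and no '\',
#    prefix it with DOMAIN\ before the form is submitted. Names already typed in
#    UPN or DOMAIN\user form pass through unchanged, so other domains still work.
$OnLoad = Join-Path $WorkDir 'script\onload.js'
$Js = @"
if (typeof Login !== 'undefined') {
    Login.submitLoginRequest = function () {
        var u = new InputUtil();
        var e = new LoginErrors();
        var userName = document.getElementById(Login.userNameInput);
        var password = document.getElementById(Login.passwordInput);
        if (userName.value && !userName.value.match(/[@\\]/)) {
            userName.value = '$Domain\\' + userName.value;
        }
        if (!userName.value) { u.setError(userName, e.userNameFormatError); return false; }
        if (!password.value) { u.setError(password, e.passwordEmpty); return false; }
        document.forms['loginForm'].submit();
        return false;
    };
}
"@
Add-Content -Path $OnLoad -Value $Js -Encoding UTF8

# 3. Upload the modified script and activate the theme.
Set-AdfsWebTheme -Name $Theme -AdditionalFileResource @{ Uri = '/adfs/portal/script/onload.js'; Path = $OnLoad }
Set-AdfsWebConfig -ActiveThemeName $Theme
```

The prefix is purely client-side convenience: the credential is still validated against AD as DOMAIN\user, so nothing about authentication strength changes. The caveat is that a hard-coded prefix sends every bare name to one domain; in a multi-domain forest users of other domains must keep typing a UPN or domain\user, which the '@'/'\' test preserves.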


Finding Password Age

Hi,

What AD user field stores the age of a user's password? (2003 functional level)

Z
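There is no attribute holding the age itself; pwdLastSet holds the time the password was last set as a FILETIME, and the age is the difference from now. The script below, an added example rather than anything from the post, computes the age for every enabled user whose password can expire and compares it with the domain's maxPwdAge. It uses System.DirectoryServices rather than the ActiveDirectory module so it works against a domain still at the 2003 functional level, where the only password policy is the domain-wide one on the domain root. The domain is discovered from RootDSE; nothing else is assumed.

```powershell
# Added example (not from the original post). Works against a 2003-level domain because it
# uses System.DirectoryServices (no AD Web Services needed). At 2003 DFL there are no
# fine-grained password policies, so maxPwdAge on the domain root is the policy.

function Get-PasswordAgeDays {
    # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC) stored as Int64.
    # 0 means "user must change password at next logon"; there is no age to compute.
    param([Parameter(Mandatory)][long]$PwdLastSet)
    if ($PwdLastSet -eq 0) { return $null }
    $set = [datetime]::FromFileTimeUtc($PwdLastSet)
    return [math]::Round(((Get-Date).ToUniversalTime() - $set).TotalDays, 1)
}

function Get-MaxPasswordAgeDays {
    # maxPwdAge on the domain root is a negative Int64 duration in 100-ns ticks.
    # [long]::MinValue means "passwords never expire" at the domain level.
    param([Parameter(Mandatory)][string]$DomainDN)
    $root = [ADSI]"LDAP://$DomainDN"
    $li   = $root.Properties['maxPwdAge'].Value            # IADsLargeInteger COM object
    $raw  = ([long]$li.HighPart -shl 32) -bor ([long]$li.LowPart -band 0xFFFFFFFF)
    if ($raw -eq [long]::MinValue) { return $null }
    return [math]::Round([timespan]::FromTicks(-$raw).TotalDays, 1)
}

# Enabled users (UAC bit 0x2 clear) whose password can expire (UAC bit 0x10000 clear).
$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$searcher = [ADSISearcher]'(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536))'
$searcher.PageSize = 1000
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet'))

$maxAge = Get-MaxPasswordAgeDays -DomainDN $domainDN
$searcher.FindAll() | ForEach-Object {
    $raw = [long]$_.Properties['pwdlastset'][0]
    $age = Get-PasswordAgeDays -PwdLastSet $raw
    [pscustomobject]@{
        User       = $_.Properties['samaccountname'][0]
        PwdLastSet = if ($raw -ne 0) { [datetime]::FromFileTimeUtc($raw) } else { $null }
        AgeDays    = $age
        MustChange = ($raw -eq 0)
        Expired    = ($null -ne $maxAge -and $null -ne $age -and $age -gt $maxAge)
    }
} | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Two things worth checking in the output: a pwdLastSet of 0 is not an "old" password but a forced change pending, and accounts flagged "password never expires" are deliberately excluded here because their age is not policy-relevant even though it may be large.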

demote on File and print server

I have 2 DCs running Windows 2003 Server. DC2 also has the File and Print roles, and all users connect to this server for file and print. However, this server has a replication problem. If I demote DC2, will it still retain all the user permissions on the share drive?

Server 2012R2 Crash after failed IDMU password sync

Our 2012 DCs crash after event 8197:

Error in connecting to Host at the specified port. 
host = 192.168.168.192 
port = 6677 
Please check if the host is up and is running SSOD on the specified port. Winsock error is in the message data.

Followed by event 1000:

Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdll.dll, version: 6.3.9600.17031, time stamp: 0x530895af
Exception code: 0xc0000008
Fault offset: 0x000000000009ca6a
Faulting process id: 0x224
Faulting application start time: 0x01cf9566b19c1df0
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 94688131-01b7-11e4-80d2-005056802892
Faulting package full name: 
Faulting package-relative application ID: 

Resulting in event 1015:

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000008.  The machine must now be restarted.

And after 1 minute it restarts.

Looks like exactly the same problem as this:
http://social.technet.microsoft.com/Forums/en-US/b8fe4bc0-a656-4c1f-8d7a-30e148169324/idmu-password-synchronisation-crash-windows-2012?forum=winserverDS

Unfortunately no solution is given there.

Please help



Unicode character - complex password policy in AD

I have complexity enabled for user passwords in AD ("Password must meet complexity requirements" is Enabled).

Per the Microsoft article, the allowed characters include:

http://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx 

Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

I have been asked to provide a hint to users about which characters are allowed under the line quoted above (Unicode characters: which Unicode characters are allowed to be part of a user password?).

Thanks


Inderjit
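The hint users need is the rule itself: at least three of five character categories, and no account-name or display-name fragments. The following function is an added example, not from the post or from Microsoft, that models that rule with .NET's Unicode-aware character tests so it can be run against candidate strings in any script. The fifth category, "alphabetic but not uppercase or lowercase", is evaluated as a letter for which neither IsUpper nor IsLower holds (CJK ideographs, Hiragana, Hebrew, Arabic and similar caseless scripts); that reading is the example's assumption, and the sample inputs are constructed.

```powershell
# Added example (not from the original post). Models the documented complexity rule:
# no samAccountName and no displayName token of 3+ characters in the password, and at
# least 3 of 5 character categories. The fifth category is taken as "letter that is neither
# upper- nor lower-case" (assumption). Save as UTF-8 with BOM when testing non-ASCII strings.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName    = ''
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # Rule 1: account name, and display-name tokens split on , . - _ space # tab (case-insensitive).
    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons.Add('contains account name')
    }
    foreach ($tok in ($DisplayName -split '[,\.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password -match [regex]::Escape($tok)) { $reasons.Add("contains display-name token '$tok'") }
    }

    # Rule 2: count categories with Unicode-aware tests, not [A-Z]/[a-z].
    $cat = [ordered]@{
        Upper       = $false   # A, É, Ж ...
        Lower       = $false   # a, é, ж ...
        Digit       = $false   # 0-9
        Special     = $false   # anything that is neither letter nor digit: ! $ # % space ...
        OtherLetter = $false   # caseless letters: CJK ideographs, Hiragana, Hebrew, Arabic ...
    }
    foreach ($c in $Password.ToCharArray()) {
        if     ([char]::IsUpper($c))  { $cat.Upper = $true }
        elseif ([char]::IsLower($c))  { $cat.Lower = $true }
        elseif ([char]::IsDigit($c))  { $cat.Digit = $true }
        elseif ([char]::IsLetter($c)) { $cat.OtherLetter = $true }   # alphabetic, no case
        else                          { $cat.Special = $true }
    }
    $count = @($cat.Values | Where-Object { $_ }).Count
    if ($count -lt 3) { $reasons.Add("only $count of 5 character categories used") }

    [pscustomobject]@{
        Password   = ('*' * $Password.Length)   # never echo the candidate itself
        Categories = ($cat.GetEnumerator() | Where-Object Value | ForEach-Object Key) -join ','
        Compliant  = ($reasons.Count -eq 0)
        Reasons    = $reasons -join '; '
    }
}

# Constructed test inputs: ASCII only, a name fragment, and a caseless CJK password.
Test-PasswordComplexity -Password 'Summer2014'            -SamAccountName 'inderjit' -DisplayName 'Inderjit Singh'
Test-PasswordComplexity -Password 'inderjit-Pass1!'       -SamAccountName 'inderjit' -DisplayName 'Inderjit Singh'
Test-PasswordComplexity -Password '日本語のパスワード7!'   -SamAccountName 'inderjit' -DisplayName 'Inderjit Singh'
```

The third input is the interesting one for the question asked: it has no uppercase or lowercase letters at all, yet satisfies three categories (caseless letters, a digit, a symbol), which is exactly why the fifth category exists. The user-facing hint can therefore say that letters from scripts without case count as their own category, so a CJK or Arabic password still needs two of digit, symbol, or a cased Latin/Cyrillic letter.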

How to upgrade Domain - 2003 to 2012 R2 - task sequence

Could someone please sanity check this task sequence?  I need to upgrade a 2003 domain to 2012 R2 and would appreciate a second set of eyes.  Thanks.

Goal:

1. standup two new 2012 R2 DCs

2. decomm three old DCs

3. raise DFL/FFL to 2012 R2

Current DFL/FFL = 2003 (one site, one domain, 3 DCs, 400 users)

3 Existing DCs (all to be decommed):

  OldDC1 = Svr2003 Std Ed SP2 x64 (holds all FSMO roles, GC=yes)
  OldDC2 = Svr2003 Ent Ed SP1 x86 (holds no FSMO roles, GC=yes)
  OldDC3 = Svr2003 Std Ed SP2 x64 (holds no FSMO roles, GC=no)

New DCs to be added:

  NewDC1 Svr2012 R2
  NewDC2 Svr2012 R2

Proposed task Sequence:

* build and patch OS, then add ADDS role to NewDC1 and NewDC2 (do not yet add servers to existing domain)

* in the network config of new DCs, set the DNS server IP to the IP of OldDC1

* when installing ADDS, I will be prompted to run Adprep.exe - it will be run as part of installing ADDS - this will update existing domain schema as needed.

* add NewDC1 and NewDC2 to existing domain

* in the network config of the new DCs, set the DNS server IP to that of the local server

* make both GCs, make both DNS servers

* distribute FSMO roles thusly:

* DC1 = PDCE, RID (more frequently used roles)

* DC2 = SM, DNM, IM (rarely used roles)

* run dcdiag.exe commands to verify functionality

* power off OldDCs one at a time, waiting 24 hours between each shut down

* raise DFL/FFL to 2012 R2 after all old DCs are decommed
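The sequence above, consolidated into the PowerShell an administrator would actually run on the 2012 R2 servers, with the verification commands between the steps. This is an added example, not part of the original post; the domain name contoso.local, the site name and the host names are assumptions. It differs from the post in one respect: it demotes the old DCs (dcpromo on the 2003 boxes, since they have no Uninstall-ADDSDomainController) instead of powering them off, so their metadata is removed cleanly and nothing has to be cleaned up with ntdsutil later.

```powershell
# Added example (not from the original post). Assumptions: domain contoso.local, new DCs
# NewDC1/NewDC2, old DCs OldDC1..3, site Default-First-Site-Name. adprep runs automatically
# as part of Install-ADDSDomainController on 2012 R2; it needs the schema master (OldDC1) reachable.

$Domain = 'contoso.local'

# --- On NewDC1 and NewDC2 (member servers pointing at OldDC1 for DNS): promote ---
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns -SiteName 'Default-First-Site-Name' `
    -Credential (Get-Credential "$Domain\Administrator")
# New DCs are global catalogs by default; after reboot, point each DC's DNS at itself and the other new DC.

# --- From a new DC after reboot: verify replication and health before touching roles ---
repadmin /replsummary
dcdiag /test:replications /test:advertising /test:fsmocheck /q
Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog, OperatingSystem, Site

# --- Graceful FSMO transfer (the old holders are still online, so no -Force) ---
Move-ADDirectoryServerOperationMasterRole -Identity NewDC1 -OperationMasterRole PDCEmulator, RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity NewDC2 -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster
netdom query fsmo

# --- Before demoting: nothing may still depend on the old DCs as DNS servers or name servers ---
# DHCP scope options, static clients and firewall rules that reference OldDC1's IP must change first.
Get-DnsServerResourceRecord -ZoneName $Domain -RRType NS

# --- Demote old DCs one at a time (dcpromo, run locally on each 2003 DC), then confirm from a new DC ---
$sitesDn = 'CN=Sites,CN=Configuration,DC=' + ($Domain -replace '\.', ',DC=')
Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase $sitesDn | Select-Object Name   # old names must be gone
repadmin /replsummary

# --- Raise functional levels only when every remaining DC is 2012 R2; this is irreversible ---
Set-ADDomainMode -Identity $Domain -DomainMode Windows2012R2Domain -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2012R2Forest -Confirm:$false
Get-ADDomain | Select-Object DomainMode
Get-ADForest | Select-Object ForestMode
```

One follow-up the sequence does not mention: a domain that started at 2003 DFL replicates SYSVOL with FRS, and raising the functional level does not change that. Migrating SYSVOL to DFS-R with dfsrmig is a separate step once the DFL is 2008 or higher.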


Upgrade Windows Server 2003 standard sp2 File and Print server to Windows server 2008

I have a Windows 2003 SP2 File and Print server and I would like to upgrade this server to Windows 2008 (32-bit). Will all the permissions and printers be unchanged after the upgrade? Please help me with the steps to perform this task.

Attempting to join Win8 client to 2k12R2 domain - Repeated "The target account name is incorrect" messages

I have a machine that was incorrectly moved from a domain to a workgroup. I'm now trying to get it back into the domain but am unable to join. Every time I try to change back to "<mydomain>.com" I get prompted for username/password and then after about 3-10 seconds I get an error message with the detail "The target account name is incorrect".

Domain has 4 DNS servers and 3 AD DCs. 

IPConfig /all from client machine is:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : <mydomain>.com
   Description . . . . . . . . . . . : Intel(R) Gigabit CT Desktop Adapter
   Physical Address. . . . . . . . . : 00-1B-21-A8-06-8E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.189(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, July 3, 2014 10:58:22 AM
   Lease Expires . . . . . . . . . . : Thursday, July 3, 2014 11:58:22 AM
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.3
   DNS Servers . . . . . . . . . . . : 10.0.0.3
                                       10.0.0.4
                                       10.0.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

I found and deleted any machine accounts for this machine name. I also confirmed all clocks are in sync across all DCs. I checked DNS records and found 4 "Same as Parent Folder" NS records pointing to my 4 DNS hosts. There is only one "Same as Parent Folder" SOA record and that points to the hostname of the machine with IP 10.0.0.3.

On that machine, the IP Config is:

  Link-local IPv6 Address . . . . . : fe80::486c:ca3d:20a2:1f45%12(Preferred)
  IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 10.0.0.1
  DHCPv6 IAID . . . . . . . . . . . : 301995357
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-E9-BA-BC-00-15-5D-00-0D-04

  DNS Servers . . . . . . . . . . . : ::1
  NetBIOS over Tcpip. . . . . . . . : Enabled

Nothing is working. Any ideas? How can I get this machine back on the domain?


Unable to telnet to port 53 on Active Directory Domain Controller from a different subnet after upgrade from 2003 to 2008 R2

Hi Guys

We recently upgraded our domain controller from Windows 2003 to Windows 2008 R2. After the upgrade, branch users encounter login failures and cannot authenticate with the domain controller.

                 HQ IP           Branches IP
IP address       10.33.1.3       10.33.224.4
Subnet mask      255.255.128.0   255.255.255.0
                 10.33.1.2       10.33.224.2

we did check the port below

  • UDP Port 88 for Kerberos authentication ( ok )
  • UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations. (ok)
  • TCP Port 139 and UDP 138 for File Replication Service between domain controllers.(ok)
  • UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers. (ok)
  • TCP and UDP Port 445 for File Replication Service (ok)
  • TCP and UDP Port 464 for Kerberos Password Change (ok )
  • TCP Port 3268 and 3269 for Global Catalog from client to domain controller. (ok)
  • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller. (Fail)

We are unable to telnet to port 53 from the branches to HQ!

Is there anything we can do on the server? What is the impact if port 53 cannot be accessed?

Thanks

Best Regards

Darren
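Both the join failure two posts up and the blocked port 53 here come down to the same path: a client locates a DC through DNS SRV records, then talks Kerberos and LDAP to it, and "The target account name is incorrect" (KRB_AP_ERR_MODIFIED) is what Kerberos reports when the SPN it asked for resolves to a different account than the host that answered. The script below is an added example, not from either post, that walks that path from a client: SRV lookup, TCP and UDP 53 reachability per configured DNS server, Kerberos/LDAP ports on each advertised DC, time skew, and duplicate SPNs. The domain contoso.com is an assumption; it needs Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example, not from either post. Run on the client that cannot join, or on a branch
# workstation. Assumptions: domain contoso.com; run as a domain user so setspn can query AD.

param([string]$Domain = 'contoso.com')

# 1. Can the client find a DC at all? _ldap._tcp.dc._msdcs is what the DC locator queries.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV records for $Domain. Without DNS the locator never finds a DC, so logons and joins fail even with 88/389 open."
} else {
    $srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
}

# 2. Per configured DNS server: TCP 53 reachable, and does a query get answered?
#    The Windows resolver sends UDP first and falls back to TCP only on a truncated reply,
#    so a failed query with TCP 53 open points at UDP 53 being blocked.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses | Select-Object -Unique
foreach ($dns in $dnsServers) {
    $tcp = Test-NetConnection -ComputerName $dns -Port 53 -WarningAction SilentlyContinue
    $ans = Resolve-DnsName -Name $Domain -Server $dns -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DnsServer = $dns
        Tcp53     = $tcp.TcpTestSucceeded
        Answers   = [bool]$ans
        Note      = if ($tcp.TcpTestSucceeded -and -not $ans) { 'UDP 53 blocked, or zone not hosted here' }
                    elseif (-not $tcp.TcpTestSucceeded -and $ans) { 'TCP 53 blocked: large SRV answers will truncate' }
                    else { '' }
    }
}

# 3. For each advertised DC: Kerberos (88) and LDAP (389), and time skew (must be under 5 minutes).
foreach ($dc in (($srv | Where-Object Type -eq 'SRV').NameTarget | Select-Object -Unique)) {
    $k = Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue
    $l = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{ DC = $dc; Kerberos88 = $k.TcpTestSucceeded; Ldap389 = $l.TcpTestSucceeded }
}
w32tm /stripchart /computer:$Domain /samples:3 /dataonly

# 4. KRB_AP_ERR_MODIFIED: list duplicate SPNs forest-wide, then the SPNs registered for this host name.
#    A stale or second computer object carrying HOST/<thisname> is the classic cause.
setspn -X -F
setspn -Q HOST/$env:COMPUTERNAME
```

For the port 53 question specifically: if branch clients cannot reach DNS on the DC and have no other DNS server hosting the _msdcs zone, step 1 fails and every later step is moot, which matches "login fails" better than any single blocked authentication port.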

Access Active Directory Domain Services on VM Machine from local machine (laptop)

Dear All,

I am using the version of VMware Workstation shown below on my laptop. I have created one VM with Windows 2012 Datacenter Edition and configured it as an AD Domain Services machine. How can I access the domain IP, which is 192.192.0.1, from my local machine (laptop)?

Product :VMware® Workstation

Version :10.0.2 build-1744117

Machine 1: Settings
[Screenshot: VM1.jpg]

Machine 1: Network Connection Settings
[Screenshots: VM2.jpg, VM3.jpg]

The IP addresses of each of the network cards are:


C:\Users\Administrator>ipconfig/all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Airliner
   Primary Dns Suffix  . . . . . . . : dbprox.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : dbprox.local
                                       localdomain

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-2B-2F-BD
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.192.0.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.192.0.100
   DNS Servers . . . . . . . . . . . : 192.192.1.1
                                       192.161.161.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-2B-2F-B3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.161.136(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, 5 July 2014 12:41:46 PM
   Lease Expires . . . . . . . . . . : Saturday, 5 July 2014 1:41:46 PM
   Default Gateway . . . . . . . . . : 192.186.0.1
                                       192.168.161.2
   DHCP Server . . . . . . . . . . . : 192.168.161.254
   DNS Servers . . . . . . . . . . . : 192.168.161.2
   Primary WINS Server . . . . . . . : 192.168.161.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:c0c0:1::c0c0:1(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.192.1.1
                                       192.161.161.2
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{04A33498-31FA-4E61-8910-B5F2CE50F1A1}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator>

Regards

Sufian


Mohd Sufian www.sqlship.wordpress.com Please mark the post as Answered if it helped.


Logon Authentication Options

Hi all,

Just hoping to get some help with some information on my course work.

I need to know what logon authentication options are available for local user and domain user accounts, and then how these authentication methods can be controlled by the domain controller.

Any information appreciated,

Cheers,

QuiKGun

netsh http add sslcert - The parameter is incorrect - Windows Federation Services 3.0 - Server 2012R2

Hello there.

We are running WFS 3.0 on a W2012R2 server.

Microsoft is telling us that we have to run "netsh http add sslcert" command (with all the parameters, of course) to fix an ongoing issue.

Unfortunately, that command (run either in a cmd prompt or in PowerShell) returns "The parameter is incorrect".

I have followed all possible Google links to all possible resolutions and none of them works.

Is anybody out there having the same issue?

Thank you.
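An added example, not from the post: the two things that most often make netsh http add sslcert answer "The parameter is incorrect" are a certhash pasted from the certificate MMC, which carries spaces and an invisible U+200E left-to-right mark, and an appid whose braces PowerShell swallowed as a script block. The functions below normalize the thumbprint, confirm the certificate is in LocalMachine\My with a private key, and build a correctly quoted command. The service name fs.example.com is an assumption; the appid shown is the one an AD FS 3.0 farm reports in 'netsh http show sslcert', but verify it on your own farm rather than trusting this example. The pasted thumbprint is constructed input.

```powershell
# Added example (not from the original post). Assumptions: AD FS 3.0 on Server 2012 R2,
# federation service name fs.example.com, certificate in LocalMachine\My.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Drop everything that is not a hex digit: spaces, U+200E and other paste debris.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Thumbprint must be 40 hex chars after cleanup, got $($clean.Length)" }
    return $clean
}

function Get-AdfsSslBindingCommand {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$AppId = '{5d89a20c-beab-4389-9447-324788eb944a}'   # AD FS app id as reported by a working farm; verify
    )
    $hash = ConvertTo-CleanThumbprint $Thumbprint
    # HTTP.sys binds from LocalMachine\My and needs the private key; warn early if either is missing.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
    if (-not $cert)               { Write-Warning "No certificate with thumbprint $hash in LocalMachine\My" }
    elseif (-not $cert.HasPrivateKey) { Write-Warning "Certificate $hash has no private key; HTTP.sys cannot bind it" }
    # appid is quoted so PowerShell passes the braces through to netsh literally.
    "netsh http add sslcert hostnameport=${HostName}:$Port certhash=$hash appid='$AppId' certstorename=MY"
}

# Constructed input: a thumbprint as it looks when pasted from the MMC (leading U+200E, spaces).
$pasted = "$([char]0x200E)ab 12 cd 34 ef 56 ab 12 cd 34 ef 56 ab 12 cd 34 ef 56 ab 12"
ConvertTo-CleanThumbprint $pasted        # AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12

# Build, review, then run the command; check the binding afterwards.
$cmd = Get-AdfsSslBindingCommand -Thumbprint $pasted -HostName 'fs.example.com'
$cmd
# Invoke-Expression $cmd
# netsh http show sslcert hostnameport=fs.example.com:443

# On AD FS 3.0 the supported route writes the same HTTP.sys binding for you:
# Set-AdfsSslCertificate -Thumbprint (ConvertTo-CleanThumbprint $pasted)
```

If the cleaned thumbprint is not 40 characters the paste lost or gained a character, which is the other common source of the same error message.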

How to access Active Directory to build the organization we need

How to access Active Directory to build the organization we need

1-Domain Admin ?

2-Account Operator ? ,....???

ADMT 3.2 "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied."

Hi,

I am receiving the following error while trying to migrate users with SIDHistory on my ADMT 3.2 server.

"Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied."

NOTE: I have already followed the recommendations as per the following article, but still it doesn't appear to be working and I am receiving the above error.

http://technet.microsoft.com/en-us/library/cc974410(v=ws.10).aspx

STEPS ALREADY FOLLOWED:



HA

Forgot to DCPROMO after Migrating from 2008 to 2012R2

Hi,

I recently migrated from a Windows Server 2008 DC to Windows Server 2012 R2. I followed a link from here and followed the migration process step by step.
http://www.youtube.com/watch?v=xVnPeFZWCC4

Except for ONE last thing - I forgot to DCPROMO the old server, i.e. the old Domain Controller.
The old DC is not available anymore - it was formatted for other stuff.

I have ONE problem - the AD keeps trying to replicate to the OLD DC. My questions are as follows:
1) How can I delete the OLD DC from the NEW DC completely, including DNS entries?
2) How do I stop the replication?
3) What are the implications if I just leave it the way it is and don't do anything to the current setup?

Thanks for your time.
Feroz Dosani.
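The answer to all three questions is metadata cleanup: the surviving DC keeps a replication partner object for the dead server, so it will try to replicate, log errors, and keep any FSMO role the old DC held pointed at a host that no longer exists. The script below is an added example, not from the post, run on the surviving 2012 R2 DC as a Domain Admin: it reports what still references the old DC, seizes any roles it held, removes its metadata with ntdsutil, and deletes DNS records pointing at it. The names OLDDC / 192.168.1.10 and the domain contoso.local are assumptions; read the output of step 1 before letting steps 2-4 run.

```powershell
# Added example (not from the original post). Run on the surviving DC with Domain Admin rights.
# Assumptions: domain contoso.local, wiped DC 'OLDDC' at 192.168.1.10, this host is the new DC.

$Domain = 'contoso.local'
$OldDc  = 'OLDDC'
$OldIp  = '192.168.1.10'
$NewDc  = $env:COMPUTERNAME

# 1. What still references the old DC: FSMO roles and replication links.
$dom    = Get-ADDomain
$forest = Get-ADForest
$dom    | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
$forest | Select-Object SchemaMaster, DomainNamingMaster | Format-List
repadmin /showrepl | Select-String $OldDc

$roles = @()
if ($dom.PDCEmulator            -like "$OldDc.*") { $roles += 'PDCEmulator' }
if ($dom.RIDMaster              -like "$OldDc.*") { $roles += 'RIDMaster' }
if ($dom.InfrastructureMaster   -like "$OldDc.*") { $roles += 'InfrastructureMaster' }
if ($forest.SchemaMaster        -like "$OldDc.*") { $roles += 'SchemaMaster' }
if ($forest.DomainNamingMaster  -like "$OldDc.*") { $roles += 'DomainNamingMaster' }

# 2. Seize (not transfer: the holder is gone) whatever the dead DC still holds.
if ($roles) {
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $roles -Force -Confirm:$false
}

# 3. Metadata cleanup. Removing the server object via ntdsutil also removes the NTDS Settings
#    object, replication links and the FRS/DFSR member, which is what stops the replication attempts.
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = (Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$OldDc'" -SearchBase $configNc).DistinguishedName
if ($serverDn) {
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}
# The computer account is normally removed by the step above; delete it if it survived.
Get-ADComputer -Filter "name -eq '$OldDc'" -ErrorAction SilentlyContinue | Remove-ADObject -Recursive -Confirm:$false

# 4. DNS: every record that still points at the dead DC (A, NS, SRV, CNAME), in both zones.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue | Where-Object {
        ($_.RecordType -eq 'A'     -and $_.RecordData.IPv4Address.IPAddressToString -eq $OldIp) -or
        ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -like "$OldDc.*") -or
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$OldDc.*") -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$OldDc.*")
    } | ForEach-Object {
        Write-Host "Removing $($_.RecordType) $($_.HostName) from $zone"
        Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $_ -Force
    }
}

# 5. Confirm: no partner left, all roles held by a live DC.
repadmin /replsummary
dcdiag /test:replications /test:fsmocheck /q
```

Leaving it as is (question 3) means replication errors accumulate in the event log, any FSMO role the old DC held is effectively dead (no new RID pools, no schema changes, no time authority if it was the PDC emulator), and clients that pick its stale SRV records from DNS wait for timeouts before they fall back to the live DC.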


To build the organization's Active Directory permissions are what we need

To build the organization's Active Directory permissions are what we need

AD Management - One Team or Many?

We are a medium-size business with a relatively simple AD configuration.  We have been experiencing a lot of pain with distributed management of AD.  Security, sysadmins and even tech support teams all have roles and responsibilities in AD (group/user creation, Sites and Services, GPO, etc.).  No one is an expert and there is no single neck to wring.  This is leading to chaos, but we don't know if the grass is greener with just one group of talented individuals controlling all AD administration.

In your experience, is it better to have multiple teams administering AD or one group of people?

Secondary DNS server is missing from DNS Manager.

We noticed that webpages were not being fully downloaded, so I investigated and found our secondary DNS server was missing from our network.   I can log in via IP but not hostname.  When I access DNS Manager it says "Automated Test Query Failed". Why would this happen and how would I resolve it?  Also, why would the secondary DNS server cause this effect?  Shouldn't the primary be able to handle this without the secondary's involvement?  Our domain has been functioning correctly for many months and for this to happen is rather strange.

Account lockout with no bad password attempts in registry

I have an account that keeps getting locked out. I used the LockoutStatus tool to locate which DC was registering the bad pwds and generating the lockout. However, when I search the event log at the times indicated, I can find the lockout, but no bad authentication attempts. Other than the repeated lockouts (event id 4740) and unlocks (id 4767) by the helpdesk, there are no events containing this user's name at all. I see numerous bad pwd events (id 4776) for other users, so I know the logging is configured correctly. Obviously I'm missing something.

Where is LockoutStatus getting its information on the number and time of bad pwds? How can I find those entries?

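LockoutStatus.exe reads badPwdCount, badPasswordTime and lockoutTime directly from each DC, and those attributes are not replicated: the DC that actually received the bad passwords may not be the DC whose Security log was searched, and Kerberos pre-authentication failures are event 4771, not 4776 (which is NTLM only). The script below, an added example not from the post, reproduces what the tool does from PowerShell by querying every DC for the per-DC attributes, then reads 4740/4771/4776/4625 from the DCs that recorded failures plus the PDC emulator (which sees every retried bad password) and extracts the source machine from each event. The account name jdoe is an assumption; it needs rights to read Security logs on the DCs.

```powershell
# Added example (not from the original post). Assumptions: run as a member of Event Log Readers
# or Domain Admins; account to investigate is 'jdoe'.

param([string]$User = 'jdoe', [int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Per-DC view of the non-replicated lockout attributes (the same data LockoutStatus shows).
$perDc = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $User -Server $dc -Properties badPwdCount, lastBadPasswordAttempt, lockoutTime -ErrorAction SilentlyContinue
    if ($u) {
        [pscustomobject]@{
            DC              = $dc
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $u.lastBadPasswordAttempt
            LockedOutAt     = if ($u.lockoutTime -gt 0) { [datetime]::FromFileTime($u.lockoutTime) } else { $null }
        }
    }
}
$perDc | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize

# 2. Read the failures where they were recorded. The PDC emulator is always included because
#    every DC forwards a failed password check to it, so it logs the 4740 and a copy of the failure.
$suspects = $perDc | Where-Object { $_.BadPwdCount -gt 0 -or $_.LockedOutAt } | Select-Object -ExpandProperty DC
$suspects = @($suspects) + (Get-ADDomain).PDCEmulator | Select-Object -Unique

foreach ($dc in $suspects) {
    Write-Host "`n== $dc =="
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4771, 4776, 4625; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "\b$([regex]::Escape($User))\b" } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            # 4740 puts the caller computer name in TargetDomainName; 4771 uses IpAddress;
            # 4776 uses Workstation; 4625 uses WorkstationName/IpAddress.
            Source = ($d['TargetDomainName'], $d['IpAddress'], $d['Workstation'], $d['WorkstationName'] |
                      Where-Object { $_ -and $_ -ne '-' }) -join ' '
            # 4771 Status 0x18 = wrong password; 4776 Status 0xC000006A = wrong password; 4625 SubStatus likewise.
            Reason = ($d['Status'], $d['FailureCode'], $d['SubStatus'] | Where-Object { $_ }) -join ' '
        }
    } | Format-Table -AutoSize
}
```

The Source column is what ends the hunt: a 4740 whose caller computer name is a server rather than the user's workstation usually means a stored credential, a scheduled task, a service, or a mapped drive on that machine is still presenting the old password.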

ACL not working on groups but on users

Hello Everyone,

I'm having a very strange issue here.

I have a share on a server, let's call it C:\share$, that has Everyone in the share permissions and a few security groups in the security permissions.

For some reason that I cannot explain, some users that are members of the groups granted permissions on this share do not have access to it; they get an access denied error.

When I go to the "Effective Permissions" tab in Security/Advanced and select the group, I can see that it has all the required permissions. However, when I select the user, it has NONE!

I tried removing the user from the group and re-adding it, and removing the group and re-adding it to the share's ACLs, but it did not change anything.

Thank you for your help.
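The Effective Permissions tab evaluates the group list AD reports for the user right now, while the file server evaluates the group SIDs in the user's access token, which were fixed when the user logged on (and, across SMB, when their Kerberos ticket was issued). A user added to a group after logon therefore fails until they log off and on again, and a Deny ACE or a group-scope mismatch produces the same symptom. The script below is an added example, not from the post: it takes the user's tokenGroups from AD (nested membership already expanded), matches them against the NTFS ACEs and flags any Deny, shows the share-level permissions, and prints the AD-side group list to diff against 'whoami /groups' on the user's machine. The share name, path and user are assumptions; run it on the file server as an administrator.

```powershell
# Added example (not from the original post). Assumptions: folder C:\share$, SMB share 'share$',
# user 'jdoe'; run on the file server with the ActiveDirectory module available.

param(
    [string]$Path      = 'C:\share$',
    [string]$ShareName = 'share$',
    [string]$User      = 'jdoe'
)

# 1. The user's full SID list as AD computes it now. tokenGroups includes nested groups.
$adUser   = Get-ADUser -Identity $User -Properties tokenGroups
$userSids = @($adUser.SID.Value) + @($adUser.tokenGroups | ForEach-Object { $_.Value })
$userSids += 'S-1-1-0', 'S-1-5-11'   # Everyone and Authenticated Users are always in a network logon token

# 2. NTFS ACL: which ACEs match those SIDs, and is any of them a Deny?
$acl  = Get-Acl -Path $Path
$hits = foreach ($ace in $acl.Access) {
    $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
    if ($sid -and $userSids -contains $sid) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
Write-Host "NTFS ACEs on $Path that apply to ${User}:"
$hits | Format-Table -AutoSize
if ($hits | Where-Object Type -eq 'Deny') { Write-Warning 'A Deny ACE matches this user; Deny wins over every Allow.' }
if (-not $hits) { Write-Warning "No NTFS ACE matches any SID in the user's tokenGroups: check group scope, domain, or unresolved SIDs in the ACL." }

# 3. Share-level permissions: effective access is the more restrictive of share and NTFS.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 4. AD's current group list for the user, to diff against 'whoami /groups' run in the user's session.
$adUser.tokenGroups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
} | Sort-Object
# A group listed here but missing from the user's 'whoami /groups' output means the token is
# stale: log off and on (or 'klist purge' and reconnect the share) before the membership applies.
```

If step 2 shows a matching Allow, step 3 shows Everyone with at least Read, and the group still does not appear in the user's live token, the cause is the stale token rather than the ACL, which is exactly the case the Effective Permissions tab cannot show because it never looks at a real session.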
