Channel: Directory Services forum

AD FS Across Differing Domain Functional Levels


My customer needs to implement AD FS for single sign on due to a cloud based email solution they recently implemented. The problem is, their domain controllers are Server 2003 (non-R2) at a functional level of 2003 mixed mode. They should be able to raise to 2003 native if necessary however. Their solution is to create a new 2008 domain and implement a two-way trust, running AD FS in the new domain serving the clients in the 2003 domain.  This way should be quicker than upgrading their current domain which would be a rather large project due to their size and complexity. 

Are there any gotchas I should know about with doing it this way? I have verified that we can create the two-way trust between domains of these functional levels, and AD FS can service clients in a trusted domain, but I am not entirely sure if AD FS will care that the trusted domain is 2003 non-R2. Can anyone confirm if this will be a feasible scenario?

Thanks very much!!

Wraith


AD sync Error


Hi,

I have a Windows 2012 64-bit AD which holds all 5 FSMO roles (call it AD-1) and another AD with Windows 2003 32-bit (AD-2). Originally AD-2 was the main AD that held the FSMO roles, but all the roles have now been transferred to AD-1; this configuration has worked well for more than a year.

A few weeks back, the AD-1 server event log showed errors in replication but no error in AD-2. So I ran repadmin /syncall on AD-1 and AD-2. On AD-1, I get error code 1722, and on AD-2 it ran successfully with no error.

1) What could be wrong here?

2) How do I fix the problem?

I have disabled the firewall and antivirus functions on both servers, and they are connected to the same gigabit switch (flat network, no VLAN).

Any pointers here would be appreciated.  Thank you.

Regards.
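
Added example, not code from the original post: error 1722 is RPC_S_SERVER_UNAVAILABLE ("The RPC server is unavailable"), so the things to check from the DC that reports it are the partner's replication alias in DNS, the endpoint mapper on TCP 135, and a directory RPC bind, in that order. The partner name AD-2 is taken from the post; everything else is assumed. Run on AD-1 (the 2012 DC, which has the RSAT ActiveDirectory module and Test-NetConnection).

```powershell
param([string]$Partner = 'AD-2')   # name from the post; the DC whose syncall ran without error
Import-Module ActiveDirectory

$forest  = (Get-ADForest).RootDomain
$dc      = Get-ADDomainController -Identity $Partner
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
$cname   = "$dsaGuid._msdcs.$forest"   # replication connects to this alias, not to the host name

# 1. The alias must resolve to the partner's host name, and that to an address
$alias = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue | Where-Object Type -eq 'CNAME'
if ($alias) { "CNAME $cname -> $($alias.NameHost)" }
else        { Write-Warning "CNAME $cname does not resolve; 1722 follows directly from that" }

# 2. Endpoint mapper (135) plus the transports the bind and its Kerberos auth ride on
foreach ($port in 135, 389, 445, 88) {
    $r = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
    '{0}:{1,-4} {2}' -f $dc.HostName, $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'not reachable' })
}

# 3. Bind to the partner's directory RPC interface the way replication does
repadmin /bind $dc.HostName | Select-Object -First 6

# After 135 answers, the actual DRS call goes to a dynamic port: 1025-5000 on a 2003 DC,
# 49152-65535 on 2008 and later. Anything filtering between the two must allow both ranges.
```

If step 1 fails, the fix is DNS (the 2003 DC's CNAME under _msdcs, or AD-1 pointing at a DNS server that does not hold it); if step 1 passes and step 3 still fails, the problem is between the endpoint-mapper handshake and the dynamic port, which is where host firewalls and stale IPsec policies usually show up even on a flat switch.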

ISSUE: "This domain controller must register a DNS SRV resource record, which is required for replication to function correctly"


So we currently have three domain controllers set up, two of them on 2012 R2 and one of them on 2008 R2. Prior to any of these domain controllers being added to the domain there was only one, running on 2003 R2. The 2003 R2 server was up and running when the first 2012 R2 was added, and that's when running 'dcdiag /e /c /v' would yield an issue with "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local" in the DNS portion of the diagnostics, specifically:

               TEST: Records registration (RReg)
                  Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
                     Error:
                     Missing SRV record at DNS server 192.168.22.4:
                     _ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local

After adding the second 2012 R2 to the domain, this issue is still there. Adding the 2008 R2 server to the domain and running BPA gives the following:

Title:
This domain controller must register a DNS SRV resource record, which is required for replication to function correctly

Severity:
Error

Date:
7/3/2014 11:24:48 AM

Category:
Configuration

Issue:
The "DcByGuid" DNS service (SRV) resource record that advertises this server as an available domain controller in the domain and ensures correct replication is not registered. All domain controllers (but not RODCs) in the domain must register this record.

Impact:
Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.

Resolution:
Ensure that "DcByGuid" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the DNS service (SRV) resource record "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local", pointing to the local domain controller "CM-DC4-NY01.cmedia.local", is registered in DNS.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=126968

I've tried scanning and re-scanning every single entry in DNS Manager and do not see any reference to this specific GUID, nor do I see any other domain controllers referenced that should not be in there. The two 2012 R2 and the 2008 R2 domain controllers are the only ones listed in DNS Manager; the 2003 R2 mentioned earlier failed and was removed.
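
Added example, not code from the original post: the three checks the BPA resolution text lists, run from the DC being diagnosed. The GUID in a DcByGuid record is the domain's own objectGUID (not any DC's), so the first line this prints is the record the domain should have; compare it with the one BPA names. Requires the RSAT ActiveDirectory and DnsClient modules; no other assumptions.

```powershell
Import-Module ActiveDirectory
Import-Module DnsClient

$domain = Get-ADDomain
$forest = Get-ADForest
# DcByGuid = _ldap._tcp.<domain objectGUID>.domains._msdcs.<forest root DNS name>
$record = "_ldap._tcp.$($domain.ObjectGUID).domains._msdcs.$($forest.RootDomain)"
"Expected DcByGuid record: $record"

# 1. Is DcByGuid suppressed? The value is a multi-string of record mnemonics; the policy key wins over the service key.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',
                 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters') {
    $avoid = (Get-ItemProperty -Path $key -Name DnsAvoidRegisteredRecords -ErrorAction SilentlyContinue).DnsAvoidRegisteredRecords
    if ($avoid -contains 'DcByGuid') { Write-Warning "DcByGuid is listed in DnsAvoidRegisteredRecords under $key" }
}

# 2. Ask every DNS server this DC is configured to use; replication partners will ask the same servers
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
           ForEach-Object ServerAddresses | Select-Object -Unique
foreach ($s in $servers) {
    $srv = Resolve-DnsName -Name $record -Type SRV -Server $s -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'
    if ($srv) { "$s : " + (($srv | ForEach-Object NameTarget) -join ', ') }
    else      { Write-Warning "$s : record missing" }
}

# 3. Re-register the locator records (what restarting Netlogon also does), then re-run step 2
nltest /dsregdns
```

If step 2 shows the record on one DNS server but not another, the problem is zone replication or a stale secondary, not registration; if it is missing everywhere after step 3, check that the DC's primary DNS server actually hosts _msdcs.cmedia.local and accepts secure dynamic updates from it.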


Adding namespace server and replicating folder structure


Not sure if this is the correct forum. @mod, please redirect if applicable.

When adding a second or subsequent Namespace server to a DFS Root, how is the virtual folderstructure replicated when that server is added?

The folder-targets are stored in AD under the System container. However, folders (to create a sensible hierarchy) are not stored in AD. Where do they come from when a new Namespace server is added ?

Regards, Marcel

ADFS - WIF issue in load balanced environment - Parameter name: certificate] Microsoft.IdentityModel.Web.RsaEncryptionCookieTransform..ctor(X509Certificate2 certificate)


Hi 

We are using passive claims-based authentication on a load-balanced app with sticky sessions enabled. We want to get rid of sticky sessions, and to do this, as suggested by an article on the MSDN site, I added this piece of code to my global.asax file to change the session cookie protection from DPAPI to RSA.

using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

void FederatedAuthentication_ServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    Log.Debug("FederatedAuthentication_ServiceConfigurationCreated");

    // Replace the default DPAPI-protected session cookie with one encrypted and signed using the
    // service certificate, so any node that holds that certificate can read a cookie written by another.
    // ServiceCertificate is populated from <serviceCertificate> in web.config; when it is not configured
    // it is null and RsaEncryptionCookieTransform throws ArgumentNullException.
    List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
    });
    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);

    FederatedAuthentication.WSFederationAuthenticationModule.AuthorizationFailed += WSFederationAuthenticationModule_AuthorizationFailed;
}

After adding this code, I receive the below error:

Server Error in '/' Application.

Value cannot be null.
Parameter name: certificate

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.ArgumentNullException: Value cannot be null.
Parameter name: certificate

Source Error: 
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 
[ArgumentNullException: Value cannot be null.
Parameter name: certificate]
   Microsoft.IdentityModel.Web.RsaEncryptionCookieTransform..ctor(X509Certificate2 certificate) +193
   Nasdaq.Gcs.Gnw.Editorial.UI.MvcApplication.FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e) in f:\Builds\1\Dragon\Editorial-main-WixDeploy\Sources\Gnw\Newswire\main\Editorial\Editorial.UI\Global.asax.cs:108
   Microsoft.IdentityModel.Web.FederatedAuthentication.get_ServiceConfiguration() +184
   Microsoft.IdentityModel.Web.HttpModuleBase.Init(HttpApplication context) +17
   System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +530
   System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +304
   System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +404
   System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +475

[HttpException (0x80004005): Value cannot be null.
Parameter name: certificate]
   System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +12968244
   System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +159
   System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +12807949

Did anyone else experience this error and find a solution? If so, please guide me.


RKD
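
Added example, not code from the original post: the stack trace shows e.ServiceConfiguration.ServiceCertificate arriving as null, and in WIF 3.5 that property is filled from the serviceCertificate element under microsoft.identityModel/service in web.config. This script reads that element from a web.config and checks that the referenced certificate is actually present in the named store on this node, with its private key. The web.config path is assumed.

```powershell
param([string]$WebConfig = 'C:\inetpub\wwwroot\Editorial\web.config')   # assumed path

[xml]$cfg = Get-Content -Path $WebConfig -Raw
$ref = $cfg.SelectSingleNode('/configuration/microsoft.identityModel/service/serviceCertificate/certificateReference')
if (-not $ref) {
    Write-Warning 'No <serviceCertificate><certificateReference> under <microsoft.identityModel><service>; ServiceConfiguration.ServiceCertificate will be null'
    return
}
# Defaults WIF applies when the attributes are omitted
$storeLocation = if ($ref.storeLocation) { $ref.storeLocation } else { 'LocalMachine' }
$storeName     = if ($ref.storeName)     { $ref.storeName }     else { 'My' }
$findType      = if ($ref.x509FindType)  { $ref.x509FindType }  else { 'FindBySubjectDistinguishedName' }
$findValue     = $ref.findValue
"Configured: $findType '$findValue' in $storeLocation\$storeName"

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $storeLocation)
$store.Open('ReadOnly')
$found = $store.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]$findType, $findValue, $false)
$store.Close()

if ($found.Count -eq 0) { Write-Warning 'Referenced certificate is not in that store on this node'; return }
foreach ($c in $found) {
    # The RSA transforms decrypt and sign with the private key, so HasPrivateKey must be true on every node
    '{0}  thumbprint={1}  privateKey={2}  expires={3:d}' -f $c.Subject, $c.Thumbprint, $c.HasPrivateKey, $c.NotAfter
}
```

Run it on every node behind the load balancer: the same certificate, exported with its private key, has to be installed on each of them, and the application pool identity needs read access to that private key, otherwise a cookie issued by one node is unreadable on the next and the user is bounced back to the STS.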

How do I set up an alert when a user's password is expiring

I am using Outlook 2013 via corporate Office 365 and I want to set up an alert via my Active Directory to send an email alert that a user's password is expiring.
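
Added example, not code from the original post: a script that reads each enabled user's computed password expiry from AD and mails those whose password expires within the next few days. It relies on the RSAT ActiveDirectory module and an SMTP relay; the relay name and sender address are assumed, and users need a mail attribute to be notified.

```powershell
param(
    [int]$DaysAhead     = 7,
    [string]$SmtpServer = 'smtp.corp.example',    # assumed relay
    [string]$From       = 'helpdesk@corp.example' # assumed sender
)
Import-Module ActiveDirectory

$now   = Get-Date
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

$expiring = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change at next logon; Int64.MaxValue = never expires under the effective policy. Skip both.
    if (-not $raw -or $raw -le 0 -or $raw -eq [long]::MaxValue) { continue }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)
    if ($daysLeft -ge 0 -and $daysLeft -le $DaysAhead) {
        [pscustomobject]@{ Name = $u.Name; Mail = $u.mail; Expires = $expires; DaysLeft = $daysLeft }
    }
}

foreach ($e in ($expiring | Where-Object Mail)) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $e.Mail `
        -Subject "Your password expires in $($e.DaysLeft) day(s)" `
        -Body   "Your Active Directory password expires on $($e.Expires.ToString('f')). Please change it before then."
}
$expiring | Sort-Object DaysLeft | Format-Table Name, Mail, Expires, DaysLeft -AutoSize
```

Schedule it daily under an account that only needs read access to user objects; the computed attribute already accounts for fine-grained password policies, so there is no need to read maxPwdAge yourself.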

ADMT Error 7585, An operations error occurred.


I am having a problem with cross forest migration with ADMT. I have a source domain which is Win 2003 R2 and target domain is Win 2008 R2. I've already created a two-way external trust and also added the target domain administrator to the administrators group of the source domain.

I need to move mailboxes from source domain exchange 2010 to target domain exchange 2010.

The ADMT 3.2 is installed on a member server in target domain with sql express 2008 sp1.

However when I try to migrate any user using ADMT it starts to run but gives me the following error,

"ERR3:7585 The account replicator is unable to continue.   An operations error occurred."

I already have forwarders in DNS servers for each domain to resolve the other and I get the correct response when I ping the target domain from the source domain dc and also vice versa. Also I've checked that auditing is enabled on both sides.

What's the problem now, and how do I resolve it?

FRS 13508 (No instance of 13509) - Diagnosing


Hello!

We have two 2008 R2 DCs and our second DC has been getting the 13508 for months. I have checked the logs and have found no instance of 13509. I have run ntfrsutl version and got this:

NtFrsApi Version Information
   NtFrsApi Major      : 0
   NtFrsApi Minor      : 0
   NtFrsApi Compiled on: Nov 19 2010 22:04:38
NtFrs Version Information
   NtFrs Major        : 0
   NtFrs Minor        : 0
   NtFrs Compiled on  : Nov 20 2010 02:15:59
   Latest changes:
   Install Override fix
OS Version 6.1 (7601) -
SP (1.0) SM: 0x0110  PT: 0x02
Processor:  AMD64 Level: 0x0006  Revision: 0x0f0b  Processor num/mask: 2/00000003

I'm not exactly sure what that means, but I continued to do some diagnostics.  I was able to ping the FQDN with no problem.  I disabled the firewalls on both boxes and tested with no luck. 

In addition, I have noticed that the DC that is NOT receiving the 13508 error is getting 13568:

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

It appears these two (13508 on DC2 and 13568 on DC1) started about the same time months ago. It tells me in 13568 to "Enable Journal Wrap Automatic Restore", but I'm afraid to do so. Is this something I should do?

Any idea what would be causing this and what my next steps would be?  Let me know if I can get you any more info.

Thanks for the help in advance!



Replication Problem


Hi,

I have a Windows 2008 SBE domain server (Domain A) which is not replicating with the other GC server (Domain B).

When I disconnect the domain server (Domain A) from the network, we are not able to join new machines to the domain.

Also, we are not able to access any data which is accessible with the domain login credentials.

Could you please help me to resolve this issue?

I am getting the below error message.

Error 7/7/2014 8:25:59 PM NtFrs 13568 None
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR. 
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" 
 Replica root path is   : "c:\windows\sysvol\domain" 
 Replica root volume is : "\\.\C:" 
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons. 
 
 [1] Volume "\\.\C:" has been formatted. 
 [2] The NTFS USN journal on volume "\\.\C:" has been deleted. 
 [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal. 
 [4] File Replication Service was not running on this computer for a long time. 
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:". 
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state. 
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service. 
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set. 
 
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again. 
 
To change this registry parameter, run regedit. 
 
Click on Start, Run and type regedit. 
 
Expand HKEY_LOCAL_MACHINE. 
Click down the key path: 
   "System\CurrentControlSet\Services\NtFrs\Parameters" 
Double click on the value name 
   "Enable Journal Wrap Automatic Restore" 
and update the value. 
 

If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.
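
Added example, not code from either post (the 13508/13568 pair above and this one both quote the same 13568 text): the recovery that event 13568 describes, scripted so that the flag is set back to 0 afterwards as the event's own warning advises. Run elevated on the DC that logged 13568. The backup path is assumed. Re-adding the DC to the replica set pulls SYSVOL from a partner, so a reachable, healthy partner is a precondition; with two DCs where the other one logs 13508 (cannot reach its partner), fixing that connectivity comes first, otherwise the "deleted from the replica set" step leaves you with no complete SYSVOL anywhere.

```powershell
param([string]$Backup = "C:\SysvolBackup-$(Get-Date -Format yyyyMMdd-HHmm)")   # assumed path

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$name = 'Enable Journal Wrap Automatic Restore'

# Keep a copy of the replica root named in the event before FRS rebuilds it
Copy-Item -Path "$env:SystemRoot\SYSVOL\domain" -Destination $Backup -Recurse -Force

# Step [1] from the event: set the flag and restart FRS instead of waiting for the 5-minute poll
Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
$start = Get-Date
Restart-Service -Name NtFrs

# Step [2] happens on the following poll; 13516 is FRS reporting the system volume initialized again
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $ok = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $start } -ErrorAction SilentlyContinue
} until ($ok -or (Get-Date) -gt $deadline)

if ($ok) { "SYSVOL re-initialized at $($ok[0].TimeCreated)" }
else     { Write-Warning 'No 13516 within 30 minutes; read the File Replication Service log before going further' }

# The event warns to reset the flag so a future wrap does not take SYSVOL offline unannounced
Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
"$name is now $((Get-ItemProperty -Path $key -Name $name).$name)"
```

While the DC is between the delete and the re-add, its SYSVOL and NETLOGON shares are not offered, so clients pointed at this DC for Group Policy will fail over to the partner; do it when that is acceptable.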

Unable to use mouse scroll wheel when amending formulas in Excel

I have a client that uses MS Excel, and when he is amending a formula he is unable to scroll up or down the spreadsheet; however, he can use the side bar to move up and down. If he then stops amending the formula and is just viewing the spreadsheet, the mouse scroll wheel starts to work.

An entry with the same key already exist - ADFS 2.0


Dear All,

While importing metadata in ADFS 2.0, I get the error "An entry with the same key already exists."

The metadata is below. Please assist me.

Please let me know where it has to be rectified. Many thanks in advance.

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://akzo-onetube.talentinsite.com" ID="idd1dc3d102ea04207bb6b7a7e8842dac7" validUntil="2014-07-15T17:21:37.0158471Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#idd1dc3d102ea04207bb6b7a7e8842dac7"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>w61UM/L1K0jROTE93aRvP8wcOFw=</DigestValue></Reference></SignedInfo><SignatureValue>LBEQ8XUNE7F8FCmal9KB89pPKAG9wX5JsNAhvVyHo6klB1+P8/fvNWqn0X04ycF3si1MhUgGBbToXq734TNRrBCqTTHivzLzqwIo31bH9OAVQbxu1Y0PPTvVewb2qquX1AijmKZ6qkixiVKOtC1OUAAX6U1P+L4BxEoI0bF0zsbARz0+8TYRLYjvcH4gGBsCtHryb4tNp1HRz3RBHRjKpC3NGBVeUwWSkuPJGFh2f5AZen2w5+g9PV8D8vpuuIbINzmh1Em4wTqZJWIHGkfZgJJQ0Egxu9bqfcQp3vWnzWM+/RGiexMgDf1pW1VgIwfHWMEySRb966sF1s9Q4ly4mg==</SignatureValue><KeyInfo><X509Data><X509Certificate>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</X509Certificate><X509Certificate>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</X509Certificate><X509Certificate>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</X509Certificate></X509Data></KeyInfo></Signature>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://akzo-onetube.talentinsite.com/SignIn.saml2" index="0" />
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://akzo-onetube.talentinsite.com/Logout.saml2" index="0" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://akzo-onetube.talentinsite.com/Logout.saml2" ResponseLocation="https://akzo-onetube.talentinsite.com/Logout.saml2" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://akzo-onetube.talentinsite.com/Logout.saml2" ResponseLocation="https://akzo-onetube.talentinsite.com/Logout.saml2" />
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://akzo-onetube.talentinsite.com/SignIn.saml2" index="0" isDefault="true" />
  </SPSSODescriptor>
</EntityDescriptor>
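
Added example, not code from the original post. In the metadata above, the two ArtifactResolutionService elements both carry index="0" (the second one pointing at the Logout endpoint); an importer that keys indexed endpoints by element type and index cannot hold both, and that is the kind of collision to look for first. This script lists duplicate indexes per indexed element type in a metadata file, plus more than one isDefault per type. The file path is assumed. The document is signed over the whole EntityDescriptor, so after the endpoint list is corrected the SP has to regenerate and re-sign the metadata; hand-editing the file invalidates the signature.

```powershell
param([string]$MetadataPath = '.\sp-metadata.xml')   # assumed path to the metadata shown above

[xml]$md = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')

# SAML metadata element types that carry an index attribute; each index must be unique within its type
$indexed  = 'ArtifactResolutionService', 'AssertionConsumerService', 'AttributeConsumingService'
$problems = foreach ($el in $indexed) {
    $md.SelectNodes("//md:SPSSODescriptor/md:$el", $ns) |
        Group-Object { $_.GetAttribute('index') } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Element   = $el
                Index     = $_.Name
                Locations = ($_.Group | ForEach-Object { $_.GetAttribute('Location') }) -join ' | '
            }
        }
}
if ($problems) { $problems | Format-Table -AutoSize -Wrap } else { 'No duplicate indexes found' }

# isDefault is also one-per-type
foreach ($el in 'ArtifactResolutionService', 'AssertionConsumerService') {
    $defaults = @($md.SelectNodes("//md:SPSSODescriptor/md:$el[@isDefault='true']", $ns))
    if ($defaults.Count -gt 1) { "$el has $($defaults.Count) entries marked isDefault" }
}
```

Against the file above this prints one row: ArtifactResolutionService, index 0, with the SignIn.saml2 and Logout.saml2 locations side by side.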


2012r2 compatibility with 2003 r2 domain

A customer of ours has a 2008 R2 Domain Controller hosting 2003 R2 AD forests. They are standing up a SAP application server and it will run 2012 R2. Will there be any loss of functionality or features for users using the SAP application on the 2012 R2 environment?

router identity object


hi

I was going to delete some objects in AD when I faced an error that said:

dsrm cannot add a container which includes objects under it! It can only delete a leaf in AD.

But that object was a leaf! It was a computer.

After viewing the objects as containers, I noticed there is a routeridentity object under that computer.

So what is this?

This is an old PC and has been inactive over the past months, so I do not know details about it,

but I do not think it has been a Windows server with the RRAS service!

Maybe, and just maybe, dial-up incoming connections had been configured on it (but I doubt that).

Can anyone give me a good clarification on that?

thanks

Internet Access from VM is up and down


My infrastructure is WS 2012 R2 Standard with AD services installed as the main server. There's a VM running on it with Exchange 2013 on it.

Exchange has been unstable in sending and receiving emails from outside due to DNS issues. Sometimes when I troubleshoot I can browse the internet from the VM, sometimes not. The errors I see in Exchange are DNS resolution issues. The forwarders on the DNS server are correct (my ISP Cox ones). I tried adding and removing the root hints with no success. I added 8.8.8.8 and 8.8.4.4; it helped for a while, then I again got issues; I deleted them, it resolved the issues, and again I got them. It seems like an intermittent issue with DNS. No antivirus or anything is running on the VM that could block ports. Please suggest!

Zone transfers for _site, _tcp, etc. on Server 2012


In our corp, we use BIND for DNS and make things work by having zone transfers set up for the top level forward lookup zones in Server 2008, as follows:

Windows Server 2008

  Forward Lookup Zones
    _msdcs
    _sites
    _tcp
    _udp
    DomainDNSZones

Server 2012 organizes things as follows, with _sites, _tcp, etc. being subdomains of the AD domain root:

Windows Server 2012 R2

  Forward Lookup Zones
    _msdcs
    domain.example.com
      _sites
      _tcp
      _udp
      DomainDNSZones
      ForestDnsZones

Zone transfers work fine at the top level, but we would like to not transfer the entire domain root, just the services. I have tried deleting/recreating, etc., but I can't figure out an option. Is this still possible and how might we do it?

Thanks.
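
Added example, not code from the original post: the layout the 2008 server had (separate zones for _sites, _tcp and _udp) recreated on 2012 R2 with the DnsServer module, so each of those zones can be transferred to the BIND secondaries on its own while the domain root stays closed to transfers. A zone for a subdomain takes precedence over the same names held inside the parent zone on the same server. The domain name is taken from the post; the secondary addresses are assumed. Until the DCs re-register, the new zones are empty, so do this at a quiet time and check with dcdiag /test:dns afterwards.

```powershell
$domain      = 'domain.example.com'            # name from the post
$secondaries = @('10.0.0.53', '10.0.1.53')     # assumed BIND secondary addresses
$subzones    = @('_sites', '_tcp', '_udp')

foreach ($sz in $subzones) {
    $zone = "$sz.$domain"
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        # AD-integrated, forest-wide, secure dynamic update: the same posture as the parent zone
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -DynamicUpdate Secure
    }
    # Transfers only to the listed hosts, and notify exactly those hosts on change
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaries `
                             -Notify NotifyServers -NotifyServers $secondaries
}

# The domain root itself stays closed to transfers
Set-DnsServerPrimaryZone -Name $domain -SecureSecondaries NoTransfer

# Each DC has to re-register its locator records into the new zones (nltest /dsregdns on each DC, or restart
# Netlogon there); the copies left under the parent zone are then dead weight and can be deleted.
Get-DnsServerZone | Where-Object { $_.ZoneName -like "*$domain" } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries, DynamicUpdate -AutoSize
```

On the BIND side the secondaries are declared per zone (`_tcp.domain.example.com` and so on) exactly as the 2008 layout required; nothing in the root zone reaches them, which is the point of splitting.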


sql spn rights on domain


I need a domain service account to dynamically self-register the SPN on any domain computer it is used on. Is this all I need? See below.
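
Added example, not code from the original post: SQL Server registers its SPNs on the service account's own object, so what the account needs is read and write on its own servicePrincipalName attribute, granted to SELF, and nothing else. This is the least-privilege form of the usual guidance (Read/Write servicePrincipalName for the service account) and does not touch any computer object; the account name is assumed. Run as someone who can modify the account's ACL, with the RSAT ActiveDirectory module loaded so the AD: drive exists.

```powershell
Import-Module ActiveDirectory
$account = Get-ADUser -Identity 'svc-sql'   # assumed sAMAccountName of the SQL service account
$self    = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF
$spnAttr = [guid]'28630ebb-41d5-11d1-a9c1-0000f80367c1'              # schemaIDGUID of servicePrincipalName

$path = "AD:\$($account.DistinguishedName)"
$acl  = Get-Acl -Path $path
foreach ($right in 'ReadProperty', 'WriteProperty') {
    # Property-specific ACE: scoped to this one attribute on this one object
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]$right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $spnAttr)))
}
Set-Acl -Path $path -AclObject $acl

# Verify: the only SELF entries touching this attribute should be the two just added
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.ObjectType -eq $spnAttr } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited -AutoSize

# What the account can now do for itself, and nothing more:
#   setspn -S MSSQLSvc/sqlhost.corp.example:1433 svc-sql     (as svc-sql, or left to SQL Server at startup)
```

Because the write is unvalidated, the account could register any SPN on itself, including one that belongs to another host; that is the trade-off accepted for plain user service accounts, and a periodic `setspn -X` to look for duplicates is the matching control. A group managed service account gets the stricter validated write instead.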

copy custom attribute when copying ad user


When I copy a user in AD, the homeDirectory attribute is automatically copied and customized for the new user based on username. Ex:  If I copy a user named "Test User" with username "tuser" and homeDirectory "\\server\share\tuser" and name the new user "New User" with username "nuser", the homeDirectory attribute is automatically set to "\\server\share\nuser".

I really want to do this with other attributes. Specifically, if Test User has (let's say) a 'description' attribute of 'tuser sometextstring', when I copy to "New User", I'd like the 'description' attribute to automatically be set to 'nuser sometextstring'.

Is there a way to do this?

Alternatively, is there a way to specify a default, customized-based-on-username set of attributes for all new users?  So that I could say (again, just for example), "when a new user is made, automatically populate the 'jobTitle' field with '<username>'s Job'".
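
Added example, not code from the original post: the copy-from-template step done with the ActiveDirectory module, which lets you apply the same logon-name substitution ADUC does for homeDirectory to any attribute you choose. The template and new account names are from the post; the target OU is assumed. New-ADUser -Instance seeds the new object from the template the way ADUC "Copy" does, explicit parameters override it, and group membership is copied separately because it is not an attribute of the user.

```powershell
Import-Module ActiveDirectory

$templateSam = 'tuser'                           # names from the post
$newSam      = 'nuser'
$newName     = 'New User'
$ou          = 'OU=Staff,DC=corp,DC=example'     # assumed target OU

$t      = Get-ADUser -Identity $templateSam -Properties description, title, department, homeDirectory, homeDrive, scriptPath, profilePath
$groups = (Get-ADUser -Identity $templateSam -Properties memberOf).memberOf

# Replace the template's logon name wherever it appears as a whole token, case-insensitively
function Convert-TemplateValue([string]$Value) {
    if (-not $Value) { return $null }
    $pattern = "(?<![A-Za-z0-9])$([regex]::Escape($templateSam))(?![A-Za-z0-9])"
    return [regex]::Replace($Value, $pattern, $newSam, 'IgnoreCase')
}

New-ADUser -Instance $t -Name $newName -SamAccountName $newSam `
    -UserPrincipalName "$newSam@$((Get-ADDomain).DNSRoot)" -Path $ou -Enabled $false `
    -HomeDirectory (Convert-TemplateValue $t.homeDirectory) -HomeDrive $t.homeDrive `
    -ScriptPath   (Convert-TemplateValue $t.scriptPath) `
    -ProfilePath  (Convert-TemplateValue $t.profilePath)

# The attributes ADUC copies verbatim, rewritten the same way
Set-ADUser -Identity $newSam `
    -Description (Convert-TemplateValue $t.description) `
    -Title       (Convert-TemplateValue $t.title)

foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $newSam }

Get-ADUser -Identity $newSam -Properties description, title, homeDirectory |
    Format-List Name, SamAccountName, description, title, homeDirectory
```

The account is created disabled and without a password; set one with Set-ADAccountPassword and enable it as a separate, audited step. The same function answers the second question too: a fixed string such as "<username>'s Job" is just Convert-TemplateValue applied to a constant that contains the template name.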

Chinese Characters in Netlogon.log -- re-asking


We have 822 occurrences of the following:

[CRITICAL] I_NetlogonLdapLookup: unrecognized character <Chinese characters>

in the last 2 days. The previous thread on this subject was marked "Answered" without being answered, so I'm re-asking:

1. Does anyone have any substantive information about what's sourcing this?

2. How can I associate a source IP with a single entry in the netlogon.log?

Here's what we know so far:

We have a Chinese linguist who has broken the character string down into 2 sections, the first being the same for all occurrences and the second being random-looking. He says the first section refers to "boats" or "water" and is looking further, but he says the string definitely looks like virus-like activity.

Second, I_NetlogonLdapLookup is a function inside netlogon.dll, so intuition says something is trying to do an LDAP lookup on the Chinese character string. We are looking into exactly how that function is supposed to be called (we're network guys, not coders, so this may take longer than it should). Can someone help shorten this search?

3. There's no consistent contextual activity surrounding the actual log entries, so we're expecting to find out that there's more than one source, so it's extra important we figure out how to associate a source IP with these [CRITICAL] log entries, especially since we may be looking for a rootkit or something else that's able to hide from our multiple AV programs.

Assistance is appreciated, good analytical step-oriented result-generating assistance is GREATLY appreciated!

Robert

Oh yeah, this is being logged on a DC in a 2008 R2 domain with a small but growing number of 2012 member servers and almost no remaining servers lower than 2008 R2. I can provide more details if anyone needs them.
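
Added example, not code from the original post: a pass over netlogon.log that buckets the I_NetlogonLdapLookup entries by minute and prints the code points of the rejected string, so entries can be compared byte-for-byte and lined up against a packet capture. These log lines carry no client address; the Netlogon LDAP ping that reaches I_NetlogonLdapLookup is an LDAP or CLDAP rootDSE query on port 389, so the source IP comes from a capture of port 389 traffic on the DC over the same minutes. The three sample lines are constructed, in netlogon.log's "MM/DD HH:MM:SS [LEVEL] message" layout, and are used only when the log is not present at the default path.

```powershell
param([string]$LogPath = "$env:SystemRoot\debug\netlogon.log")

# Constructed sample lines; the glyphs are arbitrary and stand in for what the post describes
$sample = @(
    '07/09 09:14:02 [CRITICAL] I_NetlogonLdapLookup: unrecognized character 氵舟䶶ᚙ',
    '07/09 09:14:02 [CRITICAL] I_NetlogonLdapLookup: unrecognized character 氵舟ꙛ耀',
    '07/09 09:16:41 [CRITICAL] I_NetlogonLdapLookup: unrecognized character 氵舟'
)
$lines = if (Test-Path $LogPath) { Get-Content -Path $LogPath } else { $sample }

$pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d):\d\d \[CRITICAL\] I_NetlogonLdapLookup: unrecognized character (?<str>.+)$'
$hits = foreach ($l in $lines) {
    if ($l -match $pattern) {
        $s = $Matches.str
        [pscustomobject]@{
            Minute     = $Matches.ts
            Prefix     = $s.Substring(0, [math]::Min(2, $s.Length))
            Length     = $s.Length
            CodePoints = ($s.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
        }
    }
}
"Matching entries: $($hits.Count)"
'Busiest minutes (line these up with the capture):'
$hits | Group-Object Minute | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
'Shared leading part:'
$hits | Group-Object Prefix | Select-Object Count, Name
'Code points of the first few, for byte-level comparison:'
$hits | Select-Object -First 5 Minute, Length, CodePoints | Format-Table -AutoSize
```

Random bytes decoded as UTF-16 land in the CJK ideograph blocks far more often than not, simply because those blocks are large; treat the glyphs as an encoding artefact and compare the code points, and the bytes in the capture, rather than reading the "text".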


SSO (single sign on) using Active Directory

I have an Active Directory 2008 R2 environment. I'm inexperienced with SSO and looking to set it up with an external web service provider, and possibly more in the future. This includes providing a certificate and setting up the SSO clients' relevant settings. What are some good ways of achieving this? The requirement from the external provider is an HTTPS post from our environment/clients. This needs to be achieved through Security Token, MD5, SHA1, DES, 3DES encryption of the username and/or password, or SAML.

Any advice would be great!

Craig Brand

Admins sporadically getting "You do not have sufficient privileges to delete " but they have sufficient permissions to delete the object


We've been getting a handful of calls lately from our Network Admins complaining that they can't delete computer accounts.

They get an Active Directory dialog box that states that they are a loser... "You do not have sufficient privileges to delete XXXXXX".

When it occurs, it affects all of the Admins for the particular problem object in question.

As a domain admin and enterprise admin, I am able to delete the object without a problem.

The Admins are able to delete other computer accounts as well as create new computer accounts within the same OU. The security and ownership are identical for both problem objects and non-problem objects.

I'm stumped and I couldn't get any relevant hits on TechNet or the web.

David W. King

Technical Architect - Systems, Information Technology
(919) 784-3889
david.king@rexhealth.com

REX Healthcare, 4420 Lake Boone Trail, Raleigh, NC 27607


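
Added example, not code from either post (this one and the "router identity object" post above): before deleting a computer account, list what sits underneath it and which ACEs on it mention delete rights. A computer object with children (the routeridentity object in the earlier post is one case; published printQueue and SQL service objects are others) is a container as far as dsrm and ADUC are concerned, and removing it needs Delete Subtree, or delete on each child, which a delegated admin who can delete leaf computers in the OU may well not have. The computer name is assumed; requires the RSAT ActiveDirectory module.

```powershell
param([string]$Computer = 'OLDPC01')   # assumed name
Import-Module ActiveDirectory

$c = Get-ADComputer -Identity $Computer
"Object: $($c.DistinguishedName)"

# Anything directly below the computer object, of any class
$children = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel -Filter * -Properties whenCreated, whenChanged
if ($children) {
    'Child objects (deleting the parent needs Delete Subtree, or delete on each of these):'
    $children | Format-Table Name, ObjectClass, whenCreated, whenChanged -AutoSize
} else { 'No child objects' }

# The protection flag ADUC sets on OUs by default, and which can be set on anything
$prot = Get-ADObject -Identity $c.DistinguishedName -Properties ProtectedFromAccidentalDeletion
"ProtectedFromAccidentalDeletion: $($prot.ProtectedFromAccidentalDeletion)"

# ACEs on the object itself that grant or deny any delete-related right; denies sort first
(Get-Acl -Path "AD:\$($c.DistinguishedName)").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'Delete' } |
    Sort-Object AccessControlType |
    Format-Table AccessControlType, IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize

# When the children are expected, remove them with the object; -Confirm keeps this a deliberate act
# Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$true
```

If the child list is non-empty for exactly the computers the admins cannot delete and empty for the ones they can, the delegation is the difference, not the object's own ACL: grant Delete Subtree on computer objects in the OU (or delete on the child classes that appear) rather than widening the admins' rights elsewhere.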