Channel: Directory Services forum

Certificate Services - Autoenrollment not occurring


I am having an issue getting autoenrollment to occur.  I am not getting an error that I can see - it appears to be not initiating.

The forest is at Windows 2008 R2 domain functional. The root CA is an enterprise CA.  The client machines are Windows 2008 R2.

I installed only the Certification Authority role service.  This CA will only be used to issue server authentication certificates within its forest.

I've followed the tasks for Configuring AutoEnrollment in Group Policy.

I've verified the Default Action for a Certificate Request.

Along with the steps outlined in Set Up Automatic Certificate Enrollment, I duplicated the default Computer (Machine) template, set properties, and granted Read, Enroll, and AutoEnroll to Domain Computers.

 

Results:

I see two information entries in the Application event log on the client with the following text:

  1. Certificate enrollment for Local system is successfully authenticated by policy server {9EC47EC2-7C6B-42EE-9722-3650C7E4EED1}
  2. Certificate enrollment for Local system successfully load policy from policy server

On the CA, I see no entries in Failed Requests, Pending Requests, or Revoked Certificates.  I also see no new entries in Issued Certificates.

On the client, I can use certutil or the Certificates MMC snap-in to request a new certificate that automatically gets issued, but I'm looking for autoenrollment to kick in so I can avoid logging into every machine.

 

I appreciate any advice or direction in this matter.
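A diagnostic script for the situation described in this post, added here as an example (it is not from the original post or from Microsoft). It runs on the client that should be autoenrolling, checks that the autoenrollment policy has actually reached the machine, that the template is published with the expected ACL, forces an autoenrollment pass, and reads what the AutoEnrollment client logged. The template name is a placeholder; the registry value, provider name and certutil switches are real.

```powershell
# Added diagnostic script, not from the original post. Run elevated on the
# Windows Server 2008 R2 client that should be autoenrolling (PowerShell 2.0
# compatible). Assumption: the template name below is a placeholder for the
# duplicated Computer template described in the post.

$TemplateName = 'CompanyWebServer'   # placeholder

# 1. Has the autoenrollment GPO actually reached this computer?
#    AEPolicy: bit 1 = enabled, bit 2 = renew expired / update pending,
#    bit 4 = update templates (all three on = 7); 0x8000 = explicitly disabled.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning "No AEPolicy value under $aeKey : the GPO has not applied here (check gpresult /scope computer /r)."
} elseif ($aePolicy -band 0x8000) {
    Write-Warning "AEPolicy = $aePolicy : autoenrollment is disabled by policy."
} else {
    Write-Host "AEPolicy = $aePolicy (enabled)"
}

# 2. Is the template published in AD, and does Domain Computers hold
#    Read + Enroll + Autoenroll on it? certutil -Template prints the template
#    and its ACL as the enterprise CAs see it.
$dump = certutil -Template $TemplateName 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Template '$TemplateName' not found in AD:`n$dump"
} else {
    $dump | Select-String -Pattern 'Allow', 'Domain Computers', 'Enroll'
}

# 3. Trigger autoenrollment now instead of waiting for the 8-hour timer, then
#    read what the AutoEnrollment client logged. If nothing appears beyond the
#    two "policy server" lines quoted in the post, the client found nothing to
#    enroll for: typically the Autoenroll ACE is missing, the template is not
#    added to the CA's Certificate Templates folder, or a valid certificate
#    from that template already exists in the machine store.
certutil -pulse | Out-Null
Start-Sleep -Seconds 30
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List }
else         { Write-Warning 'No AutoEnrollment events in the last 5 minutes.' }

# 4. Machine certificates already issued from any template
#    (1.3.6.1.4.1.311.20.2 = v1 template name extension,
#     1.3.6.1.4.1.311.21.7 = v2 template information extension).
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value }
} | Select-Object Subject, NotAfter, Thumbprint
```

The two informational events in the post only say that the client reached the policy server and downloaded the template list; the enrollment decision is made afterwards, so steps 2 and 3 are where the answer usually lies.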


The session setup from computer failed - Netlogon


Hi,

We have a Windows Server 2008 R2 domain, and on the domain controller we have the following error message

EventID 5723 and 5805

**********************************

The session setup from computer 'XXXXXX' failed because the security database does not contain a trust account 'XXXXXX$' referenced by the specified computer. 

USER ACTION 

If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'XXXXXX$' is a legitimate machine account for the computer 'XXXXXX' then 'XXXXXX' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem: 

If 'XXXXXX' is a legitimate machine account for the computer 'XXXXXX' , then 'XXXXXX' should be rejoined to the domain. 

If 'XXXXXX$' is a legitimate interdomain trust account, then the trust should be recreated. 

Otherwise, assuming that 'XXXXXX'$' is not a legitimate account, the following action should be taken on 'XXXXXX': 

If 'XXXXXX'is a Domain Controller, then the trust associated with 'XXXXXX'$' should be deleted. 

If 'XXXXXX'is not a Domain Controller, it should be disjoined from the domain.

**********************************

I have seen solutions to remove the server from the domain and join it again, but the server is gone. I tried to create a computer account in AD and remove it, but same issue.

Do I need to actually add a physical / virtual machine to the domain with the same hostname so as to disjoin the machine? Or will this fail since it is not the same computer ID?

Is there another solution to get rid of these messages... the computer account is not registered in any DNS or AD on all 3 domain controllers.

Thanks for support.


/Regards Andreas

Force a Relying Party to always use Forms Based Authentication in ADFS 3.0


Hello

Does anyone know if it's possible to have a particular relying party trust only ever use forms based authentication, regardless of browser or client location?

I have an application that supports federated logon with ADFS, but it will only work with forms based auth (https://support.zendesk.com/entries/514714-Using-SAML-for-single-sign-on-Plus-and-Enterprise). My current workaround is to use the group policy site to zone assignment list and set the site as zone 3 (Internet site). This brings up a forms based window and will get me in, but you don't see the properly formatted forms based website.

The form I get with the workaround:

[Image: Form I get when using workaround]

Form I want to see:

[Image: Forms based auth I want to use]


Mark Dordoy

RODC placement query...


Hi,

I am trying to implement RD Gateway (Server 2012) in a DMZ. I do not want the gateway server talking directly to the LAN DCs as too many ports need to be opened from the DMZ to the internal DCs. Therefore I am trying to set up a Server 2012 RODC.

The RODC has been created and allowed to talk to several DCs on the LAN. The RODC was created in a new AD site called "PerimeterNetwork" with its own subnet 172.16.1.1/29.

The RD Gateway server was built and joined to the domain whilst on the LAN, then moved to the DMZ (the DMZ also has an AD site for subnet 172.16.2.1/29).

The gateway server has been allowed to talk to the RODC (all ports opened whilst testing) via the firewall. The RODC is allowed to talk to several DCs in the LAN (LAN = 192.168.1.0/24) via the firewall.

I can log into the RODC as my network account and all is fine. Replication is working and a copy of the DNS zones exists on the RODC.

My problem is that the RD Gateway server doesn't seem to know anything about the RODC, therefore I receive "No logon servers available to service the logon request" when I attempt to log in as a domain user.

I can connect to the RODC's SYSVOL and NETLOGON shares from the RD Gateway server when logged in locally. I suspect this is some kind of DNS issue with the SRV records that is preventing the Gateway server from attempting to connect to the RODC.

To summarise the setup:

DC01       LAN RWDC   192.168.1.10   AD Site = UK                (192.168.1.0/24)
DC02       LAN RWDC   192.168.1.11   AD Site = UK                (192.168.1.0/24)
RDWEBSVR              172.16.2.2     AD Site = DMZ               (172.16.2.0/29)
RODC1                 172.16.1.2     AD Site = PerimeterNetwork  (172.16.1.0/29)

The only entry in DNS that relates to the RODC SRV record is in the Sites - PerimeterNetwork - _tcp zone.

I have tried different test commands with NLTEST from the RD Gateway server but most of them fail as they cannot query a DC. However I did manage to use NLTEST /DSGETSITE, which returns "DMZ".

The DNS entries for the Sites - DMZ - _tcp zone do not include the RODC SRV record, however they do include two LAN DC SRV entries, which the Gateway server does not have access to, which I think is where this is failing.

My question is really, what is the correct way to configure this so that the RODC is provided to the Gateway server as a contactable DC? Or if this is not supported then is there a way of forcing the RD Gateway server to point to the RODC, via local policy, reghack, hosts file entry, etc.?

Any help on this matter would be very gratefully received.

Regards,

Scott.


Scott S.
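An added diagnostic for the DC locator problem in this post (example code, not from the original post). Run on the RD Gateway server, it lists the SRV records the locator consults for the gateway's own site, for the RODC's site and for the site-less fallback, checks which DC ports are actually reachable on the RODC, and asks the locator for a DC in the RODC's site explicitly. The domain name is a placeholder; the site names and addresses are the ones given in the post.

```powershell
# Added diagnostic script, not from the original post. Run on the RD Gateway
# server (Server 2012, PowerShell 3.0; Resolve-DnsName ships with it).
# Assumption: $Domain is a placeholder for the real AD domain name.

$Domain   = 'corp.example'      # placeholder
$MySite   = 'DMZ'               # what NLTEST /DSGETSITE returned on the gateway
$RodcSite = 'PerimeterNetwork'  # site the RODC was created in
$RodcIP   = '172.16.1.2'

function Get-DcSrvRecords {
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TCP connect test; avoids Test-NetConnection, which needs PowerShell 4.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# The locator first asks for DCs in the client's own site, then for any DC in
# the domain. If neither list names the RODC, the RODC is never tried.
"--- DCs advertised for my own site ($MySite) ---"
Get-DcSrvRecords "_ldap._tcp.$MySite._sites.dc._msdcs.$Domain" | Format-Table -AutoSize
"--- DCs advertised for the RODC site ($RodcSite) ---"
Get-DcSrvRecords "_ldap._tcp.$RodcSite._sites.dc._msdcs.$Domain" | Format-Table -AutoSize
"--- Site-less DC list the locator falls back to ---"
Get-DcSrvRecords "_ldap._tcp.dc._msdcs.$Domain" | Format-Table -AutoSize

# A DC is only usable from here if the firewall passes the core ports.
"--- Port reachability to the RODC ($RodcIP) ---"
foreach ($p in @(53, 88, 135, 389, 445, 464, 636, 3268)) {
    $state = if (Test-TcpPort -Address $RodcIP -Port $p) { 'open' } else { 'blocked' }
    '{0,5}  {1}' -f $p, $state
}

# Ask the locator for a DC in the RODC's site explicitly.
nltest /dsgetdc:$Domain /site:$RodcSite
```

If the first listing shows only the two LAN DCs, the gateway is in a site with no DC of its own and the writable DCs are covering it. The usual fixes are to place the gateway's subnet in the PerimeterNetwork site (so it is in the same site as the RODC), or to make the DMZ site's lowest-cost site link lead to PerimeterNetwork rather than to the LAN site so that the RODC covers it.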

Query all users in an OU, get group membership, and export as CSV to the home directory path of each user


I want to query each user object in an OU, then go through each user and get group membership, and lastly export that group membership data to a CSV in their home directory. This is what I have so far; it appears to be failing at homeDirectory. What am I doing wrong? Any help is appreciated.

 
Import-Module ActiveDirectory
# homeDirectory is not in Get-ADUser's default property set, so it must be requested
$Users = Get-ADUser -Filter * -SearchBase "OU=Accounting,OU=hq,OU=Accounts,DC=company,DC=loc" -Properties homeDirectory
ForEach ($user in $Users) {
    # skip accounts that have no home directory set, otherwise Export-Csv gets an empty path
    if (-not $user.homeDirectory) { continue }
    # Export-Csv needs a file name, not just the directory
    $FilePath = Join-Path -Path $user.homeDirectory -ChildPath "groups.csv"
    # -Identity does not accept a UPN; use the distinguished name (or SamAccountName)
    Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName | Export-Csv -NoTypeInformation -Path $FilePath
}

Permissions for group policy in multi-tenant environment?


What are the exact permissions that have to be applied to an OU for the computer object to get group policies?

Basically, when I remove Authenticated Users' rights from the OU that the computer is in, it can't get the GPO. What I'm trying to do is lock down the environment using the AD List Object mode (which is enabled) but I'm not finding what to do with the computer objects (I see tons of stuff for user objects).

Basically this is the layout:

- Hosting
--> Reseller
---> Company A
-----> Computers
-----> Users
---> Company B

and so on...

Under each computer I created an AllUsers group which has read access to the company OUs and all child OUs. So this is pretty much the security group layout:

- Hosting (GPOAccess@Hosting)
-- Reseller (GPOAccess@Reseller1) [Member of GPOAccess@Hosting]
--- Company (AllUsers@Company) [Member of GPOAccess@Reseller1]

Then GPOAccess has list object permissions and such on the appropriate OU's.

However.. what do I do about the computer objects?
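An added example for the computer-object side of this layout (example code, not from the original post). Computer policy is processed by the machine account, which is what Authenticated Users was covering: it reads gPLink and gPOptions on its own OU and on every ancestor OU up to the domain head, and then needs Read plus Apply on the GPO itself. The script grants those rights to a group that holds one company's computer accounts. The DNs, group name and GPO name are placeholders following the post's layout; the assumed group is not one the post mentions.

```powershell
# Added example, not from the original post. Grants a computer-account group
# the AD rights it needs when Authenticated Users has been removed from the OU
# chain, plus Read + Apply on the GPO. All names below are placeholders.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$HostingOU  = 'OU=Hosting,DC=hosting,DC=example'
$ResellerOU = "OU=Reseller,$HostingOU"
$CompanyOU  = "OU=Company A,$ResellerOU"
$Group      = 'AllComputers@CompanyA'        # assumed group holding Company A's computer accounts
$GpoName    = 'CompanyA-Computer-Baseline'   # assumed GPO linked at OU=Computers,$CompanyOU

function Grant-AdRead {
    param([string]$Dn, [string]$GroupName, [switch]$Inherit)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$Dn"
    # GenericRead = Read Property + List Contents + Read Permissions;
    # ListObject is the right List Object mode checks per container.
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ListObject'
    $inherit = if ($Inherit) { 'All' } else { 'None' }
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inherit)
    $acl.AddAccessRule($ace) | Out-Null
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Ancestors get a non-inherited read ("this object only") so Company A's
# computers can walk up the chain without seeing Company B's subtree;
# the company OU gets an inherited read so its child OUs are covered.
# (The domain head normally still grants Read to Authenticated Users.)
Grant-AdRead -Dn $HostingOU  -GroupName $Group
Grant-AdRead -Dn $ResellerOU -GroupName $Group
Grant-AdRead -Dn $CompanyOU  -GroupName $Group -Inherit

# The GPO: GpoApply grants Read + Apply Group Policy on the policy object
# and its SYSVOL folder.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify both halves.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, TrusteeType, Permission -AutoSize
(Get-Acl -Path "AD:\$CompanyOU").Access |
    Where-Object { "$($_.IdentityReference)" -like "*$Group*" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

After the change, gpresult /scope computer /r on one of Company A's machines should list the GPO under applied objects; if it is listed as "Filtering: Not Applied (Unknown Reason)" the OU chain read is missing, if as "Denied (Security)" the GPO ACL is.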

Single forest multiple domains different domain functional levels


Hello,

I would like to call on the expertise of the forum to see if there would be any issues in building a new domain tree (in order to have a separate namespace) with Server 2012 R2 at a 2008 domain functional level.

The root domain is at FFL and DFL 2003. The servers are a mix of Server 2012 and Server 2008 R2. FRS is still being used as we have not migrated it to DFSR. My biggest fear would be the new domain tree being unable to replicate any information back to the forest root DCs due to the mandatory 2008 or higher DFL in Server 2012 R2.

Any feedback is appreciated.

thank you!

franz

Kerberos WeConstrained Delegation


Need some help setting up constrained delegation on web servers.

Here is our scenario:

1. One web server in the DMZ which will be a front-end server; this has some kind of redirect to a back-end web server

2. Back-end web server, which has the actual web pages

Need to set this up in such a way that there is only one-time authentication by the user and the front-end web server does some kind of proxying of credentials to the back-end server.

Kindly assist.
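An added example of the configuration this scenario calls for (example code, not from the original post). It registers the back-end HTTP SPN, allows the front-end computer account to delegate only to that SPN (constrained delegation, not "trust this computer for delegation to any service"), keeps protocol transition off unless the front end really needs it, and verifies the result. Host and account names are placeholders.

```powershell
# Added example, not from the original post. Kerberos constrained delegation
# from a front-end web server to a back-end web server's HTTP service.
# All host and account names are placeholders.

Import-Module ActiveDirectory

$FrontEnd    = 'WEBFE01'                 # DMZ front-end computer account
$BackEndFqdn = 'webbe01.corp.example'    # back-end host
$BackEndAcct = 'svc-webbackend'          # account the back-end app pool runs as
                                         # (use the back-end computer account if the pool runs as Network Service)

# 1. The back-end service needs its SPN on the identity that decrypts its
#    tickets. Without it Kerberos to the back end never works, delegation or not.
$spns = @("HTTP/$BackEndFqdn", "HTTP/$($BackEndFqdn.Split('.')[0])")
Set-ADUser -Identity $BackEndAcct -ServicePrincipalNames @{Add = $spns}

# 2. Allow the front end to delegate only to those SPNs.
Set-ADComputer -Identity $FrontEnd -Add @{'msDS-AllowedToDelegateTo' = $spns}

# 3. Kerberos-only versus protocol transition. Leave $false when users reach the
#    front end with Kerberos (Integrated Windows auth). Set $true only if the front
#    end takes forms/basic credentials and must obtain a Kerberos ticket on the
#    user's behalf itself; that flag lets the front end impersonate any
#    non-protected user to the listed SPNs, so it is the one to justify.
$UseProtocolTransition = $false
$fe = Get-ADComputer -Identity $FrontEnd
Set-ADAccountControl -Identity $fe -TrustedToAuthForDelegation $UseProtocolTransition
# Unconstrained delegation must stay off on an Internet-facing host.
Set-ADAccountControl -Identity $fe -TrustedForDelegation $false

# 4. Verify, and look for duplicate SPNs (a classic cause of KRB_AP_ERR_MODIFIED
#    and "Kerberos silently falls back to NTLM" symptoms).
Get-ADComputer -Identity $FrontEnd -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' }}
setspn -X
```

Users whose account is marked "sensitive and cannot be delegated" or who are in the Protected Users group will still be prompted at the back end by design; keep administrative accounts out of the delegated path.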



Can't login ADFS using IE


I created ADFS v2 on one of our Windows 2008 R2 servers. The AD sync works fine. However, I can't log in to the ADFS server using adfssvr.mydomain.com/adfs/ls/idpinitiatedsignon.aspx even though we have correct internal DNS settings.

Troubleshooting steps:
1. I read this article "A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Windows Intune". If I modify the web.config, I can log in. But none of the resolutions fixes the problem.
2. If I use the Firefox browser, I can log in. Only IE doesn't work.
3. I have tried different IE versions, different computers, using compatibility view and adding the website to the IE security sites.

What could be the problem?


Bob Lin, MCSE & CNE Networking, Internet, Routing, VPN Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com

Account Lockout Active Directory continuously

Hi all, I have a domain with 3 sites and domain controllers Windows Server 2008 R2. 

I recently have ongoing account lockouts and I see no errors on domain controllers. 

I've checked to see if they match but neither virus virus. 

Can be any password policy? 


regards

Microsoft Certified IT Professional Server Administrator

Decommissioning ADDS 2012


Hi everyone,

I have 3 domain controllers, one 2012 and two 2012 R2. All are GCs and the 2012 R2 servers are DNS servers (not the 2012 one).

But when I am trying to uninstall AD from the 2012 server it tells me that it cannot find other domain controllers, and when it is turned off the other domain controllers cannot connect and basically none of the AD-related MMCs open after that.

the only error I can find in the event log is DFS Replication error

Event ID 5008

The DFS Replication service encountered an error communicating with partner DC-01 for replication group Domain System Volume.

and

Event ID 4612

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner DC-01.

These errors only happen when DC-01 (the 2012 server) is off,

and these tests are failing on DC-01 (the 2012 server) when I test the DCs:

failed test Advertising

failed test DFSREvent

failed test KccEvent

failed test SystemLog

DcGetDcName(PDC_REQUIRED) call failed, error 1355

DcGetDcName(TIME_SERVER) call failed, error 1355

DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355

please help


Reza Negarestani


Implications of upgrading domain from 2008R2 DC's to 2012R2 DC's with ADFS 3.0 installed


I'm wondering if there are any implications or concerns when upgrading from 2008R2 DC's (2008R2 Functional level) to 2012R2 DC's (2012R2 functional level) with ADFS 3.0 installed in the current environment.

Anything to be concerned with in regards to our current ADFS 3.0 installation before the upgrade to 2012R2?  Or will everything work as expected after the DC upgrades?

Thanks


Getting reports out of Active directory


I may be asking in the wrong community, so sorry. It has been a very long time since I have worked with Active Directory, and I am sure it has come a long way since the 90s.

I am looking for a way to report out accounts and permissions, group membership, and shared directories and their permissions, for an entire domain. It's not that big, maybe 100 users and 25 shares.
Where do I start with this?

Are there tools made by Microsoft already to do such a thing (why not, if there are not)? I am really hesitant to go third party because of expense. I probably won't do this very often.


Lise Quinn
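An added example of producing those reports with built-in tooling only (example code, not from the original post): the ActiveDirectory module from RSAT plus Get-SmbShare and Get-Acl on Server 2012 or later. It writes three CSV files: users with flattened group names, recursive group membership, and the share-level and NTFS permissions of every non-administrative share on the file servers listed. The output path and server names are placeholders.

```powershell
# Added example, not from the original post. Domain-wide account, group and
# share permission report using only Microsoft-supplied cmdlets.
# Assumptions: $OutDir and $FileServers are placeholders; run as an account
# that can read AD and administer the file servers via PowerShell remoting.

Import-Module ActiveDirectory
$OutDir      = 'C:\ADReports'        # placeholder
$FileServers = @('FS01', 'FS02')     # placeholder file server names
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Users: enabled state, last logon, password age and direct group names.
Get-ADUser -Filter * -Properties MemberOf, LastLogonDate, PasswordLastSet, Enabled |
    Select-Object SamAccountName, Name, Enabled, LastLogonDate, PasswordLastSet,
        @{n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' }} |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'users.csv')

# 2. Groups: recursive membership, so nested groups do not hide anyone.
#    (Get-ADGroupMember -Recursive stops at groups with more than 5000 members.)
Get-ADGroup -Filter * | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        [pscustomobject]@{ Group = $g.Name; Scope = $g.GroupScope; Member = $_.SamAccountName; Type = $_.objectClass }
    }
} | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'groups.csv')

# 3. Shares: share ACL and NTFS ACL of each share root, per file server.
$shareRows = foreach ($srv in $FileServers) {
    Invoke-Command -ComputerName $srv -ScriptBlock {
        Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
            $share = $_
            Get-SmbShareAccess -Name $share.Name | ForEach-Object {
                [pscustomobject]@{ Server = $env:COMPUTERNAME; Share = $share.Name; Path = $share.Path
                                   Layer = 'Share'; Identity = $_.AccountName
                                   Rights = $_.AccessRight; Type = $_.AccessControlType }
            }
            (Get-Acl -Path $share.Path).Access | ForEach-Object {
                [pscustomobject]@{ Server = $env:COMPUTERNAME; Share = $share.Name; Path = $share.Path
                                   Layer = 'NTFS'; Identity = "$($_.IdentityReference)"
                                   Rights = "$($_.FileSystemRights)"; Type = "$($_.AccessControlType)" }
            }
        }
    }
}
$shareRows | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'shares.csv')
```

At 100 users and 25 shares this runs in seconds; the shares.csv is the one worth reading line by line, since a share granting Everyone or Authenticated Users Full Control at either layer is the finding such a review is usually after.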

Windows 2008 running DCPROMO


We recently migrated from SBS 2003 to Windows 2012. Currently our 2012 server is the domain controller, while the 2008 server running Exchange 2010 is just a computer that is part of the domain.

I'd like to have redundancy for our Active Directory, so I was going to run DCPROMO and join it to the forest. Is there anything else to prep besides running DCPROMO on the 2008 server? Will this affect permissions for any of the Exchange clients, or will everything stay the same except for a replica of the domain being available in case of a failure?

missing dll

How can I fix appdata\roaming\newnext.me\nengine.dll?

Add Employee ID Number to Active Directory - Functional Level: Windows Server 2008


We would like to start entering Employee ID Numbers in Active Directory.  How do I add the Employee ID field in 2008 Active Directory?

Adding a DC


Hi,

I already have a Windows Server 2008, on which AD is running with DNS. I have added a new physical server with Server 2012 R2 and I have installed the AD role onto it. I have moved the FSMO roles to the new server and DNS as well. When I do netdom query fsmo, all roles have been moved to the new server.

I would like to remove the AD role on the old server. Can you please guide me through the steps?

The previous server has been shut down. When I click on the new server's AD, I get the error: naming information cannot be located.

Any help please.

Thanks.


sundeep jogoo
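An added diagnostic for this post and for the "Decommissioning ADDS 2012" post above (example code, not from either post). Run on a remaining DC, it checks the things that produce "naming information cannot be located" on the surviving server and the Advertising / DcGetDcName failures quoted in the earlier post: the DC's own DNS client settings, the locator SRV records, which DCs AD still believes exist, FSMO ownership, and whether SYSVOL has finished its initial DFSR sync. The domain name is a placeholder.

```powershell
# Added diagnostic script, not from either post. Run on a surviving DC
# (Server 2012 or later; uses the DnsClient and ActiveDirectory modules).
# Assumption: $Domain is a placeholder for the real domain name.

Import-Module ActiveDirectory
$Domain = 'corp.example'   # placeholder

# 1. A DC (and every member) must point its DNS client at a live DC/DNS server,
#    never only at a server that has been shut down.
"--- DNS client servers on this host ---"
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Do the locator records resolve, and do they name DCs that are online?
"--- _ldap._tcp.dc._msdcs.$Domain ---"
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } | Format-Table NameTarget, Port -AutoSize

# 3. FSMO roles: all five must sit on DCs that are online. A role still owned
#    by a dead DC is the classic cause of the PDC_REQUIRED / TIME_SERVER failures.
$dom = Get-ADDomain -Identity $Domain
$for = Get-ADForest -Identity $dom.Forest
"--- FSMO owners ---"
[pscustomobject]@{
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
    SchemaMaster         = $for.SchemaMaster
    DomainNamingMaster   = $for.DomainNamingMaster
} | Format-List

# 4. Which DCs does AD still think exist? An entry for a server that is gone
#    has to be removed (metadata cleanup) before the survivors are healthy.
"--- DCs registered in AD ---"
Get-ADDomainController -Filter * | Format-Table Name, HostName, IPv4Address, IsGlobalCatalog, Site -AutoSize

# 5. SYSVOL on DFSR: "waiting to perform initial replication" (event 4612)
#    means this DC will not advertise until a partner has synced it.
#    State: 0 Uninitialized, 1 Initialized, 2 Initial Sync, 3 Auto Recovery, 4 Normal, 5 In Error
"--- DFSR SYSVOL state ---"
Get-WmiObject -Namespace root\MicrosoftDFS -Class DfsrReplicatedFolderInfo |
    Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' } |
    Format-Table ReplicatedFolderName, State -AutoSize

# 6. The authoritative health check.
dcdiag /test:advertising /test:fsmocheck /test:dns /q
```

For a DC that has already been powered off for good, the clean-up is metadata cleanup: on a Server 2008 or later DC, deleting the stale server's NTDS Settings object in Active Directory Sites and Services (or its computer object under Domain Controllers) performs the same removal ntdsutil's metadata cleanup does. Once no DC references a dead partner, the SRV records in step 2 and the DCs in step 4 should agree with each other.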

SID only shows up when adding a domain user account from an external trusted domain


This is sort of an interesting situation which may wind up being more of a network port not being open.

There are two Windows 2008 R2 domains, AlphaCo and BravoCo, that have an external one-way trust set up between them where AlphaCo trusts BravoCo. The member servers on the AlphaCo domain have BravoCo users added to their local groups. The problem is on one of the member servers (SRV-05) on the AlphaCo domain. When any user from the BravoCo domain is added to the local Administrators group it will show up when doing a search with the "friendly name", but when you click on "Apply" and/or "OK" it changes to the SID. This only happens on the SRV-05 server. The other member servers on the AlphaCo domain (SRV-01, 02, 03, 04, 06) are not having this issue.

Any idea what may be causing this user identity crisis and what could be done to resolve it?
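An added diagnostic for this symptom (example code, not from the original post). Run it on SRV-05 and on a healthy peer such as SRV-01 and compare: it performs the same name-to-SID-to-name round trip the Local Users and Groups snap-in performs, lists which members of the local Administrators group are currently unresolved SIDs, checks the server's secure channel and trust view, and tests the ports to a BravoCo DC. The account, domain and DC names are placeholders.

```powershell
# Added diagnostic, not from the original post. Run on SRV-05 and on a healthy
# peer. Assumptions: the account, trusted domain and DC names are placeholders.

$TrustedDomain = 'BravoCo'                    # placeholder
$SampleUser    = 'BravoCo\someuser'           # placeholder: a BravoCo user added to Administrators
$TrustedDCs    = @('dc1.bravoco.example')     # placeholder

# 1. Name -> SID -> name round trip. LSA chains this lookup through the
#    server's own (AlphaCo) DC, which in turn asks a BravoCo DC over the trust.
function Test-SidRoundTrip {
    param([string]$Account)
    try {
        $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
        $back = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Account = $Account; SID = $sid.Value; ResolvedBack = $back; OK = ($back -eq $Account) }
    } catch {
        [pscustomobject]@{ Account = $Account; SID = $null; ResolvedBack = $null; OK = $false; Error = $_.Exception.Message }
    }
}
Test-SidRoundTrip -Account $SampleUser | Format-List

# 2. Which entries in local Administrators are unresolved SIDs right now?
"--- Unresolved members of local Administrators ---"
([adsi]'WinNT://./Administrators,group').psbase.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    if ($path -match 'S-1-5-21-') { $path }
}

# 3. Secure channel to this server's own DC, and the trusts it can see.
nltest /sc_query:$env:USERDOMAIN
nltest /trusted_domains
nltest /dsgetdc:$TrustedDomain

# 4. Direct reachability to the trusted domain's DCs. Name resolution goes via
#    the AlphaCo DC, but Kerberos logons by BravoCo users need these ports open
#    from this server to a BravoCo DC, so a host-specific firewall rule shows here.
foreach ($dc in $TrustedDCs) {
    foreach ($port in 88, 135, 389, 445) {
        $c = New-Object System.Net.Sockets.TcpClient
        try { $c.Connect($dc, $port); $state = 'open' } catch { $state = 'blocked' } finally { $c.Close() }
        '{0} : {1,5}  {2}' -f $dc, $port, $state
    }
}
```

If step 1 fails only on SRV-05, the difference is local to that host: its secure channel (step 3) may be with a DC that cannot reach BravoCo, or a host firewall or stale LSA lookup cache is involved; a failing step 4 on SRV-05 alone points at the port hypothesis the post already raises.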

AD account is being locked out every couple hrs. Need help tracking


Hi,

I am one of multiple administrators at my company and for the past couple of weeks I have had a problem where my AD account will be locked out every couple of hours or so, at least once a day. I fear that possibly while troubleshooting a computer my username was "stuck", or embedded if you will, into a running service or such.

Our previous Senior Systems Administrator was able to tell me the name of the computer when it first started happening and I logged in but didn't see anything out of the ordinary. I checked the services I had toyed around with such as RPC etc. and nothing.

That Senior Sys Admin is now gone from the company and I never bothered to ask him how he found out. I am still having the problem so I need to figure out what computer is trying to log in to AD with my account (an old credential) to stop it from being locked out. It seems to only lock my account when people are at work. For example, when people normally get back from lunch and log in to their computers I notice my account gets locked.

I think he may have been just looking at event logs in MMC but I am not positive on which. Security audit logs possibly?

Anyway, I appreciate any help in advance, and if someone can help me track down the computer(s) responsible I would be greatly appreciative.

Sean
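An added example for this post and for the "Account Lockout Active Directory continuously" post above (example code, not from either post). It is the Security-log approach the question guesses at: every lockout is recorded on the PDC emulator as event 4740, whose TargetDomainName field carries the name of the computer the bad passwords came from, and the failed attempts themselves are logged as 4771 (Kerberos pre-authentication failed, with the client IP) or 4776 (NTLM credential validation, with the workstation name) on whichever DC handled them. The script collects all three for one user across all DCs and ranks the source hosts. It needs Audit User Account Management, Audit Kerberos Authentication Service and Audit Credential Validation enabled on the DCs, and rights to read their Security logs remotely. The username is a placeholder.

```powershell
# Added example, not from either post. Locates the source of a user's bad
# passwords and lockouts from the DCs' Security logs. Assumption: $User is a
# placeholder sAMAccountName; the account running this can read the logs.

Import-Module ActiveDirectory
$User  = 'jdoe'                    # placeholder
$Since = (Get-Date).AddDays(-2)

$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *).HostName

function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Read the named <Data> fields from the event XML rather than parsing the
    # message text, which depends on locale and message-file formatting.
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# 1. Lockouts (4740) on the PDC emulator; TargetDomainName = caller computer name.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $pdc; Event = 4740; Source = $d.TargetDomainName; Detail = 'account locked out' }
        }
    }

# 2. The bad-password attempts, on every DC (they do not all land on the PDC).
$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.TargetUserName -ne $User) { return }
            switch ($_.Id) {
                4771 { [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; Event = 4771; Source = $d.IpAddress;   Detail = "Kerberos pre-auth failed, status $($d.Status)" } }
                4776 { if ($d.Status -ne '0x0') {
                         [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; Event = 4776; Source = $d.Workstation; Detail = "NTLM validation failed, status $($d.Status)" } } }
            }
        }
}

# 3. Timeline, then a count per source host. The host at the top is the one
#    holding the stale credential (cached logon, scheduled task, service,
#    mapped drive, or a phone/mail client using the old password).
@($lockouts; $failures) | Where-Object { $null -ne $_ } | Sort-Object Time | Format-Table -AutoSize
@($failures) | Where-Object { $null -ne $_ } | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{n = 'Source'; e = { $_.Name }} | Format-Table -AutoSize
```

A 4771 with status 0x18 is a wrong password; a 4776 with status 0xC000006A is the NTLM equivalent. The pattern in the post (lockouts when people return from lunch) fits a cached credential on a workstation that unlocks or reconnects at that time, which is exactly what the per-source count exposes.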

ADFS Sending UPN Claim


In the past, when sending UPN to a Relying Party, I have always used a Send LDAP Attribute Rule for the Relying Party.

I have just read a couple of guides for setting up a trust with Dynamics CRM. They suggest first creating a pass-through rule for the Active Directory claims provider for UPN, and then a pass-through rule for the relying party.

I assume both result in the same claim being sent to the Relying Party.  Are there pros and cons between the two methods?
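An added example showing both methods from the post as ADFS claim-rule language applied with the ADFS cmdlets (example code, not from the original post; the relying party name is a placeholder). Method 1 is a single Send LDAP Attribute rule on the relying party; method 2 relies on the Active Directory claims provider's default rule that already issues UPN for every authenticated user and simply passes it through at both stages.

```powershell
# Added example, not from the original post. Two ways to deliver a UPN claim
# to a relying party. Assumption: $RpName is a placeholder for the relying
# party trust's display name. Run on the ADFS server.

$RpName = 'Dynamics CRM'   # placeholder
$Upn    = 'http://schemas.xmlsoap.org/claims/UPN'
$WinAcc = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Method 1: an LDAP attribute rule on the relying party. The directory query
# runs while this relying party's issuance rules execute, and only fires for
# users whose windowsaccountname claim came from AD (Issuer == "AD AUTHORITY").
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "$WinAcc", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Method 2: pass-through. The same rule text is used on the claims provider
# (acceptance side) and on the relying party (issuance side).
$passThrough = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "$Upn"]
 => issue(claim = c);
"@

function Set-UpnViaLdap {
    # Replaces the relying party's issuance rules; merge with the existing
    # rule text from Get-AdfsRelyingPartyTrust if other rules must survive.
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $ldapRule
}

function Set-UpnViaPassThrough {
    # Both calls replace the whole rule set they target; capture the current
    # rules first and append, rather than overwriting, in a live environment.
    $cpRules = (Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
    if ($cpRules -notmatch [regex]::Escape($Upn)) {
        Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($cpRules + "`n" + $passThrough)
    }
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $passThrough
}

# Pick one of the two.
Set-UpnViaPassThrough

# Confirm what is now in force at both stages.
(Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

Both produce a UPN claim for an AD-authenticated user, so the difference is where the value comes from. The pass-through form works for any claims provider that already issues UPN (and emits nothing if one does not), and does one less LDAP query per token; the LDAP form is self-contained on the relying party and keeps working even if someone later trims the Active Directory provider's acceptance rules, but silently issues nothing for users federated in from another identity provider, since the Issuer condition never matches.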
