Channel: Directory Services forum

Setting up BitLocker missing delegate control setting

Hi,

I am setting up BitLocker in our AD. I checked the schema using ADSI edit and it looks as if the schema is already extended.

I find:
CN=ms-FVE-KeyPackage
CN=ms-FVE-RecoveryGuid
CN=ms-FVE-RecoveryInformation
CN=ms-FVE-RecoveryPassword
CN=ms-FVE-VolumeGuid
CN=ms-TPM-OwnerInformation


So, now I want to delegate permissions in AD on the workstations OU for the SELF account.

In the delegate wizard I can only find Write msTPM-OwnerInformation.

On the TechNet page jj592683 ("Prepare your organization for BitLocker:..." "Applies To: Windows 8, Windows 8.1"), it refers to both Write msTPM-OwnerInformation and Write msTPM-TpmInformationForComputer.

However, in the delegate wizard I cannot find Write msTPM-TpmInformationForComputer.


What is missing?

This posting is provided "AS IS" with no warranties or guarantees and confers no rights




DNS 4015 error - DCs replication in different sites with IPv4 VPN


Hello


I have 2 DCs in different sites on the Internet. They are connected by VPN routers (which are IPv4 only). The IPv4 connectivity is working; however, I believe that because of the lack of IPv6 connectivity, errors are shown in DNS (event ID 4015).
The PDC and other functions of the domain are on the DC with Windows 2008 R2 (Site A) and the additional DC is Windows Server 2012 (Site B). The errors happen only on the 2012 DC (several errors during the day). Tests with repadmin are OK.


However, everything is working OK. Should DCs also communicate through the IPv6 protocol? How to do this if the VPN routers are IPv4 only?

Thanks!


Ricardo

I uploaded files to https://onedrive.live.com/redir?resid=2B77424111F5749E!211&authkey=!ALq4iPJoReWcoZk&ithint=folder%2clog

Windows can't access CIFS share via DFS link, but it works if we access the CIFS share via UNC path


Hi Guys

We have a very strange problem. We are testing Windows 8.1 currently, and we found that our Windows 8.1 client cannot access our existing CIFS share via a DFS link, like \\domain.local\org\share; we got the following error.

And at the same time, a Kerberos error was logged.

However, if I access the CIFS share directly via the UNC path, like \\serverFQDN\sharename, we can get access. CNZJNIBRG1 was our server FQDN's CNAME. Does anyone have an idea on this? Existing Windows 7 clients have no problem accessing the CIFS share.

computing of modified timestamp attribute in the schema partition


Hello,

I have problems understanding the modifiedTimeStamp attribute, especially in the schema. I found on MSDN and TechNet that this attribute is computed from the whenChanged attribute of the same object. If you look at the attributes “whenChanged” and “modifiedTimeStamp” of cn=Schema,CN=Configuration,DC=Contoso,DC=com you can see that these 2 attributes have the same value. This is also the same for every other object under the schema except:

 

If you take the object “CN=Aggregate,CN=Schema,CN=Configuration,DC=Contoso,DC=Com”, which clients use to update their local schema cache, you can see that “modifiedTimeStamp” differs from “whenChanged”.

On Server 2008 R2 the “modifiedTimeStamp” attribute of “CN=Aggregate,CN=Schema,CN=Configuration,DC=Contoso,DC=Com” equals the “whenChanged” attribute of the Schema.

On pre-Server 2008 R2 the “modifiedTimeStamp” attribute of “CN=Aggregate,CN=Schema,CN=Configuration,DC=Contoso,DC=Com” equals neither the “whenChanged” attribute of Aggregate nor the “whenChanged” attribute of the Schema.

Can someone tell me the background of the computation of the modifiedTimeStamp attribute of “CN=Aggregate,CN=Schema,CN=Configuration,DC=Contoso,DC=Com”, why the computation differs between 2008 R2 and pre-2008 R2, and also how the attribute is computed under 2008 R2?

Thanks

Exchange Server 2010 Domain Functional Level Migration Prep


All,

This may be a simple question to most, but I have only been administering Exchange 2010 SP3 for 2 years now and this is my first AD migration with Exchange, so excuse my ignorance.

Currently my Domain Functional Level is 2008 R2 but will be migrating/raising to 2012 R2 by the end of the month. I have installed/configured 2 Windows Server 2012 R2 Domain Controllers and demoted the 2 2008 R2 DCs they replaced, then removed the accounts from AD. This leaves me with 1 2008 R2 DC in the domain, and since the transition from the 2 2008 R2 DCs to the 2012 R2 DCs was not exactly 100% smooth, I need/want to check my bases prior to shutting down the last one and possibly breaking Exchange.

What should I be looking for via Exchange or DC/AD for this migration to raise domain level to 2012 R2?

What configurations need to be considered?

What programs/applications/scripts need to be run to ensure a successful migration to 2012 R2 and Exchange still works?

I know 2012 R2 automatically runs ADPrep.exe to extend the schema so would this need to be run manually on the Exchange Servers to extend the schema?

Thank you for any suggestions/responses received.
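
The read-only pre-checks a practitioner would run before demoting the last 2008 R2 DC and raising the functional level, as an added example (not part of the original post). It only reads: DC inventory and FSMO placement, the AD and Exchange schema versions, and (in comments) the Exchange Management Shell query that shows which DCs each Exchange server is actually using. Schema version numbers quoted in the comments are the published values for Windows Server 2012 R2 and Exchange 2010 SP3.

```powershell
# Added example (not from the original post): read-only checks to run before demoting the last
# 2008 R2 DC and raising the domain functional level. The Exchange lines are marked; they need the
# Exchange Management Shell. Nothing here changes anything.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# 1. What is left, what it runs, and where the FSMO roles sit. Every role must already be on a
#    2012 R2 DC before the last 2008 R2 DC is demoted; DomainMode is what gets raised afterwards.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site | Format-Table -AutoSize
Get-ADDomain | Select-Object DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
Get-ADForest | Select-Object ForestMode, SchemaMaster, DomainNamingMaster | Format-List

# 2. Schema versions. adprep, which the 2012 R2 promotion ran for you, raises objectVersion on the
#    Schema container (69 = Windows Server 2012 R2). It does not touch the Exchange schema, whose
#    version is the rangeUpper of ms-Exch-Schema-Version-Pt (14734 = Exchange 2010 SP3), so there is
#    no adprep step to run on the Exchange servers for this change.
$adSchema = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
"AD schema objectVersion   : $adSchema"
try {
    $exDn = "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)"
    $exSchema = (Get-ADObject -Identity $exDn -Properties rangeUpper).rangeUpper
    "Exchange schema rangeUpper: $exSchema"
} catch {
    'Exchange schema attribute not found (Exchange is not present in this forest schema)'
}

# 3. Replication and DC health, before and again after the demotion (console tools, run on a DC):
#    repadmin /replsummary
#    dcdiag /q
#    dcdiag /test:dns /q

# 4. Exchange Management Shell: which DCs/GCs each Exchange server is using right now, and whether
#    any server is statically pinned to the DC about to be retired (empty Static* = dynamic discovery):
#    Get-ExchangeServer -Status | Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs,
#        CurrentConfigDomainController, StaticDomainControllers, StaticGlobalCatalogs, StaticConfigDomainController
```

If step 4 shows the remaining 2008 R2 DC in any Static* field, clear that pinning before demoting it; a server pinned to a DC that no longer exists is the usual way a "clean" demotion breaks Exchange.
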

Error 364 An item with the same key has already been added with Azure Pack


I am configuring Windows Azure pack and have configured my 2 ADFS servers using NLB.

The login to the tenant portal works fine, but when I try to login to the Admin site, the page errors and I get the following error logged on the ADFS server

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
wsfed 

Relying Party: 
http://azureservices/AdminSite 

Exception details: 
System.ArgumentException: An item with the same key has already been added.
   at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
   at Microsoft.IdentityServer.Web.HomeRealmModule.FindApplicableRealms(ProtocolContext context, Boolean needsIDPInstance)
   at Microsoft.IdentityServer.Web.HomeRealmModule.DiscoverHomeRealm(PassiveProtocolHandler pHandler, ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)



Simon Holman
Expeed Technology
Australian Web Hosting

PowerShell or DSACLS adding permissions to OU


Hi

I was starting to like PowerShell but the AD stuff is giving me a headache. What I am looking for is (what I think) quite simple....

All I would like is this:

allow the computer object called "MYComputer" to have Read, Write, and Create Child Objects on the OU located at

OU=MYTestOU,OU=Servers,DC=MyDomain,DC=Local

How can I achieve this using PowerShell? The domain controller is 2008 R2 and has the ActiveDirectory module present.

... or, after reading a bit more about dsacls, I could do it this way, but I can't seem to get my command right. I have the following:

dsacls.exe "OU=MYTestOU,OU=Servers,DC=MyDomain,DC=Local" /G "mydomain\MyComputer$:GRGWCC"

many thanks

Steve
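
The same grant done from PowerShell, as an added example (not the poster's code). It resolves the computer account by name so the trustee is spelled correctly (a computer's sAMAccountName ends in `$`, which is the detail that makes a hand-typed dsacls trustee fail), writes the ACE, and reads it back. One caveat worth stating: GenericWrite over an OU lets that computer account modify every attribute of every object the ACE reaches, so keep the OU small and consider `None` inheritance if only the OU object itself needs to be writable.

```powershell
# Added example, not from the original post. Grants the computer account MYComputer
# Read, Write and Create-Child rights on the OU (names taken from the post; the domain is the assumption).
Import-Module ActiveDirectory

$ouDn = 'OU=MYTestOU,OU=Servers,DC=MyDomain,DC=Local'

# A computer's sAMAccountName is 'MYComputer$'. Resolving it through Get-ADComputer avoids
# typing the suffix by hand and fails loudly if the object does not exist.
$computer = Get-ADComputer -Identity 'MYComputer'
$sid      = $computer.SID

$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
          [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
          [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# 'All' = this OU and everything below it; use 'None' to scope the ACE to the OU object alone.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back what was written; the trustee shows as MYDOMAIN\MYComputer$.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*\MYComputer$' } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited -AutoSize

# dsacls equivalent (note the '$' on the trustee; /I:T = this object and all children):
#   dsacls "OU=MYTestOU,OU=Servers,DC=MyDomain,DC=Local" /G "MyDomain\MYComputer$:GRGWCC" /I:T
```
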


Active directory OU deleted


Hi,

Recently we had a disaster in our organization, as someone deleted an entire OU from Active Directory. We have the logs regarding the user who deleted the OU, but we don't have any logs to tell us from which system it was deleted.

Does anyone have any idea how to investigate this accident, and what proactive measures need to be taken in order to prevent this type of disaster in future?

Regards,
Hakim. B


Hakim.B Sr.System Administrator
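
An added example (not part of the original post) of both halves of the question. The deletion event itself (Security 5141, "A directory service object was deleted") names the account and its Logon ID but carries no client address; the address is on the 4624 logon event with the same Logon ID on the same DC, so the script joins the two. It then applies the two standard preventive controls, the accidental-deletion protection flag on every OU and the AD Recycle Bin. The OU name and the seven-day window are assumptions; 5141 is only present if the Directory Service Changes audit subcategory (and a Delete SACL on the objects) was enabled beforehand.

```powershell
# Added example (not from the original post). Finds who deleted directory objects and from which
# host by joining Security event 5141 (directory object deleted) to the 4624 logon whose Logon ID
# matches on the same DC. Needs Security-log read access on the DCs and the "Audit Directory
# Service Changes" subcategory to have been on at the time. Requires PowerShell 3.0+.
Import-Module ActiveDirectory

$dnPattern = '*OU=Sales,*'               # assumption: the OU that disappeared (children match too)
$since     = (Get-Date).AddDays(-7)      # assumption: how far back to look

function ConvertFrom-EventData {
    # Flattens <EventData><Data Name="..."> of a Security event into a hashtable.
    param([Parameter(Mandatory=$true)]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h['TimeCreated'] = $Event.TimeCreated
    return $h
}

$report = foreach ($dc in (Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })) {
    $deletes = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
                   -FilterHashtable @{ LogName = 'Security'; Id = 5141; StartTime = $since } |
               ForEach-Object { ConvertFrom-EventData $_ } |
               Where-Object { $_.ObjectDN -like $dnPattern }
    if (-not $deletes) { continue }

    # One pass over 4624 per DC, indexed by Logon ID, instead of one query per deleted object.
    $wanted = @{}
    foreach ($d in $deletes) { $wanted[$d.SubjectLogonId] = $true }
    $logons = @{}
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $wanted.ContainsKey($_.TargetLogonId) -and -not $logons.ContainsKey($_.TargetLogonId) } |
        ForEach-Object { $logons[$_.TargetLogonId] = $_ }

    foreach ($d in $deletes) {
        $l = $logons[$d.SubjectLogonId]
        $fromHost = '(no matching 4624 in range)'; $fromIp = ''; $logonType = ''
        if ($l) { $fromHost = $l.WorkstationName; $fromIp = $l.IpAddress; $logonType = $l.LogonType }
        [pscustomobject]@{
            Time       = $d.TimeCreated
            DC         = $dc
            Who        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectDN   = $d.ObjectDN
            Class      = $d.ObjectClass
            TreeDelete = $d.TreeDelete
            FromHost   = $fromHost
            FromIP     = $fromIp
            LogonType  = $logonType
        }
    }
}
$report | Sort-Object Time | Format-Table -AutoSize

# Proactive: set the accidental-deletion protection (the Delete/Delete Subtree deny ACEs behind the
# "Protect object from accidental deletion" checkbox) on every OU that lacks it, and enable the AD
# Recycle Bin so a future deletion is a Restore-ADObject rather than an authoritative restore.
# The Recycle Bin needs forest functional level 2008 R2 or higher and cannot be switched off again.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

$rb = Get-ADOptionalFeature -Filter { name -eq 'Recycle Bin Feature' }
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
}
```

A LogonType of 3 with a non-local IpAddress in the output points at a remote admin console (ADUC, PowerShell remoting, etc.) on that host; LogonType 2 or 10 means the deletion was done in an interactive session on the DC itself.
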


How to set permission to change E-mail field on Active Directory user account?

We need to allow a user the permission to only update the E-mail field on the General tab of an Active Directory user account. What is the name of the object for that field when setting advanced permissions? Thanks

How to let help desk only update email in one OU


All,

The question is, I have set up a help desk group in AD for a particular OU. I cannot find, under the security tab, a way for them to be able to ONLY update the email field. I found that Read and Write Public Information gives them that field, but it also allows updating the account name, which I do not want. Any help will be greatly appreciated!

Thanks,

Domain Trust Issue


We are in the process of creating 2 domains. One is our old one, and one is the new one we want to move everything to. I have the new domain created. I created a new domain, and a new forest; the old domain is a single-label domain. I have everything set up, but when I try to establish the trust between the 2 domains, I am running into issues.

This is the error I receive when I try to validate the trust:

The secure channel (SC) verification on Active Directory Domain Controller \\AlostarDC1.Nexity of domain Nexity to domain alostar.local failed with error: The specified domain either does not exist or could not be contacted.

The secure channel (SC) reset on Active Directory Domain Controller \\AlostarDC1.Nexity of domain Nexity to domain alostar.local failed with error: The specified domain either does not exist or could not be contacted.

From the old single-label domain I can ping the domain name of the new domain just fine; however, I can't ping the single-label domain from the new domain. I have added a conditional forwarder on the old domain for the new domain. I added the DCs in the old domain as name servers in the new domain. Not sure what's going on. Any help will be appreciated. Thanks!

Basic Monitoring Permissions


Hi Guys,

Maybe a silly question, but I have been looking around for a solution and cannot find a clean way to achieve what I want to achieve.

I have a team who currently have no administrative permissions on a domain, but need them to have the most basic access to a bunch of servers (including a Domain Controller) just for monitoring hardware/eventlogs/disk management and scheduled tasks.

I wish to do this via a GPO.

What would be the best way to do this in your opinion? What is the lowest permission I can give a user but that they can still access a domain controller?

Josh.

AD Sites & Services - Replication Connections


I am trying to gather a better understanding of AD Sites & Services with regard to replication and to clarify some possible misunderstandings with a co-worker.

  • Replication within a site occurs very quickly and automatically via a notification process.
  • Replication between sites occurs on a scheduled basis with compression
  • Within each site, a DC is automatically identified by ISTG to be a bridgehead server for site to site replication.
  • The path sites replicate with each other is handled by Site Links.
  • Connections between sites (bridgehead servers) are generated by the KCC automatically.

Example environment:

Site 1

  • DC1 - Bridgehead Server

Site 2

  • DC2 - Bridgehead Server

Site 3

  • DC3 - Bridgehead Server

The questions I have are:

  1. Should the KCC automatically generate connections with the other bridgehead servers at each site?  For example, DC1 - automatic connections with DC2 & DC3.
  2. Will these automatic connections only be done with bridgehead servers?
  3. Is there a limit to the number of automatic connections? A co-worker said the KCC will only auto generate connections for the first 5 DCs but I can't find that in any TechNet article.
  4. Would manual connections cause the KCC to not fully auto generate some of the connections? Our environment has 6 sites, and some sites only have a single auto generated connection so the other sites are not "connected".

Any input would be helpful so I can better understand this process and hopefully resolve any configuration issues.

Thanks!
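
The four questions are answerable from the configuration partition, and an added example (not part of the original post) that reads it is more reliable than recollection. Connection objects (`nTDSConnection`) sit under the destination DC's NTDS Settings object with `fromServer` pointing at the source; bit 0x1 of `options` marks a KCC-generated connection; each site's ISTG is the `interSiteTopologyGenerator` attribute of its NTDS Site Settings object. The script prints the ISTG per site, every inter-site connection with its direction and origin, and any site with no inbound inter-site connection at all. No site or server names are assumed.

```powershell
# Added example (not from the original post). Reads the configuration partition and prints, per
# site, the ISTG and every inter-site connection object (who replicates from whom, and whether the
# KCC generated it). Needs PowerShell 3.0+ and the ActiveDirectory module.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDn  = "CN=Sites,$configNC"

function Split-NtdsDn {
    # 'CN=<conn>,CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,...' or the shorter
    # 'CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,...' form -> server and site names.
    param([Parameter(Mandatory=$true)][string]$Dn)
    $rdn = ($Dn -split '(?<!\\),') | ForEach-Object { $_ -replace '^CN=', '' }
    $i = [array]::IndexOf($rdn, 'NTDS Settings')
    @{ Server = $rdn[$i + 1]; Site = $rdn[$i + 3] }
}

"ISTG per site:"
Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties interSiteTopologyGenerator |
    ForEach-Object {
        $site = ($_.DistinguishedName -split '(?<!\\),')[1] -replace '^CN=', ''
        $istg = if ($_.interSiteTopologyGenerator) { (Split-NtdsDn $_.interSiteTopologyGenerator).Server } else { '(none)' }
        [pscustomobject]@{ Site = $site; ISTG = $istg }
    } | Format-Table -AutoSize

# Connection objects live under the *destination* DC's NTDS Settings; fromServer is the source.
# options bit 0x1 = generated by the KCC; manual connections lack it.
$conns = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer, options |
    ForEach-Object {
        $to   = Split-NtdsDn $_.DistinguishedName
        $from = Split-NtdsDn $_.fromServer
        [pscustomobject]@{
            Connection    = $_.Name
            FromServer    = $from.Server; FromSite = $from.Site
            ToServer      = $to.Server;   ToSite   = $to.Site
            AutoGenerated = [bool](([int]$_.options) -band 1)
            InterSite     = ($from.Site -ne $to.Site)
        }
    }

"Inter-site connections (bridgehead to bridgehead):"
$conns | Where-Object { $_.InterSite } | Sort-Object ToSite, FromSite |
    Format-Table Connection, FromSite, FromServer, ToSite, ToServer, AutoGenerated -AutoSize

# A site with no inbound inter-site connection is one the topology does not reach.
$allSites = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=site)' | ForEach-Object { $_.Name }
$reached  = $conns | Where-Object { $_.InterSite } | ForEach-Object { $_.ToSite } | Sort-Object -Unique
$allSites | Where-Object { $reached -notcontains $_ } |
    ForEach-Object { "WARNING: site '$_' has no inbound inter-site connection" }
```

Manual connections show up with `AutoGenerated = False`; since the KCC never deletes or modifies those, a stale manual connection is the first thing to look at when a site appears in the warning list.
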

Forest Configuration Operators

I'm commissioning a new Windows Server 2012 R2 AD DS forest for a customer and have implemented the ten recommended service management roles as per the Best Practice for Delegating Active Directory Administration. The first test of the delegation model was to create a new child domain with a privileged account that's a member of the Forest Configuration Operators Role group. Unfortunately the test failed because the promotion process appears to check to see if the account is a member of the Enterprise Admins security group, which of course it's not. Can I create a child domain with an account that's a member of the Forest Config Ops administrative role or shall I bin this role off and just use EAs?

Cheers,

Tom Houston, UK Identity Management Practice

Can we track or get the list of sites and subnets deleted from ActiveDirectory?

Can we track or get the list of sites and subnets deleted from Active Directory?

Delegate Control Not Working


I have an AD Group that has 12 users inside of it.  I did a delegate control for this group and here are the settings I allowed them to perform.

I've had users log off and back on, yet they still cannot modify user accounts. They can't move them, they can't change the description field....nothing.

Why not? What else do I need to grant for them to update/modify User/Computer accounts?


mqh7

Windows 7 machines lose trust relationship frequently


I have a random bunch of computers that are Windows 7, part of my domain, that are losing their trust relationship on a random basis. I currently have a Windows 2008 Primary DC with a 2K8 R2 Secondary DC serving 287 computers. Right now we are migrating away from Windows XP, so I would have to say that the ratio of XP machines is 60%. It just started recently where the Windows 7 computers will randomly lose their security trust with the domain. There's no rhyme or reason to it. It will happen to a computer we installed less than a week ago, and hit another computer that was installed almost 2 years ago. I've seen quite a few other people having issues with W7 machines acting the same way, and I know the "fix" is to disjoin it from the domain and rejoin it, but that's not a permanent solution. All these machines span multiple cities and all our Admins are based in Dallas. We'll have computers in Ft Worth, Houston, Anna, and Longview, Texas all randomly behave this way, and all are Windows 7 Pro SP1 machines from different manufacturers. All the DNS records are up to date. There are no AD replication errors; in fact there are no errors at all on my DCs. No changes have been made to any GPOs or AD. Any assistance is appreciated, as this is bizarre since our domain has been working without a hitch for the past 3-4 years with no issues.

Thank You,

David

Primary and secondary DNS best practice


Hello, I have 2 Server 2012 R2 domain controllers. DC1 has IP 10.0.0.1 and DC2 has IP 10.0.0.2. The primary DNS setting points to each other. I have added the secondary DNS pointing to the alternate DC. For example. DC1 primary DNS is 10.0.0.1 and secondary DNS is 10.0.0.2. DC2 primary DNS is 10.0.0.2 and secondary is 10.0.0.1. Is this best practice?

Thank you

2012R2 DC - AD LDS Service Principal Names - Duplicates


Hello

After installing the first domain controller with 2012 R2, we see the following error in the Directory Service log on the new 2012 R2 domain controller:

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL Winerror: 8647 
 See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.

It seems to be related to the SPN for AD LDS:

http://technet.microsoft.com/pt-br/subscriptions/cc816802

http://technet.microsoft.com/en-us/library/dn535779.aspx

The error only occurs for member servers where AD LDS is installed (application dependency).

Replication status is OK.

Any ideas on how this error should be handled/corrected?

Erlend
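
The 8647 message is the duplicate-SPN check that Windows Server 2012 R2 DCs perform on writes, and it compares values case-insensitively across the whole forest. Before deciding what to remove, it helps to see every holder of the offending value. This added example (not part of the original post) indexes all `servicePrincipalName` values in every domain of the forest by lower-cased key and prints the ones held more than once, then lists the AD LDS registrations on the server named in the event. The server name comes from the event text; everything else is read from the directory.

```powershell
# Added example (not from the original post). Collects every servicePrincipalName in the forest,
# keyed case-insensitively the way the directory's uniqueness check compares them, and reports any
# value that occurs more than once together with the objects holding it.
Import-Module ActiveDirectory

$index = @{}    # key: lower-cased SPN; value: list of @{ Value; DN; Domain }
foreach ($domain in (Get-ADForest).Domains) {
    Get-ADObject -Server $domain -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()
                if (-not $index.ContainsKey($key)) { $index[$key] = New-Object System.Collections.ArrayList }
                [void]$index[$key].Add(@{ Value = $spn; DN = $dn; Domain = $domain })
            }
        }
}

$duplicates = $index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | Sort-Object Key
if (-not $duplicates) { 'No duplicate SPNs found.' }
foreach ($dup in $duplicates) {
    "DUPLICATE: $($dup.Key)"
    foreach ($h in $dup.Value) {
        "    $($h.Value)    on $($h.DN)  [$($h.Domain)]"
    }
}

# The AD LDS registrations on the server from the event. AD LDS instance SPNs take the form
# <ADAM class GUID>-ADAM/<host>:<port>; the GUID prefix below is the one shown in the event.
$adamPrefix = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/'
Get-ADComputer -Identity 'APP12345' -Properties servicePrincipalName |
    ForEach-Object { $_.servicePrincipalName } |
    Where-Object { $_ -like "$adamPrefix*" }

# Built-in cross-check:  setspn -X -F   (forest-wide duplicate search, also case-insensitive).
# Once you know which registration is stale, remove it with
#   Set-ADComputer APP12345 -ServicePrincipalNames @{ Remove = '<exact value>' }
# and re-run this script; the 8647 message should not recur on the next write to that object.
```

If the report shows the same value on the same DN more than once, the two entries differ only in case; if it shows two different DNs, two computer accounts claim the same AD LDS instance, which is the situation the check exists to catch.
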



AD user security tab - inherit permissions


Hi,

I have circa 150 users [1000 users total] who are not inheriting the security permissions. This causes an issue when delegated help desk staff try to reset passwords [because the new delegated security permissions are not propagated]. I can go into each user's account and check the tick box to inherit, but 20 minutes later this is unchecked. I believe this issue was caused by a previous admin elevating the rights of these users during the NT4 migration, then putting the rights back to normal users.

How can I ensure these users inherit the permissions for good?

 

Fizzmo 
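
The behaviour described (inheritance switched back off, on a fixed subset of accounts, within the hour, on accounts that once held elevated rights) is what the SDProp process does: every 60 minutes the PDC emulator re-stamps the AdminSDHolder ACL onto every object with `adminCount=1` and blocks inheritance on it, and removing an account from the protected groups does not clear that flag. This added example (not part of the original post) reports the affected users, leaves alone any that are still members of a protected group (SDProp would simply undo the change), and for the remainder clears `adminCount` and re-enables inheritance. The assumption is that the accounts are no longer meant to be protected; the report section runs first so that can be confirmed.

```powershell
# Added example (not from the original post). Finds users SDProp has protected (adminCount=1),
# shows which are still in protected groups, and for the orphans clears adminCount and
# re-enables ACL inheritance so delegated permissions apply again. Needs PowerShell 3.0+.
Import-Module ActiveDirectory

# Groups whose members SDProp protects. Enterprise/Schema Admins only resolve in the forest root
# domain; in a child domain the lookup fails and is reported, not fatal.
$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Domain Controllers', 'Read-only Domain Controllers', 'Replicator'
$stillProtected = @{}
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $stillProtected[$_.distinguishedName] = $g }
    } catch { Write-Warning "Could not enumerate '$g': $($_.Exception.Message)" }
}

# Report first; nothing up to the Format-Table changes anything.
$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor
$report = foreach ($u in $flagged) {
    [pscustomobject]@{
        User                  = $u.SamAccountName
        InheritanceBlocked    = $u.nTSecurityDescriptor.AreAccessRulesProtected
        StillInProtectedGroup = $stillProtected[$u.DistinguishedName]
    }
}
$report | Sort-Object StillInProtectedGroup, User | Format-Table -AutoSize

# Fix the orphans: adminCount set but no longer a protected-group member, excluding the built-in
# Administrator and krbtgt accounts, which SDProp protects by name regardless of group membership.
$fix = $flagged | Where-Object {
    -not $stillProtected.ContainsKey($_.DistinguishedName) -and
    ('Administrator', 'krbtgt' -notcontains $_.SamAccountName)
}
foreach ($u in $fix) {
    Set-ADUser -Identity $u -Clear adminCount          # SDProp stops revisiting the object
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # First argument $false re-enables inheritance. The second only matters when blocking, so the
    # explicit AdminSDHolder ACEs already stamped on the object stay; inherited ACEs are added to them.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    "Fixed $($u.SamAccountName)"
}
```

Wait one SDProp cycle (60 minutes by default) and re-run the report: the users that were fixed should no longer appear, since `adminCount` is gone and SDProp no longer touches them; any that do reappear were still protected through a membership the enumeration could not see.
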
