Channel: Directory Services forum

Member Servers Local GP Configurations


Hi Folks,

Does anyone out there know of a way to poll all Domain Member Servers to determine if this is configured at the local level and not controlled via a Domain GPO?

Computer Configuration => Windows Settings => Local Policies => User Rights Assignment => Manage Auditing and security log

I need to deploy this at the Domain level but am afraid of overriding anything someone might have configured locally, and we have over 1500 servers.

Any help would be appreciated!
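One way to inventory the effective holders of that right across the member servers, as an added example that is not from the post (it assumes WinRM is reachable on the servers and that the account running it is a local administrator there). secedit exports the effective setting, so on a server that no current GPO targets, any value other than the default BUILTIN\Administrators is something that was configured locally.

```powershell
# Added example: inventory SeSecurityPrivilege ("Manage auditing and security log")
# on every enabled member server. Assumes WinRM is reachable and the caller is a
# local administrator on each server. Writes a CSV and an unreachable-server list
# to the current directory.
Import-Module ActiveDirectory

# Member servers only: PrimaryGroupID 516 is "Domain Controllers".
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true -and PrimaryGroupID -ne 516' |
    Select-Object -ExpandProperty DNSHostName

$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    # secedit writes a Unicode INF; user rights live under [Privilege Rights].
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg -Encoding Unicode |
        Where-Object { $_ -match '^SeSecurityPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    # Right-hand side is a comma-separated list of *SID entries (or account names).
    $holders = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    New-Object PSObject -Property @{
        Computer            = $env:COMPUTERNAME
        SeSecurityPrivilege = $holders
        # Out-of-the-box value is only BUILTIN\Administrators (S-1-5-32-544);
        # anything else was configured deliberately, locally or by a GPO.
        IsDefault           = (($holders -replace '\s', '') -eq '*S-1-5-32-544')
    }
}

$results | Select-Object Computer, IsDefault, SeSecurityPrivilege |
    Sort-Object IsDefault, Computer |
    Export-Csv -Path .\SeSecurityPrivilege-inventory.csv -NoTypeInformation

# Servers that gave no answer (offline, WinRM disabled, firewall) still need a look.
$answered = $results | ForEach-Object { $_.PSComputerName }
$servers | Where-Object { $answered -notcontains $_ } | Set-Content -Path .\unreachable-servers.txt

# Non-default entries are the ones a domain GPO would silently replace.
$results | Where-Object { -not $_.IsDefault } | Format-Table Computer, SeSecurityPrivilege -AutoSize
```

If a GPO already sets this right on some servers, the exported value is the GPO's, not the local one; gpresult on those servers shows which GPO is winning.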


Domain Local Groups and Windows Server 2012 R2


Not sure if there is something I can't remember from my 2012 training, but I just tried to add a Domain Local Group in AD to the local Administrators group on a 2012 R2 (domain joined) server and I can't.

I can see the Global groups fine, but domain local do not show as available for adding to the local group.

Is this a restriction now?

The AD is a legacy windows 2000 mixed mode domain.

dc answer method


Using the Windows Server 2008 R2 SP1 Answer File method I installed a forest domain. 

That went fine. 

Trying to install a domain controller on that forest, but it is rejecting every "argument" in the DC Answer File: first it is ConfirmGC, then it is DatabasePath, and it keeps rejecting till there is nothing left.


After activating RDS, not able to login more than two users.


Hi

After activating RDS with an SPLA license agreement on the RDS server, more than two users are not able to log in.

Please suggest.

Thanks

Techsol


Thanks, Kk

Not able to open active directory user and computer in windows server 2008r2


Hi All techies,

I would like to know about one issue which I am facing mostly. I have created 5 virtual machines, all with Windows Server 2008 R2, and one Windows 7 on VMware. Now whenever I start my virtual machines everything goes right, but when I try to open Active Directory Users and Computers or Domains and Trusts I get the following error: "data from active directory user and computers is not available from dc(null) bcoz unspecified error". Even when I check the event log it gives me no help, and after 15-30 min everything works good.

Please let me know the cause of it; I'd really appreciate it.

Event Log Description

Thanks

Atul

Kerberos Error after remote Cluster-Aware Updating


I installed a Windows 2012 R2 Failover Cluster in order to virtualize servers with Hyper-V. Both physical servers of the cluster are named SRV-SAN01 and SRV-SAN02 and were installed using Win2012 R2 Datacenter. The name of the cluster is SRV-HV01.

My environment is very simple: a unique domain and a unique site with 2 Domain Controllers (one on Win2013 and the second one on Win2008R2).

I first added a new Win2012 R2 Standard Domain Controller on a physical server named SRV-DC01 and transferred the following Operation Masters to it: PDC, RID, Schema Master and Domain Naming. It is also a Global Catalog.

I installed another Win2012 R2 Standard Domain Controller as a Virtual Server in the cluster whose name is SRV-DC02. It has the Infrastructure Operation Master and is also a Global Catalog.

3 more Member Servers using Win2012 R2 were installed on the cluster.

Everything worked fine until I ran my first Cluster-Aware remote updating. I installed the Failover Cluster Manager on SRV-DC01 and executed a remote CAU successfully.

At the end of the process, the Server Manager on the first physical server SRV-SAN01 had a Manageability problem. The Event Viewer showed the following error during 12 hours:

Error 4 from source Microsoft-Windows-Security-Kerberos: “The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-san01$. The target name used was HTTP/SRV-HV01.mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.”

On the second physical server SRV-SAN02 the Manageability problem still goes on 27 hours after CAU, with exactly the same error 4 from source Microsoft-Windows-Security-Kerberos.

On the Failover Cluster Manager, I also have an Error 1023 from source Microsoft-Windows-ClusterAwareUpdating-Management:

“Failed to get CAU report. Details: Microsoft.ClusterAwareUpdating.ClusterUpdateException: There was a failure in a Common Information Model (CIM) operation, that is, an operation performed by software that Cluster-Aware Updating depends on. The computer was "SRV-HV01", and the operation was "Contacting the Cluster-Aware Updating software on the cluster node.". The failure was: (CimException) WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.

 Possible causes are:

 -The user name or password specified are invalid.

 -Kerberos is used when no authentication method and no user name are specified.

 -Kerberos accepts domain user names, but not local user names.

 -The Service Principal Name (SPN) for the remote computer name and port does not exist.

 -The client and remote computers are in different domains and there is no trust between the two domains.

 After checking for the above issues, try the following:

 -Check the Event Viewer for events related to authentication.

 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

  -For more information about WinRM configuration, run the following command: winrm help config. HRESULT 0x8033809d ---> Microsoft.Management.Infrastructure.CimException: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 

 Possible causes are:

 -The user name or password specified are invalid.

 -Kerberos is used when no authentication method and no user name are specified.

 -Kerberos accepts domain user names, but not local user names.

 -The Service Principal Name (SPN) for the remote computer name and port does not exist.

 -The client and remote computers are in different domains and there is no trust between the two domains.

 After checking for the above issues, try the following:

 -Check the Event Viewer for events related to authentication.

 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

  -For more information about WinRM configuration, run the following command: winrm help config.

  at Microsoft.Management.Infrastructure.Internal.Operations.CimAsyncObserverProxyBase`1.ProcessNativeCallback(OperationCallbackProcessingContext callbackProcessingContext, T currentItem, Boolean moreResults, MiResult operationResult, String errorMessage, InstanceHandle errorDetailsHandle)

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Logger.<_TraceCallWorker>d__0`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Logger.<TraceCall>d__5`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()

  at MS.Internal.ClusterAwareUpdating.Wmi.ClientConnectionManager.<CreateInstancePreparationTask>d__0.MoveNext()

  --- End of inner exception stack trace ---

  at MS.Internal.ClusterAwareUpdating.Wmi.ClientConnectionManager.<CreateInstancePreparationTask>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Wmi.AbstractCauStreamedMethod`1.<OnInvokeAsync>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Wmi.AbstractCauMethod`1.<InvokeAsync>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Util.Await[TResult](Task`1 t)

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportListFromMachine(String machineName, ClientConnectionManager clientConnectionMgr, Task instancePrepTask, CancellationToken cancelToken)

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportInternal(String clusterName, PSCredential credential, DateTime reportTimestamp, CancellationToken cancelToken)

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportInternal(String clusterName, PSCredential credential, DateTime reportTimestamp, CancellationToken cancelToken)”

I have not found anything about that on the Internet.

Could you please help me with these errors?

Thanks in advance.


Old domain removal problem.


I am using Windows Server 2008 R2; these are the errors that show up in the Active Directory Domain Services role.

Issue:
The primary domain controller (PDC) emulator operations master in this forest is not configured to correctly synchronize time from a valid time source.

Impact:
If the PDC emulator master in this forest is not configured to correctly synchronize time from a valid time source, it might use its internal clock for time synchronization. If the PDC emulator master in this forest fails or otherwise becomes unavailable (and if you have not configured a reliable time server (GTIMESERV) in the forest root domain), other member computers and domain controllers in the forest will not be able to synchronize their time.

Resolution:
Set the PDC emulator master in this forest to synchronize time with a reliable external time source. If you have not configured a reliable time server (GTIMESERV) in the forest root domain, set the PDC emulator master in this forest to synchronize time with a hardware clock that is installed on the network (the recommended approach). You can also set the PDC emulator master in this forest to synchronize time with an external time server by running the w32tm /config /computer:WS2008R2-DC.relianceinfotech.net /manualpeerlist:time.windows.com /syncfromflags:manual /update command. If you have configured a reliable time server (GTIMESERV) in the forest root domain, set the PDC emulator master in this forest to synchronize time from the forest root domain hierarchy by running w32tm /config /computer:WS2008R2-DC.relianceinfotech.net /syncfromflags:domhier /update.

and another issue

Issue:
The domain relianceinfotech.net has only one functioning domain controller.

Impact:
In the event of a failure on the domain's only domain controller, users will not be able to log in to the domain or access domain resources.

Resolution:
Add one or more additional domain controllers to the domain to handle authentication and authorization requests in case there is a failure on the domain's single available domain controller.

The problem is that I do not have relianceinfotech.net; that domain is the old one, and the domain that is working now is relianceti.net. I just want to know how to resolve that and stop these warnings from showing.

I cannot access the sharefolder in W2008R2 in sub-domain.


We cannot access the network share folder on the W2008R2 DC of the sub-domain.

Our scenario is as follows:

The main-domain(AAA.com) has two DCs (W2008R2+W2003R2).

The sub-domain(BBB.AAA.com) has two DCs(W2008R2+W2003R2).

There is trust relation between AAA.com and BBB.AAA.com.

There are network share folders on both the W2008R2 and the W2003R2 DC of domain BBB.AAA.com.

Those share folders grant access rights to the users in domain AAA.com.

The domain users in AAA.com can access W2003R2 of BBB.AAA.com but cannot access W2008R2 with the error message “no access right”.

The domain users in BBB.AAA.com can access both DCs in BBB.AAA.com.

Presumably there is something wrong with W2008R2 of BBB.AAA.com.

Please guide to manage this issue.

Thanks a lot in advance!


global catalog problem


hello everyone

In our company we are upgrading our DCs to Server 2012 R2. We have one DC on 2008 R2; we installed another DC on 2012 R2 and made it a GC from Sites and Services. The problem appeared when I demoted the 2008 server: I noticed that nobody in the company was able to log on to the domain. I realized that even though the Global Catalog check mark is checked, the server is not a global catalog; when I connect through LDAP I see isGlobalCatalogReady: false. I tried many solutions to make it a global catalog but with no success. My solution was to shut down this server and restore the 2008 server from a previous backup. Now all the users can log on to the domain, but I only have one DC. I tried to add another 2012 R2 DC, but DCPromo fails on the prerequisite "check verification of outbound replication failed error reading the ntds settings on replication source controller". I installed another Server 2008 R2 server, since there is no prerequisite check, but the same problem occurred: the new DC is marked as GC but it's not a GC. I checked port 3268 and I ran dcdiag, and this is the result:

dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = 2k8DC
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: mysite\2K8DC
Starting test: Connectivity
......................... 2K8DC passed test Connectivity

Doing primary tests

Testing server: mysite\2K8DC
Starting test: CheckSecurityError
The account 2K8DC is not a DC account. It cannot replicate.
Unable to verify the machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
2K8DC.
Source DC WIN-SM5GUTCII7H has possible security error (8453).
Diagnosing...
Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
DC and continuing...
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN :LDAP/WIN-SM5GUTCII7H
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
Unable to verify the machine account
(CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
for WIN-SM5GUTCII7H on 2K8DC.
Unable to connect to the NETLOGON share!
(\\WIN-SM5GUTCII7H\netlogon)
[WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
error 67, The network name cannot be found..
[WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
shares. Please check the above output and take appropriate
steps.
Failed to read object metadata on WIN-SM5GUTCII7H, error
Directory object not found.
[WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
See any errors reported in attempting tests.
......................... 2K8DC failed test CheckSecurityError


Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : mydomain

Running enterprise tests on : mydomain.local

C:\Users\Administrator>dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = 2k8DC
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: mysite\2K8DC
Starting test: Connectivity
......................... 2K8DC passed test Connectivity

Doing primary tests

Testing server: mysite\2K8DC
Starting test: CheckSecurityError
The account 2K8DC is not a DC account. It cannot replicate.
Unable to verify the machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
2K8DC.
Source DC WIN-SM5GUTCII7H has possible security error (8453).
Diagnosing...
Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
DC and continuing...
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN :LDAP/WIN-SM5GUTCII7H
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
Unable to verify the machine account
(CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
for WIN-SM5GUTCII7H on 2K8DC.
Unable to connect to the NETLOGON share!
(\\WIN-SM5GUTCII7H\netlogon)
[WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
error 67, The network name cannot be found..
[WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
shares. Please check the above output and take appropriate
steps.
Failed to read object metadata on WIN-SM5GUTCII7H, error
Directory object not found.
[WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
See any errors reported in attempting tests.
Authoritative attribute pwdLastSet on 2K8DC (writeable)
usnLocalChange = 5866156
LastOriginatingDsa = 2K8DC
usnOriginatingChange = 5866156
timeLastOriginatingChange = 2014-08-17 08:55:52
VersionLastOriginatingChange = 42
Out-of-date attribute pwdLastSet on WIN-SM5GUTCII7H (writeable)
usnLocalChange = 12868
LastOriginatingDsa = 22a5b57a-fac4-4cfe-9fcb-c545025d3716
usnOriginatingChange = 5830453
timeLastOriginatingChange = 2014-08-13 15:07:23
VersionLastOriginatingChange = 41
Unable to verify the convergence of this machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) on these DC's
(DC=mydomain,DC=local,2K8DC). Does the machine account password need
resetting?
......................... 2K8DC failed test CheckSecurityError


Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : mydomain

Running enterprise tests on : mydomain.local

Note that WIN-SM5GUTCII7H is the new DC. I renamed it to server 2008R2, but it can't be a global catalog due to the error.
I tried to google this error but I didn't find any solution on how to make it replicate the GC.

Best
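The situation in this post (check box set, isGlobalCatalogReady still FALSE) can be told apart from "GC not configured at all" per DC. The following is an added example, not part of the post, and assumes the ActiveDirectory module and LDAP reachability to each DC:

```powershell
# Added example (not from the post). For each DC in the domain, compares the
# "is a GC" flag on its NTDS Settings object with what the DC itself reports in
# RootDSE, and checks whether anything listens on the GC port 3268.
Import-Module ActiveDirectory

function Test-GlobalCatalogState {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $flagSet = $null; $ready = $null; $port = $false; $note = ''
        try {
            # options bit 0x1 (NTDSDSA_OPT_IS_GC) is what the Sites and Services
            # check box sets; it is the intent, not the running state.
            $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
            $flagSet = ((([int]$ntds.options) -band 1) -eq 1)
            # isGlobalCatalogReady only turns TRUE once the DC holds a full read-only
            # replica of every partition; an unresolved replication error keeps it FALSE.
            $root  = [ADSI]"LDAP://$($dc.HostName)/RootDSE"
            $ready = (([string]$root.isGlobalCatalogReady) -eq 'TRUE')
        } catch {
            $note = $_.Exception.Message
        }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($dc.HostName, 3268); $port = $true } catch { } finally { $tcp.Close() }
        New-Object PSObject -Property @{
            DC        = $dc.HostName
            GCFlagSet = $flagSet
            GCReady   = $ready
            Port3268  = $port
            Note      = $note
        }
    }
}

# GCFlagSet = True with GCReady = False is the post's case: flagged, but not
# serving the GC. Replication to that DC has to succeed first (the 8453 error
# in the dcdiag output above blocks it); only then does the DC advertise as GC.
Test-GlobalCatalogState | Format-Table DC, GCFlagSet, GCReady, Port3268, Note -AutoSize
```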

ADFS Web Application Proxy - Automatically authenticate another federation


I am setting up a Web Application Proxy as a reverse proxy to publish some of our internal websites to the internet. I am going to publish https://portal.workplace.example as the "hub" site which will link off to various other websites hosted internally. These sites are hosted on various different servers so I want to use the WAP to take advantage of the SSO facility. This works nicely.

One of the links will be to Office 365. We are using IAMCloud's Federate 365 service (which is essentially a hosted ADFS service) to authenticate our users. Using this means that users away from the workplace are not dependent on our internet connection being active to access O365 and that they will still be able to authenticate should our internet connection die. However, it also means that when the user clicks on the link on the portal page to Office 365 they are forced to re-authenticate. What I'd like to do is to pass the credentials that the Web Application Proxy collects on to the external federation service automatically. I just can't see how you'd do it.

I have added the external ADFS farm as a relying party trust but I have no idea what I need to use as a claim rule so I've used a passthrough rule with the UPN as the claim being passed. I've also set up a publishing rule with the WAP with the external federation's URL and changed the hosts file on a test computer to make the external federation's address resolve to the WAP's IP address but this just results in a blank page. I fully accept that I'm not doing this right but I'm unsure of where to go from here. Can anyone give me some advice?

Many thanks,

Ian

Domain controller 2008r2 full backup and system state backup script help.


Hello, I am in need of a little assistance with a script I am trying to make for automating the backups of my domain controllers.

So far I have system state working fine.

I altered the code from "wbadmin start systemstatebackup" to "wbadmin start backup".

system state script

Add-PSSnapin Windows.ServerBackup
# Gets the date used as the backup folder name
$date = Get-Date -Format dd.MM.yyyy
# Declares the backup location
$backdir = "\\backupserver\bpdbackups\DC\$date"
# Makes the backup directory on the network share
mkdir $backdir | Out-Null
# Runs the system state backup
wbadmin start systemstatebackup -backupTarget:$backdir -quiet
# Sends an email at the end of the process
$smtp = "192.168.254.201"
$from = "Domain Controller <support@domain.com>"
$to = "Network Admin <network.help@domain.com>"
$body = "The backup operation has been successfully done! Date: $date"
$subject = "Backup on $date"
# Send an email to the user
Send-MailMessage -SmtpServer $smtp -From $from -To $to -Subject $subject -Body $body -BodyAsHtml
Write-Host "Backup Successful"

and full backup script 

Add-PSSnapin Windows.ServerBackup
# Gets the date used as the backup folder name
$date = Get-Date -Format dd.MM.yyyy
# Declares the backup location
$backdir = "\\backupserver\bpdbackups\DC\$date"
# Makes the backup directory on the network share
mkdir $backdir | Out-Null
# Runs the full backup
wbadmin start backup -backupTarget:$backdir -quiet
# Sends an email at the end of the process
$smtp = "192.168.254.201"
$from = "Domain Controller <support@domain.com>"
$to = "Network Admin <network.help@domain.com>"
$body = "The backup operation has been successfully done! Date: $date"
$subject = "Backup on $date"
# Send an email to the user
Send-MailMessage -SmtpServer $smtp -From $from -To $to -Subject $subject -Body $body -BodyAsHtml
Write-Host "Backup Successful"

However, when I am running the full backup script it comes back with an error saying

"no volume has been included for backup". Am I missing a line of code?

many thanks

Gordon
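For comparison, an added example that is not Gordon's script: the same flow, with the full backup told which volumes to include and with the status mail reflecting the real outcome rather than being sent unconditionally. Share path, SMTP host and addresses are the ones from the post.

```powershell
# Added example: full backup of a domain controller with wbadmin. Assumes the
# same share and SMTP host as the post and that the account running the task
# can write to the share.
Add-PSSnapin Windows.ServerBackup -ErrorAction SilentlyContinue

$date    = Get-Date -Format dd.MM.yyyy
$backdir = "\\backupserver\bpdbackups\DC\$date"
New-Item -ItemType Directory -Path $backdir -Force | Out-Null

# "wbadmin start backup" needs a volume selection; -allCritical adds every volume
# holding system components (OS, SYSVOL, NTDS database and logs), which is what
# the "no volume has been included" error is asking for.
# -vssFull marks the files as backed up (a full VSS backup) instead of the
# default copy backup; use it only when no other product backs up this server.
$log = Join-Path $backdir 'wbadmin.log'
wbadmin start backup -backupTarget:$backdir -allCritical -vssFull -quiet 2>&1 | Tee-Object -FilePath $log
$exit = $LASTEXITCODE

$mail = @{
    SmtpServer = '192.168.254.201'
    From       = 'Domain Controller <support@domain.com>'
    To         = 'Network Admin <network.help@domain.com>'
}
if ($exit -eq 0) {
    Send-MailMessage @mail -Subject "Backup OK on $date" -Body "Full backup written to $backdir"
} else {
    # Ship the wbadmin output so the failure can be read from the mail alone.
    Send-MailMessage @mail -Subject "Backup FAILED on $date (exit $exit)" -Body (Get-Content $log | Out-String)
}
exit $exit
```

Returning wbadmin's exit code lets the scheduled task itself show the failure, so a broken backup does not sit unnoticed behind a "successful" mail.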


Domain Controller Mystery


Hey Guys,

I am sort of tugged into a strange scenario and want to understand if my procedure to the problem is right.

Single Forest / Single Domain scenario

2 DC's and a single site

 DC 1 - GC, Schema master, DNM,

 DC 2 = PDC , RID, INM

100's of clients authenticate to both DC's

In the event of DC2 failure: we have recently seen "unable to logon using domain admin account" on DC2, along with secure channel issues, and have no access to DC2, yet the IP address on DC 2 responds. The challenge is we cannot restart in DSRM mode and can't run any 3rd party tools.

In this vague event, what are the steps to be taken ?

Few I thought were
a) on DC 1 - transfer all the roles from DC 2 to DC 1

or

b) reset the secure channel on DC 2 - highly impossible, because admins cannot RDP / access the DC2 command prompt

or
c) seize FSMO roles from DC 2 to DC 1

Question: for seizing, do we need to have DC 2 online and actively listening on Ethernet?

or are there any other methods performed

Duplicate SPN for user accounts


Hi Support,

I get an error in the system log like the one below, but it is bringing up a user account rather than a computer account for the duplicate SPN:

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is username. (of type -17). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for username in Active Directory.

The steps in the article KB321044 are for computer accounts and not for user accounts; are there any relevant steps for user accounts having duplicate SPNs?

Thanks,

Arun
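The two SPN questions on this page (the KRB_AP_ERR_MODIFIED event naming HTTP/SRV-HV01.mydomain.com, and this KDC duplicate-name event on a user account) come down to the same lookup: which account holds a given SPN, and is any SPN held by more than one account. The following is an added example, not from either post; it assumes the ActiveDirectory module and the domain-scoped view of an ordinary DC.

```powershell
# Added example, not from either post. Shows which account(s) hold a given SPN
# and lists every SPN registered on more than one account in the domain, user
# objects included. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SpnOwner {
    param([Parameter(Mandatory = $true)][string]$Spn)
    # servicePrincipalName can sit on computers, users and managed service
    # accounts, so search objects generally rather than computers only.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Find-DuplicateSpn {
    $byName = @{}
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $owner = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()      # SPN matching is case-insensitive
                if (-not $byName.ContainsKey($key)) { $byName[$key] = @() }
                $byName[$key] += $owner
            }
        }
    foreach ($entry in $byName.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            New-Object PSObject -Property @{ SPN = $entry.Key; Owners = ($entry.Value -join '; ') }
        }
    }
}

# Kerberos post: the SPN named in the KRB_AP_ERR_MODIFIED event must map to the
# account the service actually runs as; if it is registered elsewhere, the KDC
# encrypts the ticket with the wrong key and the target cannot decrypt it.
Get-SpnOwner -Spn 'HTTP/SRV-HV01.mydomain.com'

# Duplicate-SPN post: the check "setspn -X" performs, but keeping ObjectClass in
# the output so user-account duplicates stand out next to computer ones.
# This is domain-scoped; SPNs must be unique per forest, so in a multi-domain
# forest run "setspn -X -F" as well.
Find-DuplicateSpn | Sort-Object SPN | Format-Table -AutoSize
```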

ERR2:7447 SID History cannot be updated -- While Migrating SID. on Windows server 2008.


Hello Techies,

Required your help....

I am getting the error below while migrating SIDs.

ERR2:7447 SID History cannot be updated -- While Migrating SID. on Windows server 2008..

I did all the settings which were mentioned in the KB below, but still the same error. Why is this not working?

sIDHistory migration requires the following additional dependencies

  • Success and failure auditing of account management for both source and target domains.
  • Windows NT 4.0 source domains call this user and group management auditing.
  • An empty local group in the source domain that is named {SourceNetBIOSDom}$$$.
  • The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport registry key must be set to 1 on the source domain primary domain controller.

I already enabled the SID history.

Can you please help me..



How does Active Directory track how many computers a user has joined to the domain?


Active Directory allows any domain user to join up to 10 computers to the domain. How does AD track this? Is there an attribute on each user object that shows how many computers that they have joined to the domain? Or does it use event logs to determine this?


Selective authentication doubt using trust relationship (For using Tableau Server)


Hi,


I'm using the following scenario:

  • Domain DOMAIN1.CORP (FOREST 1)
    Active Directory/DNS
    Windows Server 2008 R2
    IP: 192.168.0.1

  • Domain DOMAIN2.SSC (FOREST 2)
    Active Directory/DNS
    Windows Server 2003 R2
    IP: 10.0.0.1

  • Tableau Server (BI software) - joined to DOMAIN2.SSC
    Windows Server 2012
    IP: 10.0.0.2

Functional level of the forests and domains: 2003

The software is configured to use AD authentication using DOMAIN2.SSC.

We need to allow that server to add some users from the DOMAIN1.CORP domain.

Configured the trust relationship guided from their website (http://kb.tableausoftware.com/articles/knowledgebase/active-directory-domains).

The problem is, the people on DOMAIN1.CORP are complaining about security for using the two-way trust.

So I was trying to change the authentication mode to "selective".

The problem is:

When I configure the "outgoing trust" as "selective authentication", the software stops gathering information from DOMAIN1.CORP.

I went to the DOMAIN2.SSC, AD Users and Computers snap-in, computers OU and set the "Allow to be authenticated" permission on the computer account for the user of the DOMAIN1.CORP that I want to add on the software.

Nothing changes.

The only thing that changed was the fact that on selective authentication, without that permission, the user couldn't log on to the server using the other domain's credentials. After the permission was set, it could.

Am I missing something? Or must it be something wrong with the software?



How to Schedule global group user listings to be exported from Active Directory using Hyena


I need to set up scheduled exports of group user listings from AD to an Excel file. Lost...

Single Sign On SAML Response issue


Hi All,

I have a website which implements SSO functionality. The website basically gets the SAML request from the SSO URL, does the AD authentication and then builds the SAML response to do the HTTP POST to the SSO URL.

The problem I am facing is that the SSO URL redirects again to my website with the SAML request and this goes into an infinite loop. My thinking was that once the SSO URL receives the SAML response it will validate it and redirect to the actual URL where users can use the website.

I know I have provided limited information here but would like to get response from the forum users on this.

Thanks

Prashant

How to grant a domain user manager group membership permission


Hi Guys

I'm a junior AD admin. We have a routine job that adds/removes users from specific groups; recently our team wants to assign the job to the helpdesk, but the helpdesk doesn't have a domain admin account, and he doesn't even have permission to log in to the DC. So under this situation, is there a way to achieve this?

Thanks

Enter the forest and it locks me out of entering the domain controller or any child domains


Using Windows Server 2008 R2 SP1, no matter if I use the Graphical User Interface (GUI) or the Answer Method to enter the forest, it locks me out of entering the domain controller or any child domains.

Is there a remedy to this?
