Channel: Directory Services forum

ADFS 3.0/Win 2012 with Win 2008 AD?


Hello Everyone,

We are running Windows Server 2008 AD with the schema extended for Server 2012. I am wondering if I can set up ADFS 3.0 on a Windows 2012 machine joined to this domain, or if I need to use ADFS 2.0 with Windows 2008 R2?

Joe


ADFS and Office 365 SSO Authentication


Good Afternoon,

We have a setup where we have two groups of users - Staff and students.  We are using the email address (via the Synchronization Service Manager) with Office 365. Staff have emails like user@district.domain.edu, while students have email addresses like user@student.org. However, the UPN for BOTH follows the staff email domain.

Now, using DirSync, EVERYONE can log in to Office 365 with their organizational email and password.

However, now we are implementing ADFS for single sign-on. For staff, we have it working without a hitch. However, for students it is not working. I'm thinking that this has something to do with the userID that Office 365 is sending back to our ADFS server? For staff it is sending a value that corresponds to a user's UPN, but for students that's not the case...

Is there a way (perhaps using Claims Rules?) that I can convert the email to the UPN before it attempts authentication with our ADFS?

Thanks

Chad

Site Links - Active Directory Sites and Services


We currently have 4 physical sites within our organisation. These sites are Heathrow, Norwich, Wales and Ipswitch. At the moment the site links which are configured are in a mess. There are five site links. One is a duplicate: Heathrow - Ipswitch seems to be listed twice with a cost of 100 and an interval of 15 min (with only these two sites in it); the site link is just called a different name. The third site link contains Heathrow, Norwich and Wales. The fourth has just Wales by itself. The fifth has Heathrow and Norwich.

Sites Norwich, Wales and Heathrow are all on MPLS, Ipswitch is connected via VPN tunnel to Heathrow.

I want to simplify the site links. Would a good design be to have Norwich, Wales and Heathrow all in one Site Link and then a separate site link for Ipswitch and Heathrow, or could someone advise best practice on this? Bridge all site links is ticked and site links are all currently IP site links.


AD 2003 Tombstone Lifetime error


Dears,

Site A (Main) : 2 DC (win 2003 R2 Sp2)

Site B : 1 DC ( win 2003 R2 Sp2)

One of my clients has a DC replication problem, and after investigating using replmon we discovered that the DC on Site B has run out of Tombstone Lifetime!

And when I checked the attribute "tombstoneLifetime" of the object cn=directory service,cn=windows,cn=services in the Configuration partition, I found the value <not set>, which from what I know means it's 60 days!

Now I need to know: if I changed the attribute "tombstoneLifetime" to 180 days, would I face any problems? I need to enable replication again between both sites!


mwahab

Event Error NetBT 4321


Hi,

I am getting the following error messages on my domain controller. 

Error: NetBT 4321

The name "domainname        :1d" could not be registered on the Interface with IP address 172.16.10.1. The machine with the IP address 172.16.10.2 did not allow the name to be claimed by this machine.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How can I resolve this issue?

Thanks

Faisal Farooq

Active Directory User and Password Sync


Hi,

We have virtualised development labs that are direct clones of our production environment, including names, IP addresses and Active Directory. These labs are ring-fenced using virtual network appliances with firewall rules that allow access to specific ports. The issue we have is that when passwords expire, either in the labs or in production AD, it causes issues for our developers. Also, when new users are created in production, the process has to be repeated in multiple labs, which is a bit of a time sink, even with scripts.

Currently we sporadically do system state restores to AD controllers in the labs to get them in sync with prod, but this also requires us to re-add all the servers back onto the domain and again is a tedious process. Is there any way to sync from production AD to the labs' AD?

Thanks in advance.

Mark

How many Secondary Zone can be created?


Hi Guys,

I would like to ask how many secondary zones can be created, like in my image below.

Thank you

Active Directory Question


Hi all!

All my domain controllers have recently migrated to a new corporate forest, I'll call the domain name "S".

The IT admin has created many individual OU within this domain S. (SG1, SG2, SG3 etc)

I belong to OU SG1 and I'm also looking after OU SG2.

The problem I notice is with a new PC that has just joined domain S, while it is still sitting in the S > Computer container.

The computers there have no problem accessing internal web services in OU SG1 & OU SG2.

However, when the IT admin starts to put the PCs in their respective OU (SG1 for instance), they are able to ping the web server of SG2 but are unable to access it. I have to request that the admin put it back in the Computer container until I have a solution for this.

Does anyone know what I can do about this in my own OU, such that it is able to access the web servers in both SG1 and SG2?

Hope this is clearly explained.

Thanks in advance!


Install Additional Domain Controller


Hi,

I have two Windows 2003 Server domain controllers, DC01 and DC02.

DC01 has all the roles and DC02 is acting as an additional domain controller.

Additional domain controller DC02 has died; its HDD failed. Now I want to install the additional domain controller again with the same name / IP address, that is DC02.

Can I use the previous name of the dead additional domain controller?

Please suggest me the best practice and best solution.

Thanks

Faisal Farooq


Can I set up a separate PKI infra in the same domain along with the current PKI infrastructure


I have an existing PKI infrastructure running on Windows Server 2003 in my domain. I want to upgrade my PKI to Windows Server 2012. Can I set up a separate PKI infrastructure running Windows Server 2012 along with the Windows 2003 PKI infrastructure for the same domain? If yes, what is the process, and how can I slowly migrate from my old Windows 2003 PKI to my new Windows 2012 PKI infra?

How to config a trusting domain so that domain admins in the trusted domain can only see users in a certain OU in the trusting domain?


I want the domain admins in the trusted domain to be only able to see users in certain OUs in the trusting domain. I don't want the domain admins in the trusted domain to be able to enumerate/see all users/OUs in the trusting domain.


AD prep for RODC


My company wants to put some RODCs in the DMZ. We are running 2008 R2 DCs, but it looks to me like the forest/domain wasn't prepped to handle RODCs.

If I want to run the AD prep switch for that, is there anything I need to consider beforehand? Apparently it was missed during the upgrade about 1 year ago.

Windows 2003 Servers Can't Authenticate on Windows 2012 R2 Domain Controller


I have a small 2003 level domain with two Windows 2003 Domain Controllers. I demoted DC2 and replaced it with a 2012 R2 server. It is mostly working once I applied the fix. But when I shut down DC1 (Windows 2003) I can't logon to the Windows 2003 servers in the domain. I get "RPC server is unavailable". The Windows 2008 servers work fine.

I ran DCDiag and everything was fine. But when I ran it against DNS I got the messages below.

TEST: Authentication (Auth)
  Error: Authentication failed with specified credentials

TEST: Basic (Basc)
  Microsoft Windows Server 2012 R2 Standard (Service Pack level: 0.0) is supported
  Error: Open Service Control Manager failed

I have triple checked all the service settings and DNS entries. I don't see the problem. I am an experienced server admin but not much experience in Active Directory. So I must be missing something.

Two DNS Servers with different SOA


Hello,

I have a DNS Server in my main office (Lab environment) of an Active Directory domain.

I have set up another one in a branch office, and they communicated with each other just fine over an ISA Server site-to-site VPN.

The link of that VPN broke and the branch office was offline for several days.

I managed to bring up that site-to-site VPN again, but now I see that the SOA within the DNS Server in the branch office is 482, whereas the SOA in the DNS Server in the main office is 548.

I read somewhere that this SOA is precisely for these cases, and that Active Directory would determine which DNS is better and therefore the branch office would take the new DNS records.

Is this so? I am waiting but don't see that the branch office takes that 548 SOA number from the DNS in the main office.

Thanks in advance!

P.S.: I manually changed some things in the DNS in the branch office and I am hoping that the SOA will work that out.


Luis Olías, Systems Technician/Administrator. Sevilla (Spain)


LDP Add dlMemSubmitPerms


Hello,

I have the following problem.

I should permit a Universal Security Group. This group is used as a mail distributor. I have access control (Full Control) over an OU. The OU includes the group, so I can use LDP.exe. In a simple test I changed an attribute value <extensionAttribute1> to "test", because I know that I have rights to change some values. When I change the attribute value for <dlMemSubmitPerms> over ADUC I get the message "There is no Editor registered to handle this attribute type". When I modify the value over LDP.exe

DN: CN=GroupSAM,OU=OUName,OU=OUName,OU=Firm,OU=other_companies,DC=ms,DC=contoso,DC=com

Attribute: dlMemSubmitPerms

Values: CN=PermitGroupSAM,OU=OUName,OU=OUName,OU=Firm,OU=other_companies,DC=ms,DC=contoso,DC=com

then => Operation: ADD => Enter => Run

I get the following error message

***Call Modify...

ldap_modify_s(ld, 'CN=GroupSAM,OU=OUName,OU=OUName,OU=Firm,OU=other_companies,DC=ms,DC=contoso,DC=com',[1] attrs);

Error: Modify: Constraint Violation. <19>

Server error: 000020B5: AtrErr: DSID-03152804, #1:

0: 000020B5: DSID-03152804, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20090 (dLMemSubmitPerms)

Error 0x20B5 The name reference is invalid.

I don't know why, because I can modify other attributes.

Thanks for help.


Domain with 3DC and one Testserver same name like one of the DCs


hey

We have DC1 (master DNS and GC), DC2 (GC) and DC3 (GC), which is hosting warehouse software.

Now I need, only for testing purposes, to start a new server (it is not in the domain, only in a workgroup at the moment; that's not a problem for my software) with the same NAME and IP as DC3. (It holds a few local users with the same names and passwords as my clients.) Some clients have to connect to it to test the new version of the warehouse software for some hours.

--- Later I will demote DC3 and promote my new server to DC when the test was fine.

Could something go wrong in this scenario, with my Active Directory or otherwise?

email notification after active directory password has been changed


hello.

Thanks for the time. I was wondering if it is possible to somehow set up an email alert after a user's password has been changed. I see a lot of articles pointing to email alerts when a password is about to expire, but not really anything after a password has been changed. I figure it would be similar but based on different attributes such as PasswordLastSet.

If anyone has run into something similar I would much appreciate some insight.  Thanks.
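One way to build such an alert, as an added example that is not from this post or thread: poll the directory on a schedule for accounts whose pwdLastSet moved past a saved watermark and mail a summary. It assumes the RSAT ActiveDirectory module, an SMTP relay that accepts unauthenticated mail from the script host, and the placeholder paths and addresses shown.

```powershell
# Added example: report users whose password was set since the last run and send one summary mail.
# Assumes the ActiveDirectory module (RSAT) and an SMTP relay; the paths and addresses are placeholders.
Import-Module ActiveDirectory

$stateFile  = 'C:\ProgramData\PwdChangeWatch\last-run.txt'   # placeholder: where the watermark is kept
$smtpServer = 'smtp.example.com'                              # placeholder relay
$from       = 'ad-alerts@example.com'                         # placeholder sender
$to         = 'secops@example.com'                            # placeholder recipient

# Watermark: the previous run's timestamp, or the last 24 hours on the first run
if (Test-Path $stateFile) {
    $since = [datetime]::Parse((Get-Content -Path $stateFile -Raw).Trim())
} else {
    $since = (Get-Date).AddHours(-24)
}
$now = Get-Date

# pwdLastSet is stored as a FILETIME large integer, so the LDAP filter compares against that form;
# PasswordLastSet is the module's converted DateTime view of the same attribute.
$sinceFileTime = $since.ToFileTimeUtc()
$changed = Get-ADUser -LDAPFilter "(pwdLastSet>=$sinceFileTime)" -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -le $now } |
    Select-Object SamAccountName, DistinguishedName, PasswordLastSet |
    Sort-Object PasswordLastSet

if ($changed) {
    $body = ($changed | Format-Table -AutoSize | Out-String)
    Send-MailMessage -SmtpServer $smtpServer -From $from -To $to `
        -Subject "AD password changes since $($since.ToString('u'))" -Body $body
}

# Advance the watermark only after the query and mail succeeded, so a failed run is retried next time
New-Item -ItemType Directory -Force -Path (Split-Path -Path $stateFile) | Out-Null
Set-Content -Path $stateFile -Value $now.ToString('o')
```

Run it from a scheduled task under an account that can read pwdLastSet. Two caveats: polling pwdLastSet cannot tell who made the change, and it does not catch an account flagged "must change password at next logon" (pwdLastSet is 0 in that state, so the filter skips it); if the actor matters, the domain controllers' security log events for password changes and resets are the authoritative source and this script is only a convenient summary.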

Non-Compliance issue


Hi Cooper,

If I enable this script in my environment, where everything is maintained as per compliance, and I install the Quest modules, then there should not be any non-compliance issue, meaning my security team should not raise concerns about unlicensed software installed in the MS environment.

Please confirm so that I can make a decision about this.

Nicknaming / aliasing domain name to avoid renaming


Hi,

Is it possible to set up a nickname, alias or something so that if an end user is prompted for credentials in a system including the domain, they can enter newname\username and this actually gets translated to the real domain name, oldname\username?

UPN suffixes won't cut it; the default format is of course olddomain\username in most systems, and I want to be able to enter "newname" as the domain when, for example, configuring an iPhone for Exchange email.

Thanks.

Domain controller demotion failed


After demoting my DC it appeared to have failed; I'm missing the Kerberos and LDAP records in DNS. dcdiag /test:dns outputs

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = IGMSDC01

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

  
   Testing server: Default-First-Site-Name\IGMSDC01

      Starting test: Connectivity

         ......................... IGMSDC01 passed test Connectivity

Doing primary tests

  
   Testing server: Default-First-Site-Name\IGMSDC01

  
      Starting test: DNS

        

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... IGMSDC01 passed test DNS

  
   Running partition tests on : DomainDnsZones

  
   Running partition tests on : ForestDnsZones

  
   Running partition tests on : Schema

  
   Running partition tests on : Configuration

  
   Running partition tests on : installationgroup

  
   Running enterprise tests on : installationgroup.ca

      Starting test: DNS

         Test results for domain controllers:

           
            DC: IGMSDC01.installationgroup.ca

            Domain: installationgroup.ca

           

                 
               TEST: Dynamic update (Dyn)
                  Warning: Failed to add the test record dcdiag-test-record in zone installationgroup.ca
                 
               TEST: Records registration (RReg)
                  Network Adapter

                  [00000007] Intel(R) PRO/1000 MT Network Connection:

                     Warning:
                     Missing SRV record at DNS server 10.0.2.120:
                     _kerberos._tcp.dc._msdcs.installationgroup.ca
                    
                     Warning:
                     Missing SRV record at DNS server 10.0.2.120:
                     _ldap._tcp.dc._msdcs.installationgroup.ca
                    
                     Warning:
                     Missing SRV record at DNS server 10.0.2.120:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.installationgroup.ca
                    
                     Warning:
                     Missing SRV record at DNS server 10.0.2.120:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.installationgroup.ca
                    
                     Warning:
                     Missing SRV record at DNS server 10.0.2.120:
                     _ldap._tcp.gc._msdcs.installationgroup.ca
                    
                     Warning:
                     Missing A record at DNS server 10.0.2.120:
                     gc._msdcs.installationgroup.ca
                    
                     Warning:
                     Missing SRV record at DNS server 10.0.2.120:
                     _ldap._tcp.pdc._msdcs.installationgroup.ca
                    
               Error: Record registrations cannot be found for all the network

               adapters

        
         Summary of DNS test results:

        
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: installationgroup.ca

               IGMSDC01                     PASS PASS PASS PASS WARN FAIL n/a 
        
         ......................... installationgroup.ca failed test DNS
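The RReg warnings above are the DC locator records a domain controller registers under _msdcs. As an added example (not from this post or thread), the check below queries the same DNS server for those records so you can see which ones came back after a re-registration; the domain, site and server values are taken from the output above, and Resolve-DnsName (Windows 8 / Server 2012 and later) is assumed.

```powershell
# Added example: verify the _msdcs SRV records that dcdiag's RReg test flagged, against one DNS server.
# Domain, site and DNS server values are taken from the dcdiag output above; adjust for your environment.
$domain    = 'installationgroup.ca'
$site      = 'Default-First-Site-Name'
$dnsServer = '10.0.2.120'

# Records a writable DC in that site, acting as GC and PDC emulator, is expected to register
$expected = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$site._sites.dc._msdcs.$domain",
    "_kerberos._tcp.$site._sites.dc._msdcs.$domain",
    "_ldap._tcp.gc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain"
)

$report = foreach ($name in $expected) {
    try {
        # NXDOMAIN or a server failure is surfaced as a terminating error and reported as MISSING
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $dnsServer -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{ Record = $name; Status = 'OK'; Targets = ($answers.NameTarget -join ', ') }
    } catch {
        [pscustomobject]@{ Record = $name; Status = 'MISSING'; Targets = '' }
    }
}
$report | Format-Table -AutoSize

# Also check the gc._msdcs A record that the RReg test listed, since GC lookups depend on it
Resolve-DnsName -Name "gc._msdcs.$domain" -Type A -Server $dnsServer -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress
```

If a DC that is still supposed to be a domain controller shows MISSING for these, have its Netlogon service re-register (nltest /dsregdns on that DC, or restart Netlogon) and re-run the check; a DC that was actually demoted is expected to stop registering them, and only the remaining DCs should appear as targets.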
