Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

Using AD authentication without "logon to" permission


Hello

I want to authenticate users against Active Directory (from a web application). It works fine,
but it requires users to have the "logon to" permission for the web server or the client they use.
I think there should be other ways without giving such permission to all users.
Can anybody help me?



Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)


Hello everyone

Today I am working on a PKI mounted on a Red Hat Enterprise Linux Server release 5.5 (Tikanga); the PKI is Easycert 5.2.2.15. We need to know what data we have to provide to the PKI so it can generate certificates for users in Active Directory, for use with a USB token (ACOS5-64 CHIP CRYPTO) functioning as a smart card for user logon on computers.

On the other hand, we also need to know the necessary settings between the third-party PKI and the domain controllers (Windows 2012).

Greetings, and I hope for your response.

TechCach

DC removed from site ! But replication happening.


Hello All,

My environment consists of 10 sites and 20 DCs. Windows server 2008 R2 - single domain single forest.

I run the MS replication tool every week to monitor the replication status of my forest\domain.

Since last week, users from one site have reported authentication issues after resetting their passwords, with respect to AD-integrated applications and system logon.

Upon checking the reported site, I found that two domain controllers were missing from the site; the DCs also show a blank site column in the DC OU in AD.

Again, I tried running the MS AD replication report and found no issue reported. Surprised! I logged in to those missing DCs and executed repadmin /showrepl and repadmin /replsummary, and found that replication was successful with the other DCs without any issues.

Can a DC be part of replication without being present in AD Sites? Could someone clarify how it is replicating with the other DCs?

Then I executed DCDiag and found errors like the ones below on the DCs missing from the site.

REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source SERVERB1

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         REPLICATION LATENCY WARNING

Also, I am looking for ways a DC can get removed from AD Sites apart from manual intervention.

Regards, 

Joe
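As an added illustration (not part of Joe's post, and not a Microsoft tool), the following PowerShell cross-checks where each DC's site membership is recorded: the server object under CN=Sites in the Configuration partition, which carries a serverReference back to the DC's computer object, and the Site value that Get-ADDomainController reports. A DC whose server object or serverReference is missing will show a blank site in the Users and Computers view while still replicating, because replication partners are driven by the NTDS Settings and connection objects, not by the site column. Domain names and server names are whatever the current domain returns; nothing here is hard-coded to the poster's environment.

```powershell
# Added example: list DC site membership from the Configuration partition and
# flag DCs whose server object lacks a serverReference to a computer object.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$cfgNC = (Get-ADRootDSE).configurationNamingContext

# Every promoted DC owns a server object: CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,<configNC>
$serverObjects = Get-ADObject -SearchBase "CN=Sites,$cfgNC" `
    -LDAPFilter '(objectClass=server)' -Properties serverReference

$fromConfig = foreach ($s in $serverObjects) {
    # The site name is the third RDN of the server object's DN
    $siteRdn = ($s.DistinguishedName -split ',')[2]
    [pscustomobject]@{
        Name            = $s.Name
        SiteFromConfig  = $siteRdn -replace '^CN=', ''
        ServerReference = $s.serverReference   # $null means the back-link is missing
    }
}

# What the AD module reports for each DC (this is what ADUC's Site column reflects)
$fromDcQuery = Get-ADDomainController -Filter * | Select-Object Name, Site

# Join the two views and show mismatches or missing references first
$report = foreach ($c in $fromConfig) {
    $dc = $fromDcQuery | Where-Object { $_.Name -eq $c.Name }
    [pscustomobject]@{
        Name             = $c.Name
        SiteFromConfig   = $c.SiteFromConfig
        SiteFromDcQuery  = if ($dc) { $dc.Site } else { '<not returned>' }
        HasServerRef     = [bool]$c.ServerReference
        Consistent       = ($dc -and $dc.Site -eq $c.SiteFromConfig -and $c.ServerReference)
    }
}

$report | Sort-Object Consistent, Name | Format-Table -AutoSize
```

Run it from any domain-joined machine with RSAT; rows with Consistent set to False are the DCs worth inspecting in Active Directory Sites and Services and with repadmin /showrepl before touching anything.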

Raising Domain Functional level


We have 75 domain controllers in our organisation, and the current Domain Functional Level is 2003. We have a mixed setup where all versions of the OS are present, starting from 2003. A large number of applications are also integrated with our current Active Directory. My concern is: if I raise my Domain Functional Level to 2008, what consequences might we face in terms of accessing legacy applications?

Please let me know the checklist we need to follow and, in case of any failure, what the rollback procedure will be.

Looking forward to your valuable input.


Random Kerberos error KRB_AP_ERR_MODIFIED on boot up of Windows 7


Hello,

For a few weeks now we have been stuck on a problem with Kerberos errors randomly showing up on boot-up of our Windows 7 clients. We have concluded that these random errors show up far more often on wireless notebooks, and for some reason more often on some than on others.

I have done Wireshark captures of a notebook when it is working and when it is not working.

As you can see, in the top image (you will have to zoom in on the page in your browser), when it is working it shows that it connects with no Kerberos error, connects to the DNS name of the server, in this case DC1.domain.ca, and downloads the policy.

When it is not working it gives the Kerberos error, then tries to connect to the hostname of the server \\dc1\ipc$, and it fails to read the group policy.

I have done a lot of research and I know about resetting the domain controller computer account, checking the SPNs, verifying that the secure trust relationships between the servers are good, checking for duplicate DNS entries, etc.

The problem I have is why it is so random. All of the posts online talk about these problems and the solutions, but they never mention that it is completely random. I can reboot this laptop 5 times and it will work perfectly, but then it won't work 3 times in a row, then it goes back to working again.

Am I completely off track in trying to fix errors on the DCs, and should I be looking at a hardware issue or a driver problem on the client side?

One other note: when you get a Kerberos error on boot-up, if you wait up to 30 seconds, the client will try the connection again and it will succeed, just as in the working capture. This is great, but most users have already tried logging in within 30 seconds, and the GPOs have then already failed.

Thanks,

Dan.


How to batch update all users attribute msDS-UserAccountDisabled to False in ADLDS


Hi all

I've recently installed AD LDS and exported, then painstakingly imported, users from AD to AD LDS.

AD LDS is installed on a Windows 2008 R2 (64-bit) Enterprise server.

I've realised that I need to modify an attribute for each account to allow logon.

As I have 9000+ accounts, is there a batch process that I can use to update the msDS-UserAccountDisabled attribute?

Cheers

AussiePete
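One way to do the bulk update asked about above, as an added example that is not part of AussiePete's post: the ActiveDirectory module's Get-ADObject and Set-ADObject cmdlets work against an AD LDS instance when pointed at it with -Server. The host name, port and search base below are placeholders; only accounts still flagged as disabled are selected, so the script can be re-run safely and leaves a count of what it changed.

```powershell
# Added example: bulk-clear msDS-UserAccountDisabled on AD LDS user objects.
# Assumptions (placeholders): the AD LDS instance listens on ldshost.example.local:389
# and user objects live under OU=Users,DC=example,DC=local in the application partition.
# Requires the ActiveDirectory module and Active Directory Web Services on the AD LDS host.
Import-Module ActiveDirectory

$Server     = 'ldshost.example.local:389'      # assumed AD LDS host:port
$SearchBase = 'OU=Users,DC=example,DC=local'   # assumed container holding the imported users

# Select only accounts that are still disabled; TRUE is the LDAP boolean literal.
$disabled = Get-ADObject -Server $Server -SearchBase $SearchBase `
    -LDAPFilter '(&(objectClass=user)(msDS-UserAccountDisabled=TRUE))' `
    -Properties 'msDS-UserAccountDisabled'

Write-Host ("Accounts currently disabled: {0}" -f @($disabled).Count)

$changed = 0
foreach ($u in $disabled) {
    # -WhatIf makes this a dry run; remove it once the selection looks right.
    Set-ADObject -Server $Server -Identity $u.DistinguishedName `
        -Replace @{ 'msDS-UserAccountDisabled' = $false } -WhatIf
    $changed++
}

Write-Host ("Accounts processed: {0}" -f $changed)
```

Run it first with -WhatIf in place to confirm the filter picks up the 9000+ imported accounts and nothing else; then drop -WhatIf. If ADWS is not available on the AD LDS server, the same change can be applied with an LDIF file and ldifde against the instance.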

CANT DEMOTE A DC


Hi

After restoring a virtual DC from software that was 'Active Directory unaware', the DC is in USN rollback.

I have tried to demote the DC both gracefully and forced, and keep getting 'Access Denied' error messages.

I'd like to know if anyone has any idea why I can't demote it!

The last resort would be to shut it down, leave it off, then clean up the metadata on our remaining DC. I would rather demote the DC properly.

Any ideas, guys?

Thanks

Migrate existing Domain OU into its own Child Domain



Hi there, I have a customer whose branch is a single OU inside a large international forest/domain configuration.

Due to Exchange/SharePoint/GPO reasons they wish to break away into their own child domain, so still inside the main company forest, but as a child domain.

Question:

Is there a preferred route or a 'best practice' method of achieving the above in terms of the user/computer/object migration?

Do you foresee any significant roadblocks that I could be missing?

Any help would be greatly appreciated.

Many thanks

Jon


Private cloud


We are designing a private cloud for a customer. (This is not the O365 cloud.) It will be a hosted private cloud and will have multiple tenants because of a business requirement.

1. What options are available to extend the existing AD into the private cloud? One option we can see is to deploy an additional DC in the cloud. Or can we use DirSync for this? Is DirSync+ADFS supported for this kind of scenario?

2. How do we create federation between these multiple tenants?

Please share a link which specifically answers these scenarios.

Windows 2008 R2 GPO for wireless access restriction to Windows 8/8.1


Dear All

We have Windows 2008 R2 as the domain controller with Windows 7/8/8.1 clients. We want to restrict wireless access by SSID and allow only the company wireless.

Are there any templates or GPOs available?

Sunil



SUNIL PATEL SYSTEM ADMINISTRATOR

active directory account lockout issue


I have 1 main AD server on Windows 2003 R2, from which all users are authenticated, and a second ADC, i.e. a backup ADC, which is on Windows 2003 R2. We have a 3rd ADC on Windows 2008 R2, which was created for Exchange 2010 on Windows 2008 R2.

Users are getting account lockout issues randomly.

Can anyone help with this?

PES 3.1 download

The PES 3.1 download link seems to be broken. Is there any other way to download it or perform the same function?

http://www.microsoft.com/en-us/download/details.aspx?id=1838

Splitting AD - Basic questions


Hi,

I'm involved in a project where we intend to split an existing AD forest (due to a divestiture). Let's say there is a forest called Mycompany.com with one domain called mycompany.local. The goal is to split the Active Directory into 2 separate entities, with both environments having a copy of the domain after being separated.

The execution idea (from what I understand) is that the existing forest will be "copied", a new forest created from the clone, and a cleanup performed on both forests, with the new domain's DC seizing the FSMO roles (I know this is not the supported method from MS, but this is the approach we are going with nonetheless). Also, the two domains will be forever isolated so that they can never talk to each other, the aim being that the two domains can co-exist without knowing about each other.

Now, in the above scenario I have some very basic questions I was hoping someone can help answer (I'm an AD novice when it comes to this type of stuff!).

1) To create a new domain, would it be advisable to clone an existing DC in mycompany.com and use that clone to set up a new domain (mycompany.pri) in a new environment, or to install a new DC in the current domain, let it replicate and get all the data, take that offline, and instantiate a new environment using this DC?

2) Why does the new DC need to seize the roles from the original one? Wouldn't that mean the original DC no longer has any FSMO roles, causing the original AD environment to break?

Apologies if the above questions are stupid; I'm trying to wrap my head around this stuff for the first time :)



Message unauthenticated network in the stations

Hello friends, I have a customer who replaced his core network switch with another model, an Allied x900-24xs. After this change some workstations are experiencing an authentication problem on the network. The problem happens randomly, with workstations that are in the same VLAN and/or in different VLANs. The problem goes away when the support technician removes the workstations from the domain, but a few days later it happens again. The problem is definitively solved only when a fixed IP is put on the workstations, but that is not correct because there are many of them and we want to continue using Windows Server 2012 DHCP. The client has two DCs, one Windows Server 2008 and the other Windows Server 2012, the FSMO holder.

Has anyone ever had this problem? How did you solve it?

Attached I am sending a picture of exactly what happens, noting that the problem is solved only when we put a fixed IP on the workstations.

Thank you!

Ivanildo Teixeira Galvão

Offline remote site setup/configuration


I need to create a remote site that will be physically located across the country. It will consist of a W2k8R2 domain controller, a W2kR2 file/backup server, and several Win7 Enterprise clients. The remote site will simply be an extension of the existing single forest/domain (same domain, different AD site). Now, assume that I have no network access to the existing system yet. Is it possible to completely set up the remote site on an "offline" network and, when I get network connectivity, hook it up to the existing central site and have everything replicate properly? In other words, I would set up a local network at the remote site (with the remote site subnet), install/promote the new remote site domain controller using IFM from the existing domain controller, join the file server and clients to the domain (from the newly promoted, offline domain controller), have all the GPOs, etc. applied, and then later (within 45 days) connect it all back to the existing central site.

Would appreciate any insights, best practices, or other approaches.

Thanks.


ADFS 3 (Server 2012 R2) and Chrome


Hello,

I just recently installed ADFS v3 on a new Server 2012 R2 instance.  I have two ADFS servers in a farm, with 2 ADFS proxy servers, each using Windows Server Network Load Balancer.

Currently, we are federating to Office 365 and everything seems to be working great for our Internet Explorer users; however, people that use Chrome seem to be having multiple issues logging in. We are seeing the following symptoms with Chrome:

1. Internally, Chrome users are not automatically logged in. I have tried executing the following command on the ADFS farm, but the issue still persists: Set-ADFSProperties -ExtendedProtectionTokenCheck "None"

2. Users using Chrome cannot sign in at all, both through the proxy and against the internal ADFS server directly. When entering mydomain\myusername or myusername@mydomain.com and my password and hitting Sign In, the page simply "refreshes" and does nothing. I don't see any errors or warnings in Event Viewer on either the proxy or the internal ADFS farm, so I'm not quite sure what is happening.

I have tried running the Office 365 Single Sign-On Test from https://testconnectivity.microsoft.com/ and everything comes back successful, so I think this is a direct issue between ADFS 3 and Chrome.

Any ideas?

Thanks in advance!


Rename windows 2008 r2 AD administrator account


Hi Support Team,

As per the auditors' recommendations, we need to rename the Windows 2008 R2 domain administrator accounts.

Our ADC, Exchange Server 2010 and backup service account use the same account, and it was also used during installation; it has a trusted domain relationship with another domain. So kindly advise me of the Microsoft-recommended steps for renaming the default domain Administrator account name without causing service downtime.

Regards,

Manoj T. Raveendran

Systems Engineer

United SULB Company

Jubail

Mob# 00966 502203505

2008 R2 DC has two names in AD


Background: A server named NAxx010 in a child domain was promoted to a DC.

It was then shipped to a site to replace the old DC there. The old DC was named NAxx001.

NAxx001 was demoted to a member server and removed from the domain.

NAxx010 was then renamed NAxx001 and rebooted as required.

Problem: NAxx001 sees itself as NAxx001 (which is correct). All the DCs in the rest of the domain (over 500 DCs) see it as NAxx010.

SYSVOL Replication issues


Mixed domain: nearly all DCs are Windows 2008 R2, with 7 remaining Windows 2003 DCs.

We still have to use NTFRS to replicate SYSVOL until we get rid of all the 2k3 DCs.

The problem is that SYSVOL is not being replicated by the hub DCs in North America.

Sometimes a restart of the FRS service does the trick, but I am wondering if this issue is caused by a Windows patch, by the fact that we have over 5 GB of policies (thousands of GPOs) and have reached the limit of NTFRS, or by something else affecting these 2008 R2 DCs.

AD sees the change and updates it in GPMC, but the SYSVOL version doesn't update.

Strange Behavior with gMSA in Server 2012 R2


Greetings,

I have been doing some testing with gMSA Accounts in a Server 2012 R2 environment (two separate environments, actually), and I have noticed something very strange that occurred in both environments, which does not appear to be occurring in one of our customer's self-managed environments.

We created a Group Managed Service Account using the following article: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Everything went smoothly, and the account installs/tests successfully on both of the hosts that we are testing on. I am able to set my services to run under the account, and most of them appear to work fine. I am having some issues with a few of my services, and I believe that the strange behavior I am seeing may have something to do with this, described below:

As soon as I set the service's Log On account (via the Log On tab under the service's Properties), the entire "Log On" tab becomes greyed out, and I am unable to change the Log On account back via the GUI (screenshot attached).

I found that I am able to successfully change the account via the command line using sc.exe, but the Log On tab remains greyed out! So far, I have found nothing to remedy this, but I have confirmed that it happens for any service I set to use the gMSA as the Log On account, and that it happens in 2 separate test environments, but not in a customer's production environment. Very strange.

All servers in this environment are running Server 2012 R2, and domain Functional Level is currently Server 2012.

I have been unable to find any information online about this behavior, so I am hoping someone has seen this before, and can explain why this is happening.

Nick

