Channel: Directory Services forum

DynamicSiteName not all updating


Site 1: Datacenter. Primary DC servers.
Site 2 (Office): 2 RODCs, one acting as DNS and DHCP.
Site 3: 2 RODCs acting as DNS and DHCP for that site.

The three sites are on different subnets. All servers are Windows 2K12 R2. Firewall rules and ports are in place where there is communication between the DCs and RODCs. Replication is happening without issue. Sites have been configured for each of the respective DCs and RODCs to their subnet.

So here's the issue: when users are connected from Site 2 or Site 3, it changes the DynamicSiteName to that specific site, so I know my Sites and Services are configured properly. The problem is that when they log on to the VPN, the DynamicSiteName registry value changes to Site 1, and when they disconnect from the VPN, the DynamicSiteName registry value does not change back to whatever site they are currently getting an IP from. Therefore, when they lock or log on to their workstations it takes a really long time because it's trying to look for a DC to authenticate against. It eventually logs on with cached credentials because it could not authenticate to the RODC for that site.

To further add to the issue, I know that this is only happening to half of my population of workstations. I suspect that when our workstations were originally joined to the domain they were joined over the VPN. Not sure if this caused some hardcoding of the DynamicSiteName registry entry. I could not repeat this issue if I joined the workstations from an IP on the site.
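As an added worked example for this post (not code from the thread or from Microsoft): the PowerShell below reads the two Netlogon registry values involved and compares them with the site that AD's own subnet objects would assign to each of the machine's IPv4 addresses, using the same longest-prefix rule the DC locator applies. It assumes the ActiveDirectory RSAT module is installed and that it is run as administrator on a domain-joined workstation; the subnet and site names in the offline demo at the end are placeholders.

```powershell
# Added example, not from the thread. Netlogon keeps two site values under its Parameters
# key: DynamicSiteName (the last site the DC locator discovered) and SiteName (a static
# override that wins whenever it is present and stops the dynamic value from ever updating).

function Get-SiteForIPv4 {
    # Longest-prefix match of one IPv4 address against AD subnet objects; this is the
    # rule the DC locator applies when it works out which site a client belongs to.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][object[]]$Subnets   # objects with .Name (CIDR) and .Site (DN)
    )
    $b = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes(); [array]::Reverse($b)
    $ipBits = [BitConverter]::ToUInt32($b, 0)
    $best = $null
    foreach ($s in $Subnets) {
        # IPv4 subnets only in this example; IPv6 subnet objects are skipped.
        if ($s.Name -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') { continue }
        $n = [System.Net.IPAddress]::Parse($Matches[1]).GetAddressBytes(); [array]::Reverse($n)
        $netBits = [BitConverter]::ToUInt32($n, 0)
        $len     = [int]$Matches[2]
        # Mask with the top $len bits set, built with positive arithmetic only so no
        # signed-integer wraparound creeps in.
        $mask    = [uint32]([uint32]::MaxValue - ([uint32]::MaxValue -shr $len))
        if ((($ipBits -band $mask) -eq ($netBits -band $mask)) -and
            ($null -eq $best -or $len -gt $best.PrefixLength)) {
            $best = [pscustomobject]@{
                Subnet       = $s.Name
                Site         = ($s.Site -replace '^CN=([^,]+),.*$', '$1')
                PrefixLength = $len
            }
        }
    }
    return $best
}

function Test-NetlogonSite {
    # Compares the two Netlogon registry values with the site AD's subnet objects give
    # for every IPv4 address the machine has (LAN adapter and VPN adapter alike).
    $reg     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $subnets = Get-ADReplicationSubnet -Filter *
    foreach ($a in (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' })) {
        $match = Get-SiteForIPv4 -IPAddress $a.IPAddress -Subnets $subnets
        $siteFromSubnet = if ($match) { $match.Site } else { '(no subnet object)' }
        [pscustomobject]@{
            Interface       = $a.InterfaceAlias
            IPAddress       = $a.IPAddress
            SiteFromSubnet  = $siteFromSubnet
            DynamicSiteName = $reg.DynamicSiteName
            StaticSiteName  = $reg.SiteName          # non-empty means the site is hard-coded
            Agrees          = [bool]($match -and $match.Site -eq $reg.DynamicSiteName)
        }
    }
}

# Constructed subnet objects (placeholders, not real data) to exercise the matcher
# without a domain: a /16 nested inside a /8, as a branch subnet usually is.
$demoSubnets = @(
    [pscustomobject]@{ Name = '10.0.0.0/8';   Site = 'CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com' }
    [pscustomobject]@{ Name = '10.20.0.0/16'; Site = 'CN=Site2,CN=Sites,CN=Configuration,DC=example,DC=com' }
)
Get-SiteForIPv4 -IPAddress '10.20.5.7' -Subnets $demoSubnets
```

In the demo the /16 wins over the /8, so 10.20.5.7 resolves to Site2. On an affected workstation, run Test-NetlogonSite with the VPN up and again after disconnecting. If StaticSiteName is populated, Netlogon will report that site regardless of address until the value is deleted and the Netlogon service restarted; a domain join by itself does not write it, so an image or script did. If it is empty and DynamicSiteName still lags behind SiteFromSubnet after the VPN drops, the locator has simply not re-run; nltest /dsgetdc:<domain> /force makes it re-evaluate immediately.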


App V 5.0 on 2008


The question is simply

Can I sequence MSIs using App-V 5.0 and then push the applications to 2008 servers (non-R2) using SCCM 2012?


ADFS 3.0 Relay State Issue


We have recently upgraded to ADFS 3.0 on Server 2012 R2. Since one of our service providers uses the RelayState parameter, I have enabled it using the instructions I found here: http://social.msdn.microsoft.com/Forums/en-US/25239ff7-a33d-4f3e-a7a8-5a3c47d733f7/relaystate-support-in-adfs-30?forum=Geneva

I am running into an issue, however, where clicking any link involving a RelayState from this SP results in an error (below). The string the server is directing me to is: https://sso.domain.name/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=jobvite.com&RelayState=/l/default.aspx?xxxxxxxxx&target=/l/default.aspx?xxxxxxxxx&loginToRp=http://jobvite.com/saml

On ADFS 2.0 I had to create a rewrite rule to deal with this being slightly malformed. Since ADFS 3.0 doesn't use IIS, I'm not sure how to accomplish that here. Any help would be appreciated. 

-Matt

 

******************

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 

Relying Party: 

Exception details: 
Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Handlers.IdpInitiatedSignOnPageHandler.parseRelayStateParameters(WrappedHttpListenerRequest httpRequest, String& rpIdentity, String& nextRelayState)
   at Microsoft.IdentityServer.Web.Handlers.IdpInitiatedSignOnPageHandler.parseQueryParams(WrappedHttpListenerRequest httpRequest, IdpInitiatedSignOnRequestType& requestType, String& rpIdentity, String& nextRelayState, SignOnRequestParameters& signOnParameters)
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
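Added example for the RelayState post above (not from the thread or from Microsoft, and not something ADFS can apply itself): the parse failure in the stack trace comes from the bare ? and & inside the SP's RelayState, which the query-string parser reads as new parameters, so loginToRp appears twice and target becomes a parameter of its own. ADFS on 2012 R2 expects an IdP-initiated link of the form idpinitiatedsignon.aspx?RelayState=<url-encoded "RPID=<url-encoded RP id>&RelayState=<url-encoded target>">. The PowerShell below builds that form and parses the original link the same naive way to show what breaks; the host and RP identifier are the post's own values, and xxxxxxxxx is the post's redaction, kept as-is.

```powershell
# Added example, not from the thread. Builds a correctly double-encoded ADFS
# IdP-initiated sign-on link and shows why the unencoded one from the post falls apart.

function New-AdfsIdpInitiatedSignOnUrl {
    param(
        [Parameter(Mandatory)][string]$AdfsHost,
        [Parameter(Mandatory)][string]$RpIdentifier,   # the RP identifier registered in ADFS
        [Parameter(Mandatory)][string]$RelayState      # the SP-side target; may contain ? and &
    )
    # Encode each inner value, then encode the assembled inner string once more so the
    # '?' and '&' inside the SP target never reach the ADFS query-string parser bare.
    $inner = 'RPID={0}&RelayState={1}' -f [uri]::EscapeDataString($RpIdentifier),
                                         [uri]::EscapeDataString($RelayState)
    return 'https://{0}/adfs/ls/idpinitiatedsignon.aspx?RelayState={1}' -f $AdfsHost,
                                         [uri]::EscapeDataString($inner)
}

function ConvertFrom-QueryString {
    # Deliberately naive query-string parser (split on the first '?', then '&' and '='),
    # which is enough to reproduce how an unencoded RelayState fragments the request.
    param([Parameter(Mandatory)][string]$Url)
    $query = ($Url -split '\?', 2)[1]
    $pairs = [ordered]@{}
    foreach ($p in ($query -split '&')) {
        if (-not $p) { continue }
        $k, $v = $p -split '=', 2
        $v = if ($null -eq $v) { '' } else { [uri]::UnescapeDataString($v) }
        # A repeated key is kept as an array so duplicates stay visible.
        if ($pairs.Contains($k)) { $pairs[$k] = @($pairs[$k]) + $v } else { $pairs[$k] = $v }
    }
    return $pairs
}

# The link from the post, as the SP currently emits it.
$bad  = 'https://sso.domain.name/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=jobvite.com&RelayState=/l/default.aspx?xxxxxxxxx&target=/l/default.aspx?xxxxxxxxx&loginToRp=http://jobvite.com/saml'
# The same intent in the form ADFS can parse (RP identifier and target taken from the post).
$good = New-AdfsIdpInitiatedSignOnUrl -AdfsHost 'sso.domain.name' `
            -RpIdentifier 'http://jobvite.com/saml' `
            -RelayState   '/l/default.aspx?xxxxxxxxx&target=/l/default.aspx?xxxxxxxxx'

ConvertFrom-QueryString $bad                              # fragmented: duplicate loginToRp, stray target
$outer = ConvertFrom-QueryString $good                    # one RelayState parameter
ConvertFrom-QueryString ('?' + $outer['RelayState'])      # inner RPID and the whole target, intact
```

Because ADFS on 2012 R2 serves its endpoints from HTTP.SYS without IIS, there is no URL-rewrite stage in front of it; the encoded form has to be produced by whoever generates the link, which here is the service provider.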


Add AD DS Role to Server 2012R2 fails 0x800f0831


Windows Server 2012 R2 on ESXi 5.5 10GB RAM 200GB HD

Add Role AD DS fails

Using Server Manager to install AD DS fails with error 0x800f0831. As a test I added the DHCP role, which worked fine, and removed it again, also fine.

Have tried reboots etc. All fully patched apart from the Nov 2014 rollup package. No other roles or software running. The machine is on an existing domain with no errors.


I have also installed .NET Framework 3.5, as I suspected the error may be indicating that was needed. It installed fine, but no change: adding the AD DS role still fails exactly the same way (at about 75% of the blue bar).

Group Policy


I am setting up to redirect the Documents folder in Group Policy. I would like to do this at the top of the student OU, not at the individual grade level. This is my path for the individual grade level: domain\home\GradeX\%username%\Documents. Is there a way to put a %something% instead of the grade level that would include all grade levels? I am new at doing GPOs and I don't want to push that "red" button and make a huge mistake. Thanks

No SYSVOL & NETLOGON on a DC (FRS is broken)


Need some help on the subject.

On one of the DCs, FRS is not working...

Have tried D4/D2 (Auth/non-auth) restore to no avail.

NtFrs logs amongst others: 

- ERROR - Invalid Partner: AuthClient:domain name\dcname$

- DS: ERROR - Can't free system member DCname:  Ldap Status: Insufficient Rights

- DS: Marking connection inconsistent

I can also see that there is no GUID in the Cumulative Replica Sets/Replica Sets in the registry of the affected DC...

I have tried to recreate the missing objects (CN=NTFRS Subscriptions etc.) using ADSIEdit, but getting the GUID back in the registry is the issue.

D2 is not working because no GUID set for Cumulative Replica Sets/Replica Sets.

Any help/advice on resolving this would be appreciated.

NOTE:

DC is Windows 2012 R2; SYSVOL still uses FRS. When this is resolved and there are no issues with all DCs, FRS will be migrated to DFSR...

Please help.

Thanks.


NameServer Record Query


Hi Team,

I have gone through some docs and they specify that a name server record will specify the name server for the particular domain.

Can anyone tell me the exact function of this record in DNS and when it is used?

Does DNS round robin find the name servers in the Name Servers tab for resolution?

Thanks in Advance..

Regards

Sajin P S 

How to find out what computers user logged on? (not at the moment but history)


Domain controller: Windows 2012 R2. Unfortunately, I don't manage the DC, only my own OU (computers and users).

I have a user working the midnight shift reporting that he received the error message "The Group Policy Client service failed the logon. Access denied". He is using multiple PCs and he did not remember which PC gave him the error message. How do I find out which computers he logged on to? I have access to my domain OU. I can manage my own Computers and Users objects in my domain (no domain controller in my department).

I searched the internet but most of what I found is about finding out which computer a user is currently logged on to, not the history. Thanks.



Thang Mo


Need to find out which application is making an frequent account lockout in AD


Hi ,

In my environment two of the user accounts are having frequent account lockouts.

We have found that the account lockouts were happening from their own machines, with the help of the event logs on the domain controllers.

Please tell us how we find which application on their machines is causing the frequent account lockouts with the help of the event logs, or whether we have some other options.

All of your suggestions are much appreciated.


Thanks & Regards S.Nithyanandham
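Added example serving both this post and the previous one (which computers a user has logged on to); it is not from either thread. The Security log answers both questions: 4624 on a workstation records each successful logon with the account name and logon type, 4740 on the DC that locked the account names the computer the bad password came from (the "Caller Computer Name" field, which is the TargetDomainName data item in that event), and 4625 on that computer names the process that presented the bad password. It assumes you can read the remote Security log on the PCs (local administrator), that logon failure auditing is enabled on them so 4625 is written, and that the event XML samples below, which are constructed rather than captured, stand in for what Get-WinEvent would return.

```powershell
# Added example, not from either thread. Parses Security events by the names of their
# data items instead of by position, then answers the two questions from the posts.

function ConvertFrom-SecurityEventXml {
    # Flattens the <EventData> of a Security event into a name->value table so the code
    # below never depends on positional Properties[] indexes, which differ per event ID.
    param([Parameter(Mandatory)][string]$Xml)
    $x   = [xml]$Xml
    $sys = $x.Event.System
    $id  = $sys.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
    $d = [ordered]@{
        EventId  = [int]$id
        Time     = [datetime]$sys.TimeCreated.SystemTime
        Computer = $sys.Computer
    }
    foreach ($n in @($x.Event.EventData.Data)) { if ($n) { $d[$n.GetAttribute('Name')] = $n.'#text' } }
    return $d
}

function Get-LogonHistoryFromEvents {
    # 4624 = successful logon. Keeps interactive (2), unlock (7) and remote interactive (10)
    # logons for one user: the 'which PCs did he log on to' answer, one row per event.
    param([Parameter(Mandatory)][string[]]$EventXml, [Parameter(Mandatory)][string]$User)
    foreach ($e in ($EventXml | ForEach-Object { ConvertFrom-SecurityEventXml $_ })) {
        if ($e.EventId -ne 4624 -or $e.TargetUserName -ne $User) { continue }
        if ($e.LogonType -notin '2', '7', '10') { continue }
        [pscustomobject]@{ Time = $e.Time; Computer = $e.Computer; LogonType = $e.LogonType; From = $e.WorkstationName }
    }
}

function Get-LockoutSourceFromEvents {
    # 4740 (from a DC) points at the caller computer; 4625 (from that computer) names the
    # process. Feed it both logs and read the rows in time order.
    param([Parameter(Mandatory)][string[]]$EventXml, [Parameter(Mandatory)][string]$User)
    foreach ($e in ($EventXml | ForEach-Object { ConvertFrom-SecurityEventXml $_ })) {
        if ($e.TargetUserName -ne $User) { continue }
        switch ($e.EventId) {
            4740 { [pscustomobject]@{ Time = $e.Time; Source = 'DC 4740';          Computer = $e.TargetDomainName; Process = $null;          Detail = 'account locked; caller computer' } }
            4625 { [pscustomobject]@{ Time = $e.Time; Source = 'Workstation 4625'; Computer = $e.Computer;         Process = $e.ProcessName; Detail = "logon type $($e.LogonType), substatus $($e.SubStatus)" } }
        }
    }
}

# Constructed sample events (not captured from any real system): one logon, one failed
# logon with 0xC000006A (bad password) from a background tool, and the resulting lockout.
$samples = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2014-11-30T23:58:01Z"/><Computer>PC-07.example.com</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">2</Data><Data Name="WorkstationName">PC-07</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="2014-12-01T00:10:40Z"/><Computer>PC-07.example.com</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">2</Data><Data Name="SubStatus">0xc000006a</Data><Data Name="ProcessName">C:\Program Files\SomeSyncTool\sync.exe</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4740</EventID><TimeCreated SystemTime="2014-12-01T00:10:44Z"/><Computer>DC01.example.com</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">PC-07</Data></EventData></Event>'
)
Get-LogonHistoryFromEvents  -EventXml $samples -User 'jdoe'
Get-LockoutSourceFromEvents -EventXml $samples -User 'jdoe'
```

Against live machines, collect the XML with Get-WinEvent, for example Get-WinEvent -ComputerName PC-07 -FilterHashtable @{LogName='Security'; Id=4624,4625} | ForEach-Object { $_.ToXml() }, looping over the computers in your OU from Get-ADComputer -SearchBase. Without rights on the DC, the 4624 pass over each of the user's PCs is the history the first post asks for; the ProcessName in 4625 is what the second post needs, and it is only recorded when failure auditing is on at the workstation, so enable that before the next lockout rather than after.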

DNS Scavenging -


I walked into the following at my current company.

Single forest, parent and three child domains. My predecessor had set up scavenging in the parent domain and it is working as expected. Scavenging is set up on the server and the parent zone, and records are set up to be scavenged. Event ID 2501 was occurring every Sunday at 2 PM (7-day scavenging period on the server, 7-day no-refresh and 7-day refresh on the zones).

I wanted to start scavenging on Child Domain 1. The zones are Active Directory integrated. I set the zone to be scavenged, but I did not set the DNS server in Child Domain 1 for scavenging, because the parent domain DNS servers are set to scavenge, right?

I did not get a 2501 event ID this past Sunday; I set the Child Domain 1 zone 2 weeks ago. On the Child Domain 1 zone, the records show that they are available to be scavenged on December 2, 2014 @ 10 PM.

I expected scavenging cycle to still occur on Sundays.  I have done scavenging in many places and really never noticed that the scavenging cycle changed dates.  Maybe, I just need to wait until tonight to see what happens.
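Added example for the scavenging post above, not from the thread. The check it performs is the one to run before waiting another week: a DNS server only scavenges zones it hosts itself, and only when scavenging is switched on at the server level on that server; the zone-level aging settings alone never start a cycle, and if the zone's ScavengeServers list is set, only the servers on it are allowed to scavenge that zone. It assumes the DnsServer PowerShell module (RSAT DNS tools, Server 2012 or later) and admin rights on the child-domain DNS servers; the zone and server names in the usage line are placeholders.

```powershell
# Added example, not from the thread. Reports whether a given server would actually
# scavenge a zone, and counts the dynamic records already past the aging window, so
# the effect can be checked before the first real cycle deletes anything.

function Get-ScavengingReadiness {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$DnsServer
    )
    foreach ($srv in $DnsServer) {
        $server = Get-DnsServerScavenging -ComputerName $srv
        $zone   = Get-DnsServerZoneAging  -ComputerName $srv -Name $ZoneName
        # A record is eligible once its timestamp is older than no-refresh + refresh.
        # Records with no timestamp are static and are never scavenged.
        $cutoff = (Get-Date) - $zone.NoRefreshInterval - $zone.RefreshInterval
        $stale  = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -RRType A |
                  Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff }
        [pscustomobject]@{
            Server             = $srv
            ServerScavenging   = $server.ScavengingState      # must be True on THIS server
            ScavengingInterval = $server.ScavengingInterval
            LastScavengeTime   = $server.LastScavengeTime
            ZoneAgingEnabled   = $zone.AgingEnabled
            AvailForScavenge   = $zone.AvailForScavengeTime
            ScavengeServers    = $zone.ScavengeServers        # if set, only these servers may scavenge the zone
            WouldScavengeZone  = [bool]($server.ScavengingState -and $zone.AgingEnabled)
            StaleARecords      = @($stale).Count
        }
    }
}

function Enable-ZoneScavengingOnServer {
    # Turns on server-level scavenging and zone aging together, with matching intervals.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$DnsServer,
        [timespan]$Interval = '7.00:00:00'
    )
    Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true -ScavengingInterval $Interval
    Set-DnsServerZoneAging  -ComputerName $DnsServer -Name $ZoneName -Aging $true `
                            -NoRefreshInterval $Interval -RefreshInterval $Interval
}

# Placeholder names; substitute the child zone and a DNS server that hosts it.
Get-ScavengingReadiness -ZoneName 'child1.corp.example' -DnsServer 'dns1.child1.corp.example'
```

A WouldScavengeZone of False with ZoneAgingEnabled True is exactly the situation in the post: the zone is aging but no server that hosts it is scavenging. Run Enable-ZoneScavengingOnServer on one child-domain DNS server only; the scavenging interval then starts counting from that moment, which is why the cycle day moves.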

Unable to connect to the NETLOGON share in Windows 2008


Unable to connect to the NETLOGON share! (\\DC02\netlogon)
    [DC02] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
    ......................... DC02 failed test NetLogons

Note: I have two DCs in the org, DC01 and DC02. Both DCs are having the issue; I mean the NETLOGON share went missing on both DCs suddenly.

any help would be appreciated 


Pradip Sisodiya

Web application authenticate to trusted domain via local DC's


Hello

I have a web application on which I need to authenticate users from a trusted domain. However, the problem is that the web servers cannot route to the trusted domain controllers. My domain controllers can route to the trusted DCs and talk to them, etc. I was wondering whether in the code I can just point the LDAP connection string for the foreign domain at my DCs and they will pass along the connection requests and handle the response back.

I am thinking it will not... but I am praying for miracles here! If not, any other ideas how to authenticate these users from the foreign domain if we cannot route from the web servers to their DCs? (There is a subnet overlap between the organizations.)

Thanks for your help.

Phil

Domain Controller not replicating


Hi Guys,

I have a VM that's a DC but it runs a demo Server 2012... I would like to create another DC and license it properly, but I have tried creating another VM and it doesn't replicate. As soon as I shut down my original DC, the Active Directory on the new one goes blank and I get errors. I also tried promoting my host server to a DC and I get the same problem. The SYSVOL share doesn't replicate. My DNS settings on each server point to each other, as I have read on various forums. Not sure what's really going on; is it because my DC is a demo Windows? Please assist me with this problem, thanks.

Regards,

Jevon.

AD Site renamed and DFS error (dfsdiag) regarding wrong static site association


Community

I am running DFS-N and have been facing a few issues over the past few weeks: occasionally unable to access a DFS share, my home share mapping disappearing on the client, etc. Most of the time it works fine, but ideally I would like to get to the bottom of this.

So I ran "dfsdiag /testreferral /dfspath:\\root\homeshare /full" and it gave me the following error:

Success: The site associated with the following host name is consistent on all accessible domain controllers: DC-02
Validating the static site association by accessing the registry.
Error: The static site-association of the following host name is not consistent with the site-association in Active Directory Domain Services (AD DS): DC-02
Finished TestSites.

A while ago I renamed the AD Site where this particular DC is located. As this was done more or less at the same time as I did the DFS-N implementation, I don't know whether this site rename is the cause of my problems.

The error refers to the registry. Does anyone know where in the registry this information is stored, and whether this error could cause the issues I mentioned above?

Some help would be greatly appreciated.

Regards,

Thomas

Migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 and 2 other Domain External and Forest Trusts


Is there anything that needs to be done or considered when migrating from the 2003 domain/forest functional level to 2008 R2, with all DCs at 2008 R2 and with incoming and outgoing trusts to two other separate 2003 domains, one a forest trust and the other an external trust? Is there any chance or risk that doing this upgrade will break either one of these trust relationships? Some of the user accounts with SID history have been migrated from both trusted domains to our domain. Is there any chance that this upgrade will break access for users that are using SID history to reach folders and files in their old domains? If so, what can be done to protect these trusts and SID history prior to moving the domain to 2008 R2?

non-authoritative restore vs new server


Hi all.

Why do we do a non-authoritative restore? It's much easier to promote a new server and let it replicate.

How to import LDIF into AD LDS (data is from Oracle DSEE 7 (Oracle Directory Server Enterprise Edition) .ldif)


Hi Community, 

OS: Windows Server 2008 R2 (do let me know if I have posted in the wrong area)

My experience is lacking in AD LDS , guidance will be greatly appreciated. 

Has anyone imported successfully from this format?

Import .ldif file from (DSEE) to AD LDS along with user define schema 

If we are doing this on DSEE, the command to run is simply:

dsadm import instance-path LDIF-file dc=example,dc=com

I understand that under AD LDS the import is via

ldifde -i -f filelocation.ldf -s localhost:389 -k -j . -c "cn=dc=example,dc=com" #schemaNamingContext

I have also created an application directory partition dc=example,dc=com in AD LDS.
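Added example for the AD LDS import post above, not from the thread. A DSEE export does not load into AD LDS as-is: it carries operational attributes AD LDS rejects, its userPassword values are {SSHA} hashes that AD LDS cannot accept, and any custom schema is in DSEE's attributeTypes/objectClasses syntax rather than the attributeSchema/classSchema objects AD LDS wants, so the data records have to be rewritten before ldifde sees them. The PowerShell below does that rewrite. It assumes a plain LDIF export with dn: records separated by blank lines, that the application partition dc=example,dc=com from the post already exists, and that the attribute list to drop is a starting point to extend from your own export; the file names are placeholders.

```powershell
# Added example, not from the thread. Rewrites a DSEE LDIF export into a form ldifde
# will import into an AD LDS application partition.

function Convert-DseeLdifForAdLds {
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath,
        [string]$FromSuffix = 'dc=example,dc=com',   # suffix used in the DSEE export
        [string]$ToSuffix   = 'dc=example,dc=com',   # AD LDS application partition
        [string[]]$DropAttributes = @(
            'creatorsName', 'modifiersName', 'createTimestamp', 'modifyTimestamp',  # operational
            'nsUniqueId', 'numSubordinates', 'entryid',                            # DSEE-specific
            'userPassword'   # {SSHA} hashes; AD LDS cannot take them, so passwords get reset
        )
    )
    # Pass 1: unfold continuation lines (leading space), drop comments and the
    # 'version:' header, and cut the stream into records on blank lines.
    $records = New-Object System.Collections.ArrayList
    $current = New-Object System.Collections.ArrayList
    foreach ($raw in Get-Content -LiteralPath $InputPath) {
        if ($raw -match '^\s*$') {
            if ($current.Count) { [void]$records.Add($current); $current = New-Object System.Collections.ArrayList }
            continue
        }
        if ($raw.StartsWith('#') -or $raw -match '^version:') { continue }
        if ($raw.StartsWith(' ') -and $current.Count) { $current[$current.Count - 1] += $raw.Substring(1); continue }
        [void]$current.Add($raw)
    }
    if ($current.Count) { [void]$records.Add($current) }

    # Pass 2: drop rejected attributes, rewrite the naming suffix on every DN-valued line,
    # and give each record the explicit 'changetype: add' that ldifde imports carry.
    $suffixRx = [regex]::Escape($FromSuffix) + '\s*$'
    $out = foreach ($rec in $records) {
        $kept = @(foreach ($line in $rec) {
            $name = ($line -split ':', 2)[0]
            if ($DropAttributes -contains $name) { continue }
            $line -ireplace $suffixRx, $ToSuffix
        })
        if (-not @($kept -match '^changetype:').Count) {
            $kept = @($kept[0], 'changetype: add') + @($kept | Select-Object -Skip 1)
        }
        ($kept -join "`r`n") + "`r`n"
    }
    # LDIF keeps non-ASCII values base64-encoded (the '::' form), so ASCII is safe here.
    Set-Content -LiteralPath $OutputPath -Value ($out -join "`r`n") -Encoding ASCII
    return $records.Count
}

# Placeholder file names.
Convert-DseeLdifForAdLds -InputPath 'C:\export\dsee-users.ldif' -OutputPath 'C:\export\adlds-users.ldf'
```

The converted data file then imports with ldifde -i -f C:\export\adlds-users.ldf -s localhost:389 -k -j . (note that -j takes a log directory; the bare -j in the post's command line leaves -c to be read as that path). Import schema before data, and only after converting it to AD LDS attributeSchema/classSchema entries; for that file the -c "<schema DN used in the file>" #schemaNamingContext mapping is the right tool, since ldifde substitutes the target's schema naming context for the #schemaNamingContext token. Objects whose objectClass does not exist in AD LDS (for example inetOrgPerson unless its optional LDF has been imported) fail individually and show up in the -j log, which is why the conversion keeps the records separate rather than stopping at the first error.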

Read Only Domain Controllers - Automatically inserting new objects to Allowed RODC Replication Group


Good Morning,

Here is my scenario. We have multiple sites all over the globe, and we have started implementing an RODC-heavy infrastructure at some of the branch sites. For every site there is a group we create, "SITE Allowed RODC Replication Password Policy". Within this group we manually add all the site objects that will be authenticating to the RODC and whose passwords we want cached. As you can see, many sites have multiple objects to add to this group. My question is: does anyone know an automated way to put all objects in the SITE A OU into the SITE A Allowed RODC Replication group? Also, we want to reduce administration overhead, so any new objects created should be put in the group automatically as well. The only thing I could think of is to add the Authenticated Users group to the Allowed RODC Password Replication Policy, but that kind of defeats the purpose of an RODC. Everyone's thoughts are appreciated.


Ricardo Romero - MCITP, MCSA, MCP
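Added example for the RODC post above, not from the thread. Rather than putting Authenticated Users on the allowed list, keep the per-site group and let a scheduled script populate it from the site's OU. The sync below is idempotent and two-way, so an object moved out of the site's OU also drops out of the allowed list, and it skips accounts flagged with adminCount, whose secrets should not be cached on a branch RODC regardless of where they sit. It assumes the ActiveDirectory module, an OU per site, one allowed group per site, and that the OU DN, group name and RODC name shown are placeholders.

```powershell
# Added example, not from the thread. Keeps a site's RODC allowed-list group equal to
# the set of enabled, non-admin users (optionally computers) in that site's OU.

function Sync-RodcAllowedGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SiteOu,      # DN of the site's OU
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'SITE A Allowed RODC Replication'
        [switch]$IncludeComputers
    )
    # Desired members: enabled users in the OU subtree minus protected (adminCount) accounts.
    $wanted = @(Get-ADUser -SearchBase $SiteOu -SearchScope Subtree -Filter { Enabled -eq $true } -Properties adminCount |
                Where-Object { -not $_.adminCount })
    if ($IncludeComputers) {
        $wanted += Get-ADComputer -SearchBase $SiteOu -SearchScope Subtree -Filter *
    }
    $current     = @(Get-ADGroupMember -Identity $GroupName)
    $wantedSids  = $wanted  | ForEach-Object { $_.SID.Value }
    $currentSids = $current | ForEach-Object { $_.SID.Value }

    # Diff on SIDs so renamed objects are not re-added, then apply only the delta.
    $toAdd    = @($wanted  | Where-Object { $_.SID.Value -notin $currentSids })
    $toRemove = @($current | Where-Object { $_.SID.Value -notin $wantedSids })
    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

    [pscustomobject]@{
        Group   = $GroupName
        Added   = $toAdd.Count
        Removed = $toRemove.Count
        Members = $wanted.Count
    }
}

# Placeholder names. Run with -WhatIf first to see the delta without changing anything.
Sync-RodcAllowedGroup -SiteOu 'OU=Site A,DC=example,DC=com' `
                      -GroupName 'SITE A Allowed RODC Replication' -IncludeComputers

# Binding the group to the RODC's allowed list is a one-time step; the sync above then
# controls who is actually cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-A1' -AllowedList 'SITE A Allowed RODC Replication'
```

Schedule the sync on a writable DC (every hour is plenty; a new user only needs to be on the list before the first logon at the branch) and the "new objects" part of the question is covered without anyone touching the group. Because membership is derived from OU placement, the OU is now the thing to protect: whoever can move objects into the site's OU can get their secrets cached on that RODC, so keep delegation on those OUs as tight as on the group itself.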

ADFS 3.0 Claims Rule


I'm looking for help building an authorization claims rule that will do the following:
1. Check the submitted logon ID to see if it is prefixed with any domain (<DOMAIN>\userid); if so, process the claim and allow access.
2. If not, or no <domain>\ is provided, then add WIDOM\<userid>, process the claim and allow access.

In other words, if a domain is specified use it; if not, add a default domain of WIDOM\ to the user ID and process.

I'm running ADFS 3.0 on Windows 2012 R2.

offline domain join error
