
FSMO role seize fails for Schema Master in Child Domain

Hi,

In Production we have a 1 root domain & 1 child domain (single forest).

We want to do some work on the child domain in an isolated test environment. We copied the child DC VM to our test environment, onto an isolated VLAN. Next we would like to rename the domain, and RENDOM fails since we didn't have all the FSMO roles available. We managed to seize all the FSMO roles except the Schema Master... we suspect it's due to the Forest Trust? NETDOM also fails to remove the Forest Trust with the Root domain.

Is there a way to remove the Forest Trusts and seize the Schema Role using something more drastic like ADSIEDIT? Or is there another way to do this? Alternatively, maybe someone can shed some light on why RENDOM fails?

Thank you,

SK


How to set up "Metadata URL exchange" for my ADFS server

Hi everyone,

Hope all of you are doing great here... and hope you can help me on this... this is new to me.

OK... long story, but briefly: I just set up an ADFS server in a subnet that has the following scenario:

- It needs to go through 2 layers of firewalls to get to the internet. One layer is used to isolate the subnet from other subnets, for advanced security purposes, while another layer is to secure the corporate network.

- It only allows outbound traffic while all inbounds are explicitly blocked.

- The firewall the subnet attached to does not have any public interfaces or NAT performed.

So now... for my ADFS server, I cannot set up a 3rd party certificate for it because of the NAT issue (there may be a way to set it up on the firewall but I am still doing some research on that). Therefore, someone told me that I can do "Metadata URL exchange". The following is his comment:

################

What they have been doing is for the Metadata URL exchange that needs to happen over the internet, they host that file on their DMZ facing web server instead of on their ADFS server.  That way they can keep the ADFS server still in the inside PD network and still be able to make the federation work.

################

So I would like to ask what to do to complete this task? I mean... what steps do I need to take to set up "Metadata URL exchange"?

Thank you for your help!

Takami Chiro
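Added example, not from the post and not Microsoft's code: a PowerShell check that downloads the federation metadata from the internal AD FS server and reports the certificates it advertises. The metadata document carries an XML signature, so a copy hosted on a DMZ web server is still verifiable by partners; what breaks is staleness, because the copy must be republished whenever the token-signing or encryption certificate rolls over. The host name is a placeholder; the `/FederationMetadata/2007-06/FederationMetadata.xml` path is the standard AD FS location.

```powershell
# Added example (not part of the original post). Host name is a placeholder.
$adfsHost    = 'adfs.internal.example.com'
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Download the metadata document; -UseBasicParsing avoids the Internet Explorer DOM dependency.
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# Namespaces used in federation metadata.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# The document is signed as a whole; partners verify this signature, not where the file is hosted.
$signed = $null -ne $metadata.SelectSingleNode('/*/ds:Signature', $ns)
"entityID : $($metadata.DocumentElement.GetAttribute('entityID'))"
"signed   : $signed"

# Every KeyDescriptor carries an X.509 certificate; report use and expiry so the
# DMZ-hosted copy can be republished before partners start rejecting tokens.
$metadata.SelectNodes('//md:KeyDescriptor', $ns) | ForEach-Object {
    $b64  = $_.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText.Trim()
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        [Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Use        = $_.GetAttribute('use')
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint = $cert.Thumbprint
    }
} | Sort-Object Thumbprint, Use -Unique | Format-Table -AutoSize

# To publish the exact bytes on the DMZ web server, save the download unchanged
# (path is a placeholder); any re-serialisation would invalidate the signature.
# Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -OutFile 'C:\inetpub\wwwroot\FederationMetadata\2007-06\FederationMetadata.xml'
```

Run it on a schedule and alert on a small DaysLeft value; with AutoCertificateRollover the signing certificate changes without anyone editing the DMZ copy, and partners that pull metadata by URL will then see keys that no longer match the tokens.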

Cannot back up keys to AD - BitLocker

I'm testing BitLocker on a Dell+TPM notebook and I've configured the GPO to force backup to AD (all-or-nothing mode: the backup has to be made or BitLocker has to fail)

The registry keys are (GPO applied):

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
   ActiveDirectoryBackup    REG_DWORD    0x1
   RequireActiveDirectoryBackup    REG_DWORD    0x1
   ActiveDirectoryInfoToStore    REG_DWORD    0x1

I've installed the BitLocker tool to view the key information (only the RSAT portion on the features install, only the tool, not BitLocker itself) and I can't see anything (RUNAS in DSA.MSC with domain\administrator).

After the GPO applied, BitLocker was successfully enabled, rebooted, etc. and I can see the keys with the manage-bde tool, but the computer account in AD has not changed its timestamp and there is no key in AD.

If i use:

manage-bde -protectors -adbackup c: -id {GUID}, I get the error:

[TRANSLATED/LOCALIZED]

ERROR: the group policy does not allow store the recovery information in Active Directory. The operation was not attempted

The registry keys show that AD backup of the keys is allowed, am I right?
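Added example, not from the post: a PowerShell check that reads every BitLocker AD DS backup policy value that can apply on the client, then compares with the protectors on the OS volume and with what AD actually holds. The assumption it rests on is that the `OS`, `FDV` and `RDV` prefixed values under the FVE policy key are the ones written by the per-drive-type "Choose how BitLocker-protected ... drives can be recovered" policies, while the unprefixed values the post quotes come from the older "Turn on BitLocker backup to AD DS" (Vista/2008) policy; the `msFVE-RecoveryInformation` class is the schema object BitLocker writes under the computer account.

```powershell
# Added example (not part of the original post). Run in an elevated PowerShell on the client.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    if (-not (Test-Path $fvePolicy)) { return $null }
    $item = Get-ItemProperty -Path $fvePolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent = policy not configured for this scope
    return $item.$Name
}

# Assumption: prefix '' = legacy Vista/2008 policy, 'OS'/'FDV'/'RDV' = per-drive-type policies.
$scopes = [ordered]@{ '' = 'Legacy (Vista/2008 policy)'; 'OS' = 'Operating system drives';
                      'FDV' = 'Fixed data drives';        'RDV' = 'Removable data drives' }

$scopes.GetEnumerator() | ForEach-Object {
    $p = $_.Key
    [pscustomobject]@{
        Scope                 = $_.Value
        ActiveDirectoryBackup = Get-FvePolicyValue "${p}ActiveDirectoryBackup"
        RequireADBackup       = Get-FvePolicyValue "${p}RequireActiveDirectoryBackup"
        InfoToStore           = Get-FvePolicyValue "${p}ActiveDirectoryInfoToStore"
    }
} | Format-Table -AutoSize

# Protectors on the OS volume; the recovery password ID is what manage-bde -adbackup -id needs.
manage-bde -protectors -get C:

# From a host with the RSAT AD module: recovery objects already stored under this computer
# account (one msFVE-RecoveryInformation child per escrowed recovery password).
Import-Module ActiveDirectory -ErrorAction Stop
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated |
    Select-Object Name, whenCreated
```

A row that shows the legacy scope configured but the OS scope empty tells you which policy the client is actually evaluating when manage-bde refuses the backup; the AD query at the end is the authoritative answer to "is there a key in AD", independent of what the BitLocker Recovery Password Viewer tab displays.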

ADFS 2.0 Cannot Synchronize in Farm

I just built two new ADFS 2.0 servers for a farm and I can't get the second one talking to the first.  The first one was configured to be in a new farm correctly and the second was configured to join that farm.

During the Configuration Results, I get:

An error occurred during an attempt to perform the configuration task:  MSIS7711: PolicyOperationFault. 

In the debug logs, I can see that it fails after trying to sync 'IssuanceScope'

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          11/16/2010 1:46:14 PM
Event ID:      344
Task Category: None
Level:         Error
Keywords:      AD FS
User:          Domain\user
Computer:      Computer.Domain.com
Description:
There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional data

Exception details:
ADMIN0023: Incorrect value for property LastPublishedPolicyCheckTime: 1/1/1900 5:00:00 AM.

User Action
 Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.

There are no errors on the first server.

Explaining "Active Directory" to non technical managers - any suggestions on a visual guide?

Hi folks.

Wondering if this is the right place to ask this question but you folks may have had the same challenge.. 

I need to explain at a high level (think in terms of explaining to a 10-year-old child) Active Directory, GPOs, OUs etc. to a group of non-technical managers.

Do you know of any good resources that I can refer to that might have already addressed this challenge? 

I have to present a slide show and I think it needs to be very visual with nice diagrams etc.

Any links / references to existing resources and material is greatly appreciated!

Thanks a lot


Delegate permissions in AD

Hello Team,

I see how to delegate control to a user to manage an OU with the settings "Create, delete, and manage user accounts".  Is there a way to have that user only "manage" user account settings without the create and delete permissions...?


Tom Karpowski...
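Added example, not from the thread: a PowerShell delegation that grants a group the ability to modify existing user objects under an OU (read/write all properties, plus the Reset Password control access right) without CreateChild or DeleteChild, which is what the Delegation of Control wizard's "Create, delete, and manage user accounts" template adds on top. The OU and group names are placeholders; the two GUIDs are the well-known schema IDs of the `user` class and the `Reset Password` extended right.

```powershell
# Added example (not part of the original thread). OU and group names are placeholders.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=example,DC=com'          # placeholder OU
$group = Get-ADGroup 'HelpDesk-UserManagers'    # placeholder delegate group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Schema GUIDs: the user object class, and the Reset Password control access right.
$userClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$acl = Get-Acl -Path "AD:\$ouDn"

# 1. Read/write all properties, inherited only to user objects beneath the OU
#    (Descendents + inheritedObjectType = user). No CreateChild/DeleteChild is granted.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# 2. Reset Password extended right on those same user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back what was granted, so the change can be reviewed before anyone relies on it.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.Name)" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

WriteProperty over all attributes of a user is still broad: it covers userAccountControl (enable/disable), servicePrincipalName and the like. If the delegate should only touch a few attributes, replace the first rule with one rule per attribute, passing that attribute's schemaIDGUID as the objectType argument.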

Are Secondary AD Site links actually required?

Consider this: You have three AD sites; A, B, and C.

All three have independent network connections to each other, and all three have multiple domain controllers.

Connectivity and reliability at Site B is best, so you decide to use that as the hub of your replication topology. You configure an A-B site link, and a B-C site link.

Question: Do you actually need an A-C site link in case connectivity to B goes down?  Or will the KCC attempt to make that connection on its own, based on the existing links?
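Added example, not from the post: a read-only PowerShell check that lists the IP site links, any explicit site link bridges, and whether the forest still has "Bridge all site links" enabled. The fact it relies on is the meaning of the `options` attribute on the `CN=IP,CN=Inter-Site Transports` object: bit 0x2 (BRIDGES_REQUIRED) set means automatic bridging is off. When it is clear, which is the default, all site links are transitive, so the KCC can create a direct A-C connection over the summed A-B and B-C costs if no domain controller in B is reachable. Requires the ActiveDirectory module.

```powershell
# Added example (not part of the original post). Read-only; needs RSAT AD module or a DC.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options

# 'options' on the transport object: bit 0x1 = ignore schedules, bit 0x2 = BRIDGES_REQUIRED.
# With 0x2 clear (default) every site link is bridged with every other link it shares a site
# with, so A-B plus B-C already gives the KCC a transitive A-C path.
$options         = if ($null -ne $ipTransport.options) { [int]$ipTransport.options } else { 0 }
$bridgesRequired = ($options -band 2) -ne 0

function Get-SiteName([string]$siteDn) { ($siteDn -split ',')[0] -replace '^CN=', '' }

'--- Site links (IP transport) ---'
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    ForEach-Object {
        [pscustomobject]@{
            Link        = $_.Name
            Cost        = $_.Cost
            IntervalMin = $_.ReplicationFrequencyInMinutes
            Sites       = ($_.SitesIncluded | ForEach-Object { Get-SiteName $_ }) -join ', '
        }
    } | Format-Table -AutoSize

'--- Explicit site link bridges (only matter when bridging is off) ---'
Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded |
    Select-Object Name, @{ n = 'Links'; e = { ($_.SiteLinksIncluded | ForEach-Object { Get-SiteName $_ }) -join ', ' } }

if ($bridgesRequired) {
    'Bridge all site links is OFF: sites are transitively reachable only through an explicit bridge or a direct link.'
} else {
    'Bridge all site links is ON (default): site links are transitive and the KCC can route around an unreachable hub site.'
}
```

The output is the thing to check before deciding on an A-C link: an extra link with a deliberately high cost is harmless with bridging on, but with bridging off (or in a forest where someone turned it off to control routing) the absence of an A-C link or bridge means no replication between A and C while B is down.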

AD Migration, changing language

Hi

I have an AD domain (2008 R2 level) running on Windows Server 2008 R2.

My problem:
the base installation of this domain was done in German. I would like to migrate the domain to Windows Server 2012 R2 and change the language to English.

Is there a way to migrate this without having to rebuild the domain or manually renaming all the built-in groups and users?

cheers
Yannick


Random Kerberos error KRB_AP_ERR_MODIFIED on boot up of Windows 7

Hello,

For a few weeks now we have been stuck on a problem with kerberos errors randomly showing up on boot up of our Windows 7 clients.  We have concluded that these random errors show up far more often on wireless notebooks, and for some reason more often on some than on others.  

I have done wireshark captures of a notebook when it is working and when it is not working.

[Image: Wireshark capture of a boot where group policy download works]

[Image: Wireshark capture of a boot where the Kerberos error occurs]

As you can see, in the top image (you will have to zoom in on the page in your browser), when it is working it shows that it connects with no kerberos error and it connects to the dns name of the server, in this case DC1.domain.ca and downloads the policy.

When it is not working it will give the kerberos error, and then try to connect to the hostname of the server \\dc1\ipc$ and it will fail to read the group policy.

I have done a lot of research and I know about resetting the domain controller computer account, checking the SPNs, verifying that the secure trust relationships are good between the servers, checking for duplicate DNS entries, etc.

The problem I have is why it is so random.  All of the posts online talk about these problems and the solutions, but they never mention that it is completely random.  I can reboot this laptop 5 times and it will work perfectly, but then it won't work 3 times in a row, then it goes back to working again.

Am I completely off track in trying to fix errors on the DC's and I should be looking at a hardware issue or a driver problem on the client side?

One other note is that when you get a kerberos error on boot up, if you wait up to 30 seconds, the client will try the connection again and it will succeed with the connection just as it is in the working one.  This is great, but most users have already tried logging in within 30 seconds and the GP's have then already failed.

Thanks,

Dan.
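Added example, not from the post: a read-only PowerShell check that finds servicePrincipalName values registered on more than one account anywhere in the forest, then lists which accounts hold the HOST/ and CIFS/ names of the DC mentioned in the post. A duplicate SPN is one documented cause of KRB_AP_ERR_MODIFIED, because the KDC encrypts the service ticket with the key of whichever account it finds first and the real server cannot decrypt it. The DC name is taken from the post; everything else is the standard ActiveDirectory module.

```powershell
# Added example (not part of the original post). Read-only; needs the ActiveDirectory module.
Import-Module ActiveDirectory

$owners = @{}   # spn (lower-cased) -> list of distinguished names that register it
foreach ($domain in (Get-ADForest).Domains) {
    Get-ADObject -Server $domain -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()            # SPN comparison is case-insensitive
                if (-not $owners.ContainsKey($key)) {
                    $owners[$key] = New-Object System.Collections.Generic.List[string]
                }
                $owners[$key].Add($dn)
            }
        }
}

'--- SPNs registered on more than one account ---'
$duplicates = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) { 'No duplicate SPNs found.' }
foreach ($d in $duplicates) {
    [pscustomobject]@{ SPN = $d.Key; Owners = ($d.Value -join ' ; ') }
}

'--- Accounts holding HOST/ or CIFS/ names for the DC from the post ---'
$dcName = 'DC1'
Get-ADObject -LDAPFilter "(|(servicePrincipalName=HOST/$dcName)(servicePrincipalName=HOST/$dcName.*)(servicePrincipalName=CIFS/$dcName*))" `
    -Properties servicePrincipalName |
    Select-Object DistinguishedName,
        @{ n = 'SPNs'; e = { ($_.servicePrincipalName | Where-Object { $_ -match "^(HOST|CIFS)/$dcName" }) -join ', ' } }
```

The built-in `setspn -X -F` does the first half of this check; the script is here so the result can be filtered and correlated with the DC name. A clean SPN report on a client that still fails intermittently points away from the DCs and toward the client-side timing the post describes (the wireless link coming up after the policy engine has already tried).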


GPMC commandlets on Windows server core

On my "Windows Server 2008 R2 Core" I had installed the Active Directory remote management components, including the "ActiveDirectory" PowerShell module. The problem is that the "GroupPolicy" module is not installed because the GPMC tool is not compatible with the Core version.

Is there a PowerShell "GroupPolicy" module standalone installer without the GPMC tool?

Thanks.

Roaming profile on Windows Server 2012 R2: Profile doesn't get created when logon to Domain Controllers

Hello,

I have 2 domain controllers running Windows Server 2012 R2 Standard across countries in one domain.

My goal is: Users should logon to any one of the Domain Controller and should get the same profile.

I have created a shared folder on 1 DC and specified its network path for the roaming profile in all users' properties in AD.

The issue is, when I log on to any DC using a domain user, I can log on successfully, but the user profile doesn't get created in the shared folder. So, when I log on to the other DC, I don't get the same profile contents, as it is creating the profile locally on the DCs.

I don't want to join any PCs to my domain. I want users to RDP to the DCs and use them with the same profile on both DCs.

Please help me to resolve this issue.

Thank you in advance.

Regards,

Shailesh

Redirect to FBA ADFS 2012R2

Our current SharePoint/ADFS architecture utilizes integrated authentication in IE.  So, when users browse to a SharePoint app, they are redirected to ADFS, their credentials are automatically passed, and they are issued a token before being taken back to SharePoint.  This is working peachy.  

We have a thousand or so shared bedside workstations in our hospitals and clinics that are logged into Windows using a generic account.  We do not want these generic users authenticating.  These generic accounts are all members of an EnterpriseGenericUsers group in AD.  To block their authentication, I added an Issuance Deny rule in the relying party trust that looks for the EnterpriseGenericUsers claim and denies the login.  This works great.  They are taken to the generic ADFS error page:

You are not authorized to access this site. Click here to sign out and sign in again or contact your administrator for permissions.

This is what we want to happen.  Good deal.  The next thing we would like is for the users to be redirected from the not authorized page to the ADFS FBA login so they can enter their personal credentials and log in.  My question: is there a URL we can hard code into a redirect or link that will take them to the FBA login?  We can customize the not authorized page to reference this URL, so when the user clicks the "Click here" link, they would be taken to this URL for FBA login.

We do not want to change the entire relying party trust to use FBA.  We want other non-generic users who log into their workstations with their own credentials to still be able to use integrated authentication and not sign in through the FBA page.

Any ideas?

Thanks

User account lockout after password change for users with access to multiple wireless laptops.

We have a situation where a user is forced to change their password after it expires.  They change it successfully on their laptop, but they have also previously logged into another laptop in the building.  That other laptop ends up locking out the user account because it's using cached credentials which are no longer current.  Our environment uses a Cisco Identity Service Engine for wireless connections, so the event logs always show that the source of the lockout is the Cisco Identity Service Engine.  This makes it hard to find what other laptop the user has been logged onto before.  Is there a way to force those other laptops to "log off" the user when he/she changes their domain password so they don't lock the account? In other words... if they change their domain password, all their other active sessions on other computers are logged off.

- the problem of having an open mind is, there is always someone trying to put something in it.
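Added example, not from the post: a PowerShell script that collects account lockouts (event 4740) from the PDC emulator, which records every lockout in the domain, and then pulls Kerberos pre-authentication failures (4771) and NTLM validation failures (4776) for the same account from every DC. The 4740 "Caller Computer Name" is the device that forwarded the bad password, which in the post's environment is the Cisco ISE; the 4771 IpAddress and 4776 Workstation fields are filled from the original request and can point past the RADIUS server to the laptop holding the stale credentials. The account name is a placeholder; the field names are the standard Security log EventData names.

```powershell
# Added example (not part of the original post). Needs the ActiveDirectory module and
# permission to read the Security log on the DCs (Event Log Readers or equivalent).
Import-Module ActiveDirectory
$account = 'jdoe'                      # placeholder sAMAccountName
$since   = (Get-Date).AddHours(-24)

function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Map <Data Name="..."> elements to a hashtable so fields are read by name, not index.
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

'--- 4740 lockouts on the PDC emulator ---'
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
}
foreach ($e in $lockouts) {
    $f = Get-EventFields $e
    if ($f['TargetUserName'] -ne $account) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Event   = 4740
        Account = $f['TargetUserName']
        Source  = $f['TargetDomainName']   # 4740 stores "Caller Computer Name" in this field
    }
}

'--- 4771 / 4776 failures on every DC ---'
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $failures = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $since
    }
    foreach ($e in $failures) {
        $f = Get-EventFields $e
        if ($f['TargetUserName'] -notlike "$account*") { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Event   = $e.Id
            DC      = $dc
            Account = $f['TargetUserName']
            Status  = $f['Status']   # 4771: 0x18 = bad pre-auth (wrong password); 4776: 0xC000006A = wrong password
            Source  = if ($e.Id -eq 4771) { $f['IpAddress'] } else { $f['Workstation'] }
        }
    }
}
```

A burst of 4771 status 0x18 events from one IpAddress a few minutes after the password change, followed by the 4740, identifies the laptop still presenting the old password; clearing its cached credential, or simply logging that session off, stops the lockout loop.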

backup and restore active directory to another server

Hello,

I have Active Directory installed on Windows Server 2008 R2.

I want to back up Active Directory and restore it to another server.

How can I do it?

thanks in advance.

Procedure to shutdown and reboot Root Domain Controller in downtime maintenance

Hi All,

We have a single domain in a forest in the data center and ADCs in remote branches.

The root domain controller and ADCs have the OS Windows Server 2008 R2 Enterprise Edition.

The root DC has all 5 FSMO roles.

My question is: during downtime maintenance, what steps do we have to take before shutting down and after powering on the root domain controller?

I ask because we faced a lot of issues during downtime, like logon issues and the cluster not working.


ADFS 2 to 3 migration

Hi Guys

We are migrating our ADFS 2.0 to 3.0. We have created a lab and successfully tested most of the transition; however, we are not sure if just exporting the ADFS server configuration using (Export-FederationConfiguration.ps1 –Path and Import-FederationConfiguration.ps1 –Path) is enough to have all the settings migrated.

Our question is: based on your experience, is the Export/Import configuration PowerShell script all we need, or might we need to contact our federated companies to make changes on their end?

Regards

New physical server - with two DC's - need help!

My scenario is I have a small business who has two locations.  The "IT" guy is set in a way that he wants to do this, and he has contracted me to help.

Site 1
192.168.1.x network
SBS 2003 server (on really old hardware). Let's call this server SBS1

Site 2
192.168.2.x network
Is a domain controller that's a global catalog. The two sites replicate.  Let's call this server Server2

Site-to-site VPN between the two offices

The OLD IT guy took an image of the SBS server six months ago, and put it on newer hardware.  But it was never implemented.  Since 6 months ago, not much has changed, a few new PC's and a few new users.

The current "IT" guy wants to put the imaged SBS that is the newer hardware server into the network and decom the old SBS server. 

The network can be taken down, and downtime is okay.  This doesn't need to be a quick drop-in and go.

My concern is, if I drop in the imaged server of the SBS server that was done six months ago, it's going to look and say hey, there are some accounts that I don't have, so I'm going to remove them from Server2.

What's the best way of going about this?

I have suggested some other routes, but the "IT" guy is insistent on doing this, and well he's paying me by the hour so I'm fine following his lead.

Also the "IT" guy is willing to recreate missing user accounts if that happens.

WinRM load CPU 100%

I have 9 Domain Controllers 2012 (not R2) and one DC 2008 R2 in one domain. The domain has 5 sites. There are some trusted domains. All DCs are virtual machines on VMware. Domain and forest level: 2008 R2.

All 2012 DCs have the same problem. WinRM loads the CPU to 100% and the DC doesn't answer requests; ping works, RDP tries connecting but can't sign in. The problem appears randomly (not simultaneously) on all DCs. The DC 2008 R2 works fine.

I disabled WinRM on all DCs and users can work, but I need WinRM.

Thanks!

Removing External Trust Type Domain

We are in the process of planning our 2003 to 2012 R2 AD upgrade (yeah, I know), and we have a legacy external domain that I wish to collapse. The domain is set up with a non-transitive external trust.  It also shows another domain that we no longer have in the Trusts tab, showing Realm for trust type and Yes for transitive.

My question is: when we DCPromo the last DC in the external domain, are the trust settings removed automatically, or do I need to ‘remove’ them on both sides of the trust prior to the DCPromo process? Or does removing one side remove the other side's settings?

Any concerns about the user account being used?  In each case I have an account in both domains that is a Domain Admin with the same name but different passwords. Should I sync these PWs up for this process?

Also, am I correct in the thought that collapsing the external trust domain should not have any effect on my primary domain that is still in place, or are there other points that I should be aware of in this process?

How to set password and how to synchronize password

Hi,

I am using LSC (LDAP Synchronization Connector) to synchronize users from AD LDS to a MySQL database.

I am able to sync properties like cn, sn, mail, given name. But I can't sync the password. What is the key for the password? I mean, for example, for mail we have the "mail" key. For the password, I can't see any keyword. Only using a key am I able to sync users from AD LDS to the database.

I have set the password in two ways.

1) Using ADSI Edit - by right-clicking "Reset Password" - in this scenario, I don't know the key for this.

2) Using Ldp over an encrypted, non-SSL connection - in this scenario, I know the key. The key is "userpassword". Using the key I am not able to sync the password.

Thanks

Regards 

Udhay
