Quantcast
Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

November 24, 2014, 2:12 pm
$
0
0

We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can login on the affected computers with a SmartID.

In all cases, users can login on affected computers with their user ID and password.

All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.

However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.

Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server.  You can also hit the HTTP site for the CRL download and manually download the CRL.  All this once logged in using user id and password.

You can't unlock the computer with a Smart card or login with a smart card.

Packet trace indicates Kerberos session properly negotiated with workstation and DC. 

Everything fails once client workstation can't download CRL during login.

Any suggestions on where to look next?

We have reloaded Activclient smart card validation software.  Still no effect on issue. 

Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.

Problem occurs during CRL download only, so login or any type of validation fails.


Search

user account is removed from a Active directory security group (server 2008 R2) after a day

December 8, 2014, 1:36 am
$
0
0

Hello !

i add many times a user in a AD security group, but the user is removed automatically after a day. What i don't understand is that other users have been added to the same group but they are still in the group (there is no problem with their accounts).

To add this user that is always removed after a day (or a period), i use the member of tab in the account properties.

Right click on the user account -> properties-> member of -> add -> groupName->ok

Thank you for your help !!

MSA Account Naming Rules?

November 26, 2014, 9:39 am
$
0
0

Hi, this is originally from https://social.msdn.microsoft.com/Forums/sqlserver/en-US/f15bd9f3-2e14-42e1-a6d0-576f7dd74ded/msa-account-naming-rules?forum=sqlsetupandupgrade.  Does anybody know of any special naming rules for MSAs?  We have an issue with embedded $ characters in the name.  I seen other report issues when using more than 15 characters, but have not tried it myself.  For the $ within the account name, there was no error creating the account; however, the account was not to be found.  It works fine once we removed the embedded $ chars.  Is this a known limitation in directory services or the tools used to mange it?  I'm interested in knowing the details because we are starting to use MSA.  A naming standard will be affected by rules - hopefully now rather than later.  Thanks.

Randy in Marin

Slow Logons from branch office

December 8, 2014, 9:54 am
$
0
0

We just moved an office of ours in a branch office to another building. The office is in Miami and is normally connected to our Tampa main office via an MPLS connection. The connectivity to our Tampa office is down now because of issues with the MPLS provider but I have users still logging in to their desktops to access server resources in Miami. The issue is that logons in the Miami office are taking longer than normal even though the Miami site has a read/write DC with GC enabled on that DC. If I unplug the network cable the logon happens much quicker and then I can plug the cable back in and access the server with no issues. My assumption is that when unplugging the network cable the computer is logging on with the cached credentials on the computer instead of trying to access a DC for logon. I was under the assumption that since their is a read/write DC and GC server on site logons should not take forever even though the DC on site has no connectivity to the DC's in our main office here in Tampa. Am I missing something? Why would the logons take so long?

Thanks in advance!

Chad

Chad Guiney

ADFS 2012 R2 + DirectAccess + Office 365 = Display 2 certificates and nothing.....

December 8, 2014, 10:26 am
$
0
0

I'll describe the situation and hope someone can point me in the right direction.

We have enabled ADFS sign on for office 365.  We have several laptop users who connect from all over the place and implemented DirectAccess so they would be automatically connected to our corporate LAN.

When these users are working on the wired network (Direct Access not needed) and go to the OWA site they put the URL in the browser and type their email address in the window.  The logon page redirects them to our ADFS site, they are logged in using cached credentials and redirected to the Office 365 site.

When they are outside the office and connected via DirectAccess the logon process changes.  They go to the OWA site, put in their logon name, and are redirected to the ADFS site.  This time they are presented with a popup and 2 certificates, One from the Communications Server with a 1 day range and the other from the local PKI server.  No matter which certificate is chosen the adfs server hangs.  If you press cancel the server asks for the logon credentials.  If you select a certificate, all subsequent attempts use that certificate and there is no option to cancel. 

The ADFS server should not be using credentials for authentication.  Can that be turned off easily?

I read an article that said it could be a Certificate Revocation Lookup issue which is a possibility since the RCL server is NOT in the DMZ or available from servers in the DMZ. 

Thanks for any help you can give me!

Vince

LSASRV - SPNEGO (Negotiator) - 40960

December 8, 2014, 11:02 am
$
0
0

We have established a relationship of trust between a Windows 2012 domain and another Windows 2003.

In Windows 2003 DC I have published this error.
As I can fix?

The Security System detected an authentication error for the server ldap/SERVER.domain2/domain2@DOMAIN2.  The failure code from authentication protocol Kerberos was "The name or SID of the domain specified is inconsistent with the trust information for that domain.  (0xc000019b)".

Regards

Changing IP of domain Controller (Server 2008)?

December 9, 2014, 12:08 am
$
0
0
I'm considering changing the IP on a 2008 Domain Controller. Server is also running DNS, anything that I should be aware of to look out for?

Newbie questions about ADDS

December 8, 2014, 1:35 pm
$
0
0

It has always been my impression that with ADDS you are able to really lock down systems and permissions much more than with standard users vs administrator.

Is that true, or can you get the same control using gpedit?

When a pc joins a domain, are there still "local" accounts or does every user have be from the domain?
What happens if there is a network outage between the domain server?

Thanks

Search

SYSVOL folder is not syncronizing on ADC on windows 2003

December 9, 2014, 12:54 am
$
0
0
SYSVOL folder is not syncronizing on ADC on windows 2003

I have created ADC in windows 2003 invironment but there is no item in sysvol folder. getting below mentioned warning on DC

The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
CN=Configuration,DC=Mpsfulfilment,DC=com
Source domain controller:
CN=NTDS Settings,CN=MPSFSERV-ADC,CN=Servers,CN=MPS-GURGAON,CN=Sites,CN=Configuration,DC=Mpsfulfilment,DC=com
Source domain controller address:
cf8069dd-038a-4d70-a8c4-a38ddfe50b4f._msdcs.Mpsfulfilment.com
Intersite transport (if any):
 
Please suggest.

Regards
Manoj Khowal

Promote a Win2k12R2 as a New Child Domain of Existing Forest

December 8, 2014, 10:53 pm
$
0
0

We already have a setup of Win2012 R2 Servers but as soon as we promoting a new Win Server 2012 R2 as a New Child Domain in existing Forest (i.e.xyz.abc.com), The Promotion completed successfully but after that It Start rebooting in 15mins.

We tried to install all windows updates/Hotfixes but no solution.

But Once we demote it it starts working fine again.

It seems a bug in Windows Server 2012 R2.

User account lockout after password change for users with access to multiple wireless laptops.

December 5, 2014, 12:47 pm
$
0
0
We have a situation where a user is forced to change their password after it expires.  They change it successfully on their laptop, but they also have previously logged into another laptop in the building.  That other laptop ends up locking out the user account because it's using cached credentials which are no longer current.  Our environment uses a Cisco Identity Service Engine for wireless connections, so the event logs always shows that the source of the lockout is the Cisco Identity Service Engine.  This makes it hard to find what other laptop the user has been logged onto before.  It there a way to force those other laptops to "logoff" the user when he/she changes their domain password so they don't lock the account? In other words....if they change their domain password, all their other active sessions on other computers are logged off.  

- the problem of having an open mind is, there is always someone trying to put something in it.

Problem Registering Workstation

December 1, 2014, 7:49 am
$
0
0

Hi,
we have two forest.
Forest A (windows 2003) contains the dhcp server
Forest B(windows 2008r2) use dhcp server of forest A
the two forest have bidirectional trust relationship in place
when I move workstation from forest a to foerest B pc doesn't register in the new forest.
The primary DNS of every workstation in the two forest is a domanin controller placed in forest A.
DNS name resolution between two forest works fine.
What can I check?

Thank you 


Luca Pozzoli

AD CS - Import certificates to new user laptops

December 9, 2014, 5:29 am
$
0
0

Hello,

We have a AD CS server. 

When users changes laptop - or use multiple laptops -, is there a procedure to import user certificates to new laptops, whitout manual export/import?

Thank you

ADWS Broken after in-place upgrade from Server 2008 R2 to Server 2012 R2

November 21, 2014, 12:36 pm
$
0
0

I performed an in-place upgrade from 64-bit Server 2008 R2 to Server 2012 R2.  This machine ran Active Directory Web Services. After the upgrade ADWS will not start. I get the following event log error:

Log Name:      Application
Source:        .NET Runtime
Date:          11/21/2014 3:23:02 PM
Event ID:      1026
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTER
Description:
Application: Microsoft.ActiveDirectory.WebServices.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ServiceModel.CommunicationObjectFaultedException
Stack:
   at System.ServiceModel.Channels.CommunicationObject.Close(System.TimeSpan)
   at Microsoft.ActiveDirectory.WebServices.WindowsHostService.StartService(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart(System.Object)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name=".NET Runtime" />
    <EventID Qualifiers="0">1026</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-11-21T20:23:02.000000000Z" />
    <EventRecordID>65596</EventRecordID>
    <Channel>Application</Channel>
    <Computer>COMPUTER</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Application: Microsoft.ActiveDirectory.WebServices.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ServiceModel.CommunicationObjectFaultedException
Stack:
   at System.ServiceModel.Channels.CommunicationObject.Close(System.TimeSpan)
   at Microsoft.ActiveDirectory.WebServices.WindowsHostService.StartService(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart(System.Object)
</Data>
  </EventData>
</Event>

Password Never Expires- Check Box Rights Delegation

December 8, 2014, 8:59 pm
$
0
0

Greetings my fellow IT comrades,

I have a peculiar problem with an OU in assigning rights to a group or individual to be able to check the "Password Never Expires" checkbox. The OU has any GPOs blocked from inheritance and although I grant the user or group full rights to the OU, they are unable to check this box for any user accounts within that OU. They can check and uncheck everything else but that option in a user's Account settings tab. With full permissions to the user or group, they can uncheck the box but not check it. Checking the box after it has been unchecked and applied will result in the error "The following Active Directory Domain Services error occurred: Access is denied." I've verified within the advanced security settings "Effective Permissions" and everything is checked for Read & Write for every object for the user account(s). Any ideas or thoughts as to what I should be looking for that is missing? Domain Admin of course can do everything to the account just not a particular account or group. What is missing? Your feedback or thoughts is greatly appreciated. Thanks in advance!

Van

Search

Active directory internet web authentication

December 9, 2014, 8:39 am
$
0
0

hi,

i need for an internet web page authentication from active directory

how can obtain this

thanks

Domain Controller Disk Partition Best Practices

April 23, 2011, 9:20 am
$
0
0

I'm hoping someone can sanity check my plan for a new AD DS install.

I'm building the first 2008 DC for a non-profit.  Max users are estimated to be 100, with about 40 to 50 for starters.  The server has two internal disk drives:

C: System, Boot, Page, RAID 1 (20Gb free)

E: Secondary disk drive, Simple Volume (250Gb free)

My thinking on how to partition the storage and install AD DS is as follows:

1. NTDS.DIT -- on C:  (has 20Gb free)

2. Logs -- create a separate 10Gb partition (F:) on the Secondary drive for Logs

3. SYSVOL -- on E: in another separate 100Gb partition (G:)

My reasoning is that

a) NTDS and Logs should definitely be on separate spindles.  Since NTDS.DIT should remain under 5Gb, there is enough space on C:

b) SYSVOL should generally not be on the boot disk (which is tight on space anyway), and while not optimal on the same disk as Logs, it is the best choice in this scenarios.

Does this sound about right?

Procedure to shutdown and reboot Root Domain Controller in downtime maintenance

December 5, 2014, 8:32 am
$
0
0

Hi All,

We have a single domain in a forest in data center and ADC in remote branches.

Root domain controller and ADC having OS Windows Server 2008 R2 Enterprise Edition.

The root DC has all 5 FSMO roles.

My Question is here that, during downtime maintenance, what steps we have to take before shutdown and after power On the Root domain controller.

Why because, we faced lot of issue during downtime, like logon issues, cluster not working.

AD Replication error 5: Access is denied or 2146893022: target principal name is incorrect

December 9, 2014, 7:01 am
$
0
0

Hello,

I have DC1(fsmo role holder) and DC2 which were replicating.  I ran windows update on DC1 and rebooted which it had not done in months.  When it came back up  I could run repadmin /showrepl successfully on DC1.  However when running on DC2 I get the "2146893022: target principal name is incorrect" message.

I understand you can run the "netdom resetpwd /s:server /ud:<var style="box-sizing:border-box;margin:0px;padding:0px;color:#333333;font-family:'Segoe UI regular', 'Segoe UI', Arial, Tahoma, sans-serif;font-size:13px;font-weight:bold;line-height:16px;">mydomain</var>\administrator /pd:*"  command but I am unsure:

1.  Where would I run this command

2. Which server goes in th"/s:server"?  Would it be the DC1 or the DC2?

I've got alot of gpos..

December 9, 2014, 12:38 pm
$
0
0

Greetings and salutations.

I, have a problem.

I've been tasked with going through and cleaning out/ validating/ gathering info on settings/ nixing any duplicated policies when it comes to the gpos riding on our network. So, after very rapidly shoving the basics of powershell down, I decided to run the get-gporeport -all command via the gpo module. After about 10 minutes of buffering, I ended up with a neat xml file that I sent over to excel for organizational reasons. It imported the file, and I told it to make it into an xml table

It took excel awhile to process, but when it was done I had like.. 9 billion or so different cells. Would any of you know how I could filter out the unnecessary information so the file could be digestible by the likes of an IT noob? or a better way entirely to do this?

any and all help will be greatly appreciated.

Viewing all 31638 articles
Browse latest View live
Search