Channel: Directory Services forum

"Your Organization's Policies are preventing us from continuing this action for you. For more information contact the Help Desk"

I don't have an organization; this is my computer that I use for work. This problem just started yesterday when I was trying to purchase an Adobe product, but now I can't even open extensions. It's really frustrating. How do I change this? Please


AD Domain Name - Best Practices

We are in the process of designing a brand new AD implementation and running into some difference of opinions in regards to what the AD domain should be.

Our company "Contoso" plans to use Contoso.com for a public website, and for hosted Exchange email using O365. The AD infrastructure is expected to synchronize with O365 and Azure and use SSO whenever possible.
Additionally, AD FS and LDAP over SSL (using 3rd-party certificates) might be in our future; however, no formal requirements are defined yet.

The options on the table are:

  1. contoso.com
  2. ad.contoso.com
  3. contoso.local
  4. adcontoso.com

The majority of our team is split between options 1 and 2. What do you think the ideal name should be?

2FA for Windows login using Mobile app

Hi All,

We are planning to implement additional login security for our domain.

Present :

Windows Server 2012 R2

Active Directory

800+ users

Requirement : need to enable additional security (means 2FA) for all users to login to AD and other applications (like Billing, Accounts, etc - Third Party Apps).

We recommend using a mobile app to generate passcodes for 2FA.

Please advise on the best industry-standard method and the OS/application requirements.

Thanks in advance

Shibu

Domain Controller GUID Change
Does a domain controller GUID change when dcpromo'd down and then dcpromo'd back up?

DNS

Hello,

We have Active Directory and Infoblox as DNS in our environment; each of these DNS services controls its own namespace. Lately we realized that when we do a reverse lookup from a client machine whose DNS servers are the AD servers, it resolves to the PTR record created in Infoblox rather than resolving through AD DNS. I can see the PTR record for the specific host I'm looking for defined correctly in AD. When I do nslookup (with the server pointing to AD) it does not perform the reverse lookup correctly. Could someone let me know what the issue could be?

All accounts are locked

Hello,

Today I tried to log in to my lab and found my account is locked. I tried to log in with other accounts, but they are locked too :(

I waited for some time, but the account still remains in the locked state.

My built-in account was renamed to ADMIN; I tried to log in with this account, but it is disabled (it was disabled by me).

I do not have a backup of my AD.

DC - Windows Server 2003

Troubleshooting done so far:


Rebooted in DSRM, tried to modify default policy

Went to Sysvol\Domain\Policies\{31b…}\Machine\Microsoft\WindowsNT\Secedit\Gpttmpl.inf and changed following values

ResetLockoutCount = 1
LockoutDuration  = 1
LockoutBadCount to 100

Rebooted in normal mode. Did not help.

Tried again with following values:

ResetLockoutCount = 1
LockoutDuration  = 1
LockoutBadCount to 0

Did not help.

-------------

Please help me from here.

I do not have backup, so cannot restore from it.

Please don't ask me to destroy the lab and create again

Remote office, no DC and a public DNS Server

We are trying to do a unique setup, which is turning out to be more trouble than I expected.

We have one office, which contains all our servers, DHCP, DNS, DC, EXCH, FILE...etc   This office has their own internet connection.

Servers: 192.168.0.109 is our DNS and DC server.

We have a second office, which is connected to the main office via a fiber connection.   The second office is a disaster muster zone and we needed to connect them to their own Internet connection.  Essentially, if the main office is down, this office needs to have access to the internet.

We configured the firewall on the remote office side to use 8.8.8.8 and 192.168.0.109 as our DNS, but when I try to ping the DC by name it will not resolve.

We have added the names/IPs to the hosts files, which allows us to resolve the servers by name, but we are not able to authenticate with AD at all. When we log into the computers we are logging in via cached credentials, and when we try to access network shares we need to enter credentials.

Is what we are trying to do even possible without having a local DC?

Cannot Remove User from Built in Administrators group

Hi,

Our Network Admin left and we want to make some changes to a shared folder. We want to remove one of the users from the Administrators group. Once removed, the user comes back to that group automatically after a couple of minutes. Can anyone help me sort out this problem?

Thank You in advance


Jibran Ishtiaq


LDAP Query - Finding account that have a logon script entry

Hi

Is there a query that can be run to find all user accounts in a domain that have an entry under 'Login Script' ?

I have to perform this exercise and remove all entries.

Thanks

Ivan 

Credential Roaming failed to write to the Active Directory. Error code 5 (Access is denied.)

Hi All,

I can see the following error event on all client computers. Could someone please help me with this?

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CredentialRoaming
Event ID:      1005
Level:         Error
Description:   Certificate Services Client: Credential Roaming failed to write to the Active Directory. Error code 5 (Access is denied.)


Regards, Srinivasu.Muchcherla

Replication Error after remove one DC

Hi,

We had 2 DCs and one of them failed.

We seized the operations master roles to the additional DC and deleted the metadata, but now Active Directory sends this log:


P.Kahani Network Specialist

Locally cached copy of roaming profiles are being created with username.domainname.00x suffix
First off, let me give some background as to where we've come from and how we got to where we are today. In my organization we initially set up a Win 2k3 domain with roaming profiles. The roaming profiles worked without a problem for about 6 years. We migrated to a Windows 2k8 domain (non-2008 native mode) about two years ago. Profiles have been working fine. We recently did a rollout of 80% of our client machines with newly leased machines.

Once we did this, the profile issues have been...interesting, to say the least. I've been seeing a couple of machines having issues loading their profiles correctly. The users will complain of not being able to use MS Outlook, or they don't have their proper desktop icons on their desktop. These errors can present themselves when the user changes their domain acct. password (per our security policy) or it may happen just out of the blue. The user may be working perfectly fine on Monday, and then log off, and on Tuesday when they log in to their computer the user will have these problems.

When this is reported to me, I log in to the computer that is having the issue and look at the C:\Documents and Settings folder, and I'll sometimes see multiple bogus profiles. The profiles have a naming convention of %username%.%domainname%.00X. The .00X will increment by 1 with each bogus profile. Each of these bogus profiles will have only the Local Settings folder in them. In order to fix this problem, we typically delete all the local profiles and let the computer pull the server copy back down. Can someone please shed some light on this for me? Thanks.

AD FS - KB3003381 causes redirect loop on login

Hi,

I'm using AD FS 2.1 for SSO (2 IIS sites and several WCF services), but my users have been seeing redirect loops when they try to log in. Once the user's browser recognises the loop and interrupts it, they are able to either resubmit the request with a page refresh (depending on the browser) or navigate to the URL of the site, and they are logged in, but this is not a good workaround. We are using SecurEnvoy for 2FA.

This behaviour started shortly after KB3003381 was applied to the production environment, and I have replicated the behaviour on our staging environment. Removing this patch from the staging environment causes the login mechanism to behave normally.

From Fiddler, once users have authenticated successfully using SecurEnvoy, they are directed to

https://<AD FS proxy URL>/adfs/ls/?wa=wsignin1.0&wtrealm=<site URL>&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=<UTC timestamp>

which results in a 302 redirect to 

https://<AD FS proxy URL>/adfs/ls/auth/basic/?wa=wsignin1.0&wtrealm=<site URL>&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=<UTC timestamp>

This should return a 200, but instead returns a 302 redirect to the same URL, until stopped by the browser.

Domain Users Group is a Protected Group on the Domain

I'm having an issue where I set some permissions for a particular user's mailbox, but when I come back later the permissions have been removed. I have done some digging around and I believe the issue is a result of the Domain Users group being protected, which has led me to the AdminSDHolder object in the System container. Does anyone know if it is possible to amend the security permissions so that the group is no longer protected, as it is causing some major issues for me?

Any suggestions would be appreciated

Thanks in Advance

Edit GAL to show phone numbers but not email addresses

We would like to edit our company's GAL to show only the phone numbers for some staff and not their exchange email accounts.  Is there a way to do this through Active Directory?

AD Environment: Server 2008 R2 Standard

Exchange Environment: Server 2008 Standard, Exchange server 2007.


Merging two separate AD forests

Right now my company has a sister company that is totally separate from ours. All we have in common right now is that we are owned by the same entity. Different AD forests, each with its own email, etc. We are now looking at combining the two companies and I need some advice on the best way to do this. I think what they would like to see happen is to have a new domain with a new name that identifies the parent company and then have our 2 domains come together under that. Both domains are at 2008 R2 functional level right now. Can this be done most easily with trusts? Creating the new forest/domain and then just trusting the current domains all around. I don't believe we can take an existing forest and make it a child domain under a new forest, but I could be wrong.

Any advice would be appreciated. I have not had any experience with this type of scenario.

Thanks

Rename domain: can't change the case of DC

Hi,

I tried to rename a domain, but it is not possible to change the case of the TLD from LOCAL to local for the LDAP attribute DC (possibly it will also not work for the domain part, but I didn't try that).

Any idea where the case is saved? I think it must be stored somewhere in LDAP, but I don't know where (an LDAP search for *=local does not work).

I also tried renaming from domain.LOCAL to domain.test (where the case was OK) and back to domain.local, but it became domain.LOCAL again.

Notice: the DNS name is renamed to the right case (only in some places can you read the TLD in upper case), but not the LDAP attribute (I see DC=domain,DC=LOCAL).

Regards,

Thomas



Domain netbios name fails to connect using LDP.exe

I can connect to my domain using the FQDN with LDP.exe; however, I'm unable to connect to my domain using the domain NetBIOS name in LDP.exe. I know this sounds simple, but I cannot figure out why (this works on another machine in a different location).

ldp.exe, Connect - domain.local (works)

ldp.exe, Connect - domain (NetBIOS name - fails)

I've been searching all over and I cannot find out the process by which the NetBIOS domain name is queried in a DNS-only Active Directory domain.

Please help!

2008 event equivalent of 2003 Netlogon 5807 event

I have a custom Opsmgr rule that alerts me when our Network team has made a new subnet and not told us about it.

I am upgrading all my DCs to 2008 and need to find the equivalent event to update this rule. I have a 2008 DC with missing subnets and cannot find any events to indicate this. I know that many event numbers were incremented by 4096 between 2003 and 2008. There are no events numbered 9903, and no events that contain phrases from the old event like "undefined site" or "existing sites".

Does anyone know if such an event is still logged, and if so, what is the source/number?

Thanks

Example of the old event from a Win2003 DC:

Event Type:         Warning
Event Source:       NETLOGON
Event Category:     None
Event ID:           5807
Date:               1/10/2003
Time:               10:59:53 AM
User:               N/A
Computer:           DC1
Description:
During the past 4.18 hours there have been 21 connections to this Domain Controller
from client machines whose IP addresses don't map to any of the existing sites in the
enterprise. Those clients, therefore, have undefined sites and may connect to any
Domain Controller including those that are in far distant locations from the clients.
A client's site is determined by the mapping of its subnet to one of the existing
sites. To move the above clients to one of the sites, please consider creating subnet
object(s) covering the above IP addresses with mapping to one of the existing sites.
The names and IP addresses of the clients in question have been logged on this
computer in the following log file '%SystemRoot%\debug\netlogon.log' and,
potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former
log becomes full. The log(s) may contain additional unrelated debugging information.
To filter out the needed information, please search for lines which contain text
'NO_CLIENT_SITE:'. The first word after this string is the client name and the second
word is the client IP address. The maximum size of the log(s) is controlled by the
following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current
maximum size is 20000000 bytes. To set a different maximum size, create the above
registry value and set the desired maximum size in bytes.

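The event above tells you how to pull the affected clients out of netlogon.log: find lines containing 'NO_CLIENT_SITE:' and take the next two words as client name and IP. The following parser is an added example, not code from the post or from any Microsoft tool; the sample log lines are constructed, and the text preceding 'NO_CLIENT_SITE:' on each line is an assumption, since the event only specifies the two words after it. It also groups the addresses into candidate /24 subnets, which is the information you need when creating the subnet objects the event recommends.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of netlogon.log lines. Only the part after
# 'NO_CLIENT_SITE:' follows the documented layout (client name, then IP);
# the timestamp/category prefix is assumed for illustration.
SAMPLE_LOG = """\
01/10 10:41:02 [MISC] CONTOSO: NO_CLIENT_SITE: WS-FINANCE-01 10.20.5.17
01/10 10:41:09 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from WS-HQ-07 Entered
01/10 10:42:55 [MISC] CONTOSO: NO_CLIENT_SITE: WS-FINANCE-02 10.20.5.18
01/10 10:43:10 [MISC] CONTOSO: NO_CLIENT_SITE: LAPTOP-SALES-3 172.16.44.9
01/10 10:44:31 [MISC] CONTOSO: NO_CLIENT_SITE: WS-FINANCE-01 10.20.5.17
01/10 10:45:00 [MISC] CONTOSO: NO_CLIENT_SITE: BADHOST not-an-ip
"""

# First word after the marker is the client name, second is the client IP.
_NO_SITE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)")


def parse_no_client_site(text):
    """Return a list of (client_name, ip_address) for every NO_CLIENT_SITE line.

    Lines without the marker are unrelated debugging output and are skipped;
    a line whose second word is not a valid address is skipped as well.
    """
    found = []
    for line in text.splitlines():
        m = _NO_SITE.search(line)
        if not m:
            continue
        name, ip_str = m.group(1), m.group(2)
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # malformed address: ignore rather than fail the whole run
        found.append((name, ip))
    return found


def missing_subnets(entries, prefix=24):
    """Group the client names by the /prefix network their IP falls into.

    Each key is a candidate subnet object that has no site mapping yet.
    """
    groups = defaultdict(set)
    for name, ip in entries:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].add(name)
    return {net: sorted(names) for net, names in groups.items()}


if __name__ == "__main__":
    for net, names in sorted(missing_subnets(parse_no_client_site(SAMPLE_LOG)).items()):
        print(f"{net}: {', '.join(names)}")
```

Run it against a copy of '%SystemRoot%\debug\netlogon.log' (and netlogon.bak) taken from the DC to get the list of subnets still missing from Sites and Services.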

Need KB969166 x86

0.438: FileVersion of C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Less Than 3.5.30729.4126
0.438: Second Condition in Prereq.CheckSDSAMQFEInstalled.Section Failed

AD Web Services install failure on a 2003 Standard SP2 server with .NET 3.5 and all the other documented roll-ups and fixes for this.
