Channel: Directory Services forum

Secure LDAP - Domain Controller FQDN (.local vs .com)


According to this article, Microsoft requires that the name of the certificate match the FQDN of the server for LDAP over SSL with a third party.

The FQDN of my Domain Controller is servername.domain.local. After 11/1/2015 GoDaddy will no longer allow non-fully-qualified domain names to be used as cert names. I am attempting to address this issue now.

I have the cert installed for servername.domain.com on the DC in Certificates (Local Computer) > Personal > Certificates. I have external DNS in place so that servername.domain.com resolves to the public IP of my firewall. I have my firewall redirecting traffic on port 636 from specific IPs (my third party) to my internal DC. However, when I test it using some simple SSL checker services I am told "No certificate found". The server has been rebooted after the cert was installed. Performing an IPCONFIG /ALL on the DC shows the Host is servername and the Primary DNS suffix is domain.local. Hence the FQDN is servername.domain.local.

What can I do to get my Domain Controller FQDN to be servername.domain.com? Can this be as simple as adding a DNS suffix for domain.com? Or is this going to take a major rework of my AD structure?

Any advice is appreciated.

Thanks,



Have to remove and re-add multiple PCs to domain every morning, no error messages


For the past 2 weeks, every morning we have a few computers that will not allow any domain user to log in (tested with 3 known good accounts).

The only error message is the standard one (Username or password is incorrect), not anything about the trust not being established or anything else. No errors are found in Event Viewer on the local PCs or the domain controllers. Most computers, once removed and re-added, have been fine; a couple of computers we have had to remove and re-add every morning, but even those work fine until the next morning when a user tries to log in again.

Our environment is two 2008 DCs and one 2003 DC.

Any thoughts on where else to look for info, since I'm not finding anything in Event Viewer and not getting any error messages to work from?

Thanks,

Cross domain account logon events


Hi,

Our organisation has two domains with a two-way trust established between them; let's call them domain A and domain B.

We have users in domain A who often use resources in domain B; however, we do not have auditing of resource usage configured via Group Policy.

I need to find a way of tracing which users in domain A have used resources in domain B.

I know that logon events for users in domain A will be logged on the DC in domain A that authenticated them; however, will any events be logged on any DCs in domain B if the user accesses resources in that domain, without auditing enabled of course?

Any advice is greatly appreciated.

Thanks

Are my DNS settings correct, as Exchange throws a wobbly when the PDC is down?


Hi there, apologies for posting, but I can't seem to find the answer to this anywhere and AFAIK I am following all good practice!

We have several sites with DCs in all of them, and at our main location we have several servers including a couple of DCs. The problem is with the Exchange server, which is also a GC: if the other GC goes offline, it fails to serve email as it cannot find AD! At first I assumed it was something to do with AD, so I have run DCDiag and it reports no errors on either machine (bar a few missing RD print drivers), and repadmin shows no problems either. What on earth could be causing this?

I wondered if my DNS settings are correct or if Exchange is just being mental? My setup is below; VPNs exist between gateways.

Main Site

PDC1 (GC, DHCP, DNS) 2008r2
IP-10.0.0.1
GW-10.0.1.9
DNS-10.0.0.1
DNS-10.0.0.3

RDC (Remote Desktop, IIS) 2008r2
IP-10.0.0.2
GW-10.0.1.9
DNS-10.0.0.1
DNS-10.0.0.3

MAIL (Exchange, GC, DNS) 2008r2
IP-10.0.0.3
GW-10.0.1.9
DNS-10.0.0.3
DNS-10.0.0.1

DNS (DC, DNS) 2003r2
IP-10.0.0.50
GW-10.0.1.9
DNS-10.0.0.50
DNS-10.0.0.1

Remote site 1

DC1 (DC, DHCP, DNS) 2003r2
IP-10.0.1.1
GW-10.0.1.9
DNS-10.0.0.1
DNS-10.0.2.1

Remote Site 2

DC2 (DC, DHCP, DNS) 2003r2
IP-10.0.2.1
GW-10.0.2.9
DNS-10.0.0.1
DNS-10.0.1.1

I do hope someone has some ideas, because I can't have Exchange fall over every time the PDC reboots!

Healthchecks of AD - issues


Do any of you do independent health checks/technical audits of Active Directory setups for clients/partners? I just wondered if you come across any common issues in design weaknesses/maintenance weaknesses/monitoring weaknesses, and the subsequent risks that this exposes your clients'/partners' businesses to...

LDAP Client Sessions


Hi

I have several DCs with "LDAP Client Sessions" above 100 and I'd like to know:

1) How can I find out where those sessions come from?

2) How can I reset or log off those sessions?

Thank you very much!

Alberto

Problem setting up new domain in different subnet


I'm in the middle of studying for exam 70-640, so a lot of stuff is still a mystery to me.

All of these are set up in VMs. The host and all guest OSes are 2008 R2 trial. All VMs are connected using a VNIC card on an INTERNAL network, which has no access to the internet or my company's network. The physical NIC I use has an IP of 192.168.100.2.

I have a forest root domain, TEST.COM, with two DCs. 192.168.100.3 and 192.168.100.4. Both of these DCs are also a DNS server. 

I'm trying to create a child domain, BRANCH1.TEST.COM. Before I ran DCPROMO, I set it up so that this DC (BRANCH1.TEST.COM) resides on a DIFFERENT subnet, 192.168.101.3. I configured the NIC card so that it uses the two TEST.COM DNS servers. During the process, it's telling me it can't reach test.com. I'll paste the exact error at the end.

Can child domain reside on a different subnet than the parent domain? 

If it can, how can I set BRANCH1.TEST.COM to be on a different subnet?

It looks to me like the 101.3 subnet doesn't know how to get to 100.3. But how do I set this up so they can talk to each other?

Any thoughts? I'm still new at setting this all up.

 

Grant permissions to a single custom attribute, possible?


Hi

Is it possible to grant an account permissions to write to only one or two attribute fields in AD?

Instead of giving full rights to the whole schema.

M


Maelito


Implications of re-using server names.


In our environment we have a group that routinely changes the names of servers. Then later on they will create a new server and give it the original name of the one that was renamed.

This seems like a bad practice to me, but I would like to confirm that if possible so I can explain it to them. One thing I suspect is related is that we have seen computer accounts lose their secure channel to AD and have to be rejoined to the domain.

Thanks for any insight on this.

Kenny


LDAP Query in Active Directory - NPS Network Policy Attribute

Hi Guys,

Does anyone know the best way to search for users in Active Directory (2008) with the attribute "Control access through NPS Network Policy" (in user properties > Dial-in tab) set to deny?

I've tried to put together an LDAP query to filter users but can't find the relevant attribute to put in, and I'm crap at LDAP queries!

Any help would be great guys.

Thanks,
Andrew

Inter-Forest Site Subnet Overlap?


Hello,

I have domain1.com with a site/subnet of London & 10.0.0.0/24 (added in Sites and Services) and now need to create domain2.com, but need to use part of the 10.0.0.0/24 subnet. There will be a trust between domain1.com and domain2.com, so will there be a problem if the 10.0.0.0/24 subnet overlaps on both domains when the trust is established? I'm trying to avoid breaking 10.0.0.0/24 down into smaller subnets to give me a free subnet that I can use specifically for domain2.com.

Thanks.

Peter

mAPIID value not changed after Schema upgrade


I have noticed that the mAPIID value remained the same (32974) even after the schema upgrade.

We had schema version 31 and upgraded to 47, but the above attribute didn't change.

I believe that change is included in sch40.ldf, but for some reason it hasn't been applied.

I need the value to be 35998, which I believe is the minimum in order to use the thumbnailPhoto attribute.

Can anyone shed any light please?

TIA


Problems with Group Managed Service Accounts in Server 2012

Change domain netbios name


Hi,

We have a domain set up (example: TEMP.com) and the NetBIOS domain name was set to (example: TEM&P) when the domain was first created (NT 4.0 days). Many of our new applications have a problem interpreting the "&" in the NetBIOS name. Is there a way we can change just the domain NetBIOS name or get rid of the "&" from the NetBIOS domain name? Our AD controllers are running Windows 2003 Server. We also have an Exchange 2007 server as well as a few Windows 2008 R2 servers on our network.

Thanks

Zak

Can't demote DC


When I try to demote the domain controller, I receive an error that it can't transfer the schema partition: "the dsa operation is unable to proceed because of a DNS lookup failure". What do I need to check? The DNS resolution looks fine.


AD with FSMO down for days?


Our agency is moving over the holidays and my DC with the FSMO roles might be down for a day or two. I have some backup DC/GC servers in remote offices. Should I transfer the FSMO roles to one of those servers, or are we going to be okay if the current FSMO DC is down for a day or two?

Create Account for Select Users to Install Programs


We are outsourcing some of our IT to a local company, and I'd like to allow a few select users to have the ability to install plug-ins or software on end-user machines without having to contact an expensive helpdesk.

What kind of account can I create that will allow users to install software on Domain Computers but not be a full admin account?

Thanks,
Joe K.

Migrating the Certification Authority From a failed Server to another


I am currently working with a site whose CA had a bad hard drive 2 years ago. This CA was running Server 2003. At this point any data on that drive cannot be recovered. Currently all new CA servers have a root of this phantom server. What steps can I take to update the Enterprise Root Certification Authority from the failed server to a new server running Server 2008 R2?

AD Permissions on a specific User Attribute: ms-Exch-Extension-Attribute-5 Attribute


Hi

I would like to use the following attributes, "ms-Exch-Extension-Attribute-5" & "ms-Exch-Extension-Attribute-6", for RADIUS software use.

RADIUS will simply insert a serial number in the field for users. This has nothing to do with Exchange 2010 (my mail server version).

Is it safe to use these 2 attributes for RADIUS, or will Exchange read them also, or will this cause a problem downstream somewhere?

Thanks, Maelito


error while domain


Dear All,

The error below is coming up while adding a system to the domain.

Please help with the following error:

Network Path was not found.
