Channel: Directory Services forum

How to grant permission to change UserWorkstations attribute ?


Hi,

I would like to grant a security group the permission to read and change the UserWorkstations attribute (Log on To... from Account Tab in ADUC).

But when I look at the permissions and properties available through Advanced Security Settings, UserWorkstations does not exist... I have only:
"Read logonWorkstation"
"Write logonWorkstation"

I tried these but they do not work.

Is there a way to make it work?


IP Based HRD in AD FS Windows Server 2012 R2?


Hi,

At this moment I'm doing a project for a large financial customer in The Netherlands who plans to upgrade their AD FS 2.0 farms to AD FS Windows Server 2012 R2 (3.0).

The reason this customer needs to upgrade is because they are going to migrate from SharePoint 2007 to SharePoint 2013, and the latter uses dynamic URLs when you create a SharePoint App. Federating this with AD FS is only supported in the latest AD FS version.

The customer is using AD FS to federate with all web applications based on SharePoint technology and some other web applications. The customer is also using multiple IdPs (External, Government, Internal, Customers and Stakeholder organizations) for their Relying Party trusts and does not want users to have a selection screen to select the correct IdP before they log in. This is called Home Realm Discovery (HRD).

On their current platform they have customized the web.config and created a HomeRealmDiscovery.asp.cs to create a temporary domain cookie which determines the IP address of the source client and selects the correct IdP when they connect to a Relying Party Trust. This process will be triggered to determine if a user is from an internal client but also to determine if the user is coming from a specific external partner organization. In this case no users will be asked to select their corresponding IdP when they login to an application.

In AD FS 3.0 the HRD process is improved. You can now enable IntranetUseLocalClaimsProvider on the ADFS Properties for the AD FS farm. This solves a part of the problem which will be the determination of internal clients. It however doesn't solve the problem to determine a partner organization based on their IP Address.

The second part of the new HRD improvements (the OrganizationalAccountSuffix which can be set on the AdfsClaimsProviderTrust) isn't of much use in this scenario because not all partner organizations use, or will ever use, an e-mail address or UPN to log in to the application.

I also thought of doing some custom coding in a new Authentication Provider based on the Microsoft.IdentityServer.Web namespace. But I don't know if this will work and how to create this because the namespace is poorly documented for use with AD FS 3.0.

I have found some blog posts on the net where a similar scenario is described, but they solved it in SharePoint by creating a redirect. Since we are not only using SharePoint and we preferably want to have the HRD logic on AD FS and not on the application side, this doesn't help very much.

Does anyone have any ideas how I can tackle this issue?

PS. I'm also considering opening a Microsoft support case.

Thanks


Cor


Technical Consultant Exchange | MCP, MCSA, MCSE, MCTS, MCITP | Blog: http://www.reinhard-online.nl | Follow me on twitter: correinhard | Please, feel free to nominate me for MVP @ https://mvp.support.microsoft.com/gp/mvpnominate

How to Deny Permission for Renaming OU

Hi All,

How to deny permission for renaming an OU in Windows Active Directory 2008? I have enabled the Directory Access and Object Access auditing policies in GP. Some Help Desk engineers are renaming OUs accidentally; we need to prevent this in future. Can anyone help me with how to deny the access permission?

Regards
Ganga

update distinguishedName field in Active Directory?


Hi all,

We are trying to create the Active Directory users from SAP. But we are not able to manipulate the Distinguished Name attribute to create the users inside the right OU. We tried to pass the value of the OU name to the attribute 'o', which is not affecting the distinguishedName attribute. Kindly suggest ideas?

Two Forests using Same Subnets?


We've set up a new 2012 R2 forest that we plan to migrate our 2008 R2 resources to over time. Currently it is on our production network, on the same IP ranges as our production forest.

I've suggested that we really should put the new domain on new, different subnets so that we don't have any issues with AD sites, replication, authentication or our AD site-enabled applications such as SCCM 2012. Not to mention DHCP.

Has anyone been able to stand up a forest using the same subnets / Sites for two different forests? My thoughts are that it can't (shouldn't) be done.


Orange County District Attorney


Does Windows log a "Member removed" event for security groups when an AD user account is deleted?

We have AD DS security auditing enabled on a Windows Server 2008 R2 functional level domain. We use a third party tool to alert us to changes to our administrative group memberships. We recently deleted several service accounts that were members of the Domain Admins security group, but no one was alerted by our third party tool. Further investigation turns up no results in the security log on the DC if I search for a "Member removed" event (event IDs 637, 633, or 661).

I'm trying to determine if there's a fault in our auditing configuration, a fault in the third party tool, or if Windows simply does not log "Member removed" events for security groups when a user in a security group is deleted.
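One way to check the audit trail for the scenario above, as an added example that is not part of the original post: on a 2008 R2 DC the group-membership removal events are logged under the 4xxx IDs (4729 global, 4733 local, 4757 universal), and the deletion itself is 4726, so querying both together shows whether a deletion left only a 4726 behind. It assumes event-log read rights on the DC and that the Account Management audit subcategories are enabled.

```powershell
# Added example, not the poster's script. Pulls group-member-removed and
# user-deleted audit events from the Security log and correlates them.
# Assumes: run on (or remoted to) a DC with rights to read the Security log;
# 'auditpol /get /category:"Account Management"' should show the
# Security Group Management and User Account Management subcategories enabled.
$ids = @{
    4729 = 'Member removed from security-enabled global group'
    4733 = 'Member removed from security-enabled local group'
    4757 = 'Member removed from security-enabled universal group'
    4726 = 'User account deleted'
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($ids.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # The XML view exposes the EventData fields by name, which is more
    # reliable than parsing the localized Message text.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $ids[$_.Id]
        Target  = $d['TargetUserName']   # group name for 4729/4733/4757, account for 4726
        Member  = $d['MemberName']       # DN of the removed member (empty for 4726)
        Subject = $d['SubjectUserName']  # who performed the change
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If only 4726 rows appear for the deleted service accounts, the alerting tool needs to key on account deletions as well as on membership-removed events.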

ADMT 3.2 - Service Account reference not updating between SOURCE and TARGET domains


Hi all,

I'm migrating a small test environment from a child Domain onto the Root domain.

(SOURCE) test.child.net ---> (TARGET) child.net

Using ADMT I can migrate everything across, including Service Account references on the servers; however, the Service Account reference on the migrated Windows Services still references the test.child.net account instead of mapping it to the child.net account.

I migrated the accounts first and also ran the Security Translation Wizard, both without any issues. The account I am using has 'Logon Locally' rights on the TARGET domain.

When I migrate a server which uses a Service Account to run services onto the Target Domain, it copies the reference but doesn't change it to reference the TARGET domain equivalent like it does with folder permissions.

SOURCE SERVICE - account1.test.child.net
TARGET SERVICE - account1.test.child.net (When I would expect this to use account1.child.net)

Hopefully this makes sense and someone has come across this before and can point me to where I'm going wrong.

Regards,

Martin


can not map DFS link across two domains


Hi,

There are two different domains, a.local and b.local.
There is a DFS link \\b.local\root\fiance\bill published in b.local.
The two domains are allowed to connect.
In domain a.local, I tried to map \\b.local\root\fiance\bill
using a b.local account; I got a prompt to enter the user name
and password, which I did. I got access denied. I checked permissions
and the account in b.local does have permissions to the DFS link.

So, can we map \\b.local\root\fiance\bill in domain a.local
using a b.local account?

Thank you!


Setting up domain time source

Hi, we seem to be having some trouble setting up NTP in our domain. This is apparently a very simple process: type a few commands and voilà, it all works.

The present state of set up is this

3 domain controllers, one holding all FSMO roles. The one holding the FSMO roles has a GPO applied to it using WMI filtering. I have confirmed that the GPO is effective with RSOP. In this GPO we have enabled the NTP client and also set the below


The NTP server is our core switch which in turn gets time from the internet. 

When I check the config on the PDC I get



But when I run a check the time against the source I get a difference 

Tracking 
The current time is 23/01/2015 17:34:20.
17:34:20, +04.1620684s
17:34:22, +04.1573097s

Any ideas?

DCs are 2012 R2, as is the functional level on forest and domain.

Thanks

How to grant Admin rights on DC without giving Domain Admins rights?

In our team we had to split our duties (OS admins, AD admins, DNS admins etc.).
The team responsible for OS management needs to have full administrator rights on all servers, including DCs.
And with DCs things get complicated. We do not want to give full Builtin\Domain Admins or Builtin\Administrators rights. We need to restrict permissions to AD and GPO. But they should have all other rights (the Server Operators group is NOT ENOUGH).
Moreover, I don't want to use deny access because it is not advised by Microsoft and some rights may need to be delegated in future.

I have found one solution but I'm not sure if this won't cause issues (sooner or later).

What I want to do is the following (tested in lab):
1. Log in to DC with Domain Admins rights
2. Create new group: "DCAdmins" and add OS Admins there.
3. Navigate to DSA.msc right click on domain > properties > security.
4. On security tab choose builtin\Administrators group and REMOVE group (yes remove). Apply, close.
5. Open the builtin\Administrators group and add the DCAdmins group created in step 2.

From what I can tell, everything works a treat (at least for now). OS Admins have full Administrators rights without permissions to AD, GPO, DNS etc.
Can someone tell me something more about this solution? Is it safe to perform such an operation on a LARGE environment with 20 DCs? Maybe there is another way?

Oh and:
Domain Functional Level is Windows 2012 R2
Forest Functional Level is Windows 2003

Security-Kerberos Event ID 4 KRB_AP_ERR_MODIFIED for DC, target name cifs/domain


I've been finding this event in logs on computers in my domain recently.  I've seen it on a variety of servers and workstations, so I think it's probably affecting all domain members.  The specific domain controller mentioned in the text of the event varies, it could be any one of our domain controllers.  I'm not sure when it started.  I've been trying to search for a solution, but so far I'm not finding anything that quite fits.  

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          12/22/2014 10:21:55 AM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      HOST.DOMAIN.COM
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DOMAINCONTROLLER$. The target name used was cifs/DOMAIN.COM. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

How can I track down the cause of this issue?
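One way to start tracking this down, as an added example that is not from the original post: the event text names two causes, an SPN registered on more than one account and a service-account password mismatch with the KDC. The script below enumerates every account holding the SPN named in the event and then runs the built-in forest-wide duplicate-SPN scan. It assumes the ActiveDirectory RSAT module and that DOMAIN.COM is replaced with the real target name from the event.

```powershell
# Added diagnostic, not the poster's script. Assumes the ActiveDirectory module
# (RSAT) is installed and the account running it can read the directory.
Import-Module ActiveDirectory

# Placeholder: substitute the target name shown in the event (cifs/DOMAIN.COM).
$domainFqdn = 'DOMAIN.COM'

# The CIFS service class is served under the HOST class as well, so look for both.
$filter = "(|(servicePrincipalName=cifs/$domainFqdn)(servicePrincipalName=HOST/$domainFqdn))"

$holders = @(Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName |
    Select-Object Name, ObjectClass, DistinguishedName)

if ($holders.Count -eq 0) {
    Write-Warning "No account registers cifs/$domainFqdn or HOST/$domainFqdn"
} elseif ($holders.Count -gt 1) {
    # More than one holder matches the first cause named in the event text:
    # the KDC may issue a ticket encrypted with a key the serving host cannot decrypt.
    Write-Warning "SPN for $domainFqdn is registered on $($holders.Count) accounts:"
    $holders | Format-Table -AutoSize
} else {
    Write-Output "Single SPN holder:"
    $holders | Format-Table -AutoSize
}

# Forest-wide duplicate-SPN report (setspn ships with Windows; -X lists
# duplicates, -F widens the scope from the domain to the forest).
setspn -X -F
```

The second cause in the event text (a DC whose computer-account password no longer matches the KDC copy) is not something this listing shows; it is checked per DC with the secure-channel tools rather than from the SPN data.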


disable change notification on site links

Everything I see on Google is how to enable it; I need to turn it off. Do I just clear the options field on the site link? Does anything on the DCs in the site link scope have to be recycled? Server 2012 DCs and 2012 FFL/DFL.

Thanks!

Have Effective Permissions but not showing in Advanced Security in AD UC


I'm trying to find out where a user account is getting permissions to our Active Directory Users & Computers.  On the entire domain it has the ability to modify all properties, modify permissions, change owner, and a bunch of stuff that it shouldn't.  I found this out when testing and verified it with using "effective permissions".  The weird thing is, when looking at Advanced security, neither the user nor the security group it is in are explicitly given permissions anywhere in ADUC.  My question is:  where could it be getting these rights?  How do I find it if it's not in the Advanced Security Settings area of ADUC? 

I know the problem is the security group and not the user account.  After I removed the user account from its security group, it no longer had the extra permissions it shouldn't have.

TestUserA is a member of SecurityGroupA:  TestUserA has rights to all of our AD domain  (unexpected, not sure where the rights are coming from)
TestUserA removed from SecurityGroupA:  TestUserA only has basic "read" rights to our AD domain (the desired level of permissions)

Any help or suggestions on where SecurityGroupA's permissions are coming from would be helpful. Thank you!

Replication issues: Operations Master shows ERROR and attempting to connect to server shares gets "the target account name is incorrect"


I think this should be easily resolved, but I need some guidance.

I have a client with 2 Server 2003 R2 x64 DCs: BORIS & NATASHA. Last year I upgraded both of them from x86 to x64 one at a time, allowing replication to occur between the upgrades. BORIS is the FSMO roles holder as it is currently the production server, while NATASHA is a backup DC. One thing that puzzles me though is that if I look at the NS record in DNS on the SOA tab, it says NATASHA is the Primary server.

While doing some routine maintenance I noticed an error in the File Replication Service events about a 'Tombstone' situation (Event ID 2042). I looked at article cc757610 in the Technet Library and opted for remedy #3 as I did not want to demote NATASHA and I got confused looking at the help about using "repadmin /removelingeringobjects". I have no idea how to determine which DC has the good copy of the directory.

Now, in running "repadmin /showrepl" I get

"DC=CPA,DC=local
    Default-First-Site-Name\BORIS via RPC
        DC object GUID: 0267a090-1890-40e2-9a15-ea928cabd425
        Last attempt @ 2012-12-27 08:28:55 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1179 consecutive failure(s).        Last success @ 2012-12-21 23:30:15." <-- THIS IS WEIRD SINCE THIS IS THE DATE THAT I DISCOVERED THE TOMBSTONE EVENT AND MADE THE REGISTRY CHANGE (I THINK).

When I try to look at the FSMO roles on NATASHA, it shows ERROR for RID, PDC & Infrastructure and says "The current Operations Master is offline. The role cannot be transferred." The other issue I'm having is that client PCs are intermittently having trouble reconnecting to necessary server shares.

TIA


Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP




Server 2008 R2 DNS issues

Hi, we have a small domain network with dual DHCP/DNS servers on 2008 R2 servers. They are currently both primary DNS servers. When either server goes down we lose DNS functionality, including created A records.

Here is a result of dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC2
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC2 failed test DNS

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : mannm

   Running enterprise tests on : mannm.local
      Starting test: DNS
         Test results for domain controllers:
            DC: DC2.mannm.local
            Domain: mannm.local
               TEST: Basic (Basc)
                  Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
         DC2 PASS WARN n/a n/a n/a n/a n/a
         ......................... mannm.local passed test DNS

Thoughts on why it's failing?


Remote office, no DC and a public DNS Server

We are trying to do a unique setup, which is turning out to be more trouble than I expected.

We have one office, which contains all our servers, DHCP, DNS, DC, EXCH, FILE...etc   This office has their own internet connection.

Servers: 192.168.0.109 is our DNS and DC server.

We have a second office, which is connected to the main office via a fiber connection.   The second office is a disaster muster zone and we needed to connect them to their own Internet connection.  Essentially, if the main office is down, this office needs to have access to the internet.

We configured the firewall on the remote office side to use 8.8.8.8 and 192.168.0.109 as our DNS, but when I try to ping the DC by name it will not resolve.

We have added the names/IPs to hosts files, which allows us to resolve the servers by name, but we are not able to authenticate with AD at all. When we log into the computers we are logging in via cached credentials, and when we try to access network shares, we need to enter credentials.

Is what we are trying to do even possible without having a local DC?

AD DESIGN REPLICATION SCENARIO

What is the recommendation for site-link protocols and replication schedule/frequency, as well as possible for Branch 1?

Account Lockout Automatically in Windows 2008 R2 Active Directory


Dear All,

We have a Windows 2008 R2 Domain Controller. Suddenly we have received issues of all users' accounts being locked out unexpectedly.

All users are locked out. I don't know why it is happening. We have manually unlocked users, but again they get locked within 2 to 3 minutes.

Is there any fix for that?

Please help me immediately.

Regards

Kamal Patel


Regards, Kamal Patel Windows Administrator

DNS Delegation for secondary DC


We have 2 domain controllers, one Windows Server 2003 and the other Windows Server 2008, each with DNS services. We would like to decommission the Server 2003 DC and have started with a new Windows Server 2012 R2. We are in the process of adding AD, DHCP and DNS to the new 2012 server, and we are at the option to either check or uncheck "update DNS delegation". We want to add DNS on this server as a secondary DNS.

Can you explain whether we need to check or uncheck this option? This will be the secondary DC with DNS for redundancy.

Regards,
Robert

Unit 4 Assignment 1, AD Replication Scenario

What are the recommendations for site-link protocols and replication schedule/frequency, as well as the possibility of recommending/justifying redundant links to branch 1?