Channel: Directory Services forum
Viewing all 31638 articles

Account Lockout issue

Hi All,

I am facing a strange account lockout issue for one of the users. In the domain controller logs, the caller computer name is showing the "Domain Controller" name. When looking at event ID 4625, the Source Network Address is showing some other server name.

I have checked that server; the user doesn't have rights to log in on that server, but every time the user account is locked out, it shows only this server name.

On the user's machine I did all the troubleshooting and enabled netlogon debugging on the domain controller, but found nothing.


Nirmal Singh IT Administrator


Group Management (IGLDA)

i have a short question about group management in AD. i've read a lot about IGLDA/IGUDLA and while most of it is quite clear, i still wonder whether to use the domain local groups for each and every object i apply permissions to. i understand that i use the DL groups when assigning permissions to file shares, printers, ... but what about delegating permissions to AD objects like group policies and OUs? do i also use DL groups in that case? or what about groups that i assign specific rights to like local admin permissions on my workstations or RDP access to specific servers? 
all the examples in the various blogs/books/articles only speak about file/printer permission and don't elaborate about permissions in AD itself - so maybe someone can shed some light into this?

ad user only in one ad group

I have the following question about Active Directory. (Domain and Forest level: Windows Server 2008 R2)

I have created in Active Directory three security groups.
Now I want to add an Active Directory user to only one of these three groups.

The user may only be a member of one of the three groups.
It's not allowed to be a member of two or three of the groups that I have created.

How can I create this?

Windows 2008 R2 in an IPv4 network - Do I leave IPv6 enabled?

We have an IPv4 network. When installing a 2008 server, IPv6 is also enabled by default. Should IPv6 be disabled or just left alone?
I have 4 new 2008 R2 servers that will become DCs. Should IPv6 be disabled if I run an IPv4 network?

Some folks have reported problems with IPv6. What's the general consensus? Do I leave IPv6 enabled?

 

Is LDAP on Port 3269 Secure?

Is LDAP on port 3269 (for third-party app authentication) secure by default, or are user names and passwords being passed over the network in clear text unless you add separate SSL encryption on the connection?

Why would you use port 3269 for LDAP vs port 636?


Importing multi-valued attributes from a CSV through powershell into Active Directory?

Can't seem to find how to import a multi-valued attribute into Active Directory, specifically the otheripphone field. I was able to successfully export the first value in that array to a CSV, but nothing works for import:

Export command in powershell (exports 1st value in the array of the ipphonefield)

get-aduser -properties samaccountname,mail,physicaldeliveryofficename,ipphone,otheripphone,enabled | select samaccountname,mail,physicaldeliveryofficename,@{L='otheripphone'; E={$_.otheripphone[0]}},enabled | export-csv "C:\Vidyo_AD_User_export.csv"

Import script(csv file only contains samaccountname and otheripphone field)

$users = Import-Csv C:\test.csv                       
foreach ($user in $users) {                      
 Get-ADUser -Filter "samaccountname '$($user.samaccountname)'" |            
 Set-ADUser -add @{otheripphone=$($user.otheripphone)}
}

I get the following error from the script

Get-ADUser : Error parsing query: 'samacc
ountname 'import.test'' Error Message:
 'syntax error' at position: '16'.
At C:\test.ps1:22 char:12
+  Get-ADUser <<<<  -Filter "samaccountname '$($user.samaccountname)'" |

    + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingEx
   ception
    + FullyQualifiedErrorId : Error parsing query: 'samaccountname 'import.tes
   t'' Error Message: 'syntax error' at position: '16'.,Microsoft.ActiveDirec
  tory.Management.Commands.GetADUser

Information about moving the SYSVOL directory

Hello.
First, I would like to say that I am not a business or professional computer user. I am a home user.
However, I run a domain network from my bedroom server. I am comfortable with active directory, group policy, distributed software installations, etc.
Basically, my server has two RAID configurations - 2x 300GB 15krpm SAS disks in RAID0, and 6x 2TB 7200rpm SATA in RAID5.
During setup of Server 2008, I chose to store the NTDS.DIT, Log files, and SYSVOL directory on the RAID5 array.
Recently I have learned that my 12TB RAID5 Array is likely to encounter a rebuild failure, should one of the disks fail in the future.
The idea of losing 3TB of data is scary enough, spare the thought of losing all of the GPO's and the AD databases...

I have already manually moved the NTDS.DIT, and log files to the C:\ drive (RAID0) for safety, and speed (although speed is not important in my setup) with the NTDSutil prompt, according to the MS article titled "Move the Directory Database and Log Files to a Local Drive".

Now, I would also like to move the entirety of the SYSVOL folder to the same C:\ disk. Every online article I have found is talking about distributed file system, and replication. However, this is a stand alone domain controller. No other server is on the network. How might I go about moving this folder to a different drive? I also really don't like the idea of demoting the system as a domain controller. Sorting out DFS, DHCP, AD, Organizational Units, and all of my GPO's etc took a very long time. I am comfortable with modifications to the registry, and setting file permissions.

Difference in Kerberos settings

Hi -

Does anyone know the functional difference between the  msds-supportedencryptiontypes computer attribute in AD and the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes registry key that is created when the “Configure Encryption Types allowed for Kerberos” GPO is configured? I get that they're both used to identify the Kerberos encryption ciphers used in AD, but under which circumstances (if any) would you use one over the other? In the lab, I've been able to make AES-256 bit encryption work on a W2K8R2/Win7 environment both with and without the GPO, so is the GPO STRICTLY used for backwards compatibility? I always thought it was the reg key that determined which cipher would be used.

Any insights would be greatly appreciated.

Thanks.



AD FS auto certificate rollover

Hi,

Can someone please confirm the functionality of auto certificate rollover?  We're having an issue where new AD FS certificate has been issued automatically, but the rollover was done manually by setting the new certificate to primary.

The issue is that CRM 2011 did not pick up new AD FS certificate.  I'm not looking for the resolution as there are many out there.  I'm looking for confirmation that if auto certificate rollover was enabled new certificate would have been pushed to CRM and updated automatically.  I know that updating relying party metadata for CRM is probably done manually, as well as resetting AD FS service.

Please can someone shed some light on this?

Thanks.

The following error occurred during the attempt to synchronize naming context domainxyz.net from domain controller A to domain controller B

Hi

I have a forest domain controller with 5 tree domain controllers in this forest. During installation of a new tree domain controller (domainxyz.net), when the installation had completed and I restarted my server, my server crashed.

I have installed this new tree domain controller with a different name. I have removed all entries of the crashed domain controller from the forest and also cleaned up the metadata. Replication looks fine to me when I run the command repadmin /showreps, but it gives me the following error when I replicate it from Sites and Services:

The following error occurred during the attempt to synchronize naming context domainxyz.net from domain controller DS1-A to DS1-B.

The naming Context is in the process of being removed or is not accessible

I have a question about Active Directory customization

Hi everyone:

Is it possible to customize the Active Directory Event Receiver? If it is possible, how do I do it?

Thanks

Root Certificate Authority Server has lost Trust with Domain

Hi

My Root Certification Authority has lost its trust with the Domain. This running on a Server 2003 R2 machine which is not a domain controller.

I have no idea when this happened, as I cannot find anything in the event logs and the server is only used intermittently as an IIS Web Server as well. All I see are Event ID 66 and Event ID 1053 recurring every few hours.

As this is a CA, I cannot remove and re-add to Domain from the OS. Have tried resetting the computer account in AD and also tried to force password reset from the machine itself, but to no avail.

Anyone have any ideas?

User cannot change his password RDP

Hi All,

First of all, I have already searched a lot on the internet for answers, but none of them worked.
The problem is that users are not able to change their password by themselves.
When I create a new account and check "User have to change his password after first login", they receive the following message:

  • (An authentication error has occured.
    The local security authority cannot be contacted.
    This could be due expired password.)

The same problem also occurs when users' passwords expire after 60 days. They are not able to change them.
I already checked in the Group Policy, but there the Minimum password age is 0 days. I already tried to install the Microsoft patch, but then it said (The update is not applicable to your computer).

Details: Windows 2008 Server R2 DC, virtual, with a separate VPN server.

Can someone help me?

Thanks in advance.


NEED YOUR HELP!

Three forests and domains, for example: a.local, b.internal, c.mis
a.local has a two-way EXTERNAL trust with b.internal
b.internal has a two-way forest trust with c.mis

Does a.local have a one-way or two-way trust with c.mis?

Thank you!

User account lockout

Hi,

So, I have a windows server 2003 DC which has been working fine for a while. Recently, I've been seeing a user who is repeatedly locked out and it appears to happen when he first logs in in the morning and sometimes throughout the day for no apparent reason.

I installed and ran the lockout monitor from microsoft but it hasn't been very helpful. This is the only thing I've noticed in the NetLog:

02/04 09:01:20 C1: NO_CLIENT_SITE: MPC 10.1.1.25
02/04 09:01:20 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:20 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:22 C1: NO_CLIENT_SITE: MPC 10.1.1.25
02/04 09:01:22 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:22 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:22 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:23 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:23 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:23 C1: NO_CLIENT_SITE: MPC 10.1.1.31

When it last locked out, the Lockout tool had the Bad Pwd Count at "50".  So far, I've tried the following without any luck.

-Deleted and re-created the user account with the same username (in case of a corrupted UID)
-Gave him a new laptop (the problem followed)
-The IP address associated in the log matches his new laptop
-Checked and verified that there are no windows passwords currently in his credentials manager.

Not sure what else I can do, other than possibly creating him a new account with a different username.

Any ideas?? This is driving me insane!



Active Directory user migration

Hello,

We have a domain (abc.com) running two Windows 2003 domain controllers. User names are in the Arabic language. Now we are planning to create a Windows 2012 R2 Active Directory domain (abc.local) in our environment and to migrate all the users from the Windows 2003 domain to the Windows 2012 R2 domain. There is no connectivity between the two domains, old and new (abc.com and abc.local). The total number of users is 150.

Please advise and guide what is the best possible way to achieve this goal.

Thanks in advance.

ADGMS error. Need KB969166 and cannot download it from Microsoft's site

Basically I have several 2008 R2 servers that I need  that have the issue referenced in this article when attempting to install ADGMS: http://portal.sivarajan.com/2011/03/active-directory-management-gateway.html

I need to download KB969166 from http://support.microsoft.com/kb/969166 in order to resolve it, but when I go to the link it tells me to (https://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=20556), I get a page not found error: The content that you requested cannot be found or you do not have permission to view it.

I need both the x86 and x64 versions of this KB. Can anyone help me get this KB?

Branch Office will not host Microsoft services/servers - Sites and Subnets

Hi,

The scenario is the following:

  • 1 Domain. Windows 2012 R2.
  • 6 sites. 1 DC per site. 3 subnets per site.
  • 5 sitelinks.

The sites diagram is the following:

The branch office "SITE04" will not host any Microsoft service/server/PC. The network routing/flow scheme will not change (branch office SITE04 remains routing traffic to/from SITE05 and SITE06).

The questions are:

Must the existing SITE04 subnets be deleted?

Must the existing SITE04 site be deleted?

Must the existing SITE04-SITE05 and SITE04-SITE06 site links be deleted?

If yes to any of the above questions:

How to redesign the subnets/sites/site links?

Thanks in advance!

Modify altSecurityIdentities attribute of users in active directory

Hi,

I have an active directory with two dns windows server 2012 datacenter, and I would like to know how I can modify/change the content of the altSecurityIdentities attribute for the users of the domain.

I have found information related to this, but it is not clear to me how it works.

Can anybody help me?

Thanks a lot.

Windows Server market share by OS version

I've looked around on the internet, but couldn't find the market share of Windows Server by OS version (i.e. 2003, 2008, 2012) in the Windows Server world. How many companies use 2012 version? The purpose of the question is to understand which version of Windows Server is best for learning MS technologies, like AD or IIS etc. 2003 is certainly going off the shelf.