Channel: Directory Services forum

Forest wide Replication Partners - Best Practise


I have recently started with a new employer and have been tasked with looking through their AD and making any suggestions for changes / improvements.

Briefly, there is a main head office with 3 DCs and 39 branch offices, each with 1 DC. The head office is the main site, with each branch office being a separate site in the domain, and all offices are connected via a 10 MB link.

I have been looking at the replication partners for the sites and can see that there are some interesting configurations. Now I am not saying it is wrong, but is there a definitive guideline for how this sort of setup should be configured for replication?

There are no bridgehead servers anywhere and it almost seems as if the replication partners are just linked at random. I have noticed some interesting replication issues with the SYSVOL share and am wondering if this setup could be the cause!

Any thoughts most welcome.


Rob
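An added example, not from the post above: a PowerShell inventory of the inter-site topology, so that "random-looking" partners can be compared with what the KCC/ISTG should build from the site links. It needs the ActiveDirectory RSAT module and read access to the Configuration partition; no server or site names are hard-coded.

```powershell
# Added example (not the poster's code): audit inter-site replication topology.
Import-Module ActiveDirectory

$cfgNC = (Get-ADRootDSE).configurationNamingContext

# An NTDS Settings DN looks like
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
# so the server is RDN 1 and the site is RDN 3.
function Get-RdnValue([string]$Dn, [int]$Index) {
    (($Dn -split ',(?=CN=)')[$Index]) -replace '^CN=', ''
}

# 1. Preferred bridgeheads. Nominating one sets bridgeheadTransportList on the
#    server object; with none set, the ISTG of each site picks one itself.
$preferred = Get-ADObject -SearchBase "CN=Sites,$cfgNC" -SearchScope Subtree `
    -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))'
$names = ($preferred | ForEach-Object { $_.Name }) -join ', '
"Preferred bridgeheads: " + $(if ($preferred) { $names } else { 'none (ISTG chooses per site)' })

# 2. Is automatic site-link bridging on? Bit 0x2 of 'options' on the IP
#    transport object means "bridges required", i.e. bridging is switched off.
$ipOptions = (Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfgNC" -Properties options).options
"Bridge all site links: " + (-not (($ipOptions -band 2) -eq 2))

# 3. Site links: cost, interval and member sites. A hub-and-spoke domain is
#    normally one link per branch to the hub, or one link holding every site.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    ForEach-Object {
        [pscustomobject]@{
            Link    = $_.Name
            Cost    = $_.Cost
            Minutes = $_.ReplicationFrequencyInMinutes
            Sites   = ($_.SitesIncluded | ForEach-Object { Get-RdnValue $_ 0 }) -join ', '
        }
    } | Format-Table -AutoSize

# 4. Connection objects that cross a site boundary. Manual = True means a human
#    created it: the KCC neither maintains nor removes such objects and they
#    bypass bridgehead selection, so they are the first thing to question.
$crossSite = Get-ADReplicationConnection -Filter * -Properties AutoGenerated |
    ForEach-Object {
        [pscustomobject]@{
            To       = Get-RdnValue $_.ReplicateToDirectoryServer 1
            ToSite   = Get-RdnValue $_.ReplicateToDirectoryServer 3
            From     = Get-RdnValue $_.ReplicateFromDirectoryServer 1
            FromSite = Get-RdnValue $_.ReplicateFromDirectoryServer 3
            Manual   = -not $_.AutoGenerated
        }
    } | Where-Object { $_.ToSite -ne $_.FromSite }

$crossSite | Sort-Object Manual, ToSite, To | Format-Table -AutoSize

# 5. Per site, which DCs actually receive inter-site connections. More than one
#    per branch, or a branch pulling from another branch instead of the hub,
#    are the patterns to explain or clean up.
$crossSite | Group-Object ToSite | ForEach-Object {
    $inbound = ($_.Group | ForEach-Object { $_.To }) | Sort-Object -Unique
    "{0,-30} inbound bridgeheads: {1}" -f $_.Name, ($inbound -join ', ')
}
```

SYSVOL replication (FRS or DFSR) rides on the same connection objects and schedule as AD replication, so a tangled topology tends to show up in SYSVOL first. After deleting hand-made connections, `repadmin /kcc *` makes every DC recompute its topology and `repadmin /showrepl * /csv` shows the result.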


Testing LDS functionality


Dear Colleagues,

I have installed an LDS server to support multi-forest authentication for Cisco UC Manager. I have extended the schema, imported the affected users and finally set the new LDS server as the source. The user import was successful from both domains (as proxy users with all necessary attributes), but no one can authenticate.

The CUCM error message has no usable information (LDAP error! Contact your Administrator). My 'Cisco' colleague has started to check the CUCM logs, but meanwhile I should check the LDS-related logs (no usable info) and the functionality.

How can I test the LDS based authentication without CUCM?

Any suggestion will be appreciated!

Cheers, Laci
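An added example, not from the post above: the simple bind that CUCM performs, reproduced from a workstation with System.DirectoryServices.Protocols, so the LDS side can be tested without CUCM. Host name, port and the DNs are assumptions. A userProxy object is authenticated by AD LDS forwarding the password to the domain that owns the SID stored on the proxy object, and by default LDS accepts such a bind only over SSL/TLS (RequireSecureProxyBind), so port 636 is tried first.

```powershell
# Added example (not the poster's code): bind to AD LDS the way an LDAP client would.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdsBind {
    param(
        [Parameter(Mandatory)][string]$Server,     # e.g. lds01.corp.example (assumed)
        [int]$Port = 636,
        [Parameter(Mandatory)][string]$BindDn,     # DN of the object in the LDS partition
        [Parameter(Mandatory)][string]$Password,
        [switch]$NoSsl                             # only if RequireSecureProxyBind was turned off
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = -not $NoSsl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as CUCM does
    $conn.Timeout  = [TimeSpan]::FromSeconds(15)
    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($BindDn, $Password)))
        # Prove the session is usable after the bind by reading rootDSE
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)', 'Base', @('namingContexts'))
        $res = $conn.SendRequest($req)
        $ncs = $res.Entries[0].Attributes['namingContexts'].GetValues([string]) -join ' ; '
        [pscustomobject]@{ BindDn = $BindDn; Result = 'OK'; Detail = $ncs }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ServerErrorMessage carries the "data" code: 52e bad password, 525 user
        # not found, 533 disabled, 773 must change password, 775 locked out
        [pscustomobject]@{ BindDn = $BindDn; Result = "LDAP error $($_.Exception.ErrorCode)"; Detail = $_.Exception.ServerErrorMessage }
    } finally {
        $conn.Dispose()
    }
}

# Test in this order; each step isolates one layer (all DNs assumed):
# 1. A native LDS user (password stored in LDS) separates TLS/connectivity
#    problems from proxy problems.
# 2. One userProxy imported from each forest.
$lds = 'lds01.corp.example'
Test-LdsBind -Server $lds -BindDn 'CN=svc-test,CN=Users,DC=cucm,DC=lds'  -Password (Read-Host 'native LDS user password')
Test-LdsBind -Server $lds -BindDn 'CN=jsmith,OU=ForestA,DC=cucm,DC=lds'  -Password (Read-Host 'forest A user password')
Test-LdsBind -Server $lds -BindDn 'CN=mmueller,OU=ForestB,DC=cucm,DC=lds' -Password (Read-Host 'forest B user password')
```

If the native user binds and the proxies do not, compare the proxy's objectSid with the SID of the user it stands for (the ActiveDirectory module can read the LDS object with `-Server lds01.corp.example:389`), and confirm that the machine running the LDS instance can itself authenticate users of both forests, since that is what the bind redirection relies on.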

I need to be able to Cut and paste across volumes and drives. Not copy/paste. Help!!!!!!


OK, I have looked all over the internet, all up and down your forums. There is no one giving anyone the answer we really need. The question is simple:

How do you set the drag and drop features on your local machine to cut and paste regardless of the destination folder, drive, volume, etc.?????

We deal with sensitive data here. We cannot afford for this data to be located in more than 1 place at any given point in time (a few minutes when the user is inputting the data). Hence, when a document is loaded into a network shared drive, we need the ability to cut and paste the data both to and from that network drive, and as we use over 20 different network drives for various reasons, we need these settings to be on the local machines.

It should be a simple setting, but apparently NOT. This is a developer issue; where are the settings to change the behavior from the default?

Is there a way to do this or not? By the way, I have over 2000 machines accessing these drives, and only a handful cannot cut and paste to those drives. All the other machines seem to work fine.


Domain Trust - SIDs not resolving


I have a one-way trust with an external domain. I am a domain admin on my domain and have a domain user account in the remote domain (domainA). My domain (domainB) is trusting the remote domain. We normally add users from domainA to domain local security groups in domainB. This allows remote users to authenticate to application servers in domainB. The AD upgrade process from 2003 server to 2008 R2 has recently been started on both domainA and domainB. Both domains are still at 2003 functional level. DomainB has both 2008 R2 and one 2003 DC.

The problem is that when I try to open a security group in domainB, the SIDs are not resolved to friendly names. I have a Wireshark capture of attempting to enumerate the objects that have been added to the security group from domainB (clicked on the "Members" tab) and have seen the DC in domainB connect to a DC in domainA. DomainA replies with a message: NCA_S_ACCESS_DENIED.

The following failure audit recorded in the security event log of a DC in domainA: 

EventID: 4625
Security ID: Null SID
Account Name: DC_domainB$
Account Domain: domainB

Failure Reason: Unknown username or bad password

I am confused why domainA would care about username/passwords when that domain has a trust established with domainB?  

Thanks in advance for the help. 
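An added example, not from the post above: the three checks behind an unresolved SID on a group's Members tab, run from a domainB machine with the ActiveDirectory module. The DC, domain and group names are assumptions.

```powershell
# Added example (not the poster's code): trust state, secure channel, SID translation.
Import-Module ActiveDirectory
$dcB     = 'dcb01.domainb.example'                                  # assumed
$trusted = 'domainA'
$groupDn = 'CN=AppServerUsers,OU=Groups,DC=domainb,DC=example'      # assumed

# 1. What domainB holds about the trust. Direction, SID filtering and selective
#    authentication all change what the other side will answer.
Get-ADTrust -Filter "Name -like '$trusted*'" -Server $dcB |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined

# 2. The DC's secure channel to the trusted domain. SID and name lookups across
#    an external trust travel over this channel, so the DC (not the end user)
#    is the account domainA sees authenticating. A failure here is a trust
#    problem: fix the trust password before looking at user accounts:
#      netdom trust domainB /domain:domainA /reset /UserO:domainB\admin /PasswordO:* /UserD:domainA\admin /PasswordD:*
nltest /server:$dcB /sc_query:$trusted
nltest /server:$dcB /sc_verify:$trusted

# 3. Translate each foreign member the way the Members tab does (LSA LookupSids,
#    which chains through the trust). The FSP object is named after the SID.
$members = (Get-ADGroup -Identity $groupDn -Properties member -Server $dcB).member
foreach ($dn in $members) {
    if ($dn -notmatch '^CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals,') { continue }
    $sid = New-Object System.Security.Principal.SecurityIdentifier $matches[1]
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = "UNRESOLVED ($($_.Exception.Message))" }
    [pscustomobject]@{ SID = $sid.Value; Name = $name }
}
```

Run step 3 on the 2003 DC and on a 2008 R2 DC of domainB (`-Server`) and compare: if only one of them resolves, the capture and the 4625 on the domainA side should be taken from that DC's attempt.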

AD with FSMO down for days?

Our agency is moving over the holidays and my DC with FSMO roles might be down for a day or two. I have some backup DC/GC servers in remote offices. Should I transfer FSMO roles to one of those servers, or are we going to be okay if the current FSMO DC is down for a day or two?
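An added example, not from the post above: which roles sit on the DC that is going offline, what stops working while each is down, and a dry run of a graceful transfer to a DC in another site. The candidate DC name is an assumption.

```powershell
# Added example (not the poster's code): FSMO holders, outage impact, transfer dry run.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
$going  = $domain.PDCEmulator        # the DC being moved; change if it is another one

$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
# What a one-to-two-day outage of each role costs
$impact = @{
    SchemaMaster         = 'schema changes (adprep, Exchange setup) fail; nothing else'
    DomainNamingMaster   = 'adding/removing domains or application partitions fails; nothing else'
    PDCEmulator          = 'password changes/lockouts propagate slowly, domain time source, GPMC edits default to it, NT4-style clients'
    RIDMaster            = 'no new RID pools; a DC stops creating objects only when its current pool runs out'
    InfrastructureMaster = 'cross-domain group membership references go stale (irrelevant when every DC is a GC)'
}
$holders.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Role = $_.Key; Holder = $_.Value; OnOfflineDc = ($_.Value -eq $going); IfDown = $impact[$_.Key] }
} | Format-Table -AutoSize -Wrap

# Candidates: writable DCs elsewhere. The infrastructure master must not be a
# GC unless every DC is a GC, so that is checked per candidate.
$allGc = -not (Get-ADDomainController -Filter { IsGlobalCatalog -eq $false })
Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Where-Object { $_.HostName -ne $going } |
    Select-Object HostName, Site, IsGlobalCatalog, @{n='OkForInfraMaster'; e={ $allGc -or -not $_.IsGlobalCatalog }}

# Dry run. Remove -WhatIf to transfer while the source is still online.
# -Force would be a seizure, reserved for a DC that is never coming back.
$candidate = 'dc-remote1.agency.example'   # assumed
Move-ADDirectoryServerOperationMasterRole -Identity $candidate `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster -WhatIf
```

Transferring before the move and transferring back afterwards is cheap; a seizure is not, because the old holder must then never return as the role owner. If the roles stay put, the PDC emulator is the one users notice first.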

Can't validate trust against RODC


Hi,

We have a customer that we have set up a one-way external selective trust to. We have a VPN tunnel set up between us and them. We have 2 RODCs set up on our side for them that are in their domain. These RODCs can talk to their RWDCs and our RWDCs. We are not able to validate the trust unless our RWDC has a path back to their RWDC.

Can you not validate a trust against an RODC? Doesn't the RODC forward the request back to the RWDCs? We don't see any errors indicating what the issue is, just that there are no AD DCs available for the domain.

Yes, all ports are open that are necessary. It just won't work unless our RWDCs can talk to their RWDCs.

Thanks.

adfs 2.0 Hardware Load Balancer configuration


Hello All,

Does anybody know the HLB configuration for ADFS 2.0 Server (Windows 2008 R2)?

Affinity: Source IP Address

Algorithm:Least Connections

Sticky Connection

Time Out

Regards

Jose Osorio

Syncing road warrior's AD password.


We recently flagged a large number of accounts to require password reset.  We also have a policy in place that only allows users to change passwords once every XX days.

Now we are running into a situation where a road warrior user powered up their laptop, connected via VPN (and was prompted to change their password, which they did). This updated their AD password, but their local machine password is still cached at the old value.

When they try to CTRL-ALT-DEL to update their password, it obviously doesn't work -- presumably either because their "old" password that they enter for verification is no longer valid, or because XX days have not expired and thus they are not allowed to change their password until that amount of time has expired.

Thought we could be clever and edit pwdLastSet, but it doesn't appear it can be explicitly set to anything other than 0 or -1.

Any bright ideas on how we can get our local credentials in sync with AD again (short of removing the 30 day policy... may be an option, but there must be another way)?


GPUPDATE /force warning even though folder redirection has not been configured


Hi All,

We have 2008 R2 domain and forest functional levels and Windows 2008 R2 / Win 7 client machines.

When we try GPUPDATE /force on any of the domain machines we get the warning:

"The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance."

But we have not configured a folder redirection GPO in our domain; also, after logoff and login we haven't received any GPO success events. We got 501 and 1202 events on the client machines. Please help in this regard.

How to purge from AD

I have AD where the PDC is trying to communicate with another DC that is no longer online, so I am looking at running

repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition /advisory_mode

to flush out these old entries.

Can someone give me an actual example of the mentioned command? With the commands I've tried, I cannot get it to work.

Thx.
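An added worked example, not from the post above. Two different problems look alike here: a DC that is gone for good but still has an NTDS Settings object, so the PDC keeps trying to replicate with it (fixed by metadata cleanup, not by removelingeringobjects), and a DC that was offline longer than the tombstone lifetime and came back holding objects everyone else has deleted (what /removelingeringobjects is for: it compares a suspect DC against a healthy reference DC, partition by partition). The DC names are assumptions.

```powershell
# Added example (not the poster's code): build the repadmin command from AD data.
Import-Module ActiveDirectory
$referenceDc = 'DC01.corp.example'    # healthy DC whose copy is trusted (assumed)
$suspectDc   = 'DC02.corp.example'    # DC to be checked for lingering objects (assumed)

# Case (a): the old DC is never coming back. Find its server object with
#   repadmin /showrepl   (the stale partner is listed with the last failure)
# and remove its metadata; the DN is the server object, not the computer object:
#   ntdsutil "metadata cleanup" "remove selected server CN=OLDDC,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=corp,DC=example" quit quit

# Case (b): the GUID repadmin wants is the "DSA object GUID" (objectGUID of the
# NTDS Settings object) of the REFERENCE DC, the first line repadmin /showrepl prints.
$refNtdsDn = (Get-ADDomainController -Identity $referenceDc).NTDSSettingsObjectDN
$dsaGuid   = (Get-ADObject -Identity $refNtdsDn -Properties objectGUID).objectGUID.Guid

# Every partition the suspect DC hosts: domain, Configuration, Schema and the
# DNS application partitions it holds.
$partitions = (Get-ADRootDSE -Server $suspectDc).namingContexts

foreach ($nc in $partitions) {
    # /advisory_mode only logs what would be deleted; drop it to actually delete.
    Write-Host "repadmin /removelingeringobjects $suspectDc $dsaGuid `"$nc`" /advisory_mode"
    & repadmin /removelingeringobjects $suspectDc $dsaGuid $nc /advisory_mode
}

# Advisory results land in the suspect DC's Directory Service log: one event
# 1946 per object that would be removed, 1942 as the summary of a real removal.
Get-WinEvent -ComputerName $suspectDc -FilterHashtable @{ LogName = 'Directory Service'; Id = 1946, 1942 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message.Split("`n")[0] }}
```

To check the whole domain, wrap the partition loop in `foreach ($dc in Get-ADDomainController -Filter *)` with `$suspectDc = $dc.HostName`, skipping the reference DC itself. A suspect DC that has already been demoted or wiped yields nothing here; that is case (a).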

RODC trusted domain cannot resolve resources (users/groups)


DomainDMZ has a one-way trust (External, with domain-wide authentication) with DomainLAN

DomainDMZ sites & services

Subnets
-------
10.0.20.0/24
10.0.24.0/24
10.0.40.0/24
10.0.41.0/24
10.0.42.0/24

Sites
-----
Default-First-Site-Name (10.0.41.0/24 & 10.0.42.0/24)
RDWC1 -> ip = 10.0.42.1
RDWC2 -> ip = 10.0.41.1

DMZ (10.0.20.0/24 & 10.0.24.0/24)
RODC1 -> ip = 10.0.24.1
RODC2 -> ip = 10.0.24.2

***********************

DomainLAN

Subnets
-------


Sites
-----

Default-First-Site-Name
RDWC101 -> 10.100.0.1
RDWC102 -> 10.0.40.102
RDWC103 -> 10.0.41.103

Replication works, firewall ports are opened.

When I am on a member server in DomainDMZ and want to add a user from DomainLAN to a share, I see the following behaviour in Network Monitor:

The member server queries the RODC in its own DomainDMZ for LDAP servers in DomainLAN. It gets back the LDAP/SRV DNS records and reports these back to the member server.
Then nothing further happens on the RODC, but the member server in DomainDMZ is attempting to make an LDAP call to the domain controller in DomainLAN, which of course fails.

Why is the member server contacting the DC in DomainLAN directly?
Why can't I add/resolve users and/or groups from the trusted domain?
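An added example that serves both this post and the earlier "Can't validate trust against RODC" one; it is not from either poster. The object picker behind a share's permissions dialog locates a DC of the selected domain itself and binds to it over LDAP directly; the local DC is only consulted for the SRV records. The script shows which DCs of the trusted domain the locator hands out, with and without the writable-DC requirement that trust verification imposes, and then tests the ports each needs from the machine you run it on (the DomainDMZ member server). The trusted domain's FQDN is an assumption; Resolve-DnsName needs Windows 8 / 2012 or later, so on older hosts use `nslookup -type=SRV` for step 2.

```powershell
# Added example (not the poster's code): DC locator results and port reachability.
$trustedFqdn = 'domainlan.example'    # assumed

# 1. What the locator returns. /writable forces a writable DC, which trust
#    validation (netdom trust /verify) and any write operation require.
nltest /dsgetdc:$trustedFqdn /force
nltest /dsgetdc:$trustedFqdn /force /writable
nltest /dsgetdc:$trustedFqdn /force /site:DMZ   # is there a DMZ site in the trusted domain at all?

# 2. The DNS records behind it. RODCs register only site-specific SRV records
#    by default, so a domain-wide query returns writable DCs, and so does any
#    client whose subnet maps to no site in the trusted domain.
$srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$trustedFqdn" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 3. TCP reachability from here. 389/636 = LDAP (object picker, LDAP lookups),
#    88 = Kerberos, 135 + dynamic RPC and 445 = LSA/Netlogon RPC used by trust
#    setup/verification and NTLM pass-through, 53 = DNS if the DC is also a resolver.
function Test-Port([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($target in ($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique)) {
    $row = [ordered]@{ DC = $target }
    foreach ($p in 53, 88, 135, 389, 445, 636) { $row["tcp$p"] = Test-Port $target $p }
    [pscustomobject]$row
}
```

If step 1 returns a DC that step 3 cannot reach, the only remedies are to open that path, or to give the DMZ subnets a site in the trusted domain whose DCs are reachable (site coverage then decides which DC answers).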

Windows 2012 Active Directory upgrade


Hi,

I was just going through the article below for planning an AD upgrade to a Windows 2012 based environment. I got a few ideas but am not able to find a clear articulation about Windows 2003 DCs.

http://technet.microsoft.com/en-us/library/hh994618.aspx

If the Forest and Domain Functional Level is 2003 with Windows 2003 as the Domain Controller OS, then can we directly introduce a Windows 2012 DC into the existing environment?

Will a Windows 2012 DC be able to sync with a Windows 2003 DC, considering the 64-bit OS?

Has anyone tried this? Please suggest.


Regards: Mahesh
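An added example, not from the post above: a readiness check that reads the facts deciding whether a Server 2012 DC can join a 2003-level forest. A 2012 DC needs forest functional level Windows Server 2003 or higher; the 2012 promotion wizard runs adprep itself when the installing account is Schema/Enterprise/Domain Admin; and 32-bit versus 64-bit plays no part in replication. No names are hard-coded.

```powershell
# Added example (not the poster's code): Server 2012 DC readiness facts.
Import-Module ActiveDirectory
$root   = Get-ADRootDSE
$forest = Get-ADForest
$domain = Get-ADDomain

# Schema objectVersion: 30=2003, 31=2003 R2, 44=2008, 47=2008 R2, 56=2012, 69=2012 R2
$schemaVersion = (Get-ADObject $root.schemaNamingContext -Properties objectVersion).objectVersion

# SYSVOL: FRS and DFSR both work with 2012 DCs, but 2003 DCs cannot do DFSR SYSVOL,
# so the FRS-to-DFSR migration belongs after the last 2003 DC is gone.
$dfsrGlobal = Get-ADObject -LDAPFilter '(objectClass=msDFSR-GlobalSettings)' `
    -SearchBase "CN=System,$($domain.DistinguishedName)" -Properties 'msDFSR-Flags'
$sysvol = if (-not $dfsrGlobal) { 'FRS' }
          elseif ($dfsrGlobal.'msDFSR-Flags' -eq 48) { 'DFSR' }
          else { "migrating (msDFSR-Flags=$($dfsrGlobal.'msDFSR-Flags'))" }

$ffl2003 = $forest.ForestMode -ge [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest

[pscustomobject]@{
    ForestMode          = $forest.ForestMode
    DomainMode          = $domain.DomainMode
    SchemaVersion       = $schemaVersion
    SchemaMaster        = $forest.SchemaMaster      # adprep /forestprep must run here or against it
    SysvolReplication   = $sysvol
    Server2012DcAllowed = $ffl2003                  # no Windows 2000 DCs may remain
}

# DCs by operating system: the 2003 ones must be replaced before the domain and
# forest levels can be raised past 2003; until then they replicate with 2012 normally.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog |
    Sort-Object OperatingSystem | Format-Table -AutoSize
```

Before promoting the first 2012 DC, take a system-state backup of the schema master and confirm `repadmin /replsummary` is clean; the schema extension is forest-wide and not reversible.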

Custom Attributes - Which permission option?


Hi

I need to enable a service account to write to the Custom Attributes.

Which option in the AD delegation wizard sets this?

These attributes are visible in the Exchange Management Console.

EMC_Custom attribute fields

Thanks, 


Maelito
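An added example, not from the post above. In the Delegation of Control wizard the path is "Create a custom task to delegate", "Only the following objects in the folder: User objects", then "Property-specific" and the "Write extensionAttribute1" ... "Write extensionAttribute15" boxes. The script below writes the same ACEs explicitly (one Write Property ACE per attribute, inherited by user objects under the OU), which is easier to review and to repeat on several OUs. The service account and OU are assumptions.

```powershell
# Added example (not the poster's code): delegate write on extensionAttribute1-15.
Import-Module ActiveDirectory
$account = 'CORP\svc-hrsync'                  # assumed service account
$ouDn    = 'OU=Staff,DC=corp,DC=example'      # assumed OU

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$sid      = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier])
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($i in 1..15) {
    # The attribute's schemaIDGUID is what goes into the ACE's ObjectType. It is
    # only present once the Exchange schema extensions have been applied.
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=extensionAttribute$i)" -Properties schemaIDGUID
    if (-not $attr) { Write-Warning "extensionAttribute$i is not in the schema"; continue }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$attr.schemaIDGUID,                                            # this property only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)                                                          # on user objects only
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: only Write Property for the 15 attributes should appear for the account
dsacls $ouDn | Select-String -SimpleMatch $account
```

Granting write on the whole object (or "Write all properties") would also let the account change things like userAccountControl and scriptPath on every user in the OU; the per-attribute ACE keeps a compromised sync account to the custom attributes.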


Installing a DC in Windows Server 2012


Hello!

Can't type in the DSRM password while installing the first Win2012 DC:


???

Thank you in advance,

Michael

Rename a Custom Attribute


Hi

W2K8 domain + Exchange 2010.

I need to start using Custom Attributes. Is it possible to rename them to whatever I want, or is this a locked field in the Schema?

Thanks, M


Maelito


Auto email notification to system administrators if users do not login for more than 1 month


As in the title above, basically it is to allow the system administrators to be notified that these users have not logged in to their PCs for at least a month, and therefore their domain accounts are required to be disabled. The email notification will keep on being sent to the system administrators on a daily basis until the system administrators have disabled the users' domain accounts. Is there any solution to implement it? Hope my explanation is clear. Really need assistance from you all!! Thank you in advance!!

DDM1983
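An added example, not from the post above: a script for a daily scheduled task that mails the enabled user accounts with no domain logon in the last 30 days and keeps doing so until someone disables them. Mail server, addresses, OU and the task's path are assumptions.

```powershell
# Added example (not the poster's code): daily report of idle, still-enabled accounts.
Import-Module ActiveDirectory

$days       = 30
$searchBase = 'OU=Staff,DC=corp,DC=example'   # assumed; keeps service/admin OUs out of scope
$smtp       = 'smtp.corp.example'             # assumed
$to         = 'sysadmins@corp.example'        # assumed

# Search-ADAccount uses lastLogonTimestamp, which replicates to every DC
# (lastLogon does not). It is refreshed only when the stored value is older
# than msDS-LogonTimeSyncInterval (14 days by default), so "no logon for 30
# days" really means "no logon for 30 to 44 days". Thresholds under ~15 days
# would flag active users.
$cutoff = (Get-Date).AddDays(-$days)
$stale  = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($days)) -UsersOnly -SearchBase $searchBase |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties lastLogonTimestamp, whenCreated, description |
    Where-Object { $_.whenCreated -lt $cutoff } |         # new accounts that never logged on are not "idle"
    Select-Object SamAccountName, Name, description,
        @{n='LastLogon'; e={ if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { 'never' } }},
        @{n='IdleDays';  e={
            $since = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $_.whenCreated }
            [int]((Get-Date) - $since).TotalDays }} |
    Sort-Object IdleDays -Descending

$count = @($stale).Count
if ($count -eq 0) { return }     # nothing to nag about today

$body = "This mail repeats daily until the accounts below are disabled.`n`n" +
        ($stale | Format-Table -AutoSize | Out-String)
Send-MailMessage -SmtpServer $smtp -From 'ad-audit@corp.example' -To $to `
    -Subject "$count enabled account(s) idle for $days+ days" -Body $body

# Register once from an elevated prompt (assumed path and run-as account):
#   schtasks /create /tn "AD-InactiveUsers" /sc daily /st 07:00 /ru "CORP\svc-adaudit" /rp * ^
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Report-InactiveUsers.ps1"
```

The run-as account needs only read access to the OU; if the policy is later changed to disable automatically, `Disable-ADAccount` on the same `$stale` list is the one-line addition, but that step is the one that locks out people on long leave, so keep it as a human decision unless HR data drives it.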

Retention


Hi!

Is it possible in a Windows 2008 domain to keep deleted Active Directory objects somewhere in a container if account operators delete them?

Thanks.
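An added example, not from the post above. Without the Recycle Bin, a deleted object becomes a tombstone in CN=Deleted Objects: it keeps its SID but most attributes, group memberships included, are stripped, and it is purged after the tombstone lifetime. The AD Recycle Bin (forest functional level 2008 R2, cannot be switched off again) keeps deleted objects whole for the same period so Restore-ADObject can bring them back intact. The script shows the current state, a dry run of enabling the feature, and how to list what account operators have deleted in either state. No names are hard-coded.

```powershell
# Added example (not the poster's code): tombstone lifetime, Recycle Bin, deleted objects.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
$cfgNC  = (Get-ADRootDSE).configurationNamingContext

# Where things stand now
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties tombstoneLifetime).tombstoneLifetime
$rb  = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
[pscustomobject]@{
    ForestMode        = $forest.ForestMode
    TombstoneDays     = $(if ($tsl) { $tsl } else { '60 (attribute unset: forest created before 2003 SP1)' })
    RecycleBinEnabled = [bool]$rb.EnabledScopes
}

# Enable it (one way, forest wide) once the forest is at 2008 R2 level
$r2 = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -ge $r2 -and -not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.RootDomain -WhatIf   # drop -WhatIf to enable
}

# What has been deleted recently, whichever state the forest is in. The
# deleted-objects control (-IncludeDeletedObjects) is required to see them.
Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user))' -IncludeDeletedObjects `
    -SearchBase $domain.DistinguishedName -Properties whenChanged, lastKnownParent, 'msDS-LastKnownRDN' |
    Select-Object @{n='Name'; e={ $_.'msDS-LastKnownRDN' }}, lastKnownParent, whenChanged, ObjectGUID |
    Sort-Object whenChanged -Descending

# Full restore (Recycle Bin enabled); GUID taken from the listing above (assumed value):
#   Restore-ADObject -Identity '0f0a9f4e-3c7b-4d2a-9d7f-2b5f0c5d7e11'
# Without the Recycle Bin, ldp.exe/adrestore can reanimate the tombstone, but
# only the handful of attributes that survived deletion come back.
```

Complementary to either option: remove the Delete/Delete Subtree rights Account Operators hold, or set "Protect object from accidental deletion" on the OUs and accounts that matter, so the question of recovery comes up less often.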

Active Directory Users and Computers Asks For Password


Hello friends,

Please help in solving this problem.

When I log in on a Domain Controller with a user ID that is not part of the Administrators group and run the Active Directory Sites and Services console, it asks for a password, and when I enter the password it again prompts for a password. I think some GPO setting is blocking this. Does anyone know where to set access to this console through GPO?

Migrating SYSVOL to DFSR, One Server 'stuck' when using getmigrationstate, but it looks OK locally


Hi,

I am upgrading our 2008 R2 Domain Controllers (all writable, no RODC) to DFSR for SYSVOL.

2 of our DCs are at our main head office, and 1 DC is in a small office (in a separate site on a different subnet).

This issue concerns the DC in the second site.

I ran dfsrmig /setglobalstate 1 yesterday, and today I expected all to be OK when I ran dfsrmig /getmigrationstate, however I had the following issue:

The following Domain Controllers are not in sync with Global state ('Prepared'):


Domain Controller (Local Migration State) - DC Type
===================================================

FT-SGW-FAP ('Start') - Writable DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.

I then decided to check locally on server FT-SGW-FAP, and in the C:\Windows directory I have a SYSVOL_DFSR folder, and it is the same size as on the other DCs, with the same number of files / folders, so I know the SYSVOL_DFSR folder was created OK.

I also checked the registry under HKLM\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Migrating SysVols and Local State is set to 1, so I know that the server itself is prepared (according to http://blogs.technet.com/b/filecab/archive/2008/03/05/sysvol-migration-series-part-3-migrating-to-the-prepared-state.aspx ). I also checked (by comparing with a 'successful DC') the other reg settings, and all looked OK.

It has been around 24 hours since I started the dfsrmig /setglobalstate 1 command. Additionally I have tried various repadmin /syncall /AeD commands (with various switches), and I have also tried dfsrdiag pollad a few times; no errors occurred. But the issue persists.

I also checked the Event Viewer, and I got a few informational events which were normal when setting up DFSR for SYSVOL; the last event I got was this one:

Log Name:      DFS Replication
Source:        DFSR
Date:          27/08/2012 18:32:02
Event ID:      8014
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      FT-SGW-FAP.PAX.local
Description:
DFSR has successfully migrated the Domain Controller FT-SGW-FAP to the 'PREPARED' state.
 
TO CONTINUE MIGRATION: If you choose to continue the migration process and proceed to the 'REDIRECTED' state, please note that any changes made henceforth to the SYSVOL share located at C:\Windows\SYSVOL (which is under NTFRS replication) will not be updated in the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR (which is under DFSR replication). To avoid this possibility of data loss, please make sure no file system changes on the SYSVOL share occur while DCs are migrating from 'PREPARED' to 'REDIRECTED' state.
 
TO ROLLBACK MIGRATION: If you choose to rollback the migration process and return to the 'START' state, please note that DFSR will no longer be replicating the SYSVOL_DFSR folder and all DFSR information will be removed from the Active Directory.

This obviously looks good, but that was over 22 hours ago, and running dfsrmig /getmigrationstate still returns that this server is in the 'Start' state.

Additionally, I have tried restarting all the servers, and I also checked the ADSI Edit settings (according to http://blogs.technet.com/b/filecab/archive/2008/03/05/sysvol-migration-series-part-3-migrating-to-the-prepared-state.aspx ), and all is looking like it should work. But it doesn't! And now I can think of nothing else.

Incidentally, going through the event log I found 1 Warning:

Log Name:      DFS Replication
Source:        DFSR
Date:          28/08/2012 12:10:47
Event ID:      5014
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      FT-SGW-FAP.PAX.local
Description:
The DFS Replication service is stopping communication with partner DC1 for replication group Domain System Volume due to an error. The service will retry the connection periodically

Additionally, this third DC in the second site usually works OK; policies get pushed out and AD replicates fine, so the AD service is running OK. The server is also a file server, and we use DFS to replicate our files to / from this server with our main file servers, so I know the DFS service is running OK. While the connection is usually 'quite' stable, it does every now and then drop, but it's not so bad. The speed is about 1 Mbps both ways under ideal conditions, but can drop to around 600 Kbps both ways under day-to-day usage.

Thanks, would appreciate any assistance

Richard
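An added example, not from the post above: dfsrmig compares two attributes in AD, the global state on CN=DFSR-GlobalSettings,CN=System and each DC's local state on CN=DFSR-LocalSettings under its computer object, and it evaluates them on the PDC emulator. Each DC's DFSR service writes its own local state on its own DC, so the PDC emulator learns of it only through ordinary AD replication. The script reads every DC's local state twice, from the DC itself and from the PDC emulator, so a replication lag shows up as a mismatch between the two views. The DC name is the one in the post; nothing else is hard-coded.

```powershell
# Added example (not the poster's code): reconcile dfsrmig state across DCs.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$pdce     = $domain.PDCEmulator
$state    = @{ 0 = 'Start'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated' }   # msDFSR-Flags values

# Global state, as the PDCE sees it
$globalDn = "CN=DFSR-GlobalSettings,CN=System,$domainDn"
$g = (Get-ADObject $globalDn -Properties 'msDFSR-Flags' -Server $pdce).'msDFSR-Flags'
"Global state at $pdce : $($state[[int]$g])"

# Local state of every DC, read from the DC itself and from the PDCE
foreach ($dc in Get-ADDomainController -Filter *) {
    $dn   = "CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
    $own  = (Get-ADObject $dn -Properties 'msDFSR-Flags' -Server $dc.HostName -ErrorAction SilentlyContinue).'msDFSR-Flags'
    $seen = (Get-ADObject $dn -Properties 'msDFSR-Flags' -Server $pdce        -ErrorAction SilentlyContinue).'msDFSR-Flags'
    [pscustomobject]@{
        DC         = $dc.Name
        OwnView    = $state[[int]$own]     # an unset attribute reads as 0 = Start
        PdceView   = $state[[int]$seen]
        Replicated = ($own -eq $seen)
    }
}

# For a DC whose PdceView lags its OwnView: compare the attribute's replication
# metadata on both sides (version/originating DC/USN), then pull the domain
# partition from that DC into the PDCE and re-check.
$lagging = 'FT-SGW-FAP'
$lagDn   = "CN=DFSR-LocalSettings,$((Get-ADDomainController -Identity $lagging).ComputerObjectDN)"
repadmin /showobjmeta $lagging $lagDn | Select-String 'msDFSR-Flags'
repadmin /showobjmeta $pdce    $lagDn | Select-String 'msDFSR-Flags'
repadmin /replicate $pdce $lagging $domainDn
dfsrmig /getmigrationstate
```

If both views already agree on Prepared and dfsrmig still reports Start, run it on the PDC emulator itself and check that the PDCE role is where `Get-ADDomain` says it is. A DC whose own view is still Start despite event 8014 points at the DFSR service (the 5014 warning above is a DFSR-to-DFSR connection issue and does not affect the AD attribute); `dfsrdiag pollad` there, then re-read.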

LDIFDE No Such Attribute


I am trying to Import users with LDIFDE but I'm getting an error on the second user. The error is

Add error on entry starting on line 20: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090C30, comment: Error in attribute conversion operation, data 0, v1db0

I must be missing something, since the first entry (which gets added) and the second (which fails) look to be about the same to me. I've been trying to figure out the difference between the two entries for about an hour now, with no luck; it all seems to be the same.

dn: CN=User One,OU=Test,OU=Company,DC=domain,DC=local
changetype: add
cn: User One
objectClass: user
sAMAccountName: user.one
telephoneNumber: (407) 599-6888
userPrincipalName: user.one@company.com
givenName: user
sn: one
title: Title
l: City
st: OH
streetAddress: 610 A Road
facsimileTelephoneNumber: (457) 874-5574
mobile: (888) 874-4891
extensionAttribute1: 210591
extensionAttribute2: 833871
mail: user.one@company.com

dn: CN=User Two,OU=Test,OU=company,DC=domain,DC=local
changetype: add
cn: User Two
objectClass: user
sAMAccountName: User.Two
telephoneNumber: (407) 599-6888
userPrincipalName: User.Two@company.com
givenName: User
sn: Two
title: Title
l: City
st: OH
streetAddress: 610 A Road
facsimileTelephoneNumber: (484) 489-6889
mobile: (888) 721-5464
extensionAttribute1: 286994
extensionAttribute2: 833871
mail: User.Two@company.com
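An added example, not the poster's code: a checker that parses an LDIF file the way ldifde does (one "name: value" per line, continuation lines start with a space, "::" means base64) and, for each entry, flags attribute names the schema does not know and raw lines that carry non-ASCII, control or trailing whitespace characters. "No Such Attribute" reported at an entry's first line means one attribute name in that entry does not exist as typed; when two entries look identical on screen, the difference is usually a character you cannot see. The file name is an assumption.

```powershell
# Added example (not the poster's code): find the invisible difference between LDIF entries.
param([string]$Path = '.\users.ldf')   # assumed: the file passed to ldifde -i -f

Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$known = @{}
function Test-SchemaAttribute([string]$Name) {
    if (-not $known.ContainsKey($Name)) {
        $known[$Name] = [bool](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Name))")
    }
    $known[$Name]
}

# 1. Read raw lines, keeping the original numbers ldifde reports, and unfold
#    continuation lines (a leading space joins the line to the previous one).
$lines = @()
$n = 0
foreach ($text in (Get-Content -Path $Path -Encoding UTF8)) {
    $n++
    if ($text.Length -gt 0 -and $text[0] -eq ' ' -and $lines.Count -gt 0) {
        $lines[-1].Text += $text.Substring(1)
    } else {
        $lines += [pscustomobject]@{ No = $n; Text = $text }
    }
}

# 2. Group into entries (blank line = separator) and split "name[;option](:|::) value".
$entries = @()
$cur = $null
foreach ($l in $lines) {
    if ($l.Text -match '^\s*$') { if ($cur) { $entries += $cur; $cur = $null }; continue }
    if ($l.Text.StartsWith('#')) { continue }
    if (-not $cur) { $cur = [pscustomobject]@{ Line = $l.No; Attrs = @() } }
    if ($l.Text -match '^([A-Za-z][A-Za-z0-9.-]*)(;[^:]*)?(::?) ?(.*)$') {
        $value = $matches[4]
        if ($matches[3] -eq '::') { $value = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value)) }
        $cur.Attrs += [pscustomobject]@{ No = $l.No; Name = $matches[1]; Value = $value; Raw = $l.Text }
    } else {
        $cur.Attrs += [pscustomobject]@{ No = $l.No; Name = ''; Value = $l.Text; Raw = $l.Text }
    }
}
if ($cur) { $entries += $cur }

# 3. Report per entry: unknown attribute names and characters that hide in plain sight.
foreach ($e in $entries) {
    $dn = ($e.Attrs | Where-Object { $_.Name -eq 'dn' } | Select-Object -First 1).Value
    "Entry starting on line $($e.Line): $dn"
    foreach ($a in $e.Attrs) {
        if ('dn', 'changetype' -contains $a.Name) { continue }
        $issues = @()
        if ($a.Name -eq '')                          { $issues += 'line is not "name: value"' }
        elseif (-not (Test-SchemaAttribute $a.Name)) { $issues += "no attribute '$($a.Name)' in schema" }
        if ($a.Raw -match '[^\x20-\x7E]') {
            $codes = [int[]][char[]]$a.Raw | Where-Object { $_ -lt 0x20 -or $_ -gt 0x7E } | ForEach-Object { 'U+{0:X4}' -f $_ }
            $issues += 'non-ASCII/control character: ' + ($codes -join ' ')
        }
        if ($a.Raw -match '\s$') { $issues += 'trailing whitespace' }
        if ($issues.Count) { '  line {0,-4} {1,-24} {2}' -f $a.No, $a.Name, ($issues -join '; ') }
    }
}
```

If every name checks out, the remaining suspects are values the attribute syntax rejects; importing with `ldifde -i -f users.ldf -k -v -j .` continues past the failing entry and writes a log with the server's per-line reason next to the file, which narrows it to one attribute.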
