Channel: Directory Services forum

Using Active Directory Lightweight Directory Services (AD LDS) for production environment


Hi,

I was wondering if it is supported by Microsoft to use AD LDS in a production environment.

I can vaguely recall having heard that it is either not supported, or maybe not advised, by Microsoft to use AD LDS in a production environment, but now that I am interested in that, I can't find a source confirming or refuting this.

Maybe it was related to high availability or to automatic replication; I can't recall, unfortunately.

Also, apparently AD LDS can run on a client OS, meaning that it could be used as an AD DS replacement for developers, adding a bit to my confusion.

My end goal is to use AD FS with AD LDS, both being highly available and supported by Microsoft in a production environment.

Thanks,

Francois Malgreve


Increase the maximum number of values for an attribute in Active Directory 2008r2


I have a 2008 R2 forest that uses a custom attribute that has reached its limit of values. Whenever I try to add a new value I get the following error:

Administrative Limit Exceeded (11) Administrative Limit Exceeded
LDAPException: Server Message: 00002024: SvcErr: DSID-0205053D, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026

Google provides no insight and DSID-0205053D doesn't seem to appear anywhere. Any help would be greatly appreciated.

Thanks

Marc


Some problems with Windows Time service on my domain controller


Hello! I need help with the Windows Time service. The situation is: there is a single domain controller and I need to sync its local time with time.windows.com. So I prepared the Default Domain Controllers Policy:

Computer configuration->Administrative Templates->System->Windows Time Service->Time Providers:

Enable Windows NTP Server=Yes

Enable Windows NTP Client=Yes

Configure Windows NTP Client=Yes (Type=NTP, NtpServer=time.windows.com,0x9)

So I ran "gpupdate" and checked the w32tm configuration:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NTP (Policy)
NtpServer: time.windows.com,0x9 (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

Now I check the source:

w32tm /query /source

time.windows.com,0x9

But if I restart this domain controller and check the configuration again:

w32tm /query /source

Local CMOS clock

Why is this happening? What am I doing wrong? Thank you for your answers.

Domain Migration from 2003 to 2012


Hi Experts

I'm planning to migrate Windows Server 2003 to Windows Server 2013. I'm familiar with all the steps that we need to take care of, but I need your best suggestion to complete this migration.

We have 4 AD sites (8 DCs in total, all 2003). I'm planning to decommission one 2003 server which is configured as secondary DNS for clients. Then I will introduce a new Server 2012 with the same host name and then install the DC role.

Once this part is done, it's time to decommission the primary DNS (DC) and install a new Server 2012 R2 with the same name as the 2003 DC. (Obviously I need to remove entries from AD and DNS.)

Once all 3 sites are done, I will work on moving FSMO: installing one 2012 server as secondary, then removing the primary DC (2003), and then installing the last 2012.

I'm taking these steps to avoid DC rename activities, because if I introduce new Server 2012 DCs into the network I have to change their name and IP, which is a nightmare.

Do you think my plan is OK, or do I need to follow a different approach?



Thanks Cloudy Lynx


Migrating from FRS to DFS. What about application directory partitions?


Hello Technet community!

I am about to migrate from FRS to DFS in preparation for migrating my DCs to 2012 R2.

I was wondering if the application directory partitions are also migrated to DFS using the procedure described here:

https://technet.microsoft.com/en-us/library/dd640019%28v=ws.10%29.aspx

If the application directory partition is not included, what is the procedure for it?

Thank you!

NTP Server Error


Hi

I have 2 DCs, Server 2008 R2, in my LAN (no internet access), both physical.

DC1 is using an external NTP source (Cisco) and DC2 is synchronized to DC1.

I ran these commands on DC1 to configure it as an NTP provider:

1. w32tm /config /manualpeerlist:PEERS /syncfromflags:MANUAL /reliable:YES /update

2. I restarted the "Windows Time" service.

3. I can see all the changes set in the registry.

Now, everything was working fine until both DCs shut down, and now when I do w32tm /resync on DC1 it fails.

w32tm /query /source returns LOCAL CMOS CLOCK

and w32tm /monitor returns

DC1.PDC.local *** PDC ***[...]
ICMP: 0ms delay
NTP: +0.0000000s offset from DC1.PDC..local.com
RefID: 'LOCL' [0x4C434F4C]
Stratum: 1
DC2.PDC.local[.....]
ICMP: 0ms delay
NTP: -0.0102597s offset from DC1.PDC.local
RefID: 'DC1.PDC.local'
Stratum: 1

How can I solve this?

Thanks!
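Both time-service posts above end at the same symptom: after a restart the DC reports "Local CMOS Clock" as its source, and in the second post the PDC shows RefID 'LOCL' at stratum 1, so it is serving its own unsynchronised clock to the rest of the domain. The following script is an added example, not code from either poster; it uses only documented w32tm query switches and prints where each setting comes from ((Local) registry versus (Policy)), which is the first thing to compare when a policy value and the effective source disagree. The peer name in the warning text is a placeholder.

```powershell
# Added example (not from either post): report whether this DC is really syncing
# from its configured NTP peer or has fallen back to the local CMOS clock.
# Run in an elevated PowerShell session on the domain controller.

function Get-W32TimeHealth {
    [CmdletBinding()]
    param()

    # 'w32tm /query /source' prints one line naming the current source,
    # e.g. "time.windows.com,0x9" or "Local CMOS Clock".
    $source = (w32tm /query /source 2>&1 | Out-String).Trim()

    # 'w32tm /query /status' prints key/value lines such as
    #   Stratum: 1 (primary reference - syncd by radio clock)
    #   ReferenceId: 0x4C4F434C (source name:  "LOCL")
    #   Last Successful Sync Time: ...
    $status = @{}
    foreach ($line in (w32tm /query /status 2>&1)) {
        if ($line -match '^\s*([^:]+):\s*(.+)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }

    # 'w32tm /query /configuration' tags every value with its origin:
    # "(Local)" = this machine's registry, "(Policy)" = Group Policy.
    $config    = w32tm /query /configuration 2>&1
    $ntpServer = $config | Where-Object { $_ -match '^\s*NtpServer:' } | Select-Object -First 1
    $type      = $config | Where-Object { $_ -match '^\s*Type:' }      | Select-Object -First 1

    # Either signal means the DC is on its own clock: the source line says so,
    # or the reference ID is the literal 'LOCL' seen in the second post.
    $usingLocalClock = ($source -match 'Local CMOS Clock') -or
                       ($status['ReferenceId'] -match 'LOCL')

    [pscustomobject]@{
        Source          = $source
        Stratum         = $status['Stratum']
        ReferenceId     = $status['ReferenceId']
        LastSync        = $status['Last Successful Sync Time']
        ConfiguredType  = if ($type)      { $type.Trim() }      else { '(not reported)' }
        ConfiguredPeer  = if ($ntpServer) { $ntpServer.Trim() } else { '(not reported)' }
        UsingLocalClock = $usingLocalClock
    }
}

$health = Get-W32TimeHealth
$health | Format-List

if ($health.UsingLocalClock) {
    Write-Warning 'This DC is serving time from its own CMOS clock; the configured peer is not in use.'
    # <peer> is a placeholder: use the value shown in ConfiguredPeer without the ,0x flags.
    Write-Warning 'Check reachability with: w32tm /stripchart /computer:<peer> /samples:3 /dataonly'
    Write-Warning 'Then compare (Local) and (Policy) origins in ConfiguredType/ConfiguredPeer for a conflicting override.'
}
```

If ConfiguredPeer shows "(Policy)" but Source still reads "Local CMOS Clock" after a reboot, the service started before the peer could be resolved or reached; the stripchart check tells you whether the peer answers at all, and the Last Successful Sync Time value tells you whether it has ever succeeded since boot.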

ADFS 2.0 farm setup in two different data-center with two different subnet


Hi Team,

I have a scenario where I have to deploy an ADFS 2.0 farm with a SQL database back-end across two different datacenters which have different subnets. If the first datacenter goes down, ADFS should still be working.

Questions and doubts are:

1) Is an ADFS 2.0 farm supported across different datacenters? Is it possible to extend it to multiple datacenters?

2) Can an ADFS farm have one node in one subnet and another node in a different subnet?

3) In the different-subnet scenario, will the SQL database be accessed by both nodes?

4) For the DR scenario, if we mirror the database and one ADFS node instance is available in the DR site, how do we bring that node online, or how do we make it work?

Thanks,

Khaleel Ahmed


Enable DNS Scavenging on Windows Server 2008 R2


Hi, Guys.

Good Day!

I need your input on what needs to be checked before enabling DNS scavenging on Windows 2008 R2 AD-integrated DNS servers.

Current setup:

- Scavenging is enabled on resource records

- Scavenging is enabled on a zone

  - No-Refresh/Refresh interval is 7 days

DHCP lease duration is 8 days

Are these settings enough to enable scavenging on a server? Or are there any other modifications that need to be done? Please advise.

Thank you.


ADTD Tool Fails to Run


I am trying to run ADTD on a domain that is in a separate forest from ours, with no trusts established. Thus I have access to their DC and am running the tool from there. I have run the tool on Server 2003 and 2008 R2 with no issues, but on this DC it gives me the following error: "Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately. The type initializer for "ADTD.Draw" threw an exception." Whether I click Continue or not, it just stops and puts me back at the main screen.

One thing that I did notice was that the OS running on the DC is Windows Server Standard FE. This OS is a washed-down version of, say, 2008 R2. Is ADTD compatible with this OS version?


Francisco Mercado Jr.

Active Directory Administrative center 2008R2 New user creation issues.

In ADUC you can right-click and copy a user account's settings; also, when you create a new user, the Domain Users group is added by default. In ADAC 2008 R2 you cannot do either. Is there a way to make it so you can do these in ADAC?

Set a DNS Server a New Host (A or AAAA) as RDSCB1 under mysite.com with an IPv4 address as close to mysite.com as you can get - Round Robin.


I am working in Windows Server 2012 R2 with SQL Server 2012 installed. I am trying to develop a connection string for my RDS Connection Broker. This is what I have so far:

DRIVER=SQL Server Native Client 11.0;SERVER=WIN-1;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;Database=Testdb

The version of SQL Server 2012 is: 11.0.
The name of the server is: WIN-1.
I am using: Remote Desktop Services Connection Broker.
The MS Database I am using is: Testdb.mdf.
Testdb.mdf is located in folder: C:\inetpub\wwwroot\App_Data\
DNS round robin name (ClientAccessName): RDSCB01.mysite.com.

I have set on a DNS server a New Host (A or AAAA) as RDSCB1 under mysite.com with an IPv4 address as close to mysite.com as you can get - Round Robin.

I make it a static IP.

How do you configure the new RDSCB01? Do you add an operating system? Do you add session variables and write ASP.NET code?

 


Removing ADC from AD, remove "subtree"


I want to delete my ADC from Active Directory Sites and Services; it is not live. I am getting the message: "Object ADCSVR contains other objects. Are you sure you want to delete object ADCSVR and all of the objects it contains?

If you cancel the running deletion, the objects deleted thus far will not be recovered.

WARNING: if you select the Use Delete Subtree server control check box, all objects within the subtree, including all delete-protected objects, will be deleted, and the deletion cannot be canceled."

Please confirm it is safe to delete this from AD Sites and Services; also please confirm whether I should enable the "Use Delete Subtree server control" check box.

Default Fallback time to Secondary Domain Controller


Hi Experts

I have a question about the default fallback time to a secondary domain controller in a Windows Server Active Directory environment.

My query is: my FSMO roles are in the HQ data centre. If I have two domain controllers (regional DCs, both GCs) and the primary DC is not reachable for any reason, what is the time duration before client authentication gets redirected to the secondary DC?



Thanks Cloudy Lynx

CAL for AD services


Dear Team,

Do I need CALs for authenticating users against Active Directory and using Group Policy?

Regards,

Hridaya Patel

Signout with ADFS3 with SAML Client


I have implemented SSO using ADFS3. I have a logout button for sign-out and it's working fine with my WS-Federation passive endpoints. On logout I redirect the user to the logout.aspx page, and there I have written the following code in Page_Load:

using System;                           // Uri
using System.IdentityModel.Services;    // FederatedAuthentication, WSFederationAuthenticationModule, SignOutRequestMessage

// Page_Load of logout.aspx: build a WS-Federation sign-out request (wa=wsignout1.0)
// addressed to the issuer, with this realm as the return address, and redirect to it.
WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
SignOutRequestMessage signOutRequestMessage = new SignOutRequestMessage(new Uri(authModule.Issuer), authModule.Realm);
String queryString = signOutRequestMessage.WriteQueryString();
Response.Redirect(queryString);

One of the applications uses SAML, so I have created a SAML assertion consumer endpoint. When I open this application and hit logout it throws an error, and in the event log on ADFS I see:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:


Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean& logoutComplete)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.PipelineInitiatedSignout(WrappedHttpListenerContext httpContext, String redirectUri)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolSignoutRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)




Windows Storage Server 2012 Folder access

Hi, I have a scenario where I only have one Windows Storage Server 2012 and around 15 computers in a workgroup. Now I want to create password-enabled folders for each computer on my server (like AD user folders). What are my options in this case, or is there any third-party tool I can use to create network folder password authentication? (Until now I have been using public access folders which are open to all computers, which I don't want, so all help is welcome.)

same user

Hi, I have Active Directory and two accepted domains in Exchange. I need to create the same user with a different mail address. For example: I have one user test@list.com and I want to create the same user but with a different domain, for example test@bk.com. Can I create the same logon user in Active Directory?

Last Password set date for a group of users


I need to find when the last password change was for all users in a particular AD security group. Is there any script for that?

We run a Windows 2008 domain.
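An added example, not a script the poster or Microsoft supplied, that answers the question above with the ActiveDirectory PowerShell module (RSAT), which works against a 2008-level domain. 'Sales-Staff' is a placeholder group name. It reads the raw pwdLastSet attribute rather than only the cmdlet's PasswordLastSet property because a value of 0 means "user must change password at next logon", which the friendly property reports as empty rather than as a date; the report calls that case out explicitly.

```powershell
# Added example (not from the post): last password change for every user in an
# AD security group, with the "must change at next logon" case made explicit.
# Requires the ActiveDirectory module (RSAT). 'Sales-Staff' is a placeholder.
Import-Module ActiveDirectory

function Get-GroupPasswordAge {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $Recursive   # also expand nested groups
    )

    # Get-ADGroupMember returns users, computers and groups; keep users only.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive:$Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        # pwdLastSet is a raw FILETIME (Int64). 0 = password must be changed at
        # next logon; any other value converts with [DateTime]::FromFileTime.
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties pwdLastSet, PasswordNeverExpires, Enabled

        $lastSet = if ($u.pwdLastSet -eq 0) { $null }
                   else { [DateTime]::FromFileTime($u.pwdLastSet) }

        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordLastSet      = $lastSet
            PasswordAgeDays      = if ($lastSet) { [int]((Get-Date) - $lastSet).TotalDays } else { $null }
            MustChangeAtLogon    = ($u.pwdLastSet -eq 0)
            PasswordNeverExpires = $u.PasswordNeverExpires
        }
    }
}

# Usage: oldest passwords first, shown on screen and saved for review.
Get-GroupPasswordAge -GroupName 'Sales-Staff' -Recursive |
    Sort-Object PasswordAgeDays -Descending |
    Tee-Object -Variable report |
    Format-Table -AutoSize

$report | Export-Csv -Path .\password-age.csv -NoTypeInformation
```

Sorting on PasswordAgeDays puts the stale accounts at the top; rows with PasswordNeverExpires set to True and a large age are the ones worth reviewing first, since the domain password policy never forces them to rotate.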

failed to authenticate to DC (event ID 3210)


I'm troubleshooting different workstation slowness scenarios, and one of the concerning event IDs is 3210, which indicates some authentication issues between the client computer and the domain. Group policy errors (lack of connectivity to a domain controller) also follow this error.

I'm trying to solve this event ID 3210 issue without success; so far I've done:

- Ports are open between client and DC (I ran PortQry tests)
- Computer is 100% patched, KB2958122 included
- Computer account deleted, computer re-joined to the domain
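As an added example (not from the post), here is a triage script for the situation described above: it collects the NETLOGON 3210 events from the workstation's System log, tallies which domain controller each one names, tests the machine's secure channel with the domain, and optionally resets it. The event source and ID are the ones the post names; the time window and the regex that pulls the DC name out of the message text are assumptions.

```powershell
# Added example (not from the post): triage NETLOGON event 3210 on a workstation.
# Run as a local administrator on the affected client.

function Get-SecureChannelTriage {
    param(
        [int]    $Days = 7,   # how far back to look in the System log
        [switch] $Repair      # re-establish the secure channel if the test fails
    )

    # 1. Collect the 3210 events for the period (newest first).
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 3210
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    # 2. Tally the DC named in each message ("...authenticate with \\DCNAME, a
    #    Windows domain controller..."); the pattern is an assumption.
    $byDc = $events | ForEach-Object {
        if ($_.Message -match '\\\\([^\s,]+)') { $matches[1] } else { '(unknown)' }
    } | Group-Object | Sort-Object Count -Descending

    # 3. Test the secure channel; optionally reset the computer password with
    #    an account that is allowed to do so.
    $channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    if (-not $channelOk -and $Repair) {
        $cred = Get-Credential -Message 'Domain account allowed to reset this computer account password'
        $channelOk = Test-ComputerSecureChannel -Repair -Credential $cred
    }

    # 4. Report, including the DC that handled the current logon.
    [pscustomobject]@{
        EventsInPeriod     = @($events).Count
        FirstEvent         = ($events | Select-Object -Last 1).TimeCreated
        LastEvent          = ($events | Select-Object -First 1).TimeCreated
        DcsNamedInEvents   = ($byDc | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        SecureChannelOk    = [bool]$channelOk
        CurrentLogonServer = $env:LOGONSERVER
    }
}

Get-SecureChannelTriage -Days 14 | Format-List
```

If the events all name a single DC while CurrentLogonServer is a different one, the problem is with that one DC rather than with the workstation's account; if SecureChannelOk is False even after the re-join the post describes, the reset performed by -Repair is the next step to try before looking further at connectivity.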


Delete and create users


Hello everyone,

I would like to get an opinion on a certain thing.

Does creating and deleting users (about 2000 users created and deleted per year) put a load on the Server 2012 AD DS?

Does it have a negative impact?

thank you 


RM
