Channel: Directory Services forum
Viewing all 31638 articles

Time source resets after server reboot to Free-running System Clock

All our servers (Windows 2008 R2) are configured to synchronize to the AD hierarchy. Sometimes the time source of the Windows time service is reset to Free-running System Clock. This happens, as far as we could track it, after a reboot of the server.

After it was reset, you can synchronize with the AD again:

w32tm /config /syncfromflags:domhier /update

But some days / weeks / months (we couldn't really find out yet when this happens exactly), the time source is reset again.

I already tried to /unregister and /register the time service, but this changes nothing in behavior.

All servers are virtualized. I already checked that time synchronization with the host is turned off.

Also there are no group policies, which set the time service configuration.

What else can I do to find out, what causes this configuration reset?


Sub1 in IIS

I have a working site: mysite.com

In the DNS Manager I assigned a Host (A) as sub1 and an IP address as 192.168.1.xxx, close to the IP address of the domain.

Then made it a Static IP. 

Then in IIS I assigned sub1 as a Site, added it to an Application Pool and bound it to *80 under sub1.mysite.com.

I also populated it with a working ASP.net Program just like mysite.com. 

But when I entered sub1.mysite.com nothing comes up.


Can anybody help with new ADFS 2.0 service configuration steps for Windows 2008 Server

I am new to ADFS configuration. Can anybody help me on this? It would be very helpful for me.
If there are any manuals/documentation for this, please share them with me.

RootCA Renewal

Hi,

We have an Exchange Server 2010 installation with a certificate issued from our Active Directory certificate authority. The entire setup was installed in 2010, and now I can see that the certificates are expiring by July of this year.

Experts please let me know the procedure involved in increasing the validity period of the Root Authority from the default 5 years and renewing the certificates. Please see the attached screenshots of existing certificates.

Thanks

Thomas

Replicate LDAP data from Active Directory to external system

Hi-

We are hosting a software application for a client, and we want the client to provide us with certain information from their on-premise Active Directory:  user name, email address, job title--about 5 fields of information.

Is there a way to replicate this data to our environment in a secure fashion? 

Thank you,

John


Trust relationship

Hello, 

Is it possible to establish a two-way trust relationship between a Windows domain (functional level 2012 R2) and a SAMBA 3.8 domain?

The Samba domain works with a NETBIOS name.

I have one Windows 2012 R2 domain: example.com and one domain (SAMBA): domain

 Thank you

DFS 2012 and DFS 2008 mixed environment

We have 2 server 2008 R2 DFS machines, both Domain controllers and both replicating.

I have installed Server 2012 R2 DFS as a member server and added it to the group: in namespace and in replication.

The problem is that the replication share on the new server (2012) shows updated replicated data, but the actual root location does not.

Confusing: so for example, if I navigate out to (on the 2012 server) d:\dfsroot\dfs (the root folder I created to host DFS data), this data is old and not updating.

BUT if I go to \\2012-server\dfs (share), DFS is updated.

The problem is, some users see this updated data and others don't.

What is going on? Please help!

thanks

Multiple Computers receive Access Denied at logon. User credentials are valid. Windows 7 Pro

Windows 7 Pro 64 bit computer working normally or recently rebooted. User tries to logon and the access denied message displays. I try to logon with local admin account and get the same error. Sometimes rebooting the pc will allow you to logon correctly but we have had to boot into safe mode and choose "active directory repair" on several machines. This has happened on several windows 7 desktops and one 2008 r2 server running Terminal Services. We have about 80 user computers and so far 10 have had this issue over the last month.

Our 2 DC servers are Windows 2008 R2. I couldn't find any AD errors.

To "fix" the pc we had to:

1. Boot into Safe Mode with Command Prompt
2. At the DOS prompt (Cmd) window, type MSCONFIG and press Enter
3. When MSCONFIG opens, click the "Boot Options" tab
4. Click the option for "Active Directory Repair"
5. Exit MSCONFIG, and reboot the PC
The PC will boot into Safe Mode regardless of what you choose (e.g. "Start Windows Normally")
You may need to reboot more than once for the repair to be completed, mine needed 2 times.


Active Directory Time Synchronization

I currently am in the process of upgrading my Active Directory Domain Controllers from 2008 R2 to 2012 R2.

I have 2 domains, 1 parent and 1 child. Currently my FSMO role holder in the parent domain is syncing time with an external time source and is a physical server.

I know when I set it up in 2009 it was strongly recommended that the time server be a physical server.

Is this still the Microsoft recommendation, or is it OK to set up the time server on a virtual Hyper-V machine?

Thanks,

Eddie

Can I change User attribute Single-Valued to Multi-Valued?

Hello,

I created a new "Unicode String" user attribute and I didn't check the multi-valued box:

Now I see that we need several values in this attribute.

I'm afraid I cannot change the user attribute from Single-Valued to Multi-Valued.

Can I enter multiple values separated somehow? Comma?

Many thanks



ADFS Home Realm Discovery Question

I have an ADFS 3 configuration consisting of two ADFS 3 servers with a trust. The internal ADFS server has a relying party set up and the external has a claims provider set up. When I am directed (from the web app) to the external, it shows both realms as it should, and whichever I select, login works fine. My question is: how can I set the claims provider in the URL of the web application for the internal realm?

www.webapp.com = automatically select the external claims provider and go directly to the ADFS login page for the external claims provider

www.webapp.com/internal = automatically select the internal claims provider and go directly to the ADFS login page for the internal claims provider

Any assistance appreciated

Trust type suggestion

The case:

I have a site (site1 for the example) with a 2003 domain controller and a 2008 R2 terminal server, with domain name company.com

I want to build a second site (site2 for the example) with a 2012 domain controller, whose users will log on to the domain of site2 and have access to the terminal server of site1.

My questions:

1) If I choose a "Parent-child" trust, does the domain of the second site have to be named like site2.company.com, or can it be irrelevant (like company2.local for example)?

2) If it cannot be irrelevant, do I have to raise the 2003 domain to a forest and then join the domain of site2 to the forest, or is there another way to accomplish my goals?

3) If any kind of trust is built, will I just have to add users of the domain of site2 to the "remote desktop group" of the terminal server of site1, and that's it?

I hope my questions and goals are clear enough.

Thanks in advance for any help

Active Directory Sites, Replication and Trust Relationship issue

Hello,

I am facing an issue on domain member servers and computers, where users are getting an error while trying to log in with their user ID. The error displayed is:

The Security database on the server does not have a computer account for this workstation trust relationship

We have multiple branch offices and each branch site has a domain controller; most of the branch offices have an RO DC (Windows 2008 R2).

While troubleshooting this issue I found the replication error using repadmin /replsummary

HO-DC1 28d.05h:01m:14s 10 / 25 40 (1396) Logon Failure: The target account name is incorrect.

  • The computer account exists in AD, but users are still getting the "Trust relationship issue"
  • We joined the computer to AD again, but the next day the same issue occurred again.
  • When we try to get the AD group membership in ISA, it displays the UUID instead of the name of the group.

We have forced replication without any errors, but the problem is still not solved.

Can we do an audit for this kind of issue?

thanks,

Certificate Validity Periods

I have a 2008 R2 Standalone CA to which I set the signing validity period to 5 years. This is however fine for machinekey certs. I have a requirement to start issuing Client Authentication certificates for a specific web application which TMG will secure against the issued client auth certificate. The question is, if and where in a <request.inf> can I set an attribute that will ask the signing CA to sign for 1 year or 2 etc. and not use the default set on the CA. Is this possible with a Standalone CA?

Delegation of modifying the membership of groups

Hi All,

In our domain, we have an OU called Workstation, under which there are many sub OUs called like DepartmentA, DepartmentB, DepartmentC... Under every sub OU (department OU) there is a group called like GroupA, GroupB or GroupC...

I would like to delegate the permission of modifying the membership of GroupA, GroupB, GroupC, etc. to someone. Is there a short way to manage it? There are too many sub OUs under the Workstation OU and thus there are too many groups under each sub OU. It's too difficult to configure each group. And I should not grant the access from the Workstation OU level, as there are many other groups and sub groups.

Thanks,
高麻雀


password expiration check

Team,

Is there a way I can get the list of users whose AD password is going to expire?

AD nightmare

Hi everybody

Need some more heads to get an idea :)

Our customer has two domains in the forest, e.g. DOMAIN.LOCAL and CHILD.DOMAIN.LOCAL

They found that the clocks on workstations are sometimes skewed. The symptoms were rare, but they were there. On further investigation the result was: NTDS corruption on the primary DC, and therefore AD was not reliable; some clients switched to the backup DC, which resides on a VMware host that doesn't have its hardware clock synchronised. OK, time was set to synchronise with NTP, the primary DC was restored from backup 2 days ago, and synchronisation between the PRIMARY and SECONDARY DCs is now OK without errors. But deep inspection of the event logs showed that the DC from CHILD.DOMAIN.LOCAL hasn't replicated successfully for almost 1 year!!! So what now?

With such a long unreplicated state it isn't possible to force replication with a partner out of the replication period; the result is unpredictable, and I cannot risk forest corruption, not to mention lingering objects, changes to schema .... On the other side, it isn't possible to demote the child domain DC and/or lose the child domain. I'm not sure if it is possible to only invoke unidirectional replication of critical data from the forest root domain to the child domain's DC and then also try to allow and fix replication to replicate the rest of the data from child to parent, because both DCs (e.g. MASTERDC.DOMAIN.LOCAL and DC.CHILD.DOMAIN.LOCAL) are Global Catalogs.

Dynamic Access Control - User access

Dear Forum,

I am still having a few user access issues with configuring Dynamic Access Control in our lab environment and hoped to find my answer here, as there is almost nothing to find elsewhere.
Example folder structure.
Level 1 directories:
Sales
Finance
Planning

Level 2 directories (Planning):
Party
Rental
Comptetition

Issues:
- Users keep seeing folders to which they do not have access, even though access-based enumeration has been activated.
- User access keeps being blocked if I have not configured TraverseFolder + List Folder permissions on level 1 directories, while the user has modify permissions on level 2 directories.

What I want:
- On both level 1 and level 2 there are multiple directories.
- I want to give user A permissions to a level 2 directory called "Party".
- I do not want user A to be able to see, nor directly access, any other directories or files on level 1 or level 2 other than the "Party" directory and its contents.

How can I accomplish this?

With kind regards,

Bob Lauteslager

Two factor authentication for Certificate Enrollment Web Service

We are building a client that communicates with ADCS via the Certificate Enrollment Web Service. We will be using the username-password authentication support but were wondering whether it is possible to incorporate some two factor authentication methods in the supported protocols.

Thanks,

David

Need assistance

We are currently running Windows Server 12 R2 and have an Active Directory with roaming profiles. Recently I was approached about some missing files in My Documents in a user's account on a desktop computer. It appears one of the Active Directory users' documents were merged with another user's, and this individual has also lost some of his files from his profile. The user in question does not have admin rights to the network, but the user account whose files he was merged with does have admin rights to the network. Has anyone else ever had this experience before? We have had no other issues at this time, nor have we had any other complaints of this problem from other users on the domain. Any insight would be great; not sure where to begin attacking this problem from.