Quantcast
Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

ADFS Taleo Relying Party Configuration

February 17, 2015, 1:07 pm
$
0
0

Hi, 

I'm trying to configure Oracle Taleo as a relying party for AD FS and the AD FS as identity provider for Taleo. 

AD FS Configuration

I have uploaded XML Taleo federation metadata in relying party configuration wizard and everything seems correct. I have created claim-rules to return email address in Name ID attribute with unspecified format. 

Taleo Configuration


When I try to sign in, browser is correclty redirected to AD FS, AD FS returns a SAML response containing email address in name ID attribute (logged with Fiddler), but Taleo returns Internal Server Error 500. 

Do you see anything wrong in this configuration? IdP identifier? Authentication URL? and more important the certificate: it is possible to select only one certificate, so which certificate should be uploaded SSL, token encryption or token deryption? in which format? binary base 64?

I'm trying to  troubleshoot this error since one week also with Taleo support, but we didn't find anything. If you have already configured Taleo or you have any idea, let me know. 

Search

Password Complexity error

August 20, 2015, 10:17 am
$
0
0
Team,

I have a password policy with minimum password length 8. I am facing unique issue, I am unable to set password above 8 characters. Does minmum length also means maximum? Bit confused, as in my test domain with same setting, I can set 10 character password.

I am beating my head from last two day on this issue, unable to find why it is not allowing me to set longer password. I verified there is no FGP applied.

Amit

Server 2012 R2 Prerequisite Check for Domain Controller Promotion Failing

August 20, 2015, 12:32 pm
$
0
0

Hi all,

We are in the process of upgrading our domain controllers from Server 2003 SP2 to Server 2012 R2.  We have a test environment that has our two 2003 DC's (created using recent system state backups), two 2012 R2 servers, and multiple workstations.  Active Directory, DNS, and DHCP all appear to be functioning correctly.  We were able to run adprep from the 2012 CD successfully with no errors; however, when we try to promote our 2012 server we can't get past the "Prerequisites Check" step.  On screen, we getting the following errors:

- One or more prerequisites failed.  Please fix these issues and click "Rerun prerequisites check".

- Verification of prerequisites for Domain Controller promotion failed. The operation did not complete successfully.

The following is what is showing in the adprep log:

[2015/08/20:14:15:58.749]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20150820141558-test\ADPrep.log'
[2015/08/20:14:15:58.749]
Adprep successfully initialized global variables.
[Status/Consequence]
Adprep is continuing.
[2015/08/20:14:15:58.755]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=corp,DC=mydomain,DC=com.
[2015/08/20:14:15:58.756]
LDAP API ldap_search_s() finished, return code is 0x0
[2015/08/20:14:15:58.756]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=2003DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=mydomain,DC=com.
[2015/08/20:14:15:58.757]
LDAP API ldap_search_s() finished, return code is 0x0
[2015/08/20:14:15:58.757]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=corp,DC=mydomain,DC=com.
[2015/08/20:14:15:58.758]
LDAP API ldap_search_s() finished, return code is 0x0
[2015/08/20:14:15:58.759]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=corp,DC=mydomain,DC=com.
[2015/08/20:14:15:58.760]
LDAP API ldap_search_s() finished, return code is 0x0
[2015/08/20:14:15:58.760]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=2003DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=mydomain,DC=com.
[2015/08/20:14:15:58.761]
LDAP API ldap_search_s() finished, return code is 0x0
[2015/08/20:14:15:58.777]
Adprep discovered the Infrastructure FSMO: 2003DC1.corp.mydomain.com.
[2015/08/20:14:15:58.780]
Adprep connected to the Infrastructure FSMO: 2003DC1.corp.mydomain.com.
[2015/08/20:14:15:58.781]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2015/08/20:14:15:58.781]
LDAP API ldap_search_s() finished, return code is 0x0
[2015/08/20:14:15:58.781]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2015/08/20:14:15:58.781]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=corp,DC=mydomain,DC=com.
[2015/08/20:14:15:58.782]
LDAP API ldap_search_s finished, return code is 0x0
[2015/08/20:14:15:58.782]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2015/08/20:14:15:58.782]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2015/08/20:14:15:58.782]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2015/08/20:14:15:58.784]
LDAP API ldap_search_s finished, return code is 0x0
[2015/08/20:14:15:58.784]
Adprep does not find the tokenGroups attribute on the RootDSE object of the Active Directory Domain Controller. This attribute is not avaliable on Windows Server 2003 or lower version of Windows. Adprep will try to obtain token groups from the User object.
[2015/08/20:14:15:58.784]
The parameters /userdomain and /user are not specified. Using current logon user's domain ...
[2015/08/20:14:15:58.784]
The current logon user's domain is CORP.MYDOMAIN.COM.
[2015/08/20:14:15:58.785]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2015/08/20:14:15:58.785]
LDAP API ldap_search_s() finished, return code is 0x0
[2015/08/20:14:15:58.785]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=corp,DC=mydomain,DC=com.
[2015/08/20:14:15:58.786]
LDAP API ldap_search_s() finished, return code is 0x0
[2015/08/20:14:15:58.786]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Admin Account,OU=IT Users,DC=corp,DC=mydomain,DC=com.
[2015/08/20:14:15:58.789]
LDAP API ldap_search_s finished, return code is 0x0

As far as we can tell, there are no errors in the log above.

Does anyone have any idea where we might be going wrong?  Any help will be greatly appreciated!

Help Desk Group - Delegating Rights and allowing access

August 20, 2015, 2:39 pm
$
0
0

Hi,

I followed the steps in another thread (https://social.technet.microsoft.com/Forums/en-US/f1846ea7-31fc-4d38-8950-ef7d86f3cefb/need-to-create-help-desk-users-to-unlock-andor-change-passwords?forum=winserverDS) on delegating rights to a "help desk group" to allow this new group to do limited things in AD (create accounts, reset passwords etc).  I applied this to the OU where most of our users objects belong.

Having done that, how do I give the help desk person access to the appropriate programs (users and computers for instance) so they can make these changes?  Do they log in as themselves to a domain controller to fire up "users and computers"?  Or can they still do too much on a DC?  (I only want them to be able to a) create users b) reset pwd c) add a computer to the domain).

Or can you somehow install some sort of snapin on their local PC to allow them access to users and computers?

I added them as a remote user to the domain controller but they still could not log in.

Thanks,

Albert

ADAC - Cannot restore the custom configuration settings

August 12, 2015, 5:56 pm
$
0
0

We are using Active Directory Administratative Center to manage AD and we recently switched to redirected folders (among other things).

since the changes were made when starting the ADAC we are seeing an error:

I can't figure out what the story is. It's obviously some sort of custom configuration file, more than likely stored in %APPDATA% somewhere and there is an issue accessing it but I can't find where it might be.

Can anyone shed some light on either the issue or where ADAC stores it's per user configuration data?

Thanks in advance!

Permissions required for NOC Team

August 17, 2015, 7:32 am
$
0
0

We are working to lock down our access permissions and trying to put a granular access model so that only required rights are present for the teams:

Would like to know how we can accomplish some of these activities, without giving away Admin rights.

Start & Stop Services on Windows 2008 and above servers

Clean up DiskSpace on Servers

Preventing a service to run during machine startup if DC not available

August 16, 2015, 9:39 pm
$
0
0

Hope to get some help on this:

My objective is to prevent a in-house developed service to run if Windows cannot connect to the domain controller during startup. The reason for this is that some old machines may have hardware time wrong and when they started up, if they are not able to communicate with the DC, their times will be wrong. Some down-level clients (devices using embedded os) get the time from these machines (Windows XP, Windows 7 professional)  and if the time is wrong and the service is running, wrong time will be propagated, that can create havoc.

So, if it is possible to only allow the service to run if I am sure that the time is correct (that the machine has synchronized with a DC), then I can prevent down-level machines to synchronize time with these Windows workstations. 

Is it possible? For example, if machine authentication with DC fails during startup the service shall not start. Is there any Windows service that is dependent on machine authentication with DC (that can only run if machine authentication is successful)?

Valuable skills are not learned, learned skills aren't valuable.

Issue finding which logon server a remote workstation is currently Connected too ?

August 21, 2015, 1:38 am
$
0
0

Hi Guys,

(Get-WmiObject-Classwin32_ntdomain-Filter"DomainName = 'domain'"-ComputerNamemade_up_workstation_name).DomainControllerName

When I run the above on my workstation it gives the same value as theset variable Logonserver

When I run it on my colleagues workstation it gives a Valid DC but not the one that shows in its set variable Logonserver

I get the same results wether I run on or remotely on both workstations

Any ideas ?

Search

ADFS 3 (Server 2012 R2) and Chrome

December 27, 2013, 3:42 pm
$
0
0

Hello,

I just recently installed ADFS v3 on a new Server 2012 R2 instance.  I have two ADFS servers in a farm, with 2 ADFS proxy servers, each using Windows Server Network Load Balancer.

Currently, we are federating to Office 365 and everything seems to be working great for our Internet Explorer users, however people that use Chrome seem to be having multiple issues logging in.  We are seeing the following symptoms with chrome:

1. Internally, Chrome users are not automatically logged in.  I have tried setting the executing the following command on the ADFS farm, but the issue still persists: Set-ADFSProperties -ExtendedProtectionTokenCheck "None"

2. Users using chrome cannot sign in at all, both trying through the proxy and the internal ADFS server directly.  When entering mydomain\myusername ormyusername@mydomain.com, my password, and hit Sign In, the page simply "refreshes" and does nothing.  I don't see any errors or warnings inside of event viewer on both the proxy or internal ADFS farm, so not quite sure what is happening.

I have tried running the Office 365 Single Sign-On Test from https://testconnectivity.microsoft.com/ and everything comes back successful, so I think this is a direct issue with ADFS 3 and Chrome.

Any ideas?

Thanks in advance!


Unable to reset the ADFS 3.0 Illustration back to the ADFS 3.0 default

August 21, 2015, 7:11 am
$
0
0

Hi There,

I'd set the ADFS 3.0 Illustration page to a custom one. However, I now need to set it back to default.

The Illustration page was by default -> {[, System.Byte[]]}

However when I reset it to @{}. It didn't set it back to the above. And If I try setting it to the above, it gives a syntax error.

This is causing the Illustration 3.0 page to show as plain blue, without the default style.

Can you kindly help me restore it back to the default please?

Regards, Kartikesh Nadar MCSA 2008, MCTS, VCP, ITILv3 -------------------------------------------------------------------------------- This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

domain trust issue

August 21, 2015, 7:04 am
$
0
0
I have a production site and i am setting up a DR site. Each time the DR site DC is running, i get the domain trust issues at my production site.

AD FS 3.0 Event 342, There are currently no logon servers available to service the logon request

August 21, 2015, 8:51 am
$
0
0

We rely on AD FS to perform authentication for Office 365.

To guard against local network outages we built an ADFS stack in Azure that includes load balanced edge servers, load balanced ADFS hosts and a domain controller (full DC, *not* a RODC).

We experienced a network outage to our corporate data canter and expected the Azure installation to handle authentication.  The Azure based servers were unable to perform the authentication returning an event 342, "There are currently no logon servers available to service the logon request."

It appears that the ADFS hosts were not using the local domain controller and were attempting to authenticate with a domain controller at corporate which was unreachable due to the network outage.  When the network service was restore these hosts were able to authenticate.

How do I configure these ADFS hosts to use the Domain Controller on their subnet?

We have set AD up so that the Azure site and servers are on their own "site".
I checked %logonserver% on the adfs hosts and each pointed to the local DC, not one at corporate.

TIA for any help!

  

Server 2012, AD Acounts

August 21, 2015, 3:06 am
$
0
0

Good day,

I am having a problem with my DC accounts, they keep on locking the users out and then i would have to unlock the users. so i am not sure what to do. i have been struggling for months now.

Please assist urgently, as this thing irriatates the hell out of my Seniors when they are locked out.

Windows 2012 - AdamSync Not Synchronizing Objects

August 10, 2015, 9:02 pm
$
0
0

Environment:

I have a new Windows 2012 AD LDS instance setup. The MS schema files MS-InetOrgPerson.LDF MS-User.LDFMS-UserProxy.LDF, and MS-UserProxyFull.LDF and MS-AdamSyncMetadata.LDF were loaded during the build. I am attempting to sync user objects from Windows 2012 R2 AD toLDS. The AD partition is DC=DOM12R2,DC=local and the LDS partition is DC=DOM12R2,DC=local. Windows 2012 AD LDS is a member server of active directory domain. My account is a member of the Domain Admin group and is member of Administrators group in the LDS configuration instance. I am configuring this AD LDS to work with Cisco Unity and using the following article:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-version-80/111979-ucm-multi-forest-00.html

To create the sync file, I made a copy of MS-AdamSyncConf.XML and have made the minimum changes necessary for this configuration. However, after I install the config file successfully, and run the sync and the sync completes without errors, however, no objects are created in LDS. Please help. Thanks.

Contents of config file:

<?xml version="1.0"?>
<doc> 
 <configuration>  
  <description>DOM12R2.local</description>  
  <security-mode>object</security-mode>         
  <source-ad-name>DOM12R2.local</source-ad-name>  
  <source-ad-partition>dc=DOM12R2,dc=local</source-ad-partition>
  <source-ad-account></source-ad-account>               
  <account-domain></account-domain>
  <target-dn>dc=DOM12R2,dc=local</target-dn>  
  <query>   
   <base-dn>dc=DOM12R2,dc=local</base-dn>
    <object-filter>
(&#124;(&amp;(!cn=Administrator)(!cn=Guest) (!cn=ASPNET)
(!cn=krbtgt)(sAMAccountType=805306368))(&amp;(objectClass=user)(isDeleted=TRUE)))
    </object-filter>
   <attributes>
    <include>objectSID</include>
    <include>mail</include> 
    <include>userPrincipalName</include>
    <include>middleName</include> 
    <include>manager</include> 
    <include>givenName</include> 
    <include>sn</include> 
    <include>department</include> 
    <include>telephoneNumber</include> 
    <include>title</include> 
    <include>homephone</include> 
    <include>mobile</include> 
    <include>pager</include> 
    <include>msDS-UserAccountDisabled</include>
    <include>samAccountName</include>
    <include>employeeNumber</include>
    <exclude></exclude>
   </attributes>  
  </query>
 <user-proxy>
    <source-object-class>user</source-object-class>
    <target-object-class>userProxy</target-object-class>
  </user-proxy>  
  <schedule>   
   <aging>    
    <frequency>0</frequency>    
    <num-objects>0</num-objects>   
   </aging>   
   <schtasks-cmd></schtasks-cmd>  
  </schedule> 
 </configuration> 
 <synchronizer-state>  
  <dirsync-cookie></dirsync-cookie>  
  <status></status>  
  <authoritative-adam-instance></authoritative-adam-instance>
  <configuration-file-guid></configuration-file-guid>  
  <last-sync-attempt-time></last-sync-attempt-time>  
  <last-sync-success-time></last-sync-success-time>  
  <last-sync-error-time></last-sync-error-time>  
  <last-sync-error-string></last-sync-error-string>  
  <consecutive-sync-failures></consecutive-sync-failures>  
  <user-credentials></user-credentials>  
  <runs-since-last-object-update></runs-since-last-object-update>
  <runs-since-last-full-sync></runs-since-last-full-sync> 
 </synchronizer-state>
</doc>

Log output:

Adamsync.exe v1.0 (6)
Establishing connection to target server localhost:389.
Saving Configuration File on DC=DOM12R2,DC=local
Saved configuration file.

ADAMSync is querying for a writeable replica of DOM12R2.local.
Establishing connection to source server DC-DOM12R2.DOM12R2.local:389.
Using file .\dam278F.tmp as a store for deferred dn-references.
Populating the schema cache
Populating the well known objects cache

Starting synchronization run from dc=DOM12R2,dc=local.
Starting DirSync Search with object mode security.
Updating the configuration file DirSync cookie with a new value.
Beginning processing of deferred dn references.
Finished processing of deferred dn references.
Finished (successful) synchronization run.

Number of entries processed via dirSync: 0
Number of entries processed via ldap: 0
Processing took 0 seconds (0, 0).
Number of object additions: 0
Number of object modifications: 0
Number of object deletions: 0
Number of object renames: 0
Number of references processed / dropped: 0, 0
Maximum number of attributes seen on a single object: 0
Maximum number of values retrieved via range syntax: 0

Beginning aging run.
Aging requested every 0 runs. We last aged 1 runs ago.
Saving Configuration File on DC=DOM12R2,DC=local
Saved configuration file.

Liaqat

Event 13508 and 13559

August 21, 2015, 8:38 am
$
0
0
I have two sites connected via mpls.  Recently added two Server 2012 r2 servers one to each site to replace server 2003. For time being I am keeping both 2003 servers as backups. Recently started receiving errors 13508 and 13559. I have not moved the sysvol on any of the servers.  I ran frsdiag and it shows 4 errors. Two of them are for a server that is a member server. The other two are the events listed above. From any of the DCs I can ping the other DCs by domain name or IP. They are all listed in DNS properly.  Event viewer tells me that replication is not taking place, yet sysvol looks the same on all four servers. Please help.

Wade Harris

Search

Old Domain Controllers in Replication list

August 21, 2015, 10:34 am
$
0
0

I was checking on the replication status for a domain controller when I noticed that long ago decommissioned domain controllers show up in the list. What is the best way to remove these references?

repadmin /showvector /latency DC=domain,DC=com

ADCs don't assume PDC Operations Master Roles RID and PDC and Infrastructure are wrong

August 21, 2015, 9:36 am
$
0
0

Hello,

I have several DCs on my domain.

The DCs located on my contry are comunnicating well and assuming the Operations Masters Roles from the correct PDC but two of them located bough on different countries are not.

Lets call the PDC DC1 and is located in USA another DC called DC2 located also in USA and the DC3 is located in France and DC4 in England.

The DC2 have the information on The AD/Operation Masters correctely pointing that RID/PDC/Infrastructure Operations Master is DC1

But The DC3 and DC4 on the RID tab it shows "ERROR" and the PDC and Infrastructure tabs indicates that each one are the Operation master and not the DC2 located in USA.

How can I correct this situation and tur the AD replications correctely?!

Thank you

Old Domain Controllers in Replication list

August 21, 2015, 10:33 am
$
0
0

I was checking on the replication status for a domain controller when I noticed that long ago decommissioned domain controllers show up in the list. What is the best way to remove these references?

repadmin /showvector /latency DC=domain,DC=com

Adamsync and Forefront Identity Manager

August 21, 2015, 11:42 am
$
0
0
I am currently using adamsync.exe to create UserProxy objects in AD LDS to allow users to authenticate. Can i replace the command line adamsync tool with Forefront Identity Manager? As of now adamsync.exe looks at an OU in Active directory and creates an account for each user in AD LDS as userproxyfull objects and that works well to allow authentications. I would like to move away from the command line approach and use another tool to do it....Can Forefront Identity Manager handle this?

Jef

LDAP SERVER

August 21, 2015, 11:53 am
$
0
0

We are having one DC , we are planning to integrate our applications on LDAP server, my question is can i configure ldap services on the DC or shall i take another machine for configuring LDAP services.

Thanks

Viewing all 31638 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>