Channel: Directory Services forum

Response from a specific port is faster whereas from the other port it is longer/times out.

Just wanted to understand why the response from a specific port is faster whereas from the other port it is longer/times out.

The application query issued is basically the same, but AD responds differently. Our application questionnaire expects us to use 636 to access AD configuration, but by doing so we get timeouts when querying AD for users.


Is there any difference querying AD on the four different ports (3269, 3268, 389, 636)? If yes, what ..

Also, all applications are connecting/querying/authenticating to DCs which are behind an F5 load balancer. There is a pool of 8 DCs configured in the F5 load balancer on these four ports.

The F5 load balancer VIP pool name is dir.test.com, which is configured in the applications for authentication/queries.
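An added example, not part of the post above, for separating the four ports' behaviour behind a load-balanced name. It probes each port in turn and reports TCP connect time, bind time, which DC in the pool actually answered (from RootDSE), the TLS certificate the VIP presented on 636/3269, and what the same subtree search returns on a domain port versus a global catalog port. dir.test.com is the VIP name from the post; the credential name is an assumption.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'dir.test.com'                      # VIP name from the post
$Cred   = Get-Credential 'TEST\svc-ldap'      # assumed service account

function Test-AdLdapPort {
    param([string]$Server, [int]$Port, [pscredential]$Credential)
    $r = [ordered]@{ Port = $Port; TcpMs = $null; BindMs = $null; Dc = $null; DcIsGC = $null; Cert = 'n/a'; Search = $null; Error = $null }

    # 1. Raw TCP reachability and latency: separates F5 pool/port problems from LDAP ones.
    $tcp = New-Object System.Net.Sockets.TcpClient
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        if (-not $tcp.ConnectAsync($Server, $Port).Wait(5000)) { $r.Error = 'TCP connect timed out'; return [pscustomobject]$r }
        $r.TcpMs = $sw.ElapsedMilliseconds
    } finally { $tcp.Dispose() }

    # 2. Bind. On 636/3269 the VIP must present a certificate that chains to a CA this client
    #    trusts and carries the VIP name; otherwise the TLS handshake, not LDAP, is what times out.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    if ($Port -in 636, 3269) {
        $conn.SessionOptions.SecureSocketLayer = $true
        # Diagnostic only: record the certificate and accept it. A real client must return the
        # result of normal chain and name validation here.
        $conn.SessionOptions.VerifyServerCertificate = {
            param($c, $cert)
            $r.Cert = '{0}; expires {1}' -f $cert.Subject, $cert.GetExpirationDateString()
            $true
        }.GetNewClosure()
    }
    try {
        $sw.Restart()
        $conn.Bind()
        $r.BindMs = $sw.ElapsedMilliseconds

        # 3. RootDSE: which pool member answered this connection, and whether that DC is a GC at all.
        $scope = [System.DirectoryServices.Protocols.SearchScope]
        $root  = $conn.SendRequest((New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', $scope::Base, @('defaultNamingContext', 'dnsHostName', 'isGlobalCatalogReady')))).Entries[0]
        $nc       = $root.Attributes['defaultNamingContext'].GetValues([string])[0]
        $r.Dc     = $root.Attributes['dnsHostName'].GetValues([string])[0]
        $r.DcIsGC = $root.Attributes['isGlobalCatalogReady'].GetValues([string])[0]

        # 4. Same subtree search on each port. 389/636 serve one domain partition and return
        #    referrals for anything outside it (which a client may then chase, slowly);
        #    3268/3269 answer for the whole forest in one round trip, but only for the
        #    partial attribute set, so attributes outside it come back empty, not as an error.
        $sw.Restart()
        $resp = $conn.SendRequest((New-Object System.DirectoryServices.Protocols.SearchRequest($nc, '(objectClass=domainDNS)', $scope::Subtree, @('distinguishedName'))))
        $r.Search = '{0} entries, {1} referrals, {2} ms' -f $resp.Entries.Count, $resp.References.Count, $sw.ElapsedMilliseconds
    } catch {
        $r.Error = $_.Exception.Message
    } finally { $conn.Dispose() }
    [pscustomobject]$r
}

389, 636, 3268, 3269 | ForEach-Object { Test-AdLdapPort -Server $Server -Port $_ -Credential $Cred } | Format-Table -AutoSize
```

Run it a few times: with eight DCs behind one VIP, a slow answer that always carries the same Dc value points at one pool member, while a slow answer only on 636/3269 with a fast TCP connect points at the certificate or the TLS configuration of the VIP rather than at AD.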

Multiple Computers receive Access Denied at logon. User credentials are valid. Windows 7 Pro


A Windows 7 Pro 64-bit computer is working normally or was recently rebooted. The user tries to log on and the access denied message displays. I try to log on with the local admin account and get the same error. Sometimes rebooting the PC will allow you to log on correctly, but we have had to boot into safe mode and choose "Active Directory repair" on several machines. This has happened on several Windows 7 desktops and one 2008 R2 server running Terminal Services. We have about 80 user computers and so far 10 have had this issue over the last month.

Our 2 DC servers are Windows 2008 R2. I couldn't find any AD errors.

To "fix" the pc we had to:

1.Boot into Safe Mode with Command Prompt
2.At the DOS prompt (Cmd) window, type MSCONFIG and press Enter
3.When MSCONFIG opens click the "Boot Options" tab
4.Click the option for "Active Directory Repair"
5.Exit MSCONFIG, and reboot the PC
The PC will boot into Safe Mode regardless of what you choose (e.g. "Start Windows Normally")
You may need to reboot more than once for the repair to be completed, mine needed 2 times.

When a computer has the issue I cannot log on with the domain credentials or the local admin user credentials. Unplugging the network cable doesn't help. The only way to "fix" the issue is to boot into safe mode, log in with the local admin account and run msconfig, safe boot, Active Directory repair.

Does anyone know what Safeboot Active Directory repair does? I reboot into this mode and then I reboot again normally and the issue is resolved. If I knew exactly what happens when I boot into safe mode with Active Directory repair checked, then maybe I could understand the problem better.
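An added example, not part of the post above: the MSCONFIG "Active Directory repair" box writes a single boot-configuration flag, and these are the equivalent commands, plus a query for the logon failures the affected machine recorded on its own side. Run elevated on an affected PC; nothing here is specific to the poster's environment.

```powershell
# What MSCONFIG > Boot > Safe boot > Active Directory repair sets:
bcdedit /set '{current}' safeboot dsrepair
bcdedit /enum '{current}'          # shows a 'safeboot  DsRepair' line while the flag is set

# While that flag is present the machine boots to safe mode whatever is chosen at the boot
# menu, which matches what the post observed. MSCONFIG "Normal startup" removes it:
bcdedit /deletevalue '{current}' safeboot

# On a domain controller 'dsrepair' means Directory Services Restore Mode; a workstation has
# no directory to repair, so for it this is effectively a plain safe-mode boot.

# What the refused logons looked like from the machine's side (4625 = logon failure,
# 4776 = NTLM credential validation, which is what a local-admin logon produces).
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# Winlogon and Netlogon entries from the same window: a secure-channel problem shows up here,
# while a local-account failure with the cable unplugged does not involve the domain at all.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Winlogon', 'NETLOGON'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The 4625 Status and SubStatus values in the first query say which component refused the logon (for example a SAM or trust-related status versus a bad-password one), which is more informative than the generic "access denied" shown on screen.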

Could not join a computer to domain.


Hello everyone,

I am creating a Lync deployment setup for testing purposes.

I have promoted one server to domain controller with the domain name as "lynclab.local". I am using Windows Server 2012 R2 operating system. Now the server name is domaincontroller.lynclab.local and it is hosting AD DS and DNS services.

Now, to install SQL Server on another server, I need to add that server computer to the domain. But when I enter the domain name and press Enter, it asks me to enter the credentials to log on to the domain controller. After entering the Administrator username and password I get an error message saying: "The following error occurred when attempting to join lynclab.local. The network path was not found".

I have tried all the possible solutions from other websites but could not resolve it. I even tried to do everything again from the start, but I still get the same issue.

I have 5 more servers and I could not join any of them to the domain.

Looking for help........

Thanks and Regards,

Noor Hussain.
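An added example, not part of the post above, to run on the server being joined. "The network path was not found" typically means the joining machine either could not locate a domain controller through DNS or could not reach the one it found over SMB, and these commands make each of those steps visible before the join is attempted again. lynclab.local is the domain from the post; everything else is generic.

```powershell
$Domain = 'lynclab.local'

# 1. The joining machine must use the DC as its DNS server, and nothing else (no ISP or
#    router DNS as an alternate), or the locator records below are never found.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses | Format-Table -AutoSize

# 2. DC locator records. If this query fails, the DC has not registered itself in its own
#    DNS zone (Netlogon registration) or the client is asking the wrong server.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object Type -eq 'SRV'
$srv | Select-Object Name, NameTarget, Port, Priority | Format-Table -AutoSize

# 3. Services a join uses on the DC the SRV record names.
$dc = ($srv | Select-Object -First 1).NameTarget
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    '{0,-40} {1,5} {2}' -f $dc, $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 4. "Network path" is SMB: the domain's NETLOGON/SYSVOL shares must be reachable by name.
Test-Path "\\$dc\SYSVOL\$Domain"      # expected True

# 5. What the DC locator itself picks from this machine.
nltest /dsgetdc:$Domain

# 6. The join, once the above is clean. The credential prompt asks for the domain admin.
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator") -Restart
```

On a freshly promoted lab DC the usual finding is step 1: the new servers still point at the DNS server handed out by the lab's DHCP, not at domaincontroller.lynclab.local.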

Move Users Accounts using Filter and Path from CSV


Hi 

I'm trying to move user accounts, based on a set of filters in a CSV file, to the appropriate OU from that same file. I want to grab all users in AD that match the teacher's name and grade level for each row, and move them to the OU listed for that same row.

Here is how the data is laid out in the CSV file:

School    Grade    Teacher     ADOU
QCV0               Jane Doe    OU=Teacher1,OU=Grade 0,DC=students,DC=local

Here's the script I'm using:

Import-Module ActiveDirectory
$mappings = Import-Csv -Path "C:\studentsAccounts\Student_AD_ImportSorted.csv"

foreach ($map in $mappings) {
    # Property names must match the CSV header row (Grade, Teacher, ADOU above)
    $grade   = $map.Grade
    $teacher = $map.Teacher
    $OU      = $map.ADOU
    # Skip rows without a target OU rather than letting Move-ADObject fail on a null -TargetPath
    if ([string]::IsNullOrWhiteSpace($OU)) { Write-Warning "No ADOU for '$teacher' / '$grade'; row skipped"; continue }

    # Build the filter as a string so the values are expanded before the AD provider parses it;
    # the scriptblock form {Department -eq "$grade"} is handed over as text, not evaluated.
    $filter = "Department -eq '$grade' -and Title -eq '$teacher'"
    Get-ADUser -Server "ho-sb-dc03" -Filter $filter |
        Move-ADObject -Server "ho-sb-dc03" -TargetPath $OU
}


When I run it, I get an error about the $OU variable being null.

Move-ADObject : Cannot validate argument on parameter 'TargetPath'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
At C:\studentsAccounts\MoveNewStudents.ps1:9 char:149
+     Get-ADUser -server "ho-sb-dc03" -Filter {(Department -eq "$grade") -and (Title -eq "$teacher")} | Move-ADObject -Server "ho-sb-dc03" -TargetPath <<<<  $OU
    + CategoryInfo          : InvalidData: (:) [Move-ADObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.MoveADObject
 

Cross Forest Trust failing one direction suddenly - 0xc000005e "An Error occured during Logon"


Have two forests with a trust between them. Suddenly the trust is not working from the domain in Forest A to the domain in Forest B, but it is still working the other way around.

This happened once before due to time being out of sync, at which point I configured Forest B to retrieve time from Forest A; no issues since, and it is definitely still in sync now.

Checked all the trust configuration and everything validates OK at both ends. Either end can resolve the other domain and so on fine.

Here is the error logged on the DC in Forest B when someone from Forest A attempts, say, SMB access:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/09/2015 12:35:25 p.m.
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DC01.DOMAIN-B.COM
Description:
An account failed to log on.

Subject:
Security ID:NULL SID
Account Name:-
Account Domain:-
Logon ID:0x0

Logon Type:3

Account For Which Logon Failed:
Security ID:NULL SID
Account Name:username
Account Domain:DOMAIN-A

Failure Information:
Failure Reason:An Error occured during Logon.
Status:0xc000005e
Sub Status:0x0

Process Information:
Caller Process ID:0x0
Caller Process Name:-

Network Information:
Workstation Name:Domain-A PC
Source Network Address:192.168.X.X
Source Port:54282

Detailed Authentication Information:
Logon Process:NtLmSsp 
Authentication Package:NTLM
Transited Services:-
Package Name (NTLM only):-
Key Length:0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


Office 365 Claim to allow Sharepoint Online but block OWA


I need some clarification on passive ADFS claims.  I have a requirement to block external access to OWA but still allow external access to Sharepoint Online.  I'm not seeing any way to distinguish between the two in the claim request.  Is this even possible?  

The environment is ADFS 3.0 front-ended by a WAP.  

Thanks,

         Eric

Cannot install Active Directory Management Gateway Service on Windows server 2008 64 bit SP2


Hello,

I cannot install Active Directory Management Gateway Service based on the article Active Directory Management Gateway Service - Install Guide.docx presented on page https://www.microsoft.com/en-us/download/details.aspx?id=2852. I get an error message that the update does not apply to my system.

Based on the article, the following prerequisites need to be met to install Active Directory Management Gateway Service:

1. Active Directory Domain Services (AD DS) or AD LDS server roles - The server is a domain controller already.
2. .NET Framework 3.5 with Service Pack 1 (SP1) - already installed
3. For Windows Server 2008 - install hotfix https://support.microsoft.com/en-us/kb/969166, but there is no hotfix presented on the page. When searching for KB969166 on https://support.microsoft.com/en-us/contactus?ws=support I find the update Windows6.0-KB968934-x64.msu, which points me back to https://www.microsoft.com/en-us/download/details.aspx?id=2852.
The update Windows6.0-KB968934-x64.msu cannot be installed, I get a message that "This update does not apply to your system".

4. For Windows Server 2008 - http://go.microsoft.com/fwlink/?LinkId=152377 - not required for Windows Server 2008 SP2. My DCs are running Windows Server 2008 SP2, so this update is not required.

I am logged on with an account that has administrator access (a member of the Domain Admins group).

My server has the following configuration:
- Domain controller + DNS
- Windows server 2008 64 bit + SP2
- .NET Framework 3.5 with Service Pack 1

Are the instructions from the webpage https://www.microsoft.com/en-us/download/details.aspx?id=2852 wrong?

Is anybody able to help me to install Active Directory Management Gateway Service?
I wonder if anyone has faced a similar issue?

Thank you in advance.


AD FFL and DFL 2003 to 2008 R2 and the KRBTGT account concern


I am doing the design, planning, prepping, etc. for a forest and domain level increase. I was reading the blog below and what caught my eye was this statement:

So when you raise the domain functional level to Windows Server 2008 or Windows Server 2008 R2 from Windows Server 2003 or gasp Windows 2000 the krbtgt password will be changed.

We do not have the original password documented for this; we have Cisco, IBM, NetApp, VMware, etc. that use AD authentication. My question is this:

If the password is changed, how do I ensure that the non-Microsoft products continue to work and do not go down?

http://blogs.technet.com/b/askpfeplat/archive/2012/04/09/a-few-things-you-should-know-about-raising-the-dfl-and-or-ffl-to-windows-server-2008-r2.aspx
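An added example, not part of the post above. The krbtgt password is only ever used by the domain controllers themselves, to sign and encrypt Kerberos tickets; the Cisco, IBM, NetApp and VMware systems authenticate with their own accounts, keytabs or service accounts, which the DFL raise does not touch. The practical concern is a different one: Windows Server 2008 DFL enables AES for Kerberos, so an account that is later restricted to AES will stop serving devices that only have RC4 keys. The script records the krbtgt state before and after the raise and lists every account that holds an SPN together with its encryption-type setting, which is the inventory to check those devices against. Account names are whatever exists in the domain; nothing is assumed.

```powershell
Import-Module ActiveDirectory

# 1. krbtgt before and after the DFL raise: PasswordLastSet and the key version move together.
Get-ADUser krbtgt -Properties PasswordLastSet, 'msDS-KeyVersionNumber', 'msDS-SupportedEncryptionTypes' |
    Select-Object Name, PasswordLastSet, 'msDS-KeyVersionNumber', 'msDS-SupportedEncryptionTypes'

# 2. Every account with an SPN: this is what the non-Microsoft systems authenticate as or
#    against (NetApp CIFS servers are computer objects, Cisco/IBM integrations are usually
#    user accounts with a keytab). EncTypes empty or 0 means "default for the DFL", which is
#    the safe state; a value that excludes RC4 (0x4) is what breaks an RC4-only keytab.
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    Select-Object Name, ObjectClass, PasswordLastSet,
        @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'SPNs';     e = { $_.servicePrincipalName -join '; ' } } |
    Sort-Object ObjectClass, Name | Format-Table -AutoSize

# 3. After the raise: tickets already issued under the previous krbtgt key stay valid until
#    they expire (the DCs keep the previous key for exactly this reason). On a test client,
#    drop the cached tickets and confirm a fresh TGT and service ticket are issued normally.
klist purge
klist get cifs/$((Get-ADDomainController -Discover).HostName)
klist tgt
```

Keep the output of step 2 with the change record: if a device fails afterwards, compare its account's EncTypes and PasswordLastSet with this baseline before assuming the krbtgt change was the cause.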


Naming a new Active Directory?


Hi,

We are in the process of setting up a new AD domain. I have some questions regarding the naming of the domain. We would really like to name the internal AD domain the same as the public domain. I have read a bit about this, and Microsoft's recommendation is NOT to do this, but to use a subdomain of the public domain.

My real question for you is: what caveats and possible technical challenges do we have to deal with if using the same name?

I already know that we have to deal with a "split-brain DNS" setup (not a big problem as I see it), and that internal users will not be able to reach the public website without entering "www.example.com".

/Andreas

Create and auto-configure Outlook 2013 profile based on active directory user

Is it possible to create and automatically configure an Outlook 2013 profile based on a user account in active directory? If not, is there an out-of-the-box solution for this? I have seen some information about applying group policy settings but it does default settings, not user-specific (signatures, out of office replies, categories, rules, nk2). I'm happy to provide more information if required.

AD FS 3.0 Event 342, There are currently no logon servers available to service the logon request


We rely on AD FS to perform authentication for Office 365.

To guard against local network outages we built an ADFS stack in Azure that includes load balanced edge servers, load balanced ADFS hosts and a domain controller (full DC, *not* a RODC).

We experienced a network outage to our corporate data center and expected the Azure installation to handle authentication. The Azure-based servers were unable to perform the authentication, returning event 342, "There are currently no logon servers available to service the logon request."

It appears that the ADFS hosts were not using the local domain controller and were attempting to authenticate with a domain controller at corporate, which was unreachable due to the network outage. When network service was restored these hosts were able to authenticate.

How do I configure these ADFS hosts to use the Domain Controller on their subnet?

We have set AD up so that the Azure site and servers are on their own "site".
I checked %logonserver% on the adfs hosts and each pointed to the local DC, not one at corporate.

TIA for any help!
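An added example, not part of the post above. %logonserver% reflects the interactive session of whoever is logged on to the AD FS host; the AD FS service authenticates through the secure channel of the host's computer account, which is established separately and stays with the DC it was built against until it is reset. The script shows the things that decide which DC that channel lands on: whether the host's address is mapped to the Azure site, which DCs advertise for that site, what the locator returns from the host right now, and finally how to move the channel onto the local DC. 'Azure' is the site name the post describes; the subnet and DC names are whatever the forest contains.

```powershell
Import-Module ActiveDirectory
$Site   = 'Azure'
$Domain = Get-ADDomain

# 1. Subnet-to-site mapping. An address that matches no subnet object falls back to any DC in
#    the domain, which is one way an Azure host ends up talking to corporate.
$ip = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
"This host: $ip"
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize
Get-ADReplicationSite -Identity $Site | Select-Object Name, DistinguishedName

# 2. DCs that advertise in that site, and whether one of them is a global catalog; AD FS
#    resolves users over LDAP and a site with no GC sends GC lookups to another site.
Get-ADDomainController -Filter "Site -eq '$Site'" | Select-Object HostName, IsGlobalCatalog, IsReadOnly, IPv4Address

# 3. What the locator returns from this host, and which DC the secure channel is on now.
nltest /dsgetdc:$($Domain.DNSRoot) /force
nltest /sc_query:$($Domain.NetBIOSName)

# 4. Re-point the secure channel at a DC in the local site. This is what was missing during
#    the outage: a channel built against a corporate DC before the site existed does not move
#    by itself, and while that DC is unreachable the host reports "no logon servers" (342).
$localDc = (Get-ADDomainController -Discover -SiteName $Site -ForceDiscover).HostName
$target  = "$($Domain.NetBIOSName)\$localDc"
nltest /sc_reset:$target
nltest /sc_query:$($Domain.NetBIOSName)
```

Run steps 1 to 3 on each AD FS and WAP host in Azure; if step 3 already names the Azure DC, the remaining suspect is DNS on those hosts (they must resolve the domain's SRV records through a DNS server that is reachable when the corporate link is down).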

  

ADMT - SID history not working


Hello guys,

I have got stuck with ADMT migration tests. I am using ADMT 3.2 installed within my resource forest (FFL = WS 2003). I have a resource forest with 4 child domains divided per continent.

Resource forest and domain functional level: WS 2003. Target forest: WS 2003; the target child domain functional level is WS 2008 R2.

There is a two-way external trust with the SID filtering feature disabled. I have created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\TcpipClientSupport (DWORD with value 1) on the resource PDC.

My ADMT service account is a member of the built-in Administrators group in the resource forest and of Domain Admins in the target domain. I'm able to migrate users from the resource forest to the target forest including passwords (PES already configured), but when I want to use the option to migrate the SID to the target domain, I get an error:

Does anyone know the root cause? Thank you for your help!

Petr Weiner

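An added example, not part of the post above. The error text did not survive in the post, so this is the set of conditions ADMT checks before it will write sIDHistory, expressed as commands that display the current state on both sides rather than assume it. Domain and DC names are placeholders; the registry value is the one the post mentions. Run it from the ADMT host with an account that is an administrator in both forests.

```powershell
$SrcDomain = 'src.example';  $SrcPdc = 'pdc1.src.example'   # source = resource forest in the post
$TgtDomain = 'tgt.example';  $TgtDc  = 'dc1.tgt.example'    # target = where the users are migrated to
$SrcNetbios = (Get-ADDomain -Server $SrcPdc).NetBIOSName

# 1. SID filtering. A SID in sIDHistory belongs to the source domain, so the DC that would strip
#    it is one in the source domain evaluating a token from the target domain: that is the trust
#    that must have quarantine off. Without ":yes"/":no" netdom only reports the current setting,
#    so with a two-way trust check both directions.
netdom trust $SrcDomain /domain:$TgtDomain /quarantine
netdom trust $TgtDomain /domain:$SrcDomain /quarantine

# 2. TcpipClientSupport = 1 on the source PDC emulator (set in the post); Netlogon must have
#    been restarted after the value was created for it to take effect.
Invoke-Command -ComputerName $SrcPdc {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name TcpipClientSupport
    Get-Service Netlogon | Select-Object Status, StartType
}

# 3. The empty domain-local group <SourceNetBIOS>$$$ must exist in the source domain; ADMT
#    uses it as the marker that sIDHistory writes from this domain have been sanctioned.
$marker = "$SrcNetbios`$`$`$"
$g = Get-ADGroup -Server $SrcPdc -Filter "Name -eq '$marker'" -ErrorAction SilentlyContinue
if (-not $g) { "Marker group $marker missing. Create it with:  New-ADGroup -Server $SrcPdc -Name '$marker' -GroupScope DomainLocal -GroupCategory Security" }
else { Get-ADGroupMember $g -Server $SrcPdc | Measure-Object | Select-Object @{ n = 'MembersInMarkerGroup'; e = { $_.Count } } }  # must be 0

# 4. Audit of account management, success and failure, on the DCs of both domains.
Invoke-Command -ComputerName $SrcPdc, $TgtDc { auditpol /get /category:"Account Management" }

# 5. Trust path and PDC reachability from the ADMT host (sIDHistory is written via the source PDC).
nltest /sc_verify:$SrcDomain
nltest /dsgetdc:$SrcDomain /pdc
```

If all five come back clean, the next place to look is the ADMT log itself (Migration.log in the ADMT logs folder), which records the specific precondition it failed on.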

Access server by FQDN

Hello

I have 2 DCs (2012 R2), both with two network cards, each pointing at the other as the preferred DNS server on the network adapter.

However, I experience the following issue:

If I try to access the domain as \\contoso.local, it says that this is not available, on all the workstations as well as on the member servers such as file servers.

Because of this I cannot build the namespace for my file servers by replicating a namespace.

Could anyone help me?
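An added example, not part of either post; it serves this question and the "Naming a new Active Directory?" question above. Paths such as \\contoso.local (or \\example.com when the AD domain shares the public name) resolve through the A records every DC registers for the zone apex, the Netlogon "LdapIpAddress" records, so the path works only if those records exist and point at addresses clients can reach. The script compares the apex records with every address each DC holds, which is where a dual-NIC DC goes wrong, and then shows the Netlogon setting that stops DCs registering those records, which is the usual adjustment for a same-name public domain. The domain name is read from AD; the back-end NIC alias is a placeholder.

```powershell
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot

# 1. What the apex resolves to now, next to every address each DC registers.
$apex = (Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A').IPAddress
"Apex A records for ${Domain}: $(if ($apex) { $apex -join ', ' } else { 'NONE' })"

foreach ($dc in Get-ADDomainController -Filter *) {
    $ips = (Resolve-DnsName -Name $dc.HostName -Type A | Where-Object Type -eq 'A').IPAddress
    foreach ($ip in $ips) {
        '{0,-30} {1,-16} at apex: {2}' -f $dc.HostName, $ip, ($apex -contains $ip)
    }
}
# A DC with two NICs registers both addresses unless the second NIC is excluded from DNS
# registration. An apex record that points at a replication or backup network no client can
# reach gives exactly the "not available" symptom for \\domain. On each DC, for the back-end NIC:
#   Set-DnsClient -InterfaceAlias 'Backend' -RegisterThisConnectionsAddress $false
#   nltest /dsregdns        # then re-register the locator records from the remaining NIC

# 2. The path itself, and which DC the locator would hand out for it.
Test-Path "\\$Domain\SYSVOL"
nltest /dsgetdc:$Domain

# 3. Same-name public domain: keep the DCs from registering the apex A records at all, so
#    example.com inside the network can be pointed at the web server instead of at the DCs.
#    This is Netlogon's DnsAvoidRegisterRecords value (GPO: Computer Configuration >
#    Administrative Templates > System > Net Logon > DC Locator DNS Records > "Specify DC
#    Locator DNS records not registered by the DCs", mnemonic LdapIpAddress). Apply on every
#    DC, delete the existing apex A records from the zone, then test \\example.com\SYSVOL and
#    Group Policy processing from a client before rolling it out.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $nl -Name DnsAvoidRegisterRecords -Type MultiString -Value @('LdapIpAddress')
Restart-Service Netlogon
Get-ItemProperty -Path $nl -Name DnsAvoidRegisterRecords
```

For the dual-NIC case in this post, the first section is the one to read: if an apex record carries an address from the second NIC, fix registration on that NIC rather than editing DNS by hand, or Netlogon re-creates the record within the hour.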

How do i join a computer in a DMZ to an 'internal' domain


Hi,

I am required to join a computer in a DMZ to an internal domain and add a domain user to the local Administrators group on the computer. How do I do that, and is there a best practice regarding this?
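An added example, not part of the post above, in two halves: from the DMZ host, confirm the firewall allows the traffic a domain member needs towards the designated DC, then join into a dedicated OU and grant the domain account local administrator rights, with the least-privilege form in the comments. The domain, DC, OU and account names are placeholders.

```powershell
$Domain = 'corp.example'
$DC     = 'dc1.corp.example'      # the DC(s) the DMZ rule permits; restrict the rule to these, not to the LAN
$User   = 'CORP\dmz-admin'

# 1. Ports a domain member needs to a DC (TCP; UDP noted where it also applies).
$checks = @(
    @{ Port = 53;   Use = 'DNS (also UDP)' },
    @{ Port = 88;   Use = 'Kerberos (also UDP)' },
    @{ Port = 135;  Use = 'RPC endpoint mapper' },
    @{ Port = 389;  Use = 'LDAP (also UDP, for locator pings)' },
    @{ Port = 445;  Use = 'SMB: join, SYSVOL, Group Policy' },
    @{ Port = 464;  Use = 'Kerberos password change' },
    @{ Port = 636;  Use = 'LDAPS (if used)' },
    @{ Port = 3268; Use = 'Global catalog' }
)
foreach ($c in $checks) {
    $ok = (Test-NetConnection -ComputerName $DC -Port $c.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,6} {1,-8} {2}' -f $c.Port, $(if ($ok) { 'open' } else { 'BLOCKED' }), $c.Use
}
# Also required: the RPC dynamic range (TCP 49152-65535 on Server 2008 and later) for the join
# and for Group Policy, and UDP 123 for time. Neither can be spot-tested with a TCP connect;
# verify them on the firewall rule itself.

# 2. Join into an OU reserved for DMZ members, so DMZ-specific policy (restricted local admins,
#    no cached domain credentials, tightened firewall profile) can be linked to it. Use an
#    account delegated to join computers to that OU rather than a domain admin on a DMZ box.
Add-Computer -DomainName $Domain -OUPath 'OU=DMZ,DC=corp,DC=example' -Credential (Get-Credential) -Restart

# 3. After the reboot, local Administrators membership. 'net localgroup' works on every
#    supported Windows version; Add-LocalGroupMember exists from Windows 10 / Server 2016.
net localgroup Administrators $User /add
net localgroup Administrators
# Least-privilege form: grant a domain group (e.g. CORP\DMZ-Web-Admins) instead of a person, and
# enforce the membership through Group Policy (Restricted Groups, or Group Policy Preferences >
# Local Users and Groups) linked to the DMZ OU, so that additions made by hand are reverted.
```

Keep the DMZ firewall rule scoped to the named DCs and to these ports; a rule that opens the DMZ host to the whole internal network turns a compromised DMZ box into a foothold on the domain.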

users objects with 2 UPNS - default connection broke


We have an AD domain with a .local extension, which is different from our actual domain. So, at the user object level in AD, the primary UPN is logonname@addomain.local.

To implement Office 365, we needed to have the actual domain. So when creating user objects, we set the UPN as logonname@actualdomain.edu. So the new primary UPN is logonname@actualdomain.edu.

After we changed the primary UPN, I am able to see 2 UPN suffixes in the drop-down on the Account tab. The first one was @actualdomain.edu and the second one was @addomain.local (default).

We were thinking that when users log in they could use either one of these UPNs, but as soon as we added logonname@actualdomain.edu as the primary UPN, it broke the existing connection (@addomain.local). Applications with addomain.local\username broke. What are we doing wrong? Should we add alternate UPNs (or UPN suffixes) at the domain level or at the OU level?


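An added example, not part of the post above. It registers the routable suffix at the forest level, changes one user's UPN while leaving the sAMAccountName alone, and then tests which logon-name forms a DC accepts afterwards, so the effect of the change is measured rather than assumed. addomain.local and actualdomain.edu are the names from the post; 'jdoe' is a placeholder account.

```powershell
Import-Module ActiveDirectory

# 1. Register the suffix once, forest-wide. This is what makes it appear in the UPN drop-down.
#    Setting uPNSuffixes on an OU only narrows the choices ADUC offers for that OU; it is not
#    what decides which suffixes can log on.
Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{ Add = 'actualdomain.edu' }
(Get-ADForest).UPNSuffixes

# 2. Change one user. A user object has exactly one userPrincipalName; the sAMAccountName
#    (the "pre-Windows 2000" logon name used by DOMAIN\user) is a separate attribute and is
#    not touched here.
$u = Get-ADUser jdoe -Properties UserPrincipalName, SamAccountName
Set-ADUser $u -UserPrincipalName ('{0}@actualdomain.edu' -f $u.SamAccountName)
Get-ADUser jdoe | Select-Object UserPrincipalName, SamAccountName

# 3. Which logon-name forms authenticate now. Each is tried as the credential for an LDAP
#    query against a DC, which is the same check an application does when it binds.
$nb = (Get-ADDomain).NetBIOSName
foreach ($name in 'jdoe@actualdomain.edu', 'jdoe@addomain.local', "$nb\jdoe") {
    $cred = Get-Credential -UserName $name -Message "Password for $name"
    $ok = try { Get-ADUser jdoe -Credential $cred -ErrorAction Stop | Out-Null; 'authenticates' }
          catch { "FAILED: $($_.Exception.Message)" }
    '{0,-28} {1}' -f $name, $ok
}
```

Applications that use the DOMAIN\username form bind with the sAMAccountName, which step 2 leaves unchanged, so if those broke at the same time the UPN was changed, compare the account's sAMAccountName and the application's configured bind name before and after, and check whether the tool that set the UPN also rewrote other attributes.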

ADFS SSO and SAML


We use a third party application that is currently using CAS for SSO. We want the application to use ADFS SSO.

I followed tons of articles on the Internet on setting it up right, because the vendor didn't have any documentation on how to make it work with ADFS. They support simple SAML authentication and need the attribute to be passed as "NameID". The attribute to use from Active Directory is the sAMAccountName.

So this was what was done:

1. Created a relying party trust with the endpoint set to the vendor's SAML link, with binding set to "POST". SHA-1 was used.

2. Created an issuance transform rule that used the LDAP attribute "SAM-Account-Name" with outgoing claim type "NameID".

This doesn't work. The vendor says they see the SAML connection from our end but the value being passed is NULL. A tr
ace from Fiddler shows
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />

So basically, here is what we need:

Pass the sAMAccountName from Active Directory to their SAML service as "NameID". Can someone please advise on how exactly this can be done?
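An added example, not part of the post above. urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy is the service provider saying that the NameID it received (or did not receive) does not satisfy the Format in the <samlp:NameIDPolicy> of its own AuthnRequest. A NameID claim issued straight from the LDAP attribute store carries no format, so the two rules below first pull sAMAccountName into a temporary claim and then issue it as NameID with the format property set. 'VendorApp' is a placeholder trust name and the format string is an assumption: copy the real one from the AuthnRequest in the Fiddler capture.

```powershell
$Trust  = 'VendorApp'                                             # placeholder relying party name
$Format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' # assumed; take it from <samlp:NameIDPolicy Format="...">

$rules = @"
@RuleName = "sAMAccountName into a temporary claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/sam"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "NameID with the format the SP asks for"
c:[Type == "http://temp/sam"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "$Format");
"@

# Replace the rule set on the trust (the 'add' verb keeps the temporary claim out of the token).
Set-AdfsRelyingPartyTrust -TargetName $Trust -IssuanceTransformRules $rules

# A trust with no authorization rule issues no token at all, whatever the transform rules say.
Set-AdfsRelyingPartyTrust -TargetName $Trust -IssuanceAuthorizationRules '@RuleName = "Permit all" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Check the result, including the signature algorithm: the post switched to SHA-1, which the
# vendor must also expect, or signature validation fails before NameID is even examined.
Get-AdfsRelyingPartyTrust -Name $Trust | Select-Object Name, SignatureAlgorithm, IssuanceTransformRules
```

After the change, take a new Fiddler capture of the Response: the Assertion should now contain <saml:NameID Format="...">jdoe</saml:NameID> with the same Format value the AuthnRequest asked for; if the SP asks for the "persistent" or "emailAddress" format instead, change only $Format, not the rules.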

ADFS Authentication


Hello everyone,

I hope I chose the right forum.

I have a Windows Server 2012 R2 with ADFS and DirSync.

The test ADFS server (without WAP) has FBA and WIA enabled.

Every time I connect from the Internet or intranet, ADFS chooses WIA and not FBA.

I tested it with a non-domain-joined server.

How does ADFS decide which authentication to use?

Thanks
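An added example, not part of the post above. AD FS on Windows Server 2012 R2 decides in two steps: a request that did not come through a Web Application Proxy is treated as intranet, and for intranet requests Windows Integrated Authentication is tried first whenever the browser's User-Agent matches one of the WIASupportedUserAgents entries, with forms used otherwise. A non-domain-joined test machine running a matching browser therefore gets the WIA prompt, and with no WAP in front of the server nothing counts as extranet. The commands show both settings and the change that yields forms on a WAP-less test server; no names from the post are needed.

```powershell
# 1. Providers enabled per side, and the user agents that route to WIA on the intranet side.
Get-AdfsGlobalAuthenticationPolicy | Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
(Get-AdfsProperties).WIASupportedUserAgents

# 2. Forms for every intranet request (which, without a WAP, means every request).
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('FormsAuthentication')

# 3. To keep WIA for domain-joined browsers and still get forms elsewhere, leave both providers
#    on the intranet side and put the WAP back: requests through it are extranet and follow
#    PrimaryExtranetAuthenticationProvider instead. Restore the original intranet setting with:
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

# 4. The user-agent list is also where non-IE browsers are added if WIA is wanted for them;
#    an agent that matches no entry falls through to forms even when WIA is enabled.
$ua = (Get-AdfsProperties).WIASupportedUserAgents
Set-AdfsProperties -WIASupportedUserAgents ($ua + 'Mozilla/5.0 (Windows NT')
(Get-AdfsProperties).WIASupportedUserAgents
```

The WIA/forms decision is made per request from these two lists, so the quickest way to confirm which branch a given client took is to compare its User-Agent header (visible in Fiddler) against the WIASupportedUserAgents output.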

ADFS Sizing


Team,

I am planning to build ADFS 3.0 and I would like to have high availability for the ADFS servers. There are almost 17000 users who need to access the O365 service. Could you please help with this?

Is there a sizing calculator?

Can I use SQL for the ADFS database, or WID?

Please give more details on this.

Thanks 

SID History Authentication With Disabled Target Account


BACKGROUND:

  • Users migrated to new domain with the SID value of their old domain user account added to the SID History property on their new domain user account
  • Old domain still in use as file servers haven't migrated to new domain
  • Old domain user accounts still exist to provision access to old domain file servers
  • New domain and old domain user accounts are both enabled

GOAL:

Determine if disabling the old domain user accounts will cause the new domain accounts to be unable to access the old domain file servers.

THOUGHTS:

From TechNet article: "When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user — the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client and are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SID-History, can allow or deny the user access."

QUESTION:

If the old domain user account is disabled, will this disallow access to the group memberships of the disabled old domain user account and thereby make it so the new domain user account can't access resources on the old domain file servers?
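An added example, not part of the post above. It does not settle the question; it gives the test to run before and after disabling an old-domain account. The first part collects every SID the new-domain account can present (its own SID, its sIDHistory, its groups and their sIDHistory), and the second matches those against the ACEs on an old-domain share, including the case where the grantee is an old-domain group that contains one of those SIDs as a member, which is what the old domain's DCs expand at access time. Domain, DC, user and path names are placeholders; run it from a machine that can reach both domains, then repeat it and an actual file access as the new user after disabling the old account.

```powershell
Import-Module ActiveDirectory
$NewUser = 'jdoe'                      # placeholder new-domain account
$NewDc   = 'dc1.new.example'           # placeholder DC in the new (account) domain
$OldDc   = 'dc1.old.example'           # placeholder DC in the old (resource) domain
$Path    = '\\fs1.old.example\share'   # placeholder old-domain share

# 1. Every SID the new account can present.
$u = Get-ADUser $NewUser -Server $NewDc -Properties sIDHistory
$sids = @($u.SID.Value) + @($u.sIDHistory | ForEach-Object { $_.Value })
foreach ($g in Get-ADPrincipalGroupMembership $u -Server $NewDc) {
    $go = Get-ADGroup $g -Server $NewDc -Properties sIDHistory
    $sids += $go.SID.Value
    $sids += @($go.sIDHistory | ForEach-Object { $_.Value })
}
$sids = $sids | Sort-Object -Unique
"SIDs carried by ${NewUser}: $($sids.Count)"

# 2. Each ACE on the share: granted to one of those SIDs directly, or to an old-domain group
#    that has one of them as a (possibly disabled) member?
$old = Get-ADDomain -Server $OldDc
(Get-Acl -Path $Path).Access | ForEach-Object {
    $aceSid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $match = 'no'
    if ($sids -contains $aceSid) {
        $match = 'direct'
    } elseif ($aceSid -like "$($old.DomainSID.Value)-*") {
        $members = Get-ADGroupMember -Identity $aceSid -Server $OldDc -Recursive -ErrorAction SilentlyContinue
        $hit = $members | Where-Object { $sids -contains $_.SID.Value } | Select-Object -First 1
        if ($hit) {
            $uac = (Get-ADObject $hit -Server $OldDc -Properties userAccountControl).userAccountControl
            $match = 'via old group member {0} (enabled: {1})' -f $hit.SamAccountName, (($uac -band 2) -eq 0)
        }
    }
    [pscustomobject]@{ Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights; Type = $_.AccessControlType; Match = $match }
} | Format-Table -AutoSize
```

Rows marked "direct" are granted to a SID the new account carries in its own token and do not depend on the old account at all. Rows marked "via old group member" are the ones the question is about: the old account's SID reaches the group only through sIDHistory, so run the same access test as the new user with the old account disabled and compare.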

failed to authenticate to DC (event ID 3210)


I'm troubleshooting different workstation slowness scenarios, and one of the concerning event IDs is 3210, which indicates some authorization issue between the client computer and the domain. Group policy errors (lack of connectivity to a domain controller) also follow this error.

I'm trying to solve this event ID 3210 issue without success; so far I've done:

- Ports are open between the client and the DC (I ran PortQry tests)
- The computer is 100% patched, KB2958122 included.
- Computer account deleted, computer re-joined to the domain

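An added example, not part of the post above. Netlogon event 3210 is the workstation reporting that it could not authenticate its own computer account to the named DC, that is, a secure-channel failure; Group Policy runs as the computer account, so it fails to reach a DC for the same reason. The commands show which DC the channel is bound to and whether it is usable, pull the 3210 entries to see if they always name the same DC, and repair the channel in place, which is cheaper than the delete-and-rejoin already tried. Run elevated on an affected client; 'corp.example' is a placeholder domain.

```powershell
$Domain = 'corp.example'

# 1. Which DC the client's channel is bound to, and whether it is usable right now.
nltest /sc_query:$Domain
Test-ComputerSecureChannel -Verbose         # False means the channel is broken

# 2. The recent 3210 events, first line only: the DC name in them tells you whether the
#    failure follows one particular DC or happens against all of them.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

# 3. Path to the DC the locator picks now, on the ports the channel uses.
$dc = (nltest /dsgetdc:$Domain | Select-String 'DC: \\\\(\S+)').Matches[0].Groups[1].Value
foreach ($p in 88, 135, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-30} {1,5} {2}' -f $dc, $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 4. Repair in place: resets the computer account password on both the client and the DC.
Test-ComputerSecureChannel -Repair -Credential (Get-Credential "$Domain\Administrator")
Test-ComputerSecureChannel

# 5. If the channel breaks again later, compare the computer object's password timestamp on
#    several DCs; a DC that lags behind the one the client used still holds the old password,
#    and a client restored from an older image or snapshot brings the old password back itself.
foreach ($c in Get-ADDomainController -Filter *) {
    Get-ADComputer $env:COMPUTERNAME -Server $c.HostName -Properties PasswordLastSet |
        Select-Object @{ n = 'DC'; e = { $c.HostName } }, PasswordLastSet
}
```

Step 5 needs the ActiveDirectory module on the client (RSAT); where that is not installed, the same comparison can be made from a DC by querying each DC with -Server.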
