Channel: Directory Services forum

ADFS 3.0 - 2 servers in domain


Hi,

First of all, apologies if this is in the wrong area.

I've been asked to design an ADFS 3.0 deployment that will replace an existing ADFS 2.0 deployment in another domain.

The ADFS 3.0 design has to be the same as the ADFS 2.0 design. The current design has 2 ADFS servers that are standalone, and config changes are made manually on both servers (only one is active at any point in time). If the primary fails, then a DNS update is made to point users to the other ADFS server.

Now, looking at ADFS 3.0, I see that the standalone option is removed. My question is: Is it possible to replicate this design in ADFS 3.0? Or will the installer know that there is already an existing ADFS server when I come to install the second?

I know this is not the best approach and it would be far easier to use a farm, but unfortunately this is what has been requested.

Thanks

David


Can AD FS 2.0 (Windows Server 2008) work with AD FS 3.0 (Windows Server 2012)?


Hi all,

I'm looking at an AD FS deployment to establish a federation trust between two domain controllers, A and B. Domain controller A has AD FS 2.0 deployed on Windows Server 2008, while domain controller B has AD FS 3.0 deployed on Windows Server 2012.

Can this case work with two different AD FS versions?

Your suggestion would be greatly appreciated.

Regards,
-T.s


Thuan Soldier
A 23-year-old man loving Microsoft technologies and making crazy ideas on business journey.
SharePoint Vietnam | Blog | Twitter

Want to be the Microsoft TechNet Windows Server Guru for September?


All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Account options password after migration via ADMT

Hi,

There are some issues with account passwords after migration via ADMT.

1) The migrated user accounts get "User must change password at next logon".
2) "User cannot change password" has been removed after migration.
3) "Password never expires" has been removed after migration.

It would be greatly appreciated if you could help me.

Thank you in advance
Kazuo Ieiri


Disable users who never logged on


Hello,

I ran an LDAP query to find out which users have never logged on: (&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*)))). I found a lot of users. How can I disable all these users by LDAP query or PowerShell?

Regards,

temporary profiles


Hi All,

I have two load-balanced RDS session hosts, each with a capacity of 70 logins, which we usually use to log in to other servers in the infrastructure.

These two RDS session hosts are also member servers of the domain.

But every time users log in, temporary profiles are created. Kindly advise how to troubleshoot the issue.

It is Windows 2012 R2.

Thanks!!

We used Fine Grained Password Policy to rollout a new policy by Office


But, can we now switch folks back to the "default" domain password policy which has been updated with our newer requirements?

We are having a problem with Citrix 7.6 where people on the FGPP don't get early warnings or a display to change their password.

Suggestions?

Thanks

Ron

Configure the DHCP correctly


In WS 2012 R2 preentered into DHCP

169.254.xxx.yyy        Reservation(inactive)

In my host machine after "ipconfig /release"

DHCP enabled......Yes

Autoconfiguration IPv4 Address........169.254.xxx.yyy(Preferred)

After release in WS 2012 R2 Reservation(inactive) still.

Why?

Is it that the Internet connection is Limited but the networking should still be up.

Did I not configure the DHCP correctly but I even configured the IPv6 Addresses, all of them even the Temps.

As a last cry for help I ran "ipconfig /renew" the error was:

"An error occurred while renewing interface Local Area Connection : unable to contact your DHCP server.  Request has timed out."


What is the purpose of creating a site in Sites and Services without a DC?

What is the purpose of creating a site in Sites and Services without a DC? In which scenario could it be configured like that?

New Objects not showing up in GPMC


Hi, I have just come across an issue with AD and GPMC on Server 2012 R2.

When I create a new OU in the ADUC console it does not appear in the tree when browsing the Group Policy console.

Also, if I create a new group I cannot find it when creating policies in GPMC.

There is more than one DC, and replication seems to be fine, with the new OU and group showing up on all DCs.

These are not default containers I am trying to access, but a newly created OU and group.


Any idea what would cause this?

DFS replication does not start due to lack of disk space.



Hello everybody, I'm trying to replicate data from one volume, F:\ of 700 GB, which has 690 GB of space in use; the data is replicated to a volume on another server, also F:\, of 1.5 TB.

The replication does not happen, although there are no errors in the Event Viewer. The report generated in DFSR then brought me the information below.

WARNINGS (There are 2 warnings to report)
       
 This member is waiting for initial replication for replicated folder F.  
  Affected replicated folders: F
  Description: This member is waiting for initial replication for replicated folder F and is not currently participating in replication. This delay can occur because the member is waiting for the DFS Replication service to retrieve replication settings from Active Directory Domain Services. After the member detects that it is part of replication group, the member will begin initial replication.  
  Last occurred: Monday, September 28, 2015 at 10:14:10 AM (GMT-3:00)
  Suggested action: Replication will begin after initial replication is complete. If this state does not change, see The Microsoft Web Site.  
       
 Volume F: is low on disk space.  
  Affected replicated folders: F
  Description: Volume F: is low on disk space. If this volume becomes full, the DFS Replication service will stop replication on the volume.  
  Last occurred: Monday, September 28, 2015 at 10:14:11 AM (GMT-3:00)
  Suggested action: Increase available disk space on the specified volume or move the replicated folder to a different volume. See additional information about disk space under the informational section in the table titled "Current used and free disk space on volumes where replicated folders are stored.”  

This is on the source server, where the files will go. Does this mean that this disk must have free disk space to start replication? Would it not be only on the destination server disk?

Any tips on how I can solve this issue? Because I cannot increase the size of the source server disk where the files are.

Thank you !



Ivanildo Teixeira Galvão

ADFS iOS app not authenticating

We are using an iOS and Android app that uses ADFS for authentication, but we are not getting the login prompt. It just goes right to not authorized, so it's like it's just trying to do Windows integrated authentication and obviously can't and fails. The weird thing is I can open this service's website and the authentication works fine. Also, the app works offsite when connecting through the ADFS proxy server. Anyone have any ideas?

Change of DC IP Address - What issues will arise?


Hi,

We will be changing the IP address/host name of current DC, if the DC holds some FSMO roles will doing this cause any problems? We will be changing the IP address/host name so it should be about a minute switch over. Will this cause any problems if the DC holds any FSMO roles or services? Do any commands need to be run after doing this?

We have other DCs in the domain.

RODC


I had a question I could not find anything on in the forums or TechNet: if you have an RODC, and you have a user who is added outside the replication period for the RODC, and the user tries to log in and there is no account in the RODC or password cached, what happens to that authentication request? Does it get forwarded to the RWDC or does it just get denied?

Domain Controller computer objects, adminCount and AdminSDHolder


According to every article I've read, the "Domain Controllers" group is protected by AD. The group does in fact have adminCount set to 1. The same applies to the "Read-only Domain Controllers" group. 

However the members are of course domain controllers, none of which have adminCount set and the ACL does not match AdminSDHolder. (I know that if the ACLs already match, adminCount is not necessarily set to 1 when the check runs)

I see other computer objects (with adminCount=1) that are being protected, so it's not that computer objects are excluded. It just does not seem to apply to any domain controllers, even though the groups they're in are protected. 

What am I missing here? 

Andreas


Restrict trust traffic to specific site


Hi,

we have a multi-tenant Active Directory supporting a cloud workspace based on Citrix XenApp/XenDesktop. So many customers in 1 AD, each in their own OU. We have dedicated WAN links to many customer sites.

We've received a request from 1 customer to connect our AD to their (resource) forest using a Forest Trust, but since the customer uses the same IP range as one of our other customers we've implemented Source-NAT on the WAN link. I know that AD traffic and trusts in combination with Source-NAT are unsupported, but would it be a possible (and supported!) solution to set up 2 dedicated domain controllers in a separate site and configure Sites & Services in both forests to use the same site name? In this scenario the 'Core' domain controllers in the default site would not be accessible/routable from the remote forest.

Is there a way to link an SSH key in AD?

Is there a way to link an SSH key to an AD account, or is there nothing in AD for that?

Server 2012 R2 password expiry notification not showing, and password GPO being ignored


Hi,

We have a domain running on two 2012 R2 domain controllers. We had a password and account lockout policy set in our default domain policy, which had some basic password settings, and no lockout policy. It also set a password expiry notification of 7 days.

We then wanted to set up fine grained password policies, for which we were pointed towards AD Administrative Center. We set up two password policies in here, one with basic requirements for the password and account lockout, and another with no password expiry. We set each of these to link to different groups.

This caused us some issues with accounts being locked out far too often, including system accounts, which stopped some services. We decided to remove these two password policies from the Administrative Center, and go back to using our original settings in the GPO.

Oddly, accounts were still being locked out, even though our default domain policy had no such settings. Also, our expiry notification stopped showing.

The only way I have found so far to fix the account lockout issue, is to go back to the administrative center, and create a policy with the same settings as in the GPO. This unfortunately, has not fixed the expiry notification issue.

Is it possible the previous policies we had have left some remnant which is causing these problems? Can anyone advise what I can check to determine why our GPO was not applying as expected?

Many thanks

Eds

To point client to specific DC


Hi All,

We want to test a logon script by adding it to the group policy on a test DC. Now we want a couple of client machines to be authenticated by or connected to this test DC. Please let us know how we can point these client machines to this test DC.

Thanks


Incorrect member attribute for the "Domain User" group. PowerShell also shows incorrect count.


I am working with an application vendor. This application needs to import a list of Active Directory users. The application needs an AD group as part of its search.

I told the vendor to use the built in group “Domain Users”

I expected the user list to be around 40,000 if the application excluded disabled user accounts.

The application only returned 46 users…

If I open the group in ADUC I can see thousands of users in the Members tab. If I open the attribute editor tab and go to the “member” attribute I can see only 46 users.

PowerShell confirms this discrepancy. If I run a command to list the member attribute via Get-ADGroup I receive 46 users. If I use Get-ADGroupMember, PowerShell will return all 40k users.

Is there any way to fix the attribute on this group?

When new users are added "Domain Users" is the default group they are added to. How can I fix this permanently for new users?


