Hi,

we are facing some issue from outlook 2010 and outlook 2007 

its asking password for some of the users only  we are having Exchange 2010 HA 

i have checked the outlook SP also installed properly 

i'm putting outlook log for your reference 

2015.10.30 13:15:42 <<<< Logging Started (level is LTF_TRACE) >>>>

Kindly help me to resolve the problem

I am running a 2008R2 domain.  This is a weird one, but I have tried creating 4-5 GPOs onmultiple DCs. They create fine, but when I go to edit(as domain admin) them I try to open startup(go into sysvol) and I have permissions problems. I cannot save anything. If I browse to C:\Windows\Sysvol\... on any DC, I also run into security isses. My problem is the same as this

https://technet.microsoft.com/en-us/library/cc816750(v=ws.10).aspx

I just transferred my PDC emulator to another DC and that did not fix it either, but resetting the permissions on sysvol sounds a little scary.  I have not called Microsoft support in 10 years and thinking calling them for this because I need to make sure the permissions from the 250 GPOs I have do not get messed up.  Has anyone done this before?  I did just happen to bring (2)new DCs online last night, but they seem fine. Output from dcdiag looks good, and the MS AD Replication Tool is showing everything in sync. 

Here are the permissions I am seeing on the newly created GPO when logged into a DC as Domain Admin

              CONTOSO\Enterprise Admins:(OI)(CI)(F)

              NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)

              NT AUTHORITY\SYSTEM:(OI)(CI)(F)

              CREATOR OWNER:(OI)(CI)(IO)(F)

              CONTOSO\domadminuser-da:(OI)(CI)(F)

Here are the permissions I see when logged on a DC and check C:\Windows\Sysvol

c:\windows\SYSVOL NT AUTHORITY\Authenticated Users:(RX)

                 NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)

                 BUILTIN\Server Operators:(RX)

                 BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)

                 BUILTIN\Administrators:(M,WDAC,WO)

                 BUILTIN\Administrators:(OI)(CI)(IO)(F)

                 NT AUTHORITY\SYSTEM:(F)

                 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)

                 BUILTIN\Administrators:(M,WDAC,WO)

                 CREATOR OWNER:(OI)(CI)(IO)(F)

Thanks,

Dave

Good morning People :),

I will go straight to the problem.

We are trying to create Active Directory groups on which we will limit access to the OWA and MAPI outside company.

There are two groups one with granted permission other one with declined permission.

The problem is as follows:

One of this group is denying access outside company and allowing to access OWA and MAPI inside company. The claim is based on IP addresses that we are using in the company. Unfortunatelly that doesn't work. Rules are below.

exists([Type == "h**p://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&

exists([Type == "h**p://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-1177238915-764733703-1202660629-7711"]) &&

NOT exists([Type == "h**p://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",

Value=~"\b10\.68\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-5])\b"])

=> issue(Type = "h**p://schemas.microsoft.com/authorization/claims/deny", Value = "true");

exists([Type == "h**p://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&

exists([Type == "h**p://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-1177238915-764733703-1202660629-7711"]) &&

NOT exists([Type == "h**p://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",

Value=~"\b10\.68\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))"])

=> issue(Type = "h**p://schemas.microsoft.com/authorization/claims/deny", Value = "true");

 Those rules are in the ADFS Proxy server.

There is a chance that I've made mistake but unfortunatelly I'm not an expert to solve this by my self and I need help.

Thank you.

Hello,

I have an Asp.Net application that communicate with ADFS(on some other Windows Server) for authentication purpose. Currently, when we navigate to application, it redirects to ADFS SSO authentication page. I followed this blog to implement SSO and have some questions here:

1. Can we change implementation so that it may redirect to authentication page only when I press login button ?
2. Can we change implementation so that only one page/URL of my application can be accessed without any authentication ?
3. What parameters are returned when user is authenticated and redirected back to landing page. How do we get all available parameters ? Can I get email or username ? so that I may link that person to a client in my application.

If anyone of above is possible, how I can get it ?

hello

I create vpn connection with gpo like picture. but it dosnt work. it create in client but when i connect to this vpn the tunnel doent connect to 192.168.30.6. I undrestand it when i type tracert 8.8.8.8.

In another picture you can see this.

why?my domain is 2003.

help me

I have a root domain (AUN.local) & a child domain (MUS.AUN.LOCAL) now i am planning to add new tree in this forest (INT.LOCAL) my question is that can INT.LOCAL users can login in (MUS.AUN.LOCAL) and vice-versa, is there any trust created between (MUS.AUN.LOCAL) and (INT.LOCAL) by default.

Hi,

After patching, I am unable to connect my Prod PDC .Getting an error like below when I am RDP using Host name. But using IP I am able to login to PDC

Hi, 

Noticed one issue after patching in one of the production domain controller.When tried login with hostname getting below attached error,but we are able to login with IP Address. One important thing is we are not using microsoft DNS, the one we are using is corporate DNS.

Also Dcdiag shows this error.

Testing server: Bangalore\Prod-DC-INC-001
      Starting test: Connectivity
         Both IPV4 and IPV6 channels are disabled on all adapter cards of the
         local server. Hence no connectivity to the server.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... Prod-DC-INC-001 failed test Connectivity

The results for September's TechNet Guru competition have been posted!

http://blogs.technet.com/b/wikininjas/archive/2015/10/19/the-microsoft-technet-guru-awards-september-2015.aspx

Below is a summary of the medal winners for September. The last column being a few of the comments from the judges.

Unfortunately, runners up and their judge feedback comments had to be trimmed from THIS post, to fit into the forum's 60,000 character limit, however the full version is available on TechNet Wiki.

Some articles only just missed out, so we may be returning to discuss those too, in future blogs.
 

BizTalk Technical Guru - September 2015

Forefront Identity Manager Technical Guru - September 2015

Also worth a mention were the other entries this month:

• FIM 2010 & MIM2016: Virtualisation support byPeter Geelen - MSFT   
  Søren Granfeldt: "Another great article Peter"  
  Ed Price: "Great use of links for readers to dig deeper!"

Microsoft Azure Technical Guru - September 2015

Also worth a mention were the other entries this month:

• Azure Active Directory integration with Salesforce 'Sandbox' bySamir Farhat       
  JH: "Haven't worked with Salesforce yet, but the steps are explained in a good detail."   
  Ed Price: "Good job with the images, and the table is incredibly useful! I love having setting broken down like that in a clear way."
• Microsoft Azure Redis Cache - Implementation of a service to work cache data by João Sousa
  JH: "Short intro. Needs some more explanations and detailed code snippets."   
  Ed Price: "Fantastic topic! Great formatting on the code snippets!"
• Full Home Automation with Azure & Voice Assistance using Intel Galileo Gen 1 & Windows 10 by Rishabh Banga
  JH: "Is already present in the "Universal Windows Apps" section"   
  Ed Price: "Cool and fun topic! Good job on this. This one got judged in the "Universal Windows Apps" category instead. Please only submit each article into one category."
• Microsoft Azure - Create Cloud Service with specific .NET Framework by João Sousa
  JH: "Seems to be mostly the same as https://azure.microsoft.com/en-us/documentation/articles/cloud-services-dotnet-install-dotnet/" 
  Ed Price: "Great to have the images and code!"

Miscellaneous Technical Guru - September 2015

Also worth a mention were the other entries this month:

• Unity 3D Game Creation Using C# Script bySYED SHANU
  Richard Mueller: "Good images but the explanation wasn't clear to me. Also, check out the Wiki Guidelines Wiki for pointers."
  Durval Ramos: "This article awake curiosity, was well illustrated and has "See Also" section."
• Getting started with Microsoft ASP.NET WebHooks Preview byGaurav Kumar Arora
  Durval Ramos: "This article is interesting, but needed to be done to facilitate learning. e.g: TOC, images, samples,... A good start."
  Richard Mueller: "A new technology. Grammar needs work and the explanation can be improved."
• An idea to add SQL Like Functionality in LINQ by Gaurav Kumar Arora
  Durval Ramos: "This feature is very useful and has a code easier to understand "how to do", but need to add images and References."
  Richard Mueller: "A good idea. Short and sweet."

SharePoint 2010 / 2013 Technical Guru - September 2015

Also worth a mention were the other entries this month:

• SharePoint site down "An application error occurred on the server" web.config error by Inderjeet Singh Jaggi
  Ashutosh Singh: "Needs tidy and more"
  TN: "This error can be caused by many reasons."

Small Basic Technical Guru - September 2015

SQL BI and Power BI Technical Guru - September 2015

Also worth a mention were the other entries this month:

• SSRS: Join data from different SSRS data sources into data set by sergey vdovin
  PT: "At first I had mixed feelings about promoting these techniques as a best practice, given the level of complexity. However your approach to this challenging problem well executed and clearly explained. Thank you for posting this useful information."
  RB: "Not much information here, apart from link to github projects"
  OT:"I personally don´t see any greater benefit in writing a separate article and referring an already existing one without pointing out really new stuff. The old one is pretty good and although the author does not get much love updating this, he should in order to have the thing in one place."
  AN: "The content is not complete and the "Solution" section was written in another article. This article's very confused."

SQL Server General and Database Engine Technical Guru - September 2015

System Center Technical Guru - September 2015

Transact-SQL Technical Guru - September 2015

Universal Windows Apps Technical Guru - September 2015

Visual Basic Technical Guru - September 2015

Visual C# Technical Guru - September 2015

Also worth a mention were the other entries this month:

• MVC Web API And AngularJS: Are You Genius Game bySYED SHANU
  Carmelo La Monica: "Interesting, i don't have experience on Asp.Net, but article very interesting, good image and code snippet."
  Jaliya Udagedara: "Explains a specific application. Love the fact that a lot of images is used and sample code is available to download which helps the readers. A bit of article formatting is needed."
• Little More Information On Casting and Type Checking in C# byIsham Mohamed
  Jaliya Udagedara: "Explains the topic of the article in detail. If we can have little bit of formatting in the article, then it will be perfect."
  Carmelo La Monica: "Sometime is a problem for casting Object, but with this article we can to understand how to convert correctly an object or variable. Congrats!"
• ASP.NET MVC HangFire - Execute Jobs in Background using SQLServer by João Sousa
  Jaliya Udagedara: "I would rather change the title of the article to “Configure Hangfire in an ASP.NET MVC Application”, because that is what explained in the article. Good job!"
  Carmelo La Monica: "Great content, and useful image and code snippet. Congratulations!"
• MVC Web API and Angular JS For Word Puzzle Game bySYED SHANU
  Carmelo La Monica: "Same comment for MVC Web API And AngularJS: Are You Genius Game. Congratulations!"
  Jaliya Udagedara: "Explains a specific application. Love the fact that a lot of images is used and sample code is available to download which helps the readers. A bit of article formatting is needed."

Wiki and Portals Technical Guru - September 2015

Windows PowerShell Technical Guru - September 2015

Windows Presentation Foundation (WPF) Technical Guru - September 2015

Windows Server Technical Guru - September 2015

As mentioned above, runners up and comments were removed from this post, to fit into the forum's 60,000 character limit.

You will find the complete post, comments and feedback on the main announcement post.

Please join the discussion, add a comment, or suggest future categories.

If you have not yet contributed an article for this month, and you think you can write a more useful, clever, or better produced wiki article than the winners above, here's your chance! :D

Best regards,
Pete Laker

More about the TechNet Guru Awards:

• TechNet Guru Competitions

#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over toTechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes o become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Hi!

I've noticed that I got some replication error within my Active Directory Domain.
My domain consist of a parent domain and a child domain. The parent domain have 2 domain controllers and the child domain got 1 domain controller.

If I look at the eventlog on one of the domain controllers in the parent domain, I've got events like:
DC2    1865    Warning    Microsoft-Windows-ActiveDirectory_DomainService    Directory Service
DC2    1566    Warning    Microsoft-Windows-ActiveDirectory_DomainService    Directory Service
DC2    1311    Error        Microsoft-Windows-ActiveDirectory_DomainService    Directory Service
DC2    2042    Error        Microsoft-Windows-ActiveDirectory_DomainService    Directory Service  

Basically they're saying that connection/repliation to child domain failed.

If I run repladmin /replsummary and repladmin /showrepl I receive the following message:
(8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

DCDIAG.exe returns errors on the KKC check as well as replications against Child Domain.

I've searched the forum and found a few others with the same issue:

https://social.technet.microsoft.com/Forums/windows/en-US/a5f64f43-c44f-47cd-9bcd-9c3790e0e6ba/receiving-error-in-ad-replication-but-somehow-passed-test-replications-?forum=winserverDS
https://social.technet.microsoft.com/Forums/sharepoint/en-US/9f3919db-ade9-4a36-927c-6853d29e2e4c/the-active-directory-cannot-replicate-with-this-server-because-the-time-since-the-last-replication?forum=winserverDS
https://social.technet.microsoft.com/Forums/windowsserver/en-US/cfb99ad9-562e-4bd5-8514-911db79591ff/active-directory-replication-2042-errors-between-2-dcs-involving-lingering-objects-on-both-possibly?forum=winserverDS
https://social.technet.microsoft.com/Forums/office/en-US/7066bff9-cf19-4698-bf81-9773ecb48130/two-child-domain-controllers-with-replication-errors?forum=winserverDS

So now I'm trying to fix the replication issues as gracefully as possible by demoting the domain controller in the Child Domain with the following code:

Import-Module ADDSDeployment
Uninstall-ADDSDomainController `
-DemoteOperationMasterRole:$true `
-DnsDelegationRemovalCredential (Get-Credential) `
-IgnoreLastDnsServerForZone:$true `
-LastDomainControllerInDomain:$true `
-RemoveDnsDelegation:$true `
-RemoveApplicationPartitions:$true `
-Force:$true

but it fails with the following message:

The operation failed because:
Active Directory Domain Services could not transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=Parent,DC=local to
Active Directory Domain Controller DC1.Parent.local.

"The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

So I'm kind of stuck in a Catch-22 scenario and thinking about a "hard" removal with the following code:

Import-Module ADDSDeployment
Uninstall-ADDSDomainController `
-DemoteOperationMasterRole:$true `
-ForceRemoval:$true `
-Force:$true

So my question is:
Is there a better way to fix the issue other then doing a "hard" removal?
What kind of steps do I have to take after the "hard" removal?

PS. This is issue occurs in my home-test lab environment so I do not care too much about the domain. But since I'm studying for MS Exams I would like to know the best way to handle a situation like this.

Greetings,

When I search for select groups using ldp.exe, some attributes are not returned.

Steps I use:

1. Open ldp.exe on a domain controller
   
2. Connect to the same DC I'm logged in to
3. Bind as the currently logged on user
4. Browse menu...Search
5. Type "DC=mydomain,DC=local" as the base DN (obfuscated of course)
6. Type "(&(sAMAccountName=WorkingGroup)(objectClass=*))" as the Filter
7. Set "Subtree" as the scope
8. Type "objectClass;name;description;canonicalName;MemberOf" as the attributes
9. Click Run

This correctly returns the attributes requested, including a list of groups "WorkingGroup" is a member of.

My problem comes in where this doesn't work for all groups, of which we have hundreds (about 1.3% don't work).  This, in turn, causes things like ldap_search_s to fail when coming from our Netscaler MPX, which does nested group extractions to determine which Web Interface to send that client to.

Thanks,

Dave

I'm facing this issues of migrating a member server from a domain to another domain. When i try to join to the target domain after disjoin from the current ones. It display error "There are no more endpoints available from the endpoint mapper". After I communicate with the security team and remove the object from the DC.

I force replicate the DC so the object removed to be replicated to all DCs. Then i re-try join domain, it was successful. The server was then reboot.The issue now is that want to add an object (eg domain users) to the computer management local admin group, it will display the same error "There are no more endpoints available from the endpoint mapper".

I rebooted the server again and now in the local admin group i can only see those local users, the domain users becomes SID numbers. 

I check the netsetup log 

The NetpDoDomainJoin: status: 0x0

Any idea how to resolve this issues?

Hi Team,

In our domain, windows 7 machines are taking long time to login with domain user account. But for Windows XP machine has no problem in logging in.

Could anybody suggest, wht will be the root cause for this problem and how to overcome this?

And also, please clarify is there any differences in Logon process between XP and windows 7.

Thanks,

Dev

Hello,

I tried to remove AD DS from a DC called SERVER. First I introduced a new DC. I called this one TEMP. I let it sit and replicate. Everything was ok. Replication was fine.

So I decided to remove AD DS from SERVER using Server Manager. However I noticed that it was thinking that this was the last DC in the domain, so it tried to remove the DNS zone as well. I realized that this can't be right, so I removed AD DS using PowerShell with the -Force parameter.

Now it's all messed up. TEMP cannot even locate the domain. I cannot open AD users and computers because it says the domain doesn't exist or it can't be contacted.

And from SERVER I cannot rejoin the domain because it says, "Verification of replica failed. An Active Directory for the domain could not be contacted"

When I look in TEMP I see the c:\windows\ntds folder. So the AD database is still there. DNS shows the Primary zone. So my question is, is there any way to save this domain?

Thanks!

Hod

I am getting while exporting AD Users or Computers information from AD below is the script and error message. Can anyone help me on this. I have user count near about 15000.

Get-ADUser -Filter * -Properties * | Select-Object -Property Name,SamAccountName,Description,EmailAddress,LastLogonDate,Manager,Title,Department,whenCreated,Enabled,Company | Sort-Object -Property Name | Export-Csv -path D:\AlluserfromAD30102015.csv

I am having an issue with a single DC domain where i cannot view any properties of the user accounts in the Users OU- i can see the properties of the groups within though. 

I am not showing any errors in the event log that would point to this, or any errors when trying to access the properties i just get no window popup at all.

Any suggestions would be greatly appreciated.

Hi,

i found this warning every day on company server but didn't find anything to start troubleshooting from.

Winimage backup says everything is right and backup seems ok.

What couldn i do to stop this? Thanks

Log: Directory Service
Type: Warning
Event: 2841
Alert Time: 2015-10-27 23:08:22Z
Event Time: 03:07:12 AM 28-Oct-2015 UTC
Source: ActiveDirectory_DomainService
Category: Backup
Username: SYSTEM
Computer: SERVER.abcd.local
Description: The Active Directory Domain Services backup will be failed, because the user requested the Active Directory Domain Services stop during the backup process. The invocation ID may be changed on AD DS startu

Hi

We are currently working on a procedure for restoring our systems further from having a powercut which extends beyond support of our UPS.  We have two domain controllers

DC1 (Physical) - DNS, DHCP. We have configured this server (BIOS) to boot automatically when power is restored. 

DC2 (Virtual) - DNS. When the ESX Host boots (also boots automatically), this server is set to boot first automatically.

Each servers primary DNS is set to point at the other. 

We are trying to get to a point where if we experience a powercut that lasts for a few hours out of hours, once power is restored and DC1 and DC2 have booted, providing all automatic services have started, that we do not need to manually intervene and as both DC's are operational.

At the moment, when we test this process by rebooting both DC's out of hours, after about 10 minutes we are having to restart the DNS service as we are unable to ping servers by hostname and both DC's cannot see each other. 

Should this happen?

Hi experts,

Can dirsync tool support adfs 3.0?

Appreciate if can point to me the link for such reference.

Thanks.

Regards,

Chun Hai