Channel: Directory Services forum

List Object Mode in Active Directory


Hello everyone,

We have hosted Active Directory and we want to block customers from seeing each other. We have enabled list object mode, but when I remove List Contents from the parent OU and List Object from the child OU I am able to hide OUs from users; I mean if they open RSAT they will not be able to see the OUs. The problem here is that if they look up the users in Find or PowerShell they will be able to see them. One way is to remove the List Contents permission from the child OU. If I do that, if both "List object" and "List contents" are removed from a child OU whose parent OU has "List contents" removed, I run the risk of denying applications that rely on user accounts in an AD DS environment the ability to look up information in the domain. Is there a way to block users from seeing each other in Find? There must be a way to do this.

Thank you in advance


PCs auto join to domain


Hi friends,

I have N number of PCs in our branch; these all have different IPs, e.g. 10.20.40.50 ... 192.168.1.1 ... Can I join these types of IPs to communicate for auto join to domain?

Fine Grained Password Policy Not Taking Effect


The domain functional level is 2008.

I have set a Fine-Grained Password Policy with a maximum password age of 30 days along with other settings that are similar to existing password policies. I set the precedence number to a lower number so it would have higher precedence than any other PSO.

It is applied to a security group. I have checked each member of the security group's effectivepso using the dsquery command, and each group member shows the effectivepso as the one configured with the new password policy, maximum password age set as 30:00:00:00.

However, when I run the command net user username /domain on any of those users, the "Password expires" field still shows a date that is more than 30 days in the future.  This indicates that the policy is not being enforced.

What could be causing this issue?

I have tried doing gpupdate /force and it has not changed the output of the net user command.

I reran the query dsquery user -samid username | dsget user -effectivepso

and now it only lists the result as "effectivepso" instead of the actual pso name.

ADFS 3.0 Relay State Issue


We have recently upgraded to ADFS 3.0 on Server 2012 R2. Since one of our service providers uses the RelayState parameter, I have enabled it using the instructions I found here: http://social.msdn.microsoft.com/Forums/en-US/25239ff7-a33d-4f3e-a7a8-5a3c47d733f7/relaystate-support-in-adfs-30?forum=Geneva

I am running into an issue, however, where clicking any link involving a RelayState from this SP results in an error (below). The string the server is directing me to is: https://sso.domain.name/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=jobvite.com&RelayState=/l/default.aspx?xxxxxxxxx&target=/l/default.aspx?xxxxxxxxx&loginToRp=http://jobvite.com/saml

On ADFS 2.0 I had to create a rewrite rule to deal with this being slightly malformed. Since ADFS 3.0 doesn't use IIS, I'm not sure how to accomplish that here. Any help would be appreciated. 

-Matt

 

******************

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 

Relying Party: 

Exception details: 
Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Handlers.IdpInitiatedSignOnPageHandler.parseRelayStateParameters(WrappedHttpListenerRequest httpRequest, String& rpIdentity, String& nextRelayState)
   at Microsoft.IdentityServer.Web.Handlers.IdpInitiatedSignOnPageHandler.parseQueryParams(WrappedHttpListenerRequest httpRequest, IdpInitiatedSignOnRequestType& requestType, String& rpIdentity, String& nextRelayState, SignOnRequestParameters& signOnParameters)
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


Migrating away from Small Business Server (SBS) Standard FE


Hi All,

I have a Forest X with a single domain that has 1 DC running Small Business Server Standard FE. We want to be able to establish a trust between our primary Forest and this particular Forest X but can't because of the limitations of that OS version. We are planning on configuring another server in this single-domain Forest X with Server 2008 R2 SP2 and then adding the AD role to it. Once this is done, we would promote it as another DC and then try establishing the trust to the primary Forest. My concern is: with the other DC running SBS, is this going to cause issues? Would I have to demote the SBS DC before trying to establish a trust? I have never worked with SBS before.


Francisco Mercado Jr.

Unable to add second DC to Domain


Whenever I try to add a second DC to my Domain, both Server 2008 Standard, I get: An Active Directory domain controller for the domain my.domain.com could not be contacted. In the details, it lists that an AD DC was identified by the query, but it lists a server that isn't the DC. I have DNS pointing to my PDC only.

Modify OU Active Directory Win Server 2012 R2


Hello!

I have an Active Directory with some OUs, but I need to modify some items for each user (job title, office, description, etc.). Actually we have 250 users, and if I want to modify them step by step I will never finish, hehe.

How can I modify them from a CSV file? Can you help me?

 

Thank you!!
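
A bulk update from a CSV with the ActiveDirectory module is the usual way to do this. The script below is an added example and not code from the post; it assumes the ActiveDirectory PowerShell module on a domain-joined machine with rights to edit the users, a CSV whose first column is the sAMAccountName, and it uses a constructed CSV written to a temporary file. Until -Commit is passed, Set-ADUser runs with -WhatIf and nothing in the directory changes.

```powershell
# Added example: set job title, office, description and department for many users from a CSV.
# Assumes the ActiveDirectory module and edit rights on the target users.
Import-Module ActiveDirectory

# Constructed sample CSV; replace with your own file. Blank cells are left unchanged.
$csvText = @'
SamAccountName,Title,Office,Description,Department
jdoe,Accountant,Madrid,Finance team,Finance
asmith,Support Engineer,Lisbon,,IT
nobody,Tester,,,
'@
$csvPath = Join-Path $env:TEMP 'user-updates.csv'
Set-Content -Path $csvPath -Value $csvText -Encoding UTF8

# Only these columns are ever written; each maps one-to-one to a Set-ADUser parameter.
$allowedColumns = 'Title', 'Office', 'Description', 'Department'

function Update-UsersFromCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Commit   # without -Commit, Set-ADUser runs with -WhatIf only
    )
    foreach ($row in Import-Csv -Path $Path) {
        $sam  = $row.SamAccountName.Trim()
        $user = try { Get-ADUser -Identity $sam -ErrorAction Stop } catch { $null }
        if (-not $user) {
            [pscustomobject]@{ User = $sam; Status = 'not found'; Changed = '' }
            continue
        }
        # Build the parameter set from non-empty cells only, so a blank cell never clears a value.
        $params = @{}
        foreach ($col in $allowedColumns) {
            $value = $row.$col
            if (-not [string]::IsNullOrWhiteSpace($value)) { $params[$col] = $value.Trim() }
        }
        if ($params.Count -eq 0) {
            [pscustomobject]@{ User = $sam; Status = 'nothing to change'; Changed = '' }
            continue
        }
        Set-ADUser -Identity $user @params -WhatIf:(-not $Commit)
        [pscustomobject]@{
            User    = $sam
            Status  = $(if ($Commit) { 'updated' } else { 'dry run' })
            Changed = ($params.Keys -join ',')
        }
    }
}

# Dry run first; add -Commit once the listed changes look right.
Update-UsersFromCsv -Path $csvPath | Format-Table -AutoSize
```

The allow-list of columns is deliberate: a CSV prepared by someone else should not be able to set attributes such as group membership or the logon script just by adding a column, and the "not found" rows in the report catch typos in account names before anything is written.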

Do we have the right Site Links defined for 4 Sites?


Hi,

We have 4 Sites all independent of each other.  To ensure the best availability given one or more sites go 'dark' and ensure AD changes are replicated, we were going to define the following topology. 

Site Links:
SiteLink1 - Site1-Site2
SiteLink2 - Site1-Site3
SiteLink3 - Site2-Site4
SiteLink4 - Site3-Site4
SiteLink5 - Site1-Site4
SiteLink6 - Site2-Site3

Does this adequately cover our bases if one or more Sites become unavailable?


Thanks for your help! SdeDot
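
The six links in the post connect every pair of the four sites, so the question can be settled by checking whether the surviving sites still form a connected graph for each outage. The script below is an added example and not part of the original post; it takes the site names and link definitions from the post and assumes a link is usable whenever both of its sites are up (site link schedules and costs are ignored).

```powershell
# Added example: check site-link connectivity for every one- and two-site outage.
# Sites and links are the ones named in the post; schedules and costs are ignored.
$sites = 'Site1', 'Site2', 'Site3', 'Site4'
$siteLinks = @(
    @{ Name = 'SiteLink1'; Sites = @('Site1', 'Site2') },
    @{ Name = 'SiteLink2'; Sites = @('Site1', 'Site3') },
    @{ Name = 'SiteLink3'; Sites = @('Site2', 'Site4') },
    @{ Name = 'SiteLink4'; Sites = @('Site3', 'Site4') },
    @{ Name = 'SiteLink5'; Sites = @('Site1', 'Site4') },
    @{ Name = 'SiteLink6'; Sites = @('Site2', 'Site3') }
)

function Test-SurvivingSitesConnected {
    param(
        [Parameter(Mandatory)] [array]    $Links,
        [Parameter(Mandatory)] [string[]] $AllSites,
        [string[]] $DarkSites = @()
    )
    # Sites that are still up, and links whose two endpoints are both up.
    $alive = @($AllSites | Where-Object { $DarkSites -notcontains $_ })
    if ($alive.Count -le 1) { return $true }
    $adjacent = @{}
    foreach ($s in $alive) { $adjacent[$s] = @() }
    foreach ($l in $Links) {
        $a, $b = $l.Sites
        if ($alive -contains $a -and $alive -contains $b) {
            $adjacent[$a] += $b
            $adjacent[$b] += $a
        }
    }
    # Breadth-first search from one surviving site; connected if it reaches all of them.
    $seen = @{}
    $seen[$alive[0]] = $true
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($alive[0])
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($n in $adjacent[$current]) {
            if (-not $seen.ContainsKey($n)) { $seen[$n] = $true; $queue.Enqueue($n) }
        }
    }
    return ($seen.Count -eq $alive.Count)
}

# Every outage of one site or of two sites at once.
$scenarios = New-Object System.Collections.ArrayList
[void]$scenarios.Add(@())
foreach ($s in $sites) { [void]$scenarios.Add(@($s)) }
for ($i = 0; $i -lt $sites.Count; $i++) {
    for ($j = $i + 1; $j -lt $sites.Count; $j++) { [void]$scenarios.Add(@($sites[$i], $sites[$j])) }
}
foreach ($dark in $scenarios) {
    $ok    = Test-SurvivingSitesConnected -Links $siteLinks -AllSites $sites -DarkSites $dark
    $label = if ($dark.Count -gt 0) { $dark -join ',' } else { '(none)' }
    '{0,-12} dark -> surviving sites connected: {1}' -f $label, $ok
}
```

Every scenario comes back True: with one site dark, the other three still share three links among themselves, and with two sites dark the remaining pair has its own direct link. What the check does not cover is a link that exists but is unusable, such as a schedule window that never opens or a cost so high that the ISTG never chooses it, so the link properties still need the same review as the topology.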


Active Directory freezes


Hello, I'm currently trying to find a lead for a recurrent problem. Every 30 minutes, the Active Directory subsystem freezes for a minute.

I open an AD Users & Computers console, press F5 to refresh, and every 30 minutes there is the FREEZE. To help me know the time of the freeze in advance, I open the event viewer and open the ADWS log. Every 30 minutes it times out, saying it cannot find a DC. ADWS is not the source of the error, it's just a victim of the error. Other services also complain about the issue (AD FS). Everything you do against AD will pause for a minute (every 30 minutes). There are errors in AD, no warnings other than ADWS.

Whatever tools I use, the result is the same: MMC console, LDP.EXE, DSGET (command line).

I enabled the logs for GPO processing and it's not occurring at the same interval. I found no relation between background processing and the issue. 

If I run DCDIAG when the freeze occurs, the program just waits until AD replies. I'm running every tool locally on the DC and get the errors. When the issue happens the machine is very idle: no process taking more than 1% of CPU, storage is also sleeping, network is around 100MB/s. Nothing unusual so far. The only pattern is the damned 30 minutes. It's a mix of physical & VM DCs.


the facts:

- all DCs are 2012 R2 (fresh install)
- no antivirus
- same problem across 3 DCs (1 physical, 2 virtual), so the storage backend is different.
- DCDiag reports no error.
- The freeze occurs on all DCs.
- The client also has Exchange.

thanks for any clue

sorry the forum did a resize of the picture:

link to the full size picture 

link to waitlock.pdf  (waitlock of the lsass.exe process when the problem happens)

note: When the DCs were on 2008 R2 there was no issue, but the client replaced the DCs with 2012 R2 ones (fresh install only, no upgrades).




Best Practice for Adding Second Domain to Network


We're starting down the path of moving everything from one domain name to another. There's a rather spirited debate going on amongst us between those who think it's best to put the new domain on a separate, different network (me) and those who think the new domain would do fine on the same network and subnets.

I'm interested in the pros and cons of each and especially input from any Microsoft AD folks.


Orange County District Attorney

communicate between different domains


Can we communicate between different domains?

Please suggest any methods.

issue with w32time service in Domain Controller


Hi,

After rebooting, w32time disappears from the Domain Controller. Even after that, when I try to register the time service I get the error below.

C:\Users\sdavid>net start w32time
System error 1290 has occurred.

The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.

Can anyone help here please ?
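
Error 1290 is about the process the service shares, not about w32time alone: every service hosted in the same svchost group has to use a compatible service SID type. The script below is an added example (not from the post) that reads each service's ImagePath and ServiceSidType from the registry and lists the svchost groups that mix a restricted SID type with any other, which is the condition the error text describes. It assumes Windows PowerShell on the DC and read access to HKLM\SYSTEM; it changes nothing.

```powershell
# Added example: find svchost service groups whose members disagree on ServiceSidType.
# Registry values: 0 = None, 1 = Unrestricted, 3 = Restricted (SERVICE_SID_TYPE_*).
function Get-SvchostSidTypeConflicts {
    $root    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $byGroup = @{}
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Only services hosted by svchost.exe share a process; the -k argument names the group.
        if ($p.ImagePath -match 'svchost\.exe.*-k\s+(\S+)') { $group = $Matches[1] } else { continue }
        $sidType = if ($null -ne $p.ServiceSidType) { [int]$p.ServiceSidType } else { 0 }
        if (-not $byGroup.ContainsKey($group)) { $byGroup[$group] = @() }
        $byGroup[$group] += [pscustomobject]@{
            Group   = $group
            Service = $key.PSChildName
            SidType = $sidType
        }
    }
    # A group is a problem only when a restricted service shares it with a non-restricted one.
    foreach ($g in $byGroup.Keys) {
        $types = @($byGroup[$g] | Select-Object -ExpandProperty SidType -Unique)
        if (($types -contains 3) -and ($types.Count -gt 1)) { $byGroup[$g] }
    }
}

Get-SvchostSidTypeConflicts | Sort-Object Group, Service | Format-Table -AutoSize
```

If w32time shows up with a SID type different from the rest of its group after being re-registered, `sc.exe qsidtype w32time` confirms the current value and `sc.exe sidtype w32time <unrestricted|restricted>` sets it to match the group; the hosting process has to be restarted (or the machine rebooted) before the service will start, exactly as the error message says.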

Limit Number of allowed Concurrent connections to AD DS


Dears,

Hope all are fine and doing well.

I want to limit the number of concurrent connections to AD to 1 or 2, can you please inform me how can I do that?

Thanks

Regards

adprep 2012r2 in 2008r2 domain


I was reading through all the changes that 2012r2 makes when running ADprep, most seem to be fields related to auditing.

Are there any known issues with old devices (XP, Server 2000) after introducing a new 2012 R2 DC to a 2008 R2 environment?

Or any other known issues with any MS products? We have about every combination of MS products & versions running.


 

Can admins perform changes to AD data?


Hi everyone,

Please let me know if I am not in the appropriate forum.

I am trying to understand a control our clients have in regards to user creation monitoring in AD. They want to implement a control that will notify a specific team with the complete list of new accounts created during the last month. My question is the following:

Can I consider this report complete if I get it from AD, or is there any risk that Domain Admins can alter this information in the AD data set? I am not concerned about the report being changed during transmission, only at the source.

Please let me know if any further details are required.

Thanks in advance!

Gexhi
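
Two facts frame the question: whenCreated is a system-maintained attribute that cannot be rewritten over LDAP, but an account can be deleted before the report runs, and a Domain Admin can clear a DC's Security log. A report built from one source therefore cannot show its own gaps. The script below is an added example (not from the post) that builds last month's list from both the directory and the 4720 "user account was created" events on every DC, and reports the names that appear in only one of them. It assumes the ActiveDirectory module, Windows PowerShell 3 or later, rights to read each DC's Security log, and success auditing for User Account Management (on by default on DCs).

```powershell
# Added example: diff last month's new accounts between the directory (whenCreated)
# and Security event 4720 on each DC. Read-only.
Import-Module ActiveDirectory

function Compare-NewAccountSources {
    param([datetime] $Since = (Get-Date).AddMonths(-1))

    # Source 1: what the directory says now.
    $fromAd = foreach ($u in Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated) {
        [pscustomobject]@{ Sam = $u.SamAccountName.ToLower(); When = $u.whenCreated; Source = 'AD' }
    }

    # Source 2: 4720 events from every DC. A creation is logged only on the DC that performed it,
    # so all DCs must be asked. TargetUserName is the new account, SubjectUserName its creator.
    $fromLog = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $filter = @{ LogName = 'Security'; Id = 4720; StartTime = $Since }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Sam       = "$($data['TargetUserName'])".ToLower()
                When      = $e.TimeCreated
                Source    = "4720@$dc"
                CreatedBy = $data['SubjectUserName']
            }
        }
    }

    $adSams  = @($fromAd  | ForEach-Object Sam)
    $logSams = @($fromLog | ForEach-Object Sam)
    [pscustomobject]@{
        InBoth    = @($adSams  | Where-Object { $_ -in $logSams }    | Sort-Object -Unique)
        # No 4720 anywhere: log cleared, auditing off, or a DC that could not be reached.
        OnlyInAD  = @($adSams  | Where-Object { $_ -notin $logSams } | Sort-Object -Unique)
        # Logged as created but no longer present under that name: deleted or renamed since.
        OnlyInLog = @($logSams | Where-Object { $_ -notin $adSams }  | Sort-Object -Unique)
        Events    = $fromLog
    }
}

Compare-NewAccountSources | Format-List InBoth, OnlyInAD, OnlyInLog
```

The Events property keeps the creator of each account from the 4720 data, which a directory export alone does not give you. Forwarding 4720 events off the DCs as they occur (event subscription or a SIEM) is what removes the dependency on the source log still being intact when the monthly report is produced.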


How to find which sites IP addresses are related to


Hi

I have a couple of IP addresses; I need to find out which site they belong to in Sites and Services in AD.

Please provide any easy solution


NA
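
An address belongs to the site whose subnet object matches it with the longest prefix, which is the same rule the DC locator applies when it decides which site a client is in. The script below is an added example and not from the post; it implements that match for IPv4 over a constructed subnet table (the two sample addresses are the ones mentioned on this page), and notes how to feed it the real list with Get-ADReplicationSubnet. It needs Windows PowerShell 3 or later for the -shl operator.

```powershell
# Added example: map IP addresses to AD sites by longest-prefix match against the subnet list.
# The subnet table is constructed; in a domain, build it with
#   Get-ADReplicationSubnet -Filter * -Properties Site | Select-Object Name, Site
# (there, Site is the site's DN; take its CN for display). IPv4 only.
function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)] [string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Find-ADSiteForIP {
    param(
        [Parameter(Mandatory)] [string]   $Address,
        [Parameter(Mandatory)] [object[]] $Subnets   # objects with Name ('10.20.40.0/24') and Site
    )
    $ip   = ConvertTo-IPv4Int $Address
    $best = $null
    foreach ($s in $Subnets) {
        if ($s.Name -notmatch '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') { continue }   # skip IPv6 entries
        $net, $len = $s.Name -split '/'
        $len  = [int]$len
        $mask = if ($len -eq 0) { [int64]0 } else { ([int64]0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF }
        $inSubnet = (($ip -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask))
        # Longest prefix wins, so 10.20.40.0/24 beats 10.0.0.0/8 for 10.20.40.50.
        if ($inSubnet -and ($null -eq $best -or $len -gt $best.Length)) {
            $best = [pscustomobject]@{ Subnet = $s.Name; Site = $s.Site; Length = $len }
        }
    }
    # No matching subnet: the client is not site-aware and uses whichever DC answers first.
    [pscustomobject]@{
        Address = $Address
        Subnet  = if ($best) { $best.Subnet } else { '(none)' }
        Site    = if ($best) { $best.Site }   else { '(no site)' }
    }
}

# Constructed subnet table standing in for the Sites and Services data.
$subnets = @(
    [pscustomobject]@{ Name = '10.0.0.0/8';     Site = 'HQ' },
    [pscustomobject]@{ Name = '10.20.40.0/24';  Site = 'Branch-A' },
    [pscustomobject]@{ Name = '192.168.1.0/24'; Site = 'Branch-B' },
    [pscustomobject]@{ Name = '2001:db8::/32';  Site = 'HQ' }
)
'10.20.40.50', '10.99.1.1', '192.168.1.1', '172.16.5.5' |
    ForEach-Object { Find-ADSiteForIP -Address $_ -Subnets $subnets } | Format-Table -AutoSize
```

With that table, 10.20.40.50 resolves to Branch-A (the /24 beats the /8), 10.99.1.1 to HQ, 192.168.1.1 to Branch-B, and 172.16.5.5 to no site. Addresses that land in "(no site)" are worth fixing as well as knowing about: clients there pick DCs without regard to location, and on a DC the NETLOGON log records them as "NO_CLIENT_SITE" entries.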

Different domain name in down-level logged user name


Hi 

I am performing user authentication using WINNT and LDAP provider by using following sequence:

1. Get the WinNT path of the local system Administrators group.

2. Check whether the logged-on user (domain\local) is a member of the Administrators group or any nested group.

3. For a domain user, I do the following steps:

   1. I get the default DN path for the domain using the ADsGetObject API, passing the rootDSE parameter.

   2. Get the LDAP path of the logged-on user using a dsquery filter.

   3. Make a dsquery filter string using the group name in the case of a group, do further searching on that, get the distinguished name from there, and then make the LDAP path of the group with that.

   4. Using the group LDAP path, I do a recursive search for the logged-on user by matching the GUID of the user with the logged-on one, and return true in case it matches.

This is the general workflow of my code. As I am new to Active Directory, I have some problems in the client configuration. For normal cases when we have one domain, my code is working properly. But in the case of the client environment it is not giving proper output, and I am not able to figure out the issue. The sample output of the client configuration is mentioned below:

UserLogon Name : MS-ROOT\user1 

Logged On user Path : LDAP://CN=user1,OU=Server_Admins,OU=Support_Accounts,DC=ab,DC=com

1st Members Path: WinNT://ABAD/Domain Admins 

Under this Domain Admins group my code is traversing all members properly.

        LDAP path: CN=Domain Admins,CN=Users,DC=ab,DC=com

2nd Members Path: WinNT://ABAD/WinOps-Server-L3 

The logged-on user belongs to this WinOps-Server-L3 group, but unfortunately my code is returning zero members for this group.

LDAP path -not found in my code

3rd Members Path: WinNT://MS-ROOT/HIPGM_SrvAdmin 

My code is able to traverse properly through this group (HIPGM_SrvAdmin).

LDAP Path :DN path grp filter: CN=HIPGM_SrvAdmin,OU=Support_Accounts,DC=ab,DC=com

Now my queries are:

1. From the LDAP path we can conclude that the domain name is ab.com, but in our logging we find that there are two different domains associated with the WinNT path of the group objects: MS-ROOT and ABAD. I am not able to get what these names actually are and what the difference is between ab.com and these names (MS-ROOT and ABAD).

2. For the 1st Members Path as shown above, where the domain name, if I am correct, is ABAD, my code is able to traverse, but for the 2nd Members Path as shown above my code is not able to traverse, despite it having the same ABAD domain name.

3. For the 3rd Members Path, where the domain is MS-ROOT, my code is able to traverse properly. Why? Is it because the current logged-on user has the same domain MS-ROOT?

4. Why are we seeing two different domain names, ABAD and MS-ROOT, under the same domain ab.com?

Please guide me about these things and let me know where am I wrong. May be my understanding is not correct as I am new to AD. So please help me out with correct understanding.

Thanks and Regards

Rahul Pathak







Event ID 10016 - DCOM Error | Source - Microsoft-Windows-DistributedCOM | Level: Error


Hi there... I am getting the above-mentioned error with the

Description: The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

Full message is -

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          5/15/2012 1:18:44 PM
Event ID:      10016
Task Category: None
Level:         Error
Keywords:      Classic
User:          NT AUTHORITY\IUSR
Computer:      Server.domain.com
Description:
The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

application-specific
Local
Activation
{2D527A8C-A4B6-4E74-A63F-E867360D401C}
{B13EFBAE-7504-4938-9ED7-8E8B53E51221}
NT AUTHORITY
IUSR
S-1-5-17
LocalHost (Using LRPC)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10016</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-05-15T19:18:44.000000000Z" />
    <EventRecordID>43121</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>Server.Domain.com</Computer>
    <Security UserID="S-1-5-17" />
  </System>
  <EventData>
    <Data Name="param1">application-specific</Data>
    <Data Name="param2">Local</Data>
    <Data Name="param3">Activation</Data>
    <Data Name="param4">{2D527A8C-A4B6-4E74-A63F-E867360D401C}</Data>
    <Data Name="param5">{B13EFBAE-7504-4938-9ED7-8E8B53E51221}</Data>
    <Data Name="param6">NT AUTHORITY</Data>
    <Data Name="param7">IUSR</Data>
    <Data Name="param8">S-1-5-17</Data>
    <Data Name="param9">LocalHost (Using LRPC)</Data>
  </EventData>
</Event>

Please let me know any solutions to fix....

Steps, I did try from one of the blogs -

Open Component Services. Go to Start --> Control Panel --> Administrative Tools --> Component Services. Expand the Component Services branch, then expand Computers, My Computer and DCOM Config. Right-click on "sms agent host" (in my case) and click Properties. Click on the Security tab and under "Launch and Activation Permissions" select "Edit" and add the user Local Service (Local Launch). Click OK, close the Component Services window.

In the Launch Permission dialog box, make sure that the Everyone group has Remote Launch and Remote Activation permissions.

In the Launch Permission dialog box, make sure that the SMS Reporting Users local group has following permissions:

Local Launch / Remote Launch / Local Activation / Remote Activation

Also added Remote Launch / Remote Activation permission for Network Service (for the SMS_Reporting_Point)

Added Admin Group to the "ConfigMgr Remote Control Users"


VT
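
Before widening the launch and activation ACL, it helps to know which component the two GUIDs in the event belong to and what the ACL already contains, so the change can be scoped to the one principal the event names (S-1-5-17, NT AUTHORITY\IUSR, asking for Local Activation) rather than to Everyone. The script below is an added example and not from the post or from Microsoft: it resolves the CLSID and APPID through HKEY_CLASSES_ROOT and decodes the AppID's LaunchPermission security descriptor. The GUIDs and SID are the ones in the event above; the rights bit values are the COM_RIGHTS_* constants. It only reads; any change is still made in Component Services as in the steps above.

```powershell
# Added example: identify the component behind an Event 10016 and decode the AppID's launch ACL.
# Read-only. GUIDs and SID are taken from the event in the post.
function Resolve-Dcom10016 {
    param(
        [Parameter(Mandatory)] [string] $Clsid,
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $Sid
    )
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $appIdKey = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    $clsName  = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
    $appName  = (Get-ItemProperty -Path $appIdKey -ErrorAction SilentlyContinue).'(default)'
    $server   = (Get-ItemProperty -Path "$clsidKey\LocalServer32" -ErrorAction SilentlyContinue).'(default)'
    $sidObj   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $account  = try { $sidObj.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid }

    # LaunchPermission is a self-relative security descriptor stored as REG_BINARY.
    # COM_RIGHTS_*: 1 = Execute (legacy, grants everything), 2 = Local Launch,
    # 4 = Remote Launch, 8 = Local Activation, 16 = Remote Activation.
    $bits = [ordered]@{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
    $aces = @()
    $launch = (Get-ItemProperty -Path $appIdKey -Name LaunchPermission -ErrorAction SilentlyContinue).LaunchPermission
    if ($launch) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($launch, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $ace.SecurityIdentifier.Value }
            $rights = foreach ($b in $bits.Keys) { if ($ace.AccessMask -band $b) { $bits[$b] } }
            $aces += [pscustomobject]@{ Type = $ace.AceType; Principal = $who; Rights = (@($rights) -join ',') }
        }
    }
    [pscustomobject]@{
        Component    = $clsName
        AppIdName    = $appName
        LocalServer  = $server
        Requester    = $account
        Requested    = 'Local Activation'   # param2/param3 of the event
        AlreadyHasIt = [bool]($aces | Where-Object { $_.Principal -eq $account -and $_.Type -eq 'AccessAllowed' -and $_.Rights -match 'LocalActivation|Execute' })
        LaunchAcl    = $aces
    }
}

$r = Resolve-Dcom10016 -Clsid '{2D527A8C-A4B6-4E74-A63F-E867360D401C}' `
                       -AppId '{B13EFBAE-7504-4938-9ED7-8E8B53E51221}' -Sid 'S-1-5-17'
$r | Format-List Component, AppIdName, LocalServer, Requester, Requested, AlreadyHasIt
$r.LaunchAcl | Format-Table -AutoSize
```

An empty LaunchPermission value means the AppID falls back to the machine-wide defaults (the DefaultLaunchPermission value under HKLM\SOFTWARE\Microsoft\Ole), which is where the edit lands if Component Services is used on the "My Computer" node instead of the specific application. Granting only Local Activation to IUSR on this one AppID satisfies the event; the Remote Launch and Remote Activation rights for Everyone listed in the blog steps above are unrelated to what this event reports.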


Can't pull Max Password Age with VBScript


Ok, here's the setup.  My company has been building a new 2012 domain environment.  So far, all the servers in the domain are 2012.

With the new domain, I have begun testing Fine-Grained Password Policies because it was one of the functions we could not do on our old domain. And so far, everything on the domain side appears to be working just fine.

So now comes the problem.  Because our users will be using Remote-apps to connect to their servers, they aren't going to be notified that their passwords will be expiring soon.  Thus enters the VBscript.

Using Microsoft's instructions, http://msdn.microsoft.com/en-us/library/ms974598.aspx, I have been trying to get a script going that will pop up a message telling the user that they need to change their password, but I've hit a brick wall with this part of the script.

' The "& _" line continuation must end its line, and the ADSystemInfo object
' and the closing End If were missing from the pasted fragment.
Set objADSystemInfo = CreateObject("ADSystemInfo")
Set objDomain = GetObject("LDAP://" & objADSystemInfo.DomainDNSName)
' maxPwdAge is an IADsLargeInteger; a value of 0 means passwords never expire.
Set objMaxPwdAge = objDomain.Get("maxPwdAge")

    If objMaxPwdAge.LowPart = 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
        WScript.Quit
    End If

For some reason, it will not pull the max password age.  Now I'm using Fine-Grained passwords for the test account, but I have also tried setting the max password age in the default domain policy, and I still get the message that the "age is set to 0 and the password will not expire" even though I know the policy is functioning on the account.

I was thinking I might need to try and get the information from this attribute http://msdn.microsoft.com/en-us/library/cc220303.aspx, but I am unsure of how to call this information.

If I can just get the script to pull the max password age, I believe I can get the rest of the script working.
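
The domain's maxPwdAge read by this script, like the "Password expires" line of net user /domain in the Fine-Grained Password Policy post above, describes the domain-wide policy only; a user covered by a PSO gets their maximum age from the PSO, which neither of those reads sees. The DC exposes the answer directly through two constructed attributes: msDS-ResultantPSO (the DN of the PSO that wins for this user, empty when the domain policy applies) and msDS-UserPasswordExpiryTimeComputed (the expiry as a FILETIME, already taking the PSO into account). The script below is an added example serving both posts and is not code from either; it assumes the ActiveDirectory module and a domain at the 2008 functional level or higher, and the two account names it queries are constructed.

```powershell
# Added example: report the policy that actually governs each user's password and the
# expiry the DC computes from it, rather than the domain's maxPwdAge.
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties 'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, PasswordNeverExpires
        $psoDn  = $u.'msDS-ResultantPSO'
        $maxAge = if ($psoDn) {
            (Get-ADFineGrainedPasswordPolicy -Identity $psoDn).MaxPasswordAge
        } else {
            (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        }
        # Computed expiry: 0 means "must change at next logon", Int64.MaxValue means never expires.
        $raw = if ($null -ne $u.'msDS-UserPasswordExpiryTimeComputed') { [int64]$u.'msDS-UserPasswordExpiryTimeComputed' } else { -1 }
        $expires = if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) { [datetime]::FromFileTime($raw) } else { $null }
        [pscustomobject]@{
            User            = $u.SamAccountName
            PolicySource    = if ($psoDn) { ($psoDn -split ',')[0] -replace '^CN=' } else { 'Default Domain Policy' }
            MaxPasswordAge  = $maxAge
            PasswordLastSet = $u.PasswordLastSet
            Expires         = $expires
            NeverExpires    = [bool]($u.PasswordNeverExpires -or $raw -eq [int64]::MaxValue)
            MustChange      = ($raw -eq 0)
        }
    }
}

Get-EffectivePasswordExpiry -SamAccountName 'jdoe', 'asmith' | Format-Table -AutoSize
```

For an expiry warning at logon, msDS-UserPasswordExpiryTimeComputed is the value to read, since it is correct whether the user is under a PSO or the domain policy; a script that subtracts maxPwdAge from pwdLastSet itself has to repeat the PSO resolution and will be wrong whenever the two disagree.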


why i cant get on a site

Yes, every time I try to get on a certain site an error comes up, a 404, so what's going on? Or does Yahoo block me from it? I used to be able to.