Channel: Directory Services forum
Viewing all 31638 articles

Claims Rules for Office 365 and MFA


We are trying to enforce MFA for all connections to Office 365 except those not supported - specifically ActiveSync.

Currently, our rule allows for no MFA when connecting from the corporate network, and requires MFA only for browser-based requests when not on the corporate network. This works for web-based access, but it allows apps with Modern Auth (ADAL) enabled to connect with no MFA from outside. What we want is for ADAL-enabled applications to enforce MFA. Here is our current claim rule:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

What we have tried:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork",Value == "false"]
 && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value != "Microsoft.Exchange.ActiveSync"]
 => issue(Type ="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",Value = "http://schemas.microsoft.com/claims/multipleauthn");

- and -

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && [Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

Nothing seems to work, and the examples all talk about denying access when external rather than enforcing MFA when external.

Thanks


Failed to delete . The requested object has a non-unique identifier and cannot be retrieved.


Hello everybody,

I've already found a lot of articles regarding this topic but no solution for me; however, here is the problem:

1. The alternate DC was snapshotted and the snapshot was reverted (I know, I will never do it again)

2. USN rollback was done (workaround with deleting the registry entry DSA Not Writable = 4, etc.)

3. DC Replication was running again

4. In Exchange 2010 a distribution group was created (successfully); while trying to add group members the first error appeared

5. Group cannot be deleted with the following error: Failed to delete <AD-Group>. The requested object has a non-unique identifier and cannot be retrieved.

6. Demotion of the alternate DC and metadata cleanup was done; the DC was promoted again and replication works fine

7. Still cannot delete the group

8. While browsing the attributes of this group the following error appears:

Windows could not load values for all attributes.
Operation failed. Error Code: 0x2121
The search failed to retrieve attributes from the database.
00002121: SvcErr: DSID-03120493, Problem 5012(DIR_ERROR), data

Any help appreciated!

AD Trusts


Hello - Can you please let me know how to achieve Kerberos authentication without a 2-way forest-level AD trust.

The requirement is for users from our AD forest to access applications hosted at the vendor site. We have planned to achieve this through IPsec. Management is not keen on the points below, and hence we need to understand if there is a way to configure 2 different one-way trusts (behaving like a 2-way trust) with Kerberos. Due to security reasons we cannot use NTLM.

1) Not exposing the PDC emulator role to the vendor AD forest

2) No 2-way AD transitive trusts

Any help would be much appreciated.

Thanks,

Srini

Workstation trust timeout question


My customer has this question:

How long can machines not be in contact with the domain before they lose the trust relationship or otherwise get disjoined from the domain? We have the potential for the machines to be off network for over 100 days total.

Thanks.
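Two checks an administrator would run around this question, added here as an example and not part of the original post: from an admin workstation, list the computer accounts in an OU whose machine-account password has not changed in more than 100 days (the figure from the post), and, on the returning machine itself, test its secure channel to the domain and repair it if needed. It assumes the ActiveDirectory PowerShell module (RSAT) and a placeholder OU distinguished name.

```powershell
# Added example (not from the original post): machine-account trust checks.
# Part 1 runs from an admin workstation with the ActiveDirectory module.
# Part 2 runs on the workstation once it is back on the network.
Import-Module ActiveDirectory

$searchBase = 'OU=Laptops,DC=domain,DC=local'   # placeholder: replace with the real OU
$threshold  = (Get-Date).AddDays(-100)          # 100 days, the figure from the post

# Part 1: computer accounts whose machine password is older than the threshold,
# with the last logon the DCs recorded for them
Get-ADComputer -Filter * -SearchBase $searchBase -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -lt $threshold } |
    Select-Object Name, PasswordLastSet, LastLogonDate,
        @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize

# Part 2: on the machine itself. Test-ComputerSecureChannel returns $true when the
# machine can authenticate to a DC with its current password. -Repair resets the
# password on both the machine and the DC; it needs local admin rights and an account
# that is allowed to reset the computer object (no unjoin/rejoin required).
if (-not (Test-ComputerSecureChannel -Verbose)) {
    $cred = Get-Credential -Message 'Account allowed to reset the computer account'
    Test-ComputerSecureChannel -Repair -Credential $cred
}
```

The first part is what you would hand a help desk as a watch list; the second is the per-machine check to run before deciding whether a rejoin is actually necessary.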

ADDS 2008R2 - Ability to create multiple computer accounts with same name??

So we have an OU within our domain where it is possible to create AD computer accounts with the same name. So if OU1 has a servera, then it's possible to create servera in OU1 > SubOU2. I have tested this in other OUs and you get the inevitable "Cannot add because of same name" error. Any ideas on how this one OU is allowing computer account creation with the same name within separate OUs?
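A check that narrows this down, added here as an example and not part of the original post: the common name (CN) only has to be unique within its parent container, while sAMAccountName must be unique across the whole domain, so two computer objects with the same CN in different OUs can only coexist if their sAMAccountName values differ. The script below lists every CN that appears more than once and shows the sAMAccountName and location of each copy, then separately flags any sAMAccountName that is duplicated. It assumes the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the original post): find computer objects that share a
# name anywhere in the domain and show which attribute actually differs.
Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter * -Properties sAMAccountName, cn, distinguishedName, whenCreated

# Group by CN (the name ADUC displays) and report groups with more than one object.
$computers |
    Group-Object -Property cn |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Host "Duplicate CN '$($_.Name)':"
        $_.Group |
            Select-Object sAMAccountName, distinguishedName, whenCreated |
            Format-Table -AutoSize
    }

# sAMAccountName is enforced unique per domain; if the CNs above match but the
# sAMAccountName values differ (for example a trailing digit before the '$'),
# the directory never accepted a true duplicate account.
$computers |
    Group-Object -Property sAMAccountName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Duplicate sAMAccountName: $($_.Name)" }
```

Run it against each DC with -Server if you suspect a replication problem, since a lingering or un-replicated object can also look like a duplicate from one DC's point of view.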

Trust verification error : 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET on RODC


Hello,

In our AD domain, we are verifying the trust to external domains using nltest /sc_query:externaldomainname. This works from most of the DCs without any errors, giving the DC name from the external domain. But for a few DCs, it was giving the error "No logon servers". For these DCs, we requested the firewall team to open ports 135, 389 and 445. After opening these ports, it worked for all DCs except 2 RODCs. From the RODCs, when we run the command, a couple of times it executed successfully by displaying the external domain DC, but most of the time we get the message "1786 0x6fa ERROR_NO_TRUST_LSA_SECRET". Is this expected with RODCs?

Please help us with this. We have to ensure trust verification succeeds from these DCs, as SCOM is always alerting on inter-domain trust failure.

Thanks,
Sarat U

Group Policy Software Install Failing to read gpt.ini


I'm sort of new to Active Directory. I've been trying just about everything I can think of to enable a Group Policy software install to go through, and I receive this error on the client machine.

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{D25022D8-F0DA-4B9E-898D-8807C87F7312}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

The policy is pretty simple. It's set to install an .msi and it's a computer configuration, assigned, linked and enforced. I created a small OU with three test machines in it and created a specific security group for them. The scope applies to Authenticated Users and the other security group I created, which these three machines are in as well. When I run gpresult on the client machine I can see that the machine does in fact have the policy applied to it. The problem is that it says it cannot read the gpt.ini, while I can at the same time click on the link in the eventvwr error and OPEN THE FILE. I cannot seem to find anyone else having this issue. I've gone as far as sharing the Policies folder and giving full permissions to that OU, but I still cannot get it to work. I made a change to the registry to force the machine to wait for a connection to the DC, and I still have this issue.

If anyone has any ideas I would be so appreciative I'm at my wits end.

ServicePrincipalName attribute blank after using SETSPN


This will almost surely be me being stupid on this one, but I thought I'd ask anyway.

To register an SPN for a computer or user object in AD, the 'ServicePrincipalName' attribute is populated in the correct SPN syntax.

If I can also register an SPN for a computer or user account with SETSPN, why is that SPN then not reflected in the attribute for the object in AD?

If I run setspn -s www/testserver testuser

...and then run setspn -l testuser

A registered SPN is displayed. But nothing shows in the attribute in AD?

What have I understood incorrectly?

Many thanks.
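The check I would run before anything else, added here as an example and not part of the original post: read the servicePrincipalName attribute of the account directly from one named writable DC (so replication lag between DCs is ruled out), compare it with what setspn -L reports, and then look for the same SPN registered on more than one account, which is the case that actually breaks Kerberos. It assumes the ActiveDirectory PowerShell module and reuses the account name (testuser) and SPN (www/testserver) from the post.

```powershell
# Added example (not from the original post): compare the servicePrincipalName
# attribute as stored on a specific DC with the output of setspn, then check
# the forest for the same SPN on more than one account.
Import-Module ActiveDirectory

$account = 'testuser'          # account name from the post
$spn     = 'www/testserver'    # SPN from the post

# Pick one writable DC and read the multi-valued attribute from it explicitly.
$dc  = (Get-ADDomainController -Discover -Writable).HostName[0]
$obj = Get-ADUser -Identity $account -Server $dc -Properties servicePrincipalName

Write-Host "servicePrincipalName for $account as stored on $dc :"
if ($obj.servicePrincipalName.Count -eq 0) {
    Write-Warning 'attribute is empty on this DC'
} else {
    $obj.servicePrincipalName | ForEach-Object { "  $_" }
}

# setspn -L reads the same attribute (from whichever DC it binds to); if the two
# listings differ, the write has not replicated to the DC you are looking at.
Write-Host "setspn -L $account :"
setspn -L $account

# Where does this exact SPN live, and are there duplicates anywhere in the forest?
# A duplicate SPN makes the KDC issue tickets for the wrong account, so the
# service cannot decrypt them; -X reports duplicates, -F widens it to the forest.
Write-Host "setspn -Q $spn :"
setspn -Q $spn
Write-Host 'Forest-wide duplicate SPN check:'
setspn -X -F
```

Reading the attribute with -Server against the same DC that setspn wrote to is the quickest way to tell a replication delay from a failed write.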


Be our Windows Server TechNet Guru of 2016 and become renowned in community and professional circles!


A new year! A new start for the TechNet Guru Awards 2016!

2015 Guru was soooo last year! 2016 Guru is where it's @ my friends!

This is when you make your mark on history and stamp your authority on your favoured technology!

This is when they shall know your name and come to appreciate your depth and breadth of knowledge!

This is... the Year of You!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Token-signing Certificate Rollover


I have a question around AD FS token-decrypting and token-signing certificates. I am torn between using the self-generated certificates (generated by AD FS) and using CA-signed ones.

I know that the main advantage of using the self-generated ones is that the certs get renewed automatically when the auto rollover option is set.

My question is when a self-generated Token-signing cert is renewed, do I have to send the renewed cert to all partners? I know I have to do that when I install a totally new cert but am not 100% sure if I have to do the same for a renewed cert. Do we always have to send Token-signing certs over to partner regardless of it being renewed or new?

I found this link but it does not answer my question:

https://technet.microsoft.com/en-us/library/dn781426.aspx


Alert from TechNet Posting

DNS is not going to Root hints automatically


Hello,

We have forwarders and root hints configured. When we nslookup abc.com, it is not resolving, but when we change the server to the root hint server name and then do a query, it resolves.

Basically it's not resolving automatically when we query an external domain name; it resolves only when we change the server context in nslookup to the root hint server name.

We verified all the settings below and all are good.

- Check if you have the option "Use root hints if no forwarders are available" enabled under DNS properties in the Forwarders tab.

- Check if you have the option "Disable recursion" NOT enabled under DNS properties in the Advanced tab.

- Check if you have root hints listed under DNS properties in the Root Hints tab.

- Check the Interfaces tab under DNS properties: how many addresses does that DNS server listen on? Are the clients using any of these addresses in their preferred DNS settings?

And from the link below, the IsSlave registry entry is 0x0 (I followed the article below).

https://technet.microsoft.com/en-us/library/ff807388(v=ws.10).aspx

Please share your thoughts.
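A way to turn the checklist above into something repeatable, added here as an example and not part of the original post: dump the forwarder, recursion and root-hint settings from the DNS server itself, then ask the local server and each configured forwarder for the same name so the answers can be compared side by side. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and that it runs on the DNS server; abc.com is the name from the post.

```powershell
# Added example (not from the original post): settings dump plus side-by-side
# queries of the local DNS server and each forwarder for the same name.
Import-Module DnsServer

$name = 'abc.com'   # test name from the post

# Forwarders, and whether the server falls back to root hints when no forwarder answers
Write-Host '--- forwarders ---'
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout | Format-List

# Recursion has to be enabled for the server to walk the root hints itself
Write-Host '--- recursion ---'
Get-DnsServerRecursion | Select-Object Enable, Timeout, RetryInterval | Format-List

# Root hints actually loaded (the NS names; the server resolves their addresses)
Write-Host '--- root hints ---'
Get-DnsServerRootHint | ForEach-Object { $_.NameServer.RecordData.NameServer }

# Our own server's answer, bypassing the client-side cache and hosts file
Write-Host "--- local server answer for $name ---"
Resolve-DnsName -Name $name -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Continue

# Each forwarder's answer. A forwarder that does not answer at all is the case the
# "Use root hints if no forwarders are available" option covers; a forwarder that
# answers with an error is passed through as-is and root hints are not consulted.
foreach ($fwd in (Get-DnsServerForwarder).IPAddress) {
    Write-Host "--- forwarder $fwd answer for $name ---"
    Resolve-DnsName -Name $name -Type A -Server $fwd -DnsOnly -ErrorAction Continue
}
```

If the forwarders return a negative answer while a root-hint query succeeds, the server is behaving as designed and the forwarder is the thing to investigate.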

Multiple VLAN and one DNS


Hi Guys,

In our environment we have multiple VLANs and we are using one DNS server.

We are running Windows Server 2012 R2; most users are Apple OS X users.

We have the following:

VLAN 10    10.10.10.0/24
VLAN 20    10.10.20.0/24
VLAN 30    10.10.30.0/24

DNS Server 10.10.10.2
Gateway VLAN 10 is 10.10.10.1 / 10.10.20.1 / 10.10.30.1

The VLANs are created on the Cisco server.
My question now:

How can I make a user on VLAN 20 / VLAN 30 use 10.10.10.2 as their DNS server?
Do I have to create a reverse zone for each VLAN on the DNS server, even when the Cisco firewall is the DHCP server?

Thank you


unable to change domain password from windows 10 client


We are unable to change the domain password only from Windows 10 / Windows 8 clients. It throws the error message "the security database on the server does not have a computer account for this workstation trust relationship".

Domain controllers: windows server 2008 Standard and Windows Server 2008 Enterprise editions.

Allow Normal User to Login to Domain Controller


Hi All,

Is there a way to allow a user to log in to a domain controller without making the user a domain admin?


Thank you

Sujit

Computer unable to see Domain controller


We have 3 physical 2008 R2 DCs. We added 1 virtual 2008 R2 DC. The next week we transferred some FSMO roles: PDC, RID and Infrastructure. We checked all replication; no errors.

The next week we changed the primary DNS in DHCP to the new DC, and everything was working. A week later at least 10 computers dropped out of the network and can't see the DC or any network resources except the physical DCs. The new DC is in a cluster, so anything in the cluster is unavailable. These computers can't ping the vDC, nor can the DC ping them. The computer account and DNS record match on all DCs. We rejoined the domain, changing the computer name and IP address; nothing helped.

As soon as we turned off the new vDC everything was fine. Now I'm looking for possible causes. Since it was a VM, I turned on the server with the NIC disabled and started looking at the event log. Nothing unusual; the only difference was the firewall being ON.

Right now I'm clueless. Can someone point me in the right direction please? Is it the firewall, WINS, or a replication issue?

Please help!!! I can't leave that server offline too long.


numan


Get a list of all local admins on computers in a specific OU in ADDS


Hi folks,

I have been tasked with providing a list of all local admins on all servers in a specific OU in AD. These are the local administrators on each server in the organisation.

Does anyone have a PowerShell script or know of any applications that can do this please? I need to provide a report or spreadsheet with this data to management.

Any help would be gratefully received.

Many thanks

Danny
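One way to build that report, added here as an example and not a script from the original post: enumerate the computers in the OU with the ActiveDirectory module, read each server's local Administrators group through the WinNT ADSI provider (which works against older servers that have no PowerShell remoting or Get-LocalGroupMember), and write one row per member to a CSV. It assumes the ActiveDirectory module, that the account running it can read local group membership on each server over RPC/SMB (TCP 135/445), and a placeholder OU distinguished name.

```powershell
# Added example (not from the original post): one row per local Administrators
# member for every computer in an OU, exported to CSV for management.
Import-Module ActiveDirectory

$searchBase = 'OU=Servers,DC=domain,DC=local'   # placeholder: replace with the real OU
$outFile    = "$env:USERPROFILE\LocalAdmins.csv"

$report = foreach ($computer in Get-ADComputer -Filter * -SearchBase $searchBase) {
    $name = $computer.DNSHostName
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $name; Member = 'UNREACHABLE'; Type = ''; Source = '' }
        continue
    }
    try {
        # WinNT provider: bind to the local Administrators group on the remote machine
        $group   = [ADSI]"WinNT://$name/Administrators,group"
        $members = @($group.psbase.Invoke('Members'))
        foreach ($m in $members) {
            # Members are raw COM objects; read their ADsPath and Class via reflection
            $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class   = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # ADsPath is WinNT://DOMAIN/name for domain principals, WinNT://HOST/name for local ones
            $path = $adsPath -replace '^WinNT://', ''
            [pscustomobject]@{
                Computer = $name
                Member   = $path
                Type     = $class                                  # User or Group
                Source   = if ($path -match "^$env:USERDOMAIN/") { 'Domain' } else { 'Local' }
            }
        }
    } catch {
        [pscustomobject]@{ Computer = $name; Member = "ERROR: $($_.Exception.Message)"; Type = ''; Source = '' }
    }
}

$report | Export-Csv -Path $outFile -NoTypeInformation
$report | Format-Table -AutoSize
```

Domain groups are listed by name only, not expanded; if management wants the effective users, feed the Source = Domain rows with Type = Group through Get-ADGroupMember -Recursive as a second pass.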

Demote Windows 2000 server


We are about ready to run DCPROMO to demote our Windows 2000 DC, as all file shares, FSMO roles, DHCP and DNS were moved off there a while ago, but I wanted to see if there is a checklist I can follow to be sure that everything is off of it before I demote it.

Everything was moved to our 2003 DC a long time ago, and the plan is now to phase out the 2000 server, raise the domain functional level, then phase out the 2003 server.

Error determining whether the target server is already a domain controller: The target server is already a Domain Controller.


So basically, I was promoting a new server to a DC. It said the promotion failed. I rebooted the server and, lo and behold, it is acting like a domain controller. It has moved to the Domain Controllers OU, it is replicating fine, it knows who has the FSMO roles, and I see no other problems. However, Server Manager is still telling me to promote the machine to be a DC, as can be seen here:

If I click the link to run DC Promo, I get this:

Is there any way to just tell the server that "yes this is a working DC" to get rid of the task in server manager? Or is there something else I should do to correct this?

Unable to remove 2003 DC from domain environment


I'm testing the upgrade of our domain environment from 2003 to 2012. Our environment consists of one DC (currently 2003, but it will be upgraded to 2012 with this exercise).

I've transferred all FSMO roles and tested machine login; everything works. Windows clients are able to connect to the 2012 domain, and the environment functions properly even when the 2003 server was turned off.

My final step is to demote the 2003 DC to be able to upgrade the forest and domain functional levels. I run dcpromo on the 2003 DC and I get the error:

"The network path was not found. If this computer is connected to the network via a remote access service (RAS) connection, ensure that file and printer sharing for Microsoft networks is enabled for that connection."

The 2012 server has inherited the services previously operating on the 2003 DC (Active Directory Domain Services, DNS and DHCP).

Help is greatly appreciated.

Thanks

LSASS.exe consuming too much CPU (same as https://support.microsoft.com/en-us/kb/2500682) but our DC is on 2012.


We have a few Exchange servers that are constantly doing queries to Exchange, and the solution would be just like it is in the KB; but the KB is for 2008 R2 and we are on 2012.

We are a hosting company that has a lot of address books, and based on what I see in the diagnostic log there are a few address book queries, some of them very deep in the AD database.

I would be grateful if anybody could give me a hint.

Thanks and regards,

Ivica

