
Active Directory Migration Tool - scripted user migration : ERR2:7615 SID History cannot be updated

Hi,

I am using an ADMT script to migrate user IDs between AD forests, but I am receiving the below error during the script execution.

I have verified the permissions of the user ID executing the script on both the source and destination domains; in both it is part of the Domain Admins and Administrators groups.

I have also tried running this script from the source domain with a newly configured ADMT setup, but I still get the same error.

Can anyone please suggest a fix?

Below is the script and the output.

Script

admt user /F "c:\temp\users.csv" /SD:xxxx.com /TD:yyycom /TO:OU /PO:COPY /PS:"xxxx.com" /MSS:YES /TRP:NO /UUR:YES /MGS:NO /FGM:YES /CO:MERGE+MOVEMERGEDACCOUNTS

Output:

2015-07-27 12:39:26 Starting Account Replicator.
2015-07-27 12:39:28 CN=User1         - Created
2015-07-27 12:39:30 ERR2:7615 SID History cannot be updated for User1. You must be an administrator in the source domain.
2015-07-27 12:39:30 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem.  The Active Directory Migration Tool will not attempt to migrate the remaining objects.
2015-07-27 12:39:30 Operation Aborted.
2015-07-27 12:39:31 Operation completed.


Javid Akthar
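
As an added example, not part of the post above, the following PowerShell checks the documented ADMT prerequisites for writing sIDHistory against the source domain: TcpipClientSupport on the source PDC emulator, the empty <SourceNetBIOS>$$$ group in the source domain, membership of the source domain's built-in Administrators group, and account-management auditing. The source domain name 'xxxx.com' is the placeholder from the post; the credential prompt and remoting via WinRM to the PDC emulator are assumptions.

```powershell
# Added example, not part of the original post: verify the documented ADMT
# sIDHistory prerequisites against the source domain before re-running "admt user".
# 'xxxx.com' is the post's placeholder; credentials and WinRM access are assumed.
Import-Module ActiveDirectory

$srcDomain = 'xxxx.com'
$srcCred   = Get-Credential -Message "Administrator in source domain $srcDomain"
$src       = Get-ADDomain -Server $srcDomain -Credential $srcCred
$srcPdc    = $src.PDCEmulator
$srcNb     = $src.NetBIOSName

# 1. TcpipClientSupport must be 1 on the source domain's PDC emulator; without it the
#    source DC refuses the sIDHistory (DsAddSidHistory) request.
Invoke-Command -ComputerName $srcPdc -Credential $srcCred -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
}

# 2. The empty group "<SourceNetBIOS>$$$" must exist in the source domain.
#    Backtick-dollar keeps the three dollar signs literal inside the double-quoted filter.
Get-ADGroup -Server $srcDomain -Credential $srcCred -LDAPFilter "(sAMAccountName=$srcNb`$`$`$)" |
    Select-Object Name, GroupScope, GroupCategory

# 3. The account running ADMT must be in the source domain's built-in Administrators group.
#    A trusted-domain group or user appears here as a foreign security principal.
Get-ADGroupMember -Server $srcDomain -Credential $srcCred -Identity 'Administrators' |
    Select-Object Name, objectClass, SID

# 4. Success and failure auditing of account management must be enabled in both domains;
#    read the effective policy on the source PDC emulator (repeat on a target-domain DC).
Invoke-Command -ComputerName $srcPdc -Credential $srcCred -ScriptBlock {
    auditpol /get /category:"Account Management"
}
```

Run it under the same account that executes the ADMT command, so that check 3 reflects the identity ADMT actually presents to the source domain.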


Exclude particular password to be

Hello Team,

I have a password policy implemented in my environment.

Now the client requirement is that users cannot use certain particular passwords.

Let's suppose the password is test@123; restrict users from using this password in the domain.


Balwan Singh


Add custom tabs to users in AD?

Hello, in Active Directory (for 2008 servers), when you open up the properties of a user you get the following tabs.

Is there any way to add a tab to this for all users? We want to add our own custom tab and then create our own fields on it, like Employee ID# and a few other attributes.


mqh7

GPO/GPP - Item level target - Security NESTED groups

I'm creating a GPP/GPO using Preferences to map a drive letter.


Example:

1) Main Global Group = IT

1.1) Other Global Groups = IT-DB

1.2) Other Global Groups = IT-DEV

1.3) Other Global Groups = IT-INFRA

All the 1.1, 1.2 and 1.3 global groups (DB, DEV and INFRA) belong to the main global group IT.

May I use the item-level target to match only the IT (main) global group in order to map the drive letter for all its members, or can nested groups not be recognized by GPP, so that I'll have to set the item-level target to use all the global groups?

I'm thinking about creating a mapped-drive preference, but only mapping the drive letter IF a user belongs to a set of more than 15 global groups.

My 15 (or so) global groups belong to a "main" global group (nested groups); therefore all users belong to both groups, the group that gives access to resources AND the "main" global group. It would therefore be nice to create the item-level target only for the "main" global group, instead of all 15 global groups (nested inside the "main" one).

Windows 2008 R2/Windows 2012 R2 DCs + AD at Windows 2008 R2 forest and domain functional level.

how to put a domain controller in maintenance mode

We have 50-plus DCs, so I'm not necessarily worried about replication or failover, but I need to do an in-place upgrade from 2008 R2 to 2012 R2 on an important DC; for much of that time it will be pingable but not responsive.

How do you recommend I prevent my other services that require authentication from using this DC, so that they use another DC instead?

What do you recommend? Thanks.
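
As an added example, not part of the post above, the following PowerShell makes a DC less attractive to the DC locator without demoting it: the Netlogon registry values LdapSrvPriority and LdapSrvWeight control the priority and weight published in the DC's SRV records (defaults 0 and 100), and nltest /dsregdns re-registers them. The values chosen and the domain name corp.example.com are assumptions.

```powershell
# Added example, not from the original post: de-prioritise this DC in DNS so that
# DC-locator clients choose other DCs, then re-register its SRV records.
# Run on the DC being taken into maintenance. Values and domain name are assumptions.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Higher priority number = less preferred (default 0); lower weight = fewer clients (default 100).
Set-ItemProperty -Path $nl -Name LdapSrvPriority -Value 200 -Type DWord
Set-ItemProperty -Path $nl -Name LdapSrvWeight   -Value 1   -Type DWord

# Re-register the DC's locator records with the new priority/weight.
nltest /dsregdns

# Confirm what clients will now see in DNS for the domain's LDAP SRV records.
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com

# After the upgrade, return to the defaults and register again.
# Set-ItemProperty -Path $nl -Name LdapSrvPriority -Value 0   -Type DWord
# Set-ItemProperty -Path $nl -Name LdapSrvWeight   -Value 100 -Type DWord
# nltest /dsregdns
```

This only influences clients that find DCs through DNS locator records; anything configured with this DC's name or address directly (LDAP-bound applications, RADIUS servers, hard-coded logon servers) still has to be repointed by hand.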

How do you set up the update password page in ADFS 3.0

Hello,

We have recently migrated to ADFS 3.0. Everything is working except the update password feature. In the KB article http://technet.microsoft.com/en-us/library/dn280950.aspx the section under Update Password says that I need to enable the ADFS endpoint /adfs/portal/updatepassword/ and restart the ADFS service.

This has been done, but when I go to https://sts.domain.com/adfs/portal/updatepassword, all I get is a page that says "An error occurred. Contact your administrator."

What I am trying to accomplish is this. 

http://technet.microsoft.com/en-us/library/dn280950.aspx

Any help would be greatly appreciated.

Thanks

Cheston


List active computers in AD

I want to list all the active computers in AD, as in "dsquery computer -inactive", but instead of the inactive ones, the active ones...

Is there a simple way to do it, as with dsquery, or what should I do to list them?
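
As an added example, not part of the post above, the following PowerShell produces the complement of "dsquery computer -inactive N": enabled computer accounts whose lastLogonTimestamp falls within the last N weeks, which is the same attribute dsquery evaluates. It requires the ActiveDirectory module; the default of 4 weeks and the search base are assumptions.

```powershell
# Added example, not from the original post: list computers that are "active", i.e. the
# opposite of "dsquery computer -inactive N". Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ActiveComputer {
    param(
        [int]$Weeks = 4,                                          # assumed default, like dsquery's unit
        [string]$SearchBase = (Get-ADDomain).DistinguishedName    # assumed: whole domain
    )

    # lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC), so the
    # cutoff must be converted to the same representation for the LDAP comparison.
    $cutoff = (Get-Date).AddDays(-7 * $Weeks).ToFileTimeUtc()

    # userAccountControl bit 0x2 = ACCOUNTDISABLE; the :1.2.840.113556.1.4.803: rule is a bitwise AND.
    $ldap = "(&(objectCategory=computer)" +
            "(lastLogonTimestamp>=$cutoff)" +
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    Get-ADComputer -LDAPFilter $ldap -SearchBase $SearchBase -Properties lastLogonTimestamp, operatingSystem |
        Select-Object Name, operatingSystem,
            @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } |
        Sort-Object LastLogon -Descending
}

Get-ActiveComputer -Weeks 4 | Format-Table -AutoSize
```

lastLogonTimestamp is only replicated when the stored value is more than 9 to 14 days old, so it can be up to two weeks behind the real last logon; that is why a window of several weeks, rather than days, is the right granularity for this attribute.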

Error During Removing Trust Between Parent & Child

Hi All,

I have a single forest with two domains. Now I want to delete one domain, named "hadeed.com.pk", which has only one domain controller, so I demoted this single domain controller as the last domain controller, removed its metadata, and deleted each and every entry from DNS, Active Directory Users & Computers and Active Directory Sites & Services, but I can see that hadeed.com.pk is still listed in my forest hierarchy, so I googled and found a link:

http://myblogs-amit.blogspot.com/2011/12/how-to-remove-default-trust_13.html

I was successfully able to perform step 1 to step 4 from the link.

But I am unable to perform steps 5 and 6.

please see this


The DNS server recv() function failed. The event data contains the error.

We are getting the following error continuously on our Windows Server 2008 R2 server.

Event ID: 7050

Error message:

The DNS server recv() function failed. The event data contains the error.

Please help to resolve the above issue.

Naming information cannot be located because: The network path was not found. Contact your system administrator to verify that your domain

In Windows Server 2008 R2: 

"Naming information cannot be located because: The network path was not found. Contact your system administrator to verify that your domain is properly configured and is currently online."  

Sometimes this error comes when I try to access Active Directory, and the event log is also showing one warning/error from NETLOGON. Once I restart, it will be OK for 2 or 3 weeks, then the same error occurs again... Please help me to solve the issue.

Event ID: 5781 NETLOGON

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.tcadom.com.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers 
- Specified preferred and alternate DNS servers are not running 
- DNS server(s) primary for the records to be registered is not running 
- Preferred or alternate DNS servers are configured with wrong root hints 
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

USER ACTION  
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.


Windows Server 2003 member server is going out of domain

Hi,

In my production environment the Windows 2003 servers are going out of the domain intermittently. When I tried to rejoin them, I was unable to do so. I have checked that the DNS IPs are properly provided. Kindly help me to resolve this issue.



Realm Discovery page unexpectedly shown twice for .NET OWIN WsFederation web app over WAP with ADFS pre-authentication

We have a .NET web application using OWIN WsFederation, with ADFS (on-premise) providing federation services.

For internal users, this works as expected, with our app redirecting to ADFS for authentication, and subsequently, after authenticating, redirecting back to the app with a token and associated claims.

For external users, we have WAP fronting ADFS. Because our application is claims-based and uses ADFS, our app is published on WAP with ADFS pre-authentication. The problem our external users experience is that the realm discovery page is presented twice, specifically:

a. ADFS presents RD.  User selects a provider (on-premise Active Directory).
b. ADFS challenges for credentials.  User enters credentials and clicks Sign In.
c. ADFS presents RD again (This is what we think is wrong - the app should be shown instead).  User selects the same provider.
d. The app is shown.

Inspection of the traffic with Fiddler shows the workflow as described in https://technet.microsoft.com/en-us/library/dn383640.aspx (the 7 steps).  But what doesn't happen is step 6, where the "client now has access to the published web application". Instead, what we see is the app redirect back to ADFS after (b), resulting in (c) above.  Our app doesn't show until re-selecting the provider.

The Fiddler trace says this (paraphrased, obviously):

aa. Request to app. WAP responds with a redirect to ADFS (using MS-ADFSPIP protocol).
bb. Request to ADFS. ADFS responds with realm discovery page. User selects provider.
cc. Request to ADFS. ADFS responds with credential challenge. User provides credentials and clicks Sign In.
dd. Request to ADFS. ADFS responds with a redirect to app (still with MS-ADFSPIP protocol).
ee. Request to app (suspect WAP verifies MS-ADFSPIP token and forwards request to app).  App responds with redirect to ADFS (makes sense: app doesn't understand the MS-ADFSPIP token since the app uses WS-Fed).
ff. Request to ADFS (now using WS-Fed, as initiated by our app).  ADFS responds with realm discovery page. User selects provider.
gg. Request to ADFS. ADFS responds with a redirect to app (since ADFS knows the user has already signed-in; and it's now using WS-Fed).
hh. Request to app.  The app is shown.

So...

1. Is presenting the realm selection page twice expected behaviour? (we don't think so)
2. Is it possible/correct to force WAP to use WS-Fed instead of MS-ADFSPIP? (we think not)
3. Are we supposed to make our app understand MS-ADFSPIP tokens? (we don't think so)
4. Maybe ADFS is supposed to automatically redirect back to the app in step (ff)?  (not sure)
5. What is the right approach to this?  


Thanks in advance!

DC time not in sync

Windows Server 2008 R2 sp1

I followed the steps in this link to have my PDC sync with a time server, referring to question number 6:

http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

When I do a query, it tells me I'm using one of the asia.pool.ntp.org servers as my time source. The corresponding registry key also reflects the changes to the time sources.

But my PDC, or domain time, is still two minutes ahead. I have rebooted the PDC, restarted the time service and waited overnight for it to sync, yet it's still two minutes ahead.

The PDC is a Hyper-V VM.
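
As an added example, not part of the post above, the following PowerShell collects the checks a practitioner would want on a virtualised PDC emulator that will not settle on its NTP source: what w32time says its source is, the NTP client configuration and the Hyper-V time provider state in the registry, a direct offset measurement against the external server, and a forced resync. The pool hostname 0.asia.pool.ntp.org is an assumption; substitute the one actually configured.

```powershell
# Added example, not from the original post: inspect why a Hyper-V guest acting as the
# PDC emulator stays off its configured NTP source. Run as administrator on the PDC.
# The pool hostname is an assumption; use the one from the NtpServer value.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# 1. What Windows Time currently reports as its source and how far out it believes it is.
w32tm /query /source
w32tm /query /status

# 2. NTP client configuration: Type should be NTP on the PDC emulator (manual peer list)
#    and NT5DS on every other DC and member (domain hierarchy).
Get-ItemProperty "$w32\Parameters" | Select-Object Type, NtpServer

# 3. The Hyper-V time provider. On a virtualised PDC emulator Enabled should be 0;
#    otherwise the integration service keeps pulling the guest clock toward the host
#    clock between NTP polls, and the whole domain inherits the host's error.
Get-ItemProperty "$w32\TimeProviders\VMICTimeProvider" | Select-Object Enabled

# 4. Measure the real offset against the external source, independent of w32time's own state.
w32tm /stripchart /computer:0.asia.pool.ntp.org /samples:5 /dataonly

# 5. Make the service rediscover its peers and resynchronise, then read the status again.
w32tm /resync /rediscover
w32tm /query /status
```

If step 4 shows the two-minute offset while step 1 claims the same server as its source, the clock is being corrected by something other than NTP between polls, and step 3 is the first place to look; if step 3 already reports 0, check the host's own clock, since the Hyper-V host synchronises the guest at boot regardless.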

error 0x8007271d when synchronising mail-app in Windows10

Hello,

I'm trying to use the built-in 'Mail' application in Windows 10 to connect it to my mailbox @skynet.be. It works OK for synchronizing incoming mail, but for some reason I keep getting the message 'error 0x8007271d' for outgoing mail, and I can't send anything... Account settings are verified and correct... Any suggestion? (I'm not a very technical guy, so I hope to understand any technical solutions ;-)).

Eric


Allow non Domain Admins to install patches on Domain Controllers

Hello There,

We have 68 Domain Controllers running the Windows 2008 R2 OS. Is it possible to allow non-domain admins to install/uninstall patches on Domain Controllers? I am aware of how to allow non-Domain Admins to log on to a Domain Controller. Please guide me. What is the best practice for installing patches on Domain Controllers?

Thanks


Mahi


Moving DHCP data base to a New DC

Hello,

I have 2 old Server 2012 DCs; one of them is the main DHCP server and it has failover with the 2nd DC.

I have installed a new 2012 R2 DC that I want to be the main DC.

I did dcpromo and everything replicated OK, but the DHCP was not replicated.

I want to "copy" the DHCP configuration from the old DC1 to the new DC and then kill the old one.

1. How can I copy and install the configuration on the new DC? The new DC has a different name and address.

2. If I kill the 1st DC that has the failover connection with the 2nd DC, does it cause problems for the DHCP pools on the 2 DCs, or will they keep working well? The main DHCP configuration is on the 1st DC.

Thanks for the help!
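
As an added example, not part of the post above, the following PowerShell uses the Server 2012 DhcpServer cmdlets to record the existing failover relationship, export the configuration and leases from the old server, import them onto the new one and authorize it in AD. The server names DC1 and DC3, the file paths and the domain name corp.example.com are assumptions.

```powershell
# Added example, not from the original post: move a DHCP configuration (scopes,
# options, reservations, leases) from the old DC to the new one with the Server 2012
# DhcpServer module. Server names, paths and the domain name are assumptions.
Import-Module DhcpServer

$oldDc  = 'DC1'                      # assumed: current main DHCP server
$newDc  = 'DC3'                      # assumed: new 2012 R2 DC taking over
$domain = 'corp.example.com'         # assumed
$file   = 'C:\Temp\dhcp-dc1.xml'
$backup = 'C:\Temp\dhcp-backup'      # Import-DhcpServer backs up the target here first

# 1. Record the failover relationship DC1 has with DC2 before touching anything.
Get-DhcpServerv4Failover -ComputerName $oldDc |
    Format-List Name, PartnerServer, Mode, State, ScopeId

# 2. Export server settings, scopes and current leases from DC1 (-Force overwrites $file).
Export-DhcpServer -ComputerName $oldDc -File $file -Leases -Force

# 3. Import everything onto the new server. -BackupPath is mandatory.
Import-DhcpServer -ComputerName $newDc -File $file -Leases -BackupPath $backup -Force

# 4. Authorize the new server in AD so it will answer clients, then confirm what it holds.
Add-DhcpServerInDC -DnsName "$newDc.$domain"
Get-DhcpServerv4Scope -ComputerName $newDc | Format-Table ScopeId, Name, State -AutoSize
Get-DhcpServerv4Failover -ComputerName $newDc
```

Because DC1's scopes are part of a failover relationship with DC2, compare the output of Get-DhcpServerv4Failover on all three servers after the import: the relationship the new server should participate in has to be created from it with Add-DhcpServerv4Failover, and the old one removed with Remove-DhcpServerv4Failover, before DC1 is decommissioned, otherwise DC2 keeps a partner that no longer exists.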


CN length is greater than 64

Our AD has a few objects with a CN length of over 64 characters. Since the maximum length of the CN is defined as 64, this seems odd. I was able to find the objects using the following PowerShell script:

Get-ADObject -Filter * -Properties cn,ObjectCategory,objectclass |
    Where-Object { $_.cn.Length -gt 64 } |
    fl name, cn, @{name='CN Len';expression={($_.cn).Length}}, objectclass, objectcategory

All of the objects are CNF (conflict) objects. Here's an example of one of the objects:

name          : SRV-COMP-FACTRY-NetOasis-Change

                CNF:aca8678f-25dc-47dd-b518-5aaaa9185e8a

cn            : SRV-COMP-FACTRY-NetOasis-Change

                CNF:aca8678f-25dc-47dd-b518-5aaaa9185e8a

CN Len        : 72

objectclass   : group

objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=mycompany,DC=com

Notice the length is 72.  Can anyone explain this?
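
As an added example, not part of the post above, the following PowerShell enumerates replication-conflict objects directly and splits the mangled cn into its two parts: the original RDN, which is what the 64-character schema limit was checked against, and the suffix the directory itself appends when it renames the losing object, a newline followed by "CNF:" and a 36-character GUID (41 characters in total). The post's own example fits this: SRV-COMP-FACTRY-NetOasis-Change is 31 characters, and 31 + 41 = 72. The search base is an assumption.

```powershell
# Added example, not from the original post: list CNF (conflict) objects and separate
# the original name from the system-appended "\nCNF:<GUID>" suffix. Requires RSAT.
Import-Module ActiveDirectory

function Get-ConflictObject {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)   # assumed: whole domain

    # \0A is the LDAP escape for the newline that precedes "CNF:" in a mangled name.
    Get-ADObject -LDAPFilter '(cn=*\0ACNF:*)' -SearchBase $SearchBase `
                 -Properties cn, objectClass, whenChanged |
        ForEach-Object {
            # -split takes a regex; the literal newline in the pattern matches the mangled separator.
            $base, $guid = $_.cn -split "`nCNF:", 2
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                BaseName          = $base
                BaseLength        = $base.Length      # what the 64-character limit applies to
                CnLength          = $_.cn.Length      # base + 1 (newline) + 4 ("CNF:") + 36 (GUID)
                ConflictGuid      = $guid
                ObjectClass       = $_.objectClass
                WhenChanged       = $_.whenChanged
            }
        }
}

Get-ConflictObject | Format-Table BaseName, BaseLength, CnLength, ObjectClass, WhenChanged -AutoSize
```

BaseLength should never exceed 64 in this output; if it does, the over-long name did not come from conflict renaming and deserves a separate look.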

Anonymous Access For particular IP Address

Is it possible to allow some specific IP addresses to access LDS with anonymous read permission?

Something like this in OpenLDAP:

by peername.ip=1.1.2.2 anonymous read
by peername.regex=1\.1\.2\..* anonymous read

Group Policy security filtering rights

Hi all,

I would like to change the security filtering for a group policy object.

In this way I limit the GPO to a specific user/computer instead of 'authenticated users'.

Enterprise Admins and Domain Admins can change this value.

I would like to know which rights I have to give to a specific group of admins to do this.

There are more than 50 to choose from and none of them rings a bell.

thanks in advance!

kind greetings,

Kris

Log on To... Attribute Cross Forest/Domain

All,

We have a two-way forest trust created. We have a user in Forest A that is accessing resources in Forest B. The user in Forest A has "Log on to..." restrictions configured so that they can only log on to certain machines. I know that in cross-forest/domain authentication/authorization the client needs to communicate with DCs in other domains due to the referrals and KDC operations for logon requests up the forest tree and across. Do all the domain controllers from the other domains need to be added to the "Log on to..." attribute for the user in Forest A to access resources in Forest B? If so, can I add the NetBIOS name of the domain as opposed to every DC in that domain? I thought authentication traffic was not relevant to this attribute.

When the user tries mapping the drive with a net use command they get the following error message "System error 2240 has occurred. The user is not allowed to log on from this workstation." 

I have the local resource looking into a couple of items, but I was hoping to get a definitive answer prior to that resource attempting this (24-hour time difference).

Thanks!
