Quantcast
Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

Distribution list add permission to another DL Exchange 2007

March 21, 2016, 1:22 am
$
0
0

I have  distribution list named "DLA" and I assigned full permissions to another distribution list Named "DLA2"  as shown below "DLA2" have 4 other nested DLs, and each of these 4 nested DLs have groups of users. 

set-adpermission -identity "DLA" -user "DLA2" -accessrights writeproperty -properties "member "

set-adgroup  -identity  "DLA" -managedby  "DLA2"

DLA2 memebers:

DLA2_1

DLA2_2

DLA2_3

DLA2_4

SO my question is that "DLA2_4" members will inherits the access right from DLA2 or it doesn't work like that?....

Please note that I asked same question over exchange 2007 and below is the reply I received from Ed Crowley MVP :

You aren't assigning Exchange permissions, you're assigning AD permissions, and you're not assigning the same rights at each level so I recommend that you ask your question in the Directory Services forum. 

https://social.technet.microsoft.com/Forums/office/en-US/c1459616-e520-4d3f-aec3-3b768f8f6156/distribution-list-add-permission-to-another-dl-exchange-2007?forum=exchangesvrgenerallegacy

Search

Can't create trust relationship due to domain rename in progress

March 15, 2016, 8:09 am
$
0
0

I reviewed the following article and discovered the command to end the domain renaming process that is in progress.

https://support.microsoft.com/en-us/kb/936918

What is the impact?  I don't know if what we are currently using is the new name or the old name.

Any thoughts would be appreciated.

Planning For AD in our environment - Need help on pricing estimate

March 22, 2016, 1:15 am
$
0
0

Hi,

need to get pricing details, can we get any Microsoft free licensing adviser 

Thanks in Advance.

NTRao

Qestion about Kerberos Version 5 Authentication Protocol in cross domains environment.

March 21, 2016, 2:14 am
$
0
0

Hi,

I'm a software developer, and I implemented the SSO function in our product. I have a question about how does the Kerberos 5 Authentication work in cross domain environment.

the current status is:

1. In customer's company, there are two domains, Client Domain and Server Domain.

2. Server Domain trusts Client Domain. (One-way trust)

3. Client want access a service in Server Domain.

Customer found there are data traffic between the following machines:

1. Client machine and Client Domain AD machine.

2. Client machine and Server Domain AD machine.

3. Client machine and Server service provider machine.

Customer think the data traffic 2 (Client machine and Server Domain AD machine.) should not exist.

I read the document of < How the Kerberos Version 5 Authentication Protocol Works> https://technet.microsoft.com/en-us/library/cc772815%28v=ws.10%29.aspx

In the section of Cross-Realm Authentication Between Two Realms,

Cross-Realm Authentication Between Two Realms

To understand how cross-realm authentication works, first consider the simplest case: a network with only two realms, East and West. If administrators for these realms are members of the same organization, or if for some other reason they are willing to treat the other realm's users as their own, they can enable authentication across realm boundaries simply by sharing an inter-realm key. (In Active Directory domains this happens automatically when two domains establish a trust relationship.) After the inter-realm key is shared, the ticket-granting service of each realm is registered as a security principal with the other realm's KDC. As a result, the ticket-granting service in each realm can treat the ticket-granting service in the other realm as just another service, something for which properly authenticated clients can request and receive service tickets.

When a user with an account in West wants access to a server with an account in East, the process is:

  1. The Kerberos client on the user's workstation sends a request for a service ticket to the ticket-granting service in the user account's realm, West.
  2. The ticket-granting service in West determines that the desired server is not a security principal in its realm, so it replies by sending the client a referral ticket—a TGT encrypted with the inter-realm key that the KDC in West shares with the KDC in East.
  3. The client uses the referral ticket to prepare a second request for a service ticket, and this time sends the request to the ticket-granting service in the server account's realm, East.
  4. The ticket-granting service in East uses its copy of the inter-realm key to decrypt the referral ticket. If decryption is successful, it sends the client a service ticket to the desired server in its domain.

From the above description, I think the data traffic 2 (Client machine and Server Domain AD machine.) is function as designed. Am I right?

Then I want test my thinking, so I shared a file in a Server domain machine. Then I access this shared file from the client machine which is in the Client domain. I captured the data traffic in the client machine, and I did NOT found the data traffic between Client machine and Server Domain AD machine. This confused me. So my questions are:

1. In my customer's scenario, is the data traffic 2 reasonable?

2. If it's yes for question 1, why there is no data traffic 2 when client  accessing the shared file in Server machine?


nltest and current site question

March 17, 2016, 4:18 am
$
0
0

Hello!

I have a strange situation in one of myg sub-networks.

The command nltest /dsgetdc:mydomain.com returns the dc that does not belong to native site of client.

I have joined client's sub-network to site Site1 in Active Directory sites and services, but nltest returnes:

Dc site name: Site2.

Our Site name:Site1

In other sub-networks I have DC and Our sites the same.

Thank you for any help.

IMPORTANT ADDITION: Site1 is site of 4  RODC


Netlogon authenticating to the wrong site and domain controller

March 21, 2016, 10:36 pm
$
0
0

Hi all,

I've read through pretty much the entire Internet (not joking unfortunately!) but i still can't get to the bottom of an issue i've got. 

I've got 5 AD sites configured in AD Sites and Services with the primary site VIC having most of the desktop users and has got local DCs. The other sites are geographically distributed and each have a local physical DC. 

My issue is that clients at the VIC site, although having 3 local DCs to authenticate to, are randomly being authenticated to the remote site DCs which is slowing down the logon process obviously.

I have checked AD S&S until my eyes fall out including the sites, subnets and site links, DNS SRV records, netlogon debug logs on both the client and the DCs and enabled traffic monitoring on the Fortinet firewall. 

I've hit a brick wall right now and would appreciate some assistance, even if people throw suggestions/questions at me that might trigger something else to check.

Cheers,

Luke

Intersite replication misunderstanding

March 22, 2016, 2:18 am
$
0
0

Hello.

I've got a misunderstanding about replication process between sites. Here is a my lab topology on the picture below

Here mus be a topology diagram, but I can't pace it here and I've got a message:

  • Body text cannot contain images or links until we are able to verify your account.

So let me try to explain a situation without any pictures, unfortunately.

There are two sites and two domain controllers in the each site. Now replication works fine, but I don't understand connections created by ISTG.

Bridgeheads servers are: ny-dc01.lab.local in NY site and root-dc02.lab.local in the root-site

Inbound connections between sites are:

ROOT-SITE (from ny-dc01.lab.local to root-dc02.lab.local - correct)

NY (from root-dc01.lab.local to Ny-dc01.lab.local). This is incorrect, because it was created not from bridgehead server

From my point of view the correct connections must be:

ROOT-SITE (from ny-dc01.lab.local to root-dc02.lab.local)

NY (from root-dc02.lab.local to Ny-dc01.lab.local)

i.e., connections must be ONLY between bridgeheads servers.

So I'd like to ask where I'm wrong in my suggestions.

Thanks a lot in advance!

Best regards.

accidental deletion of users and computers

March 21, 2016, 6:51 am
$
0
0
I noticed from a report of all users and computers in our domain, the majority are not "protected from accidental deletion".

How much of a risk is this?

How does this feature save us if we do "accidentally delete" a bunch of users/computers?                          
Search

Serial number attribute of computer object

March 22, 2016, 2:10 am
$
0
0

Hi,

Is there any attribute of computer object in Active Directory for serial number?

what could be the reason group policy not appliying few machine

March 21, 2016, 3:15 pm
$
0
0
in my environment ,there is a department (OU)called account,around 20 peoples are working in this department.i created the policy for wallpaper which is applying on this department ,strange is policy applying only on 15 machine other 5 machine the policy is not applying i have check the RSOP.msc its showing policy applied .is there any other reason for That.windows 7 running on all machine 

Abp

pam_ldap: ldap_simple_bind Can't contact LDAP server

March 22, 2016, 4:25 am
$
0
0

Hello All,

We are doing LDAP testing for high availability. The configuration worked as expected to provide high availability across multiple LDAP domain servers. However new issue in noted during testing.

We have total four LDAP domain servers in configuration.  LDAP client is unable to authenticate with BDC1 & BDC2 domain servers. 

ADC1 - LDAP login success 

ADC2 - LDAP login success 

BDC1 - LDAP request time out

BDC2 - LDAP request time out

ADC1&2 belong to one site and BDC1&2 to another.
We are testing from unix box 'AUNIX'  on which var/log logs show below error:

pam_ldap: ldap_simple_bind Can't contact LDAP server
pam_ldap: reconnecting to LDAP server...

can someone please guide me.

Thanks.

ADR

Install-ADServiceAccount Error Message: An unspecified error has occurred

March 8, 2016, 11:27 am
$
0
0

I have had Group Managed Service Accounts running before in our AD without a problem.  The one server that ran all the policies needed to be updated so it was imaged and everything was wiped.  When I now go to install the account (Install-ADServiceAccount gMSA-AD.Modify) powershell hangs for about an hour and I get the following error message:  

Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount gMSA-AD.Modify
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (gMSA-AD.modify:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

I also now have problems creating new Group Managed Service Accounts on other servers in my Domain.

It may also be worth noting that, during the process of getting this server set back up our primary Domain Controller died.  The backup Domain Controller took over and then all the roles were moved to that backup to make it become the primary.  Since then the former primary Domain Controller has been rebuilt and is now a backup Domain Controller.  Not sure if that would have anything to do with this error.

Windows server 2008 unable to recieve promote from win2k12 or win 2k8 r2 only win 2k8

May 5, 2013, 9:20 pm
$
0
0

This was the error when i tried to join win2k12 to DC on win2k8

"ADPrep execution failed --> Microsoft.DirectoryServices.Deployment.ADPrepLdapException: No Such Object. Server extended error: 8333. Server extended message: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Schema,CN=Configuration,DC=domain,DC=com'.
ADPREP was unable to modify the default security descriptor on object CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=domain,DC=com.
[Status/Consequence]
Adprep attempts to merge the existing default security descriptors with the new access control entry (ACE). 
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130505210218 directory for more information."

-repadmin /showrepl all fine

-check object version its 56

Need Help thanks before



Group policy security filtering

March 21, 2016, 12:38 pm
$
0
0

Hi,

I have an OU which contains some computer accounts and some user accounts. I would like to use security filtering for a GPO to be applied only 2 of these computers. I know that I can remove Authenticated users and add the two computer accounts to it. But I have user settings defined in the mentioned GPO. And here comes my question. If I remove the Authenticated users and add only the 2 computer accounts will the user settings be applied to the users who are logon to the 2 computers or it will be denied because the users are not defined in the security filtering setting?

Thank you & Kind regards,

Dvijne

Repadmin /removeLingeringObjects give this err: The target principal name is incorrect

March 16, 2016, 8:15 pm
$
0
0

Hi,

I run this cmd this clean lingering objects in DC but I got an error:

Repadmin /removeLingeringObjects server01 0a56864e-2244-40c6-72d7-eb4f844cfef7 "DC=MyDomain,DC=com" /advisorymode
DsReplicaVerifyObjectsW() failed with status -2146893022 (0x80090322):
    The target principal name is incorrect.

What does it mean?

Search

ADFS 3 issues with setting up WAP servers

March 22, 2016, 11:05 pm
$
0
0

I have 2 ADFS servers in Azure fronted by an internal load balancer. Internal ADFS DNS point to the load balancer and that works. I now need to setup 2 wap servers but none of them can connect to the ADFS farm properly. When I run the WAP wizard I get the following errors:

EventID 391: The federation server proxy was able to successfully establish a trust with the Federation Service.
EventID 422: Unable to retrieve proxy configuration data from the Federation Service.

The WAP servers have a local HOSTS entry pointing to the internal load balancer.

Changing the computer account default locations in AD after joining domain

March 22, 2016, 10:42 pm
$
0
0
Need solution urgently regarding the issue.

AD login error "Trust Relationship between this workstation...."

March 20, 2016, 6:33 am
$
0
0

Hi,

We have 03 AD domain controllers with Windows server 2012 R2 in our environment. Time Synchronization and replication has no errors. The issue occur irrelevant of client OSs and Particular when users try too reset their password and trying to login to AD from branch offices. Branch office doesn't have DC/RODC setup. They directly connects to primary site via VPN links.

We encountered an issue related to ""Trust Relationship between this workstation....", and user is unable to login to PC. Have to remove the PC from domain then rejoin to solve the issue. Please advise to find the cause and solve the issue.

Thanks and Best regards,

Meedstone Perera

workstations lose doamin network

March 7, 2016, 4:48 am
$
0
0

Hello,

I have for a long time problem with workstation droping from domain network every random period (at least I not find clue).

I had one old thread and from that time I checked DC and dns, How I find now all work well. https://social.technet.microsoft.com/Forums/windowsserver/en-US/e5eb34e1-bb47-45e7-a7c3-7a0815e31e52/many-pc-randomly-drop-from-domain-network-?forum=winserverDS&prof=required

But I still have problem with workstations drop from domain network.

In moment whan that hepend I can't find anything special hepend. Mostly thats same worskatation (same 10 of 70) and sametimes hepend with other but not offten,

I checked SID and time. I checked conection to dns . network and port acces. with and without firewall.

Still not find any idea why that hepend.

Same of tham are newly instaled workstation with oem softver.all workstation using win 7 pro.

Only what I found is whan I go to network properties and deselect IPv6 and press ok that pc come back to domain network.

After same time it may drop again and I just come and than select IPv6 and it come on network.

I am realy confused and realy not sure where more to look,

I realy hope that I may get here same more idea where to look.

ps: I have company that hold my network infrastrukture and thay saying that 100% is not to network (I can't is that for sure :).

one more things last night we lose electric for longer period and all equipepent lose power. most of workstation were drop from domain network.

If you need any more info let me know.

Active directory and offline folder.

March 22, 2016, 9:44 am
$
0
0

Hi, here my situation.

PC with Windows 8.1 on Domain A (other organization, other network) that has a offline folder on a server in Domain A.

This pc is outside the Domain A by four month, and all this time worked on another network, so I think that he reaches the offline files by cache.

Now this pc changed the domain on my organization, Domain B. Windows made another user's profile and, of course, I can't access anymore to the server in Domain A.

There is a way to access the cache of the offline folder connected to Domain A?

I still have the old domain name, username ad password of the user in Domain A.


Viewing all 31638 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>