Channel: Directory Services forum

AD LDS Schema Snap-In Error


I'm trying to open my AD LDS Instance Schema using the Active Directory Schema Snap-In in MMC.  When I select Change Active Directory Domain Controller and enter the IP:port, I get an "Online" status.  After selecting the AD LDS server, I'm prompted if I want to administer the new forest.  I select Yes, but then it throws an error, which says, "The Active Directory Domain Controller could not be set.  The specified directory service attribute or value does not exist."

When I run dcdiag in verbose mode on the AD LDS instance I get the following:

  • Identified AD LDS Configuration Set.
  • FATAL LDAP ERROR: a simple call to ldap_search failed

Note that opening the Schema in ADSI Edit works. I have other AD LDS instances running on separate servers that this is successful on, I'm just not sure what the difference in configuration is.

Any ideas?


Certificate template with "ALLOW PRIVATE KEY TO BE EXPORTED" unchecked

On a web server WEB001, we have a certificate issued by a CA (Windows 2012) through a "web server authentication template" that does NOT have the "Allow private key export" option checked/enabled. But I am still able to export the certificate with the private key on WEB001. The option of exporting the private key should have been grayed out, as the template on the CA doesn't have it. But I am still able to export. Anything missing here?

Slowness/Timeout while using DirSync control from C# .NET


We are using the code as below to issue a DirSync-based search on our AD to fetch updates to group members.

    using System.DirectoryServices.Protocols;
    // ...

    // Filter on the group's objectGUID, written as RFC 4515 escaped bytes.
    // (RFC 4515 requires two hex digits per escaped byte, e.g. \09 rather than \9.)
    var groupSearchFilter = @"(objectguid=\9\AE\C7\A6\C0\7F\1\41\92\B4\4\25\E9\A4\E\35)";

    var request = new SearchRequest(
        adConnectionDetails.ADSearchBase,
        groupSearchFilter,
        SearchScope.Subtree,
        Constants.AD_GROUP_REQUEST_ATTRIBUTES);

    // A null cookie asks for a full initial synchronization; a cookie saved from a
    // previous response asks only for changes since that point.
    request.Controls.Add(new DirSyncRequestControl(null, DirectorySynchronizationOptions.IncrementalValues));

    var response = connection.SendRequest(request);

The request above is very slow (>20s) when we send a null cookie in the DirSync control. With a valid cookie, it takes only about 1s. Also, sometimes the AD request times out, as below:

System.DirectoryServices.Protocols.LdapException was unhandled
  ErrorCode=85
  HResult=-2146233088
  Message=The operation was aborted because the client side timeout limit was exceeded.
  Source=System.DirectoryServices.Protocols
  StackTrace:
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
       at ADConnect.Program.Main(String[] args)
       at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
       at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
       at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
       at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()
  InnerException:

Can anyone suggest how we could improve things here with a null cookie?
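As an added example (not code from the original post), the same DirSync search done from PowerShell with the two things a practitioner usually wants around it: the cookie is persisted between runs so that only the first run pays for the full enumeration, and the client-side timeout is set explicitly (ErrorCode 85 in the trace above is that limit firing). The server name, search base, filter, attribute list and cookie path are placeholders.

```powershell
# Added example: DirSync poll with cookie persistence and explicit timeout.
# All names (server, search base, filter, cookie path) are assumed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-DirSyncPoll {
    param(
        [Parameter(Mandatory)] [string] $Server,        # e.g. 'dc01.contoso.example'
        [Parameter(Mandatory)] [string] $SearchBase,    # e.g. 'DC=contoso,DC=example'
        [Parameter(Mandatory)] [string] $Filter,        # e.g. '(objectClass=group)'
        [string[]] $Attributes = @('member', 'cn'),
        [Parameter(Mandatory)] [string] $CookiePath,    # file holding the last cookie
        [int] $TimeoutSeconds = 120
    )

    # Reuse the cookie from the previous run if there is one. A null cookie forces a
    # full enumeration of the naming context, which is the slow path the post describes.
    [byte[]] $cookie = $null
    if (Test-Path -LiteralPath $CookiePath) {
        $cookie = [System.IO.File]::ReadAllBytes($CookiePath)
    }

    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # integrity-protect the session
    $conn.SessionOptions.Sealing = $true   # encrypt the session (Kerberos/NTLM)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    # Per-request timeout; a full sync of a large directory needs more than the default.
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $conn.Bind()

    $changes   = [System.Collections.Generic.List[object]]::new()
    $pageCount = 0
    try {
        do {
            $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
                $SearchBase, $Filter,
                [System.DirectoryServices.Protocols.SearchScope]::Subtree,
                $Attributes)
            $dirSync = [System.DirectoryServices.Protocols.DirSyncRequestControl]::new(
                $cookie,
                [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::IncrementalValues)
            $null = $request.Controls.Add($dirSync)

            $response = $conn.SendRequest($request)
            foreach ($entry in $response.Entries) {
                $changes.Add([pscustomobject]@{
                    DistinguishedName = $entry.DistinguishedName
                    ChangedAttributes = @($entry.Attributes.AttributeNames)
                })
            }

            # The server hands back the next cookie and a MoreData flag in the response control.
            $rc = $response.Controls |
                  Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
            $cookie   = $rc.Cookie
            $moreData = $rc.MoreData
            $pageCount++
        } while ($moreData)
    } finally {
        $conn.Dispose()
    }

    # Persist the cookie only after a complete pass so an interrupted run restarts cleanly.
    if ($cookie) { [System.IO.File]::WriteAllBytes($CookiePath, $cookie) }
    [pscustomobject]@{ Pages = $pageCount; Changes = $changes }
}

# Usage (placeholder values):
# Invoke-DirSyncPoll -Server 'dc01.contoso.example' -SearchBase 'DC=contoso,DC=example' `
#     -Filter '(objectClass=group)' -CookiePath "$env:ProgramData\dirsync-groups.cookie"
```

The cookie file is as sensitive as the account that produced it only in the sense that it reveals the sync position, not directory data, but it should still live somewhere only the service account can write, since a tampered or deleted cookie silently turns the next run back into a full sync.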


Forgot Outlook PST file password

Is there a safe PST password tool/site? I've got $100,000s of lost product keys and business data in older emails with a forgotten password! HELP!!!!

ADFS problems to troubleshoot this


Since yesterday, single sign-on doesn't work for a web application anymore:

We get these messages:

Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null

Event log:

Protocol Name: Saml
Relying Party: http://rws.login.cf-prod.intranet.rws.nl
Exception details: System.FormatException: Index (zero based) must be greater than or equal to zero and less than the size of the argument list.

And:

The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details: System.FormatException: Index (zero based) must be greater than or equal to zero and less than the size of the argument list.


We did check every setting and it looks fine. Can people give us some tips on how to further troubleshoot this? We don't get much info from the relying party.

Kind regards,

André

Active Directory Event 1006 Error

Calling all Windows Server Gurus!! It's time to MARCH into the history books!


It's another month, and another chance to find... the one!

That special person who brings us... the knowledge!

That thing we didn't know.

That revelation that saves us so much bandwidth on the search tool.

Clear and concise revelations that bring us closer to our goal!

You have that power my friends!

Step forth with words of wisdom!

Step up and let us know your name!

Carve your mark on the community... and history!

MARCH forth and win glory, fame, love, honour and immortality!!!! (in the form of the written word... kind of...)

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)  <----

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Below are last month's mighty winners and contenders!

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well-known community big hitters, show your knowledge and prowess in your favoured technologies!


Can't access ADFS federationmetadata.xml


I configured ADFS and am having issues accessing the metadata xml file and can't seem to find an answer.

If I go to
https://localhost/federationmetadata/2007-06/federationmetadata.xml
It works perfectly from the local ADFS server

If I go to
https://<IP Address>/federationmetadata/2007-06/federationmetadata.xml
it gives me "This page can't be displayed  .... Turn on TLS1.0, TLS 1.1, and TLS 1.2 in Advanced settings ......". I get the same error if I use the internal server FQDN.

If I go to my external proxy address
https://fs.myexternaldomain.com/federationmetadata/2007-06/federationmetadata.xml
it gives me "502 - Web server received an invalid response while acting as a gateway or proxy server"

Any ideas what I'm doing wrong?


Control authentication to remote domain controllers in other sites if domain controllers in local AD site are down


Hi all,

How can we control authentication to remote domain controllers in other sites if domain controllers in local AD site are down? For example, if I have 8 sites: Site 1, Site 2, .... Site 8 and DCs in Site 1 are down, how can we make sure AD objects in Site 1 will authenticate against DCs in site 2 for example then Site 3 (prioritization) and not against any other domain controller in other sites?

Uptime of all DCs


Hello 

I got a task to pull the uptime of all DCs on a weekly basis. We have 33 DCs in our environment.

Can anyone help with a script or module to find this all together, rather than doing it one by one?

Thanks 


NA
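An added example (not from the original post) of the kind of script asked for above: it enumerates every DC in the forest with the ActiveDirectory module, reads the last boot time from each over CIM, and writes a dated CSV suitable for a weekly scheduled task. It assumes RSAT's ActiveDirectory module and WinRM access to each DC; the report path is a placeholder. A DC that cannot be queried is recorded as a row rather than aborting the run, since an unreachable DC is itself something the weekly report should show.

```powershell
# Added example: last boot time and uptime for all DCs in the forest.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to each DC.
Import-Module ActiveDirectory

function Get-DcUptime {
    param(
        # Default: every DC in every domain of the current forest
        [string[]] $DomainController = (
            (Get-ADForest).Domains |
                ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
                Select-Object -ExpandProperty HostName
        ),
        # Flag DCs whose uptime exceeds the patch cycle: a long uptime on a DC usually
        # means a pending reboot after updates, which is worth a second look.
        [int] $MaxUptimeDays = 45
    )

    foreach ($dc in $DomainController) {
        try {
            # Get-CimInstance already converts LastBootUpTime to a [DateTime]
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc -ErrorAction Stop
            $uptime = (Get-Date) - $os.LastBootUpTime
            [pscustomobject]@{
                DomainController = $dc
                LastBootUpTime   = $os.LastBootUpTime
                UptimeDays       = [math]::Round($uptime.TotalDays, 2)
                OverThreshold    = ($uptime.TotalDays -gt $MaxUptimeDays)
                Status           = 'OK'
            }
        } catch {
            # Record the failure instead of stopping: the report must still cover all 33 DCs
            [pscustomobject]@{
                DomainController = $dc
                LastBootUpTime   = $null
                UptimeDays       = $null
                OverThreshold    = $null
                Status           = "Unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Weekly run from a scheduled task: keep one dated CSV per week (path is a placeholder)
$stamp = Get-Date -Format 'yyyy-MM-dd'
Get-DcUptime |
    Sort-Object UptimeDays -Descending |
    Export-Csv -Path "C:\Reports\DC-Uptime-$stamp.csv" -NoTypeInformation
```

Get-CimInstance needs WinRM on the target; for DCs still on versions without WinRM enabled, Get-WmiObject over DCOM is the fallback, and the rest of the function is unchanged.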

ADFS3 Login Page Script Error


Fully patched and updated ADFS 3 server running in our environment. When we access Azure through a web browser we are redirected to the ADFS 3 page and log in without any issues.

When I use PowerShell to connect to Azure, a window comes up from our ADFS page, but as soon as I type any character into the password or username field I get a Script Error:

An Error has occurred in the script on this page.

Line: 127

Char: 9

Error: Unable to get property 'style' of undefined or null reference

Code: 0

URL: https://federation.companyname/adfs/ls/?wfresh=0&wauth=http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%


We see this same error message when someone tries to log in to Word or other Office products with their accounts also.

Our ADFS page has some minor customizations done to the onload.js file but since it works fine in a browser I'm not sure the customizations are the cause.

What is rendering the ADFS page when I use PowerShell? Is there any way to debug that window to find the issue? Are these logins running some other script from the ADFS server?



A+, N+, MCP


Active Directory - Computers going into correct OUs


Hey all,

I'll be the first to admit: I feel like a has-been. I did quite a bit in AD 5 years ago, but am pretty rusty and now need to figure something out. Hoping y'all can help.

Situation:

Computers are already in the correct OU and on the domain when they arrive at the client facility, with a unique PC name.

We need to rename the computer and also ensure it goes back into the OU it was already in prior to the rename (boss wants this as one automated step).

Most, but not all PCs are rejoining to the same OU it was already in. Is it this GUID that determines this? What would cause it to fail?

Unfortunately, I am part of a very large and segregated company, so it's the left-hand-not-knowing-the-right-hand scenario. My boss is currently directing everyone to no longer disjoin any PCs from the domain, figuring that will resolve the issue. He has extremely limited experience with AD. I wanted to reach out, as I remember 5 years ago just placing PCs in the correct OU, or, if I were going to rename one, I would disjoin it from the domain, rename it and rejoin, with some rebooting in between.

Can anyone advise proper procedure and also what I should be researching on to figure out why some do and some do not join back to the correct OU? 

Thanks so much! Any advice is much appreciated. 

- Has-been.

pam_ldap: ldap_simple_bind Can't contact LDAP server


Hello All,

We are doing LDAP testing for high availability. The configuration worked as expected to provide high availability across multiple LDAP domain servers. However, a new issue was noted during testing.

We have a total of four LDAP domain servers in the configuration. The LDAP client is unable to authenticate with the BDC1 and BDC2 domain servers.

ADC1 - LDAP login success 

ADC2 - LDAP login success 

BDC1 - LDAP request time out

BDC2 - LDAP request time out

ADC1 and ADC2 belong to one site and BDC1 and BDC2 to another.
We are testing from a Unix box 'AUNIX', on which the /var/log logs show the error below:

pam_ldap: ldap_simple_bind Can't contact LDAP server
pam_ldap: reconnecting to LDAP server...

Can someone please guide me?

Thanks.

ADR

RODC Compatibility - KB944043 for XP 32 bits


Hello,

According to the articles about compatibility of clients for Read-Only Domain Controllers (https://support.microsoft.com/en-us/kb/944043 - https://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(v=ws.10).aspx), I would like to download KB944043 for Windows XP x86.

But this package is not available, whereas XP x64 and Server 2003 x86/x64 are available.

Is there any reason for this? And when can I download the x86 package (French and English languages)?

Thanks

What could be the reason group policy is not applying to a few machines?

In my environment, there is a department (OU) called Account, with around 20 people working in it. I created a wallpaper policy which applies to this department. Strangely, the policy is applying on only 15 machines; on the other 5 machines it is not applying, even though I have checked RSOP.msc and it shows the policy applied. Is there any other reason for that? Windows 7 is running on all machines.

Abp


local account with same name as domain account locking out domain account


I have an issue where, if I have a local account that has the same username as the AD account and the passwords do not match, it will lock out the domain account. This is a recent occurrence. The only thing that has changed lately is the deployment of an Exchange 2010 CAS server. Does anyone know why Windows 7 would try to pass local credentials to the domain as if they were domain credentials? Perhaps a new feature of Exchange 2010 that tries to do some authentication in the background? This is happening to accounts that have had local accounts on their machines for a couple of years without any issues, but suddenly these local accounts are locking out the domain account. I am hopeful there is something I can change on the server side to prevent this.

Thanks,

Rich

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adfs. The target name used was HTTP/fs.domain.com


Hi,

I got the error below in Event Viewer when I tried to access my ADFS URL:

Source: Security-Kerberos

Event ID: 4

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adfs. The target name used was HTTP/fs.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Domain.COM) is different from the client domain (Domain.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server

Active Directory Users and computers search comes up blank on everything.


Hello.

I have 5 DCs: 2 on 2012 R2 and 3 on 2003. Domain level is 2003.

Whenever I search for something in ADUC, it comes up blank. It does not matter which DC I try from or point ADUC to use. However, it works fine in PowerShell or the Administrative Center, and I have gotten no other kind of error in the environment, so everything else seems to be working great.

Does anyone have any idea on where to start with this one?

Sub-domain authentication fails


Hello , 

I have a domain controller in HQ, e.g. domain.local, and a sub-domain in a branch, e.g. site.domain.local, connected via an internet VPN connection.

In HQ I have all the main services running, like Exchange 2013. The problem is that Exchange is not authenticating users for that sub-domain when my VPN connection is down.

What should I do to make the authentication happen from HQ if this branch VPN is down, so users can still use their Outlook with the Outlook Anywhere configuration?

LDAP Bind and Service Principal Name Issues


I am having some problems performing an LDAP bind using SASL and DIGEST-MD5 against Active Directory on Windows Server 2008 R2.

We have a domain controller called ContosoDC for Contoso.com at 192.168.44.208. If I perform an LDAP bind with the hostname ldap://192.168.44.208 then I get the following error "The digest-uri does not match any LDAP SPN's registered for this server".
I have tried to resolve this by running the command "setspn -S ldap/192.168.44.208 ContosoDC" however it only seems to add the service principal name temporarily. After some random amount of time, minutes or hours, ldap/192.168.44.208 is removed from the list of service principal names for ContosoDC.

What is causing the SPN to be removed from the list and how do I prevent it from happening? Is it good practice to use ldap://192.168.44.208 and ldap://Contoso.com as hostnames? What would be the standard hostname to use as good practice to communicate with this domain controller via LDAP?
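Both the KRB_AP_ERR_MODIFIED event text quoted earlier and the LDAP SPN post above come down to the same question: which account holds a given SPN, and is any SPN registered on more than one account. As an added example (not code from either post), the following uses the ActiveDirectory module to answer both: Get-SpnOwner lists the account(s) holding an SPN such as HTTP/fs.domain.com or the ldap/ entries on a DC's computer account, and Find-DuplicateSpn reports every SPN that appears on two or more accounts in a domain. The SPN values in the usage lines are the ones named on this page; the module and the search base are assumptions.

```powershell
# Added example: SPN ownership and duplicate-SPN audit with the ActiveDirectory module.
# Assumes RSAT's ActiveDirectory module; SPN values in the usage lines are taken from the posts above.
Import-Module ActiveDirectory

function Get-SpnOwner {
    param([Parameter(Mandatory)] [string] $Spn)
    # Escape LDAP filter metacharacters (RFC 4515) before interpolating the SPN into the filter.
    # '*' is deliberately left alone so a trailing wildcard such as 'ldap/ContosoDC*' still works.
    $escaped = $Spn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName |
        Select-Object DistinguishedName, ObjectClass,
            @{ n = 'MatchingSpns'; e = { @($_.servicePrincipalName | Where-Object { $_ -like $Spn }) } }
}

function Find-DuplicateSpn {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    # Flatten to one row per (SPN, account) pair, then group by SPN.
    # Group-Object compares strings case-insensitively, which matches how Kerberos treats SPNs.
    $rows = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -SearchBase $SearchBase `
                -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn; Account = $dn }
            }
        }
    $rows | Group-Object Spn | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Spn      = $_.Name
            Accounts = ($_.Group.Account | Sort-Object -Unique) -join '; '
        }
    }
}

# Usage:
# Get-SpnOwner -Spn 'HTTP/fs.domain.com'      # expect exactly one account, the ADFS service account
# Get-SpnOwner -Spn 'ldap/ContosoDC*'         # the LDAP SPNs a DC keeps on its own computer account
# Find-DuplicateSpn | Format-Table -AutoSize  # every row is a duplicate that will produce KRB_AP_ERR_MODIFIED
```

Find-DuplicateSpn covers the same ground as `setspn -X` but returns objects, so it can be scheduled and diffed week to week; a newly appearing duplicate, or an SPN that moves between accounts, is the kind of change worth alerting on because it breaks Kerberos for that service and silently pushes clients toward NTLM.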
