Channel: Directory Services forum

EAS IP restriction to MDM servers


https://community.office365.com/en-us/f/158/t/228495

Dear ADFS Forum engineers and members,

I would like to refer to the case on top.

We use an on-premises MDM solution with Exchange Online. Recently a search has indicated that a lot of our users are connecting to Office 365 mailboxes using EAS via either the Outlook app or native mobile device apps. We want to restrict email access using our MDM.

Basically our goal is that users who try to connect through EAS with whatever client they use should not be granted access to their mailboxes. The only way should be that they install our MDM application, and then they should be able to access mail.

The built-in claim rules on ADFS do not really answer our custom demand.

Does anyone have experience with such a request? Any information provided will be highly appreciated.

Thank you,

A.Kurtay


Changing AD domain name


Hi all,

Let's say the company name is NODNOL

When our internal domain was set up many years ago, the person who did it set it up as just one level, i.e. the FQDN is NODNOL.

So one of the servers for example is called SERVER1.NODNOL

Our email addresses are of the form rob@nodnol.co.uk

Now I wish to implement Exchange Server, and from research I think it would make life easier if our domain was NODNOL.co.uk. Is it possible to rename the internal domain NODNOL to this, or maybe start with a new domain NODNOL.co.uk?

Any thoughts welcomed.

Adding a Windows server 2012 DC to a Windows 2003 subdomain requires Enterprise Admins account


Hi,

We have an example.com forest running at the Windows 2003 functional level. There are multiple subdomains in this forest (fr.example.com, pl.example.com ...). We have already deployed Windows Server 2012 domain controllers for some subdomains (e.g. fr.example.com).

We now want to deploy a Windows Server 2012 domain controller in our Polish subdomain pl.example.com, which currently has only Windows Server 2003 domain controllers.

During the promotion of the new Polish Windows Server 2012 domain controller (run with an account that is a member of the Domain Admins group of the Polish subdomain), the installation process requests an Enterprise Admins account for:

  • Domain preparation (I understand this one)
  • Forest and schema preparation

I don't understand why it indicates "Forest and schema preparation". As we have already deployed Windows Server 2012 servers in the forest, and also domain controllers running this version of Windows in other subdomains, we should not have to do any forest and schema preparation.

Could you please help me understand that point?

Thanks in advance for your feedback.

Denis


Old DNS records are not deleted


I need help trying to understand why old DNS records are not deleted.

The host has been rebuilt with the same hostname; the IP has changed.

Looking at the properties of a record I see "Delete this record when it becomes stale" is checked.

The record time stamp is "8/20/2015 3:00:00 AM". According to this logic:

Record time stamp + No-refresh interval for zone + Refresh interval for zone

If the value of this sum is greater than current server time, no action is taken and the record continues to age in the zone.

The record should be deleted, I think. What settings can I look at for further troubleshooting?

Thank you.
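The aging rule the post quotes, as an added Python example (not from the post): it applies the timestamp + no-refresh + refresh comparison and adds the other conditions a practitioner checks when an eligible record still survives (static records, and whether a scavenging pass actually runs on a server). Interval lengths, the last scavenging time and the current time are constructed sample values.

```python
from datetime import datetime, timedelta


def scavenge_eligible(timestamp, no_refresh, refresh, now):
    """Apply the aging rule quoted in the post to one dynamic DNS record.

    timestamp  -- the record's aging timestamp (datetime), or None for a
                  static record, which the console shows with timestamp 0
    no_refresh -- the zone's no-refresh interval (timedelta)
    refresh    -- the zone's refresh interval (timedelta)
    Returns (eligible, reason).
    """
    if timestamp is None:
        return False, "static record (timestamp 0): aging never applies"
    deadline = timestamp + no_refresh + refresh
    if deadline > now:
        # Sum is still in the future: no action, the record keeps aging.
        return False, f"still aging until {deadline:%Y-%m-%d %H:%M}"
    return True, "past no-refresh + refresh: a scavenging pass can delete it"


def scavenging_pass_due(zone_aging_on, server_scavenging_on,
                        scavenging_period, last_pass, now):
    """An eligible record is only removed when a scavenging pass actually runs:
    the zone must have aging enabled, at least one DNS server must have
    scavenging enabled, and that server's scavenging period must have elapsed.
    """
    if not zone_aging_on:
        return False, "aging/scavenging is not enabled on the zone"
    if not server_scavenging_on:
        return False, "no DNS server has scavenging enabled"
    next_pass = last_pass + scavenging_period
    if next_pass > now:
        return False, f"next scavenging pass not before {next_pass:%Y-%m-%d %H:%M}"
    return True, "scavenging pass is due"


# Constructed sample: the timestamp from the post with 7-day intervals
# (the default for AD-integrated zones).
RECORD_TS = datetime(2015, 8, 20, 3, 0)
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)


def check_post_record(now=datetime(2016, 3, 25, 12, 0)):
    """Run both checks for the post's record at a constructed 'now'."""
    eligible, why = scavenge_eligible(RECORD_TS, NO_REFRESH, REFRESH, now)
    due, why_pass = scavenging_pass_due(True, True, timedelta(days=7),
                                        datetime(2016, 3, 10), now)
    return {"eligible": eligible, "pass_due": due, "reasons": [why, why_pass]}
```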

Windows Server 2008 unable to receive promote from Win2k12 or Win2k8 R2, only Win2k8


This was the error when I tried to join Win2k12 to a DC on Win2k8:

"ADPrep execution failed --> Microsoft.DirectoryServices.Deployment.ADPrepLdapException: No Such Object. Server extended error: 8333. Server extended message: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Schema,CN=Configuration,DC=domain,DC=com'.
ADPREP was unable to modify the default security descriptor on object CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=domain,DC=com.
[Status/Consequence]
Adprep attempts to merge the existing default security descriptors with the new access control entry (ACE). 
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130505210218 directory for more information."

- repadmin /showrepl: all fine

- checked object version: it's 56

Need help, thanks in advance.



Setting custom attribute to AD user account


I have created a custom attribute in the schema and I am trying to set the value of the attribute to True for certain users. When I search for the user with the "Find" functionality in Active Directory, I do not see the Attribute Editor tab. The only way to see the Attribute Editor is by browsing to the user account. I have 1.2 million users in AD and it is hard to load all users in the Active Directory Users and Computers window.

Would anybody know the PowerShell command to do the same?

Repadmin /syncall causes DC01 to try and replicate to itself and gets "Access Denied"


Hi everyone. I have been trying to figure out this peculiar behavior from one of our DCs. We have 3 DCs in our environment and I can force replication on DC02 and DC03 with no issues. By issuing "repadmin /syncall" on DC02 and DC03, I get the following success message:

DC02: repadmin /syncall

    From: a9326fa6-e465-4a55-8fe4-143f4d2100e8._msdcs.test.com
    To  : 3dc7a026-c031-4bdc-915f-f200e0aebcba._msdcs.test.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: a9326fa6-e465-4a55-8fe4-143f4d2100e8._msdcs.test.com
    To  : 3dc7a026-c031-4bdc-915f-f200e0aebcba._msdcs.test.com
CALLBACK MESSAGE: The following replication is in progress:
    From: 83ce846e-4d0b-485e-a414-4ac5abc39bc5._msdcs.test.com
    To  : 3dc7a026-c031-4bdc-915f-f200e0aebcba._msdcs.test.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 83ce846e-4d0a-485e-a414-4ac5abc39bc5._msdcs.test.com
    To  : 3dc7a026-c031-4bdc-915f-f200e0aebcba._msdcs.test.com

However, from DC01: repadmin /syncall

CALLBACK MESSAGE: Error contacting server 83ce846e-4d0b-485e-a414-4ac5abc39bc5._msdcs.test.net (network error): 5 (0x5):
    Access is denied.

SyncAll exited with fatal Win32 error: 8440 (0x20f8): The naming context specified for this replication operation is invalid.

The peculiar thing is that "83ce846e-4d0b-485e-a414-4ac5abc39bc5._msdcs.test.net" is actually DC01 itself:

DC01: nslookup 83ce846e-4d0b-485e-a414-4ac5abc39bc5._msdcs.test.net

Server:  dc02.test.net
Address:  x.x.x.40

Name:    dc01.test.net
Address:  x.x.x.120
Aliases:  83ce846e-4d0b-485e-a414-4ac5abc39bc5._msdcs.test.net

So why is DC01 trying to replicate to itself and not the other DCs? Or am I just looking at this wrong? We have only 1 site in Sites and Services, and all the DCs have the correct connection links in NTDS Settings.

Replication in our environment still works - just not when initiated from DC01. I can also manually replicate from DC01 when I specify the partition to replicate.

DC01: repadmin /replicate dc02 dc01 "CN=configuration,DC=test,DC=com"

Sync from DC01 to DC02 completed successfully.

Any ideas on why I can't do a repadmin /syncall on DC01?

Thanks!

Adding a Windows server 2012 R2 DC to a Windows forest using Windows server 2003 level


Hi,

In my company we are using a forest (example.com) with multiple subdomains (sub1.example.com, sub2.example.com, sub3.example.com). The current functional level of the forest is Windows Server 2003.

As a particularity, we have one of our subdomains still using Exchange 2003 (sub3.example.com); they plan to move to Office 365 :) !!

One of our subsidiaries managing one of our subdomains (sub1.example.com), not the one with Exchange 2003, wants to create a new domain controller using the Windows Server 2012 R2 operating system.

Is there any problem introducing a Windows Server 2012 R2 domain controller in the environment I describe above?

Best Regards. 

Denis


Error Moving FSMO Roles


Hi all,

I currently have 2 DCs:

1. DC on Windows 2008 (it is also an Exchange 2007 server, in the process of being migrated to Office 365)

2. DC on Windows 2012 R2

We are running Hyper-V 2012 R2.

We had a corruption of Exchange and had to restore to a previous day.

Exchange now works OK, but the FSMO roles cannot be moved to the other DC in order to demote it from a DC.

I tried the normal way and also through ntdsutil, but I get errors.

Any ideas or suggestions?

Question about Kerberos Version 5 Authentication Protocol in a cross-domain environment


Hi,

I'm a software developer, and I implemented the SSO function in our product. I have a question about how Kerberos 5 authentication works in a cross-domain environment.

The current status is:

1. In the customer's company, there are two domains, Client Domain and Server Domain.

2. Server Domain trusts Client Domain (one-way trust).

3. A client wants to access a service in Server Domain.

The customer found there is data traffic between the following machines:

1. Client machine and Client Domain AD machine.

2. Client machine and Server Domain AD machine.

3. Client machine and Server service provider machine.

The customer thinks that data traffic 2 (Client machine and Server Domain AD machine) should not exist.

I read the document "How the Kerberos Version 5 Authentication Protocol Works": https://technet.microsoft.com/en-us/library/cc772815%28v=ws.10%29.aspx

In the section of Cross-Realm Authentication Between Two Realms,

Cross-Realm Authentication Between Two Realms

To understand how cross-realm authentication works, first consider the simplest case: a network with only two realms, East and West. If administrators for these realms are members of the same organization, or if for some other reason they are willing to treat the other realm's users as their own, they can enable authentication across realm boundaries simply by sharing an inter-realm key. (In Active Directory domains this happens automatically when two domains establish a trust relationship.) After the inter-realm key is shared, the ticket-granting service of each realm is registered as a security principal with the other realm's KDC. As a result, the ticket-granting service in each realm can treat the ticket-granting service in the other realm as just another service, something for which properly authenticated clients can request and receive service tickets.

When a user with an account in West wants access to a server with an account in East, the process is:

  1. The Kerberos client on the user's workstation sends a request for a service ticket to the ticket-granting service in the user account's realm, West.
  2. The ticket-granting service in West determines that the desired server is not a security principal in its realm, so it replies by sending the client a referral ticket—a TGT encrypted with the inter-realm key that the KDC in West shares with the KDC in East.
  3. The client uses the referral ticket to prepare a second request for a service ticket, and this time sends the request to the ticket-granting service in the server account's realm, East.
  4. The ticket-granting service in East uses its copy of the inter-realm key to decrypt the referral ticket. If decryption is successful, it sends the client a service ticket to the desired server in its domain.

From the above description, I think data traffic 2 (Client machine and Server Domain AD machine) is functioning as designed. Am I right?

Then I wanted to test my thinking, so I shared a file on a Server Domain machine. Then I accessed this shared file from the client machine, which is in the Client Domain. I captured the data traffic on the client machine, and I did NOT find any data traffic between the Client machine and the Server Domain AD machine. This confused me. So my questions are:

1. In my customer's scenario, is data traffic 2 reasonable?

2. If yes for question 1, why is there no data traffic 2 when the client is accessing the shared file on the Server machine?
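As an added example (not from the post or from the Microsoft article it quotes), a small Python model of the four-step referral flow described above. Realm names, principals, keys and the one-way trust direction are all constructed, and an HMAC tag stands in for ticket encryption; the client side records which realm's KDC it contacts, which is the "data traffic 2" the post asks about.

```python
import hashlib, hmac, json

def seal(key: bytes, part: dict) -> dict:
    # Toy stand-in for ticket encryption: an HMAC tag proves the ticket was
    # produced by a holder of `key` (key possession only, no confidentiality).
    body = json.dumps(part, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key: bytes, sealed: dict) -> dict:
    expect = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, sealed["tag"]):
        raise PermissionError("ticket was not sealed with this key")
    return json.loads(sealed["body"])

class KDC:
    def __init__(self, realm, tgs_key, services, outbound=None, inbound=None):
        self.realm, self.tgs_key, self.services = realm, tgs_key, services
        self.outbound = outbound or {}  # realms we may refer clients to -> inter-realm key
        self.inbound = inbound or {}    # realms whose referral TGTs we accept -> inter-realm key

    def tgs_exchange(self, ticket: dict, spn: str) -> dict:
        service, issuer = ticket["sname"].split("@")
        target = service.split("/")[1]
        if target != self.realm:
            raise PermissionError(f"{self.realm}: ticket addressed to {target}")
        if issuer == self.realm:
            key = self.tgs_key            # step 1: a TGT we issued ourselves
        elif issuer in self.inbound:
            key = self.inbound[issuer]    # step 4: referral TGT from a realm that trusts us
        else:
            raise PermissionError(f"{self.realm}: no trust accepts referrals from {issuer}")
        client = unseal(key, ticket["enc"])
        svc_realm = spn.split("@")[1]
        if svc_realm == self.realm:
            return {"sname": spn, "enc": seal(self.services[spn], client)}
        if svc_realm not in self.outbound:
            raise PermissionError(f"{self.realm}: no trust path to {svc_realm}")
        # step 2: the service lives elsewhere, so issue a referral TGT under the inter-realm key
        return {"sname": f"krbtgt/{svc_realm}@{self.realm}",
                "enc": seal(self.outbound[svc_realm], client)}

def initial_tgt(kdc: KDC, user: str) -> dict:
    return {"sname": f"krbtgt/{kdc.realm}@{kdc.realm}",
            "enc": seal(kdc.tgs_key, {"cname": user, "crealm": kdc.realm})}

def get_service_ticket(kdcs: dict, tgt: dict, spn: str):
    """Client side (steps 1 and 3): follow referrals until a service ticket comes back.
    Returns (ticket, list of realms whose KDC the client had to contact)."""
    ticket, contacted = tgt, []
    for _ in range(8):  # bound the referral chain
        kdc_realm = ticket["sname"].split("@")[0].split("/")[1]
        contacted.append(kdc_realm)
        ticket = kdcs[kdc_realm].tgs_exchange(ticket, spn)
        if ticket["sname"] == spn:
            return ticket, contacted
    raise RuntimeError("referral chain too long")

INTER_REALM = b"inter-realm-key-from-the-trust"  # constructed
# One-way trust as in the post: the Server Domain (EAST) trusts the Client Domain (WEST).
WEST = KDC("WEST", b"west-krbtgt-key", {}, outbound={"EAST": INTER_REALM})
EAST = KDC("EAST", b"east-krbtgt-key", {"cifs/fs1@EAST": b"fs1-service-key"},
           inbound={"WEST": INTER_REALM})
KDCS = {"WEST": WEST, "EAST": EAST}
```

Running `get_service_ticket(KDCS, initial_tgt(WEST, "alice"), "cifs/fs1@EAST")` returns the service ticket together with `["WEST", "EAST"]`: the client talks to both KDCs, while the reverse direction is refused because the trust is one-way.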


Can I create 2 objects in AD with the same name but a different IP address?


Hello,

Can I create 2 objects in AD with the same name but a different IP address?

In our scenario the application team has created one virtual computer object with the same name at DC & DR, but the IP address is different.

The computer object is the shared folder's share name at DC & DR.

I would like to know what the impact will be, or whether it is OK.

Delegate rights to another user temporarily


[WS 2003; Active directory]

Hi all,

I was not able to find a solution to my problem on the internet so I come ask it here.

I am part of an organization of 300+ employees, and we manage the rights for accessing shared folders very specifically.

We map network drives for each department, user, project, etc. We also have a folder for exchange between users / departments containing many subfolders, and for each one several security groups are defined (containing specific users).

The result of this is that each user belongs to many security groups, and sometimes we need to grant one user the same access as another user who could be in another department, accessing different shared folders.

I wasn't able to find a way of delegating AD rights from one user to another one. Do you guys know if it is possible in any way? Or could you think of another way to approach this issue?

Thank you for any help.

ADMT 3.2, Migrate User SIDs, fails with ERR2:7111 Failed to add sid history for USER to USER.test RC=1722


Hello everyone, I've been testing a migration of user SIDs and I've run into an issue I've exhausted my efforts on.

Three servers involved:

DC on Domain1,  Has DOMAIN1$$$ created,  Auditing enabled appropriately, Domain2 DA Admin in the Builtin\Administrators group of Domain1

DC on Domain2, Auditing enabled appropriately

ADMT server on the *Domain1 network but joined to the **[Domain2] domain

Both servers have the following build info:

Windows Server 2008 R2 Standard 6.1 (7601) Service Pack 1, Native Mode 2008 R2

Using an Input File (which is working appropriately)

Migration Script info:

========================

Intra-Forest: No
Password Option: Generate passwords, only for new objects = Yes
Password File:   'c:\Windows\ADMT\Logs\passwords.txt'
Migrate Security Identifiers: Yes
Update Rights: No
Translate Roaming Profiles: No
Fix group membership: No
Conflict Option: Merge, rights = No, members = No, move objects = Yes
Source Disable Option: Leave source account
Source Expiration: Do not expire source account
Target Disable Option: Set target same as source
Migrate groups: No
Migrate service accounts: Yes

========================

DCDiag on both domain controllers shows no issues, including a /TEST:DNS.

I have verified with Network team that no blocks/denies on any ports between ADMT server and DOMAIN 1 or 2 are present.


[Object Migration Section]
2016-03-25 11:50:20 Starting Account Replicator.
2016-03-25 11:50:37 WRN1:7561 ADMT could not migrate some properties for this object type (user) due to schema mismatches.  Please refer to the Schema Section in the migration log for a complete listing.  The Schema Section will be available once object migration is complete.
2016-03-25 11:50:37 CN=XXXXXXXXXXXXX - Merged.
2016-03-25 11:50:37 Did not update password for 'CN=XXXXXXXXXXXXXX' as user already existed.
2016-03-25 11:52:26 ERR2:7111 Failed to add sid history for XXXXXXXXXXXX to XXXXXXXXXXXX. RC=1722 
2016-03-25 11:52:26 Operation completed.

===============================

A Wireshark capture shows several attempts before doing a DSUnbind request.

DRSUAPI_ADD_SID_HISTORY  request

DRSUAPI_ADD_SID_HISTORY  response

DRSUAPI_ADD_SID_HISTORY  request

DRSUAPI_ADD_SID_HISTORY  response


Any suggestions on the RC=1722 (I'm assuming an RPC error)?

Any help would be fantastic!  Thank you.

Question about forest trust security

I have Forest A and Forest B.

I have a one-way trust from Forest A to Forest B; users in Forest A can authenticate in Forest B. It's all good up to here.

However, in Forest A if I go to the domain controller, and I go to Active Directory, I am able to list all users/objects/computers in Forest B if I go to "change domain".

How do I restrict this?

Selective authentication is already on.

Moving AD completely to new server


I currently have 2 servers which have AD installed on them, one being the root domain (dc1.xyz.com) and another DC (dc2.xyz.com).

I want to move both of these to Azure VMs and decommission them.

So one of my new VMs in Azure acts as the root domain and the other as a DC!

Can anyone guide or refer me on the steps on how to proceed?

Backup from Barracuda


Not sure if anyone else has experienced this: a backup-from-the-Barracuda issue. When we are trying to run a schedule, it just started happening. Also, certain restored files are not able to be written to the correct folder; we get the 15-character folders made up. It just started happening recently. VSS is stable and working properly; we are just having issues with writing an image.


03/25/16 00:49:48 0x000844c CRITICAL Exception - Original: 32 - 0x00000020 Mapped:122 Location:YB::YBackupFileWin32StreamIo::Read:c:\jenkins\workspace\bbs_agent_win\source\sup++\win\YBackupFileWin32StreamIo.cpp:67 Description:'The process cannot access the file because it is being used by another process.  '

03/25/16 00:49:49 0x00063e8 CRITICAL Exception - Original: 32 - 0x00000020 Mapped:122 Location:YB::YBackupFileWin32StreamIo::Read:c:\jenkins\workspace\bbs_agent_win\source\sup++\win\YBackupFileWin32StreamIo.cpp:67 

IP printing managed via AD with a link to a share path

I would like to try direct IP printing managed via AD with a link to a share for the drivers when installing the printer itself. No drivers on AD controllers.

Event ID 10016 - DCOM Error | Source - Microsoft-Windows-DistributedCOM | Level: Error


Hi there... I am getting the above-mentioned error with the description "The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

Full message is:

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          5/15/2012 1:18:44 PM
Event ID:      10016
Task Category: None
Level:         Error
Keywords:      Classic
User:          NT AUTHORITY\IUSR
Computer:      Server.domain.com
Description:
The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

application-specific
Local
Activation
{2D527A8C-A4B6-4E74-A63F-E867360D401C}
{B13EFBAE-7504-4938-9ED7-8E8B53E51221}
NT AUTHORITY
IUSR
S-1-5-17
LocalHost (Using LRPC)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10016</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-05-15T19:18:44.000000000Z" />
    <EventRecordID>43121</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>Server.Domain.com</Computer>
    <Security UserID="S-1-5-17" />
  </System>
  <EventData>
    <Data Name="param1">application-specific</Data>
    <Data Name="param2">Local</Data>
    <Data Name="param3">Activation</Data>
    <Data Name="param4">{2D527A8C-A4B6-4E74-A63F-E867360D401C}</Data>
    <Data Name="param5">{B13EFBAE-7504-4938-9ED7-8E8B53E51221}</Data>
    <Data Name="param6">NT AUTHORITY</Data>
    <Data Name="param7">IUSR</Data>
    <Data Name="param8">S-1-5-17</Data>
    <Data Name="param9">LocalHost (Using LRPC)</Data>
  </EventData>
</Event>

Please let me know any solutions to fix this.

Steps I did try from one of the blogs:

Open Component Services. Go to Start --> Control Panel --> Administrative Tools --> Component Services. Expand the Component Services branch, then expand Computers, My Computer and DCOM Config. Right-click on "sms agent host" (in my case) and click Properties. Click on the Security tab and under "Launch and Activation Permissions" select "Edit" and add the user Local Service (Local Launch). Click OK, close the Component Services window.

In the Launch Permission dialog box, make sure that the Everyone group has Remote Launch and Remote Activation permissions.

In the Launch Permission dialog box, make sure that the SMS Reporting Users local group has following permissions:

Local Launch / Remote Launch / Local Activation / Remote Activation

Also added Remote Launch / Remote Activation permission for Network Service (for the SMS_Reporting_Point)

Added Admin Group to the "ConfigMgr Remote Control Users"


VT


One DC facing an issue with high CPU usage from lsass.exe

One of our DCs is facing an issue with high CPU usage, approx. 95%, from lsass.exe. Can anyone suggest how I can troubleshoot this?

ADFS: Public SSL certificate for testing


I need to create an SSL certificate for testing ADFS with Office 365. Office 365 needs a public SSL certificate.

What options do I have?
