what will happen if Infrastructure mast down.
↧
Infrastructure Master Down
↧
How to change a password from a remote domain? Local user on DOM A, changing the password from DOM B
I have two AD forests, 100% separated, no trust, only basic TCP/IP connection
Forest A is a production enviroment and Forest B is a test/developer environment
How can regular users from Forest A can change their password in Forest B?
(The term here is "change", not "reset", i.e. change PWD of the the user, knowing the current password, like self service change password)
The Forest B is used only occasionnaly, so the end users forget their passwords frequently, so the user calls HelpDesk, HelpDesk change to a default password and the user has to change their own password, BUT.. User does not have TS or lgogin access to the Forest B, the end user only used the credentials of the Forest B for test systems, never to make regular "logins", the user has to call HelpDesk, ask for password change
I´ve tried to use the CTRL+ALD+DEL approach, but the erros is:The security database on the server does not have a computer account for this workstation trust relationship
May i use the IISADMPWD to achieve this?
The goal here is to allow the user to change its password immediatly after the help desk do the job of resetting
↧
↧
Datazen - ADFS authentication
I am not sure if this is the right forum, please feel free to move the thread if there is a more appropriate place. Since there isn't a forum for Datazen, posting it here. Would be great if admins can create a new forum category for Datazen.
I have configured ADFS authentication for Datazen using this article: https://www.qumio.com/Blog/Lists/Posts/Post.aspx?ID=33
Managed to set it up and works good for Datazen Viewer. However, when browsing the Datazen control panel, it redirects it automatically to the viewer page. For example, https://datazen.qumio.com/cp gets
redirected to https://datazen.qumio.com/
https://datazenserver/cp/
Any thoughts on how we can configure it so that other Hub Owners can also access the Control Panel.
Thanks in advance!
Regards,
Krish
↧
failed to extend active directory schema in sccm 2012
hi
whenever i try to extend active directory schema its getting failed
log in account has full admin rights
see the below log files
<03-25-2016 02:24:36> Modifying Active Directory Schema - with SMS extensions.
<03-25-2016 02:24:36> DS Root:CN=Schema,CN=Configuration,DC=SN,DC=com
<03-25-2016 02:24:36> Failed to create attribute cn=MS-SMS-Site-Code. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=mS-SMS-Assignment-Site-Code. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=MS-SMS-Site-Boundaries. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=MS-SMS-Roaming-Boundaries. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=MS-SMS-Default-MP. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=mS-SMS-Device-Management-Point. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=MS-SMS-MP-Name. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=MS-SMS-MP-Address. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=mS-SMS-Health-State. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=mS-SMS-Source-Forest. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=MS-SMS-Ranged-IP-Low. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=MS-SMS-Ranged-IP-High. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=mS-SMS-Version. Error code = 8224.
<03-25-2016 02:24:36> Failed to create attribute cn=mS-SMS-Capabilities. Error code = 8224.
<03-25-2016 02:24:36> Failed to create class cn=MS-SMS-Management-Point. Error code = 8224.
<03-25-2016 02:24:36> Failed to create class cn=MS-SMS-Server-Locator-Point. Error code = 8224.
<03-25-2016 02:24:36> Failed to create class cn=MS-SMS-Site. Error code = 8224.
<03-25-2016 02:24:36> Failed to create class cn=MS-SMS-Roaming-Boundary-Range. Error code = 8224.
<03-25-2016 02:24:36> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".
<04-05-2016 23:05:53> Modifying Active Directory Schema - with SMS extensions.
<04-05-2016 23:05:54> Unable to connect to RootDSE - Cannot update Active Directory. Error code = 1355.
<04-05-2016 23:05:54> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".
<04-05-2016 23:18:12> Modifying Active Directory Schema - with SMS extensions.
<04-05-2016 23:18:12> Unable to connect to RootDSE - Cannot update Active Directory. Error code = 1355.
<04-05-2016 23:18:12> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".
↧
Downloading Windows 10 ADMX errors out
I am attempting to download the ADMX files for Windows 10 to start performing some tests of the GP management but when I go to https://www.microsoft.com/en-us/download/details.aspx?id=48257 I get an error message that the page no longer exists. Is there another Microsoft page that hosts the ADMX files?
Thanks,
DJ
↧
↧
Additional Domin Controller for Branch office in Different Network
Hi all,
Our head office is in UAE and we are opening a new branch in Jordan, planning to put an additional domain controller there. Our domain name is3gee.com.
What is the best way to do this ?
UAE setup
Domain Controller and Additional domain controller
IP Range : 10.201.30.1 to 10.201.30.255
For Jordan, we are planning a different IP Range, for an ex: 192.168.1.1 to 192.168.1.255, so, is there required another DHCP server ?, but Domain will same as its, just an additional domain controller for Jordan..
Waiting for someone’s reply… your help will be appreciated..
Thanks, in Advance.
Mafeer CM
↧
ADFS and Moodle 3.0
Hi Everyone
I want to integrate Moodle 3.0 with ADFS 3.0.
Can anyone help?
Thanks.
- Andre
Regards Andre Thompson
↧
Schannel error, Event ID 36888? - IS there a way to Identify what causes Schannel to log error?
Hi, I hope this is the correct forum for this problem,
I am seeing a few of these errors (error details below) sporadically throughout the system event log on a windows 2008 R2 server. I have seen a number of threads about SChannel errors
http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/b2e0e110-f9ca-4113-8f4d-f20d6b39b8c7http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/675864e2-2856-44fa-b3bc-ef275d391d45However I can find no clear way of trying to find what exactly causing the error. It would appear that the Schannel is logging errors but that this errors are being caused by other processes. Now I know that this is obviously SSL/TLS related. So my question/s are this.
What exactly is Schannel and what does it do?
How do you identify the actual problem.?
I list the error details below, the pid refereced in the error is the lssas.exe which I believe deals with authentication. Is there anyway to trace what is actually causing the issue?
For reference the PID 604 noted below is lsasss.exe
The General error is
The following fatal alert was generated: 10. The internal error state is 1203.
The Details are
- System
- Provider
[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}
EventID 36888
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2010-06-18T04:51:41.830028400Z
EventRecordID 10087
Correlation
- Execution
[ ProcessID] 604
[ ThreadID] 3828
Channel System
Computer<ComputernameRemoved>
- Security
[ UserID] S-1-5-18
- EventData
AlertDesc 10
ErrorState 1203
↧
DFSN name resolution issue at logon over wireless
I've already posted this question in the Windows 10 and then Networking forums but have now been directed here.
I'm seeing a peculiar issue where wireless laptops cannot resolve DFSN paths by their NetBIOS domain name early in logon,unless you wait 30 seconds after boot before logging in!
So for example, a user whose home folder is mapped to \\domain\DFSshare\path gets no folder mapped and their Group Policy Preferences drive maps which are done to DFS Shares the same way also fail to appear. The latter gives event log error "failed with error code '0x80070035 The network path was not found.'"
We already have the "wait for network" Group Policy setting and I tried increasing the "Specify startup policy processing wait time" value too to no avail. DHCP hands out the WINS Server addresses and the node-type is Hybrid.
The workaround I have found is to change the drive mappings and home folder paths to\\domain.local\DFSshare\path then everything works! This is why it appears to be a NetBIOS name resolution issue but I don't understand why it is only brief and then only if logon is attempted immediately on boot.
I first saw it on Windows 10 x64 Surface Pro machines but have since seen it on Windows 7 x86 laptops too.
Any ideas what might be going on to explain this? Thanks!
↧
↧
Windows 2008 R2
We have Windows 2008 R2 and when I click on any server directory and choose properties then go to security tab it lists the following groups:
Domain users
Domain administrators
Users
my concern is why listing Domain Users and Users groups can we delete Users group? or these are default groups for Windows server?
↧
Which takes precedence - fine grained policy vs. password never expires
We have a fine grained policy attached to user objects that sets maximum password expiration date. What hapeens when password never expires is also checked for the user? Which takes precedence?
↧
Accounts of trusted domain shown as placeholder instead of UPN and real location in foreign domain
We had a AD domain (testlab.local) running here that has an outgoing trust to our office AD (our-office.net). Everything was fine
until we had to rename the testlab.local to newlab.lan (real names differ :)). After rename, we re-created the trust to the office
AD.
Now when we add some users from our-office.net to groups of newlab.lan, the users are no longer shown as "real name" and
the complete "Active Directory Domain Services Folder" as before.
The users now are just shown with their sAMAccountName and the "Active Directory Domain Services Folder" just displays
the name of the foreign domain. Additionally there is a small red arrow at the user icon (which, IMHO, says that "this object
is just a placeholder for a user or group from a trusted external domain. ....")
Any idea what we did wrong during the rename process?
Thanks a lot!
Christian
P.S.: I tried to attach a screenshot but currently I'm not allowed :)
↧
Server 2008 r2 windows 10 bitlocker
I have used ldifde on article below to extend our 2008 r2 schema for the mstpm-tpmownerinformationforcomputer object and gave the SELF object write permissions.
This all succeeds and after that I installed the BitLocker Recovery Password Viewer for AD.
One windows 10 computer wrote it's key to mstpm-tpmownerinformationforcomputer that I can see in adsiedit but when I go in ADUC to BitLocker Recovery Password Viewer tab I see ' no items in this view '
Can the 2008 r2 BitLocker Recovery Password Viewer not see the mstpm-tpmownerinformationforcomputer attribute and value (and thus only the windows 7 mstpm-tpmownerinformation) ?
↧
↧
Remove Web Application Proxy from ADFS 3.0
We have two Web Application Proxies deployed with ADFS 3.0, however we'd like to remove one. We uninstalled the role from the server, however on the other Web Application Proxy it still shows the uninstalled server under Clustered Servers on the Remote
Management mmc. How can I get this completely removed from ADFS?
↧
Hotfix 2830145 is taking too long to install - More than 72 hours?
I´m trying to install the 2830145 Hotfix, but after more than 6 hours, i´ve cancelled the isntallation.
IN Technet forums, people said that took 48 HOURS to install and MS support told that could take more than 72 HOURS!!!
There is a workaround regarding this problem?
WIn2008R2, authenticating on WIN2012R2
InWin2008R2
>PsGetsid.exe S-1-18-1
Error querying SID:
No mapping between account names and security IDs was done.
>PsGetsid.exe S-1-18-2
Error querying SID:
No mapping between account names and security IDs was done.
InWin2012R2 works fine!
>psGetsid.exe S-1-18-1Account for BRDC1-SRV0109\S-1-18-1:
Well Known Group: \Authentication authority asserted identity
>psGetsid.exe S-1-18-2
Account for BRDC1-SRV0109\S-1-18-2:
Well Known Group: \Service asserted identity
Source:
http://stackoverflow.com/questions/17027781/userprincipals-getauthorizationgroups-an-error-1301-occurred-while-enumerating
↧
Remote powershell management via dual-homed server
I have a domain that is behind a firewall and unreachable from my non-domain joined PC. There is a single server that is joined to the domain and is dual-homed. One NIC is in my PC's network and the other NIC is in the domain. I'd like to manage ActiveDirectory from my non-domain joined PC with powershell. I'd like to have access to the AD commands (Get-ADUser, Set-ADUser, etc...). Is there a way to do this? I have tried working with PSSession commands (https://technet.microsoft.com/en-us/magazine/ff720181.aspx) but am beginning to think I'll need access to ADWS from my PC. The problem is that the domain controllers are not accessible from my PC. Is there some Powershell trickery I can do or maybe get ADWS on the dual-homed machine (without making it a DC)?
TIA!
↧
DFSR SysVol replication goes to status 2 when all DCs are shut down.
I have exactly two DCs (2012 R2) in a test lab, each on a different subnet, separated by a router which passes all traffic. Neither DC has a firewall. I check DFSR SysVol replication by using this command on either of the two DCs:
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
…which is really just a turbo-charged version of this command:
WMIC.exe /NameSpace:\\root\MicrosoftDFS path DFSRReplicatedFolderInfo get ReplicatedFolderName, State
DFSR SysVol on both DCs shows fine (status 4).
I shut both DCs down, wait two days, bring them back up, and SysVol DFSR is broken (awaiting initial synchronization, status 2).
I do an authoritative SysVol restore on one of the DCs (http://support.microsoft.com/kb/2218556) and I get event ID 4602 on it, and 4604 on the non-authoritative DC; so everything is fine (status 4) until I let them sit turned off for two or more days at which time DFSR is back in status 2 and SysVol doesn’t properly replicate.
I’ve set the MaxOffline time to 180 with this command, but to no avail:
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=180
What am I missing?
↧
↧
KTPASS Getting error "Failed to retrieve user info for : 0x5
Hi All,
I am trying to generate keytabs on a 2012 R2 DC using the following comand:
ktpass -out C:\temp\site_kerberos.keytab -mapuser DOMAIN\User -pass PASSWORD -princ HTTP/Site@DOMAIN.COM -crypto RC$-HMAC-NT -ptype KRB5_NT_PRINCIPAL
Output:
Targeting Domain Controller: DC I am running on
Using Legacy password setting method
Successfully mapped HTTP/site to User
Failed to retrieve user info for User: 0x5
Aborted
When I check the account in ADUC it has been modified appropriately and the SPN has been created, but no keytab has been created. I have done a bit of googling and found references to UAC (This has been disabled on this DC) or run as administrator (I am running as administrator). I am an enterprise Admin so I know the rights are fine.
Any ideas what could be causing this?
Thanks in advance.
↧
How to import a certificate into the AD DS personal store in Server Core
I found this article that shows how to do it in MMC but our DC are all configured in Server Core.
Event ID 1220 — LDAP over SSL
Does anyone knows how to import the certificate to NTDS\Personal store without MMC?
Thanks
Neil
↧
IIS, SQL and Kerberos Constrained Delegation
Hello,
I have a IIS website that is using Windows authentication and it needs to pass through those credentials to my SQL 2008 server. I understand this is called Kerberos "double-hop" and have gone through many MS articles regarding how to set it up. Fortunately, I do have it working, however it is Unconstrained and I can't get the Constrained part working. Here is how I've configured it:
DC- Win2012R2
WebSvrA - Win2012R2
SQLSvrA - Win2008R2, SQL2008
SQL service is a named instance and is running as a domain user - Domain\SQLSvcUser
I have created SPNs:
setspn -S MSSQLSvc\SQLSvrA:SQLInstance domain\SQLSvcUser
setspn -S MSSQLSvc\SQLSvrA.domain.local:SQLInstance domain\SQLSvcUser
setspn -S MSSQLSvc\SQLSvrA:5090 domain\SQLSvcUser
setspn -S MSSQLSvc\SQLSvrA.domain.local:5090 domain\SQLSvcUser
In AD, I have given the following delegations:
WebSvrA - Delegate tab; selected SQLSvcUser and added the SPNs
SQLSvcUser - Delegate tab; selected SQLSvcUser and added the SPNs
Running the app, and using NetMon on WebSvrA, I get KDC_ERR_BADOPTION error on the second hop.
Now, in AD, if I were to give SQLSvrA full delegation, and then run this, it works fine. can someone please assist me with this? Any help/advice is appreciated.
Thank you,
Sau
↧