I'm looking for a use DSQuery to export user data from a certain OU of users that do nothave "Smart Card is required for interactive logon" checked.
Can anyone help me out?
↧
Query User data to get users that UserAccountControl "Smart Card Required" is disabled
↧
sysvol and netlogon not sharing between server 2008 and Server 2012
hello;
I have a small domain, which I am moving from 2008R2 to 2012R2
I built 2 new 2012 servers (DC1/DC2) and promoted both to new, moved roles and FSMO to DC1.
the problems come when replicating the sysvol and netlogon to the new server:
c:\repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC2008
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
DSA invocationID: a0a0881f-4440-408d-bea5-bfc4b90f38fc
==== INBOUND NEIGHBORS ======================================
DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 13:13:27 was successful.
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
Last attempt @ 2016-04-11 13:19:46 was successful.
CN=Configuration,DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 13:13:24 was successful.
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
Last attempt @ 2016-04-11 13:13:26 was successful.
CN=Schema,CN=Configuration,DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 13:13:25 was successful.
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
Last attempt @ 2016-04-11 13:13:26 was successful.
DC=DomainDnsZones,DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 13:13:28 was successful.
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
Last attempt @ 2016-04-11 13:13:30 was successful.
DC=ForestDnsZones,DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
Last attempt @ 2016-04-11 13:20:45 was successful.
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 13:20:47 was successful.
C:\dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc2008
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\dc2008
Starting test: Connectivity
......................... dc2008 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\dc2008
Starting test: Advertising
......................... dc2008 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... dc2008 failed test FrsEvent
Starting test: DFSREvent
......................... dc2008 passed test DFSREvent
Starting test: SysVolCheck
......................... dc2008 passed test SysVolCheck
Starting test: KccEvent
......................... dc2008 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... dc2008 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... dc2008 passed test MachineAccount
Starting test: NCSecDesc
......................... dc2008 passed test NCSecDesc
Starting test: NetLogons
......................... dc2008 passed test NetLogons
Starting test: ObjectsReplicated
......................... dc2008 passed test ObjectsReplicated
Starting test: Replications
......................... dc2008 passed test Replications
Starting test: RidManager
......................... dc2008 passed test RidManager
Starting test: Services
......................... dc2008 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x80040020
Time Generated: 04/11/2016 13:12:27
Event String:
The driver detected that the device \Device\Harddisk1\DR1 has its w
ite cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/11/2016 13:12:27
Event String:
The driver detected that the device \Device\Harddisk1\DR1 has its w
ite cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/11/2016 13:12:27
Event String:
The driver detected that the device \Device\Harddisk1\DR1 has its w
ite cache enabled. Data corruption may occur.
An error event occurred. EventID: 0x00000457
Time Generated: 04/11/2016 13:20:10
Event String:
Driver Samsung CLP-310 Series required for printer Samsung CLP-310
eries is unknown. Contact the administrator to install the driver before you lo
in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/11/2016 13:20:11
Event String:
Driver Samsung SCX-4x21 Series required for printer Samsung SCX-4x2
Series is unknown. Contact the administrator to install the driver before you
og in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/11/2016 13:20:12
Event String:
Driver Send To Microsoft OneNote 2010 Driver required for printer S
nd To OneNote 2010 is unknown. Contact the administrator to install the driver
efore you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/11/2016 13:20:18
Event String:
Driver SmarThru Office PC Fax required for printer SmarThru Office
C Fax is unknown. Contact the administrator to install the driver before you lo
in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/11/2016 13:20:19
Event String:
Driver Send to Microsoft OneNote 15 Driver required for printer Sen
To OneNote 2013 is unknown. Contact the administrator to install the driver be
ore you log in again.
......................... dc2008 failed test SystemLog
Starting test: VerifyReferences
......................... dc2008 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : NEI
Starting test: CheckSDRefDom
......................... NEI passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... NEI passed test CrossRefValidation
Running enterprise tests on : NEI.IZONE.ORG
Starting test: LocatorCheck
......................... NEI.IZONE.ORG passed test LocatorCheck
Starting test: Intersite
......................... NEI.IZONE.ORG passed test Intersite
on the 2012DC
C:\Windows\system32>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5ca41b73-5767-4ed2-abab-51a2dd72136d
DSA invocationID: ba1af98d-5521-4986-bd83-c2aaebbcfe0f
==== INBOUND NEIGHBORS ======================================
DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 14:24:33 was successful.
Default-First-Site-Name\2008 via RPC
DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
Last attempt @ 2016-04-11 14:24:37 was successful.
CN=Configuration,DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\dc2008 via RPC
DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
Last attempt @ 2016-04-11 14:03:23 was successful.
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 14:03:41 was successful.
CN=Schema,CN=Configuration,DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 13:58:50 was successful.
Default-First-Site-Name\dc2008 via RPC
DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
Last attempt @ 2016-04-11 13:58:50 was successful.
DC=ForestDnsZones,DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 14:23:57 was successful.
Default-First-Site-Name\dc2008 via RPC
DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
Last attempt @ 2016-04-11 14:24:06 was successful.
DC=DomainDnsZones,DC=NEI,DC=IZONE,DC=ORG
Default-First-Site-Name\DC2 via RPC
DSA object GUID: ac2f28cc-47c4-4ce5-9b8f-690fb8e3a2cc
Last attempt @ 2016-04-11 13:58:51 was successful.
Default-First-Site-Name\dc2008 via RPC
DSA object GUID: 66da8497-fc13-4863-8573-838c4ac7b24c
Last attempt @ 2016-04-11 13:58:51 was successful.
there are no DFS errors or FRS errors in the event log
I have looked and tried many of the suggestions regarding adsiedit and wmi and still no luck..
not sure where to go from here???
↧
↧
Replace password with Finger print
Can we integrate finger print devices with active directory(not saving the password on local workstation)
---matching finger print with password only stored on AD.
↧
Windows 10 + Windows Server 2012 R2 - Work Offilne problem
we have the following issue with the Windows 10 Pro ;
When we work outside of Active directory network, or offline, we can not see our redirected folders like My Documents , and Desktop,
and if we do VPN connection to our head office it is always asks to enter credentials to connect AD, then everything is working fine.
the same account with Windows 7 pro or Windows 8.0/8.1 Pro works like a charm, any suggestions ?
so far what I did is: 1. rejoin to Domain Controller
2. Control panel>Sync Center> Manage Offline Files > Disable and Enable Offline files
3. gpudpate /force and all other options
4. etc.etc
one more think in windows 10 pro : when we navigate to sync folder (state shows online), and then easy access all options there are gray ("Always available offline", "Sync", "Work Offline"), expect "Map as a Driver"
Any suggestions ??? Thanks :)
attached 2 files, maybe that helps , thanks again ..
↧
LDAP ipHostNumber property matching Active Directory DNS records and DHCP leases
Hello everywhere!
I'm trying to export LDAP records of servers. Everything works as expected, except ipHostNumber. This is field is empty. Please tell me, is there a way to map ipHostNumber to DNS records or DHCP leases?
Servers and DCs are Windows 2012 R2
Sincerely, Alexey
↧
↧
Client can not login to Addition Domain controller
Dear All
My system had PDC and ADC . when I shutdown PDC, client can not login to domain with ADC.
error in eventview " Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. "
In machine client I had set primay DNS point to ADC IP address.
Please help me fix this problem.
Thanks so much
↧
Adding Additional Domain Controller
Hello All...........I need to install Additional Domain Controllers in one of the Remote Location. At the Central Site, Infoblox is being used as a DNS. In other words, the DNS is not AD Integrated or rather Microsoft DNS to be more precise. DCs are added in the whitelist to allow dynamic updates to DNS.
1. What would be high level steps to install DCs in remote location?
2. Besides whitelisting DCs for dynamic updates at Infoblox DNS, what else do I need to do to make sure there are no communication issues?
3. How should I verify the health and communication between DCs, once they are up and running?
4. Where should the Primary and Secondary DNS of Remote Locations DCs should be pointing to?
5. Would it be advisable to raise Domain/Forest Functional level all by one to 2012 or step by step i.e. first 2008, 2008 R2 and 2012?
6. What would be the recommendation for FSMO Role distribution. There are generally two-2 DCs available at all sites.
↧
FRS- DFS issue
As per screen shot kindly recommend If i can delete the below one and which would not impact to my running service.
CN=DFSVolumesCNF:1628fd0e-2aab-4f7b-9963-b897d3042ae7
And let me know how could i remove it ( Just right click and delete). Because of this we are getting FRS warning in events.
Kindly help.
ThanksLucky.
↧
Server 2012 has stopped accepting new wksts joining our domain, error 53: the network path not found
Hello,
We have Windows Server 2012 R2 as our DC. Several workstations were added to our domain successfully.
But then (I cannot determine what exactly could be a show-stopper) it stopped accepting new nodes joining the domain.
Nodes are different (OS also different: Win 10 Ent, Win 7 Pro, Debian Wheezy), but the problem is more or less the same: at some point of the procedure a workstation requests something on DC and gets "the network path not found" error 53 (0x35).
I tried dcdiag, dnslint, PortQry for diagnostics. They do not find a problem (I can supply their reports). Switching firewalls and antivirus software off both on server and workstation does not help. The ms-DS-MachineAccountQuota parameter is extended to 255. LDAP is accessible. DNS records were checked many times (though maybe I miss something important there). I also receive the same error 53 if I try to address some shared domain resource from outside, even if I supply valid credentials.
Any idea what happens?
Where to look further?
Below I supply excerpts from netsetup.log - first, of the workstation which successfully joined our domain some time ago. Then, an excerpt from netsetup.log of a node which fails to join it:
1. success:
07/28/2015 14:08:17:791 NetpGetLsaPrimaryDomain: status: 0x0
07/28/2015 14:08:17:791 NetpMachineValidToJoin: status: 0x0
07/28/2015 14:08:17:791 NetpJoinDomain
07/28/2015 14:08:17:791 HostName: Fontanka-win81
07/28/2015 14:08:17:791 NetbiosName: FONTANKA-WIN81
07/28/2015 14:08:17:791 Domain: OUR.DNS.DOMAIN
07/28/2015 14:08:17:791 MachineAccountOU: (NULL)
07/28/2015 14:08:17:791 Account: OUR_NETBIOS_DOMAIN\account
07/28/2015 14:08:17:791 Options: 0x23
07/28/2015 14:08:17:791 NetpLoadParameters: loading registry parameters...
07/28/2015 14:08:17:791 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
07/28/2015 14:08:17:791 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
07/28/2015 14:08:17:791 NetpLoadParameters: status: 0x2
07/28/2015 14:08:17:791 NetpValidateName: checking to see if 'OUR.DNS.DOMAIN' is valid as type 3 name
07/28/2015 14:08:17:791 NetpValidateName: OUR.DNS.DOMAIN' is not a valid NetBIOS domain name: 0x7b
07/28/2015 14:08:18:119 NetpCheckDomainNameIsValid [ Exists ] for 'OUR.DNS.DOMAIN' returned 0x0
07/28/2015 14:08:18:119 NetpValidateName: name 'OUR.DNS.DOMAIN' is valid for type 3
07/28/2015 14:08:18:119 NetpDsGetDcName: trying to find DC in domain 'OUR.DNS.DOMAIN', flags: 0x40001010
07/28/2015 14:08:18:728 NetpDsGetDcName: failed to find a DC having account 'FONTANKA-WIN81$': 0x525, last error is 0x0
07/28/2015 14:08:18:898 NetpLoadParameters: loading registry parameters...
07/28/2015 14:08:18:898 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
07/28/2015 14:08:18:898 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
07/28/2015 14:08:18:898 NetpLoadParameters: status: 0x2
07/28/2015 14:08:19:030 NetpDsGetDcName: status of verifying DNS A record name resolution for 'dc.in.our.domain': 0x0
07/28/2015 14:08:19:030 NetpDsGetDcName: found DC '\\dc.in.our.domain' in the specified domain
07/28/2015 14:08:19:030 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
07/28/2015 14:08:19:030 NetpDisableIDNEncoding: using FQDN our.dns.domain from dcinfo
07/28/2015 14:08:19:033 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'our.dns.domain' succeeded
07/28/2015 14:08:19:034 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
07/28/2015 14:08:24:013 NetpJoinDomainOnDs: status of connecting to dc '\\dc.in.our.domain': 0x0
07/28/2015 14:08:24:013 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: our.dns.domain
07/28/2015 14:08:24:201 NetpProvisionComputerAccount:
07/28/2015 14:08:24:201 lpDomain: OUR.DNS.DOMAIN
07/28/2015 14:08:24:201 lpHostName: Fontanka-win81
07/28/2015 14:08:24:201 lpMachineAccountOU: (NULL)
07/28/2015 14:08:24:201 lpDcName: dc.in.our.domain
07/28/2015 14:08:24:201 lpMachinePassword: (null)
07/28/2015 14:08:24:201 lpAccount: OUR_NETBIOS_DOMAIN\account
07/28/2015 14:08:24:201 lpPassword: (non-null)
07/28/2015 14:08:24:201 dwJoinOptions: 0x23
07/28/2015 14:08:24:201 dwOptions: 0x40000003
07/28/2015 14:08:24:904 NetpLdapBind: Verified minimum encryption strength on dc.in.our.domain: 0x0
..........
2. failure:
04/20/2016 20:44:37:251 NetpDoDomainJoin04/20/2016 20:44:37:251 NetpDoDomainJoin: using current computer names
04/20/2016 20:44:37:251 NetpDoDomainJoin: NetpGetComputerNameEx(NetBios) returned 0x0
04/20/2016 20:44:37:251 NetpDoDomainJoin: NetpGetComputerNameEx(DnsHostName) returned 0x0
04/20/2016 20:44:37:311 NetpMachineValidToJoin: 'ARMIDE'
04/20/2016 20:44:37:350 NetpMachineValidToJoin: status: 0x0
04/20/2016 20:44:37:365 NetpJoinDomain
04/20/2016 20:44:37:365 HostName: ARMIDE
04/20/2016 20:44:37:365 NetbiosName: ARMIDE
04/20/2016 20:44:37:365 Domain: OUR.DNS.DOMAIN
04/20/2016 20:44:37:365 MachineAccountOU: (NULL)
04/20/2016 20:44:37:365 Account: OUR.DNS.DOMAIN\account
04/20/2016 20:44:37:365 Options: 0x23
04/20/2016 20:44:37:432 NetpValidateName: checking to see if 'OUR.DNS.DOMAIN' is valid as type 3 name
04/20/2016 20:44:37:432 NetpValidateName: 'OUR.DNS.DOMAIN' is not a valid NetBIOS domain name: 0x7b
04/20/2016 20:44:37:713 NetpCheckDomainNameIsValid [ Exists ] for 'OUR.DNS.DOMAIN' returned 0x0
04/20/2016 20:44:37:713 NetpValidateName: name 'OUR.DNS.DOMAIN' is valid for type 3
04/20/2016 20:44:37:713 NetpDsGetDcName: trying to find DC in domain 'OUR.DNS.DOMAIN', flags: 0x40001010
04/20/2016 20:44:38:313 NetpDsGetDcName: failed to find a DC having account 'ARMIDE$': 0x525, last error is 0x0
04/20/2016 20:44:38:475 NetpDsGetDcName: status of verifying DNS A record name resolution for 'dc.in.our.domain': 0x0
04/20/2016 20:44:38:475 NetpDsGetDcName: found DC '\\dc.in.our.domain' in the specified domain
04/20/2016 20:44:38:475 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
04/20/2016 20:44:38:475 NetpDisableIDNEncoding: using FQDN our.dns.domain from dcinfo
04/20/2016 20:44:38:546 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'our.dns.domain' succeeded
04/20/2016 20:44:38:546 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
04/20/2016 20:45:43:580 NetUseAdd to \\dc.in.our.domain\IPC$ returned 53
04/20/2016 20:45:43:580 NetpJoinDomainOnDs: status of connecting to dc '\\dc.in.our.domain': 0x35
04/20/2016 20:45:43:580 NetpJoinDomainOnDs: Function exits with status of: 0x35
04/20/2016 20:45:43:582 NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'our.dns.domain' returned 0x0
04/20/2016 20:45:43:587 NetpJoinDomainOnDs: NetpResetIDNEncoding on 'our.dns.domain': 0x0
04/20/2016 20:45:43:587 NetpDoDomainJoin: status: 0x35
↧
↧
Forest Trust and PDC
Hi Experts
We have two forests (Abc.com and 123.com). users from ABC.com and access the resources in 123.com. Two DCs in each forest.
We are having Forest trust between these two AD forests. Just wanted to know what will happen if PDC in 123.com goes down in terms of forest trusts. Do you think users from abc.com can still access to resources in 123.com if PDC in 123.com goes down?
Regards Suman B. Singh
↧
NFS - how do you implemant user mapping?
Windows 2008 R2 sp1
the NFS client is a Windows Server 2008 R2. the NFS server is a SAN storage that supports NFS and we have enabled the NFS service and shared a folder. when i map a drive to the NFS share, it would map alright but i get a big red X on the mapped drive. i can copy, created on the mapped NFS share too.
however, i keep getting event error id 16397 initially and now getting 16398 and 16399.
Windows(R) Lightweight Directory Access Protocol (LDAP) failed a request to connect to Active Directory Domain Services(R) for Windows user <ACME\bunny>. Without the corresponding UNIX identity of the Windows user, the user cannot access Network File System (NFS) shared resources. Verify that the Windows user is in Active Directory Domain Services and has access permissions.
if i understood correctly, i should create a one-to-one user mapping between Windows and the NFS server. how does one go about doing that?
↧
Test AD Environment
Hi Team,
We have one forest with 2 child domains. lets say for example Forest Domain "Test.net" and Child domains "Child1.test.net" and "Child2.test.net". All the Mail related Objects(Users and Servers) as in Child1.test.net domain. Mail system is O365. We need a test AD to test the mail scenarios, other applications testing and etc. Is there any possibility to create a Test domain out of the existing forest but with complete data in Child1.test.net domain. or is it recommended only to create a test domain start using it on requirement basis. Please suggest me on this
Thanks in Advance
//Bala R
↧
Problem while configuring CAS to use SPNEGO authentication
Hello,
We are configuring CAS to use SPNEGO Authentication. For this, we have created SPN accounts, Keytabs , AD principal etc. and are successful to achieve SPNEGO authentication on standalone servers. but When Load balancer comes in picture, SPNEGO authentication does not work.
I get an error :
2016-04-26 07:10:47,779 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
To troubleshoot this on loadbalancer, we enable persistemce cookie parmeter as true on LB but application stopped working.
Please guide If anybody has an idea Why Spnego is not working in case of F5 load balancer.
Thanks.
↧
↧
LDAP Access of AD DS to Applications
Hello All.........Several applications use AD DS as LDAP Provider, I have following questions regarding them:
1. Do we need any special configuration/account to connect an application to ADDS using LDAP?
2. Can applications make both LDAP and Secure LDAP Connection by default or some account, configuration or certificate is required?
3. For Secure LDAP (SSL), do we need any special configuration with respect to certificates? That is certificate to be trusted by both AD DS and Application involving a CA?
4. When making a Secure LDAP connection, several applications show certificate expiry date as well. What certificate is that? Is it a self-signed certificate? How is it renewed? Does it do it by itself? If not, how one renews it, as default cert is only 1 year long?
5. What type of SSL and TLS connections are supported by Secure LDAP? SSL 1, 2 OR 3/TSL 1.0, 1.1 OR 1.3? OR all are supported? What is recommended connection method to use for apps? If all are supported, does not it make system vulnerable? Is it possible to turn off some of them so only specific method is supported?
Thanks in advance.
↧
Raising Functional Level
Hello All...........Some questions regarding functional levels:
1. Is it possible to raise functional levels(F and D) of an AD environment to 2012 R2 even if there are 2008/2008 R2 DCs present?
2. Is it a limitation to first decommission 2008/2008 R2 DCs before raising functional level?
3. OR after FSMO Role transfer, one can easily raise functional levels?
4. AND later just remove the ADDS from legacy DCs?
↧
How can you tell if the AdminSDHolder processes have run?
I have been having issues with changes to the Builtin\Administrators group not staying. The changes seem to not be happening every hour which seems to be when the two processes that utilize the AdminSDHolder are run, they are happening randomly about once or twice a day but not at the same time. In order to test I have used the FixUpInheritance and the runProtectAdminGroupsTask through LDP.exe and get the following output:
***Call Modify...
ldap_modify_s(ld, '(null)',[1] attrs);
Modified "".
I'm unsure if this is what I should expect for it successfully starting or if there should be something else. If this is correct I am even more confused because it means the process is being run and that isn't what is resetting the group because half an hour after running the commands the changes I am trying to make in Builtin\Administrators is still there. If it isn't working I would love to know how to be sure it is working when I manually force it to run.
Also I know that changing stuff in these groups is something that be avoided, unfortunately a previous admin did something dumb to it and I am trying to fix the issue without causing outages and such to the environment.
↧
AD Backup needed to ensure successfull restore in case of forest disaster recovery
Regarding AD 2012 R2 Backup, in case of a forest disaster recovery, what type of backup should we take for successful recovery based on Microsoft Best Practice? Note that we have AD servers as virtual machines running in head quarter and in remote sites in VMWare VBlock and have also one physical server in one of the remote sites.
The backup solution we are using is EMC Avamar.
↧
↧
Removing orphaned AD Domains from Windows Network Browser
Hi, I am trying to get rid of two AD domains (ADDOM and ADDOM2) that are slowing down my Window Network browsing, i.e. NET VIEW, EXPLORER, the WinNet API, etc. I tried to get the downed ADDOM machine to be replace with the new PC and with the same ADDOM domain and machine name, but the wizard ended up creating a 2nd ADDOM2 because the wizard still believed the 1st one ADDOM was still on the network. That got all hairy so I followed steps to demote the new ADDOM2. Now the two domains are still present in the network when any network browser is done.
I would love to just wipe them both out. Where is this data located on the network? My DNS server has no records of either.
Thanks
Hector Santos, CTO Santronics Software, Inc. http://www.santronics.com
↧
Replication problem with DC - one way
Hi All,
I have 2 sites, with 2 DC each. Due to some problems, the servers on site 2 could not replicate with site 1 for a long time. To fix the problem, I demoted the DC on site 2 and promoted again.
Before promoting, I did a metadata cleanup.
Let DC1, DC2 be the DCs in site 1, and DC3,DC4 the DCs in site 2.
Now, DC1 can replicate to DC2, and DC2 can replicate to DC1 (same-site)
Also DC3 can replicate to DC4, and DC4 to DC3 (still same site)
The inter-site replication is the problematic part. The strange thing is that DCs from site 1 can replicate to DCs in site 2, but DCs from site 2 can replicate to DCs from site 1. Before these problem arose, there were no replication issues, so it should not be a network-related problem as network settings have not been changed.
The error I get when i try to replicate in AD sites and services is: "the name context is in the process of being removed or is not replicated from the specified server".
In the event log of DCs of site 1, I get an event 1925 that states an 1722 RPC not available error message. I relised that in the servers in site 1 nearly all DNS SRV entries for the servers in site 2 are missing. I tried restarting netlogon service, but the SRV records for the servers in site 2 are still not present
↧
Migrating Win XP computers failes (Using ADMT)
We are performing an inter-forest migration. Traget domain has Server 2012 DCs.
While migrating windows xp computers using ADMT following error shown in pre-check and agent.... log.
ERR3:7075 Failed to change domain affiliation, hr=80070040 The specified network name is no longer available.
This problem occurs only for XP clients. Win Firewall is already turned off in XP clients.
Please help to resolve this issue
↧