Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

Domain Group Policy not applying on another PC for the same user account


Hi,

I've set up a group policy for each of our departments.

Users are in the right OU, and the policy is linked to the container; it is a very simple drive mapping.

The policy works fine for user1, user2, user3 ... on PC1

However the same policy does not work on PC2 for any of the above users.

gpresult /R shows that the client PC sees the users as being in the right domain/OUs

gpupdate /force shows successful on PC2, but it doesn't ask to log off as it does on PC1

The mapped drive does not apply on PC2.

rsop on PC2 with any of the clients shows access denied

The group policy results on the server side pointed at PC2 show: RPC server is unavailable

It also says to check whether Windows Management Instrumentation is enabled <- not sure on that one where it is in the system.

If you could throw more light on this situation I would be very grateful.

With regards, Peter



ADFS 2.0 ADFS/LS error EventID 364


Hi

I am trying to get ADFS working in my environment to work with our external Intranet provider.

Setup:

DMZ Server - Proxy Role installed
Internal Server - ADFS 2.0 Installed

external A Record: sts.domainname.com

when I go to sts.domainname.com/adfs/ls I get this error:



in the event viewer on the ADFS server I get an error:

EventID: 364

Encountered error during federation passive request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.
   at Microsoft.IdentityServer.Web.Dispatchers.UnknownRequestDispatcher.DispatchInternal(PassiveContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequestInternal(PassiveContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequest(HttpContext context)


If you require further information then please ask

Any help would be appreciated
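MSIS7000 is raised when a browser reaches the passive endpoint /adfs/ls without any sign-in protocol parameters, which is exactly what a bare GET of sts.domainname.com/adfs/ls does. The classifier below is an added example, not AD FS code from Microsoft or from the original post; it mirrors the dispatcher's high-level decision (WS-Federation `wa` action, SAML `SAMLRequest`/`SAMLResponse`, or neither) and builds a compliant WS-Federation sign-in URL for the hostname from the post. The relying-party realm and `wctx` value are constructed placeholders.

```python
"""Classify requests to the AD FS passive endpoint the way the dispatcher does
at a high level.  A compliant request carries either WS-Federation parameters
(wa=wsignin1.0 plus wtrealm, or a sign-out action) or a SAML 2.0 WebSSO message
(SAMLRequest / SAMLResponse).  Anything else is what AD FS reports as MSIS7000.

Added example for this thread; not Microsoft's code.  The host
sts.domainname.com comes from the post; realm and wctx are constructed.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# WS-Federation passive actions AD FS understands on /adfs/ls
WSFED_ACTIONS = {"wsignin1.0", "wsignout1.0", "wsignoutcleanup1.0"}


def classify_passive_request(url: str) -> str:
    """Return 'wsfed', 'saml', 'wsfed-missing-wtrealm', 'noncompliant' or
    'not-passive-endpoint' for the given request URL."""
    parts = urlsplit(url)
    if not parts.path.lower().rstrip("/").endswith("/adfs/ls"):
        return "not-passive-endpoint"
    query = parse_qs(parts.query)
    wa = query.get("wa", [""])[0]
    if wa in WSFED_ACTIONS:
        # wtrealm (or wreply) is how AD FS picks the relying-party trust;
        # a sign-in without it cannot be routed to any RP.
        if wa == "wsignin1.0" and "wtrealm" not in query and "wreply" not in query:
            return "wsfed-missing-wtrealm"
        return "wsfed"
    if "SAMLRequest" in query or "SAMLResponse" in query:
        return "saml"
    # No recognised protocol parameters at all: this is the MSIS7000 case,
    # typically a user (or scanner) opening /adfs/ls directly in a browser.
    return "noncompliant"


def build_wsfed_signin_url(sts_host: str, realm: str, ctx: str = "") -> str:
    """Build the WS-Federation sign-in redirect a relying party would issue."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if ctx:
        params["wctx"] = ctx  # opaque RP state echoed back after sign-in
    return f"https://{sts_host}/adfs/ls/?{urlencode(params)}"


if __name__ == "__main__":
    bare = "https://sts.domainname.com/adfs/ls"
    good = build_wsfed_signin_url("sts.domainname.com", "https://intranet.example.test/", "rm=0")
    print(bare, "->", classify_passive_request(bare))
    print(good, "->", classify_passive_request(good))
```

In practice the relying party (the intranet provider here) must redirect users to the STS with these parameters; testing the endpoint by typing its URL into a browser will always log MSIS7000.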



ADFS 2 Sync errors from Primary to Secondary server


Hello, I hope someone can help.

We have 1 Primary ADFS server and 1 Secondary ADFS server (also 2 proxies) in our live environment . The secondary server has stopped syncing to the primary for over a month. 

I have also created a 3rd secondary ADFS server I wanted to use for testing and I get this error message (trying to do a sync) when I run through the ADFS 2 Wizard.  

There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional data

Exception details:

System.ServiceModel.FaultException`1[Microsoft.IdentityServer.Protocols.PolicyStore.StoreConstraintFault]: ADMIN0066: ConstraintFault (Fault Detail is equal to Microsoft.IdentityServer.Protocols.PolicyStore.StoreConstraintFault).

User Action

Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.

DNS is correct, the service account is correct and has read permissions on the certificate, the server has Rollup3 installed, time is correct and network settings. It's also not a firewall or basic network communications issues either.

I did update our Token Signing and Decrypting certificates recently which might be causing this issue but if it is I'm not sure why as all our RP Trusts are working fine.

Any help would be appreciated.

Many Thanks

Block Event viewer Access to users


Hi Guys,

I have to block some users so that they cannot read the event viewer on a set of servers. I want to do this through GPO.

Please suggest how I can achieve this.

Regards,

Triyambak


Password Policy


Hi All,

I'm new to this forum. It would be great if any one of you could help me resolve an issue with a password policy, as I'm a bit confused about it.

Issue: we have not enabled the 'Password never expires' option in the account properties of the user account, but I'm getting the result below after executing the 'net user <account> /domain' command.

Password last set            7/13/2016 9:47:24 AM
Password expires             Never
Password changeable          7/13/2016 9:47:24 AM

Thanks in Advance.


Message size error and how to increase the quota for binding elements.


In a given AD domain, we have a deployment of AD FS. It is configured to handle SSO authentication and authorization requests via SAML. Take into account that we have a large number of federations, both as RPTs and as CPTs.

By looking at the Event Viewer on the machine where the service is running, we found some error reports with the following message:

=========================================================

Encountered error during federation passive request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.CommunicationException: The maximum message size quota for incoming messages (20971520) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. ---> System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (20971520) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Channels.ClientDuplexConnectionReader.DecodeMessage(Byte[] buffer, Int32& offset, Int32& size, Boolean& isAtEOF, TimeSpan timeout)
   at System.ServiceModel.Channels.SessionConnectionReader.DecodeMessage(TimeSpan timeout)
   at System.ServiceModel.Channels.SessionConnectionReader.Receive(TimeSpan timeout)
   at System.ServiceModel.Channels.SynchronizedMessageSource.Receive(TimeSpan timeout)
   at System.ServiceModel.Channels.TransportDuplexSessionChannel.Receive(TimeSpan timeout)
   at System.ServiceModel.Channels.TransportDuplexSessionChannel.TryReceive(TimeSpan timeout, Message& message)
   at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetAuthorities(Filter filter)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.FetchFederationPassiveIdentityProviders(ServiceSettingsData settingsData, String realm)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetFederationPassiveIdentityProviders(String realm)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveIdentityProviders()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveIdentityProviders()
   at Microsoft.IdentityServer.Web.Dispatchers.ClaimsProviderUserInterfaceDispatcher.CanDispatch(SignInContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequestInternal(PassiveContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequest(HttpContext context)

System.ServiceModel.CommunicationException: The maximum message size quota for incoming messages (20971520) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. ---> System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (20971520) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Channels.ClientDuplexConnectionReader.DecodeMessage(Byte[] buffer, Int32& offset, Int32& size, Boolean& isAtEOF, TimeSpan timeout)
   at System.ServiceModel.Channels.SessionConnectionReader.DecodeMessage(TimeSpan timeout)
   at System.ServiceModel.Channels.SessionConnectionReader.Receive(TimeSpan timeout)
   at System.ServiceModel.Channels.SynchronizedMessageSource.Receive(TimeSpan timeout)
   at System.ServiceModel.Channels.TransportDuplexSessionChannel.Receive(TimeSpan timeout)
   at System.ServiceModel.Channels.TransportDuplexSessionChannel.TryReceive(TimeSpan timeout, Message& message)
   at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetAuthorities(Filter filter)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.FetchFederationPassiveIdentityProviders(ServiceSettingsData settingsData, String realm)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetFederationPassiveIdentityProviders(String realm)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveIdentityProviders()

System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (20971520) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.

=========================================================

Googling, I found this other case with the same problem: https://social.msdn.microsoft.com/Forums/silverlight/en-US/5cd76441-6452-4114-98e3-5be7b3074404/the-maximum-message-size-quota-for-incoming-messages-65536-has-been-exceeded-to-increase-the?forum=silverlightdevtools

Unfortunately, I didn't find any configuration file containing info about bindings for web requests.

Do you have any clue about that? Where can I find these settings and fix the problem?

Cheers, V.

ADMT Excluded Objects


Hi,

I'm using ADMT 3.2 to migrate my groups, but I have a box called "Excluded Objects". How can I copy it to a file or edit this box? I don't find any log.

Thanks

Jeff


Event ID: 13575; File Replication Service (NtFrs)


Dear All

I have the following error, event ID 13575.

This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.

Network Structure:

One server, Windows Server 2012 R2 Standard, has the DC, AD, DNS, DHCP and File and Storage Services roles (not the file server).

This error appears after a dirty shutdown.

The SYSVOL is shared by net share.

How do I fix it?



ADFS Claim to return all the ou names for specific user


I want to return all the OU names for a specific user in the SAML login flow in ADFS. Is there a way to write a claim rule to return them?

AD Migration using ADMT 3.2 & Dell Quest


Hi,

I was planning to use ADMT and Dell Quest as migration tools, as ADMT 3.1 is not available and ADMT 3.2 does not support Server 2000.

The cost of Dell Quest is very high, so a balance of both will let me migrate within the cost limits.

The client will be upgrading Server 2000 after migration on a project-by-project basis. I did not find any workaround using both tools, nor any suggestion for the migration.

Regards,

Sntsh.

Not sufficient permission for an Enterprise Admin


Hi,

I'm doing Microsoft lab and I've got an issue as below.

I've got this error message when I try to go into 'Properties' of a network connection for IP configuration.

'You do not have sufficient privileges for configuring connection properties. Contact your administrator'

And the user account was the 'administrator', which is a member of 'Enterprise Admins' in the parent domain.

My network infrastructure is simple: I created a forest, then generated parent and child domains. The parent domain has 4 servers and the child domain has 3 servers.

Both sides are operating a single DC each.

There is NO problem when I log in to the child domain's DC server, so I can modify/install anything, and the parent domain-joined servers are working well with the Enterprise Admin account.

But the rest of the child domain-joined servers (EDGE & APP) did not treat me as an administrator. It seemed like a normal domain user.

All servers are Windows 2012 R2 and I've never touched any GPO policies. It's default.

Please help me to find this solution. :)

Thank you very much

Event errors 1655 and 1126 - unable to establish a connection with the global catalog on 2008 DC

Hi

We have just one AD domain which contains two domain controllers (2008 + 2012 R2) and two member servers along with 35 clients. Domain and forest functional level is set to 2008.

Both DC's host Active Directory integrated DNS. The 2008 DC also hosts DHCP, the DFS service and all FSMO roles.

For several weeks I have seen 1655 + 1126 event pairs being logged once an hour on the 2008 DC (Phobos), complaining the Global Catalog (GC) cannot be contacted. The events comprise:

-----------------------------------------------------------------------------------------------------------------------------
1655:
Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
 
Global catalog:
\\Phobos.htlincs.local
 
The operation in progress might be unable to continue. Active Directory Domain Services will use the domain controller locator to try to find an available global catalog server.
 
Additional Data
Error value:
1722 The RPC server is unavailable.

-----------------------------------------------------------------------------------------------------------------------------

1726:
Active Directory Domain Services was unable to establish a connection with the global catalog.
 
Additional Data
Error value:
8430 The directory service encountered an internal failure.
Internal ID:
3200ce6
 
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

-----------------------------------------------------------------------------------------------------------------------------


The events are not being logged by the other DC.

I have used LDP and nltest as described in this MS article. Both utilities show the GC is available when connecting to Phobos from Phobos.

I have run DCDiag and the only failure is for NcSecDesc which according to this MS article can be safely ignored (we don't use a RODC).

Everything seems fine. Staff can log on, access resources etc.

A Google search shows that this can sometimes be caused by DNS issues, but DNS seems to be OK. The 2008 server is configured to use 127.0.0.1 first followed by the IP address of the second DNS server in the DNS server set up for IPv4.

Does anyone have any ideas what may be causing this, please?

Thanks.

Linux machine join in domain


Dear all, can anyone help me join a Linux machine to a Windows domain? I need help. I searched on Google, and all the documents are not clear at all.

frequent account lock in domain controller

frequent account lock in domain controller

This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing! http://sesaitech.blogspot.in/

Database capacity planning for ADMT 3.2


Hi,

I was planning an AD cross-forest migration from 2003 to 2008. There are more than 30,000 objects. What will the database size requirement be? As SQL 2008 Express has a limitation of 4 GB, will this be sufficient, or shall I consider a higher version?

I tried to find the answer but could not find it.

Regards,

Sntsh.


Configuring Kerberos Authentication for certsrv web application


I'm trying to configure Kerberos authentication for use with the certsrv web application on Windows Server 2012R2. I've set the providers to be Negotiate:Kerberos in the Authentication settings in IIS for certsrv yet every time I try to login using Kerberos I get an Invalid Username/Password error. This does not happen when I login using NTLM. 

Any guidance?

shared folder redirection between 2 servers


I have an existing network where the DC is running on 2003 R2 (SERVER1), which hosts the DNS, DHCP and AD services. I also have a DC running on 2008 R2 (SERVER2) providing the DNS role to clients. The idea is to get rid of the 2003 server and put in a new 2012 DC. This 2003 DC has been in place for a long time, and the earlier admin, in charge of running the company for 20 years, decided to hardcode all custom in-house programs to the 2003 DC's shared folders (all programs refer to the DC NetBIOS server name SERVER1). The programmers have all since retired and we have decided to hire more people to be able to modify these programs. I sense the 2003 DC is running on its last legs and needs a replacement ASAP. But I want all the programs (shared folders) transferred to the new 2012 R2 server (SERVER3) in working condition (since these programs refer to the NetBIOS name SERVER1).

1. With the current setup, introduce Server 2012 as a member server. Call it Server 3.

2. Promote Server 2012 to a DC. Transfer all roles from 2003 to 2012.

3. Copy the shared folder that all the programs are referencing onto Server 3.

4. Create a CNAME record in Server 2012 and point it to Server 2012, so all requests to Server 1 are now redirected to Server 3.

5. Demote Server 2003 from the domain.

6. Decommission Server 1 from the company.

I am thinking of something using a CNAME, multiple A records or DNS forwarders, whichever works. Is there a suggested way to handle this issue?


SHA2 certificate Issuing Capability - 2008 CA


We have a Windows 2008 R2 Enterprise root CA and two sub CAs in our domain. We configured automatic machine certificate enrollment for client machines and found that the client certificate uses the SHA1 algorithm, even though I configured SHA2 in the certificate auto-enroll template.

1. Why are client certificates SHA1, even though I selected the SHA2 option in the certificate template?

2. Is this due to a limitation in the CA infrastructure?

3. How can I check whether my CAs have the capability to issue SHA2 certificates?

Heterogeneous environment NTP


Dear all,

My understanding of NTP within a multi-domain Windows forest is as follows:

Workstations use their authenticating Domain Controller
DCs sync with the server holding the PDC Emulator FSMO role
In a multi-domain forest, the PDC Emulator in each child domain synchronises with a DC or the PDC in the forest root domain

To ensure the time remains reliable across the forest, only the PDC Emulator in the forest root domain should ever sync with an external time source. This leads to only one source of time being used across the forest.

However, my query is about a heterogeneous environment where there are Unix servers, some of which use Samba to authenticate with AD. What are the best practices in this type of setup?

 

Add or joining computer to a domain programatically


Hi all,

I'm working with Windows Server (2003, 2008, 2012) and with Active Directory. I have a domain in Active Directory and approximately 100 client machines on this domain.
I want to make a program to add or join computers to the domain programmatically. I'm working in C++/VC++ using MFC in the Visual Studio environment.

Is there any API available from Microsoft for this? I'm not able to do this.

Does anyone have example code or other information for this? I'm looking for an API method to work on this.

Please help me regarding this.

Regards, cric

Thanks to all.