Channel: Directory Services forum

I want to set up group-wise access restrictions in ADFS


I want to block external access to ActiveSync, Outlook client, OWA, SharePoint, OneDrive for Business, Skype for Business client, Sway, Delve, except for members of one defined group. Please help me create a claim rule.

Please find our conditions below:

1. External access to ActiveSync will be blocked except for members of one specific group.

2. External access to the Outlook client will be blocked except for members of one specific group.

3. External access to OWA will be blocked except for members of one specific group.

4. External access to SharePoint will be blocked except for members of one specific group.

5. External access to OneDrive for Business will be blocked except for members of one specific group.

6. External access to the Lync client will be blocked except for members of one specific group.

7. External access to Sway, Delve, etc. will be blocked except for members of one specific group.


I want to block external access to ActiveSync, Outlook client, OWA, SharePoint, OneDrive for Business, Skype for Business client, Sway, Delve, except for members of one defined group. Please help me create a claim rule


I want to block external access to ActiveSync, Outlook client, OWA, SharePoint, OneDrive for Business, Skype for Business client, Sway, Delve, except for members of one defined group. Please help me create a claim rule.

Can I create an ADFS claim rule for the internal network also?

Group A members are only allowed external access to the Outlook client.

Group B members are only allowed external access to the Outlook client and mobile.

Group C members are only allowed external access to Skype for Business on mobile.

Group D: SharePoint is blocked for all external access.

I want to achieve this with claim rules. Please help me.


ADFS and Office 365

LDAPS not working with IP Address


We just brought up a new domain controller that is running Server 2012 R2. I am having a bit of trouble with LDAPS though. If I use the LDP utility to connect to the server using its FQDN, everything works. If I try to use the IP address, the connection fails with an Error 0x51. When I set up LDAPS on the old 2008 R2 server I was able to connect by IP address. Did something change in 2012? Or maybe I messed up something when creating the certificate?

Thanks.

RODC password sync issue


Hi

I have one user who tries to log in on servers using different credentials, but we have one RODC on that site where user credentials get validated.

I checked the RODC properties group but I could not see his username and password on the RODC.

ADFS redirect to login after logging out


Hi:

Is there a way to have the ADFS login page be presented after signing out or logging out of our application?

Thanks,
Stangride

"Connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise"


Hi

Running Windows 2003 DCs and I am seeing the following errors in the Event log:

"During the past 4.25 hours there have been 185 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise"

I checked out the corresponding logs, which showed clients connecting with "NO_CLIENT_SITE:", which infers they're in a subnet which has not been defined in AD Sites and Services.

Is this something to worry about? Am I correct in thinking that they would connect to the nearest site anyway?

Restore AD security group


Hi Experts

I want to be clear on my concern below...

I want to restore one security group with the help of Quest Recovery Manager server.

The group is older than the TSL, around 6 months back.

What will happen if I restore that old group using Quest Recovery Manager?

Will this group become a lingering object even if I restore the group as an authoritative restore?


Unable to login on ADC


Hi, we are able to log in to the PDC through RDP as administrator but unable to log in to the Additional Domain Controller, which is in a remote location. Please check the screenshot below taken from the ADC.

Please guide asap.

Domain Controller trust issue


Hey there,

I am trying to assist a coworker with this issue. On one of the domain controllers, we can't even log in (trust issue). We are able to get the event log from the functional DC (see below). We suspect we might have had a network problem at some point which caused this issue. Any suggestions on correcting this issue?

Thanks,

TT

--------------------------------------------------------------------------------------------------

This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
 
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

HELP - Managed Service Accounts with Kerberos Constrained Delegation


I cannot find any definitive guide on configuring a Managed Service Account for KCD. Is it even possible? In articles I have read online, several conflicting values for the userAccountControl were referenced, along with adding SPNs to the msDS-AllowedToDelegateTo attribute.

Once I have created an SPN for the MSA, adjusted the userAccountControl value, and populated the msDS-AllowedToDelegateTo attribute with the proper SPNs, I configure an AppPool to run as this account. The AppPool will die as soon as site access is attempted. If I open the site settings and test the connection to the site path and AppPool, it logs an "invalid username or password" entry.

I verified the MSA creation/installation (password/credential) is OK by configuring a service to utilize the account on the system where it is installed. The service runs fine, starts and stops fine, no failures.

In summary:

Are MSAs supported in a KCD configuration? (Yes or No)

How EXACTLY do I configure the MSA? (userAccountControl value, msDS-AllowedToDelegateTo, etc.)

I've already checked out the most common articles from "the Google" search...

Thanks in advance - mark


ADDC Error


Hi there, I have a server set up using Windows 2008.

it has a static IP of 192.168.1.2

I have 2 other machines that are connected to it successfully ((Windows 7 Ultimate) 192.168.1.3, 192.168.1.4)

I also have a Windows 8.1 Enterprise machine that is not connecting AT ALL.

I can ping www.megabytetc.tk (my domain that the rest of the network is currently connected to).

I have been playing around with the settings for 2 days now and so far I'm about to destroy the PC.

please help me before it comes to that.

TIA

SHA1 to SHA2 migration

Tell me the steps for migrating the SHA1 to SHA2 certificate; this is an internal certificate authority.

SHA1 was already published through GPO. The SHA1 to SHA2 migration is going to happen on the same server; there is no server migration involved here.

Post-migration, how do I publish the SHA2 certificate through GPO?

Please assist.



Environment details

1.) ADS 2008 R2
2.) Certificate Authority version 2008 R2; it is an Enterprise root CA
3.) Clients Windows 7

Authenticating to domain file shares with a smart card on a workgroup computer

I work in an organization that has a mix of domain and workgroup computers. We used to be able to open domain file shares on the workgroup computers by using our domain usernames and passwords to authenticate to the shares; however, recently our IT department has forced smart card logons and now we can't get the file shares to open on the workgroup computers. I try to map a network drive using the "Connect using different credentials" option on a workgroup computer and I choose my smart card as the credential to use, but I always get the "An extended error has occurred" error. I have been searching for a resolution for 3 days with no luck. We can't put the workgroup computers on the domain because the GPO enforced when adding a machine to the domain will break these special application systems. I have tried to disable secure negotiation but I still get the error. Is there any way I can get these workgroup computers to authenticate to these domain file shares using my smart card?

SSL Cert renewal for AD LDS instance.


Hi Friends,

We are planning to renew the SSL certificate for our AD LDS instance, which is configured with "Userproxyfull", and applications point to this AD LDS instance for user authentication through proxy binding. Currently we are in the process of identifying the applications which point to this AD LDS instance.

We configured the Field Engineering logs and are able to see event 1644. Is this enough? Please let us know if there is any way we can follow to figure this out.

Our setup is also similar to the article below:

http://clintboessen.blogspot.in/2011/04/userproxy-class-and-adam-lds.html

Ravi Ch


Configuring Forest Trust in non-fully routed network -- Best practice?


We are ramping up to nailing up a Forest trust between two merging organizations. The two network environments are connected between their core data centers via point-to-point VPN tunnels. The two networks are not fully meshed.

We have established DNS forwarders for the respective zones. Our first attempt at standing up the trust failed on one side with complaint “new trust wizard cannot continue because specified domain cannot contacted.”

When we execute NSLookup against the target domain, the IP addresses for the entire list of DCs from the remote domain are returned, most of which are not reachable, so we believe some validation or configuration is being attempted against one of the IP addresses, causing the failure.

Our preference is for any trust traffic to flow between pre-specified domain controllers rather than *any* domain controller in the target domain. The question is really: how can we control/specify the domain controllers for this type of configuration? I've been looking for white papers/best practice for this kind of configuration with no luck so far.

Any guidance?
 

Allow Normal User to Login to Domain Controller


Hi All,

Is there a way to allow a user to log in to a domain controller without making the user a domain admin?

Thank you

Sujit

Active Directory Domain and Trust Relationship


Hi Team,

I have created 2 forests called abc.com and xyz.com in my lab setup.

abc.com is able to ping xyz.com (both IP and hostname) successfully.

xyz.com is able to ping only the IP address of abc.com and not the hostname. When I ping the hostname I get "PING REQUEST COULD NOT FIND HOST DC1. PLEASE CHECK THE NAME AND TRY AGAIN."

Can someone please help me fix this issue? I am not able to find what is causing it.

Thanks,

Sivakumar Thayumanavan

FRS to DFSR Migration and Riverbed RODCs


As I understand it, Riverbed RODCs are only there to grab session keys from AD in order to optimize SMB traffic. Please correct me if I'm wrong.

I'm in the middle of trying to migrate from FRS to DFSR for SYSVOL, but when moving from the Start to Prepared state, DFSRMig complains that the Riverbed RODCs aren't following.

C:\Users\adminaccountname>dfsrmig /getmigrationstate

The following Domain Controllers are not in sync with Global state ('Prepared'):

Domain Controller (Local Migration State) - DC Type
===================================================
xxx1a-xxx-xx05 ('Start') - Read-Only DC
xxx1a-xxx-xx03 ('Start') - Read-Only DC
xxx1a-xxx-xx04 ('Start') - Read-Only DC


Pretty sure this is entirely out of my control and there might be a mode of operation on the Riverbed side that needs to be raised along with the functional level of the forest and domain, but I'm getting nothing from the Riverbed documentation that I can get my hands on. I'm waiting to hear from our networking team.

In the meantime, has anyone had any experience with this?

Certificate server with the options below

Hi all, I installed the certificate server with the options below, so kindly let me know if anything needs to be configured after that.

Certification Authority
Certification Authority Web Enrollment
Enterprise CA--Root CA
