Channel: Directory Services forum
Viewing all 31638 articles

Fetching users and groups from an existing active directory

Hi,

I want to fetch users and groups from an existing Active Directory in my web application. Can somebody please guide me on how I can do that? And what if I have my Active Directory set up using the AWS Active Directory service?

Thanks
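
Added example (editor's, not code from the post above): enumerating users and groups over LDAP with System.DirectoryServices, which is what a web application's LDAP library does under the hood. The server name, base DN and bind account are assumed placeholders. AWS Directory Service for Microsoft AD is a real AD domain, so the same LDAP/LDAPS calls work there: point -Server at one of the directory's DNS addresses and bind with a read-only account created in that domain.

```powershell
# Added example, not from the post. Assumed values: 'dc1.corp.example',
# 'DC=corp,DC=example' and the 'CORP\svc-ldap-reader' bind account.
Add-Type -AssemblyName System.DirectoryServices

function Get-LdapObjects {
    param(
        [Parameter(Mandatory)][string]$Server,        # DC or AWS directory DNS address
        [Parameter(Mandatory)][string]$BaseDn,        # where the subtree search starts
        [Parameter(Mandatory)][string]$Filter,        # RFC 4515 LDAP filter
        [string[]]$Attributes = @('sAMAccountName'),
        [pscredential]$Credential,                    # omit to bind as the current user
        [switch]$UseSsl                               # LDAPS on 636; the DC cert must be trusted
    )
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure   # Negotiate, signed/sealed
    $path = "LDAP://$Server/$BaseDn"
    if ($UseSsl) {
        $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
        $path = "LDAP://${Server}:636/$BaseDn"
    }
    $root = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry($path, $Credential.UserName,
            $Credential.GetNetworkCredential().Password, $auth)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($path, $null, $null, $auth)
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize    = 1000        # paged results; without it the DC stops at 1000 entries
    $searcher.SearchScope = 'Subtree'
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{ path = $r.Path }
        foreach ($a in $Attributes) { $o[$a] = @($r.Properties[$a]) -join ';' }   # multi-valued -> joined
        [pscustomobject]$o
    }
}

# Usage with the assumed names: enabled user accounts, then groups with their members.
$cred   = Get-Credential 'CORP\svc-ldap-reader'
$common = @{ Server = 'dc1.corp.example'; BaseDn = 'DC=corp,DC=example'; Credential = $cred; UseSsl = $true }
$users  = Get-LdapObjects @common -Attributes sAMAccountName, userPrincipalName, mail, memberOf `
            -Filter '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$groups = Get-LdapObjects @common -Attributes sAMAccountName, member -Filter '(objectCategory=group)'
$users  | Format-Table -AutoSize
$groups | Format-Table -AutoSize
```

The bitwise filter on userAccountControl (bit 2 = ACCOUNTDISABLE) drops disabled accounts. For the web application, use a dedicated read-only bind account rather than a user's own credentials, and LDAPS (or at least signing) so the bind password and the query results do not cross the network in clear.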

Change user account name with minimum impact


Hi All, 

I want to change user logon names in AD and SMTP email addresses due to standardization at our company. When we change the login name, what is the impact? Is it going to change the user profiles on each workstation they log on to? For SMTP I know we can add a new one and make it primary but still keep the old one so senders can still send him an email. I am really concerned about the logon name / sAMAccountName.

Any ideas for this? Maybe giving a hint or step? :)


Krisna Ismayanto | My blogs: Krisna Ismayanto | Twitter: @ikrisna
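
Added example (editor's, not from the post above): a rename that changes sAMAccountName and UPN, makes the new SMTP address primary and keeps the old one as a secondary alias. It assumes the RSAT ActiveDirectory module, the mail domain 'corp.example', and that proxyAddresses is written directly in AD; where Exchange email address policies own that attribute, set the addresses with Set-Mailbox -EmailAddresses instead.

```powershell
# Added example, not from the post. Assumed: ActiveDirectory module, mail domain
# 'corp.example', sample accounts 'jdoe' -> 'john.doe'.
Import-Module ActiveDirectory

function Rename-UserLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OldSam,
        [Parameter(Mandatory)][string]$NewSam,
        [Parameter(Mandatory)][string]$MailDomain
    )
    $u = Get-ADUser -Identity $OldSam -Properties proxyAddresses, mail
    $newAddr = "$NewSam@$MailDomain"

    $addrs = @($u.proxyAddresses)
    # Keep the current mail address reachable: make sure it is in the list at all.
    if ($u.mail -and -not ($addrs -like "smtp:$($u.mail)")) { $addrs += "SMTP:$($u.mail)" }
    # Demote every primary (upper-case SMTP:) to a secondary (lower-case smtp:) ...
    $addrs = @($addrs | ForEach-Object { if ($_ -cmatch '^SMTP:') { 'smtp:' + $_.Substring(5) } else { $_ } })
    # ... drop any existing copy of the new address, then add it as the single primary.
    $addrs = @($addrs | Where-Object { $_ -notlike "smtp:$newAddr" }) + "SMTP:$newAddr"

    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "rename $OldSam -> $NewSam, primary SMTP $newAddr")) {
        Set-ADUser -Identity $u -SamAccountName $NewSam -UserPrincipalName $newAddr `
                   -EmailAddress $newAddr -Replace @{ proxyAddresses = $addrs }
    }
    # Left untouched on purpose: the SID, the DN/CN and displayName. Group
    # memberships, ACLs and local profiles (ProfileList is keyed by SID) follow the
    # SID, so they are unaffected; the user simply logs on with the new name.
}

Rename-UserLogon -OldSam 'jdoe' -NewSam 'john.doe' -MailDomain 'corp.example' -WhatIf   # dry run
Rename-UserLogon -OldSam 'jdoe' -NewSam 'john.doe' -MailDomain 'corp.example'
```

Things the rename does not take care of: the pre-Windows 2000 name is limited to 20 characters, the UPN suffix has to exist in the forest's UPN suffix list, and anything keyed on the old string (scheduled tasks, service logons, scripts, third-party systems that store the sAMAccountName rather than the SID) has to be updated separately.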

Trusts and DMZ


Hi,

We have a standard DMZ design, protected by firewalls. There is a one-way trust between the regular (MAIN) domain and the DMZ domain. Users from MAIN can authenticate to DMZ, but not vice versa.

Now we need one of the servers in the DMZ to query data from the AD of the MAIN domain. Ports from this server to the MAIN domain controllers are closed. There is no trust from DMZ to MAIN, but we can impersonate a process with a user from the MAIN domain.

Opening ports from the server to the MAIN domain controllers is not an option for us.

Setting up a trust from DMZ to MAIN is not an option either.

Is there any workaround to achieve querying of the MAIN Active Directory from the DMZ server with the two restrictions specified above?

Help is appreciated!

ADDS DR Questions


Hello All. I have a few questions with respect to DR of AD DS:

1. The loss of how many DCs can an organization survive?

2. If all DCs go offline in one of the sites, would the services dependent on AD query or authenticate to another site's DCs? Or do we need to configure them to do so?

3. Which one DC can we not afford to lose in the entire organization?

4. If the PDC goes down, would it cause disruption to all services dependent on AD such as Exchange, SQL, Skype, SharePoint, etc.?

5. How do organizations generally manage BCP drills with respect to AD?

6. What is recommended to be tested in BCP drills?

Thanks in advance.
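
Added example (editor's, not from the post above) for questions 2 to 4: which DC holds each FSMO role, and which DCs answer for a given site. No single DC is irreplaceable; every FSMO role can be seized onto a surviving DC (Move-ADDirectoryServerOperationMasterRole -Force). The PDC emulator is the one whose loss is felt first (authoritative time source, password-change and lockout chaining, default target for GPMC edits), but Kerberos authentication carries on against the remaining DCs. When a site loses all its DCs, automatic site coverage makes the DCs of the closest site (by site link cost) register SRV records for it, so clients find a DC without reconfiguration. Assumed: the ActiveDirectory module and a site named 'DR-Site'.

```powershell
# Added example, not from the post. Assumed: ActiveDirectory module, site 'DR-Site'.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# The DCs registered for a site are its _sites SRV records; a DC-less site shows
# the covering DCs from the next-closest site here.
function Get-SiteDcs {
    param([Parameter(Mandatory)][string]$Site, [string]$Domain = (Get-ADDomain).DNSRoot)
    Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' |
        Select-Object @{ n = 'Site'; e = { $Site } }, NameTarget, Priority, Weight
}

Get-FsmoHolders
Get-ADReplicationSite -Filter * | ForEach-Object { Get-SiteDcs -Site $_.Name }

# What a client sitting in DR-Site would be handed by the DC locator right now:
$domain = (Get-ADDomain).DNSRoot
nltest "/dsgetdc:$domain" "/site:DR-Site" /force
```

For a BCP drill the useful check is exactly this, run before and after isolating a site: the SRV records for the isolated site should still resolve to DCs elsewhere, and nltest from a client in that site should return one of them.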

Port for AD


Dear all,

I use Windows 2012 R2 Standard; the AD server is protected by a firewall.

Which ports should I open in the firewall policy to add a server/PC to the domain controller, and for the domain controller to push policy to its members?

thanks


john
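
Added example (editor's, not from the post above): a check of the TCP ports a member needs to reach on a DC for domain join and Group Policy, plus two UDP-dependent checks (NTP, DNS). The DC name 'dc1.corp.example' and domain 'corp.example' are assumed; Test-NetConnection needs Windows 8 / Server 2012 or later on the machine running the check.

```powershell
# Added example, not from the post. Assumed names: dc1.corp.example, corp.example.
function Test-DcPorts {
    param([Parameter(Mandatory)][string]$DomainController,
          [Parameter(Mandatory)][string]$Domain)
    $tcp = [ordered]@{
        53   = 'DNS (also UDP 53)'
        88   = 'Kerberos (also UDP 88)'
        135  = 'RPC endpoint mapper: join, Netlogon, SAM'
        389  = 'LDAP (also UDP 389 for DC locator pings)'
        445  = 'SMB: SYSVOL/NETLOGON, GPO files and scripts'
        464  = 'Kerberos password change (also UDP 464)'
        636  = 'LDAPS, optional'
        3268 = 'Global Catalog LDAP, needed for UPN logons in multi-domain forests'
        3269 = 'Global Catalog LDAPS, optional'
    }
    foreach ($p in $tcp.Keys) {
        [pscustomobject]@{
            Port    = $p
            Purpose = $tcp[$p]
            TcpOpen = Test-NetConnection -ComputerName $DomainController -Port $p `
                          -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
    # RPC calls after the endpoint mapper land on the dynamic range (TCP 49152-65535
    # on 2008 and later); there is no fixed port to probe. Either allow the range,
    # or pin NTDS/Netlogon to static ports on the DC and test those.
    # UDP 123 and UDP 53 are exercised by these two:
    w32tm /stripchart "/computer:$DomainController" /samples:1 /dataonly
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DomainController
}

Test-DcPorts -DomainController 'dc1.corp.example' -Domain 'corp.example' | Format-Table -AutoSize
```

On the DC itself the Windows Firewall already ships a rule group for this; `Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services'` lists it. The list above is the member-to-DC direction only; DC-to-DC replication adds the same RPC/dynamic-range requirement between DCs.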

Entire AD restore


Hi All,

What is the procedure for restoring the entire AD in Win 2008 R2/2012 R2? Earlier, in Win 2003, we used:
ntdsutil
authoritative restore
restore database (for entire AD restore)

But for Win 2008 R2/2012 R2 in TechNet I could see only:
restore subtree
restore object
There is no mention of an entire AD restore like "restore database" as in Win 2003!
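
Added example (editor's, not from the post above). On 2008 and later the directory is restored from a Windows Server Backup system state backup with wbadmin in Directory Services Restore Mode; ntdsutil's "restore database" verb no longer exists, and marking the domain root with "restore subtree" is the replacement when the whole domain partition must win. Assumed values: backup target E:, the version timestamp, and the domain DN DC=corp,DC=example.

```powershell
# Added example, not from the post. Assumed: backup on E:, version 05/20/2016-22:00,
# domain DC=corp,DC=example. Run on the DC being restored.

# 1. Boot into Directory Services Restore Mode and log on as .\Administrator with the DSRM password.
bcdedit /set safeboot dsrepair
Restart-Computer

# 2. List the backups and restore system state. Without -authsysvol this is
#    non-authoritative: the DC comes back and pulls newer changes from its partners.
#    -authsysvol makes this DC's SYSVOL copy win across the domain.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:05/20/2016-22:00 -backupTarget:E: -authsysvol -quiet

# 3. Still in DSRM, before rebooting: mark what should be authoritative in the directory.
#    The domain root subtree is the 2008+ equivalent of the old "restore database";
#    for a single deleted OU give that OU's DN instead.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree DC=corp,DC=example" quit quit

# 4. Leave DSRM, reboot, then check replication and the shares.
bcdedit /deletevalue safeboot
Restart-Computer
# after the reboot:
repadmin /replsummary
net share
```

A whole-domain authoritative restore rolls every DC back to the backup's state (passwords, group changes, RID allocations), so it is the tool for undoing a bad bulk change or corruption, not a routine DR step. If every DC in the forest is lost, the procedure is Microsoft's forest recovery guide: restore one DC per domain from backup and re-promote the rest.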

Cannot install Active Directory Management Gateway Service on Windows server 2008 64 bit SP2


Hello,

I cannot install Active Directory Management Gateway Service based on the article Active Directory Management Gateway Service - Install Guide.docx presented on the page https://www.microsoft.com/en-us/download/details.aspx?id=2852. I get an error message that the update does not apply to my system.

Based on the article, the following prerequisites need to be met to install Active Directory Management Gateway Service:

1. Active Directory Domain Services (AD DS) or AD LDS server roles - The server is a domain controller already.
2. .NET Framework 3.5 with Service Pack 1 (SP1) - already installed
3. For Windows Server 2008 - install hotfix https://support.microsoft.com/en-us/kb/969166, but there is no hotfix presented on the page. When searching for KB969166 on https://support.microsoft.com/en-us/contactus?ws=support I find the update Windows6.0-KB968934-x64.msu, which points me back to https://www.microsoft.com/en-us/download/details.aspx?id=2852.
The update Windows6.0-KB968934-x64.msu cannot be installed; I get the message "This update does not apply to your system".

4. For Windows Server 2008 - http://go.microsoft.com/fwlink/?LinkId=152377 - not required for Windows Server 2008 SP2. My DCs are running Windows Server 2008 SP2, so this update is not required.

I am logged on with an account that has administrator access - a member of the Domain Admins group.

My server has the current configuration:
- Domain controller + DNS
- Windows server 2008 64 bit + SP2
- .NET Framework 3.5 with Service Pack 1

Are the instructions from the webpage https://www.microsoft.com/en-us/download/details.aspx?id=2852 wrong?

Is anybody able to help me to install Active Directory Management Gateway Service?
I wonder if anyone faced similar issue?

Thank you in advance.


FERPA Compliance


To remain in compliance with FERPA requirements and protect student personal information, we have removed the Authenticated Users group from our student OUs and user objects. This temporary solution has prevented us from applying GPO policies to the student OUs. What are other universities currently doing to allow GPOs to apply to students without putting their personal information at risk of exposure?



Matt Burgos


DFS Share Permissions


Grant full control to a user/group on a file share. How do I prevent the user/group from removing access for, or denying, any of the administrator groups (i.e. Domain Admins, Administrators, SYSTEM) on the file share? I need some advice as to the best way to accomplish this. The goal is to allow the user full access without having them remove any admin groups or users from the folder.



Matt Burgos
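
Added example (editor's, not from the post above). "Full Control" is what allows the user to rewrite the DACL: it bundles Change Permissions and Take Ownership on top of Modify. Granting Modify gives read, write, execute and delete on the whole tree without either of those, and the owner of the folder should be Administrators, because an owner can always change permissions regardless of the DACL. Path and group names are assumed.

```powershell
# Added example, not from the post. Assumed: D:\Shares\Team and the group CORP\Team.
function Grant-ModifyAccess {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Principal)
    $acl = Get-Acl -Path $Path
    # Modify = Read + Write + Execute + Delete. FullControl additionally carries
    # ChangePermissions (0x40000) and TakeOwnership (0x80000), the two rights that
    # let the grantee strip Administrators/SYSTEM from the folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    # The owner has implicit WRITE_DAC, so it must not be the user.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $Path -AclObject $acl
}

# Audit: which allow entries on a folder still carry either DACL-editing right?
function Get-DaclEditors {
    param([Parameter(Mandatory)][string]$Path)
    $mask = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
            [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights) -band $mask) } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Grant-ModifyAccess -Path 'D:\Shares\Team' -Principal 'CORP\Team'
Get-DaclEditors    -Path 'D:\Shares\Team'     # expect only Administrators/SYSTEM (and CREATOR OWNER) here
```

The icacls equivalent of the grant is `icacls D:\Shares\Team /grant "CORP\Team:(OI)(CI)M"`. Leave the share-level permission at Full Control for the same group; the NTFS DACL is what limits them, and DFS namespace targets add nothing on top of the underlying share and NTFS permissions. One remaining gap: files and folders the user creates are owned by the user, so the user can edit the DACL of their own files (the default CREATOR OWNER entry grants that too); that does not let them touch the parent folder's entries.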

DC promotion error !


Hey everyone;

There are 10 different sites in the environment and each site already has 2 additional DCs (2008). I did DC promotion (2012) on 9 sites, but on one site I get this error when I try to promote the new domain controller:

"the wizard cannot gain access to the list of domains in the forest"...

There are no firewall rules between sites and the Windows firewall is disabled.

I can ping mydomain.com. I can telnet to mydomain.com on 135, 139, 389, 636, 3268, 3269, 88, 53, 445, 9389, 5722, 464, 123 (from the old DCs also). Any idea?

Also, when I ping mydomain.com it returns the IP address of the old DCs on that site. I thought those old DCs have some problem and that because of that I faced this problem, but I don't know how to set my new DC to look at the DC of the main site.

In addition, when I use

nslookup mydomain

it returns:

Non-authoritative answer:
Name:    tr.com.tr
Address:  XX.XX.101.100
Aliases:  mydomain.com.tr.com.tr

It seems not normal, doesn't it? But I don't know where it checks.

Thank you.


quit domain process?


What is a computer's quit-domain (leave-domain) process?

I.e.:

Is the Trusted Root Certification Authorities certificate deleted?

Is the Personal certificate deleted?

I tested; the results:

The Trusted Root Certification Authorities certificate will be deleted.

The Personal certificate will not be deleted.


Cross Forest Active Directory Migration


Hello Experts,

I am in the process of a cross-forest migration and I am looking for a step-by-step tutorial for help. The source DC is running MS Windows 2012 R2 Std. x64 and the target DC would be 2012 R2 Ent. x64.

Also, the target DC is a VM on AWS and the source DC is an in-house VM. Is there any compatibility issue while migrating to a DC on AWS, or any other consequences with respect to end users?

Please guide me with the best possible solution. Is it possible to migrate from 2012 R2 Std. to Ent. without any problem? Is there any problem with the compatibility of both OSes in regard to ADMT migration? Also, which tool would be best for migration, ADMT or Quest? Is ADMT capable of migrating profiles as well? Also, I do not want to rejoin all client PCs to the domain. Is it possible?

Thanks,

Simant



Schema Extensions


Hello,

Apparently the schema extensions in Active Directory by SCCM (SMS) have been changed.

Executing query (&(ObjectCategory=MSSMSRoamingBoundaryRange)(|(&(MSSMSRangedIPLow<=174742319)(MSSMSRangedIPHigh>=174742319))))
Executing query (&(ObjectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries=10.106.80.0)(mSSMSRoamingBoundaries=RRH)(mSSMSSiteCode=SRV)))
LSGetAssignedSiteFromAD 
I am trying to find out why the site code is wrong.

How could I get:

- the list of extensions used by SMS

- the last modified date

Thanks,
Dom


System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
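
Added example (editor's, not from the post above). The two queries in the log are the client's site assignment lookup (LSGetAssignedSiteFromAD): first boundary ranges whose MSSMSRangedIPLow/High bracket the client's address, then site objects whose mSSMSRoamingBoundaries carry the client's subnet ID or AD site. The code below lists the SMS schema objects with their whenChanged timestamps (the schema is extended by ExtADSch.exe; each run shows up there) and re-runs both lookups against the System Management container so you can see which boundary wins and why. The decimal in the post's query is the IPv4 address as a big-endian 32-bit integer: 174742319 is 10.106.91.47. The IP and subnet values in the usage lines are assumed.

```powershell
# Added example, not from the post. Assumes the ActiveDirectory module and read
# access to CN=System Management,CN=System,<domain>.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
$smsBase = "CN=System Management,CN=System,$((Get-ADDomain).DistinguishedName)"

# 1. Schema extensions: ConfigMgr names its classes/attributes MS-SMS-* (cn) and mSSMS* (lDAPDisplayName).
function Get-SmsSchemaExtensions {
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(|(lDAPDisplayName=mSSMS*)(cn=MS-SMS-*))' `
        -Properties lDAPDisplayName, objectClass, whenCreated, whenChanged |
      Sort-Object whenChanged -Descending |
      Select-Object lDAPDisplayName, objectClass, whenCreated, whenChanged
}

# 2. The integer encoding used by MSSMSRangedIPLow/High (big-endian, as in the post's query).
function ConvertTo-SmsIpNumber {
    param([Parameter(Mandatory)][ipaddress]$Ip)
    $b = $Ip.GetAddressBytes()
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}
function ConvertFrom-SmsIpNumber {
    param([Parameter(Mandatory)][int64]$Number)
    $bytes = [BitConverter]::GetBytes([uint32]($Number -band 0xFFFFFFFF))  # host order (little-endian)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    (New-Object System.Net.IPAddress(,$bytes)).ToString()
}

# 3. The client's first lookup: which ranges contain this IP?
function Find-SmsBoundaryForIp {
    param([Parameter(Mandatory)][ipaddress]$Ip)
    $n = ConvertTo-SmsIpNumber $Ip
    Get-ADObject -SearchBase $smsBase `
        -LDAPFilter "(&(objectCategory=MSSMSRoamingBoundaryRange)(MSSMSRangedIPLow<=$n)(MSSMSRangedIPHigh>=$n))" `
        -Properties mSSMSSiteCode, MSSMSRangedIPLow, MSSMSRangedIPHigh, whenChanged |
      Select-Object Name, mSSMSSiteCode, whenChanged,
        @{ n = 'Low';  e = { ConvertFrom-SmsIpNumber $_.MSSMSRangedIPLow } },
        @{ n = 'High'; e = { ConvertFrom-SmsIpNumber $_.MSSMSRangedIPHigh } }
}

# 4. The client's second lookup: which site objects claim this subnet ID or AD site name?
function Find-SmsSiteForBoundary {
    param([Parameter(Mandatory)][string]$Boundary)
    Get-ADObject -SearchBase $smsBase `
        -LDAPFilter "(&(objectCategory=mSSMSSite)(mSSMSRoamingBoundaries=$Boundary))" `
        -Properties mSSMSSiteCode, mSSMSRoamingBoundaries, whenChanged |
      Select-Object Name, mSSMSSiteCode, whenChanged, @{ n = 'Boundaries'; e = { $_.mSSMSRoamingBoundaries -join ';' } }
}

Get-SmsSchemaExtensions | Format-Table -AutoSize
Find-SmsBoundaryForIp   -Ip '10.106.91.47'     # assumed client address (decodes the post's 174742319)
Find-SmsSiteForBoundary -Boundary '10.106.80.0' # assumed subnet ID from the post's second query
```

A wrong site code usually shows up here as a range or subnet assigned to two site objects, or a range wider than intended; the whenChanged column on those objects tells you when the boundary was last published from ConfigMgr.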


Local Password Issue

Every 90 days, we change the local administrator password on our workstations/laptops. We have this one laptop where, when you click on change password, it gives a warning that the laptop will restart in one minute, and it does. We have run AV software on this laptop and it does not find anything. Is there something in the registry or elsewhere that is inhibiting this password change?

Active Directory and DC replication issues


Hello all,

I inherited a couple of networks that I am trying to sort out some issues with. I'm not as savvy as I wish I was when it comes to networking etc.; this job started as a "you will be trained and brought up to speed" and turned into the individual resigning, and now it is a "you'd better learn quickly" scenario. With that being said, I'll do my best to explain our network/issues; please forgive me if I don't get simple terms etc.

We have 3 campuses on 3 networks. AD and the majority of our servers live at the main campus. All sites are connected via IPsec VPN tunnels. Each site has its own domain controller, DHCP and DNS servers. The main site has a total of 2 DCs. Site 1's DC (the main campus) is throwing the warning event ID 2088 (I know this is caused by an old DC that is still in Active Directory but is no longer a server that can be booted up; it was damaged before I got here and thus far I've been unable to clean it up within AD). It's also throwing the error event ID 1864: This directory server has not recently received replication information from a number of directory servers.

Site 2: Event warning 1925 (also related to the old DC)

Site 3: Here is my main issue. I cannot get this DC to replicate and it is starting to cause some bigger issues. I feel like it is a DNS issue? Within the DNS server it's throwing the event error ID 4000: "The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code." If I try to expand the DNS on this server it gives me the error "The server ****-DC could not be contacted. The error was: Access was denied. Would you like to add it anyway?" yes or no. Regardless of whether I click yes or no, when you expand the DNS part and right-click the DNS server name, all options are greyed out except Launch nslookup. None of the typical folders/information are in the DNS portion here like on the other campuses' DCs.

So I got the bright idea of "well, I'll just build a new DC for this site" and go that route; however, when I run dcpromo for the new server, on the select-a-domain part I get "Failed to examine the Active Directory forest. The error was: The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown username or bad password.)" I am using the main administrator login/password.

So I'm not even sure where to start to troubleshoot these issues. Everyone still has network connection at all sites, but I feel like if this is left unresolved it will cause huge issues in the future (maybe I'm wrong). Some of the weird issues I've seen with site 3 are people getting the error that the trust relationship between the workstation and the domain has been broken. (This happens way too often there; from what I've read it's an issue that happens periodically, but not like what I'm seeing there. It has become a daily plague.) I'm apprehensive about removing those machines from the domain and rejoining them since I don't feel that the DC there sees the main campus properly. So far a shutdown of the machine has restored their connections.

Other than troubleshooting site 3, how do I go about removing the old DC from AD so I can clean up the errors/warnings from the other sites, since they can no longer see the damaged DC that will never be online again? (I've googled things on this and none of what I have read/tried has worked.)

I know I'll be asked for logs etc. Please just explain how to go about getting whatever information you all need to help and I'll do my best. Thanks a ton in advance! I hope I made sense in this ramble.
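
Added example (editor's, not from either post), covering both the "DC promotion error" post above and this one: check what the DC locator actually hands out, find the replication partners that have gone silent, remove the dead DC's metadata, and promote the replacement against an explicitly chosen healthy source DC. Both promotion errors ("cannot gain access to the list of domains", "ldap connect/bind failed") are raised against whichever DC the locator returned, so the first step is to see which one that is, queried by FQDN rather than a bare label (the resolver pads an unqualified name with the suffix search list, which is what produced "mydomain.com.tr.com.tr" in the earlier post). Assumed names: domain corp.example, site Site3, dead DC OLDDC3, healthy DC DC1 at the main campus.

```powershell
# Added example, not from the posts. Assumed: corp.example, Site3, OLDDC3, DC1.
# Run as a Domain Admin on a machine with RSAT (ActiveDirectory and DnsServer modules).
Import-Module ActiveDirectory

# 1. What does this host see? nltest shows the DNS-registered DCs and the one it would pick.
function Show-DcLocator {
    param([Parameter(Mandatory)][string]$Domain)
    nltest "/dnsgetdc:$Domain"              # every DC registered in DNS for the domain
    nltest "/dsgetdc:$Domain" /force        # the DC this host would use right now
    Resolve-DnsName -Name $Domain -Type A   # the A records a bare "ping domain" hits
}

# 2. Replication partners that have failed and not succeeded within N days (dead DCs show up here).
function Get-StaleReplicationPartners {
    param([int]$DaysSilent = 30)
    $cutoff = (Get-Date).AddDays(-$DaysSilent)
    repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object {
        $last = $_.'Last Success Time' -as [datetime]
        [int]$_.'Number of Failures' -gt 0 -and (-not $last -or $last -lt $cutoff)
    } | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time', 'Number of Failures'
}

# 3. Metadata cleanup for a DC that will never come back, done from a healthy DC.
#    ntdsutil removes the NTDS Settings/server objects and the FRS/DFSR member objects;
#    the computer account and DNS records are listed afterwards so they can be deleted too.
function Remove-DeadDc {
    param([Parameter(Mandatory)][string]$DeadDc, [Parameter(Mandatory)][string]$Site,
          [Parameter(Mandatory)][string]$HealthyDc)
    $cfg      = (Get-ADRootDSE -Server $HealthyDc).configurationNamingContext
    $serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$cfg"
    ntdsutil "metadata cleanup" "remove selected server $serverDn on $HealthyDc" quit quit

    Get-ADObject   -Filter "name -eq '$DeadDc'" -SearchBase "CN=Sites,$cfg" -Server $HealthyDc  # should now be empty
    Get-ADComputer -Filter "name -eq '$DeadDc'" -Server $HealthyDc                              # delete if still present
    $zone = (Get-ADDomain -Server $HealthyDc).DNSRoot
    # Stale SRV records; also check the _msdcs.<domain> zone if it is delegated separately.
    Get-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $zone -RRType SRV |
        Where-Object { $_.RecordData.DomainName -like "$DeadDc.*" }
}

Show-DcLocator -Domain 'corp.example'
Get-StaleReplicationPartners -DaysSilent 30 | Format-Table -AutoSize
Remove-DeadDc -DeadDc 'OLDDC3' -Site 'Site3' -HealthyDc 'DC1.corp.example'

# 4. Promote the replacement with an explicit, healthy replication source instead of
#    whatever the locator returns in the broken site.
Install-ADDSDomainController -DomainName 'corp.example' -SiteName 'Site3' `
    -ReplicationSourceDC 'DC1.corp.example' -InstallDns -Credential (Get-Credential 'CORP\Administrator')
```

For the 1326 bind failure, run `nltest /sc_verify:corp.example` on the server you are promoting; if its own secure channel to the domain is broken, re-establish it with `Test-ComputerSecureChannel -Repair -Credential (Get-Credential)` before retrying. The same cmdlet is the fix for the "trust relationship ... has been broken" workstations, without a domain leave and rejoin. For the logs that will be asked for, `dcdiag /c /v /e > dcdiag.txt` and `repadmin /replsummary` cover most of it.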


Active Directory - What is meant by a 'Red forest design'?


Hi,

I have been asked about a migration from a single AD forest structure to a 'Red Forest design' but I have not been able to find any info on this term. I assume it has something to do with AD security?

Any help would be greatly appreciated.

Regards

Neil

Scripts folder (Netlogon Share) is missing on Windows 2008 R2 ADC


We have a 2008 R2 Active Directory forest with Windows 2003 and 2008 R2 domain controllers.

I have found that on some 2008 R2 DCs the scripts folder (Netlogon share) is missing right from DC promotion.

The Sysvol share is present on all domain controllers. Replication is running fine as well. Ports are also open and the same has been checked with the PortQueryUI tool.

I have tried a Sysvol non-authoritative restore (BurFlags D2) on one of the affected 2008 R2 domain controllers but no luck. Sysvol is populated but Netlogon is still missing.

I have seen two morphed folders named (scripts_NTFRS_xxxxxxxx) underneath the Sysvol folder on all domain controllers, but the scripts (Netlogon) folder is missing on the affected domain controllers.

Is there any way to create/populate the Netlogon share on those affected domain controllers?

Best Regards

Mahesh

mahesh1000@gmail.com
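
Added example (editor's, not from the post above). The Netlogon service shares <SysVol>\<domain>\scripts as NETLOGON when it starts with SysvolReady set to 1; if the folder has been morphed into scripts_NTFRS_<guid> by an FRS name collision, there is nothing for it to share, which is why the D2 restore repopulates SYSVOL but brings no NETLOGON. The fix is to put a folder named scripts back on one DC (rename the morphed copy whose content is current, or create an empty one) and let FRS replicate it, then restart Netlogon. Run on the affected DC as an administrator; the state function reads the registry values Netlogon itself uses.

```powershell
# Added example, not from the post. Run on the affected DC; ActiveDirectory module assumed.
Import-Module ActiveDirectory

function Get-NetlogonShareState {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $domainDir = Join-Path $p.SysVol (Get-ADDomain).DNSRoot        # e.g. C:\Windows\SYSVOL\sysvol\corp.example
    $scripts   = Join-Path $domainDir 'scripts'
    [pscustomobject]@{
        SysvolReady   = $p.SysvolReady
        ScriptsPath   = $scripts
        ScriptsExists = Test-Path $scripts
        MorphedDirs   = @(Get-ChildItem -Path $domainDir -Filter 'scripts_NTFRS_*' -ErrorAction SilentlyContinue |
                          Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
        NetlogonShare = (Get-WmiObject Win32_Share -Filter "Name='NETLOGON'").Path
        SysvolShare   = (Get-WmiObject Win32_Share -Filter "Name='SYSVOL'").Path
    }
}

function Repair-NetlogonShare {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$MorphedDir)   # the scripts_NTFRS_* copy that should win; omit to create an empty scripts folder
    $s = Get-NetlogonShareState
    if ($s.ScriptsExists) {
        Write-Warning "$($s.ScriptsPath) already exists; only restarting Netlogon"
    } elseif ($MorphedDir) {
        # Do this on ONE DC only: FRS replicates the rename to the others.
        if ($PSCmdlet.ShouldProcess($MorphedDir, "rename to $($s.ScriptsPath)")) {
            Rename-Item -Path $MorphedDir -NewName 'scripts'
        }
    } elseif ($PSCmdlet.ShouldProcess($s.ScriptsPath, 'create empty scripts folder')) {
        New-Item -Path $s.ScriptsPath -ItemType Directory | Out-Null
    }
    if ($s.SysvolReady -ne 1) { Write-Warning 'SysvolReady is not 1; Netlogon will not share until SYSVOL is ready' }
    # Netlogon (re)creates NETLOGON and SYSVOL on start.
    if ($PSCmdlet.ShouldProcess('Netlogon', 'restart service')) { Restart-Service Netlogon }
    Get-NetlogonShareState
}

Get-NetlogonShareState
Repair-NetlogonShare -MorphedDir 'C:\Windows\SYSVOL\sysvol\corp.example\scripts_NTFRS_0a1b2c3d' -WhatIf   # assumed path
```

After replication has carried the renamed folder to every DC, compare the remaining morphed copies against it and delete them; leaving both makes the next collision likely. `net share` on each DC should then list both SYSVOL and NETLOGON.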

After a Domain Controller restart some security configuration of WMI (cimv2) goes away


Hi, we need to add a user in the security configuration of cimv2. We add it, but after installing any updates we restart the server and the configuration goes away.

Does anybody know why? Or do I need to make any change in the Default Domain Controllers Policy?

Thanks everyone!

How to stop authentication from assuming domain suffix of user account


I've seen that if you log onto a local workstation as a local account that has the same name as a domain account on the same network, and the workstation is a domain member, it tries to use the domain account's credentials. This ends up locking out the domain account even when logged in as a local user. I am also seeing this same situation happen when testing scenarios prior to our company merger. Both domains use the same naming convention, and if you log in as one user (Gloria Test on Corp-01 as Corp-01\GTest) on one domain and attempt to access resources on the other domain, if there is a user account there with the same name (George Test on Corp-02 as Corp-02\GTest also) it will use his credentials instead of the originating domain's account that is accessing.

This can be shown in both local-to-domain accounts and domain-to-domain accounts:

For example: create a domain account on your network and give it permissions to access some folder. Then create a local account on a member computer with the same name and password as the domain equivalent created just earlier (Corp-01\GTest and LocalWorkstation\GTest, for example) and log onto the computer as the local account. You should still be able to access the network folder, even though you are on a local account, because of the way the credentials in Windows 'assume' the domain suffix and just pass the credentials.

If the passwords are the same, it will work without question; if the passwords are different (which they likely would be in the normal world) the domain account will be locked out! I worry this could cause us issues in our domain trust if we have accounts that use the same naming convention. We are about to move to this domain trust and I need to ensure testing of various scenarios. We have Exchange in this domain and I am hoping to use linked mailboxes to allow SSO using the trusting domain's user account. If they have the same naming convention though (which they do), how is that going to work when security assumes the wrong domain suffix?
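
Added example (editor's, not from the post above): tracing the lockouts the post describes back to the machine that sends the wrong password. Event 4740 (account locked out) is always written on the PDC emulator and carries the caller's computer name; 4776 (NTLM credential validation) with status 0xC000006A (wrong password) is written on the DC that validated the attempt and names the workstation. The ambiguity the post describes belongs to NTLM, where a local account's "domain" is just the workstation name; Kerberos tickets carry the realm, so a logon by UPN (gtest@corp-01.example) or an explicitly mapped credential (cmdkey /add:server /user:CORP-01\GTest) is unambiguous between Corp-01\GTest and Corp-02\GTest. Assumes the ActiveDirectory module and that the security logs are readable remotely.

```powershell
# Added example, not from the post. Assumes the ActiveDirectory module and remote
# read access to the DCs' Security logs (Event Log Readers or admin).
Import-Module ActiveDirectory

# Flatten an event's EventData into named properties (field names as in the event XML).
function ConvertFrom-EventXml {
    param([Parameter(Mandatory)]$Event)
    $d = @{ TimeCreated = $Event.TimeCreated; DC = $Event.MachineName }
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

# 4740 on the PDC emulator. Note: in 4740 the "Caller Computer Name" is stored in
# the TargetDomainName field, not in a field of its own.
function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { ConvertFrom-EventXml $_ } |
        Where-Object { $_.TargetUserName -eq $SamAccountName } |
        Select-Object TimeCreated, TargetUserName, @{ n = 'CallerComputer'; e = { $_.TargetDomainName } }, DC
}

# 4776 with a bad-password status on every DC: one row per failed NTLM attempt,
# with the Workstation that presented the credentials.
function Get-BadPasswordAttempts {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24,
          [string[]]$DomainController = ((Get-ADDomainController -Filter *).HostName))
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
                LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours) } |
            ForEach-Object { ConvertFrom-EventXml $_ } |
            Where-Object { $_.TargetUserName -eq $SamAccountName -and $_.Status -eq '0xc000006a' } |
            Select-Object TimeCreated, TargetUserName, Workstation, PackageName, Status, DC
    }
}

Get-LockoutSource       -SamAccountName 'GTest' | Format-Table -AutoSize
Get-BadPasswordAttempts -SamAccountName 'GTest' | Sort-Object TimeCreated | Format-Table -AutoSize
```

Before the merger test, run the second function while a user logs on as the same-named account in the other domain: if the attempts show up against the wrong account with PackageName NTLM, the access path is NTLM and needs fixing (UPN logon, mapped credentials, or Kerberos-only settings on the resource), whereas a Kerberos path will not produce them.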

NTLM Authentication Latency


Good Afternoon,

I need some direction on this one. I am having some issues with NTLM authentication latency. It's the best way I can describe it. We have an enterprise document management system. The web front-end server is Apache running on a Windows Server 2008 R2 system. It references a SQL 2008 database running on Windows Server 2008. The third component is an SSO-type solution built by the vendor running off JRE 7. In order to get the AD LDAP lookup working from the software we were forced to use LDAPS by importing the DC certificate into the Java store. Anyway, the problem seems to have started roughly 1 year ago. When a user opens a document in the system it can take 30 sec. or more for the document to load. Any subsequent forms/documents launch fine. When running a network trace, it looks like the system is passing the NTLM request to the domain controller. However, it does not get a response for 20 +/- seconds. We have tested from workstations and from the server itself, with and without the SSO component. It's like the domain controller is having issues with the NTLM request. We have fewer than 2000 users and a number of DCs. Load shouldn't be an issue.

Not that it's the only change, but we did finish upgrading all of our DCs to 2012 R2. I am wondering if the OS change is somehow contributing to the issue.
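
Added example (editor's, not from the post above). A request that leaves the web server for the DC and sits unanswered for tens of seconds is the signature of the Netlogon secure-channel bottleneck: NTLM pass-through from a member server to a DC is serialised through a semaphore with MaxConcurrentApi slots (default 2 on 2008 R2, 10 on 2012 and later), per secure channel, and a request that cannot get a slot waits and eventually times out. The Netlogon performance counters show that queue on the member server (here the Apache host) and on the DCs. Assumed names: APP01 for the web server and DC1/DC2 for the domain controllers.

```powershell
# Added example, not from the post. Assumed: APP01, DC1, DC2; ActiveDirectory module;
# remote registry/WinRM access to read MaxConcurrentApi.
Import-Module ActiveDirectory

function Get-NetlogonSemaphoreStats {
    param([string[]]$ComputerName = ((Get-ADDomainController -Filter *).HostName),
          [int]$Samples = 6, [int]$IntervalSeconds = 5)
    $counters = '\Netlogon(*)\Semaphore Waiters', '\Netlogon(*)\Semaphore Timeouts',
                '\Netlogon(*)\Semaphore Holders', '\Netlogon(*)\Average Semaphore Hold Time'
    foreach ($c in $ComputerName) {
        # Absent value = default for that OS version.
        $max = Invoke-Command -ComputerName $c -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue).MaxConcurrentApi
        }
        $data = Get-Counter -ComputerName $c -Counter $counters -SampleInterval $IntervalSeconds `
                            -MaxSamples $Samples -ErrorAction SilentlyContinue
        $data.CounterSamples | Where-Object { $_.InstanceName -ne '_total' } |
            Group-Object { $_.Path } | ForEach-Object {
                [pscustomobject]@{
                    Computer         = $c
                    Counter          = ($_.Name -split '\\')[-1]
                    Instance         = $_.Group[0].InstanceName          # the trust/domain the secure channel serves
                    Max              = ($_.Group | Measure-Object -Property CookedValue -Maximum).Maximum
                    MaxConcurrentApi = if ($max) { $max } else { 'default' }
                }
            }
    }
}

# Sample the member server and the DCs while users reproduce the slow first open.
Get-NetlogonSemaphoreStats -ComputerName 'APP01', 'DC1', 'DC2' |
    Sort-Object Computer, Counter | Format-Table -AutoSize

# On APP01: which DC its secure channel currently points at (the one to watch).
nltest /sc_query:corp.example
```

Read it as follows: Semaphore Waiters above zero for whole samples, or any Semaphore Timeouts, means requests are queuing on that hop; the hold time is roughly the delay users see. The remedies are raising MaxConcurrentApi on the member server and on the DC it talks to (the value is capped by the OS, and the secure channel must be reset or the service restarted for it to apply) and adding DCs. If the counters stay quiet on both ends, the wait is not in Netlogon and the LDAPS/JRE side of the vendor component (certificate validation on that 636 connection, for example) is the next thing to trace.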

 


