
Insert new line/carriage return in ADFS custom claim rule

Hi,
I have to split an outgoing claim string value into multiline text as follows:

Text_1¦Text_2¦Text_3¦Text_4

Split to:

Text_1
Text_2
Text_3
Text_4


I tried to use the RegExReplace() function but I can't find the right syntax for the new line/carriage return character.

Example:
c:[Type == "string_1"]
 => issue(Type = "string_2", Value = RegExReplace(c.Value, "¦", "[\n\r]"));

Some suggestions?

Thanks in advance.

Azure AD Connect - On-premises AD object attribute(s) not sync'ing to Office 365


I hope I'm putting this in the correct forum category.

We have an on-premises Active Directory.  Several years ago, the organization had an on-premises Exchange server, so the schema was extended at one time.  However, this on-premises Exchange server was decommissioned a few years ago, and the organization has since been using hosted Exchange.  Last year, we moved our hosted Exchange to Office 365, and we were using the DirSync utility to perform the synchronization.  The AD objects' attributes were synchronizing without issue (i.e., I was able to set the 'msExchHideFromAddressLists' attribute to "TRUE" on an AD object and that "user" would be hidden from our GAL).   Earlier this year, I received the notification that DirSync was deprecated and I needed to switch to Azure AD Connect.

I don't know if my issue started after switching to Azure AD Connect or if the issue started after Microsoft upgraded the Office 365 servers to Exchange 2016.  But at this moment, the Exchange attributes for the AD objects do not appear to be synchronizing (i.e., an AD account that had the 'msExchHideFromAddressLists' attribute set to "TRUE" and was previously hidden from the GAL is no longer hidden).  Working with Office 365 techs, I've set the attribute to "FALSE" and forced a sync.  I've set the attribute to "Not Set" and forced a sync.  I've set the attribute back to "TRUE" and forced a sync.  I've forced AAD Connect to perform an initial sync (using the PowerShell cmdlet 'Start-ADSyncSyncCycle -PolicyType Initial').  I cannot delete the account in question because management is 'holding onto the account' for legal purposes, but I've created a new account, synced, set the attribute, synced, and checked the GAL - all to no avail.

I've been told I don't need to extend the AD schema using Exchange 2016; however, I've read on other forums that it works.

Thoughts, please?

Thank you!
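Added example (not part of the post above, and not Microsoft's own tooling beyond the cmdlets named): before forcing more sync cycles, confirm that the attribute is actually imported and flowed. The connector only imports attributes that are in its attribute inclusion list, and a full sync does not add an attribute that was never selected. It assumes the AAD Connect server has the ADSync and RSAT ActiveDirectory modules, that the on-premises connector is named 'contoso.local' and the test account is 'jdoe' (both placeholders), and that the connector-space object exposes its attributes as Name/Values pairs (an assumption to confirm with Get-Member on your build).

```powershell
# Added example: verify that msExchHideFromAddressLists is selected on the AD
# connector and carried by a sync rule, then compare on-premises vs connector space.
Import-Module ADSync
Import-Module ActiveDirectory

$connectorName = 'contoso.local'            # placeholder: your on-premises AD connector
$attribute     = 'msExchHideFromAddressLists'
$sam           = 'jdoe'                     # placeholder: account under test

# 1. Is the attribute in the connector's inclusion list? If not, no sync cycle
#    (Initial or Delta) will ever import it.
$connector = Get-ADSyncConnector -Name $connectorName
$selected  = $connector.AttributeInclusionList -contains $attribute
"Attribute '$attribute' selected on connector '$connectorName': $selected"

# 2. Which sync rules flow it (inbound from AD and outbound to Azure AD), and are
#    any of them disabled or overridden by a lower-precedence custom rule?
Get-ADSyncRule |
    Where-Object { $_.AttributeFlowMappings.Destination -contains $attribute } |
    Select-Object Name, Direction, Precedence, Disabled |
    Format-Table -AutoSize

# 3. Compare the value in AD with what reached the connector space after import.
$user = Get-ADUser -Identity $sam -Properties $attribute
"On-premises value for ${sam}: $($user.$attribute)"
$cs = Get-ADSyncCSObject -ConnectorName $connectorName -DistinguishedName $user.DistinguishedName
# assumption: connector-space attributes expose Name and Values; check with Get-Member
$cs.Attributes | Where-Object { $_.Name -eq $attribute } | Select-Object Name, Values

# 4. Only after the selection or rule is fixed is another full cycle useful:
# Start-ADSyncSyncCycle -PolicyType Initial
```

If step 1 reports false, re-run the Azure AD Connect wizard, refresh the directory schema and select the attribute on the connector; if step 1 is true but step 2 lists no enabled rule, the Exchange rules were not created at install time and the feature set needs to be re-evaluated in the wizard.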

Intersite replication query


Hi Team,

I have a query about intersite replication, which is described below. Kindly review and provide your valuable comments.

I have 2 domain controllers named DC1 and DC2, which are located in different sites, BLR and CHN. I have set the replication interval to every 15 minutes. In my case, whenever I create a user or OU, the replication is performed very quickly. Indeed, the frequency of intersite replication is 15 minutes and I am expecting the same in my scenario. Also I would like to highlight that I have not enabled change notification between sites. I really don't know where the mistake is, or whether this is the expected behaviour?

Regards

Sajin P S


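Added example (not part of the post above): the settings that decide whether a change crosses the site boundary immediately or waits for the interval can all be read with the ActiveDirectory module, so the observation can be checked against the configuration rather than guessed. It assumes the RSAT ActiveDirectory module and a DC named DC1 (placeholder); the site link names come from the forest itself.

```powershell
# Added example: read site link options, the interval, actual site membership of
# each DC and the last replication results.
Import-Module ActiveDirectory

function Get-SiteLinkSettings {
    Get-ADReplicationSiteLink -Filter * -Properties Options, ReplicationFrequencyInMinutes, SitesIncluded |
        ForEach-Object {
            $opt = if ($_.Options) { [int]$_.Options } else { 0 }
            [pscustomobject]@{
                SiteLink           = $_.Name
                Sites              = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', '
                IntervalMinutes    = $_.ReplicationFrequencyInMinutes
                ChangeNotification = [bool]($opt -band 1)   # 0x1 = USE_NOTIFY
                TwoWaySync         = [bool]($opt -band 2)   # 0x2 = TWOWAY_SYNC
                NoCompression      = [bool]($opt -band 4)   # 0x4 = DISABLE_COMPRESSION
            }
        }
}

function Get-ReplicationPartnerStatus([string]$Dc) {
    Get-ADReplicationPartnerMetadata -Target $Dc -Scope Server -PartnerType Both |
        Select-Object Partition, Partner, IntersiteTransportType,
                      LastReplicationAttempt, LastReplicationSuccess, ConsecutiveReplicationFailures
}

Get-SiteLinkSettings | Format-Table -AutoSize

# Two DCs that ended up in the same site (e.g. because a subnet object is missing)
# use intrasite change notification no matter what the site link says.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address | Format-Table -AutoSize

Get-ReplicationPartnerStatus -Dc 'DC1' | Format-Table -AutoSize
```

If ChangeNotification is false for the BLR-CHN link and both DCs really are in different sites, compare LastReplicationSuccess timestamps after a test change: a timestamp that advances only on the interval shows the schedule is working, while one that advances at once points at a manual repadmin /syncall or a second replication path.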

Active Directory DR Testing


I have the following environment for Active Directory (Windows domain controllers):

(Primary DC -- windows 2008 R2 standard edition) --- DC1

(Additional DC - windows 2012 R2 Standard edition) ---- DC2

(Additional DC - windows 2012 R2 Standard edition)---- DC3

All above are on VMs

I am taking a system state and image backup of these 3 DCs on a daily basis.

I want to test DR (suppose all three of my machines are gone and I have only the system state or image backup of the above 3).

What steps do I need to follow to recover the 3 DCs to a new environment like the old one?

Open to suggestions.

Regards

M.Amir Jabran
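Added example (not part of the post above): the first part of a full-loss recovery as it would be typed on the rebuilt DC1, following the shape of Microsoft's forest recovery guidance, in which only one DC per domain is restored from backup and the other DCs are rebuilt by promotion rather than restored (restoring all three from different backups risks USN rollback and lingering objects). It assumes Windows Server Backup (wbadmin) made the system state backup to E:, that the version identifier is taken from 'wbadmin get versions', and that the NTDS Settings objects of DC2/DC3 can be removed with Remove-ADObject to trigger metadata cleanup (an assumption; ntdsutil "metadata cleanup" is the classic alternative).

```powershell
# Added example: restore DC1 from its system state backup, then prepare the forest
# for DC2 and DC3 to be promoted again as new DCs.

# --- in Directory Services Restore Mode on the rebuilt DC1 VM ---
$backupTarget = 'E:'                       # placeholder: where the backups live
wbadmin get versions "-backupTarget:$backupTarget"

$version = '05/12/2017-02:00'              # placeholder: a version id from the list above
# Non-authoritative restore, but mark SYSVOL authoritative: DC1 will be the only
# DC in the recovered forest, so no other copy may overwrite it.
wbadmin start systemstaterecovery "-version:$version" "-backupTarget:$backupTarget" -authsysvol -quiet
# reboot normally when the restore finishes

# --- after reboot, on DC1 ---
Import-Module ActiveDirectory

# Seize every FSMO role that still points at the lost DC2/DC3 (-Force = seize).
Move-ADDirectoryServerOperationMasterRole -Identity 'DC1' -Force `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Remove the metadata of DC2 and DC3 so the names can be promoted again.
$configNC = (Get-ADRootDSE).configurationNamingContext
foreach ($lost in 'DC2', 'DC3') {
    $ntds = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSDSA)' |
        Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$lost,*" }
    if ($ntds) {
        Remove-ADObject -Identity $ntds.DistinguishedName -Recursive -Confirm:$false
        "Removed NTDS Settings for $lost"
    }
}

# Remaining steps from the forest recovery guidance, not automated here:
#  - remove the stale DC2/DC3 records from DNS and from the Domain Controllers OU
#  - reset the krbtgt password twice and the DC1 machine account password
#  - raise the RID pool, then promote fresh DC2/DC3 with Install-ADDSDomainController
```

Test this on an isolated network first: a restored DC1 that can reach the production network would start replicating the old state into it.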

Granting permission for each user in his own directory using PowerShell

I have 45 users in Active Directory and 45 folders that have the same names as the AD users. I want to use a script that gives every user full control on his own directory. How do I do it?
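Added example (not part of the post above): one pass over the folders, matching each folder name to a user account and adding an inheritable ACE for that user only. It assumes the folders live under D:\Users (placeholder), that each folder name equals the user's sAMAccountName, and that the RSAT ActiveDirectory module is installed where the script runs.

```powershell
# Added example: grant each user an access rule on the folder named after them.
Import-Module ActiveDirectory

function Grant-OwnFolderAccess {
    param(
        [string]$Root = 'D:\Users',                                                 # placeholder root
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
    )
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        # Match on sAMAccountName; an LDAP filter avoids quoting problems in names.
        $user = Get-ADUser -LDAPFilter "(sAMAccountName=$($dir.Name))"
        if (-not $user) {
            Write-Warning "No AD user matches folder '$($dir.Name)', skipping"
            continue
        }
        $identity = New-Object System.Security.Principal.NTAccount($env:USERDOMAIN, $user.SamAccountName)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity,
            $Rights,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',  # apply to subfolders and files
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)

        $acl = Get-Acl -Path $dir.FullName
        $acl.AddAccessRule($rule)          # adds one ACE; existing ACEs are kept
        Set-Acl -Path $dir.FullName -AclObject $acl
        "Granted $Rights on $($dir.FullName) to $($user.SamAccountName)"
    }
}

Grant-OwnFolderAccess -Root 'D:\Users' -Rights FullControl
```

Full Control lets a user change the permissions on their own folder (and so grant it to others or lock the helpdesk out); Modify is usually enough for a home directory and can be chosen with -Rights Modify.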

An issue with InfoBlox DNS appliance, Active Directory and LDAP

Hi All,

In our company we have implemented Active Directory, served by four DCs - dc1, dc2, dc3 and dc4 - which maintain the domain domain.local, single forest, single domain. We are using an InfoBlox appliance as DNS server instead of Microsoft AD-integrated DNS. The IP address of the InfoBlox appliance is set on each domain controller as the primary name server on the network card. As this AD implementation was inherited from the previous administrator (who suddenly left the company before I took his place) with no documentation at all, what I found is that an AD-integrated DNS server exists on dc2. This AD-integrated DNS was obviously built during the initial configuration of Active Directory; it holds the zone domain.local with all supporting zones such as _msdcs.domain.local etc. On the InfoBlox's side the zone was configured and it acts perfectly as a name server: every computer or server, when added to the domain, registers itself in the InfoBlox, and the _msdcs.domain.local, _gc, _kerberos and _ldap zones and records are OK.

We are facing an issue with LDAP localization with Oracle BI software, which is installed on a domain member server. Oracle BI is set to work with AD users and for this purpose an LDAP connector was set up. As the LDAP server I set domain.local; there is a dedicated domain user which is set in Oracle BI to perform LDAP queries, and the user is specified with its distinguished name. When Oracle BI queries the domain, the users are listed in Oracle BI. However, when I shut down dc2, Oracle BI is no longer able to perform LDAP queries. It seems that the connector somehow prefers the AD-integrated DNS instead of the InfoBlox's DNS when performing LDAP queries. I have added the DNS server role on dc1 (with dc2 powered on), and all the zones were transferred from dc2. With dc1 serving DNS, when I shut down dc2 Oracle BI works perfectly with LDAP queries.

The conclusion I made is that when there is no AD-integrated DNS up and running, Oracle BI is unable to perform LDAP queries even with the InfoBlox name server, with all zones and records, specified in its network settings. Does anybody know what the reason for this issue could be?

PS. Forgot to mention that on both the AD-integrated DNS and the InfoBlox all the _ldap records are set with priority 0 and weight 100.




How to backup and restore Windows 2012R2 ADFS


We have 2 ADFS Server and 2 ADFS Proxy Server.

We have to take a backup of the ADFS servers as well as the ADFS proxy servers. But we are using an ADFS WID farm database.

Kindly provide step-by-step documentation for backing up the WID database.
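Added example (not part of the post above, and not an official Microsoft procedure): a backup of the two WID databases of a 2012 R2 farm plus a readable export of the farm configuration, run on the primary farm node, which is the node that owns the writable WID copy. It assumes sqlcmd.exe is installed on that server (it is not there by default), that D:\AdfsBackup exists (placeholder), and that the script runs as a local administrator. The proxy servers hold no WID data; they are re-established with Install-WebApplicationProxy against the restored farm.

```powershell
# Added example: back up the AD FS WID databases and export the farm configuration.
$dest = Join-Path 'D:\AdfsBackup' (Get-Date -Format 'yyyyMMdd-HHmm')   # placeholder path
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# WID is reachable only through this local named pipe, never over TCP.
$wid = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'
foreach ($db in 'AdfsConfiguration', 'AdfsArtifactStore') {
    sqlcmd -S $wid -E -Q "BACKUP DATABASE [$db] TO DISK = N'$dest\$db.bak' WITH INIT"
    if ($LASTEXITCODE -ne 0) { throw "Backup of $db failed (sqlcmd exit code $LASTEXITCODE)" }
}

# Human-readable copies of what the farm serves, for review and partial restores.
Import-Module ADFS
Get-AdfsProperties          | Export-Clixml (Join-Path $dest 'AdfsProperties.xml')
Get-AdfsRelyingPartyTrust   | Export-Clixml (Join-Path $dest 'RelyingPartyTrusts.xml')
Get-AdfsClaimsProviderTrust | Export-Clixml (Join-Path $dest 'ClaimsProviderTrusts.xml')
Get-AdfsCertificate         | Export-Clixml (Join-Path $dest 'Certificates.xml')

# The private keys of auto-generated token-signing/decrypting certificates are
# protected by the DKM key stored in AD, not in WID. A WID restore into a farm with
# a different DKM key cannot use them: either back up/restore the DKM container too,
# or plan to issue new certificates and re-exchange metadata with every partner.
Get-ChildItem $dest
```

Keep the .bak files and the XML exports on storage the AD FS service account cannot write to; the configuration database contains the relying-party secrets and the encrypted private-key material.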

Unable to create trust between oim.com and dev.com


Hi,

There is a requirement where we have two domains. Dev.com is the production domain and oim.com is used for development/test. Users in oim.com need to access resources from Dev.com, and Dev.com users must not be able to access resources from oim.com!

oim.com - Windows 2012 R2 (functional level - Windows 2008 R2)

Dev.com - Windows 2008 R2 (functional level - Windows Server 2003)

I have created a one-way outgoing trust from oim.com to dev.com, and when I validate the trust from oim.com the trust validates successfully. But when I validate the trust from dev.com I get the error "Windows cannot find an Active Directory domain controller for oim.com. Verify that an AD DC is available and then try again."

I am able to ping the domain controllers from both domains, and I have also created a conditional forwarder in oim.com for dev.com and added the respective DNS IPs. Also, on the Dev.com domain controller I have added the DNS IP address of oim.com.



Default-First-Site-Name renamed, can I delete the site from DNS?

Hi,

I renamed Default-First-Site-Name with a new name that identifies the city of the site.

I see that in the _msdcs delegated zone of the primary zone, in the sites section, both the new site name and Default-First-Site-Name exist.

Can i remove it?

Custom OIDs in Active Directory

I've been asked at my new job to add a couple of extra custom user attributes to Active Directory. When I was about to add the custom attributes in the Schema Editor I noticed an attribute name that started with the company name and decided to check it out.

It turns out that a previous admin has added a custom attribute using the "wrong" OID-prefix, namely:

1.2.840.113556.1.8000.999999.2.1

Which is the example mentioned in the following TechNet article https://msdn.microsoft.com/en-us/library/ms677620(v=vs.85).aspx, and not an OID generated from the script referenced in that article.

It also says in that same article: "Once you have a base OID, be careful when deciding how the OIDs should be divided into categories, because these OIDs are contained in the prefix table and are part of the DC replication data. It is recommended that no more than two OID categories be created."

  • Should this be a cause for concern/something that needs to be fixed? Or can this only cause issues if we ever needed to establish a trust with a separate domain that has made the same mistake?
  • I'm not sure I understand the recommendation regarding the two OID categories. What possible issues could arise if I choose to add a second set of two OID categories using the OID prefix generated from the script? It should be a better option than to continue down the current path using the wrong prefix, right?


Any input is greatly appreciated,

Rashi
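Added example (not part of the post above): an audit of what already sits under the documentation example prefix, and a generator for a base OID of your own using the same construction as the script the linked MSDN article refers to (Microsoft's GUID-derived prefix 1.2.840.113556.1.8000.2554 followed by seven arcs cut from a fresh GUID). It assumes the RSAT ActiveDirectory module; the prefix to audit is the one quoted in the post.

```powershell
# Added example: list schema objects under a given OID prefix, and generate a new base OID.
Import-Module ActiveDirectory

function Get-SchemaObjectsUnderOid([Parameter(Mandatory)][string]$Prefix) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # attributeID/governsID use OID syntax, which has no substring matching in LDAP,
    # so fetch every attribute and class and filter on the client.
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' `
                 -Properties attributeID, governsID, lDAPDisplayName |
        ForEach-Object {
            $oid = if ($_.attributeID) { $_.attributeID } else { $_.governsID }
            if ($oid -like "$Prefix.*") {
                [pscustomobject]@{ Name = $_.lDAPDisplayName; Kind = $_.ObjectClass; OID = $oid }
            }
        }
}

function New-SchemaBaseOid {
    # Same construction as the MSDN "Generate an Object Identifier" script:
    # 32 hex digits of a new GUID split into 16,16,16,16,16,24,24-bit arcs.
    $prefix = '1.2.840.113556.1.8000.2554'
    $hex    = [guid]::NewGuid().ToString('N')
    $arcs   = @(
        [uint64]::Parse($hex.Substring(0, 4),  'AllowHexSpecifier')
        [uint64]::Parse($hex.Substring(4, 4),  'AllowHexSpecifier')
        [uint64]::Parse($hex.Substring(8, 4),  'AllowHexSpecifier')
        [uint64]::Parse($hex.Substring(12, 4), 'AllowHexSpecifier')
        [uint64]::Parse($hex.Substring(16, 4), 'AllowHexSpecifier')
        [uint64]::Parse($hex.Substring(20, 6), 'AllowHexSpecifier')
        [uint64]::Parse($hex.Substring(26, 6), 'AllowHexSpecifier')
    )
    "$prefix.$($arcs -join '.')"
}

# Everything a previous admin created under the example prefix from the article.
Get-SchemaObjectsUnderOid -Prefix '1.2.840.113556.1.8000.999999' | Format-Table -AutoSize

# A base OID to record once and reuse for all future attributes (e.g. <base>.1 for
# attributes and <base>.2 for classes: the two categories the article recommends).
New-SchemaBaseOid
```

Record the generated base OID where the next administrator will find it; the schema is append-only, so an attribute created under a prefix cannot be moved, only defunct-ed and recreated under the right one.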


Unable to create external trust between two different domain


Hi,

There is a requirement where we have two domains. Dev.com is the production domain and oim.com is used for development/test. Users in oim.com need to access resources from Dev.com, and Dev.com users must not be able to access resources from oim.com! The domain controller in oim.com crashed a few days back, and we had only one domain controller in oim.com. Hence we have re-imaged the DC and promoted the server as a DC again, and we were trying to reconfigure the external trust between oim.com and dev.com.

oim.com has only 1 DC - Windows 2012 R2 (functional level - Windows 2008 R2)

Dev.com has multiple DCs - all Windows 2008 R2 (functional level - Windows Server 2003)

I have created a one-way outgoing trust from oim.com to dev.com, and when I validate the trust from oim.com the trust validates successfully. But when I validate the trust from dev.com I get the error "Windows cannot find an Active Directory domain controller for oim.com. Verify that an AD DC is available and then try again."

I am able to ping the domain controllers from both domains, and I have also created a conditional forwarder in oim.com for dev.com and added the respective DNS IPs. Also, on the Dev.com domain controller I have added the DNS IP address of oim.com in the network properties, and added host records too.

Also, when I try creating the trust from Dev.com I get only two options (Realm Trust and Trust with a Windows domain), but from oim.com when I try creating the trust I get all the options like external trust, type of trust etc.

Can anyone suggest how to fix the issue?


Reliability of nltest for secure channel

Among the 4 domain controllers in my single-forest/single-domain, I have one DC which fails nltest /sc_verify:mydomain.com. It spits out "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN". It does, however, replicate with the remaining 3 DCs just fine (via repadmin /syncall or /replsummary). It fails the PowerShell Test-ComputerSecureChannel but gives an "OK" using gwmi win32_ntdomain. I have checked DNS and the appropriate SRV records as per https://support.microsoft.com/en-us/kb/241515. How reliable is nltest when run against a domain controller? I have seen postings that indicate that if replication is occurring, nltest must be wrong if it throws an error. Please advise, and any possible solutions you could direct me to should the DC's secure channel be broken. Thanks.
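Added example (not part of any of the posts): the InfoBlox/Oracle BI post, the two oim.com/dev.com trust posts and the nltest post above all come down to the same question, whether the DC locator can find a DC for a domain name through DNS. Status 1355 (ERROR_NO_SUCH_DOMAIN) and "cannot find an Active Directory domain controller" are what Netlogon returns when the locator records do not lead to a DC. This function queries the same records the locator uses, optionally against a specific server so that the answers from the configured resolver and from the InfoBlox can be compared. It assumes Windows 8/2012 or later for Resolve-DnsName (on 2008 R2 use nslookup -type=SRV for the same names); 'domain.local' and '192.0.2.10' are placeholders. One caveat the trust posts touch on: a DC only queries its primary DNS server while that server answers, so the DCs in dev.com must resolve oim.com through their own DNS (a conditional forwarder or stub zone for oim.com), not through an extra resolver address added to the NIC.

```powershell
# Added example: check the DNS records the DC locator needs for a domain, the way a
# member server, a trusting DC or a DC verifying its own secure channel would.
function Test-DcLocatorDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$DnsServer            # optional: query this server instead of the configured one
    )
    $serverArg = @{}
    if ($DnsServer) { $serverArg['Server'] = $DnsServer }

    $checks = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' }   # writable DCs (DC locator)
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
        @{ Name = "_ldap._tcp.$Domain";               Type = 'SRV' }   # what an LDAP client like Oracle BI may use
        @{ Name = "_gc._tcp.$Domain";                 Type = 'SRV' }
        @{ Name = $Domain;                            Type = 'A'   }   # bare domain name: one A record per DC
    )
    foreach ($c in $checks) {
        try {
            $answers = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction Stop @serverArg |
                Where-Object { $_.Type -eq $c.Type }   # drop the additional A records returned with SRV
            foreach ($r in $answers) {
                $value = if ($c.Type -eq 'SRV') { "$($r.NameTarget):$($r.Port) prio=$($r.Priority) weight=$($r.Weight)" }
                         else                  { $r.IPAddress }
                [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Answer = $value; Ok = $true }
            }
        } catch {
            [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Answer = $_.Exception.Message; Ok = $false }
        }
    }
}

# Configured resolver vs. the InfoBlox directly: every SRV target must resolve to a live DC.
Test-DcLocatorDns -Domain 'domain.local'                          | Format-Table -AutoSize
Test-DcLocatorDns -Domain 'domain.local' -DnsServer '192.0.2.10'  | Format-Table -AutoSize

# Then ask Netlogon itself; /force bypasses the locator cache.
nltest /dsgetdc:domain.local /force
nltest /dsgetdc:oim.com /force        # run on a dev.com DC for the trust case
nltest /sc_query:domain.local         # which DC the secure channel is currently set to
```

A target name in an SRV answer that has no A record, or an A record for a DC that is switched off (dc2 in the InfoBlox post), is enough for a client that happens to pick that entry to fail, whatever the priority and weight say.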

AD CS published certificates to wrong AD object


In a Windows Server 2012 R2 environment, after a user's certificate is issued it is published to the Requester's AD object instead of the Subject's object named in the certificate.

Scenario:

User A is specified in the CSR's subject
User B takes the CSR and issues the certificate for User A
After:

No certificate exists in User A's object
User A's certificate exists in User B's object

Any help would be greatly appreciated. I am expecting that the certificate would be published to the object specified in the subject of the request.

Chuck


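Added example (not part of the post above): once the certificate has landed in User B's userCertificate attribute, it can be moved to User A's object with Set-ADUser, after checking that the certificate really identifies User A, so that a wrong serial number cannot publish someone else's certificate under their account. It assumes the RSAT ActiveDirectory module; 'userA', 'userB' and the serial number are placeholders taken from the CA's issued-certificates view.

```powershell
# Added example: move a published certificate from the requester's object to the
# subject's object, refusing to move one that does not name the destination user.
Import-Module ActiveDirectory

function Move-PublishedUserCertificate {
    param(
        [Parameter(Mandatory)][string]$FromUser,       # requester that received it (User B)
        [Parameter(Mandatory)][string]$ToUser,         # subject it belongs to (User A)
        [Parameter(Mandatory)][string]$SerialNumber    # hex serial as shown by the CA
    )
    $src = Get-ADUser -Identity $FromUser -Properties Certificates
    $dst = Get-ADUser -Identity $ToUser   -Properties Certificates, UserPrincipalName

    $cert = $src.Certificates |
        ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_ } |
        Where-Object { $_.SerialNumber -eq $SerialNumber.ToUpper() }
    if (-not $cert) { throw "No certificate with serial $SerialNumber is published on $FromUser" }

    # Accept the move only if the Subject CN is the destination user's name or the
    # SAN carries the destination user's UPN.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $cnPattern = 'CN=' + [regex]::Escape($dst.Name) + '(,|$)'
    $namesUser = ($cert.Subject -match $cnPattern) -or
                 ($dst.UserPrincipalName -and $san -like "*$($dst.UserPrincipalName)*")
    if (-not $namesUser) {
        throw "Certificate $SerialNumber does not name $ToUser (Subject: $($cert.Subject); SAN: $san)"
    }

    Set-ADUser -Identity $dst -Certificates @{ Add = $cert }
    Set-ADUser -Identity $src -Certificates @{ Remove = $cert }
    "Moved $($cert.Thumbprint) from $FromUser to $ToUser"
}

# placeholder serial number
Move-PublishedUserCertificate -FromUser 'userB' -ToUser 'userA' -SerialNumber '1A0000000000000000000000000000000A'
```

Moving the attribute value does not change what the CA database records about the request; the requester remains User B there, which is worth keeping in mind when auditing who enrolled on whose behalf.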


What directory service for an external vendor to connect to?

Dear all,

Thanks for your help first.
Current environment:
- Windows Server 2008 AD (FFL and DFL are 2008 R2)

Right now we have some vendors who will provide some applications to our internal users; we would like to use our AD user accounts to log in to their applications, so of course their applications should support a native AD connection.

I googled and found some options:
- set up ADFS; the application needs to support this
- set up a read-only AD for the external application to connect to
- set up AD LDS for the external application to connect to
- set up an ADMT server for the external application to connect to

Our requirements, if possible:
- do not want to sync all user accounts to the above server, only specific users if possible
- sync only some user attributes if possible
- do not want to sync passwords if possible, because there will be a time lag before a password gets synced

We prefer to use ADFS for those applications that support it; for those applications that do not support ADFS, we will provide a directory service for them to connect to, but which option is the best according to our requirements?

Any recommendation and suggestion on our situation and requirement?

Thanks again.

Patrick



Rename domain


Hi,

We have a greenfield AD forest deployment in which we have AD, DHCP, a SQL cluster, PKI, System Center 2016 and Symantec Endpoint Protection. All services are almost deployed. Suddenly we are asked to change the domain name from xxx.yyy to zzz.www (a total domain FQDN change). Now, is this something that is supported? What about the SIDs for the accounts used as service accounts in the various products installed? Note that the domain and forest functional level is Windows Server 2012 R2.


ADMT 3.2 - Computer migration from parent domain to child domain within a single forest failed ...


We are going to migrate computers from the parent domain to a newly created child domain with ADMT 3.2. The forest and domain functional level is Server 2008 R2. The OS is Server 2012 R2.

Getting the following error after agent installation in ADMT: unable to retrieve DNS information......

The computer is migrated to the child domain, which is shown in AD Users and Computers under Computers, and there is also a DNS entry for the computer, but after reboot I get the following error in ADMT.

ERR2:7711 Unable to retrieve the DNS hostname for the migrated computer "Client Name". The ADSI property cannot be found in the property cache. (hr=0x8000500d)

The client computer names are in both domains, and so are the DNS entries.

And on signing in with Domain\User I get the following error:

The security database on the server does not have a computer account for this workstation trust relationship.

Also, in both domains the error below shows in Event Viewer...

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=HOST/CLIENT19.abc.test.com
CN=CLIENT19,CN=Computers,DC=test,DC=com
CN=CLIENT19,CN=Computers,DC=test,DC=com Winerror: 8647
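Added example (not part of the post above): the event quotes a forest-wide uniqueness failure on HOST/CLIENT19.abc.test.com, so the first step is to find every object in the forest that still carries an SPN for that computer, which a global catalog search does in one query, and then clear the SPNs from the stale account that ADMT left in the source domain once the target object is confirmed. It assumes the RSAT ActiveDirectory module, a GC at dc1.test.com (placeholder) and that an empty SearchBase on the GC port searches the whole forest.

```powershell
# Added example: locate duplicate computer SPNs across the forest and clear the stale copy.
Import-Module ActiveDirectory

function Find-SpnOwners {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$GlobalCatalog = 'dc1.test.com:3268'      # placeholder GC
    )
    # servicePrincipalName is a string attribute, so an LDAP substring filter works here.
    Get-ADObject -Server $GlobalCatalog -SearchBase '' -SearchScope Subtree `
        -LDAPFilter "(servicePrincipalName=HOST/$ComputerName*)" `
        -Properties servicePrincipalName, dNSHostName, whenChanged |
        Select-Object Name, DistinguishedName, dNSHostName, whenChanged,
                      @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ' ' } }
}

function Remove-StaleComputerSpns {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,   # the object left behind in the source domain
        [Parameter(Mandatory)][string]$Server               # a DC of that domain
    )
    $obj = Get-ADObject -Identity $DistinguishedName -Server $Server -Properties servicePrincipalName
    if ($obj.servicePrincipalName) {
        Set-ADObject -Identity $obj -Server $Server -Clear servicePrincipalName
        "Cleared $($obj.servicePrincipalName.Count) SPN(s) on $DistinguishedName"
    }
}

# 1. Who owns HOST/CLIENT19* anywhere in the forest? Expect exactly one object.
Find-SpnOwners -ComputerName 'CLIENT19' | Format-List

# 2. After confirming which DN is the migrated object in the child domain, clear the
#    other one (placeholders below), then re-run the ADMT migration for the computer.
# Remove-StaleComputerSpns -DistinguishedName 'CN=CLIENT19,CN=Computers,DC=test,DC=com' -Server 'dc1.test.com'
```

Run step 1 again after step 2 before retrying: the Winerror 8647 check is evaluated against the global catalog, so the change has to have replicated to the GC the target DC consults.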

AD Bulk User creation and AD user reset password via SMS


Dear All,

Good Day!

I need your help for the below.

Bulk AD user creation...

-         My AD admin creates users without knowing the password during creation.

Also, I'm looking for a security application to reset my password via SMS with AD, like:

-         User sends a message containing ID and user name, then the password is reset

Thanks


Dweik
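Added example (not part of the post above): bulk creation from a CSV where the initial password is drawn from a CSPRNG per user and never shown to or stored by the admin; the account is created with "change password at next logon" so the random value is single-use. The CSV rows are constructed inline for the example; the OU path and UPN suffix are placeholders, and it assumes the RSAT ActiveDirectory module. Delivery of the initial password (for instance by the SMS service the post mentions) is the part that has to happen out of band and is not shown.

```powershell
# Added example: create users in bulk with random, admin-unknown initial passwords.
Import-Module ActiveDirectory

# Constructed sample input standing in for the real CSV file.
$users = @'
GivenName,Surname,SamAccountName,Department
Amal,Dweik,adweik,Finance
Lina,Haddad,lhaddad,IT
'@ | ConvertFrom-Csv

function New-RandomPassword([int]$Length = 20) {
    # CSPRNG with rejection sampling (no modulo bias); loop until all four character
    # classes are present so the default password policy accepts it.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit    = 256 - (256 % $alphabet.Length)
    $buf      = New-Object byte[] 1
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = -join $chars
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    $pw
}

foreach ($u in $users) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-ADUser -Name "$($u.GivenName) $($u.Surname)" -GivenName $u.GivenName -Surname $u.Surname `
        -SamAccountName $u.SamAccountName -UserPrincipalName "$($u.SamAccountName)@contoso.com" `
        -Department $u.Department -Path 'OU=Staff,DC=contoso,DC=com' `
        -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true
    # Hand $plain to the out-of-band delivery channel here; never write it to disk or
    # the console, and drop it as soon as it has been handed over.
    Remove-Variable plain, secure
    "Created $($u.SamAccountName)"
}
```

If the delivery channel is SMS, the reset flow in the second request should verify the phone number against an attribute the user cannot edit themselves (not a self-service field), or the SMS step becomes the account takeover path.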

Restrict logon to specific computers in Active Directory - not working


Hi,

We are running Windows Server 2008 R2 Active Directory environment. 

I have a strange issue. I configured a number of users in Active Directory to be able to log on only to a number of specific computers. For example, user1 can only log on to Computer1, Computer2, etc. I've configured this using the Account tab, then "Log On To..." in AD. However, when applying this and user1 attempts to connect, they receive the error "The system administrator has limited the computers you can log on with. Try logging on at a different computer...". I've tried restricting various computers but get the same error. If I remove the restrictions, logon is permitted (as expected).

It was working fine yesterday and there were no changes which may have impacted it. Any ideas how to resolve this?

Thanks

Craig
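Added example (not part of the post above): the "Log On To" dialog writes the userWorkstations attribute as a comma-separated list of NetBIOS computer names, and a name that does not match an existing computer account silently excludes that machine. This sets the list from PowerShell only after every name has been resolved to a computer account, and reads the attribute back so what AD actually stores can be compared with what the dialog shows. It assumes the RSAT ActiveDirectory module; 'user1', 'Computer1' and 'Computer2' are the names from the post.

```powershell
# Added example: set and verify logon workstation restrictions with validated names.
Import-Module ActiveDirectory

function Set-AllowedWorkstations {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$Computers
    )
    $names = foreach ($c in $Computers) {
        # Computer accounts are stored as NAME$; look the name up rather than trusting the spelling.
        $acct = Get-ADComputer -LDAPFilter "(sAMAccountName=$c`$)"
        if (-not $acct) { throw "No computer account named '$c' exists in this domain" }
        $acct.Name      # the NetBIOS name exactly as AD stores it
    }
    Set-ADUser -Identity $User -LogonWorkstations ($names -join ',')
    Get-ADUser -Identity $User -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

Set-AllowedWorkstations -User 'user1' -Computers 'Computer1', 'Computer2'

# If a user is locked out of every machine, clearing the attribute removes the restriction.
# Set-ADUser -Identity 'user1' -Clear userWorkstations
```

When the list is correct and the error persists, compare the name the failing workstation presents at logon (the computer name shown by hostname on that machine) with the entries above; a renamed or re-imaged machine that kept an old computer account is the usual mismatch.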

Enforce VPN access through domain joined machines

I want to know if it is possible to make users log in to the VPN only if they are part of, or have joined, a domain (part of the user population). So a user, even knowing the VPN credentials, cannot log in from a machine which has not joined the domain.

Can this be done, considering the VPN server is third-party, e.g. Cisco?

Verification of replica failed. The Wizard cannot access the list of domains in the forest


Hello,

I have DC2 (MBDC) and DC1. DC2 was the primary domain controller and was holding DNS, AD DS and DHCP; the operating system of DC2 was Windows 2008. DC2 was damaged due to an electricity shortage. I seized the FSMO roles on DC1 and then transferred the roles to DC1; DC1 was already the alternate DNS.

Now AD is not connecting in Exchange Server 2007 (mail.macca.org.af), and I am not able to join a new computer to the domain. I have prepared a new server and want to promote it as a domain controller, but I get this message during DCPromo:

Verification of replica failed. The Wizard cannot access the list of domains in the forest. The network path was not found.

Please help.

Thanks,

Zilgai
