Channel: Directory Services Forum
Viewing all 2536 articles

During the attempt to synchronize the domain controller, "the RPC server is unavailable" may cause a DNS lookup problem


Hi,

We are upgrading a Windows 2000 DC to a Windows 2012 DC.

I have set up the lab: on Server A I restored an image of the production Windows 2000 DC; on Server B I installed Windows 2003 R2 64-bit edition.

The issue is:

While doing Adprep /forestprep

I get the error "Adprep was unable to extend the schema."

"Schema master must complete at least one replication cycle before schema can be extended."

Note: in the production scenario I have a Win 2000 DC and an ADC.

I noticed that on the restored 2000 DC, under Sites and Services, the ADC is also there.

I think we may have to remove the ADC.

Please help me.

Regards

Paramesh

                   


NameErr while connecting to ADAM service using ADSI Edit


Hi,

I have ADAM installed on a server to extend the BladeLogic schema for software deployment. I also have local admin access on the server. While connecting to the ADAM partition using ADSI Edit, I get the following error.

Operation failed.Error Code: 0x208d
Directory object not found

0000208D: NameErr:DSID-0310020A, problem 2001
(NO_OBJECT), data 0, best match of:
 'DC=bbca,DC=test'

Can someone help me understand why I get this error while accessing the ADAM partition?

---Subramani


Primary and DR site with IP NAT'ing


Hi all,

So here's the situation I am facing at the moment.

We just finished our primary site with all the servers that we need and now we are starting on the DR site. The original plan is to keep both sites connected all the time and have all servers in both sites be members of the same Active Directory forest and domain.

To do that, and as part of the original plan, we planned on assigning different IP subnets to the two sites so that we can connect them and have domain controllers in both sites replicating AD like one happy family. The original plan also includes DPM 2012 replication between the 2 sites.

 

Today, I found out we are required to use the same IP addresses on both sites for all servers, so it would be something like this:

Primary Site                          DR Site
Server1                               Server2
192.168.1.100 -> IP NAT'ing           IP NAT'ing <- 192.168.1.100

In the primary site, server1 knows that server2's IP address is 192.168.2.100.

In the DR site, server2 knows that server1's IP address is 192.168.3.100.

When I say "knows", this really means that we'll have to use standard primary DNS zones so that we can make static entries for the server names, and also disable dynamic registration to avoid the servers registering their actual IP addresses.

The NAT'ing changes the source address in the header of each packet.

If you ask me, this is very stupid and I would never choose to do it if it were up to me, but you know how it is.

So here’s what I need help with:

  1. Does this setup have any chance of success?
  2. Is there a well-articulated blog or article that explains whether such a setup is a good or bad idea?
  3. What are the potential problems that we should expect to deal with, aside from the fact that it may not actually work at all?

Any help, comments or suggestions are much appreciated, and I appreciate you actually taking the time to read my post.

Thanks


Mohsen Almassud

Error while importing users via ldifde command


Hello,

My LDIF file pattern is below.

DN: CN=SERHAT AKTAS,OU=tamfree,OU=beyazyaka,OU=brs_user,DC=BRISANET,DC=brisa,DC=com,DC=tr
changetype: add
accountExpires: 9223372036854775807
c: TR
cn: SERHAT AKTAS
co:: VMO8cmtpeWU=
codePage: 0
company: BRISA
countryCode: 792
department: Bilgi Sistemleri
displayName: SERHAT AKTAS
distinguishedName: 
 CN=SERHAT AKTAS,OU=tamfree,OU=beyazyaka,OU=brs_user,DC=BRISANET,DC=brisa,DC=co
 m,DC=tr
dSCorePropagationData: 20130114110424.0Z
dSCorePropagationData: 20130114102855.0Z
dSCorePropagationData: 20130114102229.0Z
dSCorePropagationData: 20121220092627.0Z
dSCorePropagationData: 16010101181633.0Z

I receive the below error:

Add error on entry starting on line 1: No Such Attribute

The server side error is: 0x57 The parameter is incorrect.

The extended server error is:

00000057: LdapErr: DSID-0C090C3E, comment: Error in attribute conversion operation, data 0, v1db1

0 entries modified successfully.

An error has occurred in the program

The command I use for exporting:

ldifde -m -f PROD_tamfree.ldf -s localhost:389 -d "OU=tamfree,OU=beyazyaka,OU=brs_user,DC=BRISANET,DC=brisa,DC=com,DC=tr" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))"

The command I use for importing:

ldifde -i -f "PROD_tamfree.ldf" -s localhost:389

Note: the source server and the target server are not the same. I'm trying to import the users into a different domain (a test domain).

What can be the reason for my issue?

Error – SAML Single Logout request does not correspond to the logged-in session participant


We are relatively new to ADFS, having set up working RP trusts with three partners in the last few months. Our 4th partner is proving problematic. Single sign-in works, but ADFS responds to the single logout request from the RP with a status of Requester. The ADFS event log shows:

The SAML Single Logout request does not correspond to the logged-in session participant.

Requestor: https://test-sso.rp.com/fed/sp

Request name identifier: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, NameQualifier: http://fs.idp.com/adfs/services/trust SPNameQualifier: https://test-sso.rp.com/fed/sp, SPProvidedId: 

Logged-in session participants:

Count: 1, [Issuer: https://test-sso.crmondemand.com/fed/sp, NameID: (Format: , NameQualifier: SPNameQualifier: , SPProvidedId: )] 

 

This request failed.

User Action

Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS 2.0 Management snap-in.

 

The LogoutRequest looks like this:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     Destination="https://fs.timken.com/adfs/ls/"
                     ID="id-HAScmHCfwfuYk76bce6YBfO2uOM-"
                     IssueInstant="2013-01-14T13:24:04Z"
                     Version="2.0">
    . . . cert, etc. omitted . . .
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="http://fs.idp.com/adfs/services/trust"
                 SPNameQualifier="https://test-sso.rp.com/fed/sp"
                 >jsmith</saml:NameID>
    <samlp:SessionIndex>_df13d31b-162e-42e1-8331-f36be6bf1194</samlp:SessionIndex>
</samlp:LogoutRequest>

 

 

The session index and the username in the NameID match the Response we got from our AuthnRequest. I don't know how to figure out what ADFS thinks does not match. Any suggestions would be appreciated.

 

For completeness' sake, the Response to the AuthnRequest looked like this:

 

<Subject>
            <NameID>jsmith</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2013-01-14T13:28:52.199Z"
                                         Recipient="https://test-sso.rp.com/fed/sp/authnResponse20"
                                         />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2013-01-14T13:23:52.183Z"
                    NotOnOrAfter="2013-01-14T14:23:52.183Z"
                    >
            <AudienceRestriction>
                <Audience>https://test-sso.rp.com/fed/sp</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2013-01-14T13:10:43.826Z"
                        SessionIndex="_df13d31b-162e-42e1-8331-f36be6bf1194"
                       >
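To see which NameID fields actually differ between the LogoutRequest above and the session participant AD FS logged, here is an added Python example (not from the post or from AD FS). The session participant's NameID value "jsmith" is an assumption, since the event text omits it; the request values are taken from the post.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_FIELDS = ("value", "Format", "NameQualifier", "SPNameQualifier", "SPProvidedID")

# Constructed LogoutRequest with the values from the post (signature omitted).
LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" Version="2.0"
    ID="id-HAScmHCfwfuYk76bce6YBfO2uOM-" IssueInstant="2013-01-14T13:24:04Z"
    Destination="https://fs.timken.com/adfs/ls/">
  <saml:NameID xmlns:saml="{SAML}"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="http://fs.idp.com/adfs/services/trust"
      SPNameQualifier="https://test-sso.rp.com/fed/sp">jsmith</saml:NameID>
  <samlp:SessionIndex>_df13d31b-162e-42e1-8331-f36be6bf1194</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# The session participant as the AD FS event logged it: no Format and no
# qualifiers. The value "jsmith" is an assumption; the event text omits it.
SESSION_PARTICIPANT = {"value": "jsmith", "Format": "", "NameQualifier": "",
                       "SPNameQualifier": "", "SPProvidedID": ""}

def parse_logout_request(xml_text):
    """Return (NameID fields, SessionIndex) from a LogoutRequest."""
    root = ET.fromstring(xml_text)
    name_id = root.find(f"{{{SAML}}}NameID")
    if name_id is None:
        raise ValueError("LogoutRequest carries no NameID")
    fields = {"value": (name_id.text or "").strip()}
    for attr in NAMEID_FIELDS[1:]:
        fields[attr] = name_id.get(attr, "")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    return fields, (idx.text.strip() if idx is not None and idx.text else None)

def classify_mismatch(request_nameid, session_nameid):
    """Compare the two NameIDs field by field and return (verdict, differing fields).
    A difference confined to the qualifiers is the case the AD FS event text
    attributes to the name identifier issuance rule."""
    diff = [f for f in NAMEID_FIELDS
            if request_nameid.get(f, "") != session_nameid.get(f, "")]
    if not diff:
        return "match", diff
    if set(diff) <= {"NameQualifier", "SPNameQualifier"}:
        return "qualifier-only mismatch: check the issuance rule", diff
    return "identifier mismatch", diff

if __name__ == "__main__":
    req, session_index = parse_logout_request(LOGOUT_REQUEST)
    print(session_index, *classify_mismatch(req, SESSION_PARTICIPANT))
```

With the post's data the Format differs as well as both qualifiers, so the difference is not confined to the qualifiers that the event's User Action text mentions.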

ADMT v3.2 Cross forest migration - Regular Groups sync between source and target


Hi,

I'm performing a cross-forest migration with ADMT v3.2 over the course of several weeks.

I have successfully migrated user accounts and mailboxes from source to target with additional PowerShell scripts.

My question, though, is how do I ensure group membership is updated between source and target domains DURING the course of the migration?

Do I just run the Group wizard again (with an include file) in ADMT? If so, which tick boxes do I select?

Is there a better way to do it?

Thanks
Nathan

AD - home directory not getting created when adding users via PHP


I'm adding users to Active Directory via a PHP script using ldap_add().

Using ldap_get_entries(), I've compared the users that I create with those that were created manually. I can confirm that the same set of attributes is present in both populations, and that the attribute values that I create are structurally consistent with those created in manually entered users.

The problem is that the user's home directory is not getting created.

The relevant attributes (to my understanding), and values, that I am setting in the ldap_add() call are:

$info["homeDrive"] = "H:";
$info["profilePath"] = '\\\\NFSFS\\MembersProfiles$\\joecool';
$info["homeDirectory"] = '\\\\NFSFS\\MembersHome$\\joecool';
$info["scriptpath"] = "members.bat";

AD is running on a Windows 2008 server.

Any ideas on how to resolve this?

Thanks

DCPROMO demote AD 2003 while network offline


Hello,

Need some assistance please.

We had a 2003 server at a site running as an AD domain controller in an office that was closed; the server was already taken down when it was removed from the GC at the home office. Now it sits disconnected and I'd like to demote it using DCPROMO and repurpose it as a member of the domain. How should I do this without disrupting the current network? Do I need to have it connected to the domain prior to running DCPROMO?

Thank you,

M


Domain Controller Certificate renewal


I renewed a domain controller authentication certificate via the Certificates snap-in.

Are there any other steps for LDAP to use the new certificate when the old one expires?

Do any services need to be restarted, etc?

How to add sAMAccountName or userPrincipalName to a contact object


We are implementing VoIP on our network. We have AD running at Forest Functional Level 2008 R2. Our VoIP installers are requesting that we create contact objects in our directory for our conference room phones so that these phones will be searchable in the VoIP database (given that they are not real users).

The VoIP system downloads the user information from our directory into its database periodically. To do this it searches for objects containing the following attributes:

sAMAccountName

userPrincipalName

The issue is that the contact object does not have these attributes.

Is it possible to add these attributes to the contact object without "breaking" anything or any other functionality in AD?

If so, how should this be done?

Windows 7 not prompting for Administrator credentials


Hi there,

I have a Win 7 machine joined to a domain (Win 2008 R2). The computer will never prompt for administrator credentials when performing a privileged operation (no matter which one, so I can't blame any specific application, etc.). Of course, those operations always fail.

UAC is disabled and in Local Policies\Security Options I found the standard settings: prompt for credentials when an application requires them, and detect applications needing admin privileges.

That said, I'm kind of lost. I have other Win7 computers in the domain that are working fine, so I can't blame any GPO either.

Thoughts?

Thanks !

RODC Replication

Hi, I'm from Bulgaria. I have a problem with my RODCs. My Active Directory is at Windows 2008 level; I have 2 DCs in the central office and 25 RODCs at sites.
I configured a subnet for each site and assigned each RODC to the correct site. I installed the RODC at the site. The network configuration on each RODC is IP address, netmask, GW; the first DNS is the DNS in the central office, the second DNS is 127.0.0.1. My problem is: when I create a user or change a GPO, these settings do not apply on all RODCs. When I try to push Replicate Now in Sites and Services I get the message "The naming context is in the process of being removed or is not replicated from the specified server ...". In Sites and Services I have one FRS connection for the RODC. I don't use DFSR yet, but I am planning to migrate to DFSR. But with this problem I don't know what will happen after the DFSR migration :(
Please help me.

Kerberos Error 7, Windows XP SP3, Active Directory Server 2008 R2 SP1


Two Windows XP machines suddenly can't log on to the domain.

Any advice?

Thanks.

KerberosError 7

The kerberos subsystem encountered a PAC verification failure.  This indicates that the PAC from the client  in realm had a PAC which failed to verify or was modified.  Contact your system administrator.

Ldifde Error when Importing Computers


Hi,

I am studying the MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 book. I am getting errors when trying to import computers from an LDIFDE file (Chapter 5, Exercise 3, on page 210).

Any help would be much appreciated.

dn: CN=SERVER10,OU=Servers,DC=Contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn : SERVER10
userAccountControl: 4096
sAMAccountName: SERVER10$

dn: CN=SERVER11,OU=Servers,DC=Contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn : SERVER11
userAccountControl: 4096
sAMAccountName: SERVER11$

 

C:\Windows\System32>ldifde -i -f "%userprofile%\documents\computers.ldf" -j c:\log
Connecting to "Server01.contoso.com"
Logging in as current user using SSPI
Importing directory from file "C:\Users\Administrator\documents\computers.ldf"
Loading entries.
Add error on entry starting on line 1: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772
0 entries modified successfully.
An error has occurred in the program


***Below are the contents of the log file***
Connecting to "Server01.Contoso.Com"

Logging in as current user using SSPI

Importing directory from file "C:\Users\Administrator\documents\computers.ldf"

Loading entries
1: CN=SERVER10,OU=Servers,DC=Contoso,DC=Com
Entry DN: CN=SERVER10,OU=Servers,DC=Alps,DC=Priv
changetype: add
Attribute 0) objectClass:top person organizationalPerson user computer
Attribute 1) cn :SERVER10
Attribute 2) userAccountControl:4096
Attribute 3) sAMAccountName:SERVER10$

Add error on entry starting on line 1: No Such Attribute

The server side error is: 0x57 The parameter is incorrect.

The extended server error is:

00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772

0 entries modified successfully.

An error has occurred in the program

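Both this post and the earlier "importing users via ldifde" post hit "No Such Attribute" with "Error in attribute conversion operation". The added Python example below (not from either post, not ldifde's own code) parses an LDIF file the way the server reads it, unfolding continuation lines and decoding the name/separator/value split, and flags attribute names that will not convert: names carrying stray whitespace, and attributes in a non-writable list that is an assumption to adjust for your own schema. The sample input is constructed from the two posts' entries, shortened.

```python
import re
# Attributes an ldifde export carries but an add cannot set: an assumed list to adjust
# for your own schema (ldifde -o omits them on export).
NOT_WRITABLE_ON_ADD = {"distinguishedname", "dscorepropagationdata"}
ATTR_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*(;[A-Za-z0-9-]+)*$")

# Constructed sample, reduced from the two posts: note the space in "cn :" and the
# folded distinguishedName (a continuation line starts with one space).
SAMPLE_LDIF = """dn: CN=SERVER10,OU=Servers,DC=Contoso,DC=com
changetype: add
cn : SERVER10
sAMAccountName: SERVER10$

DN: CN=SERHAT AKTAS,OU=tamfree,DC=BRISANET,DC=brisa,DC=com,DC=tr
changetype: add
cn: SERHAT AKTAS
co:: VMO8cmtpeWU=
distinguishedName: CN=SERHAT AKTAS,OU=tamfree,DC=BRISANET,DC=brisa,DC=co
 m,DC=tr
dSCorePropagationData: 20130114110424.0Z"""

def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_records(ldif_text):
    """Split into records of (name, separator, value) tuples; '::' marks base64."""
    records, current = [], []
    for line in unfold(ldif_text) + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif not line.startswith("#"):
            if (m := re.match(r"^([^:]*)(::?)\s*(.*)$", line)) is None:
                raise ValueError(f"not an LDIF attribute line: {line!r}")
            current.append(m.groups())
    return records

def lint_record(record):
    """Return (attribute, reason) pairs for what the server would reject on add."""
    problems = []
    for name, _, _ in record:
        if name != name.strip() or not ATTR_NAME.match(name.strip()):
            problems.append((name, "malformed attribute name (stray whitespace?)"))
        elif name.lower() in NOT_WRITABLE_ON_ADD:
            problems.append((name, "system attribute; omit it before import"))
    return problems
```

Run `for r in parse_records(SAMPLE_LDIF): print(lint_record(r))` to see the findings for both entries; the computer entry is flagged only on its "cn " attribute name.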

A/D Attributes

We're consolidating all our databases here, so A/D becomes the central point for information. Our DCs are running 2008 R2, and we use SharePoint 2010, Exchange 2010, Lync 2010 etc.

Our legacy company phone book uses various fields that I can't find the equivalent of in A/D, though, so either I'm missing something or I need to modify some attributes. Specifically, what we need are:

Given title (e.g. Mr, Mrs). A/D has the 'Title' attribute, but this seems to be for job title.

Preferred (friendly) name (e.g. a person might be called 'Robert', but this attribute would be 'Bob'). I can't find anything in A/D for this.

I know there are the generic extensionAttribute1-15, but I've read that you can't really rename these. Are there attributes there already that could be used for this? I've looked closely, but can't see anything.


Time Sync on SBS 2011 DC


Hi All,

I have a Windows SBS 2011 DC which is virtualized on Hyper-V. This is the only domain controller in the domain. I am facing a time sync issue on this domain controller: the clock falls behind by nearly 30 minutes frequently.

Troubleshooting steps performed so far:
1. Observed Event ID 50, W32tm, getting logged on the server.
- Unregistered/registered the Windows Time service.
- Configured the server as an authoritative time server and to sync with the global time source 'pool.ntp.org'.
- Ran the PortQry tool and observed that the UDP port 123 status is "Listening or filtered".
- Checked that time sync with the physical host is already disabled in the Hyper-V console under Integration Services.
- Also disabled the partial time sync with the host via the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t REG_DWORD /d 0

But the issue still persists on the server and I am not sure how to fix this. Any help, guys?

The Hyper-V Time Synchronization Service is still running on this virtualized DC. I am not sure whether this service could be the culprit, or whether I can go ahead and disable it?

Regards,
Gauresh.


Wow! Today I have been selected as a TechNet Wiki Ninja

adam.Events.xml could not be enumerated


I get this warning on Windows Server 2012.

Because of this, AD will not talk to DNS.

What is the cause of this and how can I rectify it?

thanks

Logon DC

We have a logon DC issue. For example, we have three DCs: DC1, DC2 and DC3. Most PCs set DC3 as the logon server. When DC3 is not available, the users can't log on and access resources. How can I set it so that if DC3 is down, the PCs can get an available DC? Any help? Thanks,

Managing multiple Active Directory Users and Computers without a trust relationship


Is it possible to manage multiple "Active Directory Users and Computers" (multiple forests) without a trust relationship from one PC?
