Domain restore from RODC
- by Bump
Can an AD Domain be restored from a RODC with a copy of the GC? Does an offsite DC replicating the AD need to be a full DC to provide a sufficient up to date AD Backups for disaster recovery?
Search Results
Search found 29574 results on 1183 pages for 'directory services'.
Page 160/1183 | < Previous Page | 156 157 158 159 160 161 162 163 164 165 166 167 | Next Page >
-
-
Toshiba eStudio 281c turn off snmp in driver.
- by Matt
I have a customer with an eStudio 281c colour copier/printer and I'm having an issue with terminal services. Basically, the driver has the ability to query the printer for its configuration over snmp. I've set it to manual rather than auto so it's effectively switched off. Trouble is, when logging into terminal services it's still trying to communicate with the printer. This is an issue because when it fails it then defaults to being a different printer model with a different tray configuration. Users can still print but the settings are wrong. Any ideas?Read the article
-
Install SSL certificate for RDP on Windows 2003?
- by Crashalot
I need to configure SSL for RDP, and am following the instructions described here: http://thelazyadmin.com/blogs/thelazyadmin/archive/2007/01/26/Configure-RDP-over-SSL-with-SelfSSL.aspx My client's server already has a SSL certificate (.cer file), and I attempted to import it so that Terminal Services would recognize it. The importing instructions I followed are: http://support.microsoft.com/kb/816794#3. Unfortunately, when I click "Edit" from the "RDP-tcp Properties" dialog (for a Terminal Services certificate), no certificate appears. How can I get the certificate to appear here? Thanks!Read the article
-
In a multi-domain forest, what EXACTLY happens when some, but not all, of the Infrastructure Masters are on Global Catalogs?
- by MDMarra
There are plenty of TechNet articles, like this one that say that phantom object don't get updated if an Infrastructure Master is also a Global Catalog, but other than that there isn't a lot of in depth information on what actually happens in this configuration. Imagine a configuration like this: |--------------| | example.com | | | | dedicated IM | |--------------| | | | |-------------------| | child.example.com | | | | IM on a GC | |-------------------| Where child has two DCs that are both global catalogs, meaning that the Infrastructure Master role is on a GC. And, example has three DCs with the Infrastructure Master role on a DC that is not a GC. I understand that it's usually best to just make everything a GC and not have to worry about this sort of thing, but assuming that's not the case - what is the exact error behavior that can be expected from a setup like this, and which domain(s) would this behavior manifest in? The child or the parent?Read the article
-
How to make security group in one forest show up in another forest?
- by Jake
I have two Win2k8 forests which I do maintenance on. The two forests have full 2 way external, non transitive trust with each other. I have a folder in forest X, domain countryX.mycompany.com accessible ONLY by the global security group named $group. In forest Y, domain countryY.mycompany.com, countryY\user1, countryY\user2 etc needs to have access to the folder. The natural instinct is to put user1, user2 etc into the $group. However, none of the methods for adding user to group works as it appears that the AD cannot find the groups in the other forest. Question: 1.How to make forests see each other's security groups and be able to add? 2.In practice, what is the recommended way to achieve the user access to the folders/files in another forest?Read the article
-
Kerberos Policy section not appearing in RSop / GPResult
- by Chloraphil
I am attempting to confirm via RSoP or GPResult that the correct settings for "\Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy" are being applied, however the "Kerberos Policy" node is missing from the treeview / report. These settings are set in the "Default Domain Controllers Policy" which is linked in the "Domain Controllers" OU. Should "Kerberos Policy" appear at all? If not, how can I confirm the correct settings are being applied?Read the article
-
How to re-join an AD2003 domain with Samba after deleting the machine account?
- by Guss
During some troubleshooting I deleted the machine account for a Linux server running samba from our AD 2003 domain. We are using Kerberos for authentication, and after I deleted the machine account I tried to join the domain again using net ads join -U Administrator But I keep getting Kerberos errors like these: [2009/08/18 16:14:36, 0] libads/kerberos.c:ads_kinit_password(228) kerberos_kinit_password [email protected] failed: Client not found in Kerberos database Failed to join domain: Improperly formed account name It appears as if samba remembers that it once had an account with the AD and keeps trying to reconnect to it, but I want to create a new account from scratch. I tried to delete all the .tdb files I could find as well as everything under /var/cache/samba but to no avail - it still behaves the same. I also tried to create the machine account on the AD side, but then I get a similar error when I try to join, about failure to authenticate with the machine account - it looks like samba tries the previous machine account password and I don't know how to reset it, or even if I could figure out what samba uses - how to set it in the AD. Any help would be greatly appreciated, as at this point the only thing I can think about is to reformat and reinstall the machine, and I would really REALLY love to not do that. Thanks in advance.Read the article
-
Migrate Domain from Server 2008 R2 to Small Business Server 2011
- by josecortesp
I'm looking for some advice here, rather than the big how to do it I'm looking for what do to I have this home server, quad core and 4 GB of ram (I really can't afford more right now). With a Windows Serve 2008 R2 With ActiveDirectory and a Hyper-V-Virtual machine with SharePoint, TFS and a couple of more thigs. I have a least 10 remote users, all of them joined a Hamachi VPN (working great by the way). But I want to migrate that to a Small Business Server 2011 Standard. I tried to make a VM to join the domain and then promote that VM, back up it and then format the physical server, boot up the VM, Promote the Phisical and then erase the VM, but I can't do that because of SBS requiring a least 4 GB of ram to install (so I can't give all the 4 GB of physical ram to a VM). I was thinking in using a laptop (All the clients are laptop) as a temporal server, join the domain, promote it, then format the server and install SBS on the server and do all again. I really need some advice. Thanks in advance. BTW, I know that the software I'm using is kindda expensive, and I can't afford more hardware. I have access to MS downloads by a University partnership so I have all this software for free.Read the article
-
What are the consequences of giving an AD domain differing NetBIOS and DNS names?
- by Newt
In the past, when creating AD domains, I've used the common convention of using a sub-domain of the company's publicly registered domain name, e.g "corp.mycompany.com" or "int.mycompany.com". I've always accepted the default NetBIOS name when running DCPromo, for fear that creating a NetBIOS name that differs from the sub-domain may cause complications. I've recently been doing a bit of research on the consequences of providing an alternate NetBIOS name. The main reasons behind this are: The NetBIOS name isn't particularly descriptive or unique to the company Apparently generic NetBIOS names such as "CORP" or "INT" can cause issues when merging IT systems (although I've not had experience with this myself) Providing something "before the slash" that means more to users (less important) In looking at the possible downsides, the only one I can come up with is the disjointed namespace issue when configuring Exchange. Can anybody with more experience than I elaborate on my findings at all? Many thanksRead the article
-
Remote site AD design (2003)
- by Boy Mars
A remote site has about 25 of our 50-ish employees. They have their own AD domain presently (2003) but I want to look at getting them onto the same global domain for ease of access/administration. The remote site has a VPN link but line speeds are very poor. I am already aware of tools like ADMT and have done a few migrations in the past (NT/2003 domains), but this is the first time I have the luxury of designing how this domain is organised. So I'm looking for tips on good AD design; would a remote site be better served as a sub-domain? would this reduce traffic? I am only currently looking at 2003 since only existing machine will be used.Read the article
-
Is there a "Run Level Configurator" for Windows XP?
- by djangofan
I have been having trouble with something causing my Windows XP system to take 6-8 minutes to startup from a cold boot. Something is happening during startup that is causing the system to crawl. I have a lot of Linux experience , especially configuring run levels so that some programs start before others do. I also know how to do that on Windows XP but its really complex, and with 50 services I'd have to keep a giant spreadsheet to keep it all organized. Is there such a thing as a Windows XP Tool that "emulates" the Linux run-level editors that I can use to control the order than services start on my system?Read the article
-
Revert "Deny" permissions in Windows 7
- by saurabhj
I made a very dumb mistake and I am hoping there is a way to fix this without having to boot in through a Linux Live CD and extracting the data. My user login to my Windows 7 system is: John John is part of the Administrator's group. I have a folder called "C:\Users\John" I tried to make this folder accessible to ONLY John (and deny from all other Administrators) by going to the Folder, Right Click Secturity tab and then selecting all the checkboxes under "Deny" while having selected the "Administrators" group. As a result, I cannot access this folder from any of the accounts: "John" and "Administrator" as both of them belong to the Administrators groupd and deny permissions out-weigh the "Allow Permissions" Is there any way I could revert this back? Thanks a million!Read the article
-
Changing Network Path of Offline Files
- by Adam
Many of our users have their Home folder set as Available Offline. Their Windows 7 laptops will not be back on our network for a few weeks. In the mean time, we're setting up new servers and reorganizing our files, so the network path to the Home folder is going to be completely different. Based on some testing I did, when the users return, any files they've created or modified while offline will be gone, and the new Home folder will be there and not set to sync. The offline cache of the old Home folder is still accessible through the Sync Center, but they're not going to want to dig through that and try to find what's missing. Avoiding this would involve keeping the old server around and moving everyone to the new location in person, so we know for sure they're synced first. Is there any way to avoid this that isn't as tedious, like a quick registry edit or something that will point the old offline cache to the new location?Read the article
-
LDAP over SSL with an EFI Fiery printer
- by austinian
I've got a printer with a Fiery running 8e Release 2. I can authenticate users against AD using the LDAP configuration, but I can only get it to work if I don't use SSL/TLS, and only if I use SIMPLE authentication. Right now, it's authenticating using a fairly low-impact user, but it's also the only system on our network that's not using LDAPS. I can get AD info fine over LDAPS using ldp.exe from my machine, our firewall, our mail filter, our linux boxes, etc. The only problem child is the Fiery. I've added the LDAP server certificate as a trusted cert to the Fiery, but after I check the box for Secure Communication and change the port to 636, pressing Validate results in a dialog box coming up saying: LDAP Validation Failed Server Name invalid or server is unavailable. I've tried changing the server name to use just the name, the FQDN, and the IP address, and changed it to another server, just to see if it was just this AD server that was fussy with the Fiery. EDIT: removed LDP output, added packet capture analysis from wireshark: The conversation seems pretty normal to me, up to the point where the Fiery terminates the connection after the server sends back a handshake response. Maybe they messed up their TLS implementation? I'm trying support, but it's been fairly useless so far. The cert is a SHA-2 (sha256RSA) 2048-bit certificate. Also, it looks like the Fiery is specifying TLS 1.0. Looking at http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx, I'm not seeing SHA256 and TLS 1.0 combination being supported by SChannel. headdesk perhaps that's why, after the DC changes the cipher spec, the connection is terminated by the Fiery? TLS 1.1 and 1.2 are enabled on the DC. Wireshark conversation: DC: 172.17.2.22, Fiery: 172.17.2.42 No. Time Source Source Port Destination Destination Port Protocol Length Info 1 0.000000000 172.17.2.42 48633 172.17.2.22 ldaps TCP 74 48633 > ldaps [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=3101761 TSecr=0 WS=4 2 0.000182000 Dell_5e:94:e3 Broadcast ARP 60 Who has 172.17.2.42? Tell 172.17.2.22 3 0.000369000 TyanComp_c9:0f:90 Dell_5e:94:e3 ARP 60 172.17.2.42 is at 00:e0:81:c9:0f:90 4 0.000370000 172.17.2.22 ldaps 172.17.2.42 48633 TCP 74 ldaps > 48633 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=67970573 TSecr=3101761 5 0.000548000 172.17.2.42 48633 172.17.2.22 ldaps TCP 66 48633 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=3101761 TSecr=67970573 6 0.001000000 172.17.2.42 48633 172.17.2.22 ldaps TLSv1 147 Client Hello 7 0.001326000 172.17.2.22 ldaps 172.17.2.42 48633 TCP 1514 [TCP segment of a reassembled PDU] 8 0.001513000 172.17.2.22 ldaps 172.17.2.42 48633 TCP 1514 [TCP segment of a reassembled PDU] 9 0.001515000 172.17.2.42 48633 172.17.2.22 ldaps TCP 66 48633 > ldaps [ACK] Seq=82 Ack=1449 Win=8736 Len=0 TSval=3101761 TSecr=67970573 10 0.001516000 172.17.2.42 48633 172.17.2.22 ldaps TCP 66 48633 > ldaps [ACK] Seq=82 Ack=2897 Win=11632 Len=0 TSval=3101761 TSecr=67970573 11 0.001732000 172.17.2.22 ldaps 172.17.2.42 48633 TCP 1514 [TCP segment of a reassembled PDU] 12 0.001737000 172.17.2.22 ldaps 172.17.2.42 48633 TLSv1 1243 Server Hello, Certificate, Certificate Request, Server Hello Done 13 0.001738000 172.17.2.42 48633 172.17.2.22 ldaps TCP 66 48633 > ldaps [ACK] Seq=82 Ack=4345 Win=14528 Len=0 TSval=3101761 TSecr=67970573 14 0.001739000 172.17.2.42 48633 172.17.2.22 ldaps TCP 66 48633 > ldaps [ACK] Seq=82 Ack=5522 Win=17424 Len=0 TSval=3101761 TSecr=67970573 15 0.002906000 172.17.2.42 48633 172.17.2.22 ldaps TLSv1 78 Certificate 16 0.004155000 172.17.2.42 48633 172.17.2.22 ldaps TLSv1 333 Client Key Exchange 17 0.004338000 172.17.2.22 ldaps 172.17.2.42 48633 TCP 66 ldaps > 48633 [ACK] Seq=5522 Ack=361 Win=66304 Len=0 TSval=67970573 TSecr=3101762 18 0.004338000 172.17.2.42 48633 172.17.2.22 ldaps TLSv1 72 Change Cipher Spec 19 0.005481000 172.17.2.42 48633 172.17.2.22 ldaps TLSv1 327 Encrypted Handshake Message 20 0.005645000 172.17.2.22 ldaps 172.17.2.42 48633 TCP 66 ldaps > 48633 [ACK] Seq=5522 Ack=628 Win=66048 Len=0 TSval=67970574 TSecr=3101762 21 0.010247000 172.17.2.22 ldaps 172.17.2.42 48633 TLSv1 125 Change Cipher Spec, Encrypted Handshake Message 22 0.016451000 172.17.2.42 48633 172.17.2.22 ldaps TCP 66 48633 > ldaps [FIN, ACK] Seq=628 Ack=5581 Win=17424 Len=0 TSval=3101765 TSecr=67970574 23 0.016630000 172.17.2.22 ldaps 172.17.2.42 48633 TCP 66 ldaps > 48633 [ACK] Seq=5581 Ack=629 Win=66048 Len=0 TSval=67970575 TSecr=3101765 24 0.016811000 172.17.2.22 ldaps 172.17.2.42 48633 TCP 60 ldaps > 48633 [RST, ACK] Seq=5581 Ack=629 Win=0 Len=0Read the article
-
How to host Exchange mailboxes for another organisation outside of domain?
- by Jon
We have a branch office out in another country who currently have their own domain and AD and Exchange Server. We want to look at hosting their Exchange mailboxes so that we can improve presence information through the use of Calenders etc. Whats the best way to do this? Simple VPN connection? Or is there a way to for them to keep their own Exchange Server and mailboxes but view and edit our calenders?Read the article
-
MS DNS lookup issue
- by 3molo
Hi, Got two AD/DNS servers, and on the secondary I can't seem to lookup the external site www.iis.se (or any other hostname that their name servers control). The central firewall at this office allows any any outbound, tcp and udp. The DNS server has no local firewall nor antivirus. My windows client, located in the same subnet as the DNS server can do the lookup by asking the nameservers that are in control of www.iis.se. 'dig NS iis.se' shows iis.se. 2517 IN NS ns2.nic.se. iis.se. 2517 IN NS ns.nic.se. iis.se. 2517 IN NS ns3.nic.se. on AD/DNS server C:\Users\Administratornslookup www.iis.se 212.247.7.228 Server: UnKnown Address: 212.247.7.228 Name: www.iis.se Addresses: 2a00:801:f0:80::80 212.247.7.221 C:\Users\Administratornslookup www.iis.se 194.17.45.54 Server: UnKnown Address: 194.17.45.54 Name: www.iis.se Addresses: 2a00:801:f0:80::80 212.247.7.221 C:\Users\Administratornslookup www.iis.se 212.247.3.83 Server: UnKnown Address: 212.247.3.83 Name: www.iis.se Addresses: 2a00:801:f0:80::80 212.247.7.221 And still: C:\Users\administratornslookup www.iis.se Server: UnKnown Address: 127.0.0.1 DNS request timed out. timeout was 2 seconds. DNS request timed out. timeout was 2 seconds. * Request to UnKnown timed-outRead the article
-
LDAP Authentication for multiple AD Domains
- by TrevJen
I have 3 full trust domains (2 child and one root). I need to use LDAP to allow authntication for domain users. The trick is that I need the application to use an AD server for the child domain BUT proxy the LDAP query and authentication for the root domain. I see that it maty be possible with AD LDS and some trusts and synching, but it looks pretty hairy and overly complicated. The short of it is: 3 domains (Parent, ChildA, ChildB) My 3rd party app will need to use ChildA domain servers to authenticate either: a. a user in the parent domain or b. a user in the ChildB domain I already have full trusts between all domains, and regular NTLM authentication works fine (unless you are trying to authenticate with LDAP)Read the article
-
Double root folder vs single root folder
- by Tomas
On my Linux box, in bash, I have access to a "double root" folder denoted by two forward slashes: tomas:~ $ cd / tomas:/ $ ls bin/ cdrom@ ... tomas:/ $ cd // tomas:// $ ls bin/ cdrom@ ... The content of the folder and its subfolder is identical to the "normal" single slash root. The double slash does not go away when I access its subfolders. The annomaly does not repeat itself with three or more slashes; these are simple synonyms for the root: tomas:// $ cd home/tomas tomas://home/tomas $ cd /// tomas:/ $ cd //// tomas:/ $ What kindof place is it? Is it a bug? Can anyone explain the annomaly?Read the article
-
Exchange\AD Authentication Using Alternate Email Domain
- by Aaron Wurthmann
I did this once. I can't recall how to do it anymore AND/OR it works differently in Windows 2008 than it did in Windows 2003. I recall it being an Exchange hosting feature. I would like users to login with their email addresses instead of only with their domain name. EXAMPLE: User: John Doe User logon name: [email protected] User logon name (pre-Windows 2000): DOMAIN\jdoe E-mail: [email protected] I would like for jdoe to be able to login as [email protected]Read the article
-
computer and User Account Migrated using ADMT but not sending mail
- by TJ
I have successfully migrated a User and Computer account using ADMT. The user is able to login to the computer with the new account and is able to open outlook receive mail but is not able to send internal or external mail. The Exchange server is still in the Old domain. The bounce back message received was that the user doesn't have permissions to send to the recipient. When I migrated the user I did migrate the SID history so why is mail not being about to be sent? The body of the bounce back message is as follows: Your message did not reach some or all of the intended recipients. Subject: test Sent: 1/6/2010 4:17 PM The following recipient(s) could not be reached: User, user on 1/6/2010 4:17 PM You do not have permission to send to this recipient. For assistance, contact your system administrator. MSEXCH:MSExchangeIS:/DC=com/DC=DOMAIN:SERVERRead the article
-
How to correct time on Windows PDC server without affecting logons
- by Kieran Walsh
I know how to set an authoritative time server in Server 2008 R2. That's not what this question is. I want to know how I can change the time on a network where the PDC (and therefore everything) is a month out of date? I know that a 5 minute difference in time between clients and the domain prevents logons, so just changing the time on the PDC will break everything. What is the best way to fix this? Thanks Kieran.Read the article
-
AD license query
- by Rajeev
Hi, A basic question about AD license, if on my company website, clients makes an account and would be authenticated through AD server, do i need to have the licenses for the clients coming via web. and what all license would come into picture.Read the article
-
Configure custom SSL certificate for RDP on Windows Server 2012 in Remote Administration mode?
- by Ryan Bolger
So the release of Windows Server 2012 has removed a lot of the old Remote Desktop related configuration utilities. In particular, there is no more Remote Desktop Session Host Configuration utility that gave you access to the RDP-Tcp properties dialog that let you configure a custom certificate for the RDSH to use. In its place is a nice new consolidated GUI that is part of the overall "edit deployment properties" workflow in the new Server Manager. The catch is that you only get access to that workflow if you have the Remote Desktop Services role installed (as far as I can tell). This seems like a bit of an oversight on Microsoft's part. How can we configure a custom SSL certificate for RDP on Windows Server 2012 when it's running in the default Remote Administration mode without needlessly installing the Remote Desktop Services role?Read the article
-
SonicWall and Windows CA
- by Nathan C
I'm attempting to import a certificate created by a CA I've set up in Windows using AD CS. I've done the following: 1) Created my own CA (MyCompany) 2) Enabled web services (mostly for ease of configuration) 3) Generated a certificate request on the Sonicwall itself 4) Used web services to sign the certificate 5) Imported the sign certificate into the Sonicwall ...this caused the certificate to show "No" for the Verified field. 6) Imported the CA's certificate. This is where I get stuck. I attempted to import the CRL list, but get the following error: CRL Error - Verification failed using CA certificate. No further errors appear in the logs. Without the CRL list the certificate won't verify and it doesn't appear under the "Administration" page so I can select it for use via HTTPS. Any ideas?Read the article
-
How to resolve SSPI context error without changing Service Account from MSSQL
- by kockiren
There is a issue while connecting from new Windows 8.1 Clients to SQL Server 2008 running on Windows Server 2008 R2. The SQL Service running under account Domain\mssqlservice on a machine thats works fine I get this output from setspn -l domain\mssqlservice C:\>setspn -l domain\mssqlservice Registrierte Dienstprinzipalnamen (SPN) für CN=MSSQLService,CN=Users,DC=domain, DC=local,DC=tld: MSSQLSvc/mssql.domain.local.tld:1433 MSSQLSvc/mssql.domain.local.tld MSSQLSERVER/mssql.domain.local.tld:1433 On a windows 8.1 machine that don't work I get this output: C:\>setspn -l domain\msssqlservice FindDomainForAccount: Fehler beim Aufrufen von DsGetDcNameWithAccountW mit dem R ückgabewert 0x0000054B. Konto kockiren wurde nicht gefunden. On this Post I found a solution but, I can't change the Service Account who runs the SQL Service. Some application need this service delegation. But how I can realize that it works on my Windows 8.1 Clients?Read the article
