Search Results

Search found 28603 results on 1145 pages for 'active users'.

Page 89/1145 | < Previous Page | 85 86 87 88 89 90 91 92 93 94 95 96 | Next Page >

Hide notification area GPO not applying

- by Richard

I have created a GPO to hide the notification area on Windows XP SP3. The GPO must apply to all students but only in certain rooms so I've also enabled loopback processing on the GPO and linked to the OUs the computers are in. I've then added a group to the security filter that contains all student accounts. This is not applying. It doesn't even show up in gpresult. I have also tried linking it in the Students OU which contains all student accounts and applying a security filter with a group of the computers I want it to apply to. This didn't work either. It's possible I'm missing something straightforward. Would a WMI filter do the job, and if so how would I go about writing one so that it'll only apply to computers whose name begins with XX-RT for example.

Read the article
How to set common NTP server for all computers in AD

- by abatishchev

I want to set default NTP server to pool.ntp.org to all computers joining my domain. How can I force this using AD MMC console? Or I have to setup this using DHCP server?

Read the article
Does an ADFS v2 server have to be on the actual domain server?

- by Carl Hörberg

Can an ADFS v2 server be installed stand-alone, or is it tightly coupled with the AD server?

Read the article
How to logon with local account? RODC "There are no logon servers to process your request"

- by g18c

I have a site-to-site VPN, writeable DC in main office, Read-only DC. Today the VPN went down, but i couldnt log in to the read-only DC - the error message came up There are no logon servers to process your request. Since the RODC is a domain controller, there is no local administrator. How can i ensure that i am always able to log on to the RODC with a known account in an emergency if the writeable DC is not available?

Read the article
Application Compatibility Clients do not show in MSSQL database, but do show in \AppCompat\

- by rjt

Application Compatibility Clients are not denied access to the central MSSQL database, but are able to leave their own files in the \AppCompat\ share. The only computer that shows up in the "Microsoft Application Compatibility Manager" database is the the machine i initially created the .MSI installer from. The MSI successfullly pushed out via GPO and like i said there are tons of file in the \AppCompat\ share from many different computers. But only 1 pc shows up in the "Data Collection Manager" database, so i only have data from one machine. i could manually add all these machines (ADNETBIOSNAME\MACHINENAME221$) to the MSSQL AppCompat db permissions list or use an SQL command to do so in batch, but i suspect i must have missed something. Do you manually edit the MSI to set the credentials?

Read the article
How to setup a 1 way trust, Windows Server 2008 R2

- by MichaelOz

I am on my home network and connect to workplace via a VPN. I have a DC on my home network (DC1 , domain = home). How can I setup a 1 way trust, so that I am able to run executables, such as SQL Management Studio using RunAs - then type in credentials for work domain? First question is, will a 1 way trust solve this, and can I set this up without bothering a network admin at workplace (assuming I have a domain account with enough permissions on work domain) If yes - any good step by step guide to setup 1 way trust? Server is Windows Server 2008 R2. As mentioned its DC running DNS Role too. Thanks in advance

Read the article
"The zone can be scavenged after" keeps incrementing

- by kce

What are you trying to do? I'm trying to enable DNS scavenging on a DNS zone that has about a hundred stale DNS records. What have you tried in order to make it happen? I setup DNS Scavenging per everyone's favorite TechNet Blog post: Don't be afraid of DNS Scavenging. Just be patient. I first disabled scavenging on all of our domain controllers: DNSCmd . /ZoneResetScavengeServers contoso.com 192.168.1.1 192.168.1.2 I then enabled automatic scavenging on the DNS zone: I then enabled DNS scavenging on one of the domain controllers: I then found a few records that I expected to get delete with timstamps from a few years ago and ensured that that the Delete this record when it becomes stale and that time stamp was actually set: Finally I reloaded the zone and waited 14 days (the sum of the Refresh + No-Refresh periods). What results did you expect? I expected to see a 2501 Event in the DNS server logs noting the deletion of a bunch of DNS records. What actually happened? Nothing happened. The Zone Aging/Scavenging Properties showed that the zone could be scavenged after 6/12/2014 10:00:00 AM last week. No 2501/2502 events were recorded. All of the records with "aged" time stamps are still present. The date at which the zone can be scavenged after incremented another seven days to ?6/?18/?2014 10:00:00 AM. As I understand it until that date stays at least 14 days in the past nothing will ever even be eligible for scavenging let alone actually be scavenged. The only 2501 events recorded in the event logs are ones that I have triggered by right clicking and selecting "Scavenge Stale Resource Records". They note that scavenging will try to run again in 168 hours which was this morning. I have DNS scavenging enabled for a few months and have waited patiently for something to happen. I have reloaded the zone multiple times (which resets this timestamp). What am I missing here?

Read the article
ADExplorer, how to search with "distinguishedName contains" condition?

- by Jimm Chen

I'm using ADExplorer 1.42 from Microsoft. I'm not very versed at this program so please kindly help me out with a search-related problem. Right click on a node(e.g., CN=NlscanStaff) and select Search Container... , with default search attributes, I can see all objects inside NlscanStaff listed as result. Note that there is a CN=CHJTEST object listed. Now, my question is, how to search for CHJTEST specifically? I tried search condition: Attribute : distinguishedName Relation : contains Value : CN=CHJTEST Click Add , then Search . But no result. Can someone tell me what's going wrong? Thanks.

Read the article
Unable to Mange DNS via MMC

- by IT Helpdesk Team Manager

When trying to access the DNS service on Microsoft Windows Server 2003 (Build 3790) domain controller/schema master via the MMC DNS snap in or locally via the DNS MMC from Administrative tools I'm getting a red "X" through the icon for the DNS Server. The inability to access DNS management via MMC happens on all domain controllers as well. We've looked at items such as the DHCP client not being started, incorrect DNS setup ( the machine points at itself and another DC ), the DNS service not running ( it is and all DNS queries via NSLOOKUP work correctly ), dslint returns the correct information and functions as expected. There is the following entry in the DNS event log: The DNS server could not initialize the remote procedure call (RPC) service. If it is not running, start the RPC service or reboot the computer. The event data is the error code. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. 0000: 0000051b dnscmd fails with RPC server unavailable yet RPC is started: C:\Documents and Settings\Administrator.DOMAIN>dnscmd /Info Info query failed status = 1722 (0x000006ba) Command failed: RPC_S_SERVER_UNAVAILABLE 1722 (000006ba) DCDIAG /TEST:DNS /V /E produces the following errors: Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running) [Error details: 1753 (Type: Win32 - Description: There are no more endpoints available from the endpoint mapper.)] Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running) [Error details: 1722 (Type: Win32 - Description: The RPC server is unavailable.)] The DNS server could not initialize the remote procedure call (RPC) service. If it is not running, start the RPC service or reboot the computer. The event data is the error code. A DNS query for _ldap._tcp.dc._msdcs. returns the correct results. All domain and ADS related activities are working except that I can't manage my DNS via MMC or dnscmd. Any thoughts or solutions would be greatly appreciated. EDIT: Adding Registry export per request: Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Class Name: <NO CLASS> Last Write Time: 10/18/2012 - 2:29 PM Value 0 Name: DCOM Protocols Type: REG_MULTI_SZ Data: ncacn_ip_tcp Value 1 Name: UuidSequenceNumber Type: REG_DWORD Data: 0xb19bd0f Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols Class Name: <NO CLASS> Last Write Time: 3/9/2007 - 12:11 PM Value 0 Name: ncacn_np Type: REG_SZ Data: rpcrt4.dll Value 1 Name: ncacn_ip_tcp Type: REG_SZ Data: rpcrt4.dll Value 2 Name: ncadg_ip_udp Type: REG_SZ Data: rpcrt4.dll Value 3 Name: ncacn_http Type: REG_SZ Data: rpcrt4.dll Value 4 Name: ncacn_at_dsp Type: REG_SZ Data: rpcrt4.dll Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\NameService Class Name: <NO CLASS> Last Write Time: 2/20/2006 - 4:48 PM Value 0 Name: DefaultSyntax Type: REG_SZ Data: 3 Value 1 Name: Endpoint Type: REG_SZ Data: \pipe\locator Value 2 Name: NetworkAddress Type: REG_SZ Data: \\. Value 3 Name: Protocol Type: REG_SZ Data: ncacn_np Value 4 Name: ServerNetworkAddress Type: REG_SZ Data: \\. Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\NetBios Class Name: <NO CLASS> Last Write Time: 2/20/2006 - 4:48 PM Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy Class Name: <NO CLASS> Last Write Time: 3/9/2007 - 12:11 PM Value 0 Name: Enabled Type: REG_DWORD Data: 0x1 Value 1 Name: ValidPorts Type: REG_SZ Data: pdc:100-5000 Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService Class Name: <NO CLASS> Last Write Time: 2/20/2006 - 4:48 PM Value 0 Name: 9 Type: REG_SZ Data: secur32.dll Value 1 Name: 10 Type: REG_SZ Data: secur32.dll Value 2 Name: 14 Type: REG_SZ Data: schannel.dll Value 3 Name: 16 Type: REG_SZ Data: secur32.dll Value 4 Name: 1 Type: REG_SZ Data: secur32.dll Value 5 Name: 18 Type: REG_SZ Data: secur32.dll Value 6 Name: 68 Type: REG_SZ Data: netlogon.dll

Read the article
Getting Squid to authenticate with kerberos and Windows 2008/2003/7/XP

- by Harley

This is something I setup recently and was quite a big pain. My environment was getting squid to authenticate a Windows 7 client against a Windows 2008 Server invisibly. NTLM is not really an option, as using it requires a registry change on each client. MS have been recommending Kerberos since Windows 2000, so it's finally time to get with the program. Many, many thanks to Markus Moeller of the Squid mailing lists for helping to get this working.

Read the article
Multi-Tenant VMWare View Deployment

- by SimonJGreen

We have VMWare View 5 set up for a single tenant environment, absolutely brilliant and works perfectly. Two thumbs up there! We're looking at the possibility of deploying this in a multi tenant scenario, where multiple unlinked companies connect to a VDI solution hosted by us but have no visibility of each other. Obviously;y this could be achieved by doubling up on all the components, having a complete VMWare View stack for each tenant, but this seems a little bit messy. Has anyone done this before, and if so how? Googling sheds little light apart from this experts exchange topic.

Read the article
What breaks in a Windows domain if a member has a high time skew?

- by Ryan Ries

It's taken for granted by most IT people that in a Windows domain, if a member server's clock is off by more than 5 minutes (or however many minutes you've configured it for) from that of its domain controller - logons and authentications will fail. But that is not necessarily true. At least not for all authentication processes on all versions of Windows. For instance, I can set my time on my Windows 7 client to be skewed all to heck - logoff/logon still works fine. What happens is that my client sends an AS_REQ (with his time stamp) to the domain controller, and the DC responds with KRB_AP_ERR_SKEW. But the magic is that when the DC responds with the aforementioned Kerberos error, the DC also includes his time stamp, which the client in turn uses to adjust his own time and resubmits the AS_REQ, which is then approved. This behavior is not considered a security threat because encryption and secrets are still being used in the communication. This is also not just a Microsoft thing. RFC 4430 describes this behavior. So my question is does anyone know when this changed? And why is it that other things fail? For instance, Office Communicator kicks me off if my clock starts drifting too far out. I really wish to have more detail on this. edit: Here's the bit from RFC 4430 that I'm talking about: If the server clock and the client clock are off by more than the policy-determined clock skew limit (usually 5 minutes), the server MUST return a KRB_AP_ERR_SKEW. The optional client's time in the KRB-ERROR SHOULD be filled out. If the server protects the error by adding the Cksum field and returning the correct client's time, the client SHOULD compute the difference (in seconds) between the two clocks based upon the client and server time contained in the KRB-ERROR message. The client SHOULD store this clock difference and use it to adjust its clock in subsequent messages. If the error is not protected, the client MUST NOT use the difference to adjust subsequent messages, because doing so would allow an attacker to construct authenticators that can be used to mount replay attacks.

Read the article
New AD-DC in a new Site is refusing cross-site IPv4 connections

- by sysadmin1138

We just added a new Server 2008 (sp2) Domain Controller in a new Site, our first such config. It's over a VPN gateway WAN (10Mbit). Unfortunately it is displaying a strange network symptom. Connections to the SMB ports (TCP/139 and TCP/445) are being actively refused... if the connection is coming in on pure IPv4. If the incoming connection is coming by way of the 6to4 tunnel those connections establish and work just fine. It isn't the Firewall, since this behavior can be replicated with the firewall turned off. Also, it's actually issuing RST packets to connection attempts; something that only happens with a Windows Firewall if there is a service behind a port and the service itself denies access. I doubt it's some firewall device on the wire, since the server this one replaced was running Samba and access to it from our main network functioned just fine. I'm thinking it might have something to do with the Subnet lists in AD Sites & Services, but I'm not sure. We haven't put any IPv6 addresses in there, just v4, and it's the v4 connections that are being denied. Unfortunately, I can't figure this out. We need to be able to talk to this DC from the main campus. Is there some kind of site-based SMB-level filtering going on? I can talk to the DC's on campus just fine, but that's over that v6 tunnel. I don't have access to a regular machine on that remote subnet, which limits my ability to test.

Read the article
Mac Share Points automatically authenticate with matching Windows AD credentials from Windows

- by Ron L

I recently started administering an OS X server (10.8) that is on the same network as our AD domain. While setting up Mac Share Points, I encountered some odd behavior that I hope someone can explain. For the purposes of this example assume the following: 1) Local User on OS X Server: frank, password: Help.2012 2) AD Domain User: frank, password: Help.2012 3) AD Domain: mycompany 4) OS X Server hostname: macserver (not bound to AD, not running OD) When joined to the domain on a a Win 7 computer and logged in as frank and accessing the shares at \\macserver, it automatically authenticates using frank's OS X credentials (because they are the same). However, if I change frank's OS X password, the standard Windows authentication dialog pops-up preset to use frank's AD domain (my company\frank). However, after entering the new OS X password, it will not authenticate without changing the domain to local (.\frank). Basically, if a user in AD has the same User name and password in OS X, it will authenticate automatically regardless of the domain. If the passwords differ, authenticating to the OS X shares must be done from the local machine. (and slightly off topic - how come an OS X administrator can access the root drives on the Mac server from Windows when accessing the Mac shares even when they aren't shared? In other words, it will show all the shared folders from "File Sharing" plus whatever drives are mounted in OS X)

Read the article
Can I log into a Domain account without pointing DNS to the domain controller?

- by user72593

My situation is as follows: I have a Windows 2003 Domain Controller which is also my DNS server. I have 10 Windows XP Pro PC's which all login to domain accounts. I am about the forward my DNS requests to OPENDNS so I can regulate web access but I have (2) PC's that I would like to keep unregulated. I manually changed their DNS server IP to (8.8.8.8) which worked but that caused my login to fail (by creating a 3 minute delay before it would let me get to the desktop) when I change the DNS IP back to the IP of the Domain Controller, everything works smoothly. Question is, how can I continue to login to the domain but have a different DNS path...is this possible ?

Read the article
Remote site AD design (2003)

- by Boy Mars

A remote site has about 25 of our 50-ish employees. They have their own AD domain presently (2003) but I want to look at getting them onto the same global domain for ease of access/administration. The remote site has a VPN link but line speeds are very poor. I am already aware of tools like ADMT and have done a few migrations in the past (NT/2003 domains), but this is the first time I have the luxury of designing how this domain is organised. So I'm looking for tips on good AD design; would a remote site be better served as a sub-domain? would this reduce traffic? I am only currently looking at 2003 since only existing machine will be used.

Read the article
How to access shared files in two different domains

- by Sundeep

There are two internal domains, domainA and domainB at my workplace. I could remote into machines from either domains by using respective credentials. My doubt is if I create a shared folder on domainA with read access to everyone for e.g., \\server1.domainA.net\sharedfolder. Will I be able to access this folder by just entering the path likewise from any machine in domainB without entering credentials.

Read the article
AD GIT SELinux RHEL 6 : Can not get SELinux to allow connetion to git

- by Johan Sörell

I have a problem with SELinux! I have installed git on Red Hat Enterprise 6 with AD group control and SSL Cert . Everything works fine if I do setenforce 0 ( set SELinux in detection only mode ) or if I do semanage permissive -a httpd_t (Set httpd_t in detection only mode) I do not want to use this on my git production server. Is there anyone out there who can help we with SELinux? Below is some info that you might need to be able to help me: All help I can get would be apriciated: This is the output of ls -lZa /preproduction/git/repositories/ ls -lZa /preproduction/git/repositories/ drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 . drwxr-xr-x. apache apache unconfined_u:object_r:file_t:s0 .. drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 playground drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 shamrock.git drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 test Here is the out put of getsebool -a |grep -i httpd getsebool -a |grep -i httpd allow_httpd_anon_write --> off allow_httpd_mod_auth_ntlm_winbind --> off allow_httpd_mod_auth_pam --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> on httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_read_user_content --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_tmp_exec --> off httpd_tty_comm --> on httpd_unified --> on httpd_use_cifs --> off httpd_use_gpg --> off httpd_use_nfs --> off Tis is the status of : sestatus sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted

Read the article
Repercussions of Raising Domain Functional Level to 2008 on Mac computers running 10.6.2 with OD

- by JohnyV

We have recently replaced all of our 2003 server domain controllers to 2008 r2 and have tried to implement PSO's but have found that the domain functional level must be raised to 2008. We have a mac server in our environment that runs open directory and it is integrated into AD. Does anyone know if I do raise the domain functional level (which makes sense since we only have 2008 r2 domain controllers) what the repercussions (if any) there will be on the macs in the environment? Macs are running 10.6.2 and mac server runs the same. Mac server is running OD and also bound to AD.

Read the article
Kerberos Policy section not appearing in RSop / GPResult

- by Chloraphil

I am attempting to confirm via RSoP or GPResult that the correct settings for "\Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy" are being applied, however the "Kerberos Policy" node is missing from the treeview / report. These settings are set in the "Default Domain Controllers Policy" which is linked in the "Domain Controllers" OU. Should "Kerberos Policy" appear at all? If not, how can I confirm the correct settings are being applied?

Read the article
Remote hosts accessing AD's registry

- by smitty user

I have a situation here. I have an intrusion detection system and it constantly alerts me that a remote host is accessing our AD's registry remotely. Our remote hosts are mainly Windows XP and our ADs are W2K8. The remote hosts access them over SMB port 445 Is it normal for Windows hosts to access AD's remote registry? My colleagues confirmed with me that both host and AD is clean from virus with endpoint protection enabled. Thanks.

Read the article
How to re-join an AD2003 domain with Samba after deleting the machine account?

- by Guss

During some troubleshooting I deleted the machine account for a Linux server running samba from our AD 2003 domain. We are using Kerberos for authentication, and after I deleted the machine account I tried to join the domain again using net ads join -U Administrator But I keep getting Kerberos errors like these: [2009/08/18 16:14:36, 0] libads/kerberos.c:ads_kinit_password(228) kerberos_kinit_password [email protected] failed: Client not found in Kerberos database Failed to join domain: Improperly formed account name It appears as if samba remembers that it once had an account with the AD and keeps trying to reconnect to it, but I want to create a new account from scratch. I tried to delete all the .tdb files I could find as well as everything under /var/cache/samba but to no avail - it still behaves the same. I also tried to create the machine account on the AD side, but then I get a similar error when I try to join, about failure to authenticate with the machine account - it looks like samba tries the previous machine account password and I don't know how to reset it, or even if I could figure out what samba uses - how to set it in the AD. Any help would be greatly appreciated, as at this point the only thing I can think about is to reformat and reinstall the machine, and I would really REALLY love to not do that. Thanks in advance.

Read the article
In a multi-domain forest, what EXACTLY happens when some, but not all, of the Infrastructure Masters are on Global Catalogs?

- by MDMarra

There are plenty of TechNet articles, like this one that say that phantom object don't get updated if an Infrastructure Master is also a Global Catalog, but other than that there isn't a lot of in depth information on what actually happens in this configuration. Imagine a configuration like this: |--------------| | example.com | | | | dedicated IM | |--------------| | | | |-------------------| | child.example.com | | | | IM on a GC | |-------------------| Where child has two DCs that are both global catalogs, meaning that the Infrastructure Master role is on a GC. And, example has three DCs with the Infrastructure Master role on a DC that is not a GC. I understand that it's usually best to just make everything a GC and not have to worry about this sort of thing, but assuming that's not the case - what is the exact error behavior that can be expected from a setup like this, and which domain(s) would this behavior manifest in? The child or the parent?

Read the article
Domain restore from RODC

- by Bump

Can an AD Domain be restored from a RODC with a copy of the GC? Does an offsite DC replicating the AD need to be a full DC to provide a sufficient up to date AD Backups for disaster recovery?

Read the article
Windows server 2008 R2 error :The page file is to small to complete the action

- by kishore

I have a windows server 2008 R2 standard edition. The system suddenly stopped accepting remote desktop connections. When I tried to connect directly to the console, I am unable to start any applications. I got errors "The page file is to small to complete the action". Under takmanager in performance the system shows "Commit(GB) 127/127". What does this imply? The system has 32 GB ram, 5 raid disks each 150 Gb

Read the article

< Previous Page | 85 86 87 88 89 90 91 92 93 94 95 96 | Next Page >