ADAM

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - Unable to create basic domain trust between two Windows 2003 domains - logon servers not available ? Hi. I am currently trying to create a basic one way non-transitive trust between two Windows 2003 domains. We will be merging the domains of two companies in the future but for the time being need to give one domain access to resources in another. Both domains are standalone within their own forest i.e. domain1.net is the only domain in the domain1.net forest and domain2.net is the same. Both domain1 and domain2 have Windows Server 2003 domain and forest functional levels. So far I have created Stub zones on the DNS servers in each domain i.e. domain1.net has a stub zone for domain2.net and domain2.net has a stub zone for domain1.net. Both domains have a single domain controller called DC1 on each domain i.e. dc1.domain1.net and dc1.domain2.net. I can ping from one DC to the other and resolve names of workstations and servers in the remote domain. If I run a nslookup from each DC the output seems normal (DC1.domain1.net nslookup result below). When I try to create the one way non-transitive trust I get to the end of the wizard and select to 'Validate' the trust, I get the error : The secure channel (SC) reset on domain controller \\DC1.comain2.net of domain2.net to domain domain1.net failed with error: There are currently no logon servers available to service the logon request. The accounts I have used in both domains are Domain and Enterprise Admins. Only dc1.domain2.net has an error in the System Log with ID 5719 and the same error as above i.e. logon servers not available to service the logon request. Can anyone suggest where I am going wrong ? Thanks, Alex. DC1.domain1.net nslookup result: C:\>nslookup Default Server: localhost Address: 127.0.0.1 > set type=srv > dc1.domain2.net Server: localhost Address: 127.0.0.1 domain2.net primary name server = dc1.domain2.net responsible mail addr = hostmaster serial = 21 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 3600 (1 hour) Tag: ADAM Tag: 134603
  - 2
    - Help: Vista network Browse issue on AD network I have several Vista workstations on a AD network along with 10's of workstations running XP and servers running various OS's. The AD network is connected to a separate much larger AD network (several hundred workstations and servers). When browsing network places (e.g.: when mapping to a network drive), the XP machines on the smaller AD network show two distinct networks, the local AD network and, larger AD network. Both networks can be 'explored' without significant delay. However, when performing a network browse on the Vista workstations, there is no distinction between the two AD networks. In addition, every time the browse button is hit, the entire list of AD servers and workstations on both networks is refreshed which can take in excess of 15 minutes before anything shows up, functionally making it impossible to 'browse' the network. This behavior appears to be limited to Vista workstations. Is there a way to make the Vista workstations respond more like the XP workstations in this regard? Thanks for any advice. Tag: ADAM Tag: 134602
  - 3
    - user logon audit is there any way to audit a user's logons and logoffs? specifically we would like to know if an end user was logged onto the network on a specific day. thanks in advance Bill Tag: ADAM Tag: 134596
  - 4
    - Integrate AzMan with SQL Database? I don't know if this is the right newsgroup for this, but.... We need to secure records in a table based on Active Directory permissions. Can someone point me to a good resource (with examples) of how to go about this? Here is some pseudo-code of what I'd like to be able to do: select * from mytable where UserIsAllowed("Brad") In this example, the "UserIsAllowed" function tests each record, presumably using AzMan, checking both the user and the groups the user belongs to. Any help would be appreciated. Thanks! Brad. Tag: ADAM Tag: 134594
  - 5
    - Member Server in DMZ I have done some research and know this is generally a bad idea, but... how would one go about running a Member server joined to a domain (i.e. domain.local) but reside in the DMZ? I've looked at ADAM and using IPSec and such things. I'm basically looking for the best approach to this. There are some internet applications that my organization would like to authenticate to AD. Thank you. Tag: ADAM Tag: 134591
  - 6
    - Folder Redirection Error with Documents folder Hello, We operate under Windows Server 2003 R2 with 15 Windows XPsp2 and 1 Vista laptop. All XP laptops are redirecting just fine with the GPO; however, the solo Vista machine (which is mine) is having problems with redirecting one folder. Pictures, Music, and Videos have redirected to the server (NOLDC1) fine. The Documents folder is the one that is having problems. I receive the below error in the event log. Failed to apply policy and redirect folder "Documents" to "\\noldc1\users$\kbullock". Redirection options=9021. The following error occurred: "Folder can not move because there is non redirectable folder at the same path". Error details: "Access is denied.". I've also noticed an exact duplicate of kbullock folder inside of my profile. I don't know what's going on here. Can anyone shed some light and help me out here? Thanks. Kenny Tag: ADAM Tag: 134577
  - 7
    - Authoritative Restore Question on the proper way to had this particular authoritative restore using the ntdsutil restore subtree. In the past with authoritative restores of an OU I haven't had any issues restoring an OU and all objects within. Recently I had a situation where an OU was deleted along with sub-OUs. One of the sub-OUs needed to be restored without restoring the other sub-OUs. I trying to do an authoritative restore twice without success as I would expect it. First attempt, I recreated the parent OU then performed the authoritative restore of the child OU. Second attempt, I deleted the parent OU and attempted to restore the child OU. In both cases immediate after the restore and reboot I could see the restored OUs and objects. But once replication occurred they disappeared. If I did a find on the user objects in the child OU I could find them through ADUC, but the OU could not be seen through expanding the OU structure. This is because in both cases the parent OU was still a deleted object in the deleted objects container (isDeleted=true). However the child OU was not deleted (isDeleted = NULL). How would I go about doing an authoritative restore of a child OU and a parent OU with out bring back all the other child OUs of that parent? Tag: ADAM Tag: 134575
  - 8
    - Change notification using AD Hi There, lI am using AZman with authorization store stored in xml file. And I was creating a file system watcher on this xml file and when an administrator modifies the store using Azman mmc, the event was raised and I would notify all the interested parties. But now I want my azman store to be in ADAM. Do we have any mechanism/apis to know when the azman store is modified? What is the best practice in these scenarios? i found this http://msdn.microsoft.com/en-us/library/ms676877(VS.85).aspx which is in managed C++ , since most of the ldap apis are wrapped in System.directoryservices , i was thinking if it is possible to use .net libraries to achieve the above mentioned(getting the notification) behavior. Thanks for your time. Dee Tag: ADAM Tag: 134572
  - 9
    - How do I disable Drag N Drop i AD Users & Computers? How do I disable Drag N Drop i AD Users & Computers? Tag: ADAM Tag: 134564
  - 10
    - Migration from 2003 DC to 2008 DC Dear, i have windows 2003 domain controller and also 2 additional domain controllers, now i want to migrate it to 2008 domain controller. how it is possible? Rgds, Nasir karim -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-ad/200808/1 Tag: ADAM Tag: 134555
  - 11
    - Adding a Windows 2003 R2 DC into a 2000 Domain Morning all, This is my current setup, I have 2 DC in my enviroment, one is a 200 server and the second is a 2k3 server, now what i want to do i introduce a wk3 r2 server into the enviroment, and make it the primar DC. If i run a "netdom query fsmo", this is the result, i have removed th domain in the results C:\Program Files\Support Tools>netdom query fsmo Schema owner server1 Domain role owner server2 PDC role server2 RID pool manager server2 Infrastructure owner server2 The command completed successfully. When i run a "schupgr" this is the result. C:\Program Files\Support Tools>Schupgr.exe Opened Connection to SERVER1 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema to version 30 Schema has already been changed in another DC in this are made to this DC. Rerun setup to upgrade this DC Now i want the new Wk3 R2 server to have all the responsiblity, Roles DNS, DHCP etc... Oh yeah, i also have Exchange 2000 running on SERVER1, will thi upgrade impact Exchange at all? Whats the next step. Thank -- Wazz ----------------------------------------------------------------------- Wazza's Profile: http://forums.techarena.in/members/wazza.ht View this thread: http://forums.techarena.in/active-directory/1023028.ht http://forums.techarena.i Tag: ADAM Tag: 134553
  - 12
    - Share Point Error #50070 I had an erlier post regarding a Share Point Error in the Event Log which is writing itself in every 5 seconds. I had a reply to apply a registry line KB840685, which I did. However, the error still occurs. The error is as follows: #50070: Unable to connect to the database STS_Config on xxxSERVER\SharePoint. Check the database connection information and make sure that the database server is running. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Any other suggestion? It is driving me mad about this error every 5 seconds. Thanks Tag: ADAM Tag: 134552
  - 13
    - New location Hello, I currently have 1 local lan with AD (2003), some servers. Now, we have a new location linked to the central site via a mpls. I want to install a server (and users) on this new location. The users for the new site do the same job than for the central site. They connect to the central site for exchange and TSE and use the local site for files, ... What is the best to do that ? Create new AD and link it, create new site, ... ?? Thx Tag: ADAM Tag: 134548
  - 14
    - redirecting My Documents and permissions hey I've playing around with Group Policy on my Windows Server 2003. For the purpose of learning. This is not a prodcution environment. The win2k3 machine is domain controller in my network Now I've created a Group Policy which redirect users My Documets over the a directory on the domain controller. On the domain controller I created a folder which I shared. Giving users read permissions. I wonder if only read permission is not enough. Maybe I should add write permissions to? But in the Group Policy I specified users having exclusive rights to these folders, so maybe that automatically gives it write permissons? any thoughts? Tag: ADAM Tag: 134547
  - 15
    - determine the users have certificate installed I need to know who has certificates installed in personel certificate store and who don't.. I have 250 clients in my environment. How can i do this easily? Also i want to know if users have configured signing certificates in their outlook. I searched Google and found a registry key "AutoSign" has to be enabled in registry. But there is no autosign registry key enablen in my computer but autosign option is enabled in outlook. Tag: ADAM Tag: 134533
  - 16
    - Join a Remote Computer? I have a corporate domain on a customer office, and, from my home, i want to have a virtual machine that is member of that domain. I have VPN access to the corporate domain already, and i have the admin login of the domain among a user account that i want to use, can i have windows XP client to join that domain over VPN and act as it was locally? I had tryied many different scenarios but any is working so far, any one can help with a guide on this? Tag: ADAM Tag: 134525
  - 17
    - fun with indian sex moves downloadfree fun with indian sex moves downloadfree http://kumaripud.blogspot.com/ Tag: ADAM Tag: 134522
  - 18
    - Using Active Directory (without any admin account) for checking if Hello, I'm programming in VS2003-ASP.NET 1.1. My web app is running on a Windows Server 2003. The user has to login into the web app using its account and password of the Active Directory (AD). I have this problem: How can I check if a domain account, that tries to login, has been disabled or password has expired? I use the System.DirectoryServices.DirectoryEntry class, but for security reasons we don't want to user any admin user account to get information of the account trying to login. Say that account "jdoe" has been disabled, or its password has expired in AD. If user tries to login, the web app should show some message about acount disabled or password expired. My code: Dim Domain As String = "DOMAINXXX" Dim sUserName="jdoe": Dim sPassword="jdoe_password" Dim myEntry As System.DirectoryServices.DirectoryEntry = New System.DirectoryServices.DirectoryEntry("LDAP://" & Domain, sUserName, sPassword, System.DirectoryServices.AuthenticationTypes.Secure) myEntry.Username = sUserName myEntry.Password = sPassword Dim mySearcher As System.DirectoryServices.DirectorySearcher = New System.DirectoryServices.DirectorySearcher(myEntry) Dim myResult As System.DirectoryServices.SearchResult mySearcher.Filter = "(&(objectCategory=person) (objectClass=user)(userPrincipalName=" & UserName & "*))" myResult = mySearcher.FindOne Dim x as String = myResult.Properties("sAMAccountName")(0) ''<-- it gets 'jdoe' Dim y as String = myResult.Properties("userAccountControl")(0) ''<-- it gets Nothing If I'd get 514 or 512 from myResult.Properties("userAccountControl") (0), then it would be able to determine if account has expired or not. But it gets Nothing However, if myEntry.Username = "any_admin_account" then it works ! I had put this question on the ASP.NET zone, but I've been told that the reasons I get Nothing from myResult.Properties("userAccountControl")(0), could be because of settings on the domain or the AD. Sorry if I have put my question in the wrong area, but maybe you guys could help me with some advices. Many Thanks Tag: ADAM Tag: 134508
  - 19
    - Any effect on Windows 2003 envir.? Hi all, I want to introduce one windows 2008 member server to windows 2003 envir. with Windows 2003 DCs. Will it affect my schema or windows 2003 DCs? thank you. Tag: ADAM Tag: 134464
  - 20
    - workstations & server times Hi all, Is it possible to configure all member workstations & servers in our domain to sync their date/time with a central server? We have 2 DCs and either one would be OK We also have an ISA server on our network. So would we have to open up any firewall permissions? Any articles on how to do this would be greatly appreciated. TIA! Tag: ADAM Tag: 134457
  - 21
    - Group Policy - Maximum Password Age OK, this is weird.... In Group Policy we have the Default Domain set to Disabled. However, even though it is set to Disabled it does have settings in it from when it use to be Enabled. One of the settings is that the Maximum Password Age is set to 90 Days. Ok, now in the Group Policy we have set and enabled on the OU for where my user's and computers reside we have the Maximum Password Age set to 45 Days. Now this is where it gets weird... even though everything I look at (GP Modeling, GP Results, etc) says that the Maximum Password Age is set to 45 Days, it appears that the passwords do not expire until they reach 90 Days? Any Ideas on this? Tag: ADAM Tag: 134436
  - 22
    - Create a site over WAN link I'm working on diagraming out a new AD site design for our single domain network. We have 3 physical locations. 1. Data center facility with all servers (file, app, web, AD and Exchange) 2. Main campus (about 1000 users), currently no servers 3. Satellite office (about 100 users), currently no servers WAN connection between Data Center and Main campus is 100Mbit. Should AD sites represent physical locations, or if there is a high speed highly available WAN link, can a site encompass more than one physical location. I'm looking for best practice design geared toward high availability in the event of connectivity disruption. Currently I have two sites defined. One for the Data Center and main campus and one for the satellite office. I've placed one ADDC at the Data center and one at the main campus. Both are GC's with AD integrated DNS. Exchange will be hosted at the data center. I also have a ADDC that is a GC with integrated DNS at the satellite office. This office will also have a high bandwidth highly available WAN link, but not as fast as the one between the DC and the main campus. Any suggestions on this approach would be greatly appreciated. Thank you. Tag: ADAM Tag: 134435
  - 23
    - Query Based Distribution Group We are looking at implementing QDQ in our environment. We have about 13,000 users. We first one we want to create is for everyone that has an Exchange mailbox. I have done some research to find out what the requirements and recommendations are and found out that our DCs will be able to handle the load. They have enough processing and memory capacity. What I am curious about that I have not been able to find, but think I remember from something is the results size of each QDG. Is there a recommended limit on the number of results that a single QDG should return. For our example of creating a goup to list everyone with a mailbox, we initially thought we would create a univeral group and nest the QDG in that. We would create one QDG for each mailbox server. Each Mailbox server has about 3000 mailboxes. I do not know if that is too large for one QDG. Should we break each server down to the database level where it would only return ~200 results and nest those into a server based group? Any advice, hints, articles and knowledge would be wonderful. Thank you. Pete Tag: ADAM Tag: 134377
  - 24
    - What backups for DC and DNS etc? Hi, I'm in the process of reviewing our backup procedures for our Active Directory and DNS (and DHCP). (My setup is as follows): Domain A - root forest - 4 domain controllers over 3 sites. (2 at the main and these hold most roles). The main server in each site is a GC, DHCP and DNS. I was thinking i would back up the system state of one main DC in each site? IS this enough or should i backup ALL? Is System State enough to be backing up? Does this include everything? If a DC goes down we do not mind so long as we have others - i am confortble with seizing roles and demoting and promoting and tidying up AD etc. However i want to protect against worse case scenario. It is important for AD to be backed up, DHCP and DNS. I believe we use some corperate Symantec product so imagine it able to do most things so long as i know what to back up.... Thanks. Tag: ADAM Tag: 134343
  - 25
    - Servers in Sites & Services We have a 2003 AD. In Sites & Services, under Default First Site Name we have 4 servers. 2 of them are the DCs with DNS. The other 2 are just member servers. These 2 might have been DCs at one time. Should these be removed? -- Thanks! Tag: ADAM Tag: 134342
- Next
  - 1
    - Forest functional upgrade not possible Iâ??m having trouble upgrading the forest functional level in a test environment, and am wondering if any light can be on the issue. (Sorry, for the length of this initial post, but I thought it best to include as much as possible). When attempting to raise the forest functionality to Windows 2003 (logged in to holder of all root FSMOs with Enterprise admin account) I receive the followign error; â??The forest functional level could not be be raised. This may be due to replication latency. Please wait about 30 minutes and try again.â?? I first got this error two weeks ago, so replication latency can be ruled out (replication health checked numerous times during this period). More specifically if I raise the NTDS service logging level to 5 for 9 (Internal Processing), 8 (Directory access) and 16 (LDAP interface events) I get three events logged when I try to raise forest functional level; 1535, 1175 and 1481. The detail of these events are; Source: NTDS General Category: Internal Processing Event ID: 1481 Description: Internal error: The operation on the object failed. Additional data: Error value: 5 00002179: SvcErr: DSID-030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0 Source: NTDS General Category: Directory Access Event ID: 1175 Description: Internal event: A privileged operation (rights required = 0x) on object CN=Partitions,CN=Configuration,<FOREST ROOT> failed because a non-security related error occurred. Source: NTDS LDAP Catoegry: LDAP Interface Event ID: 1535 Internal event: The LDAP server returned an error 00002179: SvcErr: DSID, 030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0 Error 2179 is ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXEDDOMAIN, which indicates that one or more domains are still in mixed mode. However this is not the case. The test domain has a placeholder root domain (single DC) and a production domain (three DCs), both of which are at Windows 2003 level, and this value (domainFunctionality=2) is consistent across all DCs). This test environment Iâ??ve been asked to use, has unfortunately not been maintained properly. When I got to it I found that it even had a â??deadâ?? domain referenced (another one below the placeholder root). I tidied this up using NTDSUTIL, including removign the domain and the domainDNSzones partition, and can no longer find any reference to it in the configuration container, or as a trust in other domains, but I canâ??t help feeling that some residue of this domain is causing the issue. The following steps have been taken as troubleshooting steps; â?¢ Replication confirmed as healthy. (repadmin /replsum) â?¢ Domain controllers confirmed as healthy (dcdiag /c/v/d, /test:verifyenterprisereferences) â?¢ Netdiag /v on all DCs â?¢ Only expected partitions in cn=partitions,cn=configuration,<FOREST ROOT> â?¢ No references to failed domain in Configuration partition (dumped using ldif and scanned) â?¢ All DCs are now at sp2 (were at sp1 before) â?¢ 2 * DomainDNSZones deleted and recreated â?¢ No obsolete computer objects in Sites and Services â?¢ No obsolete _msdcs references, or reference to â??deadâ?? domain â?¢ Schema and Enterprise admins are universal groups â?¢ Forest prep logs (for 2K3 update) are still available and donâ??t report any error â?¢ No unexpected computers think theyâ??re DCs (userAccountControl 8192) â?¢ Lost and found objects deleted â?¢ CNF objects deleted â?¢ Lingering objects cleared down (there were a lot of these on the root DC in the child partition) â?¢ FSMO roles are reporting correctly (netdom query fsmo) when checked from each DC. These are as per appropriate fsmoRoleOwner attributes. â?¢ Enterprise Admins and Enterprise Domain Controllers seem to have appropriate rights (compared with other environments) to the partitions (at root of partitions, and in CN=Partitions container), and the Partitions container in Configuration partition. â?¢ Thirteen attributes are added to the global catalog as part of the forest functional update. To rule this out I manually added the attributes to the PAS with the Schema GUI. â?¢ ntmixedDomain value on all DCs=0. â?¢ No obsolete security descriptors on CN=Partitions or itâ??s content partitions â?¢ INITSYNC has been set to be skipped (Repl Perform Initial Synchronizations = 0) â?¢ â??Everyoneâ?? has Access this computer from the network right â?¢ userAccountcontrol for all DCs is 532480 Two other errors have also been received, but havenâ??t helped me so far. Whenever a DC is rebooted the following error is received; Source: NTDS Category: Internal Processing Event ID: 1481 Description: Internal error: The operation on object failed. Additional data Error value 2 000020EF: NameErr: DSID-032500F4, problem 2001 (NO_OBJECT), data -1603, best match of: â??â?? 20EF = ERROR_DS_UNKNOWN_ERROR ====== I tried using ADMOD to â??manuallyâ?? update the msDS-Behaviour-Version value (recommended in a post elsewhere by Joe Richards), and got the following error; DN Count: 1 Using server: <ROOTDC>.<FOREST ROOT>:389 Directory: Windows Server 2003 Modifying specified objects... DN: CN=Partitions,CN=Configuration,<FOREST ROOT>... Extended Error: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece ERROR: Too many errors encountered, terminating... The command did not complete successfully x57= LDAP_FILTER_ERROR I couldnâ??t get any further with these errors. Thanks in advance for any help. Regards Gordon Tag: ADAM Tag: 134338
  - 2
    - RENDOM or ADMT Hi I have inheritted a poorly named single level domain and am looking to either rename it or to migrate the business to a new domain and suitable domain name. Currently the domain is named in the format domain.domain.company.com and really only needs to be company.com We have around 150 users but they only use AD for authentication as we have linux based DNS (to be replaced by A integrated shortly) and linux file&print servers. 1> I am after opinion as to whether to rename the domain or migrate to a new AD domain on a new box. 2> I understand by doing this I can also migrate local profiles so end users won't see the change, is this correct? 3> Do I install AD integrated DNS before i start either process? I can answer any questions if I am not clear enough Cheers Andy Tag: ADAM Tag: 134336
  - 3
    - Security analysis We have one-place branch office and we'd like to create security analysis of our services, checking procedures and make new procedures and rules. As first step we'll run Microsoft Best Practices Analyzers (for Exchange, GPO, SharePoint, SystemStateAnalyzer, ...) and follow Microsoft Instrastructure Optimization to identify our currently position in IT software and hardware world. Can you please advice any other SW / procedure to follow formal procedure...? p.s. sorry for crosspoting Thnx. Tag: ADAM Tag: 134334
  - 4
    - admin pack vista & terminal profile tab Installed Windows Server 2003 SP1 Administration Tools Pack on Windows Vista. In Active Directory Users and Computers when you pull up the properties of a user account the Terminal Services Profile tab is missing. This is not just the case on my installation. The Terminal Services Extension in MMC is missing. How do we make this available? Tag: ADAM Tag: 134325
  - 5
    - DCDIAG Error Sometimes Exchange 2007 had problem connecting to the DC (cannot find DC) I then started to run a dcdiag and got some DNS errors which I think I fixed. Now when I run a DCdiag it passes all the test without one of which I have attached the log from DCDIAG below. I have no idea what that could be. Could anyone please point me to the right direction. I really would appreciate. Thanks in advance. Starting test: frsevent ......................... SCTDC passed test frsevent Starting test: kccevent An Error Event occured. EventID: 0x0000025C Time Generated: 08/18/2008 11:03:20 Event String: NTDS (476) NTDSA: Locale ID 0x0000041e (Thai ......................... SCTDC failed test kccevent Starting test: systemlog An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) ......................... SCTDC failed test systemlog Tag: ADAM Tag: 134317
  - 6
    - Minimum security settings of computer accounts for allowing domain user account to join domain Hi ALL, I'd like to configure the security settings for the computer accounts that only allow domain user to join domain (nothing else, including changing computer account name,etc.). I tried to create a dummy computer account using (Active Directory Users and Computers -> New Computer Wizard) and specified a domain user account in the "The following user or group can join this computer to a domain". The domain account can join domain but also can modify the computer name (Simply change the computer name in the Windows client, the computer account will be modified after reboot). Do anyone know what is the minimum security settings of the computer account object so that the domain account can only have join domain privilege, no others, especially change the computer account name? TIA M C Tag: ADAM Tag: 134315
  - 7
    - Problem After Creating Home Folder with vbs script Hello, I have a script that creates users, assigns them to security groups and creates and sets a home folder. Here is an excerpt: 'Create home folder Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFolder = objFSO.CreateFolder("\\terra\home\2010\" & strSAMAccountName) 'Set permissions Set oShell = wscript.CreateObject("Wscript.Shell") oShell.Run "%COMSPEC% /c Echo Y| cacls \\terra\home\2010\"& strSAMAccountName & " /t /e /g Administrators:F "& strSAMAccountName & ":C /R Students", 2, True 'Set home directory and home drive objNewUser.Put "homeDirectory", "\\terra\home\2010\" & strSAMAccountName objNewUser.SetInfo objNewUser.Put "homeDrive", "H" objNewUser.SetInfo At the end of the script, everything looks good. Permissions are set properly. However, on first logon, the folder does not map in the login script. When the user tries to get to their home folder manually, xp throws a message about access to the resource being disallowed. I can fix it by going into AD Users and Computers, setting the home folder to local, applying it and then setting the home folder back to where it is supposed to be. (I'd rather not do this for the 100 plus students and users that we get at the beginning of each year. Thanks for your ideas. Steve Ediger Any ideas? Tag: ADAM Tag: 134311
  - 8
    - Useracc dissapeared resulted in a disconneted mailbox Hi all Environment: Windows 2003 SP2 AD (No SBS2003), Exchange 2003 SP2, Win XP Clients w SP2 Problem: An AD useraccount dissapeared, no information about HOW, resulted in a lost account and a disconnected mailbox. Solution: Recover the exchange db to e RSG and recover the mailbox, accociated It to a new created user and reconnected it. Q: (I need to now what may have resulted in a deleted account when no admin with rights and knowledges has been logged on to the one Exchange server with Exchange tools, and not ot a server with ADUC tool.) 1.) Has anyone any knowledge of bugs, issues, faulty third party apps that might cause this scenario of the deleted usser account? 2.) Most important, How can I, afterwards, search how this might have happened with the deleted/removed user account (where, how, what tools etc.)? I need to find out if the account was deleted by a user and If so, who. Secondly, If not a user, what and why. Pls, any help would be highly appreciated. In this thread, suggestions of improvements are not wanted at the moment (I know that my enviroment Is poorly set up and not properly configured, will create other threads for that). TIA Henrik (Hear), MCP-SBS Tag: ADAM Tag: 134308
  - 9
    - 2003 Server Internet DNS configuration I have 26 web sites hosted on my own web server that are public to the internet. I have 2 servers, NS1 and NS2. NS2 runs Apache web server. I would like to know if it is necessary for the domain DNS (ns2.company.net) entry to be Active Directory-Integrated. All the rest are simply primary and secondary. Tag: ADAM Tag: 134297
  - 10
    - Folder redirection - client's profiles on multiple pcs We're looking at implementing folder redirection in an already well-established client estate. The implementation guidelines are always drawn up with the assumption of a greenfield site, or a relatively uncomplicated one-machine-per-user setup. The issue we have is where the same user might log on to several machines, and may have files scattered across these. Certainly we may have the case where exchange has invited the user to autoarchive their email onto the local hard disk, and so they will have two or more machines where a user has an "archive.pst" sitting. How does folder redirection work for a user, where their folder has already been redirected from one machine? Does it look for and use the redirected folder if it exists, regardless of the local profiles? Can they get to any files on the local machine? Thanks for your help! Tag: ADAM Tag: 134295
  - 11
    - email address as login name I want to grant external users access to resources in our domain. Is it possible to register these users with their usernames being their own custom email addresses? How is Microsoft doing it with their passport authentication? Tag: ADAM Tag: 134293
  - 12
    - KCC error This is a multi-part message in MIME format. ------=_NextPart_000_0015_01C90079.ECDE3C40 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I'm configuring a additional Domain Controller, however some error = appear. The environment: UK Network and have a VPN connection to HK The dcpromo process is complete without any error and the DC is appear = at the "Active Directoty Users and Computers" Snap-ins. The erro appear = at the Event Viewer The attempt to establish a replication link for the following writable = directory partition failed.=20 =20 Directory partition:=20 CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 Source domain controller:=20 CN=3DNTDS = Settings,CN=3DLONDONFILE,CN=3DServers,CN=3DKCALONDON,CN=3DSites,CN=3DConf= iguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 Source domain controller address:=20 43126dc7-4083-4e14-9a77-eade6892a697._msdcs.kcacad.co.uk=20 Intersite transport (if any):=20 CN=3DIP,CN=3DInter-Site = Transports,CN=3DSites,CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 =20 This domain controller will be unable to replicate with the source = domain controller until this problem is corrected. =20 =20 User Action=20 Verify if the source domain controller is accessible or network=20 and Event Type: Information Event Source: NTDS Replication Event Category: Replication=20 Event ID: 1557 Date: 8/17/2008 Time: 2:43:02 PM User: NT AUTHORITY\ANONYMOUS LOGON Computer: KCAHKFS Description: The local domain controller has not completed a full synchronization of = the following directory partition. The local domain controller will not = be advertised to clients by the domain controller locator service until = this task is completed.=20 =20 Directory partition: DC=3Dkcacad,DC=3Dco,DC=3Duk=20 =20 An attempt to complete a full synchronization of this directory = partition will be tried again later. For more information, see Help and Support Center at = http://go.microsoft.com/fwlink/events.asp. It seems something wrong to synchronize the domain informations. Is any = one have ideas about this? ------=_NextPart_000_0015_01C90079.ECDE3C40 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.6000.16705" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY> <DIV><FONT face=3DArial size=3D2>I'm configuring a additional Domain = Controller,=20 however some error appear.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>The environment:</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>UK Network and have a VPN connection to = HK</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>The dcpromo process is complete without = any error=20 and the DC is appear at the "Active Directoty Users and Computers" = Snap-ins. The=20 erro appear at the Event Viewer</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><STRONG><FONT color=3D#ff0000>The = attempt to=20 establish a replication link for the following writable directory = partition=20 failed. <BR> <BR>Directory partition:=20 <BR>CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk <BR>Source domain = controller:=20 <BR>CN=3DNTDS=20 Settings,CN=3DLONDONFILE,CN=3DServers,CN=3DKCALONDON,CN=3DSites,CN=3DConf= iguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 <BR>Source domain controller address:=20 <BR>43126dc7-4083-4e14-9a77-eade6892a697._msdcs.kcacad.co.uk = <BR>Intersite=20 transport (if any): <BR>CN=3DIP,CN=3DInter-Site=20 Transports,CN=3DSites,CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk = <BR> <BR>This=20 domain controller will be unable to replicate with the source domain = controller=20 until this problem is corrected.  <BR> <BR>User Action = <BR>Verify if=20 the source domain controller is accessible or network</FONT></STRONG>=20 </FONT></DIV> <DIV><STRONG><FONT face=3DArial color=3D#ff0000 = size=3D2></FONT></STRONG> </DIV> <DIV><STRONG><FONT face=3DArial size=3D2>and</FONT></STRONG></DIV> <DIV><STRONG><FONT face=3DArial color=3D#ff0000 = size=3D2></FONT></STRONG> </DIV> <DIV><FONT face=3DArial color=3D#ff0000 size=3D2><STRONG>Event=20 Type: Information<BR>Event Source: NTDS Replication<BR>Event=20 Category: Replication <BR>Event=20 ID: 1557<BR>Date:  8/17/2008<BR>Time:  2:43:02=20 PM<BR>User:  NT AUTHORITY\ANONYMOUS=20 LOGON<BR>Computer: KCAHKFS<BR>Description:<BR>The local domain = controller=20 has not completed a full synchronization of the following directory = partition.=20 The local domain controller will not be advertised to clients by the = domain=20 controller locator service until this task is completed. = <BR> <BR>Directory=20 partition:<BR>DC=3Dkcacad,DC=3Dco,DC=3Duk <BR> <BR>An attempt to = complete a full=20 synchronization of this directory partition will be tried again=20 later.</STRONG></FONT></DIV> <DIV><FONT color=3D#ff0000><STRONG></STRONG></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><STRONG>For more = information,=20 see Help and Support Center at </STRONG></FONT><A=20 href=3D"http://go.microsoft.com/fwlink/events.asp"><FONT=20 color=3D#ff0000><STRONG>http://go.microsoft.com/fwlink/events.asp</STRONG= ></FONT></A><FONT=20 color=3D#ff0000><STRONG>.<BR></STRONG></FONT></FONT></DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><FONT = color=3D#000000>It seems=20 something wrong to synchronize the domain informations. Is any one have = ideas=20 about this?</FONT></FONT></FONT></DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><FONT=20 color=3D#000000></FONT></FONT></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><FONT=20 color=3D#ff0000> </DIV></FONT></FONT></BODY></HTML> ------=_NextPart_000_0015_01C90079.ECDE3C40-- Tag: ADAM Tag: 134292
  - 13
    - Suddenly DHCP server service can't start I'm getting the following errors: Event ID 1008 The DHCP service failed to start as a RPC server. The following error occurred : Not enough resources are available to complete this operation. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event ID 1008 The DHCP service is shutting down due to the following error: Not enough resources are available to complete this operation. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Anyone has a clue??? Thanks Tag: ADAM Tag: 134289
  - 14
    - GPO for MS office? I need a GPO for MS office 03/07 where can I download it from? Tag: ADAM Tag: 134276
  - 15
    - promot 2003 sp2 to dc We have a 2003 DC and we want to promote a 2003 sp2 server to a dc. A message came up that we need to run adprep. would we take the adprep.exe from the sp2 server and run that on the 2003 dc? If we upgrade the 2003 dc to sp2 does it negate the need to run adprep? many thanks Ali Tag: ADAM Tag: 134275
  - 16
    - adprep Hi I need to run adprep to allow a DC promotion. When can I find a whitepaper detailing what adprep does and available options etc... Regards Craig Tag: ADAM Tag: 134271
  - 17
    - ADAMSync Problem with userProxy and SID? Dear all, I want to setup AD to ADAM sync and everything works fine so far. But during /sync command I get following error: Processing Entry: Page 1, Frame 1, Entry 10, Count 1, USN 0 Processing source entry <guid=bfbd971e58030f43abcabf91bfa284c9> Processing in-scope entry bfbd971e58030f43abcabf91bfa284c9. Adding target object CN=XXXXXXXXX,OU=USERS,OU=XXXXXXXXXXX,DC=XXXX,DC=XXXX,DC=XXXXX,DC=com. Adding attributes: sourceobjectguid, sn, c, l, title, description, postalCode, postOfficeBox, physicalDeliveryOfficeName, telephoneNumber, givenName, instanceType, displayName, co, department, company, streetAddress, userAccountControl, codePage, countryCode, primaryGroupID, objectSid, accountExpires, sAMAccountName, userPrincipalName, mail, mobile, lastagedchange, objectclass, Ldap error occured. ldap_add_sW: Unwilling To Perform. Extended Info: 000020E7: SvcErr: DSID-03152AA9, problem 5003 (WILL_NOT_PERFORM), data 1317 With option /force -1 all OUs and so on are created successfully. Only user objects will not be created and result in same error above. It could be something with the objectSID as stated in this link http://microsoft-programming.hostweb.com/TopicMessages/microsoft.public.metadirectory/2055221/1/Default.aspx But I've no idea how to resolve this! As background: The server which is running ADAM is not in the source domain of this snyc process. It's not in a domain at all. Thanks for any help in advance! Marc Tag: ADAM Tag: 134262
  - 18
    - DNS change changes back by itself I changed a DNS entry on a test domain, and when I ping the machine name from that server, I get the proper (new) ip address back. When I ping it from anywhere else, I get the old value (the one I changed it from) back. It never seem to replicate properly, so I never get the new value when I ping it from anywhere except the DNS server on which I made the change. After a while, it changes back to the old entry on the DNS server where I made the change. Tag: ADAM Tag: 134258
  - 19
    - Limit on AD fields? Is there a limit on the amount of characters that can be entered in physicalDeliveryOfficeName ('Office' field)?? We use qwests active roles and I receive an error when entering more than 128 characters. I do not see any policies in Active Roles to limit this. Thanks! Tag: ADAM Tag: 134250
  - 20
    - Security for Active Directory LDAP Utilities Any articles I can read on how to be able to tighten the ability for "any" users to query Active Directory and modify it with the command line utilities and LDAP? How to create groups that only access using this service? Tina Tag: ADAM Tag: 134243
  - 21
    - Additional Domain Controller requirement. I have Win2k3 Ent. Edition with SP1 running as Domain Controller holding all five roles.I have other member server with Win2k3 Standard SP2 running SQL Server 2005 with CRM server.I want to make this machine ADC of root domain controller alongwith making it a global catalogue server. suppose after making this changes successfully, will my exchange server 2003 running on separate machine able to function correctly in case my root domain controller cease to function correctly. Furthermore, making a server ADC running SQL Server 2005 and CRM is recommended or not since i have only this machine to make it ADC? THis machine is located within same LAN not across another SITE. regards Tag: ADAM Tag: 134239
  - 22
    - Move users between DL's? Is it possible, preferably using some tool, to move users from one distribution list to another? Tag: ADAM Tag: 134237
  - 23
    - GUI for ADAM Hi, Is there a GUI available for ADAM? Tag: ADAM Tag: 134235
  - 24
    - replication and smtp address problem Hi, When i want to replicate with a dc in my forest i get the error below. That domain can replicate from my domain, but i cannot replicate from that domain. I couldn't solve this problem, has anyone got an idea? --------------------------- Replicate Now --------------------------- The following error occurred during the attempt to synchronize naming context ForestDnsZones.xxx.root from domain controller XXXXXSERVER1 to domain controller XXXDC1: The naming context is in the process of being removed or is not replicated from the specified server. This operation will not continue. --------------------------- OK Tag: ADAM Tag: 134229
  - 25
    - Cannot login to domain controller The problem: "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance." For the most part everything is working fine. Occasionally Iâ??ll get the above message and I can fix it by leaving the domain and joining it again. Sometimes the problem will come back in a few days, sometimes weeks later. On other workstations after correcting it once the problem never returns. I donâ??t see any errors generated in the workstation or domain controller event logs. The workstation has the correct DNS for the domain controller. It can ping the DNS controller. It can leave and join the domain with no problems at all. The problem seems to happen mostly to laptop users that take their PC away from the domain for a few days, but itâ??s not isolated to these users. It has happened to desktop users too. The server is running Windows Server 2003 R2. Itâ??s connected to another domain controller via a VPN using Logmein Hamachi. I have another location with the same configuration with but it does not experience the same problems. Any ideas on what can be causing the problem? Tag: ADAM Tag: 134228

We have our GAL that has user information added through AD for say addresses,
phone numbers, etc., which changes frequently so I would like to assign a
user the responsibility of keeping this updated. This user is not an
administrator the person to do the updating is a domain user. Would using
ADAM be the best way to allow the user to update the data in AD without
giving the user domain administration priveleges?

I am kind of confused on whether to install ADAM on one of our servers or on
the users workstation. We run Server 2003 and the workstation is Windows XP
Pro.

Will using the ADAM allow the user to only be able to change certain user
information fields without giving the user free reign on the AD?

Where would my search start I have downloaded and went over Microsoft's step
by step guide but I have a lot of questions and no one readily available to
answer them.

Thanks in advance for the help.

Top

Re: ADAM by Joe

Joe
Tue Aug 19 11:02:51 PDT 2008

No, this is not what ADAM does. ADAM is just an LDAP-based application
directory. It doesn't really have anything to do with AD except that they
use a lot of the same code and it is possible to copy data between them
using synchronization.

It sounds like what you want to do is to delegate specific permissions to
this user to allow them to update the attribute values that end up in the
GAL without making them an administrator. Reading the various
documentation/whitepapers on delegation of permissions in AD would be a good
start.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"DonN" <DonN@discussions.microsoft.com> wrote in message
news:FCB74594-691F-431B-ADB2-5B0A40D2B9C0@microsoft.com...
> We have our GAL that has user information added through AD for say
> addresses,
> phone numbers, etc., which changes frequently so I would like to assign a
> user the responsibility of keeping this updated. This user is not an
> administrator the person to do the updating is a domain user. Would using
> ADAM be the best way to allow the user to update the data in AD without
> giving the user domain administration priveleges?
>
> I am kind of confused on whether to install ADAM on one of our servers or
> on
> the users workstation. We run Server 2003 and the workstation is Windows
> XP
> Pro.
>
> Will using the ADAM allow the user to only be able to change certain user
> information fields without giving the user free reign on the AD?
>
> Where would my search start I have downloaded and went over Microsoft's
> step
> by step guide but I have a lot of questions and no one readily available
> to
> answer them.
>
> Thanks in advance for the help.

Top