Kerberos Authentication

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - Folder Redirection So, I set up the Default Domain Policy under Group Policy Management in Server Manager in Windows Server 2008 for Folder Redirection. The settings I chose were Basic (Redirect everyone's folder to the same location), and under Target Folder Location, "Create a folder for each user under the root path" was chosen. The Root Path is set as \ \SageRealtyDC.SageRealty.local\SageRealtyUsers. I set up SageRealtyUsers as a Share and gave Everyone Full Control. From most of what I read on the subject of Folder Redirection, this should create a folder in the SageRealtyUsers folder when the user logs in using this new policy for the first time, and copy the My Documents folder there. That is not happening. Am I assuming wrong? Do I need to manually create the user folders myself? Tag: Kerberos Authentication Tag: 134044
  - 2
    - Slow Log off scripts when laptop is off the domain network Hi all, We have log off scripts set on one of our GPOs. When laptops are taking off the network, they take ~10-20 minutes to shutdown as they get "stuck" at the "running log off scripts". My guess is that it keeps looking for our DCs but since the laptop is not on the network, it doesn't find them an eventually times out. Is there a way to resolve this either by changing a setting that will bypass the log off scrips when not on the network or by reducing the timeout value? Thanks Tag: Kerberos Authentication Tag: 134042
  - 3
    - Can a win2003 become a BDC for NT4 PDC? Hi, Is there any article that explain how can a windows 2003 box become a BDC for a NT4 PDC? Any help would be appreciated, Max Tag: Kerberos Authentication Tag: 134037
  - 4
    - How Do You Verify The Last Domain Controller in a Window2003 Fores Hi All, How would you verify this? I googled and could not find any links. TIA, Zoey Tag: Kerberos Authentication Tag: 134024
  - 5
    - Infrastructure role - how intensive? Hi there, We've got our domain. It's got 3 sites (as set up in sites and services). We have 4 domain controllers as follows: 1. Site A - DC_A 2. Site B - DC_B 3. Site C - DC_C and DC_D (A virtual server) Now - A, B and C are GCs because they are each in their own site. C holds the majority of the roles. I know the infrastrcuture role should not be held on a GC so i've got it on D. Is this correct? How intensive is this role? I'd rather not stress a virtual machine you see -rather it just be there as the backup. Thanks, Tag: Kerberos Authentication Tag: 134017
  - 6
    - Event Dear, i want to write self define event for event viewer. How it is possible. rgds. Nasir karim Tag: Kerberos Authentication Tag: 134016
  - 7
    - How to change My Documents folder location for all domain users Hi all, I have configured Samba - PDC on ubuntu 8.04 and winXP clients. Domai logins are working without any problem. How do i map the My Document folder to a network drive for all users. I know you can do this if i wa using a ADS on Windows. But, i don't have an ADS on windows but a PDC o Linux. Is there a tweak on winxp where i can redirect the my documents folde to a network drive no matter which user logs into the machine. Thanks Avinas -- Avinash.Ra ----------------------------------------------------------------------- Avinash.Rao's Profile: http://forums.techarena.in/members/avinash-rao.ht View this thread: http://forums.techarena.in/active-directory/1019091.ht http://forums.techarena.i Tag: Kerberos Authentication Tag: 134008
  - 8
    - After demoting a DC (sites and services) Hi, I did a DCpromo today on an old box that is being removed. In sites and services I can still see the server there (but obviously no replication partners). The dcpromo demotion was sucessful. Does it just take a while before it removes the object from sites and services? Thanks, Tag: Kerberos Authentication Tag: 134002
  - 9
    - Event Log Dear All, how we can generate an event if a active directory user cut or copy data in domain environment. Rgds Nasir karim Tag: Kerberos Authentication Tag: 134001
  - 10
    - How can I change the font size of the log-on message text I have used group policy to set a message text for users attempting to log on in my Windows 2000 domain controllers. How can I change the font size to a bigger one? I cannot find any option in the group policy setting in doing so. Tag: Kerberos Authentication Tag: 133999
  - 11
    - Problem with GROUP report - Domain Users ( more than 15 000 member I have on Windows 2003 AD ( Native Domain and Forest 2003 ) problem with report members ( for example all ba* users ) from group Domain Users. There is more than 15 000 users in AD. Dsget group -member or VBS ( memberof ) return empty results. As temporary solution i'm checking all users account for primaryGroupID atribut ( value 513 ) Is there any chance for direct report from Domain Users group ? Marek Chladek Tag: Kerberos Authentication Tag: 133997
  - 12
    - Domain login problem after AD restore Hope you guys can give me some pointers here. The client is a school and these are the details of the issue: The main server (â??server1â??, for staff) was derived from earlier NT4 box that has been upgraded and moved around over the years. It had exchange 5.5 and was then upgraded first to windows 2000, then exchange 2000. It's hard disk has been cloned and moved into a newer server. It was once the only server, 18 months ago it was upgraded to server 2003R2, with some difficulty from exchange 2000 failing. Its been stable for 18 months. Server2 (for pupils) was added at some point after the first win2k server came, and was a domain controller and global catalog with server in the domain â??schoolâ??. All master and schema roles etc were on server1. At the end of last term I tried to upgrade exchange to 2003. It failed due to the domain controllers not being in sync. Looking at the system logs there has been a problem since April 14th. In looking at the AD connector on exchange 2000 a permissions message was returned. At this point the users disappeared from server1, but were still ok on server2. Backups were taken and a third server (server3) introduced, with some success. The exchange data was moved to server2. Foolishly I then tried to upgrade the exchange here, and guess what, the users disappeared on server2 and server3! I then restored the AD from server2 from July 18th back to server2 (server1 had shadow copy in backup exec but no system state backup). I forcibly did a dcpromo /remove on server1, so itâ??s a standalone as there did not seem much point in keeping it, I regret it now. The users reappeared on server2, and with a little more configuration it looks good, you can create new users (there are around 200) and share folders etc. All the shares are correct. The exchange data is however â??stuckâ?? here as the AD restore also restores the registry, so this is another issue! The main problems are that you cannot login to server2, even though it claims to be a DC with all roles â?? things like netlogon, sysvol share etc are all there. You cannot join server1 (or server3) to the domain. You cannot run a terminal server session on it. You can login on a workstation, but it's so slow its obviously not right (dns screams at me here?) Nslookup fails on any other server looking at server2 as dns. If you ping server2â??s fqdn it fails (but it's ok on server2 itself). Dcdiag and event logs show very little to help. Just wondering if anyone can give me some pointers. I have eliminated any physical possibilities like NIC drivers, switching, cabling etc and am pretty sure it's DNS (things like this always seem to be DNS!) but I am kind of banging my head against a brick wall here. In essence, I need to get Server2 to accept logins and allow server1 (or server3) to be a AD server. Then I can tackle the Exchange issue on server2. Thanks a lot guys. Tag: Kerberos Authentication Tag: 133992
  - 13
    - keytab multiple SPN-s How can I generate keytab file for unix service with multiple SPNs? I don't want to produce lot of service accounts and prefer having similar services with one service account and keytab file with multiple SPN. Tag: Kerberos Authentication Tag: 133991
  - 14
    - Group name not updating when accessing from Outlook Calendar Hey, I have a bunch of Groups in AD with various members in each. When I open Calendar in Outlook (Office 2003) and click Share My Calendar, I'm able to add Users or Groups. However, for some reason when I add a new Group or edit the name of an existing group to something else, the change is not being picked up and I'm not able to find/select this new Group to add. I am able to edit a Group name, search for the old name, add it and it will show the new Users that I have added to the Group, however I really want to be able to add new Groups as well. Any ideas? Thanks! -- Duracelll ------------------------------------------------------------------------ Duracelll's Profile: http://forums.techarena.in/members/duracelll.htm View this thread: http://forums.techarena.in/active-directory/1018953.htm http://forums.techarena.in Tag: Kerberos Authentication Tag: 133986
  - 15
    - Any good books/resources for ADAM and AzMan? Hi, What are the good books/resources to learn ADAM and AzMan? I searched Amazon.com and I couldn't find any! Any help would be appreciated, Max Tag: Kerberos Authentication Tag: 133965
  - 16
    - Script to read Computers in AD Hi, I need some help with this script. I've been trying to read a file with computer names, have it select the computer and write the Name and Description to a file. I can get the Name and write it to a file, but I can not seem to get the Description. Here is my code: ********************************************** On Error Resume Next Const ADS_SCOPE_SUBTREE = 2 Const ForReading = 1 Set objConnection = CreateObject("ADODB.Connection") Set objCommand = CreateObject("ADODB.Command") objConnection.Provider = "ADsDSOObject" objConnection.Open "Active Directory Provider" Set objCommand.ActiveConnection = objConnection objCommand.Properties("Page Size") = 1000 objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFile = objFSO.OpenTextFile("C:\admin\Computers.txt") Set objFS = CreateObject("Scripting.FileSystemObject") Set objNewFile = objFS.CreateTextFile("fsoutput.txt") Do Until objFile.AtEndOfStream strComputer = objFile.ReadLine objCommand.CommandText = "SELECT Name, Description FROM 'LDAP://DC=fabrikam,DC=com' " & _ "WHERE objectCategory='computer' AND Name = '" & strComputer & "'" Set objRecordset = objCommand.Execute If objRecordset.RecordCount = 0 Then objNewFile.WriteLine strComputer & " does not exist." Else objNewFile.WriteLine strComputer & " " & objRecordSet.Fields("Description").Value End If Loop objNewFile.Close ***************************************************** Any help is greatly appreciated. Tag: Kerberos Authentication Tag: 133959
  - 17
    - folder redirection error My Setup: Windows Server 2003R2 File Server Active Directory Domain I have a policy set up to redirect the user's my documents to their 'home folder' On the user's account properties their home folder is set to 'connect u to' \\usd\homedirs\staff\hs\%username%' for example. So I have my user s home folder pointing to the home folders share via dfs. The folder was created by AD This works perfect with windows xp my users documents are redirected no problem. In windows vista this is not the case. The documents are not being redirected, in sync center there is an error staff (\\usd\homedirs) - Access is denied. Why would this be happening? What is different about the way vista does folder redirection that could cause it to work in xp but not vista and appear to be a permission issue? Tag: Kerberos Authentication Tag: 133958
  - 18
    - View number of objects in entire OU? Is there a way within AD to show the number of objects within a certain OU including sub containers? I know if I go to each subcontainer it will show the number but I would like to be able to click the upermost OU and then be able to set the type of objects to count and then get that total. Can this be done? This is a 2003 native domain. Thanks! Tag: Kerberos Authentication Tag: 133956
  - 19
    - Filtering on a Security Group to Apply a Group policy Instead of applying a Group Policy to an OU, what is the proper way to apply it to just a security group of users or computers to ensure the policy is no applied to any other computer or user. If you have a good article. I am reading about how to apply but does it really work without affecting other computers or users? This is because moving users or computers in and out of a specific OU that has policy's attached to it causes custom applications to break that are tied into Active Directory. tina Tag: Kerberos Authentication Tag: 133954
  - 20
    - adfind search using adfind what would be the best way to show a single users attributes adfind -default -f "(&(objectcategory=person) (objectclass=user))" ????? Tag: Kerberos Authentication Tag: 133952
  - 21
    - Failed DCPROMO?? This morning to promo'd out what I believed to be a NT BDC promoted to PDC, then upgraded to Win2000. The demotion I guess went ok, users can log in, no calls etc . . But when I look at our AD-DNS, the old DC is still listed as a name server. When I look at ADSites and Services, he's still listed in my site, but there is no NTDS listed. If I look at Computer Mangement\Sessions there are a handful of users connected, but no open files. And what's the deal in Sites and Services when links aren't automatically created? I forget. But I have a handful of links that were manually created... So - should I wait for my four sites to replicate for that old DC to drop out of DNS, and sites and services or do I have a problem?? Tia, RandyH Tag: Kerberos Authentication Tag: 133947
  - 22
    - Default Homepage IE6 We use the Default Domain Policy GPO that changes the default home page and doesn't allow the end users to change it. We now have a need to exclude 1 specific user from this policy. So I stuck them in a new OU and told that OU to block inheritence so that we could change the default home page. No luck. Any suggestions on how to do this? Mike Tag: Kerberos Authentication Tag: 133946
  - 23
    - Converting LastLogonTimestamp to a readable format Hi Everyone I have done a dump of directory attributes using csvde. One of the attributes Im after is the lastlogontimestamp which is obviously in an interger8 format. How do I convert this to a normal readable date format? I don't want to run other scripts against our AD. I would rather have a script that ran against the export file if there is one. I do seem to remember being able to use Excel to convert this to a readable format but I can't seem to get this to work now. Your help is appreciated Tag: Kerberos Authentication Tag: 133926
  - 24
    - Rename a DC Hi, I've got a DC that i wish to change the name of (I have a few other DCs within this domain). How would i go about this? Any issues in doing this? Thanks, Tag: Kerberos Authentication Tag: 133921
  - 25
    - change a global group to a domain local group Hello, It is not possible to change a global group directly to a domain local group however it is possible to change the global group into an universal group and then change the universal group into a domain local group. There are people that say that it is not a recommended way to do this, other say that it is no problem. I can imagin that there will be problems when GC's are nested in other groups. But if the groups are not nested, what kind of issue's can I expect? Can anyone give me some feedback or links where I can find more information about this subject? Kind regards, Peter van der Laarse Tag: Kerberos Authentication Tag: 133919
- Next
  - 1
    - server 2000 (single domain name) to server 2008 migration + domain rename So I have a windows 2000 domain controller with a single label domain name. Nobody uses it as a domain controller, just to access shares stored on it. but now we need to migrate it to windows 2008 and make it work like a domain controller without loosing the user passwords and share permissions. (all users have accounts on it, they just type their passwords when accessing shares). I tried to add a secondary domain controller with windows 2008 to it and wanted to rename it later. but even after transfering all the roles to it it didn't work. Tried to follow this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;300684 about working with single domains. But that broke my DNS server, it won't start anymore. and doesn't start after reverting the changes also. dcdiag says that Global Catalog, PDC, and KDC could not be found. The DNS zone was active directory integrated. I do have backups, so I could try to do this again if I can find out where did I go wrong an what precautions should I take next time. THenks. -- zux ------------------------------------------------------------------------ zux's Profile: http://forums.techarena.in/members/zux.htm View this thread: http://forums.techarena.in/active-directory/1018297.htm http://forums.techarena.in Tag: Kerberos Authentication Tag: 133918
  - 2
    - Documentation/Tutorial for anyone new to Active Directory Anyone just getting started with Active Directory may find the two documents available for download near the bottom of the page at http://members.shaw.ca/bsanders/WindowsGeneralWeb/DomainAndActiveDirectory.htm interesting or helpful. Installing Windows Server 2008 and making it a Domain Controller - explains how to configure a simple network, install Windows Server 2008 and make it a Domain Controller for a new domain in a new forest. Getting started with Windows 2008 Domains - explains Domain concepts and objects plus detailed instructions setting up a "starter set" of OUs, user accounts, groups, and GPOs, including delegation of authority within Active Directory. No adds, no gimmicks; just some hopefully useful information derived from some years of experience. Comments and suggestions are welcome! -- Bruce Sanderson http://members.shaw.ca/bsanders It is perfectly useless to know the right answer to the wrong question. Tag: Kerberos Authentication Tag: 133910
  - 3
    - Group Policy Windows 2000 domain Security Page-Site to Zone assign I have a Windows 2000 active directory domain and I would like to set the following group policy settings. Group Policy-User Configurations-Administrative Templates-Internet Explorer-Security Page-Site to Zone assignment List But I am unable to find this settings in the current group policy. How do I go about it? This setting is available in XP local policy. Thanks Tag: Kerberos Authentication Tag: 133909
  - 4
    - Display the user permission on a share folder Hi, Is it possible to scan the share folder and report the user permission on that folder? I ever tried the "ShareEnum" and it only showed the domain login name. Possible to show the User Name (from AD) instead of the login name? thanks huang Tag: Kerberos Authentication Tag: 133906
  - 5
    - 1 user gets no logon server at logon attempt I have an XP pro sp2 in an AD network. when 1 user attempts to logon to the domain she gets no logon server available. Other users can logon that machine. No restrictions for that PC or user. What could cause this? corrupt profile is about all I can think of. Carl -- Tag: Kerberos Authentication Tag: 133905
  - 6
    - ADSI Get Users Groups I have a linked server setup so that I can query Active Directory and ADAM. I have veiws for Users and Groups, and have even written a query to return the members of a given group. The problem is, I need to write the reverse, a sp to return the groups a given user is a member of. Does anyone know how to do this? Environment is SQL Server 2005, Win 2K3 R2. Thanks, Mark Faulcon Tag: Kerberos Authentication Tag: 133902
  - 7
    - Granting user right to add workstations to domain? I have a helpdesk technician who needs to be able to add new workstations to the domain. This person does not need domain admin rights, only this particular right. I'm trying to make sure that he can do this without any trouble, so I'm looking for advice on best practices? I see that I can add him here: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Is this the best method though? I've been reading the specifics of this in the "Explain This Setting" tab and it's a little murky... Apparently, Authenticated Users can add up to 10 workstations already? Didn't realize that, but what gets me is part about who is owner of the account once it's created? Anyway, can somebody explain this to me, or maybe give me another alternative? Thanks! Tag: Kerberos Authentication Tag: 133900
  - 8
    - 2003 DC hangs at 'applying computer settings' on reboot I have a strange problem. 1 of 2 DCs (not the PDCe or FSMO) rebooted/crashed yesterday and it looked like a power failure as the reason came up unknown and there were no errors/warnings in event log. I also checked the HP logs as this is a Proliant server ML350. I removed the network connection and it booted up OK- notwithstanding the expected errors. I was able to start the sevrices manually and get the DC online. Now I am trying to find the problem. I am leading towards a GP or DNS issue. Otherwise, the only possible issue was that it had been pointing to itself as the time source and not the PDCe. I corrected that but didnt reboot yet as I am letting it run overnight. Anything else possible with above scenario- oh, I know about the old APC issue and we fixed that years ago. Much regards Cranky Tag: Kerberos Authentication Tag: 133895
  - 9
    - Backup/restore ADAM database Hi, Is there a way to backup/restore only the ADAM database (including passwords) without backing up/restoring the system state ? (the instance may be created manually or by a script before prior to restoring the database). I tried to check this by backing up on machine1 and then trying to restore it on machine2 in the most straight-forward way, but obviously this doesn't work: 1) Backup the database files (%program files%/%instance dir%) on machine1. 2) Install an instance (manually / using a script) on machine2. 3) Copy the backup file from machine1 to machine2. 4) Stop the instance service on machine2. 5) Try to restore the database on machine2. 6) Start the instance service on machine2. --> The service starts and then immediately stops. Is there a way to do this? Tag: Kerberos Authentication Tag: 133889
  - 10
    - DHCP Server Reboots and Acts Like Domain Controller We have a Windows 2000 DHCP controller with two scopes that was well-behaved for about 18 months. We rebooted it today after a power outage and we got a rude awakening when the computer refuses to reboot giving a modal dialog on reboot that says something like: "Directory services could not start because of the following error: the event log is corrupted. Error status: 0xc00018e." So what is interesting here is that this is a dedicated DHCP server and is NOT a domain controller. The DHCP server has woken up as a domain controller, or at least it is attempting to become one. No one ever attempted a DCPROMO on this computer. If you hit OK on the dialog the computer reboots. If you attempt to boot in safe mode, the computer will not reboot and gives the same modal error. If you reboot in directory services recovery mode, it becomes quickly obvious that the event viewer logs are NOT corrupted in any way. You can wipe them clean and start them all over and it won't change the behavior in any way. If you scan the event logs while logged into the directory services recovery mode, what is strange is that the Directory Services log has one message that is an error 1473 that says something like: "Intersite Messaging Service failed to read the configuration of the Intersite Transports out of the Directory." and the reason given is the computer doesn't have authority. So this message further reinforces the idea that the DHCP server is trying to behave similar to a domain controller. This is the second time in six months we have lost a DHCP server to this behavior. The first time it was a Windows 2000 DHCP server in a lab environment. Does anyone have any insights on how a computer gets into this strange mode and how we can reverse the behavior to recover the computer as a member server? -- Will Tag: Kerberos Authentication Tag: 133886
  - 11
    - tool to list DCs I have a couple of XP sp2 clients who are unable to login to the domain. They get 'there are currently no logon servers' When I login to these machines as local admin I can see the domain and all resources- after entering proper credentials. I was looking for a tool to run from these machines to see what they see for logon servers for our domain Thnaks Arlie Tag: Kerberos Authentication Tag: 133873
  - 12
    - Active Directory "ignoring" Apple Macbook Pro Recently we attempted to bind an Apple Macbook Pro to Active directory. We accidentally named the MBP as the name of the Domain Controller. This, of course, set in motion a week's worth of fun. However, now that everything is fixed, this MacBook Pro is unable to access the exchange server while on the network through MS Entourage. It cannot be bound to the network. When attempting to do so we get an immediate response that there is no connectivity to the domain. However, the machine uses the network resources to browse the network, connect to windows shares, use networked printers, and connect to the internet. The laptop, when not connected to the network, can connect to the Exchange server. We have reset the computer in Active Directory, as well have having completely rebuilt the MacBook Pro. We're at a loss as to where Active Directory is somehow blacklisting or ignoring the machine. We thought it might be MAC address of the network interface, so for a few hours this morning the user was hard wired, vs wireless, and was working, however somehow that network interface is blocked now as well. Please help, as the user having the issues is the VP of IT. We are at a complete loss and tempers are starting to flare. :) Thanks. Tag: Kerberos Authentication Tag: 133869
  - 13
    - 2nd ldap server not authenticating in extranet We have an LDAP server in an extranet that authenticates users for web applications coming from multiple web servers in the same extranet. We are trying to have another LDAP server that is in place for failover purposes. I have this working and replication has been proven. However we have an ISAPI filter that allows us to use two ldap servers. They have to be enter by a tool and they have to be FQDN's . This has been done. However I can't seem to force authentication to the fail-over in a outage scenario. The management want an active-passive multiple ldap server setup. Not multiple authenticating ldap servers. I have called our supplier of the ISAPI filter they feel it is not their product and that it has something to do with my certificates ? Anyone got any idea's. I did not expect this to be such a headache. Tag: Kerberos Authentication Tag: 133865
  - 14
    - 1539 warning I am getting this on 3 new Dell 2950 domain controllers- warning-1539 the local domain controller could not disable the software-based disk write cache on the following disk: hard disk: c: data might be log during system failures. any reason for concern? raid-1 C:/D:, and raid-5 on remaining drives (e:). thanks. steve Tag: Kerberos Authentication Tag: 133860
  - 15
    - Profile issue I just built a latitude d531 with windows xp on it. The user logs in and can access file on the network. When he tries to rename a file on the network he gets access denies. I then log the user onto an inspiron 1150 and he is able to rename files on the network. I have also renamed his profile on the d531 and logged back in but still same issue. Any suggestions? Tag: Kerberos Authentication Tag: 133852
  - 16
    - Group policy if i apply Group policy on the parent domain. this is inherited on child domain or not??? Tag: Kerberos Authentication Tag: 133842
  - 17
    - Secondary DC failed Hello, In our small network (Windows 2003 Standard) , the secondary DC hardware failed and we can't bring that back. Now, we are planning to bring another box as a secondary DC. Failed DC was holding the GC, AD intergrated DNS and Wins. Could some one advice me how to remove the failed DC from the domain and add the new box as sencondary DC. Any advice will be appreciated. Thanks -- Eric Tag: Kerberos Authentication Tag: 133841
  - 18
    - Ping servers that are on secondary DNS server list? Hi, I have a domain trust between my domain (A) and another domain (B). On domain B I have created a secondary zone with the domain name of domain A etc and they and the list is populated. Now should I be able to ping ther server names that are in domain A from Domain B? In domain B if I type ping server1 I get no response, but if I type ping server1.domainA.com for example it works. Is this correct or do I need to add s DNS suffix to the users in domainB? Tag: Kerberos Authentication Tag: 133835
  - 19
    - Global Catalogue I have a small network with 3 servers. 1 is a PDC and the other 2 are members. When the PDC was last upgraded the Global Catalogue was not replicated to the new PDC, the old PDC is now decommissioned and removed from service. I am now receiving errors saying the Global Catalogue could not be contacted. If I look in AD I can still see the old PDC listed and it has the Global Catalogue ticked. How can I move the Global Catalogue to the new PDC now that the old PDC is no longer available. Can I just deselect this on the old and select it on the new or is there more work involved? Thanks in advance for any assistance you can provide. Tag: Kerberos Authentication Tag: 133823
  - 20
    - VBA Script execution in AD Hi, We have a novell 6.x enviroment. We are planning to migrate it to active directory. Before migration i need to understand key risks and issues to consider in terms of the migration of VBA Script execution (such as Excel macros) into an AD security environment. Please suggest if any known risks and issues exisit with VBA migration to AD. Thanks, Tag: Kerberos Authentication Tag: 133821
  - 21
    - Secondary DNS and DC caused networking problems.. HI.. Our organization had untill yesterday just one server acting as a DNS and DC.. Now we decided to get a new server and configure it as secondary server for this services.. So I installed Windows Server 2003 sp2. Then I installed DNS and configured it as a secondary DNS server, so it replicated the data from the first DNS server succesfully... Next I ran DCPROMO on this machine, and selected the options to make the server a secondary DC of the existing domain. Since then, some user started having networking problems.. for example when trying to access the Intranet, they wer asked for user credentials.. When running our ERP app which is based on AD authentication they were getting connection failure and things like that... This morning all our users started having this problems.. Only when I shut down the secondary server, all services started working again... Any ideas what can be happening here?? thanks.. Tag: Kerberos Authentication Tag: 133819
  - 22
    - Wallpaper Policy Hi, I intend apply a Desktop Wallpaper policy but I would like to know which level it must be applyed. Is it in Domain Level? Thanks. Luiz Tag: Kerberos Authentication Tag: 133816
  - 23
    - Windows Server 2008 Knowledge Base http://windowserver2008.blogspot.com Tag: Kerberos Authentication Tag: 133814
  - 24
    - RODC deployment in DMZ, I am in the middle of migration AD and Exchange. This environment will be AD 08 and exchange 2007 soon. The client is asking if RODC is supported in DMZ. I am not able to locate any information so far if MS is supporting the RODC deployment in Perimeter Network. I am aware of a risk putting RODC in DMZ â??The Read-only Domain Controller functionality in Windows Server 2008 (both full installations and server core installations) offers a one-way replication method for selected information from your internal network to the DMZ, with limited risk towards your internal network when the box gets compromised.â?? But Also I ran into this statement from MSFT 1. The site is not Physically Secure, 2. Need to reduce Attack surface (not replicating all password, not allowing outbound replication from the site). Also, Do *not* yet deploy RODC in DMZ or Internet. Microsoft will publish detailed guidance on the DMZ deployment sometime by mid-08 ... Follow that guidance for DMZ deployment For internet deployments - wait for a word from Microsoft - on the guidance http://forums.technet.microsoft.com/en-US/winserverDS/thread/e610a5d7-a198-43b3-90a7-fd33e1350cc6/ Does anyone has any experience or MS link refers to this subject, would be greatly appreciated Regards, Oz -- Oz Ozugurlu MVP (Exchange) MCITP (EMA), MCITP (SA) MCSE 2003, M+, S+, MCDST Security+, Project +, Server + oz@SMTp25.org http://smtp25.blogspot.com (Blog) Tag: Kerberos Authentication Tag: 133812
  - 25
    - Search for Vista Comp without Bitlocker Keys Hi All, Is there a way to search the AD for Vista Machine Objects that do not have a bitlocker key in the AD. And is there a way to search for them and export those that do with their key/s? Not much in the AD add in, I presume command line maybe or scripting may be required. Thanks much Tag: Kerberos Authentication Tag: 133810

When mapping a drive from a Windows XP client to another Windows XP client
and both are members of the same domain and both are correctly registered in
DNS they use NTLM authentication instead of Kerberos. This is happening for
all XP to XP mappings in the domain. If any of these same XP clients map to
a Windows 2003 Server OS they use Kerberos. Is the Server service required
for cifs service principle name registration? Should XP to XP mappings be
using Kerberos? Thanks.

Top