LDAPS authentication not working if use IP address instead of FQDN

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - Uncheck "Make Available Offline" All, In GP I have the policy ---Computer Configuration --> Admin templates --> Network --> Offline Files "Remove Available Offline" set to disabled. However, in any items in the My Documents folder (which is redirected to a network share), we can not uncheck that option on any files or folders. However, if I go to a drive mapping, make a folder or file available offline, I can uncheck it. What gives? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134645
  - 2
    - How to prepare for 70-294 AD certification exam? Hey I'm preparing for that 70-294 exam. Hence I'm reading about Active Directory. In addition I've set up a little domain here at home. In addition I read in this NG and imagine what I would have answered and then read what the experts here actually answered etc. I want to pass this exam also because it targets Windows Server 2003 Active Directory. At work we still uses win2k3 and also our clients uses win2k3. So I don't see any need to pass an exam on win2k8 AD. In addition I don't computers at home with the minimum requirements for running win2k8. I run win2k3 on a 450MHz Pentium3 For me it takes time to prepare for such an exam, it is alot to learn etc. But still I hear about people who uses only 1 week to prepare for an exam and pass it. Have also heard about people passing microsoft ceritification exam without even used the program the exam was about... So that let me to think maybe there are things I don't know regarding preparing for certification exams. I want to pass that exam as soon as possible. Anyone have any tips about how to prepare for that exam? Perharps you got a link to questions I can test my AD knowledge on? Questions similar to exam questions, not the same but it give me an impression on how the exam is. Jeff Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134644
  - 3
    - can see all group members via ADO but only a few via ADSI - total I have a group with 20-30 members. Now, the funny thing is that if I use a script that queries ADO or "Active directory Management" snap-in I can see all groupr members ok. However if I use "ADSI namespace" snap-in or any of the scripts that queries ADSI I get only those group members who has some other groups as their primary groups. Why?!! Does anyone have any ideas? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134631
  - 4
    - Delegating control to admin users- cant find city or country I am trying to delegate control to admin users- HR They can modify everything i gave them except city and country. I cant find it to give to them. I found this artilce on displaying additional features in AD http://support.microsoft.com/?id=296490 I changed countryCode=0 It still does not display in Delegate control. Is there a way to make City and Country avliable to users with limited privilages? thanks -- vyaw2003 ------------------------------------------------------------------------ vyaw2003's Profile: http://forums.techarena.in/members/vyaw2003.htm View this thread: http://forums.techarena.in/active-directory/1023618.htm http://forums.techarena.in Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134630
  - 5
    - Moved all roles from SBS to windows 2003 Server.... now While physically my office can't handle more then 75 users, and i dont think we will EVER be close to that , i was just wondering.. If i try to get a 76th person on the server will the original SBS AD restrictions kick in and stop it? Do the licensing restrictions from SBS still apply even though there is no SBS machine on the network?? What if i have 100 licenses for the 2003 standard machine, i assume 25 are trash in the current setup?? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134628
  - 6
    - cloning the AD part deux :) Hi gurus! The company I am working for is in the process of going through a divestiture (of sorts) and I'm looking for pointers as to how best to accomplish the following: *Note: we're cloning essential bits of the infrastructure in order to meet end of fiscal deadline--duplicate and unneeded data/services will be addressed in a cleanup phase 1 - clone AD 2003 forest/single root domain foo.com[source] to foo.com [target] using umove (great utility btw!) which handles the initial clone handily (complete network level segregation and DMZ pinholes for data to be synchronized) 2 - on-going (likely monthly) synchronization of net new AD users/groups WITH the identical SID intact for access to resources (this is the biggie) 3 - one-off synchronization of same "on demand" (hopefully few and far between) I think I have a pretty good handle on the first item (using Umove as mentioned) for the initial clone/synch. The issue becomes item "2" and "3" where I was leaning toward using ADMT via a 3rd resource domain in the DMZ (bar.com), but the issue then I suppose would be the object SIDhistory from foo.com to bar.com and then *back* to (effectively) foo.com (the cloned domain) wouldn't work. I think I just blew my own mind there :) foo.com[source] --> bar.com --> foo.com[target] Since we're cloning infrastructure servers with group-based permissions to resources, etc. won't we absolutely require the same SID for the cloned AD group to continue to allow access? Any ideas at all as to how to hit even a portion of these goals would be fantastic! Thanks! DH Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134627
  - 7
    - Kerberos UDP MaxPacketSize Has anyone ever set a Kerberos UDP MaxPacketSize for all computers in the domain to force Kerberos to use TCP? We have issues with our VPN taking 10+ minutes to logon. When I change this DWORD in the registry to a decimal value of 1,465 or lower, everything works great. I was just curious if anyone has ever set this across the board to that value or 1. Tim Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134624
  - 8
    - windows domain name issue without too much explanation, I have an application that checks access to parts of the program based on windows groups. This works, but there is some confusion. For example, we have a server that is part of a domain called TCBUSINESS. when you right click my computer and look at what domain it says it belongs to, it says ad.tcbusiness.com which is correct as well. When I do a LogonUser api call to authenticate a user based on windows logon info I can use either way of naming the domain. for example: TCBUSINESS\gkelly works and ad.tcbusiness.com\gkelly works they BOTH work but which is the proper one? Also, when I get a list of groups that gkelly belongs to it will give a list of local and domain groups. one of which is: TCBUSINESS\Domain Users this is fine, though why not ad.tcbusiness.com\Domain Users ? Also, when I use WMI's Win32_ComputerSystem and get the Domain field it returns 'ad.tcbusiness.com' not TCBUSINESS. why is this? If in our database I stated the group as "ad.twbusiness.com\Domain Users" it will fail to match obviously because the strings are different (when compared to TCBUSINESS) What system call can I use (in dotnet, or win32) to retrieve the domain name 'TCBUSINESS' ? not ad.tcbusiness.com ? gkelly Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134619
  - 9
    - Cross Domain Security Rights My environment - all Windows 2003 Servers Parent Domain - "Root.Domain.com" Child Domains - "child1.Domain.com" and "child2.Domain.com" My issue: When Iâ??m logged in to â??child1.Domain.comâ?? I would like to be able to open up Network Neighborhood and drill through â??child2.Domain.comâ??, but I am currently unable to. Reason I would like to do this is, is because we have an antivirus application that sits on â??child1.Domain.comâ?? that needs to be able to communicate cross domains so that we are able to push out the antivirus agent and receive details about the PC. Is there a spot within â??child2.Domain.comâ?? to allow such communication? I already have trust relationships between the child domains. Thanks in advance Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134612
  - 10
    - LDAP user permission I'd like to create a user with the only permission of consulting via LDAP. Windows server 2003 Std. How can I do that? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134606
  - 11
    - ADAM We have our GAL that has user information added through AD for say addresses, phone numbers, etc., which changes frequently so I would like to assign a user the responsibility of keeping this updated. This user is not an administrator the person to do the updating is a domain user. Would using ADAM be the best way to allow the user to update the data in AD without giving the user domain administration priveleges? I am kind of confused on whether to install ADAM on one of our servers or on the users workstation. We run Server 2003 and the workstation is Windows XP Pro. Will using the ADAM allow the user to only be able to change certain user information fields without giving the user free reign on the AD? Where would my search start I have downloaded and went over Microsoft's step by step guide but I have a lot of questions and no one readily available to answer them. Thanks in advance for the help. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134605
  - 12
    - Unable to create basic domain trust between two Windows 2003 domains - logon servers not available ? Hi. I am currently trying to create a basic one way non-transitive trust between two Windows 2003 domains. We will be merging the domains of two companies in the future but for the time being need to give one domain access to resources in another. Both domains are standalone within their own forest i.e. domain1.net is the only domain in the domain1.net forest and domain2.net is the same. Both domain1 and domain2 have Windows Server 2003 domain and forest functional levels. So far I have created Stub zones on the DNS servers in each domain i.e. domain1.net has a stub zone for domain2.net and domain2.net has a stub zone for domain1.net. Both domains have a single domain controller called DC1 on each domain i.e. dc1.domain1.net and dc1.domain2.net. I can ping from one DC to the other and resolve names of workstations and servers in the remote domain. If I run a nslookup from each DC the output seems normal (DC1.domain1.net nslookup result below). When I try to create the one way non-transitive trust I get to the end of the wizard and select to 'Validate' the trust, I get the error : The secure channel (SC) reset on domain controller \\DC1.comain2.net of domain2.net to domain domain1.net failed with error: There are currently no logon servers available to service the logon request. The accounts I have used in both domains are Domain and Enterprise Admins. Only dc1.domain2.net has an error in the System Log with ID 5719 and the same error as above i.e. logon servers not available to service the logon request. Can anyone suggest where I am going wrong ? Thanks, Alex. DC1.domain1.net nslookup result: C:\>nslookup Default Server: localhost Address: 127.0.0.1 > set type=srv > dc1.domain2.net Server: localhost Address: 127.0.0.1 domain2.net primary name server = dc1.domain2.net responsible mail addr = hostmaster serial = 21 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 3600 (1 hour) Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134603
  - 13
    - Help: Vista network Browse issue on AD network I have several Vista workstations on a AD network along with 10's of workstations running XP and servers running various OS's. The AD network is connected to a separate much larger AD network (several hundred workstations and servers). When browsing network places (e.g.: when mapping to a network drive), the XP machines on the smaller AD network show two distinct networks, the local AD network and, larger AD network. Both networks can be 'explored' without significant delay. However, when performing a network browse on the Vista workstations, there is no distinction between the two AD networks. In addition, every time the browse button is hit, the entire list of AD servers and workstations on both networks is refreshed which can take in excess of 15 minutes before anything shows up, functionally making it impossible to 'browse' the network. This behavior appears to be limited to Vista workstations. Is there a way to make the Vista workstations respond more like the XP workstations in this regard? Thanks for any advice. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134602
  - 14
    - user logon audit is there any way to audit a user's logons and logoffs? specifically we would like to know if an end user was logged onto the network on a specific day. thanks in advance Bill Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134596
  - 15
    - Integrate AzMan with SQL Database? I don't know if this is the right newsgroup for this, but.... We need to secure records in a table based on Active Directory permissions. Can someone point me to a good resource (with examples) of how to go about this? Here is some pseudo-code of what I'd like to be able to do: select * from mytable where UserIsAllowed("Brad") In this example, the "UserIsAllowed" function tests each record, presumably using AzMan, checking both the user and the groups the user belongs to. Any help would be appreciated. Thanks! Brad. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134594
  - 16
    - Member Server in DMZ I have done some research and know this is generally a bad idea, but... how would one go about running a Member server joined to a domain (i.e. domain.local) but reside in the DMZ? I've looked at ADAM and using IPSec and such things. I'm basically looking for the best approach to this. There are some internet applications that my organization would like to authenticate to AD. Thank you. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134591
  - 17
    - Folder Redirection Error with Documents folder Hello, We operate under Windows Server 2003 R2 with 15 Windows XPsp2 and 1 Vista laptop. All XP laptops are redirecting just fine with the GPO; however, the solo Vista machine (which is mine) is having problems with redirecting one folder. Pictures, Music, and Videos have redirected to the server (NOLDC1) fine. The Documents folder is the one that is having problems. I receive the below error in the event log. Failed to apply policy and redirect folder "Documents" to "\\noldc1\users$\kbullock". Redirection options=9021. The following error occurred: "Folder can not move because there is non redirectable folder at the same path". Error details: "Access is denied.". I've also noticed an exact duplicate of kbullock folder inside of my profile. I don't know what's going on here. Can anyone shed some light and help me out here? Thanks. Kenny Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134577
  - 18
    - Authoritative Restore Question on the proper way to had this particular authoritative restore using the ntdsutil restore subtree. In the past with authoritative restores of an OU I haven't had any issues restoring an OU and all objects within. Recently I had a situation where an OU was deleted along with sub-OUs. One of the sub-OUs needed to be restored without restoring the other sub-OUs. I trying to do an authoritative restore twice without success as I would expect it. First attempt, I recreated the parent OU then performed the authoritative restore of the child OU. Second attempt, I deleted the parent OU and attempted to restore the child OU. In both cases immediate after the restore and reboot I could see the restored OUs and objects. But once replication occurred they disappeared. If I did a find on the user objects in the child OU I could find them through ADUC, but the OU could not be seen through expanding the OU structure. This is because in both cases the parent OU was still a deleted object in the deleted objects container (isDeleted=true). However the child OU was not deleted (isDeleted = NULL). How would I go about doing an authoritative restore of a child OU and a parent OU with out bring back all the other child OUs of that parent? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134575
  - 19
    - Change notification using AD Hi There, lI am using AZman with authorization store stored in xml file. And I was creating a file system watcher on this xml file and when an administrator modifies the store using Azman mmc, the event was raised and I would notify all the interested parties. But now I want my azman store to be in ADAM. Do we have any mechanism/apis to know when the azman store is modified? What is the best practice in these scenarios? i found this http://msdn.microsoft.com/en-us/library/ms676877(VS.85).aspx which is in managed C++ , since most of the ldap apis are wrapped in System.directoryservices , i was thinking if it is possible to use .net libraries to achieve the above mentioned(getting the notification) behavior. Thanks for your time. Dee Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134572
  - 20
    - How do I disable Drag N Drop i AD Users & Computers? How do I disable Drag N Drop i AD Users & Computers? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134564
  - 21
    - Migration from 2003 DC to 2008 DC Dear, i have windows 2003 domain controller and also 2 additional domain controllers, now i want to migrate it to 2008 domain controller. how it is possible? Rgds, Nasir karim -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-ad/200808/1 Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134555
  - 22
    - Adding a Windows 2003 R2 DC into a 2000 Domain Morning all, This is my current setup, I have 2 DC in my enviroment, one is a 200 server and the second is a 2k3 server, now what i want to do i introduce a wk3 r2 server into the enviroment, and make it the primar DC. If i run a "netdom query fsmo", this is the result, i have removed th domain in the results C:\Program Files\Support Tools>netdom query fsmo Schema owner server1 Domain role owner server2 PDC role server2 RID pool manager server2 Infrastructure owner server2 The command completed successfully. When i run a "schupgr" this is the result. C:\Program Files\Support Tools>Schupgr.exe Opened Connection to SERVER1 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema to version 30 Schema has already been changed in another DC in this are made to this DC. Rerun setup to upgrade this DC Now i want the new Wk3 R2 server to have all the responsiblity, Roles DNS, DHCP etc... Oh yeah, i also have Exchange 2000 running on SERVER1, will thi upgrade impact Exchange at all? Whats the next step. Thank -- Wazz ----------------------------------------------------------------------- Wazza's Profile: http://forums.techarena.in/members/wazza.ht View this thread: http://forums.techarena.in/active-directory/1023028.ht http://forums.techarena.i Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134553
  - 23
    - Share Point Error #50070 I had an erlier post regarding a Share Point Error in the Event Log which is writing itself in every 5 seconds. I had a reply to apply a registry line KB840685, which I did. However, the error still occurs. The error is as follows: #50070: Unable to connect to the database STS_Config on xxxSERVER\SharePoint. Check the database connection information and make sure that the database server is running. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Any other suggestion? It is driving me mad about this error every 5 seconds. Thanks Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134552
  - 24
    - New location Hello, I currently have 1 local lan with AD (2003), some servers. Now, we have a new location linked to the central site via a mpls. I want to install a server (and users) on this new location. The users for the new site do the same job than for the central site. They connect to the central site for exchange and TSE and use the local site for files, ... What is the best to do that ? Create new AD and link it, create new site, ... ?? Thx Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134548
  - 25
    - redirecting My Documents and permissions hey I've playing around with Group Policy on my Windows Server 2003. For the purpose of learning. This is not a prodcution environment. The win2k3 machine is domain controller in my network Now I've created a Group Policy which redirect users My Documets over the a directory on the domain controller. On the domain controller I created a folder which I shared. Giving users read permissions. I wonder if only read permission is not enough. Maybe I should add write permissions to? But in the Group Policy I specified users having exclusive rights to these folders, so maybe that automatically gives it write permissons? any thoughts? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134547
- Next
  - 1
    - determine the users have certificate installed I need to know who has certificates installed in personel certificate store and who don't.. I have 250 clients in my environment. How can i do this easily? Also i want to know if users have configured signing certificates in their outlook. I searched Google and found a registry key "AutoSign" has to be enabled in registry. But there is no autosign registry key enablen in my computer but autosign option is enabled in outlook. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134533
  - 2
    - Join a Remote Computer? I have a corporate domain on a customer office, and, from my home, i want to have a virtual machine that is member of that domain. I have VPN access to the corporate domain already, and i have the admin login of the domain among a user account that i want to use, can i have windows XP client to join that domain over VPN and act as it was locally? I had tryied many different scenarios but any is working so far, any one can help with a guide on this? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134525
  - 3
    - fun with indian sex moves downloadfree fun with indian sex moves downloadfree http://kumaripud.blogspot.com/ Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134522
  - 4
    - Using Active Directory (without any admin account) for checking if Hello, I'm programming in VS2003-ASP.NET 1.1. My web app is running on a Windows Server 2003. The user has to login into the web app using its account and password of the Active Directory (AD). I have this problem: How can I check if a domain account, that tries to login, has been disabled or password has expired? I use the System.DirectoryServices.DirectoryEntry class, but for security reasons we don't want to user any admin user account to get information of the account trying to login. Say that account "jdoe" has been disabled, or its password has expired in AD. If user tries to login, the web app should show some message about acount disabled or password expired. My code: Dim Domain As String = "DOMAINXXX" Dim sUserName="jdoe": Dim sPassword="jdoe_password" Dim myEntry As System.DirectoryServices.DirectoryEntry = New System.DirectoryServices.DirectoryEntry("LDAP://" & Domain, sUserName, sPassword, System.DirectoryServices.AuthenticationTypes.Secure) myEntry.Username = sUserName myEntry.Password = sPassword Dim mySearcher As System.DirectoryServices.DirectorySearcher = New System.DirectoryServices.DirectorySearcher(myEntry) Dim myResult As System.DirectoryServices.SearchResult mySearcher.Filter = "(&(objectCategory=person) (objectClass=user)(userPrincipalName=" & UserName & "*))" myResult = mySearcher.FindOne Dim x as String = myResult.Properties("sAMAccountName")(0) ''<-- it gets 'jdoe' Dim y as String = myResult.Properties("userAccountControl")(0) ''<-- it gets Nothing If I'd get 514 or 512 from myResult.Properties("userAccountControl") (0), then it would be able to determine if account has expired or not. But it gets Nothing However, if myEntry.Username = "any_admin_account" then it works ! I had put this question on the ASP.NET zone, but I've been told that the reasons I get Nothing from myResult.Properties("userAccountControl")(0), could be because of settings on the domain or the AD. Sorry if I have put my question in the wrong area, but maybe you guys could help me with some advices. Many Thanks Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134508
  - 5
    - Any effect on Windows 2003 envir.? Hi all, I want to introduce one windows 2008 member server to windows 2003 envir. with Windows 2003 DCs. Will it affect my schema or windows 2003 DCs? thank you. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134464
  - 6
    - workstations & server times Hi all, Is it possible to configure all member workstations & servers in our domain to sync their date/time with a central server? We have 2 DCs and either one would be OK We also have an ISA server on our network. So would we have to open up any firewall permissions? Any articles on how to do this would be greatly appreciated. TIA! Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134457
  - 7
    - Group Policy - Maximum Password Age OK, this is weird.... In Group Policy we have the Default Domain set to Disabled. However, even though it is set to Disabled it does have settings in it from when it use to be Enabled. One of the settings is that the Maximum Password Age is set to 90 Days. Ok, now in the Group Policy we have set and enabled on the OU for where my user's and computers reside we have the Maximum Password Age set to 45 Days. Now this is where it gets weird... even though everything I look at (GP Modeling, GP Results, etc) says that the Maximum Password Age is set to 45 Days, it appears that the passwords do not expire until they reach 90 Days? Any Ideas on this? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134436
  - 8
    - Create a site over WAN link I'm working on diagraming out a new AD site design for our single domain network. We have 3 physical locations. 1. Data center facility with all servers (file, app, web, AD and Exchange) 2. Main campus (about 1000 users), currently no servers 3. Satellite office (about 100 users), currently no servers WAN connection between Data Center and Main campus is 100Mbit. Should AD sites represent physical locations, or if there is a high speed highly available WAN link, can a site encompass more than one physical location. I'm looking for best practice design geared toward high availability in the event of connectivity disruption. Currently I have two sites defined. One for the Data Center and main campus and one for the satellite office. I've placed one ADDC at the Data center and one at the main campus. Both are GC's with AD integrated DNS. Exchange will be hosted at the data center. I also have a ADDC that is a GC with integrated DNS at the satellite office. This office will also have a high bandwidth highly available WAN link, but not as fast as the one between the DC and the main campus. Any suggestions on this approach would be greatly appreciated. Thank you. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134435
  - 9
    - Query Based Distribution Group We are looking at implementing QDQ in our environment. We have about 13,000 users. We first one we want to create is for everyone that has an Exchange mailbox. I have done some research to find out what the requirements and recommendations are and found out that our DCs will be able to handle the load. They have enough processing and memory capacity. What I am curious about that I have not been able to find, but think I remember from something is the results size of each QDG. Is there a recommended limit on the number of results that a single QDG should return. For our example of creating a goup to list everyone with a mailbox, we initially thought we would create a univeral group and nest the QDG in that. We would create one QDG for each mailbox server. Each Mailbox server has about 3000 mailboxes. I do not know if that is too large for one QDG. Should we break each server down to the database level where it would only return ~200 results and nest those into a server based group? Any advice, hints, articles and knowledge would be wonderful. Thank you. Pete Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134377
  - 10
    - What backups for DC and DNS etc? Hi, I'm in the process of reviewing our backup procedures for our Active Directory and DNS (and DHCP). (My setup is as follows): Domain A - root forest - 4 domain controllers over 3 sites. (2 at the main and these hold most roles). The main server in each site is a GC, DHCP and DNS. I was thinking i would back up the system state of one main DC in each site? IS this enough or should i backup ALL? Is System State enough to be backing up? Does this include everything? If a DC goes down we do not mind so long as we have others - i am confortble with seizing roles and demoting and promoting and tidying up AD etc. However i want to protect against worse case scenario. It is important for AD to be backed up, DHCP and DNS. I believe we use some corperate Symantec product so imagine it able to do most things so long as i know what to back up.... Thanks. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134343
  - 11
    - Servers in Sites & Services We have a 2003 AD. In Sites & Services, under Default First Site Name we have 4 servers. 2 of them are the DCs with DNS. The other 2 are just member servers. These 2 might have been DCs at one time. Should these be removed? -- Thanks! Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134342
  - 12
    - Forest functional upgrade not possible Iâ??m having trouble upgrading the forest functional level in a test environment, and am wondering if any light can be on the issue. (Sorry, for the length of this initial post, but I thought it best to include as much as possible). When attempting to raise the forest functionality to Windows 2003 (logged in to holder of all root FSMOs with Enterprise admin account) I receive the followign error; â??The forest functional level could not be be raised. This may be due to replication latency. Please wait about 30 minutes and try again.â?? I first got this error two weeks ago, so replication latency can be ruled out (replication health checked numerous times during this period). More specifically if I raise the NTDS service logging level to 5 for 9 (Internal Processing), 8 (Directory access) and 16 (LDAP interface events) I get three events logged when I try to raise forest functional level; 1535, 1175 and 1481. The detail of these events are; Source: NTDS General Category: Internal Processing Event ID: 1481 Description: Internal error: The operation on the object failed. Additional data: Error value: 5 00002179: SvcErr: DSID-030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0 Source: NTDS General Category: Directory Access Event ID: 1175 Description: Internal event: A privileged operation (rights required = 0x) on object CN=Partitions,CN=Configuration,<FOREST ROOT> failed because a non-security related error occurred. Source: NTDS LDAP Catoegry: LDAP Interface Event ID: 1535 Internal event: The LDAP server returned an error 00002179: SvcErr: DSID, 030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0 Error 2179 is ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXEDDOMAIN, which indicates that one or more domains are still in mixed mode. However this is not the case. The test domain has a placeholder root domain (single DC) and a production domain (three DCs), both of which are at Windows 2003 level, and this value (domainFunctionality=2) is consistent across all DCs). This test environment Iâ??ve been asked to use, has unfortunately not been maintained properly. When I got to it I found that it even had a â??deadâ?? domain referenced (another one below the placeholder root). I tidied this up using NTDSUTIL, including removign the domain and the domainDNSzones partition, and can no longer find any reference to it in the configuration container, or as a trust in other domains, but I canâ??t help feeling that some residue of this domain is causing the issue. The following steps have been taken as troubleshooting steps; â?¢ Replication confirmed as healthy. (repadmin /replsum) â?¢ Domain controllers confirmed as healthy (dcdiag /c/v/d, /test:verifyenterprisereferences) â?¢ Netdiag /v on all DCs â?¢ Only expected partitions in cn=partitions,cn=configuration,<FOREST ROOT> â?¢ No references to failed domain in Configuration partition (dumped using ldif and scanned) â?¢ All DCs are now at sp2 (were at sp1 before) â?¢ 2 * DomainDNSZones deleted and recreated â?¢ No obsolete computer objects in Sites and Services â?¢ No obsolete _msdcs references, or reference to â??deadâ?? domain â?¢ Schema and Enterprise admins are universal groups â?¢ Forest prep logs (for 2K3 update) are still available and donâ??t report any error â?¢ No unexpected computers think theyâ??re DCs (userAccountControl 8192) â?¢ Lost and found objects deleted â?¢ CNF objects deleted â?¢ Lingering objects cleared down (there were a lot of these on the root DC in the child partition) â?¢ FSMO roles are reporting correctly (netdom query fsmo) when checked from each DC. These are as per appropriate fsmoRoleOwner attributes. â?¢ Enterprise Admins and Enterprise Domain Controllers seem to have appropriate rights (compared with other environments) to the partitions (at root of partitions, and in CN=Partitions container), and the Partitions container in Configuration partition. â?¢ Thirteen attributes are added to the global catalog as part of the forest functional update. To rule this out I manually added the attributes to the PAS with the Schema GUI. â?¢ ntmixedDomain value on all DCs=0. â?¢ No obsolete security descriptors on CN=Partitions or itâ??s content partitions â?¢ INITSYNC has been set to be skipped (Repl Perform Initial Synchronizations = 0) â?¢ â??Everyoneâ?? has Access this computer from the network right â?¢ userAccountcontrol for all DCs is 532480 Two other errors have also been received, but havenâ??t helped me so far. Whenever a DC is rebooted the following error is received; Source: NTDS Category: Internal Processing Event ID: 1481 Description: Internal error: The operation on object failed. Additional data Error value 2 000020EF: NameErr: DSID-032500F4, problem 2001 (NO_OBJECT), data -1603, best match of: â??â?? 20EF = ERROR_DS_UNKNOWN_ERROR ====== I tried using ADMOD to â??manuallyâ?? update the msDS-Behaviour-Version value (recommended in a post elsewhere by Joe Richards), and got the following error; DN Count: 1 Using server: <ROOTDC>.<FOREST ROOT>:389 Directory: Windows Server 2003 Modifying specified objects... DN: CN=Partitions,CN=Configuration,<FOREST ROOT>... Extended Error: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece ERROR: Too many errors encountered, terminating... The command did not complete successfully x57= LDAP_FILTER_ERROR I couldnâ??t get any further with these errors. Thanks in advance for any help. Regards Gordon Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134338
  - 13
    - RENDOM or ADMT Hi I have inheritted a poorly named single level domain and am looking to either rename it or to migrate the business to a new domain and suitable domain name. Currently the domain is named in the format domain.domain.company.com and really only needs to be company.com We have around 150 users but they only use AD for authentication as we have linux based DNS (to be replaced by A integrated shortly) and linux file&print servers. 1> I am after opinion as to whether to rename the domain or migrate to a new AD domain on a new box. 2> I understand by doing this I can also migrate local profiles so end users won't see the change, is this correct? 3> Do I install AD integrated DNS before i start either process? I can answer any questions if I am not clear enough Cheers Andy Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134336
  - 14
    - Security analysis We have one-place branch office and we'd like to create security analysis of our services, checking procedures and make new procedures and rules. As first step we'll run Microsoft Best Practices Analyzers (for Exchange, GPO, SharePoint, SystemStateAnalyzer, ...) and follow Microsoft Instrastructure Optimization to identify our currently position in IT software and hardware world. Can you please advice any other SW / procedure to follow formal procedure...? p.s. sorry for crosspoting Thnx. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134334
  - 15
    - admin pack vista & terminal profile tab Installed Windows Server 2003 SP1 Administration Tools Pack on Windows Vista. In Active Directory Users and Computers when you pull up the properties of a user account the Terminal Services Profile tab is missing. This is not just the case on my installation. The Terminal Services Extension in MMC is missing. How do we make this available? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134325
  - 16
    - DCDIAG Error Sometimes Exchange 2007 had problem connecting to the DC (cannot find DC) I then started to run a dcdiag and got some DNS errors which I think I fixed. Now when I run a DCdiag it passes all the test without one of which I have attached the log from DCDIAG below. I have no idea what that could be. Could anyone please point me to the right direction. I really would appreciate. Thanks in advance. Starting test: frsevent ......................... SCTDC passed test frsevent Starting test: kccevent An Error Event occured. EventID: 0x0000025C Time Generated: 08/18/2008 11:03:20 Event String: NTDS (476) NTDSA: Locale ID 0x0000041e (Thai ......................... SCTDC failed test kccevent Starting test: systemlog An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) ......................... SCTDC failed test systemlog Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134317
  - 17
    - Minimum security settings of computer accounts for allowing domain user account to join domain Hi ALL, I'd like to configure the security settings for the computer accounts that only allow domain user to join domain (nothing else, including changing computer account name,etc.). I tried to create a dummy computer account using (Active Directory Users and Computers -> New Computer Wizard) and specified a domain user account in the "The following user or group can join this computer to a domain". The domain account can join domain but also can modify the computer name (Simply change the computer name in the Windows client, the computer account will be modified after reboot). Do anyone know what is the minimum security settings of the computer account object so that the domain account can only have join domain privilege, no others, especially change the computer account name? TIA M C Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134315
  - 18
    - Problem After Creating Home Folder with vbs script Hello, I have a script that creates users, assigns them to security groups and creates and sets a home folder. Here is an excerpt: 'Create home folder Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFolder = objFSO.CreateFolder("\\terra\home\2010\" & strSAMAccountName) 'Set permissions Set oShell = wscript.CreateObject("Wscript.Shell") oShell.Run "%COMSPEC% /c Echo Y| cacls \\terra\home\2010\"& strSAMAccountName & " /t /e /g Administrators:F "& strSAMAccountName & ":C /R Students", 2, True 'Set home directory and home drive objNewUser.Put "homeDirectory", "\\terra\home\2010\" & strSAMAccountName objNewUser.SetInfo objNewUser.Put "homeDrive", "H" objNewUser.SetInfo At the end of the script, everything looks good. Permissions are set properly. However, on first logon, the folder does not map in the login script. When the user tries to get to their home folder manually, xp throws a message about access to the resource being disallowed. I can fix it by going into AD Users and Computers, setting the home folder to local, applying it and then setting the home folder back to where it is supposed to be. (I'd rather not do this for the 100 plus students and users that we get at the beginning of each year. Thanks for your ideas. Steve Ediger Any ideas? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134311
  - 19
    - Useracc dissapeared resulted in a disconneted mailbox Hi all Environment: Windows 2003 SP2 AD (No SBS2003), Exchange 2003 SP2, Win XP Clients w SP2 Problem: An AD useraccount dissapeared, no information about HOW, resulted in a lost account and a disconnected mailbox. Solution: Recover the exchange db to e RSG and recover the mailbox, accociated It to a new created user and reconnected it. Q: (I need to now what may have resulted in a deleted account when no admin with rights and knowledges has been logged on to the one Exchange server with Exchange tools, and not ot a server with ADUC tool.) 1.) Has anyone any knowledge of bugs, issues, faulty third party apps that might cause this scenario of the deleted usser account? 2.) Most important, How can I, afterwards, search how this might have happened with the deleted/removed user account (where, how, what tools etc.)? I need to find out if the account was deleted by a user and If so, who. Secondly, If not a user, what and why. Pls, any help would be highly appreciated. In this thread, suggestions of improvements are not wanted at the moment (I know that my enviroment Is poorly set up and not properly configured, will create other threads for that). TIA Henrik (Hear), MCP-SBS Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134308
  - 20
    - 2003 Server Internet DNS configuration I have 26 web sites hosted on my own web server that are public to the internet. I have 2 servers, NS1 and NS2. NS2 runs Apache web server. I would like to know if it is necessary for the domain DNS (ns2.company.net) entry to be Active Directory-Integrated. All the rest are simply primary and secondary. Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134297
  - 21
    - Folder redirection - client's profiles on multiple pcs We're looking at implementing folder redirection in an already well-established client estate. The implementation guidelines are always drawn up with the assumption of a greenfield site, or a relatively uncomplicated one-machine-per-user setup. The issue we have is where the same user might log on to several machines, and may have files scattered across these. Certainly we may have the case where exchange has invited the user to autoarchive their email onto the local hard disk, and so they will have two or more machines where a user has an "archive.pst" sitting. How does folder redirection work for a user, where their folder has already been redirected from one machine? Does it look for and use the redirected folder if it exists, regardless of the local profiles? Can they get to any files on the local machine? Thanks for your help! Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134295
  - 22
    - email address as login name I want to grant external users access to resources in our domain. Is it possible to register these users with their usernames being their own custom email addresses? How is Microsoft doing it with their passport authentication? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134293
  - 23
    - KCC error This is a multi-part message in MIME format. ------=_NextPart_000_0015_01C90079.ECDE3C40 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I'm configuring a additional Domain Controller, however some error = appear. The environment: UK Network and have a VPN connection to HK The dcpromo process is complete without any error and the DC is appear = at the "Active Directoty Users and Computers" Snap-ins. The erro appear = at the Event Viewer The attempt to establish a replication link for the following writable = directory partition failed.=20 =20 Directory partition:=20 CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 Source domain controller:=20 CN=3DNTDS = Settings,CN=3DLONDONFILE,CN=3DServers,CN=3DKCALONDON,CN=3DSites,CN=3DConf= iguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 Source domain controller address:=20 43126dc7-4083-4e14-9a77-eade6892a697._msdcs.kcacad.co.uk=20 Intersite transport (if any):=20 CN=3DIP,CN=3DInter-Site = Transports,CN=3DSites,CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 =20 This domain controller will be unable to replicate with the source = domain controller until this problem is corrected. =20 =20 User Action=20 Verify if the source domain controller is accessible or network=20 and Event Type: Information Event Source: NTDS Replication Event Category: Replication=20 Event ID: 1557 Date: 8/17/2008 Time: 2:43:02 PM User: NT AUTHORITY\ANONYMOUS LOGON Computer: KCAHKFS Description: The local domain controller has not completed a full synchronization of = the following directory partition. The local domain controller will not = be advertised to clients by the domain controller locator service until = this task is completed.=20 =20 Directory partition: DC=3Dkcacad,DC=3Dco,DC=3Duk=20 =20 An attempt to complete a full synchronization of this directory = partition will be tried again later. For more information, see Help and Support Center at = http://go.microsoft.com/fwlink/events.asp. It seems something wrong to synchronize the domain informations. Is any = one have ideas about this? ------=_NextPart_000_0015_01C90079.ECDE3C40 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.6000.16705" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY> <DIV><FONT face=3DArial size=3D2>I'm configuring a additional Domain = Controller,=20 however some error appear.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>The environment:</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>UK Network and have a VPN connection to = HK</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>The dcpromo process is complete without = any error=20 and the DC is appear at the "Active Directoty Users and Computers" = Snap-ins. The=20 erro appear at the Event Viewer</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><STRONG><FONT color=3D#ff0000>The = attempt to=20 establish a replication link for the following writable directory = partition=20 failed. <BR> <BR>Directory partition:=20 <BR>CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk <BR>Source domain = controller:=20 <BR>CN=3DNTDS=20 Settings,CN=3DLONDONFILE,CN=3DServers,CN=3DKCALONDON,CN=3DSites,CN=3DConf= iguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 <BR>Source domain controller address:=20 <BR>43126dc7-4083-4e14-9a77-eade6892a697._msdcs.kcacad.co.uk = <BR>Intersite=20 transport (if any): <BR>CN=3DIP,CN=3DInter-Site=20 Transports,CN=3DSites,CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk = <BR> <BR>This=20 domain controller will be unable to replicate with the source domain = controller=20 until this problem is corrected.  <BR> <BR>User Action = <BR>Verify if=20 the source domain controller is accessible or network</FONT></STRONG>=20 </FONT></DIV> <DIV><STRONG><FONT face=3DArial color=3D#ff0000 = size=3D2></FONT></STRONG> </DIV> <DIV><STRONG><FONT face=3DArial size=3D2>and</FONT></STRONG></DIV> <DIV><STRONG><FONT face=3DArial color=3D#ff0000 = size=3D2></FONT></STRONG> </DIV> <DIV><FONT face=3DArial color=3D#ff0000 size=3D2><STRONG>Event=20 Type: Information<BR>Event Source: NTDS Replication<BR>Event=20 Category: Replication <BR>Event=20 ID: 1557<BR>Date:  8/17/2008<BR>Time:  2:43:02=20 PM<BR>User:  NT AUTHORITY\ANONYMOUS=20 LOGON<BR>Computer: KCAHKFS<BR>Description:<BR>The local domain = controller=20 has not completed a full synchronization of the following directory = partition.=20 The local domain controller will not be advertised to clients by the = domain=20 controller locator service until this task is completed. = <BR> <BR>Directory=20 partition:<BR>DC=3Dkcacad,DC=3Dco,DC=3Duk <BR> <BR>An attempt to = complete a full=20 synchronization of this directory partition will be tried again=20 later.</STRONG></FONT></DIV> <DIV><FONT color=3D#ff0000><STRONG></STRONG></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><STRONG>For more = information,=20 see Help and Support Center at </STRONG></FONT><A=20 href=3D"http://go.microsoft.com/fwlink/events.asp"><FONT=20 color=3D#ff0000><STRONG>http://go.microsoft.com/fwlink/events.asp</STRONG= ></FONT></A><FONT=20 color=3D#ff0000><STRONG>.<BR></STRONG></FONT></FONT></DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><FONT = color=3D#000000>It seems=20 something wrong to synchronize the domain informations. Is any one have = ideas=20 about this?</FONT></FONT></FONT></DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><FONT=20 color=3D#000000></FONT></FONT></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><FONT=20 color=3D#ff0000> </DIV></FONT></FONT></BODY></HTML> ------=_NextPart_000_0015_01C90079.ECDE3C40-- Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134292
  - 24
    - Suddenly DHCP server service can't start I'm getting the following errors: Event ID 1008 The DHCP service failed to start as a RPC server. The following error occurred : Not enough resources are available to complete this operation. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event ID 1008 The DHCP service is shutting down due to the following error: Not enough resources are available to complete this operation. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Anyone has a clue??? Thanks Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134289
  - 25
    - GPO for MS office? I need a GPO for MS office 03/07 where can I download it from? Tag: LDAPS authentication not working if use IP address instead of FQDN Tag: 134276

I have an application on windows system in DMZ which talks to AD server and
authenticates user. I have opened up a LDAPS port 636 to do that. IF I use
Hostname of domain controller then it works fine. I have opened up a port 636
on the firewall.

If I try to use IP Address instead of Hostname and try to use some port and
forward it to AD server on 636, it does not work.

Please help.

Top

Re: LDAPS authentication not working if use IP address instead of FQDN by Joe

Joe
Wed Aug 20 09:14:31 PDT 2008

Normal certificate chain verification requires that the host name in the
certificate match the name specified to access the server. The default is
to fail the request if they don't match. They won't if you use the IP
address.

Depending on what API you are using, you may be able to override this policy
and essentially ignore the error. That's usually not a good idea though.
Why use the IP address? DNS is your friend. :)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"yashmitl" <yashmitl@discussions.microsoft.com> wrote in message
news:0B8B8B58-D02E-4E58-B93B-87096B9AC991@microsoft.com...
>I have an application on windows system in DMZ which talks to AD server and
> authenticates user. I have opened up a LDAPS port 636 to do that. IF I use
> Hostname of domain controller then it works fine. I have opened up a port
> 636
> on the firewall.
>
> If I try to use IP Address instead of Hostname and try to use some port
> and
> forward it to AD server on 636, it does not work.
>
> Please help.

Top