trusting a non-Windows Kerberos Realm

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - Signing into wrong DC when launching "AD Users and Computers" Our network has many different geographical locations around the world. 1 Forest, 1 Domain, several DC's (All 2003 except 1, and it is a 2000 DC). When I launch Active Directory Users and Computers (or GPMC, etc...), It has been taking a few minutes to open up. I was looking at it yesterday and noticed that the DC I was logging into was at a site (Germany) other than mine (US). I was able to right click and change what DC I wanted to be connected to, but it does not keep that setting. I have been on the Google and Microsoft site, but the keywords I am using do not seem to help. If anyone has any ideas to help assist, I would appreciate it greatly. Thanks, Brent Tag: trusting a non-Windows Kerberos Realm Tag: 125730
  - 2
    - Not apply a policy against the administrator Against our Citrix/Terminal Server OU is a GPO that sets the path for terminal services profile under the computer settings section. The problem is our administrator account picks up this setting and uses a TS profile. I dont want the admin to use this profile. Is it possible to write a WMI filter to not apply the GPO if it is the administrator who is loggging on? Or if anybody has any better suggestions????? Tag: trusting a non-Windows Kerberos Realm Tag: 125710
  - 3
    - Exporting member of a particular group using csvde Hi, I am trying to export a list of users in a particular group so that it just gives me the names of the users in the group. I have done an export using the ldifde command but that gives the list with all the CN/OU/DC and the users logon information etc. I know it can be done using CSVE but am having trouble getting the right format. For example I want to export all users in a group named 'test users', the group is in an OU structure as follows: cn=test users,ou=users,ou=tier2,ou=tier3,dc=mycompany,dc=int Would appreciate any help. Thanks Tag: trusting a non-Windows Kerberos Realm Tag: 125698
  - 4
    - Server failure I have a couple of servers at a site. One original server running 2000 and the other recently added 2003. Both were domain controllers. Running in mixed mode. The 2000 box collapsed and died early today. Slammed in a DHCP scope on the 2003 box and we're golden. Print services were on the 2000 machine but I'm well on my way to getting that together. I should be raising the domain functional level to 2003 mode now I assume. The new DHCP scope points the dns to the 2003 servers ip instead of the 2000 machine but I'm getting some small delays in net view and basic network browsing. What else should I be doing? We have domain logins and access as before but I'm sure there's something else to do. Thanks for your help. Tag: trusting a non-Windows Kerberos Realm Tag: 125692
  - 5
    - Security Tab How can I hide the security tab in AD Users and Computers from my Help Desk? -- Steve Tag: trusting a non-Windows Kerberos Realm Tag: 125690
  - 6
    - reverse lookup dns zone Hi All: I'm having a hard time getting a clear answer on the following. I have a Windows 2003 Active Directory with about 300 machines, all belonging to a single domain. If its relevant, I do run a RAS server and exchange server and otherwise, pretty standard stuff. In this type of environment, in my DNS, do I need a reverse lookup zone? I believe I understand if I don't have one that I won't, as an admin, be able to do nslookup <ip address> and get a computer name back. Would this also mean that tracert wouldn't be able to resolve an address to a name? I know that the reverse lookup to the mail server must be valid as this is used as a spam prevention technique. But outside of this, in this basically flat network topology, do I need a lookup zone? Any info or advice or what having the reverse lookup gets me in this environment is much appreciated! Thanks! Drew Tag: trusting a non-Windows Kerberos Realm Tag: 125689
  - 7
    - Fixing domain name A few years ago when I installed a Win2K Server, I mistakenly created the domain as "ab.abc.com" when I really wanted it to be "abc.com". I am now replacing the server with Windows Server 2003 on a new machine. The two servers must overlap in time on the network so that I have time for application migration, etc. How do I promote the new server to the PDC _and_ fix up the domain name? Or, should I just start from scratch creating the domain with the correct name? Before this new server there was - and after the migration there will be - only one server in existance in the domain. BTW, This is the second time that I've done something like this wrong. On another occasion, I ended up with a domain named abc.abc.com when, of course, I really wanted abc.com. Any ideas what my misunderstanding was when I created these domain names in the first place? Clearly, I answered some question incorrectly and I must avoid doing this again. Any help and advice is grgeatly appreciated. Thanks and regards, David Tag: trusting a non-Windows Kerberos Realm Tag: 125684
  - 8
    - How to transfer domain controller roles Hi, I have a client who has two windows 2003 domain controllers - DC1 & DC2. I was told that DC1 has all the forest info and DC2 may not have all the info. DC1 is also the DHCP server. Both are DNS servers. DC1 one has a strange issue - Its MMC is acting up. Sometimes it opens up and sometimes it won't. Microsoft connected to the machine and after two days they gave up. We are thinking about re-installing the OS on DC1. What would be the proper way to achieve this objective....that is to have two domain controllers again in the end with all the AD info intact and not have to change anything on the client's side. If needed, we are willing to use a 3rd server on a temporary basis as well. Or, can we do this by swapping roles etc. Please provide the steps. -- Network Admin Tag: trusting a non-Windows Kerberos Realm Tag: 125671
  - 9
    - Forest Trust Hello All, We have 2 forests A and B; both have a child domain under it. We now have a two-way trust from child.A to child.B. I have created a Local Domain Group in child.A that contains a global security group from child.B. We have a website that requires integrated windows authentication. With just the group the users get access denied, but if I do add single users child.B to the local domain group in child.A then the users in child.B are able to access the website with no prompt for password [ie. windows authentication works properly]. Any ideas? Tag: trusting a non-Windows Kerberos Realm Tag: 125666
  - 10
    - dcpromo /forceremoval Good afternoon! I think that I know this, but I want to check.... If I use dcpromo /forceremoval to remove a dying DC and then clean things up (via the metadata cleanup and ntdsutil) and things have run nicely and cleanly for two months or more can I introduce - temporarily - a workstation or server that has the same computer name (actually, same FQDN) of the machine on which I performed a dcpromo /forceremoval? Here is why I ask: Had an older DC that continued to fail (hardware). Finally, client purchased replacement. Could not run dcpromo on failing server so used dcpromo /forceremoval. After that, cleaned up everything with our friend, ntdsutil. Environment is running nicely and cleaning since then. Let's say that the servername was DAFFY. In addition to being a DC/GC it was also the main file server (where the users "My Documents" were redirected, among other things). One of the lingering affects (no...not that...oh, lingering affects...not lingering objects) was that the usesrs of MS Access now have a multitude of choices when they synchronize - they click on the little drop down and choose the replica (do not worry what I mean here...not really the point). Client wants this cleaned up as half the entries point to \\DAFFY\blah\blah\blah\file.mdb and the like. Essentially we need to remove all replicas that reference DAFFY. According to some MS Access MVPs the only way to do that is to recreate the old directory structure and to then remove the replicas via normal methods (whatever that means...not an MS Access person). Thanks, Cary Tag: trusting a non-Windows Kerberos Realm Tag: 125657
  - 11
    - logging IP address of User who authenticates with AD. I have been tasked with building a small solution that will log the IP address whenever an Active Directory server authenticates a User. I know that this capability is not "built in" to Active Directory. But is there a plugin architecture or something else I can tap into to build this with .NET or some other programming language? This must be a server side solution, not client side. Tag: trusting a non-Windows Kerberos Realm Tag: 125644
  - 12
    - group member limitation, any more? We are using Windows 2003 AD and running 2003 native mode. I remember in Windows 2000 the group has limitation of 5000 users. What is it in Windows 2003? Does it have any limit? Since everyone will be in the Domain Users group? Is there a limit in Windows 2003 for this group? How about Domain Computers? another question is how to change user's primary group. By default, they are in Domain users. The "set primary group" is greyed out. Is it due to my permission? I don't need to change it but would like to know how to change it. Thanks. Tag: trusting a non-Windows Kerberos Realm Tag: 125643
  - 13
    - Controlling/Limiting impact of LDAP Referrals / remote sites down We have a misbehaving non-Microsoft LDAP web application. It does not know how to "not" chase LDAP Referrals. (We're working on that, but a fix is not imminent.) (A similar case is referenced in a thread called "Bizarre LDAP referral behavior" [referenced below].) Here is our situation. When a network link goes down without warning, the domain controller there is out-of-touch with the rest of the AD domain. Trouble is, there are seven (7) _ldap SRV records still in DNS, so AD/LDAP keeps trying to contact the down site when it following LDAP Referrals. This causes a delay of up to 90 seconds in the application. We workaround this issue by deleting the 7 _ldap SRV records from the central site. This allows the application to not experience a delay. When the site eventually comes back online, it's domain controller re-registers those 7 _ldap SRV records. Here are my questions: - Under normal conditions, if a domain controller is gracefully shutdown, does it de-register those _ldap records? (I think we only have an issue when the link goes down without warning.) - Are there any controlling mechanisms to reduce the 90-second delay when chasing LDAP referrals to the down site? - Can I somehow "automatically" have AD remove those SRV records at the central site, if it know the remote domain controller is unreachable? - Is there a way that from the central site, we don't see those _ldap SRV records in DNS? I'm thinking that would stop the LDAP referrals. I believe I can tell the remote domain controller to NOT register its _ldap records, but that seems like it would break local applications such as Outlook. LDAP SRV records: mydom.net\_msdcs\dc\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\_tcp\ SRV record: _ldap mydom.net\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\DomainDnsZones\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\DomainDnsZones\_tcp\ SRV record: _ldap Reference thread: Bizarre LDAP referral behavior in Windows 2003 AD microsoft.public.windows.server.active_directory http://www.servernewsgroups.net/group/microsoft.public.windows.server.active_directory/topic961.aspx Tag: trusting a non-Windows Kerberos Realm Tag: 125638
  - 14
    - Group Policy Results, can not collect.( probably simple) So I run tbe GPRWizard from the dc connecting to the xp w/s and receive the same result on every machine. Failed to connect........ The RPC server in unavailable. Thanks Tag: trusting a non-Windows Kerberos Realm Tag: 125632
  - 15
    - Win2K3 Domain Controllers - DR Exercises I had a DR question that I'm pretty confident someone here could answer for me, and it would be much appreciated! My company has 3 sites, for the sake of this post I will call them HQ, DR-Site1, and DR-Site2. Our HQ site has 3 domain controllers, and each DR-Site has 1 single domain controller. During our DR exercises that occur twice a year, we sever the connection to our HQ site and rely on only the DC's and resources that we restore from backup at each of the DR-Sites. Because of the large number of server restores we do along with the fact they are restored to different subnets, we find ourselves making a lot of changes to DNS records, WINS records, and computer accounts on the DC's at the DR-Sites. During these exercises, our HQ site continues normal business and the domain controllers here remain in production. They complain about no longer seeing/replicating with the DC's at the DR-Sites, but it does not impact production resources. At the conclusion of the exercises, our current method of getting everything back to normal is to perform metadata cleanup at the HQ site, blow away the DC's at the DR-Sites, and then rebuild/re-promote those DC's to get them back on the production network. While the metadata cleanup process isn't all that tedious, I've been wondering if another procedure might be less time consuming: Prior to the start of the DRE, take System State backups of the DC's at the DR-Sites. At the conclusion of the DRE, rather than metadata cleanup/rebuilds, couldn't we just use those System State backups and perform non-authoritative restores on the DR-Site domain controllers? If I understand correctly, the non-authoritative restores would tell the DR domain controllers that *their* AD data is incorrect/out-of- date and to replace it with the data from the production DC's. Is my logic here correct? Or should I just stick with the current method? Many thanks in advance! Tag: trusting a non-Windows Kerberos Realm Tag: 125618
  - 16
    - ADprep question about going from 2000 to 2003 domain I will be updating our aging Windows 2000 AD domain (two Win2k servers) by introducing a third server which runs Windows Server 2003 (not R2). I need to run adprep /forestprep and adprep /domainprep to prepare the Windows 2000 domain for Windows 2003 Server. However, MS's documentation states that if you want to upgrade to a Windows 2003 Server SP1 domain, you must also run adprep /domainprep /gpprep. The Windows 2003 Server I want to introduce into the domain has SP2 and the latest updates. Do I need to run adprep with the /gpprep switch as a third step in the process before bringing the new server into the domain? Tag: trusting a non-Windows Kerberos Realm Tag: 125614
  - 17
    - active directory user properties new tab Hi; I am from turkey. I have a problem about active directory. I set up scheme and added user.and then added extra attribute which name ise social securite number.There is not problem so far but I could not see or enable user properties it which added new attribute in new tab. I want to ask; is it possible add new tab in user properties and display new attribute on the new tab, how can I do . Ä°f you know ,Can you explain? Best regards.. Tag: trusting a non-Windows Kerberos Realm Tag: 125610
  - 18
    - Roaming Profiles and Redirected Folders Inconsistent I'm Running Windows 2000 Small Business Server as a PDC/DC/AD, DNS, and Terminal Server with a Windows 2003 Server running DHCP, DNS, and File Server. Clients are Windows XP Pro. On the W2K SBS, I set the default policy to include folder redirection of the users' "My Documents", etc. folders. In AD, I set the users profiles to be redirected (different path, same server, W2K3) as well. The redirection is not working consistently. I've had cases where a user logs in from one computer and their folders are redirected. The same user goes to another computer and logs in - the folders are NOT redirected. It is "hit and miss" as to whether the folders/profiles are redirected or not. What should I check to diagnose and fix these problems? What needs to be changed? Tag: trusting a non-Windows Kerberos Realm Tag: 125609
  - 19
    - OU Security Delegation I created a group call dc-joincomputertodomain Ad and pupulated the memberlist with our servicedesk team. The service desk team is able to join computers to the domain, but they cannot move the computer object joined to the domain to the proper OU destination. So I created a new group called ServiceDesk_AD and populated the memberlist with the same users. I then delegated ServiceDesk_AD group to be able to modify COmputer Objects in the OU we want them to move computers to. But for some reason, when they join the computer to the domain, the newly created computer object is no inhereting the secuirty values from the parent. Any Ideas? Tag: trusting a non-Windows Kerberos Realm Tag: 125608
  - 20
    - W2k3 Domain Controllers running on Windows 2003 Std 64bit? What are the benefits of running Windows 2003 Domain Controllers on Windows 2003 std 64bit? Is there any gotcha's? Tag: trusting a non-Windows Kerberos Realm Tag: 125607
  - 21
    - Receiving a File Replication Service error on 2 DC's. The 2 domain controllers receive Event ID's 13555 and 13552 every day a couple of times. Restarting the services did not fix the issue. All domain controllers are running Windows 2003 Standard sp1. These servers were cloned about 5 months ago on new hardware and that's when the problem started. We will be applying service pack 2 later today in hopes of fixing the issue. I would like other alternatives to try and remedy the problem instead of what the logs say. Event ID 13555 The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed: Recovery Steps: [1] The error state may clear itself if you stop and restart the FRS service. This can be done by performing the following in a command window: net stop ntfrs net start ntfrs If this fails to clear up the problem then proceed as follows. [2] For Active Directory Domain Controllers that DO NOT host any DFS alternates or other replica sets with replication enabled: If there is at least one other Domain Controller in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative. If there are NO other Domain Controllers in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and choose the Advanced option which marks the sysvols as primary. If there are other Domain Controllers in this domain but ALL of them have this event log message then restore one of them as primary (data files from primary will replicate everywhere) and the others as non-authoritative. [3] For Active Directory Domain Controllers that host DFS alternates or other replica sets with replication enabled: (3-a) If the Dfs alternates on this DC do not have any other replication partners then copy the data under that Dfs share to a safe location. (3-b) If this server is the only Active Directory Domain Controller for this domain then, before going to (3-c), make sure this server does not have any inbound or outbound connections to other servers that were formerly Domain Controllers for this domain but are now off the net (and will never be coming back online) or have been fresh installed without being demoted. To delete connections use the Sites and Services snapin and look for Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS Settings->CONNECTIONS. (3-c) Restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative. (3-d) Copy the data from step (3-a) above to the original location after the sysvol share is published. [4] For other Windows servers: (4-a) If any of the DFS alternates or other replica sets hosted by this server do not have any other replication partners then copy the data under its share or replica tree root to a safe location. (4-b) net stop ntfrs (4-c) rd /s /q c:\windows\ntfrs\jet (4-d) net start ntfrs (4-e) Copy the data from step (4-a) above to the original location after the service has initialized (5 minutes is a safe waiting time). Note: If this error message is in the eventlog of all the members of a particular replica set then perform steps (4-a) and (4-e) above on only one of the members. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event ID: 13552 The File Replication Service is unable to add this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" This could be caused by a number of problems such as: -- an invalid root path, -- a missing directory, -- a missing disk volume, -- a file system on the volume that does not support NTFS 5.0 The information below may help to resolve the problem: Computer DNS name is "mcgcpdc.co.mchenry.il.us" Replica set member name is "MCGCPDC" Replica set root path is "c:\windows\sysvol\domain" Replica staging directory path is "c:\windows\sysvol\staging\domain" Replica working directory path is "c:\windows\ntfrs\jet" Windows error status code is FRS error status code is FrsErrorMismatchedJournalId Other event log messages may also help determine the problem. Correct the problem and the service will attempt to restart replication automatically at a later time. For more information, see Help and Support Center at Tag: trusting a non-Windows Kerberos Realm Tag: 125606
  - 22
    - Drive mapping problem Hi everyone This maybe a simple problem, but i have yet to find an answer! All our users get drives mapped when they logon in the morning. But one user has to re-map one of their drives 90% of the time. There are no errors or explanations as to why he has this problem and all of his other drives map ok. He is using Windows XP and all hardware is the same as the other users Can anyone assist? Thanks Tag: trusting a non-Windows Kerberos Realm Tag: 125603
  - 23
    - Trust Hi there, I have 2 forests, a.net and b.net. I have placed a 2-way transitive trust between them. Even though, child1.a.net can't see objects in child1.b.net and vice-versa. What I did was create a shortcut trust between both child domains and that worked fine. I'm still trying to figure out why the 2-way transitive trust did not work as expected. Both domains are 2003 SP1 native mode. -- NetAdmin <SÃ£o Paulo, BR> Tag: trusting a non-Windows Kerberos Realm Tag: 125600
  - 24
    - Audit moved computer object? In terms of auditing, can I find out which user moved a computer object from one container/OU to another? Is this type of object auditing turned on if I have audit directory service access turned on in the Default DC Policy or do I have to enable it separately? Is this logged on all DCs or do I have to search each DC individually for the event ID? What event ID would it be? Tag: trusting a non-Windows Kerberos Realm Tag: 125593
  - 25
    - Replication Basic Qs Hi: I have root Domain Windows 2003 and have 7 child domains across geographical locations and have about 12 various sites. I have a hub and spoke environment where The central HUB - "AAA" replicates to Various sites. So If I have a Site called Africa; Example: I have a site link called AAA to Africa and it contains site AAA and Africa.. My question is to monitor it effectively using replication monitor... What is the best way?? like to send me email when replication failed.. thanks Tag: trusting a non-Windows Kerberos Realm Tag: 125591
- Next
  - 1
    - logon script policies we use a combo of batch file and kixtart scripts for our logon process. I'd like to get the logon script process into a GPO as opposed to putting the batch file name in every user profile. First, I just want to confirm this is the best way to do it - I would think so as right now we have many users that don't have the logon script field properly set, most likely because the person who created the account didn't follow the proper steps! Second, Do I need to include all of the logon-script related files in the policy, or is it perfectly acceptable to just add the batch file that does the calling into the policy and include lines like the following in the batch file that calls files in the netlogon share : \\%logonserver%\netlogon\files\kix32.exe \\%logonserver%\netlogon \script.kix or... %0\..\files\kix32.exe %0\..\\netlogon\script.kix ...and speaking of which, are one of the methods better than the other for referring to files in the netlogon share from a logon script?? Thank You!! - JayDee Tag: trusting a non-Windows Kerberos Realm Tag: 125586
  - 2
    - one big reverse lookup zone Hi! Our AD has about 26,000 computers. Right now we've got a messy mix of Class B and Class C reverse-lookup zones that I want to clean up. At first I was considering changing them all to class B's and getting rid of the Class C's, but then I was thinking.... what about creating one giant Class A reverse-lookup zone? The entire network is on the same first octet, and none of the addresses are routable on the internet, so in essence we own the entire class A range. Thanks for your opinions... - JayDee Tag: trusting a non-Windows Kerberos Realm Tag: 125585
  - 3
    - 1481,1084, 2108 Error NTDS Replication about 3 months until now I have (occasionally occurs) some NTDS Replication Errors, only on 2 DC in the same site... The objects are always on Deleted Objects and related with printers like "CN=PC1-PrinterP1\0ADEL:87a67f33-5ffe-4484-93c7- f02cc6567121,CN=Deleted Objects,DC=bv,DC=org" 1481,NTDS Replication,Internal error: The operation on the object failed. Additional Data Error value: 5 000020D9: SvcErr: DSID-031B0D6F, problem 5001 (BUSY), data 0 1084,NTDS Replication,Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller. Object: CN=PC1-PrinterP1\0ADEL:87a67f33-5ffe-4484-93c7-f02cc6567121,CN=Deleted Objects,DC=bv,DC=org 2108,NTDS Replication,This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged......... help? thkU! Tag: trusting a non-Windows Kerberos Realm Tag: 125581
  - 4
    - FYI: Remote Server Administration Tools (RSAT) available for Windows Vista SP1 This is a multi-part message in MIME format. ------=_NextPart_000_003C_01C88ECD.499C2970 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable FYI: Remote Server Administration Tools (RSAT) available for Windows = Vista SP1 see: http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/remote-server-adm= inistration-tools-rsat-adminpak-for-windows-vista-sp1.aspx --=20 Cheers,=20 (HOPEFULLY THIS INFORMATION HELPS YOU!) # Jorge de Almeida Pinto # MVP Windows Server - Directory Services BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx -------------------------------------------------------------------------= ----------------- * How to ask a question --> http://support.microsoft.com/?id=3D555375 -------------------------------------------------------------------------= ----------------- * This posting is provided "AS IS" with no warranties and confers no = rights!=20 * Always test before implementing! -------------------------------------------------------------------------= ----------------- ################################################# ################################################# -------------------------------------------------------------------------= ----------------- ------=_NextPart_000_003C_01C88ECD.499C2970 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.6001.18000" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DVerdana size=3D2> <DIV><FONT face=3DVerdana size=3D2><FONT size=3D1> <P>FYI: Remote Server Administration Tools (RSAT) available for Windows = Vista=20 SP1</P> <P></FONT></FONT><FONT face=3DVerdana size=3D2>see:</FONT></P></DIV> <DIV><FONT face=3DVerdana size=3D2><A=20 href=3D"">http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/remote-= server-administration-tools-rsat-adminpak-for-windows-vista-sp1.aspx</A><= /FONT></DIV></FONT></DIV><FONT=20 face=3DVerdana size=3D2> <DIV><BR>-- <BR><BR>Cheers, <BR>(HOPEFULLY THIS INFORMATION HELPS = YOU!)</DIV> <DIV> </DIV> <DIV># Jorge de Almeida Pinto # MVP Windows Server - Directory = Services</DIV> <DIV> </DIV> <DIV>BLOG (WEB-BASED)--> <A=20 href=3D"http://blogs.dirteam.com/blogs/jorge/default.aspx">http://blogs.d= irteam.com/blogs/jorge/default.aspx</A><BR>BLOG=20 (RSS-FEEDS)--> <A=20 href=3D"http://blogs.dirteam.com/blogs/jorge/rss.aspx">http://blogs.dirte= am.com/blogs/jorge/rss.aspx</A><BR>--------------------------------------= ----------------------------------------------------<BR>*=20 How to ask a question --> <A=20 href=3D"http://support.microsoft.com/?id=3D555375">http://support.microso= ft.com/?id=3D555375</A><BR>----------------------------------------------= --------------------------------------------<BR>*=20 This posting is provided "AS IS" with no warranties and confers no = rights! <BR>*=20 Always test before=20 implementing!<BR>--------------------------------------------------------= ----------------------------------<BR>###################################= ##############<BR>#################################################<BR>--= -------------------------------------------------------------------------= ---------------</FONT></DIV></BODY></HTML> ------=_NextPart_000_003C_01C88ECD.499C2970-- Tag: trusting a non-Windows Kerberos Realm Tag: 125578
  - 5
    - Active Directory Specialist position available in Gaithersburg MD Hi My name is Firdosh Bhathena and I am a Technical Recruiter with Altek Information Technology Inc. We are looking for acandidate to fill the Active Directory Specialist position in Gaithersburg MD for our client Marriott International This is a long term contract position working for one of our direct clients. Attached is the job description for your reference ,please review the job description and let me know if you are interested . Job Description: *****WE ARE LOOKING FOR AN ENGINEER AS THIS POSITION IS NOT GEARED TOWARDS AN ADMINISTRATOR***** Experience: -Significant experience Administering Active Directory, with very large, multi-domained networks. -Significant experience Programming custom Maintenance/Migration/ Disaster Recovery Scripts and Tools for Active Directory. Core Skills: -VBScript (core language) -ADSI (Active Directory Services Interface, the primary API) -Automation of windows 2000 AD functions (user populations, group/ domain maintenance, bulk loading, DR) -Exchange (Scripting, troubleshooting, integration) -Knowledge of Meta directory structure and JNDI scripting -LDAP protocol (operations and syntax) (Non-proprietary protocol) Kerberos (Architecture, understanding) Please call me when you can to discuss this position in further details and email me a word copy of your resume at the earliest . Thanks Firdosh Bhathena Technical Recruiter ALTEK Information Technology, Inc. Main Number: 301-695-4440, Ext: 108 Cell Phone: 240-447-7742 Fax: 301-695-9390 Email: fbhathena@al-tekinc.com Website: http://al-tekinc.com "ALTEK is a WBENC Certified Women Owned Firm" Tag: trusting a non-Windows Kerberos Realm Tag: 125575
  - 6
    - Allow access to registry key Hello, Windows 2003 Active directory Windows XP Pro I want to allow the standard user group be able to have access to a certain key in the registry. Currently Im getting an error "Access to the registry key 'HKEY_LOCAL_MACHINE\Software......' When I change the user access to power user group i dont get this error. Thanks for you help in advaance. Tag: trusting a non-Windows Kerberos Realm Tag: 125573
  - 7
    - Query DHCP Lease Duration Information Hi, We want to query for the lease duration of a subnet scope on DHCP server remotely in our product. We don't have clue from where we can read this information in case DHCP server is present on windows 2003 platform. On windows 2000 server we read registry to find all the DHCP subnet information, but that information in not present in registry if DHCP server is on windows 2003 platform. Following things which we tried returned only half information. 1) DhcpGetSubnetInfo API returns only some information like subnet name, comment, and subnet mask. It doesn't give other information like IP range and Lease duration. 2) We tried using COM (DHCPObjs) object (present in Windows 2000 resource toolkit). But it doesn't give Lease duration. Is there any other way to find Lease Duration either through Registry, WMI, dhcp.mdb(DHCP database) or any other source? Any help would be appreciated. Thanks in advance. ~Somesh Tag: trusting a non-Windows Kerberos Realm Tag: 125572
  - 8
    - Query DHCP Lease Duration Information Hi, We want to query for the lease duration of a subnet scope on DHCP server remotely in our product. We don't have clue from where we can read this information in case DHCP server is present on windows 2003 platform. On windows 2000 server we read registry to find all the DHCP subnet information, but that information in not present in registry if DHCP server is on windows 2003 platform. Following things which we tried returned only half information. 1) DhcpGetSubnetInfo API returns only some information like subnet name, comment, and subnet mask. It doesn't give other information like IP range and Lease duration. 2) We tried using COM (DHCPObjs) object (present in Windows 2000 resource toolkit). But it doesn't give Lease duration. Is there any other way to find Lease Duration either through Registry, WMI, dhcp.mdb(DHCP database) or any other source? Any help would be appreciated. Thanks in advance. ~Somesh Tag: trusting a non-Windows Kerberos Realm Tag: 125571
  - 9
    - There must be an easy answer to this one.. How would i export all avilable attributes (be they populated or not) for a user object? I can view them by scrolling through an accounts properties in ADSI Edit, but i'd like to have them in a single list i can view and make notations on. Even better would be a link that lists all the attributes along with an explanation for each one. ..But i'm not greedy, i'll settle for only the list at this point. Thanks in advance. Tag: trusting a non-Windows Kerberos Realm Tag: 125563
  - 10
    - Error lsasvr 40690 Hi all, I have been having this error on one of our domain controler (cut and paste of the event at the end of the post). It's repeated every 1:30 to 2 hours and has been going on for 2 weeks. I have made an extensibe search both on microsoft website and google (web) and I couldn't find anything that apply to this error. I have also made a complete diagnostic of the server with dsdiag, netdiag, nltest and nothing comes out, all diagnostics indicate that the server is fonctionning correctly without any error. The IP configuration is correct, the account is not disabled or erase and at this point I can't figure out what is wrong or if I even need to be worriedÂ. One last thing, it as been a while since the server has been rebooted. I plan on doing it this afternoon and see if it makes a difference. Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40960 Date: 3/25/2008 Time: 1:20:41 PM User: N/A Computer: SHSJDC02 Description: The Security System detected an authentication error for the server ldap/shsjdc02.somewhere.intranet/somewhere.intranet@somewhere.intranet. The failure code from authentication protocol Kerberos was "The referenced account is currently disabled and may not be logged on to. (0xc0000072)". For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 72 00 00 c0 r..Ã? Tag: trusting a non-Windows Kerberos Realm Tag: 125561
  - 11
    - export a list of all users including the value of the "pager" field Hi everyone, I want to export a list of all users including the value of the "pager" field, so that I can edit it with Excel for example. Does anyone know how to? Ithink it can be done with an LDAP query? Many thanks, Remco. Tag: trusting a non-Windows Kerberos Realm Tag: 125560
  - 12
    - Adding Win2003 Server R2 to Non-SP Win2003 Server Domain Our sole DC is a W2003 Server without any service packs. The system partition is too small to allow me to SP this machine. I am planning on taking this machine down and replacing drives after I get this new machine up and running. OS on new machine is W2003 Server R2. The AD schema on the existing DC needs to be extended via ADPREP. Questions I have are can the AD Schema be extended regardless of the lack of SP's and does the server require a reboot after running ADPREP? Tag: trusting a non-Windows Kerberos Realm Tag: 125553
  - 13
    - Are there any known problems making an existing fileserver second Helllo, i'm want to make my existing fileserver (Windows Server 2003) to a second domain controller. The first domain controller is a Windows Server 2003 R2. Are there any known problems in making an fileserver to a domain controller? Something i should keep an eye on making the fileserver to another DC? -- Thanks & Regards btbadmin Tag: trusting a non-Windows Kerberos Realm Tag: 125551
  - 14
    - "Ghost" DC Still Showing Up I'm trying to eliminate AD replication problems we're having. After searching various forums I ran the LDIFDE utility and came back with the following results. My problem is that this server (ghostserver) does not exist anymore. The machine was demoted and removed from the domain several weeks ago. How can I delete this entry? Any help would great be appreciated. dn: CN=ghostserver\0ACNF:ea976bf3-fb37-4de8-b027-94ee547cfe52,OU=Domain Controllers,DC=child,DC=domain,DC=com changetype: add servicePrincipalName: exchangeAB/ghostserver.child.domain.com servicePrincipalName: exchangeAB/ghostserver servicePrincipalName: ldap/ghostserver.child.domain.com/child servicePrincipalName: ldap/ghostserver servicePrincipalName: ldap/ghostserver.child.domain.com servicePrincipalName: ldap/ghostserver.child.domain.com/child.domain.com servicePrincipalName: ldap/0b91889b-c4e5-4a69-a1e6-8cffd0949456._msdcs.domain.com servicePrincipalName: HOST/ghostserver.child.domain.com/child servicePrincipalName: HOST/ghostserver.child.domain.com/child.domain.com servicePrincipalName: GC/ghostserver.child.domain.com/domain.com servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/0b91889b-c4e5-4a69-a1e6-8cffd0949456/child .domain.comservicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ghostserver.child.domain.comservicePrincipalName: HOST/ghostserverservicePrincipalName: HOST/ghostserver.child.domain.com Tag: trusting a non-Windows Kerberos Realm Tag: 125546
  - 15
    - How to rename domain.com to domain.local? Hi there, I recently posted about was it wrong to use company-name.com as our Forest/Domain and should company-name.local be used. The suggestions were to use .local where possible but as we already have .com I have decided to leave it as everyone said it is OK if not causing problems. I don't actually want to do this or have any plans to but does anyone know how I would go about changing .com to .local and the impacts of doing so including downtime or problems. Thanks. Tag: trusting a non-Windows Kerberos Realm Tag: 125532
  - 16
    - demote adc I want to demote my adc, when i try it using dcpromo it gives error like that the operation failed because: Active Directory could not transfer the remianing data in directory partition CN=schema, CN=Configuration, DC=netserv,DC=com to domain controller primaryserver.mydomain.com "The DSA operation is unable to proceed because of a DNS lookup failure" Do you hav any idea why it is caused by? Thanks Tag: trusting a non-Windows Kerberos Realm Tag: 125516
  - 17
    - AD DNS Zone question - Dynamic Updates I had someone ask me a question the other day that I wasn't totally sure the answer to. Let's say you have an active directory dns zone, either integrated or primary, and you have dynamic updates turned off. So I realize that no clients will be able to update or create host records in the zone. However, let's say you make domain controller changes, such as bringing up a new DC and making it a GC. Will the SRV records be updated within the zone for the domain controller(s)? Tag: trusting a non-Windows Kerberos Realm Tag: 125511
  - 18
    - Main differences between Enterprise CA and Standalone CA ? Hi, one people in my team has made a project with a standalone CA but we are thinking about installing an Enterprise CA as we are using Active Directory. We don't have any special needs actually but the advantage to have the Enterprise CA is the auto-enrollment so we would like to install it for the project and not anymore the standalone CA. My question is, what differences should we have to know about the installation of an Enterprise CA in place of a Standalone CA ? (or more exactly what default options should I have to change on the Enterprise CA to work as if I was using a Standalone CA?) For example, I am thinking about changing the default value of autoenrollment in the Enterprise CA ( Policy Modules/Properties/Set the certificate request status to pending). But is there anything else ? Thank you -- Pascal Tag: trusting a non-Windows Kerberos Realm Tag: 125505
  - 19
    - Event ID 8003 on domain controller Hello, every hour i receive eventid 8003 on our domain controller. The master browser has received a server announcement from the computer <NAME OF OUR ISA Server 2006> that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B7545DFC-BA6C-4712-81. The master browser is stopping or an election is being forced. The hostname that is displayed in the error description is the hostname of our ISA Server 2006. How can i get rid of the error message? What is wrong here? Tag: trusting a non-Windows Kerberos Realm Tag: 125504
  - 20
    - Replication NTDS Settings I have added additional DC to my domain. And replication process accomplished well, at least i guess it is well. I can see users, i have checked dns it is updated. Both old and new dns services have all and same entries. 1. But I can not see NTDS Settings entries to replicate now process in Sites and Services for my new server. What may be problem? Is it important? And also i have not checked global catalog server for new server. Can it cause this problem? 2. I want to ask another question. can there be two server which is checked as global catalog server in a single domain? or what should i do for this situation? 3. For last question, can i test for transfer roles from old one to newer one at this question? thanks Tag: trusting a non-Windows Kerberos Realm Tag: 125500
  - 21
    - Active Directory login seems too fail, shares not corrensponding . Hello people, have abit of a problem, will try to explain below. (I am very new to this so go easy on me). We recently installed a new fiberoptic for WAN communication. In this process we changed our entire network subnet and ip scope. We have a different means of distributing ip-adresses to clients then we had before. Now, everything works fine up to the point when it comes to login in to server from a client. Login scripts, connections to shares - doesn't seem to register upon logon. Running from the server itself it looks fine, no problems there. If one tries to connect to a share from a client the message "networkpath could not be found .. " appears. I can ping the DC, works fine. Run nslookup (dns), works fine and such - but not get the shares to work / run login scripts from clients. Any ideas? I've basically given up on this because I really do not know what to look for or where to start. And it's really not in my job description either. Any help is appreciated. Best regards, T Tag: trusting a non-Windows Kerberos Realm Tag: 125499
  - 22
    - Certificate Installation Hi I have to install certificates through Group policy in the following authority Trusted Root Certification Authority: Intermediate Certification Authority: Under the Group policy I am able to successfully import certificates in Trusted Root Certification Authority but I could not find the container for Intermediate Certification Authority Can any one suggest me how to import certifcates in Intermediate Certification Authority and apply the same through Group policy?? Thanks in advance regards Tag: trusting a non-Windows Kerberos Realm Tag: 125498
  - 23
    - Empty Subject in outlook Can I prevent the userâ??s send any outlook mail to otherâ??s without subject by apply a group policy in AD .... Tag: trusting a non-Windows Kerberos Realm Tag: 125496
  - 24
    - DCDIAG error When I run a DCDIAG on mij W2k3 server I get the following output: Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\ZEUS Starting test: Connectivity The host b6b4dfa9-2dd1-47fd-8a80-24558752ee7f._msdcs.test.local could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc Although the Guid DNS name (b6b4dfa9-2dd1-47fd-8a80-24558752ee7f._msdcs.test.local) couldn't be resolved, the server name (zeus.test.local) resolved to the IP address (10.31.1.160) and was pingable. Check that the IP address is registered correctly with the DNS server. ......................... ZEUS failed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\ZEUS Skipping all tests, because server ZEUS is not responding to directory service requests Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : test Starting test: CrossRefValidation ......................... test passed test CrossRefValidation Starting test: CheckSDRefDom ......................... test passed test CheckSDRefDom Running enterprise tests on : test.local Starting test: Intersite ......................... test.local passed test Intersite Starting test: FsmoCheck ......................... test.local passed test FsmoCheck What can/must I do to correct this problem? Tag: trusting a non-Windows Kerberos Realm Tag: 125493
  - 25
    - Retrieve Users in AD from SQL server Procedure Is it possible to reteive a group of users(not all ) from AD using an SQL query? The users will be placed under folder structures like F1, F2 and i need to extract only those users in F1 and F2. Thnx Tag: trusting a non-Windows Kerberos Realm Tag: 125492

I am looking to setup a trust between a Windows 2003 domain and a
non-Windows Kerberos realm.

1) I'm looking for a straight-forward how-to
2) I'm looking for an official doc on what protocols MS uses to encrypt the
shared secret

Thanks
Blake

Top

Re: trusting a non-Windows Kerberos Realm by Jorge

Jorge
Thu Mar 27 09:28:26 PDT 2008

Hi
Check if helps
http://technet.microsoft.com/pt-br/library/bb742432(en-us).aspx
http://technet.microsoft.com/en-us/library/bb742433.aspx#ECAA

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Top