Unanswered Questions

2,286 questions with no upvoted or accepted answers
11 votes
3 answers
1k views

Unable to bind OSX 10.9 to Active Directory 2008

I am struggling to bind OSX 10.9 to a 2008 r2 Active Directory. I can join the domain fine when I boot into Windows from the same machine. From OSX I can find the domain controller successfully and ...
9 votes
0 answers
4k views

Unix nslcd login with sAMAccountName and/or userPrincipalName from Active Directory

I'm trying to setup authentication from Active Directory in FreeBSD 10.0 using nslcd (nss-pam-ldapd-sasl package) and would like to allow both sAMAccountName and userPrincipalName as valid login ...
8 votes
1 answer
2k views

DNS and Active Directory configuration for a branch office

We've got a branch office with no on-site services at the moment, and we'd like to change that. The biggest goal is to setup some file servers but faster logins and DNS resolution will be welcome as ...
7 votes
0 answers
184 views

Sunsetting Microsoft Identity Management for Unix the right way

I'd like to make sure that we don't have any connections to our AD controllers before sunsetting, but some run Microsoft Identity Management for Unix / Server for NIS. I'm having a dog of a time ...
7 votes
1 answer
2k views

Joining a server to AD via AWS cloudformation

I want to use cloudformation to automatically join new instances to AD. When I googled this it looks like many people just use scripts in their cloudformation templates and pass in credentials- I don'...
7 votes
2 answers
4k views

A single AD user can't log into a single Mac bound to the domain (DirectoryServices error). How can I resolve this?

On our campus, we have about 60 Macs joined to our Active Directory domain. Most users have no problems logging into Macs, as long as their accounts are configured correctly. However, we have one ...
6 votes
2 answers
941 views

Q: RHEL, SSSD, Active Directory

Good afternoon folks. I've been perusing various posts already about getting linux systems to authenticate using AD, but haven't seen anything approaching what I'm beating my head against. There's a ...
5 votes
0 answers
2k views

Samba and AD - "net ads changetrustpw" fails

I've got a Samba member of a Windows AD. I'm using a combination of sssd and winbind. Samba manages machine password changes, and it's configured also to update the passwords used by sssd. (The ...
5 votes
1 answer
4k views

How do I fix a non-starting "Microsoft Key Distribution Service"? (not to be confused with Kerberos KDS)

The Microsoft Key Distribution Service is not starting on my DC (kdssvc.dll) and when I look at the event log under Microsoft\Kdssvc, I see the events: Event ID 4001 Group Key Distribution ...
5 votes
0 answers
614 views

Installing MSA (Managed Service Accounts) using Windows deployment tools

I have to install several new application servers (2012R2) for a project which will run IIS and MSMQ. I need to script the complete install, so I need to be able to change permissions on IIS ...
5 votes
1 answer
461 views

Active Directory: Server 2008 and RHEL 5.10

Apologies if this is a re-post. I've been googling and researching the topic for over three weeks now and I've come up against the same problem over and over again and I haven't managed to get around ...
5 votes
1 answer
8k views

Cross-Realm trust verify failed with 'netdom' command

Question 1: Am having my ActiveDirectory in Windowsserver 2012 machine - its domain name is AD-DEMO.LOCAL Kerberos admin-server is in another Ubuntu machine - its realm KERBEROS.COM Added trust in '...
5 votes
3 answers
2k views

How do I launch a command on a remote computer with an invalid domain trust? (using local creds)

I intend to use WMIC to reset the trust of a machine that is remote, and off the network. All of the following variations result in an "access denied": The following works fine: net use \\patterson-...
5 votes
1 answer
5k views

Windows Server 2008 R2 hangs when Editing folder permissions

Background: The server in question is a member of a domain. This is a brand new server, freshly installed. I can log into this server using any domain user (which tells me that on some level it is ...
5 votes
1 answer
3k views

Automatically refresh credential after password change

Let's say we have around 300 Windows XP machines on our ActiveDirectory domain that are used for processing something. Each has an account which is patterned on the machine's name. As these are ...
5 votes
1 answer
1k views

How to prevent browser password prompts when no Active Directory single-sign-on?

We have single-sign-on working on an internal website, with Apache and mod_auth_kerb ... except users without the relevant browser config are getting password prompts instead of an error page. Users ...
4 votes
0 answers
8k views

kinit to get TGT returns “KrbException: Identifier doesn't match expected value (906)” under Windows Server 2016 Active Directory + Kerberos + JDK8

Trying to make Windows Server 2016 Active Directory + Kerberos and Java OpenJDK 8 kinit to obtain a ticket-granting ticket returns KrbException: Identifier doesn't match expected value (906) I have ...
4 votes
1 answer
7k views

2012 SERVER DCDIAG STRUGGLE with error 1355 (DsGetDdName call failed)

EDIT: This problem was resolved by following the information found at this link: https://support.microsoft.com/en-us/help/947022/the-netlogon-share-is-not-present-after-you-install-active-directory-d ...
4 votes
0 answers
378 views

Microsoft RemoteApp via TS Gateway initial connection load very long (over 2 minutes)

The Environment We do have a RemoteApp Terminalserver, based on a Windows Server 2016. Latest Updates are installed. We have provisioned multiple apps through this server. There is one Session ...
4 votes
2 answers
959 views

Stop Google forcing a password change on newly created accounts

I'm in the process of implementing Google's GSuite Password Synch on a Windows Server 2016 AD system. I've installed the Cloud Directory Sync software which successfully creates new users in GSuite ...
4 votes
0 answers
86 views

Moved AD Connect to a new server and now end-users are getting errors when replying to internal emails in Outlook

I moved my Microsoft AD Connect install from one server to another today. I installed AD Connect on the new server in staging mode, turned on staging mode on the old server, turned it off on the new ...
4 votes
1 answer
71 views

AD migration 2008 r2 to 2012 r2 - must've missed something

I finally went through with this the other day. Got DNS/AD setup, seized FSMO roles on the 2012 server, migrated DHCP etc. I thought I was ready to go so I turned off the 2008 server yesterday. ...
4 votes
0 answers
1k views

Intermittent login problems (LDAP timeout?) with ejabberd

We're running ejabberd 17.07 on an Ubuntu 17.10 VM, and authenticating against an Active Directory on Windows Server 2012 R2. This mostly works, but several times a day, logging in fails. It appears ...
4 votes
0 answers
5k views

DNS IPv6 settings on Domain Controllers

Both in my lab testing and on real installation I saw that, after a dcpromo (done via "Server Manager" on Windows 2016), a loopback IPv6 address is automatically added on the interface DNS settings (...
4 votes
0 answers
5k views

Openvpn multi-factor authentication using active directory certificate store

Integrated Enterprise OpenVPN Configuration I've scoured the Internet high and low attempting to locate a definitive source of how to configure openvpn in a manner that is secure, and most ...
4 votes
0 answers
2k views

Questions about ktpass/kerberos with Active Directory

I got a few questions about Kerberos with Active Directory, specifically about the ktpass tool. The example AD I'm using (everything is on 2012R2 level): Active Directory Domain Name: ad.example.com ...
4 votes
0 answers
320 views

Windows NFS Client Tools Doesn't Follow manage-gids

I am running into an issue with the Windows NFS Client tools, it seems that when I attempt to access a folder on an NFS share that has read permissions for a group that user is member of - but not the ...
4 votes
1 answer
2k views

SERVER2012 R2 Core access denied when deploying domain controller from remote system

I have installed Windows Server 2012r2 Core edition and want to promote it to my first domain controller. I intended to do this with a Server Manager installed on a client computer. I connected to ...
4 votes
1 answer
786 views

Issues with demoting a DC, remnants of failed SBS2011 DC still in directory

So, an environment I'm new to, is having some problems that I'm trying to correct. Old config: Single SBS2011 server, a second 2008 R2 DC was added at some point. SBS failed, roles were seized and ...
4 votes
2 answers
1k views

Fileserver cannot find any DC's for trusted domain

The problem Due to a merger in our organisation, we are migrating to a new common Active Directory domain. Our old legacy domain and the new domain have a two-way trust between them. We have two main ...
4 votes
1 answer
6k views

Secure channel trust verification fails

Working on an issue with setting up a trust between two domains with several firewalls in between, and a pinhole routing between two servers in them. newdc.newdomain.com is a 2012 server in a brand ...
4 votes
0 answers
5k views

LSA SID cache keeps old entry for renamed domain user - why?

I have a question about LSA SID cache on a domain member server. Recently I ran into an issue where some users, after their name was changed in AD, have difficulties accessing an application I support, and ...
4 votes
0 answers
2k views

Cannot enable GSS-TSIG updates from Active Directory in BIND 9.10

I’m with a problem trying to enable GSS-TSIG with BIND 9.10. Before I start describing what I’ve done, I would like to say that I’ve already done this in another domain without any problems. So I ...
4 votes
0 answers
36k views

Windows 7 there are no logon servers available to service the logon request subdomain

I've read other solutions, but my problem is slightly different. Problem occurs in domain environment. We work in a subdomain, but we also have some employees coming with notebooks registered in top ...
4 votes
0 answers
10k views

Server not found in Kerberos database while getting credentials for imap

When running kvno imap/[email protected] get the following error: kvno: Server not found in Kerberos database while getting credentials for imap/[email protected] ...
4 votes
1 answer
796 views

Intranet corporate SSO for webapps against Active Directory

I am trying to plan and implement a SSO solution in a corporate environment that serves intranet web applications running on CentOS: Corporate portal (Drupal backend) Project management (Project.NET) ...
4 votes
1 answer
1k views

Kerberos issues after new server of same name joined to domain

Environment: Windows Server 2012, 2 Domain Controllers, 1 domain. A server called Sharepoint1 was joined to the domain (running Sharepoint 2013 using NTLM). The fresh install for Sharepoint1 (OS and ...
4 votes
0 answers
63 views

Why is Office 2010 asking me to choose one of only one potential account to open a restricted document

We have implemented an AD Rights Management System in our domain. Occasionally, when I send a protected email to someone in my domain or someone sends one to me, I will be prompted with a dialog box ...
4 votes
0 answers
1k views

DSGET escapes hash signs (#) in outputted Distinguished Names (DN)s but expects unescaped hash signs for input

Let's say I want to do the very simple query in AD dsquery user -name "John Smith" | dsget user -memberof -expand This will output the DNs of the AD groups that this user belongs to. I can make it ...
4 votes
0 answers
622 views

Single Sign On through Citrix

I have a webserver running Windows 2008 R2 with IIS 7. The server is a member of the domain "mydomain.com". What I am trying to achieve is a SSO connection between the AD users and the web server. The ...
4 votes
1 answer
4k views

can't add sharepoint users from trusted domain

I have a very strange problem with our Sharepoint 2007 implementation. I went in today to grant access to a user and was greeted with "The user does not exist or is not unique." Let me start off by ...
3 votes
0 answers
308 views

Active Directory: how to get rid of NTLM when we have remote users (road warriors)?

I want to disable NTLM completely. I don't want password hash to be stored in memory because of pass-the-hash attack (people don't have SeDebugPrivilege but anyway NTLM is not good) But people connect ...
3 votes
2 answers
1k views

Grant minimum required permission for adding computer to a domain - without using delegation

Following principle of Least-Privilege Administrative Model I need to create custom group that would give its members permission to add computers to a domain but nothing else that could pose a ...
3 votes
1 answer
453 views

Windows - Group Policy - Numerous Share Drives w/ Item-Level Targeting

Overview We have been working on getting our numerous sites to map share drives for each user that needs access to their sites. We have no way of standardizing this from within their AD profile as ...
3 votes
0 answers
2k views

DNSSEC for private internal sub zones of an external domain

Consider the following scenario: example.com is hosted on CloudFlare and it's signed by CloudFlare DNSSEC. Everything works as expected for example.com. Inside the company we have some internal ...
3 votes
0 answers
76 views

Joining Linux machine to Active directory

What would be the benefit of joining a Linux machine to windows AD, let's say I already manage the users on this Linux machine from the AD, my question is more about the pros and cons of adding the ...
3 votes
0 answers
969 views

Old server accounts persist after migration to Windows Server 2019

I went through the process of migrating Active Directory 2012 R2 to Active Directory 2019. Minus a few firewall ports needing to be opened up, I was able to get through the process of promoting the ...
3 votes
2 answers
3k views

Samba4 AD DC setup and working, but won't connect with Windows 7 or 10

I've gotten a Samba 4 AD DC setup running on Ubuntu 18.04 LTS. I used this tutorial to make it work: https://www.tecmint.com/install-samba4-active-directory-ubuntu/ The problem is I can't get my ...
3 votes
0 answers
2k views

Is a domain joined windows machine's objectGUID or ObjectSID as stored by Active Directory also stored locally?

Working on an inventory project where I need to link a computer to an object in Active Directory. I have an export of all computer objects from Active Directory including some unique identifiers such ...
3 votes
0 answers
3k views

Local groups mapped to AD users via groups.conf working - but only with ssh login

I'm running a Samba Active Directory domain with Ubuntu 18.04 clients. I used the /etc/security/group.conf file to successfully create a mapping for domain users to the "dialout" group. I tested it ...
