802.1x and Windows Domain Controller with ACS

Similar Messages

• Can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server

  im my environment we are trying to upgrade from server 2k3 to 2k8, out testing done on server 2k3 to 2k8, but can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server ...kindly suggest
  Nitin Gaurav
  [email protected]

  Yes you can. If you have two 2003 AD servers currently and upgrade one of them to 2008 AD then they'll continue to be able to work together. The domains functional level will remain as 2003 across both servers so at this stage you won't get any benefit from
  the new AD functionality available in 2008.
  Once you've then upgraded the second 2003 server to 2008 you can then upgrade the functionality levels in AD to make it 2008. It's been a while, but I believe it doesn't happen automatically, so once all AD servers have been upgraded you have to go into
  AD and upgrade the functionality levels yourself.

• Windows Domain Controller on Windows Server 2012 R2: Hyper-V roaming profiles not loading due to slow connection

  I have racked my brain and done everything that I know to do for about two weeks now.  I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming
  profiles.  It keeps telling me that the roaming profile could not be loaded because of a slow connection.  These are workstations that are connected directly to the switch that the DC is connected to.  I have tried multiple connections regarding
  the layout (DC into the router, router into the switch).  The router is a Cisco RV220W.  I have two VLANS, one for public and one for private domain.  The Private VLAN has DHCP turned off since I am providing it through the DC.  I currently
  have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
  The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port).  I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller.  The DC can see
  the internet fine and the workstations can connect to the shared folders on the server.  I can retrieve files by just using the computer name or FQDN.  The DC is also running DNS and DHCP.  The DNS has the _msdcs setup from when I installed
  the active directory role.  I have attempted to assign static IP addresses to the workstations:
  IP:                     10.0.0.80
  Subnet:             255.255.255.0
  IPV4 Gateway:  10.0.0.1
  IPV4 DNS:        10.0.0.12
  I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
  The server is assigned:
  IP:                     10.0.0.12
  Subnet:             255.255.255.0
  IPV4 Gateway:  10.0.0.1
  IPV4 DNS:         10.0.0.12
  The DNS entries have forwarders that forward to my ISP DNS servers for lookup
  I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
  I've lost my patience with this project and am sinking fast.  Can someone please offer some advice as to what I've done wrong?  I've created this exact scenario at work many times but, I've never done it with Windows Server 2012.  Is this
  possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV?  I am going to attempt to work on it some more tomorrow when I get over there.  I think there may be an issue with the SR-IOV not being enabled on the machine
  through the Dell Bios.  Would the SR-IOV really cause the workstations to report a slow connection?  When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct.  I don't
  have "ignore slow connections" or any of those GPO's set.  I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem.  Any help that someone can offer, I am more than willing
  to listen.  If you need more information, please ask.
  Thanks,
  Jay

  So, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many
  post and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the
  virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If hyper-v would allow passthrough, this would be so much simpler. VM-ware is looking really good at this point.
  Im disappointed in MS right now.

• Leap and windows domain logon

  I'm doing some test with an Air 1200 and some 352 Pc card for one of our customers.
  With ACU ver. 4.25.23, I enabled LEAP authentication using the windows user name and password.
  Leap authentication is successful, while windows domain logon not.
  Not to say using a "normal" NIC that logon succeed.
  Sniffing the packets that come out the AP, it seems the domain logon happens... I see the requests/answers between my client and the domain controller...
  However, after canceling the windows domain logon I have normal connectivity with the entire network.
  Someone experienced that? Any help will be greatly appreciated.
  Antonio Tassone

  Sure.
  My attempts to logon in a windows domain using the same user/password for LEAP authentication and windows logon were unsuccessful (either using Win9x or Win NT/2000 on the client), indeed the login dialog box was stuck in something like "searching primary domain controller" or similar (I'm sorry but it's been some month ago).
  Looking the Radius server log, I found an error like " xxxxx DLL rejected".
  Searching the Cisco web site and the forums for that error, I read the advice to make the authentication services on the NT server to run with the privileges of one of the Windows Domain Administrator accounts.
  Following that advice, and with some other tweaking explained in the document I read, I reached my goal.
  I regret I can't be more precise.
  Regards.

• Move Windows Domain Controller 2012 to other Windows Domain Controller 2012 eniveroment

  Dear All,
  I Have Windows Domain Controller 2012 and but this server have a lot of issue so I need to ask you if I can move this server to other new server as is old server if yes can you please guide me how to do that ?
  Regards, 

  Hello Khaleel,
  Your question doesnt specify what kind of errors are there on DC 2012. Try to resolve those errors.
  Incase the server cannot be remediated, you can demote the server from being a DC.
  you can demote the server using:
  http://terrytlslau.tls1.cc/2012/03/domain-controller-demotion-on-windows.html
  Please ensure, there is another DC in the domain and the FSMO roles , GC have been transferred to another server.
  http://support.microsoft.com/kb/223346/en-us
  http://www.archy.net/windows-server-2012-migrating-fsmo-roles/
  I LOVE MS..... Thanks and Regards, Kshitiz (Posting is provided "AS IS" with no warranties, and confers no rights.)

• ACS and Windows Domain / AD

  Hi All,
  In my environment there are two Windows Domain - Doamin A and B. ACS is configured on member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on ACS server in Windows Domain configuration menu.
  Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
  Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
  I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
  Apprecaite quick help on this.
  -Satishcp

  Unfortunatley we are not using the Cisco Secure ACS Appliances, rather its ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
  My guess Remote Agents for Windows / Solaris works with Appliances alone.

• Limit Administrator Access to only OS Level functions on a Windows 2003 (and up) Domain Controller Server

  <p>I have read several articles such as:</p><p>1.&nbsp; <a href="http://social.technet.microsoft.com/Forums/windowsserver/en-US/9c723f4a-51a7-4844-9dc6-0017355d694c/limited-administrative-on-domain-controller?forum=winserverDS">http://social.technet.microsoft.com/Forums/windowsserver/en-US/9c723f4a-51a7-4844-9dc6-0017355d694c/limited-administrative-on-domain-controller?forum=winserverDS</a></p><p>2.&nbsp;
  Active_Directory_Delegation.doc</p><p>Consider that a domain controller, doing no other functions than domain based functions (ie no file server, printer or app server) - is managed in two parts:&nbsp; The OS-only level, to read log files,
  server health monitoring, install OS-level Micrsoft security patching and the second part being Domain management level - Users and Computers, Domains and Trusts, etc).</p><p>For a given domain controller server, an outsourced support&nbsp;group&nbsp;needs
  to be responsible for the OS-only level access - they need no access to the Domain management level functions so they can fufill contractual obligations (SLAs) for server uptime, patching etc.&nbsp; </p><p>For the same given domain controller
  server above, there is an internal (non-outsourced) support group that will perform all Domain management level functions only.&nbsp; They want to manage the Domain on the Domain Controller servers, want the Outsourcer to manage the VM and OS-related tasks,
  but DO NOT want them to be able to access and change information in Users and Computers, Domains and Trusts etc.&nbsp; </p><p>With that explaination, would putting the Outsourcer's AD-based account IDs in the Server Operators group alone be
  sufficient to allow OS-level management, like patching, reboots, etc but disallow access to Domain Management functionality (Users and Computers etc) - or does it need to be a combination of built in groups and delgated rights?</p><p>Please consider
  that I am seeking a technical solution here&nbsp;- do not respond with "either trust your Domain Administrators or keep your junior admins from the server" as that is not a viable solution.&nbsp; </p>
  Jason B. Allen

  Hi Jason,
  According to your description, you want to assign the OS-level management and Domain management rights to two groups separately, right?
  Based on my research, members of Server Operators group don’t have sufficient rights to install updates for Domain Controllers, you can refer to this article below:
  Default groups
  http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx
  You can configure Allow non-administrators to receive update notifications group policy so that non-administrative users will be able to install all optional, recommended, and important updates content for which
  they received a notification, except some updates which contain User Interface, End User License Agreement and so on, which still require domain admin credentials.
  To enable non-administrator users the ability of logging onto and shutting down DCs,
  Allow logon locally and Shut down the System rights should be granted.
  In addition, reading logs and monitoring server performance rights are included on Performance Log Users and Performance Monitor Users groups.
  More information for you:
  Step 5: Configure Group Policy Settings for Automatic Updates
  http://technet.microsoft.com/en-us/library/dn595129.aspx
  User Rights Assignment
  http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
  I hope this helps.
  Amy Wang

• Renaming Windows Server 2012 Domain Controller with Exchange Server 2013

  Is it possible to rename Windows Server 2012 Domain Controller, as we are using Exchange Server 2013 as a member server on Windows Server 2012 ?
  We have some issues with the Domain Name, so want to rename..
  Maybe somebody knows the best practices how to do this in best way???
  Thanks.

  Hello,
  You should do the following:
  1. Promote another DC.
  2. Transfer FSMO roles to that server.
  3. Decommission old DC.
  4. Rename it.
  5. Promote it again as DC.
  Here is useful link:
  http://technet.microsoft.com/en-us/library/cc782761(v=ws.10).aspx#bkmk_renamesingle.
  Hope it helps,
  Adam
  www.codetwo.com
  If this post helps resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others
  find the answer faster.

• Windows domain controller in a virtual machine: how dangerous is saving its state for a short period of time?

  I have a Windows Server 2012 R2 virtualization cluster. All the hosts are connected to an external storage system, and virtual machines' files are stored on external volumes (CSVs). All the hosts and virtual machines are a part of the same AD domain
  (mixed Windows Server 2012 RTM / 2008 R2 domain controllers). All the domain controllers are running in the virtual machines on the hosts of this cluster.
  To prevent problems when all the hosts are turned off and then on simultaneously (for example, because of a power failure) all the domain controller VM files has been placed on local disks of the virtualization hosts (not on the Cluster Shared
  Volumes). As Hyper-V services don't depend on other Windows Server services (except its networking components), it means that my domain controllers can always start, providing the virtualization host can start at all. However, it also means
  that those DCs cannot be (quickly) migrated to other hosts while their current hosts are being rebooted. So if I need to reboot a virtualization host to install new updates, for example, I have to shut down the corresponding DC, reboot the host
  and wait for the DC to finish cold boot and come back online. It means some interruption of service for our users, which, in turn, requires me to perform the reboots late in night.
  The downtime can be significantly decreased by saving the state of the VM in which the DC is running. However, all the articles I've found on the Internet strongly recommend against it. I'm trying to understand why this recommendation was issued in the first
  place. However, I'm unable to find a clear explanation. I've found some statements that saving state of a DC can cause serious AD replication problems because of tombstoning, and that the password of a DC computer account may be changed
  while the DC itself stays in the saved state, which could prevent the DC from connecting to the domain after its state has been restored. However, those considerations are non-significant when we discuss a short-time
  (5 to 10 minutes) saved state.
  I work with AD and virtualization long time, and I fail to see any danger in saving state of a DC for several minutes. In my opinion, after its state has been restored it would simply replicate all the AD changes from other DCs, and that's all.
  What's your opinion?
  Evgeniy Lotosh
  MSCE: Server infractructire, MCSE: Messaging

  Hello,
  as stated in "http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx"
  Operational Considerations for Virtualized Domain Controllers
  Domain controllers that are running on virtual machines have operational restrictions that do not apply to domain controllers that are running on physical machines. When you use a virtualized domain controller, there are some virtualization software features
  and practices that you should not use:
  Do not pause, stop, or store the
  saved state of a domain controller
  in a virtual machine for time periods longer than the tombstone lifetime of the forest and then resume from the paused or saved state.
  This may sound as it is supported to store it for shorter times and use it.
  BUT recommendation also from the Hyper-V Program manager in
  http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx recommends against using them.
  Also best practices
  http://blogs.technet.com/b/vikasma/archive/2008/07/24/hyper-v-best-practices-quick-tips-2.aspx
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Machine authentication by certificate and windows domain checking

  Hi,
  We intend to deploy machine?s certificate authentication for wifi users.
  We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
  We intend to use EAP-TLS :
  - One CA server.
  - each machine (laptop) retrieves its own certificate from GPO or SMS
  - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
  - ACS version is the appliance one
  - one ACS remote agent installed on the A.D.
  - when a user intends to log on the wifi network :
  - the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate he already trusts, results : the client also trusts the ACS?s certificate signed by the CA server .
  - the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate he already trusts, results : the ACS also trusts the client?s certificate signed by the CA server but the ACS also checks that this certificate isn?t revocated (the ACS checks this thanks to the CA server CRL ? certificate revocation list).
  Am I right about these previous points ?
  And then my question is : is it possible to check that the machine is also included in the windows domain ?
  That is, is it possible for the ACS to retrieve the needed field (perhaps CN ?? certificate type "host/....") and then perform an authentication request to the A.D. (active directory) thanks to the ACS remote agent ? We want to perform only machine authentication, not user authentication.
  Thanks in advance for your attention.
  Best Regards,
  Arnaud

  Hi Prem,
  Thanks for these inputs.
  I've passed the logs details to full, performed other tests and retrieved the package.cab.
  I've started investigating the 2 log files you pointed.
  First, we can see that the requests reach the ACS, so that's a good point.
  Then, I'm not sure how to understand the messages.
  In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles to be mandatory to be configured.
  But I'm not sure this NAP problem to be the root cause of my problem.
  And when no NAP is matched, then the default action should accept.
  We can see the correct name of the machine (host/...). We can see that he's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
  I don't know what CSDB is.
  I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
  I copy below an extract of the auth.log.
  I also attach parts of auth.log and RDS.log.
  If you have any ideas or advices ?
  Thanks in advance for your attention.
  Best Regards,
  Arnaud
  AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
  AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
  AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
  AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
  AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

• What is the best practice and Microsoft best recommended procedure of placing "FSMO Roles on Primary Domain Controller (PDC) and Additional Domain Controller (ADC)"??

  Hi,
  I have Windows Server 2008 Enterprise  and have
  2 Domain Controllers in my Company:
  Primary Domain Controller (PDC)
  Additional Domain Controller (ADC)
  My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred
  (5) FSMO Roles from (PDC) to (ADC).
  Now my (PDC) is rectified and UP with same configurations and settings.  (I did not install new OS or Domain Controller in existing PDC Server).
  Finally I want it to move back the (FSMO Roles) from
  (ADC) to (PDC) to get UP and operational my (PDC) as Primary. 
  (Before Disaster my PDC had 5 FSMO Roles).
  Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
  In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
  Example like (FSMO Roles Distribution between both Servers) should be……. ???
  Primary Domain Controller (PDC) Should contains:????
  Schema Master
  Domain Naming Master
  Additional Domain Controller (ADC) Should contains:????
  RID
  PDC Emulator
  Infrastructure Master
  Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles.
  I will be waiting for your valuable comments.
  Regards,
  Muhammad Daud

  Here I want to know the best practice
  and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
  There is a good article I would like to share with you:http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
  For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
  In case if
  Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
  No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
  There is two approaches that can be followed when an FSMO roles holder is down:
  If the DC can be recovered quickly then I would recommend taking no action
  If the DC will be down for a long time or cannot be recovered then I would recommend that you size FSMO roles and do a metadata cleanup
  Attention! For (2) the old FSMO holder should never be up and online again if the FSMO roles were sized. Otherwise, your AD may be facing huge impacts and side effects.
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Windows Domain Controller certificate for non domain clients

  Hi,
  Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
  Regards

  Hi,
  Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
  Not sure that what you want to achieve here.
  However, yes, it is possible to export certificates (with private keys) from domain machines then import them to non-domain machines, and some certificates can even function well based on key usages. Please note that Domain Controller certificates are only
  meaningful to Domain Controllers. Possession of domain certificates doesn’t indicate machines are part of domain.
  Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Parallels Desktop and Windows Domain

  Ive installed Parallels 3 onto my MacBook and am now using Windows XP Pro.
  Ive tried to join my Windows OS to my domain on our Windows 2003 Server but the computer cannot find the domain. I think its something to do with the network connection with the Mac preventing the outward connection.
  Anyone know how to use a Windows Domain through Parallels 3?
  PLease help

  I would suggest changing the network settings in parallels so that your virtual host is getting an IP address straight from your companies DHCP server.
  Dont use shared networking but bridged networking.

• Unable to log onto domain controller with user account

  Hi,
  I am able to log onto my DC as domain admin. I cannot log on as myself. I do not see what I am missing in the GPO to make this happen? I am part of a server admin group and would like the server admin group to be able to log on to the domain controller to
  maintain the server. 
  Any suggestions?
  Wave~Chaser

  Log on to this DC and run rsop.msc and check the following policies:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
  Add your self to Allow log on locally
  (in default domain controller policy - as I mentioned above) and make sure your user account not belong to any group that have Deny log on locally.
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

• Windows Domain Controller dies, how to replace it?

  Hi all,
  I am new to these forums so sorry if I am posting in the wrong category.
  Our Server 2003 domain controller HDD gave up recently and unfortunately we had no backup of the same. We have now installed Server 2008 R2 and want to set it up as a domain controller. Do we need to enter all the usernames, passwords and computer names
  for all accounts in the network and then deploy it? Or what other way do we have of setting it up?
  Thanks in advance!
  Chintan

  Our Server 2003 domain controller HDD gave up recently and unfortunately we had no backup of the same. We have now installed Server 2008 R2 and want to set it up as a domain controller. Do we need to enter all the usernames, passwords and computer names
  for all accounts in the network and then deploy it? Or what other way do we have of setting it up?
  If this was the only DC in your environment and you have no backups, unfortunately you have to start from the beginning and create users, groups and re-join the computers to the domain.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?