Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?
Hi
I'm looking to implement ACS 5.2 using 802.1X, we have two seperate AD domains.
Now.. this is the tricky part...
A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
Can any expert please let me know if they think that this will be possible please??
Many thanks
Yes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
The question I have is which version of ACS are you using? If you are using ACS 5.x then you can setup and identity store sequence so if the user is not found you can move to the next store and this will prevent you from installing two certificates on every machine.
You can then setup an authorization rule for the seperate containers on where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the vlan based off that.
Thanks and I hope this helps!
Tarik Admani
Similar Messages
-
Lion Server 10.7.4 VPN service not using my Active Directory domain for authentication
I have Lion Server 10.7.4 setup on a Mac Mini and I have enabled the VPN service for both L2TP and PPTP. The Mac Mini is joined to my Windows Domain at a functional level of Server 2008 R2. I have set the authentication paths to point to my domain in Directory Utility.
What I would like to have happen is for my laptop to be able to VPN into my office network remotely using domain credentials and not local account credentials on the Mac Mini itself. This is a process I have done numerous times on Windows boxes, but for some reason the only way I can get the VPN to work on this instance of Lion Server 10.7.4 is by authenticating using local accounts only.
Does Lion Server 10.7.4 only authenticate VPN users based on it's local account schema? Or can it truly authenticate against an active directory domain?
Any suggestions or help is greatly appreciated. Thanks,Hi g-pirtle,
Yes, I had already done that a few days ago. I was able to add the desired AD group to the allowed users/groups for the VPN service. Thats exactly what is so weird about this...it allows me to search for and add an AD user or group to the list of allowed users/groups, but then when I actually try to use a domain account to authenticate to the VPN is just gives me the "cannot authenticate" error. Very strange.
I wondered if for some reason Apple is only allowing local accounts to be authenticated against. Sounds crazy, but I cannot for the life of me get this to work. I also wondered if Kerberizing the server would help, but when I go to join a Kerberos realm in Open Directory inside of Server Admin, it just has no realm listed in the drop down menu.
Other than that, all other aspects of the Mac Mini being joined to the AD domain seems to be good. I'm really stumped here...
Thanks again, -
Join acs express to active directory domain
i have a problem joining acs express active directory domain , both are reachable to each other in the same subnet & no firewalls between them , but when i test the connectivity it gives this error:
" required service unavailable. DNS is setup correctly , and the domain controller is reachable , however , one of the required services, such as ldap,kerberos, or global catalog service is not available. This issue may arise if there is a firewall between AD domain controller, and the ACS Express appliance"It is sounds like a bug CSCsw29387 Join AD domain, with one DC down fails. If the ACS Express is trying to join an AD domain in a multi domain controller environment and one of the domain controllers is down, the ACS Express will fail to join the domain.
-
Cisco ISE for 802.1x (EAP-TLS)
I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me into the right direction as to how I can achieve what i am seeking.
I will use Cisco 2900 series switches on the access layer and a few HP switches as well which supports 802.1x.
I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (Certificate Based). All the workstations on the domain needs to authenticate itself using the certificates issued to it by the Certificate Issuing Authority.
I have already managed to get the PKI working and have rolled out the certificates on all the workstations on the test environment. I can't seem to configure the Authentication portion on the ISE.
I request if someone can guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
My email: [email protected]
Cheers,
Krishil ReddyHello Mubashir,
Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
Configure the tx-period timer.
C3750X(config-if-range)#dot1x timeout tx-period 10 -
Cisco ISE: HotFix and Timers for 802.1x (EAP-TLS)
Hi,
I found the below Hot-Fix to be set;
http://blogs.technet.com/b/jeff_stokes/archive/2013/01/24/20-minute-delay-deploying-windows-7-on-802-1x-fix-it-here.aspx
Kindly let me know that what is the best time to be set on it. It tells 20 mintues. Also, i wanna know that what is the corresponding configuration needs on Switch and ISE to reflect it or doesn't need it.
Thanks,
Regards,
Mubasher SultanHello Mubashir,
Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
Configure the tx-period timer.
C3750X(config-if-range)#dot1x timeout tx-period 10 -
Connecting Mac to Active Directory Domain
I understand there is an AD Plug-in available? Where can I find this and is there a good article or can somebody point me in the right direction to having my powerbook join our corporate active directory domain for authentication.
Thanks in advance
MikeMac OS 10.4 supports active directory out of the box. Open up /Applications/Utilities/Directory Access and click active directory and configure. Enter the name of the forest and domain you want to join and your computer id then click bind. You will be prompted for an admin password to join the domain. When you have joined click OK to go back to Directory Access and click on authentication. Make sure /Actuve Directory/All Domains is listed. If not add it. You should now be able to log onto your machine with your AD user account.
-
I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain
is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.
I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it
is not available.
Help please!Hi,
As there is server 2012 DC (SERVER1) DC is operational in a domain then "This domain controller is the last controller for the domain" should be remain unchecked when you demote SERVER2 DC.
If you are getting error "Active Directory domain controllers for that domain can be contacted" while demoting SERVER2 DC then check the DNS pointing on both as per below article, disable windows firewall on all DC, less possiblities but worth to check if both
are different site then check the ports are open on firewall.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
run “ipconfig /flushdns & ipconfig /registerdns“, restart DNS server and NETLOGON service on each DC and try to demote server2 DC.
If issue reoccurs, post dcdiag /q result.
NOTE: If initial replication was completed between both DC (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
Active Directory Metadata Cleanup
http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights. -
Install software on multiple client computers in active directory domain win 2008 R2
We have a Windows Server 2008 R2 Active Directory Domain. We will be getting a few new Windows 7 computers that we will need to install all our proprietary software on, and don't want to have to install all programs, including windows
updates, individually, on each machine individually.
Is there a (as simple as possible) way to maybe create an image from a "master client computer" with all software, windows updates etc. and push out to the clients.
Also to create a boot disc with the image in case a hard drive fails and we have to replace it.
* It's not Windows we want to install here (unless we replace a hard drive) but for now, the clients already have windows 7, and we want to install antivirus, Adobe reader, windows updates, and our proprietary software.
ThanksIs there a (as simple as possible) way to maybe create an image from a "master client computer" with all software, windows updates etc. and push out to the clients.
Windows deployment services http://technet.microsoft.com/en-us/windowsserver/dd448616.aspx for an image
it's not Windows we want to install here (unless we replace a hard drive) but for now, the clients already have windows 7, and we want to install antivirus, Adobe reader, windows updates, and our proprietary software.
https://support.microsoft.com/kb/816102?wa=wsignin1.0 msi deployment via gpo - (can be restrictive) if not a script or psexec
for windows updates use WSUS -
Hi,
I was following the artigle (http://www.messageops.com/resources/office-365-documentation/ad-fs-with-office-365-step-by-step-guide/) but
when try to install the 'Office 365 PowerShell Module' shows a msg saying that 'windows azure active directory module for windows powershell is not supported by your version'.
And according to the blog (http://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/) "DirSync can be
installed on an existing domain controller"
>>>> Any help is appreciated.
* Similar issue: http://www.adaxes.com/forum/post7398.htmlOk Vasil tks for reply, but this server is 64x. I dont get the point.
Microsoft Windows [Version 6.0.6002]
C:\Users\Administrator>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Administrator\AppData\Roaming
CLIENTNAME=ANJOTEC_NOTE01
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
COMPUTERNAME=COMPANYBR-SERVER
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Administrator
lib=C:\Program Files\SQLXML 4.0\bin\
LOCALAPPDATA=C:\Users\Administrator\AppData\Local
LOGONSERVER=\\COMPANYBR-SERVER
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\ProgramData\Oracle\Java\javapath;C:\Program Files\HP\NCU;C:\Windows\sys
em32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\
1.0\;C:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\;C:\Program File
(x86)\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Serve
\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program F
les (x86)\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files (x86)\Microsoft SQ
Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files (x86)\Microsoft Vis
al Studio 8\Common7\IDE\PrivateAssemblies\;C:\Program Files (x86)\ExchangeMapi\
C:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x
6)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x86)\Common Files\Rox
o Shared\9.0\DLLShared\;C:\Program Files\Microsoft\Exchange Server\bin;C:\Progr
m Files\Microsoft\Exchange Server\Scripts
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 30 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1e05
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
RoxioCentral=C:\Program Files (x86)\Common Files\Roxio Shared\9.0\Roxio Central
3\
SESSIONNAME=RDP-Tcp#0
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Administrator\AppData\Local\Temp\2
TMP=C:\Users\Administrator\AppData\Local\Temp\2
USERDNSDOMAIN=COMPANYBR.LOCAL
USERDOMAIN=COMPANYBR
USERNAME=administrator
USERPROFILE=C:\Users\Administrator
windir=C:\Windows
C:\Users\Administrator> -
AFP only works for Active Directory "Domain Admins"
I have purchased a new XServe to add to our Active Directory domain as a member server. It all seems to work right except that only users in AD who are members of the "Domain Admins" group seem to function properly under AFP.
The Mac Clients can connect to our Windows boxes just fine and AD login's seem to work for loggin in any clients. I've created a shared volume on the XServe and when I try to access it via AFP with any user account that doesn't have Administrator rights I get "Invalid Login or Password" on the Mac Client.
Anyone got any ideas, this is driving me crazy.Post to the appropriate server forum or AD forum where people dealing with these products hang out.
-
Help with setting up active directory domain controller/DNS - need this for Clustering
Disclaimer: I am new to Active Directory, so please dont rule out the obvious things I may have overlooked.
I need to set up Active Directory Domain controller on at least one server so I can run clustering. I set up the domain controller and ran Cluster validation and that failed - unable to reach writable domain controller.
When I look at my server manager AD DS complain about DNS:
NASE-2012-234 4015 Error Microsoft-Windows-DNS-Server-Service DNS Server 1/14/2014 12:54:06 AM
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
When I click on DNS this is the error:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
Output of DCDiag -v is below.
PS C:\Users\Administrator> dcdiag -v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine NASE-2012-234, is a Directory Server.
Home Server = NASE-2012-234
* Connecting to directory service on server NASE-2012-234.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=
ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nas
e,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntD
SDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=NASE-2012-234,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=lab,DC=nase,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\NASE-2012-234
Starting test: Connectivity
* Active Directory LDAP Services Check
The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... NASE-2012-234 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\NASE-2012-234
Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : lab
Starting test: CheckSDRefDom
......................... lab passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... lab passed test CrossRefValidation
Running enterprise tests on : lab.nasecom
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
PDC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
Time Server Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
Preferred Time Server Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
KDC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
......................... lab.nase.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
provided.
......................... lab.nasecom passed test Intersite
PS C:\Users\Administrator>http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS is the forum for Directory Services questions. You might want to post your question there.
.:|:.:|:. tim -
Documentation on Active Directory Domain Rename for VMware
Aplogies if my questions are elementary. Just getting started with VMware.
We are looking to update our virtualized Active Directory domain name. I have the documentation for that, but want to make sure I have the list of articles needed to make sure the VMware is properly updated as well.
I found the following documents:
configure host to use active directory:
https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-63D22519-38CC-4A9F-AE85-97A53CB0948A.html
setting DNS configuration vmware
http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vcli.examples.doc%2Fcli_manage_networks.11.8.html
Is there anything else?
Which do I update first? The VMware info or the Active Directory.Hi David,
Based on my experience, you’d better pay attention to the following two points:
1. After you have completed the installation of Exchange 2010, you have to create an Accepted Domain of “uvwxyz.org”.
2. If you want to use Autodiscover, you need to configure the additional settings for “uvwxyz.org”. You could refer to the article below:
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety,
or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
If you have any further questions, please do not hesitate to post back.
Best regards,
Eric -
How to install Small Business Server 2008 in an existing Active Directory domain
It is shown on this page:
http://support.microsoft.com/kb/884453, "How to install Small Business Server 2003 in an existing Active Directory domain".
Is it possible to do this with SBS2008 ?
If "YES", are there any published information about the procedure ?Yes, it is. Thank you very much.
But there is something that confuses me - I want to migrate from Win2003Std to SBS2008. And also, I want to keep the existing Win2003Std as a second DC for a long time.
But it is written in the shown article:
... After the migration is finished, you must remove the Source Server from the network within 21 days. ...
Is this rule mandatory for the scenarios where the Source Server is Std, not SBS ? As I know, I can have more than one DC(Win2003Std/Win2008Std) together with SBS2003. But what about SBS2008 ? -
Hi everyone,
I've been banging my head against this for a while and hope someone can help me.
Running Windows Server 2008 R2 Standard with Service Pack 1.
When I try to add the Active Directory Domain Services role to the server it gets to about 90% complete and then dies.
The ServerManager.log shows the following information, I have run the System Readiness Tool - output below - with no errors found.
At a loss on what to do next. The only other links I've found suggest rebuilding the server which I would really like to avoid...
Help appreciated,
John
ServerManager.log (extract)
==========
name : Active Directory Domain Services
state : Changed
rank : 1
sync tech: CBS
guest[1] : Active Directory Domain Controller
guest[2] : Identity Management for UNIX
ant. : empty
pred. : empty
provider : null
name : Active Directory Domain Controller
state : Changed
rank : 4
sync tech: CBS
ant. : .NET Framework 3.5.1
pred. : Active Directory Domain Services, .NET Framework 3.5.1
provider : Provider
8720: 2012-01-18 10:54:41.853 [Sync] Calling sync provider of Active Directory Domain Controller ...
8720: 2012-01-18 10:54:41.853 [Provider] Sync:: guest: 'Active Directory Domain Controller', guest deleted?: False
8720: 2012-01-18 10:54:41.853 [Provider] Begin installation of 'Active Directory Domain Controller'...
8720: 2012-01-18 10:54:41.853 [Provider] Install: Guest: 'Active Directory Domain Controller', updateElement: 'DirectoryServices-DomainController'
8720: 2012-01-18 10:54:41.853 [Provider] Installation queued for 'Active Directory Domain Controller'.
8720: 2012-01-18 10:54:41.853 [CBS] installing 'DirectoryServices-DomainController ' ...
8720: 2012-01-18 10:54:42.399 [CBS] ...parents that will be auto-installed: 'NetFx3 '
8720: 2012-01-18 10:54:42.399 [CBS] ...default children to turn-off: 'WCF-HTTP-Activation '
8720: 2012-01-18 10:54:42.415 [CBS] ...current state of 'DirectoryServices-DomainController': p: Staged, a: Staged, s: UninstallRequested
8720: 2012-01-18 10:54:42.415 [CBS] ...setting state of 'DirectoryServices-DomainController' to 'InstallRequested'
8720: 2012-01-18 10:54:42.430 [CBS] ...current state of 'NetFx3': p: Installed, a: Installed, s: InstallRequested
8720: 2012-01-18 10:54:42.430 [CBS] ...skipping 'NetFx3' because it is already in the desired state.
8720: 2012-01-18 10:54:42.430 [CBS] ...current state of default child 'WCF-HTTP-Activation': p: Installed, a: Installed, s: InstallRequested
8720: 2012-01-18 10:54:42.430 [CBS] ...skipped child 'WCF-HTTP-Activation' because it is already installed
8720: 2012-01-18 10:54:42.461 [CBS] ...'DirectoryServices-DomainController' : applicability: Applicable
8720: 2012-01-18 10:54:42.461 [CBS] ...'NetFx3' : applicability: Applicable
8720: 2012-01-18 10:54:42.539 [CbsUIHandler] Initiate:
8720: 2012-01-18 10:54:42.539 [InstallationProgressPage] Installing...
8720: 2012-01-18 10:54:42.758 [InstallationProgressPage] Verifying installation...
8720: 2012-01-18 10:54:42.758 [InstallationProgressPage] Installing...
8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Error: -2147021879 :
8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Terminate:
8720: 2012-01-18 10:55:03.787 [InstallationProgressPage] Verifying installation...
8720: 2012-01-18 10:55:03.802 [CBS] ...done installing 'DirectoryServices-DomainController '. Status: -2147021879 (80070bc9)
8720: 2012-01-18 10:55:03.818 [Provider] Skipped configuration of 'Active Directory Domain Controller' because install operation failed.
8720: 2012-01-18 10:55:03.818 [Provider]
[STAT] ---- CBS Session Consolidation -----
[STAT] For
'Active Directory Domain Controller'[STAT] installation(s) took '21.9535541' second(s) total.
[STAT] Configuration(s) took '0.0007754' second(s) total.
[STAT] Total time: '21.9543295' second(s).
8720: 2012-01-18 10:55:03.818 [Provider] Error (Id=0) Sync Result - Success: False, RebootRequired: True, Id: 110
8720: 2012-01-18 10:55:03.818 [Provider] Error (Id=0) Sync Message - OperationKind: Install, MessageType: Error, MessageCode: -2147021879, Message: <null>, AdditionalMessage: The requested operation failed. A system reboot is required to roll back changes made
8720: 2012-01-18 10:55:03.818 [InstallationProgressPage] Sync operation completed
8720: 2012-01-18 10:55:03.818 [InstallationProgressPage] Performing post install/uninstall discovery...
8720: 2012-01-18 10:55:03.833 [Provider] C:\Windows\system32\ServerManager\Cache\CbsUpdateState.bin does not exist.
8720: 2012-01-18 10:55:03.833 [CBS] IsCacheStillGood: False.
8720: 2012-01-18 10:55:04.333 [CBS] >>>GetUpdateInfo--------------------------------------------------
8720: 2012-01-18 10:55:34.784 [CBS] Error (Id=0) Function: 'ReadUpdateInfo()->Update_GetInstallState' failed: 80070bc9 (-2147021879)
8720: 2012-01-18 10:55:34.784 [CBS] <<<GetUpdateInfo--------------------------------------------------
8720: 2012-01-18 10:55:34.815 [DISCOVERY] hr: -2147021879 -> reboot required.
8720: 2012-01-18 10:55:34.831 [InstallationProgressPage] About to load finish page...
8720: 2012-01-18 10:55:34.831 [InstallationFinishPage] Loading finish page
8720: 2012-01-18 10:55:34.831 [InstallationFinishPage] Finish page loaded
CheckSUR.log
=================================
Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 13.0
2012-01-18 10:33
Checking Windows Servicing Packages
Checking Package Manifests and Catalogs
Checking Package Watchlist
Checking Component Watchlist
Checking Packages
Checking Component Store
Summary:
Seconds executed: 220
No errors detectedHi John,
Thanks for posting.
Performed some research and some results say that this problem can be caused by HD Write Caching.
To disable Write Caching:
1. Go to Device Manager.
2.Click the plus sign (+) next to the Disk Drives branch to expand it.
3.Right-click the drive on which you want to enable or disable disk write caching, and then click Properties.
4.Click the Disk Properties tab.
5.Click to select or clear the Write Cache Enabled check box as appropriate.
6.Click OK.
If no luck, Please check if any erros can be found in Event log, Dcpromoui.Log and Dcpromo.log
The following articles maybe helpful to you:
Known Issues for Installing and Removing AD DS
http://technet.microsoft.com/en-us/library/cc754463(v=WS.10).aspx
You cannot install Active Directory Domain Services
http://support.microsoft.com/kb/975142
Thanks
ZHANG -
I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
"The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
ID: 2607"
What I've seen online is that this is usually becuase the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
1) My SCVMM service account is a local admin on the SCVMM server
2) My SCVMM service account is a dbowner on the SCVMM database in SQL
3) My SQL service account is a dbowner on the SCVMM database in SQL
4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
5) Neither service account is locked out
Has anyone run in to this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
Andrew ToppThat answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG
as suggested by 331951, and that made absolutely no difference.
1) My SCVMM service account is a local admin on the SCVMM server
2) My SCVMM service account is a dbowner on the SCVMM database in SQL
3) My SQL service account is a dbowner on the SCVMM database in SQL
4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still
"doesn't have access to AD DS," which is obviously untrue)
The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?
Maybe you are looking for
-
I really need some boot camp help...
-
Hi, I am doing XSLT Mapping. Scenario is file to file. From input file depending on some condition I need to place records in Target file. Target File structure is: Header_Record (1) Data_Record (1..*) Trailer_Record (1) In Trailer I need to place re
-
Problem in launching sunMC 4.0 Web console
Does anybody have problem in launching sunMC 4.0 web console from a browser? I have installed sunMC 4.0 on a Solaris 10 upgrade server. When I type the URL of the sunMC 4.0 server with the default port 8080 I gets the welcome page giving me two optio
-
I just installed boot camp. When I restart my computer it goes to windows thats it, it does not give me any other option of going back to my mac os x. help
-
I use XSLT to create XML documents to be opened in FrameMaker and converted to structured documents. I have one element (called SyntaxPara) in which I'd like multiple lines separated by forced returns, as indicated by "{" symbol in the document (or \