Active Directory Dynamic Ports clarification
Hi All,
Please enlighten me about my question:
Scenario:
We have a Windows server 2008R2 Standard edition running Active directory services in a windows server 2003 forest functional level
(we use 2003 FFL because some of our client computers were on XP and we're running MS dynamics)
Question:
Does the dynamic port setup will depend on the version of windows server solely or will it affect by the windows servers' forest functional level?
Sorry for this question, but I strongly knew that dynamic ports setup will depend on windows server version itself, but I just want to make it sure. :D
My reference:
http://blogs.technet.com/b/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx
Hiya,
it's based on the O/S and not related to domain architecture.
Basically it is the server that "decides" which RPC port range it will be using. As the article states, it has been changed for 2008 and up.
Similar Messages
-
Server 2012 restrict active directory dynamic ports
Hello,
Has anyone encountered issues with restricting the Active Directory dynamic ports for Netlogon and NTDS in Server 2012? I have followed the added the typical registry entries as described below but I still see my RDS gateway in the DMZ trying to communicate
to my internal DC over other ephemeral ports (49158). I have rebooted the DC after the registry changes and still no effect. Are the reg entries the same in 2012? Any help would be appreciated. Thank you
Registry key 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: 49152 (This value needs to be specified in decimal format)
Registry key 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: 49153 (This value needs to be specified in decimal format)
Eddie Espino | Secure Data Solutions | Miami, Florida | Microsoft PartnerHi,
There are at least two options that can be used to allow replication when there are network traffic filters (aka firewall) in the network, across two DCs:
1. Use registry keys on the DCs to force communication over specific ports
2. Use IPsec to restrict the traffic to two ports only (IP 50 and IP 51)
I tried to find some relevant documents, but could not find support for restricting the Active Directory dynamic ports for Netlogon and NTDS in Server 2012. You could refer to the following article, it may help you to solve your issues:
Restricting AD Replication Traffic between DCs to only a few ports
http://blogs.technet.com/b/luistog/archive/2012/05/08/restricting-ad-replication-traffic-between-dcs-to-only-a-few-ports.aspx
Regards,
Mandy Ye -
Active Directory RPC Ports - Server 2012 R2
Hi,
My networking team are looking to restrict the ports from clients to Domain Controllers.
They have opened the following ports:
TCP and UDP 389
TCP 636
TCP 3268
TCP 3269
TCP and UDP 88
TCP and UDP 53
TCP and UDP 445
UDP 123
TCP and UDP 464
UDP 138
TCP 9389
UDP 137
TCP 139
TCP/UDP 49152 - 65535
The question is do we need all of the TCP/UDP RPC Ports (49152 - 65535)? We are running Exchange and Lync. I have found articles (http://support.microsoft.com/kb/224196) which suggest I can use a static port but am concerned what impact this will have on
services.
Any help greatly appreciated.No you do not need all the high ports open and you can restrict them and be perfectly fine.
We restrict our high ports to a range of 50,000-51,000
This is the article we use below:
http://support.microsoft.com/kb/300083
Obviously you can't click on Start in 2012 so if you move the mouse to the lower right and then click search you can search and find Component Services. You can also find it in the Administrative Tools.
Hope this helps!
If it answered your question, remember to “Mark as Answer”.
If you found this post helpful, please “Vote as Helpful”.
Postings are provided “AS IS” with no warranties, and confers no rights.
Active Directory: Ultimate Reading Collection -
Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)
hi ,
i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&2', &3);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&4', &5);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
-- SSL bind
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&6', &7);
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&8', '&9', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&10', &11);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&12', '&13', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&16', &17);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&18', &19);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&20', &21);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&22', '&23', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&24', &25);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&26', '&27', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&29', &30);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&31', &32);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&33', &34);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&35', '&36', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&37', &38);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&43', &44);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&45', &46);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&47', &48);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&49', '&50', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&51', &52);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&53', '&54', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z $ORACLE_HOME ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 0
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONEHi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
If -
Tips on enabling SSL in Active Directory!!!
Finally I can connect to my Active Directory through SSL connection. I don't know what is wrong with my previous settings because I reinstall the server from scratch. Below is the steps I took:
1. Install Windows 2000 Advanced Server + SP4
2. Install Windows 2000 High Encryption Pack (128-Bits SSL)
3. Install Active Directory Service together with MS DNS Server and Enterprise Certificate Authority Service.
4. Install Windows 2000 Support Tools from Windows 2000 installation CD.
5. Launch ldp.exe and connect to local Active Directory on port 636.
6. It should display the rootDSE content if SSL is working properly.
7. Go to C: drive and get the root CA certificate in root directory. It should be named xxx.crt.
8. Import the certificate into ${JAVA.HOME}/lib/security/cacerts file.
9. Right now everything should be OK.
What surprised me is I didn't follow several 'important' steps suggested by both Microsoft and some other developers in this forum. They are:
1. Open the Domain Controller Policy using the Group Policy Editor.
2. Under Computer Configuration , click Windows Settings .
3. Click Security Settings , and then click Public Key Policies.
4. Click Automatic Certificate Request Settings .
5. Use the wizard to add a policy for Domain Controllers.
I double checked that I didn't enable Automatic Certificate Request Settings. But somehow SSL works. Can somebody explain why?
Regards,
WenBinI am glad that you can benefit from the tips.
Regarding to you question, the answer is like this:
1. A user named David logon
2. You generate the userPrincipal for him - [email protected]
3. Bind to ADS with this userPrincipal and the password he typed in
4. If succeeds, search user container with sAMAccountName=David and meanwhile request any attributes you want. Please refer to JNDI tutorial on how to search LDAP directory and get back some other attributes at the same time.
Hope this help you.
Regards,
WenBin -
Snow Leopard and Windows 2003 Active Directory Binding Issues
Ok I have a new imac 27" with snow leopard (completely patched).
I am attempting to join it to an active directory domain.
First the prequel:
* I have opened full traffic to and from the machine and our domain controllers
* I have enabled full logging on the firewall and there are no blocked packets
* I have used wireshark to watch the traffic on the mac and there appear to be no anomalies (packets being sent out but not getting a response, dns requests that aren't answered, etc)
* I have enabled full KDC logging on the domain controller in question and there are no errors in any of the event logs on either domain controller.
* The domain admin account in question has Enterprise, Schema and Domain Admin rights
* I have tried it both with and without an existing computer account and with every conceivable combination of caps and no caps on domain name, user and computer names.
I am getting the following error at the very end of the process:
"Unable to add server. Credential operation failed because an invalid parameter was provided (5102)"
I enabled debugging on Directory Services and will post a log in a reply.
Anyone have any ideas? I have been banging my head on this for a week with no luck.Here is the log with the Active Directory: entries grepped... the full log is far too large to reply to here, if you think you need it let me know and I can email it to you it is 548kb
obviously machine names, usernames and ip addresses have been munged.
2011-02-09 12:13:32 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:36 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:41 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:46 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Attempting Replica connect to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: CheckWithSelect - good socket to host dc3.subdomain.domain.tld. from poll and verified LDAP
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Established connection to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:vyvyIt4
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:vyvyIt4
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Processing Site Search with found IP
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: No site name available
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating Mappings from inSchema.........
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated schema for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=subdomain,DC=domain,DC=tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Top domain set as <cn=subdomain,cn=partitions,cn=configuration,dc=subdomain,dc=domain,dc=tld>
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating domain hierarchy cache
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating policies from domain subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated policies for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing Computer search for Ethernet address - 10:9a:dd:56:1b:1d
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Looking for existing Record of machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Existing record found @ CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld with [email protected].
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Schtldled computer password change every 1209600 seconds - starting 2011-02-09 12:13:50 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:51 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
Message was edited by: aelana -
Replication Active Directory, ports issues in firewall
Hi,
i am facing some issue in active directory replication between my Active Directory User Database located in two different locations.
I am not doing any Port based ACL in the firewall, and there is no static / dynamic NAT-ng used between the server ip ranges (nat 0).
1) what could be the possible issue in this?2) do i need to issue any command in the FWSM Module to make use / open the dynamic ports ?3) How can i make sure that these ports are not opend or not blocked on the firewall.
below are some of the ports used for this, based on the information from Microsoft Team.
tcp 5389
tcp 5722
tcp 5729
tcp3268
tcp 3269
tcp 445
udp 445
udp 88
udp 2535
udp 389
tcp 1025 - 5000
tcp 44152 - 65535
Appreciate your valuable support.
regards
SunnyHi Bro
If you’re not doing any port based ACL in your FWSM, I can only assume you’re permitting the rules between both the AD by IP e.g. access-list inside permit ip host 1.1.1.1 host 2.2.2.2, am I right? I hope you can PING between both the AD, otherwise this could be a routing issue.
Listed below are some commands that you could type to investigate this issue further;
a) show np block (hardware buffer counters) - if they are non-zero and increasing it's bad. You're most likely running into hardware limitation of the FWSM.
b) show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate limiting mechanisms built into network processors.
Perhaps, what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
hostname(config)#xlate-bypass
If the xlate-bypass doesn’t resolve your issue, please do ensure you’ve a static NAT or dedicated nat/global in place.
The last resort is to enable sysoption np completion-unit, this magic option is invoking special processing created to address scenarios in which FWSM was known to introduce out of order packets for TCP streams. -
Active Directory client not dynamically updating DNS
Hi,
There has been some other issues mentioned on other threads regarding the Active Directory Plugin within Lion, it does appear to be flaky.
I just wanted to make sure that the issue I'm having is not down to a mis-config by myself.
We have several Macs running 10.7.1 and are bound into Active directory (Windows 2008 r2) however, it appears that the DNS records for these machines are not being dynamically created within AD. (All Zones are AD intergrated) All 10.6.x clients seem to work fine and records are created and updated dynamically as IPs change etc.
Is anybody else having this issue? If not, any ideas why this is happening?
Thanks in advance.Hi!
I'm having exactly the same problem and nobody seems to have an answer.
Regarding the reply you got, this has nothing to do with Lion Server. We're talking about Lion clients bound to an AD (Windows Server 2008 R2, in my case) not dynamically registering their DNS entries.
I also noticed that the DHCP entries for those clients are missing the "Name" property, which is already symptomatic of something going wrong.
Anyone? -
Creating group dynamically in active directory depending on their role
Hi,
I have sycn oid and active directory using directory integration platform. Now the scenario is We have one system says hr system which take care of entering all the user information. Once it submit that information it goes to oid. Now we want that when we import all that user from oid to active directory it didn't duplicate any user as well as depending on their role it should create groups dynamically in active directory. For e.g: If user belong to Trainee category or manager category it must create Trainee group & Manager group & respective person should go into that group. I don't know whether my question is placed in right group or not. I am using filter to do this task but not able to write proper condition in "source matching filter" and "destination matching rule". Any help will be appreciated.
Thanks,
Sonya SharmaThanks Tamim. To clear your thought, i will explain again. I have sync oid and active directory through Directory integration platform. I have created user in oid.(cn=users,dc=mycompany,dc=com). It get sync in active directory properly. Now i have created two group in active directory say for e.g Trainees and Manager. There is a field name position in oid which is a custom attribute. When i fill the information of user in oid, I have to fill "Position" attribute also. So my question is that, if i fill Trainee as a value in Position attribute and click on submit it should go in Trainee Group In active directory and not in user group. Same for manager. How can we achieve this? Can we do it through filter? Or any other way? It's needed desperately. Please help me in resolving this issue.
Regards,
Sunil -
Hi My self Arun in my current project i have a task on that active directory user need to automatically populate in share point list drop down please help me. is that any out of box feature in share point 2010 ?
Thanking You
ArunArun,
If you plan to implement the "Querying the Active Directory" based on my code snippet,
and if you do not have permission [your account must be the part of domain admin] to do so,
Then still you can do it in least effort through code,
string usersInXml = SPContext.Current.Web.AllUsers.Xml;your xml string look like this.
<Users><User ID="2" Sid="" Name="Administrator"
LoginName="i:0#.w|murugesan\administrator" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1" Sid="" Name="Murugesa Pandian" LoginName="i:0#.w|murugesan\murugesan" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1073741823" Sid="S-1-0-0" Name="System Account" LoginName="SHAREPOINT\system" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0" /></Users>
You can user Linq to XML to filter the "LoginName,Name and Email and then populate your drop down list.
* User must be logged into the site at least once.
Murugesa Pandian.,MCTS|App.Devleopment|Configure -
Active Directory not replicating from SBS 2003 to Server 2008 R2 Standard
I have an old SBS 2003 server and am migrating to a 2008 R2 server. I followed this guide:
http://demazter.wordpress.com/2010/04/29/migrate-small-business-server-2003-to-exchange-2010-and-windows-2008-r2/
I followed the guide (except the exchange stuff, because they are moving from exchange to Google apps for business) and everything went fine.
I removed the sbs from Domain controller status (dcpromo'ed it out) and everything seemed to go fine. I haven't turned off the old server yet, because they are still using it for a couple of other unrelated applications.
After I did this I added new computers to active directory, but they only showed up on the active directory on the old sbs (I think something went wrong when I too the old sbs out of domain controller status).
I ran dcdiag on the new server and this is the result:
Time Generated: 01/10/2014 14:57:56
Event String:
The SiSRaid4 service failed to start due to the following error:
An error event occurred. EventID: 0xC0001B58
Time Generated: 01/10/2014 14:57:56
Event String:
The stexstor service failed to start due to the following error:
An error event occurred. EventID: 0xC0001B58
Time Generated: 01/10/2014 14:57:56
Event String:
The vhdmp service failed to start due to the following error:
An error event occurred. EventID: 0xC0001B58
Time Generated: 01/10/2014 14:57:56
Event String:
The vsmraid service failed to start due to the following error:
A warning event occurred. EventID: 0x8000001D
Time Generated: 01/10/2014 14:58:00
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate
to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
or enroll for a new KDC certificate.
An error event occurred. EventID: 0x0000164A
Time Generated: 01/10/2014 14:58:20
Event String:
The Netlogon service could not create server share C:\Windows\SYSVOL
\sysvol\PIIKANIPW.local\SCRIPTS. The following error occurred:
An error event occurred. EventID: 0xC0001B58
Time Generated: 01/10/2014 14:58:21
Event String:
The Qntm3520 service failed to start due to the following error:
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 14:58:36
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
A warning event occurred. EventID: 0x00002724
Time Generated: 01/10/2014 14:58:40
Event String:
This computer has at least one dynamically assigned IPv6 address.For
reliable DHCPv6 server operation, you should use only static IPv6 addresses.
A warning event occurred. EventID: 0x800013B8
Time Generated: 01/10/2014 14:58:49
Event String:
The application '/tmsWebAgent' belonging to site '1' has an invalid
AppPoolId 'Classic .NET AppPool' set. Therefore, the application will be ignore
d.
A warning event occurred. EventID: 0x80003BC4
Time Generated: 01/10/2014 15:01:53
Event String:
SSL Certificate Settings deleted for Port : 0.0.0.0:50106 .
A warning event occurred. EventID: 0x80003BC5
Time Generated: 01/10/2014 15:01:53
Event String:
SSL Certificate Settings created by an admin process for Port : 0.0.
0.0:50106 .
An error event occurred. EventID: 0xC0001B7A
Time Generated: 01/10/2014 15:01:59
Event String:
The TMS Print Agent service terminated unexpectedly. It has done th
is 1 time(s).
A warning event occurred. EventID: 0x0000000C
Time Generated: 01/10/2014 15:02:00
Event String:
Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
An error event occurred. EventID: 0x0000165B
Time Generated: 01/10/2014 15:02:34
Event String:
The session setup from computer 'PK-PC1' failed because the se
curity database does not contain a trust account 'PK-PC1$' referenced by t
he specified computer.
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:03:37
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
A warning event occurred. EventID: 0x000727AA
Time Generated: 01/10/2014 15:04:01
Event String:
The WinRM service failed to create the following SPNs: WSMAN/PKDC01.
PIIKANIPW.local; WSMAN/PKDC01.
A warning event occurred. EventID: 0x80003BC4
Time Generated: 01/10/2014 15:06:54
Event String:
SSL Certificate Settings deleted for Port : 0.0.0.0:50106 .
A warning event occurred. EventID: 0x80003BC5
Time Generated: 01/10/2014 15:06:54
Event String:
SSL Certificate Settings created by an admin process for Port : 0.0.
0.0:50106 .
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:08:37
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x000016AD
Time Generated: 01/10/2014 15:13:21
Event String:
The session setup from the computer PK-PC1 failed to authentic
ate. The following error occurred:
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:13:38
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:18:39
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:20:28
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000457
Time Generated: 01/10/2014 15:20:33
Event String:
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:23:39
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:28:40
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:33:41
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/10/2014 15:38:41
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved.
......................... PKDC01 failed test SystemLog
Starting test: VerifyReferences
......................... PKDC01 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : PIIKANIPW
Starting test: CheckSDRefDom
......................... PIIKANIPW passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... PIIKANIPW passed test CrossRefValidation
Running enterprise tests on : PIIKANIPW.local
Starting test: LocatorCheck
......................... PIIKANIPW.local passed test LocatorCheck
Starting test: Intersite
......................... PIIKANIPW.local passed test Intersite
I also noticed that the SYSvol share on the new server is empty and the NETLOGON share doesn't exist.
Please help! Thanks.Hi,
Do you currently have any relevant errors in your System or Application logs?
Seems like the replication is not successfully.
An SBS server shouldn't shut down upon detecting the existence of another DC as that's a fully supported scenario.
Regards.
Vivian Wang -
Have a very recent Lenovo Ideapad Laptop running Windows 8.1. Connected via USB port to HP LaserJet Pro CM1415 frw Color MFP Printer. Was able to print fine nearly 2 weeks ago, but something recently happened - either a new windows or office 2013 update
or perhaps I blew away a certain file by mistake. I can see the printer installed but cannot print to it from anything (Word, Notepad, IE, Firefox etc.). The one thing to note is that usually when I plug or unplug a USB related device, Windows 8.1 recognizes
this and makes a certain chime noise, but with the printer USB cable it never makes that noise - making me think that it never fully recognizes the printer. Also when I select the printer (from within the control panel) and right click for properties (via
admin rights) It never lets me fully connect to it.
I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc. Its really annoying because this printer was working fine nearly 2
weeks ago. Looking for any advice now. Thanks.
-ChrisHi Chris,
à
I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc.
I noticed that you had reinstalled the printer. Just a confirmation, when un-install this printer, please check
if this printer still exist in registry. For more details, please refer to following KB.
Registry entries for printing
If printer entry still exist in registry, please delete that printer entry and re-install this printer again,
then check if this issue still exists. (Please backup registry entries before operating registry. It will help us to avoid unexpected issue.)
àand now see
message Active Directory Domain Services is not available
By the way, would you please let me know where/when get this
Active Directory Domain Services is not available error message? Or provide a screenshot of it?
(Please hide all protected or private information) Please check if all services are running correctly on the computer. Meanwhile, please refer to following article and check if can help you.
Printer
Problem: Active Directory Domain Services is currently unavailable – Why does windows say no printers are installed?
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
does not guarantee the accuracy of this information.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
Active Directory, single sign-on and SRM Users
We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
- My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
- Single sign-on will not at this point be used for our SAP ECC 6.0 system
My questions are:
1. If active directory is being used do we need to create actual users within the SRM system?
2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
Many ThanksHi Claire,
The Single Sign On work only if user exist on every systemes.
For example :
If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
For Active Directory you can synchronize your user table to AD by using LDAP option.
The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
Finally use the SSO certificate between Portal ECC and SRM.
Regards,
Gilles SEBBAG
Sap Technical Consultant. -
How do I get info from Active Directory and use it in my web-applications?
I borrowed a nice piece of code for JNDI hits against Active Directory from this website: http://www.sbfsbo.com/mike/JndiTutorial/
I have altered it and am trying to use it to retrieve info from our Active Directory Server.
I altered it to point to my domain, and I want to retrieve a person's full name(CN), e-mail address and their work location.
I've looked at lots of examples, I've tried lots of things, but I'm really missing something. I'm new to Java, new to JNDI, new to LDAP, new to AD and new to Tomcat. Any help would be so appreciated.
Thanks,
To show you the code, and the error message, I've changed the actual names I used for connection.
What am I not coding right? I get an error message like this:
javax.naming.NameNotFoundException[LDAP error code 32 - 0000208D: nameErr DSID:03101c9 problem 2001 (no Object), data 0,best match of DC=mycomp, DC=isd, remaining name dc=mycomp, dc=isd
[code]
import java.util.Hashtable;
import java.util.Enumeration;
import javax.naming.*;
import javax.naming.directory.*;
public class JNDISearch2 {
// initial context implementation
public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
public static String MY_HOST = "ldap://99.999.9.9:389/dc=mycomp,dc=isd";
public static String MGR_DN = "CN=connectionID,OU=CO,dc=mycomp,dc=isd";
public static String MGR_PW = "connectionPassword";
public static String MY_SEARCHBASE = "dc=mycomp,dc=isd";
public static String MY_FILTER =
"(&(objectClass=user)(sAMAccountName=usersignonname))";
// Specify which attributes we are looking for
public static String MY_ATTRS[] =
{ "cn", "telephoneNumber", "postalAddress", "mail" };
public static void main(String args[]) {
try { //----------------------------------------------------------
// Binding
// Hashtable for environmental information
Hashtable env = new Hashtable();
// Specify which class to use for our JNDI Provider
env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
// Specify the host and port to use for directory service
env.put(Context.PROVIDER_URL, MY_HOST);
// Security Information
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
env.put(Context.SECURITY_CREDENTIALS, MGR_PW);
// Get a reference toa directory context
DirContext ctx = new InitialDirContext(env);
// Begin search
// Specify the scope of the search
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
// Perform the actual search
// We give it a searchbase, a filter and the constraints
// containing the scope of the search
NamingEnumeration results = ctx.search(MY_SEARCHBASE, MY_FILTER, constraints);
// Now step through the search results
while (results != null && results.hasMore()) {
SearchResult sr = (SearchResult) results.next();
String dn = sr.getName() + ", " + MY_SEARCHBASE;
System.out.println("Distinguished Name is " + dn);
// Code for displaying attribute list
Attributes ar = ctx.getAttributes(dn, MY_ATTRS);
if (ar == null)
// Has no attributes
System.out.println("Entry " + dn);
System.out.println(" has none of the specified attributes\n");
else // Has some attributes
// Determine the attributes in this record.
for (int i = 0; i < MY_ATTRS.length; i++) {
Attribute attr = ar.get(MY_ATTRS);
if (attr != null) {
System.out.println(MY_ATTRS[i] + ":");
// Gather all values for the specified attribute.
for (Enumeration vals = attr.getAll(); vals.hasMoreElements();) {
System.out.println("\t" + vals.nextElement());
// System.out.println ("\n");
// End search
} // end try
catch (Exception e) {
e.printStackTrace();
System.exit(1);
My JNDIRealm in Tomcat which actually does the initial authentication looks like this:(again, for security purposes, I've changed the access names and passwords, etc.)
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://99.999.9.9:389"
connectionName="CN=connectionId,OU=CO,dc=mycomp,dc=isd"
connectionPassword="connectionPassword"
referrals="follow"
userBase="dc=mycomp,dc=isd"
userSearch="(&(sAMAccountName={0})(objectClass=user))"
userSubtree="true"
roleBase="dc=mycomp, dc=isd"
roleSearch="(uniqueMember={0})"
rolename="cn"
/>
I'd be so grateful for any help.
Any suggestions about using the data from Active directory in web-application.
Thanks.
R.VaughnBy this time you probably have already solved this, but I think the problem is that the Search Base is relative to the attachment point specified with the PROVIDER_URL. Since you already specified "DC=mycomp,DC=isd" in that location, you merely want to set the search base to "". The error message is trying to tell you that it could only find half of the "DC=mycomp, DC=isd, DC=mycomp, DC=isd" that you specified for the search base.
Hope that helps someone.
Ken Gartner
Quadrasis, Inc (We Unify Security, www -dot- quadrasis -dot- com) -
How do i use an active directory group for vpn and not all user
hi all,
i have an asa 5515x...
how do i use a particular group in active directory to have vpn/anyconnect access? right now i believe it's for all user on my current config,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
!integrate with active directory
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
ldap-base-dn dc=company,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password 12345678
ldap-login-dn cn=administrator,cn=Users,dc=company,dc=com
server-type auto-detect
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
say i want this "vpn-group" object group in AD and my vpn is only anyconnect and no other vpn types.
thanks for any comment you may add.The best way is to use Dynamic Access Policies (DAP). Cisco has a white paper (here) that shows how one can choose the LDAP group as one of the DAP criteria.
DAP requires the Advanced Endpoint Assessment feature, so your licensing must support that.
Maybe you are looking for
-
NTSC to PAL Compression for DVD Studio Pro
I am trying to make PAL MPEG2s using Compressor. My videos are roughly 15 minutes long (I have 6 going onto one DVD). I altered one of the Presets to PAL, 16x9, one pass VBR, 4.5 to 7 data rate, best for the motion setting. And I get the typical odd
-
Hi All, We have implemented oracle Warehouse Management and using Bar code functionality to read Item ID. We are suing LXE MX-9 Device to read barcode. Steps we performed to test if its working or not 1.Took one Item ID from database . 2.Downloaded d
-
Enter number of copies to print of a form as a variable
I would like to be able to print a variable number of copies of a form by using a data field to hold the number of copies for each form such as an invoice. In other words, I'd like to print 3 copies of some invoices, 4 copies of some invoices, 2 cop
-
Windows 7 PC Blue Screen: STOP 0x000000F4
0x000000F4 (0x0000000000000003, 0xFFFFFA800B8D7B30, 0XFFFFFA800B8D7E10, 0XFFFFF8000337D270) Sometimes bios won´t detect my SSD drive (Windows is installed here). Happens every time i start my laptop. Here is a link to my dump file: http://1drv.ms/1o0
-
Getting error when trying to download update for flash player with OSX 10.91
Trying everything to download update for Adobe Flash Player. This is maddening. I have tried uninstalling previous player and re-installing and checked my preferences. Can any one give me some instructions that are easy to understand. I keep getting