Active directory migration , profile migration using admt

Similar Messages

• Restore Active Directory on Server 2008 using NTDS.DIT file

  hello
  I have NTDS.DIT file with me and want to restore it on same hardware with same host name and IP
  Please help

  Hi Rochak,
  You have only the NTDS.DIT file? 
  No its not possible to restore the AD only using NTDS.DIT. You need to have the System state backup.  
  System state backup and restore operations include all system state data: you cannot choose to backup or restore individual components
  due to dependencies among the system state components. However, you can restore system state data to an alternate location in which only the registry files, Sysvol directory files, and system boot files are restored. The Active Directory database, Certificate
  Services database, and Component Services Class Registration database are not restored to the alternate location.
  http://technet.microsoft.com/en-us/library/cc938537.aspx
  Regards,
  Rafic
  If you found this post helpful, please give it a "Helpful" vote.
  If it answered your question, remember to mark it as an "Answer".
  This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

• Adding a listener to Active directory for user creation using Java

  Hi,
  I would like to add a listener to active directory such that when a user is created to the "Users" container, I should be notified or informed. I would like to do this with Java. What should I do ?
  Regards,
  Anand Kumar D

  You should add a NamingListener or a NamespaceChangedListener.

• Lync 2013 & Active Directory Intra Domain Migrations

  Hi all,
  Hopefully this is the correction forum to ask.  Suppose the following scenario
  Parent Domain containing Lync 2013 Servers
  Child domains consisting of user accounts
  It is intended that child domains containing Lync 2013 enabled users be migrated to the parent domain. 
  A few questions
  Is it possible to migrate user accounts to another domain and configure the migrated (technically new) account to link back to Lync so as to retain contact information?
  Or prior to migration have contacts exported so they can be imported into the new Lync 2013 accounts?
  Thanks,

  Within a single forest it quite possible to have Lync installed in one domain and User a part of another domain 
  All we have to do during the Lync server install process run the domain prepaerationn wizard for all the domain weher we shall either have Lync user object or Lync server object 
  Please refer http://technet.microsoft.com/en-us/library/gg398630.aspx
  I believe As long as the user SIP URI Doesn't change you can export the user data information and after the migration if you can import in user information 
  Please refer http://technet.microsoft.com/en-us/library/jj204897.aspx
  PLEASE REMEMBER, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answered"

• Effictive Permissions not showing up for security groups after interforest migrations using ADMT

  Hi there,
  I"m trying to fix an issue with the effective permission, below is the description
  Two separate forests exist with respective domains DomainA and DomainB.
  A two-way trust has been established between these two domains.
  I migrate a user (using ADMT) from DomainA to DomainB.
  After migration the user account in DomainB has access to the same shares and folders on file servers in DomainA as it did with the user's account in DomainA.
  when i checked the effective permission of the migrated security group it does not show up any tick mark on the permissions. but still end users are able to access the resource on file server
  Thanks in advance for any advice you may have to offer.
  -Vijay

  Hi,
  After the user migration, did you finish the Security Translation?
  http://social.technet.microsoft.com/wiki/contents/articles/16621.interforest-migration-with-admt-3-2-part-3.aspx#Group_Account_Migration
  Regards.
  Vivian Wang

• Using Groups in SharePoint from Active Directory

  Hello,
  Is it possible to use groups in SharePoint from AD?
  I have several groups in AD that I would like to use in SP. Of course SP has its own set up groups in permission (Owner, Member and Visitor). I do not want to use these groups. What I would like to do is use groups that are in my AD and assign those the
  designer, contributor, read-only..etc permission.
  For example, SP people picker finds my AD group called "Finance_Project" and assign this group with permission rights as a contributor.
  Is this doable in SharePoint. I would think since SharePoint can be authenticated with AD, you should be able to use your own AD groups.
  Any suggestions, articles and answers are greatly appreciated.
  artisticweb

  You can do this in SharePoint. are you importing the AD groups via UPA?
  Creating a SharePoint group and adding an Active Directory group to its members…this allows anyone in the Active Directory group to participate in the SharePoint group
  Mapping roles directly to Active Directory groups and not using SharePoint groups at all.
  here is couple of article which will explain your choices one over to other
  Assign permission levels in SharePoint 2013
  Using Active Directory Vs. SharePoint Groups
  http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

• Apply OID search filter for Active Directory Export Sync Profile

  - currenlty we have active directory export profile working successfully
  - the filter we apply at OID side is SynchronizeToAD!=OID
  that means synchronize all ldap data that has a attribute value other than "OID"
  - This works very well
  Problem:
  - We now need to make the export sync work based on a different condition. The condition being....
  SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
  - The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
  Question:
  1) Need a way to control synchronization based on attribute value.
  2) So far tried the below filter value with out success
  2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
  2b) SynchronizeToAD=AD3
  - In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
  Please provide us with valid search filter to accomplish the above.
  The OID profile attribute that we are trying to set is odip.profile.oidfilter

  - currenlty we have active directory export profile working successfully
  - the filter we apply at OID side is SynchronizeToAD!=OID
  that means synchronize all ldap data that has a attribute value other than "OID"
  - This works very well
  Problem:
  - We now need to make the export sync work based on a different condition. The condition being....
  SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
  - The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
  Question:
  1) Need a way to control synchronization based on attribute value.
  2) So far tried the below filter value with out success
  2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
  2b) SynchronizeToAD=AD3
  - In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
  Please provide us with valid search filter to accomplish the above.
  The OID profile attribute that we are trying to set is odip.profile.oidfilter

• How to authenticate Username and password in MVC using Azure Active Directory

  Need a sample application where in need to authenticate user entered logindetails using Azure Active directory.

  Hi,
  Kindly go through beneath article which helpful to understand the procedure.
  How to Authenticate Web Users with Azure Active Directory Access Control
  http://azure.microsoft.com/en-in/documentation/articles/active-directory-dotnet-how-to-use-access-control/
  Developing ASP.NET Apps with Windows Azure Active Directory
  http://www.asp.net/identity/overview/getting-started/developing-aspnet-apps-with-windows-azure-active-directory
  Adding Sign-On to Your Web Application Using Azure AD
  https://msdn.microsoft.com/en-us/library/azure/dn151790.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• How to set up authentication against Active Directory using custom account

  Hi All,
  Our development BPC server (version 7.0.112, MSSQL Server 2005) was installed using a local user in domain X. It is a single-server installation (meaning all services were installed on that server). The dev server always has the latest data/users by restoring the production backup on the dev server. For testing purpose, I need to allow a user of domain X to log in and do a testing.
  Is there a way to configure the dev server to authenticate against an Active Directory in domain X using a special user in the domain X? If yes, how can I configure the dev server?
  Thanks.

  The installation user must be a domain user with rights to browse domain X.
  Otherwise you are not able to add users fom domain.
  In your case installation was done with a local user which means you willnot be able to use domain users.
  It can be an workaround if you will change the identity for 2 COM+ components to be a domain user instead to be that local user.
  Any way I don't advice you to do this. It will be better to reinstall the dev using a domain user.
  The COM+ which has to be changed are:
  OsoftAdminServer
  OsoftUserManage
  Attention domain user used must be added into administartor group of BPC server and also to have sys admin right to SQL Server.
  I hope this will help you.
  Regards
  Sorin Radulescu

• How to handle SQL connection if password Active directory always change? (Connection using Active directory via network SQL 2012 )

  I have 3 server (Web server, database sql 2012 server and Active directory). I'm using sqlsvr version 3.0,  PHP version 5.3 ,IIS version 7 and windows server 2008.
  Right now my php connection to SQL 2012 using AD id, so How to handle if password on active directory change?

  Solved : Using Kaberos

• SSO on WAS 6.20 (unix) using kerberos and Windows Active Directory (AD)

  Hi Gurus!!
  We are looking for the way to implement the Single Sign On in our R/3 Systems installed on unix of the Active Directory (obviously windows) users using Microsoft Kerberos.
  I'm not able to find a documentation about this arquitecture.
  Can somebody help me?
  Is any documentation related with this topic?
  Did Somwbody configure this kind of SSO?
  Thank you very much in advanced,
  Edorta Ramos

  Ramos,
  I should have made it clearer. When I referred to AS, I was referring to the SAP ABAP AS (e.g. application server). Of course the KDC (e.g. Microsoft Active Directory) has an AS service as well...
  yes, you can Kerberos enable (Kerberize) the SAP ABAP AS and SAP GUI using Kerberos libraries for Windows and AIX. As I mentioned already, since AIX is involved you should consider evaluating and buying SAP certified SNC libraries available from a SAP partner. Your first place to look is in SAP EcoHub (click link at top of this SDN forum to enter EcoHub) and search for SNC or Kerberos.
  You asked about gssapi library - as I have said a few times, there is no gssapi (e.g. SNC library) provided by SAP for UNIX or Linux, so if you are using AIX you need to look elsewhere (e.g. SAP partner) and the SAP partner will also provide the compatible/supported library for the Windows workstations as well so you get a complete solution from the vendor.
  Thanks,
  Tim

• OID and Active Directory

  1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
  2 Marshall data from Active Directory on demand (live link)?
  3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
  4 Can Oracle Single-Sing-on work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication).

  This is what I have to share with you....For further details refer link http://otn.oracle.com/products/oid/index.html and Oracle Internet Directory Administrator's Guide.
  1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
  For synchronizing from Microsoft Active Directory to Oracle Internet Directory, you need to track changes in Microsoft Active Directory and configure your Active directory connector giving its URL, user account and password to be used by the Active Directory connector, its DIT info on domain which contain the users/groups. And in the Active Directory synchronization profile you'll have to set the mapping rule.
  2 Marshall data from Active Directory on demand (live link)?
  Yes, its possible to migrate data between directories. Configure your Active Directory connector and External auth Plug-in. And use the Directory Integration and Provisioning Assistant.
  3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
  Yes, its possible. When a user tries to log in, the OracleAS Single Sign-On server tries to verify the credentials the user enters against those stored in Oracle Internet Directory. If the user credentials are not there, then the Oracle directory server invokes the Active Directory external authentication plug-in. This plug-in verifies the user credentials in Microsoft Windows. If the verification is successful, then the Oracle directory server notifies the OracleAS Single Sign-On accordingly.
  4 Can Oracle Single-Sing-on work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication).
  Oracle Application Server Single Sign-On enables native authentication, also called autologin, in a Microsoft Windows environment. Once logged into the Windows desktop, the user automatically has access to Oracle components. OracleAS Single Sign-On automatically logs the user into the Oracle environment using user's Kerberos credentials.

• Query related to UPN Suffix in Hierarchical domain architecture in Active Directory deployment

  This is regarding a query related to UPN Suffix in Hierarchical domain architecture in Active Directory deployment.
  We use LDAP query (filter uPNSuffixes=* for the parent domain DN) to retrieve the upn suffixes configured in the AD Domain. This returns the UpnSuffixes configured for the entire domain tree ( upnsuffixes of parent domain and all the child domains) in the
  hierarchy. The AD Domains and Trusts configuration lists all the upnsuffixes as part of the dnsroot domain. 
  For one of our implementation, we need to distinguish between the UPNsuffixes belonging to the parent and child domain and map the UPN suffixes with the respective domain in the hierarchy. As the upnsuffixes are stored as part of the root domain in the AD
  domains and trusts configuration, it was not clear how to retrieve the information specific to each domain in the hierarchy.
  It would be helpful if you could provide pointers on how to obtain the above mapping for the upn suffixes in a hierarchical domain setup.
  Thank you,
  Durgesh

  By default, you can use only the domain name as UPN suffix for user accounts you create within the domain. It is possible to add extra UPN suffixes but these are added at the forest level and not specific to a domain.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Active directory problem ?

  i have installed a brad new Xserver Intel Xenon dual core with 10.4.8, and i have manged to get the computer connected to our windows 2000 AD it´s on a windows 2003 server but the ad is in 2000 mode, and kerberized it, and the server is a domain member. I have populated the local group with AD users, and i have no problem to logon from our macs, but when i try the same account from one of the pc´s with XP sp2 they can´t logon, and i get the logfile like this. If i logon with a local server account from the pc there is no problem.
  NTSTATUS_WRONGPASSWORD
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  netbios connect: name1=FILSERVER name2=DAVIDXP
  netbios connect: local=filserver remote=davidxp, name type = 0
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  netbios connect: name1=FILSERVER name2=DAVIDXP
  netbios connect: local=filserver remote=davidxp, name type = 0
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  Macbook Pro   Mac OS X (10.4.8)  
  Macbook Pro   Mac OS X (10.4.8)  

  If you completely remove it from your forest and partitions Yes that is possible. I have included some more links for you. 
  How to remove data in Active Directory after an unsuccessful domain
  controller demotion
  Active Directory – Remove a Domain Using NTDSUTIL
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• How can I authenticate a User In Windows Active Directory?

  I need to authenticate a user in Windows Active Directory, but I found use the code below will return true if the user name and password are both correct and false if one of them is wrong. But when I input a user name which is not exist in Active Driectory with a blank password, it will also return true. What shall I do? Ask every user must input a password withnot blank?
  Please give me some help to solve this problem. Thanks a lot.
  Code:
  private Context ctx = null;
  Hashtable env = new Hashtable ();
  boolean isValid = false;
  try {
  this.setEnvironmentProperties();
  String domainName = AuthenticateResources.getString("mydomain.com");
  //set the name of domain with the user name
  String fullName = name + "@" + domainName;
  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL,"ldap://mydomain:389");
  env.put(Context.SECURITY_AUTHENTICATION,"simple");
  //set user related information
  env.put(Context.SECURITY_PRINCIPAL, fullName);
  //set user password
  env.put(Context.SECURITY_CREDENTIALS, password);
  //validate user
  ctx = new InitialDirContext(env);
  isValid = true;
  }catch (AuthenticationException ex){
  isValid = false;
  catch (NamingException ex) {
  throw ex;
  }finally{
  this.freeContext();
  return isValid;

  This is usually a problem if Anonymous Binding is enabled. I have faced this in other Directory Servers, but I am not familiar with Active Directory.
  I think by default Active Directory disables Anonymous Binding, but you may want to check.