Active Directory Permissions to Profile Manager

Similar Messages

• Sharepoint 2013 - Active Directory Import User Profile Property manager fields

  Hi there,
  I juste encountered actually a little issue regarding the Active Directory Import User Profil.
  Importation seems to work well but I have a little problem regarding the Manager field.
  When I verify a user profil through the sharepoint admin page ("Manage user profil") , I can see the manager field is correctly populated, but if I want to check my profil as a user (personal information), the manager field is not visible.
  With Sharepoint Admin and Manage Profil Properties, I haven't the possibility to modify some settings for the manager.
  For example, Policy parameters is greyed.
  The only way I found to show this field in a user profil is to give the permission "allow users to Edit values ...".... setting I don't want to set.
  Have you already this sort of issue ?
  Thanks for your help/idea.

  Hi Michael,
  I don't remember well what I did exactly regarding this issue because I played a lot with user profil.
  I know I used this powershell script from Sheyia which in fact help me a lot to clean and create a good profil setting.
  http://blogs.technet.com/b/sheyia/archive/2013/10/09/sharepoint-2013-another-way-to-change-order-for-user-profile-properties-via-powershell.aspx
  For example, this script help me to resolve some double entries.
  Let-me know if it help you (or not of course)

• To build the organization's Active Directory permissions are what we need

  To build the organization's Active Directory permissions are what we need

  what is your actual question?  Can you be more specific?
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.

• Active Directory integration with call manager

  Hi,
  I am facing issues while Integrating the CCM to my Active Directory using AD Plug-in.
  SITE SETUP:
  1. Windows 2003 Parent Domain Controller located remotely with GC.
  2. Windows 2003 Child Domain for the Parent DC located Locally with GC.
  3. Cisco CallManager 4.1.3 sr3b
  My Requirement is to integrate CCM with my Windows 2003 AD.
  My Questions are:
  1. Do I need to Provide the Parent Domain name or the Child Domain name while performing the AD Plug-in Setup?
  2. Does my Call Manager need to have the Forest access of the Active Directory (i.e., Does it perform some modifications in the Parent Domain)?
  3. Does the user account (which is used for Directory Integration) need to have direct members of Schema Admins or thru some other domain admin groups (i.e., Admin user -> Child Domain Admins Groups -> Parent Domain and Schema Admin Groups)?
  Can anyone can help me on this?
  Thanks,
  V.Kumar

  1. Do I need to Provide the Parent Domain name or the Child Domain name while performing the AD Plug-in Setup?
  Use the root domain, in this case the Parent domain.
  Cisco does not recommend having a Cisco Unified CallManager cluster service users in different domains because response times while user data is being retrieved might be less than optimal if domain controllers for all included domains are not local.
  2. Does my Call Manager need to have the Forest access of the Active Directory (i.e., Does it perform some modifications in the Parent Domain)?
  Yes, actually all domains in the forest share the same Schema, which will be modified after running the AD plugin.
  3. Does the user account (which is used for Directory Integration) need to have direct members of Schema Admins or thru some other domain admin groups (i.e., Admin user -> Child Domain Admins Groups -> Parent Domain and Schema Admin Groups)?
  Account should be a member of the Schema Admins group in Active Directory, try the one in parent domain.
  Correct permissions for CCMAdministration and similar example for your setup:
  http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a00806e8c04.html#wp1043057
  HTH

• Apply OID search filter for Active Directory Export Sync Profile

  - currenlty we have active directory export profile working successfully
  - the filter we apply at OID side is SynchronizeToAD!=OID
  that means synchronize all ldap data that has a attribute value other than "OID"
  - This works very well
  Problem:
  - We now need to make the export sync work based on a different condition. The condition being....
  SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
  - The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
  Question:
  1) Need a way to control synchronization based on attribute value.
  2) So far tried the below filter value with out success
  2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
  2b) SynchronizeToAD=AD3
  - In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
  Please provide us with valid search filter to accomplish the above.
  The OID profile attribute that we are trying to set is odip.profile.oidfilter

  - currenlty we have active directory export profile working successfully
  - the filter we apply at OID side is SynchronizeToAD!=OID
  that means synchronize all ldap data that has a attribute value other than "OID"
  - This works very well
  Problem:
  - We now need to make the export sync work based on a different condition. The condition being....
  SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
  - The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
  Question:
  1) Need a way to control synchronization based on attribute value.
  2) So far tried the below filter value with out success
  2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
  2b) SynchronizeToAD=AD3
  - In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
  Please provide us with valid search filter to accomplish the above.
  The OID profile attribute that we are trying to set is odip.profile.oidfilter

• WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)

  Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted
  a managed server using the node manager? I can boot the server without the AD
  authenticator and I can also boot the server using a script and successfully authenticate
  through AD. My AD control flag is set to OPTIONAL and I have also setup a default
  authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This
  configuration works fine with weblogic running on W2K, but not on Solaris (it
  looks like the control flag is being ignored). Errors as follows
  ####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main>
  <kernel identity> <> <000000> <FileLo
  gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000415> <System
  has file descriptor limits of - soft: 1,024, hard: 1,024>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000416> <Using e
  ffective file descriptor limit of: 1,024 open sockets/files.>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000418> <Allocat
  ing: 3 POSIX reader threads>
  ####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01>
  <main> <kernel identity> <> <0003
  64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
  Problem instantiating
  Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException
  thrown by the getAttribute method of the Dynam
  icMBean for the attribute Credential>
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)
  ####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01>
  <main> <kernel identity> <> <000
  342> <Unable to initialize the server: Fatal initialization exception
  Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem
  instantiating Authentication Providerjavax.management.
  RuntimeOperationsException: RuntimeException thrown by the getAttribute method
  of the DynamicMBean for the attribute Credential
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)

  Solved the problem. The 'domain root' directory specified in the remote start configuration,
  must contain a copy of the file 'SerializedSystemIni.dat' that was created along
  with the domain, in order to boot when an AD authenticator is configured. If an
  AD authenticator is not configured, no file is required. This was not a platform
  specific issue; on Win2K I had configured the 'domain root' remote start parameter
  to point to an existing domain root and not a new directory.
  "Andrew Walker" <[email protected]> wrote:
  >
  Has anyone managed to setup a WLS 7.0 Active Directory authenticator
  and booted
  a managed server using the node manager? I can boot the server without
  the AD
  authenticator and I can also boot the server using a script and successfully
  authenticate
  through AD. My AD control flag is set to OPTIONAL and I have also setup
  a default
  authenticator to boot weblogic - the control flag here is set to SUFFICIENT.
  This
  configuration works fine with weblogic running on W2K, but not on Solaris
  (it
  looks like the control flag is being ignored). Errors as follows
  ####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01>
  <main>
  <kernel identity> <> <000000> <FileLo
  gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000415> <System
  has file descriptor limits of - soft: 1,024, hard: 1,024>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000416> <Using e
  ffective file descriptor limit of: 1,024 open sockets/files.>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000418> <Allocat
  ing: 3 POSIX reader threads>
  ####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine>
  <server01>
  <main> <kernel identity> <> <0003
  64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
  Problem instantiating
  Authentication Providerjavax.management.RuntimeOperationsException:
  RuntimeException
  thrown by the getAttribute method of the Dynam
  icMBean for the attribute Credential>
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of
  the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)
  ####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine>
  <server01>
  <main> <kernel identity> <> <000
  342> <Unable to initialize the server: Fatal initialization exception
  Throwable: weblogic.security.service.SecurityServiceRuntimeException:
  Problem
  instantiating Authentication Providerjavax.management.
  RuntimeOperationsException: RuntimeException thrown by the getAttribute
  method
  of the DynamicMBean for the attribute Credential
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of
  the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)

• Integration of MS Active directory with SAP Identity management

  Hello
  I am implementing SAP identity Management  7.1with external tools MS active Directory with Single sign on using SAP IDM . Is there any documentation as to how do I connect SAP IDM with MS AD with the roles and their user provisioning process .
  Also does anyone have a architectural work flow template  on this process .

  Hi
  I guess, using VDS you can achive this. ref the LDAP connection part.
  https://websmp203.sap-ag.de/~sapidb/011000358700001449652008E
  https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
  Regards
  Shridhar Gowda

• Active Directory, GRC, and Identity Management

  I had originally posted this in the Security forum, but was directed here:
  A client I am working at would like to explore using Active Directory groups to assign SAP roles to users, both portal roles and ABAP roles. They are currently using Microsoft AD. However they have a requirement to use GRC Access Controls (v5.2) to assist with role maintenace and assignment for SOX compliance. I have been told that the Identity Management product can assist with integrating GRC and AD that will still allow for SOD checking/SOX compliance while role assignments can take place in AD.
  Does anybody have experience with using Identity Management either with or without GRC? Does in work with Microsoft AD or is it is own AD product? What was your experience with it?
  Are there any other products that can be recommended that will allow for integration between GRC Access Controls and Microsoft AD?
  Steve

  Hi Steve,
  We integrated SiteMinder(eTrust) from CA with the Portal and it is pretty good and stable.
  The one thing i like with SiteMinder is they are pretty stable and once it is configured the maintenance is very less and it is very stable also.
  Also, they provide integrations with major webservers and application servers.
  Cheers, Nag

• How to manage Active directory and tools to manage Active Directory

  How to manage Active directory and which tools we use?

  You can use Microsoft Active Directory management tools:
  http://technet.microsoft.com/en-us/library/aa998508(EXCHG.65).aspx
  http://technet.microsoft.com/en-us/library/aa998508(EXCHG.65).aspx
  erview of Server Message Block signing
  http://support.microsoft.com/kb/887429/en-us
  Remote Server Administration Tools for Windows 7:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
  AD Admin Center:
  http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx
  http://technet.microsoft.com/en-us/library/dd560652(WS.10).aspx
  Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.

• Active Directory Permissions Problems

  Hi all,
  I'll be brief and to the point.
  New iMacs
  10.5.2
  Bound to Active Directory
  Login works fine
  Authentication to network shares works fine (albeit slow)
  But - when saving a file, let's say an HTML document in Coda, it comes up saying "You need administrative privileges to save the file, however you have permissions to replace the file".
  Same in Excel, different message, but the same deal, can't modify files, but can create, delete, rename.
  Same in Illustrator - only lets 'save as' and write over the top.
  The permissions on the AD end are set fine to read&write. Even if I create a new file, it will save it once, then if I try and edit, same deal.
  The permissions are granted as part of a 'group' - but I've added the individual username also and hasn't changed anything.
  Any thoughts would be GREATLY appreciated.

  I have an issue with OSX Leopard (10.5.2) , where by I can't write to NTFS shares on W2K3 servers with SMB signing turned on and IPV6 disabled for the interface.
  To recreate the issue:
  Create a folder named test that contains two files one named ._test.txt and test.txt on OSX and copy to an SMB share on W2k3.
  This results in spurious errors about permissions and locked files.
  Copying a file larger than 4k results in the error:
  "The operation cannot be completed because you do not have sufficient privileges or some of the items."
  Using mount_smbfs from a shell on OSX results in the error: "Permission denied"
  host:~ user$ mount_smbfs //user@server/share /Volumes/test-smbmount/
  Password:
  host:~ user$ cp test.docx /Volumes/test-smbmount/
  cp: /Volumes/test-smbmount/test.docx: Permission denied
  Using smbclient from a shell on OSX results in SUCCESS!!!
  host:~ user$ smbclient \\\\server\\\share -U user
  Password:
  Domain=DOMAIN OS=Windows Server 2003 3790 Service Pack 2 Server=http://Windows Server 2003 5.2
  smb: \> put test.docx
  putting file test.docx as \test.docx (784.7 kb/s) (average 784.7 kb/s)
  smb: \>
  There is an alternative solution if you do need to drag and drop in your gui world, it'll cost you $120
  link: http://www.thursby.com/products/dave-eval.html
  I have mailed the developer as he has obviously identified the root problem of the issue and I urged him to share his patch/resolution with Apple in the interests of the user community and a darn nice thing to do.I had a response form the developer to my request. I sent my workaround solution to the developer and stated that in my opinion the pricing for the software seems unnecessarily high based on the functionality it provides and way above what I would be willing to pay to resolve one small issue.
  <developers response>
  Pricing is a difficult topic to discuss -- but if you have no use for the product, any price is too much. As for reporting bugs to Apple, they'll listen to customers much sooner than they'll listen to developers. And they have some of the brightest engineers I know. If you report the bug to them, they'll likely have it fixed in the next update.
  </developers response>
  I couldn't find away to report the bug myself so I had a friend do it for me. The response I had back from Apple was less than satisfactory.
  They believe that the issue is to do with NTFS streams and that a file containing ".com.apple.smb.streams.on" needs to be created and placed into the root of shared volumes. This is not a fix!
  If you want to prevent writing the "Apple Double" files to a remote share, enter the following into a terminal:
  $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true
  Problem still exists.
  ref: http://docs.info.apple.com/article.html?artnum=301711
  <apple double description>
  ref: fhttp://docs.info.apple.com/article.html?artnum=106510
  Before Mac OS X, the Mac OS used 'forked' files, which have two components: a data fork and a resource fork. The Mac OS Standard (HFS) and Mac OS Extended (HFS Plus) disk formats support forked files. When you move these types of files to other disk formats, the resource fork can be lost.
  With Mac OS X, there is a mechanism called "Apple Double" that allows the system to work with disk formats that do not have a forked file feature, such as remote NFS, SMB, WebDAV directories, or local UFS volumes. Apple Double does this by converting the file into two separate files. The first new file keeps the original name and contains the data fork of the original file. The second new file has the name of the original file prefixed by a "._ " and contains the resource fork of the original file. If you see both files, the ._ file can be safely ignored. Sometimes when deleting a file, the ._ component will not be deleted. If this occurs you can safely delete the ._ file.
  </apple double description>
  I am not the only one this issue. A quick peruse on http://macwindows.com/ will show that numerous people are suffering and numerous workarounds have been suggested. Sadly none of which work for me. Each work around is stranger than the previous. Such as disabling IPV6 and updating Daylight Savings Time.
  The issue lies with the samba integration. I am primarily a Gentoo Linux user and this kind of bug would have been resolved almost instantly if present in open source software.

• 801.x WLANs authenticated via Radius and Active Directory permit any user access any WLAN

  Hi,
  I have configured several WLANs with WPA2 and 8021.x which authenticate users through Radius server (Windows Internet authentication service) that conects with an Active Directory, into the AD exists one user group for each WLAN but the problem is that any user that was added to some group can get access to any WLAN, does anyboby know if I need some configuraion on the WLC to restric that?
  thanks for your help.

  Hi Scott,
  I have done some test modifying the Radius Policy to look at called station ID and test too looking at the NAS-ID, In the first case, I change the Call Station ID Type into WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID and into the Radius Server using .*:SSID-NAME$ and SSID-NAME$ ,but it blocks access for any user. In the second case, I change the NAS-ID into WLC WLAN and interface confguration and into the radius server Policy to match all, but it doesn´t have any impact, what other test could I try?
  thanks for your help. 

• Active directory permissions

  I have 2 domain controllers in my lab environment. I'm getting all kinds of errors due to tombstone lifetime. When I try to increase the 'tombstonelifetime' , I don't have the privileges to edit it. I'm logging in with a Domain Admin account. Any ideas
  how I can resolve this?

  Oh, this isn't good news.
  What is the actual error message you get? In the event viewer in the Directory Service log as well as in the output of a "repadmin /showrepl" on both of your DCs?
  If your two DCs didn't replicate for more than the TSL (tombstonelifetime), the solution isn't to increase the TSL. The recommended approach is to just get rid of one of the DC (ideally you keep the one that has the most recent info - if any) and clean the
  environment from the reference of this DC (metadata cleanup procedure
  http://technet.microsoft.com/en-us/library/cc816907(v=WS.10).aspx ). Then promote a new DC. Also make sure that the root cause for the failed replication is also identified, check the network configuration (rooting, firewall, DNS...). In certain
  situations, both DCs were use and diverged for so long that you cannot really determine what DC to keep and what DC to get rid of.
  Have a look here:
  Troubleshooting AD Replication error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime"
  https://support.microsoft.com/kb/2020053
  Event ID 2042: It has been too long since this machine replicated
  http://technet.microsoft.com/en-us/library/cc757610(v=WS.10).aspx
    Tell us how bad it is :)
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Active Directory groups not being managed when added to an OD group?

  Hi all,
  Hopefully someone out there might be able to help with this. I have a magic triangle of authentication working and when I add an AD group to an OD group, some work and some don't.
  For example if I add a AD User to an OD group it works. If I add the "Domain Users" AD group to my OD group, it works - everyone on our network is managed (because everyone is in the Domain Users AD group). But if I remove "Domain Users" and add the "Students" AD security group, they are not managed. If I add "Staff' AD group, some staff are managed and some are not (I have confirmed that they are added to the group).
  Is there a trick to having AD security groups work in OD groups every time. (Note they are not distribution groups)
  Thanks,
  Gavin

  If the group was added to SharePoint and then users were added to the group try waiting a day.  The claims token in SharePoint lifetime is fairly long.  So when new users are added to an existing AD group SharePoint will not recognize the new membership
  in the Claims token for 12 -24 hours.  If you add a user today they should be able to log in tomorrow.  Take a look at the following Blog post.  I think this is your issue.
  http://www.andrewjbillings.com/sharepoint-2013-claims-authentication-ad-group-changes-not-reflected/
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• Problems with Active Directory Users showing as not found in Open Directory work group manager

  I’m running a golden triangle setup with Open directory assigning group policy and authentication provide by active directory. In workgroup manager I can search through the AD and add users or computers to groups in OD workgroup manager. However when I save and refresh the users or computer appear as ‘not found’. Is there a reason for this?

  Hi Zero
  It's very reassuring to know im not the only one having issues with this..
  Im on my second re install of the server.. I like you have no wish to do another clean install as everything else is connected and it seems like the answer is probably very simple.
  So today im going to re- run the terminal commands as layed out in the online guides.
  However i was kinda hoping someone would be able to supply us with an answer.
  thanks
  J

• Not able to connect to Active Directory through Topology manager of ODI

  Hi,
  We are trying to connect to Active Directory though ODI Topology manager.
  The details given are :
  +1. Using LDAP(JNDI) driver:+
  username : CN=Administrator
  JDBC Driver name : com.sun.jndi.ldap.LdapCtxFactory
  JDBC URL : ldap://ten.mydomain.com:636/dc=oracle,dc=com
  I am getting the error as shown below:
  java.sql.SQLException: No suitable driver
       at java.sql.DriverManager.getDriver(Unknown Source)
       at com.sunopsis.sql.SnpsConnection.u(SnpsConnection.java)
       at com.sunopsis.sql.SnpsConnection.a(SnpsConnection.java)
       at com.sunopsis.sql.SnpsConnection.testConnection(SnpsConnection.java)
       at com.sunopsis.sql.SnpsConnection.testConnection(SnpsConnection.java)
  *2. Sunopsis JDBC driver for LDAP:*
  Username: cn=Administrator
  JDBC Driver Name : com.sunopsis.ldap.jdbc.driver.SnpsLdapDriver
  JDBC Driver URL :
  jdbc:snps:ldap?ldap_url=ldap://ten.mydomain.com:636/&ldap_password=abcd1234&ldap_basedn=dc=oracle,dc=com
  We also tried with URL : jdbc:snps:ldap?ldap_url=ldap://ten.mydomain.com:636/&ldap_basedn=dc=oracle,dc=com
  We are getting an error as shown below:
  Java.sql.SQLException: A NamingException occured saying: Request: 1 cancelled with this explanation: Request: 1 cancelled and this remaining name: null
       at com.sunopsis.ldap.jdbc.driver.i.e(i.java)
       at com.sunopsis.ldap.jdbc.driver.i.a(i.java)
       at com.sunopsis.ldap.jdbc.driver.SnpsLdapConnection.<init>(SnpsLdapConnection.java)
  Did I misconfigure something? Do I need to install a seperate Driver for this?
  Please help me out in this.
  Thanks in advance for any help.

  For LDAP default user Root is having all the priviledge to access all the Ldap data.
  Go to physical architecture and insert a new dataserver
  user - cn=root,dc=css,dc=hyperion,dc=com [ change this  according to your requirememnt  for you it will be   *cn=Administrator ,dc=oracle,dc=com* ]
  password - null
  JDBC
  jdbc driver : com.sunopsis.ldap.jdbc.driver.SnpsLdapDriver
  jdbc url : jdbc:snps:ldap?ldap_url=ldap://<server name :port/&ldap_password=KLLEJMNLKFLBKLKODDGPGPDB&ldap_basedn=dc=css,dc=hyperion,dc=com
  [  for you it will be  *jdbc:snps:ldap?ldap_url=ldap://ten.mydomain.com:636/&ldap_password=<encoded password>ldap_basedn=dc=oracle,dc=com* ]
  Here the Default Ldap password for ROOT is SECURITY and if its changed or you are using for some other user . Please use that .
  you also need to encode the password using this command
  java -cp C:\OraHome_1\oracledi\drivers\snpsldapo.jar com.sunopsis.ldap.jdbc.driver.SnpsLdapEncoder <enter password here>
  Later test the connection and you should be able to connect successfully.
  Thanks