ACTIVE DIRECTORY TRUST CONFLICT AND INTERDOMAIN MAIL FLOW

Old AD Forest: abc.com Win 2003 R2
Existing Exchange: Exch 2007 SP3
Exchange Server contains the domains like aaa.com, bbb.com, ccc.com so on and so forth
Created new AD Domain ccc.com
Deployed Exchange 2013 SP1
Trust created with conflict. The conflicting object is ccc.com in both ADs.
I can send emails from the new Exchange organization to aaa.com, bbb.com, etc., except to the ccc.com user in abc.com.
Kindly suggest how to enable mail flow
Regards

Exchange e-mail domains don't have to be the same as Active Directory domains. Exchange processes mail based on accepted domains, connector address spaces, and recipient addresses. Just creating a domain doesn't do anything to create recipients in Exchange with the domain's address.
It sounds like you need to add ccc.com as an accepted domain, and maybe create an e-mail address policy for the recipients in that domain and/or manually add ccc.com addresses to recipients.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Similar Messages

  • Will MX record work for the incoming mail flow and external mail flow.

    Hello All,
        I have created 2 machines with Windows 2008 R2 workgroup and installed Forefront TMG 2010.
        I am using the VIP for the external adapter for the NLB and am going to connect it through the MX record. Will it work for the incoming mail flow to the Exchange 2010 and external mail flow?
        Is what I am doing right? Please suggest. Thanks in advance!
    Sidharth Guntoji,Messaging Consultant, ITBigBang (P) Ltd Www.ITBigBang.Com | Hire Us for Messaging Consulting

    Hi,
    Based on my experience, the MX record contains the fully qualified domain name of the messaging server that’s responsible for accepting messages for the domain.
    Do you want to configure the TMG server as a secure SMTP relay server? Did you mean that the external DNS server points to TMG’s external IP for the MX record and the internal Exchange server is using TMG’s internal IP address as the default gateway? Did you install any Exchange role on the TMG server?
    I am sorry to say that I am not quite sure of your deployment, I would appreciate it if you can share your network topology and configuration.
    Best regards,
    Susie

  • Active Directory Trusted Recon ends with NullPointerException

    Hi,
    I have installed OIM 11.1.2.2.0 and AD connector version: ActiveDirectory 11.1.1.6.0. When I run "Active Directory Group Lookup Recon", I can see the groups created in "Lookup.ActiveDirectory.Groups". But when I tried to do "Active Directory User Trusted Recon", OIM gave the error below. I attached ITResource and Scheduler configurations.
    Any help is greatly appreciated.
    [2015-04-29T21:20:40.816+05:30] [oim_server1] [ERROR] [] [] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: eefe7b19b2a021e0:6c7958f0:14d05d5c757:-8000-000000000000009d,0] [APP: oim#11.1.2.0.0] [DSID: 0000Ko5qWtjFW7WFLz6UOA1LGFhL000004] Failed to communicate with any of configured Access Server, ensure that it is up and running.
    [2015-04-29T21:20:40.863+05:30] [oim_server1] [NOTIFICATION] [] [oracle.iam.features.scheduler.agentry.operations] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: eefe7b19b2a021e0:6c7958f0:14d05d5c757:-8000-000000000000009d,0] [APP: oim#11.1.2.0.0] [DSID: 0000Ko5qWtjFW7WFLz6UOA1LGFhL000004] [[
    java.lang.NullPointerException
      at java.io.ByteArrayInputStream.<init>(ByteArrayInputStream.java:89)
      at oracle.iam.scheduler.vo.JobHistory.getExceptionObject(JobHistory.java:123)
      at oracle.iam.features.scheduler.agentry.operations.LookupActor.prepare(LookupActor.java:1277)
      at oracle.iam.features.scheduler.agentry.operations.LookupActor.refresh(LookupActor.java:3069)
      at oracle.iam.features.scheduler.agentry.operations.LookupActor.receiveEvent(LookupActor.java:3056)
      at oracle.iam.consoles.faces.mvc.canonic.Model.handleIntent(Model.java:975)
      at oracle.iam.consoles.faces.mvc.canonic.Controller.doHandleIntent(Controller.java:533)
      at oracle.iam.consoles.faces.mvc.canonic.Controller.doSelectAction(Controller.java:204)
      at oracle.iam.consoles.faces.event.NavigationListener.processAction(NavigationListener.java:99)
      at javax.faces.event.ActionEvent.processListener(ActionEvent.java:88)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcast(UIXComponentBase.java:748)
      at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:179)
      at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:93)
      at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:371)
      at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:97)
      at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:104)
      at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:93)
      at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:371)
      at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:97)
      at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:98)
      at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475)
      at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756)
      at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._invokeApplication(LifecycleImpl.java:957)
      at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:427)
      at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207)
      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
      at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
      at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:128)
      at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
      at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
      at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
      at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
      at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
      at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:112)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
      at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
      at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
      at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
      at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
      at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.doFilter(OAMServletAuthenticationFilter.java:265)
      at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilter(OAMValidationSystemFilter.java:133)
      at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentWrapperFilter.java:120)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
      at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
      at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
      at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

    I believe suddenly after running use cases related with target recon, you are trying to run trusted recon.
    Make sure you update the following value in the IT Resource whenever you run it for trusted recon:
    Configuration Lookup
    This parameter holds the name of the lookup definition that stores configuration information used during reconciliation and provisioning.
    If you have configured your target system as a target resource, then enter Lookup.Configuration.ActiveDirectory.
    If you have configured your target system as a trusted source, then enter Lookup.Configuration.ActiveDirectory.Trusted.
    Default value: Lookup.Configuration.ActiveDirectory
    http://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploy.htm#BABGFCFE
    ~J

  • Windows Server 2008 Active Directory Trust

    Hi ,
    Can anyone help with the answer to the following questions please?
    a) Whether Microsoft Windows Server 2008 SP2 Standard Edition support AD trust relationships (one-way; two-way)
    b) Whether we can create trust between Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 Standard Edition AD servers?
    Thanks in advance.
    India1947

    Hello,
    First of all, please confirm the firewall on the Windows Server 2008, the TCP/IP filter or any third-party firewall is not blocking the RPC and ICMP traffic between the two domain controllers.
    1.    Have a test of creating and verifying trust while all firewalls are all disabled. Then re-create and verify the trust to check how it works.
    Allowing Inbound Network Traffic that Uses Dynamic RPC
    http://207.46.196.114/windowsserver2008/en/library/d37f96c6-c729-4b29-80a9-88db3d97b8631033.mspx
    2.    If it still fails, please try to collect the following information for our further investigation:
    -      Run "Netdiag /v >>netdiag.txt" on both DCs
    -      Network Monitor trace when verifying the trust:
    Download the NetMon3.1 from the following link:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en
    1.    Install the NetMon on Windows Server 2008.
    2.    In the Microsoft Network Monitor 3.1 window, click Create a new capture tab….
    3.    In the new tab, select all the Network Adapter in the Select Networks window.
    4.    After that, press F10 to start NetMon.
    5.    In the Active Directory Domains and Trusts, try to verify the trust to reproduce the issue.
    6.    After that, go back to the Netmon window and press F11 to stop the Netmon on the Windows Vista machine.
    7.    Press Ctrl+S to save the Netmon files.
    Please send files to [email protected]
    Note:
    a. Please include the following three lines for this issue in the email body:
    Trust Windows Server 2008 and Windows 2000
    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3210801&SiteID=17
    Miles Li - MSFT
    b. We will continue to discuss the issue here in the newsgroup and will NOT reply via emails.
    c. Please post a quick note in the current thread to inform me after sending the email.
    Thanks.
     

  • Active Directory Recycle Bin and Infrastructure FSMO Role.

    Hello!
    In the book about Active Directory I have found the information:
    "Once the Active Directory Recycle Bin has been enabled, the infrastructure master’s functions are performed independently by every DC in the forest. That is, the tasks just described are no longer delegated to a single DC."
    I have looked for additional information and found only one article from trusted source:  http://msdn.microsoft.com/en-us/library/cc223753.aspx :
    "When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references in the event that the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role."
    Does anyone have any additional information about these changes?
    How does the Infrastructure Master role work after enabling the AD Recycle Bin?

    My understanding is that the Infrastructure Role ceases to do the updating when cross-domain objects are moved, renamed or deleted, and this now becomes the function of the domain controller that did the action. This makes the role of Infrastructure Master redundant, thus no longer a necessary role.
    When you enable the Recycle Bin, that's a forest-wide operation, meaning that each domain must be at least at Windows 2008 R2 domain level and the forest is at 2008 R2 level -
    http://technet.microsoft.com/en-us/library/dd391916.aspx
    Here is a forum post that asked that exact question
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/dec7f361-c6ea-43ef-b929-f5b26661fdb8/recycle-bin-and-infrastructure-master?forum=winserverDS
    Brad Held http://windorks.wordpress.com

  • Active directory management pack and 2012 R2

    I'm getting the following alert from SCOM 2012 R2:
    "Alert description: AD Op Master Response : The script 'AD Op Master Response' could not determine the PDC Op Master.The error returned was: 'LDAP://server01.domain.local/RootDSE' (0x8007203A)"
    DCDiag shows no errors.
    The error did not show up when we were running 2012 DC:s.

    Resolution: Logged into the server, attempted to open Active Directory Domains and Trusts and received the message: “The configuration information describing this enterprise is not available. The server is not operational.” Debugging, rebooting the server.
    After reboot the issue opening Active Directory Domains and Trusts no longer occurred. Closed the alerts generated to see if they would recur
    Mai Ali

  • Can I recover all my Active Directory domain computers and users from IFM and incorporate them in a new forest?

    My only Active Directory server, on Win Server 2008 R2 with one domain controller, crashed today. The only backup that I had was IFM media.
    So what I have done till now to recover it is as follows:
    I reinstalled Windows Server, but this time it is Win Server 2012. I added the AD DS role to it. Promoted it to Domain Controller. (functionality level is 2008 R2)
    On the second server I installed Win 2008 R2 and am trying to add an additional domain controller from IFM to recover all of my domain users, computers and GPOs, but I am getting this error:
    Could not replicate the directory partition CN=schema, CN= configuration, DC=XXX, DC=com from the remote domain
    the naming context specified for this replication operation is invalid
    I don't know whether my approach is correct or not,
    but my simple question is:
    Can I recover all my domain computers and users from IFM and incorporate them in a new forest? If yes, how can I do that? Urgent help required.

    Yup, exactly. I created a new domain (in a new forest) with the same previous name in Windows Server 2012 on SERVER-1. As the IFM file that I had was generated from 2008 R2, on the second server I installed Windows 2008 R2 and tried to add the role of additional domain controller from the IFM file on SERVER-2 using dcpromo /adv. Every step went OK, but in the last step, when it starts replicating domain controllers, it pops up the following error
    Could not replicate the directory partition CN=schema, CN= configuration, DC=XYZ, DC=com. .  .
    and rolls back everything.

  • Exchange 2013 upgrade from 2010 and no mail flow and cannot move mailboxes

    I am in the process of moving to Ex 2013 from 2010. I have installed Ex 2013 SP1 on a new server 2012 R2. All of my Ex 2010 servers are SP3 RU 5. Ex 2013 is running and I can connect through the EAC and see all other Exchange servers and connectors that were already in existence. Several puzzling things are happening now that the servers are in coexistence:
    1) As soon as Ex 2013 was installed on the network, many Outlook users are continuously being prompted to enter their domain credentials. They can cancel the prompt and Outlook still sends/receives email. No user mailboxes are on Ex 2013 yet. Why is this happening?
    2) I am following the Ex 2013 Deployment Assistant and I get to the step to move the Ex 2010 Arbitration mailbox to Ex 2013 and the move does not happen--it just says "syncing" and never completes. I tried moving a test mailbox from Ex 2010 to the 2013 database and I get the same result. I created the move request on the Ex2013 server and I see it as queued on the Ex2010 server, so I know they are "talking" to each other. However, when reviewing the status of the move I see "MapiExceptionNoAccess: Unable to open message store".
    3) There seems to be no mail flow on the same Ex2013 server or between the Ex 2010 and 2013 servers. I created two new test user mailboxes in Ex 2013. The Ex2013 mailboxes cannot send/receive to each other or to Ex 2010 users. This seems strange, unless I am completely missing something in the Ex 2013 install?
    I know this is a lot in one post, but following the Deployment assistant, I was hoping this would be something that others have faced.  Thanks for any input here.

    Do the points below already apply to you?
    Exchange 2013 is supported with the following minimum versions of Exchange:
    1) Exchange*** 2010 SP3 on all Exchange 2010 servers in the organization, including Edge Transport servers.
    2) Exchange 2013 CU2 or later on all Exchange 2013 servers in the organization.
    *** If you want to create an EdgeSync Subscription between an Exchange 2010 Hub Transport server and an Exchange 2013 SP1 Edge Transport server, you need to install Exchange 2010 SP3 Update Rollup 5 or later on the Exchange 2010 Hub Transport server.
    Thanks Prem P Rana MCSA Messaging 2003 MCSE 2003 Server MCTS MCITP Exchange 2007, 2010 Gurgaon, India http://blogs.msexchange-experts.com

  • Windows 2012 R2 Active Directory Domain Services and Remote Desktop services Role on the same server.

    Findings: 
    Currently, Windows 2012 R2 AD DS role and RDS with Broker services can only seem to coexist properly in a new domain, not an existing domain. Any attempt to add to an existing domain causes internal database user access denied issues and any attempt to adjust rights and circumvent is dubious at best.
    The escalation technician said it best. Out of 50 clients that want to do this, they end up not being able to help 5 right off the bat for whatever reason. As for the other 40 they might be able to help by running reports, adjusting rights and trying to add the roles until it works. This can end up being a 20 day process. Basically they are playing whack-a-mole with user rights and permissions until something sticks.
    We tried creating an OU where any other domain policies would not be inherited to see if that was the issue, a fresh install with different sequence of adding the Roles, no effect.
    Given the errors I witnessed when running procmon and then trying to add the roles, the NT System and the Windows Internal database user had access denied issues on 100+ registry keys when trying to add the roles. After that the system is not behaving normally.
    The errors displayed almost mirror the errors that would occur on Windows 2012 when those two roles would be added which of course is officially NOT supported on that system.
    This blog needs serious revision:
    http://blogs.msdn.com/b/rds/archive/2013/07/09/what-s-new-in-remote-desktop-services-for-windows-server-2012-r2.aspx
    This is the excerpt from that blog: Single server RDS deployment including Active Directory. We now support running our RD Connection Broker role service on the same physical instance as an Active Directory Domain Controller. In addition, we published guidelines for how RD Session Host could be used without the RD Connection Broker.
    Microsoft Support was courteous and helpful and they were the ones who advised cutting our losses, which mirrored my hunch after seeing what was transpiring in the system. They refunded my money for the support call.
    For me, it was an opportunity to find out if there was any way to configure Windows 2012 R2 in the same manner that it was set up as Windows 2008 R2 and lay that to rest. The coexistence is poorly implemented. It is as if there was a reaction from all the deprecation of bread and butter features such as shadowing in TS and the coexistence of AD DS and RDS to where those features were re-added haphazardly. (I have no complaints on shadowing on Windows 2012 R2, it works, I just do not like having to go to Server Manager to use it.)
    I opted for virtualizing the Domain controller to eliminate the incompatibility issues and that is what I will be doing from now on. I found free solutions for backing up and reporting for virtual machines as well as the suggested procedures for configuring a Domain controller as a virtual machine on a Hyper-V environment and I will be sticking to those. Thus far the setup has been operational.
    I am not allergic to virtualization, but for really small setups it adds additional time and considerations, but if that is how it has to be done, so be it. Windows 2008 R2 days are numbered and since we can usually squeeze 5-7 years on quality server equipment, buying a Windows 2008 R2 setup now is a borderline disservice in my opinion.
    Hopefully someone finds this useful and saves some time.

    Hi,
    Thank you for posting in Windows Server Forum.
    Do you need any other assistance?
    Based on your description, you are describing your story of successfully implementing RDS server with AD role and more regarding all RDS related scenario. For shadowing feature, you can use with command also. Below is the syntax to shadow a session.
    mstsc /v:<ServerName> /shadow:<SessionID>
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Change (or add) a password to Active Directory with Java and JNDI

    I've created a new account in LDAP with attributes, it's OK. But I can't initialize the password; I've tried some samples without result.
    Maybe it's an SSL problem (I don't know why, I read it somewhere).
    My code:
    import java.util.*;
    import java.io.*;
    import java.net.*;
    import javax.naming.Context;
    import javax.naming.NameAlreadyBoundException;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.ModificationItem;

    public class addUser {
        private static final String UNICODE = "Unicode";
        private static final String UNICODE_PASSWORD = "unicodePwd";
        private Hashtable<String, String> env;
        private DirContext ctx;

        public addUser() {}

        // Builds the JNDI environment: plain LDAP on port 389 with a simple bind.
        private void _initialize() {
            String jndiURL = "ldap://DOMAINSRV:389/";
            String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
            String authenticationMode = "simple";
            String contextReferral = "ignore";
            String principal = "[email protected]";
            String credentials = "oce";
            env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
            env.put(Context.PROVIDER_URL, jndiURL);
            env.put(Context.SECURITY_AUTHENTICATION, authenticationMode);
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
            env.put(Context.REFERRAL, contextReferral);
        }

        // Removes any existing entry with the same DN, creates the user, then sets the password.
        public boolean createUser() {
            try {
                ctx = new InitialDirContext(env);
                ctx.destroySubcontext("cn=FBXX,cn=users,DC=gedeon,DC=fr");
                BasicAttributes attrs = new BasicAttributes();
                BasicAttribute ocs = new BasicAttribute("objectclass");
                ocs.add("user");
                attrs.put(ocs);
                BasicAttribute sa = new BasicAttribute("sAMAccountName", "FBXX");
                attrs.put(sa);
                BasicAttribute na = new BasicAttribute("name", "FRANCOIS BERTOUX");
                attrs.put(na);
                BasicAttribute sn = new BasicAttribute("sn", "BERT");
                attrs.put(sn);
                BasicAttribute up = new BasicAttribute("userPrincipalName", "[email protected]");
                attrs.put(up);
                BasicAttribute ua = new BasicAttribute("userAccountControl", "512");
                attrs.put(ua);
                BasicAttribute dn = new BasicAttribute("displayName", "FRA BERT");
                attrs.put(dn);
                BasicAttribute gn = new BasicAttribute("givenName", "FRA");
                attrs.put(gn);
                BasicAttribute des = new BasicAttribute("description", "CECI EST MON TEST");
                attrs.put(des);
                BasicAttribute cp = new BasicAttribute("codePage", "0");
                attrs.put(cp);
                BasicAttribute cc = new BasicAttribute("countryCode", "0");
                attrs.put(cc);
                BasicAttribute it = new BasicAttribute("instanceType", "4");
                attrs.put(it);
                ctx.createSubcontext("cn=FBXX,cn=users,DC=gedeon,DC=fr", attrs);
                changePassword("cn=FBXX,cn=users,DC=gedeon,DC=fr", "TOTO", "FBX");
                ctx.close();
            } catch (NameAlreadyBoundException nex) {
                System.out.println("User ID is already in use, please select a different user ID ...");
            } catch (Exception ex) {
                System.out.println("Failed to create user account... Please verify the user information...");
                ex.printStackTrace();
            }
            return true;
        }

        // Sends a remove of the old unicodePwd value and an add of the new one in a single modify.
        public final void changePassword(
                String argRDN,
                String argOldPassword,
                String argNewPassword)
                throws NamingException {
            ModificationItem modificationItem[] = new ModificationItem[2];
            try {
                modificationItem[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", (byte[]) this.encodePassword(argOldPassword)));
                modificationItem[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", (byte[]) this.encodePassword(argNewPassword)));
            } catch (UnsupportedEncodingException e1) {
                System.out.println("changePassword(String argOldPassword, String argNewPassword)" +
                        "Passwordchange failed: " + e1.toString());
                throw new RuntimeException(e1.toString());
            }
            try {
                ctx.modifyAttributes(argRDN, modificationItem);
            } catch (NamingException e1) {
                System.out.println(
                        "changePassword(String argOldPassword, String argNewPassword)" +
                        "Passwordchange failed : " + e1.toString());
                throw e1;
            }
        }

        // Wraps the password in double quotes and encodes it with the "Unicode" charset.
        private byte[] encodePassword(String pass) throws UnsupportedEncodingException {
            final String ATT_ENCODING = "Unicode";
            // Agree with MS's ATTRIBUTE_CONSTRAINT
            String pwd = "\"" + pass + "\"";
            byte _bytes[] = pwd.getBytes(ATT_ENCODING);
            // strip unicode marker
            byte bytes[] = new byte[_bytes.length - 2];
            System.arraycopy(_bytes, 2, bytes, 0, _bytes.length - 2);
            return bytes;
        }

        public static void main(String[] args) {
            addUser testUser = new addUser();
            testUser._initialize();
            testUser.createUser();
        }
    }
    And the result is :
    changePassword(String argOldPassword, String argNewPassword)Passwordchange failed : javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190ADF, problem 5003 (WILL_NOT_PERFORM), data 0
    ]; remaining name 'cn=FBXX,cn=users,DC=gedeon,DC=fr'
    Failed to create user account... Please verify the user information...
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190ADF, problem 5003 (WILL_NOT_PERFORM), data 0
    ]; remaining name 'cn=FBXX,cn=users,DC=gedeon,DC=fr'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2804)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2677)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2483)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1285)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:253)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:170)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:159)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:144)
    at addUser.changePassword(addUser.java:129)
    at addUser.createUser(addUser.java:92)
    at addUser.main(addUser.java:167)
    And with "userPassword" no error but no change.
    Please, help.
    Thanks

    Hello!
    I have a new variant of the set password problem, and as I did not get any further with a big running application I wrote a small standalone program to connect to an Active Directory server, and, hm, it works! I can log in with an account which has administrator privileges, I can set passwords, works fine, unless, and now it gets a little bit curious, unless I change the VM.
    Everything works fine with a jdk 1.5.0_07, but if I switch over to the fine new 1.6.0_16, the login still works but the change of a password leads to a not so fine javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0.
    As I use the same cacerts file, I do not really understand what is failing here. Anyone who has an idea?
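
The unicodePwd write discussed in this thread, as an added example that is not part of either post: Active Directory accepts writes to unicodePwd only over an encrypted connection and expects the value as the double-quoted password encoded in UTF-16LE, so the code below insists on an ldaps:// URL, uses a single replace for a reset (including the first password of a new account) and a remove plus add for a user's own change. Assumptions: the class and method names are illustrative, DOMAINSRV comes from the post, the JVM trusts the domain controller's certificate, and the bind account is allowed to reset passwords.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

// Added example: class and method names are illustrative, not from the original post.
public class AdPasswordExample {

    // unicodePwd value: the password wrapped in double quotes, UTF-16LE, no byte-order mark.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Administrative reset, also used for the first password of a new account:
    // one replace operation on unicodePwd.
    static ModificationItem[] resetItems(String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    // User-initiated change: remove the old value and add the new one in the same request.
    static ModificationItem[] changeItems(String oldPassword, String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    // Reject plain ldap:// URLs so neither the bind nor the password travels without TLS.
    static String requireLdaps(String url) {
        if (!url.toLowerCase(Locale.ROOT).startsWith("ldaps://")) {
            throw new IllegalArgumentException("unicodePwd needs an encrypted connection, got: " + url);
        }
        return url;
    }

    // Simple bind over LDAPS; the server certificate is checked against the JVM trust store.
    static DirContext connect(String url, String principal, char[] credentials) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, requireLdaps(url));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (byte b : data) {
            sb.append(String.format("%02x ", b));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) throws NamingException {
        // Offline part: print the wire format for a constructed sample password.
        System.out.println("encoded sample: " + hex(encodeUnicodePwd("Ab1!")));

        if (args.length != 3 || System.console() == null) {
            System.out.println("usage: java AdPasswordExample.java ldaps://DOMAINSRV:636/ <bind UPN> <target DN>");
            return;
        }
        // Passwords are read from the console rather than taken from the command line.
        char[] bindPw = System.console().readPassword("Bind password: ");
        char[] newPw = System.console().readPassword("New password for %s: ", args[2]);

        DirContext ctx = connect(args[0], args[1], bindPw);
        try {
            ctx.modifyAttributes(args[2], resetItems(new String(newPw)));
            System.out.println("Password set for " + args[2]);
        } finally {
            ctx.close();
        }
    }
}
```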

  • How to integrate ACS 5.0.0.21 Express with Active Directory Standard 2003 and authenticate PEAP MSCHAPV2

    Hi:
    My name is Ivan, and I have a problem.
    I have an ACS 5.0.0.21 Express, and I have to integrate it with Active Directory (AD) 2003 Standard. I should authenticate the users of the domain in the LAN with PEAP MSCHAPV2, using the following:
    Cisco WLC 4402 + Cisco ACS 5.0.0.21 + Active Directory
    I need to know if I should install a certificate in the ACS 5.0.0.21 or install some remote agent in the AD.
    I put in the ACS an external database with the AD, and I already selected the users of the domain in the ACS Express.
    Please could you tell me all the steps to authenticate the users of the domain using the ACS Express and the Active Directory?
    I would like to know which configuration I have to do in my ACS Express to authenticate using PEAP MSCHAPV2.
    Regards
    Ivan

    See the below URL - multiple config guides on what you want to do:-
    http://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
    HTH

  • Free Self Service Active Directory Account Unlock and Reset Solution:

    I’m testing a new self service suite for Active Directory (Call2unlock). It is based on IVR and a web config tool. This is the link: http://www.call2unlock.com/
    So far I’m impressed, the configuration is simple and the users just need to dial by phone to an internal extension to unlock or reset their accounts. It can be integrated to any PBX. The good part is that they have a free version up to 500 users.
    This topic first appeared in the Spiceworks Community

    Hello,
    also Microsoft provides the option with FIM 2010 and Forefront Identity manager to have self service for password reset:
    http://blog.msresource.net/2011/05/03/fim-self-service-password-reset-sspr-and-active-directory-password-policy/
    http://blog.msresource.net/2011/11/24/self-service-password-reset-sspr-question-and-answer-qa-gate-complexity-criteria-in-fim-2010-r2/
    http://technet.microsoft.com/en-us/edge/Video/ff945082
    http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx
    http://support.microsoft.com/kb/2443871
    And your tool is as trial to download.
    http://www.sysoptools.com/password-reset-pro.aspx
    http://www.tools4ever.com/products/self-service-reset-password-management/
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Back Pressure causing internal and external mail flow to Stop!

    I have one Exchange Server 2007 SP3 x64 in the following configuration.
    Latest message (I have been dealing with this off & on for 3-4 weeks and need to resolve it). The server is a physical box, an IBM x3650 with a DS3200 storage cage, with (2) Quad Core processors and 48 GB of RAM. All volumes listed above are running on their own 15k spindle drives in a RAID 1 configuration. C and E partitions are in the x3650. F, G & H are in the DS3200 with a SCSI connection to the x3650. We have a 1 gigabit network connection. We are using the Mimecast cloud server for spam and email archiving, so we have our mail route to them first, then down to our local server. Outgoing mail routes to Mimecast, then out to its destination.
    Resource pressure increased from Normal to Medium.
    Resource utilization of the following resources exceed the normal level:
    Version buckets = 127 [Medium] [Normal=80 Medium=120 High=300]
    Physical memory load = 91% [limit is 94% before message dehydration occurs.]
    Back pressure caused the following components to be disabled:
    Inbound mail submission from the Internet
    Mail submission from the Pickup directory
    Mail submission from the Replay directory
    Mail delivery to remote domains
    The following resources are in the normal state:
    Queue database and disk space ("E:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue\mail.que") = 7% [Normal] [Normal=95% Medium=97% High=99%]
    Queue database logging disk space ("E:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue\") = 9% [Normal] [Normal=94% Medium=96% High=98%]
    Private bytes = 1% [Normal] [Normal=71% Medium=73% High=75%]
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    I have been working with Microsoft Support we have done the following:
    increased DatabaseMaxCacheSize
    default- 134217728
    updated to-  1073741824
    increased QueueDatabaseLoggingFileSize
    default - 524280
    updated to - 31457280
    increased DatabaseCheckPointDepthMax
    default - 20971520
    updated to - 31457280
    But these changes have not solved the problem permanently. No other software changes have occurred on this system.  Can anyone else assist me with some other places to look to resolve this?
    Thank you
    R
    UPDATE: I see the following in my event viewer: ID: 15004
    Resource pressure increased from Medium to High.
    Resource utilization of the following resources exceed the normal level:
    Version buckets = 315 [High] [Normal=80 Medium=120 High=300]
    Physical memory load = 91% [limit is 94% before message dehydration occurs.]
    Back pressure caused the following components to be disabled:
    Inbound mail submission from Hub Transport servers
    Inbound mail submission from the Internet
    Mail submission from the Pickup directory
    Mail submission from the Replay directory
    Mail submission from Mailbox servers
    Mail delivery to remote domains
    The following resources are in the normal state:
    Queue database and disk space ("E:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue\mail.que") = 8% [Normal] [Normal=95% Medium=97% High=99%]
    Queue database logging disk space ("E:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue\") = 9% [Normal] [Normal=94% Medium=96% High=98%]
    Private bytes = 1% [Normal] [Normal=71% Medium=73% High=75%]
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Did reducing the maximum message size help? Did uninstalling (not just stopping the service) Symantec help?
    While it's nice to think that your file-level A/V is faultless, that isn't always the case. You might want to uninstall that, too, while you're troubleshooting.
    I know that "running naked" is a problem, but it's one way of discovering if the problem is associated with that product. Maybe you can install another HT server role and use the Anti-Spam software on it (temporarily) and have your Internet e-mail delivered there. If the problem on the existing HT role disappears you'll have an idea that perhaps that software was the source of the problem.
    I didn't see anything really alarming in your video except for the brief spikes in I/O per second (from, say, 24 to more than 100).
    You might want to have a look at Exchange PerfWiz and PAL (Performance Analyzer of Logs). They make performance data collection and analysis easier, at least while you're casting about for where the problem might be. After that you can home in on the area(s) of concern with more frequent snapshots of the performance counters of concern.
    --- Rich Matheisen MCSE&I, Exchange MVP
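A parser for the back-pressure event text posted in the thread above, added here as an example (it is not part of the thread or of any Microsoft tool). It reports which monitored resource the event itself marks above Normal and how far each resource is from its next listed threshold; the function names and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: the event 15004 text quoted in the thread, with the
# disabled-component list and the normal-state list shortened.
SAMPLE_EVENT = r'''Resource pressure increased from Medium to High.
Resource utilization of the following resources exceed the normal level:
Version buckets = 315 [High] [Normal=80 Medium=120 High=300]
Physical memory load = 91% [limit is 94% before message dehydration occurs.]
Back pressure caused the following components to be disabled:
Inbound mail submission from Hub Transport servers
Inbound mail submission from the Internet
Mail delivery to remote domains
The following resources are in the normal state:
Queue database and disk space ("E:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue\mail.que") = 8% [Normal] [Normal=95% Medium=97% High=99%]
Private bytes = 1% [Normal] [Normal=71% Medium=73% High=75%]
'''

TRANSITION = re.compile(r"Resource pressure \w+ from (\w+) to (\w+)\.")
RESOURCE = re.compile(
    r"^(?P<name>.+?) = (?P<value>\d+)%? \[(?P<level>Normal|Medium|High)\] "
    r"\[Normal=(?P<normal>\d+)%? Medium=(?P<medium>\d+)%? High=(?P<high>\d+)%?\]$")
MEMORY = re.compile(r"^Physical memory load = (\d+)% \[limit is (\d+)%")
DISABLED_HDR = "Back pressure caused the following components to be disabled:"
NORMAL_HDR = "The following resources are in the normal state:"

def parse_event(text):
    """Split one event into transition, resources, memory load and disabled list."""
    event = {"transition": None, "resources": [], "memory": None, "disabled": []}
    in_disabled = False
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line in (DISABLED_HDR, NORMAL_HDR):
            in_disabled = line == DISABLED_HDR
        elif m := TRANSITION.match(line):
            event["transition"] = m.groups()
        elif m := RESOURCE.match(line):
            r = m.groupdict()
            r.update({k: int(r[k]) for k in ("value", "normal", "medium", "high")})
            event["resources"].append(r)
        elif m := MEMORY.match(line):
            event["memory"] = {"load": int(m[1]), "limit": int(m[2])}
        elif in_disabled:
            event["disabled"].append(line)
    return event

def over_threshold(event):
    """Resources the event itself reports above Normal, worst first."""
    rank = {"Medium": 1, "High": 2}
    hot = [r for r in event["resources"] if r["level"] in rank]
    return sorted(hot, key=lambda r: rank[r["level"]], reverse=True)

def headroom(resource):
    """Units left before the next threshold listed in the event; None at High."""
    nxt = {"Normal": "medium", "Medium": "high"}.get(resource["level"])
    return None if nxt is None else resource[nxt] - resource["value"]

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print("transition:", " -> ".join(ev["transition"]))
    for r in ev["resources"]:
        print(f'{r["name"][:30]:30} {r["value"]:>4} {r["level"]:7} headroom={headroom(r)}')
    print("memory:", ev["memory"], "| disabled components:", len(ev["disabled"]))
```

Run over both events in the thread, the only resource reported above Normal is version buckets; the queue database disk, its logging disk and private bytes stay in the normal state.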

  • SCCM 2007 and Active Directory - On-boarding and Off-Boarding Process

    Currently, when a user resigns from our company, we rebuild their computer immediately and provide to another user.
    From a best practice perspective, should we delete the computername from AD and then rebuild and join to the Domain?  We also have SCCM 2007 in place.  Are there other best practices for SCCM 2007 and AD that we should be following for on-boarding and off-boarding users?  Any suggestions would be greatly appreciated.  :-)

    With respect to AD, it will be better to reset the account rather than deleting it. This way the SID is retained and all permissions (for DNS records etc) and AD group memberships will be retained. AD group memberships will be more significant, depending on whether it is used for SCCM collection definition rules.
    In SCCM, if the record is not deleted, it will be identified as a known computer and OSD advertisement can be pushed on the client. Ideally task sequence should use same name as the SCCM resource record for naming the newly built computer. In case AD/SCCM objects are deleted, duplicate records may get created depending on the timing of client registration and AD system discovery cycle. If SCCM client gets installed and registered before next AD system discovery cycle, there shouldn't be any issues.
    But if AD discovery cycle runs before client registration, two records will show up in SCCM console and one will be obsolete, which has to be deleted manually. This issue can be resolved by adjusting the frequency and schedule of AD system discovery cycle.
    My suggestion will be to reset the computer account in AD and retain the SCCM resource in case of machine rebuild scenarios. In case of task sequence not retaining the computer name, custom steps can be added in TS to set variables as required.

  • Configuring Active Directory with 11g and Windows Server 2003 R2

    Hi people,
    I'm spending some happy hours setting up the Windows domain authentication in a 2003 server realm.
    When I try to register the database in the realm (logged in as total-administrator-user of the domain), NETCA gives me an unexpected "no message" error...
    Can someone help a martyr?
    I saw in the event viewer this error message about ldap:
    The Security System detected an authentication error for the server ldap/DbOraWin.mydomain.local.
    The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
    (0xc000005e)".
    Thanks all
    Claudio

    There is news!!
    After some verifications on LDAP/AD server, now I can see something in tracelog's DBCA:
    [main] [17:7:24:299] [NativeSystem.<init>:277] NullSecurityManager is set for Native System calls
    [main] [17:7:24:299] [Library.getInstance:106] Created instance of Library.
    [main] [17:7:24:299] [Library.load:206] Loading orauts.dll...
    [main] [17:7:24:299] [Library.load:212] oracleHome null
    [main] [17:7:24:299] [Library.load:227] Property oracle.installer.library_loc is set to value=E:\app\oracle\product\11.1.0\db_1\oui\lib\win32
    [main] [17:7:24:299] [Library.load:229] Loading library E:\app\oracle\product\11.1.0\db_1\oui\lib\win32\orauts.dll
    [main] [17:7:24:299] [Library.load:262] Loaded library E:\app\oracle\product\11.1.0\db_1\oui\lib\win32\orauts.dll from path=
    E:\app\oracle\product\11.1.0\db_1\oui\lib\win32
    [main] [17:7:24:299] [Library.load:206] Loading MSVCR71.dll...
    [main] [17:7:24:299] [Library.load:212] oracleHome null
    [main] [17:7:24:299] [Library.load:227] Property oracle.installer.library_loc is set to value=E:\app\oracle\product\11.1.0\db_1\oui\lib\win32
    [main] [17:7:24:299] [Library.load:229] Loading library E:\app\oracle\product\11.1.0\db_1\oui\lib\win32\MSVCR71.dll
    [main] [17:7:24:299] [Library.load:262] Loaded library E:\app\oracle\product\11.1.0\db_1\oui\lib\win32\MSVCR71.dll from path=
    E:\app\oracle\product\11.1.0\db_1\oui\lib\win32
    [main] [17:7:24:299] [Library.load:206] Loading orawsec11.dll...
    [main] [17:7:24:299] [Library.load:212] oracleHome null
    [main] [17:7:24:299] [Library.load:227] Property oracle.installer.library_loc is set to value=E:\app\oracle\product\11.1.0\db_1\oui\lib\win32
    [main] [17:7:24:299] [Library.load:229] Loading library E:\app\oracle\product\11.1.0\db_1\oui\lib\win32\orawsec11.dll
    [main] [17:7:24:299] [Library.load:262] Loaded library E:\app\oracle\product\11.1.0\db_1\oui\lib\win32\orawsec11.dll from path=
    E:\app\oracle\product\11.1.0\db_1\oui\lib\win32
    [main] [17:7:24:299] [Library.load:206] Loading orasrvm11.dll...
    [main] [17:7:24:299] [Library.load:212] oracleHome null
    [main] [17:7:24:315] [Library.load:227] Property oracle.installer.library_loc is set to value=E:\app\oracle\product\11.1.0\db_1\oui\lib\win32
    [main] [17:7:24:315] [Library.load:229] Loading library E:\app\oracle\product\11.1.0\db_1\oui\lib\win32\orasrvm11.dll
    [main] [17:7:24:315] [Library.load:262] Loaded library E:\app\oracle\product\11.1.0\db_1\oui\lib\win32\orasrvm11.dll from path=
    E:\app\oracle\product\11.1.0\db_1\oui\lib\win32
    [main] [17:7:24:315] [Version.isPre10i:213] isPre10i.java: Returning FALSE
    [main] [17:7:24:315] [WindowsSystem.regKeyExists:1137] WindowsSystem.regKeyExists: mainkey= HKEY_LOCAL_MACHINE subkey = Software\Oracle\Ocr
    [main] [17:7:24:346] [WindowsSystem.getCSSConfigType:1304] configType=null
    [main] [17:7:24:346] [ca.InitialSetup.configureOPS:-1] Cluster mode is OFF
    [main] [17:7:24:346] [ca.InitialSetup.<init>:-1] TNS_ADMIN is: null
    [main] [17:7:24:346] [ca.InitialSetup.<init>:-1] Admin location is: E:\app\oracle\product\11.1.0\db_1\network\admin
    Exception occurred during event dispatching:
    java.lang.NullPointerException
         at oracle.net.ca.NetCA.returnToIntroPanel(Unknown Source)
         at oracle.net.ca.NetCA.deferLDAPConfig(Unknown Source)
         at oracle.net.ca.NetCA.createOrUpdateContext(Unknown Source)
         at oracle.net.ca.NetCA.prepareNextPage(Unknown Source)
         at oracle.net.ca.NetCA.wizardValidatePage(Unknown Source)
         at oracle.ewt.wizard.WizardPage.processWizardValidateEvent(Unknown Source)
         at oracle.ewt.wizard.WizardPage.validatePage(Unknown Source)
         at oracle.ewt.wizard.BaseWizard.validateSelectedPage(Unknown Source)
         at oracle.ewt.wizard.BaseWizard.doNext(Unknown Source)
         at oracle.ewt.wizard.BaseWizard$Action.actionPerformed(Unknown Source)
         at oracle.ewt.button.PushButton.processActionEvent(Unknown Source)
         at oracle.ewt.button.PushButton.processEventImpl(Unknown Source)
         at oracle.ewt.lwAWT.LWComponent.redispatchEvent(Unknown Source)
         at oracle.ewt.lwAWT.LWComponent.processEvent(Unknown Source)
         at oracle.ewt.button.PushButton.activate(Unknown Source)
         at oracle.ewt.lwAWT.AbstractButton.processMouseReleased(Unknown Source)
         at oracle.ewt.lwAWT.AbstractButton.processMouseEvent(Unknown Source)
         at java.awt.Component.processEvent(Component.java:5266)
         at java.awt.Container.processEvent(Container.java:1966)
         at oracle.ewt.lwAWT.LWComponent.processEventImpl(Unknown Source)
         at oracle.ewt.button.PushButton.processEventImpl(Unknown Source)
         at oracle.ewt.lwAWT.LWComponent.redispatchEvent(Unknown Source)
         at oracle.ewt.event.tracking.GlassMouseGrabProvider$Disp._redispatchEvent(Unknown Source)
         at oracle.ewt.event.tracking.GlassMouseGrabProvider$Disp._redispatchEvent(Unknown Source)
         at oracle.ewt.event.tracking.GlassMouseGrabProvider$Disp.mouseReleased(Unknown Source)
         at java.awt.Component.processMouseEvent(Component.java:5501)
         at oracle.ewt.lwAWT.LWComponent.processMouseEvent(Unknown Source)
         at java.awt.Component.processEvent(Component.java:5266)
         at java.awt.Container.processEvent(Container.java:1966)
         at oracle.ewt.lwAWT.LWComponent.processEventImpl(Unknown Source)
         at oracle.ewt.event.tracking.GlassMouseGrabProvider$Proxy.processEventImpl(Unknown Source)
         at oracle.ewt.lwAWT.LWComponent.redispatchEvent(Unknown Source)
         at oracle.ewt.lwAWT.LWComponent.processEvent(Unknown Source)
         at java.awt.Component.dispatchEventImpl(Component.java:3968)
         at java.awt.Container.dispatchEventImpl(Container.java:2024)
         at java.awt.Component.dispatchEvent(Component.java:3803)
         at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4212)
         at java.awt.LightweightDispatcher.processMouseEvent(Container.java:3892)
         at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3822)
         at java.awt.Container.dispatchEventImpl(Container.java:2010)
         at java.awt.Window.dispatchEventImpl(Window.java:1778)
         at java.awt.Component.dispatchEvent(Component.java:3803)
         at java.awt.EventQueue.dispatchEvent(EventQueue.java:463)
         at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:242)
         at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163)
         at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:153)
         at java.awt.Dialog$1.run(Dialog.java:525)
         at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
         at java.awt.EventQueue.dispatchEvent(EventQueue.java:461)
         at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:242)
         at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163)
         at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:157)
         at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:149)
         at java.awt.EventDispatchThread.run(EventDispatchThread.java:110)
    Any suggestion?
    Thanks again, even for just reading this message!
    Claudio
