Cisco ISE 1.2 and 2 Active Directory Domains

Hi Support,
does anyone know whether I can perform Certificate Authentication for two different Active Directory domains using the same ISE host / deployment?
We have two forests with a trust link between them.
We have a seperate PKI in each domain.
I am thinking that the ISE can only be joined to a single domain, but because we have a trust between the two forests, the ISE can have two certificate profiles in an identity source sequence which can then use in a single authorisation policy.
I take it that I would need local certs from each CA in the local certificate store of the ISE?
We are performing a company merger and we cannot migrate users to the primary AD domain due to several reasons so we would like to use the same ISE deployment to authenticate Wireless users on both AD domains.
Thanks
Mario

Mario,
This is possible. Here are the guidelines for the Multi-Forest support in ISE 1.2:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1350874
You would have to set a new Certificate Authentication Profile for each domain and use the Authentication Policies to determine which of the Certificate Authentication Profiles to use.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1349174
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton

Similar Messages

Cisco ISE Process Flow with Active Directory

Hi guys,
Today I did a lab and see this note at Authentication Policy Interface. This note is:
Note: For authentications using PEAP, LEAP, EAP-FAST or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found. If continue option is selected in these cases, requests will be rejected.
Then I thought that the best way to configure authetication policy for Flex Auth: Dot1x (with Active Directory) > MAB (Internal Endpoint) > CWA (Guest and other user) will be using EAP-TLS authentication protocol.
Is this possible using another protocol instead of EAP-TLS (which is required client certificate has already been installed)? Would you mind helping me to reslove the problem? And the network authentication method at end user side will be?
Any help will be much appreciated.

Please refer the Supported Authentication Protocols ( including PEAP ) , database and authentication types from below
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1266680

Laptop (Running Windows 8.1) no longer able to print and now see message Active Directory Domain Services is not available

Have a very recent Lenovo Ideapad Laptop running Windows 8.1. Connected via USB port to HP LaserJet Pro CM1415 frw Color MFP Printer. Was able to print fine nearly 2 weeks ago, but something recently happened - either a new windows or office 2013 update
or perhaps I blew away a certain file by mistake. I can see the printer installed but cannot print to it from anything (Word, Notepad, IE, Firefox etc.). The one thing to note is that usually when I plug or unplug a USB related device, Windows 8.1 recognizes
this and makes a certain chime noise, but with the printer USB cable it never makes that noise - making me think that it never fully recognizes the printer. Also when I select the printer (from within the control panel) and right click for properties (via
admin rights) It never lets me fully connect to it.
I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc. Its really annoying because this printer was working fine nearly 2
weeks ago. Looking for any advice now. Thanks.
-Chris

Hi Chris,
à
I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc.
I noticed that you had reinstalled the printer. Just a confirmation, when un-install this printer, please check
if this printer still exist in registry. For more details, please refer to following KB.
Registry entries for printing
If printer entry still exist in registry, please delete that printer entry and re-install this printer again,
then check if this issue still exists. (Please backup registry entries before operating registry. It will help us to avoid unexpected issue.)
àand now see
message Active Directory Domain Services is not available
By the way, would you please let me know where/when get this
Active Directory Domain Services is not available error message? Or provide a screenshot of it?
(Please hide all protected or private information) Please check if all services are running correctly on the computer. Meanwhile, please refer to following article and check if can help you.
Printer
Problem: Active Directory Domain Services is currently unavailable – Why does windows say no printers are installed?
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
does not guarantee the accuracy of this information.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu

Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

Hello,
Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory? I'm not having success in setting this up and would like to see what a successful authentication debug looks. Below is my current situation:
Oct 6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:23: TPLUS: processing authentication start request id 444
Oct 6 13:52:23: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:23: TPLUS: Using server 110.34.5.143
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
Oct 6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:23: T+: user:
Oct 6 13:52:23: T+: port: tty515
Oct 6 13:52:23: T+: rem_addr: 10.10.10.10
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct 6 13:52:23: T+: msg: Username:
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:23: TPLUS: Received authen response status GET_USER (7)
Oct 6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:30: TPLUS: processing authentication continue request id 444
Oct 6 13:52:30: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
Oct 6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
Oct 6 13:52:30: T+: User msg: <elided>
Oct 6 13:52:30: T+: User data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct 6 13:52:30: T+: msg: Password:
Oct 6 13:52:30: T+: data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:37: TPLUS: processing authentication continue request id 444
Oct 6 13:52:37: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
Oct 6 13:52:37: T+: User msg: <elided>
Oct 6 13:52:37: T+: User data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
Oct 6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
Oct 6 13:52:37: T+: msg: Error during authentication
Oct 6 13:52:37: T+: data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:37: TPLUS: Received Authen status error
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
Oct 6 13:52:37: TPLUS: Choosing next server 101.34.5.143
Oct 6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
Oct 6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:49: TPLUS: processing authentication start request id 444
Oct 6 13:52:49: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:49: TPLUS: Using server 172.24.5.143
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
Oct 6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:49: T+: user:
Oct 6 13:52:49: T+: port: tty515
Oct 6 13:52:49: T+: rem_addr: 10.10.10.10
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
Oct 6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Oct 6 13:52:49: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Received authen response status GET_USER (7)
The 1113 acs failed reports shows:
External DB is not operational
thanks,
james

Hi James,
We get External DB is not operational. Could you confirm if under External Databases > Unknown User Policy, and verify you have the AD/ Windows database at the top?
this error means the external server might not correctly configured on ACS external database section.
Another point is to make sure we have remote agent installed on supported windows server.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
Also provide the Auth logs from the server running remote agent, e.g.:-
AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
Attempting Windows authentication for user v-michal
AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
authentication FAILED (error 1783L)
thanks,
Vinay

Windows 2012 R2 Active Directory Domain Services and Remote Desktop services Role on the same server.

Findings:
Currently, Windows 2012 R2 AD DS role and RDS With Broker services can only seem to coexist properly in a new domain not an existing domain. Any attempt to add to an existing domain causes internal database user access denied issues and any attempt to
adjust rights and circumvent is dubious at best.
The escalation technician said it best. Out of 50 clients that want to do this, they end up not being able to help 5 right off the bat for whatever reason. As for the other 40 they might be able to help by running reports, adjusting rights and trying to add
the roles until it works. This can end up being a 20 day process. Basically they are playing whack-a-mole with user rights and permissions until something sticks.
We tried creating an OU where any other domain policies would not be inherited to see if that was the issue, a fresh install with different sequence of adding the Roles, no effect.
Given the errors I witnessed when running procmon and then trying to add the roles, the NT System and the Windows Internal database user had access denied issues on 100+ registry keys when trying to add the roles. After that the system is not behaving normally.
The errors displayed almost mirror the errors that would occur on Windows 2012 when those two roles would be added which of course is officially NOT supported on that system.
This blog needs serious revision:
http://blogs.msdn.com/b/rds/archive/2013/07/09/what-s-new-in-remote-desktop-services-for-windows-server-2012-r2.aspx
This is the excerpt from that blog: Single server RDS deployment including Active Directory. We now support running our RD Connection Broker role service on the same physical instance as an Active Directory Domain Controller. In addition, we published
guidelines for how RD Session Host could be used without the RD Connection Broker.
Microsoft Support was curteous and helpful and they were the ones who advised cutting our losses, which mirrored my hunch after seeing what was transpiring in the system. They refunded my money for the support call.
For me, it was an opportunity to find out if there was any way to configure Windows 2012 R2 in the Same manner that it was setup as Windows 2008 R2 and lay that to rest. The coexistence is poorly implemented. It is as if there was a reaction from all the deprecation
of bread and butter features such as shadowing in TS and the coexistence of AD DS and RDS to where those features were re-added haphazardly. (I have no complaints on shadowing on Windows 2012 R2 it works, just do not like having to go to server manager to
use it).
I opted for virtualizing the Domain controller to eliminate the incompatibility issues and that is what I will be doing from now on. I found free solutions for backing up and reporting for virtual machines as well as the suggested procedures for configruing
a Domain controller as a virtual machine on a Hyper-V environment and I will be sticking to those. Thus far the setup has been operational.
I am not allergic to virtualization, but for really small setups it adds additional time and considerations but if that is how it has to be done, so be it. Windows 2008 R2 days are numbered and since we can usually squeeze 5-7 years on quality server equipment,
buying a Windows 2008 R2 setup now is a borderline disservice in my opinion.
Hopefully someone finds this useful and saves some time.

Hi,
Thank you for posting in Windows Server Forum.
Do you need any other assistance?
Based on your description, you are describing your story of successfully implementing RDS server with AD role and more regarding all RDS related scenario. For shadowing feature, you can use with command also. Below is the syntax to shadow a session.
mstsc /v:<ServerName> /shadow:<SessionID>
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support

Active Directory Domain Services crash after Administrator renames object in Active Directory Users and Computers

Hello.
We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When administrator connects to node2 and tries to rename some object in AD (for example, user) AD Domain Services crashes and reboot server after 60 seconds.
In Events I can see these messages:
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          04.03.2014 12:37:58
Event ID:      1173
Task Category: Internal Processing
Level:         Warning
Keywords:      Classic
User:          domain\admin
Computer:      NODE2.domain.example
Description:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
c0000005
Parameter:
0
Additional Data
Error value:
7ffc7c38e45d
Internal ID:
0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">1173</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
    <EventRecordID>881</EventRecordID>
    <Correlation />
    <Execution ProcessID="572" ThreadID="2580" />
    <Channel>Directory Service</Channel>
    <Computer>NODE2.domain.example</Computer>
    <Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
</System>
<EventData>
    <Data>c0000005</Data>
    <Data>7ffc7c38e45d</Data>
    <Data>0</Data>
    <Data>0</Data>
</EventData>
</Event>
Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          04.03.2014 12:37:58
Event ID:      1015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      NODE2.domain.example
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="49152">1015</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
    <EventRecordID>189578</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>NODE2.domain.example</Computer>
    <Security />
</System>
<EventData>
    <Data>C:\Windows\system32\lsass.exe</Data>
    <Data>c0000005</Data>
</EventData>
</Event>
Log Name:      Application
Source:        Application Error
Date:          04.03.2014 12:37:58
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      NODE2.domain.example
Description:
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x23c
Faulting application start time: 0x01cf3773fe973e1b
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
    <EventRecordID>189576</EventRecordID>
    <Channel>Application</Channel>
    <Computer>NODE2.domain.example</Computer>
    <Security />
</System>
<EventData>
    <Data>lsass.exe</Data>
    <Data>6.3.9600.16384</Data>
    <Data>5215e25f</Data>
    <Data>ntdsai.dll</Data>
    <Data>6.3.9600.16421</Data>
    <Data>524fcaed</Data>
    <Data>c0000005</Data>
    <Data>000000000019e45d</Data>
    <Data>23c</Data>
    <Data>01cf3773fe973e1b</Data>
    <Data>C:\Windows\system32\lsass.exe</Data>
    <Data>C:\Windows\system32\ntdsai.dll</Data>
    <Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
    <Data>
    </Data>
    <Data>
    </Data>
</EventData>
</Event>
In node2 we installed all available updates and hotfixes.

Hi Azamat Hackimov,
Regarding to error messages, it seems that the
ntdsai.dll file caused the issue. Based on current situation, please use
sfc /scannow command to scan protected system files and check if find error and repair. Meanwhile, you can also navigate to the location of this DLL file and confirm details.
In addition, Windows Server 2012 R2 has reboot unexpectedly. Please check if you get some dump file and then analysis it. It may help us to find the root reason. Please refer
to the following KB.
How to read the small dump memory dump file that is created by Windows if a crash occurs.
http://support.microsoft.com/kb/315263/en-us
By the way, it is not effective for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service
and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request, please refer to the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope this helps.
Best regards,
Justin Gu

Active directory domain services stopped after removing routing and remote access role

Hello everyone;;
I am in deep trouble.. I did install routing and remote access and then lost connection to the server remotely. Then I connected a monitor to the server and removed the role... then it asked me to restart the server . After logging back in I found
all my active directory service has gone... I can see red cross on active directory domain services.. Also I am able to ping other pcs but other pcs cannot ping my server..
However when I go into the active directory services, it shows all services are running except file replication service. I have tried to start that service but it give error 1053 error..
My server in between loses LAN connection... I dont know what is going on.. Please help!!!
My server is win 2008 R2 ser pack 1
Only one DC....
Has fixed ip,
no DNS server running..

Hi,
The File Replication Service Start Error 1053 error can be caused by damaged Windows system files. Corrupted system files entries can threaten the well-being of your computer. Many events can result in creating system file errors.
Please refer to the articles below to troubleshoot the issue:
File Replication Service Start Error 1053
http://repairerrors.net/file-replication-service-start-error-1053.html
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Regards,
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Active Directory domain migration with Exchange 2010, System Center 2012 R2 and File Servers

Greeting dear colleagues!
I got a task to migrate existing Active Directory domain to a new froest and a brand new domain.
I have a single domain with Forest/Domain level 2003 and two DC (2008 R2 and 2012 R2). My domain contains Exchange 2010 Organization, some System Center components (SCCM, SCOM, SCSM) and File Servers with mapped "My Documents" user folders. Domain
has about 1500 users/computers.
How do u think, is it realy possible to migrate such a domain to a new one with minimum downtime and user interruption? Maybe someone has already done something like that before? Please, write that here, i promise that i won't ask for instruction from you,
maybe only some small questions :)
Now I'm studying ADMT manual for sure.
Thanks in advance,
Dmitriy Titov
С уважением, Дмитрий Титов

Hi Dmitriy,
I got a task to migrate existing Active Directory domain to a new froest and a brand new domain.
How do u think, is it realy possible to migrate such a domain to a new one with minimum downtime and user interruption?
As far as I know, during inter-forest migration, user and group objects are cloned rather than migrated, which means they can still access resources in the source forest, they can even access resources after the migration is completed. You can ask users
to switch domain as soon as the new domain is ready.
Therefore, there shouldn’t be a huge downtime/interruption.
More information for you:
ADMT Guide: Migrating and Restructuring Active Directory Domains
https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]

Difference between Windows NT domain registry and Active Directory registry

What are the difference(s) ?

Frank, thanks for your response :)
I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service.
In my configuration the requirement is to make WebSphere Application server to use Microsoft's Active Directory.
While I was going through (WebSphere) documentation, I see following note.
" With Windows NT domain registry support for Windows 2000 and 2003 domain
controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers
because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not support by Windows NT domain registry. The Active Directory is a centralized control registry."
You can find the above note in this link (somewhere after 7th line)
http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
Does it mean that they are recommending to use Active Directory over Windows NT (which is an older approach) with windows server 2000 or windows server 2003 because Active directory is
advanced ?
I was under the impression that, Active Directory was started with Microsoft Windows Server 2003 and Windows NT registry was used till Windows 2000 server.
After going through above links,
Windows NT registry in an old method. However, it is compatible with Windows Server 2000 and Windows server 2003 but it is recommended to use Active directory with Windows Serve 2003 as it is more advanced. And the same is recommended in WebSphere documentation
(I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003 however this is to clear doubt). Is my understanding correct ? And does windows server 2000 also support both i.e we can use either Windows
NT registry or Active directory and similarly, Either of them (Windows NT or Active Directory) could be used with Windows Server 2003 ?
And if I got it correct, Is Windows NT and Active Directory, both directory service offering from Microsoft? While NT being an old method and Active Directory being a new/advanced approach ?

Step by step process to create domain name and active directory in windows 7 64 bit

Step by step process to create domain and active directory in windows 7 64 bit
I work in an organization
I want to create a domain name SBBYDP and make it server for other computers
I want that, all users’ have a personal account while they use any computer from this organization, even they use any computer from this network they use their own account to login to network.
And this may be in Active directory option.
I installed windows 7 professional edition 64 bit
Can any person help me? Step by step process, I always thanks full all of you

Hi,
You must use the Windows Server platform system for the AD service, you can refer the following KB first:
Active Directory
http://technet.microsoft.com/en-us/library/bb742424.aspx
AD DS Deployment Guide
http://technet.microsoft.com/zh-cn/library/cc753963(v=ws.10).aspx
Hope this helps.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

MAB and Active directory check

Hi
I have ISE 1.2
I would like to know if it is possible to configure AD check for MAB user
I have some user that are authenticated by MAB
But I need to add another check for those user, ISE should check the Active directory group user widows session
Is it possible to do it ?
How can I configure it for wired and wireless user ?
Thanks in advance

Yes, you can definitely do this. I have done this in my previous deployments for "Whitelisting" users. My policy was like this:
1. I created an Identity Group called "Whitelist"
2. Statically added all of the needed mac address to that group
3. For wireless, I created a dedicated "Policy Set" for that SSID. In the policy set I created a rule that:
- Checked for domain group membership (For instance, domain users or domain computers)
- Checked if the "Internal Identity Store" was "Whitelist"
4. For wired, I also have a dedicated "Policy Set" and you can basically duplicate the rule from wireless.
I hope this helps!
Thank you for rating helpful posts!

How to install Small Business Server 2008 in an existing Active Directory domain

It is shown on this page:
http://support.microsoft.com/kb/884453, "How to install Small Business Server 2003 in an existing Active Directory domain".
Is it possible to do this with SBS2008 ?
If "YES", are there any published information about the procedure ?

Yes, it is. Thank you very much.
But there is something that confuses me - I want to migrate from Win2003Std to SBS2008. And also, I want to keep the existing Win2003Std as a second DC for a long time.
But it is written in the shown article:
... After the migration is finished, you must remove the Source Server from the network within 21 days. ...
Is this rule mandatory for the scenarios where the Source Server is Std, not SBS ? As I know, I can have more than one DC(Win2003Std/Win2008Std) together with SBS2003. But what about SBS2008 ?

Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

Hi,
I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described
in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller
When I run Farm configuration wizard to provision search service application, I get an error:
ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
The log file logged the details of this error as:
ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
that cannot be translated."
After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
I got some pointer from the below thread
https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
However, the above thread doesn't state that the solution worked.
I have tried creating share manually for Analytics_<Guid> folder but it doesn't work since every time farm configuration wizards is run it creates a new Analytics_<Guid> folder.
Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
Can some please guide me on how to successfully provision search for SharePoint Foundation 2013 setup as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
Thanks in advance.
Himanshu

Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
Trevor Seward
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

DNS and Active Directory error 4000 server 2008

Hello all,
My network skills aren't very good and I'm facing a dilemma. First off we have two Windows servers on the network. The newest is 2008 Standard (named Vader) and the other is 2000 (dells3). Obviously I'd like to get rid of the 2000, but the people in charge
of my budget haven't given me the option to do so and it's the only back up we have.
Earlier in the week we had lots of problems. One of our nas boxes locked everyone out who was mapped to it and it would only let me log in through the web portal. Two of our Macs our marketing department uses suddenly locked up and wouldn't let them back
in (both were part of the Active Directory). A second nas box won't let certain people map to it and for awhile I had issues logging into Vader itself.
I believe all of these problems are connected to some issues on Vader and possibly in conduction with dells3. In Server Manager under DNS I get error 4000 "The DNS server was unable to open Active Directory.
This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."
Then under Active Directory Domain Services I get error 2042 "It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded
the tombstone lifetime. Replication has been stopped with this source."
Followed by more text I can post if needed.
Under File Services error 1202 "The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the
next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues."
And finally if I try to open Active Directory Domains and Trusts "The configuration information describing this enterprise is not available. The server is not operational."
I'm not sure where to start or what to post that might help. Any and all help is appreciated.
Edit: Also I can only add dells3 as the DNS on Vader in the DNS Manager if I try to add Vader to itself I get an error.

It's the other way around. Overall, I'm advising ripping the 2008 server out of AD and adding it back . Let's look at this as a series of steps:
1.) You do a force demote of the 2008 server because it's tombstoned. This means the 2008 server is no longer a DC. You are doing a force because it doesn't have the ability to replicate. If it could replicate, we'd just do a graceful demotion
and be done with it.
2.) Once the 2008 server is demoted, we go to the 2000 server which holds the only good copy of AD. From that server we run a metadata cleanup using the ntdsutil utility. We use that utility to clean out references to the 2008 server which is
no longer a DC.
3.) Once you have a clean AD, you can then promote the 2008 server back into Active Directory. Make sure Vader is pointing to Dells3 as its primary DNS server before promoting or you'll run into issues.
Hopefully that clarifies things.

Is it possible to modify the timeout of the userID on my active directory domain when off network?

My work Macbook Pro is using a domain account from my office. When I travel and the domain controller is not reachable it takes 30 to 60 secs longer to log into my system because it has to wait for the active directory domain controller search to timeout before it will use cached credentials (i.e. a mobile account). Does anyone know how to modify my system settings to reduce the timeout or even eliminate the delay all together? I am running the latest version of Yosemite.
Thanks,
Mike

Here is the modified VI, saved in LabVIEW 2012. Follow these steps to patch your system:
1. Close LabVIEW 2012.
2. Backup the following file: LabVIEW 2012\resource\Framework\Providers\VILibrary\libFrame_OpenPageRef.vi
3. Replace it with the version attached to this post.
4. Restart LabVIEW 2012.
Now you should no longer experience the 30 second timeout when the class property page loads. I set the timeout to "-1", so it should wait as long as necessary to open the page.
Note that if you ever repair or reinstall LabVIEW 2012, you'll need to patch this file again. Also, I wouldn't try patching any version other than 2012, since there may be other changes made to this VI across LabVIEW upgrades.
Darren Nattinger, CLA
LabVIEW Artisan and Nugget Penman
Attachments:
libFrame_OpenPageRef.vi ‏24 KB

Cisco ISE 1.2 and 2 Active Directory Domains

Similar Messages

Maybe you are looking for