Cisco ISE 1.3 Active Directory issue

Hi Folks
I am having an issue with our Cisco ISE and would love some feedback or a solution. I have the ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD, retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration > Identity Management > External Sources' page and select our AD instance from the left-hand window, the screen locks up and refuses to load. Any advice?

Hi,
I also had this issue (and so did one of my colleagues) when using Firefox (versions 34 and 35).
I managed to create the AD server using IE 10, for example, and afterwards it appeared correctly in Firefox.
This was before ISE 1.3 patch 1, but I have seen no corrected issue for this problem in the patch 1 release notes.
Guillaume

Similar Messages

  • ISE / Active Directory: issue to get users group

    Hello,
    We have a strange issue:
    - ISE 1.2 patch 8
    - no WLC, autonomous APs
    In authentication, we check Wireless IEEE 802.11 (RADIUS) and cisco-av-pair (ssid), then we use AD.
    We have 3 SSIDs, so 3 rules: one DATA, one GUEST, one for ToIP.
    One more rule grants authentication for APs registering in WDS: user in the local database.
    In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access
    (so 3 rules), and one more to authorize the internal database for WDS.
    We have something strange:
    - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD group is not seen.
    Example:
    1- OK:
    Authentication Details
    Source Timestamp
    2014-05-15 11:43:19.064
    Received Timestamp
    2014-05-15 11:43:19.065
    Policy Server
    radius
    Event
    5200 Authentication succeeded 
    All the groups of the user are seen:
    false
    AD ExternalGroups
    xx/users/admexch
    AD ExternalGroups
    xx/users/glkdp
    AD ExternalGroups
    x/users/gl revue écriture
    AD ExternalGroups
    xx/users/pcanywhere
    AD ExternalGroups
    xx/users/wifidata
    AD ExternalGroups
    xx/informatique/campus/destinataires/aa informatique
    AD ExternalGroups
    xx/informatique/campus/destinataires/aa entreprises et cités
    AD ExternalGroups
    xx/informatique/campus/destinataires/aa campus
    AD ExternalGroups
    xx/users/aiga_creches
    AD ExternalGroups
    xx/users/admins du domaine
    AD ExternalGroups
    xx/users/utilisa. du domaine
    AD ExternalGroups
    xx/users/groupe de réplication dont le mot de passe rodc est refusé
    AD ExternalGroups
    xx/microsoft exchange security groups/exchange view-only administrators
    AD ExternalGroups
    xx/microsoft exchange security groups/exchange public folder administrators
    AD ExternalGroups
    xx/users/certsvc_dcom_access
    AD ExternalGroups
    xx/builtin/administrateurs
    AD ExternalGroups
    xx/builtin/utilisateurs
    AD ExternalGroups
    xx/builtin/opérateurs de compte
    AD ExternalGroups
    xx/builtin/opérateurs de serveur
    AD ExternalGroups
    xx/builtin/utilisateurs du bureau à distance
    AD ExternalGroups
    xx/builtin/accès dcom service de certificats
    RADIUS Username
    xx\cennelin
    Device IP Address
    172.25.2.87
    Called-Station-ID
    00:3A:98:A5:3E:20
    CiscoAVPair
    ssid=CAMPUS
    ssid
    campus 
    2- NOT OK later:
    Authentication Details
    Source Timestamp
    2014-05-15 16:17:35.69
    Received Timestamp
    2014-05-15 16:17:35.69
    Policy Server
    radius
    Event
    5434 Endpoint conducted several failed authentications of the same scenario
    Failure Reason
    15039 Rejected per authorization profile
    Resolution
    Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
    Root cause
    Selected Authorization Profile contains ACCESS_REJECT attribute 
    Only 3 groups of the user are seen:
    Other Attributes
    ConfigVersionId
    5
    Device Port
    1645
    DestinationPort
    1812
    RadiusPacketType
    AccessRequest
    UserName
    host/xxxxxxxxxxxx
    Protocol
    Radius
    NAS-IP-Address
    172.25.2.80
    NAS-Port
    51517
    Framed-MTU
    1400
    State
    37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
    cisco-nas-port
    51517
    IsEndpointInRejectMode
    false
    AcsSessionID
    radius/189518899/49890
    DetailedInfo
    Authentication succeed
    SelectedAuthenticationIdentityStores
    AD1
    ADDomain
    xxxxxxxxxxx
    AuthorizationPolicyMatchedRule
    Default
    CPMSessionID
    b0140a6f0000C2E15374CC7F
    EndPointMACAddress
    00-xxxxxxxxxxxx
    ISEPolicySetName
    Default
    AllowedProtocolMatchedRule
    MDP-PC-PEAP
    IdentitySelectionMatchedRule
    Default
    HostIdentityGroup
    Endpoint Identity Groups:Profiled:Workstation
    Model Name
    Cisco
    Location
    Location#All Locations#Site-MDP
    Device Type
    Device Type#All Device Types#Cisco-Bornes
    IdentityAccessRestricted
    false
    AD ExternalGroups
    xx/users/ordinateurs du domaine
    AD ExternalGroups
    xx/users/certsvc_dcom_access
    AD ExternalGroups
    xx/builtin/accès dcom service de certificats
    Called-Station-ID
    54:75:D0:DC:5B:7C
    CiscoAVPair
    ssid=CAMPUS 
    If you have an idea, thanks so much,
    Regards,

    To configure debug logs via the Cisco ISE user interface, complete the following steps:
    Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
    You can use the Filter button to search for a specific node, particularly if the node list is large.
    www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750
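One thing worth reading out of the two records posted above before turning on debug logging: the rejected record carries UserName host/xxxxxxxxxxxx, which is how ISE names a computer (machine) authentication, and the only AD groups returned for it are the computer object's (xx/users/ordinateurs du domaine is the French name of Domain Computers). A rule keyed on a user group has nothing to match in that case. The script below is an added example, not code from the thread or from Cisco: it parses the two-line attribute dump ISE shows under "Authentication Details", collects the repeated AD ExternalGroups values, and reports whether the record is a machine authentication and whether an assumed required group (xx/users/wifidata, picked from the first record) is present. The two sample records are constructed from the posted excerpts.

```python
"""Parse the attribute dump that ISE shows under "Authentication Details"
and check the group evidence behind an authorization result.

Added example, not code from the original thread or from Cisco. The
two-line key/value layout (attribute name, then value) is the one in the
excerpts posted above; the sample records below are constructed from
those excerpts and the required group name is an assumption.
"""
from typing import Dict, List


def parse_auth_details(text: str) -> Dict[str, List[str]]:
    """Turn alternating key/value lines into a dict of lists.

    Repeated keys such as "AD ExternalGroups" are accumulated instead of
    overwritten, which is what makes the full group list recoverable.
    Section headers are skipped so they do not shift the alternation.
    """
    headers = {"Authentication Details", "Other Attributes"}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    lines = [ln for ln in lines if ln not in headers]
    attrs: Dict[str, List[str]] = {}
    # A trailing key with no value is dropped by zip().
    for key, value in zip(lines[0::2], lines[1::2]):
        attrs.setdefault(key, []).append(value)
    return attrs


def is_machine_auth(attrs: Dict[str, List[str]]) -> bool:
    """ISE logs a computer (machine) authentication with a host/ identity;
    the AD groups it then reports are those of the computer object, not of
    the person who logs on afterwards."""
    names = attrs.get("UserName", []) + attrs.get("RADIUS Username", [])
    return any(n.lower().startswith("host/") for n in names)


def diagnose(record: str, required_group: str) -> Dict[str, object]:
    """Explain whether a rule keyed on an AD user group had the evidence
    it needed in this record."""
    attrs = parse_auth_details(record)
    groups = [g.lower() for g in attrs.get("AD ExternalGroups", [])]
    machine = is_machine_auth(attrs)
    has_group = required_group.lower() in groups
    if has_group:
        verdict = "user group present; a user-group rule can match"
    elif machine:
        verdict = ("machine authentication: only computer-object groups are "
                   "reported, so a rule keyed on a user group cannot match")
    else:
        verdict = "user authentication but required group not returned by AD"
    return {
        "machine_auth": machine,
        "group_count": len(groups),
        "has_required_group": has_group,
        "verdict": verdict,
    }


# Constructed from the two excerpts in the post (trimmed, names as posted).
OK_RECORD = r"""
Authentication Details
RADIUS Username
xx\cennelin
AD ExternalGroups
xx/users/wifidata
AD ExternalGroups
xx/users/utilisa. du domaine
CiscoAVPair
ssid=CAMPUS
"""

REJECTED_RECORD = r"""
Other Attributes
UserName
host/xxxxxxxxxxxx
AD ExternalGroups
xx/users/ordinateurs du domaine
AD ExternalGroups
xx/users/certsvc_dcom_access
CiscoAVPair
ssid=CAMPUS
"""

REQUIRED_GROUP = "xx/users/wifidata"  # assumed: the group the SSID rule checks

if __name__ == "__main__":
    for label, rec in (("OK", OK_RECORD), ("REJECTED", REJECTED_RECORD)):
        print(label, diagnose(rec, REQUIRED_GROUP))
```

Paste a whole "Authentication Details" dump from the ISE report into diagnose() to get the same verdict for a live record. If machine authentications are expected on that SSID, the fix is a rule for them (or a rule on the computer group) rather than more logging.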

  • Identity services engine Active directory issue

    Hi Folks
    We have two ISE instances running in a virtual machine environment on a Cisco UCS. Both ISEs are running version 1.1.4 and have been patched to the latest engine patch for that version (patch 11). The primary is set up as the administration primary and the monitoring secondary, and the secondary ISE is set up as the administration secondary and the monitoring primary.
    The Cisco UCS is connected to a pair of Nexus 5548 switches, and they are connected to our core switches, both Cisco 6500s.
    At the moment both ISEs can connect to Active Directory (test connection) but only the secondary can join. The error message I am getting on the primary is:
    Cannot open file /var/centrifydc/previous/kset.domain: No such file or directory
     due to unexpected configuration or network error.
    Please try the --verbose option or run  adinfo --diag  to diagnose the problem.
    Join to domain  staff.local , zone  null  failed.
    Has anyone seen this error before? I have compared the configs of the two instances and found no differences in configuration. One major difference I did find was that the primary is running Red Hat and the secondary is running Ubuntu.

    Duplicate post. 
    Go HERE.

  • CCE Web Administration - Active Directory issue when managing agent attributes

    I am experiencing an issue when managing agents (supervisors specifically) in CCE Web Admin. When attempting to add / remove / modify an Attribute for a supervisor agent we are getting an error that the supervisor must have a valid Active Directory account. (Screenshot attached.) The agents that this is affecting are correctly configured in ICM as supervisors, and ICM was able to successfully move their AD account into the 'Config' AD security group. From looking at the logs on the AWS, it appears that the Web Admin tool is attempting to look up their account in AD via UPN by appending their username to the domain name.
    Log Snippet:  
    exception=com.cisco.ccbu.api.jaxb.error.ApiException: supervisorUserInfo.userName: Could not find user. Check if a domain account exists for [email protected]
    This isn't going to work for some users in our account because we have multiple suffixes in our domain.  (Our domain is a single forest and I'm not aware of a requirement to have a single suffix.)
    I'm curious why it wouldn't use sAMAccountName, which is what I believe ICM Configuration Manager is using. Has anyone else experienced this issue?
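The failure mode described in that post, as an added example (not CCE's or the poster's code): the log line shows a lookup by a UPN guessed as username@domain, and in a forest with more than one UPN suffix that guess misses every user whose UPN uses another suffix, while the sAMAccountName lookup the poster expected finds them. The directory below is a constructed in-memory stand-in for AD user objects, and the domain, suffixes and accounts are assumptions. The filters are built with RFC 4515 escaping so the same strings could be sent to a real LDAP server.

```python
"""Look up an agent two ways in a forest with several UPN suffixes: by a
UPN guessed as <sAMAccountName>@<domain>, which is what the log line in
the post shows the tool doing, and by sAMAccountName itself.

Added example, not CCE's or the original poster's code. The directory is
a constructed in-memory stand-in for AD user objects; the domain name,
suffixes and accounts are assumptions.
"""
from typing import Dict, List

DOMAIN = "corp.example"  # assumed default DNS name of the domain

# Constructed stand-in for AD user objects. The second and third users
# carry alternative UPN suffixes registered in the forest.
DIRECTORY: List[Dict[str, str]] = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example"},
    {"sAMAccountName": "asmith", "userPrincipalName": "a.smith@mail.example"},
    {"sAMAccountName": "bwong", "userPrincipalName": "bwong@subsidiary.example"},
]

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise user-supplied input can change the meaning of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def upn_filter(sam: str, domain: str = DOMAIN) -> str:
    """Filter a tool builds when it assumes every UPN is <user>@<domain>."""
    return f"(&(objectClass=user)(userPrincipalName={ldap_escape(sam + '@' + domain)}))"


def sam_filter(sam: str) -> str:
    """Filter keyed on the logon name that is unique within the domain."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam)}))"


def search(attr: str, value: str, directory=DIRECTORY) -> List[Dict[str, str]]:
    """Equality match; AD compares both attributes case-insensitively."""
    return [e for e in directory if e.get(attr, "").lower() == value.lower()]


def lookup(sam: str) -> Dict[str, object]:
    """Run both strategies for one logon name and report what each found."""
    by_guessed_upn = search("userPrincipalName", f"{sam}@{DOMAIN}")
    by_sam = search("sAMAccountName", sam)
    return {
        "sam": sam,
        "upn_filter": upn_filter(sam),
        "sam_filter": sam_filter(sam),
        "found_by_guessed_upn": bool(by_guessed_upn),
        "found_by_sam": bool(by_sam),
        "actual_upn": by_sam[0]["userPrincipalName"] if by_sam else None,
    }


if __name__ == "__main__":
    for name in ("jdoe", "asmith", "bwong", "nobody"):
        r = lookup(name)
        print(f"{r['sam']:8} guessed-UPN={r['found_by_guessed_upn']!s:5} "
              f"sAMAccountName={r['found_by_sam']!s:5} real UPN={r['actual_upn']}")
```

One caveat when switching to sAMAccountName: it is unique per domain, whereas a UPN is unique across the forest, so in a multi-domain forest the sAMAccountName search has to be scoped to the user's domain (or paired with the domain when querying the global catalog).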

    Lo and behold, my AD sync started working.
    Though I have added the site to my local intranet sites, I'm not very confident whether this was the actual solution. I've performed several actions configuring my farm before I started troubleshooting this issue again, so it might be another action that solved this.
    Alemaitre: can you try the following please:
    See if the SharePoint Web Service site is started in IIS.  If not, start it, see if that works.
    Instead of adding the site to your Trusted Sites, try Local Intranet Sites (click Advanced to add sites besides using auto-discovery)
    Turn the Security Level for the zone all the way down.
    Turn off Compression for your site in IIS, do an iisreset, see if that works.
    I've also had to remove a host header from my MySite portal (running on port 8080 here), unlikely for this to be the cause but it's just one of the things I did this morning :-)
    Should I think of anything else, I'll let you know.
    Good luck.

  • Active Directory Issues 10.7.4 & 10.7.5

    Hi
    I'm having problems with all my 10.7.4 & 10.7.5 Macs. They're losing their connection to AD. When I go to unbind I get the following error:
    Unable to access domain controller
    This computer is unable to access the domain controller for an unknown reason. Warning: If you click force unbind you will leave an unused computer account in the directory.
    I then get an option to OK or force unbind. If I force unbind I get the following error:
    An unknown error occurred
    An unknown error occurred
    Helpful, I'm sure you'll agree! If I go into Console I can see the following two errors:
    02/10/2012 16:01:25.682 Directory Utility: An instance 0x7f8f02b30f30 of class ODCUnbindFromADAction was deallocated while key value observers were still registered with it. Observation info was leaked, and may even become mistakenly attached to some other object. Set a breakpoint on NSKVODeallocateBreak to stop here in the debugger. Here's the current observation info:
    <NSKeyValueObservationInfo 0x7f8f02b56970> (
    <NSKeyValueObservance 0x7f8f02b568c0: Observer: 0x7f8f01cea980, Key path: progressStatus, Options: <New: NO, Old: NO, Prior: NO> Context: 0x0, Property: 0x7f8f02b569a0>
    and...
    02/10/2012 16:03:32.463 Directory Utility: -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007 "The operation couldn’t be completed. (OSStatus error -60007.)" (The authorization was denied since no user interaction was possible. )
    When users are currently logged in they lose access to SSH sessions, network drives etc... they have had issues with saving work and subsequently losing it!
    When I go into opendirectoryd.log I see the following:
    2012-10-02 15:37:42.208 BST - opendirectoryd (build 172.17) launched...
    2012-10-02 15:37:42.265 BST - Logging level limit changed to 'error'
    2012-10-02 15:37:42.902 BST - Initialize trigger support
    2012-10-02 15:37:42.904 BST - Registered node with name '/Active Directory' as hidden
    2012-10-02 15:37:42.904 BST - Registered node with name '/Configure' as hidden
    2012-10-02 15:37:42.905 BST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
    2012-10-02 15:37:42.905 BST - Registered node with name '/Contacts'
    2012-10-02 15:37:42.906 BST - Registered node with name '/LDAPv3' as hidden
    2012-10-02 15:37:42.939 BST - Registered node with name '/Local' as hidden
    2012-10-02 15:37:42.964 BST - Registered node with name '/NIS' as hidden
    2012-10-02 15:37:42.965 BST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
    2012-10-02 15:37:42.965 BST - Registered node with name '/Search'
    2012-10-02 15:37:43.024 BST - Discovered configuration for node name '/Active Directory/NUCA-AD' at path '/Library/Preferences/OpenDirectory/Configurations/Active Directory/NUCA-AD.plist'
    2012-10-02 15:37:43.024 BST - Registered subnode with name '/Active Directory/NUCA-AD'
    2012-10-02 15:37:43.024 BST - Registered placeholder subnode with name '/Active Directory/NUCA-AD/All Domains'
    2012-10-02 15:37:43.040 BST - Discovered configuration for node name '/LDAPv3/nuca-mon1.nuca.ac.uk' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/nuca-mon1.nuca.ac.uk.plist'
    2012-10-02 15:37:43.040 BST - Registered subnode with name '/LDAPv3/nuca-mon1.nuca.ac.uk'
    2012-10-02 15:37:43.108 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
    2012-10-02 15:37:43.307 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
    2012-10-02 15:37:44.311 BST - '/Search' has registered, loading additional services
    2012-10-02 15:37:44.311 BST - Initialize augmentation support
    2012-10-02 15:37:44.352 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
    2012-10-02 15:37:44.423 BST - Successfully registered for Kernel identity service requests
    2012-10-02 15:37:44.482 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
    2012-10-02 15:37:44.566 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
    2012-10-02 15:37:45.461 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
    2012-10-02 15:37:45.463 BST - Registered subnode with name '/Local/Default'
    2012-10-02 15:37:45.556 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
    2012-10-02 15:37:45.600 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClient.bundle'
    2012-10-02 15:37:45.645 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'
    2012-10-02 15:37:45.654 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/Kerberosv5.bundle'
    2012-10-02 15:37:45.858 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/NetLogon.bundle'
    2012-10-02 15:37:45.858 BST - Registered subnode with name '/Active Directory/NUCA-AD/nuca.ac.uk' as hidden
    2012-10-02 15:37:45.859 BST - Unregistered placeholder node with name '/Active Directory/NUCA-AD/All Domains'
    2012-10-02 15:37:45.860 BST - Registered subnode with name '/Active Directory/NUCA-AD/All Domains'
    2012-10-02 15:37:45.861 BST - Registered subnode with name '/Active Directory/NUCA-AD/Global Catalog' as hidden
    2012-10-02 15:37:57.468 BST - failed to retrieve password for credential
    2012-10-02 15:37:59.051 BST - failed to retrieve password for credential
    2012-10-02 15:38:04.052 BST - failed to retrieve password for credential
    2012-10-02 15:38:14.054 BST - failed to retrieve password for credential
    2012-10-02 15:38:29.056 BST - failed to retrieve password for credential
    2012-10-02 15:38:49.076 BST - failed to retrieve password for credential
    2012-10-02 15:39:11.505 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'
    2012-10-02 15:39:11.900 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'
    Interestingly enough, the problem doesn't seem to affect users running 10.6.8 or my iMac which is running 10.8.2. I've spoken to the network manager and he can't see anything strange going on on the network.
    I've also spoken to our AD guy and nothing has changed.
    This is now the second time it's happened. I've managed to get everyone working (before it happened again) by deleting the AD plist in /Library/Preferences/OpenDirectory/Configurations/Active\ Directory/ then rebinding via a script pushed out via ARD.
    If anyone can offer any assistance I'd be most grateful, as I'm about to be shot by our users, as it's the start of our new academic year!
    Thanks!
    Paul

    It's been a few weeks now, and (touch wood) it's not happened again en masse. We have had a few individual ones, but nothing major.
    We still don't quite know exactly what happened, but troubleshooting found the following:
    Our time server wasn't working correctly; Centrify's ADCheck tool showed it as having a firewall (even though it didn't). Our AD guy fixed that problem (sorry, not sure exactly what he did).
    We checked the AD Kerberos ticket from a machine that lost its connection to AD on another Mac that worked, and found that it couldn't connect as the password was wrong. It seems that by default the Active Directory ticket wants to change its password every 14 days, and when trying to it's failing, so I set it to 0.
    We had tried to set the server the AD plugin sees to a specific DC, but this wasn't happening due to subnets not being configured in AD Sites and Services.
    Some of the Macs did not like being set to GMT in the time zone and the time was an hour out; people were able to login though! So I've now set them to Europe/London and they're now picking up the correct time and even picked up the daylight savings over the weekend.
    Our DNS is still not great, but we are in the process of sorting out our subnets, and when we do the consolidation we'll also assign reservations for all the Macs in the hope that appeases DDNS.
    Thanks Paul
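The opendirectoryd.log excerpt in the first post is the useful signal here: six "failed to retrieve password for credential" lines in under a minute, spaced further apart each time, which is what a bind whose stored computer-account credential no longer works looks like, as opposed to a single miss from a transient outage. The script below is an added example, not Apple's or the poster's code, that runs over sample log lines constructed from that excerpt (same layout: date, time, zone abbreviation, " - ", message; a later isolated failure is added to show it is not reported) and groups the failures into bursts with their spacing, so the condition can be found across a fleet rather than by reading logs by hand.

```python
"""Scan opendirectoryd.log for bursts of "failed to retrieve password for
credential" and report their spacing.

Added example, not Apple's or the original poster's code. The sample
lines are constructed from the excerpt in the post; the final line is an
added isolated failure that should not count as a burst.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) - (.*)$")
CREDENTIAL_FAILURE = "failed to retrieve password for credential"

SAMPLE_LOG = """\
2012-10-02 15:37:45.858 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/NetLogon.bundle'
2012-10-02 15:37:45.861 BST - Registered subnode with name '/Active Directory/NUCA-AD/Global Catalog' as hidden
2012-10-02 15:37:57.468 BST - failed to retrieve password for credential
2012-10-02 15:37:59.051 BST - failed to retrieve password for credential
2012-10-02 15:38:04.052 BST - failed to retrieve password for credential
2012-10-02 15:38:14.054 BST - failed to retrieve password for credential
2012-10-02 15:38:29.056 BST - failed to retrieve password for credential
2012-10-02 15:38:49.076 BST - failed to retrieve password for credential
2012-10-02 15:39:11.505 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'
2012-10-02 16:10:00.000 BST - failed to retrieve password for credential
"""


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Keep (timestamp, message) per line. The zone abbreviation is not
    parsed: strptime cannot resolve names like BST, and every line in one
    file shares it, so relative timing is unaffected."""
    events: List[Tuple[datetime, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(3)))
    return events


def find_bursts(events, message=CREDENTIAL_FAILURE,
                gap=timedelta(seconds=60), min_count=3) -> List[Dict[str, object]]:
    """Group matching events whose spacing never exceeds `gap`; report
    runs of at least `min_count` with the intervals between them."""
    hits = [t for t, msg in events if msg == message]
    bursts: List[Dict[str, object]] = []
    run: List[datetime] = []
    for t in hits + [None]:  # trailing None flushes the last run
        if run and (t is None or t - run[-1] > gap):
            if len(run) >= min_count:
                intervals = [round((b - a).total_seconds(), 1) for a, b in zip(run, run[1:])]
                bursts.append({"start": run[0], "end": run[-1],
                               "count": len(run), "intervals": intervals})
            run = []
        if t is not None:
            run.append(t)
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"{b['count']} credential failures {b['start']} .. {b['end']}, "
              f"spacing {b['intervals']} s")
```

Point it at /var/log/opendirectoryd.log (or the output of the logging level raised above 'error', as the log's second line shows is configurable) on a machine that has lost its bind; a burst with growing spacing on the same credential is the case the thread ended up tracing to the computer-account password.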

  • ISE 1.2 Active Directory Question

    Hi,
    I have a question regarding using Active Directory as an External Identity Source.
    Our customer has 4 AD servers in their domain and thus 4 DNS entries for the domain. When I join ISE to the domain DNS resolves to one address and uses that machine to perform the join operation. What happens if the machine subsequently fails - does my ISE node need to leave and then re-join the domain or is this handled by some other method?
    Thanks
    Alan

    Assuming that they're part of the same AD domain ISE will learn all of the DCs in the domain and you'll likely find after a while that it has moved to a different DC. We have over 100 DCs in our domain and it works just fine, no intervention is required to get it to connect to a different DC if the one it's connected to disappears.
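Behind "ISE will learn all of the DCs in the domain" is the DNS SRV record set for the domain (_ldap._tcp.dc._msdcs.<domain>, site-scoped variants when a site is known), which lists every DC with a priority and weight. The block below is an added example, not ISE's own DC-selection code (how the ISE AD connector orders DCs is not stated in this thread): it builds that query name, orders a constructed SRV answer the RFC 2782 way, and fails over past controllers marked dead, so the "no intervention is required" behaviour has a concrete model. The domain name and records are assumptions; in production they come from a real DNS query.

```python
"""Choose a domain controller from DNS SRV records the way a DC-locator
client does: lowest priority first, weight-proportional choice within a
priority, and skipping controllers already known to be down.

Added example, not ISE's own code. The SRV answer below is constructed
and the domain name is an assumption.
"""
import random
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class SRV:
    priority: int  # lower is preferred
    weight: int    # relative share within the same priority
    port: int
    target: str


def srv_name(domain: str, site: Optional[str] = None) -> str:
    """DNS name a client queries for LDAP-capable DCs (RFC 2782 layout under
    Microsoft's _msdcs subdomain); site-scoped when a site is known."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


# Constructed answer for _ldap._tcp.dc._msdcs.corp.example
RECORDS = [
    SRV(0, 100, 389, "dc1.corp.example."),
    SRV(0, 100, 389, "dc2.corp.example."),
    SRV(0, 100, 389, "dc3.corp.example."),
    SRV(10, 100, 389, "dc-dr.corp.example."),  # recovery site, used only when tier 0 is gone
]


def order_srv(records: Iterable[SRV], dead: Set[str],
              rng: Optional[random.Random] = None) -> List[SRV]:
    """RFC 2782 selection order over the records not marked dead."""
    rng = rng or random.Random()
    alive = [r for r in records if r.target not in dead]
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in alive}):
        tier = [r for r in alive if r.priority == prio]
        while tier:
            total = sum(r.weight for r in tier)
            if total == 0:
                chosen = tier[rng.randrange(len(tier))]
            else:
                # Pick a point in [1, total]; the first record whose running
                # weight reaches it wins, so share is proportional to weight.
                point = rng.randint(1, total)
                running = 0
                for r in tier:
                    running += r.weight
                    if running >= point:
                        chosen = r
                        break
            ordered.append(chosen)
            tier.remove(chosen)
    return ordered


def choose_dc(records: Iterable[SRV], dead: Set[str],
              rng: Optional[random.Random] = None) -> SRV:
    ordered = order_srv(records, dead, rng)
    if not ordered:
        raise LookupError("no reachable domain controller in the SRV set")
    return ordered[0]


if __name__ == "__main__":
    print(srv_name("corp.example", site="HQ"))
    dead: Set[str] = set()
    for attempt in range(4):
        dc = choose_dc(RECORDS, dead)
        print(f"attempt {attempt}: using {dc.target}:{dc.port}")
        dead.add(dc.target)  # simulate that DC failing before the next try
```

Two things to keep in mind when relying on this: the SRV answer is only as trustworthy as the resolver path (it is unauthenticated unless DNSSEC is in use), and a site with no subnet mapped in AD Sites and Services gets the unscoped record set, so the join may land on a DC across a WAN link rather than the nearest one.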
     

  • Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling

    Hi All,
    We are running a Cisco ISE box on version 1.2.1, where I am facing the issue below during deployment. We have two ISE boxes, where one box acts as Primary Admin, Secondary MNT and Policy Service and the second box acts as Secondary Admin, Primary MNT and Policy Service.
    1) Profiling of endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, although I have enabled the probes below in ISE for profiling:
    RADIUS Probe
    SNMP Probe
    SNMP Trap
    HTTP Probe and DNS
    2) AnyConnect issue - We are using the AnyConnect supplicant 3.0.11042 for wired and wireless user profiles on Windows 7 Enterprise 32-bit machines.
    - Yellow mark issue - Once authentication and posturing are completed we get a yellow mark on the network drive, but we are still able to connect to the network.
    - Network mapped drive issue - Once authentication and posturing are completed we get a red cross mark on the mapped network drive, and if we double-click on that drive it becomes accessible and the red mark turns green.
    For that we have already allowed IP-level access to all domains in the before-logon dACL (machine authentication).
    It would be really great if anyone could help me with this.
    Thanks & Regards
    Pranav

    Hi Pablo,
    Please find the solutions below:
    Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is by default disabled on Windows XP and Windows 8.x operating systems. It is only enabled by default on Windows 7 and Windows Vista operating systems.
    Network mapped drive issue - Create a logon script and deploy it using group policy. The script will check full network connectivity and then map network drives.
    Regards
    Pranav

  • IPhone/Active Directory Issue

    I was helping a co-worker sync their 3G iPhone to my company's Microsoft Exchange 2004 server so she can receive company emails. Everything was set up fine and verified. Later in the day, I got a call saying she can't log into her Mac, which is on our network. I checked Active Directory and noticed that her account was locked, so I unlocked it. A few minutes later, she called again with the same issue. This problem persisted a few more times within a 30-minute window.
    We finally decided to delete her company email account off the phone, and she was no longer locked out of her machine. My question is why would adding her company email account on her iPhone lock her account on our network, and cease right after we removed the account?

    I'm having the same problem. I have changed mail from POP back to Exchange, from push (15 min to 1 hr) to fetch, fetch to manual, and SSL on to off. The funny thing is that this wasn't a problem until I changed my network password. It connected fine previously without any locking of the email account.
    I'm not changing my password at all during all of this, and after the SA unlocks my account (done about 30 times over 2 weeks now) it connects and pulls down mail right away.
    Is there a setting on the Exchange server that can help debug this?
    CMB

  • Integration Of Cisco ACS and MS Active Directory !!!

    Hi all,
    We have a Cisco ACS v4.2 on a Cisco appliance, and we need to integrate it with Active Directory. Can you help me?
    Thanks for your help
    Regards!!!
    Rafael Turriago

    Hi,
    If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
    The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
    The Remote Agent is the application responsible to exchange data with the DCs.
    You can find detailed information in the config guide:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Active directory issue

    This is the replication status for the following directory partition on this directory server. 
    Directory partition:
    DC=ForestDnsZones,DC=shankarpack,DC=com 
    This directory server has not received replication information from a number of directory servers within the configured latency interval. 
    Latency Interval (Hours): 
    24 
    Number of directory servers in all sites:

    Number of directory servers in this site:

    The latency interval can be modified with the following registry key. 
    Registry Key: 
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
    To identify the directory servers by name, use the dcdiag.exe tool. 
    You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

    Sir, I mean that the secondary domain server is down due to a system motherboard issue, so please guide me on how to remove all settings of the secondary domain from the primary domain (shankarpack.com).
    The errors are:
    Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
    Source domain controller: 
     AVS1 
    Failing DNS host name: 
     f0c8f1a9-50fd-4785-8ca4-29b1d824b251._msdcs.shankarpack.com 
    NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
    Registry Path: 
    HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
    User Action: 
     1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 
     2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
     3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
      dcdiag /test:dns 
     4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
      dcdiag /test:dns 
     5) For further analysis of DNS error failures see KB 824449: 
       http://support.microsoft.com/?kbid=824449 
    Additional Data 
    Error value: 
     11004 The requested name is valid, but no data of the requested type was found. 
    This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 
    Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
    FSMO Role: DC=shankarpack,DC=com 
    User Action: 
    1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
    2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there may be problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
    3. In the rare event that all replication partners being down is an expected occurrence, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server.
    This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
    The following operations may be impacted: 
    Schema: You will no longer be able to modify the schema for this forest. 
    Domain Naming: You will no longer be able to add or remove domains from this forest. 
    PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
    RID: You will not be able to allocate new security identifiers for new user accounts, computer accounts or security groups. 
    Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
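The events above already name the tool to use (repadmin /showrepl) and the remedy for a DC that is gone for good (metadata cleanup with ntdsutil, KB 216498), and they give the two numbers that decide it: the 24-hour latency interval and the DNS-lookup failure on the dead source. The block below is an added example, not Microsoft's code, that reads `repadmin /showrepl * /csv` output, flags partners that are stale past that interval or still failing, and names a source as a cleanup candidate only when every naming context it supplies is both stale and failing with the DNS-lookup status. The CSV is constructed in repadmin's /csv column layout (the showrepl_COLUMNS header is the real one); the surviving DC names PDC1 and DC3, the site names and the timestamps are assumptions, while AVS1 as the failing source and the partition names come from the post.

```python
"""Read `repadmin /showrepl * /csv` output and pick out replication
partners that are stale past the latency interval or failing with the
DNS-lookup status the event text describes.

Added example, not Microsoft's code. The CSV below is constructed in the
column layout repadmin /csv emits; PDC1, DC3, the sites and the times
are assumptions, AVS1 and the partitions are taken from the post.
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LATENCY = timedelta(hours=24)   # "Replicator latency error interval" in the event
DNS_LOOKUP_FAILURE = 8524       # Win32 ERROR_DS_DNS_LOOKUP_FAILURE
TIME_FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2014, 5, 16, 10, 0, 0)  # constructed "current time" for the sample

CSV_SAMPLE = '''showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,PDC1,"DC=shankarpack,DC=com",Default-First-Site-Name,AVS1,RPC,37,2014-05-16 09:02:11,2014-05-10 08:15:00,8524
showrepl_INFO,Default-First-Site-Name,PDC1,"DC=ForestDnsZones,DC=shankarpack,DC=com",Default-First-Site-Name,AVS1,RPC,37,2014-05-16 09:02:11,2014-05-10 08:15:00,8524
showrepl_INFO,Default-First-Site-Name,PDC1,"DC=shankarpack,DC=com",Default-First-Site-Name,DC3,RPC,0,0,2014-05-16 09:55:40,0
'''


def parse_showrepl(text: str) -> List[Dict[str, str]]:
    """One dict per showrepl_INFO row, keyed by the showrepl_COLUMNS names."""
    header: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "showrepl_COLUMNS":
            header = row
        elif row[0] == "showrepl_INFO" and header:
            rows.append(dict(zip(header, row)))
    return rows


def parse_time(value: str) -> Optional[datetime]:
    """repadmin prints 0 when a success or failure has never happened."""
    value = value.strip()
    return None if value in ("", "0") else datetime.strptime(value, TIME_FMT)


def _flags(row: Dict[str, str], now: datetime, latency: timedelta) -> Dict[str, object]:
    last_ok = parse_time(row["Last Success Time"])
    return {
        "source": row["Source DSA"],
        "nc": row["Naming Context"],
        "failures": int(row["Number of Failures"]),
        "stale": last_ok is None or now - last_ok > latency,
        "dns_lookup_failure": int(row["Last Failure Status"]) == DNS_LOOKUP_FAILURE,
    }


def stale_or_failing(rows, now=NOW, latency=LATENCY) -> List[Dict[str, object]]:
    """Partners that have not replicated within the latency interval or
    that report any failures; these are what the latency event counts."""
    return [f for f in (_flags(r, now, latency) for r in rows)
            if f["stale"] or f["failures"]]


def dead_dc_candidates(rows, now=NOW, latency=LATENCY) -> List[str]:
    """Sources that are stale and DNS-unresolvable on every partition they
    supply: the metadata-cleanup case, as opposed to a partner that is
    merely slow on one partition."""
    per_source: Dict[str, List[bool]] = {}
    for f in (_flags(r, now, latency) for r in rows):
        per_source.setdefault(f["source"], []).append(f["stale"] and f["dns_lookup_failure"])
    return sorted(s for s, flags in per_source.items() if all(flags))


if __name__ == "__main__":
    rows = parse_showrepl(CSV_SAMPLE)
    for f in stale_or_failing(rows):
        print(f"{f['source']:6} {f['nc']:45} failures={f['failures']} "
              f"stale={f['stale']} dns={f['dns_lookup_failure']}")
    print("metadata cleanup candidates:", dead_dc_candidates(rows))
```

To use it on a real domain, run `repadmin /showrepl * /csv > showrepl.csv` on any DC and pass the file's contents to parse_showrepl() with the current time; a source that appears in dead_dc_candidates() and is physically gone is the one to remove with ntdsutil, and if it held a FSMO role the seize step the last event describes follows.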

  • Active Directory issue regarding time (DST) - Can't bind any Macs to 2000 AD

    I am working with a new server at a small, mostly Windows-based school district. I am here to do a small AD/OD integration with nothing out of the normal. They are using Windows 2000 Server and 10.4.11 with all the current software updates. I tested binding to their AD several months back and it ran without a hitch. Now, today when I attempted to bind their new Intel Xserve running 10.4.11 to their AD, it fails, yielding the "Active directory only permits slight variations between the clocks..." error message.
    I have seen this before and the message has always been very descriptive in describing the problem (time is off on one end or the other). The issue here is that the machines are all running within a second or two of each other. I verified this myself several times on all the AD servers, each Mac client and the Mac server. I also checked other normal pitfalls and could not find anything. I can reproduce this error on 10.4.11 server, 10.4.11 client and 10.5.2 client (my laptop), so it's not any specific install of OS X; it's something in AD.
    Is there any chance that this has something to do with the recent changes to daylight saving time? The on-staff admin at the district manually moved the time ahead one hour on Monday morning to bring the Windows system up to the current time. As I stated before, this district uses 2000 Server. MS does not support 2000 any more and has not issued any updates regarding the recent daylight saving time changes. I have done a ton of searching and I have not been able to find any other mention of such an issue, as I would assume that it would be rather widespread.
    Any help would be appreciated. Thanks!

    Hi
    You can extend the time difference from the default 5 minutes to 10 minutes. This is done on the AD server using either the GMM or the DMM. This might help with the issue you are seeing.
    Failing that, you could point the AD to an internet-based time server along with everything else on the network, OR make everything on the network use the AD as the time server.
    Apologies if you have already tried this. Tony
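The hypothesis in the question (wall clocks agree to the second, yet the bind fails on clock skew after a manual one-hour adjustment on an unpatched Windows 2000 box) is exactly the case where comparing wall-clock readings misleads: Kerberos compares instants, so a clock that was moved ahead by hand while the zone rule still applies the old offset is an hour off in UTC even though it reads correctly. The same trap is behind the GMT-versus-Europe/London clocks in the Mac 10.7 thread earlier on this page. The block below is an added example, not Apple's or Microsoft's code, that computes skew the way a KDC does; fixed UTC offsets stand in for a time-zone database so it runs anywhere, and the date, offsets and times are constructed. It also shows that the 10-minute tolerance suggested in the reply does not cover a one-hour offset.

```python
"""Check Kerberos clock skew the way the KDC does: compare the two clocks
as UTC instants, not as wall-clock strings.

Added example, not Apple's or Microsoft's code. Fixed UTC offsets stand
in for a time-zone database; the date, offsets and times are constructed.
300 seconds is the Kerberos default tolerance.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_SKEW = timedelta(seconds=300)


def skew(a: datetime, b: datetime) -> timedelta:
    """Absolute difference of two zone-aware datetimes, computed in UTC."""
    if a.tzinfo is None or b.tzinfo is None:
        raise ValueError("naive datetime: its UTC offset is unknown, so skew is undefined")
    return abs(a.astimezone(timezone.utc) - b.astimezone(timezone.utc))


def within_tolerance(client: datetime, kdc: datetime,
                     max_skew: timedelta = DEFAULT_MAX_SKEW) -> bool:
    return skew(client, kdc) <= max_skew


# Constructed scenario from the question: the DC's wall clock was moved
# ahead one hour by hand while its zone rule still applies the standard
# (winter) offset, so its UTC time is an hour wrong. The Mac applies the
# correct daylight offset and shows the same wall-clock reading.
STANDARD = timezone(timedelta(hours=-5))  # rule the unpatched DC still applies
DAYLIGHT = timezone(timedelta(hours=-4))  # correct offset for the date
MAC = datetime(2008, 3, 10, 9, 0, 0, tzinfo=DAYLIGHT)
DC = datetime(2008, 3, 10, 9, 0, 0, tzinfo=STANDARD)


def scenario() -> dict:
    """What an admin sees (matching wall clocks) versus what the KDC sees."""
    return {
        "wall_clocks_match": MAC.replace(tzinfo=None) == DC.replace(tzinfo=None),
        "skew_seconds": skew(MAC, DC).total_seconds(),
        "ok_at_300s": within_tolerance(MAC, DC),
        "ok_at_600s": within_tolerance(MAC, DC, timedelta(seconds=600)),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:18} {value}")
```

The practical check that follows from this: compare the two machines in UTC (`date -u` on the Mac, the UTC value from `w32tm /tz` plus the local time on the Windows side) rather than their local displays, and fix the zone rule or NTP source rather than the tolerance.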

  • Ise personas and Active directory

    hello everybody ,
    just a question...
    which persona needs more bandwidth with Active Directory?
    Supposing I have       admin/monitor ----------firewall ----------- policy service
    On which side should I place AD? (because the firewall limits bandwidth?)
    thank you in advance for your response

    The primary admin node and the policy service nodes. All nodes join to AD, but when you create groups in AD and build your policies that is done from the primary admin node; the PSN nodes are responsible for enforcing these policies. This is my personal opinion.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Odd Active directory issue

    Some background. The company I work for is almost all PC, however, our graphic designers run mac, for obvious reasons. I'm the only I.S. tech with any mac experience at all, so it has fallen on me to get them all officially on the domain now.
    I'm using my G3 iBook as a testbed for this, and so far, rather easily, I have used the Directory Access module to get myself on the domain and authenticated. I can smb\\______ to any server or network share resource I need. However, when I click on the Network icon in Finder, I am presented with a list of our domain resources (about 50). From there, I select the main device domain which should contain all the PCs/printers/fileservers for my company (around 5500). Despite all my best attempts, I cannot get Finder to show more than the first 2200 or so items.
    Here's the odd thing. I installed a demo of AdmitMAC (which we are not able to purchase for these users, i'm told now) and I am able to see all 5500 items in finder. Any ideas?
    IbookG3 600 - 512 - 30GB - Airport   Mac OS X (10.3.9)  
    Asus K8VSE - AMD64 3200+ - 1024DDR   Windows XP Pro  

    This most likely isn't related to Active Directory but rather the Mac OS X SMB client. They are related but don't do the same thing.
    I suspect the reason that the ADmitMac client worked for you is that it either has a more robust SMB browsing mechanism or it's better able to work with your network's Master Browser workstations. Windows machines (or most modern SMB clients) can nominate the most robust machines on the network to be Master Browsers for the network, which then pass the network list to the other computers. Domain controllers typically assume this role when a domain is present.
    Sorry that this isn't a solution but maybe it will give you some insight into what's happening.
    1 GHz Powerbook G4   Mac OS X (10.4.6)  

  • Pulling "cn=Users" account data from Active Directory issue

    I'm using the following general syntax:
    ldapsearch -h <active directory server> -p 389 -D "CN=Administrator,CN=Users,dc=ORACLE,dc=COM" -b "DC=ORACLE,DC=COM" -s base objectclass=*
    What I get is only "cn=System" output. Any ideas to get the "cn=Users" data?? I can authenticate users in other ways using the Oracle LDAP tools through the same "active directory server". So it's not a matter of it not existing in the Active Directory Server. Also, there is no password right now for the "Administrator" account; so it's not a matter of including/excluding the "-w" option.
    Any suggestions??
    Thanks.

    I recommend you to post this here:
    Forums Home » Oracle Technology Network (OTN) » Products » Application Server » Oracle Internet Directory
    Identity Manager
    Joel Pérez
    http://otn.oracle.com/experts
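    What the search above actually asks for, shown as an added example rather than anything from the thread: with -s base the server returns exactly one entry, the base object itself, never its children. Listing what is under CN=Users needs a one-level or subtree search with that container as the base, e.g. ldapsearch -h <server> -p 389 -D "CN=Administrator,CN=Users,DC=ORACLE,DC=COM" -W -b "CN=Users,DC=ORACLE,DC=COM" -s sub "(objectClass=user)". Two things worth checking alongside the scope: a bind DN with an empty password is an unauthenticated bind, which AD treats as anonymous, and anonymous clients cannot read below the rootDSE by default; and attribute types in DNs and filters are case-insensitive, so cn=Users and CN=Users are the same thing. The code models those scope semantics over a small constructed directory (the entries are made up for this example).

```python
"""LDAP search scope semantics (base / one / sub) over a constructed directory.

Added example, not code from the post. The entries below are invented to
mirror the DNs mentioned in the question; a real server would be queried
with ldapsearch, this only shows which entries each scope can return.
"""
import re


def parse_dn(dn: str):
    """Split a DN into (type, value) RDNs, leftmost first.

    Attribute types are case-insensitive, and AD matches DN values
    case-insensitively too, so both are lower-cased for comparison.
    Escaped commas (\\,) inside a value are not treated as separators.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn is returned by a search with the given base and scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                       # not under the base at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0                  # only the base object itself
    if scope == "one":
        return depth == 1                  # immediate children, not the base
    if scope == "sub":
        return True                        # base and everything beneath it
    raise ValueError(f"unknown scope {scope!r}")


def matches(attrs: dict, ldap_filter: str) -> bool:
    """Minimal equality/presence filter: (attr=value) or (attr=*)."""
    m = re.fullmatch(r"\(?\s*([A-Za-z][\w-]*)\s*=\s*([^)]*?)\s*\)?", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter {ldap_filter!r}")
    attr, wanted = m.group(1).lower(), m.group(2)
    values = [v.lower() for v in attrs.get(attr, [])]
    return bool(values) if wanted == "*" else wanted.lower() in values


# Constructed directory: dn -> attributes (keys lower-cased, values as lists).
DIRECTORY = {
    "DC=ORACLE,DC=COM": {"objectclass": ["domain"]},
    "CN=Users,DC=ORACLE,DC=COM": {"objectclass": ["container"]},
    "CN=System,DC=ORACLE,DC=COM": {"objectclass": ["container"]},
    "CN=Administrator,CN=Users,DC=ORACLE,DC=COM": {
        "objectclass": ["user", "person"], "samaccountname": ["Administrator"]},
    "CN=John Doe,CN=Users,DC=ORACLE,DC=COM": {
        "objectclass": ["user", "person"], "samaccountname": ["jdoe"]},
    "CN=Domain Admins,CN=Users,DC=ORACLE,DC=COM": {"objectclass": ["group"]},
}


def search(base: str, scope: str = "sub", ldap_filter: str = "(objectClass=*)",
           directory: dict = DIRECTORY):
    """Return the sorted DNs a server would hand back for this base/scope/filter."""
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and matches(attrs, ldap_filter))


if __name__ == "__main__":
    print("base scope at the root  :", search("DC=ORACLE,DC=COM", "base"))
    print("one level below the root:", search("DC=ORACLE,DC=COM", "one"))
    print("users under CN=Users    :",
          search("CN=Users,DC=ORACLE,DC=COM", "sub", "(objectClass=user)"))
```

    The first call is the shape of the original command and returns only the domain object; the third is what the question was after.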

  • Cisco ACS 4.2 + Active directory + peap

    Hello guys!
    We have ACS 4.2 SE + remote agent which is located on our DC. A WLAN with WPA+WPA2 [802.1X auth] has been configured and everything is working perfectly: domain users trying to connect get a user/pass prompt, after which authentication is successful and wireless access is granted. But it's a bit complicated with non-domain users: when they try to connect to this network they get a Windows security alert because machine authentication did not pass (the PC is not in the domain, so ACS can't authenticate these users). So, if I enable machine authentication under the external Windows database settings, ACS successfully authenticates the station but won't prompt for user/password. How can we enable prompting for user/pass while still maintaining machine auth?
    Thank you!

    I have a scenario for you in Active Directory when two passwords may be valid:
    Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
    Let's take a scenario where we have a three-site, three-domain-controller (DC) Active Directory: site1 with DC1, site2 with DC2 and site3 with DC3.
    The ACS application resides in site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
    User1 decides to call the helpdesk and changes his password to "456".
    The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be valid.
    If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
    Regards,
    ~JG
    Do rate helpful posts
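    The replication window in the reply above, run through as an added example (not code from the post). DC names, the user and the passwords are constructed; DC2 is given the PDC emulator role so that the helpdesk's change on DC1 is forwarded to the PDC emulator immediately but only reaches DC3 on the replication schedule. The PBKDF2 store stands in for the real secret store and is not how AD stores passwords; it is there so the model keeps no plaintext.

```python
"""Model of the password-change replication window described in the reply.

Added example, not code from the post. DC names, the user and the
passwords are constructed; the PBKDF2 store is a stand-in for the real
secret store so that no plaintext is kept. Site 2's DC holds the PDC
emulator role here, so the helpdesk's change on DC1 has to reach DC3 via
scheduled replication.
"""
import hashlib
import hmac
import os


class DomainController:
    def __init__(self, name, pdc_emulator=None):
        self.name = name
        self.pdc_emulator = pdc_emulator        # None: this DC holds the role itself
        self.secrets = {}                       # user -> (salt, pbkdf2 digest)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _verify(self, user, password):
        if user not in self.secrets:
            return False
        salt, digest = self.secrets[user]
        return hmac.compare_digest(digest, self._derive(password, salt))

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.secrets[user] = (salt, self._derive(password, salt))
        # A password change is forwarded to the PDC emulator right away;
        # every other DC only learns of it on the normal replication schedule.
        if self.pdc_emulator is not None:
            self.pdc_emulator.secrets[user] = self.secrets[user]

    def replicate_from(self, source, user=None):
        """Copy one account (or all of them) from another DC."""
        users = [user] if user else list(source.secrets)
        for u in users:
            self.secrets[u] = source.secrets[u]

    def authenticate(self, user, password):
        """Return (accepted, how), following the chaining the reply describes."""
        if self._verify(user, password):
            return True, "local"
        if self.pdc_emulator is not None and self.pdc_emulator._verify(user, password):
            # The PDC emulator knows a newer password: accept, and pull it now.
            self.replicate_from(self.pdc_emulator, user)
            return True, "pdc-emulator"
        return False, "rejected"


def run_scenario():
    dc2 = DomainController("DC2")                     # PDC emulator, site 2
    dc1 = DomainController("DC1", pdc_emulator=dc2)   # site 1, helpdesk changes passwords here
    dc3 = DomainController("DC3", pdc_emulator=dc2)   # site 3, ACS authenticates here
    dc2.set_password("user1", "123")
    dc1.replicate_from(dc2)
    dc3.replicate_from(dc2)

    dc1.set_password("user1", "456")   # helpdesk change; DC3 has not replicated yet
    return [
        dc3.authenticate("user1", "123"),   # old password still accepted at DC3
        dc3.authenticate("user1", "456"),   # rejected locally, validated by the PDC emulator
        dc3.authenticate("user1", "123"),   # the pull closed the window
    ]


if __name__ == "__main__":
    for accepted, how in run_scenario():
        print(accepted, how)
```

    The same window applies when a password is changed because it was compromised: the old credential keeps working at DCs that have not replicated yet until a successful logon with the new one, or a forced sync (repadmin /syncall), reaches them.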
