Install AADSync on a Workgroup server (non-domain joined)
Does anyone have experience with installing AADSync on a non-domain joined server (workgroup)? A company with multiple forests wants to have a "neutral" server for the identity synchronisation. It looks like the tool is installing fine, but can there be some configuration issues?
This is supported. See here:
"Your computer can be stand-alone, a member server or a domain controller. "
ref: http://msdn.microsoft.com/en-us/library/azure/dn757602.aspx
Mike Crowley | MVP
My Blog | Planet Technologies
Similar Messages
Non-Domain joined clients connect to server initially but cannot connect via Launchpad
Running SBS 2011 Essentials in a small office. Running XP/Vista/7 clients. All working fine until we swapped routers. Old router died, new router was installed.
Now all domain-joined PC's connect as normal, but all NON-Domain-Joined PC's cannot access the server via the launchpad. I get the "The server appears to be offline. Do you want to sign in to offline mode?" box.
Tried removing the PC from the SBS Dashboard, uninstalling the connector from the client, restarting the client, and reinstalling the connector. I can install the connector (using http://<server ip>/connect, but not http://<servername>/connect). The connector installs but it still tells me the server is offline when trying to use the dashboard or launchpad on the client.
Note: I can add a network location or map a network drive to the server after inputting my network password from Windows.
Any Services to check? Firewalls exceptions to ensure? Advice?
EDIT: Dashboard on Server shows Client, sometimes as online, sometimes as offline.
Sounds like a name resolution issue to me.
Are all your clients set to use the IP of the Essentials Server for their primary DNS?
Robert Pearman SBS MVP | itauthority.co.uk
Non domain-joined Clients (CES/CEP)
Hello Everyone!
This is my first post to the security forum and it is not an overly familiar tech for me so please be gentle. :)
I am looking at building a lab to test a web based application for a client. The client has very stringent security requirements and as such has mandated the need for both the web server to be secured using SSL certs and requires the connecting users to have a certificate. The infrastructure will be hosted in a central DC in its own AD forest whilst the users connecting in will have their own AD as they work for different companies. Each user will have an AD account within the hosted environment. My initial thought was to provide public certs for the web servers but my problem was providing certificates to the clients. Clearly using public certs would be very expensive. After a bit of research I stumbled across the following:
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
What I am trying to understand is, will the combination of Certificate Services & CES/CEP effectively do away with the need for public certs in this instance? Can I simply use the internal authority to publish certificates to the web server and to the end users?
Yes - I think this is one of the scenarios CES/CEP have been developed for.
End users would have to trust your internal CA and validate the chain, so intermediate CAs should be found via AIA URLs. But since you need user - not computer - certificates this is simpler than described in the article, as users do not need to be local admins to import a root. (But on principle the admin of a user's home AD could restrict this, though I have never encountered that.)
You would need to publish the CES/CEP services via a reverse proxy and external users would have to configure the enrollment HTTP URLs and enter their AD credentials in the hosted AD when connecting.
As users have imported your CA certificate they will also trust the web server's certificate issued from the same CA.
Elke
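As an added example (not part of the thread, and not code from Elke or the poster), the client-side half of what the answer describes, in PowerShell on a non-domain Windows PC: trust the hosted root CA in the current user's store and enroll a user certificate through the CEP/CES endpoints with hosted-AD credentials. The root file name, the CEP URL and the template name are assumptions.

```powershell
# Added example; not code from the thread. Assumed values: the exported hosted root
# CA file, the CEP endpoint (username/password variant) and the template name.
$RootCerPath = '.\HostedRootCA.cer'
$CepUrl      = 'https://enroll.hosted.example/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
$Template    = 'HostedUser'

# 1. Trust the hosted root. A user certificate only needs the current-user root store,
#    so this step does not require local administrator rights on the user's PC.
$root = Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\CurrentUser\Root
"Trusted root : $($root.Subject)  SHA1 $($root.Thumbprint)"

# 2. Enroll through CEP/CES with the user's account in the hosted AD.
#    CEP returns the templates the account may enroll for and the matching CES URL.
$cred   = Get-Credential -Message 'Account in the hosted AD (HOSTED\user)'
$result = Get-Certificate -Template $Template -Url $CepUrl -Credential $cred `
                          -CertStoreLocation Cert:\CurrentUser\My
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }

# 3. Prove the issued certificate chains to the root trusted in step 1.
#    Revocation is skipped here; CDP/AIA reachability from outside is a separate check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($result.Certificate)) {
    throw "Chain build failed: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Issued to    : $($result.Certificate.Subject)"
"Chains to    : $($top.Subject)  (matches imported root: $($top.Thumbprint -eq $root.Thumbprint))"
```

Get-Certificate talks to CEP first to discover the templates and the CES URL, so a username/password CEP endpoint is all the client has to know. If the chain build fails with PartialChain, the AIA URL in the issuing CA certificate is not reachable from outside, which is the point the answer makes about intermediates.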
Problems connecting a non-domain joined outlook to exchange
Hello,
I'm having issues configuring Outlook (be it 2007, 2010 or 2013, all fail the same) on non-domain joined computers in the LAN to an Exchange 2013 server.
I select manual config, in server we put "mail.domain.local" and user "domain\user" and it bounces with "cannot complete action, the connection to exchange is not available, outlook must be online".
We tried with external full email address, nothing
tried setting the outlook anywhere proxy, same, tried using ip address, same
it simply refuses to configure.
Any ideas?
Hi,
Generally, the external non-domain joined computers can connect to Exchange 2013 by using Outlook Anywhere and the Autodiscover service to auto-setup the Exchange account.
If the auto-setup for Exchange account fails, please check the Autodiscover service and Outlook Anywhere configuration by the following command:
Get-OutlookAnywhere | FL
Directly access the following URLs in IE and check whether an Error 600 is returned:
https://autodiscover.domain.com/autodiscover/autodiscover.xml
https://mail.domain.com/autodiscover/autodiscover.xml
Please make sure the ExternalHostName parameter for Outlook Anywhere is configured to your external namespace for Exchange 2013 (for example: mail.domain.com).
In the Exchange certificate, please make sure the namespace mail.domain.com is included in the trusted certificate which is assigned to the IIS service.
For manual Exchange account setup, please run the following command to get the mailbox GUID for server name configuration:
Get-Mailbox UserA | FL Identity,ExchangeGuid
Then go to Control Panel > Mail to configure the Outlook profile. In Server Settings, enter the [email protected] value into the Server box and click Check Name to have a try.
Regards,
Winnie Liang
TechNet Community Support
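The checks in the reply, collected into one script as an added example (not code from the thread). It runs in the Exchange Management Shell on Exchange 2013; the external namespace mail.domain.com comes from the reply, and the test mailbox UserA and the credentials used for the Autodiscover GET are assumptions.

```powershell
# Added example; not from the thread. Run in the Exchange Management Shell on Exchange 2013.
# Assumed values: external namespace mail.domain.com (as in the reply) and test mailbox UserA.
$ExternalName = 'mail.domain.com'
$MailboxId    = 'UserA'

# 1. Outlook Anywhere: external host name and the authentication method the non-domain client will use.
Get-OutlookAnywhere | Format-List Server, ExternalHostname, InternalHostname,
    ExternalClientAuthenticationMethod, ExternalClientsRequireSsl, IISAuthenticationMethods
$wrong = Get-OutlookAnywhere | Where-Object { "$($_.ExternalHostname)" -ne $ExternalName }
if ($wrong) { Write-Warning "ExternalHostname is not $ExternalName on: $(($wrong | ForEach-Object { $_.Server }) -join ', ')" }

# 2. The certificate bound to IIS must carry that name; a name mismatch ends the session before auth.
foreach ($c in (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })) {
    $names = $c.CertificateDomains | ForEach-Object { $_.ToString() }
    "{0}  expires {1:d}  covers {2}: {3}" -f $c.Thumbprint, $c.NotAfter, $ExternalName, ($names -contains $ExternalName)
}

# 3. Server value for a manual 2013 profile: the mailbox GUID at the SMTP domain of the primary address.
$mbx = Get-Mailbox $MailboxId
"Server box value: {0}@{1}" -f $mbx.ExchangeGuid, $mbx.PrimarySmtpAddress.Domain

# 4. Autodiscover reachability: an authenticated GET should come back HTTP 200 with ErrorCode 600,
#    which only means "Invalid Request" for a GET and proves the endpoint is alive and answering.
$cred = Get-Credential -Message 'Mailbox user credentials'
foreach ($url in "https://autodiscover.$($mbx.PrimarySmtpAddress.Domain)/autodiscover/autodiscover.xml",
                 "https://$ExternalName/autodiscover/autodiscover.xml") {
    try {
        $r = Invoke-WebRequest -Uri $url -Credential $cred -UseBasicParsing
        "{0} -> HTTP {1}, ErrorCode 600: {2}" -f $url, $r.StatusCode, ($r.Content -match '<ErrorCode>600</ErrorCode>')
    } catch { Write-Warning "$url -> $($_.Exception.Message)" }
}
```

Run it once from inside the LAN and once from outside: a non-domain client on the LAN still goes through Outlook Anywhere, so a certificate or host name that only works for the internal URL shows up as a failure in steps 2 and 4.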
DNS working intermittently for non-domain joined machines
I have a small single Server 2012 based network, with about 90% Windows clients. DNS is running on the Windows Server 2008 machine, but DHCP is provided via a Unix based firewall machine. Within the DNS configuration I have all of my Windows clients (mostly Windows 8.x clients, but there are a few Windows 7 ones as well) and a few *nix ones as well. All of the Windows clients are domain joined, except for one machine which is currently running Windows 10 preview, though it was a Windows 7 machine originally. In the DNS configuration I have a number of statically entered A records, used to give my *nix machines a name on the local network.
When trying to access systems by name (via ping or by other services), there is a very consistent behavior - my domain joined machines are able to resolve all names 100% of the time without any issues. However, the non-domain joined machines, both Windows and not, are consistently inconsistent. To be more precise, when I try to resolve a name it will randomly work and randomly not. IP setup and configuration looks correct, meaning they have a valid IP, DNS is set to my Windows Server, default gateway, etc. are all correct. Pinging external machines (i.e. google.com, etc.) works 100% of the time, but trying to ping any internal machine is a total crap shoot. The only exception to this is the Windows Server 2012 machine itself, which always works.
From past experience I know that the moment I join a machine to the domain all of the DNS issues go away, which is fine for the Windows boxes but not so much for the rest. I also have visitors occasionally come by, who I cannot expect to join my domain just to make things work normally.
This network originally started life out as a Windows Server 2003 domain, but was upgraded to 2012 about two months ago. I have been seeing this problem for years, but have always assumed it to be a Server 2003 issue and figured it would go away when I upgraded. Nope...
Any ideas as to the cause of this and what I can do about it?
Thanks,
peter
It's really weird - I can ping an address and not have it work, then do an NSLookup of the same address against my DNS server and it resolves just fine. Take a look at this screen copy below:
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>nslookup apollo.bakonet.local 192.168.124.9
Server: orac.bakonet.local
Address: 192.168.124.9
Name: apollo.bakonet.local
Address: 192.168.124.27
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>ipconfig /all |more
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win10
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bakonet.local
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-21-CC-65-1B-8F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : A0-88-B4-A2-41-81
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : bakonet.local
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . : A0-88-B4-A2-41-80
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fc47:8a91:6b25:bd0e%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.124.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, January 5, 2015 7:34:47 PM
Lease Expires . . . . . . . . . . : Tuesday, February 3, 2015 7:15:20 PM
Default Gateway . . . . . . . . . : 192.168.124.1
DHCP Server . . . . . . . . . . . : 192.168.124.1
DHCPv6 IAID . . . . . . . . . . . : 60852404
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-C6-18-82-00-21-CC-65-1B-8F
DNS Servers . . . . . . . . . . . : 192.168.124.9
24.229.54.212
216.144.187.199
Primary WINS Server . . . . . . . : 192.168.124.9
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : EC-55-F9-F5-14-76
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Does this actually make sense? Obviously the DNS server is online, it works and when a lookup is requested directly it works, and the DNS server is listed as first in the IP configuration. So why would it not work?!
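The transcript above shows why nslookup and ping can disagree: nslookup always asks the single server you name, while the Windows resolver uses every server in the list, and the ipconfig output lists three of them, two outside the LAN. As an added example (not code from the thread), this PowerShell script queries each configured resolver separately and then the resolver as a whole, so you can see which server gives which answer. It serves both this post and the SBS 2011 Essentials launchpad question earlier on the page, where the Essentials server name would be used instead; the test name is taken from the transcript.

```powershell
# Added example; not from either thread. Run on the client that fails (the Windows 10 machine
# above, or a non-domain client in the SBS 2011 Essentials case). The test name is the one
# from the transcript; the SBS case would use the Essentials server's name instead.
$Name = 'apollo.bakonet.local'

# Every resolver each interface hands to the DNS client, not only the first one.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Ask each configured resolver directly, bypassing the cache, hosts file and suffix search.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
foreach ($s in $servers) {
    try {
        $a = Resolve-DnsName -Name $Name -Type A -Server $s -DnsOnly -ErrorAction Stop
        "{0,-16} -> {1}" -f $s, (($a | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')
    } catch {
        "{0,-16} -> FAIL: {1}" -f $s, $_.Exception.Message
    }
}

# Now the answer the Windows resolver itself gives (this is what ping uses).
Clear-DnsClientCache
$final = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue
if ($final) { "Resolver result   -> " + (($final | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ') }
else        { "Resolver result   -> no answer (this matches the failing ping)" }
```

If the internal server answers with 192.168.124.27 and the two outside resolvers report that the name does not exist, the client is receiving a negative answer for bakonet.local from a server that is not authoritative for it, and whether ping succeeds depends on which answer the resolver takes. Handing non-domain clients only the internal server through DHCP, and letting that server forward to the outside, removes the conflicting answers; the SBS reply above is asking the same question about the Essentials clients.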
Create a certificate for non domain-joined PCs
We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined PCs look to the CA to get their trusted certificate from.
This is the issue I am encountering:
Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
"DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
"DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!
It sounds like the question you are really asking is:
How do I designate the internal root CA as a trusted root CA
Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt).
This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
Run certutil -addstore CA IssuingCA.crt
Brian
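The two certification paths the poster saw (with the root missing over VPN) are what a chain build reports, so here is an added example (not code from the thread) that pulls the certificate the SharePoint site actually presents and prints the chain Windows can build for it, before and after the two certutil commands in the answer. The site name and the file names are assumptions; the files are the ones exported from the CA.

```powershell
# Added example; not from the thread. Assumed: the SharePoint site is https://sharepoint.corp.example
# and RootCert.crt / IssuingCA.crt are the CA certificates referred to in the answer above.
function Get-ChainReport {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: we only capture it here and judge it with X509Chain below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)
    [pscustomobject]@{
        Subject  = $leaf.Subject
        Issuer   = $leaf.Issuer
        Trusted  = $trusted
        Path     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' > '
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Before: over VPN the path typically stops at the issuing CA, Status shows PartialChain or UntrustedRoot.
Get-ChainReport -HostName 'sharepoint.corp.example'

# Install the root and the issuing CA as in the answer (elevated prompt), then check again.
certutil -addstore root .\RootCert.crt
certutil -addstore CA   .\IssuingCA.crt
Get-ChainReport -HostName 'sharepoint.corp.example'
```

Path shows every certificate Windows could assemble; if the issuing CA is missing from it even after the import, the server is sending only the leaf and the client could not fetch the intermediate from its AIA URL over the VPN, which is the chain-building caveat in the answer.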
Windows 2012 R2 ADRMS domain controller version and Non-domain-joined Mac Client with outlook 2011
Hi,
What is the AD version for Windows 2012R2 ADRMS? Is it possible to have Windows 2003 R2 DC with Windows 2012R2 ADRMS?
Any installation guide Non-domain-joined Mac Client with outlook 2011?
What is the SQL version for Windows 2012R2 ADRMS?
Please advise. Thanks.
Kelvin Teang
Hi Kelvin -
There is no RMS Client for Macs. That functionality is actually provided through the Office for Mac application (this is different compared to the PC). Domain-joined clients will autodiscover the RMS server and should be able to create and consume protected content. Non-domain-joined clients cannot automatically discover their RMS server. In this scenario, prepare a protected document or email from a domain-joined machine and send it to your non-domain-joined users. They will open the document or email up and the URLs contained in the publishing license of the document will direct them to the correct RMS server.
I hope that helps!
Micah LaNasa
Synergy Advisors
synergyadvisors.biz
Change default key size on non Domain joined CA.
Hello,
I have one standalone non domain joined CA. I would like to change the default key size of all issued certs to 2048. Since it is a standalone, there are no AD templates to modify. Can this be changed in the registry?
Shawn
CAPolicy.inf is the way to go.
See the following thread
http://social.technet.microsoft.com/Forums/windowsserver/en-US/ce001d8f-c722-4429-83cb-328b92876292/how-to-change-root-certificate-keys-length-and-validity-period?forum=winserversecurity
HTH, Anders Janson, Enfo Zipper
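An added example (not code from the thread) showing where the 2048-bit setting lives on each side. One caveat a practitioner needs here: CAPolicy.inf governs the CA's own key, read at install time or at the next renewal, while the key length of an issued certificate is decided by whoever generates the request, because a standalone CA signs the public key it is handed. The CA name and host name are assumptions.

```powershell
# Added example; not from the thread. Run (a) and (c) on the standalone CA, (b) on the requesting host.

# (a) CAPolicy.inf sets the CA's OWN key length, applied at install time or at the next 'certutil -renewCert'.
@'
[Version]
Signature = "$Windows NT$"

[certsrv_server]
RenewalKeyLength = 2048
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits = 10
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII
# When the CA certificate is next renewed:  certutil -renewCert   (omit ReuseKeys to get a new 2048-bit CA key)

# (b) The length of an ISSUED certificate's key is chosen by the requester; the CA signs the public key
#     it receives. So the 2048-bit requirement is expressed in the request .inf on the requesting host.
@'
[NewRequest]
Subject = "CN=host01.example.local"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
'@ | Set-Content -Path .\host01.inf -Encoding ASCII
certreq -new .\host01.inf .\host01.req
certutil -dump .\host01.req | Select-String 'Public Key Length'     # expect "2048 bits"

# (c) A standalone CA holds requests as pending (Disposition 9) by default. Review the key length
#     of everything waiting and deny requests under 2048 bits instead of signing them.
certutil -view -restrict "Disposition=9" -out "RequestID,CommonName,PublicKeyLength"
#   certutil -resubmit <RequestID>      issue it
#   certutil -deny     <RequestID>      refuse it
```

Step (c) is the only place a standalone CA can enforce the length for issued certificates: there is no template to edit, so the control is the pending-request review before issuance.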
Licensing for non domain joined machines
Good Day
Would additional licensing be required to manage non domain joined machines, or would this be covered by the current EA? Can someone explain how licensing for the management of non domain machines would work?
thanks
daniel
Hi,
There is no difference if you don't want to license them differently, and if that is possible in your agreement, so you should contact your MS license reseller.
You could buy a System Center Configuration Manager CAL if you want to manage it, but that will only cover ConfigMgr and not Endpoint Protection, for instance. So you should really contact your reseller and see what is the most optimal solution for your company/organisation.
Regards,
Jörgen
My System Center blog: ccmexec.com | Twitter: @ccmexec
Procedure to migrate workgroup server to domain?
Hi, One of my satellite offices has been working with a server 2008 file server as a workgroup. The administrator has created local accounts on the server for all of the users.
We are about to embark on moving the fileserver to the domain, and then the user workstations. Is it possible to join the fileserver to the domain, and then create user accounts, apply appropriate ACLs, then move the workstations over to the domain over a period of a week or two, and still allow workgroup users to access files, or will access to files be granted only to domain users?
If anyone can point me to some best practices for workgroup>domain migration, I'd love to do some reading.
Thanks,
Kevin
Hi Kevin,
Workgroup users can access a domain-joined server with one of the following two options:
1. Set local user account and password which is the same as workgroup users (and passwords).
2. Share folders to Everyone, and include the anonymous account in the Everyone group (this is a group policy).
So basically you can join the server to domain.
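During the migration window it helps to know which identity each workstation is actually using against the shares, because the two options in the answer have very different security consequences. This added example (not code from the thread) reads the server's Security log for network logons and groups them by account, source address and authentication package; it assumes logon auditing is enabled, which it is by default on Server 2008.

```powershell
# Added example; not from the thread. Run on the file server after it has joined the domain.
# It lists who is actually authenticating to the shares, so you can see whether a workgroup
# user's session is mapped to a matching local account, to a domain account, or to ANONYMOUS LOGON.
$Since = (Get-Date).AddHours(-24)

function Get-ShareLogons {
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -eq '3') {                 # 3 = network logon, which is what SMB access produces
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Source      = $d.IpAddress
                    Workstation = $d.WorkstationName
                    Package     = $d.AuthenticationPackageName   # NTLM for workgroup clients, Kerberos for domain ones
                }
            }
        }
}

Get-ShareLogons -StartTime $Since |
    Group-Object Account, Source, Package |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A workgroup user matched under option 1 appears as SERVERNAME\user over NTLM; a migrated workstation appears as DOMAIN\user over Kerberos; option 2 appears as NT AUTHORITY\ANONYMOUS LOGON, which means anyone who can reach the server can read those shares, so keep that window as short as the migration allows and watch for sources you do not recognise.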
IE 11 security settings / Server 2012 domain joined server
Can someone clarify how the Security settings are automatically managed on domain-joined computers in IE 11 / Server 2012 R2:
There seem to be different settings depending on the IE Enhanced Security Settings.
In particular, if IE Enhanced Security Settings are on, Security is forced to High for Internet and admins cannot change it.
If IE Enhanced Security Settings is off for admins, Security is forced to Medium-High and admins cannot change it.
If IE Enhanced Security Settings is off, Security is Medium-High and admins can change it.
Is this by design?
Run As Administrator seems to have no effect.
This only happens on domain joined systems
CarolChi
Hi CarolChi,
IE-ESC is a feature of Windows Server. Yes, just as you think, this behavior is by design.
For more information, please read this article:
Internet Explorer Enhanced Security Configuration changes the browsing experience
http://support.microsoft.com/kb/815141
Karen Hu
TechNet Community Support
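To see which of the three states in the question a given server is in without clicking through the Internet Options dialog, here is an added example (not code from the thread) that reads the IE ESC switches for the Administrators and Users groups, the resulting Internet-zone level, and the policy that makes zone settings machine-only. The registry locations are the ones IE ESC and the zone slider use; run it as the account whose behaviour you are checking.

```powershell
# Added example; not from the thread. Read-only: shows the IE ESC switches for admins and users
# and the resulting Internet-zone level for the current account. Run as the account being tested.
$esc = @{
    Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
foreach ($k in $esc.Keys) {
    $p  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$($esc[$k])"
    $on = (Get-ItemProperty -Path $p -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled -eq 1
    "IE ESC for {0,-14}: {1}" -f $k, $(if ($on) { 'On' } else { 'Off' })
}

# Internet zone is zone 3. CurrentLevel is the slider position.
$levels = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium'; 0x10500 = 'Medium-low'; 0x10000 = 'Low' }
foreach ($hive in 'HKCU', 'HKLM') {
    $z = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" -ErrorAction SilentlyContinue
    if ($z -and $z.CurrentLevel -ne $null) {
        "{0} Internet zone CurrentLevel: 0x{1:X} ({2})" -f $hive, $z.CurrentLevel, $levels[[int]$z.CurrentLevel]
    }
}

# If Security_HKLM_only is 1, zone settings come only from HKLM and the per-user slider is ignored,
# which is why "Run as administrator" changes nothing.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
"Security_HKLM_only policy: $(if ($pol -and $pol.Security_HKLM_only -ne $null) { $pol.Security_HKLM_only } else { 'not set' })"
```

With ESC on for the group you belong to, expect CurrentLevel 0x12000 (High) and the slider greyed out; with ESC off and the machine-only policy not set, the HKCU value is the one IE honours and the slider is editable.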
Netinstall: install additional software using a script + AD domain join
Hi Guys,
I want to install Macs using NetInstall. I built an image using the System Image Utility.
It's a NetInstall Image and it looks like that:
Source Mac OS X 10.8 install disk
partition disk
enable automated installation
add packages and post-install scripts
customize package selection
create image
Installing the OS works.
Now I want to do the following things.
- adding a script which installs a program. It's a .sh script which runs different actions like unpacking a tgz and copying the unpacked files
To be honest, I have no idea how to add this to the installation
- rename the device (best with an ongoing number)
- adding an admin account
- joining the new device to the ad domain
Can anyone help me with this issues?
Regards,
Andre
That helped, thanks.
now I have the problem, that the script is not working in netinstall.
I can run the script on a mac manually and it works.
But when I add it to the NetInstall, the account isn't there after the installation.
my script:
#!/bin/sh
# Creates a local administrator account "admin" with dscl (comments added in editing).
. /etc/rc.common

dscl . create /Users/admin
dscl . create /Users/admin RealName "admin"
dscl . create /Users/admin hint "hint"
dscl . passwd /Users/admin password
dscl . create /Users/admin UniqueID 501            # must not collide with an existing user's UID
dscl . create /Users/admin PrimaryGroupID 80       # 80 = the admin group
dscl . create /Users/admin UserShell /bin/bash
dscl . create /Users/admin NFSHomeDirectory /Users/admin
# Added line: explicit admin-group membership is what the system checks for administrator rights;
# the original script only set the primary group.
dscl . append /Groups/admin GroupMembership admin
cp -R "/System/Library/User Template/English.lproj" /Users/admin
chown -R admin:staff /Users/admin
NDES & Non Domain Joined Devices
Hi Guys
So I've been working on a problem to get a client's mobile devices (laptops, iOS, Android et al) to authenticate to their wireless network using certificates.
The solution is 90% complete but I've come across a problem with NDES and how I can get iOS, Android and windows mobile devices getting root certificates and the device/user certificates essentially "Over the Air".
I've researched a few MDM solutions but that only works if the device is company owned. The reason being is that if the mobile devices aren't company owned we can't install the required MDM apps on them which will enable us to control them and therefore
install Root Certificates and the like.
I'm curious to know who else out there has configured something like this before.
The systems I'm working with are: a Cisco WLC, NPS, AD, AD CA, NDES (Win2012).
Any help will be greatly appreciated.
Prince K.
vtechnology.com.au
Hi,
how I can get iOS, Android and windows mobile devices getting root certificates and the device/user certificates essentially "Over the Air".
I haven’t done it myself, though here are some resources I searched for you:
Installing the root CA on iOS
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_installing_root_CA_iOS.html?lang=en
Installing the root CA on Android
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_installing_root_CA_android.html?lang=en
Installing the root CA on Windows Phone
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_installing_root_CA_windows_phone.html?lang=en
Please Note: Since these web sites are not hosted by Microsoft, these links may change without notice. Microsoft does not guarantee the accuracy of this information.
Best Regards,
Amy
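One piece of the "over the air" problem that NDES already solves is delivering the CA certificate itself: NDES speaks SCEP, and SCEP's GetCACert operation returns the CA (and RA) certificates to any client with no authentication, which is how a device gets the root before it holds any certificate. This added example (not code from the thread) fetches it in PowerShell and prints what a device would be asked to trust. The NDES host name is an assumption; the URL path is the default NDES one.

```powershell
# Added example; not from the thread. Assumed: NDES at ndes.example.com on the default MSCEP path
# (plain HTTP is NDES's default; change the scheme if it sits behind TLS or a reverse proxy).
$Mscep = 'http://ndes.example.com/certsrv/mscep/mscep.dll/pkiclient.exe'

# GetCACaps: what the SCEP endpoint supports (e.g. POSTPKIOperation, SHA-256, Renewal).
$caps = Invoke-WebRequest -Uri "${Mscep}?operation=GetCACaps&message=ca" -UseBasicParsing
'GetCACaps: ' + (($caps.Content -split '\r?\n' | Where-Object { $_ }) -join ', ')

# GetCACert: the CA and RA certificates as a degenerate PKCS#7; no credentials are needed.
$r   = Invoke-WebRequest -Uri "${Mscep}?operation=GetCACert&message=ca" -UseBasicParsing
$p7b = Join-Path $PWD 'ndes-chain.p7b'
[System.IO.File]::WriteAllBytes($p7b, [byte[]]$r.Content)
"Saved $($r.Headers['Content-Type']) to $p7b"

# Unpack it and print what a device would be asked to trust. Publish these thumbprints out of band
# (intranet page, printed card) so a user can compare before accepting a root over the air.
$col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$col.Import($p7b)
foreach ($c in $col) {
    $bc   = $c.Extensions['2.5.29.19']          # Basic Constraints, present on CA certificates
    $role = if ($c.Subject -eq $c.Issuer) { 'ROOT' } elseif ($bc -and $bc.CertificateAuthority) { 'CA  ' } else { 'RA  ' }
    "{0} {1}`n     issuer {2}`n     SHA1   {3}" -f $role, $c.Subject, $c.Issuer, $c.Thumbprint
}
# Only the ROOT (and an issuing CA, if separate) belongs in a device's trust store; the RA
# certificates are NDES's own signing/encryption keys and must not be trusted as roots.
```

The same .p7b, or the root alone as a .cer, can be served from a web page for the iOS and Android install paths in the links above; because a user is being asked to trust a root without MDM vouching for it, the out-of-band thumbprint check is the step that keeps this from training people to accept any certificate a captive portal offers.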
Non-domain machines cannot launch RemoteAPP
Hi.
I have Server 1 with RDS WEB and RD Gateway Role. And I have Server 2 with RDS Host, License Manager, RemoteApp installed and they are in collection.
For test: I installed the certificate of the Enterprise CA on a non-domain computer and now it connects successfully to the RDS Web service (globalDNSname.mycompany.com). Non-domain computers log in to RDWeb well (the certificate is good). But when I launch a RemoteApp it asks me for credentials and says that logon is unsuccessful.
It works with domain computers and asks for no credentials. The certificate is issued to globalDNSname.mycompany.com.
Could you help me?
Hi,
Can you open successful connection of RemoteApp on domain joined system?
The PC which is non-domain joined is on the same LAN. It might be possible that the DNS name or hostname of the server can't be resolved correctly from the non-domain joined system. Please see whether you can directly ping or get a successful connection to the server from the non-domain joined system.
Apart from that, there are certain points to check before a successful connection. Check whether you have correctly configured the RD CAP and RD RAP policies. When you create the RD RAP, add the user groups that you defined in the RD CAP. Also, create a new RD Gateway-managed computer group that contains both the NetBIOS names and the fully qualified domain names (FQDNs) of the RD Session Host servers or the RD Session Host server farm that hosts the RemoteApp programs.
For more details you can check beneath article.
Checklist: Make RemoteApp Programs Available from the Internet
https://technet.microsoft.com/en-in/library/cc772415.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
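The RD CAP, RD RAP and gateway-managed computer group checks in the reply can be read off the gateway in one go. This added example (not code from the thread) uses the RD Gateway WMI classes on Server 1 and then checks name resolution and port 443 from the non-domain client. The session host and domain names are assumptions; the public name comes from the post.

```powershell
# Added example; not from the thread. Run on Server 1 (RD Gateway). Assumed names: session host
# rdsh01 in corp.example; public name globalDNSname.mycompany.com (from the post).
$ns = 'root\CIMV2\TerminalServices'

"== RD CAP: which user groups may connect through the gateway =="
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy |
    Format-Table Name, Enabled, UserGroupNames -AutoSize

"== RD RAP: which resources those groups may reach, and on which ports =="
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy |
    Format-Table Name, Enabled, UserGroupNames, ResourceGroupName, PortNumbers -AutoSize

"== Gateway-managed computer groups: need BOTH the NetBIOS name and the FQDN of each session host =="
$groups = Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceGroup
$groups | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.Resources -join ', ') }

# Cross-check: every name the .rdp file can point the client at must appear in some group.
$expected = 'rdsh01', 'rdsh01.corp.example'
$listed   = $groups | ForEach-Object { $_.Resources }
foreach ($e in $expected) {
    if ($listed -notcontains $e) { Write-Warning "'$e' is not in any RD Gateway-managed computer group" }
}

# From the NON-DOMAIN client: the gateway name must resolve and answer on 443 (RD Gateway uses HTTPS).
Resolve-DnsName -Name 'globalDNSname.mycompany.com' -Type A
Test-NetConnection -ComputerName 'globalDNSname.mycompany.com' -Port 443 |
    Format-List ComputerName, RemoteAddress, TcpTestSucceeded
```

The credential prompt itself is expected on a non-domain client, which has no Kerberos ticket to pass silently; the account has to be typed as DOMAIN\user and must be in a group that appears in both the CAP and the RAP, otherwise the gateway reports the logon as unsuccessful even though RDWeb accepted the same credentials.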
Non-domain computer request certificate
We have Enterprise CA with Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service on same domain computer.
When I configure Enrollment policy on non-domain computers by adding exist Certificate Enrollment Policy Server:
mmc -> Certificates (local computer) -> Personal -> Manage Enrollment Policy, all looks fine. But when I do request New Certificate -> Select Certificate Enrollment Policy, a window appears with an empty list and the message:
"Certificate types are not available. You cannot request a certificate at this time because no certificate types are available."
From domain computers all works fine, I can choose templates from the list and can run the command:
certutil -config "DomainComp\CAname" -ping.
from non-domain computers I can't do certutil -ping:
...Connecting to DomainComp\CAname ...
Server could not be reached: The RPC server is unavailable. 0x800706ba
I used username/password authentication when I installed the CES/CEP roles. If I want to use authentication with certificates, I must make a request and enroll it on the CA. This is a problem for a non-domain computer. By the way, using the method in
http://social.technet.microsoft.com/Forums/windowsserver/en-US/098f858a-3e89-48d2-828e-274487033f6b/how-to-request-certificate-from-a-nondomain-computer?forum=winserversecurity
I can manually make a request file, issue it on the Enterprise CA, export the certificate file, and then import the certificate.
This method
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx does not work because an empty list of enrollment templates appears.
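The manual path the poster falls back on works because the private key never has to leave the non-domain machine and the RPC submission happens from a domain-joined one. As an added example (not code from the thread), here is that workflow end to end with certreq; the CA config string is the one from the post, and the host name, template name and the admin workstation are assumptions.

```powershell
# Added example; not from the thread. Two machines, as the poster describes: the non-domain computer
# (no RPC path to the enterprise CA) and a domain-joined admin workstation that has one.
# Assumed names: CA config "DomainComp\CAname" (from the post), template "WebServerV2", host app01.

# --- On the NON-DOMAIN computer: generate the key pair and a PKCS#10 request ----------------------
@'
[NewRequest]
Subject = "CN=app01.hosted.example"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=app01.hosted.example&"
'@ | Set-Content -Path .\app01.inf -Encoding ASCII
certreq -new .\app01.inf .\app01.req        # private key stays in this machine's key store
# Copy app01.req to the domain-joined workstation.

# --- On the DOMAIN-JOINED workstation: submit to the enterprise CA, naming the template -------------
# The submitting user needs Enroll permission on the template, and the template must be set to
# take the subject name from the request, or the CN/SAN above are replaced.
certreq -submit -config "DomainComp\CAname" -attrib "CertificateTemplate:WebServerV2" .\app01.req .\app01.cer
# If the template requires CA manager approval you get a request ID instead; after approval:
#   certreq -retrieve -config "DomainComp\CAname" <RequestId> .\app01.cer
# Copy app01.cer back to the non-domain computer.

# --- On the NON-DOMAIN computer: bind the issued certificate to its private key ---------------------
certreq -accept .\app01.cer
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=app01.hosted.example' } |
    Format-List Subject, Thumbprint, HasPrivateKey, NotAfter
```

HasPrivateKey must be True after certreq -accept; if it is False the .cer was accepted on a different machine from the one that ran certreq -new, and no key exists for it. The enterprise CA's root also has to be in the non-domain machine's trusted root store for the certificate to be usable, which is the same certutil -addstore step shown earlier on this page.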