Install AADSync on a Workgroup server (non-domain joined)

Does anyone have experience with installing AADSync on a non-domain joined server (workgroup)? A company with multiple forests wants to have a "neutral" server for the identity synchronisation. It looks like the tool is installing fine, but can there be some configuration issues?

This is supported.  See here:
"Your computer can be stand-alone, a member server or a domain controller. "
ref: http://msdn.microsoft.com/en-us/library/azure/dn757602.aspx
Mike Crowley | MVP
My Blog --
Planet Technologies

Similar Messages

  • Non-Domain joined clients connect to server initially but cannot connect via Launchpad

    Running SBS 2011 Essentials in a small office. Running XP/Vista/7 clients. All working fine until we swapped routers. Old router died, new router was installed.
    Now all domain-joined PCs connect as normal, but all NON-domain-joined PCs cannot access the server via the Launchpad. I get the "The server appears to be offline. Do you want to sign in to offline mode?" box.
    Tried removing the PC from the SBS Dashboard, uninstalling the connector from the client, restarting the client, and reinstalling the connector. I can install the connector (using http://<server ip>/connect, but not http://<servername>/connect). The connector installs but it still tells me the server is offline when trying to use the Dashboard or Launchpad on the client.
    Note: I can add a network location or map a network drive to the server after inputting my network password from Windows.
    Any services to check? Firewall exceptions to ensure? Advice?
    EDIT: Dashboard on the server shows the client, sometimes as online, sometimes as offline.

    Sounds like name resolution issue to me.
    Are all your clients set to use the IP of the Essentials Server for their primary DNS?
    Robert Pearman SBS MVP
    itauthority.co.uk

  • Non domain-joined Clients (CES/CEP)

    Hello Everyone!
    This is my first post to the security forum and it is not an overly familiar tech for me so please be gentle. :)
    I am looking at building a lab to test a web based application for a client.  The client has very stringent security requirements and as such has mandated the need for both the web server to be secured using SSL certs and requires the connecting users to have a certificate.  The infrastructure will be hosted in a central DC in its own AD forest whilst the users connecting in will have their own AD as they work for different companies.  Each user will have an AD account within the hosted environment.  My initial thought was to provide public certs for the web servers but my problem was providing certificates to the clients.  Clearly using public certs would be very expensive.  After a bit of research I stumbled across the following:
    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    What I am trying to understand is, will the combination of Certificate Services & CES/CEP effectively do away with the need for public certs in this instance?  Can I simply use the internal authority to publish certificates to the web server and to the end users?

    Yes - I think this is one of the scenarios CES/CEP have been developed for.
    End users would have to trust your internal CA and validate the chain, so intermediate CAs should be found via AIA URLs. But since you need user - not computer - certificates this is simpler than described in the article, as users do not need to be local admins to import a root. (But in principle the admin of a user's home AD could restrict this, though I have never encountered that.)
    You would need to publish the CES/CEP services via a reverse proxy, and external users would have to configure the enrollment HTTP URLs and enter their AD credentials in the hosted AD when connecting.
    As users have imported your CA certificate they will also trust the web server's certificate issued from the same CA.
    Elke

  • Problems connecting a non-domain joined outlook to exchange

    Hello,
    I'm having issues configuring Outlook (be it 2007, 2010 or 2013, all fail the same) on non-domain joined computers in the LAN to an Exchange 2013 server.
    I select manual config, in server we put "mail.domain.local" and user "domain\user" and it bounces with "cannot complete action, the connection to exchange is not available, outlook must be online".
    We tried with the external full email address, nothing.
    Tried setting the Outlook Anywhere proxy, same; tried using the IP address, same.
    It simply refuses to configure.
    Any ideas?

    Hi,
    Generally, external non-domain joined computers can connect to Exchange 2013 by using Outlook Anywhere and the Autodiscover service to auto-setup the Exchange account.
    If the auto-setup for the Exchange account fails, please check the Autodiscover service and Outlook Anywhere configuration with the following command:
    Get-OutlookAnywhere | FL
    Directly access the following URLs in IE respectively, and check whether an Error 600 returns:
    Https://autodiscover.domain.com/autodiscover/autodiscover.xml
    Https://mail.domain.com/autodiscover/autodiscover.xml
    Please make sure the ExternalHostName parameter for Outlook Anywhere is configured to your external namespace for Exchange 2013 (for example: mail.domain.com).
    In the Exchange certificate, please make sure the namespace mail.domain.com is included in your trusted certificate which is assigned to the IIS service.
    For manual Exchange account setup, please run the following command to get the mailbox GUID for the server name configuration:
    Get-Mailbox UserA | FL Identity,ExchangeGuid
    Then go to Control Panel > Mail to configure the Outlook profile. In Server Settings, enter the [email protected] into the Server box and click Check Name to have a try.
    Regards,
    Winnie Liang
    TechNet Community Support
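    The checks in the reply above can be run from the non-domain-joined client itself, without the Exchange Management Shell. The script below is an added example (not the reply's own commands): for each of the two names it checks DNS resolution, whether the certificate presented on port 443 lists the name in its Subject Alternative Name extension (the "mail.domain.com is included in your trusted certificate" point), and what the Autodiscover endpoint returns. Exchange answers an unauthenticated GET of autodiscover.xml either with HTTP 401 (reachable, credentials required) or with an XML body carrying ErrorCode 600, which is the "Error 600" the reply refers to. The hostnames are the placeholders from the reply (domain.com); substitute your external namespace.

```powershell
# Added example, not from the original thread. Run on the non-domain-joined client.
# Placeholders: replace domain.com with the real external namespace.
$hosts = @('autodiscover.domain.com', 'mail.domain.com')

foreach ($h in $hosts) {
    # 1. Name resolution as seen from this client
    try {
        $addrs = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
        "[$h] DNS  : $addrs"
    } catch {
        "[$h] DNS  : FAILED ($($_.Exception.Message))"
        continue
    }

    # 2. Certificate presented on 443. The validation callback accepts anything
    #    because we only want to inspect the certificate here; the SAN check below
    #    is the actual test that Outlook's name matching will also perform.
    $tcp = New-Object System.Net.Sockets.TcpClient($h, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($h)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $covered = $san -match [regex]::Escape($h)
        "[$h] Cert : issuer=$($cert.Issuer); expires=$($cert.NotAfter); SAN covers name: $covered"
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # 3. Autodiscover endpoint. 200 + ErrorCode 600 or HTTP 401 both mean the
    #    virtual directory is published and reachable; anything else needs a look.
    try {
        $r = Invoke-WebRequest -Uri "https://$h/autodiscover/autodiscover.xml" -UseBasicParsing -ErrorAction Stop
        $code = ([xml]$r.Content).Autodiscover.Response.Error.ErrorCode
        "[$h] Autod: HTTP $($r.StatusCode), ErrorCode $code"
    } catch [System.Net.WebException] {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
        "[$h] Autod: HTTP $status ($($_.Exception.Message))"
    }
}
```

    If step 1 fails for autodiscover.domain.com only, the client is falling back to the manual path the reply describes; if step 2 reports that the SAN does not cover the name, the certificate assigned to IIS is the problem rather than the Outlook Anywhere settings.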

  • DNS working intermittently for non-domain joined machines

    I have a small single Server 2012 based network, with about 90% Windows clients.  DNS is running on the Windows Server 2008 machine, but DHCP is provided via a Unix based firewall machine.  Within the DNS configuration I have all of my Windows clients (mostly Windows 8.x clients, but there are a few Windows 7 ones as well) and a few *nix ones as well.  All of the Windows clients are domain joined, except for one machine which is currently running Windows 10 preview, though it was a Windows 7 machine originally.  In the DNS configuration I have a number of statically entered A records, used to give my *nix machines a name on the local network.
    When trying to access systems by name (via ping or by other services), there is a very consistent behavior - my domain joined machines are able to resolve all names 100% of the time without any issues.  However, the non-domain joined machines, both Windows and not, are consistently inconsistent.  To be more precise, when I try to resolve a name it will randomly work and randomly not.  IP setup and configuration looks correct, meaning they have a valid IP, DNS is set to my Windows Server, default gateway, etc. are all correct.  Pinging external machines (i.e. google.com, etc.) works 100% of the time, but trying to ping any internal machine is a total crap shoot.  The only exception to this is the Windows Server 2012 machine itself, which always works.
    From past experience I know that the moment I join a machine to the domain all of the DNS issues go away, which is fine for the Windows boxes but not so much for the rest.  I also have visitors occasionally come by, who I cannot expect to join my domain just to make things work normally.
    This network originally started life out as a Windows Server 2003 domain, but was upgraded to 2012 about two months ago.  I have been seeing this problem for years, but have always assumed it to be a Server 2003 issue and figured it would go away when I upgraded.  Nope...
    Any ideas as to the cause of this and what I can do about it?
    Thanks,
    peter

    It's really weird - I can ping an address and not have it work, then do an NSLookup of the same address against my DNS server and it resolves just fine.  Take a look at this screen copy below:
    C:\Users\Peter>ping apollo.bakonet.local
    Ping request could not find host apollo.bakonet.local. Please check the name and try again.
    C:\Users\Peter>nslookup apollo.bakonet.local 192.168.124.9
    Server:  orac.bakonet.local
    Address:  192.168.124.9
    Name:    apollo.bakonet.local
    Address:  192.168.124.27
    C:\Users\Peter>ping apollo.bakonet.local
    Ping request could not find host apollo.bakonet.local. Please check the name and try again.
    C:\Users\Peter>ipconfig /all |more
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : Win10
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : bakonet.local
    Ethernet adapter Ethernet:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-21-CC-65-1B-8F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Local Area Connection* 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : A0-88-B4-A2-41-81
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . : bakonet.local
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
       Physical Address. . . . . . . . . : A0-88-B4-A2-41-80
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::fc47:8a91:6b25:bd0e%2(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.124.64(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, January 5, 2015 7:34:47 PM
       Lease Expires . . . . . . . . . . : Tuesday, February 3, 2015 7:15:20 PM
       Default Gateway . . . . . . . . . : 192.168.124.1
       DHCP Server . . . . . . . . . . . : 192.168.124.1
       DHCPv6 IAID . . . . . . . . . . . : 60852404
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-C6-18-82-00-21-CC-65-1B-8F
       DNS Servers . . . . . . . . . . . : 192.168.124.9
                                           24.229.54.212
                                           216.144.187.199
       Primary WINS Server . . . . . . . : 192.168.124.9
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : EC-55-F9-F5-14-76
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Does this actually make sense?  Obviously the DNS server is online, it works and when a lookup is requested directly it works, and the DNS server is listed as first in the IP configuration.  So why would it not work?!
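    The ipconfig output above lists three DNS servers: the internal one (192.168.124.9) and two others that do not know the bakonet.local zone. nslookup with an explicit server argument bypasses both the local resolver cache and server selection, so it only proves that the internal server works; the Windows resolver can send the same query to one of the other listed servers and cache the negative answer it gets back. The script below is an added example, not from the thread: it asks every DNS server configured on the client for the name and shows which of them answer, then prints what the local resolver cache currently holds. It assumes Windows 8/Server 2012 or later (the DnsClient module) and uses the hostname from the post.

```powershell
# Added example, not from the original thread.
# Queries each configured DNS server directly and reports disagreement, then
# shows the resolver cache entry for the name (a cached negative answer means a
# server that does not host the zone was asked first).
param(
    [string]$Name = 'apollo.bakonet.local'   # hostname from the post
)

# Every IPv4 DNS server on every interface, deduplicated.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Where-Object { $_ } |
    Select-Object -Unique

$results = foreach ($server in $servers) {
    try {
        # -DnsOnly skips LLMNR/NetBIOS so the answer comes from this server alone.
        $answer = Resolve-DnsName -Name $Name -Type A -Server $server -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        [pscustomobject]@{ Server = $server; Result = 'OK';   Detail = $ips }
    } catch {
        [pscustomobject]@{ Server = $server; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

$failing = @($results | Where-Object { $_.Result -eq 'FAIL' })
if ($failing.Count -gt 0 -and $failing.Count -lt $results.Count) {
    "WARNING: $($failing.Count) of $($results.Count) configured servers cannot resolve $Name;"
    "         resolution will be intermittent until those servers are removed from the client configuration."
}

# What the client already believes about the name. Status other than Success
# (for example NoRecords or NameError) is a cached negative answer.
Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue |
    Select-Object Entry, Status, Data, TimeToLive
```

    Domain-joined machines in the post behave because their configuration only carries the internal server; a non-domain-joined client that receives the ISP resolvers from the firewall's DHCP has a mixed list, which is what the table from this script makes visible.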

  • Create a certificate for non domain-joined PCs

    We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined PCs look to the CA to get their trusted certificate from.
    This is the issue I am encountering:
    Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
    However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
    "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
    "DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!

    It sounds like the question you are really asking is:
    How do I designate the internal root CA as a trusted root CA?
    Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt).
    This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
    Run certutil -addstore CA IssuingCA.crt
    Brian
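    The two certutil commands in the reply have a PowerShell equivalent, and it is worth following them with a chain-building check so that the result can be confirmed on the client before users reconnect over VPN. The script below is an added example, not the reply's own commands. It assumes RootCert.crt and IssuingCA.crt are the files named in the reply, and that the SharePoint site's own certificate has been saved to a file (SiteCert.cer is a placeholder name; the browser's Certificate > Details > Copy to File produces one). It must be run from an elevated prompt because it writes to the LocalMachine stores.

```powershell
# Added example, not from the original thread. Run elevated.
param(
    [string]$RootCertPath  = '.\RootCert.crt',   # file named in the reply
    [string]$IssuingCaPath = '.\IssuingCA.crt',  # file named in the reply
    [string]$SiteCertPath  = '.\SiteCert.cer'    # placeholder: the site's leaf certificate
)

# LocalMachine\Root holds trusted roots; LocalMachine\CA holds intermediates that
# Windows uses for chain building when the server does not send them itself,
# which is the situation the "Issuing CA1 > website" path in the post describes.
Import-Certificate -FilePath $RootCertPath  -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $IssuingCaPath -CertStoreLocation 'Cert:\LocalMachine\CA'   | Out-Null

$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SiteCertPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Online revocation checking requires the CA's CRL/OCSP locations (CDP/AIA in the
# certificates) to be reachable from this client over the VPN. Switch to NoCheck
# only temporarily, to separate a trust problem from a CRL reachability problem.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$ok = $chain.Build($leaf)

"Leaf     : $($leaf.Subject)"
"Chain OK : $ok"
$chain.ChainElements | ForEach-Object { "  -> $($_.Certificate.Subject)" }
if (-not $ok) {
    $chain.ChainStatus | ForEach-Object { "  ! $($_.Status): $($_.StatusInformation.Trim())" }
}
```

    A chain that builds but reports RevocationStatusUnknown or OfflineRevocation points at CRL distribution points that are not reachable from the VPN client, a different fix from the missing root the reply addresses.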

  • Windows 2012 R2 ADRMS domain controller version and Non-domain-joined Mac Client with outlook 2011

    Hi,
    What is the AD version for Windows 2012 R2 ADRMS?  Is it possible to have a Windows 2003 R2 DC with Windows 2012 R2 ADRMS?
    Is there any installation guide for a non-domain-joined Mac client with Outlook 2011?
    What is the SQL version for Windows 2012 R2 ADRMS?
    Please advise.  Thanks.
    Kelvin Teang

    Hi Kelvin -
    There is no RMS Client for Macs.  That functionality is actually provided through the Office for Mac application (this is different compared to the PC).  Domain-joined clients will autodiscover the RMS server and should be able to create and consume
    protected content.  Non-domain-joined clients cannot automatically discover their RMS server.  In this scenario, prepare a protected document or email from a domain-joined machine and send it to your non-domain-joined users.  They will open
    the document or email up and the URLs contained in the publishing license of the document will direct them to the correct RMS server. 
    I hope that helps!
    Micah LaNasa
    Synergy Advisors
    synergyadvisors.biz

  • Change default key size on non Domain joined CA.

    Hello,
    I have one standalone non domain joined CA. I would like to change the default key size of all issued certs to 2048.  Since it is standalone, there are no AD templates to modify.  Can this be changed in the registry?
    Shawn

    CAPolicy.inf is the way to go.
    See the following thread
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/ce001d8f-c722-4429-83cb-328b92876292/how-to-change-root-certificate-keys-length-and-validity-period?forum=winserversecurity
    Hth, Anders Janson Enfo Zipper

  • Licensing for non domain joined machines

    Good Day
    Would additional licensing be required to manage non domain joined machines or would this be covered by the current EA? Can someone explain how licensing for the management of non domain machines would work?
    thanks
    daniel

    Hi,
    There is no difference if you don't want to license them differently and if that is possible in your agreement, so you should contact your MS License reseller.
    You could buy a System Center Configuration Manager CAL if you want to manage it; that will only cover ConfigMgr and not Endpoint Protection, for instance. So you should really contact your reseller and see what is the most optimal solution for your company/organisation.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Procedure to migrate workgroup server to domain?

    Hi, One of my satellite offices has been working with a server 2008 file server as a workgroup.  The administrator has created local  accounts on the server for all of the users.
    We are about to embark on moving the fileserver to the domain, and then the user workstations.   Is it possible to join the fileserver to the domain, and then create user accounts, apply appropriate ACLs, then move the workstations over to the
    domain over a period of a week or two, and still allow workgroup users to access files, or will access to files be granted only to domain users?
    If anyone can point me to some best practices for workgroup>domain migration, I'd love to do some reading.
    Thanks,
    Kevin

    Hi Kevin,
    Workgroup users can access a domain-joined server with one of the following two options:
    1. Set up local user accounts and passwords that are the same as the workgroup users' accounts (and passwords).
    2. Share folders to Everyone, and include the anonymous account in the Everyone group (this is a group policy).
    So basically you can join the server to the domain.
    If you have any feedback on our support, please send to [email protected]

  • IE 11 security settings / Server 2012 domain joined server

    Can someone clarify how the Security settings are automatically managed on domain joined computers in IE 11 / Server 2012 R2?
    There seem to be different settings depending on the IE Enhanced Security Settings.
    In particular, if IE Enhanced Security Settings are on, Security is forced to High for Internet and admins cannot change it.
    If IE Enhanced Security Settings is off for admins, Security is forced to Medium-High and admins cannot change it.
    If IE Enhanced Security Settings is off, Security is Medium-High and admins can change it.
    Is this by design?
    Run As Administrator seems to have no effect.
    This only happens on domain joined systems.
    CarolChi

    Hi CarolChi,
    IE-ESC is a feature of Windows Server. Yes, just as you think, this behavior is by design.
    For more information, please read this article:
    Internet Explorer Enhanced Security Configuration changes the browsing experience
    http://support.microsoft.com/kb/815141
    Karen Hu
    TechNet Community Support

  • Netinstall: install additional software using a script + AD domain join

    Hi Guys,
    I want to install Macs using NetInstall. I built an image using the System Image Utility.
    It's a NetInstall image and it looks like that:
    Source Mac OS X 10.8 install disk
    partition disk
    enable automated installation
    add packages and post-install scripts
    customize package selection
    create image
    Installing the OS works.
    Now I want to do the following things.
    - adding a script which installs a program. It's a .sh script which runs different actions like unpacking a tgz and copying the unpacked files.
    To be honest, I have no idea how to add this to the installation.
    - rename the device (best with an ongoing number)
    - adding an admin account
    - joining the new device to the AD domain
    Can anyone help me with these issues?
    Regards,
    Andre

    that helped, thanks
    now I have the problem, that the script is not working in netinstall.
    I can run the script on a mac manually and it works.
    But when I add it to the NetInstall, the account isn't there after the installation.
    my script:
         #!/bin/sh
         # Creates a local account named "admin" in the local directory node.
         # Note: "dscl ." addresses the local node of the system that is currently
         # booted. While a NetInstall is running that is the NetInstall image, not
         # the freshly installed target volume, which is a likely reason the account
         # is absent after the first boot from the target disk.
         . /etc/rc.common
         dscl . create /Users/admin
         dscl . create /Users/admin RealName "admin"
         dscl . create /Users/admin hint "hint"
         dscl . passwd /Users/admin password
         dscl . create /Users/admin UniqueID 501
         dscl . create /Users/admin PrimaryGroupID 80
         dscl . create /Users/admin UserShell /bin/bash
         dscl . create /Users/admin NFSHomeDirectory /Users/admin
         # Seed the home directory from the user template (path quoted because it
         # contains a space) and hand it over to the new user.
         cp -R "/System/Library/User Template/English.lproj" /Users/admin
         chown -R admin:staff /Users/admin

  • NDES & Non Domain Joined Devices

    Hi Guys
    So I've been working on a problem to get a client's mobile devices (laptops, iOS, Android et al) to authenticate to their wireless network using certificates.
    The solution is 90% complete but I've come across a problem with NDES and how I can get iOS, Android and Windows mobile devices to receive root certificates and the device/user certificates essentially "over the air".
    I've researched a few MDM solutions but that only works if the device is company owned. The reason is that if the mobile devices aren't company owned we can't install the required MDM apps on them which would enable us to control them and therefore install root certificates and the like.
    I'm curious to know who else out there has configured something like this before.
    The systems I'm working with are: a Cisco WLC, NPS, AD, AD CA, NDES (Win2012).
    Any help will be greatly appreciated.
    Prince K.
    vtechnology.com.au

    Hi,
    "how I can get iOS, Android and windows mobile devices getting root certificates and the device/user certificates essentially "Over the Air"."
    I haven’t done it myself, though here are some resources I searched for you:
    Installing the root CA on iOS
    http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_installing_root_CA_iOS.html?lang=en
    Installing the root CA on Android
    http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_installing_root_CA_android.html?lang=en
    Installing the root CA on Windows Phone
    http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_installing_root_CA_windows_phone.html?lang=en
    Please Note: Since these web sites are not hosted by Microsoft, these links may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Non-domain machines cannot launch RemoteAPP

    Hi.
    I have Server 1 with RDS WEB and RD Gateway Role. And I have Server 2 with RDS Host, License Manager, RemoteApp installed and they are in collection.
    For a test: I installed the certificate of the Enterprise CA on a non-domain computer and now it connects successfully to the RDS Web service (globalDNSname.mycompany.com). Non-domain computers log in to RDWeb well (the certificate is good). But when I launch a RemoteApp it asks me for credentials and says that the logon is unsuccessful.
    It works with domain computers and asks for no credentials. The certificate is issued to globalDNSname.mycompany.com.
    Could you help me?

    Hi,
    Can you open a successful RemoteApp connection on a domain joined system?
    The PC which is non-domain joined is on the same LAN. It might be possible that the DNS name or hostname of the server can't be resolved correctly from the non-domain joined system. Please see whether you can directly ping or get a successful connection to the server from the non-domain joined system.
    Apart from that, there are certain points that need to be checked before a successful connection. Check whether you have correctly configured the RD CAP and RD RAP policies. When you create the RD RAP, add the user groups that you defined in the RD CAP. Also, create a new RD Gateway-managed computer group that contains both the NetBIOS names and the fully qualified domain names (FQDNs) of the RD Session Host servers or the RD Session Host server farm that hosts the RemoteApp programs.
    For more details you can check the article below.
    Checklist: Make RemoteApp Programs Available from the Internet
    https://technet.microsoft.com/en-in/library/cc772415.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Non-domain computer request certificate

    We have an Enterprise CA with the Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service on the same domain computer.
    When I configure the Enrollment policy on non-domain computers by adding the existing Certificate Enrollment Policy Server:
    mmc -> Certificates (local computer) -> Personal -> Manage Enrollment Policy, all looks fine. But when I do Request
    New Certificate -> Select Certificate Enrollment Policy, a window appears with an empty list and the message:
    Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. From domain computers all works fine, I can choose templates from the list and can run the command:
       certutil -config "DomainComp\CAname" -ping
    From non-domain computers I can't do certutil -ping:
    ...Connecting to DomainComp\CAname ...
    Server could not be reached: The RPC server is unavailable. 0x800706ba

    I used username/password authentication when I installed the CES/CEP roles. If I want to use authentication with certificates, I must make a request and enroll it on the CA. This is a problem for a non-domain computer. By the way, using the method:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/098f858a-3e89-48d2-828e-274487033f6b/how-to-request-certificate-from-a-nondomain-computer?forum=winserversecurity
    I can manually make a request file, issue it on the Enterprise CA, export the certificate file, then import the certificate.
    This method
    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx does not work because an empty list of enrollment templates appears.
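    The manual path the post says does work (request file, issue on the CA, import) can be scripted end to end with certreq. The script below is an added example, not from the thread, and it also answers the earlier "Change default key size on non Domain joined CA" question: on a standalone CA the requester generates the key pair, so the key length of an issued certificate is set by KeyLength in the request .inf; CAPolicy.inf's RenewalKeyLength governs the CA's own key when the CA certificate is renewed, not the keys in certificates it issues. Assumptions: the CA config string "DomainComp\CAname" is the one from the post; the subject and file names are placeholders; the script runs from an elevated prompt on the client because the key lands in the machine store.

```powershell
# Added example, not from the original thread. Run elevated on the requesting client.
param(
    [string]$CaConfig = 'DomainComp\CAname',            # CA config string from the post
    [string]$Subject  = 'CN=client01.example.internal'  # placeholder
)

# The request .inf is where the key size is decided: the client generates the key,
# the CA only signs what it is sent (a standalone CA has no template to enforce it).
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = true
Exportable = false
KeySpec = 1
; 0xA0 = Digital Signature + Key Encipherment
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair in LocalMachine\My and write the PKCS#10 request.
certreq -new .\request.inf .\request.req

# 2. Submit to the CA. This step talks DCOM/RPC to the CA, which is exactly what
#    fails with "The RPC server is unavailable" from a non-domain client in the
#    post. If only CES (HTTPS) is reachable, hand request.req to the CA
#    administrator, have it issued there, and resume at step 3 with the .cer.
certreq -submit -config $CaConfig .\request.req .\issued.cer

# 3. Bind the issued certificate to the pending private key.
certreq -accept .\issued.cer

# Verify: the certificate is in the machine store with its private key and the
# expected 2048-bit RSA key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
        @{ Name = 'KeyBits'; Expression = { $_.PublicKey.Key.KeySize } }
```

    Step 2 is the only part that needs the RPC path the post cannot reach; splitting the flow at that point (request generated on the client, signed on the CA side, accepted back on the client) is the same workflow the linked "how to request certificate from a nondomain computer" thread describes, just without the manual MMC steps.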
