ISE 1.3 / WLC 8.x + Server 2012 R2
Hi All,
Just wondering if anyone has seen this issue and if so – a solution or any advice would be great!
Scenario.
ISE 1.3 is connected to Server 2012(R2) AD – and this is showing as connected and all tests are successful.
ISE is connected to WLC 8.x (tests on attachment showing successful)
The permissions of the service account I used for ISE to link in with AD – "domain admin" and also tried "domain users" (using domain users now) and we can see AD security groups etc
- WLC is successfully connected to ISE
SSID "Test" is configured to send to AAA - ISE
ISE has a policy that permits "domain users" on the network for web authentication
Issue I am experiencing is when I connect to the SSID I get prompted for a login - this is my domain account it’s looking for
(my account is a member of domain users only)
===============================================
I get a message on BYOD Portal (SEE ATTACHED SCREENSHOTS)
“Unable to obtain the user information needed for network access. Try again”
===============================================
If I use an account that has domain admin rights – everything works fine every time?? and I can start the process of registering my device on the network??
I would like to rule out AD if I can. (Win Server 2012 R2) -
everything looks ok from ISE as we can see AD groups etc when you select "retrieve AD groups" - I can see all built in groups etc ....
We get authenticated fine - the issue appears to be in the web-redirect and it seems like you need to be a domain admin for us to get the correct registration page.
Any help would be great
Thanks
James
Hi David
Many thanks for your response.
Yeah I have tried different users and also on ISE different groups and cross checked the SID on ISE groups to the SID on the AD group and seems both match.
My colleague is doing the ISE part and I am doing the Windows 2012R2 part and all looks ok – the service account seems to be testing out fine when running tests on ISE and displaying groups etc when I "retrieve groups from AD" (from ISE)
The finger at this time seems to be pointing at my AD … due to the domain admin accounts working and domain users not (I know these are both domain users, but as my colleague is the “boss” I just need to make sure 110% that there are no special requirements that I need to add to the computer account and/or the user account).
From the Cisco docs the service account just needs to be a domain user to read AD, but is there anything special with the ISE computer account? – At this time the ISE computer account is in the default computer OU and the ISE service account is in the.
After removing and re-adding and double checking the groups (External Identity Stores > Groups) both SIDs match on both domain users group
When I connect to the SSID I initially get prompted for a username and password then –
The BYOD Portal splash page just says BYOD Welcome “Unable to obtain the user information needed for access. Try again.” (if I use a standard user account that is a member of “domain users” only), BUT if I use my domain admin account when joining the SSID (member of domain users + domain admin) I can start the process of registering my device and I can proceed through the required steps 1,2,3,4 until I access the web.
Standard “domain user” I can’t get by step 1 as I get the “Unable to obtain the user information needed for access. Try again” message
The boss says this SSID is stripped back to just domain users and asks the question why does domain admins work?? - Hence Server AD getting a finger pointed at it.
Regards
James
I have uploaded some picts that may assist & thanks again.
Similar Messages
-
Hello, dear Colleagues.
User with administrators rights cannot change printer properties on "Advanced" tab from "Devices and Printers" on Windows Server 2012 R2.
If to launch "Devices and Printers" on server, all printer properties on "Advanced" tab are inactive (see screen below).
But I can change it manually with "Print Management". Features become active.
The main purpose - to uncheck "Enable advanced printing features" with powershell scripts.
$erroractionpreference = "continue"
$colPrinters = Get-Wmiobject -Class win32_printer -computername print_server -Filter "Name like 'printer1' or Name like 'printer2' or Name like 'printer3' or Name like 'printer4' or Name like 'printer5' or Name like 'printer6'" # get printers on server and filter with names
ForEach ($objPrinter in $colPrinters) { # get printer details from WMI
    If ($objPrinter.RawOnly -ne "True") { # check that Advanced printing features is turned on
        Write-host $objPrinter.Name
        Write-Host $objPrinter.RawOnly
        $objPrinter.RawOnly = "True" # Untick and update the object in WMI
        $objPrinter.Put()
    }
}
It works on Windows 7 workstation, but does not on print server Windows Server 2012 R2 with error
Exception calling "Put" with "0" argument(s): "Generic failure "
At \\print_server\c$\DisableAdvancedPrintingFeatures.ps1:8 char:17
+ $objPrinter.Put()
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Can you help me with that? Looks like something with rights.
Thank you.
Hello, Alan Morris.
Thanks for your reply.
I've tried to run the PS script both locally and remotely, previously running PowerShell ISE as Administrator.
I've noticed an interesting thing: if I check "Enable advanced printing features" manually through the Print Management snap-in, the script works fine. But from time to time, after some manipulations on the print server, this advanced feature returns to the enabled state automatically, by the system, I think. In this case the PS script does not work. Next, if I disable the feature manually again (through the Print Management snap-in) and enable it manually again, the PS script will work. Very strange situation.
Thanks.
-
Summary: DSC fails to fully install the SQL Server 2012 Failover Cluster, but the identical code snippet below run in powershell ise with administrator credentials works perfectly as does running the SQL server install interface.
In order to develop DSC configurations, I have set up a Windows Server 2012 R2 failover cluster in VMware Workstation v10 consisting of 3 nodes. All have the same Windows Server 2012 version and have been fully patched via Microsoft Updates.
The cluster properly fails over on command and the cluster validates. Powershell 4.0 is being used as installed in windows.
PDC
Node1
Node2
The DSC script builds up the parameters to setup.exe for SQL Server. Here is the cmd that gets built...
$cmd2 = "C:\SOFTWARE\SQL\Setup.exe /Q /ACTION=InstallFailoverCluster /INSTANCENAME=MSSQLSERVER /INSTANCEID=MSSQLSERVER /IACCEPTSQLSERVERLICENSETERMS /UpdateEnabled=false /IndicateProgress=false /FEATURES=SQLEngine,FullText,SSMS,ADV_SSMS,BIDS,IS,BC,CONN,BOL /SECURITYMODE=SQL /SAPWD=password#1 /SQLSVCACCOUNT=SAASLAB1\sql_services /SQLSVCPASSWORD=password#1 /SQLSYSADMINACCOUNTS=`"SAASLAB1\sql_admin`" `"SAASLAB1\sql_services`" `"SAASLAB1\cubara01`" /AGTSVCACCOUNT=SAASLAB1\sql_services /AGTSVCPASSWORD=password#1 /ISSVCACCOUNT=SAASLAB1\sql_services /ISSVCPASSWORD=password#1 /ISSVCSTARTUPTYPE=Automatic /FAILOVERCLUSTERDISKS=MountRoot /FAILOVERCLUSTERGROUP='SQL Server (MSSQLSERVER)' /FAILOVERCLUSTERNETWORKNAME=SQLClusterLab1 /FAILOVERCLUSTERIPADDRESSES=`"IPv4;192.168.100.15;LAN;255.255.255.0`" /INSTALLSQLDATADIR=M:\SAN\SQLData\MSSQLSERVER /SQLUSERDBDIR=M:\SAN\SQLData\MSSQLSERVER /SQLUSERDBLOGDIR=M:\SAN\SQLLogs\MSSQLSERVER /SQLTEMPDBDIR=M:\SAN\SQLTempDB\MSSQLSERVER /SQLTEMPDBLOGDIR=M:\SAN\SQLTempDB\MSSQLSERVER /SQLBACKUPDIR=M:\SAN\Backups\MSSQLSERVER > C:\Logs\sqlInstall-log.txt "
Invoke-Expression $cmd2
When I run this specific command in Powershell ISE running as administrator, logged in as domain account that is in the Node1's administrators group and has domain administrative authority, it works perfectly fine and sets up the initial node properly.
When I use the EXACT SAME code above pasted into my custom DSC resource, as a test with a known successful install, run with the same user as above, it does NOT completely install the cluster properly. It still installs 17 applications related to SQL Server and seems to properly configure everything except the cluster. The Failover Cluster Manager shows that the SQL Server Role will not come on line and the SQL Server Agent Role is not created.
The code is run on Node1 so the setup folder is local to Node1.
The ConfigurationFile.ini files for the two types of installs are identical.
Summary.txt does have issues..
Feature: Database Engine Services
Status: Failed: see logs for details
Reason for failure: An error occurred during the setup process of the feature.
Next Step: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Component name: SQL Server Database Engine Services Instance Features
Component error code: 0x86D8003A
Error description: The cluster resource 'SQL Server' could not be brought online. Error: There was a failure to call cluster code from a provider. Exception message: Generic failure . Status code: 5023. Description: The group or resource is not in the correct state to perform the requested operation. .
It feels like this is a security issue with DSC or an issue with the setup in SQL Server, but please note I have granted administrators group and domain administrators authority. The nodes were built with the same login. Windows firewall is completely disabled.
Please let me know if any more detail is required.
Hi Lydia,
Thanks for your interest and help.
I tried "Option 3 (recommended)" and that did not help.
The issue I encounter with the fail-over cluster only occurs when trying to install with DSC!
Using the SQL Server Install wizard, Command Prompt and even in Powershell by invoking the setup.exe all work perfectly.
So, to reiterate, this issue only occurs while running in the context of DSC.
I am using the same domain login with Domain Admin Security and locally the account has Administrators group credentials. The SQL Server Service account also has Administrators Group Credentials.
-
USB Pass-Through From Windows 8.1 Host To Windows Server 2012 R2 VM
I want to be able to connect with a Windows Mobile Device through Windows Mobile Device Center, within a Virtual Machine. When connecting through the Hyper-V Manager and through Remote Desktop, under "Other supported RemoteFX USB devices", I can see the Symbol USB Sync Cradle. In the VM, in Device Manager, I don't see a USB connection. In the VM, I don't see any meaningful errors in the Event Viewer.
Host: Windows 8.1 Enterprise Hyper-V on a Domain. Upgraded from Windows 8.1 Pro. When this computer was originally installed with Windows 8 Pro, Hyper-V was enabled. I removed Hyper-V, and installed VMWare Player, because I wanted USB Pass-through. I then uninstalled VMWare and installed VirtualBox. Recently, I uninstalled VirtualBox, upgraded to Windows 8.1 Enterprise, and enabled Hyper-V.
Virtual Machine OS: Windows Server 2012 R2 on a Workgroup. Started out with being a VMWare VM, using VMWare Player. Moved to VirtualBox. USB Pass-through was working in both those virtual environments. Used Disk2VHD to convert the VM to a VHDX file.
On the Host:
Windows Mobile Device Center is connected to a Motorola Windows Mobile Device (MC959X) sitting in a Symbol USB Cradle. The OS on the scanner is Windows Embedded Handheld 6.5 Classic CE OS 5.2.29217 (Build 29217.5.3.12.26). Advanced Networking (USB to PC) is not enabled.
Enabled RemoteFX.
In the RDP file, and in the Registry, added the GUIDs for:
WPD "{eec5ad98-8080-425f-922a-dabf3de3f69a}";
Windows Mobile "{6AC27878-A6FA-4155-BA85-F98F491D4F33}";
USB Device "{88BAE032-5A81-49f0-BC3D-A4FF138216D6}";
Windows CE USB Device "{25dbce51-6c8f-4a72-8a6d-b54c2b4fc835}";
GUID_DEVINTERFACE_USB_DEVICE "{A5DCBF10-6530-11D2-901F-00C04FB951ED}"
Ran "sfc /scannow"
All Microsoft Updates are current.
What am I missing?
I hope it's something like that. Those features have been installed. Here's what PowerShell shows is installed:
PS C:\Windows\system32> Get-WindowsFeature |Where {$_.Installed -eq "True"} | ft DisplayName, Installed
DisplayName                                      Installed
File and Storage Services                        True
File and iSCSI Services                          True
File Server                                      True
Storage Services                                 True
Remote Desktop Services                          True
Remote Desktop Licensing                         True
Remote Desktop Session Host                      True
Web Server (IIS)                                 True
Web Server                                       True
Common HTTP Features                             True
Default Document                                 True
Directory Browsing                               True
HTTP Errors                                      True
Static Content                                   True
HTTP Redirection                                 True
Health and Diagnostics                           True
HTTP Logging                                     True
Performance                                      True
Static Content Compression                       True
Security                                         True
Request Filtering                                True
Windows Authentication                           True
Application Development                          True
.NET Extensibility 3.5                           True
.NET Extensibility 4.5                           True
ASP.NET 3.5                                      True
ASP.NET 4.5                                      True
ISAPI Extensions                                 True
ISAPI Filters                                    True
Management Tools                                 True
IIS Management Console                           True
.NET Framework 3.5 Features                      True
.NET Framework 3.5 (includes .NET 2.0 and 3.0)   True
.NET Framework 4.5 Features                      True
.NET Framework 4.5                               True
ASP.NET 4.5                                      True
WCF Services                                     True
TCP Port Sharing                                 True
Ink and Handwriting Services                     True
Media Foundation                                 True
Remote Server Administration Tools               True
Role Administration Tools                        True
Remote Desktop Services Tools                    True
Remote Desktop Licensing Diagnoser Tools         True
Remote Desktop Licensing Tools                   True
SMB 1.0/CIFS File Sharing Support                True
User Interfaces and Infrastructure               True
Graphical Management Tools and Infrastructure    True
Desktop Experience                               True
Server Graphical Shell                           True
Windows PowerShell                               True
Windows PowerShell 4.0                           True
Windows PowerShell 2.0 Engine                    True
Windows PowerShell ISE                           True
WoW64 Support                                    True
-
SQL Server 2012 Import-Module 'sqlps' breaks the "Test-Path" PowerShell cmdlet
I've run into something that is "very" frustrating with the new SQL Server 2012 PowerShell module. When I Import the module, it breaks the "Test-Path" cmdlet when trying to test a UNC path to a directory.
For example:
"Test-Path -path \\server\dirname" returns true as expected before the sqlps module is imported. But after you import the SQL Server module "Import-Module 'sqlps' –DisableNameChecking" the same Test-Path now returns false.
If I run the following in Windows PowerShell ISE I see the following results:
Test-Path -path "\\server\directoryname"
Import-Module 'sqlps' –DisableNameChecking
Test-Path -path "\\server\directoryname"
True
False
Anyone have any idea what's going on?
UPDATE: after more testing, it looks like the problem happens with any cmdlet that references a UNC. The New-Item has the same problem. Before importing 'sqlps', New-Item is able to create a directory at the UNC path specified, but after importing 'sqlps', the New-Item fails.
Thanks!
Hi Mikea730,
Sqlps.exe doesn't take advantage of a couple of these nice PowerShell V2 cmdlets without doing a bit of configuring in your environment.
Please refer to the following references to make some configuration in your server
http://www.maxtblog.com/2010/11/denali-get-your-sqlpsv2-module-set-to-go/
http://www.simple-talk.com/sql/database-administration/practical-powershell-for-sql-server-developers-and-dbas-%E2%80%93-part-1/
http://sev17.com/2010/07/making-a-sqlps-module/
Thanks,
Iric Wen
TechNet Community Support
-
How to do Server 2012 R2 Network Policy Server MAC Authentication without adding ad users?
I have a Network Policy Server running on Server 2012 R2. I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication and that works great.
Now I want to add a policy to this server so I can also do MAC address authentication for our unauthenticated open wireless SSID so I can assign roles based on the MAC address. I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.
I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password. I do not want to do that. This is not an option.
I have also found several posts about using ieee802Device. I can't find a way to get that to work.
I also found a suggestion to use the msNPCallingStationID AD attribute. I can easily set this for each user as their MAC addresses, but how do I configure the NPS server to use this attribute to authenticate this?
If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!
Thank you for your assistance!
Hi,
I think you may have some misunderstanding about MAC address authorization. MAC address authorization is based on the MAC address of the network adapter installed in the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt.
MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names, therefore you need to add the MAC address as the computer user name and password.
Using the MAC address as user name and password is a condition required by Cisco® switches; about your switch device, please ask your hardware vendor.
If you want to combine MAC address filtering and EAP authentication, you can refer to the following related article:
Enhance your 802.1x deployment security with MAC filtering
http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
More information:
MAC Address Authorization
http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx
Authorization by User and Group
http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx
The similar thread:
NPS: Override User-Name and User Identity Attribute
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP
The related third party article:
Configuring IEEE 802.1x Port-Based Authentication
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569
MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
Hope this helps. -
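An added example, not part of the thread and not NPS code, illustrating the Calling-Station-ID handling described in the reply above: it parses a RADIUS Access-Request, takes the identity from User-Name or, when absent, Calling-Station-Id, and reports whether a MAC-named account would be found or whether only the notation differs. The packets, the account names and the function and verdict names are constructed for illustration; the attribute numbers come from RFC 2865.

```python
import struct

# Packet code and attribute type numbers from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME = 1
CALLING_STATION_ID = 31


def build_access_request(identifier, attributes):
    """Encode a minimal Access-Request (constructed input, all-zero authenticator)."""
    body = b""
    for attr_type, value in attributes:
        data = value.encode("ascii")
        body += struct.pack("!BB", attr_type, len(data) + 2) + data
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Return {type: [raw values]} after validating every length field."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def normalize_mac(text):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    digits = "".join(ch for ch in text if ch not in "-:. ").lower()
    if len(digits) == 12 and all(ch in "0123456789abcdef" for ch in digits):
        return digits
    return None


def classify_mac_request(packet, account_names):
    """Return (verdict, identity) for a MAC-based request.

    identity is User-Name when the access device sent one, otherwise the
    Calling-Station-Id string exactly as it arrived on the wire.
    """
    attrs = parse_attributes(packet)
    calling = attrs.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace")
    user = attrs.get(USER_NAME, [b""])[0].decode("ascii", "replace")
    mac = normalize_mac(calling)
    if mac is None:
        return ("no-mac", calling)
    identity = user or calling
    # Account names are compared case-insensitively.
    if identity.lower() in {name.lower() for name in account_names}:
        return ("account-found", identity)
    # Same adapter, but written differently from the account name.
    if mac in {normalize_mac(name) for name in account_names}:
        return ("format-mismatch", identity)
    return ("unknown-device", identity)


# Constructed sample data: hypothetical account names and three requests
# using MAC addresses from the IANA documentation range.
ACCOUNTS = {"00005e005301", "00005e005302"}
SAMPLES = {
    "name_is_mac": build_access_request(
        1, [(USER_NAME, "00005e005301"), (CALLING_STATION_ID, "00-00-5E-00-53-01")]),
    "csid_only": build_access_request(2, [(CALLING_STATION_ID, "00-00-5E-00-53-02")]),
    "unknown": build_access_request(3, [(CALLING_STATION_ID, "00:00:5e:00:53:7f")]),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify_mac_request(pkt, ACCOUNTS))
```

A `format-mismatch` verdict means the device is known but the access device writes the address differently from the account name, so the fix is in the notation rather than in the list of devices.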
SharePoint Foundation 2013 installed on Windows Server 2012 not sending out email notification
I have a server where I installed SP Foundation 2013 on top of Windows Server 2012. I have configured the SMTP as well as the outgoing SMTP in Central Administration of SharePoint. When I create an alert on a document library, it does not send any email notification on the changes made to the document in the document library. So, I created a workflow to send out email using SPD2013. The workflow runs, but it cannot send out email, with an error saying that outgoing email is not configured correctly. I have checked with another server on which I installed SP Foundation 2013 on top of Windows Server 2008 R2 - it's sending out email just fine using the same configuration and outgoing SMTP.
I need help to resolve this issue or at least the cause of the problem.
Any help is greatly appreciated.
Try below:
http://social.technet.microsoft.com/wiki/contents/articles/13771.troubleshooting-steps-for-sharepoint-alert-email-does-not-go-out.aspx
1) Go to Central Admin ---->Operations----->outgoing email settings and verify that SMTP server is mentioned correctly
2) Test the connectivity with the SMTP server.
In order to do that follow these steps:
Open cmd
telnet <SMTP server name> 25 ( We connect smtp server to the port 25)
you should see a response like this 220 <servername> Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at date and time
Beware that different servers will come up with different settings but you will get something.
If you don't get anything then there could be 2 possible reasons, either port 25 is blocked or the smtp server is not responding.
For testing response from your server
For testing response say ehlo to it.
Type :
ehlo <servername>
output:
250 <servername> Hello [IP Address]
Now a test mail can be sent from that SharePoint server.
Now we need to enter the From address of the mail.
Type :
mail from: [email protected]
output:
250 2.1.0 [email protected]….Sender OK
It's time to enter the recipient email address.
Type : rcpt to: [email protected]
output:
250 2.1.5 [email protected]
Now we are left with the data of the email. i.e. subject and body.
Type : data
output:
354 Start mail input; end with <CRLF>.<CRLF>
Type:
subject: this is a test mail
Hi
This is test mail body
I am testing SMTP server.
Hit Enter, then . and then Enter.
output:
250 2.6.0 <<servername>C8wSA00000006@<servername>> Queued mail for delivery
Type: quit
output:
221 2.0.0 <servername> Service closing transmission channel
3) Check alerts are enabled for your web application
verify if the windows timer service is running or not.
Run this stsadm command to check that
Stsadm.exe -o getproperty -url http://SharePoint-web-App-URL -pn alerts-enabled
This should return <Property Exist="Yes" Value="yes" />
If you don’t get this, Enable alerts by:
stsadm.exe -o setproperty -pn alerts-enabled -pv "true" -url http://SharePoint-web-App-URL
If it's already enabled, try turning it off and back on.
4) Check the Timer job and Properties
Go to
MOSS 2007: Central Administration > Operations > Timer Job Definitions (under Global Configuration)
In SharePoint 2010: Central Administration > Monitoring > Review Job Definitions
Check whether the "Immediate Alerts" job is enabled for your web application. check these properties:
job-immediate-alerts
job-daily-alerts
job-weekly-alerts
stsadm.exe -o getproperty -url "http://Your-SharePoint-web-App-URL" -pn job-immediate-alerts
The expected output is:
<Property Exist="Yes" Value="every 5 minutes between 0 and 59"/>.
If you don’t get this, run the following command to set its value.
stsadm.exe -o setproperty -pn job-immediate-alerts -pv "every 5 minutes between 0 and 59" -url http://Your-SharePoint-web-App-URL
5) Check whether the account is subscribed for alerts and it has a valid email account. This should be the first thing to check if the problem persists for some users not for all.
6) Then check if at all those users have at least read permission for the list. Because the first mail should go out for every user without security validation but the next ones won't be delivered unless the user has at least read permission.
7) If it is happening for one user, can also try to delete and re add the user in the site.
8) Most importantly , you should try this one.
Run this SQL query to the content db < Select * from Timerlock>
This will give you the name of the server which is locking the content database and since when.
In order to get rid of that lock
Go to that server which is locking the content db and then restart the windows timer service.
within some time it should release the lock from content db, if not then at the most stop the timer job for some time
Once the lock will be released then try to send some alerts
You will surely get the email alert.
I found this is the most probable reason for alert not working most of the time. We should start troubleshooting with above steps before coming to this step for any alert email issue but from step 1 to step 7 are best for new environments or new servers.
If the issue is like this ,alert was working before and suddenly stopped working without any environmental change then above conditions in step 1-7 should be ideally fine.
Even after this if it is not working, then you can try these few more steps too
9) Try re-registering the alert template:
stsadm -o updatealerttemplates -url http://Your-SharePoint-Web-App-URL -f "c:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\XML\alerttemplates.xml" -LCID 1033
10) Try to clear the configuration cache
If this helped you resolve your issue, please mark it Answered
-
ASA and RADIUS on Windows Server 2012
Hi, I have an ASA5505 and I want to get the authentication from a RADIUS server using NPS on Windows Server 2012. I tested the RADIUS server with "Kerio Control VMware Virtual Appliance" and it works perfectly for testing my settings on RADIUS, but with the ASA5505 I get this message: "Error authentication rejected aaa failure"
Running Config
: Saved
ASA Version 9.1(3)
hostname NazcoFW
domain-name default.domain.invalid
enable password XgEKS9WizHnI9IUJ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XgEKS9WizHnI9IUJ encrypted
names
interface Ethernet0/0
switchport access vlan 22
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 12
interface Ethernet0/3
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport access vlan 32
shutdown
interface Vlan1
nameif NAZCO
security-level 100
ddns update hostname OSI
dhcp client update dns server both
ip address 172.16.200.1 255.255.255.0
interface Vlan12
nameif outside4
security-level 0
ip address 172.16.4.254 255.255.255.0
interface Vlan22
nameif Outside20
security-level 0
ip address 172.16.20.254 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
dns domain-lookup NAZCO
dns server-group DefaultDNS
name-server 10.1.1.1
name-server 10.1.2.1
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network HP5220
host 10.10.10.105
object network ak20
host 10.10.10.110
object network hp5520
host 192.168.2.105
object network HP7000
host 192.168.2.106
object network HP5520
host 192.168.2.105
object network ak04
host 10.10.10.110
object network HP400
host 192.168.2.107
object network out04
range 192.168.2.200 192.168.2.220
object network AK04
host 10.10.10.110
object network oooo
subnet 10.10.10.0 255.255.255.0
object network 444
host 10.10.10.110
object network OSITOINT
subnet 10.10.10.0 255.255.255.0
object-group network OSItoOUT04
network-object object out04
access-list outside20_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging asdm-buffer-size 512
logging trap informational
logging asdm informational
logging host NAZCO 10.10.10.10 17/6161
logging debug-trace
logging permit-hostdown
mtu NAZCO 1500
mtu Outside20 1500
mtu outside4 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (NAZCO,outside4) source dynamic any interface dns
nat (NAZCO,Outside20) source dynamic any interface dns
route Outside20 0.0.0.0 0.0.0.0 172.16.20.1 1
route outside4 0.0.0.0 0.0.0.0 172.16.4.1 11
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Keefa-Raduis protocol radius
aaa-server Keefa-Raduis (NAZCO) host 172.16.200.10
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 NAZCO
snmp-server host NAZCO 10.10.10.196 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity fru-insert
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
telnet timeout 5
ssh scopy enable
ssh 172.16.200.0 255.255.255.0 NAZCO
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access NAZCO
dhcp-client update dns server both
dhcpd dns
dhcpd update dns both
dhcpd address 172.16.200.20-172.16.200.89 NAZCO
dhcpd dns 172.16.20.1 172.16.4.1 interface NAZCO
dhcpd lease 1048575 interface NAZCO
dhcpd update dns both interface NAZCO
dhcpd enable NAZCO
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
username admin password bZmVDHuxUzzxS3yz encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
service call-home
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:357b7c6f861e8aa9bb3a3674a789b39b
: end
asdm image disk0:/asdm-721.bin
no asdm history enable
Hi
Looks like the AAA configuration is set for local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
Change it to Radius
aaa-server Keefa-Raduis protocol radius
aaa-server Keefa-Raduis (NAZCO) host 172.16.200.10
key *****
radius-common-pw *****
For example:
aaa authentication telnet console Keefa-Raduis LOCAL
Now when you telnet in using RADIUS credentials, it should work. If RADIUS goes down, you can use the LOCAL username and password as a fallback method.
Cheers!
Minakshi(Do rate the helpful post) -
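An added example, not part of the original posts: a small Python audit of the `aaa authentication ... console` lines discussed in the reply above. It reports which management services are LOCAL-only, which use a server group with LOCAL fallback, and which name a group that no `aaa-server` line defines. The sample config is constructed from the lines quoted in the reply; `audit_aaa` and the finding labels are names assumed for this example.

```python
import re

# Constructed sample: the AAA lines quoted in the reply, with only telnet
# switched to the RADIUS server group as the reply suggests.
SAMPLE_CONFIG = """\
aaa-server Keefa-Raduis protocol radius
aaa-server Keefa-Raduis (NAZCO) host 172.16.200.10
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console Keefa-Raduis LOCAL
"""

GROUP_RE = re.compile(r"^aaa-server[ \t]+(\S+)[ \t]+protocol[ \t]+(\S+)", re.M)
HOST_RE = re.compile(r"^aaa-server[ \t]+(\S+)[ \t]+\((\S+)\)[ \t]+host[ \t]+(\S+)", re.M)
AUTH_RE = re.compile(
    r"^aaa authentication[ \t]+(\S+)[ \t]+console[ \t]+(\S+)(?:[ \t]+(LOCAL))?[ \t]*$",
    re.M,
)

def audit_aaa(config):
    """Return {service: finding} for each 'aaa authentication <svc> console' line."""
    groups = {name: proto.lower() for name, proto in GROUP_RE.findall(config)}
    hosts = {}
    for name, _iface, host in HOST_RE.findall(config):
        hosts.setdefault(name, []).append(host)
    findings = {}
    for service, method, fallback in AUTH_RE.findall(config):
        if method == "LOCAL":
            findings[service] = "local-only"
        elif method not in groups:
            # Typical cause: the group name is spelled differently in the two places.
            findings[service] = "undefined-group:" + method
        elif not hosts.get(method):
            findings[service] = "group-has-no-host:" + method
        elif fallback:
            findings[service] = groups[method] + "+local-fallback"
        else:
            findings[service] = groups[method] + "-no-fallback"
    return findings

if __name__ == "__main__":
    for service, finding in sorted(audit_aaa(SAMPLE_CONFIG).items()):
        print("%-8s %s" % (service, finding))
```

Run against a saved copy of the running configuration, this shows at a glance which console methods still bypass the RADIUS server.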
I need to run an Active Directory that is on a WAN (Utah). A Server 2012 Standard will be the DC with 60Mbps internet speed both up and downstream.
Approximately 100 clients/member systems will be all over the United States. NO VPN. Only via internet. I can use an SSL certificate for secure LDAP.
I need this setup to use GPO for different permissions and policies instead of manually doing those on each Windows 7 or 8 Professional system.
Ideas??
Daniel,
I think since this will be the ONLY system that will be running as a DC providing ADDS and the DirectAccess server, I should follow this advice from the article you sent:
For users who never connect directly to the Contoso intranet or through a VPN, they must use the DirectAccess
Offline Domain Join process to initially join the appropriate domain and configure DirectAccess. When this process
is complete, the users log on normally and have the same experience as if they were directly connected to the Contoso intranet.
Because remember, no user will ever connect directly to the subnet where the server is. So do an offline join first and then start managing. The only thing I'm worried about is: they keep saying that the DirectAccess function has significantly improved in Windows 8. Hmmmmm, many systems will be using Windows 7 Pro 64-bit, some Windows 8.1 Pro 64-bit. Should I worry? -
Use one profile for all user profiles in Server 2012 R2
Hi
I am setting up a Windows Server 2012 R2 template on VMware.
I will make some changes with the local admin user, and want all users that log in to servers made from this template to get the user profile I have set up for the admin account.
How do I do that?
Regards
StigKSand
The way I used to do this was to create a new profile the way I wanted, with any shortcuts, applications etc. installed. Then I would create another user account on the PC and make it an admin.
Reboot the PC to ensure it hasn't got the pre-configured profile loaded and log in with your newly created admin account.
Then right-click This PC in Windows Explorer and select Properties, then select Advanced system settings, and select User Profiles on the Advanced tab. You can then select the profile you made all the configuration to, and click Copy and then select default profile.
This should then mean any new users who log in get this default profile on this server.
Hopefully that is what you were referring to.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer -
Remote Desktop Connection Manager can only open 6 sessions at a time on Server 2012
I am only able to open, and view thumbnails, for a maximum of 6 RDP sessions on my Server 2012 box at a time in Remote Desktop Connection Manager (RDCM). If I add more sessions I just get a variety of connection errors for the additional sessions. If I activate a 7th session one of the existing 6 sessions goes off-line with a connection error message. Sometimes the error says 3334, sometimes the error says 0x8345000E, and sometimes it just says there is a connection error.
I have checked Group Policy on the server to ensure I don't have any settings restricting the number of RDP sessions.
In fact, I will often have 30 or 40 RDP simultaneous sessions opened, I am just not able to view them all in RDCM. I have seen reviews of RDCM with screenshots showing dozens of thumbnails so it seems to be something that's possible to do.
Are there any settings I should make on the server to allow RDCM to connect to more than 6 simultaneous RDP sessions?
Just to be clear, all these RDP sessions are running on the same server. Also, I am just using the trial license for Server 2012 and Remote Desktop Services right now. I don't think that should have an impact, but I wanted to be thorough.
Thanks Jakub for the "corflags" info.
Unfortunately it doesn't work because the mRemoteNG.exe process running in 64-bit can't load the MSTSC ActiveX component (referenced assemblies) because the original files were assembled from the 32-bit DLL [mstscax.dll]?
Error message when making an RDP connection:
Could not load file or assembly 'Interop.MSTSCLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. An attempt was made to load a program with an incorrect format.
I was able to create new AxInterop.MSTSCLib.dll and Interop.MSTSCLib.dll assemblies from the 64-bit DLL version and now it works with "AnyCPU" :-)
http://www.filedropper.com/axinteropmstsclib-mremoteng
Using AxImp.exe and TlbImp.exe didn't work for me because it creates assemblies in the wrong namespace "MSTSCLib" instead of "Interop.MSTSCLib" (AxImp.exe), and TlbImp.exe for changing the namespace generated many "marshaled errors", so the final .dll wasn't working.
Adding the MSTSCAX.dll reference in Visual Studio directly created correct and functional assemblies. Anyone who doesn't know how to create 64-bit compatible assemblies or doesn't have Visual Studio, feel free to check the linked file.
Hope it helps
P.S. Sorry for possible technical misinterpretation, I am not a programmer so creating new assemblies was a trial-and-error process... -
Error while installing SQL Server 2012 X64 SP2,
When I installed the SQL Server 2012 X64 SP1, I got the attached error.
What might be the issue here?
Thank you
Best
Jamal
Hello,
Are you trying to install SQL Server on a compressed or encrypted drive? SQL Server won’t install on a drive/folder with these attributes.
Are you trying to install SQL Server on a ReFS file system? It is not supported on SQL Server 2012.
Disable any security/antivirus software and download the media again. Mount the media (.ISO file) and try to install again.
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com -
New Server 2012 install - Active Directory not working properly
We recently converted from 2003 to 2012. Our 2012 R2 server seems to be running fine. We did a DCPROMO on the OLD 2003 DC just fine but now there are all sorts of odd errors (Sharepoint can't authenticate users, Can't run Exchange 2013 on another 2012 server because it can't find AD, etc.)
On the DC we have a Group Policy error 1096. "Group Policy Object LDAP://CN=User,cn={2B476B3E-2749-4B1B-8EC1-F5672A66F94F},cn=policies,cn=system,DC=mydom,DC=local\\mydom.local\SysVol\mydom.local\Policies\{2B476B3E-2749-4B1B-8EC1-F5672A66F94F}\User\registry.pol"
So far I haven't found anything on how to fix this (and the AD itself.) There are some errors in the DCDIAG log, too:
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\ISD-DC1\netlogon)
[ISD-DC1] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
Any suggestions how we can fix these errors are greatly appreciated!
Hi,
Did you migrate the Active Directory from Windows server 2003 to Windows server 2012?
Please refer to this article:
https://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
Regards.
Vivian Wang -
Failed to install Windows Server 2012 in virtual machine hosted in Windows 8.1
I installed Hyper-V in Windows 8.1, then when I tried to install Windows Server 2012 R2 or Windows Server 2008 R2 in a virtual machine, I got the following error:
The following is my virtual machine setting:
Is there anyone who can help to resolve it? Thank you very much.
Hi,
Good to hear that you have solved this issue. Thanks for sharing as it would be helpful to anyone who encounters similar issues.
Best regards,
Susie -
How to install Windows Server 2012 as a Virtual Machine on Windows 7 64 bit machine
Hi All,
I need to install a virtual Windows Server 2012 on a Windows 7 machine (8 GB RAM, 64-bit machine).
Please give me the list of required software to install. If possible then please give a download link as well.
Thanks
mit
Since you're on Windows 7 I'd probably go for using VirtualBox https://www.virtualbox.org/ to host the virtual machine.
Downloading 2012 depends on what you're after really; if you've got TechNet / MSDN then you can download it from there, otherwise you'd need to have a licenced copy. You can download 180 day evaluation versions from the Microsoft website here:
2012 - http://technet.microsoft.com/en-gb/evalcenter/hh670538.aspx
2012 R2 - http://technet.microsoft.com/en-gb/evalcenter/dn205286.aspx