Lync trial and Active Directory changes

Similar Messages

• Sun java directory server and Active Directory

  We are using two different directory servers Sun java directory server and active directory.
  My question is how we can have password synchronization between these two directory servers.
  I have checked Sun Java[TM] System Identity Synchronization for Windows 1 2004Q3
  http://www.sun.com/download/products.xml?id=41537425
  It seems that it's supported platforms is only for solaris and windows , but I have installed my Sun java directory server on linux and obviously it doesn't work for me.
  I would be grateful if anyone can suggest a solution to work around this situation.
  I have checked identity manager , I would like to know that if I can do this using this product.
  http://www.sun.com/software/products/identity_mgr/specs.jsp
  --regards.
  Sara

  Yes RHEL 4 is a supported OS with DSEE 6.0.
  Identity Synchronization for Windows is a part of DSEE that allows synchronization of users, passwords and groups between Sun Directory Server and Active Directory bi-directionally without altering the users environments, ie it does not require that users change their current habits.
  Identity Manager is a complete identity management solution that is targetting enterprise work flow when it comes to user provisioning and de-provisioning, but also allows to build authentication and password change forms that will provision the passwords to many different systems including Sun Directory Server and Active Directory but also IBM mainframes, legacy applications, databases...
  If you are implementing a complete identity management solution, then go with Identity Manager. If you need a lightweight and fast solution for just synchronizing users and passwords between Sun DS and MS AD, Identity Synchronization for Windows should be your choice.
  Regards,
  Ludovic.

• Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

  Hello,
  Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
  Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:23: TPLUS: processing authentication start request id 444
  Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
  Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
  Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
  Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
  Oct  6 13:52:23: T+: user: 
  Oct  6 13:52:23: T+: port:  tty515
  Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
  Oct  6 13:52:23: T+: data: 
  Oct  6 13:52:23: T+: End Packet
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
  Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
  Oct  6 13:52:23: T+: msg:  Username:
  Oct  6 13:52:23: T+: data: 
  Oct  6 13:52:23: T+: End Packet
  Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
  Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
  Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
  Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
  Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
  Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
  Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
  Oct  6 13:52:30: T+: User msg: <elided>
  Oct  6 13:52:30: T+: User data: 
  Oct  6 13:52:30: T+: End Packet
  Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
  Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
  Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Oct  6 13:52:30: T+: msg:  Password:
  Oct  6 13:52:30: T+: data: 
  Oct  6 13:52:30: T+: End Packet
  Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
  Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
  Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
  Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
  Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
  Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
  Oct  6 13:52:37: T+: User msg: <elided>
  Oct  6 13:52:37: T+: User data: 
  Oct  6 13:52:37: T+: End Packet
  Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
  Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
  Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
  Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
  Oct  6 13:52:37: T+: msg:  Error during authentication
  Oct  6 13:52:37: T+: data: 
  Oct  6 13:52:37: T+: End Packet
  Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:37: TPLUS: Received Authen status error
  Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
  Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
  Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
  Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
  Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
  Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:49: TPLUS: processing authentication start request id 444
  Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
  Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
  Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
  Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
  Oct  6 13:52:49: T+: user: 
  Oct  6 13:52:49: T+: port:  tty515
  Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
  Oct  6 13:52:49: T+: data: 
  Oct  6 13:52:49: T+: End Packet
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
  Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
  Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
  Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
  Oct  6 13:52:49: T+: data: 
  Oct  6 13:52:49: T+: End Packet
  Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
  The 1113 acs failed reports shows:
  External DB is not operational
  thanks,
  james

  Hi James,
  We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
  this error means the external server might not correctly configured on ACS external database section.
  Another point is to make sure we have remote agent installed on supported windows server.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
  Also provide the Auth logs from the server running remote agent, e.g.:-
  AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
  Attempting Windows authentication for user v-michal
  AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
  authentication FAILED (error 1783L)
  thanks,
  Vinay

• ### How to make integration between UCCX and Active Directory##

  Hello,
  I want to know what is the right procedure to perform a right integration between the UCCX and the Active Directory?
  Waiting Yours Reply,,,,
  Thanks a lot......

  What version?
  Assuming a current version (5.0 and higher): there is NO direct integration between CCX and Active Directory. The CCX server must not be joined to a domain.
  CCX uses UC Manager End Users for synchronized usernames and passwords. If UC Manager is synchronized with an LDAP source, such as Active Directory, then this will carry forward to CCX. CCX would pass authentication requests to CCX through AXL. UCM would perform the LDAP authentication and inform CCX of the success/failure.

• Cucm 9.1.2 and Active Directory(Windows Server 2003 Standart Edition SP2)

    Hello!
   Can CUCM 9.1.2 support an integration with Active Directory(Windows Server 2003 Standart Edition SP2)? How do I have to write down LDAP Manager Distinguished Name? I can find supporting only Active Directory 2003 in documentations without reference to Operation System.

  Yes, it is possible.
  Check this how-to if you have any doubts about the process.
  http://blog.ipexpert.com/2010/04/28/cucm-and-active-directory-integration/
  http://www.markholloway.com/blog/?p=1189

• Difference between Windows NT domain registry and Active Directory registry

  What are the difference(s) ?

  Frank, thanks for your response :)
  I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service. 
  In my configuration the requirement is to make WebSphere Application server to use Microsoft's Active Directory. 
  While I was going through (WebSphere) documentation, I see following note.
  " With Windows NT domain registry support for Windows 2000 and 2003 domain
  controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers
  because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not support by Windows NT domain registry. The Active Directory is a centralized control registry."
  You can find the above note in this link (somewhere after 7th line)
  http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
  Does it mean that they are recommending to use Active Directory over Windows NT (which is an older approach) with windows server 2000 or windows server 2003 because Active directory is
  advanced ?
  I was under the impression that, Active Directory was started with Microsoft Windows Server 2003 and Windows NT registry was used till Windows 2000 server.
  After going through above links, 
  Windows NT registry in an old method. However, it is compatible with Windows Server 2000 and Windows server 2003 but it is recommended to use Active directory with Windows Serve 2003 as it is more advanced. And the same is recommended in WebSphere documentation
  (I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003 however this is to clear doubt). Is my understanding correct ? And does windows server 2000 also support both i.e we can use either Windows
  NT registry or Active directory and similarly, Either of them (Windows NT or Active Directory) could be used with Windows Server 2003 ?
  And if I got it correct, Is Windows NT and Active Directory, both directory service offering from Microsoft? While NT being an old method and Active Directory being a new/advanced approach ?

• Step by step process to create domain name and active directory in windows 7 64 bit

  Step by step process to create domain and active directory in windows 7 64 bit
  I work in an organization
  I want to create a domain name SBBYDP and make it server for other computers
  I want that, all users’ have a personal account while they use any computer from this organization, even they use any computer from this network they use their own account to login to network.
  And this may be in Active directory option.
  I installed windows 7 professional edition 64 bit
  Can any person help me? Step by step process, I always thanks full all of you

  Hi,
  You must use the Windows Server platform system for the AD service, you can refer the following KB first:
  Active Directory
  http://technet.microsoft.com/en-us/library/bb742424.aspx
  AD DS Deployment Guide
  http://technet.microsoft.com/zh-cn/library/cc753963(v=ws.10).aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Open directory and Active directory

  Hello everyone.
  I am from a school in london. We currently have 8 servers (7 running Server 2003 and a recently installed Mac server running os x server 10.5)
  We have recently installed new macs into our media room and need them to be set up to work with the current domain setup.
  what we wish to do is to run the media centers computers through the Mac server but get the existing domain information from the Active directory server running windows. As i have not set up a mac server before I am having certain difficulties doing this. The first time we set up the active directory on the mac server we could log into the mac computers but could not change any of the policies to different groups to allow or deny certain applications from running. Everytime i go to save a policy for a certain group we get the error message
  "Error while saving record "Finchley\Level 1@ Error -14140
  Im guessing this is because we are trying to save that to the active directory and not onto the mac server so how can we Map the active directory to the Macs open directory so that we can customize the mac group policies?
  Sorry if that didnt make alot of sense im typing abit fast
  Thanks

  Have you been here?
  http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od45.html
  It should be straight forward, depending on how your AD accounts are setup.
  Unfortunately, I currently see a bug in the system which is often causing the home directory share to fail to mount when I use the AD plug-in in its default configuration. I'm pleading with Apple to fix this soon.
  If you use the plug-in in "true network home" fashion, by unchecking the 'force local home' option, then you should avoid this annoying bug. This method however requires plenty of network bandwidth and space for your entire Mac home folder.

• DNS, Certificates, and Active Directory - School Setup Issues

  Our school has been piloting a small iPad depolyment.  I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
  1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
  2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
  3. About 90 iPads, and a handfull of Mac desktops
  In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
  However, this is not the case.  The setup seems to work for awhile; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of issues I am seeing:
  a.) DNS service on the Mac server turns itself ON randomly.  DNS should NOT be running this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
  b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
  c.) AD binding breaks randomly and I have to rebind the server to AD
  d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
  I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

  Yes, I am not giving the real domain name here.
  No prob. just checking, sometimes people have weird domain names never know if they are real or they expect them to be real or they put domain names owned by someone else on their internal network eek.
  Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
  Go to Network Utility on your mac, type in your real domain name (whatever you are changing to school.org to hide it) what comes back. On my server I see the below (I have replaced my real, Internet legal domain, to 'example.com')
  In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
  So you have set DNS forwarders on the Mac machine?
  I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
  On mac machine terminal type $less /etc/resolv.conf and copy paste what it says. In server app Services | DNS right side does it say you have forwarders?
  Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
  Lookup has started…
  Trying "example.com"
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
  ;; QUESTION SECTION:
  ;example.com.                   IN        ANY
  ;; ANSWER SECTION:
  example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
  example.com.     10800          IN         NS          server.example.com.
  example.com.     10800          IN         MX          10 server.example.com.
  ;; ADDITIONAL SECTION:
  server.example.com. 10800       IN          A          192.168.1.20
  Received 145 bytes from 127.0.0.1#53 in 2 ms

• Oracle 9i and Active directory

  Hi,
  We have Oracle 9i R2 and windows 2003 Active Directory as domain controller on the same server.
  I'm not comfortable with this idea having both on the same machine and I am considering to put them on separate servers, and to integrate Oracle with Active Directory.
  Is it advisable to leave then on the same machine? are there any known problems?
  I couldn't find any documents from Oracle regarding this. any suggestions any links will be appreciated.
  Tony Garabedian

  If I remove the server of being a domain controller with AD (dcpromo out, and losing the Administrator profile on that machine) and leave only Oracle on it, will Oracle still be functional?Yes. But I'd check file access rights. Anyway you'll still have local Admin account available. Think about:
  . I got a domain admin account
  . I install Oracle
  . I leave the company and my account is deleted
  => oracle is still working perfectly
  I can't see any reason this would work otherwise in your case. Anyway you could just create a full server backup, and if any problem restore it (Ghost for example).
  The sole problem would be if you defined oracle users identified via AD acess, but that works weird anyway.
  Furthermore, I totally agree with Jaffar. Use OID rather than AD. We had many problems to setup a working config there... afterwards this was too much time-consuming to manage and I changed it to OID. Since then it's working kind of magic.
  Regards,
  Yoann.

• 801.x WLANs authenticated via Radius and Active Directory permit any user access any WLAN

  Hi,
  I have configured several WLANs with WPA2 and 8021.x which authenticate users through Radius server (Windows Internet authentication service) that conects with an Active Directory, into the AD exists one user group for each WLAN but the problem is that any user that was added to some group can get access to any WLAN, does anyboby know if I need some configuraion on the WLC to restric that?
  thanks for your help.

  Hi Scott,
  I have done some test modifying the Radius Policy to look at called station ID and test too looking at the NAS-ID, In the first case, I change the Call Station ID Type into WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID and into the Radius Server using .*:SSID-NAME$ and SSID-NAME$ ,but it blocks access for any user. In the second case, I change the NAS-ID into WLC WLAN and interface confguration and into the radius server Policy to match all, but it doesn´t have any impact, what other test could I try?
  thanks for your help. 

• Route mail and Active Directory Sites and Services configuration

  Folks,
  I have a problem in the internal email routing. My network is spread across various regions and the branch offices are connected together in a mpls network (full mesh). Every region has its own Exchange Server with all roles installed and the smtp connection
  to the outside world is linked to two Exchange servers in the headquarter server farm.
  The problem is that internally I often see emails going across the Exchange Servers in the branch offices where there is low bandwidth (from 3 to 5 Mbps), thus email are sent first to these servers instead of going immediately to the Exchange hosting
  the mailboxes of the intended recipients. This happens also with inbound emails.
  This causes slowness in the email system and sometimes also the network with these branch offices suffers from packet loss or very high latency.
  I know that Exchange is a site-aware application and uses the Active Directory topology for message routing and to communicate with the services that are running on other Exchange 2013 computers. For this reason I have checked the Active Directory Sites
  and Services and surprisingly I have found that there are no sites, no subnets, nothing has been defined but the default settings, included the Inter-Sites transport which contains the default DEFAULTIPSITELINK.
  Apart from the fact that clients use logon servers which are not supposed to use in the far remote offices, I am concerned of changing the Exchange Infrastructure whilst the email system is running and I would like to ask your opinion about my next steps:
  1) Create subnets for every office
  2) Create sites and then link them to the subnets done in point 1
  3) Delete the DEFAULTIPSITELINK and create new site links based on the costs (network speed) in order to determine the best routing server. I have 5 remote offices with 5 different network bandwidth, so I'll have to create 5 IP site links: high cost for
  link with slow network, low cost for fast network.
  4) (Optional) Configure the Exchange-specific cost using the Set-AdSiteLink cmdlet to the AD IP site links created previously
  Apart from the valid questions on why the previous Exchange Administrator have forgotten to set up the Active Directory (Topology) Sites and Services...
  ...And why have chosen to install all Exchange Roles to each server when there was no reason to do that (there are two servers connected to the external smtp gateways in the headquarter, so in my opinion the Exchange Servers in the remote branch offices
  should have had only the mailbox and the cas role)...
  As a matter of fact, my idea is to go further and create the sites,subnets and the ip site link. If I still notice a wrong email flow, I can configure an ad-hoc Exchange-specific cost using the Set-AdSiteLink cmdlet. Does this sound reasonable to you guys
  or I am taking the wrong decisions?
  Thanks

  Thank you very much for your link. This is exactly the page I have read just before posting my question here. It is not easy for me to understand why this has been setup this way by a Microsoft certified engineer.
  There are specific rules to follow when Active Directory and Exchange are located in multiple sites and I am not a skilled Exchange Administrator... he keeps saying that it is correct and also tells that if I go forward with my ideas there is the
  risk to increase the level of complexity. I prefer more complexity than default setting, and as a consequence of that, connectivity problems!
  Hopefully everything goes well. I will post my results here once I have done the changes
  Regards

• OS X Server and Active Directory

  Hi
  I'm trying to use OS X Server 10.5 with Active Directory and have got to the stage where I can view AD users and groups in Workgroup Manager and have authenticated on the domain.
  However, if I try and change a user's password I get "The password could not be set. The action failed because you are not authorized to perform the operation."
  Also, if I try and create an account on the domain I receive the following - "Got unexpected error Error of type eDSNoStdMappingAvailable (-14140) on line 4267 of /SourceCache/WorkgroupManager/WorkgroupManager-319/PMMUGMainView.mm".
  I can delete accounts using Workgroup Manager and have confirm this has worked by checking in AD so can't understand what's going on.
  Any help greatly appreciated!

  You should post your question in the OS X Server forums:
  http://discussions.apple.com/category.jspa?categoryID=96

• OID and Active Directory

  1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
  2 Marshall data from Active Directory on demand (live link)?
  3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
  4 Can Oracle Single-Sing-on work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication).

  This is what I have to share with you....For further details refer link http://otn.oracle.com/products/oid/index.html and Oracle Internet Directory Administrator's Guide.
  1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
  For synchronizing from Microsoft Active Directory to Oracle Internet Directory, you need to track changes in Microsoft Active Directory and configure your Active directory connector giving its URL, user account and password to be used by the Active Directory connector, its DIT info on domain which contain the users/groups. And in the Active Directory synchronization profile you'll have to set the mapping rule.
  2 Marshall data from Active Directory on demand (live link)?
  Yes, its possible to migrate data between directories. Configure your Active Directory connector and External auth Plug-in. And use the Directory Integration and Provisioning Assistant.
  3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
  Yes, its possible. When a user tries to log in, the OracleAS Single Sign-On server tries to verify the credentials the user enters against those stored in Oracle Internet Directory. If the user credentials are not there, then the Oracle directory server invokes the Active Directory external authentication plug-in. This plug-in verifies the user credentials in Microsoft Windows. If the verification is successful, then the Oracle directory server notifies the OracleAS Single Sign-On accordingly.
  4 Can Oracle Single-Sing-on work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication).
  Oracle Application Server Single Sign-On enables native authentication, also called autologin, in a Microsoft Windows environment. Once logged into the Windows desktop, the user automatically has access to Oracle components. OracleAS Single Sign-On automatically logs the user into the Oracle environment using user's Kerberos credentials.

• ACS 5.2 does not check Active directory changes

  Hi all,
  I am working with ACS 5.2 and using Radius authentication for vpn client.
  The authentication method used is Active Directory in an Windows enviroment with multiple domains in the same forest.
  My problem occurs when i change a user from one group to another in Active Directory. After that i receive the following message when try to connect:
  15039 Selected Authorization Profile is DenyAccess
  The message is because match the default policy.
  Another user in the same AD group works fine.
  All domain in the forest have trust relation each other.
  I am using universal groups to include users from all domain belongs this forest.
  Can anyone help me?
  Regards

  Dear all,
  Hope you can help me with a similar issue i am facing on migration from Cisco ACS 4.1.24 to Cisco 5.3.0.40
  and testing Radius authentication for vpn client users.
  The authentication method used is external Active Directory and for some users authenticating to the external AD via ACS, the following message is obtained:
  "15039 Selected Authorization Profile is DenyAcces", which results in Auth failure.
  Other users on the same AD group seem to work fine and there are no changes performed on the AD for any of the  concerned users.
  Looking at the detail report for the user, confirms  that no attributes  are returned to the Radius(under the other  attributes field) from the  external server. The Radius also returns the  following messages:
  "24412 User not  found in Active Directory"
  "22056 Subject not found in the applicable  identity store(s)"
  Within the ACS Identity sequence in the ID store, the  sequence is set to match on AD first and then Internal user.         The  Identity for the default network profile(for Radius users) is  configured to General sequence. The same user/s seem to work fine when  swithced to ACS4.
  We are also looking at possible NTP sync issue with the ACS/AD or  any NTLM/Kerberos auth issues or any issues related to applying the  latest ACS patch to the box.Please let me know if there is any AD related configs to be modified.
  Any help will be appreciated.
  Thanks and Regards.