NTLM Authentication with a domain controller/active directory

Similar Messages

• Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

  Hi,
  I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described
  in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller 
  When I run Farm configuration wizard to provision search service application, I get an error:
  ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
  The log file logged the details of this error as:
  ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
  that cannot be translated."
  After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
  be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
  I got some pointer from the below thread
  https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
  However, the above thread doesn't state that the solution worked.
  I have tried creating share manually for Analytics_<Guid> folder but it doesn't work since every time farm configuration wizards is run it creates a new Analytics_<Guid> folder.
  Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
  Can some please guide me on how to successfully provision search for SharePoint Foundation 2013 setup as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
  Thanks in advance.
  Himanshu

  Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
  Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Install Domain Controller, Active Directory, RemoteApps on Single Server?

  Have a server that I want to experiment with RemoteApps.   Documentation I have read state you need to have a Domain Controller setup with AD on one server, and have a second server to install all the RemoteApps requirements. Is this true or can
  this all be done on one server.
  If I need a separate server for the Domain Controller and Active Directory, can I assume that a low end server would be sufficient?  Or would using Hyper-V with a single hardware server and create two virtual machines: one as the DC/AD, and the other
  to run Remote Apps be a possible solution.  Any advice?

  it really depends to be honest. I'd probably go something like this though:
  One Small physical server to act as a domain controller - you could put DHCP on this too
  One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined. 
  Then for your VM's create the following:
  1 x additional domain controller
  For remote desktop services:
  1 x Remote Desktop Session Host
  1 x Connection Broker
  1 x Gateway and web server
  For additional services
  1 or 2 x Exchange
  1 x sharepoint
  1 x IIS
  but it really depends what you want to achieve. 
  The benefit from Virtual machines is that you can keep separate virtual servers for separate applications. 
  If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance. 
  Hope this helps you a bit more. And thanks for positive blog feedback - its appreciated. 
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn:

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• [Forum FAQ] How to sync time with a Domain Controller for a standalone server

  As we all known, if a computer belongs to an Active Directory domain, it will sync the time automatically by using the Windows Time service that is available on Domain Controllers.
  While a standalone server will synchronize with its local hardware time and Windows time server. (Figure 1)
  Figure 1.
  Under some circumstances, a standalone server is necessary in a product environment. We can sync the time of this standalone server with the Domain Controller using
  the steps below:
  1. Modified the value of the AnnounceFlags:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
  Under this entry we can see the default value of AnnounceFlags is 10 (Decimal), we configure the value as 5 (Decimal). (Figure 2)
  Figure 2.
  2. Confirm the value of the registry key below is set to 0:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer 
  Figure 3.
  3. Configure the standalone server to synchronize with a specific time source (Domain Controller).
  In our test, we configured our Domain Controller (192.168.10.200) as the time source. Used the following commands:
  w32tm /config /syncfromflags:manual /manualpeerlist:192.168.10.200
  4. Sync the time with the Domain Controller using the command below:
  w32tm /config /update
  From the figure below (Figure 4), you can see the after we did all the steps above, the time on the standalone server was synced with the Domain Controller.
  Figure 4.
  (Note: Peerlist is a separated list of DNS servers, or IP Addresses for the time servers)
  More information:
  Windows Time Service Tools and Settings
  http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx#w2k3tr_times_tools_dyax
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  Thank you for the instruction! I am sure it is one of the scenarios that majority of administrators will run into. So I suggest to write a wiki about it and publish it for this month's TechNet Guru in Windows Server section. This month's TechNet Guru can
  be found here:
  Calling All Wise Men! Windows
  Server Gurus Needed! Apply Within! No One Turned Away!
  Thanks for your informative post. :)
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• How to configure multiple domains in Active directory

  HI,
  How can I configure multiple domains on Active Directory. When I installed AD it asked for a domain name, there I gave ravigupta.com as domain name. But now I find no way of creating another domain.
  I am a java developer and my task is to write a programme which returns all the domains available in LDAP server.
  To start with ,I tried to create few domains in LDAP server ( AD ) but stuck up ,as i found there could exist only one domain.
  Please tell me how to configure multiple domains in LDAP server ( Active Directory).
  I skiped DNS configuration while AD installation.
  -ravi

  I'm sorry, but you should be asking on a different forum. This has nothing to do with Java.

• Integrating SAP ECC 6.0 with Microsoft Windows 2003 Active Directory

  Hi Gurus,
  We are planning to integrate our SAP ECC 6.0 with Microsoft Windows 2003 Active directory.
  I have several questions on this:
  1. Can i authenticate all the users from SAP
  2. It is used only for user authentication or can it be also used for password authentication
      ie user can login using his windows password?
  3. While integration in SAP does a separate table or a field is created in database.
  4.If a employee leaves a company than in SAP is it possible to lock & deactivate the user automatically.
  Thanks in advance.
  Regards,
  Nihar

  Hi Mastek,
  You should be able to accomodate your needs with respect to integration of your AD accounts with SAP ECC ABAP. This can be done via LDAP connector configuration. The below has info on how to perfrom the configuration at a high level. You will have to integrate, and map certain user data. You may also want to do some LDAP Connector research:
  [http://help.sap.com/saphelp_nw70/helpdata/en/10/1a063a15c611d4b61f0000e835363f/content.htm]
  On the Java stack - you can also confugure UME to integrate/authenticate with AD:
  [http://help.sap.com/saphelp_nw70ehp2/helpdata/en/12/7678123c96814bada2c8632d825443/content.htm]
  Hope this helps!

• How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

  Dear All,
  We are having an infrastructure setup of around 500 client computers managed through group policy.
  Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
  Since this account requires extremely strict environment, we need to figure the solution for restricting the users from access anything locally.
  It would be great if you can assist me with the following query.
  How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
  Can we disable Network Tab on the left hand pane ?
  explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

  >   * explorer.exe is blocked already, but users are able to enter the
  >     Windows Explorer by clicking on the name which is visible on the
  >     Start Menu.
  You cannot block explorer.exe when you do not replace the shell - the
  desktop you see effectively IS explorer.exe...
  Your requirement sounds like you need a custom shell:
  http://gpsearch.azurewebsites.net/#2812
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• 802.1x using authentication from NT Domain Controller instead of Radius

  I would like to know if it's possible to configure 802.1x using authentication from NT Domain Controller, instead of using Radius or Tacacs.

  It is possible to use MS AD, generic LDAP, Novell NDS for authentication, it's fairly common.
  The issue is "How do get the device to talk to the authentication source ... (AD, DC, NDS, LDAP)?"
  The answer is RADIUS.
  You can configure RADIUS to pull authentication from a variety of source (depending on the RADIUS - many/most can use any of the LDAP-based systems).
  So, yes, certainly you can use the Microsoft AD, but you need RADIUS to connect the two systems (the 802.1x device and the AD server).
  If cost is the issue, try freeRADIUS (www.freeradius.org) - it's fully featured (can use LDAP, AD, NDS, Certificates, etc), it's free, and configuration is much easier than it looks ....
  Good Luck
  Scott

• Active Directory integrated LION with offline Domain Controller

  Hi,
  I have some OS X Lion machine, and all of them joined into the Win2008 AD. There is no any issue when the Domain Controller is reahcable, but when it is not reahcable, or the machine is not in the same network as the DC, then I am not able to login with my AD user.
  In Windows the last credential is stored on the local machines. So if the machine is OFFLINE from the DC, then it is able to let the AD user to login.
  Is there any trick or option how I can implement it with my LION clients? Or there is no way to use AD user when the AD is not reachable?
  Thanks in advance!

  He actually didn't specify much about dynamic updates requirements for old domains, if they don't need secure dynamic updates then a primary zone would work:
  The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server that is configured to load
  either a standard primary or directory-integrated zone.
  REF: Understanding Dynamic updates
  This post is provided AS IS with no warranties or guarantees, and confers no rights.
  ~~~
  Questo post non fornisce garanzie e non conferisce diritti

• Web-controller Active Directory authentication

  We have a 10.5.7 xserve as our Podcast Producer server. The server is tied to Active Directory for authentication. I just recently installed the web controller. When I authenticate with a local server account, I get in just fine. But, when I try to authenticate to the web controller with an AD account it fails.
  Now I know that since 10.5.6 in Podcast Capture I have had to select "single sign-on" in the app's preferences. Does anyone know if there is something similar in the web controller?

  I figured it out. May not be the perfect solution, but it works until 10.5.8.
  In /Library/Preferences/com.apple.pcastserverd.plist
  Find the following:
  <key>httpauthtype</key>
  <array>
  <string>basic</string>
  <string>digest</string>
  <string>kerberos</string>
  </array>
  Change to:
  <key>httpauthtype</key>
  <array>
  <string>basic</string>
  </array>
  Restart PCP:
  sudo launchctl unload /System/Library/LaunchDaemons/com.apple.pcastserverd.plist
  sudo launchctl load /System/Library/LaunchDaemons/com.apple.pcastserverd.plist
  Log into your server with an AD account at https://server.domain:8143

• Joining 10.8.5 with existing account to Active Directory domain

  Hi-
  I have a MacBook Pro that I am using as a test computer to figure out how to introduce the growing population of Mac's into our Active Directory environment in our small company. This comptuer is running OSX 10.8.5
  There is a test account in AD that I will be using to connect to the windows domain. I am able to get the Laptop binded to AD, and have no problem authenticating, and seeing all the network resources required.
  Here is the part that has me stumped:
  Is there any way to take my existing "local" account that was configured when I began using my MBP without Active Directory and continue to use it, but logon to the laptop using my Active Directory account?
  Perhaps copy all the settings and preferences from the local account ontop of the AD account on the laptop?
  I have been using this laptop as my personal machine for many months and have quite a few customizations made to my deskop preferences, icon layouts, etc. This will be same case with all of the users that will soon be authenticating on the domain. We need this for centralized management of network shares, password policies, and number of other security features.
  There is some limited information on the web, but nothing that I have tried really works, here's some of what i found and the difficulty that resulted.
  http://community.spiceworks.com/how_to/show/37886-convert-mac-local-user-into-ac tive-directory-network-user
  - The script mentioned in step 3 was not able to copy local account to the destination folder.
  http://robotcloud.screenstepslive.com/s/2459/m/5322/l/112415-convert-local-accou nts-to-network-mobile-accounts
  - The sudo mv /Users/USERNAME /Users/DIRUSERNAME command was not able to make the "DIRUSERNAME" directory, and did not have any effect if this directory already existed due to a prior logon.
  I'm just looking for some help making it so that my users can retain their desktop layouts that they are used to, but logon to the domain using AD credentials.
  Seems simple, but is pretty difficult to get done.
  Thanks in advance for any help....
  -Aaron

  This might help:
  http://www.afp548.com/article.php?story=20060517222656622&query=radius

• Replication with Domain and Sub domain in Active directory sites and services

  I seen many AD enviroments and know that when you have mutiple DCs you use Active Directory Sites and services to replicate using the NTDS Settings. If you have a Domain and sub domain do you need to do this as well or does it sync up automatically because
  it's a sub domain? A see a couple of domains where the NTDS settings isn't being used to snyc with the child domain. Just wondering if that is normal or will it cause authentication errors?

  I seen many AD enviroments and know that when you have mutiple DCs you use Active Directory Sites and services to replicate using the NTDS Settings. If you have a Domain and sub domain do you need to do this as well or does it sync up automatically
  because it's a sub domain? A see a couple of domains where the NTDS settings isn't being used to snyc with the child domain. Just wondering if that is normal or will it cause authentication errors?
  Two way transitive trusts are configured automatically when you create a child domain or tree root domain. You don't have to worry about site/subnet or replication part at least from trust perspective. But make sure site's names are unique in each domain.
  How Domain and Forest Trusts Work
  http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
  http://technet.microsoft.com/en-us/library/cc730868.aspx
  http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx
  Awinish Vishwakarma - MVP
  My Blog: awinish.wordpress.com
  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• Windows client error joining with Samba 4.2 Active Directory server

  I have a basic samba 4.2 ADC setup on CentOS 7 and I get a RPC server not available whenever I attempt to join a windows client to the domain. The smb.conf is default on created during provisioning. All indicated pre-testing seems to work as expected. The windows client finds the domain and recognizes a valid user or not but the last step of joining the domain ends with the error "Unable to join the Domain RPC server not available. Does anyone have any ideas?
  Thanks Paul 
  This topic first appeared in the Spiceworks Community

  I have a scenario for you in active directory when two passwords may be valid:
  Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
  Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.
  The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
  User1 decides to call the helpdesk and changes his password to "456".
  The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be
  valid.
  If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC
  emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
  Regards,
  ~JG
  Do rate helpful posts

• Downgrade of Windows 2012 r2 to Windows 2012 Domain Service Active Directory

  I have an uncertainty. we used adprep /forest and adprep /domain tools on windows 2012 R2 to update the domain active directory. But after promoting a domain controller to windows 2012 R2, we realized that a tool we use to authenticate computer account not
  supported for domain controllers in Windows 2012 R2. Here comes the question, I can to install direct and promote a domain controller windows 2012 without running the adprep /forest and adprep /domain tools of Windows 2012?.
  I hope be clearly.
  tks.
  migrations

  Hello,
  as others mentioned there is no problem to promote a Windows Server 2012 into the domain as the functional level is fine for this.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.