Windows 8.1 Enterprise joined to Active Directory, shows email login

In Windows 7, I knew how to set the login default domain to Active Directory via the registry. That setting does not seem to have the same effect in Windows 8.1 Enterprise.
I have a tablet joined successfully, and can login without any errors. The only problem I have is when it boots up, or someone logs out, the login screen defaults to the MS Live email login. We do not use that in our Domain, and I want to either disable that option, or set it to connect to our Active Directory servers as the first option.
I have looked in Local Group Policy, the Registry, etc. and have not found anything that refers to that. Is it something simple that I am just overlooking?
AKChappy

I believe the group policy you are looking for is called "Accounts: Block Microsoft Accounts"
You can find it here: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
More info:
http://technet.microsoft.com/en-us/library/jj966262.aspx
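Added example, not part of the thread: the "Accounts: Block Microsoft accounts" policy is backed by a single registry value, so on one tablet you can read back what the machine currently has and set it without opening the policy editor. Assumptions labelled in the code: the value is `NoConnectedUser` under the `Policies\System` key, with 1 = users can't add Microsoft accounts and 3 = users can't add or log on with Microsoft accounts (the two choices the security option offers). On a domain-joined machine a GPO that sets this option overwrites whatever you write locally at the next refresh, so the local write is for testing; the durable fix is the GPO itself.

```powershell
# Added example (not from the original post). Audits and sets the registry value behind
# the "Accounts: Block Microsoft accounts" security option on a single Windows 8.1 machine.
# Assumption: DWORD NoConnectedUser under the key below; 0 = disabled, 1 = can't add
# Microsoft accounts, 3 = can't add or log on with Microsoft accounts. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-MicrosoftAccountBlockState {
    # Returns the human-readable meaning of the current value, or "not configured".
    $item  = Get-ItemProperty -Path $PolicyKey -Name NoConnectedUser -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.NoConnectedUser } else { $null }
    if ($null -eq $value) { return 'Not configured (Microsoft accounts allowed)' }
    switch ($value) {
        0       { 'This policy is disabled' }
        1       { "Users can't add Microsoft accounts" }
        3       { "Users can't add or log on with Microsoft accounts" }
        default { "Unexpected value $value" }
    }
}

function Set-MicrosoftAccountBlockState {
    # Level 3 is the one that removes the Microsoft-account sign-in path entirely.
    param([ValidateSet(1, 3)][int]$Level = 3)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name NoConnectedUser -PropertyType DWord `
        -Value $Level -Force | Out-Null
}

function Test-PolicyManagedByGpo {
    # If a domain GPO delivers this option, the local write will be overwritten on refresh.
    # gpresult /r lists the applied GPOs; the name check here is an assumption for the example.
    $report = (& gpresult /r /scope:computer 2>&1) -join "`n"
    $report -match 'Applied Group Policy Objects'
}

# Usage: inspect, set, inspect again, then remind yourself whether a GPO will undo it.
Get-MicrosoftAccountBlockState
Set-MicrosoftAccountBlockState -Level 3
Get-MicrosoftAccountBlockState
if (Test-PolicyManagedByGpo) { 'Computer GPOs are applied here; set the option in the GPO as well.' }
```

Sign out and back in after setting the value; the logon UI reads it at session start. Remember that value 3 also blocks users from signing in with an existing Microsoft account, which is the intended effect for a domain-only fleet but will surprise anyone who had linked one.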

Similar Messages

  • I am getting a Changing Password Failed error when I try to join an active directory

    I had a working AD configuration under Snow Leopard. When I upgraded to Mountain Lion, my account was no longer in sync with the domain. I got the red dot on the login screen and my domain password was out of sync. I unhooked from the domain at that point. This was several months ago.
    However, over the last few weeks, I keep finding myself locked out of the domain. I suspect it's something on my Mac that is trying to use my old credentials. I was hoping to rejoin the domain and see if I could get my account back in sync. When I get a domain admin to enter his password on the Directory Utility join screen, it first notes that the computer account already exists in the domain. I tell it to continue, but I can't get past this point:
    2013-06-24 14:21:20.729935 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
    2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINE,OU=Default,OU=Workstations,OU=MyCity,OU=North America,DC=GLOBAL,DC=OURCORP,DC=NET'
    2013-06-24 14:21:20.732822 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x7faef36ed770'
    2013-06-24 14:21:20.733141 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service kdc for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.734196 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.734221 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741380 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741416 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.741619 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password
    2013-06-24 14:21:20.741637 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password using: MS set password in realm GLOBAL.OURCORP.NET
    2013-06-24 14:21:20.741648 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - using TCP since the ticket is large: 1560
    2013-06-24 14:21:20.741665 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service change_password for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.742867 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.742908 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745231 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745250 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
    2013-06-24 14:21:20.745417 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for '[email protected]' with error '' (3)
    2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
    2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

    Reggierror,
Had the same issue and discovered that I made my AD object name too long (16 instead of 15 characters, which is the limit). You might want to try making the computer object name shorter if you can.

  • I have windows server 2012 R2 and install active directory

    My question is I install active directory in windows server 2012 R2 and create Group Policy. ( These set-up is only for test)
    Have not registered domain only install active directory to test. 
So the problem is when I created a Group Policy for my user and put a software restriction policy in it, but it affected my administrator accounts too. Now when I open VMware (installed Virtual Machine Windows XP) and start the OS, it shows "you can not use this software as you are restricted from installing software" (something like that, I don't know the exact error). I could not start the installed Virtual Machine.
    Please give me a solution for this.
    This is the setup for test use only, so there is no big environment connected with my PC.
    Thanks in advance.
    Regards,
    Krunal

    Hi,
    The following article is talking about creating and managing Group Policy on a Windows Server 2012:
    http://www.thomas-krenn.com/en/wiki/Creating_and_managing_a_Group_Policy_on_a_Windows_2012_Server
    As Darren Blanchard mentioned, if you want to apply the GPO, you could link it to an OU that contains the computer or user.
    Group Policy Overview
    http://technet.microsoft.com/en-us/library/hh831791.aspx
    Please feel free to let us know if you need further assistance.
    Regards.
    Vivian Wang
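Added example, not part of the thread: before re-linking the GPO it helps to see exactly which Software Restriction Policy the test machine received and why a given executable is blocked, because SRP's "Enforcement" setting has an "all users except local administrators" option that is the usual cause of administrators being caught. Assumptions, also marked in the code: SRP stores its delivered state under the `Safer\CodeIdentifiers` policy key; `DefaultLevel` 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted; `PolicyScope` 0 = all users, 1 = all users except local administrators; path rules live under `<level>\Paths\<guid>` with the path in `ItemData`. The VMware path used in the usage call is a placeholder.

```powershell
# Added example (not from the original post). Read-only audit of the Software Restriction
# Policy this machine received, plus a simplified matcher that tells you which path rule
# catches a given executable. Assumptions: registry layout and value meanings as below.

$SaferKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    # Enumerates <level>\Paths\<guid> subkeys; other rule types (hash, certificate, zone)
    # are ignored here, and they take precedence over path rules in real SRP evaluation.
    foreach ($levelKey in Get-ChildItem -Path $SaferKey -ErrorAction SilentlyContinue) {
        $level = $levelKey.PSChildName -as [int]
        if ($null -eq $level) { continue }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                Path        = [string]$p.ItemData
                Description = [string]$p.Description
            }
        }
    }
}

function Get-SrpSummary {
    if (-not (Test-Path $SaferKey)) { return 'No SRP policy has been delivered to this machine.' }
    $root = Get-ItemProperty -Path $SaferKey
    $default = if ($null -eq $root.DefaultLevel) { 'Unrestricted (not set)' } else { $LevelNames[[int]$root.DefaultLevel] }
    [pscustomobject]@{
        DefaultLevel = $default
        # PolicyScope 1 is the "All users except local administrators" enforcement option.
        AppliesTo    = if ($root.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users, administrators included' }
        Enforcement  = if ($root.TransparentEnabled -eq 2) { 'All software files' } else { 'All software files except libraries (DLLs)' }
        PathRules    = @(Get-SrpPathRules)
    }
}

function Test-SrpPathRule {
    # Simplified matcher (assumption): a rule naming a folder covers everything beneath it and
    # the longest matching path wins, which is SRP's documented "most specific rule" behaviour.
    # Registry-path rules (%HKEY_LOCAL_MACHINE\...%) are not expanded by this example.
    param([Parameter(Mandatory)][string]$ExePath)
    $target = [Environment]::ExpandEnvironmentVariables($ExePath)
    $hits = @(Get-SrpPathRules | ForEach-Object {
        $pattern = [Environment]::ExpandEnvironmentVariables($_.Path)
        if ($target -like $pattern -or $target -like ($pattern.TrimEnd('\') + '\*')) { $_ }
    })
    if ($hits.Count -eq 0) { return 'No path rule matches; the default level applies.' }
    ($hits | Sort-Object { $_.Path.Length } -Descending)[0]
}

# Usage (placeholder path): see the scope first, then ask which rule blocks the VM binary.
Get-SrpSummary | Format-List
Test-SrpPathRule -ExePath 'C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe'
```

If `AppliesTo` reports that administrators are included, the GPO's SRP "Enforcement" properties are where to change it; linking the GPO to an OU that does not contain the administrator accounts, as the answer suggests, is the other way to keep them out of scope.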

  • UME w/MS Active Directory - Storing email address as User ID

    Thanks in advance.
    I am looking to store an email address as the User ID using UME and LDAP/AD.  I know that samAccountName is the UserID in active directory and it has a limitation of storing special characters like @ sign, etc.  If I want to store the email address as the user ID, what options do I have with the UME?  Is there a provision to do a data mapping or foreign key lookup??
    Chris Temple
    E.ON U.S.

    For the question to relink the new account to the account which is already available in Project Server: you will have to update WRES_AD_GUID to NULL for the Resource in the MSP_RESOURCES table in the published database.
    Whenever a user gets synchronized to the PWA, his ADGUID, SAMAccountName, Display Name, Email Address and DepartmentName are synchronized from AD to Project Server. When the user was deleted and recreated, the ADGUID changed. During the next sync, Project found the user with similar properties but a different ADGUID, which was updated in the WRES_AD_GUID column in the MSP_RESOURCES table. Hence it says that there is a duplicate account in the table with the same properties but a different ADGUID.
    Nullifying the WRES_AD_GUID column value in the MSP_RESOURCES table should get the user synchronized to Project Server in the next sync.
    Cheers! Happy troubleshooting !!! Dinesh S. Rai - MSFT Enterprise Project Management Please click Mark As Answer if a post solves your problem or Vote As Helpful if a post has been useful to you. This can be beneficial to other community members reading the thread.

  • PowerShell Script Get the User's Active Directory Fully Qualified Login Name for Specific Locked Out Accounts

    I have a script which displays locked out accounts. It works great.
    I'd like to display the fully qualified Active Directory Login Name instead of the LastName, First Name:
    Example: Davis, Susan
    Want instead: Domain\Susan.Davis
    I'd also like to include an additional filter to look for only Domain\Susan.Davis OR Domain\Robin.Givens
    Here is my script:
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
    $colProplist = "name","samaccountname"
    foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
    $colResults = $objSearcher.FindAll()
    foreach ($objResult in $colResults) {
        $domainname = $objDomain.name
        $samaccountname = $objResult.Properties.samaccountname
        $user = [ADSI]"WinNT://$domainname/$samaccountname"
        $ADS_UF_LOCKOUT = 0x00000010
        if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
            $objResult.Properties.name
        }
    }
    John

    Sorry, I should have mentioned that the cmdlets I'm using are part of the Active Directory module. You'll need to install the RSAT (Win7+) to use them.
    If you'd rather stick with your DirectorySearcher methods instead of moving to the AD module, you can adjust your output by using something like this instead:
    if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
        "$domainname\$($objResult.Properties.samaccountname)"
    }
    $domainname might not be what you're expecting, just FYI.
    As for filtering, you can add to the if statement and check for your known usernames only.
    Don't retire TechNet! -
    (Don't give up yet - 12,700+ strong and growing)
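Added example, not part of either post: a DirectorySearcher-only version that produces `DOMAIN\sAMAccountName`, resolves the NetBIOS domain name from the forest's Partitions container instead of trusting `$objDomain.name` (the reply's "might not be what you're expecting" caveat), restricts the query to a list of known user names inside the LDAP filter, and reports whether a lockout is still in force, since `lockoutTime` is not cleared when the domain's lockout duration expires. Assumptions, also marked in the code: PowerShell 3.0 or later, a domain-joined machine with read access to the domain and configuration partitions, and placeholder user names. With the Active Directory module installed, `Search-ADAccount -LockedOut` gives the same list with less code.

```powershell
# Added example (not the original poster's script). Lists locked-out accounts as
# DOMAIN\sAMAccountName using only System.DirectoryServices, optionally filtered to known
# names. Assumptions: PowerShell 3+, domain-joined host, read access to the directory.

function ConvertTo-LdapFilterLiteral([string]$Value) {
    # RFC 4515 escaping so a supplied user name cannot change the filter's structure.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-DomainNetbiosName {
    # DirectoryEntry.Name holds the first RDN of the domain DN ("DC=contoso"), not the
    # NetBIOS name. The crossRef object under Partitions carries the authoritative mapping.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext.Value
    $configDn = $rootDse.configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$configDn")
    $searcher.Filter = "(&(objectClass=crossRef)(nCName=$domainDn))"
    [void]$searcher.PropertiesToLoad.Add('nETBIOSName')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No crossRef found for $domainDn" }
    [string]$hit.Properties['netbiosname'][0]
}

function Get-LockedOutAccountNames {
    param([string[]]$OnlyUsers = @())   # e.g. 'Susan.Davis','Robin.Givens' (placeholders)
    $netbios = Get-DomainNetbiosName
    $domain  = New-Object System.DirectoryServices.DirectoryEntry   # default naming context

    # Lockout duration from the domain head; DirectorySearcher returns large integers as
    # Int64 in 100 ns units, negative because it is an interval. Assumption: "0 minutes"
    # (locked until an administrator unlocks) is stored as 0 or Int64.MinValue.
    $ds = New-Object System.DirectoryServices.DirectorySearcher($domain, '(objectClass=domainDNS)')
    $ds.SearchScope = 'Base'
    [void]$ds.PropertiesToLoad.Add('lockoutDuration')
    $dur        = [int64]$ds.FindOne().Properties['lockoutduration'][0]
    $indefinite = ($dur -eq 0 -or $dur -eq [int64]::MinValue)
    $window     = if ($indefinite) { [TimeSpan]::Zero } else { [TimeSpan]::FromTicks(-$dur) }

    $userClause = ''
    if ($OnlyUsers.Count -gt 0) {
        $terms = $OnlyUsers | ForEach-Object { "(sAMAccountName=$(ConvertTo-LdapFilterLiteral $_))" }
        $userClause = '(|' + ($terms -join '') + ')'
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.PageSize = 1000
    # objectCategory=person excludes computer accounts, which also match objectClass=user.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1)$userClause)"
    foreach ($p in 'sAMAccountName', 'lockoutTime') { [void]$searcher.PropertiesToLoad.Add($p) }

    foreach ($r in $searcher.FindAll()) {
        $sam      = [string]$r.Properties['samaccountname'][0]
        $lockedAt = [DateTime]::FromFileTimeUtc([int64]$r.Properties['lockouttime'][0])
        [pscustomobject]@{
            Account     = "$netbios\$sam"
            LockedAtUtc = $lockedAt
            # lockoutTime stays set after the duration passes; compute whether it still applies.
            StillLocked = $indefinite -or (($lockedAt + $window) -gt [DateTime]::UtcNow)
        }
    }
}

# Usage: everyone with a lockout stamp, then only the two names the poster cares about.
Get-LockedOutAccountNames | Format-Table -AutoSize
Get-LockedOutAccountNames -OnlyUsers 'Susan.Davis', 'Robin.Givens' | Where-Object StillLocked
```

The `StillLocked` column matters for triage: an account whose stamp is older than the lockout duration is already usable again, and a stream of fresh stamps against the same few names is the pattern to look for when a device with a stale password, or a password-spraying source, is behind the lockouts.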

  • Active Directory replication and login errors (Plz HELP !!)

    Hi All,
    We have one forest domain (XXXX.LOCAL)and lots of child domains (XXX.XXXX.LOCAL).
    We are facing issue that child domains are not able to login with forest administrator account and there are also lots of replication errors.
    Exchange OWA gives error of not able to find particular XXX.XXX.local child domain.
    dcdiag from child domain is:
    C:\Windows\system32>
    C:\Windows\system32>nltest.exe /dsregdns
    Flags: 0
    Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully
    C:\Windows\system32>nltest.exe /dsregdns
    Flags: 0
    Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully
    C:\Windows\system32>
    C:\Windows\system32>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = PMA-DC01
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: HEC-CITY\PMA-DC01
          Starting test: Connectivity
             ......................... PMA-DC01 passed test Connectivity
    Doing primary tests
       Testing server: HEC-CITY\PMA-DC01
          Starting test: Advertising
             Warning: PMA-DC01 is not advertising as a time server.
             ......................... PMA-DC01 failed test Advertising
          Starting test: FrsEvent
             ......................... PMA-DC01 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... PMA-DC01 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... PMA-DC01 passed test SysVolCheck
          Starting test: KccEvent
             ......................... PMA-DC01 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             [PMA-DC02] DsBindWithSpnEx() failed with error -2146893022,
             The target principal name is incorrect..
             Warning: PMA-DC02 is the PDC Owner, but is not responding to DS RPC
             Bind.
             [PMA-DC02] LDAP bind failed with error 8341,
             A directory service error has occurred..
             Warning: PMA-DC02 is the PDC Owner, but is not responding to LDAP
             Bind.
             Warning: PMA-DC02 is the Rid Owner, but is not responding to DS RPC
             Bind.
             Warning: PMA-DC02 is the Rid Owner, but is not responding to LDAP
             Bind.
             Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
             responding to DS RPC Bind.
             Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
             responding to LDAP Bind.
             ......................... PMA-DC01 failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... PMA-DC01 passed test MachineAccount
          Starting test: NCSecDesc
             Fatal Error: Cannot retrieve SID
             (the line above is repeated 44 times in the original output)
             ......................... PMA-DC01 failed test NCSecDesc
          Starting test: NetLogons
             ......................... PMA-DC01 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... PMA-DC01 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,Replications Check] Inbound replication is
             disabled.
             To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
             [Replications Check,PMA-DC01] Outbound replication is disabled.
             To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
             ......................... PMA-DC01 failed test Replications
          Starting test: RidManager
             ......................... PMA-DC01 failed test RidManager
          Starting test: Services
                w32time Service is stopped on [PMA-DC01]
             ......................... PMA-DC01 failed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00000010
                Time Generated: 04/21/2014   19:16:04
                Event String:
                Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:42
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHORE._sites.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._udp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kpasswd._tcp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kpasswd._udp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHORE._sites.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x00000C8A
                Time Generated: 04/21/2014   19:44:51
                Event String:
                This computer could not authenticate with \\LHR-DC01.XXXX.LOCAL, a Windows domain controller for domain XXXX, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
             An error event occurred.  EventID: 0xC00A0038
                Time Generated: 04/21/2014   19:46:02
                Event String:
                The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 10.87.193.37.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   19:52:41
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was PMA\PMA-DC02$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             A warning event occurred.  EventID: 0x8000001C
                Time Generated: 04/21/2014   19:53:42
                Event String:
                When generating a cross realm referal from domain XXXX.LOCAL the KDC was not able to find the suitable key to verify the ticket. The ticket key version in the request was 25 and the available key version was 22. This most common reason for this error is a delay in replicating the keys. In order to remove this problem try forcing replication or wait for the replication of keys to occur.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   20:13:25
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was LDAP/4a166db9-c39c-4069-99e7-8a233ce2c0be._msdcs.XXXX.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   20:13:25
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             ......................... PMA-DC01 failed test SystemLog
          Starting test: VerifyReferences
             ......................... PMA-DC01 passed test VerifyReferences
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : PMA
          Starting test: CheckSDRefDom
             ......................... PMA passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... PMA passed test CrossRefValidation
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running enterprise tests on : XXXX.LOCAL
          Starting test: LocatorCheck
             ......................... XXXX.LOCAL passed test LocatorCheck
          Starting test: Intersite
             ......................... XXXX.LOCAL passed test Intersite
    C:\Windows\system32>

    There are a number of things that can cause this, such as:
    DNS is misconfigured to support a parent-child-additional tree forest.
    Incorrect DNS zone replication scope for the design, which points back to the point #1.
    AD Sites are misconfigured for the physical environment. For example if you have a hub and spoke physical environment, you can't use the default settings that bridge all sites (BASL) and must individually configure them.
    Incorrect DNS settings on the DCs.
    Multi-homed DCs.
    Time service is not configured properly and/or syncing from the VM host, which should be configured otherwise (Microsoft, VMware and Citrix have KBs explaining this).
    Default security settings at either the parent, child or both domains, have been altered.
    Firewalls between DCs, such as perimeter firewalls, or installed antivirus protection features if not excluded on DCs properly, will cause this, too.
    That's the short list. If you can describe some of the points above, it may help us pinpoint where the issue may be.
    Some links that may help understand some of the bullet points:
    AD Site Design, DNS & the DC Locator Process, and Auto Site Link Bridging, or Bridge All Site Links (BASL)
    http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx
    Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
    Published by Ace Fekay, MCT, MVP DS on Sep 18, 2009 at 8:14 PM
    http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
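Added example, not part of the thread: a read-only triage that checks the specific symptoms visible in the dcdiag output above, so the answer's list of causes can be narrowed before anything is changed: the replication switches dcdiag reported as disabled, the stopped w32time service, the `_kerberos._tcp.dc._msdcs` SRV record whose registration failed, the secure channel to the parent domain that event 0xC8A says could not be established, and duplicate SPNs (one cause of the KRB_AP_ERR_MODIFIED events). Assumptions, also marked in the code: run elevated on the child DC with `repadmin`, `nltest` and `setspn` available; `Resolve-DnsName` needs Windows Server 2012 or later; the DC and domain names are the placeholders from the post, and the output strings matched are the ones those tools print on English systems.

```powershell
# Added example (not from the original post). Read-only triage of the symptoms shown in
# the dcdiag output: replication flags, w32time, KDC SRV record, secure channel to the
# parent, duplicate SPNs. Assumptions: elevated session on the DC, RSAT/DC tools present,
# Windows Server 2012+ for Resolve-DnsName; names below are placeholders from the post.

function Get-DcTriage {
    param(
        [string]$Dc           = 'PMA-DC01',
        [string]$ChildDomain  = 'PMA.XXXX.LOCAL',
        [string]$ParentDomain = 'XXXX.LOCAL'
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # 1. Replication switches. dcdiag printed "Inbound/Outbound replication is disabled";
    #    repadmin /options lists the flags currently set, and the same command with a
    #    leading '-' clears one (run it deliberately, not from a script).
    $opts = (& repadmin /options $Dc 2>&1) -join ' '
    Add-Finding 'Inbound replication enabled'  ($opts -notmatch 'DISABLE_INBOUND_REPL')  $opts
    Add-Finding 'Outbound replication enabled' ($opts -notmatch 'DISABLE_OUTBOUND_REPL') $opts

    # 2. Time service. Kerberos rejects tickets outside the clock-skew tolerance (5 minutes
    #    by default); a stopped w32time on a DC also explains "not advertising as a time server".
    $w32 = Get-Service -Name w32time -ErrorAction SilentlyContinue
    $w32State = if ($w32) { [string]$w32.Status } else { 'service missing' }
    Add-Finding 'w32time running' ($w32 -and $w32.Status -eq 'Running') "Status: $w32State"

    # 3. KDC locator record. The 0x168E events say dynamic registration of this SRV failed,
    #    so clients in the child domain may not find the DC for Kerberos at all.
    $srvName = "_kerberos._tcp.dc._msdcs.$ChildDomain"
    $srv     = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue)
    $targets = ($srv | ForEach-Object { $_.NameTarget }) -join ', '
    $hasSelf = @($srv | Where-Object { $_.NameTarget -like "$Dc.*" }).Count -gt 0
    Add-Finding "SRV $srvName lists $Dc" $hasSelf $targets

    # 4. Secure channel to the parent domain (event 0xC8A: could not authenticate with
    #    LHR-DC01). nltest /sc_verify re-validates it and reports NERR_Success on success.
    $sc = (& nltest /sc_verify:$ParentDomain 2>&1) -join ' '
    Add-Finding "Secure channel to $ParentDomain" ($sc -match 'NERR_Success' -and $sc -notmatch 'ERROR_') $sc

    # 5. Duplicate SPNs across the forest, one documented cause of KRB_AP_ERR_MODIFIED.
    $spn = (& setspn -X 2>&1) -join ' '
    Add-Finding 'No duplicate SPNs' ($spn -match 'found 0 group') $spn

    $findings
}

# Usage: one row per check; read Detail for any row where Ok is False.
$result = Get-DcTriage
$result | Format-Table Check, Ok -AutoSize
$result | Where-Object { -not $_.Ok } | Format-List Check, Detail
```

The kvno mismatch in event 0x8000001C (ticket key version 25, available key version 22) is what you would expect when replication has been switched off for long enough for the trust or computer account password to roll several times; fixing replication first, then re-checking the secure channel, is the order the findings suggest.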

  • Active Directory Cached Domain Login question

    Hi all,
    I would like to seek assistance on the following scenario setup where I have 2 independent AD forest setup
    Production Forest #1 - Contoso
    Test Lab Forest #2 - Contoso
    Assuming both AD forests' domain controllers are issued with Domain Controller Certs (to support smartcard login) from the same CA, and there exists an AD user acct - Mark in Production Forest #1 and this user is currently using an issued smartcard to perform AD login on desktop client #1
    Would it be possible to create an AD user acct - Mark in Test Lab Forest #2 and use the same issued production smartcard to perform AD login on laptop client #2 which is joined to Test Lab Forest #2? If not technically possible, why??? :(
    I am trying to find a solution where I can have the laptop clients support login using the issued production smartcard. The challenge here is not all the laptop client sites have access to the production domain controllers, hence am thinking of building the Test Lab Forest #2 on another "server" laptop which provides a mobile means to allow the laptop clients to be joined to the Test Lab Forest and then supporting the issued production smartcard via domain cached login.

    So far I know the only requirement is that the UPN match and that the PKI is trusted (in NTAuth) in the forest, but I'm not a PKI expert. I suggest to ask this question in the security forum as well:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog
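Added example, not part of the thread: the reply names two requirements, a matching UPN and an issuing CA trusted in the forest's NTAuth store, and both can be checked from a machine joined to the forest under test against an exported copy of the smart-card certificate. Assumptions, also marked in the code: the exported `.cer` path is a placeholder; the UPN is read from the Subject Alternative Name extension's formatted text, which on English Windows renders the Microsoft UPN other-name as `Principal Name=`; NTAuth is read from the `NTAuthCertificates` object in the Configuration partition (the forest-wide store), not from the local registry copy; revocation is skipped so the check works offline.

```powershell
# Added example (not from the original post). Checks a smart-card certificate against the
# two requirements in the reply: (1) the SAN carries a UPN that resolves to a user in this
# forest, (2) a CA in the certificate's chain is published in this forest's NTAuthCertificates.
# Assumptions: placeholder .cer path; English "Principal Name=" SAN rendering; offline chain.

function Get-CertificateUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $san) { return $null }
    # Format($false) gives one line such as "Other Name:Principal Name=mark@contoso.com, ..."
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    $null
}

function Get-NtAuthThumbprints {
    # cACertificate on CN=NTAuthCertificates is multi-valued DER; one thumbprint per CA.
    $configDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $ntauth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configDn"
    foreach ($raw in @($ntauth.Properties['cACertificate'])) {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [byte[]]$raw)).Thumbprint
    }
}

function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $upn  = Get-CertificateUpn -Cert $cert

    # UPN check against the global catalog of the forest this machine is joined to.
    $userFound = $false
    if ($upn) {
        $safeUpn = $upn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $rootDn  = ([ADSI]'LDAP://RootDSE').rootDomainNamingContext.Value
        $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$rootDn")
        $s.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$safeUpn))"
        $userFound = $null -ne $s.FindOne()
    }

    # NTAuth check: build the chain locally (no revocation, so it runs offline) and see
    # whether any issuing CA above the leaf is published in the forest's NTAuth object.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    $issuerThumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint } | Select-Object -Skip 1)
    $ntauthThumbs = @(Get-NtAuthThumbprints)
    $inNtAuth     = @($issuerThumbs | Where-Object { $ntauthThumbs -contains $_ }).Count -gt 0

    [pscustomobject]@{
        Subject          = $cert.Subject
        Upn              = $upn
        UpnAccountExists = $userFound
        IssuerInNtAuth   = $inNtAuth
        ChainBuilt       = ($chain.ChainStatus.Count -eq 0)
    }
}

# Usage (placeholder path): both UpnAccountExists and IssuerInNtAuth must be True for the
# KDC in this forest to map the card to an account.
Test-SmartCardLogonCert -CerPath 'C:\Temp\mark-smartcard.cer' | Format-List
```

Two caveats follow from the question itself. Publishing the production CA into the lab forest's NTAuth means the lab KDC will accept logon certificates from that CA for any lab account whose UPN matches, so the lab forest's UPN namespace becomes security-relevant. And cached logon only works after at least one successful interactive logon against a reachable lab DC, because the credential cache is filled by that logon; the check above tells you whether that first logon can succeed, not whether caching is enabled.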

  • New Windows 7 machine won't sync Calendars, or show eMail programs in iTunes

    I just got a new Laptop with Windows 7 on it, and have migrated my iPhone and iPod to it. Was able to get the music, videos, and TV shows over, and all of the contacts, apps, and other stuff on the phone is OK. But when I sync the iPhone, iTunes shows no email programs listed, even though AOL 9.6 is installed, and the phone will open AOL email. When I go to the info page, it also does not show anything to handle calendars, and will not back them up.
    I should add that I do not have Exchange/Outlook on the computer, nor MS Office. I have been using open source IBM/Lotus Symphony for this.
    How can I get this to acknowledge the AOL mail program, and backup the calendar?

    I looked at Funambol - something is not correct here, as the version I downloaded yesterday does NOT do calendars, only contacts and photos/movies.  Maybe this only works for Android phones?  I saw an entry that implied that calendars had been added to the functionality - perhaps it has been withdrawn from iTunes. 
    I checked my old laptop, and on it, it acknowledges Outlook as the backup for calendars.  The new Windows 7 machine wants me to download Windows Live Essentials.  Does anyone know if this will be, or is recognized by iTunes as a backup for calendars?
    Thanks in advance,
    Jerry

  • 10g Express Edition on Windows 2008 Enterprise R2 x64 with Active Directory

    I have successfully installed the 10g Express Edition on Windows 2008 Ent. R2 x64 with the Microsoft Active Directory Domain Controller role, but I am not able to run http://127.0.0.1:8080/apex
    Although I have run http://127.0.0.1:8080/apex on my other Windows 2008 R2 x64 WITHOUT the Active Directory Domain Controller role.
    I think it's related to the AD Domain server role of my server, because I ran that on the same config and it works without the Active Directory Domain Controller role.
    Can anyone help about this issue?
    thanks in advance

    I have experienced the same problem - running 10g Express on a Win 2008 (32-bit). When not being a Domain controller, the install was fine. When installing after the server had been given the Domain Controller role (+the required DNS), it failed. NO FIREWALLS are involved on the server. Seems like Oracle Express has problems being installed in this kind of environment - independent of x32 or x64 bit OS.
    Edited by: 811504 on Nov 17, 2010 11:44 PM

  • Difference between Windows NT domain registry and Active Directory registry

    What are the difference(s) ?

    Frank, thanks for your response :)
    I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service. 
    In my configuration the requirement is to make WebSphere Application server to use Microsoft's Active Directory. 
    While I was going through (WebSphere) documentation, I see following note.
    " With Windows NT domain registry support for Windows 2000 and 2003 domain
    controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers
    because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not support by Windows NT domain registry. The Active Directory is a centralized control registry."
    You can find the above note in this link (somewhere after 7th line)
    http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
    Does it mean that they are recommending to use Active Directory over Windows NT (which is an older approach) with windows server 2000 or windows server 2003 because Active directory is
    advanced ?
    I was under the impression that, Active Directory was started with Microsoft Windows Server 2003 and Windows NT registry was used till Windows 2000 server.
    After going through above links, 
    Windows NT registry is an old method. However, it is compatible with Windows Server 2000 and Windows Server 2003, but it is recommended to use Active Directory with Windows Server 2003 as it is more advanced. And the same is recommended in the WebSphere documentation
    (I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003 however this is to clear doubt). Is my understanding correct ? And does windows server 2000 also support both i.e we can use either Windows
    NT registry or Active directory and similarly, Either of them (Windows NT or Active Directory) could be used with Windows Server 2003 ?
    And if I got it correct, Is Windows NT and Active Directory, both directory service offering from Microsoft? While NT being an old method and Active Directory being a new/advanced approach ?

  • 'Public' Active Directory account no longer works w/Tiger?

    We have approx 20 public Macs that all log onto our Windows 2003 server using the same Active Directory account - 'Public'
    This has worked fine until Tiger - Now when we attempt to log onto one of our network drives with this account name I'm told by a pop-up window that the account is either disabled or I've put the password in incorrectly.
    Can anyone confirm if 'Public' cannot be used by a user on Tiger? Is it exclusively for the OS?

    Ran across this in the help file...
    "Mac OS X 10.3 or later: "Invalid user name and password combination" Message When Using Active Directory
    When binding a Mac OS X client computer to Active Directory, the account entered is not validated (resolved) at that time. It is used as entered. If entered incorrectly, you will see an alert message later.
    Symptom
    After configuring the Active Directory Directory Access plug-in, an alert message appears at the client computer that says "invalid user name and password combination."
    Products affected
    Mac OS X 10.3 or later
    Solution
    This happens when an incorrect name and/or password is entered, including a username entered with incorrect syntax.
    The user's login name (also known as "PrincipalName") is required when binding a computer to Active Directory.
    The user can also use the short part of the login name (such as "virginia"). The typical syntax of a login name is similar to "[email protected]".
    Note: If the user's login name has been modified from the default "[email protected]", then the default login name must be used. The modified login name (such as "[email protected]") cannot be used."

  • Problem authenticating with Active Directory

    Hi,
    We want to authenticate the users from Microsoft Active Directory. We created users by doing a bootstrapping from AD to OID (10.1.2).
    I enabled the plug-in by following Chapter 18, Configuring the Active Directory External Authentication plug-in.
    After running through it, the plug-in is installed, but if I try to log in with an AD user id I am getting an authentication failure error.
    I am not sure whether OID is connecting to Active Directory for authentication. How to ensure that it is connecting to AD?
    I am giving the uid attribute as login id. What is the login id to be given?
    I have tried many combinations, no luck. I am getting the following error in ssoServer.log
    Sun Dec 11 19:44:13 EST 2005 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Communication Exception received. Cleaning up the stale connection
    oracle.ldap.util.CommunicationErrorException: Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password connection closed
         at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1213)
         at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
         at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
         at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
         at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:485)
         at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
         at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
         at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
         at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
         at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
         at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
         at java.lang.Thread.run(Thread.java:534)
    Thanks

    Did you check the debug information from the external auth plugin.?
    This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
    here an excerpt:
    D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
    ...enable the plug-in debugging. To do this, enter:
    sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
    To check the plug-in debugging log, enter:
    sqlplus system/manager
    SQL> select * from ods.plg_debug_log order by id;
    (To delete the plug-in debugging log:
    sqlplus system/manager
    SQL> truncate table ods.plg_debug_log
    To disable the plug-in debugging:
    sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
    E) Dump the plug-in profile to make sure it is enabled and configured correctly:
    ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
    Please take also a look into the DIPTESTER tool available in
    http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
    regards
    --Olaf

  • 10.6 home directory mounting with active directory and open directory integration

    Hi guys, I am having some issues in my new Mac environment. I have a Windows network with a Server 2008 Active Directory. I have just recently created a "magic triangle" setup with Active Directory and Open Directory. When my users log in via Windows their home folders mount perfectly. When any user logs in to any iMac in the building it does not work. They log in perfectly fine, but their home folders do not mount. When I try mounting them manually with SMB, I get a prompt for credentials. I am thinking this is my issue: my single sign-on with Kerberos is working but for some reason is not logging in correctly. If I type in my credentials with my domain first then my name it works.
    For example DOMAIN\jsmith works, but the way i think the mac and active directory is doing it now is just jsmith without the DOMAIN.
    I feel like this is the problem with the home folders not mounting.
    Can anyone provide some help with this?
    Thanks,
    Dani

    Hi dani190,
    are you using the fully qualified domain name of the network server? i.e. if your server is bob and your domain is domain.company.com, then the FQDN would typically be bob.domain.company.com or bob.company.com.
    If the FQDN works, then have you checked in the AD to make sure the path to the network home folder uses the FQDN?
    For the contact search path, did you put the AD at the top of the list? (in Directory Utility)
    Did you set the WINS workgroup on your client computer to your domain?
    i.e. Apple Menu, System Preferences, Network, Active Network Port (Ethernet and/or AirPort), Advanced button, WINS tab, set workgroup to the name of your domain, i.e. domain.company.com and/or company.com

  • Active Directory domain failed

    Hello Team,
    When I join to our Active Directory, every time the BUI gives the same error messages:
    The attempt to join the Active Directory domain failed either because the clocks of the appliance and the domain controller are skewed or the administrative user
    does not have the appropriate permissions to create a computer account in Active Directory.
    It is recommended that NTP be used to keep clocks synchronized when using Active Directory.
    Storage Appliance: 7310 One Controller, No firewall for ntp server also which connect directly NTP Domain server. Actually my believe is that no time sync issue.
    Firmware version is latest patch.
    What is your idea about this issue?
    i did many times this action plan: but result is same
    ActiveDirectoryTasks
    B)Joining a Domain
    1.Configure an ActiveDirectory site in the CIFS context. (optional)
    2.Configure a preferred domain controller in the CIFS context. (optional)
    3.Enable NTP, or ensure that the clocks of the appliance and domain controller are synchronized
    to within five minutes.
    4.Ensure that your DNS infrastructure correctly delegates to the ActiveDirectory domain, or add
    your domain controller's IP address as an additional name server in the DNS context.
    5.Configure the ActiveDirectory domain, administrative user, and administrative password.
    6.Apply/commit the configuration.
    A)Joining a Workgroup
    Configure the workgroup name.
    Apply/commit the configuration.
    1. First of all LAN Compatibility Mode 4 works fine with Win 2003 (AD Server)
    2. While trying to join the AD, using a non-ADMIN username and password will not help.
    Try using a username/pass which has Administrative Privileges (specifically having the rights for Account Creation in
    the AD Server) on the AD server.
    (I was trying with a different username/pass but it was not joining the storage to AD. It joined when I tried a user having
    the privileges to create Machine Accounts in AD)
    3. For Clock Sync, the tolerance limit is up to 5 minutes. So you can take care that the difference does not go beyond
    5 minutes.
    Thanks
    Can
    Gantek Tech.
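An added example, not code from the thread or from the appliance: a Python check of the clock skew the join steps above require (step 3), which parses an SNTP server reply, computes the RFC 4330 offset and compares it with the five-minute Kerberos tolerance. The sample reply is constructed to show a skew outside the window; `query_offset` is an assumed helper for running the same check live against a DC or NTP server.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800      # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300           # default Kerberos clock tolerance: five minutes
NTP_PACKET = "!BBBb11I"           # LI/VN/mode, stratum, poll, precision, 3 words, 4 timestamps

def to_ntp(unix_time):
    """Split a Unix float timestamp into NTP (seconds, fraction) 32-bit words."""
    whole = int(unix_time)
    return whole + NTP_EPOCH_DELTA, int((unix_time - whole) * 2**32)

def from_ntp(seconds, fraction):
    """Convert NTP (seconds, fraction) words back to a Unix float timestamp."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def parse_server_reply(data, t1):
    """Return (t2 receive, t3 transmit) from a 48-byte SNTP server reply.

    t1 is our own transmit time; a reply whose originate timestamp does not
    echo it is stale or forged and is rejected rather than trusted.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_PACKET, data[:48])
    if f[0] & 0x07 != 4:                        # mode 4 = server reply
        raise ValueError("not a server reply")
    if f[1] == 0:                               # stratum 0 = kiss-o'-death, unusable
        raise ValueError("kiss-o'-death reply")
    if abs(from_ntp(f[9], f[10]) - t1) > 1e-6:  # originate must echo our t1
        raise ValueError("originate timestamp does not echo our request")
    return from_ntp(f[11], f[12]), from_ntp(f[13], f[14])

def clock_offset(reply, t1, t4):
    """RFC 4330 offset of the server clock relative to ours: ((t2-t1)+(t3-t4))/2."""
    t2, t3 = parse_server_reply(reply, t1)
    return ((t2 - t1) + (t3 - t4)) / 2.0

def within_kerberos_tolerance(offset, max_skew=KERBEROS_MAX_SKEW):
    """True when |offset| is inside the window in which Kerberos (and the join) can work."""
    return abs(offset) <= max_skew

def query_offset(server, port=123, timeout=2.0):
    """Assumed helper: live SNTP query against a DC/NTP server (needs network, not run here)."""
    req = bytearray(48)
    req[0] = (0 << 6) | (4 << 3) | 3            # LI 0, NTPv4, mode 3 = client
    t1 = time.time()
    req[40:48] = struct.pack("!II", *to_ntp(t1))  # transmit timestamp field
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(bytes(req), (server, port))
        data, _ = s.recvfrom(48)
    return clock_offset(data, t1, time.time())

# Constructed sample reply: the server clock is 400.5 s ahead of ours (outside 5 min).
SAMPLE_T1 = 1_700_000_000.0                     # our transmit time
SAMPLE_T4 = SAMPLE_T1 + 0.25                    # our receive time
SAMPLE_REPLY = struct.pack(
    NTP_PACKET, (0 << 6) | (4 << 3) | 4, 2, 6, -20, 0, 0, 0x47505300,  # mode 4, stratum 2
    *to_ntp(SAMPLE_T1 + 400.0), *to_ntp(SAMPLE_T1),                     # reference, originate
    *to_ntp(SAMPLE_T1 + 400.5), *to_ntp(SAMPLE_T1 + 400.75))            # receive, transmit
```

Running `within_kerberos_tolerance(clock_offset(SAMPLE_REPLY, SAMPLE_T1, SAMPLE_T4))` on the sample gives False, the condition under which the appliance reports the join error above.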

    Your first post to these OTN forums.
    You posted your inquiry to a HARDWARE forum.
    Your issue seems to be a Microsoft OS issue and you just happen to have your OS volumes on a model 7310 appliance.
    I suggest you go find a forum somewhere that is hosted for Microsoft AD issues.
    If you happen to need the documentation for that piece of storage hardware, there are currently three PDF's available:
    http://docs.oracle.com/cd/E19935-01/index.html
    They are the Installation Guide, the hardware Administration Guide, and the Service Manual.
    There are no current Oracle-published documents for that box as related to Active Directory.

  • Call Manager 4.1 compatibility with Active Directory 2008

    I need to know the compatibility between Windows 2008 Active Directory and Call Manager 4.1. I was told Call Manager 4.1 was incompatible with Windows 2008 AD. Is that the Active Directory 2008 Domain and Forest functional level? I'm moving forward with replacing all our Windows 2003 DCs with Windows 2008 DCs. The question is, will Call Manager 4.1 be compatible? Do we need an actual Windows 2003 DC, or is a Windows 2003 forest and domain functional level enough?

    Hello gentlemen,
    I just wanted to let you know that we actually got everything working again on our test bed environment.The DC is running on a virtualized Windows Server 2008 but with the forest and domain functional levels at 2003. What we had to do to resolve the ICM issues (Roggers, PGs and AW/HDS) was for all of the services that wouldn't automatically start, we had to update the 'log on as' settings to re-add those accounts and re-enter the passwords. Also, when running the ICMSetup util, it came back with an error saying that it couldn't see the 'Call Center Applications' OU even though it existed. To resolve that, we ran ICMSetup again, added the ICM instance, then upon going back to the main screen, exiting then re-running ICMSetup, everything worked again and the error did not re-occur. We were able to click on the various instance components (PG1A, CG1A, etc) where as before doing that, those instances were greyed out.
    For our CallManager server 4.1(3) we didn't need to resolve anything on it. It appears to be running ok and phones are registered to it as well.
    Mind you, this is a test bed environment, and the old test bed DC was created a few years ago, and with this new one being a copy of our existing production DC, there were many changes and updates done to it, so that's probably why the old accounts weren't recognized and new ones were created.
    We don't think that will happen in our production environment, but even so, we're not going to upgrade our production DCs to Windows Server 2008 just yet.
    Thanks for the feedback.
    Joe
