Windows Active directory server administration

Similar Messages

• Windows Active Directory 2008 And Java

  Hi,
  I need to do the following.
  1. Integrate my application's authentication module with Microsoft Windows Active Directory (Server 2008 Edition).
  2. Need to use Kerberos authentication.
  Can you please let me know what api can I use? Is there a good tutorial for this ?
  Regards,
  Pradeep.
  Edited by: user10502962 on Oct 9, 2011 12:51 AM

  Finally managed to resolve the problem.
  I tried to do a lot of things reading forums. But this is what worked.
  1. create a key store using $ keytool -genkey -keystore /home/rohan/mystore -keysize 1024 -keyalg RSA --- created "mystore" key store. From the cert file I got the information on RSA and encryption of 1024 bits.
  2. import the certificate the keystore - $ keytool -import -keystore /home/rohan/mystore -alias primarydc -file DC2K8.cer
  3. In the code just added these lines
  env.put(Context.PROVIDER_URL, "ldap://myldapserver:389"); // Port 389 on Windows Domain Controller
  String keystore = "/home/rohan/mystore";
  System.setProperty("javax.net.ssl.trustStore",keystore);
  System.setProperty("javax.net.ssl.keyStorePassword","password");
  4. Change of Password (code provided by stevead )
  StartTlsResponse tls = (StartTlsResponse)ctx.extendedOperation(new StartTlsRequest());
                 tls.negotiate();
                 ModificationItem[] mods = new ModificationItem[2];
  String newQuotedPassword = "\""+password+"\"";
                 byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                 mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl",Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD)));
                 ctx.modifyAttributes(userName, mods);
  Useful links
  http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
  http://blog.smartkey.co.uk/2010/09/working-around-a-sslhandshakeexception/
  http://www.thinkplexx.com/learn/howto/security/tools/understanding-java-keytool-working-with-crt-files-fixing-certificate-problems
  Thanks to stevead and handat for helping.
  Rohan

• Replica Active Directory server in windows server 2008 R2

  I installed and configured a secondary active directory server in 2008 R2 for fault tolerance as well as backup active directory server
  what i wanted to know is if  my primary AD goes down??? what changes i need to do my users pc since they are  using primary DNS of of primary AD IP.. i am confused i want to know what need to be done if AD goes Down

  > shall i update my DHCP configuration to assign primary DNS as
  > 192.168.1.225 and secondary DNS as 192.168.3.245 and other DNS as
  > 8.8.8.8 etc.
  Yes. and you shall NOT deploy 8.8.8.8 as a DNS server to your clients,
  but you shall configure this as a forwarder on your DNS servers.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Active Directory Server Problem

  Hi All,
  This mail Seeks to get help from people who have worked with Active Directory Server.
  The following is our Current scenario.
  We are in the process of establishing an SSL connection to Active Directory Server from java environment(a standalone class) in Windows 2000.
  1.Active Directory Server is installed in an independent Win 2k machine.
  2.SSL is enabled in the Active Directory Server Machine by installing the Enterprise Root Certificate.
  3.Microsoft High Encryption pack is installed in both the client and the Server(AD)
  4.The .cer file from the AD machine is imported in to the Client's keystore(cacerts) using the keytool utility.
  5.The AD m/c is part of a domain named "rsa" and client m/c is part of the domain named "cts"
  With the above setup,The following code tries to Establish an SSL context to the AD through JNDI.
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL,"ldap://blr03srv1.rsa.com:636");
  env.put(Context.SECURITY_PROTOCOL, "ssl");
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.SECURITY_PRINCIPAL,"CN=Administrator,CN=Users,DC=rsa,DC=com");
  env.put(Context.SECURITY_CREDENTIALS,"password");
  try{
       DirContext ctx = new InitialDirContext(env);
       ctx.close();
  }catch (Exception e){
       e.printStackTrace();
  When we try to run this Client we are facing a SSLHandShakeException with a message saying "No trusted certificate found".
  As far as we know the .cer file is successfully imported in to the cacerts which is used by the J2SE as the default keystore.
  Hence we ran out of ideas,as we think that there could be some other issue which is causing this problem.
  We are looking forward to get inputs from AD enlightened people to Solve this issue
  Thanks in Advance,
  Manivannan.A

  I had problem the same and still I did not obtain to decide it, if for perhaps obtaining he passes me the solution.
  thank's
  Fernando Queiroz Fonseca
  Graduando em Engenharia El�trica
  Universidade Federal de Uberl�ndia
  http://www.fernandoqueiroz.com.br
  email : [email protected]

• Active Directory server is not available

  i have just setup and started testing a new exchange 2007 on my network. we did not have a exchange before, so this is a new install.
  my domain, xxx.com is a windows 2000 native AD. the exchange 2007 is a win 2003 sp1 x64, it is also a DC and has all roles assigned to it
  in my network i have
  dc01 win2000 sp4  dc (gc)
  dc02 win2000 sp4 dc (gc)
  exch01 win 2003 sp1 dc, rid, pdc, fmso, gc, infrastucture and naming
  the install went well, and i have been testing it for the past 2 weeks this dummy accounts. test smtp connectors, etc. all was working fine. to the point that i have started planing the migration of the users
   today i did some mods to IIS for a owa free SSL from startcom (as well as the root CAs). i have remove it since.
  i now get the following errors when i start the console, or shell. :
  Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
  It was running command 'get-ExchangeAdministrator'.
  The following error(s) were reported while loading topology information:
  get-ExchangeServer
  Failed
  Error:
  Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
  A local error occurred.
  get-UMServer
  Failed
  Error:
  Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
  A local error occurred.
  HELP.. i have no idea what it does not like.
   exbpa does not report anything, i even get it to connect to the exch01 for it AD access.
  Any ideas??
  Thanks
  Paul Gartner
  (over all i like what i have been seeing in ex2007) 

  i think that you might be confusing "AD user account" and "profile". you DO NOT delete administrator from your AD Users and Computers. you only delete the Profile (\documents and settings\administrator folder). you can NOT do this while you are logged on using the administrator account.
  be sure to backup any data in your my documents and any favorites
  create another user that is in the domain admin group of your active directory, log on with that account and verify that the exchange tools works. then follow this to remove the profile.
  >1). Logon the Exchange server by using another admin account.
  >2). Open Control Panel, select System.
  >3). Select Advanced tab and click the Settings button of User Profile.
  >4). Delete the Profile of user which encounters this issue.
  >5). Click OK.
  >6). Restart the server and logon it by using Administrator account.
  > 
  once this is done, logon with your administrator account and try the tools again, they should work.tn
  Paul Gartner

• How to create mailboxes under mac os x 10.6.4 either using ldapv3 or windows active directory?

  hi,
  i'm working on the mail server of our company. the plan is to implement the built in mail server feature of mac mini OS X 10.6.4 using either ldapv3 or preferably our existing window active directory users.
  i was able to set the open directory and can view the user accounts from AD. my problem is i do not have any clear documentation or manual on how to create mailboxes using either AD accounts or MAC LDAPv3. i already checked the manual of mac os x mail service administration and have found none pertaining to this case.
  i would really appreciate if someone can give me reference on how to do this. as of now im quite desperate because i have a deadline for this project.
  thank you in advance for your help.

  You said, "A 2014 iMac can't run either Snow Leopard or Lion." I know that. What I want to know is how I can install Lion or Snow Leopard on a peripheral hard drive, NOT on my iMac.
  – Larry

• Windows active directory logs

  Hi,
  We are using Windows active directory to manage our users. Another company has configured the same for us.
  Currently we don't have permissions to create a new user. They have given us one account and by using that account, we are able to create new groups in AD, add users to the groups, etc. We would like to get the logs for each user removal or addition to the
  AD groups. How do we enable the same. We would like to know who  and when each user is getting added to the AD groups. Please help us in this.

  Hi Kewpin,
  To enable the complete details on user account account changes including group membership, you need enable the following audit settings,
  1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
  2. Right click the Default Domain Controllers Policy, and then click Edit.
  3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ Audit Policy”.
  4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
  5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
  For Windows Server 2008 R2 and later versions, additional configuration is required in  “Advanced Audit Policy Configuration” section in Default Domain Controller Policy.
  For additional auditing configuration of,
  1. AD Changes 
      Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.) 
     Enable Success auditing for the following settings
      - Audit Directory Service Changes
  2. Account Management
      Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.) 
     Enable Success auditing for the following settings
     - Audit User Account Management
     - Audit Security Group Management
     - Audit Distribution Group Management
  Once you have enabled the above audit settings, you can set an auditing SACL for the AD object.
  Checkout the below screenshot for setting the  auditing SACL,
  Checkout the below link on Security Event id list for auditing AD changes,
  http://www.morgantechspace.com/2013/08/active-directory-change-audit-events.html
  Regards,
  Gopi
  JiJi Technologies

• Trying to login to Windows active directory at work

  I take my iMac back and forth between home and work. We have multiple types of servers which I can log into. But I'm unable to login to the Windows Active Directory. Note that I can login with the windows desktop. Just not my iMac which I strongly prefer to use.
  I went into \applications\utilities\directory access and put in the directory domain (as shown in the windows computer) and typed in what I want it to see as my computer name and then clicked on Bind.
  A new window opens (Network Administration Required) screen asking for my Username, password, and Computer OU: and I put them in as they show on my windows computer and hit enter.
  A new window comes up showing "Invalid domain" An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest (e.g., ads.company.com).
  Tech support says they don't support anything other than Windows XP and don't look at all sorry about it. Any idea how I can find out the information I need from my Windows computer and typing things in at the command prompt?
  Thanks in advance.

  Note that are computers come preconfigured and already connecting to our Windows server. So users don't enter any information other than user-name and password to get in.
  So they have to create a computer name (like creating a user) on the server and then tell me what it is and I put the same info in my computer to login. Hmmm. Now the question is whether they will do that for me or not.
  Thank you.

• SAP User Authentication via Windows Active Directory

  The non-profit company I work for as an SAP Security Admin has been using SAP since 1999.  We are currently running ECC 6.0, BI 7.0, and CRM 7.0.  With fewer than 300 SAP users, we have not implemented CUA, so each of our multiple clients in these systems is managed independently. 
  The company recently licensed and implemented some non-SAP software to be used by all of our employees (~1200) in keeping track of & catagorizing their work time; a very handy feature of this software is that it depends upon Windows Active Directory for user authentication.  Therefore, each employee logs into this time-keeping package by entering his/her standard PC userID & password.  If you can log onto your PC, you can log into the time-keeping software. 
  That got me thinking & researching, because our SAP users - especially those who have access to three or more SAP clients - must maintain their passwords independently in each SAP client that they hope to access in the future.  I'm certainly not the first person who has thought of how nice it would be to permit SAP users to log into all SAP clients across the landscape in which they have defined userIDs, using the same password that they are using to log into their PCs (i.e., the password that is stored & maintained in Windows Active Directory).  My quest has led me to find presentations on this topic that typically involve modules we aren't using & very complicated configurations that we really lack the time & resources to employ; or, to third-party solution providers who claim to be certified SAP partners who would love to sell us more software to provide this convenience, usually irelated to single sign-on, LDAP, etc.  The lowest pricing tier for such software usually would cover many times the number of SAP users we have to serve here - and it feels like trying to push in a tack using a sledgehammer.  It is true that we have not used the same userID for our PCs that we have defined in SAP, so there would need to be some way to translate from one to the other, but our PC password rules are consistent with those we have configured in SAP clients, so it seems to me it should be very simple.   Can anyone lead me to a more straightforward solution?  If not, can you articulate why this has to be so complicated using SAP software when it seems so simple using relatively inexpensive timekeeping sotware?

  >
  Gagan Deep Kaushal wrote:
  > Hi Tim,
  >
  > Its nice to see video.
  >
  > Is that mean using different username on OS and SAP level still we can achieve SSO.
  >
  > Correct if if am wrong.
  > The only thing we need to maintain SNC name.
  Once installed, yes. This is all you need to maintain when users are added. You can even use LDAP if you like to sync all user info between SAP and MS AD domain, but this cannot sync the password, so using SNC authentication instead of using SAP passwords is ideal.
  >
  > So for user test1 i can manage name as p:test2.....  ??
  Yes, that is correct. The mapping is maintained using standard SAP user management, such as su01. The user in AD domain might have long account name, e.g. "firstname.verylonglastname" which is too big for use as a SAP username so you can map this long AD account name onto a SAP user called FIRSTLAST in one or more SAP clients.
  >
  > I think that is what Ronald is also looking, user name need not to be same.
  >
  > Regards,
  > Gagan Deep Kaushal

• Oracle Linux and Windows Active Directory

  I am looking for a good article on joining an Oracle Linux server to a Windows Active directory domain.
  We are primarily a Windows shop but need to bring up a couple of Oracle Linux servers (VM Server and VM Manager). I would like to use the existing Windows domain controller for user authentication.

  I don't have experience in joining a Linux system with Windows AD, and it generally does not sound like the best idea to me, but since Oracle Enterprise Linux is a clone of Red Hat Enterprise Linux, the solution you are looking for could be called Winbind.
  Perhaps the following links are useful:
  http://spiralbound.net/blog/2007/04/11/rhel-winbind-authentication-against-active-directory
  http://www.linuxmail.info/active-directory-integration-samba-centos-5/
  http://magazine.redhat.com/2007/11/12/tips-and-tricks-how-can-i-configure-winbind-to-synchronize-user-and-group-ids-across-multiple-red-hat-enterprise-linux-hosts-on-active-directory-accounts/

• OIA Windows Active Directory

  Hello everyone,
  I'm learing OIA and trying to create namespace for Window Active Directory.
  Created name space using administration-->Configuration-->resource types--> Windows Active Directory
  then Created Attribute category. Now I want to create attributes, but I dont know attribute names for the same.
  Can any one help me on this.
  Thanks in advance
  Regards,
  Krish.

  Hi Krish,
  All the attribute values are all the entitlements you are intending to populate into OIA.
  Note, endpoint, domain,name, statuskey don't need to be registered as a attributes within the attribute page
  Read from the 'Understanding the Schema File for Accounts' down
  http://docs.oracle.com/cd/E24179_01/doc.1111/e23369/oiaimporting.htm
  Regards,
  Daniel

• Windows active directory for Weblogic

  Can anyone help me how to configure the Windows Active Directory to use for the authentication of Weblogic server. Is this possible? If yes can give me any documentation for doing the same.
  Thanks in advance

  Hi,
  Please refer to the following article:
  http://weblogic-wonders.com/weblogic/2010/12/04/configuring-active-directory-authenticator-with-weblogic-server/
  Thanks
  Ravish Mody

• Windows Active Directory replacement

  Hello All,
  My company is using Windows Active Directory and now we are going to replace it with Novell solution. Is there any product from Novell to replace Windows Active Directory for 2 main features?
  - Group Policy
  - Windows users and workstations authentication and administration
  I did some researches on Domain Service for Windows, Identity Manager, ZENworks. Could you give me advice on which product meet my requirement?
  Thanks in advance.
  Best regards,
  Khiet Manh.

  ab wrote:
  > Domain Services for Windows (DSfW) is meant to emulate MAD to a large
  > degree, and is probably what you need more than the other two
  > products.
  Well, that depends. If there's a need to still supply AD functionality
  after MAD is gone, then yes DSfW is a replacement. However, if that's
  not a requirement, then ZENworks Configuration Management is likely a
  better choice since it will provide much more Windows desktop
  administration capabilities than DSfW (or MAD) alone.
  Your world is on the move. http://www.novell.com/mobility/
  Supercharge your IT knowledge. http://www.novell.com/techtalks/

• Portal integration and Windows Active Directory

  Hello experts,
  We have a SAP Netweaver Portal SP14 and the UME is configure in one Active Directory of Windows 2003. The UME is working correctly but the SSL connection between the two system doesn't work.
  We have applied the help in the link:
  "http://help.sap.com/saphelp_nw70/helpdata/en/7d/77fa735e5f47a2a50b5336fd1b5a61/content.htm"
  but we got the error
  "Peer certificate is not trusted or expired".
  The Active Directory server has its own certificate.
  We think that the problem is with the trusted certificate but we have not correct it.
  In active directory server when we access to  https:
  myserverAD:636, we got the error that the page could not be show.
  Thanks in advanced.
  Paco Hernandis.

  >  https:
  myserverAD:636, we got the error that the page could not be show.
  The SAP Help is outdated: MS IE doesn't show those certs any more, as you have found.
  I'm sure there's a better way, but here's how I get that when I need it: install an OLD version of Firefox (I keep the install EXE for Firefox 1.5.0.8 around just for this) because v.2 responds with an error the same as IE. I use Firefox for this (rather than an old version of IE) so that it doesn't clobber my IE config. Since it's an old release there are many security problems: so don't use it for anything else, and uninstall it immediately afterwards.
  http://download.mozilla.org/?product=firefox-1.5.0.8&os=win&lang=en-US

• Crystal Reports and Windows Active Directory

  Hi,
  I am trying to authenticate using the Windows Active Directory. I have created a test group in the Active directory and added myself as a member to that group. On the Crystal reports server side, I have enabled the Windows Active Directory. I can see the group that I created on the Active Directory. But I do not see any users. I have a Java infoview and I changed the web.xml file. I changed the authentication parameter to secWinAD. But does anyone know how to restart the web application server? I restarted the service Intelligent Agent. But when I login using my user id and password it still gives me the same error:
  Account Information Not Recognized: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  Any help will be appreciated.
  Thanks.

  Infoview doesn't even need to be restarted.
  You said "I have a Java infoview and I changed the web.xml file" in your original post
  If you have .net IIS then it would be a web.config file that needs to be changed. IIS will pick up the changes as soon as you save the file and open an infoview logon page. you may also opt to set authentication.visible to true so users will have the ability to select AD when logging in.
  Regards,
  Tim