Title: Kerberos question
I got it, there is a shared secret ticket key that was set wrong. (bad documentation).
Thanks for everyone’s help
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 4:02 PM
To: [EMAIL PROTECTED
Title: Re: [ActiveDir] krbtgt error when joining OS X client
Hmmm,
These directions look strangely familiar ; )
Don’t forget to set your timeserver...It is THE most common error.
If you have set the Mac to have a Domain Controller as the time server and you still have errors then you sh
Don't you think that there's a bigger issue that needs to be tackled first? What is
causing this? I'd make sure auditing is turned on for your domain security policy and
start looking at failure records on your DCs.
That aside, ADModify.Net can probably do this.
--Brian
-Original
Try eventcombMT.exe, part of secops:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9989D151-5C55-4BD3-A9D2-B95A15C73E92
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realiz
Title: Message
Good morning everyone,
I've been asked to extract some information from our RAS server to see who has been dialling in
over a certain period of time. The RAS server is an NT4 server. When I connect
to it and have a look at the "Security" event logs I can see the entry:
Fa
What I do here is put up a web interface to a script that does the
pre-creation in the background. I have 2 flavors. One is for the Helpdesk
Admins. They log into the website, type in a computer name, type in the name
of the computer's owner, pick the site/location of the owner (from a
drop-down) l
Perfect. Exactly what I wanted to know. I'm off to run the adfind
tool in my test forest and see the results.
Thanks for the information.
Cheers
On Thu, 5 Aug 2004 18:41:22 -0400, joe <[EMAIL PROTECTED]> wrote:
> I saw your previous post, just didn't get a chance to hit it yet.
>
> The answer
Hey I like to explain it out so people are empowered
None of this is rocket science, it all comes down to 1's and 0's.
Changing that from true to false would indeed clear the
non-expiring flag. However it would clear ALL flags other than the account
was a normal user account. So af
The first thing I would do is visually inspect all of the DNS records for
the DCs and make sure they are all up to snuff with the new correct IPs and
that the DCs are all pointing at the right IPs for the DNS servers.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECT
That much is true.
:o)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, August 04, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Backup - Sort of
At least they threw you a bone"Keeping with the Wind
I saw your previous post, just didn't get a chance to hit it yet.
The answer, if I understand the question, is the schema.
Whether an attribute replicates or not is controlled by a bit in the
systemFlags attribute. Bit 1 to be exact...
So if you want to look at your AD and find out all attribut
Title: Kerberos question
Pre-Authentication is a security measure to prevent a
client from calling to the KDC and getting a response back that it can work on
cracking to break the encryption. The client has to prove who it is before it
gets anything useful basically...
You can disable pre-a
Laura,
We have recently gone through this procedure and it is not as painful as you
would expect...The ADMT (Active Directory Migration Tool) is the way to go
if the target domain is going to be in native mode and if you Google
ADMT NT 4.0 - 2003 migration you get all sorts of information, he
Title: Kerberos question
I have encountered a very weird issue at this client.
The situation is as follows (I will do my best to try not to confuse anyone).
Client has an AD domain.
AD domain is 2003 based. Forest level: 2003 native. Domain level - 2003 native.
Hi Robert
I have two scripts we used a few weeks ago when we had this problem. They
were written based on some of Robbie Allen's scripting in his Tuna Book.
(See attached file: bulkunlock3.vbs)(See attached file: collect nt
usernames.vbs)
Create a file on the root of drive C called ntuserlist.tx
Title: Kerberos question
What is the easiest way to unlock multiple
user accounts in Active Directory? Random accounts locked up today and I need
a way to unlock them without having to go user by user. Is there a tool or
script already written?
Any help would be appreciated.
Rober
Title: Kerberos question
I am looking that up now
Rick Gasper
Manager, Network
Services
King's College
133 N. River St
Wilkes-Barre
PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell:
570-760-0335
[EMAIL PROTECTED]
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTEC
Title: Kerberos question
This stands out
Pre-authentication failed:
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question
The program uses
apache, I am still wor
Thanks for checking.
Diane
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, August 05, 2004 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt
Unfortunately
Title: Kerberos question
The program uses apache, I am still
working with the vendor on this.
This is the error from the DC:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time:
Title: Kerberos question
There are tools to monitor kerberos conversations
(capture), but I think you're likely better off using success/failure audit
logging to see what's going on, what's being attempted and
where authentication is failing.
I think the following is most likely to be help
Title: Kerberos question
Question: is there a utility that would
use Kerberos to login (Kind of like a test login utility)?
We are not experiencing any problem with
logins anywhere (except as mentioned).. This is the first non windows
application we are deploying that uses Kerberos (o
Title: Kerberos question
So that leads to the next question then: do you have a
problem going on? If so, can you give some details?
Al
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ac
Title: Message
Your local liquor store is a good place to start, followed by the drug store for a
few gallons of Maalox.
Kerberos interoperability is a pain. It is possible, but you will have to
do LOTS of research.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL P
Unfortunately, I don't know, and the SAP guy who installed it doesn't
remember either.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Wednesday, August 04, 2004 7:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed
Title: default containers
Thanks all for the responses – We’re 2000 presently, so I’ll look at the
scripted or pre-create options. Thanks again
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 11:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] defa
Title: default containers
Of course if you have a Windows 2003
Domain Mode domain you could use the redircmp
hack. Note that Exchange 2000 domainprep (and who knows what else) expect some
objects to be created in the “native” default locations (I think
groups in the case of E2K). Most of
Title: default containers
Yep, this can fairly easily be configured to be handled
with say a web page so you can proxy the process so people don't have to have
rights to create machine accounts or do any join they want to. This also allows
you to have business logic rules behind it so you can
Title: default containers
Create the machine accounts in the
destination container(s) prior to joining the domain. There is
another method with scripted unattended installs that would allow you to
specify the container.
James Borris
[EMAIL PROTECTED]
From: [EMAIL PROTE
with w2k3 Domain:
"Redirecting the users and computers containers in Windows Server 2003
domains"
http://support.microsoft.com/default.aspx?scid=kb;en-us;324949
Creamer, Mark wrote:
Is there a way to change the default location for a computer when it
gets added to the domain to be a specific OU,
Title: default containers
In a FFL 2003 Active Directory you can modify the default
path. RedirCMP is the CMD (http://support.microsoft.com/default.aspx?scid=kb;en-us;324949).
Otherwise, you'd want a process or a script to do it for you. Netdom is
one such tool that can put it in particular
Title: default containers
I don’t think there is any way to
change the default location when adding a computer through the joining
computers GUI. If you are using a tool, most of them offer the ability to
specify an alternate location. You could of course pre-create machine accounts
in the
ok, great...
thanks
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 12:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed
This is why I indicated you should promote it and demote it and then you are
back at square one and
Yep. Problem is, especially in small environments, there are times when a DC
is also the file server or it runs other services. Getting a small business
to pay for an additional server is sometimes problematic. The high
eggs-to-basket ratio is often accepted in relation to the costs.
Thus the need
No real clue, but perhaps some tips for further investigation:
Does the problem occur with all versions of the 5.5 Admin program? Use SP4 version
if in doubt.
Is there any difference if you run the 5.5. Admin program on NT platform compared to
W2K?
If the accounts are already in AD, how many
I already recovered the DC, but since I demoted it by changing the registry property,
I can't access AD...I want to eliminate any trash that might be left...or reinstall AD
over it to start again from the beginning...and then maybe uninstall properly...
-Original Message-
From: Carr, Jonath
Title: Kerberos question
Joe,
I was pretty sure that was the case, but I
wanted to make sure.
Thanks,
Rick Gasper
Manager, Network
Services
King's College
133 N. River St
Wilkes-Barre
PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell:
570-760-0335
[EMAIL PROTECTED]
Title: Kerberos question
The application is called WebCT. www.webct.com. It is a distance learning app
that runs off a web server. Their documentation is somewhat lacking, and their
support is not really that good.
I do have everything set up as they
request, so I was thinking that my
Ah yeah, I "duh"ed there for a second. Of course ffl.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, August 02, 2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit
Change “domain functional mode”
Title: default containers
Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?
Mark Creamer
This is why I indicated you should promote it and demote it and then you are
back at square one and can start the promo back into a useable domain. There
are all sorts of things in the file system and registry handled when you do
a proper demotion.
jeo
-Original Message-
From: [EMAIL
Another note is that a DC is only a DC it should not under any
circumstances have any DATA that is critical on it.. If you need to
recover the server you need to follow the kb at MS about recovery of a
failed DC.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Be
Hi,
In trying to diagnose an issue that came up yesterday, I am trying to use the
showacls.exe from the 2003 server reskit. It seems that it will only
produce output for directories, not individual files. Has anyone else
experienced this behavior? (Any other recommended tools to captu
Title: Kerberos question
I would contact the vendor. They should know. There should
be nothing extra you have to do to support kerberos on your dc as the support is
already there, that is the primary authentication mechanism
now.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
I find if I went through a Dcpromo demote. The server was trash anyway
and I rebuild from scratch. NICER and NEATER.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Thursday, August 05, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: R
What happens if I reinstall AD over the previous files? Will they be overwritten? Or
will that cause more errors?
-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 11:59
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help need
Personally, on this machine, after all this trouble, I'd back up the
critical data that I wanted to keep, verify that the backup of that data
could be restored to another location, wipe the machine and reinstall from
scratch.
Faster, easier, and more dependable than trying to clean up the wreckage.
All,
After migrating to Windows 2003 from NT4 we are now
migrating from Exchange 5.5 to Exchange 2003 however we are having a couple of "strange"
issues which did not occur in the lab...After scavenging the web and
finding nothing will try here as it could be AD related. When I click o
I'm also pretty pleased with the new
xcacls.vbs.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&DisplayLang=en
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of René de Haas
Sent: Thursday, August 05, 2004 8:42 AM
To: [EMAIL PROTE
http://www.microsoft.com/technet/prodtechnol/exchange/default.mspx is a
pretty good place to start.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, August 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:
Title: Kerberos question
Sorry Rick. Thread overlap. :)
Whether or not you need to make a change depends on the
application. For example, if they use the operating system to handle the
authentication calls, then it should work fine, right? If they do something
else, they should have docum
After I forced demotion of the DC changing the property from LanmanNT to ServerNT, I
can't access AD (obviously)...but I have left a lot of files and stuff from the
previous install of AD...how do I get rid of all that junk? Can I just delete
everything? I don't think I can...I have files in the
(Resend as I did not see this hit the list yesterday)
This is a learning question. Nothing is broken but I would like to know
where some information is located.
How can I tell and where do I go to find out what information is
replicated in Active Directory at the DNS zone level itself. For
exam
See if any of this helps as far as getting an AD computer account:
3. Join the Machine to Active Directory
Open the finder and browse to /Applications/Utilities
and open Directory Access.
If the lock in the lower left corner is in the locked position, click on it and
So I may be inheriting a new network that needs to do the "5.5 on NT4 to
2003 on 2003" shuffle. Your basic Google search returns any number of
resources, obviously; but what does my favourite group of smart people
have to say? Recommended Books/FAQs/Blogs/Sites that will make me not
want to kill
Title: Kerberos question
I think we have a miscom here: I have no
5.5 server-- I assume that you mean exchange 5.5 (we are all ex2k3).
More details:
I have an app that runs on a win2k3 that
uses either LDAP or Kerberos to authenticate its users against our 2003
active directory. Th
Title: Kerberos question
Quick question:
I have a remote system that needs to authenticate to our 2003 dcs, I have the choices of Kerberos and ldap. I would prefer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work.
Thanks Hunter for that information,
unfortunately however, the workstations within the domain are Win2K Pro and
software policies and from what I understand software policies will not work
unless with WinXP or Win2K3.
I think I am just going to have to bust
some heads around here and
Hi
SAP last year has published a reviewed version of their schema
extension. They renamed uid to SAP-uid.
That schema version is "SAP Active Directory Schema Extension Script for
EP 5.0" rev 3.6.7/94301.
We run it in production without any problems. Mail me directly if you
need a copy.
Bart