Microsoft's official enterprise support blog for AD DS and more
New KB articles related to Directory Services for the week of 10/19-10/26.
959117
Certification Authority Service Startup Failure
959113
W32time Service does not start with the Error "System Error 126 has Occurred" "The Specified module could not be found"
951581
When you enable field engineering on an AD LDS or AD AM directory service on a Windows Server 2003-based or Windows Server 2008-based computer, an LDAP query is executed more slowly than expected, and Event ID 1699 is logged
959214
You may not be able to add or remove additional namespace servers using the DFS management console in Windows Server 2003 R2
948502
Error message when you try to store a security descriptor by using an administration tool or a script in Windows Server 2003: "The security ID structure is invalid Facility: Win32 ID no: 80070539"
959074
Software Restriction Policy Enforcement set to “All Software Files” causes checks against paths/files that are invalid
956279
A cross-domain Web single sign-on fails if there is a small time difference between Active Directory Federation Services in Windows Server 2003 R2 systems and IBM Tivoli Federated Identity Manager
957555
Error event IDs 2014 and 2004 and other Error events may be logged when you try to perform a replication on a Windows Server 2003 R2-based server that has DFSR installed
956943
You are prompted unexpectedly to enter your credentials when you access a SharePoint Server site from a Windows Vista-based or Windows Server 2008-based client computer that has a proxy server configured
958315
A user encounters an offline file sync conflict shortly after a successful synchronization on a Windows Vista-based or a Windows Server 2008-based client computer
959069
On a Windows-based computer, NTFS alternate data streams are lost on a shared folder that has the Offline Files feature enabled
959078
Domain local group from foreign domain can be added using "net localgroup" and GC search
959079
Installation of applications from network share results in an error: "Windows cannot access the specified device, path, or file"
959216
Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created
955364
The "Active Directory Users and Computers" MMC snap-in crashes when you create a computer account in this MMC snap-in on a computer on which Windows Server 2003 was installed by using installation media that has SP2 slipstreamed
957502
Error message when you try to open some MMC 3.0 snap-ins in a localized version of Windows XP Service Pack 3: "MMC could not create the snap-in. The snap-in might not have been installed correctly."
959215
AD LDS service start fails with error "setup could not start the service..." + error code 8007041d
959210
DFSR may not operate correctly when used in conjunction with FSRM file screens
958664
Windows Server system software that is not supported in a Hyper-V virtual machine environment
958670
Error message when you try to install the certification authority role on a Windows Server 2008-based computer: "Cannot install Certification Authority"
958736
The "Set roaming profile path for all users logging onto this computer" Group Policy setting also applies to local user accounts in Windows Server 2008
959114
Moving DFSR Migration to the ELIMINATED state logs a misleading wrong event regarding read only domain controller objects
959066
USMT fails to install on Windows Server
Hey everyone, I’m Sean from the Directory Services team here at Microsoft. We support an up and coming technology called Active Directory Federation Services (ADFS). ADFS is a component first introduced in Windows Server 2003 R2 that includes web single sign-on (SSO), which authenticates a user to numerous web applications during a single online session.
Recently, we have seen situations where ADFS components are missing after upgrading Windows Server 2003 computers. As you may already know, if you’re running Windows Server 2003 R2 Standard Edition, only the ADFS Web Agents component is available for installation. You have to use Enterprise Edition to get the Federation Service and Federation Service Proxy components. Most people fix this problem by popping the Enterprise Edition DVD into their server and performing an upgrade. If you upgrade a Windows 2003 R2 Standard server to Enterprise, you’ll soon find that you still only have the ADFS Web Agents component available.
Wait, what’s this? No Federation Service?
To resolve this issue, here’s what to do:
1. Move the following files out of the “C:\Windows\INF” directory and place them in another folder.
sysoc.inf sysoc.pnf adfs.inf adfs.pnf
2. Browse to “C:\Windows” and delete or rename the adfs.msi file if it exists.
3. Reinstall the R2 Enterprise components from disk 2.
4. Reboot the server.
5. Copy the sysoc.inf and sysoc.pnf files that you had backed up earlier into the “C:\Windows\INF” directory.
Now all three of the ADFS components are available!
If you’re not sure if you are experiencing the same problem as I’ve outlined here, take a look at the size of the adfs.inf file in “C:\Windows\INF”. If it is 3,282 bytes and you’re running Enterprise Edition, then you are experiencing this problem. The file should be 4,243 bytes in size (as of this writing; this may change later as the product is updated).
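The size check above and steps 1 and 2 of the procedure can be scripted as follows. This is an added example, not part of the original post: the parameter names, the `Test-AdfsInfStale` function, the default backup folder and the use of the WMI OS caption to detect Enterprise Edition are all assumptions. Run it from an elevated prompt.

```powershell
# Added example; not from the original post. Names below are hypothetical.
# 3282 bytes is the adfs.inf size the post gives for an affected server
# (4243 bytes was the expected size at the time of writing).
param(
    [string]$WinDir    = $env:windir,
    [string]$BackupDir = 'C:\ADFS-INF-Backup',  # assumed backup location
    [switch]$Apply                              # without -Apply, report only
)

function Test-AdfsInfStale {
    param([string]$InfPath)
    if (-not (Test-Path $InfPath)) { return $false }
    return ((Get-Item $InfPath).Length -eq 3282)
}

$infDir  = Join-Path $WinDir 'INF'
$adfsInf = Join-Path $infDir 'adfs.inf'
$msi     = Join-Path $WinDir 'adfs.msi'
$files   = 'sysoc.inf','sysoc.pnf','adfs.inf','adfs.pnf' |
           ForEach-Object { Join-Path $infDir $_ }

# Heuristic (assumption): the OS caption contains "Enterprise" on Enterprise Edition.
$caption = (Get-WmiObject Win32_OperatingSystem).Caption
if ($caption -notmatch 'Enterprise') {
    Write-Host "Not Enterprise Edition ($caption); only the Web Agents are expected."
    return
}
if (-not (Test-AdfsInfStale $adfsInf)) {
    Write-Host 'adfs.inf is missing or is not 3,282 bytes; this issue does not appear to apply.'
    return
}
Write-Host 'adfs.inf is 3,282 bytes on Enterprise Edition: server is affected.'

if (-not $Apply) {
    $files | Where-Object { Test-Path $_ } |
        ForEach-Object { Write-Host "Would move $_ to $BackupDir" }
    if (Test-Path $msi) { Write-Host "Would rename $msi" }
    return
}

# Step 1: move the four INF/PNF files out of %windir%\INF.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
foreach ($f in $files) {
    if (Test-Path $f) { Move-Item -Path $f -Destination $BackupDir }
}
# Step 2: rename adfs.msi (kept rather than deleted so it can be restored).
if (Test-Path $msi) {
    Rename-Item -Path $msi -NewName ('adfs.msi.{0:yyyyMMddHHmmss}.bak' -f (Get-Date))
}
Write-Host "Next: reinstall the R2 Enterprise components from disk 2, reboot,"
Write-Host "then copy only sysoc.inf and sysoc.pnf back from $BackupDir."
```

Steps 3 through 5 stay manual; after the reinstall, a fresh adfs.inf should be present in the INF directory, so only the two sysoc files are copied back.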
Now that you can start setting up your environment, take a look at some additional documentation for ADFS.
ADFS Design and Deployment Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=b92ea722-0c30-4ea6-bd45-7e5934b870cf&DisplayLang=en
This document goes through all of the different ADFS deployment scenarios and has links to many other useful ADFS documents.
Also, if you’re setting up a test environment, check out the step-by-step guide.
ADFS Step-by-Step Guide: http://www.microsoft.com/downloads/details.aspx?familyid=062f7382-a82f-4428-9bbd-a103b9f27654&displaylang=en
I recommend supplementing this guide with the ADFS Product Support Blog located here: http://blogs.technet.com/adfs/archive/tags/Installation-How+to/default.aspx
- Sean “Lurch” Ivey
Ned here with a quick heads up. The IE 8 dev blog has posted some news about Group Policy changes in Internet Explorer 8. It's definitely worth a read: Group Policy Support Updated in IE8
The article is mainly a tickler, but it links to the extremely interesting:
Internet Explorer 8 Deployment Guide
That goes into insane detail on all the new GP options for IE8. 1300 new policy settings in fact! This reference goes into far more detail about IE8 itself as well and is worth a save in the Favorites folder.
- Ned "Posting this from IE8 Beta 2" Pyle
New KB articles related to Directory Services for the week of 10/5-10/11 -
957772
Error message when you access a share that you pinned by using Always Available Offline: "Access is denied"
950825
The Created and Last Modified time and date for some files are displayed incorrectly as the current time and date on a Windows XP-based computer
953835
You cannot perform NetSH commands by using a user account that belongs to the "Network Configuration Operators" security group on a Windows Vista-based computer or on a Windows Server 2008-based computer
957656
Error message when you log on to a Windows Vista-based or Windows Server 2008-based computer that has the "Allow user name hint" Group Policy setting enabled: "The specified username is invalid"
958336
Windows Vista does not keep its DHCP IP address if a DHCP server is not available
954434
A multiprocessor computer that is running a Windows XP, Windows Server 2003, or Windows Vista stops responding on a black screen after you resume the computer from hibernation
952685
A deadlock situation occurs in Windows Management Instrumentation Service (WMI) on a Windows Server 2008-based or Windows Vista SP1-based computer
954902
After a user is deleted from a role in the Authorization Manager in an Active Directory domain environment, the user can still unexpectedly access that role from a Windows Vista-based or Windows Server 2008-based client computer
957700
How to uninstall Internet Explorer 8 Beta 2
Not much to talk about this week. In fact, no articles related to Directory Services at all. Nonetheless, here are two new articles that may interest you.
957517
A dedicated complete memory dump file may not be successfully generated if the volume that stores the dedicated dump file has insufficient free space
957274
An ad hoc network connection is not automatically reconnected when you restart Windows Vista
New KB articles related to Directory Services for the week of 10/12-10/19.
955832
An SSL connection may fail when you use Internet Explorer to make an SSL connection to an HTTPS Web site that is certified by a Digital Signature Standards (DSS) certificate on a Windows XP-based computer
955427
Copy process is very slow when you copy large files from one computer to another computer in a high-bandwidth network environment if both computers are running either Windows Vista or Windows Server 2008
957653
Windows Search may fail if you search a network folder from the toolbar in the Windows Explorer while offline on a computer that is running Windows Vista or Windows Server 2008
957624
A Windows Vista-based or Windows Server 2008-based computer behind a NAT device cannot communicate with another computer through an IPsec tunnel-mode connection
958893
How to configure DFSR logging
954879
The LSASS.exe process crashes and the computer restarts when you try to start the Network Access Protection Agent service on a Windows XP Service Pack 3 -based client computer
956580
You cannot enroll for a certificate that is larger than 4096 bits on an SCEP client in Windows Server 2008
Ned here. Our developer team colleagues at the File Cabinet have posted an interesting article on the DFSDIAG tool. Introduced with Windows Server 2008, this utility is excellent for testing, documenting, and troubleshooting your DFS Namespaces environment. Make sure you give the article a read.
What Does DFSDIAG Do? (FileCabinet Blog)
PS: not to be confused with the DFSRDIAG tool, which is used with DFSR. Don't worry, I do it all the time myself. :-)
- Ned Pyle