
LDAP with Active Directory and kerberos

Q: LDAP with Active Directory and kerberos

I wanted to understand the authentication approach for directory services like AD using LDAP and Kerberos.
What are the typical authentication configurations used in an enterprise datacenter?

1. AD + LDAP
2. AD + Kerberos
or any other configurations.
The reason I am looking into this is that for my backup workloads via CIFS/NFS we already have configurations supported as below:
LDAP authentication for our backup appliances
AD + Kerberos
However, we see issues enabling AD as LDAP for our NFS/CIFS protocol workloads:

1. When "AD as LDAP" is used, CIFS data access for AD users will not be possible due to technical limitations in our configuration/code.
2. When "AD as LDAP" is used, the ID mapping scheme recommended is RFC2307.
I have also seen customers asking for NFSv4 support with RFC2307 for security reasons.
RFC 2307 is LDAP integration with Linux users.
So any thoughts would be highly appreciated.

Read other answers


I need to connect to Active Directory through LDAP in Microsoft Access. Is this possible?

A:ACCESS to LDAP to Active Directory

Please excuse my ignorance, but what is Active Directory and LDAP?
Is LDAP a program and is Active Directory a location or folder?

Read other 3 answers


The attached samples demonstrate how to locate domain controllers, change user passwords, list accounts, and create new user and computer accounts in Microsoft® Windows® 2000 from UNIX.

Each sample includes an executable that is built for the desired UNIX platform and a UNIX-style man page that documents the command usage.

System Requirements
Supported Operating Systems: Windows 2000




A:Windows 2000 Active Directory and Kerberos Services: June 22

How does Kerberos affect XP Home clients' accessibility to domain resources, or does it?

Read other 1 answers

When I loaded Office 2003 Professional Edition, now when I go to open my email in Microsoft Outlook, it goes to LDAP Directory. I do not know what that is; if I click OK it bypasses it, but it is annoying. How do I get rid of it?

A:LDAP Directory

Hi Zippy Nana

Welcome to Tech Support Guy Forums!

In Outlook 2003
Tools > E-mail accounts

Under Directory
Click: View or change existing directories or address books
Click: Next

If present, select the LDAP Address Book and Remove it.
If the Outlook Address Book is not present you can Add it at that time.
Click: Finish
Close and restart Outlook 2003 for the changes to take effect.

This article may be of interest:
Contact information

Let us know if that works for you or not.

Read other 2 answers


I have a problem with LDAP, I use apache directory server and I would add a new user ....I use Visual Studio and the code is:

public static void prova(string FullName)
{
    DirectoryEntry container;
    DirectoryEntries ChildEntry;

    try
    {
        container = new DirectoryEntry("LDAP://localhost:10389/cn=user1,ou=users,ou=system", "admin", "secret");

        ChildEntry = container.Children;
        DirectoryEntry NewEntry = ChildEntry.Add("cn=" + FullName, "user");
    }
    catch (Exception ex)
    {
        throw new Exception("Error " + ex.Message);
    }
}

The problem is that I get this type of error: The directory service is not available
Could somebody help me?
Could it be an error with the new protocol ntlm2?

Read other answers

When ever I open Outlook 2003 I get a box

Microsoft LDAP Directory

Connection Details

Server Name NULL

Port 3268

Username NULL

How do I get rid of this ???

A:Microsoft LDAP Directory

Try this:

Go to "Tools" and "Email Accounts", under "Directories" choose
"View or change directories or Address Books", click on "Next", highlight
the LDAP address book, and click on "Remove."

Read other 1 answers

Can't Contact LDAP Directory Server. Having installed MS Office 2003, whenever I wish to send an email from my address book I am getting the message (dialog box) 'Can't contact LDAP Server'. Could someone please explain what this means and how I can put it right? I am currently using Outlook Express.

Many Thanks


A:Can't Contact LDAP Directory Server

Read other 8 answers

When I open Outlook 2003 or try to access contacts I get the LDAP login. I don't use LDAP and I can't get rid of it. It has something to do with Active Directory.

Any ideas


A:Can not contact LDAP Directory server

Go to Tools, then to E-Mail accounts. Then select View or Change existing directories, remove the LDAP and leave the MAPI address book.

Read other 1 answers

I installed ATA in my environment yesterday and the server alerted me to my AADSync server.  I allowed the activity, but I'm wondering if it is best practice to install the (Lightweight) Gateway on the AADSync server?
AADSync server is running Windows 2008 R2 without any roles installed.  Microsoft Azure AD Connect is the only service running on this server.

Read other answers

I am trying to create an "End-User" Friendly Company Directory site that links to fields in Active Directory.

Active Directory is currently hosted on Server 2003 with latest Service packs.

I have seen several pieces of software such as People Updater/Finder most of which do more than I want to do.

Any suggestions on a CHEAP or even FREE solution?


-- BS

A:Active Directory to Company Directory

How often will you update this?

If it's a one-time deal, Excel, dsquery/dsget and a little VBS/JS can get you done... querying the LDAP is not too hard to put into a txt file or xls. Cleaning it up can be, depending on how much you want to put into the development.

Read other 1 answers

We will be upgrading our Server to Win2k and implementing Active Directory and was wondering what effect Active Directory will have on Data Recovery - Are there any issues with this, any differences we should know about.

Also when we upgrade the PDC to Win2k DC, it is a must that we install or configure Active Directory at the same time?

Thanks for all your help

A:Active Directory

You do not have to install AD when upgrading, it can be installed later. One thing to keep in mind is to install DNS on the DC during the upgrade or prior to installing AD as dynamic DNS is required for AD to work. It does not have to support anything but AD. As for Data recovery, my understanding is that there is a AD plugin for Backup Exec (if that is what you are using, probably one for each backup system) that you need to backup AD. It is structurally similar to SQL server and needs the plugin to deal with the AD db being open during backups.

If I am wrong, please correct me!

Read other 1 answers

Help, I am trying to install Active Directory on a Windows 98 machine. This program is supposed to make these machines connect to a Windows Server 2003.
I am getting the following error: DNSAPI.Dll is linked to missing Export ADVAPI32.dll:Trace Event
I have gone into Explorer and both files are on the machine.

Read other answers

Hi team

My Active Directory is running on Windows 2000 Server. Is there any way for me to make the authentication password contain a numeric and a special character for all the users in Active Directory?
Reply to me urgently.

A:Active Directory

I don't know if there is any way to force the use of special characters. You can set a group policy to force password complexity and you can also use a utility called passprop, which is in the 2000 resource kit. I think both of these only force you to use uppercase and lowercase as well as numbers. I am not sure if it will force special characters. These are the only two ways I know of. You should definitely be forcing the password length in a group policy because Microsoft's password encryption algorithm has a flaw in it. If you have ever used L0phtCrack you will notice that it can immediately figure out characters 8 thru 13 when it tries to crack a password. So you need to force password lengths 14 or greater.

Look at this link.

and these policies.

Read other 3 answers

OK guys, I posted the same thread in security.
OK, my question is: can I access my Active Directory on my servers through other workstations I have connected? Is there software I have to buy or download, and if so what is it called? Or is there another method for this?
PS. I'm running Windows 2k on my server and workstations.

A:active directory

You should be able to, W2k looks for AD by default, if you cannot see it, run dcpromo from a command prompt and follow the clicks, when you installed W2k server, did you enable AD or install as a 'standard' (i.e. NT4) server ??.
If you're running AD, you need to enable GPO and enforce policies to get the most from it.

Read other 1 answers

Seemingly huge problem seeking a possibly easy solution.

Ok. Background is our network runs on MS Small Business Server 2000. Users and computers were set up on Active Directory running a domain. A few weeks ago our server got hit with a virus that caused us to do a full reinstall. Active Directory was rebuilt from the ground up. Easy part was adding all the users again. Problem now is that none of the computers are registering on Active Directory.

Easy fix was to unjoin the domain and rejoin it. Solution works, but problem is that it creates a new user profile instead of using the one that was in there already. Tried to switch names (rename the new user profile to something else, rename the old user profile to the new one) but every time I logged in afterwards it created another new profile. Also tried to add the computer name to Active Directory, but that did no good either.

Anybody else have a better idea? I'd rather not unjoin and rejoin every single workstation and also migrate every single user profile on every single workstation to the new profile.

A:Active Directory

Sorry dude. You have to rejoin all computers to the domain. There's no way around that. In the future, you can copy everyone's profiles to the server and when you recreate their user account, just set their profile to Roaming so their old profiles propagate down to their computers. Then you can set it back to local if you like. The reason why their old profiles won't work is because the security identifiers are different. Every user has one. Even if you reinstall Active Directory with the same configuration as before, it won't matter.

If you go into your profiles tab on one of the computers, it will most likely say "Account Unknown."

Read other 1 answers


I am trying to get AD working on my PC, but I keep getting the message:

Naming information cannot be located for the following reason:
The server is not operational.
And I don't know how to get rid of it. I have tried putting in the server name and the domain name but it still doesn't like it.

Please can you help me understand this message and what to do?

A:Active Directory Help

What is the status of your domain? Does the client computer that you are installing AD on have the appropriate permissions in the computer account? Have you run DCPROMO from the domain controller? I have experience with implementing a new domain, so I can get you past the bumps.

Read other 3 answers

Hi Guys,

I have a problem in my windows 2000 server ,
when i am trying to add new user in Active directory I am getting the error
"Naming Information cannot be located , specified domain either does not exist"

A:Active Directory

Sounds like fixes aplenty -




Have you tried these?

Read other 1 answers

Hi! I'm not sure if I'm in the right forum, but it's as close a match as I could decipher. I'm doing exercises on GPMC, and I went to Active Directory Users and Computers to set up some OUs. The only container that has the option for new OUs is the Domain Controllers container. That's not right. Why are the OU options missing for the other containers? I'm running Server 2003. Any and all responses will be greatly appreciated. Thanks.

A:Active Directory

Doesn't sound like any OUs were created. You would make the root OU under your forest name.

Read other 1 answers

Not sure this is the right forum for this but I don't have experience with AD as of yet. In NT (many moons ago) I did create and manage accounts/pwds and the like.

I was wondering, can anyone recommend maybe simple books to start out with and get the basics down? Good tutorials online or something? I was offered a job at $40/hr but I have no AD experience, so I want to learn it and put it on my resume.

I have W2K Server that I will install on another PC at home and try to pick it up... Is 2003 Server much different than 2000 Server?

Thanks for your help.

A:Active Directory

Yes, 2K3 is very much different from 2K. The Small Business Servers are very different from their corresponding regular servers.

I can't really recommend a book, though you could just look at the course materials for Microsoft Certification courses.

Read other 1 answers

Dear all

I am using a Windows 2003 domain controller. I also have an additional domain controller for the same domain, for failover purposes.

Now my Windows 2003 primary domain controller has failed. I am not able to activate it. So I wish to activate my additional domain controller to act as the primary domain controller.

What steps do I have to take?

your friend

A:Active Directory help

If AD and DNS were set up on both computers and working correctly, go to the backup DC, open a command prompt and enter DCPROMO

Read other 3 answers

Hi Everyone!!

I am having a problem with setting up a screen saver password protect for Reps in Active directory. I enable screen saver timeout to 120 sec.
After 120 sec screen saver will come on but its not going to the CTRL-ALT-DEL (Lock state).

Please Help!

Read other answers

I have a Windows 2003 domain server. The problem is that mostly twice a week (on no particular days) I need to restart the server because the workstations connected to the domain cannot connect anymore. To get them connected again, I need to restart the server to refresh it.

Any idea regarding this problem?

A:Active Directory

Read other 16 answers

Is it anyhow possible to specify a user group to only be able to log onto a specified host on a domain?

I need to limit certain users from logging onto certain machines. Can anyone help me?

A:Active Directory Help!

Read other 6 answers

I am sort of new to this, but this is my problem: we work in an office which uses Active Directory. I have set up multiple accounts, I have set up group policies, etc.
My problem is that recently we have encountered a problem with a website, and the only way we have found to access it is to go into the hosts file on each computer and add the IP address and the website address - www.bwfghwoefgh.com (example)

I was wondering if there is a way, using Active Directory, to make this sort of change with a group policy or something, instead of me having to access each computer in the directory and edit the hosts file.

Read other answers

H E L P ! ! !
I have a Win2000 server, main DC for 80 users with Active Directory. We don't use Exchange and I wanted to remove it. Tried uninstalling but that messed up our IIS webpage, so I restored system state and all was fine.
Then I followed Microsoft directions for manually removing Exchange. Still messed up IIS webpage (said it's under construction) even though IIS was reinstalled. At the same time it messed up Active Directory even though system state was restored to earlier good state, and all I can figure is it happened because the Exchange object was deleted from AD.
Now my 2nd Win 2000 DC won't recognize or see anything on the entire network but itself, although it can be accessed across the network and does replicate AD from the other server. It doesn't show the other 2 domains on NT servers except when I was rebooting the main 2000 DC.
My users can't access some of their folders on the main server (this server is a key file server for active work) so I have given some of them logons on one of the other domains, but it's an old domain I am phasing out and so still they can't access everything they need from one logon.
Trust relationships are OK. DNS is OK. AD replicates to the other server. Creating new logons on AD doesn't help - they are as messed up as the old ones. No DHCP. No Internet connection, no connection to anything outside, no wireless access to the network - it is totally self-contained and internal.
I took...

A:Active Directory Seriously Ill

Read other 6 answers

Can somebody tell me how to confirm which user created a specific account in AD? Where and which log to check? Thanks!

A:Active Directory help

Check the security event log for IDs 624 (creation) 642 (changes) and 630 (deletion) and that should tell you what you need, well it'll tell you which admin account created, changed or deleted the account

Read other 2 answers

Dear all
My setup is one windows 2003 server running DC server name is A. It has all operation master roles as well as Active directory Integrated DNS is running.

My domain name is test.com. I have configured one additional domain controller for test.com domain server name is B

Now my server A [which has all operation masters] has a problem and is unable to boot the OS due to a hard disk problem. So server A is down now.

What steps do I have to take so that all users [client machines] log on to server B and continue their work without disturbance?


A:Active directory

If you setup the additional Domain Controller as a Replication Partner it will take control if the primary Domain Controller fails, so the clients don't have to do any thing.

Here's a link describing how to set it up and validate you did it correctly: http://www.microsoft.com/technet/pr...tory/activedirectory/stepbystep/addomcon.mspx

Have a Happy New Year.

Read other 1 answers

Hey guys and gals,

A few quick questions about Active Directory. I have just installed Active Directory on a Windows 2000 server and everything seems to be working OK, except every once in a while I'm not able to add new machines to the domain. It says that the network name is not found, however it prompts me for an admin logon to put it on the domain. Seems odd. Anyone have any ideas on this one?

Secondly, I have 2 network printers with their own IPs and whatnot, however I am having trouble adding them to Active Directory. I found one way of doing it, and that is adding them as local printers to the server and then sharing them on the network, and this worked fine for a day or so, which leads me into my third and final (so far) problem: for some reason I am not able to browse the network. When I try to, it tells me that the server does not allow transactions, however it worked one day, then the next day when I came to work this little problem crept up. Please help, I can't seem to find the answers anywhere. Thanks in advance

A:Need a little help with active directory

Read other 13 answers


More of an annoyance than anything else. I am currently running a network with around 200 users, half of which are remote (using a VPN to get access to email and other resources). I have 3 DCs (for resilience) all running 2000 Server. Every day at least 10 users become locked out of their accounts. We are running Exchange 5.5. Now we are migrating to Server 2003 and Exchange 2003 over the next few months, but remote users are getting locked out of the network at random times, and if there is no one in support to unlock their account then they are stuffed, however sometimes it can unlock itself! Even if you set the account to full access 24/7, password never expires, they still can be locked out. Has anyone come across this before?


Read other answers

I'm attempting to run Active Directory in Win2000 Server from MMC, using "Run As" to log on to the domain. Not having much luck. My support at work is not the most helpful (imagine that?). It's an odd setup...I have my own server for my dept, but cannot log on with my domain account. So I'm looking for a way to access Active Directory while logged in as the local admin on my server. Confused? I am. Any suggestions helpful.

A:MMC and Active Directory

When trying to access a server, you can only use the default domain admin account. You cannot use any other account to log onto the server itself. If you would like to administer Active Directory through your workstation, simply install the administrative tools from the Windows 2000 Server CD on your workstation. The admin tools are located in the Support Folder, Tools Folder. Once you install those, you will have to right click the task bar and click Properties. Click on the Advanced tab and put a check mark next to Display Administrative Tools. Remember also, in order to administer Active Directory through your workstation, you need to add your domain user account to the Domain Admins group on the server itself. To access the Active Directory tools, you can then just simply click Start, Programs and then Administrative Tools. YOU CAN'T USE LOCAL ADMIN ACCOUNTS TO ACCESS ACTIVE DIRECTORY.

Read other 2 answers

OK folks, I have this issue with NT4.0 where I need to add it to our Active Directory services domain. Microsoft has a client which I believe (I can be wrong) facilitates this. The name of the client is Active Directory Client Extension for NT4.0. So I installed the client and attempted to create a computer account in our Active Directory domain, which has more than 16 characters; however, when I attempted to input the domain name from the NT workstation, I can't exceed 16 characters. I would appreciate it if anyone has any insight into this problem, as Microsoft's website provides no assistance on that issue whatsoever. Many thanks and kindest regards.

A:NT4.0 and Active Directory

Can you manually add the computer to the domain on the AD controller?

Did you try entering the pre-Windows 2000 domain name? You can find this out by going onto the domain controller and opening up the Active Directory Users and Computers snap-in. Then right click the domain name and click Properties. There is a field there that gives the pre-2000 domain name. Should be usable from NT.

Read other 3 answers

I have a problem and am wondering if any of you have come across it or know how to fix it.

I have a currently active AD.
I got another box and am installing AD on it as a child domain.

However, it transfers all the information to the child domain.
You can still see it in the parent AD, but only in the tree (left-hand side).
The Domain Controller in the parent AD disappears and appears in the child domain.

Then when I tried to remove the child domain, I accidentally selected that it is the last domain server, and removed it. Halfway through there was some error contacting my domain.
I removed the box from the network. AD is still working but is not showing data in the right window in the AD,
and it's affecting my mail server.

I was wondering if there's a way to recover the AD to some previous state, as I haven't added anything into the AD.


Read other answers

I am very new to Active Directory, so I need to make my basics strong. Could anyone answer this for me, please?
Say I run a company, 'a financial', and I have 10 users. I have also installed Windows Server 2008 on one of my computers and
given Windows Vista to the client computers. How will I make the client computers connect to my server? If I install a DHCP server,
will it give a private IP or APIPA (169.X.X.X)? With APIPA, could I communicate? Also, I don't have an ISP because I am not hosting a website.
Is it possible to have Active Directory in this environment? Or to have Active Directory, should I always be connected to the internet?

A:Active directory

Welcome to SF.

On the client, right click on computer. Left click on properties. Under computer name, domain, and workgroup settings -> select "change settings".

I typically select "Change" to specify the domain. You might want to use the wizard.

Read other 9 answers

I am looking to make an active directory server on my windows XP Pro machine. I gather this wouldn't be included in XP but does anyone have any ideas on this?

I know this may sound stupid but I want to put it on there for educational purposes.

Read other answers

Can I install active directory on Xp pro? Would like to do it for educational purposes. I'm running it on my home pc and do not have a network setup. Just want to learn about it in a scaled down manner. Is this possible?

A:Xp And Active Directory

Have a read of this and see what you make out of it.


Read other 3 answers

I just installed Windows XP Pro and connected it to the company's domain. Where can I download Active Directory from?

A:How do I get active directory?

Active Directory is not something you download - you join a domain with an account that has privileges to do so within the domain. Just change your machine location in Control Panel > System from Workgroup to Domain and enter the domain name. It should then prompt you for credentials.

Read other 3 answers

Hi Everyone,

So in active directory I have Generic User accounts (e.g Security, Sales, Transport) as well as email accounts attached to them, Then I have user accounts (e.g John, Michael) and they have their personal email accounts attached to outlook but they will also both have the "SALES" Email address attached to their inbox in outlook.

The above is working great but my problem now comes in below.

Due to company policy we need to Lock the generic accounts down to only the computers that they are needed to log onto. (e.g in AD right click generic account then select properties, then Account, the "LOG ON TO...")

See Image below:

When I add the computer names into the generic accounts, after about 2 hours the generic email address stops working and refuses to accept the password. Even if I log on with the generic account, Outlook still refuses to accept the password.

Read other answers

I'm describing the scenario, suppose I have two sites one in USA and the other at UK, both these two sites are well communicating with each other now I want to demote one of the server in the UK. It is for sure each of the DCs in these sites are communicating
with each other now on demoting this server in UK will for sure hamper the communication occurring in between these sites.

So I want to know if I create an orphan site and put this server into this site making sure that there is no communication gap or delay or any such error in the sites which is now holding 3DC.

Let me know if you need more information or any such relevant information on this scenario.


Read other answers

I have a problem with an MS Access file being in use by another user. It will not tell me who has the file open and I want to save some changes to it. Is there any way that you can view what programs a specific user has opened, or any other way to find out who has the file open through Active Directory? I am running 2000 Server.

Read other answers

DB2 Nerd: Using Microsoft Active Directory to Store DB2 Catalog Information 
I followed the above link, but when I run db2schex, I get a server down error. This is not making much sense since I installed both DB2 and Active Directory on my server. I don't know how to get this solved. Please help!

Read other answers

I am new to system administration. Can anyone brief me about AD and DNS: the difference between the two, and the importance of DNS in setting up an AD server?
What is a forest? Is it relevant to AD or DNS?


Read other answers

We're relatively new to active directory so were surprised that a user - who was never set up on this win2000 computer but still a user in AD - could get into the files of this win2000 computer merely by logging into AD. In our environment we wish to basically authenticate to the local user list as well as AD. I have looked over info on AD users and computers as well as group policies but I haven't been able to find something addressing this. I have given thought to permission settings on computers in AD (no testing done yet) but maybe there is a better way. Your help would be appreciated.

A:win 2000 and active directory

So you want users to only be able to log on to certain computers? It is somewhere in the user's properties, I think. I'll update my post when I confirm that.

Read other 3 answers

In a domain controlled by Server 2003, what printers should be listed in Active Directory? Specifically, should ones that are network-connected be listed there? My concern is that the listing is done under printer sharing and I do not think I want the server involved in printing when it does not have to be.

Read other answers

I'm in the process of creating a plan to eliminate unused computer and user objects within an Active Directory domain. Over time the AD was not managed correctly and now, we have a host of issues with our AD and are going to start running in to licensing issues soon. We thought a good place to start would be to get rid of any computer and user objects no longer in use.

We have a physical count of about 350 computers on the network, while we report from AD with having almost 500. There is no telling how many user accounts are lurking around either.

I have an idea of where to start, but at the same time I don't want to do anything too risky as we all know the ramifications of deleting a computer or user account in an AD accidentally.

Basically what I am after is the most painless way of finding out what computer and user objects are no longer in use so they may be deleted.

Any help would be appreciated. Thanks.

A:Active Directory Cleanup

Well, there is Oldcmp (do a Google search on it) and there is the non-freeware Active Directory Janitor, then there is this tool here -


I am sure you could query AD with a VBS and get an output on some of this as well, but I'm sure you would have to fiddle with the code a little.

Read other 1 answers

Ok, here's my situation. We have about 16 ppl in our office. I'm getting more and more server duties (Administrator, Backup Admin, Schema Admin)put onto my shoulders every day. I have about 95% admin privs in the server. There are some things that are only for the four partners and the Senior Developer. These things I cannot access and really have no need nor want to. I do , however, need access to things that only the Senior Dev has access to. I don't think we're ready for AD as we have 16 ppl on the office network, any suggestions on what to do to get me full admin access, but still keeping me from being able to access the company sensitive stuff?
If I'm too vague, let me know, It's early in the morning & i'm a little tired.

A:Switching to Active Directory

The company's proprietary things should be data, not programs, and they can password protect or use encryption protection for the data that they want to keep confidential without locking you out of the software used to produce it.

Read other 1 answers

How do I create a "Group Policy" that will take away "deletion" rights from a user?

A:Win2k3 Active Directory

Are you confusing GPO's and NTFS rights settings ?

You need to make the user member of enough groups to grant him the rights he needs to files. If you do not want the user to modify the files (deleting is part of modifying), then do not grant them the modify right.

If a specific user needs a specific deny right (not recommended) then make a new Security Group, grant this group the appropriate deny rights, and add the user to this group. Deny rights inheritance can be very tricky though.

Please be more specific as to what you are trying to accomplish.

Read other 1 answers