Channel: Directory Services forum

DC Promo Fails from Physical Server 2008R2 to VM Server 2012R2


Hello,

I have a problem. I want to promote a new server as a DC; it is a VM running 2012 R2, promoted from a physical 2008 R2.

It hangs on "Replicating Critical Information..." and the DCPROMO.LOG says the following:

08/28/2018 19:19:04 [INFO] EVENTLOG (Error): NTDS Replication / Setup : 1125
The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to establish connection with the following domain controller.

Domain controller:
6e47a2d5-200f-4f90-b6a1-b4edda11059c._msdcs.MYDOMAIN.local

Additional Data

Error value:
1722 The RPC server is unavailable.

I have tried everything; I restarted the main DC and nothing.

Please Help
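The checks a practitioner would run on the new 2012 R2 server before retrying the promotion, as an added example that is not part of the original post. The GUID CNAME is the one from the DCPROMO.LOG above; everything else (the DNS client configuration, port list, dcdiag tests) is a generic diagnostic, not anything the poster reported. Error 1125/1722 at this stage is almost always one of two things: the new server's DNS client cannot resolve the `_msdcs` CNAME, or the RPC endpoint mapper / dynamic RPC ports are blocked between the two hosts.

```powershell
# Added example, not from the original post. Run on the new 2012 R2 server.
$guidCname = '6e47a2d5-200f-4f90-b6a1-b4edda11059c._msdcs.MYDOMAIN.local'

# 1. Which DNS servers does the new server ask? Every one of them must host (or forward
#    to a server that hosts) the _msdcs.MYDOMAIN.local zone; a public or ISP resolver here
#    is the most common cause of this exact 1125 / 1722 failure.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. The GUID CNAME must resolve to the source DC's host name, and that to an address.
$cname  = Resolve-DnsName -Name $guidCname -Type CNAME -ErrorAction Stop
$dcHost = ($cname | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
$dcIp   = (Resolve-DnsName -Name $dcHost -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
"{0} -> {1} -> {2}" -f $guidCname, $dcHost, $dcIp

# 3. 1722 "RPC server is unavailable" after a successful lookup means the RPC endpoint
#    mapper (135) or the dynamic port it redirects to (49152-65535 by default on 2008+)
#    is blocked between the two hosts. Probe the mapper and the other ports replication needs.
foreach ($port in 135, 389, 445, 88, 53) {
    $t = Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue
    "{0,-5} {1}" -f $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 4. Check the source DC's own health the way dcpromo sees it; /s targets the existing DC.
dcdiag.exe /s:$dcHost /test:Connectivity /test:Advertising /test:DNS
```

If step 2 fails, fix the DNS client settings on the new server (point it at the existing DC) rather than anything on the DC. If step 3 shows 135 open but promotion still fails with 1722, the firewall is dropping the dynamic port the mapper handed back; the whole ephemeral range has to be open between the two hosts, not just 135.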


I have a laptop on its last legs.

I want to do a sysprep to move it onto a different machine. My question is, will this action remove any programs, like Office 2013, Photoshop, or any at all?

Setting up Microsoft LAPS


I have a large enterprise AD environment. My OU structure goes as follows: Country OU, then Site OU, then an OU called Server.

Every Site OU has a Sub OU called Servers.

I am trying to implement LAPS, specifically trying to set the computer permission. The command, as it is documented, is as follows:

Set-AdmPwdComputerSelfPermission -OrgUnit OU=Server.DC=Contoso,DC=ORZG.

I have tried running the command Set-AdmPwdComputerSelfPermission -OrgUnit OU=Servers,OU=site,OU=Country,DC=Contoso,DC=org.

The command is failing. What am I doing wrong?
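The LAPS permission setup a practitioner would run for this OU layout, as an added example that is not part of the original post. `-OrgUnit` accepts either the OU's name or its distinguished name; a DN is a comma-separated list of `type=value` pairs, so a value like `OU=Server.DC=Contoso,DC=ORZG` (with a period between the first two components) is not a valid DN and will not bind. The group names `LAPS-Readers` and `LAPS-Resetters` are assumptions, and the example assumes the AdmPwd.PS module is installed and the schema has already been extended with `Update-AdmPwdADSchema`.

```powershell
# Added example, not from the original post. Run as a user with rights to modify the OUs.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$domainDn = 'DC=Contoso,DC=org'

# One "Servers" OU per site means one call per OU: find them instead of typing each DN.
$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Servers'" -SearchBase $domainDn

foreach ($ou in $ous) {
    # Let the computers in this OU write their own ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime.
    # The DN is quoted as a single string; commas separate the RDNs.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou.DistinguishedName

    # Who may read the clear-text password, and who may force a rotation.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou.DistinguishedName -AllowedPrincipals 'Contoso\LAPS-Readers'
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou.DistinguishedName -AllowedPrincipals 'Contoso\LAPS-Resetters'

    # Audit: anything holding "All extended rights" on the OU can read the password too.
    # Review this list and remove the right from principals that should not see it.
    Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName | Format-Table -AutoSize
}
```

Run it once per domain; the `Find-AdmPwdExtendedRights` output is the part to keep an eye on, because delegated helpdesk groups with blanket extended rights on a site OU silently inherit password read access.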

ADFS - Unable to trace domain account login attempts.


Our ADFS servers (we have 2) are getting multiple failed login attempts from a particular user. Can we trace where they are coming from? These attempts are happening every 5 minutes. Below are the security logs for these login attempts.

Below is a table of failed login attempts and which server they came from. They all have the same event IDs in Event Viewer: 4771 & 4625.

DC Name    Date         Time
ADFS01     23/08/2018   10:49:59
ADFS02     23/08/2018   10:55:02
ADFS02     23/08/2018   11:00:17
ADFS02     23/08/2018   11:05:32
ADFS02     23/08/2018   11:10:15
ADFS01     23/08/2018   11:15:59
(Unlocked affected account at 11:36)
ADFS01     23/08/2018   11:36:56
ADFS01     23/08/2018   11:42:10
ADFS02     23/08/2018   11:47:25
(Unlocked affected account at 12:03)
ADFS01     23/08/2018   12:03:09
ADFS02     23/08/2018   12:08:23
ADFS01     23/08/2018   12:13:37

Below are the event ID 4771 and 4625 logs

Audit Failure - Event ID 4771

Kerberos pre-authentication failed.

Account Information:

                Security ID:                            Domain\Account Trying to Login

                Account Name:                     Account Trying to Login

               

Service Information:

                Service Name:                       krbtgt/****************************************

Network Information:

                Client Address:                      ::1

                Client Port:                             0

Additional Information:

                Ticket Options:                      0x40810010

                Failure Code:                         0x18

                Pre-Authentication Type:     2

Certificate Information:

                Certificate Issuer Name:                      

                Certificate Serial Number:  

                Certificate Thumbprint:                       

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Audit Failure - Event ID 4625

An account failed to log on.

Subject:

                Security ID:                            *****\ADFS Account

                Account Name:                     ADFS Account

                Account Domain:                  *********

                Logon ID:                               0x167BB

Logon Type:                                           3

Account For Which Logon Failed:

                Security ID:                            NULL SID

                Account Name:                     ******@****** (Account Trying to Login)

                Account Domain:                 

Failure Information:

                Failure Reason:                     Unknown user name or bad password.

                Status:                                    0xC000006D

                Sub Status:                            0xC000006A

Process Information:

                Caller Process ID:  0x5f8 (this is the adfssrv process)

                Caller Process Name:           C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe

Network Information:

                Workstation Name:              Server logs have come from

                Source Network Address:     -

                Source Port:                           -

Detailed Authentication Information:

                Logon Process:                       W

                Authentication Package:     Negotiate

                Transited Services: -

                Package Name (NTLM only):              -

                Key Length:                           0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

                - Transited services indicate which intermediate services have participated in this logon request.

                - Package name indicates which sub-protocol was used among the NTLM protocols.

                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Now, looking in the ADFS Event Viewer, it has Event ID 342 at the same time as the failed login attempts:

Token validation failed. 

Additional Data

Token Type:

(Omitted because I am unable to submit a link)

Error message:

Account trying to login - The user name or password is incorrect

Exception details:

System.IdentityModel.Tokens.SecurityTokenValidationException:AccountTrying to login ---> System.ComponentModel.Win32Exception: The user name or password is incorrect

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

As the login attempts are coming from the ADFS server, I assumed they were coming from Azure; however, when looking at this user's sign-in attempts in the Azure portal, there are no failed attempts.

So how can I trace where these login attempts are coming from? Bearing in mind that, according to the event log, they are coming from the ADFS server, how can I find out what is attempting to log in to the affected account through the ADFS server?

Thanks,

Sean
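The Windows events quoted above (4625 with caller `Microsoft.IdentityServer.ServiceHost.exe`, 4771 from `::1`) only prove that the AD FS service itself validated the credential; they never carry the original client address. AD FS writes that to its own audit events in the Security log, which are off by default. The following is an added example, not part of the original post, of how a practitioner would turn those audits on and extract the client address and user agent per failed attempt. It assumes AD FS on Windows Server 2016 (`Set-AdfsProperties -AuditLevel` exists there; on 2012 R2 skip that line), that the AD FS service account holds the "Generate security audits" user right, and that the event field labels are the ones Server 2016 emits. The account name is a placeholder for the one in the post.

```powershell
# Added example, not from the original post. Run on ADFS01 and ADFS02.
$target = 'user@contoso.com'   # assumption: the UPN that keeps failing

# 1. Without these two settings the AD FS admin log shows 342 but the Security log stays
#    silent, and only the Security log carries the client address.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
Set-AdfsProperties -AuditLevel Verbose

# 2. Security event 411 (token validation failed) names the account, the client address and
#    an Activity ID; event 403 for the same Activity ID has the request path, user agent and
#    whether the request came in through a Web Application Proxy.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 411, 403; StartTime = $since } `
                       -ErrorAction SilentlyContinue

function Get-Field([string]$Message, [string]$Label) {
    # Pull "Label: value" out of the event body; empty string if the label is absent.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { $Matches[1] } else { '' }
}

$byActivity = @{}
foreach ($e in ($events | Where-Object Id -eq 403)) {
    $byActivity[(Get-Field $e.Message 'Activity ID')] = $e.Message
}

$hits = foreach ($e in ($events | Where-Object Id -eq 411)) {
    if ($e.Message -notmatch [regex]::Escape($target)) { continue }
    $req = $byActivity[(Get-Field $e.Message 'Activity ID')]
    [pscustomobject]@{
        Time      = $e.TimeCreated
        ClientIP  = Get-Field $e.Message 'Client IP'
        Path      = if ($req) { Get-Field $req 'Url Absolute Path' } else { '' }
        UserAgent = if ($req) { Get-Field $req 'User Agent' } else { '' }
        ViaProxy  = if ($req) { Get-Field $req 'Through Proxy' } else { '' }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize

# 3. The cadence matters as much as the address: one source and one user agent retrying
#    every few minutes is a stored credential (mail client, mobile device, service) rather
#    than a person typing. Group to make that visible.
$hits | Group-Object ClientIP, UserAgent | Select-Object Count, Name | Sort-Object Count -Descending
```

Read the `Path` column together with `ViaProxy`: a WS-Trust `usernamemixed` endpoint reached through the proxy is typically a legacy-authentication mail client with an old password, whereas an internal address hitting the forms endpoint points at something on the LAN. Until the source is found, the repeated lockouts every five minutes are the attacker-independent explanation for the unlock/relock pattern in the table above.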


HPC 2016 sp1 and authentication using a federated domains


Hi All

We have just upgraded an application that required an upgrade of HPC from 2014 to 2016 Update 1, and we are having issues with a service account that uses federated credentials, as we did previously. Our working model is based upon a resource domain in AD1 and our user base in AD2.

To get around the issue we have created users in our resource AD, but this is temporary, as it breaks our security rules. Does anyone know why the change in versions no longer allows us to have users and servers in different domains, even though they are trusted?

thanks for your help

Tim

Print Server - Unable to print


Hi,

1. I have setup 2016 print server say IP as (10.10.x.x).
2. I can send print jobs to printers available in the same network ( say printer IP as 10.10.x.x )  and I can print.
3. When I send a print job to printers (say printer IP 10.11.x.x) that belong to a different subnet, it returns the error 'Error printing'.


Is there anything that needs to be configured at the print server, like any service or rule?
Or is this something that needs to be done at the router level?

Please let me know.

Thanks

How to see Active Directory users' local disk space details?

How can I see Active Directory users' local disk space details, like users' local drives C, D, etc.? Is it possible to see this from the Active Directory server?

reset password issue


Hi,

We have a server 2008 R2 Domain with 2 DC's.

We now have a problem that some of the users are not able to change their password from the RDWeb change password page https://remote.mydomain.com/RDWeb/Pages/nl-NL/password.aspx or when they log in to an RDP session on one of our Server 2012 R2 RDS servers. I cannot try to change the problematic users' password from inside the domain because these users are external.

Users get the error that the username does not exist or the password is not correct, but this is not the case!

The strange thing is that I cannot find event 4723 or 4724 for these users on either of the 2 DCs. I can see these events for other users.

Any suggestions?

Thanks


Shahin
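How a practitioner would chase the missing 4723/4724 events across both DCs, as an added example that is not part of the original post. A failed password change is only audited when failure auditing is enabled for the User Account Management subcategory, and the request lands on whichever DC the RDS host happened to talk to, with the bad-password check then chained to the PDC emulator, so the search has to cover every DC and every related event. It assumes RSAT and WinRM access to the DCs; the user name and the time window are assumptions.

```powershell
# Added example, not from the original post. Run from an admin workstation with RSAT.
Import-Module ActiveDirectory
$user  = 'ext.user1'                     # assumption: one of the affected external users
$since = (Get-Date).AddHours(-24)
$dcs   = (Get-ADDomainController -Filter *).HostName

# A failed 4723 (user changes own password) or 4724 (admin reset) is written only when
# failure auditing is on for "User Account Management". A DC showing "Success" alone
# explains the missing events before anything else is investigated.
foreach ($dc in $dcs) {
    Write-Host "== $dc"
    Invoke-Command -ComputerName $dc -ScriptBlock {
        auditpol.exe /get /subcategory:"User Account Management"
    }
}

# Collect from every DC:
#   4723 / 4724  password change / reset (success or failure)
#   4625 / 4771  the credential check that precedes the change
$ids  = 4723, 4724, 4625, 4771
$hits = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($user))\b" } |
        ForEach-Object {
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                Id      = $_.Id
                Outcome = $_.KeywordsDisplayNames -join ','      # Audit Success / Audit Failure
                Status  = if ($_.Message -match '(Sub Status|Failure Code):\s*(\S+)') { $Matches[2] } else { '' }
                Caller  = if ($_.Message -match 'Caller Process Name:\s*(\S+)') { $Matches[1] } else { '' }
            }
        }
}
$hits | Sort-Object Time | Format-Table -AutoSize

# Two non-audit reasons a change is refused even when the current password is right:
# "User cannot change password" is set, or the minimum password age has not elapsed yet.
Get-ADUser -Identity $user -Properties PasswordLastSet, CannotChangePassword, LockedOut, PasswordExpired |
    Select-Object SamAccountName, PasswordLastSet, CannotChangePassword, LockedOut, PasswordExpired
(Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
```

A 4771 with failure code `0x18` or a 4625 with sub-status `0xC000006A` on one DC, and nothing on the other, tells you which DC the RDS host is using; no event at all on either DC with failure auditing enabled means the request never reached a DC, which moves the problem to the RDWeb/RDS hosts.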


How To Add An iMac To A Windows Server And Have Control Over The Computer


Hi,

I'm looking at adding iMacs to our Windows Server 2016 network. How would I go about doing this? I want to have control over what the user can see and use, and the settings they're able to change (just like a Windows PC), for example blocking iCloud so users aren't able to back up their data, to keep information safe. Is this possible?

Thanks,

Adam.

Incorrect logon event on Active Directory


Hi,

Intermittently ( 5 out of 10 times) I am seeing an issue.

1. I am logged onto my windows PC (10.10.10.10) with username "test1"

2. From this machine I RDP to another server (192.168.1.10) with a username 'test2'.

However, after this I see a logon event in AD stating user 'test2' logged in from PC 10.10.10.10, which is my local PC. Rather, AD should be showing user 'test2' logged on to 192.168.1.10.

Please help me identify where the issue could be. Is it my PC settings or some issue in AD?
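A way to see which event says what, as an added example that is not part of the original post. With Network Level Authentication the RDP client on 10.10.10.10 performs the Kerberos exchange for `test2` before any session exists on 192.168.1.10, so the DC's Kerberos events (4768, 4769) correctly record the client's address; the record of "test2 logged on to 192.168.1.10" is the 4624 with logon type 10 on the target server. The post does not say which event was looked at, so the example pulls both sides. It assumes RSAT plus event-log access to a DC and to 192.168.1.10; the one-hour window is an assumption.

```powershell
# Added example, not from the original post. Run from an admin host.
Import-Module ActiveDirectory
$user  = 'test2'
$since = (Get-Date).AddHours(-1)
$dc    = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

function Get-Field([string]$Message, [string]$Label) {
    # First token after "Label:" in the event body; empty string if absent.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(\S+)") { $Matches[1] } else { '' }
}

# On the DC: 4768 (TGT request) and 4769 (service ticket request) record the host that
# asked the KDC. The RDP client does that on test2's behalf, so "Client Address" is
# 10.10.10.10. A 4769 for TERMSRV/192.168.1.10 is the tell that an RDP session was the goal.
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $since } |
    Where-Object { (Get-Field $_.Message 'Account Name') -match "^$user(@|$)" } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Service = Get-Field $_.Message 'Service Name'
            Client  = (Get-Field $_.Message 'Client Address') -replace '^::ffff:', ''
        }
    } | Format-Table -AutoSize

# On the RDP target: the session logon itself. Logon Type 10 (RemoteInteractive) with
# "Source Network Address" = the client is the event that means "test2 logged on here".
Get-WinEvent -ComputerName '192.168.1.10' -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    Where-Object { $_.Message -match "Account Name:\s+$user\b" -and (Get-Field $_.Message 'Logon Type') -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = 10
            From      = Get-Field $_.Message 'Source Network Address'
        }
    } | Format-Table -AutoSize
```

If the DC-side events are the ones being read, the client address there is expected to be the machine that typed the credentials; intermittency fits NLA being negotiated on some attempts and not others. Monitoring "who is logged on where" should key off 4624/4634 on the member servers, not off the KDC's ticket requests.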

Unknown Sign In AD Through Bulk Modifications


Hello All,

I did a bulk modification (through a .csv file) for all AD users and added a description (the "description" field) for each user in Arabic, but it is showing the description as "♥". If I type it manually, it works fine. Is there any way to add the description in Arabic through bulk modification?

Best Regards,
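A bulk import that keeps the Arabic text intact, as an added example that is not part of the original post. The symptom described (a stray symbol where the text should be) is what you get when the CSV is read with the wrong code page, so the example forces UTF-8 on the read, refuses rows whose text no longer contains Arabic code points after decoding, and verifies the round trip by comparing code points rather than glyphs. The CSV path and column names are assumptions; the file is assumed to be saved as UTF-8 with BOM so Windows PowerShell 5.1 detects it.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory
$csv  = 'C:\temp\descriptions.csv'      # assumption: columns SamAccountName,Description
$rows = Import-Csv -Path $csv -Encoding UTF8

foreach ($r in $rows) {
    # A replacement character (U+FFFD) or no Arabic letters at all means the text was
    # mangled before it ever reached AD; fix the file, do not write garbage to the directory.
    if ($r.Description -match '\uFFFD' -or $r.Description -notmatch '\p{IsArabic}') {
        Write-Warning "$($r.SamAccountName): description is not Arabic after decoding, check the file encoding"
        continue
    }
    Set-ADUser -Identity $r.SamAccountName -Description $r.Description
}

# Verify the round trip on the first row by code point: the sequence read back from AD
# must equal the sequence decoded from the file.
$first    = $rows[0]
$readBack = (Get-ADUser -Identity $first.SamAccountName -Properties Description).Description
$wanted   = [int[]][char[]]$first.Description
$stored   = [int[]][char[]]$readBack
if (-not (Compare-Object $wanted $stored -SyncWindow 0)) { 'round trip OK' } else { 'MISMATCH: ' + ($stored -join ' ') }
```

If the file came out of Excel, save it with the "CSV UTF-8" option rather than plain "CSV"; the latter uses the system ANSI code page, which cannot represent Arabic on a Western-locale machine and produces exactly the kind of substitute character described above.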

DNS Scavenging and removing dynamic DNS records


Greetings,

Hope you are doing well,

I am running Windows Server 2016 AD + DNS + DHCP on the same machine. My DNS aging and scavenging was activated recently to run automatically. It is working well for the newly created DNS records, but the old ones are still remaining. Is it safe to manually delete those records, and in general is it safe to manually remove dynamically created DNS records?

Regards,
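Why the old records survive, and how to deal with them without guessing, as an added example that is not part of the original post. Scavenging only removes records that carry a timestamp older than the no-refresh plus refresh intervals; records created before aging was enabled, like static records, have no timestamp at all and are never touched. The example lists those, checks whether anything still lives at each address (ping plus DHCP lease, since DHCP is on the same box), and shows the two safe ways forward: give a dead record a timestamp so the next scavenging run removes it, or delete it explicitly. The zone name and the `oldhost` / `10.0.0.50` placeholders are assumptions.

```powershell
# Added example, not from the original post. Run on the Server 2016 box hosting DNS and DHCP.
$zone  = 'corp.example.com'
$aging = Get-DnsServerZoneAging -Name $zone
$aging | Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# Scavenging candidates are timestamped records older than NoRefresh + Refresh.
# Records with no timestamp (pre-aging dynamic registrations and all static records) are skipped.
$cutoff  = (Get-Date) - $aging.NoRefreshInterval - $aging.RefreshInterval
$records = Get-DnsServerResourceRecord -ZoneName $zone -RRType A
$noStamp = @($records | Where-Object { -not $_.Timestamp })
$stale   = @($records | Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff })
"{0} A records, {1} without timestamp, {2} timestamped but already stale" -f $records.Count, $noStamp.Count, $stale.Count

# Before touching a record by hand, make sure nothing answers at that address and DHCP has
# no active lease for it. A live host that merely stopped refreshing (a static-IP server,
# a printer) must keep its record.
$review = foreach ($r in $noStamp) {
    $ip = $r.RecordData.IPv4Address.IPAddressToString
    [pscustomobject]@{
        Host  = $r.HostName
        IP    = $ip
        Alive = Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue
        Lease = [bool](Get-DhcpServerv4Lease -IPAddress $ip -ErrorAction SilentlyContinue)
    }
}
$review | Where-Object { -not $_.Alive -and -not $_.Lease } | Format-Table -AutoSize

# For confirmed-dead records, either:
#  a) mark the node as aging so the next scavenging pass removes it ...
Set-DnsServerResourceRecordAging -ZoneName $zone -NodeName 'oldhost' -Force
#  b) ... or delete it explicitly, dry run first.
Remove-DnsServerResourceRecord -ZoneName $zone -RRType A -Name 'oldhost' -RecordData '10.0.0.50' -Force -WhatIf
```

Manually deleting a dynamically registered record is safe for a host that no longer exists; a host that still exists will simply re-register at its next refresh. Leave the domain controllers' own A records and the SRV records under `_msdcs` and `_tcp` alone: Netlogon re-registers them, but clients fail to locate a DC in the gap.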

How to Impersonate as Group Managed Service Account (GMSA) in Application


Hi,

    We are running into the following issue while trying to impersonate the gMSA account from a program that is NOT a Windows Service. We would like to know how we can use the gMSA account in a program which is not a Windows Service.

Here are our steps:

  1. We created a gMSA (vayu\TestgMSA$) on the Domain Controller, and this gMSA can be used on Machine A, which is a member server of the domain used (Domain Name: Vayu).
  2. We configured a Windows Service (SQL Server Service) on Machine 1 to log on using this gMSA account with an empty password and verified that the service is able to run using the gMSA account successfully.
  3. We wrote a simple test application (it is NOT a Windows Service) and we are trying to impersonate the gMSA in this application.

Here is the code: we are passing the user and domain name to the LogonUser API and passing an empty string as the password because we are expecting the API to retrieve the password on its own.

+++++++++++++++++++++++++++++++++++++++++++++

#include <windows.h>
#include <iostream>
using namespace std;

int main()
{
    HANDLE tokenHandle = NULL;

    // Batch logon as the gMSA with an empty password (the behaviour under test).
    // LogonUserA is used explicitly so the narrow string literals compile in a UNICODE build.
    BOOL bRet = LogonUserA("TestgMSA$", "vayu", "", LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, &tokenHandle);

    if (!bRet)
    {
       cout << "Logon failed with error code: " << GetLastError() << endl;
       return -1;
    }

    if (!ImpersonateLoggedOnUser(tokenHandle))
    {
       cout << "User impersonation failed!" << endl;
       CloseHandle(tokenHandle);
       return -1;
    }

    // ... work as the gMSA here ...

    // Drop the impersonation before the thread continues as the caller.
    RevertToSelf();
    CloseHandle(tokenHandle);
    return 0;
}

+++++++++++++++++++++++++++++++++++++++++++++

Here is the command showing that the machine on which this code is run has been configured to be able to retrieve the gMSA password:

+++++++++++++++++++++++++++++++++++++++++++++

PS C:\Users\Administrator.VAYU> Test-ADServiceAccount TestgMSA

True

++++++++++++++++++++++++++++++++++++++++++++

 

However, when we run the above code on Machine A using a Domain Administrator user (vayu\Administrator), it fails with the following output:

+++++++++++++++++++++++++++++++++++++++++++++

Logon failed with error code: 1326

Error Description: The user name or password is incorrect

+++++++++++++++++++++++++++++++++++++++++++++

We further investigated this to determine which of the two, user name or password, is incorrect here, and with the details below we are able to confirm that an incorrect password is being used.

The following logon failure event is logged in Event Viewer with the Sub Status field logged as 0xC000006A. The description for Sub Status value 0xC000006A is "user name is correct but the password is wrong", which verifies that the provided user name vayu\TestgMSA$ is indeed correct, but somehow the program is not able to retrieve the password for this gMSA account from AD, even though the machine on which this program is running has been configured to be able to retrieve the gMSA password.

+++++++++++++++++++++++++++++++++++++++++++++

An account failed to log on.

Subject:

      Security ID:      VAYU\Administrator

      Account Name:     Administrator

      Account Domain:   VAYU

      Logon ID:         0x60120A

Logon Type:             4

Account For Which Logon Failed:

      Security ID:      NULL SID

      Account Name:     TestgMSA$

      Account Domain:   vayu

Failure Information:

      Failure Reason:   Unknown user name or bad password.

      Status:           0xC000006D

      Sub Status:       0xC000006A

Process Information:

      Caller Process ID:      0x1814

      Caller Process Name:    C:\Test\TryLogin_GMSA.exe

Detailed Authentication Information:

      Logon Process:          Advapi 

      Authentication Package: Negotiate

      Transited Services:     -

      Package Name (NTLM only):     -

      Key Length:       0

+++++++++++++++++++++++++++++++++++++++++++++

Are we missing any additional configuration, either on the user account being used to launch this program (vayu\Administrator) or on the gMSA account (vayu\TestgMSA$) itself?

We saw some discussion regarding this at https://social.technet.microsoft.com/Forums/lync/en-US/7aec7a1e-7b5f-4fa1-abf7-ce00a0c5356a/impersonate-as-group-managed-service-account-gmsa-in-windows-2012?forum=winserverDS and tried to implement the following suggestion from the post.

"If you wanted your code sample to work, you could configure the security context your code is running as to delegate to your gMSA with protocol transition ("Any protocol" in the UI)." - In our case, the security context our code is running as is a domain user (vayu\Administrator), and so we tried the following settings in terms of SPN registration and Kerberos delegation. Maybe we are doing something wrong here. Any help regarding this will be highly appreciated.

SPNs for vayu\TestgMSA$

MSSQLSvc/VISHALCLIENT.VAYU.COMMVAULT.COM:VISHALSQL

MSSQLSvc/VISHALCLIENT.VAYU.COMMVAULT.COM:63254

SPNs for vayu\Administrator

CVAPP/VISHALCLIENT.vayu.commvault.com

CVAPP/VISHALCLIENT

Delegation Settings for vayu\Administrator

Trust this user for delegation to specified services only

--> Use any authentication protocol

----> Services to which this account can present delegated credentials 

Service Type  User or Computer                                          Port 

MSSQLSvc       VISHALCLIENT.VAYU.COMMVAULT.COM     63254

MSSQLSvc       VISHALCLIENT.VAYU.COMMVAULT.COM     VISHALSQL

With Kind Regards,

Vishal Khule.
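The supported way to run a non-service program as a gMSA, as an added example that is not the poster's code. `LogonUser` validates exactly the credential it is handed and never fetches a managed password, so an empty password is just a wrong password, which is the `0xC000006A` seen in the 4625 above. The managed password is retrieved by LSA on behalf of the Service Control Manager or the Task Scheduler, so the practical route for a console program is a scheduled task whose principal is the gMSA. (The delegation settings in the post apply to an S4U logon through `LsaLogonUser` with `KERB_S4U_LOGON`, which `LogonUser` never performs; that path is not shown here.) The example uses the gMSA and binary path named in the post and assumes this host is in the gMSA's `PrincipalsAllowedToRetrieveManagedPassword`; the task name is an assumption.

```powershell
# Added example, not the poster's code. Run elevated on Machine A.
Import-Module ActiveDirectory

# Bind the managed password to this host's LSA. Test-ADServiceAccount returning True (as
# in the post) only says retrieval is permitted; Install- is what makes it usable locally.
Install-ADServiceAccount -Identity 'TestgMSA'
if (-not (Test-ADServiceAccount -Identity 'TestgMSA')) {
    throw 'This host is not allowed to retrieve the managed password.'
}

# Launch the non-service program under the gMSA. LogonType Password with no password
# supplied is how Task Scheduler is told to obtain the managed password itself.
$action    = New-ScheduledTaskAction -Execute 'C:\Test\TryLogin_GMSA.exe'
$principal = New-ScheduledTaskPrincipal -UserId 'vayu\TestgMSA$' -LogonType Password -RunLevel Limited
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)
Register-ScheduledTask -TaskName 'TryLogin_GMSA' -Action $action -Principal $principal -Trigger $trigger -Force
Start-ScheduledTask -TaskName 'TryLogin_GMSA'

# Confirm the process really runs as the gMSA: a 4624 for TestgMSA$ appears in this host's
# Security log when the task starts. Extract the logon type for the record.
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-5) } |
    Where-Object { $_.Message -match 'Account Name:\s+TestgMSA\$' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = if ($_.Message -match 'Logon Type:\s+(\d+)') { $Matches[1] } else { '' }
        }
    } | Format-Table -AutoSize
```

Inside the task the program is already the gMSA, so the `LogonUser` / `ImpersonateLoggedOnUser` pair is unnecessary; anything it does (SQL connections, SMB access) authenticates with the gMSA's Kerberos identity without a password ever being handled by the code.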

In Active Directory, how to grant a non-admin user access to a confidential attribute of other users

How do I give a non-admin user read access to a confidential attribute of other users? I tried ldp.exe and gave control access and read access to the non-admin user. Even after that, the confidential attribute was not visible to the non-admin.
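The grant that actually unlocks a confidential attribute, as an added example that is not part of the original post. A confidential attribute (searchFlags bit 0x80) is returned only to callers holding the CONTROL_ACCESS right scoped to that attribute's schema GUID, in addition to Read Property; a grant placed on the wrong object, with the wrong object type GUID, or without inheritance down to the user objects, has no effect, which is the usual reason an ldp.exe grant appears to do nothing. `employeeID`, the `HelpDesk` group and the OU are assumptions; substitute the real attribute and principal.

```powershell
# Added example, not from the original post. Run as an account that can modify the OU's ACL.
Import-Module ActiveDirectory
$attrName = 'employeeID'
$group    = 'HelpDesk'
$ouDn     = 'OU=Users,DC=contoso,DC=com'

$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attrName)" -Properties schemaIDGUID, searchFlags
if (($attr.searchFlags -band 0x80) -eq 0) { Write-Warning "$attrName is not marked confidential (searchFlags bit 0x80)" }
$attrGuid = [guid]$attr.schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

# One object-specific ACE: ReadProperty + ExtendedRight (= CONTROL_ACCESS) for this attribute
# only (ObjectType = attribute GUID), inherited by user objects below the OU.
$sid    = (Get-ADGroup -Identity $group).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
              $attrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify the ACE landed with the right GUIDs and inheritance.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" -and $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# Read back as a member of the group (prompts for that user's credential). The user must
# log on again after being added to the group so the new membership is in their token.
Get-ADUser -Filter * -SearchBase $ouDn -Properties $attrName -Credential (Get-Credential 'CONTOSO\helpdesk.user') |
    Select-Object -First 5 SamAccountName, $attrName
```

Granting the right at the domain root is not enough if an OU below blocks inheritance, and a blanket "All extended rights" grant works but exposes every other control-access right too (password reset among them); the attribute-scoped ACE above is the least-privilege form.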

Why we need to perform metadata cleanup in AD and how to do it.

Why do we need to perform metadata cleanup in AD, and how do we do it?

Creating an external trust between domains in different forests


Hi,

I'm creating an external trust between 2 domains in different forests. Both are Windows Server 2008. I've googled around and found out that I need to open these ports in the firewall for the trust creation:

 53    TCP/UDP   DNS
 88    TCP/UDP   Kerberos
 389   TCP/UDP   LDAP
 445   TCP       SMB
 636   TCP       LDAP (SSL)

My question is: are these the only ports I need to open? And both domains have multiple DCs; do I need to open the ports for the PDC only or for all the DCs in the domain?
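A connectivity check a practitioner would run before creating the trust, as an added example that is not part of the original post. The list above is missing the RPC path: trust creation and the Netlogon secure channel use LSA/Netlogon RPC, reached either over the endpoint mapper on 135 plus the dynamic range it redirects to (49152-65535 on Server 2008 and later) or over SMB named pipes on 445; 464 (Kerberos password change) is needed too, and 137-139 only if NetBIOS name resolution is still in use. Every DC of the other domain is in scope, because the locator hands out whichever DC it likes, not only the PDC emulator. The domain names are assumptions; the DC list is read from the other domain's SRV records.

```powershell
# Added example, not from the original post. Run from a DC or admin host in the local domain.
$localDomain  = 'corp.local'            # assumption
$remoteDomain = 'partner.example'       # assumption
$remoteDcs = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteDomain" -Type SRV -ErrorAction Stop).NameTarget |
             Sort-Object -Unique

# Ports from the post plus 135 (RPC endpoint mapper) and 464 (Kerberos password change).
# UDP 53/88/389 and the dynamic RPC range cannot be probed with a TCP connect; confirm
# those on the firewall rule set itself.
$tcpPorts = 53, 88, 135, 389, 445, 464, 636

$results = foreach ($dc in $remoteDcs) {
    foreach ($p in $tcpPorts) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p; Open = $t.TcpTestSucceeded }
    }
}
"{0} remote DCs probed; closed ports:" -f @($remoteDcs).Count
$results | Where-Object { -not $_.Open } | Format-Table -AutoSize

# The trust walks DNS too: each side must resolve the other's domain. A conditional
# forwarder (or stub zone) for the partner domain is the usual way; verify it works.
Resolve-DnsName -Name $remoteDomain -Type NS -ErrorAction Stop | Select-Object Name, NameHost

# After the trust is created, verify the secure channel and list what Netlogon sees.
netdom.exe trust $localDomain /d:$remoteDomain /verify
nltest.exe /domain_trusts /v
```

If 135 is open but the trust wizard still fails with RPC errors, the dynamic range is the culprit; if only 445 can be opened, the trust still works because LSA RPC falls back to the named-pipe transport, but that needs to be a deliberate decision rather than an accident of the rule set.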

Set of Permissions required to read the trust directions between domains


I am using the Domains.GetAllTrustRelationships() method to read the trust info. My current setup has a one-way trust with the domain in the other forest. But for some reason, when I execute the Domains.GetAllTrustRelationships method with the Network Service account, I get the trust direction as Bidirectional. So I suspect that the Bidirectional trust is returned because the current user does not have sufficient rights in Active Directory to read this value, and maybe it is returning null.

And if this is the case, then the below code from the TrustRelationshipInformation class of the System.DirectoryServices.ActiveDirectory assembly will return a Bidirectional trust:

internal TrustRelationshipInformation(DirectoryContext context, string source, TrustObject obj)
    {
      this.context = context;
      this.source = source;
      this.target = obj.DnsDomainName == null ? obj.NetbiosDomainName : obj.DnsDomainName;
      // obj.Flags are the DsEnumerateDomainTrusts flags:
      //   0x02 = DS_DOMAIN_DIRECT_OUTBOUND, 0x20 = DS_DOMAIN_DIRECT_INBOUND
      if ((obj.Flags & 2) != 0 && (obj.Flags & 32) != 0)
        this.direction = TrustDirection.Bidirectional;
      else if ((obj.Flags & 2) != 0)
        this.direction = TrustDirection.Outbound;
      else if ((obj.Flags & 32) != 0)
        this.direction = TrustDirection.Inbound;
      // no branch for neither flag set: direction keeps its default value
      this.type = obj.TrustType;
    }

So can I get the set of permissions required in Active Directory for a user such that it is able to read the trust info?
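A way to check the stored trust direction and the permissions on it independently of the managed API, as an added example that is not part of the original post. The trust is a `trustedDomain` object under `CN=System` whose `trustDirection` attribute holds 1 for inbound, 2 for outbound and 3 for bidirectional; `DsEnumerateDomainTrusts`, which the managed API calls, reports the same information as the 0x2/0x20 flags tested in the posted code. The example reads the attribute directly, lists who holds read rights on each trust object, and prints Netlogon's own view for comparison. It assumes RSAT; run it under the account in question (a scheduled task as SYSTEM reproduces the Network Service's computer-account context).

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$trusts = Get-ADObject -SearchBase "CN=System,$domainDn" -LDAPFilter '(objectClass=trustedDomain)' `
            -Properties trustPartner, flatName, trustDirection, trustType, trustAttributes

# trustDirection: 0 disabled, 1 inbound, 2 outbound, 3 bidirectional.
$dirName = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$trusts | Select-Object trustPartner, flatName,
    @{ n = 'Direction'; e = { $dirName[[int]$_.trustDirection] } }, trustType, trustAttributes |
    Format-Table -AutoSize

# If the caller cannot read trustDirection the attribute comes back empty, not wrong.
# List every Allow ACE carrying a read right on each trust object; the class default gives
# Authenticated Users read, so a computer account normally sees the same value as an admin.
foreach ($t in $trusts) {
    (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'ReadProperty|GenericRead|GenericAll' } |
        Select-Object @{ n = 'Trust'; e = { $t.trustPartner } }, IdentityReference, ActiveDirectoryRights, IsInherited
}

# Netlogon's view, flags included ("Direct Outbound", "Direct Inbound"), for a direct
# comparison with what GetAllTrustRelationships() builds from the same flags.
nltest.exe /domain_trusts /v
```

If `trustDirection` reads 1 or 2 here while the API still reports Bidirectional under Network Service, the discrepancy is in how the flags are being interpreted rather than in directory permissions; if the attribute is empty for that caller, the ACE listing shows which principal is missing read on the object.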


Issues on DNS Zones on a Recent PROMO DC


Hello,

I just promoted a new 2012 R2 DC from a 2008 R2 DC, but I noticed that not all the DNS zones have loaded well, just the one from my main domain. Do I need to transfer them manually?

The error displayed is: "The DNS server encountered a problem while attempting to load the zone. The transfer from the master server failed."

Thanks

Cannot delete server from ADSS. Does not exist


Hello everyone

I have this issue.

I have my parent domain and some child domains in my infrastructure.

In the past weeks I configured one child domain with the name pdc01-svz; I don't know why ADSS registered another name in the same site.

I want to delete this other connection and I get this error:

Error ADSS
