Channel: Directory Services forum

Verification of prerequisites for Active Directory preparation failed. The specified user is not a member of the following groups: Enterprise Admins group. !!!! but it is


I am trying to upgrade to dc 2012

I get this error :

Verification of prerequisites for Active Directory preparation failed. The specified user is not a member of the following groups: Enterprise Admins group.

but I use Administrator user that is member of Enterprise admin

Help please

[2018/11/17:15:05:07.325]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20181117150507-test\ADPrep.log'
[2018/11/17:15:05:07.325]
Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.
[2018/11/17:15:05:07.330]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.332]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.332]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD2018-1,CN=Servers,CN=Shalgham,CN=Sites,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.333]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.333]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.333]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.334]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.335]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.335]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD2018-1,CN=Servers,CN=Shalgham,CN=Sites,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.335]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.346]
Adprep discovered the schema FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.350]
Adprep connected to the schema FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.350]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.351]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.351]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2018/11/17:15:05:07.351]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.352]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.352]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.353]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2018/11/17:15:05:07.353]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.354]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.357]
Adprep discovered the Infrastructure FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.360]
Adprep connected to the Infrastructure FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.360]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.361]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.361]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2018/11/17:15:05:07.361]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.361]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.361]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.362]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2018/11/17:15:05:07.362]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.362]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.384]
Adprep successfully logged on to the local machine using the specified credentials for network connections.
[2018/11/17:15:05:07.384]
Adprep successfully made the network connection to the Active Directory Domain Controller AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.406]
Adprep successfully stopped using the specified credentials for network connections.
[2018/11/17:15:05:07.406]
Adprep successfully closed the network connection to the Active Directory Domain Controller AD2018-1.Shalgham.lo.com.


LDAP Configuration for SSO Over the internet


Dear Team,

I am using active directory windows 2016 server and other applications both are different internet connectivity and location. 

My query is :- How to LDAP configuration with application over the internet for SSO (Without publish Active Directory Server).

1. Active directory windows 2016 server on ABC cloud's in vm.

2. Application server is also another XYZ cloud's in vm.

A question about AD Server baselining


Hello can someone please help me with the following :)

I understand there is a built in AD data collector set in Windows performance monitor, however I understand this is more aimed at troubleshooting a domain controller (please correct if I am incorrect)

However I want to 'baseline' an existing working AD domain controller (Windows 2012 R2) as my boss wants to see for example how many users typically authenticate to it each day and also how many GPOs are pulled down from the domain controller when these computers and users log on, plus how many LDAP queries is the server fielding from clients in a given day etc.

The idea being we can collect key performance indicators from each site to see which are more loaded and where than others.

We have OMS (Operations management suite) to collect information from the DCs, but I need a list of 'performance counters' and important events (e.g. important events logged to directory services log) so I can then tell the OMS people which counters/log events to collect and why

Does anyone have a list I can refer to or a script with the information in (e.g. what to collect, why and how to interpret/thresholds)  ?

Thanks very much

CXMelga

Domain Controller change - how to tell


Hi,

Is there a way to find out when a domain controller was changed to host a global catalog?

Thank you

Regards

Peter

Add R2 DC in Data Center DC


Hi,

Our primary DC is having Data Center 2012. Can we add an additional DC having 2012 R2?

while promoting it to DC we are getting the below message. The DNS address on the 2nd DC is pointing to 1st DC.

Active Directory domain controller could not be contacted

Thanks.


Windows Server 2016 out of its domain not allowing anyone to log in to it neither AD users nor local users.

This morning the server was preventing users from logging in so I went to check and according to the attachments I will post down below It appears online and responds to ping requests, but on its screen it does not have any available network connections and does not allow Administrator log on neither AD users to log in to the network nor access the folders because it says something is wrong with their credentials, which in fact is not. Somehow the server left the domain and maybe it's on a private network I suppose.

What has already been done:

Start with the last valid configuration (not resolved)

Log in safe mode (starts in protected mode and does not let the administrator do anything)

What was not done:

Exploit to Reset Password with Vulnerability CVE-2017-0213_x64
Other Hacking Methods ...

Frequently Asked Questions:
Is the server licensed? Yes, It is.

What is the Server Version?
Windows Server 2016 Standard

Does the server have UserCals and Are they properly registered and enabled?
Yes.

Is the network cable connected to the server?
Yes

Is the Switch Connected to Computers?
Yes

The network cables have signal?
Yes

Am I on the same server network?
Yes

Am I entering my credentials incorrectly?
No

LINKS from the GOOGLE DRIVE folder once the screenshots are hosted:
NOTE: MSDN site is not hosting images at the time of this post.

LINK safe for pictures.
https://drive.google.com/open?id=1rYDardwkLOBfIjqzG-aKenjsw9y6pT9-

Event 11 The KDC encountered duplicate names while processing a Kerberos authentication request. (of type KEY ID)


I have recently migrated a Windows 2012 R2 DC to Windows Server 2016. Afterwards I started noticing series of this particular error.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          11/27/2018 9:24:24 AM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      BBL-DC-CDC01.bd.bracbank.com
Description:

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 (of type KEY ID). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 in Active Directory.

Event Xml:

<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-27T03:24:24.310757900Z" />
    <EventRecordID>3984</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>BBL-DC-CDC01.bd.bracbank.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Name">D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763</Data>
    <Data Name="Type">KEY ID</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>

I have been struggling with this error for the last few days. Even though Event 11 is a very common error and there are clear instructions on how to mitigate the error, they fail to address my specific scenario.

All the solutions I got so far are related to "Type DS_SERVICE_PRINCIPAL_NAME" but mine is "Type KEY ID". Basically this error says that KDC encountered duplicate names and then spits out a large string of hexadecimal no. rather than producing which SPN is duplicated. Therefore, it's difficult to solve the issue with "setspn" cmdlet.

I'm an amateur when it comes to Windows Server Active Directory, so any help is highly appreciated. Thanks.

Standalone Root CA - migration with different name


Hi all,

I need to demote&remove my old internal standalone Root CA (an old windows 2k8 R2 server) and replace it with a brand new W2016 server.

The new server cannot be renamed as the old one, so I just need to know which steps I should take in order to avoid any clients issues.

My environment: W2k8 R2 domain

The standalone Root CA is a domain member server (not in workgroup!).

I also have an Enterprise Root Certificate Authority server (sub CA), which is obviously binded to the standalone Root CA.

Any ideas?


Error: An asynchronous module or handler completed while an asynchronous operation was still pending.


Error Message:

An asynchronous module or handler completed while an asynchronous operation was still pending.

 

Behavior:

The application tries to get the UserPrincipal for an Active Directory user through System.DirectoryServices.AccountManagement.dll. When for example GetUser("berste") is called once (see code snippet at the end), everything works as expected. When GetUser("reisbru") is called again within the same HTTP request the following error is returned to the calling client:

An asynchronous module or handler completed while an asynchronous operation was still pending.

In the log files we see, that the call (FindByIdentity()) returns with the correct result (existing AD users are found / non existing AD users are not found) also for the 2nd call, but nevertheless the mentioned error is shown when UserPrincipal.FindByIdentity() is called more than once.

 

In our tests we further figured out, that when the user to query is deactivated (not enabled) in the Active Directory the error (An asynchronous module or handler…) does not occur. 

 

Environment / Application:

Asp.Net WebApi 2 application running in IIS environment. Version: 4.6.2.

 

 

Sample Code:

using System.DirectoryServices.AccountManagement;

public UserPrincipalInternal GetUser(string sUserName)
{
    // Bind to the domain with the service account, scoped to defaultOU.
    var principalContext = new PrincipalContext(ContextType.Domain, domain, defaultOU, serviceUser, password);

    // Look the user up by sAMAccountName.
    var userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, sUserName);

    // Copy the needed attributes into a plain object before disposing the AD handles.
    UserPrincipalInternal userPrincipialInternal = new UserPrincipalInternal()
    {
        Guid = userPrincipal.Guid,
        Sid = userPrincipal.Sid?.ToString(),
        EmailAddress = userPrincipal.EmailAddress,
        GivenName = userPrincipal.GivenName,
        Surname = userPrincipal.Surname,
        SamAccountName = userPrincipal.SamAccountName
    };

    userPrincipal.Dispose();
    principalContext.Dispose();

    return userPrincipialInternal;
}

public void Working()
{
    var user1 = GetUser("berste");
    LOGGER.Debug($"User surname: {user1.Surname}"); // "Berer"
    // No error occurs. HTTP request returns as expected.
}

public void NotWorking()
{
    var user1 = GetUser("berste");
    LOGGER.Debug($"User surname: {user1.Surname}"); // "Berer"
    var user2 = GetUser("reisbru");
    LOGGER.Debug($"User surname: {user2.Surname}"); // "Reisinger"
    // Results for user1 and user2 are correct, but ...
    // Error occurs: An asynchronous module or handler completed while an asynchronous operation was still pending.
}

System.DirectoryServices.AccountManagement.dll version 4.0.0.0


Active Directory extensible match


Hello, All!

How can I find users in some OU in the domain in the case when the bindDN is the root of the domain?

As far as I understand I must use https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_DN_WITH_DATA for this.

I'm stuck at creating filter. My variant is:

(Common-Name:1.2.840.113556.1.4.2253:=S:4:myou:dc=td,dc=local)

What must I use in place of "Common-Name"?

What must I use in place of "S:4:myou"?

Will be glad for any information related to this issue.


Orphaned dc entry in REPADMIN /SHOWVECTOR /LATENCY


Hi everyone, 

scenario: total 4 DomainController one of these RODC. The three writeable DCs are on the mainsite (default-first-site) and the rodc located on remote site. One year ago there was a dc crash and one dc was uninstalled and installed again. Before metadatacleanup was done (after crash). DCs name is the same as before crash. No replication issues after the installation.

Here is my question: after integrating the "new dc" I detected after executing this command

repadmin /showvector /latency "CN=schema,dc=domain,dc=de"

that DSA is set to "deleted DSA"

I found these Links, so everything was fine. 

https://www.mcseboard.de/topic/143789-alte-repadmin-einträge-entfernen/

https://community.spiceworks.com/topic/505590-server-2012-tombstoned-objects-cleanup

Event ID 1864 occurred several times and half a year later it disappeared. Great!

After executing the same command again I see 3 DCs alive and one orphaned.

If I use PowerShell see the Output: 

Get-ADReplicationUpToDatenessVectorTable -Target dc01 | fl


LastReplicationSuccess : 29.10.2018 16:42:46
Partition              : DC=domain,DC=de
PartitionGuid          : 527f8e23-92f1-4cb3-8064-df93389127af
Partner                : CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-S
                         ite-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
PartnerInvocationId    : db5d40d3-95f4-4b47-99bf-c6133424188
Server                 : dc01.domain.de
UsnFilter              : 10698889

LastReplicationSuccess : 24.11.2017 18:04:15
Partition              : DC=domain,DC=de
PartitionGuid          : 527f8e23-92f1-4cb3-8064-df93389127af
Partner                :
PartnerInvocationId    : 8c568a69-233b-454d-8294-01d33be3d02f
Server                 : dc01.domain.de
UsnFilter              : 23959668

LastReplicationSuccess : 29.10.2018 16:41:12
Partition              : DC=domain,DC=de
PartitionGuid          : 527f8e23-92f1-4cb3-8064-df9cd89127af
Partner                : CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-S
                         ite-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
PartnerInvocationId    : 71171eab-c620-49ff-b1c4-9e331fe034da
Server                 : dc01.domain.de
UsnFilter              : 34571773

LastReplicationSuccess : 29.10.2018 16:42:10
Partition              : DC=domain,DC=de
PartitionGuid          : 527f8e23-92f1-4cb3-8064-df9c339127af
Partner                : CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-S
                         ite-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
PartnerInvocationId    : 57f842e8-9b08-427a-b194-db919e333529
Server                 : dc01.domain.de
UsnFilter              : 35223142

Is it possible to remove the cursive entry (no PartnerInvocationID)? If it is possible how and where can I remove it? I searched in ADSI but found nothing. Sites and Services also no match. 

Thanks for your advice. 


Viele Gruesse /best wishes Alexander (blog.it-koehler.com)

Duplicate 4776 events for every RADIUS authentication request


We have Cisco ISE servers (2.3.0.298) consuming AD as an external identity provider via EAP-MSCHAPv2 w/ NTLMv2.

Every authentication request via these servers is generating a pair of 4776 events: one success, and one failure with the reason "Bad Username" (0x0000064). The user is authenticated via ISE without issue.

The events always list the "Source Workstation" as the ISE server and the username is valid, and both events happen milliseconds apart and always in pairs.

There is a single Cisco article that claims this is default behavior for Domain Controllers -- to first consult a local database before sending the lookup to the domain. Does anyone know if this is accurate? It seems odd to me that we would only see this behavior from RADIUS requests. I have also read that MS-RPC authentication requests may generate duplicate events, but I don't think it's possible to use Kerberos with MSCHAPv2.

Anyone have any insight at all?

Trying to Demote 2008R2 AD Server but cannot remove AD Certificate Services, keep getting error 0x80073701

I am trying to Demote a 2008R2 AD Server that has Certificate Services installed but when I try to remove AD Certificate Services keep getting error 0x80073701.  I have tried everything to remove it with no luck.  Any Ideas, we want to upgrade our network to the latest servers and Exchange but can't because we cannot raise the functional level of the Forest and the domain

2016 Domain functional levels


Hi,


We would like to upgrade our domain from 2008 R2 and go to 2016. I can't seem to find any official documentation on 2016 domain & forest functional levels, what the new features are, and any other requirements. We still have the odd 2003 server, all clients are Windows 7 and above, and some Linux servers around.


I've reviewed the following or found them via searches, but they don't have any info post 2012r2.

  • https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/understanding-active-directory-domain-services--ad-ds--functional-levels?f=255&MSPPError=-2147217396
  • https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/windows-server-2016-functional-levels?f=255&MSPPError=-2147217396
  • https://technet.microsoft.com/library/understanding-active-directory-functional-levels(ws.10).aspx

Has anyone got any more info, please?


Home Folder - User Move to Another Server


Greetings.  For our AD users, we have the home folder path set to the data server user share (ex.\\dataserver\username$).  As a school district, each school has its own data server.  Users (teachers/students) often move locations which moves them to a new data server but everything is routed together as a WAN.

The issue is when a user moves to a new school, often they log in there before their data share is moved to the new server and then the local profile is still looking to the old server.  The only way we've found to fix this is to remove the local profile which will then pull the new account location.  We are not doing roaming profiles and are using folder redirection that points to the home folder drive (H:).

Is there a way to have this home directory information renewed at each login?

Thank you for your help.

Ryan


Sysvol Constantly disconnecting


I have 8 Servers across the State Mixed 2008R2 and 2012R2.

Recently the sysvol has stopped working.

This is causing group policy not to function.

I have to rebuild it once a month or so.

This just started happening out of the blue.

I reset it using D4 and D2 on the burflags, and it fixes the issue for a while.

The DNS server 206.89.179.3 on Local Area Connection 2 did not successfully resolve the name for the start of authority (SOA) record of the zone hosting the computer's primary DNS domain name.


I am at a loss here. I have checked the network settings the dns is the same ip address of the server. Only one NIC is enabled. I have flushed dns and registered dns followed by reset of netlogon and dns. Still no luck. I notice that in the forwards that the domain only shows an A record as static.

ipconfig /all

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MERCEDES>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Mercedes2
   Primary Dns Suffix  . . . . . . . : Mercedes
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Mercedes

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 54-9F-35-1E-24-AE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2603:3014:23be:8000:d0f5:3492:1c72:e8a5(Preferred)
   Link-local IPv6 Address . . . . . : fe80::d0f5:3492:1c72:e8a5%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 206.89.179.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::3817:e1ff:fef5:2a82%10
                                       206.89.179.125
   DNS Servers . . . . . . . . . . . : 206.89.179.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{69735297-E6C5-499E-AC88-599137266A2D}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator.MERCEDES>

Enabling ipv6 I get this error on dcdiag

 Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MERCEDES>dcdiag test:dns
Invalid Syntax: Invalid option test:dns. Use dcdiag.exe /h for help.

C:\Users\Administrator.MERCEDES>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Mercedes2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MERCEDES2
      Starting test: Connectivity
         ......................... MERCEDES2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MERCEDES2

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
 ERROR: NO DNS servers for IPV6 stack was found
         ......................... MERCEDES2 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : Mercedes

   Running enterprise tests on : Mercedes
      Starting test: DNS
         Test results for domain controllers:

            DC: Mercedes2.Mercedes
            Domain: Mercedes


               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone Mercedes

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000012] Broadcom NetXtreme Gigabit Ethernet:
                     Warning:
                     Missing AAAA record at DNS server 206.89.179.3:
                     Mercedes2.Mercedes

               Warning: Record Registrations not found in some network adapters

               Mercedes2                    PASS WARN PASS PASS WARN WARN n/a
         ......................... Mercedes passed test DNS

C:\Users\Administrator.MERCEDES>

Is there something I am missing here? This was a server 2000 upgraded to 2008 r2. When I disable ipv6 the error is still present but dcdiag runs all pass.

AD LDS able to accept wholeSubtree queries to RootDSE?


Hello All,

I have multiple outlook clients which are already configured to do contact lookup to a special Unix box via LDAP.
The LDAP query configured on these clients does not specify any base DN, and is querying directly to the RootDSE for contacts, which this special box is somehow able to respond.

But when I do this query to a AD LDS instance, it gives me a Result <32>, problem 2001 error. 

Is there a way to configure AD LDS to accept wholeSubtree queries without specifying the baseDN?

Thanks!

KCC could not add this Replica Link due to error


In the process of migrating DCs to new hardware. I have 2 - Windows 2008R2 DCs on older servers, 1 - 2012R2 VM DC on HyperV, and 1 - Windows 2012R2 DC on a new server. All was working well for several weeks. Four days ago, after a network outage on the new DC I started getting replication errors. I noticed DNS on the new server was not populating and the server was in the wrong time zone - we don't use DST. I corrected the time zone, reset that machine's password using - netdom resetpwd and rebooted. DNS is now working but replication is not. Ran DCDiag and everything passes except for:

From GoodDC02 to BadDC3
            Naming Context: DC=ourdomain,DC=com
            The replication generated an error (8453):
            Replication access was denied.
            The failure occurred at 2018-11-13 09:46:03.
            The last success occurred at 2018-11-09 09:59:37.
            98 failures have occurred since the last success.
            The machine account for the destination BadDC3.
            is not configured properly.
            Check the userAccountControl field.
            Kerberos Error.
            The machine account is not present, or does not match on the.
            destination, source or KDC servers.
            Verify domain partition of KDC is in sync with rest of enterprise.
            The tool repadmin/syncall can be used for this purpose.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source GoodDC02
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.

I can ping between all DCs using IP address, Name, or GUID. When I run repadmin /showreps all the other DCs are replicating but the BadDC3 shows "KCC could not add this Replica Link due to error" and "error 8453 Access was denied". I followed the ADSI edit articles and the BadDC3 has delegation, DNS is set the same as the other DCs, UserAccountControl shows 0X82000 (Server_Trust_Anchor|Trusted_For_Delegation) on all servers. AD Sites and Services I see 2 connectors between each domain controller - GoodDC01 connected to GoodDC03 and BadDC3, GoodDC02 connected to GoodDC03 and BadDC3, GoodDC03 connected to GoodDC01 and GoodDC02, except for BadDC3 which is connected to GoodDC01, GoodDC02, and GoodDC03. After two days I do not know what to look for?

Thoughts


eburch@lasertel.com
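
Added example, not part of the original post: one way to act on dcdiag's hints above ("Check the userAccountControl field", "Verify domain partition of KDC is in sync") is to read the flagged DC's computer object from every domain controller and compare the copies. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and reuses the post's placeholder name BadDC3.

```powershell
# Added example: compare one DC's machine account as seen by every DC.
Import-Module ActiveDirectory

$target = 'BadDC3'   # placeholder name from the post; the DC dcdiag flagged

# userAccountControl bits that matter for a domain controller's computer object.
# 0x82000 decodes to SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x2
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT      = 0x2000
    TRUSTED_FOR_DELEGATION    = 0x80000
}

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server pins the read to one DC, so each row is that DC's own copy.
        $c = Get-ADComputer -Identity $target -Server $dc.HostName -ErrorAction Stop `
                -Properties userAccountControl, pwdLastSet, 'msDS-KeyVersionNumber'
        $uac = [int]$c.userAccountControl
        [pscustomobject]@{
            AskedDC    = $dc.HostName
            UAC        = '0x{0:X}' -f $uac
            Flags      = ($uacFlags.Keys | Where-Object { $uac -band $uacFlags[$_] }) -join '|'
            PwdLastSet = [datetime]::FromFileTimeUtc($c.pwdLastSet)
            Kvno       = $c.'msDS-KeyVersionNumber'
        }
    } catch {
        # An unreachable DC or a denied read is itself a finding, so keep the row.
        [pscustomobject]@{
            AskedDC    = $dc.HostName
            UAC        = 'n/a'
            Flags      = "query failed: $($_.Exception.Message)"
            PwdLastSet = $null
            Kvno       = $null
        }
    }
}

$rows | Format-Table -AutoSize

# In a converged domain every DC returns the same password timestamp and key
# version. More than one distinct pair means the DCs hold different machine
# account secrets, which matches the Kerberos error text in the dcdiag output.
$distinct = @($rows | Where-Object { $null -ne $_.Kvno } |
              Select-Object PwdLastSet, Kvno -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "$target has $($distinct.Count) different password versions across DCs."
}
```

A row whose Flags column lacks SERVER_TRUST_ACCOUNT, or a DC that reports an older PwdLastSet than the others, identifies which copy of the account is out of step.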

