Channel: Directory Services forum
Viewing all 31638 articles

Windows security log - flooded with Error Code: 0xC0000371


Hi Everyone,

My Cisco Ironport e-mail gateway is connected to our Windows AD servers. Every time a new e-mail comes in, Cisco Ironport tries to establish a connection to one of our AD servers and checks whether the recipient e-mail address exists in AD. If not, the e-mail is rejected. More or less, this is how my system is integrated with AD. A few days ago the Windows team told me that my system tries to open too many connections to AD and, as a result, the Windows Security log is flooded (>6 million entries) with this kind of error:

#################

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=GLS0020.torp.mir
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=1363466953
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Logon Account: TEC-LDAP-I-IRON1
  Source Workstation: GLS0020
  Error Code: 0xC0000371

#################

As I can see in the AD client logs (Ironport LDAP logs), Ironport tries to establish one connection to the AD server, but AD rejects it. After several tries the connection is established. Sometimes the connection is established after 2-10 tries and sometimes only after more than 1000.

########### Ironport ldap log

Mon Nov 26 15:36:16 2018 Debug: LDAP: (accept) Query (mail=sdfsdf@testdomain.de) to server InternLDAP (10.201.134.182,10.201.134.183:636)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (20) Connection Error: [Errno 54] Connection reset by peer
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) this server marked DOWN
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (20) Connection interrupted (writer)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (21) connecting to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (19) Connection Error: [Errno 54] Connection reset by peer
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) this server marked DOWN
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (19) Connection interrupted (writer)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (20) connecting to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (20) connected to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://ForestDnsZones.corp.dir/DC=ForestDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://ForestDnsZones.corp.dir/DC=ForestDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://DomainDnsZones.corp.dir/DC=DomainDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://DomainDnsZones.corp.dir/DC=DomainDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://corp.dir/CN=Configuration,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://corp.dir/CN=Configuration,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: (accept) Query (mail=sdfsdf@testdomain.de) lookup success, (10.201.134.183:636) returned 0 results
Mon Nov 26 15:36:16 2018 Info: LDAP: Bounce query InternLDAP.ldapaccept MID 136648 RID 0 address sdfsdf@testdomain.de
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (21) connected to server

########### Ironport ldap log

Is it normal that the AD server rejects so many connections?

I have asked the Windows team to enable debug mode on the AD server, just to check what the reason is that AD rejects 90% of the connections. They told me that this is not possible; is that true? Is it really not possible to check on Windows servers why the system rejects connections?

What exactly does this error mean:

Error Code: 0xC0000371

Every time AD rejects a connection this error appears. What does it mean?

Thanks in advance for any support.

Cheers

Konrad
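Two things the event above already tells us: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 is the MSV1_0 (NTLM) package, so each 4776 is the DC validating an NTLM authentication for the account TEC-LDAP-I-IRON1, and the "Source Workstation" is GLS0020, the DC itself. 0xC0000371 is the NTSTATUS value STATUS_NO_SECRETS ("The local account store does not contain secret material for the specified account"). What follows is an added example, not code from the post, that groups the 4776 failures on the DC by account, source workstation and status and rates them per minute, so a flood like this can be attributed instead of eyeballed. The computer name is taken from the event; the one-hour window is an assumption, chosen because reading millions of records takes a long time.

```powershell
# Added example: summarise NTLM credential-validation failures (event 4776)
# on a DC by account, workstation and NTSTATUS code. Run elevated.
$StatusNames = @{
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000371' = 'STATUS_NO_SECRETS'
}

function Get-NtlmFailureSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 1                      # assumed window; widen as needed
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4776
        Keywords  = 0x10000000000000         # Audit Failure keyword
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $rows = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4776 EventData order: PackageName, TargetUserName, Workstation, Status
            $p = $_.Properties
            $raw = $p[3].Value
            $status = if ($raw -is [string]) { $raw } else { '0x{0:X8}' -f $raw }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $p[1].Value
                Workstation = $p[2].Value
                Status      = $status
            }
        }
    $rows | Group-Object Account, Workstation, Status | ForEach-Object {
        $sorted  = $_.Group | Sort-Object Time
        $minutes = [math]::Max(($sorted[-1].Time - $sorted[0].Time).TotalMinutes, 1)
        [pscustomobject]@{
            Account     = $sorted[0].Account
            Workstation = $sorted[0].Workstation
            Status      = $sorted[0].Status
            StatusName  = $StatusNames[$sorted[0].Status]
            Count       = $_.Count
            PerMinute   = [math]::Round($_.Count / $minutes, 1)
            First       = $sorted[0].Time
            Last        = $sorted[-1].Time
        }
    } | Sort-Object Count -Descending
}

Get-NtlmFailureSummary -ComputerName 'GLS0020' -Hours 1 | Format-Table -AutoSize
```

The summary only covers what the DC audited; the TCP resets in the Ironport LDAP log happen at connect time and are a separate symptom this event does not explain on its own.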


DFS - Wrong Targets


I have some AppV Shared Content Stores, all of which are referenced by a DFS NameSpace.

Consider this:  I have 2 servers.  Server A on 10.100.1.1 and Server B on 20.200.2.1

I also have 2 AppV SCS's, SCS A on 10.100.1.2 and SCS B on 20.200.2.2.

Both Server A and SCS A hang off the same switch and are in the same chassis.

Both Server B and SCS B also hang off the same switch and are in the same chassis.

Server B is getting its content from SCS A, rather than my preferred option of SCS B.

How can I make sure that the DFS Namespace and clients get to the most preferred SCS?
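DFS referral ordering by site only works if AD maps the client's address and the target's address to sites, and then only if site costing is on for the namespace root. The following is an added example, not code from the post, that checks the site mapping for the four addresses given above, enables site-costed referrals, and reads back the order the namespace serves. The namespace root, folder and target share names are assumptions.

```powershell
# Added example: check the site mapping DFS referrals depend on, enable
# site-costed referrals, and read back the referral order.
Import-Module ActiveDirectory, DFSN
$Root   = '\\corp.example\apps'     # assumed namespace root
$Folder = "$Root\AppV"              # assumed folder backed by SCS A and SCS B
$Dc     = (Get-ADDomainController).HostName

# 1. Which site does AD place each address in? Server B (20.200.2.1) and
#    SCS B (20.200.2.2) must resolve to the same site, or no ordering rule
#    can prefer SCS B for Server B.
foreach ($ip in '10.100.1.1', '10.100.1.2', '20.200.2.1', '20.200.2.2') {
    Write-Host "== $ip"
    nltest "/dsaddresstosite:$ip" "/dc:$Dc"
}
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
# If a subnet is missing, add it (assumed subnet and site name):
# New-ADReplicationSubnet -Name '20.200.2.0/24' -Site 'SiteB'

# 2. Site costing orders out-of-site targets by site-link cost instead of
#    randomly; it is a root-level setting.
Set-DfsnRoot -Path $Root -EnableSiteCosting $true

# 3. What the namespace will hand out now. Priority classes (global-high,
#    sitecost-high, sitecost-normal, sitecost-low, global-low) refine the
#    order within a cost band; a correct site mapping is what puts the
#    in-site target first.
Get-DfsnFolderTarget -Path $Folder |
    Select-Object TargetPath, State, ReferralPriorityClass, ReferralPriorityRank

# 4. On Server B, drop the cached referral and re-read it to confirm:
#    dfsutil /pktflush
#    dfsutil /pktinfo
```

Clients keep a referral until its TTL expires, so a change in ordering is not visible on Server B until its referral cache is flushed or times out.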

Group Managed Service Accounts in Business Essentials 2016 Sites and Services


The Group Key Distribution Service does not show up in Active Directory Sites and Services under my domain. Frankly, Services does not show up under my Sites and Services at all. A week ago I created a KDS root key:

"Add-KdsRootKey -EffectiveImmediately"

I was hoping it might create the hive in Sites and Services that is called Services. Nothing shows after a week. Does the Business Essentials server need prodding to get Services to show?


R, J
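The Services node in Active Directory Sites and Services is hidden by default and is switched on from the console's View menu ("Show Services Node"); creating a KDS root key does not create it. The root key itself is stored in the Configuration partition and can be checked without the GUI. The following is an added example, not code from the post; the gMSA name and DNS host name at the end are assumptions.

```powershell
# Added example: verify the KDS root key and prove it works, GUI-free.
Import-Module ActiveDirectory

# 1. Keys the KDS service knows about, and whether each is usable on this DC.
foreach ($k in Get-KdsRootKey) {
    [pscustomobject]@{
        KeyId         = $k.KeyId
        Created       = $k.CreationTime
        EffectiveTime = $k.EffectiveTime
        Usable        = Test-KdsRootKey -KeyId $k.KeyId
    }
}

# 2. The same keys as directory objects. They sit under CN=Services in the
#    Configuration partition, which is what the "Services" node displays.
$cfg  = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$cfg"
Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=msKds-ProvRootKey)' `
    -Properties msKds-CreateTime, msKds-UseStartTime, msKds-Version |
    Select-Object Name, msKds-CreateTime, msKds-UseStartTime, msKds-Version

# 3. End-to-end check: a throwaway gMSA this host may retrieve the password for.
$self = $env:COMPUTERNAME + '$'
New-ADServiceAccount -Name 'gmsa-test' -DNSHostName 'gmsa-test.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $self
Install-ADServiceAccount -Identity 'gmsa-test'
Test-ADServiceAccount -Identity 'gmsa-test'     # True once the key is usable here
# Remove-ADServiceAccount -Identity 'gmsa-test'  # clean up afterwards
```

-EffectiveImmediately makes the key usable right away only on the DC where it was created; other DCs honour it once it has replicated and the ten-hour wait has elapsed, which is irrelevant on a single-DC domain such as a typical Essentials install.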

Windows 2012 Logs configuration performance impact


We have a requirement to configure detailed Windows logs, such as Security auditing, along with a minimum log configuration for an organization.
We have 15 Windows 2012 domain controllers, each with 2 CPUs, 4 GB of RAM and one 50 GB system drive. What is the best practice for configuring the logs, and what will the performance and storage impact be?

Thanks

Baiju Mathew
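Storage impact is a measurement, not a guess: the Security log's current size and record count give bytes per event, and the event rate over a window gives events per day, so the retention a given log size buys can be computed per DC before changing anything. The following is an added example, not code from the post; the 1 GB size and the subcategory list are assumptions to adjust, and on DCs the audit settings should live in the Default Domain Controllers Policy (or a dedicated GPO) rather than be set locally, because a GPO that defines audit policy overrides local auditpol settings.

```powershell
# Added example: measure the Security log on each DC, then size it and
# enable subcategory auditing from the measurement.
Import-Module ActiveDirectory

function Get-SecurityLogRate {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Minutes = 30)
    $log   = Get-WinEvent -ComputerName $ComputerName -ListLog Security
    $since = (Get-Date).AddMinutes(-$Minutes)
    $count = (Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; StartTime = $since } | Measure-Object).Count
    $bytesPerEvent = if ($log.RecordCount) { $log.FileSize / $log.RecordCount } else { 0 }
    $eventsPerDay  = $count * (1440 / $Minutes)
    $bytesPerDay   = $eventsPerDay * $bytesPerEvent
    [pscustomobject]@{
        Computer          = $ComputerName
        LogMode           = $log.LogMode
        MaxSizeMB         = [math]::Round($log.MaximumSizeInBytes / 1MB)
        UsedMB            = [math]::Round($log.FileSize / 1MB)
        EventsPerSecond   = [math]::Round($count / ($Minutes * 60), 2)
        BytesPerEvent     = [math]::Round($bytesPerEvent)
        ProjectedMBPerDay = [math]::Round($bytesPerDay / 1MB)
        # hours of history the configured maximum size holds at today's rate
        HoursRetained     = if ($bytesPerDay) { [math]::Round(24 * $log.MaximumSizeInBytes / $bytesPerDay, 1) } else { $null }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
$dcs | ForEach-Object { Get-SecurityLogRate -ComputerName $_ } | Format-Table -AutoSize

# Apply a size chosen from the measurement (assumed: 1 GB, overwrite oldest)
# and turn on the subcategories that matter on a DC. Subcategory settings
# take effect only if "Force audit policy subcategory settings to override
# audit policy category settings" is enabled in the same policy.
$Subcategories = 'Credential Validation', 'Kerberos Authentication Service',
                 'Kerberos Service Ticket Operations', 'Logon', 'Logoff', 'Special Logon',
                 'Account Lockout', 'User Account Management', 'Security Group Management',
                 'Directory Service Changes', 'Audit Policy Change'
foreach ($dc in $dcs) {
    Limit-EventLog -ComputerName $dc -LogName Security -MaximumSize 1GB -OverflowAction OverwriteAsNeeded
    Invoke-Command -ComputerName $dc -ScriptBlock {
        foreach ($s in $using:Subcategories) {
            auditpol /set /subcategory:"$s" /success:enable /failure:enable
        }
    }
}
```

Run the measurement for a full business day at least once; a 30-minute sample taken at night understates the logon-hour rate.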

Rebuild DC with same name/IP


I'm trying to weigh up the options (least risk) for building a new DC (DNS) server on new hardware while retaining the server name and IP.

My environment is:

DC1 (Site 1) - rebuild but retain name and IP.
DC2 (Site 2)
DC3 (Site 3)

I have figured there are two options (demote the DC first and build the new one with DC1's details, or build a temporary DC first, then demote and rename/re-IP).

Option 1:

  • Demote DC1
  • Rename DC1 to Server1 (re-IP)
  • DC2 and DC3 will ensure no service impact for AD/DNS (even in different sites)
  • Build new DC - DC1 (re-IP with original DC1 IP)

Option 2:

  • Build new DC - TEMPDC
  • Demote DC1
  • Rename DC1 to Server1 (re-IP)
  • Rename TEMPDC to DC1 (re-IP with original DC1 IP)

Best practice? Risks?
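Whichever option is chosen, the risk is the same: the old DC1 must hold no FSMO role and must replicate cleanly before it is demoted, and nothing for the old DC1 (server object, NTDS settings, DNS records) may still exist when its name and address are reused. The following is an added example, not code from the post, with the checks for each stage; dc1.corp.example, dc2.corp.example and the zone corp.example are assumed names.

```powershell
# Added example: checks around demoting DC1 and reusing its name/IP.
Import-Module ActiveDirectory
$Old   = 'DC1'
$Fqdn  = 'dc1.corp.example'      # assumed
$Other = 'dc2.corp.example'      # assumed: a DC that stays up throughout
$Zone  = 'corp.example'          # assumed

# --- Before demotion: no FSMO role on DC1, replication healthy ---------------
$d = Get-ADDomain; $f = Get-ADForest
[pscustomobject]@{
    PDC = $d.PDCEmulator; RID = $d.RIDMaster; Infrastructure = $d.InfrastructureMaster
    Schema = $f.SchemaMaster; DomainNaming = $f.DomainNamingMaster
}
# Move any role DC1 holds first, e.g.:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
repadmin /replsummary
dcdiag "/s:$Old" /q
# Also: anything whose only DNS server is DC1's IP (DHCP scopes, static
# server configs) loses resolution while DC1 is down.

# --- After demotion, before the name is reused: nothing left behind -----------
# Any hit below needs metadata cleanup (ntdsutil) or manual DNS removal first.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=server)(cn=$Old))"
Get-ADComputer -Filter "Name -eq '$Old'" -Properties primaryGroupID |
    Select-Object Name, @{ n = 'StillDC'; e = { $_.primaryGroupID -eq 516 } }
Get-DnsServerResourceRecord -ComputerName $Other -ZoneName "_msdcs.$Zone" -RRType Cname |
    Where-Object { $_.RecordData.HostNameAlias -like "$Fqdn*" }
Get-DnsServerResourceRecord -ComputerName $Other -ZoneName $Zone -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$Fqdn*" }

# --- After the new DC1 is promoted: replicating, registered, advertising ------
repadmin /showrepl $Fqdn
dcdiag "/s:$Old" /test:DNS /test:Advertising /q
```

Run the "after demotion" block from a DC other than the one being rebuilt, and let replication converge before reusing the name, so that the checks reflect what every DC sees rather than only the local copy.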


Enable option for user account in AD


Hi All,

What needs to be checked before and after enabling the option below in the Domain Admin account properties?

"Account is sensitive and cannot be delegated"

Thanks in advance.


vicky

pwdLastSet attribute changed after setting user account as password never expires


Hi Team,

The pwdLastSet attribute changed after setting a user account to "password never expires".

Please help me understand why it changed.

Regards,
Mahadev Nitture


Regards, Mahadev
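Both of the last two posts come down to the same two attributes: userAccountControl, where "Account is sensitive and cannot be delegated" is the bit UF_NOT_DELEGATED (0x100000) and "Password never expires" is UF_DONT_EXPIRE_PASSWD (0x10000), and pwdLastSet, a FILETIME where 0 means "must change password at next logon" and a write of -1 is stored by the DC as the current time. The following is an added example, not code from either post, that snapshots both before and after a change so the effect can be seen. For the delegation question it first lists what depends on delegation; for the pwdLastSet question it shows that Set-ADAccountControl writes only userAccountControl. The account names admin.vicky and jdoe are assumptions.

```powershell
# Added example: observe userAccountControl bits and pwdLastSet around a change.
Import-Module ActiveDirectory
$UF = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002
    PASSWD_NOTREQD                 = 0x0000020
    DONT_EXPIRE_PASSWD             = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000
    NOT_DELEGATED                  = 0x0100000
    USE_DES_KEY_ONLY               = 0x0200000
    DONT_REQ_PREAUTH               = 0x0400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function Get-AccountFlagState {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties userAccountControl, pwdLastSet, PasswordLastSet
    $flags = foreach ($e in $UF.GetEnumerator()) { if ($u.userAccountControl -band $e.Value) { $e.Key } }
    [pscustomobject]@{
        Account            = $u.SamAccountName
        userAccountControl = '0x{0:X}' -f $u.userAccountControl
        Flags              = $flags -join ','
        pwdLastSet         = $u.pwdLastSet        # raw FILETIME; 0 = must change at next logon
        PasswordLastSet    = $u.PasswordLastSet   # the same value as a DateTime
    }
}

# Delegation question. Before setting NOT_DELEGATED on a Domain Admin, know
# what relies on delegating that account: services with a constrained
# delegation list, and hosts trusted for unconstrained delegation. Any
# double-hop workflow the admin uses through them stops working afterwards,
# which is the point of the setting, but should be known in advance.
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, ObjectClass, msDS-AllowedToDelegateTo
Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | Select-Object Name

$before = Get-AccountFlagState -Identity 'admin.vicky'     # assumed account
Set-ADAccountControl -Identity 'admin.vicky' -AccountNotDelegated $true
$after  = Get-AccountFlagState -Identity 'admin.vicky'
$before, $after | Format-Table -AutoSize
# After: log on fresh and run klist; the TGT's "Ticket Flags" line should no
# longer include "forwardable".

# pwdLastSet question. Set-ADAccountControl touches only userAccountControl,
# so pwdLastSet is unchanged. A tool that, as part of the same change, clears
# "User must change password at next logon" writes pwdLastSet = -1, which the
# DC stores as "now"; that is what makes pwdLastSet look like a password change.
$b = Get-AccountFlagState -Identity 'jdoe'                 # assumed account
Set-ADAccountControl -Identity 'jdoe' -PasswordNeverExpires $true
$a = Get-AccountFlagState -Identity 'jdoe'
"pwdLastSet unchanged: $($b.pwdLastSet -eq $a.pwdLastSet)"
```

Pairing "cannot be delegated" with membership of Protected Users gives the same guarantee for NTLM and for long ticket lifetimes; the flag on its own only covers Kerberos delegation.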

DFS Replicate group with 3 server


Dear Forum,

I am going crazy with our DFS servers. Currently we have DFS with 3 servers (DFS01, DFS02, DFS03). I noticed that sometimes it activates the primary server on DFS01, sometimes on DFS02 and sometimes on DFS03.

I would like to ask how we can permanently set DFS02 as the primary?

Thank you!


Can Windows 7 mandatory profiles be created with current tools in a Windows 2012 R2 domain environment?


I am working at an elementary school with a mixed environment of Windows 7 Pro and Windows 10 Pro workstations. We need a roaming mandatory profile for a generic login. The students often change settings even with a GPO limiting what is accessible to them.

The Windows 7 tools for creating profiles are apparently no longer available. The current tool sets (Windows 8 and Windows 10) have not produced a workable Windows 7 mandatory profile. We get one error message or another when we try them.

Is it still possible to create a usable Windows 7 mandatory profile with "today's" tool sets?

If it is still possible, would you please point me in the right direction.

Thanks in advance.

Restrict a few users from authenticating from the public network


Hi,

How can I restrict a few users from outside my network from accessing my website using ADFS 2012 R2?

Example: all my company users have to access abccompany.com from the company network and from the public network, but my Sales department users have to access it from the company network only, not through the public network. Whenever those users access it from the public network it should be blocked.
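In ADFS 2012 R2 this is an issuance authorization rule on the relying party trust: requests that arrive through the Web Application Proxy carry the insidecorporatenetwork claim with value "false", requests that reach the federation server directly carry it with value "true", and a deny claim always wins over a permit claim. The following is an added example, not code from the post; the relying party name, the Sales group SID and the claim rules are assumptions. The external path has to go through the WAP for this to work: if external users can reach the federation service directly, they are "inside" as far as this claim is concerned. The group SID claim and the insidecorporatenetwork claim must also be passed through by the Active Directory claims provider trust's acceptance rules to be visible at the authorization stage.

```powershell
# Added example: deny members of the Sales group when the request did not
# come from inside the corporate network; permit everyone else.
$SalesSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # assumed: Sales group SID
$Rp       = 'abccompany.com'                                    # assumed relying party trust name

# Treat "claim absent" the same as "false": only an explicit "true" counts as inside.
$Rules = @"
@RuleName = "Deny Sales from outside the corporate network"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 && EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$SalesSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $Rp -IssuanceAuthorizationRules $Rules

# Read back what is now in force, and the Sales group's real SID for the rule.
(Get-AdfsRelyingPartyTrust -Name $Rp).IssuanceAuthorizationRules
(Get-ADGroup -Identity 'Sales').SID.Value     # assumed group name; paste into $SalesSid
```

Test from both paths with a Sales member and a non-member before rolling out: the deny rule denies by group SID, so nested membership in Sales counts, and a mistyped SID silently matches nobody.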



The retry counts and timeout value of authentication in Active Directory

Hello everyone,

I have a question about the login authentication in AD.

My colleague's PC has a network problem (a Cisco ISE issue): the OS can't retrieve an IP address after the PC starts (through the wired network). When he logs in to the OS, it takes about 2 minutes to show the desktop.

During those two minutes, the PC attempts to connect to a DC.

How many times does the PC retry authentication?

How long is the authentication timeout?

Is there a document on the Microsoft website that describes this?

Thanks in advance.

NIC Teaming - Windows 2016 server and Active directory ADDS


Hi There,

I'm struggling to find a solid Microsoft response on this one. I'm deploying physical domain controllers running Windows Server 2016 Standard with AD DS, and I would like to know what the best practice is for network configuration, specifically for domain services.

The servers are HP DL380s with 2 x 10 GB network cards.

Specifically:

1. Should we team the NICs using Windows teaming?

2. What are the supported teaming configurations (switch independent/LACP), active/active or active/passive?

3. Any reasons not to use LACP? I'm guessing because active/active is not recommended.

I've read numerous articles stating that active/active should not be used and also that teaming is not recommended, etc., but nothing recent and not a lot from official Microsoft either way on the matter.

Could anyone shed some light on this please? An MS article in black and white would be useful :-)

I'm proposing to team the NICs using switch independent/Dynamic or address hash and to configure a standby NIC.
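Windows NIC Teaming supports three modes, Switch Independent, Static Teaming and LACP (the latter two are switch-dependent), and a standby member is only available in Switch Independent mode, which is why the proposal above implies switch-independent teaming. What matters for a DC is that only the team interface carries an address, so that AD registers one A record and one set of SRV records. The following is an added example, not code from the post, that builds the team as proposed and verifies that; adapter names, team name and addresses are assumptions.

```powershell
# Added example: switch-independent Dynamic team with one standby member,
# addressed on the team interface only, then verified.
$Members = 'NIC1', 'NIC2'            # assumed: the two 10 Gb ports
New-NetLbfoTeam -Name 'DC-Team' -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false
Set-NetLbfoTeamMember -Name 'NIC2' -AdministrativeMode Standby

# IP configuration belongs to the team interface, never to a member NIC.
$team = Get-NetAdapter -Name 'DC-Team'
New-NetIPAddress -InterfaceIndex $team.ifIndex -IPAddress '10.0.0.10' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceIndex $team.ifIndex -ServerAddresses '10.0.0.11', '10.0.0.10'   # partner DC first, self second

# Verify: team state, member roles, a single IPv4 address on the host.
Get-NetLbfoTeam | Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-NetLbfoTeamMember | Select-Object Name, AdministrativeMode, OperationalStatus
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notlike '127.*' } |
    Select-Object InterfaceAlias, IPAddress

# After promotion: registration and advertising should show exactly this address.
ipconfig /registerdns
dcdiag /test:DNS /test:Advertising /q
```

Build the team before promoting the server, so that DCPROMO never sees two addresses; a DC that registered both member NICs at some point leaves stale records that dcdiag's DNS test will flag.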

Restrict local user login through group policy


Dear Folks,

As I am working on an important project, I need to disable all local user logins on all domain PCs.

My problem is that I do not have a list of the local users created on the workstations. Please suggest a GPO or batch file to achieve my goal.

All client computers have multiple local users created, and users log in with local credentials. I want to stop this behaviour; to do this I need to restrict all local user logins and enable only domain user logins.

Yogesh 
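The inventory problem and the policy problem can be separated: the well-known SID S-1-5-113 ("NT AUTHORITY\Local account") matches every local account on a machine without naming any of them, so a "Deny log on locally" / "Deny log on through Remote Desktop Services" user right assigned to it blocks local logons in one GPO setting (S-1-5-114 is the variant for local accounts that are members of Administrators). On Windows 7 and 2008 R2 the SID exists only with update KB2871997 installed. The following is an added example, not code from the post, that inventories the local accounts first (so nothing needed for recovery is cut off blindly) and then produces the security template the GPO's User Rights Assignment should match. The OU path and file names are assumptions.

```powershell
# Added example: inventory local accounts on domain workstations, then deny
# local-account logon with the well-known Local account SID.
Import-Module ActiveDirectory
$Computers = Get-ADComputer -SearchBase 'OU=Workstations,DC=corp,DC=example' -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName

# 1. Inventory. Built-in Administrator/Guest/DefaultAccount have RIDs 500/501/503;
#    everything at RID >= 1000 was created locally.
$Inventory = foreach ($c in $Computers) {
    try {
        Get-CimInstance -ComputerName $c -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $c; Name = $_.Name; Sid = $_.SID
                    Rid = [int]($_.SID -split '-')[-1]; Disabled = $_.Disabled
                }
            }
    } catch { Write-Warning "$c unreachable: $($_.Exception.Message)" }
}
$Inventory | Where-Object { -not $_.Disabled -and $_.Rid -ge 1000 } | Format-Table -AutoSize
$Inventory | Export-Csv -Path '.\local-accounts.csv' -NoTypeInformation

# 2. Policy. The same two lines go under Computer Configuration > Policies >
#    Windows Settings > Security Settings > Local Policies > User Rights
#    Assignment in the GPO linked to the workstation OU; this template lets
#    one machine be tested with secedit first.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-113
SeDenyRemoteInteractiveLogonRight = *S-1-5-113
'@
$Template | Out-File -FilePath '.\deny-local.inf' -Encoding unicode
# On a test machine:  secedit /configure /db deny-local.sdb /cfg deny-local.inf /areas USER_RIGHTS

# 3. Optionally disable the locally created accounts found in step 1 as well.
foreach ($acct in ($Inventory | Where-Object { -not $_.Disabled -and $_.Rid -ge 1000 })) {
    Invoke-Command -ComputerName $acct.Computer -ScriptBlock { net user $using:acct.Name /active:no }
}
```

Denying S-1-5-113 also denies the built-in local Administrator at the console, so keep a recovery path (LAPS-managed Administrator excluded via a separate policy, or a domain account with local admin rights) before linking the GPO broadly.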

Sysvol Constantly disconnecting


I have 8 servers across the state, a mix of 2008 R2 and 2012 R2.

Recently the SYSVOL has stopped working.

This is causing Group Policy not to function.

I have to rebuild it once a month or so.

This just started happening out of the blue.

I reset it using D4 and D2 on the BurFlags, and it fixes the issue for a while.

User Migration with ADMT


Hello,

We are migrating users, groups and computer objects from one forest to another forest's domain, and the user name is different in each domain. Below is the scenario:

Source Domain User: 10025@abc.com (User Name: 10025)

Target Domain User: KES052@xyz.com (User Name: KES052)

We have created users in the target domain with new user IDs (common IDs). When I migrate the SID for those users, the user name is replaced (10025 is replaced with KES052). How could I migrate only the SID without replacing anything from the source domain?

In the ADMT console I am using an include file and merging the users, and I have excluded all the attributes, but only the user name is changing; S
AM and UPN are as in the target.

I would appreciate any input to get rid of this.

Regards,

Vinay


User rights report

Can anyone tell me how I can obtain a system-generated list of privileged user rights (e.g., users with full system access or access to security administration functionality) or a system-generated report of all privileged users in the system? Privileged users are those users who have access above and beyond what a typical end user would have. As an example, they may be able to change password configurations or administer user access.

Support analyst
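In Active Directory, "privileged" has three observable sources that a report should cover: membership (including nested) of the built-in administrative groups, accounts that AdminSDHolder has marked with adminCount=1 (which also catches people removed from those groups whose flag was never reset), and delegated ACEs on the domain and its OUs that grant full control, DACL/owner write or the Reset Password extended right. The following is an added example, not code from the post, that produces one table from all three; the output path is an assumption, and local Administrators membership on servers, which is the other common form of privilege, is not covered here.

```powershell
# Added example: privileged-principal report from groups, adminCount and ACLs.
Import-Module ActiveDirectory
$Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
          'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
          'Group Policy Creator Owners', 'DnsAdmins'

# 1. Recursive membership of the administrative groups.
$Members = foreach ($g in $Groups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Source = "group:$g"; Principal = $_.SamAccountName; Class = $_.objectClass; Detail = $_.distinguishedName }
        }
    } catch { Write-Warning "$g : $($_.Exception.Message)" }   # e.g. forest-root groups queried from a child domain
}

# 2. Accounts protected by AdminSDHolder, with a view of whether they are live.
$Protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties Enabled, LastLogonDate | ForEach-Object {
    [pscustomobject]@{ Source = 'adminCount=1'; Principal = $_.SamAccountName; Class = 'user'
                       Detail = "enabled=$($_.Enabled) lastLogon=$($_.LastLogonDate)" }
}

# 3. Non-inherited delegation on the domain root and every OU that amounts to
#    administering user access.
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$Containers = @((Get-ADDomain).DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
$Delegated = foreach ($dn in $Containers) {
    (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
        ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -or $_.ObjectType -eq $ResetPassword)
    } | ForEach-Object {
        [pscustomobject]@{ Source = 'delegation'; Principal = $_.IdentityReference.Value; Class = 'ace'
                           Detail = "$dn : $($_.ActiveDirectoryRights)" }
    }
}

$Report = @($Members) + @($Protected) + @($Delegated)
$Report | Sort-Object Principal, Source | Format-Table -AutoSize
$Report | Export-Csv -Path '.\privileged-users.csv' -NoTypeInformation
```

A principal that appears under adminCount=1 but under no group is the usual audit finding: it still carries the protected ACL and should be cleaned up or re-justified.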

AD Cloud deployment guidance.


Hi Guys,
Bear with me; I won't be as technical as even a fraction of you here.

I am looking at deploying a completely new Windows environment (DC/AD etc.). There is currently no infrastructure set up and I have been looking at different deployment possibilities. I would be looking at setting this up for multiple sites in the UK, NY and LA.

I am looking at possibly a hybrid solution (on-prem and cloud) via AWS or Azure. Firstly, as I haven't been exposed to a Windows domain environment hosted in either, does anyone have any recommendations or insight into either that they could share?

Secondly, I was wondering if there is a purely cloud-based option using VMs in either AWS or Azure. I am obviously opposed to setting up such an environment due to the low guaranteed availability and the bandwidth constraints of everything using the IGW.

The business would like the possibility explored, and there are multiple DaaS offerings which don't offer GPO, which is a deal breaker.

Users:

UK - 70, NY - 15, LA - 8

No existing domain or windows services currently running (Except DNS)

If you need to know anything to get a better feel of our need please ask.

Event 11 The KDC encountered duplicate names while processing a Kerberos authentication request. (of type KEY ID)


I have recently migrated a Windows 2012 R2 DC to Windows Server 2016. Afterwards I started noticing series of this particular error.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          11/27/2018 9:24:24 AM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      BBL-DC-CDC01.bd.bracbank.com
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 (of type KEY ID). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 in Active Directory.

Event Xml:
<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-27T03:24:24.310757900Z" />
    <EventRecordID>3984</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>BBL-DC-CDC01.bd.bracbank.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Name">D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763</Data>
    <Data Name="Type">KEY ID</Data>
    <Binary></Binary>
  </EventData>
</Event>

I have been struggling with this error for the last few days. Even though Event 11 is a very common error and there are clear instructions on how to mitigate it, they fail to address my specific scenario.

All the solutions I have found so far relate to "Type DS_SERVICE_PRINCIPAL_NAME", but mine is "Type KEY ID". Basically this error says that the KDC encountered duplicate names and then spits out a long hexadecimal string rather than saying which SPN is duplicated. Therefore, it's difficult to solve the issue with the setspn cmdlet.

I'm an amateur when it comes to Windows Server Active Directory, so any help is highly appreciated. Thanks.
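The string in the event is 64 hex characters, i.e. 32 bytes, which is the size of a SHA-256 hash. One place in the directory where key identifiers of exactly that shape are stored is the msDS-KeyCredentialLink attribute, whose entries (KEYCREDENTIALLINK_BLOB: a 4-byte version, then length/identifier/value triples) carry a KeyID that is the SHA-256 hash of the key material; the KDC uses these entries for key-based authentication. The following is an added example, not code from the post, that parses that attribute on every object that has it and reports which objects carry a given KeyID, taking the identifier from the most recent Event 11 rather than by copy-and-paste. Treat the match as an assumption to verify: if no object carries the value, the duplicate lives somewhere else. The same attribute is the one abused by the "shadow credentials" technique, so an unexpected entry on a sensitive account deserves scrutiny before it is simply deleted.

```powershell
# Added example: find objects whose msDS-KeyCredentialLink contains a KeyID.
Import-Module ActiveDirectory

function ConvertFrom-KeyCredentialLink {
    # One DN-Binary value: B:<hexlen>:<hex>:<DN>
    param([Parameter(Mandatory)][string]$DnBinary)
    $parts = $DnBinary.Split(':', 4)
    $hex   = $parts[2]
    $bytes = [byte[]]::new($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16) }
    $entries = @{}
    $pos = 4                                      # skip the 4-byte version field
    while ($pos + 3 -le $bytes.Length) {
        $len = [BitConverter]::ToUInt16($bytes, $pos)
        $id  = [int]$bytes[$pos + 2]              # 1=KeyID 3=KeyMaterial 4=KeyUsage 6=DeviceId 9=KeyCreationTime
        $val = [byte[]]::new($len)
        [Array]::Copy($bytes, $pos + 3, $val, 0, $len)
        $entries[$id] = $val
        $pos += 3 + $len
    }
    [pscustomobject]@{
        KeyId    = (($entries[1] | ForEach-Object { $_.ToString('X2') }) -join '')
        KeyUsage = if ($entries[4]) { [int]$entries[4][0] } else { $null }
        DeviceId = if ($entries[6] -and $entries[6].Length -eq 16) { [guid]::new([byte[]]$entries[6]) } else { $null }
        Raw      = $DnBinary
    }
}

function Find-KeyCredentialHolder {
    param([Parameter(Mandatory)][string]$KeyId)
    Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
        ForEach-Object {
            $obj = $_
            foreach ($v in $obj.'msDS-KeyCredentialLink') {
                $kc = ConvertFrom-KeyCredentialLink -DnBinary $v
                if ($kc.KeyId -ieq $KeyId) {
                    [pscustomobject]@{ Object = $obj.DistinguishedName; Class = $obj.ObjectClass
                                       KeyUsage = $kc.KeyUsage; DeviceId = $kc.DeviceId; Value = $kc.Raw }
                }
            }
        }
}

# Identifier and type straight from the latest Event 11 on this DC.
$ev   = Get-WinEvent -MaxEvents 1 -FilterHashtable @{
            LogName = 'System'; Id = 11
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' }
$name = $ev.Properties[0].Value
$type = $ev.Properties[1].Value
if ($type -eq 'KEY ID') {
    $hits = Find-KeyCredentialHolder -KeyId $name
    $hits | Format-Table Object, Class, KeyUsage, DeviceId -AutoSize
    # Two or more hits are the duplicate. Remove only the surplus value, e.g.:
    # Set-ADObject -Identity $hits[1].Object -Remove @{ 'msDS-KeyCredentialLink' = $hits[1].Value }
}
```

Before removing anything, record which object each entry belongs to and what DeviceId it carries; two computer objects holding the same key is consistent with a cloned machine image, and the copy to keep is the one the device in use actually registered.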

Cannot ping domain without full name


Hi,

We have just installed a new Windows 2012 R2 Datacenter virtual server and promoted it to an additional DC. When we ping our domain's NetBIOS name, it pings from the new DC, but if we try to ping from our primary DC, it does not. We can only ping the full DNS name.

For example:

If our domain name is abc.com, we can ping abc.com from our main DC, but if we try to ping only abc it does not ping.

Whereas we are able to ping both ways from the newly created DC.

I believe this is also creating a problem with our main DC, because sometimes it does not open the ADUC or DNS consoles and shows the error "The domain could not be found".

Any Suggestions?
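"ping abc" is not a DNS query for abc.com unless the resolver turns it into one by appending a suffix (the primary DNS suffix or the suffix search list); when that fails, Windows falls back to LLMNR and NetBIOS broadcast or WINS, which is why one DC can answer and another cannot, and which is also the name-resolution path that spoofing tools such as Responder target. The following is an added example, not code from the post, that separates the DNS-only and NetBIOS-only outcomes for the short name on each DC and shows the suffix settings that decide them. DC names are assumptions; the short and full names come from the post's example.

```powershell
# Added example: compare DNS-only vs NetBIOS/LLMNR-only resolution of the
# short domain name on each DC, alongside the settings that drive it.
$Short = 'abc'; $Fqdn = 'abc.com'                         # from the post's example
foreach ($dc in 'dc-main.abc.com', 'dc-new.abc.com') {    # assumed DC names
    Invoke-Command -ComputerName $dc -ScriptBlock {
        $short = $using:Short; $fqdn = $using:Fqdn
        $dnsOnly = try { (Resolve-DnsName -Name $short -DnsOnly -ErrorAction Stop).IPAddress -join ',' }
                   catch { 'FAIL: ' + $_.Exception.Message }
        $nbOnly  = try { (Resolve-DnsName -Name $short -LlmnrNetbiosOnly -ErrorAction Stop).IPAddress -join ',' }
                   catch { 'FAIL: ' + $_.Exception.Message }
        $full    = try { (Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop).IPAddress -join ',' }
                   catch { 'FAIL: ' + $_.Exception.Message }
        $tcpip   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            PrimarySuffix   = $tcpip.Domain
            SuffixSearch    = (Get-DnsClientGlobalSetting).SuffixSearchList -join ','
            DnsServers      = (Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object ServerAddresses) -join ','
            ShortViaDns     = $dnsOnly
            ShortViaNetbios = $nbOnly
            FqdnViaDns      = $full
            # TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled
            NetbiosOption   = (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE').TcpipNetbiosOptions -join ','
        }
    }
}
```

If ShortViaDns fails on the main DC while it succeeds on the new one, the difference is in PrimarySuffix or SuffixSearch, and that is the setting to fix; relying on ShortViaNetbios succeeding means the DC resolves its own domain by broadcast.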

Add R2 DC in Data Center DC


Hi,

Our primary DC is running Datacenter 2012. Can we add an additional DC running 2012 R2?

While promoting it to a DC we are getting the message below. The DNS address on the 2nd DC is pointing to the 1st DC.

Active Directory domain controller could not be contacted

Thanks.

