Channel: Directory Services forum

Minimum required certificate templates Windows Server 2016 Active Directory Certificate Services.


I am in the process of setting up a new certificate environment in parallel on Windows Server 2016. The current CA is on 2008 servers. I followed this guide to set this up.

https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-1/

I have some questions:

What are the minimum required templates for an AD environment?

I understand that user, computer and web server templates need to be there. Is there anything else required, like the Domain Controller template?

Also, what should the intended purposes be for:

user (e.g. Client Authentication, email signing, encryption etc.)

computer (e.g. Client Authentication, email signing, encryption etc.)

Any guidance is highly appreciated.


Administrator login without password

How can I log in as the local Administrator without a password in Windows Server 2012?

Migrate AD CS from Server 2012 R2 to Server 2016


Following the steps here to migrate AD CS to a new machine, but when I run the "certutil -catemplates" command I get a bunch of "access is denied" messages in the results. Does anyone know why? I'm logged in as a Domain Admin...



Shaun

Place two DFS servers in multi sites


Hi All,

I have 10 physical sites and two Sites and Services sites (S1 and S2), so some of the subnets belong to S1 and some are in S2.

How do I place two DFS servers? All sites are on IPVPN.

  

As

  

Trust between 2 external domains


Hi All,

We created a one-way external trust with our vendor, which means the Vendor.com domain now trusts our Client.com domain. Therefore we (Client.com) can access resources hosted in the vendor.com domain.

We created a GPO to add URLs hosted in our vendor domain to the trusted sites of our machines in client.com. Now when we try to access these URLs it prompts for ID & password. So we applied the GPO to select the option in IE "Automatic logon only in Intranet zone". We were hoping that it would bypass the prompt and automatically log us in, but it still prompts for ID & password.

The first prompt is to enter the credentials for the Vendor.com domain, so we cancel the screen and then we are prompted for our client.com credentials. Once we enter the client.com credentials manually, it lets us in. Any suggestions?





CSV Report of an OU's ADUsers+Membership+ADGroup -Properties Select Description,whenCreated,whenModified


Two scripts generate useful .CSV files, as noted below. I'd prefer to improve the process for use with a Power BI front end.

Currently the 2 result files require much manual effort to parse/sort in order to provide useful reports that management can use to de-provision (based on least-privilege principles, revoke) any of their reports' unnecessary access.

Current scripts:

1) Obtains AD users & AD group membership based on a specific OU and writes to a CSV file;

2) Given a list of group names, pulls ADGroup -Properties and selects fields for output: Desc, Created, Modified, Parent_OU;

Ideally, the 1st script could be improved to look at the sum of all groups found, parse out any duplicates, write the results to an array or file, and then fire off a second process to get the properties of each group (to provide management/staff a more complete picture of their staff's group membership).

 

Problem with replication DFS


Hi,

Please help me understand and resolve the problem.

One node does not want to replicate data to the two others (a small test txt file). The problem is with 4 replication groups; the other 12 groups work properly.

Result of the diagnostic report:

STOR02

STOR03

STOR04

If I try to run a Propagation Test on STOR02 or STOR03, I receive an error (on STOR04 there are no problems).

The test is run as administrator; on the share, "everyone" has full access permissions.


change username in hybrid environment


Hi

I'd like to ask what the steps are for changing a username in a hybrid environment.


Cannot contact Domain Controller


Hello,

I'm having issues that I cannot figure out for the life of me. Some background on my environment: I have two Hyper-V nodes running in a failover cluster (Server 2016). Each node is connected via three 1GB connections, all on the same subnet. My storage for the cluster is Server 2019 Storage Spaces via SMB, which is also connected via three 1GB connections, all on the same subnet. I run 2 DCs in the failover cluster and 1 DC locally on one of the Hyper-V hosts just in case anything happens (all are GC DCs and DNS is fully replicating). Well, something happened: I had one of the nodes paused and forgot to un-pause it, so everything failed, including the 2 DCs in the cluster, but the DC running locally is working just fine. However, no matter what, nothing will contact the DC. I have most DNS pointing to my firewall (pfSense), which then forwards to my 3 DCs. I've also tried pointing DNS to just the running DC, but that doesn't help either. Each DC only has 1 IP address.

My VMs are set by the hostname of the storage that the VHDs are sitting on, and since I can't get it resolved I can't get any of the VMs edited or running again. Let me know if you have any ideas.

(DC Firewalls are set to off)

(SRV Records show up for LDAP and Kerberos)

Who enabled or changed DNS scavenging configuration


Hi,

We have had DNS scavenging enabled for some time now and it has been working fine. Last week, someone changed the scavenging Refresh and Non-refresh intervals on a zone to 9 hours each and it ended up deleting some crucial records from DNS. Though auditing shows the records were deleted by scavenging, is there a way to check who messed with the scavenging settings?
We have DS Access auditing enabled but there's no log related to this.

IPSec and Domain Controllers


Hi team,

I'm looking at a solution where I need to set up an RODC in the DMZ. I'm looking at IPSec for this. I want to clarify the below:

  1. If I enable IPSec, can I just enable it between the RODC and one writable DC, or does enabling IPSec mean enabling it between all domain controllers?
  2. Is there any impact when enabling IPSec during production hours?

Thank you.

Jude.


We have found Event ID errors (Event ID 5722 Netlogon, Event ID 29 Key Distribution Center, Event ID Distributed COM 100016) in bulk

We have found these event IDs in bulk on the Domain Controller system. Please help me close or remove these event IDs.

Sites & Services


Hi,

We have a little issue with Sites & Services (or at least I believe we do).

I noticed by chance yesterday that one of our servers over in France was pointing to a server in Romania in order for it to log on using its credentials. I have checked in Sites & Services and established that all the subnets are pointing to the correct range and the setup in Sites & Services is correct, i.e. all remote site servers point to their internal AD server for resolution and to the backup server that the whole of the European estate connects to if there are issues.

Any idea what would be causing a server in Romania to look to France for resolution considering that Sites & Services is setup correctly?

Any help or guidance would be greatly appreciated.

Regards.

change expired password on rdweb / two domains with external trust / not working


Hi,

We are having problems resetting expired passwords on RDWEB.
I have an existing topic on the forum here about it: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f43f548d-1921-401d-8ff0-5f5979411c0e/expired-password-reset-option-rdweb-2012r2?forum=winserverTS

We haven't found a solution yet and we think the issue is with the existing trust relationship between the 2 domains. My RD collection is on another domain than the users that log in to it.
The trust between the domains is an external one; maybe to make this work we need to change it to a transitive trust?

However, hundreds of users are working on this environment. We don't want to break it.
Is it safe to change a trust relationship from external to transitive without breaking things? Could this be the solution for the problems we are experiencing?

Thanks,

LEVD

Event ID 4776 failure events on the domain controller, even username and password is correct


Hi Team,

I am observing that failure event ID 4776 (The computer attempted to validate the credentials for an account, with code 0xc000006a) is being generated on my domain controller even though I am entering the correct login details. Can someone help me understand this event?

As far as I know, this event is generated when NTLM authentication happens, but in my case I can see a failure event with ID 4776.

If these are bad password attempts then:

>> The account should get locked, but I can't see an account lockout or any event with ID 4740.

>> I can't see a bad password count in lockout.exe.

Could someone please provide some information on event 4776? I searched Google but am not getting proper information.



Windows Lockout issue


I am facing a domain account lockout issue and I am stuck in troubleshooting.

According to the link below, I am able to find our problematic domain controller but unable to find event ID 4625 on the caller computer name.

https://activedirectorypro.com/account-lockout-tool/

Additional Domain Controller is not authenticating when Primary Domain Controller goes down


Hi,

I have a Primary Domain Controller and a Secondary Domain Controller. The problem is that when the Primary Domain Controller goes down, the Secondary Domain Controller does not authenticate the users.

I have an Exchange Server in the environment but everything goes down with the Primary Domain Controller.

Any thoughts?

Thanks,

Netbios help! Server 2008


Hello All, this is my first post and it's a good one!


Netbios over TCP/IP has been disabled in my work environment. We are strictly DNS. 

I've been troubleshooting a domain trust issue with another company and was told NetBIOS was the reason. Out of curiosity, I enabled NetBIOS on my 4 DCs. I rebooted 2 DCs, 1 of which is a Global Catalog and the other is the primary DNS.


Once they rebooted, all my users could no longer use anything that is AD integrated. I couldn't even log into the DCs because it kept telling me bad password.


My coworker was able to somehow get into the Primary DNS DC and we disabled Netbios. From there things got back to normal.


Of course I'm freaked out because I don't understand how that could have broken DNS and AD!


Can someone shed some light on what might have happened?

AD CS - Restricted enrollment agents issue

Hello, everybody.

Currently I'm struggling to implement something according to these docs.
For simplicity's sake, my test setup is configured with a single enrollment agents group and a single certificate template. My goal is to prevent enrollment agents from issuing certificates to some privileged users. To make that happen I have configured the following two permission entries for restricted enrollment agents:
DOMAIN\Domain Users - Allow
BUILTIN\Administrators - Deny

And what if a particular user is a member (direct or indirect) of BOTH of the above groups? What is the effect of the above restrictions? Will the certificate request be allowed or denied? Common sense suggests that the request should be denied. But in my test environment it is not, which is very confusing. I tried many different combinations of denied/allowed groups and got contradictory results.

The ultimate question is: what is the definitive way to allow an enrollment agent to request a certificate on behalf of ANY user, EXCEPT members of particular domain security groups (local, global, universal, in this domain, in the whole forest, and including members of BUILTIN\ groups)?
I haven't found any particular guidance in Microsoft documentation or otherwise. It would be great if you could shed some light on this matter.

Thanks in advance.

All workstation on network (Unauthenticated) after authoritative restore.


When you click on the network status icon in the notification area on the taskbar it says: "ddt.edu 2 (Unauthenticated)" and therefore, group policies are not applied to workstations.

I have two Windows 2016 Standard Servers (Version 1607) and 50 Windows 10 Education (Version 1709) workstations. All workstations and servers are x64. It was all working fine except SYSVOL was not replicating. We tried to fix the replication issue by doing an authoritative restore. Afterwards all workstations have Authentication issues. I have not found anything of help on the Internet. Most of the similar authentication problems I’ve found are just for some workstations on the network, not all of them. I have been banging my head against this one for a week. Help!

Workstations can still access shares on server with no problem.

We are in a secure environment with no internet access.

I can ping successfully using either name or IP so DNS and DHCP seem to work fine.

Connectivity under View your network properties says "Connected to unknown network" on workstations.

Tried removing workstation from domain then joining it back to domain. Did not get any error messages but after rebooting problem still persists.

Also tried creating a new user, connecting a new computer whose name had never been used before, joining it to the domain and logging in to the network with the new user name. Didn't help.

The primary domain controller/global catalog is called SERVER01

I demoted the second domain controller called SERVER02. Didn't help.

Group policies are not applied. Gpupdate /force returns:

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

When I run repadmin /showreps I get:

      LDAP error 81 (Server Down) Win32 Err 58

Ran nltest /sc_query:server01.ddt.edu

I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

     

Ran Netdom reset EllisZ01 /Domain:ddt.edu /Server:Server01

Succeeds but doesn't help.

Ran netdom resetpwd /server:server01.ddt.edu /UserD:MyUserName /PasswordD:*

Password resets successfully but doesn't help.

Ran dcdiag /s:server01 and all tests passed except SystemLog which returned multiple Eventid: 0X0000272C errors and one Eventid: 0x800000003 error:

An error event occurred.  EventID: 0x0000272C

           Time Generated: 02/13/2019   07:29:13

            Event String:

      DCOM was unable to communicate with the computer SERVER02.ddt.edu using any of the configured protocols; requested by PID    2ab0 (C:\Windows\system32\ServerManager.exe).

 An error event occurred. EventID: 0x80000003

           Time Generated: 02/13/2019   07:29:40

           Event String: A Kerberos error message was received:

        An error event occurred.  EventID: 0x0000272C

           Time Generated: 02/13/2019   07:39:13

           Event String:

           DCOM was unable to communicate with the computer SERVER02.ddt.edu using any of the configured protocols; requested by PID    2ab0 (C:\Windows\system32\ServerManager.exe).

Group Policy fails with the following message in the event log of the workstation.

Log Name:     System

Source:       Microsoft-Windows-GroupPolicy

Date:         2/7/2019 8:55:35 AM

Event ID:     1006

Task Category: None

Level:        Error

Keywords:     

User:         DDT\EllisR

Computer:     EllisZ01.ddt.edu

Description:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

    <EventID>1006</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2019-02-07T14:55:35.994342700Z" />

    <EventRecordID>54940</EventRecordID>

    <Correlation ActivityID="{E8639B9C-06D8-49E8-8A85-39C7D6993B6A}" />

    <Execution ProcessID="6212" ThreadID="9680" />

    <Channel>System</Channel>

    <Computer>EllisZ01.ddt.edu</Computer>

    <Security UserID="S-1-5-21-2772296466-3582803739-2678735995-1107" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">1</Data>

    <Data Name="SupportInfo2">6154</Data>

    <Data Name="ProcessingMode">0</Data>

    <Data Name="ProcessingTimeInMilliseconds">890</Data>

    <Data Name="ErrorCode">49</Data>

    <Data Name="ErrorDescription">Invalid Credentials</Data>

    <Data Name="DCName">

    </Data>

  </EventData>

</Event>

The following audit failure is in server event log. There are multiple entries with different client port numbers.

Log Name:     Security

Source:       Microsoft-Windows-Security-Auditing

Date:         2/7/2019 1:35:55 PM

Event ID:     4771

Task Category: Kerberos Authentication Service

Level:        Information

Keywords:     Audit Failure

User:         N/A

Computer:     Server01.ddt.edu

Description:

Kerberos pre-authentication failed.

Account Information:

      Security ID:           DDT\ELLISZ01$

      Account Name:          ELLISZ01$

Service Information:

      Service Name:          krbtgt/ddt.edu

Network Information:

      Client Address:        ::ffff:111.111.111.12

      Client Port:           49878

Additional Information:

      Ticket Options:        0x40810010

      Failure Code:          0x18

      Pre-Authentication Type:     2

Certificate Information:

      Certificate Issuer Name:          

      Certificate Serial Number:  

      Certificate Thumbprint:           

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4771</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>14339</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8010000000000000</Keywords>

    <TimeCreated SystemTime="2019-02-07T19:35:55.282935600Z" />

    <EventRecordID>23631687</EventRecordID>

    <Correlation />

    <Execution ProcessID="720" ThreadID="2184" />

    <Channel>Security</Channel>

    <Computer>Server01.ddt.edu</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="TargetUserName">ELLISZ01$</Data>

    <Data Name="TargetSid">S-1-5-21-2772296466-3582803739-2678735995-6605</Data>

    <Data Name="ServiceName">krbtgt/ddt.edu</Data>

    <Data Name="TicketOptions">0x40810010</Data>

    <Data Name="Status">0x18</Data>

    <Data Name="PreAuthType">2</Data>

    <Data Name="IpAddress">::ffff:111.111.111.12</Data>

    <Data Name="IpPort">49878</Data>

    <Data Name="CertIssuerName">

    </Data>

    <Data Name="CertSerialNumber">

    </Data>

    <Data Name="CertThumbprint">

    </Data>

  </EventData>

</Event>

The following is in the event log of the Domain controller Server01. There are many entries with different Account Names.

      Log Name:      Security

      Source:        Microsoft-Windows-Security-Auditing

      Date:          2/7/2019 1:21:04 PM

      Event ID:      4625

      Task Category: Logon

      Level:         Information

      Keywords:      Audit Failure

      User:          N/A

      Computer:      Server01.ddt.edu

      Description:

      An account failed to log on.

      Subject:

           Security ID:          NULL SID

           Account Name:          -

           Account Domain:        -

           Logon ID:         0x0

      Logon Type:            3

      Account For Which Logon Failed:

           Security ID:          NULL SID

            Account Name:         LARUEZ02$

           Account Domain:        DDT.EDU

      Failure Information:

           Failure Reason:        The user has not been granted the requested logon type at this machine.

           Status:                0xC000015B

           Sub Status:       0x0

      Process Information:

           Caller Process ID:     0x0

           Caller Process Name:   -

      Network Information:

           Workstation Name:-

           Source Network Address:      111.111.111.22

           Source Port:          59243

      Detailed Authentication Information:

           Logon Process:         Kerberos

           Authentication Package:      Kerberos

           Transited Services:    -

           Package Name (NTLM only):    -

           Key Length:       0

      This event is generated when a logon request fails. It is generated on the computer where access was attempted.

      .

      .

      .

      Event Xml:

      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

        <System>

           <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

           <EventID>4625</EventID>

           <Version>0</Version>

           <Level>0</Level>

           <Task>12544</Task>

           <Opcode>0</Opcode>

           <Keywords>0x8010000000000000</Keywords>

           <TimeCreated SystemTime="2019-02-07T19:21:04.284065900Z" />

           <EventRecordID>23628647</EventRecordID>

           <Correlation />

           <Execution ProcessID="720" ThreadID="10656" />

           <Channel>Security</Channel>

           <Computer>Server01.ddt.edu</Computer>

           <Security />

        </System>

        <EventData>

           <Data Name="SubjectUserSid">S-1-0-0</Data>

           <Data Name="SubjectUserName">-</Data>

           <Data Name="SubjectDomainName">-</Data>

           <Data Name="SubjectLogonId">0x0</Data>

           <Data Name="TargetUserSid">S-1-0-0</Data>

           <Data Name="TargetUserName">LARUEZ02$</Data>

           <Data Name="TargetDomainName">DDT.EDU</Data>

           <Data Name="Status">0xc000015b</Data>

           <Data Name="FailureReason">%%2308</Data>

           <Data Name="SubStatus">0x0</Data>

           <Data Name="LogonType">3</Data>

           <Data Name="LogonProcessName">Kerberos</Data>

           <Data Name="AuthenticationPackageName">Kerberos</Data>

           <Data Name="WorkstationName">-</Data>

           <Data Name="TransmittedServices">-</Data>

           <Data Name="LmPackageName">-</Data>

           <Data Name="KeyLength">0</Data>

           <Data Name="ProcessId">0x0</Data>

           <Data Name="ProcessName">-</Data>

           <Data Name="IpAddress">111.111.111.22</Data>

           <Data Name="IpPort">59243</Data>

        </EventData>

      </Event>

Also in server event log

Log Name:     Security

Source:       Microsoft-Windows-Security-Auditing

Date:         2/7/2019 1:38:55 PM

Event ID:     4776

Task Category: Credential Validation

Level:        Information

Keywords:     Audit Failure

User:         N/A

Computer:     Server01.ddt.edu

Description:

The computer attempted to validate the credentials for an account.

Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Account:   ELLISZ01$

Source Workstation:   ELLISZ01

Error Code:0xC000006A

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4776</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>14336</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8010000000000000</Keywords>

    <TimeCreated SystemTime="2019-02-07T19:38:55.434802400Z" />

    <EventRecordID>23632339</EventRecordID>

    <Correlation />

    <Execution ProcessID="720" ThreadID="10656" />

    <Channel>Security</Channel>

    <Computer>Server01.ddt.edu</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>

    <Data Name="TargetUserName">ELLISZ01$</Data>

    <Data Name="Workstation">ELLISZ01</Data>

    <Data Name="Status">0xc000006a</Data>

  </EventData>

</Event>
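As an added example (not code from any of the posts above), the following Python parses Security event XML in the schema quoted in this post (events 4771, 4625 and 4776), pulls out the account, source and status code, and groups the failures by account so a defender can see which machine accounts are failing and why. The sample events, hostnames and addresses are constructed; the status-code meanings are the well-known Kerberos and NTSTATUS values for the three codes that appear in the post.

```python
"""Group Windows Security authentication failures (4771/4625/4776) by account."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Meanings of the status codes quoted in the post (well-known public values).
STATUS_MEANING = {
    "0x18": "KDC_ERR_PREAUTH_FAILED: pre-auth data could not be verified (key/password mismatch)",
    "0xc000006a": "STATUS_WRONG_PASSWORD: credential validation rejected the password",
    "0xc000015b": "STATUS_LOGON_TYPE_NOT_GRANTED: account lacks the requested logon right",
}


def parse_event(xml_text):
    """Return a flat dict: a few <System> fields plus every <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for d in root.find("e:EventData", NS):
        # Empty elements such as <Data Name="DCName"> contain only whitespace.
        ev[d.get("Name")] = (d.text or "").strip()
    return ev


def classify(ev):
    """Map one parsed event to (account, source, status, meaning)."""
    account = ev.get("TargetUserName", "-")
    # 4771 and 4625 carry the client as IpAddress; 4776 carries it as Workstation.
    source = ev.get("IpAddress") or ev.get("Workstation") or "-"
    status = ev.get("Status", "").lower()
    return account, source, status, STATUS_MEANING.get(status, "unknown status")


def summarize(xml_events):
    """Return {account: [(EventID, source, status, meaning), ...]} in log order."""
    by_account = defaultdict(list)
    for text in xml_events:
        ev = parse_event(text)
        account, source, status, meaning = classify(ev)
        by_account[account].append((ev["EventID"], source, status, meaning))
    return dict(by_account)


def _mk(event_id, *data):
    """Build a constructed event in the same schema as the post's Event Xml."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data)
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            '<TimeCreated SystemTime="2019-02-07T19:35:55Z"/>'
            '<Computer>dc01.example.test</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample: one of each event type, modelled on the post's entries.
SAMPLE_EVENTS = [
    _mk(4771, ("TargetUserName", "WKS01$"), ("Status", "0x18"),
        ("PreAuthType", "2"), ("IpAddress", "::ffff:192.0.2.10")),
    _mk(4776, ("PackageName", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"),
        ("TargetUserName", "WKS01$"), ("Workstation", "WKS01"), ("Status", "0xc000006a")),
    _mk(4625, ("TargetUserName", "WKS02$"), ("Status", "0xc000015b"),
        ("SubStatus", "0x0"), ("LogonType", "3"), ("IpAddress", "192.0.2.22")),
]

if __name__ == "__main__":
    for account, rows in summarize(SAMPLE_EVENTS).items():
        print(account)
        for event_id, source, status, meaning in rows:
            print(f"  {event_id} from {source}: {status} {meaning}")
```

Feeding real exported Event Xml into summarize() works unchanged, since the parser reads only the schema the post's entries already use.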
