Channel: Directory Services forum

ADDC Replication failed with The remote procedure call failed \ Cancelled.


Hi All,

We have a multi-master AD environment running on Windows 2012. Recently we have been facing an AD replication issue on a domain controller located in a spoke site, which is getting an RPC failed error in Dcdiag and AD replication.

Below are DCs and site Name :
HUB\HUBDC11 (source DC)
HUB\HUBDC12 (Source DC)
SPOKE\SPOKEDC02  (Destination DC)


I have tried to fix this issue in all possible ways but no luck. The abnormal behavior found on the spoke site DC 'SPOKEDC02' is that while trying to access the sysvol share from the source DCs (HUBDC11 and HUBDC12) using \\SPOKEDC02, I get the error "The specified network name is no longer available", but using the IP address of SPOKEDC02 works without any issue.
The HUBDC11 and HUBDC12 sysvol folders can be accessed from SPOKEDC02 without any problem.

As a workaround, if I restart the source DC HUBDC11, the share "\\SPOKEDC02" starts working from HUBDC** and AD replication starts working again, but after some days the issue reoccurs.

What's been tried:

1. Network connectivity is working fine.
2. Port connectivity: able to telnet to TCP 135 and all required domain ports, and vice versa.
3. DNS name resolution is working fine.
The network team claims that there is no issue at the network level and no packet drops.

Your input would be very helpful to isolate the RPC issue. Please share your valuable troubleshooting methods/steps to investigate this issue further.

---------------------------------------------
C:\WINDOWS\system32>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
SPOKE\SPOKEDC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 14cs2af0-8431-4296-b331-a29a5f38cb38
DSA invocationID: 69b9a4ac-b045-4a50-bcb1-6cfe9a2e9852

==== INBOUND NEIGHBORS ======================================

DC=hm,DC=com
    HUB\HUBDC11 via RPC
        DSA object GUID: 283efc59-d704-4cd8-8a66-2b537baabf0e
        Last attempt @ (never) was successful.
    HUB\HUBDC12 via RPC
        DSA object GUID: c4adf97d-6dc8-4bb0-b54a-78a68b884e30
        Last attempt @ 2019-02-26 20:26:06 failed, result 1818 (0x71a):
            The remote procedure call was cancelled.
        19 consecutive failure(s).
        Last success @ 2019-02-26 01:23:56.

CN=Configuration,DC=hm,DC=com
    HUB\HUBDC11 via RPC


ESAE - offline IPSec Certificates


The offline IPSec certificates on our production domain's domain controllers are expiring in the next few weeks. When we deploy the newly generated offline IPSec certificates, do we need to delete the original (soon to be expiring) offline IPSec certificate? What will happen when the current offline certificate expires? Will the OS just start using the new one?

Thank you in advance,

Paul

Migrate AD CS from Server 2012 R2 to Server 2016


Following the steps here to migrate AD CS to a new machine, but when I run the "certutil -catemplates" command I get a bunch of "access is denied" messages in the results. Anyone know why? I'm logged in as Domain Admin...



Shaun

CSV Report of an OU's ADUsers+Membership+ADGroup -Properties Select Description,whenCreated,whenModified


Two scripts generate useful .CSV files, as noted below; I'd prefer to improve the process for use with a PowerBI front end.

Currently the 2 result files require much manual effort to parse/sort in order to provide useful reports that mgmt can utilize to de-provision (based on least privilege principles, revoke) any of their reports' unnecessary access.

Current Scripts: 

1) Obtains ADUsers & ADGroup Membership based on a specific OU, writes to a CSV file; 

2) Given a list of GroupsNames, pulls ADGroup -Properties, selects fields for output: Desc,Created,Modified,Parent_OU;

Ideally speaking, the 1st script could be improved to look at the sum of all groups found, parse out any duplicates, write the results to an array or file, then fire off a second process to get the properties of each group (providing mgmt/staff a more complete picture of their staff's group membership).


Authentication - Monitor for authentications outside of defined site subnet range


Hello all,

I'm trying to optimize my AD Sites and Services subnets, and I was curious if anyone knew if there was some kind of built-in functionality to monitor for authentications that have a source IP address that is outside the defined subnet range for a given site. Note that I'm not asking for authentications from a subnet with no defined site. What I am asking for is how to tell when an IP address in an already-defined subnet in a site authenticates against a Domain Controller in another site. Here is an example:


Consider a domain with 2 sites, Site 1 and Site 2.

Consider Workstation1 with IP address 1.1.1.1 which is located in Site 1 along with DC1. Let's also say that I have the Workstation1 IP address strictly defined in AD Sites and Services, e.g. 1.1.1.1/32 pointed to Site 1.

Consider a similar situation in Site 2, where Workstation2 has IP address 2.2.2.2 and is located in Site 2 along with DC2, and Workstation2 is strictly defined in AD Sites and Services, e.g. 2.2.2.2/32 pointed to Site 2.

Now of course, using DC Locator, Workstation1 and Workstation2 would always be assigned the local DC in their site (unless the link were down and Next Closest Site was used, but assume the links are up).

However, let's consider a scenario where Workstation1 has installed a new application, and the application does not use DC Locator, but instead has LDAP configuration settings that need to be manually set. One of these settings is an LDAP URL to use when performing LDAP queries/authentications against the domain.

Let's say the user did not put in a URL to a Domain Controller, but instead just put in the name of the domain, e.g. ldap://contoso.com:389.

Now, when the application attempts LDAP queries/authentications, it will first attempt to resolve contoso.com to an IP address. Of course, every Domain Controller in a domain registers an A record for the domain name, so the application will rely on DNS to perform its round-robin resolution of contoso.com and consequently return an IP address of one of the Domain Controllers in the domain.

In this case, because of the LDAP manual settings that forced DNS round-robin, the application running on Workstation1 is returned the IP address of DC2 to use in connecting to contoso.com. Of course, DC2 is in a different site than Workstation1, and is not the most optimal DC for Workstation1 to use in this case.


So, I am curious if there is any built-in functionality in Windows (or AD or SCOM or whatever) that can monitor and alert on these kinds of situations, where an authentication attempt is made from an IP address outside of the subnet range for a given site. I could probably write some PS code against a debug-level Netlogon.log file, but I was hoping there was a more “native” way to check for this?
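One way to do this check yourself, as an added example that is not from the post or any Microsoft tooling: load the site-to-subnet table (what AD Sites and Services holds), map each DC to its site, and flag logon records whose client IP resolves (by longest-prefix match, as the DC locator does) to a site other than the one the serving DC belongs to. The subnet table, DC mapping and logon records below are all constructed; the record shape borrows the fields of Security event 4624, but the same comparison works over whatever source you have (Netlogon.log included).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed site-to-subnet table, in the shape AD Sites and Services would
# give (a site may own several prefixes; /32 entries are allowed).
SITE_SUBNETS: Dict[str, List[str]] = {
    "Site1": ["1.1.1.0/24", "1.1.1.1/32"],
    "Site2": ["2.2.2.0/24"],
}
# Constructed DC-to-site mapping (the site whose Servers container holds the DC).
DC_SITES: Dict[str, str] = {"DC1": "Site1", "DC2": "Site2"}

# Constructed logon records modelled on Security event 4624 fields:
# (computer that logged the event, account, "Source Network Address").
SAMPLE_LOGONS: List[Tuple[str, str, str]] = [
    ("DC1", "CONTOSO\\alice", "1.1.1.1"),    # local-site logon: fine
    ("DC2", "CONTOSO\\app-svc", "1.1.1.1"),  # Workstation1 reached DC2 via DNS round-robin
    ("DC2", "CONTOSO\\bob", "2.2.2.2"),      # local-site logon: fine
    ("DC1", "CONTOSO\\carol", "10.9.8.7"),   # IP in no defined subnet: out of scope
    ("DC1", "CONTOSO\\dc1$", "-"),           # local/console logon, no address
]


def site_for_ip(ip: str, site_subnets: Dict[str, List[str]]) -> Optional[str]:
    """Return the site owning the most specific subnet containing ip, or None.
    Longest-prefix match mirrors how overlapping subnets are resolved in AD."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # "-" or other non-address values
    best: Optional[Tuple[int, str]] = None
    for site, prefixes in site_subnets.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, site)
    return best[1] if best else None


def find_cross_site_logons(logons, site_subnets, dc_sites):
    """Return (dc, account, ip, client_site, dc_site) for every logon whose client
    sits in a defined subnet of one site but was served by a DC of another site."""
    findings = []
    for dc, account, ip in logons:
        client_site = site_for_ip(ip, site_subnets)
        dc_site = dc_sites.get(dc)
        if client_site is None or dc_site is None:
            continue  # undefined subnet or unknown DC: not what is being asked
        if client_site != dc_site:
            findings.append((dc, account, ip, client_site, dc_site))
    return findings
```

Running `find_cross_site_logons(SAMPLE_LOGONS, SITE_SUBNETS, DC_SITES)` on the constructed data reports only the app-svc logon from 1.1.1.1 served by DC2, which is exactly the Workstation1/DC2 case described above.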




RSAT not showing under Windows features


Hello

I have a colleague who is experiencing problems with getting the Remote Server Administration Tools in his Windows features. We have followed the installation process for RSAT on Windows 10, and everything goes smoothly. However, after the required restart, Active Directory does not show up when searching for it. When trying to enable RSAT in Windows features, there is no "Remote Server Administration Tools". When searching for a solution, it was suggested to delete the English language package and reinstall it. This did not solve the issue. Active Directory is essential for some work tasks, so we really need to solve it.

Kind regards

Hakan

change username in hybrid environment


Hi

I'd like to ask what the steps are for changing a username in a hybrid environment.

DFSR Private folder huge and doesn't match DFS management console.

We have inherited this DFS situation and neither my coworker nor I has ever used DFS other than for AD. I am seeing all of my user folders in the DFSR\private folder. We had a comms failure at one of the locations and then we saw this. I don't see these folders or their location listed in the DFS Management console, but I do see them in DFSR\Private with TreeSize. Is it safe to delete these folders? I have a good backup of the data. We are also planning on removing DFS for the file servers at our two locations.

Error joining DC as a child to Forest DC | The specified argument 'ChildName' was not recognized


Hi,

I have the following scripts running.

Basically both scripts create files at runtime, and then the servers restart and run the newly created files; however, there is an error when the child DC joins the forest, even though it joins successfully.

Scripts uploaded in the links below as the forum wouldn't allow more than 60000 characters (mine is ~6095).

Forest DC

Child DC

Error (Even though the child DC joins Forest successfully)

At C:\Users\Administrator\Desktop\JoinForest.ps1:9 char:1
+ Install-ADDSDomain -credential $cred -CreateDnsDelegation:$true -Data ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-ADDSDomain], TestFailedException
    + FullyQualifiedErrorId : Test.VerifyDcPromoCore.DCPromo.General.77,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.InstallADDSDomainCommand

Message        : Verification of prerequisites for Domain Controller promotion failed. The specified argument 'ChildName' was not recognized.
Context        : Test.VerifyDcPromoCore.DCPromo.General.77
RebootRequired : False
Status         : Error
Thank You

users effective permissions in AD


Hi, we had a user that had delegated permissions all over Active Directory and I need to find out exactly where she has access.

Is there an easy way to export a user's effective permissions in AD, or a script that I can run?

thx

jason

Migrate domain controllers but keep ip addresses


Hi all,

We want to migrate our domain controllers (Server 2012 R2, DL/FL 2008 R2) to Server 2019 Core, DL/FL 2016, and keep the IP addresses but change the hostnames.

Reason to keep the IP addresses: many devices like printers, scanners and applications have the DNS/LDAP/... IP addresses manually configured to point to the domain controllers.

Current situation :

Domain controllers A and B with IP addresses 1 and 2 (A-1, B-2).
A and B have DHCP in failover mode (load balance), DNS, DFS, and ADDS.
C-3 and D-4 are newly installed Server 2019 Core domain controllers with the same roles, but these domain controllers should have IP addresses 1 and 2 after the migration. This is our plan:

  1. Migrate FSMO roles to C
  2. Create domain controllers C and D with IPs 3 and 4, Server 2019 Core, install all roles but don't authorize DHCP
  3. Demote B as ADDS (DHCP should not work now on B), authorize D as DHCP server, change the DHCP failover replication partner on A to D (DHCP on D should be synced with A now)
  4. Turn off B and remove the NIC
  5. Change the IP address of D to 2 (old B address)
  6. Reboot D and monitor events (DHCP, DNS, ADDS, ...)
  7. Change the DHCP replication partner of D to C
  8. Demote A, turn off
  9. Change the IP address of C to 1 (old A) + reboot
  10. Check health state, monitor events, replication etc.
  11. Raise the functional level to 2016 on domain and forest
  12. Metadata cleanup

Any suggestions?

kind regards


Sites & Services


Hi,

We have a little issue with Sites & Services (or at least I believe we do).

I noticed by chance yesterday that one of our servers over in France was pointing to a server in Romania in order for it to log on using its credentials. I have checked in Sites & Services and established that all the subnets are pointing to the correct range and the setup in Sites & Services is correct, i.e. all remote site servers point to their internal AD server for resolution and to the backup server that the whole of the European estate connects to if there are issues.

Any idea what would be causing a server in Romania to look to France for resolution considering that Sites & Services is setup correctly?

Any help or guidance would be greatly appreciated.

Regards.
