Channel: Directory Services forum

Who enabled or changed DNS scavenging configuration


Hi,

We have had DNS scavenging enabled for some time now and it has been working fine. Last week, someone changed the scavenging Refresh and Non-refresh interval on a zone to 9 hours each and it ended up deleting some crucial records from DNS. Though auditing shows the records got deleted by scavenging, is there a way to check who messed with scavenging?
We have DS Access auditing enabled but there's no log related to this.


AD CS - Restricted enrollment agents issue

Hello, everybody.

Currently I'm struggling to implement something according to these docs.
For simplicity's sake, my test setup is configured with a single enrollment agents group and a single certificate template. My goal is to prevent enrollment agents from issuing certificates to some privileged users. To make that happen I have configured the following two permission entries for restricted enrollment agents:
DOMAIN\Domain Users - Allow
BUILTIN\Administrators - Deny

And what if a particular user is a member (direct or indirect) of BOTH of the above groups? What is the effect of the above restrictions? Will the certificate request be allowed or denied? Common sense suggests that the request should be denied. But in my test environment it is not, which is very confusing. I tried many different combinations of denied/allowed groups and have got contradicting results.

The ultimate question is: what is the definitive way to allow an enrollment agent to request a certificate on behalf of ANY user, EXCEPT members of particular domain security groups (local, global, universal, in this domain, in the whole forest, and including members of BUILTIN\ groups)?
I haven't found any particular guidance in Microsoft documentation or otherwise. It would be great if you could shed some light on this matter.

Thanks in advance.

All workstations on network (Unauthenticated) after authoritative restore.


When you click on the network status icon in the notification area on the taskbar it says: "ddt.edu 2 (Unauthenticated)" and therefore, group policies are not applied to workstations.

I have two Windows 2016 Standard Servers (Version 1607) and 50 Windows 10 Education (Version 1709) workstations. All workstations and servers are x64. It was all working fine except SYSVOL was not replicating. We tried to fix the replication issue by doing an authoritative restore. Afterwards all workstations have Authentication issues. I have not found anything of help on the Internet. Most of the similar authentication problems I’ve found are just for some workstations on the network, not all of them. I have been banging my head against this one for a week. Help!

Workstations can still access shares on server with no problem.

We are in a secure environment with no internet access.

I can ping successfully using either name or IP so DNS and DHCP seem to work fine.

Connectivity under "View your network properties" says "Connected to unknown network" on workstations.

Tried removing workstation from domain then joining it back to domain. Did not get any error messages but after rebooting problem still persists.

Also tried creating a new user, connecting a new computer whose name had never been used before, joining it to the domain and logging in to the network with the new user name. Didn't help.

The primary domain controller/global catalog is called SERVER01

I demoted the second domain controller called SERVER02. Didn't help.

Group policies are not applied. Gpupdate /force returns:

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

When I run repadmin /showreps I get:

      LDAP error 81 (Server Down) Win32 Err 58

Ran nltest /sc_query:server01.ddt.edu

I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

     

Ran Netdom reset EllisZ01 /Domain:ddt.edu /Server:Server01

     Succeeds but doesn't help

Ran netdom resetpwd /server:server01.ddt.edu /UserD:MyUserName /PasswordD:*

      Password resets successfully but doesn’t help.

Ran dcdiag /s:server01 and all tests passed except SystemLog which returned multiple Eventid: 0X0000272C errors and one Eventid: 0x800000003 error:

An error event occurred.  EventID: 0x0000272C

           Time Generated: 02/13/2019   07:29:13

            Event String:

      DCOM was unable to communicate with the computer SERVER02.ddt.edu using any of the configured protocols; requested by PID    2ab0 (C:\Windows\system32\ServerManager.exe).

 An error event occurred. EventID: 0x80000003

           Time Generated: 02/13/2019   07:29:40

           Event String: A Kerberos error message was received:

        An error event occurred.  EventID: 0x0000272C

           Time Generated: 02/13/2019   07:39:13

           Event String:

           DCOM was unable to communicate with the computer SERVER02.ddt.edu using any of the configured protocols; requested by PID    2ab0 (C:\Windows\system32\ServerManager.exe).

Group Policy fails with the following message in the event log of the workstation.

Log Name:     System

Source:       Microsoft-Windows-GroupPolicy

Date:         2/7/2019 8:55:35 AM

Event ID:     1006

Task Category: None

Level:        Error

Keywords:     

User:         DDT\EllisR

Computer:     EllisZ01.ddt.edu

Description:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

    <EventID>1006</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2019-02-07T14:55:35.994342700Z" />

    <EventRecordID>54940</EventRecordID>

    <Correlation ActivityID="{E8639B9C-06D8-49E8-8A85-39C7D6993B6A}" />

    <Execution ProcessID="6212" ThreadID="9680" />

    <Channel>System</Channel>

    <Computer>EllisZ01.ddt.edu</Computer>

    <Security UserID="S-1-5-21-2772296466-3582803739-2678735995-1107" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">1</Data>

    <Data Name="SupportInfo2">6154</Data>

    <Data Name="ProcessingMode">0</Data>

    <Data Name="ProcessingTimeInMilliseconds">890</Data>

    <Data Name="ErrorCode">49</Data>

    <Data Name="ErrorDescription">Invalid Credentials</Data>

    <Data Name="DCName">

    </Data>

  </EventData>

</Event>

The following audit failure is in server event log. There are multiple entries with different client port numbers.

Log Name:     Security

Source:       Microsoft-Windows-Security-Auditing

Date:         2/7/2019 1:35:55 PM

Event ID:     4771

Task Category: Kerberos Authentication Service

Level:        Information

Keywords:     Audit Failure

User:         N/A

Computer:     Server01.ddt.edu

Description:

Kerberos pre-authentication failed.

Account Information:

      Security ID:           DDT\ELLISZ01$

      Account Name:          ELLISZ01$

Service Information:

      Service Name:          krbtgt/ddt.edu

Network Information:

      Client Address:        ::ffff:111.111.111.12

      Client Port:           49878

Additional Information:

      Ticket Options:        0x40810010

      Failure Code:          0x18

      Pre-Authentication Type:     2

Certificate Information:

      Certificate Issuer Name:          

      Certificate Serial Number:  

      Certificate Thumbprint:           

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4771</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>14339</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8010000000000000</Keywords>

    <TimeCreated SystemTime="2019-02-07T19:35:55.282935600Z" />

    <EventRecordID>23631687</EventRecordID>

    <Correlation />

    <Execution ProcessID="720" ThreadID="2184" />

    <Channel>Security</Channel>

    <Computer>Server01.ddt.edu</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="TargetUserName">ELLISZ01$</Data>

    <Data Name="TargetSid">S-1-5-21-2772296466-3582803739-2678735995-6605</Data>

    <Data Name="ServiceName">krbtgt/ddt.edu</Data>

    <Data Name="TicketOptions">0x40810010</Data>

    <Data Name="Status">0x18</Data>

    <Data Name="PreAuthType">2</Data>

    <Data Name="IpAddress">::ffff:111.111.111.12</Data>

    <Data Name="IpPort">49878</Data>

    <Data Name="CertIssuerName">

    </Data>

    <Data Name="CertSerialNumber">

    </Data>

    <Data Name="CertThumbprint">

    </Data>

  </EventData>

</Event>

The following is in the event log of the Domain controller Server01. There are many entries with different Account Names.

      Log Name:      Security

      Source:        Microsoft-Windows-Security-Auditing

      Date:          2/7/2019 1:21:04 PM

      Event ID:      4625

      Task Category: Logon

      Level:         Information

      Keywords:      Audit Failure

      User:          N/A

      Computer:      Server01.ddt.edu

      Description:

      An account failed to log on.

      Subject:

           Security ID:          NULL SID

           Account Name:          -

           Account Domain:        -

           Logon ID:         0x0

      Logon Type:            3

      Account For Which Logon Failed:

           Security ID:          NULL SID

            Account Name:         LARUEZ02$

           Account Domain:        DDT.EDU

      Failure Information:

           Failure Reason:        The user has not been granted the requested logon type at this machine.

           Status:                0xC000015B

           Sub Status:       0x0

      Process Information:

           Caller Process ID:     0x0

           Caller Process Name:   -

      Network Information:

           Workstation Name:-

           Source Network Address:      111.111.111.22

           Source Port:          59243

      Detailed Authentication Information:

           Logon Process:         Kerberos

           Authentication Package:      Kerberos

           Transited Services:    -

           Package Name (NTLM only):    -

           Key Length:       0

      This event is generated when a logon request fails. It is generated on the computer where access was attempted.

      .

      .

      .

      Event Xml:

      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

        <System>

           <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

           <EventID>4625</EventID>

           <Version>0</Version>

           <Level>0</Level>

           <Task>12544</Task>

           <Opcode>0</Opcode>

           <Keywords>0x8010000000000000</Keywords>

           <TimeCreated SystemTime="2019-02-07T19:21:04.284065900Z" />

           <EventRecordID>23628647</EventRecordID>

           <Correlation />

           <Execution ProcessID="720" ThreadID="10656" />

           <Channel>Security</Channel>

           <Computer>Server01.ddt.edu</Computer>

           <Security />

        </System>

        <EventData>

           <Data Name="SubjectUserSid">S-1-0-0</Data>

           <Data Name="SubjectUserName">-</Data>

           <Data Name="SubjectDomainName">-</Data>

           <Data Name="SubjectLogonId">0x0</Data>

           <Data Name="TargetUserSid">S-1-0-0</Data>

           <Data Name="TargetUserName">LARUEZ02$</Data>

           <Data Name="TargetDomainName">DDT.EDU</Data>

           <Data Name="Status">0xc000015b</Data>

           <Data Name="FailureReason">%%2308</Data>

           <Data Name="SubStatus">0x0</Data>

           <Data Name="LogonType">3</Data>

           <Data Name="LogonProcessName">Kerberos</Data>

           <Data Name="AuthenticationPackageName">Kerberos</Data>

           <Data Name="WorkstationName">-</Data>

           <Data Name="TransmittedServices">-</Data>

           <Data Name="LmPackageName">-</Data>

           <Data Name="KeyLength">0</Data>

           <Data Name="ProcessId">0x0</Data>

           <Data Name="ProcessName">-</Data>

           <Data Name="IpAddress">111.111.111.22</Data>

           <Data Name="IpPort">59243</Data>

        </EventData>

      </Event>

Also in server event log

Log Name:     Security

Source:       Microsoft-Windows-Security-Auditing

Date:         2/7/2019 1:38:55 PM

Event ID:     4776

Task Category: Credential Validation

Level:        Information

Keywords:     Audit Failure

User:         N/A

Computer:     Server01.ddt.edu

Description:

The computer attempted to validate the credentials for an account.

Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Account:   ELLISZ01$

Source Workstation:   ELLISZ01

Error Code:0xC000006A

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4776</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>14336</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8010000000000000</Keywords>

    <TimeCreated SystemTime="2019-02-07T19:38:55.434802400Z" />

    <EventRecordID>23632339</EventRecordID>

    <Correlation />

    <Execution ProcessID="720" ThreadID="10656" />

    <Channel>Security</Channel>

    <Computer>Server01.ddt.edu</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>

    <Data Name="TargetUserName">ELLISZ01$</Data>

    <Data Name="Workstation">ELLISZ01</Data>

    <Data Name="Status">0xc000006a</Data>

  </EventData>

</Event>

DFSR Private folder huge and doesn't match DFS management console.

We have inherited this DFS situation and neither my coworker nor I have ever used DFS other than for AD. I am showing all of my user folders in the DFSR\Private folder. We had a comm failure at one of the locations and then we saw this. I don't see these folders or their location listed in the DFS Management console, but I do show them in DFSR\Private with TreeSize. Is it safe to delete these folders? I have a good backup of the data. We are also planning on removing DFS for the file servers at our two locations.

CSV Report of an OU's ADUsers+Membership+ADGroup -Properties Select Description,whenCreated,whenModified


Two scripts generate useful .CSV files, as noted below. I'd prefer to improve the process for use with a Power BI front end.

Currently the 2 result files require much manual effort to parse/sort in order to provide useful reports that management can use to de-provision (based on least privilege principles, revoke) any of their reports' unnecessary access.

Current Scripts: 

1) Obtains ADUsers & ADGroup Membership based on a specific OU, writes to a CSV file; 

2) Given a list of GroupsNames, pulls ADGroup -Properties, selects fields for output: Desc,Created,Modified,Parent_OU;

Ideally speaking, the 1st script could be improved to look at the sum of all groups found, parse any duplicates, write results to an array or file then fire off a second process to get properties of each group (Provide Mgmt / Staff a more complete picture of their staff's group membership).  
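The combined process described above, as an added example (not the poster's scripts): users of one OU are joined to their groups and to each group's Description, whenCreated, whenModified and parent OU in a single pass, so one flat CSV goes to Power BI. The users, groups, the OU `OU=Finance,DC=contoso,DC=com` and the output path are constructed placeholders; the commented Get-AD* calls show where live data comes from.

```powershell
# Added example, not the poster's scripts. Sample users/groups are constructed so the logic runs offline.

function Get-ParentOU {
    param([string]$DistinguishedName)
    # Drop the leading RDN. The lookbehind keeps a backslash-escaped comma (CN=Doe\, Jane,...) inside the RDN.
    $parts = $DistinguishedName -split '(?<!\\),', 2
    if ($parts.Count -eq 2) { return $parts[1] } else { return '' }
}

function Get-UniqueGroupDn {
    param([object[]]$Users)
    # Every group any user in the OU belongs to, deduplicated once (the "sum of all groups" in the post)
    return @($Users | ForEach-Object { $_.MemberOf } | Sort-Object -Unique)
}

function New-MembershipReport {
    param([object[]]$Users, [hashtable]$GroupsByDn)   # GroupsByDn: group DN -> group object
    foreach ($u in $Users) {
        foreach ($dn in $u.MemberOf) {
            $g = $GroupsByDn[$dn]
            [pscustomobject]@{
                User             = $u.SamAccountName
                UserOU           = Get-ParentOU $u.DistinguishedName
                Group            = if ($g) { $g.Name } else { "(not found) $dn" }
                GroupDescription = if ($g) { $g.Description } else { $null }
                GroupCreated     = if ($g) { $g.whenCreated } else { $null }
                GroupModified    = if ($g) { $g.whenModified } else { $null }
                GroupOU          = Get-ParentOU $dn
            }
        }
    }
}

# --- constructed sample data, standing in for Get-ADUser / Get-ADGroup output ---
$Users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; DistinguishedName = 'CN=Doe\, Jane,OU=Finance,DC=contoso,DC=com'; MemberOf = @('CN=FIN-Payroll-RW,OU=Groups,DC=contoso,DC=com', 'CN=VPN-Users,OU=Groups,DC=contoso,DC=com') },
    [pscustomobject]@{ SamAccountName = 'rroe'; DistinguishedName = 'CN=rroe,OU=Finance,DC=contoso,DC=com'; MemberOf = @('CN=VPN-Users,OU=Groups,DC=contoso,DC=com') }
)
$GroupsByDn = @{
    'CN=FIN-Payroll-RW,OU=Groups,DC=contoso,DC=com' = [pscustomobject]@{ Name = 'FIN-Payroll-RW'; Description = 'Write access to payroll share'; whenCreated = [datetime]'2015-03-02'; whenModified = [datetime]'2019-01-14' }
    'CN=VPN-Users,OU=Groups,DC=contoso,DC=com'      = [pscustomobject]@{ Name = 'VPN-Users'; Description = 'Remote access'; whenCreated = [datetime]'2012-06-10'; whenModified = [datetime]'2018-11-30' }
}

# Live equivalent (not run here):
# $Users = Get-ADUser -Filter * -SearchBase 'OU=Finance,DC=contoso,DC=com' -Properties MemberOf
# $GroupsByDn = @{}
# foreach ($dn in Get-UniqueGroupDn $Users) {
#     $GroupsByDn[$dn] = Get-ADGroup -Identity $dn -Properties Description, whenCreated, whenModified
# }

New-MembershipReport -Users $Users -GroupsByDn $GroupsByDn |
    Sort-Object Group, User |
    Format-Table -AutoSize
# For Power BI, replace Format-Table with: Export-Csv -NoTypeInformation -Path 'C:\Reports\finance-membership.csv'
```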

 

RSAT not showing under Windows features


Hello

I have a colleague who is experiencing problems with getting the Remote Server Administration Tools in his Windows features. We have followed the installation process for RSAT on Windows 10, and everything goes smoothly. However, after the required restart, Active Directory does not show up when searching for it. When trying to enable RSAT in Windows Features, there is no "Remote Server Administration Tools". When searching for a solution, it was suggested to delete the English language package and reinstall it. This did not solve the issue. Active Directory is essential for some work tasks, so we really need to solve it.

Kind regards

Hakan

change username in hybrid environment


Hi

I'd like to ask what the steps are for changing a username in a hybrid environment.

admt error updating already migrated user passwords


hi

We are preparing an ADMT migration at the moment (Server 2012 R2). All user accounts are pre-migrated and mail-enabled, and the initial password sync 6 months ago went fine...

Now we want to do the final password sync before we start the migration, but we get errors on all users that changed their password since the initial sync...

2019-02-25 11:57:55 ERR2:7084 Failed to set strong password for CN=xxxxx.  The specified network password is not correct.

Password policies are the same in the source and target forest. This only occurs on accounts that already had a password migrated in the initial sync 6 months ago; for new users the password is migrated without any error.

regards 

harald


Netbios help! Server 2008


Hello All, this is my first post and it's a good one!


NetBIOS over TCP/IP has been disabled in my work environment. We are strictly DNS.

I've been troubleshooting a domain trust issue with another company and was told NetBIOS was the reason. Out of curiosity, I enabled NetBIOS on my 4 DCs. I rebooted 2 DCs, 1 of which is a Global Catalog and the other is the Primary DNS.


Once they rebooted all my users could no longer use anything that is AD integrated. I couldn't even log into the DC's because it kept telling me bad password.


My coworker was able to somehow get into the Primary DNS DC and we disabled NetBIOS. From there things got back to normal.


Of course I'm freaked out because I don't understand how that could have broken DNS and AD!


Can someone shed some light on what might have happened?

Error joining DC as a child to Forest DC | The specified argument 'ChildName' was not recognized


Hi,

I have the following scripts running.

Basically both scripts create files at runtime, and then the servers restart and run the newly created files, however there is an error when the child DC joins the forest, even though it joins successfully.

Scripts uploaded in the links below as the forum wouldn't allow more than 60000 characters (mine is ~6095)

Forest DC

Child DC

Error (Even though the child DC joins Forest successfully)

At C:\Users\Administrator\Desktop\JoinForest.ps1:9 char:1
+ Install-ADDSDomain -credential $cred -CreateDnsDelegation:$true -Data ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-ADDSDomain], TestFailedException
    + FullyQualifiedErrorId : Test.VerifyDcPromoCore.DCPromo.General.77,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.InstallADDSDomainCommand

Message        : Verification of prerequisites for Domain Controller promotion failed. The specified argument 'ChildName' was not recognized.

Context        : Test.VerifyDcPromoCore.DCPromo.General.77
RebootRequired : False
Status         : Error
Thank You

users effective permissions in AD


Hi, we had a user that had delegated permissions all over Active Directory and I need to find out exactly where she has access.

Is there an easy way to export a user's effective permissions in AD, or a script that I can run?

thx

jason

Migrate domain controllers but keep ip addresses


Hi all,

We want to migrate our domain controllers (server 2012R2 / DL/FL 2008R2) to server 2019 core DL/FL 2016 and keep the ip addresses but change hostnames.

Reason to keep ip addresses : many devices like printers, scanners, applications have the dns/ldap/... ip addresses manually configured to point to the domain controllers.

Current situation :

Domain controllers A and B with ip address 1 and 2 (A-1, B-2)
A and B have DHCP in failover mode (load balance), DNS, DFS, and ADDS.
C-3 and D-4 are newly installed Server 2019 Core domain controllers with the same roles, but these domain controllers should have IP addresses 1 and 2 after the migration. This is our plan:

  1. migrate fsmo roles to C
  2. Create domain controllers C and D with IPs 3 and 4, Server 2019 Core, install all roles but don't authorize DHCP
  3. Demote B as ADDS (dhcp should not work now on B), authorize D as dhcp server, change dhcp failover replication partner on A to D (DHCP D should be synced with A now)
  4. Turn off B and remove NIC
  5. Change ip address D to 2 (old B address)
  6. Reboot D and monitor events (DHCP, DNS, ADDS, ...)
  7. Change DHCP replication partner D to C
  8. Demote A, turn off
  9. Change ip address C to 1 (old A ) + reboot
  10. check health state, monitor events, replication etc ...
  11. raise functional level to 2016 on domain, forest
  12. metadata cleanup

Any suggestions ?

kind regards

Sites & Services


Hi,

We have a little issue with Sites & Services (or at least I believe we do).

I noticed by chance yesterday that one of our servers over in France was pointing to a server in Romania in order for it to log on using its credentials. I have checked in Sites & Services and established that all the subnets are pointing to the correct range and the setup in Sites & Services is correct, i.e. all remote site servers point to their internal AD server for resolution and to the backup server that the whole of the European estate connects to if there are issues.

Any idea what would be causing a server in Romania to look to France for resolution considering that Sites & Services is setup correctly?

Any help or guidance would be greatly appreciated.

Regards.

Migrate AD CS from Server 2012 R2 to Server 2016


Following the steps here to migrate AD CS to a new machine, but when I run the "certutil -catemplates" command I get a bunch of "access is denied" messages in the results. Anyone know why? I'm logged in as Domain Admin...



Shaun

ADDC Replication failed with The remote procedure call failed \ Cancelled.


Hi All,

We have a multi-master AD environment running on Windows 2012. Recently we are facing an AD replication issue on a domain controller located in a spoke site, getting an RPC failed error in dcdiag and AD replication.

Below are DCs and site Name :
HUB\HUBDC11 (source DC)
HUB\HUBDC12 (Source DC)
SPOKE\SPOKEDC02  (Destination DC)


I have tried to fix this issue in all possible ways but no luck. The abnormal behavior found on the spoke site DC SPOKEDC02 is that when trying to access the SYSVOL share from the source DCs (HUBDC11 and HUBDC12) using \\SPOKEDC02 I get the error "The specified network name is no longer available", but using the IP address of SPOKEDC02 works without any issue.
The HUBDC11 and HUBDC12 SYSVOL folders can be accessed from SPOKEDC02 without any problem.

As a workaround, if I restart the source DC HUBDC11, the share \\SPOKEDC02 starts working from HUBDC** and AD replication starts working, but after some days the issue starts reoccurring.

What's been tried :

1. Network connectivity working fine
2. Port connectivity: able to telnet TCP 135 and all required domain ports, and vice versa.
3. DNS name resolution working fine
The network team claims that there is no issue at the network level and no packet drops.

Your input would be very helpful to isolate the RPC issue. Please share your valuable troubleshooting methods/steps to investigate this issue further.

---------------------------------------------
C:\WINDOWS\system32>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
SPOKE\SPOKEDC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 14cs2af0-8431-4296-b331-a29a5f38cb38
DSA invocationID: 69b9a4ac-b045-4a50-bcb1-6cfe9a2e9852

==== INBOUND NEIGHBORS ======================================

DC=hm,DC=com
    HUB\HUBDC11 via RPC
        DSA object GUID: 283efc59-d704-4cd8-8a66-2b537baabf0e
        Last attempt @ (never) was successful.
    HUB\HUBDC12 via RPC
        DSA object GUID: c4adf97d-6dc8-4bb0-b54a-78a68b884e30
        Last attempt @ 2019-02-26 20:26:06 failed, result 1818 (0x71a):
            The remote procedure call was cancelled.
        19 consecutive failure(s).
        Last success @ 2019-02-26 01:23:56.

CN=Configuration,DC=hm,DC=com
    HUB\HUBDC11 via RPC


We have found Event ID Error ( Event ID 5722 Netlogon , Event ID 29 Key Distribution Center, Event ID Distributed COM 100016) in bulk

We have found these event IDs in bulk in the domain controller System log. Please help me to close or remove these event IDs.

Netlogon Error 5719 and 5783


Hi,

I am getting the below Netlogon errors on some servers and the application services are getting restarted on those servers.

Netlogon error 5719
This computer was not able to set up a secure session with a domain controller in domain due to the following: 
The remote procedure call was cancelled. 
5783
The session setup to the Windows NT or Windows 2000 Domain Controller \\domain.com for the domain  is not responsive.  The current RPC call from Netlogon on \\machinename to \\domain.com has been cancelled.

When I checked the domain controller (PDC role) I can see the below error 5805 in Event Viewer stating

 "The session setup from the computer MachineName failed to authenticate. The following error occurred: Access is denied."

This started happening only recently, and the replication between domain controllers is working fine, showing no errors.

Could anyone please help.

Regards

Anu

Authentication - Monitor for authentications outside of defined site subnet range


Hello all,

I'm trying to optimize my AD Sites and Services subnets, and I was curious if anyone knew if there was some kind of built-in functionality to monitor for authentications that have a source IP address that is outside the defined subnet range for a given site. Note that I'm not asking for authentications from a subnet with no defined site. What I am asking for is how to tell when an IP address in an already-defined subnet in a site authenticates against a Domain Controller in another site. Here is an example:


Consider a domain with 2 sites, Site 1 and Site 2.

Consider Workstation1 with IP address 1.1.1.1 which is located in Site 1 along with DC1. Let's also say that I have the Workstation1 IP address strictly defined in AD Sites and Services, e.g. 1.1.1.1/32 pointed to Site 1.

Consider a similar situation in Site 2, where Workstation2 has IP address 2.2.2.2 and is located in Site 2 along with DC2, and Workstation2 is strictly defined in AD Sites and Services, e.g. 2.2.2.2/32 pointed to Site 2.

Now of course, using DC Locator, Workstation1 and Workstation2 would always be assigned the local DC in their site (unless the link were down and Next Closest Site was used, but assume the links are up).

However, let's consider a scenario where Workstation1 has installed a new application, and the application does not use DC Locator, but instead has LDAP configuration settings that need to be manually set. One of these settings is an LDAP URL to use when performing LDAP queries/authentications against the domain.

Let’s say the user did not put in a URL to a Domain Controller, but instead just puts in the name of the domain, e.g. ldap://contoso.com:389.

Now, when the application attempts LDAP queries/authentications, it will first attempt to resolve contoso.com to an IP address. Of course, every Domain Controller in a domain registers an A record for the domain name, so the application will rely on DNS to perform its round-robin resolution of contoso.com and consequently return an IP address of one of the Domain Controllers in the domain.

In this case, because of the LDAP manual settings that forced DNS round-robin, the application running on Workstation1 is returned the IP address of DC2 to use in connecting to contoso.com. Of course, DC2 is in a different site than Workstation1, and is not the most optimal DC for Workstation1 to use in this case.


So, I am curious if there is any built-in functionality in Windows (or AD or SCOM or whatever) that can monitor and alert on these kinds of situations, where an authentication attempt is made from an IP address outside of the subnet range for a given site. I could probably write some PS code against a debug-level Netlogon.log file, but I was hoping there was a more “native” way to check for this?
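The check described in this post, as an added example (not the poster's code): a PowerShell script that maps each authentication event's client address to its AD site by longest-prefix subnet match and flags events serviced by a DC in a different site, ignoring addresses with no defined subnet, as the post asks. The subnet table, DC-to-site map and sample events are constructed (Site1/Site2, DC1/DC2 and contoso.com follow the post's example) so it runs offline; comments show the live Get-ADReplicationSubnet / Get-WinEvent sources.

```powershell
# Added example, not from the forum post. All data below is constructed.

function ConvertTo-AddressNumber {
    param([string]$Address)
    # 4768/4771/4624 report IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip that prefix first.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse(($Address -replace '^::ffff:', ''), [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }  # IPv6 not handled here
    $b = $ip.GetAddressBytes()
    return ([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3]
}

function Test-InSubnet {
    param([string]$Address, [string]$Cidr)
    $parts = $Cidr -split '/'
    if ($parts.Count -ne 2) { return $false }
    $addr = ConvertTo-AddressNumber $Address
    $net  = ConvertTo-AddressNumber $parts[0]
    if ($null -eq $addr -or $null -eq $net) { return $false }
    # Mask built in 64-bit arithmetic so /0 and /32 neither overflow nor go negative
    $all32 = [uint64]4294967295
    $mask  = ($all32 -shl (32 - [int]$parts[1])) -band $all32
    return (($addr -band $mask) -eq ($net -band $mask))
}

function Get-SiteForAddress {
    param([string]$Address, [hashtable]$SiteSubnets)   # keys: CIDR, values: site name
    $bestSite = $null; $bestLen = -1
    foreach ($cidr in $SiteSubnets.Keys) {
        $len = [int]($cidr -split '/')[1]
        # Most specific subnet wins, which is also how AD assigns a host to a site
        if ($len -gt $bestLen -and (Test-InSubnet -Address $Address -Cidr $cidr)) {
            $bestSite = $SiteSubnets[$cidr]; $bestLen = $len
        }
    }
    return $bestSite
}

function Find-CrossSiteAuthentication {
    param([object[]]$Events, [hashtable]$SiteSubnets, [hashtable]$DcSites)
    foreach ($e in $Events) {
        $clientSite = Get-SiteForAddress -Address $e.IpAddress -SiteSubnets $SiteSubnets
        if ($null -eq $clientSite) { continue }   # no subnet defined: out of scope, as the post says
        $dcSite = $DcSites[$e.Computer]
        if ($clientSite -ne $dcSite) {
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                EventId       = $e.Id
                Account       = $e.TargetUserName
                ClientAddress = $e.IpAddress
                ClientSite    = $clientSite
                DC            = $e.Computer
                DcSite        = $dcSite
            }
        }
    }
}

# --- constructed site/subnet table, DC map and sample events ---
# Live: Get-ADReplicationSubnet -Filter * gives Name (CIDR) and Site (a DN to turn into a name).
$SiteSubnets = @{ '1.1.1.1/32' = 'Site1'; '2.2.2.2/32' = 'Site2'; '10.20.0.0/16' = 'Site2' }
$DcSites     = @{ 'DC1.contoso.com' = 'Site1'; 'DC2.contoso.com' = 'Site2' }

# Live: Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4768 or EventID=4771 or EventID=4624]]',
# reading TargetUserName/IpAddress from ([xml]$_.ToXml()).Event.EventData.Data as in the 4771 XML quoted above.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2019-02-07T14:01:10Z'; Id = 4768; TargetUserName = 'user1'; IpAddress = '::ffff:1.1.1.1'; Computer = 'DC1.contoso.com' },
    [pscustomobject]@{ TimeCreated = '2019-02-07T14:02:33Z'; Id = 4624; TargetUserName = 'svc-ldapapp'; IpAddress = '1.1.1.1'; Computer = 'DC2.contoso.com' },  # the post's scenario
    [pscustomobject]@{ TimeCreated = '2019-02-07T14:03:05Z'; Id = 4771; TargetUserName = 'WS7$'; IpAddress = '::ffff:10.20.5.9'; Computer = 'DC2.contoso.com' },
    [pscustomobject]@{ TimeCreated = '2019-02-07T14:04:47Z'; Id = 4768; TargetUserName = 'laptop$'; IpAddress = '::ffff:192.168.99.1'; Computer = 'DC2.contoso.com' }  # no subnet: skipped
)

Find-CrossSiteAuthentication -Events $SampleEvents -SiteSubnets $SiteSubnets -DcSites $DcSites | Format-Table -AutoSize
```

Only the svc-ldapapp row is reported: its address belongs to Site1's 1.1.1.1/32 but the logon was handled by DC2 in Site2.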




ESAE - offline IPSec Certificates


The offline IPSec certificates on our production domain, domain controllers are expiring in the next few weeks.  When we deploy the newly generated offline IPSec certificates, do we need to delete the original (soon to be expiring) offline IPSec certificate?  What will happen when the current offline certificate expires?  Will the OS just start using the new one?

Thank you in advance,

Paul

User can edit object on RODC server


I newly installed an RODC, then assigned it to UserA.

This RODC does not have DNS and GC enabled.

When I access the RODC as UserA, in ADUC I can change the DC to an RWDC, and then UserA can modify "member of".

If ADUC connects to the RODC, any user is read-only.

I need to allow UserA access to the RODC only.

How can I disable changing the DC in ADUC for UserA, or disable the permission to modify "member of"?
