Hi,
Can anyone assist me with the following questions?
What type of hashing algorithm does a Windows 2016 DC use for passwords?
Are salts added to the hashing algorithm?
Please advise.
Hey guys, so I have 2 DCs in two different premises, and Sites and Services has been configured. My issue is that DC2, which is in the new premises, is not replicating with DC1; however, DC1 can replicate with DC2.
For the moment, while I am setting up a site-to-site VPN connection, DC2 has been maintaining its connection with a direct VPN connection using RRAS, which is installed on DC2. DC1 has a VPN server on the same network, which is what DC2 is connecting to.
I have tried to:
Here is the repadmin /replsum from DC1:
    Beginning data collection for replication summary, this may take awhile:
      ......

    Source DSA          largest delta    fails/total %%   error
     DC2                 17h:29m:52s    5 /   5  100  (1722) The RPC server is unavailable.
     DC1                     44m:53s    0 /   5    0

    Destination DSA     largest delta    fails/total %%   error
     DC1                     48m:16s    0 /   5    0

    Experienced the following operational errors trying to retrieve replication information:
              58 - DC1.domain.name
And the repadmin /replsum from DC2
    Beginning data collection for replication summary, this may take awhile:
      ......

    Source DSA          largest delta    fails/total %%   error
     DC2                 17h:29m:37s    5 /   5  100  (1722) The RPC server is unavailable.
     DC1                     44m:38s    0 /  10    0

    Destination DSA     largest delta    fails/total %%   error
     DC2                     05m:28s    0 /   5    0
     DC1                     48m:01s    0 /   5    0
Here is the dcdiag I ran on DC2; I renamed the IP addresses for security reasons. The IP address of DC2 via the VPN is 192.168.150.102 (which is correct).
Directory Server Diagnosis Performing initial setup: Trying to find home server... * Verifying that the name machine DC2, is a Directory Server. Home Server = DC2 * Connecting to directory service on server DC2. * Identified AD Forest. Collecting AD specific global data * Collecting site info. Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=name,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),....... The previous call succeeded Iterating through the sites Looking at base site object: CN=NTDS Site Settings,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=name Getting ISTG and options for the site Looking at base site object: CN=NTDS Site Settings,CN=Azure,CN=Sites,CN=Configuration,DC=domain,DC=name Getting ISTG and options for the site * Identifying all servers. Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=name,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),....... The previous call succeeded.... The previous call succeeded Iterating through the list of servers Getting information for the server CN=NTDS Settings,CN=DC1,CN=Servers,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=name objectGuid obtained InvocationID obtained dnsHostname obtained site info obtained All the info for the server collected Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=name objectGuid obtained InvocationID obtained dnsHostname obtained site info obtained All the info for the server collected Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=domain,DC=name objectGuid obtained InvocationID obtained dnsHostname obtained site info obtained All the info for the server collected * Identifying all NC cross-refs. * Found 3 DC(s). Testing 1 of them. Done gathering initial info. 
Doing initial required tests Testing server: Azure\DC2 Starting test: Connectivity * Active Directory LDAP Services Check Determining IP4 connectivity * Active Directory RPC Services Check ......................... DC2 passed test Connectivity Doing primary tests Testing server: Azure\DC2 Starting test: Advertising The DC DC2 is advertising itself as a DC and having a DS. The DC DC2 is advertising as an LDAP server The DC DC2 is advertising as having a writeable directory The DC DC2 is advertising as a Key Distribution Center The DC DC2 is advertising as a time server The DS DC2 is advertising as a GC. ......................... DC2 passed test Advertising Test omitted by user request: CheckSecurityError Test omitted by user request: CutoffServers Starting test: FrsEvent * The File Replication Service Event log test Skip the test because the server is running DFSR. ......................... DC2 passed test FrsEvent Starting test: DFSREvent The DFS Replication Event Log. There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems. A warning event occurred. EventID: 0x80001396 Time Generated: 05/02/2019 18:00:17 Event String: The DFS Replication service is stopping communication with partner DC1 for replication group Domain System Volume due to an error. The service will retry the connection periodically. Additional Information: Error: 9033 (The request was cancelled by a shutdown) Connection ID: BEDBD793-C8C4-4F1F-806F-32228AA3A0F7 Replication Group ID: 0F12F395-44D4-46E5-965D-9116E698ADCA An error event occurred. EventID: 0xC00004B2 Time Generated: 05/02/2019 23:16:14 Event String: The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. 
This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues. Additional Information: Error: 160 (One or more arguments are not correct.) ......................... DC2 failed test DFSREvent Starting test: SysVolCheck * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... DC2 passed test SysVolCheck Starting test: KccEvent * The KCC Event log test A warning event occurred. EventID: 0x80000603 Time Generated: 05/02/2019 23:15:49 Event String: Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk. Hard disk: c: Data might be lost during system failures. A warning event occurred. EventID: 0x80000B46 Time Generated: 05/02/2019 23:16:03 Event String: The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. Found no KCC errors in "Directory Service" Event log in the last 15 minutes. ......................... DC2 passed test KccEvent Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=name Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=name Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=name Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=name Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=name ......................... DC2 passed test KnowsOfRoleHolders Starting test: MachineAccount Checking machine account for DC DC2 on DC DC2. * SPN found :LDAP/DC2.domain.name/domain.name * SPN found :LDAP/DC2.domain.name * SPN found :LDAP/DC2 * SPN found :LDAP/DC2.domain.name/domain * SPN found :LDAP/667ee68c-1989-4600-aa36-748bb511d512._msdcs.domain.name * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/667ee68c-1989-4600-aa36-748bb511d512/domain.name * SPN found :HOST/DC2.domain.name/domain.name * SPN found :HOST/DC2.domain.name * SPN found :HOST/DC2 * SPN found :HOST/DC2.domain.name/domain * SPN found :GC/DC2.domain.name/domain.name ......................... DC2 passed test MachineAccount Starting test: NCSecDesc * Security Permissions check for all NC's on DC DC2. 
* Security Permissions Check for DC=ForestDnsZones,DC=domain,DC=name (NDNC,Version 3) * Security Permissions Check for DC=DomainDnsZones,DC=domain,DC=name (NDNC,Version 3) * Security Permissions Check for CN=Schema,CN=Configuration,DC=domain,DC=name (Schema,Version 3) * Security Permissions Check for CN=Configuration,DC=domain,DC=name (Configuration,Version 3) * Security Permissions Check for DC=domain,DC=name (Domain,Version 3) ......................... DC2 passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\DC2\netlogon Verified share \\DC2\sysvol ......................... DC2 passed test NetLogons Starting test: ObjectsReplicated DC2 is in domain DC=domain,DC=name Checking for CN=DC2,OU=Domain Controllers,DC=domain,DC=name in domain DC=domain,DC=name on 1 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=DC2,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=domain,DC=name in domain CN=Configuration,DC=domain,DC=name on 1 servers Object is up-to-date on all servers. ......................... DC2 passed test ObjectsReplicated Test omitted by user request: OutboundSecureChannels Starting test: Replications * Replications Check * Replication Latency Check DC=ForestDnsZones,DC=domain,DC=name Latency information for 8 entries in the vector were ignored. 8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=domain,DC=name Latency information for 8 entries in the vector were ignored. 8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=domain,DC=name Latency information for 8 entries in the vector were ignored. 8 were retired Invocations. 
0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=domain,DC=name Latency information for 8 entries in the vector were ignored. 8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=domain,DC=name Latency information for 8 entries in the vector were ignored. 8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). ......................... DC2 passed test Replications Starting test: RidManager * Available RID Pool for the Domain is 6603 to 1073741823 * DC1.domain.name is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 6103 to 6602 * rIDPreviousAllocationPool is 6103 to 6602 * rIDNextRID: 6124 ......................... DC2 passed test RidManager Starting test: Services * Checking Service: EventSystem * Checking Service: RpcSs * Checking Service: NTDS * Checking Service: DnsCache * Checking Service: DFSR * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: w32time * Checking Service: NETLOGON ......................... DC2 passed test Services Starting test: SystemLog * The System Event log test A warning event occurred. EventID: 0x00001696 Time Generated: 05/02/2019 23:15:07 Event String: Dynamic registration or deregistration of one or more DNS records failed with the following error: No DNS servers configured for name system. A warning event occurred. EventID: 0x00000081 Time Generated: 05/02/2019 23:15:08 Event String: NtpClient was unable to set a domain peer to use as a time source because of discovery error. 
NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1) A warning event occurred. EventID: 0x000727A5 Time Generated: 05/02/2019 23:15:13 Event String: The WinRM service is not listening for WS-Management requests. User Action If you did not intentionally stop the service, use the following command to see the WinRM configuration: winrm enumerate winrm/config/listener A warning event occurred. EventID: 0x000003F6 Time Generated: 05/02/2019 23:15:14 Event String: Name resolution for the name wpad timed out after none of the configured DNS servers responded. A warning event occurred. EventID: 0x80040020 Time Generated: 05/02/2019 23:15:49 Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur. A warning event occurred. EventID: 0x80040020 Time Generated: 05/02/2019 23:15:49 Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur. A warning event occurred. EventID: 0x80040020 Time Generated: 05/02/2019 23:15:49 Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur. A warning event occurred. EventID: 0x00000C18 Time Generated: 05/02/2019 23:16:08 Event String: The primary Domain Controller for this domain could not be located. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). 
The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. 
An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. 
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). 
The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. 
An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. 
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. An error event occurred. EventID: 0xC0001B7E Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service was unable to log on as domain\AAD_syncuser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). An error event occurred. EventID: 0xC0001B77 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service terminated unexpectedly. It has done this 1 time(s). 
The following corrective action will be taken in 0 milliseconds: Restart the service. An error event occurred. EventID: 0xC0001B58 Time Generated: 05/02/2019 23:16:08 Event String: The ADSync service failed to start due to the following error: The service did not start due to a logon failure. A warning event occurred. EventID: 0x00000081 Time Generated: 05/02/2019 23:16:09 Event String: NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1) A warning event occurred. EventID: 0x000727AA Time Generated: 05/02/2019 23:16:10 Event String: The WinRM service failed to create the following SPNs: WSMAN/DC2.domain.name; WSMAN/DC2. Additional Data The error received was 1355: %%1355. User Action The SPNs can be created by an administrator using setspn.exe utility. A warning event occurred. EventID: 0x00000081 Time Generated: 05/02/2019 23:16:10 Event String: NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1) An error event occurred. EventID: 0x00002710 Time Generated: 05/02/2019 23:16:12 Event String: Unable to start a DCOM Server: {9C38ED61-D565-4728-AEEE-C80952F0ECDE}. The error: "0" Happened while starting this command: C:\windows\System32\vdsldr.exe -Embedding A warning event occurred. EventID: 0x00000081 Time Generated: 05/02/2019 23:16:17 Event String: NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1) A warning event occurred. 
EventID: 0x000016AA
Time Generated: 05/02/2019 23:16:33
Event String: None of the IP addresses (192.168.150.102) of this Domain Controller map to the configured site 'Azure'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP address of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above list of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such that the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range includes the above IP address) which maps to the selected site object.
A warning event occurred.
EventID: 0x00001796
Time Generated: 05/02/2019 23:16:43
Event String: Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server. NTLM is a weaker authentication mechanism. Please check: Which applications are using NTLM authentication? Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication? If NTLM must be supported, is Extended Protection configured? Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
An error event occurred.
EventID: 0xC0001B81
Time Generated: 05/02/2019 23:18:41
Event String: The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID
This service account does not have the required user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use name Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster. If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
An error event occurred.
EventID: 0xC0001B58
Time Generated: 05/02/2019 23:18:41
Event String: The Windows Internal Database service failed to start due to the following error: The service did not start due to a logon failure.
An error event occurred.
EventID: 0xC0001B59
Time Generated: 05/02/2019 23:18:41
Event String: The Remote Access Management service service depends on the Windows Internal Database service which failed to start because of the following error: The service did not start due to a logon failure.
......................... DC2 failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=DC2,OU=Domain Controllers,DC=domain,DC=name and backlink on CN=DC2,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=domain,DC=name are correct.
The system object reference (serverReferenceBL) CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=name and backlink on CN=NTDS Settings,CN=DC2,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=domain,DC=name are correct.
The system object reference (msDFSR-ComputerReferenceBL) CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=name and backlink on CN=DC2,OU=Domain Controllers,DC=domain,DC=name are correct.
......................... DC2 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : domain
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Running enterprise tests on : domain.name
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\DC2.domain.name
Locator Flags: 0xe001f1fc
PDC Name: \\DC1.domain.name
Locator Flags: 0xe00071fd
Time Server Name: \\DC2.domain.name
Locator Flags: 0xe001f1fc
Preferred Time Server Name: \\DC2.domain.name
Locator Flags: 0xe001f1fc
KDC Name: \\DC2.domain.name
Locator Flags: 0xe001f1fc
......................... domain.name passed test LocatorCheck
Starting test: Intersite
Skipping site SITE, this site is outside the scope provided by the command line arguments provided.
Skipping site Azure, this site is outside the scope provided by the command line arguments provided.
......................... domain.name passed test Intersite
Hello Folks,
How can I change the time of my one and only domain controller without using any NTP server?
I have to adjust the time and date on this server.
Any help would be really appreciated.
Thanks,
Aamir
Hi All,
Recently I've come across something I have never seen before. To be more precise, on two Windows Server 2012 R2 domain controllers I found the C:\Windows\SYSVOL\domain folder replicating between them by means of DFS Replication.
1) Should replication between domain controllers be performed by means of DFSR?
2) What if replication is disabled like on the screenshot?
Thank you.
Hi All,
I accidentally came across this error.
This is how replication for SYSVOL folder is configured between two domain controllers.
If anyone has ever resolved the same issue, please advise which steps should be taken to rectify it.
Thank you.
Hi All,
I have been trying to understand the Group Policy Modelling wizard. There seems to be an awful lot of good information that it displays but I don't necessarily understand what it all stands for.
One example is below. What does it mean by "The following GPOs have special alerts"?
Does anyone know what the Modelling wizard is really about, as it looks like a handy tool? Any information would be gratefully received.
Regards.
Dear all,
I need to get, in an Excel sheet, the list of servers acting as DHCP servers and, for each of those servers, the DHCP configuration and IP range they use.
The idea is that I will then use the Active Directory data source from Excel and build a Power Query to get the data, but for that I need to know from which table I can get the DHCP config for a given server.
For instance, I can list from the AD and Computer table all machines which are server based.
I am not familiar with how to find the DHCP configuration information in Active Directory.
Can anyone tell me how to get this information?
regards
Hello,
We have an application that uses Active Directory in our prod env, and we are thinking of doing the same in the test environment.
But I don't know how I can implement the same Active Directory for the test environment with the same domain and data!
I'm thinking of implementing it as a CG without replication; this is where I am today!
What do you think?
Regards
Please help me resolve the issues in the scenario below.
A Windows Server 2012 system tries, and has failed, logon attempts with domain credentials using cached credentials. We have checked, and the server shows no connections either in file shares or in Credential Manager. As per our understanding, cached credentials can be set to zero via the registry or secpol.msc. Can you advise whether this would affect other processes, as this system is critical and a system restart is not an option?
We need assistance; feedback on this will be highly appreciated.
Hello,
I want to use item-level targeting on language in the user configuration of a GPO. The problem is that only 4 languages (from the beginning of the alphabet) are listed in the drop-down menu (see screenshot). I am running W2016x64.
How can I solve this issue?
Thanks!
Hi. I have a trust established between domain1.com and domain2.com. When from ADUC I open a user from domain2.com and go to add a security group from domain1.com, it does not see it. But it does see some other security groups. I have verified from both domains that SID filtering is NOT on. What else can be causing this issue?
The trust details from Get-ADTrust -Identity "domain2.com" are:
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=domain2.com,CN=System,DC=ad,DC=domain1,DC=com
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : bracketglobal.com
ObjectClass : trustedDomain
ObjectGUID : e6daf12a-85a5-4df7-86a2-9b92cb6e8c43
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=ad,DC=domain1,DC=com
Target : domain2.com
TGTDelegation : False
TrustAttributes : 12
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
MK
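A way to cross-check output like the above, as an added example that is not part of the original post: the TrustAttributes value is a bit mask (bit values as defined in MS-ADTS), so it can be decoded and compared with the True/False fields printed next to it. The pairing of Get-ADTrust field names to bits in FIELD_BITS is an assumption of this example, and POSTED is a subset of the output quoted in the post.

```python
# Added example: decode trustAttributes and compare it with the boolean
# fields shown beside it. Bit values follow MS-ADTS; the field-to-bit
# pairing in FIELD_BITS is this example's assumption.
TRUST_BITS = {
    0x001: "NON_TRANSITIVE", 0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN", 0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION", 0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL", 0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION", 0x400: "PIM_TRUST",
}
FIELD_BITS = {
    "DisallowTransivity": 0x001, "UplevelOnly": 0x002,
    "SIDFilteringQuarantined": 0x004, "ForestTransitive": 0x008,
    "SelectiveAuthentication": 0x010, "IntraForest": 0x020,
    "SIDFilteringForestAware": 0x040, "UsesRC4Encryption": 0x080,
}
# Subset of the Get-ADTrust output quoted in the post.
POSTED = """\
DisallowTransivity : False
ForestTransitive : True
IntraForest : False
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
TrustAttributes : 12
UplevelOnly : False
UsesRC4Encryption : False
"""

def parse_format_list(text):
    """Parse 'Name : Value' lines (Format-List style) into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def decode_trust_attributes(value):
    """Return the names of the bits set in a trustAttributes value."""
    return [name for bit, name in sorted(TRUST_BITS.items()) if value & bit]

def inconsistent_fields(fields):
    """List boolean fields that disagree with the TrustAttributes mask."""
    mask = int(fields["TrustAttributes"])
    return sorted(f for f, bit in FIELD_BITS.items()
                  if f in fields and (fields[f] == "True") != bool(mask & bit))

if __name__ == "__main__":
    parsed = parse_format_list(POSTED)
    print(decode_trust_attributes(int(parsed["TrustAttributes"])))
    print(inconsistent_fields(parsed))
```

For the posted value 12 the decoder returns QUARANTINED_DOMAIN and FOREST_TRANSITIVE, and the check reports SIDFilteringQuarantined as the one field that does not match the mask as posted.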
Hi All,
By default "Popularity and Search Reports" can fetch reports to the maximum of 15 days, but our client is expecting the report to be generated for last one month.
I heard that there is a PowerShell script for generating the One month report of the Analytics. Could you please help me out with the exact PowerShell script please?
Thanks,
Raj
Greetings,
AD has two 'display name' attributes: 'Display name' and 'display name printable'.
The Public information property set allows write to the 'printable' attribute but not 'display name'. Does that mean I have to set the write property permission for the display name separately or are they both the same thing i.e. if I give the write permission to 'Public information' they will also have the permission to modify the display name property?
Thanks
David Z
Guys,
In a lab, when having a trust relationship between 2 DCs, do I need to add the second DC in the Sites and Services part of AD?
Also, when I would like to replace the second DC with its own domain name (the other company) through a RODC in the domain of DC1, but I want the Active Directory structure, shared folder,... available at the second DC migrated, how should I do that?
Many thanks in advance
Hello All,
I'm working on a migration from a local data center to AWS and I faced an issue with joining servers to the domain.
Overview:
Our current infrastructure
[local data center] <--(VPN Connection)---> [AWS Account 1 (TEST ENV)] <--(peering connection)--> [AWS Account 2 (PROD ENV)]
We have 2 AWS accounts, one for the test environment and one for the production environment.
Currently there is a VPN connection between test and the local data center, and the VPC where the domain controllers are located is able to communicate with the domain controller in the local data center. Between the AWS accounts a peering connection has been configured. The peering connection allows servers located in the production environment to communicate with domain controllers in the test environment, but from production there is no access to the local data center.
A few tests confirm that if the domain controller in the local environment is not reachable, servers are not able to join the domain.
I tried to switch the Operations Master roles for RID, PDC and Infrastructure to a domain controller located in AWS, but it does not help. I also wonder whether it is proper behaviour that I'm not able to join the domain because one of the AD controllers is not reachable.
And what will happen when the AD controller in the local data center is removed?
How does one find the IP address from the MAC address? When using the arp -a command, I do not see the item listed. Since I know the MAC address, is there a way to use ARP + the MAC address to reveal the IP address?
Hi All,
I'm running into an issue when deleting (3) child domains on a Windows 2008 R2 functional level domain. The child domains have been severed for several years and the child domain DCs have been removed from the domain utilizing NTDSUTIL. When attempting to use ntdsutil: metadata cleanup > remove selected domain, I receive the error: DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)
Output:
metadata cleanup: select operation target
select operation target: list sites
Found 4 site(s)
0 - CN=site1,CN=Sites,CN=Configuration,DC=domain1,DC=com
1 - CN=site2,CN=Sites,CN=Configuration,DC=domain1,DC=com
2 - CN=site3,CN=Sites,CN=Configuration,DC=domain1,DC=com
3 - CN=site4,CN=Sites,CN=Configuration,DC=domain1,DC=com
select operation target: list domains
Found 4 domain(s)
0 - DC=domain1,DC=com
1 - DC=child1,DC=domain1,DC=com
2 - DC=child2,DC=domain1,DC=com
3 - DC=child3,DC=domain1,DC=com
select operation target: select domain 1
No current site
Domain - DC=child1,DC=domain1,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain
DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)
After looking up the error, it appears it's due to the DomainDnsZones still being available. So I ran NTDSUTIL: partition management > list and have (10) naming contexts available, but I'm not sure which ones to remove.
C:\Windows\system32\ntdsutil.exe: partition management
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded
Found 10 Naming Context(s)
0 - CN=Configuration,DC=domain1,DC=com
1 - CN=Schema,CN=Configuration,DC=domain1,DC=com
2 - DC=domain1,DC=com
3 - DC=child1,DC=domain1,DC=com
4 - DC=child2,DC=domain1,DC=com
5 - DC=child3,DC=domain1,DC=com
6 - DC=DomainDnsZones,DC=child1,DC=domain1,DC=com
7 - DC=DomainDnsZones,DC=domain1,DC=com
8 - DC=DomainDnsZones,DC=child2,DC=domain1,DC=com
9 - DC=ForestDnsZones,DC=domain1,DC=com
partition management:
Do I remove the DomainDNSZones entries for the child domains I'm attempting to remove or do I remove all child domain records above?
One of our client's Small Business Server for Windows 2011 machines went down. We restored the whole server from backup, but it is having issues logging in, saying
"The security database on the server does not have a computer account for this workstation trust relationship"
This server is the only domain controller.
After doing some digging, retrieving the Active Directory database NTDS and mounting it using DSAMAIN and ADUC, I discovered that the domain controller computer account shows (Unoccupied DC Account (GC)). I tried to use ADSIEDIT to modify the UserAccountControl but it seems to be read only. What do I need to do in order to modify this to enable it?
Hi,
I'm writing an LDAP plugin to detect AD user/group membership changes. For detecting any changes to the user objects, I'm depending on 'uSNChanged' attribute. So when I query next time, I'll only get delta changes.
However, if I make any changes to the group membership, like adding a user to or removing a user from a group, the user's 'uSNChanged' doesn't change.
I tried querying the group based on the modifyTimeStamp and it does return a list of groups that may have changed the group membership. However, it gives the full list of members belonging to that group at that particular instance but not the delta.
Is there a way to get the delta of group membership changes using LDAP? I see many people have implemented an AD plugin to monitor audit events on the AD and then create a delta, but I cannot create any AD plugin at the instance.
Any help is highly appreciated.
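One way to derive the delta on the client side, as an added example that is not part of the original post: membership is written to the group's member attribute, so it is the group object's uSNChanged that advances, and a poller can keep the last member set per group and diff it. GroupDeltaTracker, the DNs and the entries are constructed for illustration, and the sketch assumes each polled entry carries the group's full member list.

```python
# Added example: turn "groups changed since the last poll" into per-member
# deltas. Entries are constructed stand-ins for LDAP search results with the
# attributes dn, uSNChanged and member. A real poller would run next_filter()
# against ONE fixed domain controller, because uSNChanged values are local
# to each DC and are not comparable between DCs.

class GroupDeltaTracker:
    def __init__(self):
        self.high_water = 0   # highest uSNChanged processed so far
        self.members = {}     # group DN -> frozenset of member DNs

    def next_filter(self):
        """LDAP filter selecting only groups modified since the last poll."""
        return "(&(objectClass=group)(uSNChanged>=%d))" % (self.high_water + 1)

    def apply(self, entries, baseline=False):
        """Record polled groups and return {group: {'added', 'removed'}}.

        With baseline=True the first full read is stored without being
        reported, so existing members are not flagged as new additions.
        """
        deltas = {}
        for entry in entries:
            dn = entry["dn"]
            now = frozenset(entry.get("member", []))
            before = self.members.get(dn, frozenset())
            if not baseline and now != before:
                deltas[dn] = {"added": sorted(now - before),
                              "removed": sorted(before - now)}
            self.members[dn] = now
            self.high_water = max(self.high_water, int(entry["uSNChanged"]))
        return deltas

# Constructed sample objects (not taken from the post).
GROUP = "CN=Server Admins,OU=Groups,DC=example,DC=test"
ALICE, BOB, CAROL = ("CN=%s,OU=Users,DC=example,DC=test" % n
                     for n in ("alice", "bob", "carol"))

def demo():
    tracker = GroupDeltaTracker()
    tracker.apply([{"dn": GROUP, "uSNChanged": "1001",
                    "member": [ALICE, BOB]}], baseline=True)
    flt = tracker.next_filter()
    delta = tracker.apply([{"dn": GROUP, "uSNChanged": "1050",
                            "member": [ALICE, CAROL]}])
    return flt, delta

if __name__ == "__main__":
    print(demo())
```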