Channel: Directory Services forum

ADFS 2016 failing to add a node to farm - missing SPNs


Hi all,

Pulling my hair out over this, as I truly feel it shouldn't be this hard!

Background:

New ADFS deployment on Server 2016 (I believe that makes it ADFS 4.0)

Staged all required service accounts

Opted for gMSA (this is where I believe my issues stem from)

DB on Active/Passive clustered SQL 2017

Domain functional level 2012R2 (although the majority of DCs are 2016)

Servers:

ADFS1

ADFS2

SQLclstr

Accounts:

svcADFS (gMSA)

fs (domain federation service address)

I've deployed the first node, ADFS1, without any issues; the database has been created on SQLclstr and it seems to be operational.

Before I can use this in a production environment I need it to be HA. When I attempt to add a second node to ADFS I receive the below errors from the prerequisites check:

There were no SPNs set on the following service account 'contoso\svcADFS$'. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.

Unable to determine the Service SPN. There were no SPNs set on the following service account 'contoso\svcADFS$'. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.

The SPNs do exist, firstly because ADFS1 wouldn't work if they didn't, and I've checked from setspn and ADSIedit.

Current configured SPNs against svcADFS are:

host/fs

host/fs.contoso.com

http/fs

http/fs.contoso.com

I've exhausted all the Google links I can find for the things I know and I'm stuck. Please help me!

Thanks,

-Damo.
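The checks a practitioner would run on the node that fails the "no SPNs set on the service account" prerequisite, as an added example that is not part of the original post. The names svcADFS (the gMSA) and fs.contoso.com (the farm name) come from the post; everything else is an assumption, and the ActiveDirectory RSAT module must be available.

```powershell
# Added example, not from the original post: the checks to run on the node that fails the
# ADFS "no SPNs set on the service account" prerequisite. Names taken from the post:
# svcADFS (the gMSA) and fs.contoso.com (the farm name). Needs the ActiveDirectory module.
Import-Module ActiveDirectory

$Gmsa     = 'svcADFS'                 # sAMAccountName without the trailing $
$FarmFqdn = 'fs.contoso.com'
$FarmHost = $FarmFqdn.Split('.')[0]
$Expected = "host/$FarmFqdn", "host/$FarmHost", "http/$FarmFqdn", "http/$FarmHost"

# 1. Read the SPNs and the password-retrieval ACL straight from the gMSA object.
$acct = Get-ADServiceAccount -Identity $Gmsa -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
$present = @($acct.ServicePrincipalNames)
$missing = @($Expected | Where-Object { $present -notcontains $_ })
if ($missing.Count) { "SPNs missing on ${Gmsa}`$: $($missing -join ', ')" }
else                { "All expected SPNs are present on ${Gmsa}`$" }

# 2. The same SPN on a second account breaks Kerberos for both holders, so search the
#    whole domain for each expected SPN and report any that resolves to more than one object.
foreach ($spn in $Expected) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($holders.Count -gt 1) { "Duplicate SPN ${spn}: $($holders.Name -join ', ')" }
}

# 3. ADFS on this node runs as the gMSA, so this computer must be allowed to retrieve the
#    managed password (directly or through a group) and Test-ADServiceAccount should be True
#    once the account has been installed locally with Install-ADServiceAccount.
$me = Get-ADComputer -Identity $env:COMPUTERNAME
"Principals allowed to retrieve the password:"
$acct.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { "  $_" }
"This computer: $($me.DistinguishedName)"
"Test-ADServiceAccount on $env:COMPUTERNAME : $(Test-ADServiceAccount -Identity $Gmsa)"
```

Run it on the second node in an elevated domain session; a False from Test-ADServiceAccount or a computer missing from the allowed-principals list is worth resolving before retrying the farm join.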


Force logoff users from computers


Hello,

We use mobile profiles in our organisation. Users very often log in to one computer, then go to another and log in there too...

We have a lot of problems with file synchronization.

Is there any solution to force users to log out when they log in to another computer?

NameServers for a DNS Zone not working


Hello,

We have a Windows Server 2016 running AD. We added a new zone to its DNS server and configured that zone to have not only the internal name servers but also its external name servers. For some reason it only uses its internal name servers, so when an external site is requested it can't find it, for example:

Internal URL:

https://intranet.example.com

External URL:

https://www.example.com

What can we do so it points to the correct destination?

We want the Windows DNS to look in both places Internal and External NameServers for this.

Thanks.

Event ID 4776 failure events on the domain controller, even username and password is correct


Hi Team,

I am observing that failure event ID 4776 (The computer attempted to validate the credentials for an account, with code 0xc000006a) is getting generated on my domain controller, even though I am entering the correct login details. Can someone help me understand this event?

As far as I know, this event is generated when NTLM authentication happens, but in my case I can see a failure event with ID 4776.

If these were bad password attempts, then:

>> The account should get locked, but I can't see an account lockout or any event with ID 4740.

>> I can't see a bad password count in lockout.exe.

Could someone please provide some information on event 4776? I searched Google but am not getting proper information.
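A defender's way to work through the question above, as an added example that is not part of the original post: parse 4776 events from the DC's Security log, group the failures by account, source workstation and status code, and mark which accounts also produced a 4740 lockout. The sample events are constructed here so the parser runs offline; the function names, the sample account and workstation names, and the Get-LiveSecurityEvent helper are all assumptions made for this example.

```powershell
# Added example, not from the original post: summarise Security event 4776 failures by
# account, source workstation and NTSTATUS code, and mark accounts that also logged a 4740
# lockout. The sample events are constructed XML so the parser runs offline;
# Get-LiveSecurityEvent shows how to feed it real events from a DC's Security log.

# NTSTATUS values 4776 reports in its Status field; 0xc000006a is the code in the post above.
$StatusText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
}

# Flatten one event's XML, reading EventData by field name (not position) so the same
# parser serves 4776 (TargetUserName, Workstation, Status) and 4740 (TargetUserName).
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Id          = [int]$x.Event.System.EventID
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
        Account     = $d['TargetUserName']
        Workstation = $d['Workstation']
        Status      = "$($d['Status'])".ToLower()   # empty string for events without one
    }
}

# Constructed sample data (not a real log): a minimal 4776 event in the log's XML shape.
function New-Sample4776Xml {
    param($User, $Workstation, $Status, $Time)
    ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
     "<EventID>4776</EventID><TimeCreated SystemTime=`"$Time`"/></System><EventData>" +
     "<Data Name=`"TargetUserName`">$User</Data><Data Name=`"Workstation`">$Workstation</Data>" +
     "<Data Name=`"Status`">$Status</Data></EventData></Event>")
}
$samples = @(
    (New-Sample4776Xml 'jsmith'     'WS-042' '0xc000006a' '2019-06-01T08:15:02Z'),
    (New-Sample4776Xml 'jsmith'     'WS-042' '0xc000006a' '2019-06-01T08:15:07Z'),
    (New-Sample4776Xml 'jsmith'     'APP-01' '0x0'        '2019-06-01T08:16:00Z'),
    (New-Sample4776Xml 'svc_backup' 'SRV-09' '0xc0000234' '2019-06-01T08:20:11Z')
) | ForEach-Object { ConvertFrom-SecurityEventXml $_ }

# One row per (account, workstation, status). The Workstation column shows where the
# failing credential comes from, which a 4776 without a matching 4740 leaves open.
function Get-NtlmFailureSummary {
    param([object[]]$Events, [string[]]$LockedOut = @())
    $Events | Where-Object { $_.Id -eq 4776 -and $_.Status -ne '0x0' } |
        Group-Object Account, Workstation, Status |
        ForEach-Object {
            $g = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Account     = $g[0].Account
                Workstation = $g[0].Workstation
                Status      = $g[0].Status
                Meaning     = $StatusText[$g[0].Status]
                Count       = $_.Count
                LockedOut   = [bool]($LockedOut -contains $g[0].Account)
                FirstSeen   = $g[0].Time
                LastSeen    = $g[-1].Time
            }
        } | Sort-Object Count -Descending
}

# Live input: read the DC's Security log (needs event-log read rights on that DC).
function Get-LiveSecurityEvent {
    param([int[]]$Id = 4776, [int]$Hours = 24, [string]$Computer = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() }
}

$locked = @('svc_backup')   # constructed: accounts that logged a 4740 in the same window
Get-NtlmFailureSummary -Events $samples -LockedOut $locked | Format-Table -AutoSize
```

Against a real DC, replace $samples with Get-LiveSecurityEvent -Id 4776 and build $locked from (Get-LiveSecurityEvent -Id 4740).Account; a 0xc000006a row whose Workstation is not the machine the user is typing on points at where the stale credential is being presented from.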


PDC Crashed now No access to any AD tools or ADSIEDIT from SecondaryAD


Hi,

Need urgent help, guys... I know it's not a good setup, but that's what our budget allowed us...

I had one physical server as AD, and on top of it I had Hyper-V with SecondaryAD and Exchange. A normal Core i5 desktop as the 3rd AD server.

My physical HDD died and I had to do a fresh install, but then all hell broke loose...

My virtual SecondaryAD can't connect to the domain: AD Users & Computers says cannot connect to domain, can't open ADSIEDIT (cannot connect to domain)... Even on the 3rd AD, same issues...

The SYSVOL & NETLOGON folders are blank.

I did metadata cleanup and removed my corrupt AD, but the remaining 2 servers are still of no use.

DCDIAG

dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
  Trying to find home server...
  Home Server = PrimaryAD
  * Identified AD Forest.
  Done gathering initial info.

Doing initial required tests

  Testing server: Default-First-Site-Name\SECAD
      Starting test: Connectivity
        ......................... SECAD passed test Connectivity

Doing primary tests

  Testing server: Default-First-Site-Name\SECAD
      Starting test: Advertising Fatal Error:DsGetDcName (SECAD) call failed, error 1355
        The Locator could not find the server.
        ......................... SECAD failed test Advertising
      Starting test: FrsEvent
        ......................... SECAD passed test FrsEvent
      Starting test: DFSREvent
        There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
        replication problems may cause Group Policy problems.
        ......................... SECAD failed test DFSREvent
      Starting test: SysVolCheck
        ......................... SECAD passed test SysVolCheck
      Starting test: KccEvent
        ......................... SECAD passed test KccEvent
      Starting test: KnowsOfRoleHolders
        ......................... SECAD passed test KnowsOfRoleHolders
      Starting test: MachineAccount
        ......................... SECAD passed test MachineAccount
      Starting test: NCSecDesc
        ......................... SECAD passed test NCSecDesc
      Starting test: NetLogons
        ......................... SECAD passed test NetLogons
      Starting test: ObjectsReplicated
        ......................... SECAD passed test ObjectsReplicated
      Starting test: Replications
        ......................... SECAD passed test Replications
      Starting test: RidManager
        ......................... SECAD passed test RidManager
      Starting test: Services
            DFSR Service is stopped on [SECAD]
        ......................... SECAD failed test Services
      Starting test: SystemLog
        An error event occurred. EventID: 0x00000423
            Time Generated: 06/01/2019 02:53:04
            Event String: The DHCP service failed to see a directory server for authorization.
        An error event occurred. EventID: 0xC00038D6
            Time Generated: 06/01/2019 02:58:48
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
        ......................... SECAD failed test SystemLog
      Starting test: VerifyReferences
        ......................... SECAD passed test VerifyReferences


  Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
        ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... ForestDnsZones passed test CrossRefValidation

  Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
        ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... DomainDnsZones passed test CrossRefValidation

  Running partition tests on : Schema
      Starting test: CheckSDRefDom
        ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Schema passed test CrossRefValidation

  Running partition tests on : Configuration
      Starting test: CheckSDRefDom
        ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Configuration passed test CrossRefValidation

  Running partition tests on : Mydomain
      Starting test: CheckSDRefDom
        ......................... Mydomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Mydomain passed test CrossRefValidation

  Running enterprise tests on : Mydomain.com
      Starting test: LocatorCheck
        Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
        A Global Catalog Server could not be located - All GC's are down.
        Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
        A Time Server could not be located.
        The server holding the PDC role is down.
        Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
        A Good Time Server could not be located.
        Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
        A KDC could not be located - All the KDCs are down.
        ......................... Mydomain.com failed test LocatorCheck
      Starting test: Intersite
        ......................... Mydomain.com passed test Intersite

If I try giving permission to any folder I can see all users, but they appear as local users, not domain users..

Can anyone help me here...

Any pointer... anything to bring this alive... I have approx. 90 users attached who have been offline for the past 2 days....

Creating a new domain will mean creating a new Exchange too..

Please HELP!!

Thanks,

bikram

Do you want to be acknowledged as Microsoft Directory Services Guru? Join June 2019 competition!



What is TechNet Guru Competition?

Each month Microsoft TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in a dedicated blog post that will be published in the Microsoft Wiki Ninjas blog, a tweet from the Microsoft Wiki Ninjas Twitter account, links will be published at the Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in June 2019 and must be in English. However, the original blog or forum content can be from before June 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share that knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is add your article to TechNet Wiki in your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook to get feedback and tips from the council members and from the community. The group is very active and people love to help. You can even get direct improvements to your article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about the TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from Bala S.


Ronen Ariely

Why do I need a secure-pipes connection to use Kerberos authentication to a DC


Can someone please help me with the following as I have never found an answer to this question

As far as I know/have heard/read etc.

In a Windows Active Directory domain environment, if I (the user) want to authenticate to a domain controller (log on) using Kerberos, then the computer I am logging in from must be domain joined. In other words, the computer has to already share a secret (symmetric key/computer account password) with the DC in order that the computer authenticates in the first instance with the DC, and sets up a secure channel over which data can be encrypted to/from the computer and DC (leave Kerberos armoring to one side for a moment as it is not relevant to my question).

So the computer has a secure connection to the DC (which I believe most people refer to as a secure-pipes connection, due to the pipes protocol).

The thing is, I do not see why this secure connection is required for a user to perform Kerberos authentication to a DC (e.g. from a standalone workstation), for the following reason:

As long as the DC/KDC knows the user's long-term key (password hash), e.g. entered by an admin when the user was created, and the user knows the password too, the usual Kerberos pre-authentication (encrypt timestamp with hash) can take place between the user and the DC (along with the rest of the Kerberos handshake protocol exchange). For example, a TGT along with a session key can be delivered to the user (session key encrypted using the user's password hash as the key), etc....

So why on earth does it state everywhere I have come across this that you need an existing secure connection (domain-joined computer) before the user can use Kerberos to authenticate themselves?

I would appreciate it if someone could explain what I am missing (if anything), and if I am pointed to a URL please make it one with the answer to this specific question in it rather than a general discussion on Kerberos.

Thanks very much everyone 

CXMelga

DFSR fails with partner that no longer exists.


Short version: one of our domain controllers has DFSR Event 5008 errors regarding a domain controller that has been demoted and removed from our domain. It is the only domain controller, of five, to have this error; the other four domain controllers are clean.

Longer version: we are in the process of upgrading Active Directory from 2008 to 2012 R2, at this time we have three 2012 R2 servers and one of those three owns all the FSMO roles, it also happens to be the one that we see the DFSR Event 5008 errors on. In addition to those three 2012 R2 servers, we have two 2008 servers remaining, until we clear up the remaining errors.

DFS Replication, on DC-2012-1, says that it failed to communicate to partner DC-2008-2; however, that is to be expected since DC-2008-2 is no longer a domain controller, nor a member of the domain. When we go into DFS Management and look at the sysvol replication, we do not see DC-2008-2 referenced anywhere, nor have I found a reference to it anywhere else that I have looked.

What can we do to remove the reference to the partner, to eliminate these errors?


Linux computer lost trusted relationship


Hello,

Linux administrators use ADDS for user authentication and provide roaming profiles using Samba. But for some reason the computer broke trust with AD (or AD broke trust with the PC). The Linux administrator is trying to explain the pattern:

On A computer

1.User logon and authenticate in AD
2.Try get profile, go to samba server
3.Samba using user credentials ask group membership 
4.AD give group membership
5.User sync his profile

If the client tries to log on from another computer "B", then AD stops trusting computer "A" when the user comes back to computer "A" again.

It is possible that computer A is answered by DC01 and computer B by DC02.

What reason could there be?

How to disable/uninstall the built-in Windows 10 app "Microsoft Edge" via GPO or locally for all users.


Hi Team,
I want to disable Microsoft Edge and use IE as the default browser. I tried a few links for removal but they are not working.
For removal, I'm getting this error:

PS C:\Windows\system32> get-appxpackage *edge*


Name              : Microsoft.MicrosoftEdge
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : Neutral
ResourceId        :
Version           : 25.10586.672.0
PackageFullName   : Microsoft.MicrosoftEdge_25.10586.672.0_neutral__8wekyb3d8bbwe
InstallLocation   :
IsFramework       : False
PackageFamilyName : Microsoft.MicrosoftEdge_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False



PS C:\Windows\system32> remove-appxpackage Microsoft.MicrosoftEdge_25.10586.672.0_neutral__8wekyb3d8bbwe
remove-appxpackage : Deployment failed with HRESULT: 0x80073CFA, Removal failed. Please contact your software vendor.
(Exception from HRESULT: 0x80073CFA)
error 0x80070032: AppX Deployment Remove operation on package
Microsoft.MicrosoftEdge_25.10586.672.0_neutral__8wekyb3d8bbwe from:
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe failed. This app is part of Windows and cannot be
uninstalled on a per-user basis. An administrator can attempt to remove the app from the computer using Turn Windows
Features on or off. However, it may not be possible to uninstall the app.
NOTE: For additional information, look for [ActivityId] 94700c0a-1625-0000-461b-70942516d501 in the Event Log or use
the command line Get-AppxLog -ActivityID 94700c0a-1625-0000-461b-70942516d501
At line:1 char:1
+ remove-appxpackage Microsoft.MicrosoftEdge_25.10586.672.0_neutral__8w ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (Microsoft.Micro...__8wekyb3d8bbwe:String) [Remove-AppxPackage], IOException
    + FullyQualifiedErrorId : DeploymentError,Microsoft.Windows.Appx.PackageManager.Commands.RemoveAppxPackageCommand

https://www.drivereasy.com/knowledge/how-to-remove-microsoft-edge-from-windows-10-solved/
For the default browser:

https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy   the template options themselves are not available.


Ransomware encrypted GPT.ini


In a Server 2003 setting, the gpt.ini file in our SYSVOL folder has been encrypted across all our DCs. I have a backup of the "system state" on the DCs made using NTBackup and was going to just restore the GPT.ini file that had been corrupted, but it appears NTBackup will only restore the entire system state at once. I can try to redirect that restore to an alternative location, but I'm not sure that will have the desired effect; instead the full system state will be restored, which I don't want, since I know that group policy had not been changed since the last system state backup. I could run the dcgpofix tool, but we are also running Exchange Server and I'm worried that resetting the GPO back to the default will cause problems there. Any suggestions for recovering my domain and DC policy?

adprep.exe /DomainPrep /GPPrep


When I try to execute adprep in my AD I get this error, please help:

C:\adprep>adprep.exe  /DomainPrep /GPPrep
Running domainprep ...


Adprep was unable to modify the security descriptor on object CN=Domain System V
olume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxxx,DC=xx.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access
control entry (ACE).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20190530093213
 directory for more information.

Adprep encountered an LDAP error.
Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000
208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=File Replication Service,CN=System,DC=xxxx,DC=xx'
.



Adprep was unable to update domain information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructu
re master in order to complete this operation.

Installation of new 2016 servers to replace the 2008.

Hi,

We have a domain that already has a 2016 server in the forest and there are still two servers 2008 left.

I want to remove these 2008 and install new 2016 servers.

I will do the promotion myself and transfer the functions to the new ones.

Are there any other tasks that need to be performed? How to update GPOs? Etc...

Thank you.

Account policy settings not being enforced


Hello, we have a password policy defined in the Default Domain Policy enforced in AD, which is working on all our Windows 2008+ machines except recently deployed Windows 2016 machines.

On those machines, which are in the appropriate OU, running gpresult /V shows that the Default Domain Policy is applied successfully. Running RSOP also shows that it is enforced. However, if I run "net accounts" from an Administrator command prompt it doesn't show the appropriate settings. Additionally, accessing the Local Group Policy doesn't show the settings, but they are greyed out.

I have moved one of the machines from the OU where this is defined to a test one which blocks inheritance, and the settings are available in local policy to change, but are set to Windows defaults. I have gone through all the Group Policies to see if the settings are defined elsewhere and they are not.

The scope of the Default Domain Policy covers the machine.

Does anyone have any idea why the password policy isn't applying correctly, and how to fix it?

Thanks

Gerrard

FSMOcheckFail


Hello Everyone,

We are running a script for our Active Directory health check, and in that health check most things come back fine, but one thing is showing as failed, as below. Can anyone help me with why this is failing and what we need to do to fix this issue?




Unexpected issue with GPO


Hi,

I have created one GPO with some security settings suggested by our security team. The GPO contains only Computer Settings. I had to apply it to an OU with 80 computer accounts (Hyper-V servers). I put those 80 computers in a group and then added that group to the security filtering of that GPO. Then I linked that GPO to that specific OU containing those servers.

Everything went well for almost 15 days.

Then I thought that since the settings need to be implemented on all the computers in that OU, I deleted the group from the security filtering and added "Authenticated Users" to the security filtering.

Once the replication was done, I lost connection to ALL computers in the entire domain. All Hyper-V hosts were down and I was not able to connect to ANY computers, including the DC, as it was also a VM. I accessed the physical host, took the console of the DC and unlinked that GPO from that OU, which fixed the issue.

Now my question is, what exactly went wrong? I just changed the security filtering from computer accounts to "Authenticated Users". Why was it working when computer accounts were in the security filtering, and why did it go down after I added the "Authenticated Users" account? Anyhow, we had to apply that GPO to all the computers inside that OU. Also, there were no user-related settings in that GPO. Can someone please help me understand this?

Thanks!

Nilabh Verma

Active Directory Domain Services Configuration Wizard Script


Hello,

When installing AD, almost at the end one gets a script, the so-called Active Directory DSC script. One can even view the script. Is it somehow possible to see this script after closing the ADDS configuration GUI?

many thanks.

Is NIC Teaming supported on Windows Server 2012 R2 Domain Controllers?


I have a site with one Domain Controller, but for redundancy they have 2 switches. Are we able to NIC team on the said domain controller, so that if one of the switches goes down, the domain controller will continue to work?

Are there any risks or gotchas that I should be aware of?

Do Microsoft have an official statement on this?

** When responding please keep in mind it is Windows Server 2012 R2 **

Publishing certificates on Microsoft ADDS

While generating certificates through the MS CA web enrollment services, certificates are getting published in Microsoft ADDS against the CAADMIN user. How do we publish these certificates against the respective user?

Which inbound ports that a client desktop has to open in order to join AD domain


For security reasons, in our environment we block all the inbound ports of our desktops. However, it seems I can't join the AD domain. However, if I add the following firewall rule:

  • Source: domain controller   
  • Destination: desktop client 
  • ports: all   
  • Allow: yes

I can join the domain successfully.

So I wonder if any inbound client port is used. However, I googled but couldn't find any "official" answer. (I could find the inbound ports required for a domain controller, but that's not what I want.) Could anyone give me some advice?

