Hi

I have searched all over the internet for an answer so hopefully someone here can help.

I have an SQL 2017 server set to use Windows or SQL authentication.

The DB's that are on it work fine using either authentication method on the LAN.

My issue is that when a user tries to connect over our VPN it will fail with the above error message about its login is from an untrusted domain. 

However, if I use an SQL credential (SA) it connects no issues.

Both server and PC are on the same domain and the PC is regularly connected to the LAN during the day, its just when they go home and use the VPN that it doesn't work and I get this untrusted domain error. This happens for all users over VPN. 

Hi, 

I've seen some people create domains with a .local suffix and I was wondering why? 

I know that the domain is non routable, so it's probably as the name suggests local only. Therefore to my understanding it can't be looked up externally and it is private from the internet. But, I tend to create my forest with a routable tld like .com so that it matches with my public registered DNS name. 

The problem with .local is that what happens if you want to use directory sync, or have your users use a .com suffix later on? 

Is it not prudent these days to just use a public .tld suffix when creating your forest? I even think that this is recommended in the ADDS Wizard.  

Thanks 

Hi All,

When i run the below command against schema database, I could see few deleted DSA entries and these DC's were removed some time back but still exists in this result. Is it normal one or need to cleanup from somewhere?

repadmin /showvector /latency

Also could see two GUID entries as well. Hope these GUID entries are belongs to old DC's.

Hi,

I would like to know how certificates work in both windows and Linux clients.

Here is my setup. We have a windows internal CA, we have windows domain controllers that serve as our ldap server. We have in dns Host A record ldap-dc.domain.com point to two ip address of our domain controllers. We did this so that they will use the FQDN in ldaps connection string for failover.

1. Will windows based applications that connect via ldaps require a certificate? If so, where did that certificate should come from? Should it come from our Domain controller which its certificate is issued by our internal CA?

2. The  certificate of our domain controllers did it came automatically from our CA since I don't recall requesting for certificate when setting up domain controller? How will windows client machines make use of this certificate? Do they receive it automatically?

3. How about for apps based on Linux that will use ldaps? Where should it's certificate come from? Does it need to request for certificate or will it use the domain controller's certificate by importing it on the Linux machine?

Thanks!

Hi there. We had a Server 2012 R2 domain controller. It's a HyperV VM and the host it was running on had a serious hardware failure that resulted in the VM being corrupted and blue screening even in safe mode. No luck with safe mode etc or the Directory Services repair options. So we did a force removal of the DC in AD. This particular DC had no FSMO roles and wasn't a file server, so there wasn't much needed to recover that we didn't already have from backups. After the host was repaired, we built a new DC VM to replace the dead one and linked it to the same subnet in AD Sites and Services etc. We gave it a different name.

Things appear to be working normally. I ran a number of AD replication tests using Microsoft's AD Replication Status tool and no errors are coming up. I've gone through DNS and removed any references to the dead DC. The dead DC does not show up anywhere in AD Sites and Services.

My question is about NTDSUtil. I know that if you have to force remove a DC, you should clean up the metadata using NTDSUtil. The problem(?) is NTDSutil couldn't find any reference to the failed DC for me to remove. Is there anything left to check? The Microsoft articles I found simply said that if the dead DC couldn't be found there, it may have already been removed.... So does that mean I'm in the clear?

Thanks in advance,

Sir Timbit.

Hello ,

       we are using 3 domain server. there if hit repadmin /showrepl command

everything status will success but SYSVOL policy folder can not replicate properly

please suggest

thank you in advance

Lakhan Sawant

Hi,

The 2008 R2 DC restarts intermittently. Please see the event log below. Could you please suggest how to fix ?

Thanks..!

Hi,

Please help me to understand the usage of "Managed by" attribute. If we right click -properties of Group / computers there we can see the attribute called "Managed By".

Hello everybody,

Does anyone met with error 14017 on AD/DNS server?

I have configured domain authentication on third party appliance and it work fine till adding ip addresses of DNS servers to it's configuration.

After adding DNS IP's i get 14017 error and I'm not able to login with domain credentials. After removing DNS IP i can once again authenticate.

AD and DNS are located on the same server and IP address.

Any advise will be appreciated.

Below description isn't really helpful:

I have the following GP/Advanced Audit:

Recently, some users are complaining about accounts being locked several times a day

But despite the proper configurations, searching at the Event Viewer logs, i can find the 4740 event, showing exactly when the account has been locked but i can´t find any evidence on ANY of the 5 times required to lock an account at ANY DC available. No events 4625 were found

If i create a test user, force the user to fail several times, all proper events 4625&4740 show up in the logs wuth no problem, so auditing is ok.

At office365, there are no login failure , only success login events, so, the lockout is not coming from O365 back to my on-premisse AD/DC

What else can I do?

In the AzureADSync, nothing usefull (an the Log capabilities are terrible) and my PDC emulator shows the lockout with the ALTools/Account lockou Tool  as the lockout propagate through the replication proccess, nothing wrong

The local user´s machine has some events, but again, only successfull events, including the .EXE name responsible for the login, but no failure events are shown

What else can I do? What am i missing here?

Hi,

Please help me to understand the use case of "Disable cross forest TGT delegation"

what is the use of TGT delegation and why MS recommended to disable the cross forest TGT delegation

Hello Tech Masters,

Hope everyone is having a great day. 

I am investigating an Active Directory issue in Windows 2008 R2 domain. 

The environment is single 2008 R2 forest with 3 2008 R2 domains. Each domain has at least 3 2008 R2 domain controllers. 

My goal is to promote both the forest and domains to 2016 functional level.

I am replacing all 2008 R2 and 2012 R2 domain controllers by building new 2016 domain controllers. 

Issue: Browsing any of the 3 domains by domain name \\domain.local works if domain.local is pointing to specific domain controller (old PDC DC). This is happens in all 3 domains. Otherwise, it will error out "Windows cannot access \\domain.local.  

The issue is global to all computers in the 3 domains. 

I can ping all 3 domains by name successfully. 

I am able to navigate directly to any domain controller shares (Netlogon and Sysvol) using FGDN (ex: dc01.domain.local). 

Domain AD replication work properly in all domains. 

Group polices apply properly to users’ computers.

See attached error (screen shot).

Please share your thoughts if your thought if you have experienced same issue or you have the knowledge to help.

Thank You 

Raed

Morning all,

I have just upgraded all the local DCs , on the same subnet, to 2019. I had a few replication issues with 2 remote DCs, that was just the fact that they were trying to replicate to IPs that no longer existed. This was resolved by changing the NTDS settings in sites and services. Replication is now working as it should with repadmin and dcdiag giving a clean bill of health...

The reason we have the two remote DCs is at that time bandwidth was a limitation, it no longer is and now serve no purpose. All nodes use the data center servers for all services, so I want to remove the two remote servers.

Is the process the same? In sites and services they fall under their own subnet but are of the same domain, not a sub-domain.

Is it simply a case of  running DCPromo on the remote servers then deleting the subnets from sites and services?

Many thanks

I need to setup a scheduled task to delegate full control permissions. This task will be run late at night. I probably need to use DSACLS unless you recommend otherwise.

Question. What is the correct syntax for DSACLS to allow a user to have full control over an OU and the ability to create/delete all classes of objects within that OU?

Thanks again.

Hi Everyone,

We have an ADLDS Instance running on windows server 2008 R2  and forest functional level of instance is windows server 2003 R2. We have an application which is relying on this instance and it already extended the schema with the application attributes. Initially ADsync was running which is now stopped and accounts are created manually.Now we are planning to include the recycle bin feature on this instance , my query is can we promote the forest functional level without upgrading schema? since i have read the article regarding enabling recycle bin needs to import the below .ldf files which i suspect it may conflict with application attributes.

MS-ADAM-Upgrade-1 and MS-ADAM-Upgrade-2 

Thanks in advance

Hi,

I am unable to update the Time Services i tried numerous ways but i am unable to find what is the issue is, I have run a dcdiag please find the results below, someone could help me as this server is running on the live environment.

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ADServer2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         ......................... ADSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Advertising
         Warning: ADSERVER2 is not advertising as a time server.
         ......................... ADSERVER2 failed test Advertising
      Starting test: FrsEvent
         ......................... ADSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... ADSERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... ADSERVER2 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000603
            Time Generated: 08/12/2019   19:48:46
            Event String:
            Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 08/12/2019   19:47:49
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
         A warning event occurred.  EventID: 0x800004C4
            Time Generated: 08/12/2019   19:48:12
            Event String:
            LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
         A warning event occurred.  EventID: 0x8000082C
            Time Generated: 08/12/2019   19:48:50
            Event String:
         ......................... ADSERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADSERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... ADSERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... ADSERVER2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADSERVER2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: DC=ForestDnsZones,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: CN=Configuration,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:48:00.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... ADSERVER2 failed test Replications
      Starting test: RidManager
         ......................... ADSERVER2 passed test RidManager
      Starting test: Services
            Invalid service type: w32time on ADSERVER2, current value WIN32_OWN_PROCESS, expected value
            WIN32_SHARE_PROCESS
         ......................... ADSERVER2 failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:34:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:33:44          
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:41:33
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:41:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
        
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:47:39
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:47:59
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 08/12/2019   19:48:06
            Event String: The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x800009CF
            Time Generated: 08/12/2019   19:47:51
            Event String:
            The server service was unable to recreate the share WSUSTemp because the directory C:\Program Files\Update Services\LogFiles\WSUSTemp no longer exists.  Please run "net share WSUSTemp /delete" to delete the share, or recreate the directory C:\Program Files\Update Services\LogFiles\WSUSTemp.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         ......................... ADSERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADSERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : ad.contoso.com
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... ad.contoso.com failed test LocatorCheck
      Starting test: Intersite
         ......................... ad.contoso.com passed test Intersite

Thanks & Regards, D.Nithyananthan.

Hello All,

we are using win2012 R2 and DFL 2012R2, when tryging to open the AD admin center in DC, it gives error "cannot find available server in xXXXX domain that is running ADWS"

However ADWS services are running and i have restarted it

i have cheked in 3 DC and all 3 says same.

can you please advise.

regards

Aamir Masthan

NA

Hi,

I had 2 DC 2008R2 were DFS namespace SERVER

These 2 DCs have been replaced by new 2016 DCs but the DFS namespace server roles has not been installed.

Now my DFS namespace are not reachable, i tried to install dfs namespace role on my new DCs, i can see my name spaces but when i add it to the DFS management snap in i can't browse.

I can see my namespace in ADSIedit