SMB access over domain trust -

February 4, 2020, 4:39 am

≫ Next: Issues with Active directory and Error message 80090302

Ok, this is a weird one.

I cannot access file shares in a 2 way forest trust on 1 site only but works if the firewall is down! Monitoring log shows no dropped packets.

Domain admin\enterprise admin\administrators exist in built\admin group on each side.

Trust is validated from both sides.

All servers ping in all directions.

Domain B, access file share site 1 \ does not work. Drop the firewall - works.

Domain B, access file share site 2,3,4,5 \ works fine. Firewall is up.

RRAS sits between them, none domain joined. Has NIC in both Dom A and B. Static routes configured for Domain A gateway for all Domain A sites. Nothing else.

What am i missing?

Firewall rules are controlled via GPO across all sites so all servers are the same.

Totally baffled.

↧

Issues with Active directory and Error message 80090302

February 4, 2020, 6:55 am

≫ Next: Replication issue between the Sites DCs

≪ Previous: SMB access over domain trust -

Hello,

We have run into a LDAP issue recently that has me stumped. We promoted a brand new domain controller that we spun up on windows server 2019. we then migrated one of our domain controllers onto this server. Once we did that we shut down the original domain controller leaving us with DC2 (the new domain controller on windows server 2019) and DC1(our original domain controller on windows server 2012 r2). For some reason our other servers which use LDAP have been having issues pulling credentials. We have a Papercut server which is unable to pull active directory credentials, as well our Radius server is on another server which is unable to pull credentials. I have been unable to find any clear cut support article on what could be the cause of this issue or any resolution. Any thoughts you might have would be greatly appreciated

↧

Replication issue between the Sites DCs

February 4, 2020, 4:53 am

≫ Next: Users can't authenticate to DC when it has been moved to new host

≪ Previous: Issues with Active directory and Error message 80090302

Hi Guys, we have a domain and two sites, one head office and a branch in different City. Head office has two DC as DC1 and DC2 on Windows 2008 R2 and also a DC3 in branch Windows 2008 R2. now the issue is there is no replication between branch and head office, once dig into the issue found KCC events. the scenario as follows.

VPN link is ok between the sites.

DCs can ping each other with IP and Names.

net view \\DC1 and net view \\DC2 is fine as vise versa

But net view \\DC1 or \\DC2 from Brach office DC3 is showing errors. its like cant access shared folders from Branch office and also from Head office DC to branch.

The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:
DC=Domain,DC=com
Source directory service:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Headoffice,CN=Sites,CN=Configuration,DC=Domain,DC=com
Source directory service address:
k826e336-99a7-4g2d-bdab-113db2a0f5f6._msdcs.domain.com
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Domain,DC=com

This directory service will be unable to replicate with the source directory service until this problem is corrected.

User Action
Verify if the source directory service is accessible or network connectivity is available.

Additional Data
Error value:
1722 The RPC server is unavailable.

↧

Users can't authenticate to DC when it has been moved to new host

February 4, 2020, 3:12 am

≫ Next: Domain Controller 2012 r2 somehow setup with DFSR - Our system is still FRS

≪ Previous: Replication issue between the Sites DCs

We moved the main (and only) DC from one host to another and in the morning users could authenticate to the DC, they could ping the hostname, domain, ip address, I did the basic troubleshooting like flush dns etc but it didn't work

Users were not able to remote into the terminal server as it couldn't authenticate with the DC and if you created a new share you could give permissions to anyone on the domain only a local account.

↧

Domain Controller 2012 r2 somehow setup with DFSR - Our system is still FRS

January 30, 2020, 3:59 pm

≫ Next: Domain Controller Not Working Properly

≪ Previous: Users can't authenticate to DC when it has been moved to new host

I recently demoted a 2019 Server as a DC, after a month because I did not realize it was not compatible with the FRS replication in SYSVOL.

I knew I had a replication error I needed to track down and fix before migrating our SYSVOL file system to DFSR. Well that replication error was due to the fact that last year (Jan 2019) apparently when I stood up a Server 2012 R2 DC, somehow it defaulted to DFSR during it's setup.

So, essentially I've been living with a SYSVol that has not been replicating properly between 3 DCs for about a year. What do I need to do to revert this one DC to FRS, so I can start out with all 3 DC replicating properly before the migration.

The DFS Management tool is active in server manager for this DC. There are no created namespaces, but under replication it shows C:\Windows\SYSVOL\domain for each of 3 DC's

Advise appreciated

UPDATE: I may not completely know what I'm talking about here. When I open powershell on all 3 existing DC,s as admin and type:

dfsrmig /getGlobalState, they all return "eleminated" suceeded. Does this in fact mean that the replication system is already indeed DFSR, and the problem is something else?

↧

Domain Controller Not Working Properly

February 4, 2020, 10:11 am

≫ Next: eventid 5722 huge amount

≪ Previous: Domain Controller 2012 r2 somehow setup with DFSR - Our system is still FRS

Our company infrastructure is below .

Server Name	Operating System	Server Role
CORPDC01.pooja.com	Win 2008 R2	RollOver DC
RODC02.pooja.com	Win 2008 R2	RollOver DC
RODC01.pooja.com	Win 2012 R2	RollOver DC
ADC03.pooja.com	Win Server 2012 R2	RollOver DC
PrimDC01.pooja.com	Win server 2008 R2	Primary DC
ADC01.pooja.com	Win server 2012 R2	Additional DC
ADC02.pooja.com	Win server 2012 R2	Additional DC
ADC03.pooja.com	Win server 2012 R2	Additional DC
Exchange01.pooja.com	Win Server 2008 R2	Exchange Mailbox
Exchange02.pooja.com	Win Server 2008 R2	Exchange Mailbox
Exchange03.pooja.com	Win Server 2008 R2	Exchange Mailbox

Few days ago . Our Primary Domain Controller named "PrimDC01.pooja.com" becomes hangs . Upon forcefully shutdown and then start , it stopped functioning properly .While check , we observed that FSMO roles were transferred to additional DC named "ADC01.pooja.com".After that we can add/remove users successfully in AD . Join workstations to AD successfully , however while joining any new Win Server 2008 R2 , its not joining to AD. DNS is not updating/adding records of newly joined workstations .

Exchange Server DAG is not connecting. Cluster Nodes are not communicating with each other. Throwing error of 'authentication problem'.

Emails flow stopped. No email send /receive .

We run AD health check and got this result .

Active Directory Health Check Result

Identity	PingSTatus	NetlogonService	NTDSService	DNSServiceStatus	NetlogonsTest	ReplicationTest	ServicesTest	AdvertisingTest	FSMOCheckTest
CORPDC01.pooja.com	Success	Running	Running	Running	NetlogonsFail	ReplicationsFail	ServicesFail	AdvertisingFail	FSMOCheckPassed
RODC02.pooja.com	Success	Running	Running	Running	NetlogonsFail	ReplicationsFail	ServicesFail	AdvertisingFail	FSMOCheckPassed
RODC01.pooja.com	Success	NetlogonsFail	ReplicationsFail	ServicesFail	AdvertisingFail	FSMOCheckFail
ADC03.pooja.com	Success	Running	Running	Running	NetlogonsFail	ReplicationsFail	ServicesFail	AdvertisingFail	FSMOCheckPassed
PrimDC01.pooja.com	Success	Running	Running	Running	NetlogonsFail	ReplicationsFail	ServicesFail	AdvertisingFail	FSMOCheckPassed
ADC01.pooja.com	Success	NetlogonsFail	ReplicationsFail	ServicesFail	AdvertisingFail	FSMOCheckFail
ADC02.pooja.com	Success	Running	Running	Running	NetlogonsFail	ReplicationsFail	ServicesFail	AdvertisingFail	FSMOCheckPassed
ADC03.pooja.com	Success	Running	Running	Running	NetlogonsFail	ReplicationsFail	ServicesFail	AdvertisingFail	FSMOCheckPassed

Result of netdom query fsmo command on "PrimDC01.pooja.com" is

List of domain controllers with accounts in the domain:

Access is denied.

The command failed to complete successfully.

Result of netdom query fsmo command on "ADC01.pooja.com" is

Schema master ADC01.pooja.com
Domain naming master ADC01.pooja.com
PDC ADC01.pooja.com
RID pool manager ADC01.pooja.com
Infrastructure master ADC01.pooja.com
The command completed successfully.

Result of nslookup command on "ADC01.pooja.com" is

DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 172.20.4.29

>

Can any one here guide me whats wrong here and how can I handle this issue. Trying to restore thePrimDC01.pooja.com server with lastavailable system state backup , but restore fails . Now I am stuck what to do ?

↧

eventid 5722 huge amount

February 4, 2020, 10:44 am

≫ Next: Adding a Windows Server 2019 Domain Controller

≪ Previous: Domain Controller Not Working Properly

Hello,

we had a huge amount of computer password change (40 x times more than usual)

Since then, we have a lot of eventID 5722 and when we test computerchannel, we get a lot of false result. an usual amount of eventid 5723 (trust Relationship broken)

When we repair them (test-computersecurechannel -repair) , we can get them false, again after few hours

Any idea ?

Regards

Thierry

↧

Adding a Windows Server 2019 Domain Controller

February 4, 2020, 4:12 pm

≫ Next: [VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

≪ Previous: eventid 5722 huge amount

Hello All,

I am trying to add a 2019 server to our existing domain and it gives me this error:

verification of replica failed. the forest functional level is not supported. To install a Windows Server 2019 domain or domain controller, the forest functional level must be Windows Server 2008 or higher.

We are currently functional level is 2008 R2.

Restarted the new server to no avail. According to everything I have researched this should work.

Any insight would be a great help

Thank you :)

↧

[VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

January 27, 2020, 10:13 pm

≫ Next: Reducing AD tombstoneLifetime

≪ Previous: Adding a Windows Server 2019 Domain Controller

Hi,

This is with regards to Microsoft Advisory:

[VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

Thus this mean implement either signing for windows client and servers or implement ldaps?

Applications using ldap are mixed, windows, Linux and other appliance.

Thanks!

↧

Reducing AD tombstoneLifetime

January 28, 2020, 2:42 pm

≫ Next: The sign in method youre trying to use isnt allowed.For more info contact network your Network Administrator

≪ Previous: [VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

Hi, if i reduce the AD tombstoneLifetime value do the tombstone object immediately get cleaned up, or do they still wait the default 180 days to be removed. Also what is the process that cleans up the tombstone object after the lifetime is expired?

Thanks

Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill

↧

The sign in method youre trying to use isnt allowed.For more info contact network your Network Administrator

January 29, 2020, 1:50 am

≫ Next: Running application from Network share fails

≪ Previous: Reducing AD tombstoneLifetime

Good Morning,

After removing a group which was mistakenly added to Administrators users on that group cannot log-in to the Domain and are getting the above error .

The workaround is to have them Disconnnect from the network (Wi-Fi)Log-in to the machine then connect to the Network.

Please can you assist with a permanent solution as we cannot have these users as Administrators.

↧

Running application from Network share fails

January 30, 2020, 12:12 pm

≫ Next: Active Directory: Object Visibility between OU's

≪ Previous: The sign in method youre trying to use isnt allowed.For more info contact network your Network Administrator

Several users are experiencing problems running applications on network shares in the past few weeks.

One of the users is getting an error pop up: "The application was unable to start correctly (0xc0000006)". The others just see nothing happen at all when clicking on the application shortcut.

In all cases, two errors appear in the Application event log:

Event ID 1005

Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program WinReport because of this error.

Program: WinReport

Additional Data
Error value: C00000C4
Disk type: 0

With the same additional data.

Event ID 1000 shows the faulting applicationFaulting application path:

Faulting application path: \\er-mas\apps\Sage\Sage 100 Advanced 2017\MAS90\Home\Pvxwin32.exe
Faulting module path: \\er-mas\apps\Sage\Sage 100 Advanced 2017\MAS90\Home\Pvxwin32.exe

Faulting application path: \\newera\common\winreport\WinReport.exe
Faulting module path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll

This is affecting applications on several application servers: er-mas is Server 2008 R2, and newera, er-files and hf-dc are 2012 R2.

This is affecting one user directly on their Windows 10 PC, and several users running these applications from Remote Desktop servers that are running Server 2016.

Also the mapped drives are showing the following message if you manually go to the UNC path and try to run the application: "This file is in a location outside your local network", even though its a mapped drive on a server internal to our lan.

↧

Active Directory: Object Visibility between OU's

January 31, 2020, 1:45 am

≫ Next: Understanding DNS root domains vs Active Directory parent/root domain

≪ Previous: Running application from Network share fails

I'm currently an intern at a company which uses a single Windows Server 2012 R2 DC. They make use of a Active Directory structure which includes both the employees of the company and external partners/clients that need an AD account in the domain.

The current situation is that we want to hide the partners/clients OU objects, such as users, from the employees because we dont want the names of our partners/clients to be visible for every employee in the company. This means that employees cant find the specific partners/clients when they use the "net user /domain" or "net group /domain" command or search in file explorer for these specific AD objects.

I've tackled the problem that you cant find users with "net user /domain" by denying "List Content" for all the employers on the specific OU advanced security setting for the partners/clients. But this does not fix the problem when an employee searches for a specific Global Group with "net group <groupname> /domain". The partners/clients will still show as "Members" of that specific group.

My question is: Is there a way in the Windows AD Users and Computers to hide the partners/clients objects totally from the employees? This includes the "net" command and every other way of searching for AD objects in Windows clients.

↧

Understanding DNS root domains vs Active Directory parent/root domain

January 31, 2020, 2:03 pm

≫ Next: Windows Firewall on Domain Controller

≪ Previous: Active Directory: Object Visibility between OU's

Hello,

I'm currently learning about the active directory infrastructure and the domain name system. As I'm reading, I understood the root domain of an active directory to be the base level of a web address almost. For example, in www.google.com, the root domain would be google.com, and sub-domains would things like finance.google.com or sports.google.com. That made sense to me when i was trying differentiate between child domains and parent domains, but then when I'm reading about DNS I get confused again. DNS dissects an address such as www.example.com and says that 'www' is the hostname, the full address is the FQDN, and the root domain is the final period or '.'. That seems to contradict what active directory taught me about root domains.

I'm also confused as to why active directory domains seem to be related to web addresses. Does this imply that every single web address is linked to an active directory? And when I try to get deep into the weeds as far understanding the large scale infrastructure of microsoft.com's or facebook.com's active directory, I get too confused to even know where to start. I would really appreciate some explanation as to the difference between domains, as referenced in DNS and AD, and also clarification as to whether or not a web address and a corresponding active directory domain are related.

↧

Windows Firewall on Domain Controller

January 30, 2020, 10:57 pm

≫ Next: Kerberos and MIM

≪ Previous: Understanding DNS root domains vs Active Directory parent/root domain

Hello All,

We have 2016OS Domain Controllers in our Environment. Most of the Domain Controllers host DHCP server. Currently we have disbabled the Windows Firewall Services and we are not using firewall.

But we want to enable the Windows Firewall, I would like to know what kind of services/port which need to configure in Firewall rules to enable the DHCP Services.

Thanks HA

↧

Kerberos and MIM

February 5, 2020, 1:18 am

≫ Next: Impact in Active Directory Certificate Service - upgrade domain and forest functional level

≪ Previous: Windows Firewall on Domain Controller

Hi

I am trying to make everything authenticate with AES256 in our domain(s)
However, one service account(used with MIM) still authenticates with RC4. The traffic is between two domains. Other traffic between the domains is AES256.
I have run
ksetup /setenctypeattr <trustingdomain> RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
on both domains and verified ok in adsi edit. It also made almost everything use AES256 encryption

Also checked the service account and ticked:
"this account supports kerberos aes128bit encryption"
"this account supports kerberos aes256bit encryption"
And restarted the service on MIM server. But it still authenticates with RC4.

I checked the domain controllers and found in secpol.msc:
network security: configure encryption types allowed for kerberos
I then removed RC4 but then the MIM server started complaining with this event:

An unexpected error has occurred during a password set operation.
"BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): admaexport.cpp(4207): The Kerberos change operation failed: 0xc00002fd
ERR_: MMS(7848): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.4.1302.0"

So I guess I can't force it that way.

The service account is from 2009 and has a service principal name made with "setspn" command.
Microsoft Identity Manager Password ChangeNotification Service (PCNS) is installed on domain controllers and PCNSCFG commands has been used with the account.

Domain Functional level/Forest functional level on both domains: above 2008
Forefront Identity Manager version: 4.4.1302.0
Microsoft Identity Manager Password Change Notification Service Version: 4.3.1935.0

Just thinking of stuff that might be related.

Any thoughts?

↧

Impact in Active Directory Certificate Service - upgrade domain and forest functional level

February 5, 2020, 12:04 am

≫ Next: Windows 2003 server to Windows 2016 Server Upgrade , RDS ISSUES

≪ Previous: Kerberos and MIM

Hi,

May i know if there will be any impact on AD CS (which is installed on a different server, domain joined. Certs are being used for Exchange Server) if i will upgrade the domain and forest functional level? Currently my functional levels are Windows Server 2003, i plan to upgrade it to 2016.

Thank you

↧

Windows 2003 server to Windows 2016 Server Upgrade , RDS ISSUES

February 5, 2020, 2:55 am

≫ Next: Active Directory domaine Services error message

≪ Previous: Impact in Active Directory Certificate Service - upgrade domain and forest functional level

Dear all,

I have two Windows Server 2003 as Domain controllers with replication working very well, as they are old, i decided to upgrade them to Windows 2016 Server by creating two new windows server 2016 machine and add them into the domain as domain controller (upgrade forest functionnal level from 2003 to 2008)

For now, 2003 server are still serving and replicating to Windows 2016 servers, so now i have 4 domain controllers.The FSMO roles are still spread accross the two 2003 DCs, so the 2016 DCs are just here but that's all.

I have an RDS server which is hosting some apps, and i had the following issue, which is now solved (https://www.mysysadmintips.com/windows/servers/505-the-remote-desktop-license-server-cannot-update-event-4105).

Another issue is now present and i have problems regarding solving it.

That issue is that users who wants to log to the RDS app obtain an "acces denied" when trying to login.

If i disconnect the two 2016 DCs, the RDS login is working....

Do somebody have any idea about that issue ?Is there a version problem ?2K16 not compatible with RDS servers which are 2008 R2.. ?I'm totally stuck :(

Many thanks at all for your help !

↧