Channel: Directory Services forum

[VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing


Hi,

This is with regard to the Microsoft advisory:

[VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

Does this mean implementing either signing for Windows clients and servers, or implementing LDAPS?

Applications using LDAP are mixed: Windows, Linux and other appliances.

Thanks!


Replication issue between the Sites DCs


Hi guys, we have a domain and two sites: one head office and a branch in a different city. The head office has two DCs, DC1 and DC2, on Windows 2008 R2, and there is also DC3 in the branch on Windows 2008 R2. Now the issue is that there is no replication between the branch and the head office; once I dug into the issue I found KCC events. The scenario is as follows.

VPN link is ok between the sites.

DCs can ping each other with IP and Names.

net view \\DC1 and net view \\DC2 are fine, and vice versa.

But net view \\DC1 or \\DC2 from the branch office DC3 shows errors. It's like we can't access shared folders from the branch office, and also from the head office DCs to the branch.

The attempt to establish a replication link for the following writable directory partition failed. 
 
Directory partition: 
DC=Domain,DC=com 
Source directory service: 
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Headoffice,CN=Sites,CN=Configuration,DC=Domain,DC=com 
Source directory service address: 
k826e336-99a7-4g2d-bdab-113db2a0f5f6._msdcs.domain.com 
Intersite transport (if any): 
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Domain,DC=com
 
This directory service will be unable to replicate with the source directory service until this problem is corrected. 
 
User Action 
Verify if the source directory service is accessible or network connectivity is available. 
 
Additional Data 
Error value: 
1722 The RPC server is unavailable.

DCDIAG failed system log


We have a newly promoted domain controller that's our first 2019 box in the domain. Our other DC is a 2012 R2 box (we've migrated to DFS-R already). After promoting it to a DC I ran DCDIAG and got the following error, so I manually created the CNAME record under the _msdcs forward lookup zone, but the error persists.

I have both domain controllers pointing to each other as the primary DNS and I’m using the loopback for the secondary and they can ping to each other. Also, I can ping “89d723f5-4355-4bc2-9854-705d364a2abf._msdcs.NY.domain.com” successfully.

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = OSTDC

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\OSTDC

      Starting test: Connectivity

         ......................... OSTDC passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\OSTDC

      Starting test: Advertising

         ......................... OSTDC passed test Advertising

      Starting test: FrsEvent

         ......................... OSTDC passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... OSTDC passed test DFSREvent

      Starting test: SysVolCheck

         ......................... OSTDC passed test SysVolCheck

      Starting test: KccEvent

         ......................... OSTDC passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... OSTDC passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... OSTDC passed test MachineAccount

      Starting test: NCSecDesc

         ......................... OSTDC passed test NCSecDesc

      Starting test: NetLogons

         ......................... OSTDC passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... OSTDC passed test ObjectsReplicated

      Starting test: Replications

         ......................... OSTDC passed test Replications

      Starting test: RidManager

         ......................... OSTDC passed test RidManager

      Starting test: Services

         ......................... OSTDC passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:19:59

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:19:59

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:19:59

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x000727A5

            Time Generated: 02/05/2020   15:21:22

            Event String:

            The WinRM service is not listening for WS-Management requests. 


         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:22:20

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:22:20

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:22:20

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         An error event occurred.  EventID: 0x0000168E

            Time Generated: 02/05/2020   15:22:54

            Event String:

            The dynamic registration of the DNS record '89d723f5-4355-4bc2-9854-705d364a2abf._msdcs.NY.domain. 600 IN CNAME OSTDC.NY.domain.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x00002710

            Time Generated: 02/05/2020   15:23:00

            Event String:

            Unable to start a DCOM Server: {9C38ED61-D565-4728-AEEE-C80952F0ECDE}. The error:


         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 02/05/2020   15:23:10

            Event String:

            A timeout was reached (30000 milliseconds) while waiting for the ADWS service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 02/05/2020   15:23:10

            Event String:

            The ADWS service failed to start due to the following error: 


         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 02/05/2020   15:23:11

            Event String:

            A timeout was reached (30000 milliseconds) while waiting for the Windows Agent Service service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 02/05/2020   15:23:11

            Event String:

            The Windows Agent Service service failed to start due to the following error: 


         A warning event occurred.  EventID: 0x00001796

            Time Generated: 02/05/2020   15:27:36

            Event String:

            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 02/05/2020   16:07:17

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'NY.domain.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         ......................... OSTDC failed test SystemLog

      Starting test: VerifyReferences

         ......................... OSTDC passed test VerifyReferences

   
   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ost-ny

      Starting test: CheckSDRefDom

         ......................... ost-ny passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ost-ny passed test CrossRefValidation

   
   Running enterprise tests on : NY.domain

      Starting test: LocatorCheck

         ......................... NY.domain passed test

         LocatorCheck

      Starting test: Intersite

         ......................... NY.domain passed test

         Intersite



Windows 2003 server to Windows 2016 Server Upgrade , RDS ISSUES


Dear all,

I have two Windows Server 2003 machines as domain controllers with replication working very well. As they are old, I decided to upgrade them to Windows Server 2016 by creating two new Windows Server 2016 machines and adding them to the domain as domain controllers (upgrading the forest functional level from 2003 to 2008).

For now, the 2003 servers are still serving and replicating to the Windows 2016 servers, so now I have 4 domain controllers. The FSMO roles are still spread across the two 2003 DCs, so the 2016 DCs are just there, but that's all.

I have an RDS server which is hosting some apps, and I had the following issue, which is now solved (https://www.mysysadmintips.com/windows/servers/505-the-remote-desktop-license-server-cannot-update-event-4105).

Another issue is now present and I have problems solving it.

That issue is that users who want to log in to the RDS app obtain an "access denied" when trying to log in.

If I disconnect the two 2016 DCs, the RDS login works....

Does somebody have any idea about that issue? Is there a version problem? Is 2K16 not compatible with RDS servers which are 2008 R2..? I'm totally stuck :(

Many thanks to all for your help!


Azure AD pass-through authentication

Hi,

I currently use ADFS for SSO authentication.

The screen that appears for external users is a popup window for entering user and password.

When we change to (Azure AD pass-through authentication) which screen will be presented to external users?

Internal users will continue to log in via SSO when already logged into the internal network, right? Just include the site in the IE GPO as is done for ADFS.

Can someone show me the screen that appears when the external user connects to the O365 portal using Azure AD pass-through authentication?

Thanks.

Delegation not working (Helpdesk users to unlock admin user's Accounts (customized without domain admin))


Hi,

We have a requirement where a security group of helpdesk users is required to unlock admin accounts. I understand that if the user is a member of Domain Admins then it is not possible to delegate the permission to reset/unlock his/her account to a helpdesk user.

However, in our case most of the admin users are not members of Domain Admins, and when we delegate the rights to the helpdesk group to be able to "Read LockoutTime" and "Write LockoutTime", the helpdesk is able to unlock normal users but not able to unlock admin accounts (customized power users).

Can you please shed some light on how this works and what I am missing here...

Referenced Links...

https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700835(v=technet.10)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)?redirectedfrom=MSDN


Junaid Abrar

Adding machine to AD Domain.


Hello,

We are trying to add a Windows 10 machine (winver 1809) to the AD domain.

Adding the machine to the domain is successful, but the domain root certificate is NOT getting added to MMC -> Certificates -> Trusted Root Certificate Authorities.

Can anybody please help us understand why/what might be blocking the addition of the domain certificate?

With best regards.



After updating Exchange 2016 to latest CU 15, having major DNS errors!


Hello All,

I have a network that was upgrading their Exchange to the latest CU 15. During the upgrade the process stopped around 98%. They rebooted the servers (Exchange 2016, PDC running CA and a secondary DC running DNS) and when they came back up there were major issues. The first and foremost is (I think) an RPC error 1722 between the PDC and the secondary DC. I have run all the dcdiag tests along with dtcping and each shows the RPC error 1722. This is where it gets interesting. Most of the tests will come back that they have passed (except for the 1722 error). After digging into the system for the day I found that the security settings for the secondary as well as the primary DNS servers are showing SIDs for about half of their accounts. The on-site Enterprise CA is not working, with RPC server unavailable errors. The on-premise Exchange 2016 server will not boot due to this issue either. Under Server Manager, when trying to access the other DC, I receive a "target not accessible" error message. There are DCOM 10028 errors about connecting to the other servers (unable to communicate using any of the configured protocols). It looks like DC1 (which is the PDC-Em) holds the RID/PDC/Infra roles (according to itself) when looked at from the ADU&C snap-in. On DC2 it shows unknown for each.

1: The last event viewer entries on DC 1 & 2 show that Active Directory Web Services is servicing the directory instance as GC, LDAP & SSL.

2: DFSR is showing 1727 on each DC. It reported that the last time it worked was about noon today.

3: Port Query shows port 135 (epmap) listening on both servers. It lists 120+ endpoints for each server.

4: DNS was/is signed. I can remove from DC1 DNS and reapply, but not from DC2 (I tried to remove and transfer the Key Master role to no avail).

5: I have tried to reset the machine and user account passwords.

What am I missing???

 


Devin


Clients not authenticate with RODC


Hi All,

I have set up the lab for RODC testing. But I didn't create the RODC account before promoting the server to RODC.

I have noticed that users do not log on to the RODC.

The site is configured and users are added to the PRP.

When I run set l it's showing the RWDC?

Client PC:

Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\itlabuser1>set l
LOCALAPPDATA=C:\Users\itlabuser1\AppData\Local
LOGONSERVER=\\APDC01

C:\Users\itlabuser1>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : AP-PCN-Client01
   Primary Dns Suffix  . . . . . . . : ap.lan
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ap.lan

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-D6-E5-67
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.3.150(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1
   DNS Servers . . . . . . . . . . . : 192.168.3.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{82F08C32-390B-48E7-B846-81AA0E0472AB}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\itlabuser1>nltest /server:rodc01 /dsgetsite
AP-PCN
The command completed successfully

C:\Users\itlabuser1>nltest /server:apdc01 /dsgetsite
Default-First-Site-Name
The command completed successfully

C:\Users\itlabuser1>nltest /server:ap-pcn-client01 /dsgetsite
Default-First-Site-Name
The command completed successfully

C:\Users\itlabuser1>

RODC:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : RODC01
   Primary Dns Suffix  . . . . . . . : ap.lan
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ap.lan

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-6D-4D-6B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.3.100(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1
   DNS Servers . . . . . . . . . . . : 192.168.1.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

DCdiag:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = RODC01

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: AP-PCN\RODC01

      Starting test: Connectivity

         ......................... RODC01 passed test Connectivity



Doing primary tests

   
   Testing server: AP-PCN\RODC01

      Starting test: Advertising

         ......................... RODC01 passed test Advertising

      Starting test: FrsEvent

         ......................... RODC01 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... RODC01 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... RODC01 passed test SysVolCheck

      Starting test: KccEvent

         ......................... RODC01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... RODC01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... RODC01 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... RODC01 passed test NCSecDesc

      Starting test: NetLogons

         ......................... RODC01 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... RODC01 passed test ObjectsReplicated

      Starting test: Replications

         ......................... RODC01 passed test Replications

      Starting test: Services

         ......................... RODC01 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 02/10/2020   23:28:48

            Event String:

            A timeout was reached (30000 milliseconds) while waiting for the ADWS service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 02/10/2020   23:28:48

            Event String:

            The ADWS service failed to start due to the following error: 


         ......................... RODC01 failed test SystemLog

      Starting test: VerifyReferences

         ......................... RODC01 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ap

      Starting test: CheckSDRefDom

         ......................... ap passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ap passed test CrossRefValidation

   
   Running enterprise tests on : ap.lan

      Starting test: LocatorCheck

         ......................... ap.lan passed test LocatorCheck

      Starting test: Intersite

         ......................... ap.lan passed test Intersite

As

 

  

Computer account behaviour if it enabled after 50 days


I have set up a script that disables computer accounts if they have not been used in 90 days. Here my query is: if I enable an account that was disabled 50 days ago, what will the computer account behaviour be?

Will it give an error, or will we be able to log in successfully?

Design Overview Poster


Hi,

I am looking for a "poster" that shows all port openings with arrows between Domain Controllers and Windows 10 clients / Windows Servers.

Are there any official Microsoft posters?

Thanks for replying

/Regards

Andreas

Password not required flag set to true on defaultaccounts


Hello Everyone,

I was checking my domain for blank passwords. I found more than 100 users with the Passwd_NotReqd flag set to true.

Before setting it to false, I would like to know if there are any users in AD (2008 R2) which will have the Passwd_NotReqd flag set to true by default.

What should I consider before setting the flag to false?

Kindly advise. Thanks!!

Unable to find cause of account lockouts


We are having accounts get locked out. From the logs on the DC, in the security log, we see event ID 4776 for these users but the source workstation is blank. On the DC we have the netlogon log and I can see an entry saying it's coming from our Wi-Fi RADIUS server; on the RADIUS server there is an entry in its netlogon log, however it doesn't tell me where the attempt is coming from, and the RADIUS logs themselves don't have any entries related to the users getting locked out. Is there any way I can tell what's causing this?



DC

02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\USER from  (via RADIUSSVR) Entered

02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\USER from  (via RADIUSSVR) Returns 0xC000006A



Radius server

02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\USER from  Entered

02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\USER from  Returns 0xC000006A


Jason
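Walking the netlogon.log hops by hand is the dead end Jason describes: the DC only records the forwarder, so each hop's own log has to be read in turn. The parser below is an added example and not part of the post; it extracts the account, the (often blank) source workstation, the "via" forwarder and the NTSTATUS from SamLogon lines and groups failures per account. The regex and the NTSTATUS table are constructed for the line format quoted in the post, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Netlogon.log "SamLogon" line layout (regex constructed for the lines shown in the post):
#   MM/DD HH:MM:SS [LOGON] [tid] <DcDomain>: SamLogon: [Transitive ]Network logon of
#       DOMAIN\user from <workstation> [(via <forwarder>)] Entered | Returns 0x<NTSTATUS>
# The workstation field is frequently empty (as in the post); "(via X)" names the
# server that forwarded the request, i.e. the next hop whose log must be checked.
SAMLOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] "
    r"(?:(?P<dc_domain>\S+): )?SamLogon: "
    r"(?P<transitive>Transitive )?Network logon of (?P<account>\S+) "
    r"from\s*(?P<workstation>[^\s(]*)\s*"
    r"(?:\(via (?P<via>\S+)\)\s*)?"
    r"(?:(?P<entered>Entered)|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)

# Common NTSTATUS values seen on "Returns" lines (a subset; unknown codes stay as hex).
NTSTATUS_NAMES = {
    "0x0": "STATUS_SUCCESS",
    "0xC000005E": "STATUS_NO_LOGON_SERVERS",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC000006D": "STATUS_LOGON_FAILURE",
    "0xC000006E": "STATUS_ACCOUNT_RESTRICTION",
    "0xC000006F": "STATUS_INVALID_LOGON_HOURS",
    "0xC0000072": "STATUS_ACCOUNT_DISABLED",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}


def parse_samlogon(line):
    """Parse one SamLogon line; return a dict, or None for lines that are not SamLogon events."""
    m = SAMLOGON_RE.match(line.strip())
    if not m:
        return None
    status = m.group("status")
    if status is not None:
        # Normalise "0xc000006a" / "0x00000000" to the form used in NTSTATUS_NAMES.
        status = "0x" + (status[2:].upper().lstrip("0") or "0")
    return {
        "ts": m.group("ts"),
        "account": m.group("account"),
        "transitive": m.group("transitive") is not None,
        "workstation": m.group("workstation"),   # "" when the client name was not passed on
        "via": m.group("via"),                   # None when the DC was contacted directly
        "status": status,                        # None on "Entered" lines
        "status_name": NTSTATUS_NAMES.get(status, status) if status else None,
    }


def failed_logons(lines):
    """Return the parsed "Returns" records whose NTSTATUS is not success."""
    out = []
    for line in lines:
        rec = parse_samlogon(line)
        if rec and rec["status"] and rec["status"] != "0x0":
            out.append(rec)
    return out


def lockout_sources(lines):
    """Per account: failure count, (workstation, forwarder) pairs seen, and status names.

    A blank workstation together with a "via" host means this DC only knows the
    forwarder; that host's netlogon.log (or the RADIUS/NPS accounting log) is the
    next place to look for the real client.
    """
    summary = defaultdict(lambda: {"failures": 0, "sources": set(), "codes": set()})
    for rec in failed_logons(lines):
        s = summary[rec["account"].upper()]
        s["failures"] += 1
        s["sources"].add((rec["workstation"] or "<blank>", rec["via"] or "<direct>"))
        s["codes"].add(rec["status_name"])
    return dict(summary)


# Sample input: the DC and RADIUS-server lines quoted in the post, plus one
# constructed line that carries a workstation name and a lockout status.
SAMPLE_LINES = [
    r"02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\USER from  (via RADIUSSVR) Entered",
    r"02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\USER from  (via RADIUSSVR) Returns 0xC000006A",
    r"02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\USER from  Entered",
    r"02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\USER from  Returns 0xC000006A",
    r"02/05 07:55:02 [LOGON] [2452] XXXXX: SamLogon: Network logon of XXXXX\USER from WS-LAPTOP17 Returns 0xC0000234",  # constructed
]

if __name__ == "__main__":
    for account, info in lockout_sources(SAMPLE_LINES).items():
        print(account, info["failures"], sorted(info["sources"]), sorted(info["codes"]))
```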

DFSR SYSVOL folder not replicating


Hello all,

I have inherited a Server 2012 Essentials environment at a customer's, and I am currently trying to migrate to Server 2019 Standard. From all I read it should be a normal procedure except for leaving the FSMO roles up to the last minute. I checked that sysvol replication was on DFSR and then introduced the new DC. Regular AD replication is fine (repadmin reports all DCs up to date). However, sysvol was not being replicated and I went to check deeper.

SYSVOL looks complete, junction points are good, state of DFSRMIG is "eliminated" so DFSR should be used. Now the new DC is waiting for initial sync, and the old DC shows no errors, but it seems the sysvol folder is simply not a known replicated folder on that system.

As sysvol is basically healthy, I did a backup of the files and tried the steps in this article: 

https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

It goes well up to the point where I should see event 4602 in the DFSR event log of the authoritative DC after doing the dfsrdiag pollad. Checking with
wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

on the old DC (of course after reverting the ADSI changes) I get "No instance(s) available". I found that this problem can occur when the DFSR database is corrupt after disk problems, but neither have I found any indication of this (there should be a warning 2213 or such in the event logs, but there isn't) nor am I able to "ResumeReplication" on any of the GUIDs I found in the DFSR config (in System Volume Information). I tried the folder GUID, the replication group GUID as well as the volume GUID, but each attempt only reports "no instances available".

Further checking the DFSR config files, it seems as though the replication group is known; I can also see it in the DFSR console. Running a health report there, I get a message which basically says the same as "no instances available", namely that the folder is not in a replicated state on the original DC.

Now I am faced with a decision to either try to repair the state of the original DC or (without being sure this is possible) force the new DC to just skip initial sync and let me seed the sysvol manually. So I have two questions and I really hope anyone can help me out here.

1. Is there any obvious solution I am missing in my attempt to repair the DFSR on the old DC?

2. Can I force the new DC to skip initial sync by making it authoritative? Then just copy the sysvol contents where they belong? Has anyone tried this on a completely new DC? I am wondering about the implications here and how to go about sharing the SYSVOL and NETLOGON as those are not shared right now, of course.

Thanks everyone in advance!

Claudia

Need to purchase Exchange Server CAL if AD CAL exist


Hi

I have a Windows Server with 50 user CALs and now want to add an Exchange Server 2016 to the same domain.

Do I also need to buy 50 Exchange Server CALs?

Are the 50 CALs for the AD server not enough?



Can we use 2FA (two-factor authentication) on Windows Server Active Directory?


Can we use 2FA (two-factor authentication) on Windows Server Active Directory?

Domain Join with RODC in DMZ


Hi All,

We are planning to create a one-way trust and put an RODC in the trusting forest's DMZ. All the AD firewall ports are going to be open.

I can add users to the RWDC and add them to the PRP Allow group for password caching.

But how does computer domain join work with the RODC?

 As

  

LDAP Channel Binding and Signing issue


I am having issues with Macs connecting to the domain and I just want to understand what the error message means. 

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. 
Client IP address:
10.63.10.23:55885 
Identity the client attempted to authenticate as:
Domain\test-mac$ 
Binding Type:
0

Plus, I am seeing some services connect with Binding Type: 1

When I force the Mac to use signing, it just doesn't connect: dsconfigad -packetencrypt ssl or dsconfigad -packetsign require.

Is this an actual issue that I need to be worried about or what?

Thank you
Charles
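The event 2889 entries Charles quotes are also the raw material for answering the ADV190023 question earlier on this page: every identity logged with Binding Type 0 or 1 is a client that will stop authenticating once the DC requires signing. The script below is an added example, not code from the post or from Microsoft; it parses the three fields of the event text and groups them by identity into a work queue. The field regexes are constructed for the event text shown, and the second sample event is constructed.

```python
import re
from collections import defaultdict

# Event 2889 (Directory Service log) is written per offending bind once the
# "16 LDAP Interface Events" diagnostic is set to 2. Three fields of its body matter
# for an ADV190023 inventory (regexes constructed for the text shown in the post).
FIELD_RES = {
    "client": re.compile(r"Client IP address:\s*(\S+)"),
    "identity": re.compile(r"Identity the client attempted to authenticate as:\s*(\S+)"),
    "binding_type": re.compile(r"Binding Type:\s*(\d)"),
}

# Meaning of Binding Type and what each bind needs before signing is enforced.
BINDING_TYPES = {
    0: ("SASL bind without signing",
        "client must request signing (or use LDAPS) before 'Require signing' is set"),
    1: ("simple bind over clear text",
        "rejected once signing is required; move the app to LDAPS or StartTLS"),
}


def split_client(client):
    """Split 'ip:port' (IPv4, or [ipv6]:port) into (ip, port)."""
    host, _, port = client.rpartition(":")
    return host.strip("[]"), int(port)


def parse_event_2889(text):
    """Extract client address, identity and binding type; None if any field is missing."""
    fields = {}
    for key, rx in FIELD_RES.items():
        m = rx.search(text)
        if not m:
            return None
        fields[key] = m.group(1)
    ip, port = split_client(fields["client"])
    btype = int(fields["binding_type"])
    label, action = BINDING_TYPES.get(btype, ("unknown binding type", "investigate"))
    return {"ip": ip, "port": port, "identity": fields["identity"],
            "binding_type": btype, "bind": label, "action": action}


def inventory(events):
    """Group parsed events by identity: the client IPs and binding types seen for each.

    Identities are compared case-insensitively because the event reports the name
    exactly as the client sent it. The result is the list of machines and service
    accounts to fix (or move to LDAPS) before the DC policy is changed.
    """
    table = defaultdict(lambda: {"ips": set(), "binding_types": set()})
    for text in events:
        rec = parse_event_2889(text)
        if rec is None:
            continue
        entry = table[rec["identity"].lower()]
        entry["ips"].add(rec["ip"])
        entry["binding_types"].add(rec["binding_type"])
    return dict(table)


# Sample input: the event text quoted in the post, plus one constructed type-1 event.
EVENT_FROM_POST = """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.63.10.23:55885
Identity the client attempted to authenticate as:
Domain\\test-mac$
Binding Type:
0"""

EVENT_CONSTRUCTED = """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.63.10.50:49201
Identity the client attempted to authenticate as:
Domain\\svc-ldapapp
Binding Type:
1"""

if __name__ == "__main__":
    for identity, info in inventory([EVENT_FROM_POST, EVENT_CONSTRUCTED]).items():
        print(identity, sorted(info["ips"]), sorted(info["binding_types"]))
```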

Event ID for Changes to AD User "Job Title" and "Manager" in Organization Tab


Hello,

I am trying to monitor changes to AD users, but I can't seem to find the event ID that generates when a change to User's job title/manager is made. If anyone knows which event ID monitors this, please share.

I have tested 4738 and several others, but they don't seem to generate any events even after enabling the user-account-related audit policies.

Thanks

Gpupdate Error


Hi,

I am getting the below error when running gpupdate on Server 2012. How do I address the below issue?

Please provide me with step-by-step troubleshooting.

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\at.com\sysvol\at.com\Policies\{12B347vA-366A-4229-AA4B-9B858242B3AB}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

 
