20 Thousand Logon Audit Failures on a 6 User Network - All coming from Different Workstations

March 7, 2020, 4:41 pm

≪ Previous: anyone know what kind of edition is ServerStandardACor ???

Yep. It is making me nuts.

And no matter which anti-malware solution I try to use, I can find nothing.

I have login audit failures for user A coming from workstation C and user C coming from workstation F and user B coming from workstation E - you get the idea.

I have the Account Lockout Tool from Microsoft, as well as from ManageEngine and one from Netwrix too. And they all show the same things.

If we shut down Workstation C, then the same things just move to Workstation B, A, E, and F and so on. I have firewalled off the authentication and SMB ports, shut down services, closed programs, removed old user accounts, removed Windows Credentials, and on and on and on for several days and I am at a total loss. I am ready to wipe the server and all of the machines. I have spent so much time trying to figure this one out it would have taken me less time to recreate the AD network anyway.

Any thoughts or ideas would be greatly appreciated.

Thanks

Christian Wentz President Network-iQ

↧

SQL & AD connectivity issue.

March 9, 2020, 2:18 am

≫ Next: Windows 2016 BPA error - Cannot find directory server with identity: 'UServer$'

≪ Previous: 20 Thousand Logon Audit Failures on a 6 User Network - All coming from Different Workstations

SQL & AD connectivity issue.

I have an AD (WinServer_08_R2) & a database server_Sql (WinServer_2016_R2);

While trying to connect with my database it wont connect.

But after pinging few minutes the TTL value increased from 64 to 128 and then it connects.

recently database migrated from WinServer_08_R2 to WinServer_2016_R2.

How can i connect to my sql easily without pinging?

↧

Windows 2016 BPA error - Cannot find directory server with identity: 'UServer$'

March 11, 2020, 9:35 pm

≫ Next: Domain Controller Decommission Error - can't find a GC server

≪ Previous: SQL & AD connectivity issue.

Hi Support,

When run the BPA in the Windows 2016 DC, we found one of the DC have many error as below:

Issue:
The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about the hostname DNS A/AAAA records from the DNS servers.

Impact:
The AD DS BPA will not be able to validate configuration data about the hostname DNS A/AAAA records.

Resolution:
Troubleshoot the DNS servers to determine the root cause of the problem.

When check the DirectoryServices_EngineReport, it have this error:
                          <HostNameDnsRecord>
                          <Error>
                          <Report>true</Report>
                          <DataItem>the hostname DNS A/AAAA records</DataItem>
                          <Computer>the DNS servers</Computer>
                          <Message>This element requires a valid Server Hostname</Message>
                          <FullyQualifiedErrorId>This element requires a valid Server Hostname</FullyQualifiedErrorId>
                          <Exception>
                          <Type>System.ArgumentException</Type>
                          <Message>This element requires a valid Server Hostname</Message>
                          <InnerException>
                          <Type>Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException</Type>
                          <Message>Cannot find directory server with identity: 'Server$'.</Message>

I checked DNS have the server record. Try to use ntdsutil and the server can be found. The replication on all DC is healthly.

Any idea?

Best Regards

Chong

↧

Domain Controller Decommission Error - can't find a GC server

March 11, 2020, 9:47 pm

≫ Next: DC Locator Process

≪ Previous: Windows 2016 BPA error - Cannot find directory server with identity: 'UServer$'

Hello,

We have a Windows Server SBS 2008 DC that we are trying to decommission. It also was our exchange server (2007) but we migrated to O365. We have a new Server 2012 R2 DC up and running. Ive moved the following roles to the 2012 server:

ADDS, DNS, DHCP
FSMO roles
Global Catalog Server

Now when I try to run dcpromo on the SBS server, it gets to the end and fails saying it can't find a global catalog server. Ive check the firewalls and also made sure the NIC is pointing to the new server for DNS. When I try to uninstall Exchange 2007 from the SBS server, I get the same error message stating it can't find a GC server. Does anyone have any suggestions?

Thanks.

↧

DC Locator Process

March 11, 2020, 11:48 pm

≫ Next: Network Device Enrollment Service (NDES) Fails to Issue Certificate

≪ Previous: Domain Controller Decommission Error - can't find a GC server

Hi all,

As I know that the DC locator is not enabled by default and if i enabled it, it follows the below process:

Try to find a domain controller in the same site.
If no domain controller is available in the same site, try to find a domain controller in the next closest site. A site is closer if it has a lower site-link cost than another site with a higher site-link cost.
If no domain controller is available in the next closest site, try to find any domain controller in the domain.

My question is, if I have five sites and all these sites are using the DEFAULTSITELINK with site link cost of 100. How should they pick the nearest DC when they are having the same site link and cost? Is it just randomly pick one?

Thank you.

↧

Network Device Enrollment Service (NDES) Fails to Issue Certificate

March 4, 2020, 8:13 am

≫ Next: Active Directory account look out behaviour

≪ Previous: DC Locator Process

The following links were used as references for configuring NDES on Windows Server 2016 core:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831498(v%3Dws.11)
https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx

The issuing CA is an enterprise intermediate/subordinate CA. NDES is installed on a separate server using a service account (domain user, not gMSA). The default password behavior is configured (required, max 5, expiring after an hour). A custom certificate template has been created for devices, added as a template to issue on the CA, and configured on the NDES server. Appropriate permissions have been set on the template and the CA for requesting and enrolling.

The mscep_admin page shows a password. However, requests from devices fail. The Application event log shows the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-NetworkDeviceEnrollmentService" Guid="{73144342-19D1-47A4-94DE-D38E6A054AD5}" /><EventID>29</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2020-03-04T15:12:17.367859700Z" /><EventRecordID>1647</EventRecordID><Correlation /><Execution ProcessID="3732" ThreadID="3768" /><Channel>Application</Channel><Computer>NDES-Comp-Name.foo.bar</Computer><Security UserID="S-1-5-21-701053380-3347107659-2942889231-2638" /></System><EventData Name="EVENT_MSCEP_INVALID_PASSWORD" /></Event>

The mscep.log file shows the following:

402.478.948: Begin: 3/4/2020 7:03 AM 24.845s
402.483.0: w3wp.exe
402.491.0: GMT - 8.00
2901.1286.0:<2020/3/4, 7:03:24>: 0x80004005 (-2147467259 E_FAIL)
2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): B96FCFEE D3EC2220 8077AF3F C2C46A2A 22BFBB57
2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 70553F1F 27D5F499 4493B530 038929AC 4A4AD191
2905.947.0:<2020/3/4, 7:03:24>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
2905.1055.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
2905.1497.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
2905.923.0:<2020/3/4, 7:03:25>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 4ED75197 6054E100 DAE442EC 35A46969 120EA1EF
2905.947.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
2905.1062.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
2905.1534.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
2906.1405.0:<2020/3/4, 7:03:57>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
2902.419.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
2905.4738.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
2905.3690.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
2905.5284.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
2905.5823.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
2905.5799.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
2905.1864.0:<2020/3/4, 7:03:57>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION)
2905.1865.0:<2020/3/4, 7:03:57>: 0x3 (WIN32: 3 ERROR_PATH_NOT_FOUND)
2905.1866.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
2905.1867.0:<2020/3/4, 7:03:57>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
2905.2006.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Various sources recommend enabling the CAPI2 log. However, that does not show any warnings or errors related to the attempt. Are there any other logs worth examining?

↧

Active Directory account look out behaviour

March 12, 2020, 3:31 am

≫ Next: PSO number of passwords remembered not working

≪ Previous: Network Device Enrollment Service (NDES) Fails to Issue Certificate

Hi Team,

I have some doubts in the AD 2019 user account lock out issue.

I have two user say user1 and user2 in AD with account lockout settings of 3 wrong password.

user1 tries to login with wrong password 2 times.
then user2 login with correct credentials and log out.
again user1 tries to login 2 times with wrong password(Totally 4 times wrong password)
still no account lock out for user1

The account lock out will happen if it exceeds 3 times consecutively. That is in a single attempt.

If any other user logged in the middle means , the previous count of wrong password is getting reset.

Could you please confirm on this behavior, also if possible please share official link to understand it properly.

Thanks in Advance.

Regards,

Venkadesh

↧

PSO number of passwords remembered not working

March 12, 2020, 8:56 am

≫ Next: Setting up AD lightweight services

≪ Previous: Active Directory account look out behaviour

I am working with a domain using several Password Settings Objects applied to groups. Everything seems to be working except for the Enforce password history - Number of passwords remembered feature. I can verify a user that has the other features like password complexity and expiration working but not the password history. How can I verify this setting is being applied or diagnose the issue?

Thanks

↧

Setting up AD lightweight services

March 12, 2020, 10:43 am

≫ Next: SamAccountName

≪ Previous: PSO number of passwords remembered not working

Server 2016.

I tried creating a lightweight instance with both creating a partition and without creating one.

How do I add users that can use the lightweight services and restrict access?

Thanks

↧

SamAccountName

March 12, 2020, 10:47 am

≫ Next: Raise domain functional level without domain FSMO available

≪ Previous: Setting up AD lightweight services

Hi Experts

I am using Windows Server 2012R2, Our UPN's and SamAccount Names are same, but i have a requirement for one user who SamAccount name is 18 characters, can i have a SamAccount Name of 18 characters, i remember it supports up to 15 but not sure.

↧

Raise domain functional level without domain FSMO available

March 12, 2020, 11:26 am

≫ Next: Error connection client to new domain.

≪ Previous: SamAccountName

Hi Experts

We need raise domain functional level of 2003 to 2012 R2, but mi domain controller FSMO is death, is crash.

Is possible move the roles to another domain controller server without this server?

I try move the roles and i see this warnings:

Thank you so much!!

Ing Carlos Pernia.

↧

Error connection client to new domain.

March 10, 2020, 9:57 am

≫ Next: Our DFS namespace server crashed, how can I add a new namespace server with dfsutil if I cant access the DFS from console

≪ Previous: Raise domain functional level without domain FSMO available

I'm new working with server and i'm trying to connection a client with a new domain. The name of this domain is for example: microsoft and complete name is microsoft.com.

In my client dns i change it the first one for the IP of my Server. So when i try to join the client to domain server only with microsoft aske me for my user and my password, i insert all data and after that get a error about cant solved the name DNS, but if i try to connect the client with microsoft.com i get another error: error 0x0000232B RCODE_NAME_ERROR).

Say the DNS not exist. i dont know if i have to create or configurate the DNS from my server. I read a lot in a many pages but i cant solved. i really appreciate any help!.

Aditional note: I cant ping microsoft.com, but i can create a new dns with the name microsoft.com and ping but nothing change with the error.

↧

Our DFS namespace server crashed, how can I add a new namespace server with dfsutil if I cant access the DFS from console

March 12, 2020, 3:22 pm

≫ Next: Event ID 1005 - ADWS on domain controller 2016.

≪ Previous: Error connection client to new domain.

Our DFS namespace server crashed and now the DFS is innaccesible from DFS management console, it wont let me add a new namespace server. How can I add a new DFS namespace server from DFSUtil or other utility? and what would be the procedure

↧

Event ID 1005 - ADWS on domain controller 2016.

March 3, 2020, 2:40 am

≫ Next: Unable to connect to domain

≪ Previous: Our DFS namespace server crashed, how can I add a new namespace server with dfsutil if I cant access the DFS from console

Hi,

I am getting Event ID 1005 - ADWS on domain controller 2016.

Detail :

Active Directory Web Services could not change its advertising state. The Netlogon service might not be running. Restart Netlogon and then restart Active Directory Web Services.

Desired state: True

Pls help me solve this problem.

Thanks and best your regard.

↧

Unable to connect to domain

March 7, 2020, 9:44 pm

≫ Next: Linux server Join Active Directory Domain

≪ Previous: Event ID 1005 - ADWS on domain controller 2016.

I just recently created a AD DS and I can't seam to join from another computer on my network. I believe it to be a dns issue because im not able to ping the domain But I can't seam to figure out what it is.

↧

Linux server Join Active Directory Domain

March 12, 2020, 6:18 pm

≫ Next: AD Migration from 2008 with DFL-2003 and FFL-2003 to 2016 server

≪ Previous: Unable to connect to domain

I have a requirement to configure Kerberos for my application. Application is hosted on linux server and when I tried to join the Active directory using linux realmd it is asking for Administrator password. I don't want to use the default Administrator account as it points to entire directory . If i create a separate administrator account (say TestAdmin) and give access to only one linux server , Is it possible to join Active Directory ?

↧

AD Migration from 2008 with DFL-2003 and FFL-2003 to 2016 server

March 9, 2020, 5:52 am

≫ Next: RODC Setup with two domains

≪ Previous: Linux server Join Active Directory Domain

Team

i have rather a funny scenerio where i want to migrate my current AD running on server 2008 R2 with Domain Functional Level 2003 and Forest functional level 2003 to windows server 2016. the problem is when i try to promote the 2016 server, i get a message that " the server cannot be promoted on a windows 2000 server forest function level" which i even dont have on my entire network. is there a way i can proceed from here??

i have tried to run adrep no changes .. help

↧

RODC Setup with two domains

March 3, 2020, 9:01 pm

≫ Next: Upgrade Domain Controller

≪ Previous: AD Migration from 2008 with DFL-2003 and FFL-2003 to 2016 server

Hi All,

We have two domains and trying to setup the trust and allow users login to ABC RODC in DMZ.

So computers are xyz domain joined but users are login to abc domain. Do i have to set only RODC IP in client DNS?

Will this setup works or any better solution? I got around 1000+ user/computers in xyz.

↧

Upgrade Domain Controller

March 6, 2020, 12:59 pm

≫ Next: The server with this IP address is not authoritative for the required zone?

≪ Previous: RODC Setup with two domains

Hi!

What is the simplest way to upgrade a Microsoft Domain Controller from 2008R2 to 2019 version?

Should I migrate from version to version (ex: from 2008 to 2012, then from 2012 to 2016 and so on) or can I upgrade directly to the latest version?

Are DNS and DHCP services running on the same DC server is impacted during this upgrade procedure? Should they also under go a specific procedure during this upgrade?

tks!

Bruno

↧

The server with this IP address is not authoritative for the required zone?

March 7, 2020, 1:48 am

≫ Next: ADDS to integrate to existing Domain Name System

≪ Previous: Upgrade Domain Controller

Hi team,

I created two Forest with 1 DC in both. Checked Reverse Lookup zone is created. The issue I'm facing is with conditional Forwarders which is on entering the IP address, I'm getting "The server with this IP address is not authoritative for the required zone" . The other point is once Forwarder is created and when I open the conditional forwarder and then edit the record , there its working fine. So, I'm confused why its throwing this error , am I missing some configuration ?

↧