Hi All,
OS - Windows Server 2008 R2 Standard
What do you mean by SELF in the DNS Zone Security Setting (Access Control List)?
Please see the print-screen for more info.
Thanks & Regards,
Param
www.paramgupta.blogspot.com
I keep getting dozens of failed login attempts (event id 4625) for various users in AD. All are valid user names.
Here's one of the messages:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: [DCNAME]$
Account Domain: [DOMAINNAME]
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [USERNAME]
Account Domain: [DOMAINNAME]
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x4cc
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: CHAP
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
One of the users that this is happening with wasn't here for a day last week. She turns her computer off each day before she leaves. There were no failed login attempts for her on that day. This tells me that there's probably something on her computer that's generating the failed login attempts. Aside from an Android phone and an iPad, there are no third-party devices attached to her computer.
Any ideas?
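Added example (not from the post): a small Python triage script for a batch of 4625 message bodies in the layout quoted above. It parses the section/field layout, decodes the Sub Status (0xC000006A is STATUS_WRONG_PASSWORD, i.e. the account exists but the password was wrong, which matches "all are valid user names") and flags accounts whose failures are all wrong-password, the signature a device retrying a saved, now stale, password leaves behind. The event bodies, account names and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# NTSTATUS values seen in the Status / Sub Status fields of event 4625.
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE",
    "0xc000006a": "STATUS_WRONG_PASSWORD",  # account exists, password wrong
    "0xc0000064": "STATUS_NO_SUCH_USER",    # account name does not exist
}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information", "Detailed Authentication Information"}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?)\s*:(.*)$")

def parse_4625(text):
    """Parse one 4625 message body into {section: {field: value}}."""
    event, section = {}, "Header"
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                    # e.g. "An account failed to log on."
        field, value = m.group(1), m.group(2).strip()
        if field in SECTIONS:           # bare header line opens a new section
            section = field
            event.setdefault(section, {})
        else:                           # fields may be empty (Workstation Name)
            event.setdefault(section, {})[field] = value
    return event

def triage_4625(bodies, threshold=3):
    """Count failures per target account and flag accounts whose failures are all
    wrong-password: the pattern a device retrying a saved, stale password leaves."""
    stats = defaultdict(lambda: {"failures": 0, "reasons": set(),
                                 "logon_process": set(), "sources": set()})
    for body in bodies:
        ev = parse_4625(body)
        tgt = ev.get("Account For Which Logon Failed", {})
        s = stats[f"{tgt.get('Account Domain', '?')}\\{tgt.get('Account Name', '?')}"]
        sub = ev.get("Failure Information", {}).get("Sub Status", "").lower()
        s["failures"] += 1
        s["reasons"].add(NTSTATUS.get(sub, sub))
        s["logon_process"].add(ev.get("Detailed Authentication Information", {}).get("Logon Process", "?"))
        s["sources"].add(ev.get("Network Information", {}).get("Source Network Address") or "-")
    for s in stats.values():
        s["stale_credential_suspect"] = (s["failures"] >= threshold
                                         and s["reasons"] == {"STATUS_WRONG_PASSWORD"})
    return dict(stats)

def sample_event(user, sub_status, logon_process, source="-"):
    """Constructed 4625 body in the layout quoted in the post (not real log data)."""
    return f"""An account failed to log on.
Subject:
Account Name: DC01$
Account For Which Logon Failed:
Account Name: {user}
Account Domain: CORP
Failure Information:
Sub Status: {sub_status}
Network Information:
Workstation Name:
Source Network Address: {source}
Detailed Authentication Information:
Logon Process: {logon_process}
"""

# Three stale-password retries for one user plus one probe for a non-existent name (constructed).
SAMPLE = [sample_event("jsmith", "0xc000006a", "CHAP")] * 3 + [sample_event("nobody", "0xc0000064", "NtLmSsp", "10.0.0.77")]
```

Run it over the real bodies exported from the DC's Security log; an account that is flagged with a single Logon Process and no source address is the one to chase on its owner's devices.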
Dear all,
I have a third-party application which holds an independent list of all my AD users, and there is a requirement to store the unique identifier into a select group of AD attributes for each user object. Unfortunately this application does not allow the use of custom attributes, and most of the supported attributes are already in use, except Personal-Title. However, I am unable to find any detailed information on this particular attribute so that I can investigate whether it may be required in the future, for example if I decided to use another Microsoft application or feature.
The attributes which were also available are:
Title; manager; wWWHomePage; proxyAddresses.
However I may need to use any one of these in the future.
I am trying to figure out what is wrong with my AD DS Config. I ran dcdiag. The results were:
C:\Users\Administrator>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = R210_1_2K12
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\R210_1_2K12
Starting test: Connectivity
......................... R210_1_2K12 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\R210_1_2K12
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... R210_1_2K12 passed test DNS
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : bcas-tbf
Running enterprise tests on : bcas-tbf.local
Starting test: DNS
Test results for domain controllers:
DC: R210_1_2K12.bcas-tbf.local
Domain: bcas-tbf.local
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Records registration (RReg)
Network Adapter [00000017] Hyper-V Virtual Ethernet Adapter:
Warning:
Missing AAAA record at DNS server 172.16.0.202:
R210_1_2K12.bcas-tbf.local
Warning:
Missing AAAA record at DNS server 172.16.0.202:
gc._msdcs.bcas-tbf.local
Warning:
Missing AAAA record at DNS server ::1:
R210_1_2K12.bcas-tbf.local
Warning:
Missing AAAA record at DNS server ::1:
gc._msdcs.bcas-tbf.local
Warning: Record Registrations not found in some network adapters
R210_1_2K12 PASS WARN PASS PASS PASS WARN n/a
......................... bcas-tbf.local passed test DNS
IPCONFIG info:
C:\Users\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : R210_1_2K12
Primary Dns Suffix . . . . . . . : bcas-tbf.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bcas-tbf.local
Ethernet adapter vEthernet (Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #36 - Virtual Switch):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-26-B9-7E-81-74
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::bda9:1a28:974a:5fc3%19(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.0.202(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.0.1
DHCPv6 IAID . . . . . . . . . . . : 335554233
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-0A-52-45-00-26-B9-7E-81-75
DNS Servers . . . . . . . . . . . : ::1
172.16.0.202
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{AE70C63E-0A8A-4461-A789-8E4CD99CEA46}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:1cf5:1d4f:53ef:ff35(Preferred)
Link-local IPv6 Address . . . . . : fe80::1cf5:1d4f:53ef:ff35%15(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
I'm unsure of what the problem is or what to do next. Thank You.
I just migrated a 2003 domain to 2012 R2. Things were working ok & then XP clients became AD stupid.
Steps I took:
Added a VM 2012 R2 DC to the domain. Server had DNS installed. Ran dcdiag & bpa and resolved any issues.
About a week later I moved all roles over to the VM DC.
Tore down one of the NT2003 DCs (not VM) and rebuilt it as a 2012 R2 DC w/DNS. Ran dcdiag & bpa and resolved any issues. Had problems with DNS scavenging removing some static records. Re-added records & made sure the "Delete record when it becomes stale" was unchecked on all static records (all fwd & rev zones).
Moved all roles from the VM DC to the hardware DC.
After a week I tore down the 2nd (& last) nt2003 DC (not VM) and rebuilt it as a 2012 R2 DC w/DNS. Ran dcdiag/bpa and fixed any issues. Also ran it on the other DCs.
Removed the VM 2012 R2 DC from the domain (demote, remove features, remove from domain, power off, delete VM).
Everything seems to be working fine. dcdiags look clean, event logs seem good.
Bump forest/domain to 2012 R2 native.
Then, a few days later, it goes bad. I (after hours) install all accumulated updates on both DCs. Reboot both.
Next AM a user calls. Her thin client cannot connect to the terminal services server. DNS has deleted its DNS record, even though the delete when stale was unchecked. :| So I re-add the static record and turn off scavenging. Problem solved.
Next call is from an XP user (we have XP, Win 7, and thin clients). She cannot print. Printers show "cannot connect". Try various things to no avail. Check Win 7 boxes and they're working fine & printers are connected. Note that the XP & Win7 boxes all pull their DHCP address from the same DHCP server/scope.
Review error logs and run dcdiag. There are several somewhat esoteric errors. After several hours of tail chasing I decide to take a more scorched earth tack. I demote the 2nd DC and remove AD & DNS from it. After demotion and role removal I check AD and it still shows the DC. I remove the now-just-a-server from the domain. Clean up DNS & AD removing all traces. This takes a while as I have to run various scripts (thank you Google) to ensure AD is clean.
Run dcdiag and resolve issues. Even a detailed dcdiag comes out clean. Replication tests show the old server is now forgotten.
Check XP boxes and they still show printers as "cannot connect".
Remove an XP PC from the domain. Try to rejoin and I get an error. Rename it and still get the error. I can ping, nslookup, etc. and they return the correct IP.
I've tried the simple "change the join a domain" in system properties. That gives a somewhat nondescript error. The network identification wizard seemed to find the domain but didn't work. As it was trying to find the PC in AD, I went ahead and added it via the AD Users & Computers console. Run the wizard and it tells me it found the record in AD. It then says "a domain controller for the domain [ourdomain] could not be contacted." !? Yet on the prior screen it told me it had found the record for the PC on the DC.
nslookup for ourdomain.local as well as dcname.ourdomain.local resolve correctly. Tried changing the PC to static - no change. Rename the old Win 2012 R2 DC (now just a server outside the domain), reboot, and then try to rejoin the domain. Works flawlessly.
BTW - We're running tcpip w/o netbios over tcpip.
So basically my XP boxes cannot use AD printers and cannot join the domain. IDK if they're picking up gp updates (I'll check in the AM), but I suspect they're not.
Short of buying a truckload of Win 7 licenses and reloading OSs, what can I do to fix this?
Details on the XP box error (fyi - I did a record to record comparison to a Win 2008 domain's SRV records and they look identical (except, of course, the domain & server names)):
The domain name [ourdomain] might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain [ourdomain]:
The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.[ourdomain]
Common causes of this error include the following:
- The DNS SRV record is not registered in DNS.
- One or more of the following zones do not include delegation to its child zone:
[ourdomain]
. (the root zone)
For information about correcting this problem, click Help.
dcdiag /test:dns results
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = Domctl1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DOMCTL1
Starting test: Connectivity
......................... DOMCTL1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DOMCTL1
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... DOMCTL1 passed test DNS
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : [ourdomain]
Running enterprise tests on : [ourdomain].local
Starting test: DNS
Test results for domain controllers:
DC: Domctl1.[ourdomain].local
Domain: [ourdomain].local
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record dcdiag-test-record in zone [ourdomain].local
Domctl1 PASS PASS PASS PASS WARN PASS n/a
......................... [ourdomain].local passed test DNS
First of all thanks for taking the time to read, any response is greatly appreciated.
If I setup ADFS between my in-house operations with an off-site host and my in-house AD's go down, can users still use SSO to log into the off-site host?
I guess I'm curious to know if the off-site host can cache accounts.
Is it bad practice to have account credentials cached for a long time due to security reasons?
How can I get my users to log into the off-site location using SSO when my in-house ADs and ADFS servers are down?
Thanks in advance for your help,
John
Hi All....I have a 2 DC setup both w2008SP2 Stnd now. I recently lost one of these when it was configured with W2003SP2. I posted here and went through force remove and cleaning the metadata from the domain, etc. I built it as W2008SP2 and renamed it the same name and IP before adding it again as a DC. It is running the bulk of the fsmo roles for our domain as before, which is in an enterprise (university) forest.
The transition seemed to go very smoothly except that now I noticed that if I restart the 2nd DC, with only the newly built w2008 remaining online, the login time for clients is very slow. Slower than when the inverse happens, ie. i have it (1st DC) offline with the 2nd DC online, the clients login faster but not as fast as when the 1st DC box was originally W2003SP2.
So my question is did I miss something in regard to configuration when bringing the 1st DC back online as the W2008SP2 build/transferring all roles back to it/resetting its time server setting, etc? I'd appreciate some ideas on how to troubleshoot the slow logins when it is the only DC online.
ps. there has been a vbs script running on the DC's to map clients to drives and printers. Maybe it runs better with W2003SP2 instead of W2008SP2.
LDAP authentication works with any random domain name. I created a sample console app to isolate the problem from all other code.
using System;
using System.DirectoryServices.Protocols;
using System.Net;

class Program
{
    static void Main()
    {
        string IP = "<DC-IP-ADDRESS>"; // placeholder: the DC's IP address, not given in the post
        // "aaaaa" is a deliberately incorrect domain name
        NetworkCredential netCred1 = new NetworkCredential("user1", "pass", "aaaaa");
        LdapDirectoryIdentifier _LdapId1 = new LdapDirectoryIdentifier(IP + ":" + 389, true, false);
        LdapConnection ldap = new LdapConnection(_LdapId1, netCred1, AuthType.Negotiate);
        ldap.SessionOptions.SecureSocketLayer = false;
        ldap.SessionOptions.ProtocolVersion = 3;
        ldap.Bind(); // works without any problem
        ldap.Dispose();
    }
}
I ran Network Monitor and found that NEGOTIATE resolves to NTLM. My machine is not part of the domain (aaaaa); the DC is on Windows 2008 R2 and the above app is run from Windows 2008 R2.
The BASIC security scheme does validate the domain name, meaning Bind() fails when the domain name is wrong. So this is something to do with the security scheme (NTLM vs. BASIC).
Please let me know if anyone knows more about this.
Thanks
Ramesh
- I have ~200 forests in a corporate network. These are all user/account forests. e.g: Forest B, Forest C, Forest D and so on.
- ADFS 2.0 has only been setup in Forest A and all applications (mainly web-based) are under Forest A.
- 2-way transitive trust have been established between A <> B, A<> C, A <> D and so on.
The challenge is:
1) Do these many forest trusts cause a security risk? Would a user in Forest B be able to see resources/accounts in Forest C, D etc.?
2) Since in the ADFS claims rule we are mapping E-mail-Addresses (as an Active Directory LDAP attribute) to NameID (outgoing claim type), and email addresses are known to everyone, will it cause a greater risk if a person with malicious intent creates a fake user within Forest B (e.g. B\Alvin Shane) who is given the same email as another user from Forest C?
Will that fake user in Forest B have the same access/privileges as the user in Forest C when their email addresses match?
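Added example (not from the post): a Python check of the risk raised in question 2. Given per-forest user exports (constructed sample data with invented names, GUIDs and mail domains), it shows which NameIDs collide when NameID is issued from the mail attribute, that a NameID built from the forest-qualified objectGUID cannot collide, and a suffix-ownership check that surfaces accounts whose mail domain belongs to a different forest, which is what the claims pipeline or a periodic audit should reject before mail is used as NameID.

```python
from collections import defaultdict

# Constructed per-forest user exports (invented names, GUIDs and domains).
FOREST_USERS = {
    "forestB.example": [
        {"sAMAccountName": "ashane", "mail": "Alvin.Shane@corp.example",
         "objectGUID": "11111111-1111-1111-1111-111111111111"},
        {"sAMAccountName": "bob", "mail": "bob@forestb.example",
         "objectGUID": "22222222-2222-2222-2222-222222222222"},
    ],
    "forestC.example": [
        {"sAMAccountName": "alvin.shane", "mail": "alvin.shane@corp.example",
         "objectGUID": "33333333-3333-3333-3333-333333333333"},
    ],
}
# Which forest is authoritative for each SMTP suffix (constructed policy).
SUFFIX_OWNER = {"corp.example": "forestC.example", "forestb.example": "forestB.example"}

def nameid_from_mail(forest, user):
    """NameID as the post's rule issues it: the mail attribute, unqualified."""
    return user["mail"].lower()

def nameid_from_guid(forest, user):
    """Hardened variant: immutable objectGUID qualified with the issuing forest."""
    return f"{forest}/{user['objectGUID']}"

def nameid_collisions(rule, forests=FOREST_USERS):
    """Return {NameID: [(forest, account), ...]} for every NameID that more than
    one account would receive; such accounts are indistinguishable to the
    relying party."""
    owners = defaultdict(list)
    for forest, users in forests.items():
        for u in users:
            owners[rule(forest, u)].append((forest, u["sAMAccountName"]))
    return {nid: accts for nid, accts in owners.items() if len(accts) > 1}

def suffix_violations(forests=FOREST_USERS, owner=SUFFIX_OWNER):
    """Accounts whose mail suffix is owned by another forest (or by no forest):
    drop the mail claim for these before it can become a NameID."""
    bad = []
    for forest, users in forests.items():
        for u in users:
            suffix = u["mail"].rsplit("@", 1)[-1].lower()
            if owner.get(suffix) != forest:
                bad.append((forest, u["sAMAccountName"], u["mail"]))
    return bad

if __name__ == "__main__":
    print("mail-based NameID collisions:", nameid_collisions(nameid_from_mail))
    print("GUID-based NameID collisions:", nameid_collisions(nameid_from_guid))
    print("mail suffix violations:", suffix_violations())
```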
Hello Guys,
I have two forests with the domain names abc.com & xyz.com, and they are configured with a two-way trust.
Now the user administrator of domain abc.com wants to access the resources of domain xyz.com; can someone please help me to configure this?
Thanks in advance.
NM-BG
Greetings,
We have a Windows Server 2008 SP2 AD forest. Newly hired users are forced to change their temporary passwords at the 1st logon, but the problem is some users can't perform that password change even though they respect the password policy, so we have to invite the user to change their passwords from ADUC.
Please help.
Thanks in advance.
Redouane SARRA
Just a simple question. We lost a 2003 Domain Controller last night due to a hardware failure. This server was scheduled for removal in the next month so it won't be replaced. It is just a Domain Controller, Global Catalog, and WINS server. It does not hold any FSMO roles and it is not a DNS server. All other Domain Controllers in the Domain are 2012 Domain Controllers. The Primary WINS server has already been moved to another 2012 DC until WINS is retired. I know I need to do a force removal and metadata cleanup. My question is this:
Since our other Domain Controllers are 2012 servers, if I delete the failed 2003 DC through ADUC or Sites and Services on the 2012 Domain Controller, will it trigger the metadata cleanup automatically, or do I still need to do it manually based on the following article:
http://technet.microsoft.com/en-us/library/cc736378(v=ws.10).aspx
Just curious as I have not seen an article asking about this scenario.
Russ
hello,
I have an Active Directory with 2008 domain functional level. I have created a custom attribute in the Active Directory, but I need this attribute to be displayed when I right-click on the user object in the Active Directory.
This is the current state of the attribute.
I want this attribute to be like the following: Employee ID.
Thanks all for your support.
Scenario- Windows 2003 Single Domain, Single Forest, Forest/Domain functional level is 2003.
Planning to upgrade Schema to 2012.
Win2012 will perform Adprep automatically if we run setup, but I still want to know the steps to run on each DC to accomplish the schema update manually.
Hi,
We have set up Remote Desktop Apps using Remote Desktop Services
The apps are permissioned with AD user accounts in our forest
When an external company that has network access (i.e. routable addresses) tries to log in (with credentials in our AD) they sometimes get in and other times do not. They see an error message saying 'The credentials did not work' or 'The Local Security Authority cannot be contacted'
I think this may be because all the Domain controllers for that domain are not reachable from the external company's PC
i.e. if they get lucky they try and authenticate using a reachable DC but sometimes they pick a DC that is not routable and see this error
Is my thinking correct?
How is a DC chosen by a PC belonging to an external company?
This article leads me to believe it is random: How Domain Controllers are Located Across Trusts
I confronted the following situation :
On a workgroup member PC with the Win 7 OS installed, I created a user with the same username and password as another one that was created in an Active Directory domain. I joined the PC to the domain, and logged on with the domain user credentials.
After that, I removed the PC from the domain, and logged on with the local user credentials. I was amazed to observe that, despite the fact that the PC was not joined to the domain, I was able to access all network shares as the domain user (the share and NTFS security on those shares are specific to domain users, and do not contain Everyone or Interactive permissions).
In conclusion, the Domain Controller authenticates the local user as if it is the domain user, or the credentials of the domain user remain cached on the PC.
The DC is Win 2008 R2, and the functional level of the domain is 2003.
My question is: is it a bug, or is there a reasonable explanation?
Hi
I have root domain contoso.dom (DC1 and DC2) and subdomain sub.contoso.dom (DC3).
I see error event 2896 on DC3
A client made a DirSync LDAP request for a directory partition. Access was denied due to the following error.
Directory partition:
DC=sub,DC=contoso,DC=DOM
Error value:
8453 Replication access was denied.
User Action
The client may not have access for this request. If the client requires it, they should be assigned the control access right "Replicating Directory Changes" on the directory partition in question.
No failures or errors in BPA.
Also if I try to run on DC1 repadmin /replsummary I can see:
site\DC3 via RPC
DSA object GUID: 0458a97c-437e-49a4-8f9c-095fd7340834
Last attempt @ 2013-12-19 15:27:27 failed, result 8418 (0x20e2):
The replication operation failed because of a schema mismatch between the servers involved.
118 consecutive failure(s).
Last success @ 2013-12-18 08:12:03.
How can I solve this problem?