Channel: Directory Services forum

Kerberos Error after remote Cluster-Aware Updating


I installed a Windows 2012 R2 Failover Cluster in order to virtualize servers with Hyper-V. Both physical servers of the cluster are named SRV-SAN01 and SRV-SAN02 and were installed using Win2012 R2 Datacenter. The name of the cluster is SRV-HV01.

My environment is very simple: a unique domain and a unique site with 2 Domain Controllers (one on Win2013 and the second one on Win2008R2).

I first added a new Win2012 R2 Standard Domain Controller on a physical server named SRV-DC01 and transferred the following Operation Masters to it: PDC, RID, Schema Master and Domain Naming. It is also a Global Catalog.

I installed another Win2012 R2 Standard Domain Controller as a Virtual Server in the cluster, whose name is SRV-DC02. It has the Infrastructure Operation Master and is also a Global Catalog.

Three more Member Servers using Win2012 R2 were installed on the cluster.

Everything worked fine until I ran my first Cluster-Aware remote updating. I installed the Failover Cluster Manager on SRV-DC01 and executed a remote CAU successfully.

At the end of the process, the Server Manager on the first physical server SRV-SAN01 had a Manageability problem. The Event Viewer showed the following error for 12 hours:

Error 4 from source Microsoft-Windows-Security-Kerberos: “The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-san01$. The target name used was HTTP/SRV-HV01.mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.”

On the second physical server SRV-SAN02 the Manageability problem is still going on 27 hours after CAU, with exactly the same error 4 from source Microsoft-Windows-Security-Kerberos.

On the Failover Cluster Manager, I also have an Error 1023 from source Microsoft-Windows-ClusterAwareUpdating-Management:

“Failed to get CAU report. Details:Microsoft.ClusterAwareUpdating.ClusterUpdateException: There was a failure in a Common Information Model (CIM) operation, that is, an operation performed by software that Cluster-Aware Updating depends on. The computer was "SRV-HV01", and the operation was "Contacting the Cluster-Aware Updating software on the cluster node.". The failure was: (CimException) WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 

 Possible causes are:

 -The user name or password specified are invalid.

 -Kerberos is used when no authentication method and no user name are specified.

 -Kerberos accepts domain user names, but not local user names.

 -The Service Principal Name (SPN) for the remote computer name and port does not exist.

 -The client and remote computers are in different domains and there is no trust between the two domains.

 After checking for the above issues, try the following:

 -Check the Event Viewer for events related to authentication.

 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

  -For more information about WinRM configuration, run the following command: winrm help config. HRESULT 0x8033809d ---> Microsoft.Management.Infrastructure.CimException: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 

 Possible causes are:

 -The user name or password specified are invalid.

 -Kerberos is used when no authentication method and no user name are specified.

 -Kerberos accepts domain user names, but not local user names.

 -The Service Principal Name (SPN) for the remote computer name and port does not exist.

 -The client and remote computers are in different domains and there is no trust between the two domains.

 After checking for the above issues, try the following:

 -Check the Event Viewer for events related to authentication.

 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

  -For more information about WinRM configuration, run the following command: winrm help config.

  at Microsoft.Management.Infrastructure.Internal.Operations.CimAsyncObserverProxyBase`1.ProcessNativeCallback(OperationCallbackProcessingContext callbackProcessingContext, T currentItem, Boolean moreResults, MiResult operationResult, String errorMessage, InstanceHandle errorDetailsHandle)

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Logger.<_TraceCallWorker>d__0`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Logger.<TraceCall>d__5`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()

  at MS.Internal.ClusterAwareUpdating.Wmi.ClientConnectionManager.<CreateInstancePreparationTask>d__0.MoveNext()

  --- End of inner exception stack trace ---

  at MS.Internal.ClusterAwareUpdating.Wmi.ClientConnectionManager.<CreateInstancePreparationTask>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Wmi.AbstractCauStreamedMethod`1.<OnInvokeAsync>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Wmi.AbstractCauMethod`1.<InvokeAsync>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Util.Await[TResult](Task`1 t)

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportListFromMachine(String machineName, ClientConnectionManager clientConnectionMgr, Task instancePrepTask, CancellationToken cancelToken)

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportInternal(String clusterName, PSCredential credential, DateTime reportTimestamp, CancellationToken cancelToken)

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportInternal(String clusterName, PSCredential credential, DateTime reportTimestamp, CancellationToken cancelToken)”

I have not found anything about that on the Internet.

Could you please help me with these errors?

Thanks in advance.



Question about Delegate Control to Desktop Support


I am working on delegating control to a newly formed/reclassified position in my company. This role will primarily provide Desktop Support. They will have little to no need to log into servers.

I have already given them admin rights to the end users' machines; now I just need to grant them the proper rights in ADUC/Exchange so they can properly perform their role.

Here is what they will need to do:

  • User account lifecycle management (Create, change, delete, change password, etc)
  • Computer account lifecycle management (Create, change, delete)
  • Security & Distribution Group membership management (Create, change, delete)
  • Exchange mailbox creation (Exchange Recipient Administrators)
  • Run RSOP for GPO

Basically, I want them to have full control over user, computer and group objects. This way they can create users, change group memberships,  add computers to domain, delete computer objects, etc.

The problem I am having is that I am not sure what rights I need to grant them via the Delegate Control wizard to accomplish all of that. I know I could just grant them "Full Control" of the OU structure containing all of our user, computer and group objects, but I would like to avoid that unless it's really what I need to do in the end.

Any assistance would be appreciated!

Thanks!

DC - refuses administrator log on


History: I migrated a 2003 domain to 2012 R2 (2 DCs), now native. All was OK until my 1st reboot of the 2nd DC. It lost its ability to communicate with the domain. I've demoted/removed it and am now on 1 DC until I can do some more testing. DNS is now clean and dcdiag gives a clean bill. This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs shows that at 4:30 PM yesterday the scheduled backup (Win Backup) occurred successfully. Then shortly after 5 PM the system logged event 5823 (NETLOGON: The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.).

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

Only members can see members


Active directory functional level "Windows Server 2008 R2"

I would like to hide "Members" from all Authenticated Users except for the members of the group in question.

At the OU level I put a rule to "Deny Read Members" for "Authenticated Users".  This works as expected.  I then put an "Allow Read Members" for "SELF" on the group itself.  This does not allow the members of the group to see the members of the group.  If I add a rule for "Allow Read Members" for a specific user then that user can see the members of the group.

I assumed that SELF is the group in question.  Am I incorrect?

Having trouble promoting a server to a Child Domain Controller


Hello,

I am having trouble promoting a 2012 server that's already a member of a domain to a child domain controller. All of the prereqs are met. When I try to promote it, it shows the steps being processed. When it begins to replicate the parent domain's database, it runs all night and never completes. Any idea what's going on?

Thanks

John G.


John Grace

Active Directory domain user groups do not have permission to change password


Users who are members of Domain Users cannot change their password.


remove delegation


Hi everyone, I have delegated certain rights on the domain to a few users. But how do I remove those rights?

And can I get the list of those users to whom I have delegated? And how do I use DSRevoke?

Removing password expiration policy for users


Hello,

I am in a situation where I need to remove the expiration on user accounts in my domain. I have removed the group policy that requires a password reset every 120 days. My question is, if some accounts were already set to expire under the previous policy, will they still expire? I need some guidance on how to make current users who are already expired or set to expire soon basically not expire. I use AD for wireless authentication, and if a user's password has expired, they will be charged for mobile data on their phone unknowingly.

Thanks


WMI Read access to my one service account


Hi

I need to provide my one service account READ access on all Windows 7 / Server 2003, 2008 and 2012 machines in my domain.

I found the article below, but it is not for read access.

http://blogs.msdn.com/b/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx?PageIndex=2#comments

Please help me to achieve it.

Thanks in advance.



Impact of resetting the password of the krbtgt account?


Hi,

Currently a lot of effort and interest goes into the golden ticket scenario that mimikatz and metasploit are able to do using the krbtgt account.

I know you would have to own a DC or get an NTDS dump to get the hash of the krbtgt account, but for the sake of this question let's assume we want to change the krbtgt password because a domain admin left the company and could potentially have taken the DB with him.

In a number of scenarios, part of the restore procedure or resolution to an issue is to reset the password of the krbtgt account (for example: http://technet.microsoft.com/en-us/library/cc733991(WS.10).aspx)

As part of a forest recovery procedure you have to change the password of the krbtgt account twice to make sure replication no longer occurs. Wouldn't this mean that existing replication breaks as well when you change the password, as the steer is in a lot of blogs, recommendations or technet articles?

In short, I'm wondering what would break when you change the password of the krbtgt account, and if anything does, for how long and will it automatically repair? It wouldn't be nice to have to tell a customer to do a forest recovery because they followed steer from security companies telling them to change their krbtgt password.

Thanks in advance for your responses!

Active directory users and computers wont start on a dc, "the server is not operational"


In our environment, we have 3 DCs:

two which run Server 2008 (they work perfectly)

and one branch DC that is never off, which runs Server 2008 R2.

We have been having some problems where we feel the replication isn't up to speed (stuff could take up to 24 hours to replicate), and now when I tried opening Active Directory Users and Computers I was met with this error window:

We have a third party DNS solution.

How do I troubleshoot this issue?

AD account is being locked out every couple hrs. Need help tracking


Hi,

I am one of multiple administrators at my company and for the past couple of weeks I have had a problem where my AD account will be locked out every couple of hours or so, at least once a day. I fear that possibly while troubleshooting a computer my username was "stuck", or embedded if you will, into a running service or such.

Our previous Senior Systems Administrator was able to tell me the name of the computer when it first started happening and I logged in but didn't see anything out of the ordinary. I checked the services I had toyed around with such as RPC etc and nothing.

That Senior Sys Adm. is now gone from the company and I never bothered to ask him how he found out. I am still having the problem, so I need to figure out what computer is trying to log in to AD with my account (old credentials) to stop it from being locked out. It seems to only lock my account when people are at work. For example, when people normally get back from lunch and log in to their computers I notice my account gets locked.

I think he may have been just looking at event logs in MMC but I am not positive on which. Security audit logs possibly?

Anyways, I appreciate any help in advance, and if someone can help me track down the computer(s) responsible it would be greatly appreciated.

Sean
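As an added example, not part of Sean's post or any reply to it: the PDC emulator's Security log records a 4740 event ("A user account was locked out") for every lockout in the domain, and its "Caller Computer Name" field names the machine that sent the bad credentials. The script below parses flattened 4740 records (the constructed sample lines, host names and SIDs are made up) and counts lockouts of one account per calling computer and per hour of day, which is the pattern the post describes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: 4740 records exported one-per-line, EventCombMT style
# (event id, type, provider, time, user, message). Hosts and SIDs are invented.
SAMPLE_4740 = """4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Tue Jul 22 12:58:03 2014,No User,A user account was locked out.  Subject:  Security ID:  S-1-5-18  Account Name:  DC01$  Account Domain:  MYDOMAIN  Account That Was Locked Out:  Security ID:  S-1-5-21-1111-2222-3333-1105  Account Name:  sean  Additional Information:  Caller Computer Name:  HELPDESK-KIOSK
4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Tue Jul 22 08:31:44 2014,No User,A user account was locked out.  Subject:  Security ID:  S-1-5-18  Account Name:  DC01$  Account Domain:  MYDOMAIN  Account That Was Locked Out:  Security ID:  S-1-5-21-1111-2222-3333-1105  Account Name:  sean  Additional Information:  Caller Computer Name:  HELPDESK-KIOSK
4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Wed Jul 23 13:02:19 2014,No User,A user account was locked out.  Subject:  Security ID:  S-1-5-18  Account Name:  DC01$  Account Domain:  MYDOMAIN  Account That Was Locked Out:  Security ID:  S-1-5-21-1111-2222-3333-1105  Account Name:  sean  Additional Information:  Caller Computer Name:  HELPDESK-KIOSK
4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Wed Jul 23 09:15:51 2014,No User,A user account was locked out.  Subject:  Security ID:  S-1-5-18  Account Name:  DC01$  Account Domain:  MYDOMAIN  Account That Was Locked Out:  Security ID:  S-1-5-21-1111-2222-3333-1105  Account Name:  jdoe  Additional Information:  Caller Computer Name:  WS-FIN-12
"""

# The Subject section also carries an "Account Name" (the DC itself), so the
# match is anchored on the "Account That Was Locked Out" section.
LOCKOUT = re.compile(
    r"Account That Was Locked Out:.*?Account Name:\s+(?P<acct>\S+).*?"
    r"Caller Computer Name:\s+(?P<caller>\S+)"
)


def parse_lockouts(text):
    """Return (timestamp, locked-out account, caller computer) per 4740 line."""
    out = []
    for line in text.splitlines():
        parts = line.split(",", 5)          # message may contain commas
        if len(parts) < 6 or parts[0] != "4740":
            continue
        m = LOCKOUT.search(parts[5])
        if not m:
            continue
        when = datetime.strptime(parts[3], "%a %b %d %H:%M:%S %Y")
        out.append((when, m["acct"].lower(), m["caller"]))
    return out


def lockout_sources(text, account):
    """Count callers that locked `account`, and the hours of day it happened."""
    callers, hours = Counter(), Counter()
    for when, acct, caller in parse_lockouts(text):
        if acct == account.lower():
            callers[caller] += 1
            hours[when.hour] += 1
    return callers, hours


if __name__ == "__main__":
    callers, hours = lockout_sources(SAMPLE_4740, "sean")
    for host, n in callers.most_common():
        print(f"{host}: {n} lockout(s)")
    print("by hour:", dict(sorted(hours.items())))
```

Run it against a real export of the PDC emulator's Security log (the 4740 events are collected there regardless of which DC saw the bad password); a single host dominating the counts around the same hours is the machine holding the stale credential.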

too much traffic from clients to DC port 389


hi,

Today we are observing many sessions from clients to a DC / DNS (all 5 roles on it) on port 389.

They have about a 2 MB session on this port (like they are getting something from it),

but as the port is 389 I do not have an idea what these connections are.

Antivirus is updated on all of them and...! No new policy, not any change...

What can this traffic be?!


2 of 3 DC's won't ping each other


I am researching an issue that I noticed today and hoping to get some direction.

My company is part of a larger one now. We have an old domain that consists of 3 DCs for some old servers that can't be migrated (clusters). Unfortunately, the old domain isn't checked very frequently. I did look at the DCs today and found that one (DC1) was having some issues. I wound up rebooting it and Event Viewer said all problems preventing updates had been cleared (evtid 1394), but here is my issue:

DC2 can talk/ping to DC1 and DC3. 

DC1 and DC3 can talk/ping to DC2. 

BUT DC1 and DC3 can't ping each other (IP addresses resolve correctly). I wound up rebooting DC3 and still no luck.

They are on the same subnet and can ping other servers. Replication is working (I imagine because of DC2) as a change on DC1 does get replicated to DC3. All servers are 2008 R2.

DC1 = PDC emulator and a regular DC

DC2/3 are global catalog servers.

Not sure why this would happen.  I know that replication will stop if a DC has been tombstoned, but the initial replication event said 0 tombstones.  Any direction would be appreciated.

Thanks

Adding a DC


hi,

I already have a Windows Server 2008, on which AD is running with DNS. I have added a new physical server with Server 2012 R2 and I have installed the AD role onto it. I have moved the FSMO roles to the new server and DNS as well. When I do netdom query fsmo, all roles have been moved to the new server.

I would like to remove the AD role on the old server. Can you please guide me through the steps?

The previous server has been shut down. When I click on the new server's AD, I get the error: naming information cannot be located.

Any help please.

Thanks.


sundeep jogoo


User cannot logon "does not exist"?


Hello,

We have a very odd issue with one particular user. Every morning when they try to log on it fails repeatedly. For the last several days I have been using EventCombMT to search through all our domain controller logs for anything related to their user. Every morning I find this on one of the 4 domain controllers.

4768,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Jul 22 08:12:54 2014,No User,A Kerberos authentication ticket (TGT) was requested.    Account Information:   Account Name:  failinguser    Supplied Realm Name: MYDOMAIN   User ID:   S-1-0-0    Service Information:   Service Name:  krbtgt/MYDOMAIN   Service ID:  S-1-0-0    Network Information:   Client Address:  ::ffff:1.1.1.1   Client Port:  63362    Additional Information:   Ticket Options:  0x40810010   Result Code:  0x6   Ticket Encryption Type: 0xffffffff   Pre-Authentication Type: -    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:    Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.  
4768,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Jul 22 08:12:09 2014,No User,A Kerberos authentication ticket (TGT) was requested.    Account Information:   Account Name:  failinguser    Supplied Realm Name: MYDOMAIN   User ID:   S-1-0-0    Service Information:   Service Name:  krbtgt/MYDOMAIN   Service ID:  S-1-0-0    Network Information:   Client Address:  ::ffff:1.1.1.1   Client Port:  63361    Additional Information:   Ticket Options:  0x40810010   Result Code:  0x6   Ticket Encryption Type: 0xffffffff   Pre-Authentication Type: -    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:    Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.  
4768,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Jul 22 08:09:11 2014,No User, failinguser  MYDOMAIN S-1-0-0 krbtgt/MYDOMAIN S-1-0-0 0x40810010 0x6 0xffffffff - ::ffff:1.1.1.1 63360   
4768,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Jul 22 08:08:58 2014,No User, failinguser  MYDOMAIN S-1-0-0 krbtgt/MYDOMAIN S-1-0-0 0x40810010 0x6 0xffffffff - ::ffff:1.1.1.1 63359   
4768,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Jul 22 08:08:39 2014,No User, failinguser  MYDOMAIN S-1-0-0 krbtgt/MYDOMAIN S-1-0-0 0x40810010 0x6 0xffffffff - ::ffff:1.1.1.1 63357   

So I restart the KDC service on that server and then they are able to log on until later. I can find this user in "dsa.msc" on the domain controller displaying this error and have verified that replication and everything seem to be working correctly between all of the 4 domain controllers (renamed the account, verified it replicated, renamed from another DC, etc., etc.).
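As an added example, not part of the post above or any reply to it: a small parser for the EventCombMT 4768 lines quoted in the post, which appear in two layouts (the labelled message and the compact positional one). It decodes the "Result Code" with the RFC 4120 KDC error names and flags requests where the KDC answered 0x6 (client principal unknown) with a null User ID of S-1-0-0, the combination that says the issuing DC could not find the account at all, as opposed to a wrong password (0x18). The sample lines are the post's own records.

```python
import re
from collections import Counter
from dataclasses import dataclass

# RFC 4120 section 7.5.9 KDC error codes (subset) as they appear in 4768 "Result Code".
KRB_ERRORS = {
    0x0: "KDC_ERR_NONE",
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client not found in the KDC database
    0x12: "KDC_ERR_CLIENT_REVOKED",      # account disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",         # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",      # bad password
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
}

# Sample: two of the records quoted in the post, one per EventCombMT layout.
SAMPLE = """4768,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Jul 22 08:12:54 2014,No User,A Kerberos authentication ticket (TGT) was requested.    Account Information:   Account Name:  failinguser    Supplied Realm Name: MYDOMAIN   User ID:   S-1-0-0    Service Information:   Service Name:  krbtgt/MYDOMAIN   Service ID:  S-1-0-0    Network Information:   Client Address:  ::ffff:1.1.1.1   Client Port:  63362    Additional Information:   Ticket Options:  0x40810010   Result Code:  0x6   Ticket Encryption Type: 0xffffffff   Pre-Authentication Type: -
4768,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Jul 22 08:09:11 2014,No User, failinguser  MYDOMAIN S-1-0-0 krbtgt/MYDOMAIN S-1-0-0 0x40810010 0x6 0xffffffff - ::ffff:1.1.1.1 63360
"""

LABELLED = re.compile(
    r"Account Name:\s+(?P<acct>\S+).*?User ID:\s+(?P<sid>\S+).*?"
    r"Client Address:\s+(?P<addr>\S+).*?Result Code:\s+(?P<code>0x[0-9a-fA-F]+)"
)


@dataclass
class TgtRequest:
    time: str
    account: str
    user_sid: str
    client: str
    result: int

    def reason(self):
        return KRB_ERRORS.get(self.result, f"unknown 0x{self.result:x}")

    def principal_unresolved(self):
        """0x6 plus a null SID: the KDC never resolved the account object."""
        return self.result == 0x6 and self.user_sid == "S-1-0-0"


def parse_line(line):
    """Parse one exported 4768 line in either layout; None if not a 4768 record."""
    parts = line.split(",", 5)               # message text may contain commas
    if len(parts) < 6 or parts[0] != "4768":
        return None
    time, msg = parts[3], parts[5]
    m = LABELLED.search(msg)
    if m:
        return TgtRequest(time, m["acct"], m["sid"], m["addr"], int(m["code"], 16))
    # Compact layout: field values only, in the event's field order:
    # acct realm sid service service_sid options result enctype preauth addr port
    tok = msg.split()
    if len(tok) < 11:
        return None
    return TgtRequest(time, tok[0], tok[2], tok[9], int(tok[6], 16))


def summarise(text):
    """Count failed TGT requests by (account, client address, decoded reason)."""
    counts = Counter()
    for line in text.splitlines():
        r = parse_line(line)
        if r is None or r.result == 0:
            continue
        counts[(r.account, r.client, r.reason())] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarise(SAMPLE).items():
        print(n, key)
```

Because the 4768 event is logged on the DC that answered the AS-REQ, comparing the unresolved count per DC (the column EventCombMT adds when exporting from several servers) shows whether only one KDC fails to see the account, which matches the post's observation that restarting that server's KDC clears it.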

Change last name


I recently changed a user's last name in ADUC by right-clicking the user and clicking Rename, then proceeded to go into ADSI Edit and change the user's proxy SMTP address to reflect it, and with our rich coexistence on our DirSync server ran (pushed) an online sync to Office 365. The user was able to log in with the new username and use email successfully.

My issue is that now one of our proprietary web-based applications that ties into AD (meaning the user has to be logged in with their domain account in order to log in, so the website is AD integrated) fails. The user logs in with the new username but the page displays this error: username (in this case I'll say jdoe) does not match Windows Login jsmith.

Thoughts please? 

Customize AGDLP strategy for specific needs


Hi all, hoping I could get some input how to stick to the best practice AGDLP nesting strategy while meeting the specific needs of my users/departments.

I have a network share for our Marketing department. Following AGDLP, I have put my Marketing users in a Global group called G_Marketing, I then put that group in a Domain Local group called DL_MRKShareModify, and I have assigned the appropriate share/NTFS permissions to the DL_MRKShareModify group on the actual shared folder. This works perfectly if ALL of my Marketing users should have access to the share, but in reality, only a select few Marketing users should have access to the share.

What is the best way to set this up while also sticking to the AGDLP best practice?


Changes value in Adsiedit.msc is getting revert


Hello, can anyone help me? I want that in our organization contacts should not be viewable in the Global Address List but should be viewable in All Contacts in Outlook. I tried the option of removing the value in showInAddressBook using ADSIEDIT.MSC, but after a few minutes it again gets reverted to the previous value. My changes are not getting saved.

Is there any option to tackle this problem? Please share if anyone has an idea about this.

AD object migration


We are planning to migrate AD objects from x.com (Global forest) to y.com (Single domain forest).

There are two parts to the migration:

Part 1) Users, computers and profile migration.
Part 2) Application server and service account migration.

In part 1, can someone help me to get the best approaches / tools / procedures?

In part 2, please help me to get application testing procedures during the domain change of application servers, and how to troubleshoot them in case of any issues.
