Computers loosing trust to my domain!

September 8, 2015, 4:06 am

≫ Next: Authentication forwarding possible between DCs in trusting domains?

≪ Previous: AD Schema - duplicate classchema object

Hi!

So we deployed windows 7 to a many remote locations where we have no local domain controller and they are connected to head quarter with a slow link, now a couple months later I have received a couple of cases where the computers looses its trust with the domain so when a user tries to login they get: "Trust Relationshitp between Workstation and Primary Domain failed"

On domain controller i see this event (4625):

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		TheComputer$
	Account Domain:		TheDomain

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc000006a

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	TheComputer
	Source Network Address:	10.146.34.31
	Source Port:		62728

Detailed Authentication Information:
	Logon Process:		NtLmSsp
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

According to this site: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

The event id is saying that the computer is trying to login with wrong password:

0xC000006A

user name is correct but the password is wrong

I have read through this blog post and the only thing I can imagine is that the secure channel have failed, for some reason?

Checking the password with powershell:

PS C:\Windows\system32> Get-ADComputer The Computer -Properties * |select *pass*


AllowReversiblePasswordEncryption : False
badPasswordTime                   : 0
CannotChangePassword              : False
LastBadPasswordAttempt            :
PasswordExpired                   : False
PasswordLastSet                   : 2015-09-03 20:38:20
PasswordNeverExpires              : False
PasswordNotRequired               : False

As you can see the password where reset recently.

Any ideas ? I don't want this to happen on all 400~ machines we have remote.

Thanks!

↧

Authentication forwarding possible between DCs in trusting domains?

September 11, 2015, 3:47 am

≫ Next: Why can't we create two user accounts ( same display name) with two different userid's in Active Directory.?

≪ Previous: Computers loosing trust to my domain!

Is it possible to allow a user from an internal domain to authenticate to a server in an external domain, using the trust, without the need to open the firewall from the server to the internal domain? See simple schematic below. Thanks in advance for any advise!

↧

Why can't we create two user accounts ( same display name) with two different userid's in Active Directory.?

September 11, 2015, 5:02 am

≫ Next: ADFS 3.0 Windows Security Prompt Doesn't Permit Selection of Smart Card Certificate

≪ Previous: Authentication forwarding possible between DCs in trusting domains?

Why can't we create two user accounts ( same display name) with two different userid's in Active Directory.?

↧

ADFS 3.0 Windows Security Prompt Doesn't Permit Selection of Smart Card Certificate

September 11, 2015, 9:27 am

≫ Next: RE: AD Health Monitoring

≪ Previous: Why can't we create two user accounts ( same display name) with two different userid's in Active Directory.?

I'm trying to get ADFS 3.0 to perform authentication using a DoD CAC. This smart card carries 3 certificates (encryption, signing, and identification). In a working authentication scenario (not using ADFS), the Windows Security prompt presented by the browser allows a user to specify which of the certificates (it gives the option of 2, actually, but it does present an option) should be used for authentication. The "Email" certificate is the one to choose for a successful login, but if the other is selected, the browser will fail to authenticate and present a different Windows Security prompt with the top option being "Use another account" (to perform username/password authentication) and the second option being "Smart card credential" with the option to enter the card's PIN. From here, all is lost... smart card authentication won't happen because the option to select the "Email" certificate is not presented without closing the browser and starting over. If I try to test my ADFS 3.0 implementation using the IdpInitiatedSignon.aspx page, the second Windows Security prompt is the only one ever presented. I never get the option to select the "Email" certificate so the attempt to login loops and never succeeds. How do I get ADFS to offer up the Windows Security prompt that I describe first where the option to select a certificate is presented? Thanks in advance.

↧

RE: AD Health Monitoring

September 11, 2015, 5:01 am

≫ Next: LogOnTo keeps getting re-enabled for User in Active Directory

≪ Previous: ADFS 3.0 Windows Security Prompt Doesn't Permit Selection of Smart Card Certificate

hi. i would like to write some scripts to monitor the health of active directory on a daily basis. what would be good active directory components to monitor every single day? also, i would need to be able to run these from powershell, which is what i will use to script with.

↧

LogOnTo keeps getting re-enabled for User in Active Directory

September 11, 2015, 8:55 am

≫ Next: GET-ADUser, enabled and disabled users..AND NULL users...

≪ Previous: RE: AD Health Monitoring

Transitioning away from Windows Essentials Business Server 2008 over to a Windows Server 2012 R2 Environment.

With Windows Essentials Business Server 2008 they had Windows Essential Business Server Administration Console which could be used to assign either standard or premium cal's to either a user or a computer. Any user without a cal assigned could only log onto a small subset of computers which show on the LogOnTo list in active directory for the created user. Once a cal is assigned to a user it allows logon to any system unless otherwise restricted. That console stopped running, I am in the process of migrating fully over to server 2012 R2 which does not have that interface for assigning cals. I have 110 cals purchased for Windows Server for my users. How can I make it so users can log onto any system? I do not need a default list for LogOnTo restricting my users, just want them allowed to logon to any system unless I create a specific group policy limiting them. Any ideas on how I stop this behavior?

The clients are on Windows 7 Pro. Hope I selected proper area to post in as didn't see a server category...

↧

GET-ADUser, enabled and disabled users..AND NULL users...

September 11, 2015, 6:57 am

≫ Next: DSRM Mode

≪ Previous: LogOnTo keeps getting re-enabled for User in Active Directory

I´m trying to grab a AD listing, with the enabled/disabled status for all AD users (with some minor excpetions)

in 4.000 users more than 140 shows the Enabled/Disabled status as NULL

The powershell command, and even targeting a diferent DC, the result is the same

Get-ADUser -server srv-dtc-018 -Filter 'samaccountname -ne "administrator" -and samaccountname -ne "krbtgt" -and samaccountname -like "*" -and samaccountname -notlike "svc-*" -and samaccountname -notlike "*-adm"' -properties samaccountname,enabled,name | ft samaccountname,enabled,name -A

The other Get-ADUSer command, but using Select-Object, shows the same problem:

I noticed that most of the NULL users are DISABLED users, but the Get-ADuser can´t detecte the user was disabled?

EXAMPLE OF THE OUTPUT:

samaccountname	enabled

lcaldas	False
aaheleno
ABARBOZA
acaraujo
ACOMERIO
acronis
ALARIBEIRO
fcarneiro	False
shipolito	True
acgois	True
voliveira	True

...

↧

DSRM Mode

September 11, 2015, 10:48 am

≫ Next: NetBIOS Name Alias for Login?

≪ Previous: GET-ADUser, enabled and disabled users..AND NULL users...

Hi Experts -

I have booted my DC in "Active Directory repair" mode. But now from DSRM i cant reboot the server in normal mode.

i have tried "bcdedit /deletevalue safeboot " command. but getting error msg "

Tried "bcdedit -enum all" command and getting below details... Could you pls help me with the right command to reboot the server in normal mode

This is how i set the Repair mode

Regards, Nidhin.CK

↧

NetBIOS Name Alias for Login?

September 11, 2015, 12:46 pm

≫ Next: Client & AD Certificates

≪ Previous: DSRM Mode

At the moment, users have been logging on with 'CURRICULUM\[Username]'. However, we have recently started using an app that refuses to change the domain name from 'corp' (we are currently in the process of resolving this issue with the software company).

In the meantime, is there a way users can also use the 'corp\[Username]' to logon? I have tried adding the OptionalNames in the registry of the DC, however, this doesn't seem to work when logging in on a client.

↧

Client & AD Certificates

September 4, 2015, 5:13 am

≫ Next: Replicate now error and Kcc event id 1311 and 1865 are all occurring.

≪ Previous: NetBIOS Name Alias for Login?

Hi All,

Few Days Back we just migrate from Google Apps to Office365.Every things seems to be working fine except Offline Address Book.Offiline Address Book is not able to download just going in send and receive process and produce timeout error.

We just raised Service Request to Microsoft and below is their findings which they send on email.

Issue Definition:

Your users are not able to download Offline Address Book from Outlook. OWA is not affected. The Autodiscover Test from Microsoft Remote Connectivity Analyzer is successful. With a domain user logged on a domain joined machine, the issue can be reproduced from local network and from outside. With a machine not joined to the domain, the OAB can be downloaded without any problems. The issue is present for all users. For troubleshooting reasons we chose user:osama.mansoor@crescent.com.pk

Steps performed so far:

We ran again the Autodiscover testfrom Microsoft Remote Connectivity Analyzer and was successful.

We made the AutoConfiguration test from Outlook 2013. Test was successful and provided the same URL for OAB:https://outlook.office365.com/OAB/df3bf201-d31f-4a69-e51dcf5daa09/

We tested in the IE the OAB link: https://outlook.office365.com/OAB/df3bf201-d31f-4a69-e51dcf5daa09/OAB.xml. We were able to access the XML after entering the affected user’s credentials.

In Outlook Web App the issue is not present.

We started the ETL logging for Outlook 2013 and ran the Fiddler Trace Application to capture the HTTPS traffic decoded.

With Fiddler Trace running the issue was solved. Fiddler Trace application installed a certificate for decoding the HTTPS traffic. After removing the Fiddler Trace certificate the issue came back.

Steps to be performed:

Please send me by email the files collected in our LMI session.

We conclude that issue is not Office 365 related. Please check the following in your internal network:

verify the certificate installed for users from local AD.
if you have proxy, check if the OAB request is allowed to pass.
check that the Background Intelligence Transfer Service (BITS) service is running on the affected machine: http://blogs.technet.com/b/ehlro/archive/2014/03/21/oab-download-and-bits-service.aspx
please be sure BITS service is not blocked at proxy / firewall level.
please check local AD policies that can be related with BITS and certificates.

MY Question :

Can someone help me how can I check is localAD certificate having this problem or not ?

↧

Replicate now error and Kcc event id 1311 and 1865 are all occurring.

September 11, 2015, 9:33 pm

≫ Next: Client computer assigned to different dc

≪ Previous: Client & AD Certificates

I have run into the 2 different KCC event errors and a failed dcdiag /test:services.

The 2 KCC id's are 1865 and 1311. I have verified all sites and subnets are correct in AD Sites and Services. All DC's pass all other dcdiag tests without issue. When I right click the site link and chose replicate now I get the following error message.

I know that the replication is working across all 3 domain controllers because there was an account that was missing this morning that I had created that is now showing up in Users and Computers now on all servers when it was not earlier today.

I was getting an unexpected network error occurred when I ran a dcdiag /test:services however this seems to have cleared on all 3 domain controllers and I am now just simply getting the above message when trying to replicate now over a given site link.

If there is any additional information you may need me to provide or want added let me know. Thanks in advance for all of your help.

Thanks

Zack

↧

Client computer assigned to different dc

September 11, 2015, 9:07 am

≫ Next: group policy

≪ Previous: Replicate now error and Kcc event id 1311 and 1865 are all occurring.

Hi,

I have 4 dc:

Svvm (DC)

VM2(DC)

TestVM1 (DC)

VMRODC (RODC)

and each of them have their own site and subnet , once i wrote the command nltest /dsgetdc:domain.com on vm2 for exalmple i got that it assigned correctly based on the subnets but in DC it is not assigned probably to the right dc and assigned only to svvm. any help please because i still face the same problem

Result of the command:

C:\Users\mulhimm>nltest /dsgetdc:domain.com
DC: \\svvm.doman.com
Address: \\192.168.1.210
Dom Guid: 9e1f3082-0330-459c-8d6b-6cf457fe240a
Dom Name: domain.com
Forest Name: domain.com
Dc Site Name: DC-main
Our Site Name: VM2-site
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
FULL_SECRET WS DS_8 DS_9
The command completed successfully

↧

group policy

September 8, 2015, 9:03 am

≫ Next: Kerberos security error

≪ Previous: Client computer assigned to different dc

HI,

WIndows AD Client machine is very slow. where should i check in Group Policy setting For this issue ?

thanks

↧

Kerberos security error

September 12, 2015, 12:28 pm

≫ Next: Authentication issues with Internet

≪ Previous: group policy

I just added a Hyper-V 2012 R2 server to the 2012 R2 main server. Using "Right-click ThisPC>Properties> change from workgroup to Domain: mysite.com I added to the main server domain. On the main server I added the computer to DNS with the Hyper-V IPv4 address. The problem is in Server Manager>All Servers it showed there but the is an error: "Kerberos security error". How do I correct for this?

↧

Authentication issues with Internet

September 12, 2015, 8:29 pm

≫ Next: Config PDC As Not Reliable TIme + Config Domain Controller As Reliable Time

≪ Previous: Kerberos security error

users are complaining randomly about internet will not work. It displays page cannot be found. however if there log out and log back in and it seems to work for a while and then will drop again.

If the user clicks on any network share drive then internet starts to work without logging out.

What i can see that the issue is with users authenticating with domain controller is dropping but cannot work out what is causing the issue.

DC=windows 2008 R2 ( running DNS/DHCP )

I appreciate any help anyone can provide to my issue. Thanks!!

↧

Config PDC As Not Reliable TIme + Config Domain Controller As Reliable Time

September 9, 2015, 11:39 pm

≫ Next: failed to authenticate to DC (event ID 3210)

≪ Previous: Authentication issues with Internet

I Followed Microsoft Article : https://technet.microsoft.com/en-us/library/cc738042(v=ws.10).aspx

To Cofig Pdc To Be Not Reliable Time As Follow: w32tm /config /syncfromflags:domhier /reliable:no /update;net stop/Start w32time .

Config Domain Controller As Reliable TIme:W32tm /config /reliable:yes /update

After That Procedure All The w32tm/monitor /status /source Show The Correct Config : Pdc Sync Time From That Dc Relaible Time

And Of Course All The Members.

But When I Do Net Time To Members And Pdc I Got The Pdc TIme And Name,

I Checked The AnnounceFlags On The Pdc And I changed It To 10 From A

After That All The Members And The Pdc Show The DC Reliable TIme With Net TIme Command.

My Ques Is Why The Change OF The Flag Solve It ?

The PDc Not Reliable when i typed:w32tm /config /syncfromflags:domhier /reliable:no /update;

Why Do I need To Change AnnounceFlags Additionally To The Prior Command?

Thx

kobi

↧

failed to authenticate to DC (event ID 3210)

May 22, 2015, 1:05 am

≫ Next: Does RODC need a replication Partner?

≪ Previous: Config PDC As Not Reliable TIme + Config Domain Controller As Reliable Time

I´m troubleshooting different Workstation slowness scenarios, and one of the conserning event ID is 3210 which indicates some authorization issues between Client Computer and Domain. Also group policy errors (lack of connectivity to domain controller) follows this error.

I´m tryng to solve this event ID 3210 issue without succsess, so far I´ve done:

- Ports are opened between Client and DC (I ran portQui tests)
- Computer is patched 100%, also KB2958122 included.
- Computer account deleted, Computer re-joined to domain

↧

Does RODC need a replication Partner?

September 14, 2015, 4:47 am

≫ Next: Error applying gpo

≪ Previous: failed to authenticate to DC (event ID 3210)

I'm unable to understand how it is getting replicated for RODC?

↧

Error applying gpo

September 14, 2015, 4:32 am

≫ Next: Cleanup Failover Cluster after Cluster is already shut down

≪ Previous: Does RODC need a replication Partner?

Hi,

I have just created a new gpo in AD and have applied this one to a OU.

The GPO is very easy, I have enabled user settings > Administrative templates > printers > prevent from deletion.

I have propagated the gpo but in the computers inside the 0U the gpo haven't changed. I reseted the computers but the same.

Can anybody tell me if it is possible to know what's wrong when a gpo fails?

Thanks in advance.

Regards.

↧

Cleanup Failover Cluster after Cluster is already shut down

September 8, 2015, 12:22 pm

≫ Next: after dcprmo cant login (domain admins) but can in domain administrator

≪ Previous: Error applying gpo

I have inherited an environment where things were not properly decommissioned. I have a cluster that was just shutdown and the machines were destroyed (deleted VMs), so the cluster object still exists in Active Directory. If I try to destroy the cluster using cluster.exe or Remove-Cluster in PowerShell, I get errors since both try to connect to the cluster to destroy it. I am thinking I am going to have to manually remove it from AD. Aside from deleting the Computer object, what else do I have to do? I want to make sure that it is not listed in the "cluster list" for AD (cluster /list -or- Get-Cluster -Domain contoso.com).

↧