Channel: Directory Services forum

Copying user to make new user

Hi, when I copy a domain user to make a new user in Radius server 2012, it copies all dial-in properties of the user, including Caller ID. How to stop this thing? How to set the default dial-in property "Access control through NPS network policy" for every user?

Thanks


ADMT Security Translation

I'm in the process of migrating several accounts and performing the Security Translation Wizard against the machines belonging to those users. The set of users are split between 2 distant geographic locations. One DC in the target domain, in one of the locations, has had ADMT installed from the very beginning and has been used for all the user and group migration so far. We're co-locating ADMT on DCs since we have a dependency on PES (Password Export Service).

Recently another instance of ADMT was deployed in the 2nd location. The goal would be to use this one as well for Security Translations against the machines located nearby. The problem is that right after the ADMT setup was complete, the wizard would refuse to run for the reason that no user had been migrated previously (on that instance). Getting rid of the error was simple enough - migrating a dummy account - but that didn't address the problem, since subsequent runs of the wizard resulted in no profile being translated across any of the machines processed.

What would be needed in order to use the second ADMT instance for running the Security Translation wizard successfully? One thing that would come to mind is simply to export the ADMT database from the first instance and reuse it on the second one. However, wouldn't this lead to another problem, namely divergent databases from that point on?

Will adding a second ADFS Web Application Proxy cause service disruption

Today I have attempted to add a second ADFS WAP server to an existing (working) ADFS solution based on 2012 R2.

I am able to install and configure the required role/services successfully but then I'm presented with the Remote Access Management console. This shows the two WAP servers but not the existing published application from the original WAP server and only seems to let me Publish a new application.

I'm not sure if I should go ahead and run the Publish Application wizard again in case it impacts on the existing application and causes disruption to the service/users.

Any suggestions would be much appreciated.

Cheers for now

Russell 

Kerberos failure on api server

Hi All,

We are using a client\server vendor API with Kerberos authentication under Active Directory, and it's using the logged-on user to authenticate to the server.

We noticed that we have an issue when authenticating with a kind of delegated user (delegated for user account and computer creation) and with a domain admin, while with a regular user we don't have any issue. At the same time, when using such a user we get a failure audit security event #4625 with the description shown below.

My question: is there any restriction in the vendor's API for the mentioned type of users? How can I debug this, or any idea how to resolve such an issue?

Please advise

Thanks

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        
    Account Domain:        

Failure Information:
    Failure Reason:        An Error occured during Logon.
    Status:            0xc0000133
    Sub Status:        0x0

Process Information:
    Caller Process ID:    0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:    -
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Kerberos
    Authentication Package:    Kerberos
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Root dc & Child dc sites configuration

Hi,

I am planning to install a ROOT domain with an ADC and a child domain; the child domain will have 4 ADCs.

Now I would like to know how I can design my sites and services so that my root domain and child domain replicate with each other. This is what I am planning to configure:

1) I will create one site for the root domain that will host the root domain PDC and ADC servers, which will use the default site link for replication between the root DCs.

2) I will create another site for the child domain that will host the child domain PDC and ADC servers, and create a new site link for replication between the child domain DCs.

Now there is no site link between the child domain and the ROOT domain, so how will replication work between root and child?

Unable to change an expired password with smartcard authentication

We are using XenApp running on Windows 2008 R2 and Wyse Thin Clients.
In the office it is required to logon using smartcards.

Everything is working fine, except when a user's password has expired.

Initially the smartcard authentication on the Wyse TC is accepted and an ICA session is started to a XenApp host running Windows 2008 R2. There the user is prompted to change his password.
But instead of getting a password change page, the user is asked for his smartcard pin.

The system could not log you on. Your password has expired and must be changed. You must log in with your password in order to change it. OK CANCEL

When pressing OK: the user is asked for the pin instead of the password.
When the pin is entered: The system could not log you on. Your credentials could not be verified.

How can we change this behaviour so a user is able to change his expired password?


Problem to change password between two trusted domains

Hi guys.

I have found a problem on my network and I have tried to figure out how to fix it, but no success so far.

I have two domains, the first one is my main domain and the second one is my homologation domain.

My homologation domain trusts my main domain, but my main domain doesn't trust my homologation domain (non transitive trust).

Since the beginning of November, if anyone uses Ctrl + Alt + Del to change the password of an account in the other domain, we get the error message below:

"The security database on the server does not have a computer account for this workstation trust relationship"

But this is quite weird because it changes the password successfully, but we get the error message.

Note: It just happens when I try to change the password from one domain to the second one.
For example: If I am logged on DOMAIN1 and I try to change password of an account on DOMAIN2, it changes successfully, but I get this error. It also happens if I try from DOMAIN2 to DOMAIN1, it changes, but error message.

Note2: Changing the password on the same domain that I am logged on, the problem doesn't happen.

Note3: When the problem started to happen we were installing and configuring ADFS (Federation Services) and Exchange Server (on different servers than Domain Controllers) on the homologation domain. Although we don't believe this is the problem.

Environment:
Main Domain: Domain Controllers running Windows Server 2012 R2 and Windows Server 2008 R2 (some branches, the headquarter is running 2012);
Homologation Domain: Domain Controllers running Windows Server 2012 R2 only;
Functional Level: Windows Server 2008 R2.
Client computer: Windows 8.1 (but even trying to change from any other computer the same problem happens).

What we've done trying to fix so far:
1. Uninstall ADFS (just in case);
2. Check Exchange configuration looking for something or some issue about authentication;
3. Check for duplicate SPNs (setspn -F -X);
4. Recreate the trust relationship (the same way as before);
5. Move FSMO between the servers;
6. Check DNS;
7. Reboot the servers (Domain Controllers);
8. DCDiag (no problems found);
9. Event Viewer of the domain controllers (nothing apparently related to the problem);
10. Rejoin the client to domain;
11. Check the workstation Event Viewer (just in case).

I don't know where the problem is exactly. We've been researching this since the beginning of November with no success so far. :-(

Thank you in advance!

JC






AD not replicating to Domain Controller

Hi Everyone,

I have a Windows 2003 server. It's our primary AD and DNS, running all FSMO roles. Domain schema and forest were already upgraded to 2003 from NT/2000.

The problem is that it seems our DCs are not replicating to the AD.

How to check and solve for this issue?



Random AD Account Lockout

Synopsis :
I have 5 accounts in an AD setup of about 200 users that will randomly lock out.  3 of these users are used specifically for FTP, 2 are user accounts used by 2 office workers that are also Exchange accounts.  In all 5 cases the only log files I can find on the problem state that the account is locked out but never do I actually see the account fail authentication and lock itself out. 

Software Configuration :
1 Server 2003 R2 SP2 Standard 32bit domain controller
-> Runs AD
-> Runs FTP

1 Server 2003 R2 SP2 Standard 64bit Exchange Server
-> Manages all server roles, basic setup with only 1 domain

Problem Description :
There are 2 parts to this problem.

1) The 2 office worker accounts will randomly lock out while they are working and already logged into the system.  The problem shows up when the Exchange account blows an authentication error and asks for the user credentials.  The only log files I can find indicate that the account failed authentication due to the lockout policy.

2) The 3 FTP accounts are split between 3 things.  1 account is for salesman equipment that log in every evening between 6pm - 8pm to upload sales data.  1 account is for hand held scanners used for invoicing stores.  They normally log in about 5am to grab their updated invoices.  1 account is for an as/400 server to log in and update the information for the other 2 accounts to grab. 

Almost every time one account gets locked out I can log into the AD GUI and see that the other 4 accounts have also been locked out.  In every instance I cannot find anything that is actually causing the accounts to lock out.  This problem started on its own; I made no changes to the servers and had not run any kind of Windows Updates or installed any new software.

I am unable to attach the problem to a time frame and lock it down to one source.  It happens at random and sometimes goes days before the problem occurs.

Problem Resolution :
- For the time being I've lowered the account lockout refresh interval to 3 minutes so that when the problem occurs it corrects itself quickly.  
- I'm recreating the accounts with a different SID in an attempt to bypass the problem by getting rid of the problem accounts.  Because the issue is so sporadic I will have to wait several days to see if the problem has stopped.
- After the problem originally occurred I rebooted the servers and ran Windows updates as part of the Months End Maintenance, this did not resolve the problem.


Has anyone seen this before?  I'm looking for a good explanation as to why this would start happening, especially without any changes made to the system.

the account lockout, the logon user account (null)\AAAA, Interactive logon

One user account always gets locked out sometimes; it's around 2-3 times a week.

I monitored the status on the domain server, and noticed it happened on the Exchange server (rca075).

I checked the mobile device, it seems ok.

We opened the log on RCA075 and used ALTools -> nlparse.exe on the netlogon.log. I used ALTools to analyze the log on the Exchange server; it shows as below:

You may find the logon account isn't the domain account; it's the account name without the domain name: (null)\yuwang

I'm confused why it's an Interactive logon. Please help us with it: how can I solve this issue, or which tool/command can I use for a further analysis? Thanks.

I also noticed that guest & administrator have the same issue. Plus, RCA075 is the Exchange server.

2015/11/17  10:36:01  Interactive logon  (null)\guest          RCA075  0xC0000234
2015/11/17  10:36:08  Interactive logon  (null)\guest          RCA075  0xC0000234
2015/11/17  10:36:19  Interactive logon  (null)\guest          RCA075  0xC0000234
2015/11/17  10:36:31  Interactive logon  (null)\guest          RCA075  0xC0000234
2015/11/17  10:36:42  Interactive logon  (null)\guest          RCA075  0xC0000234
2015/11/17  10:36:49  Interactive logon  (null)\guest          RCA075  0xC0000234
2015/11/17  11:37:18  Interactive logon  (null)\administrator  RCA075  0xC000006A
2015/11/17  11:52:38  Interactive logon  (null)\administrator  RCA075  0xC000006A
2015/11/18  7:31:23   Interactive logon  (null)\a-ymbi         RCA075  0xC000006A
2015/11/18  10:15:25  Interactive logon  (null)\yuwang         RCA075  0xC000006A
2015/11/18  10:15:30  Interactive logon  (null)\yuwang         RCA075  0xC000006A
2015/11/18  10:15:35  Interactive logon  (null)\yuwang         RCA075  0xC000006A
2015/11/18  10:15:40  Interactive logon  (null)\yuwang         RCA075  0xC000006A
2015/11/18  10:15:45  Interactive logon  (null)\yuwang         RCA075  0xC000006A
2015/11/18  10:15:51  Interactive logon  (null)\yuwang         RCA075  0xC000006A
2015/11/18  10:15:56  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  10:16:01  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  10:16:06  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  10:16:11  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  10:16:16  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  10:16:22  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  10:16:27  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  10:16:32  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  10:16:37  Interactive logon  (null)\yuwang         RCA075  0xC0000234
2015/11/18  16:45:44  Interactive logon  (null)\guest          RCA075  0xC0000234
2015/11/19  3:20:24   Interactive logon  (null)\administrator  RCA075  0xC000006A
2015/11/19  3:20:29   Interactive logon  (null)\administrator  RCA075  0xC000006A
2015/11/19  3:20:34   Interactive logon  (null)\administrator  RCA075  0xC000006A
2015/11/19  3:20:40   Interactive logon  (null)\administrator  RCA075  0xC000006A
2015/11/19  7:31:17   Interactive logon  (null)\a-ymbi         RCA075  0xC000006A

the part of the netlogon.log  is shown as below:

11/18 10:15:25 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:15:25 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/18 10:15:25 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC000006A
11/18 10:15:29 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:29 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:30 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:15:30 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/18 10:15:30 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC000006A
11/18 10:15:34 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:34 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:35 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:15:35 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/18 10:15:35 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC000006A
11/18 10:15:35 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:35 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:36 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:36 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:37 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:37 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:40 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:40 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:40 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:15:40 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/18 10:15:40 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC000006A
11/18 10:15:40 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:45 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:45 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:45 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:15:45 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/18 10:15:45 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC000006A
11/18 10:15:51 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:15:51 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/18 10:15:51 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC000006A
11/18 10:15:56 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:56 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:15:56 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:15:56 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:15:56 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:01 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:16:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:16:01 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:03 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:03 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:06 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:06 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:06 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:16:06 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:16:06 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:09 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:11 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:16:11 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:16:11 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:16 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:16:16 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:16:16 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:21 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:22 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:16:22 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:16:22 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:22 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:23 [MISC] In control handler (Opcode: 4)
11/18 10:16:25 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:26 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:27 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:16:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:16:27 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:29 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:29 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:30 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:30 [SESSION] I_NetLogonGetAuthData called: (null) PCT (Flags 0x1) 
11/18 10:16:32 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:16:32 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:16:32 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:37 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Entered
11/18 10:16:37 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
11/18 10:16:37 [LOGON] SamLogon: Interactive logon of (null)\yuwang from RCA075 Returns 0xC0000234
11/18 10:16:42 [MISC] DsGetDcName function called: Dom:prinxchengshan.com Acct:(null) Flags: IP KDC
11/18 10:16:42 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
11/18 10:16:42 [CRITICAL] NetpDcGetNameIp: prinxchengshan.com: No data returned from DnsQuery.
11/18 10:16:42 [MISC] NetpDcGetName: NetpDcGetNameIp returned 1355
11/18 10:16:42 [CRITICAL] NetpDcGetName: prinxchengshan.com: IP and Netbios are both done.
11/18 10:16:42 [MISC] DsGetDcName function returns 1355: Dom:prinxchengshan.com Acct:(null) Flags: IP KDC


11/19 03:20:12 [LOGON] SamLogon: Interactive logon of (null)\www from RCA075 Returns 0xC0000064
11/19 03:20:13 [MISC] In control handler (Opcode: 4)
11/19 03:20:17 [LOGON] SamLogon: Interactive logon of (null)\www from RCA075 Entered
11/19 03:20:17 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:20:17 [LOGON] SamLogon: Interactive logon of (null)\www from RCA075 Returns 0xC0000064
11/19 03:20:24 [LOGON] SamLogon: Interactive logon of (null)\administrator from RCA075 Entered
11/19 03:20:24 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/19 03:20:24 [LOGON] SamLogon: Interactive logon of (null)\administrator from RCA075 Returns 0xC000006A
11/19 03:20:29 [LOGON] SamLogon: Interactive logon of (null)\administrator from RCA075 Entered
11/19 03:20:29 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/19 03:20:29 [LOGON] SamLogon: Interactive logon of (null)\administrator from RCA075 Returns 0xC000006A
11/19 03:20:34 [LOGON] SamLogon: Interactive logon of (null)\administrator from RCA075 Entered
11/19 03:20:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/19 03:20:34 [LOGON] SamLogon: Interactive logon of (null)\administrator from RCA075 Returns 0xC000006A
11/19 03:20:40 [LOGON] SamLogon: Interactive logon of (null)\administrator from RCA075 Entered
11/19 03:20:40 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/19 03:20:40 [LOGON] SamLogon: Interactive logon of (null)\administrator from RCA075 Returns 0xC000006A
11/19 03:20:46 [LOGON] SamLogon: Interactive logon of (null)\backup from RCA075 Entered
11/19 03:20:46 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:20:46 [LOGON] SamLogon: Interactive logon of (null)\backup from RCA075 Returns 0xC0000064
11/19 03:20:51 [LOGON] SamLogon: Interactive logon of (null)\backup from RCA075 Entered
11/19 03:20:51 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:20:51 [LOGON] SamLogon: Interactive logon of (null)\backup from RCA075 Returns 0xC0000064
11/19 03:20:57 [LOGON] SamLogon: Interactive logon of (null)\backup from RCA075 Entered
11/19 03:20:57 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:20:57 [LOGON] SamLogon: Interactive logon of (null)\backup from RCA075 Returns 0xC0000064
11/19 03:21:02 [LOGON] SamLogon: Interactive logon of (null)\backup from RCA075 Entered
11/19 03:21:02 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:02 [LOGON] SamLogon: Interactive logon of (null)\backup from RCA075 Returns 0xC0000064
11/19 03:21:08 [LOGON] SamLogon: Interactive logon of (null)\server from RCA075 Entered
11/19 03:21:08 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:08 [LOGON] SamLogon: Interactive logon of (null)\server from RCA075 Returns 0xC0000064
11/19 03:21:13 [LOGON] SamLogon: Interactive logon of (null)\server from RCA075 Entered
11/19 03:21:13 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:13 [LOGON] SamLogon: Interactive logon of (null)\server from RCA075 Returns 0xC0000064
11/19 03:21:14 [MISC] In control handler (Opcode: 4)
11/19 03:21:19 [LOGON] SamLogon: Interactive logon of (null)\server from RCA075 Entered
11/19 03:21:19 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:19 [LOGON] SamLogon: Interactive logon of (null)\server from RCA075 Returns 0xC0000064
11/19 03:21:24 [LOGON] SamLogon: Interactive logon of (null)\server from RCA075 Entered
11/19 03:21:24 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:24 [LOGON] SamLogon: Interactive logon of (null)\server from RCA075 Returns 0xC0000064
11/19 03:21:31 [LOGON] SamLogon: Interactive logon of (null)\data from RCA075 Entered
11/19 03:21:31 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:31 [LOGON] SamLogon: Interactive logon of (null)\data from RCA075 Returns 0xC0000064
11/19 03:21:36 [LOGON] SamLogon: Interactive logon of (null)\data from RCA075 Entered
11/19 03:21:36 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:36 [LOGON] SamLogon: Interactive logon of (null)\data from RCA075 Returns 0xC0000064
11/19 03:21:41 [LOGON] SamLogon: Interactive logon of (null)\data from RCA075 Entered
11/19 03:21:41 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:41 [LOGON] SamLogon: Interactive logon of (null)\data from RCA075 Returns 0xC0000064
11/19 03:21:47 [LOGON] SamLogon: Interactive logon of (null)\data from RCA075 Entered
11/19 03:21:47 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:47 [LOGON] SamLogon: Interactive logon of (null)\data from RCA075 Returns 0xC0000064
11/19 03:21:53 [LOGON] SamLogon: Interactive logon of (null)\info from RCA075 Entered
11/19 03:21:53 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:53 [LOGON] SamLogon: Interactive logon of (null)\info from RCA075 Returns 0xC0000064
11/19 03:21:58 [LOGON] SamLogon: Interactive logon of (null)\info from RCA075 Entered
11/19 03:21:58 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:21:58 [LOGON] SamLogon: Interactive logon of (null)\info from RCA075 Returns 0xC0000064
11/19 03:22:04 [LOGON] SamLogon: Interactive logon of (null)\info from RCA075 Entered
11/19 03:22:04 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:22:04 [LOGON] SamLogon: Interactive logon of (null)\info from RCA075 Returns 0xC0000064
11/19 03:22:09 [LOGON] SamLogon: Interactive logon of (null)\info from RCA075 Entered
11/19 03:22:09 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
11/19 03:22:09 [LOGON] SamLogon: Interactive logon of (null)\info from RCA075 Returns 0xC0000064
11/19 03:22:14 [MISC] In control handler (Opcode: 4)
11/19 03:23:15 [MISC] In control handler (Opcode: 4)
11/19 03:24:15 [MISC] In control handler (Opcode: 4)
11/19 03:25:16 [MISC] In control handler (Opcode: 4)
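
An added example, not part of the original post and not ALTools code: a small Python triage script for netlogon.log lines in the format shown above. It reports sources that fail logons against many different account names in a short window, and for each locked-out account how many wrong-password failures preceded the first lockout status. The sample lines are constructed (host EXCH01 and user alice are placeholders), and the year, window and threshold are assumptions, since netlogon.log timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# NTSTATUS codes that appear in the post's log.
NO_SUCH_USER = 0xC0000064
WRONG_PASSWORD = 0xC000006A
ACCOUNT_LOCKED_OUT = 0xC0000234

# Matches only the "[LOGON] SamLogon: ... Returns 0x..." result lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] SamLogon: "
    r"(?P<kind>.+?) logon of (?P<domain>[^\\]*)\\(?P<user>\S+) "
    r"from (?P<src>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


class Failure(NamedTuple):
    ts: datetime
    user: str
    src: str
    status: int


def parse_failures(text, year=2015):
    """Return one Failure per SamLogon result line with a non-zero status."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered", [CRITICAL], [SESSION], [MISC] lines
        status = int(m.group("status"), 16)
        if status == 0:
            continue  # successful logon
        ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d %H:%M:%S")
        out.append(Failure(ts, m.group("user"), m.group("src"), status))
    return out


def find_username_sweeps(events, window=timedelta(minutes=5), min_users=4):
    """Per source, find the window with the most distinct failing account names.

    Many different names failing from one source in minutes looks like
    credential guessing, not one user's stale saved password.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    findings = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e.ts)
        best_start, best_users, lo = None, set(), 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            users = {e.user.lower() for e in evs[lo:hi + 1]}
            if len(users) > len(best_users):
                best_start, best_users = evs[lo].ts, users
        if len(best_users) >= min_users:
            findings.append((src, best_start, sorted(best_users)))
    return findings


def lockout_trail(events):
    """For each account, describe what preceded its first lockout status.

    The first 0xC0000234 is only the first time this log saw the account
    locked; the lockout itself may have been triggered elsewhere.
    """
    trail, wrong = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        user = ev.user.lower()
        if ev.status == WRONG_PASSWORD:
            wrong[user].append(ev)
        elif ev.status == ACCOUNT_LOCKED_OUT and user not in trail:
            trail[user] = {
                "locked_at": ev.ts,
                "wrong_passwords_before": len(wrong[user]),
                "sources": sorted({e.src for e in wrong[user]}),
            }
    return trail


# Constructed sample in the same line format as the post's excerpt.
SAMPLE_LOG = r"""
11/18 10:15:25 [LOGON] SamLogon: Interactive logon of (null)\alice from EXCH01 Entered
11/18 10:15:25 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
11/18 10:15:25 [LOGON] SamLogon: Interactive logon of (null)\alice from EXCH01 Returns 0xC000006A
11/18 10:15:30 [LOGON] SamLogon: Interactive logon of (null)\alice from EXCH01 Returns 0xC000006A
11/18 10:15:35 [LOGON] SamLogon: Interactive logon of (null)\alice from EXCH01 Returns 0xC000006A
11/18 10:15:40 [LOGON] SamLogon: Interactive logon of (null)\alice from EXCH01 Returns 0xC0000234
11/18 10:15:45 [LOGON] SamLogon: Interactive logon of (null)\alice from EXCH01 Returns 0xC0000234
11/19 03:20:12 [LOGON] SamLogon: Interactive logon of (null)\www from EXCH01 Returns 0xC0000064
11/19 03:20:24 [LOGON] SamLogon: Interactive logon of (null)\administrator from EXCH01 Returns 0xC000006A
11/19 03:20:46 [LOGON] SamLogon: Interactive logon of (null)\backup from EXCH01 Returns 0xC0000064
11/19 03:21:08 [LOGON] SamLogon: Interactive logon of (null)\server from EXCH01 Returns 0xC0000064
11/19 03:21:14 [MISC] In control handler (Opcode: 4)
"""

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for src, start, users in find_username_sweeps(failures):
        print(f"{src}: {len(users)} account names failed from {start}: {users}")
    for user, info in lockout_trail(failures).items():
        print(user, info)
```

The source field in these lines is the machine that passed the logon to the domain controller, so a hit on a mail or web server points at the service on that host that accepted the credentials, which is where the client address has to be looked up.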

Timeout issue in multiple Domain Controller

Hi,

When I run the Netlogons Test, Replication Test, Advertising Test, FSMOCheck Test, KCCCheck Test and FRSCheck Test, all these tests are timing out. When I checked all 4 DCs, I could not see any DCDiag errors or any replication errors either.

What I noticed here is the time taken to run these test are comparatively more.

When I open AD Sites and Services/AD users and Computer it is taking minimum 5 minutes to open these. But I am able to open AD Domains and trusts immediately.

One more thing I noticed is that when I start/stop the netlogon service, the Sites and Services/Users and Computers consoles open fast. But after a minute the issue repeats.

Does anyone know the cause of this issue ?

Unable to Install Active Directory Role

Hi Experts

Trying to introduce the first 2012 R2 DC in the network and getting the below-mentioned error. Domain and Forest functional level is 2003. Any idea how to fix it?



Thanks Cloudy Lynx

Add-kdsrootkey child domain

Hi,

I have the following configuration. 

Forest: ms-opsmgr.eu
Domain: ms-opsmgr.eu
Child Domain: dev.ms-opsmgr.eu

Now I want to start using Managed Service accounts. 

When I run the following command on the domain Controller add-kdsrootkey((get-date).addhours(-10))  on the ms-opsmgr.eu domain everything is working fine. 

When I run the command add-kdsrootkey((get-date).addhours(-10)) in the child domain dev.ms-opsmgr.eu, I am getting the error "Request not supported". The user is a member of the domain-admins group and I run the PowerShell command as administrator.

What am I doing wrong?

Hope someone can help me?

Greetings Roel Knippen



dynamic security group

Can we create a dynamic security group in Windows 2012 R2 AD?

AD LDS in DMZ


I set up a standalone AD LDS server in the DMZ, and was able to configure it to adamsync to our internal AD manually. The way I sync is to run adamsync as a local administrator, while in the configuration XML file I added an internal AD user (see below).

<source-ad-account>adldsuser</source-ad-account>
<account-domain>domain.us</account-domain>

When I run adamsync, I use /passprompt to enter the domain\adldsuser password on the command line. The problem is obvious: I have to remember to log in and manually sync it every couple of days. I am desperate to know how to schedule it so that it can sync automatically. I tried searching online but can't find any solution to it.

In the practical world, how do you guys configure AD LDS in a DMZ? And how do you accomplish syncing automatically?

Thanks

Byron


Sysvol/netlogon not replicating between DCs - Windows Server 2012

  • Summary of issue
  • My main FSMO DC (DC1) crashed recently so I forced the roles over to DC2.
  • The thing I found was that the replication wasn't working between DC1/DC2 so as a quick fix the sysvol folder was copied manually from DC1 to DC2 and bingo everything seemed to work again.
  • Users were receiving their profiles etc. and folder redirection was back working again.
  • When I added a new DC (DC3) and tried to setup replication, I got just one error on DC1 when I ran dcdiag
Testing Server: DFSREvent

There are warnings or error events within the last 24 hours after the SYSVOL has been shared.  Failing sysvol replication problems may cause Group Policy problems.

...................................... server failed test DFSREvent

There was plenty of errors in the  such as event 5002

The DFS replication service encountered an error communicating with partner 'DC01' (old FSMO server that died) for replication group Domain System Volume.

Event 5008 and Event 4612 are now showing 

5008 is a similar event to 5002

The DFS Replication service failed to communicate with partner DC1 for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

I found a KB that advised that the primary server was pointing to the wrong server in HKLM/currentcontrolset/services/DFSR/Parameters/sysvols/seedingSysVols/domain, the parent company server was the old FSMO server (DC1) so I changed the server to the new FSMO server DC2.

Current state

I've demoted DC3 and I just want to make sure that DC2 is setup correctly as the FSMO server and that replication can work successfully.

Obviously working through the registry and ADSI I noticed that DC2 is not an authoritative server even when DC3 was trying to replicate.

Can anyone offer any advice on next steps to clean up DC2 please?

Maximum Password Age questions


Hi all,

I'm in an environment where the students' computers are not in the domain. However, the users are.
Now, to connect to the complex WiFi, they must auth with their domain user accounts.
They won't be able to connect if their passwords are expired.

Now, we use a service that lets the students know their password is about to expire, since they otherwise wouldn't get notified, and their passwords would expire.

Here's the pickle though. They have requested a change to the Maximum Password Age policy.

I went ahead and made the change, but it seems not to apply. I'm guessing it's because the policy setting is a machine policy setting and in fact it's the local machine (in a normal domain env) that actually is verifying the user's password age? Anyone got any ideas on how to go about this?

Thanks in advance!

People seeing different things in dfs


I believe home users are being pointed to different shares than onsite users, this has only just started happening about a week ago, no changes as far as I know, any help much appreciated

I have a DFS Replication Health report

ERRORS (There is 1 error to report)

Inconsistent configuration detected (invalid object).
 Affected replicated folders: All replicated folders on this server.
 Description: The DFS Replication service detected invalid msDFSR-Subscriber object data while polling for configuration information. Additional information includes Object DN: CN=ab93cf11-6904-4de9-b411-bbb67d8afe32,CN=DFSR-LocalSettings,CN=DEVON,OU=Domain Controllers,DC=insall-lon,DC=co,DC=uk Attribute Name: msDFSR-MemberReference and domain controller: DEVON.insall-lon.co.uk. Event ID: 6002
 Last occurred: 26 November 2015 at 15:37:48 (GMT0:00)
 Suggested action: For information about troubleshooting this problem, see The Microsoft Web Site.

and a dcdiag

C:\Users\administrator.INSALL-LON>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DEVON
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: WEP\DEVON
      Starting test: Connectivity
         ......................... DEVON passed test Connectivity

Doing primary tests

   Testing server: WEP\DEVON
      Starting test: Advertising
         ......................... DEVON passed test Advertising
      Starting test: FrsEvent
         ......................... DEVON passed test FrsEvent
      Starting test: DFSREvent
         ......................... DEVON passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DEVON passed test SysVolCheck
      Starting test: KccEvent
         ......................... DEVON passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DEVON passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DEVON passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=insall-lon,DC=co,DC=uk
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=insall-lon,DC=co,DC=uk
         ......................... DEVON failed test NCSecDesc
      Starting test: NetLogons
         ......................... DEVON passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DEVON passed test ObjectsReplicated
      Starting test: Replications
         ......................... DEVON passed test Replications
      Starting test: RidManager
         ......................... DEVON passed test RidManager
      Starting test: Services
         ......................... DEVON passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003FC
            Time Generated: 11/27/2015   09:09:17
            Event String:
            Scope, 192.168.50.0, is 95 percent full with only 4 IP addresses remaining.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/27/2015   09:46:14
            Event String:
            Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/27/2015   09:46:15
            Event String:
            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
         ......................... DEVON failed test SystemLog
      Starting test: VerifyReferences
         ......................... DEVON passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : insall-lon
      Starting test: CheckSDRefDom
         ......................... insall-lon passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... insall-lon passed test CrossRefValidation

   Running enterprise tests on : insall-lon.co.uk
      Starting test: LocatorCheck
         ......................... insall-lon.co.uk passed test LocatorCheck
      Starting test: Intersite
         ......................... insall-lon.co.uk passed test Intersite
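
For triaging long dcdiag output like the run pasted above, the following added example (not part of the original post) pulls out only the failed tests together with the detail lines dcdiag printed between "Starting test" and the verdict. The sample text is a constructed excerpt in the same layout, and the function names are this example's own.

```python
import re

# Constructed excerpt in the layout of the dcdiag output quoted above
# (server and test names taken from the post; trimmed for brevity).
SAMPLE = """\
   Testing server: WEP\\DEVON
      Starting test: Connectivity
         ......................... DEVON passed test Connectivity
      Starting test: NCSecDesc
         Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=insall-lon,DC=co,DC=uk
         ......................... DEVON failed test NCSecDesc
      Starting test: NetLogons
         ......................... DEVON passed test NetLogons
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s*(\S+) (passed|failed) test (\S+)")

def parse_dcdiag(text):
    """Return {(target, test): {"status": ..., "details": [...]}}."""
    results, current, details = {}, None, []
    for line in text.splitlines():
        m = START.match(line)
        if m:
            current, details = m.group(1), []
            continue
        m = RESULT.match(line)
        if m:
            target, status, test = m.groups()
            results[(target, test)] = {"status": status, "details": details}
            current, details = None, []
        elif current and line.strip():
            details.append(line.strip())  # text between start and verdict
    return results

def failed_tests(text):
    """List (target, test, details) for every failed test, in input order."""
    return [(target, test, r["details"])
            for (target, test), r in parse_dcdiag(text).items()
            if r["status"] == "failed"]

if __name__ == "__main__":
    for target, test, details in failed_tests(SAMPLE):
        print(f"{target}: {test} FAILED")
        for d in details:
            print("   ", d)
```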

ADFS: how does it use certificates


Hello

we are looking to implement adfs for our client so they can use same sign on. i understand that certificates enable 1 identity to trust the identity of another. what i am struggling to understand is why a common name such as sts.domain.com is assigned to that certificate, especially if we are implementing adfs to use with office 365. we don't have any roaming users so can't see how that address would be used.

would be grateful if someone could explain how on-premise AD and office 365 use the certificate, especially the common name.

regards,

Elroy



how to create service account in windows server 2012 R2

Hi everyone,

i want to create a service account in active directory and bind it with a computer account.
(the computer would be running sql server 2012 and during sql setup i want to use this account)

i am running the below commands in the active directory module for windows powershell on windows server 2012 R2 but it does not seem to work out

Import-Module ActiveDirectory
New-ADServiceAccount -Name sqladmin -Path "cn=Managed Service Accounts, dc=mydomain,dc=com" -enabled $true

Please also refer to the below link

http://social.msdn.microsoft.com/Forums/sqlserver/en-US/d34a36a4-568c-4447-8c30-30a526e8c662/installation-of-sql2012service-accounts?forum=sqlgetstarted#5ecf9617-f146-4270-b9d8-737aa9796c00





