I opened up a discussion about new wsus install that computers are not beeen added to the wsus server properly it looks like computers from different containers are not showing after 24-48 hours to the console.
original discussion: https://social.technet.microsoft.com/Forums/windowsserver/en-US/4ab2467d-fe41-49d4-bf17-f663d1e698cb/new-wsus-install?forum=winserverwsus
any help will be appreciated. thanks
Hi everyone,
What is the most important highlight in the
dnscmd /statistics
command when I read the result and realize a state of health of the DNS server?
Best regards,
Luis G Mieles B
Hello,
I am a new Windows Server admin and back in March/April I brought a domain controller online and joined some Windows 8.1 Pro clients to it using ForensIT's software which converted local user profiles to domain account profiles. Things were working fine until about May when I noticed that group policies weren't being pushed to most/all computers. It appears that the computer accounts had simply vanished from ADUC. I can manually re-add these computers without a problem but I'd like to fix the root cause. A look at the event viewer on a client machine shows an Error for NETLOGON with Event ID: 5721 stating:
The session setup to the Windows NT or Windows 2000 Domain Controller \\mydomain.com for the domain mydomain failed because the Domain Controller did not have an account CLIENTMACHINE$ needed to set up the session by this computer CLIENTMACHINE.
There is also a subsequent warning from LSA (LsaSrv) of Event ID 40961 stating:
The session setup to the Windows NT or Windows 2000 Domain Controller \\mydomain.com for the domain mydomain failed because the Domain Controller did not have an account CLIENTMACHINE$ needed to set up the session by this computer CLIENTMACHINE.
I also get a warning from Time-Service with Event ID 130 stating:
NtpClient was unable to set a domain peer to use as a time source because of failure in establishing a trust relationship between this computer and the 'mydomain.com' domain in order to securely synchronize time. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The trust relationship between this workstation and the primary domain failed. (0x800706FD)
Along with these, the next warning comes from Security-Kerberos with Event ID: 14 stating:
The password stored in Credential Manager is invalid. This might be caused by the logged on user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential mydomain\domainuser.
Finally, I see an error from GroupPolicy (Microsoft-Windows-GroupPolicy) with Event ID 1129 stating:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
I have a failing Server, AD Controller running Server 2008 R2 that I preemptively put a new Server 2012 SP1 box in to replace.
I transferred DHCP, and DNS records, transferred Roles, the DCROMO down the old server. The DHCP is working fine, but the DNS is failing lookups for a SQL 2012 Enterprise DB Server. While the old server DNS is left on, it works fine, but when I stop the service, it throws lookup errors in the app (Eclinicalworks) eg. can't locate resource, end of file errors, etc
I am stumped what to do next, feel it is related to DCPROMO down before testing DNS functionality. I tried copying the System32\DNS folder to the new machine with no impact. Anyone have some "magic powder"?
Greetings,
Our area uses Qualys for vulnerability scanning and our DCs are showing the following vulnerabilities:
Remote User List Disclosure Using NetBIOS (7)
QID: 45003
Category: Information gathering
CVE ID: CVE-2000-1200
Vendor Reference: -
Bugtraq ID: 959
Modified: 10/08/2009
Edited: No
Null Session/Password NetBIOS Access (7)
QID: 70003
Category: SMB / NETBIOS
CVE ID: CVE-1999-0519
Vendor Reference: -
Bugtraq ID: -
Modified: 10/08/
Basically, it appears that anonymous users can generate a list of domain user names and that could be exploited via brute force attacks. I’ve followed most of the steps below in the MS articles listed below:
“It is recommended that you disable null sessions.
Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment.
Read the Microsoft documents called How to Use the RestrictAnonymous Registry Value (http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) and
Restricting Anonymous Access (http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) for
more information. If this vulnerability was discovered on a domain controller, please note that some of the recommended settings may not have any effect. Read
the Microsoft article Description of Dcpromo Permissions Choices (http://support.microsoft.com/kb/257988/) for more information regarding Pre-Windows 2000
Compatible Access.”
The only thing I haven’t done is set the restrictnullsessaccess key in the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters setting to (2). It is currently set to (1) which limits some but not all null sessions.
The kicker is our test domain is configured the same way currently and it doesn’t show up on the scan as having these vulnerabilities? Has anyone seen this before? Our domain admins are worried about making the change (rightly so) because they think it must need to be this way and they don’t want to break the domain. I can’t recreate the issue on the test domain to try the fix. Security is telling us this has to be fixed NOW! and I’m not sure what we can do. Any help would be appreciated. Thanks.
Hello All,
1)we have disabled OU in environment and there are few machine which are enabled in that OU itself, when i check randomly.
Is there way to find out how many machines are in enabled status in that disabled OU.
2) And i want know if there is way to find out how many machines are pinging, i have list of around 4k machines.
Thanks
NA
Hi All
I want give domain users (non domain admin) rights to manage orginization units and it's contains (users, workstations and servers).
Our Topology
Central domain controller with 16 branches ( no addtional DC in any branch).
- I make OU for each branch which contain the branch's users, workstations and APP servers.
- I delegated 16 users "one user foreach OU related ,but those users not domain admin" .
MY questions:
- What's the best practice to give the rights to those users to fully manage the OU related?
- What's the best method to give those users RDP right each user only on the OU assigned.
Thanks in advance
Hi,
I have privileged to add machines in domain but I am unable do same once I removed computer from domain. Even I deleted the account from AD Users and computer but still not able to join machine into domain. Kindly check error message which I am getting"
The join operation was not successful. This could be because an existing computer account having name "my computer name"was previously created using a different set of credentials. Use a different computer name, or contact your administrator
to remove any stale conflicting account. This error was:
Access is denied.
Regards,
Jitendra Gautam
i am getting this error when trying to edit Default GP of my domain controller
ERROR : Failed to open the group policy object. You might not have the appropriate rights.
Please Help
Hello,
An user is able to open all the security groups managed by him via ADAC except one group , when I try to open the same group via ADUC it opens for me , displaying the members of that group
If I try to open the same group via ADAC , I am also getting the error "ADAC closes due to an unknown error"
ADAC abruptly closes ......The Domain functional level is Windows 2008 R2
Any help is greatly appreciated
Thanks & Regards S.Swaminathan Live & let others live!!!
Hi,
I am facing an issue moving computer object from computer container to another OU using powershell script.While I am using the script I am getting the error"Move-ADObject : The operation could not be performed because the object's parent is either uninstantiated or deleted ".But I am able to move this object manually without any issue. Also noticed that using the same script I am able to move the computer object from other OU to computer container without any error.The error only comes when the script use to move the object from computer container to another OU.
Does anyone know the fix for this ?
OS : Windows server 2008 R2
Domain and forest functional Level : Windows Server 2003
Hi all - I am fairly inexperienced with AD so here comes my layman terms question :)
I have two separate AD forests. In Forest A I have all the users defined and I would like to allow some of them to log into Forest B using Forest A's password, but I want control over which groups and access they have in Forest B so really the only thing I want to exchange between the Forests is the password.
Is this possible and could someone give me a pointer in the right direction to look into getting this done?
Thanks!
Hi,
We have multiple sites & all running on Win2008 r2 domain controller. Recently we have added ADC(xxxDC1) in new site (yyy) in existing domain (dddd.com).
Now when user started complaining that they are getting error 'Domain trust relationship not established' while logging to the system. Then we started troubleshoot & executed 'dcdiag.exe' on Additional Domain controller (xxxdc1) then found 'failed test DFSRevent'. Earlier all users used to authenticate using DC (xxxdc) from remote site. In existing site SYSVOL is located in D:\SYSVOL_DFSR & in new site SYSVOL is located in D:\SYSVOL.
How can I troubleshoot issue?
Hello Experts,
We have Single Forest and Single Domain with 4 sites on which we have Places Min 2 domain controllers , On One site name as HADEED , When the Replication link/Domain Controller Links Down the user at remote site unable to authenticate and below error comes
The password is incorrect. Try again."
Although Domain Admin account not able to login on Domain Controller.
I have done following troubleshooting
1.DC Diag does not report any error
2.When Link UP users successfully able to authenticate. (NO PASSWORD ERROR).
3.Clients DNS is local site domain controllers
I can see following event ids generated when Replication Link Downs
Events ID generated Under Active Directory Domain Services
1126,4015,1925,1865,1311,1566,1800,2041
Events ID generated Under Security
4776,4768,4625
All EVENTS ARE ATTACHED HERE
HI all,
As per security concern we need to remove the everyone from share permission on SYSVOL and NETLOGON share.......can anyone provide me the suggesstion for the same...or any documented article which says that how to do it or what precaution showld we take....
Or if the permission is by design has any document or Kb article which says the permission should not be changed.
Appreciate any help.
Thanks........
Hi,
I'm currently developping a portal to authentificate users of my AD LDS with a PHP script.
I have succeeded in connecting them with LDAP, but it doesn't work with LDAPS and I don't know why.
Indeed the HTTPS works but LDAPS can't bind the server, meaning that should not be a certificate issue (SSL being enabled).
Futhermore I am quite sure my script is right and I can connect with LDAPS in the LDP.exe.
I think there is a misconfiguration but I couldn't find anything about that (some dirty tricks like PUTENV = ...)
<?php
$ldapbase = 'base';
$ldapuser = 'DanielCraig';
$ldappass = 'Azerty.123';
$ldapserv = 'ldaps://IP:636';
$ldaprdn = 'CN='.$ldapuser.$ldapbase;
$ldapconnect = ldap_connect($ldapserv) or die("Impossible to connect...");
if ($ldapconnect) {
ldap_set_option($ldapconnect, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldapconnect, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ldapconnect, $ldaprdn, $ldappass);
if ($ldapbind == false) {
echo "LDAPS Failure";
}
else{
echo "LDAPS success";
}
}
?>
Notice that I can't neither connect with port 389 through TLS.
Thank you.
Hi,
i just upgraded DC's from a child domain and after removing old 2003 DC's, i can't access to computers in this domain.
Here is a quick overview. root-A.local, child.root-A.local and external.local are the 3 domains.
There is a 2-way Forest trust (Forest-Wide) between external.local and root-A.local. Root-A.local DC's has been upgraded to 2012 and old 2003 DC's has been de-promoted. No promblems happens after that.
Then, we upgraded all DC's in the child.root-A.local domain and after removing the last 2003 DC, we were not able to access the child.root-A.local domain from the external.local domain.
I can reach all domains using ping / nslookup. I did a validation of the Forest trust (and it's ok).
One of the operation we tried is using get-wmiobject command fromthe external.local domain:
Get-WmiObject -computername Server01.child.root-A.local -class win32_operatingsystem
The error we get is: Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
BTW, all required TCP ports are open because it was working before... And also, i flip the IP Address of the DC's (new 2012 DC's reuse the old 2003 DC's)
Any other hints ?
This posting is provided AS IS without warranty of any kind
I'm getting a ton of audit failures. Problem is I can't ID the source. Any suggestions?
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">