802.1x using authentication from NT Domain Controller instead of Radius

I would like to know if it's possible to configure 802.1x using authentication from an NT Domain Controller, instead of using RADIUS or TACACS.

It is possible to use MS AD, generic LDAP or Novell NDS for authentication; it's fairly common.
The issue is "How do you get the device to talk to the authentication source ... (AD, DC, NDS, LDAP)?"
The answer is RADIUS.
You can configure RADIUS to pull authentication from a variety of sources (depending on the RADIUS server - many/most can use any of the LDAP-based systems).
So, yes, certainly you can use Microsoft AD, but you need RADIUS to connect the two systems (the 802.1x device and the AD server).
If cost is the issue, try FreeRADIUS (www.freeradius.org) - it's fully featured (can use LDAP, AD, NDS, certificates, etc.), it's free, and configuration is much easier than it looks ....
Good Luck
Scott
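
The answer above places RADIUS between the switch and the directory without saying what the switch and the RADIUS server actually exchange. The following is an added example, not FreeRADIUS code and not code from the original thread: a minimal RFC 2865 Access-Request / Access-Accept round trip between a NAS (the 802.1x switch) and a RADIUS server, showing the three things the shared secret protects (the hidden User-Password, the Request Authenticator, and the Response Authenticator the NAS must verify before trusting an Accept). The shared secret, user name and password are constructed values. Two caveats a practitioner would want: real 802.1x carries EAP inside EAP-Message attributes (plus a Message-Authenticator) rather than a User-Password, and the PAP-style attribute is used here only because it exposes the secret-handling mechanics in a few lines; and which EAP method you pick decides how the RADIUS server can reach AD (an LDAP bind works for PAP-style inner methods, while PEAP/MS-CHAPv2 needs something like Samba's ntlm_auth or winbind on the FreeRADIUS host, because the server must answer an NT-hash challenge rather than bind with a cleartext password).

```python
"""RFC 2865 Access-Request / Access-Accept exchange with a shared secret (added example)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample values (assumptions, not from the original post).
SHARED_SECRET = b"switch-to-radius-secret"
# What the server's backend (AD, reached via LDAP or ntlm_auth in a real deployment) would say.
USERS = {"alice": "correct horse battery staple"}


def _attrs(pairs):
    """Encode attributes as Type(1) Length(1, includes the 2 header bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = req_auth, b""
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of s5.2; the chain is keyed on the received ciphertext blocks."""
    prev, out = req_auth, b""
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, body = pkt[4:20], pkt[20:length]
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2:  # malformed attribute; stop rather than loop forever
            break
        attrs[t] = body[i + 2:i + l]
        i += l
    return code, ident, auth, attrs


def nas_access_request(username: str, password: str, secret: bytes = SHARED_SECRET, ident: int = 7) -> bytes:
    """NAS side: fresh random Request Authenticator, password hidden under the secret."""
    req_auth = os.urandom(16)
    attrs = _attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
    ])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes = SHARED_SECRET, users: dict = USERS) -> bytes:
    """Server side: recover the password, check it against the backend, sign the reply."""
    _, ident, req_auth, attrs = parse_packet(request)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


def nas_verify_reply(request: bytes, reply: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """NAS side: accept only a reply whose authenticator was computed with our secret and our ID."""
    _, req_id, req_auth, _ = parse_packet(request)
    if reply[1] != req_id:
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return reply[4:20] == expected


if __name__ == "__main__":
    req = nas_access_request("alice", "correct horse battery staple")
    rep = server_handle(req)
    print("code", parse_packet(rep)[0], "verified", nas_verify_reply(req, rep))
```

A server that does not hold the same secret cannot recover the password and, just as importantly, cannot produce a Response Authenticator the NAS will accept; that is the whole of the trust between switch and RADIUS server, which is why the secret should be long, per-NAS, and never the string from a vendor example.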

Similar Messages

  • Weblogic on Unix, authenticating users/groups from NT domain controller

    Hi!
    Our weblogic 6.1 server will eventually run on a non-Windows platform, but needs to authenticate users from a Windows NT 4.0 domain controller. What's the best solution to this?
    - What (inexpensive) LDAP servers support synchronization with a Windows domain controller?
    - Or am I missing out on other ways of doing this?
    jan henrik

    Yes. Other intrinsic jobs have failed too. Is this related to the Job Dispatcher service? Thank you for your help.

  • NTLM Authentication with a domain controller/active directory

    Hi,
    I have a requirement to do an NTLM authentication with the MS active directory.
    I am aware that JNDI doesn't support this protocol to communicate with the AD.
    I have looked into a couple of online solutions available but they don't seem to meet my requirement. Most of the solutions (like Apache Commons NTLMScheme/NTCredentials, java.net.Authenticator, etc.) are used only for NTLM proxy authentication (where both username and password are sent to the proxy server, which does the actual NTLM authentication with Active Directory).
    What I need is a solution in Java where I can directly contact Active Directory for negotiation of the challenge/response mechanism.
    Can any of you suggest an alternative to achieve this?

    it really depends to be honest. I'd probably go something like this though:
    One Small physical server to act as a domain controller - you could put DHCP on this too
    One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined. 
    Then for your VMs create the following:
    1 x additional domain controller
    For remote desktop services:
    1 x Remote Desktop Session Host
    1 x Connection Broker
    1 x Gateway and web server
    For additional services
    1 or 2 x Exchange
    1 x sharepoint
    1 x IIS
    but it really depends what you want to achieve. 
    The benefit from Virtual machines is that you can keep separate virtual servers for separate applications. 
    If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance. 
    Hope this helps you a bit more. And thanks for the positive blog feedback - it's appreciated.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Help keep the forums tidy, if this has helped please mark it as an answer

  • Authentication from Win-Domain for all OUs.

    Hi,
    we have a Win-Domain server which has users in different OUs (organizational units). I use standard LDAP authentication for my apps.
    DN string: cn=%LDAP_USER%,ou=accountants,dc=mydomainname,dc=com
    But there is a problem. Because of this, users from different OUs cannot use my application at the same time.
    I tried a number of different DN strings but it does not work.
    How can I solve it?
    Edited by: Zair S. on Dec 5, 2012 4:15 AM

    Hi Zair,
    I don't know AD configuration well enough and I also don't know how you want to distinguish if an entered username exists in both organisations, but
    you might be able to use the "LDAP Username Edit Function" function to get what you want.
    You could use that function to manipulate your DN String on the fly to also return the organisation. For example if you
    1) set your DN string to
    cn=%LDAP_USER%,dc=mydomainname,dc=com
    2) and create a "LDAP Username Edit Function" like
    return apex_escape.ldap_dn (
                 p_string => :USERNAME,
                 p_escape_non_ascii => false ) || ',ou=accountants';
    3) "Username Escaping" attribute would be set to "No Escaping".
    Note: You would have to add your own logic instead of the ',ou=accountants' to determine which OU should be set based on the user or some other setting.
    Regards
    Patrick
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf
    Edited by: Patrick Wolf on Dec 5, 2012 3:21 PM
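
The answer above builds the bind DN by hand and leans on apex_escape.ldap_dn to keep the user-supplied name from altering the DN. As an added example (not from the APEX answer or the APEX product), the helpers below implement the two escaping rules that make such string building safe, RFC 4514 for DN values and RFC 4515 for search-filter values, and show the alternative most AD deployments use when users live in many OUs: search-then-bind, where the application binds with a low-privilege service account, searches the whole domain for the sAMAccountName, and then binds as whatever DN comes back, so no OU has to be guessed at all. The base DN and user names are the ones from the thread; the OU lookup table is an assumption standing in for "your own logic".

```python
"""RFC 4514 / RFC 4515 escaping for LDAP DN and filter construction (added example)."""

# Assumed stand-in for the per-user OU logic the answer leaves to the reader.
OU_BY_USER = {"alice": "accountants", "bob": "engineering"}
BASE_DN = "dc=mydomainname,dc=com"


def escape_dn_value(value: str) -> str:
    """RFC 4514 s2.4: escape characters with structural meaning inside an RDN value.
    Required: leading '#' or space, trailing space, and  " + , ; < > \\ .
    '=' is not required by the RFC but is commonly escaped as well; it is here."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))  # control characters as \XX hex pairs
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 s3: the five bytes that change a filter's meaning become \\XX escapes."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Filter for the search-then-bind step: one account, any OU under the base DN."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def build_bind_dn(username: str, base: str = BASE_DN) -> str:
    """The answer's approach (cn + an OU chosen per user), with escaping applied to both parts."""
    ou = OU_BY_USER.get(username.lower())
    if ou is None:
        raise LookupError("no OU mapping for %r" % username)
    return "cn=%s,ou=%s,%s" % (escape_dn_value(username), escape_dn_value(ou), base)


if __name__ == "__main__":
    print(build_bind_dn("alice"))
    print(build_user_filter("alice"))
    # An attempt to smuggle an extra RDN or widen the filter is neutralised:
    print(escape_dn_value("x,ou=admins"), build_user_filter("*)(objectClass=*"))
```

With "Username Escaping" set to "No Escaping" on the APEX side, the edit function is the only place escaping happens, so any replacement for the ',ou=accountants' suffix must escape the OU name it appends as carefully as the username.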

  • DNS issues from one domain controller to another (but not the other way) nslookup DNS request timed out

    Hi All
    I've been trying to trudge my way through an issue our client is having but I'm getting nowhere fast. This issue was discovered when searching for why users at our second site were experiencing slow logons every morning (5-10 minutes to log in).
    Within our domain there are two domain controllers for the child domain we manage.
    DC1 has a connection back to the parent DCs (managed by our client's parent company), and also replicates both ways with DC2. DC2 is at another site, on another subnet, and replicates to and from DC1 only.
    DC2 appears to have no issues, it can resolve any address, nslookup either using itself or DC1 is fine and name servers resolve fine.
    DC1 has massive issues with DC2 - using it for nslookup gives me the following:
    I get this timeout error for internal and external names, but both DC's are able to ping and access internet with no issues.
    When trying to resolve name servers from DC1, DC2 sits at 'validating' for a while and then comes back with 'a timeout occurred during validation'.
    Restarting DNS Server, NETLOGON and registering in DNS from DC2 had DC1 talking to it fine for a few minutes, but then it went back how it is (and I haven't been able to replicate this fix since).
    Reverse DNS zones are setup for all the subnets used, there are A records and PTR's for both DC's.
    Performing 'ping -a dc2.ip.address' from DC1 comes back fine - it knows what it is in both directions (name and IP) but nslookup and nameserver resolution is still failing.
    I just don't know where to go from here - from everything I've read they should be happy... Any ideas?

    Hi,
    When NSLOOKUP starts, before anything else, it checks the computer's network configuration to determine the IP address of the DNS server that the computer uses.
    Then it does a reverse DNS lookup on that IP address to determine the name of the DNS server.
    If reverse DNS for that IP address is not setup correctly, then NSLOOKUP cannot determine the name associated with the IP address.
    http://support.simpledns.com/kb/a90/nslookup-cant-find-server-name___-default-server-unknown.aspx
    Also refer to:
    How to fix NSLOOKUP Default Server: UnKnown?
    http://www.randika.info/2013/01/how-to-fix-nslookup-default-server.html
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Clients authenticating to wrong Domain Controllers

    In our domain we have 28 sites and each site has its own Domain Controllers, and we have one data center where we have 3 DCs.
    Domain Controllers run the DNS role as well and DNS replication is Active Directory integrated.
    For all clients the local DC is configured as primary DNS and the data center DCs are configured as secondary DNS.
    The problem is, most of the time, client machines are not getting authentication from the local domain controller; most of the time authentication happens from another location's domain controller or the data center DCs.
    I have done the below troubleshooting steps:
    DNS - verified in DHCP and ensured that the local domain controller (DNS) server is configured as primary DNS server and the data center DCs as secondary
    SRV Records - verified and they look fine
    Subnets - verified and found they are configured according to the sites in AD
    I can confirm the information in SRV records and AD subnet information is accurate.
    Please help me resolve the issue
    Mahesh

    "Problem is, most of the times, client machines are not gettings authentication from local domain controller, most of the times authentication happnes from other location domain controller or data center DCs."
    This is usually caused due to one of the following:
    AD Sites and subnets are not configured properly: DCs not moved to the correct sites, missing subnets, subnets linked to wrong sites .... Here, netlogon.log on each DC will help you to have more information about this: http://support.microsoft.com/kb/109626
    Security filtering: If traffic to local DCs is filtered, client computers will not be able to query them and will try to query other DCs. You can use PortQryUI to make sure that all needed ports for authentication are opened: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
    Wrong DNS records which may cause wrong DNS resolution - Here clients may be redirected to DCs you don't want them to contact
    For AD sites and subnets, make sure that:
    You created an AD site per physical location you have DCs in
    You created all used subnets (Be careful about subnetting and supernetting) and linked them to their correct sites - Each subnet will be linked to the AD site containing the DCs you would like to be contacted
    For Filtering, use PortQryUI for checks and you can use event logs for more information.
    For the DNS system, you can proceed like this to be sure that all DCs were registered correctly and that DNS resolution will be fine:
    Make sure that all DCs have one IP address in use and only one NIC enabled (Other NICs should be disabled)
    Make sure that public DNS servers are set as forwarders and not in IP settings
    Choose a healthy DC / DNS server and make all DCs point to it as primary DNS server. You can make other DNS servers point to their private IP address as secondary one
    Make sure that needed ports for AD replication are opened in both directions: http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
    Once done, run ipconfig /registerdns and restart netlogon on each DC you have. Like that, all DCs will update their records on the chosen DNS server and the changes will be replicated to other DC / DNS servers using AD replication. Of course, it will be better to remove manually all obsolete / unused DNS records.
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

  • AD account logging to a remote domain controller for authentication

    Hi,
    I have a weird issue with an AD account using a different logon server when authenticating to AD. A domain admin account uses the local site domain controller but another account is using a remote domain controller as logon server. I'm using both accounts to log on to the same server (CRM 2011). But when I issue the command "set l" from the command line, they show different LOGONSERVER values.
    My issue is the CRM account is pointing to a remote domain controller (Windows 2012 R2) which I don't want; it should use the local site domain controller (Windows 2008 R2). The reason is that the CRM server is on a test network (isolated) and when we test an upgrade of a CRM add-on product called Experlogix, the upgrade requires getting authenticated by AD but it fails, and I think the logon server is the issue. When the CRM account is used on the test server it points not to the local site domain controller but to the remote DC which is not in the test network.
    Thanks for your help!!!
    AA

    Start by checking that your sites and subnets are well configured.
    Use dssite.msc and make sure that:
    You have AD sites that represent your physical sites
    All the subnets in use are created and moved to the correct AD site
    Your DCs belong to the correct AD site
    You can read more about the DC Locator process here: http://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • DirectAccess Server 2012 Configuration cannot be retrieved from domain controller

    Hi everyone,
    We are using DirectAccess over Server 2012. There is just one server, no load balancing.
    Everything works fine, all clients can connect successfully and the operations status page shows all in green. Nevertheless on the dashboard page in the configuration status section it says "Configuration for server [servername] cannot be retrieved from the domain controller."
    I found a few hints on what could cause this problem:
    "In my case, the RAConfigTask, a scheduled task, was not enabled on the affected WS2012 server (DA entry point in a multisite deployment). After just enabling it, the errors have gone."
    http://blog.gocloud-security.ch/2013/01/11/ws2012-directaccess-and-the-configuration-for-server-server-name-retrieved-from-the-domain-controller-cannot-be-applied-error/
    "Group Policy was filtering out my DA server from the GPO object for some reason. To fix, I opened up Group Policy Management on the domain controller and made sure that my DA server was a part of the group."
    http://www.joedissmeyer.com/2012/12/more-issues-and-solutions-for.html
    "Server has no connectivity to the domain in order to update the policies. Run 'gpupdate /force' on the server to force policy update. GPO replication might be required in order to retrieve the updated configuration."
    "This could be because there is no writable domain controller in the Active Directory site of the Remote Access server."
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/56fedb17-1274-4e1a-b2d0-fea809f0bc45
    I checked everything. Task is enabled and completed successfully, GPO is not filtered out, run gpupdate without any errors, could connect to domain controller, no errors on domain controller, domain controller is writable.
    So, I have no idea what could cause this error. Any ideas or hints?
    Thanks
    Regards
    Sebastian

    I have the exact same problem. I figured out that there was a problem with the "Log on as a service" right:
    secpol.msc --> Local Policies --> User Rights Assignment, Log on as a service: I have NT Service\All Services
    I can access the group policy via the console just fine; I have no connectivity issues whatsoever.
    I decided to open a call with Microsoft; their suggestion .... "we don't know, reinstall". So I did, and here we are, same problem and no solution. It is getting frustrating...

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access, but site A and site B have their own domains that are independent of one another. Can I set up the VPN concentrator to authenticate users that belong to site A's domain using site A's domain controller and authenticate users that belong to site B's domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
    Thanks in advance for any help.

    To authenticate users that belong to site A's domain using site A's domain controller you should authenticate users that belong to site A's domain using site A's domain controller

  • Windows Server 2012 Standard - HP OfficeJet Pro 8600 Plus printer not working after promoting to Domain Controller / AD Services

    An associate and I installed the built-in drivers for the HP OfficeJet Pro 8600 Plus multi-function (network) printer on a Windows Server 2012 Standard server installation and everything worked fine whenever I wanted to print anything directly from the Windows Server machine (there's a reason for this, so please understand that ;)  ).
    We were able to print without any problems from the Windows Server 2012 machine, using the drivers from Microsoft. Mainly because HP has not listed any specific support for Windows Server 2012, only Windows Server 2008 R2; however, the drivers that came with Windows 2012 seem to work very well.
    PROBLEM: I later had to promote the Windows Server 2012 to a Domain Controller, and created the Active Directory configuration, even enabled the Print Services. After doing all of that, the HP printer will not print anything. It's like all print requests directly from the Windows Server go to nil.
    Has anyone encountered a problem like this before? The only thing I can think of is that perhaps something affected printing directly once we promoted the server to being a DC, and added other features / roles. I even tried installing the HP drivers for Windows Server 2008 R2, and the results are still the same...nothing prints. Trust me, the printer is set as the Default Printer and even when choosing to print, we make sure the HP OfficeJet Pro is selected, and is on, as other Windows client PCs can print to it directly.
    Does anyone have any suggestions we could try? Thanks in advance.

    While it is quite a while since this was posted - I can concur a similar issue exists.
    We have spent the better part of a day trying to work out why other HP printers work fine but our 8620 prints are not printing and going to nil. The print server is hosted on a shared DC. Comparing to the initial poster's details, for some reason it seems to be most commonly related to the OfficeJet Pro 8600/8610/8620/8630 series printers.
    I ended up doing a print server migration from the domain controller to a stand-alone host and all printers now work from a single server rather than a mix. Domain controller OSes varied from 2008, 2012, 2012 R2 (tested with multiple) and only after all of those failed did I try a stand-alone server OS machine as a last resort, which worked fine. Printing directly from Win 7 / 8 / 8.1 clients to the IP always worked.

  • Local user account is trying to authenticate against domain controller

    Hi all. I am seeing a weird user logon issue on one of my laptops and on another user's PC. Both the laptop and the PC are members of our domain. However, on this particular laptop and PC, we are not logging in with a domain user account; rather we've created a local user account, granted it local admin access, and log in with this local user account. Now, on my domain controller, I am seeing a bunch of account logon failure messages, which happen a few times per minute and are filling up the domain controller security log. For the laptop, this is a clean build, with a fresh Windows 7 installation, along with MS Office 2010 and a few third-party applications (e.g. Adobe Reader, 7-Zip, etc.). I've checked all group policy to ensure there is no service or connection that requires domain credential access that has been applied to this laptop (or the PC). I am not sure why this local user is trying to authenticate to our domain controller. This user account doesn't exist in our domain.
    The only thing I can think of is Microsoft Outlook 2010 might be doing background authentication against the domain controller by using the current login user account; I just can't confirm this. Has anyone encountered this issue in their environment?
    Thank you.
    Below is a copy of the event.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          13/06/2014 8:56:27 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      domaincontroller.mydomain.local
    Description:
    An account failed to log on.
    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0
    Logon Type:            3
    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        dummy
        Account Domain:        l-sparet400sc
    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006d
        Sub Status:        0xc0000064
    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -
    Network Information:
        Workstation Name:    L-SPARET400SC
        Source Network Address:    192.168.2.181
        Source Port:        60720
    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
        <EventRecordID>299829083</EventRecordID>
        <Correlation />
        <Execution ProcessID="488" ThreadID="640" />
        <Channel>Security</Channel>
        <Computer>domaincontroller.mydomain.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">dummy</Data>
        <Data Name="TargetDomainName">l-sparet400sc</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc0000064</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">L-SPARET400SC</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">192.168.2.181</Data>
        <Data Name="IpPort">60720</Data>
      </EventData>
    </Event>

    It's the service which is using the account info and authenticating against the DC to obtain a service ticket, and fails.
    The interesting log section is NULL SID, which doesn't correspond to any account name.
    Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0
    and the below section explains that the request is made over the network, which most of the time is by a service
    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    The below is assumed to be performed on a client which does not run mission-critical production applications, so that performing the below actions has zero impact.
    Can you disable
    a) the Server service
    b) the Workstation service
    c) RPC-dependent services and services which depend on RPC, and test
    Question:
    What is the level of DC hardening you have in your environment?
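
The reply above reads the event by eye. The following is an added example, not from the thread, that reads the same 4625 event as XML and triages it the way an analyst would over a whole batch of them. The sample XML is a copy of the posted event trimmed to the fields used; the classification uses documented NTSTATUS values (Status 0xC000006D, logon failure; SubStatus 0xC0000064, user name does not exist; 0xC000006A, bad password; 0xC0000234, locked out; 0xC0000072, disabled). Nothing is known about the original host beyond what the event shows. One detail worth checking that the reply does not call out: TargetDomainName equals WorkstationName, which means the client presented a local account of its own (dummy on L-SPARET400SC) to the DC, so the source is a process on that machine running under, or holding credentials for, that local user.

```python
"""Parse and classify Windows Security event 4625 (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Documented NTSTATUS sub-status codes seen in 4625 events (lower-cased for lookup).
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "bad password",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}

# Constructed sample: the event from the post, trimmed to the fields used here.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
    <Computer>domaincontroller.mydomain.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">dummy</Data>
    <Data Name="TargetDomainName">l-sparet400sc</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">L-SPARET400SC</Data>
    <Data Name="IpAddress">192.168.2.181</Data>
  </EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Flatten EventData into a dict, plus EventID, time and computer from System."""
    root = ET.fromstring(xml_text)
    ev = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "Time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev


def classify(ev: dict) -> dict:
    """Explain one failure: which account, from where, why, and whose account it really is."""
    workstation = ev.get("WorkstationName", "").lower()
    target_domain = ev.get("TargetDomainName", "").lower()
    return {
        "account": "%s\\%s" % (ev.get("TargetDomainName"), ev.get("TargetUserName")),
        "source": "%s (%s)" % (ev.get("WorkstationName"), ev.get("IpAddress")),
        "reason": SUBSTATUS.get(ev.get("SubStatus", "").lower(), ev.get("SubStatus")),
        # LogonType 3 + NTLM: a network logon, not an interactive one at the DC console.
        "network_ntlm": ev.get("LogonType") == "3" and ev.get("AuthenticationPackageName") == "NTLM",
        # S-1-0-0 subject: the request came in anonymously, as it does over the network.
        "anonymous_subject": ev.get("SubjectUserSid") == "S-1-0-0",
        # Domain field equal to the workstation name: a *local* account of the
        # source machine is being presented to the DC, as in the posted event.
        "local_account_of_source": bool(workstation) and target_domain == workstation,
    }


def failures_by_source(events) -> list:
    """Aggregate many 4625 events by source IP to find the chatty host (or a spray)."""
    return Counter(e.get("IpAddress") for e in events).most_common()


if __name__ == "__main__":
    event = parse_event(SAMPLE_4625)
    for key, value in classify(event).items():
        print("%-24s %s" % (key, value))
```

Run over the DC's Security log export, failures_by_source turns "a bunch of failures a few times per minute" into a ranked list of workstations, and classify tells you for each one whether it is a local-account leak like this one, a locked-out service account, or a password guess.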

  • Install Active Directory Domain Controller on Windows server 2008 enterprise, dont login on Sql Server 2008 R2

    I installed an Active Directory Domain Controller on Windows Server 2008 Enterprise and now can't log in to SQL Server 2008 R2. Before installing AD DS, I could log on to SQL Server 2008 R2 successfully; after I installed AD DS, logging on to SQL Server 2008 R2 is not successful.
    I have uninstalled AD DS but I still can't log in to SQL Server 2008 R2.
    Please help me. It is a very big disaster!
    I think the SQL Server 2008 R2 account is lost!

    Hello,
    I strongly recommend you post the detailed error message you get while you try to connect to the SQL Server instance; it's useful for us to do further investigation.
    Microsoft recommends that you do not install SQL Server 2008 R2 on a domain controller, there are some limitations:
    You cannot run SQL Server services on a domain controller under a local service account or a network service account.
    After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.
    After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.
    SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.
    SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.
    On Windows Server 2003, SQL Server services can run under a domain account or a local system account.
    So, I would suggest you try to open up Windows Services list and changed the account for SQL Server service.
    Regards,
    Elvis Long
    TechNet Community Support

  • Version number for GPOs not in sync with the version number for GPOs on the Baseline domain controller

    Hi
    I accidentally removed one of our domain controller's Hyper-V images (DC-02) from Hyper-V Manager and, to bring it back online, launched a new virtual machine using the same virtual hard drive. This brought back the domain controller machine and I set the original IP address to the same, assuming that everything would just work fine.
    Sadly, that wasn't the case, as when I tried to open the Group Policy Manager on that machine I started getting an "Access is denied" error. I was then presented with an option to open the Group Policy Manager with the first available DC, which I did, and was able to open it, showing the same machine as the baseline domain controller under the status tab (DC-01 is actually the baseline DC). I then clicked Detect now and noticed it was showing 1 DC under replication in progress with problems in GPO version.
    I then did the same thing on the primary DC (DC-01) and even there it was showing this only (images attached).
    So I started exploring over the internet going through various articles but couldn't find a solution which I could apply without worrying about corrupting something somewhere. I also went to the SYSVOL folder on both the DCs to check the version number in the GPT.ini files, which are mentioned below:
    \\CC-DC01\sysvol\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
    [General]
    Version=3
    \\CC-DC01\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
    [General]
    Version=5439513
    \\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
    [General]
    Version=3
    \\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
    [General]
    Version=5308439
    Could anyone please help me sort this out? I am no system admin and whatever knowledge I have of setting up DC, AD etc is from following one article or the other over the internet.
    Regards
    Sajat Jain
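
The four Version= values quoted above are more informative than they look. As an added example (not part of the post), the code below decodes them: the GPO version is a single 32-bit number whose high 16 bits are the user-configuration version and whose low 16 bits are the computer-configuration version, so a mismatch in either half between two DCs' SYSVOL copies means the GPO has not converged. {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy and {6AC1786C-016F-11D2-945F-00C04fB984F9} that of the Default Domain Controllers Policy. The gpt.ini contents are the ones quoted; how the files would be collected from each DC is left out, so the sample is embedded as text.

```python
"""Decode and compare GPO version numbers from gpt.ini copies on several DCs (added example)."""
import configparser

WELL_KNOWN = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

# Constructed copy of the gpt.ini contents quoted in the post, keyed by (DC, GPO GUID).
GPT_INI = {
    ("CC-DC01", "{6AC1786C-016F-11D2-945F-00C04fB984F9}"): "[General]\nVersion=3\n",
    ("CC-DC01", "{31B2F340-016D-11D2-945F-00C04FB984F9}"): "[General]\nVersion=5439513\n",
    ("cc-dc02", "{6AC1786C-016F-11D2-945F-00C04fB984F9}"): "[General]\nVersion=3\n",
    ("cc-dc02", "{31B2F340-016D-11D2-945F-00C04FB984F9}"): "[General]\nVersion=5308439\n",
}


def parse_gpt_version(text: str) -> int:
    """Read the Version= value out of a gpt.ini body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def split_version(version: int) -> tuple:
    """(user_version, computer_version) from the combined 32-bit GPO version."""
    return version >> 16, version & 0xFFFF


def compare_sysvol(gpt_ini: dict = GPT_INI) -> list:
    """One row per GPO: the (user, computer) versions each DC holds and whether they agree."""
    by_gpo = {}
    for (dc, guid), text in gpt_ini.items():
        by_gpo.setdefault(guid.upper(), {})[dc.lower()] = split_version(parse_gpt_version(text))
    rows = []
    for guid, per_dc in sorted(by_gpo.items()):
        rows.append({
            "gpo": guid,
            "name": WELL_KNOWN.get(guid, "(unknown)"),
            "versions": per_dc,
            "in_sync": len(set(per_dc.values())) == 1,
        })
    return rows


if __name__ == "__main__":
    for row in compare_sysvol():
        print(row["name"], row["versions"], "OK" if row["in_sync"] else "MISMATCH")
```

For the posted numbers the Default Domain Policy is at user 83 / computer 25 on CC-DC01 and user 81 / computer 23 on cc-dc02, while the Default Domain Controllers Policy is at 0 / 3 on both; the versionNumber attribute on the GPO object in AD should match the SYSVOL value on the DC that holds the PDC emulator role, which is the number to compare against once SYSVOL replication is repaired.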

    Hi
    Apologies for responding late. I followed through all the points mentioned by Frank and even did a non-authoritative restore synchronization but still no luck.
    I am attaching the output from dcdiag /q and from the event viewer after doing the non-authoritative restore synchronization.
    DCDIAG /Q
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... CC-DC03 failed test DFSREvent
    Unable to connect to the NETLOGON share! (\\CC-DC03\netlogon)
    [CC-DC03] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... CC-DC03 failed test NetLogons
    An error event occurred. EventID: 0x0000164A
    Time Generated: 01/18/2015 17:52:17
    Event String:
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\cloudchowk.lab\SCRIPTS. The following error occurred:
    An error event occurred. EventID: 0x0000164A
    Time Generated: 01/18/2015 17:54:12
    Event String:
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\cloudchowk.lab\SCRIPTS. The following error occurred:
    An error event occurred. EventID: 0x00000422
    Time Generated: 01/18/2015 17:54:41
    Event String:
    The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    An error event occurred. EventID: 0x00000422
    Time Generated: 01/18/2015 17:55:42
    Event String:
    The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    An error event occurred. EventID: 0x00000422
    Time Generated: 01/18/2015 17:59:41
    Event String:
    The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    An error event occurred. EventID: 0x00000422
    Time Generated: 01/18/2015 18:04:42
    Event String:
    The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    An error event occurred. EventID: 0x0000164A
    Time Generated: 01/18/2015 18:05:10
    Event String:
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\cloudchowk.lab\SCRIPTS. The following error occurred:
    An error event occurred. EventID: 0x00000422
    Time Generated: 01/18/2015 18:09:42
    Event String:
    The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    An error event occurred. EventID: 0x00000422
    Time Generated: 01/18/2015 18:14:42
    Event String:
    The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    An error event occurred. EventID: 0x00000422
    Time Generated: 01/18/2015 18:19:43
    Event String:
    The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    An error event occurred. EventID: 0x00000422
    Time Generated: 01/18/2015 18:24:43
    Event String:
    The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    ......................... CC-DC03 failed test SystemLog
    EVENT VIEWER LOGS
    The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner CC-DC01.cloudchowk.lab. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
    Additional Information:
    Replicated Folder Name: SYSVOL Share
    Replicated Folder ID: 4689406D-D6D8-49E0-8079-2B1D4AE61BC6
    Replication Group Name: Domain System Volume
    Replication Group ID: 6B162096-2EFA-4D4C-BF13-62CC5B112B97
    Member ID: 566943F9-D2FB-4304-823D-10DC972F831A
    Read-Only: 0
    Should I just start over again by removing DC03 and setting up another DC?
    Regards
    Sajat Jain
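A check that matches the state the dcdiag output and the DFSR event above describe, added here as an example and not taken from the thread: it decodes the DFSR replicated-folder state for SYSVOL on the DC and tests whether the SYSVOL and NETLOGON shares are reachable. It assumes Server 2012 or later PowerShell and SYSVOL already replicated by DFSR (the quoted event text is DFSR's); the host name CC-DC03 comes from the post.

```powershell
# Added example, not from the thread. Run elevated on the affected DC (CC-DC03 in the post).
# Assumes Server 2012+ PowerShell and SYSVOL replicated by DFSR, as the event text indicates.

# State codes of the DfsrReplicatedFolderInfo WMI class.
$dfsrState = @{
    0 = 'Uninitialized'
    1 = 'Initialized'
    2 = 'Initial Sync'    # the DFSR event above: SYSVOL is not shared until this completes
    3 = 'Auto Recovery'
    4 = 'Normal'
    5 = 'In Error'
}

function Get-SysvolReplicationState {
    # One object per DFSR replicated folder on this DC, with the numeric state decoded.
    Get-CimInstance -Namespace 'root\MicrosoftDFS' -ClassName DfsrReplicatedFolderInfo |
        Select-Object ReplicatedFolderName, ReplicationGroupName,
            @{ Name = 'State'; Expression = { $dfsrState[[int]$_.State] } }
}

function Test-DcShares {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Netlogon creates SYSVOL and NETLOGON only after DFSR leaves 'Initial Sync';
    # dcdiag's NetLogons test fails with error 67 while they are missing.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        [pscustomobject]@{
            Share     = $share
            Reachable = Test-Path -Path "\\$ComputerName\$share"
        }
    }
}

Get-SysvolReplicationState | Format-Table -AutoSize
Test-DcShares              | Format-Table -AutoSize
```

If "SYSVOL Share" sits in 'Initial Sync' while the partner the event names (CC-DC01) reports 'Normal', this DC is waiting on a replication it is not completing, and the DFSR-style non-authoritative restore (toggling msDFSR-Enabled on the DC's SYSVOL subscription object, restarting DFSR and polling) is the documented route, which is not the same procedure as the FRS restore. If every DC in the domain shows 'Initial Sync', one of them has to be made authoritative first.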

  • How to configure secondary domain controller read only, but prevent write in replication?

    Hi all,
    I have one primary Domain controller (dc1.abc.local) at site, production mode.
    I am trying to do some Proof of Concept with the firewall appliance, which the user datastore need extract and bind to AD.
    I am thinking of setting up another new computer and promoting it to a domain controller (new.abc.local), same domain, same forest. But this one can only read the configuration replicated from the primary Domain controller (dc1.abc.local) and cannot write.
    Firewall will use the ID agent to pull the log event from the DC and do the IP mapping table (User - IP).
    What is the setting I need on both domain controllers?
    P.S.: one criterion: I cannot set this server role as RODC.
    P.S.: platform is Windows Server 2008 R2
    Thanks

    Not very easy telling you how to extract info; not sure what it is you need or what your skill level is with scripting.
    There is a Microsoft Script Center that has scripts available
    http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=activedirectory&f%5B0%5D.Text=Active%20Directory
    Also there is a scripting forum, where you could ask for help in crafting your script
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=windowsserver#forum=winserverpowershell&filter=alltypes&sort=lastpostdesc&content=Search
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.
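As an added example of the kind of script Paul points at (it is not from the thread or from the linked galleries): this reads successful logon events (ID 4624) from a DC's Security log and keeps the most recent user seen per source IP, which is the table a firewall ID agent builds. The DC name dc1.abc.local is taken from the question; it assumes PowerShell 3 or later and an account that is a member of Event Log Readers (or a local admin) on the DC.

```powershell
# Added example, not from the thread. Builds a source IP -> user mapping from 4624 events.
# Assumes PowerShell 3+ and read access to the DC's Security log (Event Log Readers).

function Get-UserIpMap {
    param(
        [string]$ComputerName = 'dc1.abc.local',   # DC name taken from the question
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624                             # An account was successfully logged on
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $map = @{}
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Read the named fields from the event XML instead of parsing the message text,
            # which changes with locale and OS version.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Keep interactive (2), network (3) and remote-interactive (10) logons of
            # real users; drop machine accounts, anonymous logons and empty/loopback addresses.
            if ($data.LogonType -notin 2, 3, 10) { return }
            if ($data.TargetUserName -match '\$$' -or $data.TargetUserName -eq 'ANONYMOUS LOGON') { return }
            if ($data.IpAddress -in '-', '::1', '127.0.0.1', $null) { return }

            $user = "$($data.TargetDomainName)\$($data.TargetUserName)"
            # Latest logon wins per IP, the rule most ID agents apply for their table.
            if (-not $map[$data.IpAddress] -or $map[$data.IpAddress].Time -lt $_.TimeCreated) {
                $map[$data.IpAddress] = [pscustomobject]@{
                    IP   = $data.IpAddress
                    User = $user
                    Time = $_.TimeCreated
                }
            }
        }
    $map.Values | Sort-Object Time -Descending
}

Get-UserIpMap | Format-Table -AutoSize
```

Caveat a practitioner should know before trusting the table: 4624 on a DC only records logons to that DC itself. Workstation logons show up on the DC as Kerberos TGT requests (ID 4768), which carry the same TargetUserName and IpAddress fields (the address is ::ffff:-prefixed there) but no LogonType, so adding 4768 to the filter also means relaxing the LogonType check. The mapping is also only as good as the last logon: a shared or NATed address will be attributed to whoever authenticated most recently.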

  • Installing Domain Controller certificates remotely - private key remains on local server!

    Using a 3rd party CA (Entrust), I have successfully requested and installed Domain Controller certificates via the Certificates MMC snap-in.
    I did this from one Domain Controller, and then just used the (right click) "Connect to another computer" option to do the rest.  Everything looks absolutely fine, the certificates look ok.... certificate chain is complete, and valid (all CA certs are installed) and the certificates say "You have the private key that corresponds to this certificate".
    If I do a LDAPS bind using LDP.exe, it works fine on the first DC.
    Do this on the next and I get the error:
    Cannot open connection
    Error 81 = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to DCHostname.
    After some checking I looked in the folder C:\ProgramData\Microsoft\Crypto\Keys
    This contains a lot of files on the DC I was logged onto when installing the certs, and no files on any of the other DCs.  I am guessing this is the private key file and it has stored all of them on the local machine I was running MMC from rather than on the machines I connected to from MMC.
    Is there any way to get these keys onto the correct DCs now - or will I have to re-request all of the others.  The private key was not exportable.
    I figured copying and pasting them was probably not going to work with a private key, but I tried it anyway just to be sure!
    It is pretty annoying as no clue was given during the process of requesting and installing the certificates, and there is no error when you look at the certificate - they all think they have the private key associated to them, even though it rather looks like they don't!
    It's a bit painful requesting certificates here, so any help in avoiding this would be appreciated!  Thank you

    Thank you Elke,
    So I copied the key files across from the server where they were all generated to the server I remotely connected to (which had no key files at all).  Copied all just to be sure, though I'm pretty sure which one actually relates to that server as I did them all in order - reflected by the time stamps.
    Ensured all the permissions were the same, and that they were marked as ‘system’ files.
    Ran the command
    certutil -repairstore my [SerialNumber of cert]
    as you suggested, but no luck unfortunately.
    So firstly, I get the same error message:
    Cannot find the certificate and private key for decryption.
    CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
    And then I get:
    CertUtil: Access denied.
    Not sure why the access denied, I am running elevated with full local and domain administration rights.
    Toby
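For the private-key problem described in the question and in Toby's follow-up, here is an added check (not from the thread) that separates what the certificate store claims from what Schannel can actually do: it reads HasPrivateKey for the DC certificate on each DC, then performs a TLS handshake on port 636, which only completes if that DC really holds the key for the certificate it presents. The host names are placeholders, the subject match on the computer name is an assumption about how the DC certificates were issued, and it assumes PowerShell remoting to the DCs.

```powershell
# Added example, not from the thread. Compares the store's HasPrivateKey flag on each DC
# with a real TLS handshake on 636. Host names are placeholders; assumes PS remoting works.

function Test-DcLdaps {
    param(
        [string[]]$DomainController,
        [int]$Port = 636
    )
    foreach ($dc in $DomainController) {
        $result = [ordered]@{
            DC = $dc; StoreSaysKey = $null; Handshake = $false; ServerCert = $null; Error = $null
        }

        # What the DC's own LocalMachine\My store claims. This is the flag the MMC shows as
        # "You have the private key", and it only says the metadata points at a key container.
        try {
            $result.StoreSaysKey = Invoke-Command -ComputerName $dc -ScriptBlock {
                (Get-ChildItem Cert:\LocalMachine\My |
                    Where-Object { $_.Subject -like "*$env:COMPUTERNAME*" } |   # assumption: CN holds the host name
                    Select-Object -First 1).HasPrivateKey
            }
        } catch { $result.Error = "store: $($_.Exception.Message)" }

        # Ground truth: Schannel cannot finish a handshake with a certificate whose key
        # container is missing, so LDAPS fails (ldp.exe error 81) even when the store looks fine.
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($dc, $Port)
            # Accept any server certificate here; the point is whether the DC can present one at all.
            $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($dc)
            $result.Handshake  = $ssl.IsAuthenticated
            $result.ServerCert = $ssl.RemoteCertificate.Subject
        } catch {
            $result.Error = "tls: $($_.Exception.Message)"
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Close() }
        }
        [pscustomobject]$result
    }
}

Test-DcLdaps -DomainController 'dc01.example.com', 'dc02.example.com' | Format-Table -AutoSize
```

A DC in the state the question describes shows StoreSaysKey True and Handshake False, which is exactly the mismatch the MMC hides. The check is worth running right after every certificate request, before the old certificate expires, because it is the handshake and not the store flag that LDAPS clients depend on.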
