ADFS on a Domain Controller

Similar Messages

• What is the most appropriate way to generate a static IPv6 for a domain controller?

  DNS Role Best practives is giving errors. Looks like I need to assign ONE static IPv6 to each domain controller and use IT in DNS and DHCP. There are two routers on the network, each assigning a 2002: IP, plus a link local FE80: IP is also assigned.
  Is there a way to generate a static IPv6 for domain controllers that will not change even if the network cards or routers are changed?
  What is the best practice so that domain integrated DNS and DHCP with Exchange 2010 in the domain, will continue to function?
  There is ambiguous information as to whether DC's should have static or dynamic IPv6 IPs. I have tried variations such as IPv4 compatible. IPv4 mapped, ISATAP, etc. but over time have gotten different errors from different sources.
  It is one thing for Microsoft to give error messages about IPv6 but I cannot find any definitive recommednations on this.
  Thanks if anyone finds a universal answer.
  Bob.

  Excellent and valid points, Bob. Your outlook explains in an easy way how the challenges setting up Windows Server are in a sense, self-generated, and in every sense fully avoidable.
  No changes have been made to the warnings or errors in 2013 R2 despite improvements in other areas. This release mainly brought improvements to the setup in areas that were truly broken like automatic account generation for ADFS. Since that's a decade old
  feature it's probably best not to wait for Microsoft to clarify, and I appreciate your recommendations.
  I'm bumping this thread since it's the first result for 192.168.1.1 on ipv6 on Google right now, and since there's no way to see how often it's being referenced I wanted to add some additional information.
  Multiple NIC's can be specified by using the scope ID parameter supported since Vista, that appears as a percent-sign at the end of IPv6 addresses. It uniquely identifies the network adapter even when that adapter shares the same host portion of the IPv6
  address space (i.e. essentially, has the same IP, which in IPv4 is invalid.) I'll give some examples at the end of the post.
  Following the recommendation to deprecate the fec0 prefix while maintaining a link-local addressing scheme is possible through the prefix length at the beginning of the IPv6 address. As
  this reference at IBM explains, fe80:: maps to a link-local prefix length of 64 equivalent to the IPv4 version of 24, and anything else before the double-colon refers to the network portion of the IPv6 address.
  The host portion of the IP address then _could_ be ::20, ::21, etc., as you said, but to follow
  this MSDN recommendation, it would be more appropriate to use the same host portion and add a suffix for the scope ID documented on that page. The suffix may be specific to Windows
  and may not work in an equivalent way in heterogeneous platform deployments. But since the effect is limited to the local machine it should help anything past XP differentiate NICs when assigned the same host portion.
  The approach taken in the random IPv6 generator linked elsewhere on this page leaves open the possibility, however unlikely, that the generated IP can route to some other host on an open network that happens to have generated the same network portion of
  the address (the other host would be sharing the same network.) If any part should be random, it's the host portion after the double-colon, not the network portion at the beginning, so that the possibility does not exist.
  Additionally, the host portion doesn't have to be random, it's just done that way because it's usually automatically generated; a random number is safer for a computer than relying on a sequence that may not fully cover all the numbers used so far. If you're
  doing a manual deployment you can combine the above information with the inline 0-supression in IPv6 to assign numbers in the following way:
  fe80::1:1%1 (first computer is 1:1, first interface is %1)
  fe80::1:1%2 (second interface)
  fe80::1:2%1 (second computer, first interface)
  Effectively here we're swapping "192.168.1" for "fe80::1" which is roughly the same length (taking into account variations like 10.0.0). The only gotcha is that _either_ the string after the double-colon can't be 1 by itself since that's
  reserved for local machine loopback, _or_ that the second-to-last number after the double-colons can't be 0, since that's equivalent due to inline supression.
  Other combinations are fine, like fe80::2%1 and fe80::2%2 for the first computer, then ::3 for the second, etc. I thought having a 2-index for the first machine is too uncommon to look familiar so I chose the alternative, but even something like fe80::fe%80
  is perfectly fine.
  If you don't need to identify individual NICs then omitting the part after the percent sign makes fe80::10, fe80::11 a valid sequence for 2 computers. For over 255 computers just add another number before the last, so that it looks like fe80::1:10, fe80::1:11,
  etc. That should be easier to remember than the randomly generated numbers.
  There is also another way if the preference is to use IPv4-lookalike addresses. The mapped address spec is defined in RFC 4291 and it goes along the lines of "::ffff:192.168.1.1" for a valid IPv6 address to the gateway, for example. That is a newer
  recommendation than the RFC which the random-number generated linked elsewhere on this page relies on.

• Macbook on a domain controller

  Dear all,
  i have a Macbook Air member of domain controller, however Network Share are mapped and working fine when i am in the office,
  when i am outside the office and i connect with the VPN, can't get the network mapped on,
  is there is a way to do this automatically ?
  when i log in it map the network drivers ?

  the question is about ADFS not ADLDS. To different technologies!
  although possible from technology standpoint, adfs should go on its own server. do not mix it with dcs.
  Cheers,
  Jorge de Almeida Pinto
  Principal Consultant | MVP Directory Services | IAM Technologies
  COMMUNITY...:
  DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

• Lack of Connectivty to Domain Controller - Domain Controller Access Issues Requires Repeated Reauthentication

  Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information. 
  I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is. 
  The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
  setup.)
  For 6+ months everyone had access to the shared files and databases on each workstation without issue. 
  In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already. 
  Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently
  no logon servers available to service the logon request”.  While access is rejected I’m still able to ping the DC both via its name and IPV4 address. 
  (Pinging via its name results in an IPv6 address in the response.) 
  Other network connectivity appears intact (able to browse the web, perform network discovery.)
  Things that ‘seem’ to allow access on this computer until the next failure:
  Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
  Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
  After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username. 
  Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
  Most Problematic Computer:
  Event ID 8016:  System failed to register host A or AAAA resource records. (With an unknown Ipv6 and the server’s ipv4 address in the DNS server list.) 
  Event ID 131:  NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’ 
  ‘No such host is known.”
  Event ID 5719:  NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
  And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054:
   The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
  Event 1030:  The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation
  at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
  On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
  Ipconfig/all from the server:
     Connection-specific DNS Suffix 
     Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
     Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Pref
  erred)
     Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
   10.1.10.1
     DHCPv6 IAID . . . . . . . . . . . : 234638804
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
     DNS Servers . . . . . . . . . . . : ::1
  127.0.0.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ipconfig/all from the problematic computer:
  Wireless LAN adapter Wi-Fi:
     Connection-specific DNS Suffix 
  . : wp.comcast.net
     Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
     Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
  rred)
     Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Pref
  erred)
     Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
     Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
     Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
  10.1.10.1
     DHCP Server . . . . . . . . . . . : 10.1.10.1
     DHCPv6 IAID . . . . . . . . . . . : 54535618
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
     DNS Servers . . . . . . . . . . . : 2001:558:feed::1
  2001:558:feed::2
                  10.1.10.42
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next.  Could a failing piece of hardware be the culprit? 
  Thanks,
   -JT

  Hi,
  According to the error you have posted.
  A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
  Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
  Netlogon 5719 and the Disappearing Domain [Controller]
  http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
  Did you refer to this KB article?
  Event ID 5719 is logged when you start a Domain Member
  http://support.microsoft.com/kb/938449
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Error in starting domain controller !

  I have installed on Windows 2000, Oracle 9i Database 9.0.1 and Oracle 9iFS release 9.0.1.
  Configuration was OK, but the domain doesn't start.
  I launch 'ifslaunchdc.bat', 'ifslaunchnode.bat', and when I launch 'ifsstartdomain.bat', I receive this error:
  "An exception occurred while starting Domain controller - oracle.ifs.common.IfsException: IFS-40066: Remothed method threw exception java.lang.NoSuchFieldError: OCIEnvHandle"
  OTHER WAY:
  If I try in Oracle Management Server (from Oracle Enterprise Management Console), I go to Internet File Systems, I go to the domain picasso:53140 and it is launched (yellow light). I do right click and I choose 'Start Domain'. I receive the following message:
  " The Domain Controller 'picasso:53140' is launched
  Command failed:
  IFS-40066: Remothed method threw exception java.lang.NoSuchFieldError: OCIEnvHandle"
  So, the same error, and I don't find anywhere this exception !
  What should be done? Thanks, Jeanina

  I am not sure how you got into this state, but to clear it up you can edit the boot.properties file to enter (clear text) the username and password for the server (entered when running the Configuration Wizard).
  The boot.properties file is located in your domain at:
  <domain root>/servers/AdminServer/security
  Just enter the username and password in the file:
  username=myUserName
  password=myPassword
  WebLogic Server will boot up using these values and immediately encrypt the username and password in the file.
  An alternate approach would be to delete boot.properties in which case WLS will prompt you for the id/pw each time it is started/stopped.
  Brad

• SAP Server Manager Error after BPC installation on domain controller

  Hi, I have installed BPC on a domain controller with windows 2003 server (english version). When I launch diagnostic in the "SAP Server Manager"  I have the following error message " Current user Name does not have permission for Adminitrators group" . I think that the application it's taking the local user (the diagnistic show that de current user is "server name\user name" instead of "domain name\user name" but I login with the domain Administrator ( this server is a domain controller don't have local users).
  Thanks

  Hi
  I have the same issue that you had.
  "I have installed BPC on a domain controller with windows 2003 server (english version). When I launch diagnostic in the "SAP Server Manager" I have the following error message " Current user Name does not have permission for Adminitrators group" . The application it's taking the local user (the diagnistic show that de current user is "server name\user name" instead of "domain name\user name" but I login with the domain Administrator ( this server is a domain controller don't have local users)."
  Can you please let me know how you solved this ?
  thanks & regards
  Lokesh

• Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

  Hi,
  I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described
  in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller 
  When I run Farm configuration wizard to provision search service application, I get an error:
  ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
  The log file logged the details of this error as:
  ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
  that cannot be translated."
  After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
  be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
  I got some pointer from the below thread
  https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
  However, the above thread doesn't state that the solution worked.
  I have tried creating share manually for Analytics_<Guid> folder but it doesn't work since every time farm configuration wizards is run it creates a new Analytics_<Guid> folder.
  Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
  Can some please guide me on how to successfully provision search for SharePoint Foundation 2013 setup as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
  Thanks in advance.
  Himanshu

  Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
  Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Windows Domain Controller on Windows Server 2012 R2: Hyper-V roaming profiles not loading due to slow connection

  I have racked my brain and done everything that I know to do for about two weeks now.  I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming
  profiles.  It keeps telling me that the roaming profile could not be loaded because of a slow connection.  These are workstations that are connected directly to the switch that the DC is connected to.  I have tried multiple connections regarding
  the layout (DC into the router, router into the switch).  The router is a Cisco RV220W.  I have two VLANS, one for public and one for private domain.  The Private VLAN has DHCP turned off since I am providing it through the DC.  I currently
  have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
  The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port).  I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller.  The DC can see
  the internet fine and the workstations can connect to the shared folders on the server.  I can retrieve files by just using the computer name or FQDN.  The DC is also running DNS and DHCP.  The DNS has the _msdcs setup from when I installed
  the active directory role.  I have attempted to assign static IP addresses to the workstations:
  IP:                     10.0.0.80
  Subnet:             255.255.255.0
  IPV4 Gateway:  10.0.0.1
  IPV4 DNS:        10.0.0.12
  I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
  The server is assigned:
  IP:                     10.0.0.12
  Subnet:             255.255.255.0
  IPV4 Gateway:  10.0.0.1
  IPV4 DNS:         10.0.0.12
  The DNS entries have forwarders that forward to my ISP DNS servers for lookup
  I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
  I've lost my patience with this project and am sinking fast.  Can someone please offer some advice as to what I've done wrong?  I've created this exact scenario at work many times but, I've never done it with Windows Server 2012.  Is this
  possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV?  I am going to attempt to work on it some more tomorrow when I get over there.  I think there may be an issue with the SR-IOV not being enabled on the machine
  through the Dell Bios.  Would the SR-IOV really cause the workstations to report a slow connection?  When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct.  I don't
  have "ignore slow connections" or any of those GPO's set.  I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem.  Any help that someone can offer, I am more than willing
  to listen.  If you need more information, please ask.
  Thanks,
  Jay

  So, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many
  post and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the
  virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If hyper-v would allow passthrough, this would be so much simpler. VM-ware is looking really good at this point.
  Im disappointed in MS right now.

• Cannot Login to Read Only Domain Controller

  One of my Read Only Domain Controller Servers shut down unexpectedly due to a power outage and now I cannot login to it anymore. When the server powered on again, it came up with an error regarding on of the hard drives failing (RAID1)
  I get a message Access is Denied when I try to login with one of my domain admin accounts. As it is a RODC, there are no local accounts for me to use. The RODC is running on Windows Server 2008 R2. The server is also running as a DHCP/Print/File server for
  the office so these are not working as well.
  I checked my PDC and it is coming up with the following error in the event viewer
  Log Name: System
  Source: Security-Kerberos
  Event ID: 4
  Level: Error
  The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rodc01$. The target name used was domain/rodc01.domain.local. This indicates that the target server failed to decrypt
  the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account
  used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the
  server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain.local) is different from the client domain (domain.local), check if there are identically named server accounts in these
  two domains, or use the fully-qualified name to identify the server.
  I have tried to reset the computer password with netdom but I get the following error
  netdom resetpwd /server:rodc01 /userd:administrator /passwordd:*
  The machine account password for the local machine could not be reset.
  Logon Failure: The target account name is incorrect.
  The command failed to complete successfully.
  If I try to reset the password using the IP address instead, I get the following error
  netdom resetpwd /server:192.168.10.1 /userd:administrator /passwordd:*
  The machine account password for the local machine could not be reset.
  Access is denied.
  The command failed to complete successfully.
  I checked my AD and DNS and the rodc object  is present
  If I run repadmin /replsum on the PDC I get the message for the faulty RODC server
  Experienced the following operational errors trying to retrieve replication information:
          8341 – rodc01.domain.local
  Any advice is appreciated
  Thanks

  Logon to the server in Directory Services Restore Mode (DSRM) using the password you supplied during DCPROMO and verify that the Active Directory database isn't corrupted on the RODC - You will most likely see indications on this in the Directory
  Services log.
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Maintain access to network(shared folders) resources if the site loses access to a Domain Controller?

  Scenario
  Windows 7 users log on to workstations at a site. Domain Controller is up and does the domain authentication for those users across the WAN. Users are then accessing a local(same building) Shared directory on a Windows 2008r2 server, in order to open, modify,
  save new files, etc.
  Then, the site loses access to the Domain Controller due to a WAN outage.
  Question
  Will those users that have already logged onto their Windows 7 workstations continue to have access to the shared resources on the local Windows 2008r2 server with their cached credentials(assuming they don't logoff or restart their machines)?? This has
  been the case in the past, but wondering if anything has changed with Windows 2008??
  Thanks

  Hi,
  The duration that you can access the server depends on when the server requires re-authentication.
  In Windows implementation, SMB session expiration is enforced based upon the client’s support of dynamic re-authentication capability [MS-SMB].
  If the client enables the CAP_DYNAMIC_REAUTH capability bit, the server will enforce session expiration. If a client does not set CAP_DYNAMIC_REAUTH, the Windows server does not return STATUS_NETWORK_SESSION_EXPIRED. 
  The SMB dynamic re-authentication feature was introduced in Windows XP. From there, Windows-based clients set the CAP_DYNAMIC_REAUTH capability bit to indicate to the server that the client supports re-authentication when the Kerberos service ticket for
  the session expires.
  Windows servers do check CAP_DYNAMIC_REAUTH:
  If clientCapabilities sets CAP_DYNAMIC_REAUTH, the server will set Server. Session.AuthenticationExpirationTime to the expiry time returned by AcceptSecuirtyContext.
  If clientCapabilities does not set CAP_DYNAMIC_REAUTH, the server will not set Server. Session.AuthenticationExpirationTime, basically a CAP_DYNAMIC_REAUTH capability bit not set by the client means the session will not expire on the server side.
  To configure Maximum lifetime for service ticket, you can use grouppolicy. The default value of
  Maximum lifetime for service ticket
  in Default Domain Policy is 600 minutes.
  Note:This setting is applied to DC, not clients.
  For detailed information, please view the link below
  CIFS and SMB Timeouts in Windows
  http://blogs.msdn.com/b/openspecification/archive/2013/03/19/cifs-and-smb-timeouts-in-windows.aspx
  Maximum lifetime for service ticket
  http://technet.microsoft.com/en-us/library/jj852188.aspx
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Windows Server 2008 R2: Server unable to authenticate with Domain Controller

  Hello, I was wondering what could be the reason for this error if it is certain that there was no other computer on the network using the same name:
  This computer could not authenticate with<Domain-controller>, a Windows domain controller for domain <Domain-name>, and therefore this computer might deny logon requests. This
  inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. 
  What would cause the machine account pw to be 'not recognized'?

  You can track changes in AD by enabling AD Auditing: https://technet.microsoft.com/en-us/library/cc731764%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
  As reading the logs is usually a complicated and time consuming task, it is recommended to use a third party tool for auditing. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• JRE 1.7 / Java Plug-in - Long delay in retrieving the applet File(JAR) due to a request to the Domain Controller(on port 53)

  Description:
  A specific group of users/customers (using Windows7 OS with IE and FireFox web browsers) are facing problems with retrieving the applet File, after they upgraded the JRE on the system(PC) to JRE 1.7.0_25-b17 from JRE version 1.6.0_29-b11.
  With JRE 1.7.0_25-b17 it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs. The problem occurs consistently.
  The current temporary workaround for this group of users is to use JRE version 1.6.0_29-b11.
  Problem analysis:
  To investigate the problem the below steps were executed:
  1) Collected the Java console outputbelow details from the user's system. (The complete output is not posted due to lengthy content, though can be added further to this post if required.)
  (a) Works fine with JRE version 1.6.0_29-b11. Kindly refer to Java console output in the code ‘section A’ towards the end of this post.
  (b) The problem occurs with problem with JRE version 1.7.0_25-b17. Kindly refer to Java console output in the code ‘section B’ towards the end of this post. The step where the problem is observed, is indicated as(##<comment>##).
  2) The network settings in the user's browser was checked. Internet Options > Connections > LAN setting
  The configured option is 'Use automatic configuration script' and the value is http://www.userAppX.com/proxy.pac
  This configuration remains the same irrespective of the JRE version in use.
  3) The network settings in the Java Control Panel was checked.
  The used/selected option is "Use browser settings", although values for 'Use proxy server' and 'use automatic proxy configuration script' are filled-in as 'user-proxy.com' and 'http://www.userAppX.com/proxy.pac' respectively.
  This configuration remains the same irrespective of the JRE version in use.
  4) The proxy PAC file was checked and debugging was done for the request 'https://myAppletHost.com/download/...'. The FindProxyForUrl function (including the conditions defined in it, for the hostname and domain checks) returns PROXY user-proxy.com:80
  5) The user also tried the below
  a. Changed the option in the network settings in the browser to 'Proxy server' with Address 'user-proxy.com' and Port '80'
  b. Restarted the browser.
  c. Tried with Java Plug-in 1.6.0_29, JRE version 1.6.0_29-b11. There was no problem and no request to the Domain Controller of the user.
  d. Tried with Java Plug-in 10.40.2.43, JRE version 1.7.0_40-b43. The problem occurs with the delay and a request to the Domain Controller of the user is observed.
  Kindly refer to Java console output in the code ‘section C’ towards the end of this post.
  6) The user also tried setting the below property in the Java Control panel; restarted the browser, and try with JRE 1.7.0_40-b43. The problem stil persists.
  -Djava.net.preferIPv4Stack=true
  7) The Global Policy Management of the Domain Controller was verified by the user. It has GPO for proxy setting but nothing related to Java security.
  Questions:
  The problem seems be specific to a particular (user) environment setup, and the user faces the problem when using JRE 1.7.
  We would like to know if the issue is in the (user) environment setup or in JRE 1.7.
  Could you please help with information/ideas/suggestions to identify the root cause and solution for this problem?
  Section A:
  Java Plug-in 1.6.0_29
  Using JRE version 1.6.0_29-b11 Java HotSpot(TM) Client VM
  User home directory = C:\Users\userA
  basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
  network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
  network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
  network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
  security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
  security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
  security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
  security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
  security: Loading certificates from Deployment session certificate store
  security: Loaded certificates from Deployment session certificate store
  security: Loading certificates from Internet Explorer ROOT certificate store
  security: Loaded certificates from Internet Explorer ROOT certificate store
  security: Checking if certificate is in Deployment denied certificate store
  network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000IK4bEMoqXH10zsl88rwvoRI:175oe9tjd; BCSI-CS-b1bb5056c5b0e83f=2"
  network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
                  Content-Length: 403.293
                  Content-Encoding: null
  Dump system properties ...
  https.protocols = TLSv1,SSLv3
  java.vm.info = mixed mode, sharing
  java.vm.name = Java HotSpot(TM) Client VM
  java.vm.specification.name = Java Virtual Machine Specification
  java.vm.specification.vendor = Sun Microsystems Inc.
  java.vm.specification.version = 1.0
  java.vm.vendor = Sun Microsystems Inc.
  java.vm.version = 20.4-b02
  javaplugin.nodotversion = 160_29
  javaplugin.version = 1.6.0_29
  javaplugin.vm.options =
  os.arch = x86
  os.name = Windows 7
  os.version = 6.1
  trustProxy = true
  deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
  deployment.proxy.bypass.local = false
  deployment.proxy.http.host = user-proxy.com
  deployment.proxy.http.port = 80
  deployment.proxy.override.hosts =
  deployment.proxy.same = false
  deployment.proxy.type = 3
  deployment.security.SSLv2Hello = false
  deployment.security.SSLv3 = true
  deployment.security.TLSv1 = true
  deployment.security.mixcode = ENABLE
  Section B:
  Java Plug-in 10.25.2.17
  Using JRE version 1.7.0_25-b17 Java HotSpot(TM) Client VM
  User home directory = C:\Users\userA
  basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@12adac5
  basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
  network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
  network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
  network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                  (##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
  network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
  security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
  security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
  security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
  security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
  security: Loading certificates from Deployment session certificate store
  security: Loaded certificates from Deployment session certificate store
  security: Loading certificates from Internet Explorer ROOT certificate store
  security: Loaded certificates from Internet Explorer ROOT certificate store
  network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
  network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
  network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
  network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000UQuXWY5tjxjpwcKHlfJKe_8:175oe9j45; BCSI-CS-2d4ce94a2ae7b460=2"
  network: ResponseCode for https://myAppletHost.com/download/myApplet.jar : 200
  network: Encoding for https://myAppletHost.com/download/myApplet.jar : null
  network: Server response: (length: -1, lastModified: Thu Feb xx yy:yy:yy CET 2013, downloadVersion: null, mimeType: text/plain)
  network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
                  Content-Length: -1
                  Content-Encoding: null
  Section C:
  Java Plug-in 10.40.2.43
  Using JRE version 1.7.0_40-b43 Java HotSpot(TM) Client VM
  User home directory = C:\Users\userA
  basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
  network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
  network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-1d67c8b6508ca09c=2; Path=/"
  network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                  (##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
  network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklist
  network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklisted.certs
  network: Checking for update at: https://javadl-esd-secure.oracle.com/update/baseline.version
  network: Connecting https://javadl-esd-secure.oracle.com/update/blacklist with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
  network: Connecting https://javadl-esd-secure.oracle.com/update/baseline.version with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
  network: Connecting https://javadl-esd-secure.oracle.com/update/blacklisted.certs with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
  security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
  security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
  security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
  security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
  Dump system properties ...
  https.protocols = TLSv1,SSLv3
  java.vm.info = mixed mode, sharing
  java.vm.name = Java HotSpot(TM) Client VM
  java.vm.specification.name = Java Virtual Machine Specification
  java.vm.specification.vendor = Oracle Corporation
  java.vm.specification.version = 1.7
  java.vm.vendor = Oracle Corporation
  java.vm.version = 24.0-b56
  javaplugin.nodotversion = 10402
  javaplugin.version = 10.40.2.43
  os.arch = x86
  os.name = Windows 7
  os.version = 6.1
  trustProxy = true
  active.deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
  active.deployment.proxy.bypass.local = false
  active.deployment.proxy.http.host = user-proxy.com
  active.deployment.proxy.http.port = 80
  active.deployment.proxy.same = false
  active.deployment.proxy.type = 3
  deployment.browser.path = C:\Program Files (x86)\Internet Explorer\iexplore.exe
  deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
  deployment.proxy.bypass.local = false
  deployment.proxy.http.host = user-proxy.com
  deployment.proxy.http.port = 80
  deployment.proxy.override.hosts =
  deployment.proxy.same = false
  deployment.proxy.type = 3                                                                                                                                                                                                                                                            
  deployment.security.SSLv2Hello = false
  deployment.security.SSLv3 = true
  deployment.security.TLSv1 = true
  deployment.security.TLSv1.1 = false
  deployment.security.TLSv1.2 = false
  deployment.security.authenticator = true
  deployment.security.disable = false
  deployment.security.level = HIGH
  deployment.security.mixcode = ENABLE
  PS:
  Since the JRE 1.7.0_25-b17 update, it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs.
  The problem occurs consistently, and also with JRE 1.7.0_45-b18.
  Java Plug-in 10.45.2.18
  Using JRE version 1.7.0_45-b18 Java HotSpot(TM) Client VM
  User home directory = C:\Users\userA
  c:   clear console window
  f:   finalize objects on finalization queue
  g:   garbage collect
  h:   display this help message
  l:   dump classloader list
  m:   print memory usage
  o:   trigger logging
  q:   hide console
  r:   reload policy configuration
  s:   dump system and deployment properties
  t:   dump thread list
  v:   dump thread stack
  x:   clear classloader cache
  0-5: set trace level to <n>
  cache: Initialize resource manager: com.sun.deploy.cache.ResourceProviderImpl@134a33d
  basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@1971f66
  basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
  network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
  network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-f797d4d262467220=2; Path=/"
  network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
  network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                  (##THE ABOVE REQUEST CAUSES THE DELAY AND SOMETIMES HANGS##)

  My organization is experiencing very similar problems.  We have resolved it through several steps.
  We upgraded the client to Java 8 and we saw in the console that the hanging connection with the Domain Controller no longer occurs.  This may be all that is necessary for your environment as well. 

• Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?

  Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?

  I also had this error: "Setup cannot continue. Your computer will now restart, and your previous version of Windows will be restored."
  trying to do a in-place upgrade of a Domain Controller Windows 2008 R2 to Windows 2012 R2.
  The problem was the separated System Reserved Partition. After I removed using this instructions:
  http://jacobackerman.blogspot.com/2012/12/how-to-remove-system-reserved-partition.html
  The upgrade ran ok, and now have my DC as Windows 2012 R2.
  Hope that helps!.

• ¿Is it possible to upgrade from SCCM 2012 a domain controller in Windows Server 2008 R2 TO 2012 R2?

  Hi all.
  I want to know if is it possible to upgrade a domain controller from Windows Server 2008 r2 to 2012 r2 installing from SCCM 2012.
  Thanks.
  Regards.

  Hi all.
  I want to know if is it possible to upgrade a domain controller from Windows Server 2008 r2 to 2012 r2 installing from SCCM 2012.
  Thanks.
  Regards.
  Anything is possible if you can script it. You could create a task sequence to do the following (with scripts):
  1. Demote 2008R2 DC to member server
  2. Remove 2008R2 member server from domain
  3. Build new 2012R2 member server and join to domain
  4. Promote 2012R2 member server to DC
  You can do this. However, why would you? Just because you can doesn't mean you should. In my opinion it's more trouble and testing than it's worth. How many times would you need to do this?
  Gerry Hampson | Blog:
  www.gerryhampsoncm.blogspot.ie | LinkedIn:
  Gerry Hampson | Twitter:
  @gerryhampson

• Is it possible to restrict a local admin from accessing/viewing AD accounts on a Domain Controller?

  I am working on determining if I can have a separate administrator group handle patching and performing maintenance on four servers that are DCs of their own AD domain, but restrict these administrators from the ability to see the active directory user
  accounts in that AD domain?

  Hello,
  Since you are talking about domain controllers I have to say there are no Power Users group in them. Actually the local user management will be disabled as soon as you promote a server to a domain controller. The only option which is left here is to grant
  Administrators handle the job. In case of RODC you can go through what Albert suggested.
  However since domain controllers are sensitive and plays a key role in your environment I strongly recommend not to allow non administrators to perform maintanance or other related tasks (At least for domain controllers). 
  Another option you have left for your patch management is to use a member server like WSUS to automatically install updates on your DCs.
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?