Clients authenticating to wrong Domain Controllers

Similar Messages

• Domain Controllers that are DNS servers DNS Client settings

  [Copying verbatim from a mail by Joe ]
  So I have been pinged by a few folks recently on configuration of client DNS settings on Domain Controllers that are also functioning as DNS Servers. Lots of debate. I understand there has been long time debate within MSFT as well.
  From http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx there
  is the quote
  "3.When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address."
  From http://www.microsoft.com/en-us/download/confirmation.aspx?id=9166 (Windows
  Server 2008 R2 Core Network Guide)
  "9.        In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the
  local computer.
  10.       In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of
  the local computer."
  From http://technet.microsoft.com/en-us/library/dd378900(v=ws.10).aspx (DNS:
  DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers)
  "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to
  itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should
  be configured only as a secondary or tertiary DNS server on a domain controller...
  Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
  ESPECIALLY "For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary
  DNS server on a domain controller." and "Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
  Why shouldn't loopback not be first, the justification is why you shouldn't only use loopback, not why it shouldn't be first.
  From http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx (DNS:
  DNS servers on <adapter name> should include the loopback address, but not as the first entry)
  "If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners. 
  The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself,
  or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only
  as a secondary or tertiary DNS server on a domain controller."
  This also seems like justification against only using loopback versus using it first.
  Are there any actual real documented issues for using loopback first and a remote DNS server second and perhaps third? If the local DNS server service isn't working yet (or at all), I would expect the DNS Client process
  to try to connect to it, fail, and then failover to the secondary just like I would expect it to failover if the remote DNS server was secondary and it was unavailable and it failed back to the loopback. Am I making a bad assumption?
  And by documented I don't mean random responses to questions on the internet or other such items. I mean a KB article or technet article or properly researched and tested other web article from a reliable resource.
  thanks, 
  joe

  As I understand it, the scenario whereby a DC could become an 'island' if it points only to itself, or to itself first, was repaired in the Windows Server 2003 product cycle. See
  http://support.microsoft.com/kb/275278 for information about this scenario.
  However, there is still a known problem of slow boot times that can occur. See
  http://support.microsoft.com/kb/2001093 for information about this. The scenario that is discussed assumes there is a power failure and servers shut down due to overheating while on backup power. When
  multiple servers come online simultaneously after power is restored, there can be a significant delay.
  The recommended configuration is one that avoids a single point of failure, but also tries to optimize the speed of resource record registration, so that Active Directory can properly synchronize.
  -Greg

• Is it possible for Windows 2008R2 Domain Controllers to audit when a programs are installed/uninstalled on clients and send alerts to Admins?

  We have a program called Audit Wizard that we used with Windows 2003 that monitored all clients and alerted my department when a program was installed/uininstalled. since upgrading to windows server 2008R2, the program no longer works correctly.
  So we are wondering if it is possible for Windows 2008R2 Domain Controllers, running at a 2008R2 forest and domain level) to be able to audit when a programs are installed/uninstalled on clients and send alerts to our Admins?
  If so, How?
  Thanks in advance for your help!
  Pete Macias

  Hi Pete,
  >>So we are wondering if it is possible for Windows 2008R2 Domain Controllers, running at a 2008R2 forest and domain level) to be able to audit when a programs are installed/uninstalled on clients and send alerts to our Admins?
  As far as I know, group policy can't help us do this. If you are interested, we can take a look at System Center Operation Manager and ask for suggestions in the following SCOM forum.
  Operations Guide for System Center 2012 - Operations Manager
  https://technet.microsoft.com/en-us/library/hh212887.aspx
  System Center Operation Manager
  https://social.technet.microsoft.com/Forums/systemcenter/en-US/home?category=systemcenteroperationsmanager
  Best regards,
  Frank Shen 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Fetch client IP addresses from the Netlogon.log file of all domain controllers in the domain

  Hi,
  The event ID 5807 is logged in the system logs of domain controllers as a result of which the IP addresses for the missing subnets are logged in Netlogon.log under %systemroot%/debug. The end goal is to fetch the IP addresses along with rest of the respective
  attributes from the Netlogon.log for all the domain controllers in the domain. I have the following script however, it gives me a 0KB file despite the fact that the Netlogon.log on the DC contains ample entries from last two months. 
  function GetDomainControllers {
      $DCs=[system.directoryservices.activedirectory.domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
      return $DCs
  function GetNetLogonFile ($server) {
      $path= '\\' + $server + '\c$\windows\debug\netlogon.log'
      try {$netlogon=get-content -Path $path -ErrorAction stop}
      catch { "Can't open $path"}
      #reverse the array's order to the end of the file
      [array]::Reverse($netlogon)
      $IPs=@()
      foreach ($line in $netlogon) {
          #split the line into pieces using a space as the delimiter
          $splitline=$line.split(' ')
          #Get the date stamp which is in the mm/dd format
          $logdate=$splitline[0]
          #split the date
          $logdatesplit=($logdate.split('/'))
          [int]$logmonth=$logdatesplit[0]
  #last month and this month
          if (($logmonth -eq $thismonth) -or ($logmonth -eq $lastmonth)) {
              #only push it into an array if it matches an IP address format
              if ($splitline[5] -match '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'){
                  $objuser = new-object system.object
                  $objuser | add-member -type NoteProperty -name IPaddress -value $splitline[5]
                  $objuser | add-member -type NoteProperty -name Computername -value $splitline[4]
                  $objuser | add-member -type NoteProperty -name Server -value $server
                  $objuser | add-member -type NoteProperty -name Date -value $splitline[0]
                  $objuser | add-member -type NoteProperty -name Time -value $splitline[1]
                  $IPs+=$objuser
          } else {
              #break out of loop if the date is not this month or last month
              break
      return $IPs
  #Get last month's date
  $thismonth=(get-date).month
  $lastmonth=((get-date).addmonths(-1)).month
  #get all the domain controllers
  $DomainControllers=GetDomainControllers
  #Get the Netlogon.log from each DC
  Foreach ($DomainController in $DomainControllers) {
      $IPsFromDC=GetNetLogonFile($DomainController)
      $allIPs+=$IPsFromDC
  $allIPs | Sort-Object -Property IPaddress -Unique | Export-Csv "E:\bin\NetlogonIPs.csv"
  PLEASE HELP!!

  Hi jrv,
  Thanks a lot for your help.
  I understand you cannot keep on iterating the code for me. However, I am stuck at this error :-
  ERROR : Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime."
  After the following code finishes executing, I get the following output :-
  $csv=cat c:\windows\debug\netlogon.log |
  %{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}|
  ConvertFrom-Csv -Delimiter '|' -header time,message
  time message
  04/14 01:18:45
  NO_CLIENT_SITE: ServerX 10.x.x.x
  04/14 01:17:45
  NO_CLIENT_SITE: ServerY 10.x.x.x
  04/14 01:17:44
  NO_CLIENT_SITE: ServerY 10.x.x.x
  04/14 01:17:43
  NO_CLIENT_SITE: ServerX 10.x.x.x
  However, I get the above mentioned error at the following line :-
  $csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
  I would later want to run the query just for logs from past day.
  Entire code is as follows :-
  function GetDomainControllers {
      $DCs=[system.directoryservices.activedirectory.domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
      return $DCs
  function GetNetLogonFile ($server) {
      $path= 'C:\Test\netlogon.log'
      try {$netlogon=get-content -Path $path -ErrorAction stop}
      catch { "Can't open $path"}
      #reverse the array's order to the end of the file
      [array]::Reverse($netlogon)
      foreach ($line in $netlogon) {
     $csv=  $netlogon | %{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}| ConvertFrom-Csv -Delimiter '|' -header time,message | Out-Gridview
     $csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
  #get all the domain controllers
  $DomainControllers=GetDomainControllers
  #Get the Netlogon.log from each DC
  Foreach ($DomainController in $DomainControllers) {
      GetNetLogonFile($DomainController)
  Please help!! Any help will be highly appreciated.

• Upgrade to Server 2012 R2 domain controllers from 2003

  I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
  We had two Server 2003 domain controllers and one of them was failing.  I raised the forest functional level of our old primary domain controllers to 2003.  I built the first replacement Server 2012 R2 domain controller.  Added the AD DS roles
  and promoted it as a domain controller.  I let it sit for a couple days.  The FSMO roles were currently being handled by our other 2003 domain controller.  Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing
  server and demoted it.  Once demoted I shut it down and pulled it out of the rack.  I then built our second 2012 R2 server and gave it the same IP as the failing one.  Installed the AD DS roles and integrated DNS as prompted by the wizard. 
  I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master.  Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network.  I then demoted
  the first new controller (DC03) changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again.  I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in,
  just not a second subnet that is through a hardware firewall.  I don't see anything getting blocked while watching firewall logs so I don't think the firewall is the issue.
  Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
  Microsoft Windows [Version 6.3.9600]
  (c) 2013 Microsoft Corporation. All rights reserved.
  C:\Users\username>dcdiag /v /test:dns
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     * Verifying that the local machine WGDDC01, is a Directory Server.
     Home Server = WGDDC01
     * Connecting to directory service on server WGDDC01.
     * Identified AD Forest.
     Collecting AD specific global data
     * Collecting site info.
     Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
  AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
     The previous call succeeded
     Iterating through the sites
     Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
  ,CN=Sites,CN=Configuration,DC=wgd,DC=inet
     Getting ISTG and options for the site
     * Identifying all servers.
     Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
  AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
     The previous call succeeded....
     The previous call succeeded
     Iterating through the list of servers
     Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
  Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
     objectGuid obtained
     InvocationID obtained
     dnsHostname obtained
     site info obtained
     All the info for the server collected
     Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
  Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
     objectGuid obtained
     InvocationID obtained
     dnsHostname obtained
     site info obtained
     All the info for the server collected
     * Identifying all NC cross-refs.
     * Found 2 DC(s). Testing 1 of them.
     Done gathering initial info.
  Doing initial required tests
     Testing server: Default-First-Site-Name\WGDDC01
        Starting test: Connectivity
           * Active Directory LDAP Services Check
           Determining IP4 connectivity
           * Active Directory RPC Services Check
           ......................... WGDDC01 passed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site-Name\WGDDC01
        Test omitted by user request: Advertising
        Test omitted by user request: CheckSecurityError
        Test omitted by user request: CutoffServers
        Test omitted by user request: FrsEvent
        Test omitted by user request: DFSREvent
        Test omitted by user request: SysVolCheck
        Test omitted by user request: KccEvent
        Test omitted by user request: KnowsOfRoleHolders
        Test omitted by user request: MachineAccount
        Test omitted by user request: NCSecDesc
        Test omitted by user request: NetLogons
        Test omitted by user request: ObjectsReplicated
        Test omitted by user request: OutboundSecureChannels
        Test omitted by user request: Replications
        Test omitted by user request: RidManager
        Test omitted by user request: Services
        Test omitted by user request: SystemLog
        Test omitted by user request: Topology
        Test omitted by user request: VerifyEnterpriseReferences
        Test omitted by user request: VerifyReferences
        Test omitted by user request: VerifyReplicas
        Starting test: DNS
           DNS Tests are running and not hung. Please wait a few minutes...
           See DNS test in enterprise tests section for results
           ......................... WGDDC01 failed test DNS
     Running partition tests on : DomainDnsZones
        Test omitted by user request: CheckSDRefDom
        Test omitted by user request: CrossRefValidation
     Running partition tests on : ForestDnsZones
        Test omitted by user request: CheckSDRefDom
        Test omitted by user request: CrossRefValidation
     Running partition tests on : Schema
        Test omitted by user request: CheckSDRefDom
        Test omitted by user request: CrossRefValidation
     Running partition tests on : Configuration
        Test omitted by user request: CheckSDRefDom
        Test omitted by user request: CrossRefValidation
     Running partition tests on : wgd
        Test omitted by user request: CheckSDRefDom
        Test omitted by user request: CrossRefValidation
     Running enterprise tests on : wgd.inet
        Starting test: DNS
           Test results for domain controllers:
              DC: WGDDC01.wgd.inet
              Domain: wgd.inet
                 TEST: Authentication (Auth)
                    Authentication test: Successfully completed
                 TEST: Basic (Basc)
                    The OS
                    Microsoft Windows Server 2012 R2 Standard (Service Pack level:
   0.0)
                    is supported.
                    NETLOGON service is running
                    kdc service is running
                    DNSCACHE service is running
                    DNS service is running
                    DC is a DNS server
                    Network adapters information:
                    Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
                       MAC address is B0:83:FE:C1:98:07
                       IP Address is static
                       IP address: 10.240.1.23
                       DNS servers:
                          10.240.1.23 (WGDDC01) [Valid]
                          10.240.1.24 (WGDDC02) [Valid]
                          127.0.0.1 (WGDDC01) [Valid]
                    The A host record(s) for this DC was found
                    The SOA record for the Active Directory zone was found
                    Warning: no DNS RPC connectivity (error or non Microsoft DNS s
  erver is running)
                    [Error details: 5 (Type: Win32 - Description: Access is denied
           Summary of test results for DNS servers used by the above domain
           controllers:
              DNS server: 10.240.1.23 (WGDDC01)
                 All tests passed on this DNS server
                 Name resolution is functional._ldap._tcp SRV record for the fores
  t root domain is registered
              DNS server: 10.240.1.24 (WGDDC02)
                 All tests passed on this DNS server
                 Name resolution is functional._ldap._tcp SRV record for the fores
  t root domain is registered
           Summary of DNS test results:
  Auth Basc Forw Del  Dyn  RReg Ext
              Domain: wgd.inet
                 WGDDC01                      PASS WARN n/a  n/a  n/a 
  n/a  n/a
           ......................... wgd.inet passed test DNS
        Test omitted by user request: LocatorCheck
        Test omitted by user request: Intersite
  C:\Users\dsmythe>ipconfig /all
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : WGDDC01
     Primary Dns Suffix  . . . . . . . : wgd.inet
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : wgd.inet
  Ethernet adapter WGD_INET:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
     Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 10.240.1.1
     DNS Servers . . . . . . . . . . . : 10.240.1.23
                                         10.240.1.24
                                         127.0.0.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  When I try to bind a machine to the domain I get an error message that says "
  The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
  The error was: "This operation returned because the timeout period expired."
  (error code 0x000005B4 ERROR_TIMEOUT)
  The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
  The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
  10.240.1.24
  10.240.1.23
  Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
  Please let me know if I'm missing something or if there are other things I can check.
  Thanks!
  I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2.  All clients in the environment are Windows XP Pro or above.  The XP Pro boxes will be going away as
  soon as our vendor supports their software to run on Windows 7.

  We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the
  domain connecting to the two new domain controllers but the client machine that is trying to bind gives an error.  An Active Directory Domain Controller for the domain wgd.inet could not be contacted.  It seems that this is just a DNS issue for one
  particular subnet (10.240.2.0/24).  This subnet is setup in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
  When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out.  The route is there and I can watch it connect through our hardware firewall over port 53.
  DC01
  Microsoft Windows [Version 6.3.9600]
  (c) 2013 Microsoft Corporation. All rights reserved.
  C:\Users\dsmythe>netdom query fsmo
  Schema master               WGDDC01.wgd.inet
  Domain naming master        WGDDC01.wgd.inet
  PDC                         WGDDC01.wgd.inet
  RID pool manager            WGDDC01.wgd.inet
  Infrastructure master       WGDDC01.wgd.inet
  The command completed successfully.
  C:\Users\dsmythe>ipconfig /all
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : WGDDC01
     Primary Dns Suffix  . . . . . . . : wgd.inet
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : wgd.inet
  Ethernet adapter WGD_INET:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
     Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 10.240.1.1
     DNS Servers . . . . . . . . . . . : 10.240.1.23
                                         10.240.1.24
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  C:\Users\dsmythe>
  DC02
  Microsoft Windows [Version 6.3.9600]
  (c) 2013 Microsoft Corporation. All rights reserved.
  C:\Users\dsmythe>netdom query fsmo
  Schema master               WGDDC01.wgd.inet
  Domain naming master        WGDDC01.wgd.inet
  PDC                         WGDDC01.wgd.inet
  RID pool manager            WGDDC01.wgd.inet
  Infrastructure master       WGDDC01.wgd.inet
  The command completed successfully.
  C:\Users\dsmythe>ipconfig /all
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : WGDDC02
     Primary Dns Suffix  . . . . . . . : wgd.inet
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : wgd.inet
  Ethernet adapter NIC1:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
     Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 10.240.1.1
     DNS Servers . . . . . . . . . . . : 10.240.1.24
                                         10.240.1.23
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  C:\Users\dsmythe>

• Client Authentication - Received fatal alert: bad_certificate

  I am making a "secure" chat server that has some simple functionality.
  For the server cert, I sent off the CSR to Thawte and set up the trust chain. That keystore seems to be fine:
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 2 entries
  Alias name: verisigntestroot
  Creation date: Nov 10, 2006
  Entry type: trustedCertEntry
  Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Serial number: 0
  Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
  Certificate fingerprints:
  MD5: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
  SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
  Alias name: server
  Creation date: Nov 10, 2006
  Entry type: keyEntry
  Certificate chain length: 2
  Certificate[1]:
  Owner: CN=TestServer, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html, OU=Domain Validated, O=TestServer
  Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Serial number: 76369fba895ca9f8f5b44dd1f28307ad
  Valid from: Fri Nov 10 15:29:22 EST 2006 until: Fri Dec 01 15:29:22 EST 2006
  Certificate fingerprints:
  MD5: 5B:7D:EE:B3:0A:CC:7B:B8:A2:73:D3:96:FB:D3:43:ED
  SHA1: E2:FD:31:00:D7:9D:F5:93:4E:99:D9:8B:C3:70:87:D9:CF:83:EC:36
  Certificate[2]:
  Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Serial number: 0
  Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
  Certificate fingerprints:
  MD5: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
  SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
  So next I want to set up my client. The professor said that it's fine to just give the clients all self-signed certs, so I ran:
  keytool -genkey -alias client1 -keyalg RSA -keystore c1keystore -storepass client1 -keypass client1 -dname "o=jhu, cn=Client 1"
  I assumed that I need to add the Thawte Root CA Cert to this keystore as well since I'm doing client authentication:
  keytool -import -v -file ../server/thawtecert.txt -trustcacerts -keystore c1keystore -storepass client1
  I start up the server, and then I attempt to connect with the client with these options:
  -Djavax.net.ssl.trustStore=server/serverstore
  -Djavax.net.ssl.keyStore=client/c1keystore
  -Djavax.net.ssl.keyStorePassword=client1
  Now when I attempt to connect to the server and write to the buffer, I get this error on the client side:
  javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
  And this error on the server side:
  javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: null cert chain
  If I connect to the server with these options, I connect fine:
  -Djavax.net.ssl.trustStore=server/serverstore
  -Djavax.net.ssl.keyStore=server/serverstore
  -Djavax.net.ssl.keyStorePassword=server
  I assume this means that I have done something very wrong creating the client's keystore. Does anyone know how I'm supposed to create it?

  Hi ,
  Even i get the same error . Although ,I imported the contents of my self-signed certificate into the truststore of tomcat i.e.cacerts file of jre/lib/security (in tomcat) , I get the following error:-
  Tomcat does not seem to accept the client's certitficate.
  Also , Incase if i use a standalone Java application to connect to a tomcat application , I get the same error? Any idea as to how does tomcat server authenticate the client from a standalone Java application .
  javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1584)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:866)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
       at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
       at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
       at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
       at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
       at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)

• SCCM 2012 Distribution Points on Domain Controllers

  I want to install Distribution points on all of my remote servers. They are all domain controllers though. I know one of the prerequisites to host the DP role is to have the SCCM computer object apart of that servers local administrators group. Since they
  are domain controllers they dont have a local security policy and it is controlled by AD. I'm sure you can add the SCCM computer object to the domain admins group to solve this but my question is if this is considered a supported configuration?

  If you are using the DC as a Distribution point to install clients via Client Push, the "NT Authority\Authenticated Users" group must be added to the local group "Users" to the DC/DP.
  Clients are still able to get installed manually, but Client Push fails.
  Failed to correctly receive a WEBDAV HTTP request.. (StatusCode at WinHttpQueryHeaders: 401)
  Run elevated command prompt (net localgroup users "Authenticated Users" /add)
  Test Client Push - Should be successful.
  Reason: By default the local groups NT Authority\Interactive Users and
  NT Authority\Authenticated Users are removed from the Domain Controller. Clients that are using the DP for content cannot authenticate using the computer account.

• Block Based replication of Domain Controllers to DR site

  I have to bring up a business critical application at a DR site using the same hostname and IP address as in production site. For this purpose, I plan to use a block replication software to replicate data from production servers to a SAN at the DR site.
  For DR invocation or testing, I am planning to take a snapshot from the SAN, create virtual disks and attach them to newly created VM's at the DR site.
  This application depends on Active Directory and hence I need to have a domain controller at the DR site. If I create a new domain controller for the DR site, as it will be in a separate IP subnet, it will have to be in a separate AD site and the application
  servers will not be able to use this domain controllers, as they will look for domain controllers in their AD site (which is from the production site). If I put the domain controller in the same IP subnet as the application servers, the same IP subnet has
  user workstations and hence user authentication requests from production site will start coming to the DR site across the WAN.
  In this scenario, I am proposing to replicate the domain controllers also from the production site to the DR site, like the application servers. But I am not sure if block replication of production DC's to DR site and then when required for testing/invocation,
  can we create a new VM and attaching virtual hard disks with the replicated data, will bring these VM's up as domain controllers in the DR site or will they have any negative effects ? Would this be a supported solution ? Any response will be highly appreciated.
  Thanks in advance.

  You don't want to run any type of duplicated software to clone the DC, that is a bad idea.  You could end up with lingering objects and/or Directory Service corruption. 
  If you want the DC's to exist in the same subnet then you are in a quandry.  You can start to modify srv records so the DC won't authenticate clients (BUt you will have to manually change that at DR time).
  I have a Blog that talks about lag site replication that blocks clients from ever attempting to authenticate to the DC, you should be able to use this same logic.
  http://blogs.dirteam.com/blogs/paulbergson/archive/2013/05/14/how-to-build-an-ad-replication-delay-lag-site.aspx
  You will want to create yourself a group policy that prevents the DC in the DR site from registering records that will advertise itself as an authenticating DC.  If you need to use the DR site, you will need to remove the gpo and either reboot the DC
  or run a gpupdate and restart NetLogon on the DC so it will register the records so the clients can then use this DC.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• DNS setup on server bound to AD and using domain controllers for DNS

  My server is bound to our AD network and in the network pref I have entered the two IPs for the domain controllers on our network that serve DNS.
  My question is, am I right not to enable/configure and start the DNS service on the Mac server since it is getting DNS already?
  If yes, how do I confirm that my Mac server is correctly listed in our domain controllers DNS? Should I be concerned that I get the following?
  knws3135:~ mactech$ sudo changeip -checkhostname
  Password:
  Primary address = 10.31.3.135
  Current HostName = knws3135.ad.ewsad.net
  The DNS hostname is not available, please repair DNS and re-run this tool.

  Hi
  It looks all OK to me? As for the hostname having capitals could pose a problem but only if the Mac Server was its own KDC. Which it is not. If the hostname is defined as you have it now in the AD's DNS Service then leave it alone.
  Sometimes even when DNS checks out OK you can still have fundamental errors that only demotion to Standalone will cure. I think this is the point that you are at now. To be honest I would do this. Judging from what you've said there would be very little to lose when you do this apart from managed preferences. These can easily be re-applyed on successful promotion.
  needs to be changed so it is configured in Open Directory as connected to a Directory Server
  Not sure what you mean by this?
  If you have or are about to update your Server to 10.5.4 - which I recommend you do. Then you could follow this procedure:
  Demote to Standalone
  Stop all Services
  Restart the Server
  Update to 10.5.4. Restart the Server (this happens anyway)
  Make sure your Server resolves on the forward and reverse pointers (again)
  If you want run changeip again (you may be surprised)
  Use the Active Directory plug in in Directory Utility to bind the Server to the AD. Make sure you use an AD admin account that has authority to do this. De-select 'force home directory creation on startup disk' I have a feeling this will be de-selected anyway.
  After successful binding quit out of Directory Utility and launch Server Admin
  Select the Open Directory Service
  Change the role from Standalone to Open Directory Master
  Create the Directory Administrator account's username and password. Don't be tempted to change the UID or use the system admin account's user name. You can use the same password if you wish. What I've done before in the past is to create the diradmin account on the AD first with full authority for the domain.
  On successful promotion you should now see in the Overview Pane everything running apart from Kerberos which should be Stopped. This is how it should be. Apple's 10.5.4 Update has took a lot of the donkey work out of this whole process. No need for the command line. Simply click.
  If you launch Directory Utility you should now see the server's loopback address has been added in the LDAPv3 Plugin. Also the Server should be topmost in the Search Order under the Authentication and Contacts field. Bind your clients first to the AD and then the OD (make sure use for authentication and contacts are unchecked).
  Browse the two nodes, add your groups and apply MCX in the usual way.
  Does this help?
  Tony

• Communication issues between domain controllers

  Hi everyone,
  I am experiencing some problems in communication between domain controllers in our organization
  We have three domain controllers, one of them is a Windows 2003 server service pack 2 which is physical (controller A), another which is Windows 2008 Service Pack 2 (controller B), also physical, and a third one (controller C) which is a Windows 2008
  service pack 1 and is virtual.
  I have problems with this last DC, it won't respond to pings, or DNS query. I can't Access it by remote desktop client even when it is enabled. I cannot update it, it prompts error messages if I try to do so.
  This problems are solved if I reboot it, it will work fine some hours or days, but not much longer. I have checked event viewer and I didn't found any message about this.
  I read some time ago it would be great to have a DC in a virtual machine, so I did it, but is it right?
  Do you know what might be going on with it? would depromoting it and seting it up again the best solución?
  Thank you very much.
  Best regards.
  David.

  This sounds like a NIC issue, which is odd since it is a virtual machine.  Have you checked the host for any logs about the client? 
  I think the first thing I would do is destroy the current virtual NIC card and add a new one.  Since this has nothing to do with Active Directory I would also suggest you post this in a forum of for the Host (VMWare or Hyper-V).
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Autodiscover, domain controllers, and certificate errors

  I have just deployed and Exchange 2013 server in one of my sites. I'm having tons of issues with it, but one issue I'm having trouble thinking through goes like this:
  All users have email addresses that are [email protected] Domain.com is our internal domain name and also a public domain. Now, in a Windows environment, if you were to nslookup domain.com within our network it
  will resolve to any one of the domain controllers. On our infrastructure master DC there is an IIS website, with SSL, that handles certificate services for our internal CA.
  Here's my problem: When a user opens Outlook and autodiscover attempts to find their Exchange connection info it first tries to reach the site
  https://domain.com/autodiscover/autodiscover.xml. If that PC happens to resolve domain.com to the DC that has our certificate services website on it then the Outlook client sends a certificate error.
  If the client is prior to Outlook 2013, the mailbox configuration just halts and throws an error.
  What do I do to prevent this?

  Hi,
  Yes, we can have the following “switchers”
  PreferLocalXML
  ExcludeHttpRedirect
  ExcludeHttpsAutoDiscoverDomain
  ExcludeHttpsRootDomain
  ExcludeScpLookup
  ExcludeSrvRecord
  ExcludeLastKnownGoodUR
  Thanks,
  Simon Wu
  TechNet Community Support

• Clients can't rejoin domain after server clean install

  Hello, I've got an issue with having client computers rejoin the domain after reinstalling the server software. Another post I read suggested saving the plist files to get the settings the same, but I need to reconfigure manually to eliminate some other problems we've been having.
  We've got an Xserve running 10.4.8 with a mix of XP and Tiger clients all authenticating with the server. Our XP clients have remote profiles converted to local and our Tiger clients use mobile accounts. Generally things were running OK, but we kept having some authentication issues and have SMB crashes. In reviewing our log files it was suggested that our Open Directory was messed up (probably during our upgrade from 10.3 to 10.4) and that a clean install was the best course of action. The server has been running 24x7 for over 3 years without any signifigant maintenance, so this seemed like a good idea.
  Everything was going great. I did the clean install and had DNS and DHCP configured and working, then started setting up Open Directory as the PDC and Windows Services as the Primary WINS. I had intended to recreate the user accounts because I didn't want to reintroduce problems by restoring the settings, however when I added one account and tested logging in on a XP machine it couldn't authenticate even though the domain name and user name was the same as before (short names too). On a whim, I moved the computer from the domain to WORKGROUP and then rejoined the (new) domain. Upon login it created a new roaming profile named user.domain instead of using the other account already there. On the XP client in accounts, the old profile showed up as unknown. I then went to a Mac and tried to log in and had similiar issues not finding the authenticating server.
  After pulling my hair out this evening and realizing that there was no way I was going to have the office operation in the morning, I did a full restore from backup and pretended like I hadn't just wasted my weekend. After I got the server running, I was able to get my client machines to see the domain again and all is as it was.
  Soooo, now the question is how do I create a clean installation with newly created user accounts and get the client computers to recognize the domain server as the same old one? Is there a hidden domain ID or something that is telling the client computers that it isn't the same domain or LDAP server? Any suggestions would be greatly appreciated.
  Thanks.
  xserve G4 & XRaid   Mac OS X (10.4.8)  

  Sorry, to clarify I did not want to use the archive & restore because I didn't want to reintroduce the errors I was trying to eliminate. I setup the Open Directory as a PDC from scratch and then ran into the client authtenication issue. In a desperate attempt to salvage the situation I did restore the previous settings which (A) didn't work and (B) may have made things worse because I already had created some groups and a few users and ended up with groups with duplicate IDs. That was when I scrapped everything and restored the disk from backup.
  Your idea of using export/import is a slightly different avenue. However, now that I'm thinking about it, I didn't even get far enough for the user profiles to be an issue because the client computers weren't even communicating with the server to get the list of users (the Macs log-in by selecting a user name from a list).
  Does export/import of a computer list work? I think I tried to import the computer list last night and the one I had only contained the Macs and these didn't preserve the MAC address info for some reason. I didn't have an export of the XP machines, but tried to manually add them to the list with no success.
  Thanks again for your help.

• Virtual Domain Controllers in 2012 Failover Cluster. Time Skew

  Hi All,
  Not sure if this is the correct space for this topic, however i'll give it a go anyway.
  We have a 2 Hosts (HP DL385) Windows Server 2012 Failover Cluster.
  Storage is provided by a 12 Bay NAS with iSCSI connections (This is catering for CSV's and Quorum)
  We are running 2 Virtual domain controllers (2008R2)
  The issue we experience is that if the cluster goes down, and when it comes back online the time on the domain controllers (one or the other or both) skews by any where up to 3 days which causes havoc for our office until we can resync clocks with the PDCe.
  Time Synchronisation Integration Service is disabled on both Domain Contollers
  A few days back we need to reboot the storage on the cluster, and the tasks performed were as follows:
  -Power off all virtual machines (Graceful Shutdown)
  -Put all CSV's into maintenance mode
  -Offline Disk Witness to Quorum
  -Rebooted Storage (Waited until it came back online)
  -Online Quorum Storage (Successful)
  -Bring CSV's out of maintenance mode (Successful & Browsable)
  -Power on all Virtual Machines (Successful)
  This is where the time Skewed and caused headaches. The time for some reason went to 2 days 11hrs in the past on 1 domain controller.
  With this DNS lookups failed to work, Cluster services failed, Cluster Aware Updating Failed, RDP to VM's (and Virtual Hosts) by DNS Name failed (Date time error) 
  There doesn't seem to be anything in the EventLog except for date/time stamp on events being 2 days in the past.
  Now this is why i'm not sure if the issue is cause by fail over clustering, or is an issue with the domain controllers.
  Any advice regarding this or if anyone has seen this behaviour before any info would be great
  Thanks
  Rob 

  Hi Rob,
  Does both this two DCs on your cluster VM and there have not others DCs? Microsoft recommends that files for virtualized domain controllers be placed on non-CSV
  disks, Non-CSV disks can be brought online without authentication. Because non-CSV disks can be brought online more easily.
  For virtual machines that are configured as domain controllers, it is recommended that you disable time synchronization between the host system and guest operating
  system acting as a domain controller. This enables your guest domain controller to synchronize time from the domain hierarchy, please confirm your PDC time is always correct.
  The related KB:
  Running Domain Controllers in Hyper-V
  https://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#deployment_considerations_for_virtualized_domain_controllers
  Things to consider when you host Active Directory domain controllers in virtual hosting environments
  http://support.microsoft.com/kb/888794?wa=wsignin1.0
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

  when i connect to wcf service , i am getting the client authentication error.
  It happens only when i connect to wcf service from a client machine (virtual machine) that is logged in with local user account.
  Wcf service is hosted as windows service in my case.
  Client application is a windows application that connects using below security mode.
  BasicHttpBinding httpbind = new BasicHttpBinding();
  httpbind.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
  httpbind.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
  httpFactory.Credentials.Windows.AllowedImpersonationLevel
                                  = System.Security.Principal.TokenImpersonationLevel.Impersonation;
  Please help me with a solution.
  As i read more through below link , i doubt if the client is not in the same domain, it might not work ? is it rite.
  http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx
  Regards Battech

  https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
  Well, you need to figure out what the authentication is supposed to be bettwen the WCF client and WCF service, because Windows Authentication is being rejected.

• Client Authentication certificate not working in ADFS3.0

  Hi,
  I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
  federate user credentials to 3rd party trust for single-sign-on.
  I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
  use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
  The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
  Thanks!
  -Chinmaya Karve

  I am also having this problem where the certificate dialog (Windows Security is usually the title) is never prompted to the user. I tried it on several computers which are all part of the domain. The same computers can also login on another ADFS, so I have
  working certificates.
  I just get a page where a text says I should select a certificate but I never get the dialog to do so.
  Any updates on this issue?