NPS + Domain Controller

Hello
Can i install NPS with RADIUS on a Domain Controller?
tks for answering
Marc

HI All,
I have install NPS in my production DC. Now our new SA is complaining about setting up in Productions?
We have 5 remote sites and he required 3 NPS Servers for VPN Clients ? all remote site got one DC and File Server.
Do we need three servers?
As

Similar Messages

Network Policy Server: No Domain Controller Available

When attempting to configure our domain controller as a Network Policy Server, I am receiving an error message stating that there is no domain controller available for domain K12.TX.US (which is the NETBIOS name of our domain).
The Full DNS Name of our Domain is : nederland.k12.tx.us
Log Name: System
Source: NPS
Date: 3/7/2014 12:55:51 PM
Event ID: 4402
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ADMIN-PDC.nederland.k12.tx.us
Description:
There is no domain controller available for domain K12.TX.US.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NPS" />
<EventID Qualifiers="49152">4402</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-03-07T18:55:51.000000000Z" />
<EventRecordID>84518</EventRecordID>
<Channel>System</Channel>
<Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
<Security />
</System>
<EventData>
<Data>K12.TX.US</Data>
</EventData>
</Event>
Please help, as I believe that this is causing the following error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/7/2014 12:55:51 PM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: ADMIN-PDC.nederland.k12.tx.us
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: abusby
Account Domain: K12.TX.US
Fully Qualified Account Name: K12.TX.US\abusby
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-19-92-0C-E4-E9:NISD_Testing
Calling Station Identifier: B8-E8-56-A8-D4-D9
NAS:
NAS IPv4 Address: 10.250.1.15
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: Testing Access Point
Client IP Address: 10.250.1.15
Authentication Details:
Connection Request Policy Name: BlueSocket Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: ADMIN-PDC.nederland.k12.tx.us
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 7
Reason: The specified domain does not exist.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6273</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2014-03-07T18:55:51.061488000Z" />
<EventRecordID>3106129068</EventRecordID>
<Correlation />
<Execution ProcessID="584" ThreadID="4712" />
<Channel>Security</Channel>
<Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">abusby</Data>
<Data Name="SubjectDomainName">K12.TX.US</Data>
<Data Name="FullyQualifiedSubjectUserName">K12.TX.US\abusby</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">-</Data>
<Data Name="FullyQualifiedSubjectMachineName">-</Data>
<Data Name="MachineInventory">-</Data>
<Data Name="CalledStationID">00-19-92-0C-E4-E9:NISD_Testing</Data>
<Data Name="CallingStationID">B8-E8-56-A8-D4-D9</Data>
<Data Name="NASIPv4Address">10.250.1.15</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">-</Data>
<Data Name="NASPortType">Wireless - IEEE 802.11</Data>
<Data Name="NASPort">0</Data>
<Data Name="ClientName">Testing Access Point</Data>
<Data Name="ClientIPAddress">10.250.1.15</Data>
<Data Name="ProxyPolicyName">BlueSocket Wireless Connections</Data>
<Data Name="NetworkPolicyName">-</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">ADMIN-PDC.nederland.k12.tx.us</Data>
<Data Name="AuthenticationType">PEAP</Data>
<Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="ReasonCode">7</Data>
<Data Name="Reason">The specified domain does not exist.</Data>
<Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
</EventData>
</Event>

Yes I did see that article, and there are plenty of logs from another device that authenticates via
RADIUS. Requests from our 802.1x wireless network are giving the "the specified domain does not exist" error. I can enter the username asusername,
username@domain, or domain\username and
neither method fixes the error.

Lack of Connectivty to Domain Controller - Domain Controller Access Issues Requires Repeated Reauthentication

Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information.
I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is.
The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
setup.)
For 6+ months everyone had access to the shared files and databases on each workstation without issue.
In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already.
Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently
no logon servers available to service the logon request”. While access is rejected I’m still able to ping the DC both via its name and IPV4 address.
(Pinging via its name results in an IPv6 address in the response.)
Other network connectivity appears intact (able to browse the web, perform network discovery.)
Things that ‘seem’ to allow access on this computer until the next failure:
Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username.
Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
Most Problematic Computer:
Event ID 8016: System failed to register host A or AAAA resource records. (With an unknown Ipv6 and the server’s ipv4 address in the DNS server list.)
Event ID 131: NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’
‘No such host is known.”
Event ID 5719: NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Event 1030: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation
at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
Ipconfig/all from the server:
   Connection-specific DNS Suffix
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
   Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Pref
erred)
   Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
10.1.10.1
   DHCPv6 IAID . . . . . . . . . . . : 234638804
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
   DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Ipconfig/all from the problematic computer:
Wireless LAN adapter Wi-Fi:
   Connection-specific DNS Suffix
. : wp.comcast.net
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
   Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
rred)
   Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Pref
erred)
   Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
   Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
   Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
10.1.10.1
   DHCP Server . . . . . . . . . . . : 10.1.10.1
   DHCPv6 IAID . . . . . . . . . . . : 54535618
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
                10.1.10.42
   NetBIOS over Tcpip. . . . . . . . : Enabled
Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next. Could a failing piece of hardware be the culprit?
Thanks,
-JT

Hi,
According to the error you have posted.
A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
Netlogon 5719 and the Disappearing Domain [Controller]
http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
Did you refer to this KB article?
Event ID 5719 is logged when you start a Domain Member
http://support.microsoft.com/kb/938449
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Error in starting domain controller !

I have installed on Windows 2000, Oracle 9i Database 9.0.1 and Oracle 9iFS release 9.0.1.
Configuration was OK, but the domain doesn't start.
I launch 'ifslaunchdc.bat', 'ifslaunchnode.bat', and when I launch 'ifsstartdomain.bat', I receive this error:
"An exception occurred while starting Domain controller - oracle.ifs.common.IfsException: IFS-40066: Remothed method threw exception java.lang.NoSuchFieldError: OCIEnvHandle"
OTHER WAY:
If I try in Oracle Management Server (from Oracle Enterprise Management Console), I go to Internet File Systems, I go to the domain picasso:53140 and it is launched (yellow light). I do right click and I choose 'Start Domain'. I receive the following message:
" The Domain Controller 'picasso:53140' is launched
Command failed:
IFS-40066: Remothed method threw exception java.lang.NoSuchFieldError: OCIEnvHandle"
So, the same error, and I don't find anywhere this exception !
What should be done? Thanks, Jeanina

I am not sure how you got into this state, but to clear it up you can edit the boot.properties file to enter (clear text) the username and password for the server (entered when running the Configuration Wizard).
The boot.properties file is located in your domain at:
<domain root>/servers/AdminServer/security
Just enter the username and password in the file:
username=myUserName
password=myPassword
WebLogic Server will boot up using these values and immediately encrypt the username and password in the file.
An alternate approach would be to delete boot.properties in which case WLS will prompt you for the id/pw each time it is started/stopped.
Brad

SAP Server Manager Error after BPC installation on domain controller

Hi, I have installed BPC on a domain controller with windows 2003 server (english version). When I launch diagnostic in the "SAP Server Manager" I have the following error message " Current user Name does not have permission for Adminitrators group" . I think that the application it's taking the local user (the diagnistic show that de current user is "server name\user name" instead of "domain name\user name" but I login with the domain Administrator ( this server is a domain controller don't have local users).
Thanks

Hi
I have the same issue that you had.
"I have installed BPC on a domain controller with windows 2003 server (english version). When I launch diagnostic in the "SAP Server Manager" I have the following error message " Current user Name does not have permission for Adminitrators group" . The application it's taking the local user (the diagnistic show that de current user is "server name\user name" instead of "domain name\user name" but I login with the domain Administrator ( this server is a domain controller don't have local users)."
Can you please let me know how you solved this ?
thanks & regards
Lokesh

Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

Hi,
I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described
in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller
When I run Farm configuration wizard to provision search service application, I get an error:
ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
The log file logged the details of this error as:
ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
that cannot be translated."
After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
I got some pointer from the below thread
https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
However, the above thread doesn't state that the solution worked.
I have tried creating share manually for Analytics_<Guid> folder but it doesn't work since every time farm configuration wizards is run it creates a new Analytics_<Guid> folder.
Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
Can some please guide me on how to successfully provision search for SharePoint Foundation 2013 setup as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
Thanks in advance.
Himanshu

Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
Trevor Seward
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Windows Domain Controller on Windows Server 2012 R2: Hyper-V roaming profiles not loading due to slow connection

I have racked my brain and done everything that I know to do for about two weeks now. I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming
profiles. It keeps telling me that the roaming profile could not be loaded because of a slow connection. These are workstations that are connected directly to the switch that the DC is connected to. I have tried multiple connections regarding
the layout (DC into the router, router into the switch). The router is a Cisco RV220W. I have two VLANS, one for public and one for private domain. The Private VLAN has DHCP turned off since I am providing it through the DC. I currently
have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port). I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller. The DC can see
the internet fine and the workstations can connect to the shared folders on the server. I can retrieve files by just using the computer name or FQDN. The DC is also running DNS and DHCP. The DNS has the _msdcs setup from when I installed
the active directory role. I have attempted to assign static IP addresses to the workstations:
IP:                     10.0.0.80
Subnet:             255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS:        10.0.0.12
I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
The server is assigned:
IP:                     10.0.0.12
Subnet:             255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS:         10.0.0.12
The DNS entries have forwarders that forward to my ISP DNS servers for lookup
I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
I've lost my patience with this project and am sinking fast. Can someone please offer some advice as to what I've done wrong? I've created this exact scenario at work many times but, I've never done it with Windows Server 2012. Is this
possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV? I am going to attempt to work on it some more tomorrow when I get over there. I think there may be an issue with the SR-IOV not being enabled on the machine
through the Dell Bios. Would the SR-IOV really cause the workstations to report a slow connection? When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct. I don't
have "ignore slow connections" or any of those GPO's set. I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem. Any help that someone can offer, I am more than willing
to listen. If you need more information, please ask.
Thanks,
Jay

So, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many
post and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the
virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If hyper-v would allow passthrough, this would be so much simpler. VM-ware is looking really good at this point.
Im disappointed in MS right now.

Cannot Login to Read Only Domain Controller

One of my Read Only Domain Controller Servers shut down unexpectedly due to a power outage and now I cannot login to it anymore. When the server powered on again, it came up with an error regarding on of the hard drives failing (RAID1)
I get a message Access is Denied when I try to login with one of my domain admin accounts. As it is a RODC, there are no local accounts for me to use. The RODC is running on Windows Server 2008 R2. The server is also running as a DHCP/Print/File server for
the office so these are not working as well.
I checked my PDC and it is coming up with the following error in the event viewer
Log Name: System
Source: Security-Kerberos
Event ID: 4
Level: Error
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rodc01$. The target name used was domain/rodc01.domain.local. This indicates that the target server failed to decrypt
the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account
used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the
server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain.local) is different from the client domain (domain.local), check if there are identically named server accounts in these
two domains, or use the fully-qualified name to identify the server.
I have tried to reset the computer password with netdom but I get the following error
netdom resetpwd /server:rodc01 /userd:administrator /passwordd:*
The machine account password for the local machine could not be reset.
Logon Failure: The target account name is incorrect.
The command failed to complete successfully.
If I try to reset the password using the IP address instead, I get the following error
netdom resetpwd /server:192.168.10.1 /userd:administrator /passwordd:*
The machine account password for the local machine could not be reset.
Access is denied.
The command failed to complete successfully.
I checked my AD and DNS and the rodc object is present
If I run repadmin /replsum on the PDC I get the message for the faulty RODC server
Experienced the following operational errors trying to retrieve replication information:
8341 – rodc01.domain.local
Any advice is appreciated
Thanks

Logon to the server in Directory Services Restore Mode (DSRM) using the password you supplied during DCPROMO and verify that the Active Directory database isn't corrupted on the RODC - You will most likely see indications on this in the Directory
Services log.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog

Maintain access to network(shared folders) resources if the site loses access to a Domain Controller?

Scenario
Windows 7 users log on to workstations at a site. Domain Controller is up and does the domain authentication for those users across the WAN. Users are then accessing a local(same building) Shared directory on a Windows 2008r2 server, in order to open, modify,
save new files, etc.
Then, the site loses access to the Domain Controller due to a WAN outage.
Question
Will those users that have already logged onto their Windows 7 workstations continue to have access to the shared resources on the local Windows 2008r2 server with their cached credentials(assuming they don't logoff or restart their machines)?? This has
been the case in the past, but wondering if anything has changed with Windows 2008??
Thanks

Hi,
The duration that you can access the server depends on when the server requires re-authentication.
In Windows implementation, SMB session expiration is enforced based upon the client’s support of dynamic re-authentication capability [MS-SMB].
If the client enables the CAP_DYNAMIC_REAUTH capability bit, the server will enforce session expiration. If a client does not set CAP_DYNAMIC_REAUTH, the Windows server does not return STATUS_NETWORK_SESSION_EXPIRED.
The SMB dynamic re-authentication feature was introduced in Windows XP. From there, Windows-based clients set the CAP_DYNAMIC_REAUTH capability bit to indicate to the server that the client supports re-authentication when the Kerberos service ticket for
the session expires.
Windows servers do check CAP_DYNAMIC_REAUTH:
If clientCapabilities sets CAP_DYNAMIC_REAUTH, the server will set Server. Session.AuthenticationExpirationTime to the expiry time returned by AcceptSecuirtyContext.
If clientCapabilities does not set CAP_DYNAMIC_REAUTH, the server will not set Server. Session.AuthenticationExpirationTime, basically a CAP_DYNAMIC_REAUTH capability bit not set by the client means the session will not expire on the server side.
To configure Maximum lifetime for service ticket, you can use grouppolicy. The default value of
Maximum lifetime for service ticket
in Default Domain Policy is 600 minutes.
Note:This setting is applied to DC, not clients.
For detailed information, please view the link below
CIFS and SMB Timeouts in Windows
http://blogs.msdn.com/b/openspecification/archive/2013/03/19/cifs-and-smb-timeouts-in-windows.aspx
Maximum lifetime for service ticket
http://technet.microsoft.com/en-us/library/jj852188.aspx
Hope this helps.
Steven Lee
TechNet Community Support

Windows Server 2008 R2: Server unable to authenticate with Domain Controller

Hello, I was wondering what could be the reason for this error if it is certain that there was no other computer on the network using the same name:
This computer could not authenticate with<Domain-controller>, a Windows domain controller for domain <Domain-name>, and therefore this computer might deny logon requests. This
inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized.
What would cause the machine account pw to be 'not recognized'?

You can track changes in AD by enabling AD Auditing: https://technet.microsoft.com/en-us/library/cc731764%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
As reading the logs is usually a complicated and time consuming task, it is recommended to use a third party tool for auditing. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

JRE 1.7 / Java Plug-in - Long delay in retrieving the applet File(JAR) due to a request to the Domain Controller(on port 53)

Description:
A specific group of users/customers (using Windows7 OS with IE and FireFox web browsers) are facing problems with retrieving the applet File, after they upgraded the JRE on the system(PC) to JRE 1.7.0_25-b17 from JRE version 1.6.0_29-b11.
With JRE 1.7.0_25-b17 it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs. The problem occurs consistently.
The current temporary workaround for this group of users is to use JRE version 1.6.0_29-b11.
Problem analysis:
To investigate the problem the below steps were executed:
1) Collected the Java console outputbelow details from the user's system. (The complete output is not posted due to lengthy content, though can be added further to this post if required.)
(a) Works fine with JRE version 1.6.0_29-b11. Kindly refer to Java console output in the code ‘section A’ towards the end of this post.
(b) The problem occurs with problem with JRE version 1.7.0_25-b17. Kindly refer to Java console output in the code ‘section B’ towards the end of this post. The step where the problem is observed, is indicated as(##<comment>##).
2) The network settings in the user's browser was checked. Internet Options > Connections > LAN setting
The configured option is 'Use automatic configuration script' and the value is http://www.userAppX.com/proxy.pac
This configuration remains the same irrespective of the JRE version in use.
3) The network settings in the Java Control Panel was checked.
The used/selected option is "Use browser settings", although values for 'Use proxy server' and 'use automatic proxy configuration script' are filled-in as 'user-proxy.com' and 'http://www.userAppX.com/proxy.pac' respectively.
This configuration remains the same irrespective of the JRE version in use.
4) The proxy PAC file was checked and debugging was done for the request 'https://myAppletHost.com/download/...'. The FindProxyForUrl function (including the conditions defined in it, for the hostname and domain checks) returns PROXY user-proxy.com:80
5) The user also tried the below
a. Changed the option in the network settings in the browser to 'Proxy server' with Address 'user-proxy.com' and Port '80'
b. Restarted the browser.
c. Tried with Java Plug-in 1.6.0_29, JRE version 1.6.0_29-b11. There was no problem and no request to the Domain Controller of the user.
d. Tried with Java Plug-in 10.40.2.43, JRE version 1.7.0_40-b43. The problem occurs with the delay and a request to the Domain Controller of the user is observed.
Kindly refer to Java console output in the code ‘section C’ towards the end of this post.
6) The user also tried setting the below property in the Java Control panel; restarted the browser, and try with JRE 1.7.0_40-b43. The problem stil persists.
-Djava.net.preferIPv4Stack=true
7) The Global Policy Management of the Domain Controller was verified by the user. It has GPO for proxy setting but nothing related to Java security.
Questions:
The problem seems be specific to a particular (user) environment setup, and the user faces the problem when using JRE 1.7.
We would like to know if the issue is in the (user) environment setup or in JRE 1.7.
Could you please help with information/ideas/suggestions to identify the root cause and solution for this problem?
Section A:
Java Plug-in 1.6.0_29
Using JRE version 1.6.0_29-b11 Java HotSpot(TM) Client VM
User home directory = C:\Users\userA
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Checking if certificate is in Deployment denied certificate store
network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000IK4bEMoqXH10zsl88rwvoRI:175oe9tjd; BCSI-CS-b1bb5056c5b0e83f=2"
network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
                Content-Length: 403.293
                Content-Encoding: null
Dump system properties ...
https.protocols = TLSv1,SSLv3
java.vm.info = mixed mode, sharing
java.vm.name = Java HotSpot(TM) Client VM
java.vm.specification.name = Java Virtual Machine Specification
java.vm.specification.vendor = Sun Microsystems Inc.
java.vm.specification.version = 1.0
java.vm.vendor = Sun Microsystems Inc.
java.vm.version = 20.4-b02
javaplugin.nodotversion = 160_29
javaplugin.version = 1.6.0_29
javaplugin.vm.options =
os.arch = x86
os.name = Windows 7
os.version = 6.1
trustProxy = true
deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
deployment.proxy.bypass.local = false
deployment.proxy.http.host = user-proxy.com
deployment.proxy.http.port = 80
deployment.proxy.override.hosts =
deployment.proxy.same = false
deployment.proxy.type = 3
deployment.security.SSLv2Hello = false
deployment.security.SSLv3 = true
deployment.security.TLSv1 = true
deployment.security.mixcode = ENABLE
Section B:
Java Plug-in 10.25.2.17
Using JRE version 1.7.0_25-b17 Java HotSpot(TM) Client VM
User home directory = C:\Users\userA
basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@12adac5
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                (##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000UQuXWY5tjxjpwcKHlfJKe_8:175oe9j45; BCSI-CS-2d4ce94a2ae7b460=2"
network: ResponseCode for https://myAppletHost.com/download/myApplet.jar : 200
network: Encoding for https://myAppletHost.com/download/myApplet.jar : null
network: Server response: (length: -1, lastModified: Thu Feb xx yy:yy:yy CET 2013, downloadVersion: null, mimeType: text/plain)
network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
                Content-Length: -1
                Content-Encoding: null
Section C:
Java Plug-in 10.40.2.43
Using JRE version 1.7.0_40-b43 Java HotSpot(TM) Client VM
User home directory = C:\Users\userA
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-1d67c8b6508ca09c=2; Path=/"
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                (##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklist
network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklisted.certs
network: Checking for update at: https://javadl-esd-secure.oracle.com/update/baseline.version
network: Connecting https://javadl-esd-secure.oracle.com/update/blacklist with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Connecting https://javadl-esd-secure.oracle.com/update/baseline.version with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Connecting https://javadl-esd-secure.oracle.com/update/blacklisted.certs with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
Dump system properties ...
https.protocols = TLSv1,SSLv3
java.vm.info = mixed mode, sharing
java.vm.name = Java HotSpot(TM) Client VM
java.vm.specification.name = Java Virtual Machine Specification
java.vm.specification.vendor = Oracle Corporation
java.vm.specification.version = 1.7
java.vm.vendor = Oracle Corporation
java.vm.version = 24.0-b56
javaplugin.nodotversion = 10402
javaplugin.version = 10.40.2.43
os.arch = x86
os.name = Windows 7
os.version = 6.1
trustProxy = true
active.deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
active.deployment.proxy.bypass.local = false
active.deployment.proxy.http.host = user-proxy.com
active.deployment.proxy.http.port = 80
active.deployment.proxy.same = false
active.deployment.proxy.type = 3
deployment.browser.path = C:\Program Files (x86)\Internet Explorer\iexplore.exe
deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
deployment.proxy.bypass.local = false
deployment.proxy.http.host = user-proxy.com
deployment.proxy.http.port = 80
deployment.proxy.override.hosts =
deployment.proxy.same = false
deployment.proxy.type = 3
deployment.security.SSLv2Hello = false
deployment.security.SSLv3 = true
deployment.security.TLSv1 = true
deployment.security.TLSv1.1 = false
deployment.security.TLSv1.2 = false
deployment.security.authenticator = true
deployment.security.disable = false
deployment.security.level = HIGH
deployment.security.mixcode = ENABLE
PS:
Since the JRE 1.7.0_25-b17 update, it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs.
The problem occurs consistently, and also with JRE 1.7.0_45-b18.
Java Plug-in 10.45.2.18
Using JRE version 1.7.0_45-b18 Java HotSpot(TM) Client VM
User home directory = C:\Users\userA
c:   clear console window
f:   finalize objects on finalization queue
g:   garbage collect
h:   display this help message
l:   dump classloader list
m:   print memory usage
o:   trigger logging
q:   hide console
r:   reload policy configuration
s:   dump system and deployment properties
t:   dump thread list
v:   dump thread stack
x:   clear classloader cache
0-5: set trace level to <n>
cache: Initialize resource manager: com.sun.deploy.cache.ResourceProviderImpl@134a33d
basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@1971f66
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-f797d4d262467220=2; Path=/"
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                (##THE ABOVE REQUEST CAUSES THE DELAY AND SOMETIMES HANGS##)

My organization is experiencing very similar problems. We have resolved it through several steps.
We upgraded the client to Java 8 and we saw in the console that the hanging connection with the Domain Controller no longer occurs. This may be all that is necessary for your environment as well.

Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?

Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?

I also had this error: "Setup cannot continue. Your computer will now restart, and your previous version of Windows will be restored."
trying to do a in-place upgrade of a Domain Controller Windows 2008 R2 to Windows 2012 R2.
The problem was the separated System Reserved Partition. After I removed using this instructions:
http://jacobackerman.blogspot.com/2012/12/how-to-remove-system-reserved-partition.html
The upgrade ran ok, and now have my DC as Windows 2012 R2.
Hope that helps!.

¿Is it possible to upgrade from SCCM 2012 a domain controller in Windows Server 2008 R2 TO 2012 R2?

Hi all.
I want to know if is it possible to upgrade a domain controller from Windows Server 2008 r2 to 2012 r2 installing from SCCM 2012.
Thanks.
Regards.

Hi all.
I want to know if is it possible to upgrade a domain controller from Windows Server 2008 r2 to 2012 r2 installing from SCCM 2012.
Thanks.
Regards.
Anything is possible if you can script it. You could create a task sequence to do the following (with scripts):
1. Demote 2008R2 DC to member server
2. Remove 2008R2 member server from domain
3. Build new 2012R2 member server and join to domain
4. Promote 2012R2 member server to DC
You can do this. However, why would you? Just because you can doesn't mean you should. In my opinion it's more trouble and testing than it's worth. How many times would you need to do this?
Gerry Hampson | Blog:
www.gerryhampsoncm.blogspot.ie | LinkedIn:
Gerry Hampson | Twitter:
@gerryhampson

Is it possible to restrict a local admin from accessing/viewing AD accounts on a Domain Controller?

I am working on determining if I can have a separate administrator group handle patching and performing maintenance on four servers that are DCs of their own AD domain, but restrict these administrators from the ability to see the active directory user
accounts in that AD domain?

Hello,
Since you are talking about domain controllers I have to say there are no Power Users group in them. Actually the local user management will be disabled as soon as you promote a server to a domain controller. The only option which is left here is to grant
Administrators handle the job. In case of RODC you can go through what Albert suggested.
However since domain controllers are sensitive and plays a key role in your environment I strongly recommend not to allow non administrators to perform maintanance or other related tasks (At least for domain controllers).
Another option you have left for your patch management is to use a member server like WSUS to automatically install updates on your DCs.
Regards.
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers?

CERT_TRUST_IS_NOT_SIGNATURE_VALID when installing a 3rd-party cert in Windows 2008 Domain Controller

Hello,
I'm facing with a problem while trying to install a 3rd-party digital certificate on a Windows 2008 Domain Controller.
Basically, I'm following this TechNet
http://technet.microsoft.com/en-us/library/cc783835(v=ws.10).aspx
1) I did create the file Reqdccert.vbs on the Domain Controller
2) then I did generate the inf file
cscript reqdccert.vbs DomainController E
3) and then I generated a certificate request
certreq -new AD.inf AD.req
4) also I've imported RootCA and SubCA into the Certificate Store of the DC
5) I got a signed certificate from our 3rd-party CA running on Windows 2000
6) when importing the certificate I get the below error
C:\>certreq -ACCEPT ad.p7c
Certificate Request Processor: The signature of the certificate cannot be verifi
ed. 0x80096004 (-2146869244)
Here is the verbose log from CAPI2:
+ System
- Provider
[ Name] Microsoft-Windows-CAPI2
[ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
EventID 11
Version 0
Level 2
Task 11
Opcode 2
Keywords 0x4000000000000003
- TimeCreated
[ SystemTime] 2014-06-13T09:33:02.604870500Z
EventRecordID 304
Correlation
- Execution
[ ProcessID] 1700
[ ThreadID] 3032
Channel Microsoft-Windows-CAPI2/Operational
Computer ad.eac.igs
- Security
[ UserID] S-1-5-21-4171312682-976198474-2692596432-500
- UserData
- CertGetCertificateChain
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- AdditionalStore
- Certificate
[ fileRef] 691847ADD248AEB8579462249B063A1555716B21.cer
[ subjectName] SubCA
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- Certificate
[ fileRef] 0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer
[ subjectName] RootCA
ExtendedKeyUsage
- Flags
[ value] 0
- ChainEngineInfo
[ context] user
- AdditionalInfo
- NetworkConnectivityStatus
[ value] 1
[ _SENSAPI_NETWORK_ALIVE_LAN] true
- CertificateChain
[ chainRef] {0B005F9F-F15B-4FE2-A630-7BBEE6AB5C0A}
- TrustStatus
- ErrorStatus
[ value] 8
[ CERT_TRUST_IS_NOT_SIGNATURE_VALID] true
- InfoStatus
[ value] 0
- ChainElement
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.11
[ hashName] SHA256
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 8
[ CERT_TRUST_IS_NOT_SIGNATURE_VALID] true
- InfoStatus
[ value] 4
[ CERT_TRUST_HAS_NAME_MATCH_ISSUER] true
- ApplicationUsage
- Usage
[ oid] 1.3.6.1.5.5.7.3.1
[ name] Server Authentication
- Usage
[ oid] 1.3.6.1.5.5.7.3.2
[ name] Client Authentication
- Usage
[ oid] 1.3.6.1.4.1.311.20.2.2
[ name] Smart Card Logon
IssuanceUsage
- ChainElement
- Certificate
[ fileRef] 691847ADD248AEB8579462249B063A1555716B21.cer
[ subjectName] SubCA
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.5
[ hashName] SHA1
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 0
- InfoStatus
[ value] 101
[ CERT_TRUST_HAS_EXACT_MATCH_ISSUER] true
[ CERT_TRUST_HAS_PREFERRED_ISSUER] true
- ApplicationUsage
[ any] true
IssuanceUsage
- ChainElement
- Certificate
[ fileRef] 0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer
[ subjectName] RootCA
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.5
[ hashName] SHA1
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 0
- InfoStatus
[ value] 10C
[ CERT_TRUST_HAS_NAME_MATCH_ISSUER] true
[ CERT_TRUST_IS_SELF_SIGNED] true
[ CERT_TRUST_HAS_PREFERRED_ISSUER] true
- ApplicationUsage
[ any] true
- IssuanceUsage
[ any] true
- EventAuxInfo
[ ProcessName] certreq.exe
[ startTime] 2014-06-13T09:32:53.369Z
[ endTime] 2014-06-13T09:33:02.604Z
[ duration] PT9.232850S
- CorrelationAuxInfo
[ TaskId] {A8DC7725-FEE9-4E09-905A-FEFF7FAE9B8B}
[ SeqNumber] 27
- Result The signature of the certificate cannot be verified.
[ value] 80096004
Any idea what the problem is?
Thanks in advance,
Davide.

One common reason for that error is that the wrong SubCA certificate had been imported accidentally - e.g. an earlier 'version' of that SubCA with the same Subject CA name but a different key. In this case the validating client will try to build a chain
based on name only but finally the signature check fails.
Could you cross-check if the extension Authority Key Identifier in your DC certificate is the same as the field
Subject Key Identifier of the SubCA certificate? (These are typically hashes of the keys though it is not standardized - it should be a unique string characteristic for the CA)
For the client cert. CERT_TRUST_HAS_NAME_MATCH_ISSUER is indicated in your log - thus Isser name in client cert. matches Subject Name in CA cert, but we don't know about SKI/AKI.
Elke

NPS + Domain Controller

Similar Messages

Maybe you are looking for