Samba4 Domain Controller winbind problem
Hey,
I set up a samba4 active directory domain controller including dns, kerberos, network scripts, etc. Everything is working fine so far.
Now I read that it's possible to authenticate all users against the active directory with winbind. I did a lot of reading but couldn't find the answer if winbind is possible with the primary domain controller on the same linux machine without another server in the network.
So clearer: We only have one server, an archlinux machine with samba4 as primary domain controller. Is it possible to use the domain users for other services like ssh or do I need to give the users a local linux account?
If it is possible what will the smb.conf have to look like?
Thanks in advance
Similar Messages
-
NTP Service on Domain Controller has a problem with Cisco switch
Hello!
I have a Windows Server 2008 R2 SP1 Domain Controller with NTP services.
The Windows operating system clients get NTP time OK.
There is a problem with the Cisco switch: it can't get time from NTP.
Can anybody help me to fix the problem?
C:\Users\Sysuser>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 1800 (Local)
MaxPosPhaseCorrection: 1800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NTP (Policy)
NtpServer: 10.7.0.4 (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
Cisco config and errors
CISCO1#show ntp ass det
10.7.0.7 configured, insane, invalid, stratum 3
ref ID 10.7.0.4, time D5BC850F.C8400AB2 (15:50:39.782 MSK Mon Aug 19 2013)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 62.50 msec, root disp 11128.04, reach 377, sync dist 11218.796
delay 6.06 msec, offset -467951.1096 msec, dispersion 56.49
precision 2**6, version 3
org time D5BC8864.F79C33A7 (16:04:52.967 MSK Mon Aug 19 2013)
rcv time D5BC8A38.EBDECB39 (16:12:40.921 MSK Mon Aug 19 2013)
xmt time D5BC8A38.EA5173BE (16:12:40.915 MSK Mon Aug 19 2013)
filtdelay = 6.06 5.87 3.23 7.90 6.41 5.17 13.03 3.43
filtoffset = -467951 -467905 -467936 -467885 -467764 -467816 -467707 -467697
filterror = 0.02 15.64 31.27 46.89 62.52 78.14 93.75 93.78
Hi,
>>I gave log on as a service right to this account in Default Domain Controllers Policy but unfortunately it was not enough
Based on your description, we can try to grant this account Allow log on locally user right in the default domain controller policy to see if it helps.
The policy setting is:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx#feedback
Best regards,
Frank Shen -
Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information.
I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is.
The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates setup.)
For 6+ months everyone had access to the shared files and databases on each workstation without issue.
In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already.
Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently no logon servers available to service the logon request”. While access is rejected I’m still able to ping the DC both via its name and IPV4 address.
(Pinging via its name results in an IPv6 address in the response.)
Other network connectivity appears intact (able to browse the web, perform network discovery.)
Things that ‘seem’ to allow access on this computer until the next failure:
Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username.
Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
Most Problematic Computer:
Event ID 8016: System failed to register host A or AAAA resource records. (With an unknown IPv6 and the server’s IPv4 address in the DNS server list.)
Event ID 131: NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’ ‘No such host is known.’
Event ID 5719: NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Event 1030: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
Ipconfig/all from the server:
Connection-specific DNS Suffix
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Preferred)
Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
10.1.10.1
DHCPv6 IAID . . . . . . . . . . . : 234638804
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ipconfig/all from the problematic computer:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : wp.comcast.net
Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Preferred)
Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Preferred)
Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
10.1.10.1
DHCP Server . . . . . . . . . . . : 10.1.10.1
DHCPv6 IAID . . . . . . . . . . . : 54535618
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
10.1.10.42
NetBIOS over Tcpip. . . . . . . . : Enabled
Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next. Could a failing piece of hardware be the culprit?
Thanks,
-JT
Hi,
According to the error you have posted.
A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
Netlogon 5719 and the Disappearing Domain [Controller]
http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
Did you refer to this KB article?
Event ID 5719 is logged when you start a Domain Member
http://support.microsoft.com/kb/938449
Regards.
-
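For the Netlogon 5719 thread above: a domain member can only locate a DC through DNS servers that hold the AD zone, so the resolver list on the client is the first thing to check. As an added example (not part of the thread), this Python script parses `ipconfig /all` text and lists resolvers that are neither a DC nor loopback; the samples are excerpts of the output posted above, the DC address 10.1.10.42 is taken from the server's output, and the function names are hypothetical.

```python
import ipaddress
import re

# Sample input: excerpts of the `ipconfig /all` output posted above. The scrape lost
# the original indentation and wrapped one address, which the parser tolerates.
CLIENT_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : wp.comcast.net
DHCP Enabled. . . . . . . . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
rred)
IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
10.1.10.1
DHCP Server . . . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
10.1.10.42
NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SERVER_IPCONFIG = """\
IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _as_ip(token):
    """Parse an address, dropping any IPv6 zone id (%13); return None if not an IP."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None


def dns_servers_by_adapter(ipconfig_text):
    """Map adapter name -> DNS servers in listed order (first entry is preferred)."""
    result, adapter, collecting = {}, "(no adapter header)", False
    for line in ipconfig_text.splitlines():
        s = line.strip()
        if s.endswith(":") and "adapter" in s:      # e.g. "Wireless LAN adapter Wi-Fi:"
            adapter, collecting = s[:-1], False
            continue
        m = re.match(r"DNS Servers[ .]*:\s*(\S+)", s)
        if m:
            collecting, s = True, m.group(1)
        if collecting:
            ip = _as_ip(s)                          # continuation lines are bare addresses
            if ip is None:
                collecting = False                  # next field label ends the list
            else:
                result.setdefault(adapter, []).append(ip)
    return result


def foreign_resolvers(ipconfig_text, dc_addresses):
    """Return {adapter: [address, ...]} for resolvers that are not a DC or loopback."""
    allowed = {ipaddress.ip_address(a) for a in dc_addresses}
    findings = {}
    for adapter, servers in dns_servers_by_adapter(ipconfig_text).items():
        foreign = [str(ip) for ip in servers if ip not in allowed and not ip.is_loopback]
        if foreign:
            findings[adapter] = foreign
    return findings


if __name__ == "__main__":
    print("client:", foreign_resolvers(CLIENT_IPCONFIG, ["10.1.10.42"]))
    print("server:", foreign_resolvers(SERVER_IPCONFIG, ["10.1.10.42"]))
```

On the posted client output the two 2001:558:feed:: resolvers are reported and are listed ahead of the DC, while the server output reports nothing.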
I have racked my brain and done everything that I know to do for about two weeks now. I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming profiles. It keeps telling me that the roaming profile could not be loaded because of a slow connection. These are workstations that are connected directly to the switch that the DC is connected to. I have tried multiple connections regarding the layout (DC into the router, router into the switch). The router is a Cisco RV220W. I have two VLANS, one for public and one for private domain. The Private VLAN has DHCP turned off since I am providing it through the DC. I currently have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port). I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller. The DC can see the internet fine and the workstations can connect to the shared folders on the server. I can retrieve files by just using the computer name or FQDN. The DC is also running DNS and DHCP. The DNS has the _msdcs setup from when I installed the active directory role. I have attempted to assign static IP addresses to the workstations:
IP: 10.0.0.80
Subnet: 255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS: 10.0.0.12
I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
The server is assigned:
IP: 10.0.0.12
Subnet: 255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS: 10.0.0.12
The DNS entries have forwarders that forward to my ISP DNS servers for lookup
I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
I've lost my patience with this project and am sinking fast. Can someone please offer some advice as to what I've done wrong? I've created this exact scenario at work many times but, I've never done it with Windows Server 2012. Is this possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV? I am going to attempt to work on it some more tomorrow when I get over there. I think there may be an issue with the SR-IOV not being enabled on the machine through the Dell Bios. Would the SR-IOV really cause the workstations to report a slow connection? When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct. I don't have "ignore slow connections" or any of those GPO's set. I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem. Any help that someone can offer, I am more than willing to listen. If you need more information, please ask.
Thanks,
Jay
So, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many posts and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If Hyper-V would allow passthrough, this would be so much simpler. VMware is looking really good at this point.
I'm disappointed in MS right now. -
Description:
A specific group of users/customers (using Windows7 OS with IE and FireFox web browsers) are facing problems with retrieving the applet File, after they upgraded the JRE on the system(PC) to JRE 1.7.0_25-b17 from JRE version 1.6.0_29-b11.
With JRE 1.7.0_25-b17 it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs. The problem occurs consistently.
The current temporary workaround for this group of users is to use JRE version 1.6.0_29-b11.
Problem analysis:
To investigate the problem the below steps were executed:
1) Collected the Java console output below details from the user's system. (The complete output is not posted due to lengthy content, though can be added further to this post if required.)
(a) Works fine with JRE version 1.6.0_29-b11. Kindly refer to Java console output in the code ‘section A’ towards the end of this post.
(b) The problem occurs with JRE version 1.7.0_25-b17. Kindly refer to Java console output in the code ‘section B’ towards the end of this post. The step where the problem is observed is indicated as (##<comment>##).
2) The network settings in the user's browser was checked. Internet Options > Connections > LAN setting
The configured option is 'Use automatic configuration script' and the value is http://www.userAppX.com/proxy.pac
This configuration remains the same irrespective of the JRE version in use.
3) The network settings in the Java Control Panel was checked.
The used/selected option is "Use browser settings", although values for 'Use proxy server' and 'use automatic proxy configuration script' are filled-in as 'user-proxy.com' and 'http://www.userAppX.com/proxy.pac' respectively.
This configuration remains the same irrespective of the JRE version in use.
4) The proxy PAC file was checked and debugging was done for the request 'https://myAppletHost.com/download/...'. The FindProxyForUrl function (including the conditions defined in it, for the hostname and domain checks) returns PROXY user-proxy.com:80
5) The user also tried the below
a. Changed the option in the network settings in the browser to 'Proxy server' with Address 'user-proxy.com' and Port '80'
b. Restarted the browser.
c. Tried with Java Plug-in 1.6.0_29, JRE version 1.6.0_29-b11. There was no problem and no request to the Domain Controller of the user.
d. Tried with Java Plug-in 10.40.2.43, JRE version 1.7.0_40-b43. The problem occurs with the delay and a request to the Domain Controller of the user is observed.
Kindly refer to Java console output in the code ‘section C’ towards the end of this post.
6) The user also tried setting the below property in the Java Control panel, restarted the browser, and tried with JRE 1.7.0_40-b43. The problem still persists.
-Djava.net.preferIPv4Stack=true
7) The Global Policy Management of the Domain Controller was verified by the user. It has GPO for proxy setting but nothing related to Java security.
Questions:
The problem seems to be specific to a particular (user) environment setup, and the user faces the problem when using JRE 1.7.
We would like to know if the issue is in the (user) environment setup or in JRE 1.7.
Could you please help with information/ideas/suggestions to identify the root cause and solution for this problem?
Section A:
Java Plug-in 1.6.0_29
Using JRE version 1.6.0_29-b11 Java HotSpot(TM) Client VM
User home directory = C:\Users\userA
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Checking if certificate is in Deployment denied certificate store
network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000IK4bEMoqXH10zsl88rwvoRI:175oe9tjd; BCSI-CS-b1bb5056c5b0e83f=2"
network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
Content-Length: 403.293
Content-Encoding: null
Dump system properties ...
https.protocols = TLSv1,SSLv3
java.vm.info = mixed mode, sharing
java.vm.name = Java HotSpot(TM) Client VM
java.vm.specification.name = Java Virtual Machine Specification
java.vm.specification.vendor = Sun Microsystems Inc.
java.vm.specification.version = 1.0
java.vm.vendor = Sun Microsystems Inc.
java.vm.version = 20.4-b02
javaplugin.nodotversion = 160_29
javaplugin.version = 1.6.0_29
javaplugin.vm.options =
os.arch = x86
os.name = Windows 7
os.version = 6.1
trustProxy = true
deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
deployment.proxy.bypass.local = false
deployment.proxy.http.host = user-proxy.com
deployment.proxy.http.port = 80
deployment.proxy.override.hosts =
deployment.proxy.same = false
deployment.proxy.type = 3
deployment.security.SSLv2Hello = false
deployment.security.SSLv3 = true
deployment.security.TLSv1 = true
deployment.security.mixcode = ENABLE
Section B:
Java Plug-in 10.25.2.17
Using JRE version 1.7.0_25-b17 Java HotSpot(TM) Client VM
User home directory = C:\Users\userA
basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@12adac5
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
(##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000UQuXWY5tjxjpwcKHlfJKe_8:175oe9j45; BCSI-CS-2d4ce94a2ae7b460=2"
network: ResponseCode for https://myAppletHost.com/download/myApplet.jar : 200
network: Encoding for https://myAppletHost.com/download/myApplet.jar : null
network: Server response: (length: -1, lastModified: Thu Feb xx yy:yy:yy CET 2013, downloadVersion: null, mimeType: text/plain)
network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
Content-Length: -1
Content-Encoding: null
Section C:
Java Plug-in 10.40.2.43
Using JRE version 1.7.0_40-b43 Java HotSpot(TM) Client VM
User home directory = C:\Users\userA
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-1d67c8b6508ca09c=2; Path=/"
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
(##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklist
network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklisted.certs
network: Checking for update at: https://javadl-esd-secure.oracle.com/update/baseline.version
network: Connecting https://javadl-esd-secure.oracle.com/update/blacklist with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Connecting https://javadl-esd-secure.oracle.com/update/baseline.version with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Connecting https://javadl-esd-secure.oracle.com/update/blacklisted.certs with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
Dump system properties ...
https.protocols = TLSv1,SSLv3
java.vm.info = mixed mode, sharing
java.vm.name = Java HotSpot(TM) Client VM
java.vm.specification.name = Java Virtual Machine Specification
java.vm.specification.vendor = Oracle Corporation
java.vm.specification.version = 1.7
java.vm.vendor = Oracle Corporation
java.vm.version = 24.0-b56
javaplugin.nodotversion = 10402
javaplugin.version = 10.40.2.43
os.arch = x86
os.name = Windows 7
os.version = 6.1
trustProxy = true
active.deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
active.deployment.proxy.bypass.local = false
active.deployment.proxy.http.host = user-proxy.com
active.deployment.proxy.http.port = 80
active.deployment.proxy.same = false
active.deployment.proxy.type = 3
deployment.browser.path = C:\Program Files (x86)\Internet Explorer\iexplore.exe
deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
deployment.proxy.bypass.local = false
deployment.proxy.http.host = user-proxy.com
deployment.proxy.http.port = 80
deployment.proxy.override.hosts =
deployment.proxy.same = false
deployment.proxy.type = 3
deployment.security.SSLv2Hello = false
deployment.security.SSLv3 = true
deployment.security.TLSv1 = true
deployment.security.TLSv1.1 = false
deployment.security.TLSv1.2 = false
deployment.security.authenticator = true
deployment.security.disable = false
deployment.security.level = HIGH
deployment.security.mixcode = ENABLE
PS:
Since the JRE 1.7.0_25-b17 update, it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs.
The problem occurs consistently, and also with JRE 1.7.0_45-b18.
Java Plug-in 10.45.2.18
Using JRE version 1.7.0_45-b18 Java HotSpot(TM) Client VM
User home directory = C:\Users\userA
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
cache: Initialize resource manager: com.sun.deploy.cache.ResourceProviderImpl@134a33d
basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@1971f66
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-f797d4d262467220=2; Path=/"
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
(##THE ABOVE REQUEST CAUSES THE DELAY AND SOMETIMES HANGS##)
My organization is experiencing very similar problems. We have resolved it through several steps.
We upgraded the client to Java 8 and we saw in the console that the hanging connection with the Domain Controller no longer occurs. This may be all that is necessary for your environment as well. -
Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?
I also had this error: "Setup cannot continue. Your computer will now restart, and your previous version of Windows will be restored."
trying to do an in-place upgrade of a Domain Controller Windows 2008 R2 to Windows 2012 R2.
The problem was the separated System Reserved Partition. After I removed it using these instructions:
http://jacobackerman.blogspot.com/2012/12/how-to-remove-system-reserved-partition.html
The upgrade ran OK, and I now have my DC as Windows 2012 R2.
Hope that helps! -
Hello,
I'm facing a problem while trying to install a 3rd-party digital certificate on a Windows 2008 Domain Controller.
Basically, I'm following this TechNet
http://technet.microsoft.com/en-us/library/cc783835(v=ws.10).aspx
1) I did create the file Reqdccert.vbs on the Domain Controller
2) then I did generate the inf file
cscript reqdccert.vbs DomainController E
3) and then I generated a certificate request
certreq -new AD.inf AD.req
4) also I've imported RootCA and SubCA into the Certificate Store of the DC
5) I got a signed certificate from our 3rd-party CA running on Windows 2000
6) when importing the certificate I get the below error
C:\>certreq -ACCEPT ad.p7c
Certificate Request Processor: The signature of the certificate cannot be verified. 0x80096004 (-2146869244)
Here is the verbose log from CAPI2:
+ System
- Provider
[ Name] Microsoft-Windows-CAPI2
[ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
EventID 11
Version 0
Level 2
Task 11
Opcode 2
Keywords 0x4000000000000003
- TimeCreated
[ SystemTime] 2014-06-13T09:33:02.604870500Z
EventRecordID 304
Correlation
- Execution
[ ProcessID] 1700
[ ThreadID] 3032
Channel Microsoft-Windows-CAPI2/Operational
Computer ad.eac.igs
- Security
[ UserID] S-1-5-21-4171312682-976198474-2692596432-500
- UserData
- CertGetCertificateChain
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- AdditionalStore
- Certificate
[ fileRef] 691847ADD248AEB8579462249B063A1555716B21.cer
[ subjectName] SubCA
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- Certificate
[ fileRef] 0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer
[ subjectName] RootCA
ExtendedKeyUsage
- Flags
[ value] 0
- ChainEngineInfo
[ context] user
- AdditionalInfo
- NetworkConnectivityStatus
[ value] 1
[ _SENSAPI_NETWORK_ALIVE_LAN] true
- CertificateChain
[ chainRef] {0B005F9F-F15B-4FE2-A630-7BBEE6AB5C0A}
- TrustStatus
- ErrorStatus
[ value] 8
[ CERT_TRUST_IS_NOT_SIGNATURE_VALID] true
- InfoStatus
[ value] 0
- ChainElement
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.11
[ hashName] SHA256
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 8
[ CERT_TRUST_IS_NOT_SIGNATURE_VALID] true
- InfoStatus
[ value] 4
[ CERT_TRUST_HAS_NAME_MATCH_ISSUER] true
- ApplicationUsage
- Usage
[ oid] 1.3.6.1.5.5.7.3.1
[ name] Server Authentication
- Usage
[ oid] 1.3.6.1.5.5.7.3.2
[ name] Client Authentication
- Usage
[ oid] 1.3.6.1.4.1.311.20.2.2
[ name] Smart Card Logon
IssuanceUsage
- ChainElement
- Certificate
[ fileRef] 691847ADD248AEB8579462249B063A1555716B21.cer
[ subjectName] SubCA
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.5
[ hashName] SHA1
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 0
- InfoStatus
[ value] 101
[ CERT_TRUST_HAS_EXACT_MATCH_ISSUER] true
[ CERT_TRUST_HAS_PREFERRED_ISSUER] true
- ApplicationUsage
[ any] true
IssuanceUsage
- ChainElement
- Certificate
[ fileRef] 0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer
[ subjectName] RootCA
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.5
[ hashName] SHA1
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 0
- InfoStatus
[ value] 10C
[ CERT_TRUST_HAS_NAME_MATCH_ISSUER] true
[ CERT_TRUST_IS_SELF_SIGNED] true
[ CERT_TRUST_HAS_PREFERRED_ISSUER] true
- ApplicationUsage
[ any] true
- IssuanceUsage
[ any] true
- EventAuxInfo
[ ProcessName] certreq.exe
[ startTime] 2014-06-13T09:32:53.369Z
[ endTime] 2014-06-13T09:33:02.604Z
[ duration] PT9.232850S
- CorrelationAuxInfo
[ TaskId] {A8DC7725-FEE9-4E09-905A-FEFF7FAE9B8B}
[ SeqNumber] 27
- Result The signature of the certificate cannot be verified.
[ value] 80096004
Any idea what the problem is?
Thanks in advance,
Davide.
One common reason for that error is that the wrong SubCA certificate had been imported accidentally - e.g. an earlier 'version' of that SubCA with the same Subject CA name but a different key. In this case the validating client will try to build a chain based on name only but finally the signature check fails.
Could you cross-check if the extension Authority Key Identifier in your DC certificate is the same as the field Subject Key Identifier of the SubCA certificate? (These are typically hashes of the keys though it is not standardized - it should be a unique string characteristic for the CA)
For the client cert. CERT_TRUST_HAS_NAME_MATCH_ISSUER is indicated in your log - thus Issuer name in client cert. matches Subject Name in CA cert, but we don't know about SKI/AKI.
Elke -
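The AKI/SKI cross-check suggested in the reply above can be scripted; this is an added example, not code from the thread. The function names and the `.cer` file names in the usage comment are assumptions, and both certificates are expected to be exported to files first.

```powershell
# Added example (not from the thread). Compares the Authority Key Identifier
# (AKI, OID 2.5.29.35) of a certificate with the Subject Key Identifier
# (SKI, OID 2.5.29.14) of the CA certificate that is supposed to have issued it.

function Get-DerLength {
    # Decode a DER length field at $Offset (short or long form).
    # Returns the content length and the offset where the content starts.
    param([byte[]]$Bytes, [int]$Offset)
    $first = [int]$Bytes[$Offset]
    if ($first -lt 0x80) {
        return @{ Length = $first; Next = $Offset + 1 }
    }
    $count = $first -band 0x7F
    $len = 0
    for ($i = 1; $i -le $count; $i++) {
        $len = ($len * 256) + [int]$Bytes[$Offset + $i]
    }
    return @{ Length = $len; Next = $Offset + 1 + $count }
}

function Get-KeyIdHex {
    # Return the key identifier held in the given extension as upper-case hex,
    # or $null when the extension (or its keyIdentifier field) is absent.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return $null }
    [byte[]]$raw = $ext.RawData
    $pos = 0
    if ($Oid -eq '2.5.29.35') {
        # AKI ::= SEQUENCE { keyIdentifier [0] OCTET STRING OPTIONAL, ... }
        if ($raw[0] -ne 0x30) { throw 'Unexpected AKI encoding' }
        $seq = Get-DerLength -Bytes $raw -Offset 1
        $pos = $seq.Next
        # The AKI may carry only issuer name + serial and no keyIdentifier.
        if ($seq.Length -eq 0 -or $raw[$pos] -ne 0x80) { return $null }
    }
    elseif ($raw[0] -ne 0x04) {
        # SKI ::= OCTET STRING
        throw 'Unexpected SKI encoding'
    }
    $id = Get-DerLength -Bytes $raw -Offset ($pos + 1)
    if ($id.Length -eq 0) { return $null }
    [byte[]]$keyId = $raw[$id.Next..($id.Next + $id.Length - 1)]
    return ([System.BitConverter]::ToString($keyId) -replace '-', '')
}

function Test-IssuerKeyMatch {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,
        [Parameter(Mandatory = $true)][string]$IssuerPath
    )
    $certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $cert   = New-Object $certType -ArgumentList (Resolve-Path $CertPath).ProviderPath
    $issuer = New-Object $certType -ArgumentList (Resolve-Path $IssuerPath).ProviderPath

    $aki = Get-KeyIdHex -Cert $cert   -Oid '2.5.29.35'
    $ski = Get-KeyIdHex -Cert $issuer -Oid '2.5.29.14'

    [pscustomobject]@{
        Subject    = $cert.Subject
        IssuerName = $cert.Issuer
        CaSubject  = $issuer.Subject
        # Name comparison uses the distinguished names as .NET displays them.
        NameMatch  = ($cert.Issuer -eq $issuer.Subject)
        CertAKI    = $aki
        CaSKI      = $ski
        KeyIdMatch = [bool]($aki -and $ski -and ($aki -eq $ski))
    }
}

# Usage (placeholder file names):
#   Test-IssuerKeyMatch -CertPath .\dc-cert.cer -IssuerPath .\subca.cer | Format-List
```

`NameMatch` true with `KeyIdMatch` false is the situation the reply describes: a CA certificate with the right subject name but a different key.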
HI
we have a sharepoint farm and in domain controller server, this error is in event viewer
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 9/15/2014 10:44:15 PM
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXXAPP01.xxxportal.com
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/XXXWFE01.xxxportal.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
this from occuring remove the duplicate entries for HTTP/XXXWFE01.xxxportal.com in Active Directory.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
<EventID Qualifiers="49152">11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-09-15T19:44:15.000000000Z" />
<EventRecordID>131824</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>XXXAPP01.xxxportal.com</Computer>
<Security />
</System>
<EventData>
<Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
<Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
<Binary>
</Binary>
</EventData>
</Event>
adil
Hi adil,
Service principal names (SPNs) are stored as a property of the associated account object in Active Directory Domain Services (AD DS). I noticed that you have used setspn -X to identify the duplicate SPN. Please refer to the following articles and check if they help you to solve this issue.
Event ID 11 — Service Principal Name Configuration
Event ID 11 in the System log of domain controllers
Please also refer to the following article and check if it can help you.
The problem with duplicate SPNs
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
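To go from the KDC Event ID 11 record shown above to the accounts that hold the duplicated SPN, the event's `Name` field can be fed into a directory search. This is an added example, not code from the thread; the function names are assumptions, and the search covers only the current domain.

```powershell
# Added example (not from the thread). Assumes it runs on, or is pointed at,
# a domain controller that logged KDC Event ID 11, under an account that can
# read the System log and query the directory.

function Get-KdcDuplicateSpnName {
    # Collect the distinct SPNs reported by KDC Event ID 11.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 100)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 11
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData carries <Data Name="Name">HTTP/host.domain</Data>
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'Name' }).'#text'
        } |
        Sort-Object -Unique
}

function Find-SpnHolder {
    # List every object in the current domain whose servicePrincipalName
    # attribute contains the given SPN.
    param([Parameter(Mandatory = $true)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515); backslash first.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = "(servicePrincipalName=$escaped)"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('distinguishedName', 'sAMAccountName', 'objectClass'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # objectClass is multi-valued; the last value is the most specific.
            $classes = @($r.Properties['objectclass'])
            [pscustomobject]@{
                Spn               = $Spn
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                ObjectClass       = [string]$classes[$classes.Count - 1]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

function Get-DuplicateSpnReport {
    # For each SPN the KDC complained about, show the accounts holding it.
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($spn in Get-KdcDuplicateSpnName -ComputerName $ComputerName) {
        $holders = @(Find-SpnHolder -Spn $spn)
        if ($holders.Count -gt 1) {
            $holders
        }
        else {
            Write-Warning "$spn is held by $($holders.Count) object(s) in this domain; check other domains in the forest."
        }
    }
}

# Usage:
#   Get-DuplicateSpnReport | Format-Table -AutoSize
```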
Cant figure out the IP address of the domain controller
I just started at a new company and would like to change my domain password but cannot because I can't communicate with the domain controller. I can see it when I do a net view, but I cannot ping it because my DNS server is set to the local router IP address rather than the DC IP address and the name simply won't resolve.
I suspect if I manually change my DNS server to point to the IP of the DC, my problem will go away. I asked the local IT guy and he says 'nobody has ever asked to change their domain password before' ???!?!?!????? nor does he have any idea about the IP and he would have to submit a ticket to the overseas IT desk (where the DC physically resides) and they would change my password manually.
Any ideas?
Robr2,
I agree with others about the ONLY DNS that must be set on ALL machines is ONLY the DC's IP address. That's it. Not the router, or the ISP's DNS. This is one of the most common configuration errors that will cause MAJOR problems with DC to client communications.
Here's a full explanation with a great analogy:
Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
Published by Ace Fekay, MCT, MVP DS on Aug 17, 2009 at 7:35 PM
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This post is provided AS-IS with no warranties or guarantees and confers no rights. -
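Whether a client's configured DNS servers can actually answer the domain controller locator query can be checked per server; this is an added example, not code from the thread. It assumes the DnsClient cmdlets of Windows 8 / Server 2012 or later, and the function name and the default of `$env:USERDNSDOMAIN` for the AD DNS domain name are assumptions.

```powershell
# Added example (not from the thread). For every DNS server configured on this
# machine, ask for the DC locator SRV record of the AD domain and report
# whether that server can return any domain controller.

function Test-DcLocatorDns {
    param([string]$DomainDnsName = $env:USERDNSDOMAIN)

    if (-not $DomainDnsName) {
        throw 'Pass -DomainDnsName (the DNS name of the AD domain).'
    }
    $query = "_ldap._tcp.dc._msdcs.$DomainDnsName"

    # One row per (interface, DNS server) pair configured for IPv4.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            foreach ($addr in $_.ServerAddresses) {
                [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $addr }
            }
        }

    foreach ($s in $servers) {
        # -DnsOnly keeps LLMNR/NetBIOS out of the result; -Server bypasses
        # the resolver's own server ordering so each server is tested alone.
        $answer = Resolve-DnsName -Name $query -Type SRV -Server $s.Server `
                                  -DnsOnly -ErrorAction SilentlyContinue
        $targets = @($answer |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget })

        [pscustomobject]@{
            Interface         = $s.Interface
            DnsServer         = $s.Server
            Query             = $query
            CanLocateDc       = ($targets.Count -gt 0)
            DomainControllers = ($targets -join ', ')
        }
    }
}

# Usage (placeholder domain name):
#   Test-DcLocatorDns -DomainDnsName corp.example.com | Format-Table -AutoSize
```

A configured server that returns `CanLocateDc = False`, such as a router or ISP resolver that does not host the AD zone, is the misconfiguration the reply warns about.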
Hi
We are migrating from old domain to new domain. Before live migration, we are trying to check the ACE/ACL migration through SubInACL. We are running the SubInACL on a cluster, which is a member of the Old Domain (Test Domain). We are able to resolve and ping both Old Domain and the New domain from this cluster machine. We have created a network share on this cluster, which is accessible to all Domain Users of the Old Domain. Both Domains have two way forest level trust. We are trying to migrate the ACL of this share (\\ClusterMachine\testshare$) to the new domain using SubInACL. We are trying to run the below command to get it done.
subinacl /outputlog=C:\Users\Administrator\Desktop\Migrationlog.txt /subdirectories \\ClusterMachine\testshare$\*.* /migratetodomain=OldDomain=NewDomain=mappingfile.txt
Mapping file contains : Domain Users=NewDomain_Users
But we are getting the Error that "1210 could not find a domain controller for domain "Test Domain". Error finding domain name : 1210 the format of the specified computer name is invalid. Current Object "\\ClusterMachine\testshare$" will not be processed."
Hello,
how in detail is DNS set up in each domain?
Any problems when using nslookup to verify?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
An associate and myself installed the built-in drivers for the HP OfficeJet Pro 8600 Plus multi-function (network) printer on a Windows Server 2012 Standard server installation and everything worked fine whenever I want to print anything directly from the Windows Server machine (there's a reason for this, so please understand that ;) ).
We were able to print without any problems from the Windows Server 2012 machine, using the drivers from Microsoft. Mainly, because HP has not listed any specific support for Windows Server 2012, only Windows Server 2008 R2, however, the drivers that came with Windows 2012 seem to work very well.
PROBLEM: I later had to promote the Windows Server 2012 to a Domain Controller, and created the Active Directory configurations, even enabled the Print Services. After doing all of that, the HP printer will not print anything. It's like all print requests directly from the Windows Server go to Nil.
Has anyone encountered a problem like this before? The only thing I can think of is that after perhaps something affected printing directly once we promoted the server to being a DC, and added other features / roles. I even tried installing the HP drivers for Windows Server 2008 R2, and the results are still the same...nothing prints. Trust me, the printer is set as the Default Printer and even when choosing to print, we make sure the HP OfficeJet Pro is selected, and is on, as other Windows Client PC's can print to it directly.
Does anyone have any suggestions we could try? Thanks in advance.
While it is quite a while since this was posted - I can concur a similar issue exists.
We have spent the better part of a day trying to work out why other HP printers work fine but our 8620 prints are not printing and going to Nil. The print server is hosted on a shared DC. Comparing to the initial poster's details, for some reason it seems to be most commonly related to the OfficeJet Pro 8600/8610/8620/8630 series printers.
I ended up doing a print server migration from the domain controller to stand alone host and all printers now work from a single server rather than a mix. Domain controller OSes varied from 2008, 2012, 2012 R2 (tested with multiple) and only after all of those failed then tried a stand alone server os machine as a last resort which worked fine. Printing directly from Win 7 / 8 /8.1 clients to the IP always worked. -
DirectAccess Server 2012 Configuration cannot be retrieved from domain controller
Hi everyone,
We are using DirectAccess over Server 2012. There is just one server, no load balancing.
Everything works fine, all clients can connect successfully and operations status page shows all in green. Nevertheless on the dashboard page in the configuration status section it says “Configuration for server [servername] cannot be retrieved from the domain controller.”
I found a few hints what could cause this problem:
"In my case, the RAConfigTask, a scheduled task, was not enabled on the affected WS2012 server (DA entry point in a multisite deployment). After just enabling it, the errors has gone."
http://blog.gocloud-security.ch/2013/01/11/ws2012-directaccess-and-the-configuration-for-server-server-name-retrieved-from-the-domain-controller-cannot-be-applied-error/
"Group Policy was filtering out my DA server from the GPO object for some reason. To fix, I opened up Group Policy Management on the domain controller and made sure that my DA server was a part of the group."
http://www.joedissmeyer.com/2012/12/more-issues-and-solutions-for.html
Server has no connectivity to the domain in order to update the policies. Run “gpupdate /force” on the server to force policy update. GPO replication might be required in order to retrieve the updated configuration.
This could be because there is no writable domain controller in the Active Directory site of the Remote Access server.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/56fedb17-1274-4e1a-b2d0-fea809f0bc45
I checked everything. Task is enabled and completed successfully, GPO is not filtered out, run gpupdate without any errors, could connect to domain controller, no errors on domain controller, domain controller is writable.
So, I have no idea what could cause this error. Any ideas or hints?
Thanks
Regards
Sebastian
I have the exact same problem. I figured out that there was a problem with the logon as a service
secpol.msc --> Local Policies --> User Rights Assignment, Logon as a service I have NT Service\All Services
I can access the group policy via the console just fine, I have no connectivity issues whatsoever.
I decided to open a call with Microsoft, their suggestion .... we don't know, reinstall. So I did and here we are, same problem and no solution. It is getting frustrating... -
DFSR failed to contact domain controller
I'm having an odd problem with DFSR group we created to replicate web content between two of our web servers.
In event viewer we have this event 1202 for DFSR.
"The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)"
In the DFSR logs I see this.
20140303 12:18:27.874 1404 CFAD 8300 Config::AdConfig::GetLocalComputerNameWithDns Computer's fully-qualified DNS name: DFSRSERVER.domain.tld
20140303 12:18:27.920 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
20140303 12:18:27.936 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
20140303 12:18:28.467 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
20140303 12:18:28.467 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
20140303 12:18:28.514 1404 SCFS 150 [WARN] ServiceConfig::DsPollIsDue Failed to enable lightweight polling. Error:
+ [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
20140303 12:18:28.514 1404 CREG 1419 Config::RegReader::IsSysVolCommitFlagSet key: System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Demoting SysVols valueName:'SysVol Information is Committed' result:0
20140303 12:18:28.514 1404 W2CH 266 ConfigurationHelper::PollAdConfigNow Trying to connect to AD
20140303 12:18:28.514 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
20140303 12:18:28.514 1404 EVNT 1194 EventLog::Report Logging eventId:1202 parameterCount:4
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter1:
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter2:60
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter3:160
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter4:One or more arguments are not correct.
20140303 12:18:28.530 1404 W2CH 318 [ERROR] ConfigurationHelper::PollAdConfigNow (Ignored) Failed to connect to AD. Error:
+ [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
When I run "dfsrdiag pollad":
[ERROR] PollDsNow method executed unsuccessfully. ReturnValue: 12 (0xc)
[ERROR] Failed to execute PollAD command Err: -2147217407 (0x80041001)
However I can run "dfsrdiag dumpadcfg" and it outputs everything fine.
We don't have any other problems with AD. It seems like this started after we installed KB2467173 & KB2538242. We are going to uninstall those and see if it works.
I can successfully run "dfsrdiag.exe dumpadcfg" and it outputs the entire config. Why does "dfsrdiag pollad" fail then if the config can be read?
Why did it work before I rebooted the server? In both cases it broke after rebooting.
PS C:\Windows\system32> dfsrdiag dumpadcfg
Operation Succeeded -
The processing of Group Policy failed because of lack of network connectivity to a domain controller
We are setting up a new AD environment with one AD/DC running DNS services, and a secondary DNS server configured with secondary zone. The problem is that none of the machines in the domain are getting GPO.
When I run a gpupdate /force from a machine, I get the following output:
"Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."
While the system event log outputs the following:
"The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator."
All the machines that were joined to the domain are able to resolve in forward and reverse lookups, ping the DC and ping each other so I don't understand how the error can be resolved.
Here are few things I have tried:
1. I came across this KB which checked ok for me: http://support.microsoft.com/kb/241515
2. Made a copy of the default GPO, applied to a OU with one machine, and made sure to remove any GPO links from above
3. Enabled the following two local Group policies on a test member:
GP slow link detection
Startup policy processing wait time
4. Modified firewall to allow everything on both member and DC
5. Verified DNS logs, SRV records, access to sysvol (added authenticated users to sysvol)
I have yet to figure out the reason for this issue. Has anyone seen anything like this before?
1. I checked the NIC, it only has one IP, and I followed your article. I set the primary DNS to its own IP and the secondary DNS to the loopback IP
2. This is a new DC and DNS server. I don't have old records yet. I also checked the DNS event logs. No errors
3. I made sure the member server is pointing only to the only DC/DNS server
4. Here is the output from the dcdiag.... everything passed except the Netlogons part. I'm not sure what it means or how to fix it yet:
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this
computer
"* from network" right.
[hostname] An net use or LsaPolicy operation failed with error
1, Incorrect function..
......................... hostname failed test NetLogons
Complete output:
> hostname
Server: hostname.domain.local
Address: X.X.X.95
> ^C
C:\Windows\system32>
C:\Windows\system32>nslookup
> set type=all
>
>
>
> _ldap._tcp.dc._msdcs.domainname
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = hostname.domain.local
hostname.domain.local internet address = X.X.X.95
> ^C
C:\Windows\system32>cd ..
C:\Windows>cd SYSVOL
C:\Windows\SYSVOL>cd sysvol
C:\Windows\SYSVOL\sysvol>dir
Volume in drive C has no label.
Volume Serial Number is F624-CDB2
Directory of C:\Windows\SYSVOL\sysvol
10/29/2014 08:25 PM <DIR> .
10/29/2014 08:25 PM <DIR> ..
10/29/2014 08:25 PM <JUNCTION> domain.local [C:\Windows\SYSVOL\domain]
0 File(s) 0 bytes
3 Dir(s) 63,971,037,184 bytes free
C:\Windows\SYSVOL\sysvol>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = hostname
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\hostname
Starting test: Connectivity
......................... hostname passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\hostname
Starting test: Advertising
......................... hostname passed test Advertising
Starting test: FrsEvent
......................... hostname passed test FrsEvent
Starting test: DFSREvent
......................... hostname passed test DFSREvent
Starting test: SysVolCheck
......................... hostname passed test SysVolCheck
Starting test: KccEvent
......................... hostname passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... hostname passed test
KnowsOfRoleHolders
Starting test: MachineAccount
......................... hostname passed test MachineAccount
Starting test: NCSecDesc
......................... hostname passed test NCSecDesc
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this
computer
"* from network" right.
[hostname] An net use or LsaPolicy operation failed with error
1, Incorrect function..
......................... hostname failed test NetLogons
Starting test: ObjectsReplicated
......................... hostname passed test
ObjectsReplicated
Starting test: Replications
......................... hostname passed test Replications
Starting test: RidManager
......................... hostname passed test RidManager
Starting test: Services
......................... hostname passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/04/2015 18:23:06
Event String:
Name resolution for the name ctldl.windowsupdate.com timed out after
none of the configured DNS servers responded.
......................... hostname passed test SystemLog
Starting test: VerifyReferences
......................... hostname passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : emcdsm
Starting test: CheckSDRefDom
......................... emcdsm passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... emcdsm passed test CrossRefValidation
Running enterprise tests on : domain.local
Starting test: LocatorCheck
......................... domain.local passed test LocatorCheck
Starting test: Intersite
......................... domain.local passed test Intersite
C:\Windows\SYSVOL\sysvol>
-
Domain controller 2008 Server with SP2
Here is a real issue where I cannot track down what is causing it.
It appears that in Windows 2008 Server running DHCP, DNS and AD I am getting some weird errors on the clients.
The client machines are all Windows 7 Professional x64.
The issue is that the domain controller seems to disappear as the logon server from the client after a few days. On some it indicates that there was no logon server available, but still logs in, which should be impossible since I have group policy configured to block the ability to log on without a logon server.
The issue with this is that over time the desktops seem to go rogue: they no longer populate the information as to password expiration, and at times don't allow the clients to access the network shares.
The security log shows hit and miss as to whether it sees them log into the domain.
The weird issue is that if you log out, switch user, and change the user's password, then log back into the desktop with domain\username and a new password, the issue goes away for about 10 days, then reappears and causes all sorts of fun issues on the domain.
I took another step and decided that I would give a shot to building a clone test network, using a cloned image of the domain controller, and it doesn't seem to happen on that side. The test network just has fewer PCs, but they are all the same hardware.
Here is what I have troubleshot so far:
DNS looks fine, no errors or issues.
DHCP looks fine, no duplicates etc.
AD has all the information correctly, and the security log looks fine, most of the time.
Windows updates are all up to date.
All desktops have logon scripts, but I have removed the cached data from the management console (Cred manager).
Modified group policy and forced it across the network. Can see the GPResult from the clients and they have the updated settings, but the clients don't seem to care.
Group policy is set to wait till the network comes up and require a domain controller to log into the client desktop. This sometimes works, sometimes does not. It was done to see if the problem was happening on other machines; there are about 15 total out of 47 currently having the issue.
All the desktops are fresh installs, not ghosted images, not clones, or something you would need to sysprep.
Thoughts?
Rob
Hello,
please post an unedited ipconfig /all from the DC/DNS servers and a client with the problems.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.