Solved

Lots of random Active Directory issues

Posted on 2012-08-21
Last Modified: 2012-09-07
I am migrating my 03 domain to 08.  Have decommissioned one of the 03 boxes, have one left.  At the site that no longer has the 03 domain and does have the 08 domain I have several users that have strange issues

Will come back from lunch (after screen locks) and their account will be locked out, no other devices are trying to login as them (like from a phone etc).  The account will sometimes only show it's locked out on one DC (local) but not the other.

User will be unable to change their password - it says it does not meet the complexity requirements, but it does - I've tried multiple passwords and the same passwords as others that work fine - but still says that.  I CAN change it to these same passwords directly in ADUC, but NOT from their workstation.  Looked in event viewer locally and on the domain she is on (did a gpresult /R to see what DC she was connected to), didn't see anything strange.

One user could not get in to her PC at all - not trusted by domain.  I joined workgroup, then back to domain and then she could login.  3 hours later it seemed to happen again but I looked and her account was locked - so unlocking it she could then get back in.  I looked in ADUC and searched her PC name, didn't find it at all.  Looked a few hours later, it was in the correct OU where it should be.
 
Randomly their desktop shortcuts disappear (not too concerned with this yet, still troubleshooting it)

Obviously there are some replication issues going on - let me know what tests to run and I can post the results here.  Everything I have looked at seems to be "ok".
0
Question by:rhwimmers
29 Comments
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38317923
dcdiag /v

repadmin /showrepl

Post those results from your DC's as text files (remove any sensitive information) and we can try to figure out what's going on.
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38317985
Another thing that has happened a few times doing certain things...
Went to add telnet as a feature (hate that it's disabled by default in 08!) - says the specified domain either does not exist or could not be contacted - I click choose a different DC, I then select the "DC with the operations master token for the pdc emulator", same issue, I try any available DC, same thing, then try any available DC again - then it works...  This is ON one of the 08 DCs!
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38317993
Sounds like a DNS issue.  Once we have the logs we can go from there.

Is your primary DNS on the DC's bound to 127.0.0.1 and the secondary bound to the other DNS server?
0
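An added PowerShell check for the DNS client question above (example code written for this page, not something posted in the thread). It lists the DNS servers configured on each IP-enabled adapter of the DC it runs on, warns when the first entry is not 127.0.0.1 or the second is not the expected partner DC, and then asks every configured server for the domain's DC locator SRV record so a decommissioned DC that is still listed shows up as a non-answer. `$partnerDns` is an assumed placeholder, and the match on `svr hostname` is an assumption about nslookup's output text.

```powershell
# Added example, not from the thread. Runs on Server 2003/2008 without the
# DnsClient or ActiveDirectory modules (WMI + nslookup only).
$partnerDns = '192.0.2.2'                 # ASSUMPTION: address of the other live DC
$domain     = $env:USERDNSDOMAIN          # e.g. domainname.local
$srvRecord  = "_ldap._tcp.dc._msdcs.$domain"

# Returns $true when the given DNS server answers the DC locator SRV query.
# The match on 'svr hostname' is an assumption about nslookup's output text.
function Test-DcSrvAnswer([string]$server) {
    $out = & nslookup -timeout=3 -type=SRV $srvRecord $server 2>&1 | Out-String
    return ($out -match 'svr hostname')
}

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $adapters) {
    $servers = @($nic.DNSServerSearchOrder)
    Write-Host ("{0}: {1}" -f $nic.Description, ($servers -join ', '))

    if ($servers.Count -eq 0) {
        Write-Warning "  no DNS servers configured on this adapter"
        continue
    }
    if ($servers[0] -ne '127.0.0.1') {
        Write-Warning "  primary DNS is $($servers[0]); a DC that runs DNS should list 127.0.0.1 first"
    }
    if ($servers.Count -lt 2) {
        Write-Warning "  no secondary DNS server; add the partner DC as secondary"
    } elseif ($servers[1] -ne $partnerDns) {
        Write-Warning "  secondary DNS is $($servers[1]), expected $partnerDns"
    }

    # Query each listed server directly. A server that does not answer is
    # either unreachable or no longer a DNS server (the thread's dead DC).
    foreach ($s in $servers) {
        if (Test-DcSrvAnswer $s) {
            Write-Host "  $s answers $srvRecord"
        } else {
            Write-Warning "  $s did not return $srvRecord - check it is a live DC running DNS"
        }
    }
}
```

Run it on each DC in turn; the per-server SRV query is what catches the case later in the thread, where a DC still listed a decommissioned DC as its secondary resolver.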
 
LVL 1

Author Comment

by:rhwimmers
ID: 38318024
Attached.

SiteA (main site) - has sbdc01 (03 server, ready to be demoted, need to move dns/dhcp off first), also has mbidc01 a new 08 server that is running dns and AD etc)

siteb connected via p2p T1 has sbdc02 (03 server decommissioned, probably wont see anything about it) and mbidc02 new 08 server running AD/DNS/DHCP etc)
dcdiag.txt
repl.txt
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38318041
Also, mbiwarehouse is another 08 server at a 3rd location connected via VPN - its doing ad/dns/dhcp.  There has been 0 issues with this site.
ALL DCs are doing DFS for shared folders/folder redirection etc.
SiteB (where the 03 box was decommissioned) is the only site having these issues, which is why I have not dcpromo sbdc01 yet - not a stable environment..
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38318081
Well either I'm going crazy, or someone else changed this as I remember doing it.

mbidc01 was set primary to sbdc01 and secondary to the dead dc!
Changing this to 127.0.0.1 as primary and mbidc02 as secondary (will do the same on mbidc02 if not done already)
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38318096
Ok, your replication is setup on MBIDC01 to only replicate from SBDC01 and not any of the other DC's.  You should go into Active Directory Sites and Services and configure the domain controller to have connectors to the other DC's.

You're getting this in the DCDiag logs:

        REPLICATION-RECEIVED LATENCY WARNING
         MBIDC01:  Current time is 2012-08-21 15:56:14.
            CN=Schema,CN=Configuration,DC=domainname,DC=local
               Last replication received from MBIDC02 at
          2012-04-18 17:39:09
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!


You're not replicating DNS to this domain controller.  After you setup additional connectors in Sites and Services, if the above error does not go away (give it 30 min to an hour) then you may have to change your DNS Zone <DomainName> on the server MBIDC01 to be NOT Active Directory integrated.  Set it to Primary, and have it grab zone updates from the other DC's and then Active Directory integrate it again.

You've also got this:


         * Security Permissions Check for
           CN=Configuration,DC=domainname,DC=local
            (Configuration,Version 3)


I don't have an answer for this off the top of my head.  But it's a security setting where the Enterprise Domain Controllers group doesn't have access to that directory partition.  Which is bad.  If you've disabled the default Domain Controllers GPO, this might be causing it.  Or it could be a replication issue (which should be fixed with the above steps) or it could be something has changed where the Enterprise Domain Controllers group has been stripped of rights.  If the above steps for resolving replication/DNS don't work we can dig deeper into this one.  For now, let's hope that replication takes care of it.
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38318118
"You should go into Active Directory Sites and Services and configure the domain controller to have connectors to the other DC's."

So go to ADSS, go to sites, then SITEA, then servers, then on the right I just see mbidc01 and sbdc01, right click new server and add mbidc02?  Then do the same for SITEB and SITEC?
Noting that SiteC only has one server listed (mbiwarehouse), yet they have not had any issues at all.
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38318134
Right.  You want to make sure there is a connector from each domain controller in a 1:1 scenario.  I apologize but I'm getting lost with the names  :-)  I'm going to speak in generics.

DC1 -> Connector to DC2
           Connector to DC3

DC2 ->  Connector to DC1
            Connector to DC3

DC3 ->  Connector to DC1
             Connector to DC2

There are valid reasons not to do this.  Mainly cost of replicating over a slow site to site WAN connection, security reasons, if you have a site that has RODC's only and don't want to replicate to all of them etc etc.  In your scenario, you can probably exclude the SiteC site.
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38318461
Got it - so click the server then click ntds settings then right click and new-connection.  The one that is in there is <automatically generated> but then one I added has the server name.  Why didn't these "auto generate"?
Under SiteB, servers, mbidc02 there were NO connections under ntds settings - shouldn't there be one that <auto generated>?

Now that these are complete - aside from not getting calls how can I tell if things are "healthy"  In doing some of the connection tests from ntdsutil a while back it seemed everything was "healthy"...
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38320390
kk...it's been a few hours so now it should have replicated.  So you can run the command:

repadmin /showrepl

from the command line.  What you're looking for is that each connection was successful and the Last Attempt was done around the same time frame.  If you have any errors then we'll need to look at dcdiag /v again to see what's wrong.
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38320411
Why didnt these "auto generate"?

DNS, replication issues on the other DC's, lag across a slow WAN, firewall issues....lots of reasons.  You'll probably see them show up now that replication should be working.  

Under SiteB, servers, mbidc02 there were NO connections under ntds settings - shouldnt there be one that <auto generated>?
Yes there should have been, which is why you're having such intermittent issues.  It's an island right now and not providing all services to the domain.  You added a computer to the domain, but it wasn't replicated to this DC.  The computer attempts to connect to this DC and you got the "Computer not trusted" error.

In doing some of the connection tests from ntdsutil a while back it seemed everything was "healthy"...

NTDSUtil is a tool but not overly great for getting information.  Best tools in your belt for any Active Directory issues are dcdiag and repadmin.  DCDiag gives you a quick overview of what's wrong, the /v switch is verbose and gives a lot of details.  There are other switches but you can run dcdiag periodically just to check what's up with the DC's.  The second tool repadmin shows the status of replication from the domain controller you are on to the other DC's in the forest.  You need to run this on ALL DC's to get a clear picture if replication is working.  Replication can work one way, but may break the other way.  

By using those two tools you should get a quick idea of what's happening with your DC's.  They are not the be-all-and-end-all of tools, but they do help to show you where to look when things aren't working quite right.

Hope that helps!
0
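The two expert comments above recommend checking `repadmin /showrepl` on every DC for successful connections with recent Last Attempt times. The following PowerShell script is an added example for this page (not code from the thread) that automates that read: it runs repadmin in CSV mode against all DCs, flags links with failures, links whose last success is stale, and links past the 60-day tombstone lifetime quoted in the dcdiag warning earlier in the thread. The CSV column names and the `yyyy-MM-dd HH:mm:ss` timestamp format are assumptions about Server 2008 repadmin output; the status-code hints are well-known Windows error codes (1396 is the one the thread later hits), not taken from the thread.

```powershell
# Added example, not from the thread. The '*' makes repadmin contact every
# DC, which matters because replication can work one way and fail the other.
$staleHours    = 24   # ASSUMPTION: anything older than this is worth a look
$tombstoneDays = 60   # default tombstone lifetime, as in the dcdiag warning quoted above

# Well-known status codes seen in repadmin output and the usual first thing
# to check for each (not taken from the thread, except that 1396 is its error).
$knownStatus = @{
    5    = 'Access denied: DC computer account, time skew or Kerberos problem'
    1396 = 'Target account name is incorrect: SPN / computer-account mismatch'
    1722 = 'RPC server unavailable: DNS, firewall or the partner is down'
    8453 = 'Replication access denied: check Enterprise Domain Controllers rights on the partition'
    8606 = 'Insufficient attributes (lingering objects): partner holds an object this DC has deleted'
    8614 = 'Last replication older than the tombstone lifetime: partner must be cleaned up or re-promoted'
}

$rows    = repadmin /showrepl * /csv | ConvertFrom-Csv
$now     = Get-Date
$culture = [Globalization.CultureInfo]::InvariantCulture

foreach ($r in $rows) {
    $link = "{0} <- {1} [{2}]" -f $r.'Destination DSA', $r.'Source DSA', $r.'Naming Context'

    # Failures on this inbound link, with a hint for the last status code.
    $failures = 0
    [void][int]::TryParse($r.'Number of Failures', [ref]$failures)
    if ($failures -gt 0) {
        $code = 0
        [void][int]::TryParse($r.'Last Failure Status', [ref]$code)
        $hint = if ($knownStatus.ContainsKey($code)) { $knownStatus[$code] } else { 'see repadmin /showrepl /errorsonly' }
        Write-Warning ("{0}: {1} failure(s), last status {2} at {3} - {4}" -f $link, $failures, $code, $r.'Last Failure Time', $hint)
    }

    # Age of the last successful replication on this link.
    $last = [datetime]::MinValue
    if ([datetime]::TryParseExact($r.'Last Success Time', 'yyyy-MM-dd HH:mm:ss', $culture, 'None', [ref]$last)) {
        $age = $now - $last
        if ($age.TotalDays -ge $tombstoneDays) {
            Write-Warning ("{0}: last success {1:yyyy-MM-dd} is past the {2}-day tombstone lifetime" -f $link, $last, $tombstoneDays)
        } elseif ($age.TotalHours -ge $staleHours) {
            Write-Warning ("{0}: last success {1} is {2:N1} hours old" -f $link, $last, $age.TotalHours)
        } else {
            Write-Host ("{0}: ok, last success {1}" -f $link, $last)
        }
    } else {
        Write-Warning ("{0}: no successful replication recorded (value '{1}')" -f $link, $r.'Last Success Time')
    }
}
```

Because each row is an inbound link as seen by its destination DC, a partner that is replicating out but not in shows up as a warning on one side only, which is the asymmetry the expert describes.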
 
LVL 1

Author Comment

by:rhwimmers
ID: 38324631
Had a call this AM where a user was locked out for some reason.  3 of the 4 DCs had her as "locked out".  After unlocking on all of them and having her reboot she could get back in.  She was typing her password in right when she first walked in this AM so no clue how it got locked.
Attached updated files - did have one failure on repadmin - Last error: 1396 (0x574)
dcdiag.txt
rep.txt
0
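For the recurring lockouts described in this thread, where the account showed as locked on some DCs but not others, the following PowerShell script is an added example for this page (not code from the thread). It reads one account's lockout attributes from every DC individually, so a per-DC disagreement is visible without relying on replication, and then pulls the 4740 lockout events from the PDC emulator's Security log, which record the caller computer name. It uses ADSI and `Get-WinEvent` only, so it runs from a Server 2008 DC without the ActiveDirectory module. The account name and lookback window are assumed placeholders.

```powershell
# Added example, not from the thread. Checks one account's lockout state on
# every DC directly, then reads 4740 lockout events on the PDC emulator.
$samAccountName = 'jdoe'   # ASSUMPTION: account to investigate
$lookbackHours  = 24       # ASSUMPTION: how far back to read the Security log

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

# Per-DC view. lockoutTime is replicated (urgently), so a DC that disagrees
# with the others is a replication symptom; badPwdCount is never replicated,
# so it differs between DCs by design. A non-zero lockoutTime older than the
# lockout duration policy means the lock has already expired.
foreach ($dc in $domain.DomainControllers) {
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($dc.Name)")
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$samAccountName))"
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('lockoutTime', 'badPwdCount', 'badPasswordTime'))
        $res = $searcher.FindOne()
        if ($res -eq $null) {
            Write-Warning ("{0}: account not found (object not replicated to this DC?)" -f $dc.Name)
            continue
        }
        $lockout = [int64]0
        if ($res.Properties['lockouttime'].Count -gt 0) { $lockout = [int64]$res.Properties['lockouttime'][0] }
        $bad = 0
        if ($res.Properties['badpwdcount'].Count -gt 0) { $bad = [int]$res.Properties['badpwdcount'][0] }
        $state = if ($lockout -gt 0) { 'LOCKED since ' + [datetime]::FromFileTimeUtc($lockout).ToLocalTime() } else { 'not locked' }
        Write-Host ("{0}: {1}, badPwdCount={2}" -f $dc.Name, $state, $bad)
    } catch {
        Write-Warning ("{0}: query failed - {1}" -f $dc.Name, $_.Exception.Message)
    }
}

# 4740 is logged on the PDC emulator, which performs the lockout. In this
# event TargetUserName is the locked account and TargetDomainName carries
# the caller computer name, which is what identifies a stale session, a
# phone or another device replaying an old password.
$since  = (Get-Date).AddHours(-$lookbackHours)
$events = @(Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue)
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $samAccountName) {
        Write-Host ("{0}: {1} locked out, caller computer '{2}'" -f $e.TimeCreated, $samAccountName, $data['TargetDomainName'])
    }
}
if ($events.Count -eq 0) { Write-Host "no 4740 events on $pdc in the last $lookbackHours hours (or the log could not be read)" }
```

Reading the attribute from each DC is the point: unlocking the account on three of four DCs, as the author had to, means the DCs did not agree, and this shows which one is behind.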
 
LVL 13

Accepted Solution

by:
xDUCKx earned 2000 total points
ID: 38324789
Destination directory server:  f1ff216e-db02-4cf7-a7f4-49440192fddf._msdcs.domainname.local

Can you open DNS Management, expand the zone YourDomain.local _msdcs.  Locate the GUID above ff1ff... and verify which DC that is pointing to?  Does the DC still exist?  If it doesn't, then remove it from Active Directory Sites and Services and delete the DNS entry.  If it does, then we'll need to run the following command on MBIDC01:

setspn -A E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1ff216e-db02-4cf7-a7f4-49440192fddf/domainname.local@domainname.local f1ff216e-db02-4cf7-a7f4-49440192fddf._msdcs.domainname.local

Replace domainname.local with your domain name.

For the error
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:

Run the steps in this post.  It seems to be a benign error, but we can make it go away:

http://www.stknetwork.com/index.php?option=com_content&view=article&id=139:ad-filterset&catid=39:configuration-examples&Itemid=74

Another option, which might be less work, is to dcpromo this domain controller out of the domain and then dcpromo it back into the domain.  There is a lot broken on it.  We can work thru it step by step to resolve the issues, but a dcpromo will most likely fix all of these issues.
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38325020
That is a valid computer (it's mbidc02) - got this when doing that command

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account f1ff216e-db02-4cf7-a7f4-49440192fddf._msdcs.domainname.local
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38325172
Is DNS running on MBIDC02?  Does it accept NSLookup?

start - Run -cmd

nslookup
>server MBIDC02.domain.local
>www.google.com
>OtherDC.domain.local

Do any of those error out?
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38325576
Yes, yes, no - nslookup works fine.
mbidc02 is set primary dns to 127.0.0.1 and second to mbidc01
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38325590
Also, I have been doing all of these tests from mbidc01, should I do them on mbidc02 as well?
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38325597
Yes, please.  We can get more details with the more DC's that are scanned.
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38325666
attached
dcdiag.txt
rep.txt
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38325691
Is MBIDC02 an RODC?  If that's the case then you need to run:

adprep /rodcprep
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38325773
No, it's not - should be fully functional DC
0
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38325782
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for           DC=DomainDnsZones,DC=domainname,DC=local
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:         DC=DomainDnsZones,DC=domainname,DC=local
         * Security Permissions Check for           DC=ForestDnsZones,DC=domainname,DC=local
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:         DC=ForestDnsZones,DC=domainname,DC=local
         * Security Permissions Check for           CN=Schema,CN=Configuration,DC=domainname,DC=local
            (Schema,Version 3)
         * Security Permissions Check for           CN=Configuration,DC=domainname,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for           DC=domainname,DC=local
            (Domain,Version 3)
         ......................... MBIDC02 failed test NCSecDesc

It thinks it's an RODC.....
0
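The NCSecDesc failures quoted above (and in the accepted solution) report that ENTERPRISE DOMAIN CONTROLLERS lacks a replication right on a naming context. The following PowerShell script is an added example for this page (not code from the thread) that re-runs that permission check with `dsacls` for the partitions dcdiag flagged and reports which of the three replication rights the group holds on each. The domain DN is the thread's placeholder; the regex is a heuristic over the text layout of dsacls output (an ACE line names the trustee and the right follows before the next Allow/Deny line), so treat a "lacks" verdict as a prompt to open the partition's Security tab rather than as proof.

```powershell
# Added example, not from the thread. Checks the replication rights of
# ENTERPRISE DOMAIN CONTROLLERS on each partition dcdiag's NCSecDesc test
# flagged. The thread treats the 'In Filtered Set' error as benign, but
# reporting all three rights shows which ones are actually present.
$domainDn = 'DC=domainname,DC=local'   # placeholder from the thread; replace with your domain
$contexts = @(
    "DC=DomainDnsZones,$domainDn",
    "DC=ForestDnsZones,$domainDn",
    "CN=Schema,CN=Configuration,$domainDn",
    "CN=Configuration,$domainDn",
    $domainDn
)
$trustee = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
$rights  = @(
    'Replicating Directory Changes',
    'Replicating Directory Changes All',
    'Replicating Directory Changes In Filtered Set'
)

# Heuristic match over dsacls text: 'Allow <trustee>' followed by the right
# before any other ACE begins. The negative lookahead on Allow/Deny keeps the
# match inside one ACE; the trailing lookahead stops the plain right from
# matching the longer 'All' / 'In Filtered Set' variants.
function Test-AceRight([string]$acl, [string]$who, [string]$right) {
    $pattern = '(?s)Allow\s+' + [regex]::Escape($who) + '(?:(?!\bAllow\b|\bDeny\b).)*?' +
               [regex]::Escape($right) + '(?![ ]+(All|In Filtered))'
    return [bool]($acl -match $pattern)
}

foreach ($nc in $contexts) {
    $acl = & dsacls $nc 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$nc : dsacls failed (partition not held by this DC, or access denied)"
        continue
    }
    foreach ($right in $rights) {
        if (Test-AceRight $acl $trustee $right) {
            Write-Host "$nc : $trustee has '$right'"
        } else {
            Write-Warning "$nc : $trustee appears to lack '$right'"
        }
    }
}
```

Run it on the DC that failed the test; the same rights should be reported on every DC once replication of the partition security descriptors has caught up.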
 
LVL 1

Author Comment

by:rhwimmers
ID: 38325787
Just went in to ADUC clicked DCs, then opened up mbidc02, under type it says global catalog...  How else can I be sure?
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38331721
Any other thoughts?  If I dcpromo twice, anything special need to be done?
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38335196
Tried to just DCPromo this bi$*@ and got the following:
The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=domainname,DC=local to
Active Directory Domain Controller MBIDC01.domainname.local.

"Logon Failure: The target account name is incorrect."
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38335400
If I do setspn mbidc02 FROM mbidc02 I get:


C:\>setspn mbidc02
Registered ServicePrincipalNames for CN=MBIDC02,OU=Domain Controllers,DC=domainname,DC=local:
        Microsoft Virtual System Migration Service/MBIDC02
        Microsoft Virtual System Migration Service/MBIDC02.domainname.local
        Microsoft Virtual Console Service/MBIDC02
        Microsoft Virtual Console Service/MBIDC02.domainname.local
        DNS/MBIDC02.domainname.local
        HOST/MBIDC02/domainname
        HOST/MBIDC02.domainname.local/domainname
        exchangeAB/MBIDC02
        exchangeAB/MBIDC02.domainname.local
        HOST/MBIDC02.domainname.local/domainname.local
        GC/MBIDC02.domainname.local/domainname.local
        ldap/MBIDC02/domainname
        ldap/f1ff216e-db02-4cf7-a7f4-49440192fddf._msdcs.domainname.local
        ldap/MBIDC02.domainname.local/domainname
        ldap/MBIDC02
        ldap/MBIDC02.domainname.local
        ldap/MBIDC02.domainname.local/DomainDnsZones.domainname.local
        ldap/MBIDC02.domainname.local/ForestDnsZones.domainname.local
        ldap/MBIDC02.domainname.local/domainname.local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1ff216e-db02-4cf7-a7f4-49440192fddf/domainname.local
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MBIDC02.domainname.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MBIDC02.domainname.local
        TERMSRV/MBIDC02
        TERMSRV/MBIDC02.domainname.local
        WSMAN/MBIDC02
        WSMAN/MBIDC02.domainname.local
        RestrictedKrbHost/MBIDC02
        HOST/MBIDC02
        RestrictedKrbHost/MBIDC02.domainname.local
        HOST/MBIDC02.domainname.local

If I do the same from MBIDC01 I only get
C:\>setspn mbidc02
Registered ServicePrincipalNames for CN=MBIDC02,OU=Domain Controllers,DC=domainname,DC=local:
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1ff216e-db02-4cf7-a7f4-49440192fddf/domainname.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MBIDC02.domainname.local
        MSSQLSvc/MBIDC02.domainname.local:52294
        MSSQLSvc/MBIDC02.domainname.local:AVASTSBC
        TERMSRV/MBIDC02
        TERMSRV/MBIDC02.domainname.local
        WSMAN/MBIDC02
        WSMAN/MBIDC02.domainname.local
        RestrictedKrbHost/MBIDC02
        HOST/MBIDC02
        RestrictedKrbHost/MBIDC02.domainname.local
        HOST/MBIDC02.domainname.local
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38335459
Did a setspn that actually took - used command off ms site

in group policy (needed to do it in default domain controllers policy AND default domain policy) go to policies, windows, security, local policies/user right assignment, access this computer from the network - be sure enterprise domain controllers, authenticated users, administrators are all listed.

Somehow under the top domain controllers OU clicking on mbidc02 didn't have the "trust for delegation" box checked...

Going to ADUC then users and then domain controllers "group" then going to members tab it did not show mbidc02, if I tried to add it it acted as if that was not a computer.  Yet above in the top level domain controllers folder (ou) mbidc02 was listed.  After changing the above it was displayed correctly.

I am now getting 2042 and 1925 in event viewer / directory service.  Talking about it cant replicate because of tombstone live of 60 days referencing mbidc02, which is not even 60 days old!
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 38376791
Ended up disjoin from domain and rejoin - problems went away.
thanks microsoft
0
