AD health check

I am having a few issues with an Active Directory health check.

sporadic latency in running some network-dependent programs,
spur-of-the-moment loss and subsequent reconnection of DFS-named connections,
scanning for 3 IPs and getting 56 devices with Angry IP scanner

Anything I should check...

Found some things as follows:

I have four DCs in the environment.

All FSMO roles are on one server -- in Windows 2008, does it matter anymore about having some of the FSMO roles on a Global Catalog server?

All servers are Global Catalog servers.

The PDC syncs time with an external time source.

DNS forwarders go to resolverx.opendns.org.

Getting an error on each resolverx.opendns.org:

DCOM was unable to communicate with the computer 208.67.220.222 using any of the configured protocols.  An Error Event occurred.  EventID: 0xC0002719
DistributedCOM  10009

Each ADS server has IPv6 enabled, and I am getting:

Missing AAAA record at DNS server

Is it safe to disable IPv6 on a DC? Any issues? Gotchas?

After disabling, does it automatically remove IPv6 from DNS?


Problem:
Missing Expected Value

Base Object:
CN=DC-02,OU=Domain Controllers,DC=thedomain,DC=com

Base Object Description: "DC Account Object"

Value Object Attribute Name: msDFSR-ComputerReferenceBL

Value Object Description: "SYSVOL FRS Member Object"

Recommended Action: See Knowledge Base Article: Q312862


Starting test: NCSecDesc

* Security Permissions check for all NC's on DC DC-02.

The forest is not ready for RODC. Will skip checking ERODC ACEs.

* Security Permissions Check for

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set


Figure I need to Adprep /rodc

Also found that inside ADUC there is a Domain Controllers OU.

Inside that OU are the normal DCs, but someone placed all the other servers inside this OU too.
Is the Default Domain Controllers GPO good to place on these servers too? Doesn't seem right to me.

Found 1 ADS server has WINS enabled, but not the others; it doesn't appear that anyone is using this, and that server gets errors.

WINS  4224

WINS encountered a database error. This may or may not be a serious error. WINS will try to recover from it. You can check the database error events under 'Application Log' category of the Event Viewer for the Exchange Component,  ESENT, source to find out more details about database errors.  If you continue to see a large number of these errors consistently over time (a span of few hours), you may want to restore the WINS database from a backup.  The error number is in the second DWORD of the data section.

DHCP-Server  1056

The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

What's this mean?

The WinRM service failed to create the following SPNs: WSMAN/DC-02.thedomain.com; WSMAN/DC-02.

 Additional Data
 The error received was 8344: %%8344.

 User Action
 The SPNs can be created by an administrator using setspn.exe utility.
Windows Remote Management  ID: 10154

DsBindWithCred to * failed with status 1722 (0x6ba):
    The RPC server is unavailable.

The winlogon notification subscriber <TrustedInstaller> failed a critical notification event.

A provider, WmiPerfClass, has been registered in the Windows Management Instrumentation namespace root\cimv2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.



Getting these errors:
Failed to connect to DNS server because: the connection attempt timed out. Please make sure the DNS service is running. (both DNS server and Client are running on server and set to Automatic)
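The items the post enumerates (FSMO placement and GC status on each DC, WINS installed on only one DC, DHCP running on a DC without the DDNS credentials that event 1056 complains about, and the WSMAN SPNs from event 10154) can be gathered read-only in one pass. This script is an added example, not code from the original post or its replies; it assumes the ActiveDirectory, DhcpServer and ServerManager modules (RSAT on Windows Server 2012 or later) and reuses the DC-02 name from the post.

```powershell
# Added example (not from the original post): read-only health checks for the
# items the question lists. Assumes the ActiveDirectory, DhcpServer and
# ServerManager modules are available (RSAT, Windows Server 2012 or later).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO placement. The post has all five roles on a single DC; listing the
#    holders makes that visible alongside the GC status gathered below.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_

    # 2. WINS installed on this DC? The post found it on one DC only, with
    #    WINS 4224 database errors on that server.
    $wins = (Get-WindowsFeature -Name WINS -ComputerName $dc.HostName).Installed

    # 3. DHCP on a DC must use a dedicated account for dynamic DNS updates
    #    (DHCP-Server event 1056). Report the configured account, if any.
    $dhcpAccount = 'no DHCP service'
    if (Get-Service -ComputerName $dc.HostName -Name DHCPServer -ErrorAction SilentlyContinue) {
        $cred = Get-DhcpServerDnsCredential -ComputerName $dc.HostName
        $dhcpAccount = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { 'NOT SET' }
    }

    [pscustomobject]@{
        DC              = $dc.HostName
        GlobalCatalog   = $dc.IsGlobalCatalog
        WinsInstalled   = $wins
        DhcpDdnsAccount = $dhcpAccount
    }
} | Format-Table -AutoSize

# 4. WSMAN SPNs that WinRM failed to register (Windows Remote Management 10154).
#    setspn -L only lists what is on the computer account; creating the SPNs
#    is the administrator's decision, as the event text says.
setspn -L DC-02 | Select-String -Pattern 'WSMAN'
```

A DC that shows WinsInstalled True while its peers show False, or DhcpDdnsAccount NOT SET, corresponds directly to the WINS 4224 and DHCP-Server 1056 events quoted in the post.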
Asked by Indyrb
Exchange_Geek commented:
Confused confused more confusion.

What are you aiming to solve here - you're listing symptoms for solving what???

Each of the errors listed is to solve a particular issue related to it, so I'd like to know what we are going to be talking about in the next few posts.

Regards,
Exchange_Geek
Indyrb (Author) commented:
Main issue is as follows:

sporadic latency in running some network-dependent programs,
spur-of-the-moment loss and subsequent reconnection of DFS-named connections,
scanning for 3 IPs and getting 56 devices with Angry IP scanner

Other issues:
All FSMO roles are on one server -- in Windows 2008, does it matter anymore about having some of the FSMO roles on a Global Catalog server?

DCOM was unable to communicate with the computer 208.67.220.222 using any of the configured protocols.  An Error Event occurred.  EventID: 0xC0002719
DistributedCOM  10009

Each ADS server has IPv6 enabled, and I am getting:
Missing AAAA record at DNS server
Is it safe to disable IPv6 on a DC? Any issues? Gotchas?
After disabling, does it automatically remove IPv6 from DNS?

Also found that inside ADUC there is a Domain Controllers OU.
Inside that OU are the normal DCs, but someone placed all the other servers inside this OU too.
Is the Default Domain Controllers GPO good to place on these servers too? Doesn't seem right to me.


The WinRM service failed to create the following SPNs: WSMAN/DC-02.thedomain.com; WSMAN/DC-02.

 Additional Data
 The error received was 8344: %%8344.
 User Action
 The SPNs can be created by an administrator using setspn.exe utility.
Windows Remote Management  ID: 10154
DsBindWithCred to * failed with status 1722 (0x6ba):
    The RPC server is unavailable.


The winlogon notification subscriber <TrustedInstaller> failed a critical notification event.

A provider, WmiPerfClass, has been registered in the Windows Management Instrumentation namespace root\cimv2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Failed to connect to DNS server because: the connection attempt timed out. Please make sure the DNS service is running. (both DNS server and Client are running on server and set to Automatic)
Indyrb (Author) commented:
Fixed some of my own issues...

Reposting on outstanding issues.