nltest dclist does not show same result - windows

We have two Windows 2012 servers residing on the same subnet in domain "FACTORY".
And we have an intermittent authentication issue (3rd-party app) with users from domain "OFFICE".
During troubleshooting with the nltest command, I found something which I don't understand.
Here is the output from the first Windows 2012 server:
nltest /dclist:OFFICE
Get list of DCs in domain 'OFFICE' from '\\DC01'.
You don't have access to DsBind to OFFICE (\\DC01) (Trying NetServerEnum).
I_NetGetDCList failed: Status = 6118 0x17e6 ERROR_NO_BROWSER_SERVERS_FOUND
Here is the output from the second Windows 2012 server:
nltest /dclist:OFFICE
Get list of DCs in domain 'OFFICE' from '\\DC02'.
You don't have access to DsBind to OFFICE (\\DC02) (Trying NetServerEnum).
List of DCs in Domain OFFICE
\\DC03 (PDC)
The command completed successfully
Why could the 2nd Windows 2012 server get the list of DCs in domain OFFICE? Both servers are located on the same network subnet, both have the same network settings, no WINS. I can see that nltest was using a different DC (DC01 vs DC02) to get the result, which I also don't understand.
I was reading a lot of articles about the error ERROR_NO_BROWSER_SERVERS_FOUND, which pointed to the "Computer Browser Service". However, this service is disabled on both servers.
The intermittent authentication issue has never been reported from the 2nd Windows 2012 server, so I suspect this nltest result might contribute to it.

What's the domain topology?
What kind of trust is it?
Are there any error events from NETLOGON in the DC event logs on either side?
Does nltest /trusted_domains show the correct info on the FACTORY DCs?
Does nltest /sc_query:OtherDomain show any errors on the Trusting side?
Same with netdom trust TrustingDomainName /domain:TrustedDomainName /verify on each of the DCs on each side of the trust? (Or you can check it in AD Domains and Trusts). Unlike nltest, this requires credentials.
Are all the required ports, including all the required RPC ports, open between all the DCs in each domain? And in Windows Firewall? The most important aspect is that the Trusting domain DCs must be able to get to the PDCE in the Trusted domain. At the very least, you need these ports: LDAP (389 UDP and TCP), SMB (445 TCP), Kerberos (88 UDP), RPC portmapper (135 TCP), DNS (53 UDP and TCP)
Have you tried DNS queries from all the DCs to see if you can resolve the SRVs on each side? e.g. nslookup -q=SRV _ldap._tcp.mydomain.com (and the same for _kerberos.tcp and _kerberos.udp)
Do any of the DCs in either domain have the same hostname? Or duplicate SIDs? If the DCs were built from a custom image, were they Sysprepped?
Is the time in sync on all DCs on both sides of the trust? (Within 5 minutes, maximum)
Any errors in NETLOGON.LOG? You can enable NETLOGON debug logging for richer information, but only leave it on for a short time.
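The checks listed in the answer above, gathered into one script that can be run from a FACTORY-side server against the trusted OFFICE domain. This is an added example, not code from the original answer; the DNS name of the OFFICE domain is an assumption.

```powershell
# Added example, not part of the original answer: runs the trust checks from the answer
# against the trusted domain. The DNS name below is an assumption; pass your own.
param([string]$TrustedDomain = 'office.example.com')

# TCP ports named in the answer. Test-NetConnection only probes TCP, so the UDP side of
# Kerberos (88) and DNS (53) is not covered here.
$TcpPorts = [ordered]@{ LDAP = 389; SMB = 445; Kerberos = 88; RPC = 135; DNS = 53 }

# 1. Find the DCs through DNS SRV records. This path does not depend on the Computer
#    Browser service, which the failing nltest fell back to via NetServerEnum.
$dcs = Resolve-DnsName -Name "_ldap._tcp.$TrustedDomain" -Type SRV -ErrorAction Stop |
       Where-Object QueryType -eq 'SRV' |
       Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No SRV records for _ldap._tcp.$TrustedDomain" }

# 2. The PDC emulator of the trusted domain, which the trusting DCs must reach
$pdc = (Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$TrustedDomain" -Type SRV |
        Where-Object QueryType -eq 'SRV').NameTarget
Write-Host "PDC emulator of ${TrustedDomain}: $pdc"

# 3. TCP reachability of every DC on every port from the answer's list
foreach ($dc in $dcs) {
    foreach ($entry in $TcpPorts.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Service = $entry.Key; Port = $entry.Value; TcpOpen = $r.TcpTestSucceeded }
    }
}

# 4. Clock offset against each DC; the answer's limit is 5 minutes
foreach ($dc in $dcs) { w32tm /stripchart /computer:$dc /samples:1 /dataonly }

# 5. Trust enumeration and secure-channel status from this server, as the answer suggests
nltest /trusted_domains
nltest /sc_query:$TrustedDomain
```

Run it on both FACTORY servers and compare the two outputs; a DC that resolves but shows TcpOpen = False on 135 or 445 is the first place to look for the DsBind fallback seen in the question.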

Related

Problems connecting over RDP using FQDN but connect using IP

For the last 1-2 months I have had problems on some machines in my environment when I try to connect via RDP.
The environment uses a Microsoft PKI (Windows Server Certificate Authority). All computers that are joined to the domain request and are issued a certificate from:
Computer
RDP (as server)
All machines in the domain have the ROOT CA and SUBCA certificate installed.
The problem is intermittent: on the same machine it does not work, the computer is restarted, and for a while it works.
The credentials with which I connect work and the user with which I connect has permissions for RDP (he is a domain administrator).
When I connect using the FQDN (pc1.mydomain.com) the window to enter credentials appears, I enter them correctly, and it tells me that the credentials are invalid. I run several tests to verify that I have not made a mistake when entering the credentials. It seems to fail in the connection protection process.
When I connect using the IP of the same machine as before, the certificate appears, and if checked, the certificate is valid for the FQDN indicated above, so the certificate is OK (in date, valid and not revoked). If I accept the certificate, it starts the connection protection and finally connects.
If I access the same machine physically or through the VMware console, it lets me log in correctly.
I have checked the Windows event log (System, Application and RDP) and I do not see any error, neither on the client from which I connect nor on the server to which I connect.
If I connect from another machine that is not Windows (a Mac) using the Microsoft RDP application, it lets me connect, even when from Windows it fails.
It happens from several clients and on several machines to which I connect via RDP.
At the Firewall level all the rules are correct, both in the Windows Firewall and in the Network Firewall.
What is the operating system of the pc/server with the issues? I have an issue with an old Windows 2008 r2 server similar to this.

windows AD server has been corrupted

I have used Windows 2008 AD since 2013, and I have a secondary domain as well. Unfortunately, due to a hardware failure the primary domain was corrupted. I configured a new AD on Windows 2012 R2. Now my concern is that when I restart my primary domain it gives many errors: "Naming information cannot be located because: The specified domain either does not exist or could not be contacted. Contact your system administrator to verify that your domain is properly configured and is currently online."
It automatically resolves when I switch on the secondary domain.
Now what I want to do is resolve this error.
Which server holds the FSMO roles? Are both servers Global Catalog and DNS servers?
What is the status of Sysvol? Go to Registry Editor and open the key SysvolReady at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
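A script that collects what the answer above asks for in one pass: the FSMO role holders, whether each DC is a Global Catalog and DNS server, and the SysvolReady value under the Netlogon key on each DC. This is an added example, not code from the original answer; it assumes the ActiveDirectory module and remoting rights on both DCs.

```powershell
# Added example, not from the original answer: reports FSMO holders, GC/DNS status and the
# SysvolReady flag for every DC in the domain. Assumes the ActiveDirectory module and
# PowerShell remoting to each DC.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest

# The five FSMO roles; a failed DC that still holds one explains "domain cannot be contacted"
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
foreach ($dc in Get-ADDomainController -Filter *) {
    # Read SysvolReady and the DNS service state on the DC itself
    $remote = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        param($k)
        [pscustomobject]@{
            SysvolReady = (Get-ItemProperty -Path $k -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
            DnsRunning  = ((Get-Service -Name DNS -ErrorAction SilentlyContinue).Status -eq 'Running')
        }
    } -ArgumentList $key
    [pscustomobject]@{
        DC              = $dc.HostName
        Reachable       = [bool]$remote
        IsGlobalCatalog = $dc.IsGlobalCatalog
        DnsRunning      = $remote.DnsRunning
        SysvolReady     = $remote.SysvolReady   # 1 = SYSVOL shared; 0 or empty = not ready
    }
}
```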
Hi this is a known issue.
These issues may occur if TCP/IP filtering is configured to permit only port 80 for TCP/IP traffic.
And you can consult the link for a possible solution

How to restore access to a windows shared folder after host password change?

I have a shared folder on a windows 10 host machine. I could access it from a windows 10 client machine, where I had set "remember credentials" when first accessing the share. I changed the password on the host. Now the client cannot access the shared folder. That was expected. But I could not find a way on the client to allow the user to re-establish access to the shared folder.
I expected it would ask for credentials again. However I got a network error saying that windows cannot access the host machine.
Based on a number of entries on various forums, I tried a few things. The credentials manager on the client does not show the host. I stopped and restarted file and printer sharing on the client, without any change in the result. Network diagnosis and the windows troubleshooter gave no help.
The problem was due to some previous connections remaining in the network table, even though disconnected, as shown by the "net use" command from the command prompt.
>net use
Status Local Remote Network
--------------------------------------------------------------------------
Disconnected \\192.168.1.71\IPC$ Microsoft Windows Network
Disconnected \\HOST\IPC$ Microsoft Windows Network
After deleting them (via "net use /delete") the next attempt to access the host asked for credentials. Yay!
I began the path to the solution when I tried
net use z: \\host\shared /user:admin password
which gave system error 1219 stating multiple connections to a server are not allowed. Disconnect all previous connections and try again. Obviously, even though known to be disconnected, the entries prevented reconnection.
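The cleanup described in the post, as an added example that is not part of the original answer: it parses the output of "net use", removes only the Disconnected entries that point at the host being fixed, and supports -WhatIf so the removals can be previewed. The host names in the default list are the ones from the post.

```powershell
# Added example, not from the original post: removes stale "Disconnected" net use entries for
# the given hosts so that the next access prompts for credentials again (error 1219 otherwise).
[CmdletBinding(SupportsShouldProcess)]
param([string[]]$Hosts = @('HOST', '192.168.1.71'))   # values from the post; adjust to yours

# Build one case-insensitive pattern matching \\HOST\... or \\192.168.1.71\...
$pattern = ($Hosts | ForEach-Object { [regex]::Escape($_) }) -join '|'

$stale = @()
foreach ($line in (net use 2>$null)) {
    # Rows look like:  Disconnected   Z:   \\HOST\share   Microsoft Windows Network
    # or without a drive letter for IPC$ connections.
    if ($line -match '^\s*Disconnected\s+(?:[A-Z]:\s+)?(\\\\[^\s]+)') {
        $remote = $Matches[1]
        if ($remote -match "^\\\\(?:$pattern)\\") { $stale += $remote }
    }
}

if (-not $stale) { Write-Host 'No stale disconnected connections found.'; return }

foreach ($remote in $stale) {
    if ($PSCmdlet.ShouldProcess($remote, 'net use /delete')) {
        net use $remote /delete /y
    }
}
```

After the stale entries are gone, a fresh "net use" with an explicit /user is what makes Windows ask for the new password.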

HPC Pack 2016: "Identity check failed for outgoing message" Error

Hello Stack Overflow community, I am encountering the following errors when I try to add a node to my local computer cluster using Microsoft HPC Pack 2016:
Could not contact node 'NODE-A08' to perform change. Identity check
failed for outgoing message. The expected DNS identity of the remote
endpoint was 'HEAD-NODE01' but the remote endpoint provided DNS claim
'NODE-A08'. If this is a legitimate remote endpoint, you can fix the
problem by explicitly specifying DNS identity 'NODE-A08' as the
Identity property of EndpointAddress when creating channel proxy.
Could not contact node 'NODE-A08' to perform change. The management
service was unable to connect to the node using any of the IP
addresses resolved for the node.
Ultimately I would like to write and test my own MPI programs while using HPC Pack as my cluster manager, but I cannot seem to get past this preliminary step of setting up my cluster.
Through my research into the issue I have found "Identity check failed for outgoing message..." to be a well-documented error related to Windows Communication Foundation (WCF). My understanding is that it occurs when the common name (CN) of the endpoint computer's certificate does not match its DNS identity.
The solutions that I found were lines of code for people writing their own programs; however, those solutions do not apply to HPC Pack because I cannot access its source code directly.
Some additional information specific to my situation:
the certificates used by both the head node and the node were issued individually by a trusted domain
all computers are connected to one enterprise network
the head node's PC name is 'HEAD-NODE01'
the node's PC name is 'NODE-A08'
these errors occur during the provisioning stage of adding a node
the errors are displayed in the provisioning log within HPC Pack 2016's user interface
I was successful in pinging each computer from the other
both computers display the proper DNS IP address when I use command prompt
the head node is running Windows Server 2012 R2
the node is preconfigured to be a workstation node and is running Windows 10 Enterprise
Any help would be greatly appreciated. I have looked for a few days and in a lot of places for an answer, but I have not been very successful. Thank you very much in advance!
Subject names of both SSL certificates must be identical
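A way to see, on each node, what identity its machine certificates actually carry, so the head node and the compute node can be compared against the DNS identity the WCF error expects and against the answer's requirement that both subjects match. This is an added example, not code from the question or from HPC Pack; it assumes the certificates live in the LocalMachine\My store.

```powershell
# Added example, not from the original question or HPC Pack: lists each machine certificate's
# subject CN and DNS SANs and flags whether they cover this host. Run on HEAD-NODE01 and
# NODE-A08 separately and compare. Store location is an assumption.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$short = $env:COMPUTERNAME

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Pull the CN out of a subject such as "CN=NODE-A08, OU=HPC, DC=corp"
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
           Select-Object -First 1) -replace '^CN=', ''
    # DNS names from the Subject Alternative Name extension (may be empty)
    $dns = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        SubjectCN  = $cn
        DnsNames   = ($dns -join ';')
        # WCF compares the presented identity against the expected DNS identity
        CoversHost = [bool]((@($dns) + @($cn)) | Where-Object { $_ -ieq $fqdn -or $_ -ieq $short })
        # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what a TLS endpoint needs
        ServerAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1')
        NotAfter   = $cert.NotAfter
    }
} | Format-Table -AutoSize
```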

How does one add services to the Windows Firewall trust list, or prompt the user to do the same?

I integrated a small http server in my software distribution, intended to allow access to my installed application from the customer's LAN.
Right now, the customer has to manually update the firewall's list of trusted applications. I want to either open a hole in the firewall at install-time, or to ensure that the firewall prompts the user to allow my web server as a trusted application, able to receive inbound traffic.
Any solution should work with the built-in Windows Firewall at minimum.
Suggestions?
I would start out by reading up on the following sections on MSDN. This should give you enough background to know what you need. In short you could be looking to talk to the INetFwMgr COM object.
XP
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366453%28v=vs.85%29.aspx
Vista or later: INetFwPolicy2
http://msdn.microsoft.com/en-us/library/windows/desktop/ff956124(v=vs.85).aspx
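What an installer can do with the INetFwPolicy2 interface the answer points to, shown here from PowerShell through its COM ProgIDs (Vista and later). This is an added example, not code from the original answer; the executable path, rule name and port are assumptions, and the rule is deliberately scoped to the application binary, the local subnet and the domain/private profiles rather than opening the port everywhere.

```powershell
# Added example, not from the original answer: adds a scoped inbound allow rule for the bundled
# HTTP server via INetFwPolicy2/INetFwRule (HNetCfg.FwPolicy2 / HNetCfg.FWRule COM objects).
# Run elevated, e.g. from the installer. Path, name and port are assumptions.
$RuleName = 'MyApp embedded web server'              # assumption
$ExePath  = 'C:\Program Files\MyApp\myapp-httpd.exe'  # assumption
$Port     = '8080'                                    # assumption

$policy = New-Object -ComObject HNetCfg.FwPolicy2

# Idempotent: a reinstall must not add a second copy of the rule
$existing = @($policy.Rules | Where-Object { $_.Name -eq $RuleName })
if ($existing.Count -gt 0) { Write-Host "Rule '$RuleName' already present"; return }

$rule = New-Object -ComObject HNetCfg.FWRule
$rule.Name            = $RuleName
$rule.Description     = 'Allows LAN clients to reach the application web UI'
$rule.ApplicationName = $ExePath       # bind the rule to the binary, not only to the port
$rule.Protocol        = 6              # NET_FW_IP_PROTOCOL_TCP
$rule.LocalPorts      = $Port
$rule.Direction       = 1              # NET_FW_RULE_DIR_IN
$rule.Action          = 1              # NET_FW_ACTION_ALLOW
$rule.Profiles        = 3              # NET_FW_PROFILE2_DOMAIN (1) + NET_FW_PROFILE2_PRIVATE (2)
$rule.RemoteAddresses = 'LocalSubnet'  # the stated need is the customer's LAN only
$rule.Enabled         = $true
$policy.Rules.Add($rule)

Write-Host "Added rule '$RuleName': $ExePath, TCP/$Port, LocalSubnet, domain+private profiles"
```

The uninstaller should remove the rule again with $policy.Rules.Remove($RuleName) so the allowance does not outlive the application.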