I have a GPO that won't work in Azure AD. I need to create multiple GPOs to map network drives. I've put the GPO right under the domain.
I've mapped the drive and targeted it at a security group. I tried with an OU first, but that didn't work either.
So did I place the GPO wrong, or did I map the drive wrong? The client has a dynamic IP and its DNS servers are the IPs of the servers.
When I run gpupdate on the client, it seems that the server is unreachable:
Let me know if you need additional information.
• Your procedure for mapping a network drive is correct, but the error snapshot you posted regarding the reachability of the AD/DNS servers is a concern: because of it the group policies could not replicate and apply authoritatively from the AD or Group Policy server. Please check the connectivity from the client system to the DC/Group Policy server as below:
A) Check whether SYSVOL replication is happening correctly. DFSR (Distributed File Replication Service) is used for SYSVOL replication; to confirm, run the command below and check its result:
dfsrmig.exe /getglobalstate --> if the result shows 3 (ELIMINATED), then it's OK.
B) Then check which DC holds the FSMO roles. For that, run the command below and check whether that DC's IP and hostname are configured as the DNS server in the client system's IP configuration:
netdom query fsmo
C) Once the above is done, check whether replication between the DCs is working correctly by executing the commands below one by one and analysing their results:
dcdiag /v > c:\dcdiag1.log
repadmin /showrepl
repadmin /syncall /APeD
D) Ensure that the gpt.ini file exists on your DC at \\domain.local\SysVol\domain.local\Policies\{Policy_GUID}\ ; if not, your GPO server might be at risk of corruption of essential system files. Please reset it. Also ensure that your DNS server or DC is reachable and pingable through the commands below. Try resetting the DNS resolver cache on the client computers:
ping <hostname of DC>
nslookup <hostname of DC>
ipconfig /flushdns (on the client systems)
Lastly, ensure that your DC and domain are accessible via the RPC protocol with the command below:
nltest /dsgetdc:<hostname of DC>
If all of the above commands return positive results, then you should check your client's network and domain settings for any issues, as everything else is correct on the DC end.
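Added example (my code, not part of the answer above): a client-side script that runs the same reachability and SYSVOL checks in one pass and shows which DC the client is actually using. The domain name and GPO display name are assumed placeholders; it needs the GroupPolicy, DnsClient and NetTCPIP modules on the client.

```powershell
# Added example, not from the original answer. Placeholders: adjust $Domain and $GpoName.
$Domain  = 'domain.local'        # assumed domain name
$GpoName = 'Map Network Drives'  # assumed GPO display name
Import-Module GroupPolicy, DnsClient, NetTCPIP

# 1. DCs that DNS advertises for the domain (this SRV record is how clients locate a DC).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
$dcNames = $srv.NameTarget | Sort-Object -Unique
$dcIps   = foreach ($dc in $dcNames) { (Resolve-DnsName -Name $dc -Type A).IPAddress }

# 2. The client's configured DNS servers must be DCs (or forward to them); otherwise the
#    SRV/LDAP lookups behind gpupdate fail and the server looks "unreachable".
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object ServerAddresses).ServerAddresses | Sort-Object -Unique
$notDc = $clientDns | Where-Object { $_ -notin $dcIps }
if ($notDc) { Write-Warning "Client DNS servers that are not domain controllers: $($notDc -join ', ')" }

# 3. Reachability of each DC on the ports GPO processing needs (LDAP 389, SMB 445 for SYSVOL).
foreach ($dc in $dcNames) {
    foreach ($port in 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-30} TCP/{1,-4} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 4. The GPO's folder on SYSVOL must contain gpt.ini; its Version field is what the
#    client compares against its cached value to decide whether to re-apply the policy.
$gpo  = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction Stop
$path = "\\$Domain\SysVol\$Domain\Policies\{$($gpo.Id)}\gpt.ini"
if (Test-Path $path) {
    "gpt.ini found for '$GpoName' (GUID $($gpo.Id)):"
    Get-Content $path | Where-Object { $_ -match '^Version=' }
} else {
    Write-Warning "gpt.ini missing at $path - SYSVOL replication or share permission problem."
}

# 5. Which DC the client actually picked, and what the last policy refresh applied.
nltest /dsgetdc:$Domain
gpresult /r
```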
What I am trying to do:
We have a Task Scheduler that kicks off an EXE, which in the course of its runtime, will connect to SQL Server.
So that would be:
taskServer.myDomain triggers the Task Scheduler action
taskServer.myDomain exe runs locally
taskServer.myDomain initiates a connection to sqlServer.myDomain
The scheduled task is associated with a service account (svc_user) that is set to run with highest privileges, run whether the user is logged in or not, and store credentials for access to non-local resources.
The actual behavior
What we are seeing is the Task Scheduler is indeed running as svc_user. It triggers the EXE as expected, and the EXE is also running as svc_user. When the EXE initiates a connection to SQL Server, it errors on authentication.
Looking at the Event Viewer, we can see the failure trying to initialize the connection to SQL:
Exception Info: System.Data.SqlClient.SqlException
at System.Data.SqlClient.SqlInternalConnectionTds..ctor(System.Data.ProviderBase.DbConnectionPoolIdentity, System.Data.SqlClient.SqlConnectionString, System.Data.SqlClient.SqlCredential, System.Object, System.String, System.Security.SecureString, Boolean, System.Data.SqlClient.SqlConnectionString, System.Data.SqlClient.SessionData, System.Data.ProviderBase.DbConnectionPool, System.String, Boolean, System.Data.SqlClient.SqlAuthenticationProviderManager)
And then looking at the SQL Server logs we can see the root of the issue:
Logon,Unknown,Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided.
The connection initialized by the EXE to SQL Server is trying to authenticate as ANONYMOUS LOGON.
What I have tried
Background
This issue popped up when our IT team started deploying a GPO lockdown in our environments. So in order to get to this point, we first had to add some GPO exceptions to allow the svc_user to:
log on locally
log on as batch job
Progress?
This is where we started being able to capture the ANONYMOUS LOGON error in SQL Server. From there we tried a handful of other GPO exceptions, including:
Allow Credential Save
Enable computer and user accounts to be trusted for delegation
The actual issue?
So it would appear that this is a double-hop delegation issue, which eventually led me here and then, via the answer, here and here.
So I tried adding GPO policies to allow delegating fresh credentials using the WSMAN/* protocol + wildcard.
Two issues with this:
the "Fresh" credentials refer to prompted credentials, while the EXE is running as a service during off-hours and inheriting the credentials from the Task Scheduler
the WSMAN protocol appears to be used for remote PowerShell sessions (via the original question in the Server Fault post) and not SQL Server connections.
So, I added the protocol MSSQLSvc/* to the enabled delegation and tried all permutations of Fresh, Saved and Default delegation. (This was all done in Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation.)
Where it gets weird
We have another server, otherServer.myDomain, which we set up with the same scheduled task. It is set up with the same GPO memberships, but seems to be able to successfully connect to SQL Server. AFAIK, the servers are identical as far as setup and configuration.
The Present
I have done a bit more digging anywhere I could think of that might offer clues as to how I can feed the credentials through or where they might be falling through, including watching the traffic between the taskServer and the sqlServer as well as between otherServer and sqlServer.
I was able to see NTLM challenges coming from the sqlServer to the taskServer/otherServer.
In the case of taskServer, the NTLM response only has workstationString=taskServer.
On otherServer, the NTLM response has workstationString=otherServer, domainString=myDomain, and userString=svc_user.
Question
What is the disconnect between hop 1 (task scheduler to EXE) and hop 2 (EXE to SQL on sqlServer)? And why does this behavior not match between taskServer and otherServer?
So I finally have an update/solution for this post.
The crux of the issue was a missing SPN. The short answer:
Add an SPN for sqlServer associated with the service account the SQL services are running as (not the svc_user), for example:
SetSPN -S MSSQLSvc/sqlServer.myDomain myDomain\svc_sql_user
Add another SPN like the above but with the SQL service port, for example:
SetSPN -S MSSQLSvc/sqlServer.myDomain:1433 myDomain\svc_sql_user
Set the SQL service user account to allow delegation like so:
I have created 4 Active Directory domain controllers in two different locations: Delhi and Mumbai.
Delhi has 2 domain controllers, primary (DDC01) and secondary (DDC02).
Mumbai has 2 domain controllers, primary (MDC01) and secondary (MDC02).
Both have different networks and I can RDP to both domain controllers from the different locations.
Now I want to connect all 4 domain controllers so they can replicate the data and policies.
I saw this can be done through Active Directory Sites and Services.
I added the subnets of both sites in the Mumbai DC, i.e. MDC01.
I created sites, Mumbai-HO and Delhi-BO, in MDC01 and they got replicated to MDC02.
I can see MDC01 and MDC02, but I cannot see DDC01 or DDC02 showing there.
Am I missing something?
Just FYI, DDC01 and DDC02 have different gateways for some reason.
• Please check that the Active Directory site replication ports are open for communication between the Mumbai and Delhi sites by doing a telnet from a command prompt on each of the ports. Inbound as well as outbound communication on these ports between the two sites should be successful. Please find the list of ports below:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
• Check the replication status of the AD sites through the repadmin utility by running the command below on the replicating DCs in PowerShell:
repadmin /syncall /force   or   repadmin /syncall /APeD   or   repadmin /replsum
If the message returned in PowerShell states 'Syncall terminated with no errors', then everything is fine and you need not worry about the replication status between sites. Also, you can check the replication topology status in AD Sites and Services, where all the sites are listed whether created automatically or manually, as below:
This will give the replication status and issues relating to AD site replication. For more detailed information on the replication issues, execute the command below and check for replication issues at site level. This gives the site-wise information in CSV format:
repadmin /showrepl * /csv > showrepl.csv
• Also, please check whether the Delhi site was automatically created by the KCC or not; if not, wait for at least 24 hours after the above steps report a successful replication status. Then check the 'Cost' parameter of the replication link in the site details workspace by clicking on it. It defines the priority level of the network connection between the two sites. Please find the snapshot below to know the actual cost of your network connection and set it accordingly:
For more information on AD site replication issues, please refer to the links below:
https://learn.microsoft.com/en-GB/troubleshoot/windows-server/identity/common-active-directory-replication-errors
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/diagnose-replication-failures
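Added example, not from the answer above: a PowerShell pass that lists each DC's site, the site-link cost, a TCP reachability matrix for the ports listed, and the replication state AD itself records. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the DCs, and the DC names from the question.

```powershell
# Added example, not from the original answer. Assumes ActiveDirectory RSAT module,
# PowerShell remoting to the DCs, and the DC names used in the question.
Import-Module ActiveDirectory

# 1. Which site does AD think each DC is in? A DC promoted before its site/subnet existed
#    keeps its server object in the original site until that object is moved.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address | Format-Table -AutoSize

# 2. Site-link cost and schedule between the sites (the 'Cost' the answer refers to).
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded | Format-Table -AutoSize

# 3. TCP reachability matrix across the sites. Test-NetConnection only speaks TCP, so the
#    UDP side of Kerberos (88), DNS (53) and NetBIOS datagram (138) is not covered here.
$ports = @{ Kerberos = 88; RpcEndpointMapper = 135; NetBiosSession = 139; Ldap = 389
            Smb = 445; KerberosPasswd = 464; GlobalCatalog = 3268; GlobalCatalogSsl = 3269; Dns = 53 }
$pairs = @(
    @{ Source = 'MDC01'; Target = 'DDC01' }, @{ Source = 'DDC01'; Target = 'MDC01' },
    @{ Source = 'MDC02'; Target = 'DDC02' }, @{ Source = 'DDC02'; Target = 'MDC02' }
)
$matrix = foreach ($p in $pairs) {
    Invoke-Command -ComputerName $p.Source -ArgumentList $p.Target, $ports -ScriptBlock {
        param($target, $portMap)
        foreach ($name in $portMap.Keys) {
            $r = Test-NetConnection -ComputerName $target -Port $portMap[$name] -WarningAction SilentlyContinue
            [pscustomobject]@{ Source = $env:COMPUTERNAME; Target = $target
                               Service = $name; Port = $portMap[$name]; Open = $r.TcpTestSucceeded }
        }
    }
}
$blocked = $matrix | Where-Object { -not $_.Open }
if ($blocked) { 'Blocked paths:'; $blocked | Format-Table -AutoSize } else { 'All tested TCP paths are open.' }

# 4. Replication health as AD records it per partner, rather than a one-off repadmin run.
foreach ($dc in 'MDC01', 'MDC02', 'DDC01', 'DDC02') {
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
    Get-ADReplicationFailure -Target $dc -Scope Server -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError
}
```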
PowerShell Script
New-Cluster -Name "DI-XXX-YY-CLUSTER" -Node "di-XXX-YY-db1","di-XXX-YY-db2" -NoStorage -StaticAddress 172.17.XX.YYY
Set-ClusterQuorum -NodeAndFileShareMajority "\\DI-XXX-YY-WS1\ClusterQuorum"
Invoke-Command -ComputerName "DI-XXX-YY-WS1" -ScriptBlock { mkdir c:\Quorum}
Invoke-Command -ComputerName "DI-XXX-YY-WS1" -ScriptBlock { New-SmbShare -Name "Quorum" -Path "c:\Quorum" -FullAccess "didevtest.local\DI-XXX-YY-CLUSTE"}
Add-ClusterNode -Cluster "DI-XXX-YY-CLUSTER" -Name "di-XXX-YY-db2" -NoStorage
The Server Manager on the second node (di-XXX-YY-db2) shows a warning:
Incomplete communication with DI-XXX-YY-CLUSTER. The following nodes or cluster roles might be offline or have connectivity issues
Server Manager -> All Servers
The Server Manager refresh fails on the second node (di-XXX-YY-db2).
Windows error log entries:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server di-XXX-XX-db1$. The target name used was MSServerClusterMgmtAPI/DI-XXX-XX-CLUSTER.didevtest.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DIDEVTEST.LOCAL) is different from the client domain (DIDEVTEST.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
DCOM was unable to communicate with the computer DI-XXX-XX-CLUSTER.didevtest.local using any of the configured protocols; requested by PID 14d4 (C:\Windows\system32\ServerManager.exe).
You are creating a Windows Server Failover Cluster (WSFC), not an FCI. FCI is the clustered instance of SQL Server.
That said, check networking (including DNS), firewall, and most importantly, AD. If the WSFC is not coming online, it could be any of these things. Make sure that the CNO is precreated or the account creating the WSFC has rights to create objects in AD. If the object is there but not in DNS, similar issue - make sure DNS is right.
Also, why are you running Add-ClusterNode? The WSFC is being formed with both nodes in New-Cluster.
Check the logs and Event Viewer. They will give you a clue as to why things are messed up.
One NIC is fine if it's virtualized. There are cases where you would have two NICs (always in physical). Do you have two NICs in one server but not the other?
Also, read all the text and don't just go by the yellow/green/blue. Sometimes the problem is in the notes.
That said, again, go check SPNs and DNS. Look for things like duplicate or stale DNS records or duplicate SPNs.
You can search for "KRB_AP_ERR_MODIFIED cluster" on the web to see quite a few different solutions, but most are DNS related (including what I mentioned).
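Added example covering this answer and the SQL double-hop answer further up (my code, not from either post): a read-only audit of an SPN that reports who holds it, whether it is duplicated, the holder's delegation flags and the DNS records behind the host part. It assumes the ActiveDirectory module and uses the placeholder SPNs from the two threads.

```powershell
# Added example, not from either answer. Read-only audit of an SPN: who holds it, whether it
# is duplicated (the KRB_AP_ERR_MODIFIED case), how the holder is set up for delegation
# (the double-hop case) and whether DNS for the host part is clean.
Import-Module ActiveDirectory

function Get-SpnAudit {
    param([Parameter(Mandatory)][string]$Spn)

    # Every account claiming this SPN. More than one hit means the KDC may encrypt the
    # service ticket for an account the real service cannot decrypt it with.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                  -Properties userAccountControl, 'msDS-AllowedToDelegateTo')

    $holderInfo = foreach ($h in $holders) {
        $uac = [int]$h.userAccountControl
        [pscustomobject]@{
            Account                 = $h.Name
            Class                   = $h.ObjectClass
            UnconstrainedDelegation = [bool]($uac -band 0x80000)    # TRUSTED_FOR_DELEGATION
            ProtocolTransition      = [bool]($uac -band 0x1000000)  # TRUSTED_TO_AUTH_FOR_DELEGATION
            ConstrainedTargets      = @($h.'msDS-AllowedToDelegateTo') -join ';'
        }
    }

    # Host part of the SPN: a stale or duplicate A record sends the client to a host whose
    # account does not hold the SPN, which produces the same symptom as a duplicate SPN.
    $hostName = ($Spn -split '/')[1] -replace ':\d+$', ''
    $records  = @(Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue |
                  Where-Object Type -eq 'A')

    [pscustomobject]@{
        Spn         = $Spn
        Registered  = $holders.Count -gt 0
        Duplicate   = $holders.Count -gt 1
        Holders     = $holderInfo
        HostIPs     = $records.IPAddress -join ','
        MultipleIPs = $records.Count -gt 1
    }
}

# Forest-wide duplicate scan with the built-in tool, for comparison.
setspn -X

# The SPNs from the two threads above (placeholder names as used there).
$audit = 'MSSQLSvc/sqlServer.myDomain:1433',
         'MSServerClusterMgmtAPI/DI-XXX-YY-CLUSTER.didevtest.local' | ForEach-Object { Get-SpnAudit $_ }
$audit | Format-List
$audit.Holders | Format-Table -AutoSize

# Will the KDC issue a service ticket for the SPN at all? klist get requests one and
# shows the server name and encryption type it was issued for.
klist get MSSQLSvc/sqlServer.myDomain:1433
```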
I am trying to find the name of the SMTP server responsible for delivering outgoing Exchange messages.
I can easily find the incoming SMTP server name through the MX record, but I need the SMTP server for the outgoing messages. Autodiscover does not help either - it has everything and a kitchen sink (EWS endpoint, etc.), but not the outgoing SMTP server name.
Is it in the Active Directory (for the on-prem Exchange servers)?
Thank you!
Which version of Exchange are you running?
You can run the following from an Exchange Management Shell; it should provide you with sufficient information.
Get-SendConnector | Select-Object -Property Identity,Enabled,SmartHosts,AddressSpaces,SourceTransportServers
Or from the ECP/EAC, select mail flow, and then select Send Connectors. If you have more than one, you'll have to poke around and find the one that is enabled, for the address space '*' with the lowest cost - that will most likely be your default connector. Open/view the send connector. Select Scoping, on the bottom half of the popup window, you will see a "Source server" box. The server(s) in that box are those responsible for getting outbound email out of the Exchange organization.
However, there is a possibility that Exchange just sends to a smart host which scans, logs or otherwise handles your outbound mail before it actually leaves your network. There would be an entry under "SmartHosts" in the PowerShell output, or under "Delivery" in the EAC, if that were the case.
As a side note, there is no real de facto "outbound SMTP" server like there is a de facto "inbound SMTP server" (i.e. the MX). I think about as close as you can get is to have a name, address, or block designated in your SPF record, but it's not quite the same thing.
Edit - find information in Active Directory:
Get-ADObject -Filter 'objectClass -eq "msExchRoutingSMTPConnector"' -SearchBase "CN=Configuration,DC=domain,DC=com"
This will give you a list of send connectors; the routingList attribute will tell you what namespace each connector is valid for and what the cost is. Unfortunately, from these objects, I do not know how to obtain the server names included in those send connectors.
You could also find these via ADSIEdit or another tool that lets you browse the configuration in AD. The rough path is:
CN=Connections,CN=Exchange Routing Group (xxxxxx),CN=Routing Groups,CN=Exchange Administrative Group (xxxxxx),CN=Administrative Groups,CN=ExchangeOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Your mileage may vary.
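Added example, not part of the answer above: reading the send connectors directly from the configuration partition and resolving their source servers, which fills the gap the answer mentions. It assumes the source transport servers are stored in the msExchSourceBridgeheadServersDN attribute (check this in your schema) and that routingList entries take the form type:address;cost.

```powershell
# Added example, not from the original answer. Needs only the ActiveDirectory module.
# Assumptions: source transport servers live in msExchSourceBridgeheadServersDN (verify in
# your schema), and routingList entries look like "SMTP:*;1" (type:address;cost).
Import-Module ActiveDirectory

function Get-SendConnectorFromAD {
    $configNC = (Get-ADRootDSE).configurationNamingContext   # CN=Configuration,DC=...
    $connectors = Get-ADObject -LDAPFilter '(objectClass=msExchRoutingSMTPConnector)' `
                    -SearchBase $configNC -Properties routingList, msExchSourceBridgeheadServersDN

    foreach ($c in $connectors) {
        # Each routingList entry is "<type>:<address space>;<cost>".
        $spaces = foreach ($entry in $c.routingList) {
            $addr, $cost = $entry -split ';', 2
            [pscustomobject]@{ AddressSpace = $addr; Cost = [int]$cost }
        }
        # The server DNs resolve to the SourceTransportServers shown by Get-SendConnector.
        $servers = foreach ($dn in $c.msExchSourceBridgeheadServersDN) {
            (Get-ADObject -Identity $dn -ErrorAction SilentlyContinue).Name
        }
        # Lowest cost for the catch-all space marks the likely default outbound path.
        $catchAll = ($spaces | Where-Object AddressSpace -eq 'SMTP:*' |
                     Sort-Object Cost | Select-Object -First 1).Cost
        [pscustomobject]@{
            Connector     = $c.Name
            AddressSpaces = ($spaces | ForEach-Object { "$($_.AddressSpace);$($_.Cost)" }) -join ' '
            CatchAllCost  = $catchAll
            SourceServers = $servers -join ', '
        }
    }
}

$all = Get-SendConnectorFromAD
$all | Sort-Object CatchAllCost | Format-Table -AutoSize
# Servers on the cheapest SMTP:* connector are the ones handing mail out of the organization
# (to the Internet directly, or to the smart host configured on that connector).
($all | Where-Object { $null -ne $_.CatchAllCost } | Sort-Object CatchAllCost |
    Select-Object -First 1).SourceServers
```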
I have hosted my web app on server 1 and my database on server 2.
But I'm getting the following error:
Communication with the underlying transaction manager has failed.
I googled and found a post which mentioned that it is an issue with DTC (Distributed Transaction Coordinator).
I enabled DTC on server2 (the DB server) and added an exception for it in the firewall.
But I still get the same error.
Here is the full stack trace:
Message: System.Transactions.TransactionManagerCommunicationException: Communication with the underlying transaction manager has failed. ---> System.Runtime.InteropServices.COMException: The MSDTC transaction manager was unable to pull the transaction from the source transaction manager due to communication problems. Possible causes are: a firewall is present and it doesn't have an exception for the MSDTC process, the two machines cannot find each other by their NetBIOS names, or the support for network transactions is not enabled for one of the two transaction managers. (Exception from HRESULT: 0x8004D02B)
at System.Transactions.Oletx.IDtcProxyShimFactory.ReceiveTransaction(UInt32 propgationTokenSize, Byte[] propgationToken, IntPtr managedIdentifier, Guid& transactionIdentifier, OletxTransactionIsolationLevel& isolationLevel, ITransactionShim& transactionShim)
at System.Transactions.TransactionInterop.GetOletxTransactionFromTransmitterPropigationToken(Byte[] propagationToken)
Kindly advise.
We had the exact same situation, and more than once. Each time, it was one of the following:
The IP address in the DNS for the server is outdated (as said in the error message: "two machines cannot find each other by their NetBIOS names"). You can check if this is the case by trying ping servername from one server to the other in the command prompt. If the ping by name fails and ping by IP succeeds (or ping by name returns the wrong IP), then you should talk to the system admins to take a look at DNS/DHCP.
The servers were created as an image of a preconfigured server (for example, if you are working with virtual machines and, instead of doing a fresh install for each of the servers, you simply clone the image). This is a problem because DTC has an internal "Identifier", and in the case of image cloning both your installations now have the same DTC ID and won't be able to communicate with each other. The solution is to simply uninstall and install the DTC again.
Hope it helps.
Things to check:
Have you done this configuration on both servers?
Are both servers members of the same domain?
Have you checked the event log?
I had the same problem while connecting to a remote SQL Server.
The solution in my case was to add "enlist=false" to the connection string.
I was missing quite a lot of things:
No authentication (as the DB server and APP server are not within the same AD domain)
A Windows Firewall rule enabling msdtc.exe
A rule on the firewall between the DMZ and the internal zone for TCP 135 and 1024-65535 in both directions. The link tells you how to restrict the firewall policy to a few ports only.
Short/long server names in hosts or a shared DNS server, e.g. 192.168.1.1 app1 as well as 192.168.1.1 app1.domain.local
On the other hand, based on this link, my setup doesn't require:
Allow Remote Clients
Allow Remote Administration
Enable XA Transactions (required prior to Windows Server 2003 SP1)
Solved after adding the remote IP\machine name to the hosts and lmhosts files on the server, in the folder C:\Windows\System32\drivers\etc.
One of our servers displayed this error after the Virtual Machine (VM) controlling our Domain Controller froze. Several related communication problems also started to pop up (like failed password resets). Resetting the frozen VM fixed the issue.
Lots of helpful answers already given.
One problem for me was the presence of invalid (Cyrillic) characters in the computer name.
And there is also a way to validate the connection between two servers (or between a server and a computer) using a small tool from Microsoft called DTCPing.
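Added example, not from the answers above: a PowerShell probe of both hosts for the three causes this thread lists (name resolution, RPC/135 reachability, duplicate DTC identity from a cloned image), finishing with Test-Dtc. It assumes PowerShell remoting to both hosts and the MsDtc module cmdlets (Get-Dtc, Get-DtcNetworkSetting, Test-Dtc); the property names read from them are as I recall them, and the server names are placeholders.

```powershell
# Added example, not from the original answers. Server names are placeholders; MsDtc module
# (Windows Server 2012+) and PowerShell remoting to both hosts are assumed.
$AppServer = 'app1.domain.local'   # placeholder
$DbServer  = 'db1.domain.local'    # placeholder

$probe = {
    param($peer)
    $dtc = Get-Dtc -DtcName Local
    $net = Get-DtcNetworkSetting -DtcName Local
    $peerShort = ($peer -split '\.')[0]
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OleTxCid      = $dtc.OleTxEndpointCid          # same value on both hosts => cloned image
        NetworkAccess = $net.NetworkDtcAccessEnabled
        Inbound       = $net.NetworkDtcAccessInbound
        Outbound      = $net.NetworkDtcAccessOutbound
        AuthLevel     = $net.AuthenticationLevel       # NoAuth / Incoming / Mutual
        PeerFqdnIP    = (Resolve-DnsName $peer -Type A -ErrorAction SilentlyContinue).IPAddress -join ','
        PeerShortIP   = (Resolve-DnsName $peerShort -Type A -ErrorAction SilentlyContinue).IPAddress -join ','
        PeerRpc135    = (Test-NetConnection $peer -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

$app = Invoke-Command -ComputerName $AppServer -ScriptBlock $probe -ArgumentList $DbServer
$db  = Invoke-Command -ComputerName $DbServer  -ScriptBlock $probe -ArgumentList $AppServer
$app, $db | Format-List

$findings = @()
if ($app.OleTxCid -eq $db.OleTxCid) {
    $findings += 'Identical DTC CID on both hosts: cloned image, reinstall MSDTC on one of them.'
}
foreach ($r in $app, $db) {
    if (-not ($r.NetworkAccess -and $r.Inbound -and $r.Outbound)) {
        $findings += "$($r.Computer): network DTC access / inbound / outbound not all enabled."
    }
    if (-not $r.PeerFqdnIP -or $r.PeerFqdnIP -ne $r.PeerShortIP) {
        $findings += "$($r.Computer): short and full name of the peer do not resolve to the same address."
    }
    if (-not $r.PeerRpc135) {
        $findings += "$($r.Computer): TCP 135 to the peer is blocked; the dynamic RPC range must be open too."
    }
}
if ($app.AuthLevel -ne $db.AuthLevel) {
    $findings += 'Authentication levels differ; both sides must agree (NoAuth when not in the same domain).'
}
$findings

# End-to-end round trip with Microsoft's own cmdlet, which covers the same ground as DTCPing.
Test-Dtc -LocalComputerName $AppServer -RemoteComputerName $DbServer -ResourceManagerPort 17100 -Verbose
```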