Adding 2025 DC to 2016 functional level domain causes mapped drive issues

David McSpadden

Jul 31, 2025, 2:13:42 PM
to ntsysadmin
We added 2025 DCs 2 months ago to our domain that had 2 2016 DCs. We have moved NTP and FSMO roles to 1 of the 2025 DCs, but we still have some users that lose connectivity to their Home drive and other network drives. A reboot normally cleans it up, but how do we fix it for the long haul...

Michael B. Smith

Jul 31, 2025, 2:31:15 PM
to ntsys...@googlegroups.com

What kind of errors? Is timesync still good?


David McSpadden

Aug 1, 2025, 1:08:43 PM
to ntsysadmin
Time sync is good. Rebooting normally corrects it. I think it might be some old PCs that still have RC4 and DES enabled (non-inheriting OUs for the GPOs). If that is truly the case, slapping them with 0x18 in the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\SupportedEncryptionTypes should correct them, right?

Michael B. Smith

Aug 1, 2025, 3:40:56 PM
to ntsys...@googlegroups.com
Message has been deleted

David McSpadden

Aug 5, 2025, 3:34:31 PM
to ntsysadmin
To be clear, on the workstations, not the DCs or even the member servers.

Michael B. Smith

Aug 6, 2025, 1:17:11 PM
to ntsys...@googlegroups.com

Yes.

But to be sure – have you reset the krbtgt password at least twice “recently”? (That is, at least twice since the first Server 2008 DC was introduced into your environment.)

David McSpadden

Aug 6, 2025, 2:46:56 PM
to ntsysadmin
No, we were just having internal discussions on this. So if I set KRBTGT on a 180 cycle and at that day reset the password, wait 2 full days and reset it again. And it stays disabled in the Users container, yes?

Michael B. Smith

Aug 6, 2025, 2:49:30 PM
to ntsys...@googlegroups.com

You just need to wait a full replication cycle.

I think Kurt does it once a month. Some people do it weekly.

But yes, it stays disabled (the container/OU is irrelevant, it’s a WKO).

Kurt Buff

Aug 6, 2025, 3:12:46 PM
to ntsys...@googlegroups.com
Yes, I do it once a month. 

Unless it's been changed, the default for krbtgt lifetime is 10 hours, so theoretically you could do it twice a day.

If you do it twice in that 10 hour span, people will start to fail authentication, and while it's not the end of the world, it would be very annoying to users and any apps that depend on krb auth.

Kurt

John Anson

Aug 8, 2025, 4:09:26 AM
to ntsys...@googlegroups.com
Just a thought.
Seems like those users are losing connection to the network, or at least to the LAN.
Are drives mapped via GPO?
Depending on the settings of the policy for the drive mapping, they could break / remove the connection if not connected to the network.
GPO will re-apply approximately every 90 min; this has also caused me problems with Access DBs that were set to use drive letters.

David McSpadden

Aug 8, 2025, 2:22:05 PM
to ntsysadmin
Some users are work from home, others are at their desk in the office. Seems to be just 1 member server and its shares and not others. The GPO is set for Update, if that helps.
A reboot corrects this 99% of the time currently?
What diags or troubleshooting can I run on the workstation to see what protocol, cipher, SMB, or other setting is goobered?

Henry Awad

Aug 8, 2025, 2:37:04 PM
to ntsys...@googlegroups.com
Sysmon and Wireshark would be good for monitoring/troubleshooting.

Henry Awad
Principal Engineer
Technology Services
The Catholic University of America
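
A workstation-side check for the encryption-type question raised in this thread, as an added example that is not from any of the participants: it decodes `SupportedEncryptionTypes` and lists the encryption type and issuing KDC of each cached Kerberos ticket. The function name `ConvertFrom-EncTypeMask` is hypothetical, the second registry path (the Group Policy location) is not mentioned in the thread, and the `klist` field labels assume English-language Windows.

```powershell
# Added example. Run in the affected user's session on the workstation.
# Bit values for SupportedEncryptionTypes; 0x18 = AES128 + AES256.
$EncFlags = @{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

# Hypothetical helper: turn the DWORD bitmask into a list of cipher names.
function ConvertFrom-EncTypeMask {
    param([long]$Mask)
    foreach ($bit in ($EncFlags.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $EncFlags[$bit] }
    }
}

$paths = @(
    # Path named in the thread
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    # Assumption (not in the thread): where the Kerberos encryption-types GPO setting is stored
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
)
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $v) { "$p : SupportedEncryptionTypes not set" }
    else { '{0} : 0x{1:X} = {2}' -f $p, $v, ((ConvertFrom-EncTypeMask $v) -join ', ') }
}

# Walk klist output: one record per cached ticket, emitted at its "Kdc Called" line.
$t = @{}
$tickets = foreach ($line in (klist)) {
    switch -Regex ($line) {
        '^\s*Server:\s*(.+)$'                     { $t = @{ Server = $Matches[1].Trim() } }
        '^\s*KerbTicket Encryption Type:\s*(.+)$' { $t.TicketEnc = $Matches[1].Trim() }
        '^\s*Session Key Type:\s*(.+)$'           { $t.SessionKey = $Matches[1].Trim() }
        '^\s*Kdc Called:\s*(.*)$' {
            $t.Kdc = $Matches[1].Trim()
            # Flag tickets or session keys that are not AES
            $t.Legacy = "$($t.TicketEnc) $($t.SessionKey)" -match 'RC4|DES'
            [pscustomobject]$t
        }
    }
}
$tickets | Format-Table Server, TicketEnc, SessionKey, Kdc, Legacy -AutoSize
```

Comparing the output from a session where the drives have dropped with one taken after a reboot shows whether the ticket for the affected file server differs in encryption type or issuing DC.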
