Conundrum with a new DC


Kurt Buff

Nov 21, 2022, 3:10:33 PM
to ntsys...@googlegroups.com
All,

I just stood up a new DC and transferred the /16 used in that location to the new site, and the DC resides in that site. The location is one that's been around for quite a while, but never had a DC before - it was using the DCs at the corporate office.

Sites and Services shows everything happy. Replication between DCs is happy as well.

I can see the sysvol on the new DC from the corporate office - dir \\newdc\sysvol and dir \\newdc\netlogon works - and so does browsing against the other DCs in our environment.

However, I've got some machines in that location that are not getting GPOs applied and are having printing problems and other issues because they can't browse the sysvol and netlogon shares on *ANY* DC, including the new one in that location.

The host firewall on the DC is on, and allowing all traffic for the Domain profile, and the Domain profile is the active profile.

I've seen this once in our environment when we stood up a completely new location with a new DC, and I never did figure out the root cause, but it took weeks for it to resolve itself.

I've looked at the firewall appliance logs for both HQ and this location, and am not seeing any traffic blocked by them. I've looked at the DC host firewall logs, and the machine that I'm working on shows in the DC logs with all traffic allowed, including ICMP and TCP ports 88, 389, 445, etc.

I've rebooted the workstation in question several times, and that hasn't done anything.

I've examined the network settings on the workstation, and it says connected/unauthenticated. I changed the IP address to static, and rebooted, and then it said it was on a public network. I set it to Private, but that didn't make a difference.

Just FYI: the workstation I'm working on now is getting its address from the old Windows DHCP server in this location, but AFAICT that shouldn't make any kind of difference.

I'm stumped.

Anyone have thoughts on this?

Thanks,
Kurt

Michael B. Smith

Nov 21, 2022, 3:17:03 PM
to ntsys...@googlegroups.com

What is $env:LOGONSERVER?

Is replication to/from the site happy?

Thanks.

Regards,

Michael B. Smith

Managing Consultant

Smith Consulting, LLC

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce7Mvs5w-Lq89pUXxu%3DHjZK6X78pjmSCXoY1PhcEDQTJGw%40mail.gmail.com.

Jim Kennedy

Nov 21, 2022, 3:17:21 PM
to ntsys...@googlegroups.com

What does %logonserver% show?

 


Mike

Nov 21, 2022, 3:18:46 PM
to ntsys...@googlegroups.com
Some machines in the new location but not all of them? Anything in common between those two cohorts?

James Iversen

Nov 21, 2022, 3:20:08 PM
to ntsys...@googlegroups.com
ARP cache?
James Iversen
Systems Analyst
IT Infrastructure
1899 Central Plaza East
Edmeston, NY 13335
nycm.com


Philip Elder

Nov 21, 2022, 3:22:23 PM
to ntsys...@googlegroups.com

My local search foo is sucking right now. We have dealt with this but I need to dig in to figure out where my notes went.

https://community.spiceworks.com/topic/2263002-domain-network-comes-up-as-unauthenticated
http://www.chicagotech.net/WordPress/2019/01/29/network-connection-shows-as-unauthenticated/
^^^

I think it's the machine password being out of sync with the DC(s). That seems to tweak the grey matter.

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

 


Kurt Buff

Nov 21, 2022, 3:22:24 PM
to ntsys...@googlegroups.com
I'm logged into this machine with the LAPS credential.

$env:logonserver is \\workstation

Kurt

Kurt Buff

Nov 21, 2022, 3:25:07 PM
to ntsys...@googlegroups.com
Just logged on with my non-privileged domain credentials, and the logon server is the local/new DC.

Kurt


Kurt Buff

Nov 21, 2022, 3:26:01 PM
to ntsys...@googlegroups.com
Unknown at the moment - I'm working from home, supposed to be on PTO.

Supposedly it's a few machines

Glen

Nov 21, 2022, 3:26:57 PM
to ntsys...@googlegroups.com

Is newdc also a dns server?  Did you update the dhcp options for this site to prefer newdc as their primary dns server?

 


Kurt Buff

Nov 21, 2022, 3:27:27 PM
to ntsys...@googlegroups.com
Nah - name resolution works, and I can ping and Test-NetConnection by IP address, plus I've rebooted several times.

Kurt Buff

Nov 21, 2022, 3:28:38 PM
to ntsys...@googlegroups.com
Yes, new DC does DNS.

Didn't update old DHCP server yet. That's a good call.

Kurt


James Iversen

Nov 21, 2022, 3:28:40 PM
to ntsys...@googlegroups.com
I've seen network admins have to add DCs to the IP helper in Cisco before they would be recognized by the general population.

Just another thought.







Kurt Buff

Nov 21, 2022, 3:28:55 PM
to ntsys...@googlegroups.com
I'll look at those.

Kurt

Kurt Buff

Nov 21, 2022, 3:41:53 PM
to ntsys...@googlegroups.com
The output of these three looked clean to me:
   dcdiag /v > C:\temp\dcdiag.log
   repadmin /showrepl > C:\temp\showrepl.log
   repadmin /replsum > C:\temp\replsum.log

Ran them on the FSMO role holder.

Kurt

Kurt Buff

Nov 21, 2022, 3:51:37 PM
to ntsys...@googlegroups.com
Just changed that, and rebooted the workstation to pick it up, which it did along with a different IP address.

Didn't make a difference, AFAICT.

Kurt

Kurt Buff

Nov 21, 2022, 4:01:23 PM
to ntsys...@googlegroups.com
I just ran test-computersecurechannel from the workstation, and it returned true.

Kurt


Michael B. Smith

Nov 21, 2022, 4:05:29 PM
to ntsys...@googlegroups.com

I would take a look at them on the new DC.

Kurt Buff

Nov 21, 2022, 4:10:42 PM
to ntsys...@googlegroups.com
If I log on with my non-priv domain credential, I can browse netlogon and sysvol for the DCs, but 'gpupdate /force' for the computer is still failing, with this message:

gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

In the System event log I see IDs 1129 followed by 1006, both for "Group Policy (Microsoft-Windows-GroupPolicy)", which have errors of "The network is not present or not started" and "Invalid credentials", respectively.

Kurt
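The two errors above (1129: no connectivity to a DC, 1006: LDAP bind failed) are what a workstation reports when the DC locator, a port, the secure channel or Kerberos itself is failing, and the thread checks each of those by hand. The following script, added here and not part of anything posted in the thread, runs those checks in one pass on an affected workstation (elevated). The only assumption is the placeholder domain name contoso.example, used when USERDNSDOMAIN is not set in the session (it isn't under a local LAPS logon); everything else is read from the machine.

```powershell
# Added example, not code from the thread. Run elevated on an affected workstation.
# Assumption: contoso.example is a placeholder, used only if $env:USERDNSDOMAIN is empty.

$Domain = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { 'contoso.example' }

# Which DC does the locator hand back when forced to re-discover (bypasses the cached DC)?
function Get-LocatedDc {
    param([Parameter(Mandatory)][string]$DomainName)
    $out = & nltest.exe "/dsgetdc:$DomainName" /force 2>&1
    $dc = $null
    foreach ($line in $out) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)') { $dc = $Matches[1]; break }
    }
    [pscustomobject]@{ Dc = $dc; Raw = ($out -join "`n") }
}

# Ports a domain member needs on its DC: DNS, Kerberos, RPC mapper, LDAP, SMB (SYSVOL/NETLOGON), kpasswd, LDAPS, GC
function Test-DcPorts {
    param([Parameter(Mandatory)][string]$Dc)
    foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
        $r = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Dc = $Dc; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

# Can the logged-on identity get a TGT? This tests the current session's account. To test the
# computer account itself, run the script under SYSTEM (e.g. psexec -s), which uses the machine credentials.
function Test-Tgt {
    param([Parameter(Mandatory)][string]$DomainName)
    $out = & klist.exe get "krbtgt/$DomainName" 2>&1
    [pscustomobject]@{
        Succeeded = -not ($out -match 'klist failed')   # klist prints "klist failed with 0x..." on error
        Raw       = ($out -join "`n")
    }
}

# The Group Policy events quoted in the thread: 1129 (no DC connectivity) and 1006 (LDAP bind failed)
function Get-GpFailureEvents {
    param([int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1129, 1006
        StartTime    = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, Message
}

# --- run the checks ---
$located = Get-LocatedDc -DomainName $Domain
"LOGONSERVER (this session): $env:LOGONSERVER"
"Locator now returns:        $($located.Dc)"
if (-not $located.Dc) { $located.Raw }

if ($located.Dc) {
    Test-DcPorts -Dc $located.Dc | Format-Table -AutoSize
    # -Server pins the test to the DC the locator chose, so a good channel to a DC elsewhere can't mask a bad local one
    "Secure channel to $($located.Dc): $(Test-ComputerSecureChannel -Server $located.Dc)"
}
Test-Tgt -DomainName $Domain | Format-List
Get-GpFailureEvents | Format-Table -Wrap
```

The point of pinning with -Server is the one that bit in this thread: Test-ComputerSecureChannel with no arguments returned True, but the workstation may have been validating against whichever DC the locator last handed it, not the new one in its own site.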


Kurt Buff

Nov 21, 2022, 4:18:19 PM
to ntsys...@googlegroups.com
They show clean from the new DC as well.

The only anomaly I see is this error for the workstation:

         An error event occurred.  EventID: 0xC000000E
            Time Generated: 11/21/2022   14:09:47
            Event String:
            While processing an AS request for target service krbtgt, the account WORKSTATION$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  17  3. The accounts available etypes : 23  18  17. Changing or resetting the password of WORKSTATION$ will generate a proper key.

However, I'm seeing that for any number of machines, and only about 4 out of 45 or so seem to have this problem.

Kurt
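The event string above lists etypes by number on both sides and leaves you to work out whether they actually overlap. The script below, added here and not part of anything posted in the thread, decodes that exact message (embedded as constructed input, with the account name as quoted) into names, computes the overlap, and also decodes the msDS-SupportedEncryptionTypes bitmask that computer accounts advertise. It assumes the ActiveDirectory module (RSAT) for the last query and that it is run on a DC for the event log pull.

```powershell
# Added example, not code from the thread. Decodes the KDC "no suitable key" event and the
# msDS-SupportedEncryptionTypes bitmask. Assumes the ActiveDirectory module for Get-ADComputer.

# Kerberos etype numbers as they appear in the KDC event text
$EtypeNames = @{
    1  = 'DES-CBC-CRC'
    3  = 'DES-CBC-MD5'
    17 = 'AES128-CTS-HMAC-SHA1-96'
    18 = 'AES256-CTS-HMAC-SHA1-96'
    23 = 'RC4-HMAC'
    24 = 'RC4-HMAC-EXP'
}

# msDS-SupportedEncryptionTypes is a bitmask, not a list of etype numbers
$SupportedEtypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertTo-EtypeList {
    param([string]$Field)   # e.g. "18  17  3"
    ($Field -split '\s+') | Where-Object { $_ } | ForEach-Object { [int]$_ }
}

# Parse the "did not have a suitable key" event (System log, source Kerberos-Key-Distribution-Center)
function ConvertFrom-KdcKeyEvent {
    param([Parameter(Mandatory)][string]$Message)
    $account   = [regex]::Match($Message, 'the account (\S+) did not have').Groups[1].Value
    $requested = ConvertTo-EtypeList ([regex]::Match($Message, 'requested etypes\s*:\s*([\d\s]+?)\.').Groups[1].Value)
    $available = ConvertTo-EtypeList ([regex]::Match($Message, 'available etypes\s*:\s*([\d\s]+?)\.').Groups[1].Value)
    $common    = $requested | Where-Object { $available -contains $_ }
    [pscustomobject]@{
        Account   = $account
        Requested = ($requested | ForEach-Object { "$_ ($($EtypeNames[$_]))" }) -join ', '
        Available = ($available | ForEach-Object { "$_ ($($EtypeNames[$_]))" }) -join ', '
        Common    = ($common    | ForEach-Object { "$_ ($($EtypeNames[$_]))" }) -join ', '
    }
}

# Decode an account's msDS-SupportedEncryptionTypes value; $null means the attribute was never set
function ConvertFrom-SupportedEtypes {
    param([AllowNull()][object]$Value)
    if ($null -eq $Value) { return '(not set)' }
    $names = foreach ($bit in $SupportedEtypeBits.Keys) {
        if (([int]$Value -band $bit) -ne 0) { $SupportedEtypeBits[$bit] }
    }
    if ($names) { $names -join ', ' } else { '(0x{0:X} sets no known bit)' -f [int]$Value }
}

# Constructed input: the event string quoted from dcdiag in the thread
$eventText = 'While processing an AS request for target service krbtgt, the account WORKSTATION$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  17  3. The accounts available etypes : 23  18  17. Changing or resetting the password of WORKSTATION$ will generate a proper key.'
ConvertFrom-KdcKeyEvent -Message $eventText | Format-List

# Same decode over the last day of KDC events on this DC
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; StartTime = (Get-Date).AddDays(-1)
} | Where-Object { $_.Message -like '*did not have a suitable key*' } |
    ForEach-Object { ConvertFrom-KdcKeyEvent -Message $_.Message }

# What each computer account advertises (the hyphenated attribute name needs quoting)
Get-ADComputer -Filter * -Properties 'msDS-SupportedEncryptionTypes' |
    Select-Object Name, @{ n = 'SupportedEtypes'; e = { ConvertFrom-SupportedEtypes $_.'msDS-SupportedEncryptionTypes' } }
```

For the quoted event the decode gives Requested = AES256, AES128, DES-CBC-MD5 (the RC4-disabling GPO Kurt mentions later explains why 23 is absent) and Available = RC4, AES256, AES128, so Common is AES256 and AES128. A non-empty overlap means a plain etype mismatch does not by itself explain the refusal, which fits the conclusion later in the thread that the DC itself, carrying the November update, was the problem rather than the workstation's keys.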

Michael B. Smith

Nov 21, 2022, 4:23:24 PM
to ntsys...@googlegroups.com

Did you install the OOB DC patch from yesterday? (Or back out the November patch?)

Mike

Nov 21, 2022, 4:23:34 PM
to ntsys...@googlegroups.com
Any chance the new DC is missing the OoB Kerberos RC4 update? (I would guess not but just would rule it out.)

Kurt Buff

Nov 21, 2022, 4:25:36 PM
to ntsys...@googlegroups.com
I backed out the patch on Thursday.

Root cause of that message seems to be a GPO (configured long before I got here) that disables RC4 for the workstations.

Kurt

Kurt Buff

Nov 21, 2022, 4:26:48 PM
to ntsys...@googlegroups.com
Never applied - I ran the updates in test last week, which included one of the DCs (the new one wasn't part of the test) and backed it out on the test DC after we saw problems with a few machines.

Kurt

Michael B. Smith

Nov 21, 2022, 4:34:51 PM
to ntsys...@googlegroups.com

This still sounds like a secure channel issue (yes, I read where you tested it).

 

I’d reset it, just for grins and giggles. (That means I’m out of ideas.)

Kurt Buff

Nov 21, 2022, 4:35:47 PM
to ntsys...@googlegroups.com
Well, so am I, so I'll do that reset, and see if it makes a difference.


Philip Elder

Nov 21, 2022, 4:57:08 PM
to ntsys...@googlegroups.com

# Renew Domain Trust / Machine Password

# Option 1

Test-ComputerSecureChannel
# ! FALSE = BROKEN

# TODO Fix it!
# A bare "DOMAIN\user" string for -Credential makes PowerShell prompt for that account's password.
$Domain = "DOMAIN.Com"
$NETBIOS = "DOMAIN"
$DomainAdmin = "MyAdmin"
Test-ComputerSecureChannel -Credential "$($NETBIOS)\$($DomainAdmin)" -Repair
# True = #? Fixed; confirm with a plain test:
Test-ComputerSecureChannel
# True

# Option 2

# We have found that you can rejoin the domain by simply changing the domain from the full domain name (domain.company.org) to the NetBIOS name (or vice-versa) in the system control panel.
# No need to reset the computer account.

<#
Michael Smith:
Is this about secure channels?
Has anyone tried a simple
# ? nltest /sc_reset:DOMAIN\DCNAME
#   (re-establishes the secure channel, optionally against the named DC)
# ? netdom resetpwd /server:DCNAME /userd:DOMAIN\MyAdmin /passwordd:*
#   (resets the machine account password against that DC; run as local admin)
#>

# Sign in as local admin on Win10/Server
$Domain = "DOMAIN.Com"
$DomainAdmin = "MyAdmin"
# Add -Server <DC> to reset against a specific DC rather than whichever one the locator picks.
Reset-ComputerMachinePassword -Credential "$($Domain)\$($DomainAdmin)"

# ! Live Test

 

 

Kurt Buff

Nov 21, 2022, 5:05:23 PM
to ntsys...@googlegroups.com
Didn't make a difference.

However, I shut down the DC, rebooted the workstation, and it's talking with a DC in another site/location, and group policies are applying.

I am *SO* effing confused.

Kurt

Kurt Buff

Nov 21, 2022, 5:37:33 PM
to ntsys...@googlegroups.com
Since the problem disappeared with the DC shut down, I've been told to leave it shut down until the first of the year, to avoid further impact.

Can't even bring it up during off hours to troubleshoot.

So, I'll probably have to reanimate this thread later.

Kurt

Markus Klocker

Nov 22, 2022, 4:13:25 AM
to ntsys...@googlegroups.com
Really sounds like the gremlins are in some kind of cache.
Do the affected machines point to the new DC as DNS server?
Did you try a "klist purge" on affected machines?
"arp -d", "ipconfig /flushdns", just to get everything out that could go wrong.

    Markus

Kurt Buff

Nov 22, 2022, 4:32:22 AM
to ntsys...@googlegroups.com
I just figured it out - I think. I literally woke from a dream a few minutes ago and figured it out.

This VM patched itself before joining the domain, which means it didn't get its patches from WSUS. It was built last week, probably on Tuesday or Wednesday, and it wasn't until Wednesday that it was promoted.

Therefore, it got the faulty 2019 patch, which was unapproved in WSUS.

The problem will be convincing the IT director to allow it to be turned back on and remove the patch.

Kurt

Markus Klocker

Nov 22, 2022, 5:09:25 AM
to ntsys...@googlegroups.com
Install the fix instead and give it a try?
Absolutely nasty stuff, this 2022-11 CU...

Kurt Buff

Nov 22, 2022, 8:40:04 AM
to ntsys...@googlegroups.com
Not going to be approved. Not even sure they'll allow it to be turned on to remove the November patch.

Kurt

James Iversen

Nov 22, 2022, 9:03:25 AM
to ntsys...@googlegroups.com

If it's a VM, remove the NIC...



Mike

Nov 22, 2022, 9:51:20 AM
to ntsys...@googlegroups.com
Obviously the IT Director has to approve turning it on to remove the patch…because now we are all invested in the mystery and need to know!

Henry Awad

Nov 22, 2022, 10:18:56 AM
to ntsys...@googlegroups.com
The only problem with turning off a DC is sync skew. If it gets too far out of sync, the other DCs will not sync up with it anymore. So keep that in mind. You might be better off decommissioning it and starting fresh later.
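The limit Henry is describing is the forest's tombstone lifetime: a DC that has been offline longer than that must not be reconnected. The script below, added here and not part of anything posted in the thread, reads that value from the configuration partition and asks the live DCs when they last replicated successfully from the offline one, which gives the remaining budget. It assumes the ActiveDirectory module (RSAT) and uses NEWDC as a placeholder for the shut-down DC's name.

```powershell
# Added example, not code from the thread. Run with the ActiveDirectory module against the live DCs.
# Assumption: NEWDC is a placeholder for the short name of the DC that was shut down.

$OfflineDc = 'NEWDC'

# Forest tombstone lifetime; an unset attribute means the legacy default of 60 days applies
function Get-TombstoneLifetimeDays {
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

# From the live partners' point of view: when did each last pull successfully from the offline DC?
function Get-LastInboundFromDc {
    param([Parameter(Mandatory)][string]$DcName)
    $liveDcs = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $DcName } | ForEach-Object { $_.HostName }
    Get-ADReplicationPartnerMetadata -Target $liveDcs -Partition * -ErrorAction SilentlyContinue |
        Where-Object { $_.Partner -like "*CN=$DcName,*" } |    # Partner is the NTDS Settings DN of the source DC
        Select-Object Server, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
}

function Get-OfflineDcBudget {
    param([Parameter(Mandatory)][string]$DcName)
    $tsl  = Get-TombstoneLifetimeDays
    $meta = Get-LastInboundFromDc -DcName $DcName
    $last = $meta | Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1
    if (-not $last) { throw "No replication metadata names $DcName as a partner; is the name right?" }
    $offlineDays = ((Get-Date) - $last.LastReplicationSuccess).TotalDays
    [pscustomobject]@{
        Dc                    = $DcName
        TombstoneLifetimeDays = $tsl
        LastSuccessFrom       = $last.LastReplicationSuccess
        OfflineDays           = [math]::Round($offlineDays, 1)
        DaysRemaining         = [math]::Round($tsl - $offlineDays, 1)
        SafeToReconnect       = $offlineDays -lt $tsl
    }
}

Get-OfflineDcBudget -DcName $OfflineDc | Format-List
Get-LastInboundFromDc -DcName $OfflineDc | Format-Table -AutoSize
```

If SafeToReconnect comes back False, the right move is the one Henry suggests: treat the box as gone, clean up its metadata, and build a fresh DC rather than powering the old one back on.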

Jonathan Raper

Nov 22, 2022, 10:19:16 AM
to ntsys...@googlegroups.com
#ApproveTheRemove is starting to trend on Twitter.

We will not be silenced.

We must know the truth: #WasItThePatch?

Thanks,

Jonboy



Jonathan Raper

Nov 22, 2022, 10:22:08 AM
to ntsys...@googlegroups.com
That, and you will have all kinds of errors on the rest of your DCs until this is resolved.

Leaving a DC off/disconnected for an extended period of time is a bad idea, IMO.

Thanks,

Jonboy



Melvin Backus

Nov 22, 2022, 11:28:46 AM
to ntsys...@googlegroups.com

Since the OOB is small, you could probably disconnect the network, push the update file via USB, etc., and patch it offline.

 

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯

Kurt Buff

Nov 22, 2022, 12:45:25 PM
to ntsys...@googlegroups.com
Well, disconnect it from the network anyway.

And that's what they're doing.

Kurt
