Archive for the ‘Windows 2008 Server’ Category

Symptoms

One of the DNS servers in your environment starts showing an issue where the zones are not loaded in the DNS console, and Event IDs 4000 and 4007 are logged in the DNS Server event log:

Event ID 4000:

The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Event ID 4007:

The DNS server was unable to open zone <zone> in the Active Directory from the application directory partition <partition name>. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Also, when you try to open the DNS console, you get an Access Denied pop-up.

You notice that the DNS Server service is up and running.

When you try to perform any operation on the AD-integrated zones using DNSCMD, you receive an Access Denied error message.

Cause

• This issue happens when that particular DC/DNS server has lost its secure channel with itself or with the PDC.

• It can also happen in a single-DC environment where that DC/DNS server holds all the FSMO roles and points to itself as its primary DNS server.

Resolution

Step 1 :- Stop the KDC (Kerberos Key Distribution Center) service.

Step 2 :- Open a command prompt with elevated privileges (Run as administrator) and enter the following command:

netdom resetpwd /server:DC.domain.local /userd:Domain\domain_admin /passwordd:*

Step 3 :- When prompted, enter the password of the domain admin account you specified.

Step 4 :- Once the command completes, reboot the server.
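An added script (not from the original post) that confirms the symptom and the cause before carrying out the reset above: it looks for DNS events 4000/4007, queries the DC's own secure channel with nltest, and only then stops the KDC and runs netdom. The server name DC.domain.local and the account Domain\domain_admin are the post's placeholders; run it in an elevated PowerShell on the affected DC/DNS server.

```powershell
# Added example, not from the original post. Run elevated on the affected DC.

# Symptom check: DNS Server events 4000 / 4007 in the last 24 hours.
$dnsErrors = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'DNS Server'
    Id        = 4000, 4007
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue)
if ($dnsErrors.Count -eq 0) {
    'No 4000/4007 events in the last 24 hours; this post does not apply.'
    return
}
$dnsErrors | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Cause check: query the DC's secure channel to its own domain.
$domain  = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$scQuery = & nltest.exe /sc_query:$domain 2>&1
$scQuery
if ($scQuery -match 'The command completed successfully') {
    'Secure channel is healthy; look for another cause.'
    return
}

# Reset as in the post: stop the KDC first, reset the machine-account
# password (netdom prompts for the admin password because of /passwordd:*),
# then reboot. Placeholders below come from the post.
Stop-Service -Name kdc -Force
& netdom.exe resetpwd /server:DC.domain.local /userd:Domain\domain_admin /passwordd:*
if ($LASTEXITCODE -ne 0) {
    Write-Warning "netdom resetpwd failed with exit code $LASTEXITCODE; restarting the KDC."
    Start-Service -Name kdc
    return
}
Restart-Computer -Force
```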

Thanks and Regards

Kiran Sawant

Symptoms

On a Windows-based computer, you notice that more system memory and paged pool memory are being consumed than expected. This memory leak occurs after about 10 minutes of system uptime and eventually causes the system to hang.

Additionally, PoolMon analysis may show that the Windows Notification Facility (WNF) pool tag is consuming all the available paged pool memory.

Cause

The issue occurs in the Endpoint Mapper Logic component. The Remote Registry service is designed to stop running after the connection has been idle for 10 minutes.

Solutions

To work around this issue, follow these steps:

  1. Open the Run box by pressing the Windows key+R.
  2. Type regedit.exe, and then press Enter.
  3. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry

  4. In the details pane (on the right side), double-click DisableIdleStop.
  5. Change the value to 00000001.

     Note: The default value is 00000000.

  6. Exit Registry Editor.
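An added script (not from the original post) that measures current paged pool use, reports the present DisableIdleStop value, and applies the workaround above without opening Registry Editor. It assumes an elevated PowerShell on the affected server.

```powershell
# Added example, not from the original post. Run elevated.

# How much paged pool is in use right now (the symptom the post describes).
$pagedPoolMB = [math]::Round((Get-Counter '\Memory\Pool Paged Bytes').CounterSamples[0].CookedValue / 1MB)
"Paged pool in use: $pagedPoolMB MB"

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry'
$name = 'DisableIdleStop'
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"Current $name value: $(if ($null -eq $current) { 'not set (default 0)' } else { $current })"

if ($current -ne 1) {
    # REG_DWORD 1 keeps Remote Registry from stopping after the 10-minute idle period.
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    Restart-Service -Name RemoteRegistry
    "$name set to 1; Remote Registry service restarted."
}
```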

Thanks and Regards

Kiran Sawant

Symptoms

All user Group Policy objects, including those that are security filtered on user accounts, security groups, or both, may fail to apply on domain-joined computers.

Cause

This issue may occur if the Group Policy Object is missing Read permissions for the Authenticated Users group, or if you are using security filtering and the Domain Computers group is missing Read permissions.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and do one of the following:

  • Add the Authenticated Users group with Read permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with Read permissions.
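An added audit script (not from the original post) that walks every GPO in the domain and flags the ones where neither Authenticated Users nor Domain Computers holds a permission level that includes Read, printing the Set-GPPermission command that applies the first fix above. It assumes the GroupPolicy module (RSAT/GPMC) and an account allowed to read GPO security.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module.
Import-Module GroupPolicy

# Permission levels that include Read on a GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoHasRead {
    param([string]$GpoName, [string]$Group)
    # Get-GPPermission errors when the trustee has no ACE at all; treat that as "no Read".
    $perm = Get-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -ErrorAction SilentlyContinue
    return ($null -ne $perm -and $readLevels -contains [string]$perm.Permission)
}

$findings = foreach ($gpo in Get-GPO -All) {
    $authRead = Test-GpoHasRead -GpoName $gpo.DisplayName -Group 'Authenticated Users'
    $compRead = Test-GpoHasRead -GpoName $gpo.DisplayName -Group 'Domain Computers'
    if (-not $authRead -and -not $compRead) {
        [pscustomobject]@{
            GPO     = $gpo.DisplayName
            Problem = 'Neither Authenticated Users nor Domain Computers has Read'
            Fix     = "Set-GPPermission -Name '$($gpo.DisplayName)' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead"
        }
    }
}

if ($findings) { $findings | Format-List } else { 'All GPOs grant Read to Authenticated Users or Domain Computers.' }
```

If security filtering is in use and Authenticated Users must not get Apply, keep the Read-only level (GpoRead) or grant Read to Domain Computers instead, as the second bullet above describes.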

Thanks and Regards

Kiran Sawant

Symptoms

When a user tries to log on to a computer by using a local computer account or a domain user account, the logon request may fail, and you receive the following error message:

Logon Message: The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator.

The issue occurs when the logon user is an explicit or transitive member of about 1010 or more security groups.

Event Type:     Warning
Event Source:   LsaSrv
Event Category: None
Event ID:       6035
Date:           Date
Time:           time
User:           N/A
Computer:       hostname

Description:

During a logon attempt, the user’s security context accumulated too many security IDs. This is a very unusual situation.  Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context.

User’s SID is SID

If this is the Administrator account, logging on in safe mode will enable Administrator to log on by automatically restricting group memberships.

Cause

When a user logs on to a computer, the Local Security Authority (LSA, a part of the Local Security Authority Subsystem) generates an access token that represents the user’s security context. The access token consists of unique security identifiers (SID) for every group that the user is a member of. These SIDs include transitive groups and SID values from SIDHistory of the user and the group accounts.

The array that contains the SIDs of the user’s group memberships in the access token can contain no more than 1024 SIDs. The LSA cannot drop any SID from the token. So, if there are more SIDs, the LSA fails to create the access token and the user will be unable to log on.

When the list of SIDs is built, the LSA also inserts several generic, well-known SIDs in addition to the SIDs for the user’s group memberships (evaluated transitively). Thus if a user is a member of more than about 1,010 custom security groups, the total number of SIDs can exceed the 1,024 SID limit.

Important

  • Tokens for both administrator and non-administrator accounts are subject to the limit.
  • The exact number of custom SIDs varies with the logon type (for example, interactive, service, or network) and with the operating system version of the domain controller and of the computer that creates the token.
  • Using Kerberos or NTLM as the authentication protocol has no bearing on the access token limit.
  • “Token” in the Kerberos context refers to the buffer for the tickets received by a Windows Kerberos host. Depending on the size of the ticket, the type of SIDs, and whether SID compression is enabled, the buffer can hold fewer or many more SIDs than would fit into the access token.

The list of custom SIDs will include the following:

  • The primary SIDs of the user/computer and the security groups the account is member of.
  • The SIDs in the SIDHistory attribute of the groups in scope of the logon.

Because the SIDHistory attribute can contain multiple values, the limit of 1024 SIDs can be reached very quickly if accounts are migrated multiple times. The number of SIDs in the access token will be less than the total number of groups that the user is a member of in the following situations:

  • The user is from a trusted domain where SIDHistory and SIDs are filtered out.
  • The user is from a trusted domain across a trust where SIDs are quarantined. Then, only SIDs from the same domain as the user’s are included.
  • Only the Domain Local Group SIDs from the domain of the resource are included.
  • Only the Server Local Group SIDs from the resource server are included.

Because of these differences, it’s possible that the user can log on to a computer in one domain, but not to a computer in another domain. The user might also be able to log on to one server in a domain, but not to another server in the same domain.

Resolution

To fix this problem, use one of the following methods, as appropriate for your situation.

Method 1

This resolution applies to the situation in which the user who encounters the logon error is not an administrator, and administrators can successfully log on to the computer or to the domain.

This resolution must be performed by an administrator who has permissions to change the group memberships that the affected user is a member of. The administrator must change the user’s group memberships to make sure that the user is no longer a member of more than about 1010 security groups (considering the transitive group memberships and the local group memberships).

Options to reduce the number of SIDs in the user token include the following:

  • Remove the user from a sufficient number of security groups.
  • Convert unused security groups to distribution groups. Distribution groups don’t count against the access token limit. Distribution groups can be converted back to security groups when a converted group is required.
  • Determine whether security principals are relying on SID History for resource access. If not, remove the SIDHistory attribute from these accounts. You can retrieve the attribute value through an authoritative restore.

Note: Although the maximum number of security groups that a user can be a member of is 1024, as a best practice, restrict the number to less than 1010. This number makes sure that token generation will always succeed because it provides space for the generic SIDs that are inserted by the LSA.

Method 2

This resolution applies to the situation in which the Administrator account cannot log on to the computer.

When the user whose logon fails because of too many group memberships is a member of the Administrators group, an administrator who has the credentials for the Administrator account (that is, the account that has the well-known relative identifier [RID] of 500) must restart a domain controller by selecting the Safe Mode startup option (or the Safe Mode with Networking startup option). In safe mode, log on to the domain controller by using that Administrator account's credentials.

Microsoft has changed the token generation algorithm so that the LSA can create an access token for the Administrator account so that the administrator can log on regardless of how many transitive groups or intransitive groups that the Administrator account is a member of. When one of these safe mode startup options is used, the access-token that is created for the Administrator account includes the SIDs of all Built-in and all Domain Global groups that the Administrator account is a member of.

These groups typically include the following:

  • Everyone (S-1-1-0)
  • BUILTIN\Users (S-1-5-32-545)
  • BUILTIN\Administrators (S-1-5-32-544)
  • NT AUTHORITY\INTERACTIVE (S-1-5-4)
  • NT AUTHORITY\Authenticated Users (S-1-5-11)
  • LOCAL (S-1-2-0)
  • Domain\Domain Users (S-1-5-21-xxxxxxxx-yyyyyyyy-zzzzzzzz-513)
  • Domain\Domain Admins (S-1-5-21-xxxxxxxx-yyyyyyyy-zzzzzzzz-512)
  • BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554) if Everyone is a member of this group
  • NT AUTHORITY\This Organization (S-1-5-15) if the domain controller is running Windows Server 2003

Note: If the Safe Mode startup option is used, the Active Directory Users and Computers snap-in user interface (UI) is not available. In Windows Server 2003, the administrator may alternatively log on by selecting the Safe Mode with Networking startup option; in this mode, the Active Directory Users and Computers snap-in UI is available.

After an administrator has logged on by selecting one of the safe mode startup options and by using the credentials of the Administrator account, the administrator must then identify and modify the membership of the security groups that caused the denial of logon service.

After this change is made, users should be able to log on successfully after a time period that is equal to the domain’s replication latency has elapsed.
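An added script (not from the original post) for the administrator working through Method 1: it reads the user's tokenGroups attribute, which already expands transitive group membership (and the SIDHistory of those groups), and reports how close the user is to the ~1010 custom-SID threshold. The 14-SID allowance for the generic SIDs the LSA inserts (1024 minus 1010) and the user name 'jdoe' are assumptions; it runs on any domain-joined machine without extra modules.

```powershell
# Added example, not from the original post. Runs on a domain-joined machine.
function Get-TokenSidEstimate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $filter   = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
    $result   = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found." }

    # tokenGroups is constructed on demand, so it must be requested explicitly.
    $entry = $result.GetDirectoryEntry()
    $entry.psbase.RefreshCache([string[]]@('tokenGroups'))
    $groupSids  = $entry.psbase.Properties['tokenGroups'].Count
    $sidHistory = $entry.psbase.Properties['sIDHistory'].Count

    # Assumed allowance for the well-known SIDs the LSA adds (1024 - 1010).
    $genericAllowance = 14
    # User's own SID + expanded group SIDs + the user's own SIDHistory values.
    $customSids = 1 + $groupSids + $sidHistory

    [pscustomobject]@{
        User              = $SamAccountName
        TokenGroupSids    = $groupSids
        UserSidHistory    = $sidHistory
        CustomSids        = $customSids
        EstimatedTotal    = $customSids + $genericAllowance
        HeadroomTo1010    = 1010 - $customSids
        LikelyToFailLogon = ($customSids + $genericAllowance) -gt 1024
    }
}

Get-TokenSidEstimate -SamAccountName 'jdoe' | Format-List
```

Because the token is built on the computer being logged on to, local group memberships on that computer are not included here; the estimate covers only the domain side that Method 1 changes.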

Thanks and Regards

KIRAN SAWANT

Symptoms

While using Windows Server 2012, events as shown below are logged in the application event log at high frequency (about 5 times/sec) regarding SystemIdentity.mdb.
——————————————————————————
Source: ESENT
Event ID: 327
Task category: General
Level: Information
Keyword: Classic
Description:
svchost (2576) database engine has attached database (2, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 sec)

Internal timing sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.032, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.015.
Recovery cache: 0
——————————————————————————
Source: ESENT
Event ID: 326
Task category: General
Level: Information
Keyword: Classic
Description:
svchost (2576) database engine has attached database (2, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 sec)

Internal timing sequence: [1] 0.000, [2] 0.000, [3] 0.281, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Storage cache: 1
——————————————————————————

As a result, the application event log fills up and other events become difficult to find.

Cause

This issue occurs when there is a problem with the data in the SystemIdentity.mdb database file.

Resolution

To stop this event from recurring, stop the “User Access Logging” service.
After stopping the service, do one of the following.

<Database File Deletion and Regeneration>
Delete and regenerate the damaged database file.
After stopping the service, delete all files in the folder “%SystemRoot%\system32\LogFiles\Sum\”.
After that, start the “User Access Logging” service. The database will be newly generated.

<Stopping “User Access Logging” Service>
If you are not using the “User Access Logging” service, disable it.
After stopping the service, set the “Startup Type” of “User Access Logging” to Disabled in the Services console (Administrative Tools > Services).
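An added script (not from the original post) that first measures the rate of ESENT 326/327 events for SystemIdentity.mdb and only then applies the first remedy above. It moves the Sum folder contents to a timestamped backup folder instead of deleting them, so the damaged database can still be examined; the service name UALSVC is the User Access Logging service, and the script assumes an elevated PowerShell on the server.

```powershell
# Added example, not from the original post. Run elevated on the affected server.

# Detection: how often are ESENT 326/327 for SystemIdentity.mdb being logged?
$window = (Get-Date).AddMinutes(-10)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'ESENT'
    Id           = 326, 327
    StartTime    = $window
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*SystemIdentity.mdb*' })

$perSecond = [math]::Round($events.Count / 600, 2)
"ESENT 326/327 events for SystemIdentity.mdb in the last 10 minutes: $($events.Count) (~$perSecond per second)"
if ($perSecond -lt 1) { 'Rate is normal; nothing to do.'; return }

# Remedy: stop User Access Logging, set the database files aside, restart.
$sumFolder = Join-Path $env:SystemRoot 'system32\LogFiles\Sum'
$backup    = "$sumFolder.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Stop-Service -Name UALSVC -Force
New-Item -ItemType Directory -Path $backup | Out-Null
Move-Item -Path (Join-Path $sumFolder '*') -Destination $backup
Start-Service -Name UALSVC                # a fresh SystemIdentity.mdb is created on start
"Old database files moved to $backup"
Get-ChildItem -Path $sumFolder
```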

Thanks and Regards

KIRAN SAWANT

“Network path was not found” when trying to set file sharing permissions

Troubleshooting Steps:

1. Run “netsh winsock reset cmd” in a command prompt.

2. Run services.msc and look for the “Computer Browser” service. This should be somewhere between the “COM+” services, and “Cryptographic Service”.

• If the “Computer Browser” service is not present, you probably need to reinstall Client for Microsoft Networks; proceed to step 3. If the service is present, follow the rest of the bullets in this step and skip the remaining steps.

• If the “Computer Browser” service’s Startup Type is Disabled or Manual, open the Properties page and change it to Automatic.

• If the “Computer Browser” service is stopped, start it.

3. Open the Properties page of your network connection. In the list that says “This connection uses the following items:” check for “Client for Microsoft Networks”.

• If “Client for Microsoft Networks” is present, verify the “Computer Browser” service’s settings, per the last two bullets of step 2. If those settings are correct, and a reboot does not solve the problem, there’s a different issue at hand.

• If “Client for Microsoft Networks” is not present, proceed to step 4.

4. Reinstall “Client for Microsoft Networks”.

• In the Properties page of your network connection, below the list marked “This connection uses the following items:”, click “Install…”.

• In the “Select Network Component Type” dialog, select “Client”, then click “Add…”.

• In the “Select Network Client” dialog, select “Client for Microsoft Networks”, then click “OK”.

• In the Connection Properties dialog, click OK.

5. Reboot the computer.
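An added script (not from the original post) that checks the two things steps 2 and 3 inspect by hand: the Computer Browser service (presence, startup type, state) and the “Client for Microsoft Networks” binding on each adapter (component ID ms_msclient). It assumes Windows 8 / Server 2012 or later for Get-NetAdapterBinding and an elevated PowerShell.

```powershell
# Added example, not from the original post. Run elevated.

# Step 2 equivalent: the Computer Browser service.
$browser = Get-CimInstance -ClassName Win32_Service -Filter "Name='Browser'"
if (-not $browser) {
    'Computer Browser service is missing: Client for Microsoft Networks is probably not installed (see step 4).'
} else {
    "Computer Browser: State=$($browser.State) StartMode=$($browser.StartMode)"
    if ($browser.StartMode -ne 'Auto')   { Set-Service -Name Browser -StartupType Automatic }
    if ($browser.State    -ne 'Running') { Start-Service -Name Browser }
}

# Step 3 equivalent: is "Client for Microsoft Networks" bound on each adapter?
$bindings = @(Get-NetAdapterBinding -ComponentID ms_msclient -ErrorAction SilentlyContinue)
if ($bindings.Count -eq 0) {
    '"Client for Microsoft Networks" is not installed on any adapter (see step 4).'
} else {
    # Enabled=False means the client is installed but unbound on that adapter.
    $bindings | Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize
    # A disabled binding can be re-enabled without the GUI:
    # Enable-NetAdapterBinding -Name '<adapter name>' -ComponentID ms_msclient
}
```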

With Warm Regards

Kiran Sawant

When you want to discover and troubleshoot replication failures, the following tools can be useful:

  • repadmin /failcache: Run this command from the console of each ISTG domain controller in the forest to discover replication failures for bridgeheads in the site for that ISTG.

    Note: You can also run this command remotely against other ISTG domain controllers in the forest.

  • repadmin /showreps: Run this command from the console of each ISTG domain controller in the forest to analyze replication of specific domain controllers that are exposed by the repadmin /failcache command.
  • dcdiag /test:intersite /e /q: This command tests inter-site connectivity for bridgehead domain controllers in the forest. The result set is limited to domain controllers that experience errors with the /q switch.
  • dcdiag /test:connectivity /e /q: This command tests name resolution and LDAP/RPC connectivity to all domain controllers in the forest. The result set is limited to domain controllers that experience errors with the /q switch.

With Warm Regards

Kiran Sawant

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. In Registry Editor, navigate to the Garbage Collection entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
  3. Double-click Garbage Collection. In the Value data box, type 1, and then click OK.

With Warm Regards

Kiran Sawant

Event ID 1988

Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local….

in other domains in the forest are known as “lingering objects”.

Domain controllers are bound by “Strict Replication” and there is an item in Active Directory that’s “hanging about” and needs deleting.

Solution

Option 1

1. In the event description you will see the following information:

Source DC (Transport-specific network address):
9160d4ef-7d65-45fd-aa8e-624acff91688._msdcs.domaina.com 
Object:
CN=926e60b0-13d9-447d-bff6-70334e598823ADEL:dc784939-66f9-4433-9830-28fd0f965736,CN=Deleted Objects,CN=Configuration
,DC=domaina,DC=com
Object GUID:
dc784939-66f9-4433-9830-28fd0f965737

The only information you need from that is the GUID of the source domain controller; in the example above that’s 9160d4ef-7d65-45fd-aa8e-624acff91688. Also take note of the domain, “DC=domaina,DC=com”.

2. At the top of the event you will see the server name (hint: it’s the server whose event log you are looking at).

Event Type:     Error
Event Source:   NTDS Replication
Event Category: Replication
Event ID:       1988
Date:           26/05/2010
Time:           09:34:59
User:           NT AUTHORITY\ANONYMOUS LOGON
Computer:       SERVER01

3. From here you need the server name; in this example that’s SERVER01.

4. Start > Run > cmd {enter}.

5. Issue the following command:

repadmin /removelingeringobjects SERVER01 9160d4ef-7d65-45fd-aa8e-624acff91688 DC=domaina,DC=com /advisory_mode

IMPORTANT: If either server is Windows Server 2000 this won’t work! You need to do this instead.

Option 2

1. Disable strict replication on your domain controllers. Start > Run > regedit {Enter}.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. In the right-hand pane, either create or modify the DWORD value “Strict Replication Consistency”.

3. Set it as follows:

  • Value: 1 (0 to disable)
  • Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.
  • Data type: REG_DWORD
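An added script (not from the original post) for Option 1 and Option 2 above: it pulls the source-DC GUID and the object DN out of a 1988 event description and builds the advisory-mode repadmin command, then reads the current Strict Replication Consistency value. The event text is the post's own sample embedded as constructed input; note that the object in that sample sits under CN=Configuration, so the naming context the script passes to repadmin is the Configuration partition rather than the bare domain DN.

```powershell
# Added example, not from the original post.
function ConvertTo-LingeringObjectCommand {
    param([string]$EventMessage, [string]$ComputerName)

    # Join wrapped lines and normalise commas so a DN split across lines reads as one.
    $text   = ($EventMessage -replace '\r?\n', ' ') -replace '\s*,\s*', ','
    $guidRx = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

    if ($text -notmatch "Source DC[^:]*:\s*($guidRx)\._msdcs\.") { throw 'Source DC GUID not found.' }
    $sourceGuid = $Matches[1]

    if ($text -notmatch 'Object:\s*(CN=.+?)\s+Object GUID') { throw 'Object DN not found.' }
    $objectDn = $Matches[1]

    # Naming context that holds the object: schema, configuration, or a domain.
    $nc = switch -Regex ($objectDn) {
        '(CN=Schema,CN=Configuration,DC=.*)$' { $Matches[1]; break }
        '(CN=Configuration,DC=.*)$'           { $Matches[1]; break }
        '(DC=.*)$'                            { $Matches[1]; break }
    }
    "repadmin /removelingeringobjects $ComputerName $sourceGuid $nc /advisory_mode"
}

# Constructed sample input: the event text quoted in the post.
$sampleEvent = @'
Source DC (Transport-specific network address):
9160d4ef-7d65-45fd-aa8e-624acff91688._msdcs.domaina.com
Object:
CN=926e60b0-13d9-447d-bff6-70334e598823ADEL:dc784939-66f9-4433-9830-28fd0f965736,CN=Deleted Objects,CN=Configuration
,DC=domaina,DC=com
Object GUID:
dc784939-66f9-4433-9830-28fd0f965737
'@

ConvertTo-LingeringObjectCommand -EventMessage $sampleEvent -ComputerName 'SERVER01'

# Option 2: show whether strict replication consistency is currently set on this DC.
$ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$strict = (Get-ItemProperty -Path $ntds -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue).'Strict Replication Consistency'
"Strict Replication Consistency: $(if ($null -eq $strict) { 'value not present' } else { $strict })"
```

Review the advisory-mode output before running the same command without /advisory_mode; advisory mode only reports what would be removed.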

With Warm Regards

Kiran Sawant

KCC Error

Event Error –>

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:

CN=Configuration,DC=cry,DC=in

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

User Action

Perform one of the following actions:

– Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.

– Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.

If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

_____________________________________________________________________________________________

Solutions –>

Run “repadmin /showrepl” from a command prompt and check the result. If it reports “The destination server is currently rejecting replication requests”, follow the steps below.

Step :–> 1

Run the following commands:

  1. repadmin /options <DC NAME> +DISABLE_OUTBOUND_REPL
  2. repadmin /options <DC NAME> -DISABLE_OUTBOUND_REPL
  3. repadmin /options <DC NAME> +DISABLE_INBOUND_REPL
  4. repadmin /options <DC NAME> -DISABLE_INBOUND_REPL

Here is the output of the repadmin /options command:

 C:\Documents and Settings\Administrator>repadmin /options DC1 +DISABLE_OUTBOUND_REPL

Current options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

New options    : IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

 C:\Documents and Settings\Administrator>repadmin /options DC1 -DISABLE_OUTBOUND_REPL

Current options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

New options    : IS_GC DISABLE_INBOUND_REPL

C:\Documents and Settings\Administrator>repadmin /options DC1 +DISABLE_INBOUND_REPL

Current options: IS_GC DISABLE_INBOUND_REPL

New options    : IS_GC DISABLE_INBOUND_REPL

C:\Documents and Settings\Administrator>repadmin /options DC1 -DISABLE_INBOUND_REPL

Current options: IS_GC DISABLE_INBOUND_REPL

New options    : IS_GC

Step :–> 2

1) Identify the ISTG covering each site by running this command:

“repadmin /istg”

The output will list all sites in the forest and the ISTG for each site:

repadmin running command /istg against server localhost

Gathering topology from site Default-First-Site-Name (DC1.contoso.com):

Site                  ISTG
===================== =================
SiteX                 DC1X
SiteY                 DC1Y

NOTE: Determine from the output if the DC logging these events (DC1X) is the ISTG or not.

2) If the DC logging the events is the ISTG, any one of the DCs in the same site as this ISTG could have connectivity issues to the site identified in the 1566 event. You can identify which DC(s) are failing to replicate from the site identified in the 1566 event by running the following command, which targets all DCs in the site where the ISTG logging the errors resides. For example, DC1X is logging the events and it is the ISTG for siteX. To identify which DCs in siteX are failing to replicate from siteY, run this command:

repadmin /failcache site:siteX >siteX-failcache.txt

The failcache output shows two DCs in siteX:

repadmin running command /failcache against server DC1X._msdcs.contoso.com 

==== KCC CONNECTION FAILURES =========================== (none)

==== KCC LINK FAILURES ===============================
    SiteY\DC1Y
    DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
    No Failures.

repadmin running command /failcache against server DC2X._msdcs.contoso.com

==== KCC CONNECTION FAILURES =========================== (none)

==== KCC LINK FAILURES ===============================
    SiteY\DC1Y
    DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
    46 consecutive failures since 2008-08-12 22:14:39.
    SiteZ\DC1Z
    DC object GUID: fh3h8bde-a928-466a-97b0-39a507acbe54
    No Failures.

The output above identifies the Destination DC as (DC2X) in siteX that is failing to inbound replicate from siteY. In some cases the DC name is not resolved and shows as a GUID (s9hr423d-a477-4285-adc5-2644b5a170f0._msdcs.contoso.com). If the DC name is not resolved determine the hostname of the Destination DC by pinging the fully qualified CNAME:

ping s9hr423d-a477-4285-adc5-2644b5a170f0._msdcs.contoso.com

NOTE: DC2X may or may not be logging Error events in its Directory Services event log the way DC1X, the ISTG, is.

3) Logon to the Destination DC identified in the previous step and determine if RPC connectivity from the Destination DC to the Source DC (DC1Y) is working.

repadmin /bind DC1Y.contoso.com

  • If “repadmin /bind DC1Y” from the Destination DC succeeds:

Run “repadmin /showrepl <Destination DC>” and examine the output to determine if Active Directory Replication is blocked. The reason for replication failure should be identified in the output. Take the appropriate corrective action to get replication working.

  • If “repadmin /bind DC1Y” from the Destination DC fails:

Verify firewall rules are not interfering with connectivity between the Destination DC and the Source DC. If the port blockage between the Destination DC and the Source DC cannot be resolved, configure the other DCs in the site where the errors are logged to be Preferred Bridgeheads and force KCC to build new connection objects with the Preferred Bridgeheads only.

NOTE: Running “repadmin /bind DC1Y” from the ISTG logging the KCC errors may reveal no connectivity issues to DC1Y in the remote site. As noted earlier, the ISTG is responsible for maintaining inter-site connectivity and may not be the DC having the problem. For this reason the command must be run from the Destination DC that repadmin /failcache identified as failing to inbound replicate.

A successful bind looks similar to this:

C:\>repadmin /bind DC1Y 
Bind to DC1Y succeeded. 
NTDSAPI V1 BindState, printing extended members. 
    bindAddr: DC1Y 
Extensions supported (cb=48): 
    BASE                             : Yes 
    ASYNCREPL                        : Yes 
    REMOVEAPI                        : Yes 
    MOVEREQ_V2                       : Yes 
    GETCHG_COMPRESS                  : Yes 
    DCINFO_V1                        : Yes 
    RESTORE_USN_OPTIMIZATION         : Yes 
    KCC_EXECUTE                      : Yes 
    ADDENTRY_V2                      : Yes 
    LINKED_VALUE_REPLICATION         : Yes 
    DCINFO_V2                        : Yes 
    INSTANCE_TYPE_NOT_REQ_ON_MOD     : Yes 
    CRYPTO_BIND                      : Yes 
    GET_REPL_INFO                    : Yes 
    STRONG_ENCRYPTION                : Yes 
    DCINFO_VFFFFFFFF                 : Yes 
    TRANSITIVE_MEMBERSHIP            : Yes 
    ADD_SID_HISTORY                  : Yes 
    POST_BETA3                       : Yes 
    GET_MEMBERSHIPS2                 : Yes 
    GETCHGREQ_V6 (WHISTLER PREVIEW)  : Yes 
    NONDOMAIN_NCS                    : Yes 
    GETCHGREQ_V8 (WHISTLER BETA 1)   : Yes 
    GETCHGREPLY_V5 (WHISTLER BETA 2) : Yes 
    GETCHGREPLY_V6 (WHISTLER BETA 2) : Yes 
    ADDENTRYREPLY_V3 (WHISTLER BETA 3): Yes 
    GETCHGREPLY_V7 (WHISTLER BETA 3) : Yes 
    VERIFY_OBJECT (WHISTLER BETA 3)  : Yes 
    XPRESS_COMPRESSION               : Yes 
    DRS_EXT_ADAM                     : No 
Site GUID: stn45bf5-f33f-4d53-9b1b-e7a0371f9a3d 
Repl epoch: 0 
Forest GUID: idk4734-eeca-11d2-a5d8-00805f9f21f5 
Security information on the binding is as follows: 
    SPN Requested:  LDAP/DC1Y 
    Authn Service:  9 
    Authn Level:  6 
    Authz Service:  0
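An added parser (not from the original post) for the “repadmin /failcache” output used in step 2 above and in the earlier list of replication troubleshooting tools: it lists every destination DC that reports consecutive link failures, together with the source DC it cannot replicate from, so the DC to run “repadmin /bind” from is found without reading the output by eye. The sample text is constructed to match the post's output; the function names are assumptions.

```powershell
# Added example, not from the original post.
function Get-FailcacheFailures {
    param([string[]]$Lines)

    $results = @()
    $dest    = $null   # DC whose failure cache is being printed (the destination)
    $source  = $null   # Site\DC entry currently being described
    foreach ($line in $Lines) {
        if ($line -match 'against server (\S+)') { $dest = $Matches[1]; continue }
        # A "Site\DC" token names the source DC for the lines that follow.
        if ($line -match '(\S+\\\S+)') { $source = $Matches[1] }
        if ($line -match '(\d+) consecutive failures since (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)') {
            $results += [pscustomobject]@{
                DestinationDC = $dest
                SourceDC      = $source
                Failures      = [int]$Matches[1]
                Since         = $Matches[2]
            }
        }
    }
    return $results
}

# Constructed sample shaped like the post's output for DC2X.
$sample = @'
repadmin running command /failcache against server DC2X._msdcs.contoso.com
==== KCC CONNECTION FAILURES =========================== (none)
==== KCC LINK FAILURES ===============================
    SiteY\DC1Y
    DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
    46 consecutive failures since 2008-08-12 22:14:39.
    SiteZ\DC1Z
    DC object GUID: fh3h8bde-a928-466a-97b0-39a507acbe54
    No Failures.
'@ -split "`r?`n"

Get-FailcacheFailures -Lines $sample | Format-Table -AutoSize

# Live use against a whole site, as in step 2 of the post:
# Get-FailcacheFailures -Lines (repadmin /failcache site:siteX)
```

For the sample, the single row returned names DC2X._msdcs.contoso.com as the destination and SiteY\DC1Y as the source with 46 failures, which is the DC pair step 3 tells you to test with “repadmin /bind”.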

With Warm Regards

Kiran Sawant