Event ID 2896 can be generated in AD replication.

in article http://technet.microsoft.com/en-us/library/replication-error-8453-replication-access-was-denied(v=ws.10).aspx has an excellent workaround solution to troubleshoot the main cause of AD replication access was denied.

in the screen shot below, I have a quick answer why my domain controller generate event id 2896. I have highlight in Red.

it says “Netoverme\RTCService. from here, I already know that it was a service account of Office Communicator / Lync that did not have permission to do replication directory changes.

This is usually happened when I create new child domain such as north.netoverme.info whereas my parent domain is netoverme.info.

So, solution:

Run Domain Preparation from Office Communication Server Media. or

run this command “LCSCMD /domain:”north.netoverme.info” /action:domainprep.

Hi,

I would like to share some experiences that I need to proof on Kerberos Authentication Ports. I know that I am a bit odd and legacy to bring this Windows Server 2003 platform.

The reason I need to legacy server because some ITs did not know the changes on authentication part especially between Windows Server 2003 & XP, and Windows 7 & Windows Server 2008 & 2008 R2 above.

Even we give them the URL reference http://support.microsoft.com/kb/244474 and http://technet.microsoft.com/nl-nl/library/dd772723(v=ws.10).aspx , they still insist Windows 7 & 2008 use UDP 88 or vice versa.

Then, I show this network trace using network monitor.

in Windows Server 2003 authentication to Active Directory:

Figure 1 Windows Server 2003.

in Windows 7 authentication to Active Directory:

Figure 2

You see the difference now.. Figure 1 (Windows 2003) shows UDP flags whereas Figure 2 (Windows 7) shows TCP flags.

Also, you see the Dynamic port in Windows 2003 use the range 1025-5000, whereas windows 7 use 49152-65535 range…

if you deep more in network monitor, you see the figure “KRB_ERR_RESPONSE_TOO_BIG”, then it will initially cannot handle the packet that large., then will go the TCP port 88.

please see the reference below:

http://technet.microsoft.com/en-us/library/cc779511(v=ws.10).aspx

http://support.microsoft.com/kb/244474

Hi Everyone,

In Some client in Windows 8 and above, if you run RSOP.msc, you will see this warning sign in user configuration:

What I discovered, the Internet Explorer Maintenance configuration in User Configuration GPO, will not supported in Internet Explorer 10 & above.

So solution is there are many option whether you use Administrative Template in your Group Policy. There are two Administrative Template you can find which are Computer Configuration and User Configuration

another solution: Install new Security patches and updates.

Reference link:

http://support.microsoft.com/kb/2813272

Hi,

I have used this lingering object liquidator to make my work easier instead using the command “repadmin /removelingeringobjects“.

To use this tool is simple. You may download it from Microsoft website.

This is how it looks like.

all you have to do is:

-identify the naming context. For example “dc=netoverme,dc=info”

-Identify the good source DC which is the reference DC.

-Identify the affected lingering object DC or which may likely the lingering object appear.

click “Detect” button. then it will list out the objects listed.

Once you found the lingering object or listed, you may try to delete the object by click the remove button.

on the confirmation message, please click Yes to proceed.

In this post, there were problems appeared last few months, where the AD replication issue and cause tombstone.

In my example, there are two domain controllers which are NOM-DC1.netoverme.info and NOM-DC2.netoverme.info and one child domain (north.netoverme.info) which is nom-ndc1.north.netoverme.info.

How I found the error?

Here is my finding:

1. Via Repadmin /Showrepl. In this “repadmin /showrepl” result, shows the failure replication result 8614 error.

2. Via Event Viewer of Directory Services. In this event log, it shows the event ID 2042 appeared and describing the current of error. In this event ID 2042, the time between replications with this source has exceeded the tombstone lifetime.

Workaround Solution:-

What Tombstone? okay, don’t jump to conclusion to do metadata cleanup. try to find the workaround and read the possible way to check from the Microsoft TechNet.

Well, I found this article:

For Event ID 2042, I suggest to read the topic related to the problem.

https://technet.microsoft.com/en-us/library/cc757610(v=ws.10).aspx

For Error 8614, I also suggest to read this link https://support.microsoft.com/en-us/kb/2020053.

Resolved:

How do I resolve this? When you read the two articles that I mentioned above, the solution is almost similar. what you need to do is to edit registry “Allow Replication With Divergent and Corrupt Partner”.

After that, I let the replication to be occurred. After few minutes later, I check the AD replicaton using repadmin /showrepl, then there are no more error appeared.

After the multiple replication checking done, I modify the registry “Allow Replication with Divergent and Corrupt Partner” and set the value to 0.

However, you may still have failure above after performing the steps above. In that case, you may do uninstall or demote the problematic domain controller by metadata cleanup.

in steps 10 of this https://support.microsoft.com/en-us/kb/2020053 says, “at 50 percent of TSL,make strong push to resolve the replication errors.At 90 percent, consider demoting (forcibly, if it is ncessary, by using the dcpromo /forceremoval command) DCs that are cause replication error.

In this topic, I will cover to use Group Policy to Deploy Task Scheduler to Map a network drive.

I used batch file called testmap.bat as content below:

testmap.bat:

@echo off

Net use M: \\nom-dc1\shared

Start M:

So I put it into NOM-DC1\Netlogon .

Configure Group Policy:

1. Open Management Console, right-click intended OU or domain. choose “Create GPO and Link it here…”
2. In just GPO created, right click GPO and select Edit.
3. Go to User Configuration, Under Preferences, Choose Control Panel and Select Scheduled Tasks.
4. At the Scheduled Task, Right-Click on it and choose New. Type a the name of the schedule. Please choose at appropriate operating system you want to configure.
5. At the Schedule tab, I choose at start log on
6. At the Action,

7. Finally, click OK button.

After we configure the group policy, you may use Gpupdate /force and restart the workstation and log on the workstation using the username in the OU that group policy sits.

8. After log on, check the task scheduler at the workstation.

you may get like this.

and check the computer windows or explorer.

Then…your network map drive is working.

Hi,

I just want to blog on how to disable the IE Enhance Security Configuration via group policy.

One thing I share this post is because, usually, I create the test environmental lab in virtual machine (VMWare or Hyper-v or VirtualBox), I turn off this IE ESC and Windows Firewall.

Step 1:

Create a new group policy under Group Policy management (gpmc.msc) in your domain controller.

Step 2:

Right-click the group policy and edit.

Under Computer configuration, expand Preferences -> Windows Setting -> Registry

Step 3:

Create New Registry item and under HKEY Local Machine -> Software -> Microsoft -> Active Setup -> Installed Components ->

Find this ID. this GUID is turning off the IE ESC

for Administrators:

For Users:

Step 4: Modify the value under “IsInstalled” to 0

Hi,

I actually wanted to share you earlier however I have something to post first.hehehe.

Ok. Back to our topic, As an AD administrators, you will already know that the previous ADMT version can be installed in Windows Server only.

if you try to install the old ADMT in windows 8, you will have a warning.

However the new ADMT3.2 can be installed in your Windows 8.1. So I feel much better to do this.

To install the ADMT3.2, you need SQL Server Express or Standard or Enterprise Version.

You can install SQL Server Express in your Workstation Windows 8.1 as well.

Shot 1:

Shot 2:

Shot 3:

Shot 4:

Shot 5:

Shot 6:

Hi,

I would like to share you some information on how to assign the static IP Address in virtual machine Azure where some of the VMs need static IP Address such as Domain controller.

We need to use Azure Powershell to configure the the static IP Address.

Firstly, We need to use Test-AzureStaticVNetIP.

Type the command: For example, Test-AzureStatic -VNetName ‘TestNetwork’ -IPAddress ‘10.0.0.10’. if the operationstatus is succeeded, that means we can use the IP address.

Type the command : Get-VMAzure -ServiceName ‘Nom-DC1’ -Name ‘NOM-DC1’. This is to verify the IP Address of the VM which were assigned by DHCP. Here the IpAddress value is 10.0.0.4

Then after that, we need to assign the IP address from 10.0.0.4 (by DHCP) to static ip address 10.0.0.10

Type the command:

Get-AzureVM -ServiceName ‘Nom-DC1’ -Name ‘Nom-DC1 | Set-AzureStaticVNetIP -IPAddress ‘10.0.0.10’ | Update-AzureVM

Then verify it by typing “get-azurevm -servicename ‘nom-dc1’ -name ‘nom-dc1’. You see the IP address have changed to 10.0.10 and the powerstate is ‘starting’

In this topic, I would like to cover to connect and integrate  your existing AD accounts at home or office (premises) to Azure AD. This could benefit you to have single sign on to other applications such as office 365, dropbox, etc.

All you need is to install the Azure AD Connect Tool. you may download at this link here.

Follow this step below.

Step 1: At the welcoming wizard of Microsoft Azure Active Directory Connect, you need to check the box “I agree to the license terms and privacy notice” and click Continue

Step 2: You may use the express setting for faster installation. This is to get you understand on how you can connect to the Azure AD. In this express setting, the wizard will automatically discover your forest. In this example is NETOVERME.

To continue, click on Express Settings

Step 3: You need to input the Azure AD account. If you have multiple accounts in this Azure, you need to use the account which has “Global Admin” role.

In my example, I use “aliyani@example.onmicrosoft.com”. click Next to continue.

Step 4:  Then, you will ask the admin account in your premise AD forest. click Next.

Step 5:  Final step is to start installation.

Output Success: This is the screenshot that I captured from my Azure.

Hi,

I am back with similar questions being asked when they install the LAPS.

“Question: Why I still have blank password and expiration set time?”

Answer:

1. First of all, Computer has to be joined domain. if the computer is not joined domain, you won’t get those two values on that attributes.
2. Make sure that you don’t manually add the computer account at the active directory. some they claimed that they already join to the domain, but it actually create the computer account manually with the same computer name in it.
3. LAPS was installed differently with other deployment system.
4. LAPS was installed manually. some of computers are joined domain, but they were installed manually and unable to connect or communicate with active directory.
5. I recommend the LAPS installation was deploying the group policy.
6. The computers are located on different organizational unit (OU). If you have large organization, you might have many computers and other inventory that sometime hard to manage and cascade. So you may not have the LAPS install or the attributes’ value. For example, your computers was at HQ OU in Florida, you have multiple ‘HQ’ OU in New York OU and you also have HQ OU in Florida.LAPS Group policy was configured at HQ OU in New York. This lead you don’t have the password blank
7. Local Administrator account are misconfigured. By Default, the LAPS will look into built-in account. if you configured in group policy to use specific account, make sure that you create the user account in the client computer.
8. Make sure you have supported OS platform. Please check the link here https://technet.microsoft.com/en-us/mt227395.aspx.
9. Please make sure that you have permission to view and proper delegation of users to view the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. Mostly, domain user would not be able to see this because this confidential attribute only managed by AD administrators.

Here is the example screenshot for the software deployment via group policy.

Hi,

I would like to post this topic on securing you infrastructure with some least privileges based on server requirement. Everybody love to make some more easy and full privileges to some extent. but have you cross to your mind to secure your infrastructure.

I believe that by using Windows Environment, Active Directory is the most famous service where system admin like to centralize. I agree with that. And the highest privileges in AD environment are Domain Admins for every child domains and Enterprise Admins for Forest and Child domains.

Of course, in lab environment system admin like to use domain admins and enterprise admin even myself. However, in production zone, I would not suggest to have so much domain users given or attached with those domain admins enterprise admins. It was quite and most scary.

In the attachment, I did summarize some of all privileges based on the services required.

For example, in DHCP Server, in a AD domain environment, you may require Delegation permission to authorize to the AD for first time configuration.. Also, to manage DHCP Server, you can only have DHCP administrators without domain admins.

Attachment:

Requirement Privilege Document

Hi, today’s topic is about securing virtual domain controller using BitLocker Encryption.

Virtual domain controller is sometimes at critical risk where the VHD folders can be copied and placed to another. Of course nowadays, by using BitLocker Encryption might be useful and one factor to secure our production environment.

Moreover, the very best friend comes out with BitLocker encryption on more enhancing technology is the Trust Platform Module (TPM) where you can find in the BIOS motherboard itself.

In my lab environment, I run my host hyper-V in my lenovo thinkpad. To secure the virtual domain controller is by enabling the BitLocker Encryption on the host of the virtual machine.

Simple to do:

1. I enable the TPM / security chip at the bios setup. I am very fortunate the Lenovo has the tools to check. You may download it here. You can here the setting is Active. that’s mean the TPM is enabled.
   
2. After that, you need to add features BitLocker encryption at the host hyper-v. you may need to restart the server.
   
3. On control panel, you manage your bitlocker on which volume drive you need to turn on. on the screenshot below, I turn on the bitlocker on my operating system. because the virtual machine folders are located at default. you may relocate your virtual machine folder in different drive and you turn on the bitlocker on the drive that you locate the VM VHD/VHDX files.
   

Hi Folks,

In this post, I would like to share the issue on the Event 16653. It was one of directory services logs that you would come across in Windows Server 2012 Environment.

As you are all know, RID master FSMO role issued a domain with 500 RIDs. When each domain’s RID has slowly exhausted which exceeds to 500, it will contact the RID master to request for the RID.

so, in Windows Server 2012 / R2 environment, the event 16653 will not be appeared as the changes of registry has been made.

by default, the RIDs can only issue 500 RIDs. however, this value can be modified in the registry so that the AD Administrators can make such a bulk AD object created more than 500.

The Event 16653 will be appeared when the Administrators created more than 15,000 objects. The maximum value that the RID can be issued is 15,000 RIDs.