ERROR: dcdiag warning on userAccountControl

On a newly built DC, running dcdiag I found this problem:

Starting test: MachineAccount
Warning:  Attribute userAccountControl of myDC is:
0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
Typical setting for a DC is
0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
This may be affecting replication?

Using ADUC with “Advanced Features” enabled, on the “Attribute Editor” tab you can change userAccountControl on your DC’s computer object.

userAccountControl values:
Typical user: 0x200 (512)
Domain controller: 0x82000 (532480)
Workstation/server: 0x1000 (4096)
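The same check, scripted: the block below is an added example (not from the original post) that decodes userAccountControl for every DC computer object, reports any bits set beyond the typical 0x82000, and can clear the PASSWD_NOTREQD bit that dcdiag complained about. It assumes the ActiveDirectory RSAT module and an account allowed to read (and, with -Fix, modify) DC computer objects; the flag values are the ones documented in the KB article linked below.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# RSAT module and rights to read/modify DC computer objects.
Import-Module ActiveDirectory

# Flag values as documented in the Microsoft KB article on userAccountControl.
$UacFlags = [ordered]@{
    PASSWD_NOTREQD            = 0x20
    NORMAL_ACCOUNT            = 0x200
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT      = 0x2000
    TRUSTED_FOR_DELEGATION    = 0x80000
}
$ExpectedDcUac = 0x82000    # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION

function ConvertTo-UacFlagName {
    # Decode an integer into the known flag names, e.g. 0x82020 ->
    # PASSWD_NOTREQD, SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
    param([Parameter(Mandatory)][int]$Value)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { $flag.Key }
    }
}

function Test-DcUserAccountControl {
    # Lists every DC (SERVER_TRUST_ACCOUNT set; LDAP bitwise-AND matching rule
    # 1.2.840.113556.1.4.803) together with the bits set beyond 0x82000.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)
    $dcs = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
                          -Properties userAccountControl
    foreach ($dc in $dcs) {
        $uac   = [int]$dc.userAccountControl
        $extra = $uac -band (-bnot $ExpectedDcUac)
        [pscustomobject]@{
            Name       = $dc.Name
            UAC        = '0x{0:X}' -f $uac
            Flags      = (ConvertTo-UacFlagName $uac) -join ' | '
            Unexpected = (ConvertTo-UacFlagName $extra) -join ' | '
        }
        # PASSWD_NOTREQD on a DC means the directory would accept an empty machine
        # password; clear only that bit and leave the rest untouched.
        if ($Fix -and ($uac -band $UacFlags.PASSWD_NOTREQD) -and
            $PSCmdlet.ShouldProcess($dc.Name, 'clear PASSWD_NOTREQD')) {
            $fixed = $uac -band (-bnot $UacFlags.PASSWD_NOTREQD)
            Set-ADComputer -Identity $dc -Replace @{ userAccountControl = $fixed }
        }
    }
}

# Report only; add -Fix -WhatIf to preview the change, -Fix to apply it.
Test-DcUserAccountControl | Format-Table -AutoSize
```

Matching on the SERVER_TRUST_ACCOUNT bit rather than on the Domain Controllers OU catches a DC whose computer object was moved; the Unexpected column is empty for a DC that carries exactly the typical value.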

Via: https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-properties

How to Find which DC is pruning your printer queues

When you publish printer queues in Active Directory, by default the print spooler saves the shared printer information as printQueue objects under the print server’s computer object.

By default a DC (generally a DC in the print server’s site) runs a printer pruning job; it checks whether the print server is reachable and whether the printer is still shared, and if not, deletes the printQueue object from AD.

  • By default the print server publishes its printers only at startup (to force printer publishing, just restart the Print Spooler service).
    This setting is managed by “Computer Configuration / Administrative Templates / Printers / Check Published State”.
  • The DC tries to contact the print server/printer 3 times every 8 hours. If the print server/printer is not reachable on all 3 attempts, the printer is unpublished.
    These settings are managed by “Computer Configuration / Administrative Templates / Printers / Allow Pruning of Published Printers”, “Directory Pruning Interval” and “Directory Pruning Retry”.
“The Print Pruner is a thread that runs under the spooler context on all DCs. It uses ADSI calls (ADsGetObject, IID_IDirectorySearch->ExecuteSearch) to get the list of all the printQueue servers in the AD. To check whether the server is in same site it uses Winsock call (gethostbyname) and other net APIs (DsAddressToSiteNames, DsGetDcSiteCoverage). To check if the print queue\print server availability it uses OS APIs (NetServerGetInfo, OpenPrinter, GetPrinter). So all the work by pruner is done using ADSI, WinSock and OS functions.”


It can happen that, because of a firewall or network misconfiguration, a DC starts pruning some or all published print queues on a regular basis. To find which DC is doing the cleaning, first find the deleted printQueue object:

Find deleted Object

  1. Run ldp.exe as Domain Admin.
  2. On the “Connection” menu click “Connect”. You can leave the server name blank to connect to a DC in your site.
  3. On the “Connection” menu click “Bind”.
  4. On the “Browse” menu click “Search”. Select the “Base DN” of the domain from which you want to retrieve tombstones. In the “Filter” box use the filter “(objectclass=printQueue)”. Under “Scope” select “Subtree”. Click “Options” and under “Search Call Type” select “Extended”. Then add “1.2.840.113556.1.4.417” to “Active Controls” using “Check in”.
    [Screenshot: ldp_DeletedObject_PrintQueue_Conf]
  5. Close “Search Options” and in the “Search” dialog box click “Run”.
  6. In the results, find your deleted printer and copy the CN of the deleted printQueue:

[Screenshot: ldp_DeletedObject_PrintQueue]


Find origin of change

Then, using repadmin, you can find where the change to this object originated:

repadmin /showobjmeta [myDC] [CN of object]

[Screenshot: repadmin_DeletedObject_PrintQueue]

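The ldp.exe search and the repadmin step above, scripted. This is an added example, not part of the original post: Get-ADObject -IncludeDeletedObjects attaches the same Show Deleted Objects control (1.2.840.113556.1.4.417) that step 4 adds by hand, and repadmin is then called with the object’s GUID instead of the tombstone DN (which contains the escaped “\0ADEL:” sequence). It assumes the ActiveDirectory RSAT module, repadmin.exe on the path, and that it runs on a DC unless -Server names one.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# RSAT module and repadmin.exe; run on a DC or pass -Server.
Import-Module ActiveDirectory

function Get-DeletedPrintQueue {
    # -IncludeDeletedObjects = the Show Deleted Objects control (1.2.840.113556.1.4.417)
    # used in the ldp.exe steps. Most attributes are stripped from a tombstone, but
    # lastKnownParent still tells you which print server the queue belonged to.
    param([string]$Server)
    $params = @{
        LDAPFilter            = '(&(objectClass=printQueue)(isDeleted=TRUE))'
        IncludeDeletedObjects = $true
        Properties            = 'whenChanged', 'lastKnownParent'
    }
    if ($Server) { $params.Server = $Server }
    Get-ADObject @params |
        Select-Object Name, ObjectGUID, whenChanged, lastKnownParent, DistinguishedName
}

function Get-ObjectDeletionOrigin {
    # Runs 'repadmin /showobjmeta' and returns the metadata line for isDeleted:
    # its "Originating DSA" column names the DC that performed the delete.
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][guid]$ObjectGUID,
        [string]$Server = $env:COMPUTERNAME    # assumption: this host is a DC
    )
    process {
        $meta = & repadmin.exe /showobjmeta $Server "<GUID=$ObjectGUID>"
        $meta | Where-Object { $_ -match '\bisDeleted\s*$' }
    }
}

# Usage: list tombstoned print queues, then ask repadmin which DC deleted each one.
Get-DeletedPrintQueue | Format-Table Name, whenChanged, lastKnownParent -AutoSize
Get-DeletedPrintQueue | Get-ObjectDeletionOrigin
```

If the same originating DSA shows up for every deleted queue, that DC is the pruner that cannot reach the print server; check its path to the print server (RPC/SMB and the spooler named pipe) before touching the pruning policies.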

Via: https://blogs.technet.microsoft.com/askpfeplat/2012/03/05/how-to-track-the-who-what-when-and-where-of-active-directory-attribute-changes-part-i-the-case-of-the-mysteriously-modified-upn/


How to solve the known issue with MS16-072

Microsoft released MS16-072: Security update for Group Policy (June 14, 2016).

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies are retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.

The known issue is that all user Group Policy, including policies that have been security filtered on user accounts or security groups, or both, may fail to apply on domain-joined computers if the Group Policy Object is missing Read permission for the Authenticated Users group, or if you are using security filtering and are missing Read permission for the Domain Computers group.

Resolution:
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and do one of the following:

  • Add the Authenticated Users group with Read permission on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with Read permission.


Doing that manually is a nightmare, but PowerShell can help. With this script you can grant ‘Read’ permission to “Authenticated Users” on all GPOs, or only where needed, based on whether the “Domain Computers” group has ‘Read’ permission and/or the GPO is a “Per-User Setting” GPO. If you want to be restrictive, enable -checkDomainComputer and -checkPerUserSetting.
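The following is an added example of that approach, not the script the post refers to: it walks every GPO, skips the ones where Authenticated Users can already read, and grants GpoRead where needed, with switches that mirror -checkDomainComputer and -checkPerUserSetting. It assumes the GroupPolicy RSAT module, an account allowed to edit GPO security, and English group names for “Domain Computers”; the test for “per-user settings” (a user-side DS version above zero) is an assumption of this example.

```powershell
# Added example, not the post's own script. Assumes the GroupPolicy RSAT module
# and rights to modify GPO security; "Domain Computers" is matched by English name.
Import-Module GroupPolicy

function Repair-GpoAuthenticatedUsersRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$CheckDomainComputers,   # act only where "Domain Computers" cannot read the GPO
        [switch]$CheckPerUserSetting     # act only where the GPO carries user-side settings
    )
    # Each of these permission levels includes Read on the GPO.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        $acl = Get-GPPermission -Guid $gpo.Id -All

        # S-1-5-11 is the well-known SID of Authenticated Users; match the SID, not the localisable name.
        $authUsers = $acl | Where-Object {
            $_.Trustee.Sid.Value -eq 'S-1-5-11' -and ($readLevels -contains "$($_.Permission)")
        }
        if ($authUsers) { continue }     # already compliant

        $needed = $true
        if ($CheckDomainComputers) {
            $domComp = $acl | Where-Object {
                $_.Trustee.Name -eq 'Domain Computers' -and ($readLevels -contains "$($_.Permission)")
            }
            $needed = -not $domComp
        }
        if ($CheckPerUserSetting) {
            # Assumption: a user-side DS version above 0 means user settings were written at some point.
            $needed = $needed -and ($gpo.User.DSVersion -gt 0)
        }
        if (-not $needed) { continue }

        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, 'grant Authenticated Users Read')) {
            # Read, not Apply: this changes who can read the GPO, not who it applies to.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                             -PermissionLevel GpoRead | Out-Null
        }
        [pscustomobject]@{
            GPO          = $gpo.DisplayName
            Id           = $gpo.Id
            UserSettings = ($gpo.User.DSVersion -gt 0)
        }
    }
}

# Preview the restrictive variant first, then run it without -WhatIf to apply.
Repair-GpoAuthenticatedUsersRead -CheckDomainComputers -CheckPerUserSetting -WhatIf
```

GpoRead is deliberately chosen over GpoApply: granting Authenticated Users only Read restores the computer’s ability to retrieve the policy without changing the set of users the GPO is filtered to.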

Via: https://support.microsoft.com/en-us/kb/3163622

How to send email to users with approaching password expiration

I created and scheduled a script to send an email when a user’s password expiration is approaching.

We are an international company, so this script has an option to specify a file containing the mail body, written in the appropriate language and with the appropriate info.

Here are the parameters of Send-PasswordNotify.ps1:

  • notificationGroup: the Active Directory group containing the users who should receive the password expiry notification.
  • emailBodyFile: the text file containing the email body (the default is mailbox.txt).
  • logFile: a Boolean option. If $True, a log file (Send-PasswordNotify.log) is created. The default is $False. You can change the log file path at line 51.
  • eventLog: a Boolean option. If $True, an entry is written to the event log (Scripts). The default is $True.
    NOTE: You should enable/create the eventlog running this command once:

    New-EventLog -LogName "Scripts" -Source Send-PasswordNotify

    You can change the event log the info is sent to at line 49. If you change the event log, remember to also enable it for this script with the command above. Example: New-EventLog -LogName “Application” -Source Send-PasswordNotify

At lines 43-51 of Send-PasswordNotify.ps1 you can find the parameters you can adjust, such as days before expiration, SMTP server, etc.

Copy Send-PasswordNotify.ps1 and mailbox.txt to the same folder.

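The core of such a script, as an added example (it is not Send-PasswordNotify.ps1 itself): it reads the computed expiry from msDS-UserPasswordExpiryTimeComputed, handles the “never expires” markers that make [datetime]::FromFileTime throw, fills a body file, and records each notification in the Scripts event log. It assumes the ActiveDirectory module, a body file whose placeholders are {0} (user name) and {1} (days left), placeholder SMTP settings, and that the event source was registered with the New-EventLog command shown above.

```powershell
# Added example, not the post's script. Assumes the ActiveDirectory module, an
# SMTP relay (placeholders below), a body file with {0}/{1} placeholders and the
# "Scripts"/"Send-PasswordNotify" event source created as the post describes.
Import-Module ActiveDirectory

function Get-PasswordExpiry {
    # Returns the computed expiry date, or $null when the password never expires.
    param([Parameter(Mandatory)]$User)
    $raw = $User.'msDS-UserPasswordExpiryTimeComputed'
    # 0 and Int64.MaxValue are the directory's "never" markers; FromFileTime throws on the latter.
    if (-not $raw -or $raw -ge [long]::MaxValue -or $User.PasswordNeverExpires) { return $null }
    [datetime]::FromFileTime($raw)
}

function Send-PasswordExpiryNotice {
    param(
        [Parameter(Mandatory)][string]$NotificationGroup,
        [string]$EmailBodyFile = (Join-Path $PSScriptRoot 'mailbox.txt'),  # same folder as the script
        [int]$DaysBefore = 14,
        [string]$SmtpServer = 'smtp.example.local',   # placeholder
        [string]$From = 'helpdesk@example.local',     # placeholder
        [switch]$EventLog
    )
    $template = Get-Content -Path $EmailBodyFile -Raw
    $now = Get-Date
    $members = Get-ADGroupMember -Identity $NotificationGroup -Recursive |
               Where-Object objectClass -eq 'user' |
               Get-ADUser -Properties mail, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    foreach ($u in $members) {
        $expiry = Get-PasswordExpiry $u
        if (-not $u.Enabled -or -not $u.mail -or -not $expiry) { continue }
        $daysLeft = [int][math]::Ceiling(($expiry - $now).TotalDays)
        if ($daysLeft -lt 0 -or $daysLeft -gt $DaysBefore) { continue }   # expired or not yet due

        $body = $template -f $u.Name, $daysLeft
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail `
            -Subject "Your password expires in $daysLeft day(s)" -Body $body -Encoding UTF8
        if ($EventLog) {
            Write-EventLog -LogName Scripts -Source Send-PasswordNotify -EventId 1 -EntryType Information `
                -Message "Notified $($u.SamAccountName): password expires $expiry ($daysLeft days left)"
        }
        [pscustomobject]@{ User = $u.SamAccountName; Expires = $expiry; DaysLeft = $daysLeft }
    }
}

# Usage (from a scheduled task running as an account that can read the group and send mail):
Send-PasswordExpiryNotice -NotificationGroup 'PasswordNotify-Users' -DaysBefore 14 -EventLog
```

Reading msDS-UserPasswordExpiryTimeComputed rather than adding the domain’s maxPwdAge to pwdLastSet makes the script honour fine-grained password policies, which is why the “never expires” guard is needed: a user covered by no policy returns Int64.MaxValue.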

Error: The DFS Replication service detected a conflict between two or more nTDSConnection objects while polling for configuration information

I had this warning on a DC with a poor WAN connection:

Log Name: DFS Replication
Source: DFSR
Date: 30/03/2016 02:27:44
Event ID: 6004
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: [ServerName]
Description:
The DFS Replication service detected a conflict between two or more nTDSConnection objects while polling for configuration information. The DFS Replication service resolved the conflict between CN=1a46e70a-b0f5-410f-afdd-7049b1685292,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=b1f0fddb-18cc-459a-9891-15458f6c9a06,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=b377e129-e214-4c52-bbe8-867686db3cb7,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=c037d3d8-16cb-4ede-bf82-c2c72c025ea5,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=82dff205-bc51-4f00-bf18-c47e96215608,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local by using CN=ee5b0d6a-d843-48e5-8d8c-b3164dfa4b1a,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local.

This warning means that some connection objects conflict. To solve it, run ADSI Edit, connect to the “Configuration” naming context

[Screenshot: ADSI_Configuration]

and delete the connection objects listed in the event where the conflict was detected, making sure to leave the object after “by using” in place, because it is the working connection.

Right click on connection object:

CN=1a46e70a-b0f5-410f-afdd-7049b1685292,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local

and delete it.

Repeat the process for any additional connection object listed in the event.

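An added example (not part of the original post) that turns the event text into a delete/keep list before anyone opens ADSI Edit: it parses the 6004 description, splits the comma-laden DNs correctly, and looks each one up to report whether the KCC generated it (options bit 0x1, NTDSCONN_OPT_IS_GENERATED) so that a hand-made connection object is not deleted by accident. The sample message is the event quoted above (shortened to two conflicting objects); the live lookup assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the original post. The parser runs offline on the
# constructed sample; Get-ConflictingConnectionObject needs the ActiveDirectory module.

function ConvertFrom-Dfsr6004Message {
    # Splits "...resolved the conflict between <A>, <B>, ... by using <W>." into Keep/Delete.
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match 'resolved the conflict between (?<losers>.+?) by using (?<winner>CN=.+?)\.?(?=\s*$|\r?\n)') {
        # DNs contain commas, so split only before an RDN that starts a new connection object
        # (a GUID RDN directly under NTDS Settings).
        $delete = [regex]::Split($Matches.losers, ',\s*(?=CN=[0-9a-fA-F-]{36},CN=NTDS Settings)') |
                  ForEach-Object { $_.Trim() }
        return [pscustomobject]@{ Keep = $Matches.winner.Trim(); Delete = @($delete) }
    }
    throw 'Message does not look like a DFSR 6004 conflict event.'
}

function Get-ConflictingConnectionObject {
    # Looks each DN up in the Configuration NC and reports whether the KCC generated it.
    param([Parameter(Mandatory)][string[]]$DistinguishedName, [string]$Keep)
    Import-Module ActiveDirectory
    foreach ($dn in $DistinguishedName) {
        $obj = Get-ADObject -Identity $dn -Properties options, fromServer -ErrorAction SilentlyContinue
        $generated = [bool]($obj -and ((([int]$obj.options) -band 1) -ne 0))   # NTDSCONN_OPT_IS_GENERATED
        $action = if ($dn -eq $Keep) { 'keep' } elseif ($generated) { 'delete' } else { 'review (manual connection)' }
        [pscustomobject]@{ DN = $dn; Exists = [bool]$obj; KccGenerated = $generated; FromServer = $obj.fromServer; Action = $action }
    }
}

# Constructed sample: the description of the event quoted in the post, cut to two losers.
$sample = 'The DFS Replication service detected a conflict between two or more nTDSConnection objects while polling for configuration information. The DFS Replication service resolved the conflict between CN=1a46e70a-b0f5-410f-afdd-7049b1685292,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=b1f0fddb-18cc-459a-9891-15458f6c9a06,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local by using CN=ee5b0d6a-d843-48e5-8d8c-b3164dfa4b1a,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local.'
$plan = ConvertFrom-Dfsr6004Message $sample
$plan.Delete     # the two DNs to remove
$plan.Keep       # the working connection, left in place

# Against a live domain: take the latest 6004 event, review, then delete one object at a time.
# $evt  = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 6004 } -MaxEvents 1
# $plan = ConvertFrom-Dfsr6004Message $evt.Message
# Get-ConflictingConnectionObject -DistinguishedName ($plan.Delete + $plan.Keep) -Keep $plan.Keep
# $plan.Delete | ForEach-Object { Remove-ADObject -Identity $_ -Confirm }
```

Connection objects with the generated bit set are recreated by the KCC as needed, so removing them is safe; one without it was created by an administrator (or a tool) and deserves a look at its fromServer before it goes.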

Via: https://social.technet.microsoft.com/Forums/en-US/e8e5d0ea-4fc6-4df0-acf7-39dd1c1987cd/dfs-health-report-inconsistent-configuration-detected-conflict?forum=winserverDS


How to configure Network Adapter DNS settings for a Domain Controller

When it comes to DNS client settings on a domain controller, there is always some confusion about what to set as the preferred DNS servers in the network adapter configuration.

Here are the common rules:

  • Primary DNS: if possible, a DC of the same domain in the same site. Otherwise, a well-connected DNS server (use the same DNS server as the out-of-site alternative on every DC).
  • Secondary DNS: the PDCe.
  • Third DNS: 127.0.0.1 (if the DC is also a DNS server).

Do:

  • Clear the automatically added ::1 as the primary and only DNS server for the IPv6 stack, unless you actively use IPv6.
  • Use the loopback address, but not as the preferred server: set it as the last server in the order. When a DC references itself as DNS, always use the loopback address and not a real IP address.
  • DCs should have at least two DNS client entries.
  • All DCs in a domain should run DNS and host at least their own DNS zone; all DCs in the forest should host the _msdcs zones.

Do not:

  • Use the server’s own IP as the primary; this avoids the various DNS islanding and performance issues that can occur.
  • Disable IPv6 entirely.
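The rules above as a check, written as an added example (not part of the original post). Test-DcDnsClientOrder is a pure function that takes the server lists as input, so it can be tried against constructed values; Test-LocalDcDnsClient feeds it the live configuration of the DC it runs on. It assumes Windows Server 2012 or later (DnsClient and NetTCPIP modules) plus the ActiveDirectory module for locating the PDCe; the sample addresses are made up.

```powershell
# Added example, not part of the original post. Pure check + live wrapper;
# the wrapper assumes it runs on the DC being checked.

function Test-DcDnsClientOrder {
    param(
        [Parameter(Mandatory)][string[]]$Ipv4Servers,   # in configured order
        [string[]]$Ipv6Servers = @(),
        [Parameter(Mandatory)][string[]]$LocalIpv4,     # this DC's own addresses
        [string]$PdcEmulatorIp
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $selfAddr = @('127.0.0.1') + $LocalIpv4

    if ($Ipv4Servers.Count -lt 2)             { $findings.Add('fewer than two DNS client entries') }
    if ($Ipv4Servers[0] -in $selfAddr)         { $findings.Add('primary points at itself (DNS islanding risk)') }
    if ($LocalIpv4 | Where-Object { $_ -in $Ipv4Servers }) {
        $findings.Add('self referenced by real IP instead of 127.0.0.1')
    }
    if ('127.0.0.1' -notin $Ipv4Servers) {
        $findings.Add('loopback missing (expected as last entry on a DC that runs DNS)')
    } elseif ($Ipv4Servers[-1] -ne '127.0.0.1') {
        $findings.Add('loopback is present but not last')
    }
    if ($PdcEmulatorIp -and $PdcEmulatorIp -notin $Ipv4Servers) { $findings.Add("PDCe $PdcEmulatorIp not listed") }
    if ($Ipv6Servers -contains '::1') { $findings.Add('IPv6 stack uses ::1 as DNS server; clear it unless IPv6 is in use') }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

function Test-LocalDcDnsClient {
    # Reads the live configuration of this DC and checks every IPv4-configured adapter.
    Import-Module DnsClient, NetTCPIP, ActiveDirectory
    $pdcIp = (Resolve-DnsName -Name (Get-ADDomain).PDCEmulator -Type A |
              Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
    $local = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
    foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }) {
        $v6 = (Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv6).ServerAddresses
        $r  = Test-DcDnsClientOrder -Ipv4Servers $nic.ServerAddresses -Ipv6Servers @($v6) `
                                    -LocalIpv4 @($local) -PdcEmulatorIp $pdcIp
        [pscustomobject]@{
            Interface = $nic.InterfaceAlias
            Servers   = ($nic.ServerAddresses -join ', ')
            Compliant = $r.Compliant
            Findings  = ($r.Findings -join '; ')
        }
    }
}

# Constructed sample: a DC at 10.0.1.10 that points at itself first (the anti-pattern above).
$bad = Test-DcDnsClientOrder -Ipv4Servers '10.0.1.10', '10.0.2.10' -LocalIpv4 '10.0.1.10' -PdcEmulatorIp '10.0.2.10'
$bad.Findings    # self as primary, self by real IP, loopback missing

# Same DC following the rules: site partner first, PDCe second, loopback last.
$good = Test-DcDnsClientOrder -Ipv4Servers '10.0.1.11', '10.0.2.10', '127.0.0.1' -LocalIpv4 '10.0.1.10' -PdcEmulatorIp '10.0.2.10'
$good.Compliant  # True
```

Keeping the decision logic separate from the collection code is what lets you run the same check from a monitoring job on every DC and compare results, rather than eyeballing ipconfig /all on each one.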