I'm having a strange issue that I can't figure out: I have an Active Directory network spanning two sites, with three subnets per site. I have just spun up computerA1 in site A and it cannot browse to \\computerB1\c$ in site B. ComputerA1 can browse to C$ on other computers in site B and computerB1 can browse to C$ on other computers in site A. In fact, of the ten existing computers in site B, computerA1 can successfully browse to 8 of the ten. And all computers can browse to \\computerA1\c$. In addition, if I try to browse by IP address computerA1 can browse to the problematic computers successfully. ComputerA1 can ping \\computerB1 by hostname and IP address successfully. All computers are domain joined and are managed by GPO, so should theoretically be configured identically. Windows firewall is off on all computers currently. The error message is 0x80004005 "Windows cannot access \\computerA1\c$". Any advice?
# ? Jul 7, 2022 22:57
Can any of the other site B machines browse B1? Are you sure B1 is configured to make windows sharing available?
# ? Jul 7, 2022 23:09
Potato Salad posted:Can any of the other site B machines browse B1?

Every machine can ping and browse to \c$ on every other machine just fine. It's only the newly spun up A1 that cannot browse to \\B1\c$ and \\B2\c$ but can browse to c$ on every other machine. And A1 can browse to C$ on both of the problematic machines if I use IP instead of hostname. And yes, Windows sharing is enabled on B1 and B2 because those machines are browsable by other machines in both sites.
# ? Jul 7, 2022 23:31
Agrikk posted:In addition if I try to browse by IP address computerA1 can browse to the problematic computers successfully. ComputerA1 can ping \\computerB1 by hostname and IP address successfully.

This is the weird part. You mentioned that there are three subnets per site. Are the other B computers on different subnets than B1? E: B1 & B2
# ? Jul 7, 2022 23:33
klosterdev posted:This is the weird part.

There’s between five and 10 computers on each site, evenly distributed across three subnets each. There are no firewalls between any of the sites or subnets. It is weird. It looks like a sharing issue, but other computers work where this one does not. And sharing works via IP address. It also looks like a hostname issue, but DNS resolves for every computer to every other computer, including the broken one.
# ? Jul 7, 2022 23:43
Agrikk posted:There’s between five and 10 computers on each site, evenly distributed across three subnets each. There are no firewalls between any of the sites or subnets.

Can you browse by FQDN? i.e. \\computerB1.domain.tld\c$\ Could be some weird issue with the DNS suffix not getting added to the hostname when trying to browse.
# ? Jul 7, 2022 23:46
It definitely sounds like some kind of weird DNS issue, but it could be Kerberos/DNS interaction, or something stuck in the cache on the workstation, or the specific DNS responses it's getting. In PowerShell, you can run "Resolve-DnsName computerB1 -Type all" and should get some things back. You can specify a server with the -Server parameter, to see if there are different responses from different servers. Do you get anything interesting from "Test-NetConnection computerB1 -CommonTCPPort SMB"? ETA: Comedy Option: You've got a WINS server somewhere doing something dumb (beyond just existing).
# ? Jul 7, 2022 23:59
The PowerShell you suggested didn’t reveal any differences, nor did any event logs, or anything else Google suggested. So I terminated the instance and I’m trying again.
# ? Jul 8, 2022 01:27
Makes me think of an SMB version issue, possibly.
# ? Jul 8, 2022 02:10
I have a workstation that absolutely will not apply group policy. C:\Windows\GroupPolicy or whatever is empty and gpupdate fails saying it can’t read the policy from the domain controller, despite my being able to browse to the policy in the policy store on all DCs. If I disable the policy it complains about in gpupdate another one fails, if I disable that one yet another fails, and so on. I’ve decided the computer is haunted and I’m going to wipe it since I’ve wasted more than enough time on it and it’s not that important, but I figured I’d pop it in here to see if anyone has an idea about how to get this to work? The only thing I can think of is to remove it from the domain and add it again, but given the empty directory I don’t think that’ll do it. Any ideas?
# ? Jul 8, 2022 03:29
sounds like it would be really fun to troubleshoot, but lmao you have other work to get back to steamroll the fucker
# ? Jul 8, 2022 05:10
Yeah that’s where I’m at. I tried for an hour or so and I’ve hit my “it’s faster to rebuild it” threshold. It’s legacy anyways, so once I get the owners to evacuate any worthwhile data it’s going into the bin. E: I might keep it around as a side project to plink around with when I have free time blocks, since this kind of thing is exactly what I need to hone and refine troubleshooting skills, but there’s no way it’s ever going back into production.

Number19 fucked around with this message at 05:59 on Jul 8, 2022
# ? Jul 8, 2022 05:57
Agrikk posted:So I terminated the instance and I’m trying again.

The new instance is having the same issue, so now I'm deep in the muck. Looking in the event log reveals this gem:

quote:The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server MyCertificateServer$. The target name used was RPCSS/MyCertificateServer.int.mydomain.net. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (INT.MYDOMAIN.NET) is different from the client domain (INT.MyDOMAIN.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

and

quote:The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server computerB1 $. The target name used was cifs/computerB1 . This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (INT.MYDOMAIN.NET) is different from the client domain (INT.MYDOMAIN.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

So it looks like Wizard of the Deep was heading in the right direction with their Kerberos suggestion. This error message is repeated on two other computers that I've found so far. I've started digging into replication issues between my DCs, but of course the Active Directory Replication Status tool has expired effective July 1, 2022. What loving poo poo is that? Why would MS have a tool that expires on an arbitrary date for no apparent reason?

Agrikk fucked around with this message at 07:41 on Jul 8, 2022
# ? Jul 8, 2022 07:25
So the schad is on me. It was a replication issue with one of my domain controllers. I had been messing around with AWS DNS endpoints and I forgot to turn the setting back, causing it to desync with the rest of the DCs. Reverting the settings on the DC started replication up again, which solved the issue with computerB1. Success! So now I can go about doing the thing I wanted to do fifteen hours ago.
# ? Jul 8, 2022 08:21
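An added diagnostic for the KRB_AP_ERR_MODIFIED event quoted above (example code, not from the thread or from Microsoft): it asks every DC for the target's computer account and flags the two causes the event text names, a machine password the DCs disagree on (what a desynced DC produces) and a cifs/ SPN registered on more than one account. It assumes the RSAT ActiveDirectory module and a domain admin context; 'computerB1' is the thread's host name.

```powershell
# Added example: compare the Kerberos target's account state across all DCs and look for
# duplicate SPNs. Assumes RSAT ActiveDirectory module; run from the client that logged the error.
Import-Module ActiveDirectory

function Test-KerberosTarget {
    param([Parameter(Mandatory)][string]$Target)   # NetBIOS name from the event, e.g. computerB1

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $cifsSpn = '^cifs/' + [regex]::Escape($Target) + '(\.|$)'
    $results = foreach ($dc in $dcs) {
        try {
            # Query each DC directly (-Server) so a lagging replica is visible instead of averaged out
            $acct = Get-ADComputer -Identity $Target -Server $dc `
                        -Properties ServicePrincipalNames, pwdLastSet, whenChanged
            [pscustomobject]@{
                DC          = $dc
                Found       = $true
                PwdLastSet  = [DateTime]::FromFileTime($acct.pwdLastSet)
                SpnCount    = @($acct.ServicePrincipalNames).Count
                HasCifs     = [bool]($acct.ServicePrincipalNames -match $cifsSpn)
                WhenChanged = $acct.whenChanged
            }
        } catch {
            [pscustomobject]@{ DC = $dc; Found = $false; PwdLastSet = $null
                               SpnCount = 0; HasCifs = $false; WhenChanged = $null }
        }
    }

    # Every DC should report the same pwdLastSet; a second distinct value means one DC will
    # issue tickets encrypted with a key the target no longer holds -> KRB_AP_ERR_MODIFIED.
    $distinctPwd = @($results | Where-Object Found |
                     Select-Object -ExpandProperty PwdLastSet -Unique).Count
    if ($distinctPwd -gt 1) {
        Write-Warning "DCs disagree on $Target's machine password: check replication (repadmin /showrepl)"
    }

    # The other cause in the event text: the same cifs/HOST SPN on more than one account
    $dupes = @(Get-ADObject -LDAPFilter "(servicePrincipalName=cifs/$Target*)" -Properties servicePrincipalName)
    if ($dupes.Count -gt 1) {
        Write-Warning "cifs/$Target is registered on $($dupes.Count) accounts: $($dupes.Name -join ', ')"
    }
    $results
}

Test-KerberosTarget -Target 'computerB1' | Format-Table -AutoSize
```

Once the DCs agree again, `klist purge` on the client discards the ticket it obtained from the stale DC so the next connection gets a fresh one.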
quote:It’s not DNS
# ? Jul 8, 2022 09:31
Anyone ever see an issue where you can ping a DC by both IP and hostname, DNS setting on the system is pointed to the DC, but you can't ping domainname.local or add it to the domain? Server 2003 if relevant. (lmao I know, it was even on Win2k functional level until I raised it 10 minutes ago)
# ? Jul 26, 2022 17:34
Do you have any conditional forwarders?
# ? Jul 27, 2022 23:25
This looks cool https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide
# ? Aug 1, 2022 17:55
Thanks Ants posted:This looks cool

Well poo poo, that only took them over a decade to figure out. Very nice.
# ? Aug 1, 2022 18:26
This is a killer loving feature to get the hell out of a GoDaddy hosted Exchange. Also, they're sloooowwwly closing the Exchange requirement by non-Office365 group writeback in preview: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-write-back-portal These guys have a deep dive on it
# ? Aug 3, 2022 04:04
I wish they would clarify when they are talking about Azure AD Connect and Azure AD Connect Cloud Sync, because there are subtle differences between the two.
# ? Aug 3, 2022 13:20
incoherent posted:This is a killer loving feature to get the hell out of a godaddy hosted exchange.

sooooooooooooooo it's not the writeback silver bullet I'm looking for buuuuuuut well actually, uh, what WOULD you use this for?
# ? Aug 4, 2022 01:46
Do we have an Azure / M365 all the wincloud things thread?
# ? Aug 4, 2022 01:47
No, but Azure people read and post in this thread, the other IT threads, and the cloud giant thread.
# ? Aug 4, 2022 01:50
Potato Salad posted:sooooooooooooooo it's not the writeback silver bullet I'm looking for buuuuuuut

I can see a number of use cases for a hybrid environment where all of your messaging stuff is done in M365, but you want to be able to manage group memberships with on-prem AD tooling. I would have loved this at my last job; current job is Azure AD first so it's less useful.
# ? Aug 4, 2022 01:54
Potato Salad posted:sooooooooooooooo it's not the writeback silver bullet I'm looking for buuuuuuut

Multi-forest stuff seems like a big deal. Haven’t been doing identity stuff directly for two years, but I remember that being a sticking/pain point in the past. Plus having an easy way to HA the sync seems nice; having to have a secondary in staging mode or whatever always seemed sus af.
# ? Aug 4, 2022 01:55
The Fool posted:No, but azure people read and post in this thread, the other IT threads, and the cloud giant thread.

*goes looking for the cloud giant thread* thank you
# ? Aug 4, 2022 02:02
https://forums.somethingawful.com/showthread.php?threadid=3791735&perpage=40&noseen=1&pagenumber=47
# ? Aug 4, 2022 02:03
The Fool posted:No, but azure people read and post in this thread, the other IT threads, and the cloud giant thread.

Dang, didn't know that existed. Goes to show how computer janitor mindset I am lol.
# ? Aug 4, 2022 18:53
What's the best way to decrease the time taken for DNS queries for an AD-integrated zone to show up and become resolvable at another site? We have a separate AD site that runs DNS and DHCP services for a bunch of Linux VMs that make up our dev/staging environment. We'd like to have our devs start self-provisioning VMs as needed; however, the biggest hurdle we have right now is that newly provisioned VMs take 10-15 minutes to become resolvable, as this staging site is technically a separate site in our AD topology.
# ? Aug 4, 2022 19:19
Change intersite replication to be immediate.
# ? Aug 4, 2022 20:08
devmd01 posted:Change intersite replication to be immediate.

This would work, or just point the dev/test machines at the DNS server where the records are being created.
# ? Aug 4, 2022 20:31
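"Make intersite replication immediate", as suggested above, means enabling change notification on the site link so the AD-integrated DNS partition replicates on each change instead of on the link's schedule. The following is an added example (not from the thread) that does that with the RSAT ActiveDirectory module; the site link name 'HQ-Staging' is a placeholder.

```powershell
# Added example: turn on change notification for one site link and set the scheduled
# interval to its 15-minute floor as the fallback. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$USE_NOTIFY = 1   # bit 0 of the siteLink 'options' attribute: replicate on change, not on schedule

function Enable-SiteLinkChangeNotification {
    param([Parameter(Mandatory)][string]$LinkName)   # placeholder: your inter-site link's name

    $link = Get-ADReplicationSiteLink -Identity $LinkName -Properties options
    $opts = [int]$link.options   # $null (attribute unset) becomes 0

    if (($opts -band $USE_NOTIFY) -eq 0) {
        Set-ADReplicationSiteLink -Identity $LinkName -Replace @{ options = ($opts -bor $USE_NOTIFY) }
    }
    # Change notification bypasses the schedule, but keep the scheduled pull as a safety net
    Set-ADReplicationSiteLink -Identity $LinkName -ReplicationFrequencyInMinutes 15

    # Return the effective state so the change can be verified
    Get-ADReplicationSiteLink -Identity $LinkName -Properties options, replInterval |
        Select-Object Name, ReplicationFrequencyInMinutes,
            @{ n = 'ChangeNotification'; e = { ([int]$_.options -band $USE_NOTIFY) -ne 0 } }
}

Enable-SiteLinkChangeNotification -LinkName 'HQ-Staging'
```

The KCC picks the new option up on its next run; `repadmin /replsummary` afterwards shows whether the staging-site DC's largest delta has dropped from the old interval to seconds.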
Make a new DNS zone for your dev environment that is integrated with your build platform and delegate that zone in your corporate DNS.
# ? Aug 4, 2022 20:53
Get rid of AD DNS and move to a real platform.
# ? Aug 5, 2022 01:35
I'm not sure if there is an Azure thread or if this is functionally the spot for it, but I am trying to configure alerts if an account is logged into. I am trying to do so without Workspace Analytics, with standard O365 E3 and Azure AD P2 licensing. Essentially I have a use case where an org does not have Azure Monitor/Workspace Analytics, but we must alert IT and Security admins if the Emergency Global Admin account is touched. Anybody have any experience with this?
# ? Aug 9, 2022 20:19
If you’re not sending those logs to a SIEM or something, I think you’re SOL.
# ? Aug 9, 2022 20:32
Otis Reddit posted:I'm not sure if there is an Azure thread or if this is functionally the spot for it, but I am trying to configure alerts if an account is logged-into. I am trying to do so without Workspace Analytics, with standard O365 E3 and Azure AD P2 licensing.

Spin up an Azure Function running PowerShell to look for sign-ins, maybe?
# ? Aug 9, 2022 21:32
That would legit probably cost more than just putting those logs in a workspace.
# ? Aug 9, 2022 21:36
I don't know if there's a better way, but if you are trying to work around not using Workspace Analytics, you shouldn't. It costs a tiny amount for such a small use case.
# ? Aug 9, 2022 21:41
Splunk (and I’m assuming other SIEMs) can pull that data down directly without a workspace. That is the only other non-headache-inducing way of getting that data I’m aware of.
# ? Aug 9, 2022 21:43