Ryan Ries's questions

I've noticed that when I use Powershell to get the group membership of an Active Directory domain security group, the Powershell cmdlet Get-ADGroupMember $Group fails with the error message:

PS C:\> get-adgroupmember MyGroup
get-adgroupmember : An operations error occurred
At line:1 char:1
+ get-adgroupmember MyGroup
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MyGroup:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

I have tried specifying the -server $DC parameter so that the cmdlet targets a specific DC, and then I check the Security logs on that DC as I reproduce the error and no relevant security failure audits are generated. I turned up all the Diagnostics registry entries in the services\NTDS\Diagnostics key and that doesn't produce anything interesting in the Directory Services logs either.

If I remove the group members that reside in the other domain from MyGroup, the cmdlet works no problem.

Interestingly, I notice that if I run the command locally on the DC itself, it works. But when I run the command remotely from a member server, using the same user account, (who is a Domain Admin,) it fails.

Any idea what's wrong?

OS: Server 2012 Core and Server 2012 R2 Core. DFS-Replication is installed and appears healthy.

I am using WMI to collect information from DFSR replication members. The queries work on many of the computers, but there are a couple of replication members on which the queries do not work.

It is the DfsrReplicatedFolderInfo class from the root\MicrosoftDFS namespace.

If I execute the following Powershell command:

Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo

The result is null. No error, but absolutely no output.

If I execute the following corresponding wmic command:

wmic /namespace:\\root\microsoftdfs path DfsrReplicatedFolderInfo get

it returns:

No Instance(s) Available.

This happens regardless of whether the commands are executed locally or remotely.

winmgmt /verifyrepository returns:

WMI repository is consistent

Using wbemtest, I am able to view the DfsrReplicatedFolderInfo class definition, but there appear to be no instances of it.

Other DFSR-related classes in the same namespace appear to be working correctly.

Using the Task Scheduler in Windows Server 2008 R2 or Windows 2012, etc...

What is the difference between this setting:

and this setting on the same task:

Does one take precedence over the other? Do they conflict?

In an Active Directory domain, if I configure a Windows service on a domain member computer to start with an AD user account (aka "ye olde service account",) and the then the service stays running but I don't restart the service or reboot the machine for a year... does the LastLogonTimestamp of the service account's user object continue to update?

Edit: If you say "it depends on the service," then use MS SQL Server as an example. I set MSSQL Engine to run as contoso\sql-service. Then I leave it alone for a year.

Windows Server 2008 R2.

SQL Server 2008 R2 installed.

MSSQL Service runs as Local System.

Server FQDN is SQL01.domain.com.

SQL01 is joined to an Active Directory domain named domain.com.

The following is the output of setspn:

C:\> setspn -L sql01
...
MSSQLSvc/SQL01.domain.com:1433
MSSQLSvc/SQL01.domain.com
WSMAN/SQL01.domain.com
WSMAN/SQL01
TERMSRV/SQL01.domain.com
TERMSRV/SQL01
RestrictedKrbHost/SQL01    
RestrictedKrbHost/SQL01.domain.com
HOST/SQL01.domain.com
HOST/SQL01

I then launch SQL Server Management studio and connect to SQL01 thusly:

I then run the following query:

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid 

And the result is NTLM. Why is the result not Kerberos? The SPNs seem to be correct for using the Local System account. The server is not in a cluster or using a CNAME.

Server 2012, Powershell 3.0.

I'm doing some work that requires automating the enabling and disabling of network adapters. Here is an example of what I see when I run Get-NetAdapter:

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Slot 0 Port 4             HP NC382i DP Multifunction Gigabi...#53      15 Not Present  11-80-1B-94-2A-82          0 bps
Slot 0 Port 2 (TM-2)      HP NC382i DP Multifunction Gigabi...#51      14 Up           11-80-1B-94-27-72         1 Gbps
Team 1 (Team)             Microsoft Network Adapter Multiplexo...      17 Up           11-80-1B-94-2A-72         1 Gbps
Slot 0 Port 3             HP NC382i DP Multifunction Gigabi...#52      13 Disabled     11-80-1B-94-2A-80         1 Gbps
Slot 0 Port 1 (TM-1)      HP NC382i DP Multifunction Gigabi...#50      12 Up           11-80-1B-94-2A-70         1 Gbps

Notice that the Status attribute is not binary. It could be Up, Disabled, or Not Present.

When I run Enable-NetAdapter on a NIC whose status is 'Not Present,' the command silently returns, no error output, but it does not enable the NIC. I then enabled the NIC manually by right-clicking its icon in the Control Panel and choosing Enable. Its status was now Enabled with a Status of Up.

Then I ran Disable-NetAdapter on the NIC. Its status was now 'Disabled.'

Now, the Enable-NetAdapter Cmdlet worked as expected and turns the NIC on.

• So what was 'Not Present' and why did Powershell fail to enable the NIC when it was in that state, but I had no problems enabling it via the GUI, but now it seems to only flip back and forth between Enabled and Disabled?
• How do I get 'Not Present' back if I wanted to?
• How do I enable a NIC with Powershell when it's in a 'Not Present' state?

I have an AD domain. 2003 FFL/DFL. The schema was upgraded to version 56 for Server 2012. The domain contains a mix of domain controllers from Server 2003, Server 2008, Server 2008 R2, and now Server 2012.

I have an Enterprise Issuing Certificate Authority running 2008 R2.

On the Server 2012 domain controllers, they are unable to enroll or autoenroll for their KerberosAuthentication certificates. Error event IDs 6 and 13 in the Application log:

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Certificate enrollment for Local system failed to enroll for a KerberosAuthentication certificate with request ID 5512 from ECA.domain.com\Company Issuing CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Seeing that "RPC server is unavailable" instinctively makes one jump to the conclusion that there are network connectivity issues. But it's not that.

• I've used portqry.exe to verify that the endpoint mapper and all high-numbered ports are indeed available from the DC to the ECA.
• The 2012 domain controller did successfully autoenroll for two other types of certificates. It's just this one certificate that's the problem.
• I see the request on the ECA and it failed and has the same reason for failure as the client.

So it's obviously got network comms. There's something about this particular certificate. No other domain controllers have problems with this certificate. Only the 2012 DCs.

Windows Server 2008 Non-R2, 64bit. It's an AD domain controller. It uses a third party certificate (not AD CS and autoenrollment) in its Computer\Personal store to enable LDAP over SSL.

I obtained a new certificate to replace the expiring certificate. I imported it into the Computer\Personal store.

I deleted the old certificate entirely, I did not archive it. Now the new certificate is the only one left in the store.

I rebooted the domain controller just for good measure.

I have verified via Network Monitor packet capture from another machine, that the domain controller is still somehow handing out the old certificate to clients when they attempt to connect to the LDAP-S service using for example ldp.exe and connecting to port 636 with SSL.

How in the world is the domain controller still passing out the expired certificate? I've completely deleted it from the Computer\Personal store! This makes me a sad panda.

Edit: HKLM\SOFTWARE\Mirosoft\SystemCertificates\MY\Certificates contains only one subkey, which matches the thumbprint of the new, good certificate.

I know WINS is ancient. No need to remind me. For what it's worth, this effort is going toward a project to retire it from the environment altogether.

But before I can do that - I need to be able to scriptomatically or programmatically gather statistics from it.

See the screenshot below:

See "Total querries," (lol at the misspelling) "Record found", etc.?

How do I get at those values? They're not in Perfmon, they're not in any WMI class I've found. I can't find any related COM objects. There are counters like "queries/sec," but I don't care about queries/sec. I want total queries. Just like in the screenshot above.

I'll P/Invoke Win32 if I have to... just... where do I get these metrics?

This is one of those little things that I was always curious about but never asked.

On a Windows DNS Server, you can enable DNS Debug Logging and watch the packets fly by.

A line from that log might look like this:

6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP Rcv 10.161.60.71    5b47   Q [0001   D   NOERROR] A      (12)somecomputer(6)domain(3)com(0)

The part that I'm interested in is the actual queried name at the end:

(12)somecomputer(6)domain(3)com(0)

What do those numbers that have replaced the periods mean?

Server 2012 Core.

I can manually check for Windows Updates with sconfig option 6. I can set Windows Updates to automatic with sconfig option 5. Great.

What if I want to change that to 4 AM? What if I want to change it to only check once a week?

I sniffed around in HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\ but didn't see anything that looked like it let me fine tune the schedule like I want.

Windows 2008 R2 domain controllers and functional levels. Network connectivity is as follows:

DC03 ------ DC02 ------ DC01(FSMOs)

DC01 holds all the FSMOs. DC03, which has not been promoted yet, is currently communicating just fine with DC02. All of the FSMO roles are on DC01. All Sites, Subnets, and Site Link objects are correctly configured to represent the network situation shown above.

DC03 cannot communicate directly with DC01.

DCPromo on DC03 is currently failing because DCPromo runs some tests of direct network connectivity to the FSMO role holder. It's attempting an LDAP bind to the RID Master, which is failing, and at that point DCPromo assumes the RID Master is offline. But it is not offline.

Is there a way I can bypass the connectivity tests? DC03 is currently syncing with DC02 just fine and can read all the Active Directory it wants to from it.

I thought about doing an Install From Media, but I'd like more confirmation that it'll actually work before I try it, and I don't see any evidence that an IFM installation skips the connectivity tests that regular DCPromo does.

PS - Without moving the FSMO roles.

Let's use the product formerly known as Likewise as an example. I can very easily install this on a Linux machine and join it to an Active Directory domain.

I can also use an RSA PAM module so that users are forced to authenticate with a 2-factor hardware token PIN and passcode, using a username that is known to the RSA authenticating server.

Can I use these two together? In other words, I guess what I'm asking is can I use two PAM modules at the same time? (I'm not a Linux guy so take it easy on me please.)

This screenshot is of me transferring a large file (a .VHD) from one logical volume (made of 2 spindles in RAID0) to another one (made of 2 spindles in RAID0) on the same physical machine. (This is not production so don't worry about the sanity of that hardware configuration.) I initiated the transfer via explorer.exe on a third machine on the same LAN, so some TCP protocol may be implicated in the crime here; I don't know.

As the file transfer starts, it peaks out at around 220MB/sec, which is the speed I would expect from a volume to volume transfer on this machine, and then right about 50% of the way through, it drops down to around 50-75MB/s and finishes out at around that rate.

Any ideas as to why the file transfer rate from volume to volume consistently halves half way through the transfer? I tested the same transfer a few times and got the exact same behavior each time.

EDIT: I have tested this again by using robocopy instead of Explorer. I'm using a different file but I'm still initiating the copy from a third workstation:

I did not observe the drastic slowdown about halfway through the file copy using robocopy, however, if you look at the transfer speed at the end, it is still well above the theoretical limit of gigabit Ethernet.

EDIT #2: Here's the same transfer viewed through Explorer. There's no slowdown with this file. The only difference is that this VHD is about half the size of the first one:

Consistent evidence from two different tools that the file copy speed is faster than what GigE should be able to provide, so I'm still not convinced that the transfer is going over the network. But I still have no idea why the bigger file in the beginning would suffer from the slowdown halfway through the transfer. Perhaps there are two many variables/factors in this experiment.

So I have a server, and every time a user or service account logs on to the machine, an error event is generated in the System log:

A Kerberos Error Message was received:
 on logon session DOMAIN\serviceaccount
 Client Time: 
 Server Time: 12:44:21.0000 10/9/2012 Z
 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: DOMAIN
 Server Name: krbtgt/DOMAIN
 Target Name: krbtgt/DOMAIN@DOMAIN
 Error Text: 
 File: e
 Line: 9fe
 Error Data is in record data.

So of course I Googled this, and the only information I'm getting for it is that "it doesn't necessarily indicate a problem and you can usually ignore it."

Well, gee, that's great, but these errors are spamming my System log about once a minute and I'd really like to make them stop. Any ideas?

From the Microsoft AskDS blog:

KDC_ERR_PREAUTH_REQUIRED

If you see this error in the trace, it does not indicate there is a problem at all. The client requested a ticket but did not include the pre-authentication data with it. You will typically see the same request sent again with the data and the domain controller issuing the ticket. Windows uses this technique to determine the supported encryption types.

I hope this isn't a stupid question, and if it is, then I want to at least get it over with so I don't feel so dumb in the future.

Here we are, loading up a Windows crash dump with Windbg. Here are the first few lines of the debugger output:

0: kd> .dumpdebug
----- 64 bit Kernel Summary Dump Analysis
DUMP_HEADER64:
MajorVersion 0000000f
MinorVersion 00001db1
...

The MinorVersion I mostly understand. It's hexadecimal and it translates to 7601 in decimal. Windows admins would already be able to tell from that that this must be either a Win7 x64 machine or a 2k8 R2 machine with SP1. But isn't 7601 the build number? It's supposed to be Major.Minor.Build/Revision... right?

Also I don't understand the MajorVersion. It should be 6. This version of Windows is 6. But isn't 0000000f in hexadecimal 15 in decimal?

The full version string of this version of Windows, when you launch the Command Prompt for instance, is 6.1.7601. If 7601 is the MinorVersion, then what is 1 and what is 6? And why does the crash dump say 0F?

I believe it is correct to say that users and computers are treated as equal principals with respect to Active Directory. Both users and computers have passwords, and both users and computers are required to logon to the domain independently.

I understand that the NetLogon service, which starts automatically, is responsible for logging a computer on to the domain at startup. At that time, NetLogon uses some domain controller locator logic via DNS lookups to help it locate a domain controller.

If the computer had logged on to the domain before and already knows to which site it belongs, it can start with a site-specific DNS query to locate a DC, failing back to a more general one if it has to.

Please correct me if I'm wrong in any of my assumptions thus far.

So does a user, when logging in to a computer, have a separate DC locator process when he/she logs on to a computer? Or does the user use whatever the computer already came up with when it logged on? Would it be possible for a computer and a user logged on to that computer to have different authenticating DCs?

Most of us know that we need to create subnet objects and associate them to site objects in our Active Directories. This keeps clients in Site A authenticating to domain controllers in Site A, getting correct DFS referrals, etc.

How do I manage this in an environment with thousands of subnets? Literally, thousands of subnets that are ever-evolving, being added to and taken away.

Ideally, the answer should not be "hire 50 administrators."

In Windows/Windows Server, if I have a physical NIC that has two or four ports on it, is there a scriptable/programmatic way to determine which "Network Connection" (such as "Local Area Connection 3", for example,) is associated with which physical NIC port?

I took a quick glance through the win32_networkadapter and win32_networkadapterconfiguration classes, but didn't see anything immediately helpful.

All Windows 2K8R2 SP1 environment.

I have a working Enterprise Certificate Authority in my domain. I want to issue a Computer certificate (for Server Authentication purpose) to an external, stand-alone machine. So I add the Certification Authority Web Enrollment, Certificate Enrollment Web Service, and Certificate Enrollment Policy Web Service role services to my ECA.

Now on my standalone machine, I browse to http://myCA/certsrv. I see that I am only able to request a "User Certificate." In the Advanced Certificate Request, there is still no option to request a Computer certificate or anything that will give me what I need, as far as I can tell.

So I edit the certrqtp.inc file on my ECA such that I replace rgAvailReqTypes(1,5) with rgAvailReqTypes(2,5), and I add this to toward the end of the file:

    rgAvailReqTypes(1,FIELD_TEMPLATE)="Computer"
    rgAvailReqTypes(1,FIELD_FRIENDLYNAME)="Computer"
    rgAvailReqTypes(1,FIELD_OID)="1.3.6.1.5.5.7.3.1"
    rgAvailReqTypes(1,FIELD_CSPLIST)=""

Now when I browse the website, I see a new certificate request type: Computer. However, when I try to submit that request on my standalone machine, I get this error:

Certificate Request Denied 
The disposition message is "Denied by Policy Module 0x80094800, The request was for
a certificate template that is not supported by the Active Directory Certificate
Services policy: 1.3.6.1.5.5.7.3.1(Server Authentication). ".

How can I issue a computer certificate from my ECA to an external, standalone computer?

If it helps, I am trying to use the cert on the standalone computer for the purposes of running a WinRM listener on that computer that uses SSL.

edit: What I did was request a "Web Server" certificate from the CA, which was granted. It was automatically installed into my user account store. From there, I exported the certificate on my standalone machine, and then imported it into my Local Computer -> Personal store. Now I have a certificate in there that is named after my HOSTNAME of my standalone computer, in the Subject property, it says CN = HOSTNAME, and for "intended purposes" it says "Server Authentication."

However, now I get this:

Even though I have a certificate in my local computer personal store that appears to meet all those requirements. :(