Omnomnomnom's questions

I am currently setting up a new internal Windows PKI infrastructure in our organisation, to replace an old setup.

Things are mostly fine, but the OCSP location has the status "Error" in the pkiview console. When I check a certificate with certutil (certutil -URL test-certificate.cer or certutil -urlfetch -verify test-certificate.cer) it shows up as verified. So the responder does seem to work.

Does anyone know why the error status might show up in pkiview? Or where to find relevant logs about this error?

Some more info about the setup:

• As you can see in the image, it's a two tier PKI with an offline root CA and a domain joined issuing CA.
• The AIA and CDP locations are located on two Ubuntu-based Nginx servers, with keepalived for HA purposes.
• A script on the Nginx servers fetches the new CRL from the issuing CA every 15 mins.
• The same two Ubuntu servers have a second Nginx server block, which runs a load balancer to direct ocsp requests to two ocsp responder servers. This way, the certificates can contain just one ocsp url, and clients do not have to wait for timeouts when one ocsp responder would be down.

When googling the problem I found that this might be due to a stale CA-Exchange certificate. But renewing that did not help.

Update

I tested this with Wireshark and when launching pkiview, no ocsp request is actually made. When running certutil -URL test-certificate.cer Wireshark clearly shows the ocsp request and response.

Recently I added a Cloud Distribution Point and Cloud Management Gateway to our SCCM environment. The setup seems to work well, internet clients get their policies, can install software etc...

We would also like to allow internet clients to perform windows 10 feature updates through a task sequence. The task sequence works fine for intranet clients. But when an internet clients tries to start the TS, it can't download the relevant OS upgrade package.

An application package, that is referenced gets downloaded to cache fine, but when the client tries to download the upgrade package, cas.log says "No matching DP location found." for that package ID and downloading stays at 0%.

The package is distributed to the cloud DP. I have the deployment set to "Allow this task sequence to run for client on the internet" and "download all content locally before starting task sequence" since the documentation states that this is required. Pre-download is also enabled, but I don't know if that makes any difference in this situation. The client cache is also large enough.

It seems the client does not see the cloud DP as a valid location to download the upgrade package from.

Does anyone know what I might be missing? Or in which logs I can find what might be wrong?

The version of SCCM is 1802. The client is running Windows 10 Enterprise 1709, which we are trying to upgrade to 1803.

The situation

In our organisation I made a GPO that creates a scheduled task. This task triggers at logon of two user accounts.

It executes a powershell script that changes the DNS servers for the network connection. (To block some websites for these users, using dnsmasq. I know this is not a bulletproof solution, but its good enough.)

The action for the scheduled task is this command:

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe

And these are the parameters:

-ExecutionPolicy Bypass –NoProfile –Command "& {C:\ProgramData\ORGNAME\scripts\SetDNS.ps1}" > C:\ProgramData\ORGNAME\scripts\SetDNS.log

As you can see, the output gets sent to a log file.

This is the content of the script:

$wmi = get-wmiobject Win32_NetworkAdapterConfiguration -filter "ipenabled = 'true'"
foreach($adapter in $wmi)
{
    if($adapter.description -NotLike "*VMware*")
    {
        $adapter.SetDNSServerSearchOrder("XXX.XXX.XXX.XXX")
    }
}

invoke-expression -command "c:\windows\system32\ipconfig /flushdns"

The problem

The problem is that this works fine, approximately 9 out of 10 times. When it doesn't work, the task scheduler still reports exit code 0, but it seems the script does not even begin to execute because, nothing happens and the log file is not created.

Some extra info

• The task runs under the SYSTEM account
• It runs with highest privilleges
• When the task is ran on demand it works fine
• All computers run Windows 7 enterprise (x64)

Some things i've tried

• I thought maybe the task scheduler was triggering the script too fast and some things might not yet have initialized so i tried setting a 30s delay.

• Re-running the task every 5 minutes for 15 minutes.

• Restarting the task when it fails, this obviously doesn't work, since powershell.exe seems to return error code 0.

The problem

Recently the computers at our organization moved to a new AD domain, due to a merger. We are having problems getting the clients to dynamically register their DNS records in our AD-integrated DNS.

When a registration is triggered manually on the client (ipconfig /registerdns), everything works fine. You can see the registration process happening in wireshark as described here: https://technet.microsoft.com/en-us/library/cc771255.aspx

Only about 50% of the clients seem to be doing this by themselves however. On the other half, this process does not seem to trigger. Even though the events mentioned in the above article (e.g. on startup) should cause the client to register their A-record with the DNS server.

I have tcpdump constantly capturing traffic from a group of desktops which are exhibiting this problem. In these dumps, I can't find any registration attempts for the affected computers.

Some things to note about our environment

• The clients are getting their DHCP addresses from two DHCP servers in the old domain.
• The DNS servers the clients are told to use (option 006), are also the old domain controllers. But DNS requests for the new domain, are forwarded to the new DC's using conditional forwarding.
• For the new domain, updates are allowed. (Secure Only)
• The connection suffix provided by the DHCP (option 015) is still the old domain. But we have a list of suffixes deployed through a GPO, with the new domain suffix first in the list.
• The new AD domain has three domain controllers, two of which are also DNS servers.

Something we tried

For one of the DHCP scopes we set the connection suffix to the new domain and the DNS servers to the new domain controllers. This does not seem to make a difference.

This seems to be an interesting post about the subject: http://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement/ But most of the things mentioned there are in order. Except for the fact that IPv6 is disabled on the new domain controllers.

More info in response to Craig620's answer

• The DNS servers are running Windows server 2012 R2, the clients are all Windows 7, the DHCP servers are running server 2008 R2.
• All clients are joined to the same domain (new domain since merger), the problems occur only in this domain.
• There are no clients with static IP-addresses.
• We are not in the process of moving clients from the old to the new domain. We did this with some clients, but the computers which are having problems have not moved. They have been deployed using SCCM in the new domain.
• I can't find significant differences between the 50% that are having the problems and other systems. For example: Some computers in the same classroom are having problems, others are not. They are generally running the same software, updates, etc. And are connected to the same part of the network. Same hardware also. The difference that I can think of is that they are trying to contact another domain controller, but I can't see any attempts to do this.
• The problem has been going on for weeks so computers should have had plenty of time to register themselves.
• The clients don't seem to query for the zone SOA. The zone names for the old and new domain are not similar. (e.g. green.local for the old domain and int.blue.com for the new)
• I have a GPO in place for the DNS suffix search list. This is a list containing the new AD-domain in first place, followed by the legacy domains of the different merger organizations. This is the only DNS related GPO. But I will check this more thoroughly.

The problem

Due to a merger in our organisation, we are migrating to a new common Active Directory domain. Our old legacy domain and the new domain have a two-way trust between them.

We have two main fileservers in our old domain, on which users have a personal folder. Some users have their folder on one server, others on the other one, depending on which department they work for. On these personal folders, NTFS permissions are granted using the users account directly.

A user has an account in both the old and the new domain. So now I was in the process of adding permissions to these personal folders for the corresponding user from the new (trusted) domain. Strangely, this works fine on one fileserver but not on the other.

I scripted this in powershell and it throws the following error:

Add-NTFSAccess : Cannot bind parameter 'Account'. Cannot convert value "<New Domain>\<New Username>" to type "Security2.IdentityReference2". Error: "The trust relationship between the primary domain and the trusted domain failed.

When i manually try to add the permission. I can see the other domain as well as check the name of the user. But when I try to apply the permissions I get the following error:

Things I've checked so far

• The DNS names of the DC's of the trusted domain resolve fine from the fileserver
• Verified the trust in the "domains & trusts" mmc (All other trust related things work fine btw)
• The fileservers are in different firewall zones. I asked the network guys to temporarily allow all traffic between the file servers and the DC's of the trusted domain for testing. (But the correct ports should have been open anyway, since the rules are the same for both fileservers)

At my workplace we inherited a file server running Windows 2008 R2. (Core server unfortunatly, so no GUI)

Last year we decided it would be nice to have previous versions of files available for users. So we gave VSS a seperate volume, with 10% of the space of the data volume. (300GB and 3TB respectively) We set a scheduled task to take two VSS snapshots per day and everyhting worked fine. Previous versions showed up nicely.

Recently, previous versions just dissappeared and I can't find out why. I checked if administrative shares are working, they are. When i list the VSS writers, all the writers show the stable state, with no last error. And the VSS shadows also show up when you use vssadmin to list them.

The event log sometimes shows some errors from volsnap saying "The flush and hold writes operation on volume D: timed out while waiting for a release writes command." My guess is this is just due to activity while creating the shadows. They are created in any case.

Is there anything else I can check?

We did this on two, nearly identical file servers and on the other one everyhting is still working fine.

At work we have an ESX 4.1 cluster with some vlan's (Port Groups) configured on a vswitch on each host. A lot of these port groups aren't in use anymore so we decided to clean them up.

We don't have a distributed vswitch, so each port group has to be removed on each host. This works fine in most cases. But we have one group that refuses to be deleted. It returns the following error: "Unable to delete portgroup "VLAN-XXXX", for the following reasons: 1 active ports"

We've tried deleting it through the vcenter console, as well as using the esxcfg-vswitch command. With the same result.

We checked multiple times that none of the VM's on the host are using the portgroup. So I don't think it should be active.

When we check the vswitch using esxcfg-vswitch -l, the output shows that one port in that PortGroup is indeed in use. Does anyone know how to get rid of this one used port?

In our Active Directory domain, we have some strange things happening to a certain user account:

In the security rights for that user object, the "Include inheritable permissions from this object's parent" flag keeps getting disabled. Which causes some problems for that user.

If an administrator enables it, a few hours later its disabled again. So we enabled auditing on that user object, to see who or what is doing that.

The auditing works: If I manually check or uncheck the flag on that user, an entry is created in security log on the domain controllers, stating a directory service object was modified etc,...

However, it does not log the mystery process that disables the flag. When I enable the flag, it gets logged in the auditing log. But a few hours later its disabled again and the audit log shows nothing.

So i'm quite stumped. Are there any processes or user accounts that can modify AD objects without this showing up in the audit log?

I recently set up a new SCCM 2012 environment at my workplace and now we are creating our applications for distribution.

Some applications are set up using a script. When during testing, something was not right and the content of the application needs to be changed. The distribution point keeps on serving the old content to the clients.

I was wondering what the proper procedure is for updating the DP's when the content of an application changes. I have tried redistributing to the distribution points and deleting old revisions but to no avail.

I have a nas running Windows server 2008 standard sp2 (x86) and in the past few days it has started crashing whenever there was more then only light network traffic going on.

It happens when: - Downloading torrents (both in µtorrent and vuze) - Copying files to and from the nas using teracopy

The nas has 4 disks, which are not in a raid configuration but are encrypted using truecrypt. First I thought one of the disks went bad, so I checked all of them using hdtune, but no bad sectors were found. It seems to be quite mysterious problem. With only light traffic, just watching some movies off it etc,... it runs perfectly fine.