Category Archives: Active Directory

Disabling SMB2 caused massive DFS issues on a 2012 R2 Domain Controller

  1. Users are not able to access shares on the server
  2. Unable to access the NETLOGON and SYSVOL shares on the server
  3. Unable to load or edit GPOs
  4. The DFS namespace appears to be broken on the domain controller


Decided to open a case with MS Support before restoring from backups.

  1. ‘netdom query dc’ – returned an error
  2. net share
  3. \\localhost – failed to open the shares on the server
  4. \\server\sysvol – failed to open with ‘You might not have permission to use this network resource’ / ‘The specified network name is no longer available’
  5. Advanced Settings in the network adapter, Provider Order: Symantec was at the top; moved Windows Network up to top priority
  6. netsh int tcp show global
  7. C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
  8. Uninstalled the Symantec Endpoint Protection client per MS support, and rebooted
  9. fltmc
  10. gpupdate /force failed
  11. Disabled SMB2 the correct way instead of through the registry; this resolved all issues after rebooting
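The check-and-change sequence behind step 11, written out as an added example; this is not code from the original post. It assumes that “the correct way” means the Set-SmbServerConfiguration cmdlet from the SmbShare module that ships with 2012 R2 rather than writing the SMB2 DWORD under LanmanServer\Parameters by hand, that it is run elevated on the DC, and that $Dc is a placeholder for the DC's host name. One caveat a practitioner should keep in mind: with SMB2 (and with it SMB3) disabled, SMB1 is the only dialect the server can speak, so SMB1 must stay enabled or SYSVOL and NETLOGON become unreachable exactly as described above, and because SMB1 is the weaker, deprecated dialect the change should be treated as temporary and reverted once the real problem is fixed.

```powershell
# Added example, not the original post's code. Run elevated on the DC.
$Dc = 'DC1'   # placeholder for the domain controller's host name

# 1. Record the current protocol state before changing anything
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol

# 2. Refuse to continue if SMB1 is already off: with SMB2 disabled as well there
#    would be no dialect left for SYSVOL/NETLOGON (the DC's own Group Policy
#    client reads SYSVOL over SMB too).
if (-not (Get-SmbServerConfiguration).EnableSMB1Protocol) {
    throw 'SMB1 is disabled; disabling SMB2 now would leave no dialect for SYSVOL/NETLOGON.'
}

# 3. Disable SMB2/SMB3 through the SmbShare module instead of editing
#    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters directly.
Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force
# Restart-Computer        # the change needs a reboot; uncomment when ready

# 4. After the reboot: the domain shares exist and the UNC paths answer
Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' } | Format-Table Name, Path
foreach ($path in "\\$Dc\SYSVOL", "\\$Dc\NETLOGON") {
    if (Test-Path -Path $path) { "$path reachable" } else { Write-Warning "$path NOT reachable" }
}

# 5. Group Policy processing should succeed again, and every client session
#    should now show a 1.x dialect (Get-SmbSession is the server-side view)
gpupdate /force
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# To revert once the underlying problem is fixed:
# Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force
```

The Dialect column is the quickest way to prove what actually changed: if sessions still show 2.x or 3.x after the reboot, the setting did not take, and if SYSVOL tests fail while sessions show 1.x, the problem is on the SMB1 path (the provider order and filter driver checks from steps 5 and 9 are the usual suspects).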

Dcdiag is reporting FRS Event Error

I set aside an hour a week to work with our domain controllers. During this time I run health checks, review logs, and review Event Viewer entries. I have been looking for a way to automate a health check script using PowerShell, but for the time being I am sticking with the normal commands. I ran Dcdiag.exe /v this morning to review the overall health of the domain controller (DC) and everything was normal except one thing: there was an error in the FrsEvent test, which covers the File Replication Service.

[Screenshot: FRS error on domain controller DC]

I have been hearing of group policy replication issues going around, and until now the domain controllers had been reporting back as healthy, but now I have something to work with. I ran Dcdiag.exe /v on our second domain controller and everything came back healthy.

[Screenshot: FRS test passing on domain controller DC1]

At this point I did a search for 0x800034C4. I wasn't able to find much specific about the error, but went to check the service status on both domain controllers to make sure the services that needed to be running were started. I usually do this by sorting on startup type to show the Automatic services and then checking that all of those are started. All the services looked fine on both domain controllers.

Next I started going through the actual reasons why it may be showing this error. The first is that DC is not able to resolve the other domain controller's DNS name. I pinged DC1 from DC and it resolved the DNS name just fine.

Next was that FRS is not running on DC1. I verified that the File Replication Service was indeed running on DC1, but did I need to restart the service for some reason, and would that have any impact? After reading a little, it did not sound like it would affect anything, so I restarted the File Replication Service on both domain controllers.

Next I went into the File Replication Service event log in Event Viewer on both domain controllers; DC looked fine, while DC1 had a lot of errors.

[Screenshot: FRS event 13568 (journal wrap) on DC1]

I followed the instructions for creating a new DWORD value named “Enable Journal Wrap Automatic Restore” (under HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters), set it to 1, and restarted the NtFrs service on the problem DC1.

[Screenshot: the new DWORD value in the NtFrs Parameters key]

After restarting the service, I went back into Event Viewer to watch for any new events, and this appeared.

[Screenshot: FRS event 13516]

After 5 minutes the following entries showed up in Event Viewer.

[Screenshots: FRS events 13560 and 13554]

I changed the registry value back to 0 from 1, and will continue to keep an eye on this for a few days.
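The journal-wrap recovery described above, from the dcdiag check through setting the value back to 0, as one script. This is an added example and not the post's own code; it assumes it is run elevated on the DC that logged the errors (DC1 here), that SYSVOL is still replicated by legacy FRS (the NtFrs service), and that the registry location is the standard NtFrs Parameters key. The 15-minute wait is an arbitrary choice, not a documented timing; the post saw 13516 right after the restart and 13560/13554 about five minutes later.

```powershell
# Added example, not the original post's code. Run elevated on the affected DC.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$name = 'Enable Journal Wrap Automatic Restore'
$log  = 'File Replication Service'

# 1. The manual checks from the post: the FrsEvent test and the service state
dcdiag /test:FrsEvent /v
Get-Service -Name NtFrs
(Get-WmiObject -Class Win32_Service -Filter "Name='NtFrs'").StartMode   # expect Auto

# 2. Only proceed if a journal wrap (event 13568) was actually logged; the
#    automatic-restore value triggers a non-authoritative re-initialisation of
#    SYSVOL on this DC, which is the wrong fix for any other FRS failure.
$wrap = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 13568 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $wrap) { Write-Warning 'No 13568 event found; this is not a journal wrap. Stopping.'; return }
"Last journal wrap logged at $($wrap.TimeCreated)"

# 3. Turn on automatic restore and restart NtFrs so it picks the value up
$start = Get-Date
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
Restart-Service -Name NtFrs

# 4. Wait for 13516 (FRS no longer blocking this DC), which in the post appeared
#    first; 13560 and 13554 followed a few minutes later
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $ok = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 13516; StartTime = $start } -MaxEvents 1 -ErrorAction SilentlyContinue
} until ($ok -or (Get-Date) -gt $deadline)

# 5. Set the value back to 0, as the post does, so a future wrap is not
#    silently answered with another re-initialisation
Set-ItemProperty -Path $key -Name $name -Value 0

if ($ok) {
    "13516 logged at $($ok.TimeCreated); now verify SYSVOL content and re-run dcdiag."
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated | Select-Object TimeCreated, Id, LevelDisplayName
} else {
    Write-Warning 'No 13516 within 15 minutes; read the File Replication Service log by hand.'
}
```

The guard in step 2 is the part worth keeping even if the rest is run by hand: the automatic-restore value makes FRS discard this DC's copy of SYSVOL and pull it again from a partner, so it should only be set when 13568 confirms a journal wrap, and only on the DC whose copy is the one to throw away.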

ActiveSync Remote Wipe caveat

Today I had to remotely wipe a user's phone that was set up against our Exchange 2010 server through ActiveSync. I hadn't done this yet, since we are migrating from BlackBerrys and usually just do a Remote Wipe on the BES server, so I figured I would try it out with ActiveSync and get a documented process and KB article created.

I ran the following commands in the Exchange Management Shell:

Get-ActiveSyncDeviceStatistics -Mailbox bstollfus | fl Identity

Identity: internal.domain.com/Information_Systems/SystemsAdmins/Users/Brad Stollfus/ExchangeActiveSyncDevices/SAMSUNGPHD710SAMSUNGA00000F78349FA

Clear-ActiveSyncDevice -Identity "internal.domain.com/Information_Systems/SystemsAdmins/Users/Brad Stollfus/ExchangeActiveSyncDevices/SAMSUNGPHD710SAMSUNGA00000F78349FA" -NotificationEmailAddress "bstollfus@internal.domain.com"

Initially the wipe didn't work, so I rebooted the phone, which didn't resolve the issue, so I started to look into why. It turns out that, because of the way ActiveSync delivers the remote wipe flag, if the user is disabled in Active Directory the phone is unable to authenticate (obviously), and the remote wipe flag cannot be received by the phone if it cannot authenticate.

Here is an article that goes into the details a little more:
http://msinfluentials.com/blogs/jesper/archive/2010/04/08/don-t-fire-people-until-after-you-wipe-their-phones.aspx
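The ordering problem the post ran into, turned into a script that refuses to issue the wipe while the account cannot authenticate and then waits for the device to acknowledge it. This is an added example, not the post's own commands; it assumes the Exchange 2010 Management Shell on a machine that also has the ActiveDirectory module (RSAT), and the alias and domain are placeholders. The acknowledgement fields (DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime) are the ones Get-ActiveSyncDeviceStatistics reports; the two-hour timeout is an arbitrary choice.

```powershell
# Added example, not the original post's code. Exchange 2010 Management Shell
# plus the ActiveDirectory module; $alias and the domain are placeholders.
Import-Module ActiveDirectory
$alias  = 'bstollfus'
$notify = "$alias@internal.domain.com"

# 1. The caveat from the post: a disabled account can never pull the wipe flag,
#    because the device has to authenticate to ActiveSync to receive it.
#    (Changing the password has the same effect, so leave that alone too.)
$acct = Get-ADUser -Identity $alias -Properties Enabled
if (-not $acct.Enabled) {
    throw "Account $alias is disabled; re-enable it (same password) so the device can authenticate, then wipe, then disable."
}

# 2. Request the wipe for every device partnered with the mailbox and record
#    which ones were asked
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $alias)
if ($devices.Count -eq 0) { throw "No ActiveSync partnerships found for $alias." }
foreach ($dev in $devices) {
    Clear-ActiveSyncDevice -Identity $dev.Identity -NotificationEmailAddress $notify -Confirm:$false
    "Wipe requested for $($dev.DeviceType) $($dev.DeviceID)"
}

# 3. Poll until every device acknowledges. DeviceWipeSentTime only proves the
#    server handed the flag out; DeviceWipeAckTime is the device confirming it.
$deadline = (Get-Date).AddHours(2)
do {
    Start-Sleep -Seconds 60
    $pending = @(Get-ActiveSyncDeviceStatistics -Mailbox $alias |
                 Where-Object { $_.DeviceWipeRequestTime -and -not $_.DeviceWipeAckTime })
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

Get-ActiveSyncDeviceStatistics -Mailbox $alias |
    Format-Table DeviceType, DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime -AutoSize

if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) device(s) have not acknowledged; keep the account enabled and the password unchanged until DeviceWipeAckTime is set."
} else {
    'All devices acknowledged the wipe; the account can now be disabled.'
}
```

The practical rule this encodes is the one in the linked article: wipe first, confirm the acknowledgement, and only then disable the account or reset its password, because both of those cut off the only channel the wipe command travels over.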

Adding Employee Photos to Active Directory

I had our graphics department convert all of our employee photos to 96×96 pixel images under 10 KB so I could import them all into AD. We are looking at adding Lync and SharePoint, so I thought getting everyone's pictures in now would be a good idea.

Here is the Exchange PowerShell command to import one photo:

Import-RecipientDataProperty -Identity "Brad Stollfus" -Picture -FileData ([Byte[]]$(Get-Content -Path "C:\Users\Administrator.INTERNAL\Desktop\Outlook\Brad-Stollfus.jpg" -Encoding Byte -ReadCount 0))

Here is a link with more info:
http://www.techrepublic.com/blog/networking/how-to-manage-employee-photographs-with-active-directory/5740?tag=nl.e102
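The single-user command above scaled to a whole folder, with the two constraints the post mentions (96×96 pixels, under 10 KB) checked before each import. This is an added example, not the post's own code; it assumes the Exchange 2010 Management Shell, a placeholder folder C:\Photos containing files named after each mailbox's display name (for example "Brad Stollfus.jpg"), and, for the final verification step only, the ActiveDirectory module. The 10 KB ceiling is the limit Import-RecipientDataProperty enforces on -Picture data, so checking it up front turns a mid-run failure into a readable skip.

```powershell
# Added example, not the original post's code. Exchange 2010 Management Shell.
Add-Type -AssemblyName System.Drawing
$photoDir = 'C:\Photos'   # placeholder: one "<Display Name>.jpg" per mailbox
$maxBytes = 10KB          # Import-RecipientDataProperty rejects pictures over 10 KB
$imported = @()

foreach ($file in Get-ChildItem -Path $photoDir -Filter *.jpg) {
    # Size check first: it is the cheap one and the one Exchange will enforce anyway
    if ($file.Length -gt $maxBytes) {
        Write-Warning "$($file.Name): $($file.Length) bytes exceeds 10 KB; skipped"
        continue
    }

    # Dimension check: the post's graphics department produced 96x96, and a
    # mismatched size usually means the wrong file ended up in the folder
    $img = [System.Drawing.Image]::FromFile($file.FullName)
    try {
        if ($img.Width -ne 96 -or $img.Height -ne 96) {
            Write-Warning "$($file.Name): $($img.Width)x$($img.Height), expected 96x96; skipped"
            continue
        }
    } finally {
        $img.Dispose()   # release the file handle even when we skip
    }

    $identity = $file.BaseName   # e.g. "Brad Stollfus", matching the post's -Identity
    $bytes    = [System.IO.File]::ReadAllBytes($file.FullName)
    Import-RecipientDataProperty -Identity $identity -Picture -FileData $bytes
    "$identity imported ($($bytes.Length) bytes)"
    $imported += $identity
}
"$($imported.Count) photo(s) imported"

# Verification (needs the ActiveDirectory module): Exchange writes the picture to the
# thumbnailPhoto attribute, so its byte length should match the file that was imported
Get-ADUser -Identity 'bstollfus' -Properties thumbnailPhoto |
    Select-Object Name, @{ n = 'PhotoBytes'; e = { $_.thumbnailPhoto.Length } }
```

Reading the file with [System.IO.File]::ReadAllBytes does the same job as the Get-Content -Encoding Byte -ReadCount 0 construction in the original command, without the byte-array cast; either form is fine, the point is that -FileData needs the raw bytes, not a path.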