We have an issue that recently showed up on our DHCP server. We've noticed that anything with the 3rd octet above 128 does not hand out a DHCP address properly to the device. For example, a scope for 172.17.120.x leases addresses without issue, but when we go to a scope of 172.17.128.x the below image is what we get and the devices don't actually get an address assigned. We've restarted DHCP services, the server itself, reconciled the scope and also tried re-creating the scope with no luck so far. We can see the request go to the server but the server never sends anything back to the device. There is no A/V on the server nor is Windows Firewall turned on. Any insight is greatly appreciated.
DHCP Leased Addresses show an IP in the name field.
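Added example, not part of the original post: when a relayed DHCPDISCOVER gets no OFFER, the first things a practitioner checks are whether any scope's subnet contains the relay address (giaddr) the request arrived with, and whether the scope still has leasable addresses after exclusions. The scope definitions, relay addresses and the 172.17.0.0/17 aggregate below are constructed for illustration; the /17 is included only because its boundary sits exactly between the working .120 and the failing .128 networks, which is one hypothesis worth testing, not a diagnosis.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    name: str
    network: ipaddress.IPv4Network   # scope subnet as configured (address + mask)
    exclusions: tuple = ()           # excluded ranges as (first, last) strings


def select_scope(scopes, giaddr):
    """Return the scope whose subnet contains the relay address, or None.

    A DHCP server answers a relayed DISCOVER only from a scope matching giaddr;
    if nothing matches, the request is silently dropped (no OFFER on the wire).
    When a supernet and a subnet both match, the longest prefix wins.
    """
    addr = ipaddress.IPv4Address(giaddr)
    matches = [s for s in scopes if addr in s.network]
    return max(matches, key=lambda s: s.network.prefixlen, default=None)


def usable_addresses(scope):
    """Count addresses the scope can actually lease once exclusions are removed."""
    hosts = set(scope.network.hosts())
    for first, last in scope.exclusions:
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        hosts -= {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    return len(hosts)


def boundary_report(aggregate, third_octets):
    """Which 172.17.N.0 networks fall inside an aggregate such as 172.17.0.0/17."""
    agg = ipaddress.IPv4Network(aggregate)
    return {n: ipaddress.IPv4Address(f"172.17.{n}.1") in agg for n in third_octets}


# Constructed scopes (assumption, not the poster's configuration).
SCOPES = (
    Scope("VLAN120", ipaddress.IPv4Network("172.17.120.0/24")),
    Scope("VLAN128", ipaddress.IPv4Network("172.17.128.0/24"),
          exclusions=(("172.17.128.1", "172.17.128.100"),)),
)

if __name__ == "__main__":
    for giaddr in ("172.17.120.1", "172.17.128.1", "172.17.129.1"):
        s = select_scope(SCOPES, giaddr)
        print(giaddr, "->", f"{s.name} ({usable_addresses(s)} free)" if s
              else "no matching scope: server stays silent")
    # A /17 drawn at 172.17.0.0 covers .0 through .127 and stops right before .128
    print(boundary_report("172.17.0.0/17", (120, 127, 128, 129)))
```

If a scope matches and has free addresses yet no OFFER is captured leaving the server, the problem is below the scope layer (relay reachability, server binding, or the lease path the poster already ruled firewall and A/V out of).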
The following fatal error was received: 46, event ID 36887
Hi, we see the following error on our Domain controller occurring at 6am on a daily basis.
Log Name: System
Source: Schannel
Date: 4/12/2014 6:00:55 AM
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: IDCDC02.domain.com.au
Description:
The following fatal alert was received: 46.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36887</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-12-03T19:00:55.640033000Z" />
<EventRecordID>7780</EventRecordID>
<Correlation />
<Execution ProcessID="496" ThreadID="1116" />
<Channel>System</Channel>
<Computer>IDCDC02.domain.com.au</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="AlertDesc">46</Data>
</EventData>
</Event>
The server is running Windows Server 2008 R2, Enterprise and is a domain controller.
I have read in previous posts that this is due to an invalid certificate and is more IIS related; this being only a Windows domain controller, we don't have IIS on this machine currently.
Does anyone know what (else) it could be that's causing this?
Is 1F678132-5938-4686-9FDC-C8FF68F15C85 not reference to a Component Service? If so, which one would it be?
SB.
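Added example, not part of the original post. The number in a Schannel 36887 event is the TLS AlertDescription value from RFC 5246 section 7.2: 46 is certificate_unknown, the alert a TLS endpoint sends when it cannot process the certificate it was handed for a reason none of the more specific alerts covers. Event 36887 means the alert was received, so some peer objected to a certificate during a handshake with this DC (a DC accepts TLS for LDAPS, among other services, whether or not IIS is installed); the sibling event 36888 is logged when the DC itself generates and sends the alert. The code below parses the Event XML the poster included (embedded here as a constructed copy) and also decodes a raw alert record from a capture; the alert table is from the RFCs, not from Microsoft documentation.

```python
import xml.etree.ElementTree as ET

# TLS AlertDescription values (RFC 5246 s7.2, with additions from RFC 6066/7301/8446)
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled", 100: "no_renegotiation",
    109: "missing_extension", 110: "unsupported_extension", 112: "unrecognized_name",
    116: "certificate_required", 120: "no_application_protocol",
}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ALERT_EVENTS = {36887: "received from the peer", 36888: "generated and sent to the peer"}


def describe_alert(code):
    return TLS_ALERTS.get(code, f"unassigned({code})")


def parse_event_xml(xml_text):
    """Pull provider, EventID and the EventData name/value pairs out of Windows Event XML."""
    root = ET.fromstring(xml_text.strip())
    return {
        "provider": root.find("e:System/e:Provider", NS).get("Name"),
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "data": {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)},
    }


def explain_schannel_event(event):
    if event["provider"] != "Schannel" or event["event_id"] not in ALERT_EVENTS:
        return "not a Schannel alert event"
    code = int(event["data"]["AlertDesc"])
    return f"TLS alert {code} ({describe_alert(code)}) {ALERT_EVENTS[event['event_id']]}"


def decode_alert_record(record):
    """Decode a plaintext TLS alert record from a capture: returns (level, description).

    Layout: content type 21, 2-byte version, 2-byte length (2), level, description.
    Alerts sent after the handshake are encrypted, so this only works on the
    unencrypted ones seen during a failing handshake.
    """
    if len(record) != 7 or record[0] != 21 or int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("not a 2-byte plaintext TLS alert record")
    level = {1: "warning", 2: "fatal"}.get(record[5], f"level{record[5]}")
    return level, describe_alert(record[6])


# Constructed copy of the event from the post (only the fields the parser needs).
SAMPLE_EVENT = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36887</EventID>
    <Computer>IDCDC02.domain.com.au</Computer>
  </System>
  <EventData><Data Name="AlertDesc">46</Data></EventData>
</Event>
"""

if __name__ == "__main__":
    print(explain_schannel_event(parse_event_xml(SAMPLE_EVENT)))
    # fatal certificate_unknown alert as it would appear on the wire (TLS 1.0 record version)
    print(decode_alert_record(bytes([21, 3, 1, 0, 2, 2, 46])))
```

A daily 06:00 occurrence points at a scheduled job on some client that opens a TLS session to the DC and rejects its certificate; a capture filtered on the DC's TLS ports around that time shows which peer sends the alert.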
_msdcs subdomain best practice with NS records?
I have the _msdcs subfolder under my domain (the grey folder). example below
It has only one DC inside of it as an NS server. This DC is old and no longer exists. I checked my test environment and it has the same scenario (an old DC that does not exist). Example below.
I'm just wondering:
1) Is this normal, should this folder update itself with other servers?
2) Should I be adding one of my other DCs and removing the original?
I have a single forest, single domain setup 2008 functional level. My normal _msdcs Zone does behave as expected and removes and add the appropriate records. Thanks.
DNS cache in the DNS client and in the DNS Server
Hello,
I am studying dns deeper , and ran into a question:
The DNS client has its own cache, as well as the DNS server, so I was wondering where the DNS client looks first for www.unknowdomain.com: in its local cache or in the DNS server's cache?
Thanks in advance!
Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)
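Added example, not part of the original post: a small simulation of the two caches in the question. The stub resolver on the client consults its hosts file and its own cache (positive entries and cached negative answers) before it sends anything to the configured server; the server in turn answers from its own cache before resolving upstream. The zone table, TTLs and the 5-second client negative-cache limit are constructed assumptions; a real server takes its negative TTL from the zone's SOA.

```python
class DnsServer:
    """Caching recursive server. 'authoritative' is a constructed zone table: name -> (ip, ttl)."""
    NEG_TTL = 60   # assumed negative-cache TTL

    def __init__(self, authoritative, clock):
        self.authoritative = authoritative
        self.cache = {}            # name -> (ip or None for NXDOMAIN, expiry)
        self.clock = clock
        self.upstream_queries = 0

    def query(self, name):
        """Return (ip, ttl, source); ip is None for a negative answer."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], hit[1] - now, "server-cache"
        self.upstream_queries += 1            # iterative resolution in the real thing
        rec = self.authoritative.get(name)
        if rec is None:
            self.cache[name] = (None, now + self.NEG_TTL)
            return None, self.NEG_TTL, "authoritative-nxdomain"
        ip, ttl = rec
        self.cache[name] = (ip, now + ttl)
        return ip, ttl, "authoritative"


class DnsClient:
    """Stub resolver: hosts file, then its own cache (positive and negative), then the server."""
    NEG_TTL = 5    # assumed client-side cap on how long a negative answer is kept

    def __init__(self, server, clock, hosts=None):
        self.server = server
        self.clock = clock
        self.hosts = {k.lower(): v for k, v in (hosts or {}).items()}
        self.cache = {}
        self.server_queries = 0

    def resolve(self, name):
        name = name.rstrip(".").lower()       # DNS names are case-insensitive
        if name in self.hosts:
            return self.hosts[name], "hosts"
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], "client-cache"     # served without touching the network
        self.server_queries += 1
        ip, ttl, source = self.server.query(name)
        if ip is None:
            ttl = min(ttl, self.NEG_TTL)
        self.cache[name] = (ip, now + ttl)
        return ip, source


def demo():
    """Walk through the lookup order; returns the (ip, source) of each step."""
    t = [0.0]
    clock = lambda: t[0]                     # fake clock so TTL expiry is deterministic
    server = DnsServer({"www.example.com": ("198.51.100.10", 300)}, clock)
    client = DnsClient(server, clock, hosts={"printer.local": "192.168.0.9"})
    steps = [client.resolve("www.unknowdomain.com"),   # miss everywhere: NXDOMAIN from upstream
             client.resolve("www.unknowdomain.com")]   # client negative cache answers
    t[0] += 10                                          # client entry expired, server's is not
    steps += [client.resolve("www.unknowdomain.com"),  # server cache answers
              client.resolve("www.example.com"),       # positive answer, resolved upstream
              client.resolve("WWW.EXAMPLE.COM."),      # same name, client cache
              client.resolve("printer.local")]         # hosts file wins over everything
    return steps


if __name__ == "__main__":
    for ip, source in demo():
        print(f"{source:24s} {ip}")
```

On Windows the client-side view is `ipconfig /displaydns` and the server-side view is the server's cache node in DNS Manager; the simulation shows why flushing only one of them can leave a stale (or stale-negative) answer in place.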
DirectAccess + OTP
Hello,
I have a question related to DirectAccess and OTP. As far as I understand, when OTP is setup, the One Time Password has to be entered after the user opened his session with his Windows credentials.
My question is about the behaviour of the computer before the user opens his session: Is the computer already connected to the corporate network when a user tries to open his session? I mean the biggest advantage of DirectAccess is to connect seamlessly to the corporate network before the user logs on: that allows dealing easily with password expiration, account lockout, etc. for roaming users.
Thanks for your answers.
Kind regards
David
AD Integrating conditional DNS forwarders stops them working
I have a conditional forwarder set up in Domain A to go to the DNS servers for Domain B. This works fine as standard conditional forwarders, but if I change them to AD integrated they stop working! I then have to remove the conditional forwarders and configure as standard again. If I just remove the check from the 'Store this conditional forwarder in Active Directory and replicate it as follows:' box it doesn't return to working, I need to completely remove the conditional forwarders and recreate from scratch.
Has anyone else seen this and know how to resolve?
DirectAccess - IPHTTPS Tunnel with native IPv6 client
I observed that in a DirectAccess KerbProxy scenario, a Windows 8.1 DirectAccess client with native IPv6 Internet connectivity is still using the IP-HTTPS transition technology for connecting to a Windows 2012R2 DirectAccess server also with native IPv6 Internet connectivity.
Is this normal behavior, even when native IPv6 Internet connectivity is available?
Note 1: the use of the IP-HTTPS transition technology is confirmed with a Wireshark/NetMon trace.
Note 2: see also the related thread http://social.technet.microsoft.com/Forums/en-US/e4bbb30e-161a-4847-918d-ba34934b4877/directaccess-double-dns-registration-issue-with-native-ipv6-client?forum=winserverNIS
Regards,
Stefaan
DNS server event log messages can't load
I'm running a new domain controller with a DNS server on it. The event log entries for "Microsoft-Windows-DNS-Server-Service" all fail to load. I look at the "DNS Events" item in the "Global Logs" section of the DNS server in the DNS Manager tool and every entry there has the generic "cannot be found" message.
How can I repair the event log messages for the Microsoft-Windows-DNS-Server-Service?
Event Type: Information
Event Source: Microsoft-Windows-DNS-Server-Service
Event Category: None
Event ID: 4
Date: 9/21/2014
Time: 15:02:03
User: NT AUTHORITY\SYSTEM
Computer: server.domain.corp
Description:
The description for Event ID ( 4 ) in Source ( Microsoft-Windows-DNS-Server-Service ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component
on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s .
In what order are root hint DNS servers used?
Hey guys, I was wondering how the list of root hints is actually used when the DNS server performs iterative queries.
Since it's a list that seems to be in alphabetical order, does it simply use a.root-servers.net. first until it is unavailable, and then go down the list? That seems unlikely since that one root would receive disproportionate load compared to the others. I am aware that most of the roots use anycasting, so multiple servers are behind each entry.
Maybe it's round-robin?
I suppose I can capture packets and see what is actually going on... I might do that if no one replies!
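Added example, not part of the original post: a simulation of the server-selection strategy BIND-style recursive resolvers use, which is neither "a first until it fails" nor round-robin. Each root server carries a smoothed round-trip time (SRTT); the lowest wins, unused servers' SRTT decays so they are re-tried occasionally, and a timeout adds a penalty that parks a dead server for a long time. The weights, decay factor and penalty are assumptions chosen for the demo; the Windows DNS Server's exact algorithm is not described in the post, and the packet capture the poster suggests is the right way to find out what it really does.

```python
class RootHintSelector:
    """Choose among root servers by smoothed RTT (assumed BIND-style parameters)."""
    ALPHA = 0.3               # weight of the newest measurement
    DECAY = 0.98              # per-query shrink applied to servers that were not used
    TIMEOUT_PENALTY = 2000.0  # ms added when a server does not answer

    def __init__(self, servers):
        self.srtt = {s: 0.0 for s in servers}   # unknown servers start equal
        self.counts = {s: 0 for s in servers}

    def pick(self):
        # lowest SRTT wins; the name tie-break is why a.root-servers.net goes first initially
        best = min(self.srtt, key=lambda s: (self.srtt[s], s))
        self.counts[best] += 1
        return best

    def record(self, server, rtt_ms):
        for s in self.srtt:
            if s == server:
                if rtt_ms is None:
                    self.srtt[s] += self.TIMEOUT_PENALTY
                else:
                    self.srtt[s] = (1 - self.ALPHA) * self.srtt[s] + self.ALPHA * rtt_ms
            else:
                self.srtt[s] *= self.DECAY        # let idle servers earn another try


def simulate(latencies_ms, n_queries, dead=()):
    """Run n_queries iterative lookups against servers with fixed (constructed) latencies."""
    sel = RootHintSelector(latencies_ms)
    for _ in range(n_queries):
        s = sel.pick()
        sel.record(s, None if s in dead else latencies_ms[s])
    return sel.counts


# Constructed latencies; real values depend on which anycast instance you reach.
LATENCY = {"a.root-servers.net": 10.0, "b.root-servers.net": 30.0, "c.root-servers.net": 50.0}

if __name__ == "__main__":
    print("all alive:", simulate(LATENCY, 300))
    print("a is dead:", simulate(LATENCY, 300, dead=("a.root-servers.net",)))
```

The fastest server takes most of the traffic but the others are still probed, and a server that stops answering falls out of rotation after a single timeout rather than being retried on every query.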
Changing the domain name in Windows Server 2008 R2
I have a Windows 2008 R2 server on an isolated, (no internet connectivity), network. The server is providing DHCP and DNS.
The server was delivered to me configured with the domain name set to "testareaisolan". No dot anything as part of the domain name.
It is the only server on this isolated network. There is no Active Directory.
Short name resolution does not work, though "long" name resolution does. In other words, if I ping "t94ups.testareaisolan" I get a response. If I ping just "t94ups" I eventually get "unknown host".
From what I have read, it could be due to the "illegal" domain name.
How do I go about changing the domain name to "testareaisolan.something"? And if I do so, is it likely to fix the short name resolution problem?
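Added example, not part of the original post: the list of fully qualified names a Windows-style stub resolver builds from a short name before it queries DNS. The primary DNS suffix is appended first and then devolved one label at a time (stopping at the devolution level, two labels by default); connection-specific suffixes are appended but never devolved; an explicit search list replaces both. Comparing this list with what `ipconfig /all` reports for the suffixes on the failing host shows whether "t94ups" is ever turned into "t94ups.testareaisolan" at all. The multi-label handling (try as an FQDN first) is a simplification, and the sample suffixes other than the poster's are constructed.

```python
def candidate_names(name, primary_suffix="", connection_suffixes=(), search_list=(),
                    devolution_level=2):
    """Return the FQDNs a stub resolver tries for 'name', in order."""
    name = name.rstrip(".")
    if not name:
        return []
    cands = []
    if "." in name:                               # multi-label names are tried as-is first
        cands.append(name)
    if search_list:                               # an explicit search list disables devolution
        cands += [f"{name}.{s.rstrip('.')}" for s in search_list]
        return cands
    if primary_suffix:
        labels = primary_suffix.rstrip(".").split(".")
        for i in range(len(labels)):
            if i > 0 and len(labels) - i < devolution_level:
                break                             # never devolve below the level
            cands.append(f"{name}.{'.'.join(labels[i:])}")
    for s in connection_suffixes:                 # appended, not devolved
        c = f"{name}.{s.rstrip('.')}"
        if c not in cands:
            cands.append(c)
    return cands


if __name__ == "__main__":
    print(candidate_names("t94ups", primary_suffix="testareaisolan"))
    print(candidate_names("t94ups", primary_suffix="testareaisolan.lab"))
    print(candidate_names("host", primary_suffix="corp.example.com",
                          connection_suffixes=("branch.example.net",)))
```

A single-label suffix yields exactly one candidate, so if that name is not what the resolver is sending (visible in a capture on port 53), the suffix is not being applied on the client at all rather than being rejected by the server.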
Authentication via RADIUS : MSCHAPv2 Error 691
Hello All,
I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request messages are in fact getting to the RADIUS server, at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
Event ID: 6273
******************************************************************************
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: real_username
Account Domain: real_domain
Fully Qualified Account Name: real_domain\real_username
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 10.0.0.10
NAS IPv6 Address: -
NAS Identifier: radius1.real_domain
NAS Port-Type: -
NAS Port: 101451540
RADIUS Client:
Client Friendly Name: sbc1mgmt
Client IP Address: 10.0.0.10
Authentication Details:
Connection Request Policy Name: SBC Authentication
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: RADIUS1.real_domain
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the SQL data store and the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
******************************************************************************
Event ID: 4625
******************************************************************************
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: RADIUS1$
Account Domain: REAL_DOMAIN
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: real_username
Account Domain: REAL_DOMAIN
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Process Information:
Caller Process ID: 0x2cc
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
******************************************************************************
So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure it is not a mismatched password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there were no terminal encoding issues (we connect to the SBC via SSH clients). I have also done the same thing with the shared secret used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
Here are the specs for our RADIUS configuration:
- Windows Server 2012 R2
- SQL Server 2012 Back End Database for accounting.
- The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. That group does have access to the accounts we are testing with.
- The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
- RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
- Connection Request Policy: The "SBC Authentication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
- Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any time, any day.
- The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override the authentication method of the Network Policy.
- We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
- All other configurations are set to the defaults.
The only other thing of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common, especially among failed logons, but given that this issue is stating an invalid username or bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think this should matter but thought I would point it out in case there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this to; I figured there would be a higher number of RADIUS experts here than in any of the other categories. Apologies if my understanding of this seems a bit basic; after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.
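Added example, not part of the original post: a decoder for the two events the poster pasted. The pair Status 0xC000006D / Sub Status 0xC000006A in event 4625 is more specific than the generic "unknown user name or bad password" text: 0xC000006D is STATUS_LOGON_FAILURE and the sub status 0xC000006A is STATUS_WRONG_PASSWORD, which the DC returns only after it has found the account. An unknown account gives 0xC0000064 (STATUS_NO_SUCH_USER) instead. So the account lookup succeeded and it is the MS-CHAPv2 response that did not verify against the stored hash; RFC 2759 folds the user name (as the client sends it) and both challenges into that response, so any disagreement between what the client hashes and what the server hashes produces exactly this result, not an "unknown user". The NTSTATUS and NPS reason tables below are limited to values I am sure of; the event texts are constructed copies of the ones in the post.

```python
import re

# NTSTATUS values (ntstatus.h) seen in the Status / Sub Status fields of event 4625
STATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (bad user name or authentication information)",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION (credentials verified, account restriction applies)",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
SUB_STATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER (account not found)",
    0xC000006A: "STATUS_WRONG_PASSWORD (account found, password proof did not verify)",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# NPS reason codes from event 6273
NPS_REASON = {
    16: "credentials mismatch (user name not found or password incorrect)",
    34: "account disabled", 35: "account expired", 36: "account locked out",
    48: "no network policy matched", 49: "no connection request policy matched",
    65: "dial-in Network Access Permission is Deny",
    66: "authentication method not enabled on the matching network policy",
}


def parse_4625(text):
    """Extract Status, Sub Status and Logon Process from the text of a 4625 event."""
    status = re.search(r"(?<!Sub )Status:\s*(0x[0-9A-Fa-f]{8})", text).group(1)
    sub = re.search(r"Sub Status:\s*(0x[0-9A-Fa-f]{8})", text).group(1)
    proc = re.search(r"Logon Process:\s*(\S+)", text).group(1)
    return {"status": int(status, 16), "sub_status": int(sub, 16), "logon_process": proc}


def parse_6273(text):
    """Extract reason code, authentication type and network policy from a 6273 event."""
    return {
        "reason": int(re.search(r"Reason Code:\s*(\d+)", text).group(1)),
        "auth_type": re.search(r"Authentication Type:\s*(\S+)", text).group(1),
        "network_policy": re.search(r"Network Policy Name:\s*(\S+)", text).group(1),
    }


def diagnose(e4625, e6273):
    """Turn the two events into the statements a responder actually needs."""
    st, sub, r = e4625["status"], e4625["sub_status"], e6273["reason"]
    out = [f"4625 status {st:#010x}: {STATUS.get(st, 'not in table')}",
           f"4625 sub status {sub:#010x}: {SUB_STATUS.get(sub, 'not in table')}",
           f"6273 reason {r} ({e6273['auth_type']}): {NPS_REASON.get(r, 'not in table')}"]
    if sub == 0xC000006A:
        out.append("account exists: the password proof, not the user name, failed")
    elif sub == 0xC0000064:
        out.append("account not found under the name the NAS sent")
    if e6273["network_policy"] == "-":
        # assumption about NPS ordering: authentication runs before network policy evaluation
        out.append("no network policy recorded: rejected during authentication, before policy matching")
    return out


SAMPLE_4625 = """An account failed to log on.
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: real_username
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
"""
SAMPLE_6273 = """Network Policy Server denied access to a user.
Connection Request Policy Name: SBC Authentication
Network Policy Name: -
Authentication Type: MS-CHAPv2
Reason Code: 16
"""

if __name__ == "__main__":
    for line in diagnose(parse_4625(SAMPLE_4625), parse_6273(SAMPLE_6273)):
        print(line)
```

MS-CHAP error 691 on the wire is the NAS-facing rendering of the same rejection, so the place to look next is not the account but the inputs to the response: the exact User-Name string the SBC puts in the Access-Request versus what NPS passes to the DC, and whether the SBC is really doing MS-CHAPv2 rather than CHAP or PAP with an MS-CHAPv2 label.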
NPS/Radius Installation - Windows 2012
When installing NPS/Radius, is installing AD directory services required?
When looking at the how-to blogs or sites, I can see that directory services was installed as I review the screenshots. Is this just a by-product of using a single server in a lab environment where the posters already have AD installed?
Basically, is AD directory services required to be on the same server for NPS/Radius to be installed?
Thanks
Ron
why connect two dhcp servers with different IP addresses?
So for an assignment at college we had to configure a router connected to two switches which both had a server connected to them.
The computers were connected via DHCP to either server; however, each side had a different IP. We have now been asked to justify why two servers were used with different IPs, for which I cannot quite produce a business-oriented answer.
I can understand connecting two DHCP servers on the same IP to increase fault tolerance, but I do not understand using two separate IP addresses.
How can i determine my public ip port?
My ISP is running NAT and DHCP service, so it dynamically assigns IPs to clients and gives one public IP to thousands of users on the internet. So I have to turn on the NAT service in my router so it translates my 192.168.x.x to a public IP given to me by my ISP, which is given to many, many clients at the same time, but their ports are different for sure, because when I want to open a website the ISP server forwards my packet with source and port to the destination IP address (port 80, for example) and sends the reply from the web server back to my ISP, which then forwards it to me. Now what?!!!
How can I determine the public IP port assigned to me dynamically by the ISP DHCP server? And if I find out, can I do port forwarding on my router for the port number of my public IP that I know temporarily (because it changes by DHCP), and can I connect to it by Remote Desktop using the port number of my IP?
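Added example, not part of the original post. Two checks and a small model answer the question. First, whether you are behind the ISP's NAT at all: if the address on the router's WAN interface is in 100.64.0.0/10 (the shared address space RFC 6598 reserves for carrier-grade NAT) or in an RFC 1918 range, or simply differs from the address a site on the Internet sees you as, there is a second NAT in the path. Second, what the ISP's NAT does with ports: it allocates a public source port per outbound flow, not per subscriber, so there is no port that is "yours" to forward to. The toy translation table below shows why an unsolicited inbound Remote Desktop connection is dropped at the carrier NAT before it can ever reach a port-forward rule on the home router. All addresses are constructed.

```python
import ipaddress

SHARED_CGNAT = ipaddress.IPv4Network("100.64.0.0/10")            # RFC 6598
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wan_address_kind(addr):
    """Classify the address a router holds on its WAN side."""
    a = ipaddress.IPv4Address(addr)
    if a in SHARED_CGNAT:
        return "cgnat-shared"
    if any(a in n for n in RFC1918):
        return "private"
    return "public"


def behind_carrier_nat(router_wan_ip, observed_public_ip):
    """True when the router's WAN address is not the address the Internet sees."""
    return (wan_address_kind(router_wan_ip) != "public"
            or ipaddress.IPv4Address(router_wan_ip) != ipaddress.IPv4Address(observed_public_ip))


class CarrierNat:
    """Toy port-address translation: one public IP shared by many subscribers.

    Each outbound flow gets its own public source port; mappings exist only for
    flows a subscriber opened, so nothing is assigned to a subscriber to forward.
    """

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.reverse = {}  # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port, dst_ip, dst_port):
        key = (inside_ip, inside_port, dst_ip, dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, dst_ip, dst_port)] = (inside_ip, inside_port)
            self.next_port += 1
        return self.public_ip, self.table[key]

    def inbound(self, src_ip, src_port, public_port):
        """Deliver a packet arriving at public_ip:public_port, or None if it has no mapping."""
        return self.reverse.get((public_port, src_ip, src_port))


if __name__ == "__main__":
    nat = CarrierNat("203.0.113.5")
    print(nat.outbound("100.64.1.10", 40000, "198.51.100.80", 80))   # subscriber 1 -> web
    print(nat.outbound("100.64.7.3", 40000, "198.51.100.80", 80))    # subscriber 2, same site
    print(nat.inbound("198.51.100.80", 80, 1024))                    # reply flows back
    print(nat.inbound("198.51.100.7", 50000, 3389))                  # unsolicited RDP: dropped
    print(wan_address_kind("100.64.1.10"), behind_carrier_nat("100.64.1.10", "203.0.113.5"))
```

With carrier NAT in the path, inbound Remote Desktop needs something that originates the connection from the inside (a VPN or relay to a host with a real public address, or an IPv6 address if the ISP provides one); forwarding on the home router alone cannot work.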
Change order of IPv6 and IPv4 in Windows Server 2012 R2
Hi,
I would like to know if it is still supported to change the preference to IPv4 (first) and IPv6 (second) in Windows Server 2012 R2. It seems like this was supported in Server 2008 R2, but not anymore in Server 2012 R2. I would like to have confirmation about this.
Also, if it still is supported, is it the same registry key as in Server 2008 R2 or something different ?
Thanks,
Rochen
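Added example, not part of the original post. Windows orders destination addresses with the RFC 6724 prefix policy table; the "prefer IPv4" switch works by raising the precedence of the IPv4-mapped prefix ::ffff:0:0/96 above the catch-all ::/0, and the documented way to set it is the 0x20 bit (decimal 32) of the DisabledComponents value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters. The code below applies RFC 6724 rule 6 (prefer higher precedence) with the default table and with the modified one, and decodes a DisabledComponents value. The precedence value 100 used for the modified table is an assumption for the demo, not the number Windows uses internally; the other rules of RFC 6724 (scope, matching labels, longest prefix) are omitted because they need source-address information.

```python
import ipaddress

# RFC 6724 default policy table: (prefix, precedence, label)
DEFAULT_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4), ("2002::/16", 30, 2),
    ("2001::/32", 5, 5), ("fc00::/7", 3, 13), ("::/96", 1, 3), ("fec0::/10", 1, 11),
]

# DisabledComponents bits (Tcpip6\Parameters); only the ones I am sure of
DISABLED_COMPONENTS_BITS = {
    0x01: "disable IPv6 on all tunnel interfaces",
    0x10: "disable IPv6 on all non-tunnel interfaces",
    0x20: "prefer IPv4 over IPv6 in prefix policies",
}


def as_ipv6(addr):
    """Represent an IPv4 address as IPv4-mapped IPv6 so one table covers both families."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{a}") if a.version == 4 else a


def lookup(policy, addr):
    """Longest-prefix match of an address against the policy table: (precedence, label)."""
    v6 = as_ipv6(addr)
    best = None
    for prefix, prec, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if v6 in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def sort_destinations(addrs, policy=DEFAULT_POLICY):
    """RFC 6724 rule 6 only: higher precedence first (stable for equal precedence)."""
    return sorted(addrs, key=lambda a: -lookup(policy, a)[0])


def prefer_ipv4(policy=DEFAULT_POLICY, precedence=100):
    """Policy table with ::ffff:0:0/96 raised above ::/0 (assumed precedence value)."""
    return [(p, precedence if p == "::ffff:0:0/96" else prec, lbl) for p, prec, lbl in policy]


def decode_disabled_components(value):
    return [desc for bit, desc in sorted(DISABLED_COMPONENTS_BITS.items()) if value & bit]


if __name__ == "__main__":
    # constructed answers for one host name: an IPv6 and an IPv4 address
    answers = ["2001:db8::1", "192.0.2.1"]
    print("default:     ", sort_destinations(answers))
    print("prefer IPv4: ", sort_destinations(answers, prefer_ipv4()))
    print(decode_disabled_components(0x20))
```

`netsh interface ipv6 show prefixpolicies` prints the live table, so the effect of the registry value can be confirmed after the reboot it requires.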
DirectAccess client enables IPHTTPS interface when inside corporate network at remote sites
My problem is when the same DA client connects at one of the remote offices. When at a remote office the IPHTTPS interface is active. The NRPT is not. No tunnel is actually established, but I find Event 4012 and NCSI event logs showing that the Inside/Outside probe failed. This in and of itself would not be a big deal as the tunnel is never established; however, it does seem to cause Outlook to prompt for a password. I know this has something to do with our OWA site being resolvable inside the network, but I'm at a loss as to why this only happens when the IPHTTPS interface is active with no tunnel established.
The NLS site appears to be working from the remote offices. I can ping NLS via DNS name and can open the https NLS website in a browser.
Anyone have any ideas as to why this would be happening?
RRAS Not Assigning Connection-specific DNS Suffix
Hello,
I have set up Server 2012 with the roles Primary DC, RRAS, DHCP and DNS. SSTP has been configured as the type of VPN.
My server is on the 10.0.0.0/24 network. Under IPv4 Address Assignment a static pool has been configured in the 10.0.98.0/24 range, instead of default "use DHCP"
Enable broadcast name resolution is ticked.
The LAN adapter has been selected to be used to for DHCP, DNS, and WINS addresses for dial-up clients. The LAN adapter has got the ip address of 10.0.0.231, DNS 10.0.0.231.
When a client VPNs into the server it correctly gets an address on the 10.0.98.0/24 range. Pinging works fine but DNS resolution does not. Only if the 'Connection Specific DNS Suffix' is manually configured in the VPN properties on the client does DNS work.
DHCP relay agent has been configured to point to 10.0.0.231 (IP address of the DHCP server).
There is no scope configured for the 10.0.98.0/24 range on the DHCP server, but under 'Server Options' in the DHCP console, option 015 DNS Domain Name has been configured appropriately.
Any clues as to what is causing my clients to not receive a Connection Specific DNS suffix?
Thanks in advance.
Peter
nslookup timeout
hi there
I have an SBS Windows Server 2011 with 10 workstations (Windows 7).
On the server WINS, DHCP and DNS are running.
DNS1 points to the local server.
DNS2 points to the router / provider.
If I do an nslookup for, for example, www.telecom.de,
all workstations are able to resolve the domain name to the IP address.
That then looks like this:
Server: server1.rayit.local
Address: 192.168.0.5 (local server)
Non-authoritative answer:
Name: www.telecom.de
Address: 46.29.100.77
If I do the same nslookup on the server, the WAN IP of the domains cannot be resolved,
even though the DNS1 and DNS2 configuration is the same as it is on the workstations.
It then says:
Server: server1.rayit.local
Address: 192.168.0.5 (local server)
DNS request timed out. timeout was 2 seconds.
*** Request to Server1.rayit.local timed-out
i just dont understand that
thanks for any ideas
Raymond, Switzerland
raymond reininger
802.1x random failures
I am in the process of implementing machine-based 802.1x at my company. I have 2 RADIUS servers and 1 CA. The machines get their certificates via group policy. The group policy is working fine and everyone who is supposed to have a certificate has been issued one. I wait until they get their certificates, then enter the commands for 802.1x on their port. I have about 50 machines that are working as they should, but I have three random machines that will not communicate whenever I flip the port on the switch. The three machines have valid certificates and have full connectivity to the two RADIUS servers and the CA. I do not believe it is a switch problem, because I have other machines connected to this switch that are authenticating properly. Also, I have tried the 802.1x hotfix on these machines with no luck. I am wondering if there is anything on the clients that could be keeping them from authenticating. All of my clients are Windows 7 SP1 64-bit. Any suggestions would be appreciated!
RRAS and 2 public IP addresses
Hi,
we have a 2008 server with 2 public ip addresses. We want to use RRAS with SSTP protocol with one of the public ip addresses. So, port 443 is in use with one public ip address.
We want to use the other public ip address also with port 443 for a special web server.
But the RRAS takes all of the public ip addresses automatically. How can we limit RRAS to only one?
Regards,
Hans-Peter