Channel: Network Infrastructure Servers forum

WINS - Event 4337 - Cannot initialize security for readonly operations


Hello,

With every start of the WINS service I see error ID 4337 logged, including this description:

The WINS Server could not initialize security to allow the read-only operations.

The server is running 2012 R2, but I saw this error before when we had 2008 R2.

Some users recommended creating a WINS Users security group, but it did not help me. I tried reinstalling WINS and deleting %windir%\system32\wins. I also tried giving Everyone full permissions on this folder.

Any ideas how to fix this error?


Win Server 2008 R2 setup problems

I have recently upgraded our office network with a Windows server and switched from a workgroup-based LAN to a domain; however, I have run into a few issues that I still can't overcome:
1. The shared drive on the server, and the server itself, are not visible on the network after I switched routers. I have a working network at work, and after testing with a spare router (the drive was available for mapping and the server was visible on the test network) I connected the server to the router and it is not visible to other computers.
2. Routing the internet connection through the server. I have two NICs, one set up with the static IP provided by our ISP and a 2nd NIC for the LAN connection. I installed the RRAS service and set it up the best I could, but it is not routing, i.e. apart from the server no other computers on the LAN have internet access; currently I share the internet through the router, which has 14 switch ports and 2 WAN ports.

Any ideas how I can fix the 2 issues?
Thanks.

Network discovery for different IP network segments (Class A and Class C)


Hello Microsoft IT colleagues

Please, I would appreciate if someone can give me a suggestion about the following problem:

I have a Windows Server 2008 R2 server. That server is a virtual server and has a Class A IP address (10.129.32.x); its default gateway also has a Class A address (10.129.32.1).

The local area network where the PCs run belongs to Class C (192.168.144.x), those PCs should be able to recognize the virtual Windows 2008 R2 server through the windows network discovery process, but they are not seeing it.

I started up following services on the Windows 2008 R2 server:

“DNS Client”, "Computer Browser", "SSDP Discovery", "UPnP Device Host", "Function Discovery Resource Publication", "Function Discovery Provider Host" and "Link-Layer Topology Mapper". I also set network discovery to “turned on” in the Network and Sharing Center.

Despite those services being started, the PCs on my LAN still don’t recognize the virtual Windows 2008 R2 server through network discovery.

Network discovery works fine for the Class C servers (those that belong to the “192.168.144.x” segment) once the services I mentioned above were started. All LAN PCs see them on the network.

There is no routing enabled between network Class A and Class C networks as both belong to the same “trusted” zone.

What can I do please to enable network discovery for the virtual Windows 2008 R2 server that has Class A IP address?

Thanks for any suggestion or tip.

Mauricio

Re-direct network authentication to an alternate domain controller


Hi there,

What would be the most efficient way to re-direct network logins from a small site from their current domain controller to another domain controller in separate geographical location?

The DC at the small site is running Windows Server 2003 and I'd like to re-point the User logins to a Windows Server 2008 R2 Domain controller in a different location with the intention of demoting the 2003 box to just a file/print server.

Because of the distinct differences between the OSes and the varied articles out there explaining different ways to go about it, what would be the Microsoft-preferred way to carry this out?

Cheers,

SB.

Bad CNAME


Hi,

I have several GC/DNS servers, each in their own location/AD Site. They all replicate AD and DNS records with one another. I am having an issue with one particular CNAME record. When I create the record it will replicate and resolve correctly for a short time, but after a while none of the DNS servers can resolve the name via ping. nslookup shows only the name of the record and not the alias or address. And the alias is actually the name. For instance, I create a CNAME mysite.gslb.me.com with the alias mysite.me.com. When I ping mysite.me.com I cannot resolve it. And nslookup mysite.me.com will only show a name of mysite.me.com and nothing else. This only happens with this particular CNAME. I have many others that I have never had a problem with.

Thanks in advance

Windows Server 2012 R2 Standard Edition, Physical Server

Connection to my Windows Server 2012 R2 keeps dropping in my physical network.  Everything used to work well until last week.  Over the weekend this problem arose and is continuing.  How can I solve the issue?

Doctor Dac

Direct Access on Windows Server 2012 R2 has DNS problems


Hi,

I'm trying to set up DirectAccess on a Windows Server 2012 R2 Standard server. The installation goes OK, but the operational status of the DNS is not OK.

Error message: None of the enterprise DNS servers DC2,DC1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.

Some info:

* Our DCs are Windows Server 2008 R2.

* We use a third party certificate to the domain da.company.com.

* The DNS servers are online and responding. I can ping them from the DA server, and I can do an nslookup from the DA server.

* Server is updated with the latest windows Updates.

* The infrastructure is IPv4 only, i.e. I have not implemented IPv6.

I have googled for hours and hours and I have not found anything that could help.

Any help is much appreciated!



NPS Authentication Methods - EAP Types

We are moving from IAS to NPS and are configuring the policy like it was in IAS.  When we click on the Constraints tab > Authentication Methods > and then highlight Microsoft: Protected EAP (PEAP) and click Edit we get an error "The data is invalid".  How do we fix this error?  There are no errors in the event viewer for NPS.

Windows Server 2012 Private IP


Hello,

Basic question here. I am setting up a new domain server and want to configure the IP to 10.1.10.2 and have the Verizon router at 10.1.10.1. Will I need to contact Verizon support for this, or can I log in to the router and change the settings? Also, do I need to turn off DHCP? Thanks!

Abe

Direct Access Getting started wizard errors


I am trying to get Direct Access setup but I am getting an error. There was no match for the specified key in the index.

We are using the Behind an edge device (with two network adapters) configuration.

Everything looks to be setup correctly but I can't seem to find the answer to this error.

Any help here would be great.


Sharepoint Guy

Radius server authentication


I am having trouble with my RADIUS server. I cannot seem to find an article that deals with this issue on the internet, so here goes. I am currently getting an event ID of 6274 with reason code 2: There are not sufficient access rights to process the request. Can someone point me in the right direction?

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/13/2015 2:16:37 PM
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MSFC-Server5.SLTMAS.ET30.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: SLTMAS\SLTMAS
Account Name: sltmas
Account Domain:SLTMAS
Fully Qualified Account Name:SLTMAS\sltmas

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:20-4e-7f-7b-f9-43
Calling Station Identifier:74:d0:2b:12:77:93

NAS:
NAS IPv4 Address:192.168.1.42
NAS IPv6 Address:-
NAS Identifier:20-4e-7f-7b-f9-41
NAS Port-Type:Ethernet
NAS Port: 3

RADIUS Client:
Client Friendly Name:testswitch
Client IP Address:192.168.1.79

Authentication Details:
Connection Request Policy Name:Secure Wired (Ethernet) Connections
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:MSFC-Server5.SLTMAS.ET30.com
Authentication Type:EAP
EAP Type: -
Account Session Identifier:-
Reason Code: 2
Reason: There are not sufficient access rights to process the request.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6274</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-13T20:16:37.941687000Z" />
    <EventRecordID>373396</EventRecordID>
    <Correlation />
    <Execution ProcessID="640" ThreadID="8520" />
    <Channel>Security</Channel>
    <Computer>MSFC-Server5.SLTMAS.ET30.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3664835645-39314575-1963916244-1103</Data>
    <Data Name="SubjectUserName">sltmas</Data>
    <Data Name="SubjectDomainName">SLTMAS</Data>
    <Data Name="FullyQualifiedSubjectUserName">SLTMAS\sltmas</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">20-4e-7f-7b-f9-43</Data>
    <Data Name="CallingStationID">74:d0:2b:12:77:93</Data>
    <Data Name="NASIPv4Address">192.168.1.42</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">20-4e-7f-7b-f9-41</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort">3</Data>
    <Data Name="ClientName">testswitch</Data>
    <Data Name="ClientIPAddress">192.168.1.79</Data>
    <Data Name="ProxyPolicyName">Secure Wired (Ethernet) Connections</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MSFC-Server5.SLTMAS.ET30.com</Data>
    <Data Name="AuthenticationType">EAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">2</Data>
    <Data Name="Reason">There are not sufficient access rights to process the request.</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Microsoft-Windows-EapHost
Date:          1/13/2015 1:50:09 PM
Event ID:      1006
Task Category: Authenticator
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      MSFC-Server5.SLTMAS.ET30.com
Description:
Negotiation failed. Requested EAP methods not available
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-EapHost" Guid="{6EB8DB94-FE96-443F-A366-5FE0CEE7FB1C}" />
    <EventID>1006</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-13T19:50:09.219296600Z" />
    <EventRecordID>418473</EventRecordID>
    <Correlation />
    <Execution ProcessID="412" ThreadID="8984" />
    <Channel>Application</Channel>
    <Computer>MSFC-Server5.SLTMAS.ET30.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
  </EventData>
</Event>

Reservations overwritten


We have three Windows Server 2012r2 servers which act as a fail-over partner for each other (1 to 1 trust relationship).

This means that the European server acts as a fail-over partner for the US and Asia, while the US acts as a fail-over partner for Europe. The Asian server does not act as a fail-over partner, as the trust relationship is one to one per configured scope. This configuration works fine, as leases are replicated between both partners. However, we saw that scope configuration changes are not replicated between the partners unless you initialize a manual replication. We were expecting that the scopes would merge between the partners; however, this does not seem to be the case. Yesterday I made several changes to multiple scopes on the European DHCP server. Instead of replicating them one by one, I chose the "Replicate Scopes" option on the IPv4 level. Today it was reported that many of the configured reservations in the US were gone. The only reasonable explanation is that scopes do not merge, but are effectively overwritten with the settings configured in the replication source (the server from where you initiate the replication).

Answers provided come from personal experience and come with no warranty of success. I, as everybody else, do make mistakes.

file share, network mapped drives

Simple network. One server and two clients. For a year the network was great. File shares operated perfectly. Last Tuesday Windows automatically downloaded and installed security updates and the network connectivity went down. I have discovered that if the firewalls are turned off the mapped drives will connect. When the firewalls are turned back on the mapped drives drop and communication goes bye-bye. I have tried so many things: adding new rules, opening ports, and still the network will fail when the firewalls are turned back on. If anyone has any suggestions, I need help. The OS on the server is Windows Server 2008; the clients are running Windows 7 Professional. The only other software on the PCs is AVG Business Security Edition. Any suggestions are appreciated. Thank you.

Firewall Rules and Config for Direct Access Server Implementation


Hi There,

I'm looking to deploy DA with Server 2012 R2 and Win 7 clients. I want to use 6to4, Teredo and IP-HTTPS, but I'm a little confused about the firewall config required. Our firewall is administered by a third party, so I need to submit a set of rules for DA functionality.

The firewall admins have created a DMZ for me with two consecutive public IP addresses; I'll plug the external interface of the DA server into that. The other interface of the DA server will be connected to a switch on the internal network, which is itself connected to the internal interface of the same firewall. With this config it makes a domain-joined machine contactable from the internet, which I really don't like, but I guess there is no way round this, is there?

With this config is this what my firewall rules should look like?

Protocol   Source              Destination         Port
6to4       Internet            External NIC of DA  41 (destination)
6to4       External NIC of DA  Internet            41 (destination)

Teredo     Internet            External NIC of DA  3544 (destination)
Teredo     External NIC of DA  Internet            3544 (source)

IP-HTTPS   Internet            External NIC of DA  443 (destination)
IP-HTTPS   External NIC of DA  Internal            443 (source)

Also, when publishing the external DNS host name do I use just the first public IP address only?


Routing for NAT and site-to-site VPN with RRAS


I'm trying to set up a split-tunnel site-to-site VPN using an RRAS server that is currently doing NAT. Right now, the NAT works: all clients are assigned an IP address in the 192.168.2.0/24 range, and they are able to access the internet through the RRAS server.

I want to add a split-tunnel VPN so that all packets destined for 192.168.1.0/24 are routed through a VPN connection running on the RRAS server, while continuing to route other packets directly to the internet. I thought I could do this by setting up a static route with the VPN connection as the interface, 192.168.1.0 as the destination, and 255.255.255.0 as the mask, but it doesn't work.

The RRAS server is able to ping computers on the 192.168.1.0 subnet perfectly well, but none of the other computers on the 192.168.2.0 subnet can.

Is this the right static route to add?

I think I could do this with 2 VMs, one doing the NAT and one doing the site-to-site VPN, but I'd rather do it without VMs if possible.


DHCP denying to lease IP


Hi Experts,

I have done a MAC binding for MAC address AA3F920B9BF0 with 10.88.69.62 in our DHCP. But when this MAC address requests an address through the DORA process, it does not get the bound IP.

In the DHCP server log I found this entry for the MAC:

15,02/04/15,09:34:13,NACK,10.88.68.177,,AA3F920B9BF0,,0,6,,,

1. Could you please let me know what every word and number indicates here (e.g. 0, 6)?
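The line quoted in this post is a record from the Windows DHCP server audit log (DhcpSrvLog-*.log). As an added example, not from the post or from Microsoft, the parser below splits such lines by the column order the DHCP service writes in each log file's header, decodes the ID and QResult columns using the legend from that same header, and checks whether a reserved MAC ever actually received its reservation. Every sample line except the quoted NACK line is constructed; the hostname and the second MAC are made up.

```python
import csv

# Column order of the Windows DHCP server audit log (DhcpSrvLog-*.log): this is
# the header line the DHCP service writes at the top of every log file.
FIELDS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name",
          "MAC Address", "User Name", "TransactionID", "QResult",
          "Probationtime", "CorrelationID", "Dhcid"]

# Meaning of the ID column, from the legend in that same header (subset).
EVENT_IDS = {
    0: "The log was started.",
    10: "A new IP address was leased to a client.",
    11: "A lease was renewed by a client.",
    12: "A lease was released by a client.",
    14: "A lease request could not be satisfied (address pool exhausted).",
    15: "A lease was denied.",
}

# Meaning of the QResult column (NAP quarantine result), also from the header.
QRESULT = {0: "NoQuarantine", 1: "Quarantine", 2: "Drop Packet",
           3: "Probation", 6: "No Quarantine Information"}


def _norm_mac(mac):
    """Strip separators and upper-case so 'aa:3f:..' matches 'AA3F..'."""
    return mac.replace("-", "").replace(":", "").upper()


def parse_line(line):
    """Return a dict for one data line, or None for header/legend/blank lines."""
    values = next(csv.reader([line.strip()]), [])
    # Legend lines such as "15<TAB>A lease was denied." have no commas, so
    # requiring several fields and a numeric first field skips them.
    if len(values) < 4 or not values[0].isdigit():
        return None
    values += [""] * (len(FIELDS) - len(values))          # pad short lines
    rec = dict(zip(FIELDS, values))
    rec["ID"] = int(rec["ID"])                            # "00" -> 0, "15" -> 15
    rec["Event"] = EVENT_IDS.get(rec["ID"], "unknown event ID")
    rec["QResult"] = int(rec["QResult"]) if rec["QResult"] else None
    rec["Quarantine"] = QRESULT.get(rec["QResult"], "unknown")
    rec["MAC Address"] = _norm_mac(rec["MAC Address"])
    return rec


def parse_log(text):
    """Parse every data line of an audit log, in order."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def reservation_status(text, mac, reserved_ip):
    """Times at which `mac` was leased `reserved_ip`, and any NACKs it received."""
    mac = _norm_mac(mac)
    got_reserved, nacked = [], []
    for rec in parse_log(text):
        if rec["MAC Address"] != mac:
            continue
        if rec["ID"] in (10, 11) and rec["IP Address"] == reserved_ip:
            got_reserved.append(rec["Time"])
        elif rec["ID"] == 15:
            # On a NACK line the IP Address column holds the address the client
            # asked for, which is why it can differ from the reservation.
            nacked.append((rec["Time"], rec["IP Address"]))
    return {"leased_reserved_ip": got_reserved, "nacked": nacked}


# Constructed sample log: only the NACK line is the one quoted in the post.
SAMPLE_LOG = """\
Event ID  Meaning
15\tA lease was denied.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid
00,02/04/15,09:00:01,Started,,,,,0,6,,,
10,02/04/15,09:31:05,Assign,10.88.68.40,pc-lab-01.example.test,001122334455,,3210,0,,,
15,02/04/15,09:34:13,NACK,10.88.68.177,,AA3F920B9BF0,,0,6,,,
11,02/04/15,09:35:40,Renew,10.88.68.40,pc-lab-01.example.test,001122334455,,3211,0,,,
"""

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r["ID"], r["Description"], r["MAC Address"], r["IP Address"],
              "->", r["Event"], "/", r["Quarantine"])
    print(reservation_status(SAMPLE_LOG, "AA-3F-92-0B-9B-F0", "10.88.69.62"))
```

For the quoted line this yields ID 15 (lease denied), description NACK, requested address 10.88.68.177, MAC AA3F920B9BF0, TransactionID 0 and QResult 6 (no quarantine information), and the reservation check reports that the MAC was never leased 10.88.69.62 in the sample.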

NPS on DC recommended?


We currently have 2 NPS servers on their own Windows 2008 R2 VMs in a cluster that are not domain controllers.

Moving forward we want to get rid of the current NPS servers because for Windows clustering to work we had to use Raw Device Mappings (RDMs), and it's caused nothing but issues.

I'm planning to build brand new 2012 servers with NPS, but should I promote these to DCs once we migrate our existing PDC and other DCs to 2012? Or is it best to have the NPS role on their own servers without them being domain replicas?

We have about 500 wireless access points talking to the existing NPS servers with roughly 7500 users in total.

Direct Access and Offline Files Slow Link Detection Issue


Hi All,

Thank you in advance for any responses, we would appreciate any assistance!  In any case, here is the issue we are experiencing.  We have DirectAccess setup and working using ForeFront UAG without any issues.  On all of our laptop clients we have folder redirection (and thus offline files setup).  Our problem is as follows.  BEFORE we had direct access if a user was off the network, they simply worked with their offline files cache and synced when they came back into the office or logged into the VPN.  This was great because the performance for accessing their redirected My Documents was great when they were in the office and great when they were out of the office.  Unfortunately, with DirectAccess, whenever you are online, you are on the VPN and thus their laptops are trying to use the redirected My Documents location on the server and NOT the locally cached copy.  Performance is fairly terrible when they do this, causing lengthy wait times to save a file or 'not responding' applications while it is saving.

To try to 'get around' this issue and force clients to use the offline cache whenever they are not in the main office or any of the branch offices, we have been experimenting with the 'Configure slow-link mode' GPO. However, this policy isn't exactly the resolution we were hoping for. We have tried setting it to a variety of options but none seem to work (it is currently set to Value Name = "*" Value = "Throughput=11534336, Latency=20"). The problem this policy seems to create is that while what we currently have set DOES appear to mostly keep the machine in "offline" mode while you are on the guest network, if you connect to the corporate wireless network and do a largish (200MB or so) file copy in My Documents, this causes you to get pushed back "offline" despite being on the corporate wireless network. Even further, once the transfer is finished, even though it is supposed to check every 1 minute to see if it is in slow-link mode, it sometimes takes 30-35 minutes after it was moved to "offline" mode to determine that it is "online".

So, is there a way that we can set a GPO to make the laptop client determine if it is working with its My Documents offline or online based on something that is more "consistent" than throughput or latency, like say what IP address it has or which subnet it is in? Basically we just want it to be like this: if you are in the corporate office or any of the branch offices (wired connection OR wireless connection) you are working in "online" mode with the redirected My Documents. If you are outside the corporate office and using DirectAccess, you are operating in "offline" mode. Is this possible?

Please let me know if you require any additional information/details/clarification and I would be happy to provide it!  Thanks!

DirectAccess reconnection problems when Internet connection changes


Hey there,

A customer who is using DirectAccess with Windows 8.1 contacted me recently reporting that for his clients a reconnect via DirectAccess takes too long if the internet connection gets interrupted by switching to another connection method (e.g. from WLAN to WWAN).  It seems to happen very sporadically and not on every client.

Has anyone of you experienced that problem, too?

I asked for the troubleshooting assistant logs and took a look at them. It seems that the IPHTTPSInterface recovers very fast from the disruption. I figured that out because the PING test to the DA server’s IPHTTPSInterface worked, as the log stated. Resolution of the DNS names of the target resources we configured the assistant to check also worked, but traffic that needs to be protected by IPsec doesn't work (e.g. the HTTP test).

This led me to the assumption that the IPsec re-negotiation hasn’t taken place at that point in time. Unfortunately I haven't yet had the chance to jump onto a client and have a look at the time the problem arises.

I am not sure if the idle timeout for existing IPsec SAs plays a role here, although DA usually forces a drop of the SAs once it reconnects. Maybe in this case it doesn’t?

I am aware that the minimum idle timeout for an IPSec connection before it gets dropped on Windows is 5 minutes. This setting is configurable with the command “netsh advfirewall set global saidletimemin” but doesn’t allow any value below 5 minutes.

Is there a supported way of lowering that value to e.g. 1 minute?

Another option I have in my mind is to configure the following registry key on the DA-Server to 1, as stated in this KB https://technet.microsoft.com/en-us/library/ee382281(v=ws.10).aspx: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley\NLBSFlags”

As far as I understood this key is used to shorten the time it takes for doing a failover when the DA-Server running Server 2008 R2 is made highly available via Hyper-V. Does anyone of you have experiences with that key regarding DirectAccess on Server 2012 R2? Does anyone think this may help in our scenario here, too?

I also found another KB for Server 2008 R2 here http://support.microsoft.com/kb/980915/en-us which recommends setting the following registry keys after installing a hotfix:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters\nlbsflags

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters\NlbsIdleTime

Does anyone of you have experiences with those keys regarding DirectAccess on Server 2012 R2? Does anyone think this may help in our scenario here, too?

The last option I have in my mind is deploying a script to clients that uses the Get-NetIPsecMainModeSA and Remove-NetIPsecMainModeSA cmdlets to manually flush the SAs and force a re-establishment. Unfortunately those cmdlets require admin rights. The only way I know now to get around this permission issue would be to deploy the script via the DA troubleshooting assistant. Does anyone of you know if I could somehow grant end users the ability to run those cmdlets without granting them admin rights? Network Configuration Operators group membership isn’t enough, as I tested. The script would be kind of a last resort, though.

EDIT: While digging deeper into the Logfile of the DA Troubleshooting assistant I noticed lots of dropped packets because of a queue overflow:

 <localAddrV6.byteArray16>xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx</localAddrV6.byteArray16>
   <remoteAddrV6.byteArray16>fc00:a:58:7777::xxxx:xxxx</remoteAddrV6.byteArray16>
   <localPort>58361</localPort>
   <remotePort>389</remotePort>
   <scopeId>0</scopeId>
   <appId/>
   <userId/>
   <addressFamily>FWP_AF_INET</addressFamily>
   <packageSid/>
  </header>
  <type>FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP</type>
  <ipsecDrop>
   <failureStatus>0xC000A010 (STATUS_IPSEC_QUEUE_OVERFLOW)</failureStatus>
   <direction>FWP_DIRECTION_OUTBOUND</direction>
   <spi>3779956078</spi>
   <filterId>9223372036854775838</filterId>
   <layerId>0</layerId>
  </ipsecDrop>

Best regards and thanks,

Steven



Recommended RLZ design


Howdy!

In our network we have hundreds of subnets, and due to redesigns of LANs etc. these subnets change over time. For each of these subnets we create an RLZ in our AD-integrated DNS. This works fine, but we have to constantly chase local IT staff for any subnet changes and in turn update our DNS infrastructure. My question is: instead of using hundreds of /24 RLZs (i.e. 80.142.10.in-addr.arpa), can we set up a single /8 RLZ (i.e. 0.0.10.in-addr.arpa) that covers all the subnets, so we don't have to worry about updating the RLZ all the time?

Thanks in advance for your input

Stefano


