Search This Blog

Thursday, February 3, 2022

DNS Event 4015 on Windows 2012 R2 Domain Controller

Description:

At DNS Server which also a Domain Controller, you notice the Event Viewer is full with the following error.

The DNS server has encountered a critical error from the Active Directory. 
Check that the Active Directory is functioning properly. 
The extended error debug information (which may be empty) is 0000051B: AtrErr: DSID-031508EF, #1:0: 0000051B: DSID-031508EF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).

Resolution:

Enabled AD diagnostic logging, Enabled Directory access key and set the value to 5.
Look for Event ID 1175 at event viewer and noticed the Object Distinguished Name. You may need to change the ownership of that AD Object to SYSTEM and restarted the DNS service on the domain controller.

Diposting oleh di No comments:
Label: , ,

ADFS Error - MSIS8022: Unable to find the specified user account.

Description:

You saw several error at ADFS server event viewer. The error was saying "MSIS8022: Unable to find the specified user account."

Resolution:

First, always double check on the user name, make sure they are exist inside Active Directory. After that check for Extranet Lockout feature in ADFS.

When the Extranet Lockout is enabled, ADFS needs to query the badPwdCount attribute of the user, so it tries to look for it in AD before even trying to authenticate. If the user does not exist, you get the error message you see.

Diposting oleh di No comments:
Label: ,

WAP and ADFS trust certificate lifetime

Description:

The proxy trust certificate between WAP and ADFS is a rolling certificate which valid for 2 weeks and periodically updated. This is stored in an internal, protected store so we can't see it in any of the usual certificate stores. 

What we see in the local machine store is the initial temporary certificate thumbprint used while the proxy trust is first being established. This explains why the WAP event log error included a strange, unknown certificate thumbprint.

If we leave our WAP server offline for more than 2 weeks, the proxy trust certificate will expire and we’ll need to re-initialise the proxy trust (Install-WebApplicationProxy cmdlet).

This can also happen when we move the VM’s configuration to another storage.

Resolution:

We can solve this issue by setting the following registry key to 1 on the WAP server and re-running post-install config from the Remote Management console:

HKLM\Software\Microsoft\ADFS

ProxyConfigurationStatus

  • 1 (not configured)
  • 2 (Web Application Proxy is configured)
Diposting oleh di No comments:
Label: , , ,
Subscribe to: Posts (Atom)

Search Google