
Saturday, March 11, 2023

How to Fix "Trust Relationship Failed" error without Rejoin Domain

Description:


One of your users suddenly sees the error message "The trust relationship between this workstation and the primary domain failed" when trying to log on to their machine.
You have verified that the computer account exists in Active Directory, that the DNS settings are correct, and that there is no port or networking problem.
You want to remediate the issue without disjoining and rejoining the computer to the domain.

Resolution:

On the problematic machine, log on using a local administrator credential. Open PowerShell as Administrator and type the following (replace DomainController and DomainAdmin with a writable domain controller and an account allowed to reset the computer account password):

Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin

If the command completes successfully, log off and try to log on again.
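The same repair as a small script that first confirms the trust is actually broken and re-tests afterwards. This is an added example, not the original post's text; the domain controller name DC01 is an assumption.

```powershell
# Added example (not from the original post): test the secure channel, reset the
# machine account password only when it is broken, then re-test.
# "DC01" is an assumed writable domain controller name; substitute your own.
$dc = "DC01"

# Test-ComputerSecureChannel returns $true when the workstation's trust with the
# domain is healthy; $false is the condition behind the logon error above.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host "Secure channel is healthy; nothing to do."
    return
}

Write-Host "Secure channel is broken; resetting the machine account password..."

# Prompt for a domain account that is allowed to reset this computer's password.
$cred = Get-Credential -Message "Domain account allowed to reset this computer account password"

# Resets the password both in AD and in the local LSA secret in one step, so no
# disjoin/rejoin is needed and the computer object (SID, group memberships,
# GPO links) stays intact.
Reset-ComputerMachinePassword -Server $dc -Credential $cred

# Re-test; if it is still broken the cause is usually DNS, time skew or a
# deleted/stale computer object rather than the password itself.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host "Secure channel repaired. Log off and log on with a domain account."
} else {
    Write-Warning "Secure channel still broken; check DNS, time sync and that the computer object exists in AD."
}
```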

Thursday, September 9, 2021

Error connecting to SQL Server after changing Service Account to normal domain users

Description:

As a security best practice, we should not run SQL Server services with domain admin credentials. However, after changing the service account to a normal domain user, you encounter a connection error when trying to connect from SQL Server Management Studio.

The error may say something like "The target principal name is incorrect. Cannot generate SSPI context."

Resolution:

We need to grant the domain user account permission to modify its own servicePrincipalName attribute in Active Directory, so that the SQL Server service can register its SPN at startup.

  • Run Adsiedit.msc
  • In the ADSI Edit snap-in, expand Domain [YourDomainName], expand DC=RootDomainName, expand CN=Users, right-click CN=[YourAccountName], and then click Properties.
  • In the CN=AccountName Properties dialog box, click the Security tab.
  • On the Security tab, click Advanced.
  • In the Advanced Security Settings dialog box, select any row whose principal is "SELF".
  • Click Edit to open the Permission Entry dialog box.
  • Make sure Principal is "SELF", Type is "Allow" and "Applies to" is "This object only". In the Properties section, select the following:
    • Read servicePrincipalName
    • Write servicePrincipalName
  • Click OK to apply all changes and exit the ADSI Edit snap-in.
  • Restart the SQL Server service(s) that use the account in question.
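The scripted equivalent of the ADSI Edit steps above, added here as an example (not from the original post). It uses the ActiveDirectory module's AD: drive; the service account DN is an assumption.

```powershell
# Added example (not from the original post): grant SELF read/write on the
# servicePrincipalName attribute of a service account, scoped to that object only.
# Requires the ActiveDirectory module (RSAT). The account DN is an assumption.
Import-Module ActiveDirectory

$accountDn = "CN=svc-sql,CN=Users,DC=contoso,DC=com"   # assumed service account DN

# Resolve the schema GUID of servicePrincipalName from this forest's schema
# instead of hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=servicePrincipalName)" -Properties schemaIDGUID
$spnGuid  = [guid]$spnAttr.schemaIDGUID

$acl  = Get-Acl -Path "AD:\$accountDn"
$self = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-10")   # NT AUTHORITY\SELF

# Check for an existing Allow ACE for SELF that is scoped to this one attribute.
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq "NT AUTHORITY\SELF" -and
    $_.ObjectType -eq $spnGuid -and
    $_.AccessControlType -eq 'Allow'
}

if ($existing) {
    "SELF already has $($existing.ActiveDirectoryRights -join ', ') on servicePrincipalName"
} else {
    # ReadProperty + WriteProperty, Allow, limited to servicePrincipalName and to
    # this object only (no inheritance), which matches the GUI dialog settings.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $spnGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$accountDn" -AclObject $acl
    "Granted SELF read/write servicePrincipalName on $accountDn"
}
```

After restarting the SQL Server service, `setspn -L <account>` should list the MSSQLSvc SPNs the service registered for itself.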

Error Connecting to SQL Server Instances after enabling Windows Firewall

Description:
For security reasons, you need to enable the Windows Firewall on your SQL Server machine.
However, after you enable it, users cannot connect to one of your SQL instances. You have already created inbound TCP rules to allow port 1433 and the TCP port that the instance listens on, but users still cannot connect. They can connect only if the port number for that instance is written directly into the connection dialog.

Resolution:
Make sure you also create an inbound rule for UDP port 1434. The SQL Server Browser service listens on UDP port 1434 and tells clients which TCP port a named instance is listening on; with that port blocked, clients can only connect when they already know the port and specify it explicitly.

Thursday, June 17, 2021

BitLocker with MBAM Failed to Encrypt because Access Denied by Remote Endpoint

Description:

You have configured the MBAM Application server and the MBAM Database server, and set a GPO for Drive Encryption to run automatically with minimal user interaction. However, when you test it, it shows the error "failed to encrypt".


When you look at Event Viewer on the client machine, it says "Unable to connect to the MBAM Recovery and Hardware Service". It also gives Error Code: -2143485947 and the detail "Access was denied by the remote endpoint".

Resolution:
Make sure the account running the MBAM web application pool has the correct SPNs registered.
You can use the following commands to register the SPN for both the NetBIOS name and the FQDN:

Setspn -s http/mbamvirtual contoso\mbamapppooluser
Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

Friday, March 26, 2021

Removing Extended Rights delegation on AdminSDHolder

Description:

You have Active Directory and Exchange servers running in your environment. One day, the Security team tells you that they have found an account with excessive access on the AdminSDHolder container. The account is "DomainName\Exchange Servers" and it has the Extended Rights permission "Replication Synchronization". You want to remove this excessive access.

First, you try to remove it through the GUI. Open the Active Directory Users and Computers console, go to System, then to the AdminSDHolder container. Right-click it, open Properties, open Security, and click Advanced. You search for "DomainName\Exchange Servers" with the permission Replication Synchronization, but cannot find it.

Second, you try to confirm the existence of the extended rights by running the following command:

DSACLS "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local"

The output confirms that the permission exists.

Third, you try to remove it using the Exchange Management Shell with the following PowerShell command:

Remove-ADPermission -Identity "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local" -User "DomainName\Exchange Servers" -ExtendedRights "Replication Synchronization"

However, it fails with an access denied error.

Resolution:

We can remove the Extended Rights on the AdminSDHolder container with the help of LDP.exe:

  1. Open LDP.exe
  2. Go to Connection > Click Connect > Click OK
  3. Go to Connection again > Click Bind > Click OK
  4. Click View > Click Tree
  5. Enter the Base DN "DC=DomainName,DC=Local". Click OK
  6. On the left, double-click the domain, double-click "CN=System,DC=DomainName,DC=Local", then right-click the AdminSDHolder container.
  7. Click Advanced > Click Security Descriptor
  8. Check the SACL box > Click OK
  9. Scroll down until you find the right that you want to remove
  10. Click Delete ACE > Select Yes
  11. Click Update to commit the changes
  12. Close LDP.exe
Note:
Be careful when removing these rights, as it may affect your Exchange servers' behaviour. Test beforehand.
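To find the ACE before touching it (and, if wanted, remove it from PowerShell instead of LDP.exe), here is an added example that is not part of the original post. It resolves the "Replication Synchronization" right's GUID from the Extended-Rights container; the domain DN and group name are placeholders taken from the post.

```powershell
# Added example (not from the original post): list, and optionally remove, the
# "Replication Synchronization" extended-right ACE that "Exchange Servers" holds
# on AdminSDHolder. Run as a Domain Admin with the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDn = "DC=DomainName,DC=Local"            # placeholder from the post
$target   = "CN=AdminSDHolder,CN=System,$domainDn"
$trustee  = "DomainName\Exchange Servers"       # placeholder from the post
$remove   = $false                              # set to $true to delete the ACE

# Resolve the control access right by display name rather than hard-coding its GUID.
$configNc = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter "(displayName=Replication Synchronization)" -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

$acl  = Get-Acl -Path "AD:\$target"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $trustee -and
    $_.ObjectType -eq $rightGuid -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}

if (-not $aces) { "No matching ACE on AdminSDHolder."; return }

# Show what would be removed, including whether it is inherited (inherited ACEs
# must be removed at the parent, not here).
$aces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited

if ($remove) {
    foreach ($ace in $aces) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path "AD:\$target" -AclObject $acl
    "Removed $(@($aces).Count) ACE(s). Re-run DSACLS on AdminSDHolder to confirm."
}
```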

Sunday, March 7, 2021

Point Client Machine or Member Server to a Specific Domain Controller

There may be times when you want to restrict a client machine's or member server's authentication to a specific Domain Controller only. One possible reason is that you are hardening a Domain Controller or Active Directory and want to test the impact on a limited set of production systems before going company-wide.

To restrict the client or member server authentication to specific DC only, please do the following:

1. Open Active Directory Sites and Services Console.

  • Create a new Site.
  • Assign a proper subnet to that site.
  • Move the Specific Domain Controller to that site.

2. Open Registry Editor on the client or member server.

  • In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  • Add a multi-string value (REG_MULTI_SZ) with Value Name: SiteName
  • For Value Data, enter the name of the new site (TheNewSiteName)

3. Restart the client or member server to pick up the new setting. If you cannot restart the machine, you can run the following command instead:

nltest /dsgetdc:domainname /force 


Friday, February 12, 2021

Local Administrator Password Solution (LAPS) - Cannot Reset Password

Description:

You have properly set up Local Administrator Password Solution (LAPS) in your domain environment:

  • Admpwd.dll is deployed and registered on the client computers
  • The Group Policy that manages the password is configured and linked to the proper OU
  • Permission to read and reset the password is properly set up on the OU

However, when you try to reset the local admin password for one of the computers, the new password never gets generated automatically.

Resolution:

Check the time configuration on the machine where you reset the password. Does the machine's time sync properly with the Domain Controller? If not, fix it, restart the machine, and try to reset the password again.

Also check the following registry value on the machine (NT5DS means the machine takes its time from the domain hierarchy):

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Value Name: Type

Value Data: NT5DS


Sunday, August 2, 2015

Cannot Install Windows 2008 R2 Service Pack 1

Description

You are experiencing an error when installing Windows 2008 R2 Service Pack 1. It says "Installation was not successful", error code 0x800f0826.

You have followed the steps in https://support.microsoft.com/en-us/kb/2575082.
SYSTEM and Administrators already have Full Control on the usbstor.inf and usbstor.pnf files.
You have also followed http://windows.microsoft.com/en-ID/windows7/troubleshoot-problems-installing-service-pack to download and run the latest System Update Readiness Tool.
Other than that, you have also tried running sfc /scannow, but no errors were found.

In C:\Windows\inf\setupapi.dev.log you find a couple of errors similar to:
inf:      Opened INF: 'C:\WINDOWS\System32\DriverStore\FileRepository\compositebus.inf_amd64_neutral_b9280780a8000d4b\compositebus.inf' ([strings])
sto:      {Update Device: ROOT\COMPOSITEBUS\0000}
sto:           Updating installed driver version:
sto:                Driver Version Last     = 6/21/2006,6.1.7600.16385
sto:                Driver Version New      = 6/21/2006,6.1.7601.17514
!!!  sto:           Failed to update driver date. Error = 0x00000005
sto:      {Update Device: exit(0x00000005)}
sto: {Update Device Drivers: exit(0x00000005)} 12:07:37.106
!!!  sto: Failed to update devices for all driver updates. Error = 0x00000005

inf:      Opened INF: 'C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_neutral_2d4257afa2e35253\umbus.inf' ([strings])
sto:      {Update Device: ROOT\UMBUS\0000}
sto:           Updating installed driver version:
sto:                Driver Version Last     = 6/21/2006,6.1.7600.16385
sto:                Driver Version New      = 6/21/2006,6.1.7601.17514
!!!  sto:           Failed to update driver date. Error = 0x00000005


Resolution

There is a missing permission on the registry keys related to these drivers: the driver update runs as SYSTEM, and error 0x00000005 (access denied) means SYSTEM lacks rights on one of them.

1. Download psexec.exe (http://technet.microsoft.com/en-us/sysinternals/bb897553)
2. Execute the following command from an elevated command prompt: psexec /i /s cmd
3. When the new command prompt opens, execute regedit
4. Navigate to HKLM\SYSTEM\CurrentControlSet\Enum\ROOT\COMPOSITEBUS\0000\Properties\
5. Verify that SYSTEM has Full Control on each subkey. If not, force inheritance from the Properties key.
6. Test the install of SP1.
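Checking every subkey by hand in regedit is tedious, so here is an added example (not from the original post) that reports which keys under Properties lack SYSTEM Full Control and, with the flag set, re-enables inheritance on them. Run it in a PowerShell window started from the SYSTEM command prompt of step 2, since these keys are not readable as Administrator.

```powershell
# Added example (not from the original post): audit SYSTEM Full Control on the
# Properties key and all of its subkeys; optionally re-enable inheritance on the
# ones that fail, which is what step 5 means by "force inheritance".
$root   = "HKLM:\SYSTEM\CurrentControlSet\Enum\ROOT\COMPOSITEBUS\0000\Properties"
$system = "NT AUTHORITY\SYSTEM"
$fix    = $false   # set to $true to re-enable inheritance on failing keys

# The Properties key itself plus every key beneath it.
$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)

$report = foreach ($key in $keys) {
    $acl = Get-Acl -Path $key.PSPath
    # An Allow ACE for SYSTEM whose mask contains the complete FullControl mask.
    $full = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $system -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::FullControl) -eq
            [System.Security.AccessControl.RegistryRights]::FullControl
    }
    [pscustomobject]@{
        Path       = $key.PSPath
        Key        = $key.Name
        SystemFull = [bool]$full
        Inherits   = -not $acl.AreAccessRulesProtected   # $false = inheritance blocked
    }
}

# Keys where SYSTEM lacks Full Control are the ones that make the driver update,
# and therefore SP1 setup, fail with access denied (0x00000005).
$broken = $report | Where-Object { -not $_.SystemFull }
if (-not $broken) {
    "SYSTEM has Full Control on all $(@($report).Count) key(s) under $root"
    return
}
"SYSTEM lacks Full Control on $(@($broken).Count) key(s):"
$broken | Format-Table Key, SystemFull, Inherits -AutoSize

if ($fix) {
    foreach ($b in $broken) {
        $a = Get-Acl -Path $b.Path
        # Inherit from the parent key again while keeping the existing explicit ACEs.
        $a.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $b.Path -AclObject $a
    }
}
```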