Search This Blog

Saturday, April 9, 2022

Error Event ID 345 on ADFS Server

Description:

You recently just upgraded your ADFS to newer OS version. After a while you notice Event ID 345 on one of the secondary ADFS server. It said "There was a communication error during AD FS configuration database synchronization. Synchronization of the data from primary federation server to a secondary federation server did not occur". You are sure that all of the network port requirement are met.


Resolution:

The previous ADFS upgrade process is somehow causing the farm behavior level (FBL) on the secondary server doesn't match with the FBL on the primary server.

We need to remove the ADFS role and WID database feature on the problematic secondary ADFS server. After that try to re-install the ADFS role and finish the post configuration. 

The secondary server will then use the correct version of ADFS configuration database and synchronization will works as expected.


Thursday, February 3, 2022

DNS Event 4015 on Windows 2012 R2 Domain Controller

Description:

At DNS Server which also a Domain Controller, you notice the Event Viewer is full with the following error.

The DNS server has encountered a critical error from the Active Directory. 
Check that the Active Directory is functioning properly. 
The extended error debug information (which may be empty) is
0000051B: AtrErr: DSID-031508EF, #1:0: 0000051B: DSID-031508EF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).

Resolution:

Enabled AD diagnostic logging, Enabled Directory access key and set the value to 5.
Look for Event ID 1175 at event viewer and noticed the Object Distinguished Name. You may need to change the ownership of that AD Object to SYSTEM and restarted the DNS service on the domain controller.

ADFS Error - MSIS8022: Unable to find the specified user account.

Description:

You saw several error at ADFS server event viewer. The error was saying "MSIS8022: Unable to find the specified user account."

Resolution:

First, always double check on the user name, make sure they are exist inside Active Directory. After that check for Extranet Lockout feature in ADFS.

When the Extranet Lockout is enabled, ADFS needs to query the badPwdCount attribute of the user, so it tries to look for it in AD before even trying to authenticate. If the user does not exist, you get the error message you see.

WAP and ADFS trust certificate lifetime

Description:

The proxy trust certificate between WAP and ADFS is a rolling certificate which valid for 2 weeks and periodically updated. This is stored in an internal, protected store so we can't see it in any of the usual certificate stores. 

What we see in the local machine store is the initial temporary certificate thumbprint used while the proxy trust is first being established. This explains why the WAP event log error included a strange, unknown certificate thumbprint.

If we leave our WAP server offline for more than 2 weeks, the proxy trust certificate will expire and we’ll need to re-initialise the proxy trust (Install-WebApplicationProxy cmdlet).

This can also happen when we move the VM’s configuration to another storage.

Resolution:

We can solve this issue by setting the following registry key to 1 on the WAP server and re-running post-install config from the Remote Management console:

HKLM\Software\Microsoft\ADFS

ProxyConfigurationStatus

  • 1 (not configured)
  • 2 (Web Application Proxy is configured)

Tuesday, January 25, 2022

Invalidate RID Pool Script

 

To invalidate the current RID pool in Active Directory

Open an elevated Windows PowerShell session, run the following command and press ENTER:

$Domain = New-Object System.DirectoryServices.DirectoryEntry
$DomainSid = $Domain.objectSid
$RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$RootDSE.UsePropertyCache = $false
$RootDSE.Put("invalidateRidPool", $DomainSid.Value)$RootDSE.SetInfo()

Search Google