Error while creating Windows 2016 Cluster at "Find a suitable Domain Controller"

Description:

You want to create Windows 2016 cluster on Windows 2012 R2 Domain. You run the Wizard, however encountered error and the cluster cannot be created. 

During investigation, you saw several error message such as:
"Check whether the computer object "clustername" for node "hostnameFQDN" exists in the domain. More data is available".

At event viewer (after enabling Debug Log) you could see:
"Failed to find suitable DC. Error 234"
"Searching for object "clustername" on first choice DC failed. Error 234"
"Couldn't resolve RPC binding to cluster, Status = 1753"

You then try to run the Cluster Validation wizard but everything seems to pass. You validated that the required AD permission for the User Account creating the Cluster are already meet. You also verify the Group Policy setting for "Deny Access to this computer from the Network" is correct. You check the network port requirement and verify all the necessary port are open.

Resolution:

First, verified the DNS record in your DNS Server. Especially the record for all of your Domain Controllers. Make sure the Active Directory required Zones has the correct NS records, CNAME records, A Records, and also SRV DNS records. Remove the stale records for old or unknown broken Domain Controllers.

Second, check the Application partition (DomainDnsZone and ForestDnsZone) in your Active Directory. Use ADSIedit to connect to the application partition and try to browse the content. If you encountered error, you may need to delete the application partition using NTDSUtil.

You should be able to create the Windows Cluster afterwards.

Error Event ID 345 on ADFS Server

Description:

You recently just upgraded your ADFS to newer OS version. After a while you notice Event ID 345 on one of the secondary ADFS server. It said "There was a communication error during AD FS configuration database synchronization. Synchronization of the data from primary federation server to a secondary federation server did not occur". You are sure that all of the network port requirement are met.

Resolution:

The previous ADFS upgrade process is somehow causing the farm behavior level (FBL) on the secondary server doesn't match with the FBL on the primary server.

We need to remove the ADFS role and WID database feature on the problematic secondary ADFS server. After that try to re-install the ADFS role and finish the post configuration. 

The secondary server will then use the correct version of ADFS configuration database and synchronization will works as expected.

DNS Event 4015 on Windows 2012 R2 Domain Controller

Description:

At DNS Server which also a Domain Controller, you notice the Event Viewer is full with the following error.

The DNS server has encountered a critical error from the Active Directory. 
Check that the Active Directory is functioning properly. 
The extended error debug information (which may be empty) is 0000051B: AtrErr: DSID-031508EF, #1:0: 0000051B: DSID-031508EF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).

Resolution:

Enabled AD diagnostic logging, Enabled Directory access key and set the value to 5.
Look for Event ID 1175 at event viewer and noticed the Object Distinguished Name. You may need to change the ownership of that AD Object to SYSTEM and restarted the DNS service on the domain controller.

ADFS Error - MSIS8022: Unable to find the specified user account.

Description:

You saw several error at ADFS server event viewer. The error was saying "MSIS8022: Unable to find the specified user account."

Resolution:

First, always double check on the user name, make sure they are exist inside Active Directory. After that check for Extranet Lockout feature in ADFS.

When the Extranet Lockout is enabled, ADFS needs to query the badPwdCount attribute of the user, so it tries to look for it in AD before even trying to authenticate. If the user does not exist, you get the error message you see.

WAP and ADFS trust certificate lifetime

Description:

The proxy trust certificate between WAP and ADFS is a rolling certificate which valid for 2 weeks and periodically updated. This is stored in an internal, protected store so we can't see it in any of the usual certificate stores. 

What we see in the local machine store is the initial temporary certificate thumbprint used while the proxy trust is first being established. This explains why the WAP event log error included a strange, unknown certificate thumbprint.

If we leave our WAP server offline for more than 2 weeks, the proxy trust certificate will expire and we’ll need to re-initialise the proxy trust (Install-WebApplicationProxy cmdlet).

This can also happen when we move the VM’s configuration to another storage.

Resolution:

We can solve this issue by setting the following registry key to 1 on the WAP server and re-running post-install config from the Remote Management console:

HKLM\Software\Microsoft\ADFS

ProxyConfigurationStatus

• 1 (not configured)
• 2 (Web Application Proxy is configured)