oh.
i spent my afternoon doing stuff and staring at output from this command:
tail -f -n 30 log.win2012adcontroller
i am seeing this:
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client WIN2012ADCONTROLLER machine account MSAD$
why?
http://support.microsoft.com/?id=942564
The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain
controllers does not allow the use of older cryptography algorithms that are compatible
with Windows NT 4.0 by default.
well then:
Log on to a Windows Server 2008-based domain controller.
Click Start, click Run, type gpmc.msc, and then click OK.
In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
In the Properties dialog box, click the Enabled option, and then click OK.
Notes
By default, the Not Configured option is set for the Allow cryptography algorithms compatible with Windows NT 4.0 policy in the following Group Policy objects (GPO):
Default Domain Policy
Default Domain Controllers Policy
Local Computer Policy
thanks microsoft good thing i do this on non-prod domains first.
and this helps, too:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
(hint: it can be added in a gpo to affect/ruin all your systems)
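As an added example (not part of the original post, and not Samba's code), a small Python parser that pulls the rejected client and machine account out of log lines like the ones at the top of the post, so you can count which peers are failing netlogon_creds_server_check instead of watching tail -f. The log sample inside it is constructed to match the shape of the excerpt above.

```python
import re
from collections import Counter

# Samba logs the failure as one message, which a log viewer may wrap onto two lines:
#   <func>: netlogon_creds_server_check failed.
#   Rejecting auth request from client <CLIENT> machine account <ACCOUNT>$
CHECK_FAILED = "netlogon_creds_server_check failed"
REJECT_RE = re.compile(
    r"Rejecting auth request from client (?P<client>\S+) machine account (?P<account>\S+)"
)


def parse_rejections(lines):
    """Yield (client, machine_account) for each rejection caused by a failed
    netlogon_creds_server_check. The failure text may be on the same line as the
    rejection or on the line immediately before it; other rejections are ignored."""
    previous = ""
    for line in lines:
        m = REJECT_RE.search(line)
        if m and (CHECK_FAILED in line or CHECK_FAILED in previous):
            yield m.group("client"), m.group("account")
        previous = line


def count_rejections(lines):
    """Count rejections per (client, machine account) so a noisy peer stands out."""
    return Counter(parse_rejections(lines))


# Constructed sample in the shape of the excerpt above (timestamps and DC2 are made up).
SAMPLE_LOG = """\
[2013/05/02 14:03:11,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client WIN2012ADCONTROLLER machine account MSAD$
[2013/05/02 14:03:12,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN2012ADCONTROLLER machine account MSAD$
[2013/05/02 14:03:15,  0] unrelated line: STRAYHOST closed its connection
  Rejecting auth request from client STRAYHOST machine account STRAYHOST$
[2013/05/02 14:04:01,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client DC2 machine account DC2$
"""

if __name__ == "__main__":
    for (client, account), n in count_rejections(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  client={client}  account={account}")
```

Run it against the real file with `count_rejections(open("log.win2012adcontroller"))`; the STRAYHOST line is deliberately not counted because no creds-check failure precedes it.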