    Posts made by G I Jones

    • RE: Event 4776 - Audit Failure from DC + Account Lockout

      Figured it out. Both DC's had inconsistencies between configurations and they basically weren't replicating or failing to serve DNS requests because the Interfaces were all over the place.

      I used this opportunity to take a crash course on Configuring DNS to understand all of the settings, and I was able to fix it by thoroughly sweeping the settings and correcting as I went.

      I've never seen the Security log so empty before. It's a great feeling. Also, I learned a bit about DNS so win-win.

      posted in IT Discussion
      G I Jones
    • RE: GPO to create scheduled task to run netlogon batch script

      Did you ever figure this out?

      posted in IT Discussion
      G I Jones
    • Event 4776 - Audit Failure from DC + Account Lockout

      The computer attempted to validate the credentials for an account.

      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Logon Account: gijones
      Source Workstation: DC1
      Error Code: 0xC000006A


      I recently opted to put Account lockout Policies in place as I'm learning more about the Security side of things having just passed my MTA Security. Instantly getting account lockouts on my account.

      We never used elevation for admin privs, but we since stopped being idiots. I bring this up because we probably set up a lot of things with our older credentials, and the littlest bit of research tells me this is a mapped drive, a service, or a scheduled task that's trying to authenticate using incorrect credentials.

      Things I've checked/additional info:

      netlogon.log for accuracy and understanding. [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\gijones from DC1 Returns 0xC000006A (this code just means the user name is correct but the password is wrong)

      • Every Service on the DC was checked for the Log On credentials.
      • Every server in the domain was checked for any scheduled task, or process that could be running with my credentials.
      • I've deleted any user folder that was mine that existed on any server, in addition to removing the profile altogether with Regedit.
      • I've checked all servers for mapped drives, as well as any computer I can think of that I would have mapped to the DC.

      We do use a VPN, and I have tunneled in from home previously, but I've double checked the service wasn't running on my home machine.

      I've hit a point where I don't know where else to look. Now, I could just make a new username easy peasy and be done with it, but not knowing is driving me crazy. Any additional ideas on places to look or next steps? I'm tinkering around with Wireshark, so maybe if it's a mapped drive I could find it that way. Just gotta figure out these filters...

      posted in IT Discussion
      G I Jones
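
The netlogon.log line quoted in the post above can be tallied per source to show which machine is submitting the bad password. This is an added example, not part of the original post; the timestamp prefix, the "(via ...)" field, the hosts FILESRV01, WS-042 and DC2, and the user asmith are assumptions made up for the sample.

```python
import re
from collections import Counter

# NTSTATUS values commonly seen on Netlogon "Returns" lines.
STATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the SamLogon completion line quoted in the post. The optional
# "(via HOST)" part is assumed to name the server that passed the logon on.
LINE_RE = re.compile(
    r"\[LOGON\] \[\d+\] (?P<domain>\S+): SamLogon: "
    r"(?:Transitive )?Network logon of (?P<account>\S+) "
    r"from (?P<source>\S+)(?: \(via (?P<via>[^)]+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)"
)

def parse_failures(lines):
    """Yield (user, source, via, status_name) for every failed logon line."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # "Entered" lines and unrelated entries
        code = int(m.group("status"), 16)
        if code == 0:
            continue  # successful logon
        user = m.group("account").split("\\")[-1].lower()
        yield user, m.group("source"), m.group("via"), STATUS.get(code, hex(code))

def failure_sources(lines, account):
    """Count failures for one account, keyed by (source, via, status_name)."""
    return Counter(
        (src, via, status)
        for user, src, via, status in parse_failures(lines)
        if user == account.lower()
    )

# Constructed sample lines, not taken from the poster's log.
SAMPLE = r"""
03/12 09:15:02 [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\gijones from DC1 Entered
03/12 09:15:02 [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\gijones from DC1 Returns 0xC000006A
03/12 09:20:02 [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\gijones from DC1 Returns 0xC000006A
03/12 09:21:40 [LOGON] [716] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\gijones from FILESRV01 (via DC2) Returns 0xC000006A
03/12 09:22:10 [LOGON] [716] DOMAIN: SamLogon: Network logon of DOMAIN\asmith from WS-042 Returns 0x0
03/12 09:25:02 [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\gijones from DC1 Returns 0xC0000234
""".strip().splitlines()

if __name__ == "__main__":
    for key, count in failure_sources(SAMPLE, "gijones").most_common():
        print(count, key)
```
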
    • RE: Gaming - What's everyone playing / hosting / looking to play

      Among Trees - Got it yesterday and was able to play for about an hour. I'm a huge fan of survival games. Although an hour only got a toe into the game, it's really quite fun so far. Available in the Epic Games store. I had a $10 off coupon so I ended up paying only $9 for it. It's also Pre-Alpha, so I'm looking forward to future updates.

      Also downloaded The Forest on PS4 after I had been playing Stranded Deep for about a week. Trying to persuade some of my friends to play it with me, because that just seems like more fun to me.

      posted in Water Closet
      G I Jones
    • RE: Gaming - What's everyone playing / hosting / looking to play

      If you haven't already seen it:

      Youtube Video

      posted in Water Closet
      G I Jones
    • RE: Gaming - What's everyone playing / hosting / looking to play

      Man, all y'all are lucky. I work at a college, lol. They're making faculty, staff and students do remote learning!

      I'm really hoping to be at home soon. I have shit to do. Baseboards and doors need painted, cabinets need stained, I have 5 weeks until I take the Networking + test. I could really just use the extra time home in general.

      posted in Water Closet
      G I Jones
    • RE: Gaming - What's everyone playing / hosting / looking to play

      Playstation had a sale in the store and I was able to buy Tomb Raider Definitive Edition (better than Shadow of the Tomb Raider somehow), Rise of the Tomb Raider, HUE, Dead Island, Dead Island Riptide, and Dead Island Retro Revenge (not a great game) for around $30!

      It's only a matter of time before they send us all home for a while, so I got some mostly good games to play.

      posted in Water Closet
      G I Jones
    • RE: Subnetting help

      @Dashrender Ah, so in the future I need to pay more attention to the /26 part (which they did not notate here), but would have been implied had I known what I was doing prior to reading it.

      posted in IT Discussion
      G I Jones
    • Subnetting help

      I wasn't getting what I needed from my lesson and turned to Google to grasp a better understanding of Subnetting. I'm reading this article: https://support.microsoft.com/en-us/help/164015/understanding-tcp-ip-addressing-and-subnetting-basics

      About halfway down the page under Subnetting it explains that "The subnet mask 255.255.255.192 gives you four networks of 62 hosts each. This works because in binary notation, 255.255.255.192 is the same as 11111111.11111111.11111111.11000000. The first two digits of the last octet become network addresses, so you get the additional networks 00000000 (0), 01000000 (64), 10000000 (128) and 11000000 (192)....Using a subnet mask of 255.255.255.192, your 192.168.123.0 network then becomes the four networks 192.168.123.0, 192.168.123.64, 192.168.123.128 and 192.168.123.192. These four networks would have as valid host addresses:

      192.168.123.1-62
      192.168.123.65-126
      192.168.123.129-190
      192.168.123.193-254

      Remember, again, that binary host addresses with all ones or all zeros are invalid, so you cannot use addresses with the last octet of 0, 63, 64, 127, 128, 191, 192, or 255."


      What I don't understand is why they are excluding 63, 127, and 191? I've converted those to binary and they aren't all 1's or 0's

      63=00111111
      127=01111111
      191=10111111

      In fact, 64, 128, and 192 aren't all 1's or 0's either, are they incorrectly explaining leaving room for a switch or DC or is there another reason to exclude those numbers?

      Edit: my binary conversions needed work, but I fixed that

      posted in IT Discussion
      G I Jones
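
The split quoted in the post above, worked through with Python's standard `ipaddress` module: only the six host bits left over by the 255.255.255.192 (/26) mask are tested for all zeros or all ones, not the whole octet. This is an added example, not part of the original post or the Microsoft article; the function names are hypothetical.

```python
import ipaddress

def host_bits_role(addr, network):
    """Classify an address by its host bits inside `network`."""
    host = int(addr) & int(network.hostmask)
    if host == 0:
        return "network address (host bits all 0)"
    if host == int(network.hostmask):
        return "broadcast address (host bits all 1)"
    return "usable host"

def subnet_table(base, new_prefix):
    """Return (network, first_host, last_host, broadcast) for each subnet."""
    rows = []
    for net in ipaddress.ip_network(base).subnets(new_prefix=new_prefix):
        hosts = list(net.hosts())
        rows.append((str(net), str(hosts[0]), str(hosts[-1]),
                     str(net.broadcast_address)))
    return rows

def explain_octets(base, new_prefix, octets):
    """Map each last octet to (host bits as a binary string, role)."""
    parent = ipaddress.ip_network(base)
    width = 32 - new_prefix  # number of host bits, 6 for a /26
    out = {}
    for octet in octets:
        addr = parent.network_address + octet
        net = ipaddress.ip_network(f"{addr}/{new_prefix}", strict=False)
        bits = format(int(addr) & int(net.hostmask), f"0{width}b")
        out[octet] = (bits, host_bits_role(addr, net))
    return out

if __name__ == "__main__":
    for row in subnet_table("192.168.123.0/24", 26):
        print("%-18s hosts %s - %s, broadcast %s" % row)
    # The octets the article excludes, plus 65 as a usable comparison.
    checked = explain_octets("192.168.123.0/24", 26,
                             [0, 63, 64, 127, 128, 191, 192, 255, 65])
    for octet, (bits, role) in checked.items():
        print(f".{octet:<3} host bits {bits} -> {role}")
```
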
    • RE: What Are You Doing Right Now

      Studying for my Networking + certificate with flash cards I made from the lessons. About 5/22 lessons through, with 139 flash cards made so far. Also drawing Fiber Optic connector types in Adobe Illustrator, and adding them to my desktop wallpaper so I have to see them constantly. Anything helps. Shooting for 8 weeks from now for the test.

      posted in Water Closet
      G I Jones
    • RE: Group Policy points to wrong DC

      @scottalanmiller said in Group Policy points to wrong DC:

      It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.

      Then time to go to a single DC 🙂

      But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.

      What alternative to Group Policy do you recommend?

      posted in IT Discussion
      G I Jones
    • RE: Group Policy points to wrong DC

      @Dashrender said in Group Policy points to wrong DC:

      @G-I-Jones said in Group Policy points to wrong DC:

      @Dashrender said in Group Policy points to wrong DC:

      @G-I-Jones said in Group Policy points to wrong DC:

      e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

      As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.

      Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.

      You're misunderstanding DNS. The query the client machine is making is - give me the IP of a DC - ANY DC, and DNS is likely following a round robin effect and just handing out the IP of the next one that hasn't been handed out.
      Let's assume there are 2 DCs.
      ClientA queries for any DC - answer - DC1
      ClientB queries for any DC - answer - DC2
      ClientC queries for any DC - answer - DC1
      etc

      Ah, I see what you are saying here. Goes in with the idea that these are a pool. Appreciate that point of view, I hadn't thought of that just yet.

      posted in IT Discussion
      G I Jones
    • RE: Group Policy points to wrong DC

      @Dashrender said in Group Policy points to wrong DC:

      @G-I-Jones said in Group Policy points to wrong DC:

      e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

      As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.

      Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.

      posted in IT Discussion
      G I Jones
    • RE: Group Policy points to wrong DC

      @scottalanmiller said in Group Policy points to wrong DC:

      @G-I-Jones said in Group Policy points to wrong DC:

      Your client devices will use the DC that is in their same site, and if there's more than one DC in its site, the best DC will be chosen... which leads to the second point.

      I guess what I was playing at was how I could trick the process of "the best DC will be chosen".

      So if this is just an exercise in learning. Great. If not, let's back up. Why do you want to do this? What makes you feel one is better than another?

      It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.

      posted in IT Discussion
      G I Jones
    • RE: Group Policy points to wrong DC

      @Obsolesce said in Group Policy points to wrong DC:

      Secondly, there are no "Backup DCs". It's not something you use like that, and it really makes sense why. It's a HA system by design, think CDN style if you see what I mean.

      Thanks for the heads up on the terminology. ✊🏼

      posted in IT Discussion
      G I Jones
    • RE: Group Policy points to wrong DC

      Your client devices will use the DC that is in their same site, and if there's more than one DC in its site, the best DC will be chosen... which leads to the second point.

      I guess what I was playing at was how I could trick the process of "the best DC will be chosen". I figured if I moved the secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most important, I can just manage Group Policy on the secondary and there wouldn't be a wait, and two, I don't have a full understanding of how Windows picks the "best DC". Is it hops? Is it strictly Subnet? Maybe I'll look into that at some point. For now I'll consider this issue solved.

      posted in IT Discussion
      G I Jones
    • RE: Group Policy points to wrong DC

      Are your DCs in the same physical site (NOT separated by WAN or VPN)? If so, then yes, Main DC and backup DC should be in the same site.

      So it sounds like there isn't a way to choose the DC that Group Policy reads from. Or at least set a priority for one.

      posted in IT Discussion
      G I Jones
    • RE: Group Policy points to wrong DC

      @DustinB3403 said in Group Policy points to wrong DC:

      What is the output of Get-ADDomainController -Discover -Service PrimaryDC ?

      It points to the main DC

      posted in IT Discussion
      G I Jones
    • RE: Group Policy points to wrong DC

      Regardless, you may want to cut that replication time from 3 hours down to something more reasonable like 15 minutes. Our AD servers here are in the "Default-First-Site-Name" and generally replicate nearly real time.

      You know, I thought about that, but wondered if that would bog down the network.

      posted in IT Discussion
      G I Jones
    • Group Policy points to wrong DC

      As the title suggests, I have recently been having a hell of a time getting policies to apply in a timely manner.

      I ran gpresult /z and it returned our backup DC instead of the primary.

      So I start researching how to possibly point Group Policy at the main DC and come up with either "it can't be done", or you have to adjust the "weight" of the DC's and make the main one "heavier", which I mostly understand, but won't explain because the Registry key change they suggested doesn't exist and the walkthrough was from 2013 so it possibly doesn't apply.

      So I'm in AD Sites and Services and see that our backup DC is set for replication intervals of 180 minutes (explains the less than timely policy updates). And now I'm finding and reading all I can on how to configure and understand AD Sites and Services.

      I'm wondering, should my main DC and backup DC be in the same "SITE" (Default-First-Site-Name) or is them having an IP Inter-Site Transport really the only important detail here? If, from what I've read so far, the Inter-Site Transport is responsible for replication, then I feel like moving the backup to another "SITE" would be the right move as they will still be set for replication because they are still present in the Inter-Site Transport. However, after doing this nothing has changed and gpresult /z still returns backup DC.

      Is AD Sites and Services even what I should be looking at?

      posted in IT Discussion
      G I Jones