An authentication error has occurred (Code: 0x80090303)



I got this message today after setting up a very basic VPN with Server 2008 (yes, an article for that is coming).
After logging on successfully to the VPN, I noticed I couldn’t ping my server by name.  I chalked this up to a badly (or rather, mis-) configured DNS server.  I could ping the IP, though, so I plugged that into the remote desktop client.

Lo and behold, the above error message appeared.

AD DS: DNS Server requires static IPv4 and IPv6 IP Addresses

While installing and configuring Server 2008 (Standard), I decided to set up the AD DS service.
AD DS requires that the DNS service be set up as well.  DNS doesn’t function properly if you’re getting a DHCP address.

I personally haven’t yet made time to educate myself about IPv6, though I should.  The DNS setup process will complain if you do not have a static IPv6 address configured.

My server has two NICs.  Their IPv4 addresses are 192.168.3.2 and 192.168.3.3, respectively.
I went to the following website – http://www.subnetonline.com/pages/subnet-calculators/ipv4-to-ipv6-converter.php, plugged in the respective IPv4 addresses, and used the tool to pull out the equivalent IPv6 address, subnet mask, and default gateway.

I then also set the primary DNS server to 127.0.0.1 (in IPv6 notation of course, which I believe is 0:0:0:0:0:0:7f00:1),
and my local router – 192.168.3.1, again in IPv6 notation.
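As an added example (not part of the original post), here is the same static configuration done from the command line with netsh, which is what Server 2008 offers; the PowerShell networking cmdlets (New-NetIPAddress and friends) only arrived with Server 2012. The interface name "Local Area Connection" is an assumption, the IPv4 values are the ones from the post, and the IPv6 values fd00:3::2 and fd00:3::1 are constructed unique-local placeholders to replace with your own addressing plan. ::1 is the IPv6 loopback address.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the server.
# Assumed interface name; IPv4 numbers are the post's, IPv6 numbers are placeholders.
$nic = "Local Area Connection"

# IPv4: static address, mask and default gateway instead of a DHCP lease
# (positional netsh syntax: name, source, address, mask, gateway).
netsh interface ipv4 set address "$nic" static 192.168.3.2 255.255.255.0 192.168.3.1

# IPv4 DNS: a DC that will also run DNS should resolve through itself.
netsh interface ipv4 set dnsservers "$nic" static 127.0.0.1

# IPv6: static unicast address, default route through the router, loopback as DNS.
netsh interface ipv6 add address "$nic" "fd00:3::2"
netsh interface ipv6 add route "::/0" "$nic" "fd00:3::1"
netsh interface ipv6 add dnsservers "$nic" "::1"

# Read everything back; the IPv4 block should now report "DHCP enabled: No"
# and the IPv6 list should show the manual address before the role installer runs.
netsh interface ipv4 show config "$nic"
netsh interface ipv6 show addresses "$nic"
netsh interface ipv6 show dnsservers "$nic"
```

The DNS server entries point the box at itself because, once the DNS role is installed, the DC must be able to resolve its own SRV records; until then the add/set dnsservers lines may print a warning that the server cannot be validated, which is expected.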


Remote Desktop Beep, Server 2008

I’ve noticed that since installing Server 2008, audible beeps come through to my local computer. I’ve tried tweaking the remote desktop client settings, to no avail. I know this is a common issue – here’s the fix.


The remote computer requires Network Level Authentication, which your computer does not support.




If you get this message, it’s because you’re trying to connect to a computer which uses a newer version of the remote desktop protocol, which supports a higher level of encryption.  The connection will not go through because you are using an older version.

If you’re using Windows XP, make sure you are up to date with Windows Update.  You will need to be using Service Pack 3 for these instructions to work.  Also make sure there are no updates for the remote desktop client listed in Windows Update.
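From the server side, the setting that produces this message is the RDP-Tcp listener's Network Level Authentication requirement. As an added example (not from the original post), this snippet reads that setting through the Terminal Services WMI provider on a Server 2008 host and can switch it, so an administrator can confirm whether NLA is really required before telling users to update their clients. It assumes the default listener name RDP-Tcp and an elevated PowerShell prompt on the server.

```powershell
# Added example, not from the original post. Run elevated on the Server 2008 host.
# Win32_TSGeneralSetting fields of interest:
#   UserAuthenticationRequired  1 = NLA required (clients without NLA get the error above), 0 = any client
#   SecurityLayer               0 = RDP security layer, 1 = negotiate, 2 = TLS
#   MinEncryptionLevel          1 = low, 2 = client compatible, 3 = high, 4 = FIPS
$TsNamespace = "root\cimv2\TerminalServices"

function Get-RdpNlaSetting {
    Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" |
        Select-Object TerminalName, UserAuthenticationRequired, SecurityLayer, MinEncryptionLevel
}

function Set-RdpNlaRequired {
    param([bool]$Required = $true)
    $ts = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    # The WMI method takes 1 (require NLA) or 0 (allow legacy clients); 0 means success.
    $rc = $ts.SetUserAuthenticationRequired([int]$Required).ReturnValue
    if ($rc -ne 0) { throw "SetUserAuthenticationRequired failed with code $rc" }
    Get-RdpNlaSetting
}

# Show the current state; call Set-RdpNlaRequired $true to require NLA.
Get-RdpNlaSetting
```

Leaving the requirement on and updating the older clients is the better trade: with NLA the client authenticates before a session is created, so the server does not spend resources on (or expose the logon screen to) unauthenticated connections.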


Active Directory 2008 Notes 3: The Global Catalog

Global Catalog Servers

  • Validates group membership.
  • Enables forest-wide search for resources or AD objects.
  • Validates UPNs across the entire forest, allowing logon to other domains.

Promoting a domain controller to a global catalog server

  • The first domain controller in each domain is automatically set up to be a GC server.  Every DC that gets added to an already-existing domain has the option of also serving as a GC.  This may be desirable, for example, if one domain is divided into two sites or physical locations.
  1. On the DC, open Active Directory Sites and Services.
  2. Expand Sites, Servers, and the entry for the domain controller which will be designated a global catalog.
  3. Right-click NTDS settings, choose properties.
  4. In the General tab, check the global catalog option.  Press OK or apply.
  5. That’s it!  Apply the steps in reverse order to demote a DC from GC duty.


UGMC (Universal group membership caching)

  • If UGMC is enabled, users’ universal group information is cached when the user logs on to the domain for the first time.  This allows future requests to be serviced quickly, without the need to contact the GC.
  • This also allows a lower-spec RODC or DC to be on-site with a high-end DC/GC server elsewhere.

Enabling it

  1. Open up AD Sites and Services.
  2. Select the site which needs UGMC caching.
  3. Right click NTDS Site Settings, choose properties.
  4. Select Universal Group Membership Caching.
  5. Specific sites can be used for replication.  Use the drop-down selector if necessary.
  6. Click ok.

When it’s necessary – or How do I decide between additional GCs and UGMC?

  • In a single-domain forest, neither GC servers nor UGMC provides any benefit.
  • If users complain that logons are slow but resource access is not, go with UGMC.
  • If users complain that logons are slow and resource access across a link (WAN) is slow, go with GC.
  • Having additional GC servers and UGMC is not beneficial at the same site.
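Both GUI procedures above (promoting a DC to a global catalog, and enabling UGMC on a site) come down to flipping one bit in the options attribute of an object in the Configuration partition: NTDSDSA_OPT_IS_GC (0x1) on the DC's NTDS Settings object, and NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED (0x20) on the site's NTDS Site Settings object, with the preferred site from step 5 stored in msDS-Preferred-GC-Site. As an added example (not from the original notes), the script below does both through ADSI so it runs on Server 2008 without the ActiveDirectory module. The forest root example.com, the site names Default-First-Site-Name and BranchSite, and the DC name DC1 are placeholders.

```powershell
# Added example, not from the original notes. Placeholders: example.com, DC1, the two site names.
$configDn = "CN=Configuration,DC=example,DC=com"
$NTDSDSA_OPT_IS_GC                         = 0x1    # bit in options of CN=NTDS Settings (per DC)
$NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20   # bit in options of CN=NTDS Site Settings (per site)

function Set-NtdsOptionBit {
    # Read-modify-write one bit of the 'options' attribute; returns the bit's final state.
    param([string]$Dn, [int]$Bit, [bool]$Enable)
    $obj = [ADSI]"LDAP://$Dn"
    $old = [int]$obj.psbase.Properties["options"].Value     # $null (attribute unset) casts to 0
    if ($Enable) { $new = $old -bor $Bit } else { $new = $old -band (-bnot $Bit) }
    if ($new -ne $old) {
        $obj.Put("options", $new)
        $obj.SetInfo()
    }
    return (($new -band $Bit) -ne 0)
}

function Set-GlobalCatalog {
    # Equivalent of the "Global Catalog" checkbox on the NTDS Settings General tab.
    param([string]$DcName, [string]$SiteName, [bool]$Enable = $true)
    $dn = "CN=NTDS Settings,CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
    Set-NtdsOptionBit -Dn $dn -Bit $NTDSDSA_OPT_IS_GC -Enable $Enable
}

function Set-UniversalGroupMembershipCaching {
    # Equivalent of the UGMC checkbox plus the "refresh cache from" site drop-down.
    param([string]$SiteName, [bool]$Enable = $true, [string]$PreferredGcSite = "")
    $dn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configDn"
    $state = Set-NtdsOptionBit -Dn $dn -Bit $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED -Enable $Enable
    if ($Enable -and $PreferredGcSite -ne "") {
        $site = [ADSI]"LDAP://$dn"
        $site.Put("msDS-Preferred-GC-Site", "CN=$PreferredGcSite,CN=Sites,$configDn")
        $site.SetInfo()
    }
    return $state
}

# Hub site gets a GC; the branch site (no GC of its own, per the rule above) gets UGMC that
# refreshes from the hub.
Set-GlobalCatalog -DcName "DC1" -SiteName "Default-First-Site-Name"
Set-UniversalGroupMembershipCaching -SiteName "BranchSite" -PreferredGcSite "Default-First-Site-Name"
```

After the change replicates, repadmin /options DC1 lists IS_GC for the promoted DC, and the branch site's NTDS Site Settings shows the 0x20 bit set. The script follows the last bullet above: UGMC is enabled only in the site that has no GC of its own.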


Active Directory 2008 Notes 2

Preparing Active Directory for Server 2008 DC’s


Note:  These steps should be completed before promoting or upgrading an existing domain controller.

  • Run adprep /forestprep on the schema master of the forest.  This extends the schema to receive new 2008 features.  The changes must replicate through the forest before proceeding.
    You must be a member of the Enterprise Admins, Schema Admins, and Domain Admins in the forest root domain.
    Any Windows 2000 DCs must be upgraded to SP2 or later, or SP1 with hotfix QFE265089.
  • Run adprep /domainprep on the infrastructure master of each domain that will be accepting Server 2008 DCs.
    It adjusts ACLs on AD objects, and the SYSVOL shared folder.
    You must be a member of Domain Admins, and the domain’s functional level must be Windows 2000 Server native or higher.
    adprep /domainprep /prep can also be run to enable resultant set of policy planning mode functionality.
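Because the note says the forestprep changes must replicate through the forest before going on, it helps to have a check rather than a wait. As an added example (not from the original notes), this script asks every DC for its own copy of the schema container and reads the version markers adprep leaves behind: the schema's objectVersion (44 for Windows Server 2008) and the revision attribute of CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System (3 for Windows Server 2008; adjust both numbers if you run a later adprep). It needs PowerShell 2.0, an account that can read the Configuration partition, and the domain DN DC=example,DC=com is a placeholder.

```powershell
# Added example, not from the original notes. Version markers are for Server 2008's adprep.
$ExpectedSchemaVersion  = 44   # schema objectVersion after adprep /forestprep (Server 2008)
$ExpectedDomainRevision = 3    # DomainUpdates revision after adprep /domainprep (Server 2008)

function Get-SchemaVersionPerDc {
    # Bind to each DC by name so a lagging replica shows up instead of being hidden by DC locator.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $rootDse  = [ADSI]"LDAP://$($dc.Name)/RootDSE"
            $schemaNc = [string]$rootDse.psbase.Properties["schemaNamingContext"].Value
            $schema   = [ADSI]"LDAP://$($dc.Name)/$schemaNc"
            $version  = [int]$schema.psbase.Properties["objectVersion"].Value
            New-Object PSObject -Property @{
                DomainController = $dc.Name
                SchemaVersion    = $version
                ForestPrepDone   = ($version -ge $ExpectedSchemaVersion)
            }
        }
    }
}

function Get-DomainPrepRevision {
    # adprep /domainprep records its progress in the revision attribute of this marker object.
    param([string]$DomainDn)   # placeholder, e.g. "DC=example,DC=com"
    $marker = [ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$DomainDn"
    $rev = [int]$marker.psbase.Properties["revision"].Value
    New-Object PSObject -Property @{
        Domain         = $DomainDn
        Revision       = $rev
        DomainPrepDone = ($rev -ge $ExpectedDomainRevision)
    }
}

Get-SchemaVersionPerDc | Format-Table DomainController, SchemaVersion, ForestPrepDone -AutoSize
Get-DomainPrepRevision -DomainDn "DC=example,DC=com" | Format-Table Domain, Revision, DomainPrepDone -AutoSize
```

Only promote the first Server 2008 DC once every row of the first table reads True; a DC that cannot be bound to (the binding throws) is worth investigating before continuing, since it is also not receiving the schema changes.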


Active Directory 2008 Notes 1

- X.500 and LDAP rather than flat file.
- Blocks: domains, trees, forests, OUs.  Physical location is represented by including all objects in a given (physical) location in its own site.

- Domain: A logical grouping of computers.  They share a common directory database.  A series of domains can be organized, through trust relationships, into forests and trees.

- Tree: A group of domains that share a namespace.  For example, learnwithharv.com would represent the parent, blog.learnwithharv.com would be a child domain.  On the same level could sit thing.learnwithharv.com.  A child to these domains might be some.thing.learnwithharv.com or my.blog.learnwithharv.com.
Trust relationships in a tree are two-way, transitive relationships, meaning resources are accessible both ways.
(A forest can contain multiple trees, and trees can contain multiple levels of child domains.)

- Forest: A forest would be a group of domain trees that do not share a namespace.  For example, microsoft.com and apple.com.  You may find foobar.microsoft.com and foobar.apple.com as children of their respective domains; however, while foobar.apple.com shares a transitive two-way relationship with apple.com, it in no way shares any information with microsoft.com or foobar.microsoft.com, and vice versa. The first domain created in a new Active Directory structure is the forest root domain.

- Organizational Unit (OU): I think of OUs as being like folders.  They can contain objects of various types (users, computers, distribution groups, etc.).  They are the smallest type of unit that can be used for organization.  Policies and security can be applied to an OU.  For example, one might create an OU which contains company departments.  The OU name might be Departments.  The objects inside might be groups such as Accounting, Administration, and IT.  Policies and security options or permissions can be set on each of these groups individually, and/or on the entire OU itself.

- Sites: A site is a grouping of resources within a forest by physical location or subnet.  Sites allow for control of replication as well as policy application control.  By that I mean: by grouping things physically within a site, the LAN link can be taken advantage of.  If one has multiple physical locations and multiple DCs (patience, we’re getting to a DC) at each location, grouping users/computers/etc. by site allows the DCs to know which computers should be under their direct control and which they should allow the other DCs to control.  To elaborate further: pushing out a group policy to 200 machines not physically located in the same office as the DC may not be a good idea.  Grouping by site lets DCs know where they physically sit and therefore whom they should spend their time serving.

- Domain Controller (DC): This is any server that hosts Active Directory.  All directory objects that are within the domain, plus the schema and any configuration information for the forest where the domain is located, are stored here.  If there are multiple DCs within a domain, data is shared and kept in sync via replication.

- Global Catalog: Sort of like an index, the global catalog server’s role is to allow domain controllers in other domains to access information or resources from another domain in the same forest, i.e., files, folders, printers, etc.  Universal group membership is also done here, so that someone can be a member of two domains.

- Operations masters:  Specialized roles.  Only one DC can fulfill any given one of these roles:
- Schema Master: The only writable copy of the AD Schema.  All objects in a forest are held in the schema.
One DC in the forest does this.

- Domain naming master: Ensures that any new domains adhere to the naming conventions for new trees or child domains in existing trees.
One DC in the forest does this.

- PDC emulator: Serves as a primary domain controller for NT 4 client computers authenticating to the domain.
One DC in each domain does this.

- Infrastructure master: updates other domains as to changes in its own domain.  This is a middle-man; it receives and processes changes in the forest received from GC servers and replicates the changes to other DCs in its domain.
One DC in each domain does this.

- RID master: Assigns SIDs (security IDs) to objects in its domain.  Each SID is comprised of a non-unique domain identifier to identify which domain the object belongs to, as well as an RID (relative ID) that is unique to each object.  This particular server (RID Master) ensures no two objects have the same RID.  It also serves out pools of RIDs to every DC in its domain.
One DC in each domain does this.

- RODC: Read-Only Domain Controller:  A DC that is read only.  Useful for a branch office where personnel don’t necessarily need to make updates.  A good security practice is to use these if possible.  They are perfect to put in place if you simply need authentication and a new on-site DC for purposes of pushing out GPOs etc. over a LAN link.
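The SID structure described under the RID master (domain identifier plus RID) is easy to see in code. As an added example (not from the original notes), this snippet splits SIDs with the .NET SecurityIdentifier type, shows that two objects from one domain share the domain identifier and differ only in RID, and flags well-known RIDs; it goes one step beyond the note by also handling a BUILTIN SID, which has no domain identifier. The sample SIDs are constructed; the well-known RID values (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 519 Enterprise Admins) are fixed by Windows.

```powershell
# Added example, not from the original notes. Sample SIDs below are constructed.
# Well-known RIDs are fixed by Windows, so the built-in Administrator is RID 500 no matter
# what the account has been renamed to; that makes the RID, not the name, the thing to check.
$WellKnownRids = @{ 500 = "Administrator"; 501 = "Guest"; 502 = "krbtgt"; 512 = "Domain Admins"; 519 = "Enterprise Admins" }

function Split-Sid {
    param([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $rid = [int]$sid.Value.Split('-')[-1]        # last sub-authority is the RID handed out from a RID pool
    $isBuiltinAdmin = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)
    New-Object PSObject -Property @{
        Sid            = $sid.Value
        DomainSid      = [string]$sid.AccountDomainSid   # S-1-5-21-... prefix; empty for non-domain SIDs such as BUILTIN
        Rid            = $rid
        WellKnown      = $WellKnownRids[$rid]             # $null for ordinary objects (RID 1000 and up)
        IsBuiltinAdmin = $isBuiltinAdmin
    }
}

function Test-SameDomain {
    # True when both SIDs carry the same (non-empty) domain identifier.
    param([string]$SidA, [string]$SidB)
    $a = Split-Sid $SidA
    $b = Split-Sid $SidB
    return (($a.DomainSid -ne "") -and ($a.DomainSid -eq $b.DomainSid))
}

# Constructed samples: the domain's Administrator, an ordinary user, and BUILTIN\Administrators.
$samples = "S-1-5-21-1004336348-1177238915-682003330-500",
           "S-1-5-21-1004336348-1177238915-682003330-1105",
           "S-1-5-32-544"
$samples | ForEach-Object { Split-Sid $_ } | Format-Table Sid, DomainSid, Rid, WellKnown, IsBuiltinAdmin -AutoSize
Test-SameDomain $samples[0] $samples[1]   # same domain identifier, different RIDs
Test-SameDomain $samples[0] $samples[2]   # BUILTIN SID has no domain identifier
```

In a review of group memberships or audit logs, comparing RIDs against the well-known table catches renamed privileged accounts that a name-based filter would miss.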


Server update

The blog’s server has been updated.  I’ve immediately noticed an upgrade in speed.  Yay!


I will start putting in blog posts with my notes from my current study topic: Windows Server 2008 Active Directory configuration.  Stay tuned.


0x0000007b – the dreaded blue screen of death.

While installing Windows XP on a computer the other day, I ran into a rather strange problem.
I got a blue screen of death and my STOP code was 0x0000007b.  The solution?  I turned AHCI off in my BIOS, and reverted it back into IDE mode.


RPC over HTTP(S) Test Utility

Setting up RPC over HTTP can be a real pain. Especially because there doesn’t seem to be a good way of getting an error message, either on the client end or the server end. This site just saved my bacon!
http://www.testexchangeconnectivity.com/

I will be making a follow-up screencast to go through configuring an exchange server for RPC over HTTPS, stay tuned.
