A list of puns related to "Domain Controller"
Looks like KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes.
Edit: seems to affect at least 2012 R2, too.
Edit2: if you can't uninstall the update, disconnect the network, that should stop the reboots.
Edit3: Out-of-band updates that supposedly fix these problems are now available.
This came through on the MS 365 admin console.
MessageCenter messages MC315398
Microsoft is releasing Out-of-band (OOB) updates today, January 18, 2022, for some versions of Windows. This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount. All updates are available on the Microsoft Update Catalog, and some are also available on Windows Update as an optional update. Check the release notes for your version of Windows for more information.
Updates for the following Windows versions are available on Windows Update as an optional update. For instructions, see the KB for your OS listed below:
Hello Sysadmins,
Just applied today's patches on two DCs running 2012 R2.
DC02 took the update no issues, started handing out tickets right after reboot.
DC01 (FSMO) would boot for about 3 min and then reboot itself. I reverted to a snapshot I took right before applying the update and the DC came back.
During the boot loop cycle, all authentication failed in the domain. Exchange/Outlook, file servers, could not even get into DC02. DC02 said it was failing to reach the domain (NETLOGON failures). After the revert to snapshot, auth and replication functioning.
Edit: removed questions not germane to the report
I've been exploring moving our domain controllers to Azure. Ping times are about 10-15msec to our current cloud provider (that's about the only good thing about them) while they're around 50-70msec up in Azure. Is that a giant problem? It's like 5x+ higher than our current provider but we desperately need to get away from them.
I'm a dumbass. I started in on patches without looking at reddit first. Never again.
I've patched nine servers now, and best I can tell, only the DC's were affected (fingers crossed).
My two 2012R2 DC's (both VMWare guests) seem to be back to working after my uninstalling KB009624 between reboots. no jinx.
Another AD I administer has a physical 2016 DC that got updated but not yet rebooted. I don't see that KB on him, but other threads have indicated that KB5009546 needs to go.
The one other physical 2016 I have seems just fine. All of the other servers are 2016 VM's and are awaiting reboots.
Are DC's the only ones that should require uninstalling? THANKS!
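Added example (not from any of the posts above): a small script that reports which of the January 2022 updates named in this thread are present on a DC and removes them without an intermediate reboot. The KB list is taken from the posts (KB5009557 for 2019, KB5009555 for 2022, KB5009546 for 2016) and must be adjusted to the OS in hand; run it elevated on the affected DC after pulling the network cable or disabling the adapter, as the first post suggests, so the boot loop gives you a window.

```powershell
# Added example, not code from the thread. Checks for the updates named in the
# thread and uninstalls them with /norestart so the DC reboots once, at the end.
# Assumptions: elevated session on the affected DC; the KB list below is the one
# quoted in the posts and should be trimmed to the OS actually installed.

$SuspectKBs = 'KB5009557', 'KB5009555', 'KB5009546'

function Get-InstalledSuspectUpdate {
    param([string[]]$KBs = $SuspectKBs)
    Get-HotFix | Where-Object { $_.HotFixID -in $KBs } |
        Select-Object HotFixID, InstalledOn, Description
}

function Uninstall-SuspectUpdate {
    param([string[]]$KBs = $SuspectKBs)
    foreach ($fix in (Get-InstalledSuspectUpdate -KBs $KBs)) {
        $num = $fix.HotFixID -replace '^KB', ''
        Write-Host "Removing $($fix.HotFixID) (installed $($fix.InstalledOn)) ..."
        # /quiet /norestart: do not let wusa reboot between removals
        Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait
    }
}

# Stop the reboot loop first: take the DC off the network so Netlogon/LSASS stop
# hitting whatever the update broke, then remove the update and reboot once.
# Disable-NetAdapter -Name 'Ethernet0' -Confirm:$false      # adapter name is a placeholder
Get-InstalledSuspectUpdate | Format-Table -AutoSize
Uninstall-SuspectUpdate
# Restart-Computer
```

If wusa.exe reports that the update cannot be removed, the package is a combined SSU+LCU; list it with `dism /online /get-packages` and remove it with `dism /online /remove-package /packagename:<name>` instead. Only the DCs needed this per the posts above; member servers that took the same update were not reported as affected.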
Hey guys, I have been studying Active Directory and Domain Controller came across and I am still confused on the difference between AD and DC and how they work together. Thank you
What's the latest guidance on this? I know at one point years ago it was not recommended but I don't see anything current about it. I can't imagine it is still a problem as the stun is brief.
Are there any NIC concerns?
Typically I deal with companies that need a few DCs as they're not large companies, so I pretty much get them set with 2 to 3. But I'm dealing with a larger company now and keep wondering if there are utilization issues with infrastructure. They have many sites, all with a persistent VPN back to their data center, and some of the larger sites have their own controller or two. But what's the harm in just spinning up like 10 new domain controllers and adding them into the infrastructure? Some of the other controllers are running older OS versions (not too old, but not 2016/2019), so I'd like to get everything on a consistent OS also.
Not sure if this is the place to post (I'll delete it if it isn't), but anyone got ideas on what to name my domain controller?
Humerus answers only!
What are you guys running in the lab these days?
Oh and did I mention that as of 5PM I'm on PTO for 6.5 days to go to my brother's wedding?
How's everyone else's day going?
CVE-2021-42278 was fixed in last patch:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
Microsoft's assessment above:
Working Domain Admin exploit now being shared around:
https://github.com/cube0x0/noPac
https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-easy-windows-domain-takeover-via-active-directory-bugs/amp/
Not sure if anyone's posted this in here already, so apologies if this is redundant. This can be tracked via event ID 4662 on the domain controllers (which tracks SAMAccountName changes). Could potentially be very bad for orgs with fully on-prem AD setups.
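Added example (not from the post above, not from the noPac repo): detection logic for the sAMAccountName rename the exploit relies on. It looks at Security event 4781 ("the name of an account was changed"), where a computer account that loses its trailing `$` or takes on a DC's name is the tell, and at event 4662 writes to the sAMAccountName attribute, identified by that attribute's schema GUID in the Properties field. The DC names and the sample events are constructed for the example; on a real DC the events come from `Get-WinEvent` and require the Account Management and Directory Service Access audit subcategories to be enabled.

```powershell
# Added example, not code from the thread. Flags sAMAccountName changes that match the
# noPac pattern. Sample events below are constructed, not real log data; DC names are
# a fixed placeholder list so the script runs offline.

$SamAccountNameGuid = '3e0abfd0-126a-11d0-a060-00aa006c33ed'   # schema GUID of the sAMAccountName attribute

function Get-DcShortName {
    # Real run: (Get-ADDomainController -Filter *).Name
    @('DC01', 'DC02')
}

function ConvertFrom-SecurityEvent {
    # Flattens a Security-log EventRecord into one object with a property per EventData field
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $o = [ordered]@{ Id = $Record.Id; Time = $Record.TimeCreated }
        foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Test-SuspiciousSamRename {
    param([Parameter(ValueFromPipeline)]$Rec, [string[]]$DcNames = (Get-DcShortName))
    process {
        $reason = $null; $old = $null; $new = $null
        switch ($Rec.Id) {
            4781 {
                $old = $Rec.OldTargetUserName; $new = $Rec.NewTargetUserName
                if ($DcNames -contains $new.TrimEnd('$')) { $reason = 'renamed to a DC name' }
                elseif ($old.EndsWith('$') -and -not $new.EndsWith('$')) { $reason = 'computer account lost trailing $' }
            }
            4662 {
                # AccessMask 0x20 = WRITE_PROP; Properties lists the GUIDs of the attributes written
                if ($Rec.AccessMask -eq '0x20' -and $Rec.Properties -match $SamAccountNameGuid) {
                    $reason = 'write to sAMAccountName'; $new = $Rec.ObjectName
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{ Id = $Rec.Id; Subject = $Rec.SubjectUserName; Old = $old; New = $new; Reason = $reason }
        }
    }
}

# Constructed sample: attacker renames WKS0042$ to DC01, requests a TGT, renames it back;
# plus an unrelated user rename and the matching 4662 attribute write.
$sample = @(
    [pscustomobject]@{ Id = 4781; SubjectUserName = 'jsmith';   OldTargetUserName = 'WKS0042$'; NewTargetUserName = 'DC01' },
    [pscustomobject]@{ Id = 4781; SubjectUserName = 'jsmith';   OldTargetUserName = 'DC01';     NewTargetUserName = 'WKS0042$' },
    [pscustomobject]@{ Id = 4781; SubjectUserName = 'hr.admin'; OldTargetUserName = 'jdoe';     NewTargetUserName = 'jdoe2' },
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'jsmith';   ObjectName = 'CN=WKS0042,CN=Computers,DC=corp,DC=local'; AccessMask = '0x20'; Properties = "Write Property`r`n`t{$SamAccountNameGuid}" }
)
$sample | Test-SuspiciousSamRename | Format-Table -AutoSize

# Real run on a DC:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4781, 4662 } |
#     ConvertFrom-SecurityEvent | Test-SuspiciousSamRename
```

By construction the rename to `DC01` and the 4662 write are reported, the rename back and the ordinary user rename are not; in practice the rename back is worth alerting on too, since a legitimate computer account is never renamed twice inside a few seconds. The sAMAccountName GUID is a fixed schema constant, but confirm it in your forest with `Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter "lDAPDisplayName -eq 'sAMAccountName'" -Properties schemaIDGUID` before relying on the 4662 match.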
I'm just tightening up AD, and trying to make sure that we're scanning the Domain Controllers but also, not exposing ourselves too much.
Evening guys. As the title suggests. Is there a way to tell if a connected server is a Domain Controller.
I'm working on making a script that will connect to a server, and I want to add logic to have it detect if that server is a domain controller and if it's not throw an error.
All the normal logic and framework I can do just fine, just curious if there's any cmdlets or classes I can leverage to do a check other than doing a check for if the host name contains "DC".
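Added example (not the poster's script): the role check comes from `Win32_ComputerSystem.DomainRole`, where 4 is a backup DC and 5 the primary DC, rather than from the hostname, with an optional cross-check that the directory itself lists the machine as a DC. It assumes CIM/WinRM access to the target and, for the cross-check, the ActiveDirectory module on the machine running the script; `server01` is a placeholder.

```powershell
# Added example, not from the post. Returns an object describing whether the target
# is a domain controller; the caller decides what to do with a non-DC.
# Assumptions: CIM over WinRM to the target; ActiveDirectory module optional.

function Test-IsDomainController {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )
    $cimArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $cimArgs.Credential = $Credential }
    $session = New-CimSession @cimArgs -ErrorAction Stop
    try {
        $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
        # DomainRole: 0/1 workstation, 2/3 server, 4 backup DC, 5 primary DC
        $roleIsDc = $cs.DomainRole -in 4, 5
        # Second opinion from AD: a DC has an nTDSDSA object, which Get-ADDomainController reads
        $listedInAd = $false
        if (Get-Module -ListAvailable -Name ActiveDirectory) {
            $listedInAd = [bool](Get-ADDomainController -Filter "Name -eq '$($cs.Name)'" -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{
            ComputerName = $cs.Name
            Domain       = $cs.Domain
            DomainRole   = $cs.DomainRole
            IsDC         = $roleIsDc
            ListedInAD   = $listedInAd
        }
    }
    finally { Remove-CimSession $session }
}

# Usage from the post: abort unless the target is a DC
$target = Test-IsDomainController -ComputerName 'server01'   # placeholder name
if (-not $target.IsDC) {
    throw "$($target.ComputerName) is not a domain controller (DomainRole=$($target.DomainRole))"
}
```

Using both checks matters for the security case: a member server whose name happens to contain "DC" passes a hostname test, and a rogue box could report whatever it likes over WMI, but it cannot also appear in the Sites container without a domain admin having promoted it.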
According to https://book.hacktricks.xyz/windows/active-directory-methodology, the strategy is to scan the network, find machines and open ports (look for kerberos & LDAP) and try to exploit vulnerabilities.
However, we can't simply go ahead and scan client network right?
My goal is only limited to nonprod and right now I don't even know their IP range yet.
The only information I have is there are two domains, prod (DMNPROD) & nonprod (DMNNONPROD).
I've access to both, but only nonprod is allowed to be tested.
Domain
DMNPROD
DMNNONPROD
Test with nltest
C:\Users\user1>whoami
DMNNONPROD\user1
C:\Users\user1>nltest /dclist:DMNNONPROD
Get list of DCs in domain 'DMNNONPROD' from '\\server1'.
Cannot DsBind to DMNNONPROD (\\server1).Status = 1722 0x6ba
RPC_S_SERVER_UNAVAILABLE
List of DCs in Domain DMNNONPROD
\\server2 (PDC)
The command completed successfully
C:\>
There are 2 servers in the nltest output, but I can't ping either of them.
C:\Users\user1>ping server1
Ping request could not find host server1. Please check the name and try again
C:\Users\user1>ping server2
Ping request could not find host server2. Please check the name and try again
How do I get the Domain Controller (DC) IP Address in this case?
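Added example (not from the post): three ways to get DC addresses from a joined nonprod host without scanning anything, which is the answer to the scope question as well. The short names in the post fail to ping because the client has no DNS suffix for them, not necessarily because the DCs are down; the DNS SRV records and the locator both return FQDNs and addresses. The DNS domain name is read from the machine itself because the NetBIOS name `DMNNONPROD` alone is not resolvable; nothing else is assumed.

```powershell
# Added example, not from the post. Finds DC addresses for the domain this host is
# joined to: via the _ldap._tcp.dc._msdcs SRV records and via the DC locator (the
# same RPC nltest /dsgetdc uses). Run as the domain user on a domain-joined host.

function Get-DcAddress {
    param([string]$DnsDomain = (Get-CimInstance Win32_ComputerSystem).Domain)
    $results = @()

    # 1. DNS: every DC registers an SRV record here; the reply's additional section carries A records
    $answer = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV -ErrorAction SilentlyContinue
    foreach ($r in $answer) {
        if ($r.Type -eq 'SRV') { $results += [pscustomobject]@{ Source = 'DNS SRV'; Name = $r.NameTarget; Port = $r.Port; IP = $null } }
        if ($r.Type -eq 'A')   { $results += [pscustomobject]@{ Source = 'DNS A';   Name = $r.Name;       Port = $null;  IP = $r.IPAddress } }
    }

    # 2. Locator: DomainController objects expose the address directly
    try {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DnsDomain)
        $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
        foreach ($dc in $dom.DomainControllers) {
            $results += [pscustomobject]@{ Source = 'Locator'; Name = $dc.Name; Port = 389; IP = $dc.IPAddress }
        }
    }
    catch { Write-Warning "Locator lookup failed: $($_.Exception.Message)" }

    $results
}

Get-DcAddress | Format-Table -AutoSize

# 3. The DC that authenticated this very session, and the DNS servers the host is using
$env:LOGONSERVER
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses
```

`nltest /dsgetdc:DMNNONPROD /force` prints the same locator result with an `Address:` line. If all three come back empty, the host is not pointed at the nonprod DNS servers, and the RPC 1722 against `server1` in the nltest output above most likely means that DC is reachable by name service but blocked on 135/dynamic RPC, which is worth noting in the report rather than working around with a scan of an address range you have not been given.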
I'm a bit stuck, hopefully someone can send me in the right direction. I'm setting up 2 ESXi hosts and have vCenter installed. I've got a network (Network A) in which my Windows domain controller resides. I'm running DNS on the domain controllers in this network.
I want to set up a management network (Network B) from which I can connect to the ESXi web interfaces and vCenter. The issue I'm having is that I can't resolve DNS on Network B, thus largely rendering my vCenter useless. I set up vCenter on Network A initially, should I reinstall it on Network B and would that work if I can't connect to my DNS server?
I feel like this might be pretty basic, but I'm not sure what's the best way to move forward. Hopefully someone can help me out.
Hi!
We used to have domain controllers at a hosted site, and after the contract ended the previous guy didn't perform the removal of those 3 domain controllers that were at the hosted site, and now we can see that they still show up in our AD environment. We don't have any communication to them, so they are kind of dead.
What is best way to remove them?
Thanks
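Added example (not from the post): listing the DCs the directory still knows about, checking that a dead one holds no FSMO role, and then removing its metadata with `ntdsutil`. The server and site names are placeholders; run it as a domain admin from a live DC.

```powershell
# Added example, not from the post. Stale-DC inventory plus metadata cleanup.
# Assumptions: ActiveDirectory module, Domain Admins, and the dead DCs really are
# gone for good (metadata cleanup is not reversible; a DC that comes back must be rebuilt).

Import-Module ActiveDirectory

function Get-DcInventory {
    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.HostName
            Site      = $_.Site
            Roles     = ($_.OperationMasterRoles -join ',')
            Reachable = Test-Connection -ComputerName $_.HostName -Count 1 -Quiet
        }
    }
}

function Remove-DeadDcMetadata {
    param(
        [Parameter(Mandatory)][string]$ServerName,   # short name, e.g. HOSTEDDC1
        [Parameter(Mandatory)][string]$SiteName
    )
    $roles = (Get-ADDomainController -Filter "Name -eq '$ServerName'").OperationMasterRoles
    if ($roles) {
        throw "$ServerName still holds $($roles -join ','); seize them first: Move-ADDirectoryServerOperationMasterRole -Identity <liveDC> -OperationMasterRole $($roles -join ',') -Force"
    }
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$cfg"
    # Removes the server object, its NTDS Settings, and (2008+) the computer account and FRS/DFSR membership
    & ntdsutil.exe 'metadata cleanup' "remove selected server $dn" quit quit
}

Get-DcInventory | Format-Table -AutoSize
# Remove-DeadDcMetadata -ServerName 'HOSTEDDC1' -SiteName 'HostedSite'   # placeholders

# Afterwards: remove leftover DNS records for the old DCs (A records plus the SRV
# entries under _msdcs, _sites, _tcp, _udp) and verify
# repadmin /replsummary
# dcdiag /q
```

On 2008 and later the same cleanup happens if you delete the dead DC's computer object from the Domain Controllers OU in Active Directory Users and Computers and confirm the "this DC is permanently offline" prompt; the script form is just easier to audit. Do not forget the site link and subnet objects if the hosted site is gone entirely.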
One is running Windows Server 2008 R2, the other running Windows Server 2016. I figured out that someone fat fingered the DNS on the 2008 server (which is the primary, we are migrating to the 2016 server) and had its IP in the DHCP/DNS as .19 instead of .10. I caught this, and upon correcting it, we can't log in! I create a new user on .1 (2008) and it doesn't show on .10 (2016). In fact, I can see now that several users haven't been syncing.
Is there ANY way to fix this remotely, and even if I have to be on site, what would I need to do to resolve this? They are both on the same HyperV server.
I'm a linux guy who was thrust into this responsibility because I happened to reset passwords on a 2003 server. Fucking hell. I gotta get this online. ANYTHING would be great. I have VPN and RDP, as well as VNC, so I can get to them. I would expect that I can do anything remotely, since it is a VM/HyperV.
Please, please, I have been working 12 hours a day for 3 days on this migration, please have mercy for the widow's son. (The issue was found during a server migration, and I started seeing AD issues.)
Hi,
Due to some restructure in network infrastructure, have to change local IP address of our DC Servers.
Are there any problems that anyone has experienced when changing the IP address of a DC that holds all the FSMO roles and is its own DNS server?
We have 2 Domain Controllers on the running Windows Server 2016 OS.
We don't have Exchange Server / DHCP Server.
My workflow : Correct ?
- first domain controller :
old ip address : 10.10.20.11 /24 DNS : 10.10.20.11 and 10.10.20.12
-> 10.20.20.3 /24 DNS : 10.20.20.3 and 10.10.20.12
then :
- second domain controller :
old ip address : 10.10.20.12 /24 DNS : 10.10.20.12 and 10.10.20.11
-> 10.20.20.4 /24 DNS : 10.20.20.4 and 10.20.20.3
run NSLookup from an MS-DOS prompt and see if all is resolved OK or not.
thanks,
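Added example (not the poster's steps): the re-addressing of the first DC as a script, with the preflight and the re-registration steps that the workflow above leaves implicit. Addresses are the ones in the post; the adapter name and the gateway `10.20.20.1` are placeholders. Run it from a console session on the DC (the RDP session drops when the address changes).

```powershell
# Added example, not from the post. Re-addresses DC1 per the workflow above, then
# forces the host and DC locator records to refresh and verifies replication.
# Placeholders: adapter alias and default gateway.

$Adapter    = 'Ethernet0'
$NewIP      = '10.20.20.3'; $Prefix = 24; $Gateway = '10.20.20.1'
$DnsServers = @('10.20.20.3', '10.10.20.12')   # self on the new address, peer still on its old one

# 0. Preflight: do not start with replication already broken
repadmin /replsummary
dcdiag /test:dns /q

# 1. Re-address (New-NetIPAddress refuses a -DefaultGateway while the old default route exists)
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $NewIP -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServers

# 2. Re-register: the host A record via the DNS client, the _msdcs SRV records via Netlogon
ipconfig /registerdns
Restart-Service Netlogon
nltest /dsregdns

# 3. Verify from this DC; repeat the verification from the peer before touching it
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$((Get-ADDomain).DNSRoot)" -Type SRV
Get-DnsServerResourceRecord -ZoneName (Get-ADDomain).DNSRoot -Name $env:COMPUTERNAME -RRType A
repadmin /showrepl
dcdiag /q
```

Two things to add to the workflow as written: after the second DC moves, go back and set the first DC's secondary DNS to `10.20.20.4`, and delete the stale A records for `10.10.20.11`/`10.10.20.12` rather than waiting for scavenging. Also check `Get-DnsServerSetting -All` on each DC; if the DNS service was configured to listen on specific addresses rather than all interfaces, it is still listening on the old one. Microsoft's usual recommendation is the partner DC first and self second (or 127.0.0.1) in the client DNS list, so a DC does not wait on its own service during boot.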
I'm helping set up a new branch office (some health mumbo jumbo pharmacy), it will have 10 employees and 2 managers, each with their own PC
I'm wondering if I even need to bother with AD/AADDS, or if I can just stick to Azure AD, the only things the employees will need is access to O365 apps, so I wanted to try to get away with just Azure AD and probably Intune
Hey there! First off, I'm a new system administrator so forgive me if my question has an easy answer.
We are currently working on upgrading our company's server from Windows Server 2012 R2 to Windows Server 2019. Our plan is to install Windows Server 2019 on the new server, connect it to the domain, and eventually promote the new server to the primary domain controller. As we only have one server, it is also acting as a file server and so I'm wondering the best way to transfer or mirror the file share data to the new server in addition to promoting it to the primary domain controller.
I've been doing a bit of reading on the Storage Migration Service offered by Microsoft and was wondering if this is the best route to take to accomplish this upgrade. There is this bit of information posted on the Storage Migration Service FAQ:
The Storage Migration Service doesn't currently migrate domain controllers in Windows Server 2019. As a workaround, as long as you have more than one domain controller in the Active Directory domain, demote the domain controller before migrating it, then promote the destination after cut over completes. If you do choose to migrate a domain controller source or destination, you won't be able to cut over. You must never migrate users and groups when migrating from or to a domain controller.
I am hoping someone has a bit of advice here as I want to be as prepared as possible before jumping into my first server upgrade. Any help is appreciated and thank you for taking the time to read this!
Edit: Thanks everyone for your responses and have a great weekend! :)
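Added example (not the poster's plan): because the 2012 R2 box is the only DC, the Storage Migration Service workaround quoted above (demote first) is not available, so the practical sequence is promote the 2019 server as a second DC, move the five operations master roles, seed the file data with robocopy, and only then demote the old server. Server names and paths are placeholders.

```powershell
# Added example, not from the post. FSMO transfer plus file-share seeding for a
# single-DC upgrade. Placeholders: SRV2012, SRV2019, corp.local, D:\Shares.

$OldDc = 'SRV2012'; $NewDc = 'SRV2019'

# 1. On the 2019 server (already a domain member): add the role and promote
# Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Install-ADDSDomainController -DomainName 'corp.local' -InstallDns -Credential (Get-Credential)

# 2. Transfer (not seize) all five roles while the old DC is still online
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
netdom query fsmo

# 3. Replication healthy and clients locate the new DC before anything is demoted
repadmin /replsummary
nltest /dsgetdc:corp.local

# 4. File data: mirror with NTFS ACLs while users keep working; rerun at cutover for the delta
robocopy "\\$OldDc\D$\Shares" "\\$NewDc\D$\Shares" /MIR /COPYALL /DCOPY:DAT /R:1 /W:1 /MT:16 /LOG:C:\robocopy-shares.log

# Share definitions and share-level permissions, to recreate on the new server
Get-SmbShare -CimSession $OldDc | Where-Object { -not $_.Special } |
    ForEach-Object { [pscustomobject]@{ Name = $_.Name; Path = $_.Path; Access = (Get-SmbShareAccess -CimSession $OldDc -Name $_.Name) } } |
    Export-Clixml C:\shares.xml

# 5. Last, on the 2012 R2 server, once steps 2-4 are verified:
# Uninstall-ADDSDomainController -Credential (Get-Credential)
```

The `/MIR` switch deletes files on the destination that are gone from the source, which is what you want for the final delta run but means the destination path must be dedicated to this copy. Keep the old server's DNS address off the clients until the new DC is serving DNS, or the logon problems described elsewhere in this thread will follow the demotion.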
Hi!
I have a physical server running just a DHCP server. I am planning to create the role on the Domain Controller server and move the DHCP file over there.
Is there any bad practice involved in having the DHCP server running on the domain controller server?
Thanks
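Added example (not from the post): the one configuration point that does matter when DHCP runs on a DC. By default the DHCP service registers client DNS records under the DC's own machine account, so those records are owned by the DC; a dedicated low-privilege account for dynamic updates, plus name protection, keeps a client from overwriting another client's record and keeps the DC out of the `DnsUpdateProxy` group. The server and account names are placeholders.

```powershell
# Added example, not from the post. Gives the DHCP server on a DC its own DNS
# registration identity instead of the DC's machine account. Placeholders:
# dc01.corp.local and svc-dhcp-dns. Run as Domain Admin with the DhcpServer module.

$DhcpServer = 'dc01.corp.local'
$SvcName    = 'svc-dhcp-dns'

# 1. Dedicated account: ordinary domain user, no group memberships beyond Domain Users
$pw = Read-Host -AsSecureString "Password for $SvcName"
New-ADUser -Name $SvcName -SamAccountName $SvcName -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -Description 'DHCP dynamic DNS registration'

# 2. DHCP uses it for every DNS update; the credential lives in the DHCP config, not on the DC account
$cred = New-Object pscredential("$((Get-ADDomain).NetBIOSName)\$SvcName", $pw)
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
Get-DhcpServerDnsCredential -ComputerName $DhcpServer

# 3. DHCP owns client records, cleans them up on lease expiry, and refuses to overwrite another host's name
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Always `
    -DeleteDnsRRonLeaseExpiry $true -NameProtection $true
Restart-Service DHCPServer

# Check: a DC must not be in DnsUpdateProxy (records created by its members are left unsecured)
Get-ADGroupMember -Identity DnsUpdateProxy
```

Beyond DNS ownership, the trade-off is administrative: anyone delegated the DHCP Administrators role is now managing a service on a tier-0 host, so keep that group empty or limited to the same people who already administer the DC.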