
Event ID

grep EventID *.txt | awk -F"。" '{ print $2 }' | sort -n | uniq -c

 $ grep EventID *.txt | awk -F"。" '{ print $2 }' | sort -n | uniq -c
      1 EventID: 0x000003F6
     11 EventID: 0x0000165B
     12 EventID: 0x000016AD
     18 EventID: 0x00002734
     18 EventID: 0x00009017
      8 EventID: 0x80000023
    111 EventID: 0x80000025
      1 EventID: 0x80000434
      1 EventID: 0x800034C4

Warning: There is less than 14% available RIDs in the current pool

I have seen this warning in my environment. This basically states that the RID pool is about to be exhausted on that specific domain controller. When the RID pool is completely exhausted, the Domain Controller in question will contact the RID master to get a new pool allocated to it. All of this runs in the background and you may not even notice it.

We have a Monitoring / Dashboard tool that picks up this warning and displays it. I have seen warnings at 0% RIDs available in the RID pool. All I did to fix it was connect to that DC using ADUC and create a dummy computer object. This way I force the DC to contact the RID Master and get a new pool.

By default the RID pool will have 500 IDs. As and when it exhausts, the DC would get a new pool allocated automatically.

If you feel that the RID pool is depleting very rapidly, the link GSS1 posted is a very good starting point.

Solution

This states that the RID pool is about to be exhausted on that specific domain controller. When the RID pool is completely exhausted, the Domain Controller in question will contact the RID master to get a new pool allocated to it. For now, it is suggested to check whether the RID Master has any issues.

You can check the FSMO role holders by running the command:

Netdom query fsmo

You may run the following commands on each DC to confirm the status of all your DCs (the dcdiag and repadmin outputs are redirected to text files for review):

ipconfig /all
dcdiag /v > c:\dcdiag.txt
Repadmin /showrepl > C:\repl.txt
Repadmin /showreps *

Check if there are any event log errors on all the DCs

0x000016AD

Event IDs 0x0000165B and 0x000016AD appeared for computer account(s) that had been disabled for some time before being re-enabled. The machine account password had probably become invalid in the meantime.

Resolution

Disable the Windows XP Firewall. Remove and re-join the computer to the domain. Consider deleting the computer object in Active Directory users and computers in-between to delete any sub-components of the computer object.

0x00009017

0xC0000071

info

4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:00:12 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: kkzhang1 源工作站: DLA0191 错误代码: 0xc0000071

CASE

User logon with expired password

EventID: 0x0000165

从计算机 'WIN10-249' 设置会话失败,因为安全数据库 没有包含指定计算机引用的信任帐户 'WIN10-249$'。

CASE

A single Domain with more than two Domain Controllers

  1. Choose a healthy DC / DNS server
  2. Make the other Domain Controllers point to the private IP address of the chosen Domain Controller as their primary DNS server
  3. For each DC/DNS server except the chosen one, make it point to its own private IP address as secondary DNS server
  4. For each DC/DNS server except the chosen one, make it point to 127.0.0.1 as third DNS server
  5. You can make the chosen Domain Controller point to its own private IP address as primary DNS server and 127.0.0.1 as secondary one (After the AD replication issue is resolved, I recommend making it point to another Domain Controller as its primary DNS server)

Error codes in the Security log

# Exported logs are GBK-encoded; convert every Security export to UTF-8 into one file
for i in *Security*.txt; do piconv -f gbk -t utf8 "$i"; done | tee Security.info

grep -i '错误代码' Security.info | awk -F"错误代码:" '{ print $2 }' | sort -n | uniq -c

$ grep -i '错误代码' Security.info  | awk -F"错误代码:" '{ print $2 }' | sort -n | uniq -c
   3477  0xc0000064  
  98012  0xc000006a  
   8908  0xc0000071  
    362  0xc0000072  
   2521  0xc0000234  

票证选项: 0x40810010 失败代码: 0x18

4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 09 03:35:57 2021,No User,Kerberos 预身份验证失败。    
帐户信息:   安全 ID:  S-1-5-21-1708537768-1993962763-725345543-14887   
帐户名称:  bzeng    
服务信息:   服务名称:  krbtgt/suntakpcb.com    
网络信息:   客户端地址:  ::ffff:10.3.133.155   
客户端端口:  63863    
附加信息:   票证选项:  0x40810010   失败代码:  0x18   预身份验证类型: 
2    证书信息:   证书颁发者名称:     证书序列号:    证书指纹:      仅当证书用于预身份验证时才会提供证书信息。    
预身份验证类型、票证选项和失败代码在 RFC 4120 中定义。    
如果票证在传递过程中格式错误或者损坏因而无法解密,则可能无法提供此事件中的很多字段。  
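The two tallies above (the 4776 错误代码 counts and the 4771 失败代码 0x18 excerpt) leave the analyst to look up what each code means and which accounts are generating the failures. The script below is an added example, not part of the original page: it reads exported Security log lines in the same column layout as the ones quoted above, tallies the NTLM and Kerberos failure codes with their meaning, and lists accounts with repeated bad-password failures (a lockout or password-guessing indicator worth checking before blaming the DC). The account names, workstations, addresses and timestamps in SAMPLE_LOG are constructed, and the threshold passed to suspicious_accounts is an assumption to tune per environment.

```shell
#!/bin/sh
# Added example (not from the original page): annotate and count the failure
# codes in exported Security log lines, then flag accounts with repeated
# bad-password failures. The sample lines below are constructed.
SAMPLE_LOG=$(cat <<'EOF'
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:00:12 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: alice 源工作站: WS01 错误代码: 0xc000006a
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:00:15 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: alice 源工作站: WS01 错误代码: 0xc000006a
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:00:19 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: alice 源工作站: WS01 错误代码: 0xC000006A
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:01:02 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: bob 源工作站: WS02 错误代码: 0xc0000071
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:02:40 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: ghost 源工作站: WS03 错误代码: 0xc0000064
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:03:11 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: dave 源工作站: WS04 错误代码: 0xc0000234
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:04:00 2021,No User,Kerberos 预身份验证失败。 帐户信息: 安全 ID: S-1-5-21-1-2-3-1001 帐户名称: carol 服务信息: 服务名称: krbtgt/example.test 网络信息: 客户端地址: ::ffff:10.0.0.5 客户端端口: 50001 附加信息: 票证选项: 0x40810010 失败代码: 0x18 预身份验证类型: 2
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:04:03 2021,No User,Kerberos 预身份验证失败。 帐户信息: 安全 ID: S-1-5-21-1-2-3-1001 帐户名称: carol 服务信息: 服务名称: krbtgt/example.test 网络信息: 客户端地址: ::ffff:10.0.0.5 客户端端口: 50002 附加信息: 票证选项: 0x40810010 失败代码: 0x18 预身份验证类型: 2
EOF
)

# awk helper: text between label l and label r (empty r means "to end of line"),
# with surrounding whitespace removed.
AWK_LIB='
function between(s, l, r,   i, j) {
  i = index(s, l); if (i == 0) return ""
  s = substr(s, i + length(l))
  if (r != "") { j = index(s, r); if (j) s = substr(s, 1, j - 1) }
  gsub(/^[ \t]+/, "", s); gsub(/[ \t]+$/, "", s)
  return s
}'

# Meaning of the NTLM status codes (4776) and Kerberos failure codes (4771).
explain_code() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    0xc0000064) echo "user name does not exist" ;;
    0xc000006a) echo "wrong password" ;;
    0xc0000071) echo "password expired" ;;
    0xc0000072) echo "account disabled" ;;
    0xc0000234) echo "account locked out" ;;
    0x18)       echo "KDC_ERR_PREAUTH_FAILED (wrong password)" ;;
    0x12)       echo "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked)" ;;
    0x17)       echo "KDC_ERR_KEY_EXPIRED (password expired)" ;;
    *)          echo "unknown" ;;
  esac
}

# Read exported log lines on stdin; print "count code meaning", most frequent first.
tally_codes() {
  awk -F, "$AWK_LIB"'
    $1 == "4776" { c = between($0, "错误代码:", "") }
    $1 == "4771" { c = between($0, "失败代码:", "预身份验证类型") }
    c != "" { n[tolower(c)]++; c = "" }
    END { for (k in n) print n[k], k }' |
  sort -k1,1nr -k2,2 |
  while read -r count code; do
    printf '%s %s %s\n' "$count" "$code" "$(explain_code "$code")"
  done
}

# Accounts with at least $1 bad-password failures (NTLM 0xc000006a or Kerberos 0x18).
suspicious_accounts() {
  awk -F, -v min="$1" "$AWK_LIB"'
    $1 == "4776" && tolower(between($0, "错误代码:", "")) == "0xc000006a" {
      n[between($0, "登录帐户:", "源工作站:")]++ }
    $1 == "4771" && tolower(between($0, "失败代码:", "预身份验证类型")) == "0x18" {
      n[between($0, "帐户名称:", "服务信息:")]++ }
    END { for (a in n) if (n[a] >= min) print n[a], a }' |
  sort -k1,1nr -k2,2
}

printf '%s\n' "$SAMPLE_LOG" | tally_codes
printf '%s\n' "$SAMPLE_LOG" | suspicious_accounts 3
```

On a real export run it as `tally_codes < Security.info` after the GBK-to-UTF-8 conversion shown above, since the label matching depends on the Chinese field names being in UTF-8. Codes are lower-cased before counting so that 0xC000006A and 0xc000006a land in the same bucket, which the plain sort | uniq -c pipeline does not do.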

Requirements for completing the plan:

  1. Add Microsoft's official statement on Windows 2016 compatibility.
  2. Flesh out the planning details and the related operating instructions.

Verification required before implementation:

  1. Verify the AD backup and rollback procedures.
  2. Verify Windows XP logon against a Windows 2016 AD environment.
  3. Some applications are bound to a single fixed DNS server (within AD); impact on the business must be kept to a minimum.

Follow-up items: confirm whether directly changing the IP address of the primary domain controller is feasible (mainly concerns DC2, DC3 and DC4). If it is not feasible, propose a recommended solution.

首頁/work/CD-AD-CHECK (last edited 2024-01-28 07:58:15 by merlyn)