AD Issue ... Windows 10 or the Domain?

BRRABill

When you run dcdiag /dns ... do you get errors with the root servers, such as this?

DNS server: 198.41.0.4 (a.root-servers.net.)
2 test failures on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
[Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

dbeato

@brrabill said in AD Issue ... Windows 10 or the Domain?:

When you run dcdiag /dns ... do you get errors with the root servers, such as this?

DNS server: 198.41.0.4 (a.root-servers.net.)
2 test failures on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
[Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

No, I don't

BRRABill

I had it on all the root hint servers, and also the forwarders.

  The A record for this DC was found
  The SOA record for the Active Directory zone was found
  The Active Directory zone on this DC/DNS server was found
  Root zone on this DC/DNS server was not found

  TEST: Forwarders/Root hints (Forw)
           Recursion is enabled
           Root hint Information:
              Name: a.root-servers.net. IP: 198.41.0.4 [Invalid]
              Name: b.root-servers.net. IP: 192.228.79.201 [Invalid]
              Name: b.root-servers.net. IP: 199.9.14.201 [Invalid]
              Name: c.root-servers.net. IP: 192.33.4.12 [Invalid]
              Name: d.root-servers.net. IP: 199.7.91.13 [Invalid]
              Name: e.root-servers.net. IP: 192.203.230.10 [Invalid]
              Name: f.root-servers.net. IP: 192.5.5.241 [Invalid]
              Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
              Name: h.root-servers.net. IP: 198.97.190.53 [Invalid]
              Name: i.root-servers.net. IP: 192.36.148.17 [Invalid]
              Name: j.root-servers.net. IP: 192.58.128.30 [Invalid]
              Name: k.root-servers.net. IP: 193.0.14.129 [Invalid]
              Name: l.root-servers.net. IP: 199.7.83.42 [Invalid]
              Name: m.root-servers.net. IP: 202.12.27.33 [Invalid]

BRRABill

Well, except for "G" ... WTH?

BRRABill

BTW:

Turns out the issue was a 1803 thing.

Maybe it is just my environment, but have never had to enable SMB1 before.

Though I did have a couple errors in DNS that I also fixed while I was in there.

And of course the errors above that I posted. Though everything is working perfectly.

JaredBusch

@brrabill said in AD Issue ... Windows 10 or the Domain?:

BTW:

Turns out the issue was a 1803 thing.

Maybe it is just my environment, but have never had to enable SMB1 before.

Though I did have a couple errors in DNS that I also fixed while I was in there.

And of course the errors above that I posted. Though everything is working perfectly.

SMBv1 Is recently just disabled on all new windows systems

BRRABill

@jaredbusch said in AD Issue ... Windows 10 or the Domain?:

@brrabill said in AD Issue ... Windows 10 or the Domain?:

BTW:

Turns out the issue was a 1803 thing.

Maybe it is just my environment, but have never had to enable SMB1 before.

Though I did have a couple errors in DNS that I also fixed while I was in there.

And of course the errors above that I posted. Though everything is working perfectly.

SMBv1 Is recently just disabled on all new windows systems

Probably why this is the first time I have seen it.

And assuming any upgrades would just keep it.

BRRABill

BTW: those DNS errors were caused by using an older version of DCDIAG, apparently.

Installed newest version and it works like a charm.

DustinB3403

@jaredbusch I've heard this before, but has anyone actually checked to see if it is disabled.

On 2016 that we just recently deployed it is active by default when configuring it as a file server.

BRRABill

I had to go into the Features section of the 1803 client (fresh install) and enable it.

BRRABill

It also warned that the share (when trying to connect to the domain) was insecure and SMB1.

dbeato

@dustinb3403 said in AD Issue ... Windows 10 or the Domain?:

@jaredbusch I've heard this before, but has anyone actually checked to see if it is disabled.

On 2016 that we just recently deployed it is active by default when configuring it as a file server.

It is disabled by default on RS3 of Server 2016 onwards.

dbeato

@brrabill said in AD Issue ... Windows 10 or the Domain?:

I had to go into the Features section of the 1803 client (fresh install) and enable it.

Yeah, makes sense since Server 2003 still uses SMBv1.

IRJ

I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously question IT and business leadership for making this decision.

EOL was over 4 years ago!!!!!! seroiously WTF is your company doing? and like @JaredBusch said at least dont use it for DCs?

dbeato

@irj said in AD Issue ... Windows 10 or the Domain?:

I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

IRJ

@dbeato said in AD Issue ... Windows 10 or the Domain?:

@irj said in AD Issue ... Windows 10 or the Domain?:

I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

I disagree. The only way it makes any sense to run a product that is 4 years EOL as your DC is if you are paying for support for Microsoft. Anything else is reckless.

dbeato

@irj said in AD Issue ... Windows 10 or the Domain?:

@dbeato said in AD Issue ... Windows 10 or the Domain?:

@irj said in AD Issue ... Windows 10 or the Domain?:

I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

I disagree. The only way it makes any sense to run a product that is 4 years EOL as your DC is if you are paying for support for Microsoft. Anything else is reckless.

I understand that Server 2003 should be gone and I don’t have it in any of my networks or costumers. But I knkw plenty of government and organizations that have not fully replaced server 2003 for various reasons. All that with IT Department telling them to upgrade... and yeah you can question leadership.

scottalanmiller

@irj said in AD Issue ... Windows 10 or the Domain?:

@dbeato said in AD Issue ... Windows 10 or the Domain?:

@irj said in AD Issue ... Windows 10 or the Domain?:

I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

I disagree. The only way it makes any sense to run a product that is 4 years EOL as your DC is if you are paying for support for Microsoft. Anything else is reckless.

Even then, I'd say anything that depends on MS support is reckless. MS Support doesn't qualify as "support" by any normal standard.

scottalanmiller

@dbeato said in AD Issue ... Windows 10 or the Domain?:

@irj said in AD Issue ... Windows 10 or the Domain?:

@dbeato said in AD Issue ... Windows 10 or the Domain?:

@irj said in AD Issue ... Windows 10 or the Domain?:

I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

I disagree. The only way it makes any sense to run a product that is 4 years EOL as your DC is if you are paying for support for Microsoft. Anything else is reckless.

I understand that Server 2003 should be gone and I don’t have it in any of my networks or costumers. But I knkw plenty of government and organizations that have not fully replaced server 2003 for various reasons. All that with IT Department telling them to upgrade... and yeah you can question leadership.

But they ARE reckless and unprofessional. Just because reckless people do bad things doesn't make it any better. Its' not questioning the leadership, it's outright bad leadership.

BRRABill

Yeah the IT guy at this place is a real jackhole, let me tell you...