Monthly Archives: August 2014

DC userAccountControl 0x81000

Got a question from a friend about a weird problem when trying to promote a 2012R2 Domain Controller.

The error shows up in the prerequisite check that runs before promotion:

Verification of outbound replication failed. Error reading the NTDS settings on replication source domain controller 2k3dc.secid.local. Domain Controller data not found for the specified Active Directory domain controller.
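The post title points at the value 0x81000. Decoded, that is TRUSTED_FOR_DELEGATION (0x80000) plus WORKSTATION_TRUST_ACCOUNT (0x1000); a domain controller's computer object normally carries SERVER_TRUST_ACCOUNT (0x2000) in place of the workstation bit, i.e. 0x82000. The PowerShell below is an added example, not code from the original post: it decodes userAccountControl flags and reads the live value for the replication source named in the error. The LDAP search root is an assumption based on the secid.local domain in the error text, and it uses DirectorySearcher rather than the AD module so that it also works when the only reachable DC is Windows Server 2003 (no AD Web Services).

```powershell
# Added example, not from the original post. Decodes the userAccountControl
# bits of a domain controller's computer object and checks for the
# SERVER_TRUST_ACCOUNT flag that distinguishes a DC from a member server.
# Bit values are the documented userAccountControl flags. A plain hashtable is
# used on purpose: [ordered] with integer keys would index by position.
$uacFlags = @{
    0x0001    = 'SCRIPT'
    0x0002    = 'ACCOUNTDISABLE'
    0x0020    = 'PASSWD_NOTREQD'
    0x0200    = 'NORMAL_ACCOUNT'
    0x1000    = 'WORKSTATION_TRUST_ACCOUNT'
    0x2000    = 'SERVER_TRUST_ACCOUNT'
    0x10000   = 'DONT_EXPIRE_PASSWORD'
    0x80000   = 'TRUSTED_FOR_DELEGATION'
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every flag bit that is set in $Value, lowest bit first
    $uacFlags.Keys | Sort-Object | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $uacFlags[$_] }
}

# The value from the post title: 0x81000 = WORKSTATION_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION.
# A healthy DC carries SERVER_TRUST_ACCOUNT instead, i.e. 0x82000.
'0x81000 decodes to: ' + ((ConvertFrom-UserAccountControl 0x81000) -join ', ')

# Read the live value for the replication source named in the error text.
# The search root is an assumption for the secid.local domain from the error.
$dcName   = '2k3dc'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]'LDAP://OU=Domain Controllers,DC=secid,DC=local'
$searcher.Filter     = "(&(objectClass=computer)(cn=$dcName))"
[void]$searcher.PropertiesToLoad.Add('userAccountControl')
$result = $searcher.FindOne()
if (-not $result) { throw "Computer object '$dcName' not found under the Domain Controllers OU" }

$uac = [int]$result.Properties['useraccountcontrol'][0]
'{0}: userAccountControl = 0x{1:X} ({2})' -f $dcName, $uac, ((ConvertFrom-UserAccountControl $uac) -join ', ')
if (($uac -band 0x2000) -eq 0) {
    Write-Warning "$dcName is missing SERVER_TRUST_ACCOUNT (0x2000); a domain controller is expected to have 0x82000"
}
```

Run it from any domain-joined machine with line-of-sight to a DC. The script only reads; whether and how the attribute should be corrected is a decision for the promotion troubleshooting itself, which this excerpt does not cover.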

Alternate Login ID for ADFS

This is a very welcome addition to AD FS, delivered as an update for Windows Server 2012 R2: KB 2927690 – Update enables an alternative logon ID in AD FS in Windows Server 2012 R2.

A common problem in on-prem AD is that the UPN suffix is not a publicly routable domain name (a .local suffix, for example). A routable suffix is a requirement for Office 365 and Azure AD, and is recommended for any cloud service that federates with on-prem AD.
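As an added example (not code from the original post or the KB), the PowerShell below first audits which UPN suffixes enabled users actually carry, then applies the alternate login ID setting that KB 2927690 introduces so that AD FS accepts the mail attribute as the login ID, and finally reads the setting back. The forest name secid.local and the non-routable suffix heuristic are assumptions for this illustration.

```powershell
# Added example, not from the original post or KB 2927690.
# Step 1 audits UPN suffixes, step 2 configures the alternate login ID,
# step 3 verifies the farm setting. Requires the AD and AD FS modules.
Import-Module ActiveDirectory
Import-Module ADFS

function Get-UpnSuffixUsage {
    # Count enabled users per UPN suffix and flag suffixes that cannot be
    # publicly routable: no dot at all, or an internal-only TLD such as .local.
    # The TLD list is a heuristic; extend it for your environment.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName |
        Where-Object { $_.userPrincipalName } |
        ForEach-Object { ($_.userPrincipalName -split '@', 2)[1].ToLower() } |
        Group-Object -NoElement | Sort-Object Count -Descending |
        Select-Object @{ n = 'Suffix';   e = { $_.Name } },
                      Count,
                      @{ n = 'Routable'; e = { ($_.Name -match '\.') -and ($_.Name -notmatch '\.(local|lan|internal)$') } }
}
Get-UpnSuffixUsage | Format-Table -AutoSize

# Step 2: with KB 2927690 installed on every AD FS server in the farm, let the
# Active Directory claims provider trust accept the mail attribute as the login ID
# and search the listed forest(s) for it. The attribute value must be in
# user@domain form and unique across the lookup forests. Forest name is an assumption.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests 'secid.local'

# Step 3: read back what the farm will now use for lookups.
Get-AdfsClaimsProviderTrust | Where-Object { $_.Identifier -eq 'AD AUTHORITY' } |
    Select-Object Name, AlternateLoginID, LookupForests
```

The audit step is worth keeping around after the change: users whose mail attribute is empty or not unique still fall back to the UPN, so a suffix that shows up as non-routable there is still a problem for cloud sign-in.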

Mixed DC 2003 2012R2 Domain logon problems.

A good post from the Ask DS team about Kerberos authentication problems with mixed 2003 and 2012 R2 domain controllers:

The Kerberos client depends on a “salt” from the KDC in order to create the AES keys on the client side. These AES keys are used to hash the password that the user enters on the client, and protect it in transit over the wire so that it can’t be intercepted and decrypted. The “salt” refers to information that is fed into the algorithm used to generate the keys, so that the KDC is able to verify the password hash and issue tickets to the user.

When a Windows 2012 R2 DC is promoted in an environment where Windows 2003 DCs are present, there is a mismatch in the encryption types that are supported on the KDCs and used for salting. Windows Server 2003 DCs do not support AES and Windows Server 2012 R2 DCs don’t support DES for salting.
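To see that mismatch in your own forest before promoting, it helps to list which KDCs advertise AES at all. The PowerShell below is an added example (not from the Ask DS post or this blog): it decodes msDS-SupportedEncryptionTypes on every DC's computer object using the documented bit values (DES_CBC_CRC 1, DES_CBC_MD5 2, RC4_HMAC 4, AES128 8, AES256 16). A 2003 DC never writes that attribute, so it shows up as unset; a 2008 or later DC is normally set to 28 (RC4 plus both AES types).

```powershell
# Added example, not from the Ask DS post or this blog. Lists each DC with its
# OS and the Kerberos encryption types its computer object advertises, so the
# 2003 (no AES) versus 2012 R2 (no DES) split described above is visible.
Import-Module ActiveDirectory

# Documented bit values of msDS-SupportedEncryptionTypes. A plain hashtable is
# used on purpose: [ordered] with integer keys would index by position.
$encBits = @{
    1  = 'DES_CBC_CRC'
    2  = 'DES_CBC_MD5'
    4  = 'RC4_HMAC'
    8  = 'AES128_CTS_HMAC_SHA1_96'
    16 = 'AES256_CTS_HMAC_SHA1_96'
}

function ConvertFrom-SupportedEncryptionTypes {
    param([AllowNull()][int]$Value)
    # Unset or 0 means the attribute was never written (typical for a 2003 DC);
    # the KDC then falls back to its defaults, RC4 plus whatever DES it still allows.
    if (-not $Value) { return 'not set (OS default)' }
    ($encBits.Keys | Sort-Object | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $encBits[$_] }) -join ', '
}

function Get-DcEncryptionTypes {
    Get-ADDomainController -Filter * | ForEach-Object {
        $c = Get-ADComputer -Identity $_.ComputerObjectDN -Properties 'msDS-SupportedEncryptionTypes', operatingSystem
        $v = $c.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            DC       = $_.HostName
            OS       = $c.operatingSystem
            RawValue = $v
            EncTypes = ConvertFrom-SupportedEncryptionTypes $v
            AES      = [bool]($v -band 24)   # 8 + 16: either AES type
            DES      = [bool]($v -band 3)    # 1 + 2: either DES type
        }
    }
}

Get-DcEncryptionTypes | Sort-Object OS | Format-Table -AutoSize
```

Any DC that lists AES as false is a KDC that cannot hand out AES keys; run the same decode against the affected user accounts (the attribute exists on user objects too) when you chase a specific logon failure rather than the overall DC mix.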