Networking
280 Topics

Windows 11 and NPS authentication issue
Hi everyone, I am in the process of testing Windows 11 23H2 and I am having an issue with RADIUS Authentication. RADIUS Authentication is working fine with Windows 10, so I know there is nothing wrong with the RADIUS. However, I have seen a lot of discussions online and it looks like it is related to EAP types, and some claim it's a TLS 1.3 related issue. Has anyone got it working, and if you did, can you please share your settings? My current test settings on the NPS end are as below. And my GPO settings are as below. I have all the name formats matching (upper case, lower case) for Server name and SSID names. Thanks

Force a specific default lock screen and logon image
Dear, I currently have a DC deployed on Windows Server 2019. I want to configure a specific default image on lock screens on Windows 10 Pro clients via group policy. Is this possible, or is it only compatible with Enterprise or Education editions? Thanks in advance,

AD DS Users in Remote Desktop Users group receive not authorized for remote login
Hello, thanks for checking! My AD DS config was lost. I have now built a new PDC for AD DS. I have recreated users and given them remote permissions via the Remote tab on user details, I have added them to the Administrators group, and I have added them to the Remote Desktop Users group. I have joined "PC1". I can confirm the user can log in via console, but when attempting to remote in, is receiving "The connection was denied because the user account is not authorised for remote login." The only user that can use RDP at this time is domain 'administrator'. It was working previously. I have verified that PC1 has Remote Desktop enabled, and can connect via domain 'administrator'. I would appreciate any insight into this matter!

Communication problem between two Windows Server servers on port 38008
Good afternoon everyone, I have been trying to solve a communication problem between two servers for 2 weeks. I need virtual server A (Azure VM) to query server B (Azure VM) via Postman. Both servers are communicating with each other on standard ports. I have made an inbound and outbound exception in Windows Firewall and in Network Security Groups in Azure. I am still getting errors related to timeout and no communication when I test it with telnet or Azure VM Connection Troubleshooting. When I try to run a GET in Postman, I end up with a failure-to-communicate error. Any ideas on how to fix this? I can give you more details - let me know what you need. Thank you

Verify Active Directory synchronization before primary domain controller demotion
I just added a second domain controller to my domain and transferred the FSMO roles to it, as I plan to demote and retire the original DC. Once the new dc2 was added I ran dcdiag to verify no errors and that communication was established. I also waited several days (72 hrs or more) to make sure synchronization completed. Everything looked good, so prior to demoting the original dc1, I powered it off. After about an hour I was unable to access AD from dc2. No objects or containers were visible, and users couldn't access shares (on dc2) until dc1 was rebooted and communication re-established with dc2. After scanning the event logs of dc1 I determined that DFS replication had stopped and both the sysvol and netlogon folders were missing on dc2. After some research I was able to create both shares and restart replication, which appears to have worked since both folders are now synchronized with dc1. My concern is: how do I know if AD is now available on dc2? AD sync commands show no errors, but they did before. Short of powering off the server again, as I am remote, is there a way to disable AD on dc1 and see if I still have access to AD on dc2? Would an incomplete replication of sysvol cause user authentication issues? Any advice would be greatly appreciated.

KDC error after installing DC 2022
We're upgrading the AD domain from 2008 R2 to 2022. We deployed the new 2022 DC and also successfully moved the FSMO roles. However, some old 2003 servers started having issues authenticating clients, for example when connecting to file shares, with KDC errors: "The encryption type requested is not supported by the KDC". How can we fix it? Is there a group policy we can apply to the 2022 DC to enable the old 2003 servers to authenticate clients? Thanks

Bypass LBFO Teaming deprecation on Hyper-V and Windows Server 2022
Starting with Windows Server 1903 and 1909, Hyper-V virtual switches on an LBFO-type network adapter cluster are deprecated (see documentation). The technology remains supported, but it will not evolve. It is recommended to create an aggregate of type SET.

In practice

The SET is a very interesting technology that has some constraints. The interfaces used must have identical characteristics:
- Manufacturer
- Model
- Link speed
- Configuration

Even if these constraints do not seem huge, we are very far from the flexibility of LBFO Teaming. As a reminder, this one has absolutely no constraints. In practice the SET is recommended with network interfaces of 10Gb or more. Therefore, we are very far from the target of the LBFO (use of all integrated boards with motherboard pro, Home Lab, refurbish).

If SET cannot be used

As of Windows Server 2022, it is not possible to use the Hyper-V Management Console to create a virtual switch with LBFO, as it will prompt an error saying that LBFO has been deprecated. However, it is possible to use PowerShell to create this virtual switch. First, create the Teaming of your network cards using the Server Manager; in my case the teaming will be with LACP mode and Dynamic load balancing mode. Then execute the below PowerShell command to create the virtual switch based on the teaming created in the previous step:

New-VMSwitch -Name "LAN" -NetAdapterName "LINK-AGGREGATION" -AllowNetLbfoTeams $true -AllowManagementOS $true

In detail:
- The virtual switch will be named "LAN"
- The network adapter cluster teaming is named "LINK-AGGREGATION"
- The aggregate remains usable to access the Hyper-V host.

You will see your network teaming up and running on the Hyper-V host. That's it!

CVE-2024-38063 - Disabling IPv6 binding = fix - or not?
Dear community, in today's LinkedIn stream and other social media you might have noticed a recent CVE and the recommendation to disable IPv6 in Windows Server and Windows Client. We are talking about this one: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

Reading the advisory carefully, Microsoft, strictly speaking, does not directly recommend disabling (technically removing the binding of) IPv6. Citing: "Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation: Systems are not affected if IPv6 is disabled on the target machine."

Maybe I am a bit nitpicking here about old experiences and would greatly appreciate a refreshed Microsoft statement on the disablement (unbinding) of IPv6 and the side-effects in 2024. What we have learned in the past - do not disable IPv6 easily. - Yes, you can face issues with IPv6 being on by default and unexpected or misconfiguration. Often caused by DHCPv6, especially in the combination of critical domain controllers, Dual Stack ISPs and SoHo routers messing up your DNS.

What's the fuss about IPv6? I am not actively using it in corporate / at home.

IPv6 is being used in Windows. More specifically non-routable fe80 addresses and loopback ::1 for internal purposes of Windows or other software. One may complain use cases are - unrightfully - not well and transparently documented.

Have a read in the past

Here are some references that Copilot brings up. Trust my memory, I've read more like this.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251
https://community.spiceworks.com/t/is-it-a-bad-practice-to-disabe-ipv6/781811/9
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

My personal conclusion

Hold on, we need patches for this CVE, but we should not disable IPv6 easily. Please disable IPv6 temporarily when you cannot patch this CVE immediately / in time. Take notes of which systems you have had to disable it on and consider re-enabling once patches have been tested and applied. If you are using IPv6 knowingly, note the NIC configs. They will be lost when using static settings rather than DHCPv6.

I am sad to see that NetSec people, undoubtedly experts in their area, jump on the bandwagon esp. on social media to easily disgrace the IPv6-by-default enablement of Windows Client and Windows Server, telling you the easier story: "Disable IPv6 and you are good / if you do not need it." Let me counter: You might not know you're "needing it" in the first place. Whenever you are changing system defaults in Windows, mind that Microsoft and other software vendors may not consider these changes in their testing. And the CrowdStrike Black Friday showed us clearly how outlier system configs and unwell testing go along. Not very well.

IPv6 usage and defaults today

One of the most recent examples that Microsoft is using IPv6 can be found in the Azure Arc Agent (Connected Machine Agent) changelog: "Better handling when IPv6 local loopback is disabled" source: https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-release-notes

How can I disable IPv6, if required?

Many roads lead to Rome. Windows + X > Terminal / PowerShell (Admin)

# save current NIC config into a simple text file
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Out-File $env:temp\original-ipv6-config.txt
# disable IPv6 on all adapters
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Disable-NetAdapterBinding

And how to revert the change?

Windows + X > Terminal / PowerShell (Admin)

# enable IPv6 on all adapters where it is currently disabled (mind the text file: only the adapters listed there had IPv6 bound originally)
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $false | Enable-NetAdapterBinding

TL;DR

Microsoft is using fe80 addresses and loopback ::1 addresses for internal reasons. IPv6 is preferably used over IPv4 when it is bound to a network adapter, including said special non-routable addresses. Please disable IPv6 temporarily when you cannot patch this CVE immediately / in time. Take notes of the current config. Please share the word and mind that disabling IPv6 can turn your OS into an outlier system, causing immediate or later issues due to lack of testing by Microsoft or other software vendors, assuming the defaults, which is IPv6 being turned on.

How Windows determines that a connection is a domain network
Hello, When a Windows client boots, how does it determine that a connection is a domain network? Does it have to connect with the PDC domain controller, or can it be any domain controller in the domain? I'm asking because I'm troubleshooting an issue with clients recognizing the network as a domain network, and I'm getting inconsistent results. Any information or guidance will be helpful. Thanks,