UAG Direct Access IP-HTTPS fail with SAN Certificate

Lately I passed by this issue with a client trying to implement the UAG Direct Access using UCC SAN (Subject Alternative Name) Certificate. The Problem was that the Direct Access IPHTTPS URL name “da.company.com” was not the common name of the Certificate (The common name was www.company.com).  Microsoft recommends either Wildcard certificate or normal HTTPS certificate for the DA name. If you don't have other option but the SAN certificate then Its recommended to have the Common name matching the Direct Access IPHTTPS URL otherwise a manual work around should be done on both the UAG server and the UAG client.

UAG Server

The Direct Access URL should be adjusted manually on the UAG server using the Netsh command as follows:

Netsh Interface HTTPStunnel Set Interface https://da.company.com:443/IPHTTPS

Then run

Netsh Interface HTTPStunnel show interface

UAG Client

The UAG clients/OU (according to your setup) GPO need to be modifed manually to add the Direct Access URL.

Computer Configuration/Policies/Administrative Templates/Network/TCPIP Settings/IPv6 Transition Technologies/IP-HTTPS State

Make sure to update the GPO on the client (GPupdate /force) and activate the UAG configuration.

Read More

The Active Directory integrated DNS zone _msdcs.domain.com was not found

Error Reported in Event Viewer or DNS Best Practices Analyzer.

"The Active Directory integrated DNS zone _msdcs.domain.com was not found"

This error might appear in environments and domains that were already built back in the days of windows 2000 or Windows 2003. By default, before windows server 2003 SP1, there was no independent _msdcs.domain.com zone in the DNS console. When the domain was originally created under Windows 2000 or Windows 2003, there was only a _msdcs folder under the domain.com zone which could also provide the resolution for _msdcs.domain.com zone. After windows server 2003 SP1, when you create a zone such as domain1.com, there is an independent _msdcs.domain1.com zone which is the delegation of the original _msdcs folder. This _msdcs will highly benefit the DNS replication.

What is the _msdcs Zone?

According to Microsoft documentation/definition:

“Microsoft-specific subdomain enables location of domain controllers that have specific roles in the Active Directory domain or forest. Resource records for the DNS root domain of a new Active Directory forest are stored in a _msdcs zone instead of a subdomain, and that zone is stored in the forest-wide application directory partition.”

This Zone will host only DNS SRV records that are registered by Microsoft-based services as well as the globally unique identifier (GUID) for all domains in the forest and a list of GC servers in your forest/domain.


DNS support for AD guide
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

The Steps needed to resolve these issues are as follows:

1.     Manually created _msdcs.domain.com zone

·         Open DNS console, right-click “Forward Lookup Zones”, click “New Zone”, manually create new zone _msdcs.Domain.com, please select primary zone and check “Store the zone in Active Directory” on the page of Zone Type.

2.     After that, please check if _ msdcs.Domain.com has been created and the records are correct. If not continue with the next step.

3.     Create a delegated _msdcs zone under the domain.com and delegate it to the _msdcs.domain.com zone. Right-click “Domain.com”, click “New Delegation”, please type _msdcs in the Delegated domain text box

4.     Click Add button to type DNS server’s IP address.

5.     Stop and restart NETLOGON and DNS Service.

Read More

Troubleshooting Event ID 1058, Group Policy gpt.ini

Event ID: 1058
Source: Group Policy

"The Processing of Group Policy failed. Windows attempted to read the file \\domain\sysvol\domain\policies\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\gpt.ini from a domain controller and was not successful."

I passed by this error lately with several environments running Windows 2008 or 2008R2 Domain controllers. The key element in resolving this issue is to determine which group policy is causing this problem.

When you install GPMC you get a sample folder full of very useful scripts that make use of GPMC COM interfaces, The Script we are looking for is the DumpGPOInfo.wsf. For some reason Windows 2008 doesn’t include this folder and you will have to download it manually from the following link

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14536

After downloading and installing the Sample scripts, use the above mentioned file to get the name of the GPO generating the above error.

Cscript DumpGPOInfo.wsf {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

This will give you the friendly name of the GPO.

You may delete, rename……….etc the GPO from the Group Policy Management Console. In my case I just enabled/disabled one setting and it worked fine and I was able to recreate the GPT.ini file back.

Read More