分类目录归档:Active Directory

解决域里的Windows和域控制器时间不同步问题

今天刚开了个新的AD,兴高采烈地把设备都加了域,结果WinRM不工作。报错如下:

PS C:\Windows\system32> enter-pssession server02
enter-pssession : Connecting to remote server server02 failed with the following error message : WinRM cannot process
the request. The following error with errorcode 0x80090324 occurred while using Kerberos authentication: There is a
time and/or date difference between the client and server.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ enter-pssession server02
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (server02:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

对于一个新的域,这种情况大概率是两台设备的时钟不同步了。

继续阅读

Windows MDM未知错误0x80192efe的解决方案

症状:

设备无法自动enroll MDM,事件管理器里面(Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin)有如下报错:

MDM Enroll: Failed (Unknown Win32 Error code: 0x80192efe)

解决方法:

首先去Azure AD和Intune删掉这台设备(能看到的都删掉)。

然后让Azure AD Sync重新同步一次:在安装有Azure AD Sync的服务器上执行

PS C:\Windows\system32> Import-Module ADSync
PS C:\Windows\system32> Start-ADSyncSyncCycle -PolicyType Initial

等这台机子被重新同步到Azure AD以后,强制重新enroll MDM:在目标设备上执行

gpupdate /force

AD DS允许外部用户访问本域Users and Computers的方法

近日给一个Forest级别Trust的Domain设置了Selective Trust,然后跨域访问开始爆炸。AD Administrative Center(dsac.exe)打开就报错(System.Security.Authentication.AuthenticationException )退出;几个MMC Snap-in则不是报告莫名其妙的local error就是提示Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. 。用Delegation of Control Wizard给外部用户分配所有权限也没有用。

继续阅读