AA88 asked DaisyZhou-MSFT commented

Domain Controllers replicate error code 110

Hello,

I need some advice here. The current environment contains a parent domain and 2 child domains. Due to a security policy, RC4 has been disabled on all domain controllers. I noticed the following while doing a health check and when running repadmin /replsum etc. manually.

The AD health check seems to be unhealthy:

[DC2] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: DC2 is the Schema Owner, but is not responding to DS RPC Bind.

[DC1] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: DC1 is the PDC Owner, but is not responding to DS RPC Bind.

Is it necessary to enable AES encryption?

(Attached screenshot: properties-of-a-child-domain.png)


windows-active-directory

Hello @RussellAng-0425,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @RussellAng-0425,
I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this post, please let us know.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered AA88 edited

Hello @RussellAng-0425,

Thank you for posting here.

To better understand your question, please confirm the following information at your convenience.

1. Based on the description "Due to some security policy RC4 has been disabled for all domain controllers.", how did you disable RC4 for all DCs?

2. Did you mean AD replication worked fine before disabling RC4 for all DCs?

3. Where did you see "Domain Controllers replicate error code 110"? Please provide a screenshot if possible.


You can enable RC4 for all DCs if possible and then check whether AD replication becomes healthy again.


Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



Hello @DaisyZhou-MSFT

Does disabling RC4 result in replication errors?


1. Based on the description "Due to some security policy RC4 has been disabled for all domain controllers.", how did you disable RC4 for all DCs?

Registry key (refer to the attached screenshot, registry-key.gif).


2. Did you mean AD replication worked fine before disabling RC4 for all DCs?
Correct.

3. Where did you see "Domain Controllers replicate error code 110"? Please provide a screenshot if possible.

(Refer to the attached screenshot, error-110.jpg.)

You can enable RC4 for all DCs if possible and then check whether AD replication becomes healthy again.

(Attached screenshots: registry-key.gif, error-110.jpg)


DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @RussellAng-0425,

Thank you for your confirmation.

Q: Is it necessary to enable AES encryption?
A: Because DCs support RC4, AES 128 and AES 256, if you disable RC4, please enable AES encryption, then check whether AD replication works fine.

(Attached screenshot: pro1.png)

Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

AA88 answered DaisyZhou-MSFT commented

Hello @DaisyZhou-MSFT

Below is the setting. Does it mean RC4 and AES are both enabled?

(Attached screenshot: image.png)




Hello @RussellAng-0425,

Thank you for your update.

By default, DCs support AES and RC4, but when they use it, they negotiate to use one of the two, either RC4 or AES.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

AA88 answered DaisyZhou-MSFT commented

Hello @DaisyZhou-MSFT

It seems to be a permission issue. Even running cmd as administrator with an enterprise admin account shows the replication 110 error, the same as in the screenshot above.

If I launch those applications (dsa.msc, cmd, Domain Trusts, etc.) without being prompted for authentication, I get access denied.

Some sort of permission issues.


Hello @RussellAng-0425,

Thank you for your update.

I suggest you try to enable RC4 for all DCs if possible and then check whether AD replication becomes healthy again. Also check those applications (dsa.msc, cmd, Domain Trusts, etc.).

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

AA88 answered DaisyZhou-MSFT commented

Hello @DaisyZhou-MSFT ,

I read some blog posts about disabling RC4.

1. RC4 is disabled in the registry and the GPO is set to Not Defined. Is it necessary to enable AES in the GPO?

2. I noticed that enterprise admin accounts, once logged in to a server, need to run as a different user to authenticate in order to access dsa.msc, or even to run cmd or PowerShell with privileged access to perform repadmin /replsum.

3. RC4 is disabled. Do domain or service accounts need AES enabled?

4. How can I check the logs for errors about RC4 Kerberos or an expired KDC ticket?

https://docs.microsoft.com/en-us/answers/questions/377020/if-we-disable-rc4-encryption-in-gpo-domain-level-i.html



Hello @RussellAng-0425,

Thank you for your update.

1. RC4 is disabled in the registry and the GPO is set to Not Defined. Is it necessary to enable AES in the GPO?
A1: It is not necessary to enable AES in the GPO.

2. I noticed that enterprise admin accounts, once logged in to a server, need to run as a different user to authenticate in order to access dsa.msc, or even to run cmd or PowerShell with privileged access to perform repadmin /replsum.

3. RC4 is disabled. Do domain or service accounts need AES enabled?
A3: AES is enabled by default; because you did not disable it, you do not need to enable AES for domain or service accounts.

4. How can I check the logs for errors about RC4 Kerberos or an expired KDC ticket?
A4: We can check the error message shown when authentication fails, or the Security log (such as Event ID 4771, 4768 or 4625) in Event Viewer.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

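The answer above points at the Security log (4768, 4771 and related events) for Kerberos failures. The following PowerShell script is an added example for this thread, not code from any of the posts: it reads those events from a DC and decodes the ticket encryption type and Kerberos status code, so you can see which accounts still request or receive RC4 tickets and which requests fail with KDC_ERR_ETYPE_NOTSUPP once RC4 is gone. It assumes you can read the DC's Security log, that the default DC audit policy (Audit Kerberos Authentication Service / Service Ticket Operations) is in effect, and the DC name 'DC1' in the usage line is a placeholder.

```powershell
# Added example for this thread (not code from the original posts).
# Summarises Kerberos KDC audit events on a domain controller so you can see
# which accounts still request or receive RC4 tickets and which requests fail
# with an encryption-type error after RC4 is disabled.
# Assumptions: you have rights to read the DC's Security log, and the default
# DC audit policy (Audit Kerberos Authentication Service / Service Ticket
# Operations) is in effect so that events 4768, 4769 and 4771 are logged.

# TicketEncryptionType values as logged in 4768/4769 (hex strings)
$EtypeNames = @{
    '0x1'        = 'DES-CBC-CRC'
    '0x3'        = 'DES-CBC-MD5'
    '0x11'       = 'AES128-CTS-HMAC-SHA1-96'
    '0x12'       = 'AES256-CTS-HMAC-SHA1-96'
    '0x17'       = 'RC4-HMAC'
    '0x18'       = 'RC4-HMAC-EXP'
    '0xffffffff' = '(none: request failed)'
}

# Kerberos result codes ("Status" / "Failure Code") most relevant here
$StatusNames = @{
    '0x0'  = 'Success'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'
    '0xe'  = 'KDC_ERR_ETYPE_NOTSUPP (no common etype; seen when RC4 is disabled and the account has no AES keys)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED (ticket expired)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

function Resolve-Name([hashtable]$Table, [string]$Key) {
    if (-not $Key) { return '' }                  # field absent on this event type
    $k = $Key.ToLower()
    if ($Table.ContainsKey($k)) { $Table[$k] } else { $Key }   # unknown code: show raw value
}

function Get-KerberosEtypeReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # DC whose Security log to read
        [int]$MaxEvents = 5000
    )
    # 4768 = TGT request, 4769 = service ticket request, 4771 = pre-auth failure
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4771 }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Account = $data['TargetUserName']
            Service = $data['ServiceName']        # krbtgt/<DOMAIN> for TGTs, the SPN owner for 4769
            Client  = $data['IpAddress']
            Etype   = Resolve-Name $EtypeNames $data['TicketEncryptionType']   # not present on 4771
            Status  = Resolve-Name $StatusNames $data['Status']
        }
    }
}

# Usage (DC1 is a placeholder): list RC4 tickets and etype failures, then count RC4 use per account
$report = Get-KerberosEtypeReport -ComputerName 'DC1'
$report | Where-Object { $_.Etype -like 'RC4*' -or $_.Status -like '*ETYPE_NOTSUPP*' } |
    Sort-Object Time -Descending |
    Format-Table Time, EventId, Account, Service, Client, Etype, Status -AutoSize
$report | Where-Object { $_.Etype -like 'RC4*' } | Group-Object Account |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Run it against each DC, since KDC events are only logged on the DC that handled the request. A 4769 with an RC4 etype names the service account (ServiceName) that still has no usable AES key, which is what breaks once the DCs refuse RC4; a 4768 or 4771 with status 0xe points at a client or user in the same situation.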
AA88 answered

Hello @DaisyZhou-MSFT,

Last question, since AES is enabled by default:

1. Is it required to enable it for a child domain with a domain trust?

(Attached screenshot: image.png)



DaisyZhou-MSFT answered

Hello @RussellAng-0425,

Thank you for your update.

I am sorry, I did not explain it clearly.

Q: Last question, since AES is enabled by default, is it required to enable it for a child domain with a domain trust?
A: Yes, AES is enabled by default within the same domain.

It is required to enable it for the parent-child domain trust.

The parent domain and child domain use the default parent-child trust, but this trust by default uses RC4 as the ETYPE for Kerberos.

Now that RC4 is disabled, if you want to enable AES on this trust you need to enable this flag (disabled by default) in the trust properties:

(Attached screenshot: tru1.png)


For more information, please refer to link below.

Tough Questions Answered: Can I disable RC4 Etype for Kerberos on Windows 10?
https://techcommunity.microsoft.com/t5/itops-talk-blog/tough-questions-answered-can-i-disable-rc4-etype-for-kerberos-on/ba-p/382718


Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

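The thread ends up touching four separate places where Kerberos encryption types are configured: the DC's local policy or registry value, the trust object (the "other domain supports Kerberos AES encryption" checkbox from the answer above, which writes msDS-SupportedEncryptionTypes on the trustedDomain object), the DC computer accounts, and the service accounts asked about earlier. The following PowerShell script is an added example, not code from the posts or from Microsoft: it reads all four and decodes the bitmask, so you can check in one pass what will stop working without RC4. It assumes the ActiveDirectory RSAT module, an account that can read those objects, and that the registry paths named in the comments are the ones in use in your environment.

```powershell
# Added example for this thread (not code from the original posts).
# Reports the Kerberos encryption types allowed or advertised at each place
# that matters after an RC4 lockdown: the local Kerberos policy on this DC,
# the domain's trust objects (including the automatic parent-child trust),
# the DC computer accounts, and service accounts that carry an SPN.
# Assumptions: the ActiveDirectory RSAT module is installed and the script runs
# as an account that can read these objects. The first registry path is where
# the policy "Network security: Configure encryption types allowed for Kerberos"
# lands; the second is the machine-local equivalent.
Import-Module ActiveDirectory

# Bit flags shared by the policy value and msDS-SupportedEncryptionTypes
$EtypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
    'AES256-SK'   = 0x20
}

function ConvertFrom-EtypeMask([object]$Mask) {
    if ($null -eq $Mask) { return 'not set (KDC applies its default, historically RC4 only)' }
    $m = [int64]$Mask
    $names = foreach ($k in $EtypeBits.Keys) { if ($m -band $EtypeBits[$k]) { $k } }
    if (-not $names) { return ('0x{0:x} (no encryption types allowed!)' -f $m) }
    return ('0x{0:x} = {1}' -f $m, ($names -join ', '))
}

function Get-LocalKerberosEtypePolicy {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters',
             'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
        [pscustomobject]@{ Object = "registry $p"; Etypes = ConvertFrom-EtypeMask $v }
    }
}

function Get-DomainKerberosEtypeConfig {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $attr = 'msDS-SupportedEncryptionTypes'
    $dom  = Get-ADDomain -Server $Domain

    # Trust objects: the "other domain supports Kerberos AES encryption" checkbox
    # sets this attribute on the trustedDomain object (0x18 = AES128 + AES256)
    Get-ADTrust -Filter * -Server $Domain -Properties $attr | ForEach-Object {
        [pscustomobject]@{ Object = "trust to $($_.Name) ($($_.Direction))"; Etypes = ConvertFrom-EtypeMask $_.$attr }
    }
    # Domain controller computer accounts
    Get-ADComputer -Filter * -SearchBase $dom.DomainControllersContainer -Server $Domain -Properties $attr | ForEach-Object {
        [pscustomobject]@{ Object = "DC $($_.Name)"; Etypes = ConvertFrom-EtypeMask $_.$attr }
    }
    # Service accounts (users with an SPN): with RC4 gone these need AES keys
    Get-ADUser -Filter 'servicePrincipalName -like "*"' -Server $Domain -Properties $attr | ForEach-Object {
        [pscustomobject]@{ Object = "service account $($_.SamAccountName)"; Etypes = ConvertFrom-EtypeMask $_.$attr }
    }
}

# Usage: run on a DC of the parent domain, then again with -Domain for each child domain
Get-LocalKerberosEtypePolicy
Get-DomainKerberosEtypeConfig | Format-Table -AutoSize
# The objects that will break once the DCs refuse RC4:
Get-DomainKerberosEtypeConfig | Where-Object { $_.Etypes -notlike '*AES*' }
```

Read the output with one caveat: msDS-SupportedEncryptionTypes only advertises which keys an account claims to have. The AES keys themselves are derived when the password is set, so a service account whose password predates the Windows Server 2008 domain functional level shows AES in the attribute but still has no AES key until its password is changed; the trust password rotates on its own, so the parent-child trust normally needs only the checkbox.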