During a project for my college, where I will use multiple Microsoft servers, I found a problem that I can replicate from scratch.
Environment: VMware Workstation 9.0.1
-Server 1-
Site: Site1
OS: Windows Server 2012 with a GUI
Name: DC-GUI-01
IP: 10.10.5.100/24
DNS: 10.10.5.100
-Server 2-
Site: Site2
OS: Windows Server 2012 Server Core
Name: DC-CORE-02
IP: 10.10.6.200/24
DNS: 10.10.6.200
Configuration: Both servers have the same hardware and are connected to different, correctly configured virtual networks (I have full communication between both sites).
Procedures:
1 - Install both servers normally, with all the updates;
2 - On Server 1, install the Domain Services role and create a domain called contoso.local, pretty straightforward (next, next, finish), and afterwards confirm that it is working correctly (event logs, DNS, SYSVOL, etc.);
3 - On Server 1 configure Sites and Services (Site, Subnet, IP connectivity, etc);
4 - On Server 2, disable Windows Firewall by running "netsh advfirewall set allprofiles state off" (just in case) and confirm bidirectional communication;
5 - Add Server 2 to the contoso.local domain using sconfig;
6 - Log on with the Domain Administrator user on Server 2;
- At this stage everything is working just fine. I can create users in Active Directory and give them permissions on shared folders created on Server 2, etc. No problem at all. -
(Sorry I cannot post images...) dl.dropbox.com/u/13587974/Pic1.jpg
7 - On Server 2, install Domain Services by running "Get-WindowsFeature AD-Domain-Services | Install-WindowsFeature" in PowerShell;
8 - On Server 2, promote to Domain Controller by running "Install-ADDSDomainController -DomainName contoso.local";
(I have also tried installing and promoting remotely through Server Manager on Server 1; it didn't help);
9 - Confirm DNS records (SRV), Sites and Services, etc., that everything is correctly done.
Problem:
From now on, with both GUI and Core as Domain Controllers on different Sites, I can no longer give permissions to any AD user, as it simply doesn't show up when searching for users:
dl.dropbox.com/u/13587974/Pic2.jpg
Note that you can no longer see the _Technet user that I created in AD.
Also, in Active Directory Users and Computers, if I right-click, go to Change Domain Controller and select DC-CORE-02, I get the "Server is not Operational" message:
dl.dropbox.com/u/13587974/Pic3.jpg
In the DC-CORE-02 Event Viewer, the only error I have that I think could be related is this one:
"Log Name: System
Source: LsaSrv
Date: 12/02/2013 14:07:29
Event ID: 6038
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: DC-CORE-02.contoso.local
Description:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
NTLM is a weaker authentication mechanism. Please check:
Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LsaSrv" Guid="{199fe037-2b82-40a9-82ac-e1d46c792b99}" EventSourceName="LsaSrv" />
<EventID Qualifiers="0">6038</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-12T14:07:29.000000000Z" />
<EventRecordID>1564</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>DC-CORE-02.contoso.local</Computer>
<Security />
</System>
<EventData>
</EventData>
</Event>"
All my searches about this problem have turned up no solution for my case.
If I put this Server Core in the same Site (Site1) as the DC-GUI-01, this problem doesn't happen.
Can someone help?
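The checks from step 9 (site-specific SRV records, site membership, reachability and an LDAP bind to the new DC, replication status) as one verification script. This is an added example, not code from the question; it assumes the names from the post (contoso.local, DC-CORE-02, Site2), is run from an elevated PowerShell on DC-GUI-01, and needs the ActiveDirectory and DnsClient modules (RSAT-AD-PowerShell).

```powershell
# Added verification script (not from the original post). Assumed values below.
Import-Module ActiveDirectory
Import-Module DnsClient

$Domain = 'contoso.local'   # assumed from the post
$NewDc  = 'DC-CORE-02'      # assumed from the post
$Site   = 'Site2'           # assumed from the post
$Fqdn   = "$NewDc.$Domain"

# 1. Site-specific SRV records. If these are missing, clients in Site2 (and the
#    MMC snap-ins) cannot locate the Core DC through the site-aware lookup.
foreach ($rec in "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
                 "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain") {
    $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue
    $hit = $srv | Where-Object { $_.NameTarget -like "$Fqdn*" }
    "{0,-8} {1}" -f $(if ($hit) { 'OK' } else { 'MISSING' }), $rec
}

# 2. Site membership of every DC as AD itself sees it.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IPv4Address, IsGlobalCatalog | Format-Table -AutoSize

# 3. Raw TCP reachability of the ports a "Server is not operational" error
#    usually depends on: LDAP 389, Kerberos 88, RPC endpoint mapper 135, SMB 445.
foreach ($port in 389, 88, 135, 445) {
    $open = $false
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ar  = $tcp.BeginConnect($Fqdn, $port, $null, $null)
        $open = $ar.AsyncWaitHandle.WaitOne(2000) -and $tcp.Connected
        $tcp.Close()
    } catch { $open = $false }
    "{0,-8} TCP {1}" -f $(if ($open) { 'OPEN' } else { 'CLOSED' }), $port
}

# 4. An actual LDAP bind to the new DC (what ADUC does on "Change Domain Controller").
try   { $null = Get-ADRootDSE -Server $Fqdn; "OK       LDAP bind to $Fqdn" }
catch { "FAIL     LDAP bind to $Fqdn : $($_.Exception.Message)" }

# 5. Inbound replication status of the new DC. A LastReplicationResult other than 0
#    means objects created on one DC (e.g. a new user) have not reached the other.
Get-ADReplicationPartnerMetadata -Target $Fqdn -ErrorAction SilentlyContinue |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures | Format-Table -AutoSize
```

A MISSING site SRV record together with a working bind points at DNS registration or site assignment; a CLOSED port or failed bind points at network or firewall rules between the two virtual networks.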