We just got an error when running PowerShell commands like Get-ADGroupMember: the command failed with an error message, while other commands worked as before. It looks like every command that issues an LDAP query will fail. The error message was not really helpful.
Remove-ADobject (Get-ADUser 'foo.bar').DistinguishedName -Recursive -Confirm:$false;
Remove-ADobject : The server was unable to process the request due to an internal error. For more information about
the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the
<serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or
turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
At line:1 char:1
+ Remove-ADobject (Get-ADUser 'foo.bar').DistinguishedName - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=foo.bar...example,DC=local:ADObject) [Remove-ADObject], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.RemoveADObject
The Windows event log for "Active Directory Web Services" reported a warning with event ID 1402:
Log Name: Active Directory Web Services
Source: ADWS
Date: 09.01.2024 19:45:27
Event ID: 1402
Task Category: ADWS Certificate Events
Level: Warning
Keywords: Classic
User: N/A
Computer: DC1.example.local
Description:
Active Directory Web Services was unable to process the server certificate. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
Certificate name: DC1.example.local
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ADWS" />
<EventID Qualifiers="32768">1402</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2024-01-09T18:45:27.6559208Z" />
<EventRecordID>200</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Active Directory Web Services</Channel>
<Computer>DC1.example.local</Computer>
<Security />
</System>
<EventData>
<Data>DC1.example.local</Data>
</EventData>
</Event>
After some digging we found the article "Always On VPN Clients Prompted for Authentication when Accessing Internal Resources", which looks related. We checked the certificates, but they were all fine as documented.
Solution:
Run gpupdate /force
and reboot the server; after that the issue is gone. It looks like the initial Always On VPN installation caused this issue for us. A server reboot alone had not solved the issue, for unknown reasons. This may happen every time the server certificate gets auto-renewed (e.g. once per year).
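As an added example (not from the original post), a PowerShell check an admin can schedule to catch this condition on every domain controller before the AD cmdlets start failing: it counts recent ADWS 1402 warnings, tests the ADWS port, and inspects the server-authentication certificate on each DC. It assumes PowerShell remoting and remote event-log access to the DCs from a domain-joined admin host; the $LookbackHours parameter name is constructed.

```powershell
# Added example, not part of the original post: check each domain controller for
# ADWS event 1402 and for a usable server-authentication certificate.
# Assumptions: run as a domain admin from a domain-joined host; PowerShell
# remoting and remote event log access to the DCs are allowed.
param([int]$LookbackHours = 24)   # constructed parameter name

# Enumerate DCs via LDAP (.NET), not via Get-ADDomainController: the AD module
# cmdlets depend on ADWS, which is exactly what is broken in this scenario.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    ForEach-Object { $_.Name }
$since = (Get-Date).AddHours(-$LookbackHours)

foreach ($dc in $dcs) {
    # 1. Recent ADWS certificate warnings (the event shown in the post).
    $warnings = @(Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Active Directory Web Services'; ProviderName = 'ADWS'
        Id = 1402; StartTime = $since } -ErrorAction SilentlyContinue)

    # 2. Is the ADWS endpoint (TCP 9389) accepting connections at all?
    $port = (Test-NetConnection -ComputerName $dc -Port 9389 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Does the DC hold a cert ADWS can use: Server Authentication EKU,
    #    private key, not expired, DC FQDN in the SAN list, trusted chain?
    $cert = Invoke-Command -ComputerName $dc -ScriptBlock {
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
                $_.DnsNameList.Unicode -contains $fqdn } |
            Sort-Object NotAfter -Descending | Select-Object -First 1 |
            ForEach-Object { [pscustomobject]@{
                Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter; ChainOk = $_.Verify() } }
    }

    [pscustomobject]@{
        DC             = $dc
        Adws1402Events = $warnings.Count
        Port9389Open   = $port
        CertThumbprint = $cert.Thumbprint
        CertNotAfter   = $cert.NotAfter
        CertChainOk    = $cert.ChainOk
        # 1402 warnings with an otherwise valid certificate is the pattern from
        # the post: ADWS has not picked up the renewed cert (gpupdate /force + reboot).
        NeedsAttention = ($warnings.Count -gt 0) -or (-not $port) -or (-not $cert.ChainOk)
    }
}
```

A DC that reports NeedsAttention while the certificate fields look healthy matches the situation described above, where the certificate itself was fine but ADWS still logged 1402 until the refresh and reboot.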