SteelHead is unable to join/rejoin the domain in Active Directory Integrated Mode (Windows 2008 and later) or unexpected SMB2/3 problems occur after deploying Microsoft patches from January 11, 2022 and later

Solution Number: S35726
Last Modified: 2023-06-21
Issue
Observed problems:

1. The SteelHead messages log displays the following error while joining or rejoining the domain:

Failed to join domain using ads: failed to verify domain membership after joining: The object name is not found.

2. When the SteelHead is joined to the domain in Active Directory Integrated Mode (Windows 2008 and later), it may report NT_STATUS_OBJECT_NAME_NOT_FOUND after Microsoft Security Updates are applied to the Domain Controller(s) and new SMB2/3 sessions with UNC hardening are intercepted for signing and mutual authentication during optimization:

NTLM Auth Failed for user: *\SH_AUTH_MON. NT status string: NT_STATUS_OBJECT_NAME_NOT_FOUND Code: 3221225524 message: The object name is not found.

NOTE: When the SteelHead appliance cannot communicate with the domain, it checks every 30 seconds with the Domain Controller(s) using the non-existent user SH_AUTH_MON, which is why this user name appears in the log.


3. The Kerberos replication test fails with NT_STATUS_ACCOUNT_DISABLED:

[Jan 14 22:30:49 66688 -1 domain_auth/repl_test ERROR] {- -} nt status: NT_STATUS_ACCOUNT_DISABLED, vampire status: 8
Error message - Can't contact the DRSUAPI pipe. NT_STATUS_ACCOUNT_DISABLED

4. The SteelHead machine account object shows as 'Disabled' in Active Directory Users and Computers (ADUC).

NOTE: When the SteelHead object is 'Disabled', its userAccountControl attribute has the ACCOUNT_DISABLE bit set (0x1002).

5. The Domain Controller Event Viewer starts to display "Event ID 5722 - The system cannot find the file specified" for the System NETLOGON service under Administrative Events.


 
 
Solution
With the January 2022 Security Updates, Microsoft started enforcing msDS-KrbTgtLink validation for NTLM authentication. This affects a SteelHead joined to the domain in Active Directory Integrated Mode (Windows 2008 and later), whose machine account carries the userAccountControl value 0x5011000 (RODC). Microsoft has announced that these improvements and fixes will remain part of Security Updates going forward, so SteelHead RODC machine accounts might fail to establish a Netlogon secure channel.
 

It is recommended to evaluate the installation of the following Windows security updates on the DCs that SteelHeads use for the domain join or for SMB2/3 optimization.



Microsoft Security Updates affecting SteelHead devices joined or rejoined to the domain are:
 
Domain Controller OS version   January 2022 Updates                                      Out-of-band
Windows Server 2012            KB5009586 (Monthly Rollup)                                KB5010797
Windows Server 2012 R2         KB5009595 (Security Update), KB5009624 (Monthly Rollup)   KB5010794
Windows Server 2016            KB5009546 (Security Update)                               KB5010790
Windows Server 2019            KB5009557 (Security Update)                               KB5010791
Windows Server 2022            KB5009555 (Security Update)                               KB5010796
 
For example, the February 2022 Cumulative Updates contain all of the updates listed in the January 2022 table above. The same pattern continues with each monthly security release: later cumulative updates carry these changes under new KB numbers.
 
Domain Controller OS version     February 2022 Cumulative Update   Includes the improvements and fixes of
Windows Server 2008 SP2          KB5010384                         KB5009627 (released January 11, 2022) and KB5010799 (released January 17, 2022)
Windows Server 2012              KB5010392                         KB5009586 (released January 11, 2022) and KB5010797 (released January 17, 2022)
Windows Server 2012 R2           KB5010419                         KB5009624 (released January 11, 2022) and KB5010794 (released January 17, 2022)
Windows Server 2016              KB5010359                         KB5009546 (released January 11, 2022) and KB5010790 (released January 17, 2022)
Windows Server 2019              KB5010351                         KB5009557 (released January 11, 2022) and KB5010791 (released January 17, 2022)
Windows Server 2022              KB5010354                         KB5009555 (released January 11, 2022) and KB5010796 (released January 17, 2022)
 

What are the steps to detect if the connected DC used by SteelHead appliance is affected by Microsoft security updates?

1. On the DC that the SteelHead uses to join or communicate with the domain, check whether the Microsoft 2022-01 Security Monthly Rollup, the Out-of-band patch, or a later Cumulative Update is installed. The following PowerShell commands list the OS version and the installed updates (Get-HotFix reports each update's KB number in its HotFixID column):

PS C:\> systeminfo | findstr OS
PS C:\> Get-HotFix
 
 

2. Go to the Microsoft Update Catalog portal and search for the installed KB patch ID. For example, searching for KB5011503 (Windows Server 2019) shows the January 2022 security updates KB5009557 and KB5010791 under the "Package Details" tab.
 
 
NOTE: Microsoft includes these security updates in its monthly Patch Tuesday cumulative updates for Windows Server, each time under a new security patch ID number.
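The two detection steps above can be combined into one check. The following script is an added example, not part of the Riverbed article: it compares the updates installed on each DC against the KB numbers from the two tables above, and when none matches it reports the newest installed update so that it can be looked up in the Update Catalog. It assumes the account running it can query the DCs remotely (Get-HotFix and Get-CimInstance use WMI/RPC), and the DC names DC01 and DC02 are placeholders.

```powershell
# Added example (not from the Riverbed article): flag the January/February 2022
# updates from the tables above on one or more domain controllers.
$AffectedUpdates = @{
    'KB5009627' = '2008 SP2 Jan';    'KB5010799' = '2008 SP2 Jan OOB';   'KB5010384' = '2008 SP2 Feb CU'
    'KB5009586' = '2012 Jan';        'KB5010797' = '2012 Jan OOB';       'KB5010392' = '2012 Feb CU'
    'KB5009595' = '2012 R2 Jan';     'KB5009624' = '2012 R2 Jan rollup'
    'KB5010794' = '2012 R2 Jan OOB'; 'KB5010419' = '2012 R2 Feb CU'
    'KB5009546' = '2016 Jan';        'KB5010790' = '2016 Jan OOB';       'KB5010359' = '2016 Feb CU'
    'KB5009557' = '2019 Jan';        'KB5010791' = '2019 Jan OOB';       'KB5010351' = '2019 Feb CU'
    'KB5009555' = '2022 Jan';        'KB5010796' = '2022 Jan OOB';       'KB5010354' = '2022 Feb CU'
}

function Test-DcForJan2022Updates {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($dc in $ComputerName) {
        # OS caption and installed hotfixes, same data as systeminfo / Get-HotFix above
        $os   = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc).Caption
        $hot  = Get-HotFix -ComputerName $dc
        $hits = $hot | Where-Object { $AffectedUpdates.ContainsKey($_.HotFixID) }
        foreach ($h in $hits) {
            [pscustomobject]@{
                DomainController = $dc; OS = $os; HotFixID = $h.HotFixID
                InstalledOn = $h.InstalledOn
                Release     = "Windows Server $($AffectedUpdates[$h.HotFixID])"
            }
        }
        if (-not $hits) {
            # Later cumulative updates carry the same changes under new KB IDs (see the
            # NOTE above), so "no match" is not proof the DC is unaffected: report the
            # newest installed update so it can be checked in the Microsoft Update Catalog.
            $latest = $hot | Sort-Object InstalledOn -Descending | Select-Object -First 1
            Write-Warning ("{0} ({1}): none of the listed KBs found; newest update is {2} ({3}), check it in the Update Catalog" -f $dc, $os, $latest.HotFixID, $latest.InstalledOn)
        }
    }
}

# Constructed usage: DC01 and DC02 are placeholder domain controller names.
Test-DcForJan2022Updates -ComputerName 'DC01', 'DC02' | Format-Table -AutoSize
```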
 



SOLUTION:

IMPORTANT:
Active Directory Integrated Mode (2008 and later) is deprecated in RiOS 9.12.2a and later. For additional information refer to KB article S35945.
• Any updates released January 11, 2022 and later that are installed on your domain controllers might cause the Netlogon secure channel to fail for a SteelHead appliance joined to the domain in Active Directory Integrated Mode (Windows 2008 and later).
• Deployments using WinSec Controller (WSC) physical or virtual appliances are not affected by the Microsoft 2022-01 security updates, because this platform does not need to be joined to the domain and meets Microsoft's tiered security model for optimizing the SMB protocol using secure negotiation. The WinSec Controller is a completely dedicated, non-network appliance that interacts with the domain controller as a Tier 0 entity. For more information, reach out to your Riverbed representative and visit riverbed.com to learn more.


Riverbed recommends performing a non-intrusive domain rejoin with Join Account Type (1) WORKSTATION or (2) BDC (also known as Active Directory Integrated Mode - Windows 2003).

Refer to KB article S35945 for the new joining modes available in RiOS 9.12.2a and later: (1) Kerberos Authentication (Workstation) or (2) NTLM authentication (BDC).

 
1. Change the joining mode to WORKSTATION.
This mode can be used with End to End Kerberos (eeKRB) environments where NTLM authentication is not required. See KB article S14342 containing Riverbed Best Practices for Domain Communication.
 
i. From a domain controller within the domain, change the userAccountControl attribute of the SteelHead machine account from the Active Directory Integrated Mode (Windows 2008 and later) RODC value 0x5011000 to the WORKSTATION trusted machine value 0x11000:
 
PS C:\> Set-ADComputer -Identity "<Steelhead_Hostname>" -Replace @{UserAccountControl=0x11000}
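The one-line Set-ADComputer command above replaces the attribute blindly. The script below is an added example, not part of the Riverbed article: it decodes the current userAccountControl bits of the SteelHead computer object, reports whether the account is disabled (symptom 4 above), only performs the replacement when the current value is the RODC value 0x5011000, and supports -WhatIf for a dry run. It assumes the ActiveDirectory RSAT module and rights to modify the object; <Steelhead_Hostname> is the placeholder from the article, and the flag constants are the standard ADS_UF_* userAccountControl bits.

```powershell
# Added example (not from the Riverbed article). Standard ADS_UF_* userAccountControl bits
# that make up the two values discussed above (0x5011000 = RODC, 0x11000 = WORKSTATION).
$UacBits = [ordered]@{
    ACCOUNT_DISABLE                = 0x2
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000   # the RODC bit
}
$RodcUac        = 0x5011000   # Active Directory Integrated Mode (Windows 2008 and later)
$WorkstationUac = 0x11000     # WORKSTATION trusted machine account

function Get-UacFlagNames([int]$Uac) {
    $UacBits.GetEnumerator() | Where-Object { ($Uac -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Convert-SteelHeadToWorkstation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    $obj = Get-ADComputer -Identity $Identity -Properties userAccountControl
    $uac = [int]$obj.userAccountControl
    Write-Host ("{0}: userAccountControl=0x{1:X} [{2}]" -f $obj.Name, $uac, ((Get-UacFlagNames $uac) -join ', '))
    if (($uac -band $UacBits.ACCOUNT_DISABLE) -ne 0) {
        Write-Warning "$($obj.Name) is disabled in ADUC (symptom 4 above); the rejoin needs a usable account."
    }
    # Compare ignoring the disable bit; touch nothing that is not the expected RODC value.
    if (($uac -band -bnot $UacBits.ACCOUNT_DISABLE) -ne $RodcUac) {
        Write-Warning ("Current value 0x{0:X} is not the RODC value 0x{1:X}; leaving it unchanged." -f $uac, $RodcUac)
        return
    }
    if ($PSCmdlet.ShouldProcess($obj.Name, ("Set userAccountControl to 0x{0:X}" -f $WorkstationUac))) {
        Set-ADComputer -Identity $Identity -Replace @{userAccountControl = $WorkstationUac}
        $after = [int](Get-ADComputer -Identity $Identity -Properties userAccountControl).userAccountControl
        Write-Host ("After: userAccountControl=0x{0:X} [{1}]" -f $after, ((Get-UacFlagNames $after) -join ', '))
    }
}

# Dry run first with -WhatIf, then repeat without it. <Steelhead_Hostname> is a placeholder.
Convert-SteelHeadToWorkstation -Identity '<Steelhead_Hostname>' -WhatIf
```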
 

 
ii. Rejoin the SteelHead appliance to the domain with Join Account Type: Workstation.
 
  • From UI Console, go to OPTIMIZATION > Active Directory > Domain Join: Domain Settings