Channel: Directory Services forum

AD sites with no subnets listed


Hi,

I was wondering what the implications/drawbacks are of having sites with no subnets listed in them. Bear in mind that on our network, clients are on a VLAN subnet which cannot ping the client VLAN on a remote site, so this prevents clients from using a remote DC.
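As an added example (not from the post), this Python script reproduces the site-lookup rule offline on a constructed topology: each client IP is assigned to the site whose configured subnet matches it most specifically, and any IP that matches no subnet, like any site that lists no subnets, is reported, since such clients get no site affinity and may be handed a DC on the far side of the unreachable VLAN. Site names, subnets and client addresses are all constructed.

```python
"""Offline AD site/subnet coverage check (added example; constructed data, not from the post)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample topology: site name -> subnets defined under Sites and Services
SITES: Dict[str, List[str]] = {
    "HQ": ["10.10.0.0/16"],
    "HQ-Lab": ["10.10.50.0/24"],   # more specific than HQ's /16
    "Branch-A": ["10.20.0.0/16"],
    "Branch-B": [],                # a site with no subnets listed
}


def site_for_ip(ip: str, sites: Dict[str, List[str]] = SITES) -> Optional[str]:
    """Site whose longest-prefix subnet contains ip, or None when no subnet matches.

    This is the rule the DC locator applies: the most specific matching subnet
    decides the client's site; no match means no site-aware DC selection.
    """
    addr = ipaddress.ip_address(ip)
    best: Optional[tuple] = None          # (prefix length, site name)
    for site, subnets in sites.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, site)
    return best[1] if best else None


def sites_without_subnets(sites: Dict[str, List[str]] = SITES) -> List[str]:
    """Sites that exist but can never be matched because they list no subnets."""
    return sorted(name for name, subnets in sites.items() if not subnets)


def unmapped_clients(ips: List[str], sites: Dict[str, List[str]] = SITES) -> List[str]:
    """Client addresses that fall outside every configured subnet."""
    return [ip for ip in ips if site_for_ip(ip, sites) is None]


if __name__ == "__main__":
    clients = ["10.10.50.7", "10.10.1.9", "10.20.3.4", "10.30.0.5"]  # constructed
    for ip in clients:
        print(ip, "->", site_for_ip(ip) or "NO SITE (any DC in the domain may be returned)")
    print("sites with no subnets:", sites_without_subnets())
    print("clients with no site:", unmapped_clients(clients))
```

On a real domain the same check can be fed the subnet list exported from Sites and Services and the client addresses seen in DC logon events.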

Thanks,

 


Time service issue: w32tm /resync fails with "access is denied" (0x80070005)


Hi,

we currently have a mix of Domain Controller operating systems:

- Windows Server 2016 (W2K16)

- Windows Server 2008 R2 (W2K8R2)

All FSMO roles are on W2K16 DCs.

We have a Time Service issue on W2K8R2 DCs for a few days.

First, we saw that the "Time Service" (w32tm) no longer existed on the DCs.

PS> w32tm /resync
The following error occurred: The specified service does not exist as an installed service. (0x80070424)

We could register Time Service:

PS> w32tm /register
W32Time successfully registered.

But when we tried to start w32time we got the following error:

PS> net start w32time
System error 1290 has occurred.
The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type  for this service was just configured, the hosting process must be restarted in order to start this service.

Afterwards we ran the following command:
PS> sc config w32time type= own
[SC] ChangeServiceConfig SUCCESS

Then we could start w32time.

We also checked in Event Viewer the time sync of the W2K8R2 DCs with the PDC Emulator. All worked well.

BUT, if we run the time resync manually in an elevated command prompt, we get the error:

PS> w32tm /resync
Sending resync command to local computer
The following error occurred: Access is denied. (0x80070005)

The same happens if we want to unregister w32tm:

PS> w32tm /resync
The following error occurred: Access is denied. (0x80070005)

I debugged the time service on the problem DCs. All sync works well.

Any idea?

Best regards

Birdal

'object * contains other objects are you sure you want to delete * object?' When trying to delete retired servers in AD


Hello All,

I am trying to remove old servers from AD and some state that 'object * contains other objects are you sure you want to delete * object?'. I changed the view and saw that these servers have one or both of these service folders:

IASIdentity

RouterIdentify

What is the correct/clean way to remove these and also ensure there are no issues afterwards? Please advise.

thank you

Brian Sawyer

How to Delegate Control to non Admin to add/remove "Direct Reports" in AD


I want to be able to grant rights to 2 people in the HR department to be able to modify the following fields (I am using the Delegate Control wizard):

General tab:

First name/Display name/Description/Office/Telephone number


Address tab:

Street/P.O. Box/City/State province/Zip Postal Code/Country region

Telephones tab:

Home/Pager/Mobile/Fax/IP phone/Notes

Organization tab:

Job Title/Department/Company/Manager/Direct Reports


note 1: If I use a .qds file (dsquery, OpenQueryWindow) on their desktop, everything but the "Manager" and "Direct Reports" fields is working.

note 2: If I use the MMC snap-in for Active Directory Users & Computers, it's too much access, plus the "Direct Reports" field still doesn't work.

How can I overcome this?

Tommy



How to Delegate Limited Control to non Admin


I want to be able to grant rights to 2 people in the HR department to be able to modify the following fields in AD (I am using Delegate Control wizard):

General tab:

First name/Display name/Description/Office/Telephone number

Address tab:

Street/P.O. Box/City/State province/Zip Postal Code/Country region

Telephones tab:

Home/Pager/Mobile/Fax/IP phone/Notes

Organization tab:

Job Title/Department/Company/Manager/Direct Reports


note 1: If I use a .qds file (dsquery, OpenQueryWindow) on their desktop, everything but assigning a "Manager" is working. They need to be able to assign a Manager.

note 2: If I use the MMC snap-in for Active Directory Users & Computers, everything works, but it's too much access. They would be able to add/remove users.

How can I overcome this?

Tommy






How to prove that FGPP is in effect

Hi All, I have successfully set up FGPP in Server Administration on Server 2012 with a customized password policy. However, I have auditors that need proof that the secure policy I implemented in FGPP is in effect. GPresult /r doesn't show any results other than the DDP, and the syntax 'Net Accounts /domain' doesn't show any proof that the policy is in effect either. It just shows the DDP. Any assistance would be appreciated.
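The value to show an auditor is the user's resultant PSO (the msDS-ResultantPSO attribute, also returned by Get-ADUserResultantPasswordPolicy), since gpresult and net accounts only ever report the domain-wide policy. This added Python example, not from the post, reproduces AD's resultant-PSO rules on constructed PSOs and group DNs so the expected answer for a given user can be checked by hand.

```python
"""Resultant PSO (fine-grained password policy) resolution: added example with constructed data."""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import uuid


@dataclass
class PSO:
    name: str
    precedence: int                 # msDS-PasswordSettingsPrecedence, lower wins
    guid: uuid.UUID                 # objectGUID, tie-breaker only
    applies_to: Set[str] = field(default_factory=set)  # msDS-PSOAppliesTo (user/group DNs)


def _winner(candidates: List[PSO]) -> Optional[PSO]:
    """Lowest precedence wins; an exact tie goes to the mathematically smallest GUID."""
    return min(candidates, key=lambda p: (p.precedence, p.guid.int)) if candidates else None


def resultant_pso(user_dn: str, member_of: Set[str], psos: List[PSO]) -> Optional[PSO]:
    """Effective PSO for a user, or None when the Default Domain Policy applies.

    member_of must be the user's transitive group set (nested groups count).
    A PSO linked directly to the user beats every group-linked PSO regardless
    of precedence; only if none is linked directly are group-linked PSOs compared.
    """
    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:
        return _winner(direct)
    via_groups = [p for p in psos if p.applies_to & member_of]
    return _winner(via_groups)


# Constructed sample: three PSOs, two of them sharing precedence 10
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
SERVICE_ACCTS = "CN=ServiceAccounts,OU=Groups,DC=corp,DC=example"
EMERGENCY_USER = "CN=emergency,OU=Users,DC=corp,DC=example"
PSOS = [
    PSO("PSO-Admins", 10, uuid.UUID(int=5), {DOMAIN_ADMINS}),
    PSO("PSO-Service", 10, uuid.UUID(int=2), {SERVICE_ACCTS}),
    PSO("PSO-Break-Glass", 50, uuid.UUID(int=9), {EMERGENCY_USER}),
]


def effective_policy_name(user_dn: str, member_of: Set[str]) -> str:
    """Name to compare against the user's msDS-ResultantPSO on the real domain."""
    pso = resultant_pso(user_dn, member_of, PSOS)
    return pso.name if pso else "Default Domain Policy"


if __name__ == "__main__":
    # In both groups: precedence ties at 10, so the smaller GUID (PSO-Service) wins
    print(effective_policy_name("CN=svc-backup,OU=Users,DC=corp,DC=example",
                                {DOMAIN_ADMINS, SERVICE_ACCTS}))
    # Directly linked PSO wins even though precedence 50 is worse than 10
    print(effective_policy_name(EMERGENCY_USER, {DOMAIN_ADMINS}))
    # No applicable PSO: the Default Domain Policy (what net accounts shows) applies
    print(effective_policy_name("CN=alice,OU=Users,DC=corp,DC=example", set()))
```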

Support analyst

DCPromo as RODC fails - Server 2016


I've been working on a DCPromo issue for about 6 months that I can't seem to get around.  Some of my specific details are a little fuzzy at this point since it's been so long but I tried the process 3 times in the last 24 hours & I still get a failure.

2016 servers were RWDC & I demoted them & then tried to DCPromo as RODC.  I continuously get these results:

The operation failed because:

While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.

"The replication operation failed because the target object referred by a link value is recycled."

I have tried deleting any related AD recycle bin records short of just deleting everything, which I'm not doing.  I'm searching by date, by server name & by "KRBTGT_" & deleting anything I find but the issue persists:

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server domaincontroller.domain.com | Where-Object {$_.DistinguishedName -like "*krbtgt_*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server pdc-necorp.nesl.com | Where-Object {$_.DistinguishedName -like "*xxxxxx*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server dhcp-necorp.nesl.com | Where-Object {$_.WhenChanged -gt "7/17/2018 4:00:00 PM"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

I've also waited over 30 days between attempts (after deleting the recycle bin items) - no good!

The only way around it is to promote as an RWDC again.

Any suggestions would be appreciated.

-Dave

ADFS farm on windows server 2016 NT SERVICE\MSSQL$MICROSOFT##WID Unknown user name or bad password.


Hi,

I am experiencing a problem on a newly deployed ADFS farm with Windows Server 2016. Everything is set up and relying party trusts are authenticating, but after a day or two one of the farm servers, at random, starts giving "Unknown user name or bad password" for account NT SERVICE\MSSQL$MICROSOFT##WID and stops authenticating. After rebooting the server experiencing the issue it starts to work again for a while.

The account has been set in the GPO "Log on as a service", as has NT SERVICE\ALL SERVICES, and I also confirmed that there are no GPOs blocking this setting.

The server has been rebooted and has the latest Windows updates installed. Any ideas how to fix this and prevent it from happening?

An account failed to log on.

Subject:
Security ID: NT SERVICE\MSSQL$MICROSOFT##WID
Account Name: MSSQL$MICROSOFT##WID
Account Domain:NT SERVICE
Logon ID: 0x1B9BE

Logon Type:3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:

Failure Information:
Failure Reason:Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID:0xa64
Caller Process Name:C:\Windows\WID\Binn\sqlservr.exe

Network Information:
Workstation Name:ADFS1
Source Network Address:-
Source Port: -

Detailed Authentication Information:
Logon Process:Authz   
Authentication Package:Kerberos
Transited Services:-
Package Name (NTLM only):-
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


Raising the DFL and FFL after migrating the domain from 2003 to 2012 R2 gives an error

We are facing an issue while raising the DFL and FFL. We are getting the error "You cannot raise the domain functional level because this domain includes Active Directory domain controllers that are not running the appropriate version of Windows". We have migrated all FSMO roles from 2003 to 2012, but at this time Windows 2012 and 2003 run together: Windows 2012 acts as PDC and Windows 2003 acts as ADC. Please suggest step by step how to raise the level.

GPO Replication problem


Hello,

We have 3 domain controllers. Two of them are in sync with GPOs.

DC1 and DC3 have 80 policies in sysvol folder.

DC2 has 85

The contoso.com policies folder contains 115 policies.

DFS is not reporting any error; I ran a health check, which says everything is super.

Can you help me solve this issue?

If you need more info or anything like that, let me know.

Thanks

MrGergely

Windows cannot create object because: The directory service unable to allocate a relative object


Dear All,

I am facing a problem regarding my AD servers. I have 3 domain controller servers:

1- DC (primary) 

2- ADC

3-VDC

Schema master               DC.noc.pil.com.pk
Domain naming master        DC.noc.pil.com.pk
PDC                         ADC-KHI.noc.pil.com.pk
RID pool manager            DC.noc.pil.com.pk
Infrastructure master       ADC-KHI.noc.pil.com.pk

My primary server's (DC) hard disk became faulty and the server is completely down. Now when I try to create a new user on my other domain controller it gives me the error in the subject.

My question is: is there any way that I can update my ADC to be the Schema, RID and Domain naming master (as my DC is completely down and there is no chance to bring it up)?

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.


I am getting the below error on my Windows Server 2012 domain controller, and it is getting restarted automatically.

I can find a hotfix only for Server 2012 R2, not for Server 2012.

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

Please advise.

Zombie AD DC appearing in dfsrmig process


A long time ago, we had a specific DC removed by an inexperienced admin, so we had to remove all related objects manually, using the Sites and Services tool, and make sure that all old objects were also removed, like deleting DNS records and also going through the ntdsutil metadata cleanup procedure.

So now I'm migrating from FRS to DFS-R and the migration tool is showing references to the old (and previously removed) DC:

dfsrmig /getMigrationState

The following Domain Controllers are not in sync with Global state ('Redirected'):

Domain Controller (Local Migration State) - DC Type
===================================================

OLD_SERVER_NAME ('Start') - Writable DC

OTHER1 ('Start') - Writable DC

OTHER2 ('Start') - Writable DC

Where the heck is this reference coming from?

As far as I know, this old server never had a DFS Namespace, and maybe it had DFS Replication for file services purposes, but anyway, why are these old references there if we got rid of this old DC a long time ago? (Now we have Win2008R2, Win2012R2 and Win2016, but at the time of the removal of this old DC there was only Win2008R2.)

Also, NETDOM QUERY DC shows the name of this old server too...

adprep /forestprep error when upgrading from 2012R2 to 2016


[2018/10/18:11:31:10.528]
ERROR: Import from file D:\support\adprep\sch78.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20181018113106\ldif.err.78.



If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.
[2018/10/18:11:31:11.559]
ERROR: The directory service refused the request for schema upgrade: 52 (Unavailable)



If the error code is "Insufficient Rights", make sure you supply a user who is a member of the schema admin group.
[2018/10/18:11:31:11.591]
Adprep was unable to upgrade the schema on the schema master.

[Status/Consequence]

The schema will not be restored to its original state.

[User Action]

Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20181018113106 directory for detailed information.
[2018/10/18:11:31:11.606]
Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20181018113106 directory for more information.

Entry DN: CN=Expiring Group Membership Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=corp,DC=xxxxxx,DC=com
Add error on entry starting on line 11: Server Down

An error has occurred in the program

Domain network connection is detected as Public


Hi,

I disabled the Hyper-V virtual switch option "Allow management operating system to share this connection" to have a dedicated physical network adapter for my virtual guest, a 2012 R2 domain controller. But after that, my network connection on the domain is treated as "Public", not Domain. I tried to change this using the command:

"Set-NetconnectionProfile -InterfaceAlias Ethernet -NetworkCategory Domain"

but I get the error: Unable to set NetworkCategory to 'DomainAuthenticated'. This NetworkCategory type will be set automatically when authenticated to a domain network.

I asked in hyper-v forum already but did not get any help. Please help.



Failed DCPROMO - First Domain Controller of a new Child Domain


Hi

I'm trying to create a new child domain (F) in a mixed 2012R2 / 2016 DC environment, best pictured as follows:

     Root
    /    \
   A      B
 /  |    |  \
C   D    E   F

Summary of domains

Root     - 2012 R2 DCs / Domain and Forest Functional Levels 2012R2
A, C, D  - 2012 R2 DCs / Domain Functional Level 2012R2
B        - 2016 DCs / Domain Functional Level 2016
E        - 2016 DCs / Domain Functional Level 2012R2
F        - Failing to create first DC

All replication and firewall rules appear to be fine; however, on trying to create the first domain controller for Domain F (basically the same setup as Domain E) I get the following error in the GUI:

The operation failed because

Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=…… from the remote Active Directory Domain Controller ….

"The replication operation encountered a database error"

DCPROMO.LOG on the server shows the following, and I'm struggling to find any relevant information for a fix:

-----------------------------------------

10/09/2018 10:17:20 [INFO] Replicating the schema directory partition
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS Replication / Replication : 2140
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest.  The Active Directory Domain Services is currently enabling or disabling one or more optional features.  Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed.  The Active Directory Domain Services will temporarily discontinue this replication request.  The replication request will be attempted again later.
Request Details:
Object being modified: CN=BootMachine,O=Boot
Attribute being modified: msDS-EnabledFeature
Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
Optional feature: Recycle Bin Feature
10/09/2018 10:17:20 [INFO] EVENTLOG (Warning): NTDS General / Internal Processing : 1173
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
e0010002
Parameter:
20d9
Additional Data
Error value:
8451
Internal ID:
11d0700
10/09/2018 10:17:20 [INFO] Error - Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=X,DC=Y from the remote Active Directory Domain Controller DC1.W.X.Y. (8451)
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac
10/09/2018 10:17:20 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.

------------------------------------------

All sensible suggestions gratefully received

Thanks

New to ADSI Edit - cannot find CN=Activation Objects,CN=Microsoft SPP,CN=Services,CN=Configuration


Hello Experts, I am trying to troubleshoot some Active Directory Based Activation / KMS related issues on our Windows desktop clients, and am using the ADSI Edit tool to make sure that the ADBA entries appear in our configuration. My understanding is that I need to look at CN=Activation Objects,CN=Microsoft SPP,CN=Services,CN=Configuration for some new activation objects, but I cannot even find the CN=Configuration object on our domain controller. Any idea what I am doing wrong?

How to check list users in my AD configured with "password never expires"?

How to check list of users in my AD configured with "password never expires"?

Event 2887 "performed without SSL/TLS:" vs "performed without signing"


Hello,

I have been using MS ATA to find systems & apps making clear text LDAP connections to our domain controllers and have reconfigured them to use SLDAP / port 636. I have the clear text connections down to zero, but the count for "performed without signing" is showing several thousand. (This is from event 2887 in the Directory Service log.) I want to set the GPO mentioned in this article: https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

My question is: could I break anything? No one is using clear text anymore, but there are a ton of non-signed connections. Can I block one and not the other? Thanks!

Number of simple binds performed without SSL/TLS: 0

Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 3267

Problem with Migrating Domain 2003 to 2008 R2


Dear ALL,,

I have a 2003 domain and I need to migrate to 2008 R2.

After upgrading the schema with adprep successfully in the 2003 domain,

I go to the 2008 R2 server to start the migration, open dcpromo, then

put in my domain and administrator password; then the server hangs, as in the attached file,

then it gives me the error "network not found", but I am sure the server is in the same IP range and on the same switch.

Both servers can ping each other. I can't continue the migration and my network has stopped.

Can anyone help me?

Please, this is urgent.

thanks for all.

Regards

 
