
Infra Apps for Single forest multiple domain


Hi,

Which one is the Microsoft recommended approach or best practice for implementing infra applications like Exchange, SCCM and SCOM in a single forest, multiple domain environment?

Shall we create a separate resource domain (for Exchange, SCCM, SCOM), or can we deploy them in the root domain?


Child Domain Error: Event ID 2974


Hi,

we have recently installed a domain, and the FQDN of the child domain is "PDC.PDC.ABC.com". We tried to install the ADC for the child domain. We found that our ADC is not able to contact PDC.PDC.ABC.com and the SYSVOL folder is empty.

So I suspect that the name of the child domain, "PDC", might be the issue. Please guide me.

We found the below error :

Event ID 2974:

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=TERMSRV/PDC
CN=PDC,OU=XXX Computers,DC=ABC,DC=com  Winerror: 8647

Get-ADPrincipalGroupMembership - Global Catalog Issues???


So I'm trying to understand if we have an issue here or not…

 

We have a PowerShell script that uses the Get-ADPrincipalGroupMembership cmdlet. 

 

One of our domain controllers was offline temporarily and the script suddenly started to fail with an error stating, "The server is not operational." When the domain controller came back online the script suddenly worked again.

 

From what I can tell, the Get-ADPrincipalGroupMembership cmdlet requires a global catalog to perform the group search, so I presume the domain controller in question was somehow the global catalog server of choice for the server running the script. However, I'm confused as to why the server would not simply try to locate another global catalog server in the site (of which there are two).

 

If I run Get-ADForest, I can see all the global catalog servers listed correctly. The DC in question has held FSMO roles in the past, but does not any longer.

 

So the question is, does the above behavior indicate some kind of issue? I wouldn't expect the loss of a single domain controller in a site with multiple domain controllers to cause this issue.
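One way to keep a script like the one described above from depending on whichever Global Catalog the locator last cached is to ask for a GC explicitly and fall through the forest's GC list when one is down. The snippet below is an added example, not the poster's script or Microsoft's code; it assumes the ActiveDirectory module on a domain-joined host, and the identity 'jdoe' in the usage line is a placeholder. The -Server parameter only pins the connection to the chosen GC; the cmdlet still needs some GC in the forest to answer.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# on a domain-joined host; the identity 'jdoe' in the usage line is a placeholder.
Import-Module ActiveDirectory

function Get-GroupMembershipViaGC {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $Identity)

    # Site-aware locator answer first; -ForceDiscover skips the cached DC so a GC
    # that has just gone offline is not handed back again. Then every other GC the
    # forest advertises, which is the same list Get-ADForest shows.
    $preferred  = [string](Get-ADDomainController -Discover -Service GlobalCatalog -ForceDiscover).HostName
    $candidates = @($preferred) + @((Get-ADForest).GlobalCatalogs | Where-Object { $_ -ne $preferred })

    foreach ($gc in $candidates) {
        try {
            $groups = Get-ADPrincipalGroupMembership -Identity $Identity -Server $gc
            Write-Verbose "Resolved group membership of $Identity via GC $gc"
            return $groups
        } catch {
            # "The server is not operational" (ADSI) and the ADWS "unable to contact"
            # errors both land here: record it and try the next GC instead of failing.
            Write-Warning ("GC {0} unusable: {1}" -f $gc, $_.Exception.Message)
        }
    }
    throw "No reachable Global Catalog among: $($candidates -join ', ')"
}

# Usage:
Get-GroupMembershipViaGC -Identity 'jdoe' -Verbose | Select-Object -ExpandProperty Name
```

The warning lines double as a record of which GC was skipped and why, which is the evidence you would want when deciding whether a single offline DC should have been able to break the script at all.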



Question on "Restrictions for Unauthenticated RPC Clients: The group policy that punches your domain in the face"


The link below talks about RPC settings for clients in a GPO. My question is: if this setting is enabled, but only on desktops, can it still cause issues?

https://blogs.technet.microsoft.com/askds/2011/04/08/restrictions-for-unauthenticated-rpc-clients-the-group-policy-that-punches-your-domain-in-the-face/

W7: Locked user account - "Road warrior" - how to get them back "online"


Hi everyone,

I locked a user yesterday because of problematic traffic and kicked him out of the VPN.

Today I inspected his notebook after re-enabling the user and everything was fine. So I thought...

After lunch he called and said he cannot log in because his account is disabled. In AD his account was enabled in the morning.

So we are stuck at the login screen. He has no possibility to go to an office. We have a dummy user that can log in and start a VPN session. So I thought: runas user, and then the client would save the unlocked state of this user.

Well, it did not. How do I re-enable a remote worker after he got disabled?

My next approach is "Switch user"; I hope this will work. But what is best practice here?


Regards, Stephan

How to keep the same both Active Directory servers in isolated network?


We operate two AD servers. I want to add one server to operate the same domain as necessary. However, unlike the two existing servers, the network that will be added must be secure and isolated.

Assuming that the ports needed for synchronizing AD between the two networks should be blocked for security reasons, I would like to get your experience or technical knowledge of what method is best to use. Also, it would be better if you let me know the ports that should be open at minimum when using the method.

If possible, please tell me the way to do it with a well-known tool or PowerShell.

Thanks a lot!

Windows Server 2012 DCPromo fails: The directory service on XYZDC has not finished initializing.


No FSMO roles on this DC.

The server was being promoted; after the reboot I could log in, but could not open anything from system32 ("Access Denied"). After a while this error fixed itself, but now the DNS service is not starting:

"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed." Event ID 4013

Any idea will be much appreciated.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          6/11/2018 4:23:46 PM
Event ID:      1557
Task Category: Replication
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      XYZDC11.com.au
Description:
This directory server has not completed a full synchronization of the following directory partition. This directory server will not available to clients until this task is completed.
 
Directory partition:
DC=com.au
 
An attempt to complete a full synchronization of this directory partition will be tried again later.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="16384">1557</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-06T05:23:46.304087400Z" />
    <EventRecordID>529</EventRecordID>
    <Correlation />
    <Execution ProcessID="492" ThreadID="1460" />
    <Channel>Directory Service</Channel>
    <Computer>XYZDC11.com.au</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>DC=Com,DC=au</Data>
  </EventData>
</Event>

Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> dcdiag /kcc
Invalid Syntax: Invalid option /kcc. Use dcdiag.exe /h for help.
PS C:\Windows\system32> repadmin /kcc

Repadmin: running command /kcc against full DC localhost
XYZDC
Current Site Options: (none)
Consistency check on localhost successful.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = XYZDCDC11
   The directory service on XYZDCDC11 has not finished initializing.
    In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with
   at least one replica of this server's writeable domain.  It must also obtain Rid information from the Rid FSMO
   holder.
    The directory service has not signalled the event which lets other services know that it is ready to accept
   requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider
   this system as an eligible domain controller.
   * Identified AD Forest.
   The directory service on XYZDCDC11 has not finished initializing.
    In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with
   at least one replica of this server's writeable domain.  It must also obtain Rid information from the Rid FSMO
   holder.
    The directory service has not signalled the event which lets other services know that it is ready to accept
   requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider
   this system as an eligible domain controller.
   Done gathering initial info.

Doing initial required tests

   Testing server: XYZDC\XYZDCDC11
      Starting test: Connectivity
         The directory service on XYZDCDC11 has not finished initializing.
          In order for the directory service to consider itself synchronized, it must attempt an initial
         synchronization with at least one replica of this server's writeable domain.  It must also obtain Rid
         information from the Rid FSMO holder.
          The directory service has not signalled the event which lets other services know that it is ready to accept
         requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not
         consider this system as an eligible domain controller.
         ......................... XYZDCDC11 passed test Connectivity

Doing primary tests

   Testing server: XYZDC\XYZDCDC11
      Starting test: Advertising
         Warning: the directory service on XYZDCDC11 has not completed initial synchronization.
         Other services will be delayed.
         Verify that the server can replicate.
         Warning: DsGetDcName returned information for\\XYZDCDC02.domain.com, when we were trying to reach XYZDCDC11.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... XYZDCDC11 failed test Advertising
      Starting test: FrsEvent
         ......................... XYZDCDC11 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... XYZDCDC11 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... XYZDCDC11 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 11/06/2018   16:27:18
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the followin
g directory service has consistently failed.
         ......................... XYZDCDC11 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... XYZDCDC11 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... XYZDCDC11 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... XYZDCDC11 passed test NCSecDesc
      Starting test: NetLogons
         ......................... XYZDCDC11 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... XYZDCDC11 passed test ObjectsReplicated
      Starting test: Replications
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: A full synchronization is in progress
            from GOULBDC01 to XYZDCDC11
            Replication of new changes along this path will be delayed.
            The full sync is 0 percent complete.
         [Replications Check,XYZDCDC11] A recent replication attempt failed:
            From XYZDCDC02 to XYZDCDC11
            Naming Context:
            The replication generated an error (8461):
            The replication operation was preempted.
            The failure occurred at 2018-11-06 16:31:21.
            The last success occurred at (never).
            1 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         XYZDCDC11: A full synchronization is in progress
            from XYZDCDC02 to XYZDCDC11
            Replication of new changes along this path will be delayed.
            The full sync is 87 percent complete.
         ......................... XYZDCDC11 failed test Replications
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from CN=XYZDCDC11,OU=Domain Controllers,
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
         ......................... XYZDCDC11 failed test RidManager
      Starting test: Services
         ......................... XYZDCDC11 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 11/06/2018   15:38:55
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and t
his server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 11/06/2018   16:22:27
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you s
hould use only static IPv6 addresses.
         An error event occurred.  EventID: 0x00000416
            Time Generated: 11/06/2018   16:22:28
            Event String:
            The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain domain.com, has dete
rmined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons f
or this:
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 11/06/2018   16:22:48
            Event String:
            The request for a new account-identifier pool failed. The operation will be retried until the request succee
ds. The error is
         ......................... XYZDCDC11 failed test SystemLog
      Starting test: VerifyReferences
         ......................... XYZDCDC11 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : dec
      Starting test: CheckSDRefDom
         ......................... dec passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... dec passed test CrossRefValidation

   Running enterprise tests on : domain.com
      Starting test: LocatorCheck
         ......................... domain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.com passed test Intersite
PS C:\Windows\system32>
PS C:\Windows\system32> repadmin
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:<retries>][:<delay>]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:<cmd>    Displays the list of possible arguments <args>, appropriate
            syntaxes and examples for the specified command <cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.


Supported <cmd> commands (use /?<cmd> for detailed help):
     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the  DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
              partners.

Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp


Note: Most commands take their parameters in the order of "Destination or
      Target DSA_LIST", then a "Source DSA_NAME" if required, and finally the
      NC or Object DN if required.

        <DSA_NAME> (or <DSA_LIST>) is a Directory Service Agent binding
        string. For Active Directory Domain Services, this is simply a network
        label (such as a DNS, NetBios, or IP address) of a Domain Controller.
        For Active Directory Lightweight Directory Services, this must be a
        network label of the AD LDS server followed by a colon and the LDAP
        port of the AD LDS instance
            Examples (AD DS):  dc-01
                               dc-01.microsoft.com
            Examples (AD LDS): ad-am-01:2000
                               ad-am-01.microsoft.com:2000

      <Naming Context> is the Distinguished Name of the root of the NC
            Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with International or
      Unicode characters will only display correctly if appropriate fonts and
      language support are loaded.
PS C:\Windows\system32> repadmin


NSW DECC

Remove 2008 Domain Controller from the domain


Hi,

We are replacing a Server 2008 R2 domain controller with a Windows Server 2012 R2 domain controller at a remote site. We installed a server running Windows Server 2012 R2 and Active Directory. In order to test that the new server was functioning correctly, we shut down the 2008 R2 server. Unfortunately, we have not been able to get back to the remote site for over a week, and now we would like to boot up the 2008 R2 server and remove Active Directory from it. Is it all right to boot up the 2008 server, since it has been off the network for so long? Additionally, no new users have been created, and no security changes have been made in the last week. Please let me know if we can bring the 2008 server back online without any issues, so that we may remove AD from it.

Thanks in advance.

Ed Khan


During past x amount of hours 37 connections to this domain controller?


Hey friends,

I am trying to troubleshoot the cause of one of my domain controllers (VMware virtual servers) shutting down last night, and while looking through the System log in the Event Viewer I spotted something that I am trying to determine how concerned I should be about. The first sentence concerns me the most, because I am not sure if it's an issue or not. At that location we do have users from other offices go there and log in, so they should be hitting that domain controller anyway.

Also, in Computer Management, under Shared Folders, I looked at the "Sessions" folder and can see a mix of computers authenticated that are local to that site and also some from other sites; I am thinking those are visitors to the office?

Below is from the System log in the Event Viewer.

During the past 4.21 hours there have been 60 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.


Phil Balderos
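The event text above spells out the file to read and the field layout: lines containing NO_CLIENT_SITE:, then the client name, then the client IP. The script below is an added example (not from the post or from Microsoft) that parses such lines and collapses the distinct client IPs into candidate subnets to create in Sites and Services. The log lines embedded in it are constructed to mimic netlogon.log entries; only the NO_CLIENT_SITE: field order described by the event is relied on, and the /24 prefix is an assumption to be replaced by your real subnet plan.

```powershell
# Added example, not from the original post. The log lines below are constructed to
# mimic netlogon.log NO_CLIENT_SITE entries; only "NO_CLIENT_SITE: <name> <ip>" is
# relied on, as the event text describes. Real use:
#   Get-NoClientSiteReport -Lines (Get-Content "$env:SystemRoot\debug\netlogon.log")
$sampleLog = @'
11/06 08:12:01 [MISC] [1204] CONTOSO: NO_CLIENT_SITE: WKS-4471 10.40.12.17
11/06 08:12:05 [MISC] [1204] CONTOSO: NO_CLIENT_SITE: WKS-4471 10.40.12.17
11/06 08:13:22 [MISC] [1204] CONTOSO: NO_CLIENT_SITE: LT-0921 10.40.12.88
11/06 08:15:40 [MISC] [1204] CONTOSO: NO_CLIENT_SITE: LT-3302 192.168.77.5
11/06 08:16:02 [MISC] [1204] CONTOSO: DsGetDcName function called: client PID=812
'@

function Get-SubnetForIP {
    # Zero the host bits of an IPv4 address and return "network/prefix".
    param([string] $IP, [int] $PrefixLength)
    $addr = [System.Net.IPAddress]::Parse($IP)
    if ($addr.AddressFamily -ne 'InterNetwork') { return "$IP (IPv6, review manually)" }
    $bytes = $addr.GetAddressBytes()          # big-endian octets
    $full  = [math]::Floor($PrefixLength / 8) # octets kept whole
    $rem   = $PrefixLength % 8                # bits kept in the boundary octet
    for ($i = 0; $i -lt 4; $i++) {
        if ($i -lt $full) { continue }
        if ($i -eq $full -and $rem -gt 0) {
            $bytes[$i] = [byte]($bytes[$i] -band ((0xFF -shl (8 - $rem)) -band 0xFF))
        } else {
            $bytes[$i] = 0
        }
    }
    return ('{0}/{1}' -f ($bytes -join '.'), $PrefixLength)
}

function Get-NoClientSiteReport {
    param(
        [Parameter(Mandatory)][string[]] $Lines,
        [int] $PrefixLength = 24   # assumption: propose /24 subnets
    )
    # First word after NO_CLIENT_SITE: is the client name, second is its IP.
    $hits = foreach ($line in $Lines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)') {
            [pscustomobject]@{ Client = $Matches[1]; IP = $Matches[2] }
        }
    }
    # Repeated hits for the same client are one client; group distinct pairs by subnet.
    $hits | Sort-Object Client, IP -Unique |
        Group-Object -Property { Get-SubnetForIP -IP $_.IP -PrefixLength $PrefixLength } |
        ForEach-Object {
            [pscustomobject]@{
                ProposedSubnet = $_.Name
                ClientCount    = $_.Count
                Clients        = ($_.Group.Client -join ', ')
            }
        }
}

Get-NoClientSiteReport -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed input this yields two rows, 10.40.12.0/24 with two clients and 192.168.77.0/24 with one; the unrelated DsGetDcName line is ignored. The same report is useful beyond site hygiene: a proposed subnet that does not belong to any network you own is a client authenticating from somewhere it should not be, which is worth a closer look before creating a subnet object for it.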

Multi-Site Replication and Site Targeting


Hi All, 

This should be quite a simple one to answer hopefully. 

We are two physical datacenter sites, Site A and Site B. We are using a stretched VXLAN across both sites, so where we would previously have set up AD sites to represent each physical site and control replication, we can't do that here.

In terms of AD, it all appears on the same network regardless of physical location globally. Does anyone have any ideas on how we could manage excess east / west traffic in this situation? I'm currently considering DNS weightings but there may be a better way. 

Thanks in advance !

M

Microsoft Edge GPO


Hi Guys,

we have a slight issue with Microsoft Edge which cannot be resolved with our current build and we need to revert to I.E. as our default browser.

Can anyone let me know if there is a GPO that can disable Microsoft Edge and ENABLE Internet Explorer. Any information would be greatly received.

Regards.

ONE ADC not replicating


We have configured one additional domain controller in my environment; for the last few days the server has not been replicating with my domain controller.

While running dcdiag /e I get the error below.

Got error while checking if the DC is using FRS or DFSR. Error:
Win32 Error 81
The VerifyReferences, FrsEvent and DfsrEvent tests might fail
because of this error.

Also, while doing manual replication from Sites and Services, I get the error below.

The naming context is in the process of being removed or is not replicated from the specified server.

 

lsass.exe terminated unexpectedly with status code 1


Can anyone help me to fix the issue? One of our domain controllers, running Windows Server 2012 R2, keeps rebooting frequently, like 2 times in 10 days, with the error below.

System process lsass.exe terminated unexpectedly with status code 1

Also, do we have any detailed article that explains the error code/status values?


D.K Konar. NMS


What does "CN" stand for?


I've heard it being referred to as "Container", "Canonical Name" and "Common Name". I'm confused.

Also, does it always have to be the last object in the chain? Is it a leaf object?


Grant Ward, a.k.a. Bigteddy

What's new in Powershell 3.0 (Technet Wiki)

Failed DCPROMO - First Domain Controller of a new Child Domain


Hi

I'm trying to create a new child domain (F) in a mixed 2012 R2 / 2016 DC environment, best pictured as follows:

     Root
    /    \
   A      B
 /  |    |  \
C   D    E   F

Summary of domains

Root     - 2012 R2 DCs / Domain and Forest Functional Levels 2012 R2
A, C, D  - 2012 R2 DCs / Domain Functional Level 2012 R2
B        - 2016 DCs / Domain Functional Level 2016
E        - 2016 DCs / Domain Functional Level 2012 R2
F        - Failing to create first DC

All replication and firewall rules appear to be fine; however, on trying to create the first domain controller for Domain F (basically the same setup as Domain E) I get the following error in the GUI:

The operation failed because

Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=…… from the remote Active Directory Domain Controller ….

"The replication operation encountered a database error"

DCPROMO.LOG on the server shows the following, and I'm struggling to find any relevant information for a fix:

-----------------------------------------

10/09/2018 10:17:20 [INFO] Replicating the schema directory partition
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS Replication / Replication : 2140
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest.  The Active Directory Domain Services is currently enabling or disabling one or more optional features.  Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed.  The Active Directory Domain Services will temporarily discontinue this replication request.  The replication request will be attempted again later.
Request Details:
Object being modified: CN=BootMachine,O=Boot
Attribute being modified: msDS-EnabledFeature
Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
Optional feature: Recycle Bin Feature
10/09/2018 10:17:20 [INFO] EVENTLOG (Warning): NTDS General / Internal Processing : 1173
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
e0010002
Parameter:
20d9
Additional Data
Error value:
8451
Internal ID:
11d0700
10/09/2018 10:17:20 [INFO] Error - Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=X,DC=Y from the remote Active Directory Domain Controller DC1.W.X.Y. (8451)
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac
10/09/2018 10:17:20 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.

------------------------------------------

All sensible suggestions gratefully received

Thanks


Impact of raising forest functional level


Apologies for dumb question. We raised our domain functional level from Server 2003 to Server 2008 R2 a few months ago, but completely overlooked the forest functional level, which is still at 2003. We only have the one domain though, so is there any issue with raising the forest level that I should be aware of? 

Background... Being overly paranoid here. Prior to introducing our first Server 2016 DC, we had to raise our domain functional level, as it was still on Server 2003 and we were still using FRS for Sysvol replication. We had long since decommissioned our last Server 2003-based DCs. No replication errors showed up at the time. But when I raised the domain functional level from 2003 to 2008 R2, that caused all user passwords in our domain to expire. That was not a good day. As it turns out, there was a fine grained password policy in place that for some reason took precedence over our default domain policy when I raised the domain functional level. I've since removed the FGP, as it should never have been there, and things seem OK so far. But as I say, now I'm a bit paranoid, as I had been reading up on raising the domain functional level and couldn't find anything that would suggest that would happen. We used to have Exchange years ago but switched to Gmail. We do have some basic Azure AD connectivity.

Thanks,

Syd

Add mac address (hardware) attribute to AD schema


Hi,

I want to add a physical MAC address (thin client) attribute to the AD schema, in an environment where users log on through a Remote Desktop server (Windows Server 2012 R2) from thin clients. Any script, 3rd party tool, or guidelines?

Regards


Rox_Star

Permission on AD user account keeps reverting


We have an account that exists to host a mailbox. This mailbox is accessed by multiple users. If I try to give a user Send As permission, it works for a while and then the permission reverts and the Send As access is lost.

The other permissions, Full Access and Send on Behalf, work fine. It is not a protected account or in any protected group (though it may have been at one time; I don't know). It is just a normal mailbox on Exchange 2016.

Remote Desktop Connection: An authentication error has occurred. The Local Security Authority cannot be contacted


Hi All,

I have 2 Active Directory servers running Windows Server 2012.
After installing Windows updates, I got an issue: I cannot use RDP, with this error:

An authentication error has occurred.
The Local Security Authority cannot be contacted
Remote computer: <server IP address>
This could be due to an expired password
Please update your password if it has expired.

While I'm using the hostname, there's no error and I can remote to the server smoothly. Can anyone help me?


BR,
HariseRo



LastLogonTimestamp Shows Future Date - showobjmeta shows f191c38d-bdea-4cb4-862d-24ed6f996ed1 instead of DC Name


I have several machines that show a last logon in the future.

I ran repadmin /showobjmeta DC "OU Paths" >temp.txt and the output for the DC looks like a GUID.

Loc.USN                          Originating DSA                       Org.USN  Org.Time/Date            Ver Attribute

38623490      f191c38d-bdea-4cb4-862d-24ed6f996ed1   3555424 2032-04-21 08:22:12   78 lastLogonTimestamp

Should be something like

38623490                             City\DCNAME                      3555424 2018-10-03 08:22:12   78 lastLogonTimestamp


Is there a way to get AD to report this correctly?



- LZ

