Channel: Directory Services forum
Event ID: 1058 and 1030

Hi,

I have a client case where our client has a Windows Server 2003 AD environment. On one member server (not a DC; it has the Terminal Server role) I receive the following error messages in the Event Viewer Application log every time I run "gpupdate /force":

Event ID 1030

and Event ID 1058

I have hidden the client's domain name for security reasons. Let's call the domain "domain.net". Let's say the problematic client server name is "SRV01" and the Domain Controller name is "DC01".

Here is how I have troubleshot this issue:

  1. Tried to ping domain.net - reply from one of the DCs (DC01) 192.168.100.100 (for example)
  2. Open \\domain.net\SysVol\domain.net\Policies\ share with Windows Explorer from SRV01 - working ok
  3. Open \\domain.net\SysVol\domain.net\Policies\{DA12E8D1-8712-40C6-BC86-91084100ED4A}\ share with Windows Explorer from SRV01 - not working (error message: Windows cannot find '\\domain.net\SysVol\domain.net\Policies\{DA12E8D1-8712-40C6-BC86-91084100ED4A}\'. Check the spelling and try again, or try searching for the item by clicking the Start button and then clicking Search.)
  4. Open \\DC01\SysVol\domain.net\Policies\{DA12E8D1-8712-40C6-BC86-91084100ED4A}\ - working ok!
  5. Clear client MUP cache (on SRV01) with command: "dfsutil /PurgeMupCache" - no help

Can you figure out based on this information what is the problem here? It seems weird to me that when using the domain name this folder does not open but when using the DC name instead of domain name, it does open. I have managed to repeat this problem (step 3.) on other servers as well but on some servers this works just fine. Any ideas what is causing this problem?

Thanks in advance for your answers and help!

Best regards,

Toni


www.triuvare.fi


Installing 1st 2012 DC to a Win 2003 Domain

I've seen posting: 
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/16d3e32b-ef01-459d-8426-74347aff4d89/

And looked at:
http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx

I've got ADS installed and at the promotion task I get past the first step to the second step, 'Domain Controller Options'. I get the warning about RODC (just as noted on the above blog) but the 'Next' button is grayed out. I can't get past it even though the blog above says to just go past the warning. And I don't have RODC checked either.

It's running fine, I just can't figure out how to get past that warning...

I have five DCs, all 2003 or 2003 R2. I want to replace the DC at this particular site but first I want to promote it to DC level and make sure everything is working fine first. The other DCs will stay at 2003.


Dan Reynolds Network Administrator BLDD Architects, Inc. 217-429-5105

Problems when running ADPREP32 upgrading old 2000 DC

I have an older 2000 AD network I am upgrading to 2008r2. I know the first step is to run an adprep32 /forestprep on the existing DC.

Keep in mind there USED to be an Exchange 2000 server on this network, but I have removed it entirely from the network using "How to completely remove Exchange 2000 or Exchange 2003 from Active Directory", which removes the Exchange 2000 org.

Now when I go to run the adprep32 /forestprep from 2008r2 media on the 2000 DC I get the following error message:

Adprep was unable to extend the schema.

[Status/Consequence]
There is a schema conflict with Exchange 2000. The schema is not upgraded.

FYI, my eventual goal is to bring Exchange 2010 up on another server after I upgrade the domain.

Thanks!


Help with ldifde export/import

Hi folks,
I need some help with ldifde export/import.
The goal is to export users, groups, and OU and import them to a test domain (in 2003 native mode, DCs running Win 2008 R2).
I have been using ldifde for exporting users and OU and have imported them, and that seems OK.
I exported the groups with members and got an error on that. Then I exported the groups without members and that seems OK.
Now I have to import the export of the groups with the members in change mode, I believe. I have not had success with that. Can anyone give me the ldifde string for that and how the import file should look?
Also, what would be your best practice in doing this? Domain names are like domain.local and testomain.local.
Thanks for any suggestions/help with this.
regards,
 Bjarni

How could I use ldifde with a trusted domain?

We have a trusted domain and I would like to query it with ldifde. (I can see that domain in ADUC.)

I tried

ldifde -b mydomain\myaccount targetdomainFQDN password -f test.txt

ldifde -b mydomain\myaccount targetdomainNetBiosDomainname password -f test.txt

ldifde -b myaccount targetdomainFQDN password -f test.txt

but, failed.

Active Directory Web Services Service will not start

The Active Directory Web Services service will not start on a 2008 R2 server with Exchange 2010.

System Specs: 
Dell PowerEdge T310
Dual Xeon 2.67GHz X3450
24Gb DDR3 RAM
Perc h700/1Gb BBWC 8 disks/ 3 volumes
Server 2008R2 SP1 Rollup 3
Exchange 2010 SP1 Rollup 7

Server has been in production since Jan. 2012 with no issues.

When attempting to start the service manually, I am presented with the error "Windows could not start the Active Directory Web Services service on Local Computer.  Error:1053: The service did not respond to the start or control request in a timely fashion."

Upon inspection of the error log, I see the following errors after a start attempt:

System:
EventID 7009
A timeout was reached (90000 milliseconds) while waiting for the Active Directory Web Services service to connect.

EventID 7000
The Active Directory Web Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

There are no log entries in the Application log, and there hasn’t been an entry in \Active Directory Web Services log since the end of last month. The last entry is:

EventID 1004
Active Directory Web Services has successfully started and is now accepting requests.

As far as I can tell by looking at the logs and checking AD and Replication, DNS, DFS, and everything else, all systems seem to be working except for ADWS.

I have done the following (in addition to hours of searching and research):

I added “<add key="DebugLevel" Value="Info" />” and “<add key="DebugLogFile" value="C:\ADWSLog\Adws_trace_log.txt" />” to the Microsoft.ActiveDirectory.WebServices.exe.config to enable logging, but the service doesn’t seem to be logging anything.

I have copied the “Microsoft.ActiveDirectory.WebServices.exe” file from another working server.

I have exported/imported registry keys from a working server.

I attempted to re-register the ADWS DLLs.

I have uninstalled/reinstalled hotfixes installed immediately prior to the point when the service stopped.

After that I installed all current updates to the system.

I am at a loss here, I have no idea what else to try.  I’m looking for any help or suggestions.

Thanks.

Single forest child domain installation on multiple root domains issue

I am trying to replicate a scenario where an organization will have multiple child domains associated to multiple root domains in the same forest. 

The child domain installation under the first root domain went fine because it is the first domain installed in the forest and it has the Enterprise Admins group permissions under Active Directory Users and Computers.

The problem occurs when I try to create a child domain under the second root domain, because it doesn't have the Enterprise Admins group permissions. And it says the child domain creation fails.

Is there a way to install child domains under multiple root domains in the same forest? 

Please let me know if you have answers 

DFS

Hi

Kindly explain to me the Distributed File System console and the DFS Management console.

In 2000 and 2003 only one console is available, where we can configure DFS, but in 2003 R2 two consoles are available: the Distributed File System console and the DFS Management console.

In 2008 only one console is available, called the DFS Management console.

I'm quite confused by the DFS consoles, please explain.


Problems with installing Certificate Services and SCCM 2007 client installation on Windows Server 2008.

So I installed Windows Server 2008 after that I installed Active Directory Domain Services, DHCP Server, DNS Server, File Services (I don't remember why), Network Policy and Access Services, Print Services, IIS.

I wanted to install SCCM 2007 and that required SQL Server, so I installed SQL Server 2008 R2. I configured it to run with a Domain Account.

After that I had to install Active Directory Certificate Services. I started the installation and followed this guide:

http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

At some point I was able to create the certificate for the SCCM 2007 installation to continue (I wanted it to run in native mode). After that I stopped going through the guide as I was successful and other stuff in the guide were just giving errors.

I installed SCCM 2007. Installed SP1, SP2, R2. I installed Forefront Security and when I tried to distribute it to the computers added in the DC it failed. The computers can be seen in All Systems but none of them have clients. So I clicked on one (PC1) and ran Install Client. Nothing happened. I went to the computer (PC1) and navigated to the log file: C:\Windows\system32\ccminstall\ccminstall.log

Here is the output of the file:

<![LOG[Updated security on object C:\Windows\system32\ccmsetup\.]LOG]!><time="19:59:46.568+-120" date="11-06-2012" component="ccmsetup" context="" type="0" thread="4204" file="ccmsetup.cpp:8849">
<![LOG[Sending Fallback Status Point message, STATEID='100'.]LOG]!><time="19:59:46.568+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4204" file="ccmsetup.cpp:9326">
<![LOG[State message with TopicType 800 and TopicId {B3119322-1521-4C96-A4C3-88206B90A50F} has been sent to the FSP]LOG]!><time="19:59:47.239+-120" date="11-06-2012" component="FSPStateMessage" context="" type="1" thread="4204" file="fsputillib.cpp:730">
<![LOG[Running as user "SYSTEM"]LOG]!><time="19:59:47.242+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmsetup.cpp:2690">
<![LOG[Detected 23742 MB free disk space on system drive.]LOG]!><time="19:59:47.242+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmsetup.cpp:463">
<![LOG[DetectWindowsEmbeddedFBWF() Detecting OS Version]LOG]!><time="19:59:47.242+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmsetup.cpp:509">
<![LOG[Client OS Version is 6.1, Service Pack Version 1]LOG]!><time="19:59:47.242+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmsetup.cpp:533">
<![LOG[Client OS is not a supported Windows Embedded Platform]LOG]!><time="19:59:47.242+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmsetup.cpp:535">
<![LOG[Ccmsetup is being restarted due to an administrative action. Installation files will be reset and downloaded again.]LOG]!><time="19:59:47.243+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmsetup.cpp:2774">
<![LOG[Successfully ran BITS check.]LOG]!><time="19:59:47.358+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmsetup.cpp:7105">
<![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="19:59:47.358+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmcert.cpp:204">
<![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates  present in 'MY' store of 'Local Computer'.]LOG]!><time="19:59:47.360+-120" date="11-06-2012" component="ccmsetup" context="" type="0" thread="4300" file="ccmcert.cpp:3518">
<![LOG[1 certificate(s) found in the 'MY' certificate store.]LOG]!><time="19:59:47.360+-120" date="11-06-2012" component="ccmsetup" context="" type="0" thread="4300" file="ccmcert.cpp:3547">
<![LOG[Only one certificate present in the certificate store.]LOG]!><time="19:59:47.360+-120" date="11-06-2012" component="ccmsetup" context="" type="0" thread="4300" file="ccmcert.cpp:3555">
<![LOG[SSL Registry key Software\Microsoft\CCM not found, assuming Client SSL is disabled.]LOG]!><time="19:59:47.360+-120" date="11-06-2012" component="ccmsetup" context="" type="2" thread="4300" file="ccmutillib.cpp:134">
<![LOG[The certificate issued to 'localhost' doesn't have 'Client Authentication' capability.]LOG]!><time="19:59:47.370+-120" date="11-06-2012" component="ccmsetup" context="" type="0" thread="4300" file="ccmcert.cpp:449">
<![LOG[Sending Fallback Status Point message, STATEID='315'.]LOG]!><time="19:59:47.370+-120" date="11-06-2012" component="ccmsetup" context="" type="1" thread="4300" file="ccmsetup.cpp:9326">
<![LOG[State message with TopicType 800 and TopicId {90EAF712-ABEB-4FFA-A2D8-D177B098BCFD} has been sent to the FSP]LOG]!><time="19:59:47.458+-120" date="11-06-2012" component="FSPStateMessage" context="" type="1" thread="4300" file="fsputillib.cpp:730">

So I thought that the problem is with the Certificate Services. I go as far as Step 7: Enrolling for an OCSP Response Signing Certificate, but I don't seem to get the certificate. Also I have changed step 6 to allow enroll, not only autoenroll, for the SERVER.

Also I have recreated the CA Exchange certificate.

Can you please tell me what I should do?

What are my next steps when trying to join a server to a DMZ domain and can only see RODCs?

Hello,

We are trying to join a server to a domain.  The domain is a DMZ domain with 2 R/W and 2 RODCs.  The server we are trying to join only has the AD ports open to the RODC and is 'firewalled off' from the R/Ws. 

I've prestaged the Computer Account on the R/W and pre-populated its password on the RODC, so the Computer Account is part of the Password Replication Policy and shows up in the 'Accounts whose passwords are stored on this Read-only Domain Controller'.

What are my next steps here to join the Computer object to the domain given I can only see RODCs and am 'Firewalled off' from the R/W DCs?


Thanks for your help! SdeDot

How to create new Active Directory sites?

How to create new Active Directory sites?

I have 1 DC & 1 Ex2003 on a site "LONDON". Now I am planning to create another site "Manchester" with 1 DC & 1 Ex2003 server.

London site IP subnet is  192.168.9.0
Manchester site IP subnet is 192.168.11.0

I am doing this in a test environment; to ping each other I am using Bridge Network, and have given alternate IPs to each network.

ADMT migration to lower level domain

Does anyone know if it's possible to migrate objects (users, groups etc.) from a Windows Server 2008 domain to another domain with Windows Server 2003 functional level? There is no mention in the documentation that the target domain level should be the same or higher than the source domain level. But I'm doubtful about the sets of objects' attributes on both sides: if a source object in the 2008 domain has some extra attributes that have not been introduced in the 2003 schema, how can such an object migrate?



convert Distribution Group to Security Group

Hi
Will there be any problem if I convert the group type from Distribution to Security?

These groups' scope is Universal.

Any help would be much appreciated, thank you.

Migrating Dc

I'm trying to transfer a domain from 2008 R2 to 2012. When I try to use the command adprep /forestprep, I am getting this error message.

D:\support\adprep>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other
key and press ENTER to quit.


c
Forest-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.


feroz syed ;)

Audit policy for AD

Are there any best practices on what to audit in a domain/AD from a security perspective?

What do you audit, and what do those audit logs help you prove/disprove/prevent/detect etc.?

Are there any guides from Microsoft on auditable options and the benefits doing so brings?

Thanks


W2k 2008 Trusts

Background:

OK, I have inherited a 3-site company, 'site' meaning physical properties in one company. One site has no DC, just a shared file server which I'm not worried about; we'll call it site 3. Sites one and two have their own forests and DCs and are connected via a cable internet VPN. My issue of course is to bring them into one, as there is a growing need to share files\folders etc. To start off with, I cannot even create a trust between them. Domain and forest level are 2008 (not R2), no reason, just what I stopped at, as they were in various flavors of domain and forest level when I got here. I do not push down any GPs (as of yet); I only use the servers at this point for authentication for file and folder sharing and DHCP.

Question:

Why can't I trust the domains?

Will migrating with ADMT 3.2 (to a site) be my answer? If so, what happens to the DCs at site 2 when I move them to 1?

Ideas?

I have done this multiple times with 2000, 2003 but don't seem to be able to find the solution for 2008.

When I run the trust, it fails right after putting in the information of the domains. I go no further; it gives me no details, just says "cannot finish".

reserve extension attribute12

How do I reserve extensionAttribute12 for use by the testing for GALSync filtering in Active Directory?

Does anybody have an idea on this?

Active Directory Directory Services Design - All comments/questions Needed!

Currently there are 20 physically dispersed locations. Physical locations are separated by as many as 1300 miles. Between these 20 locations there are an X number of forests and domains. (I believe X is irrelevant.) The end goal is to get all 20 locations under one forest/one domain in a centralized management style with a single location being the HQ. (All enterprise applications such as SCCM, SharePoint, Exchange, etc. will be centralized... to a degree.)

I am looking at standing up a new forest/domain CONCURRENTLY with the existing domain. I would request new subnets (separated by VLAN) for each location starting at the HQ.

SCCM will be rebuilt on new domain and as workstations are ready to be migrated, I would move workstations to new VLAN and use OSD deployments to rebuild and join workstations to new domain.

This is in a very tiny nutshell!!!

Comments???

unable to log in to SQL Server after installing Active directory Domain

Hi All,

I had installed SQL Server 2008 R2 on a Windows Server 2008 R2 machine. After that I installed the Active Directory domain on the same server machine and created a domain. I also added one user to the domain. After that I am unable to log in to SQL Server. It is showing an error on the server name; the error codes shown here are errorcode-2,10061,40.

Please get me a solution.

Thanks to all

DC locator

I have 4 DCs in my two sites.

I want to know how client machines (XP and Windows 7) get the nearest DC for authentication out of 4 DCs in the same site with the same IP subnet.
