Hi All,
I have received CSR files for which I need to provide the certificate, I have the access to issuing CA. Please advise what is the process for providing certificate using CSR. Thanks!!
Regards
Afsar
↧
Providing certificate using a CSR
↧
New domain trust - not receiving all options
Hi There,
We are trying to set up a new trust with one of our partners however we are not getting any of the options we are normally expecting, we want to set this up with a shared trust password instead of setting up user accounts in the other domain.
We have set up the necessary DNS zones as per this article - https://www.interfacett.com/blogs/how-to-configure-forest-level-trust-in-windows-server/
However when setting up the trust we are put straight onto this screen after entering the domain name (removed for privacy) and none of the options before it.
Any ideas?
Thanks
↧
↧
Can't Demote Windows 2012 R2 DC - DCPROMO - Access is denied. Account is in "Enable computer and user accounts to be trusted for delegation"
Hello!
I have two Windows Server 2012 R2 DC's which I'd like to demote from a domain leaving two Windows Server 2019 DC's to remain as the sole DC's. When I try to demote the 2012 R2 DC's I get a message "The operation failed because: The Active Directory Domain Services Installation Wizard (DCpromo.exe) would not configure the computer account <2012 DC> on the remote Active Directory Domain Controller <2019 DC>. Verify that the user running dcpromo.exe is granted the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy. The error was: Access is denied".
I tried both my domain admin account and the domain Administrator account and both get this same error. Both of these accounts are added to the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy.
"repadmin" shows that everything is replicated between all DC's. In fact the only hint that I see of any AD problem is that in the Group Policy Management is that from "Detect Now" on the status page, the two older DC's show that replication in progress. (And this never changes).
Anyone have any idea what I should look at? I suppose I could just do a "Force" on the DCPROMO demotion and then clean up the metadata by following the steps to manually remove a failed DC.
I appreciate anyone's help!
dave
↧
Identify potential domain joined computers.
Hello,
We need to deploy a very important group policy and we need to make sure every computer in the domain has a "healthy" connection to Active Directory and will get the GPO.
Is there a way to identify computers which are not connecting properly, secured channel is broken and so on?
Please advise.
Many thanks.
We need to deploy a very important group policy and we need to make sure every computer in the domain has a "healthy" connection to Active Directory and will get the GPO.
Is there a way to identify computers which are not connecting properly, secured channel is broken and so on?
Please advise.
Many thanks.
↧
GUI versus remote GUI or powershell for DNS (hint creates missing dns entries)
I have a rather interesting issue I'm hoping the community may be able to point me in the direction of what I should look at for troubleshooting the matter.
My first question is how does the DNS GUI retrieve DNS records?
I ask because when I'm logged directly into the Domain Controller I can see all DNS entries in the forward lookup zone for my domain. It then get interesting when I log into a management server and open DNS there, I connect to the same DC as above but
now I'm missing a number of records. (it would appear all computers on my domain can no longer translate these missing dns entry computer names to IP). However reverse lookup of the IP address do resolve to the name.
The plot get more interesting when I run the following powershell command on the DC the GUI shows all records.
Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -Filter "DomainName = 'THEDOMAIN'" | %{
$table += New-Object PSObject -Property @{
computer = $_.Ownername
ip = $_.ipaddress
}
}
the powershell command is suffering the same missing dns entries as all the rest, so I'm curious on how the GUI does the look up locally versus remotely.
This is obviously having a flow on affect as name resolution failure leads to monitor failures and connection issues.
This may be related but I'm unsure as I remove a security group from the network thatpenetration testing claimed they got access to members and therefore access to edit the domain admins group. however again when running effective permissions on the DC it should they did not have the rights, however connecting to the same DC from a management server the effective permissions should they did. (I tested with an account they didn't have the rights so it was a false positive result) I can't help but wonder if the two issues are linked.
one thought could be replication but surely connecting to the same DC (let alone running the powershell locally on the DC) would rule this out.
anyone have any thoughts on what paths I should be looking into? Currently running 2008 R2 level (there is a project to upgrade 2016 hopefully in the next month so who knows this could be my cure)
↧
↧
NTFRS 13552/13555 on a single DC.
Inherited a bit of a mess here.... I have one DC that has been in this condition for as far back as the logs go, which is 10/17/2015. I found the following article:
Since I have another DC with a clean ntfrs, I assume I would just want to perform steps 6 - 10 on the problematic DC? Is it really necessary to delete all those files manually, or can I just stop ntfrs, set burflag D2, and start ntfrs to recover from this?
Thanks!
↧
Verification of Directory Paths Failed - Does Not Point To Physical Drive
Hello,
I have installed Windows Server 2012 R2 on a temporary server because we are retiring old servers and have to have a Temporary Domain Controller. The server has an SSD installed. When installed AD DS on the server, I can not install because an error appears:"Verification of directory paths failed. The path does not point to a valid hard disk." I know many companies can run Windows Server on an SSD but I do not have a hard disk drive installed on the server. I have even tried plugging in an external HDD and pointing to it to store the directory files, but it will not accept that. Any ideas on why the server is being so stubborn?
Thanks,
Connor
↧
after promote RODC domain controller successfully but not showing in repadmin /replsum
Hello everybody,
I have windows server 2012 domain controller, and I have another server will be function as as RODC.
I promoted the server to be RODC server, the promotion was successfull and first i can see in domain controller by using repadmin /replsum. After several time, i checked it again by using repadmin /replsum and i cannot see my new RODC.
my domain controller and RODC are in same segment IP address.
I have tried to reinstall but still same problem.
Please help us to solve it.
Thank you.
Dodi.
↧
AD Home Directory disappearing from client randomly
Any help on this one would be appreciated.
We use AD home directories which map to a network location. Over the last couple of years(seems like maybe started with Windows 10) the home directory drive in file explorer on the client device. would either disappear all together, change its name to 'network drive' rather than the specific username, or would maintain the username label, but error when trying to access the drive. It also errors when its name changes to the generic 'network drive'.
It a random issues, that some users have more than others. generally the solution is to restart the device and it reappears, but that often takes a few restarts an lately sometimes even several restarts do not resolve the problem.
Has anyone else had similar issues in their environments? this issue only happens with Windows 10.
Thanks,
↧
↧
What is this icon mean?
from pic,
there are I: & L:
User have 2 drive access right...
User login well in other computer as she has permission on share folder(full control).....user get problem on own computer only.
Originally,
I: = \\DC\Common
L:= \\DC\Account
I use the trick that:
I: =\\192.168.x.x\Common
L:= \\DC\Account
Then both OK....but I would like to know what is it?
On her own computer,
User login I: and there is grey cross icon(A1) and one folder contain green circle(A2)...
User login L: well on her own computer....
On other computer, both network drives are OK.
What is the meaning?
↧
Unable to Disjoin and Rejoin Exchange server 2019
In my sandbox environment, I'm trying to disjoin and rejoin my exchange 2019 server from/to domain, but somehow i got the error as below.
I've tried to disable the network connection, disable exchanges services, but still failed. Any idea?
Thanks.
↧
DFS and roaming profiles and home folders
Guys,
When in a DFS environment, how should i create roaming profiles and home folders ? Anyone who has a decent tutorial for that?
I dont think it would be wise to let the profiles be synced. The homefolders could be synced by DFS, i guess.
thanks in advance.
↧
DNS not replicating - Server 2008 R2
For now, I am having to manually enter our DNS server into the ipv4 properties. If I don't I see our ISPs DNS listed using nslookup and other functions such as remote desktop and simply logging in are not working if those options aren't set.
When I logged into our DNS and ran a scan of the DNS role, I saw the error below. Would someone be able to give me advice on where to start looking for a solution?
Title:This domain controller must register a DNS SRV resource record, which is required for replication to function correctly
Severity:
Error
Date:
3/18/2019 3:13:54 PM
Category:
Configuration
Issue:
The "DcByGuid" DNS service (SRV) resource record that advertises this server as an available domain controller in the domain and ensures correct replication is not registered. All domain controllers (but not RODCs) in the domain must register this record.
Impact:
Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.
Resolution:
Ensure that "DcByGuid" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the DNS service (SRV) resource record "_ldap._tcp.cfd4b2cd-fced-4639-8bb2-8bf87a6873d0.domains._msdcs.westeastdesign.com", pointing to the local domain controller "GuadiSer2.westeastdesign.com", is registered in DNS.
More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=126968
↧
↧
DFSR replication with one hub and two spokes
Hi
I have a few questions about DFSR replication.
I have inherited a dfs setup with a windows server 2008 r2 as a hub server and two windows 2012 servers as spokes.
They are in 3 different locations.
What happens if dfs replication service is disabled on the hub server.
So the server is still online
It appears the two spoke servers are still replicating to each other.
Will this delete data or will it try and force the two servers to be the same.
Say if a folder is on one server but not on another will it delete it.
WHat happens when i bring the service back online on the hub server.
Need to turn it off to perform a backup
thanks
Jimi
↧
Local Administrators Group Members Strange Behavior
Hi i have a problem with Local administrators on Windows 10 computers. recently we deploy and update local administrator groups our windows 10 clients. We have group namedworkstation_admins(have members user1 and user2). We deploy GPO for clients and GPO applied ( with GPO preferences) and local administrator group shows correct members likedomain admins and workstation_admins. But thinks get interesting from now. user1 credentials accepted for example installing app but user2 credentials not accepted and gave error like this : this attempt required elevation
or something like that
↧
Active Directory Certificate Services disable
Active Directory Certificate Services is disabled automatically after 10-15 min
Dharmendra
↧
Enable Intranet zone enable
Hello,
i have create a group policy for internet explorer which is "*.domian.com" add in Local Intranet Site for auto login a application.
but now problem is internet security zone now disable and i can't add another site or domain. so, i need another GPO for enable.
see the below image.
↧
↧
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server AD1
Hello,
First thing this morning, I started experiencing issues with a few of my non PDC AD servers. Running DCDiag revealed a number of errors on the secondary DCs.
Here is my dcdiag output on the AD3 DC:
Doing initial required tests
Testing server: Site\AD3
Starting test: Connectivity
......................... AD3 passed test Connectivity
Doing primary tests
Testing server: Site\AD3
Starting test: Advertising
......................... AD3 passed test Advertising
Starting test: FrsEvent
......................... AD3 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... AD3 failed test DFSREvent
Starting test: SysVolCheck
......................... AD3 passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x8000061E
Time Generated: 03/18/2019 11:42:10
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 03/18/2019 11:42:10
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 03/18/2019 11:42:10
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 03/18/2019 11:42:10
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:42:10
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
A warning event occurred. EventID: 0x80000785
Time Generated: 03/18/2019 11:42:10
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 03/18/2019 11:42:10
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 03/18/2019 11:42:10
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 03/18/2019 11:42:10
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 03/18/2019 11:42:10
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
......................... AD3 failed test KccEvent
Starting test: KnowsOfRoleHolders
[AD1] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: AD1 is the Schema Owner, but is not responding to DS RPC Bind.
[AD1] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: AD1 is the Schema Owner, but is not responding to LDAP Bind.
Warning: AD1 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: AD1 is the Domain Owner, but is not responding to LDAP Bind.
Warning: AD1 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: AD1 is the PDC Owner, but is not responding to LDAP Bind.
Warning: AD1 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: AD1 is the Rid Owner, but is not responding to LDAP Bind.
Warning: AD1 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
Warning: AD1 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
......................... AD3 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... AD3 passed test MachineAccount
Starting test: NCSecDesc
......................... AD3 passed test NCSecDesc
Starting test: NetLogons
......................... AD3 passed test NetLogons
Starting test: ObjectsReplicated
......................... AD3 passed test ObjectsReplicated
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
AD3: Current time is 2019-03-18 11:42:45.
DC=ForestDnsZones,DC=ad,DC=domain,DC=com
Last replication received from AD2 at
2019-02-27 21:37:33
Last replication received from AD1 at
2019-02-27 21:38:13
DC=DomainDnsZones,DC=ad,DC=domain,DC=com
Last replication received from AD2 at
2019-02-27 21:37:33
Last replication received from AD1 at
2019-02-27 21:38:21
CN=Schema,CN=Configuration,DC=ad,DC=domain,DC=com
Last replication received from AD2 at
2019-02-27 21:37:33
Last replication received from AD1 at
2019-02-27 21:38:13
CN=Configuration,DC=ad,DC=domain,DC=com
Last replication received from AD2 at
2019-02-27 21:37:33
Last replication received from AD1 at
2019-02-27 21:38:13
DC=ad,DC=domain,DC=com
Last replication received from AD2 at
2019-02-27 21:37:33
Last replication received from AD1 at
2019-02-27 21:42:28
......................... AD3 passed test Replications
Starting test: RidManager
......................... AD3 failed test RidManager
Starting test: Services
......................... AD3 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x40000004
Time Generated: 03/18/2019 11:08:39
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ad1$. The target name used was ldap/AD1.ad.domain.com. This indicates that the target server failed to decrypt the ticket
provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can
also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the
server name is not fully qualified, and the target domain (AD.DOMAIN.COM) is different from the client domain (AD.DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 03/18/2019 11:12:10
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ad1$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/98e808a5-c419-48fa-b5b1-c64f03eb83df/ad.domain.com@ad.domain.com.
This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN
is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server
and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (AD.DOMAIN.COM) is different from the client domain (AD.DOMAIN.COM), check if there are identically named server accounts in these two
domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 03/18/2019 11:22:57
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ad1$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/98E808A5-C419-48FA-B5B1-C64F03EB83DF/ad.domain.com@ad.domain.com.
This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN
is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server
and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (AD.DOMAIN.COM) is different from the client domain (AD.DOMAIN.COM), check if there are identically named server accounts in these two
domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 03/18/2019 11:27:10
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ad1$. The target name used was LDAP/98e808a5-c419-48fa-b5b1-c64f03eb83df._msdcs.ad.domain.com. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the
account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured
to use the same password. If the server name is not fully qualified, and the target domain (AD.DOMAIN.COM) is different from the client domain (AD.DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified
name to identify the server.
......................... AD3 failed test SystemLog
Starting test: VerifyReferences
......................... AD3 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : ad
Starting test: CheckSDRefDom
......................... ad passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ad passed test CrossRefValidation
Running enterprise tests on : ad.domain.com
Starting test: LocatorCheck
......................... ad.domain.com passed test LocatorCheck
Starting test: Intersite
......................... ad.domain.com passed test Intersite
So I checked on the PDC and found the following:
Doing initial required tests
Testing server: Site\AD1
Starting test: Connectivity
......................... AD1 passed test Connectivity
Doing primary tests
Testing server: Site\AD1
Starting test: Advertising
......................... AD1 passed test Advertising
Starting test: FrsEvent
......................... AD1 passed test FrsEvent
Starting test: DFSREvent
......................... AD1 passed test DFSREvent
Starting test: SysVolCheck
......................... AD1 passed test SysVolCheck
Starting test: KccEvent
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:45:07
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:45:07
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local
site.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:45:07
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:45:07
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local
site.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:45:07
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:45:07
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local
site.
An error event occurred. EventID: 0xC000051F
Time Generated: 03/18/2019 11:45:07
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 03/18/2019 11:45:07
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local
site.
......................... AD1 failed test KccEvent
Starting test: KnowsOfRoleHolders
......................... AD1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... AD1 passed test MachineAccount
Starting test: NCSecDesc
......................... AD1 passed test NCSecDesc
Starting test: NetLogons
......................... AD1 passed test NetLogons
Starting test: ObjectsReplicated
......................... AD1 passed test ObjectsReplicated
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
AD1: Current time is 2019-03-18 11:50:47.
CN=Schema,CN=Configuration,DC=ad,DC=domain,DC=com
Last replication received from AD4 at
2019-02-27 15:00:11
CN=Configuration,DC=ad,DC=domain,DC=com
Last replication received from AD4 at
2019-02-27 15:00:11
DC=ad,DC=domain,DC=com
Last replication received from AD4 at
2019-02-27 15:00:12
......................... AD1 passed test Replications
Starting test: RidManager
......................... AD1 passed test RidManager
Starting test: Services
......................... AD1 passed test Services
Starting test: SystemLog
......................... AD1 passed test SystemLog
Starting test: VerifyReferences
......................... AD1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : ad
Starting test: CheckSDRefDom
......................... ad passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ad passed test CrossRefValidation
Running enterprise tests on : ad.domain.com
Starting test: LocatorCheck
......................... ad.domain.com passed test LocatorCheck
Starting test: Intersite
......................... ad.domain.com passed test Intersite
If I go into sites and services, and manually force the sync between AD3 and AD1, I get the following:
The following error occurred during the attempt to synchronize naming context CN=Configuration,DC=ad,DC=domain,DC=com from Domain Controller AD1 to Domain Controller AD3: The target principal name is incorrect.
The operation will not continue.
I've looked to see if there are duplicate SPNs on the PDC (AD1) but I don't see any duplicates.
The other odd thing is the result I get when I run the following:
C:\Windows\system32>netdom verify ad3
The secure channel from AD3 to the domain DOMAIN has been verified. The connection
is with the machine \\AD1.AD.DOMAIN.COM.
I'm not sure what broke. I haven't changed any admin passwords recently. I'm stumped. Any ideas or suggestions?
Thanks!
↧
2008R2 - Netdom.exe Broken
Hello,
reporting an issue with the last update. Netdom was broken with the last update on Server 2008R2. We are receiving "“The command failed to complete successfully” when running Netdom. After googling the error message we noticed others are experiencing this issue as well; below is a link detailing the issue and workaround others have tried.
https://serverfault.com/questions/958161/running-netdom-query-fsmo-on-domain-controller-fails/958340
Unfortunately, we do not have an old copy of Netdom.exe
Thank you,
↧
Clean up DFSR folder after replication group reconfiguration
Hi guys,
DFSR replication group(s) were reconfigured and now almost 500GB of iles left under E:\System Volume Information\DFSR folder.
The System Volume Information is not visible and I only can see it in TreeSize Free software.
Please advise if it is safe to delete files and and which folders I should delete.
Regards
↧