Channel: Directory Services forum
Viewing all 31638 articles

Active Directory forest functional level 2016 downward compatibility with Integrated Windows Authentication service 2003


hi,

My company is planning to update the Active Directory forest functional level to 2016, but we are wondering if it is downward compatible with the Integrated Windows Authentication (IWA) service 2003. What are the important things to check before raising the forest functional level to 2016?


Control which DC a server/app talks to


I have a pair of DCs in one location (Azure) and another DC in another location. All are replicating correctly, dcdiag is confirming everything is good. Replication between sites is set to USE_NOTIFY, too, but my issue is present even within a single site.

Now, within the Azure subnet, on a Windows machine say CCC01, I run an application (Java, no source code available) that creates a Domain Group (using LDAP) and seemingly picks a random DC to do that (which should be OK, anyway). That is successful, but mostly uses the DC in the other location, which I would.

It also creates a directory within a file share on a fail-over cluster (FS01 + FS02 forming SOFS), and then delegates the permission assignment to another Windows machine, say CCC02. That permission assignment (running on CCC02) to the folder fails with the error message that the domain group does not exist. And indeed, the domain group takes a couple of seconds (15-20 usually) to be replicated to all DCs, so I am guessing that CCC02 (or one of the FS0* machines?) at that stage is querying a different DC than where the group was actually created.

So, my question is, short of only leaving one DC in the infrastructure, is there any way to tell CCC01 and CCC02 (or would I have to include FS01 and FS02, too?) to actually work with DCs in a specific order?

Of course, if the program was mine, I'd change that behavior altogether, but that's not an option in this case.

Hope somebody has an idea that can help...

Thanks!

Joerg.

domain controller has wrong time please help


How do I fix the time on my PDC???

C:\Windows\system32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name:  "LOCL")
Last Successful Sync Time: 4/26/2019 7:59:12 PM
Source: Local CMOS Clock
Poll Interval: 6 (64s)
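The status block above is the classic signature of a PDC emulator running on its own CMOS clock (ReferenceId LOCL, Source "Local CMOS Clock", root dispersion pinned at 10 s), which matters because every other DC and client in the domain chains its time to this machine and Kerberos depends on clock agreement. The following is an added example, not code from the post or from Microsoft: it parses w32tm /query /status output and reports why the clock is not anchored to an upstream reference. The "healthy" sample, its IP address and stratum are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: the w32tm /query /status output quoted in the post above.
PDC_STATUS = """\
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name:  "LOCL")
Last Successful Sync Time: 4/26/2019 7:59:12 PM
Source: Local CMOS Clock
Poll Interval: 6 (64s)
"""

# Constructed sample of a DC chained to an NTP peer (address and stratum made up).
HEALTHY_STATUS = """\
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Root Dispersion: 0.0312500s
ReferenceId: 0xC0A80001 (source IP:  192.168.0.1)
Source: 192.168.0.1,0x8
"""

def parse_w32tm_status(text: str) -> Dict[str, str]:
    """Turn each 'Key: value' line into a dict entry (keys and values trimmed)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def reference_id_name(value: str) -> str:
    """Decode the 32-bit ReferenceId as four ASCII bytes; 'LOCL' marks the local clock."""
    m = re.match(r"0x([0-9A-Fa-f]{8})", value)
    return bytes.fromhex(m.group(1)).decode("ascii", errors="replace") if m else ""

def assess_time_source(text: str) -> List[str]:
    """Findings that mean this DC's clock is not anchored to an upstream reference."""
    f = parse_w32tm_status(text)
    findings: List[str] = []
    ref = reference_id_name(f.get("ReferenceId", ""))
    if ref == "LOCL" or f.get("Source", "").startswith("Local CMOS Clock"):
        findings.append("time source is the local CMOS clock: nothing corrects drift")
    stratum = re.match(r"\d+", f.get("Stratum", ""))
    if stratum and int(stratum.group()) == 1 and ref == "LOCL":
        findings.append("claims stratum 1 from LOCL, so the rest of the domain trusts a drifting clock")
    disp = re.match(r"([\d.]+)s", f.get("Root Dispersion", ""))
    if disp and float(disp.group(1)) >= 10.0:
        findings.append("root dispersion of 10s or more: the accuracy bound is effectively unbounded")
    return findings
```

Running assess_time_source on the post's output yields all three findings; on the constructed healthy sample it yields none.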

Sites and services Issue


Greetings,

I am working as an Infrastructure Engineer for a Microsoft partner and am currently working on a project for one of our customers to build AD, DFS and Exchange in a DR site.

I am facing some issues for communication between main site and DR site for DFS and Exchange.

I need to be sure that no issue is related to AD sites and services setup.

Sites and services setup

Site1 (Azure Site): 1 DC (turned off)

Site2 (Main site): 2 DCs

Site3 (DR site): 1 DC

All domain controllers running Windows Server 2012 R2

How can I check that the AD sites and services setup is valid?

Regards,

GPO Question


Hi All,

I have been trying to understand the Group Policy Modelling wizard. There seems to be an awful lot of good information that it displays but I don't necessarily understand what it all stands for.

One example is below. What does it mean by "The following GPOs have special alerts" ?

Does anyone know what the Modelling wizard is really about, as it looks like a handy tool... Any information would be greatly received.

Regards.

Unable to start CA-Services after migration (Current log file missing 0xc8000210 (ESE: -528 JET_errMissingLogFile))


Hello everybody!

I'm currently trying to migrate our Root Certification Authority (CA) from Windows Server 2008 (x86) to Windows Server 2016 (x64). I followed the migration guide under https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/ for the main steps.
Both the old and the new CA server will be standalone CA servers in our domain and will have different hostnames (the CA name will stay the same, of course).

The migration process works without any error messages. The CA-Service starts without any problems before restoring the CA-Backup.
But as soon as I restore the CA-Backup and try to start the CA-Services again, I receive the following error message:

"Current log file missing 0xc8000210 (ESE: -528 JET_errMissingLogFile)"

The service won't start anymore. The event log shows similar error messages.

I made a procmon trace to analyse which files certsrv.exe is looking for and found out that it's looking for "edb.chk", "edb.jcp" and "edbtmp.log" in the CA data folder. Those files are not there (and I don't know why, as I only restored the previously created CA backup).

Any hints? :)

Thank you!!

Decommission DC


Hi Guys,

We have 2 physical DCs and both are 2008 R2. We have to remove both of the DCs because both servers have a problem with one of their non-OS drives and we cannot back up the system state anymore.

I did install a Server 2012 R2 on a Hyper-V host and made it the 3rd DC, and almost a week later moved all of the FSMO roles from the Server 2008 R2 to this Server 2012 R2, and it looks like login and opening shares are working without any issue.

The domain level is 2008 and forest level is 2003.

Now we want to decommission the old DC that had the FSMO roles. I made sure that the DNS of the clients/servers in the domain is pointing to the new Server 2012 R2 DC.

Can I now run the dcpromo on the DC 2008 R2 that we want to remove?

Thanks


Shahin

Migrating Directory Service Servers to a New Server


Hi all,

I'm planning to migrate one of my clients' directory servers to Windows Server 2016. At the moment there is a mix of Server 2008 R2 and Server 2012. The customer has 3 sites. 2 sites have separate VMs for root domain controllers, and the other, smaller site is replicating AD from one of the big sites I mentioned earlier. Forest and domain functional levels are Server 2003.

I want to know what the best approach is to upgrading these servers. I want to migrate all these servers to newly installed servers; I'm familiar with that. The confusion is with the complication added by site replication and separate servers for root and local domains. This customer doesn't have local Exchange. File servers are already updated to 2016 and heavily depend on authentication.

Any ideas?


Janindu Nanayakkara


The Directory Service is unavailable + The DNS server has encountered a critical error from the Active Directory.


So something is broken in my AD. I have two servers, one being removed and one new one. All services have been moved from old to new (DNS, DHCP and FSMO roles) with no errors. When both servers are powered on I have no issues; dcdiag passes with no problem. I turned off the old server for a pre-decom check and the new server is reporting that it cannot talk to the domain.

DNS is pointed to itself by private IP, not loopback. Name resolution works fine. When I try to load Group Policy Manager it says the directory service is unavailable, and I can choose the DC I want to use, and when I select the new server the error repeats.

Also getting a DNS error every 5 min that says "The DNS server has encountered a critical error from the Active Directory. "

CCertRequest::Submit: The RPC server is unavailable.

Hi,

I am getting stuck when testing a Windows Certificate Authority. I am getting the following error when running the command from non-domain-joined computers:

certutil -ping -config "test.domain.tld\Test_CA"

C:\Users\Avadhesh>certutil -ping -config "test.domain.tld\Test_CA"
Connecting to test.domain.tld\Test_CA ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (32ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.


But when running the same command from a domain-joined computer it works perfectly:

C:\Windows\system32>certutil -ping -config "test.domain.tld\Test_CA"
Connecting to test.domain.tld\Test_CA ...
Server "CostaCloud Secure CA" ICertRequest2 interface is alive (15ms)
CertUtil: -ping command completed successfully.


I want to run this command from non-domain-joined computers without any error.

Have you any idea, please?

Sending Windows Events to a Linux Syslog Server


I am trying to configure Windows Domain Controllers to send all events to a Linux syslog server (syslog-ng). I configured the Subscription Manager group policy to point to the URL of the syslog server on port 5985. But it is not working... I have tried entering the root and intermediate thumbprints in the value of the subscription manager connection string.

I am getting this error in the Event Viewer under "Eventlog-ForwardingPlugin":

The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxxns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

Somehow, I don't think it is a certificate issue at this point.

netlogon logs


Hi,

Last week we moved the FSMO roles from a Server 2008 R2 DC to a Server 2012 R2 DC. I have enabled the netlogon debug logs on both DCs. From what I can see in the netlogon logs, it looks like all of the login process still goes through the old DC, even though the old DC is no longer the PDC; note that the old DC, like the new one, is a GC.

Any idea why I don't see any info regarding the login process in the Server 2012 R2 netlogon logs?

Thanks


Shahin

Connect to Active Directory Database via mySQL


I'm trying to create a script either as a .bat file or stored procedure. The script would look at all the users of Active Directory with a particular attribute and I can then import or update those users in another system / database.

Is it possible to connect to the database of Active Directory via MySQL? If so, can someone point me in the right direction on how I would achieve this? I'm more of a JavaScript / PHP guy.

Apologies for the vague question.

What will be the impact on production users/authentication etc. if the FRS to DFSR SYSVOL migration fails at any of stages 1, 2, 3?


I am planning to migrate SYSVOL from FRS to DFSR directly in production. Could you please share what the worst impact could be if the migration gets stuck at any stage, e.g. 1, 2, 3 (Prepared, Redirected, Eliminated)?

Nitin

Cannot access to SYSVOL folder from domain controllers and some client computers


Hi,

I have two domain controllers that are Windows Server 2019. The first one is the primary DC and the second one is the secondary (additional) DC. The problem is that I can't access the SYSVOL share folder of the domain controllers from either domain controller, and I'm prompted for credentials. And when I enter username/password I get an "Access denied" error. Please note, some of the clients can successfully connect to the SYSVOL share folder. I did a non-authoritative SYSVOL restore based on DFSR and I saw the following error:

Log Name:      DFS Replication
Source:        DFSR
Date:          4/26/2019 7:02:35 PM
Event ID:      4614
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      AD-DC01.rsz.local
Description:
The DFS Replication service initialized SYSVOL at local path C:\WINDOWS\SYSVOL\domain and is waiting to perform
 initial replication. The replicated folder will remain in the initial synchronization state until it has replicated
 with its partner SRV-additional.rsz.local. If the server was in the process of being promoted to a domain controller
, the domain controller will not advertize and function as a domain controller until this issue is resolved. 
This can occur if the specified partner is also in the initial synchronization state, or if sharing violations 
are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL 
from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. 
This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. 
Additional Information: 
Replicated Folder Name: SYSVOL Share 
Replicated Folder ID: 30DDCF9A-51E4-4610-A05A-E3C1A530A85D 
Replication Group Name: Domain System Volume 
Replication Group ID: 355A21AE-E72E-40F5-83B8-8FC9E05468B2 
Member ID: 0B7EE151-3FF3-438F-BA71-4262143017F1 
Read-Only: 0
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="DFSR" /><EventID Qualifiers="32768">4614</EventID><Level>3</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2019-04-26T14:32:35.612433700Z" /><EventRecordID>171</EventRecordID><Channel>DFS Replication</Channel><Computer>AD-DC01.rsz.local</Computer><Security /></System><EventData><Data>30DDCF9A-51E4-4610-A05A-E3C1A530A85D</Data><Data>C:\WINDOWS\SYSVOL\domain</Data><Data>SYSVOL Share</Data><Data>Domain System Volume</Data><Data>355A21AE-E72E-40F5-83B8-8FC9E05468B2</Data><Data>0B7EE151-3FF3-438F-BA71-4262143017F1</Data><Data>SRV-additional.rsz.local</Data><Data>0</Data></EventData></Event>

Hint: SYSVOL folder on both DCs is empty.

Any help would be appreciated.

Thanks for your efforts and time.

Best Regards


DNS?


Hi All,

I have just noticed I am getting various errors on our Active Directory servers. The error we are getting is below.

Unsure what is causing this issue at the moment and keen to get it resolved as soon as possible.

Our infrastructure consists of a main site in Asia and various other sites globally. In Sites and Services we have a DC in HQ that connects to the main site in Asia. Other DCs at sites around Europe connect back to the HQ DC. When setting up the DCs around Europe I pointed the local DNS server to the HQ DC. Is this correct, or should the local DC be pointing to itself first and then another DC as a secondary option?

Thanks for any information.

Regards.

The DNS server was unable to add or write an update of domain name win3pxx5 in zone calsonickansei.co.jp to the Active Directory.  Check that the Active Directory is functioning properly and add or update this domain name using the DNS console. The extended error debug information (which may be empty) is "00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". The event data contains the error.

adding a note for OU


Hi,

Is it possible to add a note to an OU in a DC?

I am asking this because we have many OUs and users in each OU have different requirements, e.g. logon hours, etc.

We would like to know if it is possible to add a note to each of these OUs so that when admins are going to create a user account they know what they should do.

Thanks


Shahin


VM DC restore


Hi,

I am writing a document for a disaster recovery for our DC's.

We have 2 Server 2019 Hyper-V hosts and each has 1 VM DC. We back up each DC with Backup Exec and the Hyper-V agent.

My question is, How to recover the VM DC that has the 5 FSMO roles?

I understand that because we are using Hyper-V higher than 2012 and the VM DC is also 2012 R2, we can just restore the VM DC with no issue with the Generation ID. Is this correct? Or do we still have to do a non-authoritative restore of the DC with the FSMO roles?


Shahin

AADConnect - How to list orphaned user objects from O365/Azure AD


Sometimes objects deleted from on-premises AD are not getting deleted from Azure AD. So how do we find the list of orphaned user objects in Azure AD so that we can delete them?


Regards, Nidhin.CK

Unable to Remove Child Domains (Windows 2008 R2 Functional Level)


Hi All,

I'm running into an issue when deleting (3) child domains in a Windows 2008 R2 functional level domain. The child domains have been severed for several years and the child domain DCs have been removed from the domain using NTDSUTIL. When attempting to use ntdsutil: metadata cleanup > remove selected domain, I receive the error: DsRemoveDsDomainW error 0x2015 (The directory service can perform the requested operation only on a leaf object.)

Output:

metadata cleanup: select operation target
select operation target: list sites
Found 4 site(s)
0 - CN=site1,CN=Sites,CN=Configuration,DC=domain1,DC=com
1 - CN=site2,CN=Sites,CN=Configuration,DC=domain1,DC=com
2 - CN=site3,CN=Sites,CN=Configuration,DC=domain1,DC=com
3 - CN=site4,CN=Sites,CN=Configuration,DC=domain1,DC=com
select operation target: list domains
Found 4 domain(s)
0 - DC=domain1,DC=com
1 - DC=child1,DC=domain1,DC=com
2 - DC=child2,DC=domain1,DC=com
3 - DC=child3,DC=domain1,DC=com
select operation target: select domain 1
No current site
Domain - DC=child1,DC=domain1,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain
DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)

After looking up the error, it appears it's due to the DomainDnsZones still being available. So I ran NTDSUTIL: partition management > list and have (10) naming contexts available, but I'm not sure which ones to remove.

C:\Windows\system32\ntdsutil.exe: partition management
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded
Found 10 Naming Context(s)
0 - CN=Configuration,DC=domain1,DC=com
1 - CN=Schema,CN=Configuration,DC=domain1,DC=com
2 - DC=domain1,DC=com
3 - DC=child1,DC=domain1,DC=com
4 - DC=child2,DC=domain1,DC=com
5 - DC=child3,DC=domain1,DC=com
6 - DC=DomainDnsZones,DC=child1,DC=domain1,DC=com
7 - DC=DomainDnsZones,DC=domain1,DC=com
8 - DC=DomainDnsZones,DC=child2,DC=domain1,DC=com
9 - DC=ForestDnsZones,DC=domain1,DC=com
partition management:

Do I remove the DomainDNSZones entries for the child domains I'm attempting to remove or do I remove all child domain records above?
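The post's own reading of the 0x2015 error is that the child domain naming context is not a leaf because application partitions (the DomainDnsZones partitions) still hang beneath it. The following is an added example, not code from the post or from ntdsutil: it parses the quoted partition management list and, for a given domain DN, returns only the naming contexts that are subordinate to it, deepest first, so that the forest root's own DomainDnsZones and ForestDnsZones partitions (which are not beneath any child domain) are not mistaken for candidates. The listing is a constructed copy of the output in the post.

```python
import re
from typing import List

# Constructed copy of the 'partition management: list' output quoted in the post.
NC_LISTING = """\
Found 10 Naming Context(s)
0 - CN=Configuration,DC=domain1,DC=com
1 - CN=Schema,CN=Configuration,DC=domain1,DC=com
2 - DC=domain1,DC=com
3 - DC=child1,DC=domain1,DC=com
4 - DC=child2,DC=domain1,DC=com
5 - DC=child3,DC=domain1,DC=com
6 - DC=DomainDnsZones,DC=child1,DC=domain1,DC=com
7 - DC=DomainDnsZones,DC=domain1,DC=com
8 - DC=DomainDnsZones,DC=child2,DC=domain1,DC=com
9 - DC=ForestDnsZones,DC=domain1,DC=com
"""

def parse_nc_listing(text: str) -> List[str]:
    """Return the DN from every 'N - <DN>' line of ntdsutil's list output."""
    dns: List[str] = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+-\s+(.+?)\s*$", line)
        if m:
            dns.append(m.group(1))
    return dns

def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas, normalised to lower case."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def subordinate_ncs(target_dn: str, all_dns: List[str]) -> List[str]:
    """Naming contexts whose RDN chain ends with target_dn's RDNs, i.e. that sit
    beneath it and make it a non-leaf; deepest partitions are listed first."""
    target = split_rdns(target_dn)
    found = []
    for dn in all_dns:
        rdns = split_rdns(dn)
        if len(rdns) > len(target) and rdns[-len(target):] == target:
            found.append(dn)
    found.sort(key=lambda d: -len(split_rdns(d)))
    return found

def blocking_partitions(all_dns: List[str], domain_dns: List[str]) -> dict:
    """Map each domain DN to the partitions still hanging beneath it."""
    return {d: subordinate_ncs(d, all_dns) for d in domain_dns}
```

On the post's listing, child1 and child2 each have one DomainDnsZones partition beneath them while child3 has none, which is the distinction the question about "all child domain records" turns on.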
