Channel: Directory Services forum

FRS replication and DFS replication


Hi all,

FRS:

How to check FRS replication?

How to monitor FRS replication?

How to find the error logs?

FRS advantages and disadvantages?

DFS:

1. DFS advantages and disadvantages?

2. DFS error logs path?



Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When checked replication today we have seen the below error

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC is receiving inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how I should troubleshoot this.
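The first checks to run when repadmin reports "DsBindWithCred ... failed with status 5", as an added example that is not part of the post above. It assumes it runs elevated on the DC that shows the error (AD1 in the post) and that the partner's DNS name is AD2 in the same domain; nothing else is taken from the post. A bind to "localhost" has no matching service principal name, so it cannot use Kerberos; if the same command succeeds against the DC's own FQDN and the partner, replication itself is healthy and only the loopback bind is affected. Kerberos rejects a clock skew beyond five minutes, and RPC callers surface that as a plain "Access is denied", so time is checked first.

```powershell
# Added example, not from the original post. Run elevated on the DC reporting status 5 (AD1).

function Test-DcTimeSkew {
    param([Parameter(Mandatory)][string]$Partner)
    # Kerberos allows 5 minutes of skew by default; beyond that the KDC answers KRB_AP_ERR_SKEW,
    # which repadmin and other RPC clients report as "Access is denied".
    & w32tm.exe /stripchart /computer:$Partner /samples:3 /dataonly
    & w32tm.exe /query /source
}

function Test-PartnerKerberos {
    param([Parameter(Mandatory)][string]$Partner)
    # Request a service ticket for the partner's LDAP SPN with a clean ticket cache.
    # Failure here means authentication (time, DNS name vs SPN, stale tickets), not replication.
    & klist.exe purge | Out-Null
    & klist.exe get ldap/$Partner
}

function Test-DcSecureChannel {
    # Verify (do not reset) this DC's own secure channel to the domain.
    & nltest.exe /sc_verify:$env:USERDNSDOMAIN
}

function Get-ReplicationState {
    param([string]$Dsa = "$env:COMPUTERNAME.$env:USERDNSDOMAIN")
    # Bind by the DC's FQDN instead of 'localhost' so Kerberos can match an SPN.
    & repadmin.exe /showrepl $Dsa /errorsonly
    & repadmin.exe /replsummary
    # Directory Service log errors and warnings from the last day (1925 link failure,
    # 2087/2088 partner DNS lookup failures, 1311 topology problems).
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

$partner = 'AD2.' + $env:USERDNSDOMAIN   # assumption: AD2 is in this DC's own domain
Test-DcTimeSkew -Partner $partner
Test-PartnerKerberos -Partner $partner
Test-DcSecureChannel
Get-ReplicationState
```

If `w32tm /stripchart` shows an offset of minutes, fix the time source before anything else; if `klist get` fails while time is correct, look at DNS (does `ldap/AD2.<domain>` resolve to the right host?) before touching replication settings.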

Move users/groups/service accounts along with permissions from one forest (domain xyz.com) to another forest (domain abc.com)


We are looking to move the users/groups/service accounts along with permissions from one forest (domain xyz.com) to another forest (domain abc.com).

We have a one-way trust between the abc.com and xyz.com domains. Users/groups and service accounts exist in xyz.com and access the resources of abc.com (file server (shared folders), Citrix profiles (roaming, terminal and folder redirection)).

All user data exists in the abc.com domain. Hence we are looking to move the users/groups/service accounts and computer accounts into the abc.com domain without losing access to existing resources.

As of now users access the resources in abc.com as below.

1. The workstation is joined to xyz.com (which needs to be moved into abc.com).

2. Users log in to the xyz.com domain (users exist in xyz.com and the profile path (roaming, terminal, and redirected folders) is configured via group policy as \\abc.com\dfs\...........).

3. Users log in to a Citrix server (all Citrix servers/file servers/storage are in abc.com) and access their resources.

Looking for some guidance here for a seamless move.
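Three checks that belong to a migration in the direction described above (accounts from xyz.com into abc.com, resources already in abc.com), as an added example that is not part of the post: the state of the trust and its SID filtering, which migrated accounts carry sIDHistory, and which folder ACLs still grant rights to xyz.com SIDs. Those ACEs keep working only while sIDHistory is present; ADMT's security translation re-ACLs them to the new SIDs, after which sIDHistory can be purged. The DC names, OU and share path are placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.

function Get-ForestTrustReport {
    # Direction=Outbound: this domain trusts the other. SIDFilteringQuarantined=True strips
    # sIDHistory SIDs from tokens that arrive across the trust.
    Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware
}

function Get-SidHistoryReport {
    param([Parameter(Mandatory)][string]$TargetServer, [Parameter(Mandatory)][string]$SearchBase)
    # Which migrated users still carry their old xyz.com SIDs
    Get-ADUser -Server $TargetServer -SearchBase $SearchBase -Filter * -Properties sIDHistory |
        Select-Object SamAccountName,
            @{ n = 'HasSidHistory'; e = { [bool]$_.sIDHistory } },
            @{ n = 'SidHistory';    e = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ';' } }
}

function Get-AcesFromDomain {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$DomainSid
    )
    # Walk the folder tree and report every ACE whose principal belongs to $DomainSid.
    $dirs = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue }
            if ($sid.IsEqualDomainSid($DomainSid)) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Sid       = $sid.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage with placeholder names
Get-ForestTrustReport
$sourceSid = (Get-ADDomain -Server 'dc1.xyz.com').DomainSID
Get-SidHistoryReport -TargetServer 'dc1.abc.com' -SearchBase 'OU=Migrated,DC=abc,DC=com' | Format-Table -AutoSize
Get-AcesFromDomain -Path '\\fs1.abc.com\Share' -DomainSid $sourceSid |
    Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```

Run the ACE report once before the cut-over to know the blast radius, and once after security translation: anything still listed will break the moment sIDHistory is removed.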

Windows Server 2012 R2 SYSVOL folder replication


Hi All, 

Recently I've come across something I have never seen before. To be more precise, on two Windows Server 2012 R2 domain controllers I found the C:\Windows\SYSVOL\domain folder replicating between them by means of DFS Replication.

 

1) Should replication between domain controllers be performed by means of DFSR?

2) What if replication is disabled like on the screenshot? 

Thank you.
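The checks the two posts above ask for, as an added example that is not part of either post: which engine replicates SYSVOL on a DC, where its error log is, what the DFSR backlog between two DCs looks like, and whether every DC actually shares SYSVOL and NETLOGON. DFSR replication of SYSVOL is the expected state once the domain runs at the Windows Server 2008 functional level or higher and `dfsrmig` has been run; FRS is the legacy engine and is deprecated. The script assumes it runs elevated on a DC with the ActiveDirectory module; `dfsrmig.exe` and `dfsrdiag.exe` are installed with the DFSR role on DCs.

```powershell
# Added example, not from the original posts. Run elevated on a domain controller.

function Get-SysvolReplicationEngine {
    # dfsrmig reports the SYSVOL migration state: 'Start' = still FRS, 'Eliminated' = DFSR,
    # 'Prepared'/'Redirected' = a migration that was started and never finished.
    $out = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '
    if ($out -match "'Eliminated'")            { return 'DFSR' }
    if ($out -match "'Start'")                 { return 'FRS' }
    if ($out -match "'Prepared'|'Redirected'") { return 'Migrating' }
    return "Unknown: $out"
}

function Get-SysvolReplicationEvents {
    param([int]$Hours = 24)
    # Each engine has its own log under Applications and Services Logs. Events worth knowing:
    #   DFSR 2213  database dirty shutdown; on 2012/2012 R2 replication stays paused until resumed
    #   DFSR 4012  partner offline longer than MaxOfflineTimeInDays; this member stopped replicating
    #   DFSR 5002  communication error with a partner
    #   FRS 13508  cannot reach partner over RPC;  FRS 13568  journal wrap
    $log = if ((Get-SysvolReplicationEngine) -eq 'FRS') { 'File Replication Service' } else { 'DFS Replication' }
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-SysvolBacklog {
    param([Parameter(Mandatory)][string]$SourceDC, [Parameter(Mandatory)][string]$DestinationDC)
    # Files the destination has not yet received from the source for the SYSVOL replicated folder.
    # A backlog that never drains, or 'n/a', means that connection is not working.
    & dfsrdiag.exe backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:$SourceDC /rmem:$DestinationDC
}

function Test-SysvolShares {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }))
    # A DC whose initial SYSVOL sync never completed keeps SYSVOL and NETLOGON unshared.
    foreach ($dc in $DomainControllers) {
        [pscustomobject]@{
            DC       = $dc
            SYSVOL   = Test-Path -Path "\\$dc\SYSVOL"
            NETLOGON = Test-Path -Path "\\$dc\NETLOGON"
        }
    }
}

Get-SysvolReplicationEngine
Get-SysvolReplicationEvents -Hours 48 | Format-Table -AutoSize
Test-SysvolShares | Format-Table -AutoSize
# Get-SysvolBacklog -SourceDC DC1 -DestinationDC DC2
```

For ongoing monitoring, the same event IDs are what to alert on; a 2213 or 4012 on a DC means that DC's Group Policy copy is stale until someone intervenes, which is both an operational and a security problem.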

SYSVOL, NETLOGON share problem


Hi All,

I faced an AD problem yesterday, and I have no experience with this kind of problem, so I need some advice. We have a customer with multiple sites. They moved their HQ to another city two months ago while still working at the previous site, so we built another infrastructure at the new site. Previously they had a single site with one server running 2012 (non-R2) Foundation in a single-domain environment. Then we installed a Linux-based firewall at the new HQ and the old site, connected the sites by IPsec, and installed the new DC (Win 2016 Standard) at the new HQ by joining it to the domain and promoting it to DC in the existing infrastructure. AD was fine: we installed 3-4 more Windows Servers at the new site, joined them to the domain, and everything worked for the past 2 months.

Now they are migrating to a new site at the old HQ, so it is time to move the FSMO roles to the new HQ and demote the old DC; only a few PCs will remain in the previous city, they will work fine through IPsec, and there is no need for a new DC there. First of all, I moved the FSMO roles 2 days ago and configured DHCP and the DNS resolver on the Linux FW to forward DNS queries to the HQ DC. Before the FSMO move I checked AD replication and ran the dcdiag diagnostics, and there was no problem with the new DC. At the end of this project I stopped the DNS and DHCP services to be sure that everything works through IPsec. I planned to demote the DC the next evening if everything was fine on the test day.

But users complained that DNS was not working as expected. After a few hours of investigation I found that there is a problem with Active Directory. I tried a server restart and then got a lot of errors in the event logs. I ran dcdiag again and found these problems:

(Netlogons) Unable to connect to the NETLOGON share! An net use or LsaPolicy operation failed with error 67

(DFSREvent) There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

(Advertising) Warning: DsGetDcName returned information for \\SERVER..., when we were trying to reach SRV.... IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

The NETLOGON and SYSVOL shares are missing. All other tests were successful.

I googled a lot and found the D2/D4 DFSR solution. It is unclear to me which to choose, the authoritative or the non-authoritative restore, and on which DC I have to run the guide. In case of a failure, what will be lost, so which files do I have to back up manually in addition to the normal backup? I moved the FSMO roles back to the old DC as its dcdiag was fine, so could a better solution be to demote the new DC and install the role again? What could cause this problem, as dcdiag was fine before the FSMO move?

Every advice or idea is also appreciated!
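The non-authoritative ("D2") DFSR resync for one domain controller, as an added example that is not part of the post above. The D2 variant is the one for the situation described: run it only on the DC whose SYSVOL and NETLOGON shares are missing, while the other DC still has a good copy and is reachable; it discards this DC's SYSVOL data and rebuilds it from the partner. The authoritative ("D4") variant is for the case where every DC's copy is bad, and is run on exactly one DC, never on all of them. The code follows Microsoft's documented sequence (toggle msDFSR-Enabled on the DC's SYSVOL Subscription object, force AD replication, poll, wait for events 4114, 4614 and 4604); it assumes it runs elevated on the affected DC with the ActiveDirectory module loaded and `dfsrdiag.exe` present. Back up C:\Windows\SYSVOL on that DC first; it is the copy that gets replaced.

```powershell
# Added example, not from the original post. Non-authoritative DFSR SYSVOL resync on ONE DC.

function Get-SysvolSubscriptionDN {
    param([string]$DcName = $env:COMPUTERNAME)
    $dc = Get-ADComputer -Identity $DcName
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.DistinguishedName)"
}

function Wait-DfsrEvent {
    param([Parameter(Mandatory)][int]$EventId, [Parameter(Mandatory)][datetime]$Since, [int]$TimeoutMinutes = 15)
    # Poll the DFS Replication log until the expected event appears, or give up.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since } -ErrorAction SilentlyContinue |
              Select-Object -First 1
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes waiting for DFSR event $EventId"
}

function Invoke-SysvolNonAuthoritativeSync {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$DcName = $env:COMPUTERNAME)

    $dn    = Get-SysvolSubscriptionDN -DcName $DcName
    $start = Get-Date
    if (-not $PSCmdlet.ShouldProcess($DcName, "Non-authoritative SYSVOL resync via $dn")) { return }

    # Step 1: disable this DC's SYSVOL subscription, push the change to the other DCs, poll AD.
    Set-ADObject -Identity $dn -Replace @{ 'msDFSR-Enabled' = $false }
    & repadmin.exe /syncall /AdP | Out-Null
    & dfsrdiag.exe pollad | Out-Null
    # 4114: SYSVOL is no longer being replicated on this member.
    Wait-DfsrEvent -EventId 4114 -Since $start | Out-Null

    # Step 2: re-enable; DFSR now performs an initial sync from an upstream partner.
    Set-ADObject -Identity $dn -Replace @{ 'msDFSR-Enabled' = $true }
    & repadmin.exe /syncall /AdP | Out-Null
    & dfsrdiag.exe pollad | Out-Null
    # 4614: initial sync started (SYSVOL still not shared); 4604: initial sync finished, SYSVOL shared.
    Wait-DfsrEvent -EventId 4614 -Since $start | Out-Null
    Wait-DfsrEvent -EventId 4604 -Since $start -TimeoutMinutes 60 | Out-Null

    [pscustomobject]@{
        DC       = $DcName
        SYSVOL   = Test-Path -Path "\\$DcName\SYSVOL"
        NETLOGON = Test-Path -Path "\\$DcName\NETLOGON"
    }
}

# Preview first, then run for real on the affected DC only:
Invoke-SysvolNonAuthoritativeSync -WhatIf
# Invoke-SysvolNonAuthoritativeSync
```

If 4614 never arrives, the usual reason is that the partner DC is itself not sharing SYSVOL or that AD replication between the two is broken; fix that before repeating the procedure. Demoting and re-promoting the DC, which the post also considers, produces the same outcome (a fresh non-authoritative copy) at the cost of metadata cleanup and a new DC object.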

Ran Burflags D4 (authoritative restore) when I shouldn't have.


Made an idiotic mistake. Was trying to solve a SYSVOL/NETLOGON issue on a newly built off-site DC. Was doing research and someone wrote that I should run the D4 flag in BurFlags. It was flagged as the correct answer, so I didn't dig into it further as it was 1am, and I've never had to do a restore, so I was unaware of what that flag was. After I ran it I started digging more into it and realized what I've done. I checked my other DCs and they seem to be fine; I did not disable FRS on the other DCs, nor did I run a non-authoritative restore on them.

So I don't know how to assess the damage I've done. GPOs are fine, dns changes, user changes seem to replicate just fine.

To be honest, I want to just demote this problematic off site DC, remove the meta data and start over but considering I already ran the authoritative restore on it, I wanted to see if anyone knew if there were some steps I needed to perform or items to check before I demote this server and start over. Any guidance be appreciated. 
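A way to assess the damage the post asks about, as an added example that is not part of the post. An FRS D4 on one DC marks that DC's SYSVOL copy as authoritative, so the question is whether its content now differs from, or has overwritten, the other DCs' copies. The script reads the FRS restore-related events on the off-site DC and then hashes every file under each DC's SYSVOL\<domain> share and reports files that are missing on some DC or differ between DCs; an empty report means the copies are consistent. It assumes the ActiveDirectory module, read access to every DC's SYSVOL share, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not from the original post.

function Get-FrsRestoreEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    # 13565: non-authoritative restore in progress (D2); 13516: SYSVOL initialised and shared;
    # 13508/13509: RPC to a partner failing / recovered; 13568: journal wrap.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13508, 13509, 13516, 13565, 13568; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-SysvolInventory {
    param([Parameter(Mandatory)][string]$DC, [string]$Domain = $env:USERDNSDOMAIN)
    # Relative path -> SHA256 for every file under \\DC\SYSVOL\<domain> (Policies, scripts).
    $root = "\\$DC\SYSVOL\$Domain"
    $inv  = @{}
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction Stop | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        $inv[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $inv
}

function Compare-SysvolContent {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }))
    $inventories = @{}
    foreach ($dc in $DomainControllers) { $inventories[$dc] = Get-SysvolInventory -DC $dc }
    $allPaths = $inventories.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($p in $allPaths) {
        $perDc = [ordered]@{}
        foreach ($dc in $DomainControllers) {
            $perDc[$dc] = if ($inventories[$dc].ContainsKey($p)) { $inventories[$dc][$p].Substring(0, 12) } else { 'MISSING' }
        }
        # Report only paths whose hash (or presence) differs between DCs
        if (@($perDc.Values | Select-Object -Unique).Count -gt 1) {
            [pscustomobject]@{
                RelativePath = $p
                PerDC        = ($perDc.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            }
        }
    }
}

Get-FrsRestoreEvents -ComputerName 'OFFSITEDC' | Format-Table -AutoSize   # placeholder DC name
Compare-SysvolContent | Format-Table -AutoSize -Wrap
```

Differences under Policies are the ones that matter: each GPO's GPT.INI and its Machine/User folders should hash identically on every DC. If the off-site DC's copy won some conflicts, the losing versions on the other DCs will have been moved into the FRS pre-existing/conflict folders and can be compared against a recent backup before you demote the DC and clean up its metadata.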



Bulk change users' UPN, sAMAccountName and proxy address


Hi Experts,

I really need your help:

We have many users in AD whose sAMAccountName and UPN don't match their email address. How can I bulk edit their sAMAccountName and UPN based on their email address?

thanks

Sky
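A bulk update that does what the post asks for, as an added example that is not part of the post. It sets userPrincipalName to the mail address and sAMAccountName to the local part of it, after the checks a practitioner would insist on: the UPN suffix must be a domain in the forest or a registered alternative suffix, the new sAMAccountName must be at most 20 characters and unique in the domain, and the new UPN must be unique in the forest. It supports -WhatIf, so the dry run shows every change before any account is touched. It assumes the ActiveDirectory module and an OU of your choice; the OU below is a placeholder. Changing sAMAccountName changes the pre-Windows 2000 logon name users and older applications use, so communicate it before running without -WhatIf.

```powershell
# Added example, not from the original post.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape characters that are special in LDAP filters (RFC 4515)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ValidUpnSuffixes {
    # A UPN suffix must be a forest domain or an explicitly registered alternative suffix
    $f = Get-ADForest
    @($f.Domains) + @($f.UPNSuffixes) | ForEach-Object { $_.ToLower() }
}

function Sync-UserNamesToMail {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$SearchBase)

    $suffixes = Get-ValidUpnSuffixes
    $users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail, userPrincipalName, sAMAccountName

    foreach ($u in $users) {
        $mail = $u.mail.Trim().ToLower()
        if ($mail -notmatch '^([^@\s]+)@([^@\s]+)$') { Write-Warning "$($u.sAMAccountName): unusable mail '$mail'"; continue }
        $local, $suffix = $Matches[1], $Matches[2]
        if ($suffix -notin $suffixes) { Write-Warning "$($u.sAMAccountName): UPN suffix '$suffix' is not registered in the forest"; continue }
        if ($local.Length -gt 20)     { Write-Warning "$($u.sAMAccountName): '$local' exceeds the 20-character sAMAccountName limit"; continue }

        $changes = @{}
        if ($u.userPrincipalName -ne $mail) {
            # UPN must be unique across the forest
            $clash = Get-ADObject -LDAPFilter "(userPrincipalName=$(ConvertTo-LdapFilterValue $mail))" -Server "$((Get-ADForest).RootDomain):3268" |
                     Where-Object { $_.ObjectGUID -ne $u.ObjectGUID }
            if ($clash) { Write-Warning "$($u.sAMAccountName): UPN '$mail' already used by $($clash.DistinguishedName)"; continue }
            $changes['userPrincipalName'] = $mail
        }
        if ($u.sAMAccountName -ne $local) {
            # sAMAccountName must be unique in the domain (users, groups and computers share the namespace)
            $clash = Get-ADObject -LDAPFilter "(sAMAccountName=$(ConvertTo-LdapFilterValue $local))" |
                     Where-Object { $_.ObjectGUID -ne $u.ObjectGUID }
            if ($clash) { Write-Warning "$($u.sAMAccountName): '$local' already used by $($clash.DistinguishedName)"; continue }
            $changes['sAMAccountName'] = $local
        }
        if ($changes.Count -eq 0) { continue }

        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "set $($changes.Keys -join ', ')")) {
            Set-ADUser -Identity $u -Replace $changes
        }
    }
}

# Dry run first (placeholder OU), then drop -WhatIf
Sync-UserNamesToMail -SearchBase 'OU=Staff,DC=contoso,DC=com' -WhatIf
```

The global catalog query (port 3268) is what makes the UPN uniqueness check forest-wide; a duplicate UPN breaks UPN-based logon for both accounts, and a duplicate sAMAccountName is rejected by the directory outright.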

Read Only Domain Controller: Delegation of AD tasks vs hardware management


Hello,

If I understand correctly, when we talk about an RODC there is a clear distinction between delegating AD tasks and delegating somebody to manage the hardware of the RODC?

So if, e.g., I wanted to delegate the creation of accounts to a person, I'd go and use the delegation wizard:

But on the other hand, when it comes to server management (hardware), I'd need to delegate it from the Managed By tab? Am I on target or missing something?


Data Collector Sets: Active Directory Diagnostics


Hey,

I have another interesting question. In Event Viewer there is this funny thing called Data Collector Sets that can also be used to troubleshoot AD. You can run it, e.g., from User Defined or from System.

Also, the templates usually create different types of things like event traces, performance counters and configurations. My issue is to somehow measure REPLICATION. So in DCS you can either use a TEMPLATE, which gives you a combination of all 3, or CUSTOM to select, e.g., only performance counters. Can anybody explain to me in plain terms what those event traces are? After a moment or two of research I found out that there is a whole bunch of performance counters I could use for replication (examples:)

  • NTDS / DRA Inbound Objects Applied/sec
  • Database adds/sec
  • NTDS / DRA Inbound Values (DNs only)/sec

https://support.microsoft.com/en-ie/help/2981628/adrepl-troubleshooting-ad-replication-error-8461

A neat table is here(if anybody would need it):

Active Directory System Monitor Counters on the NTDS Object

  • DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec: The compressed size (in bytes) of compressed replication data inbound from directory system agents (DSAs) in other sites (per second).
  • DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec: The uncompressed size (in bytes) of compressed replication data inbound from DSAs in other sites (per second).
  • DRA Inbound Bytes Not Compressed (Within Site)/sec: The uncompressed size (in bytes) of replication data that was not compressed at the source, that is, inbound from other DSAs in the same site (per second).
  • DRA Inbound Bytes Total/sec: The total number of bytes (per second) received through replication. It is the sum of the number of bytes of uncompressed data (never compressed) and compressed data (after compression).
  • DRA Inbound Full Sync Objects Remaining: The number of objects remaining until the full synchronization process is completed.
  • DRA Inbound Objects/sec: The number of objects received (per second) through inbound replication from replication partners.
  • DRA Inbound Objects Applied/sec: The number of objects received (per second) from replication partners and applied by the local directory service. This counter excludes changes that are received but not applied (for example, when the update is already made). This counter indicates how many replication updates are occurring on the server as a result of changes generated on other servers.
  • DRA Inbound Objects Filtered/sec: The number of objects received (per second) from replication partners that contained no updates that needed to be applied.
  • DRA Inbound Object Updates Remaining in Packet: The number of object updates received in the current directory replication update packet that have not yet been applied to the local server. This counter tells you whether the monitored server is receiving changes, but is taking a long time applying them to the database.
  • DRA Inbound Properties Applied/sec: The number of changes (per second) to object properties that are applied through inbound replication as a result of reconciliation logic.
  • DRA Inbound Properties Filtered/sec: The number of changes (per second) to object properties received during the replication that are already made.
  • DRA Inbound Properties Total/sec: The total number of changes (per second) to object properties received from replication partners.
  • DRA Inbound Values (DNs only)/sec: The number of values of object properties received (per second) from replication partners in which the values are for object properties that belong to distinguished names. This number includes objects that reference other objects. Values for distinguished names, such as group or distribution list memberships, are more expensive to apply than other kinds of values because a group or distribution list object can include hundreds or thousands of members. In contrast, a simple object might have only one or two attributes. A high number from this counter might explain why inbound changes are slow to be applied to the database.
  • DRA Inbound Values Total/sec: The total number of values of object properties received (per second) from replication partners. Each inbound object has one or more properties, and each property has zero or more values. A value of zero indicates that the property is to be removed.
  • DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec: The compressed size (in bytes) of compressed replication data that is outbound to DSAs in other sites (per second).
  • DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec: The uncompressed size (in bytes) of compressed replication data outbound to DSAs in other sites (per second).
  • DRA Outbound Bytes Not Compressed (Within Site)/sec: The uncompressed size (in bytes) of outbound replication data that was not compressed, that is, outbound to DSAs in the same site (per second).
  • DRA Outbound Bytes Total/sec: The total number of bytes sent per second. It is the sum of the number of bytes of uncompressed data (never compressed) and compressed data (after compression).
  • DRA Outbound Objects Filtered/sec: The number of objects (per second) acknowledged by outbound replication partners that required no updates. This counter includes objects that the outbound partner did not already have.
  • DRA Outbound Objects/sec: The number of objects sent (per second) through outbound replication to replication partners.
  • DRA Outbound Properties/sec: The number of properties sent per second. This counter tells you whether a source server is returning objects or not. Sometimes, the server might stop working correctly and not return objects quickly or at all.
  • DRA Outbound Values (DNs only)/sec: The number of values of object properties sent (per second) to replication partners in which the values are for object properties that belong to distinguished names. Values for distinguished names, such as group or distribution list memberships, are more expensive to apply than other kinds of values because a group or distribution list object can include hundreds or thousands of members. In contrast, a simple object might have only one or two attributes.
  • DRA Outbound Values Total/sec: The total number of values of object properties sent (per second) to replication partners.
  • DRA Remaining Replication Updates: The number of changes to objects that have been received in the current directory replication update packet for the DRA that have not yet been applied to the local server. A sharp decline in the rate at which objects are applied to the database indicates normal operation, while a gradual decline indicates that complex objects are being applied. This counter is a helpful gauge of whether a server is slow to replicate.
  • DRA Pending Replication Synchronizations: The number of directory synchronizations that are queued for this server that are not yet processed. This counter helps in determining the replication backlog: the larger the number, the larger the backlog.
  • DRA Sync Requests Made: The number of synchronization requests made to replication partners since the computer was last restarted.
  • DS Security Descriptor Suboperations/sec: The number of suboperations (per second) of security descriptor propagation. One operation of security descriptor propagation comprises many suboperations. There is approximately one suboperation for each object that the propagation operation causes the propagator to examine.
  • DS Security Descriptor Propagation Events: The number of events of Security Descriptor Propagation that are queued but not yet processed.
  • DS Threads in Use: The current number of threads in use by the directory service (different from the number of threads in the directory service process). This counter represents the number of threads currently servicing API calls by clients, and you can use it to determine whether additional CPUs would be beneficial.
  • LDAP Client Sessions: The number of sessions of connected LDAP clients.
  • LDAP Bind Time: The time (in milliseconds) required for the completion of the last successful LDAP binding.
  • Kerberos Authentications/sec: The number of times per second that clients use a client ticket to this domain controller to authenticate to this domain controller.
  • NTLM Authentications/sec: The number of NTLM authentications (per second) serviced by this domain controller.
  • LDAP Successful Binds/sec: The number of LDAP bindings (per second) that occurred successfully.
  • LDAP Searches/sec: The number of search operations per second performed by LDAP clients.

https://www.itprotoday.com/active-directory/jsi-tip-5454-how-do-i-monitor-performance-active-directory

Can I use event traces to measure/check replication? When you run the AD Diagnostics report, it will show the replication:

If I want to create them manually (for replication only), what options would I have (between event traces, performance counters and configurations)? I understand that configs are about the registry...

From my research I know there are performance counters, but should I also include the "event trace data" or even system config info? Can anybody explain this issue?

Thanks!
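A replication-only collector built from performance counters alone, as an added example that is not part of the post. It answers the question in the post by construction: sampling the NTDS counters listed above needs no event trace providers and no configuration (registry) snapshot; those two components of the Active Directory Diagnostics template exist to capture LSASS/NTDS trace events and the server's settings for Microsoft's report, not to measure throughput. The first function takes a short live sample with Get-Counter; the second creates a persistent Data Collector Set with logman so the counters are logged continuously. It assumes it runs on a DC (the NTDS counter set exists only there) with English counter names; the output path and intervals are assumptions.

```powershell
# Added example, not from the original post. Run on a domain controller.

$ReplCounters = @(
    '\NTDS\DRA Inbound Objects Applied/sec',
    '\NTDS\DRA Inbound Values (DNs only)/sec',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\DRA Remaining Replication Updates'
)

function Get-ReplicationCounterSnapshot {
    param([int]$Samples = 6, [int]$IntervalSeconds = 10)
    # Take a few samples and reduce each counter to its average and maximum. A backlog shows up as
    # 'Pending Replication Synchronizations' that never drains or a large 'Remaining Replication Updates'.
    $data = Get-Counter -Counter $ReplCounters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $data.CounterSamples | Group-Object -Property Path | ForEach-Object {
        $vals = $_.Group | ForEach-Object { $_.CookedValue }
        [pscustomobject]@{
            Counter = $_.Name -replace '^\\\\[^\\]+', ''   # strip the \\computer prefix
            Avg     = [math]::Round(($vals | Measure-Object -Average).Average, 2)
            Max     = ($vals | Measure-Object -Maximum).Maximum
        }
    }
}

function New-ReplicationCollectorSet {
    param([string]$Name = 'AD-Replication', [string]$OutputDir = 'C:\PerfLogs\ADRepl', [int]$IntervalSeconds = 15)
    # Persistent counter log: binary circular file capped at 200 MB, sampled every $IntervalSeconds.
    # Appears under Data Collector Sets > User Defined in Performance Monitor.
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    & logman.exe create counter $Name -c $ReplCounters -si $IntervalSeconds -o (Join-Path $OutputDir $Name) -f bincirc -max 200
    & logman.exe start $Name
}

Get-ReplicationCounterSnapshot | Format-Table -AutoSize
# New-ReplicationCollectorSet
```

Open the resulting .blg in Performance Monitor or convert it with `relog`; because the collector contains nothing but counters, it is cheap enough to leave running on every DC.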

export Distribution group members


Hi Experts

I have a distribution group and I want to export the members of that distribution group to a CSV file, and I am getting an error. Please guide me, as the below syntax is not working.

# Get-ADGroupMember returns principals that carry only name, SID, DN and objectClass,
# so the display name, mail and employee ID must be fetched with Get-ADUser.
# The attribute is EmailAddress (one word); "Email Address" is parsed as two properties.
Get-ADGroupMember -Identity "My-DistributionGroup" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties DisplayName, EmailAddress, EmployeeID |
    Select-Object DisplayName, EmailAddress, EmployeeID |
    Export-Csv -Path C:\output.csv -NoTypeInformation

Unable to view/setup domain trust


Hi, I have been asked to set up a one-way trust between two domains, but for some reason I can't do anything from domain A. I don't get the option to set up any trust.

I'm Enterprise/Domain Admin in both domains.

If I go to Active Directory Domains and Trusts (ADDT) in domain B, then I am able to see the option to set up a trust, but not from domain A.

Domain A setup

3 domain controllers

  • 2008 R2 DC
  • 2012 R2 DC
  • 2016 DC

Domain B setup

  • 2012 R2
  • 2016

Both domains are at the 2008 R2 functional level.


VM DC restore


Hi,

I am writing a disaster recovery document for our DCs.

We have 2 Server 2019 Hyper-V hosts and each has 1 VM DC. We back up each DC with Backup Exec and the Hyper-V agent.

My question is, how do I recover the VM DC that has the 5 FSMO roles?

I understand that because we are using Hyper-V higher than 2012 and the VM DC is also 2012 R2 we can just restore the VM DC and there is no issue with the Generation ID. Is this correct? Or do we still have to do a non-authoritative restore of the DC with the FSMO roles?

 


Shahin

The security database on the server does not have a computer account for this workstation trust relationship


Hello there,

Earlier this morning I changed the name of my server. It used to have one of those default WIN-....... computer names, and I changed it to DC1. I restarted the server as I was prompted to, and now I can no longer sign in to the local Domain Controller at all. There's nothing that I am able to do to access the user interface. Users on workstations are able to connect to the domain as normal. Only the server is having this problem. While trying to log in, I am faced with this error message: "The security database on the server does not have a computer account for this workstation trust relationship." I have read online that this is normally fixed by rejoining the computer to the domain; however, this isn't something that I am able to do as I can't access the machine at all.

Audit failure 4776, blank workstation

I have a user who gets locked out occasionally (been a few weeks since the last time).  The bad password attempts show as a time where he was successfully logged into his computer and working.  I looked in the event logs on the DC and see some 4776 Audit failures for this user, with the error code 0xc000006a, which I believe means bad password.  However, the "Source Workstation" field is blank.  How can I track down where these bad attempts are coming from?
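A way to trace the blank-workstation 4776 failures described above, as an added example that is not part of the post. Event 4776 records an NTLM pass-through authentication; the "Source Workstation" is whatever name the client supplied, and many clients (and most forwarding member servers such as mail or web front ends) supply nothing. Two other sources do carry an origin: Kerberos pre-authentication failures (4771, status 0x18 for a wrong password) and account lockouts (4740) include the client IP address or caller computer name, and the NTLM operational log, once "Network security: Restrict NTLM: Audit NTLM authentication in this domain" is enabled on the DCs, records event 8004 with the "Secure Channel name" of the member server that forwarded the request. The script assumes it runs with read access to each DC's logs, starting with the PDC emulator, which receives a copy of every bad-password attempt; 'jdoe' and 'DC1' are placeholders.

```powershell
# Added example, not from the original post.

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Flatten the <EventData><Data Name="..."> elements of a Security event into a hashtable
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-NtlmBadPasswordEvents {
    param([Parameter(Mandatory)][string]$User, [string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    # 4776 with Status 0xC000006A = wrong password. Workstation is empty when the client sent no name.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -ne $User -or $d.Status -ne '0xc000006a') { return }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = 4776; User = $d.TargetUserName; Source = $d.Workstation; Status = $d.Status }
        }
}

function Get-KerberosAndLockoutEvents {
    param([Parameter(Mandatory)][string]$User, [string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    # 4771 carries the client IP (IpAddress); 4740 carries the caller computer name in TargetDomainName.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4740; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -ne $User) { return }
            $source = if ($_.Id -eq 4771) { $d.IpAddress -replace '^::ffff:', '' } else { $d.TargetDomainName }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUserName; Source = $source; Status = $d.Status }
        }
}

function Get-NtlmAuditEvents {
    param([Parameter(Mandatory)][string]$User, [string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    # Requires the DC policy "Restrict NTLM: Audit NTLM authentication in this domain" = Enable all.
    # 8004 names the forwarding member server ("Secure Channel name"), which 4776 never does.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "User name:\s+$([regex]::Escape($User))\b" } |
        Select-Object TimeCreated, Id, Message
}

# Correlate by time: a 4771 from the same minute as a blank-workstation 4776 gives the client IP.
$user = 'jdoe'; $dc = 'DC1'
@(Get-NtlmBadPasswordEvents -User $user -ComputerName $dc) + @(Get-KerberosAndLockoutEvents -User $user -ComputerName $dc) |
    Sort-Object Time | Format-Table -AutoSize
Get-NtlmAuditEvents -User $user -ComputerName $dc | Format-List
```

Bad attempts that appear while the user is logged on and working usually come from a saved credential on another device or a service (mail client, mapped drive, scheduled task, mobile device via a mail server) using an old password; the 4771 IP address or the 8004 secure-channel name points at the device or the server that fronts it.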

Exchange Server Computer account password changed


I recently had an issue where a customer's Exchange production environment servers both had their passwords changed, seemingly inexplicably.  The security logs were predictably overwritten shortly after so I cannot state what actually made the change any more.

Given the fact that the rest of the computers in the domain did not also change passwords at the same time, I'm concluding that an administrator (or an application / service running elsewhere) made the change to the password to both machines within a few seconds of each other.  The issue hasn't re-occurred in the last three weeks.

Has anyone seen anything similar in the past?
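A check that still works after the Security logs have rolled over, as an added example that is not part of the post. AD replication metadata keeps, for every attribute, the time of the last originating change, the DC it originated on and a version counter; reading it for pwdLastSet and unicodePwd on both computer objects shows whether the two passwords really changed within seconds of each other and on which DC, which narrows the search for the 4742 ("A computer account was changed") event to that DC's log. It assumes the ActiveDirectory module from Windows Server 2012 or later; 'EX01', 'EX02' are placeholder computer names. Only the most recent change is recorded, so run it before the next scheduled rotation overwrites it.

```powershell
# Added example, not from the original post.

function Get-ComputerPasswordChangeOrigin {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    foreach ($name in $ComputerName) {
        $c = Get-ADComputer -Identity $name -Server $Server -Properties pwdLastSet
        # Metadata for the two attributes a password change touches
        $meta = Get-ADReplicationAttributeMetadata -Object $c.DistinguishedName -Server $Server -Properties pwdLastSet, unicodePwd
        foreach ($row in $meta) {
            [pscustomobject]@{
                Computer      = $name
                Attribute     = $row.AttributeName
                ChangedAt     = $row.LastOriginatingChangeTime
                OriginatingDC = $row.LastOriginatingChangeDirectoryServerIdentity
                Version       = $row.Version        # increments on every change to the attribute
            }
        }
    }
}

function Compare-PasswordChangeTimes {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # How far apart the last pwdLastSet changes of the given computers were
    $rows  = Get-ComputerPasswordChangeOrigin -ComputerName $ComputerName | Where-Object { $_.Attribute -eq 'pwdLastSet' }
    $times = $rows | ForEach-Object { $_.ChangedAt } | Sort-Object
    [pscustomobject]@{
        Computers      = ($rows | ForEach-Object { "$($_.Computer)@$($_.OriginatingDC)" }) -join ', '
        FirstChange    = $times[0]
        LastChange     = $times[-1]
        SpreadSeconds  = [math]::Round(($times[-1] - $times[0]).TotalSeconds, 1)
    }
}

Get-ComputerPasswordChangeOrigin -ComputerName 'EX01', 'EX02' | Format-Table -AutoSize
Compare-PasswordChangeTimes -ComputerName 'EX01', 'EX02'
```

With the originating DC known, a 4742 for the computer account on that DC tells who made the change: the Subject is the computer itself for the normal Netlogon rotation, and an administrator account for a manual reset; a third-party agent resetting the password runs under whatever account it was installed with.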


Can't PING domain AD DC


Hi Friends,

I have a DC with 2 network adapters (2 IPs) on different networks and 2 IPs of the respective networks on the client PC. I am able to ping both IPs of the DC from the client PC, but if I ping the domain name then it is resolved to only 1 IP, although both IPs appear in the DNS zone on the DC. I have tried disabling the one adapter card to which the domain name was resolving; after that I started getting RTO.

Why is the domain not resolving to the other IP?

Active Directory Migration

About AD domain migration, the source environment is 2008R2 and the target environment is 2016. Can I use ADMT to migrate in both versions?

Home Folders does NOT map on Initial Logon Using ADUC Settings


I do have Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon (enabled)

All switches have Portfast enabled

All GPO are processed fine.

For a few users (the same user on any different device) the home drive that is set in the profile will not map.

It just simply is not there. But "set" shows:

HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\server.domain.local\Stafffile\Users\UserInQuestion

So it should be there. But no matter what, it does not happen.

The only way I can do it is a loopback GPO with GPP, and there I can even specify %HOMESHARE% and it maps perfectly fine.

I have been all over the Internet trying to figure that one out, but simply cannot.

Maybe somebody has any idea?

Seb

ADMT account migration, proxy address?


Hi Team,

I am migrating accounts from one forest to another forest using the ADMT tool. However, the ADMT tool can't migrate the proxy addresses. Does anyone know how to resolve this situation?

Thanks,

Jianggai
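One way to carry proxyAddresses across after an ADMT account migration, as an added example that is not part of the post. ADMT excludes Exchange attributes such as proxyAddresses, so the values are copied directly from each source-forest user to the matching target-forest user, matched on sAMAccountName (which ADMT keeps by default). The merge keeps the source's primary address (upper-case "SMTP:") and carries over any secondary addresses the target already has, de-duplicated case-insensitively, because a user may have only one primary address. It supports -WhatIf; the DC names, OU and credential below are placeholders, and it assumes the ActiveDirectory module plus write access to the target users.

```powershell
# Added example, not from the original post.

function Copy-ProxyAddresses {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SourceServer,
        [Parameter(Mandatory)][string]$SourceSearchBase,
        [Parameter(Mandatory)][string]$TargetServer,
        [pscredential]$TargetCredential
    )
    $target = @{ Server = $TargetServer }
    if ($TargetCredential) { $target['Credential'] = $TargetCredential }

    $sourceUsers = Get-ADUser -Server $SourceServer -SearchBase $SourceSearchBase -Filter 'proxyAddresses -like "*"' -Properties proxyAddresses, mail
    foreach ($src in $sourceUsers) {
        $dst = Get-ADUser @target -LDAPFilter "(sAMAccountName=$($src.SamAccountName))" -Properties proxyAddresses, mail
        if (-not $dst) { Write-Warning "No target account for $($src.SamAccountName)"; continue }

        # Source addresses first (so its SMTP: primary wins), then the target's secondaries, no duplicates
        $seen = @{}; $merged = @()
        foreach ($a in @($src.proxyAddresses) + @($dst.proxyAddresses | Where-Object { $_ -cnotmatch '^SMTP:' })) {
            if (-not $seen.ContainsKey($a.ToLower())) { $seen[$a.ToLower()] = $true; $merged += $a }
        }
        $attrs = @{ proxyAddresses = [string[]]$merged }
        if ($src.mail) { $attrs['mail'] = $src.mail }

        if ($PSCmdlet.ShouldProcess($dst.DistinguishedName, "replace proxyAddresses ($($merged.Count) values)")) {
            Set-ADUser @target -Identity $dst -Replace $attrs
        }
    }
}

# Placeholders: adjust servers, OU and credential; dry run first
Copy-ProxyAddresses -SourceServer 'dc1.source.example' -SourceSearchBase 'OU=Users,DC=source,DC=example' `
                    -TargetServer 'dc1.target.example' -TargetCredential (Get-Credential 'TARGET\admin') -WhatIf
```

If the target forest runs Exchange, set the target users' mail attributes before mailboxes are created there, or use Exchange's own cmdlets after, so that the address policy does not overwrite the copied primary address.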

How to find a Distinguished Name in AD


I have a program where I need to tell it the Distinguished Name of a user. The problem is, what if I move that user to a new OU? Is there a way to point to a user so it will be found in AD no matter what OU I move the object to?

For example:  CN=User1, CN=Users, DC=Contoso, DC=com

What if I move User1 to a new OU called Marketing?  My program might stop working because it was looking for User1 at CN=User1, CN=Users, DC=Contoso, DC=com

We are running a Windows 2003 domain.

Any ideas?

TIA,

Lamar
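Two ways to refer to a user that survive moves and renames, as an added example that is not part of the post. The distinguished name changes whenever the object is moved or renamed; the objectGUID never does, and LDAP supports binding to an object by GUID with the `<GUID=...>` form, so a program should store the GUID instead of the DN. Alternatively it can search by sAMAccountName each time. Both work against a Windows 2003 domain through ADSI, which is why the ActiveDirectory PowerShell module (which needs Active Directory Web Services, absent on 2003 DCs) is not used. 'User1' is the name from the post; the domain is a placeholder.

```powershell
# Added example, not from the original post. ADSI only; works against Windows 2003 DCs.

function Get-ObjectGuidByDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Read the objectGUID once (it comes back as 16 bytes) and return it as a GUID string
    $obj   = [ADSI]"LDAP://$DistinguishedName"
    $bytes = [byte[]]$obj.Properties['objectGUID'].Value
    (New-Object System.Guid -ArgumentList (, $bytes)).ToString()
}

function Get-ObjectByGuid {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # The <GUID=...> bind form resolves the object wherever it currently lives
    $obj = [ADSI]"LDAP://<GUID=$ObjectGuid>"
    [pscustomobject]@{
        ObjectGuid        = $ObjectGuid
        DistinguishedName = [string]$obj.Properties['distinguishedName'].Value
        SamAccountName    = [string]$obj.Properties['sAMAccountName'].Value
    }
}

function Find-UserByLogonName {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Search instead of binding to a fixed DN: finds the user in whatever OU it is in now
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'objectGUID'))
    $r = $searcher.FindOne()
    if ($r) {
        [pscustomobject]@{
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            ObjectGuid        = (New-Object System.Guid -ArgumentList (, [byte[]]$r.Properties['objectguid'][0])).ToString()
        }
    }
}

# Store the GUID once while the DN is still known (placeholder domain)...
$guid = Get-ObjectGuidByDN -DistinguishedName 'CN=User1,CN=Users,DC=Contoso,DC=com'
# ...and later, after User1 has been moved to OU=Marketing, resolve it by GUID
Get-ObjectByGuid -ObjectGuid $guid
Find-UserByLogonName -SamAccountName 'User1'
```

Prefer the GUID: sAMAccountName can be changed by an administrator, and a program that looks up by logon name will silently pick up a different account if the name is reused, whereas a GUID bind either returns the original object or fails.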
