Channel: Directory Services forum
Viewing all 31638 articles

The time service has stopped advertising as a time source because the local clock is not synchronized.


Hi,

I am unable to update the Time Service. I tried numerous ways but I am unable to find what the issue is. I have run dcdiag; please find the results below. Could someone help me, as this server is running in the live environment?

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ADServer2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         ......................... ADSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Advertising
         Warning: ADSERVER2 is not advertising as a time server.
         ......................... ADSERVER2 failed test Advertising
      Starting test: FrsEvent
         ......................... ADSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... ADSERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... ADSERVER2 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000603
            Time Generated: 08/12/2019   19:48:46
            Event String:
            Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 08/12/2019   19:47:49
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
         A warning event occurred.  EventID: 0x800004C4
            Time Generated: 08/12/2019   19:48:12
            Event String:
            LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
         A warning event occurred.  EventID: 0x8000082C
            Time Generated: 08/12/2019   19:48:50
            Event String:
         ......................... ADSERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADSERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... ADSERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... ADSERVER2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADSERVER2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: DC=ForestDnsZones,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: CN=Configuration,DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:15:19.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From DCSERVER01 to ADSERVER2
            Naming Context: DC=ad,DC=contoso,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2019-08-12 19:48:53.
            The last success occurred at 2019-08-12 19:48:00.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... ADSERVER2 failed test Replications
      Starting test: RidManager
         ......................... ADSERVER2 passed test RidManager
      Starting test: Services
            Invalid service type: w32time on ADSERVER2, current value WIN32_OWN_PROCESS, expected value
            WIN32_SHARE_PROCESS
         ......................... ADSERVER2 failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:34:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:33:44          
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:41:33
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:41:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
        
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:36
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:47:39
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:47:51
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 08/12/2019   19:47:59
            Event String:
            The time service has stopped advertising as a time source because the local clock is not synchronized.
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 08/12/2019   19:48:06
            Event String: The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 08/12/2019   19:48:46
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x800009CF
            Time Generated: 08/12/2019   19:47:51
            Event String:
            The server service was unable to recreate the share WSUSTemp because the directory C:\Program Files\Update Services\LogFiles\WSUSTemp no longer exists.  Please run "net share WSUSTemp /delete" to delete the share, or recreate the directory C:\Program Files\Update Services\LogFiles\WSUSTemp.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:12
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 08/12/2019   19:48:27
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         ......................... ADSERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADSERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : ad.contoso.com
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... ad.contoso.com failed test LocatorCheck
      Starting test: Intersite
         ......................... ad.contoso.com passed test Intersite


Thanks & Regards, D.Nithyananthan.
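As an added example (not part of the original post or of Microsoft's tooling), a PowerShell check that walks through the dcdiag findings above on the affected DC: the w32time service type the Services test complains about, the local clock's sync state and source behind event 0x8E, and whether the PDC Emulator and a time server can be located. It assumes an elevated session on the DC with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the original post). Run elevated on the DC that
# failed dcdiag (ADSERVER2 in the post); assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$report = [ordered]@{}

# 1. Services test: dcdiag expects w32time to run as WIN32_SHARE_PROCESS.
$svc = Get-CimInstance Win32_Service -Filter "Name='w32time'"
$report['w32time ServiceType'] = $svc.ServiceType      # expected: "Share Process"
$report['w32time State']       = $svc.State
if ($svc.ServiceType -ne 'Share Process') {
    Write-Warning "w32time runs as '$($svc.ServiceType)'; dcdiag expects WIN32_SHARE_PROCESS."
    Write-Warning "Remediation to review:  sc.exe config w32time type= share  (then restart w32time)"
}

# 2. Advertising / event 0x8E (142): is the local clock synchronized, and from what?
$status = w32tm /query /status
$source = (w32tm /query /source) -join ''
$report['Time source'] = $source
$report['Stratum']     = ($status | Select-String '^Stratum:') -join ''
$report['Last sync']   = ($status | Select-String '^Last Successful Sync Time:') -join ''
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "Clock is free-running; a DC in this state stops advertising as a time source."
}

# 3. LocatorCheck: who holds the PDC Emulator role, and can a (good) time server be located?
$domainInfo = Get-ADDomain
$pdc    = $domainInfo.PDCEmulator
$domain = $domainInfo.DNSRoot
$report['PDC Emulator']             = $pdc
$report['PDC reachable (LDAP 389)'] = Test-NetConnection -ComputerName $pdc -Port 389 -InformationLevel Quiet
$report['nltest TIMESERV']  = (nltest "/dsgetdc:$domain" /timeserv  2>&1 | Select-String 'DC:|Status|ERROR') -join ' '
$report['nltest GTIMESERV'] = (nltest "/dsgetdc:$domain" /gtimeserv 2>&1 | Select-String 'DC:|Status|ERROR') -join ' '

# 4. The 1908 / "KDC was not found" replication errors commonly follow clock skew
#    (Kerberos rejects tickets outside the allowed skew); compare this clock with the PDC.
$report['Offset vs PDC'] = (w32tm /stripchart "/computer:$pdc" /samples:1 /dataonly | Select-Object -Last 1)

[pscustomobject]$report | Format-List
```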


Windows cannot access domain share \\domain.local


Hello Tech Masters,

Hope everyone is having a great day. 

I am investigating an Active Directory issue in Windows 2008 R2 domain. 

The environment is a single 2008 R2 forest with 3 2008 R2 domains. Each domain has at least 3 2008 R2 domain controllers. 

My goal is to promote both the forest and domains to 2016 functional level.

I am replacing all 2008 R2 and 2012 R2 domain controllers by building new 2016 domain controllers. 

Issue: Browsing any of the 3 domains by domain name \\domain.local works if domain.local is pointing to a specific domain controller (the old PDC DC). This happens in all 3 domains. Otherwise, it will error out with "Windows cannot access \\domain.local".

The issue is global to all computers in the 3 domains. 

I can ping all 3 domains by name successfully. 

I am able to navigate directly to any domain controller's shares (Netlogon and Sysvol) using the FQDN (ex: dc01.domain.local). 

Domain AD replication works properly in all domains. 

Group policies apply properly to users' computers.

See attached error (screen shot).


Please share your thoughts if you have experienced the same issue or have the knowledge to help.

Thank You 

Raed

Folders on share drive showing up that I don't want users to see

Hi, I have just completed moving files and folders to my share server. I set up the drive map policy for what I am calling an I: drive to map to these files and folders on this share server under a root directory called Secure. As a test I shared a folder with myself and added myself to the drive map policy. I logged in with my domain account and saw the share and was able to access it; however, I am seeing all of the other folders that I didn't give myself access to. I am not able to access any data within them, however I can't figure out why I am seeing the folders under the root folder that I didn't share with myself. Even though they don't have rights to access them, I don't want our users to be able to see folders that haven't been shared with them. What am I doing wrong? How do I fix this?

Support analyst

DC Hold last replica of application directory partitions, demoting 2008R2 DC


I have migrated AD to Server 2019 and now I am getting this error when demoting the 2008r2 DC.

The domain controller holds the last replica of the following application directory partitions.

I have attached a picture.

I don't see any issues with replication on my 2019 box.  I am able to use all functions of AD and DNS.  I had AD services on the 2008 server turned off for a week without issue.

Disable non secure LDAP 389


Hi,

Do you know if there is a way to force the use of LDAPS on port 636 and disable LDAP access on the non-secure port 389 without affecting AD features?

Regards


Forgot Outlook PST file password

Is there a safe PST password tool/site? I have $100,000s of lost product keys and business data in older emails with a forgotten password! HELP!!!!

Force removal of failed DC--cleanup


Hi there. We had a Server 2012 R2 domain controller. It's a Hyper-V VM and the host it was running on had a serious hardware failure that resulted in the VM being corrupted and blue screening even in safe mode. No luck with safe mode etc. or the Directory Services repair options. So we did a force removal of the DC in AD. This particular DC had no FSMO roles and wasn't a file server, so there wasn't much needed to recover that we didn't already have from backups. After the host was repaired, we built a new DC VM to replace the dead one and linked it to the same subnet in AD Sites and Services etc. We gave it a different name.

Things appear to be working normally. I ran a number of AD replication tests using Microsoft's AD Replication Status tool and no errors are coming up. I've gone through DNS and removed any references to the dead DC. The dead DC does not show up anywhere in AD Sites and Services.

My question is about NTDSUtil. I know that if you have to force remove a DC, you should clean up the metadata using NTDSUtil. The problem(?) is NTDSUtil couldn't find any reference to the failed DC for me to remove. Is there anything left to check? The Microsoft articles I found simply said that if the dead DC couldn't be found there, it may have already been removed. So does that mean I'm in the clear?

Thanks in advance,

Sir Timbit.

Migrating Active Directory Certificate Services to another forest\domain

Please advise the step-by-step process for migrating Active Directory Certificate Services from one forest to another forest.

Windows Time server - Domain Controller


Hi All,

In our root domain, we have a domain controller (Server1.par.com) on old hardware and it's currently acting as the time server with the configuration below:

Type: NTP

NTPServer: Defined some outside IP

It looks like the other DCs show Type as NT5DS and their NTPServer registry value is pointing to Server1, but not all of them: in our child domains I took one of our child domain DCs (ServerDC2.child.par.com) and ran the command "w32tm /query /source", and it shows a DC name (ServerDC3.child.par.com) which exists in the same child domain, but when I check the registry on ServerDC2 it shows NTPServer as "time.windows.com,0x9".

To check further I logged on to ServerDC3.child.par.com, and when I ran "w32tm /query /source" it shows the DC name as "Server1.par.com", but when I check the NTPServer registry value, it's currently set to "time.windows.com,0x9".

My question:

1. Does our current configuration for the time source look correct on the DCs?

2. We have to decommission Server1.par.com; how do I check all DCs which are pointing to Server1.par.com as their time source?

3. Once we have the answer to question 2 above, then to make another DC (Server2.par.com) the authoritative time server, should I just set Type to NTP and set its NTPServer registry setting? How will I tell my other DCs, servers and member machines that we now have a new time server in place?

If anyone has a plan for the above situation, please help me out.
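As an added example (not part of the original post), a PowerShell report that answers the "which DCs point at Server1" question across every domain in the forest by asking each DC's w32time service for its real source and comparing it with the configured Type and NtpServer values. It assumes the RSAT ActiveDirectory module, RPC access to each DC, the names Server1.par.com and Server2.par.com from the post, and a placeholder for the external NTP address.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module, RPC access to every DC, and the server names used in the post.
Import-Module ActiveDirectory

$retiringServer = 'Server1.par.com'

$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $name = $dc.HostName
        try {
            # The service's own answer: what it is really synchronising from.
            $source = (w32tm /query "/computer:$name" /source 2>&1) -join ' '
            # What is configured. With Type NT5DS the NtpServer value is ignored and the
            # DC follows the domain hierarchy, which is why ServerDC2 can carry
            # time.windows.com,0x9 in the registry yet report ServerDC3 as its source.
            $cfg  = w32tm /query "/computer:$name" /configuration 2>&1
            $type = (($cfg | Select-String '^\s*Type:'      | Select-Object -First 1) -join '' -split ':\s*', 2)[1]
            $ntp  = (($cfg | Select-String '^\s*NtpServer:' | Select-Object -First 1) -join '' -split ':\s*', 2)[1]
        } catch {
            $source = "ERROR: $_"; $type = $null; $ntp = $null
        }
        [pscustomobject]@{
            Domain           = $domain
            DC               = $name
            IsPdcEmulator    = ($dc.OperationMasterRoles -contains 'PDCEmulator')
            Source           = $source
            Type             = $type
            NtpServer        = $ntp
            PointsAtRetiring = ($source -like "$retiringServer*")
        }
    }
}

$results | Sort-Object Domain, DC | Format-Table -AutoSize

# Question 2: DCs that lose their time source when Server1.par.com is decommissioned.
$results | Where-Object PointsAtRetiring | Select-Object Domain, DC, Source

# Question 3 (left commented; review before running on Server2.par.com once it holds the
# forest-root PDC Emulator role). Making it the authoritative NTP client is enough for the
# NT5DS DCs: they relocate to it through the domain hierarchy with no change on their side.
#   w32tm /config /manualpeerlist:"<external-ntp-placeholder>,0x8" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
#   w32tm /query /source    # confirm on Server2.par.com, then re-run this report
```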



ADLDS Recycle bin feature


Hi Everyone,

We have an AD LDS instance running on Windows Server 2008 R2, and the forest functional level of the instance is Windows Server 2003 R2. We have an application which relies on this instance and it has already extended the schema with the application attributes. Initially ADsync was running, which is now stopped, and accounts are created manually. Now we are planning to include the recycle bin feature on this instance. My query is: can we promote the forest functional level without upgrading the schema? I have read the article saying that enabling the recycle bin needs the .ldf files below to be imported, which I suspect may conflict with the application attributes.

MS-ADAM-Upgrade-1 and MS-ADAM-Upgrade-2 

Thanks in advance

GPO block policy inheritance


Hi,


In my experience I have seen some AD domains that have block policy inheritance enabled at the root level and on the Domain Controllers OU. 

Please help me to understand the use case of GPO block policy inheritance.


Disable cross forest TGT delegation


Hi,

Please help me to understand the use case of "Disable cross forest TGT delegation".

What is the use of TGT delegation, and why does MS recommend disabling cross-forest TGT delegation?

Can AD CS run on a lower OS version than the current AD level?


Hello,

My current AD domain/forest level is Server 2012 R2, and I'm about to add 3 2019 servers and then raise the AD level to 2019. However, I'm contemplating deploying an AD Certificate Services server, and I'd like to re-use one of my 2012 licenses for that if possible. What I'm wondering is, if I install the AD CS role on a 2012 R2 server and then raise the AD level to 2019, can my AD CS remain on 2012 R2, or does it have to be 2019 before I could raise it? (Main reason for raising it to 2019: my entire environment is Windows 10 Pro, with 2 2012 R2 servers running various services, and we're about to connect it to Azure, so 2019 would offer the best matched controls from what I understand.)

Event ID 2042 Replication Error


Hello, I have two domain controllers named DC1 and DC2, but DC2 cannot replicate with DC1 and faces the error below.

How do I resolve this problem?

Event ID 2042: replication error

The following error occurred during the attempt to synchronize naming context myDomain.com from domain controller DC2 to domain controller DC1.

The directory service cannot replicate with this server because the last replication with this server has exceeded the tombstone lifetime.

The operation will not continue.

I have a question about adding a security group to all computers on the domain...


The process in which we create new computers on our domain is:

Go to our policy-free OU, create a new pc name and then, on the same initial screen, we click Change... and add a group under User or Group. This, for us, allows anyone in that group to manage that pc within AD.

Rather than manually add a pc and add the group, I am currently using MDT to join to our domain, but I want to auto-create the pc names as well, on the fly. I can do this, but I don't know how to add a GPO to automatically apply that specific group to the security properties of the pc.

For every single pc on our domain, if you look at the properties and choose Security, there is the group (because we've been manually adding it). I'd like, from the very top down, for that group to be part of the standard Security Group on every pc we have. I don't work in AD so I don't know how to apply this, but I'm hoping for a reply that will work.


Unable to configure WSUS on Windows Server 2012 R2


Hi Support team,

I have installed a new domain controller in my domain. I installed Windows 2012 R2, installed the AD DS role, and promoted it to a domain controller.

After finishing the promotion, the server worked fine, but after some time, approximately 2 months later, it gives a warning message. I have to configure it, but the errors remain the same; the "Post-Deployment Configuration" warning is still there. 

How can I avoid that warning and reconfigure it?



Delegate Permissions to few groups in the OU for the Users!!


Hi Team,

Is there an option to delegate control to users on a few groups (not all) in the Organisational Unit, or is it for all groups inside the OU?

Kindly let me know. 


Paramesh KA

Locking Laptops to 1 login


Hi, is it possible to lock a computer to one specific login through AD?

Example, we have around 170 staff members and hundreds of different devices. Some of these devices are used for testing and we only want them accessible by the Testing user account. 

Sorry if my question is too simple for here, but I am only just starting to learn how to use AD.

Thanks in advance. 

Login is from an untrusted domain


Hi

I have searched all over the internet for an answer so hopefully someone here can help.

I have an SQL 2017 server set to use Windows or SQL authentication.

The DBs that are on it work fine using either authentication method on the LAN.

My issue is that when a user tries to connect over our VPN it fails with the above error message that the login is from an untrusted domain. 

However, if I use an SQL credential (SA) it connects no issues.

Both server and PC are on the same domain and the PC is regularly connected to the LAN during the day; it's just when they go home and use the VPN that it doesn't work and I get this untrusted domain error. This happens for all users over VPN. 


Renaming Windows Domain Name Breaks RDS setup


Hi Everyone,

I'm new to this forum and unfortunately I do not have enough experience to move past the issue that I'm currently facing. 

To give you an overview of the current task at hand: I have a domain controller (2016) with RDS installed on one of the domain-joined Windows servers (2016). Basically, to protect myself from any unexpected issues, I have cloned the servers into an isolated environment to test the renaming process before actually performing it on production. 

I have gone through multiple articles and blogs on the process of renaming a domain name, i.e. ABC.local to ABZ.local.

The main issue is that when the domain name is renamed (completed successfully), the RDS deployment breaks, as it still detects the old server vm1.abc.local instead of the updated vm1.abz.local. 

Most of the blogs available mention that it might be necessary to completely remove the roles and then re-add them; however, from my understanding it looks like the issue is primarily the server not updating its FQDN in the RDS deployment.

I would really appreciate any advice on this matter, and in the meantime I will continue to try and solve it. 

Thank you. 
