Channel: Directory Services forum
DNS Server error Event ID 4015 after replacing domain controller with another using same name


After demoting a Server 2008 R2 domain controller, renaming it, and then creating and promoting a new Server 2012 Domain Controller with the same name (DC6) I am seeing this error intermittently on the new DC.

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          4/16/2013 6:58:37 PM
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC6.MyDomain.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

Otherwise, however, there does not appear to be any actual problem. DNS can be restarted on the new DC without issue or error message. Replication seems to be working everywhere. Repadmin /replsummary results are:

Beginning data collection for replication summary, this may take awhile:
  ...........

Source DSA         largest delta    fails/total %%  error
 DC1                      10m:07s    0 /  20   0
 DC2                      11m:49s    0 /  20   0
 DC3                      10m:08s    0 /  20   0
 DC4                      11m:50s    0 /  20   0
 DC5                      11m:50s    0 /  20   0
 DC6                      10m:08s    0 /   5   0
 DC7                      10m:09s    0 /  20   0
 DC8                      11m:50s    0 /  20   0

Destination DSA     largest delta    fails/total %%   error
 DC1                      09m:13s    0 /  20   0
 DC2                      07m:54s    0 /  15   0
 DC3                      09m:59s    0 /  20   0
 DC4                      08m:48s    0 /  15   0
 DC5                      10m:10s    0 /  20   0
 DC6                      11m:57s    0 /  20   0
 DC7                      10m:03s    0 /  20   0
 DC8                      02m:33s    0 /  15   0

There are two DCs at each of 4 sites. The local site replication partner for this DC is DC5 and there are no errors on DC5, although there is an informational event related to the old DC which is logged intermittently:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          4/16/2013 9:28:15 AM
Event ID:      1104
Task Category: Knowledge Consistency Checker
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC5.MyDomain.local
Description:
The Knowledge Consistency Checker (KCC) successfully terminated the following change notifications.

Directory partition:
DC=MyDomain,DC=local

Destination network address:
963562c1-fc7d-41e7-bbf9-4acc2f02b2d5._msdcs.PBJFS.local

Destination directory service (if available):
CN=NTDS Settings\0ADEL:963562c1-fc7d-41e7-bbf9-4acc2f02b2d5,CN=DC6\0ADEL:6753a055-0c0f-42de-819f-e267d9e34601,CN=Servers,CN=MySiteName,CN=Sites,CN=Configuration,DC=MyDomain,DC=local

This event can occur if either this directory service or the destination directory service has been moved to another site.

My understanding is that this can be ignored and will go away. There is no correlation between these events on DC5 and the problematic error logged on DC6 but I mention them just in case.

The final piece of information I will provide is that I have an issue with non-domain-joined computers being unable to register in DNS if they get their DHCP address from Server 2008 R2 DCs. (The DCs all run DHCP and DNS, and DNS is AD integrated.) Two of my 8 DCs are Server 2008 R1, including DC5. Non-domain computers that get DHCP from the Server 2008 R1 servers have their addresses registered in DNS just fine. All domain computers get their addresses registered regardless of the operating system of the DHCP server they connect to, and only non-domain computers are affected by that issue. In an attempt to remedy that situation I had recently changed my Dynamic Updates in DNS from 'Secure Only' to 'Non-Secure and Secure', but it did not help.

I would like to rebuild DC5 as a Server 2012 DC here pretty soon, but I want to first see if I can eliminate this DNS error message from DC6. The error is logged irregularly and averages about once every 24 hours, but can sometimes happen twice in a day or not at all for two days. The original DC6 is still in use under another name and it has registered in DNS under the new name already. I also did, in between the demotion and promotion of the replacement DC, make sure the old DC6 had all of its DNS entries removed and that replication had finished amongst all my DCs. The old DC6 computer object under its new name is no longer in the Domain Controllers group and the new DC6 computer object is, just as expected.

I did try changing the DNS server IP entries in the network configuration on the DC itself, but this did not help. Currently DC6 is set up to use DC5 as primary and itself by IP as secondary (these were originally reversed, but changing them has not eliminated the error). The loopback is listed as the third DNS entry in the network config.


AD design and Enterprise Admins group

We are looking at creating a new AD design to house 4 currently separate AD forests. Some are saying a single AD forest is better, but as there will be multiple admins across the world I feel a new forest with a multiple child domain approach would be better. One question I am looking at is the role of the enterprise admin. Are there any specific roles apart from assigning site-level GPOs and authorising DHCP servers? Could you easily, and in a controlled, manageable way, use the OU delegation feature to adequately assign all the relevant individual admin permissions to fully allow site admins to maintain full control of their respective sites, or would a child domain be better?

Is it possible to convert ADAM/LDS users from user to userproxy?


I have an ADAM instance where half the users are in the AD domain, and the other half aren't. I'd like to convert the users that have corresponding AD accounts from user objects to userProxy objects so I can do proxy authentication.

Is something like this possible? If so is there any documentation on how to do this?

Thanks!

Event ID: 0x00000457


Hi,

I have only 1 Domain Controller at my site. It used to be more than 1. I am getting this error on DCDIAG. Can anyone help please?

An Error Event occurred.  EventID: 0x00000457
            Time Generated: 04/15/2013   10:57:02
            EvtFormatMessage failed, error 15100 The resource loader failed to find MUI file..
            (Event String (event log = System) could not be retrieved, error
            0x3afc)

NTDS.dit security


Hi everyone

I need to improve the security of the ntds.dit file on my domain controllers. Is there any way of changing the name of the ntds.dit file or changing its default location?

SYSVOL and Netlogon not shared nor replicating


I just found that the SYSVOL and NETLOGON folders are neither shared nor replicating with my FSMO role holder, which is a Windows 2003 Std, so I have to fix this before I can go on with my plan to move my domain to the Windows 2008 functional level.

I found this link http://support.microsoft.com/kb/315457/en-us?wa=wsignin1.0 that explains how to fix it, but I would like to fix the causes of the problem first. Maybe I won't need the previous procedure if I fix the causes of the problem, because the DCs constantly try to replicate with each other, as shown in my logs by event 13508 without 13509.

Any ideas?

RODC No logon servers available


Hi,

We are adding a RODC in our DMZ. I have read the ms articles on this and deployed the RODC without error. I can log onto the RODC with domain credentials and have no problems. The problem I am having is adding a DMZ server to the domain and then logging on. I have read the 2 methods ms suggested, the script and using Djoin.exe.

I decided to use the djoin method because it seems pretty simple. I ran the command and copied the blob file to the machine I want to join, added the PC account to the PRP and forced it to populate, then ran the djoin command again on the machine I want to add to the domain (DMZ server) to "consume" the blob file and rebooted it. No problem. But when I try to log on I get told there are no logon servers available to complete the request. I have looked in the RODC event logs and don't see any errors.

Not sure what else to do. Please help.

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Showing error on RODC:

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:
CN=Configuration,DC=parkergroup,DC=com

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.

If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.


Arvind


Event ID 10154

I receive event ID 10154, "the WinRM service failed to create the following SPNs: wsman", on several servers in my domain. The event shows up on domain controllers and member servers. I have seen several solutions for this warning; however, my question is whether I should try to resolve this. The event only happens after the server has been rebooted. The domain controllers are running Server 2008 SP2, and all the other member servers are running Server 2008 SP2, except for one which is running Server 2008 R2 SP1. The domain functional level is 2003.

multiple _msdcs zones


Hi all, hopefully it's an easy explanation.

The environment is a single forest / single domain.

All DCs are DNS servers, and all are either 2008 R2 or 2008.

Both domain/forest functional levels are Windows Server 2003.

Whenever one of the DCs is rebooted, we see Event 4515 logged in the DNS logs:

The zone _msdcs.domain.com was previously loaded from the directory partition DomainDnsZones.domain.com but another copy of the zone has been found in directory partition ForestDnsZones.domain.com. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.

When I run ADSI Edit, I can see this zone in both ForestDnsZones.domain.com AND DomainDnsZones.domain.com.

Is this normal? If not, is this a problem?

When I check that zone in DNS Manager, it is AD Integrated and replicated to all DNS servers in this domain.

Remove old DHCP Server from Authorized Servers


Hi All,

I have, in the DHCP MMC, several old DHCP servers in the list of authorized servers. I want to remove them from the list. Drilling down into ADSI Edit I see a list of authorized servers along with the CN=DhcpRoot entry. In that list I deleted one of the old computers, but it still appears in the DHCP MMC.

Every post I am finding says to edit the CN=DhcpRoot and remove them from there.  What are my other options?


Philip P. Mennenoh

the trust relationship between this workstation and the primary domain failed

Hi everyone,

My boss has two systems in two different sites and he is using the same user logon.

When he is trying to connect to the system remotely from home he is getting the error "the trust relationship between this workstation and the primary domain failed."

I work around it by rejoining it to the domain, but after 2 days he faces the same issue again.

I went to Event Viewer and I found the errors below:

Please help

This computer could not authenticate with \\Server.RakHolding.ae, a Windows domain controller for domain RAKHOLDING, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server muzamil-pc$. The target name used was MUZAMIL-PC$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RAKHOLDING.AE) is different from the client domain (RAKHOLDING.AE), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

NtpClient was unable to set a domain peer to use as a time source because of failure in establishing  a trust relationship between this computer and the '' domain in order to securely synchronize time. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The trust relationship between this workstation and the primary domain failed. (0x800706FD)



Able to create folder in DC2 but cannot create folder in DC1


Hi All

I set up DC1 in a new root forest domain, then continued by setting up DC2 as an ADC. I have the privileges of Enterprise Admin and Domain Admin.

Problem is:

After logging in to DC1, I cannot create a folder in \\DC1\Netlogon, and the option to create files in \\DC1\Netlogon is missing.

The same applies to C:\Windows\SYSVOL\Sysvol\domain\Scripts.

But when trying to create folders/files in \\DC2\Netlogon, I'm able to do it.

Does anyone have any idea about this?

Errors importing LDIF file generated by PeopleSoft


Hi All,

I am working with our PeopleSoft admins to get PeopleSoft set up as the authoritative source for directory-type information. We are establishing a process where PeopleSoft will build an LDIF file of any changes it wants to make to AD; it will go to our System Admins, who will review the changes and then import them into AD. We are in the testing phase now, and can't seem to get any of the LDIF files to import.

Here is the file, spit out by PeopleSoft:

dn: cn=testA\, psoft,ou=Employees,ou=User Accounts,dc=domain1,dc=company
changetype: modify
objectClass: top
replace: mail
cn: testA\, psoft
mail: traceyA@company.org

dn: cn=testB\, psoft,ou=Employees,ou=User Accounts,dc=domain1,dc=company
changetype: modify
objectClass: top
cn: testB\, psoft
replace: mail
mail: traceyB@company.org

It errors like:

PS C:\temp> ldifde -i -f RAJU_PERSON6.ldif -s DC1
Connecting to "DC1"
Logging in as current user using SSPI
Importing directory from file "RAJU_PERSON6.ldif"
Loading entries.
There is a syntax error in the input file
Failed on line 1.  The last token starts with 'ï'.
0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.


I have done some research on it, on these forums and abroad, and I have found a few things:

1. When using "changetype: modify" you need to have your change listed on the next line.

2. You don't need the "objectClass: top" line (or any objectClass lines for a modify).

3. I haven't found anyone else using a line like "cn: testB\, psoft".

4. The file needs to be in "UTF-8" format.

5. And finally, I likely need quotes around

dn: cn=testB\, psoft,ou=Employees,ou=User Accounts,dc=domain1,dc=company

So, I recreated the file to look like:

dn: "cn=testA\, psoft,ou=Employees,ou=User Accounts,dc=domain1,dc=company"
changetype: modify
replace: mail
mail: traceyA@company.org

dn: "cn=testB\, psoft,ou=Employees,ou=User Accounts,dc=domain1,dc=company"
changetype: modify
replace: mail
mail: traceyB@company.org

I ran the import again and get this failure:

PS C:\temp> ldifde -i -f nates_edited.ldif -s DC1
Connecting to "DC1"
Logging in as current user using SSPI
Importing directory from file "nates_edited.ldif"
Loading entries.
There is a syntax error in the input file
Failed on line 3.  The last token starts with '"'.
0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

I have messed around with this, editing the file and trying different things, and am just having a real hard time figuring out what I need to do. Any thoughts from the community?
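A small LDIF linter, added here as an example and not part of the thread, that checks a file for the failure modes ldifde reported above: a UTF-8 byte order mark (its first byte 0xEF reads as 'ï' in a Windows code page, which matches the token reported on line 1), a quoted DN, objectClass lines inside a modify record, and change specs that are out of order or lack the closing '-' line that RFC 2849 requires. The two sample files are constructed from the DN and address in the post; the linter assumes records are separated by blank lines and checks only "changetype: modify" records in detail.

```python
BOM = b"\xef\xbb\xbf"              # UTF-8 byte order mark; first byte 0xEF reads as 'ï'
CHANGE_OPS = ("add", "delete", "replace")

def _kv(line):
    """Split 'attr: value' into ('attr', 'value'); a bare '-' becomes ('-', '')."""
    key, _, value = line.partition(":")
    return key.strip().lower(), value.strip()

def _records(lines):
    """Group (line_no, text) pairs into LDIF records separated by blank lines."""
    records, current = [], []
    for no, line in enumerate(lines, 1):
        if line.strip():
            current.append((no, line))
        elif current:
            records.append(current)
            current = []
    if current:
        records.append(current)
    return records

def lint_ldif(raw: bytes) -> list:
    """Return [(line_no, message), ...] for the problems found; [] means clean."""
    findings = []
    if raw.startswith(BOM):
        findings.append((1, "UTF-8 BOM precedes 'dn:'; ldifde reports a token starting with 'ï'"))
        raw = raw[len(BOM):]
    for rec in _records(raw.decode("utf-8").splitlines()):
        first_no, first = rec[0]
        if first[3:].strip().startswith('"'):   # dn line: the DN itself is never quoted
            findings.append((first_no, "DN is quoted; write it bare and escape commas as '\\,'"))
        body = [(no, *_kv(line)) for no, line in rec[1:]]
        ct = [(i, no) for i, (no, key, _) in enumerate(body) if key == "changetype"]
        if not ct or body[ct[0][0]][2].lower() != "modify":
            continue                             # only modify records get the checks below
        idx, ct_no = ct[0]
        specs = body[idx + 1:]
        if not specs or specs[0][1] not in CHANGE_OPS:
            findings.append((ct_no + 1, "'changetype: modify' must be followed by add:/delete:/replace:"))
        attr = None                              # attribute named by the open change spec
        for no, key, val in specs:
            if key in CHANGE_OPS:
                attr = val.lower()
            elif key == "-":
                attr = None
            elif key == "objectclass":
                findings.append((no, "objectClass line has no place in a modify record"))
            elif key != attr:
                findings.append((no, f"'{key}' value does not belong to the open change spec ({attr or 'none open'})"))
        if specs and specs[-1][1] != "-":
            findings.append((specs[-1][0], "change spec should end with a '-' line (RFC 2849)"))
    return findings

# Constructed samples: the first mirrors the rejected file (BOM, objectClass and cn
# lines inside the modify record); the second is the same change written cleanly.
SAMPLE_BAD = BOM + b"""dn: cn=testA\\, psoft,ou=Employees,ou=User Accounts,dc=domain1,dc=company
changetype: modify
objectClass: top
replace: mail
cn: testA\\, psoft
mail: traceyA@company.org
"""
SAMPLE_GOOD = b"""dn: cn=testA\\, psoft,ou=Employees,ou=User Accounts,dc=domain1,dc=company
changetype: modify
replace: mail
mail: traceyA@company.org
-
"""
```

Running lint_ldif(SAMPLE_BAD) reports the BOM on line 1, the objectClass line, the stray cn value and the missing trailing '-', while SAMPLE_GOOD comes back clean.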


Will my domain account logon script try to install printer drivers on the Citrix server?

Will a logon script try to install the printer drivers on the Citrix server while connecting to an application?

How to manually remove a Windows Server 2012 DC.


Hello,

I have a Windows Server 2012 DC that I need to manually remove from AD. I would normally remove it from Server Manager, but I'm experiencing some issues with the server which are not allowing me to do so. I found the following KB article, 216490, but it appears to be written for Windows Server 2003 and 2008. Does anyone have any info on how to manually remove a DC which is running Windows Server 2012? Doug


Active Directory on Server 2008 R2 Roaming Profiles


I have looked up and down for the answer to this problem.

I was assigned the task of implementing an Active Directory environment for my Office workers. Server 2008 R2 and Windows 7 Pro.

I have Active Directory set up and functioning as it should. My goal for roaming profiles is to have each user's profile stored on the server (I assume by using the Profile path when creating their account) and their profile mapped to H: (in the same dialog). I also would like their profile directories redirected to the mapped location, which is under Group Policy Editor. So far I feel I have done what I need to, except I have this issue: when a user logs on for the first time, .v2 is appended to the end of each profile directory, thus the profiles aren't being mapped as they need to be.

What am I missing?

Note: I have seen this especially being an issue for those with legacy servers and clients (older than Windows 7 and 2008). I am building a clean, new system from scratch using 7 and Server 2008 R2.

Users / computers default property tabs are missing when using Find in ADUC


Hello Experts,

I am seeking your expert advice here, because right now I am experiencing a strange issue in one of the child domains in the production forest.

The problem is that when I try to search for an object (user / computer usually) by selecting Find in "Entire Directory", I do get the results for the objects in the entire forest, but in the same results, when I click Properties on those objects, nothing is shown except the Security tab.

But if I manually find the searched user / computer in the OU where it was created and right-click, I can see all tabs; the problem only occurs when choosing "Right-click domain --> Find".

Example: If I search for my name in the child (problematic) domain, I get results from 5 domains (which I believe means the GC search is working on the child domain DC), but the strange thing is that none of the default tabs are showing at this time, yet if I drill down to the correct OU path and right-click my account name, I can see all tabs.

There are no issues in the other 4 domains, and "Entire Directory" Finds on those DCs show all required tabs.

I first thought that it might be some inconsistency with a DLL (Windows\system32) file on the problem DC, but the issue seems to appear on other DCs in the same domain frequently and sometimes resolves on its own. So, the issue being intermittent, I don't think this is something related to DLL files.

All DCs are Windows Server 2008 R2, and repadmin /showreps shows no errors and recent replication completed successfully.

I did repadmin /rebuildgc as well, but no luck.

I am really confused about what and where to check further, since I am not sure what is causing the issue (any directory partition issues?), and at the same time I wonder how the problem DC manages to get object details (my name) from the other 4 domains.

Please note: I don't have issues creating / deleting AD objects on all DCs in the problematic domain.

I will be much obliged for your expert view, since this is considered a showstopper in our environment soon.


Rahul

DC to test environment


Hi guys, 

We're planning to set up our testing environment, which will model the production network as closely as possible.

We have set up the network/routers for the testing and it's working OK.

Now the focus is on the domain restore.

Our production contains one domain with two sites: CHINA site and USA site; 

USA site has 2 DC: USDC1, USDC2; 

USDC1 holds the domain naming master and schema master, USDC2 holds the PDC, RID and IM;

China site has 1 DC: CNDC1;

All DCs are GC;

We use Windows Server Backup to back up each DC every day, including system state and C:;

Now here it goes:

Do you have any suggestions on how to set up the DCs accordingly in the testing network?

We're planning to use Windows Complete PC Restore to restore the DC backups to the testing machines: USDC2 will be using a physical server, USDC1 and CNDC1 will be VMs; will this work?

Which DC do I need to restore first? Any other considerations?


Weicong888

Setting up NTLM v2 in Windows Server 2003


I really don't have any experience with NTLM or AD; however, I am setting up a VM with Active Directory and NTLM for my personal use/development stuff. I got Active Directory set up and the DNS relatively easily. In the process I set up my domain which, since it is restricted to that VM only, I set up as myvm.local. I tested AD with an application I'm working with and it finds AD just fine and "sees" the users, OUs, etc.

Now, I also want NTLM so I can implement single sign-on in this application, but I am not sure what I have to do and how I configure it before using it. I did a quick Google search and found this article which basically shows how to enable it. That is fine, but I don't see any "Local Security" on my server. So, I guess I have to set it up before enabling it? What do I have to do? Is it already there? Is there any admin application for this? Any information, articles or ideas would be appreciated.

Thanks!
