Channel: Directory Services forum

Demoting a Server 2008 R2 DC to a Member/File Server


I have done a lot of searching on this but cannot find the answer to my question. 

I have a 2008 r2 server that was a 2nd DC at one subnet site.

The server failed quite a bit on DCPROMO originally, which caused a number of issues with LDAP connectivity and replication. No matter what I tried I could not resolve the issues.

I tried to gracefully demote the DC using DCPROMO but it would fail as it could not reach the target DC. 

I did a dcpromo /force and removed the DC and then removed the AD DS and DNS roles from the server

I then on a current DC did a ntdsutil metadata cleanup of the demoted DC.

I removed the demoted DC from the site under AD sites and services.

My question is this:

The server is still in use and has file shares (user profiles) on it.

Do I need to do anything else?

Remove CNAME DNS entries or any other type of steps to make sure this is seen as just a file server?

It was never a primary dns (just backup) so nothing pointed to it directly for dns.

Thanks



Cannot remote manage a workstation from ADUC link


If I open Computer Management and then connect to another computer on my network, I can manage it remotely. However, if I right-click on the computer in ADUC and select Manage, I get this error:

Computer Management: "Computer \\computername.domain.com cannot be managed. The network path was not found. Choose 'Connect to another computer' from the Action menu to manage a different computer."

Any ideas on how I can make this work from within ADUC?



AD FS auditing subsystem could not register itself with the system


Trying to configure ADFS and SSO as per this article on a 2008 R2 server (domain controller) with WSS 3.0:

http://technet.microsoft.com/en-us/library/cc287811(office.12).aspx

I am getting this error when I access SharePoint:

http://technet.microsoft.com/en-us/library/cc734891(v=ws.10).aspx

In local security policy, the items show locks and the button to add users for Generate Security Audits is disabled.

I am using a domain account with admin privileges to run the related services and app pool.
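An added example, not part of the post above: the AD FS auditing subsystem registers with the Security Event Log only if the account running its services holds the "Generate security audits" user right (SeAuditPrivilege). The lock icons in Local Security Policy mean that right is controlled by a GPO; on a domain controller that is the Default Domain Controllers Policy. This script exports the effective user rights on the local server and shows who currently holds the right, so you can see whether the service account is in the list before touching the policy. The scratch path and the service account name are assumptions.

```powershell
# Added example (not from the original post): list who holds SeAuditPrivilege
# on this machine by exporting the effective user-rights assignment with
# secedit and reading the [Privilege Rights] section of the INI it writes.
# Run from an elevated PowerShell prompt on the AD FS server.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'          # assumed scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match '^SeAuditPrivilege\s*=' }
Remove-Item $cfg -Force

function Resolve-SidOrName {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; plain names are left as written.
    if ($Entry -like '*S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }                        # unresolvable SID: show it raw
    }
    return $Entry
}

$serviceAccount = 'CONTOSO\svc-adfs'                     # assumed AD FS service / app pool account

if (-not $line) {
    Write-Output 'SeAuditPrivilege is not assigned to anyone on this machine.'
} else {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-SidOrName $_.Trim() }
    Write-Output 'Generate security audits (SeAuditPrivilege) is held by:'
    $holders | ForEach-Object { Write-Output "  $_" }

    if ($holders -contains $serviceAccount) {
        Write-Output "$serviceAccount holds the right."
    } else {
        Write-Output "$serviceAccount does NOT hold the right. Because the setting is GPO-controlled, add the account in the GPO that sets it (Default Domain Controllers Policy on a DC), then run gpupdate /force and restart the AD FS services."
    }
}
```

Default on a domain controller the right is held only by LOCAL SERVICE and NETWORK SERVICE, which is why a custom domain service account shows up missing here even though it is a local administrator.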

Adding multiple users to groups in Active Directory


Is it possible to select multiple users and add them to a group within Active Directory all at the same time?  When adding users to a group, I've always had to do it one at a time.

Thanks for reading!
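An added example that is not part of the post above: the scripted way to do this with the ActiveDirectory module. Add-ADGroupMember takes an array for -Members, so one call adds the whole list. The script resolves each name first (so a single typo does not fail the batch), skips users who are already direct members (re-adding one is an error), previews with -WhatIf and then applies. Group and user names are assumptions.

```powershell
# Added example (not from the original post): add many users to one group in
# a single Add-ADGroupMember call, after validating names and membership.
Import-Module ActiveDirectory

$group = 'FileShare-Finance-RW'                          # assumed group name
$users = 'hsimpson', 'msimpson', 'bsimpson'              # assumed; or: (Import-Csv .\users.csv).SamAccountName

# Resolve each name first so one bad entry does not abort the whole batch.
$valid = foreach ($u in $users) {
    try   { (Get-ADUser -Identity $u -ErrorAction Stop).SamAccountName }
    catch { Write-Warning "Skipping '$u': $($_.Exception.Message)" }
}

# Skip accounts that are already direct members.
$existing = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
$toAdd    = @($valid | Where-Object { $_ -notin $existing })   # -notin needs PowerShell 3+

if ($toAdd.Count -eq 0) {
    Write-Output "Nothing to add; all listed users are already in $group."
} else {
    # Preview, then apply: -Members takes the whole array in one call.
    Add-ADGroupMember -Identity $group -Members $toAdd -WhatIf
    Add-ADGroupMember -Identity $group -Members $toAdd -Confirm:$false
    Write-Output "Added $($toAdd.Count) user(s) to ${group}: $($toAdd -join ', ')"
}
```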

Account Lockout - Events show calling computer as domain controller


I changed my password today and my account locks out every 30 seconds or so.

I used the Account Lockout Status tool to determine the domain controller locking it out, then used EventComb to search for event ID 4740 on that DC.

It says the calling computer is the DC that locked it out.  I made sure I don't have any mapped drives or services running under my account, and I deleted any stored credentials in the Credential Manager from that DC.

Since it was always pointing at the domain controller as the calling computer, I turned off the primary domain controller and let the two backups take over. I still get locked out and now the calling computer is the second domain controller.

Does anybody know of a way to find what computer is actually sending the credentials that are causing the lockout?  Maybe using the process monitor or something?  For now I've changed my password back to the old one, but I really don't want to keep the same password for security reasons.

I've already made sure my cell phone is off, there are no services running under my account, there are no scheduled tasks running under my account, and no persistent mapped drives.
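An added example, not part of the post above. The "Caller Computer Name" in a 4740 can be the DC that handled and forwarded the failed attempt rather than the host that actually presented the credential. That host is recorded on the DC that first rejected the password: a Kerberos pre-authentication failure (4771, Status 0x18) carries the client IP address, an NTLM failure (4776, Status 0xC000006A) carries the workstation name, and 4625 carries both. This script queries every DC's Security log for one account over the last few hours and prints one row per failure with the source each event recorded. The account name and time window are assumptions; it needs the ActiveDirectory module and rights to read DC Security logs.

```powershell
# Added example (not from the original post): find the host behind repeated
# bad-password attempts by reading 4771/4776/4625 from every DC's Security log.
Import-Module ActiveDirectory

$user  = 'jdoe'                     # assumed account being locked out
$hours = 2                          # assumed look-back window

# Which EventData fields identify the source for each event ID.
$fields = @{
    4771 = @{ Ip = 'IpAddress'; Host = $null;             Status = 'Status'    }
    4776 = @{ Ip = $null;       Host = 'Workstation';     Status = 'Status'    }
    4625 = @{ Ip = 'IpAddress'; Host = 'WorkstationName'; Status = 'SubStatus' }
}

$start = (Get-Date).AddHours(-$hours)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$rows = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = $start }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $user) { continue }

        $f = $fields[[int]$e.Id]
        $source = if ($f.Host -and $data[$f.Host]) { $data[$f.Host] }
                  elseif ($f.Ip -and $data[$f.Ip]) { $data[$f.Ip] -replace '^::ffff:', '' }   # strip IPv4-mapped prefix
                  else { '?' }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            Id     = $e.Id
            Status = $data[$f.Status]
            Source = $source
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
# A DC appearing in Source for 4776 means a process on that DC itself (a
# service, scheduled task or RDP session using the old password) is the sender.
```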

ADPrep execution failed - Error(8224) while running "LDIFDE -o "ObjectGuid" -d


In a network environment with a Windows SBS 2003 domain controller, rather than completely replacing the domain, I am trying to set up a backup domain controller with Windows Server 2012 Standard.

Here's the error I am getting:

"ADPrep execution failed --> System.ComponentModel.Win32Exception (0x80004005): A device attached to the system is not functioning"

Below is the abstract from the ADPrep log file:

Adprep was unable to complete because the call back function failed. 
[Status/Consequence]
Error message: Error(8224) while running "LDIFDE -o "ObjectGuid" -d "CN=printQueue-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=MyDomainName,DC=local" -u -f "C:\Users\EXECUT~1\AppData\Local\Temp\TMP805A.tmp" -s"MyServerName.MyDomainName.local" -h".   (0x80004005).

[User Action]

Check the log file ADPrep.log, in the C:\Windows\debug\adprep\logs\20130419101228 directory for more information.

DSID Info:
DSID: 0x1811132a
winerror = 0x1f
NT BUILD: 9200
NT BUILD: 16384

[2013/04/19:10:20:52.482]
Adprep was unable to update forest information. 

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20130419101228 directory for more information. 

I am scratching my head...Where shall I start with solving this problem?

(Server 2008 R2) Active Directory returns the UID attribute (not the GUID) in Base64 instead of plain text?


Hello,

We have an application that makes use of an Active Directory (server 2008 R2) setup as its own forest and domain. We use it for an LDAP Directory and for DNS Services.

We create AD accounts in AD that have a particular UID value (e.g. uid=CN=\"My, Name\", OU=SOMEWHERE, O=YES, C=CA). NOTE: we're NOT using the AD GUID, rather the LDAP attribute UID.

Our application then executes an LDAP query on AD by filtering on the UID value to retrieve a specific AD account, and all its properties (i.e. the AD account status and group membership).

When the application executes the following LDAP Query, no results are found (I've executed that same query on the AD server itself, using ldifde, and nothing is returned):

- target DN:OU=SUBHERE,DC=XYZ,DC=LOCAL

- search scope: sub

- filter: ( & (objectClass=user) (uid=CN=\"My, Name\", OU=SOMEWHERE, O=YES, C=CA) )

- attributes to return: sAMAccountName,memberOf

ldifde -f testLDAP_loggedinuser.txt -s localhost -v -d "OU=SUBHERE,DC=XYZ,DC=LOCAL" -p SubTree -r "( & (objectClass=user) (uid=CN=\"My, Name\", OU=SOMEWHERE, O=YES, C=CA) )" -l "objectClass,sAMAccountName,memberOf"

> no entries found

And if I retrieve the AD account filtering on the sAMAccountName (instead of the UID), to see what value I have in the UID attribute, I'll get results but the UID will be output in Base64 encoding. I.e. I execute the following ldifde:

ldifde -f testLDAP_filterAccountName.txt -s localhost -v -d "OU=SUBHERE,DC=XYZ,DC=LOCAL" -p SubTree -r "(&(objectClass=user)(samaccountname=my.account))" -l "objectClass,sAMAccountName,uid"

I will then get the output:

dn: CN=My Account,OU=SUBHERE,DC=XYZ,DC=LOCAL
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: my.account
uid:: Q049Ik15LCBOYW1lIiwgT1U9U09NRVdIRVJFLCBPPVlFUywgQz1DQQ==

Could someone share some lights on this?

Is there a configuration settings I'm missing on AD to enable querying on UID attribute?

NOTE: We have set up a 2nd AD (forest/domain) the same way on a different server, for testing purposes. And all is working as expected (the application is retrieving the AD account, and if I execute the above ldifde queries I get a UID in plain text). But this new environment we're in now doesn't behave the same and I can't figure out what is different between them. Any help would be appreciated.

Thanks,

Captain
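An added example, not part of the post above. Two things it shows. First, the double colon in ldifde's `uid::` line means the value is base64-encoded; decoding it shows the stored text exactly, including any trailing space or unusual character that a plain listing would hide. Second, the value in an LDAP search filter has to be escaped per RFC 4515: `*`, `(`, `)`, `\` and NUL become `\2a`, `\28`, `\29`, `\5c` and `\00`, while a double quote needs no escape at all, and a backslash placed before a quote is itself an escape sequence rather than data. The script decodes the value from the post's output, escapes it, and runs the search with System.DirectoryServices. The base DN and the decoded value are taken from the post; everything else is an assumption.

```powershell
# Added example (not from the original post): decode ldifde's base64 output and
# query by uid with a correctly escaped LDAP filter (RFC 4515).

function ConvertFrom-LdifBase64 {
    param([string]$Encoded)
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Encoded))
}

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# The value from the post's ldifde output; brackets expose leading/trailing spaces.
$stored = ConvertFrom-LdifBase64 'Q049Ik15LCBOYW1lIiwgT1U9U09NRVdIRVJFLCBPPVlFUywgQz1DQQ=='
"Stored uid: [$stored]  length=$($stored.Length)"

# Search by uid using the decoded value, escaped for the filter.
$filter   = "(&(objectClass=user)(uid=$(ConvertTo-LdapFilterValue $stored)))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]'LDAP://OU=SUBHERE,DC=XYZ,DC=LOCAL'   # base DN from the post
$searcher.SearchScope = 'Subtree'
$searcher.Filter      = $filter
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'memberOf', 'uid'))

"Filter: $filter"
foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        sAMAccountName = $r.Properties['samaccountname'][0]
        uid            = $r.Properties['uid'][0]
        memberOf       = (@($r.Properties['memberof']) -join '; ')
    }
}
```

Comparing the bracketed decoded value between the working and the failing environment is the quickest way to see whether the two directories really hold the same uid string.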

Exchange 2003 to Exchange 2010 Cross Forest Shared SMTP Migration Mail Flow HELP!


Hi,

We are currently in the process of migrating from Exchange 2003 forest A to an Exchange 2010 forest B. That needs a shared SMTP domain (@test.com) for the co-existence period of the migration. All outside email flows to Exchange 2003, which then relays emails to Exchange 2010 (via SMTP Connector). A two-way forest trust is set up, with DNS conditional forwarding between the two forests. I have set Exchange 2010 as authoritative (for @test.com) and Exchange 2003 as non-authoritative (I have set up a dummy SMTP domain @test.local as the authoritative domain in the email recipient policy, and set @test.com as non-authoritative). And we are using FIM 2010 to sync mail-enabled contacts from the Exchange 2003 forest to the Exchange 2010 forest and vice versa with @test.com as the SMTP address.

Mail flow works for a short period before NDRs get generated. Or inbound email (outside to Exchange 2003) stops working completely. Is there a mail loop occurring or an NDR loop I am not aware of?

(e.g. A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator.<#5.4.6>)

I am also aware that I can change the contact SMTP to use @test.local, but this will be an issue when users reply to an email with internal/external recipients (e.g. bob@test.com replies to an email to jane@test.local and joe@gmail.com; when joe replies, the test.local address will cause an NDR).

Please advise, sorry for the long post, just wanted to be detailed.


Unable to access Netlogon on a Domain Controller


Hi

I have a setup with 2 domain controllers running Windows Server 2012

When accessing \\MyDomain\Netlogon from a workstation

Server1: I can access the share

Server2: I can NOT access the share

If I change the active DFS server in the properties on the share to Server1, I can successfully access the share.

If I access \\MyDomain\Netlogon locally on Server2, I can access the share; when looking at the properties on the share I can only see the local server in the referral list. This is also the case in my other domains, so I think this is by design!

Any input is appreciated


Lars Laursen System Consultant

Windows 2003 Active directory / profile rebuild


Hello,

Long story short, our Active Directory server at work crashed (hard drives) and the backup of AD we had was corrupt. I rebuilt the new server from scratch, including Active Directory with all our users. Everything seems to be working correctly on the Active Directory as I can add new users without any issues. The problem comes in with the 40 existing users we have. I named the AD server the same as the old one. However, when I try to log on with an existing user, using a Windows 7 laptop, the following happens. I get asked to change the password (since I set a default password for everyone). It accepts the changes to the password and then continues the login process. After a couple of seconds I get an error message along the lines of "the trust between workstation and domain does not exist". I have read a couple of articles and found out how to rebuild that trust by logging on as local admin and changing the workgroup, rebooting, etc. After that the computer is seen on the domain and can register with the domain.

The problem is that if I try to log in with an existing username, it creates a new user profile on the machine and does not copy all the data, docs, settings, etc. I found someone had posted to rename the OLD user profile, log in as that same user so it creates a NEW user profile, then simply rename the OLD user profile to the NEW one and re-login. I tried that and it worked on 1 out of three profiles. The other two keep logging me into a temporary profile. I even tried removing, copying, renaming registry keys, but still get a temp profile. I can copy all the files and rebuild the users' settings, but I do not want to have to do that for 40 users. Anyone run into something like this? Any advice? Workaround? Any info/help would be greatly appreciated.

Thanks

Cannot Add User (already exists in recycle bin), Cannot Empty Recycle Bin (ADException)


I'm running powershell modules, as a member of Domain Admins.  I have also tried as the domain administrator account, which is also a member of domain admins, enterprise admins, schema admins.  The powershell itself is indeed running elevated. The results were the same.  I tried locally on my laptop, and also while logged into a DC via RDP.  Same results either way.  All servers are 2012.

While experimenting to figure out powershell commands to create a bunch of users, I created some, and deleted (New-ADUser and Remove-ADUser) and then, when I try New-ADUser again, it says:
New-ADUser : An attempt was made to add an object to the directory with a name that is already in use

I search for it, and it doesn't exist:
Get-ADObject -Identity hsimpson -IncludeDeletedObjects
Get-ADObject : Cannot find an object with identity: 'hsimpson'

I replicated everything everywhere, and repeated.  Same results.

If I browse with ADExplorer, into the "Deleted Objects" container, I see a bunch of things there, and one of them is the deleted user, and its sAMAccountName does indeed match the conflicting name hsimpson.  Unfortunately, ADExplorer doesn't have the ability to delete (when I right-click, the "Delete" option is grayed out.)

So I simply try to empty the AD recycle bin:
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' -IncludeDeletedObjects | Remove-ADObject -IncludeDeletedObjects -Confirm:$false

It finds a whole bunch of objects, attempts to remove them all, and spews error messages about each one.

Remove-ADObject : The requested delete operation could not be performed
At line:1 char:124
+ Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' -IncludeDeletedObjects | Remove-ADObject <<<
<  -IncludeDeletedObjects -Confirm:$false
    + CategoryInfo          : NotSpecified: (DC=@\0ADEL:4beb...nalytics,DC=net:ADObject) [Remove-ADObject], ADException
    + FullyQualifiedErrorId : The requested delete operation could not be performed,Microsoft.ActiveDirectory.Management.Command
   s.RemoveADObject

As I said, tried as Super Admin, locally and on the server.  So I've done everything I can think of, to make sure I have the proper permissions and access.  Can't seem to figure out what's wrong.

dcdiag comes back all clean (everything passed)

The one thing I have some suspicion about is:  Not too long ago, we used the Security Compliance Manager to generate the WS 2012 Domain and Domain Controller Baselines.  For the most part, we accepted whatever MS Baseline suggested.  To test whether or not this is related, I temporarily disabled the GPO that was derived from the Baseline, (did gpupdate /force on the server) and attempted to empty the recycle bin.  Unfortunately, it was the same result.

Domain Trust problems


Hello,

Is it possible to create a trust between the following domains: mydomain-bank.local (Windows 2003) and mydomain.bank (Windows 2008)? I have all DNS configured properly, I can ping between domains, but I am having problems establishing the trust.

outlook drop connection?


I have a mixed domain consisting of Windows 2008 R2 and 2003 DCs. One Exchange 2003 server. This was done recently and ever since then I have a user that sometimes experiences what looks like a dropped connection in Outlook. A pop-up would appear asking for credential authentication. The user workstation is standalone and not logged onto the domain. After that it seems fine. Does anybody know why this sometimes happens?

Finding out who is logged into what computer? To find out where a user logged in?



Hello Friends:

I want to show you how you can find out where your domain users are logging in,
of course I mean the computer account which the user is using to log in:

1- The first way is to use a free command line tool called "PsLoggedOn v1.33". You can download it from here:
    http://technet.microsoft.com/fa-ir/sysinternals/bb897545(en-us).aspx

2- The second way is to use a free and open source third-party application called "Kaboodle":
    http://www.kaboodle.org/index.html

3- The third way is to use a command line tool called "NBTSCAN". You can see a sample trick here:
  
 C:\nbtscan>nbtscan 192.168.0.100-200
 Doing NBT name scan for addresses from 192.168.0.100-200

 IP address       NetBIOS Name     Server    User             MAC address
 ------------------------------------------------------------------------------
 192.168.0.119    SQUASH           <server>  SQUASHMAN        12-34-ba-c0-52-32
 192.168.0.153    BUMBLE-BEE       <server>  BUMBLE-BEE       00-0f-1f-b3-b5-89

 C:\nbtscan>

You can download it from here: http://linux.wareseeker.com/download/nbtscan-1.5.1.rar/334598


Network is my LOVE
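An added example that is not part of the post above: a fourth way, using WMI instead of a third-party scanner, which also catches RDP sessions that the console-user field misses. For each computer it reports the console user (Win32_ComputerSystem.UserName) and every interactive, remote-interactive or cached-interactive session by joining Win32_LoggedOnUser to Win32_LogonSession. It needs local admin rights on the targets and WMI (DCOM) reachable through the firewall; the computer names are assumptions.

```powershell
# Added example (not from the original post): list logged-on users per computer
# via WMI, including RDP sessions, without installing any extra tool.
$computers = 'SQUASH', 'BUMBLE-BEE'                       # assumed target hosts
$typeName  = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

$rows = foreach ($pc in $computers) {
    try {
        $cs = Get-WmiObject Win32_ComputerSystem -ComputerName $pc -ErrorAction Stop
    } catch { Write-Warning "$pc unreachable: $($_.Exception.Message)"; continue }

    # Sessions of the types we care about, and the account<->session links.
    $sessions = Get-WmiObject Win32_LogonSession -ComputerName $pc |
                Where-Object { $typeName.ContainsKey([int]$_.LogonType) }
    $links    = Get-WmiObject Win32_LoggedOnUser -ComputerName $pc

    foreach ($s in $sessions) {
        # Dependent looks like ...Win32_LogonSession.LogonId="999"
        $mine = $links | Where-Object { $_.Dependent -match "LogonId=`"$($s.LogonId)`"" }
        foreach ($l in $mine) {
            # Antecedent looks like ...Win32_Account.Domain="DOM",Name="user"
            if ($l.Antecedent -match 'Domain="(?<d>[^"]+)",Name="(?<n>[^"]+)"') {
                [pscustomobject]@{
                    Computer    = $pc
                    ConsoleUser = $cs.UserName
                    Session     = "$($Matches.d)\$($Matches.n)"
                    Type        = $typeName[[int]$s.LogonType]
                    Since       = $s.ConvertToDateTime($s.StartTime)
                }
            }
        }
    }
}

$rows | Sort-Object Computer, Since | Format-Table -AutoSize
```

Unlike a NetBIOS scan, this asks the operating system rather than the name service, so it still works on networks where NetBIOS over TCP/IP is disabled.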

Domain Logon Errors on Windows 8?

My little sister was trying to download Google SketchUp when she started encountering errors with her administrative logon. It kept telling her that there are currently no logon servers available to service the logon request. Every forum I've looked at has provided me with no answers because all of them have to do with public domains or having a series of linked computers. Hers is just the one laptop, trying to run Windows 8, and having serious issues with it. Her domain, according to the laptop, is Hotmail.com, so needless to say I'm a little baffled here. I can usually solve all the other problems she has with her little Acer, but not this one. Any help or advice you can give would be very much appreciated. Thanks.

Demote and promote DC server 2012


Any guidance or guides? I have installed a second DC that I would like to promote and add as a secondary server.

Is it just a matter of removing the AD roles? I need the GPOs to migrate.

Thanks

User State Migration Tool (USMT) that supports Server 2012?


Is there a User State Migration Tool (USMT) for Server 2012?

We have a mixed 2003/2008/2008R2 domain running a 2003 Forest Functional Level that we'd like to upgrade to Server 2012 OS and FFL.

We'd like to build a test environment and use USMT, but I'm told it only supports 2003 to 2008, not 2003 to 2012.

Comments? Suggestions?

Ed

DNS Server error Event ID 4015 after replacing domain controller with another using same name


After demoting a Server 2008 R2 domain controller, renaming it, and then creating and promoting a new Server 2012 Domain Controller with the same name (DC6) I am seeing this error intermittently on the new DC.

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          4/16/2013 6:58:37 PM
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC6.MyDomain.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

There does not appear to be any actual problem otherwise, however. DNS can be restarted on the new DC without issue or error message. Replication seems to be working everywhere. Repadmin /replsummary results are:

Beginning data collection for replication summary, this may take awhile:
  ...........

Source DSA          largest delta    fails/total %%   error
 DC1                      10m:07s    0 /  20    0
 DC2                      11m:49s    0 /  20    0
 DC3                      10m:08s    0 /  20    0
 DC4                      11m:50s    0 /  20    0
 DC5                      11m:50s    0 /  20    0
 DC6                      10m:08s    0 /   5    0
 DC7                      10m:09s    0 /  20    0
 DC8                      11m:50s    0 /  20    0

Destination DSA     largest delta    fails/total %%   error
 DC1                      09m:13s    0 /  20    0
 DC2                      07m:54s    0 /  15    0
 DC3                      09m:59s    0 /  20    0
 DC4                      08m:48s    0 /  15    0
 DC5                      10m:10s    0 /  20    0
 DC6                      11m:57s    0 /  20    0
 DC7                      10m:03s    0 /  20    0
 DC8                      02m:33s    0 /  15    0

There are two DC’s at each of 4 sites.  The local site replication partner for this DC is DC5 and there are no errors on DC5 although there is an informational event related to the old DC which is logged intermittently:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          4/16/2013 9:28:15 AM
Event ID:      1104
Task Category: Knowledge Consistency Checker
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC5.MyDomain.local
Description:
The Knowledge Consistency Checker (KCC) successfully terminated the following change notifications.

Directory partition:
DC=MyDomain,DC=local

Destination network address:
963562c1-fc7d-41e7-bbf9-4acc2f02b2d5._msdcs.PBJFS.local

Destination directory service (if available):
CN=NTDS Settings\0ADEL:963562c1-fc7d-41e7-bbf9-4acc2f02b2d5,CN=DC6\0ADEL:6753a055-0c0f-42de-819f-e267d9e34601,CN=Servers,CN=MySiteName,CN=Sites,CN=Configuration,DC=MyDomain,DC=local

This event can occur if either this directory service or the destination directory service has been moved to another site.

My understanding is that this can be ignored and will go away. There is no correlation between these events on DC5 and the problematic error logged on DC6 but I mention them just in case.

The final piece of information I will provide is that I have an issue with non-domain joined computers being unable to register in DNS if they get their DHCP address from Server 2008 R2 DC’s. (The DC’s all run DHCP and DNS and DNS is AD integrated.)  Two of my 8 DC’s are Server 2008 R1 including DC5. Non-domain computers that get DHCP from the Server 2008 R1 servers have their addresses registered in DNS just fine. All domain computers get their addresses registered regardless of the operating system of the DHCP server which they connect to and only non-domain computers are affected by that issue. In an attempt to remedy that situation I had recently changed my Dynamic Updates in DNS from ‘Secure Only’ to both ‘Non-Secure and Secure’ but it did not help. 

I would like to rebuild DC5 as a Server 2012 DC here pretty soon, but I want to first see if I can eliminate this DNS error message from DC6. The error is logged irregularly and averages about once every 24 hours, but can sometimes happen twice in a day or not at all for two days. The original DC6 is still in use under another name and it has registered in DNS under the new name already. I also did, in between the demotion and promotion of the replacement DC, make sure the old DC6 had all of its DNS entries removed and that replication had finished amongst all my DCs. The old DC6 computer object under its new name is no longer in the Domain Controllers group and the new DC6 computer object is, just as expected.

I did try changing the DNS server IP entries for the network configuration on the DC itself but this did not help.  Currently DC6 is setup to use DC5 as primary and itself by IP as secondary (these were originally reversed but changing them has not eliminated the error).  The loopback is listed as the third DNS entry for the network config.
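An added example that is not part of this post or of the first post on this page (the forced demotion followed by ntdsutil metadata cleanup). Both situations leave the same question: what in the directory and in DNS still refers to the old domain controller? This script lists the old server and NTDS Settings objects in the Configuration partition (live or in Deleted Objects), its FRS or DFSR SYSVOL member object, Domain Controllers group membership, and every CNAME, SRV or NS record whose target is the old host name or whose name is the old DSA GUID. The GUID below is the one from the 1104 event above; the host name, and running it on a Server 2012 DC as Domain Admin with the ActiveDirectory and DnsServer modules, are assumptions. It only reports; nothing is deleted.

```powershell
# Added example (not from the original posts): inventory what still references
# a demoted or replaced DC in AD and in AD-integrated DNS.
Import-Module ActiveDirectory, DnsServer

$oldName  = 'DC6'                                        # assumed: host name of the old DC
$oldGuid  = '963562c1-fc7d-41e7-bbf9-4acc2f02b2d5'       # old NTDS Settings objectGUID from the 1104 event
$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext
$zones    = $domain.DNSRoot, "_msdcs.$($domain.DNSRoot)" # _msdcs is usually its own zone

"== Server / NTDS Settings objects for $oldName (Deleted = tombstoned) =="
Get-ADObject -IncludeDeletedObjects -SearchBase $configNC `
    -Filter "Name -like '$oldName*' -or Name -like 'NTDS Settings*'" |
    Where-Object { $_.DistinguishedName -match "CN=$oldName(\\0ADEL|,)" } |
    Select-Object ObjectClass, Deleted, DistinguishedName

"== FRS / DFSR SYSVOL member objects =="
Get-ADObject -SearchBase "CN=System,$($domain.DistinguishedName)" -Filter "Name -eq '$oldName'" |
    Where-Object { $_.ObjectClass -in 'nTFRSMember', 'msDFSR-Member' } |
    Select-Object ObjectClass, DistinguishedName

"== Domain Controllers group membership =="
Get-ADGroupMember -Identity 'Domain Controllers' | Where-Object Name -eq $oldName

"== DNS records whose target is $oldName or whose name is the old DSA GUID =="
foreach ($z in $zones) {
    $recs = Get-DnsServerResourceRecord -ComputerName $env:COMPUTERNAME -ZoneName $z -ErrorAction SilentlyContinue
    foreach ($r in $recs) {
        $target = switch ($r.RecordType) {
            'CNAME' { $r.RecordData.HostNameAlias }
            'SRV'   { $r.RecordData.DomainName }
            'NS'    { $r.RecordData.NameServer }
            default { $null }
        }
        if (($target -and $target -like "$oldName.*") -or $r.HostName -like "$oldGuid*") {
            [pscustomobject]@{ Zone = $z; Name = $r.HostName; Type = $r.RecordType; Target = $target }
        }
    }
}
```

Read the hits before deleting anything: when a replacement DC reuses the old name, the host's SRV records and the live server object are legitimate, and only a CNAME for the old DSA GUID, a tombstoned NTDS Settings object being re-notified, or an FRS member object for a DC that is no longer a DC are stale.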

fix the "scripts" directory within SYSVOL to fix Netlogon share failure


The scripts folder got renamed. Can I just rename it on one machine and let it replicate or is there some special procedure? I can't seem to find anything other than talk about D2s and D4s and restores that don't seem like restores...

I have added a server 2008 R2 domain controller to my domain and when running dcdiag I get an error:

Starting test: NetLogons
   Unable to connect to the NETLOGON share! (\\MYSERVER\netlogon)
   [MYSERVER] An net use or LsaPolicy operation failed with error 67,
   The network name cannot be found..

That error only happens on this machine, but all domain controllers have the following in their system event log:

Source:        NETLOGON
Event ID:      5706
Level:         Error
Description:
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\MYDOMAIN.NAME.COM\SCRIPTS. The following error occurred:
The system cannot find the file specified.

That is because at some point NTFRS renamed the scripts folder to scripts_NTFRS_4aa45cc8. I think if I just change that folder name back everything will be fine. The folder exists on all domain controllers and the files are there. It's just that the Netlogon share is not created. It exists on two domain controllers. I suspect a previous sysadmin just manually shared the folder as Netlogon. I'd rather fix the actual problem.
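An added example, not part of the post above: before renaming anything, see the state on every DC at once. For each domain controller it checks whether a SCRIPTS folder exists under the domain's SYSVOL path, whether an NTFRS-morphed copy (scripts_NTFRS_*) is there, whether NETLOGON is actually shared and which path it points at, and whether Netlogon considers SYSVOL ready (the SysvolReady registry value Netlogon uses before it creates the share). A DC that shows only the morphed folder and no NETLOGON share is the one dcdiag complains about. It assumes admin access to each DC's SYSVOL share, WMI and Remote Registry.

```powershell
# Added example (not from the original post): per-DC SYSVOL scripts folder and
# NETLOGON share status, to see which DCs are affected before fixing the folder.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

$rows = foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    $name       = $dc.HostName
    $sysvolRoot = "\\$name\SYSVOL\$domain"
    $scripts    = Test-Path "$sysvolRoot\scripts"
    $morphed    = Get-ChildItem $sysvolRoot -Directory -Filter 'scripts_NTFRS_*' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Name
    $share      = Get-WmiObject Win32_Share -ComputerName $name -Filter "Name='NETLOGON'" -ErrorAction SilentlyContinue

    # Netlogon creates NETLOGON only once SysvolReady is 1 under its Parameters key.
    $ready = try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
        $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').GetValue('SysvolReady')
    } catch { 'n/a' }

    [pscustomobject]@{
        DC            = $name
        ScriptsDir    = $scripts
        MorphedDirs   = ($morphed -join ',')
        NetlogonShare = if ($share) { $share.Path } else { '(missing)' }
        SysvolReady   = $ready
    }
}

$rows | Format-Table -AutoSize
```

A NETLOGON share whose path is not `...\SYSVOL\sysvol\<domain>\SCRIPTS` is one somebody shared by hand, which matches the suspicion in the post; the table makes those stand out next to the DCs where Netlogon created the share itself.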


ActiveDirectory_DomainService


Hi

I recently installed two new 2008 R2 DCs and removed all 2003 DCs. The main DC is on a physical server that holds the FSMO roles. The other is a Hyper-V VM. I am seeing two warnings in the event logs. One once a day, the other a few times a day. For the first one I have tried and followed the document below which Microsoft gives you under the event warning, but it has not stopped these from appearing. The other one that appears a few times a day is below.

Event ID - 2887, ActiveDirectory_DomainService

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:

(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or

(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection

This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

Summary information on the number of these binds received within the past 24 hours is below.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

Number of simple binds performed without SSL/TLS: 0

Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 12

Event ID - 29, Kerberos-Key-Distribution-Center

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
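An added example, not part of the post above, for the 2887 warning: finding the 12 clients behind "binds performed without signing". Raising the "16 LDAP Interface Events" diagnostics value to 2 makes each DC log event 2889 in the Directory Service log for every unsigned SASL bind and every cleartext simple bind, with the client IP:port, the account it bound as and the binding type. The script sets that value on every DC, collects the 2889 events logged since then, and summarises them per client so the owners can be fixed before signing is enforced. It assumes Domain Admin rights, PowerShell remoting to the DCs, and the English event message text for the regex; set the diagnostics value back to 0 once the list is empty.

```powershell
# Added example (not from the original post): enable LDAP interface event
# logging on all DCs and summarise the 2889 events (unsigned / cleartext binds).
Import-Module ActiveDirectory
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$since = Get-Date

foreach ($dc in $dcs) {
    # Diagnostics levels live under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

# ... let it run for a day, then (or in a second run) collect:
$binds = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = $since }
    foreach ($e in $events) {
        # Assumed English message layout: "Client IP address: ... Identity the client
        # attempted to authenticate as: ... Binding Type: 0|1"
        if ($e.Message -match 'Client IP address:\s*(?<ip>\S+)\s+Identity the client attempted to authenticate as:\s*(?<id>.*?)\s+Binding Type:\s*(?<bt>\d)') {
            [pscustomobject]@{
                DC       = $dc
                Client   = ($Matches.ip -replace ':\d+$', '')             # strip source port
                Identity = $Matches.id
                Type     = switch ($Matches.bt) { '0' { 'SASL without signing' } '1' { 'simple bind, cleartext' } default { $Matches.bt } }
            }
        }
    }
}

$binds | Group-Object Client, Identity, Type | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client, Identity, Type'; e = { $_.Name } } | Format-Table -AutoSize
```

Once every client in the list has been reconfigured (or shown to be an attacker's scanner rather than a legitimate application), setting LDAPServerIntegrity to 2 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, which is what the "Domain controller: LDAP server signing requirements" policy writes, makes the DCs reject the unsigned SASL binds that 2887 is counting.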
