Hi to All,
I am doing remote desktop to a Windows 2016 server. After I successfully log on in the credentials window, my profile takes a while to load.
What troubleshooting do you recommend me to do?
Warm regards MeVs
Hi Experts,
We have the following network topology.
We have a single forest and single domain with multiple sites named NRA, JRN, HO, DC and CHL. All sites have their local domain controller (Windows Server 2012R2).
When I run the command below, I get the error below.
Command :
repadmin /replsummary
Error :
Replication Summary Start Time: 2019-11-26 12:53:10

Beginning data collection for replication summary, this may take awhile:
  ............

Destination DSA     largest delta    fails/total %%   error
 ADC-CO-DOMAIN            04m:44s     0 /  10    0
 CSJRN-ADC                29m:26s     0 /  10    0
 HO-ADC                   04m:14s     0 /  15    0
 HO-DC                    02m:04s     0 /  20    0
 JRN-DC                   57m:23s     0 /  10    0
 NRA-DC                  >60 days    10 /  20   50  (1722) The RPC server is unavailable.

Experienced the following operational errors trying to retrieve replication information:
          58 - NRA-ADC.csaplho.pk
          58 - chl-dc.csaplho.pk
          58 - NRA-DC2.csaplho.pk

Our servers (NRA-ADC, NRA-DC2) are not operational and I will demote them in future; however, NRA-DC is operational but, as mentioned above, we are facing the 1722 RPC network error.
Please guide us on how I can resolve this error.
Hello,
we are currently migrating old 2008R2 DCs to 2019. The old DCs are demoted and new DCs with different names are installed. The new DCs get the IP addresses of the old DCs so that DNS name resolution is not broken.
I noticed that some of the old DCs still have dynamically registered SRV-records in DNS, mainly under "_sites.dc._msdcs.<domain>.<suffix>"
I can find the _ldap and the _Kerberos entries for the new DCs but also for the old DCs. If I attempt to delete the old records I can do so successfully but when I hit F5 the entries ARE BACK IMMEDIATELY. So it seems that the entries are not replicated back from somewhere or recreated by NETLOGON. It seems that they just aren't deleted properly.
We do not have Scavenging turned on for _msdcs. I never had problems deleting these types of entries after demotions in the past. Does anybody have an idea what could be wrong?
Thanks for your help!
HarryNew
Good day,
There are 3 domain controllers - PDC, SGLO-AD02, SZA-AD04. SGLO-AD02 - Performs the functions of the FSMO.
All three domains are in different locations, locations with PDC and SZA-AD04 are connected by VPN tunnels with location SGLO-AD02.
Replication between PDC and SGLO-AD02 works, replication between PDC and SZA-AD04 works.
Replication between SGLO-AD02 and SZA-AD04 works for a while after rebooting SZA-AD04. Sometimes it stops working after 5 minutes, sometimes it fails after a couple of days.
I used PortQuery to find the problem. Judging by the PortQuery reports, all ports and connections between servers work well, except for the LDAP request from SGLO-AD02 to SZA-AD04.
When replication does not work, the command
PortQry.exe -n SGLO-AD02 -e 389 -p tcp
executed on SZA-AD04 produces the necessary data.
But
PortQry.exe -n SZA-AD04 -e 389 -p tcp
executed on SGLO-AD02 simply hangs and does not return anything.
If I restart SZA-AD04, the same command produces the necessary data and everything works for a couple of hours.
When replication between SZA-AD04 and SGLO-AD02 does not work, then all changes are still replicated to the PDC and then to the third domain controller.
Please help me deal with this strange situation.
Hi All,
I hope someone can help.
We are in the middle of a global migration rollout. I noticed through SET a vast majority of users were, and still are having slow connections to the HQ site were logging into Domain Controllers that were in another country, and not local to them.
Upon investigation I found a GPO that sets a policy System/Net Logon/DC Locator DNS Records - Try Next Closest Site. So I guess this issue might come from that setting? I have also checked Sites and services and all the European sites have their Cost set at 100. On the legacy Domain they are all set differently and only HQ has the cost set at 100.
Does anyone know what might be the issue here. I need to get this resolved as a matter of urgency as we cannot have client machines traversing the wan for a connection that is hundreds sometimes thousands of miles away.
Any help would be greatly appreciated.
Regards.
Hi,
We are observing a strange behavior in one of our LAB Forest 1 which has a forest trust with another LAB Forest 2. In the security log of the LAB Forest 1 DC we can see that there are several 4624 (Windows logon) events with logon type 3 (network logon) for the users of Forest 2. We have verified those users in LAB Forest 2 and found that they are not part of any cross-forest group. There is no application access which is provided to them in Forest 1. They are using the VMs which are added to Forest 2.
I am not getting any clue why such events are getting recorded in Forest 1. Is anyone aware of any default logon activity which happens when there is a forest trust, for which the client verifies something in the trusted forest as well?
We need to implement the similar setup in other LABS but due to these events we are stuck, is there any configuration glitch etc.
Hi,
I'm getting this error when trying to promote a Server 2016 Standard server to a DC.
"ADPrep execution failed - System.ComponentModel.Win32Exception (0x80004005): A device attached to the system is not functioning."
The user account is a member of Enterprise Admins, Domain Admins, Schema Admins.
All DCs are online and I am able to login to all of them remotely.
Current schema version is 77.
Remote Registry service is turned on.
Currently 6 DCs in the domain and all are 2012 R2.
Domain and Forest Functional levels are 2012 R2.
Here is the output of the adprep log file:
[2019/11/25:14:32:16.083]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20191125143216\ADPrep.log'
[2019/11/25:14:32:16.083]
Adprep successfully initialized global variables.
[Status/Consequence]
Adprep is continuing.
[2019/11/25:14:32:16.098]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.098]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.098]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=****1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.099]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.099]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.099]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.111]
Adprep discovered the schema FSMO: ****1.****.****.
[2019/11/25:14:32:16.114]
Adprep connected to the schema FSMO: ****1.****.****.
[2019/11/25:14:32:16.114]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.115]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.115]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2019/11/25:14:32:16.115]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=****,DC=****.
[2019/11/25:14:32:16.115]
LDAP API ldap_search_s finished, return code is 0x0
[2019/11/25:14:32:16.115]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.115]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2019/11/25:14:32:16.116]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.116]
LDAP API ldap_search_s finished, return code is 0x0
[2019/11/25:14:32:16.127]
Adprep discovered the schema FSMO: ****1.****.****.
[2019/11/25:14:32:16.129]
Adprep connected to the schema FSMO: ****1.****.****.
[2019/11/25:14:32:16.130]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.130]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.131]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=****1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.131]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.131]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.131]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.132]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.132]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.132]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2019/11/25:14:32:16.132]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=UID,CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.133]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.133]
Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix Q293783 for SFU has been applied.
[2019/11/25:14:32:16.162]
Adprep successfully retrieved data from the Active Directory Domain Controller ****1.****.**** through WMI.
[2019/11/25:14:32:16.165]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.166]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.166]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=****1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.166]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.166]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=****,DC=****.
[2019/11/25:14:32:16.167]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.167]
Adprep is about to upgrade the Active Directory Schema on the Domain Controller ****1.****.****.
[2019/11/25:14:32:16.169]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.169]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/11/25:14:32:16.169]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2019/11/25:14:32:16.169]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=****,DC=****.
[2019/11/25:14:32:16.170]
LDAP API ldap_search_s finished, return code is 0x0
[2019/11/25:14:32:16.170]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2019/11/25:14:32:16.170]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2019/11/25:14:32:16.170]
Current Schema Version is 77
[2019/11/25:14:32:16.170]
Upgrading schema to version 87
[2019/11/25:14:32:16.292]
The command line passed to ldifde is ldifde -i -f "C:\Windows\system32\adprep\sch78.ldf" -s "****1.****.****" -h -j "C:\Windows\debug\adprep\logs\20191125143216" -$ "C:\Windows\system32\adprep\schupgrade.cat"
[2019/11/25:14:32:17.469]
ERROR: Import from file C:\Windows\system32\adprep\sch78.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20191125143216\ldif.err.78.
If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.
[2019/11/25:14:32:18.480]
ERROR: The directory service refused the request for schema upgrade: 81 (Server Down)
If the error code is "Insufficient Rights", make sure you supply a user who is a member of the schema admin group.
[2019/11/25:14:32:18.480]
Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20191125143216 directory for detailed information.
[2019/11/25:14:32:18.481]
Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20191125143216 directory for more information.
Hey
How can I tell if my computers in DC retrieve Environment Variables settings from a GPO?
I can't find it when I run rsop.msc
Thanks
Elad
Hi everybody,
I am curious whether the protected users group works across an AD trust. Suppose we have two domains A and B. A trusts B and users from B sign in to machines of the domain A. Since the Protected Users group is a Global Group, users from B cannot be members of the protected users group in domain A. But they can be member of that group in their own domain B. However, does this have any impact on the logon in domain A? I.e. are the restrictions that the protected users group enforces also in effect if the users from B log on to machines in A?
Best regards
Jan
Before anything, I am fully aware that Windows 2000 is NOT supported and has long been that way.
Notwithstanding, this client presently has a Domain which is still running on it and is being decommissioned.
The 2000 Domain (Domain A) has a Trust Relationship with a Windows 2003 R2 Domain (Domain B). Domain B is in the process of being upgraded to Windows 2012 R2 and presently has a mix of 2003 R2 and 2012 R2 DC's.
Using NETDOM to verify the trust, if the 2012 R2 DC's are switched off, everything reports back as successful and permissions assigned to folders in Domain A with Domain B users and groups are OK.
Once the 2012 DC's are powered back on, NETDOM can no longer verify the trust and gives an error stating 'the trust relationship between the primary domain and the trusted domain failed' and the assigned permissions revert to SID's. Switch 2012 DC's off again and everything starts working again. The 2003 and 2012 DC's get different Domain Controller GPO's via WMI filtering as we want 2012 to get the more stringent Microsoft Baseline settings (We relaxed the ability to use LM and NTLM for legacy application reasons).
Does anyone know why the AD Trust would fail with 2012 DC's present and the permissions would revert to SID's?
Thanks,
Martin
I have a WSUS server and I need to update my client, but the size of my client's hard disk is limited to about 30G.
Does it make a problem when it downloads the update?
And if it will make a problem, can I use one shared folder to download the update to and install it from there? I need a way to install the update without downloading it locally on the client.
Thanks
Hi,
We are using Server 2012 R2. On some of our internal DNS servers [AD integrated] the cached lookups show empty even though those servers respond to DNS queries; for some other DNS servers cached lookups are present. Verified that no script has been put in place to clear the cached lookups.
Thanks,
We are in the process of migrating 15000 computers from one domain to another using the Quest migration tool. Every day we are planning X number of users in remote sites. Based on our email, the user logs off the computer for migration. Our challenge is that post migration, many times users are waiting for our confirmation and do not log on to the computer. We are willing to display a logon screen, before the user presses Ctrl+Alt+Delete, that shows the users that the system has migrated to the new domain and they can log on to the system.
Is this possible using GPO?
Thanks and Regards,
Hariharan
Roy
Hello all,
I'd really appreciate your input if you have OR haven't the same problem in your Active Directory with server 2019.
We recently promoted three freshly installed 2019 servers to become domain controllers, demoted our three old servers and then raised forest/domain from 2012 to 2016 level. During the process we had to change to DFS Replication since 2019 only supports that method.
All is working well as long as all servers are up. The update was done some months ago and we see normal operation as far as we can tell.
But EVERY time we reboot one of the DC:s the replication partners will log errors in DFS Replication event log and trigger our surveillance system to shine like a Christmas tree. This never ever happened with FSR.
We see event id 5002 with error codes such as
Error: 1753 (There are no more endpoints available from the endpoint mapper.)
Error: 1726 (The remote procedure call failed.)
When the server that was rebooted is back up replication is working just fine and when running different diagnoses there are no replication problems.
I opened a support case with Microsoft and after providing a lot of log information and also providing remote access to the tech guy we just got the answer that this is expected behavior and that we should ignore the errors since all is working correctly...
Well it is hard to ignore replication errors since something might actually be wrong.
Google tells me that very few seem to be in the same situation, those with event id 5002 actually have replication problems in most cases.
How about you guys, do you see errors in the DFSR log when a replication partner is rebooted in a controlled manner?
Any suggestion on how to resolve this matter? Microsoft will close the case within a couple of days even though we feel that these errors might not be expected behavior.
Thanks in advance for any input!
/Niklas
Hi,
An active directory account needs the permissions below applying via group policy but they are NOT in the list of permissions under user rights assignment - so HOW do you assign these permissions below via Group Policy?
These are not under user rights assignment:
I'm building a setup with a root forest with child domains. Every child domain will be a separate customer domain. Is it possible that when a user searches for, for example, printers, they only see their own child domain? Now when I click on search for printers in Active Directory I see the whole root domain and all the child domains. I want to hide this so people don't see the names of the other child domains.
Hello Everyone,
We are facing a problem when joining (binding) a Mac machine to our Active Directory domain. In the process of joining, it briefly shows the host name of the PC in AD, but once the joining process fails it disappears from there as well.
The error message is as below.
"Unable to Add server.
Authentication Server failed to complete the requested operation.
(5103)"
Thank YOU!