Until now we used a network path for the homedirectory. Now we want use the default local path.
In the Active Directory Console, you can change the Option "Home Folder" from "Connect" (Network Path) to "Local Path" and then the client use the default user path.
Is it possible to set this option with powershell for all users?
greetings from bremen
pascal peters
Noticed some errors in netlogon
05/03 09:36:57 [CRITICAL] NetpDcGetNameIp: Sausage.empire.bob.co.uk: No data returned from DnsQuery.
Which led me to do this
> _ldap._tcp.dc._msdcs.empire.bob.co.uk
Server: reaper.empire.bob.co.uk
Address: 172.16.222.1
_ldap._tcp.dc._msdcs.empire.bob.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = bigflange.empire.bob.co.uk
_ldap._tcp.dc._msdcs.empire.bob.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = caesar.empire.bob.co.uk
_ldap._tcp.dc._msdcs.empire.bob.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = peterpaine.empire.bob.co.uk
_ldap._tcp.dc._msdcs.empire.bob.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = spalding.empire.bob.co.uk
_ldap._tcp.dc._msdcs.empire.bob.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = muffin.empire.bob.co.uk
_ldap._tcp.dc._msdcs.empire.bob.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = sausage.empire.bob.co.uk
_ldap._tcp.dc._msdcs.empire.bob.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = red-lion.empire.bob.co.uk
_ldap._tcp.dc._msdcs.empire.bob.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = reaper.empire.bob.co.uk
bigflange.empire.bob.co.uk internet address = 192.168.100.245
caesar.empire.bob.co.uk internet address = 172.16.222.5
peterpaine.empire.bob.co.uk internet address = 172.16.16.200
spalding.empire.bob.co.uk internet address = 10.0.15.200
Only partial servers providing internet address from this query? Is this normal or do we have a problem?
Thanks
Robbie
New Systems Windows XP machines failed to join new build machine to the domain belonging to a site. The site has a DC.
Getting the error…”Error occured attempting to join the domain XXXX. The system Cannot find the file specified”
During the course of troubleshooting we found that…DCDiag says…
Starting test: RidManager * Available RID Pool for the Domain is 1084604 to 1073741823
* XXX.YYY.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 935104 to 935603
* rIDPreviousAllocationPool is 935104 to 935603
* rIDNextRID: 935247
......................... XXX passed test RidManager
That means -> 935603 – 935104 =499 plus it says Next RID is 935247
But Event log showed…
Event 16642:- The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been
depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.
There is no other event showcasing this DC request for new RID POOL from RID master.
Due to the severity of the situation as event said to reboot the DC. I did and that fixed the issue.
I would like to know, if someone knows what caused this DC Behaviour???
With Credential Roaming enabled, users certificates are stored in AD so that they follow users between Terminal Servers. What is the correct procedure for a user to delete a certificate? When users try to delete a certificate, the next time they log in the deleted certificates reappear. I thought deleted certificates were tombstoned (for 60 days by default) and would have expected them to not be shown during this tombstoning period. Is there an admin utility for inspecting a user's Credential Roaming certificates and manageing them?
Thanks,
Dan Booth
SetSPN -S is failing with an error 0X00000525 - Unable to locate account XXXX
This seems to happen ONLY with accounts longer than 20 Characters - Is there a limitation on Account name length and search with SetSPN that is documented someplace? We are having to rename (trim the names of) a number of accounts to address issues with SetSPN and Kerberos due to these errors
Hello,
I am having a few issues promoting a brand new 2012 Std server to a domain controller. The OS is freshly installed with (almost) nothing else installed or added.
I have installed AD DS from roles and features, and it installed successfully. When I run the deployment configuration I am experiencing two issues. The first, is I get a warning that says "DNS cannot be installed on this domain controller because this domain does not host DNS." There are two other domain controllers, both running AD integrated DNS. After some searching, I found threads where people added the DNS zone afterwards and it worked fine. ALso of note, when I first started the wizard, it said it was not able to install DNS, so I manually added the role. Hence the almost from above.
The second error I am experiencing is more critical. I am getting the error message "Verification of prerequisites for Active Directory preperation failed. The specified user does not have SeSecurityPrivilegeEnabled." It will not let me continue.
The account I am using is my domain account which is a member of Domain, Enterprise and Schema admins. Our domain domain and forest functional level is 2008 R2.
When I searched on this error, it said to ensure the account had Manage Auditing and Security Log privileges. The account is a member of the local admin group which is listed in the local policy. Of note, the policy was defined by a GPO with domain admins (and a service account) added in. While my account still should have had permission, I moved the server to an OU that blocks policy inheritance, ran gpupdate, and restarted. Still no luck. I also created a new user, added to the enterprise and schema admins, and am still experiencing this problem.
I seem to have exhausted all efforts, short of scrapping this server and starting over. I also did not try through PowerShell as I don't think it will produce a different result.
Really stuck on this, any help is much appreciated.
Thanks,
Chris
Hi,
I have one domain controller on 2008 R2 and it holds all the FSMO roles. I am having a few issues and I am struggling to resolve the issue.
So here it goes, below is a list of problems:
1. Cannot open ADUS, Sites & Services, ADSI Edit or Domains and Trust because of error: Naming Information cannot be located. However I can open AD Admin Centre to manage users.
2. Netdom query fsmo reports: specified domain either does not exist.
3. DcDiag reports: ALL GCs are down and server holding PDC is down.
Things I have checked so far:
1. Check DNS to ensure all SRV records are in place for the GC and PDC under msdcs container.
2. NTDS util to check the FSMO roles returns the correct server for each role (itself).
3. IP config has DNS server setup correctly. i.e. Primary DNS is the server itself and Secondary points elsewhere.
4. IPv6 is disabled in the Network Adapter and in the registry.
5. Nslookup of _ldap._tcp.dc._msdcs.domainname returns the correct SRV record.
6. Restart AD Service, DNS service, netlogon service and problem still exists.
7. Windows firewall is turned off so pretty sure its not causing the issue.
8. Anti-virus installed is Forefront Endpoint Protection, doubt this is causing any interference.
Things I haven't done:
1. Delete the _msdcs zone and restart DNS server service.
2. I have read in an article somewhere that a tdi filter driver on 2008 R2 could result in networking issues? How do I check if TDI filter driver is installed or its causing the problem?
The funny thing is on random occasions you can open ADUS and netdom query fsmo reports all the FSMO roles but most of the time there is this problem. I am sort of stuck right now on where to go next with this issue. Any help will be appreciated.
Thanks
I am trying to redirect .ost file to User home drive ( U:) . To do the same I imported admin templated for Outlook 2010 in GPO.
In that we have an option to redirect .OST file so I updated the path as "required and I am able to redirect .OST to users homedrive but it's also creating the same replica of .OST file in user profile as well.
In addition I have enable exchange cache mode using the same admin templates.
So help me to resolve this issue.
Rgds Vinay
Greeting's,
I'm having difficulties deploying Folder Redirection and Offline Files for our users. I've followed this link (http://technet.microsoft.com/en-us/library/jj649074.aspx) but I'm unable to set up folder redirection and offiline files even though I've followed to document word to word (using the suggested names for groups, etc).
I'm not aware of how to diagnose this, i am hoping someone can help me get started. I'm deploying this on windows server 2012 and clients running windows 7 (mix of all editions).
Thanking you in anticipation,
Parth D. Maniar
Here is my environment:
- 4 domain controllers in one site. Two are Windows 2003 and two are new 2008 R2 servers.
- Several other sites, each with one DC in them for regional purposes.
Here's what happened:
- We had an issue with our SAN that caused us some issue. Someone rolled back the snapshots for two of the domain controllers (the Windows 2003 ones) to their state several hours before the outage. This caused some AD replication issues that I have since resolved (using instructions found online for recovering from a USN Rollback).
Here's what's wrong now:
- All went swimmingly yesterday with AD playing nicely, but today I moved the DHCP server from one of the 2003 servers to one of the 2008 R2 severs. I used a laptop to release and renew my address, and successfully got an IP from the new DHCP server.
- Now however, I am having replication problems. My 2003 servers are basicallyDC1 and DC2. The new 2008 servers that will be replacing them areDC-1 and DC-2. The DHCP server was moved fromDC2 to DC-2. When I go into Active Directory Sites and Services, drill down to NTDS Settings forDC-1 and try to replicate to either DC1 or
DC2 I get the following error:
The following error occurred during the attempt to synchronize naming context DomainDnsZones.domain.local from Domain Controller DC2 to DC-1: Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
This operation will not continue.
Looking at the event logs on DC-1 and DC-2, I am getting event 1988 indicating there are lingering objects that have been deleted from the local DCs. It gives me this info:
Source domain controller:
8118aa24-fe90-434e-96b7-1c108b0e4489._msdcs.domain.local
Object:
DC=IT-LAPTOP\0ADEL:818d56c4-56c7-4585-b93c-e9fca0553961,CN=Deleted Objects,DC=DomainDnsZones,DC=domain,DC=local
Object GUID:
818d56c4-56c7-4585-b93c-e9fca0553961
The source domain controller listed is the mscds DNS entry for DC2 (which coincidentally or not is the DC I demoted and promoted back into the fold a couple of days ago). Also, the object mentioned is the laptop I used to get an IP address from the new server (DC-2), which may or may not mean anything. It has never been deleted, however, and has been logged into the domain on and off for weeks.
I've tried following instructions in KBs and forums to use the repadmin command to remove this object. I typed the following on DC-1 and DC-2:
repadmin /removelingeringobjects DC2 a1ef938c-fbfc-461f-a85e-d9276c680b9c dc=domain,dc=local /advisory_mode
RemoveLingeringObjects successful on DC2.
The GUID above is for server DC-1.
If I check the event log on DC2 however, it indicates that no objects were found:
Active Directory has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
a1ef938c-fbfc-461f-a85e-d9276c680b9c._msdcs.domain.local
Number of objects examined and verified:
0
I've also tried running the command with the GUID of server DC2 (as it's that and not the Netbios name of the server listed in the original event) with the same results. I'm really not sure what to do in order to get this working. Ultimately DC1 and DC2 are going bye-bye anyway, and I'm not getting the error when I try to replicate to the regional DC's, but I'm worried about replication in the meantime (as currently most servers and workstations are still pointed at DC1 and DC2 for their DNS and other AD related things; DC1 still holding all the FSMO roles).
Any thoughts are appreciated. Thanks in advance.
**EDIT**
Also, replication the other way works fine (drill down to DC1 and select DC-1 or DC-2 to replicate). To further muddy the situation, although I get errors trying to replicate with DC1, I am *not* getting Event 1988 on it. Instead I get Event 1226:
The following object was created on a remote domain controller with an object name that already exists on the local domain controller.
Object:
DC=IT-LAPTOP,DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
Object GUID:
3456863a-d31d-4833-8c94-65db160e06ec
Existing object GUID:
818d56c4-56c7-4585-b93c-e9fca0553961
The object with the following GUID will be renamed since the other object had this name more recently.
Object GUID:
818d56c4-56c7-4585-b93c-e9fca0553961
Renamed object name:
IT-LAPTOP
CNF:818d56c4-56c7-4585-b93c-e9fca0553961
I have a 2008 R2 domain controller. I don't use the windows backup. I have a full image of the server using Appassure backups, so I can restore individual files.
I know I have to boot into Directory Services Restore Mode, but what files do I need to manually restore to the server from my backup to restore the Active Directory database to a previous date?
Do I just copy the contents of the %windir%\NTDS and %windir%\sysvol\sysvol from my backup and overwrite the same folders on the server? Or is there more to it than that? I can only find info on restoring active directory using the system state backup from windows backup.
Hi
I have some trouble with 2 DCs. Both servers are running fully patched versions of Server 2008 R2 (with SP1).
The problem I have is that the contents of the SYSVOL folders are not replicating properly
between the 2.
I have tried to make a 3rd DC to see the result. It is the same problem.
The servers are called DC00, DC01 and DC02.
The DC00 has shared the SYSVOL and NETLOGON.
But the DC01 and DC02 does not show the SYSVOL and NETLOGON.
I need some help to solve this...
Regards
Kim
About 5 weeks ago i built 5 Windwos server 2008 machines using SCCM. They are all added to my 2008 mixed mode domain.
one machien is ahving an issue where it drops connection to the domain. it has happened on two occasions and both times a reboot instantly fixes the issue. As this is now a productions server i would like to know root casue for the issue an how to stop it form happenenign again.
all serversa re patched to the latest level.
When the server drops comm to the domain the follwoing happens;
unable to browse to any networks hares
domain accounts in the local admins groups show as SIDS
GPO processing fails
unable to authenticate to any services the server is running
all WMI queries fail
following events are logged;
Log Name: System
Source: NETLOGON
Date: 01/05/2013 06:59:20
Event ID: 5719
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
This computer was not able to set up a secure session with a domain controller in domain XXXXX due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified
domain.
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 01/05/2013 11:13:03
Event ID: 1053
Task Category: None
Level: Error
Keywords:
User: XX
Computer: XX
Description:
The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
I have done the following troubleshooting while in the dropped comm state;
checked date and time: all ok
check dns look ups. i can ping all domain controllers by name, i can ping external websites
there are no errors in the application log
only errors in system log are the above netlogon one (RPC server service , which is started in services.msc, but unable to bounce as it its greyed out) and GPO related errors
After i bounecd the servers and serviecs resumed, no errors in event log.
at this point i ran some secure channel tests
nltest /scquery:domainname - PASSES
nltest /query - PASSES
netdom verifiy computrname - PASSES
nest time the server drops comm to the domain i will run these tests againa dn post results.
are there any other tests i can run, or any suggestions as to why this happens.
Thanks
I am getting the following error on bootup on a new DC I've promoted and moved all the FSMO roles to, funny thing is I can ping this "failing dns host name" and it resolves correctly to the old DC that is still online and functional. No changes
have been made to the name, ip or anything other than having its FSMO roles moved to the new DC and having it's GC unchecked, and then eventually checked again to make it a GC after I had some problems (detailed later):
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest.
Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Source domain controller:
oldserver
Failing DNS host name:
cf67bfb1-d468-47de-9b4e-b129d36ef406._msdcs.domain.com
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined
in MSKB article 216498.
2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns
dcdiag /test:dns
4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
dcdiag /test:dns
5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449
Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.
I get the above error, then:
All problems preventing updates to the Active Directory Database have been cleared. New updates to the Active Directory database are succeeding. The Net Logon service has restarted.
Then a few minutes later:
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains
the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Schema,CN=Configuration,DC=domain,DC=com
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize
may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command
repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or
a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password
resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their
target object is moved or renamed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
dcdiag completes successfully using the old and new dc as targets, repadmin /showrepl shows all successful, dcdiag /knowsofroleholders states all roles are held by the new DC. Do I need to fix this DNS issue for the schema role to be validated? Is that the root of my problems?
Thanks for any help.
A little backstory:
I have an old 2003 32 bit server with sp2, not sure how much it's patched beyond that. I've installed and promoted a new 2003 r2 x64 server (sp2 and fully patched), transferred all fsmo roles and made it the GC, unchecked GC on the old server, and while the old dc's nic was unplugged (for testing), I wasn't able to resolve names (check name) when adding only new clients (creating a new outlook profile) to exchange 2007, existing clients connected fine and all other network resources seemed to function correctly. I thought exchange wasn't finding the new GC, even after multiple reboots, dcdiag came back clean, etc. I posted in the exchange forum and after some talking they think it's an AD issue. I've since made the old DC a global catalog again to fix the check name issue I was having, but I still need to resolve this and demote the old server.
Hello!
We have an issue with resolving dns name or our domain, lets say, mycompany.com
In the domain there are around 100 sites, geographically spread. The DC\DNS servers are windows server 2003 r2, the clients are windows xp, DNS zones are active directory integrated, Round Robin, Netmask ordering are enabled.
The issue: when I ping mycompany.com from the XP clients the answer is everytime different DC\DNS server ip address. E.g.
H:\>ping mycompany.comH:\>ipconfig /flushdns
H:\>ping mydomain.com
Pinging mycompany.com [2.2.2.2] with 32 bytes of data:
and so on.
1.1.1.1, 2.2.2.2 servers may be quite far from the site of the client with huge latency
If I ping mycompany.com from the servers (W2K3 R2) the answer each time is the ip address of the DNS server which actually provides the answer(the "closest" DC\DNS to the server)
I assume that in the normal circumstances it should be like this:
1) DNS client sending a request to the closest DC\DNS server (the server in the same AD site) to resolve mycompany.com to ip address
2) The DNS server should answer with the ip of itself (and it actully does if I perform request from W2K3 servers)
Could you please advise the reason why DNS servers answer to clients with everytime different ip addresses? And how to fix it?
I am trying to redirect .ost file to User home drive ( U:) . To do the same I imported admin templated for Outlook 2010 in GPO.
In that we have an option to redirect .OST file so I updated the path as "required and I am able to redirect .OST to users homedrive but it's also creating the same replica of .OST file in user profile as well.
In addition I have enable exchange cache mode using the same admin templates.
So help me to resolve this issue.
Rgds Vinay
We have to request that someone manually registers the SRV records for our AD domain. Now we are upgrading to 2008 R2 from 2003 R2 and we will demote the 2 olds ones and bring in 2 new. My question is, is it a problem if we have both the old PDC and the new PDC registered as PDCwith the SRV record in the DNS at some period of time when we migrate the domain? There will be difficult to switch at an exact time. I mean will the clients who look for the PDC just pass on over to the one who is actually the PDC at the time and ignore the false PDC record?
New at this...