Channel: Directory Services forum

pull users using AD attribute

Hi Experts

I want to make a dynamic distribution list, but before that I am trying to write a query to pull John's organization: the managers who have direct reports and those without direct reports.

We have the below custom attribute in AD, for example:

For Paul I have customattribute01 as |john|roger|<paul>|
For Tim I have customattribute01 as |john|roger|paul|<tim>|

If I use the below query I am getting the output, but I don't see Tim's name because Tim doesn't have direct reports. Even though Tim doesn't have direct reports I want to pull Tim as well. Experts, guide me on how to modify the below query to include Tim as well.

((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))

# $input is a PowerShell automatic variable, so the filter is kept in a variable of its own
$filter = "((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))"
Get-ADUser -Filter $filter -Properties DisplayName,UserPrincipalName | Select-Object DisplayName,UserPrincipalName | Export-Csv C:\data.csv -NoTypeInformation
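As an added example (not the poster's own code), a version of the query that keeps Tim: the directReports clause is dropped from the filter and the direct-report count is reported per user instead, so managers and non-managers both land in the CSV. It assumes the Exchange custom attribute 1 is the LDAP attribute extensionAttribute1 and that the ActiveDirectory module is available.

```powershell
# Added example, not the original poster's code. Assumes Exchange custom attribute 1 is
# the LDAP attribute extensionAttribute1 (Get-ADUser -Filter needs the LDAP display name).
Import-Module ActiveDirectory

$manager = 'john'   # the root of the reporting chain to pull

# Only the attribute match stays in the filter; the directReports clause was what
# excluded users such as Tim, who has no reports. Single quotes keep the wildcard
# inside the filter string that the cmdlet parses.
$filter = "extensionAttribute1 -like '*$manager*'"

$users = Get-ADUser -Filter $filter -Properties DisplayName, UserPrincipalName, directReports, extensionAttribute1 |
    Select-Object DisplayName,
                  UserPrincipalName,
                  extensionAttribute1,
                  @{ Name = 'DirectReportCount'; Expression = { @($_.directReports).Count } },
                  @{ Name = 'HasDirectReports';  Expression = { @($_.directReports).Count -gt 0 } }

# Managers first, then the people without reports; both groups end up in the file.
$users |
    Sort-Object HasDirectReports -Descending |
    Export-Csv -Path 'C:\data.csv' -NoTypeInformation

# Console sanity check: how many managers and how many non-managers were found.
$users | Group-Object HasDirectReports | Select-Object Name, Count
```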

Our DFS namespace server crashed; how can I add a new namespace server with dfsutil if I can't access the DFS from the console?

Our DFS namespace server crashed and now the DFS is inaccessible from the DFS Management console; it won't let me add a new namespace server. How can I add a new DFS namespace server from DFSUtil or another utility, and what would be the procedure?

Error connecting client to new domain.


I'm new to working with servers and I'm trying to connect a client to a new domain. The name of this domain is, for example, microsoft, and the complete name is microsoft.com.

In my client DNS I changed the first entry to the IP of my server. So when I try to join the client to the domain server only with microsoft, it asks me for my user and my password; I insert all the data and after that get an error that it can't resolve the DNS name, but if I try to connect the client with microsoft.com I get another error: error 0x0000232B RCODE_NAME_ERROR).

It says the DNS does not exist. I don't know if I have to create or configure the DNS from my server. I have read a lot on many pages but I can't solve it. I really appreciate any help!

Additional note: I can't ping microsoft.com, but I can create a new DNS with the name microsoft.com and ping it, but nothing changes with the error.
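An added diagnostic (not from the original post) for the situation described: run on the client, it asks each DNS server the client is configured with for the records a domain join depends on, so a 0x232B (RCODE_NAME_ERROR, "name does not exist") answer shows exactly which record the resolver the client is using cannot supply. It assumes a Windows 8/Server 2012 or later client with the DnsClient module, and uses microsoft.com as the placeholder domain name the post used.

```powershell
# Added example, not from the original post. Run on the client you are trying to join.
# The domain's A record and the _msdcs SRV records are what the DC locator asks for;
# if the client's resolver is not the DC's DNS (or the DC's zone lacks them), the join
# fails with RCODE_NAME_ERROR (0x232B) as in the post.
param([string]$Domain = 'microsoft.com')   # placeholder, as in the post

$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses } |
           Select-Object -ExpandProperty ServerAddresses -Unique
"Client resolvers: $($servers -join ', ')  (a domain member should list only the DC/DNS server)"

$checks = @(
    @{ Type = 'A';   Name = $Domain;                            Why = 'domain name resolves to DC IPs' },
    @{ Type = 'SRV'; Name = "_ldap._tcp.dc._msdcs.$Domain";     Why = 'DC locator (LDAP)' },
    @{ Type = 'SRV'; Name = "_kerberos._tcp.dc._msdcs.$Domain"; Why = 'KDC for the join and logon' },
    @{ Type = 'SRV'; Name = "_ldap._tcp.pdc._msdcs.$Domain";    Why = 'PDC emulator' }
)

foreach ($srv in $servers) {
    "--- asking $srv ---"
    foreach ($c in $checks) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer is the server's own.
            $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $srv -DnsOnly -ErrorAction Stop
            $answer = if ($c.Type -eq 'SRV') {
                ($r | Where-Object Type -eq 'SRV' | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            } else {
                ($r | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
            }
            "OK       {0,-4} {1}  ->  {2}" -f $c.Type, $c.Name, $answer
        } catch {
            # NXDOMAIN from the server surfaces here as "DNS name does not exist".
            "MISSING  {0,-4} {1}  ({2})  {3}" -f $c.Type, $c.Name, $c.Why, $_.Exception.Message
        }
    }
}
```

If the SRV records are missing on the DC's own DNS server, restarting the Netlogon service on the DC re-registers them; if they exist there but the client gets NXDOMAIN, the client is asking a different resolver.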

Esentutl error: unable to find the callback library ntdsai.dll


Hi,

I started

esentutl /p ntds.dit

and get error:

Unable to find the callback library ntdsai.dll

Operation terminated with error -2102 (JET_errCallbackNotResolved, A callback function could not be found)

What am I doing wrong?

Thanks.

Linux server Join Active Directory Domain

I have a requirement to configure Kerberos for my application. The application is hosted on a Linux server, and when I tried to join Active Directory using Linux realmd it asked for the Administrator password. I don't want to use the default Administrator account as it points to the entire directory. If I create a separate administrator account (say TestAdmin) and give it access to only one Linux server, is it possible to join Active Directory?

Help with Understanding Directory Service Access Failure


Hi All,

I am trying to track down what exactly is going on with these failures. I am concerned because these failures are against my Domain Administrator accounts (10 accounts exactly) from multiple users.

EVENT 4662 - Microsoft Windows Security Auditing - AUDIT FAILURE

Subject:

Security ID: Domain\UserAccount1

Account Name: UserAccount1

Account Domain: Domain

Object:

Object Server: DS

Object Type: user

Object Name: CN=Domain Admin1, OU=XXXX, OU=XXX, DC=XXX,

Operation:

Operation Type: Object Access

Accesses: Control Access

Access Mask: 0x100

I see that 0x100 is "Access allowed only after extended rights checks supported by the object are performed. The right to perform an operation controlled by an extended access right."

This same UserAccount1 has 10 entries, all at the same time, against different Domain Administrator accounts. There are a number of users with these same entries against the same 10 domain administrator accounts.

My question is: is UserAccount1 (or any of the other users) trying to gain access to each of the 10 domain admin accounts?

I am certain that the user is not doing this intentionally and that it is possibly some background service. How can I track this down?

Please help.

Regards,

Richard 
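An added example (not part of the original post) of the triage a defender would run on the DC that logged these events: it reads the 4662 audit failures against user objects, resolves the extended-right GUID carried in the event's Properties field to its name, and groups by subject, so each line shows who failed which control access right against how many of the admin objects, and which logon sessions were involved. It assumes the ActiveDirectory module is available and uses the post's redacted DN as a placeholder for the watched accounts.

```powershell
# Added example, not from the original post. Run on the DC that logged the events, with the
# ActiveDirectory module available. 4662 does not name the process, but its SubjectLogonId
# matches the Logon ID of the 4624 that opened the session, which does carry the workstation.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-1)

# Placeholder DNs of the admin accounts under review; replace with the real ones.
$watched = @('CN=Domain Admin1,OU=XXXX,OU=XXX,DC=XXX')

# rightsGuid -> displayName for every controlAccessRight defined in the forest.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$rightName = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties rightsGuid, displayName |
    ForEach-Object { $rightName[$_.rightsGuid.ToLower()] = $_.displayName }

# 0x8010000000000000 is the Audit Failure keyword, so only failed accesses are read.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4662; StartTime = $since; Keywords = 0x8010000000000000
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.ObjectType -ne 'user') { continue }   # the post is about user objects only

    # Properties lists the GUIDs that were checked. GUIDs absent from the rights table are
    # schema class/attribute GUIDs (e.g. the 'user' class), not control access rights.
    $guids  = [regex]::Matches([string]$data.Properties, '[0-9a-fA-F-]{36}') |
              ForEach-Object { $_.Value.ToLower() }
    $rights = @($guids | ForEach-Object { $rightName[$_] } | Where-Object { $_ }) -join ';'

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        LogonId    = $data.SubjectLogonId
        Target     = $data.ObjectName
        AccessMask = $data.AccessMask          # 0x100 = Control Access, as in the post
        Right      = if ($rights) { $rights } else { '(no control access right resolved)' }
        Watched    = $watched -contains $data.ObjectName
    }
}

# Per subject and right: how many failures, against how many distinct objects, and when.
$rows | Group-Object Subject, Right | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        Subject         = $_.Group[0].Subject
        Right           = $_.Group[0].Right
        Failures        = $_.Count
        DistinctTargets = @($_.Group.Target | Sort-Object -Unique).Count
        WatchedTargets  = @($_.Group | Where-Object Watched).Count
        LogonIds        = @($_.Group.LogonId | Sort-Object -Unique) -join ','
        First           = $times[0]
        Last            = $times[-1]
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A subject whose failures all land in the same second across every watched object, with one logon ID, reads like a single enumerating process in that session; the 4624 with that Logon ID on the same DC gives the workstation it came from.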


'Create all child objects' in the security tab of a user? Users have child objects?

I was just going through the various permissions in the security tab of a user in Active Directory. I came across the permission "Create all child objects." I thought users cannot have other objects within them as they are not containers. Then what does this permission mean?

Domain Controller Decommission Error - can't find a GC server


Hello,

We have a Windows Server SBS 2008 DC that we are trying to decommission. It also was our Exchange server (2007), but we migrated to O365. We have a new Server 2012 R2 DC up and running. I've moved the following roles to the 2012 server:

  • ADDS, DNS, DHCP
  • FSMO roles
  • Global Catalog Server

Now when I try to run dcpromo on the SBS server, it gets to the end and fails, saying it can't find a global catalog server. I've checked the firewalls and also made sure the NIC is pointing to the new server for DNS. When I try to uninstall Exchange 2007 from the SBS server, I get the same error message stating it can't find a GC server. Does anyone have any suggestions?

Thanks.




Member of the Event Log Readers group removed by System.


Hello,

I added a new member to the Event Log Readers group, but the account is removed by System and I am unable to find the cause. This only seems to be happening in one of my domains. I have found event ID 4733, which states System, but I am not sure why it's doing this. How do I get a membership to stick in this group?

The Domain Controllers are 2012 R2.

Thanks!


Shawn

Are (computer or user) accounts automatically deleted from Active Directory? Need canonical/authoritative statement.


There are threads here in the forums that include statements that computer accounts are not automatically deleted.

Computer account getting deleted automatically
https://social.technet.microsoft.com/Forums/en-US/fc3549d5-08f9-4201-b491-41a7774e41ca/computer-account-getting-deleted-automatically

Computer Account is getting deleted automatically
https://social.technet.microsoft.com/Forums/windowsserver/en-US/722de974-b4bf-464a-a087-9a7430f29f0c/computer-account-is-getting-deleted-automatically

Given the number of tools and scripts that look for old/stale computer accounts for deletion, this all seems to make sense. Likewise, this would apply to user accounts too. This question does not apply to tombstone objects, which I realize have been 'deleted'.

My question is if there is a canonical/authoritative statement from Microsoft stating that (computer or user) accounts are not auto-deleted, e.g. KB article or product documentation?

Thank you.

Disabled Accounts are not blocked on O365


We have configured AD Connect and synced users successfully with O365.

However, the only problem that remains is that in AD we have some disabled users, and in O365 their Sign-in Status is still Allowed. This should be blocked for such accounts.

How can we resolve this issue?

Windows Server 2016 - Promote Secondary Domain Controller to Primary


Hello,

Recently, I did a complete noob move in my AWS environment. I renamed both the primary and backup domain controllers' computer names. I was doing it without thinking, and of course the DCs went offline, as I didn't think there were steps to follow when renaming DCs. I will never do this again. I was able to use netdom to fix the backup DC, and now the backup DC is back online. Now I would like to clean all of this up. I do not think I can recover the primary DC, so I wanted to promote the secondary DC to primary, then create a new server to be the new backup DC, and then just kill the primary DC. Please help! Thank you!

Can't get the Directory Server Online


Hi,

I was trying to migrate my old Windows Server 2008 32-bit OS to the new OS, Windows Server 2019, but apparently it was not possible.

My Exchange Server 2007 was my copy of my old domain controller, still intact but unable to connect to my newly renamed DC server.

My existing Active Directory server had the roles below.

  1. CA server
  2. Active Directory Domain Services
  3. Network Policy Server
  4. Web Server
  5. File Server
  6. DNS Server

For the migration, below were the steps I did:

  1. Added 2 domain controllers to the existing Active Directory pool for replication and failover (one Windows Server 2012, one Windows Server 2019 to migrate to). During the migration stage I was getting a lot of DNS issues, but I kept persisting and it worked (tried ipconfig /flushdns & ipconfig /registerdns many times; it took a few tries).
  2. Successfully added the 2 domain controllers into the pool and replicated (but the DNS server needed to be manually replicated).
  3. Backed up the CA cert, policies & SYSVOL folder, ran dcpromo.exe on the old server, removed the CA server, then proceeded with the removal of the DC server, then changed the IP address and domain name of the server.

The replication status of the server at that time was unknown. I proceeded with the switchover; initially there were already errors, but I didn't know where to start. I started changing one of the servers back to the old server name & IP address; the second server which was added to the DC pool was demoted, and this is where all hell broke loose. The problems became a nightmare for me.

In my attempt to get the 1st DC server which I replicated, below were the errors found.

C:\Users\pcsb002pg>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = adserver
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         ......................... ADSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Advertising
         Fatal Error:DsGetDcName (ADSERVER2) call failed, error 1722
         The Locator could not find the server.
         ......................... ADSERVER2 failed test Advertising
      Starting test: FrsEvent
         ......................... ADSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         The event log DFS Replication on server ADServer2.pcsb.local could not
         be queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test SysVolCheck
      Starting test: KccEvent
         The event log Directory Service on server ADServer2.pcsb.local could
         not be queried, error 0x721"A security package specific error occurred."
         ......................... ADSERVER2 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADSERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [ADSERVER2]:failed with 64:
         The specified network name is no longer available.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... ADSERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADSERVER2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=ForestDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:03.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=DomainDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:06.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:28:45.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:34:34.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:35:25.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... ADSERVER2 failed test Replications
      Starting test: RidManager
         ......................... ADSERVER2 passed test RidManager
      Starting test: Services
         Could not open Remote ipc to [ADServer2.pcsb.local]: error 0x40"The specified network name is no longer available."
         ......................... ADSERVER2 failed test Services
      Starting test: SystemLog
         The event log System on server ADServer2.pcsb.local could not be
         queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADSERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : pcsb
      Starting test: CheckSDRefDom
         ......................... pcsb passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... pcsb passed test CrossRefValidation

   Running enterprise tests on : pcsb.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1722
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
         A KDC could not be located - All the KDCs are down.
         ......................... pcsb.local failed test LocatorCheck
      Starting test: Intersite
         ......................... pcsb.local passed test Intersite

C:\Users\pcsb002pg>

The above is my dcdiag output.

I also noticed my DNS is quite screwed up.

I'm so stuck and don't know what to do or where to start. My whole office is going to come after me tomorrow.

I have roughly 25 staff in the office, with an Exchange server & some other applications such as the firewall, Lync server & network drives that require Active Directory to connect.

Please help me. 

Active Directory 2008 R2 Migration to Active Directory 2016 or 2019


Dear TechNet Members

In our environment we currently have Windows Server 2008 R2 Active Directory with 3 DCs at Head Office and 2 domain controllers at the DR site. As per Microsoft end of support and end of life, we are planning to upgrade our DCs to Windows Server 2016 or Windows Server 2019.

I need expert advice for the migration, as I have my ROOT DC on a physical IBM Blade.

I have the below concerns:

1. We have the ROOT CA on an additional domain controller.

2. We have many applications which still don't support TLS 1.2.

3. Currently we are using Exchange Server 2013 CU 23 in our environment.

4. We have 1000 plus users inside our organization.

5. Currently we are using SCCM and SCOM 2016.

6. Symantec Enterprise Vault 12.3 & Symantec NetBackup as the backup solution.

7. Some applications are directly connected to the ROOT DC by the ROOT DC DNS name, and that is a point of concern for us.

I need some expert advice prior to the migration so I will not miss any point during the migration, as it is a very critical task for the organization.

Delegation of rights

How do I delegate rights to a user without giving them access to a domain controller? I know the process of creating a group of users, putting them within an OU and delegating rights. But would they still be connected to a DC?

Raise domain functional level without domain FSMO available


Hi Experts

We need to raise the domain functional level from 2003 to 2012 R2, but my domain controller holding the FSMO roles is dead; it crashed.

Is it possible to move the roles to another domain controller server without this server?

I tried to move the roles and I see these warnings:



Thank you so much!!



Ing Carlos Pernia.

No cached kerberos ticket on multiple clients, but not always...


Hi people,


I have various load/speed troubles over my network: not only at my location, but also with SaaS services through the MPLS network, or the other way around via VPN to my location.


I reported it to central IT, who administer the network connections. He showed me the "klist.exe" command as a way to prove Kerberos is working as it should.

It resulted in:

Credentials cache C:\Users\username\krb5cc_username not found.

He pointed to this as the main reason for my problems.

Searching the Internet gave zero information, except that a client having this result probably uses NTLM to authenticate. That could explain (some of) the slow connections.

Config:

  • Servers: Windows 2016 DC, domain functional level 2016
  • Windows 2008R2 fileserver
  • Synology NAS as archive

Client:

  • Windows 7
  • Windows 10

It happens on multiple clients, but a client can have the problem one day while having the normal multiple tickets the next day, without me knowing why...

"klist.exe" on the domain controllers and the servers always results in Kerberos tickets.

On clients without tickets, "kinit.exe" creates a ticket, but no additional ticket is made when I access a new resource on the network.

Does anybody know a way to address this problem?

All the best,

Jan

AD Migration from 2008 with DFL-2003 and FFL-2003 to 2016 server


Team

I have a rather funny scenario where I want to migrate my current AD, running on Server 2008 R2 with Domain Functional Level 2003 and Forest Functional Level 2003, to Windows Server 2016. The problem is that when I try to promote the 2016 server, I get a message that "the server cannot be promoted on a Windows 2000 server forest functional level", which I don't even have on my entire network. Is there a way I can proceed from here?

I have tried to run adprep; no changes... help

Export Users with OU and Description from a Group


Hi,

Is it possible to export users with OU and Description information from an AD group?

Thanks.

Are netlogon files that have not replicated for a long time lost when we demote and promote the Domain Controller?


Hi,

Let's say I have 2 domain controllers in different regions, DC1 (PDC) and DC2. Now DC2's SYSVOL and netlogon have not replicated with DC1 for a long time; the last replication was around 2018. If the system admin actively stored files like scripts under the DC2 netlogon for GPO deployment, I wonder what will happen if we demote and promote DC2 in order to fix the SYSVOL and netlogon replication? Will the files in DC2's netlogon be lost since it did not replicate with DC1?

If yes, that means I have a tough job comparing which files exist in DC1 and DC2.

Thanks

