Channel: Directory Services forum

Active directory group membership not replicated on RODC


Hello,

We have a domain with 2 writable DCs in the head office and one read-only DC in the branch office. We have some logon batch files which map the "network drives" into domain users' profiles. Everything was working fine for a while. Nowadays branch office users can access the network drives but not the shared folders inside them (the shared folders' NTFS permissions are applied by group, not by user account), but if we apply the permissions by user, it works fine.

I believe there are some problems with Active Directory replication which generate this type of authentication problem, but I couldn't find how to resolve it. Your help will be highly appreciated.

For information:

  • RODC is configured as GC
  • On the writable DC, no errors
  • The writable DC is connected to the RODC server via VPN; all traffic is allowed

***Here is the result of the DCDIAG command on the RODC server***

Starting test: DFSREvent
   There are warning or error events within the last 24 hours after the
   SYSVOL has been shared.  Failing SYSVOL replication problems may cause
   Group Policy problems.
   ......................... RODC passed test DFSREvent

Starting test: SystemLog
   A warning event occurred.  EventID: 0x000003F6
      Time Generated: 08/05/2013   5:05:28 p.m.
      Event String:
      Name resolution for the name 20.3.168.192.in-addr.arpa timed out after
      none of the configured DNS servers responded.
   ......................... RODC passed test SystemLog
Starting test: VerifyReferences
   ......................... RODC passed test VerifyReferences

***Here are some logs generated on the RODC server***

-------------------------------------------------------------------------------------------

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 23/07/2013 6:47:09
Event ID: 1224
Task Category: Internal Processing
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: RODC.domaine.local
Description:
The attempt by the local domain controller to automatically update information on one or more computer objects or Server Settings objects failed.

This operation will be retried after the interval.

Interval (minutes):
5

Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.

Internal ID:
32b0980
XML Event
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">1224</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-07-23T04:47:09.392120800Z" />
    <EventRecordID>4303</EventRecordID>
    <Correlation />
    <Execution ProcessID="464" ThreadID="644" />
    <Channel>Directory Service</Channel>
    <Computer>RODC.domaine.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>5</Data>
    <Data>32b0980</Data>
    <Data>1355</Data>
    <Data>The specified domain either does not exist or could not be contacted.</Data>
    <Data></Data>
  </EventData>
</Event>

-----------------------------------------------------------------------------------------------------------------

Log Name: DFS Replication
Source: DFSR
Date: 31/07/2013 9:00:13 p.m.
Event ID: 5014
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: RODC.domaine.local
Description:
The DFS Replication service is stopping communication with partner CAMBRIDGE for replication group Domain System Volume due to an error. The service will retry the connection periodically.

Additional Information:
Error: 9036 (Paused for backup or restore.)
Connection ID: 0EACF62C-C9AE-4618-8A10-F6A3057ACB45
Replication Group ID: BE3F2387-162A-44A2-AF29-A637618C6A3C
XML Event
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="DFSR" />
    <EventID Qualifiers="32768">5014</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-07-31T19:00:13.000000000Z" />
    <EventRecordID>1061</EventRecordID>
    <Channel>DFS Replication</Channel>
    <Computer>RODC.domaine.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0EACF62C-C9AE-4618-8A10-F6A3057ACB45</Data>
    <Data>CAMBRIDGE</Data>
    <Data>Domain System Volume</Data>
    <Data>9036</Data>
    <Data>Paused for backup or restore.</Data>
    <Data>BE3F2387-162A-44A2-AF29-A637618C6A3C</Data>
  </EventData>
</Event>

Thanks in advance for your help!!!
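
The symptom above (share access works by user, fails by group, only for users logging on through the RODC) is what stale group membership in the RODC's replica looks like, because an RODC that has a user's secret cached builds the Kerberos PAC from its own copy of the directory. Here is an added PowerShell example, not part of the original post, that asks a writable DC and the RODC for the same user's effective group SIDs and prints the difference, then shows the RODC's inbound replication status. It assumes the ActiveDirectory module (RSAT); DC1.domaine.local and the user jdoe are placeholders.

```powershell
# Added example, not from the original post. Placeholders: DC1.domaine.local, jdoe.
param(
    [string]$User       = 'jdoe',
    [string]$WritableDC = 'DC1.domaine.local',
    [string]$Rodc       = 'RODC.domaine.local'
)
Import-Module ActiveDirectory

function Get-TokenGroupSids {
    param([string]$Identity, [string]$Server)
    # tokenGroups is a constructed attribute: the queried DC expands nested membership
    # from its OWN replica, so it reflects what that DC would put into a PAC it builds itself.
    $u = Get-ADUser -Identity $Identity -Server $Server -Properties tokenGroups
    @($u.tokenGroups | ForEach-Object { $_.Value } | Sort-Object)
}

function Resolve-Sid {
    param([string]$Sid)
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { '(unresolvable)' }
}

$fromWritable = Get-TokenGroupSids -Identity $User -Server $WritableDC
$fromRodc     = Get-TokenGroupSids -Identity $User -Server $Rodc

$diff = Compare-Object -ReferenceObject $fromWritable -DifferenceObject $fromRodc
if (-not $diff) {
    "OK: $User has the same $($fromWritable.Count) group SIDs on $WritableDC and $Rodc"
} else {
    "MISMATCH for $User between $WritableDC and $Rodc (the RODC serves the stale side to the branch):"
    foreach ($d in $diff) {
        $where = if ($d.SideIndicator -eq '<=') { "only on $WritableDC" } else { "only on $Rodc" }
        '  {0,-45} {1,-40} {2}' -f $d.InputObject, (Resolve-Sid $d.InputObject), $where
    }
}

# Is the RODC receiving changes at all? Inbound replication status per partner and partition
# (repadmin is in-box on every DC and on RSAT).
repadmin /showrepl $Rodc
```

A mismatch only reaches the client if the RODC answered the logon itself, i.e. the user's secret is cached there; `Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC -RevealedAccounts` lists those accounts. If the user is not cached, the RODC forwards the logon to a writable DC and the token comes from there.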



Metadata cleanup in Server 2008 , Child domain Server 2012


Hello,

We have a domain controller on Server 2008. The forest is example.com. We recently added a child domain 'child.example.com' on Server 2012. For some reasons we demoted the Server 2012 DC and were cleaning up the metadata using Active Directory Sites and Services. But when I tried to delete the NTDS Settings object of the demoted server, an error came up like the one below:

How do I troubleshoot this? Please help.

--

Tony
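
The error the post refers to is not on the page, so here is only the check and the supported cleanup path, as an added PowerShell example that is not part of the original post: it lists what still refers to the demoted server in the Configuration partition (its server object, its NTDS Settings, and connection objects on other DCs that point at it), lists the remaining cross-refs, and runs the same metadata cleanup the GUI delete would. The hostname CHILDDC01 and the site name are placeholders; the forest root DN is read from RootDSE.

```powershell
# Added example, not from the original post. Placeholders: CHILDDC01 and the site name.
param(
    [string]$DemotedDc = 'CHILDDC01',                 # hostname of the demoted Server 2012 DC
    [string]$Site      = 'Default-First-Site-Name'    # site that held its server object
)
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext

# 1. Everything in the Configuration partition still tied to the server:
#    - the server object and its "NTDS Settings" child (cn=<name>)
#    - nTDSConnection objects on OTHER DCs whose fromServer points at it
$serverDn  = "CN=$DemotedDc,CN=Servers,CN=$Site,CN=Sites,$configNC"
$ntdsDn    = "CN=NTDS Settings,$serverDn"
Get-ADObject -SearchBase $configNC -LDAPFilter "(|(cn=$DemotedDc)(fromServer=$ntdsDn))" -Properties fromServer |
    Select-Object objectClass, distinguishedName, fromServer |
    Format-Table -AutoSize

# 2. The partitions the forest still knows about. child.example.com keeps its crossRef
#    for as long as the child domain exists, whether or not it still has a DC.
Get-ADObject -SearchBase "CN=Partitions,$configNC" -LDAPFilter '(objectClass=crossRef)' -Properties nCName, dnsRoot |
    Select-Object dnsRoot, nCName |
    Format-Table -AutoSize

# 3. The supported cleanup when deleting NTDS Settings in the GUI fails. Each ntdsutil
#    sub-command is passed as one quoted argument; ntdsutil binds to the local DC.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 4. Re-run step 1: the server object and any connection objects pointing at it should be gone.
Get-ADObject -SearchBase $configNC -LDAPFilter "(|(cn=$DemotedDc)(fromServer=$ntdsDn))"
```

If the demoted machine was the only DC of child.example.com, removing the server is not enough: the child domain itself has to go through the `select operation target` / `remove selected domain` path in `metadata cleanup`, and its DNS delegation and the `DC=child,...` DNS zone records should be checked afterwards.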

Windows Server 2003 DNS for client DHCP

I have a weird problem. I have a client with a small network (fewer than 20 PCs and 1 server). I use DHCP from the server to hand out IP/DNS information. The first DHCP server in the lineup is the local server, which then forwards to the router. Everything works very smoothly except with one PC. He gets the DHCP info, and when you do an ipconfig /all the DNS settings look fine: server first and then router/gateway in case something goes wrong. He is getting the CORRECT IP info from DHCP. However, when I try to join the domain it says no AD server is available. I can ping both the server and the router. The only way I was able to solve this was to go into the NIC settings and leave the IP on DHCP but set the DNS settings manually. After that it worked fine. Anybody have any bright ideas? I don't want to leave this guy's DNS static! Help!

Domain Controller 2012 Multihomed


Hi to all.

I've installed 2 Hyper-v 2012.

Now I want to install 2 domain controllers on the respective Hyper-V hosts.
These DCs must however have 2 network cards with 2 different IPs.
Are there problems with having the DC multihomed on 2012?

Thanks to all for any suggestions.


/Mino

Synchronizing Forests Without Using Trusts


Hi,

My company has multiple Active Directory (AD) forests for security reasons. We can't have trust relationships between the forests, for the same reasons that caused us to divide our AD infrastructure into different forests. However, our employees still need to access each other's resources, e.g. file servers.

How do i enable this?

AS

How to list and remove inactive or disabled computers from Active Directory (2008R2) -> Tool or script available?


Hello forum users,

I have a customer who is looking for a nice and easy way to list and remove inactive or disabled computer accounts from his Active Directory (recently upgraded to 2008 R2).

I have found the following two ways:

 

a)     via DSQUERY commands:

dsquery computer -inactive 16 -limit 0                      ->  list computers being inactive or stale for 16 weeks

dsquery computer -disabled -limit 0                         ->  list disabled computer accounts

dsquery computer -inactive 16 -limit 0 | dsrm -noprompt     ->  list inactive / stale computers for 16 weeks and delete them
dsquery computer -disabled -limit 0 | dsrm -noprompt        ->  list disabled computers and delete them

 

b)     via PowerShell script:

Provided that I have downloaded and installed the Quest AD Cmdlets (which are free to download from "PowerShell Commands (CMDLETs) for Active Directory" by Quest Software), I can run the following commands:

Notice: at first we need to check the pwdLastSet attribute. Computers reset their AD password every 30 days, so if this date is too old (say, 120 or more days ago) this computer might no longer exist.

# set the date to be used as a limit - in this example: 120 days earlier than the current date
$old = (Get-Date).AddDays(-120)

# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }

# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Select-Object Name, ParentContainer, Description, pwdLastSet | Export-Csv c:\temp\outdated.csv

# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -To my.corp/obsolete

# remove the computer records from AD (since this actually deletes the records, it would be preferable to run the command
# with the -WhatIf switch first, as below, and drop -WhatIf only once the list has been checked)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject -WhatIf

Comment#1 -> use -SizeLimit 0 to remove the default 1000 object retrieval limitation

Comment#2 -> select the columns needed in the report with the Select-Object cmdlet.

 

I have also found this script, but I think it refers to user accounts rather than computers (?):

http://blogs.technet.com/b/bahramr/archive/2008/01/25/powershell-script-to-disable-inactive-accounts-in-active-directory.aspx

 

Could you please validate whether the two options above are the only ones available or whether there are alternatives as well? The customer is not interested in non-MS tools (e.g. ADManager Plus, etc).

Any advice or comment will be much appreciated

Thanks in advance for your time and effort

Rgds, Nick.
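
Since the customer wants MS-only tooling, here is the same job done with the in-box ActiveDirectory module that ships with 2008 R2 and RSAT, as an added PowerShell example that is not part of the original post. It differs from the dsquery/Quest versions in two ways a practitioner cares about: it requires both pwdLastSet and lastLogonTimestamp to be stale (a machine with password rotation disabled, common on clustered or imaged hosts, has an old pwdLastSet but a fresh logon), and it disables and parks accounts before anything is deleted, because deleting destroys the SID and every ACL entry that referenced it. The 120-day threshold, the staging OU DN and the CSV path are placeholders.

```powershell
# Added example, not from the original post. Placeholders: $Days, $StagingOU, $Report.
param(
    [int]   $Days      = 120,
    [string]$StagingOU = 'OU=Obsolete Computers,DC=my,DC=corp',
    [string]$Report    = 'C:\temp\stale-computers.csv'
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$Days)

function Get-StaleComputer {
    param([datetime]$Before)
    # PasswordLastSet is the module's DateTime view of pwdLastSet (rotates every 30 days by default).
    # LastLogonDate is the view of lastLogonTimestamp, which replicates but is only refreshed when
    # the stored value is older than msDS-LogonTimeSyncInterval (default 14 days), so it is coarse.
    # Requiring BOTH to be older than $Before avoids flagging hosts that merely stopped rotating.
    Get-ADComputer -Filter { PasswordLastSet -lt $Before -and Enabled -eq $true } `
                   -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Description |
        Where-Object { $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Before }
}

$stale = @(Get-StaleComputer -Before $cutoff)
"$($stale.Count) enabled computer accounts with password AND last logon older than $Days days"

# 1. Report first, so someone who knows the estate can review before anything changes.
$stale | Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate, Description, DistinguishedName |
    Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

# 2. Disable, tag and park rather than delete: a disabled account can be re-enabled intact.
foreach ($c in $stale) {
    Disable-ADAccount -Identity $c.DistinguishedName
    Set-ADComputer    -Identity $c.DistinguishedName `
                      -Description ('Disabled as stale on {0:yyyy-MM-dd}; was: {1}' -f (Get-Date), $c.Description)
    Move-ADObject     -Identity $c.DistinguishedName -TargetPath $StagingOU   # DN changes here, so do this last
}

# 3. Delete what was parked on an earlier run and has not been reclaimed. Keep -WhatIf until the
#    CSV from that run has been signed off; drop it to actually delete.
Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $StagingOU |
    Remove-ADComputer -Confirm:$false -WhatIf
```

`Remove-ADComputer` refuses accounts that have child objects (BitLocker recovery information, printer queues); for those use `Remove-ADObject -Recursive` on the same DN once the report has been reviewed.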

 

Not all Active Directory DNS Servers will resolve a new DNS record


Problem: Not all Active Directory DNS servers will resolve a new DNS record. A new CNAME or A record is added to the DNS of one server and, even after the allotted replication time, the other DNS servers cannot resolve that new record. This seems to be intermittent, as sometimes a new DNS record resolves as expected from all DNS servers. These are new records and are not subject to tombstoning yet.

Environment: Many cross site Domain Controllers using Active Directory Integrated DNS (secure only), mostly 2008 R2 servers with a few 2003 R2 servers, Forest/Domain Function levels at 2003. This is the main forest DNS zone replicating to all DCs in the forest.

Troubleshooting:

At first it was suspected it was a replication issue, but after using ADSIEdit and connecting to dc=forestDNSZones,dc=********,dc=*** a dnsNode instance was found for each problematic DNS record on every domain controller. It just wasn’t getting published to the DNS service. Digging a little deeper, it was found that these new dnsNode instance security permissions only included permissions inherited from the Zone and did not include the “Default Security” permissions of the dnsNode class as defined by the Active Directory schema. 

Workaround:

Opening the Advanced Security settings for the problematic dnsNode instance in ADSIEdit and clicking "Restore defaults", which applies all the schema-defined default security permissions as well as the inherited permissions from the hosting zone, will allow that DNS record to be published to the DNS service. This 'fixes' the issue for that one broken DNS record, but has to be done each time these DNS records do not publish.

Root Cause: Not Found!!

What would cause the schema defined default security permissions to not apply to ‘some’ new dnsNode instances causing those DNS records to not publish to the same servers DNS service?
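
The observation above gives a concrete thing to look for: a dnsNode whose DACL contains no explicit (non-inherited) ACEs at all, when the schema default for the class, and the owner ACE a secure dynamic update stamps on, should have put some there. Here is an added PowerShell example, not part of the original post, that reads the dnsNode class default from the schema, walks every non-tombstoned node created in ForestDnsZones in the last week, and lists the ones with zero explicit ACEs, i.e. the ones that would need "Restore defaults". Only the forest's own DN, read from RootDSE, is assumed.

```powershell
# Added example, not from the original post. Nothing assumed beyond RootDSE.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
$zonesNC = "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"

function Get-DnsNodeDefaultAceCount {
    # defaultSecurityDescriptor on the schema class (SDDL): the ACEs a new dnsNode should
    # carry as explicit entries when the creating DC stamps the class default onto it.
    $cls = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                        -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties defaultSecurityDescriptor
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($cls.defaultSecurityDescriptor)
    $sd.DiscretionaryAcl.Count
}

function Find-DnsNodeWithoutExplicitAces {
    param([string]$Partition, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Tombstoned nodes are skipped: they are not served anyway and look odd by design.
    Get-ADObject -SearchBase $Partition -LDAPFilter '(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))' `
                 -Properties nTSecurityDescriptor, whenCreated |
        Where-Object { $_.whenCreated -ge $since } |
        ForEach-Object {
            $acl      = $_.nTSecurityDescriptor                      # ActiveDirectorySecurity
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            [pscustomobject]@{
                Name         = $_.Name
                Zone         = ($_.DistinguishedName -split ',', 2)[1]
                Created      = $_.whenCreated
                ExplicitAces = $explicit.Count
                Owner        = $acl.Owner
                DN           = $_.DistinguishedName
            }
        } |
        Where-Object { $_.ExplicitAces -eq 0 }
}

$expected = Get-DnsNodeDefaultAceCount
"Schema default for dnsNode carries $expected explicit ACEs; nodes created in the last 7 days with none:"
$broken = @(Find-DnsNodeWithoutExplicitAces -Partition $zonesNC -Days 7)
$broken | Format-Table Name, Zone, Created, Owner -AutoSize

# Scriptable equivalent of "Restore defaults" in ADSI Edit, per node (dsacls is in-box):
# foreach ($n in $broken) { dsacls $n.DN /resetDefaultDACL }
```

Running it against `-Partition "DC=DomainDnsZones,..."` covers domain-scoped zones the same way. Comparing the `Created` timestamps and the `Owner` of the flagged nodes with the DC that wrote them (from `repadmin /showobjmeta`) is the quickest way to see whether a single writer is producing all of them.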

Redundancy in Win 2008 DHCP Server ?


I have a Windows 2008 R2 Active Directory environment with 2 domain controllers, and the PDC is serving as the DHCP server. We have around 300 Win 7 clients. Now I am asked to make another DC a secondary or failover DHCP server for redundancy. I thought to check with you guys, as I heard that you can't create a secondary or failover DHCP server, but you can make another DHCP server a primary and both will serve in parallel to each other on a first-come, first-served basis? I don't want to split the scope, but I want to have 2 DHCP servers in case one crashes.
Anybody have thoughts on this please?


Unable to Load database in ADFS 2.0 After Transfer the Primary role on Secondary Server


I was using two ADFS 2.0 servers (primary and secondary) with WID (Windows Internal Database). The primary ADFS server crashed, so I transferred the primary role to my secondary ADFS server. This server shows that it is the primary server, but the database is not showing.

Sonu Klaynia



Cannot ping and/or lose connectivity to some 2008r2 servers


Hi,

We have a bunch of 2008 R2 servers that on occasion we cannot ping from certain domain PCs (Win7 Professional). DNS on the servers that we can't ping is set as expected and the firewall is off.

One thing we notice is that on some of the PCs from which we cannot ping the problem servers, the return address times out and the hostname is resolved to IPv6.

If we reboot the problematic servers i can eventually ping again (say 10 mins) and the servers that were returning an IPv6 address will now return an IPV4 address and all works.

Some people say to turn off IPV6 on your servers but not MS according to the following article.

http://technet.microsoft.com/en-us/network/cc987595.aspx

Anyone know why this is? As we're losing connectivity to servers, it is a big issue!

Thanks

nltest /sc_query can check the trust relationship ?


There was a domain trust issue.

I heard here that just to check whether a domain trust is valid or not, it needs Domain Admins rights.

I tried nltest /sc_query and it returned the output below. Does it mean the trust is valid even though I am not using Domain Admins?

nltest /sc_query:domainname
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\server name
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
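
`nltest /sc_query` reports on this computer's secure channel to a DC of the named domain (its own machine-account channel), which any authenticated user can query; the trust between two domains is a separate object with its own secret. The added PowerShell example below, not part of the original post, runs both checks side by side so the two answers can be told apart: the secure-channel check via `nltest /sc_verify`, and the trust check by reading the trustedDomain object and verifying the trust secret with `netdom trust /verify`, which does need rights in the trusting domain. The trusted domain name is a placeholder.

```powershell
# Added example, not from the original post. Placeholder: the name of the trusted domain.
param([string]$TrustedDomain = 'partner.example')
Import-Module ActiveDirectory

function Test-SecureChannelTo {
    param([string]$Domain)
    # Same thing nltest /sc_query reports on: the channel from THIS machine account to a DC
    # of $Domain. /sc_verify additionally re-establishes a broken channel, /sc_query does not.
    $out = nltest /sc_verify:$Domain 2>&1
    [pscustomobject]@{
        Check  = 'Secure channel (this host -> DC of target)'
        Target = $Domain
        Ok     = ($LASTEXITCODE -eq 0 -and (($out -join ' ') -match 'NERR_Success'))
        Detail = (($out | Select-String 'Trusted DC Name|Status') -join '; ')
    }
}

function Test-DomainTrust {
    param([string]$Domain)
    # The trust itself: a trustedDomain object under CN=System of the trusting domain.
    # trustDirection 1 = inbound, 2 = outbound, 3 = bidirectional.
    $sysDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
    $t = Get-ADObject -SearchBase $sysDn -LDAPFilter "(&(objectClass=trustedDomain)(name=$Domain))" `
                      -Properties trustDirection, trustType, trustAttributes, whenChanged
    # netdom checks the inter-domain trust secret on both sides (needs admin rights in $env:USERDNSDOMAIN).
    $verify = netdom trust $env:USERDNSDOMAIN /d:$Domain /verify 2>&1
    $detail = if ($t) {
                  'direction={0} type={1} attrs=0x{2:x}; {3}' -f $t.trustDirection, $t.trustType, $t.trustAttributes, ($verify -join ' ')
              } else { 'no trustedDomain object found' }
    [pscustomobject]@{
        Check  = 'Trust object + trust secret'
        Target = $Domain
        Ok     = ($null -ne $t -and $LASTEXITCODE -eq 0)
        Detail = $detail
    }
}

Test-SecureChannelTo -Domain $TrustedDomain
Test-DomainTrust     -Domain $TrustedDomain
```

A green first line with a red second one is the case the post is asking about: the workstation can still reach a DC of the other domain, but the trust secret (or the trust object) is the part that is broken.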

Sysvol Replication not working


I need to rebuild my current DC, so I set up a second DC, but there seems to be an issue with replication. Here are the results of dcdiag run on the new server, SERVER2. This is also a single-label domain at this time. Any help would be appreciated.

Performing initial setup:
   Trying to find home server...
   Home Server = server2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Hanover\SERVER2
      Starting test: Connectivity
         ......................... SERVER2 passed test Connectivity

Doing primary tests

   Testing server: Hanover\SERVER2
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\Server.hanover, when
         we were trying to reach SERVER2.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SERVER2 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVER2 passed test SysVolCheck
      Starting test: KccEvent
         An Warning Event occurred.  EventID: 0x80000B46
            Time Generated: 08/01/2013   22:55:25
            Event String:
            The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest)
 LDAP binds that do not request signing (integrity verification) and LDAP simple
 binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
         ......................... SERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=hanover
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=hanover
         ......................... SERVER2 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SERVER2\netlogon)
         [SERVER2] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... SERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SERVER2 passed test Replications
      Starting test: RidManager
         ......................... SERVER2 passed test RidManager
      Starting test: Services
         ......................... SERVER2 passed test Services
      Starting test: SystemLog
         An Error Event occurred.  EventID: 0x000003FB
            Time Generated: 08/01/2013   22:19:04
            Event String:
            The DHCP service failed to restore the DHCP registry configuration.
The following error occurred:
         An Warning Event occurred.  EventID: 0x00002724
            Time Generated: 08/01/2013   22:19:12
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
 reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An Error Event occurred.  EventID: 0x000003FA
            Time Generated: 08/01/2013   22:20:17
            Event String:
            The DHCP service failed to restore the database. The following error
 occurred:
         An Warning Event occurred.  EventID: 0x00002724
            Time Generated: 08/01/2013   22:20:25
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
 reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An Error Event occurred.  EventID: 0x000003FA
            Time Generated: 08/01/2013   22:21:39
            Event String:
            The DHCP service failed to restore the database. The following error
 occurred:
         An Warning Event occurred.  EventID: 0x00002724
            Time Generated: 08/01/2013   22:21:48
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
 reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An Error Event occurred.  EventID: 0x00000416
            Time Generated: 08/01/2013   22:22:06
            Event String:
            The DHCP/BINL service on the local machine, belonging to the Windows
 Administrative domain hanover, has determined that it is not authorized to star
t.  It has stopped servicing clients.  The following are some possible reasons f
or this:
         An Warning Event occurred.  EventID: 0x00002724
            Time Generated: 08/01/2013   22:25:57
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
 reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An Warning Event occurred.  EventID: 0x825A000C
            Time Generated: 08/01/2013   22:31:49
            Event String:
            Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
 reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
         An Warning Event occurred.  EventID: 0x000727A5
            Time Generated: 08/01/2013   22:53:09
            Event String:
            The WinRM service is not listening for WS-Management requests.
         An Warning Event occurred.  EventID: 0x8000001D
            Time Generated: 08/01/2013   22:55:20
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         An Error Event occurred.  EventID: 0xC0001B72
            Time Generated: 08/01/2013   22:55:57
            Event String:
            The following boot-start or system-start driver(s) failed to load:
         An Warning Event occurred.  EventID: 0x00002724
            Time Generated: 08/01/2013   22:55:57
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
 reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An Warning Event occurred.  EventID: 0xC25A0090
            Time Generated: 08/01/2013   22:56:03
            Event String:
            The time service has stopped advertising as a good time source.
         ......................... SERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : hanover
      Starting test: CheckSDRefDom
         ......................... hanover passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... hanover passed test CrossRefValidation

   Running enterprise tests on : hanover
      Starting test: LocatorCheck
         ......................... hanover passed test LocatorCheck
      Starting test: Intersite
         ......................... hanover passed test Intersite

C:\Users\administrator.HANOVER>
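
Two of the failures above belong together: a DC does not advertise itself (test Advertising) until Netlogon has shared SYSVOL and NETLOGON, and Netlogon only shares them once the replication engine has set SysvolReady to 1 after a first successful sync, so "Unable to connect to the NETLOGON share" and "DsGetDcName returned ... \\Server.hanover" are two views of one condition. Here is an added PowerShell example, not part of the original post, that collects those facts on the new DC in one place: the SysvolReady flag, whether the shares exist, which engine (FRS or DFSR) owns SYSVOL in this domain, and DFSR's own state for the SYSVOL replicated folder. It is meant to be run on SERVER2 itself and needs PowerShell 3 or later; no other names are assumed.

```powershell
# Added example, not from the original post. Run on the DC being checked (PowerShell 3+).
function Get-SysvolState {
    $state = [ordered]@{}

    # Netlogon shares SYSVOL/NETLOGON only when SysvolReady = 1; FRS/DFSR sets it after the first
    # successful sync. 0 (or missing) explains both the NetLogons and Advertising failures.
    $nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    $state.SysvolReady = $nl.SysvolReady

    # Are the shares present? (net share exists on 2008 R2; Get-SmbShare needs 2012+)
    $shares = net share 2>$null
    $state.SysvolShared   = [bool]($shares | Select-String '^SYSVOL\s')
    $state.NetlogonShared = [bool]($shares | Select-String '^NETLOGON\s')

    # Which engine replicates SYSVOL in this domain: Start/Prepared/Redirected = FRS still involved,
    # Eliminated = DFSR only. The dcdiag output above ran BOTH FrsEvent and DFSREvent.
    $state.DfsrMigration = (dfsrmig /getglobalstate 2>&1 | Select-String 'state') -join ' '

    # DFSR's view of the SYSVOL replicated folder.
    # State: 0 Uninitialized, 1 Initialized, 2 Initial Sync, 3 Auto Recovery, 4 Normal, 5 In Error
    $rf = Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
          Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' }
    $state.DfsrSysvolState = if ($rf) { $rf.State } else { 'n/a (SYSVOL on FRS, or DFSR not installed)' }

    # Inbound partners DFSR has connection objects for; an empty list means the KCC has not
    # (yet) given this DC anyone to pull SYSVOL from.
    $state.DfsrInboundPartners = (Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrConnectionInfo -ErrorAction SilentlyContinue |
          Where-Object { $_.Inbound } | ForEach-Object { $_.PartnerName }) -join ', '

    [pscustomobject]$state
}

Get-SysvolState | Format-List
```

If `DfsrMigration` shows the domain is still on FRS, the DFSR fields will be n/a and the equivalent FRS check is `ntfrsutl ds` plus the File Replication Service event log on SERVER2. The NCSecDesc errors about "Replicating Directory Changes In Filtered Set" are a separate item (they come from adprep /rodcprep not having been run) and do not stop SYSVOL from syncing.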

AD LDS attribute value character encoding


I just did a modify/replace operation on the AD LDS attributes cn and sn, and I see some strange values during the update:

LDIF saved with Notepad++ with the ANSI encoding setting
dn: uid=x1234y,ou=people,o=com
changetype: modify
replace: sn
sn: Ruben Arellano Dueñez
-
Base64 value => cn: Ruben Arellano Dueñez
Actual value in AD LDS => cn:: UnViZW4gQXJlbGxhbm8gRHVlw7Fleg==
-------
LDIF saved with Notepad++ with the UTF-8 encoding setting
dn: uid=x1234y,ou=people,o=com
changetype: modify
replace: sn
sn: Ruben Arellano Dueñez
-
Base64 value => sn:: UnViZW4gQXJlbGxhbm8gRHVlw4PCsWV6
Actual value in AD LDS => Ruben Arellano Dueñez

So my concerns are:
1. Which format does AD LDS accept for the value?
2. Is it a problem with some European characters? If so, how can we enable them in AD LDS?
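
The two base64 strings in the post decode to different byte sequences, and that is the whole story: the directory stores UTF-8, and a value with a non-ASCII character such as ñ has to reach it as UTF-8 and, in an LDIF file, be written base64-encoded after a double colon (RFC 2849). Here is an added PowerShell example, not part of the original post, that builds the correct `sn::` line for the value, shows the form you get when UTF-8 bytes are re-read as Windows-1252 and encoded a second time, and decodes both strings from the post to their bytes so each can be matched to one of those two cases. The inputs are the value and the two base64 strings from the post; nothing else is assumed.

```powershell
# Added example, not from the original post. Inputs are the value and base64 strings quoted in the post.
$Intended = 'Ruben Arellano Dueñez'

function ConvertTo-LdifAttribute {
    param([string]$Name, [string]$Value)
    # RFC 2849: a value that is not SAFE (non-ASCII such as ñ, or a leading space, ':' or '<')
    # must be base64 of its UTF-8 encoding, separated from the name by '::'.
    $isSafe = ($Value -match '^[\x20-\x7E]*$') -and ($Value -notmatch '^[ :<]')
    if ($isSafe) { return "${Name}: $Value" }
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
    "${Name}:: $b64"
}

function Get-DoubleEncodedBase64 {
    param([string]$Value)
    # UTF-8 bytes (C3 B1 for ñ) read back as Windows-1252 become "Ã±", then UTF-8-encoded again
    # become C3 83 C2 B1. That is what a UTF-8 file fed to a reader expecting ANSI produces.
    $utf8   = [Text.Encoding]::UTF8.GetBytes($Value)
    $asAnsi = [Text.Encoding]::GetEncoding(1252).GetString($utf8)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($asAnsi))
}

function ConvertFrom-LdifBase64 {
    param([string]$Base64)
    # Decode the way the directory does (UTF-8) and also show the raw bytes.
    $bytes = [Convert]::FromBase64String($Base64)
    [pscustomobject]@{
        Base64 = $Base64
        Hex    = ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Text   = [Text.Encoding]::UTF8.GetString($bytes)
        Bytes  = $bytes.Length
    }
}

'Correct LDIF line:            ' + (ConvertTo-LdifAttribute -Name 'sn' -Value $Intended)
'Double-encoded (wrong) line:  sn:: ' + (Get-DoubleEncodedBase64 -Value $Intended)
''
'UnViZW4gQXJlbGxhbm8gRHVlw7Fleg==', 'UnViZW4gQXJlbGxhbm8gRHVlw4PCsWV6' |
    ForEach-Object { ConvertFrom-LdifBase64 -Base64 $_ } | Format-List
```

The first string from the post decodes to `... 44 75 65 C3 B1 65 7A` (a single UTF-8 ñ, 21 bytes), the second to `... C3 83 C2 B1 ...` (22 bytes, the double-encoded form); the first is what should be in the directory. Writing the value as `sn::` base64 in a plain ASCII LDIF file sidesteps the editor's encoding setting entirely; ldifde's `-u` switch reads the file as Unicode (UTF-16) if you would rather keep literal characters in it.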

Problems adding secondary DC (2008 R2) to an existing 2003 domain.


Hi all,

           

I'm having trouble with the domain functional level when trying to add the 2008 server as a secondary DC. I went through the process of adprep (/forestprep, /rodcprep etc.) on the 2003 DC and changed the functional level from 2000 to 2003. I verified this again by running the ldp.exe tool and all looks good on that end. During the process of adding the DC role to the 2008 server it stops, saying the functional level is still 2000, and of course won't continue. I was unable to find any errors when running dcdiag.

Any help on this would be much appreciated.

authentication process - first tries DC's within the site the request originated from right?


Hello,

I believe this is true but my knowledge on such details comes from long ago and is a bit foggy...

When a user is authenticated in a domain, that process would first try to use a domain controller within the same Active Directory site from which the authentication request originated, correct? ... And if it is a multi-site domain, it would only try a domain controller in another site if it could not contact a domain controller within the same site, correct?

am I remembering correctly here?


Event ID no's for DFSR running win2k8 R2


Hi experts,

Could someone help me get the list of event IDs for DFSR running on Win2k8 R2? This will help me add these event IDs to the monitoring tool.


Regards, Nidhin.CK

expert in AD


Hi all,

Can anyone help me out with which areas one has to cover extensively to become an expert in AD?

Thank you.

"Deny this user permissions to log on to Remote Desktop Session Host server"


Hi,

If we open the properties of an Active Directory user, there is an option named "Deny this user permissions to log on to Remote Desktop Session Host server" under the "Remote Desktop Services Profile" tab.

Does someone know where this option is saved if we check or uncheck it? It is not a user object attribute. I have already dumped the object with ldifde before and after checking this option and there is no difference between the ldifde files.

I also checked the DACL before and after checking this option. There is still no difference.

I would really appreciate your help.

With kind regards,

Cengiz Kuskaya
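
The "Remote Desktop Services Profile" tab is driven by the IADsTSUserEx ADSI interface, whose properties (AllowLogon, TerminalServicesProfilePath, and so on) are packed into the user's userParameters attribute, an opaque string-typed blob that does not show the individual settings as separate attributes. Here is an added PowerShell example, not part of the original post, that reads and sets the checkbox through that interface and fingerprints userParameters before and after the change, so the write can be observed directly rather than by diffing an ldifde dump. The user's DN is a placeholder.

```powershell
# Added example, not from the original post. Placeholder: the user's DN.
param([string]$UserDn = 'CN=Jane Doe,OU=Users,DC=domaine,DC=local')

function Get-RdsAllowLogon {
    param([string]$Dn)
    $u = [ADSI]"LDAP://$Dn"
    # IADsTSUserEx property behind the tab; 1 = may log on, 0 = "Deny this user permissions..."
    [int]$u.psbase.InvokeGet('AllowLogon')
}

function Set-RdsAllowLogon {
    param([string]$Dn, [bool]$Allow)
    $u = [ADSI]"LDAP://$Dn"
    $u.psbase.InvokeSet('AllowLogon', [int]$Allow)
    $u.SetInfo()
}

function Get-UserParametersFingerprint {
    param([string]$Dn)
    # userParameters is the blob IADsTSUserEx reads and writes. It is string-typed in the
    # directory; hash its UTF-16 bytes so any change, however small, is visible.
    $u    = [ADSI]"LDAP://$Dn"
    $raw  = [string]$u.psbase.Properties['userParameters'].Value
    $sha  = [Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash([Text.Encoding]::Unicode.GetBytes($raw)) | ForEach-Object { '{0:x2}' -f $_ }) -join ''
    [pscustomobject]@{ Length = $raw.Length; Sha256 = $hash }
}

$before = Get-UserParametersFingerprint -Dn $UserDn
"AllowLogon before: {0}   userParameters: {1} chars, sha256 {2}" -f (Get-RdsAllowLogon -Dn $UserDn), $before.Length, $before.Sha256

Set-RdsAllowLogon -Dn $UserDn -Allow $false      # tick the "Deny this user permissions..." box
$after = Get-UserParametersFingerprint -Dn $UserDn
"AllowLogon after:  {0}   userParameters: {1} chars, sha256 {2}" -f (Get-RdsAllowLogon -Dn $UserDn), $after.Length, $after.Sha256
"userParameters changed: $($before.Sha256 -ne $after.Sha256)"

Set-RdsAllowLogon -Dn $UserDn -Allow $true       # put it back
```

Because the setting is data inside one attribute rather than an ACE, the DACL is expected not to change; auditing it means auditing writes to userParameters (or watching for the matching event from directory service object access auditing), not the security descriptor.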

Windows 8 Pro tablet - Certificate enrollment for user certificates


We have an up-and-running NPS and certificate solution running EAP-TLS for machine and user authentication with PCs.

We recently added several Windows 8 Professional tablets; they are domain joined and have machine certificates enrolled when deployed via SCCM.

But, and we're pretty sure of this, we got user certificate enrollment to work over wireless, with the tablet authenticated as a machine and then switching to the user after the certificate was enrolled.

But on the 2nd try we cannot get this going. I must admit that before the first try I didn't think this should work, considering that the user possibly could not request a certificate before he starts logon, and when logon for the user starts, computer authentication would break...

But then again, I cannot find any hard evidence that this is true, so is there anyone who can positively confirm that with Win 8 wireless logon the switch from computer to user happens BEFORE the user enrolls for a cert?

Audit failure 4776, blank workstation

I have a user who gets locked out occasionally (been a few weeks since the last time).  The bad password attempts show as a time where he was successfully logged into his computer and working.  I looked in the event logs on the DC and see some 4776 Audit failures for this user, with the error code 0xc000006a, which I believe means bad password.  However, the "Source Workstation" field is blank.  How can I track down where these bad attempts are coming from?
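
A blank Source Workstation in 4776 is not a logging bug: the field is whatever the NTLM client put in its AUTHENTICATE message, and non-Windows clients, some services, and NTLM requests passed through from a member server leave it empty. The Kerberos counterpart, 4771, records the caller's IP address on the DC side, so it is the better lead when the client speaks Kerberos. Here is an added PowerShell example, not part of the original post, that pulls both event types for one account from every DC in the domain (any DC can validate the attempt, and bad passwords are additionally forwarded to the PDC emulator), and ends with the Netlogon debug-log step that names the pass-through server for the entries that stay blank. The account name is a placeholder; DCs are discovered.

```powershell
# Added example, not from the original post. Placeholder: the account name.
param(
    [string]$User  = 'jdoe',
    [int]   $Hours = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Pull one named EventData field out of the event's XML rendering.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-BadPasswordSources {
    param([string]$Dc, [string]$Account, [datetime]$StartTime)
    # 4776 = NTLM credential validation. Status 0xc000006a = wrong password.
    # "Workstation" is client-supplied and may be empty (the symptom in the post).
    $ntlm = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account -and (Get-EventField $_ 'Status') -eq '0xc000006a' } |
        ForEach-Object { [pscustomobject]@{ DC = $Dc; Time = $_.TimeCreated; Proto = 'NTLM';     Source = (Get-EventField $_ 'Workstation') } }
    # 4771 = Kerberos pre-authentication failed. Status 0x18 = wrong password.
    # IpAddress is recorded by the DC from the connection, so it cannot be blank or spoofed by the client.
    $krb = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account -and (Get-EventField $_ 'Status') -eq '0x18' } |
        ForEach-Object { [pscustomobject]@{ DC = $Dc; Time = $_.TimeCreated; Proto = 'Kerberos'; Source = (Get-EventField $_ 'IpAddress') } }
    $ntlm; $krb
}

$hits = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-BadPasswordSources -Dc $dc -Account $User -StartTime $since
}
$hits | Sort-Object Time | Format-Table Time, DC, Proto, Source -AutoSize

# For the 4776 rows whose Source is empty: the NTLM request reached the DC by pass-through from a
# member server (file server, Exchange/OWA, RADIUS, a web app). Netlogon debug logging on the DC
# that logged them records that server:
#   nltest /dbflag:0x2080ffff     -> %windir%\debug\netlogon.log, look for
#                                    "SamLogon: Transitive Network logon of DOMAIN\user from <client> (via <server>)"
#   nltest /dbflag:0x0            -> switch it off again
```

Once the attempts are mapped to a member server, that server's own Security log (4625 with its caller IP) is the next hop. When the account actually locks, 4740 on the PDC emulator carries "Caller Computer Name", which for pass-through traffic is again the member server rather than the end client. The timing in the post (attempts while the user is happily logged on) is typical of a saved credential on another device or a service using the old password after a change.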