Channel: Directory Services forum

Unable to DCPROMO new server into new domain


Hi.

My apologies if this seems like a duplicate question, but I've searched until I am blue in the face and I cannot, for the life of me, find out how to fix this. All servers involved are running Windows 2008R2.

I am attempting to add a new domain into our corporate forest - a new child from the forest root.

Every single time I run dcpromo, I get the same error, as below:

Active Directory Domain Services could not create the object CN=<newdomain>,CN=Partitions,CN=Configuration,DC=<domain>,DC=<tld>.

Check the event log for possible system errors

"The replication operation failed due to a collision of object names."

I have followed several articles trying to find where the duplicate object is - used ADSIEdit and ntdsutil to search for the object, but I can't find it.

DNS in this site was a complete mess, so I suspected it, but as far as I can tell I've found and removed the duplicate objects which could have been causing this problem - to no avail.

Processes I've followed so far include

http://support.microsoft.com/kb/230306

http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

(there may have been a couple of others, but I can't recall them off the top of my head).

I *can* promote this server to DC if I use a different domain name - which means there is something linked to the domain name I want to use - but I can't find it.

Is there anywhere else I can look, or any other suggestion someone can make to resolve this?

Thanks for any input


required field to create user account


How can I create a new field that is required when creating a user account...

If the field has no value then the account cannot be created.

thanks

Server not accessible, but still running fine


Hi all,

We have had this same issue now with two of our Hyper-V host servers. The symptoms are that when RDPing to the machine it asks for credentials, but then throws the error:
Remote Desktop Connection
---------------------------
Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer. Make sure your computer’s clock is set to the correct time, and then try connecting again. If the problem occurs again, contact your network administrator or the owner of the remote computer.
---------------------------
When you try connecting via the Hyper-V manager, you get the error "RPC Server unavailable.  Unable to establish communications between ..."

I can connect all of the other remote tools to it (event viewer, server manager, services) and can see the following:

In the event viewer there are a multitude of errors, I'm guessing all with the same root cause:

GPO

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:

a) Name Resolution failure on the current domain controller.

b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

DCOM

DCOM was unable to communicate with the computer <DPM Backup server> using any of the configured protocols.

NETLOGON - Looks like the worst and maybe root cause?

This computer was not able to set up a secure session with a domain controller in domain D01 due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

I can see that the service "Remote Procedure Call (RPC)" is started. Restarting it makes no difference. The RPC Locator service isn't started, but I don't think this is an issue.

The DNS servers that are configured are the DCs and they are certainly fine for all our other servers and clients. The time is indeed out of sync, but I think this is more because it cannot establish a session with the DCs, which are the NTP servers. All of the guest machines are fine and running perfectly.

Like I said at the start, this has happened to another of our servers, suggesting that this is maybe a wider AD issue.  In the case of the first server, a restart solved the symptoms.  However, this second server is a bit more of a pain to restart and I want to sort out the root cause.

Thanks in advance.

W2K12 Server failing dcdiag with DNS errors and failing replication.


Hello all. We are currently running a Windows Server 2003 ADDC as a virtual machine on a Windows Server 2012 host using Hyper-V. We have recently added a second Windows Server 2012 ADDC also as a Hyper-V VM. I promoted the 2k12 to a DC, transferred all FSMO roles, and tested AD replication. All AD data was replicated fine. However, a DCDIAG (the results of which I have attached to this post) shows a few errors.

First off, it is failing the advertising test. This is more than likely due to a DNS error. Unfortunately, I can not seem to find the error within the DNS to resolve it. 

Secondly, it is failing the KccEvent test; also seeming as a DNS related error.

Thirdly, both SYSVOL and NETLOGON shares were not successfully replicated. This is likely the basis for the other issues. Without these successfully replicated, I can not demote the 2K3 server; which is the goal in the end, to replace the old server with the new. 

I am willing to try just about anything, so any suggestions would be greatly appreciated. As for what I have tried, I have tried a non-authoritative restore using burflags with no success. I CAN ping both DCs from each other, ensuring connectivity. All users can currently log on to the server (due to the fact that the 2K3 server is still running and still holds the SYSVOL and NETLOGON shares).

Once again, any help would be greatly appreciated! Thank you in advance!

DCDIAG Output:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = RETIRED2012

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site\RETIRED2012

      Starting test: Connectivity

         ......................... RETIRED2012 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site\RETIRED2012

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\retired1.RetireFirst.local, when we were trying to reach

         RETIRED2012.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... RETIRED2012 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... RETIRED2012 passed test FrsEvent

      Starting test: DFSREvent

         ......................... RETIRED2012 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... RETIRED2012 passed test SysVolCheck

      Starting test: KccEvent

         An error event occurred.  EventID: 0xC0000827

            Time Generated: 08/09/2013   22:08:34

            Event String:

            Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 


         A warning event occurred.  EventID: 0x80000677

            Time Generated: 08/09/2013   22:10:02

            Event String:

            Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful. 


         An error event occurred.  EventID: 0xC0000466

            Time Generated: 08/09/2013   22:10:06

            Event String:

            Active Directory Domain Services was unable to establish a connection with the global catalog. 


         ......................... RETIRED2012 failed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... RETIRED2012 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... RETIRED2012 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... RETIRED2012 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\RETIRED2012\netlogon)

         [RETIRED2012] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... RETIRED2012 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... RETIRED2012 passed test ObjectsReplicated

      Starting test: Replications

         ......................... RETIRED2012 passed test Replications

      Starting test: RidManager

         ......................... RETIRED2012 passed test RidManager

      Starting test: Services

         ......................... RETIRED2012 passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 08/09/2013   22:06:48

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'RetireFirst.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:06:49

            Event String:

            Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00001696

            Time Generated: 08/09/2013   22:07:44

            Event String:

            Dynamic registration or deregistration of one or more DNS records failed with the following error: 


         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:07:51

            Event String:

            Name resolution for the name retired1.RetireFirst.local timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 08/09/2013   22:08:23

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.RetireFirst.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 08/09/2013   22:08:35

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.RetireFirst.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         An error event occurred.  EventID: 0x0000041E

            Time Generated: 08/09/2013   22:08:45

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x00000423

            Time Generated: 08/09/2013   22:08:53

            Event String:

            The DHCP service failed to see a directory server for authorization.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:10:04

            Event String:

            Name resolution for the name isatap timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:10:08

            Event String:

            Name resolution for the name e45ad288-70ff-4d9e-adf9-3035e459e126._msdcs.RetireFirst.local timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 08/09/2013   22:10:21

            Event String:

            Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0x00000423

            Time Generated: 08/09/2013   22:11:14

            Event String:

            The DHCP service failed to see a directory server for authorization.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 08/09/2013   22:13:45

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         ......................... RETIRED2012 failed test SystemLog

      Starting test: VerifyReferences

         ......................... RETIRED2012 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : RetireFirst

      Starting test: CheckSDRefDom

         ......................... RetireFirst passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... RetireFirst passed test CrossRefValidation

   
   Running enterprise tests on : RetireFirst.local

      Starting test: LocatorCheck

         ......................... RetireFirst.local passed test LocatorCheck

      Starting test: Intersite

         ......................... RetireFirst.local passed test Intersite

AD CS SubCA-Xchg certificate expired


Hello

Can someone please help me with the following question.

I have Microsoft Windows 2003 R2 SP2 and the Enterprise CAs: the Root CA and a Subordinate CA to the Root CA.

I know little about AD CS and PKI in general.

I see certificates in the issued store, all with the following name but different expiry dates.

Let's say my root CA is called "MyDomainCA" and the subordinate CA is called "MyDomainSubCA". As above, I have several certificates I can see in the Issued store in the subordinate CA. These are all called "MyDomainSubCA-Xchg", and all of these certificates have expired. AD CS appears to be working, at least on the service.

Can someone please explain what the above certificate is used for? Is the cert created by the root for the subordinate when it was first initiated?

As stated, the several certs in the store (all with the same name) have expired at varying dates in the past.

Is this important? If so, should I create a new "MyDomainSubCA-Xchg", and if so, how?

Does anyone know of a good video/s about PKI and in particular AD CS, as I learn faster via videos (or a good book on PKI and in particular AD CS)?

Thanks All
JoB333x!

Windows Server 2008 R2 Domain Controller with Windows 7 Professional Clients (DNS problems)


I have a Microsoft Windows Server 2008 R2 Server as a Domain Controller with three Microsoft Windows 7 Professional clients. Two of the clients are laptops, while the other client is a desktop. In order for a Windows 7 Professional client to connect to my domain controller, I have to go under Control Panel, Network and Internet, Network and Sharing Center, Change adapter settings, Wireless Network Connection (laptops) or Local Area Connection (desktop), Internet Protocol Version 4, and for a preferred DNS server I need to enter the DNS of my domain controller, which is 192.168.1.202. The IP address is static and does not change. The problem is that even though my laptops will connect to the Internet just fine within my network, when I try to connect to a different network with my laptops, I can not access the Internet. I am guessing this is happening because the preferred DNS server does not exist on other networks. Is there a way I can still connect to my domain controller on my network without having to manually change my preferred DNS server when I connect to a different network? Any answers or suggestions would be greatly appreciated, as this situation has become very frustrating.

SYSVOL and NETLOGON not replicating to Windows Server 2012 Standard...Looking for suggestions.


Hello all. I will keep this brief. First of all, I have been searching the forums for something that can help and indeed have tried many of the suggestions, but I am always open to new ideas. Here's the issue.

We have 1 Windows Server 2003 AD DC and 1 Windows Server 2012 AD DC running. The goal was to migrate from 2003 to 2012. They are both Virtual Machines run by Hyper-V on a Windows Server 2012 Standard Host. FRS Replication is connected and forced replication comes with no errors, however DCDIAG shows multiple errors. Symptoms include DNS issues, missing SYSVOL and NETLOGON shares (verified with NET SHARE not showing components). The goal here is to completely replicate the 2K3 onto the 2K13 server and then decommission the 2K3. Hopefully someone out there can offer support.

I have tried some things already. These include checking firewalls that could be opposing RPC connections; anti-virus software; trying a non-authoritative restore and replication; and restarting various services including netlogon, dns, frs. I have included the output from DCDIAG and DCDIAG /test:dns. Hopefully this will shed some light on this issue. If there is any other information I can provide, please let me know. Thank you in advance!

                           

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = RETIRED2012

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site\RETIRED2012

      Starting test: Connectivity

         ......................... RETIRED2012 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site\RETIRED2012

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\retired1.RetireFirst.local, when we were trying to reach

         RETIRED2012.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... RETIRED2012 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... RETIRED2012 passed test FrsEvent

      Starting test: DFSREvent

         ......................... RETIRED2012 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... RETIRED2012 passed test SysVolCheck

      Starting test: KccEvent

         ......................... RETIRED2012 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... RETIRED2012 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... RETIRED2012 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... RETIRED2012 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\RETIRED2012\netlogon)

         [RETIRED2012] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... RETIRED2012 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... RETIRED2012 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,RETIRED2012] DsReplicaGetInfo(PENDING_OPS, NULL)

         failed, error 0x2105 "Replication access was denied."

         ......................... RETIRED2012 failed test Replications

      Starting test: RidManager

         ......................... RETIRED2012 passed test RidManager

      Starting test: Services

         ......................... RETIRED2012 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/31/2013   09:39:30

            Event String:

            Driver SHARP MX-2600N FAX required for printer SHARP MX-2600N FAX is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/31/2013   09:39:31

            Event String:

            Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/31/2013   09:39:32

            Event String:

            Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/31/2013   09:39:32

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/31/2013   09:39:33

            Event String:

            Driver HP Color LaserJet 2800 Series PS required for printer HP Color LaserJet 2800 Series PS - IT Office is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/31/2013   09:39:33

            Event String:

            Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

         ......................... RETIRED2012 failed test SystemLog

      Starting test: VerifyReferences

         ......................... RETIRED2012 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : RetireFirst

      Starting test: CheckSDRefDom

         ......................... RetireFirst passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... RetireFirst passed test CrossRefValidation

   
   Running enterprise tests on : RetireFirst.local

      Starting test: LocatorCheck

         ......................... RetireFirst.local passed test LocatorCheck

      Starting test: Intersite

         ......................... RetireFirst.local passed test Intersite

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = RETIRED2012

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site\RETIRED2012

      Starting test: Connectivity

         ......................... RETIRED2012 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site\RETIRED2012

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... RETIRED2012 passed test DNS

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : RetireFirst

   
   Running enterprise tests on : RetireFirst.local

      Starting test: DNS

         Summary of test results for DNS servers used by the above domain

         controllers:

         

            DNS server: 198.32.64.12 (l.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12               
            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235               
            DNS server: 2001:500:2d::d (d.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d               
            DNS server: 2001:500:2f::f (f.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f               
            DNS server: 2001:500:3::42 (l.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42               
            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30               
            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30               
            DNS server: 2001:7fd::1 (k.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1               
            DNS server: 2001:7fe::53 (i.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53               
            DNS server: 2001:dc3::35 (m.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35               
         ......................... RetireFirst.local passed test DNS


Kind Regards,

nslookup returns Query refused


I'm struggling with a “Query refused” in nslookup while trying to list all records using ls –d mydomain.local

Error message I got:

***Can’t list domain mydomain.local:Query refused. The DNS Server refused to transfer zone to your computer. If this is incorrect check the zone transfer security settings for mydomain.local on the DNS server on the address x.x.x.x

I’m trying it from one of my DCs (DNS servers).

I have enabled DNS zone transfer “Only to servers listed on Name servers tab”. Both my DCs (DNS servers) are listed on the Name servers tab.

When I change DNS zone transfer to “To any server” it works fine, but I’m wondering why it doesn’t work with zone transfer set to “Only to servers listed on Name servers tab”.

What am I missing?


Migrate a Windows Server 2000 to 2012


I have a very small domain (25 users) with the server being used as the DC and some very limited (36 Gb) file sharing, including a QuickBooks Db. I'm going to replace this with a new server running 2012 standard. Is there any 3rd party software out there to assist with this migration or would I be better off just doing it manually, creating the file shares and users, then joining the computers to the domain on site?

-Jim


Forgot Administrator Password on Windows Server 2008 Domain, How to Reset?


How do I reset a Windows Server 2008 password when I have forgotten the domain administrator password? Is there any easy and effective way available?

Windows 7 not recognize domain network


Dear All,

I have 2 Windows 2008 R2 DCs set up at the production site with Windows 2003 functional level. However, I found that when a Windows 7 client connects with a static IP, it is not able to recognize the domain network, which causes any domain service, DNS lookup and other services to fail. I have disabled the Windows 7 firewall and IPv6, and added the domain suffix to the DNS.

Please kindly advise what the possible issue could be.

Many Thanks

Best Regards,

Elroy

Getting this error while Repadmin /Syncall "The encryption type requested is not supported by the KDC"


Hi,

I have a single-domain environment with 2008 domain controllers. Now I am planning to add a new Additional Domain Controller running Server 2012. Schema upgrade is done. Current Schema Version is 56 on the FSMO holder running 2008 Standard.

Other details

Forest Functional Level - 2003

Domain Functional Level - 2008

PDC OS - 2008 (No issues)

Old ADC OS - 2008 (No issues)

1 New ADC - 2012 (Issue)

ISSUE: I have promoted a new ADC running the 2012 OS. All partitions were replicated, but after 4-5 days it started giving the following error.

C:\Windows\system32>repadmin /syncall
CALLBACK MESSAGE: The following replication is in progress:
    From: cb90bbbc-3e02-4bed-b72f-e53ae5871517._msdcs.Domain.COM
    To  : 6fb5aaac-711b-4d9c-94f2-ce81cbec970e._msdcs.Domain.COM
CALLBACK MESSAGE: Error issuing replication: -2146892990 (0x80090342):
    The encryption type requested is not supported by the KDC.
    From: cb90bbbc-3e02-4bed-b72f-e53ae5871517._msdcs.Domain.COM
    To  : 6fb5aaac-711b-4d9c-94f2-ce81cbec970e._msdcs.Domain.COM
CALLBACK MESSAGE: The following replication is in progress:
    From: 50a7c316-bb24-449a-a540-f2baba037efe._msdcs.Domain.COM
    To  : 6fb5aaac-711b-4d9c-94f2-ce81cbec970e._msdcs.Domain.COM
CALLBACK MESSAGE: Error issuing replication: -2146892990 (0x80090342):
    The encryption type requested is not supported by the KDC.
    From: 50a7c316-bb24-449a-a540-f2baba037efe._msdcs.Domain.COM
    To  : 6fb5aaac-711b-4d9c-94f2-ce81cbec970e._msdcs.Domain.COM
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: -2146892990 (0x80090342):
    The encryption type requested is not supported by the KDC.
    From: cb90bbbc-3e02-4bed-b72f-e53ae5871517._msdcs.Domain.COM
    To  : 6fb5aaac-711b-4d9c-94f2-ce81cbec970e._msdcs.Domain.COM
Error issuing replication: -2146892990 (0x80090342):
    The encryption type requested is not supported by the KDC.
    From: 50a7c316-bb24-449a-a540-f2baba037efe._msdcs.Domain.COM
    To  : 6fb5aaac-711b-4d9c-94f2-ce81cbec970e._msdcs.Domain.COM

But there is no issue with my other Additional domain controller which is running on 2008.

Unable to set hidden home folder path


Hi guys,

Maybe someone can help with the following problem we have. Right now we are still using some 2003 servers for user account administration. Now we have set up a new 2008R2 server for the administration team and have the following issue.

Our user home folders are located on a hidden share. E.g.: \\server1\userhomes$\username

The home folder path within the AD account is set to: \\server1\username

If the admin team is moving any home folder for any reason, they have to adapt the home folder path within the AD account to e.g.: \\server2\username

On Server 2003 you will get an error message that the path could not be found, but the new home folder path will be taken over from the MMC (there is just an OK button). If you do the same procedure on the new 2008 server, you also get the same error message that the path could not be found. But after clicking OK, no changes will be written to the AD object. :(

Which means: on 2008 I'm unable to set a hidden home folder path if I skip the hidden share name (userhomes$) in the home folder path.

Funny, this is still working on Server 2003.

Any ideas? :)

Thanks in advance. Niggoh


*********************** Having is better than needing ***********************



Windows Server 2008 - Smart Card service is down


I'm getting this weird error when trying to work with a SmartCard on an ec2 machine running Windows Server 2008.

I'm using AnywhereUSB to connect my physical smart-card reader to the remote machine. The device itself seems to be recognized fine by the OS, but when I try to access it, I'm getting this error:

General application error (The Smart Card service is down).


The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.


Hi,

I keep getting the below event logged when a DC's DNS services are restarted.

The DNS server was unable to create a resource record for 899494f1-fac0-4405-8bf4-d3d2326d0449._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The server was demoted and promoted and the server received a new GUID but the server is still trying to register the 899494f1-fac0-4405-8bf4-d3d2326d0449._msdcs.domain.local entry. The entry does not exist in the domain.

I used the article below before we demoted the server; however, it did not resolve the problem:

http://technet.microsoft.com/en-us/library/cc735667(v=ws.10).aspx

Does anyone have any ideas?

Thanks

Don


Kind Regards Don


I need to change domain name for the whole network


I'm using Server 2012.

I need to change the domain name, since my local domain name conflicts with our company website and DNS mistakenly pointed to our domain instead of the website.

As a result of this issue, users within the domain network cannot access the company website.

Plus, we have an intranet web portal within the network with the domain name.

I believe that to resolve this problem, we need to change the domain name.

And I have read in some forum that MS doesn't recommend changing the domain name in the Server 2012 version.

Please let me know what would be the best solution for the above issue.

Thanks in advance,

Active Directory Trusts & Firewalls - Authentication Flows

Hello,

I have a complex AD environment involving many domains/forests and firewalls everywhere.

For the sake of this question, let's say I have 20 DCs in one forest and 10 in the other, and have a two-way forest trust between them. All DCs are behind different firewalls, so without rules in place, no single DC can talk to another.

Question - which DCs need to talk to enable the trust to function?

I understand that for authentication it is the client that will talk to the DC/GC in the local forest before being redirected to talk directly to the DC/GC in the foreign forest, before it can access foreign resources - but for this client-to-DC authentication to work, do I only need a single DC (e.g. the PDC-E) in both forests to be able to establish and maintain the trust, or do the DCs the client is talking to for authentication (client-to-DC flows) also need to talk to each other (DC-to-DC) to enable that trust to work for the client?

Appreciate guidance as I can never find anything definitive on this question.

Thanks in advance.

How is write access to system only attributes enforced?


In researching changes to our password policy, I came across the documentation on the pwdLastSet attribute. An admin can only set it to 0 or -1 regardless of the tool you use to edit it (PowerShell, ADSI Edit, etc.). Out of curiosity, I looked at the attributes of the attribute itself and I didn't glean anything useful.

How exactly does the domain service know which attributes to enforce in this fashion and how does it know what the valid values are?


Justin Cervero - MS Enterprise Admin - Appalachian State University

Active Directory reporting


Hi All,

I'm looking for a way to export an Active Directory to CSV that contains a list of all user accounts, and the group memberships each user belongs to.

Can someone please help?

Short Name not being resolved


I am having a problem with some of the machines on my network. I noticed that some machines are not resolving the short-name mapped drives anymore for some reason, and I had to go back and add the FQDN to bypass this issue.

Other machines are still working with no problems though, but I have faced this issue a couple of times now.
