Channel: Directory Services forum

Schema changes retained after DC upgrade?


Customer has a small AD, one DC. It's a W2003 R2 x64 OS. AD is at functional level Windows 2003.

They have made some changes to the AD schema for application reasons – 8 new attributes in there.

They want to look at upgrading to get off 2003. They'd rather not do an in-place upgrade, so I propose:

- Leave 2003 DC in place
- Introduce 2008 R2 (or even 2012?) server
- Promote new server to be the DC, seize roles etc.
- Retain/retire 2003 DC

I think as soon as a later version DC is brought in, it changes the schema version forest-wide. But what about schema content? Would they lose their schema changes? How to avoid it? Or can we just re-add them (they are scripted)?

Have to test of course, but in theory do changes like above ‘reset’ the AD schema? Or are the 'old' contents replicated to the new DC?

Many thanks

padraigd


Problems logging in to a Windows 2003 server

Can running out of space on a Windows 2003 Server damage the Active Directory so that some workstations can no longer log in?

SYSVOL and NETLOGON not created/shared on new RODC


Hi,

I'm trying to add an RODC to our domain. The server is 2008 R2. I just did a clean install and installed all windows updates.

The other two writeable DCs are 2008 R2 and 2003. The 2008 R2 server I just added a few weeks ago and works perfectly.

After running dcpromo I ran net share and I can see the sysvol and netlogon folders have not been shared out.

When I run DCDIAG I can see the following error message:

Doing initial required tests

   Testing server: Default-First-Site-Name\RODC-DC-2008
      Starting test: Connectivity
         The host
         fa616ded-3ba9-453d-9d49-a22ae85bbf70._msdcs.sub.mydomain.com
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... RODC-DC-2008 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\RODC-DC-2008
      Skipping all tests, because server RODC-DC-2008 is not responding to
      directory service requests.

I can see fa616ded-3ba9-453d-9d49-a22ae85bbf70._msdcs.sub.mydomain.com in the DNS and it has the correct CNAME.

--------- Update ---------

On the 2008 DC that is working I can also see the following error:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pdc-2008$. The target name used was domain\RODC-DC-2008$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (myDomain) is different from the client domain (myDomain), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
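The event text quoted above says to make sure the target SPN is registered on exactly one account. As an added example, not code from the original post, the following PowerShell enumerates every SPN in the domain that is registered on more than one object. It assumes the ActiveDirectory module (RSAT or a 2008 R2 DC) and a session with read access to the domain; the host name RODC-DC-2008 is taken from the dcdiag output above.

```powershell
# Added example, not from the original post: report SPNs registered on more than
# one account. Assumes the ActiveDirectory module (RSAT or a 2008 R2 DC).
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    param(
        # Optional host filter, e.g. 'RODC-DC-2008'; '*' reports the whole domain
        [string]$HostFilter = '*'
    )
    $owners = @{}
    # Every user, computer and service account object that carries at least one SPN
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                if ($spn -notlike "*/$HostFilter*") { continue }
                # SPN matching is case-insensitive, so normalise before comparing
                $key = $spn.ToLowerInvariant()
                if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
                $owners[$key] += $dn
            }
        }
    # Keep only SPNs that point at two or more distinct accounts
    foreach ($entry in $owners.GetEnumerator()) {
        $distinct = @($entry.Value | Select-Object -Unique)
        if ($distinct.Count -gt 1) {
            New-Object PSObject -Property @{ SPN = $entry.Key; Accounts = ($distinct -join '; ') }
        }
    }
}

# Usage: whole domain first, then only the SPNs that name the new RODC
Get-DuplicateSpn | Format-Table SPN, Accounts -AutoSize
Get-DuplicateSpn -HostFilter 'RODC-DC-2008' | Format-Table SPN, Accounts -AutoSize
```

setspn -X (Windows Server 2008 and later) performs the same domain-wide search; this version additionally lets you narrow the check to one host. Since the event names RODC-DC-2008$ as the target, that host's HOST/ and ldap/ entries are the ones to inspect first, together with any stale computer object of the same name left from an earlier promotion attempt.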


AD trust redundancy


We use Primary and Secondary win2003DCs for the AD trust.

Only those two DCs have DNS forwarding settings which point directly to the trusting/trusted domain controller IP addresses.

The other DCs' DNS forwarding settings for the trusting/trusted domain point to our own domain's Primary and Secondary win2003DC.

1. If the Primary and Secondary win2003DCs were down, would the trust relationship be broken?

2. If we set one other DC's DNS forwarding setting to the trusting/trusted domain controller IP address, and the Primary and Secondary win2003DCs were down, would the trust relationship be kept?

3. What is the recommended AD trust relationship setting for BCP?

Should we set the DNS forwarding setting to point directly to the trusting/trusted domain controller IP addresses, like the Primary and Secondary DCs, on all DCs?

 

Migration of Computers does not complete successfully ADMT v3.2


Sometimes while migrating computers we encounter the problem of migration failing even when the following is in place:

1. Local Admin Rights on the subject computer

2. Started Services - SERVER, WORKSTATION, NETLOGON, REMOTE REGISTRY

3. Stopped Services - FIREWALL

4. Default Shares - ADMIN$, IPC$, C$

PRE-CHECK succeeds, but post check fails :-(

Particularly disappointing is that the SECURITY TRANSLATION IS A FAILURE:

EXAMINED    CHANGED    UNCHANGED
156313      0          156313

RE-RUNNING the SECURITY TRANSLATION ALSO FAILS.

Sometimes it says that there is some issue with the domain membership of this workstation when the user tries to log in

(in the ADMT logs it says: Changed domain affiliation of local computer to TARGET.NET).

Sometimes users are able to log in but a new profile is created (this is understandable since the SECURITY TRANSLATION FAILS).

In such a case are there any manual steps that we can follow, so that the migration is completed and the user is able to get the same profile that he had in the source domain and the rights on the files/folders are also the same?

Given here is the log of the computer migration:

===================================================================================


[Settings Section]
Task: Computer Migration (18)
ADMT Console
    User:       TARGET\ADMTADMIN
    Computer:   TARGETFileServer.TARGET.NET (TARGETFileServer)
        Domain:     TARGET.NET (TARGET)
        OS:         Windows Server 2008 R2 Standard 6.1 (7601) Service Pack 1
Source Domain
    Name:   SOURCE.NET (SOURCE)
    DC:     SOURCEDC.SOURCE.NET (SOURCEDC)
        OS:     Windows Server 2003 5.2 (3790) Service Pack 2
    OU:    
Target Domain
    Name:   TARGET.NET (TARGET)
    DC:     PDEMUNSRDC1001.TARGET.NET (PDEMUNSRDC1001)
        OS:     Windows Server 2008 R2 Enterprise 6.1 (7601) Service Pack 1
    OU:     LDAP://TARGET.NET/OU=WORKSTATIONS,OU=US,OU=TARGET,DC=TARGET,DC=NET
Intra-Forest: No
Translate Option: Add
Translate Files:         Yes
Translate Local Groups:  Yes
Translate Printers:      Yes
Translate Registry:      Yes
Translate Rights:        Yes
Translate Shares:        Yes
Translate User Profiles: Yes
Conflict Option: Ignore
Update managed service accounts: No
Perform Pre-check Only: No

[Object Migration Section]
2013-08-21 10:51:10 Starting Account Replicator.
2013-08-21 10:51:18 CN=SUBJECTCOMPUTER      - Created
2013-08-21 10:51:24 WRN1:7561 ADMT could not migrate some properties for this object type (computer) due to schema mismatches.  Please refer to the Schema Section in the migration log for a complete listing.  The Schema Section will be available once object migration is complete.
2013-08-21 10:51:28  - Set password for CN=SUBJECTCOMPUTER.
2013-08-21 10:51:28 Operation completed.

[Schema Section]
The following properties for computer objects are not defined in the target forest schema.
<CONTAINS A LOT OF ATTRIBUTES>

[Agent Dispatch Section]
2013-08-21 10:52:26 Read 864 accounts from the database that were previously migrated from the domain 'SOURCE.NET' to the domain 'TARGET.NET'.
2013-08-21 10:52:27 Created account input file for remote agents: Accounts000018.txt
2013-08-21 10:52:28 Installing agent on 1 servers
     
2013-08-21 10:52:28 The Active Directory Migration Tool Agent will be installed on SUBJECTCOMPUTER.SOURCE.NET
2013-08-21 10:55:14 Started job:  SUBJECTCOMPUTER.SOURCE.NET 000018_SUBJECTCOMPUTER {4F4B548A-94FD-45E9-9B9A-7C4EF4165F9C}
2013-08-21 11:07:29 Done waiting for the computer 'SUBJECTCOMPUTER.SOURCE.NET' to reboot.
2013-08-21 11:07:29 ERR2:7711 Unable to retrieve the DNS hostname for the migrated computer 'SUBJECTCOMPUTER.SOURCE.NET'. The ADSI property cannot be found in the property cache.
 (hr=0x8000500d)
2013-08-21 11:07:29 Post-check will be retried on the computer 'SUBJECTCOMPUTER'.
2013-08-21 11:08:34 ERR2:7711 Unable to retrieve the DNS hostname for the migrated computer 'SUBJECTCOMPUTER.SOURCE.NET'. The ADSI property cannot be found in the property cache.
 (hr=0x8000500d)
2013-08-21 11:08:34 Post-check will be retried on the computer 'SUBJECTCOMPUTER'.
2013-08-21 11:09:34 ERR2:7711 Unable to retrieve the DNS hostname for the migrated computer 'SUBJECTCOMPUTER.SOURCE.NET'. The ADSI property cannot be found in the property cache.
 (hr=0x8000500d)
     
2013-08-21 11:10:04 ERR2:7888 Agent-based operations completed with errors.

[Agent Summary Section]
***** Start of Pre-check Summary *****
Machine Name                Status Message
SUBJECTCOMPUTER.SOURCE.NET Passed 
***** End of Pre-check Summary *****
***** Start of Agent Operation Summary *****
For more information about operations that completed with warnings or errors, refer to the Agent Details section.
Machine Name                Status                Message
SUBJECTCOMPUTER.SOURCE.NET Completed with Errors 
***** End of Agent Operation Summary *****
***** Start of Post-check Summary *****
Machine Name                Status Message
SUBJECTCOMPUTER.SOURCE.NET Failed Unable to retrieve the DNS hostname for the migrated computer 'SUBJECTCOMPUTER.SOURCE.NET'. The ADSI property cannot be found in the property cache.   (hr=0x8000500d) 
***** End of Post-check Summary *****

[Agent Details Section]

Details for SUBJECTCOMPUTER.SOURCE.NET
Local Machine
    Computer:   SUBJECTCOMPUTER.SOURCE.NET (SUBJECTCOMPUTER)
        Domain:     SOURCE.NET (SOURCE)
        OS:         Windows 7 Enterprise 6.1 (7601) Service Pack 1
2013-08-21 08:55:14 Starting Security Translator.
2013-08-21 08:55:14 Agent is running in local mode.
2013-08-21 08:55:14 Read 864 accounts from C:\Windows\OnePointDomainAgent\Accounts000018.txt
2013-08-21 08:55:14 SecurityTranslation Files:Yes Shares:Yes LGroups:Yes UserRights:Yes Printers:Yes Profiles:Yes RecycleBin:Yes TranslationMode:Add SOURCE.NET TARGET.NET
2013-08-21 08:55:14 Starting
2013-08-21 08:55:15 Translating local machine.
2013-08-21 08:55:15 Processing C:\
2013-08-21 08:55:35 Could not open file 'C:\Program Files\AVAST Software\Avast' (5)  Access is denied.
2013-08-21 08:55:54 Could not open file 'C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget' (5)  Access is denied.
2013-08-21 08:55:55 Could not open file 'C:\ProgramData\AVAST Software\Avast' (5)  Access is denied.
2013-08-21 08:56:05 Could not open file 'C:\System Volume Information\{1859fb6f-0428-11e3-a09a-af17d7c5b5fa}{3808876b-c176-4e48-b7ae-04046e6cc752}' (5)  Access is denied.
2013-08-21 08:56:05 Could not open file 'C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}' (5)  Access is denied.
2013-08-21 08:56:06 Could not open file 'C:\System Volume Information\{4bb0b3c2-04e5-11e3-9f3a-d2e11a08caf8}{3808876b-c176-4e48-b7ae-04046e6cc752}' (5)  Access is denied.
2013-08-21 08:56:06 Could not open file 'C:\System Volume Information\{70800a3a-09a5-11e3-b41d-c2c498c855e4}{3808876b-c176-4e48-b7ae-04046e6cc752}' (5)  Access is denied.
2013-08-21 08:56:41 Could not open file 'C:\Users\aic6026\My Documents' (2)  The system cannot find the file specified.
2013-08-21 08:56:45 Could not open file 'C:\Windows\avastSS.scr' (5)  Access is denied.
2013-08-21 08:56:56 Could not open file 'C:\Windows\System32\aswBoot.exe' (5)  Access is denied.
2013-08-21 08:56:57 Could not open file 'C:\Windows\System32\drivers\aswFsBlk.sys' (5)  Access is denied.
2013-08-21 08:56:57 Could not open file 'C:\Windows\System32\drivers\aswMonFlt.sys' (5)  Access is denied.
2013-08-21 08:56:58 Could not open file 'C:\Windows\System32\drivers\aswRdr.sys' (5)  Access is denied.
2013-08-21 08:56:58 Could not open file 'C:\Windows\System32\drivers\aswRdr2.sys' (5)  Access is denied.
2013-08-21 08:56:58 Could not open file 'C:\Windows\System32\drivers\aswSnx.sys' (5)  Access is denied.
2013-08-21 08:56:58 Could not open file 'C:\Windows\System32\drivers\aswSP.sys' (5)  Access is denied.
2013-08-21 08:56:58 Could not open file 'C:\Windows\System32\drivers\aswTdi.sys' (5)  Access is denied.
2013-08-21 08:58:17 Processing recycle bin files and folders on C:\.
2013-08-21 08:58:17 Examining: S-1-5-21-2393316171-1833054269-3584435943-1000
2013-08-21 08:58:17 Examining: S-1-5-21-2393316171-1833054269-3584435943-1002
2013-08-21 08:58:17 Examining: S-1-5-21-424429321-1812619029-1179000955-35560
2013-08-21 08:58:17 Examining: S-1-5-21-424429321-1812619029-1179000955-4716
2013-08-21 08:58:17 Skipping D:\.  D:\ is a CD-ROM drive.
2013-08-21 08:58:17 Processing shares on local machine.
2013-08-21 08:58:17 Processing printer security...
2013-08-21 08:58:17 Translating local groups.
2013-08-21 08:58:17 Translating user rights.
2013-08-21 08:58:18 Granted right SUBJECTCOMPUTER\SeDenyInteractiveLogonRight to TARGET.NET\DenyInteractiveLogon
2013-08-21 08:58:18 Translating security on registry keys.
2013-08-21 08:59:05 ERR3:7330 Failed to open registry key HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast, rc=5  Access is denied.
2013-08-21 08:59:43 ERR3:7330 Failed to open registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswFsBlk, rc=5  Access is denied.
2013-08-21 08:59:46 ERR3:7330 Failed to open registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\aswFsBlk, rc=5  Access is denied.
2013-08-21 08:59:50 ERR3:7330 Failed to open registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\services\aswFsBlk, rc=5  Access is denied.
2013-08-21 08:59:53 ERR3:7330 Failed to open registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aswFsBlk, rc=5  Access is denied.
2013-08-21 08:59:54 ------Account Detail---------
2013-08-21 08:59:54 The account detail section uses the following format: AccountName(OwnerChanges, GroupChanges, DaclChanges, SaclChanges).
2013-08-21 08:59:54 -----------------------------
2013-08-21 08:59:54 0 users, 864 groups, 0 msas
2013-08-21 08:59:54 864 accounts selected.  864 resolved, 0 unresolved.
2013-08-21 08:59:54            Examined        Changed     Unchanged
2013-08-21 08:59:54 Files         156313              0        156313
2013-08-21 08:59:54 Dirs           28909              0         28909
2013-08-21 08:59:54 Shares             3              0             3
2013-08-21 08:59:55 Members           12              0            12
2013-08-21 08:59:55 User Rights       72              1            71
2013-08-21 08:59:55 Exchange Objects          0              0             0
2013-08-21 08:59:55 Containers         0              0             0
2013-08-21 08:59:55 DACLs         616293              0        616293
2013-08-21 08:59:55 SACLs          32632              0         32632
2013-08-21 08:59:55            Examined        Changed     No Target   Not Selected     Unknown
2013-08-21 08:59:55 Owners       616295              0        616295              0           0
2013-08-21 08:59:55 Groups       616295              0        616295              0           0
2013-08-21 08:59:55 DACEs       3400775              0       3400775        3400775           0
2013-08-21 08:59:55 SACEs         29143              0         29143          29143           0

2013-08-21 09:00:14 Changed domain affiliation of local computer to TARGET.NET.
2013-08-21 09:00:14 The local machine will be rebooted in 1 minutes.
2013-08-21 09:00:14 Wrote result file C:\Windows\OnePointDomainAgent\000018_SUBJECTCOMPUTER.result
2013-08-21 09:00:14 Operation completed.

===================================================================================


How could we migrate Root CA


We use a Win2003R2 Root CA.

1. How could we migrate a win2003 Root CA to a win2008 Root CA?

2. Does the CA need to be a Domain Controller?

After I set the forest functional level to 2008 and the domain functional level to 2008 R2, then restarted NTDS, everything fails; how can I fix it?


After I set the forest functional level to 2008 and the domain functional level to 2008 R2, then restarted NTDS, everything fails; how can I fix it?

I admit, it is a whim test to find out if PowerShell has such rules to prevent it.

However, it proves not!

I'm Charles Lee.

Change network location on Domain Controller


I have a Windows Server 2008 domain controller with two network interfaces, one connected to our intranet and another connected to the internet. When I finished installing the DC, both NICs were identified as Domain Network. Is it possible to change the NIC connected to the internet to Public Network? I do know it's not good to connect the DC to the internet, but it's required for our small corporate network.

Thanks

Leo



Res.Rwm modification.

A Res.rwm file appears when we add the very first image file on a WDS server, and this res.rwm file is stored under c:\remoteinstall\images\ImageGroup1. Can we view the contents of a .rwm file?

duplicate client on domain


Hi,

I have some external laptop users that are joined to the domain. They have access to some licensed software in our network and they are authenticated by our PKI infrastructure.

Now I'm worried that someone could clone one of these laptops to another laptop of the exact same model and use our licensed software too. It means two computers that are completely the same would have access to our domain and our resources.

My question is: is it possible to do something about that, or is there a restriction on it?!

Thanks,


Bob

User authenticating on Additional domain rather than DC?


I have promoted one ADC to DC, which is 2008 64-bit and also has GC, and the main DC was demoted to ADC, which is Server 2008 32-bit.

I have successfully transferred the roles and confirmed it, and users were also authenticating on the DC which was promoted. After a few days users are authenticating on the ADC. I have set the primary DNS as the DC and the secondary DNS as the ADC.

When I checked, I found that due to port blocking replication was not proper. Now replication is working fine, but when I ran the FSMO test I found the error below, and users are still authenticated by the ADC, which is my old server.

Error:

Running enterprise tests on : XXXX-res.ad
      Starting test: FsmoCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         ......................... XXXX-res.ad failed test FsmoCheck

Your suggestions will help me a lot and thanks in Advance.

How to deal with replication when we replace a 2k3 DC in a remote AD site with a 2K8R2 RODC.


At one AD (remote) site is a Windows 2003 domain controller. We want to place a Windows 2008R2 RODC in that site and later demote the Windows 2003 DC. All other domain controllers in our domain/forest will be Windows 2008 R2 before we replace this one.

Because a Windows 2008R2 RODC can't replicate (the domain partition) with Windows 2003, the question is how to configure replication when we place the RODC in the same AD site as the last Windows 2003 DC. There are no other DCs in that site.

We would prefer not to create a new site in that location because of our complex environment.

Regards,

Jeroen Bleeker

Powershell move-ADObject: ACCESS DENIED ---- not due to "protect from accidental deletion"


Hi,

Please can someone tell me why the following Powershell is giving me this permissions error:

PS C:\Users\Charles> Move-ADObject 'CN=VD-SALES-04,OU=Computers,OU=TIUK,DC=tiuk,DC=local' -TargetPath 'OU=VirtualDesktops,OU=Desktops,OU=Workstations,OU=Computers,OU=TIUK,DC=tiuk,DC=local'
Move-ADObject : Access is denied
At line:1 char:1
+ Move-ADObject 'CN=VD-SALES-04,OU=Computers,OU=TIUK,DC=tiuk,DC=local' -TargetPath ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (CN=VD-SALES-04,...C=tiuk,DC=local:ADObject) [Move-ADObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.MoveADObject

I am a member of the Domain Admins and Enterprise Admins groups.
I can move the computer object via ADUC with no problem, logged in as me.
The above PowerShell is run as me; I have made sure it is not running as local Administrator using RUNAS.
I have made sure that Protect from Accidental Deletion is off on all OUs and AD objects concerned.
My effective permissions on all concerned OUs and AD objects are FULL CONTROL, no denies at all.

Please help, this is driving me mad and wasting a lot of time I really need to be spending on other things.

Thanks,

Charles
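One check worth running before digging further, added here as an example that is not part of the original post: dump every Deny ACE on the three objects a move touches. A move needs Delete on the object (or Delete Child on its current parent) plus Create Child on the target OU, and a Deny ACE for any group the caller belongs to overrides Full Control granted elsewhere, which the ADUC effective-permissions view does not always make obvious. The distinguished names are the ones from the failing command; the code assumes the ActiveDirectory module, whose AD: drive Get-Acl reads.

```powershell
# Added example, not from the original post: list Deny ACEs on the object being moved,
# its current parent and the target OU, using the AD: drive of the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdDenyAce {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        New-Object PSObject -Property @{
            Object     = $DistinguishedName
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights.ToString()
            Inherited  = $ace.IsInherited
            # All-zero GUID means the ACE covers every attribute/class, otherwise one schema object
            ObjectType = $ace.ObjectType.ToString()
        }
    }
}

$object = 'CN=VD-SALES-04,OU=Computers,OU=TIUK,DC=tiuk,DC=local'
$target = 'OU=VirtualDesktops,OU=Desktops,OU=Workstations,OU=Computers,OU=TIUK,DC=tiuk,DC=local'
$parent = ($object -split ',', 2)[1]        # current parent container of the object

# Groups the session's token really carries; UAC marks filtered ones "used for deny only"
whoami /groups | Select-String 'Domain Admins|Enterprise Admins|Administrators'

foreach ($dn in @($object, $parent, $target)) {
    Get-AdDenyAce -DistinguishedName $dn | Format-Table Object, Identity, Rights, Inherited -AutoSize
}
```

If nothing is denied, re-run Move-ADObject with -Server set to the DC that ADUC is connected to (shown in its "Change Domain Controller" dialog). The AD cmdlets go through ADWS on whichever DC they discover, and if that DC has not yet replicated a permission or protection change made on another one, the two tools will disagree until replication catches up.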

Logging in and making the login script work (drive mapping and profile mapping) depending on which OU the user logs in from.


Hi there,

Here is my issue.   We have a single 2008R2 domain.  It has about 36 locations (sites) that all have their own OU.

A user can work at more than one site. His or her login name is only available once, but is it possible for a script (or policy) to find out in which OU the user is and then map the right home drive and the right profile folder?

So when working at site one the user gets the home and profile stuff that is on the server there.

When the user is working at site 2 the user needs to get the home drive and profile folder on that particular server.

At the moment I use simple scripts that reside in the netlogon share.

Through policy would be neater and less maintenance.

I'd like to hear from you.

Yours,


Ben.


Ben van der Meer
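As an added example, not code from the original post, here is a PowerShell logon script that does the drive-mapping half of this: it finds the user's object, reads the site OU from its distinguished name and maps H: to that site's home share. The OU layout (user objects under OU=<Site> directly below the domain) and the site-to-server table are assumptions. It uses System.DirectoryServices rather than the AD module so that it runs on Windows 7 clients without RSAT.

```powershell
# Added example, not from the original post: logon script that maps the home drive
# to the file server of the site whose OU holds the user object.
# Assumed layout (not from the post): CN=<user>,OU=Users,OU=<Site>,DC=corp,DC=example
# Assumed site-to-server table; replace with the real servers.
$SiteServers = @{
    'Site01' = '\\fs-site01\home'
    'Site02' = '\\fs-site02\home'
}

function Get-UserSiteOu {
    # Look up the calling user's DN with the search API present on Windows 7 / PS 2.0
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if (-not $result) { return $null }
    $dn = [string]$result.Properties['distinguishedname'][0]
    # The last OU component of the DN is the one directly under the domain: the site OU
    $ous = @($dn -split ',' | Where-Object { $_ -like 'OU=*' })
    if ($ous.Count -eq 0) { return $null }
    return ($ous[-1] -replace '^OU=', '')
}

function Map-HomeDrive {
    param([Parameter(Mandatory=$true)][string]$Site, [string]$Letter = 'H')
    if (-not $SiteServers.ContainsKey($Site)) {
        Write-Warning "No server mapped for site OU '$Site'; leaving ${Letter}: alone"
        return $false
    }
    $path = Join-Path $SiteServers[$Site] $env:USERNAME
    # Drop a stale mapping left from another site, then map the drive persistently
    & net use "${Letter}:" /delete /y 2>$null | Out-Null
    & net use "${Letter}:" $path /persistent:yes | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$site = Get-UserSiteOu
if ($site) { Map-HomeDrive -Site $site } else { Write-Warning 'Could not determine site OU' }
```

Assign it under User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) on the PowerShell Scripts tab, linked once at the domain, since the script decides by OU itself. The profile half cannot be done by a logon script: the roaming profile path is read from the user object (profilePath) or from the computer policy "Set roaming profile path for all users logging onto this computer" before any logon script runs, so a per-site profile server is a per-site computer GPO, not a script.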


Kerberos Token Size


Hello,

As per MS KB article http://support.microsoft.com/kb/938118, if you want to increase the Kerberos token size, you should set the following registry value:

 

Entry: MaxTokenSize

Data type: REG_DWORD

Value: 48000

 

We have a case opened with 1st-line Microsoft support, and they are suggesting the following:

 

1. Right click the value “MaxTokenSize”, and rename it to MaxTokenSizeValue

2. Right click the value MaxTokenSizeValue, and choose Modify

3. Please choose Decimal, and type the value as 144000

 

I cannot find any references regarding MaxTokenSizeValue on the internet :-(

Does anybody have experience whether "MaxTokenSize" is the correct value?

I can provide MS case ID if necessary.

 

Thanks!
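As an added example, not from the original post, the PowerShell below reads and writes the MaxTokenSize value documented in KB 938118 (registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) with the range check a practitioner would want, and estimates a given user's token size with the formula from KB 327825 (1200 + 40d + 8s) so you can tell whether a value is large enough before changing it. It assumes the ActiveDirectory module, an elevated session for the registry write, and that the DCs are 2008 R2 or older (the user name is an example).

```powershell
# Added example, not from the original post: manage MaxTokenSize (KB 938118) and
# estimate a user's Kerberos token size (KB 327825 formula, pre-2012 DCs).
Import-Module ActiveDirectory

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-MaxTokenSize {
    $item = Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.MaxTokenSize }
    return 12000   # effective default when the entry is absent on 2003 / 2008 / 2008 R2
}

function Set-MaxTokenSize {
    param([int]$Bytes = 48000)
    # 65535 is the hard ceiling; 48000 is the documented recommendation because HTTP
    # front ends (IIS, ADFS) base64-encode the ticket and larger tokens overflow headers
    if ($Bytes -lt 1 -or $Bytes -gt 65535) { throw "MaxTokenSize must be 1..65535, got $Bytes" }
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    Set-ItemProperty -Path $KerbParams -Name MaxTokenSize -Value $Bytes -Type DWord
    return (Get-MaxTokenSize)
}

function Get-TokenSizeEstimate {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    # 1200 + 40*d + 8*s: d = domain-local groups plus groups from other domains,
    # s = global/universal groups of the account's own domain plus SID-history entries
    $user = Get-ADUser $SamAccountName -Properties tokenGroups, sidHistory
    $domainSid = (Get-ADDomain).DomainSID.Value
    $d = 0; $s = 0
    foreach ($sid in $user.tokenGroups) {
        $foreign = -not $sid.Value.StartsWith("${domainSid}-")   # builtin or other-domain SID
        $grp = $null
        try { $grp = Get-ADGroup -Identity $sid.Value } catch { }
        if ($foreign -or ($grp -and $grp.GroupScope -eq 'DomainLocal')) { $d++ } else { $s++ }
    }
    $s += @($user.sidHistory).Count
    New-Object PSObject -Property @{
        User = $SamAccountName; DomainLocalOrForeign = $d; GlobalUniversal = $s
        EstimatedBytes = 1200 + 40 * $d + 8 * $s; MaxTokenSize = (Get-MaxTokenSize)
    }
}

# Usage: compare the estimate with the configured limit, then raise the limit if needed
Get-TokenSizeEstimate -SamAccountName 'jsmith' | Format-List
# Set-MaxTokenSize -Bytes 48000
```

The value must be set on every machine that processes the ticket (clients, member servers and DCs), and a change takes effect on the next logon, not immediately.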


Windows Server 2008's ADAM writer always fails in Windows 8.1's Hyper-V, while Windows Server 2008 R2's will not.


Windows Server 2008's ADAM writer always fails in Windows 8.1's Hyper-V, while Windows Server 2008 R2's will not.

I've had the newest integration services of Windows 8.1's Hyper-V installed.

Do you know how I can fix it?

Thanks very much.

08 ADAM writer fails in Windows 8.1's Hyper-V

hyper-v version


I'm Charles Lee.

Add existing domain to a forest


Our company has three different locations; each location has a separate domain/forest and they are not connected to each other. Here in headquarters we have a domain called abc.com, in the second location we have kabc.com and in the third location we have babc.com.

What I want to do now is to connect the current domains under one at headquarters, in which case abc.com would be the parent domain, having kabc.com and babc.com as its children.

Will it be possible? If yes, how do we connect them, as they are working totally separately now and I don't want to lose data or re-install at each location?

Thanks in advance

How to expire a user password


Hey all, this one has me pulling my hair out.  Hopefully you can help.

I am trying to test a particular piece of software and how it behaves when the user logging in has an expired password.  The problem is that I seem to be unable to expire a password "on-demand".  I am running a domain at Windows 2003 functional level with a mix of 2003 and 2008 DCs (all of the required prepping has been done).

I know that I can set an expiration date for the account, and that is not what I want.  I also know that you can change (either programmatically or via ADSIEdit) the value of "pwdLastSet" to 0, and that will force the user to change the password. However, this is technically not the same thing as having an expired password, it's more akin to ticking the box labeled "User must change password on next logon".  I have observed that ticking that box does in fact set "pwdLastSet" to 0.

So I've done some further digging and it appears that you can set "userAccountControl" flags on the AD object. The account that I am testing with presently has a "userAccountControl" value of 0x200 (512 in decimal), and the ADUC Attribute Editor parses that as NORMAL_ACCOUNT. The flag for EXPIRED_PASSWORD is 0x800000 (decimal 8388608). So basically I should be able to do the typical bitmask math, adding the currently set flags (512) to the desired flag (8388608) to get the new value of 8389120. So I edit "userAccountControl", key in 8389120, click OK, click Apply. Then when I look at the "userAccountControl" property I see a new hex value of 0x800200 and that it is parsed out as NORMAL_ACCOUNT | PASSWORD_EXPIRED.

Fantastic! Everything works as intended, right? Wrong. Because as soon as I hit OK to close the account's properties tab and go to view the account, I see that "userAccountControl" has reverted to 0x200 (decimal 512), i.e., the PASSWORD_EXPIRED flag has been cleared somehow. I also verified that having the PASSWORD_EXPIRED flag doesn't reset the "pwdLastSet" field either. So what is going on here? Is there another attribute that I need to flip? Why does this keep reverting on me?

I have tested setting some of the other flags (DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH, etc) and none of them revert automatically, so I know that the attribute is writable and that my account has permissions to set the flags.
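As an added example, not from the original post, the PowerShell below does the bitmask arithmetic described above and reads userAccountControl next to the server-computed attribute msDS-User-Account-Control-Computed. PASSWORD_EXPIRED (0x800000) and LOCKOUT (0x10) are reported only in the computed attribute; the DC derives them from pwdLastSet, the password policy and the lockout state, which is why a client write of that bit to userAccountControl does not persist. The account name is an example and the code assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post: decode the stored and the computed
# account-control flags side by side. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$UacFlags = @{
    SCRIPT = 0x1; ACCOUNTDISABLE = 0x2; LOCKOUT = 0x10; PASSWD_NOTREQD = 0x20
    PASSWD_CANT_CHANGE = 0x40; NORMAL_ACCOUNT = 0x200; DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED = 0x40000; TRUSTED_FOR_DELEGATION = 0x80000; NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000; DONT_REQ_PREAUTH = 0x400000; PASSWORD_EXPIRED = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-Uac {
    param([int]$Value)
    # A flag is set when (value AND flag) leaves the flag intact
    $names = foreach ($k in $UacFlags.Keys) { if (($Value -band $UacFlags[$k]) -eq $UacFlags[$k]) { $k } }
    return (($names | Sort-Object) -join ' | ')
}

function Get-AccountControlState {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $u = Get-ADUser $SamAccountName -Properties userAccountControl, 'msDS-User-Account-Control-Computed', pwdLastSet, PasswordExpired
    $computed = [int]$u.'msDS-User-Account-Control-Computed'
    New-Object PSObject -Property @{
        User            = $SamAccountName
        Stored          = ('0x{0:X} = {1}' -f $u.userAccountControl, (ConvertFrom-Uac $u.userAccountControl))
        Computed        = ('0x{0:X} = {1}' -f $computed, (ConvertFrom-Uac $computed))
        PwdLastSet      = $u.pwdLastSet
        PasswordExpired = $u.PasswordExpired
    }
}

function Set-PasswordMustChange {
    # The client-settable way to make the next logon fail with an expired password:
    # pwdLastSet = 0, which is what "User must change password at next logon" writes
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    Set-ADUser $SamAccountName -ChangePasswordAtLogon $true
    return (Get-AccountControlState -SamAccountName $SamAccountName)
}

# Usage: inspect, then force the expired state and inspect again
Get-AccountControlState -SamAccountName 'testuser' | Format-List
Set-PasswordMustChange -SamAccountName 'testuser' | Format-List
```

After the second call the Computed line shows PASSWORD_EXPIRED while the Stored line still reads NORMAL_ACCOUNT. An expiry driven by password age rather than by pwdLastSet = 0 requires a short maximum password age, and at the Windows 2003 domain functional level that is a domain-wide setting, since fine-grained password policies need the 2008 level.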

the server with this IP address is not authoritative for the required zone


Hi ,

I set up two different domain servers (Windows 2008 R2) in the same subnet (192.168.44.0/24) with this configuration:

server1.test1.local:

IP address: 192.168.44.150/24

and:

server2.test2.local

IP address: 192.168.44.149/24

These 2 domain servers are in different forests and I want to create a trust relationship between them.

They can ping each other, also by name (server1 and server2), and I added their IP addresses as a secondary DNS for each other,

but when I want to add, for example, server1.test1.local to the name server list of server2, or server2.test2.local to the name server list of server1, I see this error:

the server with this IP address is not authoritative for the required zone

I see this error whenever I want to add one of the DNS names and resolve its IP address in the other DNS server.

could you please assist 

Thanks
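The two posts above ("AD trust redundancy" and this one) both come down to how every DC resolves the other forest's DC locator records. As an added example, not code from either post, the PowerShell below creates an AD-replicated conditional forwarder for the other forest's zone with one or more master addresses, then queries every DC of the local domain for the other forest's _ldap._tcp.dc._msdcs SRV record to show which DCs could still find a trusted-forest DC if a given DNS server were down. It uses dnscmd, which 2003 and 2008 R2 both ship; the names and addresses are the ones from this post, and the extra master addresses in the last call are assumed.

```powershell
# Added example, not from the original posts: AD-replicated conditional forwarder for
# a trusted forest plus a per-DC resolution check. Uses dnscmd (2003 / 2008 R2).
function Add-TrustForwarder {
    param(
        [Parameter(Mandatory=$true)][string]$DnsServer,     # DC/DNS server to configure
        [Parameter(Mandatory=$true)][string]$ForeignZone,   # the other forest's DNS zone
        [Parameter(Mandatory=$true)][string[]]$Masters      # DNS servers of that forest
    )
    # /DsForwarder stores the forwarder in AD, so every DC running DNS receives the
    # same master list through replication instead of being configured one by one.
    $output = & dnscmd $DnsServer /ZoneAdd $ForeignZone /DsForwarder $Masters 2>&1
    New-Object PSObject -Property @{
        Server = $DnsServer; Zone = $ForeignZone
        Ok = ($LASTEXITCODE -eq 0); Output = ($output -join ' ')
    }
}

function Test-TrustResolution {
    param([Parameter(Mandatory=$true)][string]$ForeignDomain)
    # Our own DCs, from our own DC locator record, then ask each for the foreign one
    $ownDcs = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" 2>$null |
        Select-String 'svr hostname' | ForEach-Object { ($_.Line -split '=')[-1].Trim() }
    foreach ($dc in $ownDcs) {
        $answer = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$ForeignDomain" $dc 2>$null
        New-Object PSObject -Property @{
            DC = $dc
            ResolvesForeignDCs = [bool]($answer | Select-String 'svr hostname')
        }
    }
}

# Usage for the two single-DC forests in this post
Add-TrustForwarder -DnsServer server1 -ForeignZone test2.local -Masters '192.168.44.149'
Add-TrustForwarder -DnsServer server2 -ForeignZone test1.local -Masters '192.168.44.150'
Test-TrustResolution -ForeignDomain test2.local | Format-Table DC, ResolvesForeignDCs -AutoSize

# Redundant form for a larger forest (assumed addresses): several masters in one forwarder
# Add-TrustForwarder -DnsServer dc1 -ForeignZone partner.example -Masters '10.1.0.10','10.1.0.11'
```

A trust's secret is replicated to every DC, so the trust object itself does not depend on any particular DC being up; what breaks when the only two DNS servers that know the foreign masters are down is name resolution, and with it referrals and secure-channel setup to the other forest until they return. Replicating the forwarder with its full master list removes that dependency, and nltest /dsgetdc:<foreign domain> from any DC is the end-to-end check once the trust exists.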

UnattendJoin fails but works afterwards without further configuration


Hello everybody,

I'm suffering from a problem that I could not solve yet.

In short, my UnattendJoin with an AutoUnattend.xml in WDS fails due to error 0x54b (1355, NO_SUCH_DOMAIN), but works fine when I join the domain manually directly after deployment without further configuration or limitations.

Well, I have to say that I am building a Windows infrastructure inside a Unix environment. I don't have access to configure the main DNS or DHCP. Thus I have to configure the DNS manually before the domain join, and the WDS operates in standalone mode. I do so with the DNS Client component in the unattend.xml. In the Setupact log file I can see that the DNS configuration is successfully applied before setup tries the domain join. After several retries setup stops the domain join with gdwError = 0x54b.

I could deal with it if the join would not work afterwards without any problems -.- I just can't take it anymore. Any suggestions?

Client OS: Windows 7 Ent. x64
AD: Windows Server 2008r2 (DNS role installed)
WDS on Server 2012 with prestaged clients operating in standalone mode

With best regards,

strade
