Merge Different Domain or Joining Different Domains

We have about 10 different domains at our sites and one domain (Main.local) at headquarters.

All 10 sites have two .NET-based application servers (high availability) + a SQL database (cluster) + 1 domain controller.

Each site has about 100 users created in the local domain, and the application users use these accounts to log in.

Each domain's user accounts differ from the Main.local domain's account naming system, and we want all site users to use the same user names.

Managing these 10 sites is not an easy task, so our upper management wants to merge all site domains into Main.local.

Here are the issues I see:

1- Different domain names with different users cannot be merged into the central domain, so the only solution is a trust between the domains, but users in the site domain still cannot log in to the Main.local domain.

2- If we create new user names for all the users in the site domains, we also have to change the application structure.

So what is the best thing we can do in this situation?


Bare Metal Restore of AD

I have inherited a domain setup at my new company and unfortunately a few of the 2008 R2 domain controllers only have 1 hard drive installed so if that drive fails the server is gone.  I am going to purchase a second hard drive so I can get this DC on a RAID system, but was wondering the best way to do so.  I was looking into doing a BMR of the domain controller but I have some concerns since it is a DC.  I would perform the backup first, add the second drive, create a RAID1 and then boot the Windows DVD and restore from the BMR that I created earlier.  My plan is to do this all in one day.  

Has anyone successfully used BMR on a DC? The server does have other roles besides just being a DC, so I really don't want to have to rebuild the server.

Problems after unsuccessful DC demotion

I've been reading TechNet and KB articles for about a month. After some problems in my domain, I had to demote the new server I had been working to add to the domain. I wasn't able to do it with dcpromo, so I had to use ADSI Edit. I followed the knowledge base article for demoting an orphaned DC. I then reinstalled Server 2008 on the new server. Unfortunately, there are still lingering issues. Currently there is only one DC on the network; let's call it PG. PG isn't looking for replication partners, so I figured everything was okay. It seems the other server was successfully removed. However, when I tried to edit some group policies, I realized I was getting the "RPC server unavailable" error. The server failed to replicate with its partner for a while and I think that's what started all of this. I remember something about a journal wrap error (I've read so many articles, they're blurring together).

I followed the knowledge base article for that issue and ended up doing a non-authoritative restore. No luck, RPC server still unavailable. Then a few days later, AD failed altogether. I restored with a system state backup I had made. I was in a rush to get the server going again, and I forgot to save a dcdiag log of the issue. I remember the group policy service throwing error 1058. After the restore, AD works again and users can access network shares, but I still have the "RPC server not available" issue. Should I have done the authoritative restore as well?

I have an old system state backup I'm thinking of using, from before I added the new server to the domain. Would it be a good idea to restore with this? I might lose my user account, which isn't a huge deal, but I'd rather not. I'm not sure if anything else has changed since. I can't afford to lose anything other than my account. I guess I could just go back to a current system state if something happened, though.

Excuse the wall of text. Any help would be appreciated. I'll post my current dcdiag output in my next post.

Domain controller at my DR (Disaster recovery) site

Hello Expert,

I already have a domain controller at my DC (data center). Now we are planning to implement our DRC (disaster recovery center) at a remote site. My question is: can I integrate my DRC with our existing DC, or should I implement a new domain controller at the DRC site? What is the best practice? Please suggest.


Swaprakash..


Configure AD Sites

Hi Guys,

I have a question about AD Sites and Subnets configuration.

In our environment we have 3 geographical physical locations:

Site A = HQ

Site B = Datacenter

Site C = Branch office

We are running an active-active VMware cluster across sites A and B. Furthermore, we have a physical domain controller in site B and a virtual domain controller run by DRS on the hosts in site A.

There are no servers running in site C.

Almost all servers belong to the same subnet. Furthermore, we are using a couple of subnets for the clients in Site A, and one single subnet for Site C.

What is the best way to configure our AD Sites?

1 single site, attaching both DCs and all subnets to this site?

2 sites: one site HQ with the virtual domain controller as its server and one site Datacenter with the physical domain controller, and link all client subnets to site 1?

I am looking forward to your opinion.

Cheers!


Global query block is causing a DNS server to fail a query with error code Name Error exists in the DNS database for WPAD

Global query block is causing a DNS server to fail a query with error code Name Error exists in the DNS database for WPAD on a Windows 2008 server.
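The DNS Server global query block list exists precisely so that a host cannot register the name WPAD (or ISATAP) and have every browser on the network fetch its proxy script, so the check below (an added example, not from the original post) first shows the current list and only then replaces it with ISATAP alone; run it in an elevated prompt on the 2008 DNS server, and skip the `/config` line unless a WPAD record is deliberately published.

```powershell
# Added example (editor's, not the poster's): inspect and, if WPAD is meant to
# resolve, adjust the DNS Server global query block list on Windows Server 2008.
# dnscmd ships with the DNS Server role; Restart-Service needs an elevated prompt.

# Current list (defaults to "wpad isatap") and whether the list is enforced (1).
dnscmd /info /globalqueryblocklist
dnscmd /info /enableglobalqueryblocklist

# The list is replaced as a whole, so name every entry that must stay blocked.
# Here only "wpad" is released; "isatap" stays blocked.
dnscmd /config /globalqueryblocklist isatap

# Reload the DNS Server service so the new list is certainly in effect.
Restart-Service -Name DNS

# Confirm that the WPAD record itself now answers from this server (placeholder zone).
dnscmd /enumrecords corp.example.local wpad
```

Leaving the block list enabled and releasing a single name is preferable to `dnscmd /config /enableglobalqueryblocklist 0`, which disables the protection for every name in the list.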

How to get DirSync cookies directly without syncing with Active directory ?

I was referring to the following 2 links to trace changes that happened since the last sync with AD.
1. http://msdn.microsoft.com/en-us/library/windows/desktop/ms677626(v=vs.85).aspx

2. http://support.microsoft.com/kb/891995

I have a Java application which gets the changes that happened since the last sync. This application is created based on the example provided here.
My problem is that after each DirSync search the server sends a cookie, and this cookie can be used for further searches in the future. So is it possible to directly get a cookie with respect to the current state of AD? I don't want to perform a search to get the cookie the first time. Is it stored somewhere in the registry? In the case of uSNChanged we directly get the number without iterating through all objects.
 

When will AD member computers sync after DC time correction?

Today I discovered that about 6 months ago, someone had reconfigured our PDC emulator to sync from non-existent time servers, causing it (and in effect everything else in AD) to be off by 37 seconds from the intended, reliable NTP server.  I corrected it on the PDC emulator and made sure the other DCs got in sync with it.  (We have one domain, forest and site so that part was easy.)

Since I did that, many member computers are off from the DCs by 37 seconds, which is expected.  Many of them show Event ID 50 in the System Log: "The time service detected a time difference of greater than 5000 milliseconds for 900 seconds.......When a valid time stamp is received from a time service provider, the time service will correct itself". 

I assume I don't have too much to worry about since it's well within the 5 minute difference allowed by Kerberos. However, it's now been 5 hours since the time correction on the DCs and when I spot check clients, many are still off by 37 seconds.

When will these member computers correct their clocks WITHOUT INTERVENTION?  I'm wondering how they will find a "valid time stamp".

Thanks.


DirectorySynchronization tombstone expired objects

Hi,

I am using DirectorySearcher to search for changes made to AD using DirectorySynchronization. I know that if we set the tombstone property to true, the search will return objects which were deleted too. I would like to know what happens when objects in the Deleted Objects container are removed automatically because their tombstone lifetime has expired. When I perform a search on the Deleted Objects container, will the tombstone-expired objects be returned too?


ADFS Setup Error

Scenario:

New physical DC running Server 2012 R2 (AD DS and DNS) with no other roles. Installed and configured AD FS. First server in a new farm. Service account created in AD for the farm servers. Wildcard certificate used. No problems with this part.

Trying to add a second server to the farm. This is an existing virtual DC running Server 2012 (not R2). Again no other roles other than AD DS and DNS. Installed AD FS. Running the configuration I select 'Add a federation server to an existing Federation Service'. I use the internal FQDN of the first server and select my service account (entering the password). I hit next and get the green progress bar for a few seconds then errors with the following...

"The primary federation server was contacted successfully, but the configuration data was not valid."

There is nothing in the AD FS logs. Tried a search and found nothing related to this specific message. I've tried importing the certificate manually before running the configuration. I've also associated the certificate with the default website.

Any suggestions would be greatly appreciated.

IDMU Password synchronisation crash Windows 2012

Hello,

I have a Windows 2012 Standard server with IDMU password synchronization.

I've configured password synchronization from the Windows server to a Unix server.

When the Unix server is up, everything works fine.

When the Unix server is down, the Windows 2012 server reboots!

I get this error:

Nom de l’application défaillante lsass.exe, version : 6.2.9200.16384, horodatage : 0x50108ab2
Nom du module défaillant : ntdll.dll, version : 6.2.9200.16384, horodatage : 0x5010acd2
Code d’exception : 0xc0000008
Décalage d’erreur : 0x0000000000004c19
ID du processus défaillant : 0x1fc
Heure de début de l’application défaillante : 0x01cefa66797832d8
Chemin d’accès de l’application défaillante : C:\Windows\system32\lsass.exe
Chemin d’accès du module défaillant: C:\Windows\SYSTEM32\ntdll.dll
ID de rapport : b1b6e089-6891-11e3-9405-005056ad24df
Nom complet du package défaillant : 
ID de l’application relative au package défaillant : 

Is it a known bug?

Regards.

Problems after shutting down secondary DC

Hi,

I have a 2003 server running AD services and I added a 2008 R2 DC. Now the 2008 DC has all the FSMO roles (I think so) and also acts as the DHCP server. The 2003 server is now a backup DC.

All computers on the LAN obtain DNS addresses from DHCP. The primary DNS is set to the 2008 R2 server and the secondary is set to the 2003 server.

When I shut down the secondary DC (2003), no client can open network shares, Outlook can't contact the on-premises Exchange server and I can't log in to other servers (via RDP) running Windows 2003. However, I still can log in to servers running Windows 2008.

I think DNS works fine because I can open RDP sessions and ping using the hostname or the FQDN (hostname.mydomain.local).
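Before the 2003 DC goes offline again, the things clients still depend on can be listed from any domain member; the script below is an added example (not the poster's), uses the RSAT ActiveDirectory module (Windows 7 / 2008 R2 or later) and takes the domain name from the post.

```powershell
# Added example (editor's, not the poster's): show which DC holds the FSMO roles,
# which DCs are global catalogs, which DC the locator hands this client, and which
# DCs are still advertised in DNS. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$domain = 'mydomain.local'   # domain suffix quoted in the post

# 1. FSMO holders: the post says the 2008 R2 DC holds them, "I think so".
$d = Get-ADDomain -Identity $domain
$f = Get-ADForest -Identity $domain       # single-domain forest assumed
[pscustomobject]@{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
} | Format-List

# 2. Global catalog status: domain logons and Exchange address lookups need a
#    reachable GC. If only the 2003 DC is a GC, its shutdown explains the symptoms.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# 3. Which DC does the locator pick for this client when it asks for a GC?
Get-ADDomainController -Discover -Domain $domain -Service GlobalCatalog -ForceDiscover |
    Select-Object HostName, IPv4Address, Site

# 4. SRV records: every DC listed here is still offered to clients by DNS.
Resolve-DnsName -Name "_gc._tcp.$domain" -Type SRV -DnsOnly |
    Where-Object QueryType -eq 'SRV' | Select-Object NameTarget, Port
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -DnsOnly |
    Where-Object QueryType -eq 'SRV' | Select-Object NameTarget, Port
```

Resolve-DnsName needs Windows 8 / Server 2012 or later; on older clients `nslookup -type=SRV _gc._tcp.mydomain.local` gives the same answer for step 4.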

replica domain controller installation windows server 2012 unattended

How can we have an unattended answer file for a replica domain controller installation in Windows Server 2012?

In Windows 2008 it was easy to do from the IFM. In Windows Server 2012 dcpromo is deprecated; how can we achieve the same using IFM and an unattended answer file? I got this article from TechNet: http://technet.microsoft.com/en-us/library/hh472162.aspx

It tells me to use PowerShell, which is fine, but it also tells me to specify the database and log file locations, which I don't want to do every time. In Windows 2008 you could just specify everything in the unattended answer file and you were good to go; that feature is not available any more. Is there a workaround for this?

We are in the pilot phase of testing Windows Server 2012 R2; any feedback is appreciated.




Changing IP Scheme - Multiple Sites

The network I just inherited has a 192.168.1.0 scheme that causes no end of headaches for VPN users.  I've been tasked with getting this changed sooner than later - but I've never touched true "networking" on this scale and have only ever administered a network - not configured one.  It's generated a lot of questions for me and I was hoping someone could direct me to resources that can help.

I've found a number of posts here with a lot of helpful information, but still have some (quite a few) blanks that I need to fill in.  My biggest concerns are that I'll make a change somewhere and find myself unable to access that system to correct it, or that I'll run into an issue where everything should be working but it just isn't.

We have a primary network (192.168.1.x, Small Business 2003 (planning to move to 2008/2012 before April)) and multiple sites external to that, connected via VPN through their firewalls. Each site has its own backup domain controller. I'm planning to undertake an IP conversion at the smaller sites first to see how well I handle it and build on what I do there if it's feasible.

The sub-sites have very simple networks - just the backup domain controller, a firewall, and a switch for the most part.  The primary site has a larger server room and multiple buildings connected to it directly.

For the sub-site TestA I think my order of operations is (please let me know if I've got this wrong):

Pre-Project:

  1. Plan my change - I've got my scope picked out and will assign each device a new IP on paper before I ever launch. 
  2. Check DNS and DHCP scopes for devices that have been manually configured and document them.
  3. Add firewall rules to all sites to route traffic to my new IP range across the VPN, duplicating the existing rules so I can reconnect as I work.
  4. Set my domain DHCP rules to refresh every 2 hours a couple days before.

Project Start:

  1. Change static IP of the site Backup Domain Controller on the NIC.  I imagine this will reset my connection to the server and I'll need those firewall rules to let me get back in.
  2. Restart DNS and NetLogon services.
  3. Open cmd and run ipconfig /flushdns as well as ipconfig /registerdns
  4. Open DNS and check domain zone properties > Nameservers and make sure the new IP is listed; remove old one as needed and manually recreate if required.
  5. In DNS, clean out any old IP references to the SiteA devices.
  6. In DNS, create a new Reverse Lookup zone for the SiteA IP.  
  7. In DNS, delete old Reverse Lookup Zone.
  8. Open DHCP, create a secondary DHCP scope that covers my new 10.74.21.x IP range and after ensuring it's a good duplicate, delete the old one.
  9. Update Firewall IP Address
  10. Check ports and routing on firewall and update as required (should be pre-planned and documented)
  11. Ensure other locations are using the new IP Address for SiteA in their DNS > Zone (r-click) Properties > NameServers tabs
  12. Clean out old Firewall rules  from Pre-Project Step 3 that should now be obsolete.
  13. Test internet and server connectivity from SiteA Server.
  14. Check Active Directory Sites and Services on primary Domain Controller and Add the new site as needed.
  15. Update static IP addresses devices for servers.
  16. Run ipconfig /registerdns on servers as needed
  17. Update static IP addresses for computers, printers, devices
  18. Update static IP addresses and rules on routers and switches
  19. Log in as a user, test AD, test printing

Questions:

  1. How well will I be able to work on devices with dissimilar IP addresses? If I've changed the Domain Controller IP to 10.73.21.x, will I have trouble connecting to other devices on the network using their old 192.168.1.x IPs? Logically this seems like it has to work, since - you know - the internet works - but some part of me is afraid that when I switch the IP on the Domain Controller, I'll be locked out of every other device on the network.
  2. I'm not sure how to maintain the link between sites.  I was in the Active Directory Sites and Services list on the Primary Domain Controller, but couldn't make adjustments to SiteA's displayed IP of 192.168.2.0/24.  Will this simply auto-update itself - I have a step to recreate this, but I haven't researched how that works or exactly what it does.

I appreciate any feedback or help provided.  This is new territory for me and I really want to nail it as best as I can.

Once I get through the first remote site, I plan to duplicate the process on the others and then return to the main site and handle it like the remote sites but on a larger scale with more switches/routers/PC's.

Thank you!


Edit: I also found this today: http://blog.geek4god.net/2011/01/windows-domain-ip-scheme-change.html and am looking through it.
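Steps 4, 11 and 14 of the procedure above, and question 2, come down to two things that can be verified rather than assumed: the DNS records for the re-addressed DC and the subnet object that ties the new range to the site. The script below is an added example (not the poster's), takes the 10.74.21.x and 192.168.2.0/24 ranges from the post, uses placeholder names, and needs the RSAT ActiveDirectory and DnsClient modules (Windows 8 / Server 2012 or later, which the post plans to move to).

```powershell
# Added example (editor's, not the poster's): verify the DNS and Sites-and-Services
# outcome of re-addressing a site's DC. Uses -WhatIf on the two changing commands.
Import-Module ActiveDirectory

$domain    = 'corp.example.local'   # placeholder
$dcName    = 'sitea-dc01'           # placeholder
$siteName  = 'SiteA'                # placeholder site object name
$newSubnet = '10.74.21.0/24'        # new range from the post
$oldSubnet = '192.168.2.0/24'       # old range shown in Sites and Services
$expected  = '10.74.21.10'          # new DC address from the plan (placeholder)

# 1. The DC's A record and the zone's NS records must carry the new address
#    (procedure steps 3, 4 and 11). -DnsOnly bypasses the local cache.
$a  = Resolve-DnsName -Name "$dcName.$domain" -Type A  -DnsOnly -ErrorAction SilentlyContinue
$ns = Resolve-DnsName -Name $domain            -Type NS -DnsOnly -ErrorAction SilentlyContinue
"DC A record : $($a.IPAddress -join ', ')"
"Zone NS     : $($ns.NameHost -join ', ')"
if ($a.IPAddress -notcontains $expected) { Write-Warning "A record does not yet show $expected" }

# 2. Old reverse-lookup residue (step 5 / 7): a PTR for the old address means
#    the stale record survived the cleanup.
$ptr = Resolve-DnsName -Name 192.168.2.10 -Type PTR -DnsOnly -ErrorAction SilentlyContinue
if ($ptr) { Write-Warning "Stale PTR still present: $($ptr.NameHost)" }

# 3. Subnet objects (question 2): a subnet object is not edited in place; the new
#    range is added and bound to the site and the old object removed. Without the
#    binding, clients on 10.74.21.x are treated as site-less and may use any DC.
$bound = Get-ADReplicationSubnet -Filter "Name -eq '$newSubnet'" -ErrorAction SilentlyContinue
if (-not $bound) {
    New-ADReplicationSubnet -Name $newSubnet -Site $siteName -WhatIf   # drop -WhatIf to apply
} else {
    "Subnet $newSubnet is bound to site: $($bound.Site)"
}
Get-ADReplicationSubnet -Filter "Name -eq '$oldSubnet'" -ErrorAction SilentlyContinue |
    Remove-ADReplicationSubnet -WhatIf                                 # drop -WhatIf to apply
```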

8453 Replication access was denied

Hi

I have root domain contoso.dom (DC1 and DC2) and subdomain sub.contoso.dom (DC3).

I see error event 2896 on DC3:

A client made a DirSync LDAP request for a directory partition. Access was denied due to the following error. 

Directory partition: 
DC=sub,DC=contoso,DC=DOM 
Error value: 
8453 Replication access was denied. 

User Action 
The client may not have access for this request.  If the client requires it, they should be  assigned the control access right "Replicating Directory Changes" on the  directory partition in question.

No fails or errors in BPA.

Also, if I run repadmin /replsummary on DC1 I can see:

site\DC3 via RPC
        DSA object GUID: 0458a97c-437e-49a4-8f9c-095fd7340834
        Last attempt @ 2013-12-19 15:27:27 failed, result 8418 (0x20e2):
            The replication operation failed because of a schema mismatch between the servers involved.
        118 consecutive failure(s).
        Last success @ 2013-12-18 08:12:03.

How can I solve this problem?


Does Active Directory Support Non English Languages?

Hi,

I want to know whether Active Directory supports non-English languages like Japanese or Arabic.

I think we can have domain names in non-English languages as well. How does Active Directory handle it?


Sandeep Gupta

Auditing of Administrator account use

Hi,

Is event 4624 on all domain controllers (where TargetUserName is Administrator) enough to know about use of the domain Admin account in the organization?

Or maybe you have a better way to check when, who and from where the domain Admin account is being used?

Thanks in advance


Voytas
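The 4624 search described in the question, written out as an added example (not the poster's): it queries every DC's Security log for 4624 events whose TargetUserName is Administrator and lists time, logon type, source address and workstation, which is what "when, who and from where" needs. It assumes the RSAT ActiveDirectory module and read access to the DCs' Security logs (Event Log Readers membership); the look-back window is an assumption.

```powershell
# Added example (editor's, not the poster's): collect 4624 logons for the
# Administrator account from all domain controllers.
Import-Module ActiveDirectory

$account  = 'Administrator'    # TargetUserName named in the post
$lookback = 7                  # days, an assumption

# Logon type codes as documented for event 4624.
$logonTypes = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service';
                 '7'='Unlock'; '8'='NetworkCleartext'; '9'='NewCredentials';
                 '10'='RemoteInteractive'; '11'='CachedInteractive' }

# XPath evaluated on each DC: only 4624, only this account, only the recent window.
$ms    = $lookback * 86400000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
         " and EventData[Data[@Name='TargetUserName']='$account']]"

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath `
                           -ErrorAction SilentlyContinue    # no match or unreachable DC: skip
    foreach ($ev in $events) {
        # Flatten the EventData name/value pairs of this event into a hashtable.
        $data = @{}
        foreach ($item in ([xml]$ev.ToXml()).Event.EventData.Data) {
            $data[$item.Name] = $item.'#text'
        }
        [pscustomobject]@{
            DC          = $dc
            Time        = $ev.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $logonTypes[$data.LogonType]
            Workstation = $data.WorkstationName
            SourceIP    = $data.IpAddress
            AuthPackage = $data.AuthenticationPackageName
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

A 4624 on a DC records a session created on that DC itself; an interactive logon with the same account at a workstation is written to that workstation's log, and the DCs only see the Kerberos ticket requests (4768/4769) or NTLM validation (4776) for it, so those events belong in the same search.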

Pulling the manager of a group

Is there a way to pull a list of Security Groups and/or E-Mail Distro Group from AD that would include the Group manager?  Something like:

Group Name: Team1   Manager: George Washington

Group Name: Team2   Manager: <not found>

Thanks all for your time
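The group's manager is stored in the managedBy attribute, a DN that may point at a user, contact or group, or be empty. The script below is an added example (not the poster's) that produces the requested "Group Name / Manager" listing with <not found> for groups that have no manager or whose manager object no longer exists; it assumes the RSAT ActiveDirectory module, and the search base and output path are placeholders.

```powershell
# Added example (editor's, not the poster's): list security and distribution
# groups with the display name of the object in managedBy.
Import-Module ActiveDirectory

$searchBase = 'OU=Groups,DC=corp,DC=example,DC=local'   # placeholder
$managers   = @{}   # cache: managedBy DN -> display name (managers repeat a lot)

function Get-ManagerName([string]$dn) {
    if (-not $dn) { return '<not found>' }
    if (-not $managers.ContainsKey($dn)) {
        # Get-ADObject resolves whatever object class the DN refers to.
        $obj = Get-ADObject -Identity $dn -Properties displayName -ErrorAction SilentlyContinue
        $managers[$dn] = if ($obj) {
            if ($obj.displayName) { $obj.displayName } else { $obj.Name }
        } else { '<not found>' }   # DN set, but the object was deleted
    }
    return $managers[$dn]
}

$groups = Get-ADGroup -Filter * -SearchBase $searchBase `
                      -Properties managedBy, GroupCategory, mail |
    ForEach-Object {
        [pscustomobject]@{
            GroupName = $_.Name
            Category  = $_.GroupCategory     # Security or Distribution
            Mail      = $_.mail              # set for e-mail distribution groups
            Manager   = Get-ManagerName $_.managedBy
        }
    }

# Plain-text layout as requested in the post.
foreach ($g in $groups) { "Group Name: $($g.GroupName)   Manager: $($g.Manager)" }

# Same data as CSV, handy for finding groups with no accountable owner.
$groups | Export-Csv -Path 'C:\Temp\group-managers.csv' -NoTypeInformation
```

managedBy by itself is informational: the manager only gains the right to edit membership if "Manager can update membership list" was ticked, which writes an ACE on the group, so this listing shows accountability, not permissions.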

Users from an external organization authenticating to a Remote Desktop App

Hi,

We have set up Remote Desktop Apps using Remote Desktop Services.
The apps are permissioned with AD user accounts in our forest.

When an external company that has network access (i.e. routable addresses) tries to log in (with credentials in our AD) they sometimes get in and other times do not. They see an error message saying 'The credentials did not work' or 'The Local Security Authority cannot be contacted'

I think this may be because not all the domain controllers for that domain are reachable from the external company's PC,

i.e. if they get lucky they try and authenticate using a reachable DC but sometimes they pick a DC that is not routable and see this error


Is my thinking correct?
How is a DC chosen by a PC belonging to an external company?

This article leads me to believe it is random: How Domain Controllers are Located Across Trusts


Thank you for your time



Windows 2008 R2 AD auth for computer account

I am trying to use a new computer account created in Windows 2008 R2 Active Directory from my external LDAP client. The LDAP client connection fails, displaying the error "AcceptSecurityContext error, data 710, v1db1". The credentials and other connection details are all correct. I see the same error code when I attempt to use the local ldp.exe client on the Windows 2008 server.

The audit failure log for the failed attempt has status code 0xC0000199 for which the description says "The account used is a computer account. Use your global user account or local user account to access this server." 

I am able to use a computer account in Windows 2003 Server from my LDAP client, and authentication works fine. Is there a special security setting required to make it work in Windows 2008 R2?

Could anyone please help me here? Thanks
