Channel: Directory Services forum

DCDIAG error in my domain!!!


Hi,

When I run DCDIAG on my domain controller, I get the error below stating failed test NCSecDesc!

Domain controller - Windows 2008 R2

Domain functional level - Windows 2008 R2

-----

Starting test: NCSecDesc

    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=xxx,DC=com
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=xxx,DC=com
    ......................... TLDC2 failed test NCSecDesc

I found a similar issue thread on TechNet, and the suggestion was to prepare an RODC in the domain.

My question is, how can an RODC help to avoid those errors? I need to know the reasons; please help.
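The NCSecDesc test checks whether NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS holds the "Replicating Directory Changes In Filtered Set" control access right on each naming context; that right is what RODC preparation (adprep /rodcprep) grants on the application partitions, which is why the TechNet thread pointed at it. The script below is an added example, not code from the post or from Microsoft, that shows who currently holds that right on every partition. It assumes the RSAT ActiveDirectory module (for the AD: drive) on a domain-joined machine with read access to the configuration partition.

```powershell
# Added example (not from the forum post): audit which principals hold the
# "Replicating Directory Changes In Filtered Set" control access right on
# each naming context. dcdiag's NCSecDesc test expects
# NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS to hold it on every partition.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) on a
# domain-joined machine with read access to the configuration partition.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext

# Resolve the right's GUID from the schema by its display name instead of
# hard-coding it, so the check follows whatever this forest's schema says.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Replicating Directory Changes In Filtered Set))' `
    -Properties rightsGuid
if (-not $right) {
    throw 'Control access right not found in CN=Extended-Rights; the schema may pre-date RODC support.'
}
$rightGuid = [guid]$right.rightsGuid
$edc = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'

foreach ($nc in $rootDse.namingContexts) {
    $acl = Get-Acl -Path "AD:\$nc"

    # Keep only Allow ACEs whose object type is this specific extended right.
    $holders = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $rightGuid } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)

    [pscustomobject]@{
        NamingContext = $nc
        EdcHasRight   = ($holders -contains $edc)
        Holders       = ($holders -join '; ')
    }
}
```

A partition that shows EdcHasRight = False for ForestDnsZones or DomainDnsZones is exactly the condition dcdiag reports above; re-run the script after the forest has been prepared to confirm the ACE appeared.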


AD replication problems due to Tombstone.

I am having AD replication problems that seem to have been caused by a fluke NTP problem. For reasons that have been corrected, our time sources became desynchronized by decades (there are references to events in the year 2026). This has caused one of our DCs to have problems with AD replication to some of the other DCs.

I first noticed this as I was trying to bring up our 4th DC (yeah, I know I should have checked the AD health first!). As expected, the fourth DC is having problems joining the domain.

I also cannot use dcpromo to remove NPT-DC1 or NPT-DC4. So the domain is in a sort of limbo state.

The three original DCs are:

BU1        Win2K8 Ent
NPT-DC1    Win2K3 R2 Ent
NPT-DC3    Win2K8 Ent        PDC

The fourth DC is:

NPT-DC4    Win2K8 R2 Ent

If I go to AD Sites & Services Servers and try to manually replicate I will get the following error when replicating BU1 to NPT-DC1 or NPT-DC3 to NPT-DC1.  Replicating from NPT-DC1 to either BU1 or NPT-DC3 will not throw an error.

 ----------------------------------

The following error occurred during the attempt to synchronize naming context npt.loc from domain controller NPT-DC1 to domain controller BU1:

The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

This operation will not continue.

-------------------------------------------

The following is the error that I get when I try to manually replicate from BU1 to NPT-DC4 or NPT-DC3 to NPT-DC4.

NPT-DC4 doesn’t show up on NPT-DC1 and NPT-DC1 doesn’t show up on NPT-DC4

-----------------------------------------

The following error occurred during the attempt to synchronize naming context npt.loc from Domain Controller NPT-DC4 to Domain Controller BU1:

The naming context is in the process of being removed or is not replicated from the specified server.

This operation will not continue.

----------------------------------------

From NPT-DC1's event log:

Event Type:     Error
Event Source:   NTDS Replication
Event Category: Replication
Event ID:       1863
Date:           10/29/2009
Time:           1:08:57 AM
User:           NT AUTHORITY\ANONYMOUS LOGON
Computer:       NPT-DC1
Description:
This is the replication status for the following directory partition on the local domain controller.

Directory partition:
CN=Configuration,DC=npt,DC=loc

The local domain controller has not received replication information from a number of domain controllers within the configured latency interval.

Latency Interval (Hours):
24
Number of domain controllers in all sites:
1
Number of domain controllers in this site:
1

The latency interval can be modified with the following registry key.

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)

To identify the domain controllers by name, install the support tools included on the installation CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest. The command is "repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Also this event:

Event Type:     Error
Event Source:   NTDS Replication
Event Category: Replication
Event ID:       2042
Date:           6/4/2026
Time:           3:18:37 AM
User:           NT AUTHORITY\ANONYMOUS LOGON
Computer:       NPT-DC1
Description:
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.

The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.

Time of last successful replication:
2009-10-12 08:51:51
Invocation ID of source:
03fef6c8-f6b8-03fe-0100-000000000000
Name of source:
6231afa3-c39d-410f-acdf-6da9346c78dd._msdcs.npt.loc
Tombstone lifetime (days):
60

The replication operation has failed.

User Action:

Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:

1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

I can't do #1.

I did #2 using the incantation on NPT-DC1:

repadmin /removelingeringobjects npt-dc1 6231afa3-c39d-410f-acdf-6da9346c78dd dc=npt,dc=loc

With the result:

RemoveLingeringObjects sucessfull on npt-dc1.

I also tried #3 by creating the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner.

No change in replication status after either change.

I sure could use a hand here.
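Event 2042 fires when a partner's last successful replication is older than the forest tombstone lifetime. As an added example, not code from the post or from Microsoft's tooling, the script below reads that lifetime from the directory and lists every inbound partner of each DC with how long ago it last replicated successfully, so the partners that trip the check are visible before repadmin is pointed at them. It assumes the ActiveDirectory module version that includes Get-ADReplicationPartnerMetadata (Windows Server 2012 RSAT or later); the DCs it queries can be older.

```powershell
# Added example (not from the forum post): list every inbound replication
# partner of the given DCs and flag the ones whose last successful
# replication is older than the forest tombstone lifetime, i.e. the
# condition that produces NTDS Replication event 2042.
# Assumes the ActiveDirectory module that ships Get-ADReplicationPartnerMetadata
# (Windows Server 2012 / RSAT for Windows 8 or later); the DCs being queried
# may be older.
#Requires -Modules ActiveDirectory
param(
    [string[]]$DomainController = @(Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName)
)

# tombstoneLifetime lives on the Directory Service object; when the attribute
# is unset, AD uses 60 days (the value reported in the event above).
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -Properties tombstoneLifetime
$tslDays  = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
$cutoff   = (Get-Date).AddDays(-$tslDays)

foreach ($dc in $DomainController) {
    # Inbound partners only: that is the direction event 2042 is about.
    $partners = Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Inbound
    foreach ($p in $partners) {
        $last = $p.LastReplicationSuccess
        [pscustomobject]@{
            Server                = $dc
            Partition             = $p.Partition
            Partner               = $p.Partner
            LastSuccess           = $last
            DaysSinceSuccess      = [math]::Round(((Get-Date) - $last).TotalDays, 1)
            OverTombstoneLifetime = ($last -lt $cutoff)
            LastResult            = $p.LastReplicationResult
        }
    }
}
```

OverTombstoneLifetime is the same comparison the event text describes. Because the clock skew in this post ran decades ahead, DaysSinceSuccess is only meaningful once the DCs' time is correct again; until then the "repadmin /showvector /latency" output quoted in the event is the more trustworthy view.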

Force change of password


Hi everyone,

Kindly help me with how to expire all users' passwords in the entire domain, or a way that I can set "User must change password at next logon" on all users.


Meshack
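One way to do this across a whole domain, as an added example that is not from the post: set the "User must change password at next logon" flag (which stores pwdLastSet = 0) on every enabled user account, with a dry run first so the list can be reviewed before anything changes. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT). Note that "enabled user account" includes service accounts that log on with a password, which is the reason for the dry run.

```powershell
# Added example (not from the forum post): set "User must change password at
# next logon" on every enabled user account under a search base. Without
# -Apply it only reports what would change, so the list can be reviewed first.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later).
#Requires -Modules ActiveDirectory
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [switch]$Apply
)

$users = @(Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
    -Properties PasswordNeverExpires, pwdLastSet)

# pwdLastSet = 0 is exactly what the "must change at next logon" flag sets, so
# accounts already at 0 need nothing. Accounts marked "password never expires"
# are reported rather than changed: the two settings conflict, so an admin
# should decide per account whether to clear that flag first.
$already  = @($users | Where-Object { $_.pwdLastSet -eq 0 })
$skipped  = @($users | Where-Object { $_.PasswordNeverExpires })
$eligible = @($users | Where-Object { $_.pwdLastSet -ne 0 -and -not $_.PasswordNeverExpires })

foreach ($u in $eligible) {
    if ($Apply) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        "Flagged     $($u.SamAccountName)"
    } else {
        "Would flag  $($u.SamAccountName)"
    }
}

"Eligible: $($eligible.Count)  Already flagged: $($already.Count)  Skipped (password never expires): $($skipped.Count)"
if ($skipped.Count) {
    "Skipped accounts: " + (($skipped | ForEach-Object { $_.SamAccountName }) -join ', ')
}
```

Run it once without -Apply and read the list, then run it with -Apply; use -SearchBase to limit it to one OU if the whole domain is more than intended.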

installing additional DC to an existing environment


Hi,

I have an existing environment: one DC (2003, 32-bit). I would like to install an additional DC.

I already have a Windows 2003 x64 server and I'd like to promote it to be a DC.

So what are the steps? Currently I received an error.

thanks in advance!


The security database on the server does not have a computer account for this workstation trust relationship

The issue is that the client gets an error when the user attempts to log in. The error message is "The security database on the server does not have a computer account for this workstation trust relationship". When this happens, I look at the computer object attributes and at the SPN (servicePrincipalName) attribute, and there are two values in there that should not be: "RestrictedKrbHost/computername" and "RestrictedKrbHost/computername.domainname". I remove these from the SPN attribute, reboot the client machine, and they can authenticate and log in. The issue keeps happening over and over again. There are both a 2008 R2 RODC and a 2003 R2 SP2 writeable DC at these sites. Disjoining and rejoining the computer didn't work, even after changing the computer name.

Root Domain and Forest Trust Check out of compliance


I, for the life of me, cannot figure this out.

The setup:

Windows Server 2008 R2 Foundation

2 Users set up in Active Directory

Is the PDC and only Domain Controller on the network

There are no trusts, this is a single domain very simple setup

I'm getting both the Forest Trust Check and Root Domain Check license compliance check errors.  This is causing my server to shut down every 3 days.  

Root domain check did not pass because error 0x80005000 occurred in function f1981 [AYLN].
An invalid directory pathname was passed

The Forest Trust Check in the Licensing component did not pass because error 0x80005000 occurred in function fe2 [PHQG]. 
An invalid directory pathname was passed

Make sure that each primary domain controller in your Active Directory forest can be contacted and the following services are running on it: Active Directory Domain Services (NTDS), DNS Server (DNS) and Kerberos Key Distribution Center (KDC). This server will be automatically shut down if the issue is not corrected.

I am well aware of the Foundation compliances. This is the root of the domain, and there are not more than 15 users. So the only other thing that I have been reading while researching is to check DNS. DNS is running with proper forwards set up. I can ping the server from itself; in the IP configuration for the server, the DNS server is set to the local IP of the server as primary and 127.0.0.1 as secondary. Users can log into the domain and all of that appears to be running fine. NSLOOKUP can find the server and the proper IP addresses from the server.

I am really at a loss here and my googling hasn't brought up anything promising to try.  Anyone have any suggestions or have seen this issue before?

Thank you!

DCDIAG frsevent test failed


Hi everyone,

I have two 2003 DCs in my organization and recently added two 2008 ones to them. When I tried to demote the 2003 one I got an error, and after trying DCDIAG I saw that in both DCs the frsevent test failed, and understood that my SYSVOL has not been shared.

Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Error Event occured.  EventID: 0xC00034F0
            Time Generated: 11/12/2012   11:21:13
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00034F3
            Time Generated: 11/12/2012   11:21:14
            (Event String could not be retrieved)
         ......................... ****** failed test frsevent

frsdiag:  NtFrs  11/13/2012 11:23:53 AM  Error  13555  The File Replication Service is in an error state

Can anyone help, please?


Some problem after renaming domain


After renaming the domain on Windows 2008 R2 (using rendom.exe), I cannot join the clients to the server and the following error occurs: "The network path was not found". Moreover, one of the clients cannot log in, with this error: "the security database on the server does not have a computer account for this workstation trust relationship".

In addition, the "DNS name" of the clients that are not in the "Computers" OU is the previous domain name.

I'm a newbie and don't understand these issues, so please help and give me a step-by-step solution. Any help is appreciated.



Difference between move and copy an object in AD

Hi,

In AD Users and Computers there are two choices that seem the same as each other.

If you want to move an object from one OU to another, you can use "Move", and you can use "Cut" then "Paste", but what is the difference between the two commands?

Thanks,


How to find DNS related events


Hi

I am facing one different problem on my DNS server. I have two domain controllers (Windows 2008 based). The DNS server role is installed on the domain controller itself. Once every one or two weeks, one or two host records go missing. I am not able to find out how they went missing. I searched the DNS events and was not able to find related events. Is there any way to identify this?

Dnsmgmt: Cannot contact the DNS server


Problem1:

I have a Win Svr 2003 Std SP2 (svr A) and a Win Svr 2008 R2 Ent (svr B) Active Directory. In the NIC settings for svr A, the preferred DNS IP points to itself and the alternate to svr B's IP, and the NIC settings for svr B are vice versa. I went to svr A's dnsmgmt, and I'm getting an "X" on svr B and an error stating "Cannot contact DNS server", so I ran a ping test and was able to ping svr B. On svr B's dnsmgmt console, I'm able to view both servers in the list. Can anyone out there help me?

Problem2:

After the case of svr A being unable to contact svr B's DNS, users are unable to contact some servers in the domain via hostname, e.g. \\printsvr01, but instead of the hostname the IP address works, e.g. \\192.168.0.1. So, are Problem 1 and Problem 2 related to each other?

ADFS error selecting Encryption Cert


Hi Everyone,

Sorry if this is misplaced, but I couldn't find an ADFS specific forum.

I have an ADFS 2.0 installation where we have several relying parties set up and working correctly already. We have a new one coming on board, and they want me to install an encryption certificate on our side. I go into the RP properties, click on Encryption, browse out to the p7b cert that they sent me, and I get the following error.

"An Error occurred during an attempt to load the certificate.  The certificate may be corrupt or in an invalid format.  Specify a valid certificate and try again.  The index value is not valid."

I CAN however import this cert into my private cert store on the same server.  Unfortunately, it doesn't look like the RP has any experience with ADFS.  Any ideas on how I may be able to fix this?

Thanks.

70-640 DNS Lab error during DNS Delegation domain tree creation - northwindtraders.com


Hi, I am preparing for my 70-640 AD 2008 R2 (2nd edition), and during the DNS lab (DNS Delegation) I was able to create the DNS delegation for the domain tree northwindtraders.com on SERVER10, but when I tried to create the domain tree through the AD installation wizard on SERVER20 I got a "domain already exists" error and it failed. After further research I checked and made sure that the SIDs are different on both servers, SERVER10 and SERVER20, and tried it once again; this time I ended up with a "Cannot create a trust with parent domain" (request not supported) error. I tried it multiple times and keep ending up with the same error.

Any help would be appreciated.

How can last logon timestamps showing 2015 year for 20 users?


Last logon timestamps showing the year 2015 for 20 users?

Hi,

In my domain, I have pulled a report of lastLogonTimestamp showing 25/04/2015 for 20 users.

All 20 users are active and log in to the domain on a daily basis, and their lastLogon attribute value is correct.


Security log filling up XP sp3 after migrating to windows server 2008 R2


We recently migrated our company domain to a new domain. The old domain controllers were Windows Server 2003 and the new domain controllers are Windows Server 2008 R2 (FFL & DFL Windows Server 2003). We have both Windows 7 and Windows XP SP3 computers in the new domain. After migration, security logs are filling up on Windows XP computers and users cannot log in until we clear the security logs. Please check the attached security log. This problem is only with Windows XP computers in the domain; Windows 7 computers are not affected. What would be the cause of this?

How can make one user member of two ou


Hi

I want to add one user to two OUs.

How can I?

Windows Server 2008 R2, Active Directory

Any help will be appreciated.


Arvind

Domain Admin does not have rights to run programs Server 2008 R2 SP1


I've got a small virtual lab I am trying to set up. Got the first and second Domain Controllers going, no problem. I made my account a member of the Domain Admins group. Now, I'm trying to set up my first member server, which is not going to be a Domain Controller. Everything is fine, able to create the machine, join it to the domain and THEN... Can't do anything on it if I am logged in with my account as Domain Admin. I can do anything I want as the local Admin. But for something as simple as viewing the properties of the network adapter, it tells me I do not have sufficient permissions. One really weird one is when I close the Initial Configuration screen, the Server Manager pops up. But if I close it and try to re-open the Server Manager again, it says I don't have permission to access...

It also does not matter whether UAC is on or off. Further, I have made NO changes to group policy. Another oddity is when I log back in as local Admin and look at the properties of the local Administrators group, no other groups are explicitly listed. If I try to add Domain Admins, it prompts me for credentials, which I provide, then it tells me Domain Admins is already a member of this group. It is a bit frustrating. I cannot do anything; for another example, if I try to launch a command prompt by right-clicking and selecting Run As Administrator, it says I do not have access to do so.

Any thoughts or suggestions would be much appreciated.

Joe...

Interpreting netlogon errors


I've gone through a whole range of scenarios/fixes for this problem, but I can't seem to fully pinpoint the cause. So I'm hoping someone here might have some insight.

Problem:

Clients (Windows 7, both physical and VDI) are able to log on, but aren't getting policies between 10 and 30% of the time.

DC's are 2003 and 2008 R2. (Two or three in each site, three sites).

What I've done:

- Gone over DNS setup and verified that everything is correct. No old entries, no missing entries (that I can see).

- Run dcdiag, which gives the A-OK; not a single error.

- Tried setting policies to wait for network on startup, even the dial-up wait policy.

- Enabled netlogon logging for both DCs and clients (VDI).

- Verified that total queries received/sec and sent/sec are in line in perfmon on the main DC (2008 R2, holding all FSMO roles).

What I see:

- Netlogon on clients gives a whole bunch of these:

[CRITICAL] NetpDcGetNameIp: (Primary DC): No data returned from DnsQuery.

[MISC] NetpDcGetName: NetpDcGetNameIp returned 1355
[CRITICAL] NetpDcGetName: (Primary DC): IP and Netbios are both done.
[MISC] DsGetDcName function returns 1355: Dom:(Primary DC).domain.local Acct:(null) Flags: LDAPONLY RET_DNS 
[SITE] DsrGetSiteName: Returning site name '(Primary site)' from local cache.
[MISC] DsGetDcName function called: Dom:domain.local Acct:(null) Flags: LDAPONLY RET_DNS 
[MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
[MISC] NetpDcGetName: domain.local using cached information
[MISC] DsGetDcName function returns 0: Dom:domain.local Acct:(null) Flags: LDAPONLY RET_DNS 

Particularly "using cached information" is repeated. So I'm interpreting this as it's using a whole lot of cached info due to not getting anything from DNS.

- Netlogon on the DC holds a zillion of these:

[MAILSLOT] (domain): Ping response 'Sam Logon Response Ex' (null) to \\(file server) Site: (Primary site) on UDP LDAP
[MAILSLOT] Received ping from (file server).domain.local. (null) on UDP LDAP

These:

[MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1

And these:

[MAILSLOT] Received ping from (Primary DC) (secondary dc).domain.local (null) on <Local>
[CRITICAL] Ping from (Primary DC) for domain (secondary dc).domain.local (null) for (null) on <Local> is invalid since we don't host the named domain.
[CRITICAL] NetpDcGetNameIp: (secondary dc).domain.local: No data returned from DnsQuery.

[MISC] (Domain): DsGetDcName function returns 1355: Dom:(Primary DC) Acct:(null) Flags: WRITABLE LDAPONLY RET_DNS 

This is very obvious in the VDI environment, as profiles aren't roaming and users aren't getting their desktops and files.

Beyond it being a possible performance problem (this is all virtual/VMWare based), I'm stumped at this point.
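Netlogon logs of this kind are easier to reason about when the DsGetDcName return codes, empty DNS answers and cache fallbacks are counted per domain name rather than read line by line. The script below is an added example, not from the post or from Microsoft, that does that summary. It runs on a constructed sample shaped like the lines quoted above (placeholder names such as PDC01 stand in for the redacted ones) unless -LogPath points at a real %SystemRoot%\debug\netlogon.log; return code 1355 is the Win32 ERROR_NO_SUCH_DOMAIN.

```powershell
# Added example (not from the forum post): summarise a netlogon.log extract so
# DsGetDcName failures, empty DNS answers and cache fallbacks are counted per
# domain name instead of read line by line. Runs on the constructed sample
# below (shaped like the lines quoted in the post, with placeholder names)
# unless -LogPath points at a real %SystemRoot%\debug\netlogon.log.
param([string]$LogPath)

# Constructed sample, not a real capture.
$sample = @'
[CRITICAL] NetpDcGetNameIp: PDC01: No data returned from DnsQuery.
[MISC] NetpDcGetName: NetpDcGetNameIp returned 1355
[CRITICAL] NetpDcGetName: PDC01: IP and Netbios are both done.
[MISC] DsGetDcName function returns 1355: Dom:PDC01.domain.local Acct:(null) Flags: LDAPONLY RET_DNS
[MISC] DsGetDcName function called: Dom:domain.local Acct:(null) Flags: LDAPONLY RET_DNS
[MISC] NetpDcGetName: domain.local using cached information
[MISC] DsGetDcName function returns 0: Dom:domain.local Acct:(null) Flags: LDAPONLY RET_DNS
'@ -split "`r?`n"

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample }

# Win32 error codes that appear as DsGetDcName return values.
$codeNames = @{ 0 = 'ERROR_SUCCESS'; 1355 = 'ERROR_NO_SUCH_DOMAIN' }

# Real netlogon.log lines carry a leading "mm/dd HH:MM:SS" timestamp;
# -match finds the pattern anywhere in the line, so that does not matter.
$returns = foreach ($l in $lines) {
    if ($l -match 'DsGetDcName function returns (?<code>\d+): Dom:(?<dom>\S+)') {
        $code = [int]$Matches.code
        [pscustomobject]@{
            Domain = $Matches.dom
            Code   = $code
            Name   = if ($codeNames.ContainsKey($code)) { $codeNames[$code] } else { 'unknown' }
        }
    }
}

'DsGetDcName results per domain (count  domain, code, name):'
$returns | Group-Object Domain, Code, Name | Sort-Object Count -Descending |
    ForEach-Object { '  {0,5}  {1}' -f $_.Count, $_.Name }

'Empty DNS answers (No data returned from DnsQuery): {0}' -f @($lines | Where-Object { $_ -match 'No data returned from DnsQuery' }).Count
'Cache fallbacks (using cached information):         {0}' -f @($lines | Where-Object { $_ -match 'using cached information' }).Count
```

When run on a real client log, a high ratio of 1355 results and empty DNS answers for the DC's own name, next to successes for the domain name served from cache, is the pattern the post describes; correlating those counts against the timestamps of the policy failures narrows down whether the name lookups or the DC responses are the missing piece.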


IP changes not reflected on Dynamic DNS records


Hi All,

We have a Windows 2008 R2 DHCP server and a separate AD-integrated DNS server in our environment. One of our non-Windows clients received an IP from scope X.X.74.0, and later the same machine connected to another VLAN and got a new IP from VLAN X.X.78.0. When we come to the DNS part, the new IP has not been reflected on the DNS server. The A record is there with the old IP only, X.X.74.91, but both leases are there in the DHCP server scopes. We have enabled the option "Always Dynamically Update DNS A and PTR record", but couldn't find any logs on the DHCP server for DNS registration failures. Please
