Channel: Directory Services forum

Can anyone help me with a query on RODC replication?


Hi everyone,

I'm new to RODCs and have been looking into them as an ideal replacement for the current read/write Windows 2003 domain controllers at our branch sites. Ideally I'd like to replace all branch DCs with RODCs, leveraging a central core of read/write domain controllers at our hub site.

I can see one issue with replication. At our branch sites we typically use a 3 hour replication interval to reduce replication traffic over the network. Our central helpdesks currently work around this by creating new accounts and resetting passwords on the DC at the branch. In addition, domain joins of new computers are done using the local read/write DC at the branch.

Now my thinking is that switching the branches to RODCs will cause problems in this situation, as changes cannot be written to them. I understand though that they will forward write operations to read/write DCs in the hub. My question: are such "referred" changes immediately available to the branch via the RODC?

A scenario:

  1. A branch worker locks their password
  2. The central helpdesk attempts to reset the password using the RODC
  3. The RODC forwards the request to a read/write DC in the hub site

Another scenario

  1. A computer is "flattened" and the O/S reloaded at a branch site with an RODC
  2. The scripted provisioning process attempts to delete/add the computer account using the RODC
  3. The RODC forwards the request to a read/write DC in the hub site

My question: Would the password reset / updated computer account be immediately available on the branch RODC (as would be the case with a targeted local read/write DC), or will the branch have to wait up to 3 hours for scheduled replication from the hub?

Clarification on this point would be most greatly appreciated.
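One way to answer the question above by observation rather than by guesswork is to read the same account from the hub writable DC and from the branch RODC and compare what each holds. The script below is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT on Windows 7 / Server 2008 R2 or later) and uses placeholder DC names (BRANCH-RODC01, HUB-DC01) and constructed account names (jdoe, BRANCH-PC01$). It also separates two things that are easy to conflate: whether the object change (e.g. pwdLastSet) has reached the RODC, and whether the RODC is allowed by its Password Replication Policy to cache the account's secret at all.

```powershell
# Added example (not from the original post). Compare an account as seen by a
# branch RODC with the same account on a hub writable DC, and report whether
# the RODC holds the account's secret. Assumes the ActiveDirectory module and
# placeholder DC names.
Import-Module ActiveDirectory

$Rodc  = 'BRANCH-RODC01'   # placeholder: the branch read-only DC
$HubDc = 'HUB-DC01'        # placeholder: a writable DC at the hub

function Get-AccountView {
    param([string]$Server, [string]$SamAccountName)
    # sAMAccountName ends in '$' for computer accounts, so one lookup serves users and computers
    $obj = Get-ADObject -Server $Server -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                        -Properties pwdLastSet, whenChanged
    if (-not $obj) { return $null }
    $pwdSet = $null
    if ($obj.pwdLastSet) { $pwdSet = [DateTime]::FromFileTimeUtc($obj.pwdLastSet) }
    New-Object PSObject -Property @{
        Server      = $Server
        Object      = $obj.DistinguishedName
        PwdLastSet  = $pwdSet           # replicated attribute: same value on every DC once in sync
        WhenChanged = $obj.whenChanged  # not replicated: when THIS replica last updated the object
    }
}

function Compare-AccountOnRodc {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $hub  = Get-AccountView -Server $HubDc -SamAccountName $SamAccountName
    $rodc = Get-AccountView -Server $Rodc  -SamAccountName $SamAccountName
    if (-not $hub)  { Write-Warning "$SamAccountName not found on $HubDc"; return }
    if (-not $rodc) {
        Write-Warning "$SamAccountName not on $Rodc yet (deleted, or the referred write has not replicated back)"
        return
    }
    $hub, $rodc | Format-Table Server, PwdLastSet, WhenChanged -AutoSize | Out-String
    if ($hub.PwdLastSet -eq $rodc.PwdLastSet) {
        'pwdLastSet matches: the reset has reached the object on the branch RODC'
    } else {
        'pwdLastSet differs: the RODC still holds the pre-reset object'
    }
}

function Get-RodcSecretState {
    param([string]$SamAccountName)
    # Receiving the attribute change is separate from caching the secret: the
    # Password Replication Policy decides whether the RODC may hold the hash at all.
    $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
                Select-Object -ExpandProperty Name
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
                Where-Object { $_.SamAccountName -eq $SamAccountName }
    "PRP allowed list on ${Rodc}: $($allowed -join ', ')"
    if ($revealed) { "$SamAccountName secret IS cached on $Rodc" }
    else { "$SamAccountName secret is NOT cached on $Rodc (its logons are chained to a writable DC)" }
}

Compare-AccountOnRodc -SamAccountName 'jdoe'          # constructed user name
Compare-AccountOnRodc -SamAccountName 'BRANCH-PC01$'  # constructed computer name
Get-RodcSecretState   -SamAccountName 'jdoe'
```

Run Compare-AccountOnRodc immediately after the helpdesk reset or the scripted re-join, then again a minute later: the pair of pwdLastSet values shows directly whether the branch waits for the scheduled interval. Get-RodcSecretState is the check to pair with it, because an account that is outside the allowed PRP list authenticates through the hub regardless of how quickly the object replicates.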


2008r2 DC demotion - Remove DNS delegation


This should be a real easy one; I just want to double check. I think this is the first time I have ever demoted a 2008 R2 DC, and this is NOT the last DC in the domain. The DC I am demoting does have AD-integrated DNS. I do want to remove all the DNS records for this DC, including the SRV records, etc. The question being posed seems, to me, to be worded really strangely. I run dcpromo for demotion and it asks:

"This server is also a DNS server and contains Active Directory integrated zones.  These zones will be deleted during the removal of ADDS on this server.  Confirm that you want this wizard to delete the DNS delegations pointing to this server" 

I find that notice alarming, as I do not want to delete any zones from AD. I just want them removed from that domain controller. To me, it sounds like this could have been reworded a little better, and I thought I would double-check, just to be safe.

Thanks,

Dan


Dan Heim
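A pre-demotion check that settles the concern in the post: list the zones on the DC being demoted, confirm each is stored in the directory (DsIntegrated) rather than in a .dns file on that server, confirm a surviving DC already loads it, and list the NS records that still name the outgoing server (the "delegations pointing to this server" the wizard refers to). This is an added example, not from the original post; it uses the WMI DNS provider (root\MicrosoftDNS, present on 2003/2008 DNS servers) and placeholder server names DC-OLD and DC-KEEP.

```powershell
# Added example (not from the original post). Read-only readiness check
# before demoting a DC that also runs DNS. Assumes the root\MicrosoftDNS WMI
# provider and placeholder server names.
$Demoting  = 'DC-OLD'    # placeholder: the 2008 R2 DC about to be demoted
$Surviving = 'DC-KEEP'   # placeholder: a DC/DNS server that stays

function Get-DnsZoneSummary {
    param([string]$Server)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        ForEach-Object {
            New-Object PSObject -Property @{
                Server       = $Server
                Zone         = $_.Name
                DsIntegrated = [bool]$_.DsIntegrated   # $true: data lives in an AD partition, not a .dns file
                ZoneType     = $_.ZoneType             # 1 = primary
            }
        }
}

function Get-NsRecordsPointingAt {
    param([string]$QueryServer, [string]$TargetPattern)
    # NS records (zone apex and delegations) whose name server matches the outgoing DC
    Get-WmiObject -ComputerName $QueryServer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_NSType |
        Where-Object { $_.NSHost -like $TargetPattern } |
        Select-Object @{n='Zone';e={$_.ContainerName}}, OwnerName, NSHost
}

function Test-DemotionDnsReadiness {
    $old  = @(Get-DnsZoneSummary -Server $Demoting)
    $keep = @(Get-DnsZoneSummary -Server $Surviving)
    foreach ($z in $old) {
        $alsoOnKeep = $keep | Where-Object { $_.Zone -eq $z.Zone }
        $state = if (-not $z.DsIntegrated) { "not AD-integrated: zone data exists only in this DC's .dns file" }
                 elseif ($alsoOnKeep)      { "AD-integrated and loaded on $Surviving" }
                 else { "AD-integrated but NOT loaded on $Surviving: check the partition's replication scope" }
        '{0,-35} {1}' -f $z.Zone, $state
    }
    "`nNS records on $Surviving that still name ${Demoting}:"
    Get-NsRecordsPointingAt -QueryServer $Surviving -TargetPattern "$Demoting.*" | Format-Table -AutoSize
}

Test-DemotionDnsReadiness
```

If every zone reports "AD-integrated and loaded on" the surviving server, the zone objects stay in the directory partition when this DC's copy of the DNS role goes away; the NS list at the end is the set of records that will be cleaned up.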

DFS-R and target on local subnet


Hi,

I'm putting together an HA App-V setup: 2 servers (Site A and Site B, both with MGMT and PUB installed). NetScalers provide Content Switched Load Balancing to ensure that an App-V client at Site A is sent to the App-V MGMT/PUB server in Site A. The NetScalers will also provide fault tolerance so that, should Site A go down, they can direct requests to Site B. Both servers have a locally attached 100GB VHD for content (I could do a LUN if required), with DFS-R taking care of keeping the content in sync.

So with DFS-R, the App-V servers will reference their content via the single DFS namespace. How can I ensure that the App-V server in Site A accesses the content in Site A, and the one in Site B accesses its content from Site B (both sites are separated by a WAN link, hence my reason for wanting DFS to grab content locally)?

Cheers
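The referral ordering that decides which target a client is sent to is a property of the namespace root and folder, so the place to look is the DFS-N configuration itself. The script below is an added example, not from the original post: it assumes the DFSN PowerShell module (Windows Server 2012 / RSAT or later) and placeholder paths for the namespace folder and the two folder targets. Site-aware ordering only works if the App-V servers and clients sit in AD sites with correct subnet definitions, which the script does not change.

```powershell
# Added example (not from the original post). Show, then set, site-aware
# referral ordering on the namespace folder the App-V servers read content
# from. Assumes the DFSN module and placeholder namespace/target paths.
Import-Module DFSN

$FolderPath  = '\\corp.example\appv\content'   # placeholder namespace folder
$SiteATarget = '\\APPV-A\content'              # placeholder folder target in Site A
$SiteBTarget = '\\APPV-B\content'              # placeholder folder target in Site B

function Get-NamespaceRootPath {
    param([string]$Path)
    # '\\domain\namespace\folder' -> '\\domain\namespace'
    $Path -replace '^(\\\\[^\\]+\\[^\\]+).*', '$1'
}

function Show-ReferralSettings {
    param([string]$Path)
    # Flags show whether site costing, in-site referrals and target failback are on;
    # each target shows its priority class, which overrides site cost when set
    Get-DfsnRoot   -Path (Get-NamespaceRootPath $Path) | Select-Object Path, State, Flags
    Get-DfsnFolder -Path $Path | Select-Object Path, State, TimeToLiveSec, Flags
    Get-DfsnFolderTarget -Path $Path |
        Select-Object TargetPath, State, ReferralPriorityClass, ReferralPriorityRank
}

function Set-SiteAwareReferrals {
    param([string]$Path)
    # Order referrals by AD site-link cost: a client in Site A gets the Site A
    # target first and Site B only as the fallback (and vice versa)
    Set-DfsnRoot -Path (Get-NamespaceRootPath $Path) -EnableSiteCosting $true
    # After a failover to the remote target, move clients back to the local one once it returns
    Set-DfsnFolder -Path $Path -EnableTargetFailback $true
    # Same class on both targets so that site cost, not a manual rank, decides the order
    Set-DfsnFolderTarget -Path $Path -TargetPath $SiteATarget -ReferralPriorityClass SiteCostNormal
    Set-DfsnFolderTarget -Path $Path -TargetPath $SiteBTarget -ReferralPriorityClass SiteCostNormal
}

Show-ReferralSettings  -Path $FolderPath
Set-SiteAwareReferrals -Path $FolderPath
Show-ReferralSettings  -Path $FolderPath
```

On an App-V server, `dfsutil /pktinfo` shows which target the cached referral is currently using, and `dfsutil cache referral flush` drops the cache so the next access picks up the new ordering. Enabling in-site referrals (Set-DfsnFolder -EnableInsiteReferrals) would restrict the referral to same-site targets only, which removes the cross-site fallback the NetScaler design relies on, so site costing with failback is the closer fit. One DFS-R caveat to carry into the design: it replicates closed files and resolves conflicts last-writer-wins, so content should be written through one server and only read through the other.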

Printers not appearing in Active Directory search by “Shared name”


Dear All,

I would request your help on the below mentioned problem

Scenario: I have a domain (functional level: Windows Server 2003) which is spread across multiple countries.

I have a 2003 member server in one of our locations; more than 50 printers are installed on it and it is acting as a print server.

Problem: The printers are shared and the “List in the Directory” option is checked. But unfortunately the printers are not appearing in Active Directory when searching by “share name”. However, the printers can be located in Active Directory by printer name.

Performed the following steps:

I have unshared the printers, restarted the print spooler service on the print server and the local site DC, and forced replication. I again shared the printers, restarted the print spooler service on the print server and DC, and forced replication, but the result is the same.

I opened ADSIEDIT and deleted the printer from Active Directory, unshared the printer, restarted the print spooler service on the print server and DC, and forced replication. I shared the printer and restarted the print spooler service on the DC and print server. But the result is the same: the printer can be searched in AD by printer name but not by share name. Please help.

Thanks In Advance,

Subhangshu Chatterjee
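The directory search by share name matches the printShareName attribute of the published printQueue object, so the useful check is whether that attribute is actually populated on the objects the spooler published. The script below is an added example, not from the original post: it compares the spooler's own view of each shared printer (Win32_Printer) with the printQueue object in AD, using the [adsisearcher] accelerator so it needs no AD module and works against a 2003-level domain. The print server name is a placeholder.

```powershell
# Added example (not from the original post). Compare the spooler's view of
# shared printers with the printQueue objects it published in AD and flag
# objects whose printShareName is empty or differs from the real share name.
$PrintServer = 'PRINTSRV01'   # placeholder: the 2003 member server that shares the printers

function Get-First($collection) {
    # DirectorySearcher returns each attribute as a collection; absent attributes are empty
    if ($collection -and $collection.Count -gt 0) { $collection[0] } else { $null }
}

function Get-PublishedPrinters {
    param([string]$ServerName)
    $s = [adsisearcher]"(&(objectClass=printQueue)(shortServerName=$ServerName))"
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.AddRange([string[]]@('printerName','printShareName','uNCName','whenChanged'))
    foreach ($r in $s.FindAll()) {
        New-Object PSObject -Property @{
            PrinterName = [string](Get-First $r.Properties['printername'])
            ShareName   = [string](Get-First $r.Properties['printsharename'])
            UncName     = [string](Get-First $r.Properties['uncname'])
            WhenChanged = Get-First $r.Properties['whenchanged']
        }
    }
}

function Get-SpoolerPrinters {
    param([string]$ServerName)
    # What the spooler itself believes it has shared and listed in the directory
    Get-WmiObject -ComputerName $ServerName -Class Win32_Printer |
        Where-Object { $_.Shared } |
        Select-Object Name, ShareName, Published
}

function Compare-PrinterPublishing {
    param([string]$ServerName)
    $ad = @(Get-PublishedPrinters -ServerName $ServerName)
    foreach ($p in Get-SpoolerPrinters -ServerName $ServerName) {
        $obj = $ad | Where-Object { $_.PrinterName -eq $p.Name } | Select-Object -First 1
        $state = if (-not $obj)            { 'NOT published in AD' }
                 elseif (-not $obj.ShareName) { 'in AD but printShareName is EMPTY' }
                 elseif ($obj.ShareName -ne $p.ShareName) {
                     "printShareName '$($obj.ShareName)' differs from share '$($p.ShareName)'"
                 }
                 else { 'ok' }
        '{0,-30} {1,-20} published={2,-5} {3}' -f $p.Name, $p.ShareName, $p.Published, $state
    }
}

Compare-PrinterPublishing -ServerName $PrintServer
```

A row marked "printShareName is EMPTY" is a printer that the Find Printers dialog will match by printer name but never by share name, which is the symptom described; comparing that column with WhenChanged on the AD object shows whether the last republish actually touched the object.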

 

2 New servers 2008. Zones not created.


I added a new server (DC2) to the domain. Before adding it, on the server S2 (main server, 2008 64-bit) I started adprep from the 2008 R2 CD:

adprep32 /forestPrep

adprep32 /domainPrep

adprep32 /domainPrep /gpprep

adprep32 /rodcPrep

At the command adprep /domainprep /gpprep I got a message that the command is not required. I waited about 1h, then I added AD and DNS on DC2. Installation of the new roles went without any problems.

After reboot of the new server everything looked OK. Unfortunately, that's not true. Zones in DNS do not replicate. Event viewer shows me: DNS error 4013, and System 5773.

http://wklej.to/Hp1bq

29

http://wklej.to/23KUE

1925

http://wklej.to/XTN7E

I added two new servers, DC1 and DC2. On both servers I have this problem. Why does the new server not copy the zones?

The level of functionality:

Domain2003

Forest2000 

Old servers:

S2 - DC (main, with all roles), 2008 64-bit SP2

S3 - DC, 2003 32-bit SP2

new:

DC1- 2008R2

DC2- 2008R2

I manually added a forward link on DC1 for domena.com and _msdcs.domena.com.

On DC2 I added only a link to domena.com. On SkyDrive I copied the structure of domena.com and _msdcs.domena.com on the 4 servers.


https://skydrive.live.com/redir?resid=8120A1BDA1918531!219&authkey=!ALK8EqKqW1SI55I

DCDIAG
DC1
http://wklej.to/NMRFF

DC2
http://wklej.to/k1d1G

S2
http://wklej.to/NkY62

S3
http://wklej.to/oxTeL


REPADMIN
DC1
http://wklej.to/kERJW

DC2
http://wklej.to/tulye

S2
http://wklej.to/if16G

S3
http://wklej.to/KaLSb

ipconfig /all

S2

http://wklej.to/waXWz

S3

http://wklej.to/lGgeZ

DC1

http://wklej.to/LYQSj

DC2

http://wklej.to/Yp2lO
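DNS event 4013 means the DNS server is waiting for AD DS to signal that the initial directory synchronisation has completed, and an AD-integrated zone can only appear on a DC that is a replica of the application partition the zone is stored in (DomainDnsZones or ForestDnsZones). The check below is an added example, not from the original post: for each DNS application partition it reads the crossRef attribute msDS-NC-Replica-Locations from CN=Partitions and lists which DCs in the forest are enrolled as replicas and which are not. It uses [adsisearcher] and discovers everything from the RootDSE of the DC it runs on, so there are no placeholder names.

```powershell
# Added example (not from the original post). Report, per DNS application
# partition, which DCs are replicas (msDS-NC-Replica-Locations on the
# crossRef) and which DCs are not. Read-only; discovers names from RootDSE.
$root     = [adsi]'LDAP://RootDSE'
$configNc = [string]$root.configurationNamingContext

function Get-AllDcNtdsSettings {
    # Every DC (RODCs included, nTDSDSARO is a subclass) has an nTDSDSA object under CN=Sites
    $s = [adsisearcher]'(objectClass=nTDSDSA)'
    $s.SearchRoot = [adsi]"LDAP://CN=Sites,$configNc"
    $s.PageSize = 200
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $s.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

function Get-DnsPartitionReplicas {
    # Presence filter server-side, then keep only the two DNS application partitions client-side
    # (nCName is DN syntax, so substring filters on it are not allowed in LDAP)
    $s = [adsisearcher]'(&(objectClass=crossRef)(msDS-NC-Replica-Locations=*))'
    $s.SearchRoot = [adsi]"LDAP://CN=Partitions,$configNc"
    [void]$s.PropertiesToLoad.AddRange([string[]]@('nCName','msDS-NC-Replica-Locations'))
    foreach ($r in $s.FindAll()) {
        $nc = [string]$r.Properties['ncname'][0]
        if ($nc -notmatch '^DC=(Domain|Forest)DnsZones,') { continue }
        $replicas = @($r.Properties['msds-nc-replica-locations'] | ForEach-Object { [string]$_ })
        New-Object PSObject -Property @{ Partition = $nc; Replicas = $replicas }
    }
}

function Show-DnsPartitionCoverage {
    $allDcs = @(Get-AllDcNtdsSettings)
    foreach ($p in Get-DnsPartitionReplicas) {
        "`n$($p.Partition)"
        foreach ($dc in $allDcs) {
            # 'CN=NTDS Settings,CN=<server>,CN=Servers,...' -> '<server>'
            $name = ($dc -split ',')[1] -replace '^CN='
            $mark = if ($p.Replicas -contains $dc) { 'replica' } else { 'NOT a replica' }
            '  {0,-20} {1}' -f $name, $mark
        }
    }
}

Show-DnsPartitionCoverage
```

A new DC that shows "NOT a replica" of the partition a zone lives in will keep logging 4013 and never load that zone, however healthy the domain partition replication looks; `dnscmd <dc> /EnumDirectoryPartitions` on that DC shows the same enrolment state from the DNS side, and `dnscmd <dc> /EnlistDirectoryPartition <partition FQDN>` is the supported way to enrol it. Pairing this with the repadmin output for each DC tells you whether the problem is enrolment or replication of the partition itself.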

domain PREP returns 0x13 error during domain prep


While attempting to run ADPREP from the Server 2008 R2 CD, ADPREP returns an error message after attempting to modify the base domain object. The error looks like this:

 Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=AA,DC=BB,DC=COM.
[2011/05/13:11:11:16.392]
LDAP API ldap_modify_s() finished, return code is 0x13
[2011/05/13:11:11:16.408]
Adprep was unable to modify some attributes on object DC=AA,DC=BB,DC=COM.
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20110513111116 directory for more information.
[2011/05/13:11:11:16.408]
Adprep encountered an LDAP error.
Error code: 0x13. Server extended error code: 0x20b5, Server error message: 000020B5: AtrErr: DSID-03152395, #1:
 0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9054f (otherWellKnownObjects)
.
[2011/05/13:11:11:16.423]
Adprep was unable to update domain information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20110513111116 directory for more information.

Any idea what this might be?
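The log names the exact object and attribute that rejected the modification (the domain head, otherWellKnownObjects, problem 1005 CONSTRAINT_ATT_TYPE), so the first thing worth looking at is what that attribute currently contains. The script below is an added example, not from the original post: it dumps every otherWellKnownObjects value, parses the DN-Binary form `B:32:<GUID>:<DN>`, checks that each referenced DN still exists, and flags any GUID that appears more than once. It reports only and changes nothing; it uses [adsisearcher] and discovers the domain from RootDSE.

```powershell
# Added example (not from the original post). Inspect otherWellKnownObjects
# on the domain naming-context head: parse each DN-Binary value, verify the
# referenced object exists, and flag duplicate well-known GUIDs. Read-only.
$root     = [adsi]'LDAP://RootDSE'
$domainNc = [string]$root.defaultNamingContext

function Get-OtherWellKnownObjects {
    $s = [adsisearcher]'(objectClass=domainDNS)'
    $s.SearchRoot  = [adsi]"LDAP://$domainNc"
    $s.SearchScope = 'Base'
    [void]$s.PropertiesToLoad.Add('otherWellKnownObjects')
    $r = $s.FindOne()
    foreach ($v in $r.Properties['otherwellknownobjects']) {
        # DN-Binary syntax as returned by DirectorySearcher: B:<hex length>:<hex bytes>:<DN>
        if ([string]$v -match '^B:(\d+):([0-9A-Fa-f]+):(.+)$') {
            New-Object PSObject -Property @{ Guid = $Matches[2]; Dn = $Matches[3]; Raw = [string]$v }
        } else {
            New-Object PSObject -Property @{ Guid = $null; Dn = $null; Raw = [string]$v }
        }
    }
}

function Test-OtherWellKnownObjects {
    $entries = @(Get-OtherWellKnownObjects)
    "otherWellKnownObjects on ${domainNc}: $($entries.Count) value(s)`n"
    foreach ($e in $entries) {
        $status = if (-not $e.Dn) { 'UNPARSEABLE value' }
                  elseif ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$($e.Dn)")) { 'ok' }
                  else { 'MISSING target object' }
        '{0,-34} {1,-22} {2}' -f $e.Guid, $status, $e.Dn
    }
    # A well-known GUID is meant to identify exactly one object
    $entries | Where-Object { $_.Guid } | Group-Object Guid | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { Write-Warning "GUID $($_.Name) appears $($_.Count) times" }
}

Test-OtherWellKnownObjects
```

A missing target or a duplicated GUID in this output is what to take to the adprep log in C:\Windows\debug\adprep\logs, since the log records the value adprep was trying to add when the constraint fired.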

Need Help on DirectorySearcher.DirSync


I am using DirSync to get the changes from Active Directory. It's working fine if the DirectoryEntry is bound to the root (LDAP://DCNAME/DC=domain,DC=com). If I change the DirectoryEntry path to (LDAP://DCNAME/CN=users,DC=domain,DC=com) then I am getting no changes, and when I try to access the SearchResultCollection.Count it gives

"System.Runtime.InteropServices.COMException was unhandled
  Message=Access is denied.

  Source=System.DirectoryServices
  ErrorCode=-2147024891"

(I am using Domain Admin Account)


bin hex
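For reference, the same DirSync poll written on the System.DirectoryServices classes the post uses, bound at the partition root (the case the poster says works) and carrying the cookie across runs so each call returns only changes since the previous one. This is an added example, not the poster's code: the DC name DCNAME is taken from the post, the cookie file path and the user filter are placeholders, and it lists changes rather than doing anything with them.

```powershell
# Added example (not from the original post). Incremental DirSync poll with a
# persisted cookie, using System.DirectoryServices.DirectorySynchronization.
Add-Type -AssemblyName System.DirectoryServices

$Dc         = 'DCNAME'                                   # DC name as in the post
$RootDse    = [adsi]"LDAP://$Dc/RootDSE"
$DomainDn   = [string]$RootDse.defaultNamingContext
$CookieFile = Join-Path $env:TEMP 'dirsync.cookie'       # placeholder cookie location

function Get-First($collection) {
    if ($collection -and $collection.Count -gt 0) { $collection[0] } else { $null }
}

function Get-DirSyncChanges {
    param([string]$Filter = '(objectCategory=user)')     # placeholder scope, applied server-side
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/$DomainDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectGUID','isDeleted','uSNChanged'))

    # Resume from the saved cookie if there is one; otherwise this is the initial full pass
    $sync = New-Object System.DirectoryServices.DirectorySynchronization
    if (Test-Path $CookieFile) {
        $sync.ResetDirectorySynchronizationCookie([System.IO.File]::ReadAllBytes($CookieFile))
    }
    $searcher.DirectorySynchronization = $sync

    $results = $searcher.FindAll()
    $changes = foreach ($r in $results) {
        $isDeleted = $false
        if ($r.Properties.Contains('isdeleted')) { $isDeleted = [bool]$r.Properties['isdeleted'][0] }
        New-Object PSObject -Property @{
            Path       = $r.Path                                   # ADsPath, which carries the DN
            Deleted    = $isDeleted
            UsnChanged = [int64](Get-First $r.Properties['usnchanged'])
        }
    }
    # The cookie is only complete after the results have been enumerated
    [System.IO.File]::WriteAllBytes($CookieFile, $sync.GetDirectorySynchronizationCookie())
    $results.Dispose()
    $changes
}

Get-DirSyncChanges | Sort-Object UsnChanged | Format-Table UsnChanged, Deleted, Path -AutoSize
```

Without DirectorySynchronizationOptions.ObjectSecurity on the DirectorySynchronization object, the DC requires the caller to hold the "Replicating Directory Changes" control access right on the partition being polled; delete the cookie file to force a fresh full pass.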

Replication failing after domain time issue...


About 15 days ago we had a virtual host issue which reset the time of our primary time server (domain controller) to something back in 2011. We quickly resolved the issue, but replication hasn't been completely functional since then to our remote domain controllers (another site). Replication to DC01 is functioning from all servers. DC04 is not replicating to DC02 (SiteA), DC03 (SiteB) or DC04 (SiteB). DC03 (SiteB) & DC04 (SiteB) replicate between each other. DC01 is set to replicate to DC04. When I look at the operations master under ADUC for DC03 & DC04, the PDC/RID are not set to a host but are set to ERROR. I am pretty sure that it is a Kerberos issue, but I am not sure how to fix it! Below is the repadmin /replsummary (only from DC03 & DC04 as they are the ones with issues) as well as the dcdiag below that. Furthermore, I have run through all of this article... to no success. Hopefully someone can help shed some light!

http://technet.microsoft.com/en-us/library/replication-error-2146893022-the-target-principal-name-is-incorrect(v=ws.10).aspx

repadmin /replsummary

DC04
DC01               17d.04h:22m:14s   10 /  10  100  (2148074274) The target principal name is incorrect.
DC04                 02m:44s    0 /   5     
DC03                 02m:40s    0 /   5    0

DC03
DC01            17d.04h:25m:12s   10 /  10  100  (2148074274) The target principal name is incorrect.
DC04                    05m:42s    0 /   5    0
DC03                    05m:38s    0 /   5    0

DCDIAG

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC04

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: SiteB\DC04

      Starting test: Connectivity

         ......................... DC04 passed test Connectivity



Doing primary tests

   
   Testing server: SiteB\DC04

      Starting test: Advertising

         ......................... DC04 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... DC04 passed test FrsEvent

      Starting test: DFSREvent

         ......................... DC04 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC04 passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000B46

            Time Generated: 06/01/2012   05:17:12

            Event String:

            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.


         A warning event occurred.  EventID: 0x8000051C

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.


         A warning event occurred.  EventID: 0x8000061E

            Time Generated: 06/01/2012   05:22:12

            Event String:

            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.


         An error event occurred.  EventID: 0xC000051F

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.


         A warning event occurred.  EventID: 0x80000749

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.


         A warning event occurred.  EventID: 0x8000061E

            Time Generated: 06/01/2012   05:22:12

            Event String:

            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.


         An error event occurred.  EventID: 0xC000051F

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.


         A warning event occurred.  EventID: 0x80000749

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.


         A warning event occurred.  EventID: 0x8000061E

            Time Generated: 06/01/2012   05:22:12

            Event String:

            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.


         An error event occurred.  EventID: 0xC000051F

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.


         A warning event occurred.  EventID: 0x80000749

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.


         A warning event occurred.  EventID: 0x8000061E

            Time Generated: 06/01/2012   05:22:12

            Event String:

            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.


         An error event occurred.  EventID: 0xC000051F

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.


         A warning event occurred.  EventID: 0x80000749

            Time Generated: 06/01/2012   05:22:12

            Event String:

            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.


         ......................... DC04 failed test KccEvent

      Starting test: KnowsOfRoleHolders

         [DC1] DsBindWithSpnEx() failed with error -2146893022,

         The target principal name is incorrect..
         Warning: DC1 is the PDC Owner, but is not responding to DS RPC

         Bind.

         [DC1] LDAP bind failed with error 8341,

         A directory service error has occurred..
         Warning: DC1 is the PDC Owner, but is not responding to LDAP Bind.

         Warning: DC1 is the Infrastructure Update Owner, but is not

         responding to DS RPC Bind.

         Warning: DC1 is the Infrastructure Update Owner, but is not

         responding to LDAP Bind.

         ......................... DC04 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC04 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC04 passed test NCSecDesc

      Starting test: NetLogons

         ......................... DC04 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC04 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,DC04] A recent replication attempt failed:

            From DC1 to DC04

            Naming Context: DC=ForestDnsZones,DC=company,DC=local

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

            

            The failure occurred at 2012-06-01 05:14:15.

            The last success occurred at 2012-05-14 20:02:37.

            1672 failures have occurred since the last success.

         [Replications Check,DC04] A recent replication attempt failed:

            From DC1 to DC04

            Naming Context: DC=DomainDnsZones,DC=company,DC=local

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

            

            The failure occurred at 2012-06-01 05:14:15.

            The last success occurred at 2012-05-14 20:02:37.

            1672 failures have occurred since the last success.

         [Replications Check,DC04] A recent replication attempt failed:

            From DC1 to DC04

            Naming Context: CN=Schema,CN=Configuration,DC=company,DC=local

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-06-01 05:14:17.

            The last success occurred at 2012-05-14 20:02:36.

            1672 failures have occurred since the last success.

         [Replications Check,DC04] A recent replication attempt failed:

            From DC1 to DC04

            Naming Context: CN=Configuration,DC=company,DC=local

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-06-01 05:14:16.

            The last success occurred at 2012-05-14 20:02:36.

            1672 failures have occurred since the last success.

         [Replications Check,DC04] A recent replication attempt failed:

            From DC1 to DC04

            Naming Context: DC=company,DC=local

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-06-01 05:14:15.

            The last success occurred at 2012-05-14 20:02:35.

            1672 failures have occurred since the last success.

         ......................... DC04 failed test Replications

      Starting test: RidManager

         ......................... DC04 passed test RidManager

      Starting test: Services

         ......................... DC04 passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 06/01/2012   04:29:13

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 06/01/2012   04:29:45

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.company.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         An error event occurred.  EventID: 0x40000004

            Time Generated: 06/01/2012   04:32:12

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was LDAP/bfcad039-6a2a-4e12-9e7e-5be7f3aa1a62._msdcs.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x0000165B

            Time Generated: 06/01/2012   04:33:47

            Event String:

            The session setup from computer 'ANALLAPATI' failed because the security database does not contain a trust account 'ANALLAPATI$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 06/01/2012   04:36:49

            Event String:

            The session setup from the computer ANALLAPATI failed to authenticate. The following error occurred:


         An error event occurred.  EventID: 0x40000004

            Time Generated: 06/01/2012   04:40:21

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was cifs/DC1.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 06/01/2012   05:05:49

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was ldap/DC1.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 06/01/2012   05:09:08

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was company\DC1$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 06/01/2012   05:14:15

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/bfcad039-6a2a-4e12-9e7e-5be7f3aa1a62/company.local@company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 06/01/2012   05:17:21

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 06/01/2012   05:17:22

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 06/01/2012   05:17:45

            Event String:

            Name resolution for the name company.local timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 06/01/2012   05:17:45

            Event String:

            Name resolution for the name company.local timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 06/01/2012   05:18:03

            Event String:

            Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 06/01/2012   05:18:04

            Event String:

            Driver KONICA MINOLTA C353 Series PCL required for printer !!noxfile!CopyRoom.2 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 06/01/2012   05:18:04

            Event String:

            Driver KONICA MINOLTA bizhub 40P PCL required for printer !!noxfile!IT.1 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 06/01/2012   05:18:05

            Event String:

            Driver CutePDF Writer required for printer CutePDF Writer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x0000165B

            Time Generated: 06/01/2012   05:18:47

            Event String:

            The session setup from computer 'ANALLAPATI' failed because the security database does not contain a trust account 'ANALLAPATI$' referenced by the specified computer.  


         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 06/01/2012   05:19:51

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/DC04.company.local; WSMAN/DC04.


         An error event occurred.  EventID: 0x40000004

            Time Generated: 06/01/2012   05:20:58

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was ldap/DC1.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 06/01/2012   05:23:24

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was LDAP/bfcad039-6a2a-4e12-9e7e-5be7f3aa1a62._msdcs.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x000016AD

            Time Generated: 06/01/2012   05:23:49

            Event String:

            The session setup from the computer ANALLAPATI failed to authenticate. The following error occurred:


         ......................... DC04 failed test SystemLog

      Starting test: VerifyReferences

         ......................... DC04 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : company

      Starting test: CheckSDRefDom

         ......................... company passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... company passed test CrossRefValidation

   
   Running enterprise tests on : company.local

      Starting test: LocatorCheck

         ......................... company.local passed test LocatorCheck

      Starting test: Intersite

         ......................... company.local passed test Intersite



RODC

Hi Dears,

I am planning to deploy an RODC in my branch office, and I have the following doubts:

  1. Can I enable BitLocker on an RODC? (Is it supported?)
  2. Can I enable Shadow Copy together with BitLocker on my RODC? (Is it supported?)
  3. Can I deploy Hyper-V on my RODC? (Is it supported?)
  4. Is there any additional feature or role you would recommend for my branch office?

Thanks

I have some problem about DNS

First of all, I hope that you are fine and healthy, and please accept my greetings.

My dear sir!

I have some problem about DNS: my DNS gets some request timeouts to 8.8.8.8 and also 8.8.4.4. Please give me some info about this problem.

Thanks

Best regards

Suliman Mujaddidi from Afghanistan

Error connecting to dc2 from dc1

Hello.

I have 2 domain controllers (DC1, a Windows 2003 SBS server, and DC2, a Windows 2003 Standard server). DC1 is named srv and DC2 is named Data.

Some months ago the servers stopped replicating and the tombstone lifetime has expired.

I have been investigating the issue and found out that I am unable to connect to DC1 from DC2 using the Active Directory console (but I am able to connect to DC2 from DC1). I also found out that I wasn't able to browse DC1 from DC2 using the server name; the IP works fine, but not the UNC path. It gives the error \\srv is not accessible......... Logon failure: The target account name is incorrect.

I set the KDC service on DC2 to manual and stopped the service. I rebooted the server and ran the command "netdom resetpwd /server:srv /userd:t-f\administrator /passwordd:x". I rebooted the server again, set the service to automatic again and started the service. Now I was able to browse DC1 again and was also able to connect to DC1 again.

I now started to remove lingering objects. I found 2 1988 events on DC1 and no 1388 or 1988 events on DC2. So I deleted the 2 lingering objects found in the events using the command "repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition" and forced the replication to start again by editing the following registry setting on both DC1 and DC2:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]

"Allow Replication With Divergent and Corrupt Partner"=dword:00000001

After that the replication started and I could see that computer objects and user objects were updated, but now the event viewer logs event 1988 about lingering objects again.

Example 1:

Source DC (Transport-specific network address):
56487647-e24b-4764-826b-6de2b501a09c._msdcs.T-F.local
Object:
DC=_gc._tcp\0ADEL:8aa54e2e-5439-4739-b491-a65e99498884,CN=Deleted Objects,DC=DomainDnsZones,DC=T-F,DC=local
Object GUID:
8aa54e2e-5439-4739-b491-a65e99498884

Example 2:

Source DC (Transport-specific network address):
56487647-e24b-4764-826b-6de2b501a09c._msdcs.T-F.local
Object:
CN=SE3,OU=Win7_Computers,OU=Workstation_OU,OU=Klinik_OU,DC=T-F,DC=local
Object GUID:
49362c52-4703-4215-8883-0a9860b8e521

I tried deleting these lingering objects using the following command for example 1:
repadmin /removelingeringobjects srv 4348ce81-0585-4ce3-8cbe-e87c0164a127 DC=DomainDnsZones,DC=T-F,DC=local

But it gives me the following error message:

DsBindWithCred to srv.T-F.local failed with status -2146893022 (0x80090322):
    The target principal name is incorrect.

I investigated further and found that I was again unable to browse DC1 using the UNC path and I was unable to connect to DC1 using Active Directory. I ran the netdom command again to reset the secure channel and it then worked again, but after about 15 minutes the error was back and I was again unable to browse DC1.

What happens? Why does DC2 keep losing the connection to DC1, and why does the netdom command work briefly and then fail again?

I have uploaded dcdiag /v and netdiag /v from both servers to SkyDrive.

https://skydrive.live.com/#cid=8A4BEFEB96D5263F&id=8A4BEFEB96D5263F%21154

Hope you guys can help me with this issue.
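
The two event 1988 entries quoted above carry the two facts an operator needs before touching anything: the DC that still holds the lingering object (the "Source DC" line, given as its GUID-based DNS name) and the object's DN, from which the naming context follows. The PowerShell below is an added illustration, not code from the post, that turns such event text into `repadmin /removelingeringobjects` commands run in `/advisory_mode`, which only logs what would be removed. The partition list and the reference-DC GUID are constructed placeholders: in a real run the partitions come from `(Get-ADRootDSE).namingContexts` and the GUID is the "DSA object GUID" of a DC known to be clean, as shown by `repadmin /showrepl` on that DC.

```powershell
# Added example: parse Directory Service event 1988 descriptions into advisory-mode
# repadmin /removelingeringobjects commands. Not part of the forum post.

# Constructed sample input, in the shape Windows writes the event description
# (values copied from the two examples in the post).
$EventTexts = @(
@'
Source DC (Transport-specific network address):
56487647-e24b-4764-826b-6de2b501a09c._msdcs.T-F.local
Object:
DC=_gc._tcp\0ADEL:8aa54e2e-5439-4739-b491-a65e99498884,CN=Deleted Objects,DC=DomainDnsZones,DC=T-F,DC=local
Object GUID:
8aa54e2e-5439-4739-b491-a65e99498884
'@,
@'
Source DC (Transport-specific network address):
56487647-e24b-4764-826b-6de2b501a09c._msdcs.T-F.local
Object:
CN=SE3,OU=Win7_Computers,OU=Workstation_OU,OU=Klinik_OU,DC=T-F,DC=local
Object GUID:
49362c52-4703-4215-8883-0a9860b8e521
'@
)

# Constructed partition list for this forest. In production read it with
# (Get-ADRootDSE).namingContexts so nothing is typed by hand.
$Partitions = @(
    'DC=T-F,DC=local',
    'CN=Configuration,DC=T-F,DC=local',
    'CN=Schema,CN=Configuration,DC=T-F,DC=local',
    'DC=DomainDnsZones,DC=T-F,DC=local',
    'DC=ForestDnsZones,DC=T-F,DC=local'
)

# Placeholder (assumption): the DSA object GUID of a DC known to be clean.
$ReferenceDsaGuid = '00000000-0000-0000-0000-000000000000'

function Get-LingeringObjectInfo {
    param([string]$Text)
    # Every field is a label line followed by its value on the next line.
    $lines = $Text -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $info = @{}
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        switch -Wildcard ($lines[$i]) {
            'Source DC*'   { $info.SourceDsa  = $lines[$i + 1] }
            'Object:'      { $info.ObjectDN   = $lines[$i + 1] }
            'Object GUID:' { $info.ObjectGuid = $lines[$i + 1] }
        }
    }
    # The naming context is the longest partition DN that is a suffix of the object DN.
    $info.Partition = $Partitions |
        Where-Object { $info.ObjectDN.EndsWith($_, [StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object Length -Descending |
        Select-Object -First 1
    [pscustomobject]$info
}

$Findings = $EventTexts | ForEach-Object { Get-LingeringObjectInfo $_ }

# One command per (source DSA, partition) pair. The first argument is the DC that
# still holds the lingering objects; the GUID names the clean DC it is compared
# against; /advisory_mode reports without deleting.
$Findings | Sort-Object SourceDsa, Partition -Unique | ForEach-Object {
    "repadmin /removelingeringobjects $($_.SourceDsa) $ReferenceDsaGuid $($_.Partition) /advisory_mode"
}
```

With the sample input this emits two commands, one for DC=DomainDnsZones,DC=T-F,DC=local and one for DC=T-F,DC=local, both aimed at the GUID-based name of the source DC from the events. Review the events that advisory mode writes before re-running without the switch.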



selective authentication trusts

We have a domain trust between DomainA.com and DomainB.local.

DomainA.com is an external non-transitive incoming trust to DomainB.local and DomainB.local is an external non-transitive outgoing trust to DomainA.com. Both are set to selective authentication.

The issue is: I can't look up users, groups or computer objects from DomainB.local in DomainA.com.

I am a Domain and Enterprise admin in DomainB.local.

So, when I log on to a DC in the DomainB.local domain and use ADUC to search for objects in DomainA.com, nothing comes up.

I have double-checked DNS resolution and that is working fine. What can I test or do to get this working?

I will need to add user objects from DomainA.com to resources in DomainB.local for our migration.

Thanks

Domain Controller not replicating and unable to open ADUC/ADsite/DNS MMC console

We got strange errors on one of our W2K8R2+SP1 domain controllers. The DC had been up and running for over a year. It stopped AD replication yesterday and the ADUC/AD Sites/DNS consoles could not be opened locally, but we were able to connect to this DC from ADUC/AD Sites/DNS on the other DC. At the same time, it logged the following errors in the system log.

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          11/13/2012 6:23:00 AM
Event ID:      1054
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      DC1
Description:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Log Name:      System
Source:        NETLOGON
Date:          11/13/2012 6:53:18 AM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC1
Description:
This computer was not able to set up a secure session with a domain controller in domain  due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

When I ran DCDIAG, I got the following errors:

Directory Server Diagnosis
Performing initial setup:   Trying to find home server...   * Verifying that the local machine DC1, is a Directory Server.
   Home Server = DC1   * Connecting to directory service on server DC1.   Ldap search capabality attribute search failed on server DC1, return   value = 81

A simple reboot resolved the issue, but we just don't know why this happened. I searched the web and found the articles below, which are related but not exact. Can anyone shed light on what caused the problem and how to resolve it? Thanks in advance.

http://support.microsoft.com/kb/326152/en-us

http://social.technet.microsoft.com/wiki/contents/articles/2466.active-directory-event-id-5719-source-netlogon-dsforum2wiki.aspx

http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx?wa=wsignin1.0


This posting is provided AS-IS with no warranties/guarantees and confers no rights.

Unsure how to clear replication issue

I am trying to determine how to clear a replication issue. We have a multi-domain/multi-forest configuration. I am trying to stand up a new DC/GC in an existing domain and getting errors which are preventing it from completing replication of the PAS and becoming a GC. The replication problem seems to be isolated to one particular site. At the site, there are currently 2 DCs/GCs (DC1.firstdomain.contoso.com and DC2.firstdomain.contoso.com). In AD Sites and Services, I see the auto-generated connections. DC2 has one connection to DC1. DC1 has two connections: one to DC2 and another to a DC in a neighboring site (NDC1.firstdomain.contoso.com). If I choose Replicate Now on the connection between DC1 and DC2, I get the following error:

Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source.  This condition is normal if a recent schema change modified the partial attribute set.  The destination partial attribute set is not a subset of source partial attribute set.  The operation will not continue.

There have been no schema changes to my knowledge. If I try Replicate Now on the connection between DC1 and NDC1, I get the following error: The following error occured during the attempt to synchronize naming context seconddomain.contoso.com from Domain Controller NDC1 to Domain Controller DC1: The naming context is in the process of being removed or is not replicated from the specified server. The operation will not continue.

I can ping/resolve with no issues between the two boxes. The following are items of interest from a dcdiag run:

Starting test: MachineAccount
Warning: Attribute userAccountControl of DC1 is: 0x82020 = (PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)
Typical setting for a DC is: 0x82000 = (SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)
This may be affecting replication?
................................DC1 passed test MachineAccount

Starting test: Replications
[Replications Check, DC1] A recent replication attempt failed:
From DC2 to DC1
Naming Context: DC=seconddomain,DC=contoso,DC=com
The replication generated an error(8464):  Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set.
The failure occured at 2012-11-17 08:00:00.
The last success occured at 2012-10-09 23:00:00

1 failures have occured since the last success. 
Try synchronizing the Schema partition on all servers in the forest.

When running repadmin /showrepl, there is this entry:

Naming context: DC=seconddomain,DC=contoso,DC=com
Source: SITE1\NDC1
***Warning: KCC could not add this REPLICA LINK due to error.

In the Directory Service event log, I'm seeing event 1864: This is the replication status for the following directory partition of this directory server.
Directory partition:
DC=seconddomain,DC=contoso,DC=com

This directory server has not recently recieved replication information from a number of directory servers.  The count of directory servers is shown, diveded into the following intervals.

More than 24 hours:
32
More than a week:
32
More than one month:
32
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180

Directory servers that do not replicate in a timely manner may encounter errors.  They may miss password changes and be unable to authenticate.  A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.

What started this investigation was that people at the site where DC1/DC2 are located were complaining that GPOs were not being applied successfully, which makes sense given that there are replication issues.

Any ideas?
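
Event 1864 above only counts partners that have gone quiet; to see which partner pair and which partition return a given status (8464 here), it helps to pull `repadmin /showrepl * /csv` for the whole forest and group the failing rows. The PowerShell below is an added example, not code from the post: it summarizes that CSV by naming context and error code. The embedded CSV is constructed to mirror the names and values in the post (DC1, DC2, NDC1, seconddomain.contoso.com, status 8464); the commented-out line shows where the live output goes instead.

```powershell
# Added example: group forest-wide repadmin /showrepl CSV output by partition and
# last failure status so a single error such as 8464 can be localized. Not from the post.

# Constructed sample in the column layout repadmin /showrepl * /csv produces.
$ShowReplCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SITE1,DC1,"DC=seconddomain,DC=contoso,DC=com",SITE1,DC2,RPC,1,2012-11-17 08:00:00,2012-10-09 23:00:00,8464
showrepl_INFO,SITE1,DC1,"DC=firstdomain,DC=contoso,DC=com",SITE1,DC2,RPC,0,0,2012-11-17 08:00:00,0
showrepl_INFO,SITE1,DC2,"DC=firstdomain,DC=contoso,DC=com",SITE1,DC1,RPC,0,0,2012-11-17 08:00:00,0
showrepl_INFO,SITE1,DC2,"CN=Configuration,DC=contoso,DC=com",SITE1,DC1,RPC,0,0,2012-11-17 08:00:00,0
'@
# Live data instead of the sample (run on any DC with repadmin available):
# $ShowReplCsv = repadmin /showrepl * /csv

function Get-ReplicationFailureSummary {
    param([string[]]$CsvText)
    $rows = $CsvText | ConvertFrom-Csv
    $rows |
        Where-Object { [int]$_.'Last Failure Status' -ne 0 } |
        Group-Object 'Naming Context', 'Last Failure Status' |
        ForEach-Object {
            [pscustomobject]@{
                NamingContext = $_.Group[0].'Naming Context'
                ErrorCode     = [int]$_.Group[0].'Last Failure Status'
                # Source->Destination for every partner pair reporting this status.
                Pairs         = ($_.Group | ForEach-Object { "$($_.'Source DSA')->$($_.'Destination DSA')" }) -join ', '
                # Oldest last-success time among those pairs, i.e. how stale the worst one is.
                OldestSuccess = ($_.Group | ForEach-Object { $_.'Last Success Time' } | Sort-Object | Select-Object -First 1)
            }
        }
}

Get-ReplicationFailureSummary $ShowReplCsv | Format-Table -AutoSize
```

On the sample this yields one row: DC=seconddomain,DC=contoso,DC=com with error 8464 on the DC2->DC1 pair and a last success of 2012-10-09. Seeing the failing rows confined to one partition and one pair, as in the post, is what separates a partial-attribute-set problem on a single link from a site-wide transport or DNS fault.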

 

Name changes in AD not updating in ADUC?

Hi,

Why is it that changing a user's last name, for example, from within its properties does not reflect in ADUC immediately, but using the 'rename' process reflects that change?

Thanks


What is the difference between replication of Sysvol and NTDS.dit database

Hi,

What is the difference between SYSVOL replication and NTDS.dit replication? I assume SYSVOL uses FRS/DFS to replicate GPOs, logon scripts etc. between DCs, and I can see that NTDS replication occurs as per a pre-defined schedule (through Sites and Services), but does it also use the DFS/FRS services?

For example, if I update a user object on the DC holding the PDC emulator role:

1 - Does it update the NTDS.dit file, which then gets replicated to the other DCs as per the schedule?

2 - If so, and the change is not visible in the GAL, what is the default period before this gets updated? Does this link in with the NTDS replication?

3 - For Exchange Cached Mode users, rather than forcing a GAL update and downloading the OAB from Outlook, what is the default period for this to occur automatically and how can we change this?

If I update a GPO or introduce a script, I'm assuming that this would be replicated by SYSVOL using FRS/DFS?

I would really appreciate some guidance! :-)

Thanks All

3 DCs, but if we turn off one, they all go offline

We have 3 DCs in one site in one subnet.  1 Physical, 2 Virtual.

Right now, one of the virtuals is playing host to all of the FSMO roles (moving soon, but I want to nail down this issue first). I did a reboot on this DC and all of the other DCs stopped serving AD requests.

Errors like the following started showing up:
Event 2138: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
Event 14550:The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
Event 510:
Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect.

Even my Exchange server went offline, complaining that the DC was not available.
Event 2155: Process ExSetupUI.exe (PID=4764). Exchange Active Directory Provider received a request to connection to domain controller DC2.alllanguages.com but that domain controller is not available. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers. Run the Dcdiag command line tool to test domain controller health.

When I do a DCDiag, the only errors I get are from the event log about printer drivers from RDC sessions.

I suspect DNS issues, but am running out of things to look at. Does anyone have any suggestions on what to look for?

Trust between 2003 domain and 2008R2 domain with old Windows NT4 client

Hi all,

I've a Windows domain "OLD" (Windows 2003 forest and domain functional level), and I've some old Windows NT4 machines that are clients of this domain. I've a new domain "NEW" (Windows 2008R2 forest and domain functional level). I plan to create an external trust between these two domains; my doubt is:

"Do the old Windows NT clients have access to the resources of the "NEW" domain? For example, can they access a file share on the "NEW" domain?"

Installing a 2012 DC in a all 2008R2 Domain - Keep Name of existing DC

Management wants me to install a new 2012 domain controller but keep the name of the existing DC server.

The existing DC has DNS, DHCP, WINS, Print Services, Trend Micro OfficeScan, and a few other things running on it. There are several other DCs in the local site.

I've never performed an upgrade from one OS version to another; it always seems like a bad thing to do. Is this the same for 2012?

What are my options?

Demote the DC, change its name/IP, install a new server with the old name/IP, and install DNS, DHCP, WINS, Print Services, Trend Micro OfficeScan, and a few other things?

In-place upgrade?

Thanks,

  Scott
