Channel: Directory Services forum

Windows Server 2012 RODC not replicating SYSVOL


So here is the problem that we are having. We have a main branch location with a new Active Directory forest with one domain. There are 3 DCs in this location. We have a branch location that has a newly created RODC. All DCs are Windows Server 2012, and there was no pre-existing domain that the DCs replaced. DCDIAG reports no problems for the 3 writable domain controllers at the main office. The RODC isn't replicating the SYSVOL folder. When I run DCDIAG I get errors. Here is the output.

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = ADKE

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Kelso\ADKE

      Starting test: Connectivity

         ......................... ADKE passed test Connectivity



Doing primary tests

   
   Testing server: Kelso\ADKE

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\adops2.fibrecu.local,

         when we were trying to reach ADKE.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... ADKE failed test Advertising

      Starting test: FrsEvent

         ......................... ADKE passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... ADKE failed test DFSREvent

      Starting test: SysVolCheck

         ......................... ADKE passed test SysVolCheck

      Starting test: KccEvent

         ......................... ADKE passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ADKE passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ADKE passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ADKE passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\ADKE\netlogon)

         [ADKE] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... ADKE failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ADKE passed test ObjectsReplicated

      Starting test: Replications

         ......................... ADKE passed test Replications

      Starting test: Services

         ......................... ADKE passed test Services

      Starting test: SystemLog

         <Driver Errors from Roaming Profile>

         ......................... ADKE failed test SystemLog

      Starting test: VerifyReferences

         ......................... ADKE passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : fibrecu

      Starting test: CheckSDRefDom

         ......................... fibrecu passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... fibrecu passed test CrossRefValidation

   
   Running enterprise tests on : fibrecu.local

      Starting test: LocatorCheck

         ......................... fibrecu.local passed test LocatorCheck

      Starting test: Intersite

         ......................... fibrecu.local passed test Intersite



Please help: SYSVOL and NETLOGON share not ready after creating first Windows 2012 DC


Hi all,

I'm setting up the first DC on Windows Server 2012 following the steps here (social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx).

DCdiag gives the following errors in SysVolCheck, Services, and NetLogons, while the rest of the tests succeed:

------------------------- cut here --------------------------

      Test omitted by user request: DFSREvent

      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         The registry lookup failed to determine the state of the SYSVOL.  The error returned  was 0x43
         "The network name cannot be found.".  Check the FRS event log to see if the SYSVOL has successfully been
         shared.
         ......................... ORT001C failed test SysVolCheck

[snipped]

     Starting test: Services
        Could not open Remote ipc to [ort001c.ad1.mydomain]: error 0x43 "The network name cannot be found."
        ......................... ORT001C failed test Services

[snipped]

      Starting test: NetLogons
         * Network Logons Privileges Check
         [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... ORT001C failed test NetLogons

------------------------- cut here --------------------------

Some information collected:

----------------------- cut here --------------------

- net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\ad1.mydomain\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.

- dnslint /ad /s <DC IP>:   no error


- nltest /server:ort001c.ad1.mydomain /dsgetdc:AD1.MYDOMAIN

           DC: \\ort001c.ad1.mydomain
      Address: \\192.168.1.77
     Dom Guid: 9faa9bae-faae-42be-bf45-05a1d77b2bf0
     Dom Name: ad1.mydomain
  Forest Name: ad1.mydomain
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9
The command completed successfully

- repadmin /showrepl


Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\ORT001C

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: ff4092a2-62d8-4b83-a4d4-fec6920d8535

DSA invocationID: ff4092a2-62d8-4b83-a4d4-fec6920d8535

- netdom query /domain:AD1 fsmo

Schema master               ort001c.ad1.mydomain

Domain naming master       ort001c.ad1.mydomain

PDC                         ort001c.ad1.mydomain

RID pool manager            ort001c.ad1.mydomain

Infrastructure master      ort001c.ad1.mydomain

The command completed successfully.


----------------------- cut here --------------------

Also, DFSR is used instead of FRS.

Sorry, I'm a newbie to Windows and afraid I've missed something. Would anyone please help?

Thanks a lot.

/ST Wong

AD replication issue. had 1722 error after running repadmin


Hi,

I got a 1722 error (The RPC server is unavailable) when I ran repadmin /replsummary. The result indicates that one source DSA is having the 1722 error, and the problem DC is the DC I ran the repadmin command from.

Does that make sense? Why can't the DC RPC to itself?

Thanks

Qing

 

How to enable 2 concurrent administrative remote desktop sessions in Win 2008 R2?


Hi,

By default, 2008 R2 allows 2 concurrent administrative remote desktop sessions. But when I try to connect a 2nd administrative remote session, the 1st is disconnected.

Are any settings needed, or is it just my misunderstanding?

Thanks

2008 DC sync with external time source - can't get this to work


Hi All

I know there are a lot of questions on this, but I am yet to find a solution for my problem.

I have a 2008 DC which is the PDC emulator. I want to sync it with an external time source, but I cannot get it to work.

I have followed this: 

http://support.microsoft.com/kb/816042

tried the "Fix it for me" and also gone through the registry, and everything is set correctly.

I have also run the command:  w32tm /config /manualpeerlist:0.au.pool.ntp.org,0×8, /syncfromflags:manual /update

Now, I get mixed results with what my time server is depending on which command I run, see below:

net time /querysntp
The current SNTP value is: 0.au.pool.ntp.org,0×8,

W32TM /QUERY /SOURCE
Free-running System Clock

W32TM /QUERY /STATUS
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name:  "LOCL")
Last Successful Sync Time: 14/02/2014 12:03:45 PM
Source: Free-running System Clock
Poll Interval: 10 (1024s)

I can also run the command below:

w32tm /stripchart /computer:0.au.pool.ntp.org /samples:10 /dataonly
Tracking 0.au.pool.ntp.org [118.88.20.194:123].
Collecting 10 samples.
The current time is 14/02/2014 1:15:43 PM.
13:15:43, +107.7639166s
13:15:45, +107.7569575s

I don't see any entries in the firewall logs where the box attempts to connect to an external source, except for when I run the time difference check against the external time source.

I have followed all the instructions to make this sync with an external source. Where am I going wrong here? Why will it not try to get its time from an external source?

Thanks for your help
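An added example (not the poster's commands) that configures the PDC emulator peer list with the documented syntax and then parses `w32tm /query /status` to tell whether the box is still serving its own clock (ReferenceId "LOCL" or a "Free-running"/"Local CMOS" source). The pool host names are assumptions; the peer entries are space-separated `host,0x8` pairs (0x8 = client mode), and UDP 123 outbound must be allowed.

```powershell
# Added example: configure external NTP peers on the PDC emulator and verify the
# result. Run elevated on the PDCe. Peer list syntax: "host,0x8" entries separated
# by spaces, no trailing comma; /reliable:yes marks the PDCe as a reliable source.
$peers = '0.au.pool.ntp.org,0x8 1.au.pool.ntp.org,0x8'   # assumed pool hosts

function Set-ExternalTimeSource([string]$PeerList) {
    w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update | Out-Null
    Restart-Service w32time
    w32tm /resync /rediscover | Out-Null
}

function Get-TimeSyncState {
    $state = @{}
    foreach ($line in (w32tm /query /status)) {
        if ($line -match '^\s*(Source|Stratum|ReferenceId|Last Successful Sync Time):\s*(.+)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    # ReferenceId "LOCL", or a Source of "Local CMOS Clock" / "Free-running System
    # Clock", means w32time is not disciplined by the configured peers at all.
    $usingLocal = ($state['ReferenceId'] -match 'LOCL') -or
                  ($state['Source'] -match 'Local CMOS Clock|Free-running System Clock')
    [pscustomobject]@{
        Source          = $state['Source']
        Stratum         = $state['Stratum']
        ReferenceId     = $state['ReferenceId']
        LastSync        = $state['Last Successful Sync Time']
        UsingLocalClock = $usingLocal
        ConfiguredPeers = @(w32tm /query /peers) -match '^Peer:'   # what the service actually has
    }
}

Set-ExternalTimeSource $peers
Get-TimeSyncState
```

If UsingLocalClock stays $true after a resync, check that `w32tm /stripchart /computer:<peer>` succeeds and that the firewall passes UDP 123 outbound before changing anything else.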



Events 5774, 5775 on Windows Server 2012 R2 DC using 3rd Party DNS server


I am getting events 5774 and 5775 logged on my first Windows Server 2012 R2 DC, because I am using a 3rd party DNS server (InfoBlox).

According to http://support.microsoft.com/kb/977158, the Hotfix can be applied to DC running Windows Server 2008 R2. Can the same Hotfix be applied to Windows Server 2012 R2 DC? Or is there some other way to resolve the issue?

________________________________

"You are using a 3rd party DNS server application for DNS updates on a computer that is running Windows Server 2008 R2 or Windows 7. Additionally, you enable the dynamic update feature on the DNS server. The DNS records are updated successfully. However, some DNS update errors may be recorded in the event logs or in other error logs." (...from the above KB977158).

Thanks.

How to pull up inventory of DC's


Hello Experts,


Is there any easy way to pull up the names of all DCs / inventory details?

Universal group with a one-way trust


Hello,

If you have a domain with a one-way trust configured and you want to prevent a universal group in the trusted domain from being assigned permissions in the trusting domain, how would you do it? Convert it to a global group, correct? A domain local group can still be assigned permissions across the trust, right?

Can someone clarify for me?

TIA


Excessive 4624 and 4634 events



Windows Server 2012 AD DC, users on Windows 7 SP1 x64 are logging in (~800 or so users). A small percentage of them are generating 300-400 logon events in the Security log - *per second*. 

Most other users are not generating excessive logon events... this is filling our security log quite fast. 

P.S. I suspect this happened after Logon and Logoff event auditing was configured in the Advanced Audit Policy Configuration (Success and Failure). Still, most users do not generate that many logon events when logging in.

Some incompetent moderator is marking all similar questions as answered even though they are NOT. So I am reposting - yet again - and let's hope this time the mods will hold their horses until the reason and a solution is actually found. 

Is it possible to install multiple Password Export Servers (PES) in the source domain?


I'm unable to find definitive information that says it is not allowable or feasible to install multiple PES servers in the domain. The only hit I have is "Can PES (for password migration) be installed on more than one DC on source domain?".

I'm unsure if the generated key is good only for establishing a single PES connection, or if it can be used multiple times, or if generating a new one for the same domain deactivates the other one.

The reason I ask is that we have a distributed forest and will be migrating users from many different locations.  We've found that the replication delays between the DCs in the source location can take quite a while to reach the site where the PES server is running.  We can create replication connectors, but I'd also like to see if simply adding another PES service to the local DC is possible.

List AD accounts that have not been used for months?


Hello,

I use oldcmp.exe to show me which computers have not been used for months so I can disable them, but I wish to do the same for user Active Directory accounts. Is this possible?

We use AD 2003.

Thanks
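One way to do for user accounts what oldcmp does for computers, as an added example (not the poster's code and not part of oldcmp): it filters on lastLogonTimestamp through System.DirectoryServices, which works against Windows Server 2003 DCs without the ActiveDirectory module. The 90-day threshold and the optional disable switch are assumptions.

```powershell
# Added example: list (and optionally disable) user accounts whose replicated
# lastLogonTimestamp is older than $InactiveDays. Uses System.DirectoryServices so it
# runs against Windows Server 2003 DCs (no ADWS / ActiveDirectory module needed).
# lastLogonTimestamp replicates with a lag of up to 14 days, so only use it for
# thresholds measured in months, never for "who logged on this week".
param(
    [int]$InactiveDays = 90,          # assumed threshold
    [switch]$DisableAccounts          # report only unless explicitly requested
)

# FILETIME (100-ns ticks since 1601 UTC) is the unit lastLogonTimestamp is stored in.
$cutoff   = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()
$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext

# Enabled users only: userAccountControl bit 2 (ACCOUNTDISABLE) is excluded with the
# LDAP bitwise-AND matching rule. Accounts that never logged on have no
# lastLogonTimestamp at all and therefore do not match this filter; check whenCreated
# for those separately.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(lastLogonTimestamp<=$cutoff))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN", $filter)
$searcher.PageSize = 1000     # paged results: avoid the server-side 1000-object limit
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName','lastLogonTimestamp','whenCreated','distinguishedName'))

$stale = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        SamAccountName = [string]$r.Properties['samaccountname'][0]
        LastLogon      = [datetime]::FromFileTimeUtc([int64]$r.Properties['lastlogontimestamp'][0])
        Created        = $r.Properties['whencreated'][0]
        DN             = [string]$r.Properties['distinguishedname'][0]
    }
}
$stale | Sort-Object LastLogon | Format-Table SamAccountName, LastLogon, Created, DN -AutoSize

if ($DisableAccounts) {
    foreach ($u in $stale) {
        $obj = [ADSI]"LDAP://$($u.DN)"
        # Set ACCOUNTDISABLE without touching the other userAccountControl bits.
        $obj.Put('userAccountControl', ([int]$obj.Get('userAccountControl')) -bor 2)
        $obj.SetInfo()
    }
}
```

Review the report first and exclude service accounts that authenticate only with NTLM through a non-interactive path, since they may still show a stale timestamp.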


Change group SamAccount name, implications


Hi,

We have an Active Directory 2008 R2 forest with two domains. We found 66 duplicate universal security groups with the same SamAccountName. If we change the SamAccountName for the groups, what are the implications? As these groups are used for share permissions and applications, we are afraid that when we change the SamAccountName, the share/NTFS permissions will not update; the same goes for applications that use the groups to authenticate users.

Can you please advise? It would be best if you could send a link, as we will need proof when we present the solution to the client.

Thank you

3rd party Password Reset Tool that Integrates well with Active Directory


Hi,

Does anyone know of a good password reset tool that integrates with Microsoft Active Directory and provides a good way of distributing e-mails/SMS as a means of providing the user's changed or reset password? We've been using Dell/Quest's Password Reset Tool, but it is too confusing for our users, who favor a more simplified interface. Any suggestions would be much appreciated.

Thanks,

Kevin C.

kconway@fnal.gov

Tracking Log on


Hi There,

I am preparing to change the password of one of our main and oldest Domain Admin accounts. It has been used for years for all kinds of authentication within applications, services and appliances (really bad practice, I know). I have obtained a list of all services on relevant member servers where it is used. I have also loaded ADAudit Plus and ran a report for member server logon activity with this account name as a filter. There are lots of TGT requests for that account from lots of servers. I have checked a sample of them and can't find any applications that would be configured with this account that would try to authenticate to the domain.

Is there a way of determining which application or process is authenticating with this account? Any suggestions are welcome.

Thanks in advance.
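An added example (not either poster's code) serving both the "Excessive 4624 and 4634 events" post and this one: it reads Security events from a DC with Get-WinEvent, extracts the named EventData fields from each event's XML, and groups them so the noisiest user/logon-type/source combinations, or the hosts requesting Kerberos tickets (4768/4769) for one account, stand out. It assumes PowerShell 3.0+, Event Log Readers rights on the DC, and that the relevant audit subcategories are enabled; the account name 'svc-legacy' is a placeholder.

```powershell
# Added example: summarise logon-related Security events on a DC by their source.
function Get-LogonEventSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int[]]$EventId       = @(4624, 4634),   # logon/logoff; use 4768,4769 for Kerberos TGT/TGS requests
        [int]$Hours           = 1,
        [string]$Account      = $null,           # optional: restrict to one account (prefix match)
        [string[]]$GroupBy    = @('TargetUserName','LogonType','IpAddress')
    )
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # EventData fields (TargetUserName, LogonType, IpAddress, ServiceName, ...) are only
        # reliably available from the event XML, not from the rendered Message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4769 reports the account as user@REALM, so match on the prefix.
        if ($Account -and $data['TargetUserName'] -notlike "$Account*") { continue }
        $row = [ordered]@{ EventId = $e.Id }
        foreach ($g in $GroupBy) { $row[$g] = $data[$g] }
        [pscustomobject]$row
    }

    $rows | Group-Object -Property $GroupBy | ForEach-Object {
        $o = [ordered]@{ Count = $_.Count; PerSecond = [math]::Round($_.Count / ($Hours * 3600), 2) }
        foreach ($g in $GroupBy) { $o[$g] = $_.Group[0].$g }
        [pscustomobject]$o
    } | Sort-Object Count -Descending
}

# Who is flooding the log with 4624/4634 in the last hour, by user, logon type and source address:
Get-LogonEventSummary -Hours 1 | Select-Object -First 20 | Format-Table -AutoSize

# Which hosts request TGTs (4768) and service tickets (4769) for one legacy admin account
# over a full day, and for which services:
Get-LogonEventSummary -EventId 4768,4769 -Hours 24 -Account 'svc-legacy' -GroupBy 'IpAddress','ServiceName' |
    Format-Table -AutoSize
```

For the legacy-account case, the IpAddress column gives the member servers to inspect next (services, scheduled tasks, IIS application pools, stored credentials), which is exactly what a log-on report filtered by account alone does not tell you.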

Event ID 4010 on Windows server 2008 R2 ADC


Event ID = 4010
I am getting this error on my Windows Server 2008 R2 ADC.

The DNS server was unable to create a resource record for  62ebf5b9-1450-4eef-aeaf-f4eb0a16457c._msdcs.domain.local. in zone domain.local. 
The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The DNS server was unable to create a resource record for  1c9ddd24-8672-4052-a22a-22f853d81269._msdcs.domain.local. in zone domain.local.
 The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The DNS server was unable to create a resource record for  8a8a8..............._msdcs.domain.local. in zone domain.local.
 The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The first two GUIDs are for my other domain controllers; the third (8a8a) I don't know.
I have logged in to mmc - ADSI Edit - ForestDNSZones, DC=Domain, DC=local.
I can see two GUIDs, but the third one I am not able to trace.
Should I delete the first GUIDs (as they are for other domain controllers, and in Active Directory Sites and Services replication succeeds without any errors)?
Should I delete them, restart the Netlogon and DNS services,
and delete from %windir%\system32\config\netlog.dns?

Please do guide me; I am afraid to delete the GUIDs as they are for other domain controllers.
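An added example (not the poster's code) that answers both the "How to pull up inventory of DC's" post and this one: it enumerates every NTDS Settings object in the configuration partition, maps each DSA objectGUID back to its server and site, and checks whether the `<guid>._msdcs.<forest>` CNAME resolves to that server, so an unrecognised GUID can be looked up in the other direction. It assumes a Windows 8 / Server 2012+ host with the ActiveDirectory and DnsClient modules (RSAT).

```powershell
# Added example: DC inventory keyed by NTDS Settings GUID, with the _msdcs CNAME check.
Import-Module ActiveDirectory

$forest   = (Get-ADForest).RootDomain                    # the _msdcs zone hangs off the forest root
$configNC = (Get-ADRootDSE).configurationNamingContext

# One nTDSDSA object per DC; its parent in the tree is the server object.
$dsas = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $configNC

$inventory = foreach ($dsa in $dsas) {
    $serverDN = ($dsa.DistinguishedName -split ',', 2)[1]   # CN=<server>,CN=Servers,CN=<site>,...
    $server   = Get-ADObject -Identity $serverDN -Properties dNSHostName
    $site     = ($serverDN -split ',')[2] -replace '^CN='
    $cname    = "$($dsa.ObjectGUID)._msdcs.$forest"
    $resolved = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue
    $target   = if ($resolved) { [string]@($resolved)[0].NameHost } else { '<missing>' }
    [pscustomobject]@{
        Server      = $server.dNSHostName
        Site        = $site
        DsaGuid     = $dsa.ObjectGUID
        CnameRecord = $cname
        ResolvesTo  = $target
        Consistent  = ($target -ieq $server.dNSHostName)   # False: missing or pointing at the wrong host
    }
}
$inventory | Format-Table Server, Site, DsaGuid, ResolvesTo, Consistent -AutoSize

# Reverse lookup: which DC (if any) owns a GUID seen in an event or in the DNS zone?
function Resolve-DsaGuid([guid]$Guid) {
    $hit = $inventory | Where-Object { $_.DsaGuid -eq $Guid }
    if ($hit) { $hit.Server } else { "no current DC has NTDS Settings GUID $Guid (stale metadata or a demoted DC?)" }
}
Resolve-DsaGuid '62ebf5b9-1450-4eef-aeaf-f4eb0a16457c'   # first GUID from the event text above
```

A GUID that resolves to no current DC is a leftover from a server that no longer exists in the configuration partition; a GUID that does map to a live DC should not be deleted from DNS, since its replication partners locate it by that CNAME.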


2012 R2 DC crashes when user account is renamed using RSAT Tools on Windows 7


Hello Everyone,

We have a forest and a domain both running in 2003 native mode. We have a mixture of domain controllers running 2003 and 2008 R2, and just recently deployed two new domain controllers running 2012 R2. The 2012 R2s are configured as global catalogs but do not hold any additional FSMO roles.

Unfortunately we have a very strange issue with the two new 2012 R2 DCs:

We have installed the domain management tools on the 2012 R2 domain controllers. When managing our domain using the locally installed tools on the DCs, everything is OK. DSA.MSC shows version 6.3.9600.16384. We also have a number of admin workstations running Windows 7 Enterprise 64-bit with Service Pack 1. We have the RSAT tools for Windows 7 SP1 (Windows6.1-KB958830-x64-RefreshPkg.msu) installed on these machines. DSA.MSC shows version 6.1.7601.17514. Whenever we try to rename a user account from the Win7 computers, the 2012 R2 DC that is targeted shows a message saying that it will reboot within 60 seconds, and then does just that. On the client we see a message saying

"Windows cannot complete the rename operation on <name> because: The server is not operational. Name related properties on this object might be out of sync."

The server logs two errors in the application log:

1. Event ID 1000, Application Error:

Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x214
Faulting application start time: 0x01cefa6743edbeec
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: d4cd7581-665c-11e3-80d7-005056984a2b
Faulting package full name:
Faulting package-relative application ID:

2. Event ID 1015, Source Wininit:

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

These issues do not occur if we target the admin workstations to use one of our older 2008 R2 DCs. Does anyone have an idea? Any help would be appreciated!

Regards

Harry

Can I have two Domain in one network?


I have two servers in my office on the same network.

Server A is the Active Directory / domain server. Certain users join the domain and connect to this server.

Server B is a file server. The other users just use a workgroup. But now we want to promote this server to be a domain server.

But users that connect to domain server A will not connect to domain server B, and users that connect to domain server B will not connect to domain server A.

Is there any problem if I set up two domains on one network?

Please Advise.

2012 R2 DC crashes after import Root CA from 2008 R2 DC/CA (with same name)


Hello Everyone.

We migrated a Windows Server 2008 R2 DC with Root CA to a Windows Server 2012 R2 DC with the same IP and computer name on a new VM. The Windows Server 2012 R2 worked fine before we imported the Root CA information from a backup (http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx).

After importing the Root CA information, we can't rename any object (OU, user account, etc.); whichever DC AD Users and Computers is pointing at, lsass.exe will crash and the DC will reboot after 60 seconds. Removing ADCS does not help.

Demoting the DC and removing ADDS, rebooting, and promoting the W12R2 to DC again gives the same problem. Now we deleted (properly) the server, reinstalled the W12R2 OS and promoted the server to DC. After the new install, renaming any object works fine.

Does anyone have an idea? Any help would be appreciated!

Regards Achim

Site Logon Issues


I have a strange issue that I'm having trouble figuring out...

I have a branch office that has two network subnets.

One is a public IP range that we are moving off of because it's a public range (128.1.8.x/23), and the other is a private range (172.16.20.x).

We are moving users and servers off of the public network to the private network. I have already done this for all of my 20 branch offices (all from the 128.1.x.x network) and this is the last one.

I have created a new DC and placed it on the 172 network in that site and have assigned all the necessary subnets to that site. The DC is a global catalog. Currently I have a 2008 R2 DC on both the local site 172 network (DC1) and the 128 network (DC2).

So here's the issue.

In the migration process I point all the user PCs and servers to DC1 as their primary DNS server, the DataCenter DC as the secondary, and DC2 as a third.

Also in our environment we have Desktop Authority as a script engine that we've had forever, and I mention it because it generates a great log at login for the user that I use for troubleshooting these types of issues.

So, when DC1 and DC2 are both on, the PCs have no issues logging onto the network. Typically 15-20 seconds for a desktop to show up. The set command shows the logon DC as DC1. If I look at the log file generated by the script engine, it also states it's using DC1 as its login server. The issue is when I turn DC2 off. If the PC reboots, just the booting process takes 15-20 minutes before it gets to a ctrl-alt-del login. If a user logs on, local account OR domain account, it takes another 20-30 minutes. In looking at the same logs I see that it is logging onto DC1. I don't see any real issues in the Windows event logs. This continues for all the PCs until DC2 is turned back on. Then logons go back to normal. I see no warnings or errors in the DCs' event logs. Replication tests show good. And when I look at the logs, the PCs are still using DC1 as the login server.

The PC is currently on the 128 network, and my plan today is to move a PC over to the 172 network and test again, but I'm really confused about what's going on here and what log I should look at to see what's going on during the delay.

Any ideas/help would be appreciated.

Thanks

RS

dial-in tab greyed out in active directory users and computers

I am trying to delegate the "Dial-in" tab options to my Helpdesk AD group. I've followed the directions below, but I cannot get the options to un-grey. I've manually synced AD and copied the DSSEC.DAT file to all 3 DCs and the XP desktop itself. All attempts have failed.

Am I missing something?

What I did so far:
1. Open C:\windows\system32\DSSEC.DAT with NotePad.
2. Under the [USER] section, find the following entries and change the value from "7" to "0".

msNPAllowDialin=0
msNPCallingStationID=0
msNPSavedCallingStationID=0
msRADIUSCallbackNumber=0
msRADIUSFramedIPAddress=0
msRADIUSFramedRoute=0
msRADIUSServiceType=0
msRASSavedCallbackNumber=0
msRASSavedFramedIPAddress=0
msRASSavedFramedRoute=0

3. Open ADUC, click the Action menu, choose the Delegation Wizard, select the group you want to delegate control to, and click Next.
4. Create a custom task to delegate.
5. Select "Only the following objects in the folder", choose User objects at the bottom of the list, and click Next.
6. Select Property-specific, and give read and write permissions to these attributes.

Account Restrictions
Remote Access information
msNPAllowDialin
msNPCallingStationID
msNPSavedCallingStationID
msRASSavedCallbackNumber
msRASSavedFramedIPAddress
msRASSavedFramedRoute

Peter A. Berger Jr.