
DomainDNSZones, and ForestDNSzones are empty


I'm experiencing a problem with DomainDNSZones and ForestDNSZones. These DNS sub-zones are empty. Well, actually they contain entries for legacy (removed) 2003 domain controllers, but no entries for the newly installed 2008 domain controllers. I've looked for the entries in the netlogon.dns files for each domain controller, and find no references to these zones. There are thousands of entries for A and SRV type records for the remaining AD zones, which are being correctly registered.

When I check this in my test and preprod environments, over a thousand entries can be found in DNS and in each netlogon.dns file. The only difference between my test environments and production is that DNS is Infoblox in prod, and Microsoft DNS is used in the test environments.

I have neither netlogon errors nor any dcdiag errors. I stopped netlogon, renamed netlogon.dns to .old and restarted the netlogon service. No change: the netlogon.dns file was regenerated once again without any entries for DomainDNSZones and ForestDNSZones.

Any ideas? How does the netlogon service determine what DNS entries are required? How does it know what to put in the netlogon.dns file?


Ernie Prescott
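To see what a DC's netlogon.dns actually covers, here is a small parser as an added example (it is not from the post, nor Microsoft's code). It reads the one-record-per-line format Net Logon writes, counts the records that fall under each zone name you pass in, and lists the core locator SRV owners that are absent. The sample file content is constructed for a hypothetical domain example.com with one DC dc1, and the expected-record list is a minimal assumption rather than the complete set Net Logon registers. Run against a real file, a zero count for DomainDnsZones and ForestDnsZones is the normal result: Net Logon only writes the DC locator records, while the DomainDnsZones.<domain> and ForestDnsZones.<forest> host records are registered by the Microsoft DNS Server service on DCs hosting those application partitions.

```python
"""Parse a netlogon.dns file and report which DNS zones its records fall under.

Added example, not part of the forum post. The file format (one
RFC 1035-style resource record per line) is what Net Logon writes; the
sample below is constructed for domain example.com / DC dc1 and is not
taken from the poster's environment. The locator record list is a minimal
expectation assumed here, not the complete set Net Logon registers.
"""
import re
from collections import Counter

# Constructed sample in netlogon.dns format.
SAMPLE_NETLOGON_DNS = """\
example.com. 600 IN A 10.0.0.5
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Default-First-Site-Name._sites.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kpasswd._tcp.example.com. 600 IN SRV 0 100 464 dc1.example.com.
gc._msdcs.example.com. 600 IN A 10.0.0.5
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
"""

# owner  ttl  IN  type  rdata
RR_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_netlogon_dns(text):
    """Return one dict per record: owner (lower-case, no trailing dot), ttl, type, rdata."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError("unrecognised record line: %r" % line)
        records.append({
            "owner": m.group("owner").lower().rstrip("."),
            "ttl": int(m.group("ttl")),
            "type": m.group("type"),
            "rdata": m.group("rdata").strip(),
        })
    return records


def count_by_zone(records, zones):
    """Count records whose owner is at or below each zone; the longest matching zone wins."""
    zones = sorted((z.lower().rstrip(".") for z in zones), key=len, reverse=True)
    counts = Counter({z: 0 for z in zones})
    for rec in records:
        for zone in zones:
            if rec["owner"] == zone or rec["owner"].endswith("." + zone):
                counts[zone] += 1
                break
    return dict(counts)


def missing_locator_records(records, domain, is_gc=True):
    """Core locator SRV owners expected for a DC of `domain` that are absent (assumed minimal set)."""
    domain = domain.lower().rstrip(".")
    expected = {
        "_ldap._tcp." + domain,
        "_ldap._tcp.dc._msdcs." + domain,
        "_kerberos._tcp." + domain,
        "_kerberos._udp." + domain,
        "_kpasswd._tcp." + domain,
    }
    if is_gc:
        expected.add("_gc._tcp." + domain)
    present = {r["owner"] for r in records if r["type"] == "SRV"}
    return sorted(expected - present)


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    zones = ["example.com", "_msdcs.example.com",
             "DomainDnsZones.example.com", "ForestDnsZones.example.com"]
    print(count_by_zone(recs, zones))
    print("missing locator records:", missing_locator_records(recs, "example.com"))
```

On a real DC, read C:\Windows\System32\config\netlogon.dns into `parse_netlogon_dns` and pass your own domain and forest names to `count_by_zone`; a non-empty result from `missing_locator_records` is the thing worth chasing, since those are the records clients use to find the DC.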


Orphaned trust - unable to remove - assistance needed...


Hi,

I have a multi-domain environment with one root domain and 3 child domains. I created a one-way incoming forest trust on the root domain DC with another forest (which is a single-domain environment).

I removed this same trust 6 hours later from the DC of a child domain.

Now the problem is that on the root domain DC, in domain trusts > domain properties, I still see that trust listed under incoming trusts, but if I check the same in ADSI Edit, in the System container's trustedDomain class objects, it is not there. I tried removing it forcefully with netdom, but it failed with an error. I tried removing it via the GUI; it gave me this error:

"A Trusted-Domain object cannot be found for the trust to domain <resource domain FQDN>. The Trust may have been removed by another user."

Please help.


I lost the ability to edit the domain


Hello,

While researching one problem, I managed to create another problem.

For some time I have had issues with my WinXP workstations: they were not always able to locate the logon script. See the error in the attached document marked sta3.txt. I thought the problem was due to the workstations not being able to see all of the mounts, i.e. \SYSVOL\staging\domain.

The domain was missing in this mount, so I copied domain.com into staging.

Now I can no longer edit my logon scripts, and I am finding that the scope of the read-only rights extends to my entire domain. I'm running Active Directory on a Win2003 server. I have 5 WinXP workstations.




AD name change on Windows 2012


Hello everybody,

I'm a bit lost; quick history: I had a Server 2008 with AD name DOM-ESTDEV, and all my workstations, multiple network HDs, printers, switches, etc. used this domain name. All working fine.

I did a clean install of Windows 2012 Std Server (not an upgrade), and during install I put in the domain name DOM-ESTDEV (I don't remember whether during the Server 2012 install the setup automatically put in DOM-ESTDEV.com). I have DNS & DHCP on the server. There's no other server software running on this machine: no Exchange, SQL, etc.

So my question is simple: is there a way to change the name back to DOM-ESTDEV without the .com at the end?
I can imagine the answer is not so simple, so if someone has a quick/simple workaround for this problem, so that all my clients can use the network operations (logon, etc.), it would mean a great deal to me.
Otherwise, I would have to do a new install of Windows Server 2012 again (I still have a doubt; I think the setup program automatically adds ".com" after the domain name).

Thanks in advance for helping, I'm sure that somebody has a solution, 'cause you guys/girls are geniuses ;-)

Richard

Finding out who is logged into what computer ? To find out where user logged in?



Hello Friends :

I want to show you how you can find out where your domain users are logging in,
of course I mean the computer account which the user is using for logging in:

1- The first way is to use a free command line tool called "PsLoggedOn v1.33"; you can download it from here:
    http://technet.microsoft.com/fa-ir/sysinternals/bb897545(en-us).aspx

2- The second way is to use a free and open source third party application called "Kaboodle":
    http://www.kaboodle.org/index.html

3- The third way is to use a command line tool called "NBTSCAN"; you can see a sample run here:
  
 C:\nbtscan>nbtscan 192.168.0.100-200
 Doing NBT name scan for addresses from 192.168.0.100-200

 IP address       NetBIOS Name     Server    User             MAC address
 ------------------------------------------------------------------------------
 192.168.0.119    SQUASH           <server>  SQUASHMAN        12-34-ba-c0-52-32
 192.168.0.153    BUMBLE-BEE       <server>  BUMBLE-BEE       00-0f-1f-b3-b5-89

 C:\nbtscan>

You can download it from here: http://linux.wareseeker.com/download/nbtscan-1.5.1.rar/334598


Network is my LOVE

Strange AD Replication and ISTG - Assistance Needed


Hi All

So I am currently going through my AD and have come to a bit of a stumbling block in terms of my ISTG setup!

I have a Windows 2003 functional level AD with one Windows 2008 R2 DC as well, for a total of 10 DCs.

The previous team decided to create manual intra- and inter-site links and so appear to have disabled ISTG.

  • I have used the AD Topology Diagrammer to create a diagram of my AD, and this also says my inter- and intra-site STG is disabled
  • So today I ran dcdiag and it confirmed that out of my 10 DCs, 8 have IntraSTG disabled. This confused me, as my ADTD says that ALL sites have Inter- and IntraSTG disabled?!?!
  • I have run dcdiag Topology and it does not say anywhere that InterSTG is disabled on all/any sites
  • I have run dcdiag and it does say that out of 10 servers, 8 have IntraSTG disabled
  • I have carried out the following instructions [website URL below] and in the integer under NTDS Options I have 32 for the servers that appear to not have Intra enabled and 1 for the two servers that have Intra enabled

http://www.isaacoben.com/2009/03/23/how-to-configure-inter-or-intra-site-topology-generator-istg-in-active-directory/

I cannot find out what the integer 32 means?!

The list shows

ISTG reference numbers:
0: To enable ISTG
1: To disable automatic intrasite topology generation
16: To disable automatic intersite topology generation
17: To disable both intrasite and intersite topology generation

So, in summary, what I want to do [and the questions for you guys here] is as follows:

  1. Validate which sites have IntraSTG enabled
  2. Validate which sites have InterSTG enabled
  3. Find out how to enable both ISTGs, as we want to revert back to automatically created links
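The values in the post's table are bits of the `options` attribute on each site's NTDS Site Settings object, so a value like 32 is best read as a bitmask rather than looked up in the table. The decoder below is an added example, not from the post or the linked article: the intrasite (1) and intersite (16) bits match the table above, while the other flag names and values are the nTDSSiteSettings option bits listed in MS-ADTS and are assumed here from that specification. Under those bits, 32 (0x20) is the universal group membership caching flag with neither topology bit set.

```python
"""Decode the 'options' bitmask on an NTDS Site Settings object.

Added example; it is not from the forum post. The intrasite (1) and
intersite (16) bits match the table in the post; the other flag names
and values are the nTDSSiteSettings option bits listed in MS-ADTS and
are assumed here from that spec, not taken from the post.
"""

# Bit -> flag name. The two bits the post's table describes are marked.
NTDS_SITE_SETTINGS_OPTIONS = {
    0x001: "IS_AUTO_TOPOLOGY_DISABLED",             # 1: intrasite KCC topology off
    0x002: "IS_TOPL_CLEANUP_DISABLED",
    0x004: "IS_TOPL_MIN_HOPS_DISABLED",
    0x008: "IS_TOPL_DETECT_STALE_DISABLED",
    0x010: "IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED",  # 16: intersite (ISTG) topology off
    0x020: "IS_GROUP_CACHING_ENABLED",              # universal group membership caching
    0x040: "FORCE_KCC_WHISTLER_BEHAVIOR",
    0x080: "FORCE_KCC_W2K_ELECTION",
    0x100: "IS_RAND_BH_SELECTION_DISABLED",
    0x200: "IS_SCHEDULE_HASHING_ENABLED",
    0x400: "IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED",
}

INTRASITE_DISABLED = 0x001
INTERSITE_DISABLED = 0x010


def decode_options(value):
    """Return the flag names set in `value`, lowest bit first; unknown bits are reported too."""
    names = []
    for bit in range(value.bit_length()):
        mask = 1 << bit
        if value & mask:
            names.append(NTDS_SITE_SETTINGS_OPTIONS.get(mask, "UNKNOWN_BIT_0x%X" % mask))
    return names


def topology_status(value):
    """Tell whether automatic intrasite/intersite generation is still on for this site."""
    return {
        "intrasite_auto": not (value & INTRASITE_DISABLED),
        "intersite_auto": not (value & INTERSITE_DISABLED),
        "flags": decode_options(value),
    }


def sites_with_topology_disabled(site_options):
    """Given {site_name: options}, return the sites where either generator is disabled."""
    return sorted(
        site for site, value in site_options.items()
        if value & (INTRASITE_DISABLED | INTERSITE_DISABLED)
    )


if __name__ == "__main__":
    # Constructed sample values, including the 32 the post asks about.
    sample = {"HQ": 32, "Branch-A": 1, "Branch-B": 17, "Branch-C": 0}
    for site, value in sample.items():
        print(site, value, topology_status(value))
    print("sites with manual topology:", sites_with_topology_disabled(sample))
```

To feed it real data, read the `options` attribute of CN=NTDS Site Settings,CN=<site>,CN=Sites,CN=Configuration,... for each site (for example with the ADSI Edit view the linked article describes) and pass a {site: value} dict to `sites_with_topology_disabled`; an empty `options` attribute means no bits set, i.e. both generators enabled.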

Global Address List queries

Hi

We are running an Exchange 2010 / AD 2003 environment, and I had some questions on the Global Address List I was hoping someone could help with.

a) My understanding is that Outlook accesses the GAL via the CAS server the Outlook client is connected to. How does this work exactly? Is the query proxied somehow?

b) Am I correct in thinking that the GAL just holds a small number of mailbox attributes such as name, telephone number etc. Is there a way to see which AD attributes are included? I can't see a link anywhere on the MS site.

c) Is the GAL held on all GCs? Or just some?

d) Can we use the GAL to find out which mailbox database a mailbox is on?

Best Practice Analyzer

I have a 2008 R2 server. When I run the Best Practices Analyzer it gives the alert "All OUs must be protected from accidental deletion", while all OUs are protected from accidental deletion. I am still receiving the message after scanning with the Best Practices Analyzer. Please help: why is the Best Practices Analyzer giving the message while all OUs are protected???

khan19



Migrating SYSVOL to DFSR, One Server 'stuck' when using getmigrationstate, but it looks OK locally


Hi,

I am upgrading our 2008 R2 domain controllers (all writable, no RODC) to DFSR for SYSVOL.

2 of our DCs are at our main head office, and 1 DC is in a small office (in a separate site on a different subnet).

This issue concerns the DC in the second site.

I ran dfsrmig /setglobalstate 1 yesterday, and today I expected all to be OK when I ran dfsrmig /getmigrationstate; however I had the following issue:

The following Domain Controllers are not in sync with Global state ('Prepared'):


Domain Controller (Local Migration State) - DC Type
===================================================

FT-SGW-FAP ('Start') - Writable DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.

I then decided to check locally on server FT-SGW-FAP, and in the C:\Windows directory I have a SYSVOL_DFSR folder, and it is the same size as on the other DCs, with the same number of files / folders, so I know the SYSVOL_DFSR folder got created OK.

I also checked the registry under HKLM\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Migrating SysVols and Local State is set to 1, so I know that the server itself is prepared (according to http://blogs.technet.com/b/filecab/archive/2008/03/05/sysvol-migration-series-part-3-migrating-to-the-prepared-state.aspx ). I also checked (by comparing with a 'successful' DC) the other registry settings, and all looked OK.

It has been around 24 hours since I started the dfsrmig /setglobalstate 1 command. Additionally I have tried various repadmin /syncall /AeD commands (with various switches), and I have also tried dfsrdiag pollad a few times; no errors occurred. But the issue persists.

I also checked the Event Viewer, and I got a few informational events which were normal when setting up DFSR for SYSVOL; the last event I got was this one:

Log Name:      DFS Replication
Source:        DFSR
Date:          27/08/2012 18:32:02
Event ID:      8014
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      FT-SGW-FAP.PAX.local
Description:
DFSR has successfully migrated the Domain Controller FT-SGW-FAP to the 'PREPARED' state.
 
TO CONTINUE MIGRATION: If you choose to continue the migration process and proceed to the 'REDIRECTED' state, please note that any changes made henceforth to the SYSVOL share located at C:\Windows\SYSVOL (which is under NTFRS replication) will not be updated in the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR (which is under DFSR replication). To avoid this possibility of data loss, please make sure no file system changes on the SYSVOL share occur while DCs are migrating from 'PREPARED' to 'REDIRECTED' state.
 
TO ROLLBACK MIGRATION: If you choose to rollback the migration process and return to the 'START' state, please note that DFSR will no longer be replicating the SYSVOL_DFSR folder and all DFSR information will be removed from the Active Directory.

This obviously looks good, but that was over 22 hours ago, and running dfsrmig /getmigrationstate still returns that this server is in the 'Start' state.

Additionally, I have tried restarting all the servers. I also checked the ADSI Edit settings (according to http://blogs.technet.com/b/filecab/archive/2008/03/05/sysvol-migration-series-part-3-migrating-to-the-prepared-state.aspx ), and all is looking like it should work. But it doesn't! And now I can think of nothing else.

Incidentally, going through the event log I found 1 warning:

Log Name:      DFS Replication
Source:        DFSR
Date:          28/08/2012 12:10:47
Event ID:      5014
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      FT-SGW-FAP.PAX.local
Description:
The DFS Replication service is stopping communication with partner DC1 for replication group Domain System Volume due to an error. The service will retry the connection periodically

Additionally, this third DC in the second site usually works OK: policies get pushed out, AD replicates fine, so the AD service is running OK. The server is also a file server, and we use DFS to replicate our files to / from this server with our main file servers, so I know the DFS service is running OK. While the connection is usually 'quite' stable, it does every now and then drop, but it's not so bad. The speed is about 1Mbps both ways under ideal conditions, but can drop to around 600Kbps both ways under day-to-day usage.

Thanks, would appreciate any assistance

Richard
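As an added example (not from the post and not Microsoft's code), here is a parser for the dfsrmig /getmigrationstate report shown above. It maps the state names to the same numbers dfsrmig uses for /setglobalstate and that appear in the registry "Local State" value (Start=0, Prepared=1, Redirected=2, Eliminated=3), lists the DCs reported behind the global state, and compares the AD-reported state with what each DC's own registry says. The sample input is the poster's output re-typed as a constructed string; fed the registry value from the post, it reproduces the mismatch: FT-SGW-FAP reports 'Start' (0) through AD while its Local State is 1.

```python
"""Parse `dfsrmig /getmigrationstate` output and flag DCs lagging the global state.

Added example, not from the forum post. The state names and numbers
(Start=0, Prepared=1, Redirected=2, Eliminated=3) are the ones dfsrmig uses
for /setglobalstate and for the 'Local State' registry value; the sample text
is the poster's output re-typed here as a constructed input.
"""
import re

DFSR_MIGRATION_STATES = {"start": 0, "prepared": 1, "redirected": 2, "eliminated": 3}

# Constructed from the report quoted in the post.
SAMPLE_OUTPUT = """\
The following Domain Controllers are not in sync with Global state ('Prepared'):

Domain Controller (Local Migration State) - DC Type
===================================================

FT-SGW-FAP ('Start') - Writable DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.
"""

GLOBAL_RE = re.compile(r"Global state \('(?P<state>[A-Za-z]+)'\)")
# One per-DC line: "<name> ('<state>') - Writable DC" / "... - Read-only DC"
DC_RE = re.compile(r"^(?P<dc>\S+) \('(?P<state>[A-Za-z]+)'\) - (?P<kind>.+ DC)$")


def parse_migration_state(text):
    """Return (global_state_number, {dc_name: local_state_number}) for the DCs listed."""
    m = GLOBAL_RE.search(text)
    if not m:
        raise ValueError("no global state found in output")
    global_state = DFSR_MIGRATION_STATES[m.group("state").lower()]
    listed = {}
    for line in text.splitlines():
        dm = DC_RE.match(line.strip())
        if dm:
            listed[dm.group("dc")] = DFSR_MIGRATION_STATES[dm.group("state").lower()]
    return global_state, listed


def dcs_behind(text):
    """Names of the DCs whose AD-reported local state is below the global state."""
    global_state, listed = parse_migration_state(text)
    return sorted(dc for dc, state in listed.items() if state < global_state)


def registry_disagrees(text, local_state_from_registry):
    """Compare the AD-reported state of each listed DC with its own registry 'Local State'.

    `local_state_from_registry` maps dc_name -> the integer read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\DFSR\\Parameters\\SysVols\\Migrating SysVols
    on that DC. Returns {dc: (ad_reported, registry)} for every DC where they differ,
    which is exactly the situation the post describes.
    """
    _, listed = parse_migration_state(text)
    return {
        dc: (state, local_state_from_registry[dc])
        for dc, state in listed.items()
        if dc in local_state_from_registry and local_state_from_registry[dc] != state
    }


if __name__ == "__main__":
    print("behind global state:", dcs_behind(SAMPLE_OUTPUT))
    # Registry value from the post: Local State = 1 (Prepared) on FT-SGW-FAP.
    print("AD vs registry mismatch:", registry_disagrees(SAMPLE_OUTPUT, {"FT-SGW-FAP": 1}))
```

A non-empty result from `registry_disagrees` tells you the DC has done its part locally and the stale value is what the other DCs read from AD, which narrows the investigation to replication of the DC's msDFSR-LocalSettings state rather than to the DFSR service on the DC itself.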

ADDS Best Practices Analyzer Time Synchronization


Very recently a Navy time server pushed out an incorrect time to users who were misconfigured with W32TM, and it ended up causing havoc on their Windows domains. I'm proposing a modification to the BPA, which tells admins to point to a single time source, to inform the user that they should configure multiple time sources in the /manualpeerlist option.

Much of my recommendation comes from the following URL: http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers

I have validated with the debug log for W32TM that it does indeed follow a proper clock selection algorithm which would provide significantly more redundancy and accurate time to a Windows AD Environment.

Recommendation:

Configure your /manualpeerlist option with 5 geographically distinct time sources at a minimum, with the possibility of utilizing more as-needed.

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org time.windows.com" /update

other domain host records to be created without creating zone


Hi

  We have a Windows Server 2008 domain controller. I need to create one host record for my vendor's website IP address in order to provide access to my employees. I want to create that host record without creating a zone. Is it possible to create a conditional forwarder for that entry? Any suggestions?

DHCP Server redundancy in windows server 2008


Hi

  We have a DHCP server running on the primary domain controller. I am planning to provide redundancy for DHCP on the secondary domain controller or another server. Can anybody help me with how to achieve redundancy?

  Any documents...

Active Directory Replication Failure


I installed a new DC running Server 2008 R2 named VMSERVER1. Everything seemed to go well after the domainprep and forestprep. I made it a GC and then tested it by shutting off the first DC (server1) running 2003. What I found is that none of the workstations could log in. Also, on VMServer1 all my domain information in AD Users and Groups disappeared. I checked the event logs on VMSERVER1 and see some issues:

 

NTFRS 13508

ADWS 1400

DNS 4013

 

So I checked DCDIAG and I got a few errors here...


Doing primary tests

   Testing server: Default-First-Site-Name\VMSERVER1
      Starting test: Advertising
         Warning: DsGetDcName returned information for\\server1.lentine.com,
         when we were trying to reach VMSERVER1.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... VMSERVER1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.

      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=lentine,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=lentine,DC=com
         ......................... VMSERVER1 failed test NCSecDesc

      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\VMSERVER1\netlogon)
         [VMSERVER1] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... VMSERVER1 failed test NetLogons

   Running enterprise tests on : lentine.com
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... lentine.com failed test LocatorCheck
      Starting test: Intersite
         ......................... lentine.com passed test Intersite

*Note: both DCs are GCs.

 

Both Servers have both DNS entries for both servers.  Both Servers have DNS running on them and the DNS Server seems to function and resolve both server names. 

 

I am puzzled at this point.

 

Any ideas?

 

 

How do I replace a 2003 BDC with another 2003 BDC on a 2008 Domain


My Primary DC is a 2008 Standard Server SP2

I had a BDC running 2003 and it crashed. It was also running my fax software for my domain as well as some additional small shared programs. I have another, newer 2003 Server SP2 and I would like to replace the previous 2003 server. I am not sure if the old one was 2003 R2 or not. Is it possible to completely replace the dead BDC with the new BDC? I can use the old IP address, change the server name to the same as the old one and recreate the shares. I would like the PDC (2008) to replicate AD to this new PC without causing issues.

Can you please advise me on the steps required and the best way to do this without destroying my existing domain or settings?

Thank you in advance.


MJK

Dnsmgmt: Cannot contact the DNS server


Problem1:

I have a Win Svr 2003 Std SP2 (svr A) and a Win Svr 2008 R2 Ent (svr B) Active Directory. In the NIC settings for svr A, the preferred DNS IP pointed to itself and the alternate to svr B's IP, and the NIC settings for svr B were vice versa. I went to svr A's dnsmgmt and I'm getting an "X" on svr B and an error stating "Cannot contact DNS server", so I ran a ping test and was able to ping svr B. On svr B's dnsmgmt console, I'm able to view both servers on the list. Can anyone out there help me?

Problem2:

After the case of svr A being unable to contact svr B's DNS, users are unable to contact some servers in the domain via hostname, e.g. \\printsvr01, but instead of the hostname, the IP address works, e.g. \\192.168.0.1. So, are Problem 1 and Problem 2 related to each other?


GPO Policy folder Access Denied


After some replication issues that I believe are resolved, I have 2 folders in the sysvol\policies folder that, as an admin and as SYSTEM, I get access denied to when trying to access their contents or delete them. The GPOs related to these policies have been removed from the domain in an attempt to see if AD would delete the folders for me.

I have tried takeown and rmdir from a psexec -s -i -h cmd session.

Automated User Provisioning (easy question)


I think this is an easy question, but I do not know how to answer it.

Could you please explain to me what is automated user provisioning?

Suppose I create a user in ADUC and what does automated user provisioning do?

Thanks.

------------------------------

Below excerpt is taken from this url:

http://download.microsoft.com/download/D/4/5/D45CBC6E-E255-48E9-A303-14C3191AA3ED/taking_the_lead_wp.pdf

------------------------------

Excerpt:

Automated User Provisioning
This best practice requires a single directory or synchronized
directories with a metadirectory service and IT processes for
automated user provisioning. Users are provisioned (including adds,
removes, and changes) only once in a primary directory, and the
changes are propagated to all related directories. It helps
organizations move from a standardized to a rationalized level of
Optimization for Identity and Access Management in the Core
Infrastructure Optimization model.

Question on ADAM : Does it use SID or DN for user-proxy authentication?


We have 5 source forests consolidated into one ADAM instance (running on a Win 2003 R2 member server of a domain). We have imported the schema and users from the 5 forests and they are all collapsed into one big ADAM tree structure ending with DC=ADAM,DC=local.

Our external application is pointing to ADAM for (1) User Account Sync and (2) Authentication

Question: When ADAM receives a user auth request from external application, how does it decide to pass it on to the right Domain Controller in the right domain/forest?

My assumption: I think it uses the SID to locate the home domain for a user and accordingly proxies/forwards the user auth request. If this is correct, then does it matter what a user account's Distinguished Name (DN) in ADAM is? Does the DN matter? Right now we have a lot of overlapping OU structures in all 5 source forests and they have all been collapsed into one BIG ADAM tree structure. All their DNs end with DC=ADAM,DC=LOCAL. I am worried that this is going to be a problem. Do DNs matter at all for ADAM?

Thanks in advance!

Encrypted Files: EFS Certificate


Hi All,

I truly hope that you will be able to help me with this, as I am devastated after realizing that I lost my data from the last 10 years.

I backed up my documents from Win 7 to an external hard drive and formatted my laptop twice after having Win 7 on it. I then installed a fresh Windows 8, and when I tried to copy my files back from the external hard drive to the new Windows 8 or even to any other computer, I couldn't access the files or open them, as they are encrypted. I then realized that I should have saved the certificate to restore access to EFS encrypted files. I tried all sorts of tools such as Advanced EFS Data Recovery and other online professional services and offline data recovery companies, with no success in recovering the data.

Can anyone please help me with any input to sort out this issue, if possible? I don't mind paying for such a service, but so far online and offline data recovery companies couldn't help me with a solution and said that I lost my data forever since I didn't save the EFS certificate.

Please note that the files/data are still on the external hard drive with the original file sizes. I still believe that there is a way of bypassing the EFS encryption even though I won't be able to get hold of the old Win 7 EFS certificate for these files.

Thank you in advance for any input,

Ben


sysvol out of sync with 2 DCs having GPO changes I want to keep - best way to "resync"?


Scenario:

  • Single domain with 2 DCs, one 2008 R2 and one 2003
  • AD replicates fine
  • I'm getting journal_wrap errors on the 2008 R2 DC. This prevents FRS replication of sysvol.
  • Administrators have made changes to group policy settings on both DCs and I want to keep all changes somehow before I fix the journal_wrap error

Question 1:

  • Is there any supported way (or if not, a workaround) to "export" the GPO changes from the 2008 R2 DC and "merge" them into the (functional) 2003 server's GPOs (without overwriting current ones)?
  • If the answer is no, I guess I can somehow export or just compare the GPOs and make sure all changes on the 2008 server are on the 2003 one, and if not, add them...

Question 2:

  • My plan is to somehow make sure all GPO changes on the 2008 DC are in place on the 2003 server and then use the FRS BurFlags registry key to perform a non-authoritative restore on the 2008 R2 DC to make it "restore" sysvol from the 2003 server.
  • All references are Server 2000 and 2003 in SP levels; I find no mention of Server 2008, but since this one uses FRS I'm hoping it will work. Will it?

Question 3:

  • Is there anything else that will "happen" besides GPOs resyncing if I use the BurFlags registry change?
  • Will it resync the netlogon folder, for example?
  • Anything else?

Any help would be much appreciated!

