Hi everyone,

I'm new to RODCs and have been looking into them as an ideal replacement for the current read/write Windows 2003 domain controllers at our branch sites. Ideally I'd like to replace all branch DCs with RODCs, leveraging a central core of read/write doman controllers at our hub site.

I can see one issue with replication. At our branch sites we typically use a 3 hour replication interval to reduce replication traffic over the network. Our central helpdesks currently work around this by creating new accounts and resettng passwords on the DC at the branch. In addition domain joins of new computers are done using the local read/write DC at the branch.

Now my thinking is that switching the branches to RODCs will cause problems in this situation as changes cannot be written to them. I understand though that they will  forward write operations to read/write DCs in the hub. My question - are such "referred" changes immediately available to the branch via the RODC?

A scenario:

1. A branch worker locks their password
2. The central helpdesk attempts to reset the password using the RODC
3. The RODC fowards the request to a read/write DC in the hub site

Another scenario

1. A computer is "flattened" and the O/S reloaded at a branch site with an RODC
2. The scripted provisioning process attempts to delete/add the computer account using the RODC
3. The RODC forwards the request to a read/write DC in the hub site

My question: Would the password reset / updated computer account be immediately available on the branch RODC (as would be the case with a targetted local read/write DC) or will the branch have to wait up to 3 hours for scheduled replication from the hub?

Clarification on this point would be most greatly appreciated.

Server 2008 R2 scheduled task not working - action 

"C:\Windows\SYSTEM32\cmd.exe" with return code 1

Hi all,

I am stuck with the event 1202 (source ADWS) error on my ADLDS server hosting sharepoint extranet user repository. My sharepoint server is a domain member butNOT a domain controller. I do not replicate this ADLDS instance with any other server. This ADLDS instance is not synched with AD's at all.

I already read posts existing on the subject and no one solved my problem as they're all related to ADLDS instances hosted on domain controllers

As a reminder the event 1202 (raised minutely) description is:

This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
Directory instance: NTDS
Directory instance LDAP port: 389
Directory instance SSL port: 636

My ADLDS instance is not named NTDS (and cannot as NTDS is the instance name of an ADDS domain) and ADWS correctly service it as the following 1200 event proove it:

Active Directory Web Services is now servicing the specified directory instance.
Directory instance: ADAM_ExtranetUsers
Directory instance LDAP port: 18589
Directory instance SSL port: 18836

So... my investigations result after enabling ADWS diagnostics are:

Following is the trace corresponding to the 1202 event generation

InstanceMap: [14.11.2012 08:57:19] [4] OnTimedEvent: got an event
InstanceMap: [14.11.2012 08:57:19] [4] CheckAndLoadAll: beginning
InstanceMap: [14.11.2012 08:57:19] [4] CheckAndLoadNTDSInstance: entered
InstanceMap: [14.11.2012 08:57:19] [4] CheckAndLoadNTDSInstance: found NTDS Parameters key
InstanceMap: [14.11.2012 08:57:19] [4] CheckAndLoadNTDSInstance: trying to change state to DC
InstanceMap: [14.11.2012 08:57:19] [4] AddRemoveSessionPoolAndDictionaryEntry: trying to change state for identifier ldap:389
InstanceMap: [14.11.2012 08:57:19] [4] AddSessionPool: adding a session pool for NTDS
DirectoryDataAccessImplementation: [14.11.2012 08:57:19] [4] InitializeInstance: entering, instance=NTDS, init=5, max=20
LdapSessionPoolImplementation: [14.11.2012 08:57:19] [4] InitializeInstance: entering, instance=NTDS, init=5, max=20
InstanceMap: [14.11.2012 08:57:20] [4] AddSessionPool: DirectoryException trying to create pool: System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.

For me the BUGGY part of this ADWS error state within the CheckAndLoadNTDSInstance process. It effectively try to service NTDS instance because it found the NTDS registry key supposed to contain the AD DS instance configuration parameters. The content of the key is the following on my system (and any system I think):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\parameters]
"ldapserverintegrity"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\RID Values]

This is the normal content on any domain members. But this cause the ADWS service to think there is an NTDS domain service instance to serve which is not the case !!!!!

I resolved the error for a temporary period by removing the registry key above. Because I also think this key has nothing to do on client systems (as stated on technet). I also verified after removing the key that my ADLDS instance is still forcing SSL connections for simple bind (which is what the ldapserverintegrity registry value is supposed to do. Note this registry settings is also present is the ldap and my ADAM_ExtranetUsers service registry.) Everything worked like a charm for a day and my event log stopped reporting the 1202 event.

But during the first night, a process recreated the NTDS service registry key I deleted. So the event 1202 start reappearing every minute. Excepting filling my event log for nothing this error has no effect on the working ADLDS instance. So I can live with but it's rather annoying!

So finally my question is: Is it really a bug or did i make a mistake? If this is by design how can I prevent ADWS to try to serve an instance that does not exists on the system?

Can I set the undocumented ADWS configuration value "InstanceRediscoveryInterval" defaulted to "00:01:00" to something that say "NEVER".

At least to lower events count I will set it to something next to 1 hour or 1 day!

Does someone have a better solution?

Many thanks to any of you taking time to read my poor english ;-)

Greetings,

We have 14 DCs in our network, all running W2K3R2 SP2. I had a user call yesterday that said she was having issues with email. Further inspection showed that the NETLOGON share was missing. Then I took a step further and found that it was missing on all DCs in our network. I've done a lot of searching and have found several documents on 'missing sysvol and netlogon'. We are missing some of the policies in the sysvol share, but completely missing the netlogon folder. Articles talk about restoring by setting bur flags. The problem is that from what I read, you need to have an operational DC. While across the network, users are able to access shared resources like email, files and have no problems logging in, since no DC has a NETLOGON share, none would be 'operational'. Below, I'm posting the dcdiag I ran on our FSMO role holder:

C:\>dcdiag /fix

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Operations\SVR00DC01
      Starting test: Connectivity
         ......................... SVR00DC01 passed test Connectivity

Doing primary tests

   Testing server: Operations\SVR00DC01
      Starting test: Replications
         ......................... SVR00DC01 passed test Replications
      Starting test: NCSecDesc
         ......................... SVR00DC01 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SVR00DC01\netlogon)
         [SVR00DC01] An net use or LsaPolicy operation failed with error 1203, N
o network provider accepted the given network path..
         ......................... SVR00DC01 failed test NetLogons
      Starting test: Advertising
         ......................... SVR00DC01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SVR00DC01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SVR00DC01 passed test RidManager
      Starting test: MachineAccount
         ......................... SVR00DC01 passed test MachineAccount
      Starting test: Services
         ......................... SVR00DC01 passed test Services
      Starting test: ObjectsReplicated
         ......................... SVR00DC01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SVR00DC01 passed test frssysvol
      Starting test: frsevent
         ......................... SVR00DC01 passed test frsevent
      Starting test: kccevent
         ......................... SVR00DC01 passed test kccevent
      Starting test: systemlog
         ......................... SVR00DC01 passed test systemlog
      Starting test: VerifyReferences
         ......................... SVR00DC01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : secfedbank
      Starting test: CrossRefValidation
         ......................... secfedbank passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... secfedbank passed test CheckSDRefDom

   Running enterprise tests on : secfedbank.com
      Starting test: Intersite
         ......................... secfedbank.com passed test Intersite
      Starting test: FsmoCheck
         ......................... secfedbank.com passed test FsmoCheck

C:\>

I see no errors in the FRS event viewer. 

Chris

We've implemented Account Logout policies in our Windows 2008 R2 domain with these settings

Lockout duration: 30 minutes
Lockout threshold: 15 invalid login attempts
Reset account lockout counter after: 30 minutes

We've turned on NETLOGON.log logging and are watching for any user problems. On a few users, we see over 300 attempted logins from a machine (0xC000006A Transitive Login attempt) over a 4 hour period. We're watching the account but it's not locking out. Are these types of login exempt from the Account Lockout policy?

Orange County District Attorney

ADC server replication summary - 

C:\>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\ADCMOFTWARE
DC Options: IS_GC
Site Options: (none)
DC object GUID: 700f4da0-0471-42dc-9a0a-453a5656d2a9
DC invocationID: e88f24d9-5108-4513-922f-d62497b6db6e

==== INBOUND NEIGHBORS ======================================

DC=fi,DC=com
    Default-First-Site-Name\DCM via RPC
        DC object GUID: 8fdd74a5-c2b9-4ba9-89fc-8f2fa97af716
        Last attempt @ 2012-11-26 16:28:09 failed, result 8614 (0x21a6):
            The Active Directory cannot replicate with this server because the t
ime since the last replication with this server has exceeded the tombstone lifet
ime.
        4013 consecutive failure(s).
        Last success @ 2012-11-20 03:00:24.

CN=Configuration,DC=Fi,DC=com
    Default-First-Site-Name\DCM via RPC
        DC object GUID: 8fdd74a5-c2b9-4ba9-89fc-8f2fa97af716
        Last attempt @ 2012-11-26 16:24:52 was successful.

CN=Schema,CN=Configuration,DC=fi,DC=com
    Default-First-Site-Name\DCM via RPC
        DC object GUID: 8fdd74a5-c2b9-4ba9-89fc-8f2fa97af716
        Last attempt @ 2012-11-26 16:24:52 was successful.

DC=ForestDnsZones,DC=fi,DC=com
    Default-First-Site-Name\DCM via RPC
        DC object GUID: 8fdd74a5-c2b9-4ba9-89fc-8f2fa97af716
        Last attempt @ 2012-11-26 16:24:52 was successful.

DC=DomainDnsZones,DC=fi,DC=com
    Default-First-Site-Name\DCM via RPC
        DC object GUID: 8fdd74a5-c2b9-4ba9-89fc-8f2fa97af716
        Last attempt @ 2012-11-26 16:24:52 was successful.

Source: Default-First-Site-Name\DCM
******* 3992 CONSECUTIVE FAILURES since 2012-11-20 03:00:24
Last error: 8614 (0x21a6):
            The Active Directory cannot replicate with this server because the t
ime since the last replication with this server has exceeded the tombstone lifet
ime.

******************************************************************************************

Main domain controller repadmin summary - 

C:\>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\DCM
DC Options: IS_GC
Site Options: (none)
DC object GUID: 8fdd74a5-c2b9-4ba9-89fc-8f2fa97af716
DC invocationID: 19470c50-6d7e-48d0-afcc-54faac6dacc4

==== INBOUND NEIGHBORS ======================================

DC=fi,DC=com
    Default-First-Site-Name\ADCM via RPC
        DC object GUID: 700f4da0-0471-42dc-9a0a-453a5656d2a9
        Last attempt @ 2012-11-26 14:52:52 was successful.

CN=Configuration,DC=fi,DC=com
    Default-First-Site-Name\ADCM via RPC
        DC object GUID: 700f4da0-0471-42dc-9a0a-453a5656d2a9
        Last attempt @ 2012-11-26 14:29:20 was successful.

CN=Schema,CN=Configuration,DC=fi,DC=com
    Default-First-Site-Name\ADCM via RPC
        DC object GUID: 700f4da0-0471-42dc-9a0a-453a5656d2a9
        Last attempt @ 2012-11-26 14:23:30 was successful.

DC=DomainDnsZones,DC=fi,DC=com
    Default-First-Site-Name\ADCM via RPC
        DC object GUID: 700f4da0-0471-42dc-9a0a-453a5656d2a9
        Last attempt @ 2012-11-26 14:50:11 was successful.

DC=ForestDnsZones,DC=fi,DC=com
    Default-First-Site-Name\ADCM via RPC
        DC object GUID: 700f4da0-0471-42dc-9a0a-453a5656d2a9
        Last attempt @ 2012-11-26 14:23:30 was successful.

*****************************************************************************

Check this line

"4013 consecutive failure(s).
        Last success @ 2012-11-20 03:00:24."

At the same time (2012-11-20 03:00:24) i have checked on DCM time was goes to 10 Years back like (2002) And i have sync time on DCM server manually. and automatic all client time goes automatically correct. But still ADCM and DCM did not synchroniz properly.

Thanks

Rakesh

Rakesh Kumar

We have a domain trust between DomainA.com and DomainB.local.

DomainA.com is an external non-transitive incoming trust to DomainB.local and DomainB.local is an external non-transitive outgoing trust to DomainA.com. Both are set to selective authentication.

The issue is: I can’t lookup users or groups or computer objects from domainB.local   in DomainA.com.

I am a Domain and Enterprise admin in the DomainB.local .

So , when I log-on to a DC in the domainB.local domain and use ADUC to search for objects in the domainA.com. Nothing comes up.

I have double check DNS resolutions and that is working fine. What can I test or do to get this working,

 I will need to add user objects from domainA.com to resources in the DomainB.local for our migration.

Thanks

Greetings,

When first installing AD RMS via the wizard, I chose an HTTP: address rather than the https: address.

I would like to change this to the https:\\rms.clustername.com address.

Can I do this through the registry below?

http://technet.microsoft.com/en-us/library/dd772665%28v=ws.10%29.aspx

Also, where do i make the change so that the environment is pointing to the cname (alias) for my sql server? I do not see registry keys or any way of doing this without uninstalling and reinstalling.

Thank you kindly,

Frank

Frank Garcia

All Windows 2003 domain controllers will be replaced with  Windows 2008 R2 domain controllers

Domain functional level is Windows 2003 will be upgraded later

There are few NT 4 and Windows 2000 clients .

Will upgrading all domain controllers to 2008 r2 cause problem for NT 4.0 and Windows 2000. Consider domain functional level is still 2003.

So, Active Directory Newbie here. Have enough experience/knowledge to be dangerous. We have some trouble in the office, but I got a good feeling whats going on, but I don't how to professionally handle the problem.

We have 3 DCs. The DC with all the operations master roles seemed to flat out stop replicating with the other two. Those two are still communicating and replicating with each other just fine. Have troubles accessing network shares because of it. Can't pull down Group Policy because of it to desktops.

I'm interested in learning the quick and dirty way to get us back in good shape.

I was thinking demote the machine with all the operation's master roles, configure one of the other DCs to have all the roles, and the re-promote it DC. Switching the operation masters a second time isn't a requirement here.

I'm uncomfortable pulling the trigger with that method.

Could I bother anyone to share how they would approach this situtation? I would perfer not to try create any dump files or post error messages related to why the server became "isolated." I want to know how to fix this in the shortest amount of time, not a complex procedure of complete rebuilding my schema.

Please and Thank you.

"Knowledge changes life" "The quieter you are, the more you are able to hear" >Backtrack Linux FAN<

Hi, I'm working on the 70-640 training kit. I'm having trouble getting 2 accounts created with LDIFDE, checked for typos and can't find any. It gives me an add error starting on line 1. Says attribute doesn't exist. Here is what I have typed in Notepad. Saved it as NewUsers.ldf. Trying to run as: ldifde -i -f NewUsers.ldf -k -h The User Account OU exists so I don't know what I'm doing wrong.

DN: CN=April Stewart,OU=User Accounts,DC=contoso,DC=com
changeType: add
CN: April Stewart
objectClass: user
sAMAccountName: april.stewart
userPrincipalName: april.stewart@contoso.com
givenName: April
sn: Stewart
displayName: Stewart, April
mail: april.stewart@contoso.com
description: Sales Representative in the USA
title: Sales Representative
department: Sales
company: Contoso, Ltd.
unicodePwd::IgBQAGEAJAAkAHcAMAByAGQAIgA=
userAccountControl:512

DN: CN=Tony Krijnen,OU=User Accounts,DC=contoso,DC=com
changeType: add
CN: Tony Krijnen
objectClass: user
sAMAccountName: tony.krijnen
userPrincipalName: tony.krijnen@contoso.com
givenName: Tony
sn: Krijnen
displayName: Krijnen, Tony
mail: tony.krijnen@contoso.com
description: Sales Representative in the Netherlands
title: Sales Representative
department: Sales
company: Contoso, Ltd.
unicodePwd::IgBQAGEAJAAkAHcAMAByAGQAIgA=
userAccountControl:512

Running adprep32 to prep our Windows 2003 domain for new Windows Server 2008 R2 DCs.

adprep32 /forrestprep ran without error after changing domain to native mode.  However running adprep32 /domainprep /gpprep fails with adprep was unable to complete because the call back function failed.  After running it a second time, it looks like /domainprep worked as it says that the domain-wide information was already updated.  However the log shows this:

I've check other forum questions and not found an answer.  I've check all the symptoms mentioned by http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx and all of those check out.

What I have found is that if I look in ADUC (after going to view ->advanced features), under system -> domainupdates -> operations there is no a3dac986-80e7-4e59-a059-54cb1ab43cb9 listed.  This appears to be my issue, but I can't find a resolution.  Please Advise.

Thanks!

Hi Guys,

Our client has a script that they are using to query the LastLogonTimeStamp of their users in their domains. Unfortunately, they have this domain that when they use this script to query for users LastLogonTimeStamp, the displayed result is 0? Do you think this could be a setting in the Domain Controller that needs to be enabled for the script to function properly? By the way, they are using Windows Server 2003. Please advise.

Thank You,

Arnel

Hi

I'm trying to use "w32tm" to check on out servers here and I'm,
seeing the following problem with some (not all) of our server and can't seem to find out why. Here's the command:

w32tm /query /verbose /computer:server1 /status

w32tm /query /computer:server1 /source
The following error occurred: The procedure number is out of range.
(0x800706D1)

but other machines are fine. Any ideas what I should check here?

Also This issue occurring only for windows 2003 Server DC.

Hi,

I´ve created a service in a windows server 2008 R2, but when I try to start the service :

Windows could not start the Test service on Local Computer

Error 1068: The dependency service or group failed to start

I´ve checked the service dependencies, and all services which appear in the dependencies tab are started.

So any idea why is failing?

Thanks thaks thanks

i know this might sound strange, i was working in a customer side fixing a direct access related issue - along with a Microsoft support engineer

the last thing we were working on is unlink some GPO from an OU using the GPMC

this OU disappeared suddenly i went to the AD users and computers - refresh and it is gone - logically deleted some how

me & the engineer are banging our heads on the wall and as you know all fingers are pointing @ us and looks like we will lose this whole project for this

the OU was restored using a backup solution and the SCCM showing items deleted inside this OU the same time this happened

the question is did anyone face such a thing before - does anyone know how to find out what happened & how could this happen

if it was only me i could have doubted myself but both of us are 100% sure we did not delete this OU

the DC we were working on is a 2008, they have many DCs in the network some of them is 2003, the deletion of this OU was replicated in a blink if a eye

i would really appreciate any help in this case

Microsoft Certified IT Professional Server Administrator