
Renaming Computers with least privilege


We are in the process of implementing least privilege rights in Active Directory for our desktop team, and cannot find authoritative information on what rights are required for facilitating this change.

We set up auditing on a test computer object in Active Directory to see what attributes need to be modified, but when we rename a computer we noticed something we didn't expect. The Rename-Computer cmdlet in PowerShell is making an SMB call instead of an LDAP request, and the security log does not capture the access denied message we see in the SMB call. Since the SMB call is encrypted, all we see is the access denied message. At this point we cannot see how we can find the correct attributes to facilitate the rename.

We are fully aware that if we give Read all properties / Write all properties, the rename will work, but there are attributes on the computer object that the group should not be able to read. Where can we go for a real answer to this question?

We are using DSACLS to implement the changes. The following works for adding workstations to the domain and moving them between OUs, but does not work for renaming.

Call:WriteDesktopAcls "CN=Computers,OU=Contoso,DC=Com"

:WriteDesktopAcls
::##################################
::Create and Delete Workstations
::##################################

DSACLS.exe  "%~1" /I:T /G contoso\DesktopSupport:CC;computer;
DSACLS.exe  "%~1" /I:T /G contoso\DesktopSupport:DC;computer;

::####################################################
::Permissions needed to add workstations to the domain
::####################################################

DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:CALCGRSDDTRC;;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WP;description;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WP;sAMAccountName;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WP;displayName;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WP;userAccountControl;computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WS;"Validated write to service principal name";computer
DSACLS.exe  "%~1" /I:S /G contoso\DesktopSupport:WS;"Validated write to DNS host name";computer
goto:eof
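As an added example (not from the original post, and not Microsoft's DSACLS documentation): after a delegation like the one above has been applied, the check a practitioner wants is a listing of exactly which ACEs the delegated group holds on the OU, with the attribute and extended-right GUIDs resolved to names, so the result can be compared against the intended least-privilege set. The OU DN and group name below are placeholders, and the ActiveDirectory module (which provides the AD: drive used by Get-Acl) is assumed to be installed.

```powershell
# Added example (not from the original post): list the ACEs granted to a delegated
# group on an OU so the delegation can be reviewed against a least-privilege target.
# Assumptions: the ActiveDirectory module is available; the OU DN and group name
# below are placeholders for your own environment.
Import-Module ActiveDirectory

$ouDn      = "OU=Workstations,DC=contoso,DC=com"   # placeholder OU
$principal = "CONTOSO\DesktopSupport"               # placeholder delegated group

# Build a GUID -> name map from the schema (attributes and classes) and from the
# Extended-Rights container (control access rights and validated writes), so the
# ObjectType / InheritedObjectType GUIDs in each ACE become readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    # An empty GUID means the ACE applies to all attributes / all object classes.
    if ($Guid -eq [guid]::Empty) { return "(all)" }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Read the OU's security descriptor through the AD: drive and keep only the ACEs
# that name the delegated principal, including inherited ones.
$acl = Get-Acl -Path ("AD:\" + $ouDn)
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            Attribute   = Resolve-AceGuid $_.ObjectType           # attribute or extended right
            AppliesTo   = Resolve-AceGuid $_.InheritedObjectType  # object class the ACE applies to
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

Run it once before and once after the DSACLS batch; any row whose Rights column says GenericAll, or whose Attribute column says "(all)" with WriteProperty, is broader than the per-attribute grants the batch intends and is where the read access to sensitive attributes would come from.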


Global Catalog Reporting unavailable


One of our domain controllers recently started reporting Event ID 1126, stating that it was unable to establish a connection with the global catalog. It also errors when I try to load the PowerShell module for Active Directory (Error Initializing the Default Drive: Unable to contact the server. It may be because server does not exist.)

NLTEST has been used to verify that the domain controller can talk to itself and to the other DC in the domain. LDP.EXE works on both 636 and 389, confirming the server can talk to everything it is supposed to be able to talk to. I have removed the McAfee host-based intrusion prevention, and no other firewall is currently installed or enabled. The only problem DCDIAG reports is the event in the event log (1126).

Is there something I am overlooking?

All DCs are Server 2008 R2 and fully patched.

How to Find Which Programs running in my Domain Computers

How do I find which programs are running on my domain computers?

"msDFSR-ContentSetGuid" corrupt?


I have a domain with two DCs. I cannot browse to \\dc1\sysvol from any member server or from DC2 on the network. While trying to troubleshoot this error I came across a value that I think is incorrect (corrupt). While looking at the properties for the "Sysvol Subscription", I selected the "Attribute Editor" tab to review some settings, and the "msDFSR-ContentSetGuid" attribute has the following value: xMB�@CD�&>E�g

Needless to say, I believe that is wrong. My other domains have something that looks more like: \090B\AC\44\B3\76\FB\A8...

My questions are:

  1. What is this attribute used for?
  2. What effect is this corruption having on my SYSVOL, if any?
  3. How can I create and enter a useful value?

Thank you in advance. 

DNS 4004 and 4015 events


Hello,

I am on an SBS 2011 system, and I am not an expert on server management. Before this server, people were on a 2003 server. During the transition period I tried to get the two servers talking to each other.

I have seen that I get DNS 4004 and 4015 events. By reading topics on the web, I didn't find a way to clear this situation (and I may be doing the wrong things and making it worse).

On my DNS server, in the forward zone, I have the whole _msdcs tree, but the primary zone linked to AD, myserver.local, is closed (it is this zone that has the problem). The reverse zone looks OK.

In DCDIAG the first connectivity test failed. The server tests were not done; the partition tests were all OK.

When starting nslookup, the default server is unknown.

Could you kindly help with this point? And what can I do to give you all the information needed for a good analysis? (PS: the server is in French.)

Thanks in advance

Active Directory replication and login errors (Plz HELP !!)


Hi All,

We have one forest domain (XXXX.LOCAL) and lots of child domains (XXX.XXXX.LOCAL).

We are facing an issue where the child domains are not able to log in with the forest administrator account, and there are also lots of replication errors.

Exchange OWA gives an error that it is not able to find the particular XXX.XXX.local child domain.

The dcdiag output from the child domain is:

--------------------------------------------------------------------------------------------------------------------
C:\Windows\system32>
C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

C:\Windows\system32>
C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = PMA-DC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: HEC-CITY\PMA-DC01
      Starting test: Connectivity
         ......................... PMA-DC01 passed test Connectivity

Doing primary tests

   Testing server: HEC-CITY\PMA-DC01
      Starting test: Advertising
         Warning: PMA-DC01 is not advertising as a time server.
         ......................... PMA-DC01 failed test Advertising
      Starting test: FrsEvent
         ......................... PMA-DC01 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... PMA-DC01 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... PMA-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... PMA-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         [PMA-DC02] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         Warning: PMA-DC02 is the PDC Owner, but is not responding to DS RPC
         Bind.
         [PMA-DC02] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: PMA-DC02 is the PDC Owner, but is not responding to LDAP
         Bind.
         Warning: PMA-DC02 is the Rid Owner, but is not responding to DS RPC
         Bind.
         Warning: PMA-DC02 is the Rid Owner, but is not responding to LDAP
         Bind.
         Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
         responding to DS RPC Bind.
         Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
         responding to LDAP Bind.
         ......................... PMA-DC01 failed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... PMA-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         ......................... PMA-DC01 failed test NCSecDesc
      Starting test: NetLogons
         ......................... PMA-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... PMA-DC01 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,Replications Check] Inbound replication is
         disabled.
         To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
         [Replications Check,PMA-DC01] Outbound replication is disabled.
         To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
         ......................... PMA-DC01 failed test Replications
      Starting test: RidManager
         ......................... PMA-DC01 failed test RidManager
      Starting test: Services
            w32time Service is stopped on [PMA-DC01]
         ......................... PMA-DC01 failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000010
            Time Generated: 04/21/2014   19:16:04
            Event String:
            Unable to Connect: Windows is unable to connect to the automatic upd
ates service and therefore cannot download and install updates according to the
set schedule. Windows will continue to try to establish a connection.
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:42
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs
.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the fol
lowing DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
 server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on
 the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._udp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
 server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kpasswd._tcp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
 server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kpasswd._udp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
 server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.'
 failed on the following DNS server:
         An error event occurred.  EventID: 0x00000C8A
            Time Generated: 04/21/2014   19:44:51
            Event String:
            This computer could not authenticate with \\LHR-DC01.XXXX.LOCAL, a W
indows domain controller for domain XXXX, and therefore this computer might deny
 logon requests. This inability to authenticate might be caused by another compu
ter on the same network using the same name or the password for this computer ac
count is not recognized. If this message appears again, contact your system admi
nistrator.
         An error event occurred.  EventID: 0xC00A0038
            Time Generated: 04/21/2014   19:46:02
            Event String:
            The Terminal Server security layer detected an error in the protocol
 stream and has disconnected the client. Client IP: 10.87.193.37.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 04/21/2014   19:52:41
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was PMA\PMA-DC02$. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occu
r when the target server principal name (SPN) is registered on an account other
than the account the target service is using. Please ensure that the target SPN
is registered on, and only registered on, the account used by the server. This e
rror can also happen when the target service is using a different password for t
he target service account than what the Kerberos Key Distribution Center (KDC) h
as for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is
not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from th
e client domain (PMA.XXXX.LOCAL), check if there are identically named server ac
counts in these two domains, or use the fully-qualified name to identify the ser
ver.
         A warning event occurred.  EventID: 0x8000001C
            Time Generated: 04/21/2014   19:53:42
            Event String:
            When generating a cross realm referal from domain XXXX.LOCAL the KDC
 was not able to find the suitable key to verify the ticket. The ticket key vers
ion in the request was 25 and the available key version was 22. This most common
 reason for this error is a delay in replicating the keys. In order to remove th
is problem try forcing replication or wait for the replication of keys to occur.

         An error event occurred.  EventID: 0x40000004
            Time Generated: 04/21/2014   20:13:25
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was LDAP/4a166db9-c39c-4069-99e7-8a233ce2c0
be._msdcs.XXXX.LOCAL. This indicates that the target server failed to decrypt th
e ticket provided by the client. This can occur when the target server principal
 name (SPN) is registered on an account other than the account the target servic
e is using. Please ensure that the target SPN is registered on, and only registe
red on, the account used by the server. This error can also happen when the targ
et service is using a different password for the target service account than wha
t the Kerberos Key Distribution Center (KDC) has for the target service account.
 Please ensure that the service on the server and the KDC are both updated to us
e the current password. If the server name is not fully qualified, and the targe
t domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL),
check if there are identically named server accounts in these two domains, or us
e the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 04/21/2014   20:13:25
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indi
cates that the target server failed to decrypt the ticket provided by the client
. This can occur when the target server principal name (SPN) is registered on an
 account other than the account the target service is using. Please ensure that
the target SPN is registered on, and only registered on, the account used by the
 server. This error can also happen when the target service is using a different
 password for the target service account than what the Kerberos Key Distribution
 Center (KDC) has for the target service account. Please ensure that the service
 on the server and the KDC are both updated to use the current password. If the
server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is di
fferent from the client domain (PMA.XXXX.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to i
dentify the server.
         ......................... PMA-DC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... PMA-DC01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : PMA
      Starting test: CheckSDRefDom
         ......................... PMA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... PMA passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running enterprise tests on : XXXX.LOCAL
      Starting test: LocatorCheck
         ......................... XXXX.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... XXXX.LOCAL passed test Intersite

C:\Windows\system32>
ADTD- Way to filter by specific AD site names

Looking for options to filter by specific site names, to eliminate the need to manually remove AD sites not needed in Visio. We have a very large, complex AD architecture, so filtering by site name for the diagram would save considerable time spent manually editing the Visio diagram. I know there is nothing in the GUI of the tool to filter by name. The tool is performing an LDAP query; is there a place that query is logged, so we could take the query and alter the LDAP query to be executed? I have also looked at the Visio that gets created for sites, but unfortunately there is no filter for the data in Visio, or any way to search and select by name to delete all other sites. Is there any other option in Visio itself to clean the data, so that when the diagram is drawn it only has the needed AD sites?

New-ADComputer how to change who can join to domain


Hello! I am trying to script my join-to-domain process as much as possible with PowerShell! I have everything down to a working point on its own, but I'm having issues bringing it all together.

My problem lies in the New-ADComputer command: I need to be able to put a specific service account as the one who has rights to join to the domain (such as if you use the GUI, which asks for a user or group, with the default being Domain Admins). Any help would be awesome! Even if it's a "that can't be done".


RODC does not receive all User and Groups


Dear NC,
I have one RODC in a branch office site.
I have selected several user groups to be replicated to the RODC, with nearly 800 users.
But when I have a look at the RODC I can see that only 400 users are replicated to it.

I do not understand why this happens.
Can anybody offer some useful hints please?

-Bernd

DNS servers configuration after AD/DC replication.


Good day all.

I understand that this issue might have been repeated several times in the previous posts/questions but nevertheless I feel the need to explain the situation I have thoroughly in order to have the right answer.

In our company, we have a W2k3 DC that has a DNS server installed with it. All clients (who happen to have a static IP, subnet, gateway and DNS) use this DC for internal DNS resolution. The hardware on this DC is getting old and we are planning to use it to run an application that acts as a middleware between the machines that we have and our information system.

In order to achieve this goal, I suggested that we buy new hardware and perform replication of AD. According to my understanding of such a procedure, I know that we have to "upgrade" the forest that the w2k3 holds to be compatible with w2k8 and after that we can perform DCPROMO, etc.

My question is: What happens to the DNS server on the old DC after I successfully perform the replication of AD on the new hardware and demote the old DC? It seems to me that I should keep the DNS server there running in order to prevent the action of manually changing the IP settings for all clients in the network.

My other question is: Should I create a replica for the DNS server as well?

I appreciate the efforts made on TechNet and thank you for your time.

Nadim.

DC GUID mismatch

Hello Everyone

I did the transition from a Windows Server 2003 DC to a Windows Server 2012 R2 DC.

In Windows Server 2003 I was having issues with DNS, as the earlier admin made many changes which I am not aware of; he also renamed the domain controller. My GPOs were taking 2 to 3 reboots to apply the policy, and we don't have any issue with network bandwidth.

I decommissioned the Windows Server 2003 DC, I removed all entries in DNS and in Active Directory Sites and Services, and I deleted the computer account.

I deleted all the entries of the domain controller in ADSI Edit under
DC=ForestDNSZones, DC=mydomain,DC=com &
DC=DomainDNSZones, DC=mydomain,DC=com

I installed the Windows Server 2012 DC with the same old host name and the same old IP.

After that I am facing an issue with a mismatch in the domain controller's GUID.
The guid shown in the CNAME record in the DNS _msdcs.mydomain.com is 
f08fa46c-81f6-43fb-a3fb-a3fb-beff3a589c6e_msdcs.mydomain.com

The GUID shown in Active Directory Sites & Services (NTDS Settings) is
f08fa46c-81f6-43fb-a3fb-a3fb-beff3a589c6e_msdcs.mydomain.com

But when I use the dsquery command I am getting a different GUID:
dsquery * "cn=dc-01,ou=domain controllers,dc=domain,dc=local" -scope base -attr objectguid
(2a9bF6c5-8856-BBOE-39291171BCOD)

Migrating from WID to SQL2012 error when setting the ArtifactDbConnection


We're deploying an ADFS 2.0 farm on 2008R2 servers utilizing mirrored SQL 2012 databases and getting an error when attempting to 'migrate' the ArtifactDbConnection database to SQL. Being unable to run the ADFS 2.0 scripts to initially configure it for SQL instead of WID (due to an apparent compatibility issue), we had to resort to using the ADFS configuration wizard, then migrate to SQL. I'm following the steps from the "AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server" TechNet article and cannot get beyond Step 3, task 7:

7.       Change the artifact connection string to point to the new SQL Server-based artifact data location. Open a Windows PowerShell command-line, type the following command-line syntaxes in order, and then press ENTER after each one. In SQLServer\SQLInstance below, type in the appropriate SQL Server and SQL Server instance name where you are migrating the artifact data to. For example, contososrv01\adfs-artifact.

Add-pssnapin microsoft.adfs.powershell

Set-adfsproperties -artifactdbconnection "data source=<SQLServer\SQLInstance>; initial catalog=adfsartifactstore;integrated security=true"

My syntax (using the default SQL instance):

Set-adfsproperties -ArtifactDbConnection "Data Source=sql1;Failover Partner=sql2;Initial Catalog=AdfsArtifactStore;Integrated Security=True"

Resulting error:

Set-ADFSProperties : Exception of type 'Microsoft.IdentityServer.PolicyModel.Client.StorageOperationException' was thro
wn.
At line:1 char:19 + Set-adfsproperties <<<<  -ArtifactDbConnection "Data Source=sql1;Failover Partner=sql2;Initial Cata
log=AdfsArtifactStore;Integrated Security=True"
    + CategoryInfo          : InvalidData: (:) [Set-ADFSProperties], StorageOperationException
    + FullyQualifiedErrorId : Exception of type 'Microsoft.IdentityServer.PolicyModel.Client.StorageOperationException
   ' was thrown.,Microsoft.IdentityServer.PowerShell.Commands.SetServicePropertiesCommand

Everything up to this point has been successful, the databases have been migrated/updated and mirrored. The ADFS service starts fine with the migrated ADFSConfiguration database. I have tried entering this CMDlet six ways from Sunday (including using FQDNs) and nothing works. I have also deleted the databases and started the migration from scratch with the exact same results. What am I missing?

Once I cross this hurdle, I plan to go back to FSConfig to add the other ADFS servers to the farm.

Thanks,

Dave

Changed DC IP address, still wrong in DNS


Hi

I've been banging my head for a few hours on this and can't seem to correct it. Here's what's going on:

We have 2 domains in our forest. The DC with the problem is part of the child domain. Its IP changed from a 10.90.0.x to a 10.238.0.x static IP.

I noticed some replication problems with the Replication Status Tool and what I've found is a DNS problem between the Parent and Child DNS servers.

If I do an nslookup on the cfc5a4e4-53ea-4232-b66e-41d6cc681cb3._msdcs.xxx.net record in the child domain DNS server, it resolves to the new IP address. If I do it on the parent domain DNS server, it resolves to the old IP address.

I've tried deleting that msdcs record in both sets of DNS servers and restarting NETLOGON, but within a few minutes, the parent gives the old IP address again and stops replication from happening.

Is there some way to scrub the DNS servers of any trace of that old IP address? Is there something on the DC itself that could be giving the wrong IP to the DNS servers?

Thanks for any suggestions anyone has


Why does changing AD group "Managedby" in ADUC give strange error?


Hello all,

My question centers around the following error when setting the Managedby attribute in ADUC without checking the "Manager can update membership list" checkbox:

What I think is strange about this error is that the error occurs without the "Manager can update membership list" checkbox checked. Thus, to my knowledge, no changes to the ACL are being made to the group; the only thing that's happening is that the "Managedby" attribute of the group is being changed.

Assuming no changes to the ACL are being made, here's the fun part. When a user with "Modify Permissions" rights on the group ACL changes the Managedby in ADUC (again, without the update membership checkbox being checked) there is no error. However, when a user who does not have "Modify Permissions" rights on the group ACL performs the Managedby change, it results in the above error, but the changes still go through.

So my question is: even without the "Manager can update membership list" checkbox being checked, does updating the "Managedby" field in ADUC require an ACL change on the group somewhere? If not, why is the error being generated for a user without "Modify Permissions" rights? Am I missing something here?

dcdiag dns error


I have a small test lab, currently with 1 DC (srvr2012a). I previously had 2 DCs, but I have demoted srvr2012b and it no longer runs the DNS role. When I run dcdiag /test:dns /v /e, I get the following error:

DCDiag error

Should I be concerned with this?  Why is dcdiag seeing srvr2012b as a DNS server?

AD FS in Forest Root Domain


I have an AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me whether I need to do any further configuration to have it authenticate users from the child domain, or whether that should just magically happen because of the parent-child trust relationship.

Upon rebuilding the server again and making sure that the server name and the pool name were different, so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS URLs. It will prompt me for my credentials 3 times and then tell me I am not authorized. I have been searching on the web but have been unable to find the solution. I have made DNS changes, added HTTP SPN entries, changed the authentication settings in IIS... I am stuck. Any help would be great.

LDAP Password Communication


Hi,

In my infrastructure some application servers are using LDAP to authenticate users to Active Directory. My question is how the password communication works and whether it is secure. For example, the application provides a popup or dialog box for the user to input their Active Directory user/password, and then the user is authenticated. Now please correct me on both:

1- The user gets authenticated through the application server, i.e. his password reaches the application server and then the application server passes it to Active Directory using LDAP.

2- When the user inputs user/password in the popup, the application only provides the LDAP IP from the application server, and the client machine communicates directly with Active Directory to get authenticated.

Thanks


Usman Ghani - MCITP Exchange 2010
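An added example, not part of the original post, illustrating the first flow the poster describes, which is how LDAP simple-bind authentication normally works: the application receives the password and forwards it to the domain controller inside an LDAP bind, so the confidentiality of that password rests on the application-to-DC channel being encrypted (LDAPS on 636, or StartTLS on 389) and on the application not storing or logging it. Server name, port and account are placeholders; the code uses System.DirectoryServices.Protocols, which ships with .NET on Windows.

```powershell
# Added example (not from the original post): application-side LDAP authentication
# as in scenario 1 of the question. The application holds the user's password only
# long enough to perform a bind, and refuses to bind over an unprotected channel.
# Assumptions: server, port and account below are placeholders for your environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapCredential {
    param(
        [Parameter(Mandatory)][string]$Server,            # DC name, e.g. dc01.contoso.com (placeholder)
        [int]$Port = 636,                                 # 636 = LDAPS; 389 = LDAP with StartTLS
        [Parameter(Mandatory)][string]$UserPrincipalName, # e.g. user@contoso.com (placeholder)
        [Parameter(Mandatory)][securestring]$Password
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        if ($Port -eq 636) {
            # LDAPS: wrap the whole session in TLS before any credential crosses the wire.
            $conn.SessionOptions.SecureSocketLayer = $true
        } else {
            # Plain LDAP port: upgrade with StartTLS first; a simple bind in clear text
            # would expose the password to anyone on the path to the DC.
            $conn.SessionOptions.StartTransportLayerSecurity($null)
        }
        # Simple (Basic) bind: the DC itself checks the password against the account.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $credential = New-Object System.Net.NetworkCredential($UserPrincipalName, $Password)
        $conn.Bind($credential)
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 49 is invalidCredentials; any other code is a transport or server
        # problem and should be surfaced to the operator rather than shown as "bad password".
        Write-Verbose ("LDAP bind failed: {0} (code {1})" -f $_.Exception.Message, $_.Exception.ErrorCode)
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholders): read the password interactively so it never lands in a script file.
# $pw = Read-Host -AsSecureString "Password"
# Test-LdapCredential -Server dc01.contoso.com -UserPrincipalName user@contoso.com -Password $pw -Verbose
```

The design point the code makes about the question: in this flow the application server does see the password, so it, not only the directory, becomes part of the trust boundary. Scenario 2 (the client binding to the DC directly) is not how LDAP-based web applications typically work, because the browser speaks HTTP to the application, not LDAP to the DC; when the password should never reach the application, that is what Kerberos or a federation protocol such as SAML or OpenID Connect provides instead.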

Degraded DFSR on production - advice requested


Given a degraded production situation, where we have one chance and one chance only, what would be the correct and proven remedy for the following situation?
 
Windows Server 2012 Standard (No R2!) build 6.2.9200;
DFSR of one replication group with 5 replicated folders, over dark fiber between two members at different data-centers;
Implemented in one-way replication “Mirroring” config, purely for redundancy and quick (manual) fail-over in case of failure or maintenance of a node;
Member one is currently “Live” and member two is/was “Active Standby”;
Approx. 2 TB in millions of files;
 
This setup has been working near perfectly for our purposes for many years since we started using it on Windows Server 2003.
 
On 03 March DFSR logged event 2213 on member 1 (the live member):

The DFS Replication service stopped replication on volume U:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
 
Additional Information:
Volume: U:
GUID: B49EFDDB-0DC2-435C-A6DD-65E07F1F554C

We understand member 1 now has a corrupt database and DFSR has been halted. Indeed we see that since 3rd March all the changes on member one have not been replicated to member 2, which has a healthy database but is now “stale”.
 
The recovery procedure suggested in the event log is definitely not what we need, because if we understand correctly then that will sync the stale member 2 back over the live member 1, losing all changes since March 3rd on member 1. Please remember: member 1 is live and fresh and contains all the correct versions, but has a corrupt database. Member two is stale since 3rd of March but has a healthy database.
 
So what can we do that doesn't entail weeks of preseeding (member two is already 99% preseeded, up to March 3rd), doesn't require more than a few hours of downtime at most, and most importantly won't lead to data loss (of the changes on member 1 since March 3rd)?
 
Although suggestions are welcome, we cannot afford taking great risks with guesswork and really need an empirically proven recovery method for this situation from somebody who knows what they’re talking about.
 
After we have recovered this situation, we will obviously take a look at our setup, and at the very least move up to Windows Server 2012 R2, where DFSR has undergone many improvements.
 
My colleague Tom is more in the know of the technical details, and he can provide any additional information if required.
 
Regards, Nick


Event ID 1863 and 1864 after in-place DC refresh from 2008 R2 to 2012


Our environment is quite simple, we have 3 DCs and one site.

DC1 (FSMO holder)

DC2

DC3

They were all 2008 R2 servers with the DFL and FFL both on 2008 R2. Recently I have been upgrading one at a time to Server 2012. When I say upgrade, I am building a brand new server as 2012, then cutting the old server over to it and renaming/re-IPing the new server to match the old server. I am following similar steps as provided here: http://msmvps.com/blogs/acefekay/archive/2010/10/09/remove-an-old-dc-and-introduce-a-new-dc-with-the-same-name-and-ip-address.aspx

Immediately after moving DC3 to 2012, I started receiving 3 errors per day under the Directory Service event log. They were all event ID 1864 (replication) and say

"This directory server has not received replication information from a number of directory servers within the configured latency interval. "

There is one event for each of the following:

Directory partition:

CN=Schema,CN=Configuration,DC=intra,DC=cas,DC=org

CN=Configuration,DC=intra,DC=cas,DC=org

DC=intra,DC=cas,DC=org

Interestingly enough, after 60 days the event went away (I believe our tombstone lifetime is set to 60 days). This past weekend I did DC2 and now I have the exact same error 3 times a day. This time it is labeled as event ID 1863 but has the exact same wording. I suspect after 60 days it too will disappear. But I am curious as to why I am getting it. Can I make it go away now, and did I do something wrong? Our DCs replicate every 5 minutes and there was at least 10-15 minutes in between demoting the old server (and removing it from the domain) and promoting the new one.

When running repadmin /showrepl, all of the replications are successful.

When running

repadmin /showvector /latency <partition-dn>   (as suggested in the error details)

I get:

C:\Users\OURUSER>repadmin /showvector /latency <OUR PARTITION-DN INFO>
Caching GUIDs.
..
e11c3ac2-18e7-4eb8-834c-c6670d1f4f8d @ USN     81230 @ Time (unknown)
ba407c28-b8ce-449a-89fe-f27b1521ec98 @ USN   1628347 @ Time (unknown)
5856b6d1-cd55-43c9-a00e-e3a9ffdf6fe8 @ USN      7799 @ Time (unknown)
54457437-3ad4-448a-900d-cdee9386828e @ USN     21734 @ Time (unknown)
e8b40225-5392-4a7e-9473-69f6007f0e30 @ USN  25005091 @ Time (unknown)
65a00f16-4842-46b1-a4fc-7c63eb53c3d8 @ USN  30991256 @ Time 2005-10-27 17:33:58
8e4f8edc-2df5-4d3f-a83e-7fe303dd5bb8 @ USN   3141255 @ Time 2007-09-14 16:40:24
378eb54f-bbd1-4f31-8ee0-bb363e3baa54 @ USN   2332345 @ Time 2008-12-13 03:09:10
12dafb44-873d-472a-af81-1dcbce83d691 @ USN   3410119 @ Time 2011-02-19 12:04:20
e4cdc57d-87a9-44a6-9462-59258377e449 @ USN 134210124 @ Time 2011-09-17 20:46:50
6fa89ebc-26d2-439c-b481-4db8c8a1ead0 @ USN 117915771 @ Time 2011-09-17 22:09:06
b9f30932-31f3-496d-baa7-e6dba9436373 @ USN  77103549 @ Time 2014-02-15 18:32:20
OURSITE\DC2 (deleted DSA)     @ USN  94389169 @ Time 2014-04-19 18:05:39
OURSITE\DC3                   @ USN   6690499 @ Time 2014-04-22 11:46:45
OURSITE\DC1                   @ USN 127299088 @ Time 2014-04-22 11:46:55
OURSITE\DC2                   @ USN    398281 @ Time 2014-04-22 11:46:58

From what I've read, this information provided is static and cannot be changed/deleted/cleaned up. Once OURSITE\DC2 (deleted DSA) runs the course of being tombstoned and becomes just a GUID listed, I think our errors will go away.

Doesn't the demotion take care of any metadata that I would have to worry about? I have the suspicion that I am having these issues due to keeping the same name and IP, I am just not sure where I went wrong.
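An added example, not from the poster or from the repadmin tool itself: a small Python parser over the `repadmin /showvector /latency` output quoted above that separates bare-GUID entries (already aged out of the name lookup) from named DSAs, flags the lingering `(deleted DSA)` entry, and lists named DSAs not seen within a chosen window. The sample text is a subset of the post's output, and the reference time and window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the showvector output quoted in the post above.
SAMPLE_OUTPUT = """\
Caching GUIDs.
..
e11c3ac2-18e7-4eb8-834c-c6670d1f4f8d @ USN     81230 @ Time (unknown)
65a00f16-4842-46b1-a4fc-7c63eb53c3d8 @ USN  30991256 @ Time 2005-10-27 17:33:58
b9f30932-31f3-496d-baa7-e6dba9436373 @ USN  77103549 @ Time 2014-02-15 18:32:20
OURSITE\\DC2 (deleted DSA)     @ USN  94389169 @ Time 2014-04-19 18:05:39
OURSITE\\DC3                   @ USN   6690499 @ Time 2014-04-22 11:46:45
OURSITE\\DC1                   @ USN 127299088 @ Time 2014-04-22 11:46:55
OURSITE\\DC2                   @ USN    398281 @ Time 2014-04-22 11:46:58
"""

VECTOR_RE = re.compile(r"^(?P<dsa>.+?)\s+@ USN\s+(?P<usn>\d+)\s+@ Time\s+(?P<time>.+)$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_showvector(text):
    """Return one dict per up-to-dateness vector entry; progress lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = VECTOR_RE.match(raw.strip())
        if not m:
            continue  # "Caching GUIDs." and ".." carry no vector data
        dsa = m.group("dsa").strip()
        stamp = m.group("time").strip()
        entries.append({
            "dsa": dsa,
            "usn": int(m.group("usn")),
            "time": None if stamp == "(unknown)" else datetime.strptime(stamp, TIME_FMT),
            "deleted": "(deleted DSA)" in dsa,
            # a bare GUID is a DSA whose NTDS Settings object no longer resolves to a name
            "named": not GUID_RE.match(dsa),
        })
    return entries


def deleted_dsas(entries):
    """DSAs repadmin still names but marks as deleted (the post's lingering DC2 entry)."""
    return [e["dsa"] for e in entries if e["deleted"]]


def stale_named_dsas(entries, now, max_age_days):
    """Named DSAs not seen within max_age_days of `now`; unknown time counts as stale."""
    cutoff = datetime.strptime(now, TIME_FMT) - timedelta(days=max_age_days)
    return [e["dsa"] for e in entries
            if e["named"] and (e["time"] is None or e["time"] < cutoff)]
```

Running the same parser over a fresh capture every day and diffing the `deleted_dsas` list is a cheap way to confirm the deleted entry really does disappear after the tombstone lifetime instead of waiting for the events to stop.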

 

how to configure DNS to support ipv4 and ipv6


I have a 2008 r2 domain controller in my lab.

I'm doing Exchange 2007, 2010 and 2013. I have mixed Windows 2008 R2 servers for other applications.

I'm running into issues where I'm thinking it is time to have both IPv4 & IPv6 running on all lab machines.

I can't get a clear picture on how to accomplish a mixed environment. In the DNS administrator do I create a new "reverse lookup zone" with only IPv6? Or do I have to create a new record in the "forward lookup zone" with both IPv4 & IPv6, with the latter pointing to the new "reverse lookup zone"?

I see a lot of internet articles but little on "how to".

Or on the DC should I enable the DHCP role to support IPv6?
