Channel: Directory Services forum

Authentication Issues


Hi,

Running Windows Server 2008R2 Active Directory, Symantec Backup Exec and Veeam Backup & Replication.  I have this occasional problem with Backup Exec (BE) where the login credentials are rejected.  I have 3 different backup jobs that run each night all using the same credentials but only one job will suffer from the invalid credentials issue in a night.  Then the next night it will work just fine without me changing anything.  So pretty intermittent.

I have believed this was a problem with BE but have yet to find a solution.  Recently I started testing Veeam and it has worked fine until last night's job where it too reported that it cannot complete the login due to an incorrect user name or password.

So I'm wondering if it's possible something in my network is interfering with authentication?  Any thoughts on how I can determine the cause of the problem?  I have looked at the AD's event logs and can't find anything related; it doesn't seem to report any failed logins at the time my backups ran.

Only thing I'm seeing in the System event log of the DC is a warning from the Kerberos-Key-Distribution-Center, event ID 29.  It states it can't find a suitable certificate to use for smart card logons or the KDC certificate could not be verified.  When I looked this message up it refers to a Certificate Authority but I don't think I have one installed.  Could this be part of the problem?

Any help is greatly appreciated.

Thanks in advance,

Linn


Advice required for dealing with a DC that has exceeded the tombstone lifetime (ID 2042)


I have a server (2003 R2 Standard) that appears to have had replication issues and is beyond the tombstone lifetime. The Primary DC holds all FSMO roles (Server 2008 R2 Standard) and this is the only other DC on the domain and this is on a single site.

We are experiencing various problems on the domain over the last few days. (Users receive "The trust relationship between this workstation and primary domain failed.", general logon problems on other PCs and member servers, Event ID 4)

The 2003 DC is due to be demoted but I want to clean up the situation and need some assistance in going down the correct route.

I think I should plan to

repadmin /removelingeringobjects

demote the server once the replication is functioning again.

Is it a valid option to just force-demote the 2003 DC and then clean up the metadata? I ask as I plan to demote that server anyway, but Microsoft documentation seems to suggest this is a last resort.

I tried to run the repadmin with the /advisory_mode switch but this failed with "Can't retrieve message string" errors but this may be down to my incorrect command use.

Thanks in advance for any assistance.

Techie247

Domain Migration


I have two locations, Location A and Location B. At both places I have a test.co.in forest. First we created the forest test.co.in at Location A. When it was created at Location B, it was created as a separate forest; no replication happened between the two locations.

As of now we don't have any communication between these two locations.

My requirement is to consolidate these two forests, which have the same naming convention, into one. I mean either Location A or B will hold the DC and the other will be demoted; I need to transfer all the resources from Location A to B, where my DC will be available.

Please suggest what the possible ways are to achieve this.


Kiran.d.patel

Account Lockout issue between Apple devices and Exchange 2003


I have been having an ongoing issue for a couple of months with a few different users Apple devices locking out their accounts in AD when they try to authenticate to ActiveSync.  This doesn't happen every time they authenticate, it seems to be random, while the rest of the time they have access to their email.  It might occasionally happen with an Android, but not on a repetitive basis like this.

Primarily this has been four different iPads, running different versions of iOS, and an iPhone running the latest release of iOS 7.  Other iPhones and iPads function without having the problem, including iPhones on iOS 7.  

The user accounts in question are set to never have their passwords expire, but again, they aren't the only users that are set like this, and those other users, even with Apple devices are not having the same problem.

I used NetWrix to trace out the source machine, which is my Exchange 2003 server and times, and I've checked the W3SVC1 log file, and come up with the following as an example with identification details masked:

<internal IP>, <Domain\Username>, 4/30/2014, 8:10:04, W3SVC1, <ServerName>, <internal IP>, 15, 329, 3367926, 200, 0, GET, /exchange-oma/<username@domain.com>/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplV50462*****/eb53cd5d5b9fcf40****************-20ef44, -,

As I was typing this, the owner of the iPad from the log file above came by my desk, so I asked a couple more questions.  He's never had another iPad, it's a gen 1, and he's never updated the iOS on it.  I know one of the other iPads in question has the most up to date iOS, and the other one is brand new, replacing one that was broken, but the owner of that one had the same issue on a 3 year old iOS.  

There is nothing special about the user accounts, no special privileges or restrictions.

Has anyone encountered this before?  Exchange 2003, Server 2003 in a 2008 domain.  Promotion to the 2008 domain was 2 years ago.

ADMT v3.2 WRN1:7814 A unique match was not found. The source object


I am having a problem with ADMT. Basically it thinks it finds duplicate objects:

[Object Migration Section]
2014-04-30 13:25:21 Starting Account Replicator.
2014-04-30 13:25:22 WRN1:7814 A unique match was not found. The source object 'CN=Robert Williams,OU=KnowMoreIT.Info,OU=Microsoft Exchange Hosted Organizations,DC=host,DC=local' matches the following target objects 'CN=Robert Williams,OU=SCI,OU=CC,OU=Hosting,DC=cloud,DC=local', 'CN=Robert Williams,OU=FOR,OU=CC,OU=Hosting,DC=cloud,DC=local'.
2014-04-30 13:25:22 Operation completed.

Here is the issue:
There isn't a duplicate! The sAMAccountName's for both the objects in the new domain are different! One is rwilliams1 and the other is rwilliams2. The UserPrincipalName is different. The SID is different. What exactly is it comparing that it is seeing that they are the same and not letting me merge these accounts?

I'm trying to migrate from Exchange 2010 SP1 /hosting to SP2. Everything is going well except for issues like this that I run into.

Also is there a better way to do this if in the old domain the sAMAccountName is like jdoe but in the new domain you want it to be jdoe1?


ActiveDirectory Replication failing after a day


Please excuse the wall of text that is about to assail you. I have been at this problem for several weeks and have read every Google search and TechNet article I can lay my hands on that seems in any way relevant. So here goes.

The scenario:

I have two servers, one in New Hampshire, the other in Maryland. They are both domain controllers. The one in New Hampshire is an SBS 2011 server, the one in Maryland a 2008 R2 regular server. The two are linked by a pair of ZyWall 200 units creating an IPSec tunnel for the two sites. SiteNH uses the subnet 10.0.0.0/24 and SiteMD uses the subnet 10.0.1.0/24. When the MD server was brought down to its final location it had been unplugged for well beyond the tombstone lifetime for Active Directory, so as per recommendations I read here, I forcefully demoted it, did a metadata cleanup and rejoined it and re-promoted it. After that we set up a DFS store between the two servers to replicate a particular directory's data. All this worked flawlessly for a little over 24 hours.

The first problem that showed up was that the DFS stopped replicating. It was showing the following errors in the event log:

Event ID: 5002
The DFS Replication service encountered an error communicating with partner MAIN-SBS for replication group galaxy.local\galaxydfs\companymaryland.

About the same time this showed up, a few other errors also showed up in the ActiveDirectory event log:

Event ID: 1311
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition

Event ID: 1865
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

Event ID: 1566
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.

While this was happening, I checked "repadmin /showrepl" and saw that all replication points had failed with "The remote procedure call failed and did not execute". Also a "repadmin /replicate main-md main-sbs DC=galaxy,DC=local /force" failed with a similar error. At this point I was thinking connectivity. However, from the Maryland server I could ping the NH server without a problem, which also meant I was getting DNS resolution. I was also able to successfully ping the NH server using "rpcping -s main-sbs" without a problem. Also, client computers at the Maryland site could still access the NH server directly through "\\main-sbs" without a problem. Checking the ZyWalls themselves also didn't turn up any problems; the VPN was established and showed no problems over the last 24 hours. However, no matter what I did Active Directory would not replicate. In an act of desperation I just tried a reboot of the Maryland server; once it came back up I tried another manual replication, which surprisingly worked fine. Suddenly the DFS started replicating as well, and a few hours later everything was properly replicated and working perfectly. Given that I couldn't find a problem I figured this wasn't the end, and about 24 hours later it all stopped working again, in exactly the same way.

At this point I'm a bit baffled. Directory Services seems to fall apart every 24 hours, rebooting the remote server in Maryland fixes it for another 24 hours, and when it stops working complaining of RPC communication failures, RPC still seems to be working fine both across the VPN from clients and even on the broken server itself via rpcping in either direction. The only other event of any interest is:

Event ID: 4005
The Windows logon process has unexpectedly terminated.

This tends to start showing up once the directory services stop working; not sure if it's a symptom or a cause, however. Googling for that event in conjunction with the directory services errors turned up nothing. The only other cause I've read about is a lack of memory or system resources, however that doesn't seem to be a problem on either server. The SBS server has 32GB of memory and though it tends to use most of it there is usually at least 1-2GB free. The 2008 R2 server has 16GB of memory and usually has well over 12GB of it free as it does nothing more than host AD and DFS. I expect there will probably be further questions or diagnostic requests; please feel free to ask, at this point I'll try almost anything. I have just about run out of ideas for this one. Thanks in advance!

Justin Shea
LAN Network Connections, Inc.

ADFS 2012 / multiple domains?


We have ADFS 2012 installed and running under domain foo.com.  Would also like to be able to simultaneously run ADFS under domain bar.com as well.  Is this possible using passive use case / ws-federation?  If so, how do you setup?

thanks

RID Master not allocating new rid pool


 Hi guys,

I am having some problems with my server. I am unable to create new AD objects, with the message "the directory has exhausted the pool of relative identifiers". I have an SBS 2003 environment with only that as the DC. However, a while ago the previous admin promoted another server (Server 2003) as a backup DC, and later on the network was split and the secondary DC was no longer connected to the domain. It was not demoted or anything like that. The network was split in two and now, after almost a year, I am unable to create new objects. The PDC has all the FSMO roles as indicated when I run the netdom query fsmo command. Below is the dcdiag /v output:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine wsgpdc, is a DC. 
   * Connecting to directory service on server wsgpdc.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\WSGPDC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... WSGPDC passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\WSGPDC
      Starting test: Replications
         * Replications Check
         [Replications Check,WSGPDC] Inbound replication is disabled.
         To correct, run "repadmin /options WSGPDC -DISABLE_INBOUND_REPL"
         [Replications Check,WSGPDC] Outbound replication is disabled.
         To correct, run "repadmin /options WSGPDC -DISABLE_OUTBOUND_REPL"
         ......................... WSGPDC failed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC WSGPDC.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=WSG,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=WSG,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=WSG,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=WSG,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=WSG,DC=local
            (Domain,Version 2)
         ......................... WSGPDC passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\WSGPDC\netlogon
         Verified share \\WSGPDC\sysvol
         ......................... WSGPDC passed test NetLogons
      Starting test: Advertising
         The DC WSGPDC is advertising itself as a DC and having a DS.
         The DC WSGPDC is advertising as an LDAP server
         The DC WSGPDC is advertising as having a writeable directory
         The DC WSGPDC is advertising as a Key Distribution Center
         The DC WSGPDC is advertising as a time server
         The DS WSGPDC is advertising as a GC.
         ......................... WSGPDC passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=WSGPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WSG,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=WSGPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WSG,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=WSGPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WSG,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=WSGPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WSG,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=WSGPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WSG,DC=local
         ......................... WSGPDC passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 2609 to 1073741823
         * wsgpdc.WSG.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 2109 to 2608
         * rIDPreviousAllocationPool is 2109 to 2608
         * rIDNextRID: 2608
         * Warning :Next rid pool not allocated
         * Warning :There is less than 0% available RIDs in the current pool
         ......................... WSGPDC passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC WSGPDC on DC WSGPDC.
         * SPN found :LDAP/wsgpdc.WSG.local/WSG.local
         * SPN found :LDAP/wsgpdc.WSG.local
         * SPN found :LDAP/WSGPDC
         * SPN found :LDAP/wsgpdc.WSG.local/WSG
         * SPN found :LDAP/2af33017-abf3-4f05-9b9c-c19eb3868401._msdcs.WSG.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2af33017-abf3-4f05-9b9c-c19eb3868401/WSG.local
         * SPN found :HOST/wsgpdc.WSG.local/WSG.local
         * SPN found :HOST/wsgpdc.WSG.local
         * SPN found :HOST/WSGPDC
         * SPN found :HOST/wsgpdc.WSG.local/WSG
         * SPN found :GC/wsgpdc.WSG.local/WSG.local
         ......................... WSGPDC passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [WSGPDC]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... WSGPDC failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         WSGPDC is in domain DC=WSG,DC=local
         Checking for CN=WSGPDC,OU=Domain Controllers,DC=WSG,DC=local in domain DC=WSG,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=WSGPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WSG,DC=local in domain CN=Configuration,DC=WSG,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... WSGPDC passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... WSGPDC passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test 
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems. 
         An Error Event occured.  EventID: 0xC0003500
            Time Generated: 04/29/2014   06:19:58
            (Event String could not be retrieved)
         ......................... WSGPDC failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... WSGPDC passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/29/2014   18:58:21
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/29/2014   18:58:22
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/29/2014   18:58:22
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/29/2014   18:58:22
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/29/2014   18:58:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/29/2014   18:58:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/29/2014   18:58:24
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/29/2014   18:58:31
            (Event String could not be retrieved)
         ......................... WSGPDC failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=WSGPDC,OU=Domain Controllers,DC=WSG,DC=local and backlink on
         CN=WSGPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WSG,DC=local
         are correct. 
         The system object reference (frsComputerReferenceBL)
         CN=WSGPDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=WSG,DC=local
         and backlink on CN=WSGPDC,OU=Domain Controllers,DC=WSG,DC=local are
         correct. 
         The system object reference (serverReferenceBL)
         CN=WSGPDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=WSG,DC=local
         and backlink on
         CN=NTDS Settings,CN=WSGPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WSG,DC=local
         are correct. 
         ......................... WSGPDC passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : WSG
      Starting test: CrossRefValidation
         ......................... WSG passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... WSG passed test CheckSDRefDom
   
   Running enterprise tests on : WSG.local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided. 
         ......................... WSG.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\wsgpdc.WSG.local
         Locator Flags: 0xe00001fd
         PDC Name: \\wsgpdc.WSG.local
         Locator Flags: 0xe00001fd
         Time Server Name: \\wsgpdc.WSG.local
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\wsgpdc.WSG.local
         Locator Flags: 0xe00001fd
         KDC Name: \\wsgpdc.WSG.local
         Locator Flags: 0xe00001fd
         ......................... WSG.local passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

Also, another problem I am experiencing seems to point to my DNS service which also runs on the same machine. When I try to open Active Directory snap ins, it indicates that the domain does not exist or cannot be contacted and the AD is unable to load. 

I'd really appreciate any help at the moment. Thanks in advance.

Shawn
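The RidManager section of the dcdiag output above is reading packed 64-bit attributes: rIDAllocationPool, rIDPreviousAllocationPool and the domain-wide rIDAvailablePool each hold the first RID of the range in the low 32 bits and the last RID in the high 32 bits. The script below is an added example, not from the post, that reads those attributes for every DC and flags the condition dcdiag reported (current and previous pool identical, rIDNextRID at the pool end, no new pool allocated). It assumes the ActiveDirectory RSAT module and PowerShell 3.0 or later on the machine running it.

```powershell
# Added example: report RID pool consumption per DC and flag a DC whose next
# pool was never allocated (typically because it cannot reach the RID master
# or because inbound/outbound replication is disabled, as in the dcdiag above).
# Assumes the ActiveDirectory RSAT module and PowerShell 3.0+ (for -shr).
Import-Module ActiveDirectory

# Packed pool value: low 32 bits = first RID, high 32 bits = last RID.
function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][int64]$Packed)
    [pscustomobject]@{
        Start = [int64]($Packed -band [int64]4294967295)
        End   = [int64]($Packed -shr 32)
    }
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    # The domain-wide unallocated range lives on CN=RID Manager$,CN=System,<domain DN>
    $ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($dom.DistinguishedName)" `
        -Server $dom.RIDMaster -Properties rIDAvailablePool
    $avail = ConvertFrom-RidPool $ridMgr.rIDAvailablePool

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # Each DC's computer object links to its own "RID Set" via rIDSetReferences.
        # Read it from the DC itself so we see that DC's local view of its pool.
        $comp = Get-ADComputer -Identity $dc.Name -Server $dc.HostName -Properties rIDSetReferences
        $ridSetDn = $comp.rIDSetReferences | Select-Object -First 1
        if (-not $ridSetDn) { continue }
        $ridSet = Get-ADObject -Identity $ridSetDn -Server $dc.HostName `
            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID

        $current   = ConvertFrom-RidPool $ridSet.rIDAllocationPool
        $previous  = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
        $nextRid   = [int64]$ridSet.rIDNextRID        # last RID handed out
        $remaining = $current.End - $nextRid          # RIDs left before the pool end

        # When a fresh pool has been granted, rIDAllocationPool moves ahead of
        # rIDPreviousAllocationPool. If they are identical and the pool is
        # nearly used up, object creation on this DC is about to fail.
        $nextPoolAllocated = ($current.Start -ne $previous.Start)
        $warning = ''
        if (-not $nextPoolAllocated -and $remaining -le 50) {
            $warning = 'Next RID pool not allocated; check replication with the RID master'
        }

        [pscustomobject]@{
            DC                = $dc.HostName
            CurrentPool       = "$($current.Start)-$($current.End)"
            PreviousPool      = "$($previous.Start)-$($previous.End)"
            NextRid           = $nextRid
            Remaining         = $remaining
            NextPoolAllocated = $nextPoolAllocated
            DomainPoolStart   = $avail.Start
            DomainPoolEnd     = $avail.End
            Warning           = $warning
        }
    }
}

Get-RidPoolStatus | Format-Table -AutoSize
```

With the values dcdiag printed for WSGPDC (current and previous pool 2109-2608, rIDNextRID 2608, domain pool starting at 2609) the DC row shows Remaining 0, NextPoolAllocated False and the warning, which is the "exhausted the pool of relative identifiers" state described in the post.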


Unique Functions of Root Domain

Hello,

I am trying to think through the unique functions of the ROOT domain. Let's say our Windows 2008 forest ROOT domain was CARS.com and I virtualized DC1 from RED.CARS.com into an isolated lab environment. If I seized all roles to DC1.RED.CARS.com and ran NTDSUtil to remove metadata about other DCs and sites, would this DC effectively become the forest root and be capable of all functions? What issues would exist going forward with this lab environment? I'm thinking of issues such as the configuration and schema partitions still being hardcoded throughout ADSIEDIT to point to CARS.com, etc.

Thanks for your input. 

Robert

Restore AD to test Environment


Trying to restore two domain controllers to a test environment.

I am unable to get the domain controllers to sync. One of the servers is our FSMO role holder. I receive an error when running the command netdom query fsmo.

How do I get the servers to start replicating to each other? Each server shows the domain is unavailable. DNS is not functioning on either server.

dcpromo over high latency WAN connection


I have a remote site connected to the internet with a satellite WAN connection which has a high latency (ping=750ms). Because of this high latency I can't replicate AD through RPC. Therefore I decided to create a child domain for that site in order to use SMTP for AD replication. I demoted the remote site domain controller and now I'm trying to promote it again as a child domain, but I'm also having problems getting the initial replication done as it also uses RPC. While promoting to domain controller it stops at "Replicating the schema directory partition". In the Event Viewer I see errors 1125 and 1962, both saying "The RPC server is unavailable".

I've isolated the cause of the RPC problem to the high latency of the WAN connection. I've turned off the firewall on both sides. The parent domain DC is also replicating with another site without any problem, so I'm sure the RPC service is OK there. From the remote site I can access the parent domain controller with no problem: I can resolve it in DNS, and I can add and remove the remote server to and from AD.

I've also considered promoting the domain controller using IFM (Install From Media) but I think it only works for domain controllers in the same domain (not for a child domain).

Remote site server is running Windows 2012 and the parent site server is running Windows 2008 R2. Parent Domain and Forest are at Windows 2003 level. The remote site is linked to the parent site using an IPsec VPN.

How can I overcome the RPC problem over a high latency network in order to promote the domain controller?

how to set password after checking password history using vbscript?


Hi Guys,

I am developing a VBScript (actually an ASP application) to change AD user account passwords. I am trying to set the password using the SetPassword() method. But this method does not check the password history. I am able to set the same password again and again even though password history is enabled in group policy to remember the last 6 passwords.

Please let me know if there are any ways to set a password using VBScript after checking the password history of the user.

Ex: if the existing password is April#2014, I should get an error message when I try to set the same password again using VBScript.

Thanks in advance.

Deva
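The behaviour in the post follows from which IADsUser method is called: SetPassword() is an administrative reset and is not checked against password history, while ChangePassword(oldPassword, newPassword) is a user-initiated change that the DC validates against the domain policy (history, minimum age, length and complexity). The following is an added example, not the poster's code, that calls the same ADSI interface from PowerShell; the user DN is a hypothetical placeholder and the caller is assumed to hold the user's current password.

```powershell
# Added example: change a password through IADsUser.ChangePassword() so that
# the DC enforces password history, instead of SetPassword(), which resets it
# without a history check. The DN below is a hypothetical placeholder.
function Set-UserPasswordWithHistoryCheck {
    param(
        [Parameter(Mandatory)][string]$UserDn,       # e.g. 'CN=Jane Doe,OU=Users,DC=example,DC=com'
        [Parameter(Mandatory)][string]$OldPassword,
        [Parameter(Mandatory)][string]$NewPassword
    )
    $user = [ADSI]"LDAP://$UserDn"
    try {
        # Validated by the DC: a value still in the password history (for
        # example the current password again) is refused here, not accepted.
        $user.ChangePassword($OldPassword, $NewPassword)
        return [pscustomobject]@{ Changed = $true; Reason = '' }
    } catch {
        # Policy rejections commonly surface as HRESULT 0x800708C5 ("The password
        # does not meet the password policy requirements..."); report the code
        # and message so the caller can distinguish policy from connectivity errors.
        $ex = if ($_.Exception.InnerException) { $_.Exception.InnerException } else { $_.Exception }
        return [pscustomobject]@{
            Changed = $false
            Reason  = ('0x{0:X8}: {1}' -f $ex.HResult, $ex.Message)
        }
    }
}

# Reusing the current password, as in the post's April#2014 example, comes back
# with Changed = $false and the policy error instead of silently succeeding.
Set-UserPasswordWithHistoryCheck -UserDn 'CN=Jane Doe,OU=Users,DC=example,DC=com' `
    -OldPassword 'April#2014' -NewPassword 'April#2014'
```

An ASP page that must let an administrator reset a password it does not know cannot use ChangePassword(); in that case the history check has to be done by policy on the user's next change, since a reset intentionally bypasses it.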

ADDS FSMO AND GLOBAL CATALOG DISAPPEARED AFTER MIGRATION TO 2012 FROM 2003 DC


I have migrated AD and DC/FSMO from my Windows Server 2003 to 2012 Datacenter. I have encountered a few errors along the way but was able to overcome them (by turning on Remote Registry Service) and verify at the end of the migration that my FSMO roles have successfully transferred to new Win Server 2012 AD by running netdom query FSMO. The command returned a success response. I have used the following instructions to migrate DC and FSMO:

http://blogs.technet.com/b/canitpro/archive/2013/05/05/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-2003-network.aspx

This one to transfer all the FSMO roles and retire the old 2003 box:

https://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx

Once I verified that the migration of the FSMO roles and Global Catalog succeeded, I moved on to migrating Exchange 2003 to 2010. After about 2 weeks, AFTER A REBOOT, my 12 Exchange services do not start and the Exchange server is displaying Kerberos authentication error code 0x80090311. Also it doesn't see the Active Directory server.

I went on the 2012 Active Directory Server (which is a separate server from Exchange) and noticed that FSMO roles and global catalog have disappeared. No connection to global catalog yet I can still log into the domain. What did just happen?

Netdom query FSMO returns: The specified domain either does not exist or could not be contacted. The command failed to complete successfully.

Here are additional errors listed below:

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

---
Active Directory Domain Services was unable to establish a connection with the global catalog.
 
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
32013c0
 
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

---
This is the replication status for the following directory partition on this directory server.
 
Directory partition:
CN=Configuration,DC=BlaDomain,DC=Blalubber,DC=com
 
This directory server has not received replication information from a number of directory servers within the configured latency interval.
 
Latency Interval (Hours):
24
Number of directory servers in all sites:
1
Number of directory servers in this site:
1
 
The latency interval can be modified with the following registry key.
 
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
 
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

---
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
 
Attempts:
66
Directory service:
CN=NTDS Settings,CN=VIPMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=BlaDomain,DC=Blalubber,DC=com
Period of time (minutes):
1582
 
The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
 
Additional Data
Error value:
1908 Could not find the domain controller for this domain.

---
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
 
 Directory instance: NTDS
 Directory instance LDAP port: 389
 Directory instance SSL port: 636

---

Everything was working just a few weeks ago. What happened? I am confused. Any help is appreciated. Thanks in advance.

Can't we seize the Schema FSMO role? Isn't it recommended?

Can't we seize the Schema FSMO role? Isn't it recommended?

[Forum FAQ] AD / SYSVOL Version Mismatch Errors

This FAQ article describes two scenarios for AD/Sysvol version mismatch errors (Figure 1) in the group policy reporting tools, which may occur on Windows 8, Windows 2012, Windows 8.1 or Windows 2012 R2 computers.

Figure 1: AD / SYSVOL Version Mismatch

Scenario One

Symptom

Assume that we run the Group Policy Modeling Wizard from the Group Policy Management Console (GPMC) snap-in, or gpresult /h, on a Windows 8-based, Windows Server 2012-based, Windows 8.1-based, or Windows Server 2012 R2-based machine. The alerts section of the Group Policy Results reports: AD / SYSVOL version mismatch.

Cause

As explained in KB2866345, this issue can occur because one or more Group Policy Objects (GPOs) cannot be applied due to security filtering or Windows Management Instrumentation (WMI) filtering.

Solution

KB2866345 lists corresponding hotfixes for the different operating systems; we can install the hotfix and check whether the issue persists.


Auditing Active Directory group

I was wondering if there is a way that if you add a user to a certain group it would add an entry into the event logs, and then we can set up a scheduled task to send us an email alert every time we see that event ID.

We need to audit one particular group that sends out an email notification if someone were to get added to that group, and that group only.  I need to be able to get an email alert when this happens. The only way I know how to get an email alert for this is for it to trigger an event ID and then use Task Scheduler to send an email on that event ID.

Can this be done? If so, how would you go about auditing only one group?
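
An added example, not part of the post above: the events that "Audit Security Group Management" writes to a domain controller's Security log (4728, 4732 and 4756, member added to a global, domain-local or universal security group) carry the group name in the TargetUserName field, so a filter on that one field limits the alert to a single group. The group name, SMTP relay, mailbox and script path below are placeholders; the sample event XML is constructed to show the parsing offline.

```powershell
# Added example (not from the forum post). Detect additions to ONE specific AD group from
# the Security log events that "Audit Security Group Management" produces:
#   4728 = member added to a global security group
#   4732 = member added to a domain-local security group
#   4756 = member added to a universal security group
# Placeholders (assumptions, not from the post): group 'Sensitive-Group', relay
# 'smtp.example.internal', recipient 'soc@example.internal'.
$GroupName  = 'Sensitive-Group'
$SmtpServer = 'smtp.example.internal'
$AlertTo    = 'soc@example.internal'

# Enable the audit subcategory once on each DC (success is enough for "member added"):
#   auditpol /set /subcategory:"Security Group Management" /success:enable

# Turn one event's XML into the fields a responder needs.
function ConvertFrom-GroupChangeEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId     = [int]$EventXml.Event.System.EventID
        Time        = $EventXml.Event.System.TimeCreated.SystemTime
        Group       = $data['TargetUserName']     # the group that gained a member
        Member      = $data['MemberName']         # DN of the account that was added
        ActorDomain = $data['SubjectDomainName']
        Actor       = $data['SubjectUserName']    # who made the change
    }
}

# Read matching events from the local Security log and keep only the watched group.
function Get-WatchedGroupAdditions {
    param([string]$Group = $GroupName, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GroupChangeEvent ([xml]$_.ToXml()) } |
        Where-Object { $_.Group -eq $Group }
}

# Mail one alert per addition found.
function Send-GroupAdditionAlert {
    param([string]$Group = $GroupName)
    foreach ($hit in Get-WatchedGroupAdditions -Group $Group) {
        $body = "Event $($hit.EventId) at $($hit.Time): $($hit.ActorDomain)\$($hit.Actor) added $($hit.Member) to '$($hit.Group)'."
        Send-MailMessage -SmtpServer $SmtpServer -To $AlertTo -From 'dc-audit@example.internal' -Subject "Membership change: $Group" -Body $body
    }
}

# Constructed sample event (not a real log entry) so the parser can be exercised offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2014-01-01T01:02:03.000Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=New User,OU=Staff,DC=example,DC=internal</Data>
    <Data Name="TargetUserName">Sensitive-Group</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">admin1</Data>
  </EventData>
</Event>
'@
ConvertFrom-GroupChangeEvent ([xml]$sampleXml) | Format-List

# Let Task Scheduler start the script the moment a matching event is written. The XPath
# filter already restricts the trigger to the watched group, so the task does not fire for
# every group change in the domain (one-line cmd syntax, shown here as a comment):
#   schtasks /create /tn "Alert-SensitiveGroup" /ru SYSTEM /sc ONEVENT /ec Security /mo "*[System[(EventID=4728 or EventID=4732 or EventID=4756)] and EventData[Data[@Name='TargetUserName']='Sensitive-Group']]" /tr "powershell.exe -NoProfile -File C:\Scripts\Alert-GroupChange.ps1"
```

The events are written only on the domain controller that processed the change, so the task has to exist on every DC (or the Security logs have to be forwarded to one collector). Nested additions are not covered: adding a group to the watched group produces the same event with the group's DN in MemberName, but additions to that nested group do not mention the watched group at all.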

Forest Trust Issues (Group Membership Issues)


OK - this is going to be long. I hope I am detailed enough.

Four domains, each in their own forests:

domain.w.com

domain.x.com

domain.y.com

domain.z.com

For the sake of everyone, I'll refer to each domain as "w" or "x", which would be domain.w.com and domain.x.com, respectively.

Domains x, y, and z all have users that require access to resources on domain w. Remember - each domain is in its own forest.

Three trusts were created on domain w. Since the users on domain w do not need any resources on the other domains, three "ONE-WAY:OUTGOING" trusts were created (one for each) via Active Directory Domains and Trusts on domain w. The option to create the trust (have it show up in Active Directory Domains and Trusts) in the other domains (in this case x, y, and z) was selected.

After the trusts were created from domain w, the trusts were verified. Administrators on domain w could "verify" the trusts (using admin accounts created for them on the three trusted domains).

Since everything looked good (domain w shows up as an incoming trust for the other three domains), permissions for specific users on domains x, y, and z were granted for a share in domain w.

Only... that didn't happen. When attempting to change permissions on the share, administrators were able to change the working domain directory to either x, y, or z... but searching returned zero results. Zilch.

*It should be noted that this scenario has been in place for quite some time now, and that all groups/users previously defined on the share (that belong to the three domains trusted by domain w) now all show up as SIDs.

When attempting to verify (validate) the incoming trust on any of the three domains, the error "Windows cannot find an Active Directory Domain Controller for the domain.w.com domain. Verify that an AD DC is available and then try again." is returned.

Pinging domain.w.com returns the correct address. Direct pings to both domain controllers on domain w are also working. Domain w can also do the same pings that I just listed to all three other domains with correct results.

There is no firewall in between these forests.

I am leaning towards a DNS or AD issue on the domain w side. This all occurred at once on the same day last week, and no changes were made on x, y, or z. Of course... domain w is another entity and they are saying they have no clue why it's not working.

Questions:

Should I be able to verify the trust from x, y, or z to domain w?

Why can't domain w see the users/groups in the other domains?

Why does domain w validate the trust if the other three domains can't?

Could this be caused by some setting in GPO having to do with LDAP security, signing requirements, or authentication settings?

Any help is much appreciated.

Chris

Bind DN/Username for LDAP

I am trying to find out what the Bind DN username would be for my environment.  I have set up LDAP on a server and created the AD LDS instance but I need to integrate our Barracuda spam filter with LDAP and every username I try fails. How would I find the Bind DN/Username?
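
An added example, not part of the post and not Barracuda's or Microsoft's documentation: a PowerShell test of a simple LDAP bind against an AD LDS instance using the .NET System.DirectoryServices.Protocols classes, plus a search that returns the distinguishedName of an account so that exact DN can be copied into the appliance's Bind DN field. The server name, port, partition DN and account names are placeholders.

```powershell
# Added example (not from the post or from Barracuda). Confirm which bind identity an AD LDS
# instance accepts before typing it into an appliance. Placeholders (assumptions):
# server 'adlds01.example.internal', port 389, partition 'DC=example,DC=internal'.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'adlds01.example.internal'
$Port      = 389                         # 636 with $UseSsl = $true for LDAPS
$UseSsl    = $false
$Partition = 'DC=example,DC=internal'    # the application partition created with the instance

# Simple bind = plain DN + password, which is what a "Bind DN / username" field sends.
# Returns the open connection on success, $null on failure.
function Connect-AdLdsSimpleBind {
    param(
        [Parameter(Mandatory)][string]$BindDn,
        [Parameter(Mandatory)][securestring]$Password
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    try {
        $conn.Bind()                      # throws LdapException (result code 49 = invalid credentials)
        return $conn
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "Bind as '$BindDn' failed: $($_.Exception.Message) (code $($_.Exception.ErrorCode))"
        $conn.Dispose()
        return $null
    }
}

# Find the distinguishedName of a user object by its cn over an already-bound connection.
# The DN that comes back is the value to use as Bind DN.
function Find-AdLdsUserDn {
    param(
        [Parameter(Mandatory)]$Connection,
        [Parameter(Mandatory)][string]$Cn
    )
    $filter = "(&(objectClass=user)(cn=$Cn))"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($Partition, $filter, 'Subtree', @('distinguishedName'))
    $resp = $Connection.SendRequest($req)
    foreach ($entry in $resp.Entries) { $entry.DistinguishedName }
}

# Usage: bind with an account that can read the partition, look up the service account's
# DN, then prove that DN itself can bind before configuring the appliance with it.
$adminDn = 'CN=ldsadmin,DC=example,DC=internal'                        # placeholder
$adminPw = Read-Host -AsSecureString "Password for $adminDn"
$conn = Connect-AdLdsSimpleBind -BindDn $adminDn -Password $adminPw
if ($conn) {
    $svcDn = Find-AdLdsUserDn -Connection $conn -Cn 'svc-spamfilter'     # placeholder account
    "Candidate Bind DN: $svcDn"
    $svcPw = Read-Host -AsSecureString "Password for $svcDn"
    if (Connect-AdLdsSimpleBind -BindDn $svcDn -Password $svcPw) { 'Service account bind OK' }
    $conn.Dispose()
}
```

Two things the test makes visible: a simple bind only works for an account that exists as a user object inside the AD LDS partition (a Windows domain account is authenticated by AD LDS through Negotiate, not through a DN, so an appliance that only does simple binds needs an account created in the instance), and a simple bind sends the password in clear unless the LDAPS port is used, so once the DN is known the appliance should be pointed at 636.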

Display of computer object in permissions of object


After having renamed a computer in the domain, I noticed that I had to create a computer object with the new name and an entry to DNS. When I wanted to grant the relevant permissions I noticed that automatically created records have computernames displayed differently from manually added computers.

By default a computer object (displayed HOSTNAME$) has full control on the DNS entry.

A manually added ACE for a hostname is displayed HOSTNAME (DOMAIN\HOSTNAME)

The icon for HOSTNAME$ is the same as for a user; the icon for HOSTNAME (DOMAIN\HOSTNAME) is the usual one, as displayed in Active Directory Users and Computers.

Why is that and can I fix it?

Thanks in advance

Ports Required for Trusts bidirectional or unidirectional for Internal client–External domain domain controllers ?


Hello! A bit confused trying to find out the direction of the ports for an internal client–external domain domain controller trust.

I know the communication between the child domain computer subnet and the root DCs uses the following ports. But I am not very sure which direction it should be?

Is it bidirectional or unidirectional? Please help!

- tcp 135
- tcp/udp 389
- tcp 3268
- tcp/udp 88
- tcp/udp 53
- tcp 3268
- tcp 445
- dynamic RPC ports for NTDS, Netlogon


Anoop C Nair - @anoopmannur :: MY Site: www.AnoopCNair.com ::FaceBook: ConfigMgr(SCCM) Page ::Linkedin: Linkedin<
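
An added example, not from either post, that serves both the forest-trust question above (the trusted domains cannot locate a DC for domain.w.com) and this port-direction question: run from a machine on the side that initiates the connection, it resolves the DC locator SRV record of the remote domain and probes each TCP port from the list above on every DC the record names. The target domain name domain.w.com is taken from the trust post; no DC names are assumed, they come from DNS. Resolve-DnsName and Test-NetConnection need Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the posts). From the initiating side, locate the remote domain's
# DCs the way the DC locator does and check the listed TCP ports on each one.
$TargetDomain = 'domain.w.com'    # trusted/remote domain from the trust post (replace as needed)

# Ports from the post; Test-NetConnection probes TCP only, so the UDP halves of 53/88/389
# are not covered here. The dynamic RPC ports cannot be probed until 135 hands one out.
$TrustPorts = [ordered]@{
    'RPC endpoint mapper' = 135
    'DNS'                 = 53
    'Kerberos'            = 88
    'LDAP'                = 389
    'SMB'                 = 445
    'Global Catalog'      = 3268
}

# _ldap._tcp.dc._msdcs.<domain> is the SRV record the locator (and trust validation) queries.
# If this lookup fails, "Windows cannot find an Active Directory Domain Controller" is expected.
function Get-DomainControllerHosts {
    param([string]$Domain)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

# One row per DC and port: Open = $true means a TCP connection from here reached the DC.
function Test-DomainControllerPorts {
    param([string]$Domain = $TargetDomain)
    foreach ($dc in Get-DomainControllerHosts -Domain $Domain) {
        foreach ($entry in $TrustPorts.GetEnumerator()) {
            $r = Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Service = $entry.Key; Port = $entry.Value; Open = $r.TcpTestSucceeded }
        }
    }
}

Test-DomainControllerPorts | Format-Table -AutoSize

# Locator and secure-channel checks to run next to the port table (built-in tools):
#   nltest /dsgetdc:domain.w.com                              -> can the locator find a DC?
#   nltest /sc_verify:domain.w.com                            -> is the secure channel to it healthy?
#   netdom trust <trusting-domain> /domain:<trusted-domain> /verify   -> validate the trust object
```

On direction: logon and trust traffic is opened by the client, or by the DC that is validating the trust, toward the listed ports on the remote DC, and the replies ride the same connection. A stateful firewall therefore needs rules from the client or DC subnet to the remote DCs on these ports, plus the return path. Because the DCs on both sides of a trust locate and call each other (trust validation, SID filtering, name resolution), the practical rule is to open the set in both directions between the two sets of DCs, while client subnets only need the client-to-DC direction.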
