Channel: Directory Services forum

Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest from our offices.  Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2.  We have set up two-way forest trusts with our office domains using selective authentication.  We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain.  On the Server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain.  However, after installing a 2012 R2 domain controller in an office domain, we cannot use the 2012 domain controller to browse to the objects in the licensing domain.  It never asks for credentials for the licensing domain when we specify the objects we want to add from the licensing domain.  It simply states that the object cannot be found.  When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that is logged on, and this is failing since this user has no rights in the licensing domain.  I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has.  Can somebody tell me why this is happening and how to correct it?

Shut down 2003 domain controller, used a new, different name and the same IP address on the new 2012 DC - can I delete the old name object?


Greetings,

I promoted a 2012 domain controller with a new name and IP, shut down the old DC and re-IP'ed the new DC with the old IP address.

After the reboot everything is working fine.  I would like to delete the old DC object name from AD.  Can I do so without interruption?

Thank you


First 2012R2 DC in 2008R2 Domain


I have a domain that has three separate sites.  In two sites I have a single DC, but in the main domain I have/had two DCs.  One of them died and I'm not able to recover it.

All servers were 2008R2 and we are at the 2008R2 functional level.

I've followed all the procedures to clean the "broken" DC out of the AD and don't see any sign of it.  When I try to promote a newly installed 2012R2 server to a domain controller I get:

The operation failed because:

Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=domain,DC=ext from the remote Active Directory Domain Controller DC1.domain.ext.

"The replication operation failed to allocate memory."

DC1 is a 2008 R2 server in Hyper-V with 16GB memory.  The new DC is on a different server in a Hyper-V with 32GB memory.  I seriously doubt the problem is memory.  Especially since we don't have a large domain.

The DCPROMO log shows:

05/15/2014 13:51:44 [INFO] Replicating CN=Schema,CN=Configuration,DC=domain,DC=ext: received 3997 out of approximately 3997 objects
05/15/2014 13:51:44 [INFO] EVENTLOG (Warning): NTDS General / Replication : 1079
Internal event: Active Directory Domain Services could not allocate enough memory to process replication tasks. Replication might be affected until more memory is available.

I have run "dcdiag /e /c /v" and "repadmin /showrepl /all /verbose" and nothing shows in error ... except for the frsComputerReferenceBL is missing its value.  But msDFSRComputerReferenceBL is populated as it should be so I figured this was ok.

Any ideas on what I can check?  No SBS at all in this domain.  There never has been.

Thanks!

ADMT 3.2 How to revert system properties exclusion list back to defaults?


Hello,

I contacted MS support to remove the proxyAddresses attribute from the exclusion list of ADMT 3.2.

The Support Engineer suggested that we run the following VBS on the server:

' Clear the ADMT system property exclusion list (sets it to empty)
Set o = CreateObject("ADMT.Migration")
o.SystemPropertiesToExclude = ""

Now all attributes are available to include or exclude from ADMT.

Does this mean that ADMT now includes all attributes that it should not include when installed out of the box? How can I make sure that only the default attributes are excluded, plus the proxyAddresses attribute?

Client PC not always using local RODC and Group Policy is applied from random DC's at other sites


Please help, I am pulling what is left of my hair out!

I have a test XP PC on the same subnet as a new RODC, and it randomly connects to the RODC and then randomly connects to different DCs at another site.  Also, Group Policy is being applied from different DCs randomly.

After reading and reading websites with similar issues I still cannot crack it so please help anyone.

The problem seems to be worse if I reboot the PC and log in for the first time, resulting in the client connecting to the Default Site, with the Group Policy user side applied by vg2-server and the Group Policy computer side applied by 271-RODC.

However, if I log off and on a few times this changes randomly, but it seems to end up connecting to site 271 with Group Policy applied by 271-RODC for both parts.

You know when the XP PC is going to hook onto the wrong DC because "Loading your personal settings" takes a lot longer.

I have the following setup:

Default Site 

vg-server      WDC Server 2008 R2     172.16.65.0/24        Postcode1

vg2-server    WDC Server 2008 R2     172.16.60.0/24        Postcode2

Site "271"

271-RODC    RODC Server 2008 R2    172.16.170.0/24      Postcode3

XP Test PC is at site "271"

dcdiag tests fine, dcdiag DNS tests are fine.

The only thing I can find is some automatically recreated SRV files for vg-server and vg2-server under site "271" in DNS.

I have checked lots and lots of other things but now have brain burn and I'm going round in circles.

Please help

Thanks

Kevin

How to move a stationary pc outside AD and still be able to logon with same valid AD account?

I need to temporarily relocate a couple of AD users with their stationary computers, and still be able to log on with the AD account on the relocated computer when it has no AD controller to authenticate to. The reason for this is similar to what happens when you bring your laptop home and log on with your domain account. I want to use the same user account when the machine is offsite. The only difference here is a stationary computer versus a laptop. Both are domain members.

ADFS 3.0 deep dive


Team,

Looking for deep dive content on ADFS 3.0 in the format of a Word doc; do we have any link?

TechNet articles are good, but they don't have any architectural pictures that make it easier to understand the changes and new features in ADFS 3.0.

Any help will be deeply appreciated.


Regards, Dematri

Trust relationship error on PDC


Hello,

We are getting the error "The security database on the server does not have a computer account for this workstation trust relationship" on our main domain controller.  We have a primary domain controller and also a second domain controller on one domain.  We are unable to logon to the PDC when this is happening and have to do a hard reboot to get it back up.  At the same time our VPN does not roll over to the BDC so we are unable to logon at the time of the error.

We are receiving 5722, 5805 in reference to the BDC on the PDC and we are getting 5783 (in reference to the PDC) and 5719 on the BDC.  We are also getting 7 on the PDC as well mentioning the security account manager failed a KDC request. 

I've been jumping all over the net to find a solution, but it seems they are all in regards to workstations or other servers with the trust relationship error and nothing in regards to this error on a PDC. 

Any help will be greatly appreciated!


Prompted to change password

Hello,

I have a network with a group of users who have roaming profiles and share computers from one office to another (doctors).

They all have a respective computer they use on a regular basis.

Safety rules in place require a change of password every 90 days.

I have some users who may not be able to change their password when prompted.

This happens occasionally when it is not on their respective computer but on another computer, and oddly, if they return to their respective computer they can change the password.

Is it possible that some of these users have a session that remained open on their respective computer, and that this makes the password change not work?

I'm really lost with all this because it is difficult to reproduce the problem to find a permanent solution.

thank you

Primary Domain Controller Time not working (Windows Server 2008)


Hi there, I'm trying to set up my PDC with an external

Before you say anything: I have checked other threads and none of them helped, and please do not suggest OS upgrades, we don't have the budget for that.

we have 4 DC servers (not the real names)

DC1-Site1 (PDC), DC2-Site1, DC1-Site2 & DC2-Site2

All the other DCs and all the machines pick up the time from DC1-Site1, but this is out of sync with NTP.

I've set DC1-Site1 to look at 0.uk.pool.ntp.org, 1.uk.pool.ntp.org, 2.uk.pool.ntp.org and 3.uk.pool.ntp.org using w32tm (yes, I was running the command prompt as administrator).

I am using a physical server, not a virtual server.

I have checked all the registry keys and they are correct, but when I do w32tm /monitor it is pointing to itself.

I have tried creating a GPO for the PDC and this is being applied when I check with gpresult /r, but this still doesn't sync the time with the NTP server.

When I do w32tm /stripchart my PDC is +53.4 seconds out of sync with 0.uk.pool.ntp.org.

It's not the firewall, as the PDC can connect to 0.uk.pool.ntp.org on the correct port.

C:\Windows\system32>w32tm /stripchart /computer:0.uk.pool.ntp.org /samples:10 /dataonly
Tracking 0.uk.pool.ntp.org [130.159.196.118:123].
Collecting 10 samples.
The current time is 16/05/2014 14:18:39.
14:18:39, +53.4132568s
14:18:41, +53.4028126s
14:18:43, +53.4034405s
14:18:45, +53.4033245s
14:18:47, +53.4026014s
14:18:49, +53.4091998s
14:18:51, +53.4024996s
14:18:53, +53.3945750s
14:18:55, +53.4022851s
14:18:57, +53.4021697s
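A defender-side check for the symptoms in this post, added here as an example and not part of the original thread: it reads the W32Time registry values the poster mentions, reports whether the service key is still in NT5DS (domain hierarchy) mode or whether a GPO-written policy key is overriding it, and, when run with -Fix, points the PDC emulator at the same uk.pool.ntp.org servers using the standard w32tm flags. The -Fix switch and the function names are this example's own; run it elevated on the PDC emulator.

```powershell
# Example (not from the original post): inspect and optionally fix the W32Time
# source on a PDC emulator that keeps reporting itself as the time source.
# Run in an elevated PowerShell session on the PDC emulator.
param([switch]$Fix)

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
# Same pool servers the post uses; the 0x8 flag requests client mode for each peer.
$peers  = '0.uk.pool.ntp.org,0x8 1.uk.pool.ntp.org,0x8 2.uk.pool.ntp.org,0x8 3.uk.pool.ntp.org,0x8'

function Get-W32TimeState {
    # Service key: what w32tm /config writes. Policy key: what a GPO writes; it wins.
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceType      = $svc.Type        # NT5DS = domain hierarchy, NTP = manual peers
        ServiceNtpServer = $svc.NtpServer
        PolicyPresent    = [bool]$pol
        PolicyType       = $pol.Type
        PolicyNtpServer  = $pol.NtpServer
        CurrentSource    = (w32tm /query /source)
    }
}

function Test-PdcTimeConfig {
    $s = Get-W32TimeState
    $problems = @()
    if ($s.PolicyPresent -and $s.PolicyType -ne 'NTP') {
        $problems += "Policy key sets Type=$($s.PolicyType); the GPO overrides anything set with w32tm /config."
    }
    if (-not $s.PolicyPresent -and $s.ServiceType -ne 'NTP') {
        $problems += "Service Type is $($s.ServiceType): the PDC emulator is the top of the domain hierarchy, so it has no upstream and falls back to its own clock."
    }
    if ($s.CurrentSource -match 'Local CMOS Clock|Free-running') {
        $problems += "Current source is '$($s.CurrentSource)'; no external NTP server is in use."
    }
    return $problems
}

$issues = Test-PdcTimeConfig
if ($issues.Count -eq 0) {
    "PDC time source looks correct: $((Get-W32TimeState).CurrentSource)"
} else {
    $issues | ForEach-Object { "PROBLEM: $_" }
}

if ($Fix) {
    # Standard sequence for a PDC emulator: manual peers, mark it reliable, reload, resync.
    # If a policy key is present, fix the GPO (or unlink it) first; this config will not win.
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
    # Expect a pool member here, not Local CMOS Clock.
    w32tm /query /source
    # Offset should now converge towards zero rather than sit at +53 s.
    w32tm /stripchart /computer:0.uk.pool.ntp.org /samples:5 /dataonly
}
```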

AD metadata cleanup


Hi all,

I have 2 DCs in the domain. Main DC - Windows 2003, Secondary DC - 2008R2.

The Secondary DC failed.

I added one new DC with 2008R2. I want to clean up the AD metadata to remove the failed DC.

Can I do it from ADUC GUI on new DC?

AD 2012 DNS, SYSVOL Replication and others problem


Hello All,

The existing environment is three AD 2012 DCs in the same site. The problem is that SYSVOL is not replicating between the DCs. Also, DNS is continuously showing errors. One more thing: when the primary AD is down, the other two could not take over its responsibilities, because when the primary went down, Exchange OWA and Outlook could not connect to Exchange.

Please suggest.....

Thanks.

The error details:

1. Event ID 4015: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

2. Directory Server Diagnosis

Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine abcDC02, is a Directory Server.
   Home Server = abcDC02

   * Connecting to directory service on server abcDC02.

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=abcbd,DC=net,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=abcbd,DC=net,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=abcDC01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=abc-01-RODC-02,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=abcDC02,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=BANANIRODC02,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=BANANIRODC01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=abc-01-RODC-01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=abc-0003-RODC0,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=MDB-004-RODC-02,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=abc-05-RODC-01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=abc-06-RODC-01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=abc-07-RODC-01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=abcDC03,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 12 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Primary-Site\abcDC02

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... abcDC02 passed test Connectivity



Doing primary tests

   
   Testing server: Primary-Site\abcDC02

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\abcdc01.abcbd.net, when we were trying to reach abcDC02.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... abcDC02 failed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.

         ......................... abcDC02 passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         ......................... abcDC02 passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The

         error returned  was 0x0 "The operation completed successfully.".

         Check the FRS event log to see if the SYSVOL has successfully been

         shared.
         ......................... abcDC02 passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... abcDC02 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=abcDC01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
         Role Domain Owner = CN=NTDS Settings,CN=abcDC01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
         Role PDC Owner = CN=NTDS Settings,CN=abcDC01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
         Role Rid Owner = CN=NTDS Settings,CN=abcDC01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=abcDC01,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net
         ......................... abcDC02 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC abcDC02 on DC abcDC02.
         * SPN found :LDAP/abcDC02.abcbd.net/abcbd.net
         * SPN found :LDAP/abcDC02.abcbd.net
         * SPN found :LDAP/abcDC02
         * SPN found :LDAP/abcDC02.abcbd.net/abc
         * SPN found :LDAP/ae23a59d-8267-4681-a51a-032d4475e1e7._msdcs.abcbd.net
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ae23a59d-8267-4681-a51a-032d4475e1e7/abcbd.net
         * SPN found :HOST/abcDC02.abcbd.net/abcbd.net
         * SPN found :HOST/abcDC02.abcbd.net
         * SPN found :HOST/abcDC02
         * SPN found :HOST/abcDC02.abcbd.net/abc
         * SPN found :GC/abcDC02.abcbd.net/abcbd.net
         ......................... abcDC02 passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC abcDC02.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=abcbd,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=abcbd,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=abcbd,DC=net
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=abcbd,DC=net
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=abcbd,DC=net
            (Domain,Version 3)
         ......................... abcDC02 passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\abcDC02\netlogon)

         [abcDC02] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... abcDC02 failed test NetLogons

      Starting test: ObjectsReplicated

         abcDC02 is in domain DC=abcbd,DC=net
         Checking for CN=abcDC02,OU=Domain Controllers,DC=abcbd,DC=net in domain DC=abcbd,DC=net on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=abcDC02,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net in domain CN=Configuration,DC=abcbd,DC=net on 1 servers
            Object is up-to-date on all servers.
         ......................... abcDC02 passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=abcbd,DC=net
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=abcbd,DC=net
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=abcbd,DC=net
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=abcbd,DC=net
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=abcbd,DC=net
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... abcDC02 passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 3601 to 1073741823
         * abcdc01.abcbd.net is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 2101 to 2600
         * rIDPreviousAllocationPool is 2101 to 2600
         * rIDNextRID: 2110
         ......................... abcDC02 passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... abcDC02 passed test Services

      Starting test: SystemLog

         * The System Event log test
         An error event occurred.  EventID: 0x00000457

            Time Generated: 05/14/2014   14:22:19

            Event String:

            Driver Canon iR2520 UFRII LT required for printer Canon iR2520 UFRII LT is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 05/14/2014   14:22:20

            Event String:

            Driver CutePDF Writer required for printer CutePDF Writer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 05/14/2014   14:22:20

            Event String:

            Driver Microsoft Office Document Image Writer Driver required for printer Microsoft Office Document Image Writer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 05/14/2014   14:22:21

            Event String:

            Driver doPDF 7 Printer Driver required for printer doPDF v7 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 05/14/2014   14:22:21

            Event String:

            Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 05/14/2014   14:22:21

            Event String:

            Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 05/14/2014   14:22:22

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         A warning event occurred.  EventID: 0x00009016

            Time Generated: 05/14/2014   14:27:46

            Event String:

            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

         A warning event occurred.  EventID: 0x00009016

            Time Generated: 05/14/2014   14:27:46

            Event String:

            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

         ......................... abcDC02 failed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=abcDC02,OU=Domain Controllers,DC=abcbd,DC=net and backlink

         on

         CN=abcDC02,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net

         are correct.
         The system object reference (serverReferenceBL)

         CN=abcDC02,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=abcbd,DC=net

         and backlink on

         CN=NTDS Settings,CN=abcDC02,CN=Servers,CN=Primary-Site,CN=Sites,CN=Configuration,DC=abcbd,DC=net

         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)

         CN=abcDC02,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=abcbd,DC=net

         and backlink on

         CN=abcDC02,OU=Domain Controllers,DC=abcbd,DC=net are correct.

         ......................... abcDC02 passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : abcbd

      Starting test: CheckSDRefDom

         ......................... abcbd passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... abcbd passed test CrossRefValidation

   
   Running enterprise tests on : abcbd.net

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\abcdc01.abcbd.net

         Locator Flags: 0xe00071fd
         PDC Name: \\abcdc01.abcbd.net
         Locator Flags: 0xe00071fd
         Time Server Name: \\abcdc01.abcbd.net
         Locator Flags: 0xe00071fd
         Preferred Time Server Name: \\abcdc01.abcbd.net
         Locator Flags: 0xe00071fd
         KDC Name: \\abcdc01.abcbd.net
         Locator Flags: 0xe00071fd
         ......................... abcbd.net passed test LocatorCheck

      Starting test: Intersite

         Skipping site Primary-Site, this site is outside the scope provided by

         the command line arguments provided.
         ......................... abcbd.net passed test Intersite

Roaming Profile Corruption, Active Directory and GPO issues


Please take the time to read completely, this HAS NOT been solvable with 'normal' profile replacements.  Also, yes, I know that roaming profiles are a pain, but we have to work with what we've got.  PLEASE DON'T TELL ME TO GET RID OF ROAMING PROFILES - this is not a helpful response!

1. We have a mobile fleet of about 70 vehicles with laptops that connect via wifi-modems.

2. There is a GPO involved that keeps (kept) user profiles from up/down loading to vehicle laptops - user could log onto the device/network and had standard desktop, but the GPO kept the roaming profile from up/down loading to vehicles (and no expense from bandwidth use).  Users are able to access the 'roaming' part at desktops.

3. A new/young administrator misread the vehicle GPO as if it were "disabled" (classic Microsoft GPO misread) and "enabled" it for about 12 hours.  For those that are unaware 'disabled' often means 'enabled' in Microsoft GPO and vice versa.

4. The older admin comes in in the morning and takes it back to "disabled" and cautions the newbie that this would normally be a termination offence.  But the older admin didn't go any further than that.

5. Users in vehicles start getting "temporary profile creation" logons and "can't sync profile" messages, and admin logons on the laptops started up with a whole different device name (e.g. device MDT-15 showed up with an admin profile from MDT-03).

6. The few users who were able to logon 'normally' lost everything (documents, pictures, forms, etc) even from off the server, out of their profile.

7.  Last but not least, we are in the middle of a transition from XP to Win7, and, it appears that it is the Win7 side of things at the server, that is maintaining the corruption.

As a mid-level admin I've done everything I know to do (I got handed this due to the older guy knowing it would be a massive headache and he didn't want to deal with it, and the younger guy didn't have a clue where to even begin):

Deleted/re-created user accounts, disconnected/reconnected laptops to domain, wiped a laptop completely and tried to pull an image (if necessary for later use), gpupdated and forced, etc.

Nothing seems to be working and our drivers and managers are extremely frustrated.

This isn't keeping anybody from doing their job, but it has added extra, trivial steps they have to engage in to be operational, and they no longer have the accessibility (which works fine from a desktop) when working in vehicles.

Thanks in advance if someone can provide a reasoned, fairly conclusive, step-by-step process for a fix!

event ID 1864


Hello,

I have 3 DCs: DC-1, DC-2, and DC-3 (Windows Server 2008 R2) with domain and forest functional level 2008 R2. There is only one domain, MyDomain.local, and all 3 DCs are in one site. All three DCs are global catalog and DNS servers.

On all three DCs I receive every 24 hours the following error in Event Viewer, Directory Service log:
--------------------------------------------------------------
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          3/22/2010 4:14:07 PM
Event ID:      1864
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC-1.MyDomain.local
Description:
This is the replication status for the following directory partition on this directory server.
Directory partition:
CN=Schema,CN=Configuration,DC=MyDomain,DC=local
This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

--------------------------------------------------------------
 

This error repeats three times, for the following directory partitions: CN=Schema,CN=Configuration,DC=MyDomain,DC=local, CN=Configuration,DC=MyDomain,DC=local and DC=MyDomain,DC=local.

The only place where I found a reference to a removed DC was in the registry at HKLM\System\CurrentControlSet\Services\NTDS\Parameters, where the key "Src Root Domain Srv" has the value "CCTI-DC2.mydomain.local". CCTI-DC2 was a DC that was removed from the network with dcpromo. Please advise me what I should do with this key: delete it, or rename it and put the name of the actual PDC here?

 

To identify the source of event ID 1864 and eliminate the cause in the last week I’ve done the following:

1. Checked to see if there is a reference to a removed domain controller in:

- Active Directory Sites and Services -> My_site -> Servers

- Active Directory Users and Computers -> Domain Controllers

Everything is OK; only the 3 functional DCs are listed.


2. With ADSI Edit, looked at CN=LostAndFound, which is empty. Also checked CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=MyDomain,DC=local, where only the 3 functional DCs are listed.


3. Checked DNS and deleted any reference to a removed DC.


4. Checked NTDS with NTDSUTIL. As you can see from the output, there are only 3 DCs:
--------------------------------------------------------------
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC= MyDomain,DC=local
select operation target: select domain 0
No current site
Domain - DC=MyDomain,DC=local
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
select operation target: select site 0
Site - CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
Domain - DC=MyDomain,DC=local
No current server
No current Naming Context
select operation target: list servers in site
Found 3 server(s)
0 - CN=DC-3,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
1 - CN=DC-1,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
2 - CN=DC-2,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
--------------------------------------------------------------


5. Used repadmin /showreps on all 3 DCs and everything is OK. Here is the output from DC-1:
--------------------------------------------------------------
MySite\DC-1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9f02251e-a27c-4c4f-864b-e2242fff6437
DSA invocationID: a24a837b-2655-4c9b-94bb-cf6a235a4351

==== INBOUND NEIGHBORS ======================================

DC=MyDomain,DC=local
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 11:44:04 was successful.
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 11:45:22 was successful.

CN=Configuration,DC=MyDomain,DC=local
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 10:59:01 was successful.
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 10:59:01 was successful.

CN=Schema,CN=Configuration,DC=MyDomain,DC=local
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 10:59:02 was successful.
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 10:59:02 was successful.

DC=ForestDnsZones,DC=MyDomain,DC=local
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 10:59:02 was successful.
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 10:59:02 was successful.

DC=DomainDnsZones,DC=MyDomain,DC=local
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 10:59:02 was successful.
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 10:59:02 was successful.

--------------------------------------------------------------


6. Ran dcdiag on all 3 DCs.
All tests are OK; here is the output from DC-1:
--------------------------------------------------------------
 Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC-1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: MySite\DC-1
      Starting test: Connectivity
         ......................... DC-1 passed test Connectivity

Doing primary tests

   Testing server: MySite\DC-1
      Starting test: Advertising
         ......................... DC-1 passed test Advertising
      Starting test: FrsEvent
         ......................... DC-1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC-1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC-1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC-1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC-1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC-1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC-1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC-1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC-1 passed test Replications
      Starting test: RidManager
         ......................... DC-1 passed test RidManager
      Starting test: Services
         ......................... DC-1 passed test Services
      Starting test: SystemLog
         ......................... DC-1 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC-1 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
 
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
 
   Running partition tests on : MyDomain
      Starting test: CheckSDRefDom
         ......................... MyDomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... MyDomain passed test CrossRefValidation

   Running enterprise tests on : mydomain.local
      Starting test: LocatorCheck
         ......................... MyDomain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... MyDomain.local passed test Intersite

--------------------------------------------------------------

 

7. Checked with repadmin /showvector /latency… even here everything seems to be OK:
--------------------------------------------------------------
repadmin /showvector /latency CN=Schema,CN=Configuration,DC=MyDomain,DC=local
Caching GUIDs.
MySite\CCTI-DC2\0ADEL:fd33ee52-f05d-48a5-916b-49d5630c1357 (deleted DSA) @ USN  417853 @ Time 2010-02-27 15:49:00
MySite\CCTI-DC1\0ADEL:7679d269-19c2-4440-9b6e-da597ae133b1 (deleted DSA) @ USN 503710 @ Time 2010-03-12 17:59:21
MySite\CCTI-DC3\0ADEL:ed2133ee-8e57-4edf-8aff-c9635a1525c6 (deleted DSA) @ USN 110900 @ Time 2010-03-15 15:06:26
MySite\DC1\0ADEL:4de8a1cf-b8eb-4297-a480-6bf8ac34c343 (deleted DSA) @ USN 22892 @ Time 2010-03-15 19:09:06
MySite\DC3\0ADEL:1960fdc7-938e-4128-a0d4-ae152fe52284 (deleted DSA) @ USN 15079 @ Time 2010-03-17 12:37:27
MySite\DC1\0ADEL:4de8a1cf-b8eb-4297-a480-6bf8ac34c343 (deleted DSA) @ USN 18718 @ Time 2010-03-17 13:32:45
MySite\CCTI-DC2\0ADEL:fd33ee52-f05d-48a5-916b-49d5630c1357 (deleted DSA) @ USN 96683 @ Time 2010-03-17 19:20:50
MySite\DC-2                    @ USN     39243 @ Time 2010-03-23 08:59:02
MySite\DC-3                    @ USN     39370 @ Time 2010-03-23 08:59:02
MySite\DC-1                    @ USN     37164 @ Time 2010-03-23 09:36:27

--------------------------------------------------------------
 

8. Checked in this forum for similar problems, but I haven't found a solution that works in my situation:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/af95a256-4aeb-4780-b1af-cce3b6c1bcdd/

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ccae98d9-75cb-4988-8a1a-535b3e1bfeac

http://social.technet.microsoft.com/Forums/fi-FI/winserverDS/thread/567922cd-9c0b-44db-bdbb-803fec000163

9. So finally here I am... any new ideas on how to get rid of this error would be really appreciated :)
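Added example (not part of the post above): a PowerShell function that parses `repadmin /showvector /latency` output and places every DSA into the same age intervals that event ID 1864 counts, so a "More than a week: 1" can be traced to a named entry and the 0ADEL tombstones of decommissioned DCs can be told apart from live DCs. The sample lines are copied from the poster's step 7 output; the reference time is fixed so the run is reproducible.

```powershell
# Added example, not from the original post. Parses repadmin /showvector /latency lines and
# buckets each DSA by age, using the interval boundaries that event ID 1864 reports on.
# Sample input below is copied from the poster's output (constructed reference time).
$sample = @'
Caching GUIDs.
MySite\CCTI-DC2\0ADEL:fd33ee52-f05d-48a5-916b-49d5630c1357 (deleted DSA) @ USN  417853 @ Time 2010-02-27 15:49:00
MySite\DC1\0ADEL:4de8a1cf-b8eb-4297-a480-6bf8ac34c343 (deleted DSA) @ USN 18718 @ Time 2010-03-17 13:32:45
MySite\DC-2                    @ USN     39243 @ Time 2010-03-23 08:59:02
MySite\DC-1                    @ USN     37164 @ Time 2010-03-23 09:36:27
'@

function Get-VectorLatency {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # raw repadmin output lines
        [datetime]$Now = (Get-Date),              # reference time for the age calculation
        [int]$TombstoneLifetimeDays = 180         # value printed in the 1864 event text
    )
    foreach ($line in $Lines) {
        # Format: site\dsa[\0ADEL:<guid>] [(deleted DSA)] @ USN <n> @ Time <yyyy-MM-dd HH:mm:ss>
        if ($line -match '^(?<site>[^\\]+)\\(?<dsa>[^\\\s]+)(?<del>\\0ADEL:\S+)?\s*(\(deleted DSA\))?\s*@ USN\s+(?<usn>\d+)\s+@ Time\s+(?<time>\S+ \S+)') {
            $last = [datetime]::ParseExact($Matches.time, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            $days = ($Now - $last).TotalDays
            $bucket = if     ($days -gt $TombstoneLifetimeDays) { 'More than a tombstone lifetime' }
                      elseif ($days -gt 60) { 'More than two months' }
                      elseif ($days -gt 30) { 'More than one month' }
                      elseif ($days -gt 7)  { 'More than a week' }
                      elseif ($days -gt 1)  { 'More than 24 hours' }
                      else                  { 'Within 24 hours' }
            [pscustomobject]@{
                Dsa      = $Matches.dsa
                Deleted  = [bool]$Matches['del']   # 0ADEL entry: tombstone of a removed DC, not a live server
                LastSync = $last
                AgeDays  = [math]::Round($days, 1)
                Bucket   = $bucket
            }
        }
    }
}

# Run against the constructed sample. On a DC, replace $sample with the live command, e.g.
#   $lines = repadmin /showvector /latency 'CN=Schema,CN=Configuration,DC=MyDomain,DC=local'
$lines = $sample -split "`r?`n"
Get-VectorLatency -Lines $lines -Now ([datetime]'2010-03-23 12:00:00') |
    Sort-Object AgeDays -Descending | Format-Table -AutoSize
# With the fixed reference time: CCTI-DC2 (deleted) lands in "More than a week", DC1 (deleted)
# in "More than 24 hours", and the three live DCs in "Within 24 hours".
```

The Deleted column is the first thing to settle before touching metadata: an old entry that is a tombstone needs no cleanup of a live server, whereas a live DC in an old bucket is a real replication failure.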

Randomly slow login with roaming profile in DFS Namespace but fine when in same root share???


Hi

I have an issue with random login speeds and it seems to boil down to DFS Namespace.

Server 2008 R2 WDC at HQ (namespace server)

Server 2008 R2 RODC at test site (namespace target)

I have an XP client test PC at the test site which logs in super quick with the profile path written as \\RODC\Profiles$\%username%

But if I change the profile path to \\domain.com\Profiles\%username% then login hangs around randomly at different points and is very sluggish

This is doing my head in because I really need to get this nailed so I can continue to roll out AD with Roaming Profiles across multiple sites.  Fast login is critical!

Please help?

Many thanks

Kevin


Force password change by OU and Grace Period


Current Environment: Windows Server 2008 R2
Education

This summer we plan to start forcing all our staff members to change their password every 90 days. I see that the Password Policy is under Computer Configuration. Are we able to exclude certain OUs or user groups from getting the policy? We don't want to force our students to have to change their password every 90 days.

Also, is there a way we can set a grace period? For example, after their password expires, they can log in 3 more times before they are forced to change their password.
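Added example (not part of the post above): on a 2008 R2 domain, the per-group expiry the poster describes is done with a fine-grained password policy (PSO), which applies to users and global security groups rather than OUs. The script below creates a 90-day PSO, fills a staff group from a staff OU, links the PSO to that group, and verifies the resultant policy; the group name, OU DN and user names are placeholders.

```powershell
# Added example, not from the original post. A PSO gives the staff group a 90-day maximum
# password age while students, who are not members, keep the default domain policy.
# Group name, OU DN and sAMAccountNames are placeholders for the poster's environment.
Import-Module ActiveDirectory

$staffGroup = 'Staff-PasswordExpiry'        # placeholder: global security group for all staff
$staffOU    = 'OU=Staff,DC=school,DC=local' # placeholder: OU whose users should get the policy

# 1. Create the PSO. If a user is covered by several PSOs, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'Staff-90Day' -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 10 -PasswordHistoryCount 12 -ComplexityEnabled $true `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# 2. PSOs cannot target an OU directly, so populate the group from the staff OU.
#    Re-run this step (or a scheduled task) whenever staff accounts are created.
Add-ADGroupMember -Identity $staffGroup -Members (Get-ADUser -SearchBase $staffOU -Filter *)

# 3. Link the PSO to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Staff-90Day' -Subjects $staffGroup

# 4. Verify which policy actually wins: a staff member returns the PSO, a student returns
#    nothing, meaning the default domain policy still applies.
Get-ADUserResultantPasswordPolicy -Identity 'staff.user'   # placeholder sAMAccountName
Get-ADUserResultantPasswordPolicy -Identity 'student.user' # placeholder sAMAccountName
```

The default domain policy (the one under Computer Configuration) stays untouched for everyone else, which is what keeps the students out of the 90-day rule.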

need your help!

We have one site link configured between site A and site B that replicates every 5760 minutes (frequency). But on site B, the connection object between site A and site B is scheduled for only one hour on Wednesday and Friday. So, what's the final replication schedule for these two DCs between site A and site B?

Powershell that disables Active Directory Users that have not logged on for x number of days


Does anyone know a PowerShell command line that will disable an AD user that has not logged on for x amount of days? I'm not looking for a script, but if you know of a PowerShell command that can do this, please let me know :)

Thank you :)
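Added example (not part of the post above): the one-line form the poster asked for, built on `Search-ADAccount -AccountInactive`, followed by a wrapped version that previews with `-WhatIf`, limits the search to one OU, skips brand-new accounts that simply have not logged on yet, and writes a CSV of what it disabled. The OU DN and report path are placeholders; the ActiveDirectory module (RSAT or a DC) is assumed.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
# OU DN and report path are placeholders.
Import-Module ActiveDirectory

# One-liner: enabled users with no logon for 90 days. -WhatIf previews; drop it to apply.
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
    Where-Object { $_.Enabled } | Disable-ADAccount -WhatIf

function Disable-InactiveADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 90,
        [string]$SearchBase = 'OU=Staff,DC=mydomain,DC=local',   # placeholder OU to limit scope
        [string]$ReportPath = "$env:TEMP\inactive-users.csv"     # placeholder report location
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # Search-ADAccount evaluates lastLogonTimestamp, which replicates to every DC but can lag
    # the real last logon by up to 14 days, so read the result as "at least $Days", not exact.
    $stale = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) `
                -UsersOnly -SearchBase $SearchBase |
             Where-Object { $_.Enabled } |
             Get-ADUser -Properties lastLogonDate, whenCreated |
             Where-Object { $_.whenCreated -lt $cutoff }   # a new account with no logon yet is not "inactive"

    # Record the candidates before changing anything.
    $stale | Select-Object SamAccountName, lastLogonDate, whenCreated, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation

    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (last logon $($u.lastLogonDate))")) {
            Disable-ADAccount -Identity $u
            # Leave a trail on the object itself so the reason survives later audits.
            Set-ADUser -Identity $u -Description ('Disabled {0:yyyy-MM-dd}: no logon for {1}+ days' -f (Get-Date), $Days)
        }
    }
    $stale
}

Disable-InactiveADUser -Days 90 -WhatIf   # preview; run without -WhatIf to disable
```

Accounts that are already disabled are filtered out by the `Enabled` check, so re-running the function only touches newly stale users.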

AD all containers empty


I look after a small domain with two DCs. The Operations Master's Active Directory Users and Computers snap-in shows nothing in any of its containers.

Fortunately the secondary DC is working and is authenticating users to the domain.

As a very part-time administrator, what can I check/do about this situation?

Thanks, Lost


sysvol is not visible in my last domain controller


Hi everybody, I need some help with my last domain controller. I had 2 DCs; the one that had the FSMO roles crashed, and after that I performed a seizing of the roles and proceeded to promote another DC. After that DC was promoted I checked the SYSVOL and NETLOGON shares and they were not there. I waited for 24 hours and after that checked the event log of the recovered DC and I saw the 13568 Event ID from the NTFRS service; that event recommended configuring the registry with "Enable Journal Wrap Automatic Restore" set to "1". After that I restarted the NTFRS service and the SYSVOL and NETLOGON shares disappeared. Now users can't log on and I can see the GPOs. What should I do?

Thanks in Advance.

Felxs


Felx
