
How do I use long path names ("\\?\UNC\...") with Server 2008 roaming profiles?

Hey folks!

I administrate a Windows Server 2008 R2 SP1 Domain with about 40 users on Windows 7 SP1 clients. Because the users often switch between the many PCs, I am using Roaming Profiles, which tend to produce errors with different application-specific paths and files inside the users' profiles.

As one of many examples, our standard mail application Thunderbird produces paths and files according to folders/subfolders and mails in a user's mailbox. Another one is Microsoft Office's Auto Recovery files which reside in a user's profile and can get very long.

These paths and filenames often exceed the allowed max. path of about 256 characters when (on log on or off) the synchronization process between the client and the server takes place, leading to errors in the event log and a notification to the user about the conflict:

"Event ID 1509 - Windows cannot copy file \\server\share\users\user123.v2\AppData\Roaming\looooong to location C:\Users\user123\AppData\Roaming\looooong. DETAIL - The filename or extension is too long."

In the long run this leads to different file versions on different clients which - in the case of Thunderbird - leads to missing mails.

After extensive searches and lectures of forums - including this - I haven't found a solution for this problem.

So my question is if there's a way to use the extended max path with roaming profiles and if so how do I get it to work?

I tried changing the profile path of a test user in the Active Directory user preferences from "\\server\share\profiles\test_user" to something like "\\?\UNC\server\share\profiles\test_user" without any changes in the system's behavior. Also I think that because this is such a fundamental problem somebody must have come up with a solution for it...

Thanks in advance,

Nico



ismserv dc promoting error

Hi,

When I try to promote a 2003 Windows server to an additional domain controller, I got an error:

failed to configure the service ismserv as requested

I am promoting the server on a remote site.

Please help.


Anuj Gupta

Seized Role but not able to Clear metadata via Command line

Hi All,

I have set up a lab in my home for practice and tried to demote a DC in my environment through the command line. After transferring the roles which were on the DC to another, I tried the below-mentioned commands to clean up metadata and remove a selected DC.

1. Ntdsutil
2. ntdsutil: roles
3. fsmo maintenance: Connection
4. server connection: connect to server dc3.
5. server connection: quit
6. fsmo maintenance: Seize RID Master (clicked YES)
7. fsmo maintenance: Quit
8. ntdsutil: Quit

After seizing the roles I tried to clean up metadata. Below are the steps which I have taken to perform it:

1. ntdsutil
2. ntdsutil: metadata cleanup
3. metadata cleanup: connection
4. server connections: connect to server dc3
5. server connection: quit
6. metadata cleanup: select operation target
7. select operation target: select domain 0
8. select operation target: select sites 0; select operation target: select server 3
9. select operation target: quit
10. metadata cleanup: remove selected server

After reaching the last step, no. 10, I received an error stating that to clean up the data, please put the server online.

Could anyone tell me what step I missed, as all the servers were online and the roles were seized successfully? I would also like to tell you all that when I go to Active Directory Sites and Services and check the servers, the default site connections are lost on DC1, DC2, DC3.

Please let me know the correct method to perform metadata cleanup.

Also let me know what other prerequisites I should take care of, apart from transferring roles and making sure a Global Catalog is on another DC.

Thanks

Atul Srivastava

Migrate AD from 2003 to 2012

Hi,

I'm looking to migrate an AD from Windows Server 2003 to Windows Server 2012, but I can't find all the requirements to do it.

I found that my domain and forest level have to be at least 2003, but nothing else.

I would be thankful for any information to make the migration successful.

New to AD - Slow LAN speeds after joining first Domain. Details inside.

Hi Guys,

I just set up my first ever AD system. First some background... in case 

I have 5 physical servers, and with this upgrade each of them is a hyper-v host and all other business services will be inside Hyper-V servers.

Before this upgrade we had 1 Windows 2008 server and 4 Windows 2008 R2 servers.

In preparation for this upgrade we moved the data from our oldest (windows 2008) server to one of the other servers over our LAN (1gb LAN), and got transfer speeds right around 1gb/s for the entire 500GB of data.

We then installed windows server 2012 on the old server (and upgraded its hard drives and RAM), installed Hyper-V on it, then created 2 domain controllers inside Hyper-V containers on that server. (The idea being that DC2 would move to the next server once it was ready), and the host server was then added to the newly created domain. No problems so far. 

Once that was all done and working properly, I wanted to empty the second server so it could then be updated in the same way - with windows 2012 + hyper-V etc. To facilitate that we moved that server's customers to a 3rd server (our first server did not have room), which again got 1gb/s transfer speeds (2008R2 to 2008R2, non-AD), as well as about 200GB of data that needed to go to the old (now new 2012) server. Again, no problems and good transfer speeds.

We then wiped and installed W2012 on the second server, installed Hyper-V and added it to the domain. 

The next step was to move customer data back from the 1st server (which is not powerful enough for it to stay there - it was just there temporarily). This is where the problems began. Transferring from the 2012 server to the other newly upgraded 2012 server got speed capped at about 100mb/s.

I googled it and found that I needed to disable a few things in GPEdit + Regedit (SMB, etc), and did that... but that did not fix the problem. I then started experimenting and found that I can transfer from the 1st server (2012) to our storage server (2008 R2) at 1gb/s easily... but transfers to the other 2012 are still capped at 100mb/s.

Any ideas as to what is causing this? If I cannot fix it I will need to remove AD... but I would really love to keep AD if possible... but in the future my last 3 servers (which are all pretty much identical hardware-wise) will need to continuously transfer hundreds of gigabytes per day back and forth... so the gigabit network is absolutely required without having to first dump things on a 3rd server.

Any help is greatly appreciated!

Dave 

Redesigning OU structure in AD - best implementation technique?

Hi,

My question is regarding implementation technique rather than design. I have redesigned a new OU structure for my company's AD on paper and am now required to make the changes on the infrastructure itself.

The current set up is as follows:

2 x physical DC servers, DC1 and DC2 (replicating)

Windows Server 2008 R2

No test VLAN as of yet (planning to be implemented ASAP)

As per above, my plan so far is to:

1. Create a test VLAN

2. Create a DC3 virtual machine and put it in the VLAN

3. Import all objects minus OU folders from DC1/2 into DC3 via ADMT

4. Organise the objects into new OU structure.

5. Test in development VLAN

6. If working OK, add to production VLAN and enable replication with other DCs to transfer changes.

I would like to know...

Will this work? Is there a better way? And what do I need to be mindful of? 

Thanks!

256 Character Limitation in Windows

Hi,

We have a Windows 2k8 server which we are using as a file server. One of our departments working on this server frequently creates folders with long path names. Since the long path names have been created, the files in those folders cannot be opened because of the long file path.

Kindly advise how to overcome this problem.

Regards 

Replication issues for 1 dc out of 7. Netlogon Paused after reboot

Hi all,

I'm currently experiencing a problem where one DC (Dr-dc2) won't replicate with others. I noticed the netlogon service goes to paused after a reboot, and as a result the Windows Time service doesn't start. Even after starting the time service, when I run net time (as admin) I receive error 5 access denied.

There were numerous Kerberos errors in the event log, so I reset the account via the command netdom resetpwd /server:dr-dc2 /userd:*your_domain*\administrator /passwordd:*admin_password*

This command doesn't appear to have helped, as Kerberos errors are still rife in the server's log.

I've attached a copy of dcdiag  /v /c /d /e from the troubled server.

I've telnetted to these ports on all servers apart from dr-dc1 which fails on 3268

 

Port Assignments for Active Directory Replication

| Service Name | UDP | TCP  |
|--------------|-----|------|
| LDAP         | 389 | 389  |
| LDAP         |     | 636  |
| LDAP         |     | 3268 |
| Kerberos     | 88  | 88   |
| DNS          | 53  | 53   |
| SMB over IP  | 445 | 445  |

Set up new replication partners for dr-dc2 in AD Sites and Services, but it fails for these. DR-DC1 was the only partner set up prior to this.

The server hasn't been restored recently. However, it's a VM and, having checked snapshots, it's running off one dated early April, but one has been taken since at the end of April.

Please advise how I should proceed.

Many thanks,

PS: I don't seem to be able to attach the dcdiag output... too many characters apparently



April's Windows Server Gurus Announced!!

The results for April's TechNet Guru competition have been posted!

http://blogs.technet.com/b/wikininjas/archive/2014/05/17/the-microsoft-technet-guru-awards-april-2014.aspx

Congratulations to all our new Gurus for April!

We will be interviewing some of the winners and highlighting their achievements, as the month unfolds.

Post your MAY contributions here:

http://social.technet.microsoft.com/wiki/contents/articles/24252.technet-guru-contributions-for-may-2014.aspx

Read all about May's competition, hopefully in a stickied post, at the top of this forum.

 

Unfortunately the forum won't let me post the full version, or even a drastically trimmed version here, so you'll have to visit the link above to see the results :/

 

A huge thank you to EVERYONE who contributed an article to April's competition.

Hopefully we will see you ALL again in May 2014's listings?

 

If you haven't contributed an article for this month, and you think you can create a more useful, clever and better presented wiki article than the winners above, here's your chance! :D

 

Best regards, Pete Laker


More about the TechNet Guru Awards:


#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

AD Migration Server 2008R2 to 2012R2

Hi,

I've already introduced the 2 new AD 2012R2 servers into the existing domain/forest successfully.  However, now comes the fun part.  I'm getting ready to transfer the FSMO roles for the new phase, but I want to migrate the existing static IP addresses which were allocated on the 2008R2 servers.   Therefore, I'm wondering if the steps below are correct and if there are any gotchas I should be aware of.

Existing IP allocation:  Basically, what I would like to do is move the 2008R2 DC IP addresses to the 2012R2 DC servers.  Once I'm satisfied everything in the domain is working as expected I'll dcpromo the old 2008R2 DCs and decommission those servers.

2008R2-DC1 10.125.100.1  

2008R2-DC2 10.125.100.2  

2012R2-DC1 10.125.100.10

2012R2-DC2 10.125.100.20

  1. Backup / System State Backup
  2. Set IP on 2008R2-DC1 to 10.125.100.50
  3. Set IP on 2012R2-DC1 to 10.125.100.1
  4. Set IP on 2008R2-DC1 to 10.125.100.10
  5. Set IP on 2008R2-DC2 to 10.125.100.50
  6. Set IP on 2012R2-DC2 to 10.125.100.2
  7. Set IP on 2008R2-DC2 to 10.125.100.20
  8. DNS changes to hostnames
  9. Check DHCP settings
  10. Leave 2008R2 DCs in place for 1 week then demote

Thanks!

Export Active Directory Users Info to a Web Page?

I am using Windows Server 2008 R2 and want to export Active Directory Users info to a web page as a list/table. How would I do that? Also if I can, can I make it export daily?

The host name 'DomainDnsZones.Domain1.com' could not be resolved to its address

Hi,

I am trying to search groups using VBScript. The code is able to authenticate my ID but gives an error: "The host name 'DomainDnsZones.Domain1.com' could not be resolved to its address."

And also I am getting some error like: "000004DC: LdapErr: DSID-0C0906E8"

The DN of the Group is like: CN=GroupName, CN=Builtin,DC=domain1,DC=com

I am guessing, Do I have the necessary access on the Builtin?

Or is it something which I am not able to figure out?

Please help!

Regards,

Anuj

recreate deleted server in site and service

Hi,

I have 2 sites in my forest; in every site I have 2 DCs. I accidentally deleted the server from the site SPC and from all my replication DCs in site SPT.

How can I recreate the replication between the sites?

THX



Cannot Add ADFS 2012 R2 to Existing Farm

In the process of building ADFS into our AD. Have 2008 R2 DCs so we added a 2012 R2 DC to take advantage of gMSA. Have two 2012 R2 servers to function in HA/NLB array for ADFS 3.0. Installation of first server in farm has been successful and allowed wizard to create gMSA user after waiting 10 hours for results of Add-KDSRootKey to replicate. Although installation procedure failed to add local IP address to cert bindings that was easily remedied with netsh followed by "http add sslcert ipport ...."

The problem now comes in adding a server to the farm. Prerequisite fails with "There were no SPNs set on the following service account..." and "The user name or password is incorrect" and a few other errors. Packet capture shows Kerberos pre-authentication failure. To work around this, "nltest /SC_RESET:domain-name\2012R2-DC" was run to force secure channel on host to point to Server 2012 R2 DC. Still the error. Wait and wait and wait... Still the error. The SPN is clearly and properly set on the gMSA account.

What to do? Anyone encounter this or could point us in the right direction to get a second ADFS server into the farm?

Need to update UPN but leave existing suffix

I am working on a PowerShell script to update the SamAccountName and UPN with new names, but I need to leave the existing UPN suffix, as the users I am updating could be from 1 of 3 domains, so I have no way to set the UPN suffix variable. I need to query the UPN suffix. Is there a way to query and set just the suffix as a variable or only update the logon name in the UPN without changing the suffix?


What is not explicitly allowed should be implicitly denied


ADCS sessions

In ADCS on Windows 2008R2 we are getting "An attempt was made to open a Certification Authority database session, but there are already too many active sessions" on a request using CERTADMINLib.IEnumCERTVIEWROW.Next(). I found a recommendation to set HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBSessionCount to 64 hex (100 Dec). With this set we could only get 10 sessions open using IEnumCERTVIEWROW. With debugging and logging turned on I found a reference to DBMaxReadSessionCount and a matching reference in certsrv.h. When HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBMaxReadSessionCount is also set to 64 hex (100 Dec) we can get 100 sessions running.

What is the impact of setting DBMaxReadSessionCount and are there any problems with explicitly setting this value?

Dan

FRS 13508 (No instance of 13509) - Diagnosing

Hello!

We have two 2008 R2 DCs and our second DC has been getting the 13508 for months.  I have checked the logs and have found no instance of 13509.  I have run ntfrsutl version and got this:

NtFrsApi Version Information
   NtFrsApi Major      : 0
   NtFrsApi Minor      : 0
   NtFrsApi Compiled on: Nov 19 2010 22:04:38
NtFrs Version Information
   NtFrs Major        : 0
   NtFrs Minor        : 0
   NtFrs Compiled on  : Nov 20 2010 02:15:59
   Latest changes:
   Install Override fix
OS Version 6.1 (7601) -
SP (1.0) SM: 0x0110  PT: 0x02
Processor:  AMD64 Level: 0x0006  Revision: 0x0f0b  Processor num/mask: 2/00000003

I'm not exactly sure what that means, but I continued to do some diagnostics.  I was able to ping the FQDN with no problem.  I disabled the firewalls on both boxes and tested with no luck. 

In addition, I have noticed that the DC that is NOT receiving the 13508 error is getting 13568 -

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

It appears these two (13508 on DC2 and 13568 on DC1) started about the same time months ago.  It informs me in 13568 to "Enable Journal Wrap Automatic Restore", but I'm afraid to do so.  Is this something I should do?

Any idea what would be causing this and what my next steps would be?  Let me know if I can get you any more info.

Thanks for the help in advance!


Security-Kerberos Errors on some machine

Hello,

The reason I'm writing is that we have recently seen some strange DFS issues, where clients aren't able to connect to their DFS mapped drives. Flushing the DFS cache or DNS cache or rebooting the client seems to fix the issue. We have also had to reboot a DFS server, since it was hung in the past. So, I have a ticket open with MS and can't find any DFS-related issues in the event logs.

I see a Kerberos error in the event logs on both DFS servers and some clients that have the issue, and I'm wondering if this is the cause of the problems. Please see the Kerberos error below and let me know what you think. I want to also add that we have a direct access server and I'm seeing "isatap.ipv6address" when I run ipconfig on these servers and clients.

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hq12-dfs2$. The target name used was HTTP/HQ12-DFS2.hhmi.org. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (HHMI.ORG) is different from the client domain (HHMI.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

An attempt to resolve the DNS name of a domain controller in the domain being joined has failed.

The following error occurred attempting to join the domain "egl-underground.mainframe":

An attempt to resolve the DNS name of a domain controller in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain.

I am running Windows Server 2008 R2, trying to connect with a Windows 7 computer.
I have already set the DNS in my computer to the server running DNS Server (same as the DC server).
I can ping the server, and I can nslookup the FQDN as well with no problems.

Any help?

Sysprep.exe with or without "Generalized"?

Can anyone tell me what the difference is between sysprep.exe with or without the "Generalized" option?

Another question is, is it possible to join a computer to a domain controller if they have the same SID (I clone them from a single image)?

Thank you all beforehand for answering my questions :)
