Hi all,

We currently have a windows server 2012 domain controller at home for various reasons ie parents forgetting passwords, managed updates/patches, server backup etc which works fine but I'm wanting to be able to turn off my PC/Makeshift server as the summer months are too hot to sleep with a roaring beast in the room haha!

My question is I have a server in a datacenter a few miles away and would like to have the domain controller hosted there, just going to create the domain from scratch as nothing much on it. How can I configure it so that all my home computers connect to it? I understand I'll need a VPN and have routing & remote access set up and can connect into the VPN fine from home and externally to the home network.

How can I set up the VPN on the home PC's so that it connects to the VPN on startup to avoid lengthy login times etc, all workstations are running windows 8.1.

Many thanks and have a good weekend whatever you all do!

 Hi All,

Why we have to put a UPN while promoting a Windows 2012 Domain Controller? As far as I know we don't have to provide a UPN while promoting a Windows 2008 R2 DC?

is this a new feature / thing in 2012?

Thanks HA

Recently one of Read Only Domain Controller computer failed and now we are in plan of rebuilding RODC in new hardware.

The entry of RODC is still showing in Domain Controllers panel in AD, How can we remove it? What are steps if any or just a delete will do?

Hi,

In my workplace we inherited a system which used to be based on Small Business Server, and the Active Directory is filled with User Groups and Containers that the SBS creates itself.

What is a good rule of thumb/ strategy to use, in order to get rid of the User Groups, Containers and Users that have been created by SBS previously?

The current structure results in extremely weird behavior applying only a bunch of GPOs to a some users and not to others. I believe this happens due to the extremely complicated structure (which is not needed anymore as we migrated to pure Windows Server environment).

Suggestion, or articles would be extremely welcome.

Hi everyone

How do i make my Domain users forcefully login to domain, i have many computers which are not in domain,

Can i block web traffic for users who are not logged to domain, Do Radius Server do this.does it requires a license,

and do i  need a different hardware. I have twos dc's  one is windows server 2008 R2 x64 and the other windows Server 2008 x64

I've recently began using Active Directory Administrative Center to manage Active Directory instead of Active Directory Users & Computers. In ADUC there is a PO Box field in address which I cannot seem to find in ADAC. Is this removed from ADAC? Is there a way I can add that field? I really like the simplicity and flow of ADAC.

Mike

I would like to set up my AD so that members of my help desk can reset passwords for domain users and no one else.  I would like my help desk to be able to add computers to the domain and to reset passwords.  I have made a security group that allows them to join computers to the domain but I do not see how to allow them to reset passwords without being able to reset everyone's passwords, i.e. higher administrators.

Any help would be appreciated.

We have a 2 way trust set up between our domain and an external (not in the same forest) domain.

Is there anyway to perform an LDAP query against a DC in our domain that will enumerate users in the trusted domain?

I understand that if the domain was in the same forest we could use a global catalog LDAP query but I don't believe there is a way to do this with an external trust.   My understanding is that we would need to do 2 separate queries - one against a DC in each domain.   Is this correct?

Hello,

I've seen articles on what ports are required for Workstations, Member Servers, and Domain Controllers communicating to Domain Controllers, but what Im not clear on is the 'Direction' the ports must be opened for these situations.

For example, for Domain Controllers to communicate to other Domain Controllers in the same Forest/Domain, my understanding is ports such as 53, 389, 3268, etc. must be opened Bi-Directionally on a Firewall.  Is that correct?

Simarily, for Workstations and Member Servers to communicate to Domain Controllers in the same Forest/Domain, do the Firewall ports needed to be opened Bi-Directionally as well?

Thanks in advance.

Thanks for your help! SdeDot

Hi,

We are planning a new Citrix environment with login through a Citrix Netscaler.

User accounts have to be member of an Active Directory group to be able to log in.

The Netscaler has to do an ldap query to a read-only Windows Server 2008 R2 domaincontroller.

The AD group is created and also a service account for the Netscaler.

Our security team wants the connection between the Netscaler and the read-only dc to be secure (port 636).

I found this: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

My question is if the ldap connection still needs to be secured with a certificate?

Is the Netscaler not already using a secure connection because of the service account and password?

I have a SBS 2003 box that was originally migrated from SBS2000. i just finished install new 2012 standard server and installed AD service on it, but when i trying promote to DC, it won't do it until functional level raise to least 2003 level.

My question is following:

when user login, user uses pre-windows 2000 login name.  

For example, DC11\user but FQDC is DC1.local.  we have no DC11 exist. 

When user trying login as DC1\user, it won't able to login. even Administrator has to login as DC11\administrator not DC1\administrator. 

 When i look user properties account login name user @dc1.local and pre-Windows 2000 name DC11\ user are listed. 

if i raised to Windows 2003 function level, did user can't login? or any effect? 

Thanks

I am using a Windows Server 2008 R2, these are the following errors that shows up in the Active Directory Domain Services Role.

Issue:
The primary domain controller (PDC) emulator operations master in this forest is not configured to correctly synchronize time from a valid time source.

Impact:
If the PDC emulator master in this forest is not configured to correctly synchronize time from a valid time source, it might use its internal clock for time synchronization. If the PDC emulator master in this forest fails or otherwise becomes unavailable (and if you have not configured a reliable time server (GTIMESERV) in the forest root domain), other member computers and domain controllers in the forest will not be able to synchronize their time.

Resolution:
Set the PDC emulator master in this forest to synchronize time with a reliable external time source. If you have not configured a reliable time server (GTIMESERV) in the forest root domain, set the PDC emulator master in this forest to synchronize time with a hardware clock that is installed on the network (the recommended approach). You can also set the PDC emulator master in this forest to synchronize time with an external time server by running the w32tm /config /computer:WS2008R2-DC.relianceinfotech.net /manualpeerlist:time.windows.com /syncfromflags:manual /update command. If you have configured a reliable time server (GTIMESERV) in the forest root domain, set the PDC emulator master in this forest to synchronize time from the forest root domain hierarchy by running w32tm /config /computer:WS2008R2-DC.relianceinfotech.net /syncfromflags:domhier /update.

and another issue

Issue:
The domain relianceinfotech.net has only one functioning domain controller.

Impact:
In the event of a failure on the domain's only domain controller, users will not be able to log in to the domain or access domain resources.

Resolution:
Add one or more additional domain controllers to the domain to handle authentication and authorization requests in case there is a failure on the domain's single available domain controller.

the problem is that I do not have a relianceinfotech.net that domain is the past one and the domain that is working now is relianceti.net. I just want to know how to resolve that and remove these warnings from showing.

Hi, an hour ago I started migration of sysvol replication from frs to dfs. I have five domain controllers and f/d functional lever Windows Server 2008 R2. I have done "upgrade" of domain from Windows Server 2003 to Windows Server 2008 R2 three years ago so sysvol replication is still via frs.

I have done the following:

dfsrmig /setglobalstate 1

dfsrmig /getglobalstate

dfsrmig /getmigrationstate

After more that one hour only three of five domain controllers are in prepared state.

SLT62800SVAD ('Start') - Writable DC
DRDC ('Start') - Writable DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.

I have checked both of them and SYSVOL_DFSR folder is not created. Also in DFS manager tool I saw they were not displayed as members in Domain System Volume replication.

How to solve this, is there any way to force "domain controllers" to be in prepared state thus I can continue migration process? Link between my primary site and site where these two DCs are located is fast so I do not think this has something to do with network problems. Plus today is day off so link is practically more or less idle sort of speak.

Hi all, I have only 1 active directory domain and two domain controllers.

Domain controllers are Windows Server 2003 SP2 32bit

I have two problems:

1. GPOs are not applied when I run gpupdate / force, the following error message:

Error processing Group Policy. windows could not read the \\ <domain> \ sysvol \ <domain> \ {yyyyyy-xxxxxxxx} \ gpt.ini

2 When you run repadmin / syncall / d / e, I get the following error:

<nerwork error>: 1722 (0x6ba)

Syncall exited with fatal Win32 error: 8440 (0x20f8):

The co-text of the name specified in the operation is not valid replies

greetings

Microsoft Certified IT Professional Server Administrator

hello everyone

in our company we are upgrading our DCs to server 2012R2 we have one Dc 2008R2 we installed another DC 2012R2 and make it GC from sites and services the problem appeared when I demoted the 2008 server I noticed that nobody in the company is able to log to the domain I realized that even the global catalog check mark is checked the server is not global catalog when I connect through ldap I see isglobalcatalogready : false I tried many solution to make it global catalaog but no success my solution was to shut down this server and restore the 2008 server from a previous backup now all the users can log to the domain but I only have one DC I tried to add another 2012R2 Dc but DCPromo fails on the prerequisite "check verification of outbound replication failed error reading the ntds settings on replication source controller" I installed another server 2008R2 server since there is no prerequisite check but the same problem occured the new DC is marked as GC but it's not GC I checked port 3268 I ran dcidag and this is the result

dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = 2k8DC
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: mysite\2K8DC
Starting test: Connectivity
......................... 2K8DC passed test Connectivity

Doing primary tests

Testing server: mysite\2K8DC
Starting test: CheckSecurityError
The account 2K8DC is not a DC account. It cannot replicate.
Unable to verify the machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
2K8DC.
Source DC WIN-SM5GUTCII7H has possible security error (8453).
Diagnosing...
Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
DC and continuing...
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN :LDAP/WIN-SM5GUTCII7H
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
Unable to verify the machine account
(CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
for WIN-SM5GUTCII7H on 2K8DC.
Unable to connect to the NETLOGON share!
(\\WIN-SM5GUTCII7H\netlogon)
[WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
error 67, The network name cannot be found..
[WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
shares. Please check the above output and take appropriate
steps.
Failed to read object metadata on WIN-SM5GUTCII7H, error
Directory object not found.
[WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
See any errors reported in attempting tests.
......................... 2K8DC failed test CheckSecurityError


Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : mydomain

Running enterprise tests on : mydomain.local

C:\Users\Administrator>dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = 2k8DC
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: mysite\2K8DC
Starting test: Connectivity
......................... 2K8DC passed test Connectivity

Doing primary tests

Testing server: mysite\2K8DC
Starting test: CheckSecurityError
The account 2K8DC is not a DC account. It cannot replicate.
Unable to verify the machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
2K8DC.
Source DC WIN-SM5GUTCII7H has possible security error (8453).
Diagnosing...
Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
DC and continuing...
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN :LDAP/WIN-SM5GUTCII7H
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
Unable to verify the machine account
(CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
for WIN-SM5GUTCII7H on 2K8DC.
Unable to connect to the NETLOGON share!
(\\WIN-SM5GUTCII7H\netlogon)
[WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
error 67, The network name cannot be found..
[WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
shares. Please check the above output and take appropriate
steps.
Failed to read object metadata on WIN-SM5GUTCII7H, error
Directory object not found.
[WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
See any errors reported in attempting tests.
Authoritative attribute pwdLastSet on 2K8DC (writeable)
usnLocalChange = 5866156
LastOriginatingDsa = 2K8DC
usnOriginatingChange = 5866156
timeLastOriginatingChange = 2014-08-17 08:55:52
VersionLastOriginatingChange = 42
Out-of-date attribute pwdLastSet on WIN-SM5GUTCII7H (writeable)
usnLocalChange = 12868
LastOriginatingDsa = 22a5b57a-fac4-4cfe-9fcb-c545025d3716
usnOriginatingChange = 5830453
timeLastOriginatingChange = 2014-08-13 15:07:23
VersionLastOriginatingChange = 41
Unable to verify the convergence of this machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) on these DC's
(DC=mydomain,DC=local,2K8DC). Does the machine account password need
resetting?
......................... 2K8DC failed test CheckSecurityError


Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : mydomain

Running enterprise tests on : mydomain.local

note that WIN-SM5GUTCII7H is the new DC I renamed it to server 2008R2 but it can't be a global catalog due to the error.
I tried to google this error but I didn't find any solution how to make make it replicate the GC

Best

I installed a Window 2012 R2 Failover Cluster in order to virtualize servers with Hyper-V. Both physical servers of the cluster are namedSRV-SAN01 and SRV-SAN02 and were installed usingWin2012 R2 Datacenter. The name of the cluster is SRV-HV01.

My environment is very simple : a unique domain and a unique site with 2 Domain Controllers (one onWin2013 and the second one on Win2008R2).

I first added a new Win2012 R2 Standard Domain Controller on a physical server namedSRV-DC01 and transferred the following Operation Masters to it :PDC, RID, Schema Master and Domain Naming. It is alsoGlobal Catalog.

I installed another Win2012 R2 Standard Domain Controller as a Virtual Server in the cluster whose name isSRV-DC02. It has the Insfrastructure Operation Master and is also aGlobal Catalog.

More 3 Member Servers using Win2012 R2 were installed on the cluster.

Everything worked fine until I ran my first Cluster-Aware remote updating. I installed the Failover Cluster Manager onSRV-DC01 and executed a remote CAU successfully.

At the end of the process, the Server Manager on the first physical serverSRV-SAN01 had a Manageability problem. The EventViewer showed the following error during 12 hours:

Error 4 from source Microsoft-Windows-Security-Kerberos : “The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-san01$. The target name used was HTTP/SRV-HV01.mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.”

On the second physical server SRV-SAN02 the Manageability problem still goes on after 27 hours after CAU with the exactly same error 4 form SourceMicrosoft-Windows-Security-Kerberos.

On the Failover Cluster Manager, I also have a Error 1023 from sourceMicrosoft-Windows-ClusterAwareUpdating-Management:

“Failed to get CAU report. Details:Microsoft.ClusterAwareUpdating.ClusterUpdateException: There was a failure in a Common Information Model (CIM) operation, that is, an operation performed by software that Cluster-Aware Updating depends on. The computer was "SRV-HV01", and the operation was "Contacting the Cluster-Aware Updating software on the cluster node.". The failure was: (CimException) WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 

 Possible causes are:

 -The user name or password specified are invalid.

 -Kerberos is used when no authentication method and no user name are specified.

 -Kerberos accepts domain user names, but not local user names.

 -The Service Principal Name (SPN) for the remote computer name and port does not exist.

 -The client and remote computers are in different domains and there is no trust between the two domains.

 After checking for the above issues, try the following:

 -Check the Event Viewer for events related to authentication.

 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

  -For more information about WinRM configuration, run the following command: winrm help config. HRESULT 0x8033809d ---> Microsoft.Management.Infrastructure.CimException: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 

 Possible causes are:

 -The user name or password specified are invalid.

 -Kerberos is used when no authentication method and no user name are specified.

 -Kerberos accepts domain user names, but not local user names.

 -The Service Principal Name (SPN) for the remote computer name and port does not exist.

 -The client and remote computers are in different domains and there is no trust between the two domains.

 After checking for the above issues, try the following:

 -Check the Event Viewer for events related to authentication.

 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

  -For more information about WinRM configuration, run the following command: winrm help config.

  at Microsoft.Management.Infrastructure.Internal.Operations.CimAsyncObserverProxyBase`1.ProcessNativeCallback(OperationCallbackProcessingContext callbackProcessingContext, T currentItem, Boolean moreResults, MiResult operationResult, String errorMessage, InstanceHandle errorDetailsHandle)

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Logger.<_TraceCallWorker>d__0`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Logger.<TraceCall>d__5`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()

  at MS.Internal.ClusterAwareUpdating.Wmi.ClientConnectionManager.<CreateInstancePreparationTask>d__0.MoveNext()

  --- End of inner exception stack trace ---

  at MS.Internal.ClusterAwareUpdating.Wmi.ClientConnectionManager.<CreateInstancePreparationTask>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Wmi.AbstractCauStreamedMethod`1.<OnInvokeAsync>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Wmi.AbstractCauMethod`1.<InvokeAsync>d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

  at MS.Internal.ClusterAwareUpdating.Util.Await[TResult](Task`1 t)

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportListFromMachine(String machineName, ClientConnectionManager clientConnectionMgr, Task instancePrepTask, CancellationToken cancelToken)

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportInternal(String clusterName, PSCredential credential, DateTime reportTimestamp, CancellationToken cancelToken)

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

  at MS.Internal.ClusterAwareUpdating.ReportManagerImpl.GetReportInternal(String clusterName, PSCredential credential, DateTime reportTimestamp, CancellationToken cancelToken)”

I have not found anything about that on the Internet.

Could you please help me with these errors ?

Thanks in advance.