Channel: Directory Services forum
Viewing all 31638 articles

Authentication needed after doing trust between two different domains.


Hi There,

I have a problem after creating a trust relationship between two different domains in two different forests. In the trust relationship steps everything is working: two-way trust, external trust, stub zone created on both domains, and they are validated on both sides. My problem is with the objects: they can't be retrieved from one side but can be from the other side. For instance:

NY domain can get the users and computers of 2012DC1 

but 2012DC1 can't get the users and computers of NY

Date and time are the same, and I am always getting this error:

The session setup from computer '2012DC1' failed because the security database does not contain a trust account 'test.com.' referenced by the specified computer.  

USER ACTION  
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'test.com.' is a legitimate machine account for the computer '2012DC1' then '2012DC1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  

If 'test.com.' is a legitimate machine account for the computer '2012DC1', then '2012DC1' should be rejoined to the domain.  

If 'test.com.' is a legitimate interdomain trust account, then the trust should be recreated.  

Otherwise, assuming that 'test.com.' is not a legitimate account, the following action should be taken on '2012DC1':  

If '2012DC1' is a Domain Controller, then the trust associated with 'test.com.' should be deleted.  

If '2012DC1' is not a Domain Controller, it should be disjoined from the domain.

Can you please help me with this error?

Thank You in advance.


While adding the ASP.NET feature in IIS on Server 2012 an error occurred: error:0x004000d

While trying to add ASP.NET 3.5 and 4.5 under the Application Development feature in IIS, the mentioned error occurred:

server the request to add or remove features on the specified server failed.
installation of one or more roles,role services, or features failed.
one or several parent features are disabled so current feature can not be enabled. error:0x004000d

Any help is highly appreciated.

Brighten up our day! Become a shining September Windows Server Guru!


As we in the Northern hemisphere watch the leaves turn brown, and the days grow shorter once more, we mourn the onset of darkness and cold. Winter is coming, and it may be a long one! (heard that somewhere before...)

SO my mighty guru word warriors, light up our hearts and minds with words of wisdom!

Send white hot ideas, spark off imaginations, light the way to a better future!

Let your intellectual outpourings enlighten your readers and lighten their burden, and quench their thirst for knowledge!

Beat back the darkness with laser sharp wit and broad spectrum facts.

Light a fire in our imaginations!

Become a beacon for awesomeness!

Shine so brightly as to become stars, and you shall be worshiped by us, as we bask in your technical glory!

 

Your time has come!

That time is NOW!

 

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

Child Domain not able to login with enterprise account


Hello All,

We have a forest domain, e.g. School.com, and a child domain, HQ01.school.com. I usually log in to the child domain (HQ01.school.com) with the enterprise administrator account (SCHOOL\Administrator).

But due to some issue I am not able to log in to the child domain (HQ01.school.com) with the enterprise administrator account (SCHOOL\Administrator). Also, child domain user accounts are not authenticating. In the logs I see "domain (HQ01.school.com) not found".

Please help to solve the issue.

Regards,

Deny AD object inheritance from being unchecked in ADUC, on new computers


We have some different Restricted GPOs that get applied to different computers based on which OUs the computers reside in.  The goal is that Computer Technicians can join a computer to the domain and it will go to the Computers OU.  Then all Computer Technicians have the ability to move computers to certain OUs that they have permissions to.  Those OUs make different groups admins on those computers, via GPOs that are linked to those OUs.  We then do not want anyone, besides Domain Admins, to be able to remove those computer objects.  In other words, we need to make sure that people who have permissions on an OU do not remove an object to another OU they have permissions on so that different Admin groups get applied through Group Policy.

I know how to do this, but it requires object inheritance.  In other words, if someone is smart enough they could join a computer to the domain, disable permissions inheritance, move that computer object into an OU they have permissions on, and then move it out when they wanted because it never inherited the permissions to block that.  Is there a way that I can continue to enforce object inheritance to be turned on for all objects in specific OUs, etc.?  Guessing this requires a script, but maybe there is an easier way to make sure that people who join computers to the domain cannot uncheck object inheritance?  I looked for a deny permission on the object inheritance and do not see it.  I would like for them to have all other permissions on those computer objects that they join to the domain, besides disabling object inheritance.

Dan


Dan Heim
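The post above asks how to stop a joined computer's object from having its permission inheritance disabled. Disabling inheritance is a write to the object's DACL, and the account that joined the machine normally becomes the object's owner, which gives it that write implicitly; a periodic audit that finds computer objects with protected ACLs and reverts them is therefore the practical control. The script below is an added example for that audit and is not from the post or from Microsoft; it assumes the ActiveDirectory RSAT module (which provides the AD: drive) and uses placeholder OU distinguished names.

```powershell
# Added example (not from the forum post): find computer objects under the given OUs whose
# ACL inheritance has been disabled, report them, and optionally re-enable inheritance.
# Assumes the ActiveDirectory module; the OU DNs passed in below are placeholders.
Import-Module ActiveDirectory

function Get-ProtectedComputerAcl {
    param(
        [Parameter(Mandatory)][string[]]$SearchBase,   # OU distinguished names to audit
        [switch]$Repair                                # re-enable inheritance when set
    )
    foreach ($ou in $SearchBase) {
        Get-ADComputer -SearchBase $ou -SearchScope Subtree -Filter * | ForEach-Object {
            $path = "AD:\$($_.DistinguishedName)"
            $acl  = Get-Acl -Path $path
            # AreAccessRulesProtected is true exactly when "inherit permissions" is unchecked
            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{
                    Computer           = $_.Name
                    DistinguishedName  = $_.DistinguishedName
                    Owner              = $acl.Owner
                    InheritanceBlocked = $true
                    Repaired           = [bool]$Repair
                }
                if ($Repair) {
                    # (isProtected=$false, preserveInheritance=$true): inherit again from the OU
                    # while keeping the explicit ACEs already on the object, so nothing is lost.
                    $acl.SetAccessRuleProtection($false, $true)
                    Set-Acl -Path $path -AclObject $acl
                }
            }
        }
    }
}

# Report only (placeholder OUs):
Get-ProtectedComputerAcl -SearchBase 'OU=Workstations,DC=example,DC=com', 'CN=Computers,DC=example,DC=com' |
    Format-Table -AutoSize

# Report and revert, e.g. from a scheduled task running as a Domain Admin:
# Get-ProtectedComputerAcl -SearchBase 'OU=Workstations,DC=example,DC=com' -Repair
```

Run it first without -Repair and review the Owner column: objects that were protected by someone other than the expected technician accounts are the ones worth a closer look before the ACL is reset. The report rows can also be logged to a file so that repeat offenders become visible over time.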

ADFS 3.0 login failing from IE8


Hi all,

We have recently migrated from ADFS 2.1 to 3.0. The migration was successful.

The only issue we seem to have is that from IE8 only, the ADFS login page is inaccessible. IE does not report any errors, it just does not connect. This subsequently affects our on-premise ADFS reliant services.

I am a little stumped at this point. These browsers worked fine using the 2.1 infrastructure, but no longer with v3.0.

Any suggestions would be welcomed!

Cheers,

adrian

LDAP Chaining Support in AD LDS

Directory experts, can anyone tell me if AD LDS supports LDAP chaining? Note that I am talking specifically about chaining and not referrals.

For example, Contoso has an AD LDS server (hosting the 'O=Contoso,C=US' naming context) and Fabrikam has an AD LDS server (hosting the 'O=Fabrikam,C=US' naming context). Contoso users use the Outlook LDAP address book to search their local AD LDS server for Fabrikam recipients. Is it possible to configure the Contoso AD LDS server to relay LDAP search requests to the Fabrikam AD LDS server? In this scenario Contoso are not permitted to store information about Fabrikam users on the Contoso AD LDS server.

Many thanks in advance.

Tom Houston, UK Identity Management Practice

memberOf not shown after migrating contacts with movetree


Hello all!

I need some help trying to resolve an issue I'm experiencing after a contact migration between a subdomain and its parent domain using movetree.

The command I ran is:

movetree /start /s dc1.sub.test.com /d dc1.test.com /sdn "OU=testmovecontacts, ,DC=sub,DC=test,DC=com" /ddn "OU=DestinyContacts,DC=test,DC=com" /verbose

Apparently the operation ran correctly (ReturnCode: 0x0 The operation completed correctly. MOVETREE FINISHED SUCCESSFULLY.); but when I try to see the groups (universal distribution groups) a contact is a memberOf, the memberOf tab is empty.

The user gets the emails sent to the distribution lists, and I can see with ADSI that the contacts have the attribute "memberOf" set with the correct CNs.

The domain is in Windows 2003 native mode. Anyone have a clue what's going on?

Thanks.



Fix: Active directory corrupted (NTDS ISAM Database Corruption errors in eventlog)


It worked for me!

Frank Keunen

IT-Pro Evangelist :: Microsoft IT Infrastructure Engineer

Follow the procedure below to fix Microsoft Active Directory database problems (corrupted Active Directory due to e.g. memory issues/disk problems):

1. Reboot the server and press F8. Choose Directory Services Restore Mode from the Menu.

2. Check the physical location of the Winnt\NTDS\ folder.

3. Check the permissions on the \Winnt\NTDS folder. The default permissions are:

   Administrators – Full Control
   System – Full Control

4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.

5. Check the permissions on the Winnt\Sysvol\Sysvol share. The default permissions are:

   Share Permissions:
   Administrators – Full Control
   Authenticated Users – Full Control
   Everyone – Read

   NTFS Permissions:
   Administrators – Full Control
   Authenticated Users – Read & Execute, List Folder Contents, Read
   Creator Owner – none
   Server Operators – Read & Execute, List Folder Contents, Read
   System – Full Control

   Note: You may not be able to change the permissions on these folders if the Active Directory database is unavailable because it is damaged; however, it is best to know if the permissions are set correctly before you start the recovery process, as it may not be the database that is the problem.

6. Make sure there is a folder in the Sysvol share labeled with the correct name for their domain.

7. Open a command prompt and run NTDSUTIL to verify the paths for the NTDS.dit file. These should match the physical structure from Step 2. To check the file paths, start a command prompt and type the following commands:

   NTDSUTIL
   Files
   Info

   The output should look similar to:

   Drive Information:
   C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
   D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)
   DS Path Information:
   Database : C:\WINNT\NTDS\ntds.dit – 10.1 Mb
   Backup dir: C:\WINNT\NTDS\dsadata.bak
   Working dir: C:\WINNT\NTDS
   Log dir : C:\WINNT\NTDS – 30.0 Mb total
   res2.log – 10.0 Mb
   res1.log – 10.0 Mb
   edb.log – 10.0 Mb

   This information is pulled directly from the registry, and mismatched paths will cause Active Directory not to start. Type Quit to end the NTDSUTIL session.

8. Rename the edb.chk file and try to boot to Normal mode. If that fails, proceed with the next steps.

9. Reboot into Directory Services Restore mode again. At the command prompt, use ESENTUTL to check the integrity of the database. NOTE: You can use NTDSUTIL to check the integrity; however, esentutl is usually more reliable. Type the following command:

   ESENTUTL /g "\NTDS.dit" /!10240 /8 /v /x /o

   (Note: Type the path without the quotes.) Note: The default path would be C:\Winnt\NTDS\ntds.dit; however, it may be different in some cases. The output will tell you if the database is inconsistent and may produce a jet_error 1206 stating that the database is corrupt. If the database is inconsistent or corrupt it will need to be recovered or repaired. To recover the database, type the following at the command prompt:

   NTDSUTIL
   Files
   Recover

   If this fails with an error, type quit until back at the command prompt and repair the database using ESENTUTL by typing the following:

   ESENTUTL /p "\NTDS.dit" /!10240 /8 /v /x /o

   (Note: Type the path without the quotes.) Note: If you do not put the switches at the end of the command you will most likely get a Jet_error 1213 "Page size mismatch" error.

10. Delete the log files in the NTDS directory, but do not delete or move the ntds.dit file.

11. The NTDSUTIL tool needs to be run again to check the integrity of the database and to perform a Semantic Database Analysis. To check the integrity, at the command prompt type:

   NTDSUTIL
   Files
   Integrity

   The output should tell you that the integrity check completed successfully and prompt that you should perform a Semantic Database Analysis. Type quit. To perform the Semantic Database Analysis, type the following at the NTDSUTIL prompt:

   Semantic Database Analysis
   Go

   The output will tell you that the analysis completed successfully. Type quit and close the command prompt. NOTE: If you get errors running the analysis, then type the following at the semantic checker prompt:

   semantic checker: go fix

   This puts the checker in Fixup mode, which should fix whatever errors there were.

12. Reboot the server to Normal Mode. If any of these steps fail to recover the database, the only alternative is to perform an Authoritative System State restore from backup in Directory Services Restore mode. For more information, please refer to the following articles:

   315136 HOW TO: Complete a Semantic Database Analysis for the Active Directory – http://support.microsoft.com/?id=315136
   265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation – http://support.microsoft.com/?id=265706
   258007 Error Message: Lsass.exe – System Error : Security Accounts Manager – http://support.microsoft.com/?id=258007
   265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory – http://support.microsoft.com/?id=265089
   315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command – http://support.microsoft.com/?id=315131

BR – Frank
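Steps 2, 3, 5 and 7 of the procedure above are checks that can be done before anyone reboots a domain controller into restore mode, and they are where the post itself says the real fault often hides ("it may not be the database that is the problem"). The script below is an added example, not part of Frank's post: it reads the NTDS paths from the same registry values NTDSUTIL reports, checks that they exist, and compares the NTDS folder's NTFS ACL and the SYSVOL share-level permissions with the defaults the post lists. It is read-only. Assumptions: the NTDS service parameter value names used (DSA Database file, Database log files path, DSA Working Directory) and the SMB cmdlets, which exist on Windows Server 2012 and later; the NTFS permissions on the Sysvol folder (the second half of step 5) are not compared here.

```powershell
# Added example (not from Frank Keunen's post): read-only pre-flight for steps 2, 3, 5 and 7.
# Assumes the NTDS registry value names below and Get-SmbShare/Get-SmbShareAccess (Server 2012+).
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsPathReport {
    # Steps 2 and 7: every path the directory service expects must exist, or it will not start.
    $p = Get-ItemProperty -Path $NtdsParams
    foreach ($name in 'DSA Database file', 'Database log files path', 'DSA Working Directory') {
        $value = $p.$name
        [pscustomobject]@{
            Setting = $name
            Path    = $value
            Exists  = [bool]$value -and (Test-Path -LiteralPath $value)
        }
    }
}

function Test-Permissions {
    # Compare identity -> rights tables and flag missing, differing and unexpected entries.
    param([hashtable]$Actual, [hashtable]$Expected, [string]$Scope)
    foreach ($id in (@($Actual.Keys) + @($Expected.Keys) | Sort-Object -Unique)) {
        $status = if (-not $Expected.ContainsKey($id))      { 'Unexpected entry' }
                  elseif (-not $Actual.ContainsKey($id))    { 'Missing' }
                  elseif ($Actual[$id] -ne $Expected[$id])  { 'Rights differ' }
                  else                                      { 'OK' }
        [pscustomobject]@{ Scope = $Scope; Identity = $id; Expected = $Expected[$id]
                           Actual = $Actual[$id]; Status = $status }
    }
}

function Get-NtdsFolderReport {
    # Step 3: the post's default NTFS ACL on the NTDS folder is Administrators and System, Full Control.
    $dbFile = (Get-ItemProperty -Path $NtdsParams).'DSA Database file'
    $folder = Split-Path -Path $dbFile -Parent
    $actual = @{}
    foreach ($ace in (Get-Acl -LiteralPath $folder).Access) {
        if ($ace.AccessControlType -eq 'Allow') {
            $actual[$ace.IdentityReference.Value] = $ace.FileSystemRights.ToString()
        }
    }
    Test-Permissions -Actual $actual -Scope "NTFS $folder" -Expected @{
        'BUILTIN\Administrators' = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
    }
}

function Get-SysvolShareReport {
    # Steps 4 and 5: SYSVOL must be shared, with the post's default share-level permissions.
    $share = Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue
    if (-not $share) {
        return [pscustomobject]@{ Scope = 'Share SYSVOL'; Identity = '-'; Expected = 'shared'
                                  Actual = 'not shared'; Status = 'Missing' }
    }
    $actual = @{}
    foreach ($entry in Get-SmbShareAccess -Name SYSVOL) {
        if ($entry.AccessControlType -eq 'Allow') {
            $actual[$entry.AccountName] = $entry.AccessRight.ToString()
        }
    }
    Test-Permissions -Actual $actual -Scope "Share $($share.Path)" -Expected @{
        'BUILTIN\Administrators'           = 'Full'
        'NT AUTHORITY\Authenticated Users' = 'Full'
        'Everyone'                         = 'Read'
    }
}

Get-NtdsPathReport    | Format-Table -AutoSize
Get-NtdsFolderReport  | Format-Table -AutoSize
Get-SysvolShareReport | Format-Table -AutoSize
```

Anything other than OK in the Status column is worth resolving before touching ntds.dit: a missing path or a stripped SYSTEM entry on the NTDS folder produces the same "directory service will not start" symptom as a corrupt database, and esentutl /p is not reversible. Because the script uses only the registry and the file system, it also runs in Directory Services Restore Mode, where the Active Directory module is unavailable.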


What happens if 2 Schema Masters are online in the same forest


Good day

As known, there must be only 1 schema master in the forest.

But if I seize the schema master role to another server and the old server comes back online,

what may happen, and how do I recover it?

Windows SBS Server 2008 and Windows Server 2008 R2 on the same domain


Hi all,

I am a person who only works with Linux systems. Recently I started working for a company that uses Microsoft technology, so I have a lot of trouble. Could you please help me? Below is the big trouble I have met:

In my system, I have the first Windows SBS Server 2008 running on our domain. However, my organization has grown and we have more than 150 users and mailboxes on Exchange Server 2007, so I do not want to use my SBS Server 2008 anymore.

I am going to install a Windows Server 2008 R2 64-bit and join it into the same domain as the SBS Server 2008. It will replicate the usernames, DNS, OUs and group policy... After that I will transfer the FSMO roles to the new server and then demote and remove the SBS server.

My boss says that I should not use this solution because Windows SBS server cannot run with any other kind of Windows Server 2008 (R2, Standard, Enterprise...) and it will automatically shut down the main server after a couple of days.

Can someone with experience help me? I am so confused now.

RO Domain controller and user authentication


HI,

I have a test case scenario, 

Site -A   (Domain-A-RW)

Site -B   (Domain-B-RW)

Site -C  (Domain-C-Ro)

If site connectivity to the other sites (A & B) fails, the user is unable to log in to the computer (via Remote Desktop) and gets "Authentication error, the local security authority cannot be contacted", whereas he can log in at the console on the desktop (the user has local Admin rights on this system).

Do we have some workaround?

Regards,

Change the Language


Hi,

Not sure whether this is the right forum. I would like to know that if we have installed, say, the Chinese language, how we can change the language

without disturbing the existing setup.

We are having Win 2003, Win 2008, Win 2012 etc.

Any help much appreciated...

Regards

Muthu


Thanks Muthu

Exchange 2010 and outlook client


Hi,

I am in a situation and I need help. Two days ago I ran a command in PowerShell to get the mailbox statistics for all users and I exported the file to Excel.

But when I checked in Outlook there is a big difference between the size of the OST and the server mailbox.

For example, if the server mailbox size is 8.033 GB, then in Outlook the OST size is 5.954 GB.

Why does this happen?

I checked the mailbox size to verify the size after archiving. Does it happen due to archiving?

One important thing is that all problematic email accounts are using Outlook 2013.

Is it a common behaviour seen only in Outlook 2013?

Please help me.

Thanks

5 sites and 1 datacentre - will 1 DC in each site be enough


Hi everyone,

Just want to ask how other people are doing this and to see if I am about to do a complete no-go!! As the title says, we have 5 office sites and 1 data centre. Currently we have 2 DCs in the datacentre and 2 DCs in each office site. Each office site is connected in a hub and spoke network with the datacentre with minimum 50 Mbps lines.

I am looking at upgrading our domain controllers to Windows Server 2012 R2, and in the same instance I was playing with the thought of removing 1 DC from each office site, still keeping 2 in the datacentre.

On the client side I would use DHCP to point to the local DNS first and then to a different office as the secondary DNS server.

I am going with the view that if a local DC is down then another office will be available, and with 50 and 100 Mbps MPLS connectivity between sites this should be enough to not notice any long logon delays.

Any advice ?


Regards
ronnie.jorgensen systems engineer
My blog


Offline computer last logon info

I am looking to get the last logon user name for a laptop at a remote location. It is offline and cannot be pinged. It is not showing up in SCCM 2012. The account is still active in AD. Is there a way to get the last logon user name by any chance? Thanks

Unable to transfer roles -- DsBindWithSpnExW error 0x80090322(The target principal name is incorrect.)


Hi,

I need help with our AD as I have started to face a few problems recently. I will first explain the configuration and then define the problem:

ADDH1 (in office A) (holds all the roles, master domain, primary)

Schema master               FU-ADDH1.fu-com.com
Domain naming master        FU-ADDH1.fu-com.com
PDC                         FU-ADDH1.fu-com.com
RID pool manager            FU-ADDH1.fu-com.com
Infrastructure master       FU-ADDH1.fu-com.com
The command completed successfully.

ADDH2 (in office A) (secondary domain controller for backup purposes)

Schema master               FU-ADDH1.fu-com.com
Domain naming master        FU-ADDH1.fu-com.com
PDC                         FU-ADDH1.fu-com.com
RID pool manager            FU-ADDH1.fu-com.com
Infrastructure master       FU-ADDH1.fu-com.com
The command completed successfully.

ADDH3 (in office B) (domain controller with global catalog, connected using VPN to office A)

C:\Users\administrator.FU-COM>netdom query fsmo
Schema master               FU-ADDH3.fu-com.com
Domain naming master        FU-ADDH3.fu-com.com
PDC                         FU-ADDH3.fu-com.com
RID pool manager            FU-ADDH3.fu-com.com
Infrastructure master       FU-ADDH3.fu-com.com
The command completed successfully.

****This should be same as above servers of Office A****

Problem:

Recently there were some changes in the network, after which I am unable to do the replication on either side. I did a lot of troubleshooting for network, firewalls, antivirus, AD configurations but nothing works. Following are the error messages I get:

In such a scenario I want to take over the roles and give them to the Office A server ADDH1, but it shows the following errors:

C:\Users\administrator.FU-COM>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server fu-addh1
Binding to fu-addh1 ...
DsBindWithSpnExW error 0x80090322(The target principal name is incorrect.)
server connections:

Couldn't Log on Remotely - Administrator Account


Hi IT folks,

I'm having trouble logging in remotely to our domain controllers (one is the PDC, the other one is an RODC).

Please see photo:

It's weird that only on the domain controller I get this message, but on other servers I can log in remotely.

Thanks.


akosijesyang - the conqueror

Export Token Signing certificate private key from ADFS


I am implementing an SSO mechanism with a Service Provider (SP) by using ADFS as Identity Provider (IdP).

The SP's regular website offers integration with ADFS, so it was enough to set up the SP as a Relying Party in my ADFS and provide them the Token Signing certificate.

The mobile app of the SP does not offer integration with ADFS, therefore they require a web application to be built (SSOApplication) that bridges the SSO mechanism between SP and ADFS. The SP redirects the request to SSOApplication, which in the background, by using SAML, queries the ADFS and then, if authentication is approved, sends the response to the SP.

SSOApplication correctly communicates with ADFS, but I cannot sign the SAML response for the SP because for the Token Signing certificate there is no option to export the private key. The SP requires the same certificate for both the Web and Mobile App entry points, therefore I cannot use two different Token Signing certificates.

Moreover, this very certificate is used by other SPs that communicate with my ADFS, therefore if I change the certificate I have to communicate the new certificate to the other SPs integrated with our ADFS. Is there any way to export the private key from the Token Signing certificate? Is there any way to use different Token Signing certificates for different relying parties in ADFS?

PS: In ADFS I can export the key of the SSL certificate, but there is no such option for Token Signing.

2008 r2 crashed, will not boot winload.exe


I had an extra "data disk" in my 2008 R2 Domain Controller box that I removed.  Then it won't boot, giving me an error that it can't find winload.exe.  I have the original ISO on a USB disk, but I cannot find how to get it to boot into any repair or recovery mode.  When I boot with the USB, it seems the only option is to reinstall.  I had a virtualized BDC, but that was on the drive I moved, and trying to get it to connect again after changing its location inside Hyper-V it tells me there are no domain controllers to connect to...totally true, the DC is dead and I'm trying to get the BDC to connect.

Specifically, trying to change the virtual hard disk off the now-dead DC to its new location on the file server (same disk, different machine) says "there are currently no login servers".

I find people saying to use a Vista/7 disk to do the repairs, yet I'm not sure if this would work since I'm trying to repair 2008 R2.  If I had realized the disk I was moving had the VMs on it I would have moved those VMs first, brought the BDC back up, then taken the DC down...

I have another physical box I want to use as a DC, but is that even possible? With no current domain controllers to authenticate to or established trust with I feel very stuck!

