Hi everyone 

This is my problem :

**IN my Server 2012 R2 DC event id 4015 DNS wont stop and i have replication problem,But whenever i restart the server the event will stop logging and replication works perfectly just for 6 or 7 hours, after that the event comes back and replication fails*******

This is my scenario :

I have four DC's

1.  DC1 : 172.16.3.3-192.168.10.1 ( FSMO holder ) (Server 2008 R2)
2. DC2 :172.16.3.4 (Server 2008 R2)
3. DC3 : 172.16.25.2 (Server 2012 R2)
4. DC4: 172.16.42.2 (Server 2008 R2)

DC1 and DC2 are in a same site

Except DC3 replication works perfectly without error between all other DC's 

on DC3 :

Dcdiag /v /q reports :

[DC1] DsBindWithSpnEx() failed with error 1727,

         The remote procedure call failed and did not execute..
         Warning: DC1 is the Schema Owner, but is not responding to DS RPC

         Bind.

         [DC1] LDAP bind failed with error 55,

         The specified network resource or device is no longer available..
         Warning: DC1 is the Schema Owner, but is not responding to LDAP Bind.

         Warning: DC1 is the Domain Owner, but is not responding to DS RPC

         Bind.

         Warning: DC1 is the Domain Owner, but is not responding to LDAP Bind.

         Warning: DC1 is the PDC Owner, but is not responding to DS RPC Bind.

         Warning: DC1 is the PDC Owner, but is not responding to LDAP Bind.

         Warning: DC1 is the Rid Owner, but is not responding to DS RPC Bind.

         Warning: DC1 is the Rid Owner, but is not responding to LDAP Bind.

         Warning: DC1 is the Infrastructure Update Owner, but is not responding

         to DS RPC Bind.

         Warning: DC1 is the Infrastructure Update Owner, but is not responding

Dciag /test:dns reports : (summary )

Doing initial required tests


   Testing server: SavinTehran\DC1

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Got error while checking LDAP and RPC connectivity. Please check your

         firewall settings.

         ......................... DC1 failed test Connectivity


   Testing server: SavinTehran\DC2

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... DC2 passed test Connectivity

 Summary of DNS test results:


                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: savin.local

               DC1                          FAIL FAIL n/a  n/a  n/a  n/a  n/a  
               DC2                          PASS PASS PASS PASS PASS PASS n/a  
               DC4                 PASS PASS PASS PASS PASS PASS n/a  
               DC3             PASS PASS PASS PASS PASS PASS n/a  

Repadmin /replsum on DC3 shows :

Source DSA          largest delta    fails/total %%   error

 DC1                       19m:01s    0 /   5    0  

 DC2                       22m:31s    0 /  10    0  

 DC4              19m:01s    0 /   5    0  

 DC3  01d.00h:19m:57s    1 /   5   20  (1726) The remote procedure call failed.





Destination DSA     largest delta    fails/total %%   error

 DC2               01d.00h:20m:19s    1 /  15    6  (1726) The remote procedure call failed.

 DC4             15m:29s    0 /   5    0  

 DC3          23m:02s    0 /   5    0  





Experienced the following operational errors trying to retrieve replication information:

          55 - DC1.savin.local

Also I did the following jobs :

• Check firewall setting on DC's (Firewall services is disable on all of them )
• Use PortqryUI to verify port listening between DC's ( No problem was found )
• Check DNS client setting on all DC's base on Microsoft Best practice  on this link :http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest

Every time i restart the server 2012 R2 (DC3) everything will alright but just for near about 6 hours!!!! 

Dear Experts please Help me !

Hello All,

I am facing a strange issue in implementing the custom SSO application.

There is a vendor sso url https://<sso-url>.com.

I have created a asp.net web site. when the user accesses the website, the website redirects to the vendor sso-url for SAML request. Once the SAML request is received the asp.net website builds the SAML response and posts it to the vendor sso url. The vendor sso url will then redirect it to the end user url.

The functionality works fine in Firefox and Chrome but when i try it in IE, I get a blank page.

But if I type the vendor URL manually then its working fine. I am not sure what needs to be done in the asp.net website.

I want to check the current size of the AD.. Is there any way to check it.

hi team,

i need your support to know about how we can establish Linking of AD User name with the ip address.???

Regards, Ravi Kumar

Hi,

I am currently facing issues regarding Group Policy, users are unable to change the password.

When i run gpupdate /force on servers, the user policy and computer policy are successful but when i run the same on any client i receive error as per below,

" C:\Windows\system32>gpupdate /force

Below is the result of GPRESULT /H GPReport.html.

Any idea on how to solve this problem ? thanks.

Hi

I am going to be doing a domain upgrade and would like to know if it is required to reset the domain controller computer account after it has been demoted and un-joined from the domain? I would like to re-use this same name again.

Dear All, I have 4 domain controllers running on windows 2008 R2 (1primary+3ADC), In Event viewer lots ERROR event generating which is mentioned below, kindly suggest.

The session setup from computer 'TESTPC' failed because the security database does not contain a trust account 'TESTPC$' referenced by the specified computer. 

Hi. I have two Windows Server 2012 R2 installed in test network. One is DC, another is SQL server (CM0 named).
Now, i would like to configure start SQL service as MSA.
I have created MSA on DC. Assigned to SQL server, and now i try to install this MSA on SQL server:

PS C:\> New-ADServiceAccount -Name TESTMSA -Enabled $true -DNSHostName CM0
PS C:\> Add-ADComputerServiceAccount -Identity CM0 -ServiceAccount TESTMSA

on SQL server:

PS C:\> Get-ADServiceAccount -Identity TESTMSA -Properties *


AccountExpirationDate                      :
accountExpires                             : 9223372036854775807
AccountLockoutTime                         :
AccountNotDelegated                        : False
AllowReversiblePasswordEncryption          : False
AuthenticationPolicy                       : {}
AuthenticationPolicySilo                   : {}
BadLogonCount                              : 0
badPasswordTime                            : 0
badPwdCount                                : 0
CannotChangePassword                       : False
CanonicalName                              : voo.domain.com/Managed Service Accounts/TESTMSA
Certificates                               : {}
CN                                         : TESTMSA
codePage                                   : 0
CompoundIdentitySupported                  : {False}
countryCode                                : 0
Created                                    : 17.07.2014 10:26:38
createTimeStamp                            : 17.07.2014 10:26:38
Deleted                                    :
Description                                :
DisplayName                                :
DistinguishedName                          : CN=TESTMSA,CN=Managed Service Accounts,DC=voo,DC=domain,DC=com
DNSHostName                                : CM0
DoesNotRequirePreAuth                      : False
dSCorePropagationData                      : {01.01.1601 01:00:00}
Enabled                                    : True
HomedirRequired                            : False
HomePage                                   :
HostComputers                              : {CN=CM0,OU=servers,OU=sity,DC=voo,DC=domain,DC=com}
instanceType                               : 4
isCriticalSystemObject                     : False
isDeleted                                  :
KerberosEncryptionType                     : {RC4, AES128, AES256}
LastBadPasswordAttempt                     :
LastKnownParent                            :
lastLogoff                                 : 0
lastLogon                                  : 0
LastLogonDate                              :
localPolicyFlags                           : 0
LockedOut                                  : False
logonCount                                 : 0
ManagedPasswordIntervalInDays              : {30}
MemberOf                                   : {}
MNSLogonAccount                            : False
Modified                                   : 17.07.2014 10:26:38
modifyTimeStamp                            : 17.07.2014 10:26:38
msDS-HostServiceAccountBL                  : {CN=CM0,OU=servers,OU=sity,DC=voo,DC=domain,DC=com}
msDS-ManagedPasswordId                     : {1, 0, 0, 0...}
msDS-ManagedPasswordInterval               : 30
msDS-SupportedEncryptionTypes              : 28
msDS-User-Account-Control-Computed         : 0
Name                                       : TESTMSA
nTSecurityDescriptor                       : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                             : CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=voo,D
                                             C=domain,DC=com
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : fda9060b-0c24-4c6c-8756-bcb3622f0755
objectSid                                  : S-1-5-21-1811451803-3665653429-3710297301-1176
PasswordExpired                            : False
PasswordLastSet                            : 17.07.2014 10:26:38
PasswordNeverExpires                       : False
PasswordNotRequired                        : False
PrimaryGroup                               : CN=Domain Computers,CN=Users,DC=voo,DC=domain,DC=com
primaryGroupID                             : 515
PrincipalsAllowedToDelegateToAccount       : {}
PrincipalsAllowedToRetrieveManagedPassword : {}
ProtectedFromAccidentalDeletion            : False
pwdLastSet                                 : 130500591980747733
SamAccountName                             : TESTMSA$
sAMAccountType                             : 805306369
sDRightsEffective                          : 15
ServicePrincipalNames                      :
SID                                        : S-1-5-21-1811451803-3665653429-3710297301-1176
SIDHistory                                 : {}
TrustedForDelegation                       : False
TrustedToAuthForDelegation                 : False
UseDESKeyOnly                              : False
userAccountControl                         : 4096
userCertificate                            : {}
UserPrincipalName                          :
uSNChanged                                 : 215990
uSNCreated                                 : 215987
whenChanged                                : 17.07.2014 10:26:38
whenCreated                                : 17.07.2014 10:26:38

PS C:\> Install-ADServiceAccount -Identity "TESTMSA"Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
At line:1 char:1+ Install-ADServiceAccount -Identity "TESTMSA"+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo          : WriteError: (TESTMSA:String) [Install-ADServiceAccount], ADException+ FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveD
   irectory.Management.Commands.InstallADServiceAccount

goooooogle doesn't help me (

Thank you!

Hey everyone,

I'm having a bit of a conundrum about the new forest domain name and what possible implications it can have if I chose the wrong name convention...

Current Setup

The current issue is that the company I work for was bought out by another company and atm, where using a 2-way forest trust.

The company also has another site in Africa which is using a different forest domain but doesn't have any forest trust to either of the other 2 domains.

The current forest domains are:-

1. Company1.local (my old company)

2. Company2.com.au (main company)

3. internal.company2direct.com.ke (Africa site)

To make it worse, all three sites have their own Exchange environment and there's all types of file share/application authentication issues between sites.

Therefore, the company has decided that they want to get rid of all the exchange environments/file shares and so forth and move everything toOffice365, including SharePoint and Lync

New Solution

They have also decided that they want a new forest with a single domain and that the locations and security will be delegated by using different OU structures/GPO's as it's all going to administered by 2 people at the main company site. This is non-negotiable as they don't want sub/child domains or different forests, just a single entity.

They're using a third party to do the Office365 design and implementation. However I have been assigned to setup the new initial ADDS server for the new forest.

After some reading I've found that we really shouldn't be using '.local' or '.internal' for the forest root domain. I suggested that we use 'internal.thecompanynamethatisreallylong.com.au' and a NetBIOS of 'CNF' (which is actually that long, and I feel that if we have to use a FQDN for anything then it will cause an issue)

They want me use the following for the forest root domain ' au.cnf' with a NetBIOS of 'CNF'

Is that really such a good idea or is there any situation whereby using 'au.cnf' as theprefix.suffix could cause any issues?

I would of like to use 'internal.cnf.com.au' however the domain name 'cnf.com.au' is already registered by another company..

Once the new forest is created, I'll create a 2way trust between the companies and start using ADMT to migrate accounts across

Thanks in advance for you help

I need to know in simple terms the key advantages 

of the domain. Kindly assist.

Regards, Ravi Kumar

My previous thread was closed with Marked Answer, but I still need assistance here.  Please don't close it without verifying it works (I was not even able to reply...).

I asked for two things:

1) Export-CSV the following properties: sAMAccountName, DisplayName, from the user accounts in an OU, in a CSV file.  (I will then add a "Password" column into this CSV file with individual passwords for each user).

2) Import-CSV the modified CSV file, and do a bulk password reset for the user accounts.

I have 1) done:

Get-ADUser -Filter * -SearchBase "OU=Students,OU=School,DC=SchoolName,DC=local" |
 Select-Object -Property sAMAccountName  | Export-CSV "C:\users\%username%\Desktop\User List\Summer\Students_GradeNumber.csv"

Unfortunately, I was not able to add the "DisplayName" property correctly. Whenever I did, it would show up blank in the CSV.

Either way, I would like to have 2) piece. Would any help me with that?

Hi

in a Windows 2012 environment on all DCs, I ran dcdiag/test:dns and I get these delegation errors
.......
Running partition tests on : JSSResearch
Running enterprise tests on : JSSResearch.local
Starting test: DNS
Test results for domain controllers:

DC: MTL-DC01.JSSResearch.local
Domain: JSSResearch.local

             TEST: Delegations (Del)
                Error: DNS server: mtl-dc01.jssresearch.local. IP:192.168.169.69 [Broken delegated domain jssresearch.local.JSSResearch.local.]
                Error: DNS server: mtl-hv1.jssresearch.local. IP:192.168.169.66 [Broken delegated domain jssresearch.local.JSSResearch.local.]
       Summary of test results for DNS servers used by the above domain controllers:
          DNS server: 192.168.169.66 (mtl-hv1.jssresearch.local.)
             1 test failure on this DNS server
          DNS server: 192.168.169.69 (mtl-dc01.jssresearch.local.)
             1 test failure on this DNS server
       Summary of DNS test results:
                                                 Auth Basc  Forw   Del  Dyn  RReg Ext
               Domain: JSSResearch.local
             MTL-DC01                     PASS PASS PASS FAIL PASS PASS n/a
       ......................... JSSResearch.local failed test DNS

So  MTL-DC01 and MTL-HV1 are both DCs and DNS servers (MTL-DC01 is the PDC)

I checked the _msdcs and it look like in the image. I don't know what is wrong

Why the domain show up like this jssresearch.local.JSSResearch.local.    ? I don't understand

Any ideas folks ?

Thanks a lot

Titus

hi, when i want to join the pc to the domain it says "an internal error occured" and the join process fail.

i can ping the domain using fqdn and dns is working ok and the client is pointing to the appropriate dns server. also i have no anti virus installed and firewall is off. here is the netsetup.log file here.

Note: when i prestage the computer the join process is ok with no problem

can anyone help me?

08/04 17:30:45 -----------------------------------------------------------------
08/04 17:30:45 NetpValidateName: checking to see if 'vivaldi.au' is valid as type 3 name
08/04 17:30:45 NetpCheckDomainNameIsValid [ Exists ] for 'vivaldi.au' returned 0x0
08/04 17:30:45 NetpValidateName: name 'vivaldi.au' is valid for type 3
08/04 17:30:54 -----------------------------------------------------------------
08/04 17:30:54 NetpDoDomainJoin
08/04 17:30:54 NetpMachineValidToJoin: 'OMM-7687492'
08/04 17:30:54 NetpGetLsaPrimaryDomain: status: 0x0
08/04 17:30:54 NetpMachineValidToJoin: status: 0x0
08/04 17:30:54 NetpJoinDomain
08/04 17:30:54 Machine: OMM-7687492
08/04 17:30:54 Domain: vivaldi.au
08/04 17:30:54 MachineAccountOU: (NULL)
08/04 17:30:54 Account: vivaldi.au\administrator
08/04 17:30:54 Options: 0x25
08/04 17:30:54 OS Version: 5.1
08/04 17:30:54 Build number: 2600
08/04 17:30:54 ServicePack: Service Pack 3
08/04 17:30:54 NetpValidateName: checking to see if 'vivaldi.au' is valid as type 3 name
08/04 17:30:55 NetpCheckDomainNameIsValid [ Exists ] for 'vivaldi.au' returned 0x0
08/04 17:30:55 NetpValidateName: name 'vivaldi.au' is valid for type 3
08/04 17:30:55 NetpDsGetDcName: trying to find DC in domain 'vivaldi.au', flags: 0x1020
08/04 17:30:59 NetpDsGetDcName: failed to find a DC having account 'OMM-7687492$': 0x525
08/04 17:30:59 NetpDsGetDcName: found DC '\\001-002-001-204.vivaldi.au' in the specified domain
08/04 17:30:59 NetpJoinDomain: status of connecting to dc '\\001-002-001-204.vivaldi.au': 0x0
08/04 17:30:59 NetpGetLsaPrimaryDomain: status: 0x0
08/04 17:30:59 NetpGetDnsHostName: Read NV Hostname: omm-7687492
08/04 17:30:59 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: vivaldi.au
08/04 17:30:59 NetpLsaOpenSecret: status: 0xc0000034
08/04 17:30:59 NetpGetLsaPrimaryDomain: status: 0x0
08/04 17:30:59 NetpLsaOpenSecret: status: 0xc0000034
08/04 17:30:59 SamLookupNamesInDomain on OMM-7687492$ failed with 0xc0000073
08/04 17:30:59 NetpJoinDomain: status of setting machine password: 0x534
08/04 17:30:59 NetpJoinDomain: initiaing a rollback due to earlier errors
08/04 17:30:59 NetpLsaOpenSecret: status: 0x0
08/04 17:30:59 NetpJoinDomain: rollback: status of deleting secret: 0x0
08/04 17:30:59 NetpJoinDomain: status of disconnecting from '\\001-002-001-204.vivaldi.au': 0x0
08/04 17:30:59 NetpDoDomainJoin: status: 0x534
08/04 17:30:59 -----------------------------------------------------------------
08/04 17:30:59 NetpDoDomainJoin
08/04 17:30:59 NetpMachineValidToJoin: 'OMM-7687492'
08/04 17:30:59 NetpGetLsaPrimaryDomain: status: 0x0
08/04 17:30:59 NetpMachineValidToJoin: status: 0x0
08/04 17:30:59 NetpJoinDomain
08/04 17:30:59 Machine: OMM-7687492
08/04 17:30:59 Domain: vivaldi.au
08/04 17:30:59 MachineAccountOU: (NULL)
08/04 17:30:59 Account: vivaldi.au\administrator
08/04 17:30:59 Options: 0x27
08/04 17:30:59 OS Version: 5.1
08/04 17:30:59 Build number: 2600
08/04 17:30:59 ServicePack: Service Pack 3
08/04 17:30:59 NetpValidateName: checking to see if 'vivaldi.au' is valid as type 3 name
08/04 17:30:59 NetpCheckDomainNameIsValid [ Exists ] for 'vivaldi.au' returned 0x0
08/04 17:30:59 NetpValidateName: name 'vivaldi.au' is valid for type 3
08/04 17:30:59 NetpDsGetDcName: trying to find DC in domain 'vivaldi.au', flags: 0x1020
08/04 17:31:03 NetpDsGetDcName: failed to find a DC having account 'OMM-7687492$': 0x525
08/04 17:31:03 NetpDsGetDcName: found DC '\\001-002-001-201.vivaldi.au' in the specified domain
08/04 17:31:03 NetpJoinDomain: status of connecting to dc '\\001-002-001-201.vivaldi.au': 0x0
08/04 17:31:03 NetpGetLsaPrimaryDomain: status: 0x0
08/04 17:31:03 NetpGetDnsHostName: Read NV Hostname: omm-7687492
08/04 17:31:03 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: vivaldi.au
08/04 17:31:03 NetpLsaOpenSecret: status: 0xc0000034
08/04 17:31:03 NetpGetLsaPrimaryDomain: status: 0x0
08/04 17:31:03 NetpLsaOpenSecret: status: 0xc0000034
08/04 17:31:03 NetpManageMachineAccountWithSid: NetUserAdd on '\\001-002-001-201.vivaldi.au' for 'OMM-7687492$' failed: 0x54f
08/04 17:31:03 NetpJoinDomain: status of creating account: 0x54f
08/04 17:31:03 NetpJoinDomain: initiaing a rollback due to earlier errors
08/04 17:31:03 NetpLsaOpenSecret: status: 0x0
08/04 17:31:03 NetpJoinDomain: rollback: status of deleting secret: 0x0
08/04 17:31:03 NetpJoinDomain: status of disconnecting from '\\001-002-001-201.vivaldi.au': 0x0
08/04 17:31:03 NetpDoDomainJoin: status: 0x54f

Hi,

We have 4 OUs with some Admin Delegations.

We are now wanting to flatten the OU structure into 1 OU, but need to migrate the 4 OUs Delegations into the 1 new OU.

Is that possible? and what tools would you recommend?

Thanks,

SK

Hi,

I want to setup a PKI within our environment. I wanted to deploy a standalone root CA to serve 2 domains. The two domains will have separate Enterprise CA's that will serve their domains. I wanted to know if this setup is feasible or if I should setup a standalone root CA to serve each domain.

Looking forward to your input.

Hi

I have a problem getting a dc demoted. In preparation for this demotion I gracefully moved all the fsmo roles to another dc without any errors. As such I started the demotion process, but got an error saying that the naming context could not be found on the dc I wish to demote (when I run repadmin /showrepl from the dc holding all the fsmo roles).

It fails on the DomainDnsZones directory partition.

Strangely, if I run the exact same command from a third dc as well as the dc I wish to promote no errors are displayed under repadmin /showrepl.

Topology

3 sites

Location 1: 1 DC

Location 2: 2 DC

Location 3: 3 DC

The location 1 DC is having replications issues

The replication status tool show the following errors

1 The target principal name is incorrect

2. The remote system is not available

The issues has started after the machine DC1 was not in network for 3 hours. Can any one help me on this

Amal RS