Channel: Directory Services forum

AD LDS - multiple domains and universal group memberships.


Because of heavy load on our DCs coming from multiple applications doing constant LDAP queries to them, I'm trying to remove all this traffic by replicating our AD into an AD LDS instance.

We do have 6 child domains for which I created application partitions and sync the proper OUs and attributes properly; all this is fine. But now, we do have a lot of overall access management universal groups that are created in the root domain and used for almost everything, and though I also created a partition for the root domain in the same instance of AD LDS, all group memberships are removed with

  Will not synchronize dn-ref to be13d726f61d3e4dbc22e64a8eb8d591. Target does not exist.

I don't seem to find any way of synchronizing universal group memberships in this kind of setup. Is it achievable with AD LDS?

Thank you !

Régis Hambalek



DC - refuses administrator log on


History: I migrated a 2003 domain to 2012 R2 (2 DCs), now native. All was OK until my 1st reboot of the 2nd DC. It lost its ability to communicate with the domain. I've demoted/removed it and am now on 1 DC until I can do some more testing. DNS is now clean and dcdiag gives a clean bill. This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs show that @ 4:30PM yesterday the scheduled backup (Win Backup) occurred successfully.  Then shortly after 5PM the system logs event 5823 (NETLOGON  The system successfully changed its password on the domain controller .  This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password. ). 

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

Domain Join between Client Network and RODC Network


Hi there

I have the following network setup (all servers are 2008 R2 with SP):

If I try to join the DB server to our domain via offline join (DJOIN), everything is working fine.
But if I try to join the clients to our domain, the login fails with the message "no authentication servers available".

I also checked the network logs via Wireshark and I found this:

CLIENT ->RODC DNS 97 Standard query 0xea67  SRV _kerberos._tcp.dc._msdcs.Domäne
RODC -> CLIENT DNS 200 Standard query response 0xea67  SRV 0 100 88 DC2.DOMÄNE SRV 0 100 88 DC.DOMÄNE

After that the client seems to try to reach our DC via CLDAP (which is not allowed on the firewall):
CLIENT ->DC CLDAP 207 searchRequest(6987)"<ROOT>" baseObject 

Is that normal? I thought the clients only need a connection to the RODC server, and the RODC server is going to make the LDAP connection to the DCs.


Website Updates DNS issues


My company had someone add a WordPress section to their website.

Externally I can ping the domain name without WWW, but internally I can only ping it with WWW in front. 

The IP address of the site has stayed the same, but I believe the developer has set it up to only be accessible without the www in front of it. 

What do I add in terms of DNS records to make the domain name (domain.com) pingable?

(Again, www.domain.com is pingable, domain.com is not.)

upgrading from AD 2003 to AD 2008r2.


Trying to upgrade from AD 2003 to AD 2008 R2. When examining their environment I tried to change the domain functional level (as a test) and got the message that I could not because one or more servers was at domain functional level 2000. When I got detailed info, the server name is blank. There are only 2 domain controllers in the domain. Both of them are 2003 servers. One crashed and was rebuilt. FSMO roles are on the rebuilt server.

I need to get the functional level to 2003 so I can extend the schema, install the new domain controllers and transfer the roles.


Delegate CONTROL_ACCESS


In order for one to have read access to a confidential attribute, both of the following conditions must be true: (1) permissions must be held that grant read access to that attribute and (2) CONTROL_ACCESS permission must be present against that attribute for the entity accessing it. A side note to the original article mentions that Full Control permissions will grant CONTROL_ACCESS as well.

Now I'm trying to delegate the right to read a specific confidential attribute using the "Delegate Control" wizard. I can easily adapt the delegwiz.inf so that it contains a new template with a "@=GA" for the attribute I'm after, in effect granting Full Control (which will in turn grant CONTROL_ACCESS). However, I'd like not to grant change permissions to that attribute as well, only read (in terms of final, effective permissions). How is it possible to grant the CONTROL_ACCESS permission through a template in delegwiz.inf? I've found here that CA should be the "Control Access" I'm after, but when I use this, the template is invalidated and it's no longer visible in the "Delegate Control" wizard.

I've thought about the "Reset Password" right that appears throughout delegwiz.inf, and thought CONTROL_ACCESS is a similar right; however, it's nowhere to be found in the list of rights.
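The two conditions described in the post can be expressed directly as one ACE instead of a delegwiz.inf template. The following PowerShell is an added example (not from the post or from Microsoft's tooling); the OU DN, group name and attribute name are placeholders, and it assumes the ActiveDirectory module with its AD: drive.

```powershell
Import-Module ActiveDirectory

# Placeholder values (constructed for this example): adjust to the real OU, group and attribute.
$ouDn      = 'OU=Staff,DC=example,DC=com'
$groupName = 'Attr-Readers'
$attrName  = 'employeeSecret'   # hypothetical confidential attribute (searchFlags bit 7 set)

$schemaNc = (Get-ADRootDSE).schemaNamingContext

# The ACE's ObjectType must be the attribute's schemaIDGUID, and its
# InheritedObjectType the 'user' class GUID so it applies only to user objects.
$attrGuid = [Guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
    -Properties schemaIDGUID).schemaIDGUID
$userGuid = [Guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
    -Properties schemaIDGUID).schemaIDGUID

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# Condition (1): ReadProperty on the attribute.
# Condition (2): CONTROL_ACCESS, which .NET exposes as ActiveDirectoryRights.ExtendedRight (0x100),
# scoped to the same attribute GUID. WriteProperty is deliberately left out, so the
# delegate can read the confidential value but not change it.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check the result: the group's ACEs on the OU should list ReadProperty, ExtendedRight
# with ObjectType equal to the attribute GUID and no write rights.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Effective access can then be confirmed from a session running as a member of the group by reading the attribute with Get-ADUser -Properties; a non-member should still get the attribute back empty.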

Advice on Best practice for inter-countries Active Directory


We want to merge three Active Directories, with one as parent in Dubai, then children in Dubai, Bahrain and Kuwait. The time zones are different and sites are connected using VPN/leased line. With my studies I have explored two options. One way is to have the parent domain/forest in Dubai and child domains in the respective countries/offices; the second way is to have the parent and all child domains in the Dubai data center, as it is bigger, while the respective countries have DCs connected to their respective child domains in Dubai. (Personally I find the second option safer.)

Kindly advise which approach comes under best practice.

Thanks in advance.

Cannot delegate rights to Terminal Server (remote desktop) properties in ADUC


Cheers!

I am trying to provide a junior admin with rights to modify only the home drive and home drive path setting on the terminal server tab in ADUC.

I have read through the discussion here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/91072599-65c0-4b40-bd8b-4aa5f2bc47f6/delegate-terminal-services-tab-permissions

This discussion describes my issue exactly. I have tried using the ADUC delegation wizard as explained in the post above as well as using the advanced ACL editor to prescribe read/write permissions to the specific terminal server properties. With each approach the access seems to work, as the input boxes are not greyed out after I apply the rights, but when I go to apply the settings change it gives an "operation failed: access denied" message.

The article above is marked as answered, but there are comments posted later that show others have the same failed result after following the steps. I will also note that when I tested either approach (wizard or advanced ACL editor) with other property setting tabs in ADUC I was successful. This shows that either approach should work, but for some reason only the Terminal Server properties seem to have this behavior. This is an exception situation where the standard technique does not work under specific circumstances.

This link http://blogs.technet.com/b/heyscriptingguy/archive/2008/10/23/how-can-i-edit-terminal-server-profiles-for-users-in-active-directory.aspx talks about how the terminal server tab in ADUC was developed separately, and therefore requires a special scripting technique to modify the TS settings. This may be a clue as to why the behavior is different with the TS tab in ADUC.

My environment is a mix of Win2k3 and Win2k8 servers with a domain functional level set to 2003.

Thanks in advance for any help with this.

Steven Terry


For my situation, any reason not to use Change Notification?


I have a simple two-site AD topology. One site in each datacenter; 1 Gb connection between the site networks. Users at both sites.

Recently we installed an active/active DAG Exchange 2013 highly available design across sites. Works just fine, but I find it annoying that org-related changes within Exchange take 15 minutes to replicate unless forced manually. I'm considering enabling Change Notification to alleviate this minor annoyance. I've got no bandwidth or compute concerns... It seems like an easy solution, but I wanted to make sure there isn't something I'm overlooking or that I'm not using it beyond its intended purpose.


Thanks for reading!

LW

What is the difference between a Schema Update and Functional Level Update?


Hello all,

I'm trying to wrap my mind around what the difference is between a Schema Update and a Functional Level Update. For example, to have a 2012 R2 DC you need a 2012 schema update, but not necessarily a functional level update. Is this because the 2012 R2 DC would bring in schema objects that the current domain wouldn't have, and thus it needs to update its schema to 2012? And why can the functional level stay at a lower level with a 2012 R2 DC, say 2008 R2?

AD Replication only works one way


Currently we have 2 domain controllers serving 1 domain in 2 locations. Location 2 had a DC failure several months ago. I cleaned up all metadata regarding the old DC and promoted a new DC.

The new DC at location 2 replicates from the existing DC at location 1 fine, but the existing DC at location 1 will not replicate from the new DC at location 2.

New DC:  jmac-dc

Existing DC: hexom-app1

Here is the DCDIAG DNS test when run on the existing DC:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = hexom-app1

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\HEXOM-APP1

      Starting test: Connectivity

         ......................... HEXOM-APP1 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\HEXOM-APP1

      Starting test: Replications

         [Replications Check,HEXOM-APP1] A recent replication attempt failed:

            From JMAC-DC to HEXOM-APP1

            Naming Context: DC=DomainDnsZones,DC=hexom,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2014-09-18 13:59:27.

            The last success occurred at 2014-03-01 06:19:22.

            8700 failures have occurred since the last success.

            [JMAC-DC] DsBindWithSpnEx() failed with error 1722,

            The RPC server is unavailable..
            The source remains down. Please check the machine.

         [Replications Check,HEXOM-APP1] A recent replication attempt failed:

            From JMAC-DC to HEXOM-APP1

            Naming Context: DC=ForestDnsZones,DC=hexom,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2014-09-18 14:00:22.

            The last success occurred at 2014-03-01 05:45:46.

            5643 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,HEXOM-APP1] A recent replication attempt failed:

            From JMAC-DC to HEXOM-APP1

            Naming Context: CN=Schema,CN=Configuration,DC=hexom,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2014-09-18 13:58:38.

            The last success occurred at 2014-03-01 05:45:46.

            5528 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,HEXOM-APP1] A recent replication attempt failed:

            From JMAC-DC to HEXOM-APP1

            Naming Context: CN=Configuration,DC=hexom,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2014-09-18 13:48:44.

            The last success occurred at 2014-03-01 05:45:46.

            4938 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,HEXOM-APP1] A recent replication attempt failed:

            From JMAC-DC to HEXOM-APP1

            Naming Context: DC=hexom,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2014-09-18 13:59:58.

            The last success occurred at 2014-05-30 16:20:37.

            6355 failures have occurred since the last success.

            The source remains down. Please check the machine.

         ......................... HEXOM-APP1 failed test Replications

   
   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : hexom

   
   Running enterprise tests on : hexom.local


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = hexom-app1

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\HEXOM-APP1

      Starting test: Connectivity

         ......................... HEXOM-APP1 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\HEXOM-APP1

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... HEXOM-APP1 passed test DNS

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : hexom

   
   Running enterprise tests on : hexom.local

      Starting test: DNS

         Test results for domain controllers:

            
            DC: hexom-app1.hexom.local

            Domain: hexom.local

            

                  
               TEST: Basic (Basc)
                  Warning: adapter

                  [00000006] Microsoft Virtual Machine Bus Network Adapter has

                  invalid DNS server: 10.0.0.3 (jmac-dc.hexom.local.)

                  Warning: The AAAA record for this DC was not found
                  
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 10.0.0.3 (jmac-dc.hexom.local.)
                  
               TEST: Delegations (Del)
                  Error: DNS server: jmac-dc.hexom.local. IP:10.0.0.3

                  [Broken delegated domain _msdcs.hexom.local.]

                  
               TEST: Records registration (RReg)
                  Network Adapter

                  [00000006] Microsoft Virtual Machine Bus Network Adapter:

                     Warning: 
                     Missing AAAA record at DNS server 10.0.1.8: 
                     hexom-app1.hexom.local
                     
                     Warning: 
                     Missing AAAA record at DNS server 10.0.1.8: 
                     gc._msdcs.hexom.local
                     
               Warning: Record Registrations not found in some network adapters

         
         Summary of test results for DNS servers used by the above domain

         controllers:

         

            DNS server: 10.0.0.3 (jmac-dc.hexom.local.)

               3 test failure on this DNS server

               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.0.3               Name resolution is not functional. _ldap._tcp.hexom.local. failed on the DNS server 10.0.0.3
               
         Summary of DNS test results:

         
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: hexom.local

               hexom-app1                   PASS WARN FAIL FAIL PASS WARN n/a  
         
         ......................... hexom.local failed test DNS


Bulk modifying AD permissions


I need assistance giving Authenticated Users "read" access to Active Directory. I have different OUs and not all permissions are being inherited.

Is there a script to give all Authenticated Users read access? For some reason the admin before me either did not do it or removed read permissions to Active Directory.

Thanks
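Before bulk-granting anything it is worth knowing which OUs actually block inheritance and lack the read ACE. The following PowerShell is an added example, not from the post: it audits every OU, reports the ones where inheritance is protected or where Authenticated Users (well-known SID S-1-5-11) has no GenericRead allow ACE, and only adds the missing ACE when the `$Fix` switch is set. It assumes the ActiveDirectory module and its AD: drive.

```powershell
Import-Module ActiveDirectory

# Set to $true only after reviewing the report; the default run is read-only.
$Fix = $false

$authUsers = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')  # Authenticated Users
$readMask  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead     # ReadControl|ListChildren|ReadProperty|ListObject

$report = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $path = "AD:\$($_.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # An ACE counts only if it is an Allow for S-1-5-11, applies to the whole object
    # (ObjectType empty, i.e. not limited to one attribute) and contains every GenericRead bit.
    $hasRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $authUsers.Value -and
        $_.ObjectType -eq [Guid]::Empty -and
        (($_.ActiveDirectoryRights -band $readMask) -eq $readMask)
    }

    $fixed = $false
    if ($Fix -and -not $hasRead) {
        # Read-only ACE applied to this OU and everything below it; no write bits are granted.
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $authUsers,
            $readMask,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
        $fixed = $true
    }

    [pscustomobject]@{
        OU                   = $_.DistinguishedName
        InheritanceBlocked   = $acl.AreAccessRulesProtected
        AuthUsersGenericRead = [bool]$hasRead
        ReadAceAdded         = $fixed
    }
}

# Show only the OUs that need attention; a fully inherited, readable tree prints nothing.
$report | Where-Object { $_.InheritanceBlocked -or -not $_.AuthUsersGenericRead } |
    Format-Table -AutoSize
```

Run it once with `$Fix = $false` and keep the output as the before-state; a second run after the fix should list only OUs where inheritance is blocked by design.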

AD Replication Issues Server not replicated in a long time


Hello

I have a server DC1 that has not successfully replicated for a long time.

Rebuilding it is not an option as it's remotely located.

Here is the repadmin /showreps output:

Site1DC1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: a0a03b2f-3cef-4fae-b721-786ef49d24b0

DSA invocationID: 0bdc582b-7a5b-4308-99fb-e81ad6350040

Source: Site2\DC3
******* 10 CONSECUTIVE FAILURES since 2014-09-23 20:50:57

Last error: -2146893022 (0x80090322):

            The target principal name is incorrect.

Naming Context: CN=Configuration,DC=Company,DC=local

Source: Site2\DC3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=ForestDnsZones,DC=Company,DC=local

Source: Site2\DC3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=DomainDnsZones,DC=Company,DC=local

Source: Site2\DC3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=Company,DC=local

Source: Site2\DC3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Source: Site3\DC2

******* 10 CONSECUTIVE FAILURES since 2014-09-23 20:51:00

Last error: -2146893022 (0x80090322):

            The target principal name is incorrect.

Source: Site2\DC6

******* 1 CONSECUTIVE FAILURES since 2014-09-23 22:52:44

Last error: 1722 (0x6ba):

            The RPC server is unavailable.

Naming Context: CN=Configuration,DC=Company,DC=local

Source: Site2\DC6

******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=ForestDnsZones,DC=Company,DC=local

Source: Site2\DC6

******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=DomainDnsZones,DC=Company,DC=local

Source: Site2\DC6

******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=Company,DC=local

Source: Site2\DC6

******* WARNING: KCC could not add this REPLICA LINK due to error.

and the dcdiag /c output:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC1

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

  
   Testing server: Site1\DC1

      Starting test: Connectivity

         ......................... DC1 passed test Connectivity

Doing primary tests

  
   Testing server: Site1\DC1

      Starting test: Advertising

         ......................... DC1 passed test Advertising

      Starting test: CheckSecurityError

         [DC1] No security related replication errors were found on

         this DC!  To target the connection to a specific source DC use

         /ReplSource:<DC>.

         ......................... DC1 passed test CheckSecurityError

      Starting test: CutoffServers

         ......................... DC1 passed test CutoffServers

      Starting test: FrsEvent

         ......................... DC1 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... DC1 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC1 passed test SysVolCheck

      Starting test: FrsSysVol

         ......................... DC1 passed test FrsSysVol

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:19

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:19

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:20

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:20

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:21

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:22

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:22

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:23

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:24

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:14:25

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:44

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:45

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:45

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:46

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:46

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:47

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:48

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:48

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:49

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         A warning event occurred.  EventID: 0x80000785

            Time Generated: 09/23/2014   22:21:50

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.


         ......................... DC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [DC3] DsBindWithSpnEx() failed with error -2146893022,

         The target principal name is incorrect..
         Warning: DC3 is the Schema Owner, but is not responding to DS

         RPC Bind.

         [DC3] LDAP bind failed with error 8341,

         A directory service error has occurred..
         Warning: DC3 is the Schema Owner, but is not responding to LDAP

         Bind.

         Warning: DC3 is the Domain Owner, but is not responding to DS

         RPC Bind.

         Warning: DC3 is the Domain Owner, but is not responding to LDAP

         Bind.

         Warning: DC3 is the PDC Owner, but is not responding to DS RPC

         Bind.

         Warning: DC3 is the PDC Owner, but is not responding to LDAP

         Bind.

         Warning: DC3 is the Rid Owner, but is not responding to DS RPC

         Bind.

         Warning: DC3 is the Rid Owner, but is not responding to LDAP

         Bind.

         Warning: DC3 is the Infrastructure Update Owner, but is not

         responding to DS RPC Bind.

         Warning: DC3 is the Infrastructure Update Owner, but is not

         responding to LDAP Bind.

         ......................... DC1 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC1 passed test NCSecDesc

      Starting test: NetLogons

         ......................... DC1 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC1 passed test ObjectsReplicated

      Starting test: OutboundSecureChannels

         ** Did not run Outbound Secure Channels test because /testdomain: was

         not entered

         ......................... DC1 passed test

         OutboundSecureChannels

      Starting test: Replications

         REPLICATION-RECEIVED LATENCY WARNING

         DC1:  Current time is 2014-09-23 22:22:08.

            DC=ForestDnsZones,DC=Company,DC=local
               Last replication received from DC2 at
          2014-06-21 16:56:38
               Last replication received from DC4 at
          2014-06-21 17:08:38
               Last replication received from DC5 at
          2014-06-21 18:53:35
               Last replication received from DC6 at
          2014-06-21 18:53:34
               Last replication received from DC7 at
          2014-06-21 17:08:38
               Last replication received from DC3 at
          2014-06-21 18:56:46
            DC=DomainDnsZones,DC=Company,DC=local
               Last replication received from DC2 at
          2014-06-21 16:56:38
               Last replication received from DC4 at
          2014-06-21 17:08:37
               Last replication received from DC5 at
          2014-06-21 18:53:35
               Last replication received from DC6 at
          2014-06-21 18:56:58
               Last replication received from DC7 at
          2014-06-21 17:08:37
               Last replication received from DC3 at
          2014-06-21 18:56:58
            CN=Schema,CN=Configuration,DC=Company,DC=local
               Last replication received from DC2 at
          2014-06-21 16:56:38
               Last replication received from DC4 at
          2014-06-21 17:08:37
               Last replication received from DC5 at
          2014-06-21 18:53:35
               Last replication received from DC6 at
          2014-06-21 18:53:34
               Last replication received from DC7 at
          2014-06-21 17:08:37
               Last replication received from DC3 at
          2014-06-21 18:56:43
            CN=Configuration,DC=Company,DC=local
               Last replication received from DC2 at
          2014-06-21 17:05:10
               Last replication received from DC4 at
          2014-06-21 17:08:36
               Last replication received from DC5 at
          2014-06-21 18:53:35
               Last replication received from DC6 at
          2014-06-21 18:53:34
               Last replication received from DC7 at
          2014-06-21 17:08:35
               Last replication received from DC3 at
          2014-06-21 18:56:43
            DC=Company,DC=local
               Last replication received from DC2 at
          2014-06-21 16:56:38
               Last replication received from DC4 at
          2014-06-21 17:08:37
               Last replication received from DC5 at
          2014-06-21 18:53:35
               Last replication received from DC6 at
          2014-06-21 18:57:19
               Last replication received from DC7 at
          2014-06-21 17:08:35
               Last replication received from DC3 at
          2014-06-21 19:01:08
         ......................... DC1 passed test Replications

      Starting test: RidManager

         ......................... DC1 failed test RidManager

      Starting test: Services

         ......................... DC1 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0xC0001B63

            Time Generated: 09/23/2014   21:26:09

            Event String:

            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.

         An error event occurred.  EventID: 0xC0001B63

            Time Generated: 09/23/2014   21:26:39

            Event String:

            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 09/23/2014   21:26:39

            Event String:

            The Smart Card Device Enumeration Service service failed to start due to the following error:


         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   21:28:34

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2$. The target name used was cifs/DC2.Company.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   21:36:48

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server . The target name used was host/DC2.Company.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain () is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   21:44:30

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC6$. The target name used was LDAP/4db3f8ca-a1b8-47fe-9edf-f07a4f6f506a._msdcs.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   21:47:56

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was ldap/DC3.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   21:50:28

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was Company\DC3$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   21:50:43

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2$. The target name used was Company\DC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   21:51:28

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/fb138164-6f72-452f-a911-fd03e47c3b10/Company.local@Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   21:51:31

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/484f72cd-dc70-41d7-a9fe-b2b9941a179c/Company.local@Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   22:06:35

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2$. The target name used was LDAP/484f72cd-dc70-41d7-a9fe-b2b9941a179c._msdcs.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   22:06:36

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was LDAP/fb138164-6f72-452f-a911-fd03e47c3b10._msdcs.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 09/23/2014   22:16:22

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was ldap/DC3.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... DC1 failed test SystemLog

      Starting test: Topology

         ......................... DC1 passed test Topology

      Starting test: VerifyEnterpriseReferences

         ......................... DC1 passed test

         VerifyEnterpriseReferences

      Starting test: VerifyReferences

         ......................... DC1 passed test VerifyReferences

      Starting test: VerifyReplicas

         ......................... DC1 passed test VerifyReplicas

  
      Starting test: DNS

        

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... DC1 passed test DNS

  
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

  
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

  
   Running partition tests on : Company

      Starting test: CheckSDRefDom

         ......................... Company passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Company passed test CrossRefValidation

  
   Running enterprise tests on : Company.local

      Starting test: DNS

         Test results for domain controllers:

           
            DC: DC1.Company.local

            Domain: Company.local

           

                 
               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone Company.local
        
         Summary of test results for DNS servers used by the above domain

         controllers:

        

            DNS server: 128.8.10.90 (d.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90              
            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235              
            DNS server: 2001:500:2::c (c.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c              
            DNS server: 2001:500:2d::d (d.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d              
            DNS server: 2001:500:2f::f (f.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f              
            DNS server: 2001:500:3::42 (l.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42              
            DNS server: 2001:500:84::b (b.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b              
            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30              
            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30              
            DNS server: 2001:7fd::1 (k.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1              
            DNS server: 2001:7fe::53 (i.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53              
            DNS server: 2001:dc3::35 (m.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35              
               DC1                  PASS PASS PASS PASS WARN PASS n/a 
         ......................... Company.local passed test DNS

      Starting test: LocatorCheck

         ......................... Company.local passed test LocatorCheck

      Starting test: FsmoCheck

         ......................... Company.local passed test FsmoCheck

      Starting test: Intersite

         ......................... Company.local passed test Intersite

Any thoughts are appreciated

Thank you
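The SystemLog failures above are all Kerberos event 4 (dcdiag prints it as 0x40000004) with KRB_AP_ERR_MODIFIED, and the event text names two causes: an SPN registered on more than one account, or a computer account password that no longer matches the copy the KDC holds. The PowerShell below is an added triage script, not something the poster or Microsoft provided; it assumes the RSAT ActiveDirectory module and is meant to be run as a domain admin on the DC that logged the events (DC1 here). The domain name is a placeholder for the poster's Company.local.

```powershell
# Added triage script, not from the thread. Assumes the RSAT ActiveDirectory
# module and that it runs as a domain admin on the DC that logged the events
# (DC1 in the dcdiag output). The domain name is a placeholder.
Import-Module ActiveDirectory
$Domain = 'company.example'   # placeholder for the poster's Company.local

# 1. Collect Kerberos client events from the last day. dcdiag prints the ID as
#    0x40000004; the low 16 bits (4) are the System-log event ID of the
#    Security-Kerberos provider, which is where KRB_AP_ERR_MODIFIED is logged.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 4
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# 2. Extract the server and the target SPN from each message. The server part
#    can be empty (one of the events above reads "from the server .").
$pattern = 'from the server (?<Server>[^\s.]*)\s?\. The target name used was (?<Spn>\S+)\. This'
$findings = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Server = $Matches.Server.TrimEnd('$')
            Spn    = $Matches.Spn
        }
    }
}
$findings | Sort-Object Server, Spn -Unique | Format-Table -AutoSize

# 3. First cause named in the event text: the SPN is registered on more than
#    one account. Look each SPN up in the directory (skip NetBIOS-style
#    targets such as Company\DC3$, which are account names, not SPNs).
foreach ($spn in ($findings.Spn | Where-Object { $_ -like '*/*' } | Sort-Object -Unique)) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Server $Domain)
    if ($owners.Count -gt 1) {
        Write-Warning "Duplicate SPN $spn on: $($owners.DistinguishedName -join '; ')"
    } elseif ($owners.Count -eq 0) {
        Write-Warning "SPN $spn is not registered on any account"
    }
}

# 4. Second cause named in the event text: the target's computer account
#    password differs between DCs (a password change such as the 5823 event in
#    the post may not have replicated yet). Read PasswordLastSet for each
#    failing server from every DC; the values must agree.
$dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
foreach ($srv in ($findings.Server | Where-Object { $_ } | Sort-Object -Unique)) {
    foreach ($dc in $dcs) {
        $acct = Get-ADComputer -Identity $srv -Server $dc -Properties PasswordLastSet -ErrorAction SilentlyContinue
        [pscustomobject]@{ Target = $srv; AskedDC = $dc; PasswordLastSet = $acct.PasswordLastSet }
    }
}
```

Step 3 is the same check `setspn -X` performs forest-wide, narrowed to the SPNs that actually failed. In step 4, a PasswordLastSet value that differs depending on which DC is asked points at replication that has not converged since the computer account password change, which is exactly the second condition the event text describes.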

Preparing to configure windows please do not turn off windows server 2008 r2


Preparing to configure Windows
Please do not turn off your computer.

We have seen this screen for a long time (3 hours) but the server does not start. If we remove the LAN cable from the server, then the server starts automatically, but none of the Exchange server services start automatically and users can't connect to Exchange 2010 SP3.


Md. Ramin Hossain

AD Site SRV records on DNS don't seem to be refreshing


Hi all,

To carry out one request we recently set up a new site in AD (let's call it Site X). Even though there is no local DC at this new site, we had to set it up because we had to deploy a site-specific group policy. With this arrangement the GPO seems to be getting applied correctly on the clients on site, but we have an issue with the DC locator service. Initially, in the absence of a local DC, we had not set up a site link involving this site, so the local clients were referring to the central datacenter DC's (let's call it Site A), but as it turned out, this default link is not the fastest one. Hence we created a new site link yesterday between this new Site X and another slightly closer site (let's call it Site B, which has many DC's), with a random cost of 200 and a replication interval of 60 minutes.

The problem is that even after 24 hours I can see that the clients on Site X are still referring to the datacenter DC's (Site A), whereas I would have expected them to talk to Site B DC's now that it is part of an explicit site link? I did some further digging on the DNS SRV records and it looks like the site-specific available-DC listing (for Site X) is still pointing to Site A DC's, which is what I think is causing the clients to talk to the distant DC's.

So, I wanted to know what might be going on here. How do I make sure the DNS SRV records for Site X get refreshed with Site B DC's?

Thanks in advance,
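A client in a site with no DC locates a DC through the site-specific SRV record (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`), and the DCs that register themselves under a DC-less site are chosen by site-link cost (automatic site coverage). The PowerShell below is an added check, not code from the poster; it reads what DNS currently advertises for Site X, reads which DCs are actually in Site B, and compares the two. The domain and site names are placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added check, not from the original post. Names are placeholders for the
# poster's domain, Site X (no DC) and Site B (the site whose DCs should now
# answer for Site X). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$Domain       = 'company.example'   # placeholder
$ClientSite   = 'SiteX'             # placeholder: site without a DC
$ExpectedSite = 'SiteB'             # placeholder: site expected to cover SiteX

# 1. The DC Locator asks DNS for the site-specific record first. Read what is
#    currently advertised for SiteX.
$srvName = "_ldap._tcp.$ClientSite._sites.dc._msdcs.$Domain"
$advertised = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { $_.NameTarget.ToLower() } |
    Sort-Object -Unique)

# 2. The DCs that actually belong to SiteB, read from the directory.
$expected = @(Get-ADDomainController -Filter "Site -eq '$ExpectedSite'" -Server $Domain |
    ForEach-Object { $_.HostName.ToLower() } |
    Sort-Object -Unique)

# 3. Compare the two views. Any "not advertised" row means the SRV records for
#    SiteX have not been refreshed since the site link was created.
Compare-Object -ReferenceObject $expected -DifferenceObject $advertised -IncludeEqual |
    ForEach-Object {
        $state = switch ($_.SideIndicator) {
            '==' { "in $ExpectedSite and advertised for $ClientSite" }
            '<=' { "in $ExpectedSite but not advertised for $ClientSite" }
            '=>' { "advertised for $ClientSite but not in $ExpectedSite" }
        }
        [pscustomobject]@{ DC = $_.InputObject; State = $state }
    } | Format-Table -AutoSize

# 4. What the locator returns for a SiteX client right now, and the site links
#    that include SiteX (cost decides which site's DCs cover it).
nltest /dsgetdc:$Domain /site:$ClientSite
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Where-Object { $_.SitesIncluded -match "^CN=$ClientSite," } |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

Netlogon on each DC re-registers its DNS records on a timer (24 hours by default) and when the service restarts, so a coverage change made yesterday may simply not have been written yet; `nltest /dsregdns` on a Site B DC forces the registration, after which step 1 should show the Site B hosts. If the Site A records persist even after that, check whether they were created as static records or whether a lower-cost path from Site X to Site A still exists, since coverage follows the cheapest site link rather than the newest one.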



Update Universal Distribution Group Properties


Hi

I am looking for a solution to update the information of a universal Distribution group as in User properties.



This is the Group properties

But I want to add properties like General, Address, Telephone and Organisation as in User properties. Is there any possibility to do that?

Please help me

For my situation, any reason not to use Change Notification?


I have a simple two site AD topology. One site in each datacenter; 1GB connection between the site networks. Users at both sites.

Recently we installed an active/active DAG Exchange 2013 highly available design across sites. Works just fine, but I find it annoying that org-related changes within Exchange take 15 minutes to replicate unless forced manually. I'm considering enabling Change Notification to alleviate this minor annoyance. I've got no bandwidth or compute concerns... It seems like an easy solution, but I wanted to make sure there isn't something I'm overlooking or that I'm using it beyond its intended purpose.


Thanks for reading!

LW
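Change notification across a site link is a single bit (USE_NOTIFY, value 1) in the `options` attribute of the siteLink object, and that attribute also carries other bits, so the value should be OR-ed in rather than overwritten. The PowerShell below is an added example, not the poster's configuration; the site link name is a placeholder, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post. The site link name is a placeholder.
Import-Module ActiveDirectory
$LinkName = 'Site1-Site2'   # placeholder for the link between the two datacenters

# The siteLink 'options' attribute is a bit field:
#   0x1 USE_NOTIFY          (change notification across the link)
#   0x2 TWOWAY_SYNC
#   0x4 DISABLE_COMPRESSION
$USE_NOTIFY = 1

$link    = Get-ADReplicationSiteLink -Identity $LinkName -Properties options
$current = [int]($link.options)    # attribute is absent (null) until first set, which casts to 0

if (($current -band $USE_NOTIFY) -eq 0) {
    # OR the flag in so that bits already set on the link survive.
    $new = $current -bor $USE_NOTIFY
    Set-ADReplicationSiteLink -Identity $LinkName -Replace @{ options = $new }
    "Enabled change notification on $LinkName (options $current -> $new)"
} else {
    "Change notification already enabled on $LinkName (options = $current)"
}

# Verify the stored value alongside the schedule-based settings it overrides.
Get-ADReplicationSiteLink -Identity $LinkName -Properties options, Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, options, Cost, ReplicationFrequencyInMinutes
```

The flag makes the link behave like intrasite replication: partners are notified shortly after a change instead of waiting for the ReplicationFrequencyInMinutes interval, so that interval and the schedule only matter for the initial connection setup. The KCC must have generated connection objects over this link for the setting to have any effect, and both sides of the link need to be able to reach each other at any time, which is why it is normally reserved for links with the kind of bandwidth the poster describes.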


Services for Unix 3.5 upgrade to Windows 2008R2 domain


We are planning on upgrading our domain from 2003R2 to 2008R2 and we are heavy users of Services for Unix 3.5. Either on TechNet or one of these forums someone had a great document on what the changes are and what the interoperability would be like during the upgrade. I cannot seem to locate that documentation anymore; does anybody know where I could find something like that again?

Does backing up system state on a parent domain controller back up the child domains as well?


I cannot seem to find anything that states whether backing up your system state on a parent domain controller will also back up the child domain.

Thank you in advance.


Does the Computers container in Active Directory have any Group Policy applied to it?


Hello,

It is my understanding that the Computers container cannot have Group Policy applied to it. Does it still inherit the Default Domain Policy, or is it not affected by any Group Policy at all?

Thanks.
