Corey Hynes
Discussion topic for Test Lab
How to disable pre-authentication logs on Windows Server 2003
Hi there,
I was wondering whether anyone knew of a way to disable pre-authentication logs on a Windows 2003 Server in the Event Viewer. We keep getting lots of these on our replication server, which used to be the main domain controller and is now a secondary replica domain controller until we have finished migrating all the stuff over to the latest domain controller. Your help would be greatly appreciated.
Many thanks,
RocknRollTim
P.S. I was advised by a moderator from the Microsoft Community to post my question here.
DCPROMO FAILS - The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
Hi Experts,
We have 4 AD sites and they are working properly. Due to some requirement we need to decommission the DCs in one site. We are trying to demote the DC roles on 2 servers but they are throwing the attached errors.
I tried to follow the given link and changed the orphan entry as mentioned. But still this error persists. Replication and communication are happening properly in all sites.
When I ran dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=xxx,DC=net -attr fSMORoleOwner
I got the below-mentioned result, which shows that there is some orphan entry. DC01 doesn't exist in our network any more.
CN=NTDS Settings\0ADEL:413b675f-3da2-4c09-b801-6358e839268f,CN=DC01\0ADEL:de8559b2-255b-4603-8f07-608df9e61a73,CN=Servers,CN=GVA,CN=Sites,CN=Configuration,DC=XXX,DC=net
I changed the entry according to the link.
CN=NTDS Settings,CN=EUDC2,CN=Servers,CN=AUS,CN=Sites,CN=Configuration,DC=XXX,DC=net
Event Log Errors-01
The operations master roles held by this directory server could not transfer to the following remote directory server.
Remote directory server:
\\EUDC2.xxx.net
This is preventing removal of this directory server.
User Action
Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.
Additional Data
Error value:
5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
Extended error value:
0
Internal ID:
52498735
Event Log Errors-02
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=xxx,DC=net
FSMO Server DN: CN=NTDS Settings\0ADEL:413b675f-3da2-4c09-b801-6358e839268f,CN=DC01\0ADEL:de8559b2-255b-4603-8f07-608df9e61a73,CN=Servers,CN=USA,CN=Sites,CN=Configuration,DC=XXX,DC=net
User Action:
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
Any suggestion apart from that link, please?
Regards, Suman B. Singh
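A PowerShell check, added here as an example and not code from the original post, for the orphaned fSMORoleOwner condition the post found with dsquery: it reads the Infrastructure object of the domain partition and of every DomainDnsZones/ForestDnsZones application partition listed in rootDSE, flags an owner DN that carries the \0ADEL: deleted-object marker or that no longer resolves to a live NTDS Settings object, and can rewrite it to a live DC's NTDS Settings DN. It assumes the ActiveDirectory module is available; -NewOwnerDC is an assumed parameter name and the repair honours -WhatIf.

```powershell
# Added example (not from the original thread): audit, and optionally repair, the
# fSMORoleOwner attribute on the Infrastructure object of the domain partition and
# of the DomainDnsZones / ForestDnsZones application partitions this DC hosts.
# Requires the ActiveDirectory module; -NewOwnerDC is a hypothetical parameter name.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Name of a live DC whose NTDS Settings object should take over every orphaned role.
    # Leave empty to report only.
    [string]$NewOwnerDC
)

Import-Module ActiveDirectory -ErrorAction Stop

$rootDse = Get-ADRootDSE

# The domain partition plus every DNS application partition listed in rootDSE.
$partitions = @($rootDse.defaultNamingContext) +
    @($rootDse.namingContexts | Where-Object { $_ -match '^DC=(Domain|Forest)DnsZones,' })

# Resolve the replacement owner once, only when a repair was requested.
$newOwnerDn = $null
if ($NewOwnerDC) {
    $newOwnerDn = (Get-ADDomainController -Identity $NewOwnerDC -ErrorAction Stop).NTDSSettingsObjectDN
}

foreach ($nc in $partitions) {
    $infraDn = "CN=Infrastructure,$nc"
    $infra   = Get-ADObject -Identity $infraDn -Properties fSMORoleOwner -ErrorAction Stop
    $owner   = [string]$infra.fSMORoleOwner

    # A deleted object keeps its name but gets "\0ADEL:<guid>" appended to each RDN,
    # exactly like the DC01 entry dsquery returned in the thread.
    $isTombstone = $owner -match '\\0ADEL:'

    # Even without the tombstone marker, the owner must be a live NTDS Settings object
    # (class nTDSDSA in the Configuration partition, which every DC hosts).
    $resolves = $false
    if (-not $isTombstone) {
        $ntds = try { Get-ADObject -Identity $owner -ErrorAction Stop } catch { $null }
        $resolves = ($null -ne $ntds) -and ($ntds.ObjectClass -eq 'nTDSDSA')
    }
    $orphaned = $isTombstone -or (-not $resolves)

    # One report row per partition.
    [pscustomobject]@{
        Partition = $nc
        Owner     = $owner
        Orphaned  = $orphaned
    }

    if ($orphaned -and $newOwnerDn) {
        # The same change the post made by hand: point the role at a live DC.
        if ($PSCmdlet.ShouldProcess($infraDn, "Set fSMORoleOwner to $newOwnerDn")) {
            Set-ADObject -Identity $infraDn -Replace @{ fSMORoleOwner = $newOwnerDn }
        }
    }
}
```

Run it on a DC with Domain Admin rights; `-NewOwnerDC EUDC2 -WhatIf` shows which Infrastructure objects would be rewritten before anything changes.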
Events 5774, 5775 on Windows Server 2012 R2 DC using 3rd Party DNS server
I am getting events 5774 and 5775 logged on my first Windows Server 2012 R2 DC, because I am using a 3rd party DNS server (InfoBlox).
According to http://support.microsoft.com/kb/977158, the hotfix can be applied to a DC running Windows Server 2008 R2. Can the same hotfix be applied to a Windows Server 2012 R2 DC? Or is there some other way to resolve the issue?
________________________________
"You are using a 3rd party DNS server application for DNS updates on a computer that is running Windows Server 2008 R2 or Windows 7. Additionally, you enable the dynamic update feature on the DNS server. The DNS records are updated successfully. However, some DNS update errors may be recorded in the event logs or in other error logs." (...from the above KB977158).
Thanks.
Placing RODC in Perimeter network
Thanks to all in advance. We have two ADC servers on one of our sites, with a single forest and single domain on all sites. My client wants me to install one RODC server at the same site but in the perimeter network instead of the corporate network. Please give me feedback on the concerns below:
1. The client does not want to open firewall ports from the RODC in the perimeter to the ADC in the corporate network, although they have agreed to open ports from the ADC to the RODC. Can this scenario be possible?
2. This RODC server is used by some VC application for authentication of users. Can the RODC authenticate users without contacting the ADC (although one-sided replication is allowed from ADC to RODC)?
Please advise on the above issues. My ADC servers are Windows Server 2008 R2 SP1 and the RODC is also the same.
RODC and DNS
Upgrading AD from 2003 to 2012 R2
Hi All, I am hoping that someone could perhaps provide some insight on this topic as I apparently can't seem to google the best answer.
I have recently acquired an AD domain that is running on a 2003 domain controller. I have been tasked with upgrading our existing domain structure with 2012 R2 domain controllers for our main office and remote offices.
The domain name is company.mynetwork.com, and it is the default first site name. We have multiple offices throughout the US with their own domain controllers (i.e. FL.mynetwork.com, NY.mynetwork.com, DC.mynetwork.com, etc.).
Our main office, and default first site, has one domain controller (mynetdc1) running Server 2003 R2. It is also our only DNS server for the main office. The main office also has an additional domain controller called mynetmaster3 which is running Server 2003.
Both mynetdc1 & mynetmaster3 NTDS settings show them as global catalogs under AD Sites & Services. Both servers are also in the AD Domain Controllers OU, along with all of the other satellite office domain controllers.
Additionally, our main office is running Exchange 2010 with the latest service pack. My questions are:
- Can we demote and retire mynetmaster3, then replace mynetdc1 with a newly promoted 2012 R2 global catalog domain controller without harming anything in the domain tree or interrupting connectivity to the other offices (this of course goes without saying after a 4-hour maintenance window to get the task completed has passed)?
- Should we upgrade the satellite offices first after raising the functional level for mynetdc1, or should we do the opposite (upgrade main office, then satellite offices)?
- Exchange 2010 is heavily dependent on AD; what effect will this entire project have on our email server? What steps should we take beforehand to ensure email continuity?
- Finally, is there any shame for a Net Admin to suggest that we hire an implementation specialist for this task? :)
Any advice would be greatly appreciated!
Not able to create DC @ second site.
Hi,
I have my home lab server, where I would like to create 3 sites to make it more like an actual environment. I've created two sites and installed 2 DCs at site 1, and when I try to install another DC at the second site, it gives me the error: NOT ENOUGH RESOURCES TO COMPLETE THIS PROCESS. I've checked all connections and settings regarding DNS/ports/name resolution, and all are working fine.
1. Created 2nd IP Subnet and Site 2
2. Associated Subnet with Site 2
3. Created a site link for Sites 1 & 2.
4. Ping & NSLOOKUP work fine from both subnets.
5. The 2nd site system is a domain-joined system (which means DNS is working fine).
The only glitch I've found is that my on-board LAN port is not compatible with WS2012 R2, so I've installed a secondary LAN card into the system and all communications are working from the 2nd LAN card. My thought is that this shouldn't be an issue. I googled this one and found nothing helpful to resolve the issue.
Any help/suggestion is highly appreciated.
Regards
Rajneesh Kumar MCITP - SA, MCSE, CNA
Dial-in Properties error AD 2000
Hello,
I have an AD Windows 2000 server and when I try to view a user's properties in AD I get: Could not load the Dial-in profile for this user because: access is denied. This happened suddenly without any cause.
Does somebody know what the root of the problem is?
Best Regards and thanks in advance.
Single child domain server will not replicate to parent domain servers
I just started a new job, and inherited a problem with a child domain server. This Server 2012 server is the only domain controller for this child domain. I can't add another domain controller because the child domain server is not replicating to the parent domain, and DCDIAG shows that the "SERVER has not finished promoting to be a GC." It would appear there is no global catalog in the child domain available to show the computer account. It doesn’t matter if I add the NEW server to the domain before I start the AD Wizard or not. In both cases the Wizard fails with the error, "The operation failed because: A domain controller could not be contacted for the domain XXXX that contained an account for this computer. Make the computer a member of a workgroup and then rejoin the domain before trying the promotion. Access is denied." I've done this a couple of times but it doesn't make a difference.
I even tried to install from media, but I get the same error. I can't delete the domain and recreate it because it has lots of client computers.
I'm not sure what started it all, but one likely candidate is that the C: drive was full when I got here. I added a second disk and moved the TEMP and page files to D:, and cleaned up a bit so now there is 5.6GB free.
There are lots of things going on, and I keep going in circles. I need a completed global catalog on this server so I can add another domain controller. That would allow me to demote this server and re-promote it which would hopefully fix all the errors I'm having. But until I can get at least the global catalog working, I'm stumped.
I can't connect to the CHILD domain in AD Users and Computers. I get this error:
- The domain CHILD could not be found because: The server is not operational
I checked the firewall and it SAYS that all the ports are open between the two domains. I can telnet between the CHILD and PARENT domains on all the replication ports required, at least those that work between the PARENT controllers that are replicating properly (I get no response on ports 138 or 3268 on any of my domain controllers).
DCDIAG says:
C:\Users\Administrator>dcdiag | more
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = CHILDSERVER
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CHILDSERVER
Starting test: Connectivity
......................... CHILDSERVER passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CHILDSERVER
Starting test: Advertising
Warning: CHILDSERVER has not finished promoting to be a GC.
Check the event log for domains that cannot be replicated.
Warning: CHILDSERVER is not advertising as a global catalog.
Check that server finished GC promotion.
Check the event log on server that enough source replicas for the GC are available.
......................... CHILDSERVER failed test Advertising
Starting test: FrsEvent
......................... CHILDSERVER passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... CHILDSERVER failed test DFSREvent
Starting test: SysVolCheck
......................... CHILDSERVER passed test SysVolCheck
Starting test: KccEvent
(NOTE: DUPLICATE EVENTS NOT SHOWN)
* An error event occurred. EventID: 0xC000066D
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
* A warning event occurred. EventID: 0x80000677
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
* An error event occurred. EventID: 0xC0000466
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services was unable to establish a connection with the global catalog.
* A warning event occurred. EventID: 0x80000785
Time Generated: 09/24/2014 13:24:06
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
* A warning event occurred. EventID: 0x80000785
Time Generated: 09/24/2014 13:24:06
Event String:
The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
* An event occurred. EventID: 0x40000617
Time Generated: 09/24/2014 13:32:24
Event String:
The local domain controller has been selected to be a global catalog . However, the domain controller does not host a read-only replica of the following directory partition.
An event occurred. EventID: 0x40000617
Time Generated: 09/24/2014 13:32:24
* An event occurred. EventID: 0x4000062A
Time Generated: 09/24/2014 13:32:24
Event String:
Promotion of the local domain controller to a global catalog has been delayed because the directory partition occupancy requirements have not been met. The occupancy requirement level and current domain controller level are as follows.
* An event occurred. EventID: 0x40000456
Time Generated: 09/24/2014 13:32:24
Event String:
Promotion of this domain controller to a global catalog will be delayed for the following interval.
......................... CHILDSERVER failed test KccEvent
Starting test: KnowsOfRoleHolders
[PARENT1] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: PARENT1 is the Schema Owner, but is not responding to DS RPC Bind.
[PARENT1] LDAP bind failed with error 1326,
The user name or password is incorrect..
Warning: PARENT1 is the Schema Owner, but is not responding to LDAP Bind.
Warning: PARENT1 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: PARENT1 is the Domain Owner, but is not responding to LDAP Bind.
......................... CHILDSERVER failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... CHILDSERVER passed test MachineAccount
Starting test: NCSecDesc
......................... CHILDSERVER passed test NCSecDesc
Starting test: NetLogons
......................... CHILDSERVER passed test NetLogons
Starting test: ObjectsReplicated
......................... CHILDSERVER passed test ObjectsReplicated
Starting test: Replications
[Replications Check,CHILDSERVER] A recent replication attempt failed:
From PARENT2 to CHILDSERVER
Naming Context: DC=ForestDnsZones,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:14.
5935 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[PARENT2] DsBindWithSpnEx() failed with error 5,
Access is denied..
[Replications Check,CHILDSERVER] A recent replication attempt failed:
From PARENT2 to CHILDSERVER
Naming Context: CN=Schema,CN=Configuration,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:14.
5935 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,CHILDSERVER] A recent replication attempt failed:
From PARENT2 to CHILDSERVER
Naming Context: CN=Configuration,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:13.
5942 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
......................... CHILDSERVER failed test Replications
Starting test: RidManager
......................... CHILDSERVER passed test RidManager
Starting test: Services
......................... CHILDSERVER passed test Services
Starting test: SystemLog
* An error event occurred. EventID: 0xC00038D6
Time Generated: 09/24/2014 12:59:25
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
* A warning event occurred. EventID: 0x000727A5
Time Generated: 09/24/2014 13:01:03
Event String:
The WinRM service is not listening for WS-Management requests.
* An error event occurred. EventID: 0xC0FF05DC
Time Generated: 09/24/2014 13:02:03
Event String:
The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
* A warning event occurred. EventID: 0x00001796
Time Generated: 09/24/2014 13:02:23
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:28
Event String:
The dynamic registration of the DNS record 'CHILD-DOMAIN.DOMAIN.NET. 600 IN A 192.168.215.15' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:30
Event String:
The dynamic registration of the DNS record '_ldap._tcp.CHILD-DOMAIN.DOMAIN.NET.
600 IN SRV 0 100 389 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:32
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-
66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x00000457
Time Generated: 09/24/2014 13:04:08
Event String:
Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
* A warning event occurred. EventID: 0x000727AA
Time Generated: 09/24/2014 13:04:30
Event String:
The WinRM service failed to create the following SPNs: WSMAN/CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET; WSMAN/CHILDSERVER.
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:07:32
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168F
Time Generated: 09/24/2014 13:17:32
Event String:
The dynamic deletion of the DNS record '_gc._tcp.DOMAIN.NET. 600 IN SRV 0 100 3268 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168F
Time Generated: 09/24/2014 13:17:32
Event String:
The dynamic deletion of the DNS record '_gc._tcp.Default-First-Site-Name._sites.DOMAIN.NET. 600 IN SRV 0 100 3268 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on
the following DNS server:
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:17:34
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:37:36
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
......................... CHILDSERVER failed test SystemLog
Starting test: VerifyReferences
......................... CHILDSERVER passed test VerifyReferences
Running partition tests on : CHILD-DOMAIN
Starting test: CheckSDRefDom
......................... CHILD-DOMAIN passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... CHILD-DOMAIN passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running enterprise tests on : DOMAIN.NET
Starting test: LocatorCheck
......................... DOMAIN.NET passed test LocatorCheck
Starting test: Intersite
......................... DOMAIN.NET passed test Intersite
The DIRECTORY SERVICE ERROR LOG shows:
* Event ID: 1126. Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 1355 The specified domain either does not exist or could not be contacted.
* Event ID: 1126. Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 8430 The directory service encountered an internal failure.
* Event ID: 1655. Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful. Global catalog: \\PARENT4.DOMAIN.NET The operation in progress might be unable to continue. Active Directory Domain Services will use the domain controller locator to try to find an available global catalog server.
* Event ID: 1645. Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
* Event ID: 1869. Active Directory Domain Services has located a global catalog in the following site. Global catalog: \\PARENT4.DOMAIN.NET
* Event ID: 1645. Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination directory server:
\\PARENT3.DOMAIN.NET
SPN:
GC/PARENT3.DOMAIN.NET/DOMAIN.NET@DOMAIN.NET
The ACTIVE DIRECTORY ERROR LOG shows:
* Event ID: 1202. This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
The DNS SERVER ERROR LOG shows:
* Event ID: 4512. The DNS server was unable to create the built-in directory partition DomainDnsZones.CHILD-DOMAIN.DOMAIN.NET. The error was 9571.
* Event ID: 4013. The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
The WINDOWS SYSTEM ERROR LOG shows:
* Event ID: 5774. The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
DNS server IP address: 172.20.200.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017
* Event ID: 5775. The dynamic deletion of the DNS record '_gc._tcp.Default-First-Site-Name._sites.DOMAIN.NET. 600 IN SRV 0 100 3268 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
DNS server IP address: 172.21.24.16
Returned Response Code (RCODE): 5
Returned Status Code: 9017
* Event ID: 5775. The dynamic deletion of the DNS record '_gc._tcp.DOMAIN.NET. 600 IN SRV 0 100 3268 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
DNS server IP address: 172.21.24.16
Returned Response Code (RCODE): 5
Returned Status Code: 9017
I don't see any DFS REPLICATION ERROR LOG entries, although I had to reinitialize replication after I freed up disk space.
REPADMIN /REPLSUMMARY shows:
C:\Users\Administrator>repadmin /replsummary
Replication Summary Start Time: 2014-09-24 14:26:44
Beginning data collection for replication summary, this may take awhile:
.........
Source DSA largest delta fails/total %% error
PARENT2 >60 days 3 / 3 100 (5) Access is denied.
Destination DSA largest delta fails/total %% error
CHILDSERVER >60 days 3 / 3 100 (5) Access is denied.
Experienced the following operational errors trying to retrieve replication information:
1326 – PARENT1.DOMAIN.NET
1326 – PARENT2.DOMAIN.NET
1326 – PARENT3.DOMAIN.NET
1326 – PARENT4.DOMAIN.NET
58 - 81cd2013-357e-40ed-a006-e6546fc6735f._msdcs.DOMAIN.NET
C:\Users\Administrator>
I looked at the SPNs on each domain controller, but there is no mingling of SPNs between the PARENT and FOREST domains. I'm not sure if there should be. PARENT1 through PARENT2 contain references to each other, but none to CHILDSERVER, and vice versa. I tried running SETSPN -A per the KB article the ERROR LOG reference said, but it fails because the computer accounts cannot be identified across the PARENT/CHILD domain boundary.
I know this is a permissions or replication issue, but I just don't know where to start. Can anyone help?
Thanks, Jack
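An added PowerShell example, not the poster's code, for reading diagnostics like the ones above: ConvertFrom-DcdiagOutput lists the failed dcdiag tests and converts the hex EventIDs dcdiag prints into the decimal Event IDs Event Viewer shows, so 0xC000066D under KccEvent can be matched to Event ID 1645 in the Directory Service log; Get-DnsRegistrationFailure pulls the 5774/5775 Netlogon events, which also appear in the 2012 R2/InfoBlox post earlier on this page, from the System log with the DNS server IP and RCODE. The dcdiag sample at the bottom is constructed to resemble the thread's output.

```powershell
# Added example, not from the original post: relate dcdiag output to Event Viewer
# entries and extract the DNS dynamic-update failures (5774/5775) from the System log.

function ConvertFrom-DcdiagOutput {
    param([Parameter(Mandatory)][string[]]$Lines)

    $failed = @()
    $events = @()
    $currentTest = $null

    foreach ($line in $Lines) {
        if ($line -match 'Starting test:\s*(\S+)') {
            $currentTest = $Matches[1]
        }
        elseif ($line -match '\.{5,}\s*(\S+) failed test (\S+)') {
            $failed += [pscustomobject]@{ Server = $Matches[1]; Test = $Matches[2] }
        }
        elseif ($line -match 'EventID:\s*0x([0-9A-Fa-f]{8})') {
            $raw = [Convert]::ToUInt32($Matches[1], 16)
            # Event Viewer shows only the low 16 bits; the top two bits encode severity
            # (11 = error, 10 = warning, 01 = informational), so 0xC000066D is Event ID 1645.
            $sev = $raw -shr 30
            if ($sev -eq 3) { $severity = 'Error' }
            elseif ($sev -eq 2) { $severity = 'Warning' }
            else { $severity = 'Information' }
            $events += [pscustomobject]@{
                Test     = $currentTest
                HexId    = '0x' + $Matches[1]
                EventId  = $raw -band 0xFFFF
                Severity = $severity
            }
        }
    }
    [pscustomobject]@{ FailedTests = $failed; Events = $events }
}

function Get-DnsRegistrationFailure {
    param([int]$MaxEvents = 50)
    # 5774 = dynamic registration failed, 5775 = dynamic deletion failed (source Netlogon).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5774, 5775 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Record    = if ($m -match "record '([^']+)'") { $Matches[1] } else { $null }
                DnsServer = if ($m -match 'DNS server IP address:\s*(\S+)') { $Matches[1] } else { $null }
                # RCODE 5 is REFUSED: the DNS server rejected the update, which is the case in the thread.
                Rcode     = if ($m -match 'RCODE\):\s*(\d+)') { [int]$Matches[1] } else { $null }
            }
        }
}

# Constructed sample resembling the dcdiag output in the thread.
$sample = @'
Starting test: KccEvent
* An error event occurred. EventID: 0xC000066D
* A warning event occurred. EventID: 0x80000677
* An event occurred. EventID: 0x40000617
......................... CHILDSERVER failed test KccEvent
Starting test: MachineAccount
......................... CHILDSERVER passed test MachineAccount
'@ -split "`r?`n"

$result = ConvertFrom-DcdiagOutput -Lines $sample
$result.FailedTests | Format-Table -AutoSize
$result.Events | Format-Table -AutoSize

# On a live DC, list recent DNS update failures grouped by the server that refused them.
Get-DnsRegistrationFailure | Group-Object DnsServer | Select-Object Name, Count
```

Feed `dcdiag /c /v | Out-String -Stream` to ConvertFrom-DcdiagOutput on the DC itself to get the same table for real output.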
AD Replication Issues Server not replicated in a long time
Hello
I have a server DC1 that has not successfully replicated for a long time.
Rebuilding it is not an option as it's remotely located.
Here is the repadmin /showreps output:
Site1DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a0a03b2f-3cef-4fae-b721-786ef49d24b0
DSA invocationID: 0bdc582b-7a5b-4308-99fb-e81ad6350040
Source: Site2\DC3
******* 10 CONSECUTIVE FAILURES since 2014-09-23 20:50:57
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
Naming Context: CN=Configuration,DC=Company,DC=local
Source: Site2\DC3
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=ForestDnsZones,DC=Company,DC=local
Source: Site2\DC3
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=DomainDnsZones,DC=Company,DC=local
Source: Site2\DC3
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=Company,DC=local
Source: Site2\DC3
******* WARNING: KCC could not add this REPLICA LINK due to error.
Source: Site3\DC2
******* 10 CONSECUTIVE FAILURES since 2014-09-23 20:51:00
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
Source: Site2\DC6
******* 1 CONSECUTIVE FAILURES since 2014-09-23 22:52:44
Last error: 1722 (0x6ba):
The RPC server is unavailable.
Naming Context: CN=Configuration,DC=Company,DC=local
Source: Site2\DC6
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=ForestDnsZones,DC=Company,DC=local
Source: Site2\DC6
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=DomainDnsZones,DC=Company,DC=local
Source: Site2\DC6
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=Company,DC=local
Source: Site2\DC6
******* WARNING: KCC could not add this REPLICA LINK due to error.
and the dcdiag /c output:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Site1\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Site1\DC1
Starting test: Advertising
......................... DC1 passed test Advertising
Starting test: CheckSecurityError
[DC1] No security related replication errors were found on
this DC! To target the connection to a specific source DC use
/ReplSource:<DC>.
......................... DC1 passed test CheckSecurityError
Starting test: CutoffServers
......................... DC1 passed test CutoffServers
Starting test: FrsEvent
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC1 failed test DFSREvent
Starting test: SysVolCheck
......................... DC1 passed test SysVolCheck
Starting test: FrsSysVol
......................... DC1 passed test FrsSysVol
Starting test: KccEvent
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:19
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:19
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:20
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:20
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:21
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:22
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:22
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:23
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:24
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:14:25
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:44
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:45
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:45
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:46
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:46
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:47
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:48
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:48
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:49
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 09/23/2014 22:21:50
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
[DC3] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: DC3 is the Schema Owner, but is not responding to DS
RPC Bind.
[DC3] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: DC3 is the Schema Owner, but is not responding to LDAP
Bind.
Warning: DC3 is the Domain Owner, but is not responding to DS
RPC Bind.
Warning: DC3 is the Domain Owner, but is not responding to LDAP
Bind.
Warning: DC3 is the PDC Owner, but is not responding to DS RPC
Bind.
Warning: DC3 is the PDC Owner, but is not responding to LDAP
Bind.
Warning: DC3 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: DC3 is the Rid Owner, but is not responding to LDAP
Bind.
Warning: DC3 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: DC3 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... DC1 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
......................... DC1 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test because /testdomain: was
not entered
......................... DC1 passed test OutboundSecureChannels
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
DC1: Current time is 2014-09-23 22:22:08.
DC=ForestDnsZones,DC=Company,DC=local
Last replication received from DC2 at
2014-06-21 16:56:38
Last replication received from DC4 at
2014-06-21 17:08:38
Last replication received from DC5 at
2014-06-21 18:53:35
Last replication received from DC6 at
2014-06-21 18:53:34
Last replication received from DC7 at
2014-06-21 17:08:38
Last replication received from DC3 at
2014-06-21 18:56:46
DC=DomainDnsZones,DC=Company,DC=local
Last replication received from DC2 at
2014-06-21 16:56:38
Last replication received from DC4 at
2014-06-21 17:08:37
Last replication received from DC5 at
2014-06-21 18:53:35
Last replication received from DC6 at
2014-06-21 18:56:58
Last replication received from DC7 at
2014-06-21 17:08:37
Last replication received from DC3 at
2014-06-21 18:56:58
CN=Schema,CN=Configuration,DC=Company,DC=local
Last replication received from DC2 at
2014-06-21 16:56:38
Last replication received from DC4 at
2014-06-21 17:08:37
Last replication received from DC5 at
2014-06-21 18:53:35
Last replication received from DC6 at
2014-06-21 18:53:34
Last replication received from DC7 at
2014-06-21 17:08:37
Last replication received from DC3 at
2014-06-21 18:56:43
CN=Configuration,DC=Company,DC=local
Last replication received from DC2 at
2014-06-21 17:05:10
Last replication received from DC4 at
2014-06-21 17:08:36
Last replication received from DC5 at
2014-06-21 18:53:35
Last replication received from DC6 at
2014-06-21 18:53:34
Last replication received from DC7 at
2014-06-21 17:08:35
Last replication received from DC3 at
2014-06-21 18:56:43
DC=Company,DC=local
Last replication received from DC2 at
2014-06-21 16:56:38
Last replication received from DC4 at
2014-06-21 17:08:37
Last replication received from DC5 at
2014-06-21 18:53:35
Last replication received from DC6 at
2014-06-21 18:57:19
Last replication received from DC7 at
2014-06-21 17:08:35
Last replication received from DC3 at
2014-06-21 19:01:08
......................... DC1 passed test Replications
Starting test: RidManager
......................... DC1 failed test RidManager
Starting test: Services
......................... DC1 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0xC0001B63
Time Generated: 09/23/2014 21:26:09
Event String:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
An error event occurred. EventID: 0xC0001B63
Time Generated: 09/23/2014 21:26:39
Event String:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.
An error event occurred. EventID: 0xC0001B58
Time Generated: 09/23/2014 21:26:39
Event String:
The Smart Card Device Enumeration Service service failed to start due to the following error:
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 21:28:34
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2$. The target name used was cifs/DC2.Company.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 21:36:48
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server . The target name used was host/DC2.Company.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain () is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 21:44:30
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC6$. The target name used was LDAP/4db3f8ca-a1b8-47fe-9edf-f07a4f6f506a._msdcs.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 21:47:56
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was ldap/DC3.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 21:50:28
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was Company\DC3$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 21:50:43
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2$. The target name used was Company\DC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 21:51:28
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/fb138164-6f72-452f-a911-fd03e47c3b10/Company.local@Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 21:51:31
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/484f72cd-dc70-41d7-a9fe-b2b9941a179c/Company.local@Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 22:06:35
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2$. The target name used was LDAP/484f72cd-dc70-41d7-a9fe-b2b9941a179c._msdcs.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 22:06:36
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was LDAP/fb138164-6f72-452f-a911-fd03e47c3b10._msdcs.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/23/2014 22:16:22
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was ldap/DC3.Company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Company.LOCAL) is different from the client domain (Company.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
......................... DC1 failed test SystemLog
Starting test: Topology
......................... DC1 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... DC1 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences
Starting test: VerifyReplicas
......................... DC1 passed test VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... DC1 passed test DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : Company
Starting test: CheckSDRefDom
......................... Company passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Company passed test CrossRefValidation
Running enterprise tests on : Company.local
Starting test: DNS
Test results for domain controllers:
DC: DC1.Company.local
Domain: Company.local
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record dcdiag-test-record in zone Company.local
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235
DNS server: 2001:500:2::c (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c
DNS server: 2001:500:2d::d (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
DNS server: 2001:500:2f::f (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
DNS server: 2001:500:3::42 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42
DNS server: 2001:500:84::b (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b
DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
DNS server: 2001:7fd::1 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
DNS server: 2001:7fe::53 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
DNS server: 2001:dc3::35 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
Summary of DNS test results:
                      Auth Basc Forw Del  Dyn  RReg Ext
   DC1                PASS PASS PASS PASS WARN PASS n/a
......................... Company.local passed test DNS
Starting test: LocatorCheck
......................... Company.local passed test LocatorCheck
Starting test: FsmoCheck
......................... Company.local passed test FsmoCheck
Starting test: Intersite
......................... Company.local passed test Intersite
Any thoughts are appreciated
Thank you
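The output above shows three things at once: every inbound partner last replicated on 2014-06-21, every DC that DC1 talks to answers with KRB_AP_ERR_MODIFIED, and all five FSMO roles sit on DC3, which DC1 cannot bind to. The script below is an added triage example, not part of the original post; it runs on the home DC and reads the real numbers rather than guessing. The DC names and the domain name are the post's placeholders, and the 60-day tombstone lifetime is only a fallback for when the attribute is unset.

```powershell
Import-Module ActiveDirectory

$HomeDC = 'DC1'             # the DC the dcdiag above was run on (post's placeholder)
$Domain = 'Company.local'   # post's placeholder domain

# 1. Inbound replication age versus the forest's tombstone lifetime.
#    A partner silent for longer than the tombstone lifetime must not simply be
#    reconnected: deleted objects it never saw come back as lingering objects.
$cfgNC = (Get-ADRootDSE -Server $HomeDC).configurationNamingContext
$dsObj = Get-ADObject -Server $HomeDC -Properties tombstoneLifetime `
            -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
$tsl   = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }   # unset = 60 days

Get-ADReplicationPartnerMetadata -Target $HomeDC -PartnerType Inbound -Partition * |
    ForEach-Object {
        $silentDays = ((Get-Date) - $_.LastReplicationSuccess).TotalDays
        [pscustomobject]@{
            Partner       = ($_.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')
            Partition     = $_.Partition
            SilentDays    = [int]$silentDays
            PastTombstone = $silentDays -gt $tsl
            LastResult    = $_.LastReplicationResult   # 0 = ok; 1722 = RPC unavailable; -2146893022 = target principal name incorrect
        }
    } | Sort-Object SilentDays -Descending | Format-Table -AutoSize

# 2. KRB_AP_ERR_MODIFIED events (System log, Microsoft-Windows-Security-Kerberos, ID 4),
#    grouped by the server that could not decrypt the ticket. When every partner fails the
#    same way, the KDC that issued the tickets (this DC itself) holds stale keys for them,
#    which is what three months without replication plus 30-day machine-password rotation produces.
Get-WinEvent -ComputerName $HomeDC -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4
        StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'from the server (\S+)\. The target name used was (\S+)\.') {
            [pscustomobject]@{ Server = $Matches[1]; TargetName = $Matches[2] }
        }
    } | Group-Object Server | Select-Object Name, Count

# 3. The first cause the event text lists: an SPN registered on more than one account.
setspn -X -F

# 4. This DC's own secure channel to the domain.
nltest "/sc_verify:$Domain"

# 5. Only after reviewing 1-4, and only if nothing is past the tombstone lifetime: stop the
#    local KDC so this DC gets service tickets from a partner KDC with current keys, purge the
#    stale tickets, retry one partition, then restart the KDC.
#    net stop kdc
#    klist purge
#    repadmin /replicate $HomeDC DC3 "CN=Configuration,DC=Company,DC=local"
#    net start kdc
```

Read the numbers before acting on step 5: the last success on every partition is 2014-06-21 and the run is dated 2014-09-23, 94 days later, which is past the 60-day default tombstone lifetime (180 days on forests created at a newer level; the script reads the real value). Forcing replication across that gap reintroduces deleted objects, so run `repadmin /removelingeringobjects DC1 <DC3 DSA GUID> "DC=Company,DC=local" /advisory_mode` first. With every FSMO role on DC3 and DC1 this far adrift, a forced demotion, metadata cleanup and re-promotion of DC1 is often cleaner than repair.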
Delegation of permissions to join computers to domain
Hi
Am having some issues with delegating permissions to users for joining machines to the domain.
I have delegated permissions to a group of users which allows them to join machines to the domain; they can join and disjoin, but the only problem is they cannot rejoin if the computer account still exists.
They get the following error
The Join operation was not successful. This could be because an existing computer account having name xxxxxx was previously created using a different set of credentials.
Access Denied
Can someone tell me what extra delegation permissions I need to give to these users to be able to do this.
Thanks
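Rejoining reuses the existing computer object, so the delegated group needs write rights on that object, not just create rights on the OU. The script below is an added example, not from the post: it grants the four rights Microsoft documents for rejoining an existing account (reset password, read/write of the Account Restrictions property set, validated write to DNS host name, validated write to SPN), scoped to descendant computer objects of one OU. The OU and group names are assumptions; the GUIDs are the standard schema identifiers for those rights and for the computer class, so verify them against your schema partition if in doubt.

```powershell
Import-Module ActiveDirectory

$OU    = 'OU=Workstations,DC=Company,DC=local'   # assumption
$Group = 'Company\Desktop-Joiners'               # assumption

$sid           = (Get-ADGroup ($Group.Split('\')[1])).SID
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$rights = @{
    ResetPassword        = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right
    AccountRestrictions  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set
    ValidatedDnsHostName = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write
    ValidatedSpn         = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write
}

$path    = "AD:\$OU"
$acl     = Get-Acl -Path $path
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Every ACE carries $computerClass as the inherited object type, so the group gains nothing
# on users, groups or other object types that happen to live under the same OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $rights.ResetPassword, $inherit, $computerClass)))

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty), $allow,
    $rights.AccountRestrictions, $inherit, $computerClass)))

# Validated writes are expressed as the "Self" right on the validated-write GUID.
foreach ($g in @($rights.ValidatedDnsHostName, $rights.ValidatedSpn)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow,
        $g, $inherit, $computerClass)))
}
Set-Acl -Path $path -AclObject $acl

# Verify what the group can now do on computers under the OU.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

These rights let the group rotate the machine password and edit the Account Restrictions set (userAccountControl among others) on every computer under the OU, so keep that OU to workstations and never apply this to the Domain Controllers OU. Granting Delete instead, so the group can drop and recreate the account, is the wrong shortcut: the new object gets a new SID and loses its group memberships.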
Login to SQL Server fails when user connects from another domain through group membership
Objects in use
Alpha.com (NetBIOS name: Alpha) Windows 2003 domain
Bravo.com (NetBIOS name: Bravo) Windows 2008 R2 domain
A two-way forest trust between Alpha and Bravo is established
A User Alpha\Alice
A Global Security Group in Alpha named GSG
A Domain Local Group in Bravo named DLG
Scenario:
Alpha\Alice is granted Alpha\GSG membership.
Alpha\GSG is granted Bravo\DLG membership.
Bravo\DLG is created as login in SQL Server and granted db_readonly in SomeDB.
Problem:
When Alpha\Alice tries to connect from her workstation in Alpha, the result is 18456.
First Workaround: Grant Bravo\DLG membership to Alpha\Alice.
Test connection from her workstation. Same result. Reverse the last change.
Second Workaround: Create Alpha\Alice as login in SQL Server.
Test connection from workstation: Successful
Whenever membership is altered, the user logs out of workstation so the TGT is updated.
This is not related to nested AD groups, since direct membership of Bravo\DLG didn't yield another result.
Any ideas how to troubleshoot this?
Appreciate any advice
/Tonny
/torpo
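One way to narrow this down, as an added example that is not part of the original post: ask the SQL Server in Bravo which permission path it resolves for Alpha\Alice, and read the state number on its 18456 entries, since that state separates "no such login" from "login resolved but the token had no matching group". The instance name is an assumption; run it as a sysadmin on the instance.

```powershell
$Instance = 'sql01.bravo.com'   # assumption

function Invoke-Query([string]$Sql) {
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $table = New-Object System.Data.DataTable
        (New-Object System.Data.SqlClient.SqlDataAdapter($Sql, $conn)).Fill($table) | Out-Null
        $table   # enumerates as DataRow objects
    } finally { $conn.Close() }
}

# 1. Which Windows group, if any, gives Alpha\Alice access? No row for Bravo\DLG means the
#    server's LSA could not expand her membership into the Bravo domain local group.
Invoke-Query "EXEC xp_logininfo @acctname = N'Alpha\Alice', @option = 'all'" |
    Select-Object 'account name', 'type', 'privilege', 'mapped login name', 'permission path'

# 2. The 18456 state: 5 = user ID not valid, 11/12 = login valid but server access failure.
Invoke-Query "EXEC xp_readerrorlog 0, 1, N'Login failed', N'Alice'" |
    Select-Object LogDate, Text
```

xp_logininfo resolves membership through the SQL host's LSA, so it shows what Bravo can expand for her, not the authorization data in the ticket or NTLM response SQL actually received. If it lists Bravo\DLG and the login still fails with state 11, compare the authentication scheme of a failing connection (`SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID` from a session that does get in) with the one the workstation uses; group expansion across a forest trust behaves differently under Kerberos and NTLM.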
Migrate Password Hash
I've asked this on MSDN with no responses, so I'll try here.
I work a lot with domain migrations and setting up mirrored domain environments. I've written my own applications for replicating domains/objects which works quickly and efficiently for all scenarios except one: the one where I need to replicate passwords.
I've written a password filter which works just fine, but I hate having to deal with the requirement that it be installed and managed on every domain controller.
I know it is entirely possible to programmatically copy the password hash from one domain to another as Quest Migration Manager for AD does it, as does DirSync/AADSync (likely others). I avoid ADMT like the plague but I have used it and I believe it also can do this.
My inner geek wants to be able to write my own password migration code. I have no interest in dumping hashes, decrypting hashes, etc. I just want to FULLY migrate a user from one domain to another without having to drop a load of cash every time I want to do it.
Pointers?
ck
DC/GC incorrect Machine DN Name
I was checking some global catalog issues and discovered the "Machine DN Name" was incorrect on 2 of my 6 domain controllers. The incorrect value is located at HKLM\SYSTEM\CurrentControlSet\services\NTDS\Parameters.
The part of the value that appears incorrect is the site CN, which still refers to "Default-First-Site-Name" instead of "SiteDomain".
Server Roles:
1st incorrect DC: PDC emulator
2nd incorrect DC: global catalog
Should this be manually reconfigured within the registry? Thank you in advance for any insight.
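Before deciding whether to touch the registry, it is worth comparing that value on every DC with the NTDS Settings DN the directory itself holds for the server. The script below is an added example, not from the post; it needs WinRM and local admin rights on each DC and changes nothing.

```powershell
Import-Module ActiveDirectory

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_
    # Read "Machine DN Name" on the DC itself.
    $regDn = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        param($k) (Get-ItemProperty -Path $k).'Machine DN Name'
    } -ArgumentList $key

    [pscustomobject]@{
        DC          = $dc.Name
        Site        = $dc.Site                    # site the directory places the DC in
        RegistryDn  = $regDn
        DirectoryDn = $dc.NTDSSettingsObjectDN    # DN of the NTDS Settings object in the Configuration NC
        Match       = ($regDn -eq $dc.NTDSSettingsObjectDN)   # -eq is case-insensitive, as DNs are
    }
} | Format-Table -AutoSize
```

The directory-side DN is the one the KCC and the replication partners use, so confirm first that it names the intended site and that `repadmin /showrepl` is clean for those two DCs; keep the table as the record of the discrepancy and treat any hand edit of the registry as the last step, not the first.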
AD Replication only works one way
Currently we have 2 Domain Controllers serving 1 domain in 2 locations. Location 2 had a DC failure several months ago. I cleaned up all metadata regarding the old DC and promoted a new DC.
The new DC at location 2 replicates from the existing DC at location 1 fine, but the existing DC at location 1 will not replicate from the new DC at location 2.
New DC: jmac-dc
Existing DC: hexom-app1
Here is the DCDIAG DNS test when run on the existing DC:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = hexom-app1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\HEXOM-APP1
Starting test: Connectivity
......................... HEXOM-APP1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\HEXOM-APP1
Starting test: Replications
[Replications Check,HEXOM-APP1] A recent replication attempt failed:
From JMAC-DC to HEXOM-APP1
Naming Context: DC=DomainDnsZones,DC=hexom,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2014-09-18 13:59:27.
The last success occurred at 2014-03-01 06:19:22.
8700 failures have occurred since the last success.
[JMAC-DC] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
The source remains down. Please check the machine.
[Replications Check,HEXOM-APP1] A recent replication attempt failed:
From JMAC-DC to HEXOM-APP1
Naming Context: DC=ForestDnsZones,DC=hexom,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2014-09-18 14:00:22.
The last success occurred at 2014-03-01 05:45:46.
5643 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,HEXOM-APP1] A recent replication attempt failed:
From JMAC-DC to HEXOM-APP1
Naming Context: CN=Schema,CN=Configuration,DC=hexom,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2014-09-18 13:58:38.
The last success occurred at 2014-03-01 05:45:46.
5528 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,HEXOM-APP1] A recent replication attempt failed:
From JMAC-DC to HEXOM-APP1
Naming Context: CN=Configuration,DC=hexom,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2014-09-18 13:48:44.
The last success occurred at 2014-03-01 05:45:46.
4938 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,HEXOM-APP1] A recent replication attempt failed:
From JMAC-DC to HEXOM-APP1
Naming Context: DC=hexom,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2014-09-18 13:59:58.
The last success occurred at 2014-05-30 16:20:37.
6355 failures have occurred since the last success.
The source remains down. Please check the machine.
......................... HEXOM-APP1 failed test Replications
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : hexom
Running enterprise tests on : hexom.local
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = hexom-app1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\HEXOM-APP1
Starting test: Connectivity
......................... HEXOM-APP1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\HEXOM-APP1
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... HEXOM-APP1 passed test DNS
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : hexom
Running enterprise tests on : hexom.local
Starting test: DNS
Test results for domain controllers:
DC: hexom-app1.hexom.local
Domain: hexom.local
TEST: Basic (Basc)
Warning: adapter
[00000006] Microsoft Virtual Machine Bus Network Adapter has
invalid DNS server: 10.0.0.3 (jmac-dc.hexom.local.)
Warning: The AAAA record for this DC was not found
TEST: Forwarders/Root hints (Forw)
Error: Forwarders list has invalid forwarder: 10.0.0.3 (jmac-dc.hexom.local.)
TEST: Delegations (Del)
Error: DNS server: jmac-dc.hexom.local. IP:10.0.0.3
[Broken delegated domain _msdcs.hexom.local.]
TEST: Records registration (RReg)
Network Adapter
[00000006] Microsoft Virtual Machine Bus Network Adapter:
Warning:
Missing AAAA record at DNS server 10.0.1.8:
hexom-app1.hexom.local
Warning:
Missing AAAA record at DNS server 10.0.1.8:
gc._msdcs.hexom.local
Warning: Record Registrations not found in some network adapters
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 10.0.0.3 (jmac-dc.hexom.local.)
3 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.0.3
Name resolution is not functional. _ldap._tcp.hexom.local. failed on the DNS server 10.0.0.3
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: hexom.local
hexom-app1 PASS WARN FAIL FAIL PASS WARN n/a
......................... hexom.local failed test DNS
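One way to triage dcdiag output like the above, as an added example that is not part of the original post or of any Microsoft tool: a Python script that parses the Replications and DNS sections, works out how long each partner has been failing, compares that against the tombstone lifetime, and checks whether the DC's own DNS settings still point at the source that replication cannot reach. The tombstone lifetime is a forest setting; the 180-day value here is an assumption (the default for forests created on Windows Server 2003 SP1 or later) and should be read from the forest before acting on the result. The sample input is constructed from a trimmed copy of the output in the post.

```python
"""Triage dcdiag output: flag replication partners that have been failing longer
than the tombstone lifetime, and DNS settings that still reference that partner.

Added example, not part of the original post. Parses the message formats dcdiag
prints in the Replications and DNS tests as shown on this page."""
import re
from datetime import datetime

# Assumption: forest uses the default tombstone lifetime for forests created on
# Windows Server 2003 SP1 or later. Read tombstoneLifetime from
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... to confirm.
DEFAULT_TOMBSTONE_DAYS = 180

TS_FMT = "%Y-%m-%d %H:%M:%S"
FROM_RE = re.compile(r"^From (\S+) to (\S+)$")
NC_RE = re.compile(r"^Naming Context: (.+)$")
ERR_RE = re.compile(r"^The replication generated an error \((\d+)\):$")
FAILED_RE = re.compile(r"^The failure occurred at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.$")
LAST_RE = re.compile(r"^The last success occurred at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.$")
COUNT_RE = re.compile(r"^(\d+) failures have occurred since the last success\.$")
# Matches both "invalid DNS server: 10.0.0.3 (host.)" and "invalid forwarder: ..."
DNS_RE = re.compile(r"invalid (?:DNS server|forwarder): (\d+\.\d+\.\d+\.\d+) \(([^)]+)\)")

# Constructed sample: two of the five naming contexts from the post plus the
# two DNS-test lines that name the unreachable server.
SAMPLE = """\
[Replications Check,HEXOM-APP1] A recent replication attempt failed:
From JMAC-DC to HEXOM-APP1
Naming Context: DC=DomainDnsZones,DC=hexom,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2014-09-18 13:59:27.
The last success occurred at 2014-03-01 06:19:22.
8700 failures have occurred since the last success.
[Replications Check,HEXOM-APP1] A recent replication attempt failed:
From JMAC-DC to HEXOM-APP1
Naming Context: DC=hexom,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2014-09-18 13:59:58.
The last success occurred at 2014-05-30 16:20:37.
6355 failures have occurred since the last success.
[00000006] Microsoft Virtual Machine Bus Network Adapter has
invalid DNS server: 10.0.0.3 (jmac-dc.hexom.local.)
Error: Forwarders list has invalid forwarder: 10.0.0.3 (jmac-dc.hexom.local.)
"""


def parse_replication_failures(text):
    """One dict per 'A recent replication attempt failed' block."""
    failures, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FROM_RE.match(line)
        if m:
            cur = {"source": m.group(1), "dest": m.group(2)}
            continue
        for key, rx in (("naming_context", NC_RE), ("error", ERR_RE),
                        ("failed_at", FAILED_RE), ("last_success", LAST_RE),
                        ("count", COUNT_RE)):
            m = rx.match(line)
            if m:
                cur[key] = m.group(1)
                if key == "count":  # the failure count is the last line of a block
                    failures.append(cur)
                    cur = {}
                break
    return failures


def days_since_success(failure):
    """Whole days between the last successful replication and the latest failure."""
    last = datetime.strptime(failure["last_success"], TS_FMT)
    failed = datetime.strptime(failure["failed_at"], TS_FMT)
    return (failed - last).days


def stale_partners(failures, tombstone_days=DEFAULT_TOMBSTONE_DAYS):
    """Partners whose outage exceeds the tombstone lifetime. Objects deleted on
    one side during that window can reappear as lingering objects if the source
    ever replicates again, so such a source is cleaned up, not reconnected."""
    out = []
    for f in failures:
        age = days_since_success(f)
        if age > tombstone_days:
            out.append({"source": f["source"], "naming_context": f["naming_context"],
                        "days": age, "error": f["error"]})
    return out


def dead_dns_references(text):
    """Distinct (ip, hostname) pairs dcdiag flagged as invalid DNS servers/forwarders."""
    pairs = [(ip, host.rstrip(".")) for ip, host in DNS_RE.findall(text)]
    return list(dict.fromkeys(pairs))


def dns_points_at_failed_source(text):
    """DNS servers or forwarders whose host label matches a failing replication
    source, i.e. the DC still depends on the machine it cannot replicate from."""
    sources = {f["source"].lower() for f in parse_replication_failures(text)}
    return [(ip, host) for ip, host in dead_dns_references(text)
            if host.split(".")[0].lower() in sources]


if __name__ == "__main__":
    for p in stale_partners(parse_replication_failures(SAMPLE)):
        print(f"{p['source']} -> {p['naming_context']}: {p['days']} days, error {p['error']}")
    for ip, host in dns_points_at_failed_source(SAMPLE):
        print(f"DNS still references failed source {host} ({ip})")
```

Run it against the full dcdiag output instead of the trimmed sample to see every naming context; a source that is stale for one context and not another (as in the post, where the domain partition last succeeded months after the others) is still treated as stale, because the tombstone check is per partner, not per partition.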
windows 2012 server keeps disappearing from DNS
Our AD is installed on a Windows 2008 server.
When I manually register the 2012 server, it disappears from DNS after about 1 hour.
Active Directory Replication Servers (won't replicate SYSVOL, and NETLOGON not showing)
I have my first DC server (DC1), DC1.DOMAIN.LOCAL. I decided to add another Domain Controller, made it a secondary DNS server and also a GC. Everything seems to replicate, but it's missing NETLOGON, and SYSVOL won't replicate.
Windows 2008 R2
dSCorePropagationData not updating on workstation
The dSCorePropagationData values are not updating.
Any ideas?
DirSync Password Write-Back not working
Hello,
In a previous domain, we had DirSync installed on a Domain Controller and configured successfully to Sync with our Office 365 (No Hybrid as we only use Exchange online), with Password Sync enabled. I also enabled the password write-back feature. This worked without issue.
We recently built a new domain and installed DirSync on a standalone server vs the DC, repointed it to the existing O365 subscription and enabled password sync as well as password write-back. The text below is a direct copy from PowerShell showing success, and I receive the event that shows success as well.
PS C:\Windows\system32> Enable-OnlinePasswordWriteBack
cmdlet Enable-OnlinePasswordWriteBack at command pipeline position 1
Supply values for the following parameters:
LocalADCredential
AzureADCredential
Password reset write-back is enabled.
Password sync from on-prem AD to Azure AD is working without a problem; however, the password write-back simply doesn't work. The AD account is an Enterprise Admin, and the Azure account is a Global Administrator. No firewalls between the DirSync server and the DC.
When a user changes their password from the cloud, the password change takes effect; however, that change is never written back to AD. No errors in the event logs or the FIM sync interface.
Not sure where to start looking to figure out why this is not working. I have scoured the internet to see if there is anything special about installing DirSync on a standalone member server and can't seem to find any indication that the process is different (other than needing to log off and back on when installing on a DC).
Anyone have any ideas on where to look next?
Thanks!