Channel: Directory Services forum

Computer account getting deleted automatically


Have a strange issue: computer accounts are getting deleted automatically from AD (Win 2008 R2, 2012 and 2012 R2 DCs). I could see a few events 4724 and 4742 for reset and change. I could also see a 5141 event for the same computer account, but it is for class dnsNode with security ID SYSTEM. Can anyone help me understand what this event is for? The DN shows CN=MicrosoftDNS,DC=domain,DC=com. Is there anything wrong with the DNS server? If it were an issue with the DNS server, why doesn't it cause issues for all the host records?

Also, I don't see any 4743 or any other event for computer account deletion.

Need help and suggestions immediately, please....

Appreciate the support provided!!
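Added example, not part of the original post: a PowerShell script that pulls the 4742/4743/5141 events for one computer account from each DC and then checks the Deleted Objects container for the account's tombstone. The DC names and the computer name are placeholders. Two caveats a defender should know when reading the results: 4743 is only logged when the "Audit Computer Account Management" subcategory is enabled on the DCs, and 5141 only when "Audit Directory Service Changes" is enabled and the object's SACL audits deletes; a 5141 for class dnsNode under CN=MicrosoftDNS refers to the host's DNS record object in the AD-integrated zone, which is a separate object from the computer account.

```powershell
# Added example (not from the original post). Collects 4742/4743/5141 events
# for one computer account from each DC, then checks the Deleted Objects
# container. All names below are placeholders.
param(
    [string]$ComputerName = 'WS-EXAMPLE$',          # sAMAccountName, including the trailing $
    [string[]]$DomainControllers = @('DC1', 'DC2'), # placeholders for your writable DCs
    [int]$LookbackHours = 72
)
Import-Module ActiveDirectory

# 4742 = computer account changed, 4743 = computer account deleted (both need the
# "Audit Computer Account Management" subcategory); 5141 = directory service object
# deleted (needs "Audit Directory Service Changes" and a SACL on the object).
$filter = @{
    LogName   = 'Security'
    Id        = 4742, 4743, 5141
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$shortName = $ComputerName.TrimEnd('$')

$hits = foreach ($dc in $DomainControllers) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when the filter matches nothing; treat that as zero hits
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # The EventData fields are easiest to read from the XML rendering of the event
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4742/4743 name the account in TargetUserName; 5141 carries the object's DN
        $target = if ($d.ContainsKey('ObjectDN')) { $d['ObjectDN'] } else { $d['TargetUserName'] }
        if ($target -notlike "*$shortName*") { continue }
        [pscustomobject]@{
            DC          = $dc
            Time        = $e.TimeCreated
            Id          = $e.Id
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target      = $target
            ObjectClass = $d['ObjectClass']   # only 5141 has it: 'computer' vs 'dnsNode'
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# The account's tombstone tells you when it was deleted and from which OU, even if
# auditing was off; with the AD Recycle Bin enabled it can be restored from here.
Get-ADObject -Filter "sAMAccountName -eq '$ComputerName'" -IncludeDeletedObjects `
    -Properties isDeleted, lastKnownParent, whenChanged |
    Select-Object Name, isDeleted, lastKnownParent, whenChanged
```

Run it from a workstation with RSAT and rights to read the Security log on each DC. The Subject column is the account that performed the change; when it turns out to be a service or scheduled-task account rather than a person, the job running under that account is the next thing to look at.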


Active Directory domain controller could not be contacted


Hi all,

I'm trying to join PCs to the domain but I'm getting errors with DNS and path.

I have a pretty flat network... internal, wireless, dmz, external zones.

The objective I'm trying to achieve is to create a share server where two users can share and retrieve documents.  First, I want to add the share server to the domain and then add the users to the domain.

The share server is a windows server 2012 r2 standard and the DC is also 2012 r2 standard.  Both the share and DC are on the same internal network.  When I try to add the share to the domain from 'computer' > properties I need to change the primary DNS setting to the IP of the DC.  Only then will I get prompted to enter the domain credentials.  When I try to add the credentials that's when I get the error about DNS.  Do you have to change the DNS IP to the DC IP when you want to add a PC/Server to the domain?  Or am I doing something wrong?  Thanks!   


Domain Controller stops communicating with itself


Hi,

I'm hoping someone can help me out here. I have a server 2008 R2 domain controller that seems to stop communicating with itself and refusing new connections every 24 hours, the server also stops resolving DNS queries.  This all started after the previous domain controller was turned off and we had to remove it from AD without using dcpromo.  This is now the only server in the environment.


The server has multiple other roles installed on it such as RDS, IIS and Print Server (Yes, this is less than ideal, but it is something that I have had dumped on my lap, it does not have RRAS). 


I have performed a meta-data clean up of the old system and as far as I can tell there aren't any other references in DNS or the AD Schema referring to the old server. Initially we thought it could be port exhaustion, but we have allowed a larger number of ports and the issue still persists.


The server has a 4 port NIC, all are disabled except a single port.  I've read that teaming them would be a good idea, regardless of whether they're all enabled or not, does this seem plausible?


The active NIC is the highest on the connection list.  We have tried disabling IPv6 completely as well as setting IPv4 as the preferred method.  We have enabled it again since then.


Restarting the DNS and Netlogon services doesn't help resolve the situation.  I have tried restarting these services and using ipconfig /registerdns.


Once the server reboots it finds itself as the Domain Controller/GC and continues on its merry way.

I've tried everything under the sun to fix this, and I'm fast running out of ideas.  Has anyone run into a similar situation or have any idea on how to resolve this?


The error messages we see in the event log are:
ADWS: Active Directory Web Services was unable to determine if the computer is a global catalog server.

Group Policy: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

The network configuration of the server is:

Ethernet adapter Local Area Connection 4:

DHCP Enabled: No
Autoconfiguration Enabled: Yes
Link-local IPv6 Address: fe80::b4bc:70cf:8986:6db%14(Preferred)
IPv4 Address: 192.168.0.2(Preferred)
Subnet Mask: 255.255.255.0
Default Gateway : 192.168.0.240

DNS Servers: 192.168.0.2
NetBIOS over Tcpip: Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State: Media disconnected
Connection-specific DNS Suffix:
Description: Teredo Tunneling Pseudo-Interface
Physical Address: 00-00-00-00-00-00-00-E0
DHCP Enabled: No
Autoconfiguration Enabled: Yes

Tunnel adapter isatap.{56B74FD5-3714-4962-B8B3-667702D69964}:

Media State: Media disconnected
Connection-specific DNS Suffix:
Description: Microsoft ISATAP Adapter #3
Physical Address: 00-00-00-00-00-00-00-E0
DHCP Enabled: No
Autoconfiguration Enabled: Yes



AD Hub and Spoke Site Topology but KCC still sets up replication with DC's outside the Hub site


2008 R2 Domain & Forest Functional Level; 30 sites; 1 hub, the rest are spokes.  Bridge all site links = enabled; all DCs running Win2K8R2 SP1.

In my AD topology there is one hub site (the data center with multiple DCs) and the rest are branch sites with 2 domain controllers each.  Bridge all Site Links is enabled and I want to leave it that way, as 90% of my sites are connected via high speed, reliable MPLS WAN.  Three of my AD sites are outside the U.S. and connected via VPN, which is mostly stable but has had some stability issues in the past.

Each AD site has one site link object defined which contains only itself and the "hub" site (the data center).

The problem:  In my sites connected via VPN, the KCC is creating replication partners with DCs in the other branch VPN sites instead of just with the DCs in the hub site.
 
As per http://technet.microsoft.com/en-us/library/dd736189(v=ws.10).aspx, in these three VPN-connected branch AD sites I've set the repadmin site option as such:
repadmin /siteoptions <dc name> /site:<sitename> +W2K3_BRIDGES_REQUIRED

My understanding is that this setting allows Bridge All Site Links to remain enabled at the Inter-Site Transports - IP level in AD Sites & Services, but for the sites where it's set, will force the KCC to only set up replication partners with DCs contained within its site link object.  In my case, the only other site in that site link object is the hub site itself.

Even odder is that, on DCs in each of the three branch sites, the KCC is not creating ANY replication links with DCs in the hub site, ONLY with DCs in the other branch VPN sites: the exact branch sites these DCs can't communicate with due to routing limitations.  Because of this weirdness, I've had to manually create replication links with DCs in the hub site to maintain replication flow.


JKuta
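Added example, not the poster's script: PowerShell that reads the options bits of a branch site's NTDS Site Settings object to confirm W2K3_BRIDGES_REQUIRED is really in place, then enumerates every connection object whose destination DC is in that site and flags the KCC-generated ones whose source DC is outside the hub. It assumes the ActiveDirectory module from RSAT for Windows 8 / Server 2012 or later (which works against 2008 R2 DCs through ADWS) and uses placeholder site names; it generalizes the post's three sites to any branch site passed in.

```powershell
# Added example (not the poster's code). Audits the connection objects that end
# in one branch site and flags KCC-generated ones whose source DC is not in the
# hub site. Assumes the ActiveDirectory module (RSAT 2012 or later) and the
# placeholder site names below.
param(
    [string]$HubSite    = 'Hub-DataCenter',   # placeholder
    [string]$BranchSite = 'Branch-VPN-1'      # placeholder
)
Import-Module ActiveDirectory

# Connection objects reference NTDS Settings DNs of the form
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
function Get-SiteFromNtdsDn {
    param([string]$Dn)
    if ($Dn -match 'CN=Servers,CN=([^,]+),CN=Sites,') { $Matches[1] }
}
function Get-ServerFromNtdsDn {
    param([string]$Dn)
    if ($Dn -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] }
}

# 1. Is W2K3_BRIDGES_REQUIRED (bit 0x1000 of the options attribute on the site's
#    NTDS Site Settings object) actually set? "repadmin /siteoptions <dc> /site:<site>"
#    with no +/- argument prints the same flags.
$siteDn  = (Get-ADReplicationSite -Identity $BranchSite).DistinguishedName
$options = [int](Get-ADObject -Identity "CN=NTDS Site Settings,$siteDn" -Properties options).options
$bridgesRequired = ($options -band 0x1000) -ne 0
"Site '$BranchSite': options=0x{0:X} W2K3_BRIDGES_REQUIRED={1}" -f $options, $bridgesRequired

# 2. Every inbound connection into the branch site, with the source DC's site.
$report = Get-ADReplicationConnection -Filter * |
    Where-Object { (Get-SiteFromNtdsDn $_.ReplicateToDirectoryServer) -eq $BranchSite } |
    ForEach-Object {
        $sourceSite = Get-SiteFromNtdsDn $_.ReplicateFromDirectoryServer
        [pscustomobject]@{
            Destination   = Get-ServerFromNtdsDn $_.ReplicateToDirectoryServer
            Source        = Get-ServerFromNtdsDn $_.ReplicateFromDirectoryServer
            SourceSite    = $sourceSite
            AutoGenerated = $_.AutoGenerated
            FromHub       = ($sourceSite -eq $HubSite)
        }
    }
$report | Sort-Object Destination, Source | Format-Table -AutoSize

# 3. KCC-built connections from non-hub sites are the symptom described in the post;
#    hand-made ones (AutoGenerated = False) are the workaround and are listed above.
$unexpected = @($report | Where-Object { $_.AutoGenerated -and -not $_.FromHub })
"KCC-generated connections into '$BranchSite' from sites other than '$HubSite': $($unexpected.Count)"
$unexpected | ForEach-Object { "  {0} <- {1} ({2})" -f $_.Destination, $_.Source, $_.SourceSite }
```

Run it once before and once after forcing a topology recalculation (repadmin /kcc on a DC in the branch site) to see what the KCC regenerates on its own; the manually created connections from the post show up with AutoGenerated = False and are deliberately not counted as unexpected.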

Any value in a contractor only container?


We have quite a few contractors in our organization.  Is there a best practice for the way you should manage contractors in your Active Directory environment?  Is there any value in a contractor only container or additional qualifier in their login name?

Hope this was the correct area to post and thank you for any feedback.

Authenticating against AD with Kerberos, by a user with an explicit UPN


Hello

My situation:

I have a 2008 functional level domain with a technical name, let's say tec.domain.com.

I have configured an alternate UPN suffix for this domain: domain.com (that is only a DNS domain name, not an existing AD domain).

My users have a sAMAccountName like j.doe and a UPN like john.doe@domain.com (which is their email address in our Exchange organization).

Now, from a Linux server (running Apache and Kerberos), I can do a kinit with j.doe@TEC.DOMAIN.COM, but not with john.doe@DOMAIN.COM.

When I capture traffic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.

According to this article (http://msdn.microsoft.com/en-us/library/Cc212351.aspx), my DC should be able to handle it, as far as I understand it.

Am I missing something?

Thanks in advance.


Received the following error on a server when logging in: "The security database on the server does not have a computer account for this workstation trust relationship."

We lost our network admin and I was "volunteered" into the position (I have some admin experience, but this is a small company so for now I'm the guy).  Of course the first week we have a drive fail on one of our DEV servers and no backup drives available so it's down until the new one arrives. I'm giving that as background in case it matters.

Another server HOST3 had a VM called DemoDB on it. When I try to login to DemoDB I get the following:

"The security database on the server does not have a computer account for this workstation trust relationship."

So I searched for that message and a lot of users say to rejoin the system to the domain. I tried to log in locally and I'm getting this message:

"You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more information."

If I can't log in to the station and it is not listed in ADUC, then what are my options?

Thanks for any assistance. 


How to manage "unix attributes" in Windows Server 2012?


I'm trying to set the UID, GID, etc. properties for users in Server 2012 but the "unix attributes" tab is missing under the user properties.  Articles for managing Unix in 2003 & 2008 don't appear to apply to 2012.  IdMU no longer exists.  Server for NIS is "DEPRECATED" and doesn't appear to work (the Unix Attributes tab appears in AD DS, but the drop-down for NIS domain only contains "none").

How do I manage unix properties in Server 2012?

It appears that all of the Unix Attributes are available under "Attribute Editor" when View->Advanced is selected.  The missing piece seems to be the 2012 equivalent of Identity Management for Unix.  Without it, I can't figure out how to bind the domain name to the NIS Domain.



New DNS records refused (event 4015 + event 4013)


Hi, we have 2 domain controllers, both virtual Hyper-V Windows 2008 R2 servers (not RODC). All of a sudden we couldn't add a new DNS record ("The host XXX cannot be created: Refused"). This happens on both domain controllers. Windows firewall is turned off on both servers.

When checking eventlog on DC1 event 4015 is created each time we attempt to add a record:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)".

On DC2 I get the same events, but I also see a few 4013 as well.

I have searched around for so many hours and many people seem to have resolved their issues by either granting Administrators access to Manage Auditing And Security Logs in the Domain Controllers Security Policy, or by making sure SYSTEM is the owner of DNS through ADSI Edit. I've verified both, on both domain controllers. Also there is no enforced link on the policies, so the Default Domain Policy should not interfere. I even tried granting Administrators Manage Auditing And Security Logs in the Default Domain Policy to be on the safe side.

dcdiag & dcdiag /test:dns report no errors on both domain controllers. I would much appreciate it if someone can point me in the right direction here; this has so far been a very time-consuming problem to troubleshoot.

In advance, thank you.


dns and bind

I've seen many discussions about the topic of running MS DNS as your primary and BIND DNS as a secondary, say at remote sites. Some say it can't be done. Some say it can but don't. Some act as if it's the easiest thing in the world. How could MS DNS and BIND share information automatically? I can't see how this can be done easily.

Renaming servers joined to AD


Part of our DR documentation/planning involves renaming computers.  For example, we may have a cold or hot DR server.  For server "MYSERVER" with IP "MYIP", we would have a corresponding server "MYSERVER_DR" with IP "MYIP_DR".

In a DR scenario, our documentation basically asks us to go to "MYSERVER_DR" and rename it to "MYSERVER".

Is this a good idea to rename objects like this?

What occurred in our last test was that, before renaming MYSERVER_DR to MYSERVER, I had to shut down MYSERVER and remove the MYSERVER computer object from AD (maybe I should have unjoined MYSERVER before starting?!).

So MYSERVER_DR was renamed to MYSERVER successfully.  After the DR test, MYSERVER was then renamed back to MYSERVER_DR, and the original MYSERVER was brought back online.

Well, MYSERVER came up with the typical "No trust relationship" message.  I was able to log in to MYSERVER with a local account, then changed it to a WORKGROUP to try to rejoin it.  The server would not boot at this point, stopping at "Applying Computer Settings...".

I was eventually able to boot into safe mode, have the server boot, and then rejoin it to AD. At that point all was well, but it was a stressful event...

Comments?

AD trust - firewall


We have an AD trust established between two forests. It is working fine except that on one DC there are event log entries (event ID 83 in the Operations Manager log) generated. They contain:

AD Monitor Trusts : The trusts between this domain (<domain_name1>) and the following domain(s) are in an error state: <domain_name2> (inbound).
The error is: The specified domain either does not exist or could not be contacted. (0x54B)

There is a firewall between only this one DC and the trusted domain's DCs. I am wondering whether all domain controllers in both forests must have a connection to each other, or is it OK that only some DCs (all except this one) from one forest have a connection to all DCs in the trusted domain?

Domain Controller with new hardware with same Host Name


Hi,

I need to move my Domain Controller to new hardware. What steps should I follow?

1. Why do I need the same host name?

Ans: Some applications are configured with that host name.

What I planned is:

1. Demote the present Domain Controller

2. Change the IP and hostname

3. Build a new server with the same IP and hostname

4. Run the dcpromo command

Questions

1. Is my procedure right, or is there anything else I need to follow?

2. What will be the impact?

3. I asked for 3 hrs of downtime for that server; is that fine?

4. Is there any other way to proceed with the same activity?

5. How long do I need to wait after decommissioning the server?

No virtual environment; all are physical.

Many thanks in advance.


Regards, Hari Prasad.D

Max Token Size


Hi

Presently, the token is overweight. My DC is Windows 2003 and I am preparing to replace it with Windows 2008 R2. (The functional level of the domain and forest is presently Windows 2003 and all clients are Windows 7.)

When all DCs are moved to Windows 2008 R2 and the functional level is raised, is it necessary to deploy a GPO to all clients? Is it necessary to change a registry key?

I am looking for a link that explains the best practice for modifying the token size.

Thanks
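Added example, not from the original post: PowerShell that counts the SIDs in one user's tokenGroups plus sIDHistory, estimates the token size with the KB327825 rule of thumb (1200 bytes of overhead plus up to 40 bytes per SID, applied here at the conservative 40-byte rate for every SID), and compares the result with the MaxTokenSize in force on the machine where it runs. The user name is a placeholder.

```powershell
# Added example (not from the original post). Counts the SIDs that go into one
# user's Kerberos token and compares a size estimate with the MaxTokenSize in
# effect on the machine running the script. The user name is a placeholder.
param([string]$SamAccountName = 'j.doe')   # placeholder
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory

# tokenGroups is a constructed attribute: it must be read through ADSI's
# RefreshCache, which returns the transitive set of security groups
# (including domain local and nested groups) as binary SIDs.
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.psbase.RefreshCache([string[]]'tokenGroups')
$groupSids = @($entry.psbase.Properties['tokenGroups'] |
    ForEach-Object { New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $_, 0 })
$historySids = @($user.SIDHistory)

# KB327825 estimate: 1200 bytes overhead + 40 bytes per domain local / foreign
# universal / SID-history SID + 8 bytes per global or in-domain universal SID.
# Charging 40 bytes for every SID gives a conservative upper bound.
$sidCount       = $groupSids.Count + $historySids.Count
$estimatedBytes = 1200 + 40 * $sidCount

# MaxTokenSize: explicit registry value if present, else the OS default
# (12000 bytes before Windows 8 / Server 2012, 48000 from then on).
$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$configured = (Get-ItemProperty -Path $regPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
$osDefault  = if ([Environment]::OSVersion.Version -ge [version]'6.2') { 48000 } else { 12000 }
$effective  = if ($configured) { $configured } else { $osDefault }

[pscustomobject]@{
    User           = $user.SamAccountName
    TokenGroups    = $groupSids.Count
    SidHistory     = $historySids.Count
    EstimatedBytes = $estimatedBytes
    MaxTokenSize   = $effective
    Source         = if ($configured) { 'registry' } else { 'OS default' }
    OverLimit      = $estimatedBytes -gt $effective
}
```

MaxTokenSize is read from the registry of every client and server that has to accept the token, so it is deployed per computer rather than raised once on the DCs: on Windows 8 / Server 2012 and later through the Kerberos administrative template policy "Set maximum Kerberos SSPI context token buffer size", on older clients through the registry value itself (Group Policy Preferences is the usual vehicle). Raising the domain or forest functional level does not change it.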

Scripts folder not replicating in domain


Several months back the building that housed two of my remote domain controllers was destroyed.  Since bringing the servers back up was physically impossible, I went through Microsoft's procedure for removing them with ntdsutil.  At the same time, I looked at both my dns servers and found numerous references to the "dead" controllers and removed them by hand as well.

Yesterday, I found out my remaining DCs are no longer replicating the scripts folder and I have been trying to repair it.  Today I installed a test domain and, after it came up and I verified replication, started looking at the different zones.  The zones on my test domain look different than my production DNS server zones.  There is still a leftover reference to one of the domain controllers that was destroyed in the gc\_tcp area of the DNS server.

At this point in time, I believe the AD DNS zone is corrupt, but I have no idea how to rebuild it.

Any suggestions would be greatly appreciated.

David Harris

Addendum... I noticed today my second dc never receives the message saying

"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed. "

 

ADSI LDAP Kerberos cache


Hi, my machine is NOT domain joined.

Using ActiveDS and VB6 I get this Kerberos authentication via LDAP working correctly:

' ADS_USE_SEALING (&H40) comes from ADS_AUTHENTICATION_ENUM; dso is the LDAP provider object
Const ADS_USE_SEALING = &H40
Set dso = GetObject("LDAP:")
q = "LDAP://192.168.1.10/CN=myADfullusername,CN=Users,DC=repdc,DC=com"
' the realm in the user name matches the DC= components of the DN above
Set oUser = dso.OpenDSObject(q, "samAccountName@repdc.com", "mypassword", ADS_USE_SEALING)
oUser.GetInfo

All I need is to cache on the disk all the data for future authentication offline (without ethernet)

What can I do ?!?

Can I use kerberos ticket if I'm not domain joined ?

Which adsPath I have to use to local saved credentials ?

It's urgent, please help me.


Same internal and external domain names - AGAIN!


Hi all-

Like many of you, I am confronting the problem of having the same FQDN for both my Active Directory domain and Internet domain.  For the sake of discussion, let's call the domain rlh.com.

I need to access an externally-hosted website on the rlh.com domain.  The site is coded exclusively to use rlh.com and NOT www.rlh.com.  Therefore, the old trick of adding a static www A record on my internal DNS server will not work.

It looks like another option is to install IIS on my DC and then configure some type of forwarding to the external site.  While this might work, frankly, I don't want IIS on my DC.  It's a DC, not a web server.

Yet a third option, correct me if I'm wrong, looks to be using some type of "split DNS."  Though I have not read the particulars (yet) of this solution, I am suspicious of it causing DNS inefficiencies.

All of these solutions look to me to be workarounds.  I am preparing to install a new DC (upgrading from 2003 to 2008 R2) and want to FIX the problem, not work around it.  That said, it looks like I have two options:

1.  Rename my existing 2003 AD domain using rendom

2.  Install the new 2008 R2 DC with the new domain name, setup domain trust between the old and new domains, and then use ADMT.

Can someone please comment on my logic here?  Does anyone have experience with both of the two options?  Is one less painful than the other?

As a preparatory step, I have migrated from my onsite Exchange 2003 server to Office 365.  Exchange is no longer present in my organization, though some slight "remnants" may remain in Active Directory.  Other than Exchange, I have a Hyper-V host, 2 SQL Servers, and 3 RDS servers present in my environment.

Thanks.

Use virtual machine for domain rename (rendom) control station?


Hi all-

I am preparing for a domain rename using rendom.  The docs specify a Windows 2003 member server for use as a control station.  Any reason I can't use a Windows 2003 Server guest on a 2008 R2 Hyper-V host for the control station?

Thanks.

ADRAP - file location


I have ADRAP installed on a server and I usually run health checks on the domain.  The software runs from the C: drive, which occupies a large amount of disk space.  Is it possible/safe to move some files/folders to another location?

thanks

mjksgea

 

Computer object in the Administrators group on a domain controller


What are the consequences of adding a computer object to the Administrators group on a server? Does doing so give users who logon to that computer additional rights?

What if a computer is added to the Administrators group on a domain controller? What are the security concerns?
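Added example, not from the original post: PowerShell that lists computer objects that are members, directly or through nested groups, of the domain's Builtin Administrators group (which is shared by every DC) and the other privileged groups, and then repeats the check against the local Administrators group of one member server through the WinNT provider. The group list and the server name are assumptions. The point for the question asked: a computer object's group membership is carried in the token of whatever authenticates as that machine account, which is every service running as LocalSystem or Network Service on that host, not in the tokens of the users who log on to it; on a DC that membership is therefore administrative access to the whole domain for anything running as SYSTEM on the member machine.

```powershell
# Added example (not from the original post). Lists computer objects that are
# members, directly or through nesting, of the domain's privileged groups,
# then checks the local Administrators group of one member server.
# The group list and the server name are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Schema Admins', 'Account Operators', 'Server Operators',
                    'Backup Operators', 'Print Operators'

$findings = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nesting, so a computer hidden two groups deep is still found
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        # Enterprise Admins / Schema Admins exist only in the forest root domain
        Write-Warning "$group : $($_.Exception.Message)"
        continue
    }
    foreach ($m in ($members | Where-Object { $_.objectClass -eq 'computer' })) {
        $c = Get-ADComputer -Identity $m.distinguishedName -Properties operatingSystem, lastLogonDate
        [pscustomobject]@{
            Group     = $group
            Computer  = $c.Name
            OS        = $c.OperatingSystem
            LastLogon = $c.LastLogonDate
            DN        = $c.DistinguishedName
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No computer objects found in the listed privileged groups.' }

# Same check for the local Administrators group of a member server (the post's
# first case). 'SRV01' is a placeholder; the WinNT provider works on 2008 R2/2012
# hosts that lack the newer Get-LocalGroupMember cmdlet.
Invoke-Command -ComputerName 'SRV01' -ScriptBlock {
    $localAdmins = [ADSI]'WinNT://./Administrators,group'
    @($localAdmins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    } | Where-Object { $_ -like '*$' }   # machine account names end in $
}
```

Get-ADGroupMember -Recursive fails on very large groups (the ADWS default limit is 5000 entries); for those, read the group's member attribute with ranged retrieval instead. Any computer object that shows up here belongs in the same review cadence as the human members of the group.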
