Channel: Directory Services forum

DNS Server IP Stuck in AD somewhere? dcdiag is trying to connect to a DNS Server that no longer exists

We have a few old DCs that are no longer in AD, though the IP addresses of the old DNS servers are still stuck in there somewhere.

I've looked in the ForestDNSZones, DomainDNSZones, though the IPs are not listed. When running "dcdiag /e /c /v" it tries to connect to the IPs and gets timeout errors.

Where can I look in ADSI or DNS to remove these IPs from its Craw?

Thanks!


AD trust - firewall

We have an AD trust established between two forests. It is working fine except that on one DC there are event logs (event ID 83 in Operations Manager log) generated. It contains:

AD Monitor Trusts : The trusts between this domain (<domain_name1>) and the following domain(s) are in an error state: <domain_name2> (inbound).
The error is: The specified domain either does not exist or could not be contacted. (0x54B)

There is a firewall between only this one DC and trusted domain DCs. I am wondering whether all domain controllers in both forests must have a connection to each other or it is ok that only some DCs (all except this one) from one forest have connection to all DCs in trusted domain?

Authenticating against AD with Kerberos, by a user with an explicit UPN

Hello

My situation :

I have a 2008 functional level domain with a technical name, let's say tec.domain.com

I have for this domain configured an alternate UPN : domain.com (that is only a DNS domain name, not an existing AD domain)

My users have a SamAccountName like j.doe and a UPN like john.doe@domain.com (which is their email address, on our Exchange organization)

Now, from a Linux server (running Apache and Kerberos), I can do a kinit with j.doe@TEC.DOMAIN.COM, but not with john.doe@DOMAIN.COM.

When I capture traffic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.

According to this article ( http://msdn.microsoft.com/en-us/library/Cc212351.aspx ), my DC should be able to handle it, as far as I understand it.

Am I missing something?

Thanks in advance.


workplace join additional factor auth


Please consider the request as urgent and critical. As I had raised it with the Office 365 community, they have routed me to the Directory Services forum.

I am planning to deploy workplace join with DRS in my environment and looking for your valuable feedback.

Current Environment:

 DC: Windows Server 2008 R2

Domain & Forest functional level: 2003

ADFS 2.0 & ADFS proxy deployed

2FA by 3rd party app

 

In order for workplace join, please confirm if my understanding is correct:

a) Upgrade the domain controller from 2008 to 2012 R2

b) Replace ADFS 2.0 with ADFS 2012 R2

c) Replace ADFS proxy with WAP

d) Upgrade the forest & domain functional level to 2012?

e) Can cert based authentication be used for external users as 2nd Factor Authentication?

f) What are the other 2FA options (not looking for MFA by O365 or Azure, as it uses APPPassword for Non-Browser)

Any pointer will be deeply appreciated.

Regards, 

Dematri



Access Denied moving computers between OUs

Hi,

I've created a group on my organization's AD for interns (G_Support_Interns).

Set permissions for them to Create Computer Objects and Delete Computer Objects on the Computers OU.

They were able to join computers on the domain.

Now I'm trying to make them able to move computers after joining them on the domain.

So, I've tried to:

  • Add the permission on the destination OU to Create/Delete computer objects (Didn't work)
  • Add the permission on the source OU to Write All Properties on Descendant Computer Objects (Didn't work)
  • Set the permission on the source and destination OU to Write All Properties on Descendant Computer Objects (Didn't work)
  • Set the Create All Child Objects on the source and destination OU on Descendant Computer Objects (Didn't work)

What am I doing wrong?

My domain has:

Windows Server 2008 R2 (primary)

Windows Server 2008 (secondary)

Windows Server 2008 R2 (third)


UPN Suffix Change

Hi,

I have added an alternate UPN Suffix using these instructions.

My question, which I can't seem to find an answer to online, is about applying this new UPN against current AD accounts and making it the default for new accounts.

Is simply changing the UserPrincipalName attribute via PowerShell script all that needs to be done? Does that perform the same action as selecting the new UPN from the Active Directory GUI drop-down list in the account settings? I can't help but notice that the script, although it changes the UserPrincipalName attribute value, does not change what the GUI shows under account settings.

Cheers,


Zac Avramides

New AD Server with existing IP address

Hi,

Our existing AD server is Win 2003, and we are going to have a new Win 2012 AD server.
Since the Win 2003 AD server is also the DNS server in our domain, all our clients' DNS settings point to that Win 2003 AD server.
I'm thinking of letting the new Win 2012 AD server have the old IP address and also work as the DNS server, and moving the old Win 2003 AD server to a new IP address.
Will that cause side effects?
Thanks for help.

Jason

New DC for Remote Office also has Large DFSR Share - Promote to DC before or after its in its Final Location?

I'm adding a 2nd 2012R2 DC to a remote location and it is going to have a large DFSR share on it. I wanted to start the DFSR replication and get everything replicated on the new server while it is still in the HQ office and connected via Gigabit network.

The server will also be a replacement DC for the remote location. If I make the server a DC in the HQ subnet, then change its IP address once it's onsite, I should be okay as long as I make sure that I move the server into the correct site and make sure DNS has the new IP address. Any other gotchas?

Thanks!


Domain Controller Demotion always hangs

In our environment we have 6 read / write domain controllers and many read only domain controllers. Recently I have noticed that every time we demote a server the demotion process hangs. It looks to have removed the read only domain controller but the promotion always seems to hang at this point. 

Any insight to what could be causing this would be appreciated. 

The following logs may help identify the problem.

DCPROMO.txt

10/03/2014 09:54:41 [INFO] Request for demotion of domain controller
10/03/2014 09:54:41 [INFO] DnsDomainName  (NULL)
10/03/2014 09:54:41 [INFO] ServerRole  1
10/03/2014 09:54:41 [INFO] Account (NULL)
10/03/2014 09:54:41 [INFO]Options  128
10/03/2014 09:54:41 [INFO] LastDcInDomain  FALSE
10/03/2014 09:54:41 [INFO] Forced Demote  FALSE
10/03/2014 09:54:41 [INFO] Stage 2 only   FALSE
10/03/2014 09:54:41 [INFO] Start the worker task
10/03/2014 09:54:41 [INFO] Request for demotion returning 0
10/03/2014 09:54:41 [INFO] Reading domain policy from the local machine
10/03/2014 09:54:41 [INFO] Searching for a domain controller for the domain DPI.NSW.GOV.AU
10/03/2014 09:54:41 [INFO] Searching for a domain controller for the domain DPI.NSW.GOV.AU that contains the account WGONFP1$
10/03/2014 09:54:41 [INFO] Located domain controller ORANDC1.DPI.NSW.GOV.AU for domain DPI.NSW.GOV.AU
10/03/2014 09:54:41 [INFO] Support Dc in DPI.NSW.GOV.AU is ORANDC1.DPI.NSW.GOV.AU
10/03/2014 09:54:41 [INFO] Located domain controller ORANDC1.DPI.NSW.GOV.AU for domain DPI.NSW.GOV.AU
10/03/2014 09:54:43 [INFO] Preparing the directory service for demotion
10/03/2014 09:54:47 [INFO] Started system volume demotion on enterprise
10/03/2014 09:54:47 [INFO] Read the LSA policy information from the local machine
10/03/2014 09:54:47 [INFO] Informed NETLOGON to deregister records
10/03/2014 09:54:47 [INFO] Stopping service NETLOGON
10/03/2014 09:54:49 [INFO] Configuring service NETLOGON to 1 returned 0
10/03/2014 09:54:49 [INFO] Stopped NETLOGON
10/03/2014 09:54:49 [INFO] Configuring service NTDS
10/03/2014 09:54:49 [INFO] Configuring service NTDS to 2112 returned 0
10/03/2014 09:54:49 [INFO] Stopping service IsmServ
10/03/2014 09:54:51 [INFO] Configuring service IsmServ to 577 returned 0
10/03/2014 09:54:51 [INFO] Stopping service kdc
10/03/2014 09:54:52 [INFO] Configuring service kdc to 65 returned 0
10/03/2014 09:54:52 [INFO] Stopping service NETLOGON
10/03/2014 09:54:52 [INFO] Configuring service NETLOGON to 273 returned 0
10/03/2014 09:54:52 [INFO] Configuring service NtFrs
10/03/2014 09:54:52 [INFO] Configuring service NtFrs to 2304 returned 0
10/03/2014 09:54:52 [INFO] Configuring service DFSR
10/03/2014 09:54:52 [INFO] Configuring service DFSR to 2304 returned 0
10/03/2014 09:54:52 [INFO] Configured domain controller services
10/03/2014 09:54:52 [INFO] Uninstalling the Directory Service
10/03/2014 09:54:52 [INFO] Invoking NtdsDemote
10/03/2014 09:54:52 [INFO] Preparing the security account manager (SAM) and Active Directory Domain Services for demotion...
10/03/2014 09:54:52 [INFO] Validating the removal of this Active Directory Domain Controller...
10/03/2014 09:54:52 [INFO] Authenticating supplied credentials
10/03/2014 09:54:52 [INFO] Creating new local account information...
10/03/2014 09:54:52 [INFO] Creating a new local security account manager (SAM) database...
10/03/2014 09:54:52 [INFO] Setting the new Local Security Authority (LSA) account information...
10/03/2014 09:54:52 [INFO] Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller ORANDC1.DPI.NSW.GOV.AU...
10/03/2014 09:54:58 [INFO] Removing LDAP and remote procedure call (RPC) access to Active Directory Domain Services...
10/03/2014 09:55:00 [INFO] Completing removal of Active Directory Domain Services, SAM and LSA...
10/03/2014 09:55:00 [INFO] NtdsDemote returned 0
10/03/2014 09:55:00 [INFO] DsRolepDemoteDs returned 0
10/03/2014 09:55:00 [INFO] This machine is no longer a domain controller
10/03/2014 09:55:01 [INFO] Successfully informed DNS Server to prepare for demotion
10/03/2014 09:55:04 [ERROR] Setting security on server files failed with 2

DCPROMOUI.txt

Last log lines

dcpromoui 10EC.6F4 09AC 09:54:41.121     Enter Computer::IsDomainController WGONFP1
dcpromoui 10EC.6F4 09AD 09:54:41.121       Enter Computer::GetNetbiosName
dcpromoui 10EC.6F4 09AE 09:54:41.121         WGONFP1
dcpromoui 10EC.6F4 09AF 09:54:41.121       Enter Computer::GetRole WGONFP1
dcpromoui 10EC.6F4 09B0 09:54:41.121         role: 4
dcpromoui 10EC.6F4 09B1 09:54:41.121       is a domain controller
dcpromoui 10EC.6F4 09B2 09:54:41.121   Enter DoPreOperationStuffWithGUI
dcpromoui 10EC.6F4 09B3 09:54:41.121     Enter State::GetOperation DEMOTE
dcpromoui 10EC.6F4 09B4 09:54:41.121   Enter State::GetOperation DEMOTE
dcpromoui 10EC.6F4 09B5 09:54:41.121   Enter DS::DemoteDC
dcpromoui 10EC.6F4 09B6 09:54:41.121     Enter State::IsLastDCInDomain false
dcpromoui 10EC.6F4 09B7 09:54:41.121     Enter State::IsForcedDemotion false
dcpromoui 10EC.6F4 09B8 09:54:41.121     Enter State::GetAdminPassword
dcpromoui 10EC.6F4 09B9 09:54:41.121     Enter State::GetAppPartitionList
dcpromoui 10EC.6F4 09BA 09:54:41.121     Enter AllocateAppPartitionList
dcpromoui 10EC.6F4 09BB 09:54:41.121     Calling DsRoleDemoteDc
dcpromoui 10EC.6F4 09BC 09:54:41.121     lpServer               : (null)
dcpromoui 10EC.6F4 09BD 09:54:41.121     lpDnsDomainName        : (null)
dcpromoui 10EC.6F4 09BE 09:54:41.121     ServerRole             : DsRoleServerMember
dcpromoui 10EC.6F4 09BF 09:54:41.121     lpAccount              : (null)
dcpromoui 10EC.6F4 09C0 09:54:41.121     Options                : 0x80
dcpromoui 10EC.6F4 09C1 09:54:41.121     fLastDcInDomain        : false
dcpromoui 10EC.6F4 09C2 09:54:41.121     cRemoteNCs             : 0
dcpromoui 10EC.6F4 09C3 09:54:41.355     HRESULT = 0x00000000
dcpromoui 10EC.6F4 09C4 09:54:41.355     Enter DeallocateAppPartitionList
dcpromoui 10EC.6F4 09C5 09:54:41.355     Enter DoProgressLoop
dcpromoui 10EC.6F4 09C6 09:54:41.355       Enter State::GetOperation DEMOTE
dcpromoui 10EC.6F4 09C7 09:54:41.355       Enter ProgressDialog::UpdateButton 
dcpromoui 10EC.6F4 09C8 09:54:42.868       Enter ProgressDialog::UpdateText Located domain controller ORANDC1.DPI.NSW.GOV.AU for domain DPI.NSW.GOV.AU

dcpromoui 10EC.6F4 09C9 09:54:44.381       Enter ProgressDialog::UpdateText Preparing the directory service for demotion

dcpromoui 10EC.6F4 09CA 09:54:48.921       Enter ProgressDialog::UpdateText Stopping service NETLOGON

dcpromoui 10EC.6F4 09CB 09:54:50.434       Enter ProgressDialog::UpdateText Stopping service IsmServ

dcpromoui 10EC.6F4 09CC 09:54:51.947       Enter ProgressDialog::UpdateText Stopping service kdc

dcpromoui 10EC.6F4 09CD 09:54:53.460       Enter ProgressDialog::UpdateText Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller ORANDC1.DPI.NSW.GOV.AU...
dcpromoui 10EC.6F4 09CE 09:54:59.513       Enter ProgressDialog::UpdateText Removing LDAP and remote procedure call (RPC) access to Active Directory Domain Services...
dcpromoui 10EC.6F4 09CF 09:55:01.026       Enter ProgressDialog::UpdateText Completing removal of Active Directory Domain Services, SAM and LSA...

DirSync Password Write-Back not working

Hello,

In a previous domain, we had DirSync installed on a Domain Controller and configured successfully to Sync with our Office 365 (No Hybrid as we only use Exchange online), with Password Sync enabled.  I also enabled the password write-back feature.  This worked without issue.

We recently built a new domain and installed DirSync on a standalone server vs the DC, repointed it to the existing O365 subscription and enabled password sync as well as password write-back.  The text below is a direct copy from PowerShell showing success, and I receive the event that shows success as well.

PS C:\Windows\system32> Enable-OnlinePasswordWriteBack

cmdlet Enable-OnlinePasswordWriteBack at command pipeline position 1
Supply values for the following parameters:
LocalADCredential
AzureADCredential
Password reset write-back is enabled.

Password sync from on-prem AD to Azure AD is working without a problem, however the password write-back simply doesn't work.  The AD account is an Enterprise Admin, and the Azure account is a Global Administrator.  No firewalls between the DirSync server or the DC.

When a user changes their password from the cloud, the password change takes effect, however that change is never written back to AD.  No errors in the event logs or FIM sync interface.

Not sure where to start looking to figure out why this is not working.  I have scoured the internet to see if there is anything special about installing DirSync on a standalone member server and can't seem to find any indication that the process is different (other than needing to log off and back on when installing on a DC).

Anyone have any ideas on where to look next?

Thanks!

Convert Read-Only Domain Controller to 'Normal'

Hi,

Is there a way to quickly convert a read-only 2008 R2 domain controller to a 'normal' domain controller? 

Or do you have to do a dcpromo first to remove the read-only domain controller and after that another dcpromo to make it a 'normal' one?

Thanks

AD 2008 R2 - Bringing old Global Catalog DC Back Online

Hi all, looking for some direction to take on a Win 2008R2 domain controller server that's been off the network for awhile. Here's the situation:  There's an office that we have that was closed. There was a global catalog domain controller server running there that was also functioning as a file server. That server was powered off and put in storage until a new office location was found. It took longer than expected to find a new office location and now we are ready to bring that server online and back into service. It's been 150 days since it was powered off.  Our Active Directory tombstoneLifetime is set for the default value of 60 days.

I'm hesitant to turn this server back on as I don't know what impact on our Active Directory this will have. Can anyone offer some suggestions on how I should handle this situation? I would definitely appreciate any feedback. Thanks.

Windows 8 and Default Domain Policy modification issue

Hi,

I'm unable to edit the default domain policy from my new Windows 8 desktop.  It's the only Win8 in the environment so I'm not able to easily test another one unfortunately.  The error I receive is:

Group Policy Error

Failed to open the Group Policy Object.  You might not have the appropriate rights.

Details: The volume for a file has been externally altered so that the opened file is no longer valid.

I have checked from a Win7 and a 2003 machine and can access and edit the GPO without issue using the same account.  The Win8 desktop is a fresh install with the RSAT tools installed, Exchange 2010 tools and a few basic applications (none of which stick out as having anything to do with AD management).

It only occurs if I click edit on the GPO.  I'm able to successfully view the policy and edit the permissions etc.  Have rebooted and the machine is current with patches as of now.

thanks

Andy


Cheers Andy

Windows 2008 R2 AD DS BPA Issue

Any help will be greatly appreciated. Thanks.

When running the AD DS BPA on a Windows 2008 R2 Server I get the following error:

Title:
The AD DS BPA should be able to collect data about Group Policy Results setting "Access this computer from the network" from the domain controller ServerName

Severity:
Error

Date:
28/07/2011 11:02:15 AM

Category:
Configuration

Issue:
The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about Group Policy Results setting "Access this computer from the network" from the domain controller ServerName.

Impact:
The AD DS BPA will not be able to validate configuration data about Group Policy Results setting "Access this computer from the network".

Resolution:
Troubleshoot the domain controller ServerName to determine the root cause of the problem.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=142188

I have attached the error from DirectoryServices_EngineReport.xml below:

<Error>
 <Report>true</Report>
 <DataItem>Group Policy Results setting "Access this computer from the network"</DataItem>
 <Computer>the domain controller ServerName</Computer>
 <Message>Some or all identity references could not be translated.</Message>
 <FullyQualifiedErrorId>DotNetMethodException</FullyQualifiedErrorId>
 <Exception>
  <Type>System.Security.Principal.IdentityNotMappedException</Type>
  <Message>Some or all identity references could not be translated.</Message>
 </Exception>
</Error>

 

 


I have confirmed that the Default Domain Controller Policy has the following users applied under "Access this computer from the network":

Default on domain controllers:
Administrators
Authenticated Users
Enterprise Domain Controllers
Everyone
Pre-Windows 2000 Compatible Access

and conversely none of the users are applied under "Deny access to this computer from the network"

AD CS - PKI detailed (Windows Server 2012 R2)

Hi, having finished learning 70-410 and 70-411 material for Windows Server 2012 R2, I will move on to 70-412 in the next few days. I am mostly interested in deploying PKI infrastructure with AD CS since many other technologies use PKI (AD RMS, Direct Access, IIS . . .) and the main reason is because I have never worked with it. PKI itself is sometimes not an easy subject to understand completely, so I want to be able to understand all components of PKI (public/private key pair, how they are generated and by whom, what their physical location is on a given computer/user, what a digital certificate contains and its correlation with the private key . . .) and thus not have any dilemma. Is there any complete documentation about PKI (and AD CS in Windows Server 2012 R2) with simple explanations which are not as confusing as the ones I have found so far on the Internet? They really are.



One Way Trust, Start with RWDC Then Go To RODC?

So, we have an internal network and a DMZ network in play here.  I'm attempting to set up a one way trust so resources on the DMZ network can be managed from the internal network.  Internal network has RWDCs in its domain, and the DMZ has its own RWDCs in its own domain and a RODC from the internal network's domain.  The internal network's RODC is in its own site in AD and is confirmed to be communicating with the RWDCs in the internal network.  The RODC is not an authoritative DNS server, but can host a secondary zone or stub zone.  The functional level of the internal domain is 08r2 and the DMZ domain is 2012r2, if that matters.

The task is to set up the one way trust, and it's proving a bit difficult.  So far I've attempted both Conditional Forwarders or stub zones on the RODC and the DMZ RWDC, no dice.  There are no observed DNS replication problems within the domains themselves and using ping and nslookup, I've confirmed that DNS resolution is working between the RODC and the DMZ RWDC.  When I try to create the trust from the DMZ RWDCs, it fails saying the specified domain cannot be contacted.   Based on what I've read online in other posts and my inability to get around it, it seems that a trust requires a RWDC at each end to function.  If this is not the case, I would love to hear how it can be set up with a RWDC at one end and a RODC at the other.

Now, if it's correct that the trust requires two RWDCs to set up, what if it was set up with two RWDCs and then one of the RWDCs was removed and replaced with a RODC?  I guess what I'm asking is does it just require a RWDC at each end to be set up, or does it also require a RWDC at each end for the trust to function properly on an ongoing basis?

Upgrade Domains to Windows 2012 R2

Hi,

I have two forests with two Windows 2008 R2 domain controllers in each forest.

The forests are connected by a bi-directional trust.

I started upgrading the DCs to Windows 2012 R2 by installing a new server (Win 2012 R2), demoting the old DC (Win 2008 R2), giving the new server (Win 2012 R2) its IP address and promoting it.

After I promoted the second server in the forest, the trust relationship stopped working so I had to roll back to Win 2008 R2.

Is there a best practice for upgrading forests in a trust relationship ?

Kobi

Transferring FSMO roles from Windows Server 2008 R2 to Windows Server 2012 R2

I am planning for a Domain Controller migration between two Geo-location sites. The existing environment is Server 2008 R2, I will be promoting Server 2012 R2 as the Domain Controller in the new site and eventually shut down the Server 2008 R2.

I would like to know if there would be any issues while transferring all the FSMO roles from Server 2008 R2 to Server 2012 R2.

I do have a lot of services pointing to the Domain Controller on Server 2008 R2, including the Exchange Server 2010.

Any suggestions would be much appreciated. 

Thanks!


Scripts folder not replicating in domain

Several months back the building that housed two of my remote domain controllers was destroyed.  Since bringing the servers back up was physically impossible, I went through Microsoft's procedure for removing them with ntdsutil.  At the same time, I looked at both my DNS servers and found numerous references to the "dead" controllers and removed them by hand as well.

Yesterday, I found out my remaining DCs are no longer replicating the scripts folder and have been trying to repair.  Today I installed a test domain and after it came up and I verified replication, started looking at the different zones.  The zones on my test domain look different than my production DNS server zones.  There is still a leftover reference to one of the domain controllers that was destroyed in the gc\_tcp area of the DNS server.

At this point in time, I believe the AD dns zone is corrupt, but I have no idea how to rebuild?

Any suggestions would be greatly appreciated.

David Harris

Addendum... I noticed today my second dc never receives the message saying

"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed. "

 

Error in dcdiag

I have an error when I run dcdiag, as per below:

   

 The session setup from computer 'TrustedDomainController failed because the security database does not contain a trust account 'etqint.com.' referenced by the specified computer. 


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 10/04/2014   18:53:38

            Event String:

            The session setup from computer 'TrustedDomainController2' failed because the security database does not contain a trust account 'etqint.com.' referenced by the specified computer.  


         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 10/04/2014   19:06:44

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         An error event occurred.  EventID: 0x000016AD

            Time Generated: 10/04/2014   19:07:00

            Event String:

            The session setup from the computer TrustedDomainController   failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 10/04/2014   19:07:00

            Event String:

            The session setup from the computer TrustedDomainController2 failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x00000457

            Time Generated: 10/04/2014   19:34:56

            Event String:

            Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 10/04/2014   19:35:01

            Event String:

            Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

         ......................... DomainController5 failed test SystemLog

      Starting test: VerifyReferences

         .........................DomainController5  passed test VerifyReferences

I have a trust between two domains, and the errors are for the trusted domain.

TrustedDomainController2 -> not a DC for the same domain; it's for the trusted domain.

Any advice on how I can resolve the errors?


