Channel: Directory Services forum

DR recovery of server 2012 root domain


All,

I've got a Server 2012 forest with two domains. For DR testing, I'm shutting down the FSMO role holder of the root domain, copying the VMDK into DR and powering it up completely isolated from the production environment, but the subnet network IDs are the same (the IP doesn't change); there is just no network connectivity back. When I power on this DC I can't use ADUC and domain authentication doesn't work until I do two things:

First, I have to set the registry key to not require initial sync:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]

"Repl Perform Initial Synchronizations"=dword:00000000

Then I have to set FRS burflags to D4

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process

From there, all is well and I can continue the recovery. My question is that I didn't have to do this back when the domain had 2003 DCs; now that they are 2012 I have to. Is there some other process I should be following for DR? I really don't get the "why" of why this DC won't just power up and run in an isolated network!!!

Thanks for your insight!


FRS errors 13552 & 13555. SYSVOL not replicating.


Hi All, looking for a little help here...

Here is the scenario. My (new) client has ONLY 1 domain controller (Windows Server 2003, which I will call SERVER1). I recently installed a new 2008 R2 server and made it a replica domain controller. Everything went well until I realised that there was no SYSVOL share on the new server. I checked the FRS event logs on SERVER1 and noticed that event ID errors 13552 & 13555 have been occurring since December 2010.

I've been reading about changing BurFlags to do a nonauthoritative restore from a replica DC; however, in this case there is only 1 DC. Can someone advise how I go about fixing this?

 

------------------------------------------------------------------------------

Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13552
Date:  21/06/2011
Time:  2:15:57 PM
User:  N/A
Computer: SERVER1
Description:
The File Replication Service is unable to add this computer to the following replica set:
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 
This could be caused by a number of problems such as:
  --  an invalid root path,
  --  a missing directory,
  --  a missing disk volume,
  --  a file system on the volume that does not support NTFS 5.0
 
The information below may help to resolve the problem:
Computer DNS name is "server1.mydomain.local"
Replica set member name is "SERVER1"
Replica set root path is "c:\windows\sysvol\domain"
Replica staging directory path is "c:\windows\sysvol\staging\domain"
Replica working directory path is "c:\windows\ntfrs\jet"
Windows error status code is 
FRS error status code is FrsErrorMismatchedJournalId 
 
------------------------------------------------------------------------------

Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13555
Date:  21/06/2011
Time:  2:15:57 PM
User:  N/A
Computer: SERVER1
Description:
The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed: 

------------------------------------------------------------------------------

 

 

Server randomly getting hang with high cpu utilization in few mins

Hi Team,

One of our Windows 2008 R2 SP1 servers is randomly going into an offline/hang state where I cannot even ping it. This server is installed in VMware. The host has 90+ guests but only this guest has this issue. We have doubled the CPU and memory and moved it to a different datastore and different storage, but still cannot identify what is causing the issue. Perfmon, ADPlus and ProcDump are not even helping to take a dump, as the data is not stored on the server when it crashes. The server goes into a hang/offline state suddenly. Is there any option or tool which will show or create a dump when the CPU goes offline? Actually, any tool that can store the logs on the side would be helpful, like wmic. I do not know the process ID or process name, so I cannot see what is causing the high CPU utilization.

Could you please help me to overcome this issue. Thank you.

AD Hub and Spoke Site Topology but KCC still sets up replication with DC's outside the Hub site


2008 R2 Domain & Forest Functional Level; 30 sites; 1 hub, the rest are spokes. Bridge all site links = enabled; all DCs running Win2K8R2 SP1.

In my AD topology there is one hub site (the data center with multiple DCs) and the rest are branch sites with 2 domain controllers each. Bridge all Site Links is enabled and I want to leave it that way, as 90% of my sites are connected via a high speed, reliable MPLS WAN. Three of my AD sites are outside the U.S. and connected via VPN, which is mostly stable but has had some stability issues in the past.

Each AD site has one site link object defined which contains only itself and the "hub" site (the data center).

The problem: in my sites connected via VPN, the KCC is creating replication partners with DCs in the other branch VPN sites instead of just with the DCs in the hub site.

As per http://technet.microsoft.com/en-us/library/dd736189(v=ws.10).aspx, in these three VPN-connected branch AD sites, I've set the repadmin site option as such:
repadmin /siteoptions <dc name> /site:<sitename> +W2K3_BRIDGES_REQUIRED

My understanding is that this setting allows Bridge All Site Links to remain enabled at the Inter-Site Transports - IP level in AD S&S, but for the sites where it's set as such, will force the KCC to only set up replication partners with DCs contained within its site link object. In my case, the only other site link object is the hub site itself.

Even odder is that, on DCs in each of the three branch sites, the KCC is not creating ANY replication links with DCs in the hub site, ONLY with DCs in the other branch VPN sites: the exact branch sites these DCs can't communicate with due to routing limitations. Because of this weirdness, I've had to manually create replication links with DCs in the hub site to maintain replication flow.


JKuta

Two DNS Servers with different SOA


Hello,

I have a DNS Server in my main office (lab environment) of an Active Directory domain.

I have set up another one in a branch office, and they communicated with each other just fine over an ISA Server site-to-site VPN.

The link of that VPN broke and the branch office was offline for several days.

I managed to bring that site-to-site VPN up again, but now I see that the SOA within the DNS Server in the branch office is 482, whereas the SOA in the DNS Server in the main office is 548.

I read somewhere that this SOA is precisely for these cases, and that Active Directory would determine which DNS is better and therefore the branch office would take the new DNS records.

Is this so? I am waiting but don't see that the branch office takes that 548 SOA number from the DNS in the main office.

Thanks in advance!

P.S.: I manually changed some things in the DNS in the branch office and I am hoping that the SOA will work that out.


Luis Olías, Systems Technician/Administrator. Sevilla (España - Spain)


sysvol and netlogon not shared in additional domain controller 08 r2 and shared in another additional 2012


I have a 2008 DC and a 2012 ADC which have SYSVOL and NETLOGON shared, but when I create another ADC 2008 R2, SYSVOL and NETLOGON are not shared.

I don't know why, and I need to remove the DC and move the FSMO roles to the new ADC 2008 R2.

Replaced 2008 DC, now remote systems are slow to browse network


I just replaced our DC that also served as one of several DNS servers.  All FSMO roles were transferred to the new DC before demoting.

After doing so, the majority of our remote sites (connected via site-to-site VPN) can no longer access the UNC path of the file server also located in each remote site, and if they can, it is extremely slow. However, this isn't happening to every remote site. Affected sites are also unable to access the UNC path via IP address, although nslookup/pings resolve normally. The temporary workaround is to remove all affected systems from the domain. As soon as those machines are removed from the domain and rebooted, accessibility to these paths returns instantly.

Each time I configure or assign a certificate to RD Manager ... IP-HTTPS and Kerberos in the Remote Access setup give an error

I have set up Remote Access and it works and I can even deploy applications, but any time I try logging in from the client end it prompts that my website is insecure. I tried installing a certificate for RD Gateway. The Remote Access stops with an error on IP-HTTPS and Kerberos, complaining about certificate binding. How do I get around this?

We have AD and Exchange in the production environment. We plan to make a new test environment with a new, different forest in the same network and same VLAN range. Are there any challenges in creating two forests in the same environment?


Hi all,

We have AD and Exchange in the production environment. We plan to make a new test environment with a new, different forest in the same network and same VLAN range. Are there any challenges in creating two forests in the same environment?

Issue accessing share from other forest. No logon servers available to serve your request.


Hello, gents!

We have two AD forests and an external 2-way trust between them. About a month ago I was able to reach a share on a file server from localdomain.com to remotedomai.com without any issues. Now when I try to do it I get an error:

"\\servername\share is not available.You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

there are currently no logon server available to service the logon request".

I validated trusts - everything validating fine.

In the event log of the remote server I am trying to access, I found this error, EventID 4625 from Microsoft Windows Security:

An account failed to log on.

Subject:

Security ID: NULL SID

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: artem

Account Domain: localdomain

Failure Information:

Failure Reason: An Error occured during Logon.

Status: 0xc000005e

Sub Status: 0x0

Process Information:

Caller Process ID: 0x0

Caller Process Name: -

Network Information:

Workstation Name: ANOMDC1

Source Network Address: 172.20.0.10

Source Port: 53693

Detailed Authentication Information:

Logon Process: NtLmSsp

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

What would be the proper steps to troubleshoot it?

ADMT 3.2 ServicePrincipalName duplicates – Users unable to logon


Hello everyone,

We are doing an intra-forest migration using ADMT 3.2 (Version with 2012R2 Support as the colleague who installed it told me). Domain Controllers are running at Windows Server 2012 R2 and Windows Server 2003. Clients are running at Windows 7. When migrating computer objects we experience the following:

When the migrated computer boots and joins the destination domain it throws NETLOGON events 5788 and 5789. Therefore, the destination computer object doesn't have a single SPN registered. Because the HOST and RestrictedKrbHost SPNs are missing, no user is able to log on to the machine.

After investigating the issue I think I found the cause of the problem. Please correct me if I'm wrong:

When ADMT migrates a computer account it does not clear the SPNs that are registered for the source computer account. Because of the new feature of Server 2012 R2 that prevents the registration of duplicate SPNs in the forest, described here http://technet.microsoft.com/en-us/library/dn535779.aspx, this prevents the migrated computer from registering its SPNs during the first boot in the new domain (leading to 5788 and 5789).

Let’s assume we have a client called client1.emea.contoso.com. This client has the following SPNs registered:

  • HOST/client1
  • HOST/client1.emea.contoso.com
  • RestrictedKrbHost/client1
  • RestrictedKrbHost/client1.emea.contoso.com

When the client is migrated to us.contoso.com it will try to register the following SPNs for its account:

  • HOST/client1
  • HOST/client1.us.contoso.com
  • RestrictedKrbHost/client1
  • RestrictedKrbHost/client1.us.contoso.com

Because the SPNs HOST/client1 and RestrictedKrbHost/client1 are not unique in the forest, their registration is blocked by the Server 2012 R2 DC. Also, the registration of HOST/client1.us.contoso.com and RestrictedKrbHost/client1.us.contoso.com is blocked as well, because the client tries to register the Service/Hostname and Service/FQDN records at the same time, which both fail in the process. This leads to Kerberos failure for interactive logon. Because of the security feature of Windows Vista and above which prevents fallback to NTLM for interactive logons, mentioned here http://support.microsoft.com/kb/2015518, no logon is possible under this condition.

Note:

Windows Server 2008 R2 DCs that do not have the above mentioned feature of "SPN uniqueness testing" just let the newly booted client register the duplicate SPN for HTTP/client1 and RestrictedKrbHost/client1.

What ought we to do now? Currently we work around this issue by manually deleting the SPNs on the computer object in the source domain. This does not seem to be the optimal solution to me. Am I missing something? Did I forget something?

Thanks and best regards,

Steven
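An added pre-migration check (not code from the post or from ADMT) that searches the global catalog for the four SPNs a migrated client will try to register, so collisions like the ones described above show up before the computer is moved; the computer name, domain names and GC address are placeholders.

```powershell
# Added example, not from the original post: find SPNs that would collide with the
# ones a migrated client registers on first boot in the destination domain.
# Assumes the ActiveDirectory module and a reachable global catalog (port 3268).
# ComputerName, SourceDomain, TargetDomain and GlobalCatalog are placeholders.
param(
    [string]$ComputerName  = 'client1',               # short host name of the client
    [string]$SourceDomain  = 'emea.contoso.com',      # domain the object lives in today
    [string]$TargetDomain  = 'us.contoso.com',        # domain it is being migrated to
    [string]$GlobalCatalog = 'dc1.contoso.com:3268'   # any GC in the forest
)
Import-Module ActiveDirectory

# The SPNs the client attempts to register after joining the target domain.
$wanted = @(
    "HOST/$ComputerName",
    "HOST/$ComputerName.$TargetDomain",
    "RestrictedKrbHost/$ComputerName",
    "RestrictedKrbHost/$ComputerName.$TargetDomain"
)

# servicePrincipalName replicates to the GC, so one forest-wide LDAP query per SPN
# is enough to see every object that already holds it (including the source
# computer object in $SourceDomain, which is the duplicate the 2012 R2 DC rejects).
$conflicts = foreach ($spn in $wanted) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                           -Server $GlobalCatalog -Properties servicePrincipalName
    foreach ($o in $owners) {
        [pscustomobject]@{
            SPN          = $spn
            HeldBy       = $o.DistinguishedName
            InSourceDom  = $o.DistinguishedName -like "*DC=$($SourceDomain -replace '\.',',DC=')"
        }
    }
}

if (-not $conflicts) {
    "No conflicting SPNs for $ComputerName found in the forest."
} else {
    "SPNs that will be rejected on first boot in $TargetDomain (already held elsewhere):"
    $conflicts | Format-Table -AutoSize
}
```

Run it before migrating each computer; every row in the output is an SPN that must be cleared from its current holder (or the holder renamed) before the client can register it in the target domain.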

Retiring 2 domain Controllers


Hi, we are looking to retire 2 out of our 5 2008 R2 domain controllers. There are no FSMO roles on these 2 controllers. The only other role is DNS. All devices and workstations are now pointing to other DNS servers besides these two.

My question is that I want to simply shut down these 2 servers for a week or so and see if anything screams. If it does I can simply bring the controllers back up and figure out what went wrong. If nothing screams I can then safely demote them from being domain controllers.

Is the act of shutting them down for a bit a valid way of testing? This will be done off hours but what can the end users or application servers expect if the DC they were using is no longer there, will they get error messages on the screen or will it silently go to another DC in the background?

Any thoughts would be appreciated.

Thanks

NTDS single/Static port vs Fixed port range.



I'm well aware of how to set up a custom fixed RPC port range (as per https://support.microsoft.com/kb/154596?wa=wsignin1.0).

I also know NTDS can be configured to use a single/Static TCP port (as per http://support.microsoft.com/kb/224196).

My question is:

  • What happens if you *only specify a Fixed RPC port range*
    AND
  • *Do not* specify a single/Static Port for NTDS

-> Will NTDS simply offer its services through the Fixed RPC port range?

Thanks.

Regards,

A.

ADMT 3.2 migration from 2003 to 2012 R2


Hello,

The latest update of ADMT supports AD 2012 (and R2), and I succeeded with the following migrations with ADMT 3.2:
2003 -> 2008 R2

then

2008 R2 -> 2012 R2

I would like to know if the migration from AD 2003 to AD 2012 R2 is possible in one step and if someone has done that (that is, without the 2008 R2 transition step).

Thanks

The "User cannot change password" option is automatically getting unchecked while giving domain admin rights

The "User cannot change password" option is automatically getting unchecked while giving domain admin rights.

Active Directory NETBIOS name


Hello.

I think I should be able to ping NETBIOS name of the AD.  Should I? It does not work.

For example, full domain name is fulldomain.local.  NETBIOS name is ourdomain.

I can ping fulldomain.local, but I cannot ping ourdomain.

Can someone help?

Thank you.


Thank you. Eric.

Need to Restrict Domain Admin group


Hi All,

Can someone advise me on restricting the "Domain Admins" group according to the two criteria below.

1) Anonymous users shouldn't be able to see the members of this group.

2) "Builtin/Administrators" shouldn't have privilege to edit this group.


Sai Krishna

AD Replication error



I'm getting the below error while running the repadmin /showrepl command in my parent domain.

  

  Default-First-Site-Name\(CHILDDomain) via RPC

        DSA object GUID: dc7844e2-0b94-4f30-9ef2-78b1b64a4aba

        Last attempt @ 2014-10-24 19:23:48 failed, result 8606 (0x219e):

            Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

        452 consecutive failure(s).

I would appreciate any help in resolving this issue.

Outgoing and incoming trusts


What does Outgoing, Non-Transitive, External Trust mean?

First of all, I am not an AD guy. I am just gathering information for an issue I am facing in my application :-)

There is a domain trust between our domain and an external domain. It is expected that users of this external domain should appear in our AD so that my application (SharePoint) can pull those users. However, I am not able to see these users (external domain users) in our AD. I have got this info from my AD team guy.

What does this mean?

Populate AD Security Group with a SCCM 2012 collection members


Hello everyone,

I have a device collection in SCCM 2012 with a certain number of laptops in it based on a specific query.

I want to be able to create a Security Group in AD and populate this group with all the members of this collection. 

Is this possible? If YES, how can it be accomplished?

Appreciate any help in advance ;-)
