Channel: Directory Services forum

How to use cmdlet (set-aduser) to remove a specific logonworkstations?

Hi all, I know I can use the Set-ADUser cmdlet with a += to add a new logon workstation to an existing user's allowed logon workstations list. How do I do the opposite, to remove a specific server from the list, using the cmdlet or a script?
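An added example of the removal, not part of the original question or any reply. It assumes the ActiveDirectory module is available; the user name jdoe and the workstation name SRV02 are placeholders. LogonWorkstations (LDAP attribute userWorkstations) is a single comma-separated string rather than a multi-valued attribute, which is why Set-ADUser -Remove does not apply and the string has to be split, filtered and rebuilt:

```powershell
# Added example; not from the original post. Placeholders: user 'jdoe', workstation 'SRV02'.
Import-Module ActiveDirectory

function Remove-LogonWorkstation {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Workstation
    )
    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) {
        Write-Warning "$Identity has no LogonWorkstations restriction; nothing to remove."
        return
    }

    # userWorkstations is one comma-separated string: split it, trim stray spaces,
    # drop the target host (-ne is case-insensitive in PowerShell) and re-join.
    $before    = @($user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $remaining = @($before | Where-Object { $_ -ne $Workstation })

    if ($remaining.Count -eq $before.Count) {
        Write-Warning "$Workstation is not in the list for $Identity; no change made."
        return
    }

    if ($remaining.Count -eq 0) {
        # Caveat: an empty userWorkstations means NO restriction, i.e. the user may then
        # log on to any workstation. Only clear it if that is really what you want.
        Set-ADUser -Identity $Identity -Clear userWorkstations
    } else {
        Set-ADUser -Identity $Identity -LogonWorkstations ($remaining -join ',')
    }
}

Remove-LogonWorkstation -Identity 'jdoe' -Workstation 'SRV02'
Get-ADUser -Identity 'jdoe' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

The explicit count check matters because a Set-ADUser call with an unchanged string still rewrites the attribute (and therefore replicates), and the empty-list branch is where an automated cleanup can silently widen a user's logon rights instead of narrowing them.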

Fault tolerance on AD LDS


I have set up AD LDS on an Azure VM. I have a replica of my primary AD LDS instance. What I understand by fault tolerance is that if the primary instance is somehow affected, the replica instance should take over and my application should continue working normally. Am I correct in my understanding in the context of AD LDS?

If yes, is there any way I can test this out using, say, PowerShell or any other tool? If no, how can I achieve fault tolerance?

thanks
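An added example, not part of the original question or any reply. Replication between AD LDS instances is multi-master, but nothing makes a replica "take over" on its own: an LDAP client keeps talking to whichever host:port it was given, so fault tolerance has to come from the application (or a DNS alias or load balancer in front of it) trying the next instance when one stops answering. The function below performs that check from PowerShell with System.DirectoryServices.Protocols; the instance names, the ports 50000/50001 and the partition DN are placeholders. To exercise it, stop the primary instance's service (each AD LDS instance runs as a Windows service named ADAM_<instance name>) and run the function again to see the replica being selected.

```powershell
# Added example; not from the original post. Placeholders: instance host:port values and the partition DN.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-HealthyLdsInstance {
    param(
        [Parameter(Mandatory)][string[]]$Instances,    # 'host:port' for each AD LDS replica, in preference order
        [Parameter(Mandatory)][string]$PartitionDn,    # application partition the app depends on
        [int]$TimeoutSeconds = 5
    )
    foreach ($instance in $Instances) {
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($instance)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Timeout  = [TimeSpan]::FromSeconds($TimeoutSeconds)
        try {
            $conn.Bind()
            # Read the head of the application partition, not just RootDSE: a bind proves the
            # service is up, the base-scope read proves this replica actually hosts the data.
            $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $PartitionDn, '(objectClass=*)', 'Base', 'distinguishedName')
            $null = $conn.SendRequest($req)
            return [pscustomobject]@{ Instance = $instance; Healthy = $true }
        } catch {
            # Connection refused, timeout, or partition missing: fall through to the next replica.
            Write-Warning "$instance unavailable: $($_.Exception.Message)"
        } finally {
            $conn.Dispose()
        }
    }
    return $null   # no replica answered: the application has no usable directory
}

$replicas = @('lds-primary.contoso.local:50000', 'lds-replica.contoso.local:50001')
Get-HealthyLdsInstance -Instances $replicas -PartitionDn 'DC=app,DC=contoso,DC=local'
```

This is the same selection logic an application must implement (or delegate to a load balancer) to survive the loss of one instance; running it before and after stopping ADAM_<instance name> on the primary is a direct test of whether the replica is both reachable and carrying the application partition.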

Not able to create DC @ second site.


Hi,

I've my home lab server, where I would like to create 3 sites to make it more like an actual environment. I've created two sites and installed 2 DCs at site 1, and when I try to install another DC at the second site, it gives me the error: NOT ENOUGH RESOURCES TO COMPLETE THIS PROCESS. I've checked all connections and settings regarding DNS/ports/name resolution, and all are working fine.

1. Created 2nd IP Subnet and Site 2

2. Associated Subnet with Site 2

3. Created site link for Site 1&2.

4. Ping & NSLOOKUP working fine from both subnets.

5. 2nd Site system is a domain joined system. (means DNS is working fine)

The only glitch I've found is that my on-board LAN port is not compatible with WS2012 R2, so I've installed a secondary LAN card into the system and all the communications are working from the 2nd LAN card. My thought is this shouldn't be an issue. I googled this one and found nothing helpful to resolve the issue.

Any help/suggestion is highly appreciated.

Regards

 


Rajneesh Kumar MCITP - SA, MCSE, CNA


Failover to remote DC after disaster


I suspect this question has already been answered and apologize in advance for repetition.  Here is my current setup:

Site A:  Windows Server 2008 R2 running AD/DNS/DHCP.  Main domain controller resides here.

Site B:  Windows Server 2008 R2 running AD/DNS/DHCP.  Second domain controller at remote office.

The two sites are interconnected by a private, leased line running at around 10Mbps.  I have configured my sites, subnets, etc. and the two DCs are properly replicating.

What I am searching for is a document that will describe the actual procedures that I need to implement at Site B in the event Site A burns to the ground.  I am hunting for the actual procedure for failing-over to the DC at Site B in the event of complete disaster.


Thanks

Downgrading a DC running Server 2012 R2 to Server 2008 R2

This is NOT a licensing question. All I see when searching this question are answers about licensing. I already have the licensing. My question is: is it possible to downgrade a domain controller that is running Server 2012 R2 to Server 2008 R2? I mistakenly raised the functional level of my domain from Server 2003 to 2012 R2 before upgrading my Exchange server running 2003, and now I have no way to migrate my Exchange server. Ideally, I would like to just downgrade the DC to Server 2008 R2 and upgrade everything else to that level as well, including Exchange Server 2010. Any relevant input would be greatly appreciated.

communicate only with FQDN


Hello, 

I need a solution for the following scenario. Could somebody please provide me the resolution.

I have 2 machines which are part of an AD domain. I am running my client-server application on those machines. Both are Win2012 machines.

Machine 1 is the server

Machine 2 is the client

I want the client to communicate with the server using the FQDN, not the short name. If I try to ping the machine using the short name, it should not resolve or communicate.

I tried my best to get a solution, but whenever I use the short name, the client pings the server machine, and I don't want the client to communicate using the short name. Can anyone help me get a solution for this?

Thanks in Advance,

V.Sathyamoorthy

cannot join dc after domain rename (rendom)


Hello Forum,

After a domain rename, I cannot join a new DC to the domain. I think something went wrong, because I had some olddomain.local entries left, which I fixed myself with ADSI Edit. The problem is/was that I finally ran /cleanup and /end.

The message I get when I want to join a new 2012 R2 DC (to a domain with 2012 R2 forest level) is:

Verification of outbound replication failed. Error reading the NTDS settings on replication source domain controller dc1.newdomain.lan. Domain Controller data not found for the specified Active Directory domain controller.

dcdiag passed all tests (on the only DC I have), with only two event log entries, which I think are harmless.

C:\>dcdiag /v /q
         Error. Event ID: 0xC0FF05DC
            Time generated: 11/03/2014   15:39:17
            Event string:
            An error occurred while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
         Error. Event ID: 0x0000106A
            Time generated: 11/03/2014   15:39:20
            Event string:
            The IP address for the ISATAP interface isatap.{57C07FF6-EAC7-49B0-9EA0-D08D20812B7E} was not updated. Update type: 1. Error code: 0x490.

         ......................... The SystemLog test for DC1 failed.

Sorry - German locale, output translated.

I found the following problem on the computer object in ADSI Edit: dNSHostName is still the old domain name (which can still be resolved by nslookup to the new DC).

When I try to update it to the new domain I get:

Operation failed. Error code: 0x214d
While processing the change of the DNS host name for an object,
the synchronization of the service principal name (SPN) values
could not be maintained.

0000214D: SvcErr: DSID-033E0FDC, problem 5001 (BUSY), data 87

But all SPNs are set correctly (manually, by me) with setspn:

C:\>setspn -l dc1
Registered service principal names (SPNs) for CN=DC1,OU=Domain Controllers,DC=newdomain,DC=lan:
        WSMAN/dc1.newdomain.lan
        WSMAN/dc1
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/dc1.newdomain.lan
        MSSQLSvc/dc1.newdomain.lan:SUSDB
        GC/dc1.newdomain.lan/newdomain.lan
        HOST/dc1.newdomain.lan/newdomain.lan
        HOST/dc1.newdomain.lan/newdomain
        TERMSRV/dc1.newdomain.lan
        RestrictedKrbHost/dc1.newdomain.lan
        ldap/dc1.newdomain.lan/ForestDnsZones.newdomain.lan
        ldap/dc1.newdomain.lan/DomainDnsZones.newdomain.lan
        ldap/dc1.newdomain.lan/newdomain.lan
        ldap/dc1.newdomain.lan/newdomain
        ldap/dc1.newdomain.lan
        HOST/dc1.newdomain.lan
        DNS/dc1.newdomain.lan
        ldap/dc1.olddomain.lan/newdomain
        HOST/dc1.olddomain.lan/newdomain
        ldap/f6504b59-4d01-4a52-88fb-f57f5899fe49._msdcs.newdomain.lan
        ldap/DC1/newdomain
        HOST/DC1/newdomain
        RPC/f6504b59-4d01-4a52-88fb-f57f5899fe49._msdcs.newdomain.lan
        GC/dc1.olddomain.lan/newdomain.lan
        ldap/dc1.olddomain.lan/ForestDnsZones.newdomain.lan
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/f6504b59-4d01-4a52-88fb-f57f5899fe49/newdomain.lan
        ldap/dc1.olddomain.lan/DomainDnsZones.newdomain.lan
        HOST/dc1.olddomain.lan/newdomain.lan
        ldap/dc1.olddomain.lan/newdomain.lan
        MSSQLSvc/dc1.olddomain.lan:SUSDB
        DNS/dc1.olddomain.lan
        RPC/f6504b59-4d01-4a52-88fb-f57f5899fe49._msdcs.olddomain.lan
        ldap/DC1
        ldap/dc1.olddomain.lan
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/dc1.olddomain.lan
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc1.olddomain.lan
        TERMSRV/DC1
        TERMSRV/dc1.olddomain.lan
        WSMAN/dc1.olddomain.lan
        RestrictedKrbHost/DC1
        HOST/DC1
        RestrictedKrbHost/dc1.olddomain.lan
        HOST/dc1.olddomain.lan

Also in the event log I get this event:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          03.11.2014 15:55:10
Event ID:      1224
Task Category: Internal Processing
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      dc1.newdomain.lan
Description:
An error occurred while the local domain controller attempted to automatically update information on one or more computer objects, settings objects or server objects.

This operation will be retried after the following interval.

Interval (minutes):
5

Additional Data
Error value:
5 Access is denied

Internal ID:
32b0954
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" /><EventID Qualifiers="32768">1224</EventID><Version>0</Version><Level>3</Level><Task>9</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime="2014-11-03T14:55:10.570355200Z" /><EventRecordID>766</EventRecordID><Correlation /><Execution ProcessID="572" ThreadID="696" /><Channel>Directory Service</Channel><Computer>dc1.newdomain.lan</Computer><Security UserID="S-1-5-7" /></System><EventData><Data>5</Data><Data>32b0954</Data><Data>5</Data><Data>Zugriff verweigert</Data><Data></Data></EventData></Event>

My idea was to join a new DC, demote DC1 and re-join it again, but as you see, I can't join a new DC. I rebooted DC1 many times in the hope that it would repair itself :)

Any other idea?
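An added check, not from the original post or any reply, that lists every object in the domain and configuration partitions still carrying the old DNS name in servicePrincipalName, dNSHostName or msDS-AdditionalDnsHostName. It assumes the ActiveDirectory module and the names olddomain.lan / newdomain.lan used in the post. The DC's own server object (under CN=Sites in the configuration partition) has a dNSHostName of its own, so both naming contexts are searched. Keep in mind that a DC re-registers its own SPNs and dNSHostName automatically, so values fixed by hand with setspn can be rewritten; the 1224 event above is that automatic update reporting access denied.

```powershell
# Added example; not from the original post. Assumes the ActiveDirectory module and the
# old/new DNS names from the post (olddomain.lan -> newdomain.lan).
Import-Module ActiveDirectory

function Find-StaleDnsDomainReferences {
    param(
        [Parameter(Mandatory)][string]$OldDnsName   # e.g. 'olddomain.lan'
    )
    $rootDse = Get-ADRootDSE
    # Computer objects live in the domain partition; the DC's server object and NTDS
    # settings live in the configuration partition. Search both.
    $searchBases = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

    # Substring filters. $OldDnsName is expected to be a plain DNS name; the LDAP filter
    # metacharacters ( ) * \ would need escaping if they could ever appear in it.
    $filter = "(|(servicePrincipalName=*$OldDnsName*)" +
              "(dNSHostName=*.$OldDnsName)" +
              "(msDS-AdditionalDnsHostName=*.$OldDnsName))"

    foreach ($base in $searchBases) {
        Get-ADObject -LDAPFilter $filter -SearchBase $base `
            -Properties 'servicePrincipalName', 'dNSHostName', 'msDS-AdditionalDnsHostName' |
        ForEach-Object {
            $staleSpns = @($_.servicePrincipalName | Where-Object { $_ -like "*$OldDnsName*" })
            [pscustomobject]@{
                Partition         = $base
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                dNSHostName       = $_.dNSHostName
                StaleSpnCount     = $staleSpns.Count
                StaleSpns         = ($staleSpns -join '; ')
            }
        }
    }
}

Find-StaleDnsDomainReferences -OldDnsName 'olddomain.lan' | Format-List
```

Running it against the forest after rendom /end shows at a glance which objects (the DC1 computer object in the listing above, but possibly also its server object, service accounts and other hosts) still reference the old name, which is the list to work through before trying the new DC promotion again.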

AD Authentication Too Slow With Required Ports Open


Hi,

I have a server (2008 R2) in the DMZ network, and the domain controller (also 2008 R2) is sitting in the internal network. There is no domain or domain controller in the DMZ network, only one domain in the internal network. The server in the DMZ is a domain member. I opened all the necessary ports through the firewall mentioned in the article below:

http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

When I use domain credentials to log on to the server in the DMZ, it successfully logs in but takes about 5 minutes for the logon process to complete! As a test, I opened ANY (all ports), and then logon takes only a few seconds (normal time).

Can someone tell me what the reason is? Is the above-mentioned article missing ports that should also be opened?

Thanks





event 5805


Hi,

I have a new VM server set up as a DC.

ask your advice!


Hi,

We have Windows 2003 & Windows 2008 R2 DNS servers. I just checked DNS dynamic updates, which all have fixed time stamps such as 12:00 AM, 1:00 PM, 2:00 PM etc. Is this normal? Even after ipconfig /registerdns, the time stamps still show fixed times???

thank you for your help! 

AD DS 2012 R2 and Exchange 2003


First, yes I understand that Exchange 2003 is no longer supported. :) However, in the real world there are still companies running Exchange 2003 in production. Hopefully not for long.

The client I am at is in the middle of an Exchange 2003 to O365 migration. They are a few months from wrapping the project up. I am in the middle of doing an Active Directory upgrade from 2003 functional level to 2012 R2. Currently all their domain controllers in the forest that Exchange is in are running Windows 2003, and of course it is set at 2003 functional level. They had a few NT 4.0 domains left that we finally decommissioned during this project. Yuck!

My question is: I have read that Exchange 2003 isn't supported with 2012 R2 domain controllers. However, I cannot find what will happen if we start to introduce 2012 R2 domain controllers. The plan is to bring up all of the DCs and then cut over to 2012 R2 functional level.

Does anyone have or know what exactly will happen if we go ahead with deploying 2012 R2 domain controllers? I can't find any information documented except that it isn't supported. We have other projects waiting on the AD upgrade to be complete and can't wait for the O365 project to be completed.


Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

DCPromo error: The wizard cannot gain access to the list of domains in the forest


Hello folks,

I can't promote a member server to be a DC. This server was not even able to be added to the domain. I got that taken care of by offline join (djoin). I'm able to ping/nslookup any other DC, DNS server, domain name, forest name, etc.

Please see the C:\Windows\debug\dcpromoui.log and the screenshot

dcpromoui 810.E14 0000 14:49:10.837 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 810.E14 0001 14:49:10.837 C:\Windows\system32\wsmprovhost.exe
dcpromoui 810.E14 0002 14:49:10.837 file timestamp 08/22/2013 04:03:07.107
dcpromoui 810.E14 0003 14:49:10.838 C:\Windows\system32\dcpromocmd.dll
dcpromoui 810.E14 0004 14:49:10.838 file timestamp 11/03/2014 09:01:41.277
dcpromoui 810.E14 0005 14:49:10.838 local time 11/05/2014 14:49:10.838
dcpromoui 810.E14 0006 14:49:10.838 running Windows NT 6.3 build 9600  (BuildLab:9600.winblue_r3.140827-1500) amd64
dcpromoui 810.E14 0007 14:49:10.838 logging flags 0001007C
dcpromoui 810.E14 0008 14:49:10.838 Enter GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 0009 14:49:10.838   START TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 000A 14:49:10.838   Enter Computer::RemoveLeadingBackslashes 
dcpromoui 810.E14 000B 14:49:10.838   Using empty constructor
dcpromoui 810.E14 000C 14:49:10.838   Enter Computer::Refresh
dcpromoui 810.E14 000D 14:49:10.838     Enter IsLocalComputer
dcpromoui 810.E14 000E 14:49:10.838     Enter RefreshLocalInformation
dcpromoui 810.E14 000F 14:49:10.838     Enter GetProductTypeFromRegistry
dcpromoui 810.E14 0010 14:49:10.838       Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 810.E14 0011 14:49:10.838       Enter RegistryKey::GetValue-String ProductType
dcpromoui 810.E14 0012 14:49:10.838       ServerNT
dcpromoui 810.E14 0013 14:49:10.839       prodtype : 0x3
dcpromoui 810.E14 0014 14:49:10.839     Enter GetSafebootOption
dcpromoui 810.E14 0015 14:49:10.839       Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 810.E14 0016 14:49:10.839       HRESULT = 0x80070002
dcpromoui 810.E14 0017 14:49:10.839       returning : 0x0
dcpromoui 810.E14 0018 14:49:10.839     Enter DetermineRoleAndMembership
dcpromoui 810.E14 0019 14:49:10.839       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 001A 14:49:10.839         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 810.E14 001B 14:49:10.839           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 001C 14:49:10.839           lpServer  : (null)
dcpromoui 810.E14 001D 14:49:10.839           InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 810.E14 001E 14:49:10.839           HRESULT = 0x00000000
dcpromoui 810.E14 001F 14:49:10.839         MachineRole      : 0x3
dcpromoui 810.E14 0020 14:49:10.839         Flags            : 0x1000000
dcpromoui 810.E14 0021 14:49:10.839         DomainNameFlat   : Houston
dcpromoui 810.E14 0022 14:49:10.839         DomainNameDns    : Houston.contoso.com
dcpromoui 810.E14 0023 14:49:10.839         DomainForestName : contoso.com
dcpromoui 810.E14 0024 14:49:10.839       Enter IsDcInRepairMode
dcpromoui 810.E14 0025 14:49:10.839   HRESULT = 0x00000000
dcpromoui 810.E14 0026 14:49:10.839   Enter State::DetermineRunContext
dcpromoui 810.E14 0027 14:49:10.839     Enter DS::GetPriorServerRole
dcpromoui 810.E14 0028 14:49:10.839       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 0029 14:49:10.839         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 810.E14 002A 14:49:10.839           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 002B 14:49:10.839           lpServer  : (null)
dcpromoui 810.E14 002C 14:49:10.839           InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 810.E14 002D 14:49:10.840           HRESULT = 0x00000000
dcpromoui 810.E14 002E 14:49:10.840         OperationState      : 0
dcpromoui 810.E14 002F 14:49:10.840         PreviousServerState : 0
dcpromoui 810.E14 0030 14:49:10.840     Enter Computer::GetNetbiosName
dcpromoui 810.E14 0031 14:49:10.840       USSLCRODC101
dcpromoui 810.E14 0032 14:49:10.840     Enter Computer::GetRole USSLCRODC101
dcpromoui 810.E14 0033 14:49:10.840       role: 3
dcpromoui 810.E14 0034 14:49:10.840     NT5_MEMBER_SERVER
dcpromoui 810.E14 0035 14:49:10.840   Enter State::GetRunContext NT5_MEMBER_SERVER
dcpromoui 810.E14 0036 14:49:10.840   Enter FS::GetPathSyntax C:\Windows\system32
dcpromoui 810.E14 0037 14:49:10.840   HRESULT = 0x00000000
dcpromoui 810.E14 0038 14:49:10.840   Enter State::SetMode STAGETWO
dcpromoui 810.E14 0039 14:49:10.840   Enter State::SetOperation REPLICA
dcpromoui 810.E14 003A 14:49:10.840   Enter GetCredentialsFunctInternal
dcpromoui 810.E14 003B 14:49:10.840     Enter ShouldSkipCredentialsPage
dcpromoui 810.E14 003C 14:49:10.840       Enter State::GetOperation REPLICA
dcpromoui 810.E14 003D 14:49:10.840     using empty user domain name
dcpromoui 810.E14 003E 14:49:10.840     Enter State::GetOperation REPLICA
dcpromoui 810.E14 003F 14:49:10.840     Enter GetForestName Houston.contoso.com
dcpromoui 810.E14 0040 14:49:10.840       Enter MyDsGetDcName
dcpromoui 810.E14 0041 14:49:10.840         Enter MyDsGetDcName2
dcpromoui 810.E14 0042 14:49:10.840           Calling DsGetDcName
dcpromoui 810.E14 0043 14:49:10.840           ComputerName : (null)
dcpromoui 810.E14 0044 14:49:10.840           DomainName   : Houston.contoso.com
dcpromoui 810.E14 0045 14:49:10.840           DomainGuid   : (null)
dcpromoui 810.E14 0046 14:49:10.840           SiteName     : (null)
dcpromoui 810.E14 0047 14:49:10.840           Flags        : 0x40000000
dcpromoui 810.E14 0048 14:49:10.841           HRESULT = 0x00000000
dcpromoui 810.E14 0049 14:49:10.842           DomainControllerName    : \\USHOUDC100.Houston.contoso.com
dcpromoui 810.E14 004A 14:49:10.842           DomainControllerAddress : \\10.131.18.10
dcpromoui 810.E14 004B 14:49:10.842           DomainGuid              : {DD7C193F-9912-4E8F-A310-EA750D8329D4}
dcpromoui 810.E14 004C 14:49:10.842           DomainName              : Houston.contoso.com
dcpromoui 810.E14 004D 14:49:10.842           DnsForestName           : contoso.com
dcpromoui 810.E14 004E 14:49:10.842           Flags                   : 0xE000F1FD:
dcpromoui 810.E14 004F 14:49:10.842           DcSiteName              : USHouston
dcpromoui 810.E14 0050 14:49:10.842           ClientSiteName          : USSaltLakeCity
dcpromoui 810.E14 0051 14:49:10.842     using forest name contoso.com
dcpromoui 810.E14 0052 14:49:10.842     Enter State::GetOperation REPLICA
dcpromoui 810.E14 0053 14:49:10.842     Enter State::SetForestName contoso.com
dcpromoui 810.E14 0054 14:49:10.842     Enter State::SetTargetDomainName Houston.contoso.com
dcpromoui 810.E14 0055 14:49:10.842     Enter CheckUserIsLocal
dcpromoui 810.E14 0056 14:49:10.842     Enter State::GetOperation REPLICA
dcpromoui 810.E14 0057 14:49:10.842     Enter State::ReadDomains
dcpromoui 810.E14 0058 14:49:10.842       Enter State::GetTargetDomainName
dcpromoui 810.E14 0059 14:49:10.842         Enter State::GetOperation REPLICA
dcpromoui 810.E14 005A 14:49:10.842         target domain name: Houston.contoso.com
dcpromoui 810.E14 005B 14:49:10.842       Enter CDomains::ReadDomains
dcpromoui 810.E14 005C 14:49:10.842         Enter MyDsEnumerateDomainTrusts
dcpromoui 810.E14 005D 14:49:10.842           Enter GetDcName
dcpromoui 810.E14 005E 14:49:10.842             Enter GetDcName2
dcpromoui 810.E14 005F 14:49:10.842               Enter MyDsGetDcName2
dcpromoui 810.E14 0060 14:49:10.842                 Calling DsGetDcName
dcpromoui 810.E14 0061 14:49:10.842                 ComputerName : (null)
dcpromoui 810.E14 0062 14:49:10.842                 DomainName   : Houston.contoso.com
dcpromoui 810.E14 0063 14:49:10.842                 DomainGuid   : (null)
dcpromoui 810.E14 0064 14:49:10.842                 SiteName     : (null)
dcpromoui 810.E14 0065 14:49:10.842                 Flags        : 0x40000011
dcpromoui 810.E14 0066 14:49:11.020                 HRESULT = 0x00000000
dcpromoui 810.E14 0067 14:49:11.020                 DomainControllerName    : \\ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0068 14:49:11.020                 DomainControllerAddress : \\10.131.18.12
dcpromoui 810.E14 0069 14:49:11.020                 DomainGuid              : {DD7C193F-9912-4E8F-A310-EA750D8329D4}
dcpromoui 810.E14 006A 14:49:11.020                 DomainName              : Houston.contoso.com
dcpromoui 810.E14 006B 14:49:11.020                 DnsForestName           : contoso.com
dcpromoui 810.E14 006C 14:49:11.020                 Flags                   : 0xE000F1FC:
dcpromoui 810.E14 006D 14:49:11.020                 DcSiteName              : USHouston
dcpromoui 810.E14 006E 14:49:11.020                 ClientSiteName          : USSaltLakeCity
dcpromoui 810.E14 006F 14:49:11.020               Enter Computer::RemoveLeadingBackslashes \\ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0070 14:49:11.020               ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0071 14:49:11.020           Enter AutoWNetConnection::Init
dcpromoui 810.E14 0072 14:49:11.020             Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 810.E14 0073 14:49:11.020             The current user security context is being used therefore there is no need to establish a connection.
dcpromoui 810.E14 0074 14:49:11.020             HRESULT = 0x00000000
dcpromoui 810.E14 0075 14:49:11.920           NetStatus = 1722
dcpromoui 810.E14 0076 14:49:11.920           Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 810.E14 0077 14:49:11.920           HRESULT = 0x800706BA
dcpromoui 810.E14 0078 14:49:11.920         HRESULT = 0x800706BA
dcpromoui 810.E14 0079 14:49:11.920         HRESULT = 0x800706BA
dcpromoui 810.E14 007A 14:49:11.920     failed trying to read domains, returned 0x800706BA
dcpromoui 810.E14 007B 14:49:11.921     Enter GetErrorMessage 800706BA
dcpromoui 810.E14 007C 14:49:11.921   GetExistingAccountForComputerInReplicaDomain error message: The wizard cannot gain access to the list of domains in the forest.

This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171

The error is:
The RPC server is unavailable.

dcpromoui 810.E14 007D 14:49:11.921   Test Failed
dcpromoui 810.E14 007E 14:49:11.921   GetExistingAccountForComputerInReplicaDomain returns exit code: 26
dcpromoui 810.E14 007F 14:49:11.921   END TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 0080 14:49:11.921   Enter State::UnbindFromReplicationPartnetDC
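Both the slow DMZ logon above (AD Authentication Too Slow With Required Ports Open) and this dcpromoui failure, where DsEnumerateDomainTrusts against ushoudc102 returns NetStatus 1722 (RPC_S_SERVER_UNAVAILABLE, 0x800706BA, "The RPC server is unavailable"), come down to the same question: which of the ports a domain member needs on a DC are actually reachable through the firewall? The probe below is an added example, not from either post; it assumes a domain-joined Windows client with PowerShell 3.0 or later and uses the DC name from the log as a placeholder. A connection that times out ("Filtered") points at a firewall, whereas an actively refused one means the host answered but nothing is listening on that port.

```powershell
# Added example; not from either post. Placeholder target: the DC named in the dcpromoui log.
function Test-DcPortReachability {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        # Fixed TCP ports a member uses against a DC: DNS, Kerberos, RPC endpoint mapper,
        # NetBIOS session, LDAP, SMB (Netlogon pipe / Group Policy), Kerberos password
        # change, LDAPS, Global Catalog and GC over SSL.
        [int[]]$TcpPorts = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269),
        [int]$TimeoutMs = 2000
    )
    foreach ($port in $TcpPorts) {
        # A raw TcpClient with our own timeout fails fast on silently dropped packets
        # instead of waiting for the OS connect timeout on every blocked port.
        $client = New-Object System.Net.Sockets.TcpClient
        $status = 'Filtered'   # no SYN-ACK and no RST within the timeout
        try {
            $async = $client.BeginConnect($DomainController, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $status = 'Open'
            }
        } catch {
            # PowerShell wraps .NET exceptions; walk to the innermost one to read the socket error.
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.Net.Sockets.SocketException] -and $ex.SocketErrorCode -eq 'ConnectionRefused') {
                $status = 'Refused'          # host reachable, nothing listening on this port
            } else {
                $status = "Error: $($ex.Message)"
            }
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ DomainController = $DomainController; Port = $port; Status = $status }
    }
}

Test-DcPortReachability -DomainController 'ushoudc102.Houston.contoso.com' |
    Where-Object { $_.Status -ne 'Open' }
```

The fixed ports are only half of the picture. RPC-based calls such as DsEnumerateDomainTrusts, Netlogon over RPC and directory replication first contact the endpoint mapper on TCP 135 and are then redirected to a port in the dynamic RPC range, which on Windows Server 2008 and later defaults to TCP 49152-65535 (or whatever was set with netsh int ipv4 set dynamicport tcp on the DC; netsh int ipv4 show dynamicport tcp displays it). A firewall that permits 135 but not that range produces exactly this 1722 error even though every port in the list above is open; portqry -n <dc> -e 135 lists the endpoints and ports the DC is currently advertising so that the rule can be checked against them. Kerberos, DNS and NTP also use UDP 88, 53 and 123, which a TCP connect probe cannot verify.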

USN rollback


Hi, I am facing an issue with a restored AD 2012 DC which was restored using non-AD-aware backup software.

The DC suffered a USN rollback. All the information says that it is best to demote the DC.

When trying to demote the DC I get an "access is denied" message.

dcdiag shows umpteen errors; all I want to do is get the DC demoted.

I have unchecked the "remove from accidental deletion" box in Sites and Services and in Users and Computers.

Any ideas, guys?

Thanks


Service fails to start, error 1297 and 7000


I have a lab configured with a single domain controller and one client server.  Both servers are Windows Server 2008 R2 Standard and the functional level of the domain is Windows Server 2008 R2.  After I promoted the domain controller, I did not make any changes to the default domain policy GPO.  My problem is this:  I created a Managed Service Account and a regular user account and tried to use both of these accounts as logon accounts for the "Disk Defragmenter" service on my client server and domain controller.  Each time it failed with the following error:

In the system event log:

I also tried moving the client server into a custom OU and blocked inheritance of all parent GPOs, but this did not work either...same error.

I'm assuming the problem lies with the Default Domain group policy and Default Domain Controllers group policy, I'm just not sure which setting.  I'm at a complete loss, so any help is greatly appreciated.

jason


UPDATE:  after further testing, I am receiving the same errors even when the server is not joined to a domain.  After a fresh install of Windows Server 2008 R2, I created a local user and used that account as the logon account for several services. When I started the services, I received the same error.

Setting up second Active Directory controller at remote office


I need to set up an Active Directory controller at a remote office over VPN. Right now there is one primary DC at the main site, and I need to set up the new secondary DC at a new site. Are there any instructions or steps on setting up an additional site to add a second domain controller? The new server is 2012 R2. The original server is 2007 Datacenter.


Domain Functional Level: 2008 R2 to 2012 R2


My current forest and domain functional levels are 2008 R2. I know I can safely upgrade the functional levels in most cases, but I want to specifically know with regards to Lync.

Our entire environment, including Lync, is running on Windows Server 2012 R2. (We have no domain joined clients.)

Can I safely raise the forest and domain functional levels to 2012 R2 without impacting Lync?

Strange Behavior with gMSA in Server 2012 R2


Greetings,

I have been doing some testing with gMSA Accounts in a Server 2012 R2 environment (two separate environments, actually), and I have noticed something very strange that occurred in both environments, which does not appear to be occurring in one of our customer's self-managed environments.

We created a Group Managed Service Account using the following article: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Everything went smoothly, and the account installs/tests successfully on both of the hosts that we are testing on. I am able to set my services to run under the account, and most of them appear to work fine. I am having some issues with a few of my services, and I believe that the strange behavior I am seeing may have something to do with this - described below: 

As soon as I set the service's Log On Account (via the Log On Tab under the Service's Properties), the entirety of the "Log On" tab changes to "greyed out," and I am unable to change the Log On account back via the GUI (Screenshot attached).

I found that I am able to successfully change the account via the command line using sc.exe, but the Log On tab remains greyed out! So far, I have found nothing to remedy this, but I confirmed that it happens for any service I set to use the gMSA as the logon account, and that it happens in 2 separate test environments, but not in a customer's production environment - very strange.

All servers in this environment are running Server 2012 R2, and domain Functional Level is currently Server 2012.

I have been unable to find any information online about this behavior, so I am hoping someone has seen this before, and can explain why this is happening.

Nick


Implementing CNAME www.google.com pointing to nosslsearch.google.com without making DNS server authoritative for google.com domain?


Google has made my life somewhat difficult lately by encrypting everything if you are logged into a Google account or using encrypted.google.com.  The SSL encryption causes my URL and network application filtering appliance to fail miserably at blocking certain types of material that comes up in Google searches that it would normally block on an unencrypted connection.

I have discovered that Google provides a method of forcing Google searches to be unencrypted. That solution can be seen at the following link:  http://support.google.com/websearch/bin/answer.py?hl=en&answer=173733.

Part of the solution is to create a CNAME record "www.google.com" that points to “nosslsearch.google.com”; however, I am having trouble figuring out how to successfully accomplish this. If they have their own article on the specific implementation of this record, I have not been able to locate it.

I have a Windows Server 2008 R2 Active Directory forest, with all domain controllers also acting as DNS servers (AD integrated). My understanding is that if I attempt to add a forward lookup zone “google.com” and add the desired CNAME record, my internal DNS servers become authoritative for the google.com domain name. Basically, absent any other resource records in the google.com forward lookup zone in our internal DNS servers, DNS requests for other hosts or subdomains in the google.com domain would simply fail. Examples would be Google Docs and Gmail, which are docs.google.com and mail.google.com, respectively.

Is there some way to configure a Windows Server 2008 R2 SP1 DNS server so that it contains the desired CNAME record but forwards other DNS lookup requests for other hosts/subdomains for google.com to the configured forwarding servers (or at least to the nameservers listed for google.com)?

Does Outgoing Trust creation need access to PDC role in the specified (or target) Forest between 2008 R2 Forests?


Hi,

I'm creating an outgoing transitive trust between two 2008 R2 forests, and the firewalls are open to DCs in the target forest, but they are not open to the DC which holds the PDC role. Does successful trust creation require that the DC with the PDC role in the source domain directly communicate with the DC with the PDC role in the target domain? Put differently, is it sufficient if the DC with the PDC role in the source domain directly communicates with any DC in the target domain which does not hold the PDC role, or any role?

Thanks in advance.


Thanks for your help! SdeDot

Windows Server Access Control

Windows Server manages access control through DAC and MAC. What can be the possible reasons for using DAC and MAC and not using RBAC?