Channel: Directory Services forum

New remote Domain controller options


Hi, I have been working with AD / DCs for a year in a small single-site environment with 2 DCs.

A remote office of ours has recently expanded and is now requesting a domain controller to be operational onsite.

The users currently connect to our domain via a VPN that's permanently connected, so they can access domain shares and resources.

What are the benefits of setting up a domain controller on their site, and what would be the best configuration so I can ensure nothing is done that could affect the domain in our main site and potentially bring down the network?

I have found a few bits, but does anyone have any advice or good articles they could point me to?

Many thanks



An Active Directory Domain Controller for the domain cannot be contacted


Hello. I have a system down situation.

We had our Windows Server 2003 domain controller die. We replaced the drive and reinstalled the OS. I created a domain based on the name the workstations (Windows 7) had: <name>.local.

I log into the workstation as local administrator and remove it from the domain. Reboot, then try to add it to the domain with <name>.local. The workstation throws the error "An Active Directory Domain Controller for the domain <name>.local cannot be contacted."

The workstations have internet access. DHCP and DNS are being provided by the Firewall and I can resolve espn.com fine.

I can ping the Domain Server by name and by IP. However, I cannot get the workstations to connect to the domain. I REALLY could use some help on this one.

Thanks!


Sean



DC connectivity to FSMO servers


What are the best practices for DCs and their connectivity to the FSMO servers?

PDC and RID connectivity seem to be a must, but what about the other roles? I know some functionality may be hampered, but is it acceptable? Or do all DCs need to be able to reach all the FSMOs?

ADFS 2.0 and Update-MSOLFederatedDomain


We have an ADFS 2.0 configuration with a relying party trust to O365.

We want to move this relying party trust to another third-party product. Now we have a problem with the PowerShell command

Update-MSOLFederatedDomain.

Without running that command everything is working fine! When running the command Get-MsolDomainFederationSettings -DomainName domain_name the right settings are shown. After running the command Update-MSOLFederatedDomain the old ADFS settings are back.

My question is: which data is the command "Update-MSOLFederatedDomain" reading from, and how can I delete these settings?

Best regards

NSLOOKUP problem


Hi,

The DNS settings on all my PCs have been changed automatically.

When I use NSLOOKUP it gives me the output below.

nslookup

Default Server: <Unknown Computer name>

Address: fe80::f0b7:52ac:ec4b:b4a6

If I uncheck IPv6 in the network properties it works, but this happened suddenly; a short while before this it was working.

Please suggest how to check the logs for this and find the cause.


Subs

Change to FSMO roles not replicated to some servers.


Hi, we have a mixed set up of Windows 2003, Windows 2008 and Windows 2008R2 servers. Recently I installed a new server in London as a 2008R2 server, call it Ldn1, and used ADUC to transfer the FSMO roles from the older 2008 server (Ldn2). On the new server ADUC was definitely showing the new server as holding the roles so I ran dcpromo on Ldn2 and demoted it and then removed it from the domain. The server has been physically reconfigured now and so there is no chance of reconnecting it. This was a couple of weeks ago.

Following some other issues I have been doing some digging and have found that two servers had some replication issues and they both still think that the FSMO roles are held by Ldn2 rather than Ldn1.

My question really is what is the best way to proceed? Should I be concentrating on sorting out the replication problems and hope that that will update the FSMO information on the two affected DCs?

I know I can transfer the roles onto another server but the only other candidates are the two servers which think the current role holder is offline.

The other issue is that I recently installed a new Exchange 2007 SP3 server which made changes to the schema and that is on the same site as the correct FSMO role holder and so I would imagine that the schema changes have been made on Ldn1. If I seize the roles to one of the two affected sites I would be concerned that I would lose or mess up these schema changes.

Thanks for any assistance and I apologise in advance if I sound like a total numpty, AD & Replication has always been my weak point.

Regards, Eddie


"Object Picker cannot open because no locations from which to choose objects can be found"


Hi,

When I try in AD management console in the domain controller to add a new group for a user I get the following error:

"Object Picker cannot open because no locations from which to choose objects can be found" error message when you try to select objects from an Active Directory domain in Windows 2000

Our domain controller is a W2000 cluster (two W2000 Advanced Server machines) and this happens on one of the nodes of the controller, while on the other node it works well (the difference between them is that the node where it fails has the resources: print, file sharing and quorum services). Both nodes of the controller have the Remote Registry service disabled; on the node where it fails, when you start this service it works well, but I don't think this is the reason, because on the other node it works with the Remote Registry service disabled. Solutions from the following support articles don't work:

kb 263231

kb 284914

I have checked that the situation is independent of the domain administrator who tries to add the group to the user.

Can anybody help me? What is the reason for this different behaviour from one cluster node to another?

Thanks.

DFS Replication Event ID: 5014


The DFS Replication service is stopping communication with partner server-adc-01 for replication group domain system volume due to an error. The service will retry the connection periodically.

Additional Information :

Error : 1726 (The remote procedure call failed.)

Connection ID : 5F9FDE82-F535-4579-836C-7C9E90C5A863

Replication group ID : 4672CE10-6D18-4688-9ABA-8FF674EA9B88

Please advise on the above.



Domain Functional Level: 2008 R2 to 2012 R2


My current forest and domain functional levels are 2008 R2. I know I can safely upgrade the functional levels in most cases, but I want to specifically know with regards to Lync.

Our entire environment, including Lync, is running on Windows Server 2012 R2. (We have no domain joined clients.)

Can I safely raise the forest and domain functional levels to 2012 R2 without impacting Lync?

Active Directory Disable users.


I want to sort out those users who have not logged in to AD or to email within a 90-day period. But the problem is that we have a mixed environment; most of the users are not on the domain (workstation users, but they have an email ID).

Is there any script or process to sort out both kinds of users, domain and non-domain users?
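One way to build such a report, as an added example rather than anything from the original post: a user is flagged only when both the domain logon and the mailbox logon are older than 90 days, which is what makes it usable for the "workstation users with an email ID" case. It assumes the RSAT ActiveDirectory module is loaded and the script runs in an Exchange Management Shell (Exchange 2007 or later) so Get-Mailbox and Get-MailboxStatistics exist; $ReportPath is a placeholder.

```powershell
# Added example (not from the forum post): report users inactive for 90 days in
# BOTH Active Directory and their Exchange mailbox.
# Assumptions: ActiveDirectory module + Exchange Management Shell; $ReportPath is a placeholder.

$Days       = 90
$Cutoff     = (Get-Date).AddDays(-$Days)
$ReportPath = 'C:\Temp\inactive-users.csv'

# --- 1. AD side. lastLogonTimestamp is replicated, so querying one DC is enough, but it
# is only refreshed when the stored value is roughly 14 days old: treat it as a lower
# bound on inactivity, not an exact last-logon time. Accounts that never logged on have
# no value at all, so they are matched with -notlike '*'.
$CutoffFileTime = $Cutoff.ToFileTime()
$adFilter = "Enabled -eq 'True' -and " +
            "(LastLogonTimeStamp -lt $CutoffFileTime -or LastLogonTimeStamp -notlike '*')"
$adStale = Get-ADUser -Filter $adFilter -Properties LastLogonDate, mail, whenCreated |
    Where-Object { $_.whenCreated -lt $Cutoff }   # skip accounts newer than the window

$adIndex = @{}
foreach ($u in $adStale) { $adIndex[$u.SamAccountName] = $u }

# --- 2. Mailbox side. LastLogonTime records any mailbox logon (Outlook, OWA,
# ActiveSync, delegates), so a workstation user who never logs on to the domain but
# reads mail every day is NOT flagged, because step 2 removes them again.
$mailboxes   = Get-Mailbox -ResultSize Unlimited
$mailboxSams = @{}
$results = foreach ($mbx in $mailboxes) {
    $sam = $mbx.SamAccountName
    $mailboxSams[$sam] = $true
    if (-not $adIndex.ContainsKey($sam)) { continue }        # recent AD logon: keep user

    $stats    = Get-MailboxStatistics -Identity $mbx.Identity -ErrorAction SilentlyContinue
    $lastMail = if ($stats) { $stats.LastLogonTime } else { $null }
    if ($lastMail -and $lastMail -ge $Cutoff) { continue }   # mailbox in use: keep user

    [pscustomobject]@{
        SamAccountName = $sam
        Mail           = $mbx.PrimarySmtpAddress.ToString()
        LastADLogon    = $adIndex[$sam].LastLogonDate        # $null = never
        LastMailLogon  = $lastMail                           # $null = never
        Source         = 'AD+Mailbox'
    }
}

# --- 3. Domain-only accounts (no mailbox): stale AD logon is the only signal available.
$domainOnly = $adStale | Where-Object { -not $mailboxSams.ContainsKey($_.SamAccountName) } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Mail           = $_.mail
            LastADLogon    = $_.LastLogonDate
            LastMailLogon  = $null
            Source         = 'AD only'
        }
    }

@($results) + @($domainOnly) | Sort-Object LastADLogon | Export-Csv $ReportPath -NoTypeInformation

# Review the CSV, then disable rather than delete; drop -WhatIf once the list is confirmed.
Import-Csv $ReportPath | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Service accounts and shared mailboxes will show up as stale AD logons, so the review step before disabling is not optional.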

We're running Windows Server 2003 32-bit and want to migrate to Windows Server 2012 R2 64-bit; can someone provide a step-by-step procedure on how to migrate instances on ADAM to AD LDS?


I have no experience in dealing with servers, but my senior has asked me to investigate how to migrate instances on ADAM (Windows Server 2003 32-bit) to AD LDS (Windows Server 2012 R2 64-bit), as an in-place upgrade is not an option because we're running a 32-bit server and want to migrate to a 64-bit server. Can someone please give me a walkthrough on how to do this?

Thanks in advance.

Outlook Password Prompt for Shared Mailbox for Exchange Online


I am in the middle of a Hybrid migration to Office 365 from a 2007 Exchange server with a 2013 server acting as the Hybrid.

All of my users that have shared mailboxes are being asked to enter a password for the shared mailbox.

I have already gone through the steps outlined in a similar post:
http://community.office365.com/en-us/f/158/t/186497.aspx

  • I have tried disabling automapping and manually adding the shared mailbox. The password prompt still pops up periodically.
  • I have cleared all cached credentials, and also manually added some for testing purposes.
  • I checked the connection status of Outlook and confirmed that both the user mailboxes, and the Shared mailbox's connection status are "Established"

Of note with my troubleshooting:

  • This does not happen to users that are on Outlook 2010.
  • This only happens to users that are on Outlook 2013.
  • This does not happen to users that are outside the office.
  • This does not happen if I change the DNS server to an external DNS

Obviously, this is some sort of strange DNS issue. However, I can't pinpoint it.

I have a hybrid configuration, so I am assuming that it has something to do with the on-premise exchange server. What I do not know is why it will connect to Exchange online, and then come back and prompt all because of DNS.

I started the thread below on the Office 365 forum, and I was directed here.
http://community.office365.com/en-us/f/158/t/275312.aspx

AD Security Events


Hi All,

I have enabled Directory Service auditing in the environment; there is a security event log entry 5136 (Directory Service change).

When, as an example, I change the user's Manager field from the AD side, there are two events (5136) created in the Security log of this DC (one for the old Manager value and another for the new Manager value).

When I do the same from the Exchange Server side, there are two events (5136) created on the connected DC (one for the old Manager value, but the other event has an empty value for the new Manager value).

So does anyone have an explanation for this?

Domain Controller Demotion always hangs


In our environment we have 6 read/write domain controllers and many read-only domain controllers. Recently I have noticed that every time we demote a server the demotion process hangs. It looks to have removed the read-only domain controller, but the promotion always seems to hang at this point.

Any insight to what could be causing this would be appreciated. 

The following logs may help identify the problem.

DCPROMO.txt

10/03/2014 09:54:41 [INFO] Request for demotion of domain controller
10/03/2014 09:54:41 [INFO] DnsDomainName  (NULL)
10/03/2014 09:54:41 [INFO] ServerRole  1
10/03/2014 09:54:41 [INFO] Account (NULL)
10/03/2014 09:54:41 [INFO] Options  128
10/03/2014 09:54:41 [INFO] LastDcInDomain  FALSE
10/03/2014 09:54:41 [INFO] Forced Demote  FALSE
10/03/2014 09:54:41 [INFO] Stage 2 only   FALSE
10/03/2014 09:54:41 [INFO] Start the worker task
10/03/2014 09:54:41 [INFO] Request for demotion returning 0
10/03/2014 09:54:41 [INFO] Reading domain policy from the local machine
10/03/2014 09:54:41 [INFO] Searching for a domain controller for the domain DPI.NSW.GOV.AU
10/03/2014 09:54:41 [INFO] Searching for a domain controller for the domain DPI.NSW.GOV.AU that contains the account WGONFP1$
10/03/2014 09:54:41 [INFO] Located domain controller ORANDC1.DPI.NSW.GOV.AU for domain DPI.NSW.GOV.AU
10/03/2014 09:54:41 [INFO] Support Dc in DPI.NSW.GOV.AU is ORANDC1.DPI.NSW.GOV.AU
10/03/2014 09:54:41 [INFO] Located domain controller ORANDC1.DPI.NSW.GOV.AU for domain DPI.NSW.GOV.AU
10/03/2014 09:54:43 [INFO] Preparing the directory service for demotion
10/03/2014 09:54:47 [INFO] Started system volume demotion on enterprise
10/03/2014 09:54:47 [INFO] Read the LSA policy information from the local machine
10/03/2014 09:54:47 [INFO] Informed NETLOGON to deregister records
10/03/2014 09:54:47 [INFO] Stopping service NETLOGON
10/03/2014 09:54:49 [INFO] Configuring service NETLOGON to 1 returned 0
10/03/2014 09:54:49 [INFO] Stopped NETLOGON
10/03/2014 09:54:49 [INFO] Configuring service NTDS
10/03/2014 09:54:49 [INFO] Configuring service NTDS to 2112 returned 0
10/03/2014 09:54:49 [INFO] Stopping service IsmServ
10/03/2014 09:54:51 [INFO] Configuring service IsmServ to 577 returned 0
10/03/2014 09:54:51 [INFO] Stopping service kdc
10/03/2014 09:54:52 [INFO] Configuring service kdc to 65 returned 0
10/03/2014 09:54:52 [INFO] Stopping service NETLOGON
10/03/2014 09:54:52 [INFO] Configuring service NETLOGON to 273 returned 0
10/03/2014 09:54:52 [INFO] Configuring service NtFrs
10/03/2014 09:54:52 [INFO] Configuring service NtFrs to 2304 returned 0
10/03/2014 09:54:52 [INFO] Configuring service DFSR
10/03/2014 09:54:52 [INFO] Configuring service DFSR to 2304 returned 0
10/03/2014 09:54:52 [INFO] Configured domain controller services
10/03/2014 09:54:52 [INFO] Uninstalling the Directory Service
10/03/2014 09:54:52 [INFO] Invoking NtdsDemote
10/03/2014 09:54:52 [INFO] Preparing the security account manager (SAM) and Active Directory Domain Services for demotion...
10/03/2014 09:54:52 [INFO] Validating the removal of this Active Directory Domain Controller...
10/03/2014 09:54:52 [INFO] Authenticating supplied credentials
10/03/2014 09:54:52 [INFO] Creating new local account information...
10/03/2014 09:54:52 [INFO] Creating a new local security account manager (SAM) database...
10/03/2014 09:54:52 [INFO] Setting the new Local Security Authority (LSA) account information...
10/03/2014 09:54:52 [INFO] Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller ORANDC1.DPI.NSW.GOV.AU...
10/03/2014 09:54:58 [INFO] Removing LDAP and remote procedure call (RPC) access to Active Directory Domain Services...
10/03/2014 09:55:00 [INFO] Completing removal of Active Directory Domain Services, SAM and LSA...
10/03/2014 09:55:00 [INFO] NtdsDemote returned 0
10/03/2014 09:55:00 [INFO] DsRolepDemoteDs returned 0
10/03/2014 09:55:00 [INFO] This machine is no longer a domain controller
10/03/2014 09:55:01 [INFO] Successfully informed DNS Server to prepare for demotion
10/03/2014 09:55:04 [ERROR] Setting security on server files failed with 2

DCPROMOOUI.txt

Last log lines

dcpromoui 10EC.6F4 09AC 09:54:41.121     Enter Computer::IsDomainController WGONFP1
dcpromoui 10EC.6F4 09AD 09:54:41.121       Enter Computer::GetNetbiosName
dcpromoui 10EC.6F4 09AE 09:54:41.121         WGONFP1
dcpromoui 10EC.6F4 09AF 09:54:41.121       Enter Computer::GetRole WGONFP1
dcpromoui 10EC.6F4 09B0 09:54:41.121         role: 4
dcpromoui 10EC.6F4 09B1 09:54:41.121       is a domain controller
dcpromoui 10EC.6F4 09B2 09:54:41.121   Enter DoPreOperationStuffWithGUI
dcpromoui 10EC.6F4 09B3 09:54:41.121     Enter State::GetOperation DEMOTE
dcpromoui 10EC.6F4 09B4 09:54:41.121   Enter State::GetOperation DEMOTE
dcpromoui 10EC.6F4 09B5 09:54:41.121   Enter DS::DemoteDC
dcpromoui 10EC.6F4 09B6 09:54:41.121     Enter State::IsLastDCInDomain false
dcpromoui 10EC.6F4 09B7 09:54:41.121     Enter State::IsForcedDemotion false
dcpromoui 10EC.6F4 09B8 09:54:41.121     Enter State::GetAdminPassword
dcpromoui 10EC.6F4 09B9 09:54:41.121     Enter State::GetAppPartitionList
dcpromoui 10EC.6F4 09BA 09:54:41.121     Enter AllocateAppPartitionList
dcpromoui 10EC.6F4 09BB 09:54:41.121     Calling DsRoleDemoteDc
dcpromoui 10EC.6F4 09BC 09:54:41.121     lpServer               : (null)
dcpromoui 10EC.6F4 09BD 09:54:41.121     lpDnsDomainName        : (null)
dcpromoui 10EC.6F4 09BE 09:54:41.121     ServerRole             : DsRoleServerMember
dcpromoui 10EC.6F4 09BF 09:54:41.121     lpAccount              : (null)
dcpromoui 10EC.6F4 09C0 09:54:41.121     Options                : 0x80
dcpromoui 10EC.6F4 09C1 09:54:41.121     fLastDcInDomain        : false
dcpromoui 10EC.6F4 09C2 09:54:41.121     cRemoteNCs             : 0
dcpromoui 10EC.6F4 09C3 09:54:41.355     HRESULT = 0x00000000
dcpromoui 10EC.6F4 09C4 09:54:41.355     Enter DeallocateAppPartitionList
dcpromoui 10EC.6F4 09C5 09:54:41.355     Enter DoProgressLoop
dcpromoui 10EC.6F4 09C6 09:54:41.355       Enter State::GetOperation DEMOTE
dcpromoui 10EC.6F4 09C7 09:54:41.355       Enter ProgressDialog::UpdateButton 
dcpromoui 10EC.6F4 09C8 09:54:42.868       Enter ProgressDialog::UpdateText Located domain controller ORANDC1.DPI.NSW.GOV.AU for domain DPI.NSW.GOV.AU
dcpromoui 10EC.6F4 09C9 09:54:44.381       Enter ProgressDialog::UpdateText Preparing the directory service for demotion
dcpromoui 10EC.6F4 09CA 09:54:48.921       Enter ProgressDialog::UpdateText Stopping service NETLOGON
dcpromoui 10EC.6F4 09CB 09:54:50.434       Enter ProgressDialog::UpdateText Stopping service IsmServ
dcpromoui 10EC.6F4 09CC 09:54:51.947       Enter ProgressDialog::UpdateText Stopping service kdc
dcpromoui 10EC.6F4 09CD 09:54:53.460       Enter ProgressDialog::UpdateText Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller ORANDC1.DPI.NSW.GOV.AU...
dcpromoui 10EC.6F4 09CE 09:54:59.513       Enter ProgressDialog::UpdateText Removing LDAP and remote procedure call (RPC) access to Active Directory Domain Services...
dcpromoui 10EC.6F4 09CF 09:55:01.026       Enter ProgressDialog::UpdateText Completing removal of Active Directory Domain Services, SAM and LSA...

AD Domain name and DNS Zone name


I have a client who has an Active Directory domain, 'test.example.org', and an Active Directory integrated DNS zone, 'example.org', with a DNS domain 'test'.  The domain and DNS were set up this way ~15 years ago, when the domain was initially created.

As we have added newer domain controllers to the client's domain, I have had problems with DNS during DC promotion.  Namely, I get the "DNS cannot be installed on this domain controller because this domain does not host DNS" error, despite that this is not true; the zone is indeed on each existing DC, and is AD integrated.

Additionally, I'm unable to install DNS after DC promotion, with the message "You cannot use the Add Roles Wizard to install DNS Server on a computer with Active Directory Domain Services. Instead, run the AD DS Installation Wizard (dcpromo.exe) to install AD DS and DNS Server together." So, in order to get DNS onto a new domain controller, I have to remember to add the DNS role first, then perform dcpromo.

My supervisor theorizes that the problem (or at least a problem) lies in the fact that the AD domain name and DNS zone name are different; that dcpromo can't find the AD integrated DNS zone because the DNS zone's scope (example.org) is larger than the AD domain's scope (test.example.org).

Can anyone weigh in on this?  What needs to be done so new DCs automatically pick up the fact that DNS exists, and configure the role during dcpromo?


What is the best practice to connect 2 sites and replicate ADDS between 2 different sites using windows server 2012 r2?


I found that there is a new Remote Access feature inside Windows Server 2012 R2 which is much easier. Can anybody suggest how to connect 2 different sites so that the connection will be the tunnel to replicate ADDS (RW) between both sites?

Limited Access on ADC


Hi!

We need to assign permissions to a junior admin to be able to manage a group of users in our Additional Domain Controller. We don't want him to change settings for the server and all other domain users. How can we do this?

Any Suggestions?

Thanks.

DCDIAG question


I have 4 2003 DCs that I am running dcdiag on in preparation for an upgrade to a 2012 forest. The forest and domain are at the 2003 level. So far everything is looking good, but I do not know what this is. Can someone tell me what this information from DCDIAG means? Also, what do I need to do to make this come up properly?

Thanks for your help.

Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 


Thanks for your help

Remote GPUPDATE from Windows 2012 R2


Team,

Has anyone tested the below command for remote gpupdate from Windows 2012 R2? It is not working in my case.

Invoke-GPUpdate -Computer JBL-FPS003 -force

...

Also, remote GPUPDATE from the GPMC UI is not working.
Has anyone tested it? Everything shows as successful, but the policy is not updating. When I run RSOP.MSC the updated setting is missing, but after running gpupdate /force locally it works.


Regards,

Biswajit

MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011





Verification of replica failed. An Active Directory domain controller could not be contacted


I have a Windows 2012 server and recently had Active Directory installed as company.local. I removed company.local from the server and tried to install it again with the same name "company.local".

Now I'm having issues; it says "verification of replica failed. an active directory domain controller could not be contacted" when promoting it to a domain controller.

I tried to put in a different name, but it still gives me the same error.

I also removed the DNS server role and installed it again, thinking it might resolve the problem. Now the DNS server doesn't have any configuration in the forward lookup zone.

Please advise on what to do.

Thanks

