Channel: Directory Services forum

An Active Directory Domain Controller for the domain cannot be contacted


Hello. I have a system down situation.

We had our Windows Server 2003 domain controller die. We replaced the drive and reinstalled the OS. I created a domain based on the name the workstations (Windows 7) had: <name>.local.

I log into the workstation with local administrator, remove them from the domain. Reboot, then try to add them to the domain with <name>.local. The workstation throws up the error "An Active Directory Domain Controller for the domain <name>.local cannot be contacted."

The workstations have internet access. DHCP and DNS are being provided by the Firewall and I can resolve espn.com fine.

I can ping the Domain Server by name and by IP. However, I cannot get the workstations to connect to the domain. I REALLY could use some help on this one.

Thanks!


Sean




What is the best practice to connect 2 sites and replicate ADDS between 2 different sites using windows server 2012 r2?


I found that there are new remote access features in Windows Server 2012 R2 which are much easier. Can anybody suggest how to connect 2 different sites so that it will be the tunnel to replicate ADDS (RW) between both sites?

Promoting a Member Server of a Child Domain in AD to Read Only Domain Controller


I need to know if a member of the Enterprise Administrator's parent Domain Group can do DCPROMO on a member server of a Child Domain?  There seems to be a lot of discussion about groups, but shouldn't the Enterprise Administrator's group membership be able to do this?

Charlie

Broken root domain without a valid backup. Any chance to get it back to work properly?


Hi guys,
I came across the following issue:
Imagine a standard enterprise environment with a forest. The root domain is called contoso.com and there is a subdomain called company.contoso.com. There are also subdomains of company.contoso.com, but they are not important for the problem description.

The functional level of the forest is Windows 2003-interim & the domain level of the root domain is Windows 2003, as is the domain level of all subdomains. All Domain Controllers are Windows 2003 SP2.

There have been people in the environment with too many rights, that used to promote DCs and then also just decommission them without properly demoting them. This left several unreachable domain controllers in both the root domain & the subdomain.

I cleared all those DCs that are no longer available, which made company.contoso.com stable and reliable. All DCs within the subdomain are properly talking to each other and replicating fine.

Then I discovered the main issue here. The replication in the root domain is broken. There is only one domain controller left in the root domain; nevertheless the server is suffering from USN rollback. Digging deeper I found out that the domain controllers have been virtualized years ago, but no one ever cared about the root domain. So I found out that replication stopped in 2006 when obv. the last healthy domain controller was removed from the root domain.

So I basically have a crippled root domain with a crippled domain controller. I am not able to set the forest level to 2003 native, as the domain controller says that the domain contoso.com is still Windows 2000. This is not correct; I have checked msDS-Behavior-Version and nTMixedDomain. They are properly set to 2 & 0.

My idea was to introduce a newly installed 2003 server and promote it to a DC. Then get rid of the broken one. Unfortunately the broken DC is not replicating. Due to USN rollback the netlogon service constantly goes to a paused state & of course both inbound & outbound replication are disabled. Even when I re-enable the replication it is just a matter of seconds before they get disabled again. I also tried to introduce a new 2012R2 DC, but that fails of course due to the forest level not being 2003.

So I am a little stuck here. Any thoughts about how to continue to troubleshoot?

I have a final idea:
Install a new forest with the same name contoso.com and set up a trust with company.contoso.com.
The question would be, how can I convince company.contoso.com that the newly installed forest and domain are its parent?

AD 2003 Tombstone Lifetime error


Dears,

Site A (Main) : 2 DC (win 2003 R2 Sp2)

Site B : 1 DC ( win 2003 R2 Sp2)

One of my clients has a DC replication problem, and after investigating using replmon we discovered that the DC on Site B has run out of Tombstone Lifetime!

And when I checked the attribute "tombstoneLifetime" of the object cn=directory service,cn=windows,cn=services in the Configuration partition, I found the value <not set>, which means, from what I know, it's 60 days!

Now I need to know: if I changed the attribute "tombstoneLifetime" to 180 days, would I face any problem if I did that? Because I need to enable replication again between both sites!


mwahab

While running dcdiag /test:dns getting Warning: The AAAA record for this DC was not found


DCDIAG /test:dns result is pasted here.

C:\Users\administrator.SUD>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MUM-ADS-01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MUM-ADS-01
      Starting test: Connectivity
         ......................... MUM-ADS-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MUM-ADS-01

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... MUM-ADS-01 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : sud

   Running enterprise tests on : sud.in
      Starting test: DNS
         Test results for domain controllers:

            DC: MUM-ADS-01.sud.in
            Domain: sud.in


               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server:
                  a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server:
                  b.root-servers.net. (128.9.0.107)
                  Error: Root hints list has invalid root hint server:
                  c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server:
                  d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server:
                  e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server:
                  f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server:
                  g.root-servers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server:
                  h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server:
                  i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server:
                  j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server:
                  k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server:
                  l.root-servers.net. (198.32.64.12)
                  Error: Root hints list has invalid root hint server:
                  m.root-servers.net. (202.12.27.33)

               TEST: Delegations (Del)
                  Error: DNS server: sud-ad.sud.in. IP:<Unavailable>
                  [Missing glue A record]

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000006] Intel(R) PRO/1000 MT Network Connection:
                     Warning:
                     Missing AAAA record at DNS server 10.1.6.132:
                     MUM-ADS-01.sud.in

                     Warning:
                     Missing AAAA record at DNS server 10.1.6.132:
                     gc._msdcs.sud.in

                     Warning:
                     Missing AAAA record at DNS server 10.1.6.133:
                     MUM-ADS-01.sud.in

                     Warning:
                     Missing AAAA record at DNS server 10.1.6.133:
                     gc._msdcs.sud.in

               Warning: Record Registrations not found in some network adapters

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: sud.in
               MUM-ADS-01                   PASS WARN FAIL FAIL PASS WARN n/a

         ......................... sud.in failed test DNS

Access to all servers (except DCs) without Domain Admins privileges


Hi,

We would like to allow some functional accounts (ITS Accounts) to access all the company's servers without being domain admins and without adding them manually to the local admin group on each server.


Could we do this using Group Policy management or Active Directory delegation? (Our AD is 2012.)

Could anyone help me please?


Thanks and regards


Manuel Osorio

Delay in password change in Active Directory 2012


Hi, I need help with the following problem. I have an application which serves as A&A. Currently the application is running on an old .NET Framework and Active Directory level 2003. Everything is running OK. I just had new servers built on Windows Server 2012 R2 and we have a new domain (2012 level). The problem I just found is that when I change the password (from the portal/application), it changes OK; however, for the first 5 mins after the password is changed, I can log in with both the old and new passwords. After 5 mins, the old password is no longer valid, and I can only log in using my new password. Why is there a delay in the password change? Prod doesn't have this problem. I am thinking there may be a cached account/credential that causes this, but I'm not quite sure. Can you please help me with this?

Thanks a lot.


How to use just one account in the domain to login to the right server having access to the right resources. Even when a user works on 4 different sites ...


We have one domain with about 36 sites. On the sites we use (2008R2 / 2012R2) RODCs.

All workstations have Windows 7.

Some users work on several sites. We want the user to just be able to use one account and the environment to see on which site the user logs in, so the right script can be loaded and the appropriate resources like data and printers are available.

We have several users working on 4 sites (different schools) doing their work for that specific site over there.

I want the system to see where a user logs in (can be on IP address), so we can give the users just one account that will work as it should.

I would like to get some ideas or advice on how to get it done.

Thanks,

Ben.


Ben van der Meer



Replication between DC and ADC

We all know that if any changes happen in the DC, they will automatically replicate to the ADC, sometimes quickly and sometimes very late. I just have one query: how does the ADC know that some changes have happened in the DC?

Abp

PasswordNeverExpires


Hello,

I am trying to create a script for auditing purposes. For ease of use, I would like all the information in the same script, but I am struggling with the PasswordNeverExpires property of the user object. Everything else works like a charm. Can anyone tell me why the underlined code does not output True or False?

$NumDays = 0
 $LogDir = ".\Users-Last-Logon.csv"

 $currentDate = [System.DateTime]::Now
 $currentDateUtc = $currentDate.ToUniversalTime()
 $lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
 $lltIntLimit = $lltstampLimit.ToFileTime()
 $adobjroot = [adsi]''
 $objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
 $objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"
 $objstalesearcher.PageSize=4000

 $users = $objstalesearcher.findall() | select `
 @{e={$_.properties.cn};n='Display Name'},`
 @{e={$_.properties.samaccountname};n='Username'},`
 @{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},`
 @{e={$_.properties.description};n='Description'},`
 @{e={$_.properties.passwordneverexpires};n='PW'},`
 @{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'}

 $users | Export-CSV -NoType $LogDir
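
Added example, not part of the original post: `passwordNeverExpires` is not an attribute stored in the directory, so an LDAP search result has no such property; the setting is the `ADS_UF_DONT_EXPIRE_PASSWD` bit (0x10000) of `userAccountControl`. The sketch below decodes that bit and the disabled bit. The function name `Get-UacAuditFlags` and the sample records are constructed for illustration.

```powershell
# userAccountControl bit flags (ADS_USER_FLAG_ENUM values).
$ADS_UF_ACCOUNTDISABLE     = 0x00002   # account is disabled
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" checkbox

# Hypothetical helper: turn a raw userAccountControl integer into the two
# booleans an audit report usually needs.
function Get-UacAuditFlags {
    param([Parameter(Mandatory = $true)][int]$UserAccountControl)

    [pscustomobject]@{
        PasswordNeverExpires = [bool]($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD)
        AccountIsDisabled    = [bool]($UserAccountControl -band $ADS_UF_ACCOUNTDISABLE)
    }
}

# Constructed sample records shaped like SearchResult.Properties:
# lower-case attribute names, each value wrapped in a collection.
$sample = @(
    @{ cn = @('Alice Example'); samaccountname = @('alice');   useraccountcontrol = @(512)   },  # normal account
    @{ cn = @('Svc Backup');    samaccountname = @('svc-bkp'); useraccountcontrol = @(66048) },  # 512 + 0x10000
    @{ cn = @('Old Temp');      samaccountname = @('temp01');  useraccountcontrol = @(514)   }   # 512 + 0x2
)

$report = $sample | ForEach-Object {
    $flags = Get-UacAuditFlags -UserAccountControl $_.useraccountcontrol[0]
    [pscustomobject]@{
        'Display Name'        = $_.cn[0]
        'Username'            = $_.samaccountname[0]
        'PW Never Expires'    = $flags.PasswordNeverExpires
        'Account Is Disabled' = $flags.AccountIsDisabled
    }
}
$report | Format-Table -AutoSize

# Against a live DirectorySearcher result, the same test as a calculated property:
#   @{e={[bool]($_.properties.useraccountcontrol[0] -band 0x10000)};n='PW'}
# To return only accounts with the flag set, add the bitwise-AND matching rule
# to the LDAP filter:
#   (userAccountControl:1.2.840.113556.1.4.803:=65536)
```

Reading both flags from `userAccountControl` also avoids the per-user `[ADSI]` bind that the original script performs for `AccountDisabled`.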


DCPromo error: The wizard cannot gain access to the list of domains in the forest


Hello folks,

I can't promote a member server to be a DC. This server was not even able to get added to the domain. I got that taken care of by offline join (djoin). I'm able to ping/nslookup any other DC, DNS, domain name, forest name, etc.

Please see the C:\Windows\debug\dcpromoui.log and the screenshot

dcpromoui 810.E14 0000 14:49:10.837 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 810.E14 0001 14:49:10.837 C:\Windows\system32\wsmprovhost.exe
dcpromoui 810.E14 0002 14:49:10.837 file timestamp 08/22/2013 04:03:07.107
dcpromoui 810.E14 0003 14:49:10.838 C:\Windows\system32\dcpromocmd.dll
dcpromoui 810.E14 0004 14:49:10.838 file timestamp 11/03/2014 09:01:41.277
dcpromoui 810.E14 0005 14:49:10.838 local time 11/05/2014 14:49:10.838
dcpromoui 810.E14 0006 14:49:10.838 running Windows NT 6.3 build 9600  (BuildLab:9600.winblue_r3.140827-1500) amd64
dcpromoui 810.E14 0007 14:49:10.838 logging flags 0001007C
dcpromoui 810.E14 0008 14:49:10.838 Enter GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 0009 14:49:10.838   START TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 000A 14:49:10.838   Enter Computer::RemoveLeadingBackslashes 
dcpromoui 810.E14 000B 14:49:10.838   Using empty constructor
dcpromoui 810.E14 000C 14:49:10.838   Enter Computer::Refresh
dcpromoui 810.E14 000D 14:49:10.838     Enter IsLocalComputer
dcpromoui 810.E14 000E 14:49:10.838     Enter RefreshLocalInformation
dcpromoui 810.E14 000F 14:49:10.838     Enter GetProductTypeFromRegistry
dcpromoui 810.E14 0010 14:49:10.838       Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 810.E14 0011 14:49:10.838       Enter RegistryKey::GetValue-String ProductType
dcpromoui 810.E14 0012 14:49:10.838       ServerNT
dcpromoui 810.E14 0013 14:49:10.839       prodtype : 0x3
dcpromoui 810.E14 0014 14:49:10.839     Enter GetSafebootOption
dcpromoui 810.E14 0015 14:49:10.839       Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 810.E14 0016 14:49:10.839       HRESULT = 0x80070002
dcpromoui 810.E14 0017 14:49:10.839       returning : 0x0
dcpromoui 810.E14 0018 14:49:10.839     Enter DetermineRoleAndMembership
dcpromoui 810.E14 0019 14:49:10.839       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 001A 14:49:10.839         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 810.E14 001B 14:49:10.839           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 001C 14:49:10.839           lpServer  : (null)
dcpromoui 810.E14 001D 14:49:10.839           InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 810.E14 001E 14:49:10.839           HRESULT = 0x00000000
dcpromoui 810.E14 001F 14:49:10.839         MachineRole      : 0x3
dcpromoui 810.E14 0020 14:49:10.839         Flags            : 0x1000000
dcpromoui 810.E14 0021 14:49:10.839         DomainNameFlat   : Houston
dcpromoui 810.E14 0022 14:49:10.839         DomainNameDns    : Houston.contoso.com
dcpromoui 810.E14 0023 14:49:10.839         DomainForestName : contoso.com
dcpromoui 810.E14 0024 14:49:10.839       Enter IsDcInRepairMode
dcpromoui 810.E14 0025 14:49:10.839   HRESULT = 0x00000000
dcpromoui 810.E14 0026 14:49:10.839   Enter State::DetermineRunContext
dcpromoui 810.E14 0027 14:49:10.839     Enter DS::GetPriorServerRole
dcpromoui 810.E14 0028 14:49:10.839       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 0029 14:49:10.839         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 810.E14 002A 14:49:10.839           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 002B 14:49:10.839           lpServer  : (null)
dcpromoui 810.E14 002C 14:49:10.839           InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 810.E14 002D 14:49:10.840           HRESULT = 0x00000000
dcpromoui 810.E14 002E 14:49:10.840         OperationState      : 0
dcpromoui 810.E14 002F 14:49:10.840         PreviousServerState : 0
dcpromoui 810.E14 0030 14:49:10.840     Enter Computer::GetNetbiosName
dcpromoui 810.E14 0031 14:49:10.840       USSLCRODC101
dcpromoui 810.E14 0032 14:49:10.840     Enter Computer::GetRole USSLCRODC101
dcpromoui 810.E14 0033 14:49:10.840       role: 3
dcpromoui 810.E14 0034 14:49:10.840     NT5_MEMBER_SERVER
dcpromoui 810.E14 0035 14:49:10.840   Enter State::GetRunContext NT5_MEMBER_SERVER
dcpromoui 810.E14 0036 14:49:10.840   Enter FS::GetPathSyntax C:\Windows\system32
dcpromoui 810.E14 0037 14:49:10.840   HRESULT = 0x00000000
dcpromoui 810.E14 0038 14:49:10.840   Enter State::SetMode STAGETWO
dcpromoui 810.E14 0039 14:49:10.840   Enter State::SetOperation REPLICA
dcpromoui 810.E14 003A 14:49:10.840   Enter GetCredentialsFunctInternal
dcpromoui 810.E14 003B 14:49:10.840     Enter ShouldSkipCredentialsPage
dcpromoui 810.E14 003C 14:49:10.840       Enter State::GetOperation REPLICA
dcpromoui 810.E14 003D 14:49:10.840     using empty user domain name
dcpromoui 810.E14 003E 14:49:10.840     Enter State::GetOperation REPLICA
dcpromoui 810.E14 003F 14:49:10.840     Enter GetForestName Houston.contoso.com
dcpromoui 810.E14 0040 14:49:10.840       Enter MyDsGetDcName
dcpromoui 810.E14 0041 14:49:10.840         Enter MyDsGetDcName2
dcpromoui 810.E14 0042 14:49:10.840           Calling DsGetDcName
dcpromoui 810.E14 0043 14:49:10.840           ComputerName : (null)
dcpromoui 810.E14 0044 14:49:10.840           DomainName   : Houston.contoso.com
dcpromoui 810.E14 0045 14:49:10.840           DomainGuid   : (null)
dcpromoui 810.E14 0046 14:49:10.840           SiteName     : (null)
dcpromoui 810.E14 0047 14:49:10.840           Flags        : 0x40000000
dcpromoui 810.E14 0048 14:49:10.841           HRESULT = 0x00000000
dcpromoui 810.E14 0049 14:49:10.842           DomainControllerName    : \\USHOUDC100.Houston.contoso.com
dcpromoui 810.E14 004A 14:49:10.842           DomainControllerAddress : \\10.131.18.10
dcpromoui 810.E14 004B 14:49:10.842           DomainGuid              : {DD7C193F-9912-4E8F-A310-EA750D8329D4}
dcpromoui 810.E14 004C 14:49:10.842           DomainName              : Houston.contoso.com
dcpromoui 810.E14 004D 14:49:10.842           DnsForestName           : contoso.com
dcpromoui 810.E14 004E 14:49:10.842           Flags                   : 0xE000F1FD:
dcpromoui 810.E14 004F 14:49:10.842           DcSiteName              : USHouston
dcpromoui 810.E14 0050 14:49:10.842           ClientSiteName          : USSaltLakeCity
dcpromoui 810.E14 0051 14:49:10.842     using forest name contoso.com
dcpromoui 810.E14 0052 14:49:10.842     Enter State::GetOperation REPLICA
dcpromoui 810.E14 0053 14:49:10.842     Enter State::SetForestName contoso.com
dcpromoui 810.E14 0054 14:49:10.842     Enter State::SetTargetDomainName Houston.contoso.com
dcpromoui 810.E14 0055 14:49:10.842     Enter CheckUserIsLocal
dcpromoui 810.E14 0056 14:49:10.842     Enter State::GetOperation REPLICA
dcpromoui 810.E14 0057 14:49:10.842     Enter State::ReadDomains
dcpromoui 810.E14 0058 14:49:10.842       Enter State::GetTargetDomainName
dcpromoui 810.E14 0059 14:49:10.842         Enter State::GetOperation REPLICA
dcpromoui 810.E14 005A 14:49:10.842         target domain name: Houston.contoso.com
dcpromoui 810.E14 005B 14:49:10.842       Enter CDomains::ReadDomains
dcpromoui 810.E14 005C 14:49:10.842         Enter MyDsEnumerateDomainTrusts
dcpromoui 810.E14 005D 14:49:10.842           Enter GetDcName
dcpromoui 810.E14 005E 14:49:10.842             Enter GetDcName2
dcpromoui 810.E14 005F 14:49:10.842               Enter MyDsGetDcName2
dcpromoui 810.E14 0060 14:49:10.842                 Calling DsGetDcName
dcpromoui 810.E14 0061 14:49:10.842                 ComputerName : (null)
dcpromoui 810.E14 0062 14:49:10.842                 DomainName   : Houston.contoso.com
dcpromoui 810.E14 0063 14:49:10.842                 DomainGuid   : (null)
dcpromoui 810.E14 0064 14:49:10.842                 SiteName     : (null)
dcpromoui 810.E14 0065 14:49:10.842                 Flags        : 0x40000011
dcpromoui 810.E14 0066 14:49:11.020                 HRESULT = 0x00000000
dcpromoui 810.E14 0067 14:49:11.020                 DomainControllerName    : \\ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0068 14:49:11.020                 DomainControllerAddress : \\10.131.18.12
dcpromoui 810.E14 0069 14:49:11.020                 DomainGuid              : {DD7C193F-9912-4E8F-A310-EA750D8329D4}
dcpromoui 810.E14 006A 14:49:11.020                 DomainName              : Houston.contoso.com
dcpromoui 810.E14 006B 14:49:11.020                 DnsForestName           : contoso.com
dcpromoui 810.E14 006C 14:49:11.020                 Flags                   : 0xE000F1FC:
dcpromoui 810.E14 006D 14:49:11.020                 DcSiteName              : USHouston
dcpromoui 810.E14 006E 14:49:11.020                 ClientSiteName          : USSaltLakeCity
dcpromoui 810.E14 006F 14:49:11.020               Enter Computer::RemoveLeadingBackslashes \\ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0070 14:49:11.020               ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0071 14:49:11.020           Enter AutoWNetConnection::Init
dcpromoui 810.E14 0072 14:49:11.020             Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 810.E14 0073 14:49:11.020             The current user security context is being used therefore there is no need to establish a connection.
dcpromoui 810.E14 0074 14:49:11.020             HRESULT = 0x00000000
dcpromoui 810.E14 0075 14:49:11.920           NetStatus = 1722
dcpromoui 810.E14 0076 14:49:11.920           Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 810.E14 0077 14:49:11.920           HRESULT = 0x800706BA
dcpromoui 810.E14 0078 14:49:11.920         HRESULT = 0x800706BA
dcpromoui 810.E14 0079 14:49:11.920         HRESULT = 0x800706BA
dcpromoui 810.E14 007A 14:49:11.920     failed trying to read domains, returned 0x800706BA
dcpromoui 810.E14 007B 14:49:11.921     Enter GetErrorMessage 800706BA
dcpromoui 810.E14 007C 14:49:11.921   GetExistingAccountForComputerInReplicaDomain error message: The wizard cannot gain access to the list of domains in the forest.

This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171

The error is:
The RPC server is unavailable.

dcpromoui 810.E14 007D 14:49:11.921   Test Failed
dcpromoui 810.E14 007E 14:49:11.921   GetExistingAccountForComputerInReplicaDomain returns exit code: 26
dcpromoui 810.E14 007F 14:49:11.921   END TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 0080 14:49:11.921   Enter State::UnbindFromReplicationPartnetDC

Are there any security risks in two-way trusts?


Hello!

Can anybody enumerate the security risks that two-way trusts have? Security holes?

I mean two-way trusts between two domains from different forests Windows 2003\2008.

Thank you for any info.


I opened all of these ports that I could find with few exceptions and I still can't trust a windowsserver2003r2 and windows2008r2server


Neither domain will trust from either end.

The domain does not exist or network or other problems are preventing the connection.

All the ports I could find in the TechNet article.


Droid Hacker

primary dns is down

In my environment I have two DNS servers: one is the primary zone and the other is the secondary zone. As we know, the secondary zone holds a copy of the primary zone and is only readable, not writable. But if my primary zone DNS is down, then how should I edit the secondary zone?

Abp


I'm confused


My computer is 2 months old. When I opened it and registered and connected to the FIOS router, I clicked to connect to devices, thinking I would only connect to the tv and vcr, however it downloaded an old laptop's information that I had years ago. I have done nothing but change passwords and account names in a desperate struggle to remove myself from spyware and viruses that were teeming in that old laptop. No viruses or spyware is being found, but yet my laptop is constantly running a marathon and it is full of groups and users and I seem to be in a classroom...........I'm quite certain I qualify for preschool computer class, but no one told me about it.  Should I have brought the crayons or the paste? I'm completely spent. You'll find me at the windowsill eating paint chips, while I wait for my 2014 laptop to update its 1996 drivers :)

Oh...and another thing....who are you people and how did I get here?

DCDIAG question


I have 4 2003 DCs that I am running dcdiag on in preparation for an upgrade to a 2012 forest. The forest and domain are at a 2003 level. So far everything is looking good but I do not know what this is. Can someone tell me what this information from DCDIAG means? Also what I need to do to make this come up properly.

Thanks for your help.

Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 


Thanks for your help

Utilising ADFS to authenticate a machine

Is there any way to utilize ADFS 3.0 to authenticate the machine connecting by the certificate it has? My Security Manager wants this to be part of the authentication of who is connecting

Wrong fSMORoleOwner attribute value


Hello,
I have two Domain Controllers, DC01 and DC02, members of domain.local and child.domain.local respectively.

DC01 has all FSMO roles (netdom query fsmo). Looking at the fSMORoleOwner attribute under the path CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=local, it refers to DC02 instead of DC01 (FSMO roles).

Question: could I change it manually ?

Notes:

  • Same fSMORoleOwner attribute value under the path CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=local is pointing to DC01 (rightly)
  • Script fixfsmo.vbs (Microsoft Support http://support.microsoft.com/kb/949257) doesn't help because it fixes the attribute if the current FSMO server was deleted, but it isn't

Thank you,
Luca


Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.

Using AD authentication without "logon to" permission


Hello

I want to authenticate users by Active Directory (from a web application). It works fine, but it needs users to have "logon to" permission to the web server or the client they use.
I think there should be other ways without giving such permission to all users.
Can anybody help me?

