Channel: Directory Services forum
Viewing all 31638 articles

Naming information cannot be located because access is denied

According to my previous question, a domain admin has full access to its own domain. However, when I open ADUC as domain administrator, I get this error:

Active directory domain services:

Naming information cannot be located because: Access is denied

Contact your system administrator to verify that your domain is properly configured and is currently online.

After opening ADUC, when I click Change Domain - Browse - select my domain - OK, I then get domain not found because access is denied.

Demoting 2003 Domain controllers and DNS Servers

Hi all,

I have introduced three new 2008 r2 domain controllers which currently live with three 2003 sp2 domain controllers. All DNS servers.

It has been like this for about 3 weeks. During this time I have made changes to our DHCP so that our clients use the new 2008 DNS servers.

I am almost ready to demote the 2003 DCs, but what concerns me is the static machines out there which MIGHT be using the old 2003 DNS servers that no one knows about.

No one I work with can be 100% sure of what machines out in the domain are static. Is there any way to see from the 2003 DNS servers which machines may be sending DNS requests to them?

I have used Wireshark on them so far and couldn't see a lot of DNS packets, just the odd few here and there.

Also, does this sound like the correct procedure for the demotion?

1. Disable the network connection on all the 2003 DCs for 24 hours to make sure that everything is working correctly.

2. DCPromo each dc and remove the domain controller role, restart and rejoin to the domain

3. From the server manager, remove the dns role.

Is this the best route to take?

Thanks

Mac

FSMO

Actually, I didn't do any transferring or seizing operation, even though the roles are transferred to the ADC.

Suppose that was done by somebody transferring or seizing: how do I track it down, and after seizing, what happens if the old DC comes back online? I ask because I got some solutions for resolving Kerberos Event ID 4, so if I do it on my old DC, what will happen?

Group policies are not updating.

In my case the DC is on a physical machine and the ADC is in Hyper-V. Previously the PDC used to show as the DC, but when I perform net time from a client it used to show the ADC.

AD design and consideration

Hi all,

One company wants to redesign its AD architecture based on locations (us/cn) and subcompanies (sub1, sub2, sub3, sub4). The subcompany domains (ussub1/cnsub1, ussub2/cnsub2) need trust in the US/CN locations. Here are some plans and I need to choose the best one. Can someone give some suggestions on them (like on cost, security, Exchange, etc.)? Thanks.
1. Just create one tree (company.com) which contains the subcompany domains (sub1.company.com, sub2.company.com), and separate locations by AD site. But the US/CN domains will be managed by different IT teams.
2. Create two trees (uscompany.com, cncompany.com) in one forest and create domain shortcut trusts between subcompany domains (sub1.uscompany.com, sub1.cncompany.com), though there are tree-root trusts by default.
3. Create two trees in different forests and create a forest trust/external trust.
4. Create several trees (subcompany) in one forest which contain subcompany location subdomains (us.sub1company.com, cn.sub1company.com).
5. Other plans for this scenario with the least number of forests/trees/domains.

MemberOf attribute missing

I have an LDAP connection from an application that needs to read the MemberOf attribute in AD to determine group membership. But when I look in my user attributes in ADUC, there is no MemberOf attribute listed. I am logged in with my domain admin account and I cannot see the attribute at all. We are at functional level 2008 if that matters.

I'm pretty sure I've used this memberof attribute when setting up other LDAP connections.  How were they working if this attribute is missing?

Any ideas on why this attribute is not showing in ADUC?

Additionally, when I go into ADSI Edit, and look at the schema settings, the memberof attribute is not showing either.


Server 2k8 dc's at 6 locations, need to (and cannot) authenticate across WAN when local DC is down

We have 6 locations across North America with a Server 2k8 DC in each location. The servers are virtual, and we use a SAN for storage.

I cannot currently authenticate using any of the remote DCs, so when the local is down, the plants are idle.

I need help in understanding what I need to do to allow users to authenticate across the WAN when the local DC is down.

Windows 2008 R2 Domain Rename - Clarification on DNS Preparation Step

I have tried searching for the answer to my question, but am not having luck.

I am doing a Windows 2008 R2 domain rename. I have read everything I can on the process from the MS TechNet pages, the MS Doc, and many other blogging sites outlining what they did.

The one thing I see that is somewhat glossed over is the DNS preparation for the new domain.

This link http://technet.microsoft.com/en-us/library/cc794811%28v=ws.10%29.aspx talks about Prepare DNS Zones, but I am not quite sure how far I am to go with the DNS setup.

Am I simply going through DNS wizard, creating a new Primary Zone (mydomainNEW.com) in the forward lookup zones and click finish in the wizard and then done?

OR do I have to try and duplicate every single entry from the original DNS zone (mydomainOLD.com)?

In the old DNS zone (mydomainOLD.com) there are things like:

- _msdcs
- _sites
- _tcp
- _udp
- DomainDnsZones
- ForestDnsZones

And underneath those are other folders and with entries.

There is also a _msdcs.mydomainOLD.com zone.

How far do I have to go here? 

Just stop after going through the wizard? Meaning the domain rename will populate the rest?

OR duplicate everything.

Right now I have stopped at the wizard and after a while all that shows up in the new zone mydomainNEW.com are 3 entries:

- Start of Authority (SOA)
- Name Server (NS)
- Name Server (NS)

And all three of these reference the DC's using old domain name like dc1.mydomainOLD.com.

Thanks in advance!

Greg

W32TM / W32Time & Virtual Domain Controllers

Hello world,

I am looking for a simple answer on a question with a million posts...

Virtualized DCs NOT holding any FSMO roles - can they serve time to their client PCs?

I have 2 physical DCs, one holding all FSMO roles and syncing to an external NTP server.
I have the 2nd physical DC syncing time off of the domain hierarchy...
I now have these last two DCs that are virtual and cannot determine whether to use w32tm.

I have found conflicting articles stating to NOT enable w32tm due to it syncing externally and causing issues with syncing its time to clients and then having issues due to Hyper-V time lag... I understand the goal is for the virtual machine to get its time from its host, but what about the client machines authenticating from it?

Any help would be appreciated, as I feel like it's been information overload from the TechNet Forum, MSKB, and the Windows Team Blogs...


Darkrogue MCDST, MCITP, MCTS


Startup script

Hi, I am from Spain, excuse my bad English

I have a startup script to add a domain group to the local Administrators group.

The script is a VBS script and works fine on the first reboot, but on the second reboot the script says that the group is already a member of the local Administrators group.

How can I add a check for this issue in the VBS code and avoid this error?

This is my script:

strComputer = "."

Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")

Set objGroup = GetObject("WinNT://domain/group")

objAdmins.Add(objGroup.ADsPath)

Thanks for all

Domain controller crashed - was never demoted.

One of our domain controllers crashed, so it was never demoted. I rebuilt the server and promoted it to DC. Ever since then, I've been getting countless NTDS Replication event errors (2023 2042). I ran the repadmin /removelingeringobjects tool and it was successful. When I attempt to demote the DC, I get the following error:

The operation failed because:

Active Directory could not transfer the remaining data in directory partition CN=Configuration,DC=####,DC=local to domain controller (domaincontrollername).

"The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

How can I resolve this issue?

Both controllers are Windows Server 2003 R2.

Startup script again

Hi, I am from Spain, excuse my bad English

I recently posted a question about a script, but this is another error in my script.

I have a startup script to add a domain group to the local Administrators group.

I have an English OS and a Spanish OS.

When the script runs on the English OS version, the line:

Set objAdmins = GetObject("WinNT://" & strComputer & "/Administradores")

says the group does not exist, because "Administradores" (in Spanish) does not exist.

How can I check whether this local group exists, to avoid this error?

Thanks again for all

Cross forest trust issues with Winlogon from Win7 via 2008 resource DC in Forest B to 2003 DC in Forest A

ISSUE: Group Policy processing isn't working when using cross forest authentication, works fine with local accounts in Forest B.

Implementing a new system in a segregated network with its own single-domain Forest B with 2 DCs.
Windows 7 clients and Windows 2008 R2 DCs and application servers.
Loopback replace is defined so that all GP have to be defined in Forest B.

One way cross forest trust: Forest B with computer resources trust in Forest A with user accounts.

Forest A is a multidomain environment based on Windows 2003 (30 DCs in the root, 80 DCs in subdomain A1 and 40 DCs in subdomain A2, there are other subdomains but they are not involved in the solution).

Using a conditional DNS forwarder across the forests.

We have managed to activate the one-way trust between both DCs in Forest B and the 30 root DCs in Forest A; all top DCs have full IP connectivity on all ports for the transitive design.

Forest A with AD functional level 2003 and Forest B with AD functional level 2008.

Logon and GP processing work perfectly on the Windows 7 client when using a user account in Forest B.

The symptom is that when using a user account in subdomain A1 or A2 in Forest A to log on to the Windows 7 client (in the segregated network with Forest B), we see error messages in the Pre-Authentication phase.

Windows 7 is by default using AES, and my expectation was that the negotiation would have solved this via the AS_REQ / AS_REP negotiations.

Today I can see in the gpevent log that the winlogon process tries 4 times to retrieve user account information but fails.

I have spent several days searching without finding the right workaround (I have found many threads about DES, but our corporate system uses RC4 in Forest A).

The gpevent records below are from when we manage to log on to the Windows 7 client using the cross-forest trust, but the Forest B GP processing isn't working with the Loopback replace mode as expected.
The response times are rather short, 0-1 seconds, so I do expect that the DC in the local Forest B is responding, but why isn't the GP executed as with the local user account?

### Login with Domain-A1 account

2012-12-06 09:56:37.993 4001 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Starting user logon Policy processing for Domain-A1\user-je. Activity id: {14A33E7D-06A2-4C03-85A8-C4D061B42E54}
2012-12-06 09:56:37.993 5320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Attempting to retrieve the account information.
2012-12-06 09:56:37.993 4017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Making system call to get account information.
2012-12-06 09:56:37.993 7017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The system call to get account information completed. The call failed after 0 milliseconds.
2012-12-06 09:56:37.993 5320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Retrying to retrieve account information.
2012-12-06 09:56:38.508 4017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Making system call to get account information.
2012-12-06 09:56:38.508 7017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The system call to get account information completed. The call failed after 0 milliseconds.
2012-12-06 09:56:38.508 5320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Retrying to retrieve account information.
2012-12-06 09:56:39.023 4017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Making system call to get account information.
2012-12-06 09:56:39.023 7017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The system call to get account information completed. The call failed after 0 milliseconds.
2012-12-06 09:56:39.023 5320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Retrying to retrieve account information.
2012-12-06 09:56:39.538 4017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Making system call to get account information.
2012-12-06 09:56:39.538 7017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The system call to get account information completed. The call failed after 0 milliseconds.
2012-12-06 09:56:39.538 7320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Error: Retrieved account information. Error code 0x54B.
2012-12-06 09:56:39.538 7320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Error: Failed to register for connectivity notification. Error code 0x4CE.
2012-12-06 09:56:39.538 7001 14a33e7d-06a2-4c03-85a8-c4d061b42e54 User logon policy processing failed for Domain-A1\user-je in 1 seconds.
2012-12-06 09:56:39.538 5315 00000000-0000-0000-0000-000000000000 Next policy processing for EMEA\kbrh967 will be attempted in 95 minutes.
2012-12-06 09:56:39.538 7320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Error: Failed to register for connectivity notification. Error code 0x4CE.
2012-12-06 09:56:39.538 1053 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The processing of Group Policy failed. Windows could not resolve the user name.
    This could be caused by one of more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to t

The plan is to disable Allow Cross-Forest User Policy and Roaming User Profiles and see how it works.

Does anyone recognize the symptoms or have a recommendation to share?

/Stefan

Server 2012: Increased LDAP traffic to domain controllers since installed

About three months ago, we installed a new server running Windows Server 2012 (Std.) at a branch office.  The server is running the following roles: File Services (including File Server Resource Manager FSRM), Print Server, and DHCP server.  Since the installation we noticed through our WAN monitoring (netflow) that there is a substantial increase in the amount of traffic between this new server and our two domain controllers (Server 2008 R2 std.).  The two domain controllers are located at our headquarters over the WAN.

I can see in Netflow that the traffic is being labeled LDAP.  I noticed on the new 2012 server there are a few event errors pointing to the issue of "claims" not being available on the domain (Event ID 12339 and 12344).  We're not using Dynamic Access Control or central access policies.  When I run Network Monitor on the new 2012 server, I see SMB and SMB2 traffic between the file server and domain controller(s), but that's about it.

I'm wondering if others have seen this issue I'm experiencing.  At the moment, I'm leaning towards the traffic increase being Server 2012 FSRM trying to sync claims and policies which don't exist.  I will likely remove FSRM from Server 2012, but I wanted to get others' input first.

Thanks,

Brian

Replication Failures and NETDOM Reset of PWD Didn't work

I have a small directory where the AD is now failing to replicate. I have checked the dcdiags on KSD1 and things seem fine there. This is the PDC. On the 2 DC KSD2 things aren't replicating and it's telling me the Target Principal Name is incorrect, so I followed the TID http://support.microsoft.com/kb/288167?wa=wsignin1.0 and this didn't work. Here is the dcdiag file from KSD2, and I'm at a loss as to how to get things talking again. Any help would be greatly appreciated. Thank you

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site\KSD2
      Starting test: Connectivity
         ......................... KSD2 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site\KSD2
      Starting test: Replications
         [Replications Check,KSD2] A recent replication attempt failed:
            From KSD1 to KSD2
            Naming Context: CN=Schema,CN=Configuration,DC=kahlotus,DC=wednet,DC=edu
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2012-12-09 20:48:04.
            The last success occurred at 2012-12-08 02:47:59.
            42 failures have occurred since the last success.
         [KSD1] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,KSD2] A recent replication attempt failed:
            From KSD1 to KSD2
            Naming Context: CN=Configuration,DC=kahlotus,DC=wednet,DC=edu
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2012-12-09 21:27:51.
            The last success occurred at 2012-12-08 03:38:29.
            100 failures have occurred since the last success.
         [Replications Check,KSD2] A recent replication attempt failed:
            From KSD1 to KSD2
            Naming Context: DC=kahlotus,DC=wednet,DC=edu
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2012-12-09 21:35:35.
            The last success occurred at 2012-11-19 13:34:04.
            29859 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         KSD2:  Current time is 2012-12-09 21:37:39.
            CN=Schema,CN=Configuration,DC=kahlotus,DC=wednet,DC=edu
               Last replication recieved from KSD1 at 2012-12-08 02:47:59.
            CN=Configuration,DC=kahlotus,DC=wednet,DC=edu
               Last replication recieved from KSD1 at 2012-12-08 03:38:29.
            DC=kahlotus,DC=wednet,DC=edu
               Last replication recieved from KSD1 at 2000-11-19 13:34:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
         ......................... KSD2 passed test Replications
      Starting test: NCSecDesc
         ......................... KSD2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... KSD2 passed test NetLogons
      Starting test: Advertising
         ......................... KSD2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: KSD1 is the Schema Owner, but is not responding to DS RPC Bind.
         [KSD1] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: KSD1 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: KSD1 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: KSD1 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: KSD1 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: KSD1 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: KSD1 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: KSD1 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: KSD1 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: KSD1 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... KSD2 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... KSD2 failed test RidManager
      Starting test: MachineAccount
         ......................... KSD2 passed test MachineAccount
      Starting test: Services
         ......................... KSD2 passed test Services
      Starting test: ObjectsReplicated
         ......................... KSD2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... KSD2 passed test frssysvol
      Starting test: frsevent
         ......................... KSD2 passed test frsevent
      Starting test: kccevent
         ......................... KSD2 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/09/2012   20:45:40
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/09/2012   20:52:08
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/09/2012   20:52:39
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/09/2012   21:10:27
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/09/2012   21:32:51
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/09/2012   21:32:51
            Event String: The kerberos client received a

         ......................... KSD2 failed test systemlog
      Starting test: VerifyReferences
         ......................... KSD2 passed test VerifyReferences
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : kahlotus
      Starting test: CrossRefValidation
         ......................... kahlotus passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... kahlotus passed test CheckSDRefDom
   
   Running enterprise tests on : kahlotus.wednet.edu
      Starting test: Intersite
         ......................... kahlotus.wednet.edu passed test Intersite
      Starting test: FsmoCheck
         ......................... kahlotus.wednet.edu passed test FsmoCheck

Deploy a Print Server on a RODC

Hi everyone,

My customer has a Datacenter and many branch offices. In each branch office, there are 2 servers. The first is running AD, DNS, DHCP, Print Server, an application ... and the 2nd is used as a backup in case the first goes down.

My wish is to deploy the application in the Datacenter in a VM and keep an RODC with DNS, DHCP and Print Server in the Branch Office. The network link is SDSL.

The application uses the printers deployed in the branch office. So, my question is whether it's possible to deploy a Print Server on the RODC and whether issues can occur (time of printing, delays ...) via the WAN link? How will it work? Where should I deploy the print spooler?

Thank you :-)


IIS is not reporting last logon date to Active Directory

I am trying to capture the lastlogontimestamp, but I am having issues with accounts that authenticated their username and password through IIS. We are Windows 2003 / 2008 with IIS6. Any help would be great.

creating a new forest/domain on same network with existing forest/domain

Hi,

Our company was merged with another firm and the joint entity has a need for a domain name change.

I am planning to create a new forest (new parent domain), create forest trusts between the new and current, and slowly migrate over to the new.

This new forest will be created on the same existing physical network infrastructure and topology. My question relates to the subnet configuration in Active Directory Sites and Services for the existing domain.

For network 'simplicity' (we have multiple physical sites all connected via a layer 2 VPLS WAN, delivered over a layer 3 architecture), I don't wish to change the class B subnet, i.e. all our firewall and routing setup for all sites falls under the 10.61.0.0 network, with each site having a /19 subnet, i.e.: SiteA 10.61.0.0 /19; siteB 10.61.32.0 /19; siteC 10.61.64.0 /19; siteD 10.61.96.0 /19; siteE 10.61.128.0 /19; siteF 10.61.160.0 /19.

These subnets are also configured in the Active Directory Sites and Services snap-in.

So, if I were to create a new forest/domain, can I use an IP range within these existing subnets, so long as they are not currently in use? E.g.:

The current Domain Controller has IP 10.61.45.5 mask 255.255.255.0. Can the new Domain Controller for the new forest/domain be assigned on the currently unused range 10.61.45.0 mask 255.255.255.0? (Both will be on separate VLANs at the switch level.)

OR (as I fear) because 10.61.46.x is a range within the current siteB subnet for the current domain scope, will issues arise because of this overlap? And hence my ONLY alternative is to replicate these site IPs using another class B network, e.g. 10.62.0.0.

Windows 8 Pro 64

Windows 8 Pro 64 will not connect to my Server 2003 Enterprise. It says welcome to domain, then gives an error message after about 30 sec.

Error is:

Computer Name/Domain Changes

Changing the Primary Domain DNS name of this computer to ""

failed. The name will remain "DEW.LOCAL".

The error was:

The specified domain either does not exist or could not be

contacted.

I have 2 Windows 7 Pro 64 machines connected now and have had several XP machines attached in the past.

The machine that I am using is a Dell Precision M4400 laptop workstation. It is partitioned 3 ways, with Windows 8 Pro 64 on 1, Windows 7 Pro 64 on 2, and a data drive on 3.

Forest wide Replication Partners - Best Practise

I have recently started with a new employer and have been tasked with looking through their AD and making any suggestions for changes / improvements.

Briefly, there is a main head office with 3 DCs and 39 branch offices, each with 1 DC. The head office is the main site, with each branch office being a separate site in the domain, and all offices are connected via a 10MB link.

I have been looking at the replication partners for the sites and can see that there are some interesting configurations. Now I am not saying it is wrong, but is there a definitive guideline on how this sort of setup should be configured for replication?

There are no bridgehead servers anywhere and it almost seems as if the replication partners are just linked at random. I have noticed some interesting replication issues with the sysvol share and am wondering if this setup could be the cause!

Any thoughts most welcome.


Rob

How to trace who created the account in active directory

Hi, I'm currently investigating an account that was removed and recreated in Active Directory. I was able to confirm that the account was recreated because the whenCreated value of the account in question is just recent, while this employee was hired months ago.

Is there any way to trace who created the active directory account?
