Channel: Directory Services forum

DNS Scavenging -


I walked into the following at my current company.

Single forest: a parent and three child domains. My predecessor had set up scavenging in the parent domain and it is working as expected. Scavenging is set up on the server and on the parent zone, and records are set up to be scavenged. Event ID 2501 was occurring every Sunday at 2 PM (7-day scavenging period on the server, 7-day No-Refresh and 7-day Refresh on the zones).

I wanted to start scavenging on Child Domain 1. The zones are Active Directory integrated; I set the zone to be scavenged, but I did not set the DNS server in Child Domain 1 for scavenging, because the parent domain DNS servers are set to scavenge, right?

I did not get a 2501 event ID this past Sunday. I set the Child Domain 1 zone two weeks ago. On the Child Domain 1 zone, the records show that they are available to be scavenged on December 2, 2014 at 10 PM.

I expected the scavenging cycle to still occur on Sundays. I have done scavenging in many places and really never noticed that the scavenging cycle changed dates. Maybe I just need to wait until tonight to see what happens.
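
The following is an added example, not part of the original post: it reads the scavenging settings from each DNS server and the aging settings of the child zone, so that the two halves of the configuration can be compared side by side. Server and zone names are placeholders. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); on 2008 R2 the same values come from dnscmd /info and dnscmd /zoneinfo.

```powershell
# Added example (not from the original post). Assumed names below.
Import-Module DnsServer

$servers = "dc1.parent.example", "dc1.child1.parent.example"   # assumed DNS server names
$zone    = "child1.parent.example"                              # assumed child zone

foreach ($s in $servers) {
    # Server-level switch: a server that has ScavengingState=False never runs a scavenge cycle,
    # whatever the zone says. LastScavengeTime is when its last cycle actually ran.
    $sc = Get-DnsServerScavenging -ComputerName $s
    "{0}: ScavengingState={1} ScavengingInterval={2} LastScavengeTime={3}" -f `
        $s, $sc.ScavengingState, $sc.ScavengingInterval, $sc.LastScavengeTime

    # A server can only scavenge zones it hosts. An AD-integrated zone stored in the child
    # domain partition is not present on parent-domain DCs unless it replicates forest-wide.
    $hosted = Get-DnsServerZone -ComputerName $s | Where-Object { $_.ZoneName -eq $zone }
    if (-not $hosted) { "  $s does not host $zone"; continue }
    "  {0} replication scope: {1}" -f $zone, $hosted.ReplicationScope

    # Zone-level aging: AvailForScavengeTime is the earliest moment a cycle may delete anything
    $ag = Get-DnsServerZoneAging -ComputerName $s -Name $zone
    "  AgingEnabled={0} NoRefresh={1} Refresh={2} AvailForScavengeTime={3}" -f `
        $ag.AgingEnabled, $ag.NoRefreshInterval, $ag.RefreshInterval, $ag.AvailForScavengeTime
    # ScavengeServers limits which servers may scavenge this zone; an empty list means any hosting server
    "  ScavengeServers={0}" -f ($ag.ScavengeServers -join ",")
}
```

Read the three lines together: a zone is only scavenged when at least one server that hosts it has ScavengingState=True, is not excluded by ScavengeServers, and runs a cycle after AvailForScavengeTime has passed.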


Replacing Domain Controllers - Branch Site


Hi, I wonder if someone is able to give me some advice on the following. 

We have 1 central HQ site and 2 branch offices; each branch site is a different AD forest, with a two-way external forest trust between HQ and each branch site. 1 DC at each branch site, 2 DCs at HQ, all Windows Server 2003 R2.

I have been given the task to:

1) Consolidate the 2 branch site domains/forests into our HQ AD environment

2) We have purchased 3 new physical Windows Server 2008 DCs, to have one 2008 box per site and demote the old DCs (very old hardware; I didn't want to do an in-place upgrade).

I'm trying to figure out the best order to do the above - shall I:

First put a 2008 DC at each site (I understand the schema preps etc. that need to be done), but make this a DC in the HQ domain (not the branch site domains), replicate AD, then migrate accounts from the external domain to it (so not doing it over the WAN) using ADMT. Or:

First migrate all accounts using ADMT from the external domains to the current 2003 DC in HQ (but over the WAN), then build the 2008 DC at the branch sites and replicate everything.

Any advice and opinions would be much appreciated. 

Thanks
Sarah

Communicating with DCs on their NAT address


Hi,

I've recently been asked to manage a small 2003 domain, called "school-dom". The DCs are on 192.168.2.xx addresses and hosted at the HQ site. Several satellite sites have PCs which remotely connect in. These PCs are all on 10.216.xx addresses. NAT is used to communicate with the DCs, which has been done by configuring NAT at the firewall and adding AD DNS A records for both DCs with their 10.216.xxx NAT addresses.

An issue was discovered whereby the DCs deleted these DC NAT A records from DNS, so the previous admin decided to put a deny for SYSTEM on the DCs' 10.216.xx A records to get around the auto-delete. This setup used to work, but we've recently hit an issue whereby when a new PC is put on the 10.216.xx network and an admin tries to add it to the domain, the PC fails to join the domain. Pinging the domain name and doing an nslookup against the domain returns the correct internal IPs of the DCs on their 192.168.xx addresses, but the PCs on the 10.216.xx network can't communicate with the DCs on the 192.168.xx addresses. Why this worked before and not now, nobody knows. If a hosts record is added on the client mapping the school-dom domain to the NAT IPs of the DCs, then domain join works. The clients can ping and tracert to the DCs on the NAT address, but not the internal 192.168.xx addresses. Domain ports are open from the client to the DCs (TCP 123, 135, 3268, 389, 445, 53; UDP 53, 88, 123, 135, 3268, 389, 445).

I've been asked to come up with a solution of resolving this without making client side changes (e.g. hosts file). I’m thinking of:

1. Checking with networks to see if it's possible to route traffic rather than NAT. If doable, then get rid of the DC NAT addresses.
2. Introducing a new 2008 R2 DC, configuring proper sites and assigning the DC a 10.216.xx address.
3. Making the registry change in the article above (least preferred).

Some advice on resolving this would be appreciated.
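
As an added check (not from the original post), the script below does from a 10.216 client what the domain-join code path does: it resolves the DC locator SRV records, then the A records they point at, and tests whether each returned address answers on the TCP ports the post lists. The domain FQDN is an assumption, and Test-NetConnection needs Windows 8 / Server 2012 or later on the client; UDP ports (Kerberos 88, DNS 53) are not covered by a TCP connect test.

```powershell
# Added example (not from the original post). Run on a client in the 10.216.xx network.
$domain   = "school-dom.local"                    # assumed FQDN of the "school-dom" domain
$tcpPorts = 53, 88, 135, 389, 445, 3268           # TCP ports from the post, plus 88 (Kerberos also uses TCP)

# The locator queries the SRV records first; whatever A records they map to is what the client will use.
$answer = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV
foreach ($srv in ($answer | Where-Object { $_.Type -eq "SRV" })) {
    "{0} -> {1}" -f $srv.Name, $srv.NameTarget

    # A DC name with both a 192.168 and a 10.216 A record returns both; the client may pick either.
    $addrs = (Resolve-DnsName -Name $srv.NameTarget -Type A).IPAddress
    foreach ($ip in $addrs) {
        foreach ($p in $tcpPorts) {
            $ok = (Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            "  {0}:{1} {2}" -f $ip, $p, $(if ($ok) { "open" } else { "BLOCKED" })
        }
    }
}
```

If every SRV target resolves only to 192.168 addresses and those show BLOCKED, the failure is the one described in the post; if a 10.216 address is still returned but blocked, the NAT rule rather than DNS is the first thing to look at.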



Delegate permissions in AD


Hello Team,

I see how to delegate control to a user to manage an OU with the setting "Create, delete, and manage user accounts". Is there a way to have that user only "manage" user account settings without the create and delete permissions?


Tom Karpowski...
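
The script below is an added example, not part of the original post. It grants a group write access to a chosen set of attributes on user objects under an OU, plus the Reset Password control access right, and nothing else: no CreateChild or DeleteChild, so the group cannot create or delete accounts. The OU, group name and attribute list are assumptions; schema and extended-right GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example (not from the original post). OU, group and attribute list are assumed.
Import-Module ActiveDirectory

$ouDN      = "OU=Staff,DC=example,DC=com"                              # assumed
$groupName = "HelpDesk"                                                # assumed
# The attribute list is the security decision: userAccountControl lets the group enable/disable
# accounts and flip flags such as "password not required"; leave it out if that is not intended.
$attrs     = "description", "telephoneNumber", "userAccountControl"     # assumed

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

function Get-SchemaGuid([string]$ldapDisplayName) {
    # schemaIDGUID is stored as a byte array; every class and attribute has one
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    New-Object System.Guid -ArgumentList (,[byte[]]$o.schemaIDGUID)
}

$userClass = Get-SchemaGuid "user"
$resetPwd  = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" `
                -Properties rightsGuid).rightsGuid

$sid   = (Get-ADGroup -Identity $groupName).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function New-UserObjectRule($right, [Guid]$objectType) {
    # ACE applies only to objects of class user below the OU (inheritedObjectType = user)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $right, $allow, $objectType, $inh, $userClass
}

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($a in $attrs) {
    $acl.AddAccessRule((New-UserObjectRule ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) (Get-SchemaGuid $a)))
}
$acl.AddAccessRule((New-UserObjectRule ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) $resetPwd))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review: the group's entries must show WriteProperty/ExtendedRight only, never CreateChild or DeleteChild
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The Delegation of Control wizard produces the same kind of ACEs under "Create a custom task to delegate" with "Only the following objects in the folder: User objects" and property-level permissions; doing it in script makes the exact rights reviewable and repeatable.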

Access Denied Error - DCPromo Demotion

Good afternoon. I have a 2008 R2 Server Core that is a second DC in my domain. It is not functioning correctly, so I want to demote it and re-promote it so that hopefully it functions correctly. In essence the server is unresponsive and cannot properly serve up any of the DC functions. It is actually causing my primary DC to throw errors about not knowing its own roles properly! When I run the dcpromo command, I get an "Access is denied" error stating that Active Directory Domain Services could not configure the computer account DC2 on the remote Active Directory Domain Controller DC1. I have already checked that the option to protect from accidental deletion is NOT selected. Thanks in advance.

LookupAccountName fails with error The trust relationship between the primary domain and the trusted domain failed


I have very basic question here...

I have a situation where a friend of mine claims that he has parent and child domains created. As they are parent and child domains, there is a two-way transitive trust created by default.

But when I try to run a Python application which internally calls win32security.LookupAccountName("", LocalSystem), it takes approx. 2 minutes to complete and fails with the exception "The trust relationship between the primary domain and the trusted domain failed", error code 1788.

Any idea what could have happened ? And how to resolve this ? Is there any way to verify the trust relationship between these domains ?
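
As an added example (not from the original post), the following enumerates the trusts the local domain knows about and runs a secure-channel verification against each, which is the check behind the third question. Run it on a domain controller of the domain the application runs in; domain names come from the directory, nothing is assumed except that the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post). Run on a DC with RSAT/ActiveDirectory module.
Import-Module ActiveDirectory

# What LookupAccountName saw: 1788 is ERROR_TRUSTED_DOMAIN_FAILURE, the same text as in the post
"Win32 error 1788: " + ([System.ComponentModel.Win32Exception]1788).Message

# Every trust object in this domain, with direction and transitivity as AD records them
foreach ($t in Get-ADTrust -Filter *) {
    "{0}: direction={1} intraForest={2} forestTransitive={3} type={4}" -f `
        $t.Name, $t.Direction, $t.IntraForest, $t.ForestTransitive, $t.TrustType

    # nltest asks Netlogon to verify the secure channel to a DC of the trusted domain
    $out = & nltest "/sc_verify:$($t.Name)" 2>&1
    if ($LASTEXITCODE -ne 0) {
        "  sc_verify FAILED: " + ($out -join " ")
    } else {
        $out | Where-Object { $_ -match "Trusted DC Name|Status" } | ForEach-Object { "  $_" }
    }
}

# This machine's own secure channel to its domain (the 'primary domain' in the error text)
Test-ComputerSecureChannel -Verbose
```

A trust that appears in Get-ADTrust but fails /sc_verify usually means the trust password is out of sync or no DC of the trusted domain is reachable; Test-ComputerSecureChannel -Repair resets only the local machine's channel, and netdom trust ... /reset resets the trust itself.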

How to enable / make available of "Computer" template with Enterprise Root CA template


Hi

We have to issue certificates using the "Computer" certificate template, but this template is not available on the certificate request URL, and even the command-line request fails as seen below:

Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: computer.

This template is shown on the enterprise CA. How can we enable this template? We are using Windows Server 2008 R2 Enterprise.

Thanks in advance


LMS
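
An added note and example, not from the original post. The error quotes the template name the request used, "computer". The template displayed as "Computer" in the CA console has the common name Machine in Active Directory (CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...), and both the CA's issued-template list and a request must refer to it by that name. The script below lists what the CA will issue, publishes the Machine template, and shows who holds the Enroll right on it. It assumes it is run on the CA with the ActiveDirectory module available; no CA name is assumed because certutil defaults to the local CA.

```powershell
# Added example (not from the original post). Run on the Enterprise CA as a CA administrator.

# Templates this CA is currently willing to issue; the request fails until Machine appears here
certutil -CATemplates

# Publish the template under its common name (display name "Computer", CN "Machine")
certutil -SetCATemplates +Machine
# Windows Server 2012+ equivalent from the ADCSAdministration module: Add-CATemplate -Name Machine -Force

# Enrollment is also gated by the template's own DACL: the requester (typically Domain Computers)
# needs the Certificate-Enrollment control access right, GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplDN   = "CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$enroll   = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"

(Get-Acl -Path "AD:\$tmplDN").Access |
    Where-Object { $_.ObjectType -eq $enroll -and $_.AccessControlType -eq "Allow" } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Format-Table -AutoSize
```

A certreq .inf file for this template likewise uses CertificateTemplate = Machine; using the display name there produces the same "not supported by the policy" denial.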

Root Domain Controler not working


Hi all,

We faced an issue during downtime maintenance in the data center.

After the downtime, we restarted all production servers and the root domain controller.

In our data center, we have 2-node Windows clusters for DB and IIS applications.

After we restarted the root domain controller, the DNS console would not open and the Active Directory related consoles also would not open.

Also, using domain user accounts, we were not able to log in to servers.

The cluster resources also did not work.

After a long time and several reboots, DNS and AD started working.

This root domain controller holds all 5 FSMO roles.

And we also have an additional DC at a remote site.

Domain Controller OS: Windows Server 2008 R2 Enterprise.

We faced the same issue twice during downtime.

Why does this issue occur? Can anybody help me?


Logon Server N/A


Ok,

So here is the dilemma, which I honestly have been on for the past month, and I can't seem to track down the issue. It hasn't been just me either; there was a support case with Microsoft created, and they can't seem to figure this out either, so if I get no replies here I understand why. (Open to suggestions.)

The issue is that the domain logon server itself is disappearing, which in a high-load environment I would understand and think is likely an issue with over-utilization. The environment here is 34 people, and at any given time there are only 20 to 25 in the office. But, for whatever reason, I am getting clients disconnecting from the domain controller. I had created a domain policy to try to force the systems to wait for the network, thinking this would at minimum point out whether this is a network issue or a server issue. But the policy setting doesn't seem to make a difference. (Wait for network and require a domain controller to log into the PC.)

The DC is a 2k8 server x64 running 64 GB of DDR2 registered memory.

It has 2 eight-core Xeon processors.

It is a RAID 6 with SSDs that do 6 Gbps.

The server is fully patched, all drivers (NIC and all) have been updated, and there is no NIC teaming.

The server is rebooted 4 times a year, once every 3 months.

The network is a gigabit network using Cat6 and Juniper hardware.

There are no internal firewalls and the servers do not run AV.

The desktops are all Windows 7 x64 and vary as to hardware, with the worst being Core 2s and the best being i7s.

Memory varies from 4 GB to 16 GB.

Hard disks are all at least 250 GB and SATA 7200 RPM.

All the Windows 7 machines are updated weekly with WSUS.

All the Windows 7 machines have AV installed, all the same; all have the firewall turned off and network discovery turned on.

They were all clean builds, never using Ghost or any cloning.

I haven't been able to track down where the issue is coming from. Has anyone else seen this issue?


Rob

Riverbed Steelhead RODC Issues?


Has anyone in the community experienced issues in environments where a Riverbed Steelhead 'RODC' has been deployed? Is there anything which needs special attention? From what I understand it does not advertise itself as a DC and does not directly service authentication requests.

Active Directory Audit advice


Hello,

We have recently been given responsibility for performing independent audits of our Active Directory, so we would like to get some advice on how to set up and perform these AD audits.

We need to be able to audit and document all accounts, groups and their changes, all default admin accounts, accounts with elevated access, delegated rights and admins, access and changes to critical objects (e.g. the Domain Admins group, the Administrator account etc.), directory service audit settings (i.e. SACLs on AD objects) etc. The objective is to perform periodic security audits independently of our AD team, so we can inform them if we find anything strange.

So how can we achieve that using Microsoft native tools? Or is there a standalone product that will give us the opportunity to perform AD audits easily and, what is more important, make "management friendly" audit reports?

Thanks!
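
The script below is an added example, not from the original post, of the native-tool approach: it snapshots the items the post lists (privileged group membership, adminCount-protected accounts, explicit rights and the SACL on critical objects) into a CSV that a reviewer outside the AD team can diff between runs. The output path is an assumption; reading SACLs requires the "Manage auditing and security log" privilege.

```powershell
# Added example (not from the original post). Output path is assumed.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$domDN  = $domain.DistinguishedName
$out    = "C:\Audit\ad-baseline-{0:yyyyMMdd}.csv" -f (Get-Date)     # assumed location
$rows   = @()

# 1. Effective (nested) membership of the built-in privileged groups
$groups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
          "Account Operators", "Backup Operators", "Server Operators", "DnsAdmins"
foreach ($g in $groups) {
    $rows += Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Check = "PrivilegedGroup"; Scope = $g; Object = $_.distinguishedName; Detail = $_.objectClass }
    }
}

# 2. adminCount=1: AdminSDHolder-protected accounts; also the usual leftover after removal from a privileged group
$rows += Get-ADUser -LDAPFilter "(adminCount=1)" | ForEach-Object {
    [pscustomobject]@{ Check = "AdminCount"; Scope = $domain.DNSRoot; Object = $_.DistinguishedName; Detail = "Enabled=$($_.Enabled)" }
}

# 3. Explicit (non-inherited) DACL entries and the SACL on the objects that control the domain
$critical = "CN=Domain Admins,CN=Users,$domDN", "CN=AdminSDHolder,CN=System,$domDN", $domDN
foreach ($dn in $critical) {
    $acl = Get-Acl -Path "AD:\$dn" -Audit
    $rows += $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{ Check = "DACL"; Scope = $dn; Object = $_.IdentityReference
                           Detail = "$($_.AccessControlType):$($_.ActiveDirectoryRights):$($_.ObjectType)" }
    }
    # No audit rules here means changes to the object are not audited (no 5136/4662 events to review)
    $rows += $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) | ForEach-Object {
        [pscustomobject]@{ Check = "SACL"; Scope = $dn; Object = $_.IdentityReference
                           Detail = "$($_.AuditFlags):$($_.ActiveDirectoryRights)" }
    }
}

$rows | Export-Csv -NoTypeInformation -Path $out
# On the next run, the "what changed" list is:
#   Compare-Object (Import-Csv $previous) (Import-Csv $out) -Property Check,Scope,Object,Detail
```

The change history itself (who added a member, who modified an ACL) comes from the DC Security logs once "Audit Directory Service Changes" is enabled and the SACLs above are set; the snapshot is what tells you whether that auditing is actually in place.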

employee ID for logon name?


Hey guys, need some thoughts on this. This is not my idea, nor am I in favor of it, but can any of you give me pros or cons on why usernames should be replaced by users' employee ID numbers? There are talks where I work that they would like to replace everyone's username with their employee ID. Seems to me that just having to always cross-reference a number with a user's name is asking for more trouble than it's worth.

Thanks!

Mike

Domain controller Authentication at Sites


Hi,

We have 2 offices, head office and branch office. The head office has 2 domain controllers and the branch office has one domain controller.

All the FSMO roles are on head office DC2.

Head office Servers are on 182.168.0.0 network

Head office users are in 172.8.4.0 Network

Branch office users are on 172.8.0.0 Network.

Both offices are connected through a 100 Mbps MPLS link.

I have already created sites and subnets in Sites and Services for both sites.

The problem is that users at the head office are logging on to the branch office DC3. DC1 and DC2 are at the head office, but still some users are going to the branch office for logon.

Kindly advise, as I want head office users to log on to DC1 or DC2 only.

We have Windows Server 2008 R2.
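
The following is an added example, not part of the original post, covering the checks that explain a client authenticating to the wrong site: whether every client subnet maps to a site, which DCs DNS advertises for each site, what the client itself believes its site to be, and Netlogon's own summary of clients that matched no subnet. Nothing is assumed beyond the ActiveDirectory module being present; site and domain names are read from the directory.

```powershell
# Added example (not from the original post).
Import-Module ActiveDirectory
$dom = (Get-ADDomain).DNSRoot

# 1. Subnet-to-site map. A client whose IP matches no subnet here is not "site-less": the DC that
#    answers simply picks any DC, which is how a head-office user ends up on DC3.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize

# 2. DCs that DNS advertises per site (site-specific SRV records), i.e. what a correctly mapped client gets
foreach ($site in (Get-ADReplicationSite -Filter *).Name) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$dom" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq "SRV" }
    "{0}: {1}" -f $site, (($srv.NameTarget | Sort-Object -Unique) -join ", ")
}

# 3. On an affected head-office client: the site it computed and the DC it was handed
nltest /dsgetsite
nltest /dsgetdc:$dom

# 4. On each DC: Netlogon event 5807 summarises connections from clients that mapped to no subnet;
#    the individual client addresses are in %SystemRoot%\debug\netlogon.log
Get-WinEvent -FilterHashtable @{ LogName = "System"; ProviderName = "NETLOGON"; Id = 5807 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

A common outcome of these checks is a subnet such as the users' 172.8.4.0 range that was never added, or added with a mask that does not cover the client addresses; nltest /dsgetsite on the client shows this immediately.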

Enabling LDAPS on 2008 R2 Domain Controller


Hi,

Where can I buy a third party certificate to enable LDAPS communication on a 2008 R2 DC?

I know how to enable LDAPS communication, so that's not what I'm asking, but rather where I can buy a third-party certificate.
Thanks.

AD Design Questions


Hello All,

I need help with the design of Active Directory Domain Services. Let me first give some background before I line up the questions one by one.

BACKGROUND: There is a forest root domain with the name abc.com residing in the company's headquarters in Country A. Exchange, Lync, SharePoint and other applications are installed in that domain. Now a requirement has come up to set up Active Directory for the users in another country, Country B. Users in Country B do not have any dependency on either the Active Directory or any applications running in the headquarters in Country A. They run their services locally, currently in a workgroup environment. The network connectivity between Country A and Country B is 256 Kbps. Country B's IT reports to Country A IT, and IT policy flows from Country A to B. There are eight locations in Country B that require Active Directory, with one hub location that is connected to Country A. The total number of users in those eight locations is around 250. All eight locations in Country B are connected to each other by at least 1 Mbps.

1. Since there is no dependency on any services running in Country A, and keeping in mind the low connectivity of 256 Kbps between the two geographical locations, would it be a good design to create a separate forest for Country B?

2. Or, since IT policy flows from A to B, is it appropriate that Country B should also be part of the same domain? The only thing that worries me about this design is the low connectivity speed, and there is only one connection at the moment; in case of inactivity, it might cause problems for users or applications here in the headquarters, as they might sometimes send requests to DCs in Country B. Any suggestions on this?

3.  If I go with the same domain, what would be better:

     A. Create ADCs in the same domain.

     B. Create DCs in the child domain (countryb.abc.com)

     C. Create DCs in the child domain (global.abc.com) so that any new territories that come up can be added in here as well.

4. What should the number of DCs/ADCs in Country B be, keeping in mind that connectivity between locations is around 1 Mbps and there are around 250 users in total?


UserAccountControl flag now set as 544


Whilst fixing another problem today I have started to notice that the userAccountControl flag on 4 or 5 user accounts has changed from 512 to 544 (PASSWD_NOTREQD). I have 2 questions:

1) How has the flag set itself to 544?

2) Is this anything to be concerned about?

Cheers

Adam.
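
An added example, not from the original post. 544 is 512 (NORMAL_ACCOUNT) with bit 0x20 (32, PASSWD_NOTREQD) set, which exempts the account from the domain's password policy, including minimum length, so it can carry a blank password. The script finds every account with that bit set using the LDAP bitwise-AND matching rule, looks in the DC Security log for the 4738 events that record who changed it, and then clears the bit. It assumes it runs on a DC (for the Security log) with the ActiveDirectory module.

```powershell
# Added example (not from the original post). Run on a DC; clearing the flag is the last step.
Import-Module ActiveDirectory
$PASSWD_NOTREQD = 0x20     # 32; 512 + 32 = 544, which is what the post reports

# 1. Every user with the bit set; 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND OID
$accts = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD)" `
                    -Properties userAccountControl, PasswordLastSet, whenChanged
$accts | Select-Object SamAccountName, userAccountControl, PasswordLastSet, whenChanged | Format-Table -AutoSize

# 2. Who set it: event 4738 ("A user account was changed") lists the old and new UAC text.
#    Properties[1] = TargetUserName, Properties[5] = SubjectUserName per the 4738 event schema.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4738 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "'Password Not Required' - Enabled" } |
    Select-Object TimeCreated,
                  @{ n = "Target"; e = { $_.Properties[1].Value } },
                  @{ n = "ChangedBy"; e = { $_.Properties[5].Value } } |
    Format-Table -AutoSize

# 3. Clear the bit. Accounts that currently have an empty password stop being able to log on
#    until a password is set, which is the intended effect.
foreach ($u in $accts) {
    $newUac = $u.userAccountControl -band (-bnot $PASSWD_NOTREQD)      # 544 -> 512
    Set-ADUser -Identity $u -Replace @{ userAccountControl = $newUac }
    # Equivalent without bit arithmetic: Set-ADUser -Identity $u -PasswordNotRequired $false
}
```

Setting userAccountControl requires only write access to that attribute, which is why it is worth checking the 4738 events rather than assuming an administrator did it; the earlier delegation example on this page shows how broad a "manage user accounts" delegation can be when it includes this attribute.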

Calling All Wise Men! Windows Server Gurus Needed! Apply Within! No One Turned Away!


Calling all wise men!

Join us and rejoice!

The time for giving is upon us again!

A time for family (community) and gifts of knowledge!

Why not wrap up a little something extra special this year.

After all, tis the season to be generous!

Remember the reason for the season!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well-known community big hitters, show your knowledge and prowess in your favoured technologies!

DNS Record related Query


Hi Team,

I am Sajin. I have a few queries related to DNS, which are mentioned below.

1) I know about the Host record, which helps to resolve a fully qualified domain name to an IP address.

An Alias record helps us resolve a host under multiple names. Example: one host called zeta.microsoft.com can have an alias www.microsoft.com.

My question is: instead of creating an Alias record, if we create an additional Host record for the same host and give it the name www, then we can also perform the same task. So in which cases do we need to use an Alias record?


2) I have a query related to refreshing the records in the DNS database.

I had gone through some docs and found the situations in which a record refresh will occur.

Record refresh:
  - When a computer is restarted on the network and, if at startup, its name and IP address information are consistent with the same name and address information it used before being shut down, it sends a refresh to renew its associated resource records for this information.
  - A periodic refresh is sent by the computer while it is running. The Windows DNS Client service renews DNS registration of client resource records every 24 hours.

So my query is that every time we restart a system which is in the domain, the refresh process can occur, so the timestamp also gets changed, right?

Assume that the client uses a secondary DNS server (read-only copy) for resolution; will the timestamp get changed or not on the secondary server, as it is read-only?

 Kindly give your suggestion.

Regards

Sajin P S
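
The script below is an added example, not part of the original post. It reads the timestamps the refreshes above leave on each A record, works out which records have already fallen past the zone's No-Refresh plus Refresh window (the set the next scavenge cycle would delete), and lists the zone's CNAME records next to them so the Alias-versus-second-Host question can be seen in the data: a CNAME carries only the target name, while a second A record is an independent copy of the address with its own timestamp. Server and zone names are assumptions, and the DnsServer module (Windows Server 2012 or later, or RSAT) is required.

```powershell
# Added example (not from the original post). Server and zone are assumed.
Import-Module DnsServer
$server = "dc1.example.com"      # assumed
$zone   = "example.com"          # assumed

# Records older than NoRefresh + Refresh are what a scavenge cycle removes
$ag  = Get-DnsServerZoneAging -ComputerName $server -Name $zone
$cut = (Get-Date) - ($ag.NoRefreshInterval + $ag.RefreshInterval)

Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType A |
    Select-Object HostName,
                  @{ n = "Address";   e = { $_.RecordData.IPv4Address } },
                  @{ n = "Timestamp"; e = { $_.Timestamp } },
                  @{ n = "Static";    e = { $null -eq $_.Timestamp } },          # no timestamp = never scavenged
                  @{ n = "Eligible";  e = { ($null -ne $_.Timestamp) -and ($_.Timestamp -lt $cut) } } |
    Sort-Object Eligible, Timestamp -Descending | Format-Table -AutoSize

# Aliases: the only data is the target name, so the address follows whatever zeta's A record says.
# A second A record named www would instead hold its own copy of the address and be refreshed,
# or not, independently of the real host.
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType CNAME |
    Select-Object HostName, @{ n = "Target"; e = { $_.RecordData.HostNameAlias } }, Timestamp |
    Format-Table -AutoSize
```

On a secondary zone the same cmdlet works but the timestamps are whatever the last zone transfer copied from the primary; a secondary never accepts dynamic updates, so nothing a client does against it changes them.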


Domain server upgrade issue


Hi

I have recently introduced the first Server 2012 R2 domain controller into our environment.

We currently have Server 2008 DCs, and my plan was to upgrade a DC on a remote site to Server 2012 R2.

The upgrade appeared to be successful, but only a few days later we started noticing issues.

We have some Server 2003 servers on that site to support legacy applications. When we try to RDP to the 2003 servers, we receive the following:

            The system cannot log you on due to the following error:
            The RPC server is unavailable

I suspect the 2012 R2 DC has disabled some authentication method that I need to manually re-enable.

I'm sure the problem can be easily resolved, and I'm looking for anyone else who has had a similar issue and managed to resolve it.

Error 0x219D after Restore AD Object


Hi,

I restored two AD objects today with the ldp.exe method that is described on Microsoft TechNet.

The log of the operation is ok:

***Call Modify...
ldap_modify_ext_s(ld, 'CN=nas1\0ADEL:d575a524-2b46-4033-8916-019aa2f05810,CN=Deleted Objects,DC=kanzlei,DC=local',[2] attrs, SvrCtrls, ClntCtrls);
Modified "CN=nas1\0ADEL:d575a524-2b46-4033-8916-019aa2f05810,CN=Deleted Objects,DC=kanzlei,DC=local".

and

***Call Modify...
ldap_modify_ext_s(ld, 'CN=KKKK SSSS\0ADEL:63589638-7ebe-43ea-a8c8-fe3595841585,CN=Deleted Objects,DC=kanzlei,DC=local',[2] attrs, SvrCtrls, ClntCtrls);
Modified "CN=KKKK SSSS\0ADEL:63589638-7ebe-43ea-a8c8-fe3595841585,CN=Deleted Objects,DC=kanzlei,DC=local".

One was a computer account and the other a user. But now the problem I have:

The accounts are both disabled. When I try to enable them I get the message:

In translation: The requested object has a non-unique identifier and cannot be retrieved. The error code 0x219D is from ldp.exe when I try to delete the object:

ldap_delete_ext_s(ld, 'CN=nas1,CN=Computers,DC=kanzlei,DC=local', SvrCtrls, ClntCtrls);
Error: Delete: Operation refused. <53>
Server error: 0000219D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0

Error 0x219D: The requested object has a non-unique identifier and cannot be retrieved.

I also get the same message on every other operation with the accounts (modify, delete).

Any idea what could be going wrong and what I can do to fix the problem?

The AD environment is Windows Server 2012 R2 with two domain controllers (no errors in the event log about replication etc.).

I also tried to check for duplicate SIDs with ntdsutil:

C:\>ntdsutil
ntdsutil: security account management
security account maintenance: connect to server dc1
security account maintenance: check duplicate sid
.
The search for duplicate SIDs completed successfully. Check dupsid.log for duplicates.
security account maintenance:

but the log file is empty.

Also, the following PowerShell command lists only one account:

Get-ADObject -LDAPFilter "(sAMAccountName=Accountname)" -IncludeDeletedObjects

Regards,
Thomas
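
As an added example, not from the original post: the Get-ADObject search quoted above only looks in the default naming context and, for the computer account, only matches if the filter included the trailing "$" that computer sAMAccountNames carry. The script below repeats the search across every naming context with deleted objects included, matching the CN prefix so that a lingering "nas1\0ADEL:..." tombstone is also found, and then asks a global catalog whether any object in the forest shares the restored object's SID. The CN "nas1" is taken from the post's ldp output; everything else is read from the directory.

```powershell
# Added example (not from the original post). CN taken from the ldp output in the post.
Import-Module ActiveDirectory
$cn   = "nas1"
$sam  = "$cn$"                      # computer accounts: sAMAccountName is the name plus '$'
$root = Get-ADRootDSE

# 1. Same name anywhere, live or deleted, in every partition this DC holds.
#    (cn=nas1*) also matches a tombstone whose CN became "nas1\nDEL:<guid>".
foreach ($nc in $root.namingContexts) {
    Get-ADObject -SearchBase $nc -IncludeDeletedObjects `
                 -LDAPFilter "(|(cn=$cn*)(sAMAccountName=$sam)(sAMAccountName=$cn))" `
                 -Properties objectSid, sAMAccountName, isDeleted, lastKnownParent, whenChanged |
        Select-Object DistinguishedName, ObjectClass, sAMAccountName, objectSid, isDeleted, whenChanged
}

# 2. Same SID anywhere in the forest, via the global catalog (port 3268).
$live = Get-ADObject -LDAPFilter "(&(cn=$cn)(!(isDeleted=TRUE)))" -Properties objectSid | Select-Object -First 1
if ($live) {
    $sid = $live.objectSid.Value
    Get-ADObject -Server "$($root.dnsHostName):3268" -LDAPFilter "(objectSid=$sid)" -Properties objectSid |
        Select-Object DistinguishedName, ObjectClass
}
```

Two hits in step 1 with isDeleted=False (for instance the restored object plus an object that was recreated under the same name while it was deleted), or two hits in step 2, is the duplicate the error text refers to; if both searches return exactly one object, the next place to look is the second DC with the same queries, since the post notes replication reports no errors but has not confirmed both DCs hold the same view.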



