Channel: Directory Services forum

DCGPOFIX on RODC


Hi Guys,

I am facing a similar issue to the one highlighted in the article below, but only on the RODC:

http://forums.whirlpool.net.au/archive/1533833

Is it fine to execute dcgpofix /ignoreschema on the RODC? Since this is an RODC, the changes should not replicate, right? If this is not the fix, then how can I mitigate the issue on the RODC? (The issue is on the RODC only; all other DCs are fine.)


Unable to create child domain


I've an existing W2008R2 domain, and I'm trying to create a new child domain using W2012 Std. The new server is on a remote subnet, connected via WAN, without any firewall or security filter. It can connect to the existing domain controllers (ping, network share, and so on; all works).

I start the wizard, and it confirms that the environment is OK. Then it stalls when working on "Active Directory synchronizing". It reports a series of 1963/1961/2839/1962/1125 event ID errors, then after a while it starts again reporting the same series (it loops to check if the problems are solved, I think).

I cannot find any way to understand why it cannot complete the dcpromo.

Any idea?

Thanks

Windows Server 2008 R2 Slow Response


hi,

When I open Active Directory Users and Computers it takes too much time to open. The same is the behavior with the other services like Active Directory Sites and Services. I am fed up with this slow behavior of Windows. Please help.

Computer locked Policy


Which policy do I have to set for computer locking from a 2003/2008 DC?

Domain & Work Group Issue


Dear All,

I am installing a software application (Data Entry) on a client machine. It works fine when the client is in a workgroup, but when I join the domain the software application stops working.

Let me show you the netstat results.


C:\Documents and Settings\Test>netstat -A

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    TELECOMM:epmap         TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:microsoft-ds  TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:2030          TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:3389          TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:6279          TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:9100          TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:1038          TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:1085          TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:1375          localhost:1376         ESTABLISHED
  TCP    TELECOMM:1376          localhost:1375         ESTABLISHED
  TCP    TELECOMM:1378          localhost:1379         ESTABLISHED
  TCP    TELECOMM:1379          localhost:1378         ESTABLISHED
  TCP    TELECOMM:49100         TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:3083          addons-versioncheck-single1.zlb.phx.mozilla.net:https  CLOSE_WAIT
  TCP    TELECOMM:3084          addons-star.zlb.phx.mozilla.net:https  CLOSE_WAIT
  TCP    TELECOMM:netbios-ssn   TELECOMM.pcrwp.com:0   LISTENING
  TCP    TELECOMM:2602          se.pcrwp.com:microsoft-ds  ESTABLISHED
  TCP    TELECOMM:3081          pdc.pcrwp.com:epmap    TIME_WAIT
  TCP    TELECOMM:3082          pdc.pcrwp.com:49158    TIME_WAIT
  TCP    TELECOMM:3086          pdc.pcrwp.com:49158    TIME_WAIT
  TCP    TELECOMM:3095          pdc.pcrwp.com:epmap    TIME_WAIT
  TCP    TELECOMM:3096          pdc.pcrwp.com:49156    ESTABLISHED
  TCP    TELECOMM:3099          192.xxx.xxx.xxx:9000   FIN_WAIT_2
  TCP    TELECOMM:3389          se.pcrwp.com:57751     ESTABLISHED
  UDP    TELECOMM:microsoft-ds  *:*
  UDP    TELECOMM:isakmp        *:*
  UDP    TELECOMM:4500          *:*
  UDP    TELECOMM:ntp           *:*
  UDP    TELECOMM:1025          *:*
  UDP    TELECOMM:1049          *:*
  UDP    TELECOMM:1058          *:*
  UDP    TELECOMM:1115          *:*
  UDP    TELECOMM:1900          *:*
  UDP    TELECOMM:2610          *:*
  UDP    TELECOMM:ntp           *:*
  UDP    TELECOMM:ntp           *:*
  UDP    TELECOMM:netbios-ns    *:*
  UDP    TELECOMM:netbios-dgm   *:*
  UDP    TELECOMM:ntp           *:*
  UDP    TELECOMM:1900          *:*

" TCP    TELECOMM:3099          192.xxx.xxx.xxx:9000   FIN_WAIT_2"

This process keeps itself in FIN_WAIT_2 and the application didn't start. What should I do? Please advise.


All is Well

Migrate computer local groups to domain


Hello,

Is it possible to migrate a computer's local users & groups [workgroup environment]
to AD domain users & groups?

ADMT can transfer from domain to domain
but not from workgroup to domain environment.

Why am I asking about it ?

I've a standalone file server with many shares which will be migrated to a CIFS storage system with AD integration.


Best regards, Janusz Such

Migrating from one Domain Controller to another Server 2012


I am currently running a Windows Server 2008 R2 Domain Controller. I would like to switch over to a new DC using Windows Server 2012 on the same network and decommission the old DC. This seems pretty straightforward, but I would also like to change the name of the domain and keep all the user profiles.

The current domain controller is tied into ESXi, FreeNAS, and various other server applications.

The goal is to have it so that user1.domain1.local has the same profile when switched to the second domain user1.domain2.local. I would need to manually configure ESXi and some other dependent servers. I would also like to migrate over group policy.

The reason I don't want to migrate the current domain and all of Active Directory is mostly because of botched installs of Exchange, Lync Server, and some other half-finished projects that have altered Active Directory. So I would like to pick and choose what is migrated over.

Is what I am trying to accomplish possible?


How to email event in Windows server 2008?


How can I capture server events in Windows Server 2008 R2 using PowerShell?

What I want to do is have Windows Server 2008 R2 send me an email every time a member has been added to any security group (event ID 4728).


Auto email notification to system administrators if users do not login for more than 1 month


As per the title above, the goal is basically to allow the system administrators to be notified that certain users have not logged in to their PCs for at least a month, and that they are therefore required to disable those users' domain accounts. The email notification will keep being sent to the system administrators on a daily basis until the system administrators have disabled the users' domain accounts. Is there any solution to implement this? I hope my explanation is clear. I really need assistance from you all! Thank you in advance!

DDM1983

Windows Server 2008 FSMO could not be verified

Hello, first off, I know this may seem stupid, but I read the other articles regarding the error message and the Microsoft articles, yet they did not work.

I tried using the utility ntdsutil, and when I tried to replicate the schema operation off the main (teacher's edition) onto mine, it said I had insufficient privileges, and I am signed into my version of Server 2008 as a Domain Administrator.

I am trying to create a domain off of an existing domain; both domains are running Windows Server 2008 Enterprise.

I am currently taking IT221 Microsoft Network Operating Systems 1 at ITT Technical Institute. Windows Server 2008 is a new thing to the students and the teachers here. I am trying to add a child domain on my (student's) copy of Server 2008, onto the master domain (which is the copy that the teacher has installed and running).



I log in with my domain account and start to do the lab exercise where I am supposed to use the "create a new domain in an existing forest" option. However, when I do that I get the following message:

The operation failed because:

Active Directory Domain Services could not create the object CN=TEST,CN=Partitions,CN=Configuration,DC=078IT221,DC=com. Check the event log for possible system errors.

"The FSMO role ownership could not be verified because its directory partition has not been replicated successfully with at least one replication partner."

"This server has been disjoined from the domain 078IT221."

Can anyone help with this? I have searched forums and Microsoft articles, but I keep running into problem after problem, and I have this class tomorrow, which means when I get to the lab to do our exercises, I'll be too busy trying to help the other students to try to do this stuff, and I don't want them running into the same problems as me. My lab grade is based off how much I try to help the other students.

Good tool to remove old accounts out of AD


Hi guys,

Just a quick, simple question. I want to clean up my AD domain of old user and computer accounts. What are some tools that will display the last logon time/date for all users and computers in the AD domain? Any ideas?

Failed Computer Kerberos Authentication


Hello,

I have a problem where duplicate IP DNS records are causing my domain DHCP computers to fall off the domain with authentication issues due to failed RPC and broken AD Kerberos connections. And before you ask, yes, I have both DNS scavenging and DHCP Conflict Detection enabled. It's just the usual sliding window of possible duplicate DNS records when the clients are turned off and on at a high rate, with a DHCP lease period of 8 days and a total scavenge period of 7 days.

Via a PS script, I have determined most of these failed computers have a password > 90 days old, as well as a broken Kerberos connection (determined via 'nltest /server:computer /sc_query:domain'), but some have good passwords (i.e. < 90 days) but broken Kerberos connections.

Question 1: How can I prevent this sliding window of possible duplicate IP address DNS records?

Question 2: Why do some of the above-mentioned problem computers have a good computer password, but still a bad secure AD connection?

Question 3: Is there any way to prevent this entire above scenario from occurring?

Cheers,

Cosmo



Protecting group from accidental deletion.


Hello forum,

I am currently working on a Server Core (Windows 2008R2) and I have an OU called 'Groups'. In this OU I have several Global and Domain Local groups that I want to protect from accidental deletion with dsacls.exe. I am however having trouble finding the correct syntax. 

Using 

dsacls "cn=GG-SALES,ou=Groups,dc=S14,dc=NID" /d Everyone:SDDT

did not work, and so far I have only been able to protect my OU from deletion. Giving the /I:T parameter did not protect the underlying groups.

Does anyone have an idea how I can protect the groups in only this OU from accidental deletion with dsacls.exe?

Many thanks.

Upgrade of Domain Controller from Windows Server 2003 Standard 32 Bit Edition to Windows Server R2 Standard Edition


Hi Experts,

I want to upgrade a Domain Controller from Windows Server 2003 Standard 32 Bit Edition to Windows Server R2 Standard Edition.

I have some queries. Please help me out on these.

  1. Tasks to be done before upgrading.
  2. Step-by-step procedure to upgrade a domain controller from Windows Server 2003 Standard 32 Bit Edition to Windows Server R2 Standard Edition.
  3. Issues that can happen during the upgrade, and mitigation of those issues.
  4. How to verify the upgrade from Server 2003 to Server 2008.
  5. How to verify DNS functionality on the new DC.
  6. How to verify the functionality of the 2008 DC.
  7. How to demote the Windows Server 2003 Domain Controller.

Balwan Singh

Warning issues after adding 2008 R2 in a 2003 domain environment


Our environment consists of Windows XP and a few Windows 7 clients and 2003 servers. We have added a 2008 R2 DC in our 2003 environment (two 2003 DCs) and plan to add another soon. We plan to move all the roles to the 2008 R2 DCs and phase out the 2003 DCs. Currently we have started getting a few warnings in the DNS & AD event logs on both the 2008 R2 and 2003 domain controllers. We want these issues resolved before introducing the other 2008 R2 DC in our environment and transferring the roles to the 2008 R2 DC. Please review the events below:

Log Name:      DNS Server-2008 R2
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/12/2012 1:00:54 AM
Event ID:      4013
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      DMGDC1.dawn.com
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
    <EventID Qualifiers="32768">4013</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-11T20:00:54.000000000Z" />
    <EventRecordID>33</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>DNS Server</Channel>
    <Computer>DMGDC1.dawn.com</Computer>
    <Security />
  </System>
  <EventData Name="DNS_EVENT_DS_OPEN_WAIT">
  </EventData>
</Event>

DNS Server-2003

Event Type:Warning
Event Source:DNS
Event Category:None
Event ID:9999
Date:12/11/2012
Time:10:08:49 PM
User:N/A
Computer:DAWNHO
Description:
The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that preceded these run-time events. The data is the number of events that have been suppressed in the last 60 minute interval.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 16 00 00 00               ....    


DNS Server-2003


Event Type:Warning
Event Source:DNS
Event Category:None
Event ID:4521
Date:12/12/2012
Time:10:44:49 AM
User:N/A
Computer:DAWNHO
Description:
The DNS server encountered error 9002 attempting to load zone . from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and in AD of 2008 R2 and 2003 (below)

Log Name:      Directory Service-2008 R2

Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/11/2012 6:22:06 PM
Event ID:      2886
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DMGDC1.dawn.com
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. 

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds. 

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. 

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">2886</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-11T13:22:06.241712000Z" />
    <EventRecordID>489</EventRecordID>
    <Correlation />
    <Execution ProcessID="532" ThreadID="704" />
    <Channel>Directory Service</Channel>
    <Computer>DMGDC1.dawn.com</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
  </EventData>
</Event>

Directory Service-2003

Event Type:Warning
Event Source:NTDS KCC
Event Category:Knowledge Consistency Checker 
Event ID:1925
Date:12/10/2012
Time:5:29:18 PM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DAWNHO
Description:
The attempt to establish a replication link for the following writable directory partition failed. 
 
Directory partition: 
DC=dawn,DC=com 
Source domain controller: 
CN=NTDS Settings,CN=DMGDC1,CN=Servers,CN=DAWN-Karachi,CN=Sites,CN=Configuration,DC=dawn,DC=com 
Source domain controller address: 
97b88721-9ba3-496b-ae6a-b37e4928226d._msdcs.dawn.com 
Intersite transport (if any): 
 
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 
User Action 
Verify if the source domain controller is accessible or network connectivity is available. 
 
Additional Data 
Error value: 
8524 The DSA operation is unable to proceed because of a DNS lookup failure.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

==========================================================================

How do we correct these issues before moving forward with our plan?

Regards

Imran



Testing LDS functionality


Dear Colleagues,

I have installed an LDS server to support multi-forest authentication for Cisco UC Manager. I have extended the schema, imported the affected users and finally configured the new LDS server as a source. The user import was successful from both domains (as proxy users with all necessary attributes), but no one can authenticate.

The CUCM error message has no usable information (LDAP error! Contact your Administrator). My 'Cisco' colleague has started to check the CUCM logs, but meanwhile I should check the LDS related logs (no usable info) and the functionality.

How can I test the LDS based authentication without CUCM?

Any suggestion will be appreciated!

Cheers, Laci

FSMO Role Transfer


Hi,

I have a little doubt about transferring FSMO roles. Please clear my doubt.

I have two DCs in a forest. The first is eva.com and the second is tech.eva.com.

I know we can transfer or seize the FSMO role on an ADC. But I want to know: can we transfer an FSMO role to a child domain? If not, why?

I tried to search about this but did not get any exact answer.

Regards

Raj

Domain controller and Active Directory running but domain unavailable.


Hello,

I use a domain with 2 domain controllers: 1 with SBS 2008 and another on Windows 2008 R2.

The SBS crashed after a disk failure and I had to restore it from the backup. After reinstallation the domain is unavailable. When I open the Active Directory Users console, the system couldn't find the domain. But when I add a domain controller (the Windows 2008 R2) it finds the tree and all the domain. But it is still unavailable.

I really don't know how to fix it.

Could somebody help me?

IP changes not reflected on Dynamic DNS records


Hi All,

We have a Windows 2008 R2 DHCP server and a separate AD-integrated DNS server in our environment. One of our non-Windows clients received an IP from scope X.X.74.0 and later the same machine connected to another VLAN and got a new IP from VLAN X.X.78.0. When we come to the DNS part, the new IP has not been reflected on the DNS server. The A record is there with the old IP only, X.X.74.91, but both leases are there in the DHCP server scopes. We have enabled the option "Always Dynamically Update DNS A and PTR record", but couldn't find any logs on the DHCP server for DNS registration failures. Please

Can metadata be cleaned on a DC that has already been force demoted?

We had a 2003 SP2 DC (no master roles, just a "secondary" DNS) go tombstone. The dcpromo /forceremoval was done with the idea of doing metadata cleanup afterward. However, now of course it is in a workgroup and the other DCs cannot see it to do the metadata cleanup. Is there a way we can do the metadata cleanup (I already went manually through DNS and AD Sites and Services) even though it is no longer part of the domain?