I work for a university and teach IT courses to undergrad and graduate students. The details below are pertaining an isolated lab environment

I had a storage failure in my lab and the DCs became corrupt. This is a university lab environment so there isn't anything crucial on here. I just would rather avoid rebuilding the domain/forest and would rather use this as a learning experience with my students...

So after the storage failed and was restored, the VMs hosted became corrupt. I did a NTDSUTIL to basically repair the NDTS.dit file but one of my DCs reverted to a state before DC promotion. Naturally, the domain still had this object in AD. After numerous failed attempts at trying to reinstall the DC on the server through the server manager wizard in 2012 R2, I decided that a metadata cleanup of the old failed object was necessary.

Utilizing this article, I removed all references of the failed DC from both AD and DNS (http://www.petri.com/delete_failed_dcs_from_ad.htm) 

So now that the failed object is removed completely from the domain and the metadata cleanup was successful, I then proceeded to re-install the necessary AD DS role on the server and re-promote to the existing domain. Pre-Requisites pass but generate some warning around DNS Delgation, and Dynamic Updates (delegation is ignored because the lab is isolated from external comms, and dynamic updates are in fact enabled on both my _msdcs and root domain zones).

Upon the promotion process, I get the following error message (also worth mentioning - the account performing these operations is a member of DA, EA, and Schema Admins)

As you can see, this error seems odd considering. Now that I'm down to a single DC and DNS server, the sync should be corrected. I've run a repadmin /syncall and it completed successfully. Since then, I've run dcdiags and dumped those to a text as well and here are my results...

From what I can gather, there is a definite DNS issue but I don't have any stale records to the old DC stored anywhere. I've tried this with a new server as well and get similar errors... 

At this rate I'm ready to rebuild the entire forest over again. I'm just reluctant to do so as I want to make this a learning experience for the students. 

Any help would be greatly appreciated. Thanks!

Hi guys.

Background

We have just acquired an Active Directory 2003 R2 infrastructure. Along the lines they have added, upgraded and deployed Windows Server 2008 and up to 2012 Domain Controllers in the domain. The domain was still running NTFRS for SYSVOL at that point of time.

We have since deployed Windows Server 2012R2 Domain Controllers and phased-out all legacy DC versions in the forest/domain. FSMO has been transferred succesfully and the operational level of the Forest and Domain was then upgraded to Native 2012R2 without incidents.

Issue

Our problem is when we tried to migrate the SYSVOL from FRS to DFS.

When running "dfsrmig /SetGlobalState 1" or even "dfsrmig /SetGlobalState 0" from an elevated CMD returns this error:

Error: 87. Please check the DfsrMig log files under the windows\debug directory.

The command was run directly on the PDC (we have also tested running the dfsrmig from other Domain Controllers) and Windows firewall is turned off.

The excerpt from the log file where the error took place is as follow:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

20141221 05:28:47.950  312 CFAD  7268 Config::AdConfig::ConstructSysVolObjects [SYSVOL] Member:cn=DC01,cn=Topology,cn=Domain System Volume,cn=DFSR-GlobalSettings,cn=system,DC=domain,DC=com

20141221 05:28:47.950  312 ADWR   311 Config::AdWriter::CreateSysVolGlobalObjects [SYSVOL] Create sysvol global objects

20141221 05:28:47.950  312 CFAD  2838 Config::AdObjectEditor::AddObject Add cn=DFSR-GlobalSettings,cn=system,DC=domain,DC=com

20141221 05:28:47.950  312 ADWR   330 [ERROR] Config::AdWriter::CreateSysVolGlobalObjects [SYSVOL] Failed to add global settings object

20141221 05:28:47.950  312 EVNT  1194 EventLog::Report Logging eventId:8001 parameterCount:3

20141221 05:28:47.950  312 EVNT  1214 EventLog::Report         eventId:8001 parameter1:DC01

20141221 05:28:47.950  312 EVNT  1214 EventLog::Report         eventId:8001 parameter2:87

20141221 05:28:47.950  312 EVNT  1214 EventLog::Report         eventId:8001 parameter3:The parameter is incorrect.

20141221 05:28:47.950  312 MIGM   738 [ERROR] main Error:

+       [Error:87(0x57) Process main.cpp:602 312 W The parameter is incorrect.]

+       [Error:87(0x57) Migration::SysVolMigration::CreateGlobalADObjects migration.cpp:4251 312 W The parameter is incorrect.]

+       [Error:87(0x57) Config::AdWriter::CreateSysVolMigrationGlobalObjects adwriter.cpp:1748 312 W The parameter is incorrect.]

+       [Error:87(0x57) Config::AdWriter::CreateSysVolGlobalObjects adwriter.cpp:336 312 W The parameter is incorrect.]

+       [Error:87(0x57) Config::AdObjectEditor::AddObject ad.cpp:2861 312 W The parameter is incorrect.]

+       [Error:16(0x10) Config::AdObjectEditor::AddObject ad.cpp:2861 312 L No Such Attribute]

<cr>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</cr>

<cr>The DFS migration failure event is also registered in Event Viewer as follow:</cr>

It seems the error is caused by dfsrmig not being able to create the "cn=DFSR-GlobalSettings,cn=system,DC=domain,DC=com" object; not sure why though.

Comparing the ACL of the "cn=system,DC=domain,DC=com" object with other AD installations looks legit.

We have previously done FRS to DFS migrations on MixedAD2008 and NativeAD2012 domains succesfully. This is our first time migrating on an NativeAD2012R2 domain.

Any pointers is greatly appreciated...

HI All,

   We are running Windows 2003 domain functional level. Total 5 DC's.  AD schema: 47 (Windows 2008 R2), Ex Schema: Exchange 2010 Sp1

  Netbios Name: mydomain.com

  Our company now going to merged onto another company called newdoamin.com. At this stage they don't want to migrate domain so setting the trust and run the business as usual

 So how do i give our user access to resources in newdomain and give them access to mydomain.com ?

How do i setup their exchange as our primary? 

As

Hi there,

I am a relatively new Sysadmin at my employer and have found a very strange problem that I was wondering if the people here would like to challenge themselves with. There is a phantom Machine account on my domain. To illustrate:

Recently a network admin performed a check on our international traffic as we were using a lot more than expected. One culprit was something using the BITS protocol (mostly this is Windows Update related I understand?). When I went looking for the computer in question I found it had the same IP address as another computer very close to me. Ok, I thought, probably just need to flush DNS. Did that, now it has a new IP address associated with another computer downstairs from me that I can also lay my hands on and definitely has that IP address assigned (Ipconfig on the client and DHCP lease in console on our DHCP server confirm this).

Also, when checking DHCP the computer has a different IP address entirely. 

I try to RDP to the computer by name and it prompts for password then tells me the computer does not have the same name as the one I was trying to connect to - presumably because the computer actually on that IP address is the one with the DHCP lease.

I've since disabled and deleted the machine account in question but am a little worried it's a sign of a botnet or similar on our network because of the behaviour - large amount of international traffic coming from a non-existent computer.

- Chewing up international traffic

- Can be pinged on fqdn and IP after flushing DNS but had a different IP than what was assigned by DHCP

- cannot be remoted to (as there is another computer on that IP address)

- May not actually be physically connected to our network. (Pending validation with 4 floors of head office users the day before Christmas on that one).

We already have a setup of Win2012 R2 Servers but as soon as we promoting a new Win Server 2012 R2 as a New Child Domain in existing Forest (i.e.xyz.abc.com), The Promotion completed successfully but after that It Start rebooting in 15mins.

We tried to install all windows updates/Hotfixes but no solution.

But Once we demote it it starts working fine again.

It seems a bug in Windows Server 2012 R2.

My Organization's current AD scenario is as below

Single Domain, Single Forest - Five - 2012 DCs and One 2008 R2 DC. Domain Functional Level(DFL) & Forest Functional (Level FFL) is presently Win 2003.

My question is :

1. After demoting Windows 2008R2 DC, Can I directly raise the functional level to 2012 ?. At present 2012 functional level option is not coming. Upto 2008 R2 option is available.

2. If possible - Which one to raise first- DFL or FFL?

3. Any time interval need to be given between raising DFL and FFL?

Pretty generic domain:  Two DC's, ServerA and ServerB.  Server B crashed one night, and it turned out to be the On/Off switch.  Once I replaced that, it came back up, but there is a problem with DNS for some reason.

On ServerB, DCDiag /test:DNS gives:

      Starting test: Connectivity
         The host 5e864aa9-dbc3-4258-8b27-69e53267ef60._msdcs.domain.local could no
t be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (5e864aa9-dbc3-4258-8b27-69e53267ef60._msdcs.domain.local) couldn't be
         resolved, the server name (serverb.sks.local) resolved to the IP address
         (192.168.1.98) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... SERVERB failed test Connectivity

In the DNS console on both servers, ServerB has the correct GUID.  In ADUC, on ServerB, operations masters show ERROR.  If you change them to ServerB, the change takes effect on both servers, but if you change it back on ServerA, it shows ERROR again on ServerB.  The DNS test runs clean on ServerA.

It has only been like this for a day, and frankly I might not have noticed anything, except I made a small change to a logon script, and a user complained the change hadn't taken effect.  Sure enough, no replication.

Hi, I have inherited a network that looks to be running 2 separate DNS servers on each side of a WAN. Both are DCs of the same Domain.

The issue is one side of the WAN sometimes has trouble pinging DHCP clients that are on the other side.

Each side has its own DHCP and DNS, and it looks like neither DNS is setup as a secondary..

My question is what is best practice in this situation? If I setup site 2 as a secondary DNS server, will it have the same issues resolving DHCP clients?

Thanks,

Dekkar

Hello!

So I was working on setting up our new branch office DC. Anyway, the server failed to join the domain the first time because it upgraded the AD schema (This was our first 2012 R2 server) and the schema wasn't synced to all the other remote offices. So I forced a sync, joined the server as a workstation, then made it a domain controller.

Anyway, after that the server would show itself as a DC in Active Directory, but all the other servers believed it was just a workstation. So, I removed Active Directory from the server (I had to force the removal). I reset the computer account on the local DCs, then rejoined it to the domain and made it a domain controller again. This time, it appeared as a Domain Controller on the other DCs in the domain.


Now for the issue --- I've now got two objects for the server under AD Sites and Services. One of them doesn't appear to have any AD DS connections. The other has connections, but not all of them work correctly (I get errors when I tell certain connections to sync).

What should I do to fix this?

I'm still in the setup phase of this, so I can do anything I want with this particular server. I was thinking I would demote from a Domain Controller, remove it from the domain. Then use ntdsutil to cleanup any other metadata that is hanging around in AD (Something like: https://support.microsoft.com/KB/216498?wa=wsignin1.0 )

Does anyone else have suggestions on what I should do to fix this? --- I'm being overly cautious here as I do not want to mess anything up in Active Directory.

Thanks!

Server 2012

This is a new virtual domain server and file server in a starwind cluster, I just started migrating users last week.

 This last weekend (two days ago) the cluster crashed while doing windows updates on this server. I have been unable to get it to download any updates since without crashing, not sure if that is related to this issue somehow.

I added some new users today and got them all logged in and their data transferred over. good. But then I went to this shared folder that everyone has a mapped drive too and tried to add them in the security tab of a sub folder but their accounts will not show up when I search for them. Any account I added previously to last weekend  show up, students, mine, etc.

even if I select the exact OU the accounts are located in, even if I type their whole name and domain. In AD the accounts are there.

If I log into the backup domain controller Their accounts show up there while in a folder security settings tab. They are listed in active directory on both domain controllers.

I have exhausted myself on Google search.

What the heck did I break?

Maybe I should run 

DISM.exe /Online /Cleanup-image /Restorehealth

Not sure if I will lose any data doing that or what the repercussions would be..

Hello,

I have my PKI in FO Cluster and everything works well except of Web Enrollment,

when I'm opening my webbrowser and typing https://cahostname/certsrv - webpage is opening but when I want to request any certificate then I receive an error - no certificate templates are available or you don't have rights to request - something like that.

I've read somewhere that certdat.inc under c$\Windows\System32\CertSrv must be modified, 

I've tried many possibilities, even if certutil -ping is working, I'm still receiving that error. Ofc IIS server s restarted everytime after I change the file.

Any ideas or advices are appreciated.

I have a near-vanilla Windows 2012 R2 Standard load on a Supermicro based server acting as a domain controller. I just bought the server this year. I've installed all "important" patches but not all optional updates. The problem is it has a slow memory leak which you can't see in Task Manager. Using poolmon.exe I see something with the tag "Wnf" which seems to be the culprit (it is currently eating up 3GB+ RAM and will eventually consume the rest over the course of a week). Researching online I see that Wnf may be "Windows Notification Framework" but I'm not quite sure. I'm basically stuck at this point and not sure what to pursue next. Can someone help me with this pool tag and give me more clues?

Any help is greatly appreciated!

Dears,

I have a strange issue in DSRM that I have installed a GC smoothly with no any issue but i am wondring that i
have been successfully logon on DSRM but it is not showing anything (Black Screen) with mouse pointer can you help me.

Thanks All.

Hi,

We have two Active directory domain forest. We need to enable two way trust between both the domains so as to enable resource sharing. Below is the details:

1. Domain 1- Functional level 2003- All DC are on 2008 R2 OS

2. Domain 2- Functional level 2003- All DC are on Win 2003.

Below ports are open bi-directionally as these domains are separated by a Firewall

389 UDP+TCP,445 TCP,88 UDP+TCP,135 TCP,53 TCP+UDP, 3268 TCP

Conditional forwarder is being added on both domain DNS and is pointing to respective Domain controller IP.

While creating domain trust after entering the domain name, only two options is coming 1. To create realm trsut and other Trust with windows domain. This option should not come ideally as both my domains are Window domain. Also on clicking next teh trust wizard is finishing saying cannot continue. While running NLTEST /dsgetdc: domain FQDN from either domain getting below error:

Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Just to mention, while creating trust we have checked for the connection log in the firewall and only the above mentioned ports was getting hit from one DC IP to other DC Ip and teh connection was successful. This was to get sure i am not missing any ports which is required and communication is not opened.

Any help will be great.

Manu

Hello,

I have just started to dice into ADFS recently and I have a question regarding the idpiniatedsignon.aspx that I haven't found an answer for. Is it possible to have the dropdown on that page only show the RP that I have access/rights to? Or does it list all of the RP in the system for all users? I would like to know if it is possible, so I can use it as a landing page of sorts. Or is that a bad practice to do?

Thanks for your help.

I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.

Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.

I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it is not available.

Help please!

We're trying to set up DFS-R on one of our file servers, but when we go to create the Replication group, we get an error that the schema cannot be read.  Troubleshooting has led us to see that the DFS-R schema is missing in our AD.  However, we are running at Server 2012 schema level and 2008 functional level.  

My guess is that somehow the Server 2003 R2 adprep was never run and the schema additions necessary for DFS-R never added.  Since we're at a functional level of Server 2008, we can't add a 2003 DC to the domain in order to try and run adprep on it to get the DFS-R schema additions added.  

Any ideas on what I can do?  I'm not against manually going through the ldf files that are in the Server 2003 R2 Adprep folder, but if anyone has already went through that and has a script handy, that would be nice.

Thanks

Steve

Hello All,

I have an DC 2008 R2 STD and created Additonal Domain Controller as Win 2012 R2 STD.

Now all my windows XP machines cannot resolve to the internet but it can ping to the google.com.

kindly suggest.

Thanks...