Channel: Directory Services forum

RPC server is unavailable


So,

scenario is the following:

I have a member server 2008 with SCCM 2007 installed. It is with static IP and is in a given site. The secure channel broke a few days ago. After restart (not performed by me) everything was fine for a day and then again SC broke. Problem is after restart I did not know to which DC it authenticated and logs are gone (too many messages)...

So, again SC broke. With nltest /sc_reset it logs to DC in Headquarters. 

nltest gives correct results for site, but does not show DCs in site - shows DC in other sites. When performing ping to DCs in site - successful, when nslookup - uses DNS on DC in correct site and resolves. In DNS are correct srv records for servers from the site.

Later again channel is broken. Error is:


Event Type: Error 
Event Source: NETLOGON 
Event Category: None 
Event ID: 5719
Date: Date
Time: Time
User: N/A 
Computer: Server
Description:
No Domain Controller is available for domain <domain name> due to the following: The RPC server is unavailable.

When a domain user tries to log on, they get the message: "There are currently no logon servers available to service the logon request."

I checked and rechecked DNS and WINS settings. Everything is fine.

Services RPC, Remote Registry, Netbios TCP/IP helper run.

Time and Zone setting are fine. All is perfect. Firewall is off. Switches are tuned - and portfast is enabled.

Other clients from site authenticate to correct DCs.

 

That's it. Please guys, if you have any bright or not that bright ideas, share them with me :)


Domain access problems

Hi, my customer (a retailer) uses 2008 server (domain controller) at their HQ and an XP PC (acting as a store controller) in their store along with cash registers (pos systems) running XP embedded. They are all within the same domain. The stores are connected to the HQ via DSL lines. When the DSL line for the store goes off, pos systems are unable to reach the XP PC store controller -which they should- in order to carry online sales data for local reporting etc. This means if the domain controller is not reachable, the pos systems are off-line even if there is no problem with the local network or the store controller PC. Is there a way to get around this? The only solution for me now is to detach whatever in the store from the domain, which is not the solution my customer is looking for. Any help most appreciated.

User can not connect


Hi,

I have created a user account a.bbbb.cccc.domain.com; afterwards I renamed it (in the account name, not with rename) to abbbb.cccc.domain.com, but the user cannot authenticate.

I tried to remove the account and recreate but user can not connect.

Can you help me?

Thank you


Amenta

DOMAIN GPO's


Where (by default) are the Default Domain Policy and Domain Controller GPOs supposed to be located?

Server/Domain = 2003. Are they both to be linked right under the FQDN? These links got deleted and we need to re-link them to their default location.

The DNS server has encountered a critical error from the Active Directory. and a number of other errors


Hi All,

I have setup a domain running windows server (2012) including the domain controllers.

The two DCs seem to be behaving strangely. I have had a number of DNS issues, which I have resolved. Now, I rebooted the server at roughly 5.40pm or before (GMT time; it's 9.33pm as I edit this), and on the server get these event logs:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

The error code for the above is 4015 and the guidance just says restart the service, which I have done.

And then.....

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

In the AD event logs, the DFS-R service is replicating and creating connections ok. 

But on the PDC-e DC, I get:

 

The DFS Replication service is stopping communication with partner DC-2 for replication group Domain System Volume due to an error. The service will retry the connection periodically. 

Additional Information: 
Error: 1723 (The RPC server is too busy to complete this operation.) 
Connection ID: 96DE0D90-3D16-4F8B-8D1B-B34C7CC71001 
Replication Group ID: 48617AF8-990C-4D50-B947-271427F95C29

And then straight  after:

The DFS Replication service successfully established an inbound connection with partner DC-2 for replication group Domain System Volume. 
 
Additional Information: 
Connection Address Used: DC-2.SHAREPOINTDEVEN.DEV 
Connection ID: 96DE0D90-3D16-4F8B-8D1B-B34C7CC71001 
Replication Group ID: 48617AF8-990C-4D50-B947-271427F95C29

Again, this is at  5.40. 

Since then, neither DC is recording anything to the event logs for DNS, DFS-R or Directory Service.

Both DCs point to themselves as the primary DNS and each other as secondary.

If required, I can post ipconfig /all.




FSMO Role Seizure - PDC Emulator Role fails to seize.

I am having an issue with a Server 2008 R2 Domain Controller.  Originally my site had 2 DC's, a Server 2008 DC, Server A, (Original Server), and a Server 2008 R2, Server B,  (Newer Server).  Both Servers were operational as a Primary Domain Controller and a Secondary.  The domain was created on Server A, Server B was added 2 years later.  All FSMO roles were still residing on Server A.  

Server A suffered a hardware failure that brought it completely offline.  I tried to seize the FSMO roles from Server B and was able to seize all but the PDC Role.  I get the following error:

Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210581, problem 5002 (UN
AVAILABLE), data 8524

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
ldap_modify of fsmoRoleOwner failed with 0x1(1 (Operations Error).
Ldap extended error message is 000020EF: SvcErr: DSID-02080615, problem 5012 (DI
R_ERROR), data -1414

Win32 error returned is 0x20ef(The directory service encountered an unknown fail
ure.)


I have not seen this error message before and am at a loss as to how to proceed.  Any  help would be appreciated.

Thanks
                           

Aside from GPOs, what changes occur when joining a Domain?

We have a client using banking software that appears to be affected by domain user profiles, but not local user profiles. I've blocked GPO inheritance for the user and PC, but the issue persists. Ideas are welcome. Is there a list of the changes that alter the behavior of a domain user/PC account?

remove child domains without having access to child domain DCs


I am fixing AD problems in one company that is really messed up.

There are a number of child DCs; now these DCs are not pinging and not replicating.

What is the best way to remove these child domains in case I don't have access to them at all? I cannot see these DCs in the domain controllers OU in ADUA.

Can I just delete these servers from AD Sites and Services? Please have a look at my DCDIAG below – hope it will help.

Directory Server Diagnosis

Performing initial setup:
  Trying to find home server...
  Home Server = DM-AD-DC01
  * Identified AD Forest.
  Done gathering initial info.

Doing initial required tests

  Testing server: HO-Site\DM-AD-DC01
     Starting test: Connectivity
        ......................... DM-AD-DC01 passed test Connectivity

Doing primary tests

  Testing server: HO-Site\DM-AD-DC01
     Starting test: Advertising
        ......................... DM-AD-DC01 passed test Advertising
     Starting test: FrsEvent
        ......................... DM-AD-DC01 passed test FrsEvent
     Starting test: DFSREvent
        ......................... DM-AD-DC01 passed test DFSREvent
     Starting test: SysVolCheck
        ......................... DM-AD-DC01 passed test SysVolCheck
     Starting test: KccEvent
        A warning event occurred.  EventID: 0x80000785
           Time Generated: 12/12/2012   08:59:28
           Event String:
           The attempt to establish a replication link for the following writable directory partition failed.
        A warning event occurred.  EventID: 0x80000785
           Time Generated: 12/12/2012   08:59:36
           Event String:
           The attempt to establish a replication link for the following writable directory partition failed.
        A warning event occurred.  EventID: 0x80000785
           Time Generated: 12/12/2012   09:00:02
           Event String:
           The attempt to establish a replication link for the following writable directory partition failed.
        A warning event occurred.  EventID: 0x80000786
           Time Generated: 12/12/2012   09:00:08
           Event String:
           The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
        ......................... DM-AD-DC01 passed test KccEvent
     Starting test: KnowsOfRoleHolders
        ......................... DM-AD-DC01 passed test KnowsOfRoleHolders
     Starting test: MachineAccount
        ......................... DM-AD-DC01 passed test MachineAccount
     Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=dammam,DC=gov,DC=sa
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=dammam,DC=gov,DC=sa
        ......................... DM-AD-DC01 failed test NCSecDesc
     Starting test: NetLogons
        ......................... DM-AD-DC01 passed test NetLogons
     Starting test: ObjectsReplicated
        ......................... DM-AD-DC01 passed test ObjectsReplicated
     Starting test: Replications
        [Replications Check,DM-AD-DC01] A recent replication attempt failed:
           From DM-AD-DC02 to DM-AD-DC01
           Naming Context: DC=dam-plan,DC=dammam,DC=gov,DC=sa
           The replication generated an error (8464):
           Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set.
           The failure occurred at 2012-12-12 08:51:49.
           The last success occurred at 2010-06-01 18:09:21.
           73 failures have occurred since the last success.
           Try synchronizing the Schema partition on all servers in the forest.
        ......................... DM-AD-DC01 failed test Replications
     Starting test: RidManager
        ......................... DM-AD-DC01 passed test RidManager
     Starting test: Services
        ......................... DM-AD-DC01 passed test Services
     Starting test: SystemLog
        An error event occurred.  EventID: 0x00000457
           Time Generated: 12/12/2012   08:14:28
           Event String:
           Driver KONICA MINOLTA bizhub C35 PS required for printer KONICA MINOLTA bizhub C35 PS is unknown. Contact the administrator to install the driver before you log in again.
        An error event occurred.  EventID: 0x00000457
           Time Generated: 12/12/2012   08:14:31
           Event String:
           Driver KONICA MINOLTA bizhub C35 PCL6 required for printer KONICA MINOLTA bizhub C35 PCL6 is unknown. Contact the administrator to install the driver before you log in again.
        An error event occurred.  EventID: 0x00000457
           Time Generated: 12/12/2012   08:14:31
           Event String:
           Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.
        An error event occurred.  EventID: 0x00000457
           Time Generated: 12/12/2012   08:14:32
           Event String:
           Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
        A warning event occurred.  EventID: 0x00000427
           Time Generated: 12/12/2012   08:19:04
           Event String:
           There are no IP addresses available for lease in the scope or superscope "Amana-Ground Floor - VLAN3".
        A warning event occurred.  EventID: 0x00000427
           Time Generated: 12/12/2012   08:22:33
           Event String:
           There are no IP addresses available for lease in the scope or superscope "Amana-Ground Floor - VLAN3".
        A warning event occurred.  EventID: 0x000003FC
           Time Generated: 12/12/2012   08:23:25
           Event String:
           Scope, 10.1.3.0, is 100 percent full with only 0 IP addresses remaining.
        A warning event occurred.  EventID: 0x000003FC
           Time Generated: 12/12/2012   08:23:26
           Event String:
           Scope, 10.1.3.0, is 99 percent full with only 1 IP addresses remaining.
        A warning event occurred.  EventID: 0x00000427
           Time Generated: 12/12/2012   08:23:30
           Event String:
           There are no IP addresses available for lease in the scope or superscope "Amana-Ground Floor - VLAN3".
        A warning event occurred.  EventID: 0x000003FC
           Time Generated: 12/12/2012   08:24:26
           Event String:
           Scope, 10.1.3.0, is 94 percent full with only 10 IP addresses remaining.
        A warning event occurred.  EventID: 0x00000427
           Time Generated: 12/12/2012   08:24:51
           Event String:
           There are no IP addresses available for lease in the scope or superscope "Amana-Ground Floor - VLAN3".
        An error event occurred.  EventID: 0x00000457
           Time Generated: 12/12/2012   08:40:19
           Event String:
           Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
        An error event occurred.  EventID: 0x00000457
           Time Generated: 12/12/2012   08:40:19
           Event String:
           Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
        An error event occurred.  EventID: 0x00000457
           Time Generated: 12/12/2012   08:40:21
           Event String:
           Driver HP Color LaserJet CP202X PCL6 Class Driver required for printer HP Color LaserJet CP202X PCL6 Class Driver is unknown. Contact the administrator to install the driver before you log in again.
        A warning event occurred.  EventID: 0x00000427
           Time Generated: 12/12/2012   09:00:01
           Event String:
           There are no IP addresses available for lease in the scope or superscope "Amana-Ground Floor - VLAN3".
        A warning event occurred.  EventID: 0x00000427
           Time Generated: 12/12/2012   09:00:22
           Event String:
           There are no IP addresses available for lease in the scope or superscope "Amana-Ground Floor - VLAN3".
        ......................... DM-AD-DC01 failed test SystemLog
     Starting test: VerifyReferences
        ......................... DM-AD-DC01 passed test VerifyReferences

  Running partition tests on : ForestDnsZones
     Starting test: CheckSDRefDom
        ......................... ForestDnsZones passed test CheckSDRefDom
     Starting test: CrossRefValidation
        ......................... ForestDnsZones passed test CrossRefValidation

  Running partition tests on : DomainDnsZones
     Starting test: CheckSDRefDom
        ......................... DomainDnsZones passed test CheckSDRefDom
     Starting test: CrossRefValidation
        ......................... DomainDnsZones passed test CrossRefValidation

  Running partition tests on : Schema
     Starting test: CheckSDRefDom
        ......................... Schema passed test CheckSDRefDom
     Starting test: CrossRefValidation
        ......................... Schema passed test CrossRefValidation

  Running partition tests on : Configuration
     Starting test: CheckSDRefDom
        ......................... Configuration passed test CheckSDRefDom
     Starting test: CrossRefValidation
        ......................... Configuration passed test CrossRefValidation

  Running partition tests on : dammam
     Starting test: CheckSDRefDom
        ......................... dammam passed test CheckSDRefDom
     Starting test: CrossRefValidation
        ......................... dammam passed test CrossRefValidation

  Running enterprise tests on : dammam.gov.sa
     Starting test: LocatorCheck
        ......................... dammam.gov.sa passed test LocatorCheck
     Starting test: Intersite
        ......................... dammam.gov.sa passed test Intersite

 



Windows 2008 SP2 unable to read Directory


Hi guys,

One of my Windows 2008 SP2 Servers suffered a strange issue. The others don't have this issue.

The server is added into the domain, and all the domain controllers are Windows 2008 Server.

The symptoms include:

1. We added some domain IDs into local administrators ever, but now the IDs display as their SSID.

2. When I want to add some new domain ID into local administrators, I find the server can't read Active Directory. The Entire Directory displayed as blank.

3. As default, when I add a domain ID into any local groups, the line "From this location" displays its hostname.

Generally speaking, here should display domain name.

See the next screenshot.

I have reset the computer name via ADUC, and I also tried  re-join into domain.

All the DCs are pingable from this server.

But the issue is same.

So the issue is: the server unable to read active directory.

I saw some warning  log from application, such as Event ID:6000

The winlog notification subscriber <GPClient> was unavailable to handle a notification event.

Event ID:502

Certificate Service Client failed to register group policy notifications. Error code: 2147944153

But I think the root cause is "the server unable to read active directory."

Did anyone ever see this issue and know how to fix it?



How to enter a Service Principal Name (SPN) in the Subject Alternative Names (SAN) in the Additional Attributes for Microsoft Active Directory Certificate Services


When I request to create a new certificate, I have to be able to enter a service principal name like host/server.foo.com.  I know how to enter the dns, for example, like san:dns=server.foo.com in the additional attributes box, however, I can't find the proper syntax to enter the service principal name (spn).

Thanks in advance.


Paul S

Reanimation of Deleted Objects, Manual restore or Authoritative Subtree Restore


Hi All,

Hoping someone can help. Feel like a real plank.

Was clearing out old Exchange servers from our environment and deleted the wrong servers and Administrative group.

I need to restore the administrative group and servers.

I have used LDP.exe to restore the Administrative group by removing the isDeleted=True option and modifying the DN.

I cannot restore the Servers container though with the two servers, even though I can still see them in CN=Deleted Container.

I get an Error: Modify: Naming Violation. <64>

and when I don't include the GUID I get an

Error: Modify: Unwilling to Perform <53>

I'm currently waiting on the backup team to confirm if they have an AD backup from one of the domain controllers.

My question is why can't I rebuild the servers container? And if I did an authoritative restore for the subtree:

CN=Exchange_Admin_Group,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxx,DC=xxx

Would that solve my issue and restore my Exchange server back, or is my understanding completely off?

Regards,

Zach

DNS Error 4013. No DNS address showing on second server. Initial synchronization not yet completed?


    
Hi,

Just promoted a server to replicate the main DC and everything seems OK apart from the DNS.

When looking at the zones from the second server the DNS zones show no content, like it hasn't been replicated at all, but when I connect to the server from server one (adding second server into server 1 management console) it shows server 2 has all the computers listed. Both servers have themselves as the primary (10.***.***.*) and the secondary as each other.
Is this normal behaviour?

Thanks

Here's the only error in the log.    Event Errors: 4013

The DNS server is waiting for Active Directory Domain Services (AD DS) to
signal that the initial synchronization of the directory has been completed.
The DNS server service cannot start until the initial synchronization is
complete because critical DNS data might not yet be replicated onto this
domain controller. If events in the AD DS event log indicate that there is a
problem with DNS name resolution, consider adding the IP address of another
DNS server for this domain to the DNS server list in the Internet Protocol
properties of this computer. This event will be logged every two minutes
until AD DS has signaled that the initial synchronization has successfully
completed.

Issues with members of account operators group in Active Directory inability to reset their own password


All:

There is a subset of users that belong to a security group that cannot reset their own password. This security group is a member of account operators. They can reset passwords for other users, but not their own. The accounts exist in the Users Container in which they can reset other users' passwords through ADUC. When they log on to a workstation and try to reset their password they receive "Windows Cannot Change Password because Access is Denied". Any help is greatly appreciated.

Where should a Domain Controller live?


We have two servers with Windows Server Std 2012. The Hyper-V role is installed on both of them, and they run domain controllers in a virtual environment. On these DCs there are errors in the logs, because disk write cache is not disabled. The HDD images of the VMs (vhd files) are connected via a virtual IDE controller. In this article it is said that

"Use virtual SCSI controllers for any virtual machine that runs as a domain controller. If you cannot use virtual SCSI controllers, ensure that write caching is disabled on the virtual IDE drives of virtual machines that run as domain controllers". I tried to do the following: I switched off one of the DCs, detached the vhd file from the virtual IDE controller and attached it to a virtual SCSI controller. As you would expect, my VM didn't boot, because it's impossible to have a bootable disk on a virtual SCSI controller. Before that I tried to manually disable the disk write cache, but I received an error "windows could not change the write-caching setting for the device".

What can I do to prevent failures in the future with our Active Directory infrastructure?

Group policy to delete inactive users accounts and computer accounts


Hi Forum users,

I have a client request asking specifically for a group policy to delete inactive computer accounts and user accounts, but I couldn't find any policy related to this. I found an old thread "http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/88808b2d-472a-457a-829c-66359b875550" but it too doesn't mention any policy other than dsquery. Please advise.


Query on ADLDS


I have a bit of an idea about ADLDS, previously ADAM. I know how to install & configure ADLDS.

Could anyone provide  a live example for ADLDS which I can test in my test lab & watch how the ADLDS is interacting with any application?

Any help is highly appreciated.

I have read the articles but I have still not found any area which I can implement in my organization.

http://www.windowsnetworking.com/articles_tutorials/Configuring-Active-Directory-Lightweight-Directory-Service-Part4.html

Have read the seven links.


AliahMurfy

CIFS SPN Missing



My domain does not have a SPN for CIFS/mydomain.com. My DC is throwing ErrorCode: KDC_ERR_S_PRINCIPAL_UNKNOWN. There are a number of windows workstations on the domain that are trying to use this SPN.

I try to add the spn but I get the following error.

>setspn -a cifs/corp.dcsgroup.com.au corp.dcsgroup.com.au

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account corp.dcsgroup.com.au

What problems would this cause? Should this SPN be there by default?

Anonymous logon


On looking at my logs, I see several entries like this...

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/10/2012 3:41:56 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      2k8d-194-121
Description:
An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain:-
Logon ID: 0x0

Logon Type:3

New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain:NT AUTHORITY
Logon ID: 0xc2aef4ba
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:SRVTSIOSHOPPING
Source Network Address:186.210.60.41
Source Port: 1647

Detailed Authentication Information:
Logon Process:NtLmSsp 
Authentication Package:NTLM
Transited Services:-
Package Name (NTLM only):NTLM V1
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-10T23:41:56.378Z" />
    <EventRecordID>1042594</EventRecordID>
    <Correlation />
    <Execution ProcessID="676" ThreadID="780" />
    <Channel>Security</Channel>
    <Computer>2k8d-194-121</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0xc2aef4ba</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">SRVTSIOSHOPPING</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">186.210.60.41</Data>
    <Data Name="IpPort">1647</Data>
  </EventData>
</Event>

The IP address is usually different, but I see a lot of them. How is someone able to log in when I have only 1 user account active, it uses a non-standard name, and everywhere I look, it doesn't look like any kind of anonymous login is enabled (mainly checked GPEdit.msc, but may be looking at the wrong things I guess)?
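
Added example, not part of the original post: a Python triage of Security event 4624 XML like the record above, flagging network logons by the ANONYMOUS LOGON SID (S-1-5-7), use of the NTLM V1 package, and a source address outside an assumed internal range. The sample events, `INTERNAL_NETS` and all function names are constructed for illustration.

```python
"""Triage Security event 4624 XML for anonymous NTLM network logons."""
import ipaddress
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}
ANONYMOUS_SID = "S-1-5-7"  # well-known SID of ANONYMOUS LOGON

# Assumption: address space treated as internal; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def make_event(event_id="4624", **data):
    """Build a minimal event record (constructed test input, not a real log)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{items}</EventData></Event>')


def parse_logon(xml_text):
    """Return the EventData fields of a 4624 record, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}


def is_external(address):
    """True when the source address parses and lies outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # "-" or empty: no network source was recorded
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(fields):
    """Return the list of findings for one parsed 4624 record."""
    findings = []
    if (fields.get("TargetUserSid") == ANONYMOUS_SID
            and fields.get("LogonType") == "3"):
        findings.append("anonymous-network-logon")
    if fields.get("LmPackageName") == "NTLM V1":
        findings.append("ntlmv1")
    if is_external(fields.get("IpAddress", "")):
        findings.append("external-source")
    return findings


def review(events):
    """Return (workstation, source address, findings) for flagged 4624 records."""
    flagged = []
    for xml_text in events:
        fields = parse_logon(xml_text)
        if fields is None:
            continue
        findings = triage(fields)
        if findings:
            flagged.append((fields.get("WorkstationName", ""),
                            fields.get("IpAddress", ""), findings))
    return flagged


# Constructed sample records; hosts, SIDs and addresses are placeholders.
SAMPLE_EVENTS = [
    make_event(TargetUserSid="S-1-5-7", TargetUserName="ANONYMOUS LOGON",
               LogonType="3", LmPackageName="NTLM V1",
               WorkstationName="HOST-A", IpAddress="203.0.113.7"),
    make_event(TargetUserSid="S-1-5-21-1111111111-2222222222-3333333333-1104",
               TargetUserName="alice", LogonType="3", LmPackageName="-",
               WorkstationName="HOST-B", IpAddress="10.1.2.3"),
    make_event(TargetUserSid="S-1-5-7", TargetUserName="ANONYMOUS LOGON",
               LogonType="3", LmPackageName="NTLM V2",
               WorkstationName="HOST-C", IpAddress="192.168.5.20"),
    make_event(event_id="4634", TargetUserSid="S-1-5-7"),
]

if __name__ == "__main__":
    for workstation, source, findings in review(SAMPLE_EVENTS):
        print(f"{workstation:10} {source:15} {', '.join(findings)}")
```

Records that carry all three findings together are the ones worth checking against perimeter filtering of SMB and RPC ports and the server's anonymous-access and NTLM policy settings.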

How to Ad user Account in windows server 2008 R2


Hello

One of my top management user accounts got deleted from Active Directory.

When I tried restoring it, it does not allow me to restore and gives me the below error message

 Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted

I even tried to restore using the LDP.exe tool, but no luck.

My OS version is Windows Server 2008 R2

Recycle Bin feature is not enabled.

So guys, could you please let me know how to restore the user object when the AD Recycle Bin feature is not enabled in Windows Server 2008 R2?

Regards

Sriram


Thanks Sriram

Understanding XP and Win7 client DNS updates


Hi,

I'm trying to understand how some of the DNS registration updates work between Domain member client PC and the AD infrastructure when not on the local LAN, but on a routed LAN.

I've a simple 3 DC (no RO DCs) setup. On my LAN the DHCP server updates DNS entries for clients. The DNS servers are setup only for Secure Updates.  I'm not aware of any GPO settings overriding default setups.

However we now have an off-shoot LAN, that has its own Linux DHCP server.  Clients on that LAN are pointed to our normal DNS servers directly. There are no firewalls involved, only IP routing.

What we see, is that if an existing record exists when a client PC moves from my LAN to the off-shoot LAN, then its DNS entry is not updated. However, if the client doesn't exist in DNS (because I delete it manually), then they can register in ok from that new LAN.

I don't see this in my local DHCP/DNS update mechanism. Only with the new LAN.

I know that DNS registrations are done by the DNS Client on the PC, but I'm not sure what else is taken into account when security checks are made.

Also, I'm seeing 'stale' entries in the DNS listing. Scavenging is set for 7 days, but yet I see timestamps for 30 Nov, 29 Nov, 28 Nov etc..

Any advice on how to proceed appreciated.  I've searched for basic DNS and read various articles, so I think my understanding is good, but can't see why the clients aren't updating:

http://technet.microsoft.com/en-us/library/cc784052(v=ws.10).aspx
http://social.technet.microsoft.com/Forums/lv/winserverNIS/thread/8f5310f6-3c8e-47c2-a95f-07c4f0ea19d0
