Channel: Directory Services forum

Slow response in active directory connections from client machines


Good day

Could you assist? I'm experiencing a slow response when connecting to Active Directory. Whenever we open Active Directory, the response time takes 5-10 minutes, and even if we reset or unlock an account it takes longer. I have run the following commands from the command prompt on one of the AD servers (dcdiag /q and replsum); these are the results I get:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\daniel-a>dcdiag /q
         The host 49b66143-966c-421a-897f-91bc51134e94._msdcs.energy.gov.za
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... LIGHT failed test Connectivity

C:\Users\daniel-a>repadmin /replsum
Replication Summary Start Time: 2015-01-12 10:51:21

Beginning data collection for replication summary, this may take awhile:
  .........


Source DSA          largest delta    fails/total %%   error
 PARLIAMENT        22d.14h:02m:51s    5 /   5  100  (8524) The DSA operation is
unable to proceed because of a DNS lookup failure.
 REFINERY                  02m:47s    0 /   5    0
 RENEWABLE                 02m:47s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 LIGHT             22d.14h:03m:22s    5 /  15   33  (8524) The DSA operation is
unable to proceed because of a DNS lookup failure.


Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - Renewable.energy.gov.za
          58 - Parliament.energy.gov.za
          58 - Magnetic.energy.gov.za
          58 - REFINERY.energy.gov.za
          58 - REACTOR.energy.gov.za

C:\Users\daniel-a>dcdiag /q
         The host 49b66143-966c-421a-897f-91bc51134e94._msdcs.energy.gov.za
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... LIGHT failed test Connectivity

PLEASE ASSIST URGENTLY

Regards

Dan
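The repadmin /replsum output above only identifies the failing partner once the wrapped rows are read by hand. As an added example that is not part of the original post and not a Microsoft tool, the Python script below parses a captured /replsum transcript (the embedded sample is the poster's own output, trimmed), flags every DSA with failed attempts, a stale largest delta or an error code, and decodes the trailing operational-error list. The one-day staleness threshold and the short error-code table are this example's own choices.

```python
"""Offline triage of captured `repadmin /replsum` output (added example, not a Microsoft tool).

Parses the per-DSA rows, re-joining error text that repadmin wraps onto the next line,
plus the trailing "operational errors" list, and flags DSAs whose replication is broken.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the poster's repadmin output, trimmed for this example.
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2015-01-12 10:51:21

Source DSA          largest delta    fails/total %%   error
 PARLIAMENT        22d.14h:02m:51s    5 /   5  100  (8524) The DSA operation is
unable to proceed because of a DNS lookup failure.
 REFINERY                  02m:47s    0 /   5    0
 RENEWABLE                 02m:47s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 LIGHT             22d.14h:03m:22s    5 /  15   33  (8524) The DSA operation is
unable to proceed because of a DNS lookup failure.

Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - Renewable.energy.gov.za
          58 - Parliament.energy.gov.za
"""

# Win32 / DS error codes that show up in replsum output; names are the SDK constants.
KNOWN_ERRORS = {
    58: "ERROR_BAD_NET_RESP (DSA could not be queried for its replication status)",
    1722: "RPC_S_SERVER_UNAVAILABLE",
    8453: "ERROR_DS_DRA_ACCESS_DENIED",
    8524: "ERROR_DS_DNS_LOOKUP_FAILURE",
}

ROW_RE = re.compile(r"^\s*(?P<dsa>\S+)\s+(?P<delta>\S+)\s+(?P<fails>\d+)\s*/\s*(?P<total>\d+)"
                    r"\s+(?P<pct>\d+)(?:\s+\((?P<code>\d+)\)\s*(?P<msg>.*))?\s*$")
OPERR_RE = re.compile(r"^\s*(?P<code>\d+)\s+-\s+(?P<host>\S+)\s*$")
DELTA_RE = re.compile(r"^(?:(?P<d>\d+)d\.)?(?:(?P<h>\d+)h:)?(?P<m>\d+)m:(?P<s>\d+)s$")


@dataclass
class ReplRow:
    role: str                # "source" or "destination"
    dsa: str
    delta: str
    fails: int
    total: int
    code: Optional[int]
    message: str


@dataclass
class ReplSummary:
    rows: List[ReplRow]
    operational_errors: List[Tuple[int, str]]   # (win32 code, DSA host name)


def delta_seconds(delta: str) -> Optional[int]:
    """Convert a largest-delta value such as 22d.14h:02m:51s to seconds; None if unparseable."""
    m = DELTA_RE.match(delta)
    if not m:
        return None
    d, h = int(m.group("d") or 0), int(m.group("h") or 0)
    return d * 86400 + h * 3600 + int(m.group("m")) * 60 + int(m.group("s"))


def parse_replsum(text: str) -> ReplSummary:
    rows, operrs = [], []
    role, current = None, None      # current = row whose error text may continue on the next line
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        if line.startswith(("Source DSA", "Destination DSA")):
            role = line.split()[0].lower()
            current = None
            continue
        m = OPERR_RE.match(line)
        if m:
            operrs.append((int(m.group("code")), m.group("host")))
            continue
        m = ROW_RE.match(line)
        if m and role:
            code = int(m.group("code")) if m.group("code") else None
            current = ReplRow(role, m.group("dsa"), m.group("delta"), int(m.group("fails")),
                              int(m.group("total")), code, (m.group("msg") or "").strip())
            rows.append(current)
        elif current and current.code is not None:
            current.message = f"{current.message} {line.strip()}".strip()   # 80-column wrap
    return ReplSummary(rows, operrs)


def flag_problems(summary: ReplSummary, stale_after_seconds: int = 86400) -> List[Tuple[str, str, List[str]]]:
    """Return (role, dsa, reasons) for each DSA with failed attempts, a stale delta or an error code.

    The one-day staleness threshold is this example's default, not a Microsoft recommendation.
    """
    flagged = []
    for r in summary.rows:
        reasons = []
        if r.fails:
            reasons.append(f"{r.fails}/{r.total} replication attempts failed")
        secs = delta_seconds(r.delta)
        if secs is None:
            reasons.append(f"largest delta '{r.delta}' could not be parsed")
        elif secs > stale_after_seconds:
            reasons.append(f"largest delta {r.delta} ({secs}s) exceeds {stale_after_seconds}s")
        if r.code is not None:
            reasons.append(f"({r.code}) {KNOWN_ERRORS.get(r.code, 'unlisted error')}: {r.message}")
        if reasons:
            flagged.append((r.role, r.dsa, reasons))
    return flagged


if __name__ == "__main__":
    summary = parse_replsum(SAMPLE_REPLSUM)
    for role, dsa, reasons in flag_problems(summary):
        print(f"[{role}] {dsa}")
        for why in reasons:
            print(f"    - {why}")
    for code, host in summary.operational_errors:
        print(f"[operational] {host}: ({code}) {KNOWN_ERRORS.get(code, 'unlisted error')}")
```

Run it against a transcript saved from repadmin /replsum on any DC. On the posted output it singles out PARLIAMENT (as source) and LIGHT (as destination), both carrying error 8524, and lists the hosts that returned 58 when repadmin tried to read their replication status at all, which narrows the DNS problem to the partners dcdiag already cannot resolve by _msdcs GUID.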


Crash after promoting to Domain Controller

Hi guys!

I searched online and didn't find the answer, I'm such a beginner with WServer and I'm having a pretty stupid problem here...

I have Hyper-V Manager running on Win8.1 with some virtual machines. I'm trying to learn about AD, so the first thing is to install AD services and promote one of them to DC. So I did it with one of them (W2012R2 Datacenter w/ GUI) and after reboot it doesn't even reach the logon screen; it just keeps rebooting until Windows shows me some troubleshooting options. I've already tried like 4 times (I have a previous checkpoint) and it's always the same. IP is static and the Virtual Switch is Internal.

Any idea?

Thanks for your time! :D

Version number for GPOs not in sync with the version number for GPOs on the Baseline domain controller


Hi

I accidentally removed one of our domain controllers' Hyper-V images (DC-02) from Hyper-V Manager and, to bring it back online, launched a new virtual machine using the same virtual hard drive. This brought back the domain controller machine and I set the IP address back to the original one, assuming that everything would just work fine.

Sadly, that wasn't the case: when I tried to open the Group Policy Manager on that machine I started getting an "Access is denied" error. I was then presented with an option to open the Group Policy Manager with the first available DC, which I did, and was able to open it; it showed the same machine as the baseline domain controller under the Status tab (DC-01 is actually the baseline DC). I then clicked Detect Now and noticed it was showing 1 DC under "replication in progress" with problems in GPO version. I then did the same thing on the primary DC (DC-01) and even there it was showing only this (images attached).

So I started exploring the internet, going through various articles, but couldn't find a solution which I could apply without worrying about corrupting something somewhere. I also went to the SYSVOL folder on both DCs to check the version numbers in the GPT.ini files, which are listed below:

\\CC-DC01\sysvol\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3

\\CC-DC01\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5439513

\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3

\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5308439

Could anyone please help me sort this out? I am no system admin and whatever knowledge I have of setting up DCs, AD, etc. is from following one article or another on the internet.

Regards

Sajat Jain
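The four GPT.ini files above differ only for {31B2F340-016D-11D2-945F-00C04FB984F9}, the Default Domain Policy ({6AC1786C-016F-11D2-945F-00C04fB984F9} is the Default Domain Controllers Policy). The raw Version values are easier to reason about once split: GPT.ini stores a 32-bit number whose low 16 bits are the computer-settings version and whose high 16 bits are the user-settings version, so 5439513 is user 83 / computer 25 and 5308439 is user 81 / computer 23. GPMC's infrastructure status compares this value (and the matching versionNumber attribute on the GPO's container object in AD) between the baseline DC and every other DC. As an added example that is not part of the original post and not a Microsoft tool, the Python script below performs that comparison offline over the posted GPT.ini contents; the load_from_sysvol helper is an assumed way to collect the files from a live DC and is not exercised by the sample run.

```python
"""Compare GPO version numbers across DCs' SYSVOL shares (added example, not a Microsoft tool).

GPMC flags a GPO as out of sync when the Version in its GPT.ini differs between the
baseline DC and another DC. That Version is a 32-bit value: low 16 bits = computer
settings version, high 16 bits = user settings version.
"""
import configparser
from pathlib import Path
from typing import Dict, Optional, Tuple

WELL_KNOWN_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

# Constructed input: DC -> GPO GUID -> GPT.ini body, copied from the post above.
SAMPLE_GPT_INI = {
    "CC-DC01": {
        "{6AC1786C-016F-11D2-945F-00C04fB984F9}": "[General]\nVersion=3\n",
        "{31B2F340-016D-11D2-945F-00C04FB984F9}": "[General]\nVersion=5439513\n",
    },
    "CC-DC02": {
        "{6AC1786C-016F-11D2-945F-00C04fB984F9}": "[General]\nVersion=3\n",
        "{31B2F340-016D-11D2-945F-00C04FB984F9}": "[General]\nVersion=5308439\n",
    },
}


def parse_gpt_version(ini_text: str) -> int:
    """Return the integer Version from the [General] section of a GPT.ini body."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.getint("General", "Version")


def split_version(version: int) -> Tuple[int, int]:
    """Split a GPT.ini Version into (user_version, computer_version)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def describe(version: Optional[int]) -> str:
    if version is None:
        return "missing"
    user, computer = split_version(version)
    return f"{version} (user {user}, computer {computer})"


def load_from_sysvol(dc: str, domain_dns_name: str) -> Dict[str, str]:
    """Collect GPT.ini bodies from \\\\dc\\SYSVOL\\<domain>\\Policies\\<guid>\\GPT.ini.

    Assumed collection path for live use on a Windows host with read access to SYSVOL;
    the offline sample run above does not call it.
    """
    root = Path(f"\\\\{dc}\\SYSVOL\\{domain_dns_name}\\Policies")
    return {p.parent.name: p.read_text(encoding="utf-8-sig") for p in root.glob("*/GPT.ini")}


def compare_gpo_versions(sysvol: Dict[str, Dict[str, str]],
                         baseline_dc: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Return {guid: {dc: version}} for every GPO whose version differs from the baseline DC's.

    GUIDs are upper-cased first: the folder names in the post differ only in letter case.
    """
    versions = {dc: {guid.upper(): parse_gpt_version(body) for guid, body in gpos.items()}
                for dc, gpos in sysvol.items()}
    baseline = versions[baseline_dc]
    mismatches: Dict[str, Dict[str, Optional[int]]] = {}
    for dc, gpos in versions.items():
        if dc == baseline_dc:
            continue
        for guid in sorted(set(baseline) | set(gpos)):
            if baseline.get(guid) != gpos.get(guid):
                mismatches.setdefault(guid, {baseline_dc: baseline.get(guid)})[dc] = gpos.get(guid)
    return mismatches


if __name__ == "__main__":
    for guid, per_dc in compare_gpo_versions(SAMPLE_GPT_INI, "CC-DC01").items():
        print(f"{guid} ({WELL_KNOWN_GPOS.get(guid, 'custom GPO')}) is out of sync:")
        for dc, version in per_dc.items():
            print(f"    {dc}: {describe(version)}")
```

A GPO that is present on one DC and absent on the other is reported with "missing" rather than skipped, since a stale SYSVOL copy tends to lack recently created policies as well as carrying old versions of existing ones.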


Group MSA Problems


I've set up a group managed service account in my AD under Windows Server 2012 R2. The account looks fine and I can query it on the 2012 R2 AD server via PowerShell using Get-ADServiceAccount. However, when I attempt to add this account to another server in the domain using the command "Install-ADServiceAccount gMSATest$", it dumps the following error:

Install-ADServiceAccount : Cannot find an object with identity: 'gMSATest$' under: 'DC=mydomain,DC=com'.
At line:1 char:1
+ Install-ADServiceAccount gMSATest$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Install-ADServiceAccount], ADIdentityNotFoundException
    + FullyQualifiedErrorId : Cannot find an object with identity: 'gMSATest$' under: 'DC=mydomain,DC=com'.,Microsoft
   .ActiveDirectory.Management.Commands.InstallADServiceAccount

I've tried a number of different ways using -Identity, but each time I get the same error. I do have the AD-Domain-Services feature enabled, yet no joy. The server I'm attempting to add the account on is Server 2008 R2.

Any reason why it can't find the Group MSA account I created?  


Licensing requirement for deploying Certificate Authority Server


Is there any separate license that we need to purchase from Microsoft in order to use and implement Microsoft Certificate Authority Server in an organization? Or is it a free feature which comes as a part of Windows Server licensing?

Also, do we require any separate license for clients connecting or using the certificates?

If there is any licensing involved, kindly share information on the same.

Server - 2008 R2

Clients - 7, 8, 8.1

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the se....


Hi,

We have one RDC and 5 ADCs in different locations. 3 ADCs are in different zones connected via WAN connectivity and 2 ADCs are in different zones connected to the RDC via a Microsoft IPsec VPN secure channel.

Currently I am facing an issue on one of my ADCs, which is connected through WAN connectivity with 3 Mbps bandwidth, with the errors below:

In Event Log:

1. The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

Log Name: System, Source: Schannel, Event ID: 36882, Level: Error, User: System

2. The following fatal alert was generated: 48. The internal error state is 552.

Log Name: System, Source: Schannel, Event ID: 36888, Level: Error, User: System


Whenever I run dcdiag, I get an error on the system log and finally it says '....... failed test SystemLog'.

Error Details: Starting test: SystemLog

         An error event occurred.  EventID: 0x00009018
            Time Generated: 01/14/2015   09:45:33
            Event String: The following fatal alert was generated: 48. The internal error state is 552.
         An error event occurred.  EventID: 0x00009012
            Time Generated: 01/14/2015   09:45:33
            Event String: The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 01/14/2015   09:45:33

Kindly help to resolve the issues.

Best Regards,

NS

Migration of domain 2003 as child domain to parent domain


Dear Microsoft Expert,

We need professional AD advice; we are planning to migrate our 2003 domain server to a new 2012 domain.

Currently our 2003 domain environment:

We have domain1.com, which is hosted at our office; basically our DHCP, DNS and file servers are joined to this domain1.com.

Our objective:

Migrate domain1.com as child domain (new domain = xxx.corp.domain2.com) into our existing parent domain (corp.domain2.com)

New parent domain 2012 (corp.domain2.com):

We have a parent domain controller (Windows 2012) hosted at a data center; there are 4 child domains at different business centers under this parent domain (corp.domain2.com).

My questions are as below:

1. If I want to migrate our domain1.com as a child domain to this parent domain (corp.domain2.com), what is the procedure or steps to achieve this?

2. We are concerned about our file server; there are a lot of credentials/folder permissions. If we migrate domain1.com to a new server, all the credentials will be lost and all the users would have problems accessing the file server.

3. How about the DHCP server? What is the best practice; do we need to build another new DHCP server and join it to xxx.corp.domain2.com?

4. We need tools to facilitate the migration. If you have any related experience, you are welcome to share.

Please comment if you have anything you want to share; I appreciate it!

Thank You!

Best Regards,

Shiro

LastLogonTimeStamp still getting Updated even if Password is Expired


Hi 

I see an old thread with a similar issue, but I don't think that was closed.

I have a couple of users whose passwords already expired like a year ago, but their LastLogonTimestamp is still being updated with a recent date/time.

See one of the examples below:

LastLogonTimestamp                                    : 1/7/2015 5:02:01 AM
LastLogon                                             :
PasswordLastSet                                       : 5/21/2013 4:31:32 AM
PasswordAge                                           : 598.10:58:55.9243864
PasswordExpires                                       : 8/19/2013 4:31:32 AM


TPM Information not in AD


Windows 2012 R2 and Windows 8.1 client:

Followed this article http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx and was able to successfully back up BitLocker to AD.

Basically, I created the GPO and ran the TPMselfWriteACE.vbs script successfully, delegating write permissions on msTPM-OwnerInformation and Information for the Computer object to the "SELF" account on the OU with all workstations.

However, TPM information does not show up in the AD Attribute Editor. I also went ahead and extended the schema with the schema extension and ACL changes .ldf files (http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx). Still no luck. I don't think I needed it, as Windows 2012 already had those attributes.

Not sure what else I'm missing here. Appreciate any help. Thanks.

Schannel errors recur at regular intervals on a DC


Hi

In one of our DCs running on Windows 2008 R2 Enterprise, we are regularly getting Schannel errors at almost weekly intervals, as in the screenshot, for all the months, but the number of events varies for each month.

Where should I start investigating this error?

Any help is greatly appreciated!


Thanks & Regards S.Swaminathan Live & let others live!!!

Domain netbios name fails to connect using LDP.exe


I can connect to my domain using the FQDN with LDP.exe; however, I'm unable to connect to my domain using the domain NetBIOS name in LDP.exe. I know this sounds simple, but I cannot figure out why (this works on another machine in a different location).

ldp.exe, Connect - domain.local (works)

ldp.exe, Connect - domain (NetBIOS name - fails)

I've been searching all over and I cannot find out the process by which the NetBIOS domain name is queried in a DNS-only Active Directory domain.

Please help!

ADFS Design Help


Hi All,

We need help configuring ADFS in our environment for the following requirement.

We have an application which will be used by users from the intranet as well as the internet. The application is in the LAN and our Domain Controllers are also in the LAN. We want the users to access the application from the internet using the same AD credentials. We were thinking that we could place an ADFS server in the DMZ and get the users authenticated against it, and in turn the ADFS server would communicate with AD and authenticate the users.

Is it possible using ADFS, and how do we plan and design it?

AD MIGRATION


Hi,

My name is John,

and we have a plan to upgrade our domain controllers from 2008 R2 to 2012 R2. But our present primary domain controller is 2008 R2 and the backup domain controller is 2003, so please let me know the best way of upgrading both the PDC & backup domain controllers to 2012 R2.

1) Prerequisites required.

2) Which one should I upgrade first, the PDC or the ADC?

3) Approximate downtime required.

THANKS IN ADVANCE 

JHON

The trust relationship between this workstation and the primary domain failed.


Hi,

We are facing an issue where most of the clients are having problems while logging into the system. They get the error 'The trust relationship between this workstation and the primary domain failed.' and it doesn't allow users to log on to the machine. But after trying 2-3 times or after restarting the machine, it allows them to log on to the machine using the same credentials and ID. Also, the hostname and user IDs exist on the DC.

While running the test from the client logon:

nltest /sc_query:abc.com
Flags: 0
Trusted DC Name:
Trusted DC Connection Status Status = 5 0*5 ERROR_ACCESS_DENIED
The command completed successfully.

I get the above result.

Please help.

Changing NTP from the old Win2003 DC to the newly deployed Win2008R2 DC as a VM?


Hi,

I'd like to know if I need to transfer the FSMO role for NTP in my domain from the old Windows Server 2003 physical box to the new Windows Server 2008 R2 Virtual Machine (VMware)?


/* Server Support Specialist */


DNS issues from one domain controller to another (but not the other way) nslookup DNS request timed out


Hi All

I've been trying to trudge my way through an issue our client is having, but I'm getting nowhere fast. This issue was discovered when searching for why users at our second site were experiencing slow logons every morning (5-10 minutes to log in).

Within our domain there are two domain controllers for the child domain we manage.

DC1 has a connection back to the parent DCs (managed by our client's parent company), and also replicates both ways with DC2. DC2 is at another site, on another subnet, and replicates to and from DC1 only.

DC2 appears to have no issues: it can resolve any address, nslookup using either itself or DC1 is fine, and name servers resolve fine.

DC1 has massive issues with DC2 - using it for nslookup gives me the following:

I get this timeout error for internal and external names, but both DCs are able to ping and access the internet with no issues.

When trying to resolve name servers from DC1, DC2 sits at 'validating' for a while and then comes back with 'a timeout occurred during validation'.

Restarting DNS Server, NETLOGON and registering in DNS from DC2 had DC1 talking to it fine for a few minutes, but then it went back to how it was (and I haven't been able to replicate this fix since).

Reverse DNS zones are set up for all the subnets used; there are A records and PTRs for both DCs.

Performing 'ping -a dc2.ip.address' from DC1 comes back fine - it knows what it is in both directions (name and IP), but nslookup and name server resolution are still failing.

I just don't know where to go from here - from everything I've read they should be happy... Any ideas?

The trust relationship between this workstation and the primary domain failed

Hi,

We are facing a strange (at least for me) issue with two of our servers running 2008 R2. When we try to log in as domain administrator we get this error.

"The trust relationship between this workstation and the primary domain failed"

To fix this we reset the computer account using this cmd: NETDOM RESETPWD /Server:<name of any domain controller> /UserD:<domain admin account> /PasswordD:<password>, and after a restart it works fine.

But after a random time the users cannot log on anymore and the same error reoccurs.
To our surprise, sometimes it becomes normal again automatically.

To add more, there are two other servers running 2008 on this same domain working fine (in total there are only four servers added to this domain).
Our domain controller is 2008 R2.

Any solution?


Thanks and Regards
Perumal Raj J

Confirm Subtree Deletion....Why this??


Hello all,

So today I tried to remove an old user from AD 2003/2008 and for the first time I got this message:

Confirm Subtree Deletion:

"Object username contains other objects. Are you sure you want to delete object %username% and all of the objects it contains?

If you cancel the running deletion, the objects deleted thus far will not be recovered.

WARNING: if you select Use Delete Subtree Server control check box, all objects within the subtree, including all delete-protected objects, will be deleted and the deletion cannot be canceled"

Check box: Use Delete Subtree server control

YES or No.

What is this all about? I haven't encountered this before, not even recently while deleting users, old machines, etc.

Thank You in advance.

SM


Replication failures, Connectivity Tests Failing from only one DC in forest.


Hi,

We have had a Windows Active Directory domain for many years running with few issues.

In the last two days replication from one of our 2008 R2 DCs has stopped.

The forest consists of 1 2008 R2 DC and 4 2003 R2 DCs in various states around the country.

About two days ago we lost network connectivity to the SAN that the 2008 R2 server is running on as a virtual machine (VMware ESXi 5.0). This loss of connection lasted around a minute.

It would seem that after that there has been no replication to the 4 other servers.

Dcdiag reports first of all "LDAP bind failed with error 8341" when testing the 2008 R2 DC, and when run from one of the 2003 DCs.

repadmin /showrepl shows "last attempt failed" for all AD partitions from the 2008 R2 DC; all others from the 2003 DCs say the last attempt was successful.

Using ldp.exe you can connect to the 2008 R2 DC, but bind fails using the default Bind Method of SSPI. If you use Bind Method DIGEST you can bind to the 2008 R2 DC. If you attempt to bind to the 2003 DCs there is no problem with any Bind Method.

If you try a repadmin /replicate from a 2003 DC to the 2008 R2 DC you get the message:

DsReplicaSync() failed with status -2146893022 (0x80090322)

Can't retrieve message string -2146893022 (0x80090322), error 1815

This error message is also appearing in the event logs:

      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 01/14/2015   14:43:49
            Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server sopm-dc1$. The target name used was ldap/b6400cd3-2bcd-4f8b-866b-3dd06716188f._msdcs.shimadzu.com.au. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (SOPM.SHIMADZU.COM.AU), and the client realm. Please contact your system administrator.

Dcdiag has various errors such as the following:

      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 01/14/2015   15:38:09
            Event String: All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.

and this

DC: SOPM-DC1.sopm.shimadzu.com.au
            Domain: sopm.shimadzu.com.au

                 
               TEST: Authentication (Auth)
                  Error: Authentication failed with specified credentials
                  [Error details: 1396 (Type: Win32 - Description: Logon Failure: The target account name is incorrect.) - Add connection failed]
                 
               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Error: No WMI connectivity
                  [Error details: 0x800706ba (Type: HRESULT - Facility: Win32, Description: The RPC server is unavailable.) - Connection to WMI server failed]

I am trying to understand what is causing the authentication errors, which I think are the basis of all the issues I see.

I have disabled firewalls on the servers but it has made no difference.

Any help greatly appreciated.

Unable to get a user's full list of group memberships from global catalog


I'm having trouble getting a user's full list of group memberships from a global catalog inside a single forest.

The scenario is a bit unique:

We have 2 domains within the forest - domainA.example.com and domainB.example.com:

  • The domains share a transitive trust between them.
  • Each domain has a single domain controller, which are also global catalogs.
  • domainA holds only computer objects, while domainB holds only user objects and groups.
  • I am trying to get the user's group memberships, which are all global groups.

The client I'm using (a Java client I wrote) doesn't have access to domainB directly, only to domainA.

Therefore, in order to get a domainA user's list of group memberships, I have to query domainA. I did this using the Global Catalog; the problem was that when I ask the GC from domainA to get me the list of groups (using the memberOf attribute), I get a partial list of groups (65 groups out of the 106 groups the user belongs to).

I am trying to figure out why that is, and whether or not this is even the correct method, considering the fact that I don't have direct access to domainB (it is blocked via a firewall).



