Channel: Directory Services forum
Viewing all 31638 articles

Server 2012: Increased LDAP traffic to domain controllers since installed


About three months ago, we installed a new server running Windows Server 2012 (Std.) at a branch office.  The server is running the following roles: File Services (including File Server Resource Manager FSRM), Print Server, and DHCP server.  Since the installation we noticed through our WAN monitoring (netflow) that there is a substantial increase in the amount of traffic between this new server and our two domain controllers (Server 2008 R2 std.).  The two domain controllers are located at our headquarters over the WAN.

I can see in Netflow that the traffic is being labeled LDAP.  I noticed on the new 2012 server there are a few event errors pointing to the issue of "claims" not being available on the domain (Event ID 12339 and 12344).  We're not using Dynamic Access Control or central access policies.  When I run Network Monitor on the new 2012 server, I see SMB and SMB2 traffic between the file server and domain controller(s), but that's about it.

I'm wondering if others have seen this issue I'm experiencing.  At the moment, I'm leaning towards the traffic increase being Server 2012 FSRM trying to sync claims and policies which don't exist.  I will likely remove FSRM from Server 2012, but I wanted to get others' input first.

Thanks,

Brian


Disabling Account Lockout Policy


I have recently upgraded a 2000 domain to 2008 R2. I am having problems with my VPN clients: when they connect, the accounts get locked out because of an old policy set up in the 2000 days. Where can I find this setting? Somewhere in the domain, after so many failed passwords, my accounts are becoming locked, and I want to be rid of it for the short term. There are no 2000 DCs left and this is native mode 2008 R2 now.

Thanks.

Multi Forest


Hi Experts,

We have a requirement where

  1. We will have 3 different isolated domains, each in its own forest, and there should not be any communication between these domains.
  2. We will have one more Master-Engineering domain that will be used as the central engine to do all administrative tasks.
  3. We will push code/updates and share resources to those 3 isolated domains; however, they will not talk to each other, as said above, except with Master-Engineering.
  4. Group Policy and user rights assignment will be done from the Master-Engineering AD domain and applied on the respective domain in each forest. It will not hold information locally.
  5. There will not be any AD object replication between the Eng. AD domain and the other three domains.

What kind of trust relationship will be best, as I'm planning to go for a forest trust between these three isolated domains and the Master-Engineering domain?

Can I replicate AD data between these domains if I want to (for my knowledge and tests)?



Regards Suman B. Singh

Change Active Directory Computer Object Attribute "Computer Description"


Does anyone have access to a VBScript or code that will change the AD computer description of the current computer using another domain account?


gary pearson

Disjoin Active Directory

Good afternoon,

We currently have an Active Directory based on 2008 R2, which has two sites. In addition there are 2 platforms, Exchange 2007 SP3 sharing the organization, SharePoint and SCCM.

We want to split the domain so that each site has its own domain, and each has its own Exchange, SharePoint, SCCM, etc.

The first thing I thought is that one of the two sites will keep the domain name that we currently have, and the other place will have to migrate or change domain. Obviously, there will be no communication between them.

I would like to know what options are available to us to undertake this task. They could be:

1. Site A keeps the current domain and Site B is a migration using ADMT
2. Site A keeps the current domain and Site B is a domain rename
3. Split Site A and Site B, leaving the two with the same domain name and doing ntdsutil metadata cleanup, changing roles, etc.

What do you think? Has anyone run into this situation? What does Microsoft recommend for such cases?

Any suggestions or help in making the decision will be good.

Thanks in advance.

On startup the intersite messaging service doesn't start.


Error in system log:

The Intersite Messaging service terminated with the following error:

The specified server cannot perform the requested operation.

After startup I can manually start the service without errors.

This Windows Server 2008 DC is in a domain with a Windows Server 2003 R2 DC.

I checked and all services it depends on were started before the Intersite Messaging service.

Still, as it started when the server was fully booted, I expected that something not yet loaded was causing the problem. I managed to fix this error by changing the startup type of the service to Automatic (Delayed Start).

Has anyone else encountered this issue?

Active directory & Users Backup


Hi 

I have Active Directory on my server (Windows Server 2008 R2) and many users on it. Now I want to move all users to the new server, installed with Windows Server 2008 R2, and format the old one.

The question is how I can move the users to the other Active Directory.

I hope you can help.

Thank you very much

Start from scratch


Current setup: 3 x Windows 2003 R2 Enterprise domain controllers, a file server, Exchange 2003 single server and various other member servers. Clients running either Windows XP Pro SP2 or Windows 7 Pro SP1.

The problem: Inability to promote a domain controller. Have to rely on Install From Media (IFM) to promote. Things fail when normal dcpromo is used and the same error appears: "Directory Object Not Found".

The probable cause: MS support found out that the "isCriticalSystemObject" attribute of the built-in admin account was set to False instead of True. Unable to change it to True because it says the account is owned by SAM. This glitch most likely existed from Day 1.

Attempts: attempts to promote new DCs have obviously failed unless, of course, IFM is used. An attempt to conduct an in-place upgrade of a Windows 2003 DC to a Windows 2008 DC and then use the IFM method to promote a Windows 2008 R2 DC has also failed, due to different OS level versions.

Questions:

1) Are there any known fixes for this attribute problem with admin account?

2) if there are none, what is the next option?  Create a new domain?

3) Should a new domain be started or a new forest?

4) Can the new domain/forest link to the old one to allow cross usage of resources as well as migration of AD objects?

5) If not will ADMT work? Will ADMT also bring over the nasty attribute issue as well?

6) Any suggestions where to go from here?


Demoted DC often can't find new DC's


I'm posting here because the issue is with a demoted server that can't find the new domain controllers on the network. It could also be a DNS issue; feel free to move it if it doesn't belong here. Thanks.

I have this Server 2008 SP1 box that was a playground for the Operations Manager for quite some years before I came here.

It had AD DS with all FSMO roles, DNS server, DHCP server, TS server, file server, IIS, our ERP, Exchange for some time, every single utility he could find to test, 20 users logged on full-time using Office Remote Apps and surfing the web (with admin privileges) on it, and then some. The only thing it didn't have was updates. All of this on a single RAID 5 volume with no HS. It was a mess.

I've been working my way to kill it and managed to remove almost every essential service from it, the most recent (Oct) being AD DS. I created a new server, promoted it and moved all FSMO roles to it; finally I demoted the old server. dcdiag reported all OK.

Since then, I've been having connectivity issues all the time on that server.

I'm having 3 different errors popping up all the time:

Level: Error
Source: NETLOGON
Event ID: 5719
Description: This computer was not able to set up a secure session with a
domain controller in domain <DOMAIN> due to the following: There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is
connected to the network. If the problem persists, please contact your domain
administrator.

 

Level: Error
Source: GroupPolicy
Event ID: 1054
Description: The processing of Group Policy failed. Windows could not obtain
the name of a domain controller. This could be caused by a name resolution
failure. Verify your Domain Name System (DNS) is configured and working correctly.


Level: Error
Source: GroupPolicy
Event ID: 1030
Description: The processing of Group Policy failed. Windows attempted to retrieve
new Group Policy settings for this user or computer. Look in the details tab for
error code and description. Windows will automatically retry this operation at
the next refresh cycle. Computers joined to the domain must have proper name
resolution and network connectivity to a domain controller for discovery of new
Group Policy objects and settings. An event will be logged when Group Policy is
successful.
ErrorCode: 58
ErrorDescription: The specified server cannot perform the requested operation.

 

As a result it sometimes takes 3 or 4 tries to RDP successfully to it; other times it just won't let you in until later. It says "Access denied" on the dialog.

The errors basically tell me there are DNS/network issues with the server. I couldn't find any network issue: it flawlessly serves files, keeps RDP sessions open and responds to ping with <1 ms latency all day, so it must be DNS or something else.

Thing is, I can't scrap the server just yet, not until we buy the new file server, and that may still take some months and up to a year.

So my only option is to fix these problems.

Further info:

  1. The remaining roles on the server are: file services, NPAS, TS and IIS.
  2. Any other server/service in the network works fine; it's only this server with issues.
  3. It doesn't have authentication issues on shares (most shares are for Authenticated Users).
  4. nslookup detects the DC with no issue. I can't check whether it does when it starts throwing "Access denied", since that happens when I'm trying to log on to it, hence I'm out of it.

I'd appreciate any help you could provide.

Cheers.


"When something is not working as it is supposed to, then it is working as expected" -R

domain account disable


A domain user account is getting disabled every Thursday. It is not locked out; it is getting disabled.

Please, if anyone can suggest a solution.

Thanks in advance.

DNS server unavailable to the network


I am having the most baffling problem with one of my domain controllers. Windows Server 2008 Enterprise.

It has been working without incident for two years. Then with little warning it fell off the network and refuses connection with any computer except for our main file server and the backup server. Those two devices' information flows unimpeded. All other devices, including the other DNS server, simply time out.

I have tried the following:

ipconfig /flushdns

ipconfig /registerdns

located the entry for reverse DNS

ensured that the IPv6 box was not checked in the network properties

turned the firewall on and off

The computer can RESOLVE local computer addresses, it just will time out. It can't even ping the gateway. It will not ping or connect EVEN using IP addresses.

nslookup from the broken DNS server gives:

Server:  UnKnown
Address:  204.85.36.31

Name:    galvatron.bwfund.org
Address:  204.85.36.31

ipconfig/all gives:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : Galvatron
   Primary Dns Suffix  . . . . . . . : bwfund.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : bwfund.org

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : F0-4D-A2-06-A1-A8
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 204.85.36.31(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 204.85.36.254
   DNS Servers . . . . . . . . . . . : 204.85.36.31
                                       204.85.36.16
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{F44BE425-4FE8-4A36-ADCF-9CDDB8CB5583}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : 6TO4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:cc55:241f::cc55:241f(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 204.85.36.31
                                       204.85.36.16
   NetBIOS over Tcpip. . . . . . . . : Disabled

Any help would be very appreciated.  I am spinning my wheels now.

Thanks in advance.

Wemdell Jones

Do I need to rejoin the computers if I re image my DC?


I have a PDC on which the Server Manager MMC failed. I've spent a day and a half troubleshooting it but no luck. My last option is to do a fresh install and start from scratch. Assuming I name the DC and configure AD Users and Computers exactly the way it is now and manually add each computer name as it was, would I have to rejoin the machines? It's faster to rebuild my DC than to have to reconfigure each user's profile.

Since Server Manager won't load, I can't do Windows Server Backup; are there other ways to back up my AD?


Danny

AD LDS user's cn equal to user's sAMAccountName


The environment

I configured an AD LDS instance and synced it with an existing AD. To help and guide me in this process I followed these tutorials: http://www.thegeekispeak.com/archives/64 http://lab.technet.microsoft.com/en-us/magazine/dd228991

I am using a Windows 2008 R2 Server (the AD and AD LDS are running on the same server). I successfully managed to sync the AD LDS with the AD and at this moment I have all the objects that I want in the AD LDS. All objects are user proxies pointing to their corresponding AD objects.

The problem

I have a Tomcat application, more exactly a Bonitasoft installation, bound to this AD LDS so the users can log in to the Bonita User Experience (Portal and process manager). Here is how I did it: http://priyankacool10.wordpress.com/2012/07/25/how-to-configure-ldap-with-bonita-user-xp/

With this small adaptation:

BonitaAuth {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  userProvider="ldap://10.1.222.254:50000/CN=Users,CN=bonitadir,DC=ZZZ,DC=YYY,DC=XX"
  authIdentity="CN={USERNAME},CN=Users,CN=bonitadir,DC=ZZZ,DC=YYY,DC=XX"
  useSSL=false
  debug=true;
};

BonitaStore {
  org.ow2.bonita.identity.auth.LocalStorageLoginModule required;
};

It's working but not exactly as I would have expected: the problem is that the user proxy's "CN" is the same as "displayName", which is a normal name like "John Doe", not the expected user name like "jdoe".

Is there a way to sync the AD LDS with AD but make the "CN" at the user's proxy equal to perhaps sAMAccountName?

At this moment i have this:
     AD LDS     |        AD
-----------------------------------
  User's Proxy  |       User
       CN       =        CN


And I want this:
      AD LDS       |         AD
----------------------------------------
   User's Proxy    |        User
        CN         =   sAMAccountName

Can this be done, and how?

If you see a different and easier solution please let me know.

Thanks in advance :)

Best regards.

Active Directory & group Policy change reporting


Hi,

I would like to know where I can obtain some kind of script that tells me what changes have occurred in AD and GP, and who did it, where and when, etc.

I have been searching all over the internet for something like this but so far haven't really found anything. Ideally I want something like Netwrix Change Reporter (which I have tried), but we cannot really afford these commercial auditing products as they are quite expensive. Hence the need for a script.

We have a full 2003 AD environment.

So can anyone point me in the right direction? And please don't post links to software sites that offer restricted feature trials etc :)

Thanks,

Taz
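One scripted way to get the who/what/when view the post asks for, as an added example that is not part of the post or its thread: it reads the Security log of Windows Server 2003 DCs and maps the pre-2008 event IDs for account, group and directory-object changes. The DC names, the lookback window and the regexes used to pull the actor out of the message text are assumptions; success auditing for account management and directory service access must already be enabled on the DCs.

```powershell
# Added example (not from the post): pull AD object and GPO change events from the
# Security log of one or more Windows Server 2003 DCs and show who changed what, when.
# Requires "Audit account management" and "Audit directory service access" (success)
# on the DCs; run from a PowerShell 2.0+ host whose account can read remote logs.
param(
    [string[]] $DomainControllers = @('DC01'),   # placeholder names, replace with yours
    [int]      $HoursBack = 24
)

# Windows Server 2003 Security event IDs for directory changes (pre-2008 numbering)
$eventNames = @{
    566 = 'Object operation (DS access; GPO edits appear with a groupPolicyContainer DN)'
    624 = 'User account created'
    630 = 'User account deleted'
    642 = 'User account changed'
    632 = 'Member added to global group'
    633 = 'Member removed from global group'
    636 = 'Member added to local group'
    637 = 'Member removed from local group'
    645 = 'Computer account created'
    646 = 'Computer account changed'
    647 = 'Computer account deleted'
}

$since = (Get-Date).AddHours(-$HoursBack)

$changes = foreach ($dc in $DomainControllers) {
    Get-EventLog -ComputerName $dc -LogName Security -After $since -EntryType SuccessAudit |
        Where-Object { $eventNames.ContainsKey($_.EventID) } |
        ForEach-Object {
            $msg = $_.Message
            # 2003 messages name the actor under different labels depending on the event;
            # the label list is an assumption, extend it if your events use another one
            $who = if ($msg -match '(?:Caller|Primary|Client) User Name:\s*(\S+)') { $Matches[1] } else { '?' }
            $target = if ($msg -match 'Target Account Name:\s*(\S+)') { $Matches[1] }
                      elseif ($msg -match 'Object Name:\s*(.+?)\r?\n') { $Matches[1].Trim() }
                      else { '' }
            [pscustomobject]@{
                Time   = $_.TimeGenerated
                DC     = $dc
                Event  = $_.EventID
                What   = $eventNames[$_.EventID]
                Who    = $who
                Target = $target
            }
        }
}

# 566 fires for many object types; keep only the ones that touch GPO containers
$changes |
    Where-Object { $_.Event -ne 566 -or $_.Target -match 'CN=Policies,CN=System' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Because each DC audits only the changes made through it, every DC in the domain has to be queried to get a complete picture.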

time settings of domain controller

Dear all,

These are the time settings of my 2 domain controller servers:

Value Name                 Value Type          Value Data
------------------------------------------------------------

ServiceDllUnloadOnStop     REG_DWORD           1
ServiceMain                REG_SZ              SvchostEntry_W32Time
ServiceDll                 REG_EXPAND_SZ       C:\Windows\system32\w32time.DLL
Type                       REG_SZ              NT5DS


Value Name                 Value Type          Value Data
------------------------------------------------------------

ServiceDllUnloadOnStop     REG_DWORD           1
ServiceMain                REG_SZ              SvchostEntry_W32Time
ServiceDll                 REG_EXPAND_SZ       C:\Windows\system32\w32time.DLL
Type                       REG_SZ              NT5DS


I know that the NT5DS type means that the domain controller is configured to use the domain hierarchy for its time synchronization, but I cannot understand what that means. Could anyone explain it to me in a simpler way?

Another question: is this the right type for the DC that all PCs in the domain should synchronize with?

I have another question. I have two domain controllers in one single site; what is the best way of configuring the time settings on both servers so that all PCs that are part of the domain can rely on these domain controllers to sync time with?
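A way to check the hierarchy the post asks about across a whole domain, as an added example that is not part of the post: in the domain-hierarchy model only the PDC emulator takes time from an external source (Type NTP) and every other DC, including the second one in the same site, follows the hierarchy (Type NT5DS). It assumes the RSAT ActiveDirectory module and w32tm.exe are available, and the NTP server name in the printed remediation is a placeholder.

```powershell
# Added example, not from the forum post: audit the W32Time role of every DC
# against the domain-hierarchy model:
#   - the PDC emulator is the only DC that syncs from an external source (Type = NTP)
#   - every other DC syncs from the hierarchy (Type = NT5DS)
# Assumes the RSAT ActiveDirectory module and w32tm.exe; run as a domain admin.
Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $isPdce = ($dc.HostName -ieq $pdce)

    # The NtpClient section of "/query /configuration" carries a "Type: NT5DS (Local)" line
    $cfg   = w32tm /query /computer:$($dc.HostName) /configuration 2>&1
    $match = $cfg | Select-String -Pattern '^Type:\s*(\S+)' | Select-Object -First 1
    $type  = if ($match) { $match.Matches[0].Groups[1].Value } else { 'unreachable' }

    # Where the clock is actually being taken from right now
    $source = ((w32tm /query /computer:$($dc.HostName) /source 2>&1) -join ' ').Trim()

    $expected = if ($isPdce) { 'NTP' } else { 'NT5DS' }

    [pscustomobject]@{
        DC          = $dc.HostName
        PDCEmulator = $isPdce
        Type        = $type
        Source      = $source
        Expected    = $expected
        OK          = ($type -ieq $expected)
    }
}

$report | Format-Table -AutoSize

# Print (do not run) the w32tm commands that would bring a non-compliant DC in line.
# <ntp-server-placeholder> stands for your external time source.
foreach ($r in ($report | Where-Object { -not $_.OK })) {
    if ($r.PDCEmulator) {
        Write-Host "On $($r.DC): w32tm /config /manualpeerlist:`"<ntp-server-placeholder>`" /syncfromflags:manual /reliable:yes /update"
    } else {
        Write-Host "On $($r.DC): w32tm /config /syncfromflags:domhier /update"
    }
    Write-Host "   then:      w32tm /resync /rediscover"
}
```

Domain members never need per-PC time settings in this model: they locate a DC through the normal DC locator process and follow it, so the two DCs only have to agree on who holds the PDC emulator role.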
 

FSMO


Actually I didn't do any transferring or seizing operation, even though the roles are transferred to the ADC.

Suppose that was done by somebody, by transferring or seizing: how do I track it down, and after seizing what happens if the old DC comes back online? Because I got some solutions for resolving Kerberos Event ID 4, so if I do it on my old DC what will happen?

Group policies are not updating.

In my case the DC is on a physical machine and the ADC is in Hyper-V, and previously the PDC used to show as the DC, but when I perform net time from a client it used to show the ADC.

the directory service is missing mandatory error while demoting a 2008 r2 dc


Hi everyone,

I have 2 2003 DCs in my domain, and recently I added a 2008 R2 one to my domain. For some reasons I want to demote the 2008 R2 DC, but while using dcpromo I get the following error:

"Active Directory Domain Services is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

What should I do if I don't want to use force removal?

Thanks

Domain controller crashed - was never demoted.


One of our domain controllers crashed, so it was never demoted. I rebuilt the server and promoted it to DC. Ever since then, I've been getting countless NTDS Replication event errors (2023, 2042). I ran the repadmin /removelingeringobjects tool and it was successful. When I attempt to demote the DC, I get the following error:

The operation failed because:

Active Directory could not transfer the remaining data in directory partition CN=Configuration,DC=####,DC=local to domain controller (domaincontrollername).

"The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

How can I resolve this issue?

Both controllers are Windows Server 2003 R2.

Demote a DC in JRNL_WRAP_ERROR


Hello,

In one location we have 3 DCs (1 Win2K3 and 2 Win2008R2).
We are planning to demote the old Win2K3 server. I have transferred all the services to the new servers (DHCP, DNS etc.), but I noted that the Win2K3 server has this error:

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.

Should I demote it immediately, or do I have to resolve the journal wrap error first?
The other 2 DCs seem OK; they are replicating well.
What is the best practice? Enable Journal Wrap Automatic Restore on the failed DC?

Thank you

Understanding XP and Win7 client DNS updates


Hi,

I'm trying to understand how some of the DNS registration updates work between Domain member client PC and the AD infrastructure when not on the local LAN, but on a routed LAN.

I've a simple 3 DC (no RO DCs) setup. On my LAN the DHCP server updates DNS entries for clients. The DNS servers are setup only for Secure Updates.  I'm not aware of any GPO settings overriding default setups.

However, we now have an off-shoot LAN that has its own Linux DHCP server. Clients on that LAN are pointed to our normal DNS servers directly. There are no firewalls involved, only IP routing.

What we see, is that if an existing record exists when a client PC moves from my LAN to the off-shoot LAN, then its DNS entry is not updated. However, if the client doesn't exist in DNS (because I delete it manually), then they can register in ok from that new LAN.

I don't see this in my local DHCP/DNS update mechanism. Only with the new LAN.

I know that DNS registrations are done by the DNS Client on the PC, but I'm not sure what else is taken into account when security checks are made.

Also, I'm seeing 'stale' entries in the DNS listing. Scavenging is set for 7 days, but yet I see timestamps for 30 Nov, 29 Nov, 28 Nov etc.

Any advice on how to proceed appreciated.  I've searched for basic DNS and read various articles, so I think my understanding is good, but can't see why the clients aren't updating:

http://technet.microsoft.com/en-us/library/cc784052(v=ws.10).aspx
http://social.technet.microsoft.com/Forums/lv/winserverNIS/thread/8f5310f6-3c8e-47c2-a95f-07c4f0ea19d0
