
Demoted DC often can't find new DCs

I'm posting here because the issue is with a demoted server that can't find the new domain controllers on the network. It could also be a DNS issue; feel free to move it if it doesn't belong here. Thanks.

I have this Server 2008 SP1 machine that was a playground for the Operations Manager for quite some years before I came here.

It had ADDS with all FSMO roles, DNS server, DHCP server, TS server, file server, IIS, our ERP, Exchange for some time, every single utility he could find to test, 20 users logged on full-time using Office Remote Apps and surfing the web (with admin privileges) on it, and then some. The only thing it didn't have was updates. All of this on a single RAID 5 volume with no HS. It was a mess.

I've been working my way towards killing it and have managed to remove almost every essential service from it, the most recent (Oct) being ADDS. I created a new server, promoted it and moved all FSMO roles to it, and finally I demoted the old server. dcdiag reported all OK.

Since then, I've been having connectivity issues all the time on that server.

I'm having 3 different errors popping up all the time:

Level: Error
Source: NETLOGON
Event ID: 5719
Description: This computer was not able to set up a secure session with a
domain controller in domain <DOMAIN> due to the following: There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is
connected to the network. If the problem persists, please contact your domain
administrator.

 

Level: Error
Source: GroupPolicy
Event ID: 1054
Description: The processing of Group Policy failed. Windows could not obtain
the name of a domain controller. This could be caused by a name resolution
failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly. 


Level: Error
Source: GroupPolicy
Event ID: 1030
Description: The processing of Group Policy failed. Windows attempted to retrieve
new Group Policy settings for this user or computer. Look in the details tab for
error code and description. Windows will automatically retry this operation at
the next refresh cycle. Computers joined to the domain must have proper name
resolution and network connectivity to a domain controller for discovery of new
Group Policy objects and settings. An event will be logged when Group Policy is
successful.
ErrorCode: 58
ErrorDescription: The specified server cannot perform the requested operation.

 

As a result it sometimes takes 3 or 4 tries to RDP successfully onto it; other times it just won't let you in until later. It says "Access denied" on the dialog.

The errors basically tell me there are DNS/network issues with the server. I couldn't find any network issue: it flawlessly serves files, keeps RDP sessions open and responds to ping with <1ms latency all day, so it must be DNS or something else.

Thing is, I can't scrap the server just yet, not until we buy the new file server, and that may still take some months and up to a year.

So my only option is to fix these problems.

Further info:

  1. The remaining roles on the server are: file services, NPAS, TS and IIS.
  2. Any other server/service in the network works fine; it's only this server with issues.
  3. It doesn't have authentication issues on shares (most shares are for Authenticated Users).
  4. nslookup finds the DC with no issue. I can't check whether it does when it starts throwing "Access denied", since that happens when I'm trying to log on to it, hence I'm out of it.

I'd appreciate any help you could provide.

Cheers.


"When something is not working as it is supposed to, then it is working as expected" -R
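An added example, not part of the post above and not anything Microsoft ships: a read-only PowerShell check for a member server that keeps logging NETLOGON 5719 and Group Policy 1054 after a DC was demoted. It assumes the domain name comes from $env:USERDNSDOMAIN unless passed in, and relies only on nslookup, nltest, WMI and Get-WinEvent, all present on Windows Server 2008.

```powershell
# Added example (not from the forum post). Read-only checks for a member
# server that logs NETLOGON 5719 / Group Policy 1054 after a DC demotion.
# $DomainName defaults to the machine's own domain (<DOMAIN> in the post).
param(
    [string]$DomainName = $env:USERDNSDOMAIN
)

$srvName = "_ldap._tcp.dc._msdcs.$DomainName"   # DC locator SRV record
$report  = @()

function Add-Result([string]$check, [bool]$ok, [string]$detail) {
    $script:report += New-Object PSObject -Property @{
        Check  = $check
        Status = $(if ($ok) { 'OK' } else { 'FAIL' })
        Detail = $detail
    }
}

# 1. Each DNS server the NIC is configured with must answer the locator SRV
#    query itself. After a demotion, a NIC still pointing at the old box
#    (which no longer hosts the zone) is a classic cause of "no logon servers".
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $nics) {
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
        if (-not $dns) { continue }
        $out   = nslookup -type=SRV $srvName $dns 2>&1 | Out-String
        $hosts = @([regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
                   ForEach-Object { $_.Groups[1].Value })
        $detail = $(if ($hosts.Count -gt 0) { $hosts -join ', ' } else { $out.Trim() })
        Add-Result "SRV $srvName via $dns" ($hosts.Count -gt 0) $detail
    }
}

# 2. NETLOGON's own locator: status 1355 (ERROR_NO_SUCH_DOMAIN) here is the
#    same failure that event 5719 reports.
$dcOut = nltest "/dsgetdc:$DomainName" /force 2>&1 | Out-String
$dcOk  = $dcOut -match 'DC:\s*\\\\(\S+)'
Add-Result "nltest /dsgetdc:$DomainName" $dcOk $(if ($dcOk) { $Matches[1] } else { $dcOut.Trim() })

# 3. The secure channel itself (what 5719 says could not be set up).
$scOut = nltest "/sc_query:$DomainName" 2>&1 | Out-String
Add-Result "nltest /sc_query:$DomainName" ($scOut -match 'NERR_Success') $scOut.Trim()

# 4. How often it happened in the last day; failures clustering at certain
#    times point at one bad DNS server among several rather than a dead link.
$events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; Id = 5719, 1054; StartTime = (Get-Date).AddDays(-1) })
Add-Result 'NETLOGON 5719 / GroupPolicy 1054 in last 24h' ($events.Count -eq 0) "$($events.Count) event(s)"

$report | Format-Table Check, Status, Detail -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the affected server; a FAIL on a single DNS server in step 1 while the others pass explains why the errors are intermittent.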









Trying to use ALTools unsuccessfully to determine where I am being locked out

Specifically my problem is with ALockout.dll.

I installed this on my win7 machine and tested it by deliberately locking out an account from my computer.

When I did this though the following file was not generated: %Systemroot%\Debug\ALockout.txt

According to the docs (http://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx) the DLL is supposed to create this file when an account is locked out from this machine, or maybe I have misunderstood how this works?

Unable to log in to CRM via ADFS 2.0, getting Event ID 197 on the ADFS server

Hi:

We have a CRM 2011 server set up with Claims & IFD and another server for ADFS 2.0. Everything validated correctly; however, when we visit the ADFS login page and log in, we are prompted for credentials for "authtest.test-corp.com", and when we look on the ADFS server we see this event.

"The Federation Service could not satisfy a token request because the accompanying credentials do not meet the authentication type requirement of 'urn:oasis:names:tc:SAML:1.0:am:password' for the relying party 'https://crmcorptest.test-corp.com/'.
Authentication type: http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
Desired authentication type(s): urn:oasis:names:tc:SAML:1.0:am:password
Relying party: https://crmcorptest.test-corp.com/

This request failed."

Help!

-Stangride

DDNS overwriting static records

I have had two instances in my environment where a user has named their computer the same name as a production server. Each time the server had static records in DNS; however, the static records were overwritten by the DDNS entry.

Any ideas on how to prevent this?

I have 2 DNS servers running Windows Server 2008R2 SP1.

Event ID 644 not getting generated on my MOM server

Event ID 644 is not getting generated on my MOM server, due to which I am not able to know from which workstation the user account is getting locked. Please help, as this issue has become a daily routine for 3 months.

User Account locks frequently

The user account locks frequently, and this account is used as the login for an application and a database, and also in IIS. So whenever any database is accessed using this account by any application, the account gets locked, and there are a number of applications using this account. So can anybody tell me the solution? Also, I have used the account lockout tools, but I don't know how to use EventCombMT.exe.

How can I pull a report of created/modified/disabled accounts in a month?

How can I pull a report of created/modified/disabled accounts in a month?

no operation right through directly logged on DC, unless using "runas"

Hi Guys,

Background: I have an admin account; it's a member of Domain Admins. Windows Server 2003!

When I log on to the domain controller directly via RDP, I have no operation rights at all in ADUC, DSSITE, etc., including moving a computer object to another OU.

Unless I use runas and type the same account again; then it all works...

I have no idea about it; does anyone have any comments?

Thanks & good day!





DNS events on child domain Win 2003 R2 DC: 4015, 4513, 4514

Greetings everyone.

I have created a child domain in the AD forest with two domain controllers (both Windows 2003 R2). After that I tried to configure an additional DNS server on the second DC. Now I should say that the 1st DNS server on the 1st DC works fine, but the second one doesn't. In the DNS console both the Forward and Reverse lookup zones are empty and I have a 4015 error event accompanied by 4513 and 4514 events (messages are attached below).

As has been said here, I found and deleted one duplicate zone record using ADSIEdit (the duplicated zone was stored in the Default Naming Context). Now all DNS zones are stored in the appropriate AD partitions (the domain-wide zone in DC=DomainDNSZones,DC=child,DC=domain,DC=com, and the forest-wide zone in DC=ForestDNSZones,DC=domain,DC=com) and no duplicate zones have been found (the Default Naming Context partition contains only Root hints now). All DNS servers were restarted and replication was forced, but no luck: the errors are still present and the zones are empty in the DNS console.

So, as 4514 and 4515 say, I tried to put my second DC into the appropriate replication scope. This topic should help me. But after

Add NC Replica DC=DomainDNSZones,DC=child,DC=domain,DC=com dc2.child.domain.com

I have got an error:

LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)

I tried to Google it, but no luck. So, I need help. Please.

Some additional information.

1. 4015 Error message

Event Type:	Error
Event Source:	DNS
Event Category:	None
Event ID:	4015
Date:		26.12.2012
Time:		17:22:27
User:		N/A
Computer:	DC2
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152395, #1:
	0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 13 00 00 00               ....    

2. 4513 and 4514 error messages:

Event Type:	Information
Event Source:	DNS
Event Category:	None
Event ID:	4513
Date:		26.12.2012
Time:		17:22:27
User:		N/A
Computer:	DC2
Description:
The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.domain.com. This prevents the zones that should be replicated to all DNS servers in the child.domain.com forest from replicating to this DNS server. 
To create or repair the forest-wide DNS directory partition, open the the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. 
The error was 9002.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    
 
Event Type:	Information
Event Source:	DNS
Event Category:	None
Event ID:	4514
Date:		26.12.2012
Time:		17:22:26
User:		N/A
Computer:	DC2
Description:
The DNS server detected that it is not enlisted in the replication scope of the  directory partition DomainDnsZones.child.domain.com. This prevents the zones that should be replicated to all DNS servers in the domain.com domain from replicating to this DNS server. For information on how to add a DNS server to the replication scope of an application directory partition, please see Help and Support. 
To create or repair the domain-wide DNS directory partition, open the the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. 
 The error was 9005.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    

3. DC1 and DC2 ipconfigs:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc2
   Primary Dns Suffix  . . . . . . . : child.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : child.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-C2-3D-B6-9A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.25.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.25.1
   DNS Servers . . . . . . . . . . . : 192.168.25.2
                                       192.168.25.3

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc1
   Primary Dns Suffix  . . . . . . . : child.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : child.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-C2-3F-6C-E2
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.25.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.25.1
   DNS Servers . . . . . . . . . . . : 192.168.25.2
                                       192.168.25.3

4. dcdiag on DC2

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: spb\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests
   
   Testing server: spb\DC2
      Starting test: Replications
         ......................... DC2 passed test Replications
      Starting test: NCSecDesc
         ......................... DC2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC2 passed test NetLogons
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC2 passed test RidManager
      Starting test: MachineAccount
         ......................... DC2 passed test MachineAccount
      Starting test: Services
         ......................... DC2 passed test Services
      Starting test: ObjectsReplicated
         ......................... DC2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC2 passed test frssysvol
      Starting test: frsevent
         ......................... DC2 passed test frsevent
      Starting test: kccevent
         ......................... DC2 passed test kccevent
      Starting test: systemlog
         ......................... DC2 passed test systemlog
      Starting test: VerifyReferences
         ......................... DC2 passed test VerifyReferences
   
   Running partition tests on : spb
      Starting test: CrossRefValidation
         ......................... spb passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... spb passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running enterprise tests on : domain.com
      Starting test: Intersite
         ......................... domain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.com passed test FsmoCheck


5. Some repadmin output:

repadmin /showreps
child\DC2
DC Options: (none)
Site Options: (none)
DC object GUID: fbb45f38-ee10-4bdd-bf27-18cc6b6f0995
DC invocationID: e62c67e1-1c6e-4bc8-9238-5307714ac4bb

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:45:22 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:45:22 was successful.

DC=child,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:46:54 was successful.

6. And ntdsutil output:

ntdsutil: domain management
domain management: connections
server connections: connect to server dc2
Binding to dc2 ...
Connected to dc2 using credentials of locally logged on user.
server connections: q
domain management: list nc replicas DC=DomainDnsZones,DC=child,DC=domain,DC=com
The application directory partition DC=DomainDnsZones,DC=child,DC=domain,DC=com's Replicas are:
        CN=NTDS Settings,CN=dc1,CN=Servers,CN=child,CN=Sites,CN=Configuration,DC=domain,DC=com
domain management: add nc replica DC=DomainDnsZones,DC=child,DC=domain,DC=com dc2.child.domain.com
LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)


How to delete the dns record automatically after delete a domain computer ?

Hi, my domain controller is a Windows 2008 R2 server and it is also a DNS server in the domain.

When I remove a computer from the domain, the corresponding DNS record is not removed from DNS automatically.

So my question is: how do I remove the DNS record automatically, so that I need not do it manually?

thank you very much!

Chu.


Chu Qiu

Deploying AD 2008 on 2 sites

Hello, 

I want to install AD 2008 on 2 geographically dispersed sites. These 2 sites will be replicas of each other, and users will access either Site A or Site B. Both sites must have the same identical users, i.e. if a user is created on Site A, then it must be replicated to Site B. Once this is successful, I will set up Exchange 2010 SP2 hosting in this architecture.

Please suggest any link/blog on deploying AD on both sites and enabling replication.


Hasan

UPN Suffix and Forest Trust (same domain name)

Hi,

We have 2 domains: 1 old (let's call it domainold.local) and 1 new (let's say newdomain.local), with a forest trust between them. Users are migrating to the new domain.

We would like to set an alternative UPN suffix in the new domain (newdomain.local) using the old domain name (domainold.local) to allow some users to log on with it. Note: the users have a new SAM name in the new domain.

But we have already declared a trust with this same DNS name (domainold.local) between the two forests.

So the question is: can I add the alternative UPN "domainold.local" in "newdomain.local" if we have an active trust with "domainold.local"? I need to be sure that adding the UPN will not interfere with the trust or block any use of the old domain accounts from the new domain.

Hope I'm clear enough :) Thanks.


Password reset and unlock account issue in server 2008 domain controller

Hi,

We have a group named reset.

Lock1 and Lock2 are two normal domain users which are members of the reset group.

The reset group is a member of the Account Operators built-in group.

 

Now the problem comes here:

Lock1 and Lock2 can unlock all the user accounts in the domain. But Lock1 cannot unlock Lock2 if it gets locked out, or reset its password, and vice versa.

please help ...

 

Thanks

Sunny

Account keeps locking out..

Hi

We are using AD 2003 on Windows 2003 servers.

There is an account - domain\account1 - that keeps locking out. I suspect that either someone is trying to continuously authenticate using a wrong password or, more likely, there is an application that is set to use this account which has an old password.

I've run EventComb with the following parameters:

Security, Failure Audit, all DCs in domain, Event ID 528
Text: domain\account1

But I'm getting no results.

Can anyone tell me what I'm doing wrong?
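An added example, not from any of the posts above: a PowerShell script for the question that runs through the Event ID 644, EventCombMT, ALTools and "keeps locking out" posts, namely which computer is sending the stale credentials. It queries the PDC emulator (where every lockout is recorded) plus any extra DCs you name, reading event 4740 from 2008-era DCs and event 644 from 2003 DCs; the field positions assume the standard layouts of those two events, and the account and DC names are placeholders.

```powershell
# Added example (not from the forum posts): find the caller computer behind
# an account lockout. Lockouts are always written to the PDC emulator's
# Security log (2003: event 644, 2008+: event 4740), so that DC is queried
# first; more DCs can be added with -DomainController. Field positions below
# assume the standard layouts of events 644 and 4740.
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # sAMAccountName, e.g. account1
    [string[]]$DomainController = @(),                 # optional additional DCs
    [int]$Days = 7
)

$pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$dcs   = @($pdc) + @($DomainController | Where-Object { $_ -and $_ -ne $pdc })
$since = (Get-Date).AddDays(-$Days)

function Get-LockoutRecords([string]$dc) {
    # 4740: Properties[0] = TargetUserName, Properties[1] = TargetDomainName,
    # which in this particular event carries the caller computer name.
    $modern = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since }
    foreach ($e in @($modern | Where-Object { $_ })) {
        if ($e.Properties[0].Value -ne $UserName) { continue }
        New-Object PSObject -Property @{
            Time = $e.TimeCreated; EventId = 4740; DC = $dc
            User = $e.Properties[0].Value; CallerComputer = $e.Properties[1].Value
        }
    }
    # 644 (Windows 2003): ReplacementStrings[0] = Target Account Name,
    # ReplacementStrings[2] = Caller Machine Name. Get-WinEvent cannot read a
    # 2003 DC remotely, so the classic event log API is used for this one.
    $legacy = Get-EventLog -ComputerName $dc -LogName Security -InstanceId 644 `
        -After $since -ErrorAction SilentlyContinue
    foreach ($e in @($legacy | Where-Object { $_ })) {
        if ($e.ReplacementStrings[0] -ne $UserName) { continue }
        New-Object PSObject -Property @{
            Time = $e.TimeGenerated; EventId = 644; DC = $dc
            User = $e.ReplacementStrings[0]; CallerComputer = $e.ReplacementStrings[2]
        }
    }
}

$records = @(foreach ($dc in $dcs) { Get-LockoutRecords $dc })

if ($records.Count -eq 0) {
    "No lockout events for '$UserName' on $($dcs -join ', ') since $since."
} else {
    $records | Sort-Object Time | Format-Table Time, EventId, DC, User, CallerComputer -AutoSize
    # The caller computer is where the stale credential lives: a service,
    # scheduled task, mapped drive, IIS app pool or disconnected RDP session.
    $records | Group-Object CallerComputer | Sort-Object Count -Descending |
        Select-Object Name, Count | Format-Table -AutoSize
}
```

The script needs an account allowed to read the Security log on each DC; once the caller computer is known, the bad-password events (529/675 on 2003, 4625/4771 on 2008) on that machine identify the process.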

There is no such object on the server - ADO search on Windows Server 2008

I have an ADO query that works fine with Windows Server 2003:

Option Explicit
Dim strQuery, objConnection, objCommand, objRecordSet

' ADO/ADSI query string: base;(filter);attributes;scope
strQuery = "LDAP://dc=Windows2003DC,dc=COM;(objectCategory=user);name,sAMAccountName;subtree"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Open "Provider=ADsDSOObject;"   ' the ADSI OLE DB provider
objCommand.ActiveConnection = objConnection
objCommand.CommandText = strQuery
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    WScript.Echo objRecordSet("sAMAccountName")
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close

But when I run the same script, but make the following change:

strQuery = "<LDAP://dc=Windows2008DC,dc=COM>;(objectCategory=user);name,sAMAccountName;subtree"

I get an error that says "There is no such object on the server"

I do not have domain rights for the domain, but if I can run this query for Windows 2003, I should be able to do so with 2008.
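An added example, not the poster's script: the same kind of user search as the ADO query above, done with System.DirectoryServices in PowerShell, extended with the filters needed for the "created/modified/disabled accounts in a month" report asked for in an earlier post on this page. The search base is read from RootDSE instead of being typed in (a search base that does not exist on the server is what "There is no such object on the server" describes); $Server is a placeholder for an optional DC name, and the LDAP attribute and matching-rule names are standard AD ones.

```powershell
# Added example (not the poster's script). DirectorySearcher user report:
# accounts created, modified or disabled in a given month, searched from the
# domain root that the server itself reports in RootDSE.
param(
    [int]$Year  = (Get-Date).Year,
    [int]$Month = (Get-Date).Month,
    [string]$Server                        # optional, e.g. a DC of the 2008 domain
)

$prefix  = $(if ($Server) { "LDAP://$Server/" } else { 'LDAP://' })
$rootDse = [ADSI]"${prefix}RootDSE"
$baseDn  = [string]$rootDse.defaultNamingContext   # e.g. DC=domain,DC=com

# Month boundaries as LDAP generalizedTime (UTC); LDAP has >= but no >, so the
# upper bound is expressed as (!(attr>=end)).
$start = New-Object DateTime -ArgumentList $Year, $Month, 1, 0, 0, 0, ([DateTimeKind]::Utc)
$from  = $start.ToString('yyyyMMddHHmmss') + '.0Z'
$to    = $start.AddMonths(1).ToString('yyyyMMddHHmmss') + '.0Z'

function Search-Users([string]$extraFilter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"${prefix}$baseDn"
    $s.SearchScope = 'Subtree'
    $s.PageSize    = 1000                   # paged search: no 1000-object cap
    $s.Filter      = "(&(objectCategory=person)(objectClass=user)$extraFilter)"
    [void]$s.PropertiesToLoad.AddRange(@('sAMAccountName', 'whenCreated',
                                          'whenChanged', 'userAccountControl'))
    foreach ($r in $s.FindAll()) {
        New-Object PSObject -Property @{
            sAMAccountName     = [string]$r.Properties['samaccountname'][0]
            whenCreated        = $r.Properties['whencreated'][0]
            whenChanged        = $r.Properties['whenchanged'][0]
            userAccountControl = [int]$r.Properties['useraccountcontrol'][0]
        }
    }
}

$inMonth  = "(whenChanged>=$from)(!(whenChanged>=$to))"
$created  = @(Search-Users "(whenCreated>=$from)(!(whenCreated>=$to))")
$modified = @(Search-Users $inMonth)
# AD keeps no "disabled on" timestamp; ACCOUNTDISABLE (0x2) is tested with the
# LDAP_MATCHING_RULE_BIT_AND rule and whenChanged narrows it to this month.
$disabled = @(Search-Users "(userAccountControl:1.2.840.113556.1.4.803:=2)$inMonth")

"Search base: $baseDn"
"Created  in {0:D4}-{1:D2}: {2}" -f $Year, $Month, $created.Count
"Modified in {0:D4}-{1:D2}: {2}" -f $Year, $Month, $modified.Count
"Disabled in {0:D4}-{1:D2}: {2}" -f $Year, $Month, $disabled.Count
$created  | Sort-Object whenCreated | Format-Table sAMAccountName, whenCreated -AutoSize
$disabled | Sort-Object whenChanged | Format-Table sAMAccountName, whenChanged -AutoSize
```

Printing $baseDn first makes it easy to compare the DN the server actually uses with a hand-typed one such as dc=Windows2008DC,dc=COM.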



Error Demoting Domain Controller

I am in the process of removing a domain controller (2008 R2) from our environment. I was able to successfully transfer all required FSMO roles to the new domain controller, but receive the following error when running DCPromo on the server.

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

I ran a dsquery using the command dsquery * CN=Infrastructure,DC=DomainDnsZones,DC=Domain,DC=com -attr fSMORoleOwner and receive the following output:

"CN=NTDS Settings\0ADEL:1d2ebcbd-16cb-4923-937d-ad768880ec2e,CN=OldServer\0ADEL:6fb18232-4b56-4646-ac5f-2809b5ee6a16,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com"


Based on the results of the command, I see the problem is related to a role that's assigned to a server (OldServer) that was incorrectly removed from the environment over 4 years ago. While I believe I have identified the source of the problem, I have hit a wall on how to proceed with resolving it. Your advice would be appreciated.

Replication issues: Operations Master shows ERROR and attempting to connect to server shares gets "the target account name is incorrect"

I think this should be easily resolved, but I need some guidance.

I have a client with 2 Server 2003 R2 x64 DCs: BORIS & NATASHA. Last year I upgraded both of them from x86 to x64 one at a time, allowing replication to occur between the upgrades. BORIS is the FSMO roles holder as it is currently the production server, while NATASHA is a backup DC. One thing that puzzles me though is that if I look at the NS record in DNS on the SOA tab, it says NATASHA is the Primary server.

While doing some routine maintenance I noticed an error in the File Replication Service events about a 'Tombstone' situation (Event ID 2042). I looked at article cc757610 in the Technet Library and opted for remedy #3 as I did not want to demote NATASHA and I got confused looking at the help about using "repadmin /removelingeringobjects". I have no idea how to determine which DC has the good copy of the directory.

Now, in running "repadmin /showrepl" I get

"DC=CPA,DC=local
    Default-First-Site-Name\BORIS via RPC
        DC object GUID: 0267a090-1890-40e2-9a15-ea928cabd425
        Last attempt @ 2012-12-27 08:28:55 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1179 consecutive failure(s).        Last success @ 2012-12-21 23:30:15." <-- THIS IS WEIRD SINCE THIS IS THE DATE THAT I DISCOVERED THE TOMBSTONE EVENT AND MADE THE REGISTRY CHANGE (I THINK).

When I try to look at the FSMO roles on NATASHA, it shows ERROR for RID, PDC & Infrastructure and says "The current Operations Master is offline. The role cannot be transferred." The other issue I'm having is that client PCs are intermittently having trouble reconnecting to necessary server shares.

TIA


Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.InfoTek831.com



Unable to add Additional Domain Controller in existing Domain (Server 2008)?

We have two sites connected through VPN. I have implemented the domain model in one site and now I am trying to add an additional domain controller to the existing domain.

But I am getting an error stating:

{
"The operation failed because:

Active Directory Domain Services could not create the NTDS settings object for the active directory domain controller CN=NTDS settings,CN=IN-FMISC8D5P7V,CN=Servers,CN… on the remote AD DC WIN-25U8A45FTH6.RakHolding.ae. Ensure the provided network credintials have sufficient permissions.

"The RPC Server is Unavailable." }

I tried giving delegated permissions to the user on the system through Local Policies - User Rights Assignment - Enable computer

I don't remember the exact steps I did (sorry).

Can someone help me please!!

Policies not restored to SYSVOL from system state backup

I am restoring a system state backup to my test environment win2003 DC's.

After my backup and before my restore, I deleted a GPO. During the wizard I chose "Restore to: Original Location" and "Leave Existing Files". Post restore, the GPO was once again listed in GPMC, but was not restored to SYSVOL.

FYI I did this from DSRM, exactly per these steps: http://technet.microsoft.com/en-us/library/cc758435(v=ws.10).aspx

Thanks in advance,

Jaime


Windows 2008 R2 Complete Authoritative restore of AD

How do I do a complete authoritative restore of the AD database on a Windows 2008 R2 domain controller? I need to know the steps... We have all domain controllers running Windows 2008 R2.