Channel: Directory Services forum

Schema FSMO holder could not be found.


OK, first a brief synopsis of this network.

1. We have the enterprise DC in the U.S., and it is the Schema Master and the Domain Naming Master. We can never seize the Schema role from it.

2. I work in the Middle East, and we have one root DC here and 3 other domain controllers. We have 2 DCs in remote sites.

3. We had to remove a DC the other day, and when we ran dcpromo we got the following error.

The Operation failed because:

Active Directory Domain Service could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=example, to Active Directory Domain Controller \\exampleDC1\...............

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

So because of that we had to run dcpromo /forceremoval.

Afterwards I followed the article here http://support.microsoft.com/?id=216498 to remove the metadata.

Now when I open the Schema snap-in on DC2, it shows the current Schema Master. When I right-click and change to another server I get this:

"The schema FSMO holder could not be found. Schema modifications can only be made on the schema FSMO holder"

I try to change to any of our other 4 DCs and I get the same error.

When I open Schema on those DC's I get this.

Current Schema Master (Offline)
Error

That is not true because that resides in the states as I mentioned above and it never goes offline.

What is possibly related is that when I try to replicate with our root DC, it fails with the error below.

"The following error occurred during the attempt to synchronize naming context conus.cano.com from Domain Controller RDC3 to Domain Controller DC1: The naming context is in the process of being removed or is not replicated from the specified server. This operation will not continue."

I think somehow this might be pointing at the root DC. Our DC3 has all of the other 3 roles and is our primary DNS server.

So, to sum it up:

DC1 - Current Schema Master (Offline): Error

DC2 - Can see the Schema Master fine

DC3 - Current Schema Master (Offline): Error

DC4 - Current Schema Master (Offline): Error

DC5 - Current Schema Master (Offline): Error

Also when I go to AD and search for one of our larger Groups, all of the members in that group show as SIDs only.

Any help would be appreciated. Thanks
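The symptom in this post is that five DCs disagree about who holds the Schema Master role, which is exactly what the snap-in reads from the fSMORoleOwner attribute on the schema partition of whichever DC it is connected to. The script below is an added example, not code from the original post: it asks each DC directly for its own view of the Schema and Domain Naming role owners, then lists every replication link that is currently failing. The DC names are placeholders taken from the post's summary; `netdom query fsmo` gives the same answer but only from one DC's point of view.

```powershell
# Added example (not from the original post): ask each DC for its own view of
# the Schema and Domain Naming FSMO owners, which is what the Schema snap-in
# reads before reporting "Current Schema Master (Offline)". DC names are assumed.
$dcs = @("DC1", "DC2", "DC3", "DC4", "DC5")   # assumed names

foreach ($dc in $dcs) {
    try {
        # RootDSE tells us the schema/configuration naming contexts as this DC sees them
        $root   = [ADSI]"LDAP://$dc/RootDSE"
        $schema = [ADSI]("LDAP://$dc/" + [string]$root.schemaNamingContext)
        $parts  = [ADSI]("LDAP://$dc/CN=Partitions," + [string]$root.configurationNamingContext)

        # fSMORoleOwner is the DN of the role holder's NTDS Settings object; a value
        # containing "0ADEL:" points at a deleted object, i.e. a metadata-cleaned DC
        [pscustomobject]@{
            DC           = $dc
            SchemaMaster = [string]$schema.fSMORoleOwner
            NamingMaster = [string]$parts.fSMORoleOwner
        }
    } catch {
        [pscustomobject]@{ DC = $dc; SchemaMaster = "ERROR: $($_.Exception.Message)"; NamingMaster = "" }
    }
}

# Every failing replication link in the forest, so the DomainDnsZones error from
# the post can be matched to a source DC that may no longer exist.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_."Number of Failures" -ne "0" } |
    Select-Object "Source DSA", "Destination DSA", "Naming Context", "Last Failure Status", "Last Failure Time" |
    Format-Table -AutoSize
```

If the five answers for SchemaMaster are not identical, the configuration partition has not converged across the DCs, and the repadmin table shows which inbound links are stuck. A SchemaMaster value that names the metadata-cleaned server (or a `0ADEL:` DN) on some DCs means the cleanup has not replicated to them yet, which also explains unresolved SIDs in group membership on those DCs.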


Additional DC with Windows Server 2012

I have Server 2008 R2 as a primary DC. Could I add a second DC with Server 2012?

Upgrade from Active Directory 2003 SP2 to Active Directory 2008 R2

Hi everyone,

I have Windows Server 2003 Enterprise Edition SP2 32-bit running Active Directory. I just want to upgrade it to Active Directory 2008 R2. What are the simple methods to do that? And also, please tell me: if I upgrade from Active Directory 2003 to 2008 R2, will I need to rejoin all clients to the domain or not?

Event ID 1168 Active Directory

On our domain controllers we see the events below:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          19.12.2012 7:13:45
Event ID:      1168
Task Category: Internal Processing
Level:         Error
Keywords:      Classic
User:          "our domain"\XXXX$
Computer:      YYYY
Description:
Internal error: An Active Directory Domain Services error has occurred.
 
Additional Data
Error value (decimal):
1332
Error value (hex):
534
Internal ID:
1240627
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="49152">1168</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-19T05:13:45.180564900Z" />
    <EventRecordID>1621</EventRecordID>
    <Correlation />
    <Execution ProcessID="436" ThreadID="4832" />
    <Channel>Directory Service</Channel>
    <Computer>YYYY</Computer>
    <Security UserID="S-1-5-21-1074365621-3550774200-4067301949-50952" />
  </System>
  <EventData>
    <Data>1332</Data>
    <Data>534</Data>
    <Data>1240627</Data>
  </EventData>
</Event>


XXXX is an RODC and YYYY is a DC.
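Event 1168 only carries a raw Win32 error value, so the first step is to decode it. The script below is an added example, not code from the original post: it pulls recent 1168 events from the Directory Service log on the DC named in the event (a placeholder here), decodes the numeric error through the Win32 message table, and resolves the SID in the event's Security element to an account name. The value in this post, 1332 (0x534), is ERROR_NONE_MAPPED, "No mapping between account names and security IDs was done."

```powershell
# Added example (not from the original post): read Event 1168 from the Directory
# Service log and decode the Win32 error value it reports. Computer name assumed.
$dc = "YYYY"   # assumed: the DC that logged the event

Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = "Directory Service"; Id = 1168 } -MaxEvents 20 |
    ForEach-Object {
        # EventData holds three unnamed <Data> fields: decimal error, hex error, internal ID
        $x    = [xml]$_.ToXml()
        $data = @($x.Event.EventData.Data)
        $code = [int]$data[0]
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = $_.UserId      # SID the DC was working under (here the RODC's computer account)
            ErrorCode  = $code
            ErrorHex   = ("0x{0:X}" -f $code)
            ErrorText  = (New-Object System.ComponentModel.Win32Exception($code)).Message
            InternalId = $data[2]
        }
    }

# Resolve the SID from the event's <Security UserID> to a name (value taken from the post)
$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1074365621-3550774200-4067301949-50952")
try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { "unresolvable: $($sid.Value)" }
```

An account that cannot be mapped, logged while the RODC's computer account is the caller, is the thing to chase: if the SID itself fails to translate on the writable DC, the object the RODC is referring to is missing or not yet replicated there.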

Roaming User Profiles Problem - Windows Server 2008


Hi,

I am experiencing problems with roaming profiles on a Windows 2008 domain. When I try to log in with a domain user on an XP machine it gives the following error:

"Windows cannot locate the server copy of your roaming profile"

If anyone has any guidance on this problem I would really appreciate it.

Thanks.

Active directory information gathering question


Greetings.

I want to collect all the information an Active Directory (W2003) server has for each user. This means knowing all the configuration that affects each user (department, site, GPOs, logon scripts, etc.). In general I know what info I should check to get all the information for each user, but I would like to ask for some tips/guides/tools (official tools) that could help me collect this information. Maybe there are some points I'm not considering.

Thanks in advance.

Query on System.DirectoryServices.ActiveDirectory C#

Hi,

I am using the Domain object in the System.DirectoryServices.ActiveDirectory namespace. Whenever I query domain details using Domain.GetCurrentDomain or Domain.GetDomain, it establishes a connection with a domain controller. This connection can be seen with the "netstat -ano | findstr 389" command.

Code:

using System.DirectoryServices.ActiveDirectory;

// Binds to a domain controller over LDAP; the connection stays open until the object is disposed
Domain dom = Domain.GetCurrentDomain();

My question is: how do I close the connection? The only way I can close the connection is to dispose of the Domain object. Since I have cached the Domain object in my code, I don't want to dispose of it. The problem this raises is that the 'ESTABLISHED' state remains for some time and later changes to 'CLOSE_WAIT'.

netstat -ano | findstr 389
  TCP    10.241.93.168:51291    154.1.124.156:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51297    154.1.124.154:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51302    154.1.124.158:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51320    154.1.124.155:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51323    154.1.124.153:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51332    154.1.124.157:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:53399    148.86.153.162:389     CLOSE_WAIT      8028
  TCP    10.241.93.168:53436    139.172.150.15:389     CLOSE_WAIT      8028

For security reasons I need to eliminate these stale connections. Do let me know if you have any suggestions.

Thanks, Santhosh
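The Domain object owns the LDAP session it opened, so the connection lives as long as the object does; the usual way out is to cache the data, not the object. The snippet below is an added example, not code from the original post, and uses the same .NET class from PowerShell: it reads what it needs, disposes both the Domain and the DomainController it found (each holds its own connection), and returns a plain record that can be cached indefinitely.

```powershell
# Added example (not from the original post): take what you need from the Domain
# object and Dispose it, caching the values rather than the live object, so no
# LDAP session to port 389 is left behind in ESTABLISHED or CLOSE_WAIT.
function Get-DomainSnapshot {
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    try {
        $dc = $dom.FindDomainController()   # opens its own connection; dispose it too
        try {
            [pscustomobject]@{
                Name    = $dom.Name
                Mode    = $dom.DomainMode
                DcName  = $dc.Name
                DcSite  = $dc.SiteName
                TakenAt = Get-Date
            }
        } finally { $dc.Dispose() }
    } finally {
        $dom.Dispose()   # closes the LDAP connection(s) the Domain object opened
    }
}

$snapshot = Get-DomainSnapshot   # plain data: safe to cache for as long as needed
$snapshot
netstat -ano | findstr ":389"    # nothing from this process should remain ESTABLISHED
```

The same pattern in C# is a `using` block around the Domain and DomainController objects. Sockets already in CLOSE_WAIT belong to the process that forgot to dispose; they disappear once the owning object is finalized or the process exits, not through any netstat-side action.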

RODC Configuration

Hello everyone,

I have been working on introducing a new RODC at one of our remote branches. I have set up everything I can determine is necessary for this to work. The connection between the offices is a quite slow 500k link.

I have one new user defined in AD who has been added to the Allowed RODC policy, along with the machine they use. It passes in the Resultant Policy on the writable DC, and when I log into the workstation it will 'sometimes' pick the correct RODC; other times it will use one of the other two DCs.

I can't figure out why or what causes this.

I have ADSS set up correctly and the respective subnets are defined properly.

Thanks for any help on this.
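Which DC a workstation uses is decided by the DC locator from the site its IP address maps to, so the place to look is the locator's own answers on the branch workstation. The commands below are an added example, not from the original post; the domain name is a placeholder and the last line needs the ActiveDirectory module on a DC or management host.

```powershell
# Added example (not from the original post): run on the branch workstation to see
# which site the DC locator puts this client in and which DC it picks, which is
# what decides whether the RODC gets used. Domain name is assumed.
$domain = "example.local"   # assumed

# 1. Site the locator mapped this client's IP to, from the Sites and Services subnets
$site = (nltest /dsgetsite)[0]
"Locator site for this client: $site"

# 2. Fresh discovery (bypasses the cached DC); the "Dom Guid"/"Site Name" lines
#    show whether the chosen DC is in the branch site or a hub site
nltest /dsgetdc:$domain /force

# 3. Ask for a DC in this site only, then for a writable one, to see whether
#    each request can be satisfied from the branch
nltest /dsgetdc:$domain /site:$site /force
nltest /dsgetdc:$domain /writable /force

# 4. On a DC: every DC with its site and read-only flag. An RODC that is not the
#    only DC registered for the branch site will share logons with the others.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsReadOnly, IPv4Address
```

If step 1 reports a hub site, the workstation's subnet is not mapped to the branch site and the occasional RODC hits are chance; if step 2 alternates between the RODC and hub DCs while the site is right, check which DCs have SRV records under the branch site in DNS, because the locator picks from all DCs registered for that site.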


Why is the Kerberos token converted to an NTLM token when connecting to the SAP application?

Hi,

I have the issue below with my client's application's Kerberos authentication. See the issue history below.

The client is trying to set up SSO using Windows Integrated Authentication for one of our SAP Enterprise Portal applications.

The browser has to talk to the AD server and send a Kerberos token to the J2EE engine for the authentication to happen. But in the client's case an NTLM token is being passed, which fails the SPNEGO authentication process.
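A browser falls back from Kerberos to NTLM inside SPNEGO when the KDC will not issue a service ticket for the name in the URL, most often because no account holds the HTTP SPN for that host, or more than one does. The checks below are an added example, not from the original post; the host name and service account are placeholders.

```powershell
# Added example (not from the original post): the checks a practitioner runs when
# a browser sends NTLM instead of Kerberos to a SPNEGO-protected site.
$portalHost = "portal.example.com"      # assumed: host name typed in the browser
$svcAccount = "EXAMPLE\svc-sapportal"   # assumed: account the J2EE engine runs as

# 1. Which account (if any) owns the HTTP SPN for the URL host? No result means the
#    KDC cannot issue a ticket and the browser silently falls back to NTLM.
setspn -Q "HTTP/$portalHost"

# 2. Duplicate SPNs anywhere in the forest also make the KDC refuse the ticket.
setspn -X

# 3. All SPNs on the service account; the URL host must appear here exactly
#    (an IP address or a short name not listed here forces NTLM).
setspn -L $svcAccount

# 4. From the client: clear the ticket cache, hit the site, and look for an HTTP/
#    ticket. A successful logon with no HTTP/<host> ticket means SPNEGO used NTLM.
klist purge
Invoke-WebRequest -Uri "https://$portalHost/" -UseDefaultCredentials | Out-Null
klist | Select-String "HTTP/"
```

Two client-side causes that produce the same symptom with correct SPNs: Internet Explorer only attempts Kerberos for sites it places in the Local intranet zone, and a host name that resolves through a CNAME may be looked up under the canonical name rather than the alias, so the SPN must exist for the name the browser actually uses.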

Adding a new Server 2012 DC to an existing 2003 forest

The prerequisites check fails. Here is the content of the log file. Please help me fix it.

[2012/12/27:16:27:25.535]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20121227162725-test\ADPrep.log'
[2012/12/27:16:27:25.535]
Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.
[2012/12/27:16:27:25.545]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.545]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.545]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.546]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.546]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.546]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.548]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.548]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.548]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.548]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.555]
Adprep discovered the schema FSMO: AD01.NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.559]
Adprep connected to the schema FSMO: AD01.NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.559]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.559]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.559]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2012/12/27:16:27:25.559]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.560]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.560]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.560]
LDAP API ldap_search_ext_s finished, return code is 0x0 
[2012/12/27:16:27:25.560]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.560]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.560]
Adprep does not find the tokenGroups attribute on the RootDSE object of the Active Directory Domain Controller. This attribute is not avaliable on Windows Server 2003 or lower version of Windows. Adprep will try to obtain token groups from the User object.
[2012/12/27:16:27:25.560]
The parameters /userdomain and /user are not specified. Using current logon user's domain ...
[2012/12/27:16:27:25.560]
The current logon user's domain is NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.561]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.561]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.561]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.562]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.562]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Benjamin Green,OU=IT,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.563]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.569]
Adprep discovered the Infrastructure FSMO: AD01.NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.572]
Adprep connected to the Infrastructure FSMO: AD01.NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.572]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.572]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.572]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2012/12/27:16:27:25.572]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.573]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.573]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.573]
LDAP API ldap_search_ext_s finished, return code is 0x0 
[2012/12/27:16:27:25.573]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.573]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.574]
Adprep does not find the tokenGroups attribute on the RootDSE object of the Active Directory Domain Controller. This attribute is not avaliable on Windows Server 2003 or lower version of Windows. Adprep will try to obtain token groups from the User object.
[2012/12/27:16:27:25.574]
The parameters /userdomain and /user are not specified. Using current logon user's domain ...
[2012/12/27:16:27:25.574]
The current logon user's domain is NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.574]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.575]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.575]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.575]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.575]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Benjamin Green,OU=IT,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.576]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.591]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.592]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.592]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2012/12/27:16:27:25.592]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=UID,CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.592]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.592]
Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix Q293783 for SFU has been applied.
[2012/12/27:16:27:25.611]
Adprep could not retrieve data from the server AD01.NJ01.IMSTRANSPORT.COM through Windows Managment Instrumentation (WMI).

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20121227162725-test directory for possible cause of failure.
[2012/12/27:16:27:25.611]
Adprep encountered a Win32 error. 

Error code: 0x5 Error message: Access is denied.


DSID Info:
DSID: 0x1810012a
HRESULT = 0x80070005
NT BUILD: 9200
NT BUILD: 16384

[2012/12/27:16:27:25.611]
Adprep failed while performing Exchange schema check.

[Status/Consequence]

The Active Directory Domain Services schema is not upgraded.

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20121227162725-test directory for possible cause of failure.
[2012/12/27:16:27:25.611]
Adprep encountered a Win32 error. 

Error code: 0x5 Error message: Access is denied.


DSID Info:
DSID: 0x1810012a
HRESULT = 0x80070005
NT BUILD: 9200
NT BUILD: 16384


DNS Authentication Issue

I had a Windows Server 2003 SP1 Domain Controller on our domain and it was listed on many member servers as the primary DNS server. These same servers also had one of our other domain controllers listed as the secondary DNS server that is a Windows Server 2008 R2 SP1 domain controller.

I removed the Windows Server 2003 domain controller and replaced it with the Windows 2008 R2 domain controller. The issue I had is that when the 2003 server was decommissioned, a few of the other member servers never started using the secondary DNS server for resolution (the majority of them did). I had to go to those servers and change the primary DNS server entry to another DNS server to resolve this issue until I had the new Windows Server 2008 domain controller up and running.

My question is this. Why did these servers never attempt to use the secondary DNS server?

Any help with this would be greatly appreciated.


Leonard Hoffman

How to create two domains with two servers on one physical network with Windows Server 2008 Standard

I have two new HP servers and 20 clients, all connected to a 24-port gigabit switch. I have already configured one of the servers with the domain name user1. Now I want to configure the second server with a different domain name, user2. Someone told me that I can only configure the second server as a child domain under the same forest. My intention is to configure the second server as a NEW DOMAIN that does not have any connection WITH THE FIRST SERVER. Can someone advise how to do it?

Group membership calculation slow?

We have Citrix servers where we publish an application that we grant access to users, and they can launch and run it.

If, instead of granting access to users individually, we grant access to groups or nested groups a user is a member of, the users do not get access immediately.

I am not even sure when a user who is a member of the group or nested group will get access to the application (I never wait to find that out).

So whenever a user says they are a member of the group but can't access the application, I add them individually in the application as a user and they can work.

How long does it take an application that is published through Citrix to calculate the group membership for a user?

What does it depend on? Can I force it to calculate quickly so that I don't have to add users individually?
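Group membership reaches an application through the user's access token, which is built at logon from the DC's computed nested membership (the tokenGroups attribute) and does not change until the user logs on again. The script below is an added example, not from the original post: it asks a DC for the fully expanded membership of one user right now and compares it with the direct memberOf list, so the result can be set against what `whoami /groups` shows in the user's running session. The account name is a placeholder.

```powershell
# Added example (not from the original post): compute the groups a user carries in
# a fresh logon token (tokenGroups = nested membership fully expanded by the DC)
# and compare with the direct memberOf list. Account name is assumed.
$sam = "jdoe"   # assumed

$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$sam))"
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "memberOf"))
$user = $searcher.FindOne()
if (-not $user) { throw "user $sam not found" }

# tokenGroups is a constructed attribute: the DC computes it on request for this object
$entry = $user.GetDirectoryEntry()
$entry.RefreshCache(@("tokenGroups"))

$tokenGroups = foreach ($bytes in $entry.Properties["tokenGroups"]) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# Direct memberships only (primary group and nesting are not in memberOf)
$direct = @($user.Properties["memberof"]) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }

"Direct groups : $($direct.Count)"
"Token groups  : $($tokenGroups.Count) (nested, as a DC would build the token now)"
$tokenGroups | Sort-Object

# The session the user is actually running holds the token built at its logon;
# compare on the Citrix server with:  whoami /groups
```

If the group appears in the tokenGroups output but not in `whoami /groups` for the user's session, the membership is correct in AD and the user simply needs a new logon (and a Citrix session started after it); if it is missing from tokenGroups on the DC the Citrix server authenticates against, the change has not replicated there yet.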

Determine how Password is reset?


Is it possible to determine whether a user's password was set by the end user OR whether it was set by an administrator through Active Directory Users and Computers?

I am trying to target users with a "force password reset at next logon", but I only want to target those users who have not reset their password since the last administrative password set.

thanks
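The pwdLastSet attribute records when the password changed but not who changed it; that distinction is only in the Security log, where a user changing their own password is event 4723 and an administrator resetting it is event 4724 (Audit User Account Management must be enabled). The script below is an added example, not from the original post: it collects both events from every DC (the event is written on whichever DC handled the request), finds the latest administrative reset per account, and flags accounts whose pwdLastSet has not moved since then. The time window is a placeholder.

```powershell
# Added example (not from the original post): find users whose password was last
# set by an administrator (event 4724) and not changed by themselves afterwards.
# Requires the ActiveDirectory module and success auditing of User Account Management.
Import-Module ActiveDirectory
$days = 90   # assumed window; events older than the log retention are invisible
$dcs  = (Get-ADDomainController -Filter *).HostName

# Audit events are written on whichever DC handled the request, so query all of them
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = "Security"; Id = 4723, 4724; StartTime = (Get-Date).AddDays(-$days)
    }
}

# Target = account whose password was touched; Subject = who did it
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $f = @{}
    foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id                 # 4724 = admin reset, 4723 = user change
        Target  = $f["TargetUserName"]
        Subject = $f["SubjectUserName"]
    }
}

$records | Where-Object { $_.Id -eq 4724 } | Group-Object Target | ForEach-Object {
    $last = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
    $u = Get-ADUser $_.Name -Properties pwdLastSet -ErrorAction SilentlyContinue
    if ($u) {
        # pwdLastSet is 0 when "must change at next logon" is already set; that maps to 1601
        $set = [datetime]::FromFileTime($u.pwdLastSet)
        [pscustomobject]@{
            User           = $_.Name
            LastAdminReset = $last.Time
            ResetBy        = $last.Subject
            PwdLastSet     = $set
            NeedsForce     = ($set -le $last.Time.AddMinutes(1))   # no user change after the reset
        }
    }
}
# To act on the result:  Set-ADUser <user> -ChangePasswordAtLogon $true
```

Accounts reset before the oldest retained Security event will not appear at all, so this answers the question only for the retention window; outside it, pwdLastSet alone cannot tell an administrative set from a user change.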

Hardware failure two days ago and now multiple DC issues after restart


Hi,

We had a motherboard failure on our primary DC server the night before last (SLSODOMAIN); the secondary stayed up the whole time (SLSODOMAIN3). We replaced the motherboard yesterday and got the server back up. But dcdiag is still showing a number of issues, and I'm not sure where to begin. There is no SYSVOL share on the server that went down, and it appears not to be accepting binds from the backup DC.

When writing code, you always start by correcting the first error, and the ones underneath tend to fix themselves. Not sure if that is true in the DC world as well.

The dcdiag output from the server that went down for a day only fails one test, FRSEVENT, saying errors occurred in the last 24 hours and that failing SYSVOL replication can cause GP issues.

Below is my dcdiag output from the backup DC. I apologize for not knowing more about this stuff, and any help would be greatly appreciated.

Performing initial setup:

   Trying to find home server...

   Home Server = SLSODomain3

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\SLSODOMAIN3

      Starting test: Connectivity

         ......................... SLSODOMAIN3 passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\SLSODOMAIN3

      Starting test: Advertising

         ......................... SLSODOMAIN3 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... SLSODOMAIN3 passed test FrsEvent

      Starting test: DFSREvent

         ......................... SLSODOMAIN3 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... SLSODOMAIN3 passed test SysVolCheck

      Starting test: KccEvent

         ......................... SLSODOMAIN3 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [SLSODOMAIN] DsBindWithSpnEx() failed with error -2146893022,

         The target principal name is incorrect..
         Warning: SLSODOMAIN is the Schema Owner, but is not responding to DS

         RPC Bind.

         [SLSODOMAIN] LDAP bind failed with error 8341,

         A directory service error has occurred..
         Warning: SLSODOMAIN is the Schema Owner, but is not responding to LDAP

         Bind.

         Warning: SLSODOMAIN is the Domain Owner, but is not responding to DS

         RPC Bind.

         Warning: SLSODOMAIN is the Domain Owner, but is not responding to LDAP

         Bind.

         Warning: SLSODOMAIN is the PDC Owner, but is not responding to DS RPC

         Bind.

         Warning: SLSODOMAIN is the PDC Owner, but is not responding to LDAP

         Bind.

         ......................... SLSODOMAIN3 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... SLSODOMAIN3 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... SLSODOMAIN3 passed test NCSecDesc

      Starting test: NetLogons

         ......................... SLSODOMAIN3 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... SLSODOMAIN3 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: DC=ForestDnsZones,DC=slso,DC=music

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.



            The failure occurred at 2012-12-28 10:58:14.

            The last success occurred at 2012-12-25 23:58:03.

            59 failures have occurred since the last success.

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: DC=DomainDnsZones,DC=slso,DC=music

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.



            The failure occurred at 2012-12-28 10:58:14.

            The last success occurred at 2012-12-25 23:58:03.

            59 failures have occurred since the last success.

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: CN=Schema,CN=Configuration,DC=slso,DC=music

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-12-28 10:58:14.

            The last success occurred at 2012-12-25 23:58:03.

            59 failures have occurred since the last success.

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: CN=Configuration,DC=slso,DC=music

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-12-28 10:58:14.

            The last success occurred at 2012-12-25 23:58:03.

            63 failures have occurred since the last success.

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: DC=slso,DC=music

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-12-28 11:23:43.

            The last success occurred at 2012-12-26 00:32:29.

            1082 failures have occurred since the last success.

         ......................... SLSODOMAIN3 failed test Replications

      Starting test: RidManager

         ......................... SLSODOMAIN3 passed test RidManager

      Starting test: Services

         ......................... SLSODOMAIN3 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x40000004

            Time Generated: 12/28/2012   10:51:08

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server slsodomain$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/1fb9c9bf-8540-40ba-8c92-03f911ddfc20/slso.music@slso.music. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SLSO.MUSIC) is different from the client domain (SLSO.MUSIC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 12/28/2012   11:09:29

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server slsodomain$. The target name used was LDAP/1fb9c9bf-8540-40ba-8c92-03f911ddfc20._msdcs.slso.music. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SLSO.MUSIC) is different from the client domain (SLSO.MUSIC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 12/28/2012   11:09:29

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server slsodomain$. The target name used was ldap/slsodomain.slso.music. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SLSO.MUSIC) is different from the client domain (SLSO.MUSIC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 12/28/2012   11:14:54

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server slsodomain$. The target name used was SLSO\SLSODOMAIN$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SLSO.MUSIC) is different from the client domain (SLSO.MUSIC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... SLSODOMAIN3 failed test SystemLog

      Starting test: VerifyReferences

         ......................... SLSODOMAIN3 passed test VerifyReferences



   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : slso

      Starting test: CheckSDRefDom

         ......................... slso passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... slso passed test CrossRefValidation


   Running enterprise tests on : slso.music

      Starting test: LocatorCheck

         ......................... slso.music passed test LocatorCheck

      Starting test: Intersite

         ......................... slso.music passed test Intersite

                                                   

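The KRB_AP_ERR_MODIFIED event above tells the reader what to look for (an SPN registered on the wrong account, or on more than one account) but not how to find it. The following is an added example, not part of the poster's dcdiag output, that answers both questions from the domain: which accounts hold a given SPN, and which SPNs in the domain have more than one holder. It assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later); the SPN queried in the usage line is an assumed HOST SPN for the DC named in the event, not a value taken from the page.

```powershell
# Added example: locate the account(s) holding an SPN and list duplicate SPNs.
# Assumes the ActiveDirectory module (RSAT / Server 2008 R2+). PowerShell 2.0 syntax.
Import-Module ActiveDirectory

function Get-SpnHolders {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # Any object class can carry servicePrincipalName (computer, user, MSA), so search
    # objects, not just computers. Escape LDAP filter metacharacters in the SPN first.
    $escaped = $Spn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Find-DuplicateSpns {
    # Expand every (SPN, holder) pair in the domain and keep SPNs with more than one holder.
    # Each hit is a candidate cause for KRB_AP_ERR_MODIFIED: the KDC may encrypt the ticket
    # with the key of an account other than the one the target service actually runs as.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
    $pairs = foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            New-Object PSObject -Property @{ SPN = $spn; Holder = $obj.DistinguishedName }
        }
    }
    $pairs | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $holders = $_.Group | ForEach-Object { $_.Holder }
        New-Object PSObject -Property @{ SPN = $_.Name; Holders = ($holders -join '; ') }
    }
}

# Usage. The event names the target as SLSO\SLSODOMAIN$; the HOST SPN below is an
# assumed form of that DC's SPN, substitute the one shown by "setspn -L SLSODOMAIN$".
Get-SpnHolders -Spn 'HOST/slsodomain.slso.music' | Format-Table -AutoSize
Find-DuplicateSpns | Format-Table -AutoSize
```

This checks one domain. Because a ticket can be requested across the forest, a duplicate in another domain produces the same error; `setspn -X -F` performs the forest-wide duplicate check from the command line.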

BIND DNS and Windows 2008 R2


I am in the process of replacing all the Windows 2003 DCs in our Domain with new Windows 2008 R2 servers. The current setup consists of three domain controllers that use BIND for DNS. The existing DCs update their SRV records in DNS dynamically with no errors. This configuration has been in production for more than 5 years with no DNS problems.

After promoting one of the Windows 2008 servers, I started seeing multiple DNS dynamic registration failures (event 5774) on the 2008 server only. There is one event logged for each of the 13 SRV records that netlogon is trying to register. The error value for each event is "Bad DNS packet."

The 2003 DCs are still able to dynamically register with DNS and BIND is configured to allow dynamic updates from the new 2008 DC. 

The strange thing is that when I check the DNS server zone files the new 2008 DC is correctly registered in DNS.  Also replication works with no errors.  The only errors I see in the event log are the 5774 errors.

The BIND server is set to accept non secure updates from only the three old DCs and the three new DCs.  Does Windows 2008 only register DNS with DNS servers that only accept secure updates?

Since the DNS records are registered correctly, can I ignore the 5774 errors, or is there something else that I should look at?

Thanks for any help
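The poster is judging the 5774 events by eyeballing the BIND zone files. The following is an added example, not part of the original post, that does the comparison mechanically: it reads the records netlogon intends to register from the DC's own netlogon.dns file and queries the BIND server for each SRV record, reporting which ones are actually present with the expected target and port. It assumes Resolve-DnsName (the DnsClient module, Windows 8 / Server 2012 or later, so run it from an up-to-date admin workstation rather than the 2008 R2 DC itself) and read access to the DC's admin share; the DC and BIND server names are hypothetical.

```powershell
# Added example: check every SRV record in netlogon.dns against the BIND server.
# Assumes Resolve-DnsName (DnsClient module) and access to \\<dc>\admin$. Names are hypothetical.
param(
    [string]$DomainController = 'dc2008.example.com',   # hypothetical new 2008 R2 DC
    [string]$DnsServer        = '10.0.0.53'              # hypothetical BIND server
)

function Get-NetlogonSrvRecords {
    param([string]$Path)
    # netlogon.dns lines look like:
    #   _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2008.example.com.
    # fields: 0=owner 1=ttl 2=class 3=type 4=priority 5=weight 6=port 7=target
    Get-Content $Path | ForEach-Object {
        $f = -split $_
        if ($f.Count -ge 8 -and $f[3] -eq 'SRV') {
            New-Object PSObject -Property @{
                Name   = $f[0].TrimEnd('.')
                Port   = [int]$f[6]
                Target = $f[7].TrimEnd('.')
            }
        }
    }
}

function Test-SrvRegistration {
    param($Records, [string]$Server)
    foreach ($r in $Records) {
        # Ask the BIND server directly, not the client's configured resolver.
        $answers = Resolve-DnsName -Name $r.Name -Type SRV -Server $Server -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        # Registered only if an answer names this DC on the expected port; a record that
        # exists but points elsewhere is reported as missing for this DC.
        $match = $answers | Where-Object { $_.NameTarget -eq $r.Target -and $_.Port -eq $r.Port }
        New-Object PSObject -Property @{
            Record     = $r.Name
            Target     = $r.Target
            Registered = [bool]$match
        }
    }
}

$netlogon = "\\$DomainController\admin$\System32\config\netlogon.dns"
$records  = Get-NetlogonSrvRecords -Path $netlogon
Test-SrvRegistration -Records $records -Server $DnsServer |
    Sort-Object Registered, Record | Format-Table Registered, Record, Target -AutoSize
```

The "Registered" column is the fact that matters: if every record from netlogon.dns resolves on the BIND server with this DC as its target, clients can locate the DC regardless of what event 5774 says about the update transaction itself. Any record reported as missing identifies exactly which registration is actually failing, which is more useful than thirteen identical "Bad DNS packet" events.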

How to get the computer of a logged in domain user

How can I get the computer of a logged-in domain user?
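Active Directory does not record which computer a user is logged on to, but the domain controllers do: on a DC, event 4768 (a Kerberos TGT was issued) carries the requesting client's IP address, and event 4624 with logon type 3 carries the name of the workstation that authenticated to the DC. The following is an added example, not part of the original post, that pulls both from one or more DCs' Security logs for a given user. It assumes Windows Server 2008 or later DCs, remote event log access (membership in Event Log Readers or local administrators on the DC), and hypothetical DC and user names.

```powershell
# Added example: find the computers a domain user has recently logged on from,
# by reading 4768 (TGT issued, client IP) and 4624 (logon, workstation name) on the DCs.
# Assumes Server 2008+ DCs and event log read access. Names below are hypothetical.
function Get-UserLogonSources {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [string[]]$DomainController = @('dc1.example.com'),
        [int]$Hours = 24
    )
    $ms = $Hours * 3600 * 1000
    # Filter server-side on event ID, time window and user, instead of pulling the whole log.
    # The XPath string comparison is case-sensitive: use the casing the events show.
    $xpath = "*[System[(EventID=4624 or EventID=4768) and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                DC          = $dc
                EventId     = $_.Id
                User        = $d['TargetUserName']
                Workstation = $d['WorkstationName']   # present on 4624 only
                ClientIp    = $d['IpAddress']         # on 4768 typically "::ffff:10.0.0.21"
                LogonType   = $d['LogonType']         # 4624 only; 3 = network logon to the DC
            }
        }
    }
}

# Usage: query two DCs for the last 24 hours, newest first
Get-UserLogonSources -SamAccountName 'jdoe' -DomainController 'dc1.example.com','dc2.example.com' |
    Sort-Object Time -Descending |
    Format-Table Time, EventId, User, Workstation, ClientIp, LogonType, DC -AutoSize
```

Query every DC the user might authenticate against, since each DC only logs what it served. The 4768 IP address is the more reliable pointer to the interactive logon; a 4624 type 3 entry only shows that some process on that workstation touched the DC (for example SYSVOL access at logon), which is usually, but not always, the user's own session.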

Backward Compatibility of Domain Functional Level 2008 R2?


All of our domain controllers are Server 2008, but the domain functional level is 2003.

We would like to upgrade all the domain controllers to 2008 R2 and also upgrade the domain functional level to 2008 R2.

We see no reason why we would ever add any new domain controllers in the future that are not 2008 R2, so that is not a reason to not upgrade.  

However, if it causes problems with any of the company's line of business apps (some of which are very old, from before 2003), we might have to revert back to the 2003 domain functional level.

If the issue was not noticed immediately, it would be a big mess to attempt to restore AD from backup.

Are there any kind of features/configuration/schema that any kind of application could be relying on the AD being at an older domain functional level?

Is there any way to test for this in advance of changing the domain functional level?

ADModify.net tool. Where can I find it?

Hello,
I want to make bulk changes to users in AD through the ADModify.net tool, but I can't find this tool anywhere!
Can someone point me to the right direction on where to download this tool?

Thanks

Domain Rename: Cleaning Up After


I have just completed a domain rename operation on a Windows Server 2003 R2 domain that apparently came down smoothly, without errors and with everything working at the end. Quick background: This domain has two DCs and a bunch of XP SP3 client members. Nothing else. No other server members (other than the Control Station server that I created and added to the domain for the purpose of running rendom). No Exchange, no Internet (i.e., no visibility to anything outside the domain). Simple. After renaming the domain, I renamed the two servers, and also changed the IP addresses of every system (including all members) in the domain. Everything (DFS, AD, Group Policies, everything) works. Apparently. As far as I can tell... so far.

But I am bothered by the DNS structure and my clients (Windows XP members) are bothered by their default directory name. In DNS, I see entries for both the old domain name and the new domain name, and even though I set the new domain name to be primary via netdom, the old domain name records "appear to me" to be "in control".

Under Forward Lookup Zone for .(root) -> local, I have a folder for 'old_domain_name' that contains two Host(A) records, one for each DC -and- I have a folder for 'new_domain_name' that contains a Name Server (NS) record pointing back to 'computername.old_domain_name.local'. So this looks to me like 'new_domain_name' is just an alias or a pseudonym for old_domain_name. I sort of expected that after completing this procedure and cleaning up everything, old_domain_name would no longer appear in DNS. The way things look to me suggests that if I did (and if I could) delete or remove DNS entries referencing old_domain_name, everything would break (because new_domain_name depends on old_domain_name for its definition). Apparently.

But wait. Maybe not. Moving on down the tree, I have Forward Lookup Zone entries for old_domain_name.local and new_domain_name.local and _msdcs.old_domain_name.local and _msdcs.new_domain_name.local, and the entries associated with new_domain_name appear to be fully-populated, while the old_domain_name entries are not. But there are still entries scattered throughout the tree that refer to old_domain_name.

So my question here is: Is this a problem, and would everything break if I tried to delete all the DNS records that are defined in terms of old_domain_name?

It might help here for me to add -- in case you were wondering why we changed everything, including the IP addresses of every system in the domain -- all of this operation is in preparation for a new domain, currently bearing the same names and IP addresses and structure as old_domain_name ... to join the forest.  In other words, we have two identically configured domains, each standing alone with no knowledge of each other or anything else in the world ... and we need to join them together as two DIFFERENT domains in the SAME FOREST. So ONE of the domains has to change its name, the names of its DCs, and all of its IP addresses. And my domain is the lucky one that gets to change.

So... it is my assumption that in MY domain, I need to get rid of all remnants and vestiges of old_domain_name, as well as its computernames and IP addresses. Before we join our two extant domains at the hip in a common forest. So on this basis, I think the remnants of old_domain_name in my current domain could be a problem. Down the road and around the next corner.

The other name problem -- and this is (I think) a completely separate problem and a problem in name only -- is that my Windows XP client members, all of which are well-aware of the new domain name, still associate with each computer user a default directory of the form

C:\Documents and Settings\<username>.old_domain_name

Is there a way to change this to C:\Documents and Settings\<username>.new_domain_name ??  Maybe just rename the directory and watch everything break? I think that this is just a name issue, not a functionality issue, but my users are picky. I'm less worried about this than about the remnants of old_domain_name in my DNS.

Any suggestions about either of these "clean up" issues will be greatly appreciated !!


Chris
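Before deleting anything, the useful first step is a complete inventory of which records, in which zones, still mention the old domain name, either as the record owner or in the record data (the NS record under new_domain_name that points back at computername.old_domain_name.local is exactly the kind of dependency that is easy to miss by browsing the console). The following is an added example, not part of the original post, that produces that inventory from the DNS server's WMI provider (root\MicrosoftDNS), which exists on Windows Server 2003 as well as later versions. The server and domain names are hypothetical placeholders in the post's own old_domain_name / new_domain_name style.

```powershell
# Added example: inventory every DNS record whose owner name or data still references
# the old domain name, across all zones on the server. Uses the MicrosoftDNS WMI provider
# (available on Server 2003 and later). Read-only: nothing is deleted. Names are hypothetical.
function Find-StaleDomainRecords {
    param(
        [Parameter(Mandatory=$true)][string]$DnsServer,   # a DC running the DNS role
        [Parameter(Mandatory=$true)][string]$OldDomain    # e.g. 'old_domain_name.local'
    )
    $pattern = [regex]::Escape($OldDomain)
    # MicrosoftDNS_ResourceRecord enumerates every record of every zone as a typed
    # subclass (MicrosoftDNS_NSType, MicrosoftDNS_SRVType, MicrosoftDNS_AType, ...).
    Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
                  -Class MicrosoftDNS_ResourceRecord |
      Where-Object { $_.OwnerName -match $pattern -or $_.RecordData -match $pattern } |
      ForEach-Object {
          New-Object PSObject -Property @{
              Zone  = $_.ContainerName                                   # zone the record lives in
              Type  = $_.__CLASS -replace '^MicrosoftDNS_(\w+)Type$', '$1'
              Owner = $_.OwnerName
              Data  = $_.RecordData                                      # target for NS/SRV/CNAME, IP for A
          }
      }
}

# Usage: run against one DC; AD-integrated zones replicate, standard zones are per server
Find-StaleDomainRecords -DnsServer 'dc1.new_domain_name.local' -OldDomain 'old_domain_name.local' |
    Sort-Object Zone, Type, Owner | Format-Table Zone, Type, Owner, Data -AutoSize
```

Read the output in two groups. Records owned under the old zone names (old_domain_name.local, _msdcs.old_domain_name.local, the old_domain_name folder under the root zone) are leftovers of the old namespace. Records owned under the new zone names whose Data still points at an old-domain host (NS, SRV or CNAME targets) are live dependencies: those need to be re-pointed at the new names, not just deleted, before the old zones go.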
