Channel: Directory Services forum

When Changing Password in AD, AD is Returning the Error “The remote procedure call failed and did not execute. (Exception from HRESULT: 0x800706BF)”


Our Application (Oracle) is sending a batch of password resets to the AD via a Gateway machine connected to the AD Domain, and we are getting the error "The remote procedure call failed and did not execute. (Exception from HRESULT: 0x800706BF)" for some password resets. The occurrences of the error are irregular and happen to different random users. When we repeat the password reset operation for the same batch of users, they are processed successfully.


For one batch of 200 to 300 password resets that we submit, there could be about 20 such RPC errors. So far we are sending about 300 batches a day, and almost 80% of those batches will encounter such errors.


We have checked with Oracle on the application side, and Oracle has replied that this exception is from the AD and not from the Oracle Application or the Gateway software. The Gateway software relies on the .NET functionality to contact the AD Domain Controller and execute functions there via Remote Procedure Calls, which has failed, resulting in the error. Oracle also pointed out that it can be a load problem, and pointed us to a Microsoft Support article, http://support.microsoft.com/kb/960007/en-us . But the Windows Server version in the article is Windows Server 2003, while ours are using Windows Server 2008 (AD and Gateway machines). Is the Support Article still applicable to us? Or are there any settings within AD related to RPC connections that we can explore?


Another related observation is that when we rebooted the AD servers in our testing environment, the Application never encountered the above-mentioned error anymore, even when we pumped in a heavy load of password resets. Based on the observation above, we went ahead and rebooted the Production AD Servers. The Production Application managed to carry out the password resets without any errors for a period of time (approximately 15 hours with the calls spread out unevenly). But the errors came back after we restarted the service of the Gateway software. We tried to replicate this issue in our testing environment with the restarting of the Gateway software service but are unable to do so. 


Critical event from AD - Event 4015 followed by some 4004 - Windows Server 2003 SP2


Hi all

Since the last reboot, I have one critical event 4015 followed by some critical events 4004 in the DNS server event viewer. I use Windows Server 2003 SP2.

I do not understand why. It seems that Active Directory is not working well, but I do not know why: users are able to connect to the domain without problem. Only one other server cannot access the domain.

Could someone point me to some reports in order to solve this?

Thank you in advance

Domain failure after active directory restore


Active Directory and Domain are not working after rebuild of server.

Background:
Windows 2003 Standard - single controller in domain - hard drive failed and replaced
Reloaded Windows, then loaded Backup Exec and restored the System State
After restore fixed the DNS to look to the server.  Setup DNS server to resolve.  All PCs look to the server.

The domain is not working:
nltest /dsgetdc: /pdc /force /avoidself --- gives:  DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Convert External Trust to Forest level trust

What is the correct procedure for converting the external trust to a forest level trust?  Will I need to reset user rights between the domains or will they be restored when the trust is reestablished?

Exchange Server 2007 Information Store service doesn't start after DC demote


Hi,

Recently in my company we installed 2 new 2008 DCs. We migrated the FSMO roles from the old domain controller to the new one, and the operation was successful.

Today I demoted one of the old DCs running Windows 2003 and shut it down.

After that, the Information Store in our Exchange 2007 can't start.

My first check was to change the Exchange organisation to point to the new 2008 DC that has the FSMO roles, but nothing changed.

Any ideas?

No SYSVOL_DFSR on newly added Domain Controller


Hi,

Have a W2012 Domain in which sysvol replication has been migrated to SYSVOL DFSR replication a long time ago (in W2008-R2) and worked well.

I now added a new domain controller (W2012) and there is no SYSVOL_DFSR folder but a SYSVOL folder on this new DC. The new DC tries to replicate using NTFRS and tries to access the SYSVOL folder on the other DCs (which does not exist). DFSRMIG.exe correctly reports being in the "eliminated (3)" state.

Every other AD partition replicate fine (AFAIK).

Is there something to do about this? Is this normal behavior?

Thanks.


Thomas.

_kerberos records are gone for some domain controllers


I got Kerberos errors "record not found", so I started poking around and I realized that the _kerberos and _ldap records of four domain controllers were gone. I am just left with only one record in the _msdcs/dc/_tcp container.

1. What could be the cause?

2. How can I populate these records without causing further issues?

3. How do I prevent it from happening again?

Thanks!


Alert from TechNet Posting

AD Replication Partners - some missing?


I have recently begun an AD upgrade from 2003 to 2008R2. So far, the schema has been upgraded to 2008R2 and a new 2008R2 domain controller (GC and DNS) has been introduced. 3 other DCs are still running 2003 Server (all are GCs and DNS servers). I have ensured all of them have each other listed in their TCP/IP DNS settings.

All of these DCs are in the same site and same subnet (AD sites/services does have the subnet listed). DNS resolution forward/reverse is working correctly for all 4 of these DCs. Replication is working correctly, Exchange 2010 sees all 4, etc.

We are testing all applications/services for a few days before proceeding with moving of roles and replacing 2003 DCs with 2008R2 DCs.

My question is regarding replication partners. When I run the AD Replication Status Tool (or even repadmin /showreps), I notice that each DC seems to only have 2 of the remaining 3 DCs listed as its outbound replication partners. Should each DC not have all 3 of the others used as partners? I am assuming that the KCC knows what it is doing, but why would this be the case if the controllers are all in the same site/subnet?

In the AD Replication Status Tool I see (where DC1 is the new 2008R2 DC):

Dest    Src
DC1     DC3, DC4
DC2     DC4, DC4
DC3     DC1, DC2
DC4     DC1, DC2

I am not sure if there is any action I need to take (like manually adding replication partners?)

Any advice would be appreciated.



ADFS SSL Certificates


I am trying to setup a SSO solution using Active Directory Federation Services 2.0, and I am having trouble with the security certificates.

I have my ADFS server and my ADFS proxy server running on Server 2008 R2.

Obviously I have to have an SSL certificate for each server, but the directions are a bit confusing. Listed in some of the tutorials it says this when referring to the certificates on the proxy server:

"This certificate must have the same subject name as the SSL certificate configured on the federation server in the corporate network. Recommendation: Use the same server authentication certificate as is configured on the federation server that this federation server proxy will connect to."

So both of my servers are going to have certificates with the same name? I was thinking that my ADFS server would have one for its name (adfs.whatever.com) and the proxy server would have one for its name (adfsproxy.whatever.com). Would I generate two certificates saying that each server is adfs.whatever.com?

Domain Trust and User Permissions


My organization is split up into two domains, a corporate domain (example.net) and a domain for external resources (example.biz) with a one-way transitive forest trust allowing .net users to authenticate in the .biz domain.  We have installed Team Foundation Server 2012 within the example.biz domain with the intent that our corporate users can access this resource and so we can provide external users access to this same resource without allowing them to gain entry into the corporate network.

The problem that we are facing is that when searching the directory for a user to grant access to either a file (security permissions) or group membership (i.e. Team Foundation Administrators in TFS2012) on a member server, during the "check names" lookup the users from the example.net domain are not found. I noticed that on our primary Domain Controller for our example.biz domain this is not a problem: you can add the .net users to groups on the Domain Controller, and those groups can be used on any member servers within the example.biz domain. However, this is far from the granular permissions level that we need.

A poor example of this would be setting permissions for a file;

  • On the example.biz Domain Controller you can create a group called "ExampleDotNet Users", use the lookup and add users from the example.net domain into this security group.
  • On the example.biz Member Server, within a file's security permissions you could grant access to the "ExampleDotNet Users" group and it will work as expected; however, if you try to grant access to sally@example.net the lookup will fail to locate the user.

Is this a standard behavior of the type of trust that we have setup and I am just misunderstanding or should we be allowed to grant our example.net users explicit permissions?  Any assistance would be greatly appreciated.

2003 to 2008 forest trust verify in only one direction - but seems to work anyway?


I recently set up a forest trust between an existing 2003 forest and a new 2008 forest. The new 2008 side has two domain controllers/DNS servers, and each side has an AD-integrated stub zone pointing to the opposite side's DNS server. I thought this may be easier than conditional forwarding but could easily change this. The trust is in place and seems to be working for the purposes of ADMT. We can migrate objects, and SID History does come across to the new domain. There were some recent troubles with migrated users on migrated workstations accessing non-migrated resources. I am still in the process of troubleshooting this, and the first thing I came across is this:

C:\Users\administrator>netdom trust trustingdomain.fqdn /d:trusteddomain.fqdn /verify
The attempt to do a group look up on domain controller \\DC.trustingdomain.fqdn
for the Domain Admins group of trusting domain
trustingdomain.fqdn failed with the following error:

Access is denied.

The attempt to do a group look up on domain controller \\DC.trusteddomain.fqdn
for the Domain Admins group of trusting domain
trusteddomain.fqdn failed with the following error:

Access is denied.

The command failed to complete successfully.



This only happens when run from the new 2008 forest. When run on the other forest, the trust verifies as expected. I am using some test accounts and I appear to still have access to resources through the SID History attribute. Is there any chance that this is causing a part of my issue?

Query using AD Module Timed Out


Hi all,

Most of us are aware of the two-minute timeout for queries using the AD Module in PS. And this timeout is unchangeable.

However sometimes a time consuming query is unavoidable.  Imagine this scenario:

There are 500,000 users in one OU, in which all accounts except maybe two dozen have an account expiry date. My task is to find those out and put an expiry date on them. My code is like this:

Get-ADUser -SearchBase:'OU=MyOU,DC=MyDomain,DC=COM' -ResultPageSize:10 -ResultSetSize:$null -LDAPFilter:"(|(accountExpires=9223372036854775807)(accountExpires=0))" | Set-ADUser -AccountExpirationDate:$date

However it just keeps timing out:

Get-ADUser : This operation returned because the timeout period expired
At line:1 char:11
+ Get-ADUser <<<<  -SearchBase:'OU=MyOU,DC=MyDomain,DC=COM
' -ResultPageSize:10 -ResultSetSize:$null -LDAPFilter:"(|(accountExpires=922337
2036854775807)(accountExpires=0))" | Measure-Object
    + CategoryInfo          : NotSpecified: (:) [Get-ADUser], ADException
    + FullyQualifiedErrorId : This operation returned because the timeout peri
   od expired,Microsoft.ActiveDirectory.Management.Commands.GetADUser

This I understand. The job basically has to scan through thousands of objects with negative results, and it times out well before the first positive is yielded.

So does this mean I can't do this with the AD Module and have to resort to something like SDS?



Thanks.
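As an added example (not code from the original post or any answer to it), this is how the same search can be done with System.DirectoryServices.Protocols (S.DS.P) instead of the AD module: the client-side timeout is set by the caller, and the paged-results control walks the OU one page at a time. The DC name, page size and expiry date are placeholders; the search base and filter are the ones from the post. Note that the DC's own LDAP policy (MaxQueryDuration, 120 seconds by default) still applies per page; if the DC reports timeLimitExceeded, S.DS.P raises a DirectoryOperationException whose Response carries whatever entries and paging cookie came back, which the loop below uses to continue.

```powershell
# Added example: paged LDAP search via S.DS.P with a caller-controlled timeout.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server     = 'dc01.mydomain.com'                  # placeholder DC name
$searchBase = 'OU=MyOU,DC=MyDomain,DC=COM'         # from the original post
$filter     = '(&(objectClass=user)(|(accountExpires=9223372036854775807)(accountExpires=0)))'
$newExpiry  = (Get-Date).AddDays(90)               # placeholder expiry date

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Timeout = [TimeSpan]::FromMinutes(30)        # client-side limit, chosen by us
$conn.Bind()                                       # current user's credentials

$pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
$found = New-Object System.Collections.Generic.List[string]

do {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $searchBase, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('distinguishedName'))
    [void]$req.Controls.Add($pageControl)

    try {
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Server-side limit hit (e.g. timeLimitExceeded): keep the partial response.
        Write-Warning ("DC returned {0}; continuing with partial page" -f $_.Exception.Response.ResultCode)
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$_.Exception.Response
    }

    foreach ($entry in $resp.Entries) { $found.Add($entry.DistinguishedName) }

    # The DC hands back a cookie with each page; an empty cookie means the last page.
    $pageResp = $resp.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $pageControl.Cookie = if ($pageResp) { $pageResp.Cookie } else { [byte[]]@() }
} while ($pageControl.Cookie.Length -gt 0)

# Review the list first; writing the expiry is a separate, auditable step (-WhatIf by default).
"Found $($found.Count) accounts without an expiry date"
$found | ForEach-Object { Set-ADUser -Identity $_ -AccountExpirationDate $newExpiry -WhatIf }
```

Collecting the distinguished names before calling Set-ADUser keeps the long-running read separate from the writes, so a timeout on a later page cannot leave the batch half-applied without a record of which accounts were found.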

Conditional Forwarders in 2008 R2


Hi

I have 10 DCs in my child domain, and in the parent domain I have 3 DCs.

I don't have any DNS in the root domain.

I have all ADDNS in the child domain, and my parent domain DCs are pointing to the child domain ADDNS as the preferred DNS in their TCP/IP properties.

As of now everything is working fine.

But I can see some discrepancies in my child domain ADDNS settings, as follows:

1. DC20, 21, 22, 23 & 24 have the same conditional forwarders updated to each other, and except for these 5 DCs, all the other DCs don't have the same conditional forwarders.

2. DC20, 21, 22, 23 & 24 have the ISP IP address details in the forwarders, but the other remaining DCs have the DC20 and DC21 IP addresses in the forwarders.

Also I have forest-wide zone data replication enabled in the ADDNS.

I want to know why there are discrepancies in the same domain's Active Directory-integrated DNS.

nslookup error


While performing nslookup on a Windows 2008 R2 Core DC, I get the result below.

Can anybody tell me why it's showing this?

Also, the Host A and PTR records are available in ADDNS.

======================


C:\Users\user>nslookup
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.ip6.arpa
        responsible mail addr = (root)
        serial  = 0
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
Default Server:  UnKnown
Address:  ::1

> exit

C:\Users\user>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC2
   Primary Dns Suffix  . . . . . . . : takedapharm.tpna.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Contoso.com
                                      

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-90-73-52
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d034:5bb9:fb0e:24f7%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.250.1
   DHCPv6 IAID . . . . . . . . . . . : 234901590
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-8C-E9-ED-00-50-56-90-73-52

   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.0.20
                                       192.168.0.21
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled



Use of RODC levels.


We have an Active Directory domain that is at functional level "Windows2008Domain", so it is at the Windows Server 2008 functional level.

All of the writable domain controllers are Server 2008R2.

Can we deploy a Server 2008 RODC to one of our remote offices?

We already have the server, it is up and running, but not as an RODC. Although the functional level (or domain mode) is set for 2008, some of the schemas are listing level 47 (Level for Server 2008 R2). Would this possibly cause issues?

The domain was previously Server 2003 functional level, once we dumped the 2003 DC, we upped the Functional Level to 2008, thinking that we could then use the existing Server 2008 machine to be an RODC. We have NOT run adprep /*anything*, but were wondering if we needed to up the OS of the older server system.

Secondary Question: If we cannot do this because of the schema level issue, is then a Server 2012 RODC on a Server 2008 R2 domain then a possibility? Or should we demote one of the 2008 R2 servers to an RODC and then use a new 2012 server as a DC in a 2008 R2 functional domain?

Thank you for your time and answers.


Remove Domain Controller and create new domain


Hello,

I am new to configuring domain controllers.

Here is my current setup.

I have 3 domain controllers on the same domain across 3 different networks. They are all failover and replicated together.

What I want to do is remove one of those domain controllers from the existing domain and create a new domain. What is the best way to do this? Or is there an easier way than removing it completely from the current domain?

Thanks!

AD LDS snapshot - DSAMAIN error


Hi,

I installed a unique AD LDS on a workgroup Windows Server 2008 (x86 as well as R2 x64).

Instance name "instance1", using port 389.

Created an application partition o=test,c=de.

Used the default path for installing AD LDS (c:\program files\microsoft ADAM\Instance1\data).

As service account I chose a local user account "testadlds" (which is a local admin account), because I want to replicate the instance ...

AD LDS Administrator: the currently logged-in user (which is the default administrator).

Added LDIF files: MS-ADLDS-Display-Specifiers.LDF, MS-InetorgPerson.LDF, MS-User.LDF.

Using ADSIEDIT, I created an OrganizationalUnit and 2 users.


Created a snapshot as follows:

Elevated command-prompt:

Dsdbutil

dsdbutil: Snapshot

snapshot: activate instance instance1

Message: successfully activated instance instance1 ….

snapshot: create

snapshot: mount


Snapshot: list mounted - shows me

1: 2009/03/16:20:22 {017b67da-bd38- .....}

2:      c:  {f37af06b-1395-.......}  C:\$SNAP_200903162022_Volumec$\


ServerManager confirmed a successful "VSS snapshot"


Windows Explorer allows me to browse to adamntds.dit:

C:\$SNAP_200903162022_Volumec$\Program Files\Microsoft ADAM\Instance1\data\


Used the command DSAMAIN in another elevated command prompt:


dsamain -dbpath "C:\$SNAP_200903162022_Volumec$\Program Files\Microsoft ADAM\Instance1\data\adamntds.dit" -ldapPort 60000


RESULT:
EVENTLOG <ERROR>: NTDS General / Internal Processing : 1003
Active Directory Domain Services could not be initialized.
The directory service cannot recover from this error




User Action
restore the local directory service from backup media.
Additional Data
Error value:
-1032 JET_errFileAccessDenied, Cannot access file, the file is locked or in 
use
EVENTLOG <Informational>: NTDS General / Service ControL : 1004
Active Directory Domain Services was shut down successfully.  "

No matter if I quit "dsdbutil" beforehand or not, or if I stop the service Instance1 or not (I also tried to use "-dbpath C:\$SNAP_200903162022_Volumec$\Windwows"), I always get the same error message.

What is wrong?

I need urgent help and a solution would be very much appreciated.

Thanks in advance

Edith Hochreiter

Migrating DFS to New Forest


I'm helping a client migrate their DFS infrastructure to a new forest.  We're using ADMT 3.2, but this utility does not support migration of DFS namespaces.  What tool or process would you recommend for moving DFS and associated permissions to the new forest?

Current Forest:  Server 2003 functional level

New Forest:  Server 2008 R2 functional level

Thanks!


MCITP Windows 7 MCTS Windows Server 2008

PCI scan on Windows 2008 R2 Domain controller - giving "LDAP Anonymous Directory Access Permitted"



"The Lightweight Directory Access Protocol (LDAP) can be used to provide information about users, groups, etc.
The LDAP service on this system allows anonymous connections. Access to this information by malicious users may assist them in launching further attacks."

please help me on this issue.

Regards,

Ananda

Hiding User Objects


I'm setting up RBAC and need to hide an OU and its contents... simple, eh?

I've done the usual stuff that you need to do, checked the access, and the users (as designed) cannot see or browse the OU. Perfect, you'd think... however, I've noticed a quirk and was wondering whether I've done something wrong or whether it's a 'feature' of Active Directory.

When you do a search in ADUC or any other 3rd-party utilities etc., the results still return the users from the 'hidden' OU... this wouldn't normally stress me too much, as they have no permissions and cannot amend the user objects; however, the client has expressed a desire to have none of the hidden users shown in the search results.

I've looked through all I can find (even the dSHeuristics attribute), but searches are still returning the 'hidden' users... have I done something wrong? Is there a way to do this in AD (i.e. can you hide the OU and prevent the 'hidden' users from being returned in searches)?

Answers on a postcard to....

FMcFF





