Channel: Directory Services forum

FRS Service Stopped


Dear,

I have three 2008 domain controllers (one PDC and 2 are ADC). The FRS service automatically stopped on all these servers, and when I restarted the FRS service, it generated the error in events "the domain controller is migrated to DFS for Replication of SYSVOL folder".

However, no Sysvol_DFRS folder is created on my domain controllers.

So I am not able to understand whether it is an issue or not.

Second, should I migrate all my other domain controller trees of the same forest to DFSR (is it good, and what is the risk level in doing this)?

Waiting for response,

This is a very active forum where I always get a solution. Thanks to Microsoft and contributors.


Wajahat


Fix Issues with Bad P2V


Hi all,

Recently under duress, I P2V'd a domain controller.  It was my first time doing it and wasn't aware of the potential issues of doing so, and while the end result looks like a virtual version of the original and quacks like it, it also has a number of big issues.  Most pertinently, it thinks it is still a DC, even though the domain doesn't; the original physical box was renamed with the suffix "old" and it is still listed as a domain controller and name server (for DNS).

The problem seems to be that the virtual machine believes, for AD purposes, that it IS the old server; running dcpromo he reports on himself using the hostname of the physical box.  This seems to have resulted in the computer object disappearing from AD, leaving only the old one.

All very problematic, and I think the way forward is to unjoin and rejoin the domain again.  I don't want it to have the roles it thinks it has, so the fact that it's not really a DC anymore is not an issue - my only problem is I've never been in a situation before where I needed to demote a server that thinks it's a DC when it isn't.  Since I assume it will make some query to the domain and probably fail if I try to do this, I'm concerned about the effect this might have on the domain, rather than the server.

Since the old physical server still needs to go through a demotion anyway, would it be enough to simply remove the AD and DNS roles from the virtual machine?  I need to be in a position where I can unjoin and log on with a local account, basically.

Has anyone had such experience?

Event ID 1302 (error 1307) DFS replication service encountered an error while writing to the debug log file


Hello.

We are at step 0 of the migration from FRS to DFSR SYSVOL replication on a Windows 2008R2 DC.

Every time I run DFSRMIG /GETMIGRATIONSTATE in PowerShell it says:

"Unable to create DFSR Migration Log file. Error 1307.

All Domain Controllers have migrated successfully to Global state 'Start'.

Migration has reached a consistent state on all domain Controllers.

Succeeded."

It creates an event ID 1302 in the "DFS Replication" event log, explaining what error 1307 means: "This security ID may not be assigned as the owner of this object".

I already checked the space limits, quotas, permissions on C:\windows\debug according to Microsoft support article but I was unable to fix it.

However, there are new entries added to the DFSR00095.txt log file despite this error. This is the only DFSRXXXX file that has not been archived into .GZ format, and, I believe, it contains all DFSR diagnostics and events.

Here are some of the latest entries:

20150908 08:47:27.867 11616 SYSM  3354 Migration::SysVolMigration::GetSysVolReadyFlag [MIG] Sysvol Is Ready
20150908 08:47:27.867 11616 SYSM   456 Migration::SysvolMigrationTask::Step [MIG] Starting sharing out NTFRS SYSVOL because globalState is 'Start'
20150908 08:47:27.867 11616 CREG  2457 Config::RegWriter::SetSysVolReadyFlag Set key:System\CurrentControlSet\Services\Netlogon\Parameters valueNameSysvolReady value:1
20150908 08:47:27.867 11616 SYSM  1045 Migration::SysVolMigration::Migrate [MIG] Migrate to state 'Start'
20150908 08:47:27.867 11616 SYSM  1056 Migration::SysVolMigration::Migrate [MIG] Begin migrate count:1
20150908 08:47:27.867 11616 SYSM  4836 [WARN] Migration::SysVolMigration::SetLocalStateInLocalAd [MIG] (Ignored) Local Settings does not exist because DC is in START state.
20150908 08:47:27.867 11616 SYSM  1144 Migration::SysVolMigration::Migrate [MIG] Begin migrate: migration to state 'Start' completed
20150908 08:47:27.867 11616 SYSM  4376 Migration::SysVolMigration::DeleteRoMember [MIG] Deleting DFSR member object
20150908 08:47:27.867 11616 SYSM  4396 Migration::SysVolMigration::DeleteRoMember [MIG] Current global state is 'Start



I am hesitant to start Step 1 of the migration until that error is fixed or determined to be benign...  Please, help!

Slava

ADPREP impact


Hi Team,

I have a 2008 R2 DC environment where the domain and forest functional level is 2008.

I plan to install additional domain Win 2012 R2. Before that, we must run the adprep command and change the schema version from 44 to 69.

Is there any impact from this action (adprep) on my existing environment? I will keep the domain and forest functional level at 2008.

I still have old products like SQL 2005 and others.

Please tell me the TechNet link :)

Regards

Can't access the main DC (which has the active directory service running on it) due to the following error: The security database on the server does not have a computer account for this workstation


I have an environment containing 2 physical servers (MS Windows Server 2012). I've been facing many problems with client access to my Exchange server, so I did some investigation and found out that the Active Directory has three other registered servers with Active Directory services, so I deleted those servers and left the main DC (I did this from the main DC itself).

And now I can't access either one of the physical servers (The security database on the server does not have a computer account for this workstation trust relationship).

And I don't know the local user credentials. Please help, this is really urgent! 

How to do LDAP cross-forest search based on GUIDs and SIDs?


Hi,

My LDAP based service involves searching for user information across trusted AD forests. The search operations are based on GUIDs, SIDs, and Names. As I have mentioned already the search has to span across the forests.

E.g. I have two forests, forest1.com and forest2.com. My application talks to the Global Catalog server of forest1.com and needs to look up information of users in both forest1.com and forest2.com.

With LDAP referral handling enabled in my application, I found that lookups using names work. But I could not find a way to successfully look up users using their SIDs or GUIDs.

e.g.

1. My LDAP application is connected to Global Catalog server of forest1.com

2. Have a user in forest2.com with GUID e0361393-bf09-4b39-9d-3d-8b72d78a1621 and SID S-1-5-21-3788342835-698758318-3857666980-500

3. LDAP search using the search filter (objectGUID=e0361393-bf09-4b39-9d-3d-8b72d78a1621) and search scope being entire forest, search doesn't yield any results. Same search works if I directly connect to forest2.com Global Catalog server.

Please let me know if there is a way to achieve my requirement.

Thanks,

Lokesh

Access server by FQDN

Hello

I have 2 DCs (2012R2), both with two network cards, and pointing at each other as the preferred DNS on the network adapter.

However, I experience the following issue:

If I try to access the domain as \\contoso.local, I cannot; it says that it is not available, on any of the workstations as well as on the member servers, such as file servers.

With this I cannot ride the namespace for my file servers to do by replicating a namespace.

Could anyone help me?

laptop win 10 home


The group policy client service failed the sign in. The universal unique identifier (uuid) type is not supported.

When starting I am getting the above-mentioned message.  Any help pls.



Host name: edge.kadasco.com WARNING! Host not found in topology. All roles will be uninstalled.


Hi

Please help me

Host name: edge.*.com
WARNING! Host not found in topology. All roles will be uninstalled.


Best Regards, Mohammad Reza Abdi

Is changing SIDs of domain client computers OK, or will it impact the domain?


Hi,

I am Yogesh Borse. I have a Windows 2008 Server DC in my office, and one month ago we bought 100 laptops. The OS installed on those laptops is Windows 7, deployed through Ghost. Now a new application is being deployed to our environment, and for that we need to install its clients on every domain computer. But those 100 laptops came from a Ghost image and have the same SID, hence the application team suggested changing the SID of all 100 laptops by using the System Preparation tool.

So my question is: after changing the SIDs of the 100 laptops, will it impact the domain?

Please suggest & mail me on yogeshsborse@gmail.com

Thanks

Yogesh Borse

9920380498

   

Config PDC As Not Reliable Time + Config Domain Controller As Reliable Time


Hi

I followed the Microsoft article: https://technet.microsoft.com/en-us/library/cc738042(v=ws.10).aspx

To config the PDC to be not reliable time, as follows: w32tm /config /syncfromflags:domhier /reliable:no /update;net stop/Start w32time .

Config domain controller as reliable time: W32tm /config /reliable:yes /update

After that procedure, all the w32tm /monitor /status /source show the correct config: the PDC syncs time from that DC reliable time,

and of course all the members.

But when I do net time to members and PDC, I got the PDC time and name.

I checked the AnnounceFlags on the PDC and I changed it to 10 from A.

After that, all the members and the PDC show the DC reliable time with the net time command.

My question is: why does the change of the flag solve it?

The PDC is not reliable when I typed: w32tm /config /syncfromflags:domhier /reliable:no /update;

Why do I need to change AnnounceFlags additionally to the prior command?

Thx

kobi


AD Migration & Synchronization


Hi,

I have to synchronize the data between the Business Units of my Company with the central Platform.

At the moment I have a domain at my Business Unit and another domain at the platform.

I have to migrate all the users and computers from the BU to the platform and then install an RODC at the business unit which will have the data of the platform (read only). The only problem is that the users of the business unit are present in the AD local but also on the AD of the platform. In the AD local I have the users and computers but on the AD of the platform I have only the users, that were created because some applications needed this.

My question is: how can I do the migration so that I won't have the users twice? Can I migrate the computers and assign them the users that are already on the AD of the platform? Is there any other solution for this type of migration?

I thought to migrate the domain of the business unit to be in the same domain as the platform's (uninstalling the AD of the BU and then migrating it as a member server for the platform and then reinstalling the AD). The only problem is the users which are already on the platform.

Any help would be appreciated!

How to find details about user disabled by someone?


Hello,

In a domain environment, how can I find who deleted a user? Or disabled? By whom?

Is there any way to learn it?

Regards.


Disable AD users


Hi,

I want a script to auto-disable Active Directory users who have not logged in for some days (90).

Is there any script for that?

Kindly help.

Regards,

Rakesh

NTFRS Error on the disk


Folks,

I encounter a strange error on my HDD:

Log Name:      File Replication Service
Source:        NtFrs
Date:          9/7/2015 14:38:36
Event ID:      13568
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      dcw01.room.com
Description:
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
 
 [1] Volume "\\.\C:" has been formatted.
 [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
 [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
 [4] File Replication Service was not running on this computer for a long time.
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
 
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
 
To change this registry parameter, run regedit.
 
Click on Start, Run and type regedit.
 
Expand HKEY_LOCAL_MACHINE.
Click down the key path:
   "System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
   "Enable Journal Wrap Automatic Restore"
and update the value.
 
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

I've never come across such a type of error and I do see this kind of error quite a lot. Can anyone make me understand what this error is about?

Is my hdd dying? Do advise.


Cheers, Alan.


Can I perform authoritative restore without doing non-authoritative restore?!


Hello everybody,

Can I perform an authoritative restore without doing a non-authoritative restore?! Suppose I have 2 scenarios: in the first I have only one DC, and in the second scenario I have one PDC and some additional DCs. So can I achieve this or not?

Thanks

Regards

Windows Time Service: Differentiation between PDC and reliable time source


Hi,

the TechNet article "How Windows Time Service works" states the following:

  In a Windows Server 2003 forest, the computer that holds the primary domain controller (PDC) emulator operations master
  role, located in the forest root  domain, holds the position of best time source, unless another reliable time source has been
  configured.

I can confirm this - as long as no other DC is configured as reliable time source (with the "w32tm /config /reliable:yes" flag), all other Domain Controllers gain their time from the PDC.

When configuring a DC as reliable time source and performing a "w32tm /resync /rediscover" afterwards on another DC, the DC will gain its time from the reliable time source DC and no longer from the PDC. This corresponds to the fact that the score for a reliable time source is 4 instead of just 1 for the PDC as explained in TechNet.

However, when checking with "w32tm /monitor", the Offset on that DC still corresponds to the PDC and not to the reliable time source.

Is this correct? I thought when a reliable time source is available it is the best time source in the hierarchy. And why else would a reliable time source score better than a PDC? Why is the offset still counted against the PDC? I thought a reliable time source is basically a way to overwrite a PDC as best time source.

Can someone explain the differences between the PDC and a DC configured as reliable time source?

Thanks!

Active directory and Syslog server


Hi all, 

Is there a syslog server for Windows? It will be used to collect data from a Windows XP machine, from Cisco and Netgear routers and from a TRU64 linux server.

Is it possible to install the syslog server and the Active Directory on the same machine?

Thanks.

Help Required to restore Deleted OU


Hi,

I was doing a system state restore on my test DC to restore a deleted OU.

OS: Windows 2008 R2

I have stored the system state backup in a remote share, and from that remote share I am trying to restore the backup. But after restoration the deleted OU is not coming back.

Can anyone help me with this please ?

Replication error Between Two Domains


Dears,

I have two domain controllers installed between two sites. When I run repadmin /replsum, the data collection for the replication summary shows me "operation encountered a database error". I think this issue is related to a corrupted NTDS database; kindly give any advice for a solution. Based on my search I have found it is recommended to see log files for 467 for NTDS corruption. If the NTDS database is corrupted, how can I fix it?

Thanks..
