Channel: Directory Services forum
Viewing all 31638 articles

is IPv6 causing domain controllers between sites communication problems


Good Day,

I have an AD domain (one domain/one forest) with multiple sites. The DCs are Win2008R2SP1 & Win2003R2SP2, and the FSMO roles are on a Win2008 server. The DCs are not replicating well and are logging errors (the following errors are on the Win2008 DCs):

ActiveDirectory_DomainService: 1864 Replication

ActiveDirectory_DomainService: 2088 DS RPC Client

ActiveDirectory_DomainService: 1865 KCC

ActiveDirectory_DomainService: 1311 KCC

ActiveDirectory_DomainService: 1566 KCC

Before I start checking each error in depth, I suspect that IPv6 is causing this issue: when I ping from one DC to another it resolves the IPv6 address and cannot ping it, whereas if I ping the IPv4 address of the same server it replies. Shall I disable IPv6 on all DCs (although this is not recommended by MS)?

Can anyone assist in solving these replication issues?

Regards

Elias Dayeh


How to fix DomainController after manually setting it as DirectAccess client


Hello

I have ActiveDirectory (running AD CS, AD DC and DNS roles) and DirectAccess servers running separately on Windows Server 2008 R2.

When I was troubleshooting my problems when implementing DA, I ran these commands on my ActiveDirectory (Domain Controller) server: http://technet.microsoft.com/en-us/library/ee649267(v=ws.10).aspx (not a smart move I suppose). After this my AD server does not work correctly anymore. I have tried to reverse these settings (removing IPHTTPS interface and so on) but did not succeed in restoring the AD server to its working condition.

Can someone please help me with this?



DCs on VMs and HyperV Host as Members


Hi,

I have two physical servers which will be running Windows 2008 R2 Hyper-V, and I will be hosting one VM on each host.

VM1 on Host1 - VM1 will be configured as the main Domain Controller.

VM2 on Host2 - VM2 will be configured as an additional Domain Controller.

So once I have the domain and Domain Controllers ready I want to join the Hyper-V hosts to the same domain; eventually Host1 and Host2 will also be part of the same domain that is created on the VMs.

Is this setup acceptable and supported? Please suggest.

Note: I will surely disable time sync between the VMs and the host machines.

Regards,

Maqsood


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

Domain Trusts


Hi Sir/Mdm,

I would like to know, for Windows Server 2008, whether I can restrict a domain administrator in the trusted domain from modifying or viewing the domain administrator account in the trusting domain. I would also like to know what the other domain can see in my domain if I were to trust their domain. Is there a way to enforce restrictions on my domain so that they are only allowed to see certain things in my domain? Can I share the folders in my domain with them without trusting their domain, and is there a way to migrate my users in AD without trusting their domain? Please advise.

Server 2008 Enterprise - AD LDS


I have Windows Server 2008 Enterprise R2 x64 SP1 and I'm trying to install AD LDS. I added the role successfully, but when I click on the AD LDS Setup Wizard I get this error:

AD LDS cannot be installed on this version of the Windows operating system

So any help please.

DNS A record 192.168.0.201 keeps changing itself back to 192.168.0.34 in the DNS table


I have a dictation server statically assigned to 192.168.0.201.  I have two clients who routinely connect to this with dictation clients. 

I virtualized the server last week to do some testing and though I thought I had isolated the VM from the network when I booted it up, I'm guessing the virtual machine got on the network and grabbed an IP number of 192.168.0.34.  Upon noticing this I turned the VM off.  The physical server is still running live and I have had the VM off ever since.  

However, when I look at my DNS server the A record for the dictation server is set at 192.168.0.34.  My dictation clients are getting updates from this DNS server and trying to connect to the wrong IP (.34) where there is no computer.  I manually change the DNS entry in AD back to .201, run ipconfig /flushdns on my clients and they connect fine to .201 for the rest of the day.  But the next day when I come back in to the office the A record has been set back to .34 and the clients cannot connect again.  I have three DNS servers in my domain.  How can I find out where these incorrect updates are coming from?  


Active Directory Sites and Services


Hello All,

This is the first time I am playing with Active Directory Sites and Services, so forgive me if this is a stupid question.

I have created two sites.

Site A: (Default first site) with a Windows 2008 DC and an IP range of 192.168.0.0/24

Site B: (Secondary location) with a Windows 2003 DC and an IP range of 192.168.1.0/24

I am trying to set up GPOs that will only apply to PCs in specific sites, e.g. only a PC in Site A gets printer_1 installed. To this end I have created a GPO and linked it to the relevant site in the GPMC.

My question is: how does a PC or DC know which site a PC is in? Does it read the IP address and apply the GPO accordingly, or look at which DC authenticated the device?

Regards

Event ID 1126 after trying to move GC to new server

Hi all,

After adding the Global Catalog server role to my new AD server and removing the GC from my old DC, I can see the following error message in the Directory Services event log:

"Active Directory was unable to establish a connection with the global catalog.

Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200cf3"

None of the clients in my network can logon anymore. That means my problem is really severe and I need help urgently. The situation is as follows.

I migrated our Active Directory domain from Windows 2003 to Windows 2008 R2. I moved all roles to the new server, which worked without problems. DNS was also configured properly. During my tests I found out that I also needed to move the Global Catalog to the new server. So I checked the NTDS properties for the new server in Active Directory Sites and Services and saw that the option "Global Catalog" was already enabled. This was the final step before demoting and removing my old Windows 2003 Domain Controller, so I unchecked "Global Catalog" in the NTDS Settings of my old DC and confirmed the warning message that no new GC was found in the domain (I know now this was a mistake!). I removed the GC role from my old server. Before that I made sure that the new server had become a GC by checking the GC column under the Domain Controllers group in Active Directory Users & Computers.

After disabling the GC checkbox for the old server, both DCs started logging the error messages above.

The DCDiag results showed that the DCs were still advertising but had not become a GC yet. I think the reason for that was an orphaned sub-domain which was removed manually a few months ago.

Re-enabling the GC role for the old server did not help. No user can log in at the moment.

Is there any way to fix the GC role?

Thanks
Martin



DHCP move from 2000 to 2008 VM servers


I would like to move our existing DHCP from 2000 to 2008.

The plan is to build 2x VM 2008 DHCP servers / enable DHCP on the new servers / export the DHCP scopes from both 2000 DHCP servers / import them into 2008 (same 60/40 split).

Turn off the 2000 DHCP servers.

Change the IP addresses of the new 2008 DHCP servers to the IP addresses of the old 2000 DHCP servers.

Do you know of any issues (ARP tables on network switches/routers)? Is there an issue with changing the IP address on the 2008 DHCP servers after importing the scope/database, or anything else?

URGENT, Please help! Need help to clean up AD


Not thinking before I acted, I transferred all FSMO roles to a new DC; the problem was that the old DC was an SBS 2011 server and also had Exchange Server and SQL on it.

Now I can't install things like Lync, Exchange 2013, etc.

How can I manually remove all data in AD related to that old SBS server?

There is no Exchange server currently and the old server is no longer able to retrieve any data, so all clean-up will have to be manual.


David Sheetz MCP

How to find out when dcpromo was run on a server?


Is there an event ID or something that gets logged that shows when dcpromo was run on a server? I am trying to figure out when a server was promoted to a domain controller.

Thanks

Time sync 2mins delay with external source timeanddate.com


Hi 

Our primary DC syncs with an external time source; today we noticed that it was 2 minutes behind timeanddate.com.

Our primary DC was a Hyper-V host machine. Can anybody help me to sync my DC with an external time source?

Regards

JAGS


Jags

cannot delete object in ADSI edit


I'm a domain admin on Windows Server 2012 and I cannot delete any AD object in ADSI Edit.

The Delete button is greyed out. Any idea?


Serge Luca; SharePoint MVP ; blog: http://sergeluca.wordpress.com/ ICT7 http://twitter.com/sergeluca

Active Directory Federation services certificate expiring


Hi,

We have had an ADFS deployment in place for almost a year now and have started to get the certificate warning messages. I have checked the process from the link in the email and it seems pretty straightforward; however, before I attempted to run the update I thought I would check a couple of things out first:

To manually update trust properties, follow these steps.

Note: If you need to support multiple top-level domains, such as contoso.com and fabrikam.com, you must use the SupportMultipleDomain switch with any cmdlets. For more information, see Support for Multiple Top Level Domains.

1. Open the Microsoft Online Services Module for Windows PowerShell.

2. Run $cred=Get-Credential. When this cmdlet prompts you for credentials, type your Office 365 administration account credentials.

3. Run Connect-MsolService -Credential $cred. This cmdlet connects you to Office 365. Creating a context that connects you to Office 365 is required before running any of the additional cmdlets installed by the tool.

4. Run Set-MSOLAdfscontext -Computer <AD FS 2.0 primary server>, where <AD FS 2.0 primary server> is the internal FQDN name of the primary AD FS 2.0 server. This cmdlet creates a context that connects you to AD FS 2.0.

   Note: If you have installed the Microsoft Online Services Module on the primary AD FS 2.0 server, then you do not need to run this cmdlet.

5. Run Update-MSOLFederatedDomain -DomainName <domain>. This cmdlet updates the settings from AD FS 2.0 into Office 365 and configures the trust relationship between the two.

Running the update in step 5 seems to only synchronise AD and O365. Does it generate a new certificate as well? This is not clear from the instructions. Also, I tried to add a token-signing certificate on our primary ADFS server and got a message telling me that the automatic certificate rollover feature is enabled and must be disabled in order to add a certificate.

I have 10 days left before they run out, so I want to get on it sooner rather than later, but could do with some guidance.

Any help?

Regards

Drac

Lingering Objects


Hi,

We are facing an issue with replication from one of the child domains to the other domains; basically, the other domains are unable to get replication from one of the child domains. I have tried running the remove lingering objects command, but after deletion the number of lingering objects is 0.

Since we have 300 DCs in the domain, we are unable to find the domain which is generating these lingering objects. Is there a way this can be tracked?


Rename sAMAccountName on Groups


Looking through the client's AD yesterday we came across an interesting issue that needs to be resolved.

There are around 200 Active Directory groups that have been created with the wrong information in the sAMAccountName field (pre-Windows 2000 name). I'm not sure how they've managed to do this; I suspect it's something to do with an old/bad import of data from their IDM solution, although the IDM guys seem adamant that this is not the case.

Normally this wouldn't be an issue; however, the client is also configuring PCounter to use Active Directory groups rather than OUs. Tests yesterday showed that PCounter uses the sAMAccountName and not the CN and, since the sAMAccountName field for this group of 200 or so groups is incorrect (the format is something like "$9QO000-2T3GRST35425" rather than the friendly name of "HGD21"), it is very difficult for the client's IT admins to marry up the 'unfriendly' sAMAccountNames with the 'friendly' CN.

I am looking for a simple and easy way to rename the "sAMAccountName" field with the data from the "CN" field. Is this easy to do? Can I script this, use LDIFDE etc., or would I be better off just spending the day going through the groups and changing them manually?
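One way to script this with the ActiveDirectory PowerShell module, as an added example that is not part of the original post or any reply to it. It previews and validates each change (characters AD rejects in a sAMAccountName, attribute length, domain-wide uniqueness) before renaming, and writes a CSV audit trail; the search base, log path and $Apply switch are assumptions to adjust.

```powershell
# Added example: rename group sAMAccountName to match CN, with checks and an audit log.
# Assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$SearchBase = 'OU=Groups,DC=example,DC=com'   # assumption: OU holding the affected groups
$LogPath    = 'C:\Temp\group-rename-log.csv'  # assumption: where the audit trail is written
$Apply      = $false                          # report only; set to $true to perform renames

# Characters Active Directory rejects in a sAMAccountName; the attribute's rangeUpper is 256
$IllegalChars = '["/\\\[\]:;|=,+*?<>]'

function ConvertTo-LdapSafe([string]$v) {
    # Escape the characters that are special inside an LDAP filter value
    $v -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$results = foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase) {
    $cn  = $g.Name
    $row = [pscustomobject]@{
        DistinguishedName = $g.DistinguishedName
        OldSam            = $g.SamAccountName
        NewSam            = $cn
        Status            = ''
    }

    if ($g.SamAccountName -eq $cn) {
        $row.Status = 'already-correct'
    } elseif ($cn -match $IllegalChars -or $cn.Length -gt 256) {
        $row.Status = 'cn-not-valid-as-sam'
    } else {
        # sAMAccountName must be unique across the whole domain, for any object class
        $clash = Get-ADObject -LDAPFilter "(sAMAccountName=$(ConvertTo-LdapSafe $cn))"
        if ($clash) {
            $row.Status = "clash-with:$($clash.DistinguishedName)"
        } elseif ($Apply) {
            Set-ADGroup -Identity $g -SamAccountName $cn
            $row.Status = 'renamed'
        } else {
            $row.Status = 'would-rename'
        }
    }
    $row
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count   # summary of what was (or would be) done
```

Run it once with $Apply left at $false and review the log for clashes and invalid names before switching it to $true.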

File replication Error in 2003 DC


Dear Team,

A few days ago I added an additional domain controller (2008 STD) to my 2003 PDC.

But on the new additional 2008 server, SYSVOL & NETLOGON are not shared, and both the 2003 PDC & the 2008 ADC are showing the same event error below.

The NTFRS service is already started on both, and on the 2003 PDC I checked the registry entry for "Enable Journal Wrap Automatic Restore"; the value is 1.

Please help me with this issue.

Error :

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

 Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Replica root path is : "c:\windows\sysvol\domain"

Replica root volume is : "\\.\C:"

A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

 

[1] Volume "\\.\C:" has been formatted.

[2] The NTFS USN journal on volume "\\.\C:" has been deleted.

[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.

[4] File Replication Service was not running on this computer for a long time.

[5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".

Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.

[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.

[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

 

WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.

 

To change this registry parameter, run regedit.

 

Click on Start, Run and type regedit.

 

Expand HKEY_LOCAL_MACHINE.

Click down the key path:

"System\CurrentControlSet\Services\NtFrs\Parameters"

Double click on the value name

"Enable Journal Wrap Automatic Restore"

and update the value.

 If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

 

Kiran Wagh

System Admin.


Kiran W. System Admin, MCSA

How can I get attribute details like user name and mail from a CSV or Notepad file of sAMAccountNames, through PowerShell or any other AD command?


How can I get attribute details like user name and mail from a CSV or Notepad file of sAMAccountNames, through PowerShell or any other AD command?
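An added example (not from the original post or any reply to it) using the ActiveDirectory PowerShell module: it accepts either a plain Notepad list (one sAMAccountName per line) or a CSV with a SamAccountName column, looks each account up, and reports names that did not resolve instead of silently dropping them. The input and output paths are assumptions.

```powershell
# Added example: resolve a list of sAMAccountNames to name and mail, flagging misses.
# Assumes the ActiveDirectory RSAT module; both file paths are assumptions.
Import-Module ActiveDirectory

$InputPath  = 'C:\Temp\accounts.txt'        # plain list, or CSV with a SamAccountName column
$OutputPath = 'C:\Temp\accounts-report.csv'

# Detect the input style from the first line so one script serves both file types
$firstLine = Get-Content -Path $InputPath -TotalCount 1
$names = if ($firstLine -match '(^|,)\s*"?SamAccountName"?\s*(,|$)') {
    (Import-Csv -Path $InputPath).SamAccountName
} else {
    Get-Content -Path $InputPath
}

$report = foreach ($raw in $names) {
    $name = ([string]$raw).Trim()
    if (-not $name) { continue }                  # skip blank lines

    # Doubling a single quote is the escape for the PowerShell AD filter syntax
    $safe = $name -replace "'", "''"
    $user = Get-ADUser -Filter "SamAccountName -eq '$safe'" -Properties mail, displayName

    # When $user is $null every property below is simply empty, and Found is $false
    [pscustomobject]@{
        SamAccountName = $name
        Found          = [bool]$user
        Name           = $user.Name
        DisplayName    = $user.displayName
        Mail           = $user.mail
        Enabled        = $user.Enabled
    }
}

$report | Export-Csv -Path $OutputPath -NoTypeInformation
$report | Where-Object { -not $_.Found } | Select-Object SamAccountName   # names that did not resolve
```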

AD Replication Cost & Interval


Hi,

What are the AD Sites replication cost & interval based on?

Is it recommended to leave these at the defaults, or change them according to the links between sites?

I have Datacenter Site with Main DC & ADC and rest of the 7 Sites with RODCs.

Regards,

Maqsood


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

GPO breaks metro apps


OK, so my Metro apps don't work on a domain PC that has the Default Domain Policy applied. If I block the Default Domain Policy as soon as I join the PC to the domain, the apps continue to work. If I take a new Win8 PC and let the Default Domain Policy be applied, then it breaks the apps. So I want to roll out Win8 to some users, but not if Group Policy breaks the apps. How can I further narrow down which policy is breaking this? Thanks.