
Can't push remote Group Policy update: "No computer objects can be found in this OU or sub OUs"

Hey guys,

I did some googling, but I can't find this error message anywhere.

When I try to push a remote Group Policy update to an OU in Group Policy Management on a Domain Controller, I get the following error message:

"You have chosen to force a Group Policy update on all computers within <OU Name> and all sub containers.  No computer objects can be found in this OU or sub OUs.  please select an OU that contains computer objects"

Needless to say, I do have computer objects in this OU, and I can't figure out what the problem is.  I did recently shuffle around my OUs and add more sub OUs to make my group policy application more granular ... is there a limit on how deep an OU tree can go?  But even when I try to push the Gpupdate to the lowest OU in the tree, the one that directly holds computer objects, I STILL get the error message.

However, pushing a gpupdate to my Servers OU (which is in the root of the domain), or to the default Domain Controllers OU, works fine.

-Server 2012 Function level, all DCs are Server 2012
-Tried pushing Gpupdate from different DCs ...
-Ran Replication diagnostic, everything seems fine
-Computer objects are all visible in AD

Removing 1 of 3 Domain Controllers in a Windows Environment

I have a Windows domain with Windows 2003 and 2008 R2 servers supporting desktops, SharePoint, and Exchange among other things. There are 3 domain controllers. The first domain controller was created on a Windows 2003 server. Later, 2 more domain controllers were added on Windows 2008 R2. When promoting each of the servers to DC, all of them were enabled as DNS and Global Catalog servers. Additionally, both 2008 R2 servers had DHCP set up on them; one of the 2008 R2 servers is set up as primary and the second as secondary. The 2003 one is just a member DC. I made sure the primary holds all 5 FSMO roles and that replication runs well on both servers.

I now have to demote the first Windows 2003 server and then take it out of the domain. But whenever I run DCPromo to demote the server, it keeps prompting a message that no other DC can be contacted, and when I try to disable the network card of the 2003 server, replication stops automatically on both 2008 R2 servers.

Any help please.
Thanks in advance.

Guest account keeps getting locked on a weekly basis from non-Windows systems.


The Guest account keeps getting locked every Friday between 7 and 8 PM, and the target systems shown are random Linux boxes, some of which authenticate through AD and some of which do not. I am checking the exact logs on the DC but haven't found the right log, as we only checked it on Monday and, due to the large number of logs, the old logs had been overwritten.

I tried the steps below from a thread on the TechNet forum, but the issue is not resolved.

1. Using ADSIEDIT, changed the value of the UserAccountControl attribute of the Guest account to 66082 (decimal), i.e. 0x10222 (hex), and disabled it, which is the sum of the following attributes:

   a. ACCOUNTDISABLE; PASSWD_NOTREQD; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD

   b. Its current value was 0x10202, aka 66050 in decimal (I believe this implies ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD)

2. Then for the account (in ADUC) did the following:

   a. Unchecked "user cannot change password" -> OK

   b. Right-clicked on the 'Guest' account, selected reset password, kept it blank and clicked OK

      i. This step is to set a NULL password for the GUEST account and keep it disabled

   c. Right-clicked on the Guest account and checked "user cannot change password" again

https://support.microsoft.com/en-us/kb/305144?wa=wsignin1.0

The same case was resolved in the past:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/df9255bf-f28d-4acf-b6c1-25ce041cc416/domainguest-account-being-locked-out-via-nondomain-joined-workstations?forum=winserverDS

-----------------------------------------------------------------------------------------------------------

We are using Netwrix Auditor, which sends us mails for these kinds of logs, and the exact log is:

Action: Modified
Object Type: user
What: \com\contoso\Users\Guest
Where: Dc01.contoso.com
Who: CONTOSO\DC01$
When: 11/27/2015 7:59:56 PM
Workstation: unknown
Details: User Account Locked Out (Workstation name: \\LINUX01)

Web Application Proxy working, but no SSO to rich Office clients (MSOFBA)


Hi there,

We're implementing a Web Application Proxy (WAP) on Windows Server 2012 R2 for our organisation to replace the authentication/SSO features of Forefront TMG. Currently we have a working WAP with SSO for:
- SharePoint 2013
- Outlook
- Office 365
- several other web applications.
Authentication works great and it is a really seamless authentication environment. Its backend is based on Kerberos, so no claims are being used for SharePoint or Exchange. The right SPNs are created in AD, obviously.
When I'm logged in with the web browser (tried the usual suspects) and try to open an Office document located on the SharePoint server, the document opens fine in the Office Web Apps server (again with SSO), but when I try to edit the document in Word (or Excel etc.), I get a new authentication prompt (forms based) from the WAP server.
If I enter my credentials again, the document opens and everything works fine. I can save the document etc. When I leave the MS Office application open and open another document from the SharePoint site, I don't get another authentication prompt. This is not the seamless experience we had on the TMG solution.
It seems to me that there are two different session cookies in play: one for the browser and one for the MS Office applications. Of course I googled this extensively, but there is no solution to be found. It almost seems like I'm the only one with this problem!
What I've learned so far is that MS Office uses the MSOFBA 'engine' for its applications. Maybe there is a way to add this user agent to the WAP server, so that it receives the right cookie when authenticated in the web browser? I'm really stuck here. Plus, the feeling that I'm the only one makes me think I'm doing something very stupid.
Thanks for any ideas!

P.S. All access to the WAP is external. No internal (intranet) authentication is being done in our domain. We have a full BYOD network where everything is presented as 'if you are working from your home'.

Account locked out continuously

Account locked out continuously. I just want an example with a batch script; can anyone help me?

Thanks & Regards, Amol . Amol Dhaygude

Need your help!


Hi,

We have Windows 2008 DNS servers across several forests and domains at one company.

Somehow, due to several reverse lookup zones being defined in different domains' DNS servers, users have issues doing reverse lookups.

I just wonder why they created the same lookup zone in a different domain's DNS server?

The same subnet, such as 192.168.10.x, is only defined in one domain's (e.g. a.local) DNS server, not in the b.local DNS server.

Thank you!

Steps to go from 2003 to 2012 forest\domain level


Good Morning,

I have all 2012 R2 DCs and I am currently at forest/domain level 2003. What is best practice or steps to go from forest/domain level 2003 to 2012?


cshsysadmin

How to specify an ADFS site to work on a different port?


Trying to configure SSO with ADFS and ShareFile. I had to use port 8443 for ADFS.

Where must I specify that ADFS should use port 8443?

I am getting the following error:

Encountered error during federation passive request.

Additional Data
Protocol Name: Saml
Relying Party: https://0footprinttechservices.sharefile.com

Exception details:
Microsoft.IdentityServer.Web.UnsupportedSamlRequestException: MSIS7076: The configured passive endpoint 'https://adfs.0footprint.net/adfs/ls/' is not a prefix of the incoming SAML message Destination URI 'https://adfs.0footprint.net:8443/adfs/ls/'.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateIncomingSamlMessage(SamlMessage samlMessage)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Account Lockout info not cascaded between domain controllers.


Hi All,

I have 8 domain controllers across sites. The PDC is placed in a separate site; all the others are additional DCs. I am scratching my head here...

Default site link: all sites associated.

Account lockout policy: 5 invalid attempts; the account lockout is reset after 15 mins.

Whenever an account is locked out, the lockout info is not being updated on all the other DCs. Some DCs show it as locked out, others don't. I can understand that between DCs it will take 15 mins. The same applies to account lockout/password reset as well.

I enabled inter-site change notification, but no luck.

How do I fix this issue?


Thanks, Venkatesh. "Hardwork Never Fails"

One-way trust, sudden client problems


I've got 2 domains in separate forests. Domain A and Domain B.

Domain A trusts Domain B. This is a one way trust. 

All PCs are in Domain A. They all run Windows 7. Both domains run at the 'Server 2008 R2' forest functional level.

Half of the users log in with credentials from domain A, and they have no problems.

The other half of my users log in using credentials B. Logging in is fine, and they can access services such as Domain B's Exchange server, from their Domain A clients.

However, all of a sudden last Monday, for no reason, whenever any user from Domain B tries to change their password from their Domain A client, they get an error "The Security database on the server does not have a computer account for this workstation trust relationship" which implies the PC has dropped off the domain during the password reset.

If they then click 'switch user', re-enter their domain B username, and enter the new password, it then lets them back in as if there was no problem. Up until last Monday, this had been working fine, and we didn't have any problems.

The only thing that has changed, and this could be unrelated, is that the domain controllers in Domain B were changed over from 2008 R2 DCs to 2012 R2 boxes recently. The forest functional level is still 2008 R2.

Naturally I've checked in AD domains and trusts, and clicking on 'validate' seems to imply there is no issue.  Also checking the trust via nltest comes back OK.

I'm a bit stuck now, so wondered if anyone had any ideas as to what might have caused this, or how to fix it please?

Many thanks.

Adding a Computer to trusted domains group


Hi All,

I will explain my problem as briefly as I can. I have two domains, named A and B. There is a server which is joined to Domain A. We have a requirement to add this server to the "Domain Computers" group in Domain B. We don't want to join this server to Domain B; we only need to add this server to this group in Domain B. How can I do this?

Thanks,

Regs,

Sachitha.

ADFS: The SAML protocol message cannot be read because it contains data that is not valid


Hello

Please help me to solve the following issue.

I have a domain (Windows 2012 R2) with ADFS 3.0, and I connected it with Dropbox (manually) without problems. But when I try to set up SSO for another external site I get:

Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          9/21/2015 9:59:55 PM
Event ID:      153
Task Category: None
Level:         Error
Keywords:      ADFSPassivePipeline
User:          COMPANY-GROUP\Administrator
Computer:      adfs.company-group.com
Description:
Exception: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid.
StackTrace:    at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
   at Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Exception: ID4128: The value is not a valid SAML ID.
Parameter name: value
StackTrace:    at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)


or

Encountered error during federation passive request.

Additional Data

Protocol Name:


Relying Party:


Exception details:
System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid. ---> System.ArgumentException: ID4128: The value is not a valid SAML ID.
Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '0' character, hexadecimal value 0x30.
   at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
   at Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.ArgumentException: ID4128: The value is not a valid SAML ID.
Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '0' character, hexadecimal value 0x30.
   at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)

System.Xml.XmlException: Name cannot begin with the '0' character, hexadecimal value 0x30.
   at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)

Thanks in advance.
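The ID4128 / "Name cannot begin with the '0' character" errors in the trace above mean the service provider sent an AuthnRequest whose ID attribute is not an XML NCName, which is what SAML 2.0 requires for an xs:ID. The following Python is an added illustration, not code from the post or from ADFS: it checks an AuthnRequest's ID the way the quoted error does and shows how a service provider sidesteps the problem by prefixing generated IDs with an underscore. The request XML, hostnames and ID values are constructed.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Tuple

# xs:ID is an XML NCName: it may not start with a digit, '-' or '.', and may
# not contain ':'. This regex covers the ASCII subset, which is enough to
# reproduce the ADFS rejection quoted above (an ID starting with '0').
_NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def is_valid_saml_id(value: str) -> bool:
    """True if value is acceptable as a SAML 2.0 ID (xs:ID / NCName)."""
    return bool(value) and _NCNAME_RE.match(value) is not None


def new_saml_id(nbytes: int = 16) -> str:
    """Generate an ID that is always a valid NCName: the leading underscore
    guarantees the first character is not a digit, whatever the random hex is."""
    return "_" + secrets.token_hex(nbytes)


def check_authn_request(xml_text: str) -> Tuple[bool, str]:
    """Parse an AuthnRequest and report whether its ID would be rejected.
    Returns (ok, reason) so the reason can be logged at the IdP or SP side."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        return False, "unexpected root element %s" % root.tag
    req_id = root.get("ID")
    if req_id is None:
        return False, "AuthnRequest has no ID attribute"
    if not is_valid_saml_id(req_id):
        return False, ("ID %r is not a valid NCName: it must not start with a "
                       "digit, '-' or '.', and may not contain ':'" % req_id)
    return True, "ID is a valid NCName"


# Constructed sample: a minimal AuthnRequest whose ID starts with a digit,
# the shape of request the quoted ADFS error rejects.
BAD_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="0f3d9c2a1b4e4c7d8e9f0a1b2c3d4e5f"
    Version="2.0" IssueInstant="2015-09-21T21:59:55Z"
    Destination="https://adfs.example.invalid/adfs/ls/">
  <saml:Issuer>https://sp.example.invalid/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

# The same request with the ID fixed the way new_saml_id() would produce it.
GOOD_REQUEST = BAD_REQUEST.replace('ID="0f3d9c2a1b4e4c7d8e9f0a1b2c3d4e5f"',
                                   'ID="_0f3d9c2a1b4e4c7d8e9f0a1b2c3d4e5f"')

if __name__ == "__main__":
    for label, doc in (("bad", BAD_REQUEST), ("good", GOOD_REQUEST)):
        ok, reason = check_authn_request(doc)
        print("%s: %s: %s" % (label, "accepted" if ok else "rejected", reason))
    print("fresh id:", new_saml_id())
```

On the SP side the fix is in how the ID is generated, not in ADFS configuration; running the check on a captured request tells you which side to look at.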

Unable to create child domain


I have an existing W2008R2 domain, and I'm trying to create a new child domain using W2012 Std. The new server is on a remote subnet, connected via WAN, without any firewall or security filter. It can connect to the existing domain controllers (ping, network share, and so on; everything works).

I start the wizard, and it confirms that the environment is OK. Then it stalls while working on "Active Directory synchronizing". It reports a series of 1963/1961/2839/1962/1125 event ID errors, then after a while it starts reporting the same series again (I think it loops to check whether the problems are solved).

I cannot find any way to understand why it cannot complete the dcpromo.

Any idea?

Thanks

smartcardrequire.vbs and high CPU usage


One of our AD servers occasionally gets bogged down due to 100 percent CPU usage.

Upon investigating, we discovered that cscript.exe is calling a VBS file, "smartcardrequire.vbs", which is hogging the CPU.

We checked 3 other AD servers. 2 of them did not even have this file.

The file smartcardrequire.vbs is located in <SYSTEMDRIVE>\Windows\Temp\

A search for information on this file revealed nothing. Does anyone know what exactly this file is for, and whether it is needed on an AD server?

Administrator account question

I have to come up with the easiest way possible to change the local administrator account password on all computers in my environment. I think the answer is no but it does not hurt to ask... Can I sync the active directory administrator account with the local administrator accounts? I would like to change it on one account then have it replicate down.

Smart Card Authentication Failing For Just One Domain Controller


Guys,

We're a bit stumped on this one.  Recently, we replaced one of our DCs (promo down, new hardware, same name/IP, promo up), and now whenever clients (Win7) hit that DC for smart card authentication they fail with a generic message on the client and a corresponding DC log entry (example below).

We've checked certificates and that doesn't seem to be the issue; the DC is getting them correctly from the CA and they go to the proper stores.  And this only happens on this one DC; we've shut it down for now to alleviate the problem.

Not sure what else it could be, any help would be appreciated!

Thanks!!

SourceName=Microsoft Windows security auditing.
EventCode=4771
EventType=0
Type=Information
ComputerName=xxx.xxx.xxx
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=52904702
Keywords=Audit Failure
Message=Kerberos pre-authentication failed.

Account Information:
Security ID: {DOMAIN}\{USERNAME}
Account Name: {USERNAME}

Service Information:
Service Name: krbtgt/{DOMAIN}

Network Information:
Client Address:::ffff:xxx.xxx.xxx.xxx
Client Port: 53904

Additional Information:
Ticket Options:0x40810010
Failure Code: 0x4b
Pre-Authentication Type:15

Certificate Information:
Certificate Issuer Name:{INTERMEDIATE CERT NAME}
Certificate Serial Number: xxxxxxx
Certificate Thumbprint:xxxxxxx

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


Group Policies Not Being Applied to Computer Objects


Hello Everyone,

It has been brought to my attention that none of our group policies are being applied to computer objects. I have verified that all GPOs targeting user objects are being applied correctly. Even the Default Domain Policy is not being applied to computer objects.

I have created a new OU and placed a computer object into it, linked the Default Domain Policy to the OU and enforced the GPO at the OU level. However, GPResult still shows no policies being applied to the computer object. The funny thing is that if I use Group Policy Modeling and select the computer object, it shows that the Default Domain Policy should be applied to the computer.

At this point I am at a loss as to why these GPOs are not being applied to the computer objects. Any suggestions would be greatly appreciated.

New DC does not share SYSVOL and NETLOGON


Hello.

I have a home lab with an AD domain called tnx.cz. I have a single DC called DC02 (Windows Server 2012). I needed to install a new DC called DC03 (Windows Server 2012). I have done this many times and never ran into trouble. This time everything went OK, but at the end the new DC03 was not sharing NETLOGON and SYSVOL. Replication worked according to repadmin. DNS was working, and the new server was serving clients OK. But when I shut down the old DC02, the domain stopped working: instead of a network called tnx.cz, computers showed Network 2 or something like this.

I removed DC03 (moved the FSMO roles back, did a correct demotion, uninstalled ADDS and DNS) and started again. Before I started adding the new DC, I walked through the DNS and checked every single record in the whole tree. I also ran the BPA for ADDS and DNS before installing. No significant errors or warnings (not counting the warnings that I have a single DC, or that I should use localhost as a DNS server in the TCP/IP settings on the DC, but not as the first one). I used Windows Server 2012 R2 this time for the installation of the new DC, but the result was the same.

Replication seems to be working.

Results of repadmin /showrepl from DC02:

C:\Users\Administrator.TNX>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
home\DC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
DSA invocationID: bceb8b7d-f5e7-45ee-b5fd-f36b9c601d37

==== INBOUND NEIGHBORS ======================================

DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

CN=Configuration,DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

CN=Schema,CN=Configuration,DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

DC=ForestDnsZones,DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

DC=DomainDnsZones,DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

Results of repadmin /showrepl from DC03:

C:\Users\Administrator.TNX>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
home\DC03
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
DSA invocationID: cb1960e2-9fed-45d5-8539-bad3bbca3981

==== INBOUND NEIGHBORS ======================================

DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 10:25:56 was successful.

CN=Configuration,DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 09:50:00 was successful.

CN=Schema,CN=Configuration,DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 09:50:00 was successful.

DC=ForestDnsZones,DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 09:50:00 was successful.

DC=DomainDnsZones,DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 09:50:00 was successful.

But DCDIAG shows errors.

DCDIAG from DC02:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC02

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: home\DC02

      Starting test: Connectivity

         ......................... DC02 passed test Connectivity



Doing primary tests

   
   Testing server: home\DC02

      Starting test: Advertising

         ......................... DC02 passed test Advertising

      Starting test: FrsEvent

         ......................... DC02 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... DC02 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC02 passed test SysVolCheck

      Starting test: KccEvent

         ......................... DC02 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC02 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC02 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC02 passed test NCSecDesc

      Starting test: NetLogons

         ......................... DC02 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC02 passed test ObjectsReplicated

      Starting test: Replications

         ......................... DC02 passed test Replications

      Starting test: RidManager

         ......................... DC02 passed test RidManager

      Starting test: Services

         ......................... DC02 passed test Services

      Starting test: SystemLog

         ......................... DC02 passed test SystemLog

      Starting test: VerifyReferences

         ......................... DC02 passed test VerifyReferences

   
   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : tnx

      Starting test: CheckSDRefDom

         ......................... tnx passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... tnx passed test CrossRefValidation

   
   Running enterprise tests on : tnx.cz

      Starting test: LocatorCheck

         ......................... tnx.cz passed test LocatorCheck

      Starting test: Intersite

         ......................... tnx.cz passed test Intersite

DCDIAG from DC03:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = dc03

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: home\DC03

      Starting test: Connectivity

         ......................... DC03 passed test Connectivity



Doing primary tests

   
   Testing server: home\DC03

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\DC02.tnx.cz, when we

         were trying to reach DC03.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... DC03 failed test Advertising

      Starting test: FrsEvent

         ......................... DC03 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... DC03 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC03 passed test SysVolCheck

      Starting test: KccEvent

         ......................... DC03 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC03 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC03 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC03 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\DC03\netlogon)

         [DC03] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... DC03 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC03 passed test ObjectsReplicated

      Starting test: Replications

         ......................... DC03 passed test Replications

      Starting test: RidManager

         ......................... DC03 passed test RidManager

      Starting test: Services

            DFSR Service is stopped on [DC03]

         ......................... DC03 failed test Services

      Starting test: SystemLog

         ......................... DC03 passed test SystemLog

      Starting test: VerifyReferences

         ......................... DC03 passed test VerifyReferences

   
   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : tnx

      Starting test: CheckSDRefDom

         ......................... tnx passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... tnx passed test CrossRefValidation

   
   Running enterprise tests on : tnx.cz

      Starting test: LocatorCheck

         ......................... tnx.cz passed test LocatorCheck

      Starting test: Intersite

         ......................... tnx.cz passed test Intersite

There are some warnings and errors in logs, but they are quite confusing to me:

-----

There is an error on DC03 in DFS Replication log:

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner DC02.tnx.cz. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 5C759754-F9F4-4EDA-B262-B2E86BF6487F
Replication Group Name: Domain System Volume
Replication Group ID: CB8E010A-2891-495E-B1D5-C8128B4EAA52
Member ID: FA76F872-92C5-454B-875B-CA1A1DF414FE
Read-Only: 0

-----

Later there is information in DFS Replication log saying:

The DFS Replication service successfully established an inbound connection with partner DC02 for replication group Domain System Volume.
 
Additional Information:
Connection Address Used: DC02.tnx.cz
Connection ID: CB8E010A-2891-495E-B1D5-C8128B4EAA52
Replication Group ID: 106FA20D-096B-4C4C-87C9-5F58355B7165

-----

DNS Server log on DC03 says:

The DNS server has finished the background loading and signing of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.

-----

On DC02:

Error in DFS Replication log:

The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 362 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
 
To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group.
 
Additional Information:
Error: 9061 (The replicated folder has been offline for too long.)
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 5C759754-F9F4-4EDA-B262-B2E86BF6487F
Replication Group Name: Domain System Volume
Replication Group ID: 106FA20D-096B-4C4C-87C9-5F58355B7165
Member ID: 0FBB30B0-D9C5-401A-897E-2129D3230429

-----

Later information in the DFS Replication log:

The DFS Replication service has detected that at least one connection is configured for replication group Domain System Volume.
 
Additional Information:
Replication Group ID: 106FA20D-096B-4C4C-87C9-5F58355B7165
Member ID: 0FBB30B0-D9C5-401A-897E-2129D3230429

-----

There is information in the log describing what I should do: "To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group." But I do not have the DNS management snap-in in my DC for MMC. Should I install it to continue? Is the error relevant in this case? I just do not understand why it says it was disconnected from replication when it was the only DC in the domain.

Can you advise, please?

Thank you

Best regards

Jan Kovar

honza@tnx.cz
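The dcdiag runs and DFSR events above are the symptoms of one condition: a DC whose SYSVOL replicated folder is not in the Normal state does not share NETLOGON/SYSVOL, fails the Advertising test and stops serving Group Policy, so security settings on its clients silently stop updating. The following script is an added example, not code from the thread or from Microsoft; it produces one health row per DC covering exactly those signals. It assumes domain-admin rights on a Windows Server 2012 or later DC with the ActiveDirectory module installed, and it reads DFSR state through the documented root\microsoftdfs WMI namespace; the event IDs 4012 (offline longer than MaxOfflineTimeInDays, error 9061) and 4614 (SYSVOL initialized, waiting for initial sync) are the ones that carry the two log messages quoted above.

```powershell
# Added example, not from the thread: SYSVOL / DFSR health report for every DC.
# Assumptions: run as a domain admin on Windows Server 2012+ with RSAT-AD-PowerShell;
# DFSR is queried via the root\microsoftdfs WMI namespace documented by Microsoft.

Import-Module ActiveDirectory

# Documented values of DfsrReplicatedFolderInfo.State
$dfsrStates = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error'
}

function Get-SysvolHealth {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $DomainController) {
        # DFSR's own view of the SYSVOL replicated folder on this DC
        $folder = Get-WmiObject -ComputerName $dc -Namespace 'root\microsoftdfs' `
                      -Class DfsrReplicatedFolderInfo `
                      -Filter "ReplicatedFolderName='SYSVOL Share'" -ErrorAction SilentlyContinue

        # MaxOfflineTimeInDays: a member disconnected longer than this stops replicating
        # (event 4012 / error 9061, as in the DC02 log above)
        $cfg = Get-WmiObject -ComputerName $dc -Namespace 'root\microsoftdfs' `
                   -Class DfsrMachineConfig -ErrorAction SilentlyContinue

        # A DC that is not sharing NETLOGON and SYSVOL is not a usable logon server
        # and does not serve Group Policy to anyone.
        $netlogon = Test-Path "\\$dc\NETLOGON"
        $sysvol   = Test-Path "\\$dc\SYSVOL"

        # 4012 = stopped, offline too long; 4614 = initialized, waiting for initial sync
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
                      LogName = 'DFS Replication'; Id = 4012, 4614
                      StartTime = (Get-Date).AddDays(-7)
                  } -ErrorAction SilentlyContinue

        # dcdiag prints lines of the form "......... DC03 failed test NetLogons"
        $failed = dcdiag /s:$dc 2>$null |
                  Select-String -Pattern 'failed test (\S+)' |
                  ForEach-Object { $_.Matches[0].Groups[1].Value }

        [pscustomobject]@{
            DC                   = $dc
            DfsrSysvolState      = if ($folder) { $dfsrStates[[int]$folder.State] } else { 'unknown' }
            MaxOfflineTimeInDays = if ($cfg) { $cfg.MaxOfflineTimeInDays } else { $null }
            NetlogonShared       = $netlogon
            SysvolShared         = $sysvol
            DfsrEvents7d         = ($events | ForEach-Object Id | Sort-Object -Unique) -join ','
            DcdiagFailedTests    = ($failed | Sort-Object -Unique) -join ','
        }
    }
}

Get-SysvolHealth | Format-Table -AutoSize
```

Two practical notes on reading the output. The "Domain System Volume" replication group that carries SYSVOL is not shown in the DFS Management snap-in, so the remove-and-re-add step in the 4012 event text cannot be followed literally for SYSVOL; Microsoft's documented route for that event is to raise the limit above the observed offline time with `wmic /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=<days>` and restart the DFSR service, then confirm the folder reaches the Normal state. And a DC shown here with DfsrSysvolState of "Initial Sync" cannot complete that sync while its only partner is itself blocked by 4012, which matches the 4614 event on DC03 pointing at DC02.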

DNS between new Child DCs and Parent DCs misconfigured?


Hey everybody! 

In our environment I was running a single DC running DNS, AD, etc.  We have gone through an engineering change which requires 3 Child domains to be spun up.  I built the Child DCs, and promoted them as such with the global catalog option two days ago, and all seemed fine until I went to join my first server to the new Child domain. My DNS skills are quite terrible, so please go easy on me. All servers are Server 2012.

Upon trying to join a server to the child domain, I received the error: "DNS name does not exist" the query was for the SRV record for _ldap._tcp.dc._msdcs.child.parent.local  - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS.  These records are registered with a DNS server automatically when a AD DC is added to a domain.  One or more of the following zones do not include delegation to its child zone  (substituted names for child and parent domains for anonymity).

On the parent DC, in DNS manager, I can see delegations for all three child DCs with FQDNs.  I've set zone transfers to allow to any server.

On the child domains, in the TCP/IP settings, the primary DNS address points to the loopback 127.0.0.1, and secondary is set to the IP of the parent DC.  I've tried creating secondary zone, but it says that "the server with this IP address is not authoritative for this zone"...and when it finishes creating the zone, I try to go into the properties and change the name server to add the parent dc as authoritative, but the buttons are greyed out.

On the server I've attempted joining to the Child Domain, the TCP/IP settings are set to point to the Child DC's DNS.

I'm sure I'm missing something very simple somewhere, but my experience with DNS is limited, and non-existent with subdomains.  Any help is greatly appreciated.
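The join error quoted above depends on two lookups succeeding from the client's DNS server: the parent zone must delegate the child zone (so a query for the child name at the parent returns NS records with glue), and the child DC must have registered its locator record `_ldap._tcp.dc._msdcs.<child zone>`. The script below is an added example, not code from the thread; it runs both queries against the parent DC and the child DC and reports where the chain breaks. It assumes the DnsClient module (Windows 8 / Server 2012 or later); the zone and server names are placeholders standing in for the poster's anonymised parent.local / child.parent.local environment.

```powershell
# Added example, not from the thread: check delegation and DC locator records for a child domain
# from more than one DNS server. Assumes the DnsClient module (Resolve-DnsName); all names below
# are placeholders for the real environment.

function Test-ChildDomainDns {
    param(
        [string]$ChildZone,     # e.g. child.parent.local
        [string[]]$DnsServer    # servers to query: typically the parent DC and the child DC
    )
    # The record the domain-join client asked for in the error message above
    $srvName = "_ldap._tcp.dc._msdcs.$ChildZone"

    foreach ($server in $DnsServer) {
        # Delegation: NS records for the child name answered by this server
        $ns  = Resolve-DnsName -Name $ChildZone -Type NS -Server $server -ErrorAction SilentlyContinue |
               Where-Object QueryType -eq 'NS'
        # Locator: SRV records naming the child DCs
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $server -ErrorAction SilentlyContinue |
               Where-Object QueryType -eq 'SRV'

        # The join also needs each SRV target to resolve to an address via the same server
        $targetsResolve = $false
        if ($srv) {
            $targetsResolve = [bool]($srv | ForEach-Object {
                Resolve-DnsName -Name $_.NameTarget -Type A -Server $server -ErrorAction SilentlyContinue
            })
        }

        [pscustomobject]@{
            QueriedServer  = $server
            ChildZoneNS    = ($ns  | ForEach-Object NameHost)   -join ','
            DcSrvTargets   = ($srv | ForEach-Object NameTarget) -join ','
            LocatorUsable  = [bool]$srv -and $targetsResolve
        }
    }
}

# Placeholders: replace with the real child zone and the parent/child DC names or addresses.
Test-ChildDomainDns -ChildZone 'child.parent.local' `
                    -DnsServer @('dc1.parent.local', 'dc1.child.parent.local') |
    Format-Table -AutoSize

# The domain-join client's own view, run on the server being joined
# (it uses the DNS servers configured in its TCP/IP settings):
nltest /dsgetdc:child.parent.local /force
```

How to read a failure: if the child DC answers the SRV query but the parent DC returns no NS records (or NS records whose glue addresses are wrong), the parent zone's delegation is what needs fixing; if the child DC itself returns no SRV record, the DC has not registered its records and `nltest /dsregdns` run on that DC forces Netlogon to re-register them. The "server with this IP address is not authoritative for this zone" message seen when creating a secondary zone on the child DC is expected in a delegated setup, because the parent DC does not host the child zone at all; the child DC is the authority for it.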

DNS resolution for brand new DC


Hello everyone,

I would like to mention that I'm new to configuring DCs and DNS servers, so please bear with me :)

I have 3 VMs configured.

1 DC, which is also the DNS server.

1 dirsync server

1 exchange server.

I plan on creating a hybrid deployment with an on-premises Exchange 2013 and Office 365.

The problem that I have at the moment is that the namespace of my AD is domain.com which is the exact same name as my public domain, which I use for public DNS records, as well. I need to create an MX, autodiscover, mail and a couple of TXT public records for my future deployment.

I did that, and then I noticed that if I do an nslookup from the internal network for my domain.com, it would not resolve it on the global DNS, but it would only search in the local DNS.

If I do nslookup for any other domain, it resolves it by using the global DNS, which is normal.

Is there any way to work around this (as far as I understood, the problem is having the same AD namespace as the public one)? I've read about conditional forwarding and reverse lookup zone. Would that apply here? If you need additional information, I will try to reply as best as I can.

Thank you,

Nonis
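Because the internal DNS server is authoritative for domain.com, it answers every query for that zone itself and never forwards to the public resolvers, which is why nslookup behaves differently for this one name. Conditional forwarders and reverse lookup zones do not change that; the standard way to handle an AD namespace that equals the public domain is to create the public host records inside the internal zone as well (split-brain DNS). The script below is an added example, not code from the thread; it seeds those records idempotently. It assumes the DnsServer module on a Windows Server 2012 or later DC, and the host names, the 203.0.113.x addresses (a documentation range) and the SPF text are placeholders for the poster's real public records.

```powershell
# Added example, not from the thread: mirror the public hosts of domain.com into the internal
# AD-integrated zone. Assumes the DnsServer module; all addresses and names are placeholders.

$zoneName = 'domain.com'

# Public hosts that internal clients must also resolve, with their PUBLIC addresses
$publicHosts = @{
    'www'          = '203.0.113.10'
    'mail'         = '203.0.113.20'
    'autodiscover' = '203.0.113.20'
}

function Sync-SplitBrainZone {
    param(
        [string]$ZoneName,
        [hashtable]$Hosts,
        [string]$MailExchange,
        [string]$SpfText
    )

    foreach ($name in $Hosts.Keys) {
        # Only add what is missing, so the script is safe to re-run
        $have = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue
        if (-not $have) {
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $Hosts[$name]
            Write-Output "added A $name.$ZoneName -> $($Hosts[$name])"
        }
        else {
            Write-Output "exists A $name.$ZoneName -> $($have.RecordData.IPv4Address -join ',')"
        }
    }

    # MX and SPF live at the zone apex; the DnsServer cmdlets use '.' as the apex name
    if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType MX -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordMX -ZoneName $ZoneName -Name '.' -MailExchange $MailExchange -Preference 10
    }
    $txt = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.RecordData.DescriptiveText -eq $SpfText }
    if (-not $txt) {
        Add-DnsServerResourceRecord -Txt -ZoneName $ZoneName -Name '.' -DescriptiveText $SpfText
    }
}

Sync-SplitBrainZone -ZoneName $zoneName -Hosts $publicHosts `
    -MailExchange "mail.$zoneName" `
    -SpfText 'v=spf1 mx include:spf.protection.outlook.com -all'   # placeholder SPF policy

# Verify what internal clients will now get from this server
foreach ($n in $publicHosts.Keys) {
    Resolve-DnsName -Name "$n.$zoneName" -Type A -Server 127.0.0.1
}
Resolve-DnsName -Name $zoneName -Type MX -Server 127.0.0.1
```

One caveat this does not solve: the bare name domain.com inside an AD zone is registered by every DC's Netlogon service with the DC's own address, so a public website should be published under www rather than the apex, and any public records changed later must be changed in both places, which is the maintenance cost of a split-brain setup.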
