Channel: Directory Services forum

Minimal name resolution for forest trust


Hi,

We are creating a one-way trust where DomA.com trusts DomB.com.  To improve security, rather than allow full name resolution for all computers in DomA, we would like to create a forward lookup zone with manual host records for only those servers that are needed to create the trust and provide access to the resources DomB needs.

For the trust creation, am I correct that a blank host record with IP of a domain controller is all that is needed?  Thus DomA.com and DomB.com will resolve to DCs from the other domain.

Will this work, or is a stub zone / conditional forwarding needed?

Many thanks


Brendan




Active Directory Web Services Service will not start


The Active Directory Web Services service will not start on a 2008 R2 server with Exchange 2010.

System Specs: 
Dell PowerEdge T310
Dual Xeon 2.67GHz X3450
24Gb DDR3 RAM
Perc h700/1Gb BBWC 8 disks/ 3 volumes
Server 2008R2 SP1 Rollup 3
Exchange 2010 SP1 Rollup 7

Server has been in production since Jan. 2012 with no issues.

When attempting to start the service manually, I am presented with the error "Windows could not start the Active Directory Web Services service on Local Computer.  Error:1053: The service did not respond to the start or control request in a timely fashion."

Upon inspection of the error log, I see the following errors after a start attempt:

System:
EventID 7009
A timeout was reached (90000 milliseconds) while waiting for the Active Directory Web Services service to connect.

EventID 7000
The Active Directory Web Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

There are no log entries in the Application log, and there hasn't been an entry in the Active Directory Web Services log since the end of last month. The last entry is:

EventID 1004
Active Directory Web Services has successfully started and is now accepting requests.

As far as I can tell by looking at the logs and checking AD and Replication, DNS, DFS, and everything else, all systems seem to be working except for ADWS.

I have done the following (in addition to hours of searching and research):

I added “<add key="DebugLevel" Value="Info" />” and “<add key="DebugLogFile" value="C:\ADWSLog\Adws_trace_log.txt" />” to the Microsoft.ActiveDirectory.WebServices.exe.config to enable logging, but the service doesn’t seem to be logging anything.

I have copied the “Microsoft.ActiveDirectory.WebServices.exe” file from another working server.

I have export/imported registry keys from a working server.

I attempted to re-register the ADWS DLLs.

I have uninstalled/reinstalled hotfixes installed immediately prior to the point when the service stopped.

After that I installed all current updates to the system.

I am at a loss here; I have no idea what else to try.  I'm looking for any help or suggestions.

Thanks.

Configuring Active Directory user authentication on CentOS boxes using LDAP


Hello,

I am trying to authenticate AD users on a CentOS box. I have installed AD on my test machine. From CentOS, I can do an ldapsearch against it.

However, when I try to authenticate as those users, it gives an error saying the user does not exist. I want to use LDAP for both authentication and retrieving metadata for users.

Are there any step-by-step instructions available to do this?

Change user account name with minimum impact


Hi All, 

I want to change user logon names in AD and SMTP email addresses due to standardization at our company. When we change the login name, what is the impact? Is it going to change the user profiles on each workstation they log on to? For the SMTP address, I know we can add a new one and make it primary but still keep the old one so senders can still send email. I'm really concerned about the logon name / sAMAccountName.

Any ideas for this? Maybe a hint or steps? :)


Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Krisna Ismayanto | My blogs: Krisna Ismayanto | Twitter: @ikrisna

W2k 2008 Trusts


Background:

OK, I have inherited a 3-site company (site meaning physical properties in one company). One site has no DC, just a shared file server which I'm not worried about; we'll call it site 3. Sites one and two have their own forests and DCs and are connected via a cable internet VPN. My issue of course is to bring them into one, as there is a growing need to share files/folders etc. To start off with, I cannot even create a trust between them. Domain and forest levels are 2008 (not R2), no reason, just what I stopped at, as they were in various flavors of domain and forest level when I got here. I do not push down any GPs (as of yet); I only use the servers at this point for authentication for file and folder sharing, and DHCP.

Question:

Why can't I trust the domains?

Will migrating with ADMT 3.2 (to a site) be my answer? If so, what happens to the DCs at site 2 when I move them to 1?

Ideas?

I have done this multiple times with 2000 and 2003 but don't seem to be able to find the solution for 2008.

When I run the trust wizard it fails right after putting in the domain information; I get no further. It gives me no details, just says "cannot finish".

recovering from bad upgrade from Server 2003 (64) to Server 2008 R2


Old server was a 2003 (64), running Exchange 2007 - PDC, no workstations connected. 100+ users accessing email using http/rpc.  We had some other services on this server as well: a very small 'webpage' for users to access over a VPN connection, and a Symantec Corporate server as well.  Things worked very well, no issues - unfortunately, the server was multihomed, which apparently caused some problems when we upgraded. 

New server is a VM, on ESX - 2008 R2, Exchange 2010.  Everything came across and worked OK, except we had a strange problem: the old server needs to be on to add users.  Microsoft worked with us to resolve some issues with DNS and such, caused by the multihomed environment.  Lots got resolved, but this server was a production server, and we wanted to wait until we had replication set up before finishing off the job. 

So, the other day, we finished off as per discussions with Microsoft, rebooted the new server, and poof: complete failure.  Eventually reverted back to the replica.  The replica actually works without the old server, but there are issues - often when you open Active Directory users and groups, it gives you an error.

Naming information cannot be located because:

The specified domain either does not exist or could not be contacted.  Contact your system administrator to verify that your domain is properly configured and is currently online.

If you play around you can get this working.  Because the server is working, we run replicas at night and try to correct the replicas; if it fails we revert back to the original.

Replicas: vConverter does a poor job of 'replicating' and we have to redo the network settings every time, and set up Routing and Remote Access.  After we get that working, we do some metadata cleanup tasks and such, as per various KB articles.  We leave Exchange services off while we correct Directory Services. There are quite a few recurring problems in DCDIAG; sample errors:

DsGetDcName (NewServer) call failed. Error 1355 The location could not find the server.

.................NewServer failed test Advertising

There are warning or error events within the last 24 hrs after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.

Starting Test KccEvent

A warning event occurred. EventID: 0x80000b46 Event String

the security of this directory server can be significantly enhanced by configuring the server to reject SASL.....

A Global Catalog Server could not be located - All GC's are down

A Time Server could not be found.


Mark Smed, NPA Network Support Technician msmed@northerncomputer.ca Northern Computer l Your trusted partner. Ph: 250.762.7753 Ext. 1803 www.northerncomputer.ca

2080 MsExchange ADAccess


Hi,

My exchange server is reporting the following:

 

Process MAD.EXE (PID=5028). Exchange Active Directory Provider has discovered the following servers with the following characteristics: 
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) 
In-site:
dc01.jdc.local CDG 1 7 7 1 0 1 1 7 1
dc02.jdc.local --G 1 1 7 1 0 1 1 7 1
 Out-of-site:

How can I fix/set this up so that dc02 also gets the C and D roles?

I know it looks like an Exchange problem, but we couldn't find anything with Exchange

(http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/90b1d332-2bbb-4bba-a3d3-8742d67fcbdc/)

Ideas we tried: restart all servers, dcdiag /fix, SRV records (they look the same for all DCs), Active Directory Replication Status Tool (showed everything OK).

Problems I found during the investigation:

1. On dc01, in the c:\windows\system32\config directory, netlogon.dns is missing (on dc02 it is OK).

2. Running nltest /dsregdns on both DCs gives connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

 (after running nltest /sc_reset:domain.local it shows 0 0x0 NERR_Success; restarting the Netlogon service turns it back to the original error) 

(both servers are W2K8 R2, domain functional level is W2K8 R2)

Thanks
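The server table that MSExchange ADAccess event 2080 prints, as quoted in the post above, is easier to reason about once the numeric columns are decoded. The following Python helper is an added example written for this page (it is not the poster's code and not a Microsoft tool). It parses rows in the format shown, treats the Reachability, Synchronized and Netlogon columns as bitmasks over the three roles (GC = 1, Domain = 2, Config = 4; this reading is taken from Microsoft's published description of the event and is an assumption of the example), and lists why a DC is not used for every role. Run on the sample rows from the post, it reports dc02 as unreachable for the Domain and Config roles (the LDAP port 389 checks), which is consistent with the "--G" role string the event assigned to it. The same parser can be run over collected event text to alert when a DC that should carry all roles stops being reachable.

```python
"""Decode the server table that MSExchange ADAccess event 2080 prints.

Each row lists one domain controller and a set of flags; the Reachability,
Synchronized and Netlogon columns are bitmasks over the three roles the
Exchange Active Directory Provider can use a DC for. This helper parses the
rows and explains why a DC is not being used for every role.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the event text quoted in the post above.
SAMPLE_EVENT = """\
Process MAD.EXE (PID=5028). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc01.jdc.local CDG 1 7 7 1 0 1 1 7 1
dc02.jdc.local --G 1 1 7 1 0 1 1 7 1
 Out-of-site:
"""

# Bit values used by the Reachability, Synchronized and Netlogon columns
# (assumed from Microsoft's published description of this event).
BIT_GC = 0x1      # global catalog role, LDAP port 3268
BIT_DOMAIN = 0x2  # domain controller role, LDAP port 389
BIT_CONFIG = 0x4  # configuration domain controller role, LDAP port 389
ALL_BITS = BIT_GC | BIT_DOMAIN | BIT_CONFIG
BIT_NAMES = ((BIT_GC, "GC"), (BIT_DOMAIN, "Domain"), (BIT_CONFIG, "Config"))


@dataclass
class DcEntry:
    name: str
    roles: str            # three characters: C, D, G or '-' for each role
    enabled: bool
    reachability: int     # bitmask
    synchronized: int     # bitmask
    gc_capable: bool
    pdc: bool
    sacl_right: bool
    critical_data: bool
    netlogon: int         # bitmask
    os_version_ok: bool
    in_site: bool


# One server row: FQDN, three-letter role string, then nine numeric columns.
ROW_RE = re.compile(r"^\s*(\S+)\s+([CDG-]{3})" + r"\s+(\d+)" * 9 + r"\s*$")


def parse_event_2080(text):
    """Return the DcEntry rows found in the event text, in order."""
    entries = []
    in_site = None  # unknown until an In-site:/Out-of-site: marker is seen
    for line in text.splitlines():
        marker = line.strip()
        if marker.startswith("In-site:"):
            in_site = True
            continue
        if marker.startswith("Out-of-site:"):
            in_site = False
            continue
        m = ROW_RE.match(line)
        if not m or in_site is None:
            continue
        nums = [int(g) for g in m.groups()[2:]]
        entries.append(DcEntry(
            name=m.group(1), roles=m.group(2),
            enabled=bool(nums[0]), reachability=nums[1], synchronized=nums[2],
            gc_capable=bool(nums[3]), pdc=bool(nums[4]), sacl_right=bool(nums[5]),
            critical_data=bool(nums[6]), netlogon=nums[7], os_version_ok=bool(nums[8]),
            in_site=in_site,
        ))
    return entries


def bit_names(mask):
    """Names of the roles whose bits are set in mask."""
    return [name for bit, name in BIT_NAMES if mask & bit]


def findings(entry):
    """List the reasons a DC is not usable for all three roles (empty if fine)."""
    out = []
    if not entry.enabled:
        out.append("disabled for use by this Exchange server")
    unreachable = ALL_BITS & ~entry.reachability
    if unreachable:
        out.append("unreachable for: " + ", ".join(bit_names(unreachable)))
    unsynced = ALL_BITS & ~entry.synchronized
    if unsynced:
        out.append("not synchronized for: " + ", ".join(bit_names(unsynced)))
    no_netlogon = ALL_BITS & ~entry.netlogon
    if no_netlogon:
        out.append("Netlogon check failed for: " + ", ".join(bit_names(no_netlogon)))
    if not entry.sacl_right:
        out.append("Exchange lacks the 'Manage auditing and security log' right")
    if not entry.critical_data:
        out.append("Exchange configuration container not found on this DC")
    if not entry.os_version_ok:
        out.append("unsupported operating system version")
    return out


def report(text):
    """Map each DC name to its findings; DCs with an empty list are fully usable."""
    return {e.name: findings(e) for e in parse_event_2080(text)}


if __name__ == "__main__":
    for dc, problems in report(SAMPLE_EVENT).items():
        print(dc, "-> OK" if not problems else "-> " + "; ".join(problems))
```

Feed `report()` the text of a real event (for example as exported from the Application log) instead of the constructed sample; the PDC column is informational only and is deliberately not treated as a finding.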


DNS Scavenging


Guys,

What's the difference between the "Set Scavenging for All Zones" option and enabling automatic scavenging of stale records in the advanced settings of DNS?


Third Party Application requires LDAP through firewall - Suggested Best Practices?


Hello all!

Thank you for looking at my question.  As the title suggests, we are rolling out new software that is hosted offsite, and it requires an LDAP connection to our Active Directory store for user authentication and content management via security groups.

Of course our domain controllers are not accessible from the web.  However, we do have a DMZ box that is able to communicate with the domain controller over LDAPS.  This was configured for an unrelated project, whose software was installed on the DMZ box.

What I think I need is what I will call an "LDAP proxy" that allows LDAP(S) queries to be run against the DMZ box, which in turn actually queries the real domain controller.  Can this be done with AD LDS?  If so, can it be done without "mirroring" or syncing the user accounts between AD DS and the LDS instance?  I would prefer the service account to be the only account with the ability to run queries against the DMZ box, as that is all this software needs.  It uses this "service" account to look up users to determine logins, and what content should be delivered to the users.

Of course I will layer on security by preventing any authentication request but those from the server that will be running the third party software.

Are there any recommendations for this type of setup?  I would prefer to use Microsoft products, and would prefer to avoid an RODC in the DMZ.

Thank you all for your support!

how to generate or change automatically generated connections


Windows 2008 DCs

We have three sites: site1, site2 and site3, and site2 is down (all three sites can connect to each other).

We have site links site1site2 and site2site3 created, and NTDS connections were automatically created for site2site3. But since site2 is not available, I need NTDS connections automatically created between site1 and site3.

Should I delete the current site2site3 link and create a site1site3 link? Will NTDS connections then be automatically created between site1 and site3?

What is the right procedure to do this?

Thank you.

Trust between 2008 R2 and 2012


Hi. I am testing a trust between 2008 R2 and 2012.

Ip settings of 2012:

C:\Users\user>ipconfig /all

Windows IP Configuration
   Host Name . . . . . . . . . . . . : 2012-DC2
   Primary Dns Suffix  . . . . . . . : domain12.localnet
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain12.localnet
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-0A-13-05
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::71e0:cad3:ca85:f742%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.16.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.16.10
   DHCPv6 IAID . . . . . . . . . . . : 251663709
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-0F-2E-C0-00-15-5D-0A-13-05

   DNS Servers . . . . . . . . . . . : ::1
                                       172.16.16.100
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

IP settings of 2008 R2:

C:\Users\user2>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : 2008R2-DC1
   Primary Dns Suffix  . . . . . . . : domain08r2.localnet
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain08r2.localnet
Ethernet adapter Local Area Connection 2:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-42-C3-61-BF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-0A-13-04
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4cf7:6d13:14e5:d98a%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.10.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.10
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-0F-2F-64-00-15-5D-0A-13-04

   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.10.100
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

I have successful trust configuration for two-way trust:

Authentication - Domain-wide

I created a universal security group "Trust" on the 2012 server and added my account to this group. Now I want to add this group to the NTFS settings on the 2008 R2 server, but I get an error:

What did I do incorrectly?

Thank you!

I can't demote a DC


Hi.

I have installed a DC1 on a physical server (this is the first server of my domain and forest) and a secondary DC2 on a clustered VM.

I've installed DPM on the first DC (DC1, the physical server), because this is the server that has the drivers for the tape library, but I can't use it to manage protection because this server is a DC. So I installed another DC3 on another VM so that I can demote the physical DC1 to a member server and fully use it for DPM 2012. But when I try to demote this server with dcpromo, I get the error messages "Can't connect to DC2" and "there is no network connection". I uninstalled SQL Server 2008 R2 because I read somewhere that you can't demote a DC if you have SQL installed, but I still get these errors.

I hope someone can help me.

Thanks!!!!

LsaSvr Event ID 40960 when rebooting R2 DC


We recently migrated from our two Server 2008 DCs to Server 2008 R2 DCs.  I noticed that the DC that holds all FSMO roles (DC1) shows the following messages in Event Log:

The Security System detected an authentication error for the server DNS/DC2.domain.local. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
 (0xc0000192)".

The Security System detected an authentication error for the server LDAP/DC1.Domain.local/Domain.local@DOMAIN.LOCAL. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
 (0xc0000192)".

The Security System detected an authentication error for the server LDAP/DC1. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
 (0xc0000192)".

The Security System detected an authentication error for the server LDAP/DC1.Domain.local/Domain.local. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
 (0xc0000192)".

The Security System detected an authentication error for the server LDAP/DC1.Domain.local/DOMAIN. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
 (0xc0000192)".

They are warning messages and all services boot successfully.  Are there any solutions for these warnings?

Thanks in advance,
Matthew Dillon

Replacing a non-functional domain controller, which is the ONLY DC.


I have an issue at a client site which I need to try to resolve.  The client has a Server 2003 DC, which when we attempt to join a new computer to the domain, the join fails.  The error (which I do not have in front of me, sorry) involves a problem with the Global Catalog.  Due to other issues with the existing server, we are looking at removing and replacing the existing DC with a new DC.

My question is, how can we go about transferring the existing Domain information (users, GPOs, etc) to the new DC?  If the existing DC were working correctly, this would be a trivial task, join the new system, promote it to a DC, let replication happen, transfer the various Domain roles, done.

I'm thinking that possibly the following might work, but I'd like to confirm:

  1. Backup the System State of the existing DC
  2. Shut down the existing DC
  3. Connect the new server, install the AD Role
  4. Promote it to be a DC, keeping the domain name the same
  5. Go into Directory Services Restore mode, and restore the System State
  6. Go to each workstation and run the "Network ID" wizard to "rejoin" them to the Domain

Should this work?  Or is there a simpler method?

Thank you,

Jason A.


ADAM Schema Sync Question


Hello all, I am currently working on migrating some schema attributes to our ADAM server and I had a request come through that has me a bit stumped. We have a scenario where the application owner is requesting the following:

He wishes us to propagate the Domino attribute to a different attribute on the ADAM server, like the following: Domino --> UID? Is this possible? If not, what can I do to make this happen?


organization unit property msExchRecipientValidatorCookies used for?


Hello,

In Active Directory, under the organizational units, there is a property "msExchRecipientValidatorCookies".

Does someone know what this property is used for?

We want to use this property to store some additional data in the organizational unit.

Thanks for your help.


Regards, Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

How client reach nearest DC


Hi

How do Windows client PCs and servers reach the nearest domain controller?

How do they quickly contact the respective DCs?

Please explain.

DHCP and DNS Migration

How do I migrate the DNS and DHCP servers from 2003 to 2008 R2?

user and system authentication

How do user accounts and system accounts get authenticated in an AD environment?

DNS queries works

How do DNS queries work in an AD environment?