Hi All,
I was just wondering if someone please can help me.
When I am trying to add a computer to a domain I am seeing the following error: An active directory domain controller for the domain could not be contacted.
I can confirm that the correct IP addressees are being used and I can confirm that I have correctly set up DNS, can someone please help me find a solution?
How to run gpupdate /force on remote computer?
(Without psexec)
Hi,
I would like to hide the information on my ADFS server such as Server : Microsoft-HTTPAPI/2.0
But I couldn't find a way to do it.
I already tried the key register...
Thanks
Hello,
I have 3 DC: DC-1, DC-2, and DC-3 (window server 2008R2) with domain and forest functional level 2008R2. There is only one domain MyDomain.local and all 3 DC are in one site. All three DC are global catalog and DNS servers.
On all three DC I receive at every 24 hours the following error in Event Viewer, Directory Service log:
--------------------------------------------------------------
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 3/22/2010 4:14:07 PM
Event ID: 1864
Task Category: Replication
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: DC-1.MyDomain.local
Description:
This is the replication status for the following directory partition on this directory server.
Directory partition:
CN=Schema,CN=Configuration,DC=MyDomain,DC=local
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
--------------------------------------------------------------
This error repeats three times for the following directory partitions:CN=Schema,CN=Configuration,DC=MyDomain,DC=local CN=Configuration,DC=MyDomain,DC=local and DC=MyDomain,DC=local
The only place where I found a reference to an removed DC was in registry HKLM\System\CurrentControlSet\Services\NTDS\Parameters where the key “Src Root Domain Srv” have the value of “CCTI-DC2.mydomain.local”. CCTI-DC2 was an DC that was removed from the network with dcpromo. Please advise me what should I do with this key: delete or rename and put the name of actual PDC here?
To identify the source of event ID 1864 and eliminate the cause in the last week I’ve done the following:
1. Checked to see if there is a reference to a removed domain controller in:
- Active Directory site and services -> My_site -> Servers
- Active Directory users and computers -> Domain Controllers
Everything is OK, there are listed only 3 DC that are functional.
2. With ADSI Edit looked at CN=LostAnd Found that is empty . Also checked CN=Topology,CN=Domain System Volume,CN=DFSR-Globalsettings,CN=System,DC=MyDomain,DC=local where are listed only the 3 functional DC.
3. Checked DNS and deleted any reference to an removed DC
4. Checked NTDS with NTDSUTIL . As you can see from the output there are only 3 DC:
--------------------------------------------------------------
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC= MyDomain,DC=local
select operation target: select domain 0
No current site
Domain - DC=MyDomain,DC=local
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
select operation target: select site 0
Site - CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
Domain - DC=MyDomain,DC=local
No current server
No current Naming Context
select operation target: list servers in site
Found 3 server(s)
0 - CN=DC-3,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
1 - CN=DC-1,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
2 - CN=DC-2,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
--------------------------------------------------------------
5. Used repadmin/showreps on all 3 DC and everything is OK . Here is the output from the DC-1:
--------------------------------------------------------------
MySite\DC-1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9f02251e-a27c-4c4f-864b-e2242fff6437
DSA invocationID: a24a837b-2655-4c9b-94bb-cf6a235a4351
==== INBOUND NEIGHBORS ======================================
DC=MyDomain,DC=local
MySite\DC-3 via RPC
DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
Last attempt @ 2010-03-23 11:44:04 was successful.
MySite\DC-2 via RPC
DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
Last attempt @ 2010-03-23 11:45:22 was successful.
CN=Configuration,DC=MyDomain,DC=local
MySite\DC-3 via RPC
DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
Last attempt @ 2010-03-23 10:59:01 was successful.
MySite\DC-2 via RPC
DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
Last attempt @ 2010-03-23 10:59:01 was successful.
CN=Schema,CN=Configuration,DC=MyDomain,DC=local
MySite\DC-2 via RPC
DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
Last attempt @ 2010-03-23 10:59:02 was successful.
MySite\DC-3 via RPC
DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
Last attempt @ 2010-03-23 10:59:02 was successful.
DC=ForestDnsZones,DC=MyDomain,DC=local
MySite\DC-2 via RPC
DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
Last attempt @ 2010-03-23 10:59:02 was successful.
MySite\DC-3 via RPC
DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
Last attempt @ 2010-03-23 10:59:02 was successful.
DC=DomainDnsZones,DC=MyDomain,DC=local
MySite\DC-3 via RPC
DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
Last attempt @ 2010-03-23 10:59:02 was successful.
MySite\DC-2 via RPC
DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
Last attempt @ 2010-03-23 10:59:02 was successful.
--------------------------------------------------------------
6. Run dcdiag an all 3 DC. All test are OK here are the output from DC1:
--------------------------------------------------------------
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC-1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: MySite\DC-1
Starting test: Connectivity
......................... DC-1 passed test Connectivity
Doing primary tests
Testing server: MySite\DC-1
Starting test: Advertising
......................... DC-1 passed test Advertising
Starting test: FrsEvent
......................... DC-1 passed test FrsEvent
Starting test: DFSREvent
......................... DC-1 passed test DFSREvent
Starting test: SysVolCheck
......................... DC-1 passed test SysVolCheck
Starting test: KccEvent
......................... DC-1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC-1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-1 passed test MachineAccount
Starting test: NCSecDesc
......................... DC-1 passed test NCSecDesc
Starting test: NetLogons
......................... DC-1 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-1 passed test ObjectsReplicated
Starting test: Replications
......................... DC-1 passed test Replications
Starting test: RidManager
......................... DC-1 passed test RidManager
Starting test: Services
......................... DC-1 passed test Services
Starting test: SystemLog
......................... DC-1 passed test SystemLog
Starting test: VerifyReferences
......................... DC-1 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : MyDomain
Starting test: CheckSDRefDom
......................... MyDomain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... MyDomain passed test CrossRefValidation
Running enterprise tests on : mydomain.local
Starting test: LocatorCheck
......................... MyDomain.local passed test LocatorCheck
Starting test: Intersite
......................... MyDomain.local passed test Intersite
--------------------------------------------------------------
7. Checked with repadmin /showvector /latency… even here everything seems to be OK:
--------------------------------------------------------------
repadmin /showvector /latency CN=Schema,CN=Configuration,DC=MyDomain,DC=local
Caching GUIDs.
MySite\CCTI-DC2\0ADEL:fd33ee52-f05d-48a5-916b-49d5630c1357 (deleted DSA) @ USN 417853 @ Time 2010-02-27 15:49:00
MySite\CCTI-DC1\0ADEL:7679d269-19c2-4440-9b6e-da597ae133b1 (deleted DSA) @ USN 503710 @ Time 2010-03-12 17:59:21
MySite\CCTI-DC3\0ADEL:ed2133ee-8e57-4edf-8aff-c9635a1525c6 (deleted DSA) @ USN 110900 @ Time 2010-03-15 15:06:26
MySite\DC1\0ADEL:4de8a1cf-b8eb-4297-a480-6bf8ac34c343 (deleted DSA) @ USN 22892 @ Time 2010-03-15 19:09:06
MySite\DC3\0ADEL:1960fdc7-938e-4128-a0d4-ae152fe52284 (deleted DSA) @ USN 15079 @ Time 2010-03-17 12:37:27
MySite\DC1\0ADEL:4de8a1cf-b8eb-4297-a480-6bf8ac34c343 (deleted DSA) @ USN 18718 @ Time 2010-03-17 13:32:45
MySite\CCTI-DC2\0ADEL:fd33ee52-f05d-48a5-916b-49d5630c1357 (deleted DSA) @ USN 96683 @ Time 2010-03-17 19:20:50
MySite\DC-2 @ USN 39243 @ Time 2010-03-23 08:59:02
MySite\DC-3 @ USN 39370 @ Time 2010-03-23 08:59:02
MySite\DC-1 @ USN 37164 @ Time 2010-03-23 09:36:27
--------------------------------------------------------------
8. Checked in this forum for similar problems but I haven’t find a solution that work in my situation:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/af95a256-4aeb-4780-b1af-cce3b6c1bcdd/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ccae98d9-75cb-4988-8a1a-535b3e1bfeac
http://social.technet.microsoft.com/Forums/fi-FI/winserverDS/thread/567922cd-9c0b-44db-bdbb-803fec000163
9. So finally here I am …. any new idea how to get rid of this error would be really appreciated :)
According to this article microsoft requires that the name of the certfiicate match the FQDN of the server for LDAP over SSL with a third party.
The FQDN of my Domain Controller is servername.domain.local. After 11/1/2015 GoDaddy will no longer allow non fully qualified domain names to be used as cert names. I am attempting to address this issue now.
I have the cert installed for servername.domain.com on the DC in Certificates (Local Computer) > Personal > Certificates. I have external DNS in place so that servername.domain.com resolves to my public IP of my firewall. I have my Firewall redirecting traffic from port 636 from specific IPs (my third party) to my internal DC. However when I test it using some simply SSL Checker services I am told "No certificate found". The server has been rebooted after the cert was installed. Performing an IPCONFIG /ALL on the DC shows the Host is servername and the Primary DNS suffix is domain.local. Hence the FQDN is servername.domain.local.
What can I do to get my Domain Controller FQDN to be servername.domain.com? Can this be as simple as adding a DNS suffix for domain.com? Or is this going to take a major rework of my AD structure?
Any advice is appreciated.
Thanks,
Hello everybody,
I create a new topic after my first one here : https://social.technet.microsoft.com/Forums/windowsserver/en-US/1b551474-8d04-470f-94a7-08fb2bbd45ff/client-not-authenticating-to-the-right-domain-controller-but-the-site-is-correctly-identified?forum=winserverDS#b23a803c-2640-4cab-bcee-3fcd259b6431
I have an issue with a DC (win 2003 Sp2) that doesnt authenticate the user associated to its website (no subnet overlap, clients retrieve the AD right AD site, etc.) but the authentication is done to another DC, in another AD site).
I run this command on a client that has an IP address on the subnet attached to the AD site :
klist query_bind
I have this information regarding my DC attached to this AD Site :
#3> RealmName: MyDomain.local
KDC Address: MYDC.MyDomain.local
KDC Name: (null)
Flags: 0x41000 -> WRITABLE_REQUIRED NEXTCLOSEST_SITE
DC Flags: 0xe00001fc -> GC LDAP DS KDC TIMESERV CLOSEST_SITE WRITABLE DN
S_DC DNS_DOMAIN DNS_FOREST
Cache Flags: 0
On other DCs, I have more something like this :
RealmName: ABC
KDC Address: 1.2.3.4
KDC Name: DC_ABC
Flags: 0
DC Flags: 0x8000017c -> GC LDAP DS KDC TIMESERV WRITABLE DNS_FOREST
Cache Flags: 0
I think that's the point but I am not able to decrypt this output for now.
Thank you everybody :)
Hi,
I have a root and child AD domain (2003) with several clients.
The subnet and sites are correctly configured (I precise that on the "site" configuration, I have a DC for each domain and sub-domain (I hope this is not the reason of the issue).
From the client, if I run the nltest /dsgetsite I have the correct site displayed. The DNS configuration of the client is defined to the IP Adress of the DC that I want it to authenticate.
BUT if I run a echo %logonserver%, the DC is not the one in the list of the DCs associated to the site).
How can I force my client to be authenticated to the DC associated to its site ? and how can I find the issue ? :)
Thank you
A couple of our users will login with their domain accounts and upon logins all of their saved icons and settings are gone, but when they reboot and log back in everything reverts back to normal for them. This happens on occasion and I was wondering why this would be happening. I feel like it's an authentication or connection issue with the Domain Controller when the user first logs in so it doesn't load everything or push Group Policy.
Any thoughts?
All of a sudden, I am getting 5774 errors on my only DNS server. I did edit the Domain Policy to add a Deltek account to logon as a service and logon as a batch job. I also stupidly listened to Trend Micro and install SQL Server 2014 which they then told me was the wrong version. I uninstalled and reinstalled SQL Server 2008 R2 which failed. I uninstalled that but have not rebooted. I don't know how these things affect DNS but wanted to be clear.
Here is the DCdiag test:
Microsoft Windows [Version 6.2.9200]I currently have one writable DC with one remote (RODC). I will be created another RODC in a different Subnet.
My questions is it best practices to have two writable AD servers for redundancy?
bc
Here's the deal...
We have a user in a domain Tropical. We have a computer (server) in domain Winter.
I have created two GPOs - one for user, one for computer in the domain Winter.
When a user logs in from domain Tropical, the computer policy applies, but the user policy does not
Of course, I went into the computer policy in the gpo and enabled Loopback processing.
However, this does not work. I get an error. (but it even tells me that it should come from loopback)
| ErrorCode | 8341 |
| ErrorDescription | A directory service error has occurred. |
The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
I have a failing Server, AD Controller running Server 2008 R2 that I preemptively put a new Server 2012 SP1 box in to replace.
I transferred DHCP, and DNS records, transferred Roles, the DCROMO down the old server. The DHCP is working fine, but the DNS is failing lookups for a SQL 2012 Enterprise DB Server. While the old server DNS is left on, it works fine, but when I stop the service, it throws lookup errors in the app (Eclinicalworks) eg. can't locate resource, end of file errors, etc
I am stumped what to do next, feel it is related to DCPROMO down before testing DNS functionality. I tried copying the System32\DNS folder to the new machine with no impact. Anyone have some "magic powder"?
Hi All,
I am running Windows 2008 Server Standard (not R2). Within 'Print Management' I am administering a number of printers. Some of these printers have had I.P. addresses manually added to their 'Ports' tab. One printer in particular is causing me grief, and I believe that the issues I am facing with it are DNS related. I have noticed that there is no DNS entry for the troubled printers TCP/IP Port, despite the fact that it is definitely sitting in the manually assigned addressed range (e.g.: not within the DHCP scope).
My question is "Shouldn't there be a DNS entry for every TCP/IP printer port assigned to printers"? Furthermore if there is supposed to be an entry, but there isn't (as is the case with my troubled printer), what if anything can be done to fix the issue?
Kind Regards,
Davo
Hi ,
Post ADMT AD migration I have removed the cross forest trust . All the users have been migrated to target Domain but still they get the source domain name at ' Log in to' drop down list while logging to the system. This is noticeable for Server 2003& XP. It might be applicable to Win 7 & server 2008 or higher but will not notice if manually changed.
Pls suggest the step to gracefully remove the domain name.
Dear team,
We are having windows server 2012 as a OS of domain controller.
We are want to generate the security event id 4768 for SSO authentication from Cyberoam device, we have configured below security settings and enabled 'Success' and 'Failure' options on server and restarted the AD server.
Computer Configuration--->Policies--->Windows Settings--->Security Setting--->Local Policies--> Audit Policy-> Audit account logon events
Computer Configuration--->Policies--->Windows Settings--->Security Setting--->Advanced Audit Policy Configuration--->Audit Policies--->Account Logon-->Audit Kerberos Authentication Service.
But still the event 4768 is not getting generated on AD server.
Please guide and help on this how to enable this event.
Regards,
Hi All,
I would like to know if there is anyway to check if Active Directory Database has any corruptions?
or anything wrong with it in general. If there is a way please let me know what that is?
For example - if you want to know if there is anything wrong with System Files you just run sfc /scannow in the command prompt and it will give you an output.
Thanks!