Channel: Directory Services forum

An active directory domain controller for the domain could not be contacted


Hi All, 

I was just wondering if someone please can help me. 

When I am trying to add a computer to a domain I am seeing the following error: An active directory domain controller for the domain could not be contacted. 

I can confirm that the correct IP addresses are being used and I can confirm that I have correctly set up DNS. Can someone please help me find a solution?


Possible USN Rollback because of Snapshot Restore.

I have done many a google search and found a lot of documents on fixing a USN Rollback, which I believe to be my issue. However, I am running into lots of issues. I attempted to move FSMO Roles from the primary domain controller, but this was not allowed. I am now attempting a non-authoritative SYSVOL restore, but the domain controller that seems to have the issue (PDC "DC1") doesn't have the directory DFSR-LocalSettings. If anyone could help on this issue I would be very grateful.

How to run gpupdate /force on remote computer?


How to run gpupdate /force on remote computer?

(Without psexec)


Thanks Biswajit

Powershell Password Reset

Hi, so I'm looking for a way (via PowerShell) to get an instantaneous email sent to the admin with users who haven't changed their passwords in 3 months. There are no set expiration dates for passwords but I assume it is something similar to password expiry dates. Rather than sending an email to the users informing them to change it, this will be more of a check-up of who hasn't changed their password after being alerted it has been 3 months. To clarify, I just would like an email sent to myself of who hasn't changed their system password in 3 months. If you could provide the command for this that would be great. Thanks!!

Hide headers on ADFS 3.0


Hi,

I would like to hide the information on my ADFS server such as Server : Microsoft-HTTPAPI/2.0

But I couldn't find a way to do it.

I already tried the key register...

Thanks


event ID 1864


Hello,

I have 3 DCs: DC-1, DC-2, and DC-3 (Windows Server 2008 R2) with domain and forest functional level 2008 R2. There is only one domain, MyDomain.local, and all 3 DCs are in one site. All three DCs are global catalog and DNS servers.

On all three DCs I receive the following error every 24 hours in Event Viewer, Directory Service log:
--------------------------------------------------------------
 Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          3/22/2010 4:14:07 PM
Event ID:      1864
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC-1.MyDomain.local
Description:
This is the replication status for the following directory partition on this directory server.
 Directory partition:
CN=Schema,CN=Configuration,DC=MyDomain,DC=local
 This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
 More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
 Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

--------------------------------------------------------------
 

This error repeats three times, for the following directory partitions: CN=Schema,CN=Configuration,DC=MyDomain,DC=local, CN=Configuration,DC=MyDomain,DC=local and DC=MyDomain,DC=local

The only place where I found a reference to a removed DC was in the registry under HKLM\System\CurrentControlSet\Services\NTDS\Parameters, where the key “Src Root Domain Srv” has the value “CCTI-DC2.mydomain.local”. CCTI-DC2 was a DC that was removed from the network with dcpromo. Please advise me what I should do with this key: delete it, or rename it and put the name of the actual PDC here?

 

To identify the source of event ID 1864 and eliminate the cause in the last week I’ve done the following:

1. Checked to see if there is a reference to a removed domain controller in:

- Active Directory Sites and Services -> My_site -> Servers

- Active Directory Users and Computers -> Domain Controllers

Everything is OK; only the 3 functional DCs are listed.


2. With ADSI Edit, looked at CN=LostAndFound, which is empty. Also checked CN=Topology,CN=Domain System Volume,CN=DFSR-Globalsettings,CN=System,DC=MyDomain,DC=local, where only the 3 functional DCs are listed.


3. Checked DNS and deleted any reference to a removed DC


4. Checked NTDS with NTDSUTIL . As you can see from the output there are only 3 DC:
--------------------------------------------------------------
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC= MyDomain,DC=local
select operation target: select domain 0
No current site
Domain - DC=MyDomain,DC=local
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
select operation target: select site 0
Site - CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
Domain - DC=MyDomain,DC=local
No current server
No current Naming Context
select operation target: list servers in site
Found 3 server(s)
0 - CN=DC-3,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local

1 - CN=DC-1,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local

2 - CN=DC-2,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=local

 --------------------------------------------------------------


5. Used repadmin /showreps on all 3 DCs and everything is OK. Here is the output from DC-1:
--------------------------------------------------------------
MySite\DC-1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9f02251e-a27c-4c4f-864b-e2242fff6437
DSA invocationID: a24a837b-2655-4c9b-94bb-cf6a235a4351

==== INBOUND NEIGHBORS ======================================

DC=MyDomain,DC=local
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 11:44:04 was successful.
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 11:45:22 was successful.

CN=Configuration,DC=MyDomain,DC=local
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 10:59:01 was successful.
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 10:59:01 was successful.

CN=Schema,CN=Configuration,DC=MyDomain,DC=local
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 10:59:02 was successful.
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 10:59:02 was successful.

DC=ForestDnsZones,DC=MyDomain,DC=local
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 10:59:02 was successful.
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 10:59:02 was successful.

DC=DomainDnsZones,DC=MyDomain,DC=local
    MySite\DC-3 via RPC
        DSA object GUID: f5a575b9-a7f8-4d75-96d1-390861f1afc2
        Last attempt @ 2010-03-23 10:59:02 was successful.
    MySite\DC-2 via RPC
        DSA object GUID: c72d27b2-87f5-4291-b72d-ccf5e421ce39
        Last attempt @ 2010-03-23 10:59:02 was successful.

--------------------------------------------------------------


6. Ran dcdiag on all 3 DCs.
All tests are OK. Here is the output from DC1:
--------------------------------------------------------------
 Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC-1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: MySite\DC-1
      Starting test: Connectivity
         ......................... DC-1 passed test Connectivity

Doing primary tests

   Testing server: MySite\DC-1
      Starting test: Advertising
         ......................... DC-1 passed test Advertising
      Starting test: FrsEvent
         ......................... DC-1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC-1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC-1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC-1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC-1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC-1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC-1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC-1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC-1 passed test Replications
      Starting test: RidManager
         ......................... DC-1 passed test RidManager
      Starting test: Services
         ......................... DC-1 passed test Services
      Starting test: SystemLog
         ......................... DC-1 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC-1 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Schema passed test CrossRefValidation
 
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
 
   Running partition tests on : MyDomain
      Starting test: CheckSDRefDom
         ......................... MyDomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... MyDomain passed test CrossRefValidation

   Running enterprise tests on : mydomain.local
      Starting test: LocatorCheck
         ......................... MyDomain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... MyDomain.local passed test Intersite

--------------------------------------------------------------

 

7. Checked with repadmin /showvector /latency… even here everything seems to be OK:
--------------------------------------------------------------
repadmin /showvector /latency CN=Schema,CN=Configuration,DC=MyDomain,DC=local
Caching GUIDs.
MySite\CCTI-DC2\0ADEL:fd33ee52-f05d-48a5-916b-49d5630c1357 (deleted DSA) @ USN  417853 @ Time 2010-02-27 15:49:00
MySite\CCTI-DC1\0ADEL:7679d269-19c2-4440-9b6e-da597ae133b1 (deleted DSA) @ USN 503710 @ Time 2010-03-12 17:59:21
MySite\CCTI-DC3\0ADEL:ed2133ee-8e57-4edf-8aff-c9635a1525c6 (deleted DSA) @ USN 110900 @ Time 2010-03-15 15:06:26
MySite\DC1\0ADEL:4de8a1cf-b8eb-4297-a480-6bf8ac34c343 (deleted DSA) @ USN 22892 @ Time 2010-03-15 19:09:06
MySite\DC3\0ADEL:1960fdc7-938e-4128-a0d4-ae152fe52284 (deleted DSA) @ USN 15079 @ Time 2010-03-17 12:37:27
MySite\DC1\0ADEL:4de8a1cf-b8eb-4297-a480-6bf8ac34c343 (deleted DSA) @ USN 18718 @ Time 2010-03-17 13:32:45
MySite\CCTI-DC2\0ADEL:fd33ee52-f05d-48a5-916b-49d5630c1357 (deleted DSA) @ USN 96683 @ Time 2010-03-17 19:20:50
MySite\DC-2                    @ USN     39243 @ Time 2010-03-23 08:59:02
MySite\DC-3                    @ USN     39370 @ Time 2010-03-23 08:59:02
MySite\DC-1                    @ USN     37164 @ Time 2010-03-23 09:36:27

--------------------------------------------------------------
 

8. Checked in this forum for similar problems but I haven’t found a solution that works in my situation:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/af95a256-4aeb-4780-b1af-cce3b6c1bcdd/

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ccae98d9-75cb-4988-8a1a-535b3e1bfeac

http://social.technet.microsoft.com/Forums/fi-FI/winserverDS/thread/567922cd-9c0b-44db-bdbb-803fec000163

9. So finally here I am …. any new idea how to get rid of this error would be really appreciated  :)

Secure LDAP - Domain Controller FQDN (.local vs .com)


According to this article, Microsoft requires that the name of the certificate match the FQDN of the server for LDAP over SSL with a third party.

The FQDN of my Domain Controller is servername.domain.local.  After 11/1/2015 GoDaddy will no longer allow non fully qualified domain names to be used as cert names.  I am attempting to address this issue now.

I have the cert installed for servername.domain.com on the DC in Certificates (Local Computer) > Personal > Certificates.  I have external DNS in place so that servername.domain.com resolves to the public IP of my firewall.  I have my firewall redirecting traffic on port 636 from specific IPs (my third party) to my internal DC. However, when I test it using some simple SSL Checker services I am told "No certificate found".  The server has been rebooted after the cert was installed.  Performing an IPCONFIG /ALL on the DC shows the Host is servername and the Primary DNS suffix is domain.local.  Hence the FQDN is servername.domain.local.

What can I do to get my Domain Controller FQDN to be servername.domain.com?  Can this be as simple as adding a DNS suffix for domain.com?  Or is this going to take a major rework of my AD structure?

Any advice is appreciated.

Thanks,



AD site issue : klist command returns KDC Name: (null) and Flags: 0x41000 -> WRITABLE_REQUIRED NEXTCLOSEST_SITE


Hello everybody,

I create a new topic after my first one here : https://social.technet.microsoft.com/Forums/windowsserver/en-US/1b551474-8d04-470f-94a7-08fb2bbd45ff/client-not-authenticating-to-the-right-domain-controller-but-the-site-is-correctly-identified?forum=winserverDS#b23a803c-2640-4cab-bcee-3fcd259b6431

I have an issue with a DC (Win 2003 SP2) that doesn't authenticate the user associated to its website (no subnet overlap, clients retrieve the right AD site, etc.), but the authentication is done to another DC, in another AD site.

I run this command on a client that has an IP address on the subnet attached to the AD site :

klist query_bind

I have this information regarding my DC attached to this AD Site : 

               

#3>     RealmName: MyDomain.local
        KDC Address: MYDC.MyDomain.local
        KDC Name: (null)
        Flags: 0x41000 -> WRITABLE_REQUIRED NEXTCLOSEST_SITE
        DC Flags: 0xe00001fc -> GC LDAP DS KDC TIMESERV CLOSEST_SITE WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
        Cache Flags: 0


On other DCs, I have something more like this:

RealmName: ABC
KDC Address: 1.2.3.4
KDC Name: DC_ABC
Flags: 0 
DC Flags: 0x8000017c -> GC LDAP DS KDC TIMESERV WRITABLE DNS_FOREST 
Cache Flags: 0 

I think that's the point but I am not able to decrypt this output for now.

Thank you everybody :)

Client not authenticating to the right Domain controller but the site is correctly identified


Hi,

I have a root and child AD domain (2003) with several clients.

The subnets and sites are correctly configured (I should point out that in the "site" configuration, I have a DC for each domain and sub-domain; I hope this is not the reason for the issue).

From the client, if I run nltest /dsgetsite I have the correct site displayed. The DNS configuration of the client is set to the IP address of the DC that I want it to authenticate to.

BUT if I run echo %logonserver%, the DC is not one in the list of the DCs associated with the site.

How can I force my client to be authenticated to the DC associated to its site ? and how can I find the issue ? :)

Thank you

Domain Accounts login with default settings


A couple of our users will login with their domain accounts and upon logins all of their saved icons and settings are gone, but when they reboot and log back in everything reverts back to normal for them. This happens on occasion and I was wondering why this would be happening. I feel like it's an authentication or connection issue with the Domain Controller when the user first logs in so it doesn't load everything or push Group Policy.

Any thoughts?

DNS Problems on DNS Server


All of a sudden, I am getting 5774 errors on my only DNS server.  I did edit the Domain Policy to add a Deltek account to log on as a service and log on as a batch job.  I also stupidly listened to Trend Micro and installed SQL Server 2014, which they then told me was the wrong version.  I uninstalled it and reinstalled SQL Server 2008 R2, which failed.  I uninstalled that but have not rebooted.  I don't know how these things affect DNS but wanted to be clear.

Here is the DCdiag test:

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\administrator.WTRKTECTS>dcdiag.exe

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = WTA
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\WTA
      Starting test: Connectivity
         ......................... WTA passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\WTA
      Starting test: Advertising
         ......................... WTA passed test Advertising
      Starting test: FrsEvent
         ......................... WTA passed test FrsEvent
      Starting test: DFSREvent
         ......................... WTA passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WTA passed test SysVolCheck
      Starting test: KccEvent
         ......................... WTA passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... WTA passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WTA passed test MachineAccount
      Starting test: NCSecDesc
         ......................... WTA passed test NCSecDesc
      Starting test: NetLogons
         ......................... WTA passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WTA passed test ObjectsReplicated
      Starting test: Replications
         ......................... WTA passed test Replications
      Starting test: RidManager
         ......................... WTA passed test RidManager
      Starting test: Services
         ......................... WTA passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 06/21/2016   09:49:54
            Event String:
            The dynamic registration of the DNS record 'wtrktects.prv. 600
192.168.18.11' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 06/21/2016   09:49:55
            Event String:
            The dynamic registration of the DNS record 'gc._msdcs.wtrktect
 600 IN A 192.168.18.11' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 06/21/2016   09:49:58
            Event String:
            The dynamic registration of the DNS record 'DomainDnsZones.wtr
.prv. 600 IN A 192.168.18.11' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 06/21/2016   09:49:59
            Event String:
            The dynamic registration of the DNS record 'ForestDnsZones.wtr
.prv. 600 IN A 192.168.18.11' failed on the following DNS server:
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 06/21/2016   09:53:03
            Event String:
            The Diagnostic Service Host service failed to start due to the
wing error:
         ......................... WTA failed test SystemLog
      Starting test: VerifyReferences
         ......................... WTA passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDo
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDo
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValid

   Running partition tests on : wtrktects
      Starting test: CheckSDRefDom
         ......................... wtrktects passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... wtrktects passed test CrossRefValidatio

   Running enterprise tests on : wtrktects.prv
      Starting test: LocatorCheck
         ......................... wtrktects.prv passed test LocatorCheck
      Starting test: Intersite
         ......................... wtrktects.prv passed test Intersite

RODC


I currently have one writable DC with one remote (RODC).  I will be creating another RODC in a different subnet.

My question: is it best practice to have two writable AD servers for redundancy?


bc

GPO With Secure Filtering, Why do I need to add the computer?

Hi!

First I will explain my environment.

I have one OU, OU A with linked GPO, GPO B:

GPO B Status: Computer configuration settings disabled.

OU A contains Users

In the Secure Filtering, I removed Authenticate Users and I added a Global Group with some users from OU A.

GPRESULT shows:

GPO A     Filtering:  Not Applied (Unknown Reason)

But if I add the computer of those users to the secure filtering, the GPO is applied.

Can anybody explain to me why? Why do I need to add computer accounts to the secure filtering? The GPO computer section is disabled, the OU contains users...
I can't understand.

Can anybody explain me this behavior?

Thanks!!


Apply Group Policy to User from Domain A logging into Computer in Domain B


Here's the deal...

We have a user in a domain Tropical.  We have a computer (server) in domain Winter.

I have created two GPOs - one for user, one for computer in the domain Winter.

When a user logs in from domain Tropical, the computer policy applies, but the user policy does not

Of course, I went into the computer policy in the gpo and enabled Loopback processing.

However, this does not work. I get an error.  (but it even tells me that it should come from loopback)

ErrorCode: 8341
ErrorDescription: A directory service error has occurred.

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.


AD Migration to Server 2012 with DNS Failure


I have a failing Server, AD Controller running Server 2008 R2 that I preemptively put a new Server 2012 SP1 box in to replace.

I transferred DHCP and DNS records, transferred Roles, then DCPROMO down the old server.  The DHCP is working fine, but the DNS is failing lookups for a SQL 2012 Enterprise DB Server.  While the old server DNS is left on, it works fine, but when I stop the service, it throws lookup errors in the app (Eclinicalworks), e.g. can't locate resource, end of file errors, etc.

I am stumped what to do next, feel it is related to DCPROMO down before testing DNS functionality.  I tried copying the System32\DNS folder to the new machine with no impact. Anyone have some "magic powder"?

C:\ANS\DNSConvergeCheck.cmd gti-server gti-ad2 XYZ.local
['DNSconvergeCheck' begins at 16:48:00 on Mon 06/13/2016]
- Confirming source name server [DNS] is listening     : SUCCESS!
- Confirming destination name server [DNS] is listening: SUCCESS!
+ Verifying source name server holds supplied DNS domain [zone]
  = server's addresss: gti-server
  = querying domain  : XYZ.local
  = record [RR] type : SOA
  = DNS query type   : iterative
 #FAILED!
#ERROR - Source DNS server does not host supplied domain!
         = server's address: gti-server
         = domain queried  : xyz.local
         = record [RR] type: SOA
         = DNS query type  : iterative
['DNSconvergeCheck' completed at 16:48:03 on Mon 06/13/2016]
PS C:\Users\Administrator.XYZ> dnscmd GTI-AD2 /ZoneExport xyz.local dns.txt
Command failed:  DNS_ERROR_ZONE_DOES_NOT_EXIST     9601    0x2581
PS C:\Users\Administrator.XYZ> dnscmd GTI-AD2 /ZoneExport XYZ.local dns.txt
Command failed:  DNS_ERROR_ZONE_DOES_NOT_EXIST     9601    0x2581
PS C:\Users\Administrator.XYZ> C:\ANS\DNSConvergeCheck.cmd gti-server gti-ad2 XYZ.local
['DNSconvergeCheck' begins at 10:17:08 on Tue 06/14/2016]
- Confirming source name server [DNS] is listening     : SUCCESS!
- Confirming destination name server [DNS] is listening: SUCCESS!
+ Verifying source name server holds supplied DNS domain [zone]
  = server's addresss: gti-server
  = querying domain  : XYZ.local
  = record [RR] type : SOA
  = DNS query type   : iterative
 #FAILED!
#ERROR - Source DNS server does not host supplied domain!
         = server's address: gti-server
         = domain queried  : XYZ.local
         = record [RR] type: SOA
         = DNS query type  : iterative
['DNSconvergeCheck' completed at 10:17:10 on Tue 06/14/2016]

A printer's TCP/IP port is not listed under DNS. Is this normal? If not how can I fix the issue?


Hi All,

I am running Windows 2008 Server Standard (not R2). Within 'Print Management' I am administering a number of printers. Some of these printers have had IP addresses manually added to their 'Ports' tab. One printer in particular is causing me grief, and I believe that the issues I am facing with it are DNS related. I have noticed that there is no DNS entry for the troubled printer's TCP/IP port, despite the fact that it is definitely sitting in the manually assigned address range (e.g.: not within the DHCP scope).

My question is "Shouldn't there be a DNS entry for every TCP/IP printer port assigned to printers"? Furthermore if there is supposed to be an entry, but there isn't (as is the case with my troubled printer), what if anything can be done to fix the issue?

Kind Regards,

Davo

Post AD migration - Remove Domain from ' Log in to' drop down list after removing the trust


Hi ,

Post ADMT AD migration, I have removed the cross-forest trust. All the users have been migrated to the target domain, but they still get the source domain name in the 'Log in to' drop-down list while logging in to the system. This is noticeable for Server 2003 & XP. It might be applicable to Win 7 & Server 2008 or higher but will not be noticed if manually changed.

Please suggest the steps to gracefully remove the domain name.

 

4768 event in active directory


Dear team,

We have Windows Server 2012 as the OS of the domain controller.

We want to generate the security event ID 4768 for SSO authentication from a Cyberoam device. We have configured the security settings below, enabled the 'Success' and 'Failure' options on the server, and restarted the AD server.

Computer Configuration--->Policies--->Windows Settings--->Security Setting--->Local Policies--> Audit Policy-> Audit account logon events

Computer Configuration--->Policies--->Windows Settings--->Security Setting--->Advanced Audit Policy Configuration--->Audit Policies--->Account Logon-->Audit Kerberos Authentication Service.

But still the event 4768 is not getting generated on AD server.

Please guide and help on this how to enable this event.

Regards,


 

How to check if AD has any errors or problems?


Hi All,

I would like to know if there is any way to check if the Active Directory database has any corruption,

or anything wrong with it in general. If there is a way please let me know what that is?

For example - if you want to know if there is anything wrong with System Files you just run sfc /scannow in the command prompt and it will give you an output.

Thanks!
