domainA <-> domainB <-> domainC

^-----------------------------------^

Between all domains is a two-way trust
All domains have 2008R2 domain controllers

SharePoint with SSRS and PowerPivot installed in domainA
SQL DB Engine installed in domainA
SQL Analysis installed in domainA
SQL PowerPivot installed in domainA

We have computers in domainA
We have computers in domainB
We have computers in domainC

We have users in domainA logging in on a copmuter in domainA
We have users in domainB logging in on a computer in domainB
We have users in domainC logging in on a computer in domainC
If a user1 is created in domainA the user is also created in domainB and domainC
Users travel from location and thus using their appropiate domain account/computer per location

Currently we are experiencing issues that users are returning multiple times in search cause they are using their different account and thus a seperate SharePoint profile is created for each 1 of the 3 accounts they use.
As a temporarily workaround we want to place a TMG in front of SharePoint and force each user to use a single account en prevent them from SSO into sharepoint from each location.
The accounts in domainC will be leading and the account to be used.

So if a user is in locationA logs in a computer in domainA with a user account in domainA and the goes to SharePoint (which is in domainA), TMG asks for credentials and the user enters credentials for domainC
So if a user is in locationB logs in a computer in domainB with a user account in domainB and the goes to SharePoint (which is in domainA), TMG asks for credentials and the user enters credentials for domainC

Is this a possible scenario and will it work wth Kerberos Constrain Delegation ,or am i missing things in the bigger picture

Will users experience problem cause SharePoint is in domainA, the computer can be in domainB and the user in domainC?
Will BI piece still work in this scenario and if we have a TMG reverse proxy in the chain?

Hi,

I have a remote office. All computers there are jointed to AD domain and successfully connected to DC /DNS Server in Main office. They getting GP, I can nslookup the DNS from those PCs and can nslookup those PCs.

A have an Intranet Web Server in main location (Parkslopeserver). I am able to ping and trace this Server from remote office. I am able to nslookup this server via IP address and DNS Name. (I see the resultparkslopeserver.parkslopecenter.local). 

But when I try to get this Web address via browsers:http://Parkslopeserver–my browsers getting error-No Name resolved or something like that.

When I insert a appropriate record to the host file-( parkslopeserver   10.15.0...) everything start working fine and I can access this Web Server via any browser.

Should I open some ports in Firewall? Can somebody please point me what should I do in order for browsers resolve the internal DNS address?

Thank you in advance

FQDN for ALL AD joined devices is device.xyz.abc.com.  USERDNSDOMAIN = xyz.abc.com, USERDOMAIN=xyz (we have no WINS) and have several subnets via MPLS.

All DCs live in xyz.abc.com.  There is a DNS zone for abc.com with what I am thinking is a delegated zone (gray icon) for xyz.  The only records that live in this zone are NS for DCs in xyz.abc.com.  

Since USERDOMAIN is XYZ and there are only NS records and no DCs in this zone, is this a configuration problem?

My screen shot is not great but I hope it help to visualize my question

Jason

Folks

I have 2 domain controllers (physical), Windows Server 2012R2.

In the GPO has a tab called STATUS where we collect informations about the infrastructure of the GPO replication.

I always have problems in one or two GPOs, and need to redo them, solving the problem.

However after a while the problem returns, in other GPOs.

I checked the link below to talk about the problem, but not found a solution to my problem.

I wonder how can I investigate and resolve this problem ?

https://blogs.technet.microsoft.com/grouppolicy/2012/11/29/group-policy-in-windows-server-2012-infrastructure-status/

MCP - MCTS - MCTS AD

The following works correctly if a user is a member of a group that starts with "CA_" but if they are not it returns all groups for a given user. 

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)CA_"]
 => issue(claim = c);

and ideas?

thanks greatly

tr

If anyone could please assist, attempting to add a new domain controller and I am getting the following error message.

I've verified that replication does not have any errors and have also made sure that the meta data is cleaned up, in ADSI, Sites and Services and ADUC. I've tried this with 2 different servers (different names even).

DCDIAG testing DNS successful.

07/12/2016 16:46:31 [INFO] Replicating data CN=Configuration,DC=companydomain,DC=int: Received 5808 out of approximately 5808 objects and 271 out of approximately 1077 distinguished name (DN) values...
07/12/2016 16:46:33 [INFO] Replicating data CN=Configuration,DC=companydomain,DC=int: Received 6648 out of approximately 6648 objects and 1294 out of approximately 1294 distinguished name (DN) values...
07/12/2016 16:46:33 [INFO] Replicating data CN=Configuration,DC=companydomain,DC=int: Received 6773 out of approximately 6773 objects and 1414 out of approximately 1414 distinguished name (DN) values...
07/12/2016 16:46:33 [INFO] Replicated the configuration container.
07/12/2016 16:46:33 [INFO] Replicating critical domain information...
07/12/2016 16:46:34 [INFO] EVENTLOG (Warning): NTDS Replication / Replication : 1203
The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.



Object:
CN=Users,DC=companydomain,DC=int

Network address:
svp-mdc-dc1.companydomain.int



Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition.

Directory partition:
DC=companydomain,DC=int

07/12/2016 16:46:34 [INFO] Error - Active Directory Domain Services could not replicate the directory partition DC=companydomain,DC=int from the remote Active Directory Domain Controller svp-mdc-dc1.companydomain.int. (8418)
07/12/2016 16:46:34 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.



Additional Data

Error value (decimal):
-1073741823

Error value (hex):
c0000001

Internal ID:
30017c6

07/12/2016 16:46:34 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.

07/12/2016 16:46:34 [INFO] Active Directory Domain Services is attempting to recursively delete the \Registry\Machine\System\CurrentControlSet\Services\NTDS registry key (DeleteRoot=0).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services is attempting to recursively delete the \Registry\Machine\System\CurrentControlSet\Services\NTDS\Diagnostics registry key (DeleteRoot=1).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services successfully deleted the \Registry\Machine\System\CurrentControlSet\Services\NTDS\Diagnostics registry key (DeleteRoot=1).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services is attempting to recursively delete the \Registry\Machine\System\CurrentControlSet\Services\NTDS\Parameters registry key (DeleteRoot=1).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services successfully deleted the \Registry\Machine\System\CurrentControlSet\Services\NTDS\Parameters registry key (DeleteRoot=1).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services successfully deleted the \Registry\Machine\System\CurrentControlSet\Services\NTDS registry key (DeleteRoot=0).
07/12/2016 16:46:34 [INFO] NtdsInstall for companydomain.int returned 8418
07/12/2016 16:46:34 [INFO] DsRolepInstallDs returned 8418
07/12/2016 16:46:34 [ERROR] Failed to install to Directory Service (8418)
07/12/2016 16:46:42 [INFO] Starting service NETLOGON
07/12/2016 16:46:42 [INFO] Configuring service NETLOGON to 2 returned 0
07/12/2016 16:46:42 [INFO] The attempted domain controller operation has completed
07/12/2016 16:46:42 [INFO] Updating service status to 4
07/12/2016 16:46:42 [INFO] DsRolepSetOperationDone returned 0

I am contracting at mid size organisation, and there is one small site where both the DCs (Hyper-V VMs on Windows Server 2008R2 with 4GB RAM) are redlining their memory usage a few times of the week. To me the evidence continually suggests that it is not sufficiently specced in terms of memory, but UMDH does not seem to outline memory leaks. As is common with DCs the LSASS.exe process is the chief culprit, and I have suggested to the local site person that the memory on both boxes needs to be increased. However, this is not so easy as the Hyper-V hosts  do not have any spare nor have any capacity left to increase the physical RAM, so he is stonewalling. He wants me to explain why it is redlining more frequently than it did a year ago though (apparently) the infrastructure / clients have not changed. I do not thing it is a splurge of authentication requests from the network, as Perfmon does not see massive activity on the network (“busiest network adapter is less than 15%”). Basically he wants a breakdown of HOW LSASS is using the server memory and for what. Is there are a relatively straight-forward method of getting this information? Thanks

Mike Bartfield

I've raised the domain functional level from Windows 2003 to Windows 2008 R2. After That I receive a couple of replication failed events when running DCDiags.

The domain consist of 2 Domain Controllers, Primary and secondary. OS on both DC's Windows 2008 R2.

The dfsrmig /setglobalstate ELIMINATED but there are no SYSVOL_DFS folder on any of the domain controllers. The following error message is on the primary DC.

EventID: 13757, NtFrs "this domain controller has migrated to using the dfs replication service to replicate the sysvol"

I've attached a print screen of the different DCDiag errors received.

Thank you in advanced

Hi,

After migrated user and computer account with ADMT 3.2 from ADDS 2003 (w2k3 domain and forest functional level) to ADDS 2012 R2 (w2k12 r2 domain and forest functional level) without SID History, computers does not apply new target domain GPOs, but old source domain GPOs.

When I ran GPO Results from gpmc.msc console, It shows in computer configuration the following:

In general the Group Policy Results show that I'm consulting newdomain\myMigratedUser on olddomain\MyMigratedComputer.

So could you help me to know, why GPO is applying user configuration correctly and failed for computer configuration, because appears that new domain can't recognize the migrated computer to be in new domain, It still recognizing the migrated computer like it is in the old domain.

Thank you so much for your help.

Hi,

Actually I need urgently download Password Export Server x86 from microsoft connect, but I can't because when I clicked the link, nothing happens and download isn't launch, I had the same problem with PES x64, but now I can download the x64 binaries but not x86.

I tried all web browsers in PC and Smartphone.

Could you help me please?

Thanks so much guys.

I have the following query:

This is my output:

Name lastLogonTimestamp

--------------------------------------

Device-1 06/10/2099

Device-2 14/07/2016

Device-3 03/07/2034

I have 6 domain controllers and only one domain, I run this query in this DCs and the output is the same in all server.

Why I have devices with dates over 2034 and 2099 !?

Jimcesse
Principal: http://sysadmin-cr.com/
Alterno: http://blogs.itpro.es/jimcesse

Hello, Good afternoon.

A month ago I started receiving several errors on my domain controller's event viewer, all of them have been about replication of partitions and information between domain controllers, affecting also Group Policy Deployment. 

At the company we have only one domain suffix (ex: contoso.local), which is installed in three domain controllers, 2 of them in the HeadOffice, and the third in a near branch, these sites are connected through a dedicated VPN link.

I've been doing some tests with DNS records, trying to identify DNS miss configurations, apparently the DNS records (SRV, A, CNAME, NS, SOA) are all configured correctly at all DNS Servers, I could ping all domain controllers by the DNS name, from all domain controllers successfully, but sometimes for no reason, I couldn't. I tested also the DNS address of the PDC from msdcs zone (ex: \\xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx._msdcs.CONTOSO.LOCAL), and I could access it successfully also from the domain controller of our branch.

Our network topology is basically separated by two network ranges (192.168.1.x for Headoffice, and 192.168.4.x for the Branch), these two ranges belong to the unique DNS suffix (ex: contoso.local), and  if we look at the DNS servers, we'll find DNS records of all hosts of both sites. At Active Directory Sites and Services I've created these two subnets, the two sites (HeadOffice and Branch), and have created a connection between domain controllers, using the Inter Site Transport IP. To be honest, I'm not used to make configurations on Active Directory tool, because I haven't had the need of create this kind of connection between sites sharing the same DNS suffix.

As I said, this problem is affecting Group Policy Deployment, so since I started receiving them, Group Policy objects haven't been applied successfully on computers, making the management of all computer difficult.

It's also important to say that all tries of ping using the IP of domain controllers and other hosts, were done successfully.

The more often errors I've been receiving are:

Primary Domain Controller (HeadOffice) - 192.168.1.x

Source: DFSR, Event ID: 5008, Error: 1722 (The RPC server is unavailable.) , This error means that the PDC couldn't communicate with the Branch Domain Controller (192.168.4.x subnet)

Source: ActiveDirectory_DomainService, Event ID: 1865, (KCC) was unable to form a complete spanning tree network topology, This error means that the list of sites couldn't be reached by the local site.

Source: ActiveDirectory_DomainService, Event ID: 1311, (KCC) has detected problems with the following directory partition (Configuration Partition), This error means that there is insufficient site connectivity information for the KCC to create a spanning tree replication topology.

Source: ActiveDirectory_DomainService, Event ID: 1566, All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable. 

Domain Controller (Branch) - 192.168.4.x

Source: NETLOGON, Event ID: 5781, Error: Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.CONTOSO.LOCAL.' failed, these error repeats to each segment of the domain (ex: ForestDnsZones.contoso.local, DomainDnsZones.contoso.local, consoto.local).

Source: NETLOGON, Event ID: 5719, Error: This computer was not able to set up a secure session with a domain controller in domain CONTOSO due to the following: There are currently no logon servers available to service the logon request. 

Source: DFSR, Event ID: 5008, Error: 1722 (The RPC server is unavailable.) , This error means that the PDC couldn't communicate with the Primary Domain Controller (192.168.1.x subnet)

Source: ActiveDirectory_DomainService, Event ID: 2087, Task Category: DS RPC Client, Error: Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address, Source Domain Controller: PDC, Failing DNS Host name: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx._msdcs.CONTOSO.LOCAL

On each domain controller the IP Addresses, Gateway and DNS server are configured manually, at the HeadOffice the Primary DNS is the PDC, and the second DNS is the Second Domain Controller, and the Branch the Primary DNS is the Domain Controller, and the second DNS is a Proxy Server, which requests its address as second DNS for transparent proxy function.

If you could give me some path to follow, I'll be very grateful, once I've empty my toolbox, every day I try to research these errors, make new tests, analyze and monitoring the new events, try to make adjusts, but nothing seemed to work.

If there is some information that is important to know, and I didn't put in here, please ask then I'll answer it asap.

Best Regards,

Fabio Reis. Analista de Suporte. Preparando-se para Windows Server 2008 - Server Administrator (MCSA) - MCITP

I'm unable to join a server to a domain.  I get the message:  DNS was successfully queried for service location (SRV) resource record used to locate a domain controller for domain "XYZ_A":

The query was for the SRV record for _ldap._tcp.dc._msdcs.XYZ_A

The following domain controllers were identified by the query:

DC1.XYZ_A

DC2.XYZ_A

However no domain controllers could be contacted.  Common causes of this error include:

-Host (A) or (AAAA) records that map the names of the domain controllers to their IP addressses are missing or contain incorrect addresses. 

-Domain controllers registered in DNS are not connected to the network or are not running

---------------------------------

So here is what I'm able and not able to do from this server that I'm trying to join to the domain:

1.  I couldn't ping DC1 or DC2.  I could ping the FQDN DC1.XYZ_A though, so what I did is added a DNS suffix and now I can ping DC1 or DC2 just fine.  I still get the same error when trying to add it to the domain though.  

2.  I cannot ping the domain XYZ_A.  When I run nslookup XYZ_A it finds the domain controller but it says "can't find XYZ_A:Non-existent domain".  

This server is a VM located in the cloud.  It is on a different network than the domain controller that I'm trying to contact.  The DNS server that I have in the iPv4 settings is the domain controller I'm trying to contact.  The DNS entries seem correct but I might be missing something.  

Anyone have any suggestions?  

I understand, that the attribute is accessible through attribute editor.  I've been given the task of making the attribute more easily available.

To that end, I want to add the attribute to the General tab, of the user account properties page.

Please advise.

After installing the update KB3161606  our programmers get an error about "LDAP server not found" when connecting to an external LDAP system .  Removing this update restores functionality.  Anyone else had this issue?  Troubleshooting on the *nix LDAP system appears to show the TLS handshake never completing.  In Visual Studio/IIS error message, we are only told that the server cannot be found.