Channel: Directory Services forum

Getting "The replication operation was preempted."


Hi,

I have promoted the new AD server DC02 (Windows Server 2012 R2) but am getting an error when opening DNS: "Server could not be contacted. Error: DNS service is unavailable".

Even when I try to replicate from DC01 to DC02 from the Sites and Services NTDS Settings, I get the error:

"The following error occurred during the attempt to synchronize naming context domain.com from dc01 to dc02: The replication operation was preempted. This operation will not continue."

And I am getting the events below continuously on DC02.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          7/28/2016 4:17:36 AM
Event ID:      1925
Task Category: Knowledge Consistency Checker
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:     DC02.domain.com
Description:
The attempt to establish a replication link for the following writable directory partition failed. 

Directory partition: 
DC=DomainDnsZones,DC=domain,DC=com 
Source directory service: 
CN=NTDS Settings,CN=dc3-01,CN=Servers,CN=dc3,CN=Sites,CN=Configuration,DC=domain,DC=com 
Source directory service address: 
4f4ff36c-95a1-4999-8f24-b8304995fe62._msdcs.domain.com 
Intersite transport (if any): 
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=com  

This directory service will be unable to replicate with the source directory service until this problem is corrected. 

User Action 
Verify if the source directory service is accessible or network connectivity is available. 

Additional Data 
Error value: 
1722 The RPC server is unavailable.
------------------------------------------------------------------------------------------------------------------------------------------------------

Another Event is:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          7/28/2016 4:21:19 AM
Event ID:      4013
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      DC02.domain.com
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

Regards,

Jitendra


Additional Domain Controller Decommisioning


Hello Experts,

I had an Additional Domain Controller that crashed due to hardware failure. I have now replaced the hardware and reinstalled the OS. I want to know what changes I have to make before adding the replaced ADC. Do I have to remove some data regarding the malfunctioning previous ADC from the Domain Controller?

Secondly, I want to know which is more efficient: adding an ADC and starting the replication over the WAN, or adding the ADC via IFM.

Thanks

FRANK


TechSpec90

ADC Replication using 20-30 GB in 24 Hours in a day


I have 186 ADCs.

Replication is using high bandwidth, and the total utilization is approximately 20-30 GB a day.

Claims language question


Hi all

Can anyone point me to a definitive source for the syntax and grammar of the claims language as used in ADFS?

I need something with specific examples of certain use cases.

For example I have a SQL database containing the employee number attribute for all my users. The database also contains their UPN.

I would like to create a claim rule that will send back the employee number if the UPN in AD matches the UPN in the SQL database.

I've been scratching my head for a while with no luck.

Can anyone assist?

Regards

Peter

No SYSVOL & NETLOGON on a DC (FRS is broken)


Need some help on the subject.

On one of the DCs, FRS is not working...

Have tried D4/D2 (Auth/non-auth) restore to no avail.

NtFrs logs amongst others: 

- ERROR - Invalid Partner: AuthClient:domain name\dcname$

- DS: ERROR - Can't free system member DCname:  Ldap Status: Insufficient Rights

- DS: Marking connection inconsistent

I can also see that there is no GUID in the Cumulative Replica Sets/Replica Sets in the registry of the affected DC...

I have tried to recreate the missing objects (CN=NTFRS Subscriptions etc.) using ADSIEdit, but getting the GUID back in the registry is the issue.

D2 is not working because no GUID set for Cumulative Replica Sets/Replica Sets.

Any help/advice on resolving this would be appreciated.

NOTE:

DC is Windows 2012 R2, SYSVOL still uses FRS. When this is resolved and no issues with all DCs, FRS would be migrated to DFSR...

Please help.

Thanks.


Cannot get AD Connection to appear in Sites & Services for new domain controller


Windows 2008 R2

I've promoted a new server to a domain controller running DNS. I've created a computer, group and DNS object on a working DC on the other side of the world, and the computer and group objects created on the new DC came through to the other DCs in the domain, as did the computer and group objects from the other DCs, which came through to the new DC, so these objects are replicating correctly.


However, DNS is not replicating correctly. A DNS name created on another DC was replicated correctly to the new DC; however, a DNS object created on the new DC did not replicate back to the remote DC.


I checked Sites & Services and there are NO AD connection objects for the new DC. What can I do to get one or more AD Connection objects to appear in Sites & Services?


Here's some info:

C:\Users\MyUserName>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MyNewDomainControllerServer03
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Spain\MyNewDomainControllerServer03
      Starting test: Connectivity
         ......................... MyNewDomainControllerServer03 passed test Connectivity

Doing primary tests

   Testing server: Spain\MyNewDomainControllerServer03
      Starting test: Advertising
         ......................... MyNewDomainControllerServer03 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... MyNewDomainControllerServer03 passed test FrsEvent
      Starting test: DFSREvent
         ......................... MyNewDomainControllerServer03 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MyNewDomainControllerServer03 passed test SysVolCheck
      Starting test: KccEvent
         ......................... MyNewDomainControllerServer03 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MyNewDomainControllerServer03 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MyNewDomainControllerServer03 passed test MachineAccount
      Starting test: NCSecDesc
         Error MYDOMAINNAME\Enterprise Read-only Domain Controllers doesn't have
            Replicating Directory Changes
         access rights for the naming context:
         CN=Configuration,DC=MYDOMAINNAME,DC=com
         ......................... MyNewDomainControllerServer03 failed test NCSecDesc
      Starting test: NetLogons
         ......................... MyNewDomainControllerServer03 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MyNewDomainControllerServer03 passed test ObjectsReplicated
      Starting test: Replications
         ......................... MyNewDomainControllerServer03 passed test Replications
      Starting test: RidManager
         ......................... MyNewDomainControllerServer03 passed test RidManager
      Starting test: Services
         ......................... MyNewDomainControllerServer03 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x80000434
            Time Generated: 08/01/2016   13:12:02
            Event String: The reason supplied by user MYDOMAINNAME\MyUserName for the last unexpected shutdown of this computer is: Other Failure: System Unresponsive
         ......................... MyNewDomainControllerServer03 passed test SystemLog
      Starting test: VerifyReferences
         ......................... MyNewDomainControllerServer03 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : MYDOMAINNAME
      Starting test: CheckSDRefDom
         ......................... MYDOMAINNAME passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... MYDOMAINNAME passed test CrossRefValidation

   Running enterprise tests on : MYDOMAINNAME.com
      Starting test: LocatorCheck
         ......................... MYDOMAINNAME.com passed test LocatorCheck
      Starting test: Intersite
         ......................... MYDOMAINNAME.com passed test Intersite


C:\Users\MyUserName>repadmin /replsummary
Replication Summary Start Time: 2016-08-01 13:30:59

Beginning data collection for replication summary, this may take awhile:
  ..................................................
  .............................


Source DSA          largest delta    fails/total %%   error
 Site1DC_Server01                10m:40s    0 /  10    0
 Site1DC_Server02                05m:02s    0 /   5    0
 Site2DC_Server01                43m:40s    0 /  15    0
 Site2DC_Server02                40m:20s    0 /   5    0
 Site3DC_Server01                12m:47s    0 /  55    0
 Site3DC_Server02                34m:20s    0 /  10    0
 Site4DC_Server01                04m:01s    0 /   5    0
 Site5DC_Server01                04m:03s    0 /   5    0
 Site6DC_Server01              44m:33s    0 /   5    0
 Site6DC_Server02              43m:59s    0 /  10    0
 MyNewDomainControllerServer02	0s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 Site1DC_Server01                05m:37s    0 /  10    0
 Site1DC_Server02                07m:35s    0 /   5    0
 Site2DC_Server01                44m:26s    0 /  10    0
 Site2DC_Server02                44m:54s    0 /  10    0
 Site3DC_Server01                36m:54s    0 /  55    0
 Site4DC_Server01                02m:13s    0 /   5    0
 Site5DC_Server01                13m:06s    0 /   5    0
 MyNewDomainControllerServer03 	02m:11s    0 /   5    0


Experienced the following operational errors trying to retrieve replication information:
        1053 - Site3DC_Server02.MYDOMAINNAME.com
          58 - MyNewDomainControllerServer02.MYDOMAINNAME.com
          58 - MyNewDomainControllerServer01.MYDOMAINNAME.com
....
....
....
....


FRS Event Log:

Log Name:      File Replication Service
Source:        NtFrs
Date:          8/1/2016 1:00:10 PM
Event ID:      13508
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MyNewDomainControllerServer03.MYDOMAINNAME.com
Description:
The File Replication Service is having trouble enabling replication from MyNewDomainControllerServer01 to MyNewDomainControllerServer03 for c:\windows\sysvol\domain using the DNS name MyNewDomainControllerServer01.MYDOMAINNAME.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.

 [1] FRS can not correctly resolve the DNS name MyNewDomainControllerServer01.MYDOMAINNAME.com from this computer.
 [2] FRS is not running on MyNewDomainControllerServer01.MYDOMAINNAME.com.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.



Log Name:      File Replication Service
Source:        NtFrs
Date:          8/1/2016 1:09:48 PM
Event ID:      13508
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MyNewDomainControllerServer03.MYDOMAINNAME.com
Description:
The File Replication Service is having trouble enabling replication from MyNewDomainControllerServer02 to MyNewDomainControllerServer03 for c:\windows\sysvol\domain using the DNS name MyNewDomainControllerServer02.MYDOMAINNAME.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.

 [1] FRS can not correctly resolve the DNS name MyNewDomainControllerServer02.MYDOMAINNAME.com from this computer.
 [2] FRS is not running on MyNewDomainControllerServer02.MYDOMAINNAME.com.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.


Log Name:      File Replication Service
Source:        NtFrs
Date:          8/1/2016 2:00:09 PM
Event ID:      13562
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MyNewDomainControllerServer03.MYDOMAINNAME.com
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller MyNewDomainControllerServer03.MYDOMAINNAME.com for FRS replica set configuration information.

 The nTDSConnection object cn=MyNewDomainControllerServer01,cn=ntds settings,cn=MyNewDomainControllerServer03,cn=servers,cn=spain,cn=sites,cn=configuration,dc=MYDOMAINNAME,dc=com is conflicting with cn=e9d5760e-5e65-4f50-99cb-2fa2b8514a02,cn=ntds settings,cn=MyNewDomainControllerServer03,cn=servers,cn=spain,cn=sites,cn=configuration,dc=MYDOMAINNAME,dc=com. Using cn=MyNewDomainControllerServer01,cn=ntds settings,cn=MyNewDomainControllerServer03,cn=servers,cn=spain,cn=sites,cn=configuration,dc=MYDOMAINNAME,dc=com





Directory Service Event Log:


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/1/2016 2:01:50 PM
Event ID:      1925
Task Category: Knowledge Consistency Checker
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      MyNewDomainControllerServer03.MYDOMAINNAME.com
Description:
The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:
DC=MYDOMAINNAME,DC=com
Source directory service:
CN=NTDS Settings,CN=MyNewDomainControllerServer01,CN=Servers,CN=Spain,CN=Sites,CN=Configuration,DC=MYDOMAINNAME,DC=com
Source directory service address:
c2ddc207-2f72-46e0-834f-c812da2676ea._msdcs.MYDOMAINNAME.com
Intersite transport (if any):


This directory service will be unable to replicate with the source directory service until this problem is corrected.

User Action
Verify if the source directory service is accessible or network connectivity is available.

Additional Data
Error value:
1722 The RPC server is unavailable.

No errors in the DNS Event Log.

In the one site, we have three new domain controllers whose names are MyNewDomainControllerServer01, MyNewDomainControllerServer02 and MyNewDomainControllerServer03 (the latest one, which has no connections in Sites & Services). 01 & 02 are replicating OK.





JDMils

Ports PsPasswd Windows Sysinternals


Hi 

I need to know the ports used by PsPasswd (Windows Sysinternals).

Thanks.


bulk Update attribute in AD, best way to get this done?

Hi All

I have a question on something I need to tackle within my enterprise.

We are about to purchase a solution which integrates our smart cards with Active Directory to facilitate room bookings in our building.

For this to work I need to add a specific number as an Active Directory attribute or custom attribute.

Doing this for every user will be a major pain so I am looking at a solution to do this at a bulk level.

I hear tools built into Windows like 'csvde' may be able to help, or other third-party paid tools which have a GUI.


I am thinking of using either the 'pager' attribute in AD (Telephones tab) or a custom attribute field. However, I will need to use the Exchange administrator tools to view this field, as I believe it's not possible to see this under AD Users and Computers?

As the users are already created, I just need to update the 'pager' or 'custom attribute 1' field without amending any other details. Would this be possible?

I have a test AD environment which is a copy of the live AD environment. I am planning on testing this before I roll out to live production. I have details of users and their card numbers, but I also need to extract a copy of the usernames in AD so I can marry the two data sets together.

Appreciate any advice anyone can give me with this.

Connecting to AD LDS using Java


Hi All,

I am writing some Java APIs to interface with AD LDS using LDAP.

1. I am able to bind to a server. I am also able to create a new user with the specified user name. I do not use SSL/TLS in my setup.

2. My understanding is that AD LDS creates a new user in the disabled state and the password is not set.

3. However, when I try to modify the user by enabling him and setting a password, I am not able to do so.

The attribute useraccountDisabled is set to null.

Even though I set the unicode password to some value, it is set to null.

4. Does setting the password programmatically require SSL transport?

regards

Prasad

DNS Issues / Problems adding a PC to the domain


I'm unable to join a server to a domain.  I get the message:  DNS was successfully queried for service location (SRV) resource record used to locate a domain controller for domain "XYZ_A":

The query was for the SRV record for _ldap._tcp.dc._msdcs.XYZ_A

The following domain controllers were identified by the query:

DC1.XYZ_A

DC2.XYZ_A

However no domain controllers could be contacted.  Common causes of this error include:

-Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

-Domain controllers registered in DNS are not connected to the network or are not running

---------------------------------

So here is what I'm able and not able to do from this server that I'm trying to join to the domain:

1.  I couldn't ping DC1 or DC2.  I could ping the FQDN DC1.XYZ_A though, so what I did is added a DNS suffix and now I can ping DC1 or DC2 just fine.  I still get the same error when trying to add it to the domain though.  

2.  I cannot ping the domain XYZ_A.  When I run nslookup XYZ_A it finds the domain controller but it says "can't find XYZ_A:Non-existent domain".  

This server is a VM located in the cloud. It is on a different network than the domain controller that I'm trying to contact. The DNS server that I have in the IPv4 settings is the domain controller I'm trying to contact. The DNS entries seem correct, but I might be missing something.

Anyone have any suggestions?  

Adding Internal DNS server in Host file


Hi Everybody,

I have added a global DNS server IP address to one of my desktops (please see the network configuration screenshot).

After that I added both of my domain controller IP addresses to the hosts file, and it is working fine.

Can you please advise what problems I can face if I keep my configuration this way?

After adding my domain's IP addresses to my hosts file, it's working fine.

But I am wondering, can this setting create a problem?

Because the computer will be able to reach corp.abc.com easily with the help of the hosts file.

Thanks & Regards,

Param


www.paramgupta.blogspot.com


Microsoft CA Certificates- Compatibility with Unix


Can the certificates issued by MS 2008/2012 CAs be used with Unix applications? Are there any known limitations or compatibility issues?

Granting permissions on a Permission Set


Hi -

I hope this is a relatively simple question: How does one go about granting permissions in Active Directory to be able to read attributes in a permission set? For example, if I wanted to grant "Read" permissions to the user-logon permission set, how would I do that? Is that through DSACLS? PowerShell? I've looked online and I can't seem to find any information on how to do that.

Thanks.

Server 2012 and Windows 10


Hi All, 

Can Windows Server 2012 R2 be used to manage Windows 10? If so, how can I get the ADMX files added to the AD server in order to use Group Policy?

Server 2012 Roles/Features Won't install

This started out as a Group Policy issue. Two Server 2012 R2 Core domain controllers could not replicate with each other. The actual GPO error in the Event Viewer was that a domain controller could not replicate for X number of days. The solution to the issue was to run a non-authoritative restore on one domain controller and an authoritative restore on the other domain controller. To run the solution, a replication command-line command must be run, which is a feature that must be loaded by PowerShell. The first time we tried to load the PowerShell command, the command did run and loaded the feature. The server rebooted, and when the server came back up the feature that was just loaded rolled back the install and said it could not install the feature. So now any feature or role that we try to load will not install. It initially loads the feature and restarts the server, but when the server comes back up the server starts rolling back the install. It does this for any feature or role that you try to install.

AD Accounts getting locked out again and again


Hi Guys,

Need a little help. Some AD accounts are getting locked again and again. When we checked the event logs, ISA Server is causing this lockout issue. Can anyone please help me in this case?

Thanks

Programmatic way of getting certificate enrollment password from NDES


Is there an API to get the enrollment password for enrolling devices using SCEP? If so, could you please point me to the documentation?

We have set up NDES and got the device enrollment going. However, we are building additional components that interface with NDES, and those components perform the authentication. Is there any API that we could call that provides the enrollment challenge instead of calling /certsrv/mscep_admin and string filtering?

certificate template could not be loaded. element not found


I am trying to migrate the CA to a new host via the guideline at https://technet.microsoft.com/en-us/library/cc742388%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

I restored and changed the host successfully, but I can't grant permission for Public Key Services (AIA, CDP) to the CA computer. When I open the CA wizard and access Certificate Templates, I receive the error "certificate template could not be loaded. element not found".

Please guide me to fix the error!

How to identify which computers are authenticated off a particular domain controller

Hi Guys,

I know you can find out which domain controller a certain computer has authenticated against from the command prompt of the computer itself, but what I'm chasing is a method of determining which computers have authenticated against an individual domain controller.

Thanks

Jim

Please help me, some GPO not working and DFSREvent error


Hi,

The wallpaper GPO is not working. I checked the GPO; it does not detect the Infrastructure role, and dcdiag gives the error:

Starting test: DFSREvent

There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

I don't know whether this is part of the issue, so I clicked "Detect now" in the GPO window and got the error "Active Directory or SysVol inaccessible on the domain controller or an object is missing".

Please,

Thank you very much
