Channel: Directory Services forum

DFS Replication issue


Hi,

I'm using Server 2012R2 and have Namespace and Replication set up. I recently changed Namespace from using the default WINS to DNS; anyway, I had an issue with deleting the Namespaces so I had to go into ADSI Edit and remove it that way. I recreated the Namespaces and it's all switched over to DNS and works perfectly. BUT I had to republish the Namespaces to the existing replications, which worked fine, but they aren't replicating. I created a brand new one which is replicating fine. I've read on the Internet and a few people are saying delete them and recreate them and it'll all work fine. But I would rather not do this: I have people doing work on all of the replicated folders and I can only sync from one folder, which will remove other people's work. Does anyone have any ideas to get them to work? I've tried restarting the services and some do work for a while, then stop.

All help is most welcomed

Thanks


ADSite Topology Info through powershell


working on Site TOPOLOGY.  I need to get the below information through running powershell.


  • What type of topology are in the organization
    (Bus, star, ring mesh)
  • How many sites with domain controllers and without DC
  • What are the dependent applications
  • No of site
  • No of subnets
  • No of site links
  • Change of notification – On/Off

Reset password with History resulting in - "The server does not support the control. The control is critical."


I've followed what I believe to be the right steps from this article (only in PowerShell). I can't, however, get it to work. I've tried both controls and verified through adsiedit and ldp that I have both controls that I need. I'm sure I'm missing something quite simple here but would appreciate some help.

supportedControl (35):
  1.2.840.113556.1.4.2239 = ( POLICY_HINTS );
  1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED );

When I set isCritical ("1.2.840.113556.1.4.2239", $byte, $true, $true) to true I get a failure of ...

Exception: System.Management.Automation.MethodInvocationException: Exception calling "SendRequest" with "1" argument(s): "The server does not support the control. The control is critical." --->
	System.DirectoryServices.Protocols.DirectoryOperationException: The server does not support the control. The control is critical.
	   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
	   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
	   at CallSite.Target(Closure , CallSite , Object , Object )
	   --- End of inner exception stack trace ---
	   at System.Management.Automation.ExceptionHandlingOps.ConvertToMethodInvocationException(Exception exception, Type typeToThrow, String methodName, Int32 numArgs, MemberInfo memberInfo)
	   at CallSite.Target(Closure , CallSite , Object , Object )
	   at System.Dynamic.UpdateDelegates.UpdateAndExecute2[T0,T1,TRet](CallSite site, T0 arg0, T1 arg1)
	   at System.Management.Automation.Interpreter.DynamicInstruction`3.Run(InterpretedFrame frame)
	   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)

When I don't set isCritical ("1.2.840.113556.1.4.2239", $byte, $false, $true) I get a Success returned but the password hasn't been changed.

RequestId    :
MatchedDN    :
Controls     : {}
ResultCode   : Success
ErrorMessage :
Referral     : {}

This is what I'm doing

    [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null
    [System.Reflection.Assembly]::LoadWithPartialName("System.Net") | Out-Null
    $SDPServer = $srv
    $SDPPort = 636
    $SDPConnection = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList "$($SDPServer):$($SDPPort)"
    #Set session options
    $SDPConnection.SessionOptions.SecureSocketLayer = $true;
    $SDPConnection.SessionOptions.VerifyServerCertificate = { return $true;} #needed for self-signed certificates
    $SDPConnection.SessionOptions.ProtocolVersion = 3;
    $SDPConnection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    #$SDPConnection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Ntlm
    $netcred = new-object "System.Net.NetworkCredential" -ArgumentList $adsvc, $adpwd, $domain
    $SDPConnection.Bind($netcred)
    [byte]$byte = "0x1"
    #$control = new-object "System.DirectoryServices.Protocols.DirectoryControl" -ArgumentList "1.2.840.113556.1.4.2066", $byte, $true, $true
    $control = new-object "System.DirectoryServices.Protocols.DirectoryControl" -ArgumentList "1.2.840.113556.1.4.2239", $byte, $true, $true
    $request = new-object "System.DirectoryServices.Protocols.ModifyRequest" -ArgumentList $userDN
    $request.Controls.Add($control) | Out-Null
    $modification = New-Object "System.DirectoryServices.Protocols.DirectoryAttributeModification"
    $modification.Name = "userPassword"
    $modification.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $modification.Add($usrpwd) | Out-Null
    $request.Modifications.Add($modification) | Out-Null
    $result = $SDPConnection.SendRequest($request);
    $result
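
An added example, not part of the original post or the article it refers to: MS-ADTS defines the value of the policy-hints control as a BER-encoded SEQUENCE { Flags INTEGER }, and AD DS takes password resets through the unicodePwd attribute (the password in double quotes, UTF-16LE). The code below builds such a request without sending it; the function names, DN and password are constructed for illustration.

```powershell
# Added example: builds (but does not send) an AD password-reset ModifyRequest
# that carries the policy-hints control. Function names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# OIDs as listed in the supportedControl output quoted in the post.
$OID_POLICY_HINTS            = '1.2.840.113556.1.4.2239'
$OID_POLICY_HINTS_DEPRECATED = '1.2.840.113556.1.4.2066'

function New-PolicyHintsControl {
    param(
        [string]$Oid     = $OID_POLICY_HINTS,
        [int]$Flags      = 1,      # 0x1 = enforce password constraints such as history on the reset
        [bool]$Critical  = $true
    )
    # The control value is BER: SEQUENCE { INTEGER Flags }, not one raw byte.
    [byte[]]$value = [System.DirectoryServices.Protocols.BerConverter]::Encode(
        '{i}', [object[]]@($Flags))

    # Arguments: type (OID), value, isCritical, serverSide
    New-Object System.DirectoryServices.Protocols.DirectoryControl `
        -ArgumentList $Oid, $value, $Critical, $true
}

function New-PasswordResetRequest {
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$NewPassword,
        [System.DirectoryServices.Protocols.DirectoryControl]$Control = (New-PolicyHintsControl)
    )
    # unicodePwd format: password wrapped in double quotes, encoded UTF-16LE.
    # The directory only accepts it over an encrypted connection (e.g. LDAPS on 636).
    [byte[]]$pwdBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $NewPassword + '"')

    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $mod.Add($pwdBytes) | Out-Null

    $request = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $request.DistinguishedName = $UserDn
    $request.Modifications.Add($mod) | Out-Null
    $request.Controls.Add($Control)  | Out-Null
    $request
}

# Constructed sample values (placeholders, not taken from the post).
$req = New-PasswordResetRequest `
    -UserDn 'CN=Test User,OU=Staff,DC=example,DC=com' `
    -NewPassword 'Constructed-Sample-1!'

# Inspect what would go on the wire before sending anything.
$ctl = $req.Controls[0]
$hex = ($ctl.GetValue() | ForEach-Object { $_.ToString('X2') }) -join ' '
'{0} critical={1} value={2}' -f $ctl.Type, $ctl.IsCritical, $hex

# Sending is left to an already-bound LdapConnection ($conn is hypothetical here):
#   $resp = $conn.SendRequest($req)
#   $resp.ResultCode
```

Pass `-Oid $OID_POLICY_HINTS_DEPRECATED` to `New-PolicyHintsControl` for a domain controller whose rootDSE lists only the older control.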

Error when attempting to change password: "The security database on the server does not have a computer account for this workstation trust relationship."


The error message I'm seeing is "The security database on the server does not have a computer account for this workstation trust relationship." There's nothing wrong with the trust relationship and I have removed a computer from the domain, deleted the AD account, and re-added it to the domain successfully and I still get the same message but only when I am trying to change my password. Below are all the things I have tried unsuccessfully:

  • Removed the computer account from the domain, deleted the account, and re-added the computer to the domain.
  • Tested with domain admin account.
  • Tried changing my password logged in directly into a domain controller.
  • Issue occurs both on manual password change or forced password change.
  • Copied existing account and tried changing the password.
  • Created brand new (not copied) account in AD and tried changing the password.
  • Tried resetting password on multiple computers.
  • Removing Windows updates mentioned online that may cause this issue.

The only things that have worked are:

  • Changing a local user account's password.
  • Changing a domain account password via AD Users and Computers.

Our workstations are Windows 7 SP1 and our servers are Windows 2008 R2 SP1.

Christopher

FrsEvent Could not find computer object for this computer. Will try again at next polling cycle.


DC1+DC2 are newly added domain controllers. All FSMO roles have been transferred from 2008 dc to DC2.

I am not sure if this is related, but when I built DC1+DC2, I joined them to the domain with those names. After installing AD and promoting to DCs, they were renamed in AD to DC1~1 and DC2~1 for some reason. I asked about this on these forums and no one thought it would cause issues because DNS resolved properly with DC1+DC2 etc.

I believe there is a problem with DC1 only. We use FIM and AADsync for various services and sometimes when those use DC1, they report Server Down. I also run some powershell scripts against AD and sometimes using DC1 it will report Server Down. I have not had this issue with DC2. Both were built at the same time.

Ernie = 2008r2 DC

DC1+DC2=2012r2 DC

DC1 has the following in the DNS Server event log

"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

And this in the Directory Service log even though both DC1+DC2 have 32gb of RAM and at the time of the error was only using 3.6gb

Internal event: Active Directory Domain Services could not allocate enough memory to process replication tasks. Replication might be affected until more memory is available. 
 
User Action 
Increase the amount of physical memory or virtual memory and restart the local computer.

DC1 dcdiag /v /c 

DC2 dcdiag /v /c

Below is what I think is the most concerning output from dcdiag

      Starting test: FrsEvent
         * The File Replication Service Event log test 
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems. 
         A warning event occurred.  EventID: 0x800034FA
            Time Generated: 08/01/2016   22:27:26
            Event String:
            Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC1.jwcc.edu for FRS replica set configuration information. 
             Could not find computer object for this computer. Will try again at next polling cycle.
         An error event occurred.  EventID: 0xC00034D6
            Time Generated: 08/02/2016   02:22:27
            Event String:
            The File Replication Service cannot replicate c:\windows\sysvol\domain with the computer DC2 because the computer's SID cannot be determined from the distinguished name "cn=dc2~1,ou=dc2,ou=domain controllers,dc=jwcc,dc=edu". 
            The File Replication Service will retry later.
         ......................... DC1 failed test FrsEvent
      Starting test: SystemLog
         * The System Event log test
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 08/02/2016   09:13:05
            Event String:
            Name resolution for the name jwcc.edu timed out after none of the configured DNS servers responded.

DHCP split scope consolidation in 2008R2


Hi All,

I have two domain controllers, DC1 and DC2, with OS 2008R2. Both are using DHCP with multiple scope ranges in split scope mode, containing both voice and data ranges of IPs.

I would like to consolidate and make it only in DC2. Please let me know the proper solution with steps and commands, with no or minimal downtime. It should consolidate reservations also.

Thanks in advance

Domain Functional Level Raise from Windows 2003 to Windows 2008 R2.


Hi,

This is regards to Domain Functional Level Raise from Windows 2003 to Windows 2008 R2. Currently we have Functional Level for Forest and Domain is set to Windows 2003 and for now we are planning to raise only Domain Functional Level to Windows 2008 R2.

Is there any known Impact due to Domain Functional Level Change? Is there any pre-checks? Can we only raise the Domain Functional Level to Windows 2008 R2 and keep Forest Functional Level as it is which is Windows 2003.

Required suggestion.

Regards,

SGH


MCP, MCTS


Employees Workstation Windows OS Update from 7 to 8 on Windows Server 2008 R2


Hello Everyone,

Good Day Ahead!

I have a question about windows OS update on clients computer, I am working in a company who has 200+ users and all users are using windows 7 pro on their system and also I have windows server 2008 R2 environment so I just want to know if I want to update my users OS from 7 to 8 so is it mandatory we need to change server also, I mean windows server 2008 R2 to windows server 2012 or it will run on the same version.

I am confused on this pattern so please update me..

Answers about this query will be highly appreciated.

Best Regards

Asheer Hasan



Export local group membership from all servers in A.D


Hello,

I want to export all local group membership to text from all servers in A.D., please advise.

Bahloul.


ERROR ID 10016


The Server 2012 with Sql Server showing the following message

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6DF8CB71-153B-4C66-8FC4-E59301B8011B} and APPID {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} to the user NT SERVICE\SQL Server Distributed Replay Client SID (S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

I did the following steps to solve the issue: I changed the ownership of {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} to administrator. But I was not able to find the value {6DF8CB71-153B-4C66-8FC4-E59301B8011B} or {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} in Component Services to make changes in security.


Distribution Group (Accept Messages from - Permission)


Hello,

I have a requirement to apply the Accept Messages from permission on few of the distribution groups, but the ask is if the organizational structure is having few nested distribution groups as the members. How can we make sure that the permission shall be applied to the nested groups as well.

Scenario Example-

Distribution Group A - Can accept messages from AA User

Distribution Group B (it's a member of Distribution Group A) - Can accept messages from BB User

When, we send message to Distribution Group A from AA user, it won't be delivered to members of Distribution Group B even if it is a member of Distribution Group A.


Regards,
Manuj Khurana

Regarding DNS Problem


We had issues in DNS, as one of the VM servers was not able to resolve to the alternate DNS Server.


Scenario is :


Mumbai 4 DC's

2 Physical DC : 2 DC's

2 VM's : ADC's.

One of the VM servers was not able to resolve to the alternate DNS Server because the Primary DNS Server (ADC) was having some issue and was down.

=======================

** Both are ADC (Additional Domain Controllers) which are on  VM's

** Primary ADC01 and Secondary ADC02.

** VM server host entry got deleted from DNS. After that we created a new entry in the DNS Server.

** One of the VM Server was not able to query Alternate DNS Server because Primary DNS Server was down.

** VM Server should have contacted to alternate DNS Server in case of primary DNS Failure which did not happen.

======================

Yesterday the VM server's host entry got deleted from the DNS Server; after that we created a new entry.


Pramod Jadhav 9867715203


Cannot get AD Connection to appear in Sites & Services for new domain controller


Windows 2008 R2

I've promoted a new server to a domain controller running DNS and I've created a computer, group and DNS object on a working DC on the other side of the world, and the computer & group objects created on the new DC came thru to the other DCs in the domain, so did the computer & group objects from the other DCs which came thru to the new DC- so these objects are replicating correctly.


However, DNS is not replicating correctly. A DNS name created on another DC was replicated correctly on the new DC, however a DNS object created on the new DC did not replicate back to the remote DC.


I checked Sites & Services and there are NO AD connection objects for the new DC. What can I do to get one or more AD Connection objects to appear in Sites & Services?


Here's some info:

C:\Users\MyUserName>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MyNewDomainControllerServer03
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Spain\MyNewDomainControllerServer03
      Starting test: Connectivity
         ......................... MyNewDomainControllerServer03 passed test Connectivity

Doing primary tests

   Testing server: Spain\MyNewDomainControllerServer03
      Starting test: Advertising
         ......................... MyNewDomainControllerServer03 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... MyNewDomainControllerServer03 passed test FrsEvent
      Starting test: DFSREvent
         ......................... MyNewDomainControllerServer03 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MyNewDomainControllerServer03 passed test SysVolCheck
      Starting test: KccEvent
         ......................... MyNewDomainControllerServer03 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MyNewDomainControllerServer03 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MyNewDomainControllerServer03 passed test MachineAccount
      Starting test: NCSecDesc
         Error MYDOMAINNAME\Enterprise Read-only Domain Controllers doesn't have
            Replicating Directory Changes
         access rights for the naming context:
         CN=Configuration,DC=MYDOMAINNAME,DC=com
         ......................... MyNewDomainControllerServer03 failed test NCSecDesc
      Starting test: NetLogons
         ......................... MyNewDomainControllerServer03 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MyNewDomainControllerServer03 passed test ObjectsReplicated
      Starting test: Replications
         ......................... MyNewDomainControllerServer03 passed test Replications
      Starting test: RidManager
         ......................... MyNewDomainControllerServer03 passed test RidManager
      Starting test: Services
         ......................... MyNewDomainControllerServer03 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x80000434
            Time Generated: 08/01/2016   13:12:02
            Event String: The reason supplied by user MYDOMAINNAME\MyUserName for the last unexpected shutdown of this computer is: Other Failure: System Unresponsive
         ......................... MyNewDomainControllerServer03 passed test SystemLog
      Starting test: VerifyReferences
         ......................... MyNewDomainControllerServer03 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : MYDOMAINNAME
      Starting test: CheckSDRefDom
         ......................... MYDOMAINNAME passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... MYDOMAINNAME passed test CrossRefValidation

   Running enterprise tests on : MYDOMAINNAME.com
      Starting test: LocatorCheck
         ......................... MYDOMAINNAME.com passed test LocatorCheck
      Starting test: Intersite
         ......................... MYDOMAINNAME.com passed test Intersite


C:\Users\MyUserName>repadmin /replsummary
Replication Summary Start Time: 2016-08-01 13:30:59

Beginning data collection for replication summary, this may take awhile:
  ..................................................
  .............................


Source DSA          largest delta    fails/total %%   error
 Site1DC_Server01                10m:40s    0 /  10    0
 Site1DC_Server02                05m:02s    0 /   5    0
 Site2DC_Server01                43m:40s    0 /  15    0
 Site2DC_Server02                40m:20s    0 /   5    0
 Site3DC_Server01                12m:47s    0 /  55    0
 Site3DC_Server02                34m:20s    0 /  10    0
 Site4DC_Server01                04m:01s    0 /   5    0
 Site5DC_Server01                04m:03s    0 /   5    0
 Site6DC_Server01              44m:33s    0 /   5    0
 Site6DC_Server02              43m:59s    0 /  10    0
 MyNewDomainControllerServer02	0s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 Site1DC_Server01                05m:37s    0 /  10    0
 Site1DC_Server02                07m:35s    0 /   5    0
 Site2DC_Server01                44m:26s    0 /  10    0
 Site2DC_Server02                44m:54s    0 /  10    0
 Site3DC_Server01                36m:54s    0 /  55    0
 Site4DC_Server01                02m:13s    0 /   5    0
 Site5DC_Server01                13m:06s    0 /   5    0
 MyNewDomainControllerServer03 	02m:11s    0 /   5    0


Experienced the following operational errors trying to retrieve replication information:
        1053 - Site3DC_Server02.MYDOMAINNAME.com
          58 - MyNewDomainControllerServer02.MYDOMAINNAME.com
          58 - MyNewDomainControllerServer01.MYDOMAINNAME.com
....
....
....
....


FRS Event Log:

Log Name:      File Replication Service
Source:        NtFrs
Date:          8/1/2016 1:00:10 PM
Event ID:      13508
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MyNewDomainControllerServer03.MYDOMAINNAME.com
Description:
The File Replication Service is having trouble enabling replication from MyNewDomainControllerServer01 to MyNewDomainControllerServer03 for c:\windows\sysvol\domain using the DNS name MyNewDomainControllerServer01.MYDOMAINNAME.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.

 [1] FRS can not correctly resolve the DNS name MyNewDomainControllerServer01.MYDOMAINNAME.com from this computer.
 [2] FRS is not running on MyNewDomainControllerServer01.MYDOMAINNAME.com.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.



Log Name:      File Replication Service
Source:        NtFrs
Date:          8/1/2016 1:09:48 PM
Event ID:      13508
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MyNewDomainControllerServer03.MYDOMAINNAME.com
Description:
The File Replication Service is having trouble enabling replication from MyNewDomainControllerServer02 to MyNewDomainControllerServer03 for c:\windows\sysvol\domain using the DNS name MyNewDomainControllerServer02.MYDOMAINNAME.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.

 [1] FRS can not correctly resolve the DNS name MyNewDomainControllerServer02.MYDOMAINNAME.com from this computer.
 [2] FRS is not running on MyNewDomainControllerServer02.MYDOMAINNAME.com.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.


Log Name:      File Replication Service
Source:        NtFrs
Date:          8/1/2016 2:00:09 PM
Event ID:      13562
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MyNewDomainControllerServer03.MYDOMAINNAME.com
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller MyNewDomainControllerServer03.MYDOMAINNAME.com for FRS replica set configuration information.

 The nTDSConnection object cn=MyNewDomainControllerServer01,cn=ntds settings,cn=MyNewDomainControllerServer03,cn=servers,cn=spain,cn=sites,cn=configuration,dc=MYDOMAINNAME,dc=com is conflicting with cn=e9d5760e-5e65-4f50-99cb-2fa2b8514a02,cn=ntds settings,cn=MyNewDomainControllerServer03,cn=servers,cn=spain,cn=sites,cn=configuration,dc=MYDOMAINNAME,dc=com. Using cn=MyNewDomainControllerServer01,cn=ntds settings,cn=MyNewDomainControllerServer03,cn=servers,cn=spain,cn=sites,cn=configuration,dc=MYDOMAINNAME,dc=com





Directory Service Event Log:


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/1/2016 2:01:50 PM
Event ID:      1925
Task Category: Knowledge Consistency Checker
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      MyNewDomainControllerServer03.MYDOMAINNAME.com
Description:
The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:
DC=MYDOMAINNAME,DC=com
Source directory service:
CN=NTDS Settings,CN=MyNewDomainControllerServer01,CN=Servers,CN=Spain,CN=Sites,CN=Configuration,DC=MYDOMAINNAME,DC=com
Source directory service address:
c2ddc207-2f72-46e0-834f-c812da2676ea._msdcs.MYDOMAINNAME.com
Intersite transport (if any):


This directory service will be unable to replicate with the source directory service until this problem is corrected.

User Action
Verify if the source directory service is accessible or network connectivity is available.

Additional Data
Error value:
1722 The RPC server is unavailable.

No errors in the DNS Event Log.

In the one site, we have three new domain controllers whose names are MyNewDomainControllerServer01, MyNewDomainControllerServer02 and MyNewDomainControllerServer03 (the latest one which has no connections in Sites & Servers). 01 & 02 are replicating OK.





| +-- JDMils |

Query on AD 2016 Expiring Links feature


Hi,

Active Directory 2016 is introducing a new feature, Expiring Links, which allows time-based memberships. I am able to add time-based memberships using PowerShell. Here is the command to perform the same:

$ttl = New-TimeSpan -Hours 2
Add-ADGroupMember -Identity 'Domain Admins' -Members "CN=newuser1,CN=Users,DC=AD2016,DC=com" -MemberTimeToLive $ttl

This doesn't work when I run the commands using a remote powershell on Windows 2008 or 2012 as the earlier versions do not have the option '-MemberTimeToLive'.

1. If I have to use this feature using remote powershell on earlier versions, how can I do it? Do I need to install anything for this? 

2. Is this feature supported through LDAP interface? If yes, how the time limit can be specified?

Thanks in advance.

ishwar

Administrative Right C$ D$ block in Domain


I have windows server 2012 R2 environment. I need to stop user to access through C$ and D$...


Can't run services with UPN in different forest -- Getting Access Denied


Can't run services with UPN in different forest -- Getting Access Denied

but services can run fine with Domainname\Samaccountname format.


MCSE Certified

Any suggestions for a dedicated OU for Security Groups in AD (Role based access)


I'm trying to think of an easy way without being over-complicated, to organize OU in AD to manage security groups.
Here's what I'm looking at now:

Then other OU's not nested that are for Departments/users/computers. 

Does anyone else organize similar to that?
The idea of Groups > Access > File > Servers, would be that I create a security group called something like "ACL_Server1_inetpub_write", and then add that group to have write access to C:\inetpub on "Server1".
Versus giving a user local Admin rights entirely to Server1
Then I could have a Role Group called "Server1 Web Editors", which would be a member of ACL_Server1_inetpub_write.
Am I over-complicating Role Based Access, given this idea, OU structure and naming convention?
I got the idea from this video "Role-Based Management Extreme Makeover for Active Directory"

Unauthenticated network

Hello

I am currently facing a concern I can not resolve with one of my active directory servers, I explain:

One of my clients has two Active Directory servers on its premises. We have a private connection between its premises and our premises in order to replicate its Active Directory to a server hosted locally at our site, linked to a hosted Exchange server.

Since yesterday the server no longer replicates and an "unauthenticated" error appears next to the NIC. I searched for the problem without finding a real solution.

I tried restarting the server, without success; I also tried resetting the password using the netdom command, and that does not work either.

The replication problem seems necessarily linked to the fact that the card is unauthenticated. For information, I am able to ping my client's remote AD servers from my AD server.

The DNS server recv() function failed. The event data contains the error.


we are getting the following error continuously in our window server 2008 r2 server.

event id - 7050

error message - 

The DNS server recv() function failed. The event data contains the error.

Please help to restore the above issue.

DNS Issues / Problems adding a PC to the domain


I'm unable to join a server to a domain.  I get the message:  DNS was successfully queried for service location (SRV) resource record used to locate a domain controller for domain "XYZ_A":

The query was for the SRV record for _ldap._tcp.dc._msdcs.XYZ_A

The following domain controllers were identified by the query:

DC1.XYZ_A

DC2.XYZ_A

However no domain controllers could be contacted.  Common causes of this error include:

-Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses. 

-Domain controllers registered in DNS are not connected to the network or are not running

---------------------------------

So here is what I'm able and not able to do from this server that I'm trying to join to the domain:

1.  I couldn't ping DC1 or DC2.  I could ping the FQDN DC1.XYZ_A though, so what I did is added a DNS suffix and now I can ping DC1 or DC2 just fine.  I still get the same error when trying to add it to the domain though.  

2.  I cannot ping the domain XYZ_A.  When I run nslookup XYZ_A it finds the domain controller but it says "can't find XYZ_A:Non-existent domain".  

This server is a VM located in the cloud.  It is on a different network than the domain controller that I'm trying to contact.  The DNS server that I have in the IPv4 settings is the domain controller I'm trying to contact.  The DNS entries seem correct but I might be missing something.  

Anyone have any suggestions?  
