Channel: Directory Services forum

DNS settings on NICs


I hope I have this question in the right Forum.  When we configure the NIC on a server with its Preferred DNS and Alternate DNS settings, what does this actually do for us?  The underlying thought is that if the preferred DNS server goes toes up the Alternate DNS takes over thus giving a level of high availability and redundancy.  I have my doubts that it really works this cleanly.  Thoughts anyone?


Francisco Mercado Jr.


AD replication between sites with IPSEC tunnel ?


Hi Everyone,

I'm having some problems with my AD replication: password changes from my Head Quarter DC (HQDC01) are not replicated to the Data Center DCs (DC-VM1 and DC-VM3), where the Exchange servers and all other servers in the Data Center run.

I'm using 
Site Links for Data Center to All AD Sites.
Site Link Bridges between:
Data Center to DRSITE1
Data Center to HeadQuarter

I'm using NTFRS replication because there is no DFS-R shared folder that I know of.

Because when I check the File Replication Service logs and filter by Error and Critical, it returns empty. There are lots of warnings but nothing critical or error on any of the AD domain controllers.

This is the snippet from DC-VM1:

PS C:\> repadmin /replsum
Replication Summary Start Time: 2016-09-13 09:19:16

Beginning data collection for replication summary, this may take awhile:
  .........

Source DSA          largest delta    fails/total %%   error
 SITEA-DC1          21h:41m:27s    5 /   5  100  (1722) The RPC server is unavailable.
 DRSITE-DC-01       01h:05m:14s    0 /   5    0
 DC-VM1             30m:56s        0 /  15    0
 DC-VM3             25m:46s        0 /  10    0
 HQDC01             25m:25s        0 /   5    0
 SITET-DC1          01h:30m:13s    5 /   5  100  (1818) The remote procedure call was cancelled.

Destination DSA     largest delta    fails/total %%   error
 DRSITE-DC-01       03m:25s        0 /   5    0
 DC-VM1             21h:41m:27s    5 /  15   33  (1722) The RPC server is unavailable.
 DC-VM3             01h:30m:13s    5 /  15   33  (1818) The remote procedure call was cancelled.
 HQDC01             08m:03s        0 /  10    0

Experienced the following operational errors trying to retrieve replication information:
      1818 - SITET-DC1
      1818 - SITEA-DC1
PS C:\>

and this is from the HQDC01:

PS C:\> repadmin /replsum
Replication Summary Start Time: 2016-09-13 10:27:01

Beginning data collection for replication summary, this may take awhile:
  .........

Source DSA          largest delta    fails/total %%   error
 SITEA-DC1          22h:49m:12s    5 /   5  100  (1722) The RPC server is unavailable.
 DRSITE1-DC-01      08m:17s        0 /   5    0
 DC-VM1             38m:39s        0 /  15    0
 DC-VM3             33m:52s        0 /  10    0
 HQDC01             18m:52s        0 /   5    0
 SITET-DC1          02h:37m:58s    5 /   5  100  (1818) The remote procedure call was cancelled.

Destination DSA     largest delta    fails/total %%   error
 DRSITE1-DC-01      03m:48s        0 /   5    0
 DC-VM1             22h:49m:12s    5 /  15   33  (1722) The RPC server is unavailable.
 DC-VM3             02h:37m:58s    5 /  15   33  (1818) The remote procedure call was cancelled.
 HQDC01             :48s           0 /  10    0

Experienced the following operational errors trying to retrieve replication information:
      1722 - SITET-DC1
      1722 - SITEA-DC1
PS C:\>

This is the Replication summary from

DC-VM1:
PS C:\> repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
DataCenter\DC-VM1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 8f33fa6f-a92d-446a-bda1-abf3eeea4c44
DSA invocationID: 11907937-2d6f-447a-b1cb-ebc70261e136

==== INBOUND NEIGHBORS ======================================

DC=Mydomain,DC=com
    HeadQuarter\HQDC01 via RPC
        DSA object GUID: 6b2b600b-35f0-4aff-8426-8cfb3c775085
        Last attempt @ 2016-09-13 10:18:30 was successful.
    SITE-A\SITEA-DC1 via RPC
        DSA object GUID: b61012a9-8610-4bc9-a148-1398b4d90a61
        Last attempt @ 2016-09-13 10:32:48 failed, result 1818 (0x71a):
            The remote procedure call was cancelled.
        34 consecutive failure(s).
        Last success @ 2016-09-12 21:59:34.
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 10:43:09 was successful.

CN=Configuration,DC=Mydomain,DC=com
    HeadQuarter\HQDC01 via RPC
        DSA object GUID: 6b2b600b-35f0-4aff-8426-8cfb3c775085
        Last attempt @ 2016-09-13 10:32:48 was successful.
    SITE-A\SITEA-DC1 via RPC
        DSA object GUID: b61012a9-8610-4bc9-a148-1398b4d90a61
        Last attempt @ 2016-09-13 10:42:48 failed, result 1818 (0x71a):
            The remote procedure call was cancelled.
        91 consecutive failure(s).
        Last success @ 2016-09-12 11:37:49.
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 10:42:48 was successful.

CN=Schema,CN=Configuration,DC=Mydomain,DC=com
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 09:53:09 was successful.
    SITE-A\SITEA-DC1 via RPC
        DSA object GUID: b61012a9-8610-4bc9-a148-1398b4d90a61
        Last attempt @ 2016-09-13 10:43:09 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        59 consecutive failure(s).
        Last success @ 2016-09-12 16:54:41.
    HeadQuarter\HQDC01 via RPC
        DSA object GUID: 6b2b600b-35f0-4aff-8426-8cfb3c775085
        Last attempt @ 2016-09-13 10:43:09 was successful.

DC=DomainDnsZones,DC=Mydomain,DC=com
    HeadQuarter\HQDC01 via RPC
        DSA object GUID: 6b2b600b-35f0-4aff-8426-8cfb3c775085
        Last attempt @ 2016-09-13 10:18:30 was successful.
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 10:32:48 was successful.
    SITE-A\SITEA-DC1 via RPC
        DSA object GUID: b61012a9-8610-4bc9-a148-1398b4d90a61
        Last attempt @ 2016-09-13 10:42:48 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        92 consecutive failure(s).
        Last success @ 2016-09-12 11:37:50.

DC=ForestDnsZones,DC=Mydomain,DC=com
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 09:53:09 was successful.
    HeadQuarter\HQDC01 via RPC
        DSA object GUID: 6b2b600b-35f0-4aff-8426-8cfb3c775085
        Last attempt @ 2016-09-13 10:18:30 was successful.
    SITE-A\SITEA-DC1 via RPC
        DSA object GUID: b61012a9-8610-4bc9-a148-1398b4d90a61
        Last attempt @ 2016-09-13 10:42:48 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        92 consecutive failure(s).
        Last success @ 2016-09-12 11:37:50.

Source: SITE-A\SITEA-DC1
******* 91 CONSECUTIVE FAILURES since 2016-09-12 21:59:34
Last error: 1818 (0x71a):
            The remote procedure call was cancelled.
PS C:\>

Strangely, the HQDC01 replication does not show any problem syncing:
PS C:\> repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
HeadQuarter\HQDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 6b2b600b-35f0-4aff-8426-8cfb3c775085
DSA invocationID: 4beb6a87-c816-4d06-8780-312bb5e2448d

==== INBOUND NEIGHBORS ======================================

DC=Mydomain,DC=com
    DataCenter\DC-VM1 via RPC
        DSA object GUID: 8f33fa6f-a92d-446a-bda1-abf3eeea4c44
        Last attempt @ 2016-09-13 10:41:13 was successful.
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 10:41:13 was successful.

CN=Configuration,DC=Mydomain,DC=com
    DataCenter\DC-VM1 via RPC
        DSA object GUID: 8f33fa6f-a92d-446a-bda1-abf3eeea4c44
        Last attempt @ 2016-09-13 10:41:13 was successful.
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 10:41:13 was successful.

CN=Schema,CN=Configuration,DC=Mydomain,DC=com
    DataCenter\DC-VM1 via RPC
        DSA object GUID: 8f33fa6f-a92d-446a-bda1-abf3eeea4c44
        Last attempt @ 2016-09-13 10:41:13 was successful.
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 10:41:13 was successful.

DC=DomainDnsZones,DC=Mydomain,DC=com
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 10:41:13 was successful.
    DataCenter\DC-VM1 via RPC
        DSA object GUID: 8f33fa6f-a92d-446a-bda1-abf3eeea4c44
        Last attempt @ 2016-09-13 10:41:13 was successful.

DC=ForestDnsZones,DC=Mydomain,DC=com
    DataCenter\DC-VM3 via RPC
        DSA object GUID: b939025a-dc0c-44e5-b1c7-c049bf8d4c65
        Last attempt @ 2016-09-13 10:41:13 was successful.
    DataCenter\DC-VM1 via RPC
        DSA object GUID: 8f33fa6f-a92d-446a-bda1-abf3eeea4c44
        Last attempt @ 2016-09-13 10:41:13 was successful.
PS C:\>


Note:
The command repadmin /replsum took one hour to complete on each DC. Is that normal?

Any help and suggestion would be greatly appreciated.

Thanks in advance,



/* Server Support Specialist */

Get a AD user account login and logoff activity audit report for n days


Hi Team,

I need help finding out a user's logon details in Active Directory, with computer name and IP address, for the last 180 days or any n number of days.

If we can get just the logon date and their mailbox, I would appreciate it.


No SYSVOL_DFSR on newly added Domain Controller


Hi,

I have a W2012 domain in which SYSVOL replication was migrated to SYSVOL DFSR replication a long time ago (in W2008 R2) and has worked well.

I have now added a new domain controller (W2012) and there is no SYSVOL_DFSR folder, only a SYSVOL folder, on this new DC. The new DC tries to replicate using NTFRS and tries to access the SYSVOL folder on the other DCs (which does not exist). DFSRMIG.exe correctly reports being in the "eliminated (3)" state.

Every other AD partition replicates fine (AFAIK).

Is there something to do about this? Is this normal behavior?

Thanks.


Thomas.

Office 365 vs Google Apps

Hi Team,

Today I had a discussion with my friends about "Office 365 vs Google Apps". Can anyone give good reasons to move from Google Apps to O365?

Please share any documents you have regarding this!!


Thanks in Advance !!

NTRao.

How effectively we need DNS resolution in Domain Environment


Hi Team,

I have a quick question on DNS resolution issues in a domain environment: if I'm using a domain without DNS resolution, will it have any effect at all??

Thanks in advance !!

NTRao.

How to query users activity in the domain

Hi,

I would like to know if there is a way to query users logon and logout activity.

 

For example.

 

Can I see when and which users were logged in to the domain, on which client and for how long they were connected until they logged out?

 

Thanks,

Hadar

When user logon another PC the session any PC logoff immediate


Please help me.

I would like that when a user logs on to another PC, the session that user has on any other PC is logged off immediately, or that a user can only log on to one session on any PC. I don't know whether Active Directory on Windows Server 2012 R2 can do this.

Thank you very much.


Allow log on locally Right for Enterprise Domain Controllers


Hello together

When upgrading Active Directory from Windows 2003 / 2008 to 2012 R2, I've seen a difference in the GPO "Default Domain Controller Policy":

The group ENTERPRISE DOMAIN CONTROLLERS is not listed in the "Allow log on locally" right for this policy. (See Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally)

In the "CIS Microsoft Server 2012 R2 Benchmark" (p. 53) it is listed, in order to secure Domain Controllers, to define only Administrators and ENTERPRISE DOMAIN CONTROLLERS.

Can someone explain why a Domain Controller needs the right to log on locally?

We haven't set this right, and haven't had any issues so far.

Thanks for some explanation.

Kind Regards:

Daniel

AD Users unable to access shared drive on server


Hey, guys. Really starting to pull my hair out on this one, but a lot of users are starting to lose access to a shared drive. It might be more, as everyone uses the drive differently. But we have a few servers, and they are perfectly able to access some, but others prompt an error that says, "There are currently no logon servers available to service the logon request."

The servers that we are having issues connecting to are working. I can remote into them and all the files are there.

The AD accounts should have all the permissions, as those come from a GP that covers all the servers, including the ones they can access now. I tried dropping the firewall, but no dice. Any help would be appreciated.

Also, this seems like it might be related, but when I tried to force a GP update it gave me this error: "The processing of Group Policy failed. Windows could not resolve the user name." & "The Group Policy failed. Windows could not resolve the computer name." This was while I was remoted into the server.

I'm sure it's all something super simple that I'm overlooking, but again, any help would be great. 

The bad server is running Windows Server Standard SP2.

RODC Failure...


Hi,

So I am going absolutely crazy trying to configure an RODC that will authenticate the clients after credential caching has been done, so that the authentication is done on the RODC.

This is what I am doing; can someone please tell me what I'm doing wrong.

1. So I configure the clients to get an IP from the DC's DHCP and join the clients to the DC. (TESTED AND WORKING)

2. Then I configure the RODC on the DC for the Password Retention Policy and set up the RODC server as a new server VM. (TESTED AND WORKING)

3. Then I change the RODC's primary DNS IP to itself (127.0.0.1) and the alternate DNS to the DC's IP.

4. Then I point the clients to use the RODC as the primary DNS IP and the DC as the alternate DNS IP.

5. Then I turn off the DC and test the clients authenticating against the RODC. The clients log in, but then the network is "unknown" and not "Domain Network". At this point I have checked that the clients' IP is something other than what DHCP has given them; it is probably because of changing the clients' primary DNS to the RODC IP.

As you can see below, the W10, W8 and W7 computers and the MAdmin, M1 and M2 clients are allowed in the Password Retention Policy, yet the authentication happens only at the DC. Am I missing some step?

Could someone kindly let me know where I am going wrong.

Thank You Very Much




Advanced audit policy setting


Dear all,

I want to collect and analyze events for the below Advanced Audit Policy Configuration settings.


Audit Logoff
Audit Logon
Audit Other Logon/Logoff
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events

May I know where I should define the GPO? Under the Default Domain Policy or the OU for computers (PCs and servers)?

Do I need to collect both server and PC event logs?

Backup event id 517


The backup operation that started at '2016-09-15T07:12:22.937071400Z' has failed with following error code '2155347997' (The operation ended before completion.). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

I found this hotfix, https://support.microsoft.com/en-us/kb/2182466, but it mentions that if we are not affected by the issue, it is recommended that we wait. Another domain controller can back up successfully. Should I apply the hotfix? I feel confused.

SCCM query to find number of users in each AD group


I am trying to come up with a query that can tell me the total number of entries in every AD security group in the domain. I was able to create a list of all users and all the groups they belong to, but it would be nice to know the other way around. This would help me find out if there are any empty groups or groups with just one user, so I can consolidate them.

Any help would be appreciated. Thanks in advance.

Karthik

Group Policy - Hide "File Explorer" / Explorer Folder Icon / Windows 10


Hello,

We seem to have an old group policy that is hiding File Explorer on the Windows 10 start menu and the yellow folder icon on the quick launch bar. Any ideas what setting it could be? Nothing is standing out.

Thanks

Robbie


How to recover deleted user in AD


One user was accidentally deleted from Active Directory on 2012 servers.

I will not try an authoritative restore. The Active Directory Recycle Bin is turned off. The option that is left is LDP. But under Deleted Objects that user does not appear. Why is that?

Account never lockout or lock policy for application admin user in GPO 2008 r2

How can I set a domain user and application account to "never lock out"?

Active Directory: Account never Lockout Policy

thanks
Naresh T

Logon to domain few min


Hello,

I have 2 domain controllers (WS 2012 R2) and around 150 Win 10 Edu hosts. I have one domain, and when it was set up about 6 months ago, logging in to the domain took a few seconds. Now it takes from 30 sec to even 10 min (!!). I have no roaming profiles, all files are saved on the local machine, and very few GPO policies (I have even tried with a clean host with no GPOs, but got the same result).

Any ideas why it takes so long to log in? I'm typing user/pass, pressing enter, and it takes and takes.

//logging into servers (also on the DC) takes like 2 sec.

Active Directory Forest recovery and Global Catalogue removal issue


Hello,

I work for a big international company with multiple AD domains in one forest.

I am currently testing/validating, in an isolated lab, the forest recovery process written by Microsoft.

It says to restore one DC of each domain, starting with the root domain, in an isolated network or with the network cable unplugged.

Once restored, I have to remove the global catalogue in order to avoid lingering objects. When I do so, my isolated DC has no GC left to contact when it needs to authenticate a user's logon.

The problem is that in the doc they ask to reboot, so when I reboot I can no longer log on to the DC, and booting into DSRM I can't re-add the GC role?!!

Even in the MS white paper they say to remove the GC role on the isolated DC. When I re-add it I get errors like this:

Event Type:    Information
Event Source:    NTDS Replication
Event Category:    Global Catalog
Event ID:    1110
Date:        19/10/2009
Time:        10:23:31
User:       NT AUTHORITY\ANONYMOUS LOGON
Computer:    ADMGT04
Description:
Promotion of this domain controller to a global catalog will be delayed for the following interval.
    Interval (minutes): 30

This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.

 

So is it actually possible to remove the GC role on an isolated DC when restoring?

Thank you

Stéphane

 

TPM problem with initialization and take ownership in a Windows 2012R2 Domain with Windows 7 x64 Enterprise Clients (problem solved but there are still some questions).


Hi @all,

we run a Windows 2012R2 domain with Windows 7 clients. For our notebooks, we use BitLocker. Now we encountered a problem: we were unable to initialize a TPM for the second time because of an "Access Denied Error 0x80070005".

The specific Windows client has a TPM 2.0 chip with UEFI activated.

The operating system is Windows 7 x64 with hotfix KB2920188 installed.

This was the second time we wanted to initialize the TPM, because this specific device is our test notebook. So we removed the computer account from the domain, cleared the TPM, made a fresh install, and after this the error occurred.

After a few hours of reading and testing I came to the following solution.

  1. The problem occurred because we store the TPM password in AD. (I can successfully initialize the TPM if I don't store the TPM password in AD!)
  2. Because we run a Windows 2012R2 domain, the TPM owner information is stored in the "TPM Devices" container in the root of the AD.
  3. Because we deleted the computer account and reinstalled after this, the computer lost the ability to access the entry in the "TPM Devices" container because of missing ACLs.
  4. Once we found the right entry in the "TPM Devices" container and gave the computer the ACLs "everything write", we could initialize the TPM and store the password in AD successfully.

But we still have some questions about this “TPM devices” container.

  1. Is it safe to delete entries in the TPM Devices container which are not referenced by a computer account?
  2. If such an entry is deleted, does a computer create a new one if it needs one?
  3. How is the "cn" created? I noticed (and this was our problem) that it is every time the same "cn" for the same computer.
  4. How do I safely remove a computer from a domain? Do I have to change the domain membership to workgroup? Does this delete the entry in the TPM Devices container too?

Regards,

Ingo
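As an added illustration (this is not code from Ingo's post), the following PowerShell script inventories the objects in the "TPM Devices" container, shows which computer account each one is linked to, and lists the ACEs granted to that computer on the object, so that orphaned entries and missing permissions can be reviewed before anything is deleted. It assumes the ActiveDirectory module (with its AD: drive) and the standard Server 2012 R2 schema names msTPM-InformationObject and msTPM-TpmInformationForComputerBL.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and the default Windows Server 2012 R2 TPM schema (msTPM-InformationObject,
# back-link attribute msTPM-TpmInformationForComputerBL).
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName
$tpmContainer = "CN=TPM Devices,$domainDN"

# Every TPM information object in the container, with its back-link to the
# computer account that owns it (empty when no computer references it).
$tpmObjects = Get-ADObject -SearchBase $tpmContainer -SearchScope OneLevel `
    -LDAPFilter "(objectClass=msTPM-InformationObject)" `
    -Properties "msTPM-TpmInformationForComputerBL", whenCreated

foreach ($obj in $tpmObjects) {
    $ownerDN = $obj."msTPM-TpmInformationForComputerBL"
    $report = [ordered]@{
        TpmObject      = $obj.Name
        Created        = $obj.whenCreated
        LinkedComputer = $null
        ComputerAces   = @()
    }

    if ($ownerDN) {
        $computer = Get-ADComputer -Identity $ownerDN
        $report.LinkedComputer = $computer.Name

        # ACEs on the TPM object that name the computer account itself
        # (the poster's fix was to add such ACEs by hand after a rejoin).
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        $report.ComputerAces = @(
            $acl.Access |
                Where-Object { $_.IdentityReference -like "*\$($computer.SamAccountName)" } |
                ForEach-Object { "$($_.AccessControlType): $($_.ActiveDirectoryRights)" }
        )
    }
    else {
        # Candidate for review: nothing in the domain points at this object.
        $report.LinkedComputer = "(none: no computer account links to this object)"
    }

    [PSCustomObject]$report
}
```

Run it as a user who can read the container; entries reported with no linked computer are the ones Ingo's first question is about, and a linked computer with an empty ComputerAces list is the permission situation described in his step 3.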
