Channel: Directory Services forum

Temporary Profile Issue for new and some existing users

Hi Guys,

I had an issue with my Exchange server that caused me to recover my AD from a backup. I have been able to resolve the issue with the Exchange server.

During the troubleshooting process, I had to delete some users from Exchange (mailbox and AD object). I recreated those users and created fresh mailboxes for them. The problem now is that these users get a temporary profile message when they log on to their workstation. Our user profiles are stored on a network path. The users that I did not recreate are fine. When I create a new user I get the same error, and I also cannot find the user profile folder in the path specified.

I am at a loss as to how to proceed. Please help if you have experienced this before.

Thanks ..


..forever is just a minute away*


Best place for the FSMO roles?

Hello,

We are moving buildings, and we have 2 domain controllers in this building and 75% of our company staff. In the new building there are 2 new DCs, and as I decommission the 2 DCs in our old building I've moved the FSMO roles to our remote datacenter. It makes me think: should the FSMO roles be closer to the bulk of the users, and should I move them again to our new site?

Thanks 

Pinging domain.local gets a response from another subnet

Hi,

I'm writing because I have a big problem in my network. This is the layout:

SITE-A (192.168.1.0/24)

dc1.domain.local : 192.168.1.1  

dc2.domain.local :  192.168.1.2

vpn

SITE-B (192.168.2.0/24)

rodc1.domain.local: 192.168.2.1 (Read only domain controller)

From a client on site B, if I ping domain.local, the response comes from 192.168.1.1 through the VPN.

How can I edit the settings to get the response from the RODC (192.168.2.1)?

I would like to receive the response from the local server when browsing \\domain.local


Thank you and best regards


Windows Active Directory Custom Schema Attributes

Hi friends


Will try to explain the situation to the best of my knowledge.


Client: Commercial Bank

Users: 3000+

Domain Controllers (5) due to 3 Sites (Primary/Secondary and DR)

Infrastructure 95% Virtualized with exceptions: 1 Physical DC / Backup Server and 4 other servers related to Core Bank Apps

Hypervisor: ESXI 5.5

OS: Windows 2008 R2 and 2012 R2


1 DC is a Windows 2012 R2 all others are Windows 2008 R2.

The Windows 2012 R2 is the FSMO Roles Holder and it is a Physical Server


If you need more info please ask.


The subject:

4 custom attributes were created in 2013; these attributes correspond to Date of Admission / Date of Birth / Date of Dismiss / Date of Transfer, and a Boolean attribute to show whether the user is at the HQ or not.

When these attributes were created they populated the new user accounts and also appeared on the accounts already in the system. There are several HR scripts running on an app which populate these attributes when required.

The problem:

Recently (not sure when) these attributes are not replicating or appearing on a few of the user accounts, and it has reached a level of concern due to HR not being able to report correctly when an employee has been hired, for example.

I thought this was a configuration issue at first and ruled that out; then I researched replicating the schema and checked for replication issues, and ruled that out as well; I created a few new users and none have the custom attributes associated with their accounts; and several other troubleshooting steps.

What i have done so far:

1. Registry key to "allow schema updates"

2. MMC and modify the attribute to contain the option "Replicate this attribute to the Global catalogue"

3. Index this Attribute

4. Force Replication

5. Transferred the Schema Master to a Windows 2008 R2 DC, waited 72 hours, nothing happened, transferred back to the Windows 2012 R2.

6. Removed a user with the attributes in question and re-created them; the attribute never re-appeared.

7. Created several new users and the attributes don't appear.

8. Removed the custom attributes from the "USER CLASS", waited a couple of hours and re-added them in the hope that a schema replication would check the change and re-sync the user objects.


Not sure what I am missing...

I can see the custom attributes on all 5 DCs; if I make a change to them I can see the change replicated to other DCs.

I need these attributes to register with the end users so the HR software can populate them properly.

Can someone help me please?


Thanks for your time

Rui

Windows clients try to connect to a domain controller in a different site

Hello;

I've 2 sites.

All subnets are configured properly.

All nltest commands return the correct answer.

SRV records on the DNS servers point to the correct domain controllers in the sites.

In spite of all the bullets above, firewall logs show that client computers try to access domain controller(s) in a different site via 443.

When I ping the domain name from a client, the client (or DNS) responds with the remote DC's IP.

My recommendation is that clients mustn't send requests to the remote DC. I mean there mustn't be such a necessity.

I am not able to identify which application wants to connect to the remote DC, or why.

I need your suggestions for analysis.

Regards

Tirelibirefe

Client certificate mapping with Domain Users

Hello ,

Environment details: Client - Win2k8 R2(part of domain) and Active Directory - Win2k8 R2

I have a query regarding the Client certificate mapping with Domain Users.

The client certificate is already mapped to a local admin account on the server.

I need a suggestion on whether the same client certificate can be mapped to a domain user, or whether we have to delete the existing mapping and create a new one.

If it is a new one, do we need to create another client certificate and then proceed with mapping that certificate to the domain user account?



Prashant Dev Pandey LIVE IN YOUR OWN WAY

auto mount issue

We have several Windows 2012 R2 servers where the System Reserved partition (350 MB) is automatically mounted to c:\foldername. mountvol shows the mount point. We removed the mounted volume and even the directory on drive C:, and ran mountvol /N. After 5 minutes, the mounted volume came back again.
Is there a way to find out which app automatically mounts the System Reserved partition? How can we disable it?

Thank you!

Workstation domain trust relationship fails for remote-only users

Experts,

We have a handful of users who are remote only (lucky ones) and they connect via Cisco AnyConnect VPN.

They have domain machines (Windows 7/8) and authenticate with domain accounts.

However, after 30 days their machine password fails and we have to either unjoin/rejoin their machines to the domain or ask them to come to work before 30 days.

My impression was that the computer would continue to work no matter when the password was changed.

We would prefer not to change this 30-day setting. Is there any other fix?

~Cheers


Schema Master and Domain naming master transfer fails

I have a test domain currently running at 2008 R2 functional level. I am starting an upgrade to 2012 R2 and have already added a 2012 R2 DC and a 2012 R2 RoDC to the domain. Replication has worked fine and transfer of PDC, RID pool master and Infrastructure manager roles went through fine. However, if I try to transfer Domain naming master it looks like it went fine, the 2012 R2 DC shows it is the owner of the role, but the 2008 R2 DC still says it owns the role, and if I run 

netdom query fsmo

it lists the 2008 R2 DC as the owner of that role. After around 15 minutes the 2012 R2 DC lists the 2008 R2 DC as the role owner again.

If I try to transfer Schema master from the 2008 R2 DC, the current schema master, it tells me it is not connected to the current schema operations master and that this change can only be made from there. Even after telling it to connect it tells me the same thing so I am unable to transfer these last 2 roles to the new DC.

The account I am using for this is domain admin, enterprise admin and schema admin, I have run regsvr32 schmmgmt.dll from an elevated command prompt and added the AD Schema snap in to an MMC console.

I have done this numerous times in other domains but never seen this issue before. Has anyone else seen this and if so how did you get around it?

Continuing support for the DirSync LDAP extension?

We have seen that MS will be moving away from supporting the cloud-synch products Windows Azure Active Directory Sync ("DirSync") and Azure Active Directory Sync ("Azure AD Sync") in favour of Azure Active Directory Connect.

Has there been any official announcement regarding the LDAP control also called DirSync?  My assumption is that it will continue to be a feature of future server products, because--you know, angry mob--but that is just my assumption.

Perhaps my search mojo is failing me but I cannot find an official clarification.  Have any of you seen or heard anything?

Many thanks in advance.

Partial Date match in LDAP query

Hi,

Is it possible to write an LDAP query in which only the day and month are considered when matching the date?

E.g.

If the birth date is 28/09/1989, then the LDAP query should filter all the identities whose month is 09 and day is 28.

Thanks and regards,

Mayank

Error while promoting a server to a Domain Controller: Verification of outbound replication failed, error reading the NTDS settings on replication source domain controller server.domain.com, the RPC server is unavailable

Hello,

I encountered this kind of error while promoting my Windows Server 2012 to Domain Controller. I just have 1 DC in a single forest and a single domain. I was trying to make a secondary DC, but no good. Anyway, I tried to run dcdiag on the PDC and it shows the result below:

C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = S11094-AAD
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\S11094-AAD
      Starting test: Connectivity
         ......................... S11094-AAD passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\S11094-AAD
      Starting test: Advertising
         ......................... S11094-AAD passed test Advertising
      Starting test: FrsEvent
         ......................... S11094-AAD passed test FrsEvent
      Starting test: DFSREvent
         ......................... S11094-AAD passed test DFSREvent
      Starting test: SysVolCheck
         ......................... S11094-AAD passed test SysVolCheck
      Starting test: KccEvent
         ......................... S11094-AAD passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... S11094-AAD passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... S11094-AAD passed test MachineAccount
      Starting test: NCSecDesc
         ......................... S11094-AAD passed test NCSecDesc
      Starting test: NetLogons
         [S11094-AAD] User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... S11094-AAD failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... S11094-AAD passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,S11094-AAD] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
         "Replication access was denied."
         ......................... S11094-AAD failed test Replications
      Starting test: RidManager
         ......................... S11094-AAD passed test RidManager
      Starting test: Services
            Could not open NTDS Service on S11094-AAD, error 0x5 "Access is denied."
         ......................... S11094-AAD failed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/18/2016   10:47:49
            Event String:
            Driver Lexmark Universal v2 PS3 required for printer !!sgbpcolcl01ps!Lexmark is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/18/2016   10:47:49
            Event String:
            Driver PDF Complete Converter required for printer PDF Complete is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/18/2016   10:47:50
            Event String:
            Driver HP ePrint required for printer HP ePrint is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/18/2016   10:47:50
            Event String:
            Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/18/2016   10:47:50
            Event String:
            Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
         ......................... S11094-AAD failed test SystemLog
      Starting test: VerifyReferences
         ......................... S11094-AAD passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : MHA13INTER
      Starting test: CheckSDRefDom
         ......................... MHA13INTER passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... MHA13INTER passed test CrossRefValidation

   Running enterprise tests on : MHA13INTER.LOCAL
      Starting test: LocatorCheck
         ......................... MHA13INTER.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... MHA13INTER.LOCAL passed test Intersite


I also tried the answer at the link below, but still no luck.

https://social.technet.microsoft.com/Forums/office/en-US/20ea278d-c3b5-435e-aec6-1fab0aa286dc/verification-of-outbound-replication-failed-error-reading-the-ntds-settings-on-replication-source?forum=winserverDS

Hope someone can help me on this. 

Remove synchronized AD users from Azure/Office365

Hi

Sorry for putting this question in what may be the wrong forum.

I've installed the AD Connect tool and synchronized our AD objects to Azure.

I later found out that I should have picked a specific OU, because it's better not to sync unnecessary users.

I've tried to change to an empty OU and sync, but all users are still in Office365 and Azure.

How to remove AD synchronized users and groups from Office 365?

Unable to connect to Domain Controller

I have recently gotten an HP Gen 8 microserver, the G1610t. I've been following the TechNut guide to setting it up on YouTube, found at: https://www.youtube.com/playlist?list=PLfYIS7PWFoq5zRq9ObjDbKa-R07CwbHBV

Pretty good series and mostly smooth sailing so far until trying to join the server to the domain I have set up using sconfig where I get the error:
"The specified domain either does not exist or could not be contacted"

So, Windows 2012 on the server, configured not through Hyper-V Server but by remoting onto the desktop and setting up, only real difference I've had so far to the videos, can't see that being the issue.

On the server, using Hyper-V Manager I have created a new virtual switch and a new VM called HOME-DC01 using the Windows 2012 evaluation iso available at https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2

I'm intending this VM to be the domain controller. Once started, I applied all available patches and restarted. Then in Server Manager, using the Add Role wizard, I added the Active Directory Domain Services role. I promoted the server to Domain Controller and then created a new forest and specified the domain name as home.local. Installation seems to go OK, I can log in, services seem to be running, and looking in Server Manager after RDP'ing into the server all roles are green (AD DS, DNS, File and Storage Services as well as Local Server and All Servers).

Back on the microserver, I have changed the DNS server to be the new domain controller using sconfig. Ping to the Domain Controller using the IP address and the hostname both work. I've used google (8.8.8.8) as the secondary DNS.

Now when I try to change the domain in sconfig, I get the error:
"The specified domain either does not exist or could not be contacted"

I think the firewalls are open as needed as I've run:
Set-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Enabled true
Set-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Enabled true
Set-NetFirewallRule -DisplayName "Windows Firewall Remote Management (RPC)" -Enabled true
Set-NetFirewallRule -DisplayName "Windows Firewall Remote Management (RPC-EPMAP)" -Enabled true

Can anyone help with my error? Point me in the direction of what else I should check or what I might have missed? I've tried recreating the VM again but got the same results (which is good as it's consistent). Been at this a week and making no progress.

Disable LDAP anonymous directory access in Windows Server 2008 R2 SP1 domain environment

Hello Friends,

During the security audit it was suggested that we disable LDAP anonymous directory access. I found multiple articles which suggest changing the value of dSHeuristics; we need to change the seventh character to 0 or 2.

However, when I checked this value using ADSI Edit I found it is set as Not Set.

On a few MS forums it is mentioned that LDAP anonymous directory access is disabled by default in Windows 2003 and above systems.

Could someone help me with this and let me know if changing the value will actually help me disable LDAP anonymous directory access so that it will not get captured in the next security scan, or is this a false positive?

Regards,

SGH.


MCP, MCTS
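
A read-only check for the dSHeuristics question above, as an added example that is not part of the original post: only a literal 2 in the seventh character (fLDAPBlockAnonOps) allows anonymous LDAP operations beyond rootDSE searches and binds, while an unset attribute, a shorter string or any other value keeps them blocked. The function name Get-LdapAnonymousOpsState and the sample strings are constructed for illustration.

```powershell
# Added example: interpret the seventh character of dSHeuristics (fLDAPBlockAnonOps).
# Get-LdapAnonymousOpsState and the sample strings below are constructed for illustration.
function Get-LdapAnonymousOpsState {
    param(
        [AllowNull()][AllowEmptyString()]
        [string]$DSHeuristics   # raw attribute value; '' when ADSI Edit shows <not set>
    )

    $shown   = '<not set>'
    $seventh = '<absent>'
    if (-not [string]::IsNullOrEmpty($DSHeuristics)) {
        $shown = $DSHeuristics
        if ($DSHeuristics.Length -ge 7) {
            # Zero-based index 6 is the seventh character.
            $seventh = $DSHeuristics.Substring(6, 1)
        }
    }

    # Only a literal '2' switches anonymous LDAP operations on. Anything else,
    # including an unset attribute, leaves them blocked; rootDSE searches and
    # binds stay available to anonymous clients in either case.
    $allowed = ($seventh -eq '2')

    if ($allowed) {
        $finding = 'Anonymous LDAP operations are ENABLED; subject to ACLs for ANONYMOUS LOGON'
    } else {
        $finding = 'Anonymous LDAP operations are blocked (only rootDSE search and bind)'
    }

    [pscustomobject]@{
        DSHeuristics        = $shown
        SeventhCharacter    = $seventh
        AnonymousOpsAllowed = $allowed
        Finding             = $finding
    }
}

# Constructed sample values: unset, too short to reach position 7,
# seventh character 0, seventh character 2.
$samples = @('', '001', '0000000', '0000002')
$samples |
    ForEach-Object { Get-LdapAnonymousOpsState -DSHeuristics $_ } |
    Format-Table -AutoSize -Wrap

# To evaluate the live forest value instead of the samples (requires the
# ActiveDirectory module and read access to the configuration partition):
# $cfg = (Get-ADRootDSE).configurationNamingContext
# $obj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dSHeuristics
# Get-LdapAnonymousOpsState -DSHeuristics $obj.dSHeuristics
```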


KDC/Replication unable to fix

So I have been pounding on this for a few days.

hqdc1 Server 2008 R2 (FSMO)(PDC)

baldc1 Server 2008

stldc2 Server 2008

Opened up the DFS replication wizard to add a new DFS share that involves shares on multiple DCs. I get an "Access Denied".

Open up a terminal to do a dcdiag on baldc1:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hqdc1$. The target name used was LDAP/69148d17-f64b-475e-b0c8-32154325634f3._msdcs.changed.for.this.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (changed.for.this.com) is different from the client domain (changed.for.this.com), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Tried to run the TechNet article: Reset-the-krbtgt-account-581a9e51

but that fails on step 2.

I am thinking it's time to break down the domain, and run an adprep or something similar to start over. Any ideas?

Unable to open DNS service console and perform AD replication to one DC ?

People,

Can anyone here please share the steps to fix this issue, where the Repadmin result is showing an error from PRODDC01-VM 192.168.1.200 into PRODDC02-VM 192.168.1.201?

Also, I cannot manage the PRODDC02-VM DNS either locally or from PRODDC01-VM.

Here is some additional information:

PRODDC01-VM DCDIAG:

PS C:\> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = PRODDC01-VM
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: SYDNEY\PRODDC01-VM
      Starting test: Connectivity
         ......................... PRODDC01-VM passed test Connectivity

Doing primary tests

   Testing server: SYDNEY\PRODDC01-VM
      Starting test: Advertising
         ......................... PRODDC01-VM passed test Advertising
      Starting test: FrsEvent
         ......................... PRODDC01-VM passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... PRODDC01-VM failed test DFSREvent
      Starting test: SysVolCheck
         ......................... PRODDC01-VM passed test SysVolCheck
      Starting test: KccEvent
         ......................... PRODDC01-VM passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... PRODDC01-VM passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... PRODDC01-VM passed test MachineAccount
      Starting test: NCSecDesc
         ......................... PRODDC01-VM passed test NCSecDesc
      Starting test: NetLogons
         ......................... PRODDC01-VM passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... PRODDC01-VM passed test ObjectsReplicated
      Starting test: Replications
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PRODDC02-VM
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         ......................... PRODDC01-VM passed test Replications
      Starting test: RidManager
         ......................... PRODDC01-VM passed test RidManager
      Starting test: Services
         ......................... PRODDC01-VM passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 11/17/2016   20:44:40
            Event String:
            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 11/17/2016   20:44:45
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/PRODDC01-VM.KTM.COM; WSMAN/PRODDC01-VM.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 11/17/2016   20:44:57
            Event String:
            Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x0000168D
            Time Generated: 11/17/2016   20:45:31
            Event String:
            The following DNS server that is authoritative for the DNS domain controller locator records of this domain controller does not support dynamic DNS updates:
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 11/17/2016   20:45:31
            Event String:
            Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 11/17/2016   20:46:02
            Event String:
            Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 11/17/2016   20:54:40
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         ......................... PRODDC01-VM passed test SystemLog
      Starting test: VerifyReferences
         ......................... PRODDC01-VM passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : KTM
      Starting test: CheckSDRefDom
         ......................... KTM passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... KTM passed test CrossRefValidation

   Running enterprise tests on : KTM.COM
      Starting test: LocatorCheck
         ......................... KTM.COM passed test LocatorCheck
      Starting test: Intersite
         ......................... KTM.COM passed test Intersite
PS C:\>

PRODDC02-VM DCDIAG:

PS C:\Users\Administrator.KTM> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = PRODDC02-VM
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: SYDNEY\PRODDC02-VM
      Starting test: Connectivity
         The host 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM could not be resolved to an IP address. Check the
         DNS server, DHCP, server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... PRODDC02-VM failed test Connectivity

Doing primary tests

   Testing server: SYDNEY\PRODDC02-VM
      Skipping all tests, because server PRODDC02-VM is not responding to directory service requests.


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : KTM
      Starting test: CheckSDRefDom
         ......................... KTM passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... KTM passed test CrossRefValidation

   Running enterprise tests on : KTM.COM
      Starting test: LocatorCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... KTM.COM failed test LocatorCheck
      Starting test: Intersite
         ......................... KTM.COM passed test Intersite
PS C:\Users\Administrator.KTM>

From the below screenshot, you can see that the AD object created from PRODDC02-VM 192.168.1.201 is replicated successfully in PRODDC01-VM 192.168.1.200

Any help would be greatly appreciated.

Thanks.



/* Server Support Specialist */

Transfer the FSMO roles from Windows 2003 to Windows 2012 R2 and raise the functional levels to 2012 R2

Can I get the procedure for the below?

1. Transfer the FSMO roles from Windows 2003 to Windows 2012 R2 and raise the functional levels to 2012 R2

2. Transfer the FSMO roles from Windows 2003 to Windows 2008 R2 and raise the functional levels to 2008 R2

3. What is the risk if we raise to the 2012 R2 functional levels?

4. What is the difference between the 2008 R2 and 2012 R2 functional levels?

5. Which is recommended?

Adding 2 new DCs in an existing mixed AD environment

Currently I have 2 domain controllers (one Windows 2008 R2 and the other Windows Server 2012 Standard) in our AD. Now I need to add 2 more DCs. Can I add Windows Server 2012 "R2" as a new domain controller in this mixed environment, or should I stick to Windows 2012 Standard for the new DCs, please?
Any thoughts?

Active Directory user and group migration

Can anyone tell me which objects I need to migrate using ADMT, like groups, users or computers?


