
The specified domain either does not exist or could not be contacted

Hello:

I am trying to resolve a problem with my AD DS infrastructure.

Our domain has three 2008R2 DC's. All are GC's and each host the DNS service and have an AD Integrated copy of the forward lookup zone for the AD DS domain. All are up to date patch wise - in fact it appears that it was one of the patches installed yesterday that has caused the problem.

The problem started sometime overnight when patches were installed on the DC's. One of the DC's did not reboot successfully after the patches were installed and, because of that, it would seem that our entire AD infrastructure is broken - the notable issue being that we cannot log on to our Exchange servers.

The problematic DC was getting a blue screen on boot and the Stop error is "C00002E2 Directory Services Could Not Start",  and the error status was 0xC0000001.

My first recovery efforts involved trying to get the problem DC back online. I tried rebooting in safe mode but that failed, so I booted from the installation DVD and did a "repair". From the command prompt I ran startrep.exe. It went through all its steps and reported that it could not fix the problem. In the startrep log it indicated that all but one of the tests passed - the test that failed reported the following error: "A patch is preventing the system from starting."

Further recovery steps I found required me to boot up in DSRM so I tried that.  As the DSRM password I have recorded does not seem to be correct :-( I decided to move on trying to figure out why the other DC's were not just taking over. 

The first step there was to try to determine why the Exchange 2010 server was not just using a different DC.  Trouble is that I cannot successfully launch either EMC or EMS - the error I am getting is "No logon Servers can be found".  Quite purposefully I did NOT specify a DC or GC for Exchange to use but, apparently, Exchange has decided to use the DC that's down and that's that.  Of course, since I can't get the Exchange tools to start, I can't change that setting. 

Next step was to look at the remaining DC's - my thought was that, as I believe Exchange is pointing to the FQDN of the failed server, perhaps I could just punt that server out of the environment and add a new one with the same name.

So, at this point, I have logged on to both of the other two DC's and, in both cases, when I try to launch AD DS tools like ADUC or ADDT I get: "Naming information cannot be located because: The specified domain either does not exist or could not be contacted" WTF?

As mentioned earlier, all three DC's are GC's, all three are DNS's and have the DNS information for the domain.  While the DC that's down was entered as the 'primary' DNS on our DHCP server, the other two addresses are also set up as DHCP options and, except for name resolution of AD DS systems, the DNS infrastructure is working fine. When I look in the DNS consoles of the remaining DC's the appropriate AD DS info is present.

While it is true that the failed DC holds all the FSMO roles, I don't understand why the other DC's are not accessible - isn't this the point of having multiple DC's in an AD domain??

Any thoughts of what I can try would be much appreciated!

Mike


Controlling domain traffic while logging in at application

Hi Admins :),

I am having some difficulties understanding some of our Domain Traffic. We have recently (past year) grown a lot in size on our Network, and part of that growth meant that we had to install Domain Controllers on all sites to guarantee Availability for our end users. We have our Sites and Services network set up so only connections exist between local and main site (HUB and Spoke).

Our AD traffic goal:

  • When logging in - only use local Domain Controller if possible (1dc), else use our main site (2dc).

When logging in to an application with AD credentials we start to see port 445 traffic. This is no problem; SMB traffic should be allowed to local Domain Controllers and the HUB site DC's. Furthermore, we have no (routing or switching) configuration on our routers and switches for site-to-site connections on port 445, only for the allowed connections between our main site and local site; it is even blocked in the switch ACL in the particular site.

 

Now the problem:

  • When logging in to an application, sometimes the logins are quick (I can see SMB traffic after some 445 to a Local DC or Main Site DC).(approx. 2 seconds)
  • Half an hour later, on the same PC, on the same application, it takes about 24 seconds to log in (ARGH!). Wireshark tells me that the system tries to send TCP packets to all other sites' DC's and gets no answer (because it is blocked at ACL level on the switch) > TCP retransmission > no answer > TCP retransmission > then it finds the local DC or Main Site DC and logs in. SMB traffic is all going well and quick after these TCP 445 packets.

How can I control this behaviour to only look in the Local site or Main Site? Blocking it on the Host Firewall is just not a solution. What is the right way to control this?

Also, all systems know in what site they are (confirmed with nltest /dsgetsite)



Active Directory backup and restore best practice

Hi,

Can anyone explain to me the best method for taking an Active Directory backup for a 2008R2 domain controller?

I have 20 Domain Controllers in 10 sites. Each site has two global catalog servers.


PowerShell export Active Directory users to CSV

I am looking for a script which exports the username, UPN and OU (of each organization... separately).

End to End Procedure to establish relationship between two domains on Windows 2016

Hi,

Looking for an end to end procedure to create a forest trust between two domains in windows.

I need to establish trust relationship between the two domains running windows 2016.
I have installed 2 Windows VMs and configured them as domain controllers.

Please keep me posted on the procedure if any one has any idea on the above request.

Thanks,

Pulla

 


p.Purushotham

Pinging domain.local responds from another subnet

Hi,

I'm writing because I have a big problem in my network. This is the layout:

SITE-A (192.168.1.0/24)

dc1.domain.local : 192.168.1.1  

dc2.domain.local :  192.168.1.2

vpn

SITE-B (192.168.2.0/24)

rodc1.domain.local: 192.168.2.1 (Read only domain controller)

From a client on site B, if I ping domain.local, the response comes from 192.168.1.1 through the VPN.

How can I edit settings so that the response comes from the RODC (192.168.2.1)?

I would like to receive the response from the local server when browsing \\domain.local.


thank you and best regards


Active Directory DMZ and Cloud - Server 2016

Hello Team,

Want to know about the new things added for DMZ in cloud infrastructure in Server 2016.

How DMZ can work with cloud and what things to consider while creating DMZ network in cloud/in premises DC.

Thanks in Advance !!

Question about AD replication and USNs

Can someone please help me with the following question regarding Active Directory replication

I have been reading a number of in-depth articles on AD replication including this one: https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx I have not read the whole of this document at present but I do have a question about what I have read thus far, and I am hoping someone can answer it for me.

Keeping things simple, let say we have two Domain Controllers DC1 and DC2 and we have two user objects User1 and User2 both created on DC1

Now each user is an instance of a class and has its own attributes (based on the attribute Schema for that class)

The first thing I want to clarify is with regards to USN (update sequence number)

As far as I can see there are a number of USN to take into account (please correct me if/where I am wrong)

  1. USN for the partition as a whole (e.g. defaultNamingContext partition holding the users, groups etc.). My understanding is that there is ‘one USN per DC per partition’ which represents the last update (add, delete, amend (e.g. change telephone number of a user object), move) which has happened across all objects it holds in that given partition. For example, if you started off with a USN of 1 and added 10 user objects the USN would now be 11; if you then removed one user object the USN would increment to 12, and if you changed the telephone number of one user and the department of another user the USN would increment to 14.

Question: Is my understanding in 1 above correct? And if not please explain where/why, thanks.

  2. As far as I can see (from reading the document in the above link) ‘each object’ (e.g. user, computer, group etc.) in the partition has its own USN (I think of this as the local USN); in fact I think it has two, which I am thinking of as the Local USN and the uSNChanged. For example, if we again start off with 10 user objects (as above) the partition's USN is 11, however each user object has a USN of 1 (as only one event has occurred per user, e.g. it has been created, and this creation is not influenced by the creation of the other users and thereby each user's own USN is not incremented when other users are added). Next we have to think about the updating and modification of individual attributes of a user object (as I understand AD replication replicates at the attribute level rather than the object level). Leaving aside linked/multi-valued attributes for a moment, if I add a ‘telephone number’ and a ‘department name’ to UserA (both in the same transaction), then later I go back to UserA and change the department to something else, I have made three changes to UserA but in only two separate transactions.

Assuming ‘all’ attributes (for UserA) started off with a USN of 1, then after the first update the USN for both the telephone number and department attributes would have a USN of 2, and the USN for the city attribute would have a USN of 1 (as that was not updated). After the second update the USN for the attribute department would be 3, the USN for telephone would remain at 2 and the USN for city would remain at 1. Also, as we have now made ‘committed’ two separate transaction changes (e.g. saved a set of changes twice, even though we had two changes in the first commit) the USN for the partition as a whole would be incremented by 2.

I also understand that each individual object maintains a USN known as the uSNChanged for the ‘overall’ object which is incremented when one or more of the object's attributes are updated. For example, if the object's department name is updated the uSNChanged is incremented by 1, then if the object's telephone number is updated the uSNChanged is incremented by 1 again. Therefore, uSNChanged should always be higher than or equal to any given attribute USN (assuming attribute changes have their own USN).

Question: Is it correct to say each update to UserA has its own ‘attribute level USN’ which is separate from the partitions overall USN?

Question: Is my understanding of uSNChanged correct?

Question: Assuming ‘the individual attributes’ of an object each have their own USN, is my assumption of how these USNs (and the objects uSNChanged) are updated, compare with the overall partitions USN update behaviour (e.g. every time a change is made within the partition to an object or one of the objects attributes) correct?

Question: If ‘the individual attributes’ do not have their own USN numbering system, how does AD achieve ‘attribute level’ as opposed to object level replication between DCs (e.g. just send the changed attributes, rather than all attributes for the whole object)?


EBrant
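The USN bookkeeping the post reasons about, as an added Python model that is not from the post or from the linked article: it assumes the single per-DC USN counter and the per-attribute replication metadata (local USN and version) that the Microsoft replication documentation describes, leaves out up-to-dateness vector filtering, and the DNs and attribute values are constructed.

```python
"""Toy model of per-DC USN bookkeeping (constructed example, not AD code).

Assumed, per the replication docs the post links: one USN counter per DC;
each originating write (an LDAP add or modify) takes the next value; every
attribute that write touches records it as its local USN and bumps its own
version; uSNChanged is the USN of the object's latest write.
"""


class DomainController:
    def __init__(self):
        self.usn = 0       # the single counter for this DC's database
        self.objects = {}  # dn -> {"usnCreated", "usnChanged", "attrs"}

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def _stamp(self, obj, attrs, usn):
        # Every attribute written in one transaction shares that USN.
        for name, value in attrs.items():
            prev = obj["attrs"].get(name)
            obj["attrs"][name] = {"value": value, "local_usn": usn,
                                  "version": prev["version"] + 1 if prev else 1}
        obj["usnChanged"] = usn

    def create(self, dn, **attrs):
        usn = self._next_usn()             # one add, one USN
        obj = {"usnCreated": usn, "usnChanged": usn, "attrs": {}}
        self._stamp(obj, attrs, usn)
        self.objects[dn] = obj

    def modify(self, dn, **attrs):
        self._stamp(self.objects[dn], attrs, self._next_usn())

    def changes_since(self, watermark):
        # Attribute-level delta for a partner whose high-watermark is
        # `watermark`: only objects written after it, and within them only
        # the attributes whose local USN is newer, not the whole object.
        delta = {}
        for dn, obj in self.objects.items():
            if obj["usnChanged"] > watermark:
                delta[dn] = {n: m["value"] for n, m in obj["attrs"].items()
                             if m["local_usn"] > watermark}
        return delta


def demo():
    dc1 = DomainController()
    a = "CN=UserA,DC=example,DC=local"
    dc1.create(a, sAMAccountName="usera", l="Leeds")
    dc1.create("CN=UserB,DC=example,DC=local", sAMAccountName="userb")
    watermark = dc1.usn                    # partner already has both creates
    dc1.modify(a, telephoneNumber="555-0100", department="Sales")
    dc1.modify(a, department="Marketing")
    at = dc1.objects[a]["attrs"]
    return {"dc_usn": dc1.usn, "usn_changed": dc1.objects[a]["usnChanged"],
            "dept_version": at["department"]["version"],
            "tel_usn": at["telephoneNumber"]["local_usn"],
            "city_usn": at["l"]["local_usn"],
            "delta": dc1.changes_since(watermark)}
```

Running demo() shows the two modifies consuming USNs 3 and 4 from the one counter, the department attribute at version 2 while the untouched city attribute still carries USN 1, and a partner at watermark 2 receiving only UserA's telephone and department values.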


Error in accessing the custom attributes from LDAP thru Classic ASP

Hi Team,

We are using the Classic ASP and querying the LDAP for some attributes. We are getting the following error as 

Unspecified provider error - 80004005

please check and let me know

Thanks

Meena

Security policies don't work on Domain Controllers

I have a very strange problem I have been fighting with for some time. PLEASE HELP

Small domain with two domain controllers, both Windows Server 2012R2. Domain and forest level: 2008R2.

i always disable GPO inheritance on Domain Controller OU to prevent applying some policy by mistake.

And now: I noticed that there are strange issues with user passwords, which led me to debugging GPOs on DCs. What came out is that:

- 'Security Settings' part from Default Domain Controller Policy is not applied on DCs.

- as a workaround I created a policy at root level with the enforcement flag. Behaviour is getting stranger and stranger: one of the DCs [PDC] is applying that policy, but the second one is not!

- if i check 'Modeling Policy Result' - everything seems to be ok. but RSoP shows different results

Modeling result. you can notice that everything is ok by the policies configured - password, lockout, eventlog


RSoP for AD01. Some policies for security settings apply but they are from another policy - the one from the domain root, with enforcement.


RSoP for AD02. Here Security Settings are not applied at all!


I already used dcgpofix to reset policies. I even removed files from sysvol manually and reran dcgpofix again. No change. Restart, installation of hotfixes... no change.

Eventlog is clean - no warnings or errors whatsoever.

HELP!


-o((: Leliv

ASP.NET is not authorized error doesn't work with the Everyone Account

Hi All,

So I have the typical error message:

Description:
An unhandled exception occurred during the execution of the current web
request. Please review the stack trace for more information about the error and
where it originated in the code.

Exception Details:
System.UnauthorizedAccessException: Access to the path
'\\server\c$\Folder\file.htm' is denied.

ASP.NET is not
authorized to access the requested resource. Consider granting access rights to
the resource to the ASP.NET request identity. ASP.NET has a base process
identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that
is used if the application is not impersonating. If the application is
impersonating via <identity impersonate="true"/>, the identity will be the
anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.


To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
appropriate user or group. Highlight the ASP.NET account, and check the boxes
for the desired access.

The problem is I have already used the "everyone" account and I still get the error message and I have also used FileMon and I've added all of the users that it found during the scan (network services, local, etc) and it still spits out the same error message.

WHAT'S THE DEELIO? Can anybody shed some light here?

Where can I download Windows Services for UNIX 3.5?

I cannot find the download URL, please tell me how I can get it, thanks a lot!

NetUserChangePassword invalid parameter

I have a win7 box and a win2008r2 box.  Not sure if this is related to my problem, but the win2008r2 server has KB3177108 installed.  Win7 does not have this patch.

When I run this program on Win7, it works (returns status_success and changes the password).  When I run this on win2008r2, it fails with error 87 - invalid parameter, but it also successfully changes the password...
What am I doing wrong here?

Thanks for looking at this...

#include <windows.h>
#include <lm.h>
#include <stdio.h>

/* NetUserChangePassword is exported by netapi32; link it explicitly. */
#pragma comment(lib, "netapi32.lib")

int wmain(int argc, wchar_t *argv[])
{
    /* Arguments: domain (or server) name, user name, old password, new password.
       Literal values kept from the original post. */
    NET_API_STATUS error = NetUserChangePassword(
                L"mydomain",
                L"lowlyuser",
                L"oldpassword",
                L"newpassword"
                );

    /* NET_API_STATUS is a DWORD, so print it as an unsigned long. */
    wprintf(L"Error = %lu\n", (unsigned long)error);

    return (int)error;
}

Admins sporadically getting "You do not have sufficient privileges to delete " but they have sufficient permissions to delete the object

We've been getting a handful of calls lately from our Network Admins complaining that they can't delete computer accounts.

They get an Active Directory dialog box that states that they are a loser... "You do not have sufficient privileges to delete XXXXXX".

When it occurs, it affects all of the Admins for the particular problem object in question.

As a domain admin and enterprise admin, I am able to delete the object without a problem.

The Admins are able to delete other computer accounts as well as create new computer accounts within the same OU. The security and ownership are identical for both problem objects and non-problem objects.

I'm stumped and I couldn't get any relevant hits on TechNet or the web.

David W. King

Technical Architect - Systems, Information Technology
(919) 784-3889
david.king@rexhealth.com

REX Healthcare, 4420 Lake Boone Trail, Raleigh, NC 27607





AD profile path field help.

When I run set-aduser user1 -profilepath \\server1\Profiles\%username%,
the profile path stays as \\server1\Profiles\%username% in AD.
If I manually type \\server1\Profiles\%username% in the profile path field of Active Directory Users and Computers,
the profile path is changed to \\server1\Profiles\user1.
Can anyone help with why profilepath shows as \\server1\Profiles\%username% after set-aduser user1 -profilepath \\server1\Profiles\%username%?

Thank you!


How to check replication status of sysvol folder

Hi Team,

In the dcdiag report I have an error on DFSREvent, so where can I go and check if the sysvol folders are replicating without any issues? Do we have any commands to check this?

Also, how do I check for DFSR Event replication issues?

Kindly let me know.


Paramesh KA

Active Directory Migration FAQ question from user

Dear team,

Please somebody help to get FAQ from the User on active directory migration. 

Regards,

Hebbar

Active Directory Sync Tool

Hello,

If I have multiple domains, one deployed with ADRMS (let's say "itfellas.rdms") and one which doesn't have it (let's say "itfellas.local", where my users are located), both domains have users equivalent to each other. Now I would want to sync a number of users from the itfellas.local to the itfellas.rdms domain, kinda like how DirSync works between your local AD environment and Azure.

Is there such a tool in MS that would allow me to do that?

The point is, I would like to deploy several services in my laboratory and I want the domain to be the boundary between the domain the actual users use to log in, and a separate domain to deploy the services, like RDMS, ADCS, etc., but I want them to have synced information (including Passwords) between domains so that there is only one point of entry for user information changes.


For God, and Country.

Approach to restore AD before a bulk modification of objects

Hi Guys,

Just want to get your advice on the best approach to restoring the AD. We will be doing a bulk modification on 8K users and one of the requirements is making sure to have a plan in place to back up the AD so that we have a way to restore it in case we mess up the AD.

We are using Symantec NetBackup on all Domain Controllers.

My question is, is restoring the DC from the NetBackup System State the best way? Because it looks like we are doing a full recovery of the Domain Controller itself.

Hoping you can give me an easiest approach.

Thanks,

Powershell move-ADObject questions

Hi,

I have some questions about the using this cmdlet in Powershell.

I know that in order to move objects in AD you need to have rights to delete and create objects, but what I would like to understand is the process of deleting before creating.

Is the current information from the object copied before the object is deleted? If so, is the new object created with the information obtained previously?

Does this cmdlet check the user's permissions on the new (destination) OU before deleting the object?

What happens if the user doesn't have rights to create the object in the destination OU? If it is a computer object, will this computer need to be rejoined to the domain?

Thanks,
