Channel: Directory Services forum

result 8451 (0x2103)


Hi

I can see the below error only for the domain partition.

Repadmin: running command /showrepl against full DC localhost
SDN\DC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: b6044713-e4bb-4793-8b51-fe8346e69d70
DSA invocationID: 0842ddde-d376-46a8-9042-75e3adc9a0b1

==== INBOUND NEIGHBORS ======================================

DC=IHS,DC=com
    EU07\EU07DC01 via RPC
        DSA object GUID: 053667ff-af7a-4868-bb41-b0b1d5a3d5ba
        Last attempt @ 2017-01-10 13:22:18 failed, result 8451 (0x2103):
            The replication operation encountered a database error.
        51 consecutive failure(s).
        Last success @ (never).
    CA151\CA151DC01 via RPC
        DSA object GUID: 23e863aa-0fac-45eb-a2db-964aee9b4284
        Last attempt @ 2017-01-10 13:22:47 failed, result 8451 (0x2103):
            The replication operation encountered a database error.
        109 consecutive failure(s).
        Last success @ (never).
    CA150\CA150DC01 via RPC
        DSA object GUID: 04416d8b-59c4-4f45-8abe-97d0b2db076b
        Last attempt @ 2017-01-10 13:22:49 failed, result 8451 (0x2103):
            The replication operation encountered a database error.
        116 consecutive failure(s).
        Last success @ (never).
    CA002\CA002DC02 via RPC
        DSA object GUID: 75544cac-83c7-4107-82d2-a333dbebae0d
        Last attempt @ 2017-01-10 13:22:53 failed, result 8451 (0x2103):
            The replication operation encountered a database error.
        238 consecutive failure(s).
        Last success @ (never).

    


Read Only DC issues


We have a DMZ zone with some servers that need to connect to our read-only DCs. Replication of both computer accounts and user accounts to the RODC is done.

Firewall rules are in place. Server joined to the domain, and moved to the DMZ zone.

But the server never even tries to connect to the RODCs. I have looked in the firewall logs, nothing. If I open LDAP from the DMZ to the DC on the inside, it works fine. But we do not want that, it should find the RODC, and authenticate.

The DMZ network is also correctly defined in "AD Sites and Services".

Why is the DMZ server not able to find the RODC's? How can we troubleshoot this?

LOGON SCRIPT TO ADD PRINTER WITH IF STATEMENT


Hi,

I'm new to the server game so please excuse me if I am not so clear with my question.

I want to create a logon script in Windows Server 2008 that will add a printer to a profile only if the current profile does not already have the printer installed on logon. Is this possible?

My reason for asking is that if I have a basic logon script that adds a particular printer every time on logon, then when a user sets that printer up to meet their individual preferences, they will lose the preferences when they next log on, as the logon script will install the default.

Login with old passwords.


Hi to all,

I have a strange issue with a Windows 7 notebook. When the user who uses this notebook changes his password, Windows 7 doesn't accept the new password and continues to accept only the old one.

To solve this, I have to log in with the old password, run gpupdate /force, log off, and then the login works successfully with the new password.

One note..... the notebook is often off for some weeks.

Thank you.

Handle multiple companies with AD?


Hi!

Seen some threads about this already but I want to discuss this with my conditions, because I often get very different answers depending on the setup.

How should I handle multiple companies in an Active Directory solution? 

We're hosting 10 separate companies' servers. They are pretty small and vary between 5-10 servers per customer. Each customer has between 1-100 users. Our goal is to have all servers joined to an AD domain for easier management for our admins.

So what options do we have?

  • Single forest with one domain?
  • Single forest with multiple domains/child domains?
  • Multiple forests with trust relationships. (Use 'Selective authentication' for our admins)

The biggest question is of course security, since a forest is a security boundary. Can a good structure, policies and ACLs be an option? Every customer does of course have an isolated network between them.

If Microsoft were to measure our quantity of AD objects, it's a really small environment. I don't know if this should be factored into our decision, but I think it's very inefficient to use ten different forests for this size?

Today we have one forest with a single domain, which one customer is joined to. So I would really appreciate some guidance on how we should proceed with our work to join all servers to an AD domain.

For your information, we're using SCCM in the domain.

Thank you!


Auditing User lockout


Good morning,

I'm trying to troubleshoot a lock out issue.  I know what PC is locking the user account but I can't find which program is doing it on this server.  Any ideas?  I can't find any instances of event id 4625 on the server that is locking the account.  I bet I have to enable some more logging.  Any ideas?

Thanks,

Tim

RODC site coverage


Hi,

Is an RODC able to do automatic site coverage?

Demoting a 2008 R2 DC does not remove the old SYSVOL folder


Hello all and thanks for your time and expertise.

I had to forcefully demote (and then promoted again with a different name) a 2008 r2 dc and I have a question about the old sysvol folder.  Please note we migrated to DFSR replication at least two years ago and it worked fine.  However, when I demoted (and then promoted) this DC today the old sysvol folder was still there.  When we first migrated to DFSR the old sysvol folder was deleted so I don't understand why the old sysvol folder is showing after I promoted this DC. 

I ran a DFS Management health report and replication worked, including this DC, but I was concerned about the old sysvol folder being there.  Is this a problem, should I try and delete the sysvol folder, or should I leave well enough alone.

I just want to follow best practices in this scenario.  Appreciate your advice and recommendations.


AD Replication issue


Hi

I have a primary DC and a backup DC. When I run replication, the backup DC works fine,

but the primary gets an error.



Primary Domain Controller (PDC) & Additional Domain Controller (ADC) concept in server 2012


I want to know the details of the PDC and ADC concept. Previously the concept was PDC and BDC, then PDC/ADC. Now what is the new concept regarding Active Directory on Server 2012? Please clarify this for me. Your cooperation will be highly appreciated.

Thanks,

Babu


Replacement for NIS server role?

As outlined in this blog post: https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/ The NIS role is removed from AD 2016. Does anyone have suggestions for a replacement? We just use native linux tools (samba) to add linux servers to our AD domain. However, in 2016, this seems to prevent group membership from working for file permissions on cifs shares. I'm looking for suggestions of ways around this. 

unsuccessful domain controller demotion


Hi, I am getting the following error while demoting a Windows 2003 domain controller. Our environment consists of 2 Win2008R2 DCs, 2 Win2003R2 DCs and 1 Win2003 DC. All FSMO roles are on one of the Win2008R2 DCs. All are Global Catalogs. When I try to demote the Win2003 DC, the following error occurs:

The operation failed because: Active Directory could not configure the computer account xxxx02$ on the remote domain controller xxxx.xxxxx.local.  "Access is denied."

Have followed the steps in the following MS article and no luck: http://support.microsoft.com/kb/2000939

Please help.

regards,

kishore.ch


Kishore Chakka

Computers point to DC in wrong DC Site Name


Hi, everyone.
I have 2 DC on Windows Server 2008R2.
I have only one Domain (domain.local)
Both DC are located in different places.
The first is DC in the Azure Cloud and the second DC at the office.

The problem is that clients do not correctly determine the "DC Site Name", and when signing in with a domain account, sign-in takes about 2 minutes in the Azure Cloud and is a little faster at the office.
1. I created sites in AD Sites and Services.
2. Moved the DCs into these sites.
3. Configured subnets on the sites.

OfficeSite=192.168.xxx.x/24
CloudSite=100.71.x.x/16
CloudSite=10.0.0.0/8 - this is the VPN subnet, through which the local networks are combined.

OFFICEDC=192.168.xxx.x
CLOUDDC=10.71.xx.xx and 10.1.0.xxx

PC at the office. (Defines the wrong site)

C:\Users\user>nltest /DCLIST:domain.local
Get list of DCs in domain 'domain.local' from '\\CLOUDDC.domain.local'.
    CLOUDDC.domain.local        [DS] Site: CloudSite
      OFFICEDC.domain.local [PDC]  [DS] Site: OfficeSite
The command completed successfully

C:\Users\user>nltest /DSGETSITE
CloudSite
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /KDC
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: CloudSite
Our Site Name: CloudSite
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /GC
           DC: \\CLOUDDC.domain.local
      Address: \\10.1.0.xxx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: CloudSite
Our Site Name: CloudSite
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Cloud-CNF-25dc83cd-f6f3-4731-9cb8-xxxxxxxxxxxx
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /force
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: CloudSite
Our Site Name: CloudSite
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

The Server in the Azure Cloud. (Defines the wrong site)

C:\Users\user>nltest /DCLIST:domain.local
Get list of DCs in domain 'domain.local' from '\\OFFICEDC.domain.local'.
      OFFICEDC.domain.local [PDC]  [DS] Site: OfficeSite
    CLOUDDC.domain.local        [DS] Site: CloudSite
The command completed successfully

C:\Users\user>nltest /DSGETSITE
OfficeSite
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /KDC
           DC: \\OFFICEDC.domain.local
      Address: \\192.168.xxx.x
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: OfficeSite
Our Site Name: OfficeSite
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /GC
           DC: \\OFFICEDC.domain.local
      Address: \\192.168.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: OfficeSite
Our Site Name: OfficeSite
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local
           DC: \\OFFICEDC.domain.local
      Address: \\192.168.xxx.x
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: OfficeSite
Our Site Name: OfficeSite
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /force
           DC: \\OFFICEDC.domain.local
      Address: \\192.168.xxx.x
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: OfficeSite
Our Site Name: OfficeSite
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

The Server in the Azure Cloud. (Defines the right site)

C:\Users\user>nltest /DCLIST:domain.local
Get list of DCs in domain 'domain.local' from '\\CLOUDDC.domain.local'.
    CLOUDDC.domain.local        [DS] Site: CloudSite
      OFFICEDC.domain.local [PDC]  [DS] Site: OfficeSite
The command completed successfully

C:\Users\user>nltest /DSGETSITE
CloudSite
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /KDC
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Cloud-CNF-25dc83cd-f6f3-4731-9cb8-xxxxxxxxxxxx
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /GC
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: CloudSite
Our Site Name: CloudSite
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Cloud-CNF-25dc83cd-f6f3-4731-9cb8-xxxxxxxxxxxx
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS
The command completed successfully


The Server in the Azure Cloud.

C:\Users\User>set logonserver
LOGONSERVER=\\CLOUDDC

Checking replicate.

C:\Users\User>repadmin /showutdvec clouddc dc=domain,dc=local
CachingGUIDs...
CloudSite\CLOUDDC                       @ USN   1770868 @ Time 2016-07-11 14:18:31
OfficeSite\OFFICEDC                        @ USN    958563 @ Time 2016-07-11 14:16:58

OFFICEDC (IP: 192.168.xxx2)

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : D8-CB-8A-5C-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::49xx:xxx7:76x0:439%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.xxx.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.xxx.1
   DHCPv6 IAID . . . . . . . . . . . : 249088906
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-E3-FB-C9-D8-CB-8A-xx-xx-xx

   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.xxx.2
                                       10.1.0.xxx
   Primary WINS Server . . . . . . . : 192.168.xxx.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

CLOUDDC (IP: 100.71.xx.59 and IP: 10.1.0.xxx)
Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : xxxxxxx.d3.internal.xxxxxxx.net
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
   Physical Address. . . . . . . . . : 00-15-5D-E0-xx-xx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::558c:cb94:32xx:x8x4%23(Preferred)
   IPv4 Address. . . . . . . . . . . : 100.71.xx.59(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Saturday, March 26, 2016 11:07:33 AM
   Lease Expires . . . . . . . . . . : Thursday, August 17, 2152 8:59:47 PM
   Default Gateway . . . . . . . . . : 100.71.xx.1
   DHCP Server . . . . . . . . . . . : 100.71.x.218
   DHCPv6 IAID . . . . . . . . . . . : 385881437
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-E3-BA-88-00-15-5D-xx-xx-xx

   DNS Servers . . . . . . . . . . . : 100.71.xx.59
                                       192.168.xxx.2
   Primary WINS Server . . . . . . . : 100.71.xx.59
   NetBIOS over Tcpip. . . . . . . . : Enabled



ADMT 3.2 RPC Problems. ERR3:7585


Hi all

I am scheduled to do a domain migration between a 2003 target domain and a 2008 R2 source domain. The target domain controllers are 2008 R2 and the source domain controllers are 2012 R2.

The source domain has 2 domain controllers, and when I try to do a group migration using each of the servers I get 2 different results. Not entirely sure why. Hoping someone can help.

Source PDC Result:

[Object Migration Section]
2017-01-11 12:44:46 Starting Account Replicator.
2017-01-11 12:45:07 ERR3:7585 The account replicator is unable to continue.   The RPC server is unavailable.
2017-01-11 12:45:07 Operation completed.

Source other DC Result:

[Object Migration Section]
2017-01-11 12:57:19 Starting Account Replicator.
2017-01-11 12:57:26 CN=test              - Created
2017-01-11 12:59:13 ERR2:7111 Failed to add sid history for test to test. RC=1722 
2017-01-11 12:59:15 WRN1:7561 ADMT could not migrate some properties for this object type (group) due to schema mismatches.  Please refer to the Schema Section in the migration log for a complete listing.  The Schema Section will be available once object migration is complete.
2017-01-11 12:59:20 Processing group membership for CN=test.
2017-01-11 12:59:20      Cannot add testuser to CN=test, because testuser has not been migrated to the target domain.
2017-01-11 12:59:23 Operation completed.

On the source PDC I enabled TcpClientSupport, and on the source domain controllers I enabled auditing of Account Management and also DS Access. They are both set to Success and Failure. I also did some advanced auditing settings, as I read someone had to do that part.

I followed this guide as my base setup: https://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html

So we have an external trust between the 2 domains. We have DNS conditional forwarders set up. Now I did mess about with SID filtering. I think I disabled SID filtering, but I ran the commands from both target and source domains.

I know the ADMT server that sits in the target domain works because I can migrate successfully from another domain.

The service account TARGET\AdmtAdmin is domain admin in the target domain and part of the Administrators in the source domain.

In the source domain, on the domain controllers, we ensured that Windows Firewall is off and we completely removed McAfee Endpoint Security Suite.

We are suspecting the site-to-site VPN between the 2 countries and the 2 domains, but the source and the target side both say ANY ANY on their rule set.

Any ideas?

Local Admin for one OU


Hi,

Is it possible in Active Directory to do the following:

- I have a few OUs (one OU per town)

- I want to add administrator permission only to PC's ADM (no ActiveDirectory admin) for a predefined user (one person per OU/town)

Is that possible?
How do I do that?


AD RMS (Server 2012 R2) on ADFS 3.0 Mobile Device Support


Hey all, 

So I have an on prem. AD RMS server set up with mobile device support using the article I will link below.
I was wondering if anyone has successfully set this up, it would seem that my mobile devices (when on the network) cannot access rights management.

Has anyone had any luck with this? 

https://technet.microsoft.com/en-us/library/dn673574(v=ws.11).aspx

LAPS and the dreaded “Trust Relationship Failed”

Having a hard time finding an answer on this exact scenario.

Computer loses domain trust relationship with that message when a user tries to logon.

Attempt to use the LAPS local administrator password gives the exact same error regarding the trust relationship and will not allow logon. Mind that it does *not* give the 'username or password is incorrect' message.

The only solution I have seen to this is the system needs to be totally disconnected from all network traffic, using cached credential information and the user trying new and old passwords to get in.

Unfortunately, I have not had the scenario yet where I can confirm or deny that the LAPS password works in the ‘all network disconnected’ state.

Has anyone else seen this? I am getting reports from techs that the local Administrator always worked in this 'trust failed' scenario before we implemented LAPS. 

Since I have to wait for the Trust to fail on another machine, I haven’t been able to get a good test.

Looking to see if any of you LAPS veterans have seen this too and have any insight.

Thanks!

Policy with IPsec


Hi

We are planning to deploy IPsec using Group Policy. We have two different sites. Site A has DCs set up and running. At Site B, new VMs have been created. Site A and Site B have a firewall in place and we don't want to open all ports, since domain controller promotion involves random ports being opened and we don't have the luxury of doing that. Instead we have deployed IPsec and are now trying to create an IPsec policy. I created a local policy on a Site A server and checked whether the policy was applied or not, but it wasn't applied. We are using 2012 R2. I applied the policy using Computer Configuration --> Windows Settings --> Security Settings --> IP Security Policies. Then I searched some more articles and found that the new way of configuring this on 2012 is Computer Configuration --> Windows Settings --> Security Settings --> Windows firewall with Advanced settings --> Connection Security. Now I have a few questions, which is why I am posting this.

1. Has the way of implementing IPsec changed on 2012 R2 compared to 2008 and 2003?

2. Do we need to apply a group policy or a local policy on the existing DC (bridgehead server for that domain) for communication outside the firewall to Site B? The Site B server is in a workgroup at the moment, so that will definitely be using local policy, but what about the one which is already a DC? Shall I use GP and use security filtering to apply the policy to that DC only, or will the local policy also work?

3. I also saw that some particular Windows Firewall settings need to be configured to allow IPsec traffic. However, in my environment Windows Firewall is off by default. Do we still need to create a policy for this, or will it work automatically without the firewall, considering it is off?

4. What will happen to the other DCs that are not using IPsec, since I am only applying the policy to the bridgehead server on Site A and to the server on Site B? Will the other DCs be forced to use IPsec and end up with no communication, or will they work fine even without the policy?

Kindly help me to get my answers.


Regards Puneet Pandey MCITP

User Hide in GAL


Hi Directory Services Gurus,

I have a mailbox which gets disabled automatically. I found that the attribute msExchHideFromAddressLists was set to true, which means it will not show in the GAL (Global Address List). When I checked further, I found that the user account is disabled for this mailbox, and I read in the article https://social.technet.microsoft.com/Forums/exchange/en-US/7fef86b6-04af-4c1a-98ec-24dd99e6854a/hiding-users-from-global-address-list-in-exchange-2010?forum=exchangesvradminlegacy that if the ID is disabled it will set the attribute to true automatically. My question is how to track this attribute. Where are the logs generated for this attribute? If I have to enable auditing, which auditing will be best suited for this attribute, and should I set it for success, failure or only failure? I can see under repadmin /showobjmeta that the attribute has been modified on a recent date, but I don't know if auditing is enabled for that because I don't know whether it will come under audit object access or directory service access etc. Please provide the answer.

Hope I summarized the question.


Regards Puneet Pandey MCITP

Event 1058 - Error code 5 - Access denied


Good evening,

Due to another issue on our domain (for which I now have a ticket) I tried to reset the permissions on the domain controllers to their default perms using: dsacls "DC=instream,dc=local" /S /T

But it seems to be failing, and since then, when I do a gpupdate on systems, I get an Event 1058 with an Access denied error code.

Would anyone know the proper way to reset the permissions on a forest so that the gpupdate works again?

Thanks
