Channel: Directory Services forum

Strange behaviour from new 2012R2 in old domain


Hi all,

At work (education level), I'm starting to take charge of Windows admin, so being a noob admin I'm finding strange behaviours that I hope you can help me solve :-)

We've one (big) domain with about 5000 computers (workers and students all together), and around 50000 users (again, workers and students all together) set up like this:

DC-DOMAIN-1:

Windows Server 2008R2

Shares NETLOGON and SYSVOL

DC-DOMAIN-2:

Windows Server 2003 R2 x64

Shares CertEnroll, NETLOGON, SMSLOGON, SYSVOL

Checking RootDSE, I see 'domainControllerFunctionality is Windows 2003' (DC-DOMAIN-2)

So, with this setup, I've noticed these strange behaviours; I hope the list isn't too big (I guess there will be more behaviours, but these seemed too odd):

1) On DC-DOMAIN-2, WinServer 2003 eventlog, inside 'Directory Service', I found this warning event ID 1083 (Source NTDS Replication):

 

Active Directory could not update the following object with changes received from the domain controller at the following network address because Active Directory was busy processing information.

Object:CN=<a user name>, CN=Users, DC=DOMAIN


Usually followed by an information event (eventid 1955) which says:

   

Active Directory encountered a write conflict when applying replicated changes to the following object.
Object: <SAME USER OBJECT AS PREVIOUS EVENT ID>
Time in seconds: 0
Event log entries preceding this entry will indicate whether or not the update was accepted.
A write conflict can be caused by simultaneous changes to the same object or simultaneous changes to other objects that have attributes referencing this object. This commonly occurs when the object represents a large group with many members, and the functional level of the forest is set to Windows 2000. This conflict triggered additional retries of the update. If the system appears slow, it could be because replication of these changes is occurring.
User Action
Use smaller groups for this operation or raise the functional level to Windows Server 2003.



And, as a result, that user gets blocked in the domain.

2) I've added a new print server based on Windows Server 2012R2 (running inside an updated ESX 5.5 with VMXNET3 ethernet adapter as recommended by vmware), and seen in the event viewer these warnings/errors:

At System log:

Error Event ID 5783, Source NETLOGON:

The session setup to the Windows NT or Windows 2000 Domain Controller \\DC-DOMAIN-2.fulldns.name for the domain DOMAIN is not responsive. The current RPC call from Netlogon on \\PRINTSERVER to \\DC-DOMAIN-2.fulldns.name has been cancelled.

I've seen Event ID 5783 with DC-DOMAIN-1 too....

Error Event ID 5719, Source NETLOGON:

This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following: The remote procedure call failed and did not execute. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO: If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.


At Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin I also found this warning:

Warning Event ID 20499 Source TerminalServices-RemoteConnectionManager:

Remote Desktop Services has taken too long to load the user configuration from server \\DC-DOMAIN-2.fulldns.name for user administrator

3) If I try Group Policy Modeling on DC-DOMAIN-1 (server 2008R2), everything works fine, no matter if I try it against DC-DOMAIN-1 or DC-DOMAIN-2, but if I try this from the Server 2012R2 (the one from point 2), I get this:

Simulation against DC-DOMAIN-2: Gets executed, but all GPOs show as inaccessible, empty or disabled.

Simulation against DC-DOMAIN-1: Sometimes it gets executed as DC-DOMAIN-2, sometimes I get an error saying query can't be executed.

4) From server 2012R2, I usually manage printing GPOs. If I click on the domain root (GPMC, forest, Domains, DOMAIN-NAME-ROOT) right pane, I get a pop-up saying:

'A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again'

After closing the pop-up, the right pane says something like 'DC-DOMAIN-2.fulldns.name' is the baseline domain controller for this domain.

No infrastructure Status information exists for this domain.

Click the Detect Now button below to gather infrastructure status from all of the domain controllers in this domain.

Pressing 'Detect Now' does nothing, and trying to select New Baseline DC shows the same pop-up as before.

5) Last, but not least, I have the feeling that GPOs take too long to apply. I've found scenarios in which, even after executing 'gpupdate /force' correctly on the client computer as either local or domain admin, I can't see the new changes (gpresult says it has been updated, though). But I couldn't find anything in the event log that informs about problems with GPOs...

For all these strange behaviours I've noticed in the last month since I started checking things as sys admin, I believe the domain is damaged, or something is wrong there (not just my new server 2012R2, even if it's running inside an ESX, blehh), so please, any hint on what to check, what to change, what to fix, would be highly appreciated.

Thanks in advance.

