Channel: Directory Services Forum

500+ AD Sites, but only 150 with DCs?


My company is looking to automate AD support using System Center.  To that end, they want to create an AD Site for every site in the networking DB (outside of AD).  This means any site with a network presence, regardless of the computers, servers, etc. present, will be an AD Site.  We'll have 500+ sites but only ~150 DCs.  Furthermore, they want to use manually created DNS records to identify which DC a client should use instead of letting the KCC generate the topology (automatic site coverage and Next Closest Site).

We're transitioning from a W2K3 forest to a W2K12 forest... ideally we will have the same topology in both forests, but that is not a requirement.  I'm mainly focused on the new 2012 environment for now.

I work with AD on a limited basis and the only rebuttal I have is that this is against Microsoft best practices.  Does anyone have a more concrete reason why this is or is not a good plan?


Issue in Child domain


Hi,

We have a parent/child domain environment. The child domains are in remote cities and are connected over VPNs. Two of them are working fine, but I have a problem in one child domain: when I go into "Domains and Trusts" on the root domain controller and open the properties of the child domain, it gives me the following error:

"you cannot modify domain or trust information because a primary domain controller (pdc) emulator"

I can ping the child domain controller by IP and host name.

Please help me out.

"Impersonate a client after authentication" option in registry? Please help.


Hi,

I have real trouble. Our client has one Windows 2000 domain and one DC. Step by step I installed a Windows 2003 DC. After the reboot I get this issue:
http://support.microsoft.com/kb/933994

The problem is that I cannot accomplish step two. I cannot access the DC GPO as it is not available, and the GPO section in the DC OU is greyed out. As the DC GPO is applied, I cannot edit the GPO through gpedit.msc.

How can I access the GPO, or is there any way to edit "Impersonate a client after authentication" in the registry?

thank you,



DFS replication question (FRS, not newer DFSR)


We have a DFS namespace called ADMgmt that we have on our Domain Controllers (we use it to hold our AD scripts and some other stuff).  Our writeable DCs are namespace servers in DFS.  So the DFS looks like this:

Namespaces -> \\DC01\ADMgmt, \\DC02\ADMgmt, \\DC03\ADMgmt

The ADMgmt share on each DC replicates to the others, and here is where I am confused.  There are no replication groups for the entire domain.  In DFS, if I click on "Add Replication Groups to Display..." and then search the domain, nothing shows up.  But replication is most definitely working. 

I know that SYSVOL has some information for replication partners in ADSIEdit, so I thought I would check there.  Sure enough there is a listing for the ADMgmt share in ADSIEdit, under Default naming context -> DC=<domain>,DC=com -> CN=System -> CN=File Replication Service -> CN=DFS Volumes -> CN=ADMgmt.  There are 3 folders, one for each writeable DC (so DC01, DC02, DC03), showing the objectGUID for the DC.   In each folder, there is a nTDSConnection object for each of the other DCs.  So DC01 folder has a nTDSConnection object for DC02 and DC03.  This all makes sense as far as what is happening.

My question is: how did this information get into ADSIEdit if DFS says there are no replication groups in the entire domain?  Were these ADSIEdit entries added manually by my predecessor?  I took over this environment about a year ago, and this is the first time I am adding a new DC to the environment, so I need to have the ADMgmt folder replicate to the new server.

Any help would be appreciated. 
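An added example, not code from the post or from Microsoft: FRS stores its topology as objects in AD under CN=File Replication Service,CN=System (the path the post found in ADSIEdit), whereas DFS Management's "Add Replication Groups to Display" only lists DFSR replication groups, so an FRS-replicated DFS root never appears there. The script below walks that FRS tree with plain ADSI and prints each replica set, its members and the connection objects between them. It assumes it runs as a domain user with read access to the System container; the function name Show-FrsTree is the writer's own.

```powershell
# Added example (not from the original post): dump the FRS replica-set objects that
# live in AD. Class and attribute names (nTFRSReplicaSet, nTFRSMember,
# nTDSConnection, frsComputerReference, fromServer) are the standard AD schema names.
function Show-FrsTree {
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [int]$Depth = 0
    )
    $indent = '  ' * $Depth
    $name   = [string]$Entry.Properties['cn'].Value
    switch ($Entry.SchemaClassName) {
        # One per replicated folder: "Domain System Volume (SYSVOL share)" or a DFS root/link
        'nTFRSReplicaSet' { "$indent[ReplicaSet] $name" }
        # One per member server; the CN is often a GUID, frsComputerReference names the computer
        'nTFRSMember'     { "$indent[Member]     $name  computer = $($Entry.Properties['frsComputerReference'].Value)" }
        # Inbound connection: this member pulls from the member named in fromServer
        'nTDSConnection'  { "$indent[Connection] $name  fromServer = $($Entry.Properties['fromServer'].Value)" }
        default           { "$indent[$($Entry.SchemaClassName)] $name" }
    }
    foreach ($child in $Entry.Children) {
        Show-FrsTree -Entry $child -Depth ($Depth + 1)
    }
}

# Bind to the FRS container of the current domain without hard-coding the domain DN.
$domainNc = ([adsi]'LDAP://RootDSE').Get('defaultNamingContext')
$frsRoot  = [adsi]"LDAP://CN=File Replication Service,CN=System,$domainNc"
Show-FrsTree -Entry $frsRoot
```

Each member object with its connection objects is exactly what the post saw as "one folder per DC with an nTDSConnection for each other DC", so nothing there needs to have been hand-made. Adding a member to an FRS replica set is not something DFS Management does; the Windows Server 2003 DFS console (dfsgui.msc) managed FRS replication for DFS roots, `ntfrsutl sets` on a DC shows the same replica sets from the service's side, and the durable fix is migrating the folder to DFSR.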

event id 1168 error value 1032 Internal ID: 160207d1


This event just showed up on my Windows 2008 R2 server.  I have 3 domain controllers (2 of them are Windows 2003 SP2 and 1 is Windows 2008 R2) and it doesn't appear on the Windows 2003 servers.

Internal error: An Active Directory Domain Services error has occurred. 
 Additional Data 
Error value (decimal):
-1032 
Error value (hex):
fffffbf8 
Internal ID:
160207d1

NtFrs service cannot be started (Win 2008R2 SP1)


Hi,

Because of replication problems I checked the NTFRS service on one domain controller. The service was set to Disabled, so I changed it to start automatically. After that I tried to start the service, but it failed with the following error message:

Windows could not start the File Replication service on SERVERNAME.

Error 1053: The Service did not respond to the start or control request in a timely fashion.

In Eventlog the error is logged as (7009, Service Control Manager): A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.

I tried to debug the issue by setting the "HKLM\SYSTEM\CCS\services\NtFrs\Parameters\Debug Log Severity" registry entry to 5. In the NtFrs logs there's only this message every time I start the service:

<DbgInitLogTraceFile:           3980:  1875: S0: 12:26:31> :S: Full pathname for c:\windows\system32\ntfrs.exe
<Migrate:                       3980:  1376: S0: 12:26:31> Returning DFSR Migration Local state: 3.
<QHashInsert:                   3980:   639: S5: 12:26:31> QHash Insert (000fd750): Entry: 000fddc0  Tag: 00000000 c0003507, Data: 00000003 04f675e7, Flags: 00000000
<FrsPrintEvent:                 3980:   618: S0: 12:26:31> :E: Eventlog written for EVENT_FRS_STOPPED_ELIMINATED_STATE (13575) severity: Error  at: Mo, Dez 12 2011  12:26:31

I don't know how to check what exactly is causing that problem or how to fix it.

 

The system is Windows 2008 R2 Standard with SP1; all Windows updates are applied.

I also changed the timeouts to

ServicesPipeTimeout     60000

WaitToKillServiceTimeout    30000

but no success; the same errors occur again. Then I restarted the server (with the service set to Automatic), but after the reboot the service is still down.

In the eventlog there's still the error message of:

A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.

and I was asked to run the following:

Run dcdiag /q and repadmin /replsum and post the log.

The log is below:



C:\Users\Administrator>repadmin /replsum
Replication Summary Start Time: 2013-02-15 14:05:45

Beginning data collection for replication summary, this may take awhile:
  ....


Source DSA          largest delta    fails/total %%   error


Destination DSA     largest delta    fails/total %%   error



C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = server
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER
      Starting test: Connectivity
         ......................... SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER
      Starting test: Advertising
         ......................... SERVER passed test Advertising
      Starting test: FrsEvent
         ......................... SERVER passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER failed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVER passed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVER passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER passed test ObjectsReplicated
      Starting test: Replications
         ......................... SERVER passed test Replications
      Starting test: RidManager
         ......................... SERVER passed test RidManager
      Starting test: Services
         ......................... SERVER passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:17:22
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:22:27
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:27:33
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:32:35
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:37:41
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:42:47
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:47:54
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:52:56
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0xC0001B61
            Time Generated: 02/15/2013   13:54:14
            Event String:
            A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
         An error event occurred.  EventID: 0xC0001B61
            Time Generated: 02/15/2013   13:54:43
            Event String:
            A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
         An error event occurred.  EventID: 0xC0001B61
            Time Generated: 02/15/2013   13:56:50
            Event String:
            A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   13:58:03
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0xC0001B61
            Time Generated: 02/15/2013   13:59:56
            Event String:
            A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
         An error event occurred.  EventID: 0xC0001B61
            Time Generated: 02/15/2013   14:01:51
            Event String:
            A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   14:03:09
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   14:08:13
            Event String:
            There was an error while attempting to read the local hosts file.
         An error event occurred.  EventID: 0x000003F4
            Time Generated: 02/15/2013   14:13:18
            Event String:
            There was an error while attempting to read the local hosts file.
         ......................... SERVER failed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : AdvancePanels
      Starting test: CheckSDRefDom
         ......................... AdvancePanels passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... AdvancePanels passed test CrossRefValidation

   Running enterprise tests on : AdvancePanels.com
      Starting test: LocatorCheck
         ......................... AdvancePanels.com passed test LocatorCheck
      Starting test: Intersite
         ......................... AdvancePanels.com passed test Intersite

C:\Users\Administrator>

Login info on domain


Hello all,

I want to get a list of users that have logged on to their PCs (which are on the domain) on a specific date.

Is this possible to get via any command?

I do not want last logon details. For example, I want to know who logged on to the domain (their PCs) on 10 Feb 2013.

Grateful for any help...
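An added example, not code from the post: a domain logon from a domain-joined PC leaves event 4768 (a Kerberos TGT was requested) on whichever DC issued the ticket, so the DCs' Security logs are the domain-wide record of who logged on and when; the workstations' own 4624 events would have to be collected per machine. The script below lists the accounts that obtained a TGT on one calendar day across all DCs. It assumes Windows Server 2008 or later DCs (Windows Server 2003 logs the equivalent as event 672 in a different format and is not covered), that the "Audit Kerberos Authentication Service" subcategory is enabled, and that the Security log has not yet rolled past the date in question; the `$Day` parameter is the writer's own.

```powershell
# Added example (not from the original post): who obtained a Kerberos TGT on a given day.
param(
    [datetime]$Day = [datetime]'2013-02-10'   # the date asked about in the post
)

$start = $Day.Date
$end   = $start.AddDays(1)

# Ask every DC: a user may have authenticated against any of them, and event logs are not replicated.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       ForEach-Object { $_.Name }

$logons = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4768; StartTime = $start; EndTime = $end
        } -ErrorAction Stop
    } catch {
        # "No events were found" and RPC/firewall failures both land here; report and move on.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data> elements; turn it into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Status'] -ne '0x0')          { continue }   # failed TGT request (bad password, expired account, ...)
        if ($data['TargetUserName'] -like '*$') { continue }   # computer accounts request TGTs too
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = $data['TargetUserName']
            ClientIP = $data['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
            DC       = $dc
        }
    }
}

# One row per user: first and last ticket of the day, how many, and from which addresses.
$logons | Group-Object User | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        User      = $_.Name
        FirstSeen = $sorted[0].Time
        LastSeen  = $sorted[-1].Time
        Tickets   = $_.Count
        From      = ($sorted | ForEach-Object { $_.ClientIP } | Sort-Object -Unique) -join ','
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

The answer is only as good as the log retention: a busy DC's Security log can wrap in hours, so for "who logged on three weeks ago" questions the events need to have been forwarded to a collector or SIEM at the time. Lock/unlock and re-authentication also request tickets, which is why the summary keeps first and last seen rather than treating every 4768 as a fresh logon.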

Any "gotchas" with having both a forest trust and external trust in place?


Hi everyone,

We have 2 AD forests. The first forest, Forest A, has 3 domains: an "empty" root domain (yeah, we go back a long way) and 2 child domains. The second forest, Forest B, has a single domain.

There is currently a two way forest trust between Forest A and Forest B - no problems there.

Now we have a member server in one of the child domains in Forest A, that hosts the Cisco ACS 4.2 software. We use this server to authenticate wireless users  in the child domains in Forest A using EAP-TLS.

To cut to the chase, we are having problems extending the Cisco ACS software to cover users in the single domain in Forest B. The root cause is that the Cisco ACS software does not "see" Forest B's domain in its "available domains" list. I get similar behaviour with the "NLTEST /server:<server name> /trusted_domains" command. If I run this command targeted at either the Cisco ACS member server or a domain controller within its child domain in Forest A, I do not see Forest B's domain in the list of trusts.  However, if I run the command targeted at a domain controller in the root domain of Forest A, then I get the full list of trusts including the forest trust. I guess this is expected as there is no direct trust relationship between the child domains in Forest A and the root of Forest B.

By my reckoning I have to choose between relocating the Cisco ACS server to the root domain of Forest A or creating an external trust between the child domain hosting the Cisco ACS server in Forest A and the root of Forest B.

Now creating an external trust in addition to the existing forest trust certainly appears possible. Can anyone advise whether I'm likely to come across any problems with doing this? 

I am currently loath to move the ACS member server to the root domain due to its limited number of users with logon privileges. I would hate to have to open this up to a much larger community to support the ACS server.

Opinions as to the coexistence of a forest and external trust in my situation would be appreciated.



LastLoginTime of Mailbox and LastLogon of User

Where exactly is LastLogonTime retrieved from when executing Get-MailboxStatistics? Because the lastLogon time stored in AD and the LastLogonTime retrieved from Get-MailboxStatistics differ by seconds!
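
An added example, not code from the post: Get-MailboxStatistics' LastLogonTime is the mailbox store's record of the last client access to the mailbox and is not an AD attribute, so a difference of seconds from AD is expected. On the AD side there is no single value either: lastLogon is updated only on the DC that authenticated the user and is never replicated, while lastLogonTimestamp is replicated but by default only refreshed when the stored value is more than 14 days old. The script below queries lastLogon and lastLogonTimestamp on every DC for one account and reports the newest, using plain ADSI (no AD module); the helper names are the writer's own.

```powershell
# Added example (not from the original post): collect per-DC lastLogon for one user.
param([Parameter(Mandatory = $true)][string]$SamAccountName)

# Escape the characters that have meaning in an LDAP filter (RFC 4515); backslash first.
$escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

function Get-FileTimeValue($Props, [string]$Name) {
    # Large-integer attributes come back as Int64; absent or 0 means "never".
    $v = $Props[$Name]
    if ($v.Count -eq 0 -or [int64]$v[0] -eq 0) { return $null }
    [datetime]::FromFileTime([int64]$v[0])
}

$domainNc = ([adsi]'LDAP://RootDSE').Get('defaultNamingContext')
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

$perDc = foreach ($dc in $dcs) {
    # Bind the search to this specific DC so we read its local, unreplicated copy.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$($dc.Name)/$domainNc"
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('lastLogon', 'lastLogonTimestamp'))
    try { $r = $searcher.FindOne() } catch { Write-Warning "$($dc.Name): $($_.Exception.Message)"; continue }
    if ($null -eq $r) { continue }
    [pscustomobject]@{
        DC                 = $dc.Name
        lastLogon          = Get-FileTimeValue $r.Properties 'lastlogon'           # result keys are lower-case
        lastLogonTimestamp = Get-FileTimeValue $r.Properties 'lastlogontimestamp'
    }
}

$perDc | Format-Table -AutoSize
$newest = $perDc | Where-Object { $_.lastLogon } | Sort-Object lastLogon -Descending | Select-Object -First 1
if ($newest) {
    "Most recent AD logon for ${SamAccountName}: $($newest.lastLogon) (recorded on $($newest.DC))"
} else {
    "No DC has a lastLogon recorded for $SamAccountName"
}
```

The same per-DC spread explains why a single Get-ADUser call, which talks to one DC, can disagree with Exchange by more than seconds: it may be reading a DC the user never authenticated against.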

Bitlocker GPO settings so that rebooting workstation does not require PIN


All,

I have recently deployed MBAM MDOP to a Server 2008 R2.  I successfully deployed the MBAM client to a test workstation and it has been reporting back to the MBAM server and its information is showing up in the SQL database that MBAM is using.

However, every time the test workstation reboots, the system requires a PIN.  I have removed every requirement for the PIN from the GPO governing MBAM and I have decrypted and re-encrypted the hard drive of the test workstation.

Yet, it still requires a PIN on reboot.  Anyone have any ideas on how I can configure the GPO, MBAM server and/or workstation system so that no PIN is required at reboot?

Thanks in advance.

Installed 2008 R2 AD server without adprep /domainprep


My group is responsible for a sub-domain.  I know /forestprep has been run and a 2008 R2 AD server has been installed in the root domain, but none of us remember running /domainprep in our 2003 sub-domain.  Last week we installed two 2008 R2 AD servers. We're not seeing any problems that I know of.  How do I know if /domainprep was run?  If it wasn't, should I demote the 2 servers, run /domainprep and re-promote them?

Thanks,

K
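An added example, not code from the post or from Microsoft: each adprep phase stamps a marker object in AD, so whether /domainprep ran can be read from the directory instead of from memory. The script reads the schema objectVersion, the forestprep revision on CN=ActiveDirectoryUpdate,CN=ForestUpdates in the Configuration partition, and the domainprep revision on CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System in the domain partition, using plain ADSI so it also runs from a 2003 DC. The expected values in the table are the writer's recollection of Microsoft's adprep documentation, not something stated on this page; verify them against the current documentation before acting on the result.

```powershell
# Added example (not from the original post): read the adprep markers from AD.
$rootDse  = [adsi]'LDAP://RootDSE'
$domainNc = $rootDse.Get('defaultNamingContext')
$configNc = $rootDse.Get('configurationNamingContext')
$schemaNc = $rootDse.Get('schemaNamingContext')

function Get-AdsiAttribute([string]$Path, [string]$Attribute) {
    # Returns $null when the object or the attribute does not exist (i.e. that adprep phase never ran).
    try { ([adsi]$Path).Get($Attribute) } catch { $null }
}

$state = [pscustomobject]@{
    SchemaObjectVersion = Get-AdsiAttribute "LDAP://$schemaNc" 'objectVersion'
    ForestPrepRevision  = Get-AdsiAttribute "LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" 'revision'
    DomainPrepRevision  = Get-AdsiAttribute "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" 'revision'
}
$state | Format-List

# Writer's reference table (verify against Microsoft's documentation):
#   Windows Server 2008    : schema 44, forestprep 2, domainprep 3
#   Windows Server 2008 R2 : schema 47, forestprep 5, domainprep 5
# Later releases only raise these numbers, so ">=" means "at least 2008 R2 level".
$expected = @{ SchemaObjectVersion = 47; ForestPrepRevision = 5; DomainPrepRevision = 5 }
foreach ($k in 'SchemaObjectVersion', 'ForestPrepRevision', 'DomainPrepRevision') {
    $actual = $state.$k
    $ok = ($null -ne $actual) -and ([int]$actual -ge $expected[$k])
    '{0,-20} {1,-6} (need >= {2} for 2008 R2): {3}' -f $k, $actual, $expected[$k], $(if ($ok) { 'OK' } else { 'NOT DONE' })
}
```

The 2003-era markers live in sibling objects named CN=Windows2003Update, which is why a domain that only ever had 2003 adprep shows no CN=ActiveDirectoryUpdate object under DomainUpdates at all and the script reports NOT DONE. The 2008 R2 promotion wizard's prerequisite check refuses to promote when /domainprep has not been run, so two successful promotions are themselves strong evidence, but the marker is the authoritative answer and there is no reason to demote anything to find out.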

Comparison between DFSR folders in terms of latency

Hi, I am doing an analysis between 2 servers which are DFSR-enabled. Is there any way to find the time taken to replicate files from server 1 to server 2? Thanks, Jay

HELP!! RENDOM /prepare error 1825


Hi all,

I'm trying to rename my domain from xxx.com to xxx.local.

We only have one server; it is the domain controller and DNS server, and everything is promoted to Windows 2003.

When we run the rendom /prepare we have the following message:

Failed to prepare machine.xxx.com : 1825

1 server contacted, 1 server returned errors

The operation completed successfully

Any idea what's happening?

Regards

Forest Trust - Authentication problems


We currently have an external two-way trust between two domains (let's call them DomA.local and DomB.local). Those domains are the only ones in their respective forests.  The trust is used to access network shares and everything works fine. As we are planning to introduce a subdomain in one of the forests, we changed the trust to a forest trust and enabled name suffix routing. The problem is that users cannot access the shares anymore with their account; they have to specify it as domA.local\username in order to access the share.

Are we missing a step in configuration ?

Thanks

Active Directory Domain Services Exception


Hello.

On several of my Domain Controllers I've started noticing a warning in the Directory Services event log.

EventID:  1173

Source: ActiveDirectory_DomainService

"Internal event:  Active Directory Domain Services has encountered the following exception and associated parameters."
Exception:
e0010004
Parameter:
0
Additional Data
Error Value:
-1603
Internal ID:
205036b

I've done a bunch of searching and I've found several references that are close, they have the same exception, parameter and error value, but nothing that has the same Internal ID of 205036b.  Does anybody know what is causing these exceptions and should I be worried?

Any help would be appreciated.

Craig


Which Event Viewer log is specific to GPO events? and Where is this log located within Event Viewer?

Windows Server 2003 domain controller not letting me logon locally.....


Hi Team,

I am unable to log on to the domain controller (Server 2003) holding all five FSMO roles after the installation of Windows Server 2008 R2 as an additional domain controller. I remotely connected to the Event Viewer of the problematic DC and found event ID 1126, related to the global catalog.

Any help???


Muhammad Nadeem Ahmed Sr System Support Engineer Premier Systems (Pvt) Ltd T. +9221-2429051 Ext-226 F. +9221-2428777 M. +92300-8262627 Web. www.premier.com.pk

AD-DS and DNS full failure.


I have a physical DC running Windows Server 2008 R2.

We are currently experiencing a full failure with AD and DNS.  We cannot access any of the VMs in Hyper-V at this time.  We have a virtual DC that is not reachable.  On our physical DC, AD-DS is completely unresponsive.  I can log into the server with the domain administrator account, but when trying to open any management consoles, such as ADUC or Sites and Services, these fail.  The error message I receive is shown below:

When trying to open the DNS mmc, I am told that access is denied, as shown below:

Running a DCDIAG of the DC shows the following results:


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC-01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC-01
      Starting test: Connectivity
         The host
         11e9af9b-504a-4ee7-8e68-648b85c91bb7._msdcs.ad.domain.org could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         Neither the the server name (DC-01.ad.domain.org) nor the Guid
         DNS name
         (11e9af9b-504a-4ee7-8e68-648b85c91bb7._msdcs.ad.domain.org)
         could be resolved by DNS.  Check that the server is up and is
         registered correctly with the DNS server.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... DC-01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC-01
      Skipping all tests, because server DC-01 is not responding to directory
      service requests.

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : ad.domain.org
      Starting test: LocatorCheck
         ......................... ad.domain.org passed test
         LocatorCheck
      Starting test: Intersite
         ......................... ad.domain.org passed test Intersite

Also, looking at the Roles in Server Manager, I can see several errors for both the DNS Server role and the AD-DS role.  The DNS service is flooded with Event ID 4015 errors, indicating that the DNS server has encountered a critical error from the Active Directory.  Looking at the AD-DS role, I see that there is one service that is stopped: Intersite Messaging.  When I try to start ismserv, I receive an error indicating the service could not be started and am not given much information past that.

We are not sure what has caused this issue as it started a couple days ago.  There are no known changes in the environment or any changes to AD that we are aware of.

Any help or insight would be greatly appreciated. 


Active Directory Groups without description


Started a new Network Admin position!  The previous admin left hundreds of AD groups without descriptions or documentation.  Is there any way to discover what these groups are used for? 
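An added example, not code from the post: there is no attribute that says what a group is for, but the directory holds evidence that narrows it down, such as how many members it has, which other groups it is nested in, who manages it, when it was created and last changed, and whether it is a built-in or admin-protected group. The script inventories every group with an empty description along those lines and flags the ones that are empty, nested nowhere and not built in. It assumes the ActiveDirectory module (RSAT or a 2008 R2 or later DC) and a domain account with read access; the helper name Get-Rdn and the CSV path are the writer's own.

```powershell
# Added example (not from the original post): inventory groups that have no description.
Import-Module ActiveDirectory

function Get-Rdn([string]$Dn) {
    # First RDN value, tolerating escaped commas such as "CN=Doe\, John,OU=..."
    if ($Dn -match '^CN=((?:\\.|[^,])+)') { $Matches[1] } else { $Dn }
}

$props = 'description', 'whenCreated', 'whenChanged', 'managedBy', 'member', 'memberOf',
         'info', 'adminCount', 'isCriticalSystemObject'

# (!(description=*)) matches groups whose description attribute is absent, i.e. blank in ADUC.
$report = Get-ADGroup -LDAPFilter '(!(description=*))' -Properties $props | ForEach-Object {
    $g = $_
    [pscustomobject]@{
        Name        = $g.Name
        Scope       = $g.GroupScope
        Category    = $g.GroupCategory
        Members     = @($g.member).Count
        NestedIn    = (@($g.memberOf) | ForEach-Object { Get-Rdn $_ }) -join ';'
        ManagedBy   = $(if ($g.managedBy) { Get-Rdn $g.managedBy } else { '' })
        Builtin     = [bool]$g.isCriticalSystemObject
        AdminCount  = $g.adminCount            # 1 = protected by AdminSDHolder, so it has admin lineage
        Created     = $g.whenCreated
        LastChanged = $g.whenChanged
        Notes       = $g.info                  # the "Notes" box in ADUC, sometimes used instead of description
        Container   = ($g.DistinguishedName -split '(?<!\\),', 2)[1]
    }
}

$report | Sort-Object Members -Descending | Export-Csv .\groups-without-description.csv -NoTypeInformation

# Candidates for retirement: nothing in them, nested nowhere, not built in.
$report | Where-Object { $_.Members -eq 0 -and -not $_.NestedIn -and -not $_.Builtin } |
    Select-Object Name, Container, Created, LastChanged | Format-Table -AutoSize
```

Membership and nesting say where a group is used inside AD only; an empty, un-nested group can still be granted rights in file or share ACLs, GPO security filtering, or an application's own configuration, so treat the "candidates" list as a starting point for asking around and disabling for a while, not as a delete list. Filling in the description as each group is identified keeps the next admin from repeating the exercise.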

Can't find Enterprise Admins security group? Please help


Hello

I have noticed that we have only one Active Directory DC that is configured as a Global Catalog server (Server 2008 R2 Standard).

I wanted to promote the newly installed Windows Server 2012 DC and got the error that I'm not in the Enterprise Administrators security group.

So I started to search but didn't find it on the AD domain controller that is the GC server or on the other domain controller that is not a Global Catalog server.

I have compared other DC servers; they have this security group.

So please, does someone have an answer? Or have or had a similar case?

Or is the Enterprise Admins security group not a default security group (the type of this group is Universal)?

Thank you!


Kind Regards Mohamad
