Channel: Directory Services Forum

How to get custom Attributes to show up in Users&Computers Attribute Editor


We are running Active Directory on Server 2008R2 with the Forest Function Level Server 2008R2.

Some time ago, a prior Administrator added a custom class and custom attributes for the custom class.  We currently edit these attributes using ADUC's Attribute editor tab.

Now I have to add another custom attribute to the already existing custom class.  Is this just as easy as going into MMC (with the schema mgmt loaded) and creating the custom attribute, then associating it to the custom class?  Is that all I need to do so that the new custom attribute shows up under the "attribute Editor" in ADUC for each user?  (we have our own OID tree as well)

In order to find out for myself and before breaking anything in production, I created a test environment and attempted to add a new class and some new attributes for the new class.  I used the following threads to do this:

http://technet.microsoft.com/en-us/library/bb727064.aspx

http://blogs.technet.com/b/isingh/archive/2007/02/18/adding-custom-attributes-in-active-directory.aspx

I was able to successfully create a custom auxiliary class and one custom attribute for that class.  The custom attribute is associated to the new class and the new class is an auxiliary class of the "user" class.  Afterwards I ran "Update Schema Now" from ADSIEdit.

However I am not able to access the new attribute for any of the users in the test environment.  I tried to add a new user as well, but the attribute is not on the "Attribute Editor" list in ADUC.

Please note: I did not modify the Display Specifier because we are not looking to access the attributes within the ADUC interface other than in the "Attribute Editor" list.  My thinking was that once I add the attribute/class properly, the attribute would be available to modify.  However this is not the case (I'm probably wrong).

Can someone tell me what I'm doing wrong here?  Shouldn't I be able to see the new attribute in the ADUC attribute editor tab?


Bare Metal Restore - Windows Server 2008 R2 - Active Directory - DNS - DHCP Server


I have an issue trying to do a BMR of our Primary Domain Controller, which is running Windows Server 2008 on a VM hosted on an ESXi server.

I am trying to restore an image which was taken a year ago in a test environment. I have set up a test ESXi server on a completely different network. The reason I need to restore my 1 year old image is because something is not working right which used to when this image was taken. So to rule out that our domain controller is the problem, I am trying to do a bare metal restore of this image. I use Retrospect to back up the domain controller, taking system state snapshots. After I restore the image to the test VM I boot into DSRM. I figured out that I had to change the date and time of the DC to the date and time of the image; then I can reboot normally, otherwise I get a BSOD. However Active Directory does not seem to be running right. Is there a proper procedure I need to follow when restoring a Primary Domain Controller from a 1 year old system state image?

The DHCP server would not run until I removed the server and re-authorized it. When I open the GPO editor I get an error "cannot find network name".

If I try to add a client machine to the domain it can't find the domain. I get an error DNS Server failure 0x0000232A RCODE_SERVER_FAILURE. I have also tried to do a full domain authoritative restore and still no luck.

Any Ideas?

ADFS, claim rule language, string functions


Hi,

With the claim rule language in ADFS 2.0, is it possible to manipulate a claim by performing fairly simple string functions:

 - search and replace characters

 - split incoming claims

 - etc.

I have a case where I would need to take an incoming claim, split it by finding certain characters, possibly leave parts of it out and then combine it to a new outgoing claim.

Any ideas?

Cheers,

Kari
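An added example, not from Kari's post, showing what the ADFS 2.0 claim rule language does offer for this: there is no split or substring, but RegExReplace (plus + for concatenation) covers "split on a character, keep some parts, rebuild" by capturing the wanted parts and emitting them in the replacement. The relying party name and the example.com suffix are placeholders; the claim type URIs are the standard ones.

```powershell
# Added example, not from the post: string manipulation in ADFS 2.0 claim rules.
# RegExReplace follows .NET Regex.Replace semantics, so $1/$2 refer to capture groups.
# Backslashes inside rule string literals must be doubled ("\\" is one literal backslash).
Add-PSSnapin Microsoft.Adfs.PowerShell

$rules = @'
@RuleName = "DOMAIN\user -> bare user name (drop everything up to the backslash)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          Value = RegExReplace(c.Value, "^.*\\", ""));

@RuleName = "first.last@domain -> first (split on the dot, keep the first part)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
          Value = RegExReplace(c.Value, "^([^.@]+)[.].*$", "$1"));

@RuleName = "keep the local part, swap the domain suffix (placeholder example.com)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
          Value = RegExReplace(c.Value, "^(.+)@.+$", "$1@example.com"));
'@

# Replace the issuance transform rule set of the relying party (placeholder name).
Set-ADFSRelyingPartyTrust -TargetName "Example RP" -IssuanceTransformRules $rules
```

Because an issued claim is only as trustworthy as the regex that built it, anchor patterns with ^ and $ as above so an unexpected incoming value is rewritten predictably rather than passed through.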

Remotely tell which DC a computer logged in through


Hi guys,

I know that a user can type in "set logonserver" (or "set l") to tell which domain controller they authenticated through.  Is there a way I can tell which DC remote computers used to log in?  Do I have to go into the logs?  I was trying to use psexec to pull the info remotely, but it is pretty tough using it with the set or echo command.

Basically we are removing all DCs in a few sites, and currently leaving the sites there. I want to make sure that the computers are logging in through the DCs in their neighbor sites.

Thanks,


Dan Heim
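An added example, not from Dan's post, that asks each computer over WMI which DC its secure channel is bound to and which site that DC belongs to, so the per-site result can be checked after the local DCs are removed. It assumes the ActiveDirectory module for the computer list and admin/WMI (RPC) access to the targets, the same reach the psexec approach needs; the retiring site names are placeholders.

```powershell
# Added example, not from the post. Win32_NTDomain exposes, for each trusted domain,
# the DC the machine is currently bound to (DomainControllerName), the site the client
# resolved itself to (ClientSiteName) and the site of that DC (DcSiteName).
Import-Module ActiveDirectory

$netbiosDomain = (Get-ADDomain).NetBIOSName
$targets = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name

$results = foreach ($pc in $targets) {
    try {
        # One Win32_NTDomain instance per trusted domain; keep only the computer's own domain.
        $d = Get-WmiObject -Class Win32_NTDomain -ComputerName $pc -ErrorAction Stop |
             Where-Object { $_.DomainName -eq $netbiosDomain }
        New-Object PSObject -Property @{
            Computer   = $pc
            ClientSite = $d.ClientSiteName
            LogonDC    = $d.DomainControllerName.TrimStart('\')
            DcSite     = $d.DcSiteName
            Status     = 'OK'
        }
    } catch {
        # Offline machines, firewalled RPC or missing rights end up here instead of aborting the run.
        New-Object PSObject -Property @{
            Computer = $pc; ClientSite = $null; LogonDC = $null; DcSite = $null
            Status   = $_.Exception.Message
        }
    }
}

$results | Sort-Object ClientSite, Computer |
    Format-Table Computer, ClientSite, LogonDC, DcSite, Status -AutoSize

# Once the local DCs are gone, no computer should still be bound to a DC in a retiring site.
$retiringSites = 'Site-A', 'Site-B'   # placeholder site names
$results | Where-Object { $retiringSites -contains $_.DcSite }
```

LOGONSERVER (what "set l" shows) is the DC that authenticated the interactive user and can differ from the machine's secure-channel DC, but both are chosen by the DC locator from the client's site, so the DcSite column answers whether the neighbouring sites are being used.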

Domain users take too long to log in, and sometimes they log in without a password even though they have one


I have a problem: users take too long to log in, and this happens for most users. I have checked DNS a million times and I do not have a problem there. I also have an additional domain in the same site, but the same problem occurs.

Also, sometimes users log in by clicking OK in the login screen without a password and they get access. This is with Windows 7 Enterprise.

Creating One-Way forest trust


Hi,

I tried to create a one-way forest trust between two 2008 R2 forests. I've managed to create the trust successfully, where DomeneK.com is trusting DomeneX.com. Trust validation is showing that everything is OK. I have the ability to search for objects in DomeneX.com from AD Users and Computers on a domain controller in DomeneK.com, but I do not get anything in return no matter what I search for:

I created a shared folder on a domain controller in DomeneK.com, and tried to add a user from DomeneX.com. I then get the following error:

If I specify the user DomeneX\Administrator I am allowed to search for users in the domain. I suspect that the one-way trust is causing the problem. Is there a way to solve this, or is the solution to create a two-way forest trust? I've tried both forest and external trusts with the same error.


Please use Mark as Answer if my post solved your problem and use Vote As Helpful if a post was useful. http://www.havardkristiansen.com

I cannot import users into Active Directory


Dear Supporter,

I extracted a CSV file from my AD and now, in a new domain, I need to import my users from the CSV file I saved from the old AD. Can I? (I tried to import the CSV but it gave me

"C:\Users\Administrator\Desktop>csvde -i -f 1out.csv
Connecting to "(null)"
Logging in as current user using SSPI
Importing directory from file "1out.csv"
Loading entries.
Add error on line 2: Already Exists
The server side error is "A cross reference already exists."
0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option."

And if I can't, what is the right way to extract users from one AD and import them into another?

Kindly help me out here, because my manager gave me this task a week ago and he is waiting to kill me next week for it :(

....

Active Directory can't replicate


I have four domain controller servers: A is the PDC, and B, C and D are BDCs. A and B can replicate with each other, and C and D can do this too, whereas A and C, B and C, A and D, and B and D fail in replication.

Firewalls were disabled on all DCs, and a ping from any DC can reach the others. I have executed the ipconfig /flushdns and ipconfig /registerdns commands on all DCs. On server C, in the Active Directory Sites and Services console, I forced replication in NTDS Settings, replicating from C to A, and got the error "the naming context is in the process of being removed or is not replicated from the specified server". I checked with nslookup using the FQDN on every DC, and there is no problem.

Does anyone have any idea about this?


How to force domain controllers to accept a new PDC after an orphaned domain controller

Hey guys, I have a pretty complex but simple problem.

I had the PDC role holder of my student domain go down. It also held the RID and Infrastructure roles.

I was able to seize the roles to another domain controller, so this new domain controller, let's call it DC1, is now the PDC.

However, I cannot convince the other DCs, like DC2 and DC3, to let it be the new PDC.

When I run netdom query I get

**Warning role owner is a deleted DC: CN=NTDS settings\OADEL etc etc

So it actually knows that its PDC has been deleted from the metadata. Where is this information hard-coded in ADSI Edit, and where can I edit it to type in the hostname of the new PDC?

Password complexity message


Is there a way to change the message users see when they do not meet the length and complexity requirements when they change their password?  All computers are Windows 7 Pro SP1 and joined to our domain.  The domain controllers are Server 2008 with SP2, and the domain functional level is 2003.

AD Policies applied to a group of Computers - not an OU?


Hi-

Is it possible to query WinXP and Win7 machines and apply a specific AD Policy to those machines without creating/using an OU?

We are trying to find a way to organize our AD structure.

Some want to organize by Department (for example, Sales or Operations people) and some by computer type, i.e. Win7 (32/64-bit) and WinXP.

Not sure how to do both since we need to install software on machines in a Department that require certain apps to be installed.

The applications(installed software) are related to people and their tasks - hence - a Department.

But, how can we do that with Computer Policies?

Make sense?

Any input is greatly appreciated.

Thx.

-SP

Active Directory - Basic Report showing group membership


I would like to produce a basic 'report' which details the groups I have set up in AD and their members. I would then want to flip this round to produce a list of users and the groups to which they belong.

I am using Server 2008, and there do not seem to be any native export options or anything (I am new to AD!). I asked on some other forums and DSQuery was the only 'free' response, but that looked like it had a bit of a learning curve.

Any ideas anyone?
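An added example, not from the post, that builds both reports with the ActiveDirectory PowerShell cmdlets: group -> members and then the flipped user -> groups view, each exported to CSV. It assumes the ActiveDirectory module is available (a Server 2008 R2 DC, or RSAT on a Windows 7 workstation managing the Server 2008 domain) and is written for PowerShell 2.0 syntax.

```powershell
# Added example, not from the post: two CSV membership reports.
Import-Module ActiveDirectory

# Report 1: one row per (group, member). -Recursive flattens nested groups so the
# output is effective membership, which is what an access review actually needs.
$groupReport = Get-ADGroup -Filter * | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        New-Object PSObject -Property @{
            Group       = $g.SamAccountName
            GroupScope  = $g.GroupScope
            Member      = $_.SamAccountName
            MemberClass = $_.objectClass      # user, computer, group, ...
        }
    }
}
$groupReport | Select-Object Group, GroupScope, Member, MemberClass |
    Export-Csv -Path .\groups-to-members.csv -NoTypeInformation

# Report 2: flipped round, one row per (user, group). memberOf holds direct
# membership only: nested groups and the primary group (usually Domain Users)
# do not appear here, so do not read this as an effective-rights list.
$userReport = Get-ADUser -Filter * -Properties memberOf | ForEach-Object {
    $u = $_
    foreach ($dn in $u.memberOf) {
        New-Object PSObject -Property @{
            User  = $u.SamAccountName
            Group = (Get-ADGroup -Identity $dn).SamAccountName
        }
    }
}
$userReport | Select-Object User, Group |
    Export-Csv -Path .\users-to-groups.csv -NoTypeInformation

# Quick on-screen sanity view: the most populous groups and the most-entitled users.
$groupReport | Group-Object Group | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
$userReport | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

Get-ADGroupMember errors on groups that contain foreign security principals from trusted domains; wrap that call in try/catch if your forest has trusts.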

Server 2008 R2 - Worked fine for months, now AD is offline


We're running Server 2008 R2 as the sole DC on our network.  Yesterday, some people were having issues authenticating.  I looked at the server and when I tried to open up active directory I got this:

Naming information could not be located because: The specified domain either does not exist or could not be contacted.  Contact your system administrator to verify that your domain is properly configured.

I ran dcdiag /test:dns and it passed.  I can ping the server with no issues.  I also noticed that it is no longer sharing SYSVOL or NETLOGON.  I manually shared those, but after restarting the server, they were no longer being shared.  Server DNS is set to its internal IPv4 address, with the loopback as secondary.

My DCDIAG results are below.  Thanks!


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = 2008SERVER

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\2008SERVER

      Starting test: Connectivity

         ......................... 2008SERVER passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\2008SERVER

      Starting test: Advertising

         Fatal Error:DsGetDcName (2008SERVER) call failed, error 1355

         The Locator could not find the server.

         ......................... 2008SERVER failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... 2008SERVER failed test FrsEvent

      Starting test: DFSREvent

         ......................... 2008SERVER passed test DFSREvent

      Starting test: SysVolCheck

         ......................... 2008SERVER passed test SysVolCheck

      Starting test: KccEvent

         ......................... 2008SERVER passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... 2008SERVER passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... 2008SERVER passed test MachineAccount

      Starting test: NCSecDesc

         ......................... 2008SERVER passed test NCSecDesc

      Starting test: NetLogons

         ......................... 2008SERVER passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... 2008SERVER passed test ObjectsReplicated

      Starting test: Replications

         ......................... 2008SERVER passed test Replications

      Starting test: RidManager

         ......................... 2008SERVER passed test RidManager

      Starting test: Services

         ......................... 2008SERVER passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   07:29:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 02/19/2013   07:30:12

            Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 02/19/2013   07:30:38

            Event String:

            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 02/19/2013   07:32:31

            Event String:

            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   07:34:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 02/19/2013   07:35:55

            Event String:

            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   07:39:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   07:44:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000168F

            Time Generated: 02/19/2013   07:46:17

            Event String:

            The dynamic deletion of the DNS record '_kerberos._tcp.dc._msdcs.stanleysteemer.local. 600 IN SRV 0 100 88 2008SERVER.stanleysteemer.local.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 02/19/2013   07:46:17

            Event String:

            The dynamic deletion of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.stanleysteemer.local. 600 IN SRV 0 100 88 2008SERVER.stanleysteemer.local.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 02/19/2013   07:46:17

            Event String:

            The dynamic deletion of the DNS record '_kerberos._tcp.stanleysteemer.local. 600 IN SRV 0 100 88 2008SERVER.stanleysteemer.local.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 02/19/2013   07:46:17

            Event String:

            The dynamic deletion of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.stanleysteemer.local. 600 IN SRV 0 100 88 2008SERVER.stanleysteemer.local.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 02/19/2013   07:46:17

            Event String:

            The dynamic deletion of the DNS record '_kerberos._udp.stanleysteemer.local. 600 IN SRV 0 100 88 2008SERVER.stanleysteemer.local.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 02/19/2013   07:46:17

            Event String:

            The dynamic deletion of the DNS record '_kpasswd._tcp.stanleysteemer.local. 600 IN SRV 0 100 464 2008SERVER.stanleysteemer.local.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 02/19/2013   07:46:17

            Event String:

            The dynamic deletion of the DNS record '_kpasswd._udp.stanleysteemer.local. 600 IN SRV 0 100 464 2008SERVER.stanleysteemer.local.' failed on the following DNS server:  


         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 02/19/2013   07:46:32

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 02/19/2013   07:46:56

            Event String:

            Name resolution for the name _ldap._tcp.pdc._msdcs.stanleysteemer.local timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   07:49:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   07:54:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 02/19/2013   07:55:16

            Event String:

            Name resolution for the name 1.168.192.in-addr.arpa timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   07:59:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   08:04:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   08:09:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   08:14:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   08:19:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 02/19/2013   08:24:23

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         ......................... 2008SERVER failed test SystemLog

      Starting test: VerifyReferences

         ......................... 2008SERVER passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : stanleysteemer

      Starting test: CheckSDRefDom

         ......................... stanleysteemer passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... stanleysteemer passed test

         CrossRefValidation

   
   Running enterprise tests on : stanleysteemer.local

      Starting test: LocatorCheck

         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

         A Global Catalog Server could not be located - All GC's are down.

         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355

         A Time Server could not be located.

         The server holding the PDC role is down.

         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error

         1355

         A Good Time Server could not be located.

         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355

         A KDC could not be located - All the KDCs are down.

         ......................... stanleysteemer.local failed test

         LocatorCheck

      Starting test: Intersite

         ......................... stanleysteemer.local passed test Intersite

ex-PDC now a member server complains about time difference


This ex-PDC used to get time from some internet sources to keep the domain on accurate time.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 50
Date:  2/18/2013
Time:  9:30:37 AM
User:  N/A
Computer: OLDPDCSERVER

Description:
The time service detected a time difference of greater than 5000 milliseconds  for 900 seconds. The time difference might be caused by synchronization with  low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update  the system clock. When a valid time stamp is received from a time service  provider, the time service will correct itself.  

I have done these steps already but I keep seeing this event id on this now member server:

http://technet.microsoft.com/en-us/library/cc758905(WS.10).aspx

w32tm /config /update /syncfromflags:domhier
net stop w32time && net start w32time

Win2K3 R2 SP2 -- "Replicate configuration to/ from the selected DC" option?


I am trying to understand the equivalent option/method to replicate just the configuration partition between the Win2K3 DCs in two different sites.  In this example, let's say there is one DC per site.

Consider a scenario where the DCs in the two sites are isolated, thus stopping them from replicating with each other.  If there were any changes to the configuration partition in terms of site links, connection objects, etc., how do the DCs in those two sites learn about the changes to the configuration partition once the DCs in the two sites are online/available again?

Does the repadmin /syncall /aAeP command provide the above functionality for Win2K3?


Appreciate your advice.




Error w/ Q312862 - Recovering missing FRS objects and FRS attributes in Active Directory


Using Q312862 - Recovering missing FRS objects and FRS attributes in Active Directory, I was able to locate the missing attribute: fRSMemberReference. When I tried to replace the DC with the null attribute of fRSMemberReference with a working DC's fRSMemberReference path, making adjustments to the CN=Value so that it reflects the name of the correct DC instead of the working DC's name, I am not able to apply the change. What I get is:

Operation failed. Error code: 0x20b5

The name reference is invalid.

000020B5: AtrErr: DSID-03152804, #1: 0: 000020B5: DSID-03152804, problem 1005

(CONSTRAINT_ATT_TYPE), data 0, Att 9036b

(fRSMemberReference)

I'm not sure why it won't accept the change. Why does it keep me from making the needed change? I am using the Admin account. I read on another forum that the admin there had to:

net stop ntfrs

re-instate the serverReference attribute

re-instate the fRSMemberReference attribue

Backup the SYSVOL\domain folder

Rename the c:\windows\ntfrs\jet folder

Set the Burflags value to d2 for a  non-authoritative restore

net start ntfrs

I don't really want to do those steps verbatim, since all I want to do is change the fRSMemberReference attribute. Do I need to stop ntfrs, and if so, does that mean I should back up the SYSVOL\domain folder and rename the jet folder? I'm not sure of the reasoning behind their methodology. I'm using Server 2008 R2 for all my DCs, but our forest functional level is still 2003 (I know, I need to upgrade it...). Thanks!

Start up script needed PLEASE!!


Hello supporters,

I need a startup script to run on my domain computers, to start installing an exe file located on my server...

PS:

- my clients are using XP

- I need the script to run the exe as domain administrator to be able to install

Does Server 2012 have UGMC?


Is Universal Group Membership Caching available in Server 2012?  I can't find the option in AD Sites and Services nor can I find any documentation references to it.

Thanks in advance!


C Shane Cribbs
http://www.georgiatechnologies.com

FSMO role transfer


Dear All,

This is regarding FSMO role transfer when a DC has gone down; the details are as below:

We are assuming that we have 2 servers, one the Domain Controller and the second an Additional Domain Controller, and everything is running properly, but suddenly the DC gets stuck after restarting and the DC OS has crashed. In the meantime, how will we transfer the FSMO roles (Schema, Domain Naming Master) to the ADC? What will the plan be for rollback?


Pradip Sisodiya

Cannot delete a user that only shows in ADSIEdit


Hello people,

I'm struggling with this issue for about a year.

A long time ago we had an improperly decommissioned DC from a sub zone of our domain. In this case: lig.contoso.com

After the unclean removal, some traces of that domain still persist in my AD and I can't remove them.

There's a user named CN=$LIG, owned by the SAM account, that does not show up in ADUC but shows in ADSI.

When I try to remove it using ADSIEdit, I always get:

Operation Failed. Error Code: 0x5

Access is denied.

00000005: SecErr: DSID-031A121F, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Thanks in advance,

