I have 2 DCs.

Domain Controller (08R2) running as a Hyper-V machine, time is always ahead 10 mins.

I have done some steps to set the DCs to synchronize with the external time source time.windows.com

But , on the one DC, run

C:\>w32tm /query /source

return: VM IC Time Synchronization Provider

On the other DC, run  C:\>w32tm /query /source

return:  time.Windows.com

And on any oneof thetwo DCs,  run w32tm /resync /rediscover

time can be adjust to right, BUT after 1 or 2 seconds, yes , very fast,  time will automaticlly go ahead 10 mins in a flash!

What is wrong?

I've an existing W2008R2 domain, and I'm trying to create a new child domain using W2012 std. The new server is on a remote subnet, connected via Wan, without any firewall or security filter. It can connect to the existing domain controllers (ping, network share, and so on.. all works)

I start the wizard, and it confirms that environment is ok. Then it stalls when working on "active directory synchronizing". It reports a serie of 1963/1961/2839/1962/1125 event ID errors, then after a while it starts back reporting the same serie (it loops to check if problem are solved I think).

I cannot find any way to understand why it cannot complete the dcpromo.

Any idea?

Thanks

hello everyone,

i have been working on introducing a new RODC to one of our Remote Branches.  i have setup all that i can determine that is necessary to allow this to work.  the connection between the offices is quite a slow 500k link.

i have one new user defined in AD that has been added to the Allowed RODC policy and the machine they use.  it passes in the Resultant Policy on the Writable DC and when i log into the workstation it will 'sometimes' grab the correct RODC.... other times it will use one of the other two DC's.

i can't figure out why or what is causes this.

i have the ADSS setup correctly and the respective Subnets are defined properly.  

thanks for any help on this.

Hi,

If I deny netlogons to the DC for Domain Admins, would the GPOs get depolyed successfully?

I mean, I have some policies specified for domain admins, and looks like this would stop these people from reading the GPOs / scripts directly.

Would it this be a problem? Or which user account is used to retrieve user policies when a user logon?

I have a Windows Server 2008 Active Directory domain (i.e., domain.com), and I need to create an A record at the root of this domain that will point to a webserver. I know that domain controllers for this domain will require an A record that points to their respective IP addresses, however, I didn't know if there was a creative way around this issue. I already have an A record for "www.domain.com", however, we also need to enable users to go to the webserver if they forget the "www".

Thanks!

Darren

When I run LDP against one of my accounts it comes back with:

dSCorePropagationData (5): 10/18/2012 12:31:29 AM Eastern Standard Time; 6/26/2012 5:14:39 PM Eastern Standard Time; 6/26/2012 5:14:39 PM Eastern Standard Time; 6/26/2012 5:14:39 PM Eastern Standard Time; 0x1 = ( NEW_SD ), 0x1 = ( NEW_SD ), 0x11 = ( NEW_SD | ANCESTRY_BEING_UPDATED_IN_SUBTREE ), 0xA = ( NEW_ANCESTORS | ANCESTRY_INCONSISTENT_IN_SUBTREE );

I have searched for ANCESTRY_INCONSISTENT_IN_SUBTREE and found zero results. Can anyone explain what this means and if it is something I should be concerned about?

JJ

Hi,

I am studying the MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 book . I am getting the errors when trying to import computers from a LDIFDE file. Chapter 5 Exercise 3 on page 210 "

Any help would be much appreciated.

dn: CN=SERVER10,OU=Servers,DC=Contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn : SERVER10
userAccountControl: 4096
sAMAccountName: SERVER10$

dn: CN=SERVER11,OU=Servers,DC=Contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn : SERVER11
userAccountControl: 4096
sAMAccountName: SERVER11$

C:\Windows\System32>ldifde -i -f "%userprofile%\documents\computers.ldf" -j c:\log
Connecting to "Server01.contoso.com"
Logging in as current user using SSPI
Importing directory from file "C:\Users\Administrator\documents\computers.ldf"
Loading entries.
Add error on entry starting on line 1: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772
0 entries modified successfully.
An error has occurred in the program

***Below is thecontents of the log file log file***
Connecting to "Server01.Contoso.Com"

Logging in as current user using SSPI

Importing directory from file "C:\Users\Administrator\documents\computers.ldf"

Loading entries
1: CN=SERVER10,OU=Servers,DC=Contoso,DC=Com
Entry DN: CN=SERVER10,OU=Servers,DC=Alps,DC=Priv
changetype: add
Attribute 0) objectClass:top person organizationalPerson user computer
Attribute 1) cn :SERVER10
Attribute 2) userAccountControl:4096
Attribute 3) sAMAccountName:SERVER10$

Add error on entry starting on line 1: No Such Attribute

The server side error is: 0x57 The parameter is incorrect.

The extended server error is:

00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772

0 entries modified successfully.

An error has occurred in the program

We have external users connecting to our network through a VPN service.  If their account they are logging into their PC with (ex. jsmith) matches an account on our domain (ex. abc\jsmith), we see invalid password attempts on our domain account.  The external users are mostly running a version of Windows 7 and joined to another domain.  So, when they login to their PC, they login to the account home\jsmith.  As soon as they connect up to the VPN, we see invalid passwords on the 2008 DC's for account ndgov\jsmith coming from the IP address assigned to their external users computer on our domain.  We see this from many different computers.  The only solution we have found is to either have the user change their account they are logging into the external PC (if their ID's actually match) to use an account that does not belong to our domain or synch their passwords.

We have utilized VPN for many years, but this only reared it's head when we migrated to a new solution due to support for Windows 7 (couple years ago).  So, not sure if this is a Windows 7 issue where it is not sending the domain information with the request or our DC's that are ignoring the domain information in the authentication request.

Any insight would be appreciated. 

Thanks in advance.

Greetings.

I'm Willing to take all information of an active directory (W2003) for each user the server has. This means to know all the configuration that affects to each user (Department, Site, GPOs, logon Scripts etc...). In general, i know what info i should check to have all the information from each user, but i would like to ask for some tips/guide/tools (official tools) that maybe could help me to take this information. Maybe there are some points that i'm not considering.

Thanks in advance.

Hi to all,

I'm having an issue with my DC.

I have two DC's in my domain: DC01 and DC02.

I changed the names for both DC's and now I'm having the following error when I try to create a new user :Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog:Logon failure: unknown user name or bad password.

Please can you help me.

Thanks.

Hi,

I am receiving the following error while trying to migrate user with SIDHistory on my ADMT 3.2 Server.

"Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied."

NOTE: I have already followed the recommendations as per the following article, but still it doesn't appear to be working and I am receiving the above error.

http://technet.microsoft.com/en-us/library/cc974410(v=ws.10).aspx

STEPS ALREADY FOLLOWED:

HA

Current setup:  3 x Windows 2003 R2 Enterprice domain controllers, a file server, Exchange 2003 single server and various other member servers.  Clients running either Windows XP Pro SP2 or Windows 7 Pro SP1

The problem: Inability to promote a domain controller. Have to rely on Install From Media (IFM) to promote. Things fail when normal dcpromo is used and the same error appears: "Directory Object Not Found"

The probable cause:  MS support found out that the "iscriticalsystemobject" attribute of the built-in admin account was set to False instead of True.  Unable to change to True because it says the account is owned by SAM.  This glitch most likely existed from Day 1. 

Attempts:  attempts to promote new DCs have obviously failed unless of course IFM is used.  Attempt to conduct an in-place upgrade of a Windows 2003 DC to Windows 2008 DC and then use the IFM method to promote a Windows 2008 R2 DC have also failed.  Due to different OS level versions.

Questions:

1) Are there any known fixes for this attribute problem with admin account?

2) if there are none, what is the next option?  Create a new domain?

3) Should a new domain be started or a new forest?

4) Can the new domain/forest link to the old one to allow cross usage of resources as well as migration of AD objects?

5) If not will ADMT work? Will ADMT also bring over the nasty attribute issue as well?

6) Any suggestions where to go from here?

Hello all,

we have the HQ Active Directory and we have around 200 branch also we have a daily integration process that takes between 2 to 6 H to complete this integration process get the AD Users from Softpeople DB, we need to implement RODC in each branch with considering the following 

1- no replication should be happen between the AD and the RODC before the end of the integration process

2-  each branch has its OU that contains all users and Groups can we assign an OU to a certain RODC ?

3- can we choose certain  objects to be replicated or just attributes ?

hi,

We have some usernames and passwords in a domain (Active Directory) and we wanna transfer or copy them to another domain, the main point is that there's no any relation and replication between these two domain controller.

My question is that how can i do this???

thanx in advance .MoRi

Raghuraj Sharma

Hello All,

I'm running into some serious network lag issues with mapped drives dropping and other weird Group Policy inconsistencies.  We have 2 DC on our domain and I've just run DCDIAG on one of the DCs - output is included below.  Any help is greatly appreciated!

Also, there have been a lot of repeated errors on the DC1 machine including:

Application - Userenv - EventID 1053 - Windows cannot determine the user or computer name.

System - Kerberos - EventID 4 - The kerberos client received a KRB_AP_ERR_MODIFIED error... password used to encrypt the kerberos service ticket is different than that on the target server... etc

DNS Server - DNS - EventID 4000 - The DNS server was unable to open Active Directory...

DCDiag results

DC1 - "PE2800"

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\PE2800
      Starting test: Connectivity
         ......................... PE2800 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PE2800
      Starting test: Replications
         [Replications Check,PE2800] A recent replication attempt failed:
            From PE2901 to PE2800
            Naming Context: DC=ForestDnsZones,DC=fla,DC=checkmate-florida,DC=com
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2012-12-25 21:48:31.
            The last success occurred at 2000-11-19 16:58:15.
            877 failures have occurred since the last success.
         [PE2901] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,PE2800] A recent replication attempt failed:
            From PE2901 to PE2800
            Naming Context: DC=DomainDnsZones,DC=fla,DC=checkmate-florida,DC=com
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2012-12-25 21:48:31.
            The last success occurred at 2000-11-19 16:58:15.
            877 failures have occurred since the last success.
         [Replications Check,PE2800] A recent replication attempt failed:
            From PE2901 to PE2800
            Naming Context: CN=Schema,CN=Configuration,DC=fla,DC=checkmate-florida,DC=com
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2012-12-25 21:48:31.
            The last success occurred at 2000-11-19 16:58:15.
            877 failures have occurred since the last success.
         [Replications Check,PE2800] A recent replication attempt failed:
            From PE2901 to PE2800
            Naming Context: CN=Configuration,DC=fla,DC=checkmate-florida,DC=com
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2012-12-25 21:49:31.
            The last success occurred at 2000-11-19 16:58:15.
            2044 failures have occurred since the last success.
         [Replications Check,PE2800] A recent replication attempt failed:
            From PE2901 to PE2800
            Naming Context: DC=fla,DC=checkmate-florida,DC=com
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2012-12-25 22:08:06.
            The last success occurred at 2000-11-19 17:13:12.
            78085 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         PE2800:  Current time is 2012-12-25 22:08:18.
            DC=ForestDnsZones,DC=fla,DC=checkmate-florida,DC=com
               Last replication recieved from PE2901 at 2000-11-19 16:58:15.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            DC=DomainDnsZones,DC=fla,DC=checkmate-florida,DC=com
               Last replication recieved from PE2901 at 2000-11-19 16:58:15.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            CN=Schema,CN=Configuration,DC=fla,DC=checkmate-florida,DC=com
               Last replication recieved from PE2901 at 2000-11-19 16:58:15.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            CN=Configuration,DC=fla,DC=checkmate-florida,DC=com
               Last replication recieved from PE2901 at 2000-11-19 16:58:15.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            DC=fla,DC=checkmate-florida,DC=com
               Last replication recieved from PE2901 at 2000-11-19 17:13:12.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
         ......................... PE2800 passed test Replications
      Starting test: NCSecDesc
         ......................... PE2800 passed test NCSecDesc
      Starting test: NetLogons
         ......................... PE2800 passed test NetLogons
      Starting test: Advertising
         ......................... PE2800 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: PE2901 is the Schema Owner, but is not responding to DS RPC Bind.
         [PE2901] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: PE2901 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: PE2901 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: PE2901 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: PE2901 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: PE2901 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: PE2901 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: PE2901 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: PE2901 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: PE2901 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... PE2800 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... PE2800 failed test RidManager
      Starting test: MachineAccount
         ......................... PE2800 passed test MachineAccount
      Starting test: Services
         ......................... PE2800 passed test Services
      Starting test: ObjectsReplicated
         ......................... PE2800 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... PE2800 passed test frssysvol
      Starting test: frsevent
         ......................... PE2800 passed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8025082D
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8025082D
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8025082D
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000748
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8025082D
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000748
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8025082D
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000748
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000748
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000748
            Time Generated: 12/25/2012   22:03:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00007FA
            Time Generated: 12/25/2012   22:03:45
            (Event String could not be retrieved)
         ......................... PE2800 failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:08:40
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:08:42
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:10:39
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:10:39
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:13:19
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:18:31
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:33:31
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:33:31
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x40000004
            Time Generated: 12/25/2012   21:52:14
            Event String: The kerberos client received a

         ......................... PE2800 failed test systemlog
      Starting test: VerifyReferences
         ......................... PE2800 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : fla
      Starting test: CrossRefValidation
         ......................... fla passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... fla passed test CheckSDRefDom

   Running enterprise tests on : fla.checkmate-florida.com
      Starting test: Intersite
         ......................... fla.checkmate-florida.com passed test Intersite
      Starting test: FsmoCheck
         ......................... fla.checkmate-florida.com passed test FsmoCheck

DC2 - PE2901

In working with two different, and totally unrelated, unconnected AD domains, and in each I've found the same pecularity.

Both domains function normally. No issues whatsoever.

About a year ago, I rev'd the schema in each to the level of Windows Server 2008 R2. I installed new computers and promoted them to Domain Controllers, leaving in place, 'for the moment,' the old Windows Server 2003 domain controllers that were being superceded.

No issues.

Situation:   each domain has two W2K3 DC's and two W2K8 DC's running at the W2K3 Forest and Domain functional levels.

Last week, I was about to demote the Windows Server 2003 domain controllers when I noticed a pecularity. In running replmon on the oldsters, I noted that each W2K8 DC had connections to each of the W2K3 domain controllers -- but not to its partner W2K8 DC. Running DSSITE.MSC on each W2K8 controller confirmed this.

It didn't look as if the two W2K8 DC's had connections to each other.

Is this normal, or pathological?

Will this clear up when I demote the W2K DC's, or wll it require further action?

Thanks in advance.