Channel: Directory Services Forum
Viewing all 2536 articles

Transferring FSMO Roles from a Windows 2003 DC to a Windows 2012 DC


Hello,

Is it possible to directly transfer all FSMO roles from a Windows 2003 DC to a Windows 2012 DC?  Our domain and forest are at Windows 2003 functional levels.  Doug


Serious issue with availability - Resource leak possible?

Dear experts,

we've been having serious issues with our domain controllers running Server 2008 R2 SP1 (with current updates, depending on when they were last rebooted).
I'll delve right in:
Our domain controllers stop responding to requests after about 60-80 days of uptime.
They then start to log all kinds of errors, but most of them relate only to subsequent failures (such as unable to communicate with DNS or another DC, that replication failed, etc).
The only (possibly) relevant issue I could find was an event log entry saying "The name limit on the local adapter has been exceeded"
For example, I can still RDP in, but am unable to map a network drive or anything like that.
A reboot fixes the problem immediately.

I have done extensive research on the issue and came up empty except for this article:
http://support.microsoft.com/kb/961775

I suspect this as a related or even root cause since it describes to 95% what we are experiencing:

YES - User authentication fails.
YES - Sysvol replication fails.
SOMETIMES - Events 404 and 408 appear in the DNS server log.
YES - One of the following Netlogon events occurs:
SOMETIMES - Netlogon event 5775
SOMETIMES - Netlogon event 5792
SOMETIMES - Netlogon event 5792
SOMETIMES - Netlogon event 5719
YES - This problem most commonly occurs on domain controllers that are running the Microsoft System Center Operations Manager agent.
 The agent makes repeated local queries to LSASS on port 389. The queries cause the number of orphaned connections to increase rapidly. Because of this, the domain controller fails after a few days.
YES - TDI interface used (Sophos Antivirus)


 
The only difference is that the article says this applies to multiprocessor machines. Some of our DCs are multicore, some are single core. All are experiencing the issue.

All DCs run as VMs on top of Hyper-V 2008 R2 SP1
All DCs run 2008 R2 SP1 themselves
All DCs have the SCOM Agent installed
All DCs have Sophos AV installed



Is there any expert out there who can confirm/deny that this might be the issue and whether there is a fix for 2008 R2 for this?
Could it be something else?
We are desperate since if AD goes, so does a lot of our network!
 

netlogon and sysvol


I was referring to this article because my additional DC was having a problem: http://technet.microsoft.com/en-us/library/hh147324%28v=ws.10%29.aspx

Question: do I change the SysvolReady parameter on the DC without the problem or on the DC with the problem?

For example, on DC1, when I do a "net share" I can see SYSVOL and NETLOGON.

On DC2, I can't see SYSVOL and NETLOGON when I do a "net share".

So, where should I modify the registry? DC1, or DC2?

Thanks.

Prevent user to access particular registry key.

In my environment I have blocked USB devices using Group Policy. But users have local admin rights on their desktops, so they are able to change the registry settings. So I want to prevent access to this particular registry key, not the whole registry. For some reason I cannot disallow access to all registry editing. Please help on this.

Nirmal Singh IT Administrator

Active Directory - domain naming convention


Hi,

Now that we are no longer able to issue SSL SAN certificates with invalid fully qualified domain names like server1.mydomain.local, I'm thinking of having a different naming convention for new domains.

http://support.godaddy.com/help/article/6935

Previously, I would just use .local like server1.mydomain.local for internal and mail.mydomain.com for external.

Option 1 - keep them both the same:

-mail.mydomain.com (For both internal and external and I would have to make sure the external dns records are on the internal dns server as well)

Option 2 - keep them different

-server1.mydomain.net(internal)

-mail.mydomain.com (external)

Option 3 - use a sub-domain

-server1.ad.mydomain.com (internal)

-mail.mydomain.com (external)

What do you recommend for the naming convention for internal and external domain names? It doesn't have to be one of the options above. What's the best practice?

Thanks


Incremental roaming profile

We are using Active Directory and also apply the roaming profile that AD offers. All files of the user, including .pst, are backed up. But as the files got bigger, the roaming profile became unstable. It doesn't sync all the files, and sometimes the .pst files get corrupted because of the file synchronization. The roaming profile overwrites the existing files and doesn't add the additional files that the user just created. Is there a way to have an incremental roaming profile? Please help me with this. Thanks

one way trust group design question


Hello everyone, happy 2013!

In a one-way trust: DomainA (trusting) -> DomainB (trusted), the best practice to allow users from B to access resources in A would be to follow AGDLP (the Global group of DomainB would be inserted in a Domain Local group of DomainA).

But what if you don't administer DomainB? i.e. you have no possibility of creating or requesting Global groups on the other side of the trust.

Do you recommend any other way besides the awkward ADLP (i.e. DomainB users inserted directly in DomainA local groups)?


can not connect with bind credentials using ldp.exe to rodc server from external network


Hello All,

I have deployed an RODC server in the DMZ network. We have one intranet website hosted outside the company with another vendor, which is why we had to deploy the RODC server so that users can authenticate with the same AD users and passwords (please do not say that this is supported or not supported, as this is already implemented). Whenever I sit at home and try to run ldp.exe and connect to the server, it connects successfully, but when I try to bind the credentials with the "encrypt traffic after bind" checkbox selected I receive the following error; even if I do not select this checkbox it does not connect. Please note that all ports are open from my public IP to the RODC server. One more thing is that I have not installed DNS on the RODC server. Please help.

53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3

{NtAuthIdentity: User='rodc.admin'; Pwd=<unavailable>; domain = 'ffcqa.com'}

Error <49>: ldap_bind_s() failed: Invalid Credentials.

Server error: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1

Error 0x8009030C The logon attempt failed


If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync


Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog:Logon failure: unknown user name or bad password.


---------------------------
Active Directory Domain Services
---------------------------
Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog:Logon failure: unknown user name or bad password.Windows will create this user account, but the user can log on only after the user name is verified to be unique. Make sure the global catalog is available. For more information about troubleshooting this issue, see Windows Help.


---------------------------
OK   
---------------------------

replication between AD and RODC


hi,

I am using two Windows Server 2008 R2 servers. On the 1st server there is an AD DC and the other server is a read-only domain controller. Now the problem is that replication between these two servers is not happening. I am troubleshooting the problem. When I open Active Directory Sites and Services, select that server and choose "Replicate Now", it gives me the following error.

The following error occurred during the attempt to synchronize naming context abc.local from domain controller server2 to domain controller exch2k10:

The source server is currently rejecting replication requests.

This operation will not continue.

Please anybody suggest me how to resolve this problem.

Deleted file returns in SYSVOL


Strange one here that I can't figure out.

We have a domain with just over 40 DCs in it.  This is due to having remote sites that each have a DC in them.

Replication is working fine according to Sonar and FRSDiag.

The issue I have is that there is one file that we need to remove from SYSVOL that will not go from just 2 of the DCs.  All other DCs have removed the file but these two will not delete it.  If I delete the file from one of them it comes straight back on an F5 refresh.  This happens on each of the two DCs.

The strange thing is that this file is not getting replicated to all the other DCs even though replication is working.  I have tested this by creating a new file on a DC and watching as it is replicated to all the other DCs with no problems.  I can also delete this test file with no problems.

Anyone got any idea why this one particular file will not delete from just two of the DCs in the domain??

I am lost with this one now!


Rob

dcdiag /test:dns fail - [00000007] Microsoft Virtual Machine Bus Network Adapter has invalid DNS Server


Hi all,

When I run DCDiag /test:DNS on server DC1 (IP address 172.16.0.98, OS = Windows Server 2008 R2 SP1), I get the following warning and error:

TEST: Basic (Basc)
                  Warning: adapter
                  [00000007] Microsoft Virtual Machine Bus Network Adapter has
                  invalid DNS server: 172.16.0.99 (DC2)
                  Warning: adapter
                  [00000007] Microsoft Virtual Machine Bus Network Adapter has
                  invalid DNS server: 172.16.0.98 (DC1)
                  Error: all DNS servers are invalid

TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network
               adapters

 Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 172.16.0.98 (DC1)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.domain.com. failed on the DNS server 172.16.0.98

            DNS server: 172.16.0.99 (DC2)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.domain.com. failed on the DNS server 172.16.0.99

 

Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: domain.com
               DC1                       PASS FAIL PASS PASS WARN FAIL n/a

         ......................... domain.com failed test DNS

 

Note: This server is a virtual machine on Hyper-V 2008 R2.... Is the NIC corrupted? Because when I run the command SET L on all my client PCs, all are logged on to DC2....

But I can ping DC1 without any issue....


Upgrade from 2008 to 2012 question.


I am currently working on re-designing a 2008 Active Directory that I inherited from a previous admin. I plan to make changes to the OU structure, Group Policies, delegation of authority, etc. I am also planning to upgrade to 2012.

My question is...would it be better to complete the re-design before upgrading to 2012 or upgrade first and then work on the re-design?

Thanks,

Kenny


Kenny

ADFS 2.0 - Renewing certificates


Hello all Microsoft geeks,

I am standing before the renewal process for our production ADFS 2.0 farm (2 servers, and as proxy we use a UAG server). I would like to ask you what the standard process for it is, if there is any. We use public CA certificates issued by Verisign. Can I proceed via the renewal process in IIS on both servers? We use ADFS for our own SSO applications between our company and partners. Do you have any experience with that? I have read some topics on the internet but I am not quite sure.

Thanks for each comment

Libor


Liibas

domain PREP returns 0x13 error during domain prep


While attempting to run ADPREP from the Server 2008 R2 CD, ADPREP returns an error message after attempting to modify the base domain object. The error looks like this:

 Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=AA,DC=BB,DC=COM.
[2011/05/13:11:11:16.392]
LDAP API ldap_modify_s() finished, return code is 0x13
[2011/05/13:11:11:16.408]
Adprep was unable to modify some attributes on object DC=AA,DC=BB,DC=COM.
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20110513111116 directory for more information.
[2011/05/13:11:11:16.408]
Adprep encountered an LDAP error.
Error code: 0x13. Server extended error code: 0x20b5, Server error message: 000020B5: AtrErr: DSID-03152395, #1:
 0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9054f (otherWellKnownObjects)
.
[2011/05/13:11:11:16.423]
Adprep was unable to update domain information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20110513111116 directory for more information.

Any idea what this might be?


We recently noticed (by using Active Directory auditing) strange login attempts that are being made by many of our workstations. Is this a virus/worm? If so, how can I know which one is it?

Hi,
Recently we noticed (by using an Active Directory auditing tool) strange login attempts from many workstations on our corporate network. Some of these login attempts use strange usernames that do not exist in our Active Directory (such as @@CYAAAAAjBgcA0GAhBAZA0GApBgbAAEAzBwdAEDA, owner, support_388945a0 and others). We also see an extremely high rate (over a hundred attempts per second from a single workstation) of login attempts that are supposedly made by legitimate users but with wrong passwords.

How can I tell if it is a virus/worm and if so which one is it or how to remove it? 

BTW: I didn't mention it because it is sort of a given thing - we do have TrendMicro antivirus installed and running on all of our workstations and it is up to date. We also have an up-to-date WSUS server.

Thanks a lot,
Yuval.

YuvalK
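The pattern described in this post (a burst of failed logons from one workstation, some of them for account names that do not exist) is something a defender can pick out of the Security log mechanically. The following is an added example, not code from the thread or from any Microsoft tool: it runs over constructed, simplified records modelled on Security event 4625 (failed logon) and flags workstations whose peak failure rate exceeds a per-second threshold, and separately lists the non-existent account names each workstation tried. The NTSTATUS sub-status values used to tell "no such user" from "wrong password" are the documented Windows codes; the timestamps, workstation names and counts are constructed to match the symptoms in the post and are assumptions, not data from the page.

```python
"""Flag workstations spraying failed logons at a domain controller.

Added example, not part of the forum thread.  Works over constructed,
simplified event-4625-style records: (timestamp, source workstation,
target user name, NTSTATUS sub-status).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Documented Windows NTSTATUS values seen in the 4625 "Sub Status" field.
STATUS_NO_SUCH_USER = 0xC0000064     # account name does not exist
STATUS_WRONG_PASSWORD = 0xC000006A   # existing account, bad password


def build_sample_events():
    """Constructed records modelled on the post: one noisy workstation
    (WS-042) hammering the DC, one normal workstation (WS-017)."""
    base = datetime(2013, 1, 8, 9, 0, 0)
    events = [
        # A real user mistyping a password twice, half a minute apart.
        (base, "WS-017", "jsmith", STATUS_WRONG_PASSWORD),
        (base + timedelta(seconds=30), "WS-017", "jsmith", STATUS_WRONG_PASSWORD),
    ]
    # Names from the post that do not exist in the directory.
    bogus = ["owner", "support_388945a0",
             "@@CYAAAAAjBgcA0GAhBAZA0GApBgbAAEAzBwdAEDA"]
    # 150 failures inside a single second, mixing bogus and real names.
    for i in range(150):
        if i % 50 == 0:
            user, status = bogus[i // 50], STATUS_NO_SUCH_USER
        else:
            user, status = "jsmith", STATUS_WRONG_PASSWORD
        events.append((base + timedelta(milliseconds=6 * i), "WS-042", user, status))
    return events


def peak_rate_per_second(events):
    """Return {workstation: most failures seen in any one-second bucket}."""
    buckets = Counter()
    for ts, source, _user, _status in events:
        buckets[(source, ts.replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (source, _second), n in buckets.items():
        peak[source] = max(peak[source], n)
    return dict(peak)


def flag_spraying_sources(events, threshold=100):
    """Workstations whose peak failure rate exceeds `threshold` per second.
    The default mirrors the 'over a hundred per second' observed in the post."""
    return sorted(s for s, n in peak_rate_per_second(events).items() if n > threshold)


def unknown_user_attempts(events):
    """{workstation: sorted non-existent account names it tried}.
    A host trying names that are not in the directory is a stronger signal
    than bad passwords alone, which legitimate users also generate."""
    names = defaultdict(set)
    for _ts, source, user, status in events:
        if status == STATUS_NO_SUCH_USER:
            names[source].add(user)
    return {s: sorted(n) for s, n in names.items()}


if __name__ == "__main__":
    sample = build_sample_events()
    print("peak failures/sec:", peak_rate_per_second(sample))
    print("spraying sources:", flag_spraying_sources(sample))
    print("unknown users tried:", unknown_user_attempts(sample))
```

On a real domain controller the same two signals (peak failure rate per source workstation, and sub-status 0xC0000064 for names that do not exist) can be read from the 4625 events in the Security log; the code above only replaces that collection step with constructed input so it runs offline.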

Can account SUPPORT_388945a0 be deleted from domain controller?


Hi Guys,

I see that an account "SUPPORT_388945a0" has been created on the domain controller automatically. Can we delete it safely?

 

Thanks,

OCS User

Non-Authoritative restore


Hi,

I am trying to understand non-authoritative restore. My scenario:

I have dc1 (IP 192.168.2.100) with Windows 2008 R2, which has Active Directory-integrated DNS, and I created some users and OUs.

Now I did a system state backup using command

wbadmin start systemstatebackup -backuptarget:e:

Now, let's assume that my DC1 has a hardware issue and I build a new server.

In new server,

1) I installed Windows 2008 R2

2) then pressed F8

3) then went into Directory Services Restore Mode and gave the following command to restore DC1.

E:\>WBADMIN START SYSTEMSTATERECOVERY -version:01/03/2013-03:39  -backuptarget:e: -authsysvol

Now, everything ran fine and when I logged in, I found that it renamed the computer to dc1 and also reset the IP (192.168.2.100).

However, I found that it did not install Active Directory!!!

I was wondering, do I need to install Active Directory before I run the command

WBADMIN START SYSTEMSTATERECOVERY -version:01/03/2013-03:39  -backuptarget:e: -authsysvol

Hope it is clear. Please help.

Summary: What I am trying to achieve is, if the DC is damaged, how do I restore the DC?

Sysvol replication problem between two windows 2008 R2 DC


Hello,

Our domain is at the Windows 2008 domain functional level.

I checked the DFSR state; it's in the 'eliminated' state with no error.

The dfsrmig tool has never been run before to change the state or migrate from FRS to DFSR.

We have had just two Windows 2008 DCs from the beginning.

But the SYSVOL folder is not synchronized, and we have several GPO update problems.

According to the 'DFSR Management console diagnostic report', the DFSR service is running properly.

According to the dcdiag tool, AD replication is working properly.

Do you have any idea, or have you ever met with a problem like that?

Thanks...

Bosde 


ADC dns issue


Hi, I am a bit confused about how to configure an ADC. For instance:

PDC, ip 192.168.2.100/24 & dns 127.0.0.1

now on the ADC, IP 192.168.2.110/24 & DNS 192.168.2.100

However, I got the following error:

A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “test.local”. Otherwise, no action is required.

I know that on the first DC I do not need to be concerned about this warning. However, on the ADC, can I ignore this warning?

Do I need to change any setting on the PDC/ADC?

BTW, the PDC has integrated DNS (default dcpromo setup).

