DFSR replicaion problem between domain controllers

Similar Messages

• Communication issues between domain controllers

  Hi everyone,
  I am experiencing some problems in communication between domain controllers in our organization
  We have three domain controllers, one of them is a Windows 2003 server service pack 2 which is physical (controller A), another which is Windows 2008 Service Pack 2 (controller B), also physical, and a third one (controller C) which is a Windows 2008
  service pack 1 and is virtual.
  I have problems with this last DC, it won't respond to pings, or DNS query. I can't Access it by remote desktop client even when it is enabled. I cannot update it, it prompts error messages if I try to do so.
  This problems are solved if I reboot it, it will work fine some hours or days, but not much longer. I have checked event viewer and I didn't found any message about this.
  I read some time ago it would be great to have a DC in a virtual machine, so I did it, but is it right?
  Do you know what might be going on with it? would depromoting it and seting it up again the best solución?
  Thank you very much.
  Best regards.
  David.

  This sounds like a NIC issue, which is odd since it is a virtual machine.  Have you checked the host for any logs about the client? 
  I think the first thing I would do is destroy the current virtual NIC card and add a new one.  Since this has nothing to do with Active Directory I would also suggest you post this in a forum of for the Host (VMWare or Hyper-V).
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Unable to Sync SYSVOL Folder between Domain Controllers

  Good Afternoon All,
  I have the following issue on my current domain configuration, I say current as we are seeking to go to Server 2012 R2 within the next few months, but for now, we are at the 2008 R2 functional level.
  We have three Domain Controllers namely Server-001 to 3, with Server-002 holding the PDC Emulator Role. Now when policies are created or updated through GP Management, I have noticed that they sync without issue between Server-002 and Server-003, but not
  Server-001. In the SYSVOL Folder in each DC, the folder totals in policies are as follows:
  Server-001 - 72 Folders
  Server-002 - 96 Folders
  Server-003 - 96 Folders
  So here, it can be clearly seen that there is some sort of replication issue between Server-001 and the other controllers. I have researched and read several articles and opinions regarding the same issue and have ran many of the commands outlined including
  repadmin, dnslint, gposync, etc. with the only output displaying errors being gposync. I have checked all the event logs for each DC with added focus on the DFS Replication Logs and have seen no errors regarding replication on Server-001 which is the server
  at fault, but have noted that it appears that Server-001 is only replicating to itself, while Servers -002 and -003 are syncing/replicating between each other. I created a text document in Server-002's SYSVOL Folder and checked in Server-003's and verified
  that the document successfully synced across, but on Server-001 nothing happened. I did some research on the issue and came across non-authoritative sysvol restore as an option, but when I tried this on Server-001 via ADSI Edit, I noticed that the following
  path:
  OU=Domain Controllers>CN=Server-001>CN=DSFR-LocalSettings>CN=Domain System Volume
  is missing. Initially, DSFR-LocalSettings was missing as well, but I re-created it. I then attempted to re-create Domain System Volume, but when I tried entering the Replication Group GUID, I got an error that "one or more of the values are not in the
  correct format", even though this is the same GUID used on the other two DCs. I tried changing the value to octet, hexadecimal, etc. but nothing worked. i still got the same error. I am convinced that this is where the disconnect lies, but with no possible
  idea how to fix this broken section, I am unsure how to further proceed. We were going to demote the server, bring up a 2012 R2 unit and have it seize the roles, but I convinced my Systems Administrator for us to try and see if there is a fix available before
  commissioning a new server. As is, group policy is somewhat broken as policies either do no get applied at all, or, get applied to certain groups or OUs.
  If you are interested I can forward you our DFSR Logs from each server, along with any other reports that I have run in the hopes that someone will be able to assist. I hope that I have been as clear as possible and have provided as much information as is
  possibly required.
  Thank you all in advance.

  Hi,
  To perform non-authoritative synchronization for DFSR-replicated SYSVOL, the following article can be referred to for more information.
  How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)
  http://support.microsoft.com/kb/2218556/en-us
  Besides, we can use dcdiag command to check the health of the DC.
  Dcdiag
  http://technet.microsoft.com/en-us/library/cc731968.aspx
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Difference between domain controllers and group policy objects in GPMC

  Hello,
  Am in confusion, someone can tel me the difference between
  1.Domain controllers>default domain controller policy  and
  2.Group policy object>default domain controller policy
  In Group policy management console and also i would like know where to define these categories. I normally use second option.
  I have attached screenshot for your information.
   regards,
  Dharanesh,

  This first/upper item is a link to the GPO, the second/lower item is the actual GPO.
  (notice the link, has a shortcut arrow showing)
  by default, when you double-click on a link, a message will display which says "you have clicked on a link....." and the messagbox offers a checkbox for "do not display this message again..."
  Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Excessive Traffic on Port 445 between 2 Domain Controllers

  Hi, my company has over 45 DC's across about 25 sites worldwide.  We are noticing a lot of traffic using wireshark and Network Monitor on Microsoft-DS port 445. I have been searching if this is normal and what I see is that it is used for SMB File and
  print sharing. Well, I don't have any file shares on these DC's other than the normal admin shares and sysvol share. I don't believe this is replication traffic since these 2 servers are not replication partners. I have checked sites and services to make sure
  the intersite and intrasite connections look good.   This traffic is constant over weeks and it is about 1 GB an hour between the 2 servers.  This would not be a big deal if this was just on the local LAN but it is over the WAN and
  that saturates the line.   Should 2 DC's be talking that much that are not even replication partners?  What type of traffic could it be.  I am at a loss for troubleshooting this.  I have done packet captures but that really does
  not tell me much ( that I can read anyway).  Oh, I have run AV scans alos and finding nothing.
  Any help would be greatly appreciated.
  Steve
  Steve

  Actually, DFS/FRS/DFSR replication is not related to NTDS replication. It uses a directory change notification event to trigger replication to a replica, and that is to all DCs in the domain. That's why you can have SYSVOL replication problems but AD replication
  of the partitions do not have problems, such as when you create a user on one and it replicates to it's NTDS partner.
  Below is a summary. You can read about how the whole process with NTFRS/DFSR works in the links below, if you like:
  Introduction to Administering DFS-Replicated SYSVOL
  "DFS Replication technology significantly improves replication of SYSVOL. ... When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated."
  "To replicate only updates to files, DFS Replication uses an algorithm called remote differential compression (RDC). RDC detects changes ... without having to replicate the entire file. RDC detects insertions, removals, and rearrangements of data
  in files. The DFS Replication service monitors SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication automatically replicates the file updates to the SYSVOL folders on the other domain controllers in the domain. "
  http://technet.microsoft.com/en-us/library/cc794837(v=WS.10).aspx
  How FRS Works - Windows 2003
  http://technet.microsoft.com/en-us/library/cc758169(v=WS.10).aspx
  DFS Replication: Frequently Asked Questions (FAQ)
  http://technet.microsoft.com/en-us/library/cc773238(v=WS.10).aspx
  I think 316 MB in SYSVOL is a good amount of data. What is in there taking up that much space? Is something using SYSVOL to store it's data, such as an app that's constantly changing data?
  The reason I'm asking is that this could be the cause of the issue, since if it changes on one DC, then it replicates, then another change occurs, etc., and it keeps going and it appears that a ton of data is being moved back and forth.
  Quick story - I remember a customer was using SYSVOL to store data so they can access it across the WAN link. He said he did it because of its "cool" replication features. I said, yea, but it's meant for domain data (GPO policies, templates, etc.)
  and not for custom data. Create a DFS share for that so it works independently of SYSVOL.
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Replication and AD Domain sevices errors between 2 Domain Controllers

  Hi,
  I've a 2 Domain Controllers (NJ-DC1-2K8 and NJ-DC2-2K8) setup in VMware Workstation 10. Recently, I've run into different errors in regards to Replication, DNS and AD Domain services. Both of my DC are setup with static IP pointing to each other for fault
  tolerance. Initially, One of my DC had a lingering object error which I was able to fix after spending some time. The next day, when I tried to replicate 2 DC, the number of errors grew. Ran dcdiag, it produced a list of crazy errors that I never saw before.
  I'm a newbie to the server environment, trying to gain knowledge so I can't get those errors sort out even I tried a lot. I read a lot of online articles on different forums like here Microsoft TechNet trying to overcome this problem but didn't work. I even
  removed DNS role and re-added it but same problem. I guess removing the DNS role doesn't remove everything related to DNS. I'm going to upload pictures here of the different errors through the commands I got. I would appreciate if someone can help me to get
  it fixed.
  Other than that, I also would like to know what is the best way to remove DNS, AD Domain Services and then reinstall them without demoting the server. What are some of the things I would have to keep in mind before doing that. How can I make sure that doing
  this wouldn't impact in AD data loss like user account, GP Policies, Computer account and etc....?
  Errors are as follows:
  1) C:\Users\Administrator>repadmin /syncall
      CALLBACK MESSAGE: The following replication is in progress:
      From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
      To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
      CALLBACK MESSAGE: Error issuing replication: 8451 (0x2103):
      The replication operation encountered a database error.
      From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
      To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
      CALLBACK MESSAGE: SyncAll Finished.
      SyncAll reported the following errors:
      Error issuing replication: 8451 (0x2103):
      The replication operation encountered a database error.
      From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
      To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
  2) C:\Users\Administrator>repadmin /showrepl
  Repadmin: running command /showrepl against full DC localhost
  NewJersey\NJ-DC1-2K8
  DSA Options: IS_GC
  Site Options: (none)
  DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
  DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
  ==== INBOUND NEIGHBORS ======================================
  DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          30 consecutive failure(s).
          Last success @ 2014-07-06 16:16:49.
  CN=Configuration,DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          29 consecutive failure(s).
          Last success @ 2014-07-06 16:06:25.
  CN=Schema,CN=Configuration,DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          10 consecutive failure(s).
          Last success @ 2014-07-06 15:49:54.
  DC=DomainDnsZones,DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          30 consecutive failure(s).
          Last success @ 2014-07-06 15:49:54.
  DC=ForestDnsZones,DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          19 consecutive failure(s).
          Last success @ 2014-07-06 16:10:47.
  Source: NewJersey\NJ-DC2-2K8
  ******* 30 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
  Last error: 8456 (0x2108):
              The source server is currently rejecting replication requests.
  3) C:\Users\Administrator>dcdiag /replsum
  Invalid Syntax: Invalid option /replsum. Use dcdiag.exe /h for help.
  C:\Users\Administrator>repadmin /replsum
  Replication Summary Start Time: 2014-07-06 21:03:28
  Beginning data collection for replication summary, this may take awhile:
  Source DSA          largest delta    fails/total %%   error
   NJ-DC1-2K8        09d.22h:06m:34s    5 /   5  100  (8457) The destination server is currently rejecting replication requests.
   NJ-DC2-2K8            05h:13m:34s    5 /   5  100  (8456) The source server is currently rejecting replication requests.
  Destination DSA     largest delta    fails/total %%   error
   NJ-DC1-2K8            05h:13m:34s    5 /   5  100  (8456) The source server is currently rejecting replication requests.
   NJ-DC2-2K8        09d.22h:06m:34s    5 /   5  100  (8457) The destination server is currently rejecting replication requests.
  4) C:\Users\Administrator>dcdiag /test:DNS
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     Home Server = NJ-DC1-2K8
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
     Testing server: NewJersey\NJ-DC1-2K8
        Starting test: Connectivity
           ......................... NJ-DC1-2K8 passed test Connectivity
  Doing primary tests
     Testing server: NewJersey\NJ-DC1-2K8
        Starting test: DNS
           DNS Tests are running and not hung. Please wait a few minutes...
           ......................... NJ-DC1-2K8 passed test DNS
     Running partition tests on : ForestDnsZones
     Running partition tests on : DomainDnsZones
     Running partition tests on : Schema
     Running partition tests on : Configuration
     Running partition tests on : Fleet
     Running enterprise tests on : Fleet.local
        Starting test: DNS
           Summary of test results for DNS servers used by the above domain controllers:
              DNS server: 128.8.10.90 (d.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
           ......................... Fleet.local passed test DNS
  5) C:\Users\Administrator>dcdiag
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     Home Server = NJ-DC1-2K8
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
     Testing server: NewJersey\NJ-DC1-2K8
        Starting test: Connectivity
           ......................... NJ-DC1-2K8 passed test Connectivity
  Doing primary tests
     Testing server: NewJersey\NJ-DC1-2K8
        Starting test: Advertising
           ......................... NJ-DC1-2K8 passed test Advertising
        Starting test: FrsEvent
           ......................... NJ-DC1-2K8 passed test FrsEvent
        Starting test: DFSREvent
           There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause
           Group Policy problems.
           ......................... NJ-DC1-2K8 failed test DFSREvent
        Starting test: SysVolCheck
           ......................... NJ-DC1-2K8 passed test SysVolCheck
        Starting test: KccEvent
           ......................... NJ-DC1-2K8 passed test KccEvent
        Starting test: KnowsOfRoleHolders
           ......................... NJ-DC1-2K8 passed test KnowsOfRoleHolders
        Starting test: MachineAccount
           ......................... NJ-DC1-2K8 passed test MachineAccount
        Starting test: NCSecDesc
           ......................... NJ-DC1-2K8 passed test NCSecDesc
        Starting test: NetLogons
           ......................... NJ-DC1-2K8 passed test NetLogons
        Starting test: ObjectsReplicated
           ......................... NJ-DC1-2K8 passed test ObjectsReplicated
        Starting test: Replications
           [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
              From NJ-DC2-2K8 to NJ-DC1-2K8
              Naming Context: DC=ForestDnsZones,DC=Fleet,DC=local
              The replication generated an error (8456):
              The source server is currently rejecting replication requests.
              The failure occurred at 2014-07-06 20:49:06.
              The last success occurred at 2014-07-06 16:10:47.
              19 failures have occurred since the last success.
              Replication has been explicitly disabled through the server options.
           [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
              From NJ-DC2-2K8 to NJ-DC1-2K8
              Naming Context: DC=DomainDnsZones,DC=Fleet,DC=local
              The replication generated an error (8456):
              The source server is currently rejecting replication requests.
              The failure occurred at 2014-07-06 21:04:16.
              The last success occurred at 2014-07-06 15:49:54.
              31 failures have occurred since the last success.
              Replication has been explicitly disabled through the server options.
           [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
              From NJ-DC2-2K8 to NJ-DC1-2K8
              Naming Context: CN=Schema,CN=Configuration,DC=Fleet,DC=local
              The replication generated an error (8456):
              The source server is currently rejecting replication requests.
              The failure occurred at 2014-07-06 20:49:06.
              The last success occurred at 2014-07-06 15:49:54.
              10 failures have occurred since the last success.
              Replication has been explicitly disabled through the server options.
           [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
              From NJ-DC2-2K8 to NJ-DC1-2K8
              Naming Context: CN=Configuration,DC=Fleet,DC=local
              The replication generated an error (8456):
              The source server is currently rejecting replication requests.
              The failure occurred at 2014-07-06 20:49:06.
              The last success occurred at 2014-07-06 16:06:25.
              29 failures have occurred since the last success.
              Replication has been explicitly disabled through the server options.
           [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
              From NJ-DC2-2K8 to NJ-DC1-2K8
              Naming Context: DC=Fleet,DC=local
              The replication generated an error (8456):
              The source server is currently rejecting replication requests.
              The failure occurred at 2014-07-06 20:49:06.
              The last success occurred at 2014-07-06 16:16:49.
              30 failures have occurred since the last success.
              Replication has been explicitly disabled through the server options.
           ......................... NJ-DC1-2K8 failed test Replications
        Starting test: RidManager
           ......................... NJ-DC1-2K8 passed test RidManager
        Starting test: Services
           ......................... NJ-DC1-2K8 passed test Services
        Starting test: SystemLog
           A warning event occurred.  EventID: 0x000003F6
              Time Generated: 07/06/2014   20:17:29
              Event String: Name resolution for the name 2.5.16.172.in-addr.arpa timed out after none of the configured DNS servers responded.
           An error event occurred.  EventID: 0x0000168E
              Time Generated: 07/06/2014   20:18:05
              Event String:
              The dynamic registration of the DNS record '9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local. 600 IN CNAME NJ-DC1-2K8.Fleet.local.'
   failed on the following DNS server:
           A warning event occurred.  EventID: 0x000003F6
              Time Generated: 07/06/2014   21:04:01
              Event String: Name resolution for the name 1.0.0.127.in-addr.arpa timed out after none of the configured DNS servers responded.
           ......................... NJ-DC1-2K8 failed test SystemLog
        Starting test: VerifyReferences
           ......................... NJ-DC1-2K8 passed test VerifyReferences
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : Fleet
        Starting test: CheckSDRefDom
           ......................... Fleet passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Fleet passed test CrossRefValidation
     Running enterprise tests on : Fleet.local
        Starting test: LocatorCheck
           ......................... Fleet.local passed test LocatorCheck
        Starting test: Intersite
           ......................... Fleet.local passed test Intersite
  6) C:\Users\Administrator>repadmin /showrepl NJ-DC1-2K8
  NewJersey\NJ-DC1-2K8
  DSA Options: IS_GC
  Site Options: (none)
  DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
  DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
  ==== INBOUND NEIGHBORS ======================================
  DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          30 consecutive failure(s).
          Last success @ 2014-07-06 16:16:49.
  CN=Configuration,DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          29 consecutive failure(s).
          Last success @ 2014-07-06 16:06:25.
  CN=Schema,CN=Configuration,DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          10 consecutive failure(s).
          Last success @ 2014-07-06 15:49:54.
  DC=DomainDnsZones,DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 21:04:16 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          31 consecutive failure(s).
          Last success @ 2014-07-06 15:49:54.
  DC=ForestDnsZones,DC=Fleet,DC=local
      NewJersey\NJ-DC2-2K8 via RPC
          DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
          Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
              The source server is currently rejecting replication requests.
          19 consecutive failure(s).
          Last success @ 2014-07-06 16:10:47.
  Source: NewJersey\NJ-DC2-2K8
  ******* 31 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
  Last error: 8456 (0x2108):
              The source server is currently rejecting replication requests.
  7) C:\Users\Administrator>repadmin /showrepl NJ-DC2-2K8
  NewJersey\NJ-DC2-2K8
  DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
  Site Options: (none)
  DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
  DSA invocationID: 3e8ee380-a165-4cef-b311-dadcf30f8406
  ==== INBOUND NEIGHBORS ======================================
  DC=Fleet,DC=local
      NewJersey\NJ-DC1-2K8 via RPC
          DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
          Last attempt @ 2014-07-06 21:04:22 failed, result 8457 (0x2109):
              The destination server is currently rejecting replication requests.
          53 consecutive failure(s).
          Last success @ 2014-06-26 23:01:29.
  CN=Configuration,DC=Fleet,DC=local
      NewJersey\NJ-DC1-2K8 via RPC
          DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
          Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
              The destination server is currently rejecting replication requests.
          10 consecutive failure(s).
          Last success @ 2014-06-26 22:56:54.
  CN=Schema,CN=Configuration,DC=Fleet,DC=local
      NewJersey\NJ-DC1-2K8 via RPC
          DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
          Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
              The destination server is currently rejecting replication requests.
          7 consecutive failure(s).
          Last success @ 2014-06-26 22:56:56.
  DC=DomainDnsZones,DC=Fleet,DC=local
      NewJersey\NJ-DC1-2K8 via RPC
          DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
          Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
              The destination server is currently rejecting replication requests.
          7 consecutive failure(s).
          Last success @ 2014-06-26 22:57:01.
  DC=ForestDnsZones,DC=Fleet,DC=local
      NewJersey\NJ-DC1-2K8 via RPC
          DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
          Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
              The destination server is currently rejecting replication requests.
          23 consecutive failure(s).
          Last success @ 2014-06-26 22:57:03.
  Source: NewJersey\NJ-DC1-2K8
  ******* 53 CONSECUTIVE FAILURES since 2014-06-26 23:01:29
  Last error: 8457 (0x2109):
              The destination server is currently rejecting replication requests.
  Please someone go through these different errors and walk me through exactly what I got to do to fix them.
  Thanks

  Hi,
  Actually, I made copies of those VMs to my external usb 3.0 hdd, so I can load up some of the VMs from it than from my internal hdd since it would freeze on my internal one sometimes. Copied ones worked fine for few days until recently when I started having
  these different issues. I did look at USN rollback and applied the fix, didn't work. For the past few days, I been spending endless hours on fixing them but it doesn't look like they are going to be fixed. It's driving me crazy and the bad news is that I've
  no backup of my data. I got 2 DC and both have these issues.
  Building new domain controllers in VMs won't be a problem for me but I'm worried about losing my AD database in both DCs which includes user and computer accounts and a bunch GPOs.
  I'm a newbie to the server environment. Can you please walk me through on exactly how can I save AD database if possible before I start doing the cleanup process on both of my DCs. I read some articles online which provide instructions on how can I cleanup
  the AD with Metadata and take both DCs offline but it's all confusing to me. They don't explain anything about saving AD database rather demoting bad DCs. If you know a fix for my DCs that I can apply, so I won't have do it all over and save time. Please let
  me know step by step process or whatever you could help me to bring those 2 DCs backup.
  Thanks

• Problem creating external trust between domains

  Hello,
  When I try to create one-way incoming external trust between 2 domains (to DomainA from DomainB) in separate forests I get this info:
  This domain already has a one-way trust relationshp with specified domain.
  But I cannot see it on the list of trusts either incoming or outgoing (in both domains).
  For sure trust was never setup before.
  In DomainA there are several other external not transitive trusts with other domains. But for sure DomainB do not have any incoming or outgoing trusts on list. Name resolution betwen domains is OK. I can ping domain name on both sides.
  Any help is welcome.
  Darek.

  Hi,
  Were there error events logged in Event Viewer? Besides, did we open necessary firewall ports for creating external trust?
  Regarding firewall ports, the following thread can be referred to for more information.
  Creating external trust between domain on different forest
  http://social.technet.microsoft.com/Forums/en-US/efe56730-ff95-4d6b-b95c-fc2c01ebd2d3/creating-external-trust-between-domain-on-different-forest?forum=winserverDS
  Best regards,
  Frank Shen

• DFSR failed to contact domain controller

  Im having an odd problem with DFSR group we created to replicate web content between two of our web servers.
  In event viewer we have this event 1202 for DFSR.
  "The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can
  be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
  Additional Information:
  Error: 160 (One or more arguments are not correct.)"
  In the DFSR logs I see this.
  20140303 12:18:27.874 1404 CFAD 8300 Config::AdConfig::GetLocalComputerNameWithDns Computer's fully-qualified DNS name: DFSRSERVER.domain.tld
  20140303 12:18:27.920 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
  20140303 12:18:27.936 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
  20140303 12:18:28.467 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
  20140303 12:18:28.467 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
  20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
  20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
  20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
  20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
  20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
  20140303 12:18:28.514 1404 SCFS 150 [WARN] ServiceConfig::DsPollIsDue Failed to enable lightweight polling. Error:
  + [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
  + [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
  + [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
  + [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
  20140303 12:18:28.514 1404 CREG 1419 Config::RegReader::IsSysVolCommitFlagSet key: System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Demoting SysVols valueName:'SysVol Information is Committed' result:0
  20140303 12:18:28.514 1404 W2CH 266 ConfigurationHelper::PollAdConfigNow Trying to connect to AD
  20140303 12:18:28.514 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
  20140303 12:18:28.514 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
  20140303 12:18:28.514 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
  20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
  20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
  20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
  20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
  20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
  20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
  20140303 12:18:28.514 1404 EVNT 1194 EventLog::Report Logging eventId:1202 parameterCount:4
  20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter1:
  20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter2:60
  20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter3:160
  20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter4:One or more arguments are not correct.
  20140303 12:18:28.530 1404 W2CH 318 [ERROR] ConfigurationHelper::PollAdConfigNow (Ignored) Failed to connect to AD. Error:
  + [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
  + [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
  + [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
  + [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
  When I run "dfsrdiag pollad":
  [ERROR] PollDsNow method executed unsuccessfully. ReturnValue: 12 (0xc)
  [ERROR] Failed to execute PollAD command Err: -2147217407 (0x80041001)
  However I can run "dfsrdiag dumpadcfg" and it outputs everything fine.
  We don't have any other problems with AD.  It seems like this started after we installed KB2467173 & KB2538242.  We are going to uninstall those and see if it works.

  I can successfully run "dfsrdiag.exe dumpadcfg" and it outputs the entire config.  Why does "dfsrdiag pollad" fail then if the config can be read.
  Why did it work before I rebooted the server?  In both cases it broke after rebooting.
  PS C:\Windows\system32> dfsrdiag dumpadcfg
  LDAP Bind : mydc.domain.tld
  SitesDn : cn=sites,cn=configuration,dc=domain,dc=tld
  ServicesDn : cn=services,cn=configuration,dc=domain,dc=tld
  SystemDn : cn=system,dc=domain,dc=tld
  DefaultNcDn : dc=domain,dc=tld
  ComputersDn : cn=computers,dc=domain,dc=tld
  DomainCtlDn : ou=domain controllers,dc=domain,dc=tld
  SchemaDn : CN=Schema,CN=Configuration,dc=domain,dc=tld
  COMPUTER: web1
  DN : cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
  GUID : 152E849C-4D7B-4AE8-B034-83747DBC1E89
  DNS : web1.domain.tld
  Server Ref : (null)
  USN Changed : 10862129
  When Created : Friday, January 31, 2014 8:41:06 PM
  When Changed : Tuesday, March 4, 2014 2:54:36 PM
  LOCAL SETTINGS: DFSR-LOCALSETTINGS
  DN : cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
  GUID : 3FD696E7-6598-4CDB-B2AB-98F148C0D2F7
  Version : 1.0.0.0
  USN Changed : 10932017
  When Created : Thursday, March 6, 2014 2:11:12 PM
  When Changed : Thursday, March 6, 2014 2:15:25 PM
  SUBSCRIBER: FF88A312-A0EB-44CC-A614-7A3D06DCC0AB
  DN : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
  GUID : 1119B663-F02A-4F1F-A904-23A87CFC93C3
  Member Ref : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  USN Changed : 10931931
  When Created : Thursday, March 6, 2014 2:11:12 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  SUBSCRIPTION: 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
  DN : cn=6783dde1-c795-4e8b-b07d-4ea8d7d0317f,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
  GUID : 3737B1F2-7E38-47E2-90E7-E57D82B145F1
  ContentSetGuid: 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
  Root Path : c:\inetpub\internetsites
  Root Size : 10240 (MB)
  Staging Path : c:\inetpub\internetsites\dfsrprivate\staging
  Staging Size : 4096 (MB)
  Conflict Path : c:\inetpub\internetsites\dfsrprivate\conflictanddeleted
  Conflict Size : 4096 (MB)
  USN Changed : 10931919
  When Created : Thursday, March 6, 2014 2:11:13 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  SUBSCRIPTION: F2F1F3A2-B36F-4170-B371-8E8043DF73F4
  DN : cn=f2f1f3a2-b36f-4170-b371-8e8043df73f4,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
  GUID : 57E7F8D7-1121-4334-BC81-74226ADF8969
  ContentSetGuid: F2F1F3A2-B36F-4170-B371-8E8043DF73F4
  Root Path : c:\internet_data
  Root Size : 10240 (MB)
  Staging Path : c:\internet_data\dfsrprivate\staging
  Staging Size : 4096 (MB)
  Conflict Path : c:\internet_data\dfsrprivate\conflictanddeleted
  Conflict Size : 4096 (MB)
  USN Changed : 10931921
  When Created : Thursday, March 6, 2014 2:11:13 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  SUBSCRIPTION: D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
  DN : cn=d0438b52-b706-4e40-b4c3-fe7a1aca5fcf,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
  GUID : F8217091-F71A-4D4A-A676-097583171A63
  ContentSetGuid: D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
  Root Path : c:\php\phpsites
  Root Size : 10240 (MB)
  Staging Path : c:\php\phpsites\dfsrprivate\staging
  Staging Size : 4096 (MB)
  Conflict Path : c:\php\phpsites\dfsrprivate\conflictanddeleted
  Conflict Size : 4096 (MB)
  USN Changed : 10931923
  When Created : Thursday, March 6, 2014 2:11:13 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  GLOBAL SETTINGS: DFSR-GLOBALSETTINGS
  DN : cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : 2E98CE5E-5CC7-4322-B5EA-2B6B340C689F
  USN Changed : 12525
  When Created : Saturday, October 22, 2011 1:56:38 AM
  When Changed : Saturday, October 22, 2011 1:56:38 AM
  REPLICATION GROUP: WEB CONTENT
  DN : cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : 9C94A417-6F6C-4F6C-BBFA-B8F52854C4DF
  Type : 0 (UNKNOWN REPLICATION GROUP TYPE)
  Options : 0x1 [Local Time Schedule]
  USN Changed : 10931906
  When Created : Thursday, March 6, 2014 2:11:12 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  CONTENT: CONTENT
  DN : cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : 6714C533-E631-4E71-930D-E4934FB7BD7E
  USN Changed : 10931908
  When Created : Thursday, March 6, 2014 2:11:12 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  CONTENT SET: INTERNET_DATA
  DN : cn=internet_data,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : F2F1F3A2-B36F-4170-B371-8E8043DF73F4
  File Filter : ~*, *.bak, *.tmp
  Compression Excl : (null)
  Dir Filter : (null)
  USN Changed : 10931916
  When Created : Thursday, March 6, 2014 2:11:13 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  CONTENT SET: INTERNETSITES
  DN : cn=internetsites,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
  File Filter : ~*, *.bak, *.tmp
  Compression Excl : (null)
  Dir Filter : (null)
  USN Changed : 10931915
  When Created : Thursday, March 6, 2014 2:11:13 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  CONTENT SET: PHPSITES
  DN : cn=phpsites,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
  File Filter : ~*, *.bak, *.tmp
  Compression Excl : (null)
  Dir Filter : (null)
  USN Changed : 10931917
  When Created : Thursday, March 6, 2014 2:11:13 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  TOPOLOGY: TOPOLOGY
  DN : cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : 16053002-7B99-4DA7-BFE5-2A6418040640
  USN Changed : 10931907
  When Created : Thursday, March 6, 2014 2:11:12 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  MEMBER: FF88A312-A0EB-44CC-A614-7A3D06DCC0AB
  DN : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : 75A99277-C401-409F-A32D-6D8EE18E5D0C
  Server Ref : (null)
  Computer Ref : cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
  Keywords : (null)
  Computer DNS : web1.domain.tld
  USN Changed : 10931933
  When Created : Thursday, March 6, 2014 2:11:12 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  CXTION: 9ECE3EB7-FE97-4A1B-8DE3-47A77B2C625B
  DN : cn=9ece3eb7-fe97-4a1b-8de3-47a77b2c625b,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : 1D26B348-3875-4BD1-9473-E72506AFA222
  Inbound : true
  Partner DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  Enabled : TRUE
  Options : 0x1 [Local Time Schedule]
  USN Changed : 10931924
  When Created : Thursday, March 6, 2014 2:11:13 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  CXTION: 2BFA8BE2-0444-4AAF-8293-A5486CF8D7A3
  DN : cn=2bfa8be2-0444-4aaf-8293-a5486cf8d7a3,cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : A7203451-D95F-44D5-AC04-13056DCE5A89
  Inbound : false
  Partner DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  Enabled : TRUE
  Options : 0x1 [Local Time Schedule]
  USN Changed : 10931925
  When Created : Thursday, March 6, 2014 2:11:13 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  MEMBER: 46F913DB-8509-4581-A66D-D37E4EA3EF29
  DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
  GUID : 1BA26D07-45F5-44A0-8450-9274AFD99B1C
  Server Ref : (null)
  Computer Ref : cn=fccu01web,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
  Keywords : (null)
  Computer DNS : fccu01web.domain.tld
  USN Changed : 10931927
  When Created : Thursday, March 6, 2014 2:11:12 PM
  When Changed : Thursday, March 6, 2014 2:11:27 PM
  Operation Succeeded

• Windows 8.1 Pro Cannot Connect to Domain Controllers through Wi-Fi

  I have a domain joined Surface 2 Pro running 8.1 Pro Update that is suddenly unable to connect to the domain controllers on the local network. The machine is fully patched. I'm guessing that it is some network level security issue because the wi-fi is working:
  It has no trouble connecting to my Wi-Fi hotspot on my phone.
  It has no trouble connecting to other Wi-Fi at coffee shops etc.
  It is connecting to my home Wi-Fi and gets an address from DHCP on the domain controllers, but can't ping the DCs, access the DCs through remote desktop even using their IP address.
  It can ping the router and ping systems on the internet using their IP address rather than hostname.
  I can fully access internet systems if I point it at DNS on the router but still cannot access internal systems by name or IP address.
  The Wi-Fi network shows as a public network rather than a domain.
  It will work fine when it is docked and using the dock's ethernet adapter.
  If I use VPN to loop back through my router then I am able to fully access local systems.
  None of the other systems on the network are experiencing the same issue.
  I have tried the following which didn't work:
  Switched off the Windows Firewall on the Windows 8.1 system and a domain controller.
  Network Troubleshooting - which told me that the network seems OK but the DNS servers are not responding.
  Uninstalling the Wi-Fi device and restarting the system to re-install it.
  Resetting TCP/IP.
  I am not aware of any changes, but the system did install System Hardware Update 8/07/2014 (again!) but I can't recall if that was when the problem started or was just a coincidence.
  Any suggestions?
  Thanks,
  Richard
  Richard-F

  Hi Richard,
  Apologize for my slow understanding.
  I thought as it could obtain IP address from the DC, it should have connections between them.
  For the current situation, you may take a try to disable the firewall on the DC, then check the port that used by AD environment is all available,
  Active Directory and Active Directory Domain Services Port Requirements, you could take use of this tool:
  PortQryUI - User Interface for the PortQry Command Line Port Scanner
  If all available and issue still insists, then issue here seems to be restricted with the wireless router. You may try to contact the router side and see if they could offer any further useful information regarding this situation.
  Best regards
  Michael Shao
  TechNet Community Support

• The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted

  I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
  with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
  The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
  Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain
   is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.
  I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it
  is not available.
  Help please!

  Hi,
  As there is server 2012 DC (SERVER1) DC is operational in a domain then "This domain controller is the last controller for the domain" should be remain unchecked when you demote SERVER2 DC. 
  If you are getting error "Active Directory domain controllers for that domain can be contacted" while demoting SERVER2 DC then check the DNS pointing on both as per below article, disable windows firewall on all DC, less possiblities but worth to check if both
  are different site then check the ports are open on firewall. 
  http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
  http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
  http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
  run “ipconfig /flushdns & ipconfig /registerdns“, restart DNS server and NETLOGON service on each DC and try to demote server2 DC.
  If issue reoccurs, post dcdiag /q result.
  NOTE: If initial replication was completed between both DC (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
  Active Directory Metadata Cleanup
  http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
  Best regards,
  Abhijit Waikar.
  MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
  Blog: http://abhijitw.wordpress.com
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

• OIM provisioning to Multiple Domain Controllers of a single Domain

  Hi experts !
  Our client has offices in different parts of country and they are using MS AD. We have to integrated this AD with OIM. The issue we are facing is that there is a cluster of domain controllers (DC) at each location for example NewYork, Dallas and Ohio and OIM is being deployed in NY. All the DC at all location are part of a single domain "example.com" and they is no child domain.
  Now if a User Administrator in Ohio logs in to this central OIM online and creates / modifies user profile of a user in AD, it means that the OIM will create / update the user profile in the DC placed in NY and through AD replication, it will be pushed to Ohio.
  As the communication between few sites is not reliable, thus managers at these locations will have to bear the delays if the replication between DCs takes time even when they have modified the resource profile in OIM.
  Is it a possibility that the user administrator at location A, when modifies the user resource profile, the modifications is carried out in the DC of location A? for example, if the administrator in Ohio logs in, whenever, he changes the profile, OIM modifies the profile in DC placed at Ohio?
  I have gone through "Configuring the Connector for Multiple Installations of the Target System" in MS AD connector Documentation but i am uncertain whether this "target system" means DC of same domain or different child domains?
  Any help / idea would be really appreciated.
  Best Regards.
  Edited by: Zia on May 8, 2011 11:21 PM
  Edited by: Zia on May 8, 2011 11:22 PM

  thank you for your reply sir
  initially i was of the idea to place OIM servers at each location with DB at a central point. However, there are more than a dozen such locations! have you come accross any such scenario where more than 12 machines running OIM at different places point to a central DB? i was a bit reluctant in proposing such design due to network instability. So we decided to deploy OIM at a single location in cluster mode and admins at each location will access this single instance (cluster) over the WAN. This cluster will populate domain controller at this specific location and will be replicated through AD replication.
  But now the analysis team has pointed out the problem scenario as i have mentioned in my earlier post. so we are in a bit fix how to handle this situation :-s

• DFSR replication stopped between sites after all servers updated (Event 1202)

  Hello,
  I'm afraid, i will greatly appreciate any help on this one.
  I'm working on it since 2 days without success (I read many thread without help).
  So the fact:
  I have 2 AD (2008 R2) on site 1 and 2 AD (2008 R2) on site 2.
  I have also 2 files servers (2008) on site 1 and 2 files servers (2008 R2) on site 2.
  The files servers run DFS system.
  DFS Namespace is host on all AD.
  DFS Replication and share are on all files servers.
  After update all my servers. I got a big problem.
  Communication between files servers and AD of site 2 isn't working properly now.
  By this fact, DFSR is not working anymore between site 1 (all seem fine on this site) and site 2.
  DFSR on site 2, pop this events all time:
  Event 1202 - Source DFSR
  The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused
  by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
  Additional Information:
  Error: 160 (One or more arguments are not correct.)
  Event 1055 - Source GroupPolicy
  The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
  a) Name Resolution failure on the current domain controller.
  b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
  >dfsrdiag dumpadcfg
  Operation Failed
  >dfsrdiag pollad
  Operation Failed
  On ADs site 2, dcdiag /e don't reveal any issue.
  I tried to install hotfix ref on this thread (without help) -> https://social.technet.microsoft.com/Forums/en-US/7d486eb5-6b03-471c-a4dc-65826e712fc3/dfsr-replication-event-id-1202-the-dfs-replication-service-failed-to-contact-domain-controller?forum=winserverfiles
  I don't have issue with DNS (nslookup work fine).
  Firewall are disable on all servers.
  My problem looks a bit like here (but he don't speak about 2008 R2 - old article) -> blogs.technet.com/b/askds/archive/2011/04/08/restrictions-for-unauthenticated-rpc-clients-the-group-policy-that-punches-your-domain-in-the-face.asp
  Any help will be greatly appreciate.
  Fabien

  Hi Fabien,
  Do you use the ping command to check basic network connectivity? Please refer to the article below to clear bad information in Active Directory-integrated DNS:
  How to clear bad information in Active Directory-integrated DNS
  http://support.microsoft.com/kb/305967
  You could also refer to the threads below to troubleshoot the issue:
  DFSR failed to contact domain controller
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/eae32fb9-3234-402a-be8b-2ab9555fd25d/dfsr-failed-to-contact-domain-controller?forum=winserverfiles
  GPO not replicating and GPO's during today not always applying
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/ff885ae8-497f-48c1-b30b-efea95016334/gpo-not-replicating-and-gpos-during-today-not-always-applying?forum=winserverGP
  Best Regards,
  Mandy 
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Site to Site VPN connection for two Domain Controllers

  I need to set up a site to site vpn connection using 2 pix 500 series firewalls to connect 2 domain controllers. Once the site to site vpn is established, do the servers automatically see each other for replication?
  Thanx.

  My Active Directory guy has taken a good look at a small site-to-site VPN setup that I'm having a BIG problem with, and his answer is "They're supposed to." He said that as long as DC#2 (in the remote office) has the ability to resolve DNS for DC#1 (in the primary office) then the two should automatically replicate.
  I have a two-office IPSec site-to-site tunnel between two 831's running 12.4.11T (soon to be upgraded to the latest 11T or even 15T1). XP SP2 machines in the remote office have full visibility back to the shares in the central office, and pings and nmap scans work perfectly in either direction, but my newly-added DC#2 in the remote office isn't replicating back to DC#1 (the original DC for the environment). I ran a full nmap scan from the central office against DC#2, and can see all of the expected ports/services open (e.g. 389(LDAP), 445 (msds), 135, 137, 3389, etc) but I can't view shares on DC#2 (or any other PC in the remote office) from the central office. Again, DC#2 and remote office PCs have no problem seeing shares back at headquarters.
  Sorry for not being more helpful - hopefully someone out there can shed more light on the topic. If not, I'm going to call it into TAC and I'll let you know.
  But again, from an Active Directory perspective this should 'just work' so it seems that either the IPSec tunnel or perhaps the "ip inspect" IOS CBAC firewalls are getting in the way.

• I need to be able to find domain controllers that have been removed from the domain but never demoted

  I need to find domain controllers that have been removed but never demoted.
  Here's the story...
  I came on an Active Directory administrator for an organization which has 600+ domain controllers, most running Server 2003, but I have some Server 2008R2. Throughout all this time the organization has had DCs that have stopped working, crashed or failed
  for some reason and all the IT department has done is created another domain controller name it the same thing with an (A), (B) appended to the name and then never removed any of the failed controllers from the directory.
  Thing is this has been going on for quite some time, don’t know for sure how long as I am still trying to clean up DNS replication problems and have been having to go around and reset machine passwords for the forest. What I need to be able to do is to script
  something that will return all the failed DCs so that I can go into the directory and use NTDUTIL to clean the machines. I don’t want to go into the directory and remove a machine that’s still out there. No one in the organization has a list or record of failed
  machines.
  You can see this may be a gargantuan task, but I need to be able to make it easier on 
  myself by finding the machines first and cleaning out DNS, cleaning the DCs out of the “Sites” and cleaning them out of the directory.
  Appreciate any help I can get…

  Hi,
  Thanks for posting in the forum.
  Regarding your question, maybe we should remove these orphaned DC from AD, please try to refer to the following articles to perform the cleanup task.
  How to remove completely orphaned Domain Controller
  http://support.microsoft.com/kb/555846
  Complete Step by Step to Remove an Orphaned Domain controller
  http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
  Metadata Cleanup of a Domain controller
  http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
  Here is a similar thread as reference, hope it helps.
  Remove References of a Failed DC/Domain
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/87516188-731a-4b7f-a4cc-06ce4ad27b19/remove-references-of-a-failed-dcdomain
  Best Regards,
  Andy Qi
  TechNet Subscriber Support
  If you are
  TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Andy Qi
  TechNet Community Support

• Blue Screen on Domain controllers after Updates

  After patching our Domain controllers (virtual on ESXi 5.5 U2) recently we started getting Blue screens and reboots. Other changes in our environment around this time include enabling vshield drivers and scanning with Trend Micro. I have removed patches
  from April but cannot remove Patch KB3020370 - there is no uninstall button. The error still persists, I have removed the Vshield driver and am waiting to see if the issue reoccurs. Can anyone assist in interpreting the details below? Also is it possible to
  remove the patch KB3020370? This only appeart to affect Domain Controllers, regular servers appear unaffected.
  Thanks
  Below is the BugCheck event.
  The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007f (0x0000000000000008, 0x0000000080050031, 0x00000000000406f8, 0xfffff800018c0e14). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042915-21762-01.
  And output from the debug tool.
  Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
  Copyright (c) Microsoft Corporation. All rights reserved.
  Loading Dump File [c:\MiniDump\042815-21762-01.dmp]
  Mini Kernel Dump File: Only registers and stack trace are available
  Error: Attempts to access 'c:\windows\i386' failed: 0x2 - The system cannot find the file specified.
  ************* Symbol Path validation summary **************
  Response                         Time (ms)     Location
  Error                                          c:\windows\i386
  ************* Symbol Path validation summary **************
  Response                         Time (ms)     Location
  Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
  Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
  Executable search path is: c:\windows\i386
  Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x64
  Product: LanManNt, suite: TerminalServer SingleUserTS
  Built by: 7601.18798.amd64fre.win7sp1_gdr.150316-1654
  Machine Name:
  Kernel base = 0xfffff800`0185e000 PsLoadedModuleList = 0xfffff800`01aa3890
  Debug session time: Tue Apr 28 13:20:34.290 2015 (UTC + 1:00)
  System Uptime: 0 days 0:27:28.954
  Loading Kernel Symbols
  Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
  Run !sym noisy before .reload to track down problems loading symbols.
  Loading User Symbols
  Loading unloaded module list
  *                        Bugcheck Analysis                                    *
  Use !analyze -v to get detailed debugging information.
  BugCheck 7F, {8, 80050031, 406f8, fffff800018d4e14}
  Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )
  Followup: MachineOwner
  kd> !analyze -v
  *                        Bugcheck Analysis                                    *
  UNEXPECTED_KERNEL_MODE_TRAP (7f)
  This means a trap occurred in kernel mode, and it's a trap of a kind
  that the kernel isn't allowed to have/catch (bound trap) or that
  is always instant death (double fault).  The first number in the
  bugcheck params is the number of the trap (8 = double fault, etc)
  Consult an Intel x86 family manual to learn more about what these
  traps are. Here is a *portion* of those codes:
  If kv shows a taskGate
          use .tss on the part before the colon, then kv.
  Else if kv shows a trapframe
          use .trap on that value
  Else
          .trap on the appropriate frame will show where the trap was taken
          (on x86, this will be the ebp that goes with the procedure KiTrap)
  Endif
  kb will then show the corrected stack.
  Arguments:
  Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
  Arg2: 0000000080050031
  Arg3: 00000000000406f8
  Arg4: fffff800018d4e14
  Debugging Details:
  BUGCHECK_STR:  0x7f_8
  CUSTOMER_CRASH_COUNT:  1
  DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT_SERVER
  PROCESS_NAME:  System
  CURRENT_IRQL:  0
  ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
  LAST_CONTROL_TRANSFER:  from fffff800018cffe9 to fffff800018d0a40
  STACK_TEXT:  
  fffff800`01620d28 fffff800`018cffe9 : 00000000`0000007f 00000000`00000008 00000000`80050031 00000000`000406f8 : nt!KeBugCheckEx
  fffff800`01620d30 fffff800`018ce4b2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
  fffff800`01620e70 fffff800`018d4e14 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
  fffff880`0276e000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x4
  STACK_COMMAND:  kb
  FOLLOWUP_IP: 
  nt!KiDoubleFaultAbort+b2
  fffff800`018ce4b2 90              nop
  SYMBOL_STACK_INDEX:  2
  SYMBOL_NAME:  nt!KiDoubleFaultAbort+b2
  FOLLOWUP_NAME:  MachineOwner
  MODULE_NAME: nt
  IMAGE_NAME:  ntkrnlmp.exe
  DEBUG_FLR_IMAGE_TIMESTAMP:  5507a73c
  IMAGE_VERSION:  6.1.7601.18798
  FAILURE_BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+b2
  BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+b2
  ANALYSIS_SOURCE:  KM
  FAILURE_ID_HASH_STRING:  km:x64_0x7f_8_nt!kidoublefaultabort+b2
  FAILURE_ID_HASH:  {0367acc4-9bb4-ab69-5701-46a2011718e9}
  Followup: MachineOwner

  Hi,
  Dump file displays：
  BugCheck 7F, {8, 80050031, 406f8, fffff800018d4e14} and Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 ).
  Bug check 0x7F typically occurs after you install a faulty or mismatched hardware (especially memory) or if installed hardware fails.
  A double fault can occur when the kernel stack overflows. This overflow occurs if multiple drivers are attached to the same stack. For example, if two file system filter drivers are attached to the same stack and then the file system recurses back in, the stack
  overflows.
  You may reference the link below for detailed resolution about this problem:
  https://msdn.microsoft.com/en-us/library/windows/hardware/ff559244(v=vs.85).aspx
  Besides, you may try to restore the server to the state before installing these Windows Update.
  Best Regards,
  Eve Wang 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]