Global Catalog Server?

I am upgrading three domain controllers by replacing old '03 DCs with new '12 DCs. The set is a parent domain with two sub-domains for child organizations. No users in the sub-domains should be able to log into the other domains or see the GAL for the Exchange servers in the other orgs. Each of the three has its own Exchange server. The same IT team manages all three, so we want to have them in the same forest (correct term?).

Should any of the domain controllers be a Global Catalog server? That is an option when upgrading the DC server from '03 to '12.

"Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog (GC) servers to access the global address list (GAL). Because a domain controller that acts as a global catalog server stores objects for all domains in the...
This topic first appeared in the Spiceworks Community

CFLDAP requires a domain controller to be specified. It can't find the root DSE of the domain and start from there. The best workaround is to "know" every domain controller in your domain. Then run a very simple LDAP query using the first domain controller. If an error occurs, try the LDAP query with the second domain controller. Keep this up until you run out of domain controllers. If that happens, you are in worse trouble, because your domain will start to fall apart.

Use CFTRY/CFCATCH to test for any LDAP errors when a domain controller is not responding. You can even wrap this in a simple CFLOOP that loops over a list of domain controllers. All it has to do is return a simple query that should take very little time to process. All you are doing is testing to make sure the domain controller is responding.
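The try-each-DC-in-a-loop approach described above, written out as an added PowerShell example (it is not code from the reply or from ColdFusion): an ordered list of known domain controllers is walked, a cheap RootDSE base-scope search is sent to each inside try/catch, and the first DC that answers is returned. It assumes Windows PowerShell 5 or later, that the caller supplies the DC host names, that TCP 389 is reachable, and that the .NET System.DirectoryServices.Protocols assembly is present; the host names in the usage line are hypothetical.

```powershell
# Added example: probe an ordered list of domain controllers with a RootDSE query and
# return the first one that responds. Assumes PowerShell 5+ and the
# System.DirectoryServices.Protocols assembly (ships with .NET Framework on Windows).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Find-RespondingDomainController {
    param(
        [Parameter(Mandatory)] [string[]] $DomainControllers,  # preference order
        [int] $Port = 389,
        [int] $TimeoutSeconds = 5
    )
    foreach ($dc in $DomainControllers) {
        $identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($dc, $Port)
        $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
        try {
            $conn.SessionOptions.ProtocolVersion = 3
            $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
            # The RootDSE is readable without credentials on every DC, so an
            # anonymous base-scope search is the cheapest "are you alive" probe.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
            $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
                '',
                '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Base,
                [string[]]@('dnsHostName', 'defaultNamingContext', 'isGlobalCatalogReady'))
            $response = $conn.SendRequest($request)
            $entry = $response.Entries[0]
            return [pscustomobject]@{
                DomainController     = $dc
                DnsHostName          = [string]$entry.Attributes['dnsHostName'][0]
                DefaultNamingContext = [string]$entry.Attributes['defaultNamingContext'][0]
                IsGlobalCatalogReady = [string]$entry.Attributes['isGlobalCatalogReady'][0]
            }
        }
        catch {
            # Timeout, refused connection or LDAP error: note it and try the next DC.
            Write-Warning ("{0}:{1} did not answer: {2}" -f $dc, $Port, $_.Exception.Message)
        }
        finally {
            $conn.Dispose()
        }
    }
    throw "None of the listed domain controllers responded: $($DomainControllers -join ', ')"
}

# Usage (hypothetical host names):
# Find-RespondingDomainController -DomainControllers 'dc1.corp.example', 'dc2.corp.example'
```

The RootDSE attribute isGlobalCatalogReady is returned alongside the host name, so the same probe tells you whether the DC that answered is also advertising as a global catalog; pass -Port 3268 if you want to test the GC listener rather than the domain LDAP port.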

Similar Messages

  • A Global Catalog Server could not be located - All GC's are down SBS 2011

    I have been searching through these forums and managed to find similar errors but am struggling to find an answer that applies to me.
    I seem to be having a number of issues with our SBS. I believe this domain was previously on an SBS 2003 box before being moved to this SBS 2011 box last year; it has been running fine until yesterday. I can't see anything that has changed since then, though.
    Everything seems to point to DNS, although I am struggling to pinpoint the actual cause. The most worrying is when I try to open something on the SBS such as AD Sites and Services; the error is:
    Active Directory Domain Services - Naming information cannot be located because: The specified domain either does not exist or could not be contacted. Contact your system administrator to verify that your domain is properly configured and is currently online.
    Here is the ipconfig /all from the server:
    Host Name . . . . . . . . . . . . : SBS2012
    Primary Dns Suffix . . . . . . . : Contosso.local
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : Contosso.local
    Ethernet adapter Local Area Connection 2:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network Connection #2
    Physical Address. . . . . . . . . : 00-1E-67-39-23-14
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::8087:34f0:59f9:6a26%12(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.35.250(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.35.1
    DHCPv6 IAID . . . . . . . . . . . : 301997671
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-39-46-22-00-1E-67-39-23-15
    DNS Servers . . . . . . . . . . . : 192.168.35.250
    NetBIOS over Tcpip. . . . . . . . : Enabled
    PPP adapter RAS (Dial In) Interface:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : RAS (Dial In) Interface
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.35.24(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{A23E95B8-B5C2-4D88-BDE9-E9F1C2DD3902}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    and here is the nltest
    nltest /server:sbs2012 /dsgetdc:contosso.local
    DC: \\SBS2012.contosso.local
    Address: \\192.168.35.250
    Dom Guid: c50b6df3-9d22-4c87-b2a7-adadc4fd5ec1
    Dom Name: contosso.local
    Forest Name: contosso.local
    Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
    Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
    DNS_FOREST CLOSE_SITE FULL_SECRET WS
    The command completed successfully
    As far as I can see everything so far looks OK (highly possible I am missing something), but when I run a DCDIAG it gets messy:
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = SBS2012
    * Identified AD Forest.
    Done gathering initial info.
    Doing initial required tests
    Testing server: Default-First-Site-Name\SBS2012
    Starting test: Connectivity
    ......................... SBS2012 passed test Connectivity
    Doing primary tests
    Testing server: Default-First-Site-Name\SBS2012
    Starting test: Advertising
    Fatal Error:DsGetDcName (SBS2012) call failed, error 1355
    The Locator could not find the server.
    ......................... SBS2012 failed test Advertising
    Starting test: FrsEvent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... SBS2012 passed test FrsEvent
    Starting test: DFSREvent
    ......................... SBS2012 passed test DFSREvent
    Starting test: SysVolCheck
    ......................... SBS2012 passed test SysVolCheck
    Starting test: KccEvent
    ......................... SBS2012 passed test KccEvent
    Starting test: KnowsOfRoleHolders
    ......................... SBS2012 passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    ......................... SBS2012 passed test MachineAccount
    Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=Contosso,DC=local
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=Contosso,DC=local
    ......................... SBS2012 failed test NCSecDesc
    Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\SBS2012\netlogon)
    [SBS2012] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... SBS2012 failed test NetLogons
    Starting test: ObjectsReplicated
    ......................... SBS2012 passed test ObjectsReplicated
    Starting test: Replications
    [Replications Check,SBS2012] DsReplicaGetInfo(PENDING_OPS, NULL)
    failed, error 0x2105 "Replication access was denied."
    ......................... SBS2012 failed test Replications
    Starting test: RidManager
    ......................... SBS2012 passed test RidManager
    Starting test: Services
    Could not open NTDS Service on SBS2012, error 0x5
    "Access is denied."
    ......................... SBS2012 failed test Services
    Starting test: SystemLog
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:27:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:32:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:37:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:42:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:47:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:52:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:09
    Event String:
    Driver EPSON WorkForce 645 Series required for printer EPSON WorkForce 645 Series is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:10
    Event String:
    Driver FX DocuCentre-IV C2270 PCL 6 required for printer scanner - 212 Manukau Rd Epsom is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:10
    Event String:
    Driver HP ePrint required for printer HP ePrint is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:11
    Event String:
    Driver PDF Complete Converter required for printer PDF Complete is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:14
    Event String:
    Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:57:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 09:02:33
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    A warning event occurred. EventID: 0x00002724
    Time Generated: 07/12/2013 09:03:32
    Event String:
    This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
    An error event occurred. EventID: 0x0000041A
    Time Generated: 07/12/2013 09:03:33
    Event String:
    The DHCP/BINL service on the local machine encountered a network error. The error was: 0x 2.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 09:03:33
    Event String:
    The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:45
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:46
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:46
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:46
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:46
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0x00000406
    Time Generated: 07/12/2013 09:07:33
    Event String:
    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
    An error event occurred. EventID: 0x00000406
    Time Generated: 07/12/2013 09:12:34
    Event String:
    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
    An error event occurred. EventID: 0xC00038D6
    Time Generated: 07/12/2013 09:16:24
    Event String:
    The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 09:17:34
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 09:22:34
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    ......................... SBS2012 failed test SystemLog
    Starting test: VerifyReferences
    ......................... SBS2012 passed test VerifyReferences
    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation
    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation
    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Running partition tests on : Contosso
    Starting test: CheckSDRefDom
    ......................... Contosso passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Contosso passed test CrossRefValidation
    Running enterprise tests on : Contosso.local
    Starting test: LocatorCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.
    Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
    A Time Server could not be located.
    The server holding the PDC role is down.
    Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
    1355
    A Good Time Server could not be located.
    Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
    A KDC could not be located - All the KDCs are down.
    ......................... Contosso.local failed test LocatorCheck
    Starting test: Intersite
    ......................... Contosso.local passed test Intersite
    I found a few people who have had similar issues that were caused by the "netlogon" service being paused or stopped, but in my case it is set to start automatically and is running.
    I have also posted this to Server Fault (can't post links yet: serverfault.com/questions/522691/a-global-catalog-server-could-not-be-located-all-gcs-are-down), as there may be info there that may help.
    Thanks for taking the time to read this; hopefully someone out there has come across this before or can offer something in regards to the next steps I should take.

    Some troubleshooting ideas:
    0. Check if the DCs can resolve each other using their DNSHostName. If not, this indicates some DNS misconfiguration -- you need to fix that first.
    1. Check if both the DCs are pointing to the same DNS server (or DNS servers that are replicas of each other). Run "ipconfig /all" and check its output. If not, correct the DNS client settings and run dcdiag after some time.
    2. Check if dynamic updates are "turned on" on the DNS server.
    3. Try re-registering the DCs' SRV records by either restarting the Netlogon service or by running the following command:
         nltest.exe /dsregdns

  • How to replicate 'memberOf' attribute to global catalog server

    Hi,
    I am trying to replicate the 'memberOf' attribute to the global catalog server, to get the data from a child domain where a trust is enabled.
    I did a little research and found that 'isMemberOfPartialAttributeSet' should be true to get it replicated to the global catalog server.
    In the schema, I am trying to set 'isMemberOfPartialAttributeSet' to true for the "is-member-of-DL" attribute and getting "illegal modification".
    Is there any other way I can modify it (or with help from Microsoft)?
    OS: Windows 2003 R2 (SP2) - MSDN
    Thanks!
    Karthik
    Thanks, Karthikeyan R

    Hi Karthik,
    Based on my tests, the right way to modify attributes that replicate to the Global Catalog is:
    Open Active Directory schema snap-in.
    Then locate the attribute which you wish to modify.
    Right click on it, and select Properties.
    Tick the check box “Replicate this attribute to the Global Catalog”.
    Here is a screenshot for you:
    More references below:
    Install the Active Directory Schema snap-in
    http://technet.microsoft.com/en-us/library/cc755885(v=WS.10).aspx
    How to Modify Attributes That Replicate to the Global Catalog
    http://support.microsoft.com/kb/248717
    Best Regards,
    Amy
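The same schema change Amy describes for the snap-in, as an added PowerShell example that is not from her answer or from Microsoft: one function reads an attribute's attributeSchema object and reports its isMemberOfPartialAttributeSet flag, the other writes the flag on the schema master. It goes slightly beyond the answer by also reporting the attribute's linkID: memberOf (is-Member-Of-DL) is a back link, and back links are computed from their forward link rather than stored, so the flag cannot be set on them, which is what the "illegal modification" in the question reflects. It assumes a management host with the RSAT ActiveDirectory module (Windows Server 2008 R2 / Windows 7 or later), an account in Schema Admins, and the attribute name used in the usage line is hypothetical.

```powershell
# Added example: inspect and set the GC partial-attribute-set flag on a schema
# attribute with the ActiveDirectory module. Assumes RSAT and Schema Admins rights.
Import-Module ActiveDirectory

function Get-GcReplicatedAttribute {
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, linkID, systemFlags
    if (-not $attr) { throw "No attributeSchema object with lDAPDisplayName '$LdapDisplayName'" }
    [pscustomobject]@{
        Attribute             = $attr.lDAPDisplayName
        DistinguishedName     = $attr.DistinguishedName
        InPartialAttributeSet = [bool]$attr.isMemberOfPartialAttributeSet
        LinkID                = $attr.linkID
        # Odd linkID values are back links (memberOf has linkID 3). Back links are
        # derived from the forward link (member) and cannot be added to the GC set.
        IsBackLink            = ($null -ne $attr.linkID) -and ($attr.linkID % 2 -eq 1)
    }
}

function Set-GcReplicatedAttribute {
    param(
        [Parameter(Mandatory)] [string] $LdapDisplayName,
        [bool] $Replicate = $true
    )
    $info = Get-GcReplicatedAttribute -LdapDisplayName $LdapDisplayName
    if ($info.IsBackLink) {
        throw "$LdapDisplayName is a back link (linkID $($info.LinkID)); set the flag on its forward-link attribute instead"
    }
    # Schema writes must go to the schema master FSMO role holder.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $info.DistinguishedName -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $Replicate }
    Get-GcReplicatedAttribute -LdapDisplayName $LdapDisplayName
}

# Usage:
# Get-GcReplicatedAttribute -LdapDisplayName 'memberOf'          # IsBackLink = True
# Set-GcReplicatedAttribute -LdapDisplayName 'myCustomAttribute'  # hypothetical attribute
```

Changing the partial attribute set is a forest-wide schema change: every global catalog in the forest will replicate the new attribute for every object, so inspect first and apply the change during a maintenance window.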

  • A Global Catalog Server could not be located - All GC's are down server 2003 dc

    I'm all out of ideas. I have two 2003 server DCs that both fail DCDIAG with the following, and my Exchange services won't come online due to this. Please help!
    dc1-server dcdiag
          Starting test: FsmoCheck
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.
             PDC Name: \\dc1-server.silistra-bg.net
             Locator Flags: 0xe00003dd
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
             A KDC could not be located - All the KDCs are down.
             ......................... silistra-bg.net failed test FsmoCheck     
    dc2-server dcdiag:
          Starting test: FsmoCheck
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.
             Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
             A Primary Domain Controller could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
             A KDC could not be located - All the KDCs are down.
             ......................... silistra-bg.net failed test FsmoCheck

    Some troubleshooting ideas:
    0. Check if the DCs can resolve each other using their DNSHostName. If not, this indicates some DNS misconfiguration -- you need to fix that first.
    1. Check if both the DCs are pointing to the same DNS server (or DNS servers that are replicas of each other). Run "ipconfig /all" and check its output. If not, correct the DNS client settings and run dcdiag after some time.
    2. Check if dynamic updates are "turned on" on the DNS server.
    3. Try re-registering the DCs' SRV records by either restarting the Netlogon service or by running the following command:
         nltest.exe /dsregdns
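The DNS and SRV-record checks suggested in the two "Some troubleshooting ideas" replies above (this one and the one in the SBS 2011 thread), as an added PowerShell example that is not code from either reply: it shows which DNS servers the client is configured to use, resolves the SRV records the DC locator relies on for global catalogs, domain controllers and KDCs, and confirms that each advertised host actually accepts a TCP connection on the matching port. Missing SRV records are what the nltest /dsregdns step repairs; hosts that are advertised but unreachable point at the firewall or the DC itself. It assumes Windows 8.1 / Server 2012 R2 or later for Resolve-DnsName and Test-NetConnection, and the domain name in the usage line is a placeholder.

```powershell
# Added example: check DNS client settings, locator SRV records and port reachability
# for the global catalog, DC and KDC roles. Assumes the DnsClient and NetTCPIP
# modules present on Windows 8.1 / Server 2012 R2 and later.
function Test-GlobalCatalogLocator {
    param(
        [Parameter(Mandatory)] [string] $ForestDnsName,   # forest root, e.g. corp.example
        [string] $DomainDnsName = $ForestDnsName,         # domain being checked
        [string] $DnsServer                               # optional explicit resolver
    )
    $resolveArgs = @{ Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }

    # Which DNS servers does this machine actually query? (step 1 in the replies)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            [pscustomobject]@{ Role = 'DnsClientConfig'; Record = $_.InterfaceAlias
                               Target = ($_.ServerAddresses -join ', '); Port = $null
                               Reachable = $null; Note = '' }
        }

    # The SRV records the locator uses for each role, and the port to verify.
    $records = @(
        @{ Name = "_gc._tcp.$ForestDnsName";                 Port = 3268; Role = 'GlobalCatalog' }
        @{ Name = "_ldap._tcp.dc._msdcs.$DomainDnsName";     Port = 389;  Role = 'DomainController' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$DomainDnsName"; Port = 88;   Role = 'KDC' }
    )

    foreach ($r in $records) {
        try {
            $srv = Resolve-DnsName -Name $r.Name @resolveArgs | Where-Object { $_.Type -eq 'SRV' }
        }
        catch {
            # No record at all: the locator cannot find this role until Netlogon re-registers it.
            [pscustomobject]@{ Role = $r.Role; Record = $r.Name; Target = $null; Port = $r.Port
                               Reachable = $false; Note = $_.Exception.Message }
            continue
        }
        foreach ($s in $srv) {
            $tcp = Test-NetConnection -ComputerName $s.NameTarget -Port $r.Port -WarningAction SilentlyContinue
            [pscustomobject]@{ Role = $r.Role; Record = $r.Name; Target = $s.NameTarget; Port = $r.Port
                               Reachable = $tcp.TcpTestSucceeded; Note = '' }
        }
    }
}

# Usage (placeholder forest name):
# Test-GlobalCatalogLocator -ForestDnsName 'corp.example' | Format-Table -AutoSize
# Run it on each DC and on a member; if the GlobalCatalog row is missing or
# unreachable, you get exactly the "All GC's are down" LocatorCheck warning shown above.
```

Run the function from each DC and from a domain member: a record that resolves on the DC but not on the member means the two are using different DNS servers, which is the condition step 1 of the replies asks you to rule out.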

  • Can't reach global catalog server.....that I am actively pinging....

    Hello.
    Background
    I have a Windows Server 2008 R2 installation that I fell in on. I removed all roles and features, renamed it, and gave it a new IP address.
    I ran DCPROMO and installed AD and DNS. This server was to be the first in a new domain.
    After successfully creating the domain, I added my workstation (laptop) to the domain successfully and logged on with a created domain administrator account.
    I installed the remote administrator pack for Windows 7 onto my workstation.
    Problem
    I ran AD Users and Computers (from my workstation) and proceeded to create a user... only to be told:
    "Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: The server is not operational."
    Troubleshooting steps taken so far:
    I have ensured that my workstation and server times match (to the second).
    I have ensured they are in the same time zone, date, etc.
    I am actively pinging the domain controller from my workstation WHILE I attempt to create the user, so network connectivity is ruled out. They are in the same subdomain; there is no router in between. It is workstation > switch > switch > switch > server.
    I checked Sites and Services, to find only 1 server listed for the sole domain, and it IS checked as the global catalog server.
    My workstation, when added to the domain, registered in DNS appropriately, as did the domain controller itself.
    DCDIAG /fix reports no errors; everything passes.
    Metadata cleanup cannot be used because there are no other domains, sites, or servers listed besides the one I created.
    Please help.... Thank you.

    Please use dcdiag /v and repadmin /showreps
    to check the DCs health status and AD replication.
    Please also refer to the recommendations mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Could not find any available Global Catalog in forest when running RemoteMailbox cmdlet

    My current Exchange environment is a hybrid configuration of Office 365, Exchange 2013 hybrid, and Exchange 2007 on-premise.
    I have a script responsible for enabling remote mailboxes and assigning O365 licenses to a list of users; essentially provisioning users an O365 mailbox. This script runs every hour through a defined scheduled task in the Task Scheduler.
    The script is proven to work but will intermittently throw an error on some days: "Could not find any available Global Catalog in forest root.xyz.com"
    Here are the nuances of the error when it does occur:
    It will only throw the error when the script is run via scheduled task - the script will work fine if executed from the command line.
    The error occurs when "Enable-RemoteMailbox" or "Get-RemoteMailbox" is called.
    The same error will occur with ANY script that calls "Enable-RemoteMailbox" or "Get-RemoteMailbox" and is run via scheduled task - even when the RemoteMailbox cmdlet was the only line in the script.
    Here is the output and error when Get-RemoteMailbox -verbose is run:
    VERBOSE: [15:49:52.474 GMT] Get-RemoteMailbox : Active Directory session
    settings for 'Get-RemoteMailbox' are: View Entire Forest: 'True',
    VERBOSE: [15:49:52.489 GMT] 
    Get-RemoteMailbox : Runspace context: Executing
    user: , 
    Executing user organization: , 
    Current organization: , 
    RBAC-enabled:Disabled.
    VERBOSE: [15:49:52.489 GMT] Get-RemoteMailbox : Beginning processing
    VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Current ScopeSet is: {
    Recipient Read Scope: {{, }}, 
    Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, 
    Configuration Write Scope(s): {{, }, }, 
    Exclusive Recipient Scope(s): {}, 
    Exclusive Configuration Scope(s): {} }
    VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Resolved current organization: .
    VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Searching objects "abose" of type "ADUser" under the root "$null".
    VERBOSE: [15:49:52.536 GMT] Get-RemoteMailbox : Previous operation run on global catalog server 'evw-xyzdc-p02.ad.xyz.com'.
    Get-RemoteMailbox : Could not find any available Global Catalog in forest root.xyz.com.
    At C:\IDM_In\Scripts\MinimalTest.ps1:42 char:14
    + $abose = Get-RemoteMailbox 'abose' -verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-RemoteMailbox], ADTransientException
    + FullyQualifiedErrorId : E421EF0B,Microsoft.Exchange.Management.RecipientTasks.GetRemoteMailbox
    VERBOSE: [15:49:52.567 GMT] Get-RemoteMailbox : Ending processing
    What could be the cause of this intermittent error?
    Thanks for any help

    Looks to me like a permission error: when you are running it via a scheduled task it is not able to call the Exchange shell/commands {confirm this}, whereas when you run this manually it looks to me like you open the Exchange shell, maybe as admin also, and then run the script.
    The scheduled task process is not able to get the permission..
    MARK AS USEFUL/ANSWER IF IT DID
    Thanks
    Happiness Always
    Jatin

  • Global Catalog and IFM files

    What is the difference between when you "Install Domain Controller as a Global Catalog or without a Global Catalog"?

    When the first domain controller is installed on the network, by default it becomes the global catalog server; when you install additional domain controllers, you have to manually specify the global catalog server if you want one.
    The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
    http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx
    http://www.arabitpro.com

  • Global Catalog Placement

    Hi,
    I have a question regarding Active Directory architecture.
    We have a parent domain/forest (top.com) with many child domains (child*.top.com). Some child domains have firewalls segregating their environment from everything else. Do all the child domains need to communicate with every other child domain using all the Active Directory ports listed here, or just the Global Catalog port if there is a Global Catalog server in that domain?
    We have an Exchange server in one of the child domains which I know needs a GC. In the other child domains we have a few SQL servers, but no other application server. Does every DC in every child domain need to be a GC? Or can having GCs at the parent domain and enabling universal group membership caching be sufficient? I gathered that from this.

    The recommendation is generally that all your DCs should be GCs. Exchange does need GCs.
    The replication topology you designed in the Sites and Services console will indicate what DCs to use for replication.
    If you don't want DCs from a child domain to replicate their global catalog partitions (as well as schema and configuration) with other child domains, you can just design your replication topology in such a way that it is not happening. If you want more recommendations about the replication topology you could use, feel free to tell us more about your environment (number of sites, connections, where your DCs are...) and we will assist.
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Exchange 2007 with Global catalog servers

    Exchange 2007 connects to 2 global catalog servers.
    When it connects to GC server A and A is down, there is a user connection error on the Outlook side.
    Is there any setting to allow Exchange 2007 to immediately switch to GC server B without waiting?
    Thanks a lot.

    Hi
    As per the information and details provided by you, please follow these steps: -
    If you are running a version of Exchange Server that is earlier than Exchange Server 2010, use the following steps to force Outlook to identify and use the closest global catalog server yourself.
    Click Start, and then click Run.
    In the Open box, type regedit.exe, and then click OK.
    Locate and then click the following key in the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
    On the Edit menu, click Add Value, and then add the following registry value:
    Value name: Closest GC
    Data Type: REG_DWORD
    Radix: Hexadecimal
    Value Data: 0x0000000
    Quit Registry Editor.
    I hope this information will be helpful for you.
    Thanks and regards
    Shweta@G

  • Lync Server 2013 dropping global catalog in forest

    I have an interesting issue. My Lync 2013 Server is connected to an AD network running at 2012. All my Lync 2013 clients can connect without issue, all the inherent Lync capabilities are functional (except desktop sharing, but that is another question for
    later), and I get no general errors from my server.
    However, when I go to administer to the system through PowerShell, or the Lync Command Console, I get the error:
    "Cannot find any global catalog in the forest "xxxxx.yyy""
    Therefore I cannot manage the server very well, if at all. Here is the real kicker. If I reboot the server, everything works great and I get no errors running admin powershell commands, or executing the Lync Command Console. This connectivity seems to work
    for random lengths of time from 1-6 hours or so before "losing" the global catalog again.
    Any thoughts on what is happening here?

    We are using Standard Edition, and the deployment wizard will not complete when I am getting this error message. However, it works fine when I reboot the Lync Server system and it "reconnects" with the global catalog.
    What I can't figure out is why it is "losing" the catalog, or really even where to start looking. Is that an Active Directory issue (Sites or other issue)? Is it a networking issue with DNS?
    When the server "loses" the global catalog, Lync clients still function normally, I can ping the server (by IP, FQDN, and machine name) from another system, and Lync continues to communicate with Exchange and archive conversations, etc. It just won't
    run Lync PowerShell commands for admin, and the Lync Management Control Panel won't recognize any login. It gives out an error stating "The application cannot verify your credentials".
    This makes me think there is an issue with AD, but not sure where to start since users are not affected at all. Could there be a replication issue or something?

  • Global catalog problem

    hello everyone
    In our company we are upgrading our DCs to Server 2012 R2. We have one 2008 R2 DC; we installed another 2012 R2 DC and made it a GC from Sites and Services. The problem appeared when I demoted the 2008 server: I noticed that nobody in the company is able to log on to the domain. I realized that even though the global catalog check mark is checked, the server is not a global catalog; when I connect through LDAP I see isGlobalCatalogReady : false. I tried many solutions to make it a global catalog, but with no success. My solution was to shut down this server and restore the 2008 server from a previous backup; now all the users can log on to the domain, but I only have one DC. I tried to add another 2012 R2 DC, but DCPromo fails on the prerequisite "check verification of outbound replication
    failed error reading the ntds settings on replication source controller". I installed another Server 2008 R2 server since there is no prerequisite check, but the same problem occurred: the new DC is marked as GC but it's not a GC. I checked port 3268 and I ran dcdiag,
    and this is the result:
    dcdiag /test:checksecurityerror
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = 2k8DC
    * Identified AD Forest.
    Done gathering initial info.
    Doing initial required tests
    Testing server: mysite\2K8DC
    Starting test: Connectivity
    ......................... 2K8DC passed test Connectivity
    Doing primary tests
    Testing server: mysite\2K8DC
    Starting test: CheckSecurityError
    The account 2K8DC is not a DC account. It cannot replicate.
    Unable to verify the machine account
    (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
    2K8DC.
    Source DC WIN-SM5GUTCII7H has possible security error (8453).
    Diagnosing...
    Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
    DC and continuing...
    * Missing SPN
    :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    * Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
    * Missing SPN :LDAP/WIN-SM5GUTCII7H
    * Missing SPN
    :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
    * Missing SPN
    :LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
    * Missing SPN
    :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    * Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
    * Missing SPN
    :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
    * Missing SPN
    :GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    Unable to verify the machine account
    (CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
    for WIN-SM5GUTCII7H on 2K8DC.
    Unable to connect to the NETLOGON share!
    (\\WIN-SM5GUTCII7H\netlogon)
    [WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
    error 67, The network name cannot be found..
    [WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
    shares. Please check the above output and take appropriate
    steps.
    Failed to read object metadata on WIN-SM5GUTCII7H, error
    Directory object not found.
    [WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
    See any errors reported in attempting tests.
    ......................... 2K8DC failed test CheckSecurityError
    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : mydomain
    Running enterprise tests on : mydomain.local
    C:\Users\Administrator>dcdiag /test:checksecurityerror
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = 2k8DC
    * Identified AD Forest.
    Done gathering initial info.
    Doing initial required tests
    Testing server: mysite\2K8DC
    Starting test: Connectivity
    ......................... 2K8DC passed test Connectivity
    Doing primary tests
    Testing server: mysite\2K8DC
    Starting test: CheckSecurityError
    The account 2K8DC is not a DC account. It cannot replicate.
    Unable to verify the machine account
    (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
    2K8DC.
    Source DC WIN-SM5GUTCII7H has possible security error (8453).
    Diagnosing...
    Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
    DC and continuing...
    * Missing SPN
    :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    * Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
    * Missing SPN :LDAP/WIN-SM5GUTCII7H
    * Missing SPN
    :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
    * Missing SPN
    :LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
    * Missing SPN
    :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    * Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
    * Missing SPN
    :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
    * Missing SPN
    :GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    Unable to verify the machine account
    (CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
    for WIN-SM5GUTCII7H on 2K8DC.
    Unable to connect to the NETLOGON share!
    (\\WIN-SM5GUTCII7H\netlogon)
    [WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
    error 67, The network name cannot be found..
    [WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
    shares. Please check the above output and take appropriate
    steps.
    Failed to read object metadata on WIN-SM5GUTCII7H, error
    Directory object not found.
    [WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
    See any errors reported in attempting tests.
    Authoritative attribute pwdLastSet on 2K8DC (writeable)
    usnLocalChange = 5866156
    LastOriginatingDsa = 2K8DC
    usnOriginatingChange = 5866156
    timeLastOriginatingChange = 2014-08-17 08:55:52
    VersionLastOriginatingChange = 42
    Out-of-date attribute pwdLastSet on WIN-SM5GUTCII7H (writeable)
    usnLocalChange = 12868
    LastOriginatingDsa = 22a5b57a-fac4-4cfe-9fcb-c545025d3716
    usnOriginatingChange = 5830453
    timeLastOriginatingChange = 2014-08-13 15:07:23
    VersionLastOriginatingChange = 41
    Unable to verify the convergence of this machine account
    (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) on these DC's
    (DC=mydomain,DC=local,2K8DC). Does the machine account password need
    resetting?
    ......................... 2K8DC failed test CheckSecurityError
    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : mydomain
    Running enterprise tests on : mydomain.local
    Note that WIN-SM5GUTCII7H is the new DC; I renamed it to server 2008R2, but it can't be a global catalog due to the error.
    I tried to google this error, but I didn't find any solution for how to make it replicate the GC.
    Best

    In addition, I just wanted to point out that the error you are receiving below, can be indicative of some sort of firewall block. Antivirus apps can do this, too, with their network protection features.
    "check verification of outbound replication failed error reading the ntds settings on replication source controller"
    Do you have an AV on the machine, or the Windows firewall, or a third party firewall enabled?
    Run PortQRY to see if there are any ports blocked.
    PortQry GUI -
    Run the "Domains & Trusts" option between DCs, or between DCs and any machine (other servers you want to promote, or even from a client machine) that you want to test for blocked AD ports. Post only errors with "NOTLISTENING," 0x00000001, and 0x00000002. You can ignore UDP 389 and UDP 88 messages. If you see TCP 42 errors, that just means WINS is not running on the target server.
    PortQryUI - GUI - Version 2.0 8/2/2004
    http://www.microsoft.com/download/en/details.aspx?id=24009
    Time issue?
    A time skew between DCs that is beyond 5 minutes can cause it, too. Are the clocks on the new server and the current DCs within 5 minutes? Is the PDC emulator configured to sync time to an outside or to a local, reliable source?
    Configuring the Windows Time Service - Complete step by step with contingency plan
    http://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/
    And of course we are all assuming that the new machine is definitely only using a current DC as the only DNS address in its NIC.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • OID and Active Directory(global catalog) synchronization issues

    We have a large network with 7 domains within the AD forest. The OID server profile points to a single domain controller/GC in 1 of these 7 domains. It is able to synchronize when a change occurred from this domain, but not the others in the forest, by querying port 3268/GC. We reloaded the bootstrap, which reduced the "highest committed usn" last read attribute value in OID, and the synch started working again with another domain, but not consistently (a change in AD gets pulled into OID).
    It seems as if OID cannot read the highest committed usn value for all domains within one forest by querying a single global catalog domain controller in one domain. Any ideas on best practice to have a consistent synch from OID to all domains in AD?
    Message was edited by: marcvip

    Each AD server in the Forest will maintain his own highestCommittedHSN. The AD GC should maintain a consistent HSN but knows and keeps all the AD servers in sync. So if the GC does not maintain a consistent HSN you should contact Microsoft as well (besides this forum :-)
    regards,
    --Olaf

  • Exchange Management Shell Cannot Find Global Catalog Servers

    Hello,
    I have a client with a single Exchange 2013 RU2 multi role server.  Exchange works fine with no issues.  However, when I open EMS and try to do anything (example get-mailbox) it returns the following error.  It was working up until about a
    week ago.
    "Could not find any available Global Catalog in forest domain.com"
    I haven't tried rebooting the server yet because Exchange is running fine, it's just PowerShell is jacked up.  I have even tried Remote PowerShell from another server and same results.  Has anyone ever seen this?
    Thanks,
    John

    Can you check what your nslookup returns; are you able to connect to your DNS without any error?
    The above error generally points to network connectivity issues.
    I guess you have two LAN cards on the Exchange server. What is the DNS on both LAN cards? I guess it should be the same.
    MARK AS USEFUL/ANSWER IF IT DID
    Thanks
    Happiness Always
    Jatin

  • Help, error connection Cisco Identity Services Engine with AD, global catalog port status error

    Dear all,
    I have Cisco Identity Services Engine, which is connected to Active Directory. When I test the connection in detail,
    the result is an error, which says:
    Test Connection Results
    This dialog shows the detailed logs for the operation for: idsv0018.
    Status: FAILED: Global Catalog port status error.
    Can anyone help?
    I believe,  because this error, I can't search group of AD, at Cisco ISE.
    FYI: the connection from Cisco ISE to AD, joined with successful result.
    Thanks,
    Jerri

    It's clear that when ISE tries to find the GC using the _gc._tcp DNS query, it doesn't find that information on the Domain controller. The GC information is missing on the DC.
    _gc._tcp.DnsForestName
    Allows a client to locate a Global Catalog (GC) server for this domain.
    Jatin Katyal
    - Do rate helpful posts -
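    Pulling together the checks the two threads above circle around (isGlobalCatalogReady on RootDSE, the _gc._tcp SRV record, the ports PortQry would probe, the GC/ and LDAP/ SPNs dcdiag listed as missing, and time skew) into one script. This is an added example, not code from any poster; the DC and forest names default to the placeholder names that appear in the dcdiag output above.

```powershell
# Added example: GC readiness checks for one domain controller.
# $DcName and $ForestDns default to the placeholder names from the thread; substitute your own.
param(
    [string]$DcName    = 'WIN-SM5GUTCII7H.mydomain.local',
    [string]$ForestDns = 'mydomain.local'
)

$report = [ordered]@{}

# 1. RootDSE attribute the poster saw as FALSE even though the GC box was ticked.
#    A DC only advertises itself as a GC (and registers _gc SRV records) once this is TRUE.
try {
    $rootDse = [ADSI]"LDAP://$DcName/RootDSE"
    $report.IsGlobalCatalogReady = [string]$rootDse.isGlobalCatalogReady
} catch {
    $report.IsGlobalCatalogReady = "LDAP bind failed: $($_.Exception.Message)"
}

# 2. The SRV record the ISE thread says must resolve: _gc._tcp.<forest DNS name>
$srv = Resolve-DnsName -Name "_gc._tcp.$ForestDns" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
$report.GcSrvTargets     = if ($srv) { $srv.NameTarget -join ', ' } else { 'none registered' }
$report.ThisDcAdvertised = [bool]($srv | Where-Object { $_.NameTarget -ieq $DcName })

# 3. Port reachability (the PortQry step): 88 = Kerberos, 389 = LDAP, 3268 = GC
foreach ($port in 88, 389, 3268) {
    $tcp = Test-NetConnection -ComputerName $DcName -Port $port -WarningAction SilentlyContinue
    $report["Tcp$port"] = $tcp.TcpTestSucceeded
}

# 4. SPNs that dcdiag reported missing on the computer account (GC/ and LDAP/)
$spns = setspn -L ($DcName.Split('.')[0]) 2>&1
$report.HasGcSpn   = [bool]($spns | Select-String -Pattern '^\s*GC/'   -Quiet)
$report.HasLdapSpn = [bool]($spns | Select-String -Pattern '^\s*LDAP/' -Quiet)

# 5. Time skew against the DC; Kerberos tolerates at most 5 minutes by default
$chart = w32tm /stripchart /computer:$DcName /samples:1 /dataonly 2>&1
$m = [regex]::Match(($chart -join "`n"), '([+-]\d+(\.\d+)?)s')
if ($m.Success) {
    $skew = [math]::Abs([double]$m.Groups[1].Value)
    $report.SkewSeconds    = $skew
    $report.SkewWithin5Min = $skew -le 300
} else {
    $report.SkewSeconds = 'w32tm query failed'
}

[pscustomobject]$report | Format-List
```

    Run it from a domain-joined machine with RSAT; any FALSE in the first four sections matches one of the symptoms the posters describe (isGlobalCatalogReady false, no _gc record, 3268 blocked, missing GC SPN).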

  • AD 2008 R2 - Bringing old Global Catalog DC Back Online

    Hi all, looking for some direction to take on a Win 2008R2 domain controller server that's been off the network for a while. Here's the situation:  There's an office that we have that was closed. There was a global catalog domain controller server running
    there that was also functioning as a file server. That server was powered off and put in storage until a new office location was found. It took longer than expected to find a new office location and now we are ready to bring that server online and
    back into service. It's been 150 days since it was powered off.  Our Active Directory tombstoneLifetime is set for the default value of 60 days.
    I'm hesitant to turn this server back on as I don't know what impact on our Active Directory this will have. Can anyone offer some suggestions on how I should handle this situation? I would definitely appreciate any feedback. Thanks.

    Just to re-iterate. One of our GC Domain Controllers has been turned off for 150 days. It's completely operational.  Can it just be connected back to the network and powered on? I'm looking to find out if it will cause any negative impact
    to our Active Directory.  
    I apologize, maybe I wasn't crystal clear. No, you do not want to connect it back to the network.
    It doesn't matter if it's a GC or not. That's not the mitigating factor here. The point is it's a DC that hasn't talked to the other DCs in the time frame allowed that's dictated by the tombstone value.
    When a DC is introduced that hasn't replicated beyond the AD Tombstone period, the DC's replication attempts will effectively be ignored by the other DCs. The out of date DC doesn't really know this. The reason that replication is not allowed to continue is
    that the two machine’s views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects
    which have already been deleted.
    And worse, if it held a FSMO role, it complicates things, GC or not, because there are some roles that just simply can't be re-introduced, such as the RID pool manager.
    There are ways you can possibly try to introduce it and get it replicating again; however, the consensus, even among Microsoft engineers, is to simply force demote it (using the /forceremoval switch), or just turn it off, rebuild it, run a metadata cleanup
    and re-promote it as a fresh replica.
    More info:
    Active Directory Lingering Objects, Journal Wraps, USN Rollbacks, Tombstone Lifetime, and Event IDs 13568, 13508, 1388, 1988, 2042, 2023, 2095, 1113, 1115, 2103, and more …
    http://blogs.msmvps.com/acefekay/2011/12/27/active-directory-lingering-objects-journal-wraps-tombstone-lifetime-and-event-ids-13568-13508-1388-1988-2042-2023/
    Or you could try to fix it:
    Event ID 2042: It has been too long since this machine replicated
    http://technet.microsoft.com/en-us/library/cc757610(v=ws.10).aspx
    In summary, as I've suggested, it's much easier to trash it, cleanup AD, rebuild and re-promote.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
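    The tombstone comparison Ace describes, as an added example rather than his code: run from a healthy online DC, it reads tombstoneLifetime from the configuration partition and asks every online DC how long ago it last replicated successfully from the offline one, so the decision is made from the forest's metadata before the old box is plugged in. $OfflineDc is a placeholder name.

```powershell
# Added example: decide whether a long-offline DC may rejoin, using the forest's own
# replication metadata. Run on a healthy DC with the ActiveDirectory module.
param(
    [string]$OfflineDc = 'OLDOFFICE-DC'   # placeholder; the DC that sat in storage
)
Import-Module ActiveDirectory

# tombstoneLifetime lives on the Directory Service object in the configuration NC.
# If the attribute is unset the forest default applies: 60 days for forests created
# before Windows Server 2003 SP1, 180 for forests created on SP1 or later.
$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
$tsl    = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

# Ask every online DC when it last replicated successfully FROM the offline DC.
# Partner is the partner's NTDS Settings DN, so a wildcard match on the name is enough.
$online = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $OfflineDc }
$rows = foreach ($dc in $online) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue |
        Where-Object { $_.Partner -like "*$OfflineDc*" } |
        ForEach-Object {
            [pscustomobject]@{
                Server      = $dc.Name
                Partition   = $_.Partition
                LastSuccess = $_.LastReplicationSuccess
                DaysSilent  = [int]((Get-Date) - $_.LastReplicationSuccess).TotalDays
            }
        }
}

if (-not $rows) {
    "No replication metadata for $OfflineDc found; its NTDS Settings may already have been cleaned up."
    return
}

$rows | Format-Table -AutoSize
$maxSilent = ($rows | Measure-Object DaysSilent -Maximum).Maximum

if ($maxSilent -gt $tsl) {
    "$OfflineDc has been silent for $maxSilent days, beyond tombstoneLifetime ($tsl days). " +
    "Do not reconnect it: force-demote or rebuild, run metadata cleanup, then re-promote."
} else {
    "$OfflineDc is within tombstoneLifetime ($tsl days); normal replication can resume."
}
```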
