Rebooting a domain controller!

Hello,
 If I reboot a domain controller (given the fact I have multiple DCs in my domain), will that cause an issue for users when they are logging in?
Does this depend on what operations master role the DC has?
Thanks

As long as you have multiple DCs and they are added to the client's 'DNS list', normally there won't be any major issues. It's all about SRV records. If they are set up properly, the client will locate and use any available server hosting a required service (like a DC).
best regards
jesper vindum, denmark
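
The SRV lookup the answer above relies on can be checked before the reboot. This PowerShell is an added example, not part of the original thread; `corp.example` and `dc1.corp.example` are placeholders, and it assumes a domain-joined Windows 8 / Server 2012 or later host where `Resolve-DnsName`, `Test-NetConnection` and `Get-DnsClientServerAddress` are available.

```powershell
# Added example (not from the thread). Placeholders: corp.example, dc1.corp.example.

function Get-DcLocatorRecord {
    # Returns the SRV records that clients query to locate a domain controller.
    param([Parameter(Mandatory)][string]$Domain)

    # Each DC's Netlogon service registers itself under this name.
    $query = "_ldap._tcp.dc._msdcs.$Domain"
    Resolve-DnsName -Name $query -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |   # drop the additional A/AAAA records
        ForEach-Object {
            [pscustomobject]@{
                Target   = $_.NameTarget.TrimEnd('.')
                Port     = $_.Port
                Priority = $_.Priority
                Weight   = $_.Weight
            }
        }
}

function Test-DcRebootReadiness {
    # Reports whether another DC is registered and answering, and whether this
    # client has more than one DNS server to ask for the SRV records.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$DcToReboot
    )

    $records = @(Get-DcLocatorRecord -Domain $Domain)
    # -ne on strings is case-insensitive, which matches DNS name comparison.
    $others  = @($records | Where-Object { $_.Target -ne $DcToReboot })

    $checked = @(foreach ($r in $others) {
        $up = Test-NetConnection -ComputerName $r.Target -Port $r.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $r.Target; Port = $r.Port; Reachable = [bool]$up }
    })
    $reachable = @($checked | Where-Object { $_.Reachable })

    # The client's 'DNS list': if its only entry is the DC being rebooted,
    # SRV lookups fail even though the other DCs are healthy.
    $dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
        Select-Object -ExpandProperty ServerAddresses |
        Sort-Object -Unique)

    [pscustomobject]@{
        Domain               = $Domain
        DcToReboot           = $DcToReboot
        RegisteredDcCount    = $records.Count
        OtherDcsChecked      = $checked
        OtherDcAvailable     = ($reachable.Count -ge 1)
        ClientDnsServers     = $dnsServers
        ClientHasMultipleDns = ($dnsServers.Count -ge 2)
    }
}

# Usage (placeholder names; substitute your own domain and DC):
# Test-DcRebootReadiness -Domain 'corp.example' -DcToReboot 'dc1.corp.example'
```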

Similar Messages

  • Server 2008 Hyper-V Failover Cluster Error on Domain Controller Reboot

    I am pretty new to Hyper-V virtual but I have 2 Hyper-V Clusters, each with 2 Nodes and a SAN, 1 Physical Domain Controller for failover cluster management and 1 virtual domain controller as backup. All is running well, no issues. I installed Windows updates on the physical DC and upon reboot, got an error 5120 on cluster 2 that says "Cluster Shared Volume 'Volume1' ('Cluster Disk 1') is no longer available on this node because of 'STATUS_CONNECTION_DISCONNECTED(c000020c)'. All I/O will temporarily be queued until a path to the volume is reestablished." It pointed to the 2nd node in that cluster as being the issue but when I look at it, it is online and all healthy so I don't understand why the error was triggered and if the DC would go down for a failure, would that node not be able to access the CSV permanently?
    Appreciate any help anyone can provide.

    Hi mtnbikediver,
    In theory, if you have the correct cluster configuration, the DC restart will not bring the CSV down. Is your shared storage installed on your DC? Did you run the cluster validation before you installed the cluster? We strongly recommend you run the cluster validation before you build the cluster, and at the same time please install the recommended updates for 2008 clusters first.
    Recommended hotfixes for Windows Server 2008-based server clusters
    http://support.microsoft.com/kb/957311
    I found a similar issue where a DC restart takes the cluster network name resource offline, but it is for 2008 R2.
    Cluster network name resource cannot be brought online when one of the domain controllers is partly down in Windows Server 2008 R2
    http://support2.microsoft.com/?id=2860142
    I’m glad to be of help to you!
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Domain Controller resets time ahead one hour on reboot

    I have a Windows 2003 R2 domain controller that is running on a Windows 2012 Hyper-V cluster. Time sync between the host and guest is disabled. The last two times the Domain Controller has been rebooted, time has jumped ahead one hour on the Domain Controller, which is also our NTP server for the company. Our DCs have been virtualized for 5-6 years, first on VMware, then on Hyper-V 2008 R2, now on 2012.
    I have verified that hosts and guests are configured for the correct time zone and that DST is enabled. The first incident occurred the weekend after the time change, so I thought maybe there was some DST issue.
    Any thoughts on why it would jump ahead exactly one hour after reboot?

    Might need the latest cumulative time zone updates.
    http://support.microsoft.com/kb/2863058
    http://blogs.technet.com/b/dst2007/archive/2013/08/13/august-2013-dst-cumulative-update-for-windows-operating-systems.aspx
    http://support.microsoft.com/kb/2890882
    You can also compare the setting here.
    http://support.microsoft.com/kb/914387
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

  • DFSR failed to contact domain controller

    I'm having an odd problem with a DFSR group we created to replicate web content between two of our web servers.
    In event viewer we have this event 1202 for DFSR.
    "The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can
    be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
    Additional Information:
    Error: 160 (One or more arguments are not correct.)"
    In the DFSR logs I see this.
    20140303 12:18:27.874 1404 CFAD 8300 Config::AdConfig::GetLocalComputerNameWithDns Computer's fully-qualified DNS name: DFSRSERVER.domain.tld
    20140303 12:18:27.920 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
    20140303 12:18:27.936 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
    20140303 12:18:28.467 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
    20140303 12:18:28.467 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
    20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
    20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
    20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
    20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
    20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
    20140303 12:18:28.514 1404 SCFS 150 [WARN] ServiceConfig::DsPollIsDue Failed to enable lightweight polling. Error:
    + [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
    + [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
    + [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
    + [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
    20140303 12:18:28.514 1404 CREG 1419 Config::RegReader::IsSysVolCommitFlagSet key: System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Demoting SysVols valueName:'SysVol Information is Committed' result:0
    20140303 12:18:28.514 1404 W2CH 266 ConfigurationHelper::PollAdConfigNow Trying to connect to AD
    20140303 12:18:28.514 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
    20140303 12:18:28.514 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
    20140303 12:18:28.514 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
    20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
    20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
    20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
    20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
    20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
    20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
    20140303 12:18:28.514 1404 EVNT 1194 EventLog::Report Logging eventId:1202 parameterCount:4
    20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter1:
    20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter2:60
    20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter3:160
    20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter4:One or more arguments are not correct.
    20140303 12:18:28.530 1404 W2CH 318 [ERROR] ConfigurationHelper::PollAdConfigNow (Ignored) Failed to connect to AD. Error:
    + [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
    + [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
    + [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
    + [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
    When I run "dfsrdiag pollad":
    [ERROR] PollDsNow method executed unsuccessfully. ReturnValue: 12 (0xc)
    [ERROR] Failed to execute PollAD command Err: -2147217407 (0x80041001)
    However I can run "dfsrdiag dumpadcfg" and it outputs everything fine.
    We don't have any other problems with AD.  It seems like this started after we installed KB2467173 & KB2538242.  We are going to uninstall those and see if it works.

    I can successfully run "dfsrdiag.exe dumpadcfg" and it outputs the entire config.  Why does "dfsrdiag pollad" fail then if the config can be read?
    Why did it work before I rebooted the server?  In both cases it broke after rebooting.
    PS C:\Windows\system32> dfsrdiag dumpadcfg
    LDAP Bind : mydc.domain.tld
    SitesDn : cn=sites,cn=configuration,dc=domain,dc=tld
    ServicesDn : cn=services,cn=configuration,dc=domain,dc=tld
    SystemDn : cn=system,dc=domain,dc=tld
    DefaultNcDn : dc=domain,dc=tld
    ComputersDn : cn=computers,dc=domain,dc=tld
    DomainCtlDn : ou=domain controllers,dc=domain,dc=tld
    SchemaDn : CN=Schema,CN=Configuration,dc=domain,dc=tld
    COMPUTER: web1
    DN : cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
    GUID : 152E849C-4D7B-4AE8-B034-83747DBC1E89
    DNS : web1.domain.tld
    Server Ref : (null)
    USN Changed : 10862129
    When Created : Friday, January 31, 2014 8:41:06 PM
    When Changed : Tuesday, March 4, 2014 2:54:36 PM
    LOCAL SETTINGS: DFSR-LOCALSETTINGS
    DN : cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
    GUID : 3FD696E7-6598-4CDB-B2AB-98F148C0D2F7
    Version : 1.0.0.0
    USN Changed : 10932017
    When Created : Thursday, March 6, 2014 2:11:12 PM
    When Changed : Thursday, March 6, 2014 2:15:25 PM
    SUBSCRIBER: FF88A312-A0EB-44CC-A614-7A3D06DCC0AB
    DN : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
    GUID : 1119B663-F02A-4F1F-A904-23A87CFC93C3
    Member Ref : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    USN Changed : 10931931
    When Created : Thursday, March 6, 2014 2:11:12 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    SUBSCRIPTION: 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
    DN : cn=6783dde1-c795-4e8b-b07d-4ea8d7d0317f,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
    GUID : 3737B1F2-7E38-47E2-90E7-E57D82B145F1
    ContentSetGuid: 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
    Root Path : c:\inetpub\internetsites
    Root Size : 10240 (MB)
    Staging Path : c:\inetpub\internetsites\dfsrprivate\staging
    Staging Size : 4096 (MB)
    Conflict Path : c:\inetpub\internetsites\dfsrprivate\conflictanddeleted
    Conflict Size : 4096 (MB)
    USN Changed : 10931919
    When Created : Thursday, March 6, 2014 2:11:13 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    SUBSCRIPTION: F2F1F3A2-B36F-4170-B371-8E8043DF73F4
    DN : cn=f2f1f3a2-b36f-4170-b371-8e8043df73f4,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
    GUID : 57E7F8D7-1121-4334-BC81-74226ADF8969
    ContentSetGuid: F2F1F3A2-B36F-4170-B371-8E8043DF73F4
    Root Path : c:\internet_data
    Root Size : 10240 (MB)
    Staging Path : c:\internet_data\dfsrprivate\staging
    Staging Size : 4096 (MB)
    Conflict Path : c:\internet_data\dfsrprivate\conflictanddeleted
    Conflict Size : 4096 (MB)
    USN Changed : 10931921
    When Created : Thursday, March 6, 2014 2:11:13 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    SUBSCRIPTION: D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
    DN : cn=d0438b52-b706-4e40-b4c3-fe7a1aca5fcf,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
    GUID : F8217091-F71A-4D4A-A676-097583171A63
    ContentSetGuid: D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
    Root Path : c:\php\phpsites
    Root Size : 10240 (MB)
    Staging Path : c:\php\phpsites\dfsrprivate\staging
    Staging Size : 4096 (MB)
    Conflict Path : c:\php\phpsites\dfsrprivate\conflictanddeleted
    Conflict Size : 4096 (MB)
    USN Changed : 10931923
    When Created : Thursday, March 6, 2014 2:11:13 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    GLOBAL SETTINGS: DFSR-GLOBALSETTINGS
    DN : cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : 2E98CE5E-5CC7-4322-B5EA-2B6B340C689F
    USN Changed : 12525
    When Created : Saturday, October 22, 2011 1:56:38 AM
    When Changed : Saturday, October 22, 2011 1:56:38 AM
    REPLICATION GROUP: WEB CONTENT
    DN : cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : 9C94A417-6F6C-4F6C-BBFA-B8F52854C4DF
    Type : 0 (UNKNOWN REPLICATION GROUP TYPE)
    Options : 0x1 [Local Time Schedule]
    USN Changed : 10931906
    When Created : Thursday, March 6, 2014 2:11:12 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    CONTENT: CONTENT
    DN : cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : 6714C533-E631-4E71-930D-E4934FB7BD7E
    USN Changed : 10931908
    When Created : Thursday, March 6, 2014 2:11:12 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    CONTENT SET: INTERNET_DATA
    DN : cn=internet_data,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : F2F1F3A2-B36F-4170-B371-8E8043DF73F4
    File Filter : ~*, *.bak, *.tmp
    Compression Excl : (null)
    Dir Filter : (null)
    USN Changed : 10931916
    When Created : Thursday, March 6, 2014 2:11:13 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    CONTENT SET: INTERNETSITES
    DN : cn=internetsites,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
    File Filter : ~*, *.bak, *.tmp
    Compression Excl : (null)
    Dir Filter : (null)
    USN Changed : 10931915
    When Created : Thursday, March 6, 2014 2:11:13 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    CONTENT SET: PHPSITES
    DN : cn=phpsites,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
    File Filter : ~*, *.bak, *.tmp
    Compression Excl : (null)
    Dir Filter : (null)
    USN Changed : 10931917
    When Created : Thursday, March 6, 2014 2:11:13 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    TOPOLOGY: TOPOLOGY
    DN : cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : 16053002-7B99-4DA7-BFE5-2A6418040640
    USN Changed : 10931907
    When Created : Thursday, March 6, 2014 2:11:12 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    MEMBER: FF88A312-A0EB-44CC-A614-7A3D06DCC0AB
    DN : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : 75A99277-C401-409F-A32D-6D8EE18E5D0C
    Server Ref : (null)
    Computer Ref : cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
    Keywords : (null)
    Computer DNS : web1.domain.tld
    USN Changed : 10931933
    When Created : Thursday, March 6, 2014 2:11:12 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    CXTION: 9ECE3EB7-FE97-4A1B-8DE3-47A77B2C625B
    DN : cn=9ece3eb7-fe97-4a1b-8de3-47a77b2c625b,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : 1D26B348-3875-4BD1-9473-E72506AFA222
    Inbound : true
    Partner DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    Enabled : TRUE
    Options : 0x1 [Local Time Schedule]
    USN Changed : 10931924
    When Created : Thursday, March 6, 2014 2:11:13 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    CXTION: 2BFA8BE2-0444-4AAF-8293-A5486CF8D7A3
    DN : cn=2bfa8be2-0444-4aaf-8293-a5486cf8d7a3,cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : A7203451-D95F-44D5-AC04-13056DCE5A89
    Inbound : false
    Partner DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    Enabled : TRUE
    Options : 0x1 [Local Time Schedule]
    USN Changed : 10931925
    When Created : Thursday, March 6, 2014 2:11:13 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    MEMBER: 46F913DB-8509-4581-A66D-D37E4EA3EF29
    DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
    GUID : 1BA26D07-45F5-44A0-8450-9274AFD99B1C
    Server Ref : (null)
    Computer Ref : cn=fccu01web,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
    Keywords : (null)
    Computer DNS : fccu01web.domain.tld
    USN Changed : 10931927
    When Created : Thursday, March 6, 2014 2:11:12 PM
    When Changed : Thursday, March 6, 2014 2:11:27 PM
    Operation Succeeded

  • Strange issues with domain controller/DNS server

    Our domain controller/DNS server was working fine this morning. Then suddenly we stopped being able to access certain things on it. I could ping it, RDP into it, and access some files on it, but I couldn't run any applications hosted on it, accessing shared
    network files was slow, and different people around the office were getting access denied errors to files and folders they had full control of in NTFS (and in shared permissions).
    At first I noticed an NTP error so I registered w32tm and started the service and that got rid of the error but didn't fix anything.
    Oddly, machines still had internet access.
    We tried rebooting everything, restarting services, nothing has helped.
    When I accessed the server directly through the console I could access everything, could connect to any machine in the office, nothing seemed to be wrong with it.
    Any ideas?

    Are there any recent changes in your network, firewall or antivirus? Were any changes/updates performed on the AD side? I would suggest finding out what changes were made at the AD or network/firewall level. You can run various diagnostic tests within your AD environment to check the overall health of the AD infrastructure.
    What does DCDIAG actually… do?
    Active Directory Replication Status Tool Released 
    http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Windows domain controller in a virtual machine: how dangerous is saving its state for a short period of time?

    I have a Windows Server 2012 R2 virtualization cluster. All the hosts are connected to an external storage system, and virtual machines' files are stored on external volumes (CSVs). All the hosts and virtual machines are a part of the same AD domain
    (mixed Windows Server 2012 RTM / 2008 R2 domain controllers). All the domain controllers are running in the virtual machines on the hosts of this cluster.
    To prevent problems when all the hosts are turned off and then on simultaneously (for example, because of a power failure) all the domain controller VM files have been placed on local disks of the virtualization hosts (not on the Cluster Shared
    Volumes). As Hyper-V services don't depend on other Windows Server services (except its networking components), it means that my domain controllers can always start, providing the virtualization host can start at all. However, it also means
    that those DCs cannot be (quickly) migrated to other hosts while their current hosts are being rebooted. So if I need to reboot a virtualization host to install new updates, for example, I have to shut down the corresponding DC, reboot the host
    and wait for the DC to finish cold boot and come back online. It means some interruption of service for our users, which, in turn, requires me to perform the reboots late at night.
    The downtime can be significantly decreased by saving the state of the VM in which the DC is running. However, all the articles I've found on the Internet strongly recommend against it. I'm trying to understand why this recommendation was issued in the first
    place. However, I'm unable to find a clear explanation. I've found some statements that saving state of a DC can cause serious AD replication problems because of tombstoning, and that the password of a DC computer account may be changed
    while the DC itself stays in the saved state, which could prevent the DC from connecting to the domain after its state has been restored. However, those considerations are non-significant when we discuss a short-time
    (5 to 10 minutes) saved state.
    I have worked with AD and virtualization for a long time, and I fail to see any danger in saving the state of a DC for several minutes. In my opinion, after its state has been restored it would simply replicate all the AD changes from other DCs, and that's all.
    What's your opinion?
    Evgeniy Lotosh
    MCSE: Server Infrastructure, MCSE: Messaging

    Hello,
    as stated in "http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx"
    Operational Considerations for Virtualized Domain Controllers
    Domain controllers that are running on virtual machines have operational restrictions that do not apply to domain controllers that are running on physical machines. When you use a virtualized domain controller, there are some virtualization software features
    and practices that you should not use:
    Do not pause, stop, or store the saved state of a domain controller in a virtual machine for time periods longer than the tombstone lifetime of the forest and then resume from the paused or saved state.
    This may sound as if it is supported to store it for shorter times and use it.
    BUT the Hyper-V Program Manager, in
    http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx, also recommends against using them.
    Also best practices
    http://blogs.technet.com/b/vikasma/archive/2008/07/24/hyper-v-best-practices-quick-tips-2.aspx
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Windows 2008 R2 Domain Controller (PDC) - NTP server - time showing local CMOS clock

    I'm having issues setting an external source on a Windows 2008 R2 domain controller (PDC emulator role for the domain)
    Here is the output showing its source is the Local CMOS clock.
    C:\Windows\System32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 06/11/2014 15:44:15
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)
    1) I have performed the following on the DC with the PDC role:
    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
    w32tm /config /reliable:yes
    net start w32time
    w32tm /query /configuration 
    [Configuration]
    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 172800 (Local)
    MaxPosPhaseCorrection: 172800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)
    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)
    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\System32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Local)
    ResolvePeerBackoffMaxTimes: 7 (Local)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 1 (Local)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Local)
    Type: NTP (Local)
    NtpServer: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org (Local)
    NtpServer (Local)
    DllName: C:\Windows\System32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    But still showing the output:
    C:\Windows\System32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 06/11/2014 15:58:45
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)
    2. If I resync and rediscover the following error appears: 
    w32tm /resync /rediscover 
    Sending resync command to local computer
    The computer did not resync because no time data was available.
    3. I've also tried clearing the current time config, by
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    But no change, it still shows the Local CMOS clock. 
    4. This event is showing 
    Log Name:      System
    Source:        Microsoft-Windows-Time-Service
    Date:          06/11/2014 15:43:30
    Event ID:      12
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          LOCAL SERVICE
    Computer:      domaincontroller1
    Description:
    Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
    It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy.
    If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
        <EventID>12</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2014-11-06T15:43:30.465619200Z" />
        <EventRecordID>77295</EventRecordID>
        <Correlation />
        <Execution ProcessID="256" ThreadID="2056" />
        <Channel>System</Channel>
        <Computer>domaincontroller1</Computer>
        <Security UserID="SID" />
      </System>
      <EventData Name="TMP_EVENT_DOMAIN_HIERARCHY_ROOT">
      </EventData>
    </Event>
    5. If I perform the below it appears DC2 is having problems but I'm not sure if related. 
    C:\w32tm /monitor
    DC1.domain.local *** PDC ***[192.168.1.1:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from DC1.domain.local
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    DC2.domain.local[192.168.1.2:123]:
        ICMP: 0ms delay
        NTP: -110.4925481s offset from DC1.domain.local
            RefID: (unspecified / unsynchronized) [0x00000000]
            Stratum: 0
    DC3.domain.local[192.168.2.1:123]:
        ICMP: 0ms delay
        NTP: -0.0256084s offset from DC1.domain.local
            RefID: DC1.domain.local [192.168.1.1]
            Stratum: 2
    DC4.domain.local[192.168.2.4:123]:
        ICMP: 0ms delay
        NTP: -0.0011524s offset from DC1.domain.local
            RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
            Stratum: 2
    Warning:
    Reverse name resolution is best effort. It may not be
    correct since RefID field in time packets differs across
    NTP implementations and may not be using IP addresses.
    Any help would be much appreciated. Thanks. 
    Craig Brand

    I suspected some issue with AV so uninstalled. 
    To resolve the Access Denied I followed these steps: 
    stop w32time
    w32tm /unregister
    reboot
    regsvr32 /u w32time.dll
    w32tm /register
    sc query w32time -- you should see that the service is set to
    shared mode -- this is presumably how it should be -- if you try to start right now, you'll get the expected 1290 SID-related error
    reboot
    w32time should now automatically start at boot up and be running -- that was my result -- it's running as shared, started on its own, and I can do the w32tm /query commands successfully
    After rebooting the time service started. 
    I then repeated the steps: 
    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
    w32tm /config /reliable:yes
    net start w32time
    w32tm /query /configuration 
    And all worked. I'll wait a short while to see if this fixes the issue. I also have an SA case with MS so will confirm the fix when resolved. 
    Craig Brand
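
The `w32tm /monitor` output in the post above already shows the two conditions worth alerting on: a PDC emulator whose reference is its local clock, and a DC reporting stratum 0. This PowerShell parser is an added example, not code from the thread; the sample text is constructed from the output quoted above, and the 300-second default threshold is an assumption based on the default Kerberos clock-skew tolerance of five minutes.

```powershell
# Added example (not from the thread). Sample constructed from the
# `w32tm /monitor` output quoted in the post above.
$sample = @'
DC1.domain.local *** PDC ***[192.168.1.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from DC1.domain.local
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
DC2.domain.local[192.168.1.2:123]:
    ICMP: 0ms delay
    NTP: -110.4925481s offset from DC1.domain.local
        RefID: (unspecified / unsynchronized) [0x00000000]
        Stratum: 0
DC3.domain.local[192.168.2.1:123]:
    ICMP: 0ms delay
    NTP: -0.0256084s offset from DC1.domain.local
        RefID: DC1.domain.local [192.168.1.1]
        Stratum: 2
'@ -split "`r?`n"

function ConvertFrom-W32tmMonitor {
    # Turns `w32tm /monitor` text into one object per domain controller.
    # Handles IPv4 endpoints only, as in the sample.
    param([string[]]$Line)

    $entries = New-Object System.Collections.Generic.List[object]
    $cur = $null
    foreach ($l in $Line) {
        if ($l -match '^\s*(?<name>[^\s\[]+)\s*(?<pdc>\*\*\* PDC \*\*\*)?\s*\[(?<ip>[\d.]+):\d+\]:\s*$') {
            # Header line: start a new entry.
            $cur = [pscustomobject]@{
                Server        = $Matches['name']
                IsPdc         = [bool]$Matches['pdc']
                Address       = $Matches['ip']
                OffsetSeconds = $null   # stays null if the NTP line reports no offset
                RefId         = $null
                Stratum       = $null
            }
            $entries.Add($cur)
        }
        elseif ($null -eq $cur) { continue }
        elseif ($l -match '^\s*NTP:\s*(?<off>[+-]?\d+(?:\.\d+)?)s offset') {
            $cur.OffsetSeconds = [double]::Parse($Matches['off'], [cultureinfo]::InvariantCulture)
        }
        elseif ($l -match '^\s*RefID:\s*(?<ref>.+?)\s*\[') { $cur.RefId = $Matches['ref'] }
        elseif ($l -match '^\s*Stratum:\s*(?<s>\d+)')      { $cur.Stratum = [int]$Matches['s'] }
    }
    $entries
}

function Get-TimeSyncFinding {
    # Emits one finding per DC that has at least one time-sync problem.
    param(
        [object[]]$Entry,
        [double]$MaxSkewSeconds = 300   # assumption: default Kerberos tolerance
    )
    foreach ($e in $Entry) {
        $issues = @()
        if ($e.Stratum -eq 0) {
            $issues += 'unsynchronized (stratum 0)'
        }
        if ($e.IsPdc -and $e.RefId -match 'LOCL') {
            $issues += 'PDC emulator is using its local clock, not an external source'
        }
        if ($null -eq $e.OffsetSeconds) {
            $issues += 'no NTP offset reported'
        }
        elseif ([math]::Abs($e.OffsetSeconds) -gt $MaxSkewSeconds) {
            $issues += "offset exceeds $MaxSkewSeconds s"
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Server        = $e.Server
                OffsetSeconds = $e.OffsetSeconds
                Issues        = $issues -join '; '
            }
        }
    }
}

$parsed = ConvertFrom-W32tmMonitor -Line $sample
Get-TimeSyncFinding -Entry $parsed | Format-Table -AutoSize -Wrap
```

On a live system, replace `$sample` with the captured output of `w32tm /monitor` and schedule the check so drift is caught before it reaches the authentication tolerance.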

  • Error determining whether the target server is already a domain controller: Failed to open the runspace pool

    Hi there, I already have some other DCs running W2K12 R2 in the environment, but when I was promoting another new DC running W2K12 R2, in the middle of the AD sync the server encountered an error and rebooted itself; after the server came back online, it keeps saying that a configuration is required for AD Domain Services, like the step when you are about to promote the server, but when you try to promote it, you get the error "Error determining whether the target server is already a domain controller: Failed to open the runspace pool. The server manager winrm plug-in might be corrupted or missing."

    Hi,
    Thanks for your post.
    Please wait until the replication is finished and rerun the domain prep command to check the result.
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • How to start / stop nodes without domain-controller / automatically on Win?

    Hi,
    we have a distributed installation of CMSDK 9.0.4.
    We have installed a 9.2.0.4 Database on Solaris and we are using the 10g(9.0.4) Infrastructure on Solaris with it.
    The first installation of CMSDK uses a J2EE-MidTier installation on the Solaris server and contains the CMSDK domain controller and a normal node with nfs protocol server running.
    The other installations are done on Win2003 Blades. Currently we are using two Blades. On each there is a J2EE-MidTier installation and within these we have installed CMSDK with HTTP-Node and normal node. We are using NTFS-Server within the normal nodes.
    The Blades are within one Domain and we have NLB-Cluster activated for both.
    The whole thing sounds complex, but it works fine. We only have some trouble regarding start/stop of the nodes:
    1. If the solaris backend fails, our cluster-configuration tries to stop and start cmsdk. While stopping cmsdk, all nodes - even those on the Win-Servers - are stopped. But starting does not bring em up again automatically.
    2. If a Windows Server is booted, the normal node does not start automatically.
    3. If one Windows Server is not available, the ifsctl check takes a very long time because it's trying to get information from the missing one.
    Is there a way to restart the domain controller and node on solaris without stopping the nodes on Windows?
    How can we start the windows nodes automatically after reboot?
    Is there a way to probably start the nodes without being managed / guarded by the domain controller?
    Thanks for help,
    Alex

    Try adding this script to your /etc/init.d directory:
    #!/bin/sh
    ifsctl start << EOF
    <ifsctl password>
    EOF
    Replace <ifsctl password> with the password that you would give at the prompt.
    It will complain about Inappropriate ioctl for device, but it works.

  • 2012 Virtual Machine Black Screens Whenever Promoting to Domain Controller

    I have a brand new 2012 cluster with 2 hyper-v host nodes running Server 2012 (not R2). I have successfully spun up several virtual machines from templates via VMM 2012R2. 
    I added the AD DS role today to my DC01 server running server 2012 (not R2). Then I promoted it to a domain controller. When it came back up I got the login screen as normal and logged in. Upon login I only see a black screen. I can click ctr-alt-del and
    get the typical menu, but only logout responds. Everything else such as Task Manager just goes back to the black screen. Connecting via remote eventvwr and checking logs and events shows the DC Promo was successful; I can verify replication to other DC's etc.
    I don't see any problems with this server other than I can't see it after login. RDPing in provides the black screen as well. I am able to log in via safe mode and can see the desktop, but am not sure how to troubleshoot from there. I verified that integration
    services were latest and greatest before I promo'd.
    I de-promo'd it via server manager on another server 2012 server, then removed the roles and deleted it. I just created a new server and did the same process, only used a remote server manager for DCpromo this time. After reboot I have the identical issue
    with a black screen.
    Can anyone help?
    Peter

    Hi Peter,
    Based on your description, the following thread also focused on this kind of issue and can be referred to for troubleshooting.
    Server 2012 Black Screen on Login
    http://community.spiceworks.com/topic/406717-server-2012-black-screen-on-login
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Hope it helps.
    Best regards,
    Frank Shen

  • Adding a Server 2008 R2 Domain Controller at a remote site

    Hello. I have been trying to set up a hot site at a remote location.  The story is long and involved but a few weeks ago it seemed to be finally working.  Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take. 
    The hot site is the same except that so far I only had one server working.  The two sites connected via site to site VPN.
    About a week later our primary server basically crashed.  At first it worked but very slowly.  I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting. 
    It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message).  He then discovered that the server at the remote site had some fsmo roles assigned to it.  He transferred
    the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).
    After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem.  The way I originally set up the remote server was to use an IFM file, generated
    from our primary.  This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any fsmo roles.
    The remote server(s) are wanted to be in the same domain as the primary.  They will also be mirrored from the primary (with Double Take).  If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site
    (after a fail over).  I freely admit that I am swimming out of my depth here.  I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers.  I am looking for information about what
    went wrong, and whether some other setup is more desirable.
    Thanks for any help, Russ
    Russ

    Philippe, thank you for your answers.  I do not understand everything you said but I will address each point as best I can:
    1. "In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?"  Yes, but I use the method described at
    http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx, The GUI method.  At step #8 I specified to use advanced mode so I could use the IFM file.
    2. "In your AD' Site and Service MMC, do you configured the remote site ?"  I do not know what you mean by this. How does one configure the site as 'remote'?
    3. "Do you added that remote server as a Global catalogue ?".  Yes, when I built the IFM file I specified to add the global catalog.
    4. "Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash."  I am not sure I understand this item.  After the remote server
    was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain.  I do not recall if the new items were last, but I expect that they would be.
    I have since reviewed the happenings with my associate and have a little more information.  The order of the problems and the actions taken are:
    1. Our primary (production) system was still working but extremely slow, and he observed that the slowness was caused by a lot of traffic with the remote site.  Rebooting the production server took over 25 minutes and the server came up saying
    that domain information was not available.  After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slow.
    2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil.  I would expect that if the role was not held by the remote, the transfer command would have
    shown that fact.
    3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".
    4. He forcefully demoted the remote server.
    5. After rebooting the production server again performance was slightly better but still slow (and the reboot was still very slow).
    6. After some research he removed the remote domain controller's meta data from the production server and then rebooted the production server again.
    At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.
    All of the above leads me to believe that somehow the FSMO roles got added to, or moved to the remote site when I used the IFM file to create the new domain controller.  However nothing I have read says that this should happen.  I hope someone
    here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.
    Thank you, Russ
    PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.
    Russ

  • 10.5.7 server as primary domain controller

    Setting up a 10.5.7 server -
    Server is setup as a open directory master, I want it also to be a primary domain controller (smb).
    But when I try to change it from Standalone Server to primary domain controller, using my directory admin user id and password, it just reverts back to standalone server. Tried it with smb running and not running.
    Any ideas ?

    Having the same issue with Leopard Server 10.5.8.
    SMB was previously set up as a "Domain Member" and now I want to make it a "Primary Domain Controller".
    After reboot, the Role always reverts back to "Domain Member".
    Any ideas?

  • Limit Administrator Access to only OS Level functions on a Windows 2003 (and up) Domain Controller Server

    I have read several articles such as:
    1. http://social.technet.microsoft.com/Forums/windowsserver/en-US/9c723f4a-51a7-4844-9dc6-0017355d694c/limited-administrative-on-domain-controller?forum=winserverDS
    2. Active_Directory_Delegation.doc
    Consider that a domain controller, doing no other functions than domain based functions (ie no file server, printer or app server) - is managed in two parts: The OS-only level, to read log files, server health monitoring, install OS-level Microsoft security patching and the second part being Domain management level - Users and Computers, Domains and Trusts, etc).
    For a given domain controller server, an outsourced support group needs to be responsible for the OS-only level access - they need no access to the Domain management level functions so they can fulfill contractual obligations (SLAs) for server uptime, patching etc.
    For the same given domain controller server above, there is an internal (non-outsourced) support group that will perform all Domain management level functions only. They want to manage the Domain on the Domain Controller servers, want the Outsourcer to manage the VM and OS-related tasks, but DO NOT want them to be able to access and change information in Users and Computers, Domains and Trusts etc.
    With that explanation, would putting the Outsourcer's AD-based account IDs in the Server Operators group alone be sufficient to allow OS-level management, like patching, reboots, etc but disallow access to Domain Management functionality (Users and Computers etc) - or does it need to be a combination of built in groups and delegated rights?
    Please consider that I am seeking a technical solution here - do not respond with "either trust your Domain Administrators or keep your junior admins from the server" as that is not a viable solution.
    Jason B. Allen

    Hi Jason,
    According to your description, you want to assign the OS-level management and Domain management rights to two groups separately, right?
    Based on my research, members of Server Operators group don’t have sufficient rights to install updates for Domain Controllers, you can refer to this article below:
    Default groups
    http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx
    You can configure Allow non-administrators to receive update notifications group policy so that non-administrative users will be able to install all optional, recommended, and important updates content for which
    they received a notification, except some updates which contain User Interface, End User License Agreement and so on, which still require domain admin credentials.
    To enable non-administrator users the ability of logging onto and shutting down DCs,
    Allow logon locally and Shut down the System rights should be granted.
    In addition, reading logs and monitoring server performance rights are included on Performance Log Users and Performance Monitor Users groups.
    More information for you:
    Step 5: Configure Group Policy Settings for Automatic Updates
    http://technet.microsoft.com/en-us/library/dn595129.aspx
    User Rights Assignment
    http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
    I hope this helps.
    Amy Wang
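
One way to check the rights assignment discussed in the thread above, as an added example that is not part of the original posts: it parses the [Privilege Rights] section of a `secedit /export /areas USER_RIGHTS` file and reports whether a delegated group holds the two rights named in the answer and which other rights it holds. The sample INF text, the group SID and the function names are constructed for illustration.

```python
# Added example: audit exported user rights for a delegated OS-operations group.

# The two rights named in the answer, by their secedit constant names.
EXPECTED = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeShutdownPrivilege": "Shut down the system",
}

# Constructed SID standing in for the outsourced team's domain group.
OUTSOURCER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed sample of an exported rights file. Assumption: a real export is
# usually UTF-16 encoded, so read it with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Section headers switch parsing on or off.
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; unresolved names have none.
        principals = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
        rights[name.strip()] = principals
    return rights


def audit_principal(inf_text, principal):
    """Compare the rights a principal holds against the expected set."""
    rights = parse_privilege_rights(inf_text)
    held = {name for name, who in rights.items() if principal in who}
    return {
        "missing": sorted(set(EXPECTED) - held),
        "unexpected": sorted(held - set(EXPECTED)),
    }


if __name__ == "__main__":
    print(audit_principal(SAMPLE_INF, OUTSOURCER_SID))
```

Rights granted through group membership (for example via a built-in group) show up under that group's SID, so the same check should be run for each group the delegated accounts belong to.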

  • Directory service console not able to open in a Domain Controller

    Hai,
    I have a 2008 domain controller. when i open the users and computer console i get the below error
    data from "domain name" is not available from domain controller because: the search filter cannot be recognized. try again later, or choose another DC by selecting connect to Domain controller on the domain context menu.
    What could be the issue? Please help.
    thanks in advance
    Thanks Chandru CT. MCITP

    When you open ADUC on Windows 2008, it is trying to connect to a DC which is not available due to a connectivity issue or DNS issue. Try to connect to a different DC using the ADUC console and see if it works.
    By default, a DC should connect to its own ADUC when you type DSA.MSC in Run; if it is connecting to another DC, then there is an issue with the existing DC.
    Verify DNS resolution is working; rebooting might also resolve your issue.
    Regards
    Awinish Vishwakarma
    MY BLOG:
     awinish.wordpress.com
    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Error determining whether the target server is already a domain controller: The target server is already a Domain Controller.

    So basically, I was promoting a new server to a DC.  It said the promotion failed.  I rebooted the server and lo and behold, it is acting like a domain controller.  It is moved to the domain controller OU, it is replicating fine, it knows
    who has the FSMO roles and I see no other problems. However, server manager is still telling me to promote the machine to be a DC as can be seen here:
    If I click the link to run DC Promo, I get this:
    Is there any way to just tell the server that "yes this is a working DC" to get rid of the task in server manager? Or is there something else I should do to correct this?

    Hi Vinny,
    There are others who have encountered similar scenarios as yours, clicking the Post-deployment Configuration message is enough to make the message disappear for good.
    Although I am more worried about that you mentioned the promotion failed, I suggest you run DCdiag.exe on this machine to examine if the DC is healthy.
    More information for you:
    Server 2012 DC Promotion Bug
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/221ed1ff-fc16-4c5d-ae05-edea7a9076be/server-2012-dc-promotion-bug?forum=winserverDS
    Troubleshooting Domain Controller Deployment
    http://technet.microsoft.com/en-us/library/jj592690.aspx
    Best Regards,
    Amy
