2012 R2 DirectAccess multi-domain forest: is it possible to limit auto-discovery of domain controllers?

I've just successfully implemented multisite Server 2012 R2 DirectAccess in a child domain of a global company with numerous sub-domains. I'd like to limit the scope of the auto-discovery of management servers in 2012 R2 DA. Is anyone aware of any way of doing this?
During the default initial configuration of DirectAccess, auto-discovery of domain controllers is performed for all domains in the same forest as the DirectAccess server and client computers.
In my scenario the number of sub-domains and the multinational nature of the company mean that the DA servers cannot contact all DCs for every child domain in the forest.
This means the Operations Status page in the Remote Access Management console always shows the status of the Domain Controller check as "critical", leaving a red X amongst my nice green ticks. It's untidy and at first glance it looks like there are major problems with the service.
The DA servers, client machines and users are in a single sub-domain, so we have no need to contact the other child domains' DCs.
I looked into using the Remove-DAMgmtServer PowerShell cmdlet; however, this is not applicable since it cannot be used to remove automatically configured management servers such as DCs.
Also, the child domain DCs don't actually appear in the management servers list.

Hi, a colleague of mine had the same problem in a DirectAccess deployment in a large organization that has a multi-domain forest. He had no choice but to open network flows so that at least one domain controller per domain in the forest was reachable.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
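The reply above comes down to "make at least one DC per forest domain reachable from the DA servers". The following script is an added example (not from the original thread or from Microsoft) that you can run on a DirectAccess server to see which forest domains currently have no reachable DC, so the firewall request can be scoped to one DC per domain rather than all of them. It uses the .NET ActiveDirectory classes to enumerate the forest and a plain TCP connect per port; the port list (Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445) is an assumption about what your environment needs the DA servers to reach, so adjust it to your own policy.

```powershell
# Added example: find forest domains with no reachable domain controller from this host.
# Not part of the original post. Port list is an assumption; adjust to your own policy.

function Test-TcpPorts {
    param([string]$HostName, [int[]]$Ports, [int]$TimeoutMs)
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Non-blocking connect so an unreachable DC costs $TimeoutMs, not a long OS timeout
            $async = $client.BeginConnect($HostName, $port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs) -or -not $client.Connected) { return $false }
        } catch {
            # Name resolution failure or refused connection: treat as unreachable
            return $false
        } finally {
            $client.Close()
        }
    }
    return $true
}

function Test-DomainControllerReachability {
    param(
        [int[]]$Ports = @(88, 135, 389, 445),   # assumption: Kerberos, RPC-EPM, LDAP, SMB
        [int]$TimeoutMs = 2000
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        # Enumerating a domain's DCs needs LDAP to that domain; if even that fails, report it
        try {
            $dcs = @($domain.FindAllDomainControllers())
        } catch {
            [pscustomobject]@{
                Domain = $domain.Name; DCsFound = 0; DCsReachable = 0
                Status = "DISCOVERY FAILED: $($_.Exception.Message)"
            }
            continue
        }
        $reachable = @(foreach ($dc in $dcs) {
            if (Test-TcpPorts -HostName $dc.Name -Ports $Ports -TimeoutMs $TimeoutMs) { $dc.Name }
        })
        [pscustomobject]@{
            Domain       = $domain.Name
            DCsFound     = $dcs.Count
            DCsReachable = $reachable.Count
            Status       = if ($reachable.Count -gt 0) { "OK (e.g. $($reachable[0]))" } else { 'NO REACHABLE DC' }
        }
    }
}

Test-DomainControllerReachability | Format-Table -AutoSize
```

Any domain that comes back as NO REACHABLE DC (or DISCOVERY FAILED) is one the DirectAccess Domain Controller check will keep flagging; the DC name shown in the OK rows is the one you would put on the firewall rule.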

Similar Messages

  • Windows 2012 R2 - NPS in resource forest won't authenticate users in the user forest by UPN, only by DOMAIN\username

    Hi there
    I have recently set up a Windows 2012 R2 NPS server (for WiFi auth) in our resource forest to replace an aging 2003 RADIUS server.
    The problem I am having is users logging in with their UPNs.
    To give some background our user forest and domains look like company.local and a few child domains department.company.local etc.
    Our resource domain is companyresources.com
    As we use office 365 we had to add UPNs to our users called company.com and set them.
    The NPS cannot authenticate users when they use their [email protected] UPN.
    From logs
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
                Security ID:                              NULL SID
                Account Name:                         [email protected]
                Account Domain:                                  -
                Fully Qualified Account Name:   -
    Followed by event ID 4402
    There is no domain controller available for domain DOMAIN.
    I believe it cannot translate the account name into an account domain when using the UPN we need for Office 365 ([email protected]).
    If I set a test user to a UPN of [email protected] it does (however we cannot do this because it will affect our office 365 users)
    Network Policy Server granted access to a user.
    User:
                Security ID:                              DOMAIN\user1
                Account Name:                         [email protected]
                Account Domain:                                  DOMAIN
                Fully Qualified Account Name:   DOMAIN\user1
    or if I use DOMAIN\username
    Network Policy Server granted full access to a user because the host met the defined health policy.
    User:
                Security ID:                              DOMAIN\user1
                Account Name:                         DOMAIN\user1
                Account Domain:                                  DOMAIN
                Fully Qualified Account Name:   DOMAIN\user1
    Is there any way I can get my UPN authentication working from the resource domain, as I would prefer my users logging into WiFi with their UPNs since we have moved away from the DOMAIN\username method.
    Thanks

    Hi,
    According to your description, my understanding is that client using UPN can’t be authenticated by NPS server, event ID 4402.
    In general, when NPS is configured as a RADIUS server with the default connection request policy, NPS processes connection requests for the domain in which the NPS server is a member and for trusted domains.
    You may try to use realm names configured in connection request policies to ensure that connection requests are routed from RADIUS clients to RADIUS servers that can authenticate and authorize the connection request.
    You may reference the link below for detailed information:
    Realm Names
    https://technet.microsoft.com/en-us/library/cc731342(v=ws.10).aspx
    Using Pattern-Matching Syntax in NPS
    https://technet.microsoft.com/en-us/library/dd197583%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
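The reply points at User-Name attribute manipulation in a connection request policy. The script below is an added example (not from the thread or from Microsoft) that simulates such rules offline so you can check what NPS would hand to the authenticating DC before you touch the policy: NPS evaluates the find/replace pairs as .NET-style regular expressions with `$1` as the backreference, which is exactly what `[regex]::Replace` does here. The domain names and rule targets are placeholders, not the poster's real ones, and which rewritten form actually resolves in your resource forest is something you must confirm against your trust setup.

```powershell
# Added example: dry-run of NPS "User-Name" attribute manipulation rules.
# Not part of the original post; domain names are placeholders.

# Two alternative rule sets a practitioner might enter under
# Connection Request Policy > Settings > Attribute > User-Name.
# [^@]+ (not .+) keeps the rule from matching sub-domain suffixes such as user@sub.company.com.
$RuleSets = @{
    'Rewrite suffix' = @(@{ Find = '^([^@]+)@company\.com$'; Replace = '$1@company.local' })
    'To DOMAIN\user' = @(@{ Find = '^([^@]+)@company\.com$'; Replace = 'COMPANY\$1' })
}

function Invoke-UserNameManipulation {
    param([string]$UserName, [array]$Rules)
    $name = $UserName
    foreach ($rule in $Rules) {
        # NPS applies the rules in the order listed; each sees the previous rule's output
        $name = [regex]::Replace($name, $rule.Find, $rule.Replace)
    }
    return $name
}

# Constructed sample identities, modelled on the forms in the post
$Samples = 'user1@company.com', 'user1@company.local', 'COMPANY\user1', 'user2@sub.company.com'

foreach ($setName in $RuleSets.Keys | Sort-Object) {
    foreach ($s in $Samples) {
        [pscustomobject]@{
            RuleSet = $setName
            Input   = $s
            Output  = Invoke-UserNameManipulation -UserName $s -Rules $RuleSets[$setName]
        }
    }
} | Format-Table -AutoSize
```

Only the first sample changes; the already-resolvable UPN, the DOMAIN\user form and the sub-domain suffix pass through untouched, which is the behaviour you want from a rule that exists only to fix the Office 365 suffix. Rewriting the name helps only if the NPS server's domain can resolve the rewritten form, so test the output against `nltest` or a logon before relying on it for the whole WiFi population.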

  • Windows 2012 root certification authority in a 2003 Domain/ Forest level

    Hello,
    We are currently on Windows 2003 Domain & Forest Functional Level. Our Root CA is also currently on Windows 2003 DC.
    If we have to set up a new Root/Issuing CA (not exporting the current 2003 CA cert) on Windows 2012 R2 servers, is it then mandatory to first upgrade the domain and forest levels to 2012 R2? Can we have a PKI infrastructure with Enterprise CAs on a Windows 2012 platform but the domain/forest levels still on 2003 level? I understand it will be good to have everything on 2012 R2, but can a mix of 2003 domain level and 2012 CA work?

    Hi,
    Look at the thread below; it might help:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/fa8cac92-0f71-426c-ac95-e89e90e1c8d1/certificate-authority-and-forestdomain-functional-level?forum=winserversecurity
    Basically the answer is yes you can have  CA on 2012 R2 and DFL/FFL still on 2003.
    Regards,
    Calin

  • Adding new server 2012 DC in existing 2003 forest

    The prerequisites check fails. Here is the content of the log file. Please help me fix it.
    [2012/12/27:16:27:25.535]
    Adprep created the log file 'C:\Windows\debug\adprep\logs\20121227162725-test\ADPrep.log'
    [2012/12/27:16:27:25.535]
    Adprep successfully initialized global variables.
    [Status/Consequence]
    Adprep is continuing.
    [2012/12/27:16:27:25.545]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.545]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.545]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.546]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.546]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.546]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.548]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.548]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.548]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.548]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.555]
    Adprep discovered the schema FSMO: AD01.NJ01.IMSTRANSPORT.COM.
    [2012/12/27:16:27:25.559]
    Adprep connected to the schema FSMO: AD01.NJ01.IMSTRANSPORT.COM.
    [2012/12/27:16:27:25.559]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.559]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.559]
    Adprep successfully retrieved information from the Active Directory Domain Services.
    [2012/12/27:16:27:25.559]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.560]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/27:16:27:25.560]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.560]
    LDAP API ldap_search_ext_s finished, return code is 0x0 
    [2012/12/27:16:27:25.560]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.560]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/27:16:27:25.560]
    Adprep does not find the tokenGroups attribute on the RootDSE object of the Active Directory Domain Controller. This attribute is not avaliable on Windows Server 2003 or lower version of Windows. Adprep will try to obtain token groups from the User object.
    [2012/12/27:16:27:25.560]
    The parameters /userdomain and /user are not specified. Using current logon user's domain ...
    [2012/12/27:16:27:25.560]
    The current logon user's domain is NJ01.IMSTRANSPORT.COM.
    [2012/12/27:16:27:25.561]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.561]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.561]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.562]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.562]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Benjamin Green,OU=IT,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.563]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/27:16:27:25.569]
    Adprep discovered the Infrastructure FSMO: AD01.NJ01.IMSTRANSPORT.COM.
    [2012/12/27:16:27:25.572]
    Adprep connected to the Infrastructure FSMO: AD01.NJ01.IMSTRANSPORT.COM.
    [2012/12/27:16:27:25.572]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.572]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.572]
    Adprep successfully retrieved information from the Active Directory Domain Services.
    [2012/12/27:16:27:25.572]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.573]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/27:16:27:25.573]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.573]
    LDAP API ldap_search_ext_s finished, return code is 0x0 
    [2012/12/27:16:27:25.573]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.573]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/27:16:27:25.574]
    Adprep does not find the tokenGroups attribute on the RootDSE object of the Active Directory Domain Controller. This attribute is not avaliable on Windows Server 2003 or lower version of Windows. Adprep will try to obtain token groups from the User object.
    [2012/12/27:16:27:25.574]
    The parameters /userdomain and /user are not specified. Using current logon user's domain ...
    [2012/12/27:16:27:25.574]
    The current logon user's domain is NJ01.IMSTRANSPORT.COM.
    [2012/12/27:16:27:25.574]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.575]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.575]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.575]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.575]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Benjamin Green,OU=IT,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.576]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/27:16:27:25.591]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/27:16:27:25.592]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.592]
    Adprep successfully retrieved information from the Active Directory Domain Services.
    [2012/12/27:16:27:25.592]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=UID,CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
    [2012/12/27:16:27:25.592]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/27:16:27:25.592]
    Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix Q293783 for SFU has been applied.
    [2012/12/27:16:27:25.611]
    Adprep could not retrieve data from the server AD01.NJ01.IMSTRANSPORT.COM through Windows Managment Instrumentation (WMI).
    [User Action]
    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20121227162725-test directory for possible cause of failure.
    [2012/12/27:16:27:25.611]
    Adprep encountered a Win32 error. 
    Error code: 0x5 Error message: Access is denied.
    DSID Info:
    DSID: 0x1810012a
    HRESULT = 0x80070005
    NT BUILD: 9200
    NT BUILD: 16384
    [2012/12/27:16:27:25.611]
    Adprep failed while performing Exchange schema check.
    [Status/Consequence]
    The Active Directory Domain Services schema is not upgraded.
    [User Action]
    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20121227162725-test directory for possible cause of failure.
    [2012/12/27:16:27:25.611]
    Adprep encountered a Win32 error. 
    Error code: 0x5 Error message: Access is denied.
    DSID Info:
    DSID: 0x1810012a
    HRESULT = 0x80070005
    NT BUILD: 9200
    NT BUILD: 16384

    Make sure that the Server 2012 machine is already a member of the domain before promoting it to a domain controller.
    To use a Server 2012 DC in a 2003 environment you need to run adprep; it is located on the Server 2012 disk under ..\support\adprep.
    When everything is looking fine your adprep will show you this.
    PS C:\Users\Administrator> D:\support\adprep\adprep.exe /forestprep
    ADPREP WARNING:
    Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or later.
    You are about to upgrade the schema for the Active Directory forest named 'domain', using the Active Directory
     domain controller (schema master) 'SRV2012SRV01.domain.local'.
    This operation cannot be reversed after it completes.
    [User Action]
    If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by
    typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
    Then start server manager and click 'Add roles and features' and install the needed services.
    It did not work. Here are the contents of the log.
    [2012/12/28:09:44:36.122]
    Adprep created the log file 'C:\Windows\debug\adprep\logs\20121228094436\ADPrep.log'
    [2012/12/28:09:44:36.122]
    Adprep successfully initialized global variables.
    [Status/Consequence]
    Adprep is continuing.
    [2012/12/28:09:44:36.193]
    Adprep discovered the schema FSMO: <DC>.<DOMAIN NAME>.
    [2012/12/28:09:44:36.302]
    Adprep connected to the schema FSMO: <DOMAIN NAME>.
    [2012/12/28:09:44:36.302]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/28:09:44:36.303]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/28:09:44:36.303]
    Adprep successfully retrieved information from the Active Directory Domain Services.
    [2012/12/28:09:44:36.303]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=<DOMAIN>,DC=<DOMAIN>,DC=COM.
    [2012/12/28:09:44:36.303]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/28:09:44:36.303]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/28:09:44:36.303]
    LDAP API ldap_search_ext_s finished, return code is 0x0 
    [2012/12/28:09:44:36.303]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/28:09:44:36.304]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/28:09:44:36.304]
    Adprep does not find the tokenGroups attribute on the RootDSE object of the Active Directory Domain Controller. This attribute is not avaliable on Windows Server 2003 or lower version of Windows. Adprep will try to obtain token groups from the User object.
    [2012/12/28:09:44:36.304]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/28:09:44:36.305]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/28:09:44:36.305]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=<DOMAIN>,DC=<DOMAIN>,DC=COM.
    [2012/12/28:09:44:36.305]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/28:09:44:36.305]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=<DOMAIN>,DC=<DOMAIN>,DC=COM.
    [2012/12/28:09:44:36.306]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/28:09:44:36.306]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=<NAME>,OU=<OU>,DC=<DOMAIN>,DC=<DOMAIN>,DC=COM.
    [2012/12/28:09:44:36.307]
    LDAP API ldap_search_s finished, return code is 0x0 
    [2012/12/28:09:44:36.346]
    Adprep successfully logged on to the local machine using the specified credentials for network connections.
    [2012/12/28:09:44:36.346]
    Adprep successfully made the network connection to the Active Directory Domain Controller <DC>.<DOMAIN>.<DOMAIN NAME>.COM.
    [2012/12/28:09:44:36.376]
    Adprep successfully stopped using the specified credentials for network connections.
    [2012/12/28:09:44:36.377]
    Adprep successfully closed the network connection to the Active Directory Domain Controller <DC>.<DOMAIN>.<DOMAIN NAME>.COM.
    [2012/12/28:09:44:36.380]
    Adprep discovered the schema FSMO: <DC>.<DOMAIN>.<DOMAIN NAME>.COM.
    [2012/12/28:09:44:36.384]
    Adprep connected to the schema FSMO: <DC>.<DOMAIN>.<DOMAIN NAME>.COM.
    [2012/12/28:09:44:36.386]
    Adprep successfully logged on to the local machine using the specified credentials for network connections.
    [2012/12/28:09:44:36.386]
    Adprep successfully made the network connection to the Active Directory Domain Controller <DC>.<DOMAIN>.<DOMAIN NAME>.COM.
    [2012/12/28:09:44:36.428]
    ADPREP WARNING: 
    Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or later.
    You are about to upgrade the schema for the Active Directory forest named '<DOMAIN>.<DOMAIN NAME>.COM.', using the Active Directory domain controller (schema master) '<DC>.<DOMAIN>.<DOMAIN NAME>.COM.'.
    This operation cannot be reversed after it completes.
    [User Action]
    If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
    [2012/12/28:09:44:40.475]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=<DOMAIN>,DC=<DOMAIN NAME>,DC=COM.
    [2012/12/28:09:44:40.475]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/28:09:44:40.475]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=<DC>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<DOMAIN>,DC=<DOMAIN NAME>,DC=COM.
    [2012/12/28:09:44:40.475]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/28:09:44:40.476]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=<DOMAIN>,DC=<DOMAIN NAME>,DC=COM.
    [2012/12/28:09:44:40.476]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/28:09:44:40.476]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
    [2012/12/28:09:44:40.477]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/28:09:44:40.477]
    Adprep successfully retrieved information from the Active Directory Domain Services.
    [2012/12/28:09:44:40.477]
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=UID,CN=Schema,CN=Configuration,DC=<DOMAIN>,DC=<DOMAIN NAME>,DC=COM.
    [2012/12/28:09:44:40.477]
    LDAP API ldap_search_s() finished, return code is 0x0 
    [2012/12/28:09:44:40.477]
    Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix Q293783 for SFU has been applied.
    [2012/12/28:09:44:40.512]
    Adprep could not retrieve data from the server <DC>.<DOMAIN>.<DOMAIN NAME>.COM through Windows Managment Instrumentation (WMI).
    [User Action]
    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20121228094436 directory for possible cause of failure.
    [2012/12/28:09:44:40.519]
    Adprep encountered a Win32 error. 
    Error code: 0x5 Error message: Access is denied.
    DSID Info:
    DSID: 0x1810012a
    HRESULT = 0x80070005
    NT BUILD: 9200
    NT BUILD: 16384
    [2012/12/28:09:44:40.541]
    Adprep failed while performing Exchange schema check.
    [Status/Consequence]
    The Active Directory Domain Services schema is not upgraded.
    [User Action]
    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20121228094436 directory for possible cause of failure.
    [2012/12/28:09:44:40.549]
    Adprep encountered a Win32 error. 
    Error code: 0x5 Error message: Access is denied.
    DSID Info:
    DSID: 0x1810012a
    HRESULT = 0x80070005
    NT BUILD: 9200
    NT BUILD: 16384
    [2012/12/28:09:44:40.549]
    Adprep successfully stopped using the specified credentials for network connections.
    [2012/12/28:09:44:40.550]
    Adprep successfully closed the network connection to the Active Directory Domain Controller <DC>.<DOMAIN>.<DOMAIN NAME>.COM.
    Looks like the problem is that
    Adprep could not retrieve data from the server <DC>.<DOMAIN>.<DOMAIN NAME>.COM through Windows Managment Instrumentation (WMI).
    How do I fix this so it will work?
    The other two domain controllers are running Windows Server 2003 32-bit operating systems.
    Could the cause of this problem be that the Server 2012 machine is 64-bit and the Server 2003 machines are 32-bit?
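Both posted logs stop at the same place: the Exchange schema check, where adprep queries the schema master over WMI and gets 0x5 Access is denied. The script below is an added example (not from the thread or from Microsoft) that separates the two things a practitioner would check before running adprep /forestprep again: whether the account holds the group memberships forestprep requires (Schema Admins, Enterprise Admins and Domain Admins in the domain that hosts the schema master) and whether a WMI query from this machine to the schema master succeeds with the current credentials. The schema master name is taken from the first posted log and is an assumption for your environment; replace it with the one your own log reports.

```powershell
# Added example: pre-flight for adprep /forestprep on the 2012 server.
# Not part of the original post. $SchemaMaster is taken from the posted log; change it.
$SchemaMaster = 'AD01.NJ01.IMSTRANSPORT.COM'

function Test-AdprepPrerequisites {
    param([string]$SchemaMaster)

    # 1. Group memberships forestprep requires, read from the current logon token
    $required = 'Schema Admins', 'Enterprise Admins', 'Domain Admins'
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        $sid = $_
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
    foreach ($g in $required) {
        [pscustomobject]@{
            Check  = "Token contains $g"
            Result = if ($groups -match "\\$g$") { 'OK' } else { 'MISSING (re-logon after adding, token is built at logon)' }
        }
    }

    # 2. WMI (DCOM over TCP 135 plus dynamic ports) to the schema master, same path adprep uses
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $SchemaMaster -ErrorAction Stop
        [pscustomobject]@{ Check = "WMI to $SchemaMaster"; Result = "OK ($($os.Caption))" }
    } catch {
        [pscustomobject]@{ Check = "WMI to $SchemaMaster"; Result = "FAILED: $($_.Exception.Message)" }
    }
}

Test-AdprepPrerequisites -SchemaMaster $SchemaMaster | Format-Table -AutoSize -Wrap
```

If the WMI row fails with the same Access is denied while the group rows are OK, the problem is on the DCOM/WMI path to the 2003 DC (remote DCOM permissions or a firewall between the two boxes) rather than in Active Directory permissions; if a group row is MISSING, fix the membership first, log off and on, and rerun both adprep and this check.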

  • Server 2012 R2 DirectAccess - 2008 R2 Client

    I have things working for Server 2012 R2 Direct Access and Windows 8.1 Enterprise machines. Now moving on to Server 2008 R2 as a client, the environment is not working.
    I just tried turning on Windows 7 support and applying but still no luck.  I am not seeing much on this, so I suspect it usually just works for Server 2008 R2?
    Mike

    So I forged ahead with an actual fresh Windows 7 machine, all service packed up, instead of the existing 2008 R2 machine that we need to keep for sometime.
    I've installed the DCA 2.0, made the Group Policy edits on the domain.  The Windows 7 machine has received the updates and DCA appears happy when on the private network.
    However when the Windows 7 machine is switched over to the public network, no connection.  Not really much of a hint as to what the problem is.
    RED: Corporate connectivity is not working.
    "Your computer cannot connect to the DirectAccess server. If the problem persists, contact your administrator.
    The Probes FAIL, DTEs FAIL.
    The 2012 R2 DirectAccess server has no knowledge of the failed connection attempts.
    This is quite the challenge... 
    Mike

  • Server 2012 std not able to see Domain, DC and DNS on Win SBS 2008 std Domain

    Hi There
    I have a HP ML 110 G5 SBS 2008 std server as my DC on my network. I recently added a HP Microserver running Server 2012 std (with no roles or features installed) to act solely as a file server for a 3rd party program, as the program was not running efficiently on the main server.
    The problem I am having now is that the 2012 server keeps falling off the domain and cannot contact the DNS server. I have also had to re-enable remote desktop several times. It also shows the 2012 server as being on a private firewall profile and not on the domain firewall profile, but I suspect that this is part of the same problem.
    the resulting problem that this is causing is that the local machines that need to contact an SQL database on the 2012 fileserver intermittently either time out or are very slow to connect.  
    So far I have tried: 
    Switching from Static IP to DHCP. 
    Re-adding the server to the domain. 
    Stopping and restarting DNS services on the DC.
    Checking physical Network connections and routing.
    Putting the 2012 server into the same Organizational Unit as the 2008 DC. 
    Has anyone else encountered this problem when adding a 2012 server to a 2008 domain?  I have a feeling that the solution is probably something simple that I've overlooked, but I can't think what.  Any help would be greatly appreciated. 
    Regards
    Russ
    Also, as some additional info -
    Event viewer gives the following errors:
    Group Policy Error:
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          2015-04-27 01:17:51 PM
    Event ID:      1129
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      [SERVERNAME].[DOMAIN].local
    Description:
    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has
    successfully processed. If you do not see a success message for several hours, then contact your administrator.
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1129</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-04-27T11:17:51.111942100Z" />
    <EventRecordID>19056</EventRecordID>
    <Correlation ActivityID="{C0CBAF2B-1E93-49C0-B910-069AE43F74B2}" />
    <Execution ProcessID="732" ThreadID="1336" />
    <Channel>System</Channel>
    <Computer>[SERVERNAME].[DOMAIN].local</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">1548</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">0</Data>
    <Data Name="ErrorCode">1222</Data>
    <Data Name="ErrorDescription">The network is not present or not started. </Data>
    </EventData>
    </Event>
    DNS Error:
    Log Name:      System
    Source:        Microsoft-Windows-DNS-Client
    Date:          2015-04-27 04:54:58 PM
    Event ID:      8015
    Task Category: (1028)
    Level:         Warning
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      [SERVERNAME].[DOMAIN].local
    Description:
    The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings:
               Adapter Name : {3DDD0E46-D879-48C0-9DF6-5FAC0F1A56C4}
               Host Name : [SERVERNAME]
               Primary Domain Suffix : [DOMAIN].local
               DNS server list :
    192.168.2.10
               Sent update to server : <?>
               IP Address(es) :
                 192.168.2.15
    The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running
    at this time. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
    <EventID>8015</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>1028</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2015-04-27T14:54:58.599130300Z" />
    <EventRecordID>19105</EventRecordID>
    <Correlation />
    <Execution ProcessID="856" ThreadID="952" />
    <Channel>System</Channel>
    <Computer>[SERVERNAME].[DOMAIN].local</Computer>
    <Security UserID="S-1-5-20" />
    </System>
    <EventData>
    <Data Name="AdapterName">{3DDD0E46-D879-48C0-9DF6-5FAC0F1A56C4}</Data>
    <Data Name="HostName">[SERVERNAME]</Data>
    <Data Name="AdapterSuffixName">[DOMAIN].local</Data>
    <Data Name="DnsServerList"> 192.168.2.10</Data>
    <Data Name="Sent UpdateServer">&lt;?&gt;</Data>
    <Data Name="Ipaddress">192.168.2.15</Data>
    <Data Name="ErrorCode">1460</Data>
    </EventData>
    </Event>

    Can you post an ipconfig /all from the server and the DC?
    Robert Pearman SBS MVP
    itauthority.co.uk
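The two posted events (Group Policy 1129 with error 1222, DNS client 8015 with a timed-out dynamic update to 192.168.2.10) both describe the member server failing to reach its DC, and the "private" firewall profile is consistent with that, since Network Location Awareness only selects the domain profile after it can contact a DC. The script below is an added example (not from the thread or from Microsoft) that runs the same chain the Netlogon and Group Policy clients depend on, from the 2012 server: TCP to the configured DNS server, the DC locator SRV record, LDAP to the DC it names, the DC locator itself via nltest, and the machine's secure channel. The DNS server address is taken from the posted event and the domain from the logon session; both are assumptions for your site.

```powershell
# Added example: check the member server -> DNS -> DC chain that events 1129/8015 depend on.
# Not part of the original post. 192.168.2.10 comes from the posted event; change as needed.

function Test-DomainJoinHealth {
    param(
        [string]$DnsServer = '192.168.2.10',
        [string]$Domain    = $env:USERDNSDOMAIN   # assumption: logged on with a domain account
    )

    function Test-Tcp([string]$HostName, [int]$Port) {
        $c = New-Object System.Net.Sockets.TcpClient
        try { $c.Connect($HostName, $Port); $c.Connected } catch { $false } finally { $c.Close() }
    }

    $results = @()

    # 1. Is the DNS server the NIC points at even listening? (8015 says the update timed out)
    $results += [pscustomobject]@{ Check = "DNS TCP/53 to $DnsServer"; Result = (Test-Tcp $DnsServer 53) }

    # 2. DC locator SRV record, asked directly of that server
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop
        $dcHost = ($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
        $results += [pscustomobject]@{ Check = "SRV _ldap._tcp.dc._msdcs.$Domain"; Result = $dcHost }

        # 3. LDAP to the DC the SRV record names (what NLA and Group Policy use)
        $results += [pscustomobject]@{ Check = "LDAP TCP/389 to $dcHost"; Result = (Test-Tcp $dcHost 389) }
    } catch {
        $results += [pscustomobject]@{ Check = "SRV _ldap._tcp.dc._msdcs.$Domain"; Result = "FAILED: $($_.Exception.Message)" }
    }

    # 4. The DC locator API itself, as Netlogon/Group Policy call it (exit code 0 = a DC was found)
    $null = & nltest "/dsgetdc:$Domain" 2>&1
    $results += [pscustomobject]@{ Check = "nltest /dsgetdc:$Domain"; Result = ($LASTEXITCODE -eq 0) }

    # 5. Machine account secure channel, which a repeatedly re-joined box may have lost
    $results += [pscustomobject]@{ Check = 'Secure channel to domain'; Result = (Test-ComputerSecureChannel) }

    return $results
}

Test-DomainJoinHealth | Format-Table -AutoSize -Wrap
```

Read the rows top down: the first false result is where the chain breaks, and it tells you whether to look at the NIC's DNS settings, the DNS service on the SBS box, the network path between the two servers, or the machine account.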

  • Migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 and 2 other Domain External and Forest Trusts

    Is there anything that needs to be done or considered when migrating from 2003 domain/forest level to 2008R2 with all DCs at 2008R2, with 2 other separate 2003 domain incoming and outgoing trusts, one trust that is a forest trust and the other an external trust? Is there any chance or risk that doing this upgrade will break either one of these trust relationships? Some of the user accounts with SID history have been migrated from both trusted domains to our domain. Any chance that this upgrade will break these relationships for users that are using SID history for access to folders and files in their old domains? If so, what can be done to protect these trusts and SID history prior to moving the domain to 2008R2?

    Hi,
    Based on my knowledge, upgrading the functional level does not affect the trust relationships.
    Besides, before you upgrade the functional level, verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level.
    Once the functional level has been upgraded, new DCs running on downlevel versions of Windows Server cannot be added to the domain or forest.
    For more information about functional levels, we can refer to the following links:
    Understanding Active Directory Domain Services (AD DS) Functional Levels
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
    What is the Impact of Upgrading the Domain or Forest Functional Level?
    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
    Best Regards,
    Erin
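    As an added example (not part of Erin's reply), the PowerShell below performs the two pre-checks she describes: it confirms every DC in every domain of the forest meets the target OS version and snapshots the existing trusts so they can be compared after the raise. It assumes the ActiveDirectory module from Windows Server 2012 RSAT or later (for Get-ADTrust), read rights in every domain, and a Windows Server 2008 R2 target (NT version 6.1).

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# (Windows Server 2012 RSAT or later) and read rights in every domain of the forest.
Import-Module ActiveDirectory

# Target: Windows Server 2008 R2 = NT 6.1 (assumption; adjust for another target level)
$TargetMode       = 'Windows2008R2Domain'
$MinimumOsVersion = [version]'6.1'

$forest = Get-ADForest
$dcReport = foreach ($domain in $forest.Domains) {
    $mode = (Get-ADDomain -Server $domain).DomainMode
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        # OperatingSystemVersion looks like "5.2 (3790)" or "6.1 (7601)"; keep the major.minor part
        $ver = [version](($dc.OperatingSystemVersion -split '\s')[0])
        [pscustomobject]@{
            Domain      = $domain
            CurrentMode = $mode
            DC          = $dc.HostName
            OS          = $dc.OperatingSystem
            NtVersion   = $ver
            BlocksRaise = ($ver -lt $MinimumOsVersion)   # a downlevel DC must be upgraded or demoted first
        }
    }
}
$dcReport | Format-Table -AutoSize

# Snapshot every trust (direction, type, SID filtering) before the change for a later comparison.
$trustsBefore = foreach ($domain in $forest.Domains) {
    Get-ADTrust -Filter * -Server $domain |
        Select-Object @{ n = 'Domain'; e = { $domain } }, Name, Direction, TrustType,
                      ForestTransitive, SIDFilteringQuarantined
}
$trustsBefore | Export-Csv -Path "$env:TEMP\trusts-before.csv" -NoTypeInformation

if ($dcReport | Where-Object BlocksRaise) {
    Write-Warning 'Downlevel DCs found; do not raise the functional level yet.'
} else {
    Write-Host "All DCs are at NT $MinimumOsVersion or later. Raise per domain when ready (not automated here):"
    Write-Host "  Set-ADDomainMode -Identity <domain> -DomainMode $TargetMode"
}
```

    Re-run the trust snapshot after the raise and diff the two CSV files; SIDFilteringQuarantined is the setting that decides whether migrated SID history is honoured across a trust.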

  • 2012 R2 DirectAccess with very low client throughput

    I have a three-node Windows NLB Server 2012 R2 DirectAccess farm.  These three single purpose servers have good specs (8 cores, 32GB RAM, etc etc).  The problem that I am seeing is that the clients all have very low throughput on each session (between
    6 and 8 MBit "aka 1 MByte" per second).  This performance spec is linear since for each concurrent client that you add their throughput is also in that range.  Clients are all high-spec notebooks with Windows 8.1 Enterprise x64.  Performance
    on these clients is excellent except when transiting the DirectAccess server.  If the same client connects through AnyConnect VPN their throughput is excellent.  Additionally, when clients connect to the DA server plugged into the external traffic
    switch (aka same network as the DA external interface) the performance is identical so this isn't a WAN performance issue.  The utilization on all devices (DA servers, DA clients, network hardware) is very low so it does not appear to be a resource problem. 
    I confirmed that NULL CIPHER is used on clients so the traffic isn't being double encrypted.  This NLB started life 2 years ago as a Windows Server 2012 environment on different hardware and I've had the exact same issue.  It works "ok"
    but not the throughput that the capacity planning documentation indicates.
    Any ideas?
    Thanks,
    Mark Ringo

    Hi Mark,
    Which transition technology does the client use to connect to the DirectAccess server?
    Using IP-HTTPS for DirectAccess connectivity has higher overhead and lower performance than Teredo. If the DirectAccess client is using IP-HTTPS instead of Teredo, the DirectAccess client will have a lower-performance connection.
    When examining performance issues, one of the first places to look is the output of the ipconfig command on the DirectAccess server, which indicates the type of encapsulation based on the interface that has a global IPv6 address assigned.
    For detailed information, please refer to the link below:
    DirectAccess Client Connection is Slow
    http://technet.microsoft.com/en-us/library/ee844161(v=WS.10).aspx
    Best Regards,
    Steven Lee
    TechNet Community Support
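    As an added example (not from Steven's reply), this PowerShell automates the ipconfig check he describes: it lists the interfaces holding a global IPv6 address (2000::/3) on a DA client or server and classifies the transition technology from the interface alias. The alias patterns and the optional Get-DAConnectionStatus call are assumptions based on Windows 8.x / Server 2012 R2 defaults.

```powershell
# Added example (not from the thread). Lists interfaces with a global IPv6
# address and classifies the DirectAccess transition technology by alias.
# Alias patterns are assumptions based on Windows defaults.
function Get-DaTransitionTechnology {
    $addresses = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -match '^[23][0-9a-fA-F]{3}:' }   # global unicast (2000::/3) only

    foreach ($a in $addresses) {
        $tech = switch -Regex ($a.InterfaceAlias) {
            'iphttps' { 'IP-HTTPS (IPv6 inside HTTPS over TCP 443: highest overhead)'; break }
            'teredo'  { 'Teredo (IPv6 inside UDP 3544: lower overhead than IP-HTTPS)'; break }
            '6to4'    { '6to4 (IPv6 inside IPv4 protocol 41: needs a public IPv4 address)'; break }
            default   { 'Native IPv6 or non-transition interface' }
        }
        [pscustomobject]@{
            Interface    = $a.InterfaceAlias
            Address      = $a.IPAddress
            Technology   = $tech
            AddressState = $a.AddressState   # Preferred means the address is usable
        }
    }
}

$report = Get-DaTransitionTechnology
$report | Format-Table -AutoSize

# On a Windows 8.x DA client the DirectAccessClientComponents module adds a status cmdlet (assumed present).
if (Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue) {
    Get-DAConnectionStatus
}
if ($report.Technology -match 'IP-HTTPS') {
    Write-Warning 'Tunnelling over IP-HTTPS; expect lower throughput than Teredo, as the answer above notes.'
}
```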

  • Two-way forest trust between two (single domain) forests with multiple identical user ID's

    Domain and forest levels: Windows 2003 (they both have one 2008 R2 DC)
    We need to create a two-way forest trust between two separate single-domain forests. The problem is that these two forests already access each other's resources through a S2S. Users have the same login names and passwords in both forests/domains. Now we are combining their infrastructures and need to set up a trust. From what I'm reading, you can't create forest trusts if you have the same SIDs, user IDs, or computer names in each of the forests.
    I'm looking into the AD migration tool to copy the user SIDs (SID history?) between forests/domains, deleting the user IDs in the domain we migrated from, and then setting up the trust, but I'm leery about doing it this way as there is no easy 'recovery' should something go wrong.
    Any suggestions for the easiest way to set up this forest trust?

    Hi,
    To eliminate your worries: two user accounts having the same user name doesn't mean that they have the same SID. Moreover, a user's SID remains the same even after the account has been renamed.
    The SID for a domain account/group consists of a Domain Identifier and a Relative Identifier. The Domain Identifier is unique for every domain within a forest, and a Relative Identifier is unique within the domain. It is unlikely that two user accounts, with or without the same account name, from two forests have the same SID.
    The TechNet article you mentioned is talking about duplicate SIDs instead of "duplicate computer name or user account"; I will submit a change request to Microsoft about this.
    If there are duplicate SIDs when you create the forest trust, you need to delete one of them as the article guides.
    Here are some related articles for your reference:
    How Security Identifiers Work
    http://technet.microsoft.com/en-us/library/cc778824(v=WS.10).aspx
    Security Identifier Structure
    http://technet.microsoft.com/en-us/library/cc962011.aspx
    Security Identifier
    http://en.wikipedia.org/wiki/Security_Identifier
    I hope this helps.
    Amy Wang
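    As an added example (not from Amy's reply), the PowerShell below splits each SID into the Domain Identifier and RID she describes and then checks two forests' account exports for genuine duplicates, showing that matching logon names (and even matching RIDs) under different Domain Identifiers are no conflict. The forest names and all SIDs are constructed sample data.

```powershell
# Added example (not from the thread). Splits a SID into its domain identifier
# and RID, then looks for true duplicates across two forests. All SIDs are constructed.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]$Sid
    # AccountDomainSid is S-1-5-21-<sub1>-<sub2>-<sub3>: unique per domain in the forest
    $domainId = $null
    if ($s.AccountDomainSid) { $domainId = $s.AccountDomainSid.Value }
    [pscustomobject]@{
        Sid              = $s.Value
        DomainIdentifier = $domainId
        # Last sub-authority is the RID, unique only within its own domain
        Rid              = [uint32]($s.Value -split '-')[-1]
    }
}

function Find-DuplicateSid {
    # $Accounts entries carry Forest, Name and Sid (e.g. from Get-ADUser -Filter * | Select SamAccountName, SID)
    param([object[]]$Accounts)
    $parsed = foreach ($a in $Accounts) {
        $p = Split-Sid -Sid $a.Sid
        [pscustomobject]@{ Forest = $a.Forest; Name = $a.Name; Sid = $p.Sid; DomainId = $p.DomainIdentifier; Rid = $p.Rid }
    }
    # Group on the full SID: the same name, or even the same RID in another domain, is not a collision
    $parsed | Group-Object Sid | Where-Object Count -gt 1 | ForEach-Object { $_.Group }
}

# Constructed sample: identical logon names (and one identical RID) in forests A and B.
$accounts = @(
    [pscustomobject]@{ Forest = 'A'; Name = 'jsmith'; Sid = 'S-1-5-21-1234567890-1234567891-1234567892-1105' }
    [pscustomobject]@{ Forest = 'A'; Name = 'adoe';   Sid = 'S-1-5-21-1234567890-1234567891-1234567892-1106' }
    [pscustomobject]@{ Forest = 'B'; Name = 'jsmith'; Sid = 'S-1-5-21-2000000001-2000000002-2000000003-1105' }
    [pscustomobject]@{ Forest = 'B'; Name = 'adoe';   Sid = 'S-1-5-21-2000000001-2000000002-2000000003-1210' }
)
$dups = Find-DuplicateSid -Accounts $accounts
if ($dups) { $dups | Format-Table -AutoSize }
else { 'No duplicate SIDs: matching user names do not block the forest trust.' }
```

    Only a duplicate DomainIdentifier (for instance a cloned domain) can produce a duplicate full SID, which is the case the trust wizard actually rejects.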

  • Set up Migration Endpoint to single-label Domain/Forest

    I'm in the process of migrating a company from a single-label domain & forest, "domainname," to a new "newdomainname.local" domain & forest. EX2013 single-server installed and working on both domains, including autodiscover. Trust
    is set up and works, cross-domain DNS works from both sides. However...
    I can create a Migration Endpoint on ex2013.domainname that points to ex2013.newdomainname.local, but when I try to add a mailbox created in newdomainname.local, none are displayed.
    I can't create a Migration Endpoint at all on ex2013.newdomainname.local. I get a message that starts, "We couldn't detect your server settings. Please enter them. AutoDiscover failed with a configuration error: The migration service failed to detect
    the migration endpoint using the Autodiscover service."
    I'm prompted for the FQDN of the other Exchange server. When I enter ex2013.domainname, I get, "Error: The connection to the server 'ex2013.domainname' could not be completed."
    Is this expected when one server is on a single-label domain? Is there a way to enable me to use mailbox migration?
    TIA

    Thank you for your post.
    This is a quick note to let you know that we are performing research on this issue
    Niko Cheng
    TechNet Community Support

  • SQL Server 2012 AlwaysOn for Multi-subnet geographical HA solution steps -- NON-Shared storage,standalone servers

    1. Can anyone provide the detailed steps for multi-subnet HA for AlwaysOn Availability Groups?
    -- SQL Server 2012 AlwaysOn for multi-subnet geographical HA solution steps
    2. Do we need a VLAN or not for SQL Server 2012 on Windows 2012? Please provide details on whether a VLAN is required or not.
    -- I read the MS links; for SQL Server 2012 and above a VLAN is not required.
    Env:
    SQL Server 2012
    Windows 2012 R2 (2 servers, different locations)
    Non-shared storage (stand-alone servers)
    AlwaysOn Availability Group
    I have seen white papers, but they did not have detailed step-by-step instructions.
    Thanks

    Hi SQLDBA321,
    As in your post, SQL Server 2012 or higher has removed the requirement for a virtual local area network (VLAN). For more details, please review this similar blog:
    What you need for a Multi Subnet Configuration for AlwaysOn FCI in SQL Server 2012.
    And you can perform the steps in the following similar blog to set up an AlwaysOn Availability Group with multiple subnets.
    http://www.patrickkeisler.com/2013/07/setup-availability-group-with-multiple.html
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • Business Management Error: You are attempting to create a user with a domain logon that does not exist. Select another domain logon and try again.

    Hello,
    Suddenly the working CRM has stopped for some group of users.
    I drilled down into the issue and have checked that the users from the domain in which CRM is installed have CRM access.
    But users from other domains are having problems accessing CRM.
    I tried to add a user from a domain other than the CRM domain, and it gives the following error:
    "Business Management Error: You are attempting to create a user with a domain logon that does not exist. Select another domain logon and try again.
    <Message>LookupAccountNameW failed with error</Message> "
    The change that was made: the AD group upgraded the Active Directory server to 2012 R2.
    Please help, as the production CRM is not working for other-domain users.

    We have an Active Directory structure like below.
    One root domain, say A,
    and there are multiple child domains like B, C, D etc...
    B, C and D are all at the same level; they are children of the A domain.
    There are two-way transitive trusts between A and all the child domains.
    But there is no trust between B and C, and so on.
    Our CRM server is in the B domain and the B domain's users can access CRM, but users of domains C, D and so on cannot access CRM.
    If this post answers your question, please click "Mark As Answer" on the post and "Mark as Helpful"

  • The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted

    I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
    with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
    The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
    Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the error: "The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted."
    I have DNS installed on both servers and both look good with replicating there. The strange thing is that on the 2012 server, within DNS, if I right-click and connect to another DNS server I can add server2 just fine, but from server2 adding server1 tells me it is not available.
    Help please!

    Hi,
    As the Server 2012 DC (SERVER1) is operational in the domain, "This domain controller is the last controller for the domain" should remain unchecked when you demote the SERVER2 DC.
    If you are getting the error "Active Directory domain controllers for that domain can be contacted" while demoting the SERVER2 DC, then check the DNS pointing on both as per the article below, disable Windows Firewall on all DCs, and (less likely, but worth checking) if both are in different sites, check that the ports are open on the firewall.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
    http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
    Run "ipconfig /flushdns & ipconfig /registerdns", restart the DNS Server and NETLOGON services on each DC, and try to demote the server2 DC again.
    If the issue reoccurs, post the dcdiag /q result.
    NOTE: If initial replication was completed between both DCs (the new 2012 DC and the old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
    Active Directory Metadata Cleanup
    http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
    Best regards,
    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
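    As an added example (not from Abhijit's reply), the PowerShell below runs his pre-demotion checks from the Windows Server 2012 DC: DNS client pointing order, the DC locator SRV records, firewall profile state (reported rather than disabled), and the fixed AD ports toward the DC that cannot be contacted. The host and domain names are placeholders, and the cmdlets assume Windows Server 2012 R2 or later on the machine running them.

```powershell
# Added example (not from the thread). Run on the Windows Server 2012 DC (SERVER1)
# before demoting the partner. Names below are placeholders for the asker's environment.
$PartnerDc = 'server2.corp.example'     # placeholder: the DC to be demoted
$DomainDns = 'corp.example'             # placeholder: AD DNS domain name
$SelfIps   = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress

# 1. DNS client order: per the linked best practice, the partner DC first and self (or 127.0.0.1) last.
foreach ($nic in (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses })) {
    $first = $nic.ServerAddresses[0]
    $selfFirst = ($first -eq '127.0.0.1') -or ($SelfIps -contains $first)
    [pscustomobject]@{ Check = 'DNS order'; Interface = $nic.InterfaceAlias
                       Servers = ($nic.ServerAddresses -join ', '); OK = (-not $selfFirst) }
}

# 2. DC locator: the partner must be advertised through the _msdcs SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDns" -Type SRV -ErrorAction SilentlyContinue
[pscustomobject]@{ Check = 'SRV _ldap._tcp.dc._msdcs'; Found = ($srv.NameTarget -join ', ')
                   OK = ($srv.NameTarget -contains $PartnerDc) }

# 3. Firewall: report profile state so the fix can be a scoped rule rather than an off switch.
Get-NetFirewallProfile | ForEach-Object { [pscustomobject]@{ Check = "Firewall $($_.Name)"; Enabled = $_.Enabled } }

# 4. Fixed AD ports toward the partner (the RPC dynamic range 49152-65535 is not covered by this loop).
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC EPM'; 389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kpasswd'; 636 = 'LDAPS'; 3268 = 'GC' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $PartnerDc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP $p $($ports[$p])"; Target = $PartnerDc; OK = $t.TcpTestSucceeded }
}

# 5. Only once every check reports OK: refresh registrations and retry the demotion, keeping dcdiag /q for the thread.
# ipconfig /flushdns; ipconfig /registerdns; Restart-Service DNS, NetLogon; dcdiag /q
```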

  • Added existing domain to the parent domain and now permission not inheriting on the child domain

    Hi Friends
    There was an existing domain, but we bought the company and made that domain a child domain of our domain. The problem is that users of the parent domain do not have access to the child domain; permissions are not inherited from the parent domain to the child domain.
    For example, I created a user in the parent domain, and I can't even log in to a machine in the other domain or access the resources which are in the child domain.

    Simply delegate the permissions you want to grant so that users from the root domain can have access to resources in the child domain.
    As an example, you can let users from the parent domain log on to computers in the child domain using the Allow logon locally group policy: http://technet.microsoft.com/en-us/library/cc756809%28v=ws.10%29.aspx
    You can also make them able to RDP to the computers if you add them to the Remote Desktop Users group. This can be done with the Restricted Groups Group Policy.
    So, for security reasons and depending on your current configuration, it is normal that users from the root domain might not have access by default to resources in the child domain. This can be fixed by doing the proper delegation.
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK

  • I have different domains in different folders. why it opens the same domain always?

    This is crazy. I have a different folder for each of the domains and every time I want to open one of them, it always opens the same domain. After I upgraded to OS X 10.8.2... I do not know... did they change the way iWeb works?

    In Lion and Mountain Lion the Home/Library folder is now invisible. To make it permanently visible enter the following in the Terminal application window: chflags nohidden ~/Library and hit the Enter button - 10.7: Un-hide the User Library folder.
    To open your domain file in Lion or Mountain Lion or to switch between multiple domain files Cyclosaurus has provided us with the following script that you can make into an Applescript application with Script Editor. Open Script Editor, copy and paste the script below into Script Editor's window and save as an application.
    do shell script "/usr/bin/defaults write com.apple.iWeb iWebDefaultsDocumentPath -boolean no"
    delay 1
    tell application "iWeb" to activate
    You can download an already compiled version with this link: iWeb Switch Domain.
    Just launch the application, find and select the domain file in your Home/Library/Application Support/iWeb folder that you want to open and it will open with iWeb. It modifies the iWeb preference file each time it's launched so one can switch between domain files.
    WARNING: iWeb Switch Domain will overwrite an existing Domain.sites2 file if you select to create a new domain in the same folder.  So rename your domain files once they've been created to something other than the default name.
    OT
