Active Directory error 1864 (replication)

Hello colleagues
I have 5 DCs (1dc.test.local - 5dc.test.local) and 1 DC (6dc.test.local) that has been out of the domain for 3 months. All DCs are Windows 2003, in one domain, test.local. Then I changed the IP address of 6dc.test.local and connected it to the LAN of the domain (to the other 5 DCs). I see that
6dc.test.local now has the latest updated copy of the DNS zone and AD. Now I want to remove 6dc.test.local from the domain but I can't do this; after running DCPROMO I get an error:
"The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."
and I have error 1864 (about replication) in the event log.
Maybe someone has already had this problem? How can I remove 6dc.test.local from the domain so that the other DCs in the domain know about it?
Please help!

Hi,
Please remove the 6th DC using the following command:
DCPROMO /Forceremoval
If that also fails, run the metadata cleanup using the script given below. Make sure you run this script from the PDC server and then delete the records manually from the DNS console as described below. Once you have done that, kindly rebuild the OS and then promote it again as a domain controller.
https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3
Repeat running the VBS script until the wrong/unnecessary DCs are removed.
Cross-check the removal:
1. dsa.msc [AD Users and Computers] > Domain Controllers OU
2. Adsiedit.msc
   Expand the domain partition, select OU=Domain Controllers, and make sure only the necessary domain controllers are listed.
   Delete the incorrect domain controllers.
3. Dnsmgmt.msc [DNS Management]
   A. Expand the Forward Lookup Zones\_msdcs folder
      i.    Make sure only the actual domain controllers are listed; delete wrong Alias (CNAME) records and remove wrong Name Server (NS) records.
      ii.   Select the container [Forward Lookup Zones\_msdcs.domain.com\dc\_sites\sitename\_tcp] and delete the incorrect _ldap and _kerberos records that are listed.
      iii.  Select the container [Forward Lookup Zones\_msdcs.domain.com\dc\_tcp] and delete the incorrect _ldap and _kerberos records.
      iv.   Expand [Forward Lookup Zones\_msdcs.domain.com\domains\guid\_tcp] and delete the incorrect _ldap entries.
      v.    Select [Forward Lookup Zones\_msdcs.domain.com\gc] and delete the incorrect Host (A) records.
      vi.   Expand [Forward Lookup Zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] and delete the incorrect _ldap entries.
      vii.  Select [Forward Lookup Zones\_msdcs.domain.com\gc\_tcp] and delete the incorrect _ldap entries.
      viii. Select [Forward Lookup Zones\_msdcs.domain.com\pdc\_tcp] and delete the incorrect _ldap entries.
   B. Expand the Forward Lookup Zones\domain.com folder
      i.    Delete the Host (A) records of DCs which are non-existent.
      ii.   Correct the Name Server (NS) records.
      iii.  Follow steps similar to 'A ii' to 'A viii'.
4. Dssite.msc [Sites and Services]
   A. Expand [Sites\Sitename\Servers] and delete the incorrect servers.
   B. Delete the incorrect subnet configurations [Sites\Subnets].
   C. Delete the incorrect site links [Sites\IP].
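The DNS and AD cross-checks listed in the answer above, done from a script instead of by hand. This is an added example and not code from the thread or from the linked TechNet script; the dead DC name (6dc in test.local), its old address 192.0.2.6 (the only way to recognise the IP-only records under _msdcs\gc), the zone host 1dc, and the availability of the DnsServer module (Windows Server 2012 / RSAT or later) are all assumptions. Run it first without -Remove and read the report.

```powershell
# Added example, not from the original thread. Reports (and with -Remove deletes)
# every DNS record in the domain zone and _msdcs zone that still refers to a DC
# that no longer exists, then cross-checks AD the way the answer does by hand.
# Assumed, not in the post: the dead DC is 6dc in test.local, its old address
# was 192.0.2.6, 1dc hosts the zones, and the DnsServer module is available.
param(
    [string]$DeadDc    = '6dc',
    [string]$Domain    = 'test.local',
    [string]$DeadIp    = '192.0.2.6',
    [string]$DnsServer = '1dc.test.local',
    [switch]$Remove                       # report only unless set
)

$deadFqdn = "$DeadDc.$Domain"

function Test-PointsAtDeadDc($Record) {
    # SRV/NS/CNAME data names the target (with a trailing dot); A records only
    # carry an address, so those match by host name or by the old IP.
    $d = $Record.RecordData
    switch ($Record.RecordType) {
        'SRV'   { return $d.DomainName.TrimEnd('.')    -ieq $deadFqdn }
        'NS'    { return $d.NameServer.TrimEnd('.')    -ieq $deadFqdn }
        'CNAME' { return $d.HostNameAlias.TrimEnd('.') -ieq $deadFqdn }
        'A'     { return ($Record.HostName -ieq $DeadDc) -or ($d.IPv4Address.IPAddressToString -eq $DeadIp) }
        default { return $false }
    }
}

# If _msdcs is only a subdomain of the domain zone (pre-2003 layout) rather than
# its own zone, drop it from this list; the domain-zone query then covers it.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    $stale = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone |
        Where-Object { Test-PointsAtDeadDc $_ }
    foreach ($r in $stale) {
        $target = switch ($r.RecordType) {
            'SRV'   { $r.RecordData.DomainName }
            'NS'    { $r.RecordData.NameServer }
            'CNAME' { $r.RecordData.HostNameAlias }
            'A'     { $r.RecordData.IPv4Address }
        }
        '{0,-22} {1,-5} {2,-50} -> {3}' -f $zone, $r.RecordType, $r.HostName, $target
        if ($Remove) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -InputObject $r -Force
        }
    }
}

# Cross-check in AD (steps 2 and 4 of the answer): no server object for the
# dead DC under CN=Sites, no computer object left in the Domain Controllers OU.
$rootDse = [ADSI]"LDAP://RootDSE"
$cfgNc   = [string]$rootDse.configurationNamingContext
$domNc   = [string]$rootDse.defaultNamingContext
$checks  = @{
    "CN=Sites,$cfgNc"              = "(&(objectClass=server)(cn=$DeadDc))"
    "OU=Domain Controllers,$domNc" = "(&(objectClass=computer)(cn=$DeadDc))"
}
foreach ($base in $checks.Keys) {
    $s   = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$base", $checks[$base])
    $hit = $s.FindOne()
    if ($hit) { Write-Warning "still present: $($hit.Properties['distinguishedname'][0])" }
    else      { "clean: nothing named $DeadDc under $base" }
}
```

The SRV, NS and CNAME matches work by target name, which is why the script finds the _ldap, _kerberos and _gc entries under every _sites and _tcp folder the answer enumerates without listing those paths; only the bare A records under _msdcs\gc need the old IP, because nothing else in them identifies the server.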

Similar Messages

  • An Active Directory error 0x51 occurred when trying to check the suitability of server

    We have several Exchange administrators, two Exchange 2010 servers and one Exchange 2007 server. I am getting the following error message
    when opening the Exchange Management Console on one of the Exchange 2010 servers:
    "An Active Directory error 0x51 occurred when trying to check the suitability of server 'dc101.domain.local'. Error: 'Active directory
    response: The LDAP server is unavailable.'
    dc101 does not exist anymore. I tried changing the Configuration Domain Controller by manually specifying a domain controller but get the exact
    same error message, and also get an empty list when selecting the domain. Other administrators who log into the same server do not get this error message.
    If I open the Exchange Management Console on another Exchange server, it works without problems. Is there a setting somewhere I need to change
    to point it to the correct domain controller using PowerShell?

    I fixed it for myself.
    Organization Configuration->Modify Configuration Domain Controller->select Use a default domain controller
     

  • Active Directory error "-2147016672"

    Hi,
    I am creating a script in ASP.NET C# to invoke cmdlets from Lync Server.
    I just want to list a user (Get-CsUser), and when I run the script I receive the following error code:
    Active Directory error "-2147016672" occurred while searching for domain controllers in domain .
    I run my script from my local developer machine (it is remote) to the server. The script is:
    using System;
    using System.Collections.ObjectModel;
    using System.Management.Automation;
    using System.Management.Automation.Runspaces;

    public static class LyncQuery
    {
        public static Collection<PSObject> GetUser()
        {
            Runspace remoteRunspace = null;
            openRunspace("servidor:5985/wsman", "http://schemas.microsoft.com/powershell/Microsoft.PowerShell",
                @"\user", "senha", ref remoteRunspace);
            using (PowerShell powershell = PowerShell.Create())
            {
                powershell.Runspace = remoteRunspace;
                powershell.AddScript("Import-Module Lync"); // works
                powershell.Invoke();
            }
            Pipeline pipeline = remoteRunspace.CreatePipeline();
            string remoteScript = "Get-CsUser -Identity mmiranda";
            pipeline.Commands.AddScript(remoteScript);
            Collection<PSObject> results = pipeline.Invoke();
            remoteRunspace.Close();
            return results;
        }

        public static void openRunspace(string uri, string schema, string username, string livePass, ref Runspace remoteRunspace)
        {
            System.Security.SecureString password = new System.Security.SecureString();
            foreach (char c in livePass.ToCharArray())
                password.AppendChar(c);
            PSCredential psc = new PSCredential(username, password);
            WSManConnectionInfo rri = new WSManConnectionInfo(new Uri(uri), schema, psc);
            //rri.AuthenticationMechanism = AuthenticationMechanism.Default;
            //rri.AuthenticationMechanism = AuthenticationMechanism.Kerberos;
            //rri.AuthenticationMechanism = AuthenticationMechanism.Basic;
            //rri.NoEncryption = true;
            rri.ProxyAuthentication = AuthenticationMechanism.Negotiate;
            remoteRunspace = RunspaceFactory.CreateRunspace(rri);
            remoteRunspace.Open();
        }
    }
    i don't know what to do anymore.
    Help me.
    My e-mail [email protected]
    thx

    Hi,gersonczjr
    Would you please verify that the user account you used has all the required permissions?
    Would you please use the DCDiag tool to check the DC connectivity?
    Although I am not very familiar with scripts, I remember I have seen a similar case where running Get-CsUser from C# was fixed by calling
    Enable-PsRemoting on the server; you can try it to see if it also works for you.
    Regards,
    Sharon
    Sharon Shen
    TechNet Community Support
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.

  • Active Directory error using Upgrade Mgmt Tool - BI 4.1 sp 3

    I am in the process of creating a new BI 4.1 SP 3 environment within our company.  The software has been installed and I wanted to perform a Complete Upgrade from our existing XI 3.1 SP5 environment into our new 4.1 environment.  Also, we are using Windows Active Directory authentication and AD groups for security.
    The Upgrade Mgmt Tool fails with an Active Directory Error message similar to the one below:
    Active Directory Authentication failed to get the Active Directory groups for account with ID <insert really long alpha numeric string here>; CN=<insert name of employee no longer working for the company>.  Please make sure this account is valid and belongs to an accessible domain.
    Well, the account is not valid because this executive no longer works here.  Most likely within Active Directory all groups owned by this person were transferred over to his replacement.  Is there an way to have the upgrade mgmt tool bypass this validation check?  Or does anyone have any other suggestions how to get around this error?  Once this error occurs I can't upgrade.  I guess the alternative is to do an incremental upgrade, group by group, until I find the offending group but I was wondering if there was an easier way as that will be very time consuming.

    @JRKPrasad  Thank you for your thoughtful and accurate response.  It took less than 2 minutes to update AD in BI 3.1.x and the UMT tool is off and running, migrating content from BI 3.1 to our new BI 4.1 environment.
    Again, thank you very much for reading my post and responding.  It was a huge timesaver.

  • DNS and Active Directory error 4000 server 2008

    Hello all,
    My network skills aren't very good and I'm facing a dilemma. First off we have two Windows servers on the network. The newest is 2008 Standard (named Vader) and the other is 2000 (dells3). Obviously I'd like to get rid of the 2000, but the people in charge
    of my budget haven't given me the option to do so and it's the only back up we have.
    Earlier in the week we had lots of problems. One of our nas boxes locked everyone out who was mapped to it and it would only let me log in through the web portal. Two of our Macs our marketing department uses suddenly locked up and wouldn't let them back
    in (both were part of the Active Directory). A second nas box won't let certain people map to it and for awhile I had issues logging into Vader itself.
    I believe all of these problems are connected to some issues on Vader, possibly in conjunction with dells3. In Server Manager under DNS I get error 4000: "The DNS server was unable to open Active Directory.
    This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."
    Then under Active Directory Domain Services I get error 2042 "It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded
    the tombstone lifetime. Replication has been stopped with this source."
    Followed by more text I can post if needed.
    Under File Services error 1202 "The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the
    next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues."
    And finally if I try to open Active Directory Domains and Trusts "The configuration information describing this enterprise is not available. The server is not operational."
    I'm not sure where to start or what to post that might help. Any and all help is appreciated.
    Edit: Also I can only add dells3 as the DNS on Vader in the DNS Manager if I try to add Vader to itself I get an error.

    It's the other way around.  Overall, I'm advising ripping the 2008 server out of AD and adding it back . Let's look at this as a series of steps:
    1.) You do a force demote of the 2008 server because it's tombstoned.  This means the 2008 server is no longer a DC. You are doing a force because it doesn't have the ability to replicate.  If it could replicate, we'd just do a graceful demotion
    and be done with it.
    2.) Once the 2008 server is demoted, we go to the 2000 server which holds the only good copy of AD.  From that server we run a metadata cleanup using the ntdsutil utility.  We use that utility to clean out references to the 2008 server which is
    no longer a DC.
    3.) Once you have a clean AD, you can then promote the 2008 server back into Active Directory.  Make sure Vader is pointing to Dells3 as its primary DNS server before promoting or you'll run into issues.
    Hopefully that clarifies things. 
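The three-step sequence in the answer above, as an added example in PowerShell; it is not code from the thread. It runs from an admin host against the healthy DC (dells3) after `dcpromo /forceremoval` has already been run on the tombstoned server (vader). The site name Default-First-Site-Name, the domain DN DC=domain,DC=local, and an ntdsutil that accepts the one-line syntax (Windows Server 2003 SP1 or later; the Windows 2000 ntdsutil is menu-driven) are assumptions.

```powershell
# Added example, not from the original thread: force-demoted DC metadata
# cleanup on the surviving DC, with the checks that make it safe to re-promote.
# Assumed, not in the post: site, domain DN, and a 2003 SP1-or-later ntdsutil.
param(
    [string]$DeadDc    = 'vader',
    [string]$HealthyDc = 'dells3',
    [string]$Site      = 'Default-First-Site-Name',
    [string]$DomainDn  = 'DC=domain,DC=local'
)

$cfgNc    = [string]([ADSI]"LDAP://$HealthyDc/RootDSE").configurationNamingContext
$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$cfgNc"

# 1. FSMO roles do not move by themselves. If the dead DC still owns one, seize
#    it on the healthy DC (ntdsutil roles: seize PDC / seize RID master /
#    seize infrastructure master / seize schema master / seize naming master)
#    before cleaning up its metadata, or the forest is left without a holder.
$roleObjects = @{
    PDC            = "LDAP://$HealthyDc/$DomainDn"
    RID            = "LDAP://$HealthyDc/CN=RID Manager`$,CN=System,$DomainDn"
    Infrastructure = "LDAP://$HealthyDc/CN=Infrastructure,$DomainDn"
    Schema         = "LDAP://$HealthyDc/CN=Schema,$cfgNc"
    DomainNaming   = "LDAP://$HealthyDc/CN=Partitions,$cfgNc"
}
foreach ($role in $roleObjects.Keys) {
    # fSMORoleOwner is the owner's NTDS Settings DN, which embeds the server DN
    $owner = [string]([ADSI]$roleObjects[$role]).fSMORoleOwner
    if ($owner -like "*,$serverDn") {
        Write-Warning "$role master is still recorded as $DeadDc; seize it on $HealthyDc first"
    }
}

# 2. Metadata cleanup: each ntdsutil sub-command is one quoted argument. The
#    'on <dc>' suffix binds to the healthy DC; a confirmation dialog still appears.
& ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn on $HealthyDc" quit quit

# 3. Verify the server object, its NTDS Settings and the DC's computer account
#    are gone. SP1-era cleanup also removes the computer account; older builds
#    leave it behind and it has to be deleted by hand.
$leftover = foreach ($dn in "CN=NTDS Settings,$serverDn", $serverDn, "CN=$DeadDc,OU=Domain Controllers,$DomainDn") {
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$HealthyDc/$dn")) { $dn }
}
if ($leftover) { Write-Warning ("still present: " + ($leftover -join ' ; ')) }
else { "metadata for $DeadDc is clean" }

# 4. On the rebuilt server, before dcpromo, point DNS only at the healthy DC
#    (the answer's last step). netsh exists on every Windows version involved:
#    netsh interface ip set dns name="Local Area Connection" static 192.0.2.10
```

Step 3 matters because a server object or computer account that survives cleanup is exactly what produces the stale _ldap and _kerberos SRV records and the "cannot replicate, tombstone lifetime exceeded" errors later: the other DCs keep treating the name as a live partner.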

  • Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

    Hello Community
        "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
    domain controller using Active Directory and the UI.
        In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
    forest trust with Forest-Wide authentication so that a different forest user(s) or
    group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
        But also forestB needs to create a "One-way, Incoming" forest trust so that
    I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
    in my "forestA" or I can
     add user(s)  as  "domain user(s)" from “forestB” into my "forestA".
        The problem is that when I right click  the global group in my forestA  and then
    properties, when I click "Members" and then the "Add" button when I type
    "forestB\username" I get an error message from Active Directory stating:
        "the following object is not from a domain listed in the Select location
    dialog box, and is therefore not valid: forestB\username".
        Am I doing something wrong when creating the one-way trust in my
    “forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
        Or could I possibly need to select "Change Domain" or "Change Domain Controller"
    before adding the users or Groups to my forestA from forestB?
        That is why I am asking
     how do you add an Active Directory user from one forest into another forest?
        Thank you
        Shabeaut

    Hello Denis Cooper
        That is the end result.
        What I was trying  to do was that I was trying to
     bring in the user(s) and group(s) from “forestB”  into
    my “forestA”  Global group.
        Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
     into the domain local groups  on my member servers in my forestA.
        So since the error message is:
    "the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
    Does your response
     mean only Global group(s) from forestB not domain user(s) from forestB have
     to been added to domain local groups in forestA?
    Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
    how without getting the above error message?
    Thank you
        Shabeaut

  • Active Directory Error 0x51 occurred when trying to check the suitability of server ' servername '. Error: 'Active directory response: The LDAP server is unavailable'. It was running the command 'Get-OwaVirtualDirectory'.

    This issue is driving us nuts - there are no issues with Domain Controllers or AD in this environment.  The server it is citing in the error has been retired - it was gracefully dcpromo'ed down and removed from the environment.  DNS has no record of it, nor is it located anywhere else.  We are not able to log into Outlook Web App either with authentication failed errors - and I can't help but expect these 2 issues are related?  I tried hard coding the Configuration Domain Controller at the org level, as well as using the -staticdomaincontrollers and -staticglobalcatalogservers with the "Set-ExchangeServer" powershell command - no luck....  System settings of the exchange 2010 servers show they are pointing to the correct DCs - but I still get this error accompanied with long delays in rendering windows in EMC.  Extremely frustrating.....  I have an issue logged with MS now, but they aren't looking at them until Nov 9.  Has anyone seen this issue at all?  More info on the OWA config - using Form based auth, and I'm not able to perform a simple test-owaconnectivity -mailboxcredential (get-credential\username) -allowuntrustedcertificate -allowinsecurelogon - please help

    Creating a "global catalog" on the 2nd domain controller will fix this problem.
    To create a new global catalog:
    On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    In the console tree, double-click Sites, and then double-click sitename.
    Double-click Servers , click your domain controller, right-click NTDS Settings , and then click Properties .
    On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
    Restart the domain controller.
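The same change made in the answer above through the Sites and Services checkbox, done by editing the NTDS Settings object directly, as an added example (not code from the thread). The DC name DC02, the site Default-First-Site-Name and domain-admin rights are assumptions.

```powershell
# Added example, not from the original thread. Lists which DCs already hold the
# global catalog, sets the GC flag on one DC by editing its NTDS Settings
# object (what the Sites and Services checkbox does) and checks whether it
# advertises yet. Assumed, not in the post: DC02, Default-First-Site-Name.
param(
    [string]$Dc   = 'DC02',
    [string]$Site = 'Default-First-Site-Name'
)

$cfgNc  = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$GC_BIT = 1    # nTDSDSA 'options' bit 0 = NTDSDSA_OPT_IS_GC

# 1. Current GCs: nTDSDSA objects whose options has the GC bit, found with the
#    LDAP bitwise-AND matching rule instead of filtering every object client-side.
$s = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Sites,$cfgNc",
        "(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=$GC_BIT))")
[void]$s.PropertiesToLoad.Add('distinguishedName')
"Current global catalogs:"
foreach ($r in $s.FindAll()) {
    # DN is CN=NTDS Settings,CN=<server>,CN=Servers,... ; pull the server name out
    ([string]$r.Properties['distinguishedname'][0]) -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '  $1'
}

# 2. Set the bit on the requested DC (idempotent, other option bits preserved).
$ntds = [ADSI]"LDAP://CN=NTDS Settings,CN=$Dc,CN=Servers,CN=$Site,CN=Sites,$cfgNc"
$opts = [int]$ntds.options.Value          # attribute absent -> 0
if (($opts -band $GC_BIT) -eq 0) {
    $ntds.options = ($opts -bor $GC_BIT)
    $ntds.SetInfo()
    "GC flag set on $Dc"
} else { "$Dc is already flagged as a GC" }

# 3. The DC advertises only after it has replicated the partial read-only copies
#    of the other domains (and, on older builds, after the restart the answer
#    mentions). RootDSE says when it is ready, and DNS then gets _gc SRV records.
$ready = [string]([ADSI]"LDAP://$Dc/RootDSE").isGlobalCatalogReady
"$Dc isGlobalCatalogReady = $ready"
& nslookup.exe -type=SRV "_gc._tcp.$env:USERDNSDOMAIN" 2>$null
```

Exchange's suitability check needs a GC, not just a DC, so the isGlobalCatalogReady value is the thing to watch after the restart; the flag being set is not enough while the partial naming contexts are still replicating in.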

  • Active Directory Error(error code 53 - 0000001F)

    Hello,
    We got a webapp writing to AD, that is throwing the following error:
    Root exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0]
    We are using 'unicodePwd', SSL is enabled and the account that is writing to AD is a domain administrator account. Also, our webapp is on a different domain (Linux) than Active Directory, though this has not caused us problems in the past.
    Our previous version of the code was working, and the only change made in the code is that we allow dot(.) character in the user name. However, the test case that failed does not have a dot(.) in the user name.
    Any ideas? I haven't found anything on google that helped

    used to work, but now you've moved the web application somewhere else, and now it doesn't work ?
    Well the obvious question is what exactly have you changed ? What is the difference between when it used to work and now ?
    -- Not much has changed! (I can't debug the code that actually makes the call, all I have is a jar by another group that does all the "low-level" stuff. ) I know for a fact that we are now allowing the user name to contain a dot character. But, the test case that failed does not contain the dot character. It is possible that other changes have been made, but after scanning a few of the files the code looks the same.
    -- Forget, the domains part, it's only confusing. My fault mentioning it.
    Does the password meet the complexity requirements. Is it performed over a secure connection such as SSL or TLS ?
    -- Yes, I checked the password policy --we have disabled most requirements
    -- Yes, I believe so
    -- The attributes
    userAccountControl=66048
    scriptPath=Logon.bat
    ldap.first.name.property=John
    ldap.email.property=[email protected]
    homeDirectory=\\10.10.10.10\Users\b216
    ldap.last.name.property=Smith
    profilePath=\\10.10.10.10\Users\b216
    cn=b216
    I guess I'll have to wait for the developer who wrote the code to help me out, because it seems like something changed in the code below me. Our test cases are the same.
    However, if you do know what this error usually indicates, it could help us solve the problem faster.
    Thanks!
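The encoding rule that governs unicodePwd writes, as an added example. The poster's application is Java; this is PowerShell doing the same LDAP modify with System.DirectoryServices.Protocols and is not code from the thread. The DC name dc1.example.com with a trusted certificate on port 636 and the user DN CN=b216,CN=Users,DC=example,DC=com are assumptions.

```powershell
# Added example, not from the original thread. Shows the one encoding AD accepts
# for unicodePwd and performs the write over LDAPS, printing the server's reason
# when it answers 53 / WILL_NOT_PERFORM. Assumed, not in the post: DC and DN.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-UnicodePwd([string]$Password) {
    # AD wants the password wrapped in ASCII double quotes and encoded UTF-16LE.
    # Anything else (UTF-8, no quotes, or a write over a plain-text connection)
    # earns WILL_NOT_PERFORM regardless of the caller's rights.
    # The leading comma stops PowerShell unrolling the byte[] into single bytes.
    ,[System.Text.Encoding]::Unicode.GetBytes('"' + $Password + '"')
}

function Set-AdPasswordLdaps {
    param([string]$Server, [string]$UserDn, [string]$NewPassword, [pscredential]$Admin)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636 (StartTLS on 389 also qualifies)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Admin.GetNetworkCredential()
    try {
        $conn.Bind()
        # Administrative reset = Replace. A user changing their own password
        # sends Delete(old) + Add(new) in one request instead.
        $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $mod.Name      = 'unicodePwd'
        $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
        [void]$mod.Add([byte[]](ConvertTo-UnicodePwd $NewPassword))
        $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
        $req.DistinguishedName = $UserDn
        [void]$req.Modifications.Add($mod)
        [void]$conn.SendRequest($req)
        "password set on $UserDn"
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # ErrorMessage carries the DSID/problem text seen in the post, e.g.
        # '0000001F: SvcErr: DSID-..., problem 5003 (WILL_NOT_PERFORM), data 0'
        $resp = $_.Exception.Response
        "{0}: {1}" -f $resp.ResultCode, $resp.ErrorMessage
    } finally { $conn.Dispose() }
}

# Dump the bytes a given password turns into, to compare with what the Java
# side puts on the wire; the first two are always 0x22 0x00 (the opening quote).
((ConvertTo-UnicodePwd 'Pa') | ForEach-Object { $_.ToString('x2') }) -join ' '

# Set-AdPasswordLdaps -Server dc1.example.com -UserDn 'CN=b216,CN=Users,DC=example,DC=com' `
#     -NewPassword 'N3w-P@ss-w0rd' -Admin (Get-Credential 'EXAMPLE\Administrator')
```

If the jar the poster cannot inspect was changed to build the value from a UTF-8 string, or the connection it opens silently fell back to port 389, the server-side symptom is exactly the WILL_NOT_PERFORM in the post, and the domain-admin rights of the bind account make no difference.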

  • Active Directory Ghost Object replication issue

    I have a Windows 2003 single forest with nearly 50 domains. This is a constantly changing, deployable system where not all domains are connected and online at all times.
    Some months ago 2 of these domains were held up in transit and tombstoned. Before they were connected to the forest again they went to our hardware support department to be "cleaned", meaning remove dust etc.; instead they wiped the arrays on all
    servers.
    Our Level 4 support team reanimated these nodes after restoring them from a really old backup.
    This backup did not reflect the AD as it was when it was deleted, therefore we have several orphaned objects from those domains. The domains are functioning correctly and replicating; however, the GC in the forest is inconsistent and the orphaned/ghost
    objects are still being replicated.
    We have rehosted the directory partitions from the problem nodes to online domains, which works fine, but as soon as another domain comes online the orphaned objects are again replicated into the Global Catalog. The nature of our system means that we cannot
    control when the other domains are coming back online to rehost them before replicating the object items back into the GC.
    I have made several LDAP queries and can see that the items no longer exist on the problem domain; the only reference to the objects is in the GC directory partitions of those domains.
    The biggest issue I have is that these objects were mail-enabled users and when the GAL queries the GC it is repopulating them.
    I've hit a bit of a wall now and do not know how we can remove these ghost objects without having all domains online at the same time and rehosting the problem domains' partitions forest-wide. I'd appreciate any assistance.
    I have asked this question before but with less detail, so I'm having another go!

    An AD backup is only as good as the tombstone lifetime. By default the TSL of a 2003 forest functional level is 60. So if you haven't done this already you should probably configure a higher value for the TSL. By default Strict Replication
    Consistency is also enabled to prevent DCs that have been disconnected for a long time from propagating lingering objects into the AD topology; check to see if you have this enabled. You should use "repadmin" to remove the lingering objects.
    "When a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, all objects that are deleted from AD DS on all other domain controllers might remain on the disconnected
    domain controller. Such objects are called lingering objects. When this domain controller is reconnected to the replication topology, it acts as a source replication partner that has one or more objects that its destination replication partners no longer have.
    Problems occur when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers. A destination domain controller can respond in one of two ways:
    If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source
    domain controller.
    If the destination domain controller does not have strict replication consistency enabled, it requests the full replica of the updated object, which introduces a lingering object into the directory."
    Also keep in mind that the Infrastructure Master role handles the cross-domain references and phantoms from the global catalog in its domain. Make sure that you either have all DCs as Global Catalogs or do not place the GC on the DC with the IM role.
    Here are some useful links:
    Determine the tombstone lifetime for the forest
    Event ID 1388 or 1988: A lingering object is detected
    Use Repadmin to remove lingering objects
    Enable strict replication consistency
    FSMO placement and optimization on Active Directory domain controllers
    Phantoms, tombstones and the infrastructure master
    http://mariusene.wordpress.com/
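The three checks the answer above recommends (tombstone lifetime, strict replication consistency, repadmin lingering-object removal) carried out from one script, as an added example that is not code from the thread or from the linked articles. The DC names dc1/dc2.test.local, the partition DC=test,DC=local, a repadmin from the 2003 SP1 support tools or later, and remote-registry access to every DC are assumptions.

```powershell
# Added example, not from the original thread. Reads the forest tombstone
# lifetime, checks Strict Replication Consistency on each DC, and runs
# repadmin's lingering-object scan in advisory mode from a suspect DC against
# a clean source. Assumed, not in the post: names, partition, tool versions.
param(
    [string]$DestDc   = 'dc1.test.local',   # DC that may hold ghosts (they stay here)
    [string]$SourceDc = 'dc2.test.local',   # DC known to be clean (reference copy)
    [string]$Nc       = 'DC=test,DC=local', # partition; repeat for each GC partial NC
    [switch]$Fix                            # drop /ADVISORY_MODE and really delete
)

$cfgNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext

# 1. Tombstone lifetime lives on the Directory Service object, in days. An
#    absent attribute means the pre-2003 SP1 default of 60 days.
$ds  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
$tsl = $ds.tombstoneLifetime.Value
if ($tsl) { "tombstoneLifetime = $tsl days" } else { "tombstoneLifetime not set: 60 days apply" }

# 2. Strict Replication Consistency is a per-DC registry DWORD (1 = strict).
#    Unset or 0 means loose: a lingering object sent by a stale source is re-created.
$s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$cfgNc", '(objectClass=server)')
[void]$s.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'distinguishedName'))
$servers = $s.FindAll()
foreach ($srv in $servers) {
    if (-not $srv.Properties.Contains('dnshostname')) { continue }   # stale server object, no DC behind it
    $fqdn = [string]$srv.Properties['dnshostname'][0]
    try {
        $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $fqdn)
        $v   = $key.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters').GetValue('Strict Replication Consistency')
        $state = if ($v -eq 1) { 'strict' } elseif ($null -eq $v) { 'UNSET (loose)' } else { 'LOOSE' }
        "{0,-28} {1}" -f $fqdn, $state
    } catch { "{0,-28} registry not reachable: {1}" -f $fqdn, $_.Exception.Message }
}

# 3. repadmin identifies the source by its DSA (NTDS Settings) GUID, not by name.
$srcDn = $servers |
    Where-Object { $_.Properties.Contains('dnshostname') -and ([string]$_.Properties['dnshostname'][0]) -ieq $SourceDc } |
    ForEach-Object { [string]$_.Properties['distinguishedname'][0] } | Select-Object -First 1
if (-not $srcDn) { throw "no server object found for $SourceDc" }
$srcGuid = ([ADSI]"LDAP://CN=NTDS Settings,$srcDn").psbase.Guid.ToString()

$repArgs = @('/removelingeringobjects', $DestDc, $srcGuid, $Nc)
if (-not $Fix) { $repArgs += '/ADVISORY_MODE' }
& repadmin.exe @repArgs

# Advisory mode only logs: event 1942 on $DestDc summarises the run and 1946 is
# written once per lingering object found, so the list can be reviewed before -Fix.
Get-EventLog -LogName 'Directory Service' -ComputerName $DestDc -InstanceId 1942, 1946 -Newest 20 |
    Format-Table TimeGenerated, InstanceId, Message -AutoSize -Wrap
```

For the GC problem in the question the partition to pass is each child domain's NC as held read-only by the GC, with the source being a DC of that child domain; the ghosts in the GC are compared against the authoritative domain copy, not against another GC.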

  • Active directory intersite replication minimum polling interval is 15 min or 7.5 min ?

    In the MCITP 70-640 R2 Self-Paced Training Kit, on page 593, we read:
    "The minimum polling interval is 15 minutes. With this setting, and using Active Directory's
    default replication configuration, a change made to the directory in one site takes on average
    seven and a half minutes to replicate to domain controllers in another site."
    I don't understand which one is true in the end: 15 min or 7.5 min?
    I noticed in my exercises that replication occurred between sites at about 7.5 min and didn't take 15 min.
    If it is 7.5 min, then what is the reason they wrote 15 min?

    At a maximum 15 min.
    The so-called average is 7.5 min <----- forget this!
    Remember the following as your rule of thumb: the minimum interval that can be configured is 15 min and the default is 180 min (3 hours). The interval is the maximum amount of time that needs to pass before the DCs (between sites) initiate inbound replication.
    So it will take the period of the interval or less before replication starts.
    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/ ####

  • LDAP realm with Active Directory

    Hello,
    In the sun one app server admin console i have set the security role to LDAP.
    I have set up security roles in my web.xml such as this:
    <security-role>
    <description>This role represents administrators of the system, see actor administrators</description>
    <role-name>administrators</role-name>
    </security-role>
    ..and mapped the roles to groups in sun-application as follows:
    <security-role-mapping>
    <role-name>administrators</role-name>
    <group-name>CMS_PM</group-name>
    <principal-name>rlancett</principal-name>
    </security-role-mapping>
    My user and group information is stored in Active Directory so I have tried to configure the ldap realm in the admin console to get it working. These are the settings i have put in:
    directory: ldap://earth.tier2consulting.com:389
    base-dn: cn=Users,dc=tier2consulting,dc=com
    jaas-context: ldapRealm
    search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
    search-bind-password: ******
    search-filter: sAMAccountName=%s
    I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
    WARNING: va:850)
    FINEST: JAAS authentication aborted.
    INFO: SEC5046: Audit: Authentication refused for [administrator].
    I am pretty stuck on this, having looked around all the forums:
    Has anyone got sun one app server using Active Directory to get user/group information for security roles?
    Thanks.

    Howdy,
    I don't have a solution to your problem, but maybe this tid-bit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
    The error message you get back from the directory contains an error code in hexadecimal:
    LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
    If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
    1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
    It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexadecimal is:
    System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
    Okay, hope this helps somebody.
    Now it's up to you to find out why it can't find the administrator!
    Craig

  • How to authenticate using Active directory!

    Hi all!
    At present I'm using the code given below; it's working fine! Currently we are using mixed mode Active Directory, and we are going to migrate that to native mode!
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    // (unused imports from the original dropped: javax.servlet.http.*, java.io.*, java.util.Vector,
    //  com.aigss.codegene.utils.PropertyDispatcher)

    public class LdapAuthentication { // Servlet extends HttpServlet

        private java.util.Hashtable cache = new java.util.Hashtable();

        /**
         * @param loginid
         * @param passwrd
         * @return boolean
         */
        public boolean authenticate(String loginid, String passwrd) {
            // An empty password must be rejected here: AD treats a simple bind with
            // an empty password as an anonymous bind and reports success.
            if (passwrd.trim().equalsIgnoreCase(""))
                return false;
            Properties props = new Properties();
            String ldapHost = "ldap://HDCQ3Q5CDOM01:389";
            // user RDN followed directly by the container DN (the original had a stray "DN=" here)
            String DN = "CN=" + loginid.trim() + ",CN=Users,DC=pslsdc,DC=legacy,DC=r5,DC=websi,DC=net";
            System.out.println("DN: " + DN);
            props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            props.put(Context.SECURITY_AUTHENTICATION, "simple");
            props.put(Context.SECURITY_CREDENTIALS, passwrd);
            props.put(Context.SECURITY_PRINCIPAL, DN);
            props.put(Context.PROVIDER_URL, ldapHost);
            try {
                DirContext ctx = new InitialDirContext(props);
                System.out.println("successfully authenticate DN: " + DN);
                ctx.close();
                return true;
            } catch (Exception ex) {
                System.out.println(ex + loginid);
                try {
                    throw new Exception("login failure : " + ex + loginid);
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return false;
            }
        }
    }
    When I try to connect to the new Active Directory, I'm unable to authenticate; a "user not found" error is coming (data 525).
    I'm unable to continue!
    I tried changing the DN to: [email protected]
    and also DN: mydomain\vijayvignesh
    Then I'm getting the error:
    java.lang.Exception: istar login failure : javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, vece
    I have almost tried everything!
    If anyone can find a solution, please do come forward!
    Remember, my code works fine in mixed mode Active Directory; when we shift to native mode, it is not working!

    If you would read the Active Directory error message, it actually gives you a hint:
    "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"
    There was a security feature introduced in Windows Server 2003 that would allow administrators to only allow connections over encrypted sessions (eg. SSL/TLS or Kerberos signing and sealing). This setting is configured somewhere in the Domain Controller's Group Policy, called something like "LDAP Server signing"
    One solution is to use SSL/TLS. Refer to my previous post titled "JNDI, Active Directory & Authentication (part 2) (SSL)" at
    http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50
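One script covering both of the LDAP bind problems on this page: the hex-to-decimal decoding of the "data 525" field from the "LDAP realm with Active Directory" post, and the "error code 8 - 00002028" signing requirement from the post above. It is an added example in PowerShell (System.DirectoryServices.Protocols), not the Java code from either thread; the DC name dc1.example.com, remote-registry access to it, and a trusted LDAPS certificate are assumptions. The two sample messages it decodes at the end are the ones quoted in the posts.

```powershell
# Added example, not from the original threads. Decodes the 'data NNN' value
# AD appends to a failed bind, reads the LDAP signing requirement that produces
# error 8 / 00002028 on a DC, and shows a simple bind done over LDAPS, which
# satisfies that requirement. Assumed, not in the posts: DC, registry access.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Win32 codes behind the 'data' field (hex); 0x525 = 1317 = ERROR_NO_SUCH_USER.
$BindData = @{
    '525' = 'ERROR_NO_SUCH_USER';         '52e' = 'ERROR_LOGON_FAILURE'
    '530' = 'ERROR_INVALID_LOGON_HOURS';  '531' = 'ERROR_INVALID_WORKSTATION'
    '532' = 'ERROR_PASSWORD_EXPIRED';     '533' = 'ERROR_ACCOUNT_DISABLED'
    '701' = 'ERROR_ACCOUNT_EXPIRED';      '773' = 'ERROR_PASSWORD_MUST_CHANGE'
    '775' = 'ERROR_ACCOUNT_LOCKED_OUT'
}
# The 8-digit code after 'error code N -' is a Win32/HRESULT value as well.
$ExtCodes = @{
    '00002028' = 'ERROR_DS_STRONG_AUTH_REQUIRED (signing/sealing or TLS needed)'
    '80090308' = 'SEC_E_INVALID_TOKEN (credential rejected; see data)'
}

function Read-AdBindError([string]$Message) {
    $m = [regex]::Match($Message,
        'error code (?<rc>\d+) - (?<ext>[0-9A-Fa-f]{8}).*?comment: (?<comment>.+?), data (?<data>[0-9A-Fa-f]+)')
    if (-not $m.Success) { return $null }
    $data = $m.Groups['data'].Value.ToLower()
    $ext  = $m.Groups['ext'].Value.ToLower()
    [pscustomobject]@{
        ResultCode = [int]$m.Groups['rc'].Value
        Extended   = $ext
        ExtMeaning = $ExtCodes[$ext]
        Comment    = $m.Groups['comment'].Value
        Data       = $data
        Win32      = [Convert]::ToInt32($data, 16)
        Meaning    = $(if ($BindData.ContainsKey($data)) { $BindData[$data] } else { '(see comment)' })
    }
}

#  Registry value behind the "Domain controller: LDAP server signing requirements"
#  policy the answer refers to: 1 = None (default), 2 = Require signing.
function Get-LdapServerSigning([string]$Dc) {
    $k = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $v = $k.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters').GetValue('LDAPServerIntegrity', 1)
    if ($v -eq 2) { 'Require signing' } else { 'None' }
}

# A simple bind inside TLS is what the DC asks for in error 8: the session is
# already encrypted, so no SASL signing is demanded. Plain 389 + simple bind fails.
function Test-LdapsSimpleBind([string]$Dc, [string]$User, [string]$Password) {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        (New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 636)))
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
    try { $conn.Bind(); 'bind OK' }
    catch [System.DirectoryServices.Protocols.LdapException] { Read-AdBindError $_.Exception.ServerErrorMessage }
    finally { $conn.Dispose() }
}

# The two messages quoted in the posts, decoded (inputs copied from the page):
Read-AdBindError '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893]'
Read-AdBindError '[LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, vece]'

# Get-LdapServerSigning dc1.example.com
# Test-LdapsSimpleBind dc1.example.com 'EXAMPLE\vijayvignesh' 'secret'
```

On the Java side the equivalent of Test-LdapsSimpleBind is a PROVIDER_URL of ldaps://host:636 with the DC certificate in the truststore, which is the route the answer's linked post takes; the decoded Data/Win32 columns are what to read first, because "user not found" (525) and "bad password" (52e) both surface as the same LDAP result code 49.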

  • The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error. : Error: An Active Directory Constraint Violation error occurred

    Hello,
     We have a multi-domain parent/child AD infrastructure and we have just upgraded our Exchange from Exchange 2007 to Exchange 2013. For the last few days, we have seen the error below in the mailbox server's event viewer.
    EVENT ID : 1121
    The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error. 
    Request GUID: '93a7d1ca-68a1-4cd9-9edb-a4ce2f7bb4cd' 
    Database GUID: '83d028ec-439d-4904-a0e4-1d3bc0f58809' 
    Error: An Active Directory Constraint Violation error occurred on <domain controller FQDN>. Additional information: The name reference is invalid. 
    This may be caused by replication latency between Active Directory domain controllers. 
    Active directory response: 000020B5: AtrErr: DSID-0315286E, #1:
     Our Exchange setup is in the parent domain, but we keep getting this error for various domain controllers in each child domain in the same site. We then configured one of the parent domain's domain controllers on Exchange. We are still getting this error for the configured parent domain DC.
     I verified AD replication and there is no latency or anything pending.
     Any support to resolve this issue will be highly appreciated. Thank you in advance.
    Regards,
    Jnana R Dash

    Hi,
    In addition to Ed's suggestion, I would like to clarify the following things for troubleshooting:
    1. Please restart IIS at first.
    2. If the issue persists, please ping your DC on your Exchange server to check if Exchange can communicate with DC.
    Hope it helps.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Windows client error joining with Samba 4.2 Active Directory server

     I have a basic Samba 4.2 ADC setup on CentOS 7 and I get an "RPC server not available" error whenever I attempt to join a Windows client to the domain. The smb.conf is the default one created during provisioning. All indicated pre-testing seems to work as expected. The Windows client finds the domain and recognizes whether a user is valid or not, but the last step of joining the domain ends with the error "Unable to join the Domain. RPC server not available". Does anyone have any ideas?
    Thanks Paul 
    This topic first appeared in the Spiceworks Community

    I have a scenario for you in active directory when two passwords may be valid:
    Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
    Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.
    The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
    User1 decides to call the helpdesk and changes his password to "456".
     The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) both the 123 password and the 456 password will be valid.
     If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
    Regards,
    ~JG
    Do rate helpful posts
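    To make the timing in JG's scenario concrete, here is a small Java model, added here and not part of the post: three DCs holding versioned copies of user1's password, scheduled replication that only copies newer versions, and a logon routine that asks the PDC emulator when the local check fails and then pulls the newer password immediately. It assumes DC1 holds the PDC emulator role; the class and method names are made up for the example.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Toy model of the three-site scenario (added example, not real AD code): slow scheduled
 * replication between DCs, plus the rule that a DC which rejects a password asks the
 * PDC emulator before returning a failure.
 */
public class PasswordReplicationModel {

    /** One domain controller's copy of a single user's password. */
    static final class Dc {
        final String name;
        String password;
        int version = 1;   // bumped on every change, like AD's per-attribute version number

        Dc(String name, String initialPassword) {
            this.name = name;
            this.password = initialPassword;
        }

        void changePassword(String newPassword) {
            password = newPassword;
            version++;
        }

        /** Pull the password from a source DC only if the source holds a newer version. */
        void replicateFrom(Dc source) {
            if (source.version > version) {
                password = source.password;
                version = source.version;
                System.out.println(name + " replicated password version " + version
                        + " from " + source.name);
            }
        }

        boolean localCheck(String attempt) {
            return password.equals(attempt);
        }
    }

    final Dc dc1 = new Dc("DC1", "123");
    final Dc dc2 = new Dc("DC2", "123");
    final Dc dc3 = new Dc("DC3", "123");
    // Assumption for this model: DC1 holds the PDC emulator role.
    final Dc pdcEmulator = dc1;
    final List<Dc> allDcs = Arrays.asList(dc1, dc2, dc3);

    /** Helpdesk resets the password on one DC; the change is urgently replicated to the PDC emulator. */
    void helpdeskReset(Dc changedOn, String newPassword) {
        changedOn.changePassword(newPassword);
        pdcEmulator.replicateFrom(changedOn);   // no-op when the change was made on the PDC emulator
    }

    /** Logon at one DC: local check first, then the PDC emulator chase on a mismatch. */
    boolean authenticate(Dc dc, String attempt) {
        if (dc.localCheck(attempt)) {
            return true;                        // a stale password is still accepted here
        }
        if (dc == pdcEmulator) {
            return false;                       // nobody newer to ask
        }
        if (pdcEmulator.localCheck(attempt)) {
            dc.replicateFrom(pdcEmulator);      // immediate replication of the newer password
            return true;
        }
        return false;
    }

    /** Scheduled inter-site replication (every 3 hours by default) catches every DC up. */
    void scheduledReplication() {
        for (Dc target : allDcs) {
            for (Dc source : allDcs) {
                target.replicateFrom(source);
            }
        }
    }

    public static void main(String[] args) {
        PasswordReplicationModel m = new PasswordReplicationModel();
        m.helpdeskReset(m.dc1, "456");                  // helpdesk sits in Site1
        System.out.println("DC3 accepts 123: " + m.authenticate(m.dc3, "123"));
        System.out.println("DC3 accepts 456: " + m.authenticate(m.dc3, "456"));
        System.out.println("DC3 accepts 123: " + m.authenticate(m.dc3, "123"));
        System.out.println("DC2 accepts 123: " + m.authenticate(m.dc2, "123"));
        m.scheduledReplication();
        System.out.println("DC2 accepts 123: " + m.authenticate(m.dc2, "123"));
    }
}
```

    Running main() walks through the post: after the helpdesk reset on DC1, DC3 accepts both 123 and 456; the 456 logon makes DC3 pull version 2 from the PDC emulator, after which 123 is rejected there, while DC2 keeps accepting 123 until the scheduled replication pass. From a detection standpoint, this is why a successful logon with an old password shortly after a reset is not by itself evidence of compromise.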

  • Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

    Hello everyone,
     I'm managing a multi-domain forest (with 7 sub-domains). All are working fine except for one. Through repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of one subdomain (there are only 2 DCs in that subdomain) hadn't replicated with the rest of the forest for more than 60 days.
     According to my research, it's usually recommended to demote and repromote the problematic DC to avoid the issue of lingering objects. In this case, it's both DCs of a sub-domain. Of course, on the other DCs in the forest, I got the event ID 2012 "it has been too long since this machine last replicated with the named source machine....".
     HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
     to a value of 1.
     As I understand it, this may cause lingering objects to appear (they can be removed with the repadmin /removelingeringobjects command, given the DSA GUID, naming context, etc.). So far, I haven't used that registry key because of the associated risks.
     I haven't noticed any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in AD Sites and Services).
     I added two new DCs to the affected sub-domain, so the number of DCs for that domain went from 2 to 4. The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2.
     Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I cannot add an Active Directory Domain Services Connection in the Sites & Services console (from a DC in another domain of the forest, or even the root domain). I see all the DCs, including the two old Server 2003 DCs, but not the new ones.
     I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
     I was wondering what the best course of action is. Is it worthwhile to use the registry key to force replication with the old DCs? (Hopefully, the new DCs would then get their AD Services connection/replication vector created, so I can demote the old DCs.)
     Since the old DCs of the problematic sub-domain seem to be able to pull replication from the rest of the forest, isn't the risk of lingering objects fairly small?
     Or is it too risky, so that I must create a new sub-domain and migrate the users one way or another (which would be time-consuming)?
    Thanks in advance,
    Adam

     Thanks for the reply. One of the links had another link to a good article about the use of repadmin:
     So, I ran the command "repadmin /removelingeringobjects" on one of the problematic DCs ().
    For clarity purpose, let's say I used the domain :
    domain = main domain
    subdomain = the domain whose DC are problematic (all of them).
    AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
     Command (the DSA GUID is from a "clean" DC in another domain):
    repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
    I got the following message in the event viewer :
    Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
    Source domain controller:
    c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
    Number of objects examined and verified:
    0
     Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the advisory mode option.
     How should I interpret the message "Number of objects examined and verified: 0"? Does it mean it just didn't find any object to compare (which would be odd IMHO)? Or is there another problem?
    Thanks in advance,
    Adam
