Active Directory FindAll SearchResutlsCollection Performance Issue

Similar Messages

• MS Active Directory LDAP Authentication/Locking Issue.

  Dear All,
  We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
  We have used following things with LDAP feature.
  1. User Authentication.
  2. Locking account after exceed the maximum attempts that has configured in window server.
  Main our issue is: The LDAP feature is not working properly from our client side. They are able to authenticate their LDAP user but do not able to lock user account however they have exceeded the maximum attempts from login dialog of our products but it still working in our side.
  If anybody has any experienced about it then please reply with positvie solution or any other information like require do the specific configuration for different version of Windows and Active Directory Server etc.
  Can any body know what are the possibilities for identifying and resolving this issue?
  Please help us if anybody has any experienced about it.
  Please do the needful.
  Thanks,
  Mehul.

  Hi,
  Thanks for your reply.
  We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
  Following code for checking whether ADS User is valid or not.
  * Function checks whether ADSUser is valid user or not
  * @returns int value indicating result.
  public int isValidADSUser() {
  Hashtable env = new Hashtable(5);
  Vector adsInfoVec = getADSInfo();
  env.put("java.naming.referral", "ignore");
  // env.put("java.naming.security.authentication", "simple");
  env.put(Context.SECURITY_AUTHENTICATION,"simple");
  String provider = "com.sun.jndi.ldap.LdapCtxFactory";
  env.put("java.naming.factory.initial", provider);
  //For handling Uncontinued reference found message of partial result exception
  env.put(Context.REFERRAL, "follow");
  env.put("java.naming.ldap.derefAliases", "always");
  env.put("java.naming.ldap.deleteRDN", "false");
  env.put("java.naming.ldap.attributes.binary", "");
  env.put(Context.PROVIDER_URL,
  "ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
  (String) adsInfoVec.elementAt(1));
  // env.put("java.naming.security.principal",
  // userNameStr + "@" + (String) adsInfoVec.elementAt(0));
  env.put(Context.SECURITY_PRINCIPAL,
  userNameStr + "@" + (String) adsInfoVec.elementAt(0));
  if (userPassStr == null) {
  userPassStr = "";
  // env.put("java.naming.security.credentials", userPassStr);
  env.put(Context.SECURITY_CREDENTIALS, userPasswordStr);
  try {
  DirContext ctx = new InitialDirContext(env);
  ctx.lookup("");
  //System.out.println(ctx.lookup(""));
  ctx.close();
  catch (javax.naming.AuthenticationException ex) {
  //System.out.println();
  ex.printStackTrace();
  return AUTHENTICATION_ERROR;
  catch (javax.naming.PartialResultException pex) {
  pex.printStackTrace();
  return COMMUNICATION_ERROR;
  catch (javax.naming.CommunicationException pex) {
  pex.printStackTrace();
  return COMMUNICATION_ERROR;
  catch (NamingException e) {
  System.out.println("Failed to connect to ");
  e.printStackTrace();
  return COMMUNICATION_ERROR;
  return SUCCESS;
  Result of this code from our company: We are able to Authenticate LDAP user and also Lock User Account after exceed the Max Failure Attempt that configured from Windows Server.
  Result of this code from our client side: They are able to Authenticate LDAP user but they can't User Accout Lock however exceed the Max Failure Attemp that configured from their Windows Server.
  Can u please help us if any experience about it and suggest if any other configuration require from Windows Server / Active Directory Server OR also if some other implementation require for resolving this issue.
  Your optimistic reply is much appreciated.
  Thanks,
  Mehul Garnara.
  Edited by: [email protected] on Mar 6, 2008 10:24 PM
  Edited by: [email protected] on Mar 6, 2008 10:25 PM
  Edited by: [email protected] on Mar 6, 2008 10:25 PM

• Active Directory Ghost Object replication issue

  I have a Windows 2003, Single Forest with nearly 50 Domains. This is a constantly changing, deployable system where not all Domains are connected and online at all times.
  Some months ago 2 of these domains were held up in transit and tombstoned. Before they were connected to the Forest again they went to our Hardware support department to be "cleaned" meaning remove dust etc, instead they wiped the arrays on all
  servers.
  Our Level 4 Support team reanimated these node after restoring them from a really old backup.
  This backup did not refelect the AD as it was when it was deleted, therefore we have several orphaned objects form those domains. The Domains are functioning correctly and replicating, however, the GC in the forest is inconsistent and the orphaned/ghost
  objects are still being replicated.
  We have rehosted the directory partitions from the problem nodes to online domains which works fine, but as soon as another domain comes online the orphaned objects are again replicated into the Global Catalog. The nature of our system means that we cannot
  control when the other domains are coming back online to rehost them before replicating the object items back into the GC.
  I have made several LDAP queries and can see that the items no longer exist on the problem domain, the only reference to the objects is in the GC directory partitions of those domains.
  The biggest issue I have is that these objects were mail enabled users and when the GAL queries the GC it is repopulating them. 
  I've hit a bit of a wall now and do not know how we can remove these ghost objects without having all domains online at the same time and rehosting the problem domains partitions forest wide. I'd appreciate any assistnce.
  I have asked this question before but with less detail so I'm having another go!

  An AD backup is as good as the Tombstone lifetime. By default the TSL of a 2003 forest functional level is 60. So if you haven't done this already you should probably configure a higher value for the TSL. By default Strict Replication
  Consistency is also enabled to prevent DC that have been disconnected for a long time to propagate lingering objects into the AD topology, check to see if you have this enabled. You should use "repadmin" to remove the lingering objects.
  "When a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, all objects that are deleted from AD DS on all other domain controllers might remain on the disconnected
  domain controller. Such objects are called lingering objects. When this domain controller is reconnected to the replication topology, it acts as a source replication partner that has one or more objects that its destination replication partners no longer have.
  Problems occur when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers. A destination domain controller can respond in one of two ways:
  If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source
  domain controller.
  If the destination domain controller does not have strict replication consistency enabled, it requests the full replica of the updated object, which introduces a lingering object into the directory."
  Also keep in mind that the Infrastructure Master role handles the cross-domain references and phantoms from the global catalog in its domain. Make sure that you either have all DCs as Global Catalogs or do not place the GC on the DC with the IM role.
  Here are some useful links:
  Determine the tombstone lifetime for the forest
  Event ID 1388 or 1988: A lingering object is detected
  Use Repadmin to remove lingering objects
  Enable strict replication consistency
  FSMO placement and optimization on Active Directory domain controllers
  Phantoms, tombstones and the infrastructure master
  http://mariusene.wordpress.com/

• OID and Active Directory(global catalog) synchronization issues

  We have a large network with 7 domains within the AD forest.....The OID server profile
  points to a single domain controller/gc in 1 of these 7 domains. It is able to synchronize when a change occured
  from this domain but not the others in the forest by quering port 3268/GC. We reloaded
  the bootstrap which reduced the "highest committed usn" last read attribute value in
  OID....and the synch started working again with another domain but not consistently(a change in AD gets pulled into OID)...
  It seems as if OID cannot read the highest committed usn value for all domains
  within one forest by quering a single global catalog domain controller in one
  domain....any ideas on best practice to have a consistent synch from OID to all
  domains in AD?
  Message was edited by:
  marcvip

  Each AD server in the Forest will maintain his own highestCommittedHSN. The AD GC should maintain a consistent HSN but knows and keeps all the AD servers in sync. So if the GC does not maintain a consistent HSN you should contact Microsoft as well (besides this forum :-)
  regards,
  --Olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

• User synchronization issue between Active Directory and Solution manager.

  Requirement:
  Synchronize the users between Active directory and solution manager system.
  <u>What we did:</u>
  1.     Created RFC connection (LDAP_RFC) for LDAP connector.
  2.     Created new LDAP connector that utilize the RFC (LDAP_RFC).
  3.     Created new logical LDAP Server(CUA).Here we have to maintain the connection
  details to the physical directory.
  4.     We maintained the communication user that is used by the LDAP connector to bind the LDAP Directory Server.
  5.     In transaction LDAPMAP specific SAP data fields, we mapped to the desired
  directory attributes.
  6.     Testing from LDAP transaction working fine. We are able to see the attributes and
  values       from Active directory.
  <b><u>Issue:</u></b>
  When executed the program RSLDAPSYNC_USER for user synchronization from t-code se38 with below selection .
  LDAP Server = CUA (created earlier)
  LDAP Connector = LDAP_RFC (RFC connection created created ealier)
  In the tab: (Object that exist both in the directory and in the Database:)
  Selected: Compare Time Stamp.
  In the tab: (Objects the only exist in the Directory.)
  Selected : Create in Database.
  In the tab(Objects that only Exist in the Database:
  Selected: Ignore Object.
  Result from the report shows that connection to LDAP server is fine and ‘0’(zero) objects in Directory.
  The program does not create any new user in the Solution Manager system.
  Any help on this issue greatly appreciated.
  Thanks & Regards,
  Harish

  where did you see this error ? is there anymore details.
  i think the account you are using for Sync does not have Replicate Directory Changes permission in AD. follow below article and give Replicate directory changes permission.
  http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
  Thanks, Noddy

• Active Directory Diagnostics not running in PerfMon

  Hello all!
  I am trying to run Active Directory Diagnostics in Performance Monitor to address an lsass issue in which lsass consumes too much CPU. 
  I opened PerfMon from an elevated Command Prompt and expanded the tree: Data Collector Sets -> System -> Active Directory Diagnostics.  I right-clicked Active Directory Diagnostics and selected "Start."  The diagnostic is supposed
  to run for 300 seconds and then generate a report.  Problem is, nothing happened after that.  If I right-click Active Directory Diagnostics again, the "Start" option is greyed out. 
  Under Reports -> System -> Active Directory Diagnostics, there are no items to show.
  I consulted the following Microsoft Document:
  http://support.microsoft.com/kb/971714 and found the following file path where the reports should be located: %systemdrive%\Perflogs\ADDS\<var>date report generation run</var>\*.  But there is no ADDS folder and the Admin folder that
  is there is empty.
  Has anyone seen this before?  If so, how did you resolve it?
  Thanks.

  Have you tried reload the AD DS perf counters?
  http://technet.microsoft.com/en-us/library/cc961948.aspx
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Oim 9.1.0.1 to active directory using ssl

  Hi,
  I am working on OIM 9.1.0.1 and AD IS on WIN2K3 R2.
  I successfully installed CA certificate in AD Server as given in AD Connector Document 9.1.0.1 given below.
  Configuring SSL for Microsoft Active Directory
  To configure SSL communication between Oracle Identity Manager and Microsoft Active Directory, you must perform the following tasks:
  a) Installing Certificate Services
  b) Enabling LDAPS
  c) Setting Up the Target System Certificate As a Trusted Certificate
  a) Installing Certificate Services
  To install Certificate Services on the target system host computer:
  Before you begin installing Certificate Services, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.
  Note:
  1. Insert the operating system installation media into the CD-ROM or DVD drive.
  2. Click Start, Settings, and Control Panel.
  3. Double-click Add/Remove Programs.
  4. Click Add/Remove Windows Components.
  5. Select Certificate Services.
  6. In the Windows Components Wizard, follow the instructions to start Certificate Services.
  I selected Enterprise root CA as the CA type as said in AD connector Doc.
  b) Enabling LDAPS
  The target system host computer must have LDAP over SSL (LDAPS) enabled. To enable LDAPS:
  1. On the Active Directory Users and Computers console, right-click the domain node, and select Properties.
  2. Click the Group Policy tab.
  3. Select Default Domain Policy.
  4. Click Edit.
  5. Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
  6. Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.
  7. Use the wizard to add a policy with the Domain Controller template.
  At the end of this procedure, the certificate is created and LDAPS is enabled on port 636. You can use an LDAP browser utility to verify that LDAPS is working.
  But my problem is i am not able to connect to AD over SSL through JExplorer LDAP Browser in AD Server itself.
  its saying Socket closed and some times binding failed.
  And Firewall is on and Telnet is happening to both 389 and 636 ports from outside AD Server and in AD Server
  Please give the solution to overcome this issue.
  regards
  Ramu

  Hi
  From Apache Directory Studio i am able to connect over SSL (port 636) to AD and also imported certificate in oim.
  In Diagnostic Dashboard Test Connectivy of AD i found the below error.
  ITResource information values are not correct. Enter the correct values.
  The root cause is . . .
  java.lang.reflect.InvocationTargetException
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.thortech.xl.systemverification.tests.TestConnector.runInterfaceMethods(Unknown Source)
       at com.thortech.xl.systemverification.tests.TestConnector.execute(Unknown Source)
       at com.thortech.xl.systemverification.webapp.SystemVerificationServlet.doPost(Unknown Source)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:176)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3498)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  Caused by: javax.naming.CommunicationException: simple bind failed: adr.oimad.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
       at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
       at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
       at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:287)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
       at javax.naming.InitialContext.init(InitialContext.java:223)
       at javax.naming.InitialContext.(InitialContext.java:197)
       at javax.naming.directory.InitialDirContext.(InitialDirContext.java:82)
       at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.getLDAPConnection(Unknown Source)
       at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.testBasicConnectivity(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.thortech.xl.systemverification.tests.TestConnector.runInterfaceMethods(Unknown Source)
       at com.thortech.xl.systemverification.tests.TestConnector.execute(Unknown Source)
       at com.thortech.xl.systemverification.webapp.SystemVerificationServlet.doPost(Unknown Source)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
       ... 8 more
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
       at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
       at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
       at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
       at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
       at com.sun.jndi.ldap.Connection.run(Connection.java:805)
       at java.lang.Thread.run(Thread.java:619)
  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
       at sun.security.validator.Validator.validate(Validator.java:218)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
       ... 12 more
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
       ... 18 more
  regards
  Ramu

• Bootcamp iMac + Active Directory = Not working!

  I have a 2009 iMac with bootcamp and XP pro SP3 running great.
  Now have to bind to Active directory box and having issues.
  Will bind perfectly but upon restart the login windows stalls on selecting the new domain. the machine then needs to be restarted and same again etc etc.
  I have a thinkpad with same install and it works a treat so definitely the iMac thats causing the issue.
  Could it be the EFI?
  Anyone had similar problems?
  Any help would be grand
  thanks

  I have a 2009 iMac with bootcamp and XP pro SP3 running great.
  Now have to bind to Active directory box and having issues.
  Will bind perfectly but upon restart the login windows stalls on selecting the new domain. the machine then needs to be restarted and same again etc etc.
  I have a thinkpad with same install and it works a treat so definitely the iMac thats causing the issue.
  Could it be the EFI?
  Anyone had similar problems?
  Any help would be grand
  thanks

• Add random number to a email id while creating account in active directory

  Hi,
  I have this code with me,
  in this code i am creating user account into the active directory, i am facing issue in validating it.
  validation is: Let's say we got 2nd Aman verma into the active directory, first aman verma got id as [email protected], i want id of second aman verma as [email protected] (or any other number at the place of 1)
  below is my code,
  using System;
  using System.IO;
  using System.DirectoryServices;
  namespace ActiveDirectoryAddContacts
  class Class1
  static void Main(string[] args)
  System.DirectoryServices.DirectorySearcher DSESearcher = new System.DirectoryServices.DirectorySearcher();
  string RootDSE=DSESearcher.SearchRoot.Path;
  RootDSE=RootDSE.Insert(7,"ou=Mytest,");
  DirectoryEntry myDE = new DirectoryEntry(RootDSE);
  DirectoryEntries myEntries = myDE.Children;
  // Create a new entry 'Sample' in the container.
  FileStream fs = new FileStream("C:\\UserDetails.csv" , FileMode.OpenOrCreate, FileAccess.Read
  StreamReader sr = new StreamReader(fs); 
  for(int i=1;i<291;i++)
  string str = sr.ReadLine();
  char[] ca={','};
  try
  string[] sa = str.Split(ca,4);
  DirectoryEntry myDirectoryEntry = myEntries.Add("CN="+sa[2], "user");
  myDirectoryEntry.Properties["givenname"].Value=sa[0];
  //myDirectoryEntry.Properties["sn"].Value=sa[1];
  //myDirectoryEntry.Properties["displayname"].Value=sa[2];
  //myDirectoryEntry.Properties["mail"].Value=sa[3];
  //myDirectoryEntry.CommitChanges();
  catch (Exception e)
  Console.WriteLine(str);
  any Help will be highly appreciated.
  Thank you!
  Aman 

  Hi,
  As this might not be a SharePoint issue, I suggest you open a thread in the Windows Server forum, you will get more help and confirmed answers there:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
  Thanks
  Patrick Liang
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Event ID 5013 - Old Exchange 2003 reference from Active Directory - Performance Issues or Just a Message?

  Hello,
  I am working on an existing 2010 Exchange implementation.  The site has one Exchange 2010 server with no other Exchange servers running and/or available.  I looked through the application logs and I see multiple Event ID 5013 errors that state,
  "The routing group for Exchange server <ServerName>.<DomainName>.LOCAL was not determined in routing tables with timestamp 6/24/2014 8:01:48 PM. Recipients will not be routed to this server."
  I would like to know if by having this old 2003 Exchange server in AD, if it could be causing performance issues or if it is just a warning message only.  I have located the old server name using ADSIedit under, "CN=Configuration,DC=<DomainName>DC=Local\CN=Services\CN=Microsoft
  Exchange\CN=First Organization\CN=Administrative Groups\CN=First Administrative Group\CN=Servers".  The old 2003 Exchange server is then listed in the right window pane so it could be deleted but I would need to know if this would effect the Exchange
  environment other than removing the error from the event logs.
  Thank you for your help,
  Michael

  Hi,
  When you install Exchange 2010 in an existing Exchange 2003 environment, a routing group connector is created automatically. If you remove Exchange 2003 from you environment, you should also delete this routing group connector.
  Besides, here is a related article about Event ID 5013 which may help you for your reference.
  http://technet.microsoft.com/en-us/library/ff360498(v=exchg.140).aspx
  Best regards,
  Belinda Ma
  TechNet Community Support

• CCE Web Administration - Active Directory issue when managing agent attributes

  I am experiencing an issue when managing agents (supervisors specifically) in CCE Web Admin.  When attempting to add / remove / modify an Attribute for a supervisor agent we are getting an error that the supervisor must have a valid active directory account.  (Screenshot attached)  The agents that this is affecting are correctly configured in ICM as a supervisor and ICM was able to successfully move their AD account into the 'Config' AD Security Group.  From looking at the logs on the AWS it appears that the Web Admin tool is attempting to lookup their account in AD via UPN by appending their username to the domain name.  
  Log Snippet:  
  exception=com.cisco.ccbu.api.jaxb.error.ApiException: supervisorUserInfo.userName: Could not find user. Check if a domain account exists for [email protected]
  This isn't going to work for some users in our account because we have multiple suffixes in our domain.  (Our domain is a single forest and I'm not aware of a requirement to have a single suffix.)
  I'm curious why it wouldn't use samaccountname which is what I believe ICM Configuration Manager is using.  Has anyone else experienced this issue?

  Lo and behold, my AD sync started working.
  Though I have added the site to my local intranet sites, I'm not very confident whether this was the actual solution. I've performed several actions configuring my farm before I started troubleshooting this issue again, so it might be another action that
  solved this.
  Alemaitre: can you try the following please:
  See if the SharePoint Web Service site is started in IIS.  If not, start it, see if that works.
  Instead of adding the site to your Trusted Sites, try Local Intranet Sites (click Advanced to add sites besides using auto-discovery)
  Turn the Security Level for the zone all the way down.
  Turn off Compression for your site in IIS, do an iisreset, see if that works.
  I've also had to remove a host header from my MySite portal (running on port 8080 here), unlikely for this to be the cause but it's just one of the things I did this morning :-)
  Should I think of anything else, I'll let you know.
  Bonne chance.

• Active directory SYSVOL replication issues

  Hello. 
  I have 2 domain controllers, both of them on the same site DC1 & DC2. I have added a new site with a DC3. When I have added DC3 to the domain, I have realized, SYSVOL was not initialized correctly. I went back to DC1 and found out, there's following
  error in the event viewer:
  Error: 4012 on DC1
  The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter
  (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
  Error: 2213 on DC2
  The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication
  WMI method to resume replication. 
  This indicates a DFS replication issue between DC1 & DC2 and probably this would be the reason, why the SYSVOL was not properly initialized on DC3. 
  How can I restore correct DFS replication between DC1 & DC2? I've read
  this article, but it's not clear to me, which of the 2 domain controllers has a good version of SYSVOL + I can not find a decent step-by-step article for reconnecting Windows 2012 domain controller.
  Any idea, how I can proceed further here?

  Here's a complete documentation with resolution of my issue. I have created this documentation for my own purposes in our WIKI, so I will paste it here (I hope, it will help somebody else in the future):
  The Problem
  We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain
  controller in the DOMAIN. After the promotion, I have added a single computer to the domain. When I have logged on the client to the domain, I realized, this computer is not using the new domain controller (NEWDC01)
  for authentication, but DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming, the Active directory sites & services are configured properly). Further investigation revealed,
  there are some replication errors on OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can
  add the NEWDC01 server to domain properly.
  Analysis
  There are several errors related to DFSR replication on both domain controllers:
  Error: 4012 on OLDDC01
  The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain.
  This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder
  until this error is corrected.
  Error: 2213 on OLDDC02
  The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database
  is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
  In order to have active directory in a healthy condition, one must ensure, there’s a successful
  replication between existing domain controllers up and running. If the replication does not work correctly, you can expect bunch of issues.
  group policies and logon scripts are not applied correctly, or as intended
  when you want to add a new domain controller to the domain, it will not work as expected (although, you will not see any specific errors after the
  server is promoted to be a domain controller)
  Active directory backup
  I have scheduled an AD backup on OLDDC01 server using the ‘Windows Backup’ solution to make sure,
  I can restore the AD / SYSVOL, in case something goes wrong. The backup is scheduled to be executed every day.
  Active directory restore
  In this particular case, I will talk only about SYSVOL restore. As indicated above, we must get
  rid of the DFSR event viewer errors which you can find in event viewer. One of them is indicating, that the JET database was not shut down cleanly and autorecovery was disabled. The other error indicates, the SYSVOL volume is no longer replicated. I am not
  sure, what is the reason, why the AD’s in the domain stopped to replicate. Probably it was an unclean server shutdown. The DFSR service stopped to replicate the SYSVOL share and I was not aware about that. When the replication did not run for more than ~99
  days, the SYSVOL share was excluded from the DFSR replications.
  Find out the most accurate SYSVOL share in the domain
  I have compared the content of the SYSVOL directories on both OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies.
  Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means, that the content is approximately the same, thus I can’t tell, which version is most recent. I do most of the GPO changes on OLDDC01, so I made a conclusion,
  that this server contains the most recent version of the SYSVOL share.
  There are 2 types of SYSVOL restores, you can do:
  Authoritative restore
  Non-authoritative restore
  Non-authoritative restore
  This is a more simple kind of a restore. You can perform this kind of restore, when you are sure,
  that one of the domain controllers is authoritative (e.g. you presume, the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform non-authoritative restore of the active directory on a broken domain controller.
  Authoritative restore
  In this case, you can designate a specific domain controller to be authoritative. You set a special
  flag on this server, which will prohibit to overwrite it’s state from another domain controllers, when the replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the another domain controllers
  using the non-authoritative procedure.
  In this article, you can find, how to perform authoritative vs. non authoritative AD resotre:
  http://support.microsoft.com/kb/2218556.
  In my case, I was not sure, which of the domain controllers had a more recent copy of AD, so I
  have decided to make OLDDC01 authoritative (check the link above). Once this has been done, I have made a non-authoritative update on OLDDC02 server.
  Everything was almost ready. The last step, I needed to execute was, I needed to fix the ‘JET’
  event viewer error on SRVBK1. In the event log entry on the bottom, you can find following:
  Recovery Steps
  1. Back up the files in all replicated folders on the volume. Failure to do
  so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
  2. To resume the replication for this volume, use the WMI method ResumeReplication
  of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
  wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig
  where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
  For more information, see http://support.microsoft.com/kb/2663685.
  Final words
  After I have executed this command, the replication was again started between OLDDC01 and OLDDC02
  servers. After I have started up the NEWDC01 server, I have realized, it has automatically replicated the contents of the SYSVOL share - almost immediately after the server was started up. I have again tried to login with the local client into DOMAIN domain
  and now I see, that local client is using local Domain controller for authentication.
  Everything seems to be OK now.

• Active directory issue

  This is the replication status for the following directory partition on this directory server. 
  Directory partition:
  DC=ForestDnsZones,DC=shankarpack,DC=com 
  This directory server has not received replication information from a number of directory servers within the configured latency interval. 
  Latency Interval (Hours): 
  24 
  Number of directory servers in all sites:
  1 
  Number of directory servers in this site:
  1 
  The latency interval can be modified with the following registry key. 
  Registry Key: 
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
  To identify the directory servers by name, use the dcdiag.exe tool. 
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

  sir, i means that secondary domain server is down due to system motherboard issue.so guide to me that how remove all setting of the secondary domain from primary domain. (shankarpack.com).
  errors are :
  Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more
  domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
  Source domain controller: 
   AVS1 
  Failing DNS host name: 
   f0c8f1a9-50fd-4785-8ca4-29b1d824b251._msdcs.shankarpack.com 
  NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
  Registry Path: 
  HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
  User Action: 
   1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined
  in MSKB article 216498. 
   2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
   3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
    dcdiag /test:dns 
   4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
    dcdiag /test:dns 
   5) For further analysis of DNS error failures see KB 824449: 
     http://support.microsoft.com/?kbid=824449 
  Additional Data 
  Error value: 
   11004 The requested name is valid, but no data of the requested type was found. 
  This is the replication status for the following directory partition on this directory server. 
  Directory partition:
  DC=ForestDnsZones,DC=shankarpack,DC=com 
  This directory server has not received replication information from a number of directory servers within the configured latency interval. 
  Latency Interval (Hours): 
  24 
  Number of directory servers in all sites:
  1 
  Number of directory servers in this site:
  1 
  The latency interval can be modified with the following registry key. 
  Registry Key: 
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
  To identify the directory servers by name, use the dcdiag.exe tool. 
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".
  This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are
  preventing validation of this role. 
  Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
  FSMO Role: DC=shankarpack,DC=com 
  User Action: 
  1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
  2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity,
  DNS name resolution, or security authentication that are preventing successful replication. 
  3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server.
  This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
  The following operations may be impacted: 
  Schema: You will no longer be able to modify the schema for this forest. 
  Domain Naming: You will no longer be able to add or remove domains from this forest. 
  PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
  RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
  Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

• Report Performance Issue - Activity

  Hi gurus,
  I'm developing an Activity report using Transactional database (Online real time object).
  the purpose of the report is to list down all contacts related activities and activities NOT related to Contact by activity owner (user id).
  In order to fullfill that requirment I've created 2 report
  1) All Activities related to Contact -- Report A
  pull in Acitivity ID , Activity Type, Status, Contact ID
  2) All Activities not related to Contact UNION All Activities related to Contact (Base report) -- Report B
  to get the list of activities not related to contact i'm using Advanced filter based on result of another request which is I think is the part that slow down the query.
  <Activity ID not equal to any Activity ID in Report B>
  Anyone encountered performance issue due to the advanced filter in analytic before?
  any input is really appriciated
  Thanks in advanced,
  Fina

  Fina,
  Union is always the last option. If you can get all record in one report, do not use union.
  since all records, which you are targeting, are in the activity subject area, it is not nessecery to combine reports. add a column with the following logic
  if contact id is null (or = 'Unspecified') then owner name else contact name
  Hopefully, this is helping.

• Download issue when Windows 7 Pro joins a Windows Server 2008 Active Directory

  Hi,
  I purchased 2 new Dell OptiPlex 3010 desktop computers that came with Windows 7 Professional operating system with SP1. 
  There were no Microsoft updates installed yet.  After I added one of these Dell computers to the Windows Server 2008 Active Directory, I was not able to download several items. 
  Below are several examples:
  1) I downloaded the Norton anti-virus installation file.  This file is not the full installation of Norton; it is more of a file where you execute it and it will download the full installation from the Internet like from their Norton web
  site.  So when I executed this installation file, it does not download the full installation files. 
  It just hung at the screen saying “Downloading” and it will finally stop with an error (don’t remember the error message).
  Note: If I have the full Norton installation file then I am able to install it on this computer with no problems.
  2) I downloaded the Adobe Reader installation file.  This file is not the full installation of Adobe Reader; it is more of a file where you execute it and it will download the full installation from the Internet like from their Adobe web
  site.  So when I executed this installation file, it hung at the downloading part and then it will error out with a “Actionlist Not Found” message.
  Note: If I have the full Adobe Reader installation file then I am able to install it on this computer with no problems.
  3) I installed Microsoft Office 2010 Standard version on this computer. 
  I configured Microsoft Outlook to retrieve emails from my email provider (pop and smtp settings). 
  After configuring Microsoft Outlook, I was able to send emails through Microsoft Outlook successfully (and very quickly), but he was unable to retrieve my emails. The progress bar for the Receiving in the "Outlook Send/Receive Progress" box
  shows no progress. The Progress bar is not moving. There is a message at the bottom of Microsoft Outlook stating "Receiving message 1 of 6 (x.xx KB of x.xx MB)" and it is very slow. My new emails were not being retrieved at all. 
  I tried various pop and smtp servers that was available for my email provider, but all had the same effect.
  4) I can access certain web sites (e.g.
  www.yahoo.com, www.cnn.com) while I cannot access other web sites like
  www.usatoday.com, my web hosting email site.
  Note: I had a Dell computer with Windows XP Professional operating system and this computer does not have any of the above issues.
  The above are only a few examples that I have experienced. 
  If I removed this Dell OptiPlex 3010 computer from the Windows Server 2008 Active Directory then I still experience the same issue.
  So as another test, I setup the other new Dell OptiPlex 3010 with the same Windows 7 Professional OS with SP1. 
  This time, I did not join the Windows Server 2008 Active Directory and I was able to successfully download the full Norton installation files, download the full Adobe Reader installation files, download my emails from Microsoft Outlook 2010, etc. 
  But once I joined this computer to the Windows Server 2008 Active Directory then I am not able to download these files and emails at all.
  It seems like there might be some group policy or a security setting that is preventing these downloads so I disabled the group policy on the Windows Server 2008 AD and Windows 7 Profession OS, but it didn’t resolve the issue.
   I disabled all of the firewall programs on this Windows 7 Professional OS, but it still did not resolve the issue.
  Since the Windows Server 2008 AD did not have DHCP installed, I installed DHCP and setup a scope. 
  Then configured the Windows 7 Professional OS to obtain an IP address, but it didn’t resolve the issue.
  If I move this Windows 7 Professional computer to another network where it did not have any Active Directory; it just had a wireless router serving DHCP then everything works on the Windows 7 Pro computer.
  Any ideas what is the root cause when a Windows 7 Professional computer join a Windows Server 2008 AD?
  Thanks,
  wl_tech

  Hi,
  Could you please tell some information for the AD environment and how it connect to the internet?
  Regarding 3rd party installlers didn't work as expected, please also seek help in their offical website.
  For outlook not receiving emails, could you please take a look in
  Event Viewer and see if there are any special errors logged there?
  And when trying to access the website like
  www.usatoday.com, any special errors IE showed out?
  Best regards
  Michael Shao
  TechNet Community Support