Active Directory Migration Tool Issue

Similar Messages

• Active Directory Migration Tool Moving Users before groups?

  How are permissions to resources granted? By user or by group?
  It's been so long I can't actually remember, but I think we moved users and groups together.
  The SIDs will change if things are moving to a new domain.  But the migration tool handles that for you.

  What are the draw backs of migration users before groups in a interdomain migration? if any
  This topic first appeared in the Spiceworks Community

• Cannot install Windows Azure Active Directory Sync tool on Server 2012 w/ SQL Server 2012

  I went to change a user password on the server today and after changing the password I logged into the SQL server to run “Import-module dirsync” & “Start-onlinecoexistencesync” in powershell in order to sync the new password with Exchange Online. After
  waiting ten minutes I tried setting up the email on the user’s PC but the new password was not being accepted. I logged into Office 365 and I got the following warning.
  "Warning: Last synced more than 3 days ago | Troubleshoot"
  So I pressed troubleshoot and the site installed a tool on the server to try and find out what the issue was. After the tool ran it told me that the version of dirsync.exe was out of date and that I should download the new one and install it. So I downloaded
  the new dirsync.exe (version 7020 I believe) and tried installing it. I kept getting error after error, different ones to boot.
  First it told me I wasn’t part of the FIMSyncAdmins group (so I added myself), then it told me that it could not connect to MIIS server,  so I tried starting it and windows said that there was a problem with the sign on used by the service so I had
  to reset the password for the local user named “AAD_bfd1d6f0cef7” which was being used by that service. The service started successfully and when I went to install it told me I could not and if the problem persisted I should uninstall the old version and reinstall.
  Looking in the log file, before I even install the software I see the following Information...
  Level: Information
  Date: 2015-03-24 12:49:17 PM
  Source: Directory Synchronization
  Event ID: 0
  Task Category: None
  "The current configuration of the Windows Azure Active Directory Sync tool is invalid. Please reinstall the Windows Azure Active Directory Sync tool."
  So I tried to reinstall (i even manually uninstalled the old version and removed the folder in C:\Program Files\ called "Windows Azure Active Directory Sync") and on reinstall I get as far as "Installing Components" and then after a little
  while it errors out with the error "The install was unable to setup a required component. Check the event logs for more information. Please try the installation again and if the error persists, contact Technical Support. "
  Looking at the log file there are a bunch of new entries, created by the installer. There's over 300 new entries and I can not post them all here due to character count restriction. you can find the log file here...
  www.clarkfreightways.com/wp-content/uploads/2015/03/dirsync_log.txt
  Can anyone tell me what is going on, I've been looking through the log files and I can see errors but I'm not sure what to do to fix it.

  Greetings!
  Wanted to know if you've hosted the DirSync tool (latest version) on a VM? Also, if this is deployed in a Production or Lab environment? If it's a lab setup, you may
  try installing the DirSync on a new VM / Server (suspecting that it could be some machine related issues).
  Here's a Support KB helping with different errors:
  http://support.microsoft.com/en-us/kb/2684395
  If its a production environment, would suggest to raise a
  Technical Support Ticket for assisting further with break-fix.
  Thank you,
  Arvind 

• How to manage Active directory and tools to manage Active Directory

  How to manage Active directory and which tools we use?

  You can use Microsoft Active Directory management tools:
  http://technet.microsoft.com/en-us/library/aa998508(EXCHG.65).aspx
  http://technet.microsoft.com/en-us/library/aa998508(EXCHG.65).aspx
  erview of Server Message Block signing
  http://support.microsoft.com/kb/887429/en-us
  Remote Server Administration Tools for Windows 7:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
  AD Admin Center:
  http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx
  http://technet.microsoft.com/en-us/library/dd560652(WS.10).aspx
  Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.

• Exchange and EOP and "Windows Azure Active Directory Sync tool".

  Hi,
  Since we are using our on-premises Exchange server and Microsoft EOP only for spam filter, and
  we are not using the EOP created domain "XXXX.onmicrosoft.com" for anything.
  Technically speaking, do we require
  "Windows Azure Active Directory Sync tool" to be installed and synchronizing all our AD to the EOP!
  Thanks,

  The Windows Azure Active Directory Sync Tool allows you to filter mail in EOP for nonexistent recipients.  This is a pretty useful antispam feature that you'll be forgoing if you choose not to deploy the tool.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Active Directory Migration from 2003 to 2012 Process Flow

  We are planning to migrate from Windows Server 2003 AD to Windows server 2012 Server for 6000 Users,
  Can any one suggest  on Following .
  1)What is the Best and Safe Way to do Migration
  2) What are the Precautions should take,
  3) How much downtime it will take,
  4) If migration Failed how we can revert to Earlier
  5) How to do Migration Step by Step
  Current Environment:
  Domain Having  One PDC(server 2003 R2) and 8 ADC(Server 2003 R2) in Different Locations
  PDC having All FSMO Roles and Global Catalog
  Exchange server 2007 was integrated to Active Directory 
  And some Application are integrated to  Active Directory 

  1) I would recommend you first run a test of the steps in test before you do this in production.  Otherwise your production becomes test.
  2) By doing in test, you have taken a large amount of the risk out of the upgrade since, in test you should be able to look for any unforseen issues.  The easiest way to test is to build a virtual fence from production and clone the DC's and member
  servers that you want to test against (This is assuming you are running in a virtual environment).  Ensure that you production environment is error free.
  http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx
  3) There should be no downtime at all, you can just extend the schema and then promote a new 2012 DC (I would recommend R2 if you can).
  4) Before you do the schema extension you should take 2 backups on two different DC's.  Taking two gives you less of a chance of a problem if one of the backups fails.
  5)
  Take a backup
  Extend the schema
  Join the 2012 R2 servers to the domain
  Add the ADDS role to the 2012 R2 member servers
  Promote the 2012 R2 DC's
  Transfer the FSMO roles to the 2012 R2 DC's (Not required but recommended)
  If you want to retire the 2003 DC's, then you will need to make sure that any clients pointing to the 2003 DC's for DNS are pointing to other DC's.
  If you do retire the 2003 then you can think about updating the DFL and FFL of the domain and forest.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Active directory reporting tool

  Hi ALL,
         Anyone could help me in finding reporting tools for Active directory
  Thanks

  Are you looking for real time monitoring tool or health checkup tool. Event viewer can be used to find the issues in the DC's.
  DCDIAG is best tool to analyze the health of the AD, Repadmin for monitoring replication, DNSlinit for DNS etc.
  What does DCDIAG actually… do?
  http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx
  For GPO AGPMC(Advanced group policy management console), GPinventory etc can be used.
  For FRS/DFSR, you can use FRSDIAG tool, SONAR etc.
  http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
  http://technet.microsoft.com/en-us/library/cc180912.aspx
  For real time monitoring tool, you can use
  SCOM (System center operations manager)2007 R2, you can also have audit collection service with SCOM. 
  http://www.microsoft.com/download/en/details.aspx?id=21357 
  There are other 3rd party tools like Netwrix, Quest, Admanager plus etc.
  Regards
  Awinish Vishwakarma
  MY BLOG:
   http://awinish.wordpress.com
  This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• Active Directory migration from domain X to Y

  Hey Guys 
  Planning to migrate Child domain to another child domain inter forest with ADMT 
  we do have a small environment with Active directory integrated DNS, I do have a rough knowledge of migrating domains but still if there is any checklist kind of thing on priority (i.e migrate users first then do groups then computers then GPO) and let me
  know how much time it will take for 500 users 800 machines and 400 groups approximately .
  We do not have techinical Architecture guys to plan up , Please list out any excel sheets for migration if any
  Went through n number of blogs but still did not get any proper info about this , Thank you in advance

  1) I would recommend you first run a test of the steps in test before you do this in production.  Otherwise your production becomes test.
  2) By doing in test, you have taken a large amount of the risk out of the upgrade since, in test you should be able to look for any unforseen issues.  The easiest way to test is to build a virtual fence from production and clone the DC's and member
  servers that you want to test against (This is assuming you are running in a virtual environment).  Ensure that you production environment is error free.
  http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx
  3) There should be no downtime at all, you can just extend the schema and then promote a new 2012 DC (I would recommend R2 if you can).
  4) Before you do the schema extension you should take 2 backups on two different DC's.  Taking two gives you less of a chance of a problem if one of the backups fails.
  5)
  Take a backup
  Extend the schema
  Join the 2012 R2 servers to the domain
  Add the ADDS role to the 2012 R2 member servers
  Promote the 2012 R2 DC's
  Transfer the FSMO roles to the 2012 R2 DC's (Not required but recommended)
  If you want to retire the 2003 DC's, then you will need to make sure that any clients pointing to the 2003 DC's for DNS are pointing to other DC's.
  If you do retire the 2003 then you can think about updating the DFL and FFL of the domain and forest.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• SBS 2008 to Server 2012 R2 Active Directory Migration

  Is there a tool that i can use to migrate Active Directory from SBS 2008 to Server 2012 R2?

  There is no special tool for your situation. While there is a tool called ADMT that you may see mentioned if you search enough, it isn't really well suited for what you want.
  With that said, there is also no *need* for a tool as I've already said. Nor do you need to recreate the users and have mismatched SIDs. You will add the 2012 machine to your existing domain and make it a domain controller. Yes, that means you will have
  two DCs (for a time.)  This is how larger organizations handle multiple DCs all the time, and they obviously don't go and create the same user on each DC. That is where the domain replication comes in.  Your new server will be a DC and will replicate
  all of the users *and* SIDs from the existing SBS server. 
  Then, when you are ready, you decommission the SBS 2008 server gracefully and the new 2012 server becomes your sole DC, but has AD completely intact. It is a tried and true practice, both within and outside of the SBS world, and has been done many many times.

• DNS, Certificates, and Active Directory - School Setup Issues

  Our school has been piloting a small iPad depolyment.  I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
  1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
  2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
  3. About 90 iPads, and a handfull of Mac desktops
  In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
  However, this is not the case.  The setup seems to work for awhile; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of issues I am seeing:
  a.) DNS service on the Mac server turns itself ON randomly.  DNS should NOT be running this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
  b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
  c.) AD binding breaks randomly and I have to rebind the server to AD
  d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
  I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

  Yes, I am not giving the real domain name here.
  No prob. just checking, sometimes people have weird domain names never know if they are real or they expect them to be real or they put domain names owned by someone else on their internal network eek.
  Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
  Go to Network Utility on your mac, type in your real domain name (whatever you are changing to school.org to hide it) what comes back. On my server I see the below (I have replaced my real, Internet legal domain, to 'example.com')
  In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
  So you have set DNS forwarders on the Mac machine?
  I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
  On mac machine terminal type $less /etc/resolv.conf and copy paste what it says. In server app Services | DNS right side does it say you have forwarders?
  Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
  Lookup has started…
  Trying "example.com"
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
  ;; QUESTION SECTION:
  ;example.com.                   IN        ANY
  ;; ANSWER SECTION:
  example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
  example.com.     10800          IN         NS          server.example.com.
  example.com.     10800          IN         MX          10 server.example.com.
  ;; ADDITIONAL SECTION:
  server.example.com. 10800       IN          A          192.168.1.20
  Received 145 bytes from 127.0.0.1#53 in 2 ms

• Active Directory credential caching issues under OS X 10.5.5 (and 10.5.4)

  We are experiencing issues with cached credentials and login delays using the Active Directory DirectoryServices plugin under 10.5. In our case, the plugin works fine as long as the system is on one of our networks, and credential caching works when the system is disconnected. Everything is repeatable, scripted and reasonably well tested. We're pretty happy with how it's working on-site. Once a system leaves our network however, as laptops tend to do, it is not possible to log in without a massive delay. Looking into the issue, I have determined that the following contribute to the problem:
  1) There are 9 active directory servers in our "/Library/Preferences/DirectoryServices/ActiveDirectoryDynamicData.plist" file.
  2) The timeout appears to be 90 seconds, according to the string value of the LDAP Connection Timeout element in "/Library/Preferences/DirectoryServices/ActiveDirectory.plist".
  The login delay does seems to coincide with the value of 90 seconds multiplied by the number of AD servers, about 13 1/2 minutes. Changing the value of the LDAP Connection Timeout does not seem to resolve the issue, even after a reboot. Moving the ActiveDirectoryDynamicData.plist file out of the way (to prevent the system from contacting any AD servers) does not seem to resolve the issue either. I'd like the ability to force cached credentials without the AD delay. Is this possible to change this value without rebooting, or at least without patching the binaries?
  I am currently testing on a MacBook Air with 10.5.5, and the following procedure was used from the command line to configure AD (note that you'd need to replace the AD username, OU, and domain values):
  dsconfigad -a `hostname -s` -u "ad-admin-user-replaceme" -ou "OU=Whatever, OU=You, OU=Have" -domain=example.com -mobile enable -mobileconfig disable -useuncpath disable
  dscl -q localhost -create /Search SearchPolicy ds AttrTypeStandard:CSPSearchPath
  defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
  plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
  Reboot and all seems to be working for us, except when the systems leave our network.
  Note that the last command (plutil) is not strictly necessary, but the DirectoryService utility seems to write the file in xml1 format, so this makes things consistent with what Apple is doing and hopefully less likely to break anything.

  As silly as it seems to respond to one's own posts, I think I've found a solution. Using the first set of commands at the bottom of this post, I disable Active Directory authentication (and ensure that LDAPv3 is disabled as well). This seems to still allow for cached credentials to function, since AD is still in the search path. Although there is still a rather long 2 minute initial delay on the MacBook Air, it seems to work and is nowhere near 13 1/2 minutes. Interestingly enough, it seems to work with little delay on a test Powerbook G4 using the same baseline configuration with little to no delay.
  My plan is to push this out through my update mechanism as a cron job every 5 minutes, with a script that detects whether it's on one of our networks. The cron job will also be run on bootup so systems initially booted shouldn't need to suffer a 13.5 minute delay. This could be made better with a mechanism that could launch a script when the network interface came up or went down, I'll look at launchd for clues. If you have any comments feel free to reply...
  Commands executed on networks which cannot access our AD servers:
  defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive"
  /usr/libexec/PlistBuddy -c "Set \"LDAP Connection\ Timeout\" 0" /Library/Preferences/DirectoryService/ActiveDirectory.plist
  Commands executed when a system is back on one of our networks:
  defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
  /usr/libexec/PlistBuddy -c "Set \"LDAP Connection\ Timeout\" 90" /Library/Preferences/DirectoryService/ActiveDirectory.plist

• Active directory SYSVOL replication issues

  Hello. 
  I have 2 domain controllers, both of them on the same site DC1 & DC2. I have added a new site with a DC3. When I have added DC3 to the domain, I have realized, SYSVOL was not initialized correctly. I went back to DC1 and found out, there's following
  error in the event viewer:
  Error: 4012 on DC1
  The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter
  (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
  Error: 2213 on DC2
  The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication
  WMI method to resume replication. 
  This indicates a DFS replication issue between DC1 & DC2 and probably this would be the reason, why the SYSVOL was not properly initialized on DC3. 
  How can I restore correct DFS replication between DC1 & DC2? I've read
  this article, but it's not clear to me, which of the 2 domain controllers has a good version of SYSVOL + I can not find a decent step-by-step article for reconnecting Windows 2012 domain controller.
  Any idea, how I can proceed further here?

  Here's a complete documentation with resolution of my issue. I have created this documentation for my own purposes in our WIKI, so I will paste it here (I hope, it will help somebody else in the future):
  The Problem
  We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain
  controller in the DOMAIN. After the promotion, I have added a single computer to the domain. When I have logged on the client to the domain, I realized, this computer is not using the new domain controller (NEWDC01)
  for authentication, but DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming, the Active directory sites & services are configured properly). Further investigation revealed,
  there are some replication errors on OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can
  add the NEWDC01 server to domain properly.
  Analysis
  There are several errors related to DFSR replication on both domain controllers:
  Error: 4012 on OLDDC01
  The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain.
  This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder
  until this error is corrected.
  Error: 2213 on OLDDC02
  The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database
  is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
  In order to have active directory in a healthy condition, one must ensure, there’s a successful
  replication between existing domain controllers up and running. If the replication does not work correctly, you can expect bunch of issues.
  group policies and logon scripts are not applied correctly, or as intended
  when you want to add a new domain controller to the domain, it will not work as expected (although, you will not see any specific errors after the
  server is promoted to be a domain controller)
  Active directory backup
  I have scheduled an AD backup on OLDDC01 server using the ‘Windows Backup’ solution to make sure,
  I can restore the AD / SYSVOL, in case something goes wrong. The backup is scheduled to be executed every day.
  Active directory restore
  In this particular case, I will talk only about SYSVOL restore. As indicated above, we must get
  rid of the DFSR event viewer errors which you can find in event viewer. One of them is indicating, that the JET database was not shut down cleanly and autorecovery was disabled. The other error indicates, the SYSVOL volume is no longer replicated. I am not
  sure, what is the reason, why the AD’s in the domain stopped to replicate. Probably it was an unclean server shutdown. The DFSR service stopped to replicate the SYSVOL share and I was not aware about that. When the replication did not run for more than ~99
  days, the SYSVOL share was excluded from the DFSR replications.
  Find out the most accurate SYSVOL share in the domain
  I have compared the content of the SYSVOL directories on both OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies.
  Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means, that the content is approximately the same, thus I can’t tell, which version is most recent. I do most of the GPO changes on OLDDC01, so I made a conclusion,
  that this server contains the most recent version of the SYSVOL share.
  There are 2 types of SYSVOL restores, you can do:
  Authoritative restore
  Non-authoritative restore
  Non-authoritative restore
  This is a more simple kind of a restore. You can perform this kind of restore, when you are sure,
  that one of the domain controllers is authoritative (e.g. you presume, the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform non-authoritative restore of the active directory on a broken domain controller.
  Authoritative restore
  In this case, you can designate a specific domain controller to be authoritative. You set a special
  flag on this server, which will prohibit to overwrite it’s state from another domain controllers, when the replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the another domain controllers
  using the non-authoritative procedure.
  In this article, you can find, how to perform authoritative vs. non authoritative AD resotre:
  http://support.microsoft.com/kb/2218556.
  In my case, I was not sure, which of the domain controllers had a more recent copy of AD, so I
  have decided to make OLDDC01 authoritative (check the link above). Once this has been done, I have made a non-authoritative update on OLDDC02 server.
  Everything was almost ready. The last step, I needed to execute was, I needed to fix the ‘JET’
  event viewer error on SRVBK1. In the event log entry on the bottom, you can find following:
  Recovery Steps
  1. Back up the files in all replicated folders on the volume. Failure to do
  so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
  2. To resume the replication for this volume, use the WMI method ResumeReplication
  of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
  wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig
  where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
  For more information, see http://support.microsoft.com/kb/2663685.
  Final words
  After I have executed this command, the replication was again started between OLDDC01 and OLDDC02
  servers. After I have started up the NEWDC01 server, I have realized, it has automatically replicated the contents of the SYSVOL share - almost immediately after the server was started up. I have again tried to login with the local client into DOMAIN domain
  and now I see, that local client is using local Domain controller for authentication.
  Everything seems to be OK now.

• Free JOSE Active Directory Reporting tool in English available!!!

  Hello,
  this FREE tool is in German language a long time available.
  NOW the English version is ready for use also. Please check if it is an option for your work.
  http://www.faq-o-matic.net/2013/08/12/jos-active-directory-reporting-english-version-is-live-now/
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  Hello,
  I was surfing the threads to see what is going on until I saw this posts and I was stopped to download this tool. It is a great tool Meinolf ! I downloaded it and trying to check all the reports. So far so good my friend. Also I was amazed once I saw the
  nice "Trust Relationship" icon. Every time I run this tool I will definitely check for Trust Relationships first. :)
  In addition I was wondering how it is possible to inform you about a method in order to improve the design in this tool? 
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Active directory migration , profile migration using admt

  Hi,
        I have request to migrate the users using admt tool, where profile avg size is 100 mb. how much approx time it should take..  considering below
  1. if profile is local or roaming , does it make any difference in time taken
  2. size of profile is 10 mb and 100 mb, should i assume assume it should take 10 time more time?
  3. what are the other parameters can affect time taken for migration
  thanks

  I think what you need to use is User State Migration Toolkit (USMT), ADMT is used for migration of domain accounts and from the way I am reading this it sounds like you are trying to migrate profiles on a desktop.
  http://technet.microsoft.com/en-us/library/dd560801(v=WS.10).aspx
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Migration tool issue

  While creating a propagation session on Workshop 9.2 that merges the assets of my source and production environments i get this error that prevents me to selectively choose the nodes to propagate:
  <pre>
  java.lang.StringIndexOutOfBoundsException: String index out of range: 0
       at java.lang.String.charAt(String.java:558)
       at com.bea.p13n.management.inventory.util.XmlHeaderUtil.removeXmlVersion(XmlHeaderUtil.java:66)
       at com.bea.p13n.management.inventory.hierarchy.nodes.common.xml.FileSystemXmlDescriber.getXml(FileSystemXmlDescriber.java:108)
       at com.bea.content.management.inventory.offline.rule.ContentNodeRules.discoverDependencies(ContentNodeRules.java:81)
       at com.bea.p13n.management.inventory.hierarchy.nodes.common.BaseNodeRules.getDependencies(BaseNodeRules.java:125)
       at com.bea.p13n.management.inventory.hierarchy.trees.common.DependencyComputer.handleNode(DependencyComputer.java:112)
       at com.bea.p13n.management.inventory.hierarchy.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:205)
       at com.bea.p13n.management.inventory.hierarchy.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:220)
       at com.bea.p13n.management.inventory.hierarchy.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:220)
       at com.bea.p13n.management.inventory.hierarchy.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:220)
       at com.bea.p13n.management.inventory.hierarchy.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:220)
       at com.bea.p13n.management.inventory.hierarchy.InventoryTreeWalker.walkDepthFirst(InventoryTreeWalker.java:154)
       at com.bea.p13n.management.inventory.hierarchy.InventoryTreeWalker.walkDepthFirst(InventoryTreeWalker.java:72)
       at com.bea.p13n.management.inventory.hierarchy.trees.common.DependencyComputer.computeDependencies(DependencyComputer.java:88)
       at com.bea.p13n.management.inventory.hierarchy.trees.common.DependencyComputer.computeDependencies(DependencyComputer.java:56)
       at com.bea.p13n.management.inventory.tool.common.diff.ImpliedChangeComputer.<init>(ImpliedChangeComputer.java:93)
       at com.bea.p13n.management.inventory.tool.common.diff.PropagationDifferencer.generateDifferences(PropagationDifferencer.java:163)
       at com.bea.p13n.management.inventory.tool.common.diff.TreeCombiner.combineTrees(TreeCombiner.java:96)
       at com.bea.wlp.eclipse.proptool.ProptoolUtil.combineTrees(ProptoolUtil.java:251)
       at com.bea.wlp.eclipse.proptool.editor.PropSessionElement.doLoadMergedInventory(PropSessionElement.java:221)
       at com.bea.wlp.eclipse.proptool.editor.PropSessionElement.load(PropSessionElement.java:177)
       at com.bea.wlp.eclipse.proptool.editor.PropSessionDocument.load(PropSessionDocument.java:183)
       at com.bea.wlp.eclipse.proptool.editor.PropSessionDocument$1.run(PropSessionDocument.java:129)
       at org.eclipse.core.internal.jobs.Worker.run(Worker.java:76)
  </pre>
  I've tried several times, each time restarting Workshop.
  Unfortunately i can't propagate till i don't find a solution.
  Thx for any help
  Dario

  Hi Dario
  This looks like a portal issue, please post it in portal newsgroup at http://forums.bea.com/bea/forum.jspa?forumID=2044
  Vimala-