Active Directory - SharePoint Replication Problem with User Information

Hi, we have an implementation of SharePoint 2010 on a standalone server. When we started to work on this server, we added the users from the Active Directory services implemented in our company. These users had information like the email and department. When I add a user to SharePoint, SharePoint imports all of the user's information.
The problem is that when I change the user's email in Active Directory, this information doesn't replicate to SharePoint. The user has the new email in Active Directory and the old email in SharePoint.
How can I replicate all of the user's new information to SharePoint?
I hope someone can help me.
Thanks.

Standalone installations of SharePoint do not support the User Profile Sync Service. You'll want to use a farm installation for that functionality.
Are you using SharePoint Foundation, Standard, or Enterprise? The UPSS only comes with Standard and Enterprise.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Similar Messages

  • Problem with users disabling ARD client service

    I've got a problem and I'm not quite sure of the workaround. I'm a PC guy by nature and can't quite figure this out.
    I'm having a problem with users disabling the ARD service from the sharing menu. Unfortunately users need to have admin privileges to do their work so I can't simply give them a standard account.
    I've hidden the ARD user account I created from the login window through NetInfo, but I need to find a way to stop users from shutting the ARD service down.
    They don't seem to understand that the company requires that it be on the computer. Now, I'm the one who is set as the admin for ARD in the building, however we really just use it to roll out drivers, install packages, and it's a lifesaver for remotely fixing problems with programs. The company didn't really buy it to spy on the employees.
    Is there any way to hide the service from an admin level account? Or keep them from shutting it down?
    BTW, this would have to be done on multiple machines running both panther and tiger.
    Any help would be appreciated as I'm not quite sure where to start.

    First, as a matter of policy, let them know this service is active, and needs to remain active. If they disobey this instruction and turn it off, you have a human resources issue, not a technical issue.
    Second, there are very few enterprise users that need admin access to their machines. Oh, they ALL think they do, and there will be howling when non-admin status is first imposed, but we have 350 users in a publishing environment with less than 20 set up as admins. Those users are almost all superusers who assist others in a technical role.
    We have far fewer software problems like this and with ARD, IT can install/ authorize installation of software remotely should a user need that. It simply does not dramatically impact our users to have non-admin access. On the other hand, we recognize that a FEW users will need more access, and grant that on a case-by-case basis.

  • Problem with Billing Information

    Hello,
    Just recently, about 5 months ago, I received a Visa gift card for graduation. I used that as my billing information; chose VISA as the card and then put in the card number. After I was done picking my desired songs, it told me there was a problem with my information and that it had been declined or something. It also said I would have to resolve it before I would be able to purchase more songs.
    So are we not allowed to use VISA gift cards? Now I have an iTunes gift card that I want to use and it won't let me because this previous problem has not been resolved. What do I need to do? I'd rather not have to repay this or have to use this iTunes gift card to pay for it. There was money on that VISA card and I used it to buy songs. I do not have a credit card to repay it either. What do I do?
    Thank you so much.

    I experienced the same problem around the same time. After several less than helpful and very frustrating emails from Apple Support, I happened upon a very simple solution that solved my problem. I went into "Edit Payment Information", and I re-entered my credit card information, security code, etc... just like I had tried a thousand times before. BUT this time, I TYPED IN A SPACE AFTER MY FIRST NAME. It worked. It finally accepted my credit card information.
    They tell you to enter your name just as it appears on your bank statement. It just never occurred to me that they meant to include spaces. I would assume that if your bank prints your middle initial on your statement, you should include that in the "First Name" box as well along with any applicable punctuation. For example, Joe(space)S.(space).
    I offered this advice to my friend as she was having the same problem, and it worked for her, too. So, you might want to give it a try.
    Message was edited by: Max Colevan

  • Problem with user-defined functions in XQuery String

    Hello,
    I have a problem with user-defined functions in an XQuery string.
    Details are here (the code is not human-readable via the forum's embedded editor?? Strange):
    http://docs.google.com/Doc?id=ddqwddsr_21c96d9x
    thanks !!

    See
    michaels>  select xmlquery('declare function local:test_function($namecmp as xs:string?, $inputtype as xs:string?) as xs:string?      
                        return {$inputtype}
                     local:test_function("1","2")' returning content) o from dual
    Error at line 5
    ORA-19114: error during parsing the XQuery expression:
    LPX-00801: XQuery syntax error at '{'
    3                       return {$inputtype}
    -                              ^
    michaels>  select xmlquery('declare function local:test_function($namecmp as xs:string?, $inputtype as xs:string?) as xs:string?      
                        $inputtype
                     local:test_function("1","2")' returning content) o from dual
    O   
    2   
    1 row selected.

  • Problem with user mapping

    Hello,
    We have a problem with user mapping to a SAP system.
    We create a SAP system, and an alias to this system.
    We add a user mapping for the administrator (user, not group). The check for the connector is OK.
    Now, we make the same user mapping for a group.
    If the user also belongs to the group "administrator", this mapping works; otherwise it fails with the message "com.sapportals.portal.ivs.cg.SystemNotFoundException: Got null system object for alias R3HR".
    After checking, there is no user mapping for the "administrator" group, nor for the roles that belong to that group, nor for the user.
    So, it seems that the alias is only visible for an admin.
    Does anyone have an idea? We are on SP14, Linux.
    Regards,
    Guillaume PATRY

    Hi Guillaume,
    The user mapping is available for both admin and end users.
    Open your system from System Administration > System Configuration > System Landscape.
    In the property editor, in the dropdown for property category,
    select the logon method as UID?password and User Mapping type to admin/user.
    Then you can create a group, map the system alias for this group and add users to this group.
    Also, in the property editor for the system, from the dropdown for display, select permissions, and add the group to assigned permissions as READ ONLY and select the checkbox for ENDUSER.
    Hope this resolves your problem.
    Regards,
    Siddhartha

  • Problem with user number

    Good morning, I have a problem with the user number on my BlackBerry Curve 8900 smartphone: when I call a number from my address book, a user number that I don't know appears on the right. Why doesn't mine appear? I didn't buy this smartphone personally, but I got it (used) from the smartphone's owner... I think that the user number that appears on my display is his. How can I remove it?
    Waiting for an answer, thank you.

    Hello scricciolina90
    Welcome To Support Forums
    On your Curve 8900, from the Home screen > click Options > click Advanced Settings > SIM Card > highlight the phone number > press the Menu key and click Edit SIM Phone Number > check that field or enter your mobile number in that field.
    Good luck.

  • Weblogic with Active Directory Authentication provider problem: DN for user ....: null

    I have a Java application (SSO via SAML2) that uses WebLogic as an Identity Service Provider. All works well using users created directly in WebLogic. However, I need to add support for Active Directory. So, as per the documentation:
    - I defined an Active Directory Authentication provider
    - changed its order in the Authentication Providers list so that it comes first
    - set the control flag to SUFFICIENT and configured the Provider Specific settings; here's the relevant part of config.xml:
    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
            <sec:name>MyOwnADAuthenticator</sec:name>
            <sec:control-flag>SUFFICIENT</sec:control-flag>
            <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
            <wls:host>10.20.150.4</wls:host>
            <wls:port>5000</wls:port>
            <wls:ssl-enabled>false</wls:ssl-enabled>
            <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
            <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
            <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
            <wls:cache-enabled>false</wls:cache-enabled>
            <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
    </sec:authentication-provider>
    I configured an AD LDS instance (Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to the Administrators members. I also made sure to set the msDS-UserAccountDisabled property to FALSE.
    After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
    Here's what I see in the log file:
    <BEA-000000> <LDAP Atn Login username: tadmin>
    <BEA-000000> <authenticate user:tadmin>
    <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    <BEA-000000> <DN for user tadmin: null>
    <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    <BEA-000000> <DN for user tadmin: null>
    <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
      at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
      at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
    #!SEARCH REQUEST (145) OK
    #!CONNECTION ldap://10.20.150.4:5000
    #!DATE 2014-01-23T14:52:09.324
    # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
    # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
    # baseObject   : CN=wl,DC=at,DC=com
    # scope        : wholeSubtree (2)
    # derefAliases : derefAlways (3)
    # sizeLimit    : 1000
    # timeLimit    : 0
    # typesOnly    : False
    # filter       : (&(cn=tadmin)(objectclass=user))
    # attributes   : objectClass
    #!SEARCH RESULT DONE (145) OK
    #!CONNECTION ldap://10.20.150.4:5000
    #!DATE 2014-01-23T14:52:09.356
    # numEntries : 1
    (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
    As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
    I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
    So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
    I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
    Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
    Here are some other things I tried but did not change anything:
    - the other "msDS-" attributes were not set so I tried initializing them to some value
    - I tried other users defined in AD LDS, not tadmin
    - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
    - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
    Any thoughts?
    Thanks.

    I managed to narrow it down: the AD LDS does not support the userAccountControl.
    Does anyone know how I can configure my Active Directory Authentication Provider in WebLogic so that it does not implicitly use userAccountControl as a filter?
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 
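
An added illustration (not part of the thread, and not WebLogic or AD LDS code) of why the logged search can return nothing while the shorter filter from Apache Directory Studio matches. It evaluates the thread's filters with the three-valued logic of RFC 4511, assuming, as the follow-up post reports, that the AD LDS instance does not recognise userAccountControl and that a clause on an unrecognised attribute is Undefined; the schemas, entries and the third filter are constructed.

```python
"""Three-valued LDAP filter evaluation (RFC 4511, section 4.5.1.7).

Handles only what the thread's filters use: &, |, !, equality and the
bitwise-AND extensible match. No escapes, substrings or presence tests.
"""

BIT_AND = "1.2.840.113556.1.4.803"  # matching-rule OID from the logged filter

# Filters taken from the thread: the WebLogic log and the Directory Studio test.
WEBLOGIC_FILTER = ("(&(&(cn=tadmin)(objectclass=user))"
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
STUDIO_FILTER = "(&(cn=tadmin)(objectclass=user))"
# Constructed comparison filter using the AD LDS attribute the post mentions.
LDS_STYLE_FILTER = "(&(cn=tadmin)(objectclass=user)(!(msDS-UserAccountDisabled=TRUE)))"

# Constructed schemas (attribute names the server recognises) and entries.
# Assumption: the AD LDS instance has no userAccountControl attribute defined.
ADLDS_SCHEMA = {"cn", "objectclass", "msds-useraccountdisabled"}
ADDS_SCHEMA = {"cn", "objectclass", "useraccountcontrol"}
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
LDS_ENTRY = {"cn": ["tadmin"], "objectclass": USER_CLASSES,
             "msds-useraccountdisabled": ["FALSE"]}
ADDS_ENABLED = {"cn": ["tadmin"], "objectclass": USER_CLASSES,
                "useraccountcontrol": ["512"]}
ADDS_DISABLED = {"cn": ["tadmin"], "objectclass": USER_CLASSES,
                 "useraccountcontrol": ["514"]}  # 512 + ACCOUNTDISABLE (2)


def parse(text):
    """Parse a filter string into nested tuples."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data at offset {end}")
    return node


def _parse(text, i):
    if not text.startswith("(", i):
        raise ValueError(f"expected '(' at offset {i}")
    op = text[i + 1:i + 2]
    if op in ("&", "|", "!"):
        i += 2
        kids = []
        while text.startswith("(", i):
            kid, i = _parse(text, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1) or not text.startswith(")", i):
            raise ValueError(f"malformed '{op}' filter near offset {i}")
        return (op, kids), i + 1
    end = text.find(")", i)
    lhs, eq, value = text[i + 1:end].partition("=")
    if end < 0 or not eq:
        raise ValueError(f"malformed item at offset {i}")
    # "attr" for equality, "attr:rule:" for an extensible match (attr:rule:=value)
    attr, _, rule = lhs.rstrip(":").partition(":")
    return ("item", attr.lower(), rule or None, value), end + 1


def evaluate(node, entry, schema):
    """Return True, False or None (Undefined) for one entry."""
    kind = node[0]
    if kind == "item":
        _, attr, rule, want = node
        if attr not in schema:
            return None                      # unrecognised attribute: Undefined
        values = entry.get(attr, [])         # recognised but absent: FALSE
        if rule is None:
            return any(v.lower() == want.lower() for v in values)
        if rule == BIT_AND:
            mask = int(want)
            return any((int(v) & mask) == mask for v in values)
        return None                          # unrecognised matching rule
    results = [evaluate(kid, entry, schema) for kid in node[1]]
    if kind == "!":
        return None if results[0] is None else not results[0]
    if kind == "&":
        if False in results:
            return False
        return None if None in results else True
    if True in results:                      # kind == "|"
        return True
    return None if None in results else False


def search_returns(filter_text, entry, schema):
    """A server returns an entry only when the filter is TRUE, not Undefined."""
    return evaluate(parse(filter_text), entry, schema) is True


if __name__ == "__main__":
    cases = [("AD LDS, logged filter", WEBLOGIC_FILTER, LDS_ENTRY, ADLDS_SCHEMA),
             ("AD LDS, Studio filter", STUDIO_FILTER, LDS_ENTRY, ADLDS_SCHEMA),
             ("AD LDS, LDS-style filter", LDS_STYLE_FILTER, LDS_ENTRY, ADLDS_SCHEMA),
             ("AD DS, enabled user", WEBLOGIC_FILTER, ADDS_ENABLED, ADDS_SCHEMA),
             ("AD DS, disabled user", WEBLOGIC_FILTER, ADDS_DISABLED, ADDS_SCHEMA)]
    for label, flt, entry, schema in cases:
        print(f"{label:26} -> {evaluate(parse(flt), entry, schema)}")
```

For the AD LDS entry the logged filter comes out Undefined rather than FALSE: the negation of an Undefined clause stays Undefined, so the entry is dropped even though the account is enabled.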

  • Problem with users accessing sharepoint 2013 site collection

    I have an unbelievable problem..
    I have a SP site with several site collections..
    I have around 15 users.. Everybody has access to the root site. Two users do not have access to site collections even though they are in EXACTLY the same permission groups as other users who can access those site collections!
    I tried to delete them from all user groups in SP, then delete their user profiles in Central Administration, and delete them from Active Directory. After that I recreated their profiles in Active Directory, re-added them to Central Administration, and again added them to the corresponding groups in SharePoint site collections. They again CAN NOT ACCESS site collections.
    What should I do.. It is incredible that 5 users with the same user privileges can access site collections, and 2 can not, even though they are all created in the same way..
    Regards,
    Srdjan

    Hello,
    Have you found a solution for this problem? I have the exact same problem with 2 users accessing a site collection (access denied). I found also this row on uls log:
    Access Denied. Exception: Attempted to perform an unauthorized operation., StackTrace:   at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)     at Microsoft.Office.Project.PWA.PJBaseWebPartPage.OnPreInit(EventArgs
    e)     at System.Web.UI.Page.PerformPreInit()     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     at System.Web.UI.Page.ProcessRequest(Boolean
    includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     at System.Web.UI.Page.ProcessRequest()     at System.Web.UI.Page.ProcessRequest(HttpContext context)     at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()    
    at System.Web.HttpApplication.ExecuteStep(IExecutionSt... 6955b79c-c42c-50fc-84f8-2b68f97002ea

  • Problem with user home directory redirection on OS X

    It appears that the Authorware 7.01 runtime gets confused when home directory redirection is used on Mac OS X to redirect a user's directory to the network.
    I suspect it is a problem with the path to the Application Support folder where Authorware stores its .rec files.
    What happens is that JumpFileReturn returns to the start of the piece, rather than returning to where the jump was performed.
    Has anyone else seen this? Is there any workaround?
    On Windows one can set up an ini file to tell Authorware where to store temporary files. Is there any such equivalent on Mac?

    I'm not sure of the process on Macs that matches the use of the ini file, but the goal was always identical operation on both platforms so it's very likely that the ini file is read and interpreted in the same manner.
    It seems that the 'initial' location of the current records folder is the one that's messed up. The .rec file is created on the local machine rather than the redirected one. I can only guess that either the home folder isn't redirected until after the first AW piece starts or the initial setting is being set to a 'default' location for the user rather than asking the system what the current location is. A solution might be to create a "launcher" application with Authorware designed to start up and jump to what is currently your startup piece. This way the RecordsLocation should be changed to the network location and you can ignore the original rec file since you'll never return to that first location.
    HTH
    ====================
    Mike Baker
    Adobe Community Expert
    [email protected]
    "peterevensen" <[email protected]> wrote in message news:[email protected]...
    > On Mac OS X, you can set a workstation up to have the user's directory (including the preferences folder, etc.) on a file server. If one sets up a Mac workstation to do this, Authorware quits working properly when you jump between pieces.
    >
    > The piece is set up correctly. I don't touch the User Record location. The pieces are set to resume and work fine if the user's directory is not redirected.
    >
    > When Authorware jumps to another piece/file, it dumps out a *.rec file containing the current state. These are stored on the Mac in <user directory>/Library/Application Support/Macromedia/AW7Data folder. When the user directory is redirected to the network and the user exits the file that was jumped to, the original piece starts over from the beginning. This is the same behavior you see if Authorware cannot write out the *.rec file (e.g., if you write protected the above folder, or the equivalent folder on Windows, hence the change in AW 6.5
    > http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16607&sliceId=1
    >
    > This problem has been reported in the field several times. I haven't set up a server yet to reproduce it, but my assumption is that Authorware is not getting the path or not handling the path to the user's Application Support properly when it is redirected to a network server.
    >
    > On Windows, there is an .ini file which can be used to change where Authorware stores temporary files (.rec). I don't believe there is an equivalent for the Mac runtime, is there? I see that I could change that path using the path parameters in JumpFileReturn, but does that change where the current piece you're jumping from writes out the .rec file? It would be preferable if I could change it globally once, rather than going into the 100s of pieces I am maintaining.
    >
    > I'm not sure an aw7.ini would fix the problem in any case, since I am not sure where one could safely map the user record location, since this is a multi-user environment. You couldn't map everyone to the same location.
    >
    > Your reply, while not answering my question directly, has pointed me to some more things to look at (like the path parameter on JumpFileReturn), although I'm not sure why Authorware isn't working without changing that. If you have any additional suggestion, I would greatly appreciate it!
    >
    > quote: Originally posted by: Newsgroup User
    > I'm not sure what you're asking. Can you provide more detail? Are you using JumpFileReturn to launch another file, which also sets a different UserRecord location? And that doesn't work...how?
    > Do you have 'resume' set in the File Preferences instead of 'restart'?
    > Erik

  • Looking for Help with Active Directory Script to Remove a User from msExchDelegateListLink

    I'm struggling to put together an Active Directory Powershell script that will remove a specific user from the msExchDelegateListLink.
    It looks like Set-AdUser would do the trick. I would want to remove a user in the format of
    {CN=Wood\, Sandy,OU=Networking,OU=IT,DC=my,DC=domain,DC=com}
    Has anyone succeeded in doing this before?
    Orange County District Attorney

    I use this:
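    $user = '<user name>'
    # DN of the user to remove from the delegate lists
    $userDN = Get-ADUser $user | select -ExpandProperty DistinguishedName
    # msExchDelegateListBL is the back-link: the objects whose msExchDelegateListLink references this user
    $delegates = Get-ADUser $user -Properties msExchDelegateListBL |
        select -ExpandProperty msExchDelegateListBL
    foreach ($delegate in $delegates) {
        Set-ADUser $delegate -Remove @{msExchDelegateListLink = "$userDN"}
    }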
    Never quite got around to putting it into a function.
    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

  • Replication problem with iPlanet directory server 5.1 SP2 HF1

    If I apply a change to either of the consumer servers for an entry that belongs to the large database, that change does get applied to the consumer targeted but it cannot refer the change to the master. Neither the master nor the other consumers get updated consequently. I did not have this problem with directory server 5.1 SP1. I only see this problem after I apply directory server 5.1 SP2 HF1.
    From the error log file, I see the following message:
    NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica

    I have a suggestion - try another means for administering your directory - use the console only for maintenance and tuning purposes. There are several products out there that are much better for day to day operations ...
    Otherwise - I think with 5.1 the view is based on the rdn of the entries - and I am not sure it is customizable. Additionally I know 5.2 solved your second issue - maybe the latest SP of 5.1 has solved it as well - though I don't really know ...
    -Chris Larivee

  • SCCM report to show last logged on user and the Active Directory department attribute of that user.

    I need to create an SCCM report to show last logged on user on all machines and the Active Directory department attribute of that last logged on user.

    Your problem is here.
    right join v_R_User USR on USR.ResourceID = CS.ResourceID
    USR.ResourceID != CS.ResourceID, you need to map the username to the user logon to the PC. By using the user’s department information you will end up with unreliable results.
    Anyways you need to make these changes to your query.
    left join v_R_User USR on USR.Unique_User_Name0 = CS.UserName0
    http://www.enhansoft.com/

  • SharePoint 2013 Problem with automatic detection of Site language - default language

    Hi all,
    we have a SiteCollection that was created with 'english' as default language.
    On our SharePoint 2013 environment we have installed the 'german' and 'french' language pack. Both languages are activated as alternative languages on that SiteCollection.
    But the automatic language detection is not working properly for us.
    Problem description:
    User Browser language = German --> Site language = German
    If you now change the Browser language to 'Italian' then we would expect that the site will be displayed in 'English' because the 'Italian' language pack is not installed and the SiteCollection default language was set to 'English'...
    But the Site will be not displayed in 'English' it will keep the last language in this case 'German'...
    Another example: If you change the browser language to 'French' the whole Site is displayed in French. If you try to switch now to 'Italian' then the Site will be still displayed in 'French' instead of 'English'...
    Any ideas what could cause this problem?
    Regards, Simon

    Hi Simon,
    Here is the order of the language preference showing to users with different settings
    For your issue it may be due to the IE data cache, please clear all the IE data cache, then reopen the IE browser see if it displays the English language as expected.
    http://technet.microsoft.com/en-us/library/ff805087.aspx
    If the User Profile service application is started on the SharePoint Server 2013 farm, the language preferences stored in the user profile are used. For information about how to add a list of languages to user profile settings in SharePoint Server 2013, see Add, edit, or delete custom properties in SharePoint Server 2013 user profiles. For information about how to add a list of languages to user profile settings in SharePoint Online Administration Center, see Add and edit user profile properties on Office.com.
    If no language preference is defined in the user profile, or if the server uses SharePoint Foundation 2013, the language preferences stored in the user's language settings for the site collection are used.
    If no language preference is defined in the user's site collection language settings, the language preferences stored in the user's web browser are used.
    If no language preference is defined in the user's web browser, the default site language is used.
    Thanks,
    Daniel Yang

  • Active directory SYSVOL replication issues

    Hello. 
    I have 2 domain controllers, both of them on the same site: DC1 & DC2. I have added a new site with a DC3. When I added DC3 to the domain, I realized SYSVOL was not initialized correctly. I went back to DC1 and found out there's the following error in the event viewer:
    Error: 4012 on DC1
    The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
    Error: 2213 on DC2
    The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
    This indicates a DFS replication issue between DC1 & DC2 and probably this would be the reason why the SYSVOL was not properly initialized on DC3.
    How can I restore correct DFS replication between DC1 & DC2? I've read this article, but it's not clear to me which of the 2 domain controllers has a good version of SYSVOL + I cannot find a decent step-by-step article for reconnecting a Windows 2012 domain controller.
    Any idea, how I can proceed further here?

    Here's a complete documentation with resolution of my issue. I have created this documentation for my own purposes in our WIKI, so I will paste it here (I hope, it will help somebody else in the future):
    The Problem
    We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain
    controller in the DOMAIN. After the promotion, I have added a single computer to the domain. When I have logged on the client to the domain, I realized, this computer is not using the new domain controller (NEWDC01)
    for authentication, but DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming, the Active directory sites & services are configured properly). Further investigation revealed,
    there are some replication errors on OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can
    add the NEWDC01 server to domain properly.
    Analysis
    There are several errors related to DFSR replication on both domain controllers:
    Error: 4012 on OLDDC01
    The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain.
    This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder
    until this error is corrected.
    Error: 2213 on OLDDC02
    The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database
    is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
    In order to have active directory in a healthy condition, one must ensure, there’s a successful
    replication between existing domain controllers up and running. If the replication does not work correctly, you can expect bunch of issues.
    group policies and logon scripts are not applied correctly, or as intended
    when you want to add a new domain controller to the domain, it will not work as expected (although, you will not see any specific errors after the
    server is promoted to be a domain controller)
    Active directory backup
    I have scheduled an AD backup on OLDDC01 server using the ‘Windows Backup’ solution to make sure,
    I can restore the AD / SYSVOL, in case something goes wrong. The backup is scheduled to be executed every day.
    Active directory restore
    In this particular case, I will talk only about SYSVOL restore. As indicated above, we must get rid of the DFSR errors which you can find in event viewer. One of them indicates that the JET database was not shut down cleanly and auto recovery was disabled. The other error indicates that the SYSVOL volume is no longer replicated. I am not sure what the reason is why the ADs in the domain stopped replicating. Probably it was an unclean server shutdown. The DFSR service stopped replicating the SYSVOL share and I was not aware of that. When the replication did not run for more than ~99 days, the SYSVOL share was excluded from the DFSR replications.
    Find out the most accurate SYSVOL share in the domain
    I have compared the content of the SYSVOL directories on both OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies. Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means that the content is approximately the same, thus I can’t tell which version is most recent. I do most of the GPO changes on OLDDC01, so I concluded that this server contains the most recent version of the SYSVOL share.
    There are 2 types of SYSVOL restores you can do:
    Authoritative restore
    Non-authoritative restore
    Non-authoritative restore
    This is a simpler kind of restore. You can perform this kind of restore when you are sure that one of the domain controllers is authoritative (e.g. you presume the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform a non-authoritative restore of the Active Directory on a broken domain controller.
    Authoritative restore
    In this case, you can designate a specific domain controller to be authoritative. You set a special flag on this server, which will prohibit overwriting its state from other domain controllers when the replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the other domain controllers using the non-authoritative procedure.
    In this article, you can find how to perform an authoritative vs. non-authoritative AD restore: http://support.microsoft.com/kb/2218556.
    In my case, I was not sure which of the domain controllers had a more recent copy of AD, so I decided to make OLDDC01 authoritative (check the link above). Once this had been done, I made a non-authoritative update on OLDDC02 server.
    Everything was almost ready. The last step I needed to execute was to fix the ‘JET’ event viewer error on SRVBK1. In the event log entry on the bottom, you can find the following:
    Recovery Steps
    1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
    2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
    wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
    For more information, see http://support.microsoft.com/kb/2663685.
    Final words
    After I executed this command, replication started again between the OLDDC01 and OLDDC02 servers. After I started up the NEWDC01 server, I realized it had automatically replicated the contents of the SYSVOL share - almost immediately after the server was started up. I again tried to log in with the local client into the DOMAIN domain and now I see that the local client is using the local domain controller for authentication.
    Everything seems to be OK now.
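
A read-only check for the two DFSR conditions described in the post above (events 4012 and 2213), added here as an example and not part of the original post. It assumes an elevated PowerShell 3.0 or later session on the domain controller being checked; the 7-day lookback is an arbitrary illustrative value.

```powershell
# Added example: read-only DFSR / SYSVOL health check, run on a domain controller.
# Event IDs 4012 and 2213 and the WMI names come from the post above;
# the 7-day lookback window is an assumption chosen for illustration.
$lookbackDays = 7
$meaning = @{
    4012 = 'Folder stale: offline longer than MaxOfflineTimeInDays'
    2213 = 'Dirty DFSR database shutdown: paused until ResumeReplication'
}

# 1. Recent occurrences of the two events in the "DFS Replication" log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'DFS Replication'
    Id        = 4012, 2213
    StartTime = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } } |
        Format-Table -AutoSize
} else {
    "No 4012/2213 events in the last $lookbackDays days."
}

# 2. The staleness limit that event 4012 compares against (60 in the post).
$ns = 'root\microsoftdfs'
$machine = Get-CimInstance -Namespace $ns -ClassName DfsrMachineConfig
"MaxOfflineTimeInDays = $($machine.MaxOfflineTimeInDays)"

# 3. Per-folder replication state; a folder stuck outside 'Normal' needs attention.
$stateName = 'Uninitialized', 'Initialized', 'Initial Sync',
             'Auto Recovery', 'Normal', 'In Error'
Get-CimInstance -Namespace $ns -ClassName DfsrReplicatedFolderInfo |
    Select-Object ReplicationGroupName, ReplicatedFolderName,
        @{ n = 'State'; e = { $stateName[[int]$_.State] } } |
    Format-Table -AutoSize

# 4. Volume GUIDs, needed for the ResumeReplication call quoted in event 2213.
#    Listed only; this script never resumes replication itself.
Get-CimInstance -Namespace $ns -ClassName DfsrVolumeConfig |
    Select-Object VolumePath, VolumeGuid |
    Format-Table -AutoSize
```

Running this on each domain controller on a schedule surfaces a stalled SYSVOL well before the MaxOfflineTimeInDays limit is reached.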

  • Active Directory login soooo slow with 10.4.11 client upgrades

    Hi All,
    I have a problem and hopefully someone will be able to help me.
    We have around 30 Macs in and a golden triangle set up with Mac OS X Server 10.3 on Xserves and a Windows Server 2003 as the PDC and primary DNS server.
    Basically, after upgrading the clients to 10.4.11 the log in process takes an extra 90 seconds to connect. The login window will appear but you are not able to log in until after 90 seconds. During the 90 seconds there are "Some Network Accounts Available" but this is just the Open Directory accounts in the background.
    I have tested with 10.4.4 up to 10.4.10 and this problem does not appear but once I upgrade to 10.4.11 then the problem comes back so I don't believe it is a server orientated problem.
    I also attempted using the old Active Directory plug-in within Directory Access from 10.4.8 and 10.4.10 in place of the one installed with 10.4.11 and this did not help with the matter.
    Does anyone know what has changed with 10.4.11 and what I could possibly do to resolve this problem?
    I probably haven't covered all the bases so let me know if you need more information.
    Dehsinotsa

    Answered at http://discussions.apple.com/message.jspa?messageID=13129261
