Active directory SYSVOL replication issues

Hello.
I have 2 domain controllers, both of them on the same site: DC1 & DC2. I have added a new site with a DC3. When I added DC3 to the domain, I realized SYSVOL was not initialized correctly. I went back to DC1 and found the following error in the event viewer:
Error: 4012 on DC1
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
Error: 2213 on DC2
The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
This indicates a DFS replication issue between DC1 & DC2, and probably this is the reason why SYSVOL was not properly initialized on DC3.
How can I restore correct DFS replication between DC1 & DC2? I've read this article, but it's not clear to me which of the 2 domain controllers has a good version of SYSVOL, and I cannot find a decent step-by-step article for reconnecting a Windows 2012 domain controller.
Any idea how I can proceed further here?
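One way to answer the "which DC has the good SYSVOL" question with data rather than by counting folders: every GPO edit writes the same version counter to two places, the versionNumber attribute of the groupPolicyContainer object in AD and the Version= line of gpt.ini under SYSVOL. A DC whose gpt.ini copies lag the AD value holds the stale SYSVOL. The PowerShell below is an added example, not code from the question or its answers; the DC names and the domain name in it are placeholders, and it assumes RSAT (the ActiveDirectory module) and an account that can read \\<dc>\SYSVOL on every DC.

```powershell
# Added example (not from the original post): rank SYSVOL copies by comparing each
# GPO's gpt.ini "Version=" counter on every DC with the versionNumber attribute of
# the matching groupPolicyContainer object in AD. Both counters are written on every
# GPO edit, so a SYSVOL copy that lags AD is the stale one. DC names and the domain
# name are placeholders.
Import-Module ActiveDirectory

function Get-GptIniVersion {
    # Parse the "Version=<n>" line of a gpt.ini file; $null when the line is missing.
    param([string]$IniText)
    foreach ($line in ($IniText -split "`r?`n")) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int]$matches[1] }
    }
    return $null
}

function Compare-SysvolGpoVersions {
    param(
        [string[]]$DomainControllers,   # e.g. 'DC1','DC2'
        [string]$DomainDnsName          # e.g. 'corp.example.com'
    )
    $domainDn = (Get-ADDomain -Identity $DomainDnsName).DistinguishedName
    # AD side: one object per GPO; its Name is the {GUID} that is also the SYSVOL folder name.
    $gpos = Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -SearchBase "CN=Policies,CN=System,$domainDn" -Properties versionNumber, displayName

    foreach ($gpo in $gpos) {
        $row = [ordered]@{ GPO = $gpo.displayName; Guid = $gpo.Name; AD = [int]$gpo.versionNumber }
        foreach ($dc in $DomainControllers) {
            $ini = "\\$dc\SYSVOL\$DomainDnsName\Policies\$($gpo.Name)\gpt.ini"
            $row[$dc] = if (Test-Path -LiteralPath $ini) {
                Get-GptIniVersion (Get-Content -LiteralPath $ini -Raw)
            } else { 'MISSING' }
        }
        # Any DC whose SYSVOL counter is absent or differs from AD's is flagged.
        $row['Mismatch'] = ($DomainControllers | Where-Object { $row[$_] -ne $row['AD'] }) -join ','
        [pscustomobject]$row
    }
}

# Live usage:
# Compare-SysvolGpoVersions -DomainControllers 'DC1','DC2' -DomainDnsName 'corp.example.com' |
#     Where-Object { $_.Mismatch } | Format-Table -AutoSize
```

The counter packs the user and computer versions into one integer, and the same packed value lands in both AD and gpt.ini, so a plain equality check is enough. A DC that shows MISSING for a GPO is the one whose copy is behind; a DC whose counter differs from AD on most GPOs is the stale one. Two caveats: the check only compares the counter, not the policy files themselves (logon scripts, ADM/ADMX files), so follow up with a hash or size comparison of the whole Policies tree before deciding; and a mismatch on every DC usually means AD replication of the GPC objects itself is lagging, which repadmin /showrepl will show.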

Here's complete documentation of the resolution of my issue. I created this documentation for my own purposes in our wiki, so I will paste it here (I hope it will help somebody else in the future):
The Problem
We bought a new server for our domain. This server (NEWDC01) was promoted to be a domain controller in the DOMAIN. After the promotion, I added a single computer to the domain. When I logged on to the domain from the client, I realized this computer is not using the new domain controller (NEWDC01) for authentication, but the DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming Active Directory Sites & Services is configured properly). Further investigation revealed there are some replication errors on the OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can add the NEWDC01 server to the domain properly.
Analysis
There are several errors related to DFSR replication on both domain controllers:
Error: 4012 on OLDDC01
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain.
This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder
until this error is corrected.
Error: 2213 on OLDDC02
The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database
is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
In order to have Active Directory in a healthy condition, one must ensure there is successful replication between the existing domain controllers. If replication does not work correctly, you can expect a bunch of issues:
group policies and logon scripts are not applied correctly, or as intended
when you want to add a new domain controller to the domain, it will not work as expected (although you will not see any specific errors after the server is promoted to be a domain controller)
Active directory backup
I scheduled an AD backup on the OLDDC01 server using the 'Windows Backup' solution to make sure I can restore AD / SYSVOL in case something goes wrong. The backup is executed every day.
Active directory restore
In this particular case, I will talk only about the SYSVOL restore. As indicated above, we must get rid of the DFSR errors you can find in the event viewer. One of them indicates that the JET database was not shut down cleanly and auto-recovery was disabled. The other error indicates the SYSVOL volume is no longer replicated. I am not sure what the reason is why the DCs in the domain stopped replicating. Probably it was an unclean server shutdown. The DFSR service stopped replicating the SYSVOL share and I was not aware of that. When replication did not run for more than ~99 days, the SYSVOL share was excluded from DFSR replication.
Find out the most accurate SYSVOL share in the domain
I compared the content of the SYSVOL directories on both the OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies. Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means the content is approximately the same, thus I can't tell which version is most recent. I do most of the GPO changes on OLDDC01, so I concluded that this server contains the most recent version of the SYSVOL share.
There are 2 types of SYSVOL restores, you can do:
Authoritative restore
Non-authoritative restore
Non-authoritative restore
This is the simpler kind of restore. You can perform this kind of restore when you are sure that one of the domain controllers is authoritative (e.g. you presume the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform a non-authoritative restore of Active Directory on the broken domain controller.
Authoritative restore
In this case, you designate a specific domain controller to be authoritative. You set a special flag on this server, which prohibits overwriting its state from other domain controllers when replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the other domain controllers using the non-authoritative procedure.
In this article, you can find how to perform an authoritative vs. non-authoritative AD restore:
http://support.microsoft.com/kb/2218556.
In my case, I was not sure which of the domain controllers had a more recent copy of AD, so I decided to make OLDDC01 authoritative (check the link above). Once this was done, I made a non-authoritative update on the OLDDC02 server.
Everything was almost ready. The last step I needed to execute was to fix the 'JET' event viewer error on SRVBK1. At the bottom of the event log entry, you can find the following:
Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
For more information, see http://support.microsoft.com/kb/2663685.
Final words
After I executed this command, replication started again between the OLDDC01 and OLDDC02 servers. After I started up the NEWDC01 server, I realized it had automatically replicated the contents of the SYSVOL share, almost immediately after the server started up. I again tried to log in with the local client into the DOMAIN domain, and now I see that the local client is using the local domain controller for authentication.
Everything seems to be OK now.
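The procedure the post follows (KB2218556, then the ResumeReplication call for event 2213), scripted as an added example; this is not code from the original post. The "special flag" the post mentions is the msDFSR-Options attribute set to 1 on the DC's CN=SYSVOL Subscription object, and the switch you flip off and on is msDFSR-Enabled on the same object; the event IDs waited for (4114 SYSVOL replication stopped, 4602 SYSVOL initialised as the primary/authoritative member, 4604 SYSVOL initialised from a partner) are the ones the KB has you check. DC names are placeholders. It assumes RSAT, Domain Admin rights, an elevated prompt, and repadmin.exe and dfsrdiag.exe on the path. Take the backup first, as the post does: the non-authoritative DCs discard their SYSVOL content and pull the authoritative copy.

```powershell
# Added example (not from the original post): KB2218556 SYSVOL recovery driven from
# PowerShell, plus the ResumeReplication call for DFSR event 2213. DC names are
# placeholders. Requires RSAT (ActiveDirectory module), Domain Admin rights and an
# elevated prompt; repadmin.exe and dfsrdiag.exe come with the AD/DFSR tools.
Import-Module ActiveDirectory

function Get-SysvolSubscriptionDn {
    # The per-DC DFSR subscription object that KB2218556 has you edit in ADSI Edit.
    param([string]$DcName)
    $dcDn = (Get-ADComputer -Identity $DcName).DistinguishedName
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
}

function Set-SysvolSubscription {
    # msDFSR-Enabled switches the subscription off/on; msDFSR-Options=1 marks the
    # copy authoritative so partners cannot overwrite it when replication resumes.
    param([string]$DcName, [bool]$Enabled, [switch]$Authoritative)
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) { $attrs['msDFSR-Options'] = 1 }
    Set-ADObject -Identity (Get-SysvolSubscriptionDn $DcName) -Replace $attrs
}

function Sync-DfsrConfig {
    # Push the AD change to all partners, then make DFSR on $DcName re-read its config.
    param([string]$DcName)
    & repadmin.exe /syncall $DcName /AdP | Out-Null
    & dfsrdiag.exe pollad /member:$DcName | Out-Null
}

function Wait-DfsrEvent {
    # Poll the "DFS Replication" log on $DcName until $EventId appears after $Since.
    param([string]$DcName, [int]$EventId, [datetime]$Since, [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $hit = Get-WinEvent -ComputerName $DcName -ErrorAction SilentlyContinue -MaxEvents 1 `
            -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since }
        if ($hit) { return $hit }
        Start-Sleep -Seconds 20
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event $EventId on $DcName"
}

function Restore-SysvolDfsr {
    # Authoritative restore on $AuthoritativeDc, then non-authoritative on $OtherDcs.
    param([string]$AuthoritativeDc, [string[]]$OtherDcs)
    $t0  = Get-Date
    $all = @($AuthoritativeDc) + $OtherDcs
    foreach ($dc in $all) { Get-Service -Name DFSR -ComputerName $dc | Stop-Service }

    # 1. Flag the good copy, disable every subscription, replicate the change.
    Set-SysvolSubscription -DcName $AuthoritativeDc -Enabled $false -Authoritative
    foreach ($dc in $OtherDcs) { Set-SysvolSubscription -DcName $dc -Enabled $false }
    Sync-DfsrConfig $AuthoritativeDc

    # 2. Authoritative DC: 4114 (stopped) -> re-enable -> 4602 (initialised as primary).
    Get-Service -Name DFSR -ComputerName $AuthoritativeDc | Start-Service
    Wait-DfsrEvent $AuthoritativeDc 4114 $t0 | Out-Null
    Set-SysvolSubscription -DcName $AuthoritativeDc -Enabled $true
    Sync-DfsrConfig $AuthoritativeDc
    Wait-DfsrEvent $AuthoritativeDc 4602 $t0 | Out-Null

    # 3. Other DCs: same steps, but they end with 4604 (initialised from a partner),
    #    i.e. their local SYSVOL content is replaced by the authoritative copy.
    foreach ($dc in $OtherDcs) {
        Get-Service -Name DFSR -ComputerName $dc | Start-Service
        Wait-DfsrEvent $dc 4114 $t0 | Out-Null
        Set-SysvolSubscription -DcName $dc -Enabled $true
        Sync-DfsrConfig $dc
        Wait-DfsrEvent $dc 4604 $t0 | Out-Null
    }
}

function Resume-DfsrVolumes {
    # Clears event 2213 (JET database not shut down cleanly, auto-recovery off): the
    # same DfsrVolumeConfig.ResumeReplication call as the wmic line in the post, run
    # for every volume DFSR tracks on $DcName. Back up the replicated folders first.
    param([string]$DcName)
    foreach ($vol in Get-WmiObject -ComputerName $DcName -Namespace 'root\microsoftdfs' -Class DfsrVolumeConfig) {
        $r = $vol.ResumeReplication()
        [pscustomobject]@{ Dc = $DcName; Volume = $vol.VolumePath; ReturnValue = $r.ReturnValue }
    }
}

# Order used in the post: fix the stale subscriptions first, then the dirty JET volume.
# Restore-SysvolDfsr -AuthoritativeDc 'OLDDC01' -OtherDcs 'OLDDC02'
# Resume-DfsrVolumes -DcName 'OLDDC02'
```

Two things worth checking before running this for real. First, the 4012 "MaxOfflineTimeInDays" error is cleared by this same disable/re-enable cycle, because the subscription is re-initialised; there is no separate switch to flip for it. Second, event 2213 will come back after the next dirty shutdown as long as auto-recovery stays off; KB2663685 (linked in the post) describes the DfsrMachineConfig StopReplicationOnAutoRecovery setting that controls that behaviour, so decide deliberately whether you want DFSR to recover on its own (at the cost of possible conflict resolution surprises) or to stop and wait for an administrator, as it did here.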

Similar Messages

  • DNS, Certificates, and Active Directory - School Setup Issues

    Our school has been piloting a small iPad deployment. I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
    1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
    2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
    3. About 90 iPads, and a handful of Mac desktops
    In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
    However, this is not the case. The setup seems to work for a while; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of the issues I am seeing:
    a.) DNS service on the Mac server turns itself ON randomly.  DNS should NOT be running this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
    b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
    c.) AD binding breaks randomly and I have to rebind the server to AD
    d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
    I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

    Yes, I am not giving the real domain name here.
    No prob, just checking; sometimes people have weird domain names, you never know if they are real, or they expect them to be real, or they put domain names owned by someone else on their internal network, eek.
    Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
    Go to Network Utility on your mac, type in your real domain name (whatever you are changing to school.org to hide it) what comes back. On my server I see the below (I have replaced my real, Internet legal domain, to 'example.com')
    In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
    So you have set DNS forwarders on the Mac machine?
    I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
    On the Mac machine, in Terminal type $ less /etc/resolv.conf and copy-paste what it says. In Server app, Services | DNS, on the right side, does it say you have forwarders?
    Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
    Lookup has started…
    Trying "example.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    ;; QUESTION SECTION:
    ;example.com.                   IN        ANY
    ;; ANSWER SECTION:
    example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
    example.com.     10800          IN         NS          server.example.com.
    example.com.     10800          IN         MX          10 server.example.com.
    ;; ADDITIONAL SECTION:
    server.example.com. 10800       IN          A          192.168.1.20
    Received 145 bytes from 127.0.0.1#53 in 2 ms

  • Active Directory credential caching issues under OS X 10.5.5 (and 10.5.4)

    We are experiencing issues with cached credentials and login delays using the Active Directory DirectoryServices plugin under 10.5. In our case, the plugin works fine as long as the system is on one of our networks, and credential caching works when the system is disconnected. Everything is repeatable, scripted and reasonably well tested. We're pretty happy with how it's working on-site. Once a system leaves our network however, as laptops tend to do, it is not possible to log in without a massive delay. Looking into the issue, I have determined that the following contribute to the problem:
    1) There are 9 active directory servers in our "/Library/Preferences/DirectoryServices/ActiveDirectoryDynamicData.plist" file.
    2) The timeout appears to be 90 seconds, according to the string value of the LDAP Connection Timeout element in "/Library/Preferences/DirectoryServices/ActiveDirectory.plist".
    The login delay does seem to coincide with the value of 90 seconds multiplied by the number of AD servers, about 13 1/2 minutes. Changing the value of the LDAP Connection Timeout does not seem to resolve the issue, even after a reboot. Moving the ActiveDirectoryDynamicData.plist file out of the way (to prevent the system from contacting any AD servers) does not seem to resolve the issue either. I'd like the ability to force cached credentials without the AD delay. Is it possible to change this value without rebooting, or at least without patching the binaries?
    I am currently testing on a MacBook Air with 10.5.5, and the following procedure was used from the command line to configure AD (note that you'd need to replace the AD username, OU, and domain values):
    dsconfigad -a `hostname -s` -u "ad-admin-user-replaceme" -ou "OU=Whatever, OU=You, OU=Have" -domain=example.com -mobile enable -mobileconfig disable -useuncpath disable
    dscl -q localhost -create /Search SearchPolicy ds AttrTypeStandard:CSPSearchPath
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    Reboot and all seems to be working for us, except when the systems leave our network.
    Note that the last command (plutil) is not strictly necessary, but the DirectoryService utility seems to write the file in xml1 format, so this makes things consistent with what Apple is doing and hopefully less likely to break anything.

    As silly as it seems to respond to one's own posts, I think I've found a solution. Using the first set of commands at the bottom of this post, I disable Active Directory authentication (and ensure that LDAPv3 is disabled as well). This seems to still allow for cached credentials to function, since AD is still in the search path. Although there is still a rather long 2 minute initial delay on the MacBook Air, it seems to work and is nowhere near 13 1/2 minutes. Interestingly enough, it seems to work with little delay on a test Powerbook G4 using the same baseline configuration with little to no delay.
    My plan is to push this out through my update mechanism as a cron job every 5 minutes, with a script that detects whether it's on one of our networks. The cron job will also be run on bootup so systems initially booted shouldn't need to suffer a 13.5 minute delay. This could be made better with a mechanism that could launch a script when the network interface came up or went down, I'll look at launchd for clues. If you have any comments feel free to reply...
    Commands executed on networks which cannot access our AD servers:
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive"
    /usr/libexec/PlistBuddy -c "Set \"LDAP Connection\ Timeout\" 0" /Library/Preferences/DirectoryService/ActiveDirectory.plist
    Commands executed when a system is back on one of our networks:
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    /usr/libexec/PlistBuddy -c "Set \"LDAP Connection\ Timeout\" 90" /Library/Preferences/DirectoryService/ActiveDirectory.plist

  • Active directory intersite replication minimum polling interval is 15 min or 7.5 min ?

    In the MCITP 70-640 R2 Self-Paced Training Kit, at page 593, we read:
    "The minimum polling interval is 15 minutes. With this setting, and using Active Directory's
    default replication configuration, a change made to the directory in one site takes on average
    seven and a half minutes to replicate to domain controllers in another site."
    I don't understand which one is true in the end: 15 min or 7.5 min?
    I wonder, because in my exercises I noticed that replication between sites occurred at about 7.5 min and didn't take 15 min.
    If it is 7.5 min, what is the reason they wrote 15 min?

    At a maximum 15 min.
    The so-called average is 7.5 min <----- forget this!
    Remember the following as your rule of thumb: the minimum interval that can be configured is 15 min and the default is 180 min (3 hours). The interval is the max amount of time that needs to pass before the DCs (between sites) initiate inbound replication.
    So it will take the period of the interval or less before replication starts.
    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

  • Active Directory - SharePoint Replication Problem with User Information

    Hi, we have an implementation of a SharePoint 2010 stand-alone server. When we started to work on this server, we added the users from the Active Directory service implemented in our company. These users had information like email and department. When I add one user to SharePoint, SharePoint imports all the user's information.
    The problem is when I change the email information for the user in Active Directory, this information doesn't replicate to SharePoint. The user has the new email in Active Directory and the old email in SharePoint.
    How can I replicate all the new user information to SharePoint?
    I hope someone can help me.
    Thanks.

    Standalone installations of SharePoint do not support the User Profile Sync Service. You'll want to use a farm installation for that functionality.
    Are you using SharePoint Foundation, Standard, or Enterprise? The UPSS only comes with Standard and Enterprise.
    Trevor Seward

  • Active Directory data replication to database

    Hi guys,
    Does anybody know how to replicate data from Active Directory (groups and users) directly to a database table, e.g. in Oracle?
    My research led me to code a program that makes a persistent search on Active Directory, monitoring object changes in order to insert or update rows in my table.
    Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 1)
    http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
    Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 2)
    http://forum.java.sun.com/thread.jspa?forumID=51&threadID=672007
    Is it a good idea?
    Thanks
    MHM

    As I said previously, it depends on how frequently you need to synchronise the database; weekly, daily, hourly, realtime.
    LDIFDE, CSVDE can be used to export LDIF or CSV files respectively, which you could then import into a database. That would be a good pragmatic solution for something that needs to be done daily or weekly.
    The DIRSYNC control is good for any schedule synchronisation, whereas the LDAP Notification Control is better suited to real time applications.
    I am rather flattered that the post you referred to http://www.forumeasy.com/forums/thread.jsp?tid=117381285598&fid=ldapprof2&highlight=LDAP+Persistent+Search+Control+JNDI+Client
    is based on my original sample titled "JNDI, Active Directory and Persistent Searches (part 2)" which I posted at
    http://forum.java.sun.com/thread.jspa?threadID=672007&tstart=90
    BTW, the sample for using the dirsync control, which is titled "JNDI, Active Directory & Persistent Searches (part 1)", is available at
    http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
    Another alternative would be to install another server with Active Directory Application Mode (ADAM) specifically for your "expensive" queries and use a tool such as ADAMSync to populate it from your other Active Directory domain controllers.
    ADAMSync is included with ADAM and you can find the command line options described at http://technet2.microsoft.com/windowsserver/en/library/c64799ab-88c0-4e5a-b296-bc26031141291033.mspx?mfr=true
    Personally, I would much prefer to use something like LDIFDE, CSVDE, ADAMSync or a full-fledged synchronisation/provisioning product such as Identity Lifecycle Manager rather than write (and debug/maintain) my own code.
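The DIRSYNC control the answer recommends for scheduled synchronisation, shown from PowerShell through System.DirectoryServices (the .NET wrapper for the same LDAP control the JNDI samples use). This is an added example, not code from the thread or from the linked samples; the search base, the cookie file path and the attribute list are placeholders, and the database write itself is left to the caller. The security point a practitioner should not miss: a plain DirSync search needs the "Replicating Directory Changes" right on the naming context, which is the same right DCSync-style credential theft abuses, so the example defaults to the ObjectSecurity option, under which the DC returns only what the calling account may read and that right is not required.

```powershell
# Added example (not from the thread): an incremental AD -> database feed using the
# LDAP DirSync control through System.DirectoryServices. Search base and cookie path
# are placeholders; the caller upserts the returned rows into its own table.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdDirSyncChanges {
    param(
        [string]$SearchBase,                                      # a naming-context root, e.g. 'DC=corp,DC=example,DC=com'
        [string]$CookiePath = "$env:ProgramData\ad-sync.cookie",  # last cookie, kept between runs
        [switch]$UseReplicationRight                              # see the ObjectSecurity note below
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # objectClass survives deletion (objectCategory does not), so tombstones still match.
    $searcher.Filter = '(|(objectClass=user)(objectClass=group))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectGUID','sAMAccountName','mail','department','isDeleted'))

    # ObjectSecurity = LDAP_DIRSYNC_OBJECT_SECURITY: results are filtered by what the
    # caller may read, so the sync account does NOT need "Replicating Directory Changes".
    # Without it (the -UseReplicationRight path) that right is mandatory.
    $opts = if ($UseReplicationRight) { [System.DirectoryServices.DirectorySynchronizationOptions]::None }
            else { [System.DirectoryServices.DirectorySynchronizationOptions]::ObjectSecurity }
    $sync = New-Object System.DirectoryServices.DirectorySynchronization($opts)
    if (Test-Path -LiteralPath $CookiePath) {
        # Resume from the previous run: only objects changed since then come back.
        $sync.ResetDirectorySynchronizationCookie([System.IO.File]::ReadAllBytes($CookiePath))
    }
    $searcher.DirectorySynchronization = $sync

    $changes = foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        # On an incremental pull only the changed attributes are present: a missing
        # attribute means "unchanged", not "cleared", so upsert column by column.
        [pscustomobject]@{
            ObjectGuid     = New-Object System.Guid -ArgumentList (,[byte[]]$p['objectguid'][0])
            SamAccountName = if ($p.Contains('samaccountname')) { $p['samaccountname'][0] } else { $null }
            Mail           = if ($p.Contains('mail'))           { $p['mail'][0] }           else { $null }
            Department     = if ($p.Contains('department'))     { $p['department'][0] }     else { $null }
            Deleted        = $p.Contains('isdeleted') -and [bool]$p['isdeleted'][0]
        }
    }
    # Return the batch together with the new cookie; the caller saves the cookie only
    # after its database commit succeeds, so a failed run is replayed rather than lost.
    [pscustomobject]@{ Changes = @($changes); Cookie = $sync.GetDirectorySynchronizationCookie() }
}

function Save-AdDirSyncCookie {
    param([byte[]]$Cookie, [string]$CookiePath = "$env:ProgramData\ad-sync.cookie")
    [System.IO.File]::WriteAllBytes($CookiePath, $Cookie)
}

# Usage (scheduled task):
# $batch = Get-AdDirSyncChanges -SearchBase 'DC=corp,DC=example,DC=com'
# $batch.Changes | Export-Csv "$env:ProgramData\ad-changes.csv" -NoTypeInformation   # bulk-load this
# Save-AdDirSyncCookie -Cookie $batch.Cookie                                          # only after the load commits
```

Deletions deserve a note of their own: a deleted user comes back as a tombstone with isDeleted=TRUE and very few other attributes, and under ObjectSecurity the sync account only sees those tombstones if it has been granted List/Read on the domain's Deleted Objects container (by default only administrators and SYSTEM have that), so grant exactly that rather than falling back to the replication right. The cookie is opaque and DC-specific in the sense that it encodes USNs; keep the search pinned to one DC, or handle the full resync that a cookie from another DC triggers.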

  • Active Directory Migration Tool Issue

    Hi,
    I am currently doing a pilot to migrate users from a Windows Server 2003 Forest (2000 FFL, 2003 DFL) into Windows Server 2008 R2 (2008R2 FFL, 2008R2 DFL).
    There is an External Trust setup between the 2 forests.
    Having successfully migrated some test users and groups from Source to Target domain, I am able to access resources on a file server located in the Source domain (due to SID history being migrated along with SID Filtering being disabled)
    My issue is that I want to now use the Security Translation Wizard to add the newly migrated users and groups to the Source File Servers ACLs, Registry etc.
    ADMT is installed on a Target DC and when I run the Security Translation wizard it fails and the log shows the below...
    Details for DC01.SourceDomain
    Local Machine
        Computer:   DC01.SourceDomain (DC01)
            Domain:    DC01 (DC01)
            OS:         Microsoft Windows Server 2003 R2 5.2 (3790) Service Pack 2
    2012-03-08 15:57:47 Starting Security Translator.
    2012-03-08 15:57:47 Agent is running in local mode.
    2012-03-08 15:57:47 ERR3:7194 Could not open input file C:\Program Files\OnePointDomainAgent\Accounts000026.txt
    2012-03-08 15:57:47 SecurityTranslation Files:Yes Shares:Yes LGroups:Yes UserRights:Yes Printers:Yes TranslationMode:Add CWN WIRRAL.NHS.UK
    2012-03-08 15:57:47 Starting
    2012-03-08 15:57:47 Translating local machine.
    2012-03-08 15:57:48 Skipping A:\, rc=21   The device is not ready.
    2012-03-08 15:57:48 Processing C:\
    2012-03-08 15:57:51 Skipping D:\.  D:\ is a CD-ROM drive.
    2012-03-08 15:57:51 Processing E:\
    2012-03-08 15:57:51 Processing shares on local machine.
    2012-03-08 15:57:51 Processing printer security...
    2012-03-08 15:57:51 Translating local groups.
    2012-03-08 15:57:51 Translating user rights.
    2012-03-08 15:57:51 Translating security on registry keys.
    2012-03-08 15:58:11 ------Account Detail---------
    2012-03-08 15:58:11 The account detail section uses the following format: AccountName(OwnerChanges, GroupChanges, DaclChanges, SaclChanges).
    2012-03-08 15:58:11 -----------------------------
    2012-03-08 15:58:11 0 users, 0 groups, 0 msas
    2012-03-08 15:58:11 0 accounts selected.  0 resolved, 0 unresolved.
    2012-03-08 15:58:11            Examined        Changed     Unchanged
    2012-03-08 15:58:11 Files          11755              0         11755
    2012-03-08 15:58:11 Dirs            1071              0          1071
    2012-03-08 15:58:11 Shares             4              0             4
    2012-03-08 15:58:11 Members           15              0            15
    2012-03-08 15:58:11 User Rights       61              0            61
    2012-03-08 15:58:11 Exchange Objects          0              0             0
    2012-03-08 15:58:11 Containers         0              0             0
    2012-03-08 15:58:11 DACLs         123187              0        123187
    2012-03-08 15:58:11 SACLs             63              0            63
    2012-03-08 15:58:11            Examined        Changed     No Target   Not Selected     Unknown
    2012-03-08 15:58:11 Owners       123189              0        123189              0           0
    2012-03-08 15:58:11 Groups       123189              0        123189              0           0
    2012-03-08 15:58:11 DACEs       1003913              0       1003913        1003913           0
    2012-03-08 15:58:11 SACEs            66              0            66             66           0
    2012-03-08 15:58:12 Wrote result file C:\WINDOWS\OnePointDomainAgent\000026_CWN-DC01.result
    2012-03-08 15:58:12 Operation completed.
    The error is looking for C:\Program Files\OnePointDomainAgent\Accounts000026.txt which does not exist on the Source Server (where the Agent is installed)
    Can anyone help please?

    Howdie!
    On 08.03.2012 17:32, Wrightyi28 wrote:
    > ADMT is installed on a Target DC and when I run the Security Translation
    > wizard it fails and the log shows the below...
    > [...]
    > The error is looking for C:\Program
    > Files\OnePointDomainAgent\Accounts000026.txt which does not exist on the
    > Source Server (where the Agent is installed)
    Is/was AGPM installed on the server you ran the security translation
    agent on?
    Florian

  • Active Directory RDP Logon Issue

    I have a problem logging on to my test domain, here are the setup and symptoms
    Domain Prod:   ua.here.someplace.com
    Domain Test:   ua.test-here.someplace.com
    Domains totally separate DNS and WINS, although they are on the same subnets.
    From my admin workstation I find I can't log in to the test domain with the following format:
    SEE ATTACHED
    I can't figure out why.
    DCDIAG in both domains is clean.  All DNS entries listed in netlogon.dns are in the proper locations, I checked line by line.
    Event logs say "Access Denied", as if it were a bad password, otherwise clean
    But most perplexing, when I spin up a clean Virtual Windows 7 pro box (same DNS as admin workstation), Everything starts to work!!
    I have deleted everything in credential manager on the admin workstation (including from cmd line with cmdkey.exe), including all the temp files in Local, LocalLow, and roaming, and all the Temp files with Internet Explorer.  No change.
    I am at a loss :(
    Can the fact that the NetBIOS name is the same for both prod and test be an issue? But I can't see how...
    BlankMonkey

    Hi,
    In order to solve this issue more efficiently, I need to clarify some information.
    Firstly, those failed logon attempts, are they all logon attempts via RDP? What specific error do you see when logon attempts fail?
    Secondly, the access denied event in Event Logs, would you please post out a complete version?
    You also mentioned that after you brought a clean Virtual Windows 7 pro box, everything started to work, so what is the version of the former problematic machine?
    Here are some related links below for your references:
    The system cannot log on due to the following error: access is denied
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/b458262e-7be7-49d6-9f14-bd0cbbccc226/the-system-cannot-log-on-due-to-the-following-error-access-is-denied
    Error message when you use Remote Desktop Connection to connect to a Windows Vista-based computer: "The requested session access is denied"
    http://support.microsoft.com/kb/954369
    Users Can Log On Using User Name or User Principal Name
    http://support.microsoft.com/kb/243280
    If these links above are not helpful, please get back to us with necessary information at your earliest convenience.
    Best Regards,
    Amy Wang

  • Active directory account lockout issue

    I have 1 main AD server which is on Windows 2003 R2 and all users are authenticated from this server, and a second ADC, i.e. a backup ADC, which is on Windows 2003 R2. We have a 3rd ADC on Windows 2008 R2 which was created for Exchange 2010 on Windows 2008 R2.
    Users are getting account lockout issues randomly.
    Can anyone help with this?
     

    Hi,
    You can start with the threads below to see if you are prepared to determine the sources of the lockouts.
    http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx
    Use LockoutStatus from ALTools (http://www.microsoft.com/en-us/download/details.aspx?id=18465), then check the source DC where the lockouts are being reported. Use the event viewer on that DC and look for "failure audits" for that particular user account or during the time frame reported by LockoutStatus. Use the event description to find the source workstations/servers where the lockout is coming from and check that machine for any disconnected RDP sessions, Credential Manager entries, services running with domain accounts, applications, etc.
    Hope this helps.
    Regards,
    Calin
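The "find the source DC, read the failure audits, pull out the caller computer" steps from the answer, scripted as an added example that is not part of the thread. On Windows Server 2008 R2 and later DCs each lockout is recorded as Security event 4740 and forwarded to the PDC emulator, and the field the Event Viewer labels "Caller Computer Name" is carried in the event's TargetDomainName data element; the parser below relies on that. The sample event is constructed so the parser can be run offline; Get-LockoutSource queries a live DC and assumes RSAT (the ActiveDirectory module) and rights to read the Security log remotely.

```powershell
# Added example (not from the thread): locate the machine a lockout comes from by
# reading event 4740 on the PDC emulator, where every DC forwards lockouts, and
# extracting "Caller Computer Name" from the event XML. The sample event below is
# constructed so the parser can be exercised offline; Get-LockoutSource hits a live DC.
Import-Module ActiveDirectory

function ConvertFrom-LockoutEvent {
    # Turn one 4740 event (as XML text from Get-WinEvent's ToXml()) into a flat record.
    param([string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
        User     = $data['TargetUserName']
        # 4740 stores the locking workstation in TargetDomainName; the Event Viewer
        # labels that field "Caller Computer Name".
        Source   = $data['TargetDomainName']
        LoggedOn = $x.Event.System.Computer
    }
}

function Get-LockoutSource {
    # Lockouts for $User (or every user) in the last $Hours, read from the PDC emulator.
    param([string]$User, [int]$Hours = 24)
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LockoutEvent $_.ToXml() } |
        Where-Object { -not $User -or $_.User -eq $User } |
        Sort-Object Time -Descending
}

# Constructed sample (not a real capture) in the shape Get-WinEvent's ToXml() returns:
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2013-05-02T08:15:30.123456700Z" />
    <Computer>dc01.corp.example.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WS-FINANCE-07</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEvent $sampleEvent   # Source = WS-FINANCE-07

# Live: Get-LockoutSource -User 'jdoe' -Hours 48
```

Two caveats for the environment in the question. If the PDC emulator role still sits on one of the Windows 2003 R2 DCs, the lockout event there is the legacy ID 644 with a different layout, and this parser will not see it until the role is moved to the 2008 R2 DC or the 644 text is parsed instead. And the "Source" is the machine that sent the bad credentials to the DC, which is what you want for stale RDP sessions, scheduled tasks and services; for a web or mail front end that authenticates on behalf of users it will be that server, and you then continue on its own logs. 4740 is only written when "Audit User Account Management" success auditing is on, which the Default Domain Controllers Policy enables by default.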

  • Active Directory and Samba issues

    When I updated a few of the computers here at work to Leopard, I tried mounting some authenticated samba shares here at work, and they worked just fine. However, with other users, it denies their password, and then re-prompts for the password, despite said password being correct. It doesn't appear to be related to administrator permission on the domain, either, because it denies me when I change my permissions to only have access to specific machines, instead of 'all computers'
    If you need any further information, I would be happy to give it.

    Hi
    I confess I don't know if this is in any way helpful or relevant, but I do know changes have been made in Leopard viz. Samba, since you can no longer set up a Windows printer via Samba in the GUI as you have previously been able to do. You can do it in CUPS, but this isn't for all types of users. Thus I don't know if this has any bearing on your problem, but it may help to look for more general Samba support changes.
    cheers

  • Active Directory Domain replication

    davidr4 wrote:
    Is your DC virtual?  Just clone it and put it on an isolated network.

    Technically they have created another environment and asked us to duplicate the data and the infrastructure.

    Good afternoon Spicers, what is the best option and way to replicate an AD infrastructure for testing purposes? I want everything in production to be cloned so that I can test in a test environment. How do I go about doing that?
    Please help!!
    This topic first appeared in the Spiceworks Community

  • Active Directory Replication Servers (wont replicate SYSVOL and NETLOGON Not showing)

    I have my first DC server (DC1), DC1.DOMAIN.LOCAL. I decided to add another domain controller, made it a secondary DNS server and also a GC. Everything seems to replicate, but it's missing NETLOGON and SYSVOL won't replicate. 
    Windows 2008 R2

    Error 5706
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\INFGRP.LOCAL\SCRIPTS.  The following error occurred: 
    The system cannot find the file specified.
    Event 7009
    A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
    Event 1058
    The processing of Group Policy failed. Windows attempted to read the file \\INFGRP.LOCAL\SysVol\INFGRP.LOCAL\Policies\{55DE4000-0D51-44CD-92A1-30F286B2BC86}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until
    this event is resolved. This issue may be transient and could be caused by one or more of the following: 
    a) Name Resolution/Network Connectivity to the current domain controller. 
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
    c) The Distributed File System (DFS) client has been disabled.
    All Critical
    This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS
    Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
    Test replication
    Domain Controller Diagnosis
    Performing initial setup:
       * Verifying that the local machine dc, is a DC. 
       * Connecting to directory service on server dc.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\dc
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... dc passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\dc
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
                DC=ForestDnsZones,DC=GRP,DC=LOCAL
                   Latency information for 7 entries in the vector were ignored.
                      7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=DomainDnsZones,DC=GRP,DC=LOCAL
                   Latency information for 7 entries in the vector were ignored.
                      7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Schema,CN=Configuration,DC=GRP,DC=LOCAL
                   Latency information for 8 entries in the vector were ignored.
                      8 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Configuration,DC=GRP,DC=LOCAL
                   Latency information for 9 entries in the vector were ignored.
                      9 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=GRP,DC=LOCAL
                   Latency information for 9 entries in the vector were ignored.
                      9 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
             ......................... dc passed test Replications
          Test omitted by user request: Topology
          Test omitted by user request: CutoffServers
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: Advertising
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: RidManager
          Test omitted by user request: MachineAccount
          Test omitted by user request: Services
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: frssysvol
          Test omitted by user request: frsevent
          Test omitted by user request: kccevent
          Test omitted by user request: systemlog
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: CheckSecurityError
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : Schema
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : Configuration
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : GRP
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running enterprise tests on : GRP.LOCAL
          Test omitted by user request: Intersite
          Test omitted by user request: FsmoCheck
          Test omitted by user request: DNS
          Test omitted by user request: DNS
    On the second DC (DCR) I see SYSVOL, but no files replicated, and there's no NETLOGON.
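    The events quoted above say the domain has moved SYSVOL from FRS to DFS Replication while the new DC still has no NETLOGON share. The per-DC health snapshot below is an added example, not code from the thread; it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, Windows Server 2008 R2 or later, and RPC/WMI access to each DC (the DFSR WMI provider lives in root\MicrosoftDFS).

```powershell
# Added example (not from the thread): per-DC SYSVOL health snapshot. It reports the
# domain's FRS-to-DFSR migration state, whether SYSVOL and NETLOGON are shared on
# each DC, and DFSR's own state for the SYSVOL replicated folder.
Import-Module ActiveDirectory

function Get-SysvolHealth {
    param([string]$ComputerName)

    # Shares published by the DC; a DC whose SYSVOL never initialised will lack NETLOGON
    $shares = Get-WmiObject -ComputerName $ComputerName -Class Win32_Share |
              Select-Object -ExpandProperty Name

    # DFSR's view of the SYSVOL replicated folder (absent while the DC still uses FRS)
    $stateNames = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync';
                     3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }
    $rf = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDFS' `
                        -Class DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
          Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' }
    $dfsrState = 'no DFSR SYSVOL folder'
    if ($rf) { $dfsrState = $stateNames[[int]$rf.State] }

    [pscustomobject]@{
        DC              = $ComputerName
        SysvolShared    = $shares -contains 'SYSVOL'
        NetlogonShared  = $shares -contains 'NETLOGON'
        DfsrSysvolState = $dfsrState
    }
}

# Domain-wide migration state: Start (0) -> Prepared (1) -> Redirected (2) -> Eliminated (3).
# The "This domain controller has migrated to using the DFS Replication service" event
# means the domain reached Eliminated, so FRS no longer serves SYSVOL anywhere.
& dfsrmig.exe /getglobalstate

Get-ADDomainController -Filter * |
    ForEach-Object { Get-SysvolHealth -ComputerName $_.HostName } |
    Format-Table -AutoSize
```

    A DC that reports Eliminated globally but "no DFSR SYSVOL folder" locally, or a DFSR state other than Normal, is the one whose SYSVOL initialisation needs attention.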

  • Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

    Hello everyone,
    I'm managing a multi-domain forest (with 7 sub-domains).  All are working fine except for one.  Through repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of a subdomain (there are only 2 DCs in that
    subdomain) hadn't replicated with the rest of the forest for more than 60 days.
    According to my research, it's usually recommended to demote and repromote the problematic DC to avoid the issue of lingering objects.  In this case, it's both DCs of a sub-domain.  Of course, on the other DCs in the forest, I get the event
    ID 2012 "it has been too long since this machine last replicated with the named source machine....". 
     HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
    to a value of 1. 
    As I understand it, this may cause lingering objects to appear (they can be removed with the repadmin /removelingeringobjects command with the DSA GUID, naming context, etc.).  So far, I haven't used that registry key because of the associated risks.
    I haven't noticed any other issue so far.  Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in A.D. Sites
    and Services).
    I added two new DCs for the affected sub-domain, so the number of DCs for that domain went from 2 to 4.  The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2. 
    Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain.  By that, I mean that I
    cannot add an Active Directory Domain Services connection in the Sites & Services console (from a DC in another domain of the forest or even the root domain).  I see all the DCs, including the two old DCs that are Server 2003, but not the new ones. 
    I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
    I was wondering what the best course of action is. Is it worthwhile to use the registry key to force replication with the old DCs? (And hopefully the new DCs will get their AD Services connection/replication vector created, so I can demote
    the old DCs.)
    Since the old DCs from the problematic sub-domain seem to be able to pull replication from the rest of the forest, isn't the risk of lingering objects that great?
    Or is it too risky, and must I create a new sub-domain and migrate the users one way or another? (Which would be time-consuming.)
    Thanks in advance,
    Adam

    Thanks for the reply.  One of the links had another link to a good article about the use of repadmin.
    So, I ran the command "repadmin /removelingeringobjects" on one of the problematic DCs ().
    For clarity's sake, let's say I used the domains:
    domain = main domain
    subdomain = the domain whose DC are problematic (all of them).
    AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
    Command (the DSA guid is from a DC "clean" in another domain)
    repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
    I got the following message in the event viewer :
    Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
    Source domain controller:
    c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
    Number of objects examined and verified:
    0
    Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
    advisory mode option.
    How should I interpret the message "number of objects examined and verified: 0"?  Does it mean it just didn't find any object to compare? (Which would be odd, IMHO.)  Or is there another problem?
    Thanks in advance,
    Adam
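    The advisory-mode check above, run against every DC of the disconnected sub-domain rather than one, with the resulting Directory Service events collected afterwards. This is an added PowerShell example, not the poster's script; it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module and repadmin.exe on the PATH, and the host names below are placeholders.

```powershell
# Added example (not from the thread): run repadmin's advisory-mode lingering-object
# check against every DC of the affected sub-domain, using a known-clean DC in another
# domain as the reference, then gather the Directory Service events it logs.
param(
    [string]$AffectedDomain = 'mysubdomain.domain.ca',                 # placeholder
    [string]$ReferenceDC    = 'refdc01.anothersubdomain.domain.ca'     # placeholder
)
Import-Module ActiveDirectory

# repadmin wants the reference DC's DSA GUID: the objectGUID of its NTDS Settings object
$refDc   = Get-ADDomainController -Identity $ReferenceDC
$dsaGuid = (Get-ADObject -Identity $refDc.NTDSSettingsObjectDN -Server $ReferenceDC `
                         -Properties objectGUID).objectGUID

# Partitions the reference DC holds as full replicas: its own domain NC and the
# forest-wide Configuration NC. Every DC hosts the Configuration NC; a target DC
# hosts the reference's domain NC only if it is a global catalog.
$partitions = @($refDc.DefaultPartition,
                (Get-ADRootDSE -Server $ReferenceDC).configurationNamingContext)

$targets = Get-ADDomainController -Filter * -Server $AffectedDomain
$started = Get-Date
foreach ($dc in $targets) {
    foreach ($nc in $partitions) {
        Write-Host "Advisory check on $($dc.HostName) against $ReferenceDC for $nc"
        # /advisory_mode only reports; nothing is deleted until it is run without it
        & repadmin.exe /removelingeringobjects $dc.HostName $dsaGuid $nc /advisory_mode
    }
}

# 1942 summarises an advisory run (the message quoted above); each 1946 names one
# object that exists locally but no longer exists on the reference DC
foreach ($dc in $targets) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1942, 1946; StartTime = $started
    } | Select-Object MachineName, TimeCreated, Id, Message | Format-List
}
```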

  • Replication Active Directory, ports issues in firewall

    Hi,
    I am facing an issue with Active Directory replication between my Active Directory user databases located in two different locations.
    I am not doing any port-based ACL in the firewall, and there is no static / dynamic NATting used between the server IP ranges (nat 0).
    1) What could be the possible issue here?
    2) Do I need to issue any command in the FWSM module to make use of / open the dynamic ports?
    3) How can I make sure that these ports are opened and not blocked on the firewall?
    Below are some of the ports used for this, based on the information from the Microsoft team.
    tcp 5389
    tcp 5722
    tcp 5729
    tcp 3268
    tcp 3269
    tcp 445
    udp 445
    udp 88
    udp 2535
    udp 389
    tcp 1025 - 5000
    tcp 44152 - 65535
    Appreciate your valuable support.
    regards
    Sunny

    Hi Bro
    If you’re not doing any port based ACL in your FWSM, I can only assume you’re permitting the rules between both the AD by IP e.g. access-list inside permit ip host 1.1.1.1 host 2.2.2.2, am I right? I hope you can PING between both the AD, otherwise this could be a routing issue.
    Listed below are some commands that you could type to investigate this issue further;
    a)   show np block (hardware buffer counters) - if they are non-zero and increasing it's bad. You're most likely running into hardware limitation of the FWSM.
    b)   show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate limiting mechanisms built into network processors.
    Perhaps, what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
    hostname(config)#xlate-bypass
    If the xlate-bypass doesn’t resolve your issue, please do ensure you’ve a static NAT or dedicated nat/global in place.
    The last resort is to enable sysoption np completion-unit, this magic option is invoking special processing created to address scenarios in which FWSM was known to introduce out of order packets for TCP streams.

  • Active Directory Ghost Object replication issue

    I have a Windows 2003, Single Forest with nearly 50 Domains. This is a constantly changing, deployable system where not all Domains are connected and online at all times.
    Some months ago 2 of these domains were held up in transit and tombstoned. Before they were connected to the Forest again they went to our Hardware support department to be "cleaned" meaning remove dust etc, instead they wiped the arrays on all
    servers.
    Our Level 4 support team reanimated these nodes after restoring them from a really old backup.
    This backup did not reflect the AD as it was when it was deleted, therefore we have several orphaned objects from those domains. The domains are functioning correctly and replicating; however, the GC in the forest is inconsistent and the orphaned/ghost
    objects are still being replicated.
    We have rehosted the directory partitions from the problem nodes to online domains which works fine, but as soon as another domain comes online the orphaned objects are again replicated into the Global Catalog. The nature of our system means that we cannot
    control when the other domains are coming back online to rehost them before replicating the object items back into the GC.
    I have made several LDAP queries and can see that the items no longer exist on the problem domain, the only reference to the objects is in the GC directory partitions of those domains.
    The biggest issue I have is that these objects were mail enabled users and when the GAL queries the GC it is repopulating them. 
    I've hit a bit of a wall now and do not know how we can remove these ghost objects without having all domains online at the same time and rehosting the problem domains' partitions forest-wide. I'd appreciate any assistance.
    I have asked this question before but with less detail so I'm having another go!

    An AD backup is as good as the tombstone lifetime. By default the TSL of a 2003 forest functional level is 60. So if you haven't done this already, you should probably configure a higher value for the TSL. By default Strict Replication
    Consistency is also enabled to prevent DCs that have been disconnected for a long time from propagating lingering objects into the AD topology; check to see if you have this enabled. You should use "repadmin" to remove the lingering objects.
    "When a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, all objects that are deleted from AD DS on all other domain controllers might remain on the disconnected
    domain controller. Such objects are called lingering objects. When this domain controller is reconnected to the replication topology, it acts as a source replication partner that has one or more objects that its destination replication partners no longer have.
    Problems occur when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers. A destination domain controller can respond in one of two ways:
    If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source
    domain controller.
    If the destination domain controller does not have strict replication consistency enabled, it requests the full replica of the updated object, which introduces a lingering object into the directory."
    Also keep in mind that the Infrastructure Master role handles the cross-domain references and phantoms from the global catalog in its domain. Make sure that you either have all DCs as Global Catalogs or do not place the GC on the DC with the IM role.
    Here are some useful links:
    Determine the tombstone lifetime for the forest
    Event ID 1388 or 1988: A lingering object is detected
    Use Repadmin to remove lingering objects
    Enable strict replication consistency
    FSMO placement and optimization on Active Directory domain controllers
    Phantoms, tombstones and the infrastructure master
    http://mariusene.wordpress.com/
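    The two settings the reply says to check, the forest tombstone lifetime and each DC's Strict Replication Consistency value, read out forest-wide. This is an added PowerShell example, not part of the reply; it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module and the Remote Registry service reachable on every DC. It also reports the "Allow Replication With Divergent and Corrupt Partner" value mentioned earlier on this page, since a DC left with that set to 1 bypasses strict consistency.

```powershell
# Added example (not from the thread): report the forest tombstone lifetime and, for
# every DC in the forest, the Strict Replication Consistency and
# "Allow Replication With Divergent and Corrupt Partner" registry values.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    # When the attribute is not set, the forest uses the legacy default of 60 days
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-ReplicationConsistency {
    param([string]$ComputerName)
    # Read via the Remote Registry service, so no WinRM is required on older DCs
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $strict    = $key.GetValue('Strict Replication Consistency')   # 1 = strict, 0 = loose
        $divergent = $key.GetValue('Allow Replication With Divergent and Corrupt Partner')
        $strictText    = 'not set'
        $divergentText = 'not set'
        if ($null -ne $strict)    { $strictText    = [int]$strict }
        if ($null -ne $divergent) { $divergentText = [int]$divergent }
        [pscustomobject]@{
            DC                = $ComputerName
            StrictConsistency = $strictText
            AllowDivergent    = $divergentText    # 1 here means strict consistency is being bypassed
        }
    } finally {
        $hklm.Close()
    }
}

"Forest tombstone lifetime: $(Get-TombstoneLifetime) days"

# Walk every domain in the forest, not just the current one
(Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    ForEach-Object { Get-ReplicationConsistency -ComputerName $_.HostName } |
    Format-Table -AutoSize
```

    Any DC that has been offline for longer than the reported tombstone lifetime is a candidate source of lingering objects, and a DC showing StrictConsistency 0 or AllowDivergent 1 will accept them rather than halt inbound replication.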
