Azure Domain Controller disconnects

All,
Recently we have promoted 4 DCs at our Azure site. We found one weird issue with the 4 2012 DCs: every few minutes we lose the ping response and the RDP session, but at the same time it's active for another user, who can ping the DC and keep the RDP session.
So I just want to know: is there any time limit for Azure DCs/servers to have an RDP session? Any security policy from the Azure side?
Since we are new to the Azure site, we are curious to know :))
Thanks, HA

Try not to overthink the fact that one VM is hosted in the Windows Azure service. You'll need to build a VPN to the Azure network, and join a domain like you would in any other case.
Mike Crowley | MVP | Planet Technologies

Similar Messages

  • Bug found in Deploy a domain controller and member using Windows Azure Virtual Machines. With fix

    I have been working with the script found at
    http://gallery.technet.microsoft.com/scriptcenter/Deploy-a-domain-controller-2ab7d658 as a base for my Azure deployments. I ran into a situation where, if a VNetwork already had a DNS entry, it wouldn't allow you to add another DNS entry. It would give an error similar to:
    Property 'DnsServersRef' cannot be found on this object. Make sure that it exists.
    This happened at line 447 of the original script.
    Line 447 looks like:
    $dnsServersRefElement = $foundVirtualNetworkSite.DnsServersRef
    I fixed the error by adding .Node after $foundVirtualNetworkSite, like this:
    $dnsServersRefElement = $foundVirtualNetworkSite.Node.DnsServersRef
    I hope that this gets fixed in the original script or that my post helps someone in the future.

    Please post comments and fixes to Gallery scripts by posting in the Gallery Q&A section for the referenced script. The owner of the script will be monitoring that but not this forum. Also, others using the script will be alerted to your discovery.
    Here is the Q&A page link:
    http://gallery.technet.microsoft.com/scriptcenter/Deploy-a-domain-controller-2ab7d658/view/Discussions#content
    ¯\_(ツ)_/¯
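Why the `.Node` matters: `Select-Xml` returns `SelectXmlInfo` wrapper objects, not the matched `XmlElement`, so a site's child elements such as `DnsServersRef` are only reachable through `.Node`. The script below is an added example, not the Gallery script, that reproduces the fix on a constructed classic (Service Management) network configuration; the site name `vnet-dc`, the DNS server names `dc01`/`dc02` and the addresses are made up for the example.

```powershell
# Added example: add a DnsServerRef to a VirtualNetworkSite in a classic
# NetworkConfiguration document, the step at which the Gallery script failed.
# All names and addresses below are constructed for the example.
[xml]$netCfg = @"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="dc01" IPAddress="10.0.0.4" />
        <DnsServer name="dc02" IPAddress="10.0.0.5" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="vnet-dc" Location="West US">
        <AddressSpace><AddressPrefix>10.0.0.0/16</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1"><AddressPrefix>10.0.0.0/24</AddressPrefix></Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="dc01" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@

function Add-VNetDnsServerRef {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$DnsServerName
    )
    $ns = @{ n = 'http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration' }

    # Select-Xml yields SelectXmlInfo objects; the XmlElement is in .Node.
    # Reading $found.DnsServersRef (without .Node) is exactly the error in the post.
    $found = Select-Xml -Xml $Config -Namespace $ns -XPath "//n:VirtualNetworkSite[@name='$SiteName']"
    if (-not $found) { throw "Virtual network site '$SiteName' not found" }
    $site = $found.Node

    # Reuse the site's DnsServersRef element if it already has one (the case that
    # broke the original script); otherwise create it in the document namespace.
    $refs = $site.DnsServersRef
    if (-not $refs) {
        $refs = $Config.CreateElement('DnsServersRef', $ns.n)
        [void]$site.AppendChild($refs)
    }

    # Idempotent: never add a second reference to the same DNS server.
    $existing = $refs.DnsServerRef | Where-Object { $_.name -eq $DnsServerName }
    if ($existing) { return $false }

    $ref = $Config.CreateElement('DnsServerRef', $ns.n)
    $ref.SetAttribute('name', $DnsServerName)
    [void]$refs.AppendChild($ref)
    return $true
}

# First call adds dc02 next to the existing dc01 reference; the repeat is a no-op.
Add-VNetDnsServerRef -Config $netCfg -SiteName 'vnet-dc' -DnsServerName 'dc02'
Add-VNetDnsServerRef -Config $netCfg -SiteName 'vnet-dc' -DnsServerName 'dc02'
$netCfg.NetworkConfiguration.VirtualNetworkConfiguration.VirtualNetworkSites.VirtualNetworkSite.DnsServersRef.DnsServerRef.name
```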

  • Lack of Connectivity to Domain Controller - Domain Controller Access Issues Require Repeated Reauthentication

    Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information. 
    I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is. 
    The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
    setup.)
    For 6+ months everyone had access to the shared files and databases on each workstation without issue. 
    In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already. 
    Last week one of the computers intermittently cannot gain access to the shared folders: entering the correct credentials just results in the credentials being requested again and again. There's an error icon at the bottom saying that "there are currently no logon servers available to service the logon request". While access is rejected I'm still able to ping the DC both via its name and IPv4 address.
    (Pinging via its name results in an IPv6 address in the response.)
    Other network connectivity appears intact (able to browse the web, perform network discovery).
    Things that ‘seem’ to allow access on this computer until the next failure:
    Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
    Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
    After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username. 
    Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
    Most Problematic Computer:
    Event ID 8016: System failed to register host A or AAAA resource records. (With an unknown IPv6 and the server's IPv4 address in the DNS server list.)
    Event ID 131: NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on 'Server.domain.local': 'No such host is known.'
    Event ID 5719: NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
    And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    Event 1030: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
    On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
    Ipconfig/all from the server:
       Connection-specific DNS Suffix 
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
       Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Preferred)
       Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
     10.1.10.1
       DHCPv6 IAID . . . . . . . . . . . : 234638804
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
       DNS Servers . . . . . . . . . . . : ::1
    127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ipconfig/all from the problematic computer:
    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . : wp.comcast.net
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
       Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Preferred)
       Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Preferred)
       Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
       Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
       Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
    10.1.10.1
       DHCP Server . . . . . . . . . . . : 10.1.10.1
       DHCPv6 IAID . . . . . . . . . . . : 54535618
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
       DNS Servers . . . . . . . . . . . : 2001:558:feed::1
    2001:558:feed::2
                    10.1.10.42
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next.  Could a failing piece of hardware be the culprit? 
    Thanks,
     -JT

    Hi,
    According to the error you have posted:
    A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
    Most of the time this is caused by network issues or name resolution (DNS/WINS) issues; you could refer to:
    Netlogon 5719 and the Disappearing Domain [Controller]
    http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
    Did you refer to this KB article?
    Event ID 5719 is logged when you start a Domain Member
    http://support.microsoft.com/kb/938449
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
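One concrete way to test the name-resolution explanation given in this reply: ask every DNS server the member has configured for the DC locator SRV record. In the ipconfig above, the client lists two ISP IPv6 resolvers ahead of the DC (10.1.10.42); resolvers that cannot answer `_ldap._tcp.dc._msdcs.<domain>` are exactly the ones that produce "no logon servers available" (5719) and Group Policy 1054 events. This script is an added example, not from the thread; it assumes Windows 8 / Server 2012 or later for `Get-DnsClientServerAddress` and `Resolve-DnsName`, and that `$env:USERDNSDOMAIN` holds the member's domain.

```powershell
# Added example: for each configured DNS server on this domain member, query the
# DC locator SRV records directly and report which servers can locate a DC.
# Assumes Windows 8 / Server 2012+ (DnsClient module) and a domain logon session.
#Requires -Version 3.0

function Test-DcLocatorDns {
    param(
        # Assumed: domain of the member; $env:USERDNSDOMAIN is set for domain logons.
        [string]$Domain = $env:USERDNSDOMAIN,
        # Optional AD site name to also test the site-specific locator record.
        [string]$Site
    )
    if (-not $Domain) { throw 'Domain name is required (not logged on with a domain account?)' }

    # The records Netlogon queries when it looks for a DC.
    $records = @("_ldap._tcp.dc._msdcs.$Domain")
    if ($Site) { $records += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }

    # Every DNS server on every adapter, IPv4 and IPv6, in the order the resolver uses them.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $alias = $_.InterfaceAlias
            $_.ServerAddresses | ForEach-Object { [pscustomobject]@{ Interface = $alias; Server = $_ } }
        }

    foreach ($s in $servers) {
        foreach ($rec in $records) {
            try {
                # -DnsOnly skips the cache, hosts file, LLMNR and NetBIOS so only this server is tested.
                $srv = Resolve-DnsName -Name $rec -Type SRV -Server $s.Server -DnsOnly -QuickTimeout -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'SRV' }
                $status = if ($srv) { 'OK' } else { 'NO-SRV' }
                $detail = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            } catch {
                # NXDOMAIN, REFUSED or timeout: this resolver cannot find a DC at all.
                $status = 'FAIL'
                $detail = $_.Exception.Message
            }
            [pscustomobject]@{
                Interface = $s.Interface
                DnsServer = $s.Server
                Record    = $rec
                Status    = $status
                DCs       = $detail
            }
        }
    }
}

# Any FAIL or NO-SRV row is a resolver that will make Netlogon fail when it is
# the one that answers; on the thread's client that would be the ISP IPv6 servers.
Test-DcLocatorDns | Format-Table -AutoSize
```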

  • Domain Controller cannot access \\domain\netlogon causing Auth issues

    Hi everyone, I have spent all day trying to figure out what is going on here. I have a Domain Controller (the only DC in the environment) that is acting funny.
    I first noticed it when I was attempting to RDP into a server in my domain and was getting "access denied" (but I could log in as a local admin). So when I looked at the Domain Controller, I ran a DCDiag DNS test and got an AUTH error, but I am not able to figure out how to fix this.
    Another thing I notice is that when I am signed into the Domain Controller (GP2010-a), I cannot browse to \\contoso.com\netlogon or any similar share.
    Here is the kicker: other servers on this domain, server3, server4, server5 etc... THEY CAN access \\contoso.com\netlogon. It is ONLY the Domain Controller and Server2 that CANNOT access this share. The other servers also allow me to RDP into them fine; it is only 1 server that is affected by this strange behavior.
    I have checked and there are no IP conflicts, and as far as I can tell all the DNS records are correct.
    Regarding the DYNAMIC IP warning, we have a reservation that assigns the IP.
    Thanks for any input here as I'm really stuck.
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = GP2010-A
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\GP2010-A
          Starting test: Connectivity
             ......................... GP2010-A passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\GP2010-A
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... GP2010-A passed test DNS
       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : contoso
       Running enterprise tests on : contoso.com
          Starting test: DNS
             Test results for domain controllers:
                DC: GP2010-A.contoso.com
                Domain: contoso.com
                   TEST: Authentication (Auth)
                      Error: Authentication failed with specified credentials
                   TEST: Basic (Basc)
                      Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
                      (can be a misconfiguration)
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90              
                DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235              
                DNS server: 2001:500:2::c (c.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c              
                DNS server: 2001:500:2d::d (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d              
                DNS server: 2001:500:2f::f (f.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f              
                DNS server: 2001:500:3::42 (l.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42              
                DNS server: 2001:500:84::b (b.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b              
                DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30              
                DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30              
                DNS server: 2001:7fd::1 (k.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1              
                DNS server: 2001:7fe::53 (i.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53              
                DNS server: 2001:dc3::35 (m.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35              
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                Domain: contoso.com
                   GP2010-A                     FAIL WARN PASS PASS PASS PASS n/a
             ......................... contoso.com failed test DNS

    Hi,
    TEST: Basic (Basc)
                      Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
                      (can be a misconfiguration)
    Do you have any NIC configured to get a dynamic IP on the DC which is having the issue? If yes, please disable that NIC. Also, please provide me the results of the below:
    1) On your DC which is having the issue, run "ipconfig /all"
    2) Repadmin /showrepl
    Thanks,
    Umesh.S.K
    Thanks, there is only 1 NIC card. It is getting a DHCP address because this is an Azure Hyper-V machine and I have set an IP reservation for it. I have no way to hardcode the IP because it gets shut off/on all the time.
    C:\Users\Administrator>repadmin /showrepl
    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\GP2010-A
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 007c755c-f56c-4e51-a211-fd4431f63927
    DSA invocationID: 007c755c-f56c-4e51-a211-fd4431f63927

  • Pricing for VM running WS 2012 E R2 primarily as domain controller for ~5 clients

    Hi
    I am starting a small medical clinic, with only about 6 client PCs. However, I would like a domain network structure for security purposes moving forward rather than a workgroup.
    I'm looking at either purchasing a modest server (i.e. HP ProLiant ML310) with Windows Server 2012 Essentials R2 and using it locally (total cost ~$1500) or using a Windows Azure virtual machine to run the domain controller over a VPN. We already use Office 365 E3, so don't really need a local server for email, storage etc. I already have an old Synology NAS that could be used for disk images etc. that we would lose out on with the hosted server solution.
    Can someone verify my calculations for the monthly cost estimate? I tried using the calculator: 1 small VM + 225 GB storage for the OS came to $65/month.
    Would I be able to run it on the small virtual machine or would I need to go up to medium just for the OS? If the latter is the case it would definitely not be cost effective.
    Thanks for the help
    TM

    Hi tdiddy,
    Thanks for posting!
    About VM and Azure storage pricing, I suggest you refer to these pricing details pages and fee calculations:
    http://azure.microsoft.com/en-us/pricing/details/virtual-machines/
    http://azure.microsoft.com/en-us/pricing/details/storage/
    Also, for this billing question please contact the Azure billing support team via
    http://www.windowsazure.com/en-us/support/contact/
    Hope it helps.
    Regards,
    Will

  • Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

    So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2.  Here is my scenario:
    1.  I want to setup the domain controller at Site A where the primary domain controller is located.  The primary domain controller is Windows Server 2008 R2. 
    2.  Once the DC is setup I plan on leaving it on our network for a few days before shipping it to remote Site B for installation
    Other key items:
    1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel.  All the DCs that replicate with each other are on the same domain. 
    2.  The 2012 DC that I setup for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A
    Questions:
    1.  What items can I set up while it's at Site A without affecting or conflicting with the existing network and domain controller? Can I set up a scope once the DHCP role is added?
    2.  All of our DCs replicate through Sites and Services; do I have to manually add this to our primary DC for the new DC going to remote Site B? Or does this happen automatically when I promote the DC?
    All in all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide. Any help would be appreciated.

    Hi,
    Thanks for your posting.
    When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
    For more detailed information, please refer to:
    Best Practices for Adding Domain Controllers in Remote Sites
    http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
    Regards.
    Vivian Wang

  • New Domain Controller does not show in our different site's Domain controller's Sites and Services

    Hi,
    We have two sites in our AD environment, the OMA site and the NY site. We have three domain controllers in our OMA site and two domain controllers in our NY site. All our DCs are Windows Server 2008 R2 except one in our OMA site that is 2003 R2; the domain functional level is also 2003 R2.
    We decided to raise our functional level to 2008 R2. I added a new domain controller in our OMA site and transferred all FSMOs from the DC that was running 2003 R2 to this new domain controller.
    The issue now is that our NY site does not make any connection with the new domain controller in the OMA site. It does not even show it under Sites and Services. I have checked the DNS settings and everything. If you try to replicate the connections from the NY site it gives the following error: "The naming context is in the process of being removed or is not replicated from the specific server."
    Can anyone please tell me why this is happening? My brain is just frozen at this moment and I can't figure out why this is happening.

    Just noticed this replication issue has been going on for a while now, but we never noticed until I added the new DC. Here is the error log for the NY site DC.
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          1/4/2014 8:11:40 AM
    Event ID:      2042
    Task Category: Replication
    Level:         Error
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      NORDC1.vertrue.com
    Description:
    It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
    The reason that replication is not allowed to continue is that the two DCs may contain lingering objects. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects". If the local destination DC was allowed to replicate with the source DC, these potential lingering object would be recreated in the local Active Directory Domain Services database.
    Time of last successful replication:
    2013-05-16 15:26:38
    Invocation ID of source directory server:
    9236ac56-d046-4632-b072-acbe823c5f6c
    Name of source directory server:
    accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com
    Tombstone lifetime (days):
    90
    The replication operation has failed.
    User Action:
    The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.
    If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD. To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects. To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".
    If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
    If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
    Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved. DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC. Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are located immediately.
    Alternate User Action:
    Force demote or reinstall the DC(s) that were disconnected.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
        <EventID Qualifiers="49152">2042</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>5</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2014-01-04T13:11:40.963263500Z" />
        <EventRecordID>38018</EventRecordID>
        <Correlation />
        <Execution ProcessID="660" ThreadID="1596" />
        <Channel>Directory Service</Channel>
        <Computer>NORDC1.vertrue.com</Computer>
        <Security UserID="S-1-5-7" />
      </System>
      <EventData>
        <Data>2013-05-16 15:26:38</Data>
        <Data>9236ac56-d046-4632-b072-acbe823c5f6c</Data>
        <Data>accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com</Data>
        <Data>90</Data>
        <Data>Allow Replication With Divergent and Corrupt Partner</Data>
        <Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
      </EventData>
    </Event>

  • The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted

    I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
    with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
    The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
    Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted."
    I have DNS installed on both servers and both look good with replicating there. The strange thing is, when on the 2012 server within DNS, if I right click and connect to another DNS server I can add server2 just fine, but from server2 adding server1 it tells me it is not available.
    Help please!

    Hi,
    As the Server 2012 DC (SERVER1) is operational in the domain, "This domain controller is the last controller for the domain" should remain unchecked when you demote the SERVER2 DC.
    If you are getting the error "Active Directory domain controllers for that domain can be contacted" while demoting the SERVER2 DC, then check the DNS pointing on both as per the articles below and disable the Windows firewall on all DCs; less likely, but worth checking: if both are in different sites then check that the ports are open on the firewall.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
    http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
    Run “ipconfig /flushdns & ipconfig /registerdns“, restart the DNS Server and NETLOGON services on each DC and try to demote the server2 DC.
    If the issue reoccurs, post the dcdiag /q result.
    NOTE: If initial replication was completed between both DCs (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
    Active Directory Metadata Cleanup
    http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
    Best regards,
    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

  • Synchronization of redundant Domain Controller

    Hello everyone,
    I have a question about synchronization of a redundant Domain Controller.
    We have a pair of DCs and they are placed in different buildings. The question is, what happens if the network connection between the buildings gets disconnected for a longer time, e.g. because of construction work?
    How long can they be isolated before they are not able to synchronize again when the connection gets back?
    Thanks in advance!

    Is this the right setup?
    Yes it is correct. I would go with 127.0.0.1 for 'Alternate DNS server'.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Required FSMO Roles to Bring up Domain Controller

    I have an unusual situation. Our network team is moving to a new vendor for our WAN circuits, and this change has left our network split. I have 10 domain controllers which can't talk to the other seven domain controllers. This situation will last about another 2 months.
    I have been asked to bring up an RODC in a location which can't connect to the DC which hosts the FSMO roles, but has communication with seven domain controllers.
    Is this possible?  What FSMO roles are required to bring up a DC?
    Thanks
    LRL

    In a worse case scenario, replication may fail between domain controllers when a WAN link is re-established:
    http://pmeijden.wordpress.com/2011/01/12/domain-replication-has-exceeded-the-tombstone-lifetime/
    "This can also happen when your network isn’t working properly or when replication error’s have occurred for to long without anyone noticing them. In large environments it’s possible that a complete site has been disconnected due to unavailable WAN
    connections. [...]
    The reason why the domain controllers will not continue the replication is because they are protected for so called Lingering Objects. For example, one or more objects that are deleted from Active Directory on all other domain controllers might remain on
    the disconnected domain controller. Such objects are called Lingering Objects. Because the domain controller is offline during the entire time that the tombstone is alive, the domain controller never receives replication of the tombstone and therefor doesn’t
    know that the object has been deleted."
    If your tombstone lifetime is still 60 days (the original default), that is about 2 months.
    You can check like this:
    http://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx
    If it is 180 days (new default - I won't go into the details of how and when this changed), you may avoid the worst-case scenario. But you still might have problems.
    Two months... how much time has already passed?
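    As an added illustration of the check described in the answer above (this is not code from the thread), the following PowerShell reads the forest's tombstoneLifetime attribute and then lists how many days each replication partner of one DC has gone without a successful inbound replication, flagging partitions that are at or past the lifetime. It assumes the ActiveDirectory RSAT module on a Windows Server 2012 or later DC; the DC name is a placeholder.

```powershell
# Added example, not from the original thread.
# Compare the forest tombstone lifetime with the replication gap on one DC.
Import-Module ActiveDirectory

$dcName = 'DC01'   # placeholder: a DC on the isolated side of the split

# tombstoneLifetime is stored on the Directory Service object in the Configuration NC.
# When the attribute is not set, the forest still uses the original default of 60 days.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
"Tombstone lifetime for this forest: $tsl days"

# Days since the last successful inbound replication, per partner and partition.
# A partition that reaches the lifetime without a successful replication is exposed
# to lingering objects and may refuse to replicate once the WAN link returns.
$now = Get-Date
Get-ADReplicationPartnerMetadata -Target $dcName -Partition * |
    ForEach-Object {
        $days = [int]($now - $_.LastReplicationSuccess).TotalDays
        [pscustomobject]@{
            Partition        = $_.Partition
            Partner          = $_.Partner
            DaysSinceSuccess = $days
            Failures         = $_.ConsecutiveReplicationFailures
            Status           = if ($days -ge $tsl)      { 'EXCEEDED' }
                               elseif ($days -ge $tsl/2) { 'warning'  }
                               else                      { 'ok'       }
        }
    } | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize
```

    Run it on a DC on each side of the split. Once the link is back, "repadmin /removelingeringobjects <DestDC> <SourceDCGUID> <NC> /advisory_mode" reports lingering objects in the Directory Service event log without deleting anything, which is the safe first step before repairing replication.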

  • Autoscale a Domain Controller VM

    Hi All,
    From what I have read so far, I suspect I cannot autoscale VMs that perform the Active Directory role, as the AutoScale service will shut down (deallocate) the VM, which I understand is a big problem for DCs.
    Can someone confirm?
    Thanks
    Mark

    Thanks for replying and for the link.
    I noticed the following paragraph
    "You should shut down and restart a VM that runs the domain controller role in Azure within the guest operating system instead of using the
    Shut Down option in the Azure Management Portal. Today, using the Management Portal to shut down a VM causes the VM to be deallocated. A deallocated VM has the advantage of not incurring charges, but it also resets the VM-GenerationID, which
    is undesirable for a DC. When the VM-GenerationID is reset, the invocationID of the AD DS database is also reset, the RID pool is discarded, and SYSVOL is marked as non-authoritative."
    Does AutoScale shut down (deallocate) the VM? If that is correct, then I would assume that AutoScale cannot be applied to DCs?
    Apologies if I lack the grasp of this new (but amazing) technology.
    Mark

  • Findout previous deleted domain controller computer name frome SID

    Hi
    I recently became suspicious that someone in my company joined a new additional domain controller to my primary DC and, after replication and getting the domain controller partitions, disjoined the new additional DC.
    I got this event in my DNS log:
    The DNS server was unable to create a resource record for  d630907c-e2f4-41cf-a2c6-adc087f25f46._msdcs.metro.com. in zone metro.com. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event
    data contains the error.
    I want to translate the DNS alias SID d630907c-e2f4-41cf-a2c6-adc087f25f46
    to a computer name in order to find who did this.
    Is there a way to find out the previous DC computer name after it was disconnected or the DC computer account was deleted?
    I want to know who did this.
    Regards

    The GUID you're referring to corresponds to the NTDS Settings object for the "lost" DC. You can do this in PowerShell to get the DirectoryEntry for that GUID:
    [adsi]"LDAP://<GUID=d630907c-e2f4-41cf-a2c6-adc087f25f46>"
    However, if the object has been deleted, you need to perform another query (in PowerShell as well):
    $guid = ([guid]"d630907c-e2f4-41cf-a2c6-adc087f25f46")
    Get-ADObject -SearchBase "DC=metro,DC=com" -IncludeDeletedObjects -Filter { objectGuid -eq $guid }
    Note that by default you need to be a member of Domain Admins or Administrators to be able to query AD for deleted objects.
    Best Regards,
    Carl S
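    The following PowerShell is an added example building on the answer above (it is not Carl's code). It takes the GUID from the DNS event, finds the NTDS Settings object whether live or deleted, reads its lastKnownParent to recover the server object and hence the DC name, and then looks up the matching computer account and its deletion time. It assumes the ActiveDirectory RSAT module, Domain Admins rights (required to read the Deleted Objects container), and that whenChanged on a tombstone reflects the time it was deleted; the GUID and domain are the ones from the post.

```powershell
# Added example, not from the original thread.
# Resolve a deleted DSA GUID back to the DC name and computer account.
Import-Module ActiveDirectory

$dsaGuid  = [guid]'d630907c-e2f4-41cf-a2c6-adc087f25f46'   # GUID from the DNS event
$domainDN = 'DC=metro,DC=com'
$configDN = (Get-ADRootDSE).configurationNamingContext

# 1. The NTDS Settings object whose objectGUID is the DSA GUID. Tombstones keep
#    objectGUID, lastKnownParent and whenChanged (set when isDeleted was written).
$ntds = Get-ADObject -SearchBase $configDN -IncludeDeletedObjects `
                     -Filter { objectGuid -eq $dsaGuid } `
                     -Properties lastKnownParent, whenCreated, whenChanged, isDeleted
if (-not $ntds) { throw "No live or deleted object with GUID $dsaGuid" }

"NTDS Settings : $($ntds.DistinguishedName)"
"  created     : $($ntds.whenCreated)"
"  last change : $($ntds.whenChanged)  (isDeleted=$([bool]$ntds.isDeleted))"

# 2. The parent is the server object CN=<DCNAME>,CN=Servers,CN=<site>,CN=Sites,...
#    Its leaf RDN is the DC's computer name. A deleted leaf looks like
#    "CN=DC01\0ADEL:<guid>", so strip the deleted-object suffix.
$serverDN = if ($ntds.isDeleted) { $ntds.lastKnownParent }
            else { $ntds.DistinguishedName -replace '^CN=NTDS Settings,' }
$serverName = (($serverDN -split ',')[0] -replace '^CN=') -replace '\\0ADEL:.*$'
"Server object : $serverDN"
"DC name       : $serverName"

# 3. The computer account (live or tombstoned). SERVER_TRUST_ACCOUNT (0x2000)
#    in userAccountControl marks an account that was a domain controller.
$sam = "$serverName`$"
Get-ADObject -SearchBase $domainDN -IncludeDeletedObjects `
             -Filter { sAMAccountName -eq $sam } `
             -Properties sAMAccountName, userAccountControl, whenCreated, whenChanged, isDeleted |
    ForEach-Object {
        [pscustomobject]@{
            Account    = $_.sAMAccountName
            WasDC      = [bool]($_.userAccountControl -band 0x2000)
            Created    = $_.whenCreated
            LastChange = $_.whenChanged
            Deleted    = [bool]$_.isDeleted
        }
    } | Format-List
```

    The creation and deletion timestamps give a window to correlate with Security log events on the DCs that replicated with the rogue server; the account that performed the promotion is not stored on the tombstone itself.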

  • Domain Controller Authentication Fail Since Upgrade

    When I boot my Mac Pro at the office, the network's domain controller prompts me for my domain login. Since upgrading to Yosemite, the domain controller rejects my credentials. However, I can go to "Connect To Server" and browse the entire network despite the domain controller not authenticating me as a user.
    To summarize, since switching to Yosemite:
    1. Can't login to the network when I submit my credentials
    2. Can browse the network without my credentials
    My theory is that the only reason #2 works is because #1 is working but Yosemite is just mistakenly telling me I wasn't authenticated.
    So what's the problem you may ask if I can browse the network anyway? The problem is that I can't mount any of the network drives to my desktop because Yosemite doesn't think I'm authenticated to do such. If I can solve this authentication problem, then I should get my mounted network drives back.
    Thanks in advance.

    Hi,
    TEST: Basic (Basc)
                      Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
                      (can be a misconfiguration)
    Do you have any NIC configured to get a dynamic IP on your DC which is having the issue? If yes, please disable that NIC. Also, please provide me the result of the below:
    1) On your DC which is having issue, run "ipconfig /all"
    2) Repadmin /showrepl
    Thanks,
    Umesh.S.K
    Thanks, there is only 1 NIC card. It is getting a DHCP address because this is an Azure Hyper-V machine and I have set an IP reservation for it. I have no way to hardcode the IP because it gets shut off/on all the time.
    C:\Users\Administrator>repadmin /showrepl
    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\GP2010-A
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 007c755c-f56c-4e51-a211-fd4431f63927
    DSA invocationID: 007c755c-f56c-4e51-a211-fd4431f63927

  • Error in starting domain controller !

    I have installed on Windows 2000, Oracle 9i Database 9.0.1 and Oracle 9iFS release 9.0.1.
    Configuration was OK, but the domain doesn't start.
    I launch 'ifslaunchdc.bat', 'ifslaunchnode.bat', and when I launch 'ifsstartdomain.bat', I receive this error:
    "An exception occurred while starting Domain controller - oracle.ifs.common.IfsException: IFS-40066: Remothed method threw exception java.lang.NoSuchFieldError: OCIEnvHandle"
    OTHER WAY:
    If I try in Oracle Management Server (from Oracle Enterprise Management Console), I go to Internet File Systems, I go to the domain picasso:53140 and it is launched (yellow light). I do right click and I choose 'Start Domain'. I receive the following message:
    " The Domain Controller 'picasso:53140' is launched
    Command failed:
    IFS-40066: Remothed method threw exception java.lang.NoSuchFieldError: OCIEnvHandle"
    So, the same error, and I don't find anywhere this exception !
    What should be done? Thanks, Jeanina

    I am not sure how you got into this state, but to clear it up you can edit the boot.properties file to enter (clear text) the username and password for the server (entered when running the Configuration Wizard).
    The boot.properties file is located in your domain at:
    <domain root>/servers/AdminServer/security
    Just enter the username and password in the file:
    username=myUserName
    password=myPassword
    WebLogic Server will boot up using these values and immediately encrypt the username and password in the file.
    An alternate approach would be to delete boot.properties in which case WLS will prompt you for the id/pw each time it is started/stopped.
    Brad

  • SAP Server Manager Error after BPC installation on domain controller

    Hi, I have installed BPC on a domain controller with Windows 2003 Server (English version). When I launch diagnostics in the "SAP Server Manager" I get the following error message: "Current user Name does not have permission for Administrators group". I think that the application is taking the local user (the diagnostic shows that the current user is "server name\user name" instead of "domain name\user name"), but I log in with the domain Administrator (this server is a domain controller and doesn't have local users).
    Thanks

    Hi
    I have the same issue that you had.
    "I have installed BPC on a domain controller with Windows 2003 Server (English version). When I launch diagnostics in the "SAP Server Manager" I get the following error message: "Current user Name does not have permission for Administrators group". The application is taking the local user (the diagnostic shows that the current user is "server name\user name" instead of "domain name\user name"), but I log in with the domain Administrator (this server is a domain controller and doesn't have local users)."
    Can you please let me know how you solved this ?
    thanks & regards
    Lokesh
