DHCP - From 1 Domain (2008r2) to another Domain (2012r2)

Hello Everyone.
For the sake of convenience and management simplification, my company is moving from 3 WinServer 2008r2 domains to a forest situation which will be 2012. I would like to be able to copy the ADUC information from DC1.2008.old to DC1.2012.new as much
as possible. I would like to find some assistance with copying DNS, DHCP, and ADUC (where possible). Most places I have looked deal with a migration from 2008 to 2012 in the same domain. This is different because the domains are different.
Does anyone have a suggestion?
Thanks for the help.
BJC

Hi,
No tool needed. In case the DHCP server holds different other roles (like file server,etc) you can migrate this like any other computer using the ADMT. If it is just a dhcp server you can either export DB , then migrate the server re-authorize and import
configuration or you can just create a new server inside destination forest install DHCP role configure scopes and make it available for the clients and decommission old one.
Just remember that if you are using Dynamic DNS registration for the windows computers in the AD-integrated zones, you might face issues with DNS resolution once computers are migrated because they start registering in the target domain DNS zone.
Below are some other helpful posts:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/5b9b3ad9-34d6-4ebf-8628-ba0aa19b42df/migration-of-dhcp-server-from-one-ad-forest-to-another?forum=winserverDS
http://social.technet.microsoft.com/Forums/windowsserver/en-US/26defd52-d9a6-4d9f-be6d-de9dc29ab100/dhcp-server-handling-for-cross-forest-migration-ad-2003-to-ad-2008-r2?forum=winserverMigration
http://blogs.technet.com/b/networking/archive/2008/06/27/steps-to-move-a-dhcp-database-from-a-windows-server-2003-or-2008-to-another-windows-server-2008-machine.aspx
Hope it helps.
Regards,
Calin

Similar Messages

Powershell Copy User Description from one Domain to another in one Forest

Hi.
I would like to copy the Description field from one domain to another domain in the same forest.
First I would like to get the following data from source domain
- SamAccountName
- Description
- Office
- Job Title
- Department
- Manager
I would like to get these informations to a txt-file. That I can manage myself, I think.
These values shoud then be set on the destination domain - and here my powershell skills are not suffecient. How do I add these values from txt-file to existing users? (if some users aren't there, the script should continue)....
I can Get-AdUser -Identity xxx -Server sourcedomain and Get-AdUser -Identity xxx -Server destinationdomain from the same powershell windows.
Regards
Carsten
Carsten

Hi. Thank you very much for helping me out. I tried the above script and added in additional properties.
When I run the script, I only get one line in my csv-file, the Office-field is empty and all items appear on screen instead of output to file.
The script looks as follows:
$ou = [adsi] "LDAP:<Server>"
$searcher = New-Object System.DirectoryServices.DirectorySearcher $ou
$searcher.Filter = 'objectClass=user'
$result = $searcher.FindAll()
foreach($contacts in $result)
$contact = $contacts.GetDirectoryEntry()
$contact | Select-Object -Property @{Name="SamAccountName";Expression={$_.SamAccountName}},
           @{Name="Description";Expression={$_.Description}},
           @{Name="Office";Expression={$_.Office}},
           @{Name="Title";Expression={$_.Title}},
           @{Name="Department";Expression={$_.Department}},
           @{Name="Manager";Expression={$_.Manager}}
$contacts | Export-Csv -Path output.csv
Carsten

Migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 and 2 other Domain External and Forest Trusts

Is there anything that needs to be done or considered when migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 with 2 other 2003 separate Domain incoming
and outgoing Trusts, one Trust that is a Forest Trust and the other is an External Trust? Is there any chance or risks that doing this upgrade will break either one of these Trust relationships? Some of the user accounts with SID history have been migrated
from both Domain Trusts to our domain. Any chance that this upgrade will break these relationships for users that are using SID history for access to folders and files in their old Domains? If so what can be done to protect these trusts and SID history, prior
to moving the Domain to 2008R2

Hi,
Based on my knowledge,
the Upgrade of the function level do not affect the trust relationship.
Besides, before you upgrade the Functional Level,
verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level.
Once the Functional Level has been upgraded, new DCs on running on downlevel versions of Windows Server cannot be added to the domain or forest.
For more information about function level, we can refer to following links:
Understanding Active Directory Domain Services (AD DS) Functional Levels
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
What is the Impact of Upgrading the Domain or Forest Functional Level?
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
Best Regards,
Erin

How to replace DHCP server from domainA with DHCP from domainB?

Hello fellow Administrators,
We have one remote site with one subnet. There's domainA domain controller and about 100 domainA's client computers in that subnet. We're about to send 100 domainB's client computers there as well.
There's also domainA's DHCP server running on the same subnet. DHCP scope options include domainA's domain name, gw and domainA's DNS server addresses.
DomainA and DomainB belongs to separate forests and there's two-way trust between them. DomainA DNS has stubzone for DomainB and DomainB has stubzone for domainA. That's how
clients can resolve hostnames of other domain.
All domainA's clients in remote site will be replaced gradually with domainB's client computers, but this can take a long time.
I want to note, that I cannot create second subnet for domainB at the moment.
At some point, we need to deploy DHCP server to domainB's member server in the remote site. What are the steps I should take to replace existing domainA's DHCP server with domainB's DHCP server while still allowing clients from domainA and domainB to successfully
find domain controller of their own domain and being able to resolve hostnames from both domains?

When the devices on your network first request an IP address or reach the end of their leases (or you force them to check their lease is still valid) they will simply
broadcast a request for a DHCP server, and will accept an offer from the first DHCP server
to reply.
Multiple DHCP servers PT 1: Spanning multiple subnets.
If you have several VLANs or physical network segments that are separated into different subnets, and you want to provide a DHCP service to devices in all those subnets then there are two ways of doing this.
If the router / layer 3 switch separating them can act as a BOOTP/DHCP relay agent, then you can continue to keep all your DHCP server(s) in one or two central parts of your network and configure your DHCP server(s) to support multiple ranges of addresses.
In order to support this, your router or layer 3 switch must support the BOOTP relay agent specification covered in section
4 of RFC 1542.
If your router does not support RFC 1542 BOOTP relay agents, or if some of your network segments are geographically dispersed over slow links, then you will need to place one or more DHCP server in each subnet. This ‘local’ DHCP server will only serve its own
local segment’s requirements, and there is no interaction between it and other DHCP servers. If this is what you want then you can simply configure each DHCP server as a standalone server, with the details of the address pool for its own subnet, and not worry
about any other DHCP servers on other parts of the network. This is the most basic example of having more than one DHCP server on the same network.
http://www.arabitpro.com

How to migrate Distribution list from one domain to another within same forest

team,
we are in the process of migrating all users mailbox, DL and contacts from one domain to another within a same forest.
can some one please let me know how can we migrate them without loosing the group membership and exchange attributes.
Kindly help.
Srinivasa K

I ran all of them
First Command , it works very well and its removed the exchange attribute
$DomCtrlr = (Dir env:Log*).Value.Replace('\','')
Get-MailContact -OrganizationalUnit Contacts -DomainController $DomCtrlr | Export-Csv E:\MailContacts.csv
Get-Contact -OrganizationalUnit Contacts -DomainController $DomCtrlr | Export-Csv E:\UserContacts.csv
Import-Csv MailContacts.csv | Disable-MailContact -DomainController $DomCtrlr
Second command
$DomCtrlr = "DCNAME"
$MailContacts = Import-Csv E:\MailContacts.csv
$UserContacts = Import-Csv E:\UserContacts.csv
after running the above command, I copied below on note pad and saved as .PS1 , as per your advise I make sure that starting with new-mailcontact and below 2 are is same line and Executed the ps1 script.
Scipt rans but didnt give me any error mesage.
ForEach ($Contact in $MailContacts) {
    $UserContacts | ? { $_.SamAccountName -eq $Contact.Alias } | % {
        New-MailContact -DomainController $DomCtrlr -LastName $_.LastName -FirstName $_.FirstName -Alias $_.SamAccountName -DisplayName $_.DisplayName -Name $_.Name -ExternalEmailAddress $Contact.ExternalEmailAddress -OrganizationalUnit
Test_con }
By Running
$MailContacts : it provided the stored value for users
$UserContacts: it
provided the stored value for users
after runing below in single notepad as .ps1 , not getting error message , but its not giving any
output nor error.
suspecting something needs to b checked on for loop
ForEach ($Contact in $MailContacts) {
    $UserContacts | ? { $_.SamAccountName -eq $Contact.Alias } | % {
        $_
Hope this explained clearly.
Srinivasa K

Migration from 1 domain to another (in relation to Exchange)

Hi, hoping someone can give me an opinion on the best way to carry out this task as it's quite a big project. I've read various articles on technet and other blogs, but I'm not sure if this is even possible with the versions of Exchange involved. Details
below:
We are carrying out a domain centralisation project - merging from an external forest (Domain B for example purposes) into another Forest (target Domain A). I will be using ADMT to carry out the account, group migrations etc and will include SID history
when doing so.
There is a two way external trust between the domains.
Domain B (source domain) has it's own Exchange 2010 environment. The target domain is on Exchange 2003 SP2.
Once I have migrated the accounts, is there any Exchange tools or methods for me to ensure that the migrated accounts can still access their Exchange mailboxes (with the domain trust still in place)?
As mentioned earlier I will be migrating SID history to ensure no disruption with access to resources, I have read that this would also be needed to ensure users can still access their original mailboxes in the source domain. Eventually we will be migrating
the mailboxes from old domain to new but this is phase 2 of the project (either by PST import or however this can be done, that will need to be thought about later...).
Any advice on how I can make sure the migrated users can still access their mailboxes and what I need to do, would be much appreciated.
Thanks,
Sarah

If the target forest is running Exchange 2003, you aren't 100% wrong in saying it may not be possible. If you are migrating from Exchange 2010 to a new forest, you need to be migrating into an Exchange 2010 organization - downlevel migrations aren't supported,
to the best of my knowledge. Here are the links supporting Exchange forest migrations, and they specifically say they are for migrations into an Exchange 2010 organization:
http://blogs.technet.com/b/meamcs/archive/2011/06/10/exchange-2010-cross-forest-migration-step-by-step-guide-part-i.aspx
https://gallery.technet.microsoft.com/office/Cross-Forest-Migration-7443029c
http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx
http://technet.microsoft.com/en-us/library/dd876952.aspx
I'm pretty sure that the tools used won't allow you to migrate from Exchange 2010 into Exchange 2003. I'm sure you can kludge together a migration process that exports mailboxes to PST, then imports them into the target mailboxes, but that would be
a painful process.

File associations are lost when user account is migrated from one domain to another domain (SID changes)

Hello,
Currently we are in the middle of a migration project. We are migrating users from child domains to the root domain of one organization.
The user accounts are migrated with powershell using Move-ADObject cmdlet. This works as expected. The SIDHistory attribute is updated correctly.
Recently we received complaints from some *migrated* users - they lost their default/custom file associations. This happens only on Windows 8/Windows 8.1.
What happens:
the user is migrated and logs on
her profile loads and everything's preserved (as expected)
the user clicks on a .jpeg file (previously associated with program XYZ)
OS asks the user to choose a program to open the file with
the user chooses a default program XYZ and the file opens
when the user clicks on a .jpeg file again - OS asks to choose a program again
i.e. the settings are not preserved.
Our investigation shows that it is connected with the UserChoice registry key and the HASH value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SomeExt
According to this blog
the HASH is calculated based on user's SID. But after the migration the user has new SID and the HASH becomes invalid and we hit this:
"However In Win 8, the registry changes are verified by a hash (unique per user and app) that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry."
Currently deleting the UserChoice key for all associations solves the problem. But the user has to make all her customizations again which is undesirable.
Is there any supported way to fix this? Why the OS doesn't update the HASH after the first logon when the SID has changed as it updates the SID for the ProfileList key?
This could become big issue in large migrations.

Hello Petar K. Georgiev,
Please check the following article to change the registry key to change back to the default file type associations.
http://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html
Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best regards,
Fangzhou CHEN
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Deleted failed DC from the domain (Server 2012 R2) - Now after doing metadata and DNS cleanup, I can no longer promote a new DC to the domain

I work for a university and teach IT courses to undergrad and graduate students. The details below are pertaining an isolated lab environment
I had a storage failure in my lab and the DCs became corrupt. This is a university lab environment so there isn't anything crucial on here. I just would rather avoid rebuilding the domain/forest and would rather use this as a learning experience with my
students...
So after the storage failed and was restored, the VMs hosted became corrupt. I did a NTDSUTIL to basically repair the NDTS.dit file but one of my DCs reverted to a state before DC promotion. Naturally, the domain still had this object in AD. After numerous
failed attempts at trying to reinstall the DC on the server through the server manager wizard in 2012 R2, I decided that a metadata cleanup of the old failed object was necessary.
Utilizing this article, I removed all references of the failed DC from both AD and DNS (http://www.petri.com/delete_failed_dcs_from_ad.htm)
So now that the failed object is removed completely from the domain and the metadata cleanup was successful, I then proceeded to re-install the necessary AD DS role on the server and re-promote to the existing domain. Pre-Requisites pass but generate some
warning around DNS Delgation, and Dynamic Updates (delegation is ignored because the lab is isolated from external comms, and dynamic updates are in fact enabled on both my _msdcs and root domain zones).
Upon the promotion process, I get the following error message (also worth mentioning - the account performing these operations is a member of DA, EA, and Schema Admins)
The operation failed because:
Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=domainVMDC1,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu on the remote AD DC domainVMDC2. Ensure the provided network credentials have sufficient permissions.
"While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync."
As you can see, this error seems odd considering. Now that I'm down to a single DC and DNS server, the sync should be corrected. I've run a repadmin /syncall and it completed successfully. Since then, I've run dcdiags and dumped those to a text as well and
here are my results...
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = domainVMDC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\domainVMDC2
Starting test: Connectivity
......................... domainVMDC2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\domainVMDC2
Starting test: Advertising
......................... domainVMDC2 passed test Advertising
Starting test: FrsEvent
......................... domainVMDC2 passed test FrsEvent
Starting test: DFSREvent
......................... domainVMDC2 passed test DFSREvent
Starting test: SysVolCheck
......................... domainVMDC2 passed test SysVolCheck
Starting test: KccEvent
......................... domainVMDC2 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... domainVMDC2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... domainVMDC2 passed test MachineAccount
Starting test: NCSecDesc
......................... domainVMDC2 passed test NCSecDesc
Starting test: NetLogons
......................... domainVMDC2 passed test NetLogons
Starting test: ObjectsReplicated
......................... domainVMDC2 passed test ObjectsReplicated
Starting test: Replications
......................... domainVMDC2 passed test Replications
Starting test: RidManager
......................... domainVMDC2 passed test RidManager
Starting test: Services
......................... domainVMDC2 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00001795
Time Generated: 12/18/2014 00:35:03
Event String:
The program lsass.exe, with the assigned process ID 476, could not authenticate locally by using the target name ldap/domainvmdc2.domain.school.edu. The target name used is not valid. A target name should
refer to one of the local computer names, for example, the DNS host name.
......................... domainVMDC2 passed test SystemLog
Starting test: VerifyReferences
......................... domainVMDC2 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
For the partition
(DC=ForestDnsZones,DC=domain,DC=school,DC=edu) we encountered
the following error retrieving the cross-ref's
(CN=3098109a-ff99-41d4-8926-0e814ac8efde,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
information:
LDAP Error 0x52e (1326).
......................... ForestDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition
(DC=ForestDnsZones,DC=domain,DC=school,DC=edu) we encountered
the following error retrieving the cross-ref's
(CN=3098109a-ff99-41d4-8926-0e814ac8efde,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
information:
LDAP Error 0x52e (1326).
......................... ForestDnsZones failed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
For the partition
(DC=DomainDnsZones,DC=domain,DC=school,DC=edu) we encountered
the following error retrieving the cross-ref's
(CN=2f0b8ac0-2630-441a-891f-b5fcb91498a8,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
information:
LDAP Error 0x52e (1326).
......................... DomainDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition
(DC=DomainDnsZones,DC=domain,DC=school,DC=edu) we encountered
the following error retrieving the cross-ref's
(CN=2f0b8ac0-2630-441a-891f-b5fcb91498a8,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
information:
LDAP Error 0x52e (1326).
......................... DomainDnsZones failed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition
(CN=Schema,CN=Configuration,DC=domain,DC=school,DC=edu) we
encountered the following error retrieving the cross-ref's
(CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
information:
LDAP Error 0x52e (1326).
......................... Schema failed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition
(CN=Configuration,DC=domain,DC=school,DC=edu) we encountered
the following error retrieving the cross-ref's
(CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
information:
LDAP Error 0x52e (1326).
......................... Configuration failed test CrossRefValidation
Running partition tests on : domain
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition (DC=domain,DC=school,DC=edu) we encountered
the following error retrieving the cross-ref's
(CN=domain,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
information:
LDAP Error 0x52e (1326).
......................... domain failed test CrossRefValidation
Running enterprise tests on : domain.school.edu
Starting test: LocatorCheck
......................... domain.school.edu passed test
LocatorCheck
Starting test: Intersite
......................... domain.school.edu passed test Intersite
From what I can gather, there is a definite DNS issue but I don't have any stale records to the old DC stored anywhere. I've tried this with a new server as well and get similar errors...
At this rate I'm ready to rebuild the entire forest over again. I'm just reluctant to do so as I want to make this a learning experience for the students.
Any help would be greatly appreciated. Thanks!

As you can see, there seems to be some errors. The one that I did correct was the one around the _msdcs NS record being unable to resolve. For whatever, reason the name wasn't resolving the IP but all other NS tabs and records were. Just that one _msdcs
sub-zone. Furthermore, the mentioning of any connections to root hint servers can be viewed as false positives. There is no external comms to this lab so no communication with outside IPs can be expected. Lastly, they mentioned a connectivity issue yet mention
that I should check the firewall settings. All three profiles are disabled in Windows Firewall (as they have been the entire time). Thank you in advance for your help!
C:\Windows\system32>dcdiag /test:dns /v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine domainVMDC2, is a Directory Server.
Home Server = domainVMDC2
* Connecting to directory service on server domainVMDC2.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=domainVMDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\domainVMDC2
Starting test: Connectivity
* Active Directory LDAP Services Check
The host
3a38b19c-4bb3-4542-acb6-9e5e97cc15c4._msdcs.domain.school.edu
could not be resolved to an IP address. Check the DNS server, DHCP,
server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... domainVMDC2 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\domainVMDC2
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... domainVMDC2 passed test DNS
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : domain
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : domain.school.edu
Starting test: DNS
Test results for domain controllers:
DC: domainVMDC2
Domain: domain.school.edu
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Error: No LDAP connectivity
The OS
Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] vmxnet3 Ethernet Adapter:
MAC address is 00:50:56:A2:2C:24
IP Address is static
IP address: *.*.100.26
DNS servers:
*.*.100.26 (domainVMDC2) [Valid]
No host records (A or AAAA) were found for this DC
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders are not configured on this DNS server
Root hint Information:
Name: a.root-servers.net. IP: 198.41.0.4 [Invalid (unreachable)]
Name: b.root-servers.net. IP: 192.228.79.201 [Invalid (unreachable)]
Name: c.root-servers.net. IP: 192.33.4.12 [Invalid (unreachable)]
Name: d.root-servers.net. IP: 199.7.91.13 [Invalid (unreachable)]
Name: e.root-servers.net. IP: 192.203.230.10 [Invalid (unreachable)]
Name: f.root-servers.net. IP: 192.5.5.241 [Invalid (unreachable)]
Name: g.root-servers.net. IP: 192.112.36.4 [Invalid (unreachable)]
Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
Name: i.root-servers.net. IP: 192.36.148.17 [Invalid (unreachable)]
Name: j.root-servers.net. IP: 192.58.128.30 [Invalid (unreachable)]
Name: k.root-servers.net. IP: 193.0.14.129 [Invalid (unreachable)]
Name: l.root-servers.net. IP: 199.7.83.42 [Invalid (unreachable)]
Name: m.root-servers.net. IP: 202.12.27.33 [Invalid (unreachable)]
Error: Both root hints and forwarders are not configured or
broken. Please make sure at least one of them works.
TEST: Delegations (Del)
Delegation information for the zone: domain.school.edu.
Delegated domain name: _msdcs.domain.school.edu.
Error: DNS server: domainvmdc2. IP:<Unavailable>
[Missing glue A record]
[Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
TEST: Dynamic update (Dyn)
Test record dcdiag-test-record added successfully in zone domain.school.edu
Warning: Failed to delete the test record dcdiag-test-record in zone domain.school.edu
[Error details: 13 (Type: Win32 - Description: The data is invalid.)]
TEST: Records registration (RReg)
Network Adapter [00000010] vmxnet3 Ethernet Adapter:
Matching CNAME record found at DNS server *.*.100.26:
3a38b19c-4bb3-4542-acb6-9e5e97cc15c4._msdcs.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_ldap._tcp.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_ldap._tcp.a9241004-88ea-422d-a71e-df7b622f0d68.domains._msdcs.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_kerberos._tcp.dc._msdcs.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_ldap._tcp.dc._msdcs.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_kerberos._tcp.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_kerberos._udp.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_kpasswd._tcp.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_ldap._tcp.Default-First-Site-Name._sites.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_kerberos._tcp.Default-First-Site-Name._sites.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_ldap._tcp.gc._msdcs.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_gc._tcp.Default-First-Site-Name._sites.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domain.school.edu
Matching SRV record found at DNS server *.*.100.26:
_ldap._tcp.pdc._msdcs.domain.school.edu
Error: Record registrations cannot be found for all the network
adapters
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 192.228.79.201 (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 199.7.83.42 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 199.7.91.13 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.91.13
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
DNS server: *.*.100.26 (domainVMDC2)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: domain.school.edu
domainVMDC2 PASS FAIL FAIL FAIL WARN FAIL n/a
......................... domain.school.edu failed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite

A virtual machine can't authenticate accounts from a domain

Hello,
I have a Windows Server 2012 R2 Standard server with Hyper-V, where there is a VM. Hyper-V Manager is 6.3.9600.16384 is used.
The VM was created and at that time it was able to authenticate accounts from anther domain. The VM is in one domain, say Domain A, and the VM and applications on the VM was able to use accounts in another domain, say Domain B. Doman
A and Domain B had a trusted relationship and all was working great on the VM and other servers in Domain A.
Then, the trusted relationship was broken. The applications and the VM still worked, but you could not add and use accounts in Domain B. Applications using accounts in Domain B could be not be authenticated either.
Then, recently we fixed the broken relationship between the two domains. However, on the VM, accounts from Domain B could not be added to applications and could not be authenticated nor used, even though other servers in Domain A had accounts
from Domain B working again.
What can be done to get the VM to recognized accounts in Domain B, now that the trusted relationship is working again between to two domains?
Paul

Hi Paul,
Please try to re-join the VM to domain A then test again .
Also you can use these methods mentioned in the following article to re-build the secure channel ：
http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/02/use-powershell-to-reset-the-secure-channel-on-a-desktop.aspx
Best Regards,
Elton Ji
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

Hello Community
    "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
domain controller using Active Directory and the UI.
    In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
forest trust with Forest-Wide authentication so that a different forest user(s) or
group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
    But also forestB needs to create a "One-way, Incoming" forest trust so that
I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
in my "forestA" or I can
add user(s) as "domain user(s)" from “forestB” into my "forestA".
    The problem is that when I right click the global group in my forestA and then
properties, when I click "Members" and then the "Add" button when I type
"forestB\username" I get an error message from Active Directory stating:
    "the following object is not from a domain listed in the Select location
dialog box, and is therefore not valid: forestB\username".
    Am I doing something wrong when creating the one-way trust in my
“forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
    Or could I possibly need to select "Change Domain" or "Change Domain Controller"
before adding the users or Groups to my forestA from forestB?
    That is why I am asking
how do you add an Active Directory user from one forest into another forest?
    Thank you
    Shabeaut

Hello Denis Cooper
    That is the end result.
    What I was trying to do was that I was trying to
bring in the user(s) and group(s) from “forestB” into
my “forestA” Global group.
    Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
into the domain local groups on my member servers in my forestA.
    So since the error message is:
"the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
Does your response
mean only Global group(s) from forestB not domain user(s) from forestB have
to been added to domain local groups in forestA?
Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
how without getting the above error message?
Thank you
    Shabeaut

Outlook Password prompt for Linked Mailboxes from certain Domain

Hello,
As part of a migration project, I'm trying to connect Outlook with Linked Mailboxes from users in a trusted domain.
I'm able to create the linked mailbox on the Exchange 2013 (CU7) server without any issue, but when I try to configure Outlook for these mailboxes, it is prompting for credentials permanently and won't start. Log on to OWA with the same user from the trusted
domain is working fine.
I'm able to configure Linked mailboxes from another trusted domain without any problems.
I've already recreated the trust between these two domains (validation tells everything is ok)
DNS is configured with conditional forwarders in both domains and name resolution looks ok to me (ping and nslookup)
When I look at the LinkedMasterAccount of the mailboxes from this domain, I can see that there is only the SID (S-1-5-21-4033829......). The other linked mailboxes (from the other domain where it's working) are showing the Account name (domain\user)
Internal and External ClientAuthenticationMethod of OutlookAnywhere is set to NTLM
Infos:
DomainA: Domainlevel 2012 - Exchange 2013 - Forest trust to Domain B and C
DomainB: Domainlevel 2008 - Exchange 2010 - Forest trust to Domain A - Outlook for linked Mailboxes of DomainA works fine
DomainC: Domainlevel 2008 - Forest trust to Domain A --> can't connect Outlook to LinkedMailboxes of this domain.
Is there anything else I can check?

Hi,
Please check whether the server is configured to only accept NTLM version 2 and reject NTLM and LM, and the Outlook client computer is not configured with the same LAN Mananger authentication level.
Check DC, Start -> Programs -> Administrative Tools -> Security Options -> Note the LAN Manager authentication level.
Check DC's policies, Start -> Programs -> Administrative Tools -> expand Security Settings\Local Policies -> Security Options -> Note the Lan Manager authentication level.
IMPORTANT： You may also have to check policies that are linked at the site/domain/organizational unit levels to determine where the LAN Manager authentication level must be configured. Configure the LAN Manager authentication level to "Send
NTLMv2 response only". If you want to implement NTLM version 2 in your network, make sure that all computers in the domain are set to use this authentication level.
Thanks
Mavis Huang
TechNet Community Support

Grant access to users from different Domains

Hi,
Recently my company was merged with another. All users from my company are setup in our Domain (DomainA). Sharepoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint)
in our AD to add groups from other companie's domain:DomainB, totally different Forest. There is a two way trust setup between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from other domain: DomainB.
The other users are now able to access our sharepoint environment once access is granted to DomainA\Test-Sharepoint.
Problem came when we applied Audience targetting around few web parts. The users from DomainB who are added as object in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone
suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within it.
Please suggest how we can resolve audience targeting issue?
Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
Trevor Seward
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Mapping users coming from different domain in AD

HI,
We have configured vintela SSO which is working.Now we are trying to add another domain but it has been unsuccessful.
We have imported the users coming from other domain in CMC->AD, and UseFDQNDirectoryForServers parameter in registry.
The issue is our complex krb5.ini errors as "cannot find kdc for realm" for the user account coming from the other domain.The existing domain kinit is successful.
Please help in resolving this issue!!! We need to have users coming from different domain to use vintela SSO.
Thank you.

well you're mixing things up a bit.
The usefqdnfordirectoryservers is used to map in groups. If the groups show up as well as the users that piece should be complete.
the krb5.ini is for logging in users manually, it must conatin the KDC for every domain that may contain users that need to log into BO. It also must have a KDC or capath entry to define all the parent domains as well (even if they do not have members that need to login. This is how the krb5 is used to verify transitive trusts. Then all users that are not in the default domain must logon as username@ DNSDOMAIN.COM where the DNS domain is entered in all caps aqnd represents the FQDN of theidomain the users bewlong to. Now if not logging in manually this should be a big problem.
So for SSO (vintela anyway) this process is automatic, although you may want to configure vintela with site information so it doesn't randomly use all your DC's Site can be set following the steps at the end of business objects note 1261835 (complete and vintela only editions).
In order for vintela to work properly the value entered in CMC > Authentication > Windows AD > service principal name must = an SPN thet was created on the account that is running the SIA/CMS
Regards,
Tim

Send connector - e-mails from two domains to distinct anti-spam IPs

I have an Exchange enviroment that has two domains. I want that e-mails sent from a domain do the relay to an anti-spam, and e-mails sent from another domain do the relay to another anti-spam.
Example:
I need to config send connector to send the e-mails from "test1.com" to IP 10.160.190.66 and from "test2.com" to IP 10.160.190.69
How do I do?
I need this because each domain uses distincts anti-spam
Tks.

Hi,
Before going on, I would like to confirm the following information.
What's the version of the Exchange?
Whether the two domains have their own Exchange or share one Exchange?
Thanks
Allen

Unable to load swf from different domain through html wrapper in Chrom

Hi All,
I am trying a embed a swf from different domain. My html wrapper was in one domain and swf was in another domain. I have embedded the swf into the html wrapper. When i run the html file it is loading the swf in firefox and working fine. But when i try to run the same html in chrom or IE the swf is aborted. I have crossdomain.xml file in both the servers which is also allowing both the domains. I was not able to figure out the issue. Can anybody help on this.
regards,
Jayagopal.

Are you getting any errors or warnings?

DHCP - From 1 Domain (2008r2) to another Domain (2012r2)

Similar Messages

Maybe you are looking for