Do I still remote Domain Controllers.....

Similar Messages

• Running Best Practice Analyzer on remote 2008 R2 domain controllers

  Hello Powershell World,
  I'll start out by first mentioning that I am a powershell rookie so I gladly welcome any input to help me improve or work more efficiently.  Anyway, I recently used powershell to run the best practice analyzer for DNS on all of our domain controllers.
   The way I went about was pretty tedious and inefficient but still got the job done through a series of one-liners and exported the report to a UNC path as follows:
  Enable-PSremoting -Force (I logged into all of the domain controllers individually and ran this before running the one-liners below from my workstation)
  New-PSSession -Name <Session Name> -ComputerName <Hostname>
  Enter-PSSession -Name <Session Name>
  Import-Module bestpractices
  Invoke-BPAModel Microsoft/Windows/DNSServer
  Get-BPAResult Microsoft/Windows/DNSServer | Select ModelId,Severity,Category,Title,Problem,Impact,Resolution,Compliance,Help | Sort Category | Export-CSV \\server\share\BPA_DNS_SERVERNAME.csv
  I'm looking to do this again but for the Directory Services best practice analyzer without having to individually enable remoting on the domain controllers and also provide a lsit of servers for the script to run against. 
  Thanks in advance for all your help!

  What do you mean by "without having to individually enable remoting "?
  You cannot remote without enabling remoting.  You only need to enable remoting once.  It is a configuraiton change.  If you have done it once you do not need to do it again.
  Here is how to runfrom a list of DCs.
  $sb={
  Import-Module bestpractices
  Invoke-BPAModel Microsoft/Windows/DNSServer
  Get-BPAResult Microsoft/Windows/DNSServer |
  Select ModelId,Severity,Category,Title,Problem,Impact,Resolution,Compliance,Help |
  Sort Category |
  Export-CSV "\\server\share\BPA_DNS_$env:COMPUTERNAME.csv"
  Invoke-BPAModel Microsoft/Windows/DirectoryServices
  # etc...
  ForEach($dc in $listofDCs){
  Invoke-Command -ScriptBlock $sb -Computer $dc
  ¯\_(ツ)_/¯

• Losing connection to the Domain Controllers at a remote site

  We have a remote site with a IPsec tunnel for a site to site connection and there are about a dozen window 7 systems on site.  Every 3 to 5 weeks, the systems start to lose the ability to log into the domain.  Running some tests, the DNS names
  keep resolving, their subnet is setup in Sites and Services to the group with the DC's and they are setup correctly for IP settings but seems like they still can't connect back to the DC's.  From there, under network profiles, it says the domain network
  is unauthenticated.  
  The only way we have found to fix this is to dis-join the computer from the domain and rejoin it.
  Is there a way from the computer to force it to re-authenticate without having to do this or a better fix?

  Hello Technsopyder,
  Do you means all the Windows 7 use the IPsec will lose connection to the Domain Controllers every 3 to 5 weeks?
  Do you receive the error code 5719 and 3210? Could you please provide the whole error message?
  Please check if you need to change the password before this issue as Brano Lukic mentioned.
  Best regards,
  Fangzhou CHEN
  Fangzhou CHEN
  TechNet Community Support

• Allow log on through Remote Desktop Services Group Policy for Domain Controllers

  Hello,
  We want to allow our Helpdesk Operators to be able to connect to Domain Controllers with the Remote Desktop Services. This is by default not allowed but according to many sites, it should be able to configure by using a Group Policy.
  We made a new Group Policy with the setting 'Allow log on through Remote Desktop Services' and 'Allow log on locally' (as an extra for testing) and applied Security Filtering to only use it for a specific Security Group. Our test user is a member of this
  security group and should be able to access the Domain Controllers now. However this isn't working.
  The error message we receive upon trying to connect:
  The connection was denied because the user account is not authorized for remote login.
  For troubleshooting, we also applied the Security Group for that setting in the Default Domain Controllers Policy but that doesn't seem to work either. We want to avoid customization on our Default Domain Controllers Policy but this was just a test case
  for solving our problem.
  What should we do to solve our problem?
  I hope to hear from you soon.
  Thanks in advance.

  Hi, I just found out what the problem was. This site helped me alot:
  http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
  In my case, I had the group added to the Allow Logon Through Remote Desktop Services but was not added to the Builtin\Remote Desktop Users group. After knowing this I made some changes to our situation and are now using the builtin\Remote Desktop Users group
  rather than a new self made Security Group. I also added the Remote Desktop Users to the Allow Logon Through Remote Desktop Service in the Default Domain Controllers Policy as this is not done by default. By default only the Domain Administrators are able
  to logon through remote desktop services.
  You do not need the 'Log on Locally' permission within the Group Policies.
  In short:
  Add the desired users/groups to the 'Builtin\Remote Desktop Users' security group.
  Add the 'Builtin\Remote Desktop Users' security group to the 'Allow Logon Through Remote Desktop Services' within the 'Default Domain Controllers Policy'.
  Thank you anyway for the fast reply.
  Have a nice day!

• Domain Admin Account cannot logon to member servers by remote. It can only logon to Domain Controllers

  Our environment has both 2008R2 and 2012R2 Domain Controllers. Recently one of our Domain Admins started having problems logging onto all servers by remote desktop except for domain controllers. The error message is as follows:
  "To log on to this remote computer, you must be granted the Allow log on through Terminal
  Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote
  Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually"
  All the other Domain Admin Accounts do not have this problem. Suggested solutions recommend checking local policies on the individual servers however I feel that is not
  right. Also there many servers hence doing that in each member server would be cumbersome. There must be solution that requires a single action for all servers and also does not  involve creating a new account. The account was recently used to implement
  a Windows 2012R2 WSUS server and besides the DC's, it is the only other server the account can remote into. This is strange. Help please.

  Hi,
  Does that user has permission for remoting before?
  To start with, there are two types of user rights; Logon rights & Privileges. In simpler terms these are: 
  1) Remote Logon: rights to machine
  2) Logon: privileges for access to the RDP-TCP Listener
  The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy. This is under
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  Also check RDP-TCP listener properties. More information.
  “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.
  http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Windows 8.1 Pro Cannot Connect to Domain Controllers through Wi-Fi

  I have a domain joined Surface 2 Pro running 8.1 Pro Update that is suddenly unable to connect to the domain controllers on the local network. The machine is fully patched. I'm guessing that it is some network level security issue because the wi-fi is working:
  It has no trouble connecting to my Wi-Fi hotspot on my phone.
  It has no trouble connecting to other Wi-Fi at coffee shops etc.
  It is connecting to my home Wi-Fi and gets an address from DHCP on the domain controllers, but can't ping the DCs, access the DCs through remote desktop even using their IP address.
  It can ping the router and ping systems on the internet using their IP address rather than hostname.
  I can fully access internet systems if I point it at DNS on the router but still cannot access internal systems by name or IP address.
  The Wi-Fi network shows as a public network rather than a domain.
  It will work fine when it is docked and using the dock's ethernet adapter.
  If I use VPN to loop back through my router then I am able to fully access local systems.
  None of the other systems on the network are experiencing the same issue.
  I have tried the following which didn't work:
  Switched off the Windows Firewall on the Windows 8.1 system and a domain controller.
  Network Troubleshooting - which told me that the network seems OK but the DNS servers are not responding.
  Uninstalling the Wi-Fi device and restarting the system to re-install it.
  Resetting TCP/IP.
  I am not aware of any changes, but the system did install System Hardware Update 8/07/2014 (again!) but I can't recall if that was when the problem started or was just a coincidence.
  Any suggestions?
  Thanks,
  Richard
  Richard-F

  Hi Richard,
  Apologize for my slow understanding.
  I thought as it could obtain IP address from the DC, it should have connections between them.
  For the current situation, you may take a try to disable the firewall on the DC, then check the port that used by AD environment is all available,
  Active Directory and Active Directory Domain Services Port Requirements, you could take use of this tool:
  PortQryUI - User Interface for the PortQry Command Line Port Scanner
  If all available and issue still insists, then issue here seems to be restricted with the wireless router. You may try to contact the router side and see if they could offer any further useful information regarding this situation.
  Best regards
  Michael Shao
  TechNet Community Support

• Domain Controllers that are DNS servers DNS Client settings

  [Copying verbatim from a mail by Joe ]
  So I have been pinged by a few folks recently on configuration of client DNS settings on Domain Controllers that are also functioning as DNS Servers. Lots of debate. I understand there has been long time debate within MSFT as well.
  From http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx there
  is the quote
  "3.When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address."
  From http://www.microsoft.com/en-us/download/confirmation.aspx?id=9166 (Windows
  Server 2008 R2 Core Network Guide)
  "9.        In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the
  local computer.
  10.       In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of
  the local computer."
  From http://technet.microsoft.com/en-us/library/dd378900(v=ws.10).aspx (DNS:
  DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers)
  "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to
  itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should
  be configured only as a secondary or tertiary DNS server on a domain controller...
  Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
  ESPECIALLY "For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary
  DNS server on a domain controller." and "Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
  Why shouldn't loopback not be first, the justification is why you shouldn't only use loopback, not why it shouldn't be first.
  From http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx (DNS:
  DNS servers on <adapter name> should include the loopback address, but not as the first entry)
  "If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners. 
  The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself,
  or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only
  as a secondary or tertiary DNS server on a domain controller."
  This also seems like justification against only using loopback versus using it first.
  Are there any actual real documented issues for using loopback first and a remote DNS server second and perhaps third? If the local DNS server service isn't working yet (or at all), I would expect the DNS Client process
  to try to connect to it, fail, and then failover to the secondary just like I would expect it to failover if the remote DNS server was secondary and it was unavailable and it failed back to the loopback. Am I making a bad assumption?
  And by documented I don't mean random responses to questions on the internet or other such items. I mean a KB article or technet article or properly researched and tested other web article from a reliable resource.
  thanks, 
  joe

  As I understand it, the scenario whereby a DC could become an 'island' if it points only to itself, or to itself first, was repaired in the Windows Server 2003 product cycle. See
  http://support.microsoft.com/kb/275278 for information about this scenario.
  However, there is still a known problem of slow boot times that can occur. See
  http://support.microsoft.com/kb/2001093 for information about this. The scenario that is discussed assumes there is a power failure and servers shut down due to overheating while on backup power. When
  multiple servers come online simultaneously after power is restored, there can be a significant delay.
  The recommended configuration is one that avoids a single point of failure, but also tries to optimize the speed of resource record registration, so that Active Directory can properly synchronize.
  -Greg

• SCCM 2012 Distribution Points on Domain Controllers

  I want to install Distribution points on all of my remote servers. They are all domain controllers though. I know one of the prerequisites to host the DP role is to have the SCCM computer object apart of that servers local administrators group. Since they
  are domain controllers they dont have a local security policy and it is controlled by AD. I'm sure you can add the SCCM computer object to the domain admins group to solve this but my question is if this is considered a supported configuration?

  If you are using the DC as a Distribution point to install clients via Client Push, the "NT Authority\Authenticated Users" group must be added to the local group "Users" to the DC/DP.
  Clients are still able to get installed manually, but Client Push fails.
  Failed to correctly receive a WEBDAV HTTP request.. (StatusCode at WinHttpQueryHeaders: 401)
  Run elevated command prompt (net localgroup users "Authenticated Users" /add)
  Test Client Push - Should be successful.
  Reason: By default the local groups NT Authority\Interactive Users and
  NT Authority\Authenticated Users are removed from the Domain Controller. Clients that are using the DP for content cannot authenticate using the computer account.

• UnLock Ad user from all Domain controllers

  We have 13 domain controllers in  5 Active directory sites, Unlock status is not updating in All DC's immediately. please help me to unlock Ad user from all the Domain controllers.
  Below is the script to unlock Ad account from one domain controller:
  Clear-Host
  $luser = Read-Host “Input the name (Last name, First name) of the locked user”
  $lockstatus = Get-ADUser "$luser" –Properties lockedout -Server DC10
  if ($lockstatus.lockedout –eq $True)
  $nul = Get-ADUser "$luser" | Unlock-ADaccount
  $nul = Get-ADUser "$luser" | Set-ADAccountPassword -NewPassword “password”
  Write-Host "Account unlocked and password reset"
  if ($lockstatus.lockedout –eq $false)
  Write-Host "Account is not locked"
  Raj

  we have remote site users are facing problems.
  Our L1 agents will unlock User ID in Primary site, replication taking time to replicate to remote DC.
  So need a script to unlock USer ID in all Dcs
  Raj
  Replication of unlocks is faster than you can  do it in script.  It is pushed immediately.  It does not wait fro replication. If thisis not happening then you need to find the problem and fix it.
  You need to fix your problem.  A script will not fix it.
  IF you insist on doing it manually then just run the script one time for each DC.
  If you still do not know what to do you must contact a consultant or your network vendor and have them assist you with this.   We are not a custom solution provider or a free script writing forum.  Doing this would keep you from fixing a problem
  which could lead to other bad things.  Please take the time to take the correct technical steps.
  One thing that might help is to NOT select a DC for the reset.  The DC you are selecting is probably not replicating.  Let Windows choose a DC for you.
  You must run diagnostics on your network to find out what is happening.  Contact you network administrator to do this.  If you do not have a trined network administrator then please contact a consultant or your vendor.
  ¯\_(ツ)_/¯

• I need to be able to find domain controllers that have been removed from the domain but never demoted

  I need to find domain controllers that have been removed but never demoted.
  Here's the story...
  I came on an Active Directory administrator for an organization which has 600+ domain controllers, most running Server 2003, but I have some Server 2008R2. Throughout all this time the organization has had DCs that have stopped working, crashed or failed
  for some reason and all the IT department has done is created another domain controller name it the same thing with an (A), (B) appended to the name and then never removed any of the failed controllers from the directory.
  Thing is this has been going on for quite some time, don’t know for sure how long as I am still trying to clean up DNS replication problems and have been having to go around and reset machine passwords for the forest. What I need to be able to do is to script
  something that will return all the failed DCs so that I can go into the directory and use NTDUTIL to clean the machines. I don’t want to go into the directory and remove a machine that’s still out there. No one in the organization has a list or record of failed
  machines.
  You can see this may be a gargantuan task, but I need to be able to make it easier on 
  myself by finding the machines first and cleaning out DNS, cleaning the DCs out of the “Sites” and cleaning them out of the directory.
  Appreciate any help I can get…

  Hi,
  Thanks for posting in the forum.
  Regarding your question, maybe we should remove these orphaned DC from AD, please try to refer to the following articles to perform the cleanup task.
  How to remove completely orphaned Domain Controller
  http://support.microsoft.com/kb/555846
  Complete Step by Step to Remove an Orphaned Domain controller
  http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
  Metadata Cleanup of a Domain controller
  http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
  Here is a similar thread as reference, hope it helps.
  Remove References of a Failed DC/Domain
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/87516188-731a-4b7f-a4cc-06ce4ad27b19/remove-references-of-a-failed-dcdomain
  Best Regards,
  Andy Qi
  TechNet Subscriber Support
  If you are
  TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Andy Qi
  TechNet Community Support

• Blue Screen on Domain controllers after Updates

  After patching our Domain controllers (virtual on ESXi 5.5 U2) recently we started getting Blue screens and reboots. Other changes in our environment around this time include enabling vshield drivers and scanning with Trend Micro. I have removed patches
  from April but cannot remove Patch KB3020370 - there is no uninstall button. The error still persists, I have removed the Vshield driver and am waiting to see if the issue reoccurs. Can anyone assist in interpreting the details below? Also is it possible to
  remove the patch KB3020370? This only appeart to affect Domain Controllers, regular servers appear unaffected.
  Thanks
  Below is the BugCheck event.
  The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007f (0x0000000000000008, 0x0000000080050031, 0x00000000000406f8, 0xfffff800018c0e14). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042915-21762-01.
  And output from the debug tool.
  Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
  Copyright (c) Microsoft Corporation. All rights reserved.
  Loading Dump File [c:\MiniDump\042815-21762-01.dmp]
  Mini Kernel Dump File: Only registers and stack trace are available
  Error: Attempts to access 'c:\windows\i386' failed: 0x2 - The system cannot find the file specified.
  ************* Symbol Path validation summary **************
  Response                         Time (ms)     Location
  Error                                          c:\windows\i386
  ************* Symbol Path validation summary **************
  Response                         Time (ms)     Location
  Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
  Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
  Executable search path is: c:\windows\i386
  Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x64
  Product: LanManNt, suite: TerminalServer SingleUserTS
  Built by: 7601.18798.amd64fre.win7sp1_gdr.150316-1654
  Machine Name:
  Kernel base = 0xfffff800`0185e000 PsLoadedModuleList = 0xfffff800`01aa3890
  Debug session time: Tue Apr 28 13:20:34.290 2015 (UTC + 1:00)
  System Uptime: 0 days 0:27:28.954
  Loading Kernel Symbols
  Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
  Run !sym noisy before .reload to track down problems loading symbols.
  Loading User Symbols
  Loading unloaded module list
  *                        Bugcheck Analysis                                    *
  Use !analyze -v to get detailed debugging information.
  BugCheck 7F, {8, 80050031, 406f8, fffff800018d4e14}
  Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )
  Followup: MachineOwner
  kd> !analyze -v
  *                        Bugcheck Analysis                                    *
  UNEXPECTED_KERNEL_MODE_TRAP (7f)
  This means a trap occurred in kernel mode, and it's a trap of a kind
  that the kernel isn't allowed to have/catch (bound trap) or that
  is always instant death (double fault).  The first number in the
  bugcheck params is the number of the trap (8 = double fault, etc)
  Consult an Intel x86 family manual to learn more about what these
  traps are. Here is a *portion* of those codes:
  If kv shows a taskGate
          use .tss on the part before the colon, then kv.
  Else if kv shows a trapframe
          use .trap on that value
  Else
          .trap on the appropriate frame will show where the trap was taken
          (on x86, this will be the ebp that goes with the procedure KiTrap)
  Endif
  kb will then show the corrected stack.
  Arguments:
  Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
  Arg2: 0000000080050031
  Arg3: 00000000000406f8
  Arg4: fffff800018d4e14
  Debugging Details:
  BUGCHECK_STR:  0x7f_8
  CUSTOMER_CRASH_COUNT:  1
  DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT_SERVER
  PROCESS_NAME:  System
  CURRENT_IRQL:  0
  ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
  LAST_CONTROL_TRANSFER:  from fffff800018cffe9 to fffff800018d0a40
  STACK_TEXT:  
  fffff800`01620d28 fffff800`018cffe9 : 00000000`0000007f 00000000`00000008 00000000`80050031 00000000`000406f8 : nt!KeBugCheckEx
  fffff800`01620d30 fffff800`018ce4b2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
  fffff800`01620e70 fffff800`018d4e14 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
  fffff880`0276e000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x4
  STACK_COMMAND:  kb
  FOLLOWUP_IP: 
  nt!KiDoubleFaultAbort+b2
  fffff800`018ce4b2 90              nop
  SYMBOL_STACK_INDEX:  2
  SYMBOL_NAME:  nt!KiDoubleFaultAbort+b2
  FOLLOWUP_NAME:  MachineOwner
  MODULE_NAME: nt
  IMAGE_NAME:  ntkrnlmp.exe
  DEBUG_FLR_IMAGE_TIMESTAMP:  5507a73c
  IMAGE_VERSION:  6.1.7601.18798
  FAILURE_BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+b2
  BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+b2
  ANALYSIS_SOURCE:  KM
  FAILURE_ID_HASH_STRING:  km:x64_0x7f_8_nt!kidoublefaultabort+b2
  FAILURE_ID_HASH:  {0367acc4-9bb4-ab69-5701-46a2011718e9}
  Followup: MachineOwner

  Hi,
  Dump file displays：
  BugCheck 7F, {8, 80050031, 406f8, fffff800018d4e14} and Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 ).
  Bug check 0x7F typically occurs after you install a faulty or mismatched hardware (especially memory) or if installed hardware fails.
  A double fault can occur when the kernel stack overflows. This overflow occurs if multiple drivers are attached to the same stack. For example, if two file system filter drivers are attached to the same stack and then the file system recurses back in, the stack
  overflows.
  You may reference the link below for detailed resolution about this problem:
  https://msdn.microsoft.com/en-us/library/windows/hardware/ff559244(v=vs.85).aspx
  Besides, you may try to restore the server to the state before installing these Windows Update.
  Best Regards,
  Eve Wang 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Communication issues between domain controllers

  Hi everyone,
  I am experiencing some problems in communication between domain controllers in our organization
  We have three domain controllers, one of them is a Windows 2003 server service pack 2 which is physical (controller A), another which is Windows 2008 Service Pack 2 (controller B), also physical, and a third one (controller C) which is a Windows 2008
  service pack 1 and is virtual.
  I have problems with this last DC, it won't respond to pings, or DNS query. I can't Access it by remote desktop client even when it is enabled. I cannot update it, it prompts error messages if I try to do so.
  This problems are solved if I reboot it, it will work fine some hours or days, but not much longer. I have checked event viewer and I didn't found any message about this.
  I read some time ago it would be great to have a DC in a virtual machine, so I did it, but is it right?
  Do you know what might be going on with it? would depromoting it and seting it up again the best solución?
  Thank you very much.
  Best regards.
  David.

  This sounds like a NIC issue, which is odd since it is a virtual machine.  Have you checked the host for any logs about the client? 
  I think the first thing I would do is destroy the current virtual NIC card and add a new one.  Since this has nothing to do with Active Directory I would also suggest you post this in a forum of for the Host (VMWare or Hyper-V).
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Can't edit default domain controllers policy on windows 8 or server 2012

  I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine.  I can edit and save changes fine from a Windows 7 machine.  The domain controllers are running Windows 2012 Standard upgraded
  from Windows 2008 R2.  Is there a security setting I am missing?

  Posting the resolution from the other thread.  Hope it helps!
  I just accidentally resolved this issue today.  I added the GPMC to a 2008 R2 server so I could make a needed firewall
  change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile).  About an hour later, I forgot I was using my Windows 8 machine and I went
  to edit the Default Domain Controllers GPO and opened for edit without a problem.  I can now edit it from Windows 8 and from Windows Server 2012.  Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
  editing the GPO once from a 2008 R2 machine.

• Restoration of Domain controllers

  Hi All,
  I have 2 RWDCs domain controllers in headquarters and a few RODCs in branch offices.I have some question on the restoration of the domain controllers and what is required to be done on the RODCs after the restoration of RWDC.
  Example:
  All my RWDCs are down site but all other RODCs site are still working properly.  I recover one RWDC that hold all the FSMO roles by using non-autoritative restore (restore from image). After the restoration, do i need to do anything else? Do i need
  to rebuild the RODCs?
  I try to search all over the internet for this scenario but couldn't find anythnig.
  Please advise.
  Thanks, ALoy

  Hello,
  the RODCs will still get the updates from the RWDCs as long as replication works after the restore.
  But with 2 RWDCs you could also seize FSMO roles on the other RWDC, in case the broken RWDC NEVER comes back, run metadata cleanup and then install a new RWDC into the domain AFTER the cleanup is also replicated to the RODCs.
  http://blogs.msmvps.com/mweber/2010/05/16/active-directory-metadata-cleanup/
  Cleanup also require to remove references from AD sites and services, DNS zones and DNS server lists.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Disabling IPv6 on 2008R2 Domain Controllers... Best Practice?

  At the end of last year I had a call with Microsoft Support in which I spoke with a member of the Directory Services team regarding an issue.  The issue was resolved with no further problems, but while conversing with the Technical Support Engineer
  I queried him on another issue regarding a second copy of our DNS zone in Active Directory.  He looked at it (remoted in via RDP) then looked at my NIC properties and stated that the reason it happened is because we are running IPv6 on our DCs. 
  I told him we do that on all our servers. (leave IPv6 enabled.)  He then stated that we should not do that, expanding by saying that "Microsoft is in the process of rewriting documentation as IPv6 is no longer supported on Domain Controllers."    
  Needless to say I could not believe this.  I told him how Exchange on an SBS server cannot have IPv6 disabled as the server will stop booting, but he was very adamant about it; he even put me on hold for 10 minutes then came back saying he confirmed
  that this is the case and spoke with the "Documentation Team" and the new Best Practices would be released within the next month. In the meantime he recommended I disable IPv6 on all my DCs. (I work in Consulting so that's a lot of DCs at various different
  business entities.)
  I didn't believe him then, and I don't believe him now.  Reviewing the FAQ linked through http://support.microsoft.com/kb/929852  Says that Microsoft does not recommend disabling IPv6.  Of course no documentation ever came out, nor have I
  found anything to agree with his statements. (we solved the duplicate partition issue ourselves.)
  I just wanted to post here and see if anyone else has heard of this, maybe I'm the one not up and up on my info.  Has or does Microsoft plan on reversing course on the new IPv6 technology that 2008 and up are built on?  I would think that quite
  preposterous!
  Thanks,
  Christopher Long
  Science is a way of thinking much more than it is a body of knowledge. -- Carl Sagan

  There are cases where you DO WANT to disable IPv6 on a domain controller. 
  Example: you have an IPV4 network and do not have IPV6 deployed. In this case if you are not using IPv6 but leave it enabled than Windows will assign itself an IPv6 at random via the APIPA process. That IP address can and does change when you reboot the
  server.... So I bet you see the problem here. 
  If you build a domain controller with IPv6 enabled - it will register it's IPV6 address in DNS as offering AD services. Then when you reboot that domain controller and that address changes - BOOM. AD comes crashing down. AD relies heavily on DNS. Windows
  thinks it's smarter than you and registers it's IPv6 address obtained via APIPA in DNS. Now that's a problem. Particularly because Win Server 2008+ prefer IPV6 over IPV4 networks. So communication can blow up even if a valid IPv4 network is available. 
  So yes - there are instances where you do want to - in fact need to - disable IPv6 on domain controllers. Microsoft's documentation does not reflect this but it should. At a minimum if they want you to leave it on they should at least remind you to set a
  static IPv6 address if you're running an IPv4 network. 
  (ask me how I know all this over a beer some time)
  I opted to just disable it. Despite MS's documentation warning of the contrary - I've seen no adverse impacts. Exchange, Sharepoint, AD, etc. all humm along fine.