Domain Controller Ratio to Lync servers
For Lync 2013/2010, is there some formula that dictates the number of domain controllers that are required for each FE/pool? I see that Exchange 2013 has a requirement that for every 8 mbx servers, one DC is needed.
This could potentially be dealing with 100K users.
Thanks,
Chris
Christian Frank
I have not come across any Lync documentation specifying a number of Front Ends limit to a DC. Usually a DC per site is the only mentioned requirement. Thats not what you are after though. I would assume that if Exchange were deployed with the numbers you
have stated that Lync would be quite happy with that.
In any event, I don't think you are going to get a straightforward answer as scoping DC's come into play. So it all depends on a huge number of variables. You probably alredy see this but I'll add it anyway
http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
Lync Sorted blog
Similar Messages
-
When exchange Domain Controller or Global Catalog servers?
I have a few questions want to get your help.
1,which situation exchange would contact with the Domain Controller, and which situation exchange would contact with the Global Catalog servers?what's the difference?
2,for the mailbox replication service, besides moving the mailbox ,and DAD relevant operations, which situation mailbox replication service also contact with Dc?
Please click the Mark as Answer button if a post solves your problem!Hi,
About Question 1:
For Exchange, GC is mainly for Address Book lookups. Exchange server access to the global catalog for address information.
About DC, every domain controller contains the following three directory partitions.
1. Configuration: Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc= forestRootDomain.
2. Schema: Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc= forestRootDomain.
3. Domain: Contains a < domain > container, which stores users, computers, groups, and other objects for a specific domain.
For example, each Exchange Server object has the attribute Boolean messageTrackingEnabled. The Exchange server processes will turn on or off message tracking depending on the value of this attribute in the directory. This is an example of configuration data.
Configuration data is stored in the Configuration partition of Active Directory, and this partition is replicated to every DC in the Forest. Therefore Exchange can potentially go to any DC to access this information.
About Question 2:
The Mailbox Replication Service is responsible for moving mailboxes, importing and exporting .pst files, and restoring disabled and soft-deleted mailboxes. All these options need to contact with DC.
Best regards,
Belinda
Belinda Ma
TechNet Community Support
Thank you so much
Please click the Mark as Answer button if a post solves your problem! -
Process MAD.EXE (PID=1932). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC).
Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about
the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.
Process MAD.EXE (PID=1932). All Domain Controller Servers in use are not responding:
DC02.targetiletisim.local
DC01.targetiletisim.local
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1148). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge
Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.
pls help me :(Hi,
Please use dcdiag and nltest to test the connectivity.
BTW, have you disabled ipv6 on Exchange Server.
Thanks,
Simon Wu
TechNet Community Support -
Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information.
I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is.
The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
setup.)
For 6+ months everyone had access to the shared files and databases on each workstation without issue.
In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already.
Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently
no logon servers available to service the logon request”. While access is rejected I’m still able to ping the DC both via its name and IPV4 address.
(Pinging via its name results in an IPv6 address in the response.)
Other network connectivity appears intact (able to browse the web, perform network discovery.)
Things that ‘seem’ to allow access on this computer until the next failure:
Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username.
Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
Most Problematic Computer:
Event ID 8016: System failed to register host A or AAAA resource records. (With an unknown Ipv6 and the server’s ipv4 address in the DNS server list.)
Event ID 131: NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’
‘No such host is known.”
Event ID 5719: NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Event 1030: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation
at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
Ipconfig/all from the server:
Connection-specific DNS Suffix
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
10.1.10.1
DHCPv6 IAID . . . . . . . . . . . : 234638804
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ipconfig/all from the problematic computer:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix
. : wp.comcast.net
Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
rred)
Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
10.1.10.1
DHCP Server . . . . . . . . . . . : 10.1.10.1
DHCPv6 IAID . . . . . . . . . . . : 54535618
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
10.1.10.42
NetBIOS over Tcpip. . . . . . . . : Enabled
Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next. Could a failing piece of hardware be the culprit?
Thanks,
-JTHi,
According to the error you have posted.
A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
Netlogon 5719 and the Disappearing Domain [Controller]
http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
Did you refer to this KB article?
Event ID 5719 is logged when you start a Domain Member
http://support.microsoft.com/kb/938449
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Error in starting domain controller !
I have installed on Windows 2000, Oracle 9i Database 9.0.1 and Oracle 9iFS release 9.0.1.
Configuration was OK, but the domain doesn't start.
I launch 'ifslaunchdc.bat', 'ifslaunchnode.bat', and when I launch 'ifsstartdomain.bat', I receive this error:
"An exception occurred while starting Domain controller - oracle.ifs.common.IfsException: IFS-40066: Remothed method threw exception java.lang.NoSuchFieldError: OCIEnvHandle"
OTHER WAY:
If I try in Oracle Management Server (from Oracle Enterprise Management Console), I go to Internet File Systems, I go to the domain picasso:53140 and it is launched (yellow light). I do right click and I choose 'Start Domain'. I receive the following message:
" The Domain Controller 'picasso:53140' is launched
Command failed:
IFS-40066: Remothed method threw exception java.lang.NoSuchFieldError: OCIEnvHandle"
So, the same error, and I don't find anywhere this exception !
What should be done? Thanks, JeaninaI am not sure how you got into this state, but to clear it up you can edit the boot.properties file to enter (clear text) the username and password for the server (entered when running the Configuration Wizard).
The boot.properties file is located in your domain at:
<domain root>/servers/AdminServer/security
Just enter the username and password in the file:
username=myUserName
password=myPassword
WebLogic Server will boot up using these values and immediately encrypt the username and password in the file.
An alternate approach would be to delete boot.properties in which case WLS will prompt you for the id/pw each time it is started/stopped.
Brad -
I have racked my brain and done everything that I know to do for about two weeks now. I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming
profiles. It keeps telling me that the roaming profile could not be loaded because of a slow connection. These are workstations that are connected directly to the switch that the DC is connected to. I have tried multiple connections regarding
the layout (DC into the router, router into the switch). The router is a Cisco RV220W. I have two VLANS, one for public and one for private domain. The Private VLAN has DHCP turned off since I am providing it through the DC. I currently
have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port). I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller. The DC can see
the internet fine and the workstations can connect to the shared folders on the server. I can retrieve files by just using the computer name or FQDN. The DC is also running DNS and DHCP. The DNS has the _msdcs setup from when I installed
the active directory role. I have attempted to assign static IP addresses to the workstations:
IP: 10.0.0.80
Subnet: 255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS: 10.0.0.12
I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
The server is assigned:
IP: 10.0.0.12
Subnet: 255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS: 10.0.0.12
The DNS entries have forwarders that forward to my ISP DNS servers for lookup
I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
I've lost my patience with this project and am sinking fast. Can someone please offer some advice as to what I've done wrong? I've created this exact scenario at work many times but, I've never done it with Windows Server 2012. Is this
possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV? I am going to attempt to work on it some more tomorrow when I get over there. I think there may be an issue with the SR-IOV not being enabled on the machine
through the Dell Bios. Would the SR-IOV really cause the workstations to report a slow connection? When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct. I don't
have "ignore slow connections" or any of those GPO's set. I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem. Any help that someone can offer, I am more than willing
to listen. If you need more information, please ask.
Thanks,
JaySo, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many
post and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the
virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If hyper-v would allow passthrough, this would be so much simpler. VM-ware is looking really good at this point.
Im disappointed in MS right now. -
Cannot Login to Read Only Domain Controller
One of my Read Only Domain Controller Servers shut down unexpectedly due to a power outage and now I cannot login to it anymore. When the server powered on again, it came up with an error regarding on of the hard drives failing (RAID1)
I get a message Access is Denied when I try to login with one of my domain admin accounts. As it is a RODC, there are no local accounts for me to use. The RODC is running on Windows Server 2008 R2. The server is also running as a DHCP/Print/File server for
the office so these are not working as well.
I checked my PDC and it is coming up with the following error in the event viewer
Log Name: System
Source: Security-Kerberos
Event ID: 4
Level: Error
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rodc01$. The target name used was domain/rodc01.domain.local. This indicates that the target server failed to decrypt
the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account
used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the
server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain.local) is different from the client domain (domain.local), check if there are identically named server accounts in these
two domains, or use the fully-qualified name to identify the server.
I have tried to reset the computer password with netdom but I get the following error
netdom resetpwd /server:rodc01 /userd:administrator /passwordd:*
The machine account password for the local machine could not be reset.
Logon Failure: The target account name is incorrect.
The command failed to complete successfully.
If I try to reset the password using the IP address instead, I get the following error
netdom resetpwd /server:192.168.10.1 /userd:administrator /passwordd:*
The machine account password for the local machine could not be reset.
Access is denied.
The command failed to complete successfully.
I checked my AD and DNS and the rodc object is present
If I run repadmin /replsum on the PDC I get the message for the faulty RODC server
Experienced the following operational errors trying to retrieve replication information:
8341 – rodc01.domain.local
Any advice is appreciated
ThanksLogon to the server in Directory Services Restore Mode (DSRM) using the password you supplied during DCPROMO and verify that the Active Directory database isn't corrupted on the RODC - You will most likely see indications on this in the Directory
Services log.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog -
Scenario
Windows 7 users log on to workstations at a site. Domain Controller is up and does the domain authentication for those users across the WAN. Users are then accessing a local(same building) Shared directory on a Windows 2008r2 server, in order to open, modify,
save new files, etc.
Then, the site loses access to the Domain Controller due to a WAN outage.
Question
Will those users that have already logged onto their Windows 7 workstations continue to have access to the shared resources on the local Windows 2008r2 server with their cached credentials(assuming they don't logoff or restart their machines)?? This has
been the case in the past, but wondering if anything has changed with Windows 2008??
ThanksHi,
The duration that you can access the server depends on when the server requires re-authentication.
In Windows implementation, SMB session expiration is enforced based upon the client’s support of dynamic re-authentication capability [MS-SMB].
If the client enables the CAP_DYNAMIC_REAUTH capability bit, the server will enforce session expiration. If a client does not set CAP_DYNAMIC_REAUTH, the Windows server does not return STATUS_NETWORK_SESSION_EXPIRED.
The SMB dynamic re-authentication feature was introduced in Windows XP. From there, Windows-based clients set the CAP_DYNAMIC_REAUTH capability bit to indicate to the server that the client supports re-authentication when the Kerberos service ticket for
the session expires.
Windows servers do check CAP_DYNAMIC_REAUTH:
If clientCapabilities sets CAP_DYNAMIC_REAUTH, the server will set Server. Session.AuthenticationExpirationTime to the expiry time returned by AcceptSecuirtyContext.
If clientCapabilities does not set CAP_DYNAMIC_REAUTH, the server will not set Server. Session.AuthenticationExpirationTime, basically a CAP_DYNAMIC_REAUTH capability bit not set by the client means the session will not expire on the server side.
To configure Maximum lifetime for service ticket, you can use grouppolicy. The default value of
Maximum lifetime for service ticket
in Default Domain Policy is 600 minutes.
Note:This setting is applied to DC, not clients.
For detailed information, please view the link below
CIFS and SMB Timeouts in Windows
http://blogs.msdn.com/b/openspecification/archive/2013/03/19/cifs-and-smb-timeouts-in-windows.aspx
Maximum lifetime for service ticket
http://technet.microsoft.com/en-us/library/jj852188.aspx
Hope this helps.
Steven Lee
TechNet Community Support -
I am working on determining if I can have a separate administrator group handle patching and performing maintenance on four servers that are DCs of their own AD domain, but restrict these administrators from the ability to see the active directory user
accounts in that AD domain?Hello,
Since you are talking about domain controllers I have to say there are no Power Users group in them. Actually the local user management will be disabled as soon as you promote a server to a domain controller. The only option which is left here is to grant
Administrators handle the job. In case of RODC you can go through what Albert suggested.
However since domain controllers are sensitive and plays a key role in your environment I strongly recommend not to allow non administrators to perform maintanance or other related tasks (At least for domain controllers).
Another option you have left for your patch management is to use a member server like WSUS to automatically install updates on your DCs.
Regards.
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers? -
DFS Replication failed to contact Domain Controller.....
I have seen this error since the inception of this stand alone AD PDC instance of Windows server 2012 R2 Essentials. I understand that Essentials does not support other Domain Controllers ; Member servers ; or trust between Domains of any kind. I also
understand that DSF Replication is a service that replicates files between other servers and other domain servers that Essentials dose not want to talk to.
So my question is why am I seeing this DFSR error 1202 in my event log, if Essentials does not support communication to other servers and domain servers? Maybe a better question is why does Essentials even try to implement this
service? Do I even need to try to resolve this issue or should I just disable it and move on?
Contents of Error:
Log Name: DFS Replication
Source: DFSR
Date: 2/6/2014 1:57:57 PM
Event ID: 1202
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Hxxx2.xxxxxxxxxxxxx.local
Description:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused
by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="DFSR" />
<EventID Qualifiers="49152">1202</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-02-06T19:57:57.000000000Z" />
<EventRecordID>194</EventRecordID>
<Channel>DFS Replication</Channel>
<Computer>Hxxx2.Hxxxxxxxxxxxxx.local</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>60</Data>
<Data>160</Data>
<Data>One or more arguments are not correct.</Data>
</EventData>
</Event>Hi,
Did you mean that you did not configure a DFS server in the new DC but you get the DFSR error 1202 in your event log? Then the issue is not related to the existing SBS domain.
Please try to turn off the Windows Firewall to check if it causes the issue. You could also refer to the articles below to troubleshoot the issue:
Newly Promoted Win2K8 DC is not advertising as Domain Controller.
http://blogs.technet.com/b/niraj_kumar/archive/2009/04/23/newly-promoted-win2k8-dc-is-not-advertising-as-domain-controller.aspx
Restrictions for Unauthenticated RPC Clients: The group policy that punches your domain in the face
https://blogs.technet.com/b/askds/archive/2011/04/08/restrictions-for-unauthenticated-rpc-clients-the-group-policy-that-punches-your-domain-in-the-face.aspx
Regards,
Mandy
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
DFSR failed to contact domain controller
Im having an odd problem with DFSR group we created to replicate web content between two of our web servers.
In event viewer we have this event 1202 for DFSR.
"The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can
be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)"
In the DFSR logs I see this.
20140303 12:18:27.874 1404 CFAD 8300 Config::AdConfig::GetLocalComputerNameWithDns Computer's fully-qualified DNS name: DFSRSERVER.domain.tld
20140303 12:18:27.920 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
20140303 12:18:27.936 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
20140303 12:18:28.467 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
20140303 12:18:28.467 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
20140303 12:18:28.514 1404 SCFS 150 [WARN] ServiceConfig::DsPollIsDue Failed to enable lightweight polling. Error:
+ [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
20140303 12:18:28.514 1404 CREG 1419 Config::RegReader::IsSysVolCommitFlagSet key: System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Demoting SysVols valueName:'SysVol Information is Committed' result:0
20140303 12:18:28.514 1404 W2CH 266 ConfigurationHelper::PollAdConfigNow Trying to connect to AD
20140303 12:18:28.514 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
20140303 12:18:28.514 1404 EVNT 1194 EventLog::Report Logging eventId:1202 parameterCount:4
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter1:
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter2:60
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter3:160
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter4:One or more arguments are not correct.
20140303 12:18:28.530 1404 W2CH 318 [ERROR] ConfigurationHelper::PollAdConfigNow (Ignored) Failed to connect to AD. Error:
+ [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
When I run "dfsrdiag pollad":
[ERROR] PollDsNow method executed unsuccessfully. ReturnValue: 12 (0xc)
[ERROR] Failed to execute PollAD command Err: -2147217407 (0x80041001)
However I can run "dfsrdiag dumpadcfg" and it outputs everything fine.
We don't have any other problems with AD. It seems like this started after we installed KB2467173 & KB2538242. We are going to uninstall those and see if it works.I can successfully run "dfsrdiag.exe dumpadcfg" and it outputs the entire config. Why does "dfsrdiag pollad" fail then if the config can be read.
Why did it work before I rebooted the server? In both cases it broke after rebooting.
PS C:\Windows\system32> dfsrdiag dumpadcfg
LDAP Bind : mydc.domain.tld
SitesDn : cn=sites,cn=configuration,dc=domain,dc=tld
ServicesDn : cn=services,cn=configuration,dc=domain,dc=tld
SystemDn : cn=system,dc=domain,dc=tld
DefaultNcDn : dc=domain,dc=tld
ComputersDn : cn=computers,dc=domain,dc=tld
DomainCtlDn : ou=domain controllers,dc=domain,dc=tld
SchemaDn : CN=Schema,CN=Configuration,dc=domain,dc=tld
COMPUTER: web1
DN : cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 152E849C-4D7B-4AE8-B034-83747DBC1E89
DNS : web1.domain.tld
Server Ref : (null)
USN Changed : 10862129
When Created : Friday, January 31, 2014 8:41:06 PM
When Changed : Tuesday, March 4, 2014 2:54:36 PM
LOCAL SETTINGS: DFSR-LOCALSETTINGS
DN : cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 3FD696E7-6598-4CDB-B2AB-98F148C0D2F7
Version : 1.0.0.0
USN Changed : 10932017
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:15:25 PM
SUBSCRIBER: FF88A312-A0EB-44CC-A614-7A3D06DCC0AB
DN : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 1119B663-F02A-4F1F-A904-23A87CFC93C3
Member Ref : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
USN Changed : 10931931
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
SUBSCRIPTION: 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
DN : cn=6783dde1-c795-4e8b-b07d-4ea8d7d0317f,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 3737B1F2-7E38-47E2-90E7-E57D82B145F1
ContentSetGuid: 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
Root Path : c:\inetpub\internetsites
Root Size : 10240 (MB)
Staging Path : c:\inetpub\internetsites\dfsrprivate\staging
Staging Size : 4096 (MB)
Conflict Path : c:\inetpub\internetsites\dfsrprivate\conflictanddeleted
Conflict Size : 4096 (MB)
USN Changed : 10931919
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
SUBSCRIPTION: F2F1F3A2-B36F-4170-B371-8E8043DF73F4
DN : cn=f2f1f3a2-b36f-4170-b371-8e8043df73f4,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 57E7F8D7-1121-4334-BC81-74226ADF8969
ContentSetGuid: F2F1F3A2-B36F-4170-B371-8E8043DF73F4
Root Path : c:\internet_data
Root Size : 10240 (MB)
Staging Path : c:\internet_data\dfsrprivate\staging
Staging Size : 4096 (MB)
Conflict Path : c:\internet_data\dfsrprivate\conflictanddeleted
Conflict Size : 4096 (MB)
USN Changed : 10931921
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
SUBSCRIPTION: D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
DN : cn=d0438b52-b706-4e40-b4c3-fe7a1aca5fcf,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : F8217091-F71A-4D4A-A676-097583171A63
ContentSetGuid: D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
Root Path : c:\php\phpsites
Root Size : 10240 (MB)
Staging Path : c:\php\phpsites\dfsrprivate\staging
Staging Size : 4096 (MB)
Conflict Path : c:\php\phpsites\dfsrprivate\conflictanddeleted
Conflict Size : 4096 (MB)
USN Changed : 10931923
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
GLOBAL SETTINGS: DFSR-GLOBALSETTINGS
DN : cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 2E98CE5E-5CC7-4322-B5EA-2B6B340C689F
USN Changed : 12525
When Created : Saturday, October 22, 2011 1:56:38 AM
When Changed : Saturday, October 22, 2011 1:56:38 AM
REPLICATION GROUP: WEB CONTENT
DN : cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 9C94A417-6F6C-4F6C-BBFA-B8F52854C4DF
Type : 0 (UNKNOWN REPLICATION GROUP TYPE)
Options : 0x1 [Local Time Schedule]
USN Changed : 10931906
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CONTENT: CONTENT
DN : cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 6714C533-E631-4E71-930D-E4934FB7BD7E
USN Changed : 10931908
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CONTENT SET: INTERNET_DATA
DN : cn=internet_data,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : F2F1F3A2-B36F-4170-B371-8E8043DF73F4
File Filter : ~*, *.bak, *.tmp
Compression Excl : (null)
Dir Filter : (null)
USN Changed : 10931916
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CONTENT SET: INTERNETSITES
DN : cn=internetsites,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
File Filter : ~*, *.bak, *.tmp
Compression Excl : (null)
Dir Filter : (null)
USN Changed : 10931915
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CONTENT SET: PHPSITES
DN : cn=phpsites,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
File Filter : ~*, *.bak, *.tmp
Compression Excl : (null)
Dir Filter : (null)
USN Changed : 10931917
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
TOPOLOGY: TOPOLOGY
DN : cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 16053002-7B99-4DA7-BFE5-2A6418040640
USN Changed : 10931907
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
MEMBER: FF88A312-A0EB-44CC-A614-7A3D06DCC0AB
DN : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 75A99277-C401-409F-A32D-6D8EE18E5D0C
Server Ref : (null)
Computer Ref : cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
Keywords : (null)
Computer DNS : web1.domain.tld
USN Changed : 10931933
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CXTION: 9ECE3EB7-FE97-4A1B-8DE3-47A77B2C625B
DN : cn=9ece3eb7-fe97-4a1b-8de3-47a77b2c625b,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 1D26B348-3875-4BD1-9473-E72506AFA222
Inbound : true
Partner DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
Enabled : TRUE
Options : 0x1 [Local Time Schedule]
USN Changed : 10931924
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CXTION: 2BFA8BE2-0444-4AAF-8293-A5486CF8D7A3
DN : cn=2bfa8be2-0444-4aaf-8293-a5486cf8d7a3,cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : A7203451-D95F-44D5-AC04-13056DCE5A89
Inbound : false
Partner DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
Enabled : TRUE
Options : 0x1 [Local Time Schedule]
USN Changed : 10931925
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
MEMBER: 46F913DB-8509-4581-A66D-D37E4EA3EF29
DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 1BA26D07-45F5-44A0-8450-9274AFD99B1C
Server Ref : (null)
Computer Ref : cn=fccu01web,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
Keywords : (null)
Computer DNS : fccu01web.domain.tld
USN Changed : 10931927
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
Operation Succeeded -
The processing of Group Policy failed because of lack of network connectivity to a domain controller
We are setting up a new AD environment with one AD/DC running DNS services, and a secondary DNS server configured with secondary zone. The problem is that none of the machines in the the domain are getting GPO.
When I run a gpupdate /force from a machine, I get the following output:
"Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were enc
ountered:
The processing of Group Policy failed because of lack of network connectivity to
a domain controller. This may be a transient condition. A success message would
be generated once the machine gets connected to the domain controller and Group
Policy has succesfully processed. If you do not see a success message for sever
al hours, then contact your administrator.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results."
While the system event log outputs the following:
"The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy
has succesfully processed. If you do not see a success message for several hours, then contact your administrator."
All the machines that were joined to the domain are able to resolve in forward and reverse lookups, ping the DC and ping each other so I dont understand how the error can be resolved.
Here are few things I have tried:
1. I came across this KB which checked ok for me: http://support.microsoft.com/kb/241515
2. Made a copy of the default GPO, applied to a OU with one machine, and made sure to remove any GPO links from above
3. Enabled the following two local Group policies on a test member:
GP slow link detection
Startup policy processing wait time
4. Modified firewall to allow everything on both member and DC
5. Verified DSN logs, SRV records, access to sysvol ( added authenticated users to sysvol)
I have yet to figure out the reason for this issue. Has anyone seen anything like this before?1. I checked the NIC, it only has one IP. and I followed your article. I set the primary DNS to its own IP and the secondary DNS to the loopback ip
2. This is a new DC and DNS server. I dont have old records yet. I also check the DNS event logs. No errors
3. I made sure the member server is pointing only to the only DC/DNS server
4. Here is the output from the dcdiag.... everything passed except, the Netlogons part. I'm not sure what means or how to fix it yet:
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this
computer
"* from network" right.
[hostname] An net use or LsaPolicy operation failed with error
1, Incorrect function..
......................... hostname failed test NetLogons
Complete output:
> hostname
Server: hostname.domain.local
Address: X.X.X.95
> ^C
C:\Windows\system32>
C:\Windows\system32>nslookup
> set type=all
>
>
>
> _ldap._tcp.dc._msdcs.domainname
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = hostname.domain.local
hostname.domain.local internet address = X.X.X.95
> ^C
C:\Windows\system32>cd ..
C:\Windows>cd SYSVOL
C:\Windows\SYSVOL>cd sysvol
C:\Windows\SYSVOL\sysvol>dir
Volume in drive C has no label.
Volume Serial Number is F624-CDB2
Directory of C:\Windows\SYSVOL\sysvol
10/29/2014 08:25 PM <DIR> .
10/29/2014 08:25 PM <DIR> ..
10/29/2014 08:25 PM <JUNCTION> domain.local [C:\Windows\SYSVOL\domain]
0 File(s) 0 bytes
3 Dir(s) 63,971,037,184 bytes free
C:\Windows\SYSVOL\sysvol>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = hostname
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\hostname
Starting test: Connectivity
......................... hostname passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\hostname
Starting test: Advertising
......................... hostname passed test Advertising
Starting test: FrsEvent
......................... hostname passed test FrsEvent
Starting test: DFSREvent
......................... hostname passed test DFSREvent
Starting test: SysVolCheck
......................... hostname passed test SysVolCheck
Starting test: KccEvent
......................... hostname passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... hostname passed test
KnowsOfRoleHolders
Starting test: MachineAccount
......................... hostname passed test MachineAccount
Starting test: NCSecDesc
......................... hostname passed test NCSecDesc
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this
computer
"* from network" right.
[hostname] An net use or LsaPolicy operation failed with error
1, Incorrect function..
......................... hostname failed test NetLogons
Starting test: ObjectsReplicated
......................... hostname passed test
ObjectsReplicated
Starting test: Replications
......................... hostname passed test Replications
Starting test: RidManager
......................... hostname passed test RidManager
Starting test: Services
......................... hostname passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/04/2015 18:23:06
Event String:
Name resolution for the name ctldl.windowsupdate.com timed out after
none of the configured DNS servers responded.
......................... hostname passed test SystemLog
Starting test: VerifyReferences
......................... hostname passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : emcdsm
Starting test: CheckSDRefDom
......................... emcdsm passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... emcdsm passed test CrossRefValidation
Running enterprise tests on : domain.local
Starting test: LocatorCheck
......................... domain.local passed test LocatorCheck
Starting test: Intersite
......................... domain.local passed test Intersite
C:\Windows\SYSVOL\sysvol> -
Domain controller 2008 Server with SP2
Here is a real issue which i cannot track down what is causing it.
It appears that in windows 2008 Server running DHCP, DNS and AD i am getting some weird errors on the clients.
The client machines are all Windows 7 Professional x64.
The Issue is that the Domain controller seems to disappear as the logon server from the client after a few days. On some it indicates that there was no logon server available, but still logs in.. Which should be impossible since i have group policy configured
to block the ability of logon without a logon server.
The issue with this, is that over time, the desktops seem to go rogue, they no longer populate the information as to password expiration, and at times don't allow the clients to access the network shares.
The security log, shows hit and miss as to if it sees them log into the domain.
the weird issue is that if you log out, switch user, and change the users password, then log back into the desktop with domain\username and a new password the issue goes away for about 10 days.. then re-appears and causes all sorts of fun issues on the domain.
I took another step and decided that i would give a shot to building a clone test network, using a cloned image of the Domain controller, and it doesn't seem to happen on that side..The test network just has less PC's but they are all the same hardware..
Here is what i have troubleshot so far:
DNS looks fine.. no errors or issues..
DHCP looks fine, no duplicates etc..
AD has all the information correctly, and the security log looks fine, most of the time..
Windows updates are all up to date
All desktops have logon scripts, but i have removed the cached data from the management console (Cred manager)
Modified Group policy and forced it across the network.. Can see the GPResult from the clients and they have the updated settings, but the clients don't seem to care..
Group policy is set to wait till network comes up and require a domain controller to log into the client desktop.. This sometimes works, sometimes does not, it was done to see if the problem was happening on other machines, there are about 15 total out of
47 currently having the issue.
All the desktops are fresh installs, not ghosted images, not clones, or something you would need to sysprep.
Thoughts?
RobHello,
please post an unedited ipconfig /all from the DC/DNS servers and a client with the problems.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
Domain Controller cannot access \\domain\netlogon causing Auth issues
Hi everyone, I have been spent all day trying to figure out what is going on here, I have a Domain controller (only DC in the environment) that is acting funny
I first noticed when I was attempting to RDP into a server in my domain I was getting "access denied" (but I could log in as a local admin). So when I looked at the Domain Controller, I ran a DCDiag DNS test and got some an AUTH error, but am not
able to figure out how to fix this.
Another thing I notice is when I am signed into the domain Controller (GP2010-a), I cannot browse to
\\contoso.com\netlogon or any similar share.
Here is the kicker, other servers on this domain, server3, server4, server5 etc... THEY CAN access
\\contoso.com\netlogon It is ONLY the Domain controller and Server2 that CANNOT access this share. The other servers also allow me to RDP into them fine, it is only 1 server that is affected by this strange behavior.
I have checked for no IP conflicts and as far as I can tell all the DNS records are correct.
Regarding the DYNAMIC ip warning, we have a reservation that assigns the IP
thanks for any input here as i'm really stuck,
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = GP2010-A
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\GP2010-A
Starting test: Connectivity
......................... GP2010-A passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\GP2010-A
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... GP2010-A passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : contoso
Running enterprise tests on : contoso.com
Starting test: DNS
Test results for domain controllers:
DC: GP2010-A.contoso.com
Domain: contoso.com
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
TEST: Basic (Basc)
Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
(can be a misconfiguration)
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235
DNS server: 2001:500:2::c (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c
DNS server: 2001:500:2d::d (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
DNS server: 2001:500:2f::f (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
DNS server: 2001:500:3::42 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42
DNS server: 2001:500:84::b (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b
DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
DNS server: 2001:7fd::1 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
DNS server: 2001:7fe::53 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
DNS server: 2001:dc3::35 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: contoso.com
GP2010-A FAIL WARN PASS PASS PASS PASS n/a
......................... contoso.com failed test DNSHi,
TEST: Basic (Basc)
Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
(can be a misconfiguration)
Do you have any NIC conifgured to get dynamic IP on your DC which is having issue? If yes, please disable that NIC. Also, please provide me the result of the below
1) On your DC which is having issue, run "ipconfig /all"
2) Repadmin /showrepl
Thanks,
Umesh.S.K
Thanks, there is only 1 nic card. It is getting a dhcp address because this is an AZURE Hyper-v machine and I have set an IP reservation for it. I have no way to hardcode the IP because it gets shut off/on all the time
C:\Users\Administrator>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\GP2010-A
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 007c755c-f56c-4e51-a211-fd4431f63927
DSA invocationID: 007c755c-f56c-4e51-a211-fd4431f63927 -
Best pracices for setting up Domain controller for our remote European offices
Hi,,
We have about 17 remote site across Europe (HQ in UK), I want to start revoking the offices local DC's and host them in a couple of Cloud servers in Germany with local NAS boxes for file storage. I will have MPLS network between the offices to the Cloud
DC.
Now what would be the best practices and tips for this situation in respect to the DC's. How can I prioritize the remote offices to use the Cloud DC/DNS and not our DC at our HQ in the UK. Would it be better to have a sub-domain created (europe.company.co.uk)
for the other offices.
Any suggestions on this setup for the DCHiya,
on the conceptual level. The reason for having local DC's, is that if the local sites internet line is offline, people are still able to authenticate and access local resources. From that point of view, you might as well just run with your HQ DC's only. Note:
the cloud does offer availability on their services, that might not be matched by your HQ in terms of double internet lines.
That said.
The DNS server of the clients as well as the sites & services of Active Directory. Your clients will use the nearest domain controller available from sites and services information.
Managing Intersite Replication
http://technet.microsoft.com/en-us/library/cc794799%28v=ws.10%29.aspx
Maybe you are looking for
-
Is there a way to create a PRIVATE folder for some of my audiobooks?
Hello, This might sound cheesy, but I would like to keep some of the audiobooks in my iTunes private and I'm wondering if there's a way of doing it? For example, can I create a second Audiobooks folder and keep there? Is there a way to make that fold
-
How to upgrade OS 10.3.9 to OS 10.4
Hi, I have an eMac G4 with 1.25 GHz and 1 RAM running operating system 10.3.9 but want to upgrade to 10.4. and was wondering how to do such an upgrade. Anyone know of a step by step on this? Also, I have an IMac with 10.4.11. Can I use this one disk
-
How to implemet rulesets withn our overwring custom rules
Hi GRC Experts, Recently we have done upgrade from 4.6C to ECC 6 and upgraded the VIRSA component from VIRSA 400_46C to VIRSA 400_700. Before upgrade we have done some custom changes in the rule set. But after upgrade, we need to get the additional r
-
Touch 1st gen and 2nd gen headphone jack question
Alright so my headphone jack crapped the bed and i was looking into just buying the jack and repairing it myself. Now when i look on the internet for a headphone jack, the only things i see sold are 2nd gen hp-jacks. now would this work in my first g
-
Hello, although I'm sure this topic has already popped up in this forum, I was still unable to find a satisfactory answer nor was I able to hear from Adobe regarding this- I do have to convert SWFs or FLAs to FLVs; is there a way to do so? I find it