Domain Controllers not replicating

Similar Messages

• Error in Installing Netweaver--domain controllers are not supported

  When i make the pre-requisite check for installing Netweawer 2004s
  I am getting the follwoing error
  <b>installation to domain controllers are not supported</b>
  Pls help me how to resolve this
  Thanks in Advance

  hi balaji,
                FYI,
                       You cannot create local users and groups on the host that is used as domain controller. Therefore, we do not support running an SAP instance (including the database instance) on the host where the DNS service is installed.
  so try to log with a user, who has administrator rights. and check whtr all the services are up & running. then try to re-install.
  for more on this refer the installation manual.
  hope this will help you.
  with regards,
  Rajesh.
  <i> plz, award with suitable points </i>

• Installations on domain controllers are not supported

  Hi All, While checking prerequisites of operating system users and groups, following error message are getting. "installations on domain controllers are not supported". Please help. Thanks, Sam

  Hi Sam,
  I assume as a technical limiation from SAP. which I suppose being as a local user or even as a local group cannot be done or created on Domain controller..
  "You cannot create local users and groups on the host that is used as domain controller. Therefore, we do not support running an SAP instance (including the database instance) on the host where the domain controller is installed.
  I hope it helps.
  Regards,
  Deepanshu Sharma    

• Windows 2008 (Not R2) Domain controllers Kerberos Errors

  We know the replication of the AD structure is working using repadmin /showREPL *
  Which I ran again this morning and all is fine.
  All 3 Domain Controllers are having Kerberos errors ?
  I tried to reset the Kerberos key but the problem still persists.
  This is exactly what I tried yesterday is there something I'm doing wrong ?
  We have 3 Domain controllers
  ch-dc1-2k8    (PDC)
  ch-dc2-2k8
  na-dc1-2k8
  1) I stopped the Kerberos Key Distribution Center service on all 3 servers and set them to manual
  2) I restarted ch-dc2-2k8 and na-dc1-2k8
  3) Then I did the KLIST PURGEon
  ch-dc2-2k8 and na-dc1-2k8
  4) Then on ch-dc1-2k8 (PDC) I did the
  netdom resetpwd /s:ch-dc1-2k8 /ud:companyname\administrator /pd:*
  5) Set Kerberos Key Distribution Center service to Automatic on ch-dc1-2k8 (PDC)
  6) Restarted ch-dc1-2k8 (PDC)
  7) After it restarted I logged in and let it settle for 5 Minutes
  8) Then I started the kerberos service on ch-dc2-2k8 and na-dc1-2k8
  Am I missing something ?

  Hi,
  I think I have already answer this in separate case you have raised in forum.

• Update Deployments not showing up on Read-Only domain controllers

  At several of my remote sites, I have a server08 machine functioning as a read-only domain controller and a server share dist point. We're using a software update point to deploy microsoft patches and it's been working fine with the exception of the read-only domain controllers. When I run the complaince report, they correctly show that they need updates but the icon never appears. Clients at their sites are receving updates.
  Anybody have any ideas?
  thanks!

  Yes, I know this is an old post, I’m trying to clean them up. Did you figure this out, if so how?
  http://www.enhansoft.com/

• AD Replication issues, SYSVOL / NETLOGON not replicating

  Hello Experts!
  We have a client that recently called us for some assistance. The IT department had a new virtual environment stood up. They Created 3 new VMs and promoted them all to domain controllers. The current domain and forest functional levels are (and were) Server
  2003. There were two existing domain controllers, both Server 2003. The new domain controllers are Server 2012 R2. After promoting the 3 new servers to DC’s, they demoted one of the old DC’s. Then they transferred FSMO roles to a new 2012 R2 DC. When they
  went to demote the last server 2003 DC, it was giving them the error that it is the last DC in the domain. That’s when we were called to assist. I have since demoted 2 of the 3 new 2012 R2 DCs and transferred all FSMO roles back to the Server 2003 DC.
  I have been running some tools to try and gather data. Here is the DCDIAG from the last Server 2003 DC:
  C:\Documents and Settings\user>dcdiag /fix
  Domain Controller Diagnosis
  Performing initial setup:
     Done gathering initial info.
  Doing initial required tests
     Testing server: domainname\server2003server
        Starting test: Connectivity
           ......................... server2003server passed test Connectivity
  Doing primary tests
     Testing server: domainname\server2003server
        Starting test: Replications
           ......................... server2003server passed test Replications
        Starting test: NCSecDesc
           ......................... server2003server passed test NCSecDesc
        Starting test: NetLogons
           ......................... server2003server passed test NetLogons
        Starting test: Advertising
           ......................... server2003server passed test Advertising
        Starting test: KnowsOfRoleHolders
           ......................... server2003server passed test KnowsOfRoleHolders
        Starting test: RidManager
           ......................... server2003server passed test RidManager
        Starting test: MachineAccount
           ......................... server2003server passed test MachineAccount
        Starting test: Services
           ......................... server2003server passed test Services
        Starting test: ObjectsReplicated
           ......................... server2003server passed test ObjectsReplicated
        Starting test: frssysvol
           ......................... server2003server passed test frssysvol
        Starting test: frsevent
           There are warning or error events within the last 24 hours after the
           SYSVOL has been shared.  Failing SYSVOL replication problems may cause
           Group Policy problems.
           ......................... server2003server failed test frsevent
        Starting test: kccevent
           ......................... server2003server passed test kccevent
        Starting test: systemlog
           An Error Event occured.  EventID: 0x0000410B
              Time Generated: 02/18/2015   19:27:04
              Event String: The request for a new account-identifier pool
           An Error Event occured.  EventID: 0xC4350607
              Time Generated: 02/18/2015   19:28:22
              Event String: Component: System Information Agent
           An Error Event occured.  EventID: 0xC00110CD
              Time Generated: 02/18/2015   19:28:22
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00072787
              Time Generated: 02/18/2015   19:28:22
              Event String: The WinRM service is unable to start because of a
           An Error Event occured.  EventID: 0xC0060024
              Time Generated: 02/18/2015   19:28:34
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0xC0002720
              Time Generated: 02/18/2015   19:32:26
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0xC25A001D
              Time Generated: 02/18/2015   14:33:27
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x825A0011
              Time Generated: 02/18/2015   14:33:28
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x825A0011
              Time Generated: 02/18/2015   14:33:31
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x0000410B
              Time Generated: 02/18/2015   14:36:18
              Event String: The request for a new account-identifier pool
           An Error Event occured.  EventID: 0xC4350607
              Time Generated: 02/18/2015   14:38:48
              Event String: Component: System Information Agent
           An Error Event occured.  EventID: 0x00072787
              Time Generated: 02/18/2015   14:38:48
              Event String: The WinRM service is unable to start because of a
           An Error Event occured.  EventID: 0xC4350505
              Time Generated: 02/18/2015   14:38:54
              Event String: NIC Agent: Connectivity has been lost for the NIC
           An Error Event occured.  EventID: 0x825A0011
              Time Generated: 02/18/2015   14:39:00
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x825A0011
              Time Generated: 02/18/2015   14:39:14
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168E
              Time Generated: 02/18/2015   14:39:54
              Event String: The dynamic registration of the DNS record
           An Error Event occured.  EventID: 0x0000168F
              Time Generated: 02/18/2015   14:42:09
              Event String: The dynamic deletion of the DNS record
           An Error Event occured.  EventID: 0x0000168F
              Time Generated: 02/18/2015   14:42:09
              Event String: The dynamic deletion of the DNS record
           An Error Event occured.  EventID: 0x0000168F
              Time Generated: 02/18/2015   14:42:09
              Event String: The dynamic deletion of the DNS record
           An Error Event occured.  EventID: 0x0000168F
              Time Generated: 02/18/2015   14:42:09
              Event String: The dynamic deletion of the DNS record
           An Error Event occured.  EventID: 0xC25A001D
              Time Generated: 02/18/2015   14:42:10
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x825A0011
              Time Generated: 02/18/2015   14:42:22
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x825A0011
              Time Generated: 02/18/2015   14:42:37
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0xC4350607
              Time Generated: 02/18/2015   14:48:03
              Event String: Component: System Information Agent
           An Error Event occured.  EventID: 0x00072787
              Time Generated: 02/18/2015   14:48:03
              Event String: The WinRM service is unable to start because of a
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:06
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:06
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:06
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:07
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:07
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:07
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:07
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:07
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:07
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   14:50:07
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x40000004
              Time Generated: 02/18/2015   14:55:30
              Event String: The kerberos client received a
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:36
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:37
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:37
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:38
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:38
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:38
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:38
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:38
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:38
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:11:39
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:07
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:08
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:08
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:09
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:09
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:09
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:10
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:10
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:10
              (Event String could not be retrieved)
           An Error Event occured.  EventID: 0x00000457
              Time Generated: 02/18/2015   15:16:10
              (Event String could not be retrieved)
           ......................... server2003server failed test systemlog
        Starting test: VerifyReferences
           Some objects relating to the DC server2003server have problems:
              [1] Problem: Missing Expected Value
               Base Object:
              CN= server2003server,OU=Domain Controllers,DC=domainname,DC=com
               Base Object Description: "DC Account Object"
               Value Object Attribute Name: frsComputerReferenceBL
               Value Object Description: "SYSVOL FRS Member Object"
               Recommended Action: See Knowledge Base Article: Q312862
              [1] Problem: Missing Expected Value
               Base Object:
              CN=NTDS Settings,CN= server2003server,CN=Servers,CN=domainname,CN=Sites,CN=C
  onfiguration,DC=domainname,DC=com
               Base Object Description: "DSA Object"
               Value Object Attribute Name: serverReferenceBL
               Value Object Description: "SYSVOL FRS Member Object"
               Recommended Action: See Knowledge Base Article: Q312862
           ......................... server2003server failed test VerifyReferences
     Running partition tests on : ForestDnsZones
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test CrossRefValidation
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
     Running partition tests on : DomainDnsZones
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test CrossRefValidation
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
     Running partition tests on : Schema
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
     Running partition tests on : Configuration
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
     Running partition tests on : domainname
        Starting test: CrossRefValidation
           ......................... domainname passed test CrossRefValidation
        Starting test: CheckSDRefDom
           ......................... domainname passed test CheckSDRefDom
     Running enterprise tests on : domainname.com
        Starting test: Intersite
           ......................... domainname.com passed test Intersite
        Starting test: FsmoCheck
           ......................... domainname.com passed test FsmoCheck
  C:\Documents and Settings\user>
  Now the DCDIAG for the Server 2012 R2 DC.
  2012R2DC
  PS C:\Users\user > dcdiag /fix
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     Home Server = 2012R2DC
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
     Testing server: domainname\2012R2DC
        Starting test: Connectivity
           ......................... 2012R2DC
  passed test Connectivity
  Doing primary tests
     Testing server: domainname\2012R2DC
        Starting test: Advertising
           Warning: DsGetDcName returned information for \\server2003server.domainname.com, when we were trying to reach 2012R2DC.
           SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
           ......................... 2012R2DC
  failed test Advertising
        Starting test: FrsEvent
           There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
           replication problems may cause Group Policy problems.
           ......................... 2012R2DC
  passed test FrsEvent
        Starting test: DFSREvent
           ......................... 2012R2DC passed test DFSREvent
        Starting test: SysVolCheck
           ......................... 2012R2DC passed test SysVolCheck
        Starting test: KccEvent
           ......................... 2012R2DC passed test KccEvent
        Starting test: KnowsOfRoleHolders
           ......................... 2012R2DC passed test KnowsOfRoleHolders
        Starting test: MachineAccount
           ......................... 2012R2DC passed test MachineAccount
        Starting test: NCSecDesc
           ......................... 2012R2DC passed test NCSecDesc
        Starting test: NetLogons
           Unable to connect to the NETLOGON share! (\\2012R2DC \netlogon)
           [2012R2DC] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
           ......................... 2012R2DC failed test NetLogons
        Starting test: ObjectsReplicated
           ......................... 2012R2DC passed test ObjectsReplicated
        Starting test: Replications
           [Replications Check, 2012R2DC] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
           "Replication access was denied."
           ......................... 2012R2DC failed test Replications
        Starting test: RidManager
           ......................... 2012R2DC passed test RidManager
        Starting test: Services
              Could not open NTDS Service on 2012R2DC, error 0x5 "Access is denied."
           ......................... 2012R2DC failed test Services
        Starting test: SystemLog
           An error event occurred.  EventID: 0x0000041E
              Time Generated: 02/18/2015   14:39:32
              Event String:
              The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could
  be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
           An error event occurred.  EventID: 0x0000041E
              Time Generated: 02/18/2015   14:44:34
              Event String:
              The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could
  be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
           An error event occurred.  EventID: 0x40000004
              Time Generated: 02/18/2015   14:47:09
              Event String:
              The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cr-dc3$. The target name used was C
  RDC02$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when t
  he target server principal name (SPN) is registered on an account other than the account the target service is using. En
  sure that the target SPN is only registered on the account used by the server. This error can also happen if the target
  service account password is different than what is configured on the Kerberos Key Distribution Center for that target se
  rvice. Ensure that the service on the server and the KDC are both configured to use the same password. If the server nam
  e is not fully qualified, and the target domain (domainname.COM) is different from the client domain (domainname.COM),
   check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify
  the server.
           ......................... 2012R2DC failed test SystemLog
        Starting test: VerifyReferences
           ......................... 2012R2DC passed test VerifyReferences
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : domainname
        Starting test: CheckSDRefDom
           ......................... domainname passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... domainname passed test CrossRefValidation
     Running enterprise tests on : domainname.com
        Starting test: LocatorCheck
           ......................... domainname.com passed test LocatorCheck
        Starting test: Intersite
           ......................... domainname.com passed test Intersite
  PS C:\Users\user>
  From here I can see SYSVOL and NETLOGON are not replicating from server2003server. When I log on to server2003server and run ‘net share’ the SYSVOL and NETLOGON shares are shared. But, when I do the same on 2012R2DC there are no NETLOGON or SYSVOL shares.
  I see ntfrs issues. So I ran ntfrsutl ds on server2003server and the results are here:
  C:\Documents and Settings\user>ntfrsutl ds
  NTFRS CONFIGURATION IN THE DS
  SUBSTITUTE DCINFO FOR DC
     FRS  DomainControllerName: (null)
     Computer Name            : SERVER2003SERVER
     Computer DNS Name        : SERVER2003SERVER.domainname.com
  BINDING TO THE DS:
     ldap_connect     : SERVER2003SERVER.domainname.com
     DsBind     : SERVER2003SERVER.domainname.com
  NAMING CONTEXTS:
     SitesDn    : CN=Sites,cn=configuration,dc= domainname,dc=com
     ServicesDn : CN=Services,cn=configuration,dc= domainname,dc=com
     DefaultNcDn: DC= domainname,DC=com
     ComputersDn: CN=Computers,DC= domainname,DC=com
     DomainCtlDn: OU=Domain Controllers,DC= domainname,DC=com
     Fqdn       : CN= SERVER2003SERVER,OU=Domain Controllers,DC= domainname,DC=com
     Searching  : Fqdn
  COMPUTER: SERVER2003SERVER
     DN   : cn= SERVER2003SERVER,ou=domain controllers,dc= domainname,dc=com
     Guid : d3cfdf56-a013-40ab-a2e9ffc3d88896bd
     UAC  : 0x00082000
     Server BL : CN= SERVER2003SERVER,CN=Servers,CN=domainname,CN=Sites,CN=Configuration,D
  C= SERVER2003SERVER,DC=com
     Settings  : cn=ntds settings,cn= SERVER2003SERVER,cn=servers,cn= domainname,cn=sites,c
  n=configuration,dc= domainname,dc=com
     DNS Name  : SERVER2003SERVER. domainname.com
     WhenCreated  : 5/29/2007 10:36:30 Eastern Standard Time Eastern Daylight Time
   [300]
     WhenChanged  : 2/17/2015 11:21:58 Eastern Standard Time Eastern Daylight Time
   [300]
     SUBSCRIPTION: NTFRS SUBSCRIPTIONS
        DN   : cn=ntfrs subscriptions,cn= SERVER2003SERVER,ou=domain controllers,dc= domainname,dc=com
        Guid : 5d0ca299-209d-4814-ae6d7acd9209e10a
        Working       : c:\windows\ntfrs
        Actual Working: c:\windows\ntfrs
        WhenCreated  : 5/29/2007 10:50:26 Eastern Standard Time Eastern Daylight T
  ime [300]
        WhenChanged  : 5/29/2007 10:50:26 Eastern Standard Time Eastern Daylight T
  ime [300]
        SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
           DN   : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn
  = SERVER2003SERVER,ou=domain controllers,dc= domainname,dc=com
           Guid : fb56d707-3c40-429f-bd7c63d227b9fb5d
           Member Ref: (null)
           Root      : c:\windows\sysvol\domain
           Stage     : c:\windows\sysvol\staging\domain
           WhenCreated  : 5/29/2007 10:50:26 Eastern Standard Time Eastern Dayligh
  t Time [300]
           WhenChanged  : 5/29/2007 10:50:26 Eastern Standard Time Eastern Dayligh
  t Time [300]
     SERVER2003SERVER IS NOT A MEMBER OF ANY SET!
  C:\Documents and Settings\user>
  Also worth noting that when we power down SERVER2003SERVER no computer can contact a logon server. 
  The last line of this worries me as well. I am going to continue to work on this but I wanted to get these logs to some other eyes in case you have some ideas off the bat. Thanks in advance!

  I would first recommend to make sure that the new DCs are also global catalogs and to refer to IP setting recommendations I shared here: http://www.ahmedmalek.com/web/fr/home.asp
  It is possible to do a non-authoritative restore of SYSVOL to make it appear on the other DCs: https://support.microsoft.com/kb/290762?wa=wsignin1.0
  However, you would need to upgrade to DFSR.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Active Directory Not Replicating

  Hey Guys,
  I have a Windows 2012 server but it has a demo license, this is also my DC. I am trying to create another DC and let it replicate so I can license the new properly and stuff. I have the DNS of each server pointing to each other as the primary and themselves
  as the alternative. When I check my SYSVOL folder and go to domains, its empty, as I shutdown my original DC the other one the entries disappear and I get errors. When I go to the event log on my new DC I get errors with event IDs 1202 and 2213. Any assistance
  with this issue i'm having will be greatly appreciated, thanks!
  Regards,
  Jevon.

  Please follow this , it should help  expecially this section:
  For environments that have two domain controllers 
  Determine whether a dirty shutdown was detected (event ID 2213) on either domain controller. You may find the second domain controller
  is waiting to complete initialization of SYSVOL, This is because after promotion, it will have logged a 4614 event that indicates that DFS Replication is waiting to perform initial replication, and it will not have logged a 4604 event signaling that
  DFS Replication has initialized SYSVOL.
  If content freshness is enabled on both domain controllers
  If the second domain controller is waiting to perform initial synchronization (event 4614 logged without the 4604 anti-event), follow
  the section of article 2218556 to
  set the first domain controller as authoritative. You do not have to configure the second domain controller as nonauthoritative, because it is already waiting to perform initial synchronization.
  Or, if the second domain controller is healthy and SYSVOL is shared, perform the following steps:
  Back up all SYSVOL contents of the first domain controller.
  Evaluate if the second domain controller's SYSVOL data is up to date. If it is not, you may want to copy updated SYSVOL files to the second domain controller from the first domain controller. Otherwise, any existing data
  present on first domain controller not present on the second will go into the 'PreExisting' and 'Conflict and Deleted' folders.
  Set the first domain controller as nonauthoritative by disabling the membership per 2218556.
  Confirm that an event ID 4114 is logged to indicate the membership is disabled.
  Enable the first domain controller's membership, and wait for the 4614 and 4604 events that report completion of the initial synchronization. If it is necessary, restore any updated files from "PreExisting" to the
  original location.
  If content freshness is not enabled or triggered on both domain controllers
  If the first domain controller is in the event ID 2213 state and the second domain controller has never completed initialization
  after it was promoted and content freshness has not been triggered, perform the following steps:
  Run the ResumeReplication WMI method on the first domain controller as instructed in the 2213 event.
  After replication resumes, it will log an event ID 4602 that indicates that DFS Replication initialized the SYSVOL replicated folder and designated it as the primary member.
  Run the dfsrdiag pollad command on the second domain controller to trigger it to complete initial sync (event ID 4614). As soon as initial sync is finished, event ID 4604 is logged, signaling SYSVOL
  has completed initialization.
  Or, if the first domain controller is in the 2213 state and the second domain controller is healthy (SYSVOL is shared), run theResumeReplication WMI
  method on the first domain controller. It will log event ID 2214 at the completion of dirty shutdown recovery.  
  This post is provided AS IS with no warranties or guarantees, and confers no rights.
  ~~~
  Questo post non fornisce garanzie e non conferisce diritti

• DSGETDCNAME advertising test failing. SYSVOL and NETLOGON shares not replicating. Please help!!!

  Hello all. We are currently running a Windows Server 2003 ADDC as a virtual machine on a Windows Server 2012 host using Hyper-V. We have recently added a second Windows Server 2012 ADDC also as a Hyper-V VM. I promoted the 2k12 to a DC, transferred all FMOS
  roles, and tested AD replication. All AD data was replicated fine. However a DCDIAG (the results of which I have attached to this post) show a few errors.
  First off, it is failing the advertising test. This is more than likely due to a DNS error. Unfortunately, I can not seem to find the error within the DNS to resolve it. 
  Secondly, it is failing the KccEvent test; also seeming as a DNS related error.
  Thirdly, both SYSVOL and NETLOGON shares were not successfully replicated. This is likely the basis for the other issues. Without these successfully replicated, I can not demote the 2K3 server; which is the goal in the end, to replace the old server with
  the new. 
  I am willing to try just about anything, so any suggestions would be greatly appreciated. As for what I have tried, I have tried a non-authoritative restore using burr flags with no success. I CAN ping both DCs from each other ensuring connectivity. All
  users can currently log on to the server (due to the fact that the 2K3 server is still running and still holds the SYSVOL and NETLOGON shares).
  Once again, any help would be greatly appreciated! Thank you in advance!
  DCDIAG Output:
  Directory Server Diagnosis
  Performing initial setup:
  Trying to find home server...
  Home Server = RETIRED2012
  * Identified AD Forest.
  Done gathering initial info.
  Doing initial required tests
  Testing server: Default-First-Site\RETIRED2012
  Starting test: Connectivity
  ......................... RETIRED2012 passed test Connectivity
  Doing primary tests
  Testing server: Default-First-Site\RETIRED2012
  Starting test: Advertising
  Warning: DsGetDcName returned information for
  \\retired1.RetireFirst.local, when we were trying to reach
  RETIRED2012.
  SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
  ......................... RETIRED2012 failed test Advertising
  Starting test: FrsEvent
  There are warning or error events within the last 24 hours after the
  SYSVOL has been shared. Failing SYSVOL replication problems may cause
  Group Policy problems.
  ......................... RETIRED2012 passed test FrsEvent
  Starting test: DFSREvent
  ......................... RETIRED2012 passed test DFSREvent
  Starting test: SysVolCheck
  ......................... RETIRED2012 passed test SysVolCheck
  Starting test: KccEvent
  An error event occurred. EventID: 0xC0000827
  Time Generated: 08/09/2013 22:08:34
  Event String:
  Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
  A warning event occurred. EventID: 0x80000677
  Time Generated: 08/09/2013 22:10:02
  Event String:
  Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
  An error event occurred. EventID: 0xC0000466
  Time Generated: 08/09/2013 22:10:06
  Event String:
  Active Directory Domain Services was unable to establish a connection with the global catalog.
  ......................... RETIRED2012 failed test KccEvent
  Starting test: KnowsOfRoleHolders
  ......................... RETIRED2012 passed test KnowsOfRoleHolders
  Starting test: MachineAccount
  ......................... RETIRED2012 passed test MachineAccount
  Starting test: NCSecDesc
  ......................... RETIRED2012 passed test NCSecDesc
  Starting test: NetLogons
  Unable to connect to the NETLOGON share! (\\RETIRED2012\netlogon)
  [RETIRED2012] An net use or LsaPolicy operation failed with error 67,
  The network name cannot be found..
  ......................... RETIRED2012 failed test NetLogons
  Starting test: ObjectsReplicated
  ......................... RETIRED2012 passed test ObjectsReplicated
  Starting test: Replications
  ......................... RETIRED2012 passed test Replications
  Starting test: RidManager
  ......................... RETIRED2012 passed test RidManager
  Starting test: Services
  ......................... RETIRED2012 passed test Services
  Starting test: SystemLog
  A warning event occurred. EventID: 0x00001695
  Time Generated: 08/09/2013 22:06:48
  Event String:
  Dynamic registration or deletion of one or more DNS records associated with DNS domain 'RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:06:49
  Event String:
  Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.
  A warning event occurred. EventID: 0x00001696
  Time Generated: 08/09/2013 22:07:44
  Event String:
  Dynamic registration or deregistration of one or more DNS records failed with the following error:
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:07:51
  Event String:
  Name resolution for the name retired1.RetireFirst.local timed out after none of the configured DNS servers responded.
  A warning event occurred. EventID: 0x00001695
  Time Generated: 08/09/2013 22:08:23
  Event String:
  Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
  A warning event occurred. EventID: 0x00001695
  Time Generated: 08/09/2013 22:08:35
  Event String:
  Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
  An error event occurred. EventID: 0x0000041E
  Time Generated: 08/09/2013 22:08:45
  Event String:
  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
  An error event occurred. EventID: 0x00000423
  Time Generated: 08/09/2013 22:08:53
  Event String:
  The DHCP service failed to see a directory server for authorization.
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:10:04
  Event String:
  Name resolution for the name isatap timed out after none of the configured DNS servers responded.
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:10:08
  Event String:
  Name resolution for the name e45ad288-70ff-4d9e-adf9-3035e459e126._msdcs.RetireFirst.local timed out after none of the configured DNS servers responded.
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:10:21
  Event String:
  Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.
  An error event occurred. EventID: 0x00000423
  Time Generated: 08/09/2013 22:11:14
  Event String:
  The DHCP service failed to see a directory server for authorization.
  An error event occurred. EventID: 0x0000041E
  Time Generated: 08/09/2013 22:13:45
  Event String:
  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
  ......................... RETIRED2012 failed test SystemLog
  Starting test: VerifyReferences
  ......................... RETIRED2012 passed test VerifyReferences
  Running partition tests on : ForestDnsZones
  Starting test: CheckSDRefDom
  ......................... ForestDnsZones passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... ForestDnsZones passed test
  CrossRefValidation
  Running partition tests on : DomainDnsZones
  Starting test: CheckSDRefDom
  ......................... DomainDnsZones passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... DomainDnsZones passed test
  CrossRefValidation
  Running partition tests on : Schema
  Starting test: CheckSDRefDom
  ......................... Schema passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... Schema passed test CrossRefValidation
  Running partition tests on : Configuration
  Starting test: CheckSDRefDom
  ......................... Configuration passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... Configuration passed test CrossRefValidation
  Running partition tests on : RetireFirst
  Starting test: CheckSDRefDom
  ......................... RetireFirst passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... RetireFirst passed test CrossRefValidation
  Running enterprise tests on : RetireFirst.local
  Starting test: LocatorCheck
  ......................... RetireFirst.local passed test LocatorCheck
  Starting test: Intersite
  ......................... RetireFirst.local passed test Intersite

  Thank you for your response first of all! And in response:
  1. "Retired1" is the 2k3 ADDC / DNS Server. It currently has a different IP than the 2K12 Server. Verified with ipconfig/all.
  2. I set 2K12 to only 2K3 for DNS; no external ISP servers or itself listed. Registered DNS, restarted netlogon; no success.
  3. ipconfig/all for 2K12 server here:
  Windows IP Configuration
  Host Name . . . . . . . . . . . . : RETIRED2012
  Primary Dns Suffix . . . . . . . : RetireFirst.local
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : RetireFirst.local
  Ethernet adapter Ethernet:
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
  Physical Address. . . . . . . . . : 00-15-5D-01-33-0A
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::8159:4f0c:4071:d780%12(Preferred)
  IPv4 Address. . . . . . . . . . . : 172.21.69.246(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.192
  Default Gateway . . . . . . . . . : 172.21.69.250
  DHCPv6 IAID . . . . . . . . . . . : 251663709
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-74-BE-C0-00-15-5D-01-33-0A
  DNS Servers . . . . . . . . . . . : 172.21.69.240
  NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{8317BEC2-079A-4846-B6B2-1AE3E2784691}:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  4. The 2K12 is a GC; yes.
  Thanks again and hopefully we can work this out!
  Seems like you have/had a server named "retired1" with the same IP address as the new 2012 server? (if this is a old server) remove all references to it in DNS
  Make sure that on the 2012 server in the TCP/IP DNS Settings, you only point to the 2003 DC for DNS (Not it self for now, and no external ISP DNS servers) - Run ipconfig /registerdns and restart the netlogon service on the 2012 server.
  Can you post and unedited output of ipconfig /all from the 2012 server?
  Did you make the 2012 server a global catalog? (if not I would recommend that)http://support.microsoft.com/kb/296882
  Seems like you have/had a server named "retired1" with the same IP address as the new 2012 server? (if this is a old server) remove all references to it in DNS
  Make sure that on the 2012 server in the TCP/IP DNS Settings, you only point to the 2003 DC for DNS (Not it self for now, and no external ISP DNS servers) - Run ipconfig /registerdns and restart the netlogon service on the 2012 server.
  Can you post and unedited output of ipconfig /all from the 2012 server?
  Did you make the 2012 server a global catalog? (if not I would recommend that)http://support.microsoft.com/kb/296882
  Seems like you have/had a server named "retired1" with the same IP address as the new 2012 server? (if this is a old server) remove all references to it in DNS
  Make sure that on the 2012 server in the TCP/IP DNS Settings, you only point to the 2003 DC for DNS (Not it self for now, and no external ISP DNS servers) - Run ipconfig /registerdns and restart the netlogon service on the 2012 server.
  Can you post and unedited output of ipconfig /all from the 2012 server?
  Did you make the 2012 server a global catalog? (if not I would recommend that)http://support.microsoft.com/kb/296882

• The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted

  I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
  with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
  The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
  Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain
   is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.
  I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it
  is not available.
  Help please!

  Hi,
  As there is server 2012 DC (SERVER1) DC is operational in a domain then "This domain controller is the last controller for the domain" should be remain unchecked when you demote SERVER2 DC. 
  If you are getting error "Active Directory domain controllers for that domain can be contacted" while demoting SERVER2 DC then check the DNS pointing on both as per below article, disable windows firewall on all DC, less possiblities but worth to check if both
  are different site then check the ports are open on firewall. 
  http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
  http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
  http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
  run “ipconfig /flushdns & ipconfig /registerdns“, restart DNS server and NETLOGON service on each DC and try to demote server2 DC.
  If issue reoccurs, post dcdiag /q result.
  NOTE: If initial replication was completed between both DC (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
  Active Directory Metadata Cleanup
  http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
  Best regards,
  Abhijit Waikar.
  MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
  Blog: http://abhijitw.wordpress.com
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

• DNS issues with replaced domain controllers

  I have slight issue I hope some one can help with.
  We recently replaced some domain controllers in our 2 core sites the process we followed is as below:-
  moved FSMO roles to different already working servers
  demoted the old domain controllers and decommissioned.
  built virtual machine replacements with the same names.
  depromo'd the servers
  ran all the tests and it reported everything was fine.
  moved the fsmo roles to the new servers.
  repeated this for the remaining servers.
  this was our 2003 domain to free up physical space but our new 2013 domain what will exist separately until all our applications our tested.
  however the problem we now have is that non domain controllers have issues registering against the new servers despite being able to do look-ups against them all (replication testing looks fine). one of our regional DC's seems to have taken over as the primary
  replica. as changes made else where disappeared but changes made there got replicated out perfectly.
  I have managed to resolve this particular issue by added the domain controllers back into several locations in DNS manually (maining forward lookup zones>my domain>_tcp )but we still experience the odd issue with servers not registering in DNS properly
  (although it's a lot better since the I did the above)
  so basically does any one have a idea on what could have caused this issue and how I can resolve?

  should the demotion not automatically remove it from sites and services automatically (it could well be this if not) the question then becomes how do we resolve the issues we have now.
  Hello,
  NO, as you can demote a DC and it still may run site-aware services like DFS and for this reason a DC is NOT automatically removed from AD sites and services during demotionprocess.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Clustering Configuration with Primary & Secondary Domain Controllers

  Hello.
  I am trying to configure Failover Clustering on my Server 2012 computers.
  I have a primary domain, as well as a secondary domain.
  We will call them dc1.domain.com and dc2.domain.com.
  I have Failover Clustering Manager installed on both servers.
  Upon adding them both to the Create A Cluster Wizard, I receive the following error message on my report.
  (My account is fairly new, so it will not let me attach an image, but I assure you, it is safe)
  s14.postimg.org/lssjm2vu9/Screenshot_1.png

  More that trying to avoid clustering domain controllers, you simply cannot do it.  Active Directory has high availability built into it.  It is known as multimaster, meaning there is no primary and secondary domain controllers.  All are 'masters',
  meaning you can make changes on any domain controller and the change will be replicated to the other DCs.
  If you only have two physical servers and you want to cluster them, you will first need to install the Hyper-V role on the servers (it is not recommended to install both Hyper-V and Domain Controller on the same box, so we will get this fixed).  Once
  you have Hyper-V installed, build a VM on each server, join them to the domain, and promote them to domain controllers.  On one of the VMs, seize the FSMO roles from the FSMO master.  Then demote the physical hosts from being domain controllers. 
  You can now form a cluster of the two physical servers.
  . : | : . : | : . tim

• Unable to Sync SYSVOL Folder between Domain Controllers

  Good Afternoon All,
  I have the following issue on my current domain configuration, I say current as we are seeking to go to Server 2012 R2 within the next few months, but for now, we are at the 2008 R2 functional level.
  We have three Domain Controllers namely Server-001 to 3, with Server-002 holding the PDC Emulator Role. Now when policies are created or updated through GP Management, I have noticed that they sync without issue between Server-002 and Server-003, but not
  Server-001. In the SYSVOL Folder in each DC, the folder totals in policies are as follows:
  Server-001 - 72 Folders
  Server-002 - 96 Folders
  Server-003 - 96 Folders
  So here, it can be clearly seen that there is some sort of replication issue between Server-001 and the other controllers. I have researched and read several articles and opinions regarding the same issue and have ran many of the commands outlined including
  repadmin, dnslint, gposync, etc. with the only output displaying errors being gposync. I have checked all the event logs for each DC with added focus on the DFS Replication Logs and have seen no errors regarding replication on Server-001 which is the server
  at fault, but have noted that it appears that Server-001 is only replicating to itself, while Servers -002 and -003 are syncing/replicating between each other. I created a text document in Server-002's SYSVOL Folder and checked in Server-003's and verified
  that the document successfully synced across, but on Server-001 nothing happened. I did some research on the issue and came across non-authoritative sysvol restore as an option, but when I tried this on Server-001 via ADSI Edit, I noticed that the following
  path:
  OU=Domain Controllers>CN=Server-001>CN=DSFR-LocalSettings>CN=Domain System Volume
  is missing. Initially, DSFR-LocalSettings was missing as well, but I re-created it. I then attempted to re-create Domain System Volume, but when I tried entering the Replication Group GUID, I got an error that "one or more of the values are not in the
  correct format", even though this is the same GUID used on the other two DCs. I tried changing the value to octet, hexadecimal, etc. but nothing worked. i still got the same error. I am convinced that this is where the disconnect lies, but with no possible
  idea how to fix this broken section, I am unsure how to further proceed. We were going to demote the server, bring up a 2012 R2 unit and have it seize the roles, but I convinced my Systems Administrator for us to try and see if there is a fix available before
  commissioning a new server. As is, group policy is somewhat broken as policies either do no get applied at all, or, get applied to certain groups or OUs.
  If you are interested I can forward you our DFSR Logs from each server, along with any other reports that I have run in the hopes that someone will be able to assist. I hope that I have been as clear as possible and have provided as much information as is
  possibly required.
  Thank you all in advance.

  Hi,
  To perform non-authoritative synchronization for DFSR-replicated SYSVOL, the following article can be referred to for more information.
  How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)
  http://support.microsoft.com/kb/2218556/en-us
  Besides, we can use dcdiag command to check the health of the DC.
  Dcdiag
  http://technet.microsoft.com/en-us/library/cc731968.aspx
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Excessive Traffic on Port 445 between 2 Domain Controllers

  Hi, my company has over 45 DC's across about 25 sites worldwide.  We are noticing a lot of traffic using wireshark and Network Monitor on Microsoft-DS port 445. I have been searching if this is normal and what I see is that it is used for SMB File and
  print sharing. Well, I don't have any file shares on these DC's other than the normal admin shares and sysvol share. I don't believe this is replication traffic since these 2 servers are not replication partners. I have checked sites and services to make sure
  the intersite and intrasite connections look good.   This traffic is constant over weeks and it is about 1 GB an hour between the 2 servers.  This would not be a big deal if this was just on the local LAN but it is over the WAN and
  that saturates the line.   Should 2 DC's be talking that much that are not even replication partners?  What type of traffic could it be.  I am at a loss for troubleshooting this.  I have done packet captures but that really does
  not tell me much ( that I can read anyway).  Oh, I have run AV scans alos and finding nothing.
  Any help would be greatly appreciated.
  Steve
  Steve

  Actually, DFS/FRS/DFSR replication is not related to NTDS replication. It uses a directory change notification event to trigger replication to a replica, and that is to all DCs in the domain. That's why you can have SYSVOL replication problems but AD replication
  of the partitions do not have problems, such as when you create a user on one and it replicates to it's NTDS partner.
  Below is a summary. You can read about how the whole process with NTFRS/DFSR works in the links below, if you like:
  Introduction to Administering DFS-Replicated SYSVOL
  "DFS Replication technology significantly improves replication of SYSVOL. ... When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated."
  "To replicate only updates to files, DFS Replication uses an algorithm called remote differential compression (RDC). RDC detects changes ... without having to replicate the entire file. RDC detects insertions, removals, and rearrangements of data
  in files. The DFS Replication service monitors SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication automatically replicates the file updates to the SYSVOL folders on the other domain controllers in the domain. "
  http://technet.microsoft.com/en-us/library/cc794837(v=WS.10).aspx
  How FRS Works - Windows 2003
  http://technet.microsoft.com/en-us/library/cc758169(v=WS.10).aspx
  DFS Replication: Frequently Asked Questions (FAQ)
  http://technet.microsoft.com/en-us/library/cc773238(v=WS.10).aspx
  I think 316 MB in SYSVOL is a good amount of data. What is in there taking up that much space? Is something using SYSVOL to store it's data, such as an app that's constantly changing data?
  The reason I'm asking is that this could be the cause of the issue, since if it changes on one DC, then it replicates, then another change occurs, etc., and it keeps going and it appears that a ton of data is being moved back and forth.
  Quick story - I remember a customer was using SYSVOL to store data so they can access it across the WAN link. He said he did it because of its "cool" replication features. I said, yea, but it's meant for domain data (GPO policies, templates, etc.)
  and not for custom data. Create a DFS share for that so it works independently of SYSVOL.
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Block Based replication of Domain Controllers to DR site

  I have to bring up a business critical application at a DR site using the same hostname and IP address as in production site. For this purpose, I plan to use a block replication software to replicate data from production servers to a SAN at the DR site.
  For DR invocation or testing, I am planning to take a snapshot from the SAN, create virtual disks and attach them to newly created VM's at the DR site.
  This application depends on Active Directory and hence I need to have a domain controller at the DR site. If I create a new domain controller for the DR site, as it will be in a separate IP subnet, it will have to be in a separate AD site and the application
  servers will not be able to use this domain controllers, as they will look for domain controllers in their AD site (which is from the production site). If I put the domain controller in the same IP subnet as the application servers, the same IP subnet has
  user workstations and hence user authentication requests from production site will start coming to the DR site across the WAN.
  In this scenario, I am proposing to replicate the domain controllers also from the production site to the DR site, like the application servers. But I am not sure if block replication of production DC's to DR site and then when required for testing/invocation,
  can we create a new VM and attaching virtual hard disks with the replicated data, will bring these VM's up as domain controllers in the DR site or will they have any negative effects ? Would this be a supported solution ? Any response will be highly appreciated.
  Thanks in advance.

  You don't want to run any type of duplicated software to clone the DC, that is a bad idea.  You could end up with lingering objects and/or Directory Service corruption. 
  If you want the DC's to exist in the same subnet then you are in a quandry.  You can start to modify srv records so the DC won't authenticate clients (BUt you will have to manually change that at DR time).
  I have a Blog that talks about lag site replication that blocks clients from ever attempting to authenticate to the DC, you should be able to use this same logic.
  http://blogs.dirteam.com/blogs/paulbergson/archive/2013/05/14/how-to-build-an-ad-replication-delay-lag-site.aspx
  You will want to create yourself a group policy that prevents the DC in the DR site from registering records that will advertise itself as an authenticating DC.  If you need to use the DR site, you will need to remove the gpo and either reboot the DC
  or run a gpupdate and restart NetLogon on the DC so it will register the records so the clients can then use this DC.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• OIM provisioning to Multiple Domain Controllers of a single Domain

  Hi experts !
  Our client has offices in different parts of country and they are using MS AD. We have to integrated this AD with OIM. The issue we are facing is that there is a cluster of domain controllers (DC) at each location for example NewYork, Dallas and Ohio and OIM is being deployed in NY. All the DC at all location are part of a single domain "example.com" and they is no child domain.
  Now if a User Administrator in Ohio logs in to this central OIM online and creates / modifies user profile of a user in AD, it means that the OIM will create / update the user profile in the DC placed in NY and through AD replication, it will be pushed to Ohio.
  As the communication between few sites is not reliable, thus managers at these locations will have to bear the delays if the replication between DCs takes time even when they have modified the resource profile in OIM.
  Is it a possibility that the user administrator at location A, when modifies the user resource profile, the modifications is carried out in the DC of location A? for example, if the administrator in Ohio logs in, whenever, he changes the profile, OIM modifies the profile in DC placed at Ohio?
  I have gone through "Configuring the Connector for Multiple Installations of the Target System" in MS AD connector Documentation but i am uncertain whether this "target system" means DC of same domain or different child domains?
  Any help / idea would be really appreciated.
  Best Regards.
  Edited by: Zia on May 8, 2011 11:21 PM
  Edited by: Zia on May 8, 2011 11:22 PM

  thank you for your reply sir
  initially i was of the idea to place OIM servers at each location with DB at a central point. However, there are more than a dozen such locations! have you come accross any such scenario where more than 12 machines running OIM at different places point to a central DB? i was a bit reluctant in proposing such design due to network instability. So we decided to deploy OIM at a single location in cluster mode and admins at each location will access this single instance (cluster) over the WAN. This cluster will populate domain controller at this specific location and will be replicated through AD replication.
  But now the analysis team has pointed out the problem scenario as i have mentioned in my earlier post. so we are in a bit fix how to handle this situation :-s