FYI: Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 2)
see:
(2014-02-01) Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 2)
Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
That link might have been broken. Here is the link:
http://jorgequestforknowledge.wordpress.com/2014/02/01/testing-active-directory-replication-latencyconvergence-through-powershell-update-2/
Nice Jorge. Thanks for sharing.
Regards~Biswajit
Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
MY BLOG
Domain Controllers inventory-Quest Powershell
Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
Generate a Report for installed Hotfix for Bulk Servers
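The post above points at Jorge's convergence-test script but does not reproduce it. As an added example that is not Jorge's code and not part of the original thread, the function below implements the same idea in PowerShell: it writes a harmless canary object (a contact) on one DC, then polls every other writable DC for that object and reports how long each one took to converge. It assumes the RSAT ActiveDirectory module, rights to create and delete objects in the container passed as -CanaryOU (default: the domain's Users container), and network reachability to every DC; the function and parameter names are mine.

```powershell
# Added example, not Jorge's script: measure AD replication convergence with a canary object.
# Assumes the ActiveDirectory module, create/delete rights in $CanaryOU, and reachability to all DCs.
Import-Module ActiveDirectory

function Test-ADReplicationConvergence {
    param(
        [string]$CanaryOU = (Get-ADDomain).UsersContainer,   # container for the temporary object
        [string]$SourceDC = (Get-ADDomain).PDCEmulator,      # DC that receives the originating write
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 5
    )
    # A contact object makes a good canary: no logon capability, no group membership, easy to delete.
    $name   = "_replcanary_" + [guid]::NewGuid().ToString("N")
    $start  = Get-Date
    $canary = New-ADObject -Name $name -Type contact -Path $CanaryOU -Server $SourceDC -PassThru
    Write-Verbose "Created $($canary.DistinguishedName) on $SourceDC at $($start.ToString('o'))"

    # Every writable DC other than the source should receive the change (RODCs are excluded).
    $pending = @(Get-ADDomainController -Filter { IsReadOnly -eq $false } |
                 Where-Object { $_.HostName -ne $SourceDC } |
                 Select-Object -ExpandProperty HostName)
    $results = @()

    while ($pending.Count -gt 0 -and ((Get-Date) - $start).TotalSeconds -lt $TimeoutSeconds) {
        foreach ($dc in @($pending)) {
            try {
                # -Server pins the lookup to one DC so we observe its own replica, not a referral.
                $null = Get-ADObject -Identity $canary.ObjectGUID -Server $dc -ErrorAction Stop
                $results += [pscustomobject]@{
                    DC = $dc; Converged = $true
                    LatencySeconds = [math]::Round(((Get-Date) - $start).TotalSeconds, 1); Error = $null
                }
                $pending = @($pending | Where-Object { $_ -ne $dc })
            } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # Not replicated to this DC yet; keep polling it.
            } catch {
                # DC unreachable or the query failed: record the error and stop polling it.
                $results += [pscustomobject]@{ DC = $dc; Converged = $false; LatencySeconds = $null; Error = $_.Exception.Message }
                $pending = @($pending | Where-Object { $_ -ne $dc })
            }
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    }
    # Anything still pending did not converge within the timeout.
    foreach ($dc in $pending) {
        $results += [pscustomobject]@{ DC = $dc; Converged = $false; LatencySeconds = $null; Error = "not converged after $TimeoutSeconds s" }
    }
    # Remove the canary where it was created; the deletion replicates like any other change.
    Remove-ADObject -Identity $canary.ObjectGUID -Server $SourceDC -Confirm:$false
    $results | Sort-Object LatencySeconds
}

# Usage: Test-ADReplicationConvergence -Verbose | Format-Table -AutoSize
```

Run it from a workstation or DC with the AD module; a DC that is reachable but never converges within the timeout is reported with Converged = False and an explanatory Error, which is the row to chase with repadmin.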
Similar Messages
-
see:
(2014-02-02) Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 2)
Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
see:
http://jorgequestforknowledge.wordpress.com/2014/02/16/testing-active-directory-replication-latencyconvergence-through-powershell-update-3/
Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/ -
Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 3)
see:
http://jorgequestforknowledge.wordpress.com/2014/02/17/testing-sysvol-replication-latencyconvergence-through-powershell-update-3/
Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
see:
http://jorgequestforknowledge.wordpress.com/2014/02/16/testing-active-directory-replication-latencyconvergence-through-powershell-update-3/
Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/ -
Active Directory Replication 2008 R2
Hi
We are getting an error as "The following server could not be reached (topology incomplete)"
Domain Controllers: 2008 R2
How can we resolve this issue.
Aravind
The error message mentions that the server is not reachable.
You might want to start with checking the basics:
Check that the faulty DC has its A, CNAME and SRV records properly registered in your DNS system (you can use nslookup for checking: http://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx). If this is not the case, then follow the IP settings recommendation I mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
Once the IP settings are corrected, you can run the ipconfig /registerdns command.
Check that the required ports for AD replication are open between your DCs and are not filtered: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
If none of this helped, you can temporarily disable the security software you use on the DCs and check again.
The last resort could be to demote the DC and promote it again.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
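The reply above is a checklist: DNS records for the DC, then the ports between DCs. As an added example (not part of the thread and not Ahmed's), the function below automates that checklist from any domain-joined machine: it confirms the DC's A record, confirms the DC is a target of the SRV records partners and clients use, resolves the DSA-GUID CNAME under _msdcs when the AD module is available, and probes the fixed TCP ports AD replication and authentication use. It assumes Resolve-DnsName and Test-NetConnection (Windows 8 / Server 2012 or later); the host and domain names in the usage line are placeholders.

```powershell
# Added example, not from the thread: check the DNS registrations and TCP ports a DC needs
# before digging into "could not be reached (topology incomplete)" errors.
# Assumes Resolve-DnsName and Test-NetConnection (Windows 8 / Server 2012 or later); the
# ActiveDirectory module is optional and only used for the DSA-GUID CNAME check.
function Test-DCReachability {
    param(
        [Parameter(Mandatory)][string]$DCHostName,       # FQDN of the DC to check
        [string]$Domain = $env:USERDNSDOMAIN             # DNS name of the domain the DC belongs to
    )
    $report = New-Object System.Collections.ArrayList
    function Add-Row($check, $target, $ok, $detail) {
        [void]$report.Add([pscustomobject]@{ Check = $check; Target = $target; Passed = [bool]$ok; Detail = $detail })
    }

    # 1. The DC's own A record.
    $a = Resolve-DnsName -Name $DCHostName -Type A -ErrorAction SilentlyContinue
    Add-Row 'A record' $DCHostName $a (($a | Where-Object IPAddress).IPAddress -join ', ')

    # 2. SRV records that partners and clients use to locate DCs; each should list this DC as a target.
    foreach ($srv in @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain", "_ldap._tcp.$Domain")) {
        $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue | Where-Object { $_.NameTarget }
        $listed  = $records | Where-Object { $_.NameTarget.TrimEnd('.') -ieq $DCHostName }
        Add-Row 'SRV lists DC' $srv $listed (($records.NameTarget | Sort-Object -Unique) -join ', ')
    }

    # 3. The <DSA GUID>._msdcs.<forest root> CNAME that replication partners resolve (needs the AD module).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        try {
            Import-Module ActiveDirectory
            $dc    = Get-ADDomainController -Identity $DCHostName -ErrorAction Stop
            $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID -Server $DCHostName -ErrorAction Stop).objectGUID
            $cname = "$guid._msdcs.$((Get-ADForest).RootDomain)"
            $c     = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue
            Add-Row 'DSA GUID CNAME' $cname $c (($c | Where-Object NameHost).NameHost -join ', ')
        } catch { Add-Row 'DSA GUID CNAME' $DCHostName $false $_.Exception.Message }
    }

    # 4. Fixed TCP ports used by AD replication and authentication (the RPC dynamic range is not probed here).
    $ports = [ordered]@{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
                         445 = 'SMB'; 464 = 'Kerberos password change'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }
    foreach ($p in $ports.Keys) {
        $tcp = Test-NetConnection -ComputerName $DCHostName -Port $p -WarningAction SilentlyContinue
        Add-Row "TCP $p ($($ports[$p]))" $DCHostName $tcp.TcpTestSucceeded $tcp.RemoteAddress
    }
    $report
}

# Usage (placeholder names): Test-DCReachability -DCHostName dc01.corp.example -Domain corp.example | Format-Table -AutoSize
```

A DC that passes every row here but still fails replication usually fails on the RPC dynamic port range or on authentication, which is the point to move from port probes to repadmin and the Directory Service event log.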
Migration SBS2003 to SBS2008 Active Directory Replication
I am migrating from SBS2003 server to SBS2008. I fired up the 2008 server on the network with the 2003 server and started the migration. I got about 25% progress on the “Expanding and Installing Files” window when I got an error message of “Active Directory Replication is taking longer than expected. You can choose whether to continue waiting. If you choose not to wait the migration may fail. Unless you are sure that replication is working correctly, it is recommended that you continue to wait”. After waiting three times of 20 minutes each I don’t think it is working. What are my options? What can I check for?
Hi,
As it is an SBS-related issue, you may wish to post to the SBS newsgroup. This will provide access to others who read the public newsgroups regularly and who will share their knowledge.
Connect Windows Small Business Server 2008
http://connect.microsoft.com/SBS08
Thank you for your understanding and cooperation.
Miles -
Active Directory Replication failed
Hi all,
I'm deploying Lync Server 2010 on a virtual server.
My Domain Controller is a physical server.
A Windows Update restart happened when almost 90% of the deployment was completed.
While enabling users in the Lync Server Control Panel after the server restart, I got an issue: Active Directory replication failed.
Regards,
Arun.
The problem is more related to the Domain Controller.
Please check the event log on Domain Controller.
You can also refer to the following link to troubleshoot Active Directory Replication Problems:
http://technet.microsoft.com/en-us/library/cc738415(v=ws.10).aspx
Lisa Zheng
TechNet Community Support -
Windows Server 2008 R2 - Active Directory Replication over DynDNS
Hello,
I have one server running Windows Server 2008 R2 - Active Directory / DNS.
Now some users have shifted to a new office along with the server.
Some users are still in the original place, which now doesn't have AD DS/DNS.
I want to install one replica server in the original place to retrieve AD/DNS from the new office via DynDNS.
Is that possible or not?
Best regards,
Badr, I don't think you want AD replication occurring over the internet - even if that were possible, the server would need access to all the SRV records, A records, and all the ports required for communication - see here for an exhaustive list
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx - I don't think I have to tell you how bad opening all these ports to the internet would be.
You may want to look at setting up a VPN or DirectAccess from the original site to the new site. This will give you more security and generally won't cost too much.
http://technet.microsoft.com/en-us/network/dd420463.aspx
Another thing that may work for you would be to set up Remote Desktop Services in the new location and have the original location remote in via a gateway server -
http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx as a starting point. With RDS your users would be able to access the new location from anywhere, although there would be upfront costs associated,
licensing and servers being part of them - I don't recommend turning your domain controller into an RDS server. These are just some ideas to help you with your issue -
Active Directory Replication Servers (wont replicate SYSVOL and NETLOGON Not showing)
I have my first DC server (DC1), DC1.DOMAIN.LOCAL, and I decided to add another Domain Controller. I made it a secondary DNS server and also a GC. Everything seems to replicate, but it's missing NETLOGON and SYSVOL won't replicate.
Windows 2008 R2
Error 5706
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\INFGRP.LOCAL\SCRIPTS. The following error occurred:
The system cannot find the file specified.
Event 7009
A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
Event 1058
The processing of Group Policy failed. Windows attempted to read the file \\INFGRP.LOCAL\SysVol\INFGRP.LOCAL\Policies\{55DE4000-0D51-44CD-92A1-30F286B2BC86}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until
this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
All Critical
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS
Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Test replication
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine dc, is a DC.
* Connecting to directory service on server dc.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\dc
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... dc passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\dc
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=GRP,DC=LOCAL
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=GRP,DC=LOCAL
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=GRP,DC=LOCAL
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=GRP,DC=LOCAL
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=GRP,DC=LOCAL
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... dc passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : DomainDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : Schema
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : Configuration
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : GRP
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running enterprise tests on : GRP.LOCAL
Test omitted by user request: Intersite
Test omitted by user request: FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
On the second DC (DCR) I see SYSVOL, but no files replicated, and there's also no NETLOGON. -
Can't fix Active Directory replication
Hi,
I am not sure when the replication issue started, but it has been going on for months now. We have two ADs and so, actually, we have one working fine (probably). Users are replicated fine (at least they show in the second AD tree) and also the group policies replicate
(they show in the group policy tree).
But in the \\dc02\SYSVOL\domainname.com\Policies directory, nothing is shared. It's completely out of date. Also, the group policy manager gives a warning: 1 Domain controller(s) with replication in progress.
Anyway, I and other members of the IT staff looked into it, but it looks like the problem goes deep.
So my question is, what is the best way to solve this? Start to post some errors here, or maybe we should completely re-install the second DC? Or both? Or is that a bad idea?
Thanks for any help!
Thanks for the responses!
Problem is, Event viewer keeps giving different errors. I just restarted my secondary DC and it gives this error:
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Before the restart, I ran dcdiag again and it gave problems with NCSecDesc, so a permission problem. I fixed that, ran dcdiag again and no errors were showing. But the SYSVOL directory was still not in sync.
After that, I restarted and the top error is shown in event viewer and dcdiag gives me another, new error:
Starting test: SystemLog
A warning event occurred. EventID: 0x000727A5
Time Generated: 04/16/2014 18:02:36
Event String: The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/16/2014 18:03:40
Event String:
A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0xC0001B6F
Time Generated: 04/16/2014 18:03:41
Event String: The Diagnostic System Host service terminated with the following error:
An error event occurred. EventID: 0xC0001B6F
Time Generated: 04/16/2014 18:03:41
Event String: The Diagnostic Service Host service terminated with the following error:
......................... DC02 failed test SystemLog
After restarting the secondary DC, the primary DC gives an error on DFSREvent but I think that's OK because it lost the secondary DC for a minute. No further errors there.
After restarting the primary DC, it also gives a SystemLog error in dcdiag, but a different one from the other DC:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0x00000090
Time Generated: 04/16/2014 18:31:25
Event String: The time service has stopped advertising as a good time source.
......................... DC01 failed test SystemLog
Now this is the current status. I am pretty desperate. Maybe you have some suggestions? Otherwise, I will try pbbergs' suggestion.
Other errors in the event viewer (not sure if they are related but just posting to be sure):
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
Certificate name: dc01.domainname.com
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Thanks for the help! -
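Both SYSVOL threads above come down to the same question: on which DCs are SYSVOL and NETLOGON actually shared, which replication engine (FRS or DFSR) is running, and is the Policies folder on each DC the same size. As an added example that is not part of either thread, the function below collects those facts for every DC in one table. It assumes the ActiveDirectory module, WinRM (Invoke-Command) and SMB access to each DC, Windows PowerShell 5.1 (Get-Service -ComputerName), and dfsrmig.exe on the machine running it; the function name is mine.

```powershell
# Added example, not from either thread: inventory the SYSVOL/NETLOGON share state and the SYSVOL
# replication engine on every DC, so a DC whose shares never appear stands out next to a healthy one.
# Assumes the ActiveDirectory module, WinRM and SMB access to each DC, dfsrmig.exe locally,
# and Windows PowerShell 5.1 for Get-Service -ComputerName.
Import-Module ActiveDirectory

function Get-SysvolReplicationStatus {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    $domainDns = (Get-ADDomain).DNSRoot
    # Domain-wide state of the FRS-to-DFSR SYSVOL migration ("Eliminated" means DFSR is the only engine).
    $migration = 'dfsrmig.exe not available'
    if (Get-Command dfsrmig.exe -ErrorAction SilentlyContinue) {
        $migration = ((& dfsrmig.exe /getmigrationstate) -join ' ') -replace '\s+', ' '
    }

    foreach ($dc in $DomainController) {
        $row = [ordered]@{
            DC = $dc; SysvolShared = $false; NetlogonShared = $false; PolicyFolders = $null
            SysvolReady = $null; NtFrs = $null; DFSR = $null; MigrationState = $migration; Error = $null
        }
        try {
            # Share list over SMB; both shares must exist on a DC that advertises.
            $shares = & net.exe view "\\$dc" 2>&1
            $row.SysvolShared   = [bool]($shares | Select-String -Pattern '^SYSVOL\s')
            $row.NetlogonShared = [bool]($shares | Select-String -Pattern '^NETLOGON\s')

            # Number of GPO folders under Policies: compare across DCs to spot a stale replica.
            $policies = "\\$dc\SYSVOL\$domainDns\Policies"
            if (Test-Path -Path $policies) {
                $row.PolicyFolders = @(Get-ChildItem -Path $policies -Directory -ErrorAction Stop).Count
            }

            # Netlogon creates the shares only after the replication engine sets SysvolReady = 1.
            $row.SysvolReady = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
            }

            # Which engine is running: NtFrs (File Replication Service) vs DFSR (DFS Replication).
            $row.NtFrs = (Get-Service -ComputerName $dc -Name NtFrs -ErrorAction SilentlyContinue).Status
            $row.DFSR  = (Get-Service -ComputerName $dc -Name DFSR  -ErrorAction SilentlyContinue).Status
        } catch {
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage: Get-SysvolReplicationStatus | Format-Table DC, SysvolShared, NetlogonShared, PolicyFolders, SysvolReady, NtFrs, DFSR -AutoSize
```

Read the table across rows rather than down one: a DC with SysvolReady 0 or missing and no shares, while its peers show DFSR running and the same PolicyFolders count, is the one whose SYSVOL replica never finished initial sync, which is the condition the events quoted above (7009, 1058, the DFSR migration notice) describe.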
Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest
Hello everyone,
I'm managing a multi-domain forest (with 7 sub-domains). All are working fine except for one. Through repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of a subdomain (there are only 2 DCs in that
subdomain) hadn't replicated with the rest of the forest for more than 60 days.
According to my research, it's usually recommended to demote and repromote the problematic DC to avoid the issue of lingering objects. In this case, it's both DCs of a sub-domain. Of course, on the other DCs in the forest, I got the event
ID 2012 "it has been too long since this machine last replicated with the named source machine....".
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
to a value of 1.
As I understand it, this may cause lingering objects to appear (they can be removed with the repadmin /removelingeringobjects command with the DSA GUID, naming context, etc.). So far, I haven't used that registry key because of the associated risks.
I didn't notice any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in AD Sites
and Services).
I added two new DCs for the affected sub-domain, so the number of DCs for that domain went from 2 to 4. The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2.
Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I
cannot add an Active Directory Domain Services Connection in the Sites & Services console (from a DC in another domain of the forest or even the root domain). I see all the DCs, including the two old DCs that are Server 2003, but not the new ones.
I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
I was wondering what is the best course of action. Is it worthwhile to use the registry key to force replication with the old DCs? (And hopefully the new DCs will get their AD Services connection/replication vector created, so I can demote
the old DCs.)
Since the old DCs from the problematic sub-domain seem to be able to pull replication from the rest of the forest, is the risk of lingering objects not that great?
Or is it too risky, and must I create a new sub-domain and migrate the users one way or another? (Which would be time-consuming.)
Thanks in advance,
Adam
Thanks for the reply. One of the links had another link to a good article about the use of repadmin:
So, I ran the command "repadmin /removelingeringobjects" on one of the problematic DCs ().
For clarity purpose, let's say I used the domain :
domain = main domain
subdomain = the domain whose DC are problematic (all of them).
AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
Command (the DSA guid is from a DC "clean" in another domain)
repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
I got the following message in the event viewer :
Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
Number of objects examined and verified:
0
Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
advisory mode option.
How should I interpret the message "number of objects examined and verified 0". Does it mean it just didn't find any object to compare ? (which would be odd IMHO) Or there is another problem ?
Thanks in advance,
Adam -
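Adam's post shows one advisory-mode run against one naming context. As an added example that is not part of the thread and not Adam's command, the two functions below generalise that step: the first looks up the reference DC's DSA object GUID (the objectGUID of its NTDS Settings object, which is the GUID form shown in the event text above) and runs repadmin /removelingeringobjects in /advisory_mode for every partition the reference DC hosts; the second reads the resulting verification events from the suspect DC's Directory Service log by their message text. It assumes the ActiveDirectory module, repadmin.exe on the path, and rights to run repadmin and read the suspect DC's event log; the host names in the usage lines are placeholders.

```powershell
# Added example, not from the thread: advisory-mode lingering-object check of a suspect DC against a
# reference DC over every partition the reference DC holds, followed by a read of the resulting events.
# Assumes the ActiveDirectory module, repadmin.exe on the path, and rights to run repadmin and read the
# suspect DC's Directory Service log. Host names in the usage lines are placeholders.
Import-Module ActiveDirectory

function Invoke-LingeringObjectAdvisoryScan {
    param(
        [Parameter(Mandatory)][string]$SuspectDC,     # DC whose replica is checked
        [Parameter(Mandatory)][string]$ReferenceDC,   # known-good DC whose copy is the reference
        [string[]]$NamingContext                      # default: every partition the reference DC hosts
    )
    # repadmin identifies the source by its DSA object GUID, the objectGUID of the reference DC's
    # NTDS Settings object; it is the GUID that appears as <guid>._msdcs.<forest root> in the events.
    $ref     = Get-ADDomainController -Identity $ReferenceDC -ErrorAction Stop
    $dsaGuid = (Get-ADObject -Identity $ref.NTDSSettingsObjectDN -Properties objectGUID -Server $ReferenceDC).objectGUID.ToString()
    if (-not $NamingContext) { $NamingContext = $ref.Partitions }

    foreach ($nc in $NamingContext) {
        # /advisory_mode only reports; nothing is deleted.
        $out = & repadmin.exe /removelingeringobjects $SuspectDC $dsaGuid $nc /advisory_mode 2>&1
        [pscustomobject]@{
            SuspectDC = $SuspectDC; ReferenceDC = $ReferenceDC; ReferenceDsaGuid = $dsaGuid
            NamingContext = $nc; ExitCode = $LASTEXITCODE
            Output = (($out | ForEach-Object { "$_" }) -join ' ') -replace '\s+', ' '
        }
    }
}

function Get-LingeringObjectAdvisoryEvents {
    param([Parameter(Mandatory)][string]$SuspectDC, [int]$Hours = 1)
    # The verification results are logged in the suspect DC's Directory Service log; match on the
    # message text quoted in the thread rather than on event IDs.
    Get-WinEvent -ComputerName $SuspectDC -FilterHashtable @{ LogName = 'Directory Service'; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lingering object' } |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (placeholders): Invoke-LingeringObjectAdvisoryScan -SuspectDC suspect.sub.example -ReferenceDC clean.example | Format-List
#                       Get-LingeringObjectAdvisoryEvents -SuspectDC suspect.sub.example
```

The comparison is only meaningful for a partition that both DCs hold a replica of, so check the suspect DC's own Partitions property (Get-ADDomainController) against the naming contexts you pass before treating a count of zero examined objects as a clean result.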
Monitoring active directory replication.
Hello! How do I configure, step by step, monitoring of replication between 2 domains?
Hi,
Have you downloaded “Guide for System Center Management Pack for Active Directory for Operations Manager 2012”? It includes detailed information.
http://www.microsoft.com/en-us/download/details.aspx?id=21357
Niki Han
TechNet Community Support -
How to test Active Directory health?
Hi,
I need to test my AD replication and health. I also need to check if AD Sites and Services is configured properly. What can I use for that?
You can check the replication issue using this.
repadmin /replsum /bysrc /bydest /sort:delta
You need to check whether the client computers are getting the correct DC or not, for the AD Sites configuration.
Regards~Biswajit -
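The reply gives two checks: repadmin /replsum for the DCs and a look at which DC each client is using for the site configuration. As an added example that is not part of the thread, the two functions below do the same in PowerShell: the first produces a per-partner, per-partition table comparable to repadmin /replsum, flagging partners with consecutive failures or no success within a threshold; the second asks the DC locator on a client which DC it got and whether that DC's site matches the client's site. It assumes the ActiveDirectory module from Windows Server 2012 / RSAT or later (the Get-ADReplication* cmdlets), WinRM to remote clients, and nltest.exe on the client; the function names are mine.

```powershell
# Added example, not from the thread: a PowerShell counterpart to "repadmin /replsum /bysrc /bydest /sort:delta"
# plus the client-side site check suggested in the reply. Assumes the ActiveDirectory module from
# Windows Server 2012 / RSAT or later (Get-ADReplication* cmdlets) and nltest.exe on the client.
Import-Module ActiveDirectory

function Get-ADReplicationHealthSummary {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$WarnHours = 24      # flag partners that have not replicated successfully in this many hours
    )
    foreach ($dc in $DomainController) {
        try {
            # One row per inbound partner and partition, like repadmin /showrepl, across all partitions.
            $meta = Get-ADReplicationPartnerMetadata -Target $dc -Partition * -ErrorAction Stop
            foreach ($m in $meta) {
                $age = [math]::Round(((Get-Date) - $m.LastReplicationSuccess).TotalHours, 1)
                [pscustomobject]@{
                    DC                  = $dc
                    # Partner is the DN of the partner's NTDS Settings object; keep just the server name.
                    Partner             = ($m.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')
                    Partition           = $m.Partition
                    LastSuccess         = $m.LastReplicationSuccess
                    HoursSinceSuccess   = $age
                    ConsecutiveFailures = $m.ConsecutiveReplicationFailures
                    LastResult          = $m.LastReplicationResult   # 0 = success, otherwise a Win32 error code
                    Stale               = ($age -gt $WarnHours) -or ($m.ConsecutiveReplicationFailures -gt 0)
                }
            }
        } catch {
            # The DC could not be queried at all; that is a finding in itself.
            [pscustomobject]@{ DC = $dc; Partner = $null; Partition = $null; LastSuccess = $null; HoursSinceSuccess = $null
                               ConsecutiveFailures = $null; LastResult = $_.Exception.Message; Stale = $true }
        }
    }
}

function Get-ClientSiteMapping {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    # nltest /dsgetdc: shows which DC the locator returned and whether its site matches the client's.
    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME) {
            $out = & nltest.exe /dsgetdc: 2>&1
        } else {
            $out = Invoke-Command -ComputerName $c -ScriptBlock { & nltest.exe /dsgetdc: 2>&1 } -ErrorAction SilentlyContinue
        }
        $text       = ($out | ForEach-Object { "$_" }) -join "`n"
        $dcName     = if ($text -match 'DC:\s*\\\\(\S+)')       { $matches[1] } else { $null }
        $dcSite     = if ($text -match 'Dc Site Name:\s*(\S+)') { $matches[1] } else { $null }
        $clientSite = if ($text -match 'Our Site Name:\s*(\S+)') { $matches[1] } else { $null }
        [pscustomobject]@{
            Computer   = $c
            DC         = $dcName
            DcSite     = $dcSite
            ClientSite = $clientSite
            SameSite   = ($dcSite -and $clientSite -and ($dcSite -ieq $clientSite))
        }
    }
}

# Usage: Get-ADReplicationHealthSummary | Where-Object Stale | Format-Table -AutoSize
#        Get-ClientSiteMapping -ComputerName ws01, ws02 | Format-Table -AutoSize   (placeholder names)
```

A client whose SameSite is False while the DCs replicate cleanly points at the Sites and Services side (a subnet not mapped to a site, or mapped to the wrong one) rather than at replication.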
Directory replication among DC through SSL ports
We have a customer who has a requirement to secure AD replication among DC's through SSL ports. We have tried to convince them that replication that is happening follows kerberos authentication and data is in encrypted format, but still they are asking whether
replication can happen through SSL port or not.
Their requirement involves customization of AD which I am not sure if possible.
Also if this is not possible they are asking for a technet article in relevance to that.
Seeking for support!
Regards,
Ankur
Hiya,
The answer is no.
The replication traffic itself is already secure, as it is performed using Kerberos, which is an encrypted protocol. Furthermore, internal traffic between geographically dispersed sites should be done using VPN, MPLS or a similar enclosed network protocol,
which is also encrypted. DC replication traffic should be considered internal traffic and should only be performed on internal networks (traffic on a VPN/MPLS is considered internal in that sense).
So by default, when installing your DC's, the replication traffic between these DC's is already secure.
DNS has no need for secure communications, it's a name to IP repository. If you don't want people to use your DNS, don't allow them to use it.
LDAP can be changed to use LDAPS instead, however it requires client compatibility.
Kerberos is by default a secure protocol. - And this is the protocol used for replication. -
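The reply notes that LDAP can be moved to LDAPS but that this depends on the DC having a suitable certificate and on client compatibility. As an added example that is not part of the thread, the function below opens a TLS session to a DC's LDAPS port and reports what the DC presents: subject, issuer, expiry and the validation result a client would get (untrusted chain, name mismatch, or none). It uses only .NET classes available in Windows PowerShell and does not touch the replication RPC traffic the question was about; the host name in the usage line is a placeholder.

```powershell
# Added example, not from the thread: check what certificate a DC presents on the LDAPS port and whether
# it would validate for clients (trusted chain, name matches the host). Uses .NET classes only.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DCHostName,   # FQDN the clients will connect to
        [int]$Port = 636
    )
    $result = [ordered]@{
        DC = $DCHostName; Port = $Port; TlsHandshake = $false; Subject = $null; Issuer = $null
        NotAfter = $null; Thumbprint = $null; PolicyErrors = $null; TrustedAndNameMatches = $false; Error = $null
    }
    # The callback records validation errors instead of aborting the handshake, so the report can show them.
    $state    = @{ Errors = $null }
    $callback = { param($sender, $cert, $chain, $errors) $state.Errors = $errors; $true }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($DCHostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false, [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        # Authenticate against the name clients use; a certificate issued to another name shows up as a mismatch.
        $ssl.AuthenticateAsClient($DCHostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsHandshake = $true
        $result.Subject      = $cert.Subject
        $result.Issuer       = $cert.Issuer
        $result.NotAfter     = $cert.NotAfter
        $result.Thumbprint   = $cert.Thumbprint
        $result.PolicyErrors = [string]$state.Errors
        # SslPolicyErrors.None means the chain is trusted by this machine and the name matches.
        $result.TrustedAndNameMatches = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$result
}

# Usage (placeholder name): Test-LdapsCertificate -DCHostName dc01.corp.example | Format-List
```

Run it from a representative client rather than from the DC itself, because the trust verdict depends on the root store of the machine doing the check; a handshake that succeeds with PolicyErrors other than None is exactly the case where clients will refuse LDAPS.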
Hi Scripting Guy. I am a Server Administrator who is very familiar with Active Directory, but new to PowerShell. Like many SysAdmins, I often need to create multiple accounts (ranging from 3-200) and add them to multiple groups (ranging
from 1 - 100). Previously I used VBS scripts in conjunction with an Excel .XLS file (not a CSV file). Since VBS is essentially out the door and PowerShell is in, I am having to re-create everything.
I have written a PowerShell script that bulk creates my users and adds them to their corresponding groups - however, this can only use a CSV file (NOT an XLS file). I understand that "CSV is much easier to use than Excel worksheets", but
most times I have three sets of nearly identical groups (for Dev, QA and Prod). Performing Search and Replace on the Excel template across all four Worksheets ensures the names used are consistent throughout the three environments.
I know each Excel Worksheet can be exported as a separate CSV file and then use the PowerShell scripts as is, but since I am not the only SysAdmin who will be using these it leads to "unnecessary time lost", not to mention the reality that even
though you clearly state "These tabs need to be exported using this naming standard" (to work with the PowerShell scripts) that is not the result.
I've been tasked to find a way to modify my existing PowerShell/CSV scripts to work with Excel spreadsheets/workbooks instead - with no success. I have run across many articles/forums/scripts that let you update Excel or export AD data into an Excel
spreadsheet (even specifying the worksheet, column and row) - but nothing for what I am trying to do.
I can't imagine that I am the ONLY person who is in this situation/has this need. So, I am hoping you can help. How do I modify my existing scripts to reference "use this Excel spreadsheet, and this specific worksheet in the spreadsheet
prior to performing the New-ADUser/Add-ADGroupMember commands".
For reference, I am including Worksheet/Column names of my Excel Spreadsheet Template as well as the first part of my PowerShell script. M-A-N-Y T-H-A-N-K-S in advance.
Worksheet: Accounts
Columns: samAccountName, CN_DisplayName_Name, sn_LastName, givenName_FirstName, Password, Description, TargetOU
Worksheets: DevGroups / QAGroups / ProdGroups
Columns: GroupName, Members, MemberOf, Description, TargetOU
# Load PowerShell Active Directory module
Write-Host "Loading Active Directory PowerShell module." -foregroundcolor DarkCyan # -backgroundcolor Black
Import-Module ActiveDirectory
Write-Host " "
# Set parameter for location of CSV file (so source file only needs to be listed once).
$path = ".\CreateNewUsers-CSV.csv"
# Import CSV file as data source for remaining script.
$csv = Import-Csv -path $path | ForEach-Object {
# Add '@saccounty.net' suffix to samAccountName for UserPrincipalName
$userPrincinpal = $_."samAccountName" + "@saccounty.net"
# Create and configure new AD User Account based on information from the CSV source file.
Write-Host " "
Write-Host " "
Write-Host "Creating and configuring new user account from the CSV source file." -foregroundcolor Cyan # -backgroundcolor Black
New-ADUser -Name $_."cn_DisplayName_Name" `
-Path $_."TargetOU" `
-DisplayName $_."cn_DisplayName_Name" `
-GivenName $_."givenName_FirstName" `
-SurName $_."sn_LastName" `
-SamAccountName $_."samAccountName" `
-UserPrincipalName $userPrincinpal `
Here is the same script as a function:
Function Get-ExcelSheet{
Param(
$fileName = 'C:\scripts\test.xls',
$sheetName = 'csv2'
)
# Jet 4.0 is a 32-bit-only provider for .xls workbooks; it cannot open .xlsx files.
$conn = New-Object System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = $fileName;Extended Properties=Excel 8.0")
$cmd=$conn.CreateCommand()
$cmd.CommandText="Select * from [$sheetName$]"
$conn.open()
$cmd.ExecuteReader()
}
It is called like this:
Get-ExcelSheet -filename c:\temp\myfilename.xslx -sheetName mysheet
Do NOT change anything in the function and post the exact error. If you don't have Office installed correctly or are running 64 bits with a 32 bit session you will have to adjust your system.
¯\_(ツ)_/¯
HI JRV,
My apologies for not responding sooner - I was pulled off onto another project this week. I have included and called your Get-ExcelSheet function as best as I could...
# Load PowerShell Active Directory module
Write-Host "Loading Active Directory PowerShell module." -foregroundcolor DarkCyan # -backgroundcolor Black
Import-Module ActiveDirectory
Write-Host " "
# JRV This Function Loads the Excel Reader
Function Get-ExcelSheet{
Param(
$fileName = 'C:\scripts\test.xls',
$sheetName = 'csv2'
)
# Jet 4.0 is a 32-bit-only provider for .xls workbooks; it cannot open .xlsx files.
$conn = New-Object System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = $fileName;Extended Properties=Excel 8.0")
$cmd=$conn.CreateCommand()
$cmd.CommandText="Select * from [$sheetName$]"
$conn.open()
$cmd.ExecuteReader()
}
# Set parameter for location of CSV file (so source file only needs to be listed once) as well as Worksheet Names.
$sourceFile = ".\NewDocClass-XLS-Test.xlsx"
# JRV Call the Get-ExcelSheet function, providing FileName and SheetName values
# Pipe the data from source for remaining script.
Get-ExcelSheet -filename "E:\AD_Bulk_Update\NewDocClass-XLS-Test.xlsx" -sheetName "Create DocClass Accts" | ForEach-Object {
# Add '@saccounty.net' suffix to samAccountName for UserPrincipalName
# ($_ refers to the current row only inside this loop, so these values are computed here)
$userPrincinpal = $_."samAccountName" + "@saccounty.net"
# Combine GivenName & SurName for DisplayName
$displayName = $_."sn_LastName" + ". " + $_."givenName_FirstName"
# Create and configure new AD User Account based on information from the CSV source file.
Write-Host " "
Write-Host " "
Write-Host "Creating and configuring new user account from the CSV source file." -foregroundcolor Cyan # -backgroundcolor Black
New-ADUser -Name $displayName `
-SamAccountName $_."samAccountName" `
-UserPrincipalName $userPrincinpal `
-Path $_."TargetOU" `
Below are the errors I get:
Exception calling "Open" with "0" argument(s): "The 'Microsoft.Jet.OLEDB.4.0'
provider is not registered on the local machine."
At E:\AD_Bulk_Update\Create-BulkADUsers-XLS.ps1:39 char:6
+ $conn.open()
+ ~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
Exception calling "ExecuteReader" with "0" argument(s): "ExecuteReader
requires an open and available Connection. The connection's current state is
closed."
At E:\AD_Bulk_Update\Create-BulkADUsers-XLS.ps1:40 char:6
+ $cmd.ExecuteReader()
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException -
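The error above is the classic symptom JRV anticipated: the Jet 4.0 provider is 32-bit only and does not open .xlsx files, so in a 64-bit session (or against an .xlsx workbook) the connection never opens and ExecuteReader fails on a closed connection. As an added example that is not JRV's Get-ExcelSheet and not the poster's script, the code below reads a worksheet through the ACE OLE DB provider instead, first checking that the provider is registered for the session's bitness so the failure is explained rather than cryptic, emits each row as an object exactly like Import-Csv does, and feeds those rows to New-ADUser using the column names of the poster's template. It assumes the Microsoft Access Database Engine (ACE) is installed with the same bitness as PowerShell and the ActiveDirectory module; the workbook path and UPN suffix in the usage line are placeholders.

```powershell
# Added example, not JRV's Get-ExcelSheet or the poster's script: read a worksheet from an .xlsx workbook
# through the ACE OLE DB provider, emit rows like Import-Csv does, and feed them to New-ADUser.
# Assumes the Microsoft Access Database Engine (ACE) installed for the same bitness as the PowerShell
# session, the ActiveDirectory module, and the column names of the poster's template.
Import-Module ActiveDirectory

function Get-OleDbProviderNames {
    # OLE DB providers registered for this process's bitness. A 64-bit session cannot see a 32-bit-only
    # provider (Jet 4.0 is 32-bit only), which is what "provider is not registered" usually means.
    (New-Object System.Data.OleDb.OleDbEnumerator).GetElements().Rows | ForEach-Object { $_.SOURCES_NAME }
}

function Get-ExcelWorksheet {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SheetName,
        [string]$Provider = 'Microsoft.ACE.OLEDB.12.0'
    )
    if ($Provider -notin (Get-OleDbProviderNames)) {
        $bits = if ([Environment]::Is64BitProcess) { '64-bit' } else { '32-bit' }
        throw "OLE DB provider '$Provider' is not registered for this $bits session; install the matching Access Database Engine or use a session of the other bitness."
    }
    # "Excel 12.0 Xml" = .xlsx; HDR=YES takes column names from row 1; IMEX=1 reads mixed-type columns as text.
    $full = (Resolve-Path -Path $Path).Path
    $conn = New-Object System.Data.OleDb.OleDbConnection("Provider=$Provider;Data Source=$full;Extended Properties=`"Excel 12.0 Xml;HDR=YES;IMEX=1`"")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT * FROM [$SheetName`$]"     # worksheet names carry a trailing $
        $table = New-Object System.Data.DataTable
        [void](New-Object System.Data.OleDb.OleDbDataAdapter($cmd)).Fill($table)
        foreach ($row in $table.Rows) {
            $obj = [ordered]@{}
            foreach ($col in $table.Columns) {
                $v = $row[$col]
                $obj[$col.ColumnName] = if ($v -is [DBNull]) { $null } else { $v }   # empty cells become $null
            }
            [pscustomobject]$obj
        }
    } finally { $conn.Dispose() }
}

function New-ADUsersFromWorkbook {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$SheetName = 'Accounts',
        [Parameter(Mandatory)][string]$UpnSuffix       # DNS suffix for the UPN, e.g. corp.example (placeholder)
    )
    Get-ExcelWorksheet -Path $Path -SheetName $SheetName | ForEach-Object {
        if ([string]::IsNullOrWhiteSpace($_.samAccountName)) { return }   # skip blank trailing rows
        $p = @{
            Name              = $_.CN_DisplayName_Name
            DisplayName       = $_.CN_DisplayName_Name
            GivenName         = $_.givenName_FirstName
            Surname           = $_.sn_LastName
            SamAccountName    = $_.samAccountName
            UserPrincipalName = '{0}@{1}' -f $_.samAccountName, $UpnSuffix
            Path              = $_.TargetOU
        }
        if ($_.Description) { $p.Description = $_.Description }   # optional column
        if (-not [string]::IsNullOrEmpty($_.Password)) {
            # The password stays a SecureString and is never echoed to the console or a transcript.
            $p.AccountPassword       = ConvertTo-SecureString -String ([string]$_.Password) -AsPlainText -Force
            $p.ChangePasswordAtLogon = $true
            $p.Enabled               = $true
        }
        New-ADUser @p
    }
}

# Usage (placeholders): New-ADUsersFromWorkbook -Path .\Accounts.xlsx -SheetName Accounts -UpnSuffix corp.example -WhatIf
```

Because the function declares SupportsShouldProcess, -WhatIf flows through to New-ADUser and prints every account that would be created without touching the directory, which is the dry run to do before handing the workbook to other administrators. The DevGroups / QAGroups / ProdGroups worksheets can be read with the same Get-ExcelWorksheet call and piped to Add-ADGroupMember in the same way.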
Active Directory replication and login errors (Plz HELP !!)
Hi All,
We have one forest domain (XXXX.LOCAL) and lots of child domains (XXX.XXXX.LOCAL).
We are facing an issue where child domains are not able to log in with the forest administrator account, and there are also lots of replication errors.
Exchange OWA gives an error that it is not able to find a particular XXX.XXX.local child domain.
dcdiag output from the child domain is:
C:\Windows\system32>
C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
C:\Windows\system32>
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = PMA-DC01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: HEC-CITY\PMA-DC01
Starting test: Connectivity
......................... PMA-DC01 passed test Connectivity
Doing primary tests
Testing server: HEC-CITY\PMA-DC01
Starting test: Advertising
Warning: PMA-DC01 is not advertising as a time server.
......................... PMA-DC01 failed test Advertising
Starting test: FrsEvent
......................... PMA-DC01 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... PMA-DC01 failed test DFSREvent
Starting test: SysVolCheck
......................... PMA-DC01 passed test SysVolCheck
Starting test: KccEvent
......................... PMA-DC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
[PMA-DC02] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: PMA-DC02 is the PDC Owner, but is not responding to DS RPC
Bind.
[PMA-DC02] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: PMA-DC02 is the PDC Owner, but is not responding to LDAP
Bind.
Warning: PMA-DC02 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: PMA-DC02 is the Rid Owner, but is not responding to LDAP
Bind.
Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... PMA-DC01 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... PMA-DC01 passed test MachineAccount
Starting test: NCSecDesc
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
......................... PMA-DC01 failed test NCSecDesc
Starting test: NetLogons
......................... PMA-DC01 passed test NetLogons
Starting test: ObjectsReplicated
......................... PMA-DC01 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,Replications Check] Inbound replication is
disabled.
To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
[Replications Check,PMA-DC01] Outbound replication is disabled.
To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
......................... PMA-DC01 failed test Replications
Starting test: RidManager
......................... PMA-DC01 failed test RidManager
Starting test: Services
w32time Service is stopped on [PMA-DC01]
......................... PMA-DC01 failed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00000010
Time Generated: 04/21/2014 19:16:04
Event String:
Unable to Connect: Windows is unable to connect to the automatic upd
ates service and therefore cannot download and install updates according to the
set schedule. Windows will continue to try to establish a connection.
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:42
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs
.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the fol
lowing DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on
the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._udp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kpasswd._tcp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kpasswd._udp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.'
failed on the following DNS server:
An error event occurred. EventID: 0x00000C8A
Time Generated: 04/21/2014 19:44:51
Event String:
This computer could not authenticate with \\LHR-DC01.XXXX.LOCAL, a W
indows domain controller for domain XXXX, and therefore this computer might deny
logon requests. This inability to authenticate might be caused by another compu
ter on the same network using the same name or the password for this computer ac
count is not recognized. If this message appears again, contact your system admi
nistrator.
An error event occurred. EventID: 0xC00A0038
Time Generated: 04/21/2014 19:46:02
Event String:
The Terminal Server security layer detected an error in the protocol
stream and has disconnected the client. Client IP: 10.87.193.37.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 19:52:41
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was PMA\PMA-DC02$. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occu
r when the target server principal name (SPN) is registered on an account other
than the account the target service is using. Please ensure that the target SPN
is registered on, and only registered on, the account used by the server. This e
rror can also happen when the target service is using a different password for t
he target service account than what the Kerberos Key Distribution Center (KDC) h
as for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is
not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from th
e client domain (PMA.XXXX.LOCAL), check if there are identically named server ac
counts in these two domains, or use the fully-qualified name to identify the ser
ver.
A warning event occurred. EventID: 0x8000001C
Time Generated: 04/21/2014 19:53:42
Event String:
When generating a cross realm referal from domain XXXX.LOCAL the KDC
was not able to find the suitable key to verify the ticket. The ticket key vers
ion in the request was 25 and the available key version was 22. This most common
reason for this error is a delay in replicating the keys. In order to remove th
is problem try forcing replication or wait for the replication of keys to occur.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 20:13:25
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was LDAP/4a166db9-c39c-4069-99e7-8a233ce2c0
be._msdcs.XXXX.LOCAL. This indicates that the target server failed to decrypt th
e ticket provided by the client. This can occur when the target server principal
name (SPN) is registered on an account other than the account the target servic
e is using. Please ensure that the target SPN is registered on, and only registe
red on, the account used by the server. This error can also happen when the targ
et service is using a different password for the target service account than wha
t the Kerberos Key Distribution Center (KDC) has for the target service account.
Please ensure that the service on the server and the KDC are both updated to us
e the current password. If the server name is not fully qualified, and the targe
t domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL),
check if there are identically named server accounts in these two domains, or us
e the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 20:13:25
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indi
cates that the target server failed to decrypt the ticket provided by the client
. This can occur when the target server principal name (SPN) is registered on an
account other than the account the target service is using. Please ensure that
the target SPN is registered on, and only registered on, the account used by the
server. This error can also happen when the target service is using a different
password for the target service account than what the Kerberos Key Distribution
Center (KDC) has for the target service account. Please ensure that the service
on the server and the KDC are both updated to use the current password. If the
server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is di
fferent from the client domain (PMA.XXXX.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to i
dentify the server.
......................... PMA-DC01 failed test SystemLog
Starting test: VerifyReferences
......................... PMA-DC01 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : PMA
Starting test: CheckSDRefDom
......................... PMA passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... PMA passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running enterprise tests on : XXXX.LOCAL
Starting test: LocatorCheck
......................... XXXX.LOCAL passed test LocatorCheck
Starting test: Intersite
......................... XXXX.LOCAL passed test Intersite
C:\Windows\system32>
There are a number of things that can cause this, such as:
1. DNS is misconfigured to support a parent-child-additional tree forest.
2. Incorrect DNS zone replication scope for the design, which points back to point #1.
3. AD Sites are misconfigured for the physical environment. For example, if you have a hub and spoke physical environment, you can't use the default settings that bridge all sites (BASL) and must individually configure them.
4. Incorrect DNS settings on the DCs.
5. Multi-homed DCs.
6. Time service is not configured properly and/or syncing from the VM host, which should be configured otherwise (Microsoft, VMware and Citrix have KBs explaining this).
7. Default security settings at either the parent, child or both domains have been altered.
8. Firewalls between DCs, such as perimeter firewalls, or installed antivirus protection features if not excluded on DCs properly, will cause this, too.
That's the short list. If you can describe some of the points above, it may help us pinpoint where the issue may be.
Some links that may help understand some of the bullet points:
AD Site Design, DNS & the DC Locator Process, and Auto Site Link Bridging, or Bridge All Site Links (BASL)
http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx
Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
Published by Ace Fekay, MCT, MVP DS on Sep 18, 2009 at 8:14 PM
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
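As an added example (not part of the thread), a triage function that re-checks, on the DC itself, the four conditions the posted dcdiag output flagged: replication switched off through DSA options, the stopped time service, the machine-account key-version mismatch behind the KRB_AP_ERR_MODIFIED events, and the failed SRV registration. It assumes the ActiveDirectory module, repadmin and Resolve-DnsName are available and uses the DC and domain names from the post as defaults.

```powershell
# Added triage function, not from the thread. Run on the DC that produced the dcdiag
# output; assumes the ActiveDirectory module, repadmin and Resolve-DnsName are present.
function Get-DcReplicationTriage {
    param(
        [string]$LocalDc = 'PMA-DC01',
        [string]$PeerDc  = 'PMA-DC02',
        [string]$Domain  = 'PMA.XXXX.LOCAL'
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $findings = @()
    # 1. dcdiag: "Inbound/Outbound replication is disabled". These are DSA option
    #    flags; a leading "-" on the flag in repadmin /options clears it.
    $opts = (repadmin /options $LocalDc) -join ' '
    $findings += [pscustomobject]@{
        Check = 'DsaOptions'
        Bad   = [bool]($opts -match 'DISABLE_(INBOUND|OUTBOUND)_REPL')
        Value = $opts.Trim()
        Fix   = "repadmin /options $LocalDc -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL"
    }
    # 2. dcdiag: "w32time Service is stopped". Kerberos allows 5 minutes of clock
    #    skew by default, so this becomes an authentication problem, not a warning.
    $w32 = Get-Service -Name w32time
    $findings += [pscustomobject]@{
        Check = 'W32Time'
        Bad   = ($w32.Status -ne 'Running')
        Value = [string]$w32.Status
        Fix   = 'Start-Service w32time; w32tm /resync /rediscover'
    }
    # 3. KRB_AP_ERR_MODIFIED and "key version 25 vs 22": read the peer DC's
    #    machine-account key version as each DC sees it. A difference means the
    #    account password changed but the change has not replicated.
    $kvno = foreach ($srv in @($LocalDc, $PeerDc)) {
        $acct = Get-ADComputer -Identity $PeerDc -Server $srv -Properties 'msDS-KeyVersionNumber'
        [pscustomobject]@{ Server = $srv; Kvno = [int]$acct.'msDS-KeyVersionNumber' }
    }
    $findings += [pscustomobject]@{
        Check = 'PeerDcKeyVersion'
        Bad   = (@($kvno.Kvno | Sort-Object -Unique).Count -gt 1)
        Value = (($kvno | ForEach-Object { "$($_.Server)=$($_.Kvno)" }) -join ', ')
        Fix   = "repadmin /syncall $PeerDc /AdeP   (once the DSA options above are cleared)"
    }
    # 4. Event 0x168E: SRV registration failed. Check the locator record other
    #    DCs and clients use to find this DC.
    $srvRec  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $targets = @($srvRec | Where-Object NameTarget | ForEach-Object NameTarget)
    $findings += [pscustomobject]@{
        Check = 'DcLocatorSrv'
        Bad   = ($targets -notcontains "$LocalDc.$Domain")
        Value = ($targets -join ', ')
        Fix   = 'nltest /dsregdns   (after the DC points at a DNS server that hosts the zone)'
    }
    $findings
}
Get-DcReplicationTriage | Format-Table Check, Bad, Value -AutoSize
```

The Value column is the raw evidence to keep in the incident record; the Fix column is the matching corrective command, ordered by dependency (re-enable replication before forcing a sync).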