Global Catalog Placement

Hi,
I have a question regarding Active Directory architecture.
We have a parent domain/forest (top.com) with many child domains (child*.top.com). Some child domains have firewalls segregating their environment from everything else. Do all the child domains need to communicate with every other child domain using all the Active Directory ports listed here, or just the Global Catalog port if there is a Global Catalog server in that domain?
We have an Exchange server in one of the child domains which I know needs a GC. In the other child domains we have a few SQL servers, but no other application server. Does every DC in every child domain need to be a GC? Or can having GCs at the parent domain and enabling universal group membership caching be sufficient? I gathered that from this.

The recommendation is generally that all your DCs should be GCs. Exchange does need GCs.
The replication topology you designed in the Sites and Services console will indicate what DCs to use for replication.
If you don't want DCs from a child domain to replicate their global catalog partitions (as well as schema and configuration) with other child domains, you can design your replication topology in such a way that it is not happening. If you want more recommendations about the replication topology you could use, feel free to tell us more about your environment (number of sites, connections, where your DCs are...) and we will assist.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
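As an added illustration of the placement question above (example code, not from the thread or from Microsoft), the following PowerShell audit lists every DC's GC role per domain, decodes the Universal Group Membership Caching flag (bit 0x20 of the `options` attribute on each site's NTDS Site Settings object, per MS-ADTS) to find sites with neither a GC nor UGMC, and tests TCP 3268 to each GC from the machine it runs on. It assumes the ActiveDirectory RSAT module, read access to the Configuration partition, and Test-NetConnection (Windows 8 / Server 2012 or later); all names are read live from the forest.

```powershell
# Added example (not code from the thread): audit Global Catalog placement in a
# forest. Assumes the ActiveDirectory RSAT module, read access to the
# Configuration partition and Test-NetConnection (Windows 8 / Server 2012+).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Every DC in every domain of the forest, with its site and GC flag.
$dcs = @(foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object Name, Domain, Site, HostName, IsGlobalCatalog
})
$dcs | Sort-Object Domain, Name | Format-Table -AutoSize | Out-Host

# 2. Universal Group Membership Caching is bit 0x20 of the 'options' attribute
#    on each site's "CN=NTDS Site Settings" object; msDS-Preferred-GC-Site is the
#    site whose GC refreshes the cache (empty = the locator picks one).
$UGMC_FLAG = 0x20
$settings  = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter '(objectClass=nTDSSiteSettings)' `
                 -Properties options, 'msDS-Preferred-GC-Site'

"Per-site GC coverage:"
foreach ($s in $settings) {
    # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,... so the site is the 2nd RDN
    # (site names containing escaped commas are not handled here).
    $site = ($s.DistinguishedName -split ',')[1] -replace '^CN=', ''
    $gcs  = @($dcs | Where-Object { $_.Site -eq $site -and $_.IsGlobalCatalog })
    $ugmc = (([int]$s.options) -band $UGMC_FLAG) -ne 0   # [int]$null is 0
    if ($gcs.Count -gt 0) {
        $status = "GC present: $($gcs.Name -join ', ')"
    } elseif ($ugmc) {
        $status = "no GC, UGMC enabled (refresh site: '$($s.'msDS-Preferred-GC-Site')')"
    } else {
        $status = "NO GC AND NO UGMC: logons here depend on reaching a GC elsewhere"
    }
    "{0,-30} {1}" -f $site, $status
}

# 3. From this host, can each GC be reached on TCP 3268 (GC LDAP)? Client GC
#    lookups use 3268/3269; DC-to-DC replication of the GC partial replicas still
#    needs the normal replication ports (RPC 135 + dynamic range, 389, 88, 53).
"GC port reachability from $($env:COMPUTERNAME):"
foreach ($gc in ($dcs | Where-Object { $_.IsGlobalCatalog })) {
    $open = Test-NetConnection -ComputerName $gc.HostName -Port 3268 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    $state = if ($open) { 'open' } else { 'closed/filtered' }
    "{0,-45} 3268/tcp {1}" -f $gc.HostName, $state
}
```

Run it once from each firewalled child domain: a site reported as "NO GC AND NO UGMC" combined with 3268 "closed/filtered" is exactly the case where logons break when the link to the parent domain's GCs is down.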

Similar Messages

  • Could not find any available Global Catalog in forest when running RemoteMailbox cmdlet

    My current Exchange environment is a hybrid configuration of Office 365, Exchange 2013 hybrid, and Exchange 2007 on-premise.
    I have a script responsible for enabling remote mailboxes and assigning O365 licenses to a list of users; essentially provisioning users an O365 mailbox. This script runs every hour through a defined scheduled task in the Task Scheduler.
    The script is proven to work but will intermittently throw an error on some days: "Could not find any available Global Catalog in forest root.xyz.com"
    Here are the nuances of the error when it does occur:
    It will only throw the error when the script is run via scheduled task; the script will work fine if executed from the command line.
    The error occurs when "Enable-RemoteMailbox" or "Get-RemoteMailbox" is called.
    The same error will occur with ANY script that calls "Enable-RemoteMailbox" or "Get-RemoteMailbox" and is run via scheduled task, even when the RemoteMailbox cmdlet was the only line in the script.
    Here is the output and error when Get-RemoteMailbox -verbose is run:
    VERBOSE: [15:49:52.474 GMT] Get-RemoteMailbox : Active Directory session
    settings for 'Get-RemoteMailbox' are: View Entire Forest: 'True',
    VERBOSE: [15:49:52.489 GMT] 
    Get-RemoteMailbox : Runspace context: Executing
    user: , 
    Executing user organization: , 
    Current organization: , 
    RBAC-enabled:Disabled.
    VERBOSE: [15:49:52.489 GMT] Get-RemoteMailbox : Beginning processing
    VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Current ScopeSet is: {
    Recipient Read Scope: {{, }}, 
    Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, 
    Configuration Write Scope(s): {{, }, }, 
    Exclusive Recipient Scope(s): {}, 
    Exclusive Configuration Scope(s): {} }
    VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Resolved current organization: .
    VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Searching objects "abose" of type "ADUser" under the root "$null".
    VERBOSE: [15:49:52.536 GMT] Get-RemoteMailbox : Previous operation run on global catalog server 'evw-xyzdc-p02.ad.xyz.com'.
    Get-RemoteMailbox : Could not find any available Global Catalog in forest root.xyz.com.
    At C:\IDM_In\Scripts\MinimalTest.ps1:42 char:14
    + $abose = Get-RemoteMailbox 'abose' -verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-RemoteMailbox], ADTransientException
    + FullyQualifiedErrorId : E421EF0B,Microsoft.Exchange.Management.RecipientTasks.GetRemoteMailbox
    VERBOSE: [15:49:52.567 GMT] Get-RemoteMailbox : Ending processing
    What could be the cause of this intermittent error?
    Thanks for any help

    Looks to me like a permission error: when you are running it via a scheduled task it is not able to call the Exchange shell/commands {confirm this}, whereas when you run this manually it looks to me like you open the Exchange shell, maybe as admin also, and then run the script.
    The scheduled task process is not able to get the permission.
    MARK AS USEFUL/ANSWER IF IT DID
    Thanks
    Happiness Always
    Jatin

  • A Global Catalog Server could not be located - All GC's are down SBS 2011

    I have been searching through these forums and managed to find similar errors but am struggling to find an answer that applies to me.
    I seem to be having a number of issues with our SBS. I believe this domain was previously on an SBS 2003 box before being moved to this SBS 2011 box last year; it has been running fine until yesterday. I can't see anything that has changed since then though.
    Everything seems to point to DNS although I am struggling to pinpoint the actual cause. The most worrying is when I try to open something on the SBS such as AD Sites and Services.
    The error is:
    Active Directory Domain Services - Naming information cannot be located because: The specified domain either does not exist or could not be contacted. Contact your system administrator to verify that your domain is properly configured and is currently online.
    Here is the ipconfig /all from the server:
    Host Name . . . . . . . . . . . . : SBS2012
    Primary Dns Suffix . . . . . . . : Contosso.local
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : Contosso.local
    Ethernet adapter Local Area Connection 2:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network Connecti
    on #2
    Physical Address. . . . . . . . . : 00-1E-67-39-23-14
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::8087:34f0:59f9:6a26%12(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.35.250(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.35.1
    DHCPv6 IAID . . . . . . . . . . . : 301997671
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-39-46-22-00-1E-67-39-23-15
    DNS Servers . . . . . . . . . . . : 192.168.35.250
    NetBIOS over Tcpip. . . . . . . . : Enabled
    PPP adapter RAS (Dial In) Interface:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : RAS (Dial In) Interface
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.35.24(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{A23E95B8-B5C2-4D88-BDE9-E9F1C2DD3902}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    and here is the nltest
    nltest /server:sbs2012 /dsgetdc:contosso.local
    DC: \\SBS2012.contosso.local
    Address: \\192.168.35.250
    Dom Guid: c50b6df3-9d22-4c87-b2a7-adadc4fd5ec1
    Dom Name: contosso.local
    Forest Name: contosso.local
    Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
    Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
    DNS_FOREST CLOSE_SITE FULL_SECRET WS
    The command completed successfully
    As far as I can see everything so far looks ok (highly possible I am missing something) but when I run a DCDIAG it gets messy
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = SBS2012
    * Identified AD Forest.
    Done gathering initial info.
    Doing initial required tests
    Testing server: Default-First-Site-Name\SBS2012
    Starting test: Connectivity
    ......................... SBS2012 passed test Connectivity
    Doing primary tests
    Testing server: Default-First-Site-Name\SBS2012
    Starting test: Advertising
    Fatal Error:DsGetDcName (SBS2012) call failed, error 1355
    The Locator could not find the server.
    ......................... SBS2012 failed test Advertising
    Starting test: FrsEvent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... SBS2012 passed test FrsEvent
    Starting test: DFSREvent
    ......................... SBS2012 passed test DFSREvent
    Starting test: SysVolCheck
    ......................... SBS2012 passed test SysVolCheck
    Starting test: KccEvent
    ......................... SBS2012 passed test KccEvent
    Starting test: KnowsOfRoleHolders
    ......................... SBS2012 passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    ......................... SBS2012 passed test MachineAccount
    Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=Contosso,DC=local
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=Contosso,DC=local
    ......................... SBS2012 failed test NCSecDesc
    Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\SBS2012\netlogon)
    [SBS2012] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... SBS2012 failed test NetLogons
    Starting test: ObjectsReplicated
    ......................... SBS2012 passed test ObjectsReplicated
    Starting test: Replications
    [Replications Check,SBS2012] DsReplicaGetInfo(PENDING_OPS, NULL)
    failed, error 0x2105 "Replication access was denied."
    ......................... SBS2012 failed test Replications
    Starting test: RidManager
    ......................... SBS2012 passed test RidManager
    Starting test: Services
    Could not open NTDS Service on SBS2012, error 0x5
    "Access is denied."
    ......................... SBS2012 failed test Services
    Starting test: SystemLog
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:27:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:32:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:37:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:42:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:47:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:52:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:09
    Event String:
    Driver EPSON WorkForce 645 Series required for printer EPSON WorkForce 645 Series is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:10
    Event String:
    Driver FX DocuCentre-IV C2270 PCL 6 required for printer scanner - 212 Manukau Rd Epsom is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:10
    Event String:
    Driver HP ePrint required for printer HP ePrint is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:11
    Event String:
    Driver PDF Complete Converter required for printer PDF Complete is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x00000457
    Time Generated: 07/12/2013 08:54:14
    Event String:
    Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 08:57:32
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 09:02:33
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    A warning event occurred. EventID: 0x00002724
    Time Generated: 07/12/2013 09:03:32
    Event String:
    This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
    An error event occurred. EventID: 0x0000041A
    Time Generated: 07/12/2013 09:03:33
    Event String:
    The DHCP/BINL service on the local machine encountered a network error. The error was: 0x 2.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 09:03:33
    Event String:
    The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:45
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:46
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:46
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:46
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0xC0002720
    Time Generated: 07/12/2013 09:03:46
    Event String:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    An error event occurred. EventID: 0x00000406
    Time Generated: 07/12/2013 09:07:33
    Event String:
    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
    An error event occurred. EventID: 0x00000406
    Time Generated: 07/12/2013 09:12:34
    Event String:
    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
    An error event occurred. EventID: 0xC00038D6
    Time Generated: 07/12/2013 09:16:24
    Event String:
    The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 09:17:34
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 07/12/2013 09:22:34
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    ......................... SBS2012 failed test SystemLog
    Starting test: VerifyReferences
    ......................... SBS2012 passed test VerifyReferences
    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation
    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation
    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Running partition tests on : Contosso
    Starting test: CheckSDRefDom
    ......................... Contosso passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Contosso passed test CrossRefValidation
    Running enterprise tests on : Contosso.local
    Starting test: LocatorCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.
    Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
    A Time Server could not be located.
    The server holding the PDC role is down.
    Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
    1355
    A Good Time Server could not be located.
    Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
    A KDC could not be located - All the KDCs are down.
    ......................... Contosso.local failed test LocatorCheck
    Starting test: Intersite
    ......................... Contosso.local passed test Intersite
    I found a few people who have had similar issues that were caused by the "netlogon" service being paused or stopped, but in my case it is set to start automatically and is running.
    I have also posted this to serverfault (can't post links yet: serverfault.com/questions/522691/a-global-catalog-server-could-not-be-located-all-gcs-are-down), as there may be info there that may help.
    Thanks for taking the time to read this; hopefully someone out there has come across this before or can offer something in regards to the next steps I should take.

    Some troubleshooting ideas:
    0. Check if the DCs can resolve each other using their DNSHostName. If not, this indicates some DNS misconfiguration; you need to fix that first.
    1. Check if both the DCs are pointing to the same DNS server (or DNS servers that are replicas of each other). Run "ipconfig /all" and check its output. If not, correct the DNS client settings and run dcdiag after some time.
    2. Check if dynamic updates are "turned on" on the DNS server.
    3. Try re-registering the DCs' SRV records by either restarting the netlogon service or by running the following command:
         nltest.exe /dsregdns
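The four steps above, scripted as an added PowerShell check (example code, not from the thread). It assumes the ActiveDirectory, DnsClient and DnsServer RSAT modules on Windows 8 / Server 2012 or later; $Domain is a placeholder that defaults to the machine's own domain, and every DC name and address is read from AD and DNS at run time.

```powershell
# Added example (not part of the thread): run the locator checks from steps 0-3
# against one domain. Assumes ActiveDirectory, DnsClient and DnsServer RSAT
# modules (Windows 8 / Server 2012+). $Domain is a placeholder.
$Domain = $env:USERDNSDOMAIN
$Forest = (Get-ADForest).RootDomain
$dcs    = @(Get-ADDomainController -Filter * -Server $Domain)

# Step 0: each DC's DNSHostName must resolve to the address AD knows for it.
foreach ($dc in $dcs) {
    $a = Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        Write-Warning "Step 0: $($dc.HostName) does not resolve; fix DNS before anything else"
    } elseif (@($a.IPAddress) -notcontains $dc.IPv4Address) {
        Write-Warning "Step 0: $($dc.HostName) resolves to $($a.IPAddress -join ',') but AD records $($dc.IPv4Address)"
    }
}

# Step 1: this machine's DNS client should point at servers that host (or
# replicate) the AD zones; in most domains those are the DCs themselves.
$dcIPs = @($dcs.IPv4Address)
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
foreach ($ip in $clientDns) {
    if ($dcIPs -notcontains $ip) {
        Write-Warning "Step 1: DNS client uses $ip, which is not a DC of $Domain; confirm it hosts the AD zones"
    }
}

# Step 2: the zone must accept dynamic updates or DCs cannot register SRV records.
try {
    $zone = Get-DnsServerZone -Name $Domain -ComputerName $dcs[0].HostName -ErrorAction Stop
    if ($zone.DynamicUpdate -eq 'None') {
        Write-Warning "Step 2: dynamic updates are disabled on zone $Domain"
    }
} catch {
    Write-Warning "Step 2: could not read zone $Domain from $($dcs[0].HostName): $_"
}

# Step 3: the locator SRV records, and whether each target actually answers on
# the advertised port. A DC missing from _ldap._tcp.dc._msdcs needs
# 'nltest /dsregdns' (or a Netlogon restart) on that DC.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_gc._tcp.$Forest")
foreach ($name in $srvNames) {
    $srv = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) {
        Write-Warning "Step 3: no SRV records for $name"
        continue
    }
    foreach ($r in $srv) {
        $open = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $state = if ($open) { 'open' } else { 'REFUSED/FILTERED' }
        "{0,-40} {1,-35} {2,5}/tcp {3}" -f $name, $r.NameTarget, $r.Port, $state
    }
    if ($name -like '_ldap._tcp.dc._msdcs.*') {
        $registered = @($srv.NameTarget | ForEach-Object { $_.TrimEnd('.') })
        foreach ($dc in $dcs) {
            if ($registered -notcontains $dc.HostName) {
                Write-Warning "Step 3: $($dc.HostName) has no DC SRV record; run 'nltest /dsregdns' there"
            }
        }
    }
}

# Netlogon is what registers those records; a paused or stopped service is a
# common cause of 'all GCs are down' even when DNS itself is healthy.
foreach ($dc in $dcs) {
    $svc = Get-Service -Name Netlogon -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "Netlogon on $($dc.HostName) is not running (or the DC is unreachable)"
    }
}
```

On a single-DC box like the SBS above, an empty result for `_gc._tcp` together with a running Netlogon points at the zone or the DNS client settings rather than at the service.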

  • How to replicate 'memberOf' attribute to global catalog server

    Hi,
    I am trying to replicate the 'member of' attribute to the global catalog server, to get the data from a child domain where trust is enabled.
    I did a little research and found that 'isMemberOfPartialAttributeSet' should be true to get it replicated to the global catalog server.
    In the schema, I am trying to set 'isMemberOfPartialAttributeSet' to true for the "is-member-of-DL" attribute and getting an illegal modification error.
    Is there any other way I can modify it (or with the help of Microsoft)?
    OS: Windows 2003 R2 (SP2) - MSDN
    Thanks!
    Karthik
    Thanks, Karthikeyan R

    Hi Karthik,
    Based on my tests, the right way to modify attributes that replicate to the Global Catalog is:
    Open Active Directory schema snap-in.
    Then locate the attribute which you wish to modify.
    Right click on it, and select Properties.
    Tick the check box “Replicate this attribute to the Global Catalog”.
    Here is a screenshot for you:
    More references below:
    Install the Active Directory Schema snap-in
    http://technet.microsoft.com/en-us/library/cc755885(v=WS.10).aspx
    How to Modify Attributes That Replicate to the Global Catalog
    http://support.microsoft.com/kb/248717
    Best Regards,
    Amy

  • Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"

    Hi all,
    When I made the Active Directory integration with Cisco ISE, I completed this integration, but when I try to read the groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".
    My Domain has multiple sites and subnets, each contains GC for local logon. I have set ISE to the correct site and subnet. Forward and Reverse DNS are working with no error.
    Does anyone get this problem, please help.
    I have checked the ISE CLI Reference Guide 1.1.x:
    You are about to configure Active Directory settings.
    Are you sure you want to proceed? y/n [n]: y
    Parameter Name: dns.servers
    Parameter Value: 10.77.122.135
    Active Directory internal setting modification should only be performed if approved by ISE
    support. Please confirm this change has been approved y/n [n]: y
    What should I set in the Parameter Name? dns.servers or my DNS hostname?
    Please suggest for this too.
    Thanks and Regards,
    Pongsatorn M.

    Hi Pongsatorn,
    Thanks for the reply!
    I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.
    It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:
      Testing Active Directory connectivity:
        Global Catalog: pdascdc02.xyz.com
          gc:       3268/tcp - refused
      Testing Active Directory connectivity:
        Global Catalog: pdascdc02.xyz.com
          gc:       3268/tcp - refused
    For some reason, the request to the controllers on port 3268 is being refused.
    Any thoughts you might have are greatly appreciated.
    Cheers,
    Greg

  • Global catalog problem

    hello everyone
    In our company we are upgrading our DCs to Server 2012 R2. We have one DC on 2008 R2; we installed another DC on 2012 R2 and made it a GC from Sites and Services. The problem appeared when I demoted the 2008 server: I noticed that nobody in the company was able to log on to the domain. I realized that even though the global catalog check mark is checked, the server is not a global catalog; when I connect through LDAP I see isGlobalCatalogReady: false. I tried many solutions to make it a global catalog but with no success. My solution was to shut down this server and restore the 2008 server from a previous backup; now all the users can log on to the domain, but I only have one DC. I tried to add another 2012 R2 DC but DCPromo fails on the prerequisite "check verification of outbound replication failed error reading the ntds settings on replication source controller". I installed another Server 2008 R2 server, since there is no prerequisite check, but the same problem occurred: the new DC is marked as GC but it's not a GC. I checked port 3268 and I ran dcdiag, and this is the result:
    dcdiag /test:checksecurityerror
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = 2k8DC
    * Identified AD Forest.
    Done gathering initial info.
    Doing initial required tests
    Testing server: mysite\2K8DC
    Starting test: Connectivity
    ......................... 2K8DC passed test Connectivity
    Doing primary tests
    Testing server: mysite\2K8DC
    Starting test: CheckSecurityError
    The account 2K8DC is not a DC account. It cannot replicate.
    Unable to verify the machine account
    (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
    2K8DC.
    Source DC WIN-SM5GUTCII7H has possible security error (8453).
    Diagnosing...
    Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
    DC and continuing...
    * Missing SPN
    :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    * Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
    * Missing SPN :LDAP/WIN-SM5GUTCII7H
    * Missing SPN
    :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
    * Missing SPN
    :LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
    * Missing SPN
    :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    * Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
    * Missing SPN
    :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
    * Missing SPN
    :GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    Unable to verify the machine account
    (CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
    for WIN-SM5GUTCII7H on 2K8DC.
    Unable to connect to the NETLOGON share!
    (\\WIN-SM5GUTCII7H\netlogon)
    [WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
    error 67, The network name cannot be found..
    [WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
    shares. Please check the above output and take appropriate
    steps.
    Failed to read object metadata on WIN-SM5GUTCII7H, error
    Directory object not found.
    [WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
    See any errors reported in attempting tests.
    ......................... 2K8DC failed test CheckSecurityError
    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : mydomain
    Running enterprise tests on : mydomain.local
    C:\Users\Administrator>dcdiag /test:checksecurityerror
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = 2k8DC
    * Identified AD Forest.
    Done gathering initial info.
    Doing initial required tests
    Testing server: mysite\2K8DC
    Starting test: Connectivity
    ......................... 2K8DC passed test Connectivity
    Doing primary tests
    Testing server: mysite\2K8DC
    Starting test: CheckSecurityError
    The account 2K8DC is not a DC account. It cannot replicate.
    Unable to verify the machine account
    (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
    2K8DC.
    Source DC WIN-SM5GUTCII7H has possible security error (8453).
    Diagnosing...
    Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
    DC and continuing...
    * Missing SPN
    :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    * Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
    * Missing SPN :LDAP/WIN-SM5GUTCII7H
    * Missing SPN
    :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
    * Missing SPN
    :LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
    * Missing SPN
    :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    * Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
    * Missing SPN
    :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
    * Missing SPN
    :GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
    Unable to verify the machine account
    (CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
    for WIN-SM5GUTCII7H on 2K8DC.
    Unable to connect to the NETLOGON share!
    (\\WIN-SM5GUTCII7H\netlogon)
    [WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
    error 67, The network name cannot be found..
    [WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
    shares. Please check the above output and take appropriate
    steps.
    Failed to read object metadata on WIN-SM5GUTCII7H, error
    Directory object not found.
    [WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
    See any errors reported in attempting tests.
    Authoritative attribute pwdLastSet on 2K8DC (writeable)
    usnLocalChange = 5866156
    LastOriginatingDsa = 2K8DC
    usnOriginatingChange = 5866156
    timeLastOriginatingChange = 2014-08-17 08:55:52
    VersionLastOriginatingChange = 42
    Out-of-date attribute pwdLastSet on WIN-SM5GUTCII7H (writeable)
    usnLocalChange = 12868
    LastOriginatingDsa = 22a5b57a-fac4-4cfe-9fcb-c545025d3716
    usnOriginatingChange = 5830453
    timeLastOriginatingChange = 2014-08-13 15:07:23
    VersionLastOriginatingChange = 41
    Unable to verify the convergence of this machine account
    (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) on these DC's
    (DC=mydomain,DC=local,2K8DC). Does the machine account password need
    resetting?
    ......................... 2K8DC failed test CheckSecurityError
    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : mydomain
    Running enterprise tests on : mydomain.local
    Note that WIN-SM5GUTCII7H is the new DC. I renamed it to server 2008R2, but it can't be a global catalog due to the error.
    I tried to google this error, but I didn't find any solution for how to make it replicate the GC.
    Best

    In addition, I just wanted to point out that the error you are receiving below, can be indicative of some sort of firewall block. Antivirus apps can do this, too, with their network protection features.
    "check verification of outbound replication failed error reading the ntds settings on replication source controller"
    Do you have an AV on the machine, or the Windows firewall, or a third party firewall enabled?
    Run PortQRY to see if there are any ports blocked.
    PortQry GUI -
    Run the "Domains & Trusts" option between DCs, or between DCs and any machine (other servers you want to promote, or even from a client machine), that you want to test if there are any blocked AD ports. Post only errors with "NOTLISTENING," 0x00000001,
    and 0x00000002. You can ignore UDP 389 and UDP 88 messages. If you see TCP 42 errors, that just means WINS is not running on the target server.
    PortQryUI - GUI - Version 2.0 8/2/2004
    http://www.microsoft.com/download/en/details.aspx?id=24009
    Time issue?
    A time skew between DCs that is beyond 5 minutes, can cause it, too. Are the clocks on the new server and the current DCs within 5 minutes? Is the PDC emulator configured to sync time to an outside or to a local, reliable source?
    Configuring the Windows Time Service - Complete step by step with contingency plan
    http://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/
    And of course we are all assuming that the new machine is definitely only using a current DC as the only DNS address in its NIC.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
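    The port and time-skew checks this reply asks for, as an added PowerShell example (not code from the thread or from PortQry): it approximates PortQry's "Domains & Trusts" test with Test-NetConnection against the well-known AD TCP ports, reads the time offset to the target DC with w32tm /stripchart, and lists the DNS servers configured on the local NIC so you can confirm only a current DC is set. The host name in $TargetDc is a placeholder; the 5-minute limit is the Kerberos default skew mentioned above.

```powershell
# Added example (not from the thread). $TargetDc is a placeholder; replace with a real DC.
param(
    [string]$TargetDc = 'dc1.mydomain.local'   # placeholder host name, not from the page
)

# TCP ports a DC must expose for joins, replication and GC lookups.
$AdTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / NETLOGON shares)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAPS'
}

# Equivalent of reporting PortQry "NOTLISTENING" results: one row per port, Open = $false is the problem.
function Test-AdPorts {
    param([string]$ComputerName)
    foreach ($port in ($AdTcpPorts.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Service = $AdTcpPorts[$port]
            Open    = $r.TcpTestSucceeded
        }
    }
}

# Time skew: w32tm /stripchart /dataonly prints lines like "08:55:52, +00.0123456s".
# Kerberos tolerates 5 minutes by default, hence the 300-second limit.
function Test-TimeSkew {
    param([string]$ComputerName, [int]$MaxSkewSeconds = 300)
    $out  = w32tm /stripchart /computer:$ComputerName /samples:3 /dataonly 2>&1
    $last = $out | Select-String -Pattern ',\s*([+-][\d\.]+)s' | Select-Object -Last 1
    if (-not $last) {
        return [pscustomobject]@{ Target = $ComputerName; SkewSeconds = $null; WithinLimit = $false }
    }
    $skew = [double]$last.Matches[0].Groups[1].Value
    [pscustomobject]@{
        Target      = $ComputerName
        SkewSeconds = $skew
        WithinLimit = ([math]::Abs($skew) -le $MaxSkewSeconds)
    }
}

# DNS client settings of this machine: every listed address should be a current DC.
function Get-LocalDnsServers {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses
}

Test-AdPorts -ComputerName $TargetDc | Format-Table -AutoSize
Test-TimeSkew -ComputerName $TargetDc
Get-LocalDnsServers
```

    Run it from the machine you are trying to promote (or from any member) against an existing DC. A closed port here points at the host firewall or antivirus network filter the reply mentions; a skew over the limit points at the time hierarchy.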

  • OID and Active Directory(global catalog) synchronization issues

    We have a large network with 7 domains within the AD forest. The OID server profile
    points to a single domain controller/GC in 1 of these 7 domains. It is able to synchronize when a change occurred
    from this domain but not the others in the forest by querying port 3268/GC. We reloaded
    the bootstrap, which reduced the "highest committed usn" last read attribute value in
    OID, and the synch started working again with another domain but not consistently (a change in AD gets pulled into OID).
    It seems as if OID cannot read the highest committed usn value for all domains
    within one forest by querying a single global catalog domain controller in one
    domain. Any ideas on best practice to have a consistent synch from OID to all
    domains in AD?
    Message was edited by:
    marcvip

    Each AD server in the Forest will maintain his own highestCommittedHSN. The AD GC should maintain a consistent HSN but knows and keeps all the AD servers in sync. So if the GC does not maintain a consistent HSN you should contact Microsoft as well (besides this forum :-)
    regards,
    --Olaf

  • Exchange Management Shell Cannot Find Global Catalog Servers

    Hello,
    I have a client with a single Exchange 2013 RU2 multi role server.  Exchange works fine with no issues.  However, when I open EMS and try to do anything (example get-mailbox) it returns the following error.  It was working up until about a
    week ago.
    "Could not find any available Global Catalog in forest domain.com"
    I haven't tried rebooting the server yet because Exchange is running fine, it's just PowerShell is jacked up.  I have even tried Remote PowerShell from another server and same results.  Has anyone ever seen this?
    Thanks,
    John

    Can you check what your nslookup returns you? Are you able to connect to your DNS without any error?
    The above error is generally related to network connectivity issues.
    I guess you have two LAN cards on Exchange. What is the DNS on both LAN cards? I guess it should be the same.
    MARK AS USEFUL/ANSWER IF IT DID
    Thanks
    Happiness Always
    Jatin

  • Help, error connection Cisco Identity Services Engine with AD, global catalog port status error

    Dear all,
    I have Cisco Identity Services Engine, that connected to Active Directory. When I test connection detailed,
    the result is error, said:
    Test Connection Results
    This dialog shows the detailed logs for the operation for: idsv0018.
    Status: FAILED: Global Catalog port status error.
    Can anyone help?
    I believe,  because this error, I can't search group of AD, at Cisco ISE.
    FYI: the connection from Cisco ISE to AD, joined with successful result.
    Thanks,
    Jerri

    It's clear that when ISE tries to find the GC using the _gc._tcp. DNS query, it doesn't find that information on the Domain controller. The GC information is missing on the DC.
    gc._tcp.DnsForestName
    Allows a client to locate a Global Catalog (gc) server for this domain.
    Jatin Katyal
    - Do rate helpful posts -

  • A Global Catalog Server could not be located - All GC's are down server 2003 dc

    I'm all out of ideas. I have two 2003 server DCs that both fail DCDIAG with the following, and my Exchange services won't come online due to this. Please help!
    dc1-server dcdiag
          Starting test: FsmoCheck
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.
             PDC Name: \\dc1-server.silistra-bg.net
             Locator Flags: 0xe00003dd
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
             A KDC could not be located - All the KDCs are down.
             ......................... silistra-bg.net failed test FsmoCheck
    dc2-server dcdiag:
          Starting test: FsmoCheck
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.
             Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
             A Primary Domain Controller could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
             A KDC could not be located - All the KDCs are down.
             ......................... silistra-bg.net failed test FsmoCheck

    Some troubleshooting ideas:
    0. Check if the DCs can resolve each other using their DNSHostName. If not, this indicates some DNS misconfiguration
    -- you need to fix that first.
    1. Check if both DCs are pointing to the same DNS server (or DNS servers that are replicas of each
    other). Run "ipconfig /all" and check its output. If not, correct the DNS client settings and run dcdiag after some time.
    2. Check if dynamic updates are "turned on" on the DNS server.
    3. Try re-registering the DCs' SRV records by either restarting the Netlogon service or by running the following
    command:
         nltest.exe /dsregdns
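    Steps 0 to 3 above, and the _gc._tcp lookup the Cisco ISE reply earlier on this page describes, automated as an added PowerShell example (not code from either thread): it enumerates the DCs with nltest /dclist and checks that each resolves, then queries the locator SRV records that DcGetDcName depends on (GC, PDC, KDC, generic DC), reports the local DNS client settings, reads the zone's dynamic-update setting where the DnsServer module is present, and optionally re-registers this DC's records. The domain name defaults to the one in the dcdiag output; -Register is an assumed switch of this script.

```powershell
# Added example (not from the thread). Run on a DC; names are from the post or placeholders.
param(
    [string]$DomainName = 'silistra-bg.net',   # domain shown in the dcdiag output above
    [switch]$Register                          # re-run "nltest /dsregdns" when set
)

# Step 0: DCs registered in the domain, parsed from "nltest /dclist" lines such as
#   "    dc1.example.net [PDC]  [DS] Site: Default-First-Site-Name".
function Get-DomainDcNames {
    param([string]$Domain)
    (nltest /dclist:$Domain 2>&1) |
        Select-String -Pattern '^\s*(\S+)\s+\[' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function Test-DcResolution {
    param([string]$Domain)
    foreach ($dc in (Get-DomainDcNames -Domain $Domain)) {
        $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{ Dc = $dc; Resolves = [bool]$a; Address = ($a.IPAddress -join ',') }
    }
}

# Locator records behind the dcdiag warnings: GC_SERVER_REQUIRED, PDC_REQUIRED,
# KDC_REQUIRED and the generic DC lookup. The forest root zone hosts _gc._tcp.
function Test-LocatorSrvRecords {
    param([string]$Domain, [string]$Forest = $Domain)
    $records = @{
        'Global Catalog' = "_gc._tcp.$Forest"
        'PDC emulator'   = "_ldap._tcp.pdc._msdcs.$Domain"
        'KDC'            = "_kerberos._tcp.dc._msdcs.$Domain"
        'Any DC (LDAP)'  = "_ldap._tcp.dc._msdcs.$Domain"
    }
    foreach ($k in $records.Keys) {
        $srv = Resolve-DnsName -Name $records[$k] -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Role    = $k
            Record  = $records[$k]
            Found   = [bool]$srv
            Targets = ($srv.NameTarget -join ',')
        }
    }
}

# Step 1: DNS client addresses on this DC (should be itself and/or a partner DC, never an ISP resolver).
function Get-DnsClientSettings {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses
}

# Step 2: dynamic updates on the zone; needs the DnsServer module (2012+), skipped otherwise.
function Get-ZoneDynamicUpdate {
    param([string]$Domain)
    if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
        (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue).DynamicUpdate
    } else { 'DnsServer module not available on this host' }
}

Test-DcResolution -Domain $DomainName | Format-Table -AutoSize
Test-LocatorSrvRecords -Domain $DomainName | Format-Table -AutoSize
Get-DnsClientSettings
"Zone dynamic update setting: $(Get-ZoneDynamicUpdate -Domain $DomainName)"

# Step 3: re-register this DC's SRV records only when asked to.
if ($Register) { nltest /dsregdns }
```

    If _gc._tcp comes back empty while the other locator records exist, no DC in the forest is currently advertising as a GC (or the record was never registered), which is exactly the condition both the dcdiag FsmoCheck warning and the ISE "Global Catalog port status error" describe.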

  • Global Catalog Server?

    I am upgrading three domain controllers by replacing old '03 DCs with new '12 DCs. The set is a parent domain with two sub domains for child organizations. No users in the sub domains should be able to log into the other domains or see the GAL for the exchange servers in the other orgs. Each of the three has their own exchange server. The same IT team manages all three, so we want to have them in the same forest. (correct term?) Should any of the domain controllers be a Global Catalog server? That is an option when upgrading the DC server from '03 to '12. "Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog (GC) servers to access the global address list (GAL). Because a domain controller that acts as a global catalog server stores objects for all domains in the...

    CFLDAP requires a domain controller to be specified. It can't
    find the root DSE of the domain and start from there.
    The best workaround is to "know" every domain controller on
    your domain. Then, run a very simple LDAP query using the first
    domain controller. If an error occurs, then try the LDAP query with
    the second domain controller. Keep this up until you run out of
    domain controllers. If this happens, then you are in worse trouble
    because your domain will start to fall apart.
    Use CFTRY/CFCATCH to test for any LDAP errors when a domain
    controller is not responding. You can even wrap this into a simple
    CFLOOP that loops over a list of domain controllers.
    All it has to do is return a simple query that should take
    very little time to process. All you are doing is testing to make
    sure the domain controller is responding.
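    The failover loop this reply describes, as an added PowerShell example (not the poster's ColdFusion and not the page's code): it walks a list of DCs, sends the cheapest possible query (a base-scope read of rootDSE) over System.DirectoryServices.Protocols, and returns the first DC that answers. Reading rootDSE also shows the per-DC highestCommittedUSN that the OID reply earlier on this page refers to, and isGlobalCatalogReady tells you whether that DC is advertising as a GC; pass -Port 3268 to test the GC listener instead of 389. The DC names in the usage line are placeholders.

```powershell
# Added example (not from the thread). DC names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-FirstRespondingDc {
    param(
        [string[]]$DomainControllers,
        [int]$Port = 389,              # 3268 to probe the Global Catalog listener
        [int]$TimeoutSeconds = 5
    )
    foreach ($dc in $DomainControllers) {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        try {
            $conn.SessionOptions.ProtocolVersion = 3
            $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
            # rootDSE: empty base DN, base scope, anonymous-readable, trivial to serve.
            $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                '', '(objectClass=*)', 'Base',
                @('dnsHostName', 'isGlobalCatalogReady', 'highestCommittedUSN'))
            $resp = $conn.SendRequest($req)
            $e = $resp.Entries[0]
            return [pscustomobject]@{
                DomainController     = $dc
                Port                 = $Port
                DnsHostName          = $e.Attributes['dnsHostName'][0]
                IsGlobalCatalogReady = $e.Attributes['isGlobalCatalogReady'][0]
                # Each DC keeps its own USN counter; the value is only meaningful per DC.
                HighestCommittedUsn  = [int64]$e.Attributes['highestCommittedUSN'][0]
            }
        }
        catch {
            # Equivalent of CFCATCH: log and move on to the next DC in the list.
            Write-Warning "$($dc):$Port did not answer: $($_.Exception.Message)"
        }
        finally { $conn.Dispose() }
    }
    throw "No domain controller in the list responded on port $Port."
}

# Usage (placeholder names): first try the domain LDAP port, then the GC port.
$dcs = @('dc1.example.local', 'dc2.example.local', 'dc3.example.local')
Get-FirstRespondingDc -DomainControllers $dcs
Get-FirstRespondingDc -DomainControllers $dcs -Port 3268
```

    Keep the timeout short: the whole point of the loop is to fail over quickly, and a DC that accepts the TCP connection but never answers the rootDSE read is just as unusable as one that refuses the connection.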

  • AD 2008 R2 - Bringing old Global Catalog DC Back Online

    Hi all, looking for some direction to take on a Win 2008R2 domain controller server that's been off the network for a while. Here's the situation: There's an office that we have that was closed. There was a global catalog domain controller server running
    there that was also functioning as a file server. That server was powered off and put in storage until a new office location was found. It took longer than expected to find a new office location, and now we are ready to bring that server online and
    back into service. It's been 150 days since it was powered off. Our Active Directory tombstoneLifetime is set for the default value of 60 days.
    I'm hesitant to turn this server back on as I don't know what impact on our Active Directory this will have. Can anyone offer some suggestions on how I should handle this situation? I would definitely appreciate any feedback. Thanks.

    Just to reiterate. One of our GC Domain Controllers has been turned off for 150 days. It's completely operational. Can it just be connected back to the network and powered on? I'm looking to find out if it will cause any negative impact
    to our Active Directory.
    I apologize, maybe I wasn't crystal clear. No, you do not want to connect it back to the network.
    It doesn't matter if it's a GC or not. That's not the mitigating factor here. The point is it's a DC that hasn't talked to the other DCs in the time frame allowed that's dictated by the tombstone value.
    When a DC is introduced that hasn't replicated beyond the AD Tombstone period, the DC's replication attempts will effectively be ignored by the other DCs. The out of date DC doesn't really know this. The reason that replication is not allowed to continue is
    that the two machines' views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects
    which have already been deleted.
    And worse, if it held a FSMO role, it complicates things, GC or not, because there are some roles that just simply can't be re-introduced, such as the RID pool manager.
    There are ways you can possibly try to introduce it and get it replicating again; however, the consensus, even among Microsoft engineers, is simply to force-demote it (using the /forceremoval switch), or just turn it off, rebuild it, run a metadata cleanup
    and re-promote it as a fresh replica.
    More info:
    Active Directory Lingering Objects, Journal Wraps, USN Rollbacks, Tombstone Lifetime, and Event IDs 13568, 13508, 1388, 1988, 2042, 2023, 2095, 1113, 1115, 2103, and more …
    http://blogs.msmvps.com/acefekay/2011/12/27/active-directory-lingering-objects-journal-wraps-tombstone-lifetime-and-event-ids-13568-13508-1388-1988-2042-2023/
    Or you could try to fix it:
    Event ID 2042: It has been too long since this machine replicated
    http://technet.microsoft.com/en-us/library/cc757610(v=ws.10).aspx
    In summary, as I've suggested, it's much easier to trash it, cleanup AD, rebuild and re-promote.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • AD Global Catalog

    Hi All,
    Has anyone experience with consuming global catalog using the latest OIM AD Connector (forest support)? If so, are there any special considerations to be taken care of for implementing this?
    Thanks in advance.


  • Global Catalog and Searching Child Domains

    Hi Everyone,
    I'm attempting to sync events from a parent domain and I want to include all child domains as well. The forest contains a parent domain with 2 child domains. In my adapter I have the following configuration specified:
    Container: DC=parent,DC=company,DC=com
    Search Filter: DC=parent,DC=company,DC=com
    Search Child Domain: Checked
    Global Catalog: DC1.parent.company.com (Domain Controller of the parent domain is configured as Global Catalog)
    When I attempt to sync domains from the child domain I receive the following error:
    dn attribute not found in search result
    Does anyone have insight into what might be occurring? I can query the GC and can retrieve the events with no problem from other tools, but IDM seems to always have an error for these child domain events. All comments or suggestions welcome. Thanks

    This is the actual error from the AS log if that helps:
    2009-10-09T13:26:13.840-0500: com.waveset.util.WavesetException: Unable to find dn attribute for object returned from search.
         at com.waveset.adapter.AgentResourceAdapter.loadUsersFromResponse(AgentResourceAdapter.java:573)
         at com.waveset.adapter.AgentResourceAdapter$AgentAccountSupplier.call(AgentResourceAdapter.java:2937)
         at com.waveset.util.BufferedSupplier.getNextBlock(BufferedSupplier.java:70)
         at com.waveset.util.BufferedSupplier.run(BufferedSupplier.java:86)
         at java.lang.Thread.run(Thread.java:619)

  • Global Catalog and IFM files

    What is the difference between when you "Install Domain Controller as a Global Catalog or without a Global Catalog"?

    When the first domain controller is installed on the network, by default it becomes the global catalog server; when you install additional domain controllers, you have to manually designate them as global catalog servers if you want that.
    The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
    http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx
    http://www.arabitpro.com
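    The difference between a domain search and a global catalog search that this answer describes, as an added PowerShell example (not code from the thread): the same subtree search is run once over LDAP:// (port 389, the domain naming context only, referrals to child domains left unfollowed) and once over GC:// (port 3268, the forest-wide partial replica, no referrals), and the results are grouped by naming context so you can see which domains each protocol actually returned. Server and search-base values are placeholders in the shape of the "Global Catalog and Searching Child Domains" thread above; the grouping helper is an assumption of this script.

```powershell
# Added example (not from the thread). Server and base DN are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Search-Users {
    param(
        [ValidateSet('LDAP', 'GC')][string]$Protocol,
        [string]$Server,       # e.g. 'DC1.parent.company.com' (placeholder)
        [string]$SearchBase,   # e.g. 'DC=parent,DC=company,DC=com' (placeholder)
        [string]$Filter = '(&(objectCategory=person)(objectClass=user))'
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry("$($Protocol)://$Server/$SearchBase")
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $s.SearchScope = 'Subtree'
    $s.PageSize = 500
    # Do not chase referrals: this makes the 389 search show only the local domain,
    # which is the behaviour the answer contrasts with the referral-free GC search.
    $s.ReferralChasing = 'None'
    [void]$s.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'mail'))
    try {
        foreach ($r in $s.FindAll()) {
            [pscustomobject]@{
                Protocol = $Protocol
                Dn       = $r.Properties['distinguishedname'][0]
                Sam      = $r.Properties['samaccountname'][0]
                # 'mail' is part of the partial attribute set, so the GC returns it too;
                # attributes outside that set come back only from LDAP:// on the owning domain.
                Mail     = if ($r.Properties.Contains('mail')) { $r.Properties['mail'][0] } else { $null }
            }
        }
    }
    finally { $s.Dispose(); $root.Dispose() }
}

# Group results by the DC=... portion of the DN, i.e. by domain naming context.
function Get-DomainCoverage {
    param([object[]]$Results)
    $Results |
        Group-Object { ($_.Dn -split ',(?=DC=)', 2)[1] } |
        Select-Object Name, Count
}

# Usage (placeholders): compare what each protocol returns from the forest root.
$server = 'DC1.parent.company.com'
$base   = 'DC=parent,DC=company,DC=com'
$ldap = Search-Users -Protocol LDAP -Server $server -SearchBase $base
$gc   = Search-Users -Protocol GC   -Server $server -SearchBase $base
"LDAP (389) coverage:"; Get-DomainCoverage -Results $ldap
"GC (3268) coverage:";  Get-DomainCoverage -Results $gc
```

    With child domains in the forest, the LDAP:// run lists only the parent naming context, while the GC:// run also lists each child domain, without a second connection to a child DC. If the GC run is missing an attribute you need, that attribute is not in the partial attribute set and must be read from a DC of the owning domain.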
