Migrating to all 2012R2 Domain Controllers
Hello All,
I am in an environment where we have multiple sites, each with its own domain controller. Each is set up with several roles, which include domain controller, DNS server, and DHCP server. We want to replace each domain controller, including the primary domain controller which runs the FSMO roles, with new machines running Server 2012R2. I have been reading a lot about the migration tool, which seems pretty straightforward. My question is what would be the best way to perform such an undertaking? I was thinking promote a new server to a DC one at a time and migrate from the old one at the site to the new one. Any advice for a newbie?
Thanks,
Dylan
Hi Dylan,
In addition to Milos's information, here are links for migrating roles to Server 2012 R2.
1. Migrate Roles and Features to Windows Server 2012 R2
2. Migrating the Server 2008 R2 FSMO DC to a Server 2012 R2 DC
Hope it helps!
Thanks.
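The promote-one-site-at-a-time approach Dylan describes, written out as the PowerShell and command-line steps it takes, is added here as an example; it is not from the thread or the linked articles. The domain, site and server names are placeholders, and it assumes the forest schema has already been prepared for 2012 R2 (adprep runs automatically during promotion when done by an Enterprise Admin).

```powershell
# Run on the new Windows Server 2012 R2 member server, as a Domain/Enterprise Admin.
# Domain, site and server names below are placeholders for this example.
$domain = 'corp.example.com'
$newDc  = 'DC-SITE1-NEW'
$oldDc  = 'DC-SITE1-OLD'
$site   = 'Site1'

# 1. Add the AD DS binaries and promote as an additional DC with DNS in the right site.
#    (Install-ADDSDomainController prompts for the DSRM password and reboots when done.)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $domain -SiteName $site -InstallDns `
    -Credential (Get-Credential "$domain\Administrator")

# 2. After the reboot, prove the new DC replicates and advertises before touching the old one.
repadmin /showrepl $newDc
dcdiag /s:$newDc /test:replications /test:advertising /test:fsmocheck

# 3. Only where the old DC holds FSMO roles, transfer them (a transfer, not a seizure,
#    because the old DC is still online and healthy).
Import-Module ActiveDirectory
$forest = Get-ADForest
$dom    = Get-ADDomain
$roles  = @()
if ($forest.SchemaMaster       -like "$oldDc*") { $roles += 'SchemaMaster' }
if ($forest.DomainNamingMaster -like "$oldDc*") { $roles += 'DomainNamingMaster' }
if ($dom.PDCEmulator           -like "$oldDc*") { $roles += 'PDCEmulator' }
if ($dom.RIDMaster             -like "$oldDc*") { $roles += 'RIDMaster' }
if ($dom.InfrastructureMaster  -like "$oldDc*") { $roles += 'InfrastructureMaster' }
if ($roles) {
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false
}

# 4. Confirm role ownership and replication health; only then demote the old DC
#    (dcpromo on 2008 R2, Uninstall-ADDSDomainController on 2012 R2).
netdom query fsmo
repadmin /replsummary
```

Repeat per site; the DHCP scopes and DNS zones on each old DC are migrated separately with the migration tools in the first link.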
Similar Messages
-
Fetch client IP addresses from the Netlogon.log file of all domain controllers in the domain
Hi,
The event ID 5807 is logged in the system logs of domain controllers, as a result of which the IP addresses for the missing subnets are logged in Netlogon.log under %systemroot%\debug. The end goal is to fetch the IP addresses, along with the rest of the respective attributes, from the Netlogon.log of all the domain controllers in the domain. I have the following script; however, it gives me a 0KB file despite the fact that the Netlogon.log on the DC contains ample entries from the last two months.
function GetDomainControllers {
    $DCs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() |
        ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }
    return $DCs
}

function GetNetLogonFile ($server) {
    $path = '\\' + $server + '\c$\windows\debug\netlogon.log'
    try { $netlogon = Get-Content -Path $path -ErrorAction Stop }
    catch { Write-Warning "Can't open $path"; return @() }
    # reverse the array's order so the newest entries (end of file) come first
    [array]::Reverse($netlogon)
    $IPs = @()
    foreach ($line in $netlogon) {
        # split the line into pieces using a space as the delimiter
        $splitline = $line.Split(' ')
        # get the date stamp, which is in the mm/dd format; skip lines that do not start with one
        $logdate = $splitline[0]
        if ($splitline.Count -lt 5 -or $logdate -notmatch '^\d{2}/\d{2}$') { continue }
        # split the date
        $logdatesplit = $logdate.Split('/')
        [int]$logmonth = $logdatesplit[0]
        # last month and this month ($thismonth/$lastmonth are set in the script scope below)
        if (($logmonth -eq $thismonth) -or ($logmonth -eq $lastmonth)) {
            # only push it into the array if the field matches an IP address format.
            # A NO_CLIENT_SITE line looks like "04/14 01:18:45 NO_CLIENT_SITE: ServerX 10.x.x.x"
            # (see the output later in this thread), so the computer name is field 3 and the IP is field 4
            if ($splitline[4] -match '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b') {
                $objuser = New-Object System.Object
                $objuser | Add-Member -Type NoteProperty -Name IPaddress -Value $splitline[4]
                $objuser | Add-Member -Type NoteProperty -Name Computername -Value $splitline[3]
                $objuser | Add-Member -Type NoteProperty -Name Server -Value $server
                $objuser | Add-Member -Type NoteProperty -Name Date -Value $splitline[0]
                $objuser | Add-Member -Type NoteProperty -Name Time -Value $splitline[1]
                $IPs += $objuser
            }
        } else {
            # break out of the loop once the (reversed) file reaches dates older than last month
            break
        }
    }
    return $IPs
}

# get last month's date
$thismonth = (Get-Date).Month
$lastmonth = ((Get-Date).AddMonths(-1)).Month
# get all the domain controllers
$DomainControllers = GetDomainControllers
# get the Netlogon.log from each DC
$allIPs = @()
foreach ($DomainController in $DomainControllers) {
    $IPsFromDC = GetNetLogonFile $DomainController
    $allIPs += $IPsFromDC
}
$allIPs | Sort-Object -Property IPaddress -Unique | Export-Csv "E:\bin\NetlogonIPs.csv" -NoTypeInformation
PLEASE HELP!!
Hi jrv,
Thanks a lot for your help.
I understand you cannot keep on iterating the code for me. However, I am stuck at this error :-
ERROR : Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime."
After the following code finishes executing, I get the following output :-
$csv=cat c:\windows\debug\netlogon.log |
%{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}|
ConvertFrom-Csv -Delimiter '|' -header time,message
time           message
----           -------
04/14 01:18:45 NO_CLIENT_SITE: ServerX 10.x.x.x
04/14 01:17:45 NO_CLIENT_SITE: ServerY 10.x.x.x
04/14 01:17:44 NO_CLIENT_SITE: ServerY 10.x.x.x
04/14 01:17:43 NO_CLIENT_SITE: ServerX 10.x.x.x
However, I get the above mentioned error at the following line :-
$csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
I would later want to run the query just for logs from past day.
Entire code is as follows :-
function GetDomainControllers {
    $DCs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() |
        ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }
    return $DCs
}

function GetNetLogonFile ($server) {
    $path = 'C:\Test\netlogon.log'
    try { $netlogon = Get-Content -Path $path -ErrorAction Stop }
    catch { Write-Warning "Can't open $path"; return }
    # reverse the array's order to the end of the file
    [array]::Reverse($netlogon)
    # split each line into a time field (first 14 characters) and the rest of the message
    $csv = $netlogon |
        Where-Object { $_.Length -gt 15 } |
        ForEach-Object { '{0}|{1}' -f $_.SubString(0,14), $_.SubString(15, $_.Length - 15) } |
        ConvertFrom-Csv -Delimiter '|' -Header time,message
    # "04/14 01:18:45" becomes "04/14/2015 01:18:45"; parse it with an explicit month/day format and the
    # invariant culture, because [datetime]::Parse uses the machine's culture (a dd/MM locale rejects 04/14)
    $csv | ForEach-Object {
        $_.time = [datetime]::ParseExact(($_.time -replace ' ', '/2015 '), 'MM/dd/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
    }
    $csv | Out-GridView
    return $csv
}

# get all the domain controllers
$DomainControllers = GetDomainControllers
# get the Netlogon.log from each DC
foreach ($DomainController in $DomainControllers) {
    GetNetLogonFile $DomainController
}
Please help!! Any help will be highly appreciated. -
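A parser for the NO_CLIENT_SITE lines that also covers the "just the past day" case asked for above, added here as an example and not taken from the thread. It infers the missing year (a stamp that would fall in the future belongs to the previous year), parses with a fixed format so the machine's date culture cannot break it, and tolerates the bracketed tags some Netlogon versions add before NO_CLIENT_SITE. The sample lines, the DC name and the paths are constructed placeholders.

```powershell
# Added example: parse NO_CLIENT_SITE entries and keep only those from the last N days.
function ConvertTo-NetlogonDate {
    param([string]$Stamp, [datetime]$Now = (Get-Date))
    # $Stamp looks like "04/14 01:18:45" (no year); use the invariant culture so dd/MM locales do not break it
    try {
        $candidate = [datetime]::ParseExact("$($Now.Year)/$Stamp", 'yyyy/MM/dd HH:mm:ss', [cultureinfo]::InvariantCulture)
    } catch { return $null }   # e.g. "02/29" in a non-leap year
    if ($candidate -gt $Now) { $candidate = $candidate.AddYears(-1) }   # stamp written last year
    return $candidate
}

function Get-NoClientSiteEntries {
    param([string[]]$Lines, [string]$Server, [int]$Days = 1, [datetime]$Now = (Get-Date))
    $cutoff = $Now.AddDays(-$Days)
    # "MM/dd HH:mm:ss [optional tags] NO_CLIENT_SITE: <computer> <ip>"
    $pattern = '^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?:\[\w+\] )*NO_CLIENT_SITE: (\S+) (\d{1,3}(?:\.\d{1,3}){3})'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $when = ConvertTo-NetlogonDate -Stamp $Matches[1] -Now $Now
            if ($when -and $when -ge $cutoff) {
                [pscustomobject]@{
                    Server = $Server; Computername = $Matches[2]; IPaddress = $Matches[3]; Time = $when
                }
            }
        }
    }
}

# Constructed sample; in real use: Get-Content "\\$dc\c$\windows\debug\netlogon.log"
$sample = @(
    '04/14 01:18:45 NO_CLIENT_SITE: ServerX 10.20.30.40',
    '04/14 01:17:45 [MISC] [4812] NO_CLIENT_SITE: ServerY 10.20.30.41',
    '03/01 09:00:00 NO_CLIENT_SITE: ServerZ 10.20.31.7',
    '04/14 01:17:44 [LOGON] Some other Netlogon line that must be ignored'
)
$now    = Get-Date -Year 2015 -Month 4 -Day 14 -Hour 12 -Minute 0 -Second 0
$recent = Get-NoClientSiteEntries -Lines $sample -Server 'DC01' -Days 1 -Now $now
$recent | Sort-Object IPaddress -Unique | Format-Table -AutoSize
# ServerZ (03/01) falls outside the window; ServerX and ServerY are kept.

# Across every DC for the last day (placeholder path), then one CSV of unique client IPs:
# $all = foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
#     Get-NoClientSiteEntries -Lines (Get-Content "\\$dc\c$\windows\debug\netlogon.log") -Server $dc -Days 1
# }
# $all | Sort-Object IPaddress -Unique | Export-Csv .\NetlogonIPs.csv -NoTypeInformation
```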
UnLock Ad user from all Domain controllers
We have 13 domain controllers in 5 Active Directory sites. Unlock status is not updating on all DCs immediately. Please help me to unlock the AD user from all the domain controllers.
Below is the script to unlock Ad account from one domain controller:
Clear-Host
Import-Module ActiveDirectory
$luser = Read-Host "Input the name (Last name, First name) of the locked user"
# -Identity only accepts a SAM account name, DN, GUID or SID, so look the user up by display name
$user = Get-ADUser -Filter "Name -eq '$luser'" -Properties LockedOut -Server DC10
if ($user.LockedOut -eq $True) {
    $null = $user | Unlock-ADAccount -Server DC10
    # -NewPassword needs a SecureString; note this resets every account to the same fixed value
    $null = $user | Set-ADAccountPassword -Server DC10 -Reset -NewPassword (ConvertTo-SecureString "password" -AsPlainText -Force)
    Write-Host "Account unlocked and password reset"
}
if ($user.LockedOut -eq $false) {
    Write-Host "Account is not locked"
}
Raj
We have remote site users who are facing problems.
Our L1 agents will unlock the user ID in the primary site; replication is taking time to replicate to the remote DC.
So we need a script to unlock the user ID on all DCs.
Raj
Replication of unlocks is faster than you can do it in script. It is pushed immediately. It does not wait for replication. If this is not happening then you need to find the problem and fix it.
You need to fix your problem. A script will not fix it.
IF you insist on doing it manually then just run the script one time for each DC.
If you still do not know what to do you must contact a consultant or your network vendor and have them assist you with this. We are not a custom solution provider or a free script writing forum. Doing this would keep you from fixing a problem which could lead to other bad things. Please take the time to take the correct technical steps.
One thing that might help is to NOT select a DC for the reset. The DC you are selecting is probably not replicating. Let Windows choose a DC for you.
You must run diagnostics on your network to find out what is happening. Contact your network administrator to do this. If you do not have a trained network administrator then please contact a consultant or your vendor.
¯\_(ツ)_/¯ -
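A read-only check that follows the advice in this reply, added here as an example rather than taken from the thread: it asks every DC for the account's lockout state, so the DC that still reports the account locked after the L1 unlock (and therefore is not receiving the urgent replication) stands out. The account name is a placeholder.

```powershell
# Added example: report a user's lockout state as each DC sees it.
Import-Module ActiveDirectory

function Get-LockoutStateByDC {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties LockedOut, lockoutTime, badPwdCount, badPasswordTime -ErrorAction Stop
            # lockoutTime/badPasswordTime are FILETIME values; 0 means "not locked" on that DC
            $lockTime = if ($u.lockoutTime)     { [datetime]::FromFileTime($u.lockoutTime) }     else { $null }
            $badTime  = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) } else { $null }
            [pscustomobject]@{
                DC = $dc.HostName; Site = $dc.Site; LockedOut = $u.LockedOut
                LockoutTime = $lockTime; BadPwdCount = $u.badPwdCount; BadPwdTime = $badTime; Error = ''
            }
        } catch {
            # a DC that cannot be queried is itself a finding, not something to skip silently
            [pscustomobject]@{
                DC = $dc.HostName; Site = $dc.Site; LockedOut = $null
                LockoutTime = $null; BadPwdCount = $null; BadPwdTime = $null; Error = $_.Exception.Message
            }
        }
    }
}

# 'jdoe' is a placeholder account name
$state = Get-LockoutStateByDC -SamAccountName 'jdoe'
$state | Format-Table -AutoSize
# DCs still reporting the lock (or unreachable) after the unlock point at the replication problem:
$state | Where-Object { $_.LockedOut -eq $true -or $_.Error } | ForEach-Object {
    Write-Warning ("{0} ({1}) still reports LockedOut={2} {3}" -f $_.DC, $_.Site, $_.LockedOut, $_.Error)
}
```

For a DC flagged this way, `repadmin /showrepl <thatDC>` and `repadmin /replsummary` show whether its inbound link from the PDC emulator is failing.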
Our environment has both 2008R2 and 2012R2 domain controllers. Recently one of our Domain Admins started having problems logging on to all servers by Remote Desktop, except for domain controllers. The error message is as follows:
"To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually"
All the other Domain Admin accounts do not have this problem. Suggested solutions recommend checking local policies on the individual servers; however, I feel that is not right. Also, there are many servers, hence doing that on each member server would be cumbersome. There must be a solution that requires a single action for all servers and also does not involve creating a new account. The account was recently used to implement a Windows 2012R2 WSUS server and, besides the DCs, it is the only other server the account can remote into. This is strange. Help please.
Hi,
Did that user have permission for remoting before?
To start with, there are two types of user rights; Logon rights & Privileges. In simpler terms these are:
1) Remote Logon: rights to machine
2) Logon: privileges for access to the RDP-TCP Listener
The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy. This is under
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Also check RDP-TCP listener properties. More information.
“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Dfs R Service Stopping before backup on Domain Controllers
Hi,
I have a weird issue where the DFS replication service is stopping when a DC backup starts.
Setup: Forest with 5 child domains. Only one of the domains is having a problem. This domain has DCs in the US and UK. All four DCs experience the same issue. All DCs are Server 2008 R2. DFSR is used for AD replication.
Issue: DFS replication service stops when a backup starts.
The DFS Replication service is stopping communication with partner P1USDC01 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
Additional Information:
Error: 9036 (Paused for backup or restore)
About 30 minutes later when the backup completed, DFS replication resumes.
As mentioned this happens to all 4 domain controllers in the domains, but no other domains are affected. AD replication stops during this time.
Every time this happens the AD DB is rebuilt.
lsass (548) A database location change was detected from 'D:\Active Directory\Windows\NTDS\DB\ntds.dit' to '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy168\Active Directory\Windows\NTDS\DB\ntds.dit'.
I think this is more due to the VSS provider than an issue with the DB.
Some 'Googling/Binging' shows that that error can be ignored as it resumes after. But I'm not so sure. Why are my other domains not affected? They use the same backup procedure, same hardware, same OS, same patch revision (always 3 months behind current release).
Any suggestions would be great!
You can ignore it as long as it restarts. You can also create a scheduled task that will check the service and start it if it is not running.
I would recommend starting by installing latest Windows Updates (Especially those ones: http://support.microsoft.com/kb/968429) and make sure that your backup solution is up-to-date too.
If none of that helped then I would recommend contacting your backup solution developer's technical support for assistance.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Monitor Sysvol and netlogon Share availability on domain controllers
I need to monitor availability of sysvol and Netlogon shares on all our domain controllers around 20 in all.
What is the best way for us to do that.
I have seen scripts that monitor share availability but that would mean i create 40 such 2 times script monitors , that is too much of manual work..
Any advice?
I looked into the discovered inventory (SysVol for Windows 2008); I see all the objects.
But the path shows as dc01.domain.com\dc01\sysvol
However we never get notified when the sysvol share is inaccessible.
We have had a number of cases when the DC is online but somehow we cant access the sysvol share
We need a monitor to alert us in such a case;
I modified our script to include %computername% and targeted it to the all DCs group:
Dim oAPI, oBag, objFSO, objShell, strFile
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
' %computername% is not expanded inside a VBScript string literal, so expand it explicitly;
' otherwise the literal path "\\%computername%\sysvol\" is tested and never exists
strFile = objShell.ExpandEnvironmentStrings("\\%computername%\sysvol\")
If objFSO.FolderExists(strFile) Then
    Call oBag.AddValue("Status","Exist")
Else
    Call oBag.AddValue("Status","NotExist")
End If
Call oAPI.Return(oBag)
However, the monitor alerted critical immediately.
How should the monitor be set up?
I thought if I put \\%computername%\sysvol\ in the script and sent it to the all DCs group then it would start monitoring as \\dc01\sysvol etc. -
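A PowerShell version of the same check, added here as an example (not the poster's script or a SCOM module): it builds the path from the DC list instead of from a literal %computername% string, which VBScript never expands, and it tests both SYSVOL and NETLOGON on every DC so one scheduled run replaces the 40 per-share monitors mentioned above. Share names and the DC list come from the domain; nothing else is assumed.

```powershell
# Added example: verify SYSVOL and NETLOGON are reachable on every DC; returns one object per DC/share.
Import-Module ActiveDirectory

function Test-DcShares {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [string[]]$Share = @('SYSVOL', 'NETLOGON')
    )
    foreach ($dc in $DomainController) {
        foreach ($s in $Share) {
            $path = "\\$dc\$s"
            $ok = $false; $detail = ''
            try {
                # Test-Path can report $true for a share that then fails on access,
                # so actually enumerate it (an empty share enumerates fine, without error)
                $null = Get-ChildItem -LiteralPath $path -ErrorAction Stop
                $ok = $true
            } catch { $detail = $_.Exception.Message }
            [pscustomobject]@{ DC = $dc; Share = $s; Path = $path; Reachable = $ok; Detail = $detail }
        }
    }
}

$results = Test-DcShares
$results | Format-Table -AutoSize

# Alert condition for a scheduled task or a monitoring script wrapper:
$failed = $results | Where-Object { -not $_.Reachable }
if ($failed) {
    Write-Warning ("Unreachable DC shares: " + (($failed | ForEach-Object { $_.Path }) -join ', '))
    exit 1
}
```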
Windows 2008 (Not R2) Domain controllers Kerberos Errors
We know the replication of the AD structure is working using repadmin /showREPL *
Which I ran again this morning and all is fine.
All 3 Domain Controllers are having Kerberos errors ?
I tried to reset the Kerberos key but the problem still persists.
This is exactly what I tried yesterday is there something I'm doing wrong ?
We have 3 Domain controllers
ch-dc1-2k8 (PDC)
ch-dc2-2k8
na-dc1-2k8
1) I stopped the Kerberos Key Distribution Center service on all 3 servers and set them to manual
2) I restarted ch-dc2-2k8 and na-dc1-2k8
3) Then I did the KLIST PURGE on ch-dc2-2k8 and na-dc1-2k8
4) Then on ch-dc1-2k8 (PDC) I did the
netdom resetpwd /s:ch-dc1-2k8 /ud:companyname\administrator /pd:*
5) Set Kerberos Key Distribution Center service to Automatic on ch-dc1-2k8 (PDC)
6) Restarted ch-dc1-2k8 (PDC)
7) After it restarted I logged in and let it settle for 5 Minutes
8) Then I started the kerberos service on ch-dc2-2k8 and na-dc1-2k8
Am I missing something?
Hi,
I think I have already answered this in a separate case you have raised in the forum. -
Setting up Time Sync when all domain controllers are virtual machines?
We have 2 existing server 2008 domain controllers on 2008 Hyper-V. We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
PDC role DC is on one of the DCs in the original site.
How should time syncing be set?
From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
What happens with this process during a PDC reboot, or if that PDC role domain controller becomes unavailable for any other reason? Does one of the other DCs then take over the role of domain time source, even though they don't have access to the external time source?
Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain (since they should also be getting their time from a domain controller), or only turn off the Hyper-V time sync for the domain controllers alone?
We have 2 existing server 2008 domain controllers on 2008 Hyper-V. We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
PDC role DC is on one of the DCs in the original site.
How should time syncing be set?
Simply make sure that time sync is disabled on your Hyper-V VM. For time configuration in AD domain, I have documented that here: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
They don't take over the role of PDC. The downtime of your PDC should not take a long time. That is why it is important to regularly monitor the health status of your DCs using SCOM or third party tools. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html. The solution also allows you to track changes in your AD domain.
Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain
(since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?
I would recommend turning off the Hyper-V time sync on all your Hyper-V VMs that are domain-joined.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
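The hierarchy described in this reply (Hyper-V sync off, PDC emulator to an external source, every other DC to the domain hierarchy), written out as the commands that configure and verify it, is added here as an example and is not from the thread or the linked wiki article. VM names and the NTP peers are placeholders.

```powershell
# Added example: time configuration for an all-virtual DC set. Run each section where indicated.

# --- On each Hyper-V host: stop the hypervisor pushing its clock into domain-joined guests.
# ('DC*' and 'MEMBER*' are placeholder VM naming patterns; Hyper-V module.)
Get-VM | Where-Object { $_.Name -like 'DC*' -or $_.Name -like 'MEMBER*' } | ForEach-Object {
    Disable-VMIntegrationService -VMName $_.Name -Name 'Time Synchronization'
}

# --- On the PDC emulator only: take time from external sources and advertise as reliable.
# 0x8 = client mode (send requests, never act as a symmetric peer). Peer names are placeholders.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# --- On every other DC (including the new 2012 R2 one): follow the domain hierarchy.
# This is what they fall back to while the PDC is down: they keep their own clock and
# re-discover a source when the PDC returns; no DC "takes over" the external peers.
w32tm /config /syncfromflags:domhier /reliable:no /update
Restart-Service w32time
w32tm /resync /rediscover

# --- Verification on any machine: the source should be the PDC (or the external peers on the PDC itself),
# and stratum/offset across all DCs should be consistent.
w32tm /query /source
w32tm /query /status
w32tm /monitor
```

If the PDC emulator role is later moved, repeat the PDC section on the new holder and the domhier section on the old one.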
Help with Powershell script to gather eventlogs from all Domain Controllers
I am trying to write a script to grab the last 5 days of application, security and system logs from all domain controllers. The script runs but only pulls the logs from the local server. The $Computer variable has all of my DCs so it is querying fine. I assume it is an issue with my ForEach-Object line but it doesn't error out. See the script below.
$log = "Application"
$date = get-date -format MM-dd-yyyy
$now = get-date
$subtractDays = New-Object System.TimeSpan 5,0,0,0,0
$then = $Now.Subtract($subtractDays)
$Computers = Get-ADDomainController -filter *
ForEach-Object -InputObject $Computers -Process {Get-EventLog -LogName $log -After $then -Before $now -EntryType Error | select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File $env:TEMP\Applicationlog.htm}
Invoke-Expression $env:TEMP\Applicationlog.htm
Thanks,
Rich
Also, you're missing the -ComputerName parameter in the Get-EventLog Cmdlet.
I would re-write the loop part of the script like this:
$log = "Application"
$date = get-date -format MM-dd-yyyy
$now = get-date
$subtractDays = New-Object System.TimeSpan 5,0,0,0,0
$then = $Now.Subtract($subtractDays)
$Computers = Get-ADDomainController -filter *
foreach ($Computer in $computers) {
    # pass the DC's host name, not the whole ADDomainController object
    Get-EventLog -ComputerName $Computer.HostName -LogName $log -After $then -Before $now -EntryType Error |
        select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File .\Applicationlog.htm -append
}
Invoke-Expression .\Applicationlog.htm
Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable) -
Migrating users from one domain to another(Interforest)
Scenario- Two Domains A & B in two different forests.
A - holds exchange server in DMZ and 2 domain controllers in A used by exchange also in DMZ
B holds all users and computers and 2 Domain controllers used for authentication .
Now I want to migrate all users and computers in B domain to A domain using ADMT
My question here is
1. Can I use the DCs used by exchange to authenticate if I migrate users and computers from B to A.
2. If not, what is the workaround here? I want to build an action plan on this.
After the migration users will be in Domain A. Authentication will happen locally in Domain A using Domain A DCs. Make sure you have the correct DNS server (DNS from domain A) for these workstations.
Santhosh Sivarajan | Houston, TX | www.sivarajan.com
ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
This posting is provided AS IS with no warranties, and confers no rights. -
Windows 2012 R2 default domain controllers policy set to enforced
Hi Guys,
So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running OK. I had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using group policy. When I migrated, the old policy settings seemed to have come across and things seem to be still locked down OK in relation to certain OUs. I run a network at our local college, so I have a student container which applies a lock-down policy. All these GPOs were previously set up by someone else.
I set up a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that the Default Domain Controllers Policy has been set to enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced, but I'm wary of disabling this setting. The students return on Monday so I don't want to mess it up at this stage.
One thing that I did find odd is when I first opened up the GPOs, I was prompted with a message which stated that the policies in the SYSVOL folder were not consistent with the ones in AD, so I followed its recommendation to update.
Any advice you guys have on this would be greatly appreciated.
David
> So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
> and so far everything is running ok.
This does NOT touch any GPOs, so your GPOs are not "migrated" or
something like that - they are still what they were before.
> enforced on my newly migrated domain. At home on my test server i see it
> is not enforced by default and am wondering why this is?
"A severe misunderstanding of how group policy inheritance and link order
works" is the closest reason I see for this. The DDCP is linked to
"Domain Controllers", and as long as you do not create subordinate OUs
there (which I've never seen) and block inheritance on them, there's no
reason to enforce.
To add my experience from the field: When I see enforced GPOs, in most
cases this enforcement is not required. People simply use it because
they do not understand "link order".
> One thing that i did find odd is when i first opened up the GPO's, i was
> prompted with a message which stated that the policies in the sysvol
> folder where not consistent with the ones in AD so i followed its
> recommendation to update.
That's fairly ok and nothing to hassle about.
Martin
Time to read a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Hi Folks,
I'd like to know the best way to edit the Exchange Server 2007 In-Site entries and remove the entries from Out-Of-Site safely, without causing any downtime or problems with the workstations.
From the MSExchange ADAccess Event ID 2080, I can see that the domain controllers currently used by the Exchange servers are all on the In-Site list, which I need to decommission due to an office building migration and downsizing; the workstations remain in the same building, only the servers must go.
Current configuration:
Exchange Servers AD Site: HQ1 (for all roles)
Workstations AD Site: HQ1
Proposed configuration:
Exchange Servers AD Site: Prod-DC1 (for all roles)
Workstations AD Site: HQ1
Thanks.
/* Server Support Specialist */
Hi,
Steve's clarification is right.
From your description, you want to change the DC used by Exchange server. If I have misunderstood your concern, please let me know.
Please make sure the following things before setting the DC for Exchange:
1. New DC has its own IP in its TCP/IP as primary DNS server.
2. New DC is global catalog.
3. New DC has correct DNS settings in the MSDC folder.
4. Restart the Exchange active directory topology discovery service and watch the event viewer, there should be an event that discover both domain controllers. If this happens, then turn off the old DC.
Besides, topology information will remain in the system attendant service for 15 min, so the time to switch to the new one is about 15 minutes.
Hope my clarification is helpful.
Best regards,
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Amy Wang
TechNet Community Support
Amy,
The Exchange Server has been rebooted a couple of times, but yes, all of the In-Site AD servers have not been rebooted yet.
So in this case do you suggest that I demote the old DC and turn off all of the In-Site DCs/GCs first, and then reboot the Exchange Server afterwards, one by one?
/* Server Support Specialist */ -
I need to find domain controllers that have been removed but never demoted.
Here's the story...
I came on as an Active Directory administrator for an organization which has 600+ domain controllers, most running Server 2003, but I have some Server 2008 R2. Throughout all this time the organization has had DCs that have stopped working, crashed or failed for some reason, and all the IT department has done is create another domain controller, name it the same thing with an (A) or (B) appended to the name, and then never remove any of the failed controllers from the directory.
Thing is, this has been going on for quite some time; I don't know for sure how long, as I am still trying to clean up DNS replication problems and have been having to go around and reset machine passwords for the forest. What I need to be able to do is script something that will return all the failed DCs so that I can go into the directory and use NTDSUTIL to clean the machines. I don't want to go into the directory and remove a machine that's still out there. No one in the organization has a list or record of failed machines.
You can see this may be a gargantuan task, but I need to be able to make it easier on myself by finding the machines first and cleaning out DNS, cleaning the DCs out of the "Sites" and cleaning them out of the directory.
Appreciate any help I can get...
Hi,
Thanks for posting in the forum.
Regarding your question, maybe we should remove these orphaned DCs from AD; please refer to the following articles to perform the cleanup task.
How to remove completely orphaned Domain Controller
http://support.microsoft.com/kb/555846
Complete Step by Step to Remove an Orphaned Domain controller
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
Metadata Cleanup of a Domain controller
http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
Here is a similar thread as reference, hope it helps.
Remove References of a Failed DC/Domain
http://social.technet.microsoft.com/Forums/windowsserver/en-US/87516188-731a-4b7f-a4cc-06ce4ad27b19/remove-references-of-a-failed-dcdomain
Best Regards,
Andy Qi
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Andy Qi
TechNet Community Support -
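The "find them first" step the question asks for, added here as an example (not from the thread or the linked articles): a read-only audit that walks the NTDS Settings objects in the Sites container, so it catches every DC the directory still believes in, and marks the ones that no longer answer LDAP and have not logged on recently. It removes nothing; the output is a candidate list for the metadata cleanup in the articles above. The 60-day threshold is an assumption.

```powershell
# Added example: list DCs that still exist in the directory but no longer answer. Read-only.
Import-Module ActiveDirectory

function Find-StaleDomainControllers {
    param([int]$StaleDays = 60)   # assumed threshold; lastLogonTimestamp itself only replicates every ~14 days
    $stale = (Get-Date).AddDays(-$StaleDays)
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    # every DC (including RODCs) has an NTDS Settings object under its server object in the Sites container
    foreach ($ntds in Get-ADObject -SearchBase $cfg -LDAPFilter '(objectClass=nTDSDSA)') {
        $serverDn = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName, serverReference
        # server DN: CN=<name>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        $site     = ($server.DistinguishedName -split ',')[2] -replace '^CN=', ''
        $fqdn     = $server.dNSHostName
        $comp     = $null
        if ($server.serverReference) {
            $comp = Get-ADComputer -Identity $server.serverReference -Properties lastLogonTimestamp, operatingSystem
        }
        $lastLogon = if ($comp -and $comp.lastLogonTimestamp) { [datetime]::FromFileTime($comp.lastLogonTimestamp) } else { $null }
        $pings = $fqdn -and (Test-Connection -ComputerName $fqdn -Count 1 -Quiet)
        $ldap  = $false
        if ($pings) {
            # a host that pings but is no longer a DC (rebuilt under the same name) fails here
            try { $null = Get-ADRootDSE -Server $fqdn -ErrorAction Stop; $ldap = $true } catch { }
        }
        [pscustomobject]@{
            Name           = $server.Name
            Site           = $site
            DnsHostName    = $fqdn
            OS             = if ($comp) { $comp.operatingSystem } else { $null }
            LastLogon      = $lastLogon
            Pings          = [bool]$pings
            AnswersLdap    = $ldap
            HasComputerObj = [bool]$comp
            # likely orphan: no LDAP answer and (no computer object, or no logon within $StaleDays)
            LikelyOrphan   = (-not $ldap) -and ((-not $comp) -or (-not $lastLogon) -or ($lastLogon -lt $stale))
        }
    }
}

Find-StaleDomainControllers -StaleDays 60 |
    Sort-Object LikelyOrphan, Site -Descending |
    Format-Table Name, Site, DnsHostName, OS, LastLogon, Pings, AnswersLdap, HasComputerObj, LikelyOrphan -AutoSize
```

Cross-check each LikelyOrphan entry with `repadmin /showrepl <name>` (replication partners still trying to reach it) before running the cleanup steps from the articles.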
Blue Screen on Domain controllers after Updates
After patching our domain controllers (virtual on ESXi 5.5 U2) recently we started getting blue screens and reboots. Other changes in our environment around this time include enabling vShield drivers and scanning with Trend Micro. I have removed the patches from April but cannot remove patch KB3020370, as there is no uninstall button. The error still persists; I have removed the vShield driver and am waiting to see if the issue reoccurs. Can anyone assist in interpreting the details below? Also, is it possible to remove the patch KB3020370? This only appears to affect domain controllers; regular servers appear unaffected.
Thanks
Below is the BugCheck event.
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007f (0x0000000000000008, 0x0000000080050031, 0x00000000000406f8, 0xfffff800018c0e14). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042915-21762-01.
And output from the debug tool.
Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [c:\MiniDump\042815-21762-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Error: Attempts to access 'c:\windows\i386' failed: 0x2 - The system cannot find the file specified.
************* Symbol Path validation summary **************
Response Time (ms) Location
Error c:\windows\i386
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\windows\i386
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x64
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 7601.18798.amd64fre.win7sp1_gdr.150316-1654
Machine Name:
Kernel base = 0xfffff800`0185e000 PsLoadedModuleList = 0xfffff800`01aa3890
Debug session time: Tue Apr 28 13:20:34.290 2015 (UTC + 1:00)
System Uptime: 0 days 0:27:28.954
Loading Kernel Symbols
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
Loading User Symbols
Loading unloaded module list
* Bugcheck Analysis *
Use !analyze -v to get detailed debugging information.
BugCheck 7F, {8, 80050031, 406f8, fffff800018d4e14}
Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )
Followup: MachineOwner
kd> !analyze -v
* Bugcheck Analysis *
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050031
Arg3: 00000000000406f8
Arg4: fffff800018d4e14
Debugging Details:
BUGCHECK_STR: 0x7f_8
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT_SERVER
PROCESS_NAME: System
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
LAST_CONTROL_TRANSFER: from fffff800018cffe9 to fffff800018d0a40
STACK_TEXT:
fffff800`01620d28 fffff800`018cffe9 : 00000000`0000007f 00000000`00000008 00000000`80050031 00000000`000406f8 : nt!KeBugCheckEx
fffff800`01620d30 fffff800`018ce4b2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff800`01620e70 fffff800`018d4e14 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
fffff880`0276e000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x4
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiDoubleFaultAbort+b2
fffff800`018ce4b2 90 nop
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiDoubleFaultAbort+b2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5507a73c
IMAGE_VERSION: 6.1.7601.18798
FAILURE_BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2
BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0x7f_8_nt!kidoublefaultabort+b2
FAILURE_ID_HASH: {0367acc4-9bb4-ab69-5701-46a2011718e9}
Followup: MachineOwner
Hi,
Dump file displays:
BugCheck 7F, {8, 80050031, 406f8, fffff800018d4e14} and Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 ).
Bug check 0x7F typically occurs after you install a faulty or mismatched hardware (especially memory) or if installed hardware fails.
A double fault can occur when the kernel stack overflows. This overflow occurs if multiple drivers are attached to the same stack. For example, if two file system filter drivers are attached to the same stack and then the file system recurses back in, the stack overflows.
You may reference the link below for detailed resolution about this problem:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff559244(v=vs.85).aspx
Besides, you may try to restore the server to the state before installing these Windows Updates.
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Upgrade to Server 2012 R2 domain controllers from 2003
I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
We had two Server 2003 domain controllers and one of them was failing. I raised the forest functional level of our old primary domain controllers to 2003. I built the first replacement Server 2012 R2 domain controller, added the AD DS roles and promoted it as a domain controller. I let it sit for a couple of days. The FSMO roles were currently being handled by our other 2003 domain controller. Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing server and demoted it. Once demoted I shut it down and pulled it out of the rack. I then built our second 2012 R2 server and gave it the same IP as the failing one. Installed the AD DS roles and integrated DNS as prompted by the wizard. I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master. Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network. I then demoted the first new controller (DC03), changed the hostname and IP to the name and IP of the second 2003 controller, and promoted it again. I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in, just not a second subnet that is through a hardware firewall. I don't see anything getting blocked while watching firewall logs so I don't think the firewall is the issue.
Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\username>dcdiag /v /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine WGDDC01, is a Directory Server.
Home Server = WGDDC01
* Connecting to directory service on server WGDDC01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=wgd,DC=inet
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WGDDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... WGDDC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WGDDC01
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... WGDDC01 failed test DNS
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : wgd
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : wgd.inet
Starting test: DNS
Test results for domain controllers:
DC: WGDDC01.wgd.inet
Domain: wgd.inet
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard (Service Pack level:
0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
MAC address is B0:83:FE:C1:98:07
IP Address is static
IP address: 10.240.1.23
DNS servers:
10.240.1.23 (WGDDC01) [Valid]
10.240.1.24 (WGDDC02) [Valid]
127.0.0.1 (WGDDC01) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
Warning: no DNS RPC connectivity (error or non Microsoft DNS s
erver is running)
[Error details: 5 (Type: Win32 - Description: Access is denied
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 10.240.1.23 (WGDDC01)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
DNS server: 10.240.1.24 (WGDDC02)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: wgd.inet
WGDDC01 PASS WARN n/a n/a n/a n/a n/a
......................... wgd.inet passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
When I try to bind a machine to the domain I get an error message that says:
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
10.240.1.24
10.240.1.23
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
Please let me know if I'm missing something or if there are other things I can check.
Thanks!
I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2. All clients in the environment are Windows XP Pro or above. The XP Pro boxes will be going away as soon as our vendor supports their software to run on Windows 7.
We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the domain connecting to the two new domain controllers, but the client machine that is trying to bind gives an error: "An Active Directory Domain Controller for the domain wgd.inet could not be contacted." It seems that this is just a DNS issue for one particular subnet (10.240.2.0/24). This subnet is set up in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out. The route is there and I can watch it connect through our hardware firewall over port 53.
DC01
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
DC02
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC02
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter NIC1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.24
10.240.1.23
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
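The join error above names the exact record that is failing (the `_ldap._tcp.dc._msdcs` SRV lookup), and "I can see it connect over port 53" does not say whether UDP, TCP, or large responses get through. The script below is an added check for running on a client in the affected subnet; it is not from this thread. It assumes the names and addresses posted above (wgd.inet, 10.240.1.23 and 10.240.1.24) and a Windows 8.1 / Server 2012 R2 or later client for Resolve-DnsName and Test-NetConnection.

```powershell
# Added troubleshooting script (not from this thread). Assumes the names and addresses
# posted above: domain wgd.inet, DCs 10.240.1.23 and 10.240.1.24, and a client on the
# 10.240.2.0/24 subnet behind the firewall. Needs Windows 8.1 / Server 2012 R2 or later
# for Resolve-DnsName and Test-NetConnection.
param(
    [string]$Domain = 'wgd.inet',
    [string[]]$DnsServers = @('10.240.1.23', '10.240.1.24')
)
$srvName = "_ldap._tcp.dc._msdcs.$Domain"   # the record named in the join error

foreach ($srv in $DnsServers) {
    Write-Host "== DNS server $srv =="

    # 1. Is TCP/53 reachable? A DC-locator SRV answer plus its additional A records can
    #    exceed 512 bytes; without EDNS the client retries over TCP, so a firewall that
    #    only passes UDP/53 or drops oversized UDP shows up as exactly the timeout above.
    $tcp = Test-NetConnection -ComputerName $srv -Port 53 -WarningAction SilentlyContinue
    Write-Host ("TCP 53 reachable : {0}" -f $tcp.TcpTestSucceeded)

    # 2. The same SRV query over UDP (default) and forced TCP, reported separately.
    foreach ($mode in 'UDP', 'TCP') {
        $query = @{ Name = $srvName; Type = 'SRV'; Server = $srv; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($mode -eq 'TCP') { $query.TcpOnly = $true }
        try {
            $recs = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
            $targets = ($recs.NameTarget | Sort-Object -Unique) -join ', '
            Write-Host ("{0} SRV query    : {1} record(s) -> {2}" -f $mode, $recs.Count, $targets)
        } catch {
            Write-Host ("{0} SRV query    : FAILED - {1}" -f $mode, $_.Exception.Message)
        }
    }

    # 3. A plain A lookup. If this works but the SRV query fails, suspect DNS inspection
    #    or response-size limits on the firewall rather than routing.
    try {
        $a = Resolve-DnsName -Name $Domain -Type A -Server $srv -DnsOnly -ErrorAction Stop
        Write-Host ("A lookup         : {0}" -f ($a.IPAddress -join ', '))
    } catch {
        Write-Host ("A lookup         : FAILED - {0}" -f $_.Exception.Message)
    }
}

# 4. The DC locator's own view from this client: which site the client's subnet maps to
#    and whether a DC can be reached at all, independent of nslookup.
Write-Host "== DC locator (nltest) =="
nltest /dsgetsite
nltest "/dsgetdc:$Domain" /force
```

If UDP succeeds and TCP fails (or TCP 53 is unreachable), the firewall rule for port 53 is the place to look; if both fail while the A lookup works, the firewall is most likely inspecting or size-limiting DNS rather than blocking it outright.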