Monitor Sysvol and netlogon Share availability on domain controllers

I need to monitor the availability of the SYSVOL and NETLOGON shares on all our domain controllers, around 20 in all.
What is the best way for us to do that?
I have seen scripts that monitor share availability, but that would mean I create 40 such script monitors (2 times 20), which is too much manual work.
Any advice?

I looked into the discovered inventory (SysVol for Windows 2008) and I see all the objects,
but the path shows as dc01.domain.com\dc01\sysvol.
However, we never get notified when the SYSVOL share is inaccessible.
We have had a number of cases where the DC is online but somehow we can't access the SYSVOL share.
We need a monitor to alert us in such a case.
I modified our script to include %computername% and targeted it at the all DCs group:
Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
Set objFSO = CreateObject("Scripting.FileSystemObject")
strFile = "\\%computername%\sysvol\"
If objFSO.FolderExists(strFile) Then
    Call oBag.AddValue("Status","Exist")
    Call oAPI.Return(oBag)
Else
    Call oBag.AddValue("Status","NotExist")
    Call oAPI.Return(oBag)
End If
However, the monitor alerted critical immediately.
How should the monitor be?
I thought if I put \\%computername%\sysvol\ in the script and send it to the all DCs group then it will start monitoring as \\dc01\sysvol etc.
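
One way to write the check so a single monitor covers every DC, as an added example that is not the poster's script or SCOM's own code: VBScript hands `%computername%` to `FolderExists` as literal text, so this version reads the local name from `WScript.Network` and tests both shares in one run. The `SYSVOL`, `NETLOGON` and `ComputerName` property names are assumptions; `Status`, `Exist` and `NotExist` follow the script above.

```vbscript
' Added example: one script for a monitor targeted at all DCs.
' The agent runs it locally on each DC, so no per-DC copy is needed.
Option Explicit

Dim oAPI, oBag, oFSO, oNet, sComputer, aShares, sShare, sPath, bAllOk

Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")

' VBScript does not expand %computername% inside a string literal,
' so the local computer name is read from WScript.Network instead.
sComputer = oNet.ComputerName

aShares = Array("SYSVOL", "NETLOGON")
bAllOk = True

For Each sShare In aShares
    ' Builds \\<local name>\SYSVOL and \\<local name>\NETLOGON.
    sPath = "\\" & sComputer & "\" & sShare
    If ShareReachable(sPath) Then
        ' Per-share property names are assumptions for this example.
        Call oBag.AddValue(sShare, "Exist")
    Else
        Call oBag.AddValue(sShare, "NotExist")
        bAllOk = False
    End If
Next

' Overall state: healthy only when both shares answer.
Call oBag.AddValue("ComputerName", sComputer)
If bAllOk Then
    Call oBag.AddValue("Status", "Exist")
Else
    Call oBag.AddValue("Status", "NotExist")
End If
Call oAPI.Return(oBag)

Function ShareReachable(sUncPath)
    ' FolderExists returns False when the share is missing. Any runtime
    ' error is also treated as unreachable so a property bag is always
    ' returned to the monitor.
    On Error Resume Next
    ShareReachable = oFSO.FolderExists(sUncPath)
    If Err.Number <> 0 Then
        ShareReachable = False
        Err.Clear
    End If
    On Error GoTo 0
End Function
```

The per-share values let the alert description say which of the two shares failed, while the monitor's health states only need to test `Status`.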

Similar Messages

  • DSGETDCNAME advertising test failing. SYSVOL and NETLOGON shares not replicating. Please help!!!

    Hello all. We are currently running a Windows Server 2003 ADDC as a virtual machine on a Windows Server 2012 host using Hyper-V. We have recently added a second Windows Server 2012 ADDC also as a Hyper-V VM. I promoted the 2k12 to a DC, transferred all FSMO roles, and tested AD replication. All AD data was replicated fine. However a DCDIAG (the results of which I have attached to this post) shows a few errors.
    First off, it is failing the advertising test. This is more than likely due to a DNS error. Unfortunately, I can not seem to find the error within the DNS to resolve it.
    Secondly, it is failing the KccEvent test; also seemingly a DNS-related error.
    Thirdly, both SYSVOL and NETLOGON shares were not successfully replicated. This is likely the basis for the other issues. Without these successfully replicated, I can not demote the 2K3 server; which is the goal in the end, to replace the old server with the new.
    I am willing to try just about anything, so any suggestions would be greatly appreciated. As for what I have tried, I have tried a non-authoritative restore using BurFlags with no success. I CAN ping both DCs from each other ensuring connectivity. All users can currently log on to the server (due to the fact that the 2K3 server is still running and still holds the SYSVOL and NETLOGON shares).
    Once again, any help would be greatly appreciated! Thank you in advance!
    DCDIAG Output:
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = RETIRED2012
    * Identified AD Forest.
    Done gathering initial info.
    Doing initial required tests
    Testing server: Default-First-Site\RETIRED2012
    Starting test: Connectivity
    ......................... RETIRED2012 passed test Connectivity
    Doing primary tests
    Testing server: Default-First-Site\RETIRED2012
    Starting test: Advertising
    Warning: DsGetDcName returned information for
    \\retired1.RetireFirst.local, when we were trying to reach
    RETIRED2012.
    SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
    ......................... RETIRED2012 failed test Advertising
    Starting test: FrsEvent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... RETIRED2012 passed test FrsEvent
    Starting test: DFSREvent
    ......................... RETIRED2012 passed test DFSREvent
    Starting test: SysVolCheck
    ......................... RETIRED2012 passed test SysVolCheck
    Starting test: KccEvent
    An error event occurred. EventID: 0xC0000827
    Time Generated: 08/09/2013 22:08:34
    Event String:
    Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
    A warning event occurred. EventID: 0x80000677
    Time Generated: 08/09/2013 22:10:02
    Event String:
    Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
    An error event occurred. EventID: 0xC0000466
    Time Generated: 08/09/2013 22:10:06
    Event String:
    Active Directory Domain Services was unable to establish a connection with the global catalog.
    ......................... RETIRED2012 failed test KccEvent
    Starting test: KnowsOfRoleHolders
    ......................... RETIRED2012 passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    ......................... RETIRED2012 passed test MachineAccount
    Starting test: NCSecDesc
    ......................... RETIRED2012 passed test NCSecDesc
    Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\RETIRED2012\netlogon)
    [RETIRED2012] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... RETIRED2012 failed test NetLogons
    Starting test: ObjectsReplicated
    ......................... RETIRED2012 passed test ObjectsReplicated
    Starting test: Replications
    ......................... RETIRED2012 passed test Replications
    Starting test: RidManager
    ......................... RETIRED2012 passed test RidManager
    Starting test: Services
    ......................... RETIRED2012 passed test Services
    Starting test: SystemLog
    A warning event occurred. EventID: 0x00001695
    Time Generated: 08/09/2013 22:06:48
    Event String:
    Dynamic registration or deletion of one or more DNS records associated with DNS domain 'RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
    A warning event occurred. EventID: 0x000003F6
    Time Generated: 08/09/2013 22:06:49
    Event String:
    Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.
    A warning event occurred. EventID: 0x00001696
    Time Generated: 08/09/2013 22:07:44
    Event String:
    Dynamic registration or deregistration of one or more DNS records failed with the following error:
    A warning event occurred. EventID: 0x000003F6
    Time Generated: 08/09/2013 22:07:51
    Event String:
    Name resolution for the name retired1.RetireFirst.local timed out after none of the configured DNS servers responded.
    A warning event occurred. EventID: 0x00001695
    Time Generated: 08/09/2013 22:08:23
    Event String:
    Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
    A warning event occurred. EventID: 0x00001695
    Time Generated: 08/09/2013 22:08:35
    Event String:
    Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
    An error event occurred. EventID: 0x0000041E
    Time Generated: 08/09/2013 22:08:45
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    An error event occurred. EventID: 0x00000423
    Time Generated: 08/09/2013 22:08:53
    Event String:
    The DHCP service failed to see a directory server for authorization.
    A warning event occurred. EventID: 0x000003F6
    Time Generated: 08/09/2013 22:10:04
    Event String:
    Name resolution for the name isatap timed out after none of the configured DNS servers responded.
    A warning event occurred. EventID: 0x000003F6
    Time Generated: 08/09/2013 22:10:08
    Event String:
    Name resolution for the name e45ad288-70ff-4d9e-adf9-3035e459e126._msdcs.RetireFirst.local timed out after none of the configured DNS servers responded.
    A warning event occurred. EventID: 0x000003F6
    Time Generated: 08/09/2013 22:10:21
    Event String:
    Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.
    An error event occurred. EventID: 0x00000423
    Time Generated: 08/09/2013 22:11:14
    Event String:
    The DHCP service failed to see a directory server for authorization.
    An error event occurred. EventID: 0x0000041E
    Time Generated: 08/09/2013 22:13:45
    Event String:
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    ......................... RETIRED2012 failed test SystemLog
    Starting test: VerifyReferences
    ......................... RETIRED2012 passed test VerifyReferences
    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation
    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation
    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Running partition tests on : RetireFirst
    Starting test: CheckSDRefDom
    ......................... RetireFirst passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... RetireFirst passed test CrossRefValidation
    Running enterprise tests on : RetireFirst.local
    Starting test: LocatorCheck
    ......................... RetireFirst.local passed test LocatorCheck
    Starting test: Intersite
    ......................... RetireFirst.local passed test Intersite

    Thank you for your response first of all! And in response:
    1. "Retired1" is the 2k3 ADDC / DNS Server. It currently has a different IP than the 2K12 Server. Verified with ipconfig/all.
    2. I set 2K12 to only 2K3 for DNS; no external ISP servers or itself listed. Registered DNS, restarted netlogon; no success.
    3. ipconfig/all for 2K12 server here:
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : RETIRED2012
    Primary Dns Suffix . . . . . . . : RetireFirst.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : RetireFirst.local
    Ethernet adapter Ethernet:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
    Physical Address. . . . . . . . . : 00-15-5D-01-33-0A
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::8159:4f0c:4071:d780%12(Preferred)
    IPv4 Address. . . . . . . . . . . : 172.21.69.246(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.192
    Default Gateway . . . . . . . . . : 172.21.69.250
    DHCPv6 IAID . . . . . . . . . . . : 251663709
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-74-BE-C0-00-15-5D-01-33-0A
    DNS Servers . . . . . . . . . . . : 172.21.69.240
    NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{8317BEC2-079A-4846-B6B2-1AE3E2784691}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    4. The 2K12 is a GC; yes.
    Thanks again and hopefully we can work this out!
    Seems like you have/had a server named "retired1" with the same IP address as the new 2012 server? (If this is an old server) remove all references to it in DNS.
    Make sure that on the 2012 server in the TCP/IP DNS settings, you only point to the 2003 DC for DNS (not itself for now, and no external ISP DNS servers). Run ipconfig /registerdns and restart the netlogon service on the 2012 server.
    Can you post an unedited output of ipconfig /all from the 2012 server?
    Did you make the 2012 server a global catalog? (If not I would recommend that.) http://support.microsoft.com/kb/296882

  • Want to modify sysvol and netlogon share permissions

    Hi all,
    As per a security concern we need to remove Everyone from the share permissions on the SYSVOL and NETLOGON shares. Can anyone provide me a suggestion for the same, or any documented article which says how to do it or what precautions we should take?
    Or, if the permission is by design, is there any document or KB article which says the permission should not be changed?
    Appreciate any help.
    Thanks........
    Ahmed Gaziyani Enterprise Admin.

    Hello,
    If you remove such permission then you will have issues in the application of group policies and netlogon scripts to your users. Users should have at least read permission on the SYSVOL folder so that group policies and netlogon scripts will be applied.
    More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads

  • Pls help: SYSVOL and NetLOGON share not ready after creating first Windows 2012 DC

    Hi all,
    I'm setting up the first DC on Windows server 2012 following steps here (social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx).
    DCdiag gives following errors in SysVolCheck, services, and Netlogons while the rest of tests are successful:
    ------------------------- cut here --------------------------
          Test omitted by user request: DFSREvent
          Starting test: SysVolCheck
             * The File Replication Service SYSVOL ready test
             [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
             The registry lookup failed to determine the state of the SYSVOL.  The error returned  was 0x43
             "The network name cannot be found.".  Check the FRS event log to see if the SYSVOL has successfully been
             shared.
             ......................... ORT001C failed test SysVolCheck
    [snipped]
         Starting test: Services
            Could not open Remote ipc to [ort001c.ad1.mydomain]: error 0x43 "The network name cannot be found."
            ......................... ORT001C failed test Services
    [snipped]
          Starting test: NetLogons
             * Network Logons Privileges Check
             [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
             ......................... ORT001C failed test NetLogons
    ------------------------- cut here --------------------------
    Some information collected:
    ----------------------- cut here --------------------
    - net share
    Share name   Resource                        Remark
    C$           C:\                             Default share
    IPC$                                         Remote IPC
    ADMIN$       C:\Windows                      Remote Admin
    NETLOGON     C:\Windows\SYSVOL\sysvol\ad1.mydomain\SCRIPTS
    Logon server share
    SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
    The command completed successfully.
    dnslint /ad /s <DC IP>:   no error
    - nltest /server:ort001c.ad1.mydomain /dsgetdc:AD1.MYDOMAIN
               DC: \\ort001c.ad1.mydomain
          Address: \\192.168.1.77
         Dom Guid: 9faa9bae-faae-42be-bf45-05a1d77b2bf0
         Dom Name: ad1.mydomain
      Forest Name: ad1.mydomain
     Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
            Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9
    The command completed successfully
    - repadmin /showrepl
    Repadmin: running command
    /showrepl against full DC localhost
    Default-First-Site-Name\ORT001C
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: ff4092a2-62d8-4b83-a4d4-fec6920d8535
    DSA invocationID: ff4092a2-62d8-4b83-a4d4-fec6920d8535
    - netdom query /domain:AD1 fsmo
    Schema master              
    ort001c.ad1.mydomain
    Domain naming master
           ort001c.ad1.mydomain
    PDC                        
    ort001c.ad1.mydomain
    RID pool manager           
    ort001c.ad1.mydomain
    Infrastructure master
          ort001c.ad1.mydomain
    The command completed
    successfully.
    ----------------------- cut here --------------------
    Besides, DFSR instead of FRS is used.
    Sorry, I'm a newbie to Windows and afraid I've missed something.   Would anyone please help?
    Thanks a lot.
    /ST Wong

    Hi all,
    Thanks for your advice.  I updated the following settings and restarted the server:
    - IPv6: set both address/DNS to dynamic
    - IPv4: Add 127.0.0.1 as alternate DNS server
    Same error reported in dcdiag.   Besides, the server name used by nslookup is Unknown.
    I'm afraid if I've something missed :(
    Sorry for the trouble caused.  Thanks a lot.
    Regards,
    /ST Wong
    --------------- cut here ---------------
    C:\Users\Administrator>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : ort001c
       Primary Dns Suffix  . . . . . . . : ad1.mydomain
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ad1.mydomain
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-50-56-AA-1C-6D
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::dd03:5eec:b396:a323%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.77(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 302010454
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-57-D0-61-00-50-56-AA-1C-6D
       DNS Servers . . . . . . . . . . . : 192.168.1.77
          127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{598372EC-A809-493B-8E25-004F6D4655E2}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\Administrator>nslookup ort001c.ad1.mydomain
    Server:  UnKnown
    Address:  192.168.1.77
    Name:    ort001c.ad1.mydomain
    Address:  192.168.1.77
    C:\Users\Administrator>nslookup ad1.mydomain
    Server:  UnKnown
    Address:  192.168.1.77
    Name:    ad1.mydomain
    Address:  192.168.1.77
    PS C:\Users\Administrator> dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = ort001c
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\ORT001C
          Starting test: Connectivity
             ......................... ORT001C passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\ORT001C
          Starting test: Advertising
             ......................... ORT001C passed test Advertising
          Starting test: FrsEvent
             ......................... ORT001C passed test FrsEvent
          Starting test: DFSREvent
             ......................... ORT001C passed test DFSREvent
          Starting test: SysVolCheck
             [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
             ......................... ORT001C failed test SysVolCheck
          Starting test: KccEvent
             ......................... ORT001C passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... ORT001C passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             Could not open pipe with [ORT001C]:failed with 67: The network name cannot be found.
             Could not get NetBIOSDomainName
             Failed can not test for HOST SPN
             Failed can not test for HOST SPN
             ......................... ORT001C passed test MachineAccount
          Starting test: NCSecDesc
             ......................... ORT001C passed test NCSecDesc
          Starting test: NetLogons
             [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
             ......................... ORT001C failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... ORT001C passed test ObjectsReplicated
          Starting test: Replications
             ......................... ORT001C passed test Replications
          Starting test: RidManager
             ......................... ORT001C passed test RidManager
          Starting test: Services
             Could not open Remote ipc to [ort001c.ad1.mydomain]: error 0x43 "The network name cannot be found."
             ......................... ORT001C failed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00001796
                Time Generated: 01/14/2014   10:26:57
                Event String:
                Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
             A warning event occurred.  EventID: 0x00000090
                Time Generated: 01/14/2014   10:40:03
                Event String: The time service has stopped advertising as a good time source.
             ......................... ORT001C passed test SystemLog
          Starting test: VerifyReferences
             ......................... ORT001C passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : ad1
          Starting test: CheckSDRefDom
             ......................... ad1 passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ad1 passed test CrossRefValidation
       Running enterprise tests on : ad1.mydomain
          Starting test: LocatorCheck
             ......................... ad1.mydomain passed test LocatorCheck
          Starting test: Intersite
             ......................... ad1.mydomain passed test Intersite

  • Can't see the SYSVOL and NETLOGON folder into newly migrated server

    Hi,
    I have recently promoted and migrated the FSMO role to my new additional domain controller, but after migration I can't see the SYSVOL and NETLOGON folders on the new domain controller. I also can't add any backup domain controller to the newly migrated domain controller.
    Regard;
    Jitendra Gautam

    Hi
    How much time should it take to advertise? It has been more than 20 days since promotion of the new DC. When I ran dcdiag I found that:
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = NEWDC
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\NEWDC
          Starting test: Connectivity
             ......................... NEWDC passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\NEWDC
          Starting test: Advertising
             Warning: DsGetDcName returned information for
             \\OLD DC.domain.name, when we were trying to reach
             NEWDC.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... NEWDC failed test Advertising
          Starting test: FrsEvent
             ......................... NEWDC passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... NEWDC failed test DFSREvent
          Starting test: SysVolCheck
             ......................... NEWDC passed test SysVolCheck
          Starting test: KccEvent
             ......................... NEWDC passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... NEWDC passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... NEWDC passed test MachineAccount
          Starting test: NCSecDesc
             ......................... NEWDC passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\NEWDC\netlogon)
             [NEWDC] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... NEWDC failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... NEWDC passed test ObjectsReplicated
          Starting test: Replications
             ......................... NEWDC passed test Replications
          Starting test: RidManager
             ......................... NEWDC passed test RidManager
          Starting test: Services
             ......................... NEWDC passed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0xC00010DF
                Time Generated: 10/07/2014   17:11:03
                Event String:
                A duplicate name has been detected on the TCP network.  The IP addre
    ss of the computer that sent the message is in the data. Use nbtstat -n in a com
    mand window to see which name is in the Conflict state.
             An error event occurred.  EventID: 0xC00010DF
                Time Generated: 10/07/2014   17:14:13
                Event String:
                A duplicate name has been detected on the TCP network.  The IP addre
    ss of the computer that sent the message is in the data. Use nbtstat -n in a com
    mand window to see which name is in the Conflict state.
             An error event occurred.  EventID: 0xC00010DF
                Time Generated: 10/07/2014   17:15:31
                Event String:
                A duplicate name has been detected on the TCP network.  The IP addre
    ss of the computer that sent the message is in the data. Use nbtstat -n in a com
    mand window to see which name is in the Conflict state.
             An error event occurred.  EventID: 0xC00010DF
                Time Generated: 10/07/2014   17:15:42
                Event String:
                A duplicate name has been detected on the TCP network.  The IP addre
    ss of the computer that sent the message is in the data. Use nbtstat -n in a com
    mand window to see which name is in the Conflict state.
             An error event occurred.  EventID: 0xC00010DF
                Time Generated: 10/07/2014   17:17:27
                Event String:
                A duplicate name has been detected on the TCP network.  The IP addre
    ss of the computer that sent the message is in the data. Use nbtstat -n in a com
    mand window to see which name is in the Conflict state.
             An error event occurred.  EventID: 0xC00010DF
                Time Generated: 10/07/2014   17:53:35
                Event String:
                A duplicate name has been detected on the TCP network.  The IP addre
    ss of the computer that sent the message is in the data. Use nbtstat -n in a com
    mand window to see which name is in the Conflict state.
             An error event occurred.  EventID: 0xC0001B61
                Time Generated: 10/07/2014   17:54:39
                Event String:
                A timeout was reached (30000 milliseconds) while waiting for the Fil
    e Replication service to connect.
             An error event occurred.  EventID: 0xC0001B61
                Time Generated: 10/07/2014   17:54:44
                Event String:
                A timeout was reached (30000 milliseconds) while waiting for the Fil
    e Replication service to connect.
             An error event occurred.  EventID: 0xC0001B61
                Time Generated: 10/07/2014   17:55:40
                Event String:
                A timeout was reached (30000 milliseconds) while waiting for the Fil
    e Replication service to connect.
             An error event occurred.  EventID: 0xC0001B61
                Time Generated: 10/07/2014   17:55:53
                Event String:
                A timeout was reached (30000 milliseconds) while waiting for the Fil
    e Replication service to connect.
             ......................... NEWDC failed test SystemLog
          Starting test: VerifyReferences
             ......................... NEWDC passed test VerifyReferences
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : domain
          Starting test: CheckSDRefDom
             ......................... domain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... domain passed test CrossRefValidation
       Running enterprise tests on : domain.name
          Starting test: LocatorCheck
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
             1355
             A Good Time Server could not be located.
             ......................... domain.name failed test LocatorCheck
          Starting test: Intersite
             ......................... domain.name passed test Intersite
    And
     "I can't add any backup domain controller..."  means I am not able to join the new ADDC to newly promoted server. But I can join the new
    ADDC to old DC of which the FSMO roles are transferred to new DC.
    I also found that File replication service is disabled while starting it getting the below Error:
    "Error 1053: The service did not respond to start or control request in timely fashion"
    Regards;
    Jitendra Gautam

  • Sysvol and netlogon

    Hi guys, quick question,
    Is sysvol the same as netlogon? What I mean is, if there is a script in sysvol but I didn't put anything in netlogon, will this script be replicated in the netlogon folder?
    If yes, then if I delete this script in sysvol, technically will it be deleted in netlogon?
    Regards,
    Jeff

    Hi Jeff,
    I agree with Calin.
    The Sysvol folder is shared on an NTFS volume on all the domain controllers in a particular domain. Sysvol is used to deliver the policy and logon scripts to domain members.
    By default sysvol includes 2 folders:
    1. Policies - (Default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
    2. Scripts - (Default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)
    The Scripts folder under the sysvol folder acts as the Netlogon share.
    For more detailed information, you can refer to the link below:
    Sysvol and netlogon share importance in Active Directory
    Best regards,
    Susie

  • SBS2011 Recovered from Missing SYSVOL and NETLOGON; looking for original cause - not restore related

    Call from client that they couldn't login to their shares. Connected to the server and found SYSVOL and NETLOGON missing. This has happened 3 times on this server 2014-01-06, 2014-03-26, and 2014-06-04. Although I have documentation and can restore quickly, preventing is our primary goal.
    What are the situations in which this might happen, and possible event log items that can give us a warning that this may take place?

    Searched more for SYSVOL NETLOGON Repeat. I excluded the C:\Windows\sysvol directory from Anti-virus scan to prevent locks. Links are below. Thank you,
    Jefferson Eckert
    Systems Engineer | Inline Computer & Communications
    509.783.5450 ext 158 | [email protected] | http://www.inlinecomputer.com
    http://blogs.technet.com/b/instan/archive/2009/07/14/what-happens-in-a-journal-wrap.aspx
    Since the PDC server was in Journal Wrap error state and the new DC did not have the sysvol share available, to fix the issue you need to first take a backup of sysvol and perform D4 (authoritative restore) and D2 (non-authoritative restore). http://support.microsoft.com/kb/290762/
    Also your first step should be finding why the JRNL_WRAP_ERROR error has occurred. Normally, JRNL_WRAP_ERROR occurs due to the drive/partition being corrupted, antivirus locking and corrupting the file during sysvol scan, or heavy size of the files inside sysvol and netlogon shares.
    Run chkdsk in read-only mode for any errors, and if an issue is reported take a backup of the server and run chkdsk /f. Exclude the sysvol/nrtds/sysvol from AV scan too. To fix the Journal wrap, perform an authoritative restore, assuming you have a single DC. See the link below too.
    what-happens-in-a-journal-: http://blogs.technet.com/b/instan/archive/2009/07/14/what-happens-in-a-journal-wrap.aspx
    Since you have restored the DC to a previous state, check the health of the DC by running dcdiag /q and also check the event log for any errors and warnings, and post the same if any.
    Best Regards,
    Sandesh Dubey.
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator |
    My Blog
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Proposed as answer by VenkatSP, Tuesday, November 20, 2012 2:02 AM
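
    The reply above recommends running dcdiag and reading the event log after a restore. The following is an added example, not part of the original thread: it parses dcdiag text of the form quoted on this page, lists failed tests, and separates those that bear on SYSVOL/NETLOGON from unrelated noise. The function names, the `SHARE_TESTS` grouping and the sample text are assumptions of this example; it also handles dcdiag's wrapped result lines and reduces the hex `EventID` values to the event IDs shown in Event Viewer.

```python
import re

# dcdiag tests that bear directly on SYSVOL/NETLOGON being served. The test
# names come from the output quoted on this page; grouping them this way is
# an assumption of this example.
SHARE_TESTS = {"Advertising", "FrsEvent", "DFSREvent", "SysVolCheck", "NetLogons"}

START_RE = re.compile(r"^\s*Starting test:\s*(\S+)\s*$")
# "......... <target> passed|failed test [<name>]"; the name is optional
# because dcdiag wraps long result lines and pushes it onto the next line.
RESULT_RE = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?\s*$")
ERROR_RE = re.compile(r"\berror\s+(\d+)")
EVENT_RE = re.compile(r"EventID:\s*0x([0-9A-Fa-f]{8})")

# Constructed sample, modelled on the dcdiag output quoted on this page.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\NEWDC
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... NEWDC failed test DFSREvent
      Starting test: SysVolCheck
         ......................... NEWDC passed test SysVolCheck
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\NEWDC\netlogon)
         [NEWDC] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... NEWDC failed test NetLogons
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 10/07/2014   17:11:03
            Event String:
            A duplicate name has been detected on the TCP network.
         An error event occurred.  EventID: 0xC0001B61
            Time Generated: 10/07/2014   17:54:39
            Event String:
            A timeout was reached (30000 milliseconds) while waiting for the Fil
e Replication service to connect.
         ......................... NEWDC failed test SystemLog
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   Running enterprise tests on : domain.name
      Starting test: LocatorCheck
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         ......................... domain.name failed test LocatorCheck
"""


def parse_dcdiag(text):
    """Parse dcdiag text into one record per test result."""
    records = []
    current, details = None, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        start = START_RE.match(line)
        if start:
            current, details = start.group(1), []
            continue
        result = RESULT_RE.match(line)
        if not result:
            # Anything between "Starting test" and the result line is detail.
            if current is not None and line.strip():
                details.append(line.strip())
            continue
        target, outcome, name = result.groups()
        if name is None:
            # Wrapped result line: the test name sits alone on the next line.
            name = current
            if i < len(lines) and lines[i].strip() == current:
                i += 1
        joined = " ".join(details)  # re-joins values wrapped at whitespace
        records.append({
            "target": target,
            "test": name,
            "passed": outcome == "passed",
            "error_codes": sorted({int(c) for c in ERROR_RE.findall(joined)}),
            # The low 16 bits of the hex value are the Event Viewer event ID;
            # the high bits carry severity and facility.
            "event_ids": sorted({int(h, 16) & 0xFFFF for h in EVENT_RE.findall(joined)}),
            "details": details,
        })
        current, details = None, []
    return records


def share_failures(records):
    """Failed tests that point at SYSVOL/NETLOGON not being served."""
    return [r for r in records if not r["passed"] and r["test"] in SHARE_TESTS]


if __name__ == "__main__":
    for rec in parse_dcdiag(SAMPLE):
        if not rec["passed"]:
            flag = "SHARE" if rec["test"] in SHARE_TESTS else "other"
            print(flag, rec["target"], rec["test"], rec["error_codes"], rec["event_ids"])
```

    On the sample, `0xC0001B61` reduces to event 7009, the same File Replication service timeout that appears as "Event 7009" in a later thread on this page.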

  • Windows 2012 - SYSVOL replication and NETLOGON share

    After reading 100 tons of articles and links I decided to open this thread.
    I know today is 1st of April, but unfortunately for me this is not a joke.
    given:
    two 2003 DC's - physical servers
    two 2008 DC's - VM's on ESX 5.1 hosts
    two 2012 DC's - VM's on ESX 5.5 hosts
    domain functional level 2003
    situation:
    we plan to decom the 2003's.
    The 2008 DC's are in place since a while and working ok.
    We plan to upgrade to 2012 and here it is where the trouble starts.
    Firstly, I couldn't, by any means, promote the 2012's as DC's until I moved all the FSMO roles from the 2003 DC's to the 2008 DC's.
    After lots of work with the network team we made all the right connections, opened the firewalls, ran the DCDIAG and DNS tests, and the only problems reported are the SYSVOL replication and NETLOGON share.
    I tried all the tools out there to check the replication and the last one is Microsoft's AdRplstatus Tool, which made me think that either Microsoft is making fun of me or I'm the dumbest Windows admin on this planet.
    This tool reports that there are NO ERRORS in replicating SYSVOL, but when I run the command 'net share' the 'domain.com\sysvol\scripts' is not there. Checking further, I try to access '\\domain.com\sysvol' - the directory under which I must find the 'policies'
    and 'scripts' folders - and Sysvol is empty. Obviously these are present when I do this check from the 2008 DC's or 2003 DC's.
    Is there a known issue for these problems regarding 2012 and ESX 5.5? Still, I doubt it.
    DCDIAG /TEST:DNS
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = dc-p01
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: dc-p01
          Starting test: Connectivity
             ......................... dc-p01 passed test Connectivity
    Doing primary tests
       Testing server: dc-p01
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... dc-p01 passed test DNS
       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : domain
       Running enterprise tests on : domain.com
          Starting test: DNS
             Test results for domain controllers:
                DC: dc-p01.domain.com
                Domain: domain.com
                   TEST: Dynamic update (Dyn)
                      Warning: Failed to delete the test record dcdiag-test-record i
    n zone domain.com
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 184.134.0.97 (<name unavailable>)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 184.134.0.97
                   dc-p01                       PASS
    PASS PASS PASS WARN PASS n/a
             ......................... domain.com passed test DNS
    The PTR record query for 1.0.0.127 is still there but I will change it manually; my DNS is set as primary to point to the server itself by its IP and not 127.0.0.1.
    Still, that DNS server with that error is a Linux DNS, but all my DC's have the DNS role on and are fully replicating and working, including the 2012's.
    DCDIAG:
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = dc-p01
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: dc-p01
          Starting test: Connectivity
             ......................... dc-p01 passed test Connectivity
    Doing primary tests
       Testing server: dc-p01
          Starting test: Advertising
             ......................... dc-p01 passed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... dc-p01 passed test FrsEvent
          Starting test: DFSREvent
             ......................... dc-p01 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... dc-p01 passed test SysVolCheck
          Starting test: KccEvent
             ......................... dc-p01 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... dc-p01 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... dc-p01 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... dc-p01 passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\dc-p01\netlogon)
             [dc-p01] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... dc-p01 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... dc-p01 passed test ObjectsReplicated
          Starting test: Replications
             REPLICATION-RECEIVED LATENCY WARNING
             dc-p01:  Current time is 2014-04-01 10:25:09.
                DC=ForestDnsZones,DC=mydomain,DC=lan
                   Last replication received from DC-P02 at
              2014-03-31 15:22:40
                DC=DomainDnsZones,DC=mydomain,DC=lan
                   Last replication received from DC-P02 at
              2014-03-31 15:22:40
                CN=Schema,CN=Configuration,DC=mydomain,DC=lan
                   Last replication received from DC-P02 at
              2014-03-31 15:22:40
                CN=Configuration,DC=mydomain,DC=lan
                   Last replication received from DC-P02 at
              2014-03-31 15:25:50
                DC=mydomain,DC=lan
                   Last replication received from DC-P02 at
              2014-03-31 15:22:40
             ......................... dc-p01 passed test Replications
          Starting test: RidManager
             ......................... dc-p01 passed test RidManager
          Starting test: Services
             ......................... dc-p01 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 04/01/2014   09:26:35
                EvtFormatMessage failed, error 15027 the message resource is present
     but the message is not found in the string/message table.
                (Event String (event log = System) could not be retrieved, error
                0x3ab3)
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   09:27:52
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      fdc (C:\Windows\s
    ystem32\taskhost.exe).
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 04/01/2014   09:31:14
                EvtFormatMessage failed, error 15027 the message resource is present
     but the message is not found in the string/message table.
                (Event String (event log = System) could not be retrieved, error
                0x3ab3)
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 04/01/2014   09:32:13
                EvtFormatMessage failed, error 15027 the message resource is present
     but the message is not found in the string/message table.
                (Event String (event log = System) could not be retrieved, error
                0x3ab3)
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   09:32:53
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      c18 (C:\Windows\s
    ystem32\taskhost.exe).
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 04/01/2014   09:35:33
                EvtFormatMessage failed, error 15027 the message resource is present
     but the message is not found in the string/message table.
                (Event String (event log = System) could not be retrieved, error
                0x3ab3)
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   09:37:54
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      950 (C:\Windows\s
    ystem32\taskhost.exe).
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   09:42:54
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      5c4 (C:\Windows\s
    ystem32\taskhost.exe).
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   09:47:55
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      ee0 (C:\Windows\s
    ystem32\taskhost.exe).
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   09:52:56
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      e48 (C:\Windows\s
    ystem32\taskhost.exe).
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 04/01/2014   09:53:30
                EvtFormatMessage failed, error 15027 the message resource is present
     but the message is not found in the string/message table.
                (Event String (event log = System) could not be retrieved, error
                0x3ab3)
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   09:57:57
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      a20 (C:\Windows\s
    ystem32\taskhost.exe).
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   10:02:58
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      1bc (C:\Windows\s
    ystem32\taskhost.exe).
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 04/01/2014   10:06:04
                EvtFormatMessage failed, error 15027 the message resource is present
     but the message is not found in the string/message table.
                (Event String (event log = System) could not be retrieved, error
                0x3ab3)
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   10:07:58
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      14c (C:\Windows\s
    ystem32\taskhost.exe).
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   10:12:59
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      90c (C:\Windows\s
    ystem32\taskhost.exe).
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   10:18:00
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      558 (C:\Windows\s
    ystem32\taskhost.exe).
             An error event occurred.  EventID: 0x0000272C
                Time Generated: 04/01/2014   10:23:01
                Event String:
                DCOM was unable to communicate with the computer ca-p01.domain.com
    n using any of the configured protocols; requested by PID      f00 (C:\Windows\s
    ystem32\taskhost.exe).
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 04/01/2014   10:23:56
                EvtFormatMessage failed, error 15027 the message resource is present
     but the message is not found in the string/message table.
                (Event String (event log = System) could not be retrieved, error
                0x3ab3)
             ......................... dc-p01 failed test SystemLog
          Starting test: VerifyReferences
             ......................... dc-p01 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : mydomain
          Starting test: CheckSDRefDom
             ......................... mydomain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... mydomain passed test CrossRefValidation
       Running enterprise tests on : domain.comn
          Starting test: LocatorCheck
             ......................... domain.comn passed test LocatorCheck
          Starting test: Intersite
             ......................... domain.comn passed test Intersite
    In Active Directory Sites and Services, when I try to replicate FROM a valid SYSVOL Domain Controller towards my 2012 DC I get this:
    The following error occurred during the attempt to contact the domain controller dc-p01:
    Directory object not found
    I cannot upload a picture yet because Ms ...didn't verify me.

          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\dc-p01\netlogon)
             [dc-p01] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... dc-p01 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... dc-p01 passed test ObjectsReplicated
          Starting test: Replications
             REPLICATION-RECEIVED LATENCY WARNING
             dc-p01:  Current time is 2014-04-01 10:25:09.
                DC=ForestDnsZones,DC=mydomain,DC=lan
                   Last replication received from DC-P02 at
              2014-03-31 15:22:40
                DC=DomainDnsZones,DC=mydomain,DC=lan
                   Last replication received from DC-P02 at
              2014-03-31 15:22:40           
    To perform a non-authoritative restore of sysvol, you set the BurFlags value and the system will automatically try to sync the contents of sysvol with its replicating partner DC. It's not mandatory to select any particular DC for sysvol replication because in the
    same domain, all DCs share the same sysvol content.
    Sometimes, if initialization of FRS doesn't start, you have to follow the article below. It's also applicable to Windows 2008 as long as you're using FRS for replication.
    http://support.microsoft.com/kb/290762/en-us
    To force the replication of sysvol using cmdline, refer below link.
    http://blogs.technet.com/b/justinturner/archive/2007/04/27/quick-tip-force-frs-replication.aspx
    It's better to find out what went wrong with the overall AD domain infra such that sysvol has not been able to contact its partner for sysvol replication, using an in-depth assessment of the domain. It can be the network, firewall, antivirus or in-built firewall port issues
    which might have broken sysvol replication.
    http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • No Sysvol or Netlogon Shares

    Good Evening experts,
    I have a Windows 2003 Standard DC which will soon be replaced with a Windows 2008 DC.  I have given the 2008 box the DC role but I have noticed neither the sysvol nor netlogon share have appeared on the new DC.  When I looked into this further,
    I found this error on the 2003 server:
    "The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
    Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
    Replica root path is   : "c:\windows\sysvol\domain"
    Replica root volume is : "\\.\C:"
    A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
    [1] Volume "\\.\C:" has been formatted.
    [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
    [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
    [4] File Replication Service was not running on this computer for a long time.
    [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
    Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
    [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
    [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
    WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again."
    I don't have another DC to pull the sysvol/netlogon details from and wanted some advice.
    Bud

    BHeld,
    Cheers for your reply, I was going to go down this road but wanted to ensure I was on the correct path.  In addition, this particular domain is part of an overall forest but the other child domains are fine, it's just this one that won't replicate.
    Do I need to do anything on the domains in the other child domains or just what you had specified above? Cheers
    Dinesh,
    Policies and Scripts folders are still there.  Cheers
    Bud
    You only need to modify one of the DCs in the problem domain. There is nothing to be done in all other domains which are working fine. BTW, Sysvol/Netlogon shares are not replicated to other domains.
    Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R
    (2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 1)
    (2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 2)
    (2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3)
    (2011-06-22) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 4)
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Active Directory Replication Servers (wont replicate SYSVOL and NETLOGON Not showing)

    I have my first DC Server (DC1). DC1.DOMAIN.lOCAL, I decided to add another Domain Controller. Made it a secondary DNS Server and also GC. Everything seems to replicate, but it's missing NETLOGON, and SYSVOL won't replicate.
    Windows 2008 R2

    Error 5706
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\INFGRP.LOCAL\SCRIPTS.  The following error occurred: 
    The system cannot find the file specified.
    Event 7009
    A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
    Event 1058
    The processing of Group Policy failed. Windows attempted to read the file \\INFGRP.LOCAL\SysVol\INFGRP.LOCAL\Policies\{55DE4000-0D51-44CD-92A1-30F286B2BC86}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until
    this event is resolved. This issue may be transient and could be caused by one or more of the following: 
    a) Name Resolution/Network Connectivity to the current domain controller. 
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
    c) The Distributed File System (DFS) client has been disabled.
    All Critical
    This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS
    Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
    Test replication
    Domain Controller Diagnosis
    Performing initial setup:
       * Verifying that the local machine dc, is a DC. 
       * Connecting to directory service on server dc.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\dc
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... dc passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\dc
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
                DC=ForestDnsZones,DC=GRP,DC=LOCAL
                   Latency information for 7 entries in the vector were ignored.
                      7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=DomainDnsZones,DC=GRP,DC=LOCAL
                   Latency information for 7 entries in the vector were ignored.
                      7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Schema,CN=Configuration,DC=GRP,DC=LOCAL
                   Latency information for 8 entries in the vector were ignored.
                      8 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Configuration,DC=GRP,DC=LOCAL
                   Latency information for 9 entries in the vector were ignored.
                      9 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=GRP,DC=LOCAL
                   Latency information for 9 entries in the vector were ignored.
                      9 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
             ......................... dc passed test Replications
          Test omitted by user request: Topology
          Test omitted by user request: CutoffServers
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: Advertising
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: RidManager
          Test omitted by user request: MachineAccount
          Test omitted by user request: Services
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: frssysvol
          Test omitted by user request: frsevent
          Test omitted by user request: kccevent
          Test omitted by user request: systemlog
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: CheckSecurityError
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : Schema
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : Configuration
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : GRP
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running enterprise tests on : GRP.LOCAL
          Test omitted by user request: Intersite
          Test omitted by user request: FsmoCheck
          Test omitted by user request: DNS
          Test omitted by user request: DNS
    On the second DC (DCR), I see SYSVOL, no files replicated, also there's no NETLOGON.

  • Camera Extras and Contacts Share available in Mark...

    As the title says, but as of this morning they aren't under the Nokia Collection section, you'll need to search for them by name.

    Hi rich,
    Thanks for your feedback.
    If you do not (yet) see the apps in Marketplace you can use a QR code to find them.
    Press the Search button on your Lumia phone and then tap Vision
    Scan the barcode by pointing your phone at it. You can scan all three in sequence or one at a time.
    Tap on the link when it appears on your phone (Need help scanning?)
    Install the application from the Windows Phone Marketplace
    If this option is not available to you download the app Esponce QR Reader or QR Code Reader as an alternative.
    Here are the App QR codes:
    Camera Extras
    Contact Share
    Nokia Counters
    Hope this helps,
    Kosh
    Press the 'Accept As Solution' icon if I have solved your problem, click on the Star Icon below if my advice has helped you!

  • New DC without netlogon share is not working.

    Hello all,
    I have a brand new DC  (server 2012) that I joined to my domain and it is not behaving. It is a clean install plus the directory services role, the static IP and the promotion, nothing else. The domain has one more DC (server 2012) and it is functioning
    properly. The DNS servers of the new DC are the working DC and 127.0.0.1 as secondary. The time is the same, the name is new on a new install of windows (no images, no cloning, no restores). The promotion completed successfully with the initial replication
    (it said).
    Here is the output of dcdiag:
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = IL-DC2
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\IL-DC2
          Starting test: Connectivity
             ......................... IL-DC2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\IL-DC2
          Starting test: Advertising
             Warning: DsGetDcName returned information for \\MD-DC.mydomain.com, when we were trying to reach IL-DC2.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... IL-DC2 failed test Advertising
          Starting test: FrsEvent
             ......................... IL-DC2 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
             replication problems may cause Group Policy problems.
             ......................... IL-DC2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... IL-DC2 passed test SysVolCheck
          Starting test: KccEvent
             A warning event occurred.  EventID: 0x80000481
                Time Generated: 03/06/2014   05:07:50
                Event String: Internal event: The following schema class has a superclass that is not valid.
             A warning event occurred.  EventID: 0x80000481
                Time Generated: 03/06/2014   05:07:50
                Event String: Internal event: The following schema class has a superclass that is not valid.
             A warning event occurred.  EventID: 0x80000481
                Time Generated: 03/06/2014   05:07:50
                Event String: Internal event: The following schema class has a superclass that is not valid.
             A warning event occurred.  EventID: 0x80000B46
                Time Generated: 03/06/2014   05:09:43
                Event String:
                The security of this directory server can be significantly enhanced by configuring the server to reject SASL
     (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple
     binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds,
    configuring the server to reject them will improve the security of this server.
             ......................... IL-DC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... IL-DC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... IL-DC2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... IL-DC2 passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\IL-DC2\netlogon)
             [IL-DC2] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
             ......................... IL-DC2 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... IL-DC2 passed test ObjectsReplicated
          Starting test: Replications
             ......................... IL-DC2 passed test Replications
          Starting test: RidManager
             ......................... IL-DC2 passed test RidManager
          Starting test: Services
             ......................... IL-DC2 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/06/2014   04:20:58
                Event String: The WinRM service is not listening for WS-Management requests.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/06/2014   04:50:41
                Event String:
                Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers r
    esponded.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/06/2014   04:50:41
                Event String:
                Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers r
    esponded.
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/06/2014   04:51:32
                Event String: The WinRM service is not listening for WS-Management requests.
             An error event occurred.  EventID: 0x00001001
                Time Generated: 03/06/2014   04:56:46
                Event String:
                The machine IL-DC2 attempted to join the domain mydomain.com but failed. The error code was 1332.
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/06/2014   04:58:07
                Event String: The WinRM service is not listening for WS-Management requests.
             An error event occurred.  EventID: 0x0000271A
                Time Generated: 03/06/2014   04:58:06
                Event String:
                The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
             A warning event occurred.  EventID: 0x00001796
                Time Generated: 03/06/2014   04:59:21
                Event String:
                Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and t
    his server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:09
                Event String:
                Driver HP Universal Printing PCL 6 required for printer HP Universal Printing PCL 6 is unknown. Contact the
    administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:09
                Event String:
                Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact t
    he administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:12
                Event String:
                Driver HP Universal Printing PCL 6 required for printer HP Color LaserJet CM1312nfi MFP (192.168.2.20) is un
    known. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:12
                Event String:
                Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact
    the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:13
                Event String:
                Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver be
    fore you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:13
                Event String:
                Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the
     administrator to install the driver before you log in again.
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/06/2014   05:08:51
                Event String: The WinRM service is not listening for WS-Management requests.
             A warning event occurred.  EventID: 0x00001796
                Time Generated: 03/06/2014   05:12:17
                Event String:
                Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and t
    his server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:02
                Event String:
                Driver HP Universal Printing PCL 6 required for printer HP Universal Printing PCL 6 is unknown. Contact the
    administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:02
                Event String:
                Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact
    the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:03
                Event String:
                Driver HP Universal Printing PCL 6 required for printer HP Color LaserJet CM1312nfi MFP (192.168.2.20) is un
    known. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:04
                Event String:
                Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver be
    fore you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:04
                Event String:
                Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact t
    he administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:05
                Event String:
                Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the
     administrator to install the driver before you log in again.
             ......................... IL-DC2 failed test SystemLog
          Starting test: VerifyReferences
             ......................... IL-DC2 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : mydomain
          Starting test: CheckSDRefDom
             ......................... mydomain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... mydomain passed test CrossRefValidation
       Running enterprise tests on : mydomain.com
          Starting test: LocatorCheck
             ......................... mydomain.com passed test LocatorCheck
          Starting test: Intersite
             ......................... mydomain.com passed test Intersite
    I also have the following event:
    Log Name:      System
    Source:        NetJoin
    Date:          3/6/2014 4:56:46 AM
    Event ID:      4097
    Task Category: None
    Level:         Error
    Keywords:      
    User:          S-1-5-21-1062633599-3710215183-3313947919-500
    Computer:      IL-DC2
    Description:
    The machine IL-DC2 attempted to join the domain mydomain.com but failed. The error code was 1332.
    Although the machine joined the domain, it is listed with the appropriate records and promoted. 
    Can anybody help me get a second DC for this domain running? It is kind of urgent... I tried demoting/promoting, reinstalling, I tried to do a non-authoritative restore, however, I don't have the appropriate registry key... I saw the various different posts
    on similar issues, please do not paste them as I read them and I was not able to solve this.
    Thank you in advance for any responses!
    Best regards,
    Irina

    Umar,
    Thank you big time for your time and help today. After we finished talking I tried the authoritative restore (vs non-authoritative the first time - didn't help) and then I started over (one more time) and created one more DC. Before promoting it I disabled
    the firewall and the user control in order to make sure nothing is stopping it. I also triple checked the time. I promoted it without the DNS server and Global Catalog functions. I faced the same wall. After the promotion the SYSVOL and NETLOGON shares were
    still not there. 
    After hours of more reading I finally found this:
    http://social.technet.microsoft.com/Forums/en-US/58b8cdc3-a990-46c7-a70e-a51fd6965537/sysvol-and-netlogon-shares-missing-from-new-domain-controllers-using-dfrs?forum=windowsserverpreview
    and it saved me. So I followed this guy's steps and my system shares showed up on both new DCs. Then I had to wait one more hour for everything to get in sync and after that I successfully shut down my main DC and the other two took over. 
    Thank you again for the help!
    Best regards,
    Irina
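
Added example, not part of the thread above: a PowerShell parser for dcdiag text output like the one posted, which lists the share-related tests that failed or were omitted so that a failing NetLogons or Advertising check is not buried in SystemLog noise. The function name ConvertFrom-DcDiagText is hypothetical, the sample lines are copied from the dcdiag outputs on this page and trimmed, and English dcdiag output is assumed.

```powershell
# Added example: parse dcdiag text output into one object per test.
# ConvertFrom-DcDiagText is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-DcDiagText {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Line)

    $target  = $null   # server or partition currently under test
    $test    = $null   # test whose detail lines are being collected
    $details = New-Object 'System.Collections.Generic.List[string]'

    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^(?:Testing server:|Running \w+ tests on :)\s*(\S+)') {
            $target = $Matches[1]
        }
        elseif ($text -match '^Starting test:\s+(\S+)') {
            $test = $Matches[1]
            $details.Clear()
        }
        elseif ($text -match '^Test omitted by user request:\s+(\S+)') {
            # A skipped test proves nothing about the share it would have checked.
            [pscustomobject]@{ Target = $target; Test = $Matches[1]; Result = 'omitted'; Details = '' }
        }
        elseif ($text -match '^\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)') {
            # Verdict line: emit the result together with the text printed before it.
            [pscustomobject]@{
                Target  = $Matches[1]
                Test    = $Matches[3]
                Result  = $Matches[2].ToLower()
                Details = ($details -join ' ')
            }
            $test = $null
            $details.Clear()
        }
        elseif ($test -and $text) {
            $details.Add($text)   # warning/error text printed before the verdict line
        }
    }
}

# Constructed sample: lines copied from the dcdiag outputs on this page, trimmed.
$sample = @'
   Testing server: Default-First-Site-Name\IL-DC2
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\MD-DC.mydomain.com, when we were trying to reach IL-DC2.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... IL-DC2 failed test Advertising
      Starting test: SysVolCheck
         ......................... IL-DC2 passed test SysVolCheck
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\IL-DC2\netlogon)
         ......................... IL-DC2 failed test NetLogons
      Test omitted by user request: frssysvol
'@ -split "`r?`n"

# Tests that speak to SYSVOL/NETLOGON health; anything not 'passed' needs a look.
$shareTests = 'Advertising', 'NetLogons', 'SysVolCheck', 'DFSREvent', 'FrsEvent', 'frssysvol'
$findings = ConvertFrom-DcDiagText -Line $sample |
    Where-Object { $shareTests -contains $_.Test -and $_.Result -ne 'passed' }
$findings | Format-List Target, Test, Result, Details

# Live use on a DC (assumes dcdiag.exe is on the path):
#   ConvertFrom-DcDiagText -Line (dcdiag /s:IL-DC2)
```

In the thread's output SysVolCheck passes while NetLogons fails, so alert on each test separately rather than on SysVolCheck alone.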

  • Excessive Traffic on Port 445 between 2 Domain Controllers

    Hi, my company has over 45 DC's across about 25 sites worldwide.  We are noticing a lot of traffic using wireshark and Network Monitor on Microsoft-DS port 445. I have been searching if this is normal and what I see is that it is used for SMB File and
    print sharing. Well, I don't have any file shares on these DC's other than the normal admin shares and sysvol share. I don't believe this is replication traffic since these 2 servers are not replication partners. I have checked sites and services to make sure
    the intersite and intrasite connections look good.   This traffic is constant over weeks and it is about 1 GB an hour between the 2 servers.  This would not be a big deal if this was just on the local LAN but it is over the WAN and
    that saturates the line.   Should 2 DC's be talking that much that are not even replication partners?  What type of traffic could it be.  I am at a loss for troubleshooting this.  I have done packet captures but that really does
    not tell me much (that I can read anyway).  Oh, I have run AV scans also and finding nothing.
    Any help would be greatly appreciated.
    Steve

    Actually, DFS/FRS/DFSR replication is not related to NTDS replication. It uses a directory change notification event to trigger replication to a replica, and that is to all DCs in the domain. That's why you can have SYSVOL replication problems but AD replication
    of the partitions does not have problems, such as when you create a user on one and it replicates to its NTDS partner.
    Below is a summary. You can read about how the whole process with NTFRS/DFSR works in the links below, if you like:
    Introduction to Administering DFS-Replicated SYSVOL
    "DFS Replication technology significantly improves replication of SYSVOL. ... When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated."
    "To replicate only updates to files, DFS Replication uses an algorithm called remote differential compression (RDC). RDC detects changes ... without having to replicate the entire file. RDC detects insertions, removals, and rearrangements of data
    in files. The DFS Replication service monitors SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication automatically replicates the file updates to the SYSVOL folders on the other domain controllers in the domain. "
    http://technet.microsoft.com/en-us/library/cc794837(v=WS.10).aspx
    How FRS Works - Windows 2003
    http://technet.microsoft.com/en-us/library/cc758169(v=WS.10).aspx
    DFS Replication: Frequently Asked Questions (FAQ)
    http://technet.microsoft.com/en-us/library/cc773238(v=WS.10).aspx
    I think 316 MB in SYSVOL is a good amount of data. What is in there taking up that much space? Is something using SYSVOL to store its data, such as an app that's constantly changing data?
    The reason I'm asking is that this could be the cause of the issue, since if it changes on one DC, then it replicates, then another change occurs, etc., and it keeps going and it appears that a ton of data is being moved back and forth.
    Quick story - I remember a customer was using SYSVOL to store data so they can access it across the WAN link. He said he did it because of its "cool" replication features. I said, yea, but it's meant for domain data (GPO policies, templates, etc.)
    and not for custom data. Create a DFS share for that so it works independently of SYSVOL.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Help with Powershell script to gather eventlogs from all Domain Controllers

    I am trying to write a script to grab the last 5 days of application, security and system logs from all domain controllers. The script runs but only pulls the logs from the local server. The $Computer variable has all of my DC's so it is querying fine. I
    assume it is an issue with my ForEach-Object line but it doesn't error out. See the script below.
    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *
    ForEach-Object -InputObject $Computers  -Process {Get-EventLog -LogName $log -After $then -Before $now -EntryType Error | select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File $env:TEMP\Applicationlog.htm}
    Invoke-Expression $env:TEMP\Applicationlog.htm
    Thanks,
    Rich

    Also, you're missing the -ComputerName parameter in the Get-EventLog Cmdlet. 
    I would re-write the loop part of the script like this:
    Import-Module ActiveDirectory   # provides Get-ADDomainController
    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *
    foreach ($Computer in $computers) {
        # Query each DC by host name; without -ComputerName only the local log is read
        Get-EventLog -ComputerName $Computer.HostName -LogName $log -After $then -Before $now -EntryType Error |
            select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File .\Applicationlog.htm -append
    }
    # Open the report once, after every DC has been queried
    Invoke-Item .\Applicationlog.htm
    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)

  • ACS 5.1 & Tons of Domain Controllers Behind Firewalls

    We have ACS 5.1 deployed in a large environment where we have two local domain controllers and boat loads of other domain controllers outside of our administrative domain behind multiple firewalls. When joining ACS to the domain we had troubles. Debugs were showing the system attempting connection to a bunch of DCs outside of us before eventually timing out. I decided to click the "Test Connectivity" button and let it sit. About 20 minutes later the page finally popped up the box that said the connection was successful. At that point I was able to save the config, the status showed connected, and I was even able to enumerate the directory groups.
    However, when I go to do actual testing I keep getting EAP-TLS timeouts that I suspect are due to the million other DCs it's trying to talk to. Additionally, now when I go back to the "directory groups" tab it no longer pulls groups even though the status still shows "connected."
    Is there any way to limit which domain controllers we talk to? Or should I just switch to a generic LDAP store? If I switch to LDAP, do I lose any functionality?
    Thanks.

    Hi,
    We had the same issue in our environment, where we have over 100 DC's located across the US and each behind series of firewalls. We ended up going to LDAP and eventually LDAP-S as we were able to point the ACS machines to a specific set of servers. With AD, we would constantly see our ACS boxes trying to contact every GC server and if it failed to reach a few it would time out and disconnect.
    Hopefully that helps.
