Need advice in Recovering a domain controller
Make sure a DCDIAG runs cleanly before you try to promote another DC.
You will need to do a metadata cleanup before you deploy a replacement DC:
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/3984.domain-controller-demotion-and-metad...
I would give it a different name tbh, just in case you have any stale data in AD that the metadata cleanup didn't deal with.
Need advice on recovering metadata
Let me explain that subject line:
I made a completely brain-dead move and accidentally deleted some RAW files (83 to be exact) after
they were imported. LR says they're missing and I have not yet deleted them from the LR catalog. I
used the lightroom_recover app to extract the JPEG previews to JPG files and I've realigned
filenames so where I used to have FOO1.CR2, I now have FOO1.JPG and so on.
What I'm looking for advice on: LR doesn't store much metadata in the JPEG preview files so now what
I'd like to do is somehow get the metadata in LR's database into the recovered JPEGs. Once I do
that, I'll delete those CR2's from the LR database and import the JPEGs.
I don't want to distract from the above topic but FWIW, what I did was import from my camera's
memory card but somehow, instead of copying files to the hard disk in my laptop as usual, I imported
in-place without knowing. Once the card was back in the camera and reformatted, kiss those files
goodbye. Which all made me wonder: has the notion of "import presets" been discussed and what was
the general consensus if so? Knowing that with one button I could set all options in the import
dialog to a known-good set of options might have prevented this.
I've resolved this as best I can and I'll outline the steps here in case someone else has this
problem later and searches the forum for a solution. This is a long post.
As Tim says, if all you want to recover is your IPTC metadata, then it's trivial: import the JPEGs
you recovered with lightroom_recover, have LR sync the metadata, then remove the original files from
your catalog.
I wanted to recover the EXIF metadata as well though and that required several more steps (I wish LR
were more capable in terms of EXIF handling). Here are the steps I took. I'm interested to hear if
others find an easier way. You need to be comfortable with the command-line for this. The general
idea is to put dummy RAWs back where the lost files should be so that LR believes they are now
there. Then have LR write metadata to disk for those. Then put that metadata into the recovered
JPEGs.
1) Do NOT remove the missing files from LR yet. If you've done that, the metadata you are trying to
recover is gone.
2) Extract the jpegs from LR's previews using lightroom_recover.exe (available here:
http://www.ploki.info/index.php/Main/LightRoomRecover). The JPEG files will be named after the
internal LR ID for the photo. For clarity, you will want to spend the time renaming them to match
the originals. For instance, for every foo.CR2, I found the matching JPEG file and named it foo.JPG.
Place the JPEG files in the same directory where the lost files were. Yes, this is tedious.
3) Copy any old RAW file you have around into the directory where the lost files used to be. There
should be one copy per lost file. E.g.: copy the same dummy.cr2 to foo1.cr2 and foo2.cr2 and so on.
You can probably do this several ways including manually. I used a simple for loop from bash:
for x in *.JPG; do cp ../dummy.CR2 "$(basename "$x" .JPG).CR2"; done
4) Back to LR, try to view the lost images in the Library module. It should now "see" them although
it will give you a preview to match the dummy file instead of the original. This is ok at this point
because you saved your images in step 2. Select all of them and write their metadata to disk with
Ctrl+s.
5) You should now see a bunch of updated .xmp files for each of the lost RAW files. Use exiftool
(available here: http://www.sno.phy.queensu.ca/~phil/exiftool/) to copy the metadata in those to the
recovered JPEG files with this command:
exiftool -TagsFromFile %d%f.xmp -all:all -ext jpg .
6) Almost there. Exiftool keeps the original JPEG files with _original appended to the file name.
You need to move these to another folder to avoid LR thinking these are sidecar JPEGs when you
import. Don't delete them since they're your precious images - move them instead.
7) In LR, import the recovered JPEG files. Verify that the EXIF metadata looks good in Library. If
so, you can go ahead and remove the originals from the catalog and you're done.
The above steps assume original RAWs with XMP sidecars. For DNG users, I haven't tested a solution
but I would change step 3 to copy a dummy DNG file instead and change the exiftool command in step 5
to extract metadata from DNGs instead of XMPs.
- Dave -
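The file juggling in steps 3, 5 and 6 above is easy to get wrong by hand (a stray copy can overwrite a RAW that did survive, and exiftool run before every sidecar exists leaves some JPEGs without EXIF). The script below is an added example, not Dave's code: it places one dummy RAW per recovered JPEG without touching existing RAWs, reports which photos still lack an .xmp sidecar after Ctrl+S, runs the exact exiftool command from step 5 when exiftool is on the PATH, and moves the `*_original` backups aside. Folder names, the `.CR2` extension and the sample files it builds are assumptions.

```python
"""Automate the file juggling in steps 3, 5 and 6 of the recovery procedure.

Added example; not code from the original post. Folder layout and the .CR2
extension are assumptions; exiftool is only invoked if it is installed.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path


def recovered_jpegs(folder):
    """Recovered JPEGs, matched case-insensitively (Windows and Linux alike)."""
    return sorted(p for p in Path(folder).iterdir()
                  if p.is_file() and p.suffix.lower() == ".jpg")


def place_dummy_raws(folder, dummy_raw, raw_ext=".CR2"):
    """Step 3: for each FOO.JPG create FOO.CR2 as a copy of dummy_raw.
    A RAW that already exists is left alone, so a surviving original is never
    overwritten by a dummy. Returns the paths that were created."""
    created = []
    for jpg in recovered_jpegs(folder):
        target = jpg.with_suffix(raw_ext)
        if target.exists():
            continue
        shutil.copyfile(dummy_raw, target)
        created.append(target)
    return created


def missing_sidecars(folder):
    """Step 4 check: stems whose FOO.xmp sidecar Lightroom has not written yet.
    Running exiftool before every sidecar exists silently leaves those JPEGs
    without their EXIF data."""
    return [jpg.stem for jpg in recovered_jpegs(folder)
            if not jpg.with_suffix(".xmp").exists()]


def exiftool_command(folder):
    """The step 5 command: copy every tag from FOO.xmp into FOO.jpg."""
    return ["exiftool", "-TagsFromFile", "%d%f.xmp", "-all:all",
            "-ext", "jpg", str(folder)]


def copy_metadata(folder):
    """Step 5. Returns None when exiftool is not on PATH instead of failing."""
    if shutil.which("exiftool") is None:
        return None
    return subprocess.run(exiftool_command(folder), check=True,
                          capture_output=True, text=True)


def quarantine_originals(folder, backup_dir):
    """Step 6: move the FOO.JPG_original backups exiftool left behind into
    backup_dir so Lightroom does not treat them as part of the import.
    They are moved, never deleted. Returns the new locations."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for p in sorted(Path(folder).iterdir()):
        if p.is_file() and p.name.lower().endswith("_original"):
            dest = backup_dir / p.name
            shutil.move(str(p), str(dest))
            moved.append(dest)
    return moved


def build_sample_folder():
    """Constructed sample layout (not real photos): three recovered JPEGs, one
    of which still has its real RAW, and a dummy RAW one level up.
    Returns (shoot_folder, dummy_raw, backup_folder)."""
    root = Path(tempfile.mkdtemp(prefix="lr-recover-"))
    shoot = root / "2014-01-shoot"
    shoot.mkdir()
    dummy = root / "dummy.CR2"
    dummy.write_bytes(b"DUMMY RAW")
    for stem in ("foo1", "foo2", "foo3"):
        (shoot / f"{stem}.JPG").write_bytes(b"\xff\xd8\xff\xd9")  # bare JPEG markers
    (shoot / "foo3.CR2").write_bytes(b"SURVIVING ORIGINAL")
    return shoot, dummy, root / "originals-backup"


if __name__ == "__main__":
    shoot, dummy, backup = build_sample_folder()
    print("dummies placed:", [p.name for p in place_dummy_raws(shoot, dummy)])
    print("still without sidecar:", missing_sidecars(shoot))
    print("exiftool:", "ran" if copy_metadata(shoot) else "not installed, skipped")
    print("backups moved:", [p.name for p in quarantine_originals(shoot, backup)])
```

Run `place_dummy_raws`, then do step 4 in Lightroom, then call `missing_sidecars` and only proceed to `copy_metadata` when it returns an empty list.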
Replace WS2003 domain controller for WS2012 domain controller
Hi, I think that is a common problem but I haven't found anything exactly like this, only something similar, and I still have a lot of doubts.
The thing is that I have a network with two domain controllers:
WS2003 - 192.168.0.1, which is the first domain controller I created and is also a file sharing server
WS2008R2 - 192.168.0.8, which is a new domain controller I added one year ago.
Now, I want to replace the first one, keeping the second one.
I am thinking of removing the first one and replacing it with a new machine (WS2012) with the same IP and host name. I need the same host name because clients are pointing to it to get the shared files.
My main fear is that clients get some error related to the trust relationship and I will have to rejoin them one by one to the domain.
As I have another domain controller, will the global catalog of the new machine be synchronized automatically with the WS2008R2 domain controller?
Do I need to demote the old domain controller before adding the new one?
Thanks a lot
Hi Tomas,
As pointed out by Burakm, you should have an additional file server and should avoid using a Domain Controller, which has privileged access, to share files. This puts you at a security risk.
Regarding the requirement of old host name:
Here is something that would let you keep a different servername and IP, yet allow your users to connect to the old hostname and access the share. Use CNAME records of old server to point it to the new hostname.
How to Configure Windows Machine to Allow File Sharing with DNS Alias
You might also look for Distributed File System Shares.
http://blogs.technet.com/b/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
NOTE- You can't run in-place upgrade of a 2003 to 2012 DC.
Regards,
Satyajit
Please “Vote As Helpful”
if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you. -
Recovering Domain Controller in Exchange 2010 environment.
Hi Friends,
We have one Windows 2008 Domain Controller and one Exchange 2010 server with all roles installed. My problem is: if my domain controller fails, how can I recover it?
Are there any steps for domain controller recovery in an Exchange 2010 environment?
Thanks & regards,
Pradeep
Hi Pradeep,
Sorry to hear that... The only option you have is to do a non-authoritative restore of Active Directory...
From the Exchange perspective, once you restore from an old backup, whatever changes you made in Exchange since then won't be there, as Exchange keeps all its settings in Active Directory. For example, if you have created users, you would need to recreate
them and attach their mailboxes back to the users...
Blog |
Get Your Exchange Powershell Tip of the Day from here -
Help with setting up active directory domain controller/DNS - need this for Clustering
Disclaimer: I am new to Active Directory, so please don't rule out the obvious things I may have overlooked.
I need to set up Active Directory Domain controller on at least one server so I can run clustering. I set up the domain controller and ran Cluster validation and that failed - unable to reach writable domain controller.
When I look at my server manager AD DS complain about DNS:
NASE-2012-234 4015 Error Microsoft-Windows-DNS-Server-Service DNS Server 1/14/2014 12:54:06 AM
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
When I click on DNS this is the error:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
Output of DCDiag -v is below.
PS C:\Users\Administrator> dcdiag -v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine NASE-2012-234, is a Directory Server.
Home Server = NASE-2012-234
* Connecting to directory service on server NASE-2012-234.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=NASE-2012-234,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\NASE-2012-234
Starting test: Connectivity
* Active Directory LDAP Services Check
The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... NASE-2012-234 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\NASE-2012-234
Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : lab
Starting test: CheckSDRefDom
......................... lab passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... lab passed test CrossRefValidation
Running enterprise tests on : lab.nasecom
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
PDC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
Time Server Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
Preferred Time Server Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
KDC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
......................... lab.nase.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
provided.
......................... lab.nasecom passed test Intersite
PS C:\Users\Administrator>
http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS is the forum for Directory Services questions. You might want to post your question there.
.:|:.:|:. tim -
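The one line in that output worth acting on is the Connectivity failure: the name dcdiag could not resolve has the form `<GUID>._msdcs.<forest>`, which is the DC's own DSA GUID CNAME, the alias its replication partners (and dcdiag's connectivity test) use to find it. The script below is an added example, not something from the thread: it parses `dcdiag` text for pass/fail verdicts and unresolved names and says which DNS zone the missing record belongs in. The sample text is an abridged copy of the output posted above, embedded so the script runs offline.

```python
"""Summarise dcdiag -v output: failed tests and names that did not resolve.

Added example; not from the original thread. A name of the form
<GUID>._msdcs.<forest> is a DC's DSA GUID CNAME record.
"""
import re

# Constructed: abridged copy of the posted dcdiag output.
SAMPLE_DCDIAG = """\
Testing server: Default-First-Site-Name\\NASE-2012-234
Starting test: Connectivity
* Active Directory LDAP Services Check
The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... NASE-2012-234 failed test Connectivity
Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: LocatorCheck
......................... lab.nase.com passed test LocatorCheck
"""

# "......... <target> passed|failed test <name>" verdict lines.
RESULT_RE = re.compile(
    r"^\.*\s*(?P<target>\S+) (?P<verdict>passed|failed) test (?P<test>\w+)\s*$", re.M)
UNRESOLVED_RE = re.compile(r"The host (?P<host>\S+) could not be resolved")
# <DSA GUID>._msdcs.<forest root>
DSA_CNAME_RE = re.compile(
    r"^(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\._msdcs\.(?P<forest>\S+)$",
    re.I)


def parse_dcdiag(text):
    """All test verdicts plus every host name dcdiag could not resolve."""
    return {
        "results": [m.groupdict() for m in RESULT_RE.finditer(text)],
        "unresolved": UNRESOLVED_RE.findall(text),
    }


def failed_tests(text):
    """(target, test) pairs that failed, in output order."""
    return [(r["target"], r["test"])
            for r in parse_dcdiag(text)["results"] if r["verdict"] == "failed"]


def classify_host(host):
    """Say what an unresolved name is so the right DNS zone gets checked."""
    m = DSA_CNAME_RE.match(host)
    if m:
        return {"kind": "dsa-guid-cname", "dsa_guid": m["guid"].lower(),
                "zone": "_msdcs." + m["forest"]}
    return {"kind": "other", "host": host}


def findings(text):
    """Human-readable list of what went wrong, for a ticket or a check script."""
    out = [f"{target}: test {test} failed" for target, test in failed_tests(text)]
    for host in parse_dcdiag(text)["unresolved"]:
        info = classify_host(host)
        if info["kind"] == "dsa-guid-cname":
            out.append(f"DSA GUID CNAME {info['dsa_guid']} missing or unreachable "
                       f"in zone {info['zone']}")
        else:
            out.append(f"name {host} did not resolve")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_DCDIAG):
        print(line)
```

Feed it the saved output of `dcdiag /v > dcdiag.txt`; a DC whose own DSA GUID CNAME does not resolve cannot be found by its partners, so that record is the first thing to verify on the DNS server the DC points at.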
Does a domain controller need a certificate
Hi,
I have a certificate related question. While checking the logs on our domain controller, I discovered a certificate problem. In the Personal store is a Domain controller Template certificate that expired last year. It was created by an
enterprise CA that no longer exists and was not properly removed from the domain. My question is: Is the certificate needed for anything? I inherited the administration of the domain and I am trying to clean it up.
Thanks
Ron Soulliard
Ron Soulliard Systems Administrator Polaris Ventures
Hi Ronald,
In addition to Paul's input,
For your question, is the certificate needed for anything?
It depends on your security requirements, such as the level of confidential information you share through the network.
Certificates are useful for doing SSL/IPSec, providing wireless authentication, and for securing VPNs.
Regarding Certificate Services, it allows you to create and manage "self-signed" certificates.
It allows many security enhancements, but only to the point that any security service based on SSL certificates will be installed, configured, and enabled.
Also it allows you to be your own Certificate Authority, instead of purchasing a commercial SSL certificate.
Check out the thread below dealing with a similar discussion:
Is Certificate Services necessary for a small domain?
Regards,
Gopi
JiJi Technologies -
Need to delete Transport system , which is not domain controller
I need to delete transport system on machine which is not domain controller .
Our domain controller system is not available now.
How can I delete the transport system on my machine as the domain controller system is not available?
Please let me know what I can do.
Thanks,
Asc
Hi,
Logon to any system which is in your transport path in client 000. Then in stms, go to Overview ---> Systems. Here you can find all the systems in your transport path. You can also find the domain controller which you have configured as before.
Now, goto Extras----> Delete TMS Configuration.
After deleting, logon to system which you want to make as domain controller in client 000. when you execute stms, now it will ask for new stms setup, which you might be aware of.
If you need more guidance, let me know.
Thanks,
Sailesh K -
Need advice on Career in SAP after completing 9 yrs in IT mainly in Telecommunication Domain with BMC Remedy Tool knowledge.
Which module of SAP can I learn and get into, as I have tool-based knowledge in BMC Remedy and fair knowledge in SQL, and I come from a non-IT background? What are the career prospects after completing any SAP module now, and will my previous experience be taken into account?
Prashant,
One of the reasons nobody has replied to you yet is that this is a question with so little information provided.
- There is no mention of your education background.
- Your work background is very vague. What exactly did you do in the Telecommunication Domain?
- What exactly did you do in BMC Remedy? Were you just an end-user or did you do any background support work?
- What exactly did you do in SQL? Did you work on it or did you just attend training?
- Why do you want to jump into SAP? And what precisely do you want to jump into in SAP?
- What are your interests? Technical or Non-technical?
- What's your career objective? Where do you want to be 5 years from now?
Without providing this information, how can anyone help you? Picking a module and going with it makes no sense. What if you spend an insane amount of time and money learning a module in SAP (based on some random suggestions given here) and realize that this is not what you were looking for, or there is little scope for that module in the market? What then?
It's your career that you are planning. It definitely deserves more thought-process and planning to go into.
pk -
Which Server Version for Domain Controller do I Need
Hello
We are currently running two domain controllers with Server 2003 on them. We have a standard TCP/IP star topology networking including web servers, files servers, sql, iis etc.
We are upgrading 5 of our servers to 2012r2 and are using them as "host" servers for upgraded IIS (2012r2) and WebGrabber (2008r2) servers and these servers will be set up as virtual machines (the IIS and web grabbers) on the hosts.
My question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V? Should we upgrade our Domain Controllers and if so to what version? 2008r2 or 2012r2?
Thanks!
Theresa Greene
Theresa Greene
"My question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V? Should we upgrade our Domain Controllers and if so to what version? 2008r2 or 2012r2?"
At least Windows Server 2012
I highly recommend to upgrade the Domain Controllers to at least Windows Server 2012.
Besides the new functionality described by others in this thread, Windows Server 2012-based Domain Controllers (and beyond) offer virtualization safeguards, building on the VM-GenerationID offered by your new virtualization platform. This functionality helps
to protect your Domain Controllers from USN rollbacks and Lingering Objects. It also unlocks the Domain Controller Cloning functionality, that may help you deploy your five Domain Controllers faster and more streamlined.
More information:
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
Cases where VM-GenerationID doesn't help make Active Directory virtualization-safe, Part 1
Cases where VM-GenerationID doesn't help make Active Directory virtualization-safe, Part 2
Getting to Windows Server 2012
In terms of getting your Active Directory to Windows Server 2012, there's good news and slightly bad news. The bad news is you can't in-place upgrade your Domain Controllers to Windows Server 2012. The good news: This makes the transition scenario
more appealing.
Instead of upgrading your Domain Controllers on their physical hardware, and, then, convert them to virtual machines, you can build new virtual Windows Server 2012 Domain Controllers, while your Windows Server 2003 Domain Controllers remain running.
Then, when you're ready to get rid of your Windows Server 2003 Domain Controllers, you simply demote them and remove them from your network. I've written a detailed step-by-step on this:
Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012 -
I have racked my brain and done everything that I know to do for about two weeks now. I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming
profiles. It keeps telling me that the roaming profile could not be loaded because of a slow connection. These are workstations that are connected directly to the switch that the DC is connected to. I have tried multiple connections regarding
the layout (DC into the router, router into the switch). The router is a Cisco RV220W. I have two VLANS, one for public and one for private domain. The Private VLAN has DHCP turned off since I am providing it through the DC. I currently
have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port). I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller. The DC can see
the internet fine and the workstations can connect to the shared folders on the server. I can retrieve files by just using the computer name or FQDN. The DC is also running DNS and DHCP. The DNS has the _msdcs setup from when I installed
the active directory role. I have attempted to assign static IP addresses to the workstations:
IP: 10.0.0.80
Subnet: 255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS: 10.0.0.12
I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
The server is assigned:
IP: 10.0.0.12
Subnet: 255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS: 10.0.0.12
The DNS entries have forwarders that forward to my ISP DNS servers for lookup
I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
I've lost my patience with this project and am sinking fast. Can someone please offer some advice as to what I've done wrong? I've created this exact scenario at work many times but, I've never done it with Windows Server 2012. Is this
possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV? I am going to attempt to work on it some more tomorrow when I get over there. I think there may be an issue with the SR-IOV not being enabled on the machine
through the Dell Bios. Would the SR-IOV really cause the workstations to report a slow connection? When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct. I don't
have "ignore slow connections" or any of those GPO's set. I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem. Any help that someone can offer, I am more than willing
to listen. If you need more information, please ask.
Thanks,
Jay
So, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many
posts and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the
virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If Hyper-V would allow passthrough, this would be so much simpler. VMware is looking really good at this point.
I'm disappointed in MS right now. -
Moving domain controller vm between Hyper-V 2012 R2 hosts
Hello,
I have one stand alone Hyper-V host - hvserver01 (Hyper-V Server 2012 R2) and 3 VM's running on it. One Virtual machine is our company's additional Domain controller.
I'm planning to install an additional hyper-v host - hvserver02 (Hyper-V Server 2012 R2) as well.
I have the following task to perform: I need to move domain controller virtual machine from hvserver01 to hvserver02.
So, for this operation which tool do i need - move, export/import or something else... ? or it will be necessary to install a new DC and then demote the old one.. ?
Is there a some special requirements when moving DC from one virtual host to another.. ?
And also, - MS Hyper-V Server 2012 R2 is installed on both Hyper-V hosts.
Do you have some advices ?
Thanks in advance,
There's no difference between a VM acting as your DC and any other VM as far as live-migration is concerned.
You should use live-migration. The VM will remain up and running during the entire process. Both Hyper-V hosts should be domain members. They should have vSwitches with the same exact name. They should have same CPU type, or configure CPU compatibility on
the VM. Configure Live-migration setting on each host. You can use Hyper-V Manager for live-migration..
Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)
Powershell: Learn it before it's an emergency http://technet.microsoft.com/en-us/scriptcenter/powershell.aspx http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx -
New Domain Controller does not show in our different site's Domain controller's Sites and Services
Hi,
we have two sites in our AD environment. OMA site and NY site. we have three domain controllers in our OMA site and two domain controllers in our NY site. All our DCs are windows server 2008R2 except one in our OMA site that is 2003R2 the domain
functional level is also 2003R2.
We decided to raise our functional level to 2008R2. I added a new domain controller in our OMA site and transferred all FSMO roles from the DC that was running 2003R2 to this new domain controller.
The issue now is that our NY site does not make any connection with the new domain controller in the OMA site. It does not even show it under Sites and Services. I have checked the DNS settings and everything. If you try to replicate the connections
from the NY site it gives the following error: "The naming context is in the process of being removed or is not replicated from the specific server."
Can anyone please tell me why this is happening? My brain is just frozen at this moment and I can't figure out why this is happening.
Just noticed this replication issue has been going on for a while now but we never noticed until I added the new DC. Here is the error log for the NY site DC.
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 1/4/2014 8:11:40 AM
Event ID: 2042
Task Category: Replication
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: NORDC1.vertrue.com
Description:
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two DCs may contain lingering objects. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions
of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects". If the local destination DC was allowed to replicate with the source DC, these potential lingering object
would be recreated in the local Active Directory Domain Services database.
Time of last successful replication:
2013-05-16 15:26:38
Invocation ID of source directory server:
9236ac56-d046-4632-b072-acbe823c5f6c
Name of source directory server:
accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com
Tombstone lifetime (days):
90
The replication operation has failed.
User Action:
The action plan to recover from this error can be found at
http://support.microsoft.com/?id=314282.
If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD. To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects
<Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects. To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source
DC> <Destination DC DSA GUID> <NC>".
If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at
http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between
DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved. DCs that fail to inbound replicate deleted objects within tombstone lifetime
number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC. Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are
located immediately.
Alternate User Action:
Force demote or reinstall the DC(s) that were disconnected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
<EventID Qualifiers="49152">2042</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-01-04T13:11:40.963263500Z" />
<EventRecordID>38018</EventRecordID>
<Correlation />
<Execution ProcessID="660" ThreadID="1596" />
<Channel>Directory Service</Channel>
<Computer>NORDC1.vertrue.com</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>2013-05-16 15:26:38</Data>
<Data>9236ac56-d046-4632-b072-acbe823c5f6c</Data>
<Data>accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com</Data>
<Data>90</Data>
<Data>Allow Replication With Divergent and Corrupt Partner</Data>
<Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
</EventData>
</Event> -
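Event 2042 is a safety stop, not a fault in itself: the source has not replicated within the tombstone lifetime, so the partner refuses to pull from it until someone checks for lingering objects. The event text already names the advisory-mode `repadmin` run, which only lists what would be removed. The script below is an added example, not part of the thread: it reads the fields out of an event like the one above, shows how far past the tombstone lifetime the partnership is, and assembles the advisory-mode command string for review. The event text embedded in it is constructed from the values in the post; the naming context and the destination DSA GUID passed to the command are placeholders.

```python
"""Triage an Active Directory event 2042 (inbound replication stopped).

Added example; not from the original thread. Only the fields this script
reads are reproduced from the posted event.
"""
import re
from datetime import datetime

# Constructed from the posted event 2042 (fields this script uses).
SAMPLE_EVENT_2042 = """\
Event ID: 2042
Computer: NORDC1.vertrue.com
Time of last successful replication:
2013-05-16 15:26:38
Invocation ID of source directory server:
9236ac56-d046-4632-b072-acbe823c5f6c
Name of source directory server:
accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com
Tombstone lifetime (days):
90
"""

# Each field is a label line followed by its value on the next line.
FIELDS = {
    "computer": r"Computer:\s*(\S+)",
    "last_replication": r"Time of last successful replication:\s*\n\s*(\S+ \S+)",
    "invocation_id": r"Invocation ID of source directory server:\s*\n\s*(\S+)",
    "source_dsa": r"Name of source directory server:\s*\n\s*(\S+)",
    "tombstone_days": r"Tombstone lifetime \(days\):\s*\n\s*(\d+)",
}


def parse_event_2042(text):
    """Pull the replication-relevant fields out of the event description."""
    out = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"event text lacks field {key!r}")
        out[key] = m.group(1)
    out["last_replication"] = datetime.strptime(out["last_replication"],
                                                "%Y-%m-%d %H:%M:%S")
    out["tombstone_days"] = int(out["tombstone_days"])
    # The source DC's DSA GUID is the label in front of "._msdcs.".
    out["source_dsa_guid"] = out["source_dsa"].split("._msdcs.", 1)[0]
    return out


def replication_gap(event, now):
    """Whole days since the last successful replication, and how many of them
    lie beyond the tombstone lifetime (negative: still inside the lifetime).
    `now` may be a datetime or a 'YYYY-MM-DD HH:MM:SS' string."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    elapsed = (now - event["last_replication"]).days
    return elapsed, elapsed - event["tombstone_days"]


def advisory_command(source_dc, destination_dsa_guid, naming_context):
    """The advisory-mode form named in the event text: enumerates would-be
    deletions in the source DC's event log and removes nothing, so the list
    can be reviewed before any cleanup is run."""
    return ("repadmin /removelingeringobjects "
            f"{source_dc} {destination_dsa_guid} {naming_context} /ADVISORY_MODE")


if __name__ == "__main__":
    ev = parse_event_2042(SAMPLE_EVENT_2042)
    elapsed, over = replication_gap(ev, "2014-01-04 13:11:40")  # event's TimeCreated
    print(f"{ev['computer']}: {elapsed} days since last replication from "
          f"{ev['source_dsa_guid']}, {over} days past the {ev['tombstone_days']}-day lifetime")
    # Placeholders: replace with the DC to examine, a reference DSA GUID and the NC.
    print(advisory_command("<SourceDC>", "<DestinationDcDsaGuid>", "<NC>"))
```

A positive second value from `replication_gap` explains why the partner stopped; the registry override quoted in the event re-enables replication without removing anything, so it should stay at zero until the advisory run has been read.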
I had a single domain controller. It has crashed. I had to create a new domain controller with all the same existing information from the old server: same domain name, server name, and IP. I'm having issues with desktops. Everything is set up on the server.
The desktops however I need to rejoin them to the domain and get them to start syncing properly. But when I do this, the profile is resetting itself to a new profile. How can I keep the same profile with the same documents? Or am I out of luck on this and
have to recreate the profiles? I have had to recreate the profiles so far, but do not want to do this for about 5 computers because there is way too much software and work that will need to be involved in moving these profiles. Any shortcut for these computers
to automatically see this domain server and sync to it? Everything is identical to the old server. The old server is inaccessible.
The new server's domain name is the same, IP address is the same, and computer name is the same. AD is running with all identical information. DNS installed.
Let me know if anyone has some advice on here.

There's unfortunately a lot more involved than names, domain names and IP addresses.
Most of those are linked to long numbers such as SIDs and GUIDs in the background that actually govern the interaction between clients and servers (authentication for one).
Without the same SIDs and GUIDs, I fear there will be no end to your problems.
That's why either a second domain controller or a good backup are so important.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. -
Hi,
I have Windows Server 2008 Enterprise and have
2 Domain Controllers in my Company:
Primary Domain Controller (PDC)
Additional Domain Controller (ADC)
My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred
(5) FSMO Roles from (PDC) to (ADC).
Now my (PDC) is rectified and UP with same configurations and settings. (I did not install new OS or Domain Controller in existing PDC Server).
Finally I want it to move back the (FSMO Roles) from
(ADC) to (PDC) to get UP and operational my (PDC) as Primary.
(Before Disaster my PDC had 5 FSMO Roles).
Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
Example like (FSMO Roles Distribution between both Servers) should be……. ???
Primary Domain Controller (PDC) should contain: ????
Schema Master
Domain Naming Master
Additional Domain Controller (ADC) should contain: ????
RID
PDC Emulator
Infrastructure Master
Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles”.
I will be waiting for your valuable comments.
Regards,
Muhammad Daud

Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
There is a good article I would like to share with you: http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
In case if
Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
There are two approaches that can be followed when an FSMO role holder is down:
1. If the DC can be recovered quickly then I would recommend taking no action
2. If the DC will be down for a long time or cannot be recovered then I would recommend that you seize the FSMO roles and do a metadata cleanup
Attention! For (2) the old FSMO holder should never be up and online again if the FSMO roles were seized. Otherwise, your AD may be facing huge impacts and side effects.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
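As an added illustration of the reply above (this is not the poster's code), the following PowerShell lists the current holders of the five FSMO roles and moves them to a recovered DC. It uses a transfer by default, which requires the current holder to be online; the Seize switch maps to the cmdlet's -Force and is only for the case where the old holder is gone for good. The server name PDC01 is a placeholder and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,   # e.g. 'PDC01' (placeholder name)
        [switch]$Seize                             # only when the old holder is permanently gone
    )
    # A transfer is refused unless the target has replicated recently; check before moving.
    $stale = Get-ADReplicationPartnerMetadata -Target $TargetDc -Scope Server |
             Where-Object { $_.LastReplicationResult -ne 0 }
    if ($stale -and -not $Seize) {
        throw "$TargetDc has failing inbound replication; fix replication before transferring roles."
    }
    $roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
    # -Force makes the cmdlet seize the roles if the current holder cannot be contacted.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles `
                                              -Force:$Seize -Confirm:$false
    Get-FsmoRoleHolder
}

# Before: show who holds what.
Get-FsmoRoleHolder
# Move everything back to the recovered DC (transfer, since the ADC is still online).
Move-AllFsmoRoles -TargetDc 'PDC01'
```

After a seize the old holder must not be brought back online, as the reply says; after a plain transfer both DCs keep running and the role holders can be confirmed with Get-FsmoRoleHolder or netdom query fsmo.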
Setting up FTP on Domain Controller using User Isolation
Hi all,
Our FTP site is set on a domain controller (not best practice I know, but I wasn't involved in the implementation of it). It currently works with the "FTP Root Directory" option selected; however, this is not very secure as everyone has access
to everything. I need to set it up so it uses "Username Directory" as this is a domain controller, and I want them to authenticate via AD User/Group. However when I select that option, I can't connect to the FTP site - connection attempt failed with
"EAI_NONAME - Neither nodename nor servname provided, or not known". When I change it back to "FTP Root Directory" it connects fine.
Basic Authentication is enabled and Anonymous Authentication is disabled.
Virtual Directory option is selected under directory listing options.
Our FTP folder structure is E:\FTPRoot; it got moved to this drive as it's a bigger drive.
I've set up a Virtual Directory for the FTP site and for the individual folders.
I'm stuck on what else to try, any advice and guidance would be appreciated.

Hi,
FTP setup is related to IIS so you could post the question to IIS forum instead.
http://forums.iis.net/
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]