Need advice in Recovering a domain controller

Make sure a DCDIAG runs cleanly before you try to promote another DC.

You will need to do a metadata cleanup before you deploy a replacement DC:

https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/3984.domain-controller-demotion-and-metad...

I would give it a different name tbh, just in case you have any stale data in AD that the metadata cleanup didn't deal with.

Similar Messages

  • Need advice on recovering metadata

    Let me explain that subject line:
    I made a completely brain-dead move and accidentally deleted some RAW files (83 to be exact) after
    they were imported. LR says they're missing and I have not yet deleted them from the LR catalog. I
    used the lightroom_recover app to extract the JPEG previews to JPG files and I've realigned
    filenames so where I used to have FOO1.CR2, I now have FOO1.JPG and so on.
    What I'm looking for advice on: LR doesn't store much metadata in the JPEG preview files so now what
    I'd like to do is somehow get the metadata in LR's database into the recovered JPEGs. Once I do
    that, I'll delete those CR2's from the LR database and import the JPEGs.
    I don't want to distract from the above topic but FWIW, what I did was import from my camera's
    memory card but somehow, instead of copying files to the hard disk in my laptop as usual, I imported
    in-place without knowing. Once the card was back in the camera and reformatted, kiss those files
    goodbye. Which all made me wonder: has the notion of "import presets" been discussed and what was
    the general consensus if so? Knowing that with one button I could set all options in the import
    dialog to a known-good set of options might have prevented this.

    I've resolved this as best I can and I'll outline the steps here in case someone else has this
    problem later and searches the forum for a solution. This is a long post.
    As Tim says, if all you want to recover is your IPTC metadata, then it's trivial: import the JPEGs
    you recovered with lightroom_recover, have LR sync the metadata, then remove the original files from
    your catalog.
    I wanted to recover the EXIF metadata as well though and that required several more steps (I wish LR
    were more capable in terms of EXIF handling). Here are the steps I took. I'm interested to hear if
    others find an easier way. You need to be comfortable with the command-line for this. The general
    idea is to put dummy RAWs back where the lost files should be so that LR believes they are now
    there. Then have LR write metadata to disk for those. Then put that metadata into the recovered
    JPEGs.
    1) Do NOT remove the missing files from LR yet. If you've done that, the metadata you are trying to
    recover is gone.
    2) Extract the jpegs from LR's previews using lightroom_recover.exe (available here:
    http://www.ploki.info/index.php/Main/LightRoomRecover). The JPEG files will be named after the
    internal LR ID for the photo. For clarity, you will want to spend the time renaming them to match
    the originals. For instance, for every foo.CR2, I found the matching JPEG file and named it foo.JPG.
    Place the JPEG files in the same directory where the lost files were. Yes, this is tedious.
    3) Copy any old RAW file you have around into the directory where the lost files used to be. There
    should be one copy per lost file. E.g.: copy the same dummy.cr2 to foo1.cr2 and foo2.cr2 and so on.
    You can probably do this several ways including manually. I used a simple for loop from bash:
    for x in *.JPG; do cp ../dummy.CR2 "$(basename "$x" .JPG).CR2"; done
    4) Back to LR, try to view the lost images in the Library module. It should now "see" them although
    it will give you a preview to match the dummy file instead of the original. This is ok at this point
    because you saved your images in step 2. Select all of them and write their metadata to disk with
    Ctrl+s.
    5) You should now see a bunch of updated .xmp files for each of the lost RAW files. Use exiftool
    (available here: http://www.sno.phy.queensu.ca/~phil/exiftool/) to copy the metadata in those to the
    recovered JPEG files with this command:
    exiftool -TagsFromFile %d%f.xmp -all:all -ext jpg .
    6) Almost there. Exiftool keeps the original JPEG files with _original appended to the file name.
    You need to move these to another folder to avoid LR thinking these are sidecar JPEGs when you
    import. Don't delete them since they're your precious images - move them instead.
    7) In LR, import the recovered JPEG files. Verify that the EXIF metadata looks good in Library. If
    so, you can go ahead and remove the originals from the catalog and you're done.
    The above steps assume original RAWs with XMP sidecars. For DNG users, I haven't tested a solution
    but I would change step 3 to copy a dummy DNG file instead and change the exiftool command in step 5
    to extract metadata from DNGs instead of XMPs.
    - Dave

  • Replace WS2003 domain controller for WS2012 domain controller

    Hi, I think that is a common problem but I haven't found anything exactly like this, only something similar, but I have a lot of doubts yet.
    The thing is that I have a network with two domain controllers:
    WS2003     - 192.168.0.1, who is the first domain controller I created and is also a file sharing server
    WS2008R2 - 192.168.0.8, who is a  new domain controller I added one year ago.
    Now, I want to replace the first one, keeping the second one.
    I am thinking of removing the first one and replacing it with a new machine (WS2012) with the same IP and host name. I need the same host because clients are pointing to it to get the shared files.
    My main fear is that clients get some error related with trust relationship and I will have to rejoin them one by one to the domain.
    As I have another domain controller, will the global catalog of the new machine be synchronized automatically with the WS2008R2 domain controller?
    Do I need to demote the old domain controller before adding the new one?
    Thanks a lot

    Hi Tomas,
    As pointed out by Burakm, you should have an additional file server and should avoid using a Domain controller, which has privileged access, to share files. This puts you at a security risk.
    Regarding the requirement of old host name:
    Here is something that would let you keep a different servername and IP, yet allow your users to connect to the old hostname and access the share. Use CNAME records of old server to point it to the new hostname.
    How to Configure Windows Machine to Allow File Sharing with DNS Alias
    You might also look for Distributed File System Shares.
    http://blogs.technet.com/b/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
    NOTE- You can't run in-place upgrade of a 2003 to 2012 DC.
    Regards,
    Satyajit

  • Recovering Domain Controller in Exchange 2010 environment.

    Hi Friends,
    We have one Windows 2008 domain controller and one Exchange 2010 server with all roles installed. My problem is: if my domain controller fails, how can I recover it?
    Is there any step for domain controller recovery in an Exchange 2010 environment?
    Thanks & regards,
    Pradeep

    Hi Pradeep,
    Sorry to hear that... The only option you have is to do non-authoritative restore of Active Directory...
    From an Exchange perspective, once you do a restore from an old backup, whatever changes you made in Exchange since then won't be there, as Exchange keeps all the settings in Active Directory. For example, if you have created users then you would need to recreate them and attach their mailboxes back to the users...

  • Help with setting up active directory domain controller/DNS - need this for Clustering

    Disclaimer: I am new to Active Directory, so please don't rule out the obvious things I may have overlooked.
    I need to set up Active Directory Domain controller on at least one server so I can run clustering. I set up the domain controller and ran Cluster validation and that failed - unable to reach writable domain controller.
    When I look at my server manager AD DS complain about DNS:
    NASE-2012-234    4015    Error    Microsoft-Windows-DNS-Server-Service    DNS Server    1/14/2014 12:54:06 AM
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
    When I click on DNS this is the error:
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
    Output of DCDiag -v is below.
    PS C:\Users\Administrator> dcdiag -v
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine NASE-2012-234, is a Directory Server.
       Home Server = NASE-2012-234
       * Connecting to directory service on server NASE-2012-234.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=
    ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nas
    e,DC=com
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntD
    SDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=NASE-2012-234,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
    N=Configuration,DC=lab,DC=nase,DC=com
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\NASE-2012-234
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
             Check the DNS server, DHCP, server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... NASE-2012-234 failed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\NASE-2012-234
          Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: DNS
          Test omitted by user request: DNS
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : lab
          Starting test: CheckSDRefDom
             ......................... lab passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... lab passed test CrossRefValidation
       Running enterprise tests on : lab.nasecom
          Test omitted by user request: DNS
          Test omitted by user request: DNS
          Starting test: LocatorCheck
             GC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             PDC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             Time Server Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             Preferred Time Server Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             KDC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             ......................... lab.nase.com passed test LocatorCheck
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
             provided.
             ......................... lab.nasecom passed test Intersite
    PS C:\Users\Administrator>

    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS is the forum for Directory Services questions.  You might want to post your question there.
    .:|:.:|:. tim
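
In the dcdiag output quoted in this thread, only one line reads "failed test", yet every primary test was skipped because the server did not answer directory requests, so counting failures alone would understate the problem. The following is an added example, not code from any poster: a PowerShell parser that classifies dcdiag lines and treats both "failed" and "skipped" as blocking. The function names `ConvertFrom-DcDiagText` and `Test-DcDiagClean` are hypothetical, and the sample text is an excerpt of the output above.

```powershell
# Added example: classify dcdiag text lines and decide whether the run is clean.
# ConvertFrom-DcDiagText and Test-DcDiagClean are illustrative names, not built-in cmdlets.

function ConvertFrom-DcDiagText {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    process {
        foreach ($l in $Line) {
            switch -Regex ($l) {
                # e.g. "......................... NASE-2012-234 failed test Connectivity"
                '^\s*\.{5,}\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)' {
                    [pscustomobject]@{
                        Target = $Matches['target']
                        Test   = $Matches['test']
                        Result = $Matches['result']
                    }
                }
                # dcdiag gives up on the primary tests when the DC does not answer.
                '^\s*Skipping all tests, because server (?<target>\S+) is not responding' {
                    [pscustomobject]@{
                        Target = $Matches['target']
                        Test   = '(all primary tests)'
                        Result = 'skipped'
                    }
                }
                # Some tests are omitted on a normal run too, so this is informational only.
                '^\s*Test omitted by user request:\s+(?<test>\S+)' {
                    [pscustomobject]@{
                        Target = $null
                        Test   = $Matches['test']
                        Result = 'omitted'
                    }
                }
            }
        }
    }
}

function Test-DcDiagClean {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]]$Result
    )
    $blocking = @($Result | Where-Object { $_.Result -in 'failed', 'skipped' })
    $passed   = @($Result | Where-Object { $_.Result -eq 'passed' })
    # No blocking results, and at least one test actually ran and passed.
    return ($blocking.Count -eq 0 -and $passed.Count -gt 0)
}

# Sample input: lines excerpted from the dcdiag output quoted in this thread.
$sample = @'
         ......................... NASE-2012-234 failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\NASE-2012-234
      Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
   Running partition tests on : ForestDnsZones
         ......................... ForestDnsZones passed test CheckSDRefDom
         ......................... ForestDnsZones passed test CrossRefValidation
         ......................... lab.nase.com passed test LocatorCheck
         ......................... lab.nasecom passed test Intersite
'@

$results = @($sample -split "`r?`n" | ConvertFrom-DcDiagText)

# Show everything that ran or was skipped; omitted tests are left out of the table.
$results | Where-Object { $_.Result -ne 'omitted' } | Format-Table -AutoSize

# Blocking findings are what must be fixed before promoting another DC.
$results | Where-Object { $_.Result -in 'failed', 'skipped' } | Format-Table -AutoSize

"Clean run: $(Test-DcDiagClean -Result $results)"

# On a live domain controller the same parser can read the tool directly:
#   dcdiag -v | ConvertFrom-DcDiagText
```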

  • Does a domain controller need a certificate

    Hi,
    I have a certificate related question.  While checking the logs on our domain controller, I discovered a certificate problem.  In the Personal store is a Domain controller Template certificate that expired last year.  It was created by an
    enterprise CA that no longer exists and was not properly removed from the domain.  My question is:  Is the certificate needed for anything?    I inherited the administration of the domain and I am trying to clean it up.
    Thanks
    Ron Soulliard
    Ron Soulliard Systems Administrator Polaris Ventures

    Hi Ronald,
    In addition to Paul's input,
    For your question Is the certificate needed for anything?, 
    It depends on your security requirement, such as the level of confidential information you share through network. 
    Certificate appears to be useful for doing SSL/IPSec, providing wireless authentication, and for securing VPN.
    Regarding Certificate Services, it allows you to create and manage "self signed" certificates. 
    It allows many security enhancements, but only to the point that any security service based on SSL certificates will be installed, configured, and enabled.
    Also it allows you to be your own Certificate Authority, instead of purchasing a commercial SSL certificate.
    Checkout the below thread dealing with the similar discussion,
    Is Certificate Services necessary for a small domain?
    Regards,
    Gopi
    JiJi Technologies

  • Need to delete Transport system , which is not domain controller

    I need to delete the transport system on a machine which is not the domain controller.
    Our domain controller system is not available now.
    How can I delete the transport system on my machine, as the domain controller system is not available?
    Please let me know what I can do.
    Thanks,
    Asc

    Hi,
    Logon to any system which is in your transport path in client 000. Then in stms, go to Overview ---> Systems. Here you can find all the systems in your transport path. You can also find the domain controller which you have configured as before.
    Now, goto Extras----> Delete TMS Configuration.
    After deleting, logon to system which you want to make as domain controller in client 000. when you execute stms, now it will ask for new stms setup, which you might be aware of.
    If you need more guidance, let me know.
    Thanks,
    Sailesh K

  • Need advice on Career in SAP after completing 9 yrs in IT mainly in Telecommunication Domain with BMC Remedy Tool knowledge

    Need advice on Career in SAP after completing 9 yrs in IT mainly in Telecommunication Domain with BMC Remedy Tool knowledge.
    Which Module of SAP I can learn and get into as I have Tool based knowledge in BMC Remedy and fair knowledge in SQL, as I come from non-IT background. What are career prospect after completing  any SAP module now will my previous experience will be taken into account?

    Prashant,
    One of the reasons nobody has replied to you yet is that, this is a question with so little information provided.
    - There is no mention of your education background.
    - Your work background is very vague. What exactly did you do in Telecommunication Domain?
    - What exactly did you do in BMC Remedy? Were you just an end-user or did you do any background support work?
    - What exactly did you do in SQL? Did you work on it or did you just attend training?
    - Why do you want to jump into SAP? And what precisely you want to jump into in SAP?
    - What are your interests? Technical or Non-technical?
    - What's your career objective? Where do you want to be 5 years from now?
    Without providing these information how can anyone help you? Picking a module and going with it makes no sense. What if you spend an insane amount of time and money learning a module in SAP (based on some random suggestions given here) and realize that this is not what you were looking for, or there is little scope for that module in the market? What then?
    It's your career that you are planning. It definitely deserves more thought-process and planning to go into.
    pk

  • Which Server Version for Domain Controller do I Need

    Hello
    We are currently running two domain controllers with Server 2003 on them.  We have a standard TCP/IP star topology networking  including web servers, files servers, sql, iis etc.
    We are upgrading 5 of our servers to 2012r2 and are using them as "host" servers for upgraded IIS (2012r2) and WebGrabber (2008r2) servers and these servers will be set up as virtual machines (the IIS and web grabbers) on the hosts.
    My question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V?  Should we upgrade our Domain Controllers and if so to what version?  2008r2 or 2012r2?
    Thanks!
    Theresa Greene

    My question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V?  Should we upgrade our Domain Controllers and if so to what version?  2008r2 or 2012r2?
    At least Windows Server 2012
    I highly recommend to upgrade the Domain Controllers to at least Windows Server 2012.
    Besides the new functionality described by others in this thread, Windows Server 2012-based Domain Controllers (and beyond) offer virtualization safeguards, building on the VM-GenerationID offered by your new virtualization platform. This functionality helps
    to protect your Domain Controllers from USN rollbacks and Lingering Objects. It also unlocks the Domain Controller Cloning functionality, that may help you deploy your five Domain Controllers faster and more streamlined.
    More information:
    New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
    New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
    Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part
    Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part 2
    Getting to Windows Server 2012
    In terms of getting your Active Directory to Windows Server 2012, there's good news and slightly bad news. The bad news is you can't in-place upgrade your Domain Controllers to Windows Server 2012. The good news: This makes the transition scenario
    more appealing.
    Instead of upgrading your Domain Controllers on their physical hardware, and, then, convert them to virtual machines, you can build new virtual Windows Server 2012 Domain Controllers, while your Windows Server 2003 Domain Controllers remain running.
    Then, when you're ready to get rid of your Windows Server 2003 Domain Controllers, you simply demote them and remove them from your network. I've written a detailed step-by-step on this:
    Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012

  • Windows Domain Controller on Windows Server 2012 R2: Hyper-V roaming profiles not loading due to slow connection

    I have racked my brain and done everything that I know to do for about two weeks now.  I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming
    profiles.  It keeps telling me that the roaming profile could not be loaded because of a slow connection.  These are workstations that are connected directly to the switch that the DC is connected to.  I have tried multiple connections regarding
    the layout (DC into the router, router into the switch).  The router is a Cisco RV220W.  I have two VLANS, one for public and one for private domain.  The Private VLAN has DHCP turned off since I am providing it through the DC.  I currently
    have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
    The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port).  I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller.  The DC can see
    the internet fine and the workstations can connect to the shared folders on the server.  I can retrieve files by just using the computer name or FQDN.  The DC is also running DNS and DHCP.  The DNS has the _msdcs setup from when I installed
    the active directory role.  I have attempted to assign static IP addresses to the workstations:
    IP:                     10.0.0.80
    Subnet:             255.255.255.0
    IPV4 Gateway:  10.0.0.1
    IPV4 DNS:        10.0.0.12
    I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
    The server is assigned:
    IP:                     10.0.0.12
    Subnet:             255.255.255.0
    IPV4 Gateway:  10.0.0.1
    IPV4 DNS:         10.0.0.12
    The DNS entries have forwarders that forward to my ISP DNS servers for lookup
    I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
    I've lost my patience with this project and am sinking fast.  Can someone please offer some advice as to what I've done wrong?  I've created this exact scenario at work many times but, I've never done it with Windows Server 2012.  Is this
    possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV?  I am going to attempt to work on it some more tomorrow when I get over there.  I think there may be an issue with the SR-IOV not being enabled on the machine
    through the Dell Bios.  Would the SR-IOV really cause the workstations to report a slow connection?  When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct.  I don't
    have "ignore slow connections" or any of those GPO's set.  I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem.  Any help that someone can offer, I am more than willing
    to listen.  If you need more information, please ask.
    Thanks,
    Jay

    So, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many
    posts and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the
    virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If Hyper-V would allow passthrough, this would be so much simpler. VMware is looking really good at this point.
    I'm disappointed in MS right now.

  • Moving domain controller vm between Hyper-V 2012 R2 hosts

    Hello,
    I have one stand alone Hyper-V host - hvserver01 (Hyper-V Server 2012 R2) and 3 VM's running on it. One Virtual machine is our company's additional Domain controller.
    I'm planning to install an additional hyper-v host - hvserver02 (Hyper-V Server 2012 R2) as well.
    I have the following task to perform: I need to move domain controller virtual machine from hvserver01 to hvserver02.
    So, for this operation which tool do i need - move, export/import or something else... ? or it will be necessary to install a new DC and then demote the old one.. ?
    Is there a some special requirements when moving DC from one virtual host to another.. ?
    And also, - MS Hyper-V Server 2012 R2 is installed on both Hyper-V hosts.
    Do you have any advice?
    Thanks in advance,

    There's no difference between a VM acting as your DC and any other VM as far as live-migration is concerned.
    You should use live-migration. The VM will remain up and running during the entire process. Both Hyper-V hosts should be domain members. They should have vSwitches with the same exact name. They should have same CPU type, or configure CPU compatibility on
    the VM. Configure Live-migration setting on each host. You can use Hyper-V Manager for live-migration..
    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com

  • New Domain Controller does not show in our different site's Domain controller's Sites and Services

    Hi,
    We have two sites in our AD environment: the OMA site and the NY site. We have three domain controllers in our OMA site and two domain controllers in our NY site. All our DCs are Windows Server 2008R2 except one in our OMA site that is 2003R2; the domain functional level is also 2003R2.
    We decided to raise our functional level to 2008R2. I added a new domain controller in our OMA site and transferred all FSMOs from the DC that was running 2003R2 to this new domain controller.
    The issue now is that our NY site does not make any connection with the new domain controller in the OMA site. It does not even show it under Sites and Services. I have checked the DNS settings and everything. If you try to replicate the connections
    from the NY site it gives the following error: "The naming context is in the process of being removed or is not replicated from the specific server."
    Can anyone please tell me why this is happening? My brain is just frozen at this moment and I can't figure out why this is happening.

    Just noticed this replication issue has been going on for a while now but we never noticed until I added new DC. here is the error log for the NY site DC.
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          1/4/2014 8:11:40 AM
    Event ID:      2042
    Task Category: Replication
    Level:         Error
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      NORDC1.vertrue.com
    Description:
    It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
     The reason that replication is not allowed to continue is that the two DCs may contain lingering objects.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions
    of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".  If the local destination DC was allowed to replicate with the source DC, these potential lingering object
    would be recreated in the local Active Directory Domain Services database.
    Time of last successful replication:
    2013-05-16 15:26:38
    Invocation ID of source directory server:
    9236ac56-d046-4632-b072-acbe823c5f6c
    Name of source directory server:
    accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com
    Tombstone lifetime (days):
    90
    The replication operation has failed.
    User Action:
      The action plan to recover from this error can be found at
    http://support.microsoft.com/?id=314282.
     If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects
    <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source
    DC> <Destination DC DSA GUID> <NC>".
     If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at
    http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
     If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
     Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between
    DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime
    number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.  Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are
    located immediately.
    Alternate User Action:
    Force demote or reinstall the DC(s) that were disconnected.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
        <EventID Qualifiers="49152">2042</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>5</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2014-01-04T13:11:40.963263500Z" />
        <EventRecordID>38018</EventRecordID>
        <Correlation />
        <Execution ProcessID="660" ThreadID="1596" />
        <Channel>Directory Service</Channel>
        <Computer>NORDC1.vertrue.com</Computer>
        <Security UserID="S-1-5-7" />
      </System>
      <EventData>
        <Data>2013-05-16 15:26:38</Data>
        <Data>9236ac56-d046-4632-b072-acbe823c5f6c</Data>
        <Data>accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com</Data>
        <Data>90</Data>
        <Data>Allow Replication With Divergent and Corrupt Partner</Data>
        <Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
      </EventData>
    </Event>
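A triage aid for the Event 2042 quoted above, added here as an example and not part of the original post: it parses the exported Event Xml and reports how far the replication gap exceeds the tombstone lifetime, which source DC is involved, and which registry override the event names. The helper name `triage_2042`, the assumed `<Data>` ordering (taken from the quoted event) and the treatment of both timestamps as one time zone are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the Event Xml quoted in the post above.
EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="49152">2042</EventID>
    <TimeCreated SystemTime="2014-01-04T13:11:40.963263500Z" />
    <Computer>NORDC1.vertrue.com</Computer>
  </System>
  <EventData>
    <Data>2013-05-16 15:26:38</Data>
    <Data>9236ac56-d046-4632-b072-acbe823c5f6c</Data>
    <Data>accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com</Data>
    <Data>90</Data>
    <Data>Allow Replication With Divergent and Corrupt Partner</Data>
    <Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
  </EventData>
</Event>"""


def triage_2042(xml_text):
    """Summarise one exported Event 2042 (hypothetical helper, not a Microsoft tool)."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "2042":
        raise ValueError("not an NTDS Replication 2042 event")
    # SystemTime carries more fractional digits than strptime accepts; keep whole seconds.
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    logged = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    # Assumption: <Data> elements appear in the same order as in the quoted event.
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 6:
        raise ValueError("unexpected EventData layout")
    last_ok = datetime.strptime(data[0], "%Y-%m-%d %H:%M:%S")
    tsl = int(data[3])
    # Assumption: both timestamps are compared as if in one time zone; a few
    # hours of skew does not matter against a threshold measured in days.
    gap = (logged - last_ok).days
    return {
        "destination_dc": root.findtext("e:System/e:Computer", namespaces=NS),
        "source_dc": data[2],
        # First label of <GUID>._msdcs.<forest> is the source DC's DSA object GUID.
        "source_dsa_guid": data[2].split("._msdcs.")[0],
        "source_invocation_id": data[1],
        "gap_days": gap,
        "tombstone_lifetime_days": tsl,
        "days_past_tombstone": gap - tsl,
        "exceeded": gap > tsl,
        # Setting this value re-enables replication and risks reanimating lingering objects.
        "override_value": "HKLM\\" + data[5] + "\\" + data[4],
    }


if __name__ == "__main__":
    for key, value in triage_2042(EVENT_XML).items():
        print(f"{key}: {value}")
```

For the quoted event the gap is well past the 90-day tombstone lifetime, so the override value should stay unset until the advisory-mode lingering object check described in the event text has been run, or the disconnected DC has been force demoted.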

  • Old domain controller crashed. Created a new one..having to rejoin computers to domain..easier way to do this?

    I had a single domain controller. It has crashed. I had to create a new domain controller with all the same existing information from the old server..same domain name, server name, and IP. I'm having issues with desktops. Everything is set up on the server.
    The desktops however I need to rejoin them to the domain and get them to start synching properly. But when I do this, the profile is resetting itself to a new profile. How can I keep the same profile with the same documents? Or am I out of luck on this and
    have to recreate the profiles? I have had to recreate the profiles so far, but do not want to do this for about 5 computers because there is way too much software and work that will need to be involved in moving these profiles. Any shortcut for these computers
    to automatically see this domain server and synch to it? Everything is identical to the old server. The old server is inaccessible.
    The new server's domain name is the same, IP address is the same, and computer name is the same. AD running with all identical information. DNS installed.
    Let me know if anyone has some advice on here.

    There's unfortunately a lot more involved than names, domain names and IP addresses.
    Most of those are linked to long numbers such as "SID"s and "GUID"s in the background that actually govern the interaction between clients and servers (authentication for one).
    Without the same SIDs and GUID, I fear there will be no end to your problems.
    That's why either a second domain controller or a good backup are so important. 
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  • What is the best practice and Microsoft best recommended procedure of placing "FSMO Roles on Primary Domain Controller (PDC) and Additional Domain Controller (ADC)"??

    Hi,
    I have Windows Server 2008 Enterprise and have 2 Domain Controllers in my Company:
    Primary Domain Controller (PDC)
    Additional Domain Controller (ADC)
    My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred (5) FSMO Roles from (PDC) to (ADC).
    Now my (PDC) is rectified and UP with same configurations and settings. (I did not install new OS or Domain Controller in existing PDC Server).
    Finally I want it to move back the (FSMO Roles) from (ADC) to (PDC) to get UP and operational my (PDC) as Primary. (Before Disaster my PDC had 5 FSMO Roles).
    Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
    In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
    Example like (FSMO Roles Distribution between both Servers) should be……. ???
    Primary Domain Controller (PDC) Should contains:????
    Schema Master
    Domain Naming Master
    Additional Domain Controller (ADC) Should contains:????
    RID
    PDC Emulator
    Infrastructure Master
    Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles”.
    I will be waiting for your valuable comments.
    Regards,
    Muhammad Daud

    "Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?"
    There is a good article I would like to share with you: http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
    For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
    "In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment."
    No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
    There are two approaches that can be followed when an FSMO roles holder is down:
    1. If the DC can be recovered quickly then I would recommend taking no action
    2. If the DC will be down for a long time or cannot be recovered then I would recommend that you seize FSMO roles and do a metadata cleanup
    Attention! For (2) the old FSMO holder should never be up and online again if the FSMO roles were seized. Otherwise, your AD may be facing huge impacts and side effects.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Setting up FTP on Domain Controller using User Isolation

    Hi all,
    Our FTP site is set on a domain controller (not best practice I know, but I wasn't involved in the implementation of it). However, it currently works with the "FTP Root Directory" option selected, however this is not very secure as everyone has access
    to everything. I need to set it up so it uses "Username Directory" as this is a domain controller, and I want them to authenticate via AD User/Group. However when I select that option, I can't connect to the FTP site - Connection attempt failed with
    "EAI_NONAME - Neither nodename nor servname provided, or not known". When I change it back to "FTP Root Directory" it connects fine.
    Basic Authentication is Enabled and Anonymous Authentication is disabled.
    Virtual Directory option is selected under directory listing options.
    Our FTP folder structure is E:\FTPRoot it got moved to this drive as it's a bigger drive.
    I've set up a Virtual Directory for the FTP site and for the individual folders. 
    I'm stuck on what else to try, any advice and guidance would be appreciated.

    Hi,
    FTP setup is related to IIS so you could post the question to IIS forum instead.
    http://forums.iis.net/
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
