NTDS Replication - Active Directory encountered a write conflict

HI,Active Directory encountered a write conflict when applying replicated changes to the following object.
Object:
CN=Administrator,OU=Admin,OU=CGL,DC=cgl,DC=local
This seemed to have started when the Administrator Account got locked out some how, it has since been unlocked and hasn't been locked again since.
I have moved the Administrator to a different OU and run repadmin /syncall which seemed successful but shortly afterwards the error logs started appearing again.
I run Ldp.exe and searched under the OU Admin to see if there were duplicate records but only one was found.
Has anyone got any other suggestions? I've tried all the solutions and rebooted the server but still I get the attached in my event viewer... any other ideas anyone? Thanks
Thanks
Hakan
Good luck everyone.

Have you enabled the ability for the built-in Administrator account to being able to be locked out (that's not on by default) - See
http://blogs.technet.com/b/mempson/archive/2012/01/13/event-id-12294-woes.aspx
I suggest renaming the account.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog

Similar Messages

Replication Active Directory, ports issues in firewall

Hi,
i am facing some issue in active directory replication between my Active Directory User Database located in two different locations.
I am not doing any Port based ACL in the firewall, and there is no static / dynamic NAT-ng used between the server ip ranges (nat 0).
1) what could be the possible issue in this?2) do i need to issue any command in the FWSM Module to make use / open the dynamic ports ?3) How can i make sure that these ports are not opend or not blocked on the firewall.
below are some of the ports used for this, based on the information from Microsoft Team.
tcp 5389
tcp 5722
tcp 5729
tcp3268
tcp 3269
tcp 445
udp 445
udp 88
udp 2535
udp 389
tcp 1025 - 5000
tcp 44152 - 65535
Appreciate your valuable support.
regards
Sunny

Hi Bro
If you’re not doing any port based ACL in your FWSM, I can only assume you’re permitting the rules between both the AD by IP e.g. access-list inside permit ip host 1.1.1.1 host 2.2.2.2, am I right? I hope you can PING between both the AD, otherwise this could be a routing issue.
Listed below are some commands that you could type to investigate this issue further;
a) show np block (hardware buffer counters) - if they are non-zero and increasing it's bad. You're most likely running into hardware limitation of the FWSM.
b) show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate limiting mechanisms built into network processors.
Perhaps, what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
hostname(config)#xlate-bypass
If the xlate-bypass doesn’t resolve your issue, please do ensure you’ve a static NAT or dedicated nat/global in place.
The last resort is to enable sysoption np completion-unit, this magic option is invoking special processing created to address scenarios in which FWSM was known to introduce out of order packets for TCP streams.

Powershell Active Directory Account Expiration Script

I am putting together a script that creates a user account in AD, sets the password, adds groups, etc. The part I am having problems with is when the user selects the Contractor employee option and is prompted for the expiration date of the AD account.
The script will create the account, but the expiration date is not set in AD. Any suggestions?
Here's the code:
#Script to create Active Directory account
#Add the Active Directory Module if not already present
if (-not (Get-Module ActiveDirectory))
Import-Module ActiveDirectory -Force
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
Write-Host "Computer Access"
Write-Host "Create Active Directory User Script"
Write-Host "PowerShell 3.0"
Write-Host "Version: 1.2"
Write-Host "Date: 4/14/2014"
Write-Host "Author: "
Write-Host ""
Write-Host "Please review the created Active Directory Account" -ForegroundColor Red -BackgroundColor Yellow
Write-Host ""
Write-Host "Base Business Unit Group Memberships are added only" -ForegroundColor Red -BackgroundColor Yellow
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host "Creating Active Directory Account" -ForegroundColor Yellow
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
#Specify the target OU for new users
$targetOU = "OU=Personnel,OU=ETA,DC=eta,DC=state,DC=tx"
#Find the current domain info
$domdns = (Get-ADDomain).dnsroot # for UPN generation
#Set Account Variables
#Set Username with Dialogue Box
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Username"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setusername=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setusername=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the username for the account:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$samname = ($setusername | Out-String)
$samname = ($setusername) + ("")
function validateUser
    param(
    [string]$username
    #if the username is passed without domain\
    if(($username.StartsWith("domain\")) -eq $false)
        $user = Get-ADUser -Filter { SamAccountName -eq $username }
        if (!$user)
            return $false
        else
            return $true
    elseif(($username.StartsWith("domain\")) -eq $true)
        $username = ($username.Split("\")[1])
        $user = Get-ADUser -Filter { SamAccountName -eq $username }
        if (!$user)
            return $false
        else
            return $true
$usercheck = validateUser -username $samname
if($userCheck -eq $true) {
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[Windows.Forms.MessageBox]::Show("Username already exists in AD please check and retry",`
"Username Check", [Windows.Forms.MessageBoxButtons]::OK, [Windows.Forms.MessageBoxIcon]::Stop)
[environment]::Exit(0)
else {} #Continue
Write-Host ""
Write-Host "USERNAME has been set to" $samname -ForegroundColor Yellow
#Set User Accounts First Name
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "First Name"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setfirstname=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setfirstname=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the users first name:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$givname = ($setfirstname | Out-String)
$givname = ("$setfirstname") + ("")
Write-Host ""
Write-Host "FIRST NAME has been set to" $givname -ForegroundColor Yellow
#Set User Accounts Last Name
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Last Name"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setlastname=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setlastname=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the users last name:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$surname = ($setlastname | Out-String)
$surname = ("$setlastname") + ("")
Write-Host ""
Write-Host "LAST NAME has been set to" $surname -ForegroundColor Yellow
#Set the Department Number for the Active Directory Account
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Cost Center"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setcostcode=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setcostcode=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the cost center for the account:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$costcode = ($setcostcode | Out-String)
$costcode = ("$setcostcode") + ("")
Write-Host ""
Write-Host "COSTCODE has been set to" $costcode -ForegroundColor Yellow
#This creates a checkbox called Employee
$objTypeCheckbox = New-Object System.Windows.Forms.Checkbox
$objTypeCheckbox.Location = New-Object System.Drawing.Size(10,220)
$objTypeCheckbox.Size = New-Object System.Drawing.Size(500,20)
$objTypeCheckbox.Text = "Employee"
$objTypeCheckbox.TabIndex = 4
$objForm.Controls.Add($objTypeCheckbox)
#This creates a checkbox called Citrix User
$objCitrixUserCheckbox = New-Object System.Windows.Forms.Checkbox
$objCitrixUserCheckbox.Location = New-Object System.Drawing.Size(10,240)
$objCitrixUserCheckbox.Size = New-Object System.Drawing.Size(500,20)
$objCitrixUserCheckbox.Text = "Citrix User"
$objCitrixUserCheckbox.TabIndex = 5
$objForm.Controls.Add($objCitrixUserCheckbox)
#Set Permanent or Contractor (Expiration Date)
[void][reflection.assembly]::Load("System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][reflection.assembly]::Load("System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
[System.Windows.Forms.Application]::EnableVisualStyles()
$form1 = New-Object 'System.Windows.Forms.Form'
$datetimepicker1 = New-Object 'System.Windows.Forms.DateTimePicker'
$radiobuttonPermanent = New-Object 'System.Windows.Forms.RadioButton'
$radiobuttonContractor = New-Object 'System.Windows.Forms.RadioButton'
$buttonOK = New-Object 'System.Windows.Forms.Button'
$InitialFormWindowState = New-Object 'System.Windows.Forms.FormWindowState'
$radiobuttonContractor_CheckedChanged={
    if($radiobuttonContractor.Checked){
        $datetimepicker1.Visible=$true
   }else{
        $datetimepicker1.Visible=$false
$Form_StateCorrection_Load=
   #Correct the initial state of the form to prevent the .Net maximized form issue
   $form1.WindowState = $InitialFormWindowState
$Form_Cleanup_FormClosed=
   #Remove all event handlers from the controls
   try
       $radiobuttonContractor.remove_CheckedChanged($radiobuttonContractor_CheckedChanged)
       $form1.remove_Load($FormEvent_Load)
       $form1.remove_Load($Form_StateCorrection_Load)
       $form1.remove_FormClosed($Form_Cleanup_FormClosed)
   catch [Exception]
$form1.Controls.Add($datetimepicker1)
$form1.Controls.Add($radiobuttonPermanent)
$form1.Controls.Add($radiobuttonContractor)
$form1.Controls.Add($buttonOK)
$form1.AcceptButton = $buttonOK
$form1.ClientSize = '508, 262'
$form1.FormBorderStyle = 'FixedDialog'
$form1.MaximizeBox = $False
$form1.MinimizeBox = $False
$form1.Name = "form1"
$form1.StartPosition = 'CenterScreen'
$form1.Text = "Form"
$form1.add_Load($FormEvent_Load)
# datetimepicker1
$datetimepicker1.Location = '160, 91'
$datetimepicker1.Name = "datetimepicker1"
$datetimepicker1.Size = '200, 20'
$datetimepicker1.TabIndex = 3
$datetimepicker1.Visible = $False
# radiobuttonPermanent
$radiobuttonPermanent.Location = '33, 57'
$radiobuttonPermanent.Name = "radiobuttonPermanent"
$radiobuttonPermanent.Size = '104, 24'
$radiobuttonPermanent.TabIndex = 2
$radiobuttonPermanent.TabStop = $True
$radiobuttonPermanent.Text = "Permanent"
$radiobuttonPermanent.UseVisualStyleBackColor = $True
# radiobuttonContractor
$radiobuttonContractor.Location = '33, 87'
$radiobuttonContractor.Name = "radiobuttonContractor"
$radiobuttonContractor.Size = '104, 24'
$radiobuttonContractor.TabIndex = 1
$radiobuttonContractor.TabStop = $True
$radiobuttonContractor.Text = "Contractor"
$radiobuttonContractor.UseVisualStyleBackColor = $True
$radiobuttonContractor.add_CheckedChanged($radiobuttonContractor_CheckedChanged)
# buttonOK
$buttonOK.Anchor = 'Bottom, Right'
$buttonOK.DialogResult = 'OK'
$buttonOK.Location = '421, 227'
$buttonOK.Name = "buttonOK"
$buttonOK.Size = '75, 23'
$buttonOK.TabIndex = 0
$buttonOK.Text = "OK"
$buttonOK.UseVisualStyleBackColor = $True
#endregion Generated Form Code
#Save the initial state of the form
$InitialFormWindowState = $form1.WindowState
#Init the OnLoad event to correct the initial state of the form
$form1.add_Load($Form_StateCorrection_Load)
#Clean up the control events
$form1.add_FormClosed($Form_Cleanup_FormClosed)
#Show the Form
$form1.ShowDialog()
#Set the password for the new user account
#Change P@$$w0rd to whatever you want the account password to be
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Password"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setpassword=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setpassword=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,40)
$objLabel.Text = "Please enter the password you wish to set. Press Enter for P@SSw0rd:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,60)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set password and continue
$userpassword = ($setpassword | Out-String)
$userpassword = ("$setpassword") + ("")
if ($userpassword -eq "") {$userpassword = 'P@SSw0rd'}
$password = (ConvertTo-SecureString $userpassword -AsPlainText -Force)
#Set Variables for New-ADUser cmdlet
$dplname = "$surname, $givname"
$upname = "$givname.$surname" + "@" + "$domdns"
$email = "$givname" + "." + "$surname" + "@eta.state.tx.us"
$office = "WBT"
$description = "$costcode"
$description2 = "611IS - Permanent"
$description3 = "611PM - Permanent"
$description4 = "501 - Permanent"
##$loginscript = "yourloginscriptname"
$servername = "teafs2"
$homedir = "\\$($servername)\User\$($samname)"
$homedirpath = "\\$($servername)\User\$($samname)"
$Company= "ETA"
$department = "yourdepartment"
$department4 = "School Finance"
$departmentnumber = "" + "-" + "$costcode"
Write-Host ""
Write-Host "HOME SERVER is" $servername -ForegroundColor Yellow
Write-Host ""
Write-Host "HOME DIRECTORY has been set to" $homedir -ForegroundColor Yellow
Write-Host ""
Write-Host "DEPARTMENT has been set to" $department -ForegroundColor Yellow
Write-Host ""
Write-Host "DESCRIPTION has been set to" $departmentnumber -ForegroundColor Yellow
Write-Host ""
#Create Active Directory Account
New-ADUser -Name $dplname -SamAccountName $samname -DisplayName $dplname `
-givenname $givname -surname $surname -userprincipalname $upname -emailaddress $email `
-Path $targetou -Enabled $true -ChangePasswordAtLogon $true -Department $department `
-OtherAttributes @{'departmentNumber'="$departmentnumber"} -Company $Company -HomeDrive "H" -HomeDirectory $homedir `
-Description $description -Office $office -ScriptPath $loginscript -AccountPassword $password `
#Add User to Active Directory Groups Based on Description Field
If ((Get-ADUser $samname -Properties description).description -eq $description2) {
Add-ADGroupMember -Identity "CN=InformationSystemsPrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=InformationSystemsOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=InformationSystemsNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
If ((Get-ADUser $samname -Properties description).description -eq $description3) {
Add-ADGroupMember -Identity "CN=ProjectMgmtNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=ProjectMgmtOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=ProjectMgmtPrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Cognos ETASE Dev-Test-Prod,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=PMO ALL,OU=Distribution Groups,OU=Mailbox accounts,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=PMO Permanent,OU=Distribution Groups,OU=Mailbox accounts,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
If ((Get-ADUser $samname -Properties description).description -eq $description4) {
Add-ADGroupMember -Identity "CN=SchoolFinancePrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=SchoolFinanceOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=SchoolFinanceNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
#Does the user require a mailbox?
$mailbox = New-Object -ComObject wscript.shell
$intAnswer = $mailbox.popup("Does this user require a mailbox?", `
0,"Create Mailbox",32+4)
If ($intAnswer -eq 6) {
    Add-ADGroupMember -Identity "YourADGroupName5" -Member $samname
    $mailbox.popup("User added to EMail Provisioning Group", `
    0,"Created",64+0)
} else {
    $mailbox.popup("User has not been added to the EMail Provisioning Group", `
    0,"Not Created",64+0)
#Does the user require a LYNC Account?
$lyncaccount = New-Object -ComObject wscript.shell
$intAnswer = $lyncaccount.popup("Does this user require a LYNC Account?", `
0,"Create LYNC Account",32+4)
If ($intAnswer -eq 6) {
    Add-ADGroupMember -Identity "YourADGroupName6" -Member $samname
    $lyncaccount.popup("User added to LYNC Provisioning Group", `
    0,"Created",64+0)
} else {
    $lyncaccount.popup("User has not been added to the LYNC Provisioning Group", `
    0,"Not Created",64+0)
#Create Home Directory and Set Permissions on Home Directory
New-Item -path $homedirpath -type directory
$acl = Get-ACL -path $homedirpath
$permission = "yourdomainname\$($samname)","Modify","ContainerInherit,ObjectInherit","None","Allow"
$accessrule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessrule)
$acl | Set-ACL -path $homedirpath
##Set Share Permissions on Home Directory
$Computer = $servername
$Class = "Win32_Share"
$Method = "Create"
$name = $sharename
$path = $sharedirpath
$description = ""
$sd = ([WMIClass] "\\$Computer\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
$ACE = ([WMIClass] "\\$Computer\root\cimv2:Win32_ACE").CreateInstance()
$Trustee = ([WMIClass] "\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
$Trustee.Name = "EVERYONE"
$Trustee.Domain = $Null
$Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
$ace.AccessMask = 2032127
$ace.AceFlags = 3
$ace.AceType = 0
$ACE.Trustee = $Trustee
$sd.DACL += $ACE.psObject.baseobject
$mc = [WmiClass]"\\$Computer\ROOT\CIMV2:$Class"
$InParams = $mc.psbase.GetMethodParameters($Method)
$InParams.Access = $sd
$InParams.Description = $description
$InParams.MaximumAllowed = $Null
$InParams.Name = $name
$InParams.Password = $Null
$InParams.Path = $path
$InParams.Type = [uint32]0
$R = $mc.PSBase.InvokeMethod($Method, $InParams, $Null)
switch ($($R.ReturnValue))
0 {Write-Host "Share:$name Path:$path Result:Success"; break}
2 {Write-Host "Share:$name Path:$path Result:Access Denied" -foregroundcolor red -backgroundcolor yellow;break}
8 {Write-Host "Share:$name Path:$path Result:Unknown Failure" -foregroundcolor red -backgroundcolor yellow;break}
9 {Write-Host "Share:$name Path:$path Result:Invalid Name" -foregroundcolor red -backgroundcolor yellow;break}
10 {Write-Host "Share:$name Path:$path Result:Invalid Level" -foregroundcolor red -backgroundcolor yellow;break}
21 {Write-Host "Share:$name Path:$path Result:Invalid Parameter" -foregroundcolor red -backgroundcolor yellow;break}
22 {Write-Host "Share:$name Path:$path Result:Duplicate Share" -foregroundcolor red -backgroundcolor yellow;break}
23 {Write-Host "Share:$name Path:$path Result:Reedirected Path" -foregroundcolor red -backgroundcolor yellow;break}
24 {Write-Host "Share:$name Path:$path Result:Unknown Device or Directory" -foregroundcolor red -backgroundcolor yellow;break}
25 {Write-Host "Share:$name Path:$path Result:Network Name Not Found" -foregroundcolor red -backgroundcolor yellow;break}
default {Write-Host "Share:$name Path:$path Result:*** Unknown Error ***" -foregroundcolor red -backgroundcolor yellow;break}

Would you be able to show me how it's done?
Here's an example:
$date = Read-Host 'Enter a date (e.g. 4/23/14)'
Write-Host "Original string: $date"
$dateTime = [datetime]$date
Write-Host "DateTime object: $dateTime"
Don't retire TechNet! -
(Don't give up yet - 12,830+ strong and growing)

Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site

Have an existing ex2010 sp3 organization.
Could not run ex2013cu1 setup from my newly built 2012 server, getting the error in the subject line. I used the command line to run the AD preparation steps successfully from my 2012 DC/GC, then tried to run setup again from the new 2012 server and
still get the same error. The error itself in the log is pretty useless:
[05/07/2013 01:19:13.0137] [0] **********************************************
[05/07/2013 01:19:13.0137] [0] Starting Microsoft Exchange Server 2013 Cumulative Update 1 Setup
[05/07/2013 01:19:13.0137] [0] **********************************************
[05/07/2013 01:19:13.0152] [0] Local time zone: (UTC-08:00) Pacific Time (US & Canada).
[05/07/2013 01:19:13.0152] [0] Operating system version: Microsoft Windows NT 6.2.9200.0.
[05/07/2013 01:19:13.0152] [0] Setup version: 15.0.620.29.
[05/07/2013 01:19:13.0152] [0] Logged on user: DOMAIN\ADMINISTRATOR.
[05/07/2013 01:19:13.0168] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05/07/2013 01:19:13.0168] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05/07/2013 01:19:13.0215] [0] Command Line Parameter Name='sourcedir', Value='\\h1\f$\junk\installers\server\Exchange\2013cu1'.
[05/07/2013 01:19:13.0215] [0] Command Line Parameter Name='mode', Value='Install'.
[05/07/2013 01:19:13.0215] [0] RuntimeAssembly was started with the following command: '/sourcedir:\\SERVER\f$\junk\installers\server\Exchange\2013cu1 /mode:Install'.
[05/07/2013 01:19:13.0215] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05/07/2013 01:19:13.0793] [0] Finished loading screen CheckForUpdatesPage.
[05/07/2013 01:19:38.0762] [0] Finished loading screen UpdatesDownloadsPage.
[05/07/2013 01:19:40.0496] [0] Starting file's copying...
[05/07/2013 01:19:40.0496] [0] Setup copy files from '\\SERVER\f$\junk\installers\server\Exchange\2013cu1\Setup\ServerRoles\Common' to 'C:\Windows\Temp\ExchangeSetup'
[05/07/2013 01:19:40.0700] [0] Finished loading screen CopyFilesPage.
[05/07/2013 01:19:40.0840] [0] Disk space required: 1292445007 bytes.
[05/07/2013 01:19:40.0840] [0] Disk space available: 23767240704 bytes.
[05/07/2013 01:19:59.0762] [0] File's copying finished.
[05/07/2013 01:19:59.0965] [0] Finished loading screen InitializingSetupPage.
[05/07/2013 01:20:02.0934] [0] Setup is choosing the domain controller to use
[05/07/2013 01:20:09.0325] [0] Setup is choosing a local domain controller...
[05/07/2013 01:20:11.0794] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
See the Exchange setup log for more information on this error.
[05/07/2013 01:20:11.0794] [0] [ERROR] Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
[05/07/2013 01:20:11.0809] [0] Setup will use the domain controller ''.
[05/07/2013 01:20:11.0809] [0] Setup will use the global catalog ''.
[05/07/2013 01:20:11.0825] [0] Exchange configuration container for the organization is 'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'.
[05/07/2013 01:20:11.0919] [0] Exchange organization container for the organization is 'CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'.
[05/07/2013 01:20:11.0966] [0] Setup will search for an Exchange Server object for the local machine with name 'WEX1'.
[05/07/2013 01:20:12.0028] [0] No Exchange Server with identity 'WEX1' was found.
[05/07/2013 01:20:12.0044] [0] The following roles have been unpacked:
[05/07/2013 01:20:12.0044] [0] The following datacenter roles are unpacked:
[05/07/2013 01:20:12.0044] [0] The following roles are installed:
[05/07/2013 01:20:12.0059] [0] The local server does not have any Exchange files installed.
[05/07/2013 01:20:12.0075] [0] Server Name=WEX1
[05/07/2013 01:20:12.0137] [0] Setup will use the path '\\SERVER\f$\junk\installers\server\Exchange\2013cu1' for installing Exchange.
[05/07/2013 01:20:12.0137] [0] The installation mode is set to: 'Install'.
[05/07/2013 01:20:27.0591] [0] An Exchange organization with name 'DOMAIN' was found in this forest.
[05/07/2013 01:20:27.0591] [0] Active Directory Initialization status : 'False'.
[05/07/2013 01:20:27.0591] [0] Schema Update Required Status : 'False'.
[05/07/2013 01:20:27.0591] [0] Organization Configuration Update Required Status : 'False'.
[05/07/2013 01:20:27.0591] [0] Domain Configuration Update Required Status : 'False'.
[05/07/2013 01:20:27.0841] [0] Applying default role selection state
[05/07/2013 01:20:27.0872] [0] Setup is determining what organization-level operations to perform.
[05/07/2013 01:20:27.0872] [0] Because the value was specified, setup is setting the argument OrganizationName to the value DOMAIN.
[05/07/2013 01:20:27.0872] [0] Setup will run from path 'C:\Windows\Temp\ExchangeSetup'.
[05/07/2013 01:20:27.0888] [0] InstallModeDataHandler has 0 DataHandlers
[05/07/2013 01:20:27.0888] [0] RootDataHandler has 1 DataHandlers
[05/07/2013 01:20:27.0903] [0] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. See
the Exchange setup log for more information on this error.
[05/07/2013 01:20:27.0935] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
See the Exchange setup log for more information on this error.
[05/07/2013 01:21:04.0154] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05/07/2013 01:21:04.0154] [0] End of Setup
[05/07/2013 01:21:04.0154] [0] **********************************************

Hi,
The cause is clearly described in the log:
[05/07/2013 01:20:11.0794] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
See the Exchange setup log for more information on this error.
[05/07/2013 01:20:11.0794] [0] [ERROR] Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
I'd suggest you check NIC settings and AD configuration.
Hope it is helpful.
Fiona Liao
TechNet Community Support

"Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run se

Team,
I am trying to Install Exchange on my Lab, getting below error
message.
The Schema Role is installed on Root Domain and trying to install
exchange on Child domain.
1 Root Domain - 1 Child domain. both are located on single site.
“Setup encountered a problem while validating
the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter and wait for
replication to complete.”
Followed below articles:
http://support.risualblogs.com/blog/2012/02/21/exchange-2010-sp2-upgrade-issue-exchange-organization-level-objects-have-not-been-created-and-setup-cannot-create-them-because-the-local-computer-is-not-in-the-same-domain-and-site-as-the-sche/
http://www.petenetlive.com/KB/Article/0000793.htm
transferred the schema roles to different server on root domain, still no luck.
can someone please help me.
regards
Srinivasa k
Srinivasa K

Hi Srinivasa,
I guess, you didn't completed the initial setup schemaprep and adprep before starting the installation. You can do it as follows:
1. Open command Prompt as administrator and browse to the root of installation cd and run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
After finishing this,
2. Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
3. To prepare all domains within the forest run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms. If you want to prepare a specific domain run Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
4. Once you complete all of the 3 steps, install the pre-requisities for Exchange 2013
5. Finally, run the setup program
Hope this will help you
Regards from Visit ExchangeOnline |
Visit WindowsAdmin

Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

Hello everyone,
I'm managing a multi-domain forest (with 7 sub-domain). All are working fine except for one. Throught repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed I got both domain controllers of a subdomain (there are only 2 DCs in that
subdomain), who hadn't replicated with the rest of the forest for more than 60 days.
According to my research, it's usually recommended to Depromote and repromote the problematic DC to avoid the issue of lingering objects. In this case, it's both DC of a sub-domain. Of course, on the others DCs in the forest, I got the event
ID 2012 "it has been too long since this machine last replicated with the named source machine....".
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
to a value of 1.
As I understand it, this may cause lingering objects to appear (they can be removed with repadmin /removelingeringobjects command with the DSA GUID, naming context, etc..). So far, I haven't used that registry key yet because of the associated risks.
I didn't noticed any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the others DCs in the forests. (at least, I'm not getting any error in the A.D. Sites
and Services)
I added two new DCs for the affected sub-domains, so the number of DCs for that domain went from 2 to 4 DCs. The two old DCs that hadn't replicated for 60 days are windows Server 2003 and the two new DCs are Server 2008 R2.
Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I
cannot add an Active Directory Domain Services Connection in Sites & Services console (from a DC in another domain of the forest or even the root domain). I see all the DCs, including the two old DCs that are server 2003, but not the new ones.
I believe it's because the others DCs doesn't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
I was wondering what is the best course of action. Is it worthwhilte to use the registry key force replication with the old DCs ? (and hopefully, the new DCs will get their AD Services connection/replication vector created, so I can depromote
the old DCs.
Since the Old DCs from the problematic sub-domain seems to be able to pull the replication from the rest of the forest, does the risk of Lingering object isn't that great ?
Or is it too risky and I must create a new sub-domain and migrate one way or another the users ? (which would be time-consuming)
Thanks in advance,
Adam

Thanks for the reply. One of the link had another link to a good article about the use of repadmin :
So, I ran the command "repadmin /removinglingerobjects " on one of the problematic DCs ().
For clarity purpose, let's say I used the domain :
domain = main domain
subdomain = the domain whose DC are problematic (all of them).
AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
Command (the DSA guid is from a DC "clean" in another domain)
repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
I got the following message in the event viewer :
Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
Number of objects examined and verified:
0
Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
advisory mode option.
How should I interpret the message "number of objects examined and verified 0". Does it mean it just didn't find any object to compare ? (which would be odd IMHO) Or there is another problem ?
Thanks in advance,
Adam

Active directory SYSVOL replication issues

Hello.
I have 2 domain controllers, both of them on the same site DC1 & DC2. I have added a new site with a DC3. When I have added DC3 to the domain, I have realized, SYSVOL was not initialized correctly. I went back to DC1 and found out, there's following
error in the event viewer:
Error: 4012 on DC1
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter
(60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
Error: 2213 on DC2
The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication
WMI method to resume replication.
This indicates a DFS replication issue between DC1 & DC2 and probably this would be the reason, why the SYSVOL was not properly initialized on DC3.
How can I restore correct DFS replication between DC1 & DC2? I've read
this article, but it's not clear to me, which of the 2 domain controllers has a good version of SYSVOL + I can not find a decent step-by-step article for reconnecting Windows 2012 domain controller.
Any idea, how I can proceed further here?

Here's a complete documentation with resolution of my issue. I have created this documentation for my own purposes in our WIKI, so I will paste it here (I hope, it will help somebody else in the future):
The Problem
We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain
controller in the DOMAIN. After the promotion, I have added a single computer to the domain. When I have logged on the client to the domain, I realized, this computer is not using the new domain controller (NEWDC01)
for authentication, but DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming, the Active directory sites & services are configured properly). Further investigation revealed,
there are some replication errors on OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can
add the NEWDC01 server to domain properly.
Analysis
There are several errors related to DFSR replication on both domain controllers:
Error: 4012 on OLDDC01
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain.
This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder
until this error is corrected.
Error: 2213 on OLDDC02
The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database
is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
In order to have active directory in a healthy condition, one must ensure, there’s a successful
replication between existing domain controllers up and running. If the replication does not work correctly, you can expect bunch of issues.
group policies and logon scripts are not applied correctly, or as intended
when you want to add a new domain controller to the domain, it will not work as expected (although, you will not see any specific errors after the
server is promoted to be a domain controller)
Active directory backup
I have scheduled an AD backup on OLDDC01 server using the ‘Windows Backup’ solution to make sure,
I can restore the AD / SYSVOL, in case something goes wrong. The backup is scheduled to be executed every day.
Active directory restore
In this particular case, I will talk only about SYSVOL restore. As indicated above, we must get
rid of the DFSR event viewer errors which you can find in event viewer. One of them is indicating, that the JET database was not shut down cleanly and autorecovery was disabled. The other error indicates, the SYSVOL volume is no longer replicated. I am not
sure, what is the reason, why the AD’s in the domain stopped to replicate. Probably it was an unclean server shutdown. The DFSR service stopped to replicate the SYSVOL share and I was not aware about that. When the replication did not run for more than ~99
days, the SYSVOL share was excluded from the DFSR replications.
Find out the most accurate SYSVOL share in the domain
I have compared the content of the SYSVOL directories on both OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies.
Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means, that the content is approximately the same, thus I can’t tell, which version is most recent. I do most of the GPO changes on OLDDC01, so I made a conclusion,
that this server contains the most recent version of the SYSVOL share.
There are 2 types of SYSVOL restores, you can do:
Authoritative restore
Non-authoritative restore
Non-authoritative restore
This is a more simple kind of a restore. You can perform this kind of restore, when you are sure,
that one of the domain controllers is authoritative (e.g. you presume, the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform non-authoritative restore of the active directory on a broken domain controller.
Authoritative restore
In this case, you can designate a specific domain controller to be authoritative. You set a special
flag on this server, which will prohibit to overwrite it’s state from another domain controllers, when the replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the another domain controllers
using the non-authoritative procedure.
In this article, you can find, how to perform authoritative vs. non authoritative AD resotre:
http://support.microsoft.com/kb/2218556.
In my case, I was not sure, which of the domain controllers had a more recent copy of AD, so I
have decided to make OLDDC01 authoritative (check the link above). Once this has been done, I have made a non-authoritative update on OLDDC02 server.
Everything was almost ready. The last step, I needed to execute was, I needed to fix the ‘JET’
event viewer error on SRVBK1. In the event log entry on the bottom, you can find following:
Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do
so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication
of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig
where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
For more information, see http://support.microsoft.com/kb/2663685.
Final words
After I have executed this command, the replication was again started between OLDDC01 and OLDDC02
servers. After I have started up the NEWDC01 server, I have realized, it has automatically replicated the contents of the SYSVOL share - almost immediately after the server was started up. I have again tried to login with the local client into DOMAIN domain
and now I see, that local client is using local Domain controller for authentication.
Everything seems to be OK now.

Replication with Domain and Sub domain in Active directory sites and services

I seen many AD enviroments and know that when you have mutiple DCs you use Active Directory Sites and services to replicate using the NTDS Settings. If you have a Domain and sub domain do you need to do this as well or does it sync up automatically because
it's a sub domain? A see a couple of domains where the NTDS settings isn't being used to snyc with the child domain. Just wondering if that is normal or will it cause authentication errors?

I seen many AD enviroments and know that when you have mutiple DCs you use Active Directory Sites and services to replicate using the NTDS Settings. If you have a Domain and sub domain do you need to do this as well or does it sync up automatically
because it's a sub domain? A see a couple of domains where the NTDS settings isn't being used to snyc with the child domain. Just wondering if that is normal or will it cause authentication errors?
Two way transitive trusts are configured automatically when you create a child domain or tree root domain. You don't have to worry about site/subnet or replication part at least from trust perspective. But make sure site's names are unique in each domain.
How Domain and Forest Trusts Work
http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc730868.aspx
http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

Can't fix Active Directory replication

Hi,
I am not sure when the replication issue started, but it is for month now. Whe have two AD's and so actually, we have one working fine (probably). Users are replicated fine (at least they show in the second AD tree) and also, the group policies replicates
(they show in the group policy tree).
But, in the \\dc02\SYSVOL\domainname.com\Policies directory, nothing is shared. It's completely out of date. Also the group policy manager gives an warning: 1 Domain controller(s) with replication in progress.
Anyway, me, and other members of the IT-staff looked into it but it looks that the problem goes deep.
So my question is, what is the best way to solve this. Start to place some errors here or maybe we should completely re-install the second DC? Or both? Or is that a bad idea?
Thanks for any help!

Thanks for the responses!
Problem is, Event viewer keeps giving different errors. I just restarted my secondary DC and it gives this error:
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Before restart, I ran dcdiag again and it gave problems with NCSecDesc. So permission problem. I fixed that and after that I ran dcdiag again and no errors were showing. But sysvol directory was still not in sync.
After that, I restarted and the top error is shown in event viewer and dcdiag gives me another, new error:
Starting test: SystemLog
A warning event occurred. EventID: 0x000727A5
Time Generated: 04/16/2014 18:02:36
Event String: The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
ccur.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
ccur.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
ccur.
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/16/2014 18:03:40
Event String:
A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0xC0001B6F
Time Generated: 04/16/2014 18:03:41
Event String: The Diagnostic System Host service terminated with the following error:
An error event occurred. EventID: 0xC0001B6F
Time Generated: 04/16/2014 18:03:41
Event String: The Diagnostic Service Host service terminated with the following error:
......................... DC02 failed test SystemLog
After restarting the secondary DC, the primary DC gives an error on DFSREvent but I think that's OK because it lost the secondary DC for a minute. No further errors there.
After restarting the primary DC, it gives also a SystemLog error, but different from the other DC with dcdiag:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source
, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domai
n, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this c
omputer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0x00000090
Time Generated: 04/16/2014 18:31:25
Event String: The time service has stopped advertising as a good time source.
......................... DC01 failed test SystemLog
Now this is the current status. I am pretty desperate. Maybe you have some suggestions? Otherwise, I will try pbbergs' suggestion.
Other errors in the event viewer (not sure if they are related but just posting to be sure):
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
Certificate name: dc01.domainname.com
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Thanks for the help!

Credential Roaming failed to write to the Active Directory. Error code 5 (Access is denied.)

Hi All,
I could see following error event in all client computers , Could you please some one help me on this ?
Log Name:      Application
Source:
Microsoft-Windows-CertificateServicesClient-CredentialRoaming
Event ID:      1005
Level:         Error
Description: Certificate Services Client: Credential Roaming failed to write to the Active Directory. Error code 5 (Access is denied.)
Regards, Srinivasu.Muchcherla

If you are not using certificates and Credential Roaming for clients then simply ignore the error message.
If you are using certificates then you are getting access denied message when Credential Roaming is trying to write to your AD. More details about Credential Roaming here: http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx
http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx
This is probably related to the fact that your schema version not 44 or higher: https://social.technet.microsoft.com/Forums/windowsserver/en-US/5b3a6e61-68c4-47d3-ae79-8296cb3be315/certificateservicesclientcredentialroaming-errors?forum=winserverGP
Active Directory
ObjectVersion
Windows 2000
13
Windows 2003
30
Windows 2003 R2
31
Windows 2008
44
Windows 2008 R2
47
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

got event ID 4015 and source DNS-Server-Service. please suggest how to fix this issue
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
Raj

Hi
first run "ipconfig /flushdns" and then "ipconfig /registerdns" finally restart dns service and check the situation,also you can check dns logs computer management ->Event viewer->Custom Views->Server roles->DNS.

The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error. : Error: An Active Directory Constraint Violation error occurred

Hello,
We have a multi domain parent child AD domain infrastructure and now we upgraded our exchange from Exchange 2007 to Exchange 2013. Since last few days, we see the below error on the mailbox server event viewer.
EVENT ID : 1121
The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error.
Request GUID: '93a7d1ca-68a1-4cd9-9edb-a4ce2f7bb4cd'
Database GUID: '83d028ec-439d-4904-a0e4-1d3bc0f58809'
Error: An Active Directory Constraint Violation error occurred on <domain controller FQDN>. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-0315286E, #1:
Our Exchange setup is in parent domain, but we keep on getting this error for various domain controllers in each child domain in the same site. We then configured one of the parent domain domain controller on Exchange. Still we are getting this error for
the configured parent domain DC.
Verified the AD replication and there is no latency or pending stuffs.
Any support to resolve this issue will be highly appreciated. Thank you in advance.
Regards,
Jnana R Dash

Hi,
In addition to Ed's suggestion, I would like to clarify the following things for troubleshooting:
1. Please restart IIS at first.
2. If the issue persists, please ping your DC on your Exchange server to check if Exchange can communicate with DC.
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support

Active Directory Replication Servers (wont replicate SYSVOL and NETLOGON Not showing)

I have my first DC Server (DC1). DC1.DOMAIN.lOCAL, I decided to add another Domain Controller. Made it a secondary DNS Server and also GC. Everything seems to replicate, but its missing NETLOGON and SYSVOL Wont replicate.
Windows 2008 R2

Errr 5706
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\INFGRP.LOCAL\SCRIPTS. The following error occurred:
The system cannot find the file specified.
Event 7009
A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
Event 1058
The processing of Group Policy failed. Windows attempted to read the file \\INFGRP.LOCAL\SysVol\INFGRP.LOCAL\Policies\{55DE4000-0D51-44CD-92A1-30F286B2BC86}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until
this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
All Critical
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS
Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Test replication
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine dc, is a DC.
* Connecting to directory service on server dc.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\dc
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... dc passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\dc
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=GRP,DC=LOCAL
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=GRP,DC=LOCAL
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=GRP,DC=LOCAL
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=GRP,DC=LOCAL
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=GRP,DC=LOCAL
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... dc passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : DomainDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : Schema
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : Configuration
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : GRP
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running enterprise tests on : GRP.LOCAL
Test omitted by user request: Intersite
Test omitted by user request: FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
On the second DC (DCR). I see SYSVOL, no files replicated, also theres no NETLOGON.

Lync Hybrid : Unable to write to active directory due to lack of permission

Hello everyone,
I need a little help to troubleshoot a problem I have when moving a user to Lync Online.
My client has a Dirsync and Adfs working perfectly with o365.
My problem is that when I try to move a user to Lync Online I have this error :
Move-CsUser -Identity "Username" -Target sipfed.online.lync.com -credential $cred -hostedmigrationOverrideUrl "https://admin0e.online.lync.com/hostedmigration/hostedmigrationservice.svc"
"Move-CsUser : Unable to write to Active Directory due to lack of permissions"
Like the error said, it's a lack of permission but what kind of permission do I need to make this work ? I've tried to googleit/technetit but no helpful topic found...
Thanks in advance for your help and answers.
Regards,
Adrian TUPPER - ABC Systemes - http://thelyncexperience.blog.com/ If answer is helpful, please hit the green arrow on the left, or mark as answer Thank you

Hi,
Did you solve the issue by adding the account to RTCUniversalUserAdmins group?
To move an on-premises user to your Lync Online tenant, run the following cmdlets in the Lync Server Management Shell, using the administrator credentials for your Microsoft Office 365 tenant. Replace "[email protected]" with the information for the user
that you want to move.
You can try to move the user from Lync Server on premises to Lync online with the help of the link below “Move users to Lync Online”:
http://technet.microsoft.com/en-us/library/jj204969.aspx
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support

Active Directory error 1864 (replication)

Hello colleagues
I have 5 DC's (1dc.test.local - 5dc.test.local) and 1 DC (6dc.test.local) out of domain 3 months. All DC's is Windows 2003 in one domain test.local. Then I changed IP address for 6dc.test.local and connect it to LAN of domain (to another 5 DC's). I see that
6dc.test.local now have lastest update copy of DNS zone and AD. Now I want remove 6dc.test.local from a domain but I can't do this, after run DCPROMO I take an error:
"The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."
and have error 1864 (about replication) in events.
Maybe someone already have this problem? How can I remove 6dc.test.local from domain and that another DC's in domain khows about it?
Please help!

Hi,
Please remove the 6th dc using following command.
DCPROMO /Forceremoval
If that one also failed run the metadata cleanup using script given below. make sure you run this scriptfrom PDC server and then delete the records manually from DNS console given below. Once you have done that kindly Rebuild the OS & then Promote as
Domain controller.
https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3
Repeat running the vbs script till the wrong/unnecessary dc’s are removed.
         Cross check the removal – dsa.msc [ad users and computers] > Domain Controllers OU
Adsiedit.msc
Expand domain partition, select OU=Domain Controllers, make sure only the necessary domain controllers are listed.
Delete the incorrect domain controllers.
Dnsmgmt.msc [Dns Management]
      Expand the forward lookup zones\_msdcs folder
i.      Make sure only the actual domain controllers are listed, delete wrong Alias recordsremove wrong name server records
ii.      Select the container [forward lookup zones\_msdcs.domain.com\dc\_sites_\sitename\_tcp] > delete incorrect _ldap and _kerberos records are listed.
iii.      Select the container [forward lookup zones\_msdcs.domain.com\dc\_tcp] and delete incorrect _ldap and _kerberos records
iv.      Expand the [forward lookup zones\_msdcs.domain.com\domains\guid\_tcp] and delete incorrect _ldap entries
v.      Select [forward lookup zones\_msdcs.domain.com\gc] – delete incorrect HostA records
vi.      Expand the [forward lookup zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] – delete incorrect _ldap entries
vii.      Select the [forward lookup zones\_msdcs.domain.com\gc\_tcp] – delete incorrect _ldap entries
viii.      Select the [forward lookup zones\_msdcs.domain.com\pdc\_tcp] – delete incorrect _ldap entries
      Expand the forward lookup zones\domain.com folder
i.
Delete Host(A) records of dc’s which are non-existant.
ii.
Correct the NameServer (NS) records
iii.
Follow steps similar to ’ A ii ‘ >> ‘ A viii’
         Dssite.msc [Sites and Services]
      Expand the [Sites\Sitename\Servers] – delete incorrect server’s
B.      Delete incorrect subnet configurations [Sites\Subnets]
      Delete incorrect site links [Sites\IP]

NTDS Replication - Active Directory encountered a write conflict

Similar Messages

Maybe you are looking for