Promote 2012 R2 in a 2008 R2 domain
My shop is all 2008 R2 domain controllers and all workstations are Win7 x64, so my question is simple: I want to promote a 2012 R2 server to a DC (later this year we are buying Win 8.1 workstations and thought that a 2012 R2 DC would make sense). Has anyone run into any gotchas or issues by doing this?
MSB
Tim is correct. You can add 2012 R2 DCs to a 2008 R2 domain, they will simply run at the lower functional level. My question would be is this necessary? There is no reason to upgrade the domain in order to support the new clients. The biggest concern I can think of is the new Group Policy administrative templates for Win 8.1, but those are easily added to the central store in the domain by copying them from the new clients.
My general thinking about upgrading the domain is that it should only be done if there is an express need at the domain level. As Tim mentioned, some applications may not function at a higher level. Upgrading a client OS is not a reason to upgrade the domain.
Similar Messages
-
ADprep failure promoting 2012 server to DC on 2003 domain
Run repadmin /syncall and see if you get errors. If you do not get any run adprep again.
Hello: I am new and I hope I am posting this in the right place:
I am promoting a 2012 R2 server to DC in a 2003 domain. The account I am using is the Domain Admin, Schema Admin, Enterprise Admin.
Here's the error:
Adprep failed to verify whether schema master has completed a replication cycle after last reboot
Server extended error : 8344 server extended message: 00002098
Error code: 0x32. Server extended error code: 0x2098, server error message 00002098: secerr: dsid-03151d7d, problem 4003 (insuff_access_rights). Data 0
This topic first appeared in the Spiceworks Community -
Add Windows Server 2012 R2 domain controller to Windows 2008 R2 domain
Hi,
Have today 2 x Windows Server 2008 R2 domain controllers, and domain and functional level 2008 R2.
We now want to replace these DC`s with Windows Server 2012 R2.
My plan is as follows:
- Install and promote a Windows Server 2012 R2 as a 3 DC`s with a temporary hostname and IP as DC3
- Install and promote a second Windows Server 2012 R2 as a 4 DC`s with a temporary hostname and IP as DC4
- Decommission DC1 and remove this host. Change the IP and hostname of the new DC3 to DC1
- Move FSMO roles from DC2 to DC1 and decommission DC2
- Change the IP and hostname of the new DC4 to DC2
Will this be an OK process? I will of course have the DC`s replicate information between them before doing each task.
/Regards Andreas
Hi,
Only error i got running dcdiag was the following
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=local
......................... DC1 failed test NCSecDesc
Is this a problem ?
I would guess not since I'm not implementing a RODC? Ref:
https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0
You can ignore it.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK -
Server 2012 std not able to see Domain, DC and DNS on Win SBS 2008 std Domain
Hi There
I have a HP ML 110 G5 SBS 2008 std server as my DC on my network. I recently added a HP Microserver running Server 2012 std (with no roles or features installed) to act solely as a file server for a 3rd party program as the program was not running efficiently
on the main server.
The problem I am having now is that the 2012 server keeps falling off the domain and cannot contact DNS server. I have also had to re-enable remote desktop several times. It also shows the 2012 Server as being on a private firewall profile and not on the
domain firewall profile but I suspect that this is part of the same problem.
The resulting problem that this is causing is that the local machines that need to contact an SQL database on the 2012 fileserver intermittently either time out or are very slow to connect.
So far I have tried:
Switching from Static IP to DHCP.
Re-adding the server to the domain.
Stopping and restarting DNS services on the DC.
Checking physical Network connections and routing.
Putting the 2012 server into the same Organizational Unit as the 2008 DC.
Has anyone else encountered this problem when adding a 2012 server to a 2008 domain? I have a feeling that the solution is probably something simple that I've overlooked, but I can't think what. Any help would be greatly appreciated.
Regards
Russ
Also, as some additional info -
Event viewer gives the following errors:
Group Policy Error:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 2015-04-27 01:17:51 PM
Event ID: 1129
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: [SERVERNAME].[DOMAIN].local
Description:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has
successfully processed. If you do not see a success message for several hours, then contact your administrator.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1129</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-04-27T11:17:51.111942100Z" />
<EventRecordID>19056</EventRecordID>
<Correlation ActivityID="{C0CBAF2B-1E93-49C0-B910-069AE43F74B2}" />
<Execution ProcessID="732" ThreadID="1336" />
<Channel>System</Channel>
<Computer>[SERVERNAME].[DOMAIN].local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">1548</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">0</Data>
<Data Name="ErrorCode">1222</Data>
<Data Name="ErrorDescription">The network is not present or not started. </Data>
</EventData>
</Event>
DNS Error:
Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 2015-04-27 04:54:58 PM
Event ID: 8015
Task Category: (1028)
Level: Warning
Keywords:
User: NETWORK SERVICE
Computer: [SERVERNAME].[DOMAIN].local
Description:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings:
Adapter Name : {3DDD0E46-D879-48C0-9DF6-5FAC0F1A56C4}
Host Name : [SERVERNAME]
Primary Domain Suffix : [DOMAIN].local
DNS server list :
192.168.2.10
Sent update to server : <?>
IP Address(es) :
192.168.2.15
The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running
at this time. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
<EventID>8015</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>1028</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-04-27T14:54:58.599130300Z" />
<EventRecordID>19105</EventRecordID>
<Correlation />
<Execution ProcessID="856" ThreadID="952" />
<Channel>System</Channel>
<Computer>[SERVERNAME].[DOMAIN].local</Computer>
<Security UserID="S-1-5-20" />
</System>
<EventData>
<Data Name="AdapterName">{3DDD0E46-D879-48C0-9DF6-5FAC0F1A56C4}</Data>
<Data Name="HostName">[SERVERNAME]</Data>
<Data Name="AdapterSuffixName">[DOMAIN].local</Data>
<Data Name="DnsServerList"> 192.168.2.10</Data>
<Data Name="Sent UpdateServer"><?></Data>
<Data Name="Ipaddress">192.168.2.15</Data>
<Data Name="ErrorCode">1460</Data>
</EventData>
</Event>
Can you post an ipconfig /all from the server and the DC?
Robert Pearman SBS MVP
itauthority.co.uk -
First 2012 R2 server in 2008 domain (same name and IP)
Hi all,
Think I know the answer to this but wanted to double-check. I'm installing a Windows 2012 R2 server. It is our first 2012 server in our 2008 R2 environment. It will also be our first 2012 DC. It will be replacing an old 2008 R2 DC and will have the same
name and IP as the old 2008 server. I have several other DCs in place and they handle DHCP and DNS. The DHCP server service is not currently running on the old 2008 server to be decommissioned, and the DNS settings in DHCP server/scope options point to other
servers than the server to be shut down.
Plan is to demote the old 2008 R2 server, wait 24 hours for directory replication and check that all instances of the old server is gone from AD, then rename the old server and assign different IP address. At that point I'll assign the 2012 server the old
server's original IP address and name, then run Server Manager to promote the 2012 server to a DC. Then migrate data.
So, when running DCPROMO to demote the old 2008 server, I'm asked if I want to delete the DNS delegations pointing to this server. Should I? I tend to think I should NOT because the new 2012 server will have the same name and IP as the old one, and that
the DHCP/DNS settings as configured point to other servers anyway. Does that make sense?
Thanks in advance,
Sir_Timbit
Hi Timbit,
Here is a nice walkthrough article below which is written by Ace:
Remove an Old DC and Introduce a New DC with the Same Name and IP Address
http://blogs.msmvps.com/acefekay/2010/10/09/remove-an-old-dc-and-introduce-a-new-dc-with-the-same-name-and-ip-address/
Best Regards,
Amy -
Windows Server 2012 DFS on a Windows 2008 R2 domain
Hello All,
Quick question. We would like to take advantage of the improvements in DFS replication provided by Server 2012. However I am hesitant to upgrade our domain controllers (currently running 2008 R2). My question is:
Can DFS replica partner servers currently running 2008R2 be upgraded (preferably in place) to Server 2012 and managed by 2008 R2 DC's?
If so what do I lose by not having 2012 DC? Any issues to speak of?
This topic first appeared in the Spiceworks Community -
Downgrading a DC running Server 2012 R2 to Server 2008 R2
This is NOT a licensing question. All I see when searching this question are answers about licensing. I already have the licensing. My question is, is it possible to downgrade a domain controller that is running Server 2012 R2 to Server 2008 R2? I mistakenly raised the functional level of my domain from server 2003 to 2012 R2 before upgrading my exchange server running 2003 and now I have no way to migrate my exchange server. Ideally, I would like to just downgrade the DC to Server 2008 R2 and upgrade everything else to that level as well, including Exchange Server 2010. Any relevant input would be greatly appreciated.
Here you go, Exchange 2010 SP3 RU5 .....
Active Directory Domain Controllers running Windows Server 2012 R2
Active Directory Forest Function Level and Domain Functional Level of Windows Server 2012 R2
The following is not supported:
Installing Exchange Server 2010 SP3 RU5 on a Windows Server 2012 R2 server
http://exchangeserverpro.com/exchange-server-2010-support-windows-server-2012-r2/
--oz -
Hi,
Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."
DC:windows Server 2008 R2
Domain functional level:Windows Server 2003
When Winxp join domain, have no this error message.
I checked http://support.microsoft.com/kb/2018583?wa=wsignin1.0 but it doesn't work.
There are 3 suggestions in this article:
1.The "Disable NetBIOS over TCP/IP" checkbox has been disabled in the IPv4 properties of the computer being joined.
Doesn't work.
2.Connectivity over UDP port 137 is blocked between client and the helper DC servicing the join operation in the target domain.
On my DC, I ran netstat -an, result as below:
UDP 192.168.20.3:137 *:*
3.The TCP/IPv4 protocol has been disabled so that the client being joined or the DC in the destination domain targeted by the LDAP BIND is running TCP/IPv6 only.
We are not using IPV6.
This server recently updated from Windows Server 2003 to Windows Server 2008 R2. Before upgrade, when Win7 and Win2008 join this domain, also have the same error message.
Please help to check this issue.
Thank you very much.
BR
Guo YingHui
Hi Guo Ying,
I have faced this critical error which makes over-writes the host names in the domain when you join.
For example: Already you had a host name called as PC.domain.com in the domain.com Domain.
When you try to add the another host name called as PC in the domain.com Domain, it doesn't give you the duplicate name error on the network it does over-write the existing host name called as PC.domain.com & it will add the new host name into the domain.
Host name which got over-written will get removed from the domain. I faced this issue in my project. My DPM host name got removed from the Domain & new host name got joined into the domain which halted my backups for one day.
Final Resolution is as follows:
You need to start the dns console on the DC & drop down the domain name.
Select the _msdcs when you click on _msdcs it will show the Name Server's list on the right hand side.
You need to add the Domain Naming Master under the _msdcs or add all the domain controllers which you had.
After you add the Name server's try joining the PC OR Laptop to the domain which is successfully joins it.
Regards
Anand S
Thanks & Regards Anand Sunka MCSA+CCNA+MCTS -
How to Reset Windows 2008/R2 Domain Administrator Password
How to Reset Windows Server 2008/R2 Domain Administrator password if forgot or lost it?
It is annoying and bad to forget a Windows Server 2008/r2 Domain administrator login password. It is troublesome unless you have that Windows Server 2008/r2 password reset disk. We can still find several tricks to reset Windows Server Domain password but they require a mass of operations and waste a lot of time. For example, you can reset Windows Server 2008/R2 domain administrator password with an installation disk but it requires you to type a mass of command line. So today I want to share everyone an omnipotent method to reset Windows Server 2008/R2 Domain/local administrator password. You need the following 3 things.
An accessible PC.
A USB/CD/DVD flash drive.
The Windows password reset tool Daossoft Windows Password Rescuer.
Then it requires 4 steps as below:
Step 1: Download and install Daossoft Windows Password Rescuer into that accessible computer.
Step 2: Burn it to the flash drive.
Step 3: Boot your Windows Server computer from the flash drive.
Step 4: Follow its instruction and click “Reset Password” button to reset your Windows 2008/R2 Domain/Local administrator password.
More details in this video: Windows Server 2008 R2 Password Reset - Reset Domain or Local Password.
It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an illusion of security which is not there. Linux systems that are much more secure than MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Thanks, -
Windows 2008 R2 Domain Controller (PDC) - NTP server - time showing local CMOS clock
I'm having issues setting an external source on a Windows 2008 R2 domain controller (PDC emulator role for the domain)
Here is the output showing its source is the Local CMOS clock.
C:\Windows\System32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 06/11/2014 15:44:15
Source: Local CMOS Clock
Poll Interval: 6 (64s)
1) I have performed the following on the DC with the PDC role:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\System32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org (Local)
NtpServer (Local)
DllName: C:\Windows\System32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
But still showing the output:
C:\Windows\System32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 06/11/2014 15:58:45
Source: Local CMOS Clock
Poll Interval: 6 (64s)
2. If I resync and rediscover the following error appears:
w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
3. I've also tried clearing the current time config by:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
But no change, it still shows the Local CMOS clock.
4. This event is showing
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 06/11/2014 15:43:30
Event ID: 12
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: domaincontroller1
Description:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy.
If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
<EventID>12</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-11-06T15:43:30.465619200Z" />
<EventRecordID>77295</EventRecordID>
<Correlation />
<Execution ProcessID="256" ThreadID="2056" />
<Channel>System</Channel>
<Computer>domaincontroller1</Computer>
<Security UserID="SID" />
</System>
<EventData Name="TMP_EVENT_DOMAIN_HIERARCHY_ROOT">
</EventData>
</Event>
5. If I perform the below it appears DC2 is having problems but I'm not sure if related.
C:\w32tm /monitor
DC1.domain.local *** PDC ***[192.168.1.1:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from DC1.domain.local
RefID: 'LOCL' [0x4C434F4C]
Stratum: 1
DC2.domain.local[192.168.1.2:123]:
ICMP: 0ms delay
NTP: -110.4925481s offset from DC1.domain.local
RefID: (unspecified / unsynchronized) [0x00000000]
Stratum: 0
DC3.domain.local[192.168.2.1:123]:
ICMP: 0ms delay
NTP: -0.0256084s offset from DC1.domain.local
RefID: DC1.domain.local [192.168.1.1]
Stratum: 2
DC4.domain.local[192.168.2.4:123]:
ICMP: 0ms delay
NTP: -0.0011524s offset from DC1.domain.local
RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
Stratum: 2
Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.
Any help would be much appreciated. Thanks.
Craig Brand
I suspected some issue with AV so uninstalled.
To resolve the Access Denied I followed these steps:
stop w32time
w32tm /unregister
reboot
regsvr32 /u w32time.dll
w32tm /register
sc query w32time -- you should see that the service is set to
shared mode -- this is presumably how it should be -- if you try to start right now, you'll get the expected 1290 SID-related error
reboot
w32time should now automatically start at boot up and be running -- that was my result -- it's running as shared, started on its own, and I can do the w32tm /query commands successfully
After rebooting the time service started.
I then repeated the steps:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
And all worked. I'll wait a short while to see if this fixes the issue. I also have an SA case with MS so will confirm fix when resolved.
Craig Brand -
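The `w32tm /monitor` output in the thread above can be checked mechanically. This is an added example, not code from the thread: it parses that output and flags a PDC emulator running on its local clock, unsynchronized DCs, and offsets beyond a threshold. SAMPLE reproduces the posted output; the 300-second default is Kerberos' default five-minute clock-skew tolerance, and the function and flag names are this example's own.

```python
import re

# Output of "w32tm /monitor" as posted in the thread (warning footer omitted).
SAMPLE = """\
DC1.domain.local *** PDC ***[192.168.1.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from DC1.domain.local
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
DC2.domain.local[192.168.1.2:123]:
    ICMP: 0ms delay
    NTP: -110.4925481s offset from DC1.domain.local
        RefID: (unspecified / unsynchronized) [0x00000000]
        Stratum: 0
DC3.domain.local[192.168.2.1:123]:
    ICMP: 0ms delay
    NTP: -0.0256084s offset from DC1.domain.local
        RefID: DC1.domain.local [192.168.1.1]
        Stratum: 2
DC4.domain.local[192.168.2.4:123]:
    ICMP: 0ms delay
    NTP: -0.0011524s offset from DC1.domain.local
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 2
"""

HOST_RE = re.compile(
    r"^(?P<host>\S+?)(?P<pdc>\s*\*\*\* PDC \*\*\*)?\s*\[(?P<ip>[^\]]+):123\]:\s*$")
NTP_RE = re.compile(r"^NTP:\s*(?P<off>[+-]?\d+(?:\.\d+)?)s offset")
REFID_RE = re.compile(r"^RefID:\s*(?P<ref>.*?)\s*\[[^\]]+\]")
STRATUM_RE = re.compile(r"^Stratum:\s*(?P<n>\d+)")


def parse_w32tm_monitor(text):
    """Return one dict per domain controller listed in the monitor output."""
    hosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            cur = {"host": m["host"], "ip": m["ip"], "pdc": bool(m["pdc"]),
                   "offset_s": None, "refid": None, "stratum": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue  # text before the first host header
        if (m := NTP_RE.match(line)):
            cur["offset_s"] = float(m["off"])
        elif (m := REFID_RE.match(line)):
            cur["refid"] = m["ref"]
        elif (m := STRATUM_RE.match(line)):
            cur["stratum"] = int(m["n"])
    return hosts


def audit_time_sync(hosts, max_skew_s=300.0):
    """Map host -> list of flags; hosts with no findings are omitted."""
    findings = {}
    for h in hosts:
        flags = []
        # The PDC emulator is the root of the domain time hierarchy; on LOCL
        # it is free-running and every other DC inherits its drift.
        if h["pdc"] and h["refid"] and "LOCL" in h["refid"]:
            flags.append("pdc-on-local-clock")
        # Stratum 0, or an NTP line that carried an error instead of an
        # offset, means the DC has no usable time source.
        if h["stratum"] == 0 or h["offset_s"] is None:
            flags.append("unsynchronized")
        if h["offset_s"] is not None and abs(h["offset_s"]) > max_skew_s:
            flags.append(f"skew>{max_skew_s:g}s")
        if flags:
            findings[h["host"]] = flags
    return findings


if __name__ == "__main__":
    for host, flags in audit_time_sync(parse_w32tm_monitor(SAMPLE)).items():
        print(host, ", ".join(flags))
```

Lowering `max_skew_s` below the Kerberos limit gives early warning: at 60 seconds, DC2 in the sample is flagged for skew as well as for being unsynchronized.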
Hello to all, there are two conflicting articles about this topic:
1-
http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(v=ws.10).aspx#BKMK_Whatsnew : this one says that it does not work "The Group Chat feature in Office Communications Server 2007 R2 does not work in Windows
Server 2008 R2 domains". This article was updated in 2013.
2-
http://technet.microsoft.com/en-us/library/ee692314(office.13).aspx: this other article says that it will function "Office Communications Server 2007 R2 Group Chat will function in a Windows Server 2008 R2 forest". This article was updated in 2010 and was referred to by the first one.
What is the correct support position for Group Chat feature in Office Communications Server 2007 R2 and Windows Server 2008 R2 domains?
Regards, EEOC.
Hi,
I notice the following sentence in the link below “Office Communications Server 2007 R2, Group Chat will not function in a Windows Server 2008 R2 forest or when Group Chat member servers are joined to a Windows Server 2008 R2 domain.
We know of an issue with changes in Windows 2008 R2 that requires a Group Chat Client and Group Chat Admin Tools hotfix. The Group Chat Client and Group Chat Admin Tools hotfixes are currently scheduled for mid-April 2010.”
http://blogs.technet.com/b/nexthop/archive/2010/11/06/supportability-for-office-communications-server-2007-r2-and-windows-server-2008-r2.aspx
So in my opinion, if you update to the latest version of Windows Server 2008 R2, OCS Server 2007 R2 and Group Chat Client, Group Chat Admin Tools to the latest version, it should work.
However, the best method for you is make a lab to test the problem firstly.
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support -
Change Tracking internals behave differently, SQL Server 2012 vs SQL Server 2008
<original post by Glenn Estrada>
Reposting an issue from Stack Overflow that a coworker and I are dealing with.
In trouble shooting an issue with synchronizing disconnected devices with a central database server using Sync Framework 1.0, we are experiencing a problem after upgrading to SQL Server 2012 on the server. It appears that the CHANGE_TRACKING_MIN_VALID_VERSION
is returning a value 1 higher than it should (or at least than it did prior to the upgrade.)
I have been working thru Arshad Ali's great walk thru example of how to set up a simple example.
I have run the scripts from #1 thru #5 to insert, delete, and update a row in the Employee table in both a SQL Server 2008 and a 2012 environment.
In 2008, the following statement returns a 0:
SELECT CHANGE_TRACKING_MIN_VALID_VERSION(OBJECT_ID('Employee'))
In 2012, it returns a 1.
In working thru a few more scripts (6-8) in the tests, I set the retention period to 1 minute to hopefully force a cleanup action. I left for the day and apparently it ran overnight.
In the 2008 instance, the CHANGE_TRACKING_CURRENT_VERSION and the CHANGE_TRACKING_MIN_VALID_VERSION are equal (11). In the 2012 instance, the CHANGE_TRACKING_MIN_VALID_VERSION is one higher (12) than the CHANGE_TRACKING_CURRENT_VERSION (11). This could have
an impact to the synchronization process when a database is idle for extended periods of time. And we have found that process could get caught in a loop, especially when the following test is performed to determine if a re-initialization, as opposed to synchronization,
is required:
IF CHANGE_TRACKING_MIN_VALID_VERSION(object_id(N'dbo.Employee')) > @sync_last_received_anchor
RAISERROR (N'SQL Server Change Tracking has cleaned up tracking information for table ''%s''...
Has anyone else experienced this change in behavior? Does anyone have an explanation?
sql-server sql sql-server-2012 -
I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success
Hi Lawrence,
After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
setting was applied successfully.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
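The effective policy printed by `auditpol /get /category:*` in the thread above determines which Security-log events a DC can write at all. This is an added example, not code from the thread: it parses that output and reports which expected event IDs cannot be logged under the current subcategory settings. SAMPLE is abridged from the posted output; the event-ID-to-subcategory mapping and the function names are supplied by this example.

```python
# Longest suffix first, so "Success and Failure" is not read as "Failure".
SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")

# Event ID -> (subcategory that emits it, outcome that must be audited).
# Mapping added for this example; it does not come from the thread.
EVENT_SOURCES = {
    4768: ("Kerberos Authentication Service", "Success"),     # TGT requested
    4769: ("Kerberos Service Ticket Operations", "Success"),  # service ticket requested
    4771: ("Kerberos Authentication Service", "Failure"),     # pre-authentication failed
    4776: ("Credential Validation", "Success"),               # NTLM credential validation
    4740: ("User Account Management", "Success"),             # account locked out
}

# Abridged from the auditpol output posted above.
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   No Auditing
  Account Lockout                         No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success
"""


def parse_auditpol(text):
    """Return {subcategory: (category, setting)} from auditpol text output.

    Matching on the setting suffix instead of column positions lets the
    parser accept both native output and copies whose whitespace collapsed.
    """
    policy, category = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line == "System audit policy"
                or line.startswith("Category/Subcategory")):
            continue
        for setting in SETTINGS:
            name = line[: -len(setting)].strip()
            if line.endswith(setting) and name:
                policy[name] = (category, setting)
                break
        else:
            category = line  # no setting suffix: this is a category heading
    return policy


def is_audited(setting, outcome):
    """True when a subcategory setting covers the given outcome."""
    return setting == "Success and Failure" or setting == outcome


def silent_events(policy, event_ids):
    """List (event_id, subcategory, current_setting) for events that cannot fire."""
    gaps = []
    for event_id in event_ids:
        subcategory, outcome = EVENT_SOURCES[event_id]
        _, setting = policy.get(subcategory, (None, "missing"))
        if not is_audited(setting, outcome):
            gaps.append((event_id, subcategory, setting))
    return gaps


if __name__ == "__main__":
    policy = parse_auditpol(SAMPLE)
    for event_id, subcategory, setting in silent_events(policy, sorted(EVENT_SOURCES)):
        print(f"event {event_id}: '{subcategory}' is set to '{setting}'")
```

For the posted policy only 4776 can be written; the Kerberos events and 4740 stay silent until their subcategories are enabled.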
Running two instances of Windows Server 2012 Essentials R2 on the same domain
We have Windows Server 2012 Essentials R2 running as a domain controller -- and have installed another licensed copy of the same thing on the same domain. We want to use the 2nd server for running an LOB application and provide backup for the
AD services.
The 2nd server is a member of the domain. Can I do this and have the 2nd server provide AD failover services like they do with 2012 Standard?
Two things to consider. In the XP and 2003 era, the OS was not written in a security-first fashion. While XP did have LUA, almost nobody used them. Then came Vista and UAC, and those prompts were a major pain point because nobody wrote for security. Fast
forward 6 years and standard accounts are a normal best practice. Almost nobody in business recommends running daily tasks as administrator.
I mention all this to illustrate that, similar to admin accounts, what you used to get away with no longer applies. Running LOB apps on a DC is just bad. Many times, the app just doesn't work. But even if you could get it to work, it is a terrible idea.
If the stories of Home Depot, Target, and most recently Sony don't already give it away, I'll spell it out. We no longer live in an age where you can take shortcuts and expect to be safe. Large organizations make national news when they screw up. But small
businesses are targeted just as often and are at just as much risk. From "leaking" their client info to having their data held for ransom, the small business is abused regularly, but never makes national news because they are, by definition, small.
If you can take simple easy steps to help minimize that risk, such as keeping a domain controller free of other software and locked down, then it is almost unethical to do otherwise in the modern computing era. The world has changed. It is our responsibility
as I.T. professionals to change with it. That's why we get to call ourselves "professionals" in relation to I.T.
So, what bad things? Risking the customer's very livelihood. I consider that pretty darn bad. -
Windows Server 2008 R2 Domain Controller NOT logging EventID 4740
EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what
I have checked thus far.
>Windows Server 2008 R2 Domain Controller
>Verified the following GPO settings are set and correct:
>Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
>Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
>PowerShell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
>No 4740 entries in the netlogon.log debug file
AD and the LockoutStatus tool show the account is locked out but I still have nothing in the logs.
Anyone have any ideas? From everything I can find online, it appears I have everything set properly.
Thanks, Chico
Hi Chico,
I suggest you try to enable this group policy below:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
More information for you:
Missing 4740 EventID's
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
If you have multiple Domain Controllers, check this event on other DCs, too.
Please feel free to let us know if there are any further requirements.
Best Regards,
Amy Wang
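The two checks discussed in this thread (confirm the audit setting actually in force, then look for 4740 on every domain controller), as an added PowerShell example that is not part of the original posts. It assumes the ActiveDirectory module, PowerShell 3.0 or later on the admin workstation, PowerShell remoting enabled on the DCs, and a 7-day search window chosen for illustration; 4740 is recorded under the "User Account Management" subcategory.

```powershell
# Added example. Assumes: ActiveDirectory module (RSAT), PowerShell remoting
# enabled on the DCs, and rights to read each DC's Security log.
Import-Module ActiveDirectory

$pdc    = (Get-ADDomain).PDCEmulator
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7) }

$report = foreach ($dc in $dcs) {
    $audit = $null; $events = @(); $problem = $null

    # Effective setting for the subcategory that records 4740. auditpol reports
    # what is in force on the DC, which can differ from what the GPO editor shows.
    try {
        $audit = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            auditpol /get /subcategory:"User Account Management" /r |
                Where-Object { $_ } | ConvertFrom-Csv
        }
    } catch { $problem = "auditpol: $($_.Exception.Message)" }

    # Lockout events in this DC's Security log. "No events" is a valid result
    # and must not be confused with an access or connectivity failure.
    try {
        $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $problem = "event log: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        DomainController = $dc
        IsPdcEmulator    = ($dc -eq $pdc)
        UserAccountMgmt  = $audit.'Inclusion Setting'
        Events4740       = $events.Count
        Newest4740       = ($events | Select-Object -First 1).TimeCreated
        Problem          = $problem
    }
}

$report | Sort-Object IsPdcEmulator -Descending | Format-Table -AutoSize
```

A DC whose UserAccountMgmt column reads "No Auditing" will not record 4740 regardless of what the GPO editor displays; compare that row with the gpresult report for the same machine.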