PSRemoting Domain Controllers 2008 R2

I am new to powershell and ps remoting, but I cannot get remoting to work on my DCs. I followed the same steps on non-DCs and they work on the first try. All I am running is this command: Enable-PSRemoting -Force. I have tried turning off the firewall, Management Framework 3 & 4. On my non-DC systems I can connect using Enter-PSSession without issue. When connecting to the DCs, here is what I get.
Enter-PSSession : Connecting to remote server failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is 
running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the 
following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
I have also tested connections with (winrm) and again on the DCs I get this error.
WSManFault
  Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination,
most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number:  -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly
IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
I have tried a lot of troubleshooting tips and manual configurations and I keep coming up empty. The DCs are dedicated to domain services and DNS. I have two DCs, and I am using a workstation in the domain. Any ideas?

Fixed it! Apparently someone before me had experimented with this and somehow got a few registry values into the DC GPO:
Software\Policies\Microsoft\Windows\WinRM\Service\AllowAutoConfig
Software\Policies\Microsoft\Windows\WinRM\Service\IPv4Filter
Software\Policies\Microsoft\Windows\WinRM\Service\IPv6Filter
They were listed under Extra Registry Settings, and apparently you need the original ADM file to edit these. So I had to use the nuclear option and run dcgpofix /target:DC.
Well, at least it works now and I know I have a clean GPO.
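The fix above came down to three WinRM service policy values that Group Policy had pinned on the DCs. The following script is an added example (not from the original thread) that a DC administrator can run to audit those same values, show which listeners the WinRM service actually bound, and probe connectivity the way Enter-PSSession does; the registry path is the one named in the thread, while $RemoteTarget is an assumed placeholder host name.

```powershell
# Added example: audit the WinRM service policy values the thread identified,
# then show the bound listeners and test local/remote WinRM reachability.
# Assumptions (mine): run on the DC in an elevated PowerShell session;
# $RemoteTarget is a placeholder for another host you expect to reach.
param(
    [string]$RemoteTarget = 'dc02.example.local'   # placeholder name
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$valuesOfInterest = 'AllowAutoConfig', 'IPv4Filter', 'IPv6Filter'

# 1. Report whether Group Policy has set the three values from the thread.
if (Test-Path $policyKey) {
    $policy = Get-ItemProperty -Path $policyKey
    foreach ($name in $valuesOfInterest) {
        $value = $policy.$name
        if ($null -eq $value) {
            "{0,-16} not set by policy" -f $name
        } else {
            "{0,-16} policy value = '{1}'" -f $name, $value
        }
    }
    # With AllowAutoConfig=1, an empty IPv4Filter/IPv6Filter tells the service to
    # listen on no address of that family, which is consistent with the
    # 0x80338012 'client cannot connect' error reported in the thread.
} else {
    "No WinRM service policy key present (local settings apply)."
}

# 2. Show the listeners the service actually bound; this is what a client can reach.
Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem -Path $_.PSPath
    $addr  = ($props | Where-Object { $_.Name -eq 'Address' }).Value
    $port  = ($props | Where-Object { $_.Name -eq 'Port' }).Value
    "Listener {0}: Address={1} Port={2}" -f $_.Name, $addr, $port
}

# 3. Probe locally and remotely; Test-WSMan fails the same way Enter-PSSession does.
foreach ($target in @('localhost', $RemoteTarget)) {
    try {
        $null = Test-WSMan -ComputerName $target -ErrorAction Stop
        "WinRM reachable on $target"
    } catch {
        "WinRM NOT reachable on $target : $($_.Exception.Message)"
    }
}
```

If step 1 shows a policy value and step 2 shows no listener for that address family, the GPO is the place to look, as it was in this thread; dcgpofix resets the whole Default Domain Controllers Policy, so reviewing the Extra Registry Settings first tells you what else that reset will discard.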

Similar Messages

  • Running Best Practice Analyzer on remote 2008 R2 domain controllers

    Hello Powershell World,
I'll start out by first mentioning that I am a powershell rookie, so I gladly welcome any input to help me improve or work more efficiently. Anyway, I recently used powershell to run the best practice analyzer for DNS on all of our domain controllers.
The way I went about it was pretty tedious and inefficient but still got the job done through a series of one-liners and exported the report to a UNC path as follows:
Enable-PSRemoting -Force (I logged into all of the domain controllers individually and ran this before running the one-liners below from my workstation)
    New-PSSession -Name <Session Name> -ComputerName <Hostname>
    Enter-PSSession -Name <Session Name>
    Import-Module bestpractices
    Invoke-BPAModel Microsoft/Windows/DNSServer
    Get-BPAResult Microsoft/Windows/DNSServer | Select ModelId,Severity,Category,Title,Problem,Impact,Resolution,Compliance,Help | Sort Category | Export-CSV \\server\share\BPA_DNS_SERVERNAME.csv
    I'm looking to do this again but for the Directory Services best practice analyzer, without having to individually enable remoting on the domain controllers, and also provide a list of servers for the script to run against.
    Thanks in advance for all your help!

    What do you mean by "without having to individually enable remoting"?
    You cannot remote without enabling remoting. You only need to enable remoting once. It is a configuration change. If you have done it once you do not need to do it again.
    Here is how to run from a list of DCs.
    # $listofDCs is your array of DC host names (e.g. from Get-ADDomainController)
    $sb={
    Import-Module bestpractices
    Invoke-BPAModel Microsoft/Windows/DNSServer
    Get-BPAResult Microsoft/Windows/DNSServer |
    Select ModelId,Severity,Category,Title,Problem,Impact,Resolution,Compliance,Help |
    Sort Category |
    Export-CSV "\\server\share\BPA_DNS_$env:COMPUTERNAME.csv"
    Invoke-BPAModel Microsoft/Windows/DirectoryServices
    # etc...
    }
    ForEach($dc in $listofDCs){
    Invoke-Command -ScriptBlock $sb -Computer $dc
    }
    ¯\_(ツ)_/¯
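    The reply's loop runs the script block on each DC in turn and has every DC write its own CSV to a share. The script below is an added example, not the reply's own code, that takes the same idea further: it builds the DC list from Active Directory instead of by hand, fans out to all DCs in one Invoke-Command, and brings the BPA results back to the workstation, so the remote session never needs to reach a UNC path (which would otherwise hit the second-hop credential problem). It assumes the RSAT ActiveDirectory module is installed on the workstation, that remoting is already enabled on the DCs, and $OutDir is a placeholder path.

```powershell
# Added example: run the DNS and Directory Services BPA models on every DC and
# collect the results locally. Assumptions (mine): ActiveDirectory module on the
# workstation, PSRemoting already enabled on the DCs, $OutDir is a placeholder.
param(
    [string]$OutDir = 'C:\BPA-Reports',                    # placeholder
    [string[]]$Models = @('Microsoft/Windows/DNSServer',
                          'Microsoft/Windows/DirectoryServices')
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Build the server list from AD instead of typing it by hand.
$dcs = (Get-ADDomainController -Filter *).HostName

$sb = {
    param([string[]]$ModelIds)
    Import-Module BestPractices
    foreach ($id in $ModelIds) {
        # Invoke-BPAModel performs the scan; Get-BPAResult reads the stored results.
        $null = Invoke-BPAModel -ModelId $id
        Get-BPAResult -ModelId $id |
            Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }}, ModelId, Severity,
                          Category, Title, Problem, Impact, Resolution, Compliance, Help
    }
}

# Fan out to all DCs at once; a DC that fails to respond is reported, not fatal.
$results = Invoke-Command -ComputerName $dcs -ScriptBlock $sb `
               -ArgumentList (,$Models) -ErrorAction Continue

$csv = Join-Path $OutDir ('BPA_{0:yyyyMMdd}.csv' -f (Get-Date))
$results |
    Sort-Object Computer, ModelId, Category |
    Export-Csv -Path $csv -NoTypeInformation

# Quick triage: how many Error-severity findings each DC has.
$results |
    Where-Object { $_.Severity -eq 'Error' } |
    Group-Object Computer |
    Select-Object Name, Count
```

    Because Invoke-Command with a computer list runs the DCs in parallel (32 at a time by default), this finishes in roughly the time of the slowest DC rather than the sum of all of them.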

  • Windows 2008 R2 domain controllers with Windows 2003 forest functional level Supported after Windows 2003 support ends in July 2015

    Hi
    Anyone knows whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be Supported after Windows 2003 support ends in July 2015 ?
    Thanks

    When Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
    So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • Compatibility Exchange Server 2003 SP2 and Domain controllers Windows Server 2008 R2

    Hi all, I have this scenario:
    - Two Domain Controllers Windows Server 2003 R2 SP2
    - Two mail servers Exchange Server 2003 with the following version:
      6.5 (Build 7638.2 Service Pack 2)
    I want to upgrade my domain controllers to Windows Server 2008 R2.
    My question is whether exchange Server 2003 6.5 (Build 7638.2 Service Pack 2) is supported with Domain Controllers Windows Server 2008 R2.
    Can you tell me some official Microsoft website where this reflected?
    regards
    Microsoft Certified IT Professional Server Administrator

    Exchange Server 2003 SP2 supports DCs running Windows Server 2008 R2. These DCs should be RWDCs and not RODCs:
    Exchange 2003 SP2 will now be supported against writeable Windows Server 2008 R2 Active Directory Servers.  Additionally, with the General Availability of Exchange Server 2010, and those looking to standardize on Windows
    Server 2008 R2 we have enhanced the supportability of forest and domain functional levels up to Windows Server 2008 R2.  This change is effective immediately on Exchange 2003 SP2.
    Reference: http://blogs.technet.com/b/exchange/archive/2009/11/30/3408893.aspx
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • Prepare 2003 Forest/Domain for 2008 R2 or 2012 Domain Controllers

    Hi,
    I would be grateful if you could help me with this:
    We have a single Forest/Single Domain structure which is managed by 4 Windows Server 2003 Std Edition. We are now trying to add a Server 2008 R2 as a domain controller. I have followed lots of articles on MS and other website with regards to preparing the
    Forest and domain before promoting the new server and here is what I got so far:
    Schema master - Windows 2003 SE
    FFL/DFL both set to 2003
    Run Adprep32.exe (found it on 2008 R2 disc) /forestprep and the outcome was:
    lDAPDisplayName "uidNumber" defined for object "CN=VintelauidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the lDAPDisplayName value uidNumber and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    OID "1.3.6.1.1.1.1.0" defined for object CN=Vintela-uidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    lDAPDisplayName "gidNumber" defined for object "CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the lDAPDisplayName value gidNumber and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    OID "1.3.6.1.1.1.1.1" defined for object CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.1" and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    lDAPDisplayName "gecos" defined for object "CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the lDAPDisplayName value gecos and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    OID "1.3.6.1.1.1.1.2" defined for object CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.2" and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    lDAPDisplayName "unixHomeDirectory" defined for object "CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the lDAPDisplayName value unixHomeDirectory and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    OID "1.3.6.1.1.1.1.3" defined for object CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.3" and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    lDAPDisplayName "loginShell" defined for object "CN=VintelaloginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the lDAPDisplayName value loginShell and resolve this inconsistency.  Then run adprep again.
    ==============================================================================
    OID "1.3.6.1.1.1.1.4" defined for object CN=Vintela-loginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
    [Status/Consequence]
    Adprep will not extend your existing schema.
    [User Action]
    Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.4" and resolve this inconsistency.  Then run adprep again.
    On the Schema master, I ran the AD Schema MMC and deactivated the object for Vintela, then ran adprep32 /forestprep again and still got the same result.
    Would you please advise what else can/must be done? Does anyone know anything about Vintela (Quest VAS) and how to get rid of it?
    thanks for your help in advance.

    Hi,
    Thanks for your post.
    In this case, the most likely cause may be that the OIDs are in conflict with the 2008 /forestprep. Could you please let me know if the forest functional level is 2003? If not, please raise it to 2003.
    For the information about how to raise functional level, please refer to the articles as below:
    What Are Active Directory Functional Levels?
    http://technet.microsoft.com/en-us/library/cc787290(WS.10).aspx
    Raise the Domain Functional Level
    http://technet.microsoft.com/en-us/library/cc753104.aspx
    Raise the Forest Functional Level
    http://technet.microsoft.com/en-us/library/cc730985.aspx
    What is the Impact of Upgrading the Domain or Forest Functional Level?
    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
    Besides, for the best practice, we can back up all domain controllers’ system state for the unexpected issues. Here is one article related to backup Active Directory.
    Backing up Active Directory
    http://technet.microsoft.com/en-us/library/cc961924.aspx
    I hope this information is helpful for you. If there is anything that requires further clarification, please don’t hesitate to let me know.
    Best regards,
    Ann
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Windows 2008 (Not R2) Domain controllers Kerberos Errors

    We know the replication of the AD structure is working using repadmin /showREPL *
    Which I ran again this morning and all is fine.
    All 3 Domain Controllers are having Kerberos errors ?
    I tried to reset the Kerberos key but the problem still persists.
    This is exactly what I tried yesterday is there something I'm doing wrong ?
    We have 3 Domain controllers
    ch-dc1-2k8    (PDC)
    ch-dc2-2k8
    na-dc1-2k8
    1) I stopped the Kerberos Key Distribution Center service on all 3 servers and set them to manual
    2) I restarted ch-dc2-2k8 and na-dc1-2k8
    3) Then I did the KLIST PURGE on ch-dc2-2k8 and na-dc1-2k8
    4) Then on ch-dc1-2k8 (PDC) I did the
    netdom resetpwd /s:ch-dc1-2k8 /ud:companyname\administrator /pd:*
    5) Set Kerberos Key Distribution Center service to Automatic on ch-dc1-2k8 (PDC)
    6) Restarted ch-dc1-2k8 (PDC)
    7) After it restarted I logged in and let it settle for 5 Minutes
    8) Then I started the kerberos service on ch-dc2-2k8 and na-dc1-2k8
    Am I missing something ?

    Hi,
    I think I have already answered this in the separate case you raised in the forum.

  • Communication issues between domain controllers

    Hi everyone,
    I am experiencing some problems in communication between domain controllers in our organization.
    We have three domain controllers: one of them is a Windows 2003 server service pack 2 which is physical (controller A), another is Windows 2008 Service Pack 2 (controller B), also physical, and a third one (controller C) is Windows 2008 service pack 1 and is virtual.
    I have problems with this last DC; it won't respond to pings or DNS queries. I can't access it by remote desktop client even when it is enabled. I cannot update it; it prompts error messages if I try to do so.
    These problems are solved if I reboot it; it will work fine for some hours or days, but not much longer. I have checked event viewer and I didn't find any message about this.
    I read some time ago that it would be great to have a DC in a virtual machine, so I did it, but is it right?
    Do you know what might be going on with it? Would demoting it and setting it up again be the best solution?
    Thank you very much.
    Best regards.
    David.

    This sounds like a NIC issue, which is odd since it is a virtual machine.  Have you checked the host for any logs about the client? 
    I think the first thing I would do is destroy the current virtual NIC card and add a new one. Since this has nothing to do with Active Directory, I would also suggest you post this in a forum for the host (VMware or Hyper-V).
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Can't edit default domain controllers policy on windows 8 or server 2012

    I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine.  I can edit and save changes fine from a Windows 7 machine.  The domain controllers are running Windows 2012 Standard upgraded
    from Windows 2008 R2.  Is there a security setting I am missing?

    Posting the resolution from the other thread.  Hope it helps!
    I just accidentally resolved this issue today.  I added the GPMC to a 2008 R2 server so I could make a needed firewall
    change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile).  About an hour later, I forgot I was using my Windows 8 machine and I went
    to edit the Default Domain Controllers GPO and opened for edit without a problem.  I can now edit it from Windows 8 and from Windows Server 2012.  Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
    editing the GPO once from a 2008 R2 machine.

  • Retiring 2 domain Controllers

    Hi, we are looking to retire 2 out of our 5 2008 R2 domain controllers. There are no FSMO roles on these 2 controllers. The only other role is DNS. All devices and workstations are now pointing to other DNS servers besides these two.
    My question is that I want to simply shutdown these 2 servers for a week or so and see if anything screams. If it does I can simply bring the controllers back up and figure out what went wrong. If nothing screams I can then safely demote them from being
    a domain controller
    Is the act of shutting them down for a bit a valid way of testing? This will be done off hours but what can the end users or application servers expect if the DC they were using is no longer there, will they get error messages on the screen or
    will it silently go to another DC in the background?
    Any thoughts would be appreciated.
    Thanks

    Is the act of shutting them down for a bit a valid way of testing? This will be done off hours but what can the end users or application servers expect if the DC they were using is no longer there, will they get error messages on the screen or
    will it silently go to another DC in the background?
    Greetings!
    No, it is not. When they are offline, the replication for sure will occur and you may get replication problems due to tombstone, and lingering objects may appear. If you are concerned about the drawbacks of demotion, just do them one by one, check replication, and go for the other one. But from a technical view it is OK to demote them if they are holding no FSMO roles.
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Dfs R Service Stopping before backup on Domain Controllers

    Hi,
    I have a weird issue where the DFS replication service is stopping when a DC backup starts.
    Setup: Forest with 5 child domains. Only one of the domains is having a problem. This domain has DCs in the US and UK; all four DCs experience the same issue. All DCs are Server 2008 R2. DFSR is used for AD replication.
    Issue: DFS replication service stops when a backup starts.
    The DFS Replication service is stopping communication with partner P1USDC01 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
    Additional Information:
    Error: 9036 (Paused for backup or restore)
    About 30 minutes later, when the backup has completed, DFS replication resumes.
    As mentioned, this happens to all 4 domain controllers in the domain, but no other domains are affected. AD replication stops during this time.
    Every time this happens the AD DB is rebuilt.
    lsass (548) A database location change was detected from 'D:\Active Directory\Windows\NTDS\DB\ntds.dit' to '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy168\Active Directory\Windows\NTDS\DB\ntds.dit'.
    I think this is more due to the VSS provider than an issue with the DB.
    Some 'Googling/Binging' shows that that error can be ignored as it resumes afterwards. But I'm not so sure. Why are my other domains not affected? They use the same backup procedure, same hardware, same OS, same patch revision (always 3 months behind current release).
    Any suggestions would be great!

    You can ignore it as long as it restarts. You can also create a scheduled task that will check the service and start it if it is not running.
    I would recommend starting by installing latest Windows Updates (Especially those ones: http://support.microsoft.com/kb/968429) and make sure that your backup solution is up-to-date too. 
    If none helped then I would recommend contacting your backup solution developers technical support for assistance.
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • Disabling IPv6 on 2008R2 Domain Controllers... Best Practice?

    At the end of last year I had a call with Microsoft Support in which I spoke with a member of the Directory Services team regarding an issue.  The issue was resolved with no further problems, but while conversing with the Technical Support Engineer
    I queried him on another issue regarding a second copy of our DNS zone in Active Directory.  He looked at it (remoted in via RDP) then looked at my NIC properties and stated that the reason it happened is because we are running IPv6 on our DCs. 
    I told him we do that on all our servers. (leave IPv6 enabled.)  He then stated that we should not do that, expanding by saying that "Microsoft is in the process of rewriting documentation as IPv6 is no longer supported on Domain Controllers."    
    Needless to say I could not believe this.  I told him how Exchange on an SBS server cannot have IPv6 disabled as the server will stop booting, but he was very adamant about it; he even put me on hold for 10 minutes then came back saying he confirmed
    that this is the case and spoke with the "Documentation Team" and the new Best Practices would be released within the next month. In the meantime he recommended I disable IPv6 on all my DCs. (I work in Consulting so that's a lot of DCs at various different
    business entities.)
    I didn't believe him then, and I don't believe him now.  Reviewing the FAQ linked through http://support.microsoft.com/kb/929852  Says that Microsoft does not recommend disabling IPv6.  Of course no documentation ever came out, nor have I
    found anything to agree with his statements. (we solved the duplicate partition issue ourselves.)
    I just wanted to post here and see if anyone else has heard of this, maybe I'm the one not up and up on my info.  Has or does Microsoft plan on reversing course on the new IPv6 technology that 2008 and up are built on?  I would think that quite
    preposterous!
    Thanks,
    Christopher Long
    Science is a way of thinking much more than it is a body of knowledge. -- Carl Sagan

    There are cases where you DO WANT to disable IPv6 on a domain controller. 
    Example: you have an IPv4 network and do not have IPv6 deployed. In this case, if you are not using IPv6 but leave it enabled, then Windows will assign itself an IPv6 address at random via the APIPA process. That IP address can and does change when you reboot the server.... So I bet you see the problem here.
    If you build a domain controller with IPv6 enabled, it will register its IPv6 address in DNS as offering AD services. Then when you reboot that domain controller and that address changes - BOOM. AD comes crashing down. AD relies heavily on DNS. Windows thinks it's smarter than you and registers its IPv6 address obtained via APIPA in DNS. Now that's a problem. Particularly because Win Server 2008+ prefer IPv6 over IPv4 networks. So communication can blow up even if a valid IPv4 network is available.
    So yes - there are instances where you do want to - in fact need to - disable IPv6 on domain controllers. Microsoft's documentation does not reflect this but it should. At a minimum, if they want you to leave it on, they should at least remind you to set a static IPv6 address if you're running an IPv4 network.
    (ask me how I know all this over a beer some time)
    I opted to just disable it. Despite MS's documentation warning of the contrary, I've seen no adverse impacts. Exchange, SharePoint, AD, etc. all hum along fine.
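    The dispute in this thread is really about which IPv6 addresses a DC holds and which of them end up in DNS. Rather than taking either side on faith, the script below (an added example, not from the thread) lets you see it on a given DC: it classifies each enabled adapter's IPv6 addresses (link-local versus routable) and compares them with the IPv6 addresses the resolver returns for the DC's own name. It uses WMI so it works on 2008 R2, and assumes it is run locally on the DC.

```powershell
# Added example: list a DC's IPv6 addresses by kind and compare with the AAAA
# answers for its own FQDN. Assumptions (mine): run locally on the DC; WMI is
# used deliberately so the script also runs on Windows Server 2008 R2.
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$localV6 = foreach ($nic in $adapters) {
    foreach ($ip in $nic.IPAddress) {
        if ($ip -notmatch ':') { continue }            # skip IPv4 entries
        $kind = switch -Regex ($ip) {
            '^fe80:'   { 'link-local (not routable)'; break }
            '^f[cd]'   { 'unique-local'; break }
            '^2'       { 'global'; break }
            default    { 'other' }
        }
        New-Object PSObject -Property @{ Adapter = $nic.Description; Address = $ip; Kind = $kind }
    }
}
"IPv6 addresses configured on this host:"
$localV6 | Format-Table Adapter, Address, Kind -AutoSize

# What the resolver returns for this host's name. On a DC that is also its own
# DNS server this reflects the records the DC registered for itself.
$registered = @([System.Net.Dns]::GetHostAddresses($fqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetworkV6' } |
    ForEach-Object { $_.IPAddressToString })

"IPv6 addresses returned for $fqdn :"
$registered

$linkLocal = @($registered | Where-Object { $_ -match '^fe80:' })
if ($linkLocal.Count -gt 0) {
    "WARNING: link-local IPv6 address(es) published for $fqdn : $($linkLocal -join ', ')"
} elseif ($registered.Count -eq 0) {
    "No IPv6 addresses published for $fqdn; clients will use IPv4 to reach this DC."
} else {
    "Only routable IPv6 addresses are published for $fqdn; make sure they are static."
}
```

    Run before and after a reboot, the output shows directly whether any published address changed, which is the concrete failure the reply is worried about; a DC that publishes only static, routable IPv6 addresses (or none) does not exhibit it.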

  • Domain Controllers that are DNS servers DNS Client settings

    [Copying verbatim from a mail by Joe ]
    So I have been pinged by a few folks recently on configuration of client DNS settings on Domain Controllers that are also functioning as DNS Servers. Lots of debate. I understand there has been long time debate within MSFT as well.
    From http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx there is the quote
    "3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address."
    From http://www.microsoft.com/en-us/download/confirmation.aspx?id=9166 (Windows Server 2008 R2 Core Network Guide)
    "9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer.
    10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer."
    From http://technet.microsoft.com/en-us/library/dd378900(v=ws.10).aspx (DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers)
    "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to
    itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should
    be configured only as a secondary or tertiary DNS server on a domain controller...
    Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
    ESPECIALLY "For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary
    DNS server on a domain controller." and "Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
    Why shouldn't loopback be first? The justification is why you shouldn't only use loopback, not why it shouldn't be first.
    From http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx (DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry)
    "If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners. 
    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself,
    or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only
    as a secondary or tertiary DNS server on a domain controller."
    This also seems like justification against only using loopback versus using it first.
    Are there any actual real documented issues for using loopback first and a remote DNS server second and perhaps third? If the local DNS server service isn't working yet (or at all), I would expect the DNS Client process
    to try to connect to it, fail, and then failover to the secondary just like I would expect it to failover if the remote DNS server was secondary and it was unavailable and it failed back to the loopback. Am I making a bad assumption?
    And by documented I don't mean random responses to questions on the internet or other such items. I mean a KB article or technet article or properly researched and tested other web article from a reliable resource.
    thanks, 
    joe

    As I understand it, the scenario whereby a DC could become an 'island' if it points only to itself, or to itself first, was repaired in the Windows Server 2003 product cycle. See
    http://support.microsoft.com/kb/275278 for information about this scenario.
    However, there is still a known problem of slow boot times that can occur. See
    http://support.microsoft.com/kb/2001093 for information about this. The scenario that is discussed assumes there is a power failure and servers shut down due to overheating while on backup power. When
    multiple servers come online simultaneously after power is restored, there can be a significant delay.
    The recommended configuration is one that avoids a single point of failure, but also tries to optimize the speed of resource record registration, so that Active Directory can properly synchronize.
    -Greg
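    Whatever position one takes on loopback-first, the quoted guidance agrees on one thing: a DC should not point only at itself. The script below is an added example (not from the mail or the reply) that audits the DNS client server list on every DC's active adapters from an administrator's workstation and flags the two conditions discussed: self or loopback listed first, and a DC that lists nothing but itself. It reads the list through WMI (Win32_NetworkAdapterConfiguration, DNSServerSearchOrder) so it works against 2008 R2 DCs, and assumes the RSAT ActiveDirectory module is available.

```powershell
# Added example: audit DNS client server order on all DCs and flag
# "loopback/self first" and "points only to itself". Assumptions (mine):
# domain-joined admin workstation with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address

$report = foreach ($dc in $dcs) {
    $nics = Get-WmiObject -ComputerName $dc.HostName -Class Win32_NetworkAdapterConfiguration `
                -Filter 'IPEnabled = TRUE' -ErrorAction SilentlyContinue
    if (-not $nics) {
        New-Object PSObject -Property @{ DC = $dc.HostName; Adapter = '-';
                                         DnsServers = '-'; Finding = 'WMI query failed' }
        continue
    }
    foreach ($nic in $nics) {
        $list = @($nic.DNSServerSearchOrder)
        if ($list.Count -eq 0) { continue }

        # Every address that means "me": loopback plus the adapter's own addresses.
        $self = @('127.0.0.1', '::1', $dc.IPv4Address) + @($nic.IPAddress)

        $selfFirst = $self -contains $list[0]
        $onlySelf  = @($list | Where-Object { $self -notcontains $_ }).Count -eq 0

        $finding = if ($onlySelf)      { 'ISLAND RISK: points only to itself' }
                   elseif ($selfFirst) { 'self/loopback listed first' }
                   else                { 'ok' }

        New-Object PSObject -Property @{
            DC = $dc.HostName; Adapter = $nic.Description
            DnsServers = ($list -join ', '); Finding = $finding
        }
    }
}

$report | Sort-Object DC | Format-Table DC, DnsServers, Finding -AutoSize
```

    The 'ok' result means the adapter lists at least one other DNS server somewhere in its order, which is the single-point-of-failure concern Greg's reply raises; the 'self first' result is informational, so you can decide whether the slow-boot scenario in the cited KB applies to your environment.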

  • Setting up Time Sync when all domain controllers are virtual machines?

    We have 2 existing server 2008 domain controllers on 2008 Hyper-V.  We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
    PDC role DC is on one of the DCs in the original site.
    How should time syncing be set?
    From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
    So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
    What happens with this process during a PDC reboot or if that PDC role domain controller becomes unavailable for any other reason? Does one of the other DCs then take over the role of domain time source even though they don't have access to the external
    time source?
    Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain (since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?

    We have 2 existing server 2008 domain controllers on 2008 Hyper-V.  We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
    PDC role DC is on one of the DCs in the original site.
    How should time syncing be set?
    Simply make sure that time sync is disabled on your Hyper-V VM. For time configuration in AD domain, I have documented that here: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
    From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
    So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
    They don't take over the role of PDC. The downtime of your PDC should not take a long time. That is why it is important to regularly monitor the health status of your DCs using SCOM or third party tools. The one I usually recommend is
    Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html. The solution allows you also to track changes
    in your AD domain.
    Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain
    (since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?
    I would recommend turning off the Hyper-V time sync on all your Hyper-V VMs that are domain-joined.
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile
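An added example, not from the reply or from Lepide: the time hierarchy the reply describes, as commands. It assumes the ActiveDirectory module, a Windows Server 2012 R2 Hyper-V host for the Hyper-V cmdlets (the 2008 hosts need the Integration Services page in Hyper-V Manager instead), and the NTP server names time1.example.com and time2.example.com, which are placeholders.

```powershell
# Added example (not part of the thread). Run each part where the comment says.

# --- On each Hyper-V host (2012 R2 cmdlets): stop the host clock from
#     overriding the guest clock on every domain-joined VM. Narrow the
#     Get-VM output with Where-Object if the host also runs non-domain guests.
Import-Module Hyper-V
Get-VM | Disable-VMIntegrationService -Name 'Time Synchronization'
Get-VM | Get-VMIntegrationService -Name 'Time Synchronization' |
    Select-Object VMName, Name, Enabled        # Enabled must be False everywhere

# --- On each DC: only the PDC emulator syncs from outside the domain.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator              # FQDN of the PDC emulator
if ($env:COMPUTERNAME -eq ($pdc -split '\.')[0]) {
    # PDC emulator: manual peer list of external NTP servers (placeholder names),
    # 0x8 = client mode; /reliable:yes advertises it as the domain's time source.
    w32tm /config /manualpeerlist:"time1.example.com,0x8 time2.example.com,0x8" `
        /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC (and any member whose config was hand-edited): follow the
    # domain hierarchy, so it never uses the external list itself.
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync /nowait

# --- Verify: the PDC should report an external NTP server as its source,
#     the other DCs a DC in the domain, and none should report "Local CMOS Clock"
#     or "VM IC Time Synchronization Provider".
w32tm /query /source
w32tm /query /status
```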

  • Can I add a WinServer 2012 into a mix child Domain with 2008 and 2003?

    The functional level is 2003 and the main domain is mixed with 2008 and 2003. The users need the template of Server 2012 and use the "new" group policy so that they are able to use the "new" feature in Windows 8 (which I totally
    do not think is much useful). I have a plan to join the 2012 server into a child domain as a DC but I don't know if that will cause any problems. Can I do so?
    Thanks all.
    Gary

    @Darren: http://technet.microsoft.com/en-us/library/jj592683.aspx
    For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as
    a property in the Computer object itself for the default Windows Server 2008 R2 schemas.
    To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects.
    Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change.
    To support Windows 8 computers that are managed by a Windows Server 2003 or Windows 2008 domain controller
    There are two schema extensions that you can copy down and add to your AD DS schema:
    TpmSchemaExtension.ldf 
    This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. Only the Computer object that has created
    the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update
    to the schema was created.
    TpmSchemaExtensionACLChanges.ldf 
    This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer
    in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing
    to track changes for these objects. 
    To download the schema extensions, see Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from
    Windows 8 clients.
    If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated.
    Also, if you check the GPOs in 2012, there are specific templates for Windows 8/2012 and specific (legacy) templates for Windows 7.
    MCITP:SA:EA:EMA2010:VA2008R2
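An added example, not from the reply or the quoted TechNet text: the two mitigations the quoted text recommends after applying TpmSchemaExtensionACLChanges.ldf, a regular export of the TPM objects and change auditing on them. It assumes the ActiveDirectory module, Domain Admin rights, the object class name msTPM-InformationObject from the Windows Server 2012 schema (not quoted in the thread), and a placeholder backup path.

```powershell
# Added example (not part of the thread). Assumes the ActiveDirectory module,
# Domain Admin rights (reading the owner authorization value and writing SACLs
# need them), and that the TPM objects use the class msTPM-InformationObject.
Import-Module ActiveDirectory
$domainDn   = (Get-ADDomain).DistinguishedName
$tpmObjects = Get-ADObject -LDAPFilter '(objectClass=msTPM-InformationObject)' `
    -SearchBase $domainDn -Properties *

# 1. Backup: export every TPM object with all attributes so an overwritten
#    owner authorization value can be restored. Path is a placeholder.
$backupDir = 'C:\Backup\TPM'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$tpmObjects | Export-Clixml -Path (Join-Path $backupDir "tpm-objects-$stamp.xml")

# 2. Auditing: record every successful property write to a TPM object by any
#    principal. With the relaxed ACL any domain computer can write OwnerAuth,
#    so the SACL is what turns such a write into a 5136 event on the DC.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
foreach ($obj in $tpmObjects) {
    $path = "AD:\$($obj.DistinguishedName)"
    $acl  = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}
# Objects created after this run are not covered; rerun on a schedule with the backup.

# 3. The SACL only yields events if the subcategory is enabled on the DCs
#    (run on each DC, or set the same policy through the Default Domain
#    Controllers Policy).
auditpol /set /subcategory:"Directory Service Changes" /success:enable
```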

  • Security Log entries on domain controllers

    Hi Everyone,
    I started working in an environment where they must log all security events due to regulations on one of the domains. It has 200 Windows XP and Windows 7 computers and about 200 users give or take. It has several servers including 2 Windows 2008 R2 domain
    controllers.
    The security log on domain controller 1 fills up to 400 MB after a week, archives the log, clears the log and starts all over again. The security log on the domain controller 2 reaches 400 MB every day and archives the entries, clears them and starts again.
    Sometimes the domain controller 2 will reach 400 MB two or three times in a day.
    The other sys admin tells me this issue just started three months ago and he can't determine why. Both servers only reached 400 MB once a week in the past. I've looked at the logs and don't see errors. There are hundreds of thousands of logon\logoff events--ID
    4634. It shows domain controller 1 constantly connecting to domain controller 2. This doesn't seem to be expected behavior for such a small domain? I'd appreciate any guidance on how to reduce the security entries without cutting back on logging.
    Thanks,
    Greg

    Hi Greg,
    Please post the exact event message for further troubleshooting.
    In addition, please note that support for Windows XP ended on April 8, 2014; please upgrade Windows XP machines as soon as possible.
    A notification about the end of Windows XP support
    http://support.microsoft.com/kb/2934207
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
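An added example, not from either post: a PowerShell function that summarises which accounts and logon types produce the 4624/4634 volume on a DC, which is the detail the reply asks for before anything is tuned. It assumes remote event log access to the DC; the DC name and event counts in the usage call are constructed.

```powershell
# Added example (not part of the thread). Assumes remote access to the
# Security log of the named DC (Event Log Readers or admin rights).
function Get-LogonEventSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 50000,   # Get-WinEvent returns newest events first
        [int]$Top = 15
    )
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634 }

    # Pull the fields out of each event's XML; 4634 carries no source address
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Id        = $e.Id
            LogonType = $data['LogonType']
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source    = $data['IpAddress']
        }
    }

    # Event rate over the window that was read (newest first, so [0] is latest)
    $hours = [math]::Max(($events[0].TimeCreated - $events[-1].TimeCreated).TotalHours, 0.01)
    Write-Host ("{0} events over {1:N1} h = {2:N0} events/h on {3}" -f `
        @($rows).Count, $hours, (@($rows).Count / $hours), $ComputerName)

    # Machine accounts (names ending in $) with LogonType 3 are the other DC
    # and member computers talking to this DC; one of them dominating the
    # list is the lead to follow.
    $rows | Group-Object Id, LogonType, Account |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

Get-LogonEventSummary -ComputerName 'DC2' -MaxEvents 20000   # constructed usage

# Run on each DC: a Logon/Logoff subcategory (for example Audit Logoff, which
# produces 4634) enabled three months ago on only one DC would explain why the
# two logs now fill at such different rates.
auditpol /get /category:"Logon/Logoff"
```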
