Remove a domain controller when dcpromo bombs
i'm trying to demote one server in a two server setup
i start dcpromo , it gets part way through and then bombs with an "Access is denied" error
which is b~@:!hit. Ive tied this 2 or 3 times with known good passwords(see dcpromoui.log below)
So how can i fix that or delete the controller without using dcpromo
cheers
dave
============================
dcpromoui E28.638 0466 13:58:28.218 Enter DS::DemoteDC
dcpromoui E28.638 0467 13:58:28.218 Enter State::IsLastDCInDomain false
dcpromoui E28.638 0468 13:58:28.218 Enter State::IsForcedDemotion false
dcpromoui E28.638 0469 13:58:28.218 Enter State::GetAdminPassword
dcpromoui E28.638 046A 13:58:28.218 Enter State::GetAppPartitionList
dcpromoui E28.638 046B 13:58:28.218 Enter AllocateAppPartitionList
dcpromoui E28.638 046C 13:58:28.218 Calling DsRoleDemoteDc
dcpromoui E28.638 046D 13:58:28.218 lpServer : (null)
dcpromoui E28.638 046E 13:58:28.218 lpDnsDomainName : (null)
dcpromoui E28.638 046F 13:58:28.218 ServerRole : DsRoleServerMember
dcpromoui E28.638 0470 13:58:28.218 lpAccount : (null)
dcpromoui E28.638 0471 13:58:28.218 Options : 0x80
dcpromoui E28.638 0472 13:58:28.218 fLastDcInDomain : false
dcpromoui E28.638 0473 13:58:28.218 cRemoteNCs : 0
dcpromoui E28.638 0474 13:58:28.250 HRESULT = 0x00000000
dcpromoui E28.638 0475 13:58:28.250 Enter DeallocateAppPartitionList
dcpromoui E28.638 0476 13:58:28.250 Enter DoProgressLoop
dcpromoui E28.638 0477 13:58:28.250 Enter State::GetOperation DEMOTE
dcpromoui E28.638 0478 13:58:28.250 Enter ProgressDialog::UpdateButton
dcpromoui E28.638 0479 13:58:29.765 Enter ProgressDialog::UpdateText Active Directory Domain Services successfully transferred the remaining data in directory partition DC=ForestDnsZones,DC=data-action,DC=co,DC=uk to Active Directory Domain Controller \\nasbox.data-action.co.uk.
dcpromoui E28.638 047A 13:58:43.297 Enter ProgressDialog::UpdateText Stopping service NETLOGON
dcpromoui E28.638 047B 13:58:44.797 Enter ProgressDialog::UpdateText Stopping service IsmServ
dcpromoui E28.638 047C 13:58:47.797 Enter ProgressDialog::UpdateText Stopping service kdc
dcpromoui E28.638 047D 13:58:49.297 Enter ProgressDialog::UpdateText Creating a new local security account manager (SAM) database...
dcpromoui E28.638 047E 13:58:50.875 Enter ProgressDialog::UpdateText Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller nasbox.data-action.co.uk...
dcpromoui E28.638 047F 13:59:02.875 Enter ProgressDialog::UpdateText Configuring service NTDS
dcpromoui E28.638 0480 13:59:04.375 Enter ProgressDialog::UpdateText Configuring service NETLOGON
dcpromoui E28.638 0481 13:59:05.875 Enter ProgressDialog::UpdateText Configuring service DFSR
dcpromoui E28.638 0482 13:59:07.375 Enter ProgressDialog::UpdateText The attempted domain controller operation has completed
dcpromoui E28.638 0483 13:59:07.375 Enter ProgressDialog::UpdateButton
dcpromoui E28.638 0484 13:59:07.375 Progress loop complete.
dcpromoui E28.638 0485 13:59:07.375 Calling DsRoleGetDcOperationResults
dcpromoui E28.638 0486 13:59:07.375 Error 0x0 (!0 => error)
dcpromoui E28.638 0487 13:59:07.375 Operation results:
dcpromoui E28.638 0488 13:59:07.375 OperationStatus : 0x5 !0 => error
dcpromoui E28.638 0489 13:59:07.375 DisplayString : The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048A 13:59:07.375 ServerInstalledSite : (null)
dcpromoui E28.638 048B 13:59:07.375 OperationResultsFlags: 0x0
dcpromoui E28.638 048C 13:59:07.375 Enter ProgressDialog::UpdateText The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048D 13:59:07.375 Enter State::SetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048E 13:59:07.375 Enter State::SetOperationResultsFlags 0x0
dcpromoui E28.638 048F 13:59:07.375 Exception caught
dcpromoui E28.638 0490 13:59:07.375 catch completed
dcpromoui E28.638 0491 13:59:07.375 handling exception
dcpromoui E28.638 0492 13:59:07.375 Enter State::ClearHiddenWhileUnattended
dcpromoui E28.638 0493 13:59:07.375 Enter EnableConsoleLocking
dcpromoui E28.638 0494 13:59:07.375 Enter RegistryKey::Create SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
dcpromoui E28.638 0495 13:59:07.375 Enter RegistryKey::SetValue-DWORD DisableLockWorkstation
dcpromoui E28.638 0496 13:59:07.375 Enter State::SetOperationResults result FAILURE
dcpromoui E28.638 0497 13:59:07.375 Enter ProgressDialog::UpdateText
dcpromoui E28.638 0498 13:59:07.375 Enter State::IsOperationRetryAllowed
dcpromoui E28.638 0499 13:59:07.375 true
dcpromoui E28.638 049A 13:59:07.375 credentials were invalid, hr=0x80070005
dcpromoui E28.638 049B 13:59:07.375 Enter GetErrorMessage 80070005
dcpromoui E28.638 049C 13:59:07.375 Enter State::GetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 049D 13:59:07.375 Enter State::GetOperation DEMOTE
dcpromoui E28.638 049E 13:59:07.375 Enter State::GetParentDomainDnsName
dcpromoui E28.638 049F 13:59:44.469 credential retry canceled
dcpromoui E28.638 04A0 13:59:44.469 Enter ComposeFailureMessage
dcpromoui E28.638 04A1 13:59:44.469 Enter State::GetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 04A2 13:59:44.469 Enter State::GetOperationResultsFlags 0x0
dcpromoui E28.638 04A3 13:59:44.469 Enter State::GetOperationResultsFlags 0x0
dcpromoui E28.638 04A4 13:59:44.469 Enter State::SetFailureMessage The operation failed because:
The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
"Access is denied."
dcpromoui E28.638 04A5 13:59:44.469 posting message to progress window
dcpromoui E28.318 04A6 13:59:44.469 Enter ProgressDialog::UpdateText Operation Stopped
dcpromoui E28.318 04A7 13:59:44.485 Enter ProgressDialog::OnDestroy
dcpromoui E28.318 04A8 13:59:44.485 OPERATION FAILED
dcpromoui E28.318 04A9 13:59:44.485 Enter State::GetNeedsReboot false
dcpromoui E28.318 04AA 13:59:44.485 Enter State::IsOperationRetryAllowed
dcpromoui E28.318 04AB 13:59:44.485 true
dcpromoui E28.318 04AC 13:59:44.485 Enter Wizard::SetNextPageID id = 156
dcpromoui E28.318 04AD 13:59:44.485 push 142
dcpromoui E28.318 04AE 13:59:44.485 Enter FailurePage::OnInit
dcpromoui E28.318 04AF 13:59:44.485 Enter MultiLineEditBoxThatForwardsEnterKey::Init
dcpromoui E28.318 04B0 13:59:44.485 Enter ControlSubclasser::Init
dcpromoui E28.318 04B1 13:59:44.485 Enter FailurePage::OnSetActive
dcpromoui E28.318 04B2 13:59:44.485 Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04B3 13:59:44.485 Enter State::GetNeedsReboot false
dcpromoui E28.318 04B4 13:59:44.485 Enter State::GetFailureMessage The operation failed because:
The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
"Access is denied."
dcpromoui E28.318 04B5 13:59:47.876 Enter DCPromoWizardPage::OnWizNext
dcpromoui E28.318 04B6 13:59:47.876 Enter FailurePage::Validate
dcpromoui E28.318 04B7 13:59:47.876 Enter Wizard::SetNextPageID id = 154
dcpromoui E28.318 04B8 13:59:47.876 push 156
dcpromoui E28.318 04B9 13:59:47.876 Enter FinishPage::OnInit
dcpromoui E28.318 04BA 13:59:47.876 Enter MultiLineEditBoxThatForwardsEnterKey::Init
dcpromoui E28.318 04BB 13:59:47.876 Enter ControlSubclasser::Init
dcpromoui E28.318 04BC 13:59:47.876 Enter FinishPage::OnSetActive
dcpromoui E28.318 04BD 13:59:47.876 Enter State::GetNeedsReboot false
dcpromoui E28.318 04BE 13:59:47.876 Enter getCompletionMessage
dcpromoui E28.318 04BF 13:59:47.876 Enter State::GetOperation DEMOTE
dcpromoui E28.318 04C0 13:59:47.876 Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04C1 13:59:47.876 Enter NeedDsBinaryWarning
dcpromoui E28.318 04C2 13:59:47.876 Enter Computer::RemoveLeadingBackslashes
dcpromoui E28.318 04C3 13:59:47.876 Enter GetProductTypeFromRegistry
dcpromoui E28.318 04C4 13:59:47.876 Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui E28.318 04C5 13:59:47.876 Enter RegistryKey::GetValue-String ProductType
dcpromoui E28.318 04C6 13:59:47.876 LanmanNT
dcpromoui E28.318 04C7 13:59:47.876 prodtype : 0x2
dcpromoui E28.318 04C8 13:59:47.876 Enter State::GetFinishMessages
dcpromoui E28.318 04C9 13:59:59.751 Enter FinishPage::OnWizFinish
dcpromoui E28.318 04CA 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CB 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CC 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CD 13:59:59.766 Enter State::GetNeedsReboot false
dcpromoui E28.318 04CE 13:59:59.766 Enter State::GetUserCancelled false
dcpromoui E28.318 04CF 13:59:59.766 Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04D0 13:59:59.766 Enter State::GetHadNonCriticalFailures
dcpromoui E28.318 04D1 13:59:59.766 bHadNonCriticalFailures = false
dcpromoui E28.318 04D2 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D3 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D4 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D5 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D6 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D7 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D8 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D9 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DA 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DB 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DC 13:59:59.766 exitCode = 54
dcpromoui E28.318 04DD 13:59:59.766 Enter State::UnbindFromReplicationPartnetDC
dcpromoui E28.318 04DE 13:59:59.766 closing log
this is what i decided to do. unfortunately the metadata cleanup did not complete
Access is denied? - that sounds familiar
the server is still listed in "AD Sites and Services" (and cannot be deleted by the management snapin)
===================================================
select operation target:
select operation target:
select operation target:
select operation target: select server 1
Site - CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk
Domain - DC=data-action,DC=co,DC=uk
Server - CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-ac
tion,DC=co,DC=uk
DSA object - CN=NTDS Settings,CN=LPSERVER,CN=Servers,CN=Palatine,CN=Site
s,CN=Configuration,DC=data-action,DC=co,DC=uk
DNS host name - lpServer.data-action.co.uk
No current Naming Context
select operation target:
select operation target: quit
metadata cleanup:
metadata cleanup:
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Unable to find server reference on "CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,
CN=Configuration,DC=data-action,DC=co,DC=uk".
LDAP error 0x5e(94 (No result present in message).
The attempt to remove the FRS settings on CN=LPSERVER,CN=Servers,CN=Palatine,CN=
Sites,CN=Configuration,DC=data-action,DC=co,DC=uk failed because "Element not fo
und.";
metadata cleanup is continuing.
DsRemoveDsServerW error 0x5(Access is denied.)
metadata cleanup:
metadata cleanup:
Similar Messages
-
I have SBS 2008 with a Windows Server 2008 SP2 server as a second domain controller. I've added a new 2012 server and made it a domain controller. I need to demote the 2008 box. If I run dcpromo, it doesn't detect that it is a domain
controller and just wants to create a new one. I notice that the AD DS service is not running, it is disabled. When I try to start it, it just stops. dsquery server shows all three as domain controllers. What is the best way to remove
this DC?I have gone through the thread. Please check the following:
1. Login to 2012 DC, and check "NTDS Settings" are not seen under 2008 DC in Active Directory Sites and Services snap-in
2. Ensure that 2012 DC have all FSMO roles
3. Do your clients point to 2008 DNS for resolution or 2012 DC for resolution? If they use 2008, plan to change them to 2012
4. Ensure that 2008 DC doesn't run any other services like - WINS, DFS, DHCP, Certificate Services etc.
5. Run repadmin /replsummary to see replication state for 2008 DC
Once the above are answered, I would suggest that you clean-up the Active Directory metadata by using NTDSUTIL on 2012 DC.
If there are any configuration issues with 2008 DC and it is not completely removed from the configuration then you could end up with having Lingering Objects in your environment and it might create more issues.
I suggest to clean-up AD before Tombstone period kicks in for 2008DC.
- Sarvesh Goel - Enterprise Messaging Administrator -
I have a small computer with just an embedded drive instead of a sata port. It seemed perfect for a small domain controller, since it has 32G's which is more than enough space, and with a gigabit Ethernet, and 1.6Ghz dual core cpu, seemed more than enough
for what I needed.
Windows 2012, or Windows Server Technical Preview, both install fine on it, but when I run dcpromo to create the domain It fails on selecting the location for files. The error is that the path is not a hard drive. The machine only has USB ports so I can't
add a SATA drive just to store these logs/configs, even if I wanted to.
The actual computer I was trying to use: http://www.ecs.com.tw/LIVA/
Thanks for any help.On the Windows Server Technical Preview,
Install-ADDSForest -SkipPreChecks -DomainName DOMAIN.CONTOSO.COM -DomainMode Win2008 -ForestMode Win2008R2 –DatabasePath "C:\Windows\NTDS" –SYSVOLPath "C:\Windows\NTDS" –LogPath "C:\Windows\NTDS\Logs"
gives me the error "No NTFS 5 drives exit." (note exit, not exist)
I'll reinstalling windows 2012 and see if I get a different message there.
This was just a standard install, so the drive is definitely NTFS. -
Exchange server-Removing a Domain Controller from the forest
Hi Guys,
I need some help on removing a faulty domain controller from the AD forest. Here is the scenario:
1. The FSMO roles have been seized to a new domain controller already.
2. The old one is non-functional and is down for ever.
I know the steps would be doing a meta-data cleanup And then remove some of the DNS entries related to the old server. But the real issue is:
> I have Exchange 2013 running in one of the machines configured in the Forest, which was migrated from the old Domain controller. I then set Exchange listening to the new domain controller.
So, my doubt is, if I delete the old domain controller and do a metadata cleanup, would it have any effect on the exchange server? The Exchange machine acts as an additional domain controller as well. Its a production environment and any
change that affects Exchange would cause a big loss. Looking forward for your valuable suggestions..
Regards,
NashHi Ed,
I don't have issues with the AD on the Exchange server. Eventhough it is configured as an AD, Exchange is pointed to the main working domain controller, which is a different machine. I just want to remove the traces of an old domain controller from which
I transferred the FSMO roles to the new domain controller. The old domain controller is completely down and hence I can't do a conventional 'dcpromo' on it. So just planning to do a 'metadata clean up' for removing the non-working DC from the forest.
So, In essence, I just want to know that, if I do a metadata cleanup, would it affect the Exchange server in any way?
Regards,
Nash -
Restoring a Domain Controller - When other DC's are available
I'm trying to get some clarity and confidence on the proper way to restore domain controllers. here are my questions:
1. What is the proper way to restore a Domain controller into an existing Forrest where other domain controllers are present when you have a system state backup taken by Windows Server Backup?
1a. In this scenario - will i need to enter into DSRM mode prior to booting the server?
2. What is the proper way to restore a Virtualized Domain Controller into an existing Forrest where other domain controllers are present when you have a 3rd party image based backup solution that has HyperV VSS writers?
2a. In this scenario - will i need to enter into DSRM mode prior to booting the server?1. What is the proper way to restore a Domain controller into an existing Forrest where other domain
controllers are present when you have a system state backup taken by Windows Server Backup?
You can restore the DC using two possible methods:
Method 1: Do a non-authoritative restore using a system state backup. Do not do an authoritative restore so that you do not lose recent changes here.
Method 2: If the DC is an FSMO holder then size the FSMO roles to another DC, do a metadata cleanup and then re-install the server and promote it again as a DC. If it is not an FSMO holder then simply do a metadata cleanup and then re-install
the server and promote it again as a DC.
1a. In this scenario - will i need to enter into DSRM mode prior to booting the server?
Yes. You need to get inside DSRM mode to restore the DC from a system state backup.
2. What is the proper way to restore a Virtualized Domain Controller into an existing Forrest where
other domain controllers are present when you have a 3rd party image based backup solution that has HyperV VSS writers?
You can read that: http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers
Also, see that about DC cloning in Windows Server 2012 and higher: http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx
2a. In this scenario - will i need to enter into DSRM mode prior to booting the server?
You can find the details in the links I shared.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
What note when remove an Domain controller from Existing Domain!!!
Dear everybody,
My company has 3 Domain controllers at the moment.
all of them have some functions: DHCP, DNS.
Now, we have plan to remove an DC/
So, What note we need to pay attention when remove one of them?
Thanks for your help!!!1. Migrate DHCP first. Using below command
netsh dhcp server export C:\dhcp.txt all -old Server
netsh dhcp server import C:\dhcp.txt all -New Server.
2. Enable DNS debug log & see which client still pointing the old DC.
http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
3. Change the DHCP Scope accordingly.
HTH
Biswajit
Regards,
Biswajit
MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
Blog:
Script Gallary:
LinkedIn:
Note: Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.. -
Only contact Domain Controller when on a particular network
As per subject, I have a laptop joined to a domain and logging on is slow when outside the network. Obviously it is trying to contact the domain contoller but fails. Can we set it to immediately use the last saved password when not within the network?
That might be the reason.
but as you could logon it, the cached info is worked here. the logon is slow might caused by the mapped drives. and disable the always wait ..policy should fit this, which is not recommended when mapped drive is in use.
Run Xperf to take a check with the slow logon process.
http://blogs.technet.com/b/yongrhee/archive/2013/10/15/tool-windows-performance-toolkit-xperf-wprui-and-wpr-updated-version-as-of-aug-2013.aspx
Rgds -
Remove domain controller 2008 from active directory
Hi,
I have 2 DC 2008R2 & i have 2 ts one of them don't get the GPO i do everything i found that my 2 dc don't replicate good i can see the different on sysvol folder.
After that i explain my self, My question if i remove the dc (its not the fsmo dc its the second), and after removing i add this dc ?
I need to check some checks before ?
After removing i need to delete from the dns record
?After Adding the same dc to the domain i need to check something ?
Thanks
ZahiHi,
>i want to remove my dc and replace him with new dc.
You can add a new DC to a domain, and then remove the DC that you want to remove.
To add a DC to a domain, after add server to a domain, we can run dcpromo to install AD.
After server 2012, Adprep.exe commands run automatically as needed as part of the AD DS installation process.
For more detailed information about Adprep.exe, you can refer to the following link:
Running Adprep.exe
http://technet.microsoft.com/en-us/library/dd464018(v=WS.10).aspx
For detailed steps about how to Removing a Domain Controller from a Domain, you can refer to the following link:
Removing a Domain Controller from a Domain
http://technet.microsoft.com/en-us/library/cc771844(v=WS.10).aspx
Best Regards,
Erin -
Group Policy Management Console Failes to open when one Domain Controller is powered down
Hi All,
This was an accidental discovery, but here's my dilemma. I have a site with 2 domain controllers(Windows 2008 R2), and if I shut down my second domain controller, when I try to open the Group Policy Management Console on the 1st domain controller,
it fails to open and I get the following error, "The specified domain either does not exist or could not be contacted" with 3 options to "retry", "choose another domain controller", or remove. If I go to chose another domain
controller and select the 1st domain controller it still fails. Unless the 2nd DC is turned on, I have no issues opening the GP management console. Not sure, why this is happening, I've done it in the pass without issue.
Any help would be appreciated.
ThanksWell it seems that some how the PDC emulator is set to be the 2nd DC instead of the 1st DC on the 1st DC which explains why the failure after the 2nd DC went down. Why or should I say how could the PDC get switched from the primary DC without human intervention.
Does the PDC automatically switch for any reason? -
Hi,
I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described
in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller
When I run Farm configuration wizard to provision search service application, I get an error:
ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
The log file logged the details of this error as:
ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
that cannot be translated."
After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
I got some pointer from the below thread
https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
However, the above thread doesn't state that the solution worked.
I have tried creating share manually for Analytics_<Guid> folder but it doesn't work since every time farm configuration wizards is run it creates a new Analytics_<Guid> folder.
Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
Can some please guide me on how to successfully provision search for SharePoint Foundation 2013 setup as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
Thanks in advance.
HimanshuMicrosoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Error finding a domain controller
Hi,
I have an error in finding a windows domain controller when a PC bootup and does a network access via a Cisco wireless PCMCIA card (AIR PCM-352) managed by Cisco ACU.
This is the situation:
- the operating system of the PC is Windows XP sp2
- the wireless card is an AIR PCM352 with firmware V.5.60.21
- the version of ACU is 6.6.00
- the Access point is a Cisco 1120 (802.11b) with IOS version 12.3(8)JA
- wireless communication is completely open (ssid in guest mode, authentication open ,no wep)
- the ip address of the PC is obtained via DHCP (DHCP server is a Microsoft Server)
I notice a difference between a Cisco PCMCIA card 352 managed by Cisco ACU and by Windows XP.
In fact this error doesn't happen when the WLAN card is controlled by Windows wireless utility.
Is it possible that the startup timing of the Cisco ACU is later than the Window's one?
Does anyone resolved this error?
Thanks in advance
AntonioHi Antonio,
Obviously you get the error of the domain not found because your wireless card is not even associated (the wireless card utility hasnt started)
Can you clarify the line "Is it possible that the startup timing of the Cisco ACU is later than the Window's one? " . You mean start the Cisco ACU before the windows one right?
The best way to get around issues like that is to use for example the Odyssey client from Funk and turn on GINA and it should work fine.
Rgds,
Pablo -
Directory service console not able to open in a Domain Controller
Hai,
I have a 2008 domain controller. when i open the users and computer console i get the below error
data from "domain name" is not available from domain controller because: the search filter cannot be recognized. try again later, or choose another DC by selecting connect to Domain controller on the domain context menu.
what could be the issue????Pls help
thanks in advance
Thanks Chandru CT. MCITPWhen you open ADUC on windows 2008, it is trying to connect DC which is not available due to connectivity issue or DNS issue, try to connect different DC using ADUC console and see if it works.
By default, DC should connect its own ADUC when type DSA.MSC in run, if it is connecting other DC, then there is issue with the existing DC.
Verify DNS resolution is working and also might rebooting resolves your issues.
Regards
Awinish Vishwakarma
MY BLOG:
awinish.wordpress.com
This posting is provided AS-IS with no warranties/guarantees and confers no rights. -
Does Oracle 10G R2 support installation on Windows 2003 Domain Controller?
Does Oracle 10g R2 support installation on Windows 2003 Domain Controller? I remember that 10g R1 had issues with the DC? Is it still the case. Does it work now?
Any help is appreciated.
Regards,
RaghavWe have Oracle 10g R2 running on a Windows 2003 domain controller. It was not a domain controller when Oracle was installed. The domain was created after installation. (I don't recommend that procedure. I spent a long day fixing the installation after they configured the domain.) If Oracle is unhappy with being on a domain controller, it has not shown it yet.
-
Rebuilding Domain controller & Transport Routes after system refresh
I have refreshed Dev from Prdn, now my domain controller only shows single system
I have documentation but, it is confusing to me how to have QAS and Prdn join the domain controller again and show the domain as a three tier system
When I log into QAS and Prdn I still see the old 3 tier system including the domain and the other systems.
Please advise
maria
Edited by: Maria Graziano on Mar 27, 2008 3:53 PMYou don't perform backup of domain controller.
You only designate in STMS one of servers as "Backup Domain Controller"
when Primary controller fails than "Backup domain Controller" takes his role and becomes a primary.
So action to refresh domain controller is:
1. Designate one of servers as backup domain controller
2. Backup transport directory if it is on refreshed server (just in case)
3. Switch backup controller to become primary
4. Refresh primary system
5. Join refreshed system to domain
6. Switch back primary function to refreshed server
Regards,
Wojtek -
Yesterday, in my test domain, I created the KDS root key using the Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))
command on a DC that is not the PDC Emulator because it was the server I was on at the time. Today, when I tried to create gMSA accounts on the PDC emulator, I get:
Event ID 7023 The Microsoft Key Distribution Service terminated with the following error: An Exception occurred in the service when handling the control request
I turned on logging on to the KdsSvc and get 2 other errors:
KdsSvc Event ID 4001: Group Key Distribution Service failed to start. Status 0x80070020
KdsSvc Event ID 4007: Group Key Distribution Service cannot connect to the domain controller on local host. Status 0x80070020. Group Key Distribution Service cannot be started because of the error. Please contact the administrator to resolve
the issue.
I took the opportunity to clean up AD, the Schema, and DNS, but the kds errors continues. I am replicating successfully, DNS changes are reflected immediately, and when I run the get-KDSRootKey on the failing server, the key is returned. The
Get-KdsConfiguration matches the KDS config on the DC that originally ran to create the key.
I have a pretty strict GPO pushed to my DCs but I am still able to create gMSAs on the other server. I checked ADS&S and found the msKds-ProvRootKey so I know it is at the domain level, but there is so little documentation on the KdsSvc that I
am not sure if it is working as planned. I have tried unassigning several GPO configuration items but I am throwing darts at this point. I have also uninstalled McAfee AV; IDS/IPS; Firewall.
With that said, I have questions:
Will gMSAs still work even though the domain pdc emulator cannot start the service?
Is the KdsSvc supposed to start only on the server Add-KDSRootKey was originally created?
What happens if the server the KdsSvc key was created fails and has to be removed from the domain?
Is there any books or configuration items I can review to learn the KdsSvc better?
Env:
Windows Standard Server 2012 R2 x64
Active Directory 2012 R2 Schema Updated from Windows 2008 R2
All FSMO roles are on the PDC Emulator which is a Windows 2012 R2 DC
DCDiag returns no errors or test failures
Repadmin returns clean results (/showreps & /replsum)
Windows 2008 R2 Root CA hierarchy (not DCs)
W32tm services are running with less than 6/10's of a ms difference among the domain.Hi,
For Windows Server 2012, the Windows PowerShell cmdlets default to managing the group Managed Service Accounts instead of the original standalone Managed
Service Accounts.
New-ADServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group>
-ServicePrincipalNames <SPN1,SPN2,…>
Did you use the command abouve?
Here is a good bolg:
Windows Server 2012: Group Managed Service Accounts
http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
Hope this helps.
Maybe you are looking for
-
How to process the reports synchronously...
Hi, We are having a set of reports. When multiple requests are coming into the server, all the requests were maintained in the Queue and processed one after the other. Due to this many requests are starving in the queue. Is there any way to process t
-
Placing Images In Illustrator Are Blurry.
Hello I have this problem in CS5 that any type of image or line art are always blurry. All my work is for print and perhaps just the preview is blurry but I am afraid that printing will be bad. Most graphics I bring in are from Photoshop CS5. I make
-
How can i transfer video recordings, messages and contacts to computer?
Hi how can i transfer video recordings, messages and contacts to computer... please guide me through.. regards
-
Maybe this question has already been posted but I could,t find it, so: You can place a pdf in keynote, but is possible to select another page than the first one from a multi-page pdf. That would really simplify the proces of putting together a presen
-
Adding View/tab TO service Order Item Level
Hi All, I am using CRM 5.0 SP3. I need to add a new View/Tab on SERVICE ORDER at Item Level Details. This view consist of Some Custom Field (like IO Box, Drop down etc.) I have created the view but not able to understand how to add this view to the I