Restoring a Domain Controller - When other DC's are available
I'm trying to get some clarity and confidence on the proper way to restore domain controllers. Here are my questions:
1. What is the proper way to restore a domain controller into an existing forest where other domain controllers are present when you have a system state backup taken by Windows Server Backup?
1a. In this scenario - will I need to enter into DSRM mode prior to booting the server?
2. What is the proper way to restore a virtualized domain controller into an existing forest where other domain controllers are present when you have a 3rd party image based backup solution that has Hyper-V VSS writers?
2a. In this scenario - will I need to enter into DSRM mode prior to booting the server?
1. What is the proper way to restore a domain controller into an existing forest where other domain controllers are present when you have a system state backup taken by Windows Server Backup?
You can restore the DC using two possible methods:
Method 1: Do a non-authoritative restore using a system state backup. Do not do an authoritative restore so that you do not lose recent changes here.
Method 2: If the DC is an FSMO holder then seize the FSMO roles to another DC, do a metadata cleanup and then re-install the server and promote it again as a DC. If it is not an FSMO holder then simply do a metadata cleanup and then re-install the server and promote it again as a DC.
1a. In this scenario - will I need to enter into DSRM mode prior to booting the server?
Yes. You need to get inside DSRM mode to restore the DC from a system state backup.
2. What is the proper way to restore a virtualized domain controller into an existing forest where other domain controllers are present when you have a 3rd party image based backup solution that has Hyper-V VSS writers?
You can read that: http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers
Also, see that about DC cloning in Windows Server 2012 and higher: http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx
2a. In this scenario - will I need to enter into DSRM mode prior to booting the server?
You can find the details in the links I shared.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password
Similar Messages
-
Remove a domain controller when dcpromo bombs
I'm trying to demote one server in a two-server setup
I start dcpromo, it gets part way through and then bombs with an "Access is denied" error
which is b~@:!hit. I've tried this 2 or 3 times with known good passwords (see dcpromoui.log below)
So how can I fix that or delete the controller without using dcpromo
cheers
dave
============================
dcpromoui E28.638 0466 13:58:28.218 Enter DS::DemoteDC
dcpromoui E28.638 0467 13:58:28.218 Enter State::IsLastDCInDomain false
dcpromoui E28.638 0468 13:58:28.218 Enter State::IsForcedDemotion false
dcpromoui E28.638 0469 13:58:28.218 Enter State::GetAdminPassword
dcpromoui E28.638 046A 13:58:28.218 Enter State::GetAppPartitionList
dcpromoui E28.638 046B 13:58:28.218 Enter AllocateAppPartitionList
dcpromoui E28.638 046C 13:58:28.218 Calling DsRoleDemoteDc
dcpromoui E28.638 046D 13:58:28.218 lpServer : (null)
dcpromoui E28.638 046E 13:58:28.218 lpDnsDomainName : (null)
dcpromoui E28.638 046F 13:58:28.218 ServerRole : DsRoleServerMember
dcpromoui E28.638 0470 13:58:28.218 lpAccount : (null)
dcpromoui E28.638 0471 13:58:28.218 Options : 0x80
dcpromoui E28.638 0472 13:58:28.218 fLastDcInDomain : false
dcpromoui E28.638 0473 13:58:28.218 cRemoteNCs : 0
dcpromoui E28.638 0474 13:58:28.250 HRESULT = 0x00000000
dcpromoui E28.638 0475 13:58:28.250 Enter DeallocateAppPartitionList
dcpromoui E28.638 0476 13:58:28.250 Enter DoProgressLoop
dcpromoui E28.638 0477 13:58:28.250 Enter State::GetOperation DEMOTE
dcpromoui E28.638 0478 13:58:28.250 Enter ProgressDialog::UpdateButton
dcpromoui E28.638 0479 13:58:29.765 Enter ProgressDialog::UpdateText Active Directory Domain Services successfully transferred the remaining data in directory partition DC=ForestDnsZones,DC=data-action,DC=co,DC=uk to Active Directory Domain Controller \\nasbox.data-action.co.uk.
dcpromoui E28.638 047A 13:58:43.297 Enter ProgressDialog::UpdateText Stopping service NETLOGON
dcpromoui E28.638 047B 13:58:44.797 Enter ProgressDialog::UpdateText Stopping service IsmServ
dcpromoui E28.638 047C 13:58:47.797 Enter ProgressDialog::UpdateText Stopping service kdc
dcpromoui E28.638 047D 13:58:49.297 Enter ProgressDialog::UpdateText Creating a new local security account manager (SAM) database...
dcpromoui E28.638 047E 13:58:50.875 Enter ProgressDialog::UpdateText Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller nasbox.data-action.co.uk...
dcpromoui E28.638 047F 13:59:02.875 Enter ProgressDialog::UpdateText Configuring service NTDS
dcpromoui E28.638 0480 13:59:04.375 Enter ProgressDialog::UpdateText Configuring service NETLOGON
dcpromoui E28.638 0481 13:59:05.875 Enter ProgressDialog::UpdateText Configuring service DFSR
dcpromoui E28.638 0482 13:59:07.375 Enter ProgressDialog::UpdateText The attempted domain controller operation has completed
dcpromoui E28.638 0483 13:59:07.375 Enter ProgressDialog::UpdateButton
dcpromoui E28.638 0484 13:59:07.375 Progress loop complete.
dcpromoui E28.638 0485 13:59:07.375 Calling DsRoleGetDcOperationResults
dcpromoui E28.638 0486 13:59:07.375 Error 0x0 (!0 => error)
dcpromoui E28.638 0487 13:59:07.375 Operation results:
dcpromoui E28.638 0488 13:59:07.375 OperationStatus : 0x5 !0 => error
dcpromoui E28.638 0489 13:59:07.375 DisplayString : The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048A 13:59:07.375 ServerInstalledSite : (null)
dcpromoui E28.638 048B 13:59:07.375 OperationResultsFlags: 0x0
dcpromoui E28.638 048C 13:59:07.375 Enter ProgressDialog::UpdateText The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048D 13:59:07.375 Enter State::SetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048E 13:59:07.375 Enter State::SetOperationResultsFlags 0x0
dcpromoui E28.638 048F 13:59:07.375 Exception caught
dcpromoui E28.638 0490 13:59:07.375 catch completed
dcpromoui E28.638 0491 13:59:07.375 handling exception
dcpromoui E28.638 0492 13:59:07.375 Enter State::ClearHiddenWhileUnattended
dcpromoui E28.638 0493 13:59:07.375 Enter EnableConsoleLocking
dcpromoui E28.638 0494 13:59:07.375 Enter RegistryKey::Create SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
dcpromoui E28.638 0495 13:59:07.375 Enter RegistryKey::SetValue-DWORD DisableLockWorkstation
dcpromoui E28.638 0496 13:59:07.375 Enter State::SetOperationResults result FAILURE
dcpromoui E28.638 0497 13:59:07.375 Enter ProgressDialog::UpdateText
dcpromoui E28.638 0498 13:59:07.375 Enter State::IsOperationRetryAllowed
dcpromoui E28.638 0499 13:59:07.375 true
dcpromoui E28.638 049A 13:59:07.375 credentials were invalid, hr=0x80070005
dcpromoui E28.638 049B 13:59:07.375 Enter GetErrorMessage 80070005
dcpromoui E28.638 049C 13:59:07.375 Enter State::GetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 049D 13:59:07.375 Enter State::GetOperation DEMOTE
dcpromoui E28.638 049E 13:59:07.375 Enter State::GetParentDomainDnsName
dcpromoui E28.638 049F 13:59:44.469 credential retry canceled
dcpromoui E28.638 04A0 13:59:44.469 Enter ComposeFailureMessage
dcpromoui E28.638 04A1 13:59:44.469 Enter State::GetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 04A2 13:59:44.469 Enter State::GetOperationResultsFlags 0x0
dcpromoui E28.638 04A3 13:59:44.469 Enter State::GetOperationResultsFlags 0x0
dcpromoui E28.638 04A4 13:59:44.469 Enter State::SetFailureMessage The operation failed because:
The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
"Access is denied."
dcpromoui E28.638 04A5 13:59:44.469 posting message to progress window
dcpromoui E28.318 04A6 13:59:44.469 Enter ProgressDialog::UpdateText Operation Stopped
dcpromoui E28.318 04A7 13:59:44.485 Enter ProgressDialog::OnDestroy
dcpromoui E28.318 04A8 13:59:44.485 OPERATION FAILED
dcpromoui E28.318 04A9 13:59:44.485 Enter State::GetNeedsReboot false
dcpromoui E28.318 04AA 13:59:44.485 Enter State::IsOperationRetryAllowed
dcpromoui E28.318 04AB 13:59:44.485 true
dcpromoui E28.318 04AC 13:59:44.485 Enter Wizard::SetNextPageID id = 156
dcpromoui E28.318 04AD 13:59:44.485 push 142
dcpromoui E28.318 04AE 13:59:44.485 Enter FailurePage::OnInit
dcpromoui E28.318 04AF 13:59:44.485 Enter MultiLineEditBoxThatForwardsEnterKey::Init
dcpromoui E28.318 04B0 13:59:44.485 Enter ControlSubclasser::Init
dcpromoui E28.318 04B1 13:59:44.485 Enter FailurePage::OnSetActive
dcpromoui E28.318 04B2 13:59:44.485 Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04B3 13:59:44.485 Enter State::GetNeedsReboot false
dcpromoui E28.318 04B4 13:59:44.485 Enter State::GetFailureMessage The operation failed because:
The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
"Access is denied."
dcpromoui E28.318 04B5 13:59:47.876 Enter DCPromoWizardPage::OnWizNext
dcpromoui E28.318 04B6 13:59:47.876 Enter FailurePage::Validate
dcpromoui E28.318 04B7 13:59:47.876 Enter Wizard::SetNextPageID id = 154
dcpromoui E28.318 04B8 13:59:47.876 push 156
dcpromoui E28.318 04B9 13:59:47.876 Enter FinishPage::OnInit
dcpromoui E28.318 04BA 13:59:47.876 Enter MultiLineEditBoxThatForwardsEnterKey::Init
dcpromoui E28.318 04BB 13:59:47.876 Enter ControlSubclasser::Init
dcpromoui E28.318 04BC 13:59:47.876 Enter FinishPage::OnSetActive
dcpromoui E28.318 04BD 13:59:47.876 Enter State::GetNeedsReboot false
dcpromoui E28.318 04BE 13:59:47.876 Enter getCompletionMessage
dcpromoui E28.318 04BF 13:59:47.876 Enter State::GetOperation DEMOTE
dcpromoui E28.318 04C0 13:59:47.876 Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04C1 13:59:47.876 Enter NeedDsBinaryWarning
dcpromoui E28.318 04C2 13:59:47.876 Enter Computer::RemoveLeadingBackslashes
dcpromoui E28.318 04C3 13:59:47.876 Enter GetProductTypeFromRegistry
dcpromoui E28.318 04C4 13:59:47.876 Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui E28.318 04C5 13:59:47.876 Enter RegistryKey::GetValue-String ProductType
dcpromoui E28.318 04C6 13:59:47.876 LanmanNT
dcpromoui E28.318 04C7 13:59:47.876 prodtype : 0x2
dcpromoui E28.318 04C8 13:59:47.876 Enter State::GetFinishMessages
dcpromoui E28.318 04C9 13:59:59.751 Enter FinishPage::OnWizFinish
dcpromoui E28.318 04CA 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CB 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CC 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CD 13:59:59.766 Enter State::GetNeedsReboot false
dcpromoui E28.318 04CE 13:59:59.766 Enter State::GetUserCancelled false
dcpromoui E28.318 04CF 13:59:59.766 Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04D0 13:59:59.766 Enter State::GetHadNonCriticalFailures
dcpromoui E28.318 04D1 13:59:59.766 bHadNonCriticalFailures = false
dcpromoui E28.318 04D2 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D3 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D4 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D5 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D6 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D7 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D8 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D9 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DA 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DB 13:59:59.766 Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DC 13:59:59.766 exitCode = 54
dcpromoui E28.318 04DD 13:59:59.766 Enter State::UnbindFromReplicationPartnetDC
dcpromoui E28.318 04DE 13:59:59.766 closing log
This is what I decided to do. Unfortunately the metadata cleanup did not complete
Access is denied? - that sounds familiar
the server is still listed in "AD Sites and Services" (and cannot be deleted by the management snapin)
===================================================
select operation target:
select operation target:
select operation target:
select operation target: select server 1
Site - CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk
Domain - DC=data-action,DC=co,DC=uk
Server - CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-ac
tion,DC=co,DC=uk
DSA object - CN=NTDS Settings,CN=LPSERVER,CN=Servers,CN=Palatine,CN=Site
s,CN=Configuration,DC=data-action,DC=co,DC=uk
DNS host name - lpServer.data-action.co.uk
No current Naming Context
select operation target:
select operation target: quit
metadata cleanup:
metadata cleanup:
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Unable to find server reference on "CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,
CN=Configuration,DC=data-action,DC=co,DC=uk".
LDAP error 0x5e(94 (No result present in message).
The attempt to remove the FRS settings on CN=LPSERVER,CN=Servers,CN=Palatine,CN=
Sites,CN=Configuration,DC=data-action,DC=co,DC=uk failed because "Element not fo
und.";
metadata cleanup is continuing.
DsRemoveDsServerW error 0x5(Access is denied.)
metadata cleanup:
metadata cleanup: -
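As an added example (not part of the original thread and not Microsoft tooling), the Python below triages a dcpromoui.log excerpt like the one posted above: it pulls out the operation status, HRESULT, exit code and failure message and decodes the HRESULT fields. The sample lines are excerpted from the posted log; the line layout, function names and report keys are assumptions made for this example.

```python
import re

# Assumed layout, inferred from the posted log:
#   dcpromoui <context> <hex sequence> <HH:MM:SS.mmm> <message>
LINE_RE = re.compile(
    r"^dcpromoui\s+\S+\s+(?P<seq>[0-9A-Fa-f]{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s*(?P<msg>.*)$"
)
STATUS_RE = re.compile(r"OperationStatus\s*:\s*0x(?P<v>[0-9A-Fa-f]+)")
DISPLAY_RE = re.compile(r"DisplayString\s*:\s*(?P<v>.+)")
HR_RE = re.compile(r"\bhr=0x(?P<v>[0-9A-Fa-f]{8})\b")
EXIT_RE = re.compile(r"exitCode\s*=\s*(?P<v>\d+)")
PROGRESS_RE = re.compile(r"ProgressDialog::UpdateText\s+(?P<v>\S.*)")
FAILMSG_RE = re.compile(r"State::SetFailureMessage\s+(?P<v>.+)", re.S)

FACILITY_WIN32 = 7
# Only the Win32 codes that appear in this log; extend as needed.
WIN32_NAMES = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED"}


def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity, facility and code fields."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"failed": bool(value & 0x80000000), "facility": facility,
            "code": code, "win32_name": name}


def parse_records(text):
    """Return one dict per log record; unprefixed lines continue the previous one."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"seq": int(m["seq"], 16), "time": m["time"],
                            "msg": m["msg"]})
        elif records and line.strip():
            records[-1]["msg"] += "\n" + line.strip()
    return records


def triage(text):
    """Collect the fields that explain why the demotion failed."""
    report = {"operation_status": None, "display_string": None, "hresults": [],
              "exit_code": None, "progress": [], "failure_message": None}
    for rec in parse_records(text):
        msg = rec["msg"]
        m = STATUS_RE.search(msg)
        if m:
            report["operation_status"] = int(m["v"], 16)
        m = DISPLAY_RE.search(msg)
        if m:
            report["display_string"] = m["v"]
        m = HR_RE.search(msg)
        if m:
            report["hresults"].append(decode_hresult(int(m["v"], 16)))
        m = EXIT_RE.search(msg)
        if m:
            report["exit_code"] = int(m["v"])
        m = PROGRESS_RE.search(msg)
        if m:
            report["progress"].append(m["v"])
        m = FAILMSG_RE.search(msg)
        if m:
            report["failure_message"] = m["v"]
    # The Win32 status and the HRESULT should describe the same failure.
    win32_codes = [h["code"] for h in report["hresults"]
                   if h["failed"] and h["facility"] == FACILITY_WIN32]
    report["status_matches_hresult"] = report["operation_status"] in win32_codes
    return report


# Excerpt of the log posted above (selected lines only).
SAMPLE_LOG = """\
dcpromoui E28.638 047E 13:58:50.875 Enter ProgressDialog::UpdateText Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller nasbox.data-action.co.uk...
dcpromoui E28.638 0482 13:59:07.375 Enter ProgressDialog::UpdateText The attempted domain controller operation has completed
dcpromoui E28.638 0488 13:59:07.375 OperationStatus : 0x5 !0 => error
dcpromoui E28.638 0489 13:59:07.375 DisplayString : The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 049A 13:59:07.375 credentials were invalid, hr=0x80070005
dcpromoui E28.638 04A4 13:59:44.469 Enter State::SetFailureMessage The operation failed because:
The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
"Access is denied."
dcpromoui E28.318 04DC 13:59:59.766 exitCode = 54
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this excerpt the report shows that the local steps completed and the only failure is the Win32 access-denied status returned when the remote DC was asked to remove the server object, which matches the later ntdsutil output.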
Won't connect to wireless when other cpu's are connected
I apologize if this has been answered, I did look through and didn't find an answer to my issue.. Normally I have no problems connecting my MacBook with 10.4.1 to wireless internet, however, when other users in my household are on it, it will not let me connect. I have tried restarting the router, even when someone opens their laptop it will connect them and boot me off, nobody else has this problem except me. The password on the router is WPA Personal. I'm not sure if this is a problem with the router or with my computer. Thank you in advance for any help as this has been very frustrating for me!
Hi Carina,
The very first thing you need to do is get off of OS 10.4.1. (I'm assuming that's not a typo.) The current release of Tiger (OS 10.4 is 10.4.11). Run Software Update and get the latest version of Tiger, then see if your problem continues. -
Why can't the iTunes store notify me when new TV episodes are available?
Many times, I have had to purchase a TV show that isn't (yet) offered as a SeasonPass. Then, I have to check each week and buy the shows one at a time for the whole season. How difficult would it be for the iTunes store to offer a notification system telling me when a new episode is available... or, better yet, allow me to have the store automatically sell me the next episode when it is available (upgrade to Season Pass?). Apple iTunes Store is missing out on sales by not providing a simple solution to a simple problem. They already know which shows I've purchased, how tough would it be to provide some followup? --- Same holds true for when additional (previous) seasons are offered... why is the store making their customers do all the work?
Here again, Dave, I appreciate your answer...and it is probably the exact excuse that iTunes Store executives use to justify not correcting the situation. However, it too is a load of bull.
Apple has a database of the purchases of its customers. It also knows which shows were purchased on an episode basis (as opposed to a Season Pass)...generally because the show's producer didn't allow (or provide for a Season Pass for whatever reason). But again, regardless of the shows producer's "deal" with Apple regarding the show, there is NO excuse for Apple to not provide an easy mechanism for iTunes Store customers to track, and buy missing episodes. This is a win/win/win situation... the iTunes Customer, Apple, and the show's producer all get something! Don't tell me that Apple can't write an application that does this! We are not talking rocket science here. Most "sales" organizations attempt to upsell... create additional sales. Missed opportunity here.
I'm not even suggesting that the process be an "upgrade" to a Season Pass as far as pricing goes... merely a mechanical notification that additional episodes are available! This is clearly different than the "complete my album" system and would have absolutely nothing to do with the contractual relationship between Apple and the show's producers.
Again... it's too bad that Apple doesn't take these discussion comments seriously... there are substantial missed opportunities for TV show sales. Don't you guys that monitor these boards have any pull with Apple? After all, you've got almost 100k items of commentary on these boards...!!! -
Only contact Domain Controller when on a particular network
As per subject, I have a laptop joined to a domain and logging on is slow when outside the network. Obviously it is trying to contact the domain controller but fails. Can we set it to immediately use the last saved password when not within the network?
That might be the reason.
But as you could log on, the cached info worked here. The slow logon might be caused by the mapped drives, and disabling the always wait ..policy should fit this, which is not recommended when a mapped drive is in use.
Run Xperf to check the slow logon process.
http://blogs.technet.com/b/yongrhee/archive/2013/10/15/tool-windows-performance-toolkit-xperf-wprui-and-wpr-updated-version-as-of-aug-2013.aspx
Rgds -
IPAD 3 wont connect to MIFI 4620L when other wifi signals are present
I work in a large building with multiple wifi signals bouncing around. My MIFI 4620L works perfectly with all my devices everywhere except in the building in which I work (where it is most needed). Jetpack reception is good. IPAD recognizes the jetpack, but when I try to connect it either simply won't connect or it connects and disconnects in a fast repetitive cycle. Any ideas?
Hi knox99,
It's a bummer when you are having trouble using your device in the place you need it most! I'm here to work with you and get to the root cause of the issue. Please try the steps below for some troubleshooting.
Connect to any device and then navigate to 192.168.1.1 . Then, login using the password on the Mifi label. Once completed, please click on Advanced and then Settings and change the available Wi-fi Connects to one. At this point, please retest at your work location. Please let me know if you need additional assistance, thank you!
Christina B
VZW Support
Follow us on Twitter @VZWSupport -
How can I get a check box automatically checked when other check boxes are checked?
A little tongue twister there, but the attached image should clarify.
I'm trying to create a form to measure achievements. When all achievements are met/checked I want the green check box with a star to auto-check.
If not all achievements are checked, I want the orange check box to auto check...
Can I get this working by using export values?
Thanks!
I would use a custom JavaScript to count the number of check boxes whose value is not "Off" and set the final box on the result of the count.
-
Dreamweaver hangs when other CS programs are running,
If I run Dreamweaver (4 or 5.5) on its own (with no other CS programs running) it works fine; but the minute I run another CS program (InDesign for example) Dreamweaver eventually hangs and is shown as not responding in Activity Monitor.
I'm running 10.7.4, but I gave up trying to solve the issue so I uninstalled ALL my creative suite applications and re-installed. Problem solved.
-
Best Practice - knowing when excludeIn/includeIn components are available
I'm using excludeIn and includeIn with states to show/hide certain elements. What's the best practice of knowing hidden elements become available? I frequently change to a new state and set labels/dataproviders/etc. on the elements in that state. Databinding isn't always a clean solution. Right now I just have a creationComplete handler for a group that contains the changing items, but obviously this won't work if I have numerous elements spread all over the interface.
Thanks. -
Group Policy Management Console Fails to open when one Domain Controller is powered down
Hi All,
This was an accidental discovery, but here's my dilemma. I have a site with 2 domain controllers (Windows 2008 R2), and if I shut down my second domain controller, when I try to open the Group Policy Management Console on the 1st domain controller, it fails to open and I get the following error, "The specified domain either does not exist or could not be contacted" with 3 options to "retry", "choose another domain controller", or remove. If I go to choose another domain controller and select the 1st domain controller it still fails. Unless the 2nd DC is turned on, I have no issues opening the GP management console. Not sure why this is happening, I've done it in the past without issue.
Any help would be appreciated.
Thanks
Well it seems that somehow the PDC emulator is set to be the 2nd DC instead of the 1st DC on the 1st DC, which explains the failure after the 2nd DC went down. Why, or should I say how, could the PDC get switched from the primary DC without human intervention?
Does the PDC automatically switch for any reason? -
Secondary domain controller not able to connect from work stations.
We are using primary and secondary domain controllers, in which the secondary domain controller acts as a replication server. The problem occurs while accessing the secondary domain controller from workstations; I get the following error:
"The trust relationship between this workstation and the primary domain failed".
Anyone, please give us a solution.
Thank you.
Hi,
Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain.
There might be multiple reasons for this kind of behavior.
Here are a few of them:
Single SID has been assigned to multiple computers.
If the Secure Channel is Broken between Domain controller and workstations
If there are no SPN or DNS Host Name mentioned in the computer account attributes
Outdated NIC Drivers.
According to your description, the second one may be the cause of your problem.
When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required).
Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC.
If there are problems with system time, DNS configuration or other settings, secure channel’s password between Workstation and DCs may not synchronize with each other.
A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD.
Follow below link which explains typical symptoms when Secure channel broken,
Typical Symptoms when secure channel is broken
http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
For detailed information, please refer to the link below,
Troubleshooting AD: Trust Relationship between Workstation and Primary Domain failed
http://social.technet.microsoft.com/wiki/contents/articles/9157.troubleshooting-ad-trust-relationship-between-workstation-and-primary-domain-failed.aspx
Hope this helps.
Steven Lee
TechNet Community Support -
Hi,
I have successfully set up SharePoint Foundation 2013 as a single server farm with SQL Server Standard database in a DMZ environment using local accounts, since the DMZ doesn't have an Active Directory and hence domain accounts, using PowerShell as described in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller
When I run Farm configuration wizard to provision search service application, I get an error:
ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
The log file logged the details of this error as:
ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated."
After investigation, I found that potentially the error could be because the timer service is trying to set up a network share for the analytics component (as part of provisioning search). It is trying to set up that share with a domain account that happens to be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
I got some pointer from the below thread
https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
However, the above thread doesn't state that the solution worked.
I have tried creating the share manually for the Analytics_<Guid> folder but it doesn't work, since every time the farm configuration wizard is run it creates a new Analytics_<Guid> folder.
Since I have set up SharePoint Foundation 2013 on a production environment, I cannot test and trial various solutions.
Can someone please guide me on how to successfully provision search for SharePoint Foundation 2013 set up as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
Thanks in advance.
Himanshu
Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Every few days we see two dialogs with the following messages:
Dialog 1, title: Check for Licensing Compliance is Incomplete
The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller.
Dialog 2, title: Check for Licensing Compliance is Incomplete
The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliance check cannot be completed, the server will automatically shut down in 8 day(s) 23 hour(s) 0 minute(s).
The server is not (and never has been) joined to a domain or had any DC roles installed. In fact it's still connected to the default Workgroup.
The server was configured in our office and never showed this message until it was installed on site. The main difference from what I can see is that when installed on site it was given a static IP address and does not have any DNS settings in the network adapter properties.
I have scoured a number of forums on this error but in almost every other instance of this error message the servers are connected to a Domain Controller and the solutions generally are linked to dis-joining and rejoining the domain. Unfortunately this is not an option for this scenario.
I initially thought that adding some relevant DNS server IP address may resolve the issue, however, we have the exact same model server configured exactly the same running at a different site that does not experience this problem. This server also has no DNS server configured.
I have seen a post that suggests turning off the server's "Foundation Checking", but I'm unsure how to do this.
Thanks for your response Vivian.
I can confirm that this server is not (and never has been) a member of any active directory, it is configured as a Workgroup server. It was initially configured on a network that does have an active directory, but was never joined to it. During that time it never displayed these messages.
The server was moved into production on a different site and network and set up with a static IP address. The site network does have its own active directory but the server was not joined to it. It is whilst on this new network that these messages began.
Since my original post DNS servers have been added and the Microsoft activation has been verified, however, the messages are still appearing.
There are only 2 user accounts configured on this server. The local admin account and another local admin user.
The remote desktop services roles have been installed but not yet configured. I don't think that has any bearing on this scenario though.
The description of this error in the above "Introduction to Windows Server 2012 Foundation" link states:
This error occurs when the server cannot finish checking the requirements for the root domain, forest trust configuration, or both. It usually happens when the server cannot connect to a domain controller. If the situation persists, the server will shut down 10 days after the first time the compliance check failed. Each time this error message occurs, it will state the actual time remaining before the server will shut down. If you restart the server after it has shut down because of non-compliance, the server will shut itself down again in 3 days.
The above description leads me to the following question - In a Workgroup environment, does the server still try to contact a domain controller to establish a level of trust? If this is the case could it be that the server can no longer see the initial DC on its new network and this is what is triggering the messages?
Am I clutching at straws here?
-
Error finding a domain controller
Hi,
I have an error in finding a Windows domain controller when a PC boots up and performs network access via a Cisco wireless PCMCIA card (AIR PCM-352) managed by Cisco ACU.
This is the situation:
- the operating system of the PC is Windows XP sp2
- the wireless card is an AIR PCM352 with firmware V.5.60.21
- the version of ACU is 6.6.00
- the Access point is a Cisco 1120 (802.11b) with IOS version 12.3(8)JA
- wireless communication is completely open (SSID in guest mode, authentication open, no WEP)
- the ip address of the PC is obtained via DHCP (DHCP server is a Microsoft Server)
I notice a difference between a Cisco PCMCIA card 352 managed by Cisco ACU and by Windows XP.
In fact this error doesn't happen when the WLAN card is controlled by Windows wireless utility.
Is it possible that the startup timing of the Cisco ACU is later than the Window's one?
Has anyone resolved this error?
Thanks in advance
Antonio
Hi Antonio,
Obviously you get the error of the domain not found because your wireless card is not even associated (the wireless card utility hasn't started).
Can you clarify the line "Is it possible that the startup timing of the Cisco ACU is later than the Window's one?". You mean start the Cisco ACU before the Windows one, right?
The best way to get around issues like that is to use for example the Odyssey client from Funk and turn on GINA and it should work fine.
Rgds,
Pablo
-
I had a single domain controller. It has crashed. I had to create a new domain controller with all the same existing information from the old server: same domain name, server name, and IP. I'm having issues with desktops. Everything is set up on the server.
The desktops however I need to rejoin to the domain and get them to start syncing properly. But when I do this, the profile is resetting itself to a new profile. How can I keep the same profile with the same documents? Or am I out of luck on this and
have to recreate the profiles? I have had to recreate the profiles so far, but do not want to do this for about 5 computers because there is way too much software and work that will need to be involved in moving these profiles. Any shortcut for these computers
to automatically see this domain server and sync to it? Everything is identical to the old server. The old server is inaccessible.
The new server's domain name is the same, IP address is the same, and computer name is the same. AD running with all identical information. DNS installed.
Let me know if anyone has some advice on here.
There's unfortunately a lot more involved than names, domain names and IP addresses.
Most of those are linked to long numbers such as "SID"s and "GUID"s in the background that actually govern the interaction between clients and servers (authentication for one).
Without the same SIDs and GUID, I fear there will be no end to your problems.
That's why either a second domain controller or a good backup are so important.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.