Route mail and Active Directory Sites and Services configuration
Folks,
I have a problem with the internal email routing. My network is spread across various regions and the branch offices are connected together in an MPLS network (full mesh). Every region has its own Exchange Server with all roles installed, and the SMTP connection to the outside world is linked to two Exchange servers in the headquarters server farm.
The problem is that internally I often see emails going across the Exchange Servers in the branch offices where there is low bandwidth (from 3 to 5 Mbps); thus emails are sent first to these servers instead of going immediately to the Exchange server hosting the mailboxes of the intended recipients. This happens also with inbound emails.
This causes slowness in the email system and sometimes also the network with these branch offices suffers from packet loss or very high latency.
I know that Exchange is a site-aware application and uses the Active Directory topology for message routing and to communicate with the services that are running on other Exchange 2013 computers. For this reason I have checked Active Directory Sites and Services and surprisingly I have found that there are no sites, no subnets, nothing has been defined but the default settings, including the Inter-Site Transports container which contains the default DEFAULTIPSITELINK.
Apart from the fact that clients use logon servers which they are not supposed to use in the far remote offices, I am concerned about changing the Exchange infrastructure whilst the email system is running and I would like to ask your opinion about my next steps:
1) Create subnets for every office
2) Create sites and then link them to the subnets done in point 1
3) Delete the DEFAULTIPSITELINK and create new site links based on the costs (network speed) in order to determine the best routing server. I have 5 remote offices with 5 different network bandwidths, so I'll have to create 5 IP site links: high cost for a link with a slow network, low cost for a fast network.
4) (Optional) Configure the Exchange-specific cost using the Set-AdSiteLink cmdlet on the AD IP site links created previously
Apart from the valid questions on why the previous Exchange Administrator has forgotten to set up Active Directory Sites and Services (the topology)...
...and why they have chosen to install all Exchange roles on each server when there was no reason to do that (there are two servers connected to the external SMTP gateways in the headquarters, so in my opinion the Exchange Servers in the remote branch offices should have had only the Mailbox and CAS roles)...
As a matter of fact, my idea is to go further and create the sites, subnets and the IP site links. If I still notice a wrong email flow, I can configure an ad-hoc Exchange-specific cost using the Set-AdSiteLink cmdlet. Does this sound reasonable to you guys or am I taking the wrong decisions?
Thanks
Thank you very much for your link. This is exactly the page I had read just before posting my question here. It is not easy for me to understand why this has been set up this way by a Microsoft certified engineer.
There are specific rules to follow when Active Directory and Exchange are located in multiple sites and I am not a skilled Exchange Administrator... he keeps saying that it is correct and also tells me that if I go forward with my ideas there is the risk of increasing the level of complexity. I prefer more complexity to default settings and, as a consequence of those, connectivity problems!
Hopefully everything goes well. I will post my results here once I have done the changes
Regards
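The four steps in the post above, as an added worked example that is not part of the original thread. Site names, subnets, costs and the 15-minute replication interval are assumptions for illustration. Two points worth knowing before running it: in Exchange 2013 the Mailbox Transport Submission service hands new mail to a Transport service on any Mailbox server in the local AD site, so with no sites defined the whole forest is one site and a branch server is a legitimate first hop for HQ mail, which is the symptom described; and every site that will contain an Exchange server needs a writable DC/GC in it, otherwise the Exchange AD Topology service in that site will not start, so check the last Group-Object line before moving on to the Exchange part.

```powershell
# Added example, not from the original thread. Builds the topology outlined in steps 1-4:
# rename the default site to HQ, one site and subnet per branch, replace DEFAULTIPSITELINK
# with one costed hub-and-spoke link per branch, then an Exchange-specific cost on the
# slowest link. Site names, subnets and costs are assumptions. AD part: a host with the
# ActiveDirectory RSAT module; step 4 and the checks: Exchange Management Shell.
# Re-runnable: objects that already exist are skipped.
Import-Module ActiveDirectory

# Relative cost = WAN slowness. Exchange routes along the lowest total cost, so the 3 Mbps
# branch must never be cheaper to traverse than the 100 Mbps one.
$Topology = @(
    @{ Site = 'HQ';        Subnets = @('10.1.0.0/16')  }
    @{ Site = 'Branch-01'; Subnets = @('10.11.0.0/16'); LinkCost = 100 }   # 100 Mbps
    @{ Site = 'Branch-02'; Subnets = @('10.12.0.0/16'); LinkCost = 200 }   # 20 Mbps
    @{ Site = 'Branch-03'; Subnets = @('10.13.0.0/16'); LinkCost = 400 }   # 5 Mbps
    @{ Site = 'Branch-04'; Subnets = @('10.14.0.0/16'); LinkCost = 500 }   # 4 Mbps
    @{ Site = 'Branch-05'; Subnets = @('10.15.0.0/16'); LinkCost = 600 }   # 3 Mbps
)

# Every DC and Exchange server currently sits in Default-First-Site-Name; keep them there
# under a meaningful name instead of creating an empty HQ site and moving objects into it.
if ((Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'") -and
    -not (Get-ADReplicationSite -Filter "Name -eq 'HQ'")) {
    Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'HQ'
}

# Steps 1 and 2: sites first, then the subnets that map machines to them.
foreach ($loc in $Topology) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($loc.Site)'")) {
        New-ADReplicationSite -Name $loc.Site
    }
    foreach ($cidr in $loc.Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $loc.Site
        }
    }
}

# Step 3: one site link per branch with HQ on every link and no branch-to-branch links,
# so a slow branch is never on the least-cost path between two other sites.
foreach ($loc in $Topology | Where-Object { $_.LinkCost }) {
    $linkName = "HQ-$($loc.Site)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded @('HQ', $loc.Site) `
            -Cost $loc.LinkCost -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Retire DEFAULTIPSITELINK only now: a site that belongs to no site link gets no
# inter-site replication topology from the KCC.
Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false

# Check before touching Exchange: each site that will hold an Exchange server needs its
# own writable DC/GC, or the Exchange AD Topology service there will not start.
Get-ADDomainController -Filter * | Group-Object Site | Format-Table Name, Count -AutoSize

# Step 4 (Exchange Management Shell): Exchange uses the AD cost unless ExchangeCost is set.
# Override only where mail flow should differ from replication, e.g. to keep the 3 Mbps
# branch out of any fallback path.
Set-AdSiteLink -Identity 'HQ-Branch-05' -ExchangeCost 1000

# Verify: which site this machine resolves to, the effective link costs, and where the
# Exchange servers now sit.
nltest /dsgetsite
Get-AdSiteLink | Format-Table Name, Cost, ADCost, ExchangeCost, Sites -AutoSize
Get-ExchangeServer | Format-Table Name, Site, ServerRole -AutoSize
```

Run the AD part on one DC and wait for the configuration partition to replicate (or force it with repadmin /syncall) before checking site membership from the branches; nltest /dsgetsite on a branch server that still reports HQ means its subnet is missing or overlaps.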
Similar Messages
Replication with Domain and Sub domain in Active directory sites and services
I have seen many AD environments and know that when you have multiple DCs you use Active Directory Sites and Services to replicate using the NTDS Settings. If you have a domain and a sub domain do you need to do this as well, or does it sync up automatically because it's a sub domain? I see a couple of domains where the NTDS Settings aren't being used to sync with the child domain. Just wondering if that is normal or will it cause authentication errors?
Two-way transitive trusts are configured automatically when you create a child domain or tree root domain. You don't have to worry about the site/subnet or replication part, at least from the trust perspective. But make sure site names are unique in each domain.
How Domain and Forest Trusts Work
http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc730868.aspx
http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Active Directory Sites and Exchange 2013 Deployment
I've recently took over responsibility of an Exchange 2013 Organization that is deployed as follows:
Active Directory consists of 4 Sites. AD Site A, B, C, D Exchange 2013 Enterprise resides in 2 of the 4 AD Sites as follows:
AD Site A - ExchangeServer 1 and ExchangeServer 2
AD Site B - Exchange Server 3
AD Site C - No Exchange Servers
AD Site D - No Exchange Servers
All 4 AD Sites are 4 different Physical locations/datacenters. All 3 Exchange 2013 servers are multi-role servers.
The Forest in which Exchange resides in consists of an empty Root domain, a Production (child) domain and a Test (child) domain. Exchange resides in the Production (child) domain.
Issue: AD Site A contains DCs from all 3 domains: Root Domain, Production child Domain (this is where Exchange lives) and Test child Domain. I notice that Exchange in AD Site A is using DCs from the Root Domain for its "DefaultGlobalCatalog", "DefaultConfigurationDomainController" and "DefaultPreferredDomainControllers". This to me does not seem to be very efficient as any Address Book queries will have to be referred by the Root Domain DCs to the Production child domain where Exchange lives. All of the AD User accounts and mailboxes are in the Production child domain.
In a situation such as this, would it be advisable to build 2 additional AD sites specifically for Exchange? Rather than re-IP Exchange or risk the impact of moving several other (non-Exchange) servers to another AD site, I would add the IP address of the Exchange servers as /32 subnets to the new Exchange-dedicated AD Sites and erect a DC in these new sites, adding its IP address as /32 as well. Any thoughts on this idea? If the subnet that Exchange resides on is (for example) 10.60.3.0/16 in AD Site A, and I build a new AD site for Exchange and add the IP address of the Exchange server such as 10.60.3.141/32 as this new Exchange AD Site boundary, I can still leave the 10.60.3.0/16 unaffected in AD Site A, correct?
I'm looking for Microsoft's best practices in terms of laying out AD and domain controllers pertaining to Exchange Server 2013.
Hi Anthouyray,
Thank you for your question.
We could use the following command to exclude the domain controllers that belong to the root domain:
Set-ExchangeServer –Identity <exchange servername> -StaticExcludeDomainControllers <root domain controller>
Then we could restart the "Microsoft Exchange Active Directory Topology" service and check if the issue persists.
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Jim Xu
TechNet Community Support
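The check and the fix from the reply above, as an added example that is not part of the original thread. It lists the DC/GC set each Exchange server currently holds, flags those in the forest root, and applies the static exclusion only to servers in the mixed site. Domain and site names are assumptions. Two caveats the reply does not state: the exclusion list is static, so if the production-domain DCs in that site go down Exchange will not fall back to the excluded ones (keep at least two usable DC/GCs per site), and restarting MSExchangeADTopology restarts every dependent Exchange service on that server. On the /32 idea in the question: the most specific matching subnet wins, so a /32 does move one server into the new site, but that site then needs its own DC/GC, as the poster already plans.

```powershell
# Added example, not from the original thread. Exchange Management Shell on a host that
# also has the ActiveDirectory module. $RootDomain and $SiteName are assumed names.
Import-Module ActiveDirectory

$RootDomain = 'corp.example'        # empty forest root (assumed)
$SiteName   = 'SiteA'               # site where root-domain DCs are mixed in (assumed)

# FQDNs of every DC in the root domain: they hold no user objects of the production domain.
$rootDcs = @((Get-ADDomainController -Filter * -Server $RootDomain).HostName)

function Get-ExchangeDcUsage {
    # -Status populates the Current* properties from the live topology of each server.
    foreach ($srv in Get-ExchangeServer -Status) {
        $inUse = @($srv.CurrentDomainControllers) + @($srv.CurrentGlobalCatalogs) +
                 @($srv.CurrentConfigDomainController) | ForEach-Object { "$_" }
        [pscustomobject]@{
            Server             = $srv.Name
            Site               = $srv.Site.Name
            ConfigDC           = "$($srv.CurrentConfigDomainController)"
            RootDomainDCsInUse = (($inUse | Where-Object { $rootDcs -contains $_ } | Sort-Object -Unique) -join ', ')
            StaticExcludes     = (($srv.StaticExcludeDomainControllers | ForEach-Object { "$_" }) -join ', ')
        }
    }
}
Get-ExchangeDcUsage | Format-Table -AutoSize

# Apply the reply's fix only where it matters, one server at a time (the service restart
# takes every dependent Exchange service on that server down with it).
Get-ExchangeServer | Where-Object { $_.Site.Name -eq $SiteName } | ForEach-Object {
    Set-ExchangeServer -Identity $_.Name -StaticExcludeDomainControllers $rootDcs
    Invoke-Command -ComputerName $_.Fqdn -ScriptBlock { Restart-Service MSExchangeADTopology -Force }
}
Get-ExchangeDcUsage | Format-Table -AutoSize   # RootDomainDCsInUse should now be empty
```

Note that any global catalog, root-domain or not, carries a partial replica of every object in the forest, so GC lookups themselves are not referred; the exclusion mainly changes which DCs answer full domain queries and serve as configuration DC.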
Routing issue between two satellites sites and one central hub
Hi,
I have 3 AD sites with one Exchange 2010 Hub/CAS/Mailbox server in each site.
One of these sites (site A) is the central hub and the two other sites (B and C) are two satellites of site A.
There is no connectivity between sites B and C, only connectivity between A and B, and between A and C.
When I send a mail from site B to site C, Exchange tries to deliver the mail directly to site C and doesn't pass through site A to deliver it to site C; some mail stays in the queue in site B, and the queue is in retry.
I flagged site A as a hub site.
The site topology is correct and the costs too.
Can someone help me??
Thanks
What are your AD costs between A, B and C?
In Exchange 2010, each message recipient is always associated with only one Active Directory site, and there is only one least-cost routing path from the source Active Directory site to the destination Active Directory site. If the least-cost routing path to the primary site contains any hub sites, the message must be routed through the hub sites.
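A worked illustration of the rule in the reply above, added here and not part of the original thread: a small least-cost path calculation over AD site links with Exchange's hub-site rule applied afterwards. It shows why A is bypassed as soon as B and C are adjacent at a cost below the B-A-C total, and a DEFAULTIPSITELINK that still lists all three sites makes them adjacent exactly like that. Site names, costs and the function are illustrative; Exchange's tie-breaking for equal-cost paths (fewest hops, then site name) is not modelled.

```powershell
# Added example, not from the original thread. Toy least-cost routing over AD site links
# plus the hub-site rule. Topologies below are constructed; the last two lines read the
# real site links from the Exchange Management Shell.
function Get-LeastCostRoute {
    param(
        [Parameter(Mandatory)] [hashtable[]] $SiteLinks,   # @{ Sites = @('A','B'); Cost = 10 }
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To,
        [string[]] $HubSites = @()
    )
    # A site link with N sites is a full mesh of N sites at that link's cost, which is
    # exactly how a DEFAULTIPSITELINK containing every site behaves.
    $adj = @{}
    foreach ($link in $SiteLinks) {
        foreach ($s in $link.Sites) {
            if (-not $adj.ContainsKey($s)) { $adj[$s] = @{} }
            foreach ($t in $link.Sites) {
                if ($t -eq $s) { continue }
                if (-not $adj[$s].ContainsKey($t) -or $link.Cost -lt $adj[$s][$t]) { $adj[$s][$t] = $link.Cost }
            }
        }
    }
    # Dijkstra with a strict "less than": the first path found at a given cost is kept.
    $dist = @{ $From = 0 }; $prev = @{}; $done = @{}
    while ($true) {
        $u = $dist.Keys | Where-Object { -not $done[$_] } | Sort-Object { $dist[$_] } | Select-Object -First 1
        if ($null -eq $u) { break }
        $done[$u] = $true
        if (-not $adj.ContainsKey($u)) { continue }
        foreach ($v in $adj[$u].Keys) {
            $alt = $dist[$u] + $adj[$u][$v]
            if (-not $dist.ContainsKey($v) -or $alt -lt $dist[$v]) { $dist[$v] = $alt; $prev[$v] = $u }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }   # no path at all: mail stays queued
    $path = @($To)
    while ($prev.ContainsKey($path[0])) { $path = @($prev[$path[0]]) + $path }
    # Hub-site rule: a hub ON the least-cost path is a mandatory relay; hubs off it are ignored.
    $relays = @()
    if ($path.Count -gt 2) { $relays = @($path[1..($path.Count - 2)] | Where-Object { $HubSites -contains $_ }) }
    $nextHop = if ($relays.Count -gt 0) { $relays[0] } else { $To }
    [pscustomobject]@{ Path = ($path -join ' > '); Cost = $dist[$To]; NextHop = $nextHop }
}

# Constructed topology 1: only A-B and A-C links. B -> C must go via A (cost 20).
$links = @(
    @{ Sites = @('A', 'B'); Cost = 10 },
    @{ Sites = @('A', 'C'); Cost = 10 }
)
Get-LeastCostRoute -SiteLinks $links -From 'B' -To 'C' -HubSites 'A'   # Path B > A > C, NextHop A

# Constructed topology 2: same, plus a leftover link that still contains all three sites.
# B and C are now adjacent at 15 < 20, so A is not on the path and the hub flag does nothing:
# B opens SMTP to C directly, which is the retry-queue symptom described above.
$links += @{ Sites = @('A', 'B', 'C'); Cost = 15 }
Get-LeastCostRoute -SiteLinks $links -From 'B' -To 'C' -HubSites 'A'   # Path B > C, NextHop C

# Real data: Cost already reflects ExchangeCost where one is set; hubs come from Get-AdSite.
$realLinks = Get-AdSiteLink | ForEach-Object { @{ Sites = @($_.Sites | ForEach-Object { $_.Name }); Cost = [int]$_.Cost } }
Get-LeastCostRoute -SiteLinks $realLinks -From 'B' -To 'C' -HubSites @(Get-AdSite | Where-Object HubSiteEnabled | ForEach-Object Name)
```

If the real-data call reports B > C while the network has no B-C connectivity, look for the site link that lists both B and C (Get-AdSiteLink | Where-Object { $_.Sites.Count -gt 2 }) and either remove B or C from it or raise its cost above the B-A-C total.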
Apple Mail Server and Active Directory
Has anyone had any luck in using Active Directory (2003) as the directory service with an Apple Mail Server? We're testing it out, but we're unable to enable mail services for users on the Mac server.
If anyone has tried this and can offer up some tips, I'd be grateful!
Dell Latitude D620 Other OS
Me too!
I also discovered that Mac users who have valid accounts in AD 2003 can't have an email account in WGM enabled for them (WGM acts like it's enabling email but then reverts back to "disabled"). I assume the account must be configured in the Active Directory Users and Computers admin tool before it can be enabled in WGM on the OS X email server, but I haven't had any luck getting it to work yet.
The user and the mailbox are in different Active Directory Sites
Hi All,
I have 2 sites, each site has an Exchange Server 2010 SP1; let's say site HQ and site DRC. I monitor them with SCOM 2007 R2; site HQ is successfully monitored, then I continued trying to monitor the DRC site. I executed new-TestCasConnectivityUser.ps1 on the MBX at the DRC site to create the extest user.
Then I tried to execute a command to test connectivity, but it failed.
Test-OwaConnectivity -TestType:Internal -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true | fl
RunspaceId : 6b709fa5-0719-4be5-ae62-ec4b3617a6e0
AuthenticationMethod :
MailboxServer : CONMBX02.contoso.com
LocalSite : CONMBX02.contoso.com
SecureAccess : False
VirtualDirectoryName :
Url :
UrlType : Unknown
Port : 0
ConnectionType : Plaintext
ClientAccessServerShortName : DRCCAS01
LocalSiteShortName : CONMBX02
ClientAccessServer : DRCCAS01.contoso.com
Scenario : Reset Credentials
ScenarioDescription : Reset automated credentials for the Client Access Probing Task user on Mailbox server CONMBX02.contoso.com.
PerformanceCounterName :
Result : Failure
Error : [Microsoft.Exchange.Monitoring.CasHealthStorageErrorException]: An error occurred while trying to access mailbox CONMBX02.contoso.com, on behalf of user contoso.com\extest_xxxxxxxx
Additional information:
[Microsoft.Exchange.Data.Storage.WrongServerException]: The user and the mailbox are in different Active Directory sites..
UserName : extest_xxxxxxxx
StartTime : 04/01/2012 20:46:19
Latency : 00:00:00.0156460
EventType : Error
LatencyInMillisecondsString :
Identity :
IsValid : True
WARNING: No Client Access servers were tested.
RunspaceId : 6b709fa5-0719-4be5-ae62-ec4b3617a6e0
Events : {Source: MSExchange Monitoring OWAConnectivity Internal
Id: 1005
Type: Error
Message: Couldn't access one or more test mailboxes.
The service that is being tested will not run against these mailboxes.
Detailed information:
Local Site:DRCProduction
[Microsoft.Exchange.Monitoring.CasHealthStorageErrorException]: An error occurred while trying to access mailbox CONMBX02.contoso.com, on behalf of user contoso.com\extest_xxxxxxxx
Additional information:
[Microsoft.Exchange.Data.Storage.WrongServerException]: The user and the mailbox are in different Active Directory sites..
PerformanceCounters : {Object: MSExchange Monitoring OWAConnectivity Internal
Counter: Logon Latency
Instance: DRCCAS01.contoso.com|DRCProduction
Value: -1000}
any help appreciate it.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Krisna Ismayanto | My blogs:
Krisna Ismayanto | Twitter: @ikrisna
Hi
Removed existing test account on two site.
Then created test account on DGC through new-TestCasConnectivityUser.ps1.
Flushed Health Service on RMS.
Terence Yu
TechNet Community Support
Hi
What do you mean by DGC? Do you mean I have to remove both test accounts, or just the one at the DRC site?
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Krisna Ismayanto | My blogs:
Krisna Ismayanto | Twitter: @ikrisna
I have a two site DAG, and the command is running from the alternate site where the databases are not currently being hosted. The following command...
Test-OutlookConnectivity -Protocol:TCP -TrustAnySSLCert:$true -MonitoringContext:$true
...errors with the following output:
An error occurred while trying to access mailbox CurrentlyHostingMBServerName.InternalDomainName, on behalf of user InternalDomainName\extest_bb13200232474
Additional information:
[Microsoft.Exchange.Data.Storage.WrongServerException]: The user and the mailbox are in different Active Directory sites..
+ CategoryInfo : OperationStopped: (Microsoft.Excha...onnectivityTask:TestOutlookConnectivityTask) [Test-OutlookConnectivity], CasHealthStorageErrorException
+ FullyQualifiedErrorId : F2F8AC0D,Microsoft.Exchange.Monitoring.TestOutlookConnectivityTask
I thought this command would work based on the 'AllowCrossSiteRpcClientAccess: True' option on the DAG. The command works well if run on a CAS server in the active DB site.
Hi,
Exchange 2013 users use Outlook Anywhere to connect to CAS server. You may run the RCA to test the connectivity:
https://www.testexchangeconnectivity.com/
Thanks,
Simon Wu
TechNet Community Support
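Both threads above fail on the same condition: the extest_ mailbox the probe picks is hosted on a Mailbox server (or, for a DAG, the server holding the active copy) in a different AD site from the Client Access server under test. The check below, added here and not part of either thread, surfaces that before the test runs. It is written for the Exchange 2010 Management Shell; the server name passed at the end is an example.

```powershell
# Added example, not from the original threads. For each extest_ mailbox, find the server
# that currently mounts its database and compare that server's AD site with the CAS's site.
function Get-TestMailboxSiteMismatch {
    param([Parameter(Mandatory)] [string] $ClientAccessServer)
    $casSite = (Get-ExchangeServer -Identity $ClientAccessServer).Site.Name
    Get-Mailbox -Filter 'Name -like "extest_*"' | ForEach-Object {
        # ServerName is the server currently mounting the database. In a DAG that is the
        # active copy, which is why the probe breaks from the passive site after a switchover.
        $db      = Get-MailboxDatabase -Identity $_.Database
        $mbxSite = (Get-ExchangeServer -Identity $db.ServerName).Site.Name
        [pscustomobject]@{
            TestUser     = $_.Name
            Database     = $db.Name
            ActiveServer = $db.ServerName
            MailboxSite  = $mbxSite
            CasSite      = $casSite
            SameSite     = ($mbxSite -eq $casSite)
        }
    }
}

Get-TestMailboxSiteMismatch -ClientAccessServer 'DRCCAS01' | Format-Table -AutoSize
```

If no row for the CAS's site shows SameSite = True, either create a test mailbox in that site by running new-TestCasConnectivityUser.ps1 on a Mailbox server there (the approach in the first thread), or, for the DAG case, run the probe against a CAS in the site that currently holds the active copies.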
AADSync and Azure Active Directory Device Registration Service
Now I try to implement Azure Active Directory Device Registration Service with AADSync.
According to step-by-step guide, it has to execute "Enable-MSOnlineObjectManagement" cmdlet.
Step-by-Step Guide for On-premises Conditional Access using Azure Active Directory Device Registration Service
https://msdn.microsoft.com/en-us/library/azure/dn788908.aspx
Unfortunately, AADSync doesn't have "Enable-MSOnlineObjectManagement", and I can't find a similar cmdlet.
I'm looking for a cmdlet for device object synchronization.
Does anyone know an alternate cmdlet?
Hi,
Thanks for your post.
You need to use the command import-module DirSync in PowerShell, then run the command "get-command -m Microsoft.Online.Coexistence.PS.Config"; you will find the cmdlet "Enable-MSOnlineObjectManagement".
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Windows 2008 Server - Cannot run Active Directory Users and Computers
Hi,
I am running Windows 2008 Server with latest windows updates installed. Directory Services Role also.
I attempt to open Active Directory Users and Computers tool and I get a;
Microsoft Visual C++ Runtime Library error;
"The Application has requested the runtime to terminate it in a unusual way. Please contact the application's support team for more information"
I click ok, then get the following debug info;
Problem signature:
Problem Event Name: APPCRASH
Application Name: mmc.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47919524
Fault Module Name: msvcrt.dll
Fault Module Version: 7.0.6001.18000
Fault Module Timestamp: 4791ad6b
Exception Code: 40000015
Exception Offset: 0000000000029b06
OS Version: 6.0.6001.2.1.0.272.7
Locale ID: 3081
Additional Information 1: 43aa
Additional Information 2: cf3a46656318492c1997480001b6b0e0
Additional Information 3: 3837
Additional Information 4: 92f72e0d0589ff77cef51e0a413aeff6
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
If someone could please assist, it would be very much appreciated.
Regards
B
Hi,
To solidly troubleshoot this kind of issue, we need to debug dump file. A suggestion would be to contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
However, I am also glad to share my research.
Some third party applications may lead to this error. Please check if you install other third party applications on Windows server 2008?
Also, please follow the article below to perform necessary steps to see how it's going?
FIX: You receive an "invalid page fault in module MSVCRT.DLL" error message after you install the run-time libraries from Visual C++ 6.0
http://support.microsoft.com/kb/190536/en-us
Hope this helps.
Best wishes
Morgan Che
Active directory users and computers wont start on a dc, "the server is not operational"
In our environment, we have 3 dc's
two which run server 2008 (they work perfectly)
and one newer branch DC that runs Server 2008 R2.
We have been having some problems where we feel the replication isn't up to speed (stuff could take up to 24 hours to replicate) and now when I tried opening Active Directory Users and Computers I am met with this error window:
We have a third-party DNS solution.
How do I troubleshoot this issue?
dc01 (which replicates perfectly with dc02, and vice versa)
dcdiag /test:dns
C:\Users\adminuser>dcdiag /test:dns
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Hostingpartner\ourdc01
Starting test: Connectivity
......................... ourDC01 passed test Connectivity
Doing primary tests
Testing server: Hostingpartner\ourdc01
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : int
Running enterprise tests on : int.domain.com
Starting test: DNS
Test results for domain controllers:
DC: ourdc01.int.domain.com
Domain: int.domain.com
TEST: Delegations (Del)
Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
Summary of test results for DNS servers used by the above domain controllers:
DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
2 test failures on this DNS server
Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: int.domain.com
ourdc01 PASS PASS PASS FAIL n/a PASS n/a
......................... int.domain.com failed test DNS
dcdiag on dc01(which can replicate with dc02)
C:\Users\adminuser>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: hostingpartner\ourdc01
Starting test: Connectivity
......................... OURDC01 passed test Connectivity
Doing primary tests
Testing server: hostingpartner\ourdc01
Starting test: Replications
[Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
Win32 Error 8453.
......................... OURDC01 failed test Replications
Starting test: NCSecDesc
......................... OURDC01 passed test NCSecDesc
Starting test: NetLogons
[OURDC01] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... OURDC01 failed test NetLogons
Starting test: Advertising
......................... OURDC01 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... OURDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... OURDC01 passed test RidManager
Starting test: MachineAccount
......................... OURDC01 passed test MachineAccount
Starting test: Services
......................... OURDC01 passed test Services
Starting test: ObjectsReplicated
......................... OURDC01 passed test ObjectsReplicated
Starting test: frssysvol
......................... OURDC01 passed test frssysvol
Starting test: frsevent
......................... OURDC01 passed test frsevent
Starting test: kccevent
......................... OURDC01 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:50
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:10:56
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:11:17
(Event String could not be retrieved)
......................... OURDC01 failed test systemlog
Starting test: VerifyReferences
......................... OURDC01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : int
Starting test: CrossRefValidation
......................... int passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... int passed test CheckSDRefDom
Running enterprise tests on : int.domain.com
Starting test: Intersite
......................... int.domain.com passed test Intersite
Starting test: FsmoCheck
......................... int.domain.com passed test FsmoCheck
The problematic dc03:
Dcdiag gives the same output as dcdiag /test:dns
C:\Users\adminuser>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = OURDC03
Ldap search capabality attribute search failed on server NTSDC03, return value = 81
We have an Infoblox DNS server on IP address xxx.y.y.251.
first error in event logs on dc03:
error 1863
This is the replication status for the following directory partition on this directory server.
Directory partition:
CN=Configuration,DC=int,DC=domain,DC=com
This directory server has not received replication information from a number of directory servers within the configured latency interval.
Latency Interval (Hours):
24
Number of directory servers in all sites:
2
Number of directory servers in this site:
2
The latency interval can be modified with the following registry key.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
I have also got several warnings 2088, 2093, 2087.
And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones
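A read-only health pass that answers what the dcdiag output and the 1863 event above leave open, added here and not part of the original post: whether dc03 even answers LDAP and RPC (dcdiag's "return value = 81" is LDAP_SERVER_DOWN), which partner/partition pairs have stopped replicating and since when, and what the third-party DNS returns for the two sub-zones whose delegations were flagged. Host names are the poster's placeholders. Run it elevated as a Domain Admin; the NetLogons failure above ("User credentials does not have permission") is what an under-privileged dcdiag run looks like.

```powershell
# Added example, not from the original post. Nothing here changes anything.
$dcs    = 'ourdc01.int.domain.com', 'ourdc02.int.domain.com', 'ourdc03.int.domain.com'
$dnsSrv = 'xxx.y.y.251'        # the Infoblox server named in the post

function Test-TcpPort([string] $Server, [int] $Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, $Port); $true } catch { $false } finally { $client.Close() }
}

# 1. Can each DC be reached on the ports replication depends on, and which site does it
#    place itself in? A DC that resolves to no site has a subnet/DNS problem, not just latency.
$reach = foreach ($dc in $dcs) {
    [pscustomobject]@{
        DC      = $dc
        Ldap389 = Test-TcpPort $dc 389
        Rpc135  = Test-TcpPort $dc 135       # AD replication is RPC; closed 135 = no replication
        Site    = (nltest "/server:$dc" /dsgetsite 2>$null | Select-Object -First 1)
    }
}
$reach | Format-Table -AutoSize

# 2. Replication state from every DC's point of view: partner pairs with failures, oldest first.
#    This names the partners that event 1863 only counts.
repadmin /showrepl * /csv 2>$null | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Sort-Object 'Last Success Time' |
    Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures',
                 'Last Success Time', 'Last Failure Status' -AutoSize

# 3. The command the 1863 event itself suggests, for the partition it named (run on dc03).
repadmin /showvector /latency "CN=Configuration,DC=int,DC=domain,DC=com"

# 4. Delegations: DomainDnsZones/ForestDnsZones must be delegated to servers that host them
#    (the DCs) or not delegated at all. Stale NS records in a third-party parent zone give
#    exactly the "Broken delegated domain" result above. Compare both answers.
foreach ($zone in 'domaindnszones.int.domain.com', 'forestdnszones.int.domain.com') {
    nslookup -type=NS $zone $dnsSrv 2>$null
    nslookup -type=NS $zone ourdc02.int.domain.com 2>$null
}
dcdiag /test:DNS /DnsDelegation /v
```

If step 1 shows dc03 closed on 389 and 135 from the other DCs, the 1863/2087/2088 events are a consequence, not the cause; fix reachability (firewall, or the DC registering the wrong address in Infoblox) before chasing replication. If the DCs have been out of sync longer than the tombstone lifetime, stop here and treat it like the 2042 case further down this page rather than forcing replication.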
10.4.6 and Active Directory Problem - Volume cannot be found??
I have bound six 10.4.6 Macs to Active Directory. All went sweet with no problems. I have "force local home folder" off in Directory Access for AD. I can log in to the Mac no problem using any user account from AD. If I log in with a user the first time all goes well. The desktop icons show and the home directory is that of the user's network home folder and I can browse it. All good until I log out and log in again. I get the desktop icons but the user's home directory gives the error "The Volume for %username% Cannot be found" when trying to access it. I can browse the network to the user home folder without having to authenticate. The server (2003) shows no login errors; all looks fine. I have upgraded one Mac to 10.4.7 but it made no difference.
I have installed "services for Mac and Appletalk" on the server but from what I have been told this shouldn't need to be installed but I did as I was getting no where anyway.
Any ideas?
PowerPC Mac OS X (10.4.6)
Hi Chris!
Before I comment, I want to define a couple of things. A "Mac home folder" stores a user's files (Documents, Library, etc.). This home folder can be stored locally on the workstation or it can be stored on a server. A "Windows home folder" is defined in a user's Active Directory account and can be used as the Mac home folder or simply as a network user folder for storage.
While the idea of a network-based Mac home folder is nice, it can be clunky simply because the entire user experience is dependent on network speed and/or good file synchronization between your server and workstation. As someone who works in a group supporting about 300 Macs, I suggest enabling local home folders and not using a network-based Mac home folder.
Next, File Services for Macintosh (AFP protocol) built into Windows Server will not support network-based Mac home folders. This is a dead end. You can install a third party product from Group Logic called ExtremeZ-IP, which does support network-based home folders over AFP.
Therefore, what's happening in your network is that the network-based Mac home folders are being mounted via the SMB protocol, which uses Windows style file sharing. SMB in Mac OS X is good for limited use but I wouldn't recommend it for extensive use, which would include network-based Mac home folders.
Here's what I suggest for your AD settings: 1.) Enable local home folders. 2.) Connect via SMB. This will keep your users' Mac home folders local to the machine but if their Windows network home folder is properly defined in their AD account settings then these should automatically mount on the Desktop via SMB at login.
If you can get your Windows home folders to mount automatically on the users' Desktops then you can experiment with synchronization. After logging in, each user can visit Apple menu --> System Preferences... --> Accounts and the synchronization options will be available. A user can synchronize all or part of his local Mac home folder to his mounted Windows home folder.
Hope this helps! bill
1 GHz Powerbook G4 Mac OS X (10.4.7)
DNS and Active Directory error 4000 server 2008
Hello all,
My network skills aren't very good and I'm facing a dilemma. First off we have two Windows servers on the network. The newest is 2008 Standard (named Vader) and the other is 2000 (dells3). Obviously I'd like to get rid of the 2000, but the people in charge
of my budget haven't given me the option to do so and it's the only back up we have.
Earlier in the week we had lots of problems. One of our NAS boxes locked everyone out who was mapped to it and it would only let me log in through the web portal. Two of the Macs that our marketing department uses suddenly locked up and wouldn't let them back in (both were part of the Active Directory). A second NAS box won't let certain people map to it and for a while I had issues logging into Vader itself.
I believe all of these problems are connected to some issues on Vader and possibly in conjunction with dells3. In Server Manager under DNS I get error 4000 "The DNS server was unable to open Active Directory.
This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."
Then under Active Directory Domain Services I get error 2042 "It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded
the tombstone lifetime. Replication has been stopped with this source."
Followed by more text I can post if needed.
Under File Services error 1202 "The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the
next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues."
And finally if I try to open Active Directory Domains and Trusts "The configuration information describing this enterprise is not available. The server is not operational."
I'm not sure where to start or what to post that might help. Any and all help is appreciated.
Edit: Also I can only add dells3 as the DNS server on Vader in the DNS Manager; if I try to add Vader to itself I get an error.
It's the other way around. Overall, I'm advising ripping the 2008 server out of AD and adding it back. Let's look at this as a series of steps:
1.) You do a forced demotion of the 2008 server because it's tombstoned. This means the 2008 server is no longer a DC. You are doing a forced demotion because it doesn't have the ability to replicate. If it could replicate, we'd just do a graceful demotion and be done with it.
2.) Once the 2008 server is demoted, we go to the 2000 server which holds the only good copy of AD. From that server we run a metadata cleanup using the ntdsutil utility. We use that utility to clean out references to the 2008 server which is no longer a DC.
3.) Once you have a clean AD, you can then promote the 2008 server back into Active Directory. Make sure Vader is pointing to Dells3 as its primary DNS server before promoting or you'll run into issues.
Hopefully that clarifies things.
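The three steps in the reply above as the commands actually typed, added here and not part of the original thread. Server names are from the thread; the domain, the site name in the DN and Dells3's IP address are assumptions. One practical wrinkle the reply skips: the Windows 2000 ntdsutil on Dells3 only offers the menu-driven "select operation target" dialog for metadata cleanup, so the one-liner below is run from Vader after step 1 (its Server 2008 ntdsutil accepts "remove selected server <DN>") while pointed at Dells3, which holds the good copy.

```powershell
# Added example, not from the original thread. Names and the DN are assumptions.
$Dells3Ip  = '192.0.2.10'                                   # assumed
$VaderNtds = 'CN=VADER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local'

# Step 1, on Vader: forced demotion. /forceremoval skips telling the other DCs, which is
# the only option once event 2042 (tombstone lifetime exceeded) has stopped replication.
dcpromo /forceremoval

# Step 2, on Vader after step 1 (AD DS binaries are still installed), against Dells3:
# remove every reference to VADER as a DC from the surviving copy of the directory.
ntdsutil "metadata cleanup" "connections" "connect to server dells3" "quit" `
         "remove selected server $VaderNtds" "quit" "quit"

# Leftovers the cleanup can miss; remove them on Dells3 before re-promoting:
#   - the VADER computer account under OU=Domain Controllers,
#   - VADER's SRV records under _msdcs and its A record in the domain zone,
#   - the VADER member object of the SYSVOL FRS replica set.

# Step 3, on Vader: DNS must point at Dells3 only, and the DC locator records must name
# only dells3, before dcpromo. Promoting while Vader still resolves itself as a DC is the
# "issues" the reply warns about.
netsh interface ip set dns "Local Area Connection" static $Dells3Ip
ipconfig /flushdns
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.local $Dells3Ip   # must list dells3 only
dcpromo
```

Take a System State backup of Dells3 before step 2; after the cleanup it is the single copy of the directory until Vader has re-promoted and replicated.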
How to create "folders" in Active Directory Users and Computers?
Hello Community
In Windows Server 2008R2 when you go to Active Directory Users and Computer
you will see icons of folders such as:
- Builtin has a folder icon
- Computers has a folder icon
- ForeignSecurityPrinicpals has a folder icon
- Domain Controller as a folder icon
- Managed Service Accounts has a folder icon
- Users has a folder icon
All of the above folders are visually identical.
If you right click and select “File” – “New”
on any of the selections the icon
will not look like the folder icon they have their own icons which look different
from the "Folder" icon.
I would like to create a “Folder” that looks just visually exactly like the ones
mentioned above, how can I create those types of Folders in Active Directory User
and Computers?
Note: I would like to put users in the folders.
Thank you
Shabeaut
Hi,
You should use OUs (an OU is the type of object (folder) that is available for you to easily create).
The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
Refer: Delegating Administration by Using OU Objects
http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx
and the sub-articles:
Administration of Default Containers and OUs
http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
Delegating Administration of Account and Resource OUs
http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
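Added example, not code from the thread: creating the OU that the reply recommends (instead of a container) and moving users into it with the ActiveDirectory module from RSAT. The OU name 'Sales' and the Department filter are example values; the domain DN is read from the environment.

```powershell
# Added example (not from the thread): create an OU, the "folder" type the reply
# recommends over a container, and move users into it. OU name and the
# Department value are examples; the domain DN comes from the environment.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Sales'                   # example OU name
$ouDn     = "OU=$ouName,$domainDn"

# Create the OU if it is missing. New-ADOrganizationalUnit sets
# ProtectedFromAccidentalDeletion by default, so a stray right-click
# delete does not take the users inside it down with it.
try   { $ou = Get-ADOrganizationalUnit -Identity $ouDn }
catch { $ou = $null }
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
              -Description 'Sales staff (example)' -PassThru
}

# Move the users that belong in this OU out of the default Users container.
# Department is the example selection attribute; adjust the filter as needed.
$users = Get-ADUser -Filter 'Department -eq "Sales"' -SearchBase "CN=Users,$domainDn"
foreach ($u in $users) {
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $ouDn
}

# Show what ended up in the new OU; unlike a container, this OU can now
# carry its own GPO links and delegated permissions.
Get-ADUser -Filter * -SearchBase $ouDn | Select-Object SamAccountName, DistinguishedName
```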
Not able to open active directory user and computer in windows server 2008r2
Hi All techies,
I would like to know about one issue which I am facing mostly. I have created 5 virtual machines, all with Windows Server 2008 R2, and one Windows 7 on VMware. Now whenever I start my virtual machines everything goes right, but when I try to open Active Directory Users and Computers or Domains and Trusts I get the following error: "data from active directory user and computers is not available from dc(null) bcoz unspecified error". Even when I check the event log it gives me no help, and after 15-30 min everything works well.
Please let me know the cause of it and really appreciate it .
Thanks
Atul
You need to ensure that
1. the group policy "wait for network before logon" is applied to all computers, including servers and workstations
2. a DNS record exists for all DCs in DNS
3. if there are multiple Domain Controllers in the forest, they point to them as secondary DNS servers. This way they will be able to resolve IPs if the local DNS server service takes time to start.
As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
- Sarvesh Goel - Enterprise Messaging Administrator -
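An added PowerShell check, not code from either reply: it tests the three conditions listed above (wait-for-network policy, DNS server order, SRV records for every DC) and, for the demotion thread earlier on this page, that a host's first DNS server is the intended DC (the "Vader must point at Dells3" step). It assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later); domain and DC names are passed in by the caller.

```powershell
# Added example (not from the thread): checks the three conditions in the reply
# above and, for the demotion thread, that this host's primary DNS is the intended DC.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later).
param(
    [string]$Domain        = $env:USERDNSDOMAIN,  # e.g. contoso.local (example)
    [string]$PrimaryDc     = '',                  # e.g. 'dells3' to require it as first DNS server
    [string[]]$ExpectedDcs = @()                  # DC host names that must publish SRV records
)
$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. "Always wait for the network at computer startup and logon" sets SyncForegroundPolicy=1
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wait = (Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
Add-Check 'Wait for network policy' ($wait -eq 1) "SyncForegroundPolicy=$wait"

# 2. DNS client order on every adapter with a gateway: at least two servers, and
#    optionally the first one resolves to the DC we expect (the Vader/Dells3 case).
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DefaultIPGateway }
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    Add-Check "DNS servers on $($nic.Description)" ($servers.Count -ge 2) ($servers -join ', ')
    if ($PrimaryDc) {
        $primaryIp = @(Resolve-DnsName -Name $PrimaryDc -Type A -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'A' }).IPAddress
        Add-Check "Primary DNS is $PrimaryDc" ($servers.Count -gt 0 -and $primaryIp -contains $servers[0]) "first server: $($servers[0])"
    }
}

# 3. Every DC registers _ldap._tcp.dc._msdcs.<domain>; collect the host names found
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$registered = @($srv | Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object { $_.NameTarget.Split('.')[0].ToLower() })
Add-Check 'DC SRV records present' ($registered.Count -gt 0) ($registered -join ', ')
foreach ($dc in $ExpectedDcs) {
    Add-Check "SRV record for $dc" ($registered -contains $dc.ToLower()) ''
}

$results | Format-Table -AutoSize
```

Run it on a member server or DC as `.\Check-DcDns.ps1 -PrimaryDc dells3 -ExpectedDcs dells3,vader`; any row with Pass = False points at one of the three causes in the reply.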
Active Directory Users and Computer not displaying column data?
I am running Windows 8.1 Enterprise with RSAT installed. My Domain controllers are Server 2008 R2.
I am having an issue with Active Directory Users and Computers. Typically I will turn on Advanced Features and then add columns for Email address and Display Name. This for example allows me to easily export lists of users and their email addresses, among other things.
The issue is that on my Windows 8.1 client, the columns for Email and Display Name are empty. It simply will not display this information. It only displays Name, Type and Description.
If I use a Windows 7 client, the information displays correctly.
Has anyone run into this issue or heard of this problem when using ADUC on Windows 8.1?
ADUC is an AD tool that is no longer being improved, with Microsoft now focusing on ADAC (Administrative Center). In 8.1, it has improved quite a bit since 7. You can also just try using the ActiveDirectory PowerShell Module, which is easy to use and fairly powerful. It can be simple to export lists, and the module for AD is included with RSAT tools.
Example:
Import-Module ActiveDirectory
# Manager holds the manager's distinguished name, so the filter must use that DN (example DN below)
Get-ADUser -Filter {Manager -eq "CN=John Smith,OU=Staff,DC=example,DC=com"} -Properties DisplayName,Mail |
    Select-Object SamAccountName,DisplayName,Mail | Export-Csv dump.csv -NoTypeInformation
So, recommendation: either use ADAC, or PowerShell -- ADUC is part of the wave of deprecation.